Cyber Security Standards Update: Version 5 with Revisions


Slide 1: Cyber Security Standards Update: Version 5 with Revisions
Security Reliability Program 2015

Slide 2: Agenda
- CIP Standards History
- Version 5
- Format
- Impact Levels
- NOPR
- Final Rule
- References
RELIABILITY ACCOUNTABILITY

Slide 3: CIP Standards History
Pre-Version 1
- FERC Request for Standard Market Design
  o Request from FERC Staff to develop language May 8, 2002
  o Modeled after ISO17799
  o Transmitted to FERC on July 25, 2002
  o Included in Standard Market Design NOPR as Appendix G
- Urgent Action 1200
  o Follow-on to SMD Appendix G work
  o SAR developed in 2003, approved April 7, 2003
  o UA1200 approved by industry June 26

Slide 4: CIP Standards History
Version 1
- SAR effort started August 2003
- Requirements drafting started June 8, 2004
- Filed with FERC August 28, 2006
- Approved by FERC January 18, 2008
- Effective July 1, 2008 through January 1, 2010 (phased)

Slide 5: CIP Standards History
Version 2
- SAR started February 2008
- Requirements development started October 6, 2008
- Low-hanging fruit
- Filed with FERC May 22, 2009
- Approved by FERC September 30, 2009
- Effective April 1, 2010
Version 3 (current effective version)
- Compliance filing to Version 2
- Filed with FERC December 29, 2009
- Approved by FERC March 31, 2010
- Effective October 1

Slide 6: CIP Standards History
Version 4
- Critical Asset bright-lines
- Approved by industry on December 30, 2010
- Filed with FERC on February 10, 2011
- Approved by FERC on April 19, 2012
- Superseded by Version 5 in FERC Order 791 on November 22

Slide 7: Version 5

Slide 8: CIP Standards Version 5
Draft 1
- Posted for 60-day comment and concurrent ballot period, November 7, 2011 to January 6, 2012
- Ballot period: December 17, 2011 to January 6, 2012
- Multiple separate ballots
  o One for each standard (10 standards)
  o One for Implementation Plan
  o One for Definitions
  o Single ballot pool

Slide 9: CIP Standards Version 5
Draft 2
- Posted for 40-day comment and concurrent ballot period, April 12, 2012 to May 21, 2012
- Ballot period: May 11, 2012 to May 21, 2012
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as initial draft

Slide 10: CIP Standards Version 5
Draft 3
- Posted for 30-day comment and concurrent ballot period, September 11, 2012 to October 10, 2012
- Ballot period: October 1, 2012 to October 10, 2012
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as initial draft

Slide 11: CIP Standards Version 5
Draft 4
- Posted for 10-day recirculation ballot period, October 26, 2012 to November 5, 2012
- No substantial changes made to standards
  o Clarifications and corrections based on comments received from Draft 3
- Changes to existing votes from last successive ballot
  o No action maintains the Draft 3 vote
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as initial draft

Slide 12: Version 5 Ballot Results
Chart (approval percentage by ballot): Initial Ballot (January 2012); Successive Ballot (May 2012); Successive Ballot (October 2012); Recirculation Ballot (November 2012)

Slide 13: FERC Approval Process
- Filed with FERC February 1, 2013 (after 5:00 PM on 1/31)
- FERC Docket RM (docket number not legible)
- 10,483-page filing (yes, ten thousand pages)
- Available on NERC website at (URL prefixes not legible):
  o %20and%20Exhibits%20A-E.pdf
  o %20DL/Exhibit%20F%20(Part%201%20of%202).pdf
  o %20DL/Exhibit%20F%20(Part%202%20of%202).pdf
  o %20DL/Exhibits%20G-H.pdf
- FERC version available (76MB file)
- Filings to Canadian regulators made on February 7

Slide 14: CIP Standards Version 5
- CIP-002-5: BES Cyber Asset and BES Cyber System Categorization
- CIP-003-5: Security Management Controls
- CIP-004-5: Personnel and Training
- CIP-005-5: Electronic Security Perimeter(s)
- CIP-006-5: Physical Security of BES Cyber Systems
- CIP-007-5: Systems Security Management
- CIP-008-5: Incident Reporting and Response Planning
- CIP-009-5: Recovery Plans for BES Cyber Assets and Systems
- CIP-010-1: Configuration Management and Vulnerability Assessments
- CIP-011-1: Information Protection

Slide 15: SDT's Development Goals
- Goal 1: To address the remaining requirements-related directives from all CIP-related FERC orders, all approved interpretations, and CAN topics within applicable existing requirements.
- Goal 2: To develop consistent identification criteria of BES Cyber Systems and application of cyber security requirements that are appropriate for the risk presented to the BES.
- Goal 3: To provide guidance and context for each Standard Requirement.
- Goal 4: To leverage current stakeholder investments used for complying with existing CIP requirements.
- Goal 5: To minimize technical feasibility exceptions.
- Goal 6: To develop requirements that foster a culture of security and due diligence in the industry to complement a culture of compliance.
- Goal 7: To develop a realistic and comprehensible implementation plan for the industry.

Slide 16: CIP Standards Version 5
New / Modified Terms:
- BES Cyber Asset
- BES Cyber System
- BES Cyber System Information
- CIP Exceptional Circumstance
- CIP Senior Manager
- Control Center
- Cyber Assets
- Cyber Security Incident
- Dial-up Connectivity
- Electronic Access Control and Monitoring Systems (EACMS)
- Electronic Access Point (EAP)
- Electronic Security Perimeter (ESP)
- External Routable Connectivity
- Interactive Remote Access
- Intermediate System
- Physical Access Control Systems (PACS)
- Physical Security Perimeter (PSP)
- Protected Cyber Asset (PCA)
- Reportable Cyber Security Incident

Slide 17: BES Cyber Systems
Cyber Assets: Programmable electronic devices, and communication networks including the hardware, software, and data in those devices.

Slide 18: BES Cyber Systems
BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.

(A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

Slide 19: BES Cyber Systems
BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

Slide 20: Electronic Perimeters
External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bidirectional routable protocol connection.

Dial-up Connectivity: A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link.

Slide 21: Electronic Perimeters
Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems (replacing "Critical Cyber Assets" in the prior definition) are connected using a routable protocol and for which access is controlled.

Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

Slide 22: Electronic Perimeters
Electronic Access Control or Monitoring Systems (EACMS): Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.

Protected Cyber Assets (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Slide 23: Interactive Remote Access
Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.

Slide 24: Interactive Remote Access
Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.

Slide 25: Physical Perimeters
Physical Security Perimeter (PSP)
- Prior definition: The physical, completely enclosed ("six-wall") border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled.
- Version 5 definition: The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.

Slide 26: Physical Perimeters
Physical Access Control Systems (PACS): Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.

Slide 27: Control Centers
Control Center: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.

Slide 28: CIP Standards Version 5
Retired Terms
- Critical Assets
- Critical Cyber Assets

Slide 29: CIP Standards Version 5
CIP-002
- Eliminates the Critical Asset step of the identification process
- Builds on bright-line concepts introduced in CIP Version 3/4
  o Critical Asset control centers: High
  o Other Version 3/4 Critical Assets: Medium
  o Some Version 3/4 non-critical assets: Medium
- Transmission now looking at a capacity calculation rather than number of lines at a voltage level
  o See SRI_Equation_Refinement_May6_2011.pdf
- Catch-all category for non-specifically categorized: Low
  o Something everywhere within the BES
  o Programmatic requirement: CIP Requirement R2

Slide 30: CIP Standards Version 5
- High Impact: Large Control Centers; CIP-003 to 009 V3/V4 plus
- Medium Impact: Generation and Transmission Control Centers; similar to CIP-003 to 009 V3/V4
- All other BES Cyber Systems (Low Impact) must implement a policy to address:
  o Cybersecurity Awareness
  o Physical Security Controls
  o Electronic Access Controls
  o Incident Response
Figure (V3/V4 to V5 category mapping): V3/V4 Critical (Large Control Centers; Generation and Transmission Control Centers; Generation and Transmission) and V3/V4 Non-Critical (Small Control Centers; Generation and Transmission) map onto V5 High, Medium, Low, and Non-Impactful (Distribution, Marketing, Business).

Slide 31: CIP
Notes when reading NERC Standards:
- Capitalization is very important.
- Capitalized words refer to terms in the NERC Glossary of Terms Used in Reliability Standards (/Glossary_of_Terms.pdf)
- Non-capitalized terms do not refer to NERC Glossary terms
  o i.e., "Real-time" is not the same as "real-time"
  o "Facilities" is not the same as "facilities"
- Terms with well known and authoritative definitions defer to those authoritative sources (e.g., "FACTS")
- Not all terms used have either NERC Glossary definitions or authoritative definitions (e.g., "plant")

Slide 32: Version 5 Impact Rating Criteria
High Impact Rating (H): Each BES Cyber System used by and located at any of the following:
1.1. Each Control Center or backup Control Center used to perform the functional obligations of the Reliability Coordinator. (V4 1.14)
1.2. Each Control Center or backup Control Center used to perform the functional obligations of the Balancing Authority: 1) for generation equal to or greater than an aggregate of 3000 MW in a single Interconnection, or 2) for one or more of the assets that meet criterion 2.3, 2.6, or 2.9. (V4 1.15)
1.3. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or [criterion number not legible]. (V4 1.16)
1.4. Each Control Center or backup Control Center used to perform the functional obligations of the Generator Operator for one or more of the assets that meet criterion 2.1, 2.3, 2.6, or 2.9. (V4 1.17)

Slide 33: Version 5 Impact Rating Criteria
Medium Impact Rating (M): Each BES Cyber System, not included in Section 1 above, associated with any of the following:
2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection. (V4 1.1)
2.2. Each BES reactive resource or group of resources at a single location (excluding generation Facilities) with an aggregate maximum Reactive Power nameplate rating of 1000 MVAR or greater (excluding those at generation Facilities). The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of resources that in aggregate equal or exceed 1000 MVAR. (V4 1.2)

Slide 34: Version 5 Impact Rating Criteria
2.3. Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year. (V4 1.3)
2.4. Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.6)

Slide 35: Version 5 Impact Rating Criteria
2.5. Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the table below. The "aggregate weighted value" for a single station or substation is determined by summing the "weight value per line" shown in the table below for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.7)

Voltage Value of a Line   | Weight Value per Line
less than 200 kV          | (not applicable)
200 kV to 299 kV          | (value not legible)
300 kV to 499 kV          | (value not legible)
500 kV and above          | 0
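The criterion 2.5 test as an added worked example (not code from the slides or from NERC): it sums the weight of every incoming and outgoing line, counts the distinct stations reached at 200 kV or higher, and compares the aggregate against 3000. The per-band weights are not legible on this slide; the values in the code are taken from the published CIP-002-5.1 Attachment 1 table and are an assumption here to be checked against the standard text in force. Station names and topologies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Weight value per BES Transmission Line by voltage band (lower bound inclusive,
# upper bound exclusive). ASSUMPTION: the slide's table lost its numbers, so these
# weights come from the published CIP-002-5.1 Attachment 1 criterion 2.5 table;
# verify them against the version of the standard in force.
WEIGHT_BANDS = (
    (200.0, 300.0, 700),        # 200 kV to 299 kV
    (300.0, 500.0, 1300),       # 300 kV to 499 kV
    (500.0, float("inf"), 0),   # 500 kV and above: weight 0, but still a connection
)
AGGREGATE_THRESHOLD = 3000      # "aggregate weighted value" must EXCEED this
MIN_OTHER_STATIONS = 3          # connected at >= 200 kV to three or more other stations


@dataclass(frozen=True)
class Line:
    """One incoming or outgoing BES Transmission Line terminating at the station."""
    kv: float              # operating voltage of the line
    remote_station: str    # the other Transmission station/substation it connects to


def line_weight(kv: float) -> Optional[int]:
    """Weight value per line; None when the line is below 200 kV (not applicable)."""
    for low, high, weight in WEIGHT_BANDS:
        if low <= kv < high:
            return weight
    return None


def aggregate_weighted_value(lines: List[Line]) -> int:
    """Sum the weight of every line; parallel lines to the same station each count."""
    return sum(line_weight(line.kv) or 0 for line in lines)


def meets_criterion_2_5(station_voltages_kv: List[float], lines: List[Line]) -> bool:
    """Criterion 2.5 test for a single station or substation.

    station_voltages_kv: voltage levels at which Transmission Facilities at the
    station are operated (facilities at 500 kV and above fall under 2.4, not 2.5).
    """
    # Only stations with facilities operating between 200 kV and 499 kV are candidates.
    if not any(200 <= kv <= 499 for kv in station_voltages_kv):
        return False
    # Must connect at 200 kV or higher to three or more OTHER stations. A 500 kV
    # line counts as a connection even though its weight is 0; a 138 kV line does not.
    peers = {line.remote_station for line in lines if line.kv >= 200}
    if len(peers) < MIN_OTHER_STATIONS:
        return False
    return aggregate_weighted_value(lines) > AGGREGATE_THRESHOLD


# Constructed sample stations (fictional names and topologies).
STATION_A = ([345.0, 230.0], [
    Line(345.0, "Alpha"), Line(345.0, "Bravo"), Line(230.0, "Charlie"),
    Line(500.0, "Delta"), Line(138.0, "Echo"),   # 138 kV: not applicable
])
# Four 230 kV lines to four stations: enough connections, but 2800 < 3000.
STATION_B = ([230.0], [Line(230.0, n) for n in ("Alpha", "Bravo", "Charlie", "Delta")])
# 3900 aggregate, but only two other stations reached, so the criterion is not met.
STATION_C = ([345.0], [Line(345.0, "Alpha"), Line(345.0, "Alpha"), Line(345.0, "Bravo")])

if __name__ == "__main__":
    for name, (kvs, lines) in (("A", STATION_A), ("B", STATION_B), ("C", STATION_C)):
        print(name, aggregate_weighted_value(lines), meets_criterion_2_5(kvs, lines))
```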

Slide 36: Version 5 Impact Rating Criteria
2.6. Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies. (V4 1.8 & 1.9)
2.7. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements. (V4 1.11)
2.8. Transmission Facilities, including generation interconnection Facilities, providing the generation interconnection required to connect generator output to the Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the generation Facilities identified by any Generator Owner as a result of its application of Attachment 1, criterion 2.1 or 2.3. (V4 1.10)

Slide 37: Version 5 Impact Rating Criteria
2.9. Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated switching System that operates BES Elements, that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limits (IROLs) violations for failure to operate as designed or cause a reduction in one or more IROLs if destroyed, degraded, misused, or otherwise rendered unavailable. (V4 1.12)
2.10. Each system or group of Elements that performs automatic Load shedding under a common control system, without human operator initiation, of 300 MW or more implementing undervoltage load shedding (UVLS) or underfrequency load shedding (UFLS) under a load shedding program that is subject to one or more requirements in a NERC or regional reliability standard. (V4 1.13)

Slide 38: Version 5 Impact Rating Criteria
2.11. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. (V4 1.15)
2.12. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above. (V4 1.16)
2.13. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MW in a single Interconnection. (V4 1.17)

Slide 39: Version 5 Impact Rating Criteria
Low Impact Rating (L): BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 Facilities, of this standard:
3.1. Control Centers and backup Control Centers
3.2. Transmission stations and substations
3.3. Generation resources
3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements. (V4 1.4 & 1.5)
3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System. (V4 1.12)
3.6. For Distribution Providers, Protection Systems specified in Applicability section above. (V & 1.13)

Slide 40: CIP Standards Version 5
Non-CCA assets in Version 3 are also covered
- Non-Critical Cyber Assets within an ESP are now named Protected Cyber Assets, are associated with a BES Cyber System, and are called out in the Applicable Systems column
- EACMS and PACS are associated with a BES Cyber System, and are called out in the Applicable Systems column

Slide 41: CIP Standards Version 5
High Water Marking
- Within an ESP, all systems are treated as if they are at the highest impact level of any system in the same ESP
- Includes non-impactful Cyber Assets (e.g., market systems, distribution systems, corporate systems) (see definition of PCA)
Figure: an ESP containing a Market System, a Medium Impact BES Cyber System, and a High Impact BES Cyber System, all treated as High Impact BES Cyber Systems; an ESP containing a Low Impact BES Cyber System alongside a Medium Impact BES Cyber System, all treated as Medium Impact BES Cyber Systems.
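High water marking, the PCA definition from slide 22, and the 30-day transient exclusion from slide 18 combined into one categorization pass, as an added example (not code from the slides or from NERC). Asset names, ESP names and the impact ratings assigned to them are constructed; the four-level rating scale and the 30-day threshold follow the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPACT_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}
TRANSIENT_DAYS_MAX = 30   # "30 consecutive calendar days or less" (slides 18 and 22)


@dataclass(frozen=True)
class CyberAsset:
    name: str
    esp: Optional[str]            # ESP it is connected to with a routable protocol, or None
    bes_impact: str = "None"      # rating of the BES Cyber System it belongs to; "None" if not a BES Cyber Asset
    connected_days: int = 365     # consecutive calendar days connected inside the ESP
    transient_use: bool = False   # data transfer, vulnerability assessment, maintenance or troubleshooting


def esp_high_water_marks(assets: List[CyberAsset]) -> Dict[str, str]:
    """Highest-rated BES Cyber System in each ESP (the ESP's high-water mark)."""
    marks: Dict[str, str] = {}
    for a in assets:
        if a.esp is None or a.bes_impact == "None":
            continue
        if IMPACT_RANK[a.bes_impact] > IMPACT_RANK[marks.get(a.esp, "None")]:
            marks[a.esp] = a.bes_impact
    return marks


def categorize(assets: List[CyberAsset]) -> Dict[str, Tuple[str, str]]:
    """Map asset name -> (classification, effective impact rating)."""
    marks = esp_high_water_marks(assets)
    result: Dict[str, Tuple[str, str]] = {}
    for a in assets:
        if a.esp is None:
            # No routable connection into an ESP: rated on its own, or not in scope.
            if a.bes_impact == "None":
                result[a.name] = ("Not in scope", "None")
            else:
                result[a.name] = ("BES Cyber System", a.bes_impact)
            continue
        mark = marks.get(a.esp, "None")
        if mark == "None":
            # An ESP with no BES Cyber System in it raises nothing to any level.
            result[a.name] = ("Not in scope", "None")
        elif a.connected_days <= TRANSIENT_DAYS_MAX and a.transient_use:
            # 30-day exclusion: neither a BES Cyber Asset nor a PCA.
            result[a.name] = ("Excluded (transient)", "None")
        elif a.bes_impact != "None":
            # A BES Cyber System keeps its identity but is treated at the ESP's mark,
            # e.g. a Low system in a Medium ESP is treated as Medium.
            result[a.name] = ("BES Cyber System", mark)
        else:
            # Everything else connected inside the ESP is a PCA at the ESP's mark,
            # including market, distribution and corporate systems.
            result[a.name] = ("Protected Cyber Asset", mark)
    return result


# Constructed inventory mirroring the slide's two ESPs plus some edge cases.
INVENTORY = [
    CyberAsset("ems_primary", "ESP-CC", "High"),
    CyberAsset("scheduling", "ESP-CC", "Medium"),
    CyberAsset("market_system", "ESP-CC"),                          # non-BES system in the ESP
    CyberAsset("laptop_10d", "ESP-CC", connected_days=10, transient_use=True),
    CyberAsset("laptop_45d", "ESP-CC", connected_days=45, transient_use=True),
    CyberAsset("sub_rtu", "ESP-Sub", "Low"),
    CyberAsset("sub_relay_hmi", "ESP-Sub", "Medium"),
    CyberAsset("corp_mail", None),                                   # never in an ESP
    CyberAsset("plant_plc", None, "Low"),                            # low impact, no ESP
]

if __name__ == "__main__":
    for name, (kind, rating) in categorize(INVENTORY).items():
        print(f"{name:14} {kind:22} {rating}")
```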

Slide 42: CIP Standards Version 5
Figure (annotated requirement table layout): Rationale, Guidance & Changes; Main Requirement and Measure; Applicable Systems for requirement part; Requirement part text; Requirement part Measure text; Requirement part Reference; Requirement part change rationale.

Slide 43: CIP Standards Version 5
Format
- Following Results-based Standards format
- Background section before requirements
- Requirement and Measurement next to each other
- Rationale and guidance developed in parallel with requirements
- Two posting formats: one with guidance/rationale text boxes inline; the other with guidance and rationale text grouped at the end
- Still must audit only to the requirement
- Guidelines and Technical Basis section at end

Slide 44: CIP Standards Version 5
Applicable Systems column in tables
- What systems the row in the table applies to
- Listed in each standard
- Specific phrases consistent across all standards
- A requirement part (row) may have multiple applicability statements
- Examples:
  o High Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems at Control Centers
  o Medium Impact BES Cyber Systems with External Routable Connectivity
  o Protected Cyber Assets
  o Electronic Access Control Systems

Slide 45: CIP Standards Version 5
Connectivity
- No longer a blanket exemption
- Now listed in applicability section: Routable Connectivity or Dial-up Connectivity
- Routable protocol applicability now applies where large volume, real-time communications requirements are listed, e.g., logging
Low Impact
- CIP Requirement R2
- Programmatic controls (i.e., "have a program for ...")
- Requires physical and cyber security protections for locations containing low impact BES Cyber Systems
- Does not require lists of every low impact BES Cyber System

Slide 46: CIP Standards Version 5
TFEs
- Attempting to minimize required TFEs (e.g., anti-malware on switches)
- Reduced from 14 requirements/subs to 8 requirements (13 parts)
- But still have TFEs (including new ones where existing V1 to V4 problems exist)
- Have added "per Cyber Asset capability" language to allow strict compliance with the language of the requirement, without requiring a TFE (~5 requirements)
Measures
- Guidance to auditors as well as entities
- "An example of evidence may include, but is not limited to, ..."
- No longer a meaningless restatement of the requirement

Slide 47: CIP Standards Version 5
Bulleted lists vs. numbered lists
- Bulleted lists are separated by "or"
  o Bulleted lists imply that not all of the items in the list are required
- Numbered lists are separated by "and"
  o Numbered lists imply that all of the items in the list are required
- Both bulleted and numbered lists are used in both requirements and measures

Slide 48: Features of Version 5
- Closes out directives in FERC Order No. 706 (also, FERC Order No. 761 imposed March 31, 2013, filing deadline)
- Results-based standards
  o Focus on reliability and security-related result
  o Non-technology specific
- Smarter use of Technical Feasibility Exception (TFE) process
  o Plain language of the requirement, i.e., "per device capability"
- Risk-informed systems approach
  o Adopt solutions and tailor security based on function and risk
  o No longer a harsh "in or out" demarcation for applicability
  o Impact and connectivity inform applicability

Slide 49: Features of Version 5
Systems approach illustration
- Cyber Assets function together as a complex system
- Identify the system and apply requirements to the whole rather than the part
- High Watermarking inside boundary

Slide 50: Features of Version 5
Paradigm shift that builds on experience
- Informed by and responsive to implementation and audit lessons from Versions 1 through 3
- Framework for establishing a culture of security
- Balanced flexibility
  o Demonstrates clear accountability for Critical Infrastructure Protection, yet...
  o Allows adaptation of requirements to individual operations
  o Specifies what to achieve, but broad in how to get there

Slide 51: CIP Standards Version 5
Proposed Effective Date (from CIP-002-5; all standards use the same language):
1. CIP-002-5 shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, CIP-002-5 shall become effective on the first day of the ninth calendar quarter following Board of Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
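The effective-date language above turned into a date calculation, as an added example (not code from the slides or from NERC): it finds the first calendar day of the ninth calendar quarter after a given date and, for the regulatory-approval case, applies the "later of July 1, 2015" floor. The approval dates fed to it are constructed for illustration, not the dates of any actual order.

```python
from datetime import date

V5_FLOOR = date(2015, 7, 1)   # "the later of July 1, 2015, or ..." (case 1 only)
QUARTERS_AFTER = 9            # "ninth calendar quarter"


def first_day_of_quarter_after(d: date, n: int) -> date:
    """First calendar day of the n-th calendar quarter after the quarter containing d.

    Quarters are counted as whole calendar quarters, so a date anywhere in Q4 2013
    and a date anywhere else in Q4 2013 yield the same answer.
    """
    absolute_quarter = d.year * 4 + (d.month - 1) // 3   # Q1 = 0 ... Q4 = 3
    target = absolute_quarter + n
    year, quarter = divmod(target, 4)
    return date(year, quarter * 3 + 1, 1)


def v5_effective_date(approval: date, regulatory_approval_required: bool = True) -> date:
    """Effective date per the CIP-002-5 implementation language on the slide.

    approval: effective date of the regulatory order (case 1), or the date of
    Board of Trustees approval (case 2, jurisdictions with no regulatory approval,
    where no July 1, 2015 floor applies).
    """
    candidate = first_day_of_quarter_after(approval, QUARTERS_AFTER)
    if regulatory_approval_required:
        return max(candidate, V5_FLOOR)
    return candidate


if __name__ == "__main__":
    # Constructed approval dates for illustration.
    for when, regulatory in ((date(2013, 11, 22), True),   # late order: floor does not bind
                             (date(2013, 1, 15), True),    # early order: floor binds
                             (date(2012, 11, 26), False)): # board approval, no floor
        print(when, regulatory, v5_effective_date(when, regulatory))
```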

Slide 52: CIP Standards Version 5
Implementation issues:
- Specified initial performance of all periodic requirements in implementation plan
  o 24 months following regulatory approval for all requirements
  o Identity Verification does not need to be repeated
- Discussion of unplanned re-categorization to a higher impact level
- Discussion of disaster recovery actions
- Discussion of requirements applied to access control systems (physical and electronic), and Protected Cyber Assets

Slide 53: CIP Standards Version 5
Applicability Section:
- Section 4.1 Functional Entities
  o Describes which asset owners, based on their functional model designation, and specific ownership of assets, must comply with the standards
  o May have no qualifications: applies to all entities registered for that function
- Section 4.2 Facilities
  o Describes which assets must comply with the standards
  o May have no qualifications: applies to all BES assets owned by that function

Slide 54: CIP Standards Version 5
Applicability Example:
- For Distribution Providers, only those registered DPs that own specifically called out pieces of equipment, such as UFLS systems, must comply with the standards
- For those DPs, only the specifically called out pieces of equipment must comply with the standards
- If a DP does not own any called out equipment, it does not need to comply with the standards
- If a DP owns a piece of called out equipment, only that called out equipment must comply with the standards

Slides 55 to 57: CIP Standards Version 5 (figure-only slides; no text transcribed)

Slide 58: CIP Standards Version 5
CIP-002-5 through CIP-009-5, CIP-010-1, CIP-011-1
- Results-based Standard format
  o Requirements and measures together
  o Guidance and rationale in text boxes
- Looks bigger
  o ~1 printout for Version 5 compared to ~¼ printout for Version 3/4
  o Includes much more guidance and rationale for each requirement

Slide 59: CIP Standards Version 5
Version 5 requirement counts (standard numbers and requirement counts per standard not legible; listed in slide order):
- CIP: [n] Requirements; 5 Parts; Attachment with bright lines for High and Medium
- CIP: [n] Requirements; 13 Parts
- CIP: [n] Requirements; 18 Parts
- CIP: [n] Requirements; 8 Parts
- CIP: [n] Requirements; 13 Parts
- CIP: [n] Requirements; 20 Parts
- CIP: [n] Requirements; 9 Parts
- CIP: [n] Requirements; 10 Parts
- CIP: [n] Requirements; 10 Parts
- CIP: [n] Requirements; 4 Parts
- Total: 32 Requirements; 110 Parts

Slide 60: Version 3 Requirement Counts
(standard numbers and requirement counts per standard not legible; listed in slide order)
- CIP: [n] Requirements; 0 sub-requirements
- CIP: [n] Requirements; 18 sub-requirements
- CIP: [n] Requirements; 12 sub-requirements
- CIP: [n] Requirements; 26 sub-requirements
- CIP: [n] Requirements; 15 sub-requirements
- CIP: [n] Requirements; 34 sub-requirements
- CIP: [n] Requirements; 6 sub-requirements
- CIP: [n] Requirements; 2 sub-requirements
- Total: 43 Requirements; 113 sub-requirements

Slide 61: CIP Standards Version 5
Sub-Requirements
- Each Requirement / Sub-Requirement is a compliance touch-point
- Non-compliance with a sub-requirement stands on its own
- Sub-requirements have independent VSLs (unless rolled up)
Requirement Parts
- Only the Requirement is a compliance touch-point
- Cannot be independently in non-compliance with a Part
- VSLs written only at the Requirement level (making very long and complicated VSL language)
- Parts allow flexibility in development and implementation of the requirement

Slide 62: Version 5 Technical Webinar
- Draft 1 Technical Webinar on format and CIP-002, industry-led, November 15, 2011
- Draft 1 Technical Webinar on CIP-003 through CIP-011, industry-led, November 29, 2011

Slide 63: Version 5 Webinars
- Draft 2 Technical Webinar, SDT-led, April 10, 2012
- Draft 3 Technical Webinar, SDT-led, September 21, 2012

Slide 64: CIP Standards Version 5
- Annual interaction with CAN-0010: now 15 months
- Monthly requirements changed to 35 days
- Measures are examples with bulleted lists; format, wording
- Compliance artifacts in requirements (e.g., "documentation of ...")
- LSE (removed), replaced with DP
  o LSE functions changed since original standards development timeframe
- 300 MW threshold on UFLS/UVLS
  o No justification for a different value
- Notifications: IROL, must run (resolving as part of V4)
  o IROLs in WECC

Slide 65: CIP Standards Version 5
- Definition / threshold of Control Center
  o Includes data centers
- Connectivity (routable, dial-up)
- Low Impact (policy only)
  o List not required
- Date tracking (PRA, training, access, etc.)
- Access revocation (reassignments, timing, immediate)
- Removed 99.9% availability phrasing
  o Difficult to track and audit
- Interactive Remote Access
  o Clarify encryption and multi-factor authentication points
  o Remove examples from requirements / purpose of encryption

Slide 66: CIP Standards Version 5
- Ports & Services
  o Physical ports - FERC Directive
- No remediation plan if patches are installed within 35 days
  o Allow updates to existing plans rather than new plans all the time
  o Periodic review of patch sources, not individual patches
- Anti-malware: clarify system level
- "Per device capability" clauses added
- Password changing / pseudorandom passwords (RuggedCom vulnerability impacts)
- Evidence Retention (compliance vs. security monitoring)

Slide 67: CIP Standards Version 5
- Take back reporting requirement from EOP-004 into CIP-008
- Guidance on active vs. passive vulnerability assessment
- V4 bypass language still in implementation plan

Slide 68: Version 5 NOPR
- Issued April 18, 2013
- Posted at 75 pages
- Comments due June 24, 2013 (60 days after publication in Federal Register)
- Contains 48 specific requests for comment (may be overlap)
- Proposes 11 directives for change
- Proposes 16 areas where FERC may direct changes

Slide 69: Version 5 NOPR
Major Themes:
- "Identify, Assess and Correct" language
- Impact Categorization
  o No reference to studies supporting bright-line thresholds
  o No consideration of coordinated attack on multiple low impact systems
  o Only based on BES impact (i.e., no assessment of confidentiality, integrity or availability)
- Low Impact BES Cyber Systems
  o Specificity of requirements
  o Lack of inventory

70 Version 5 NOPR

Definitions:
  o 15 minute impact in BES Cyber Asset
  o Generation Control Centers (vs. control rooms)
  o Removal of communication networks from Cyber Asset
  o Use of "reliability tasks" phrase
  o Intermediate System vs. intermediate device

71 Version 5 NOPR

Implementation Plan
  o Proposes to accept the Version 4 bypass language
  o Are 24 / 36 months necessary?
Violation Risk Factors
  o Inconsistent with prior versions
Violation Severity Levels
  o Inconsistent with Commission guidelines
  o May need to be modified based on outcome of IAC discussion

72 Version 5 NOPR

New Topics (post Order No. 706)
Communications Security
  o Including encryption, protections for serial communications
Remote Access (more than proposed Version 5 language?)
  o May already be covered by Version 5 language
NIST topics
  o Maintenance devices
  o Separation of duties
  o Threat / risk based categorization
  o May include other areas
May be others

73 Version 5 NOPR

NERC Response:
60 page response (largest response)
  o ( 20DL/NERC%20Comments%20to%20CIPV5%20NOPR%20_%20FINAL.pdf)
Supports standards as filed:
  o IAC:
    - Discusses meaning of IAC language
    - Reliability benefit of IAC language
    - Compliance obligations of IAC language
    - Consistency with NIST Framework
  o BES Cyber Asset Categorization and Protection
    - Supports Facility rating approach
    - Protections of low impact BES Cyber Assets
    - Supports not requiring inventory of low impact BES Cyber Assets

74 Version 5 NOPR

NERC Response (continued):
  o Definitions: BES Cyber Asset
    - 15-minute parameter
    - 30-day exclusion
  o Definitions: Control Center
    - Geographically dispersed generating plants
  o Definitions: Cyber Assets
    - Removal of communications networks
  o Definitions: Reliability Tasks
    - Well-understood term
  o Definitions: Intermediate Devices
    - Filing oversight

75 Version 5 NOPR

NERC Response (continued):
  o Implementation Plan: 24- and 36-month timeframes appropriate and necessary
    - Transition guidance and pilot program
  o VRF & VSL
    - Severity of violation as expressed in duration of violation
    - Not two separate violations
  o Other Technical Concerns
    - Technical conferences to discuss issues
    - Use Reliability Standards Development Process
  o Remote Access
    - Concerns addressed in CIP

76 Version 5 NOPR

NOPR Comments:
65 files submitted from 62 parties
782 pages
Generally supportive of NERC positions
  o Issues with IAC language
  o Issues with RFA analysis and estimates (cost & time)
Next Steps:
FERC must read, summarize and react to all comments while writing final rule

77 Version 5 Final Rule

Final Rule Issued November 22, 2013
Docket RM13-5
Order No. 791
[ ]-page rule
Published in Federal Register December 3, 2013

78 Final Rule Highlights

Effective Date of Final Rule: February 3, 2014
Effective Date for Compliance with all non-periodic requirements:
  o April 1, 2016 for High and Medium Impact
  o April 1, 2017 for Low Impact
Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1,

79 Final Rule Highlights

Approved technical requirements
Approved 19 definitions
Approved implementation plan
Approved bypass of Version 4
Approved, with modifications, VRF / VSL

80 Final Rule Highlights

Submit modified VRF / VSL within 90 days
Submit two directed changes and one informational filing within one year
  o IAC
  o Communications Networks
  o Survey: 15-minute clause
Two other directed changes do not have specified time frame
  o Low Impact BES Cyber Systems
  o Transient Devices

81 IAC Language

Address concerns with IAC Language
  o Prefer to have compliance language removed from requirements
  o Allow for flexibility for addressing concerns
Supports move away from zero tolerance compliance approach for the 17 requirements
IAC language ambiguous; concerns about inconsistent application and unclear expectations placed on industry
Submit within one year

82 BES Cyber Asset Categorization

Allow impact-based categorization
  o May revisit in future
Not persuaded to move blackstart from Low to Medium, but may revisit
Does not consider connectivity, but may revisit
Confirm that Low will not include non-BES assets

83 Low Impact requirements

Lack of objective criteria for evaluating Low Impact protections
  o Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process
Open to alternative approaches: "the criteria NERC proposes for evaluating a responsible entity's protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified."
No detailed inventory required; list of locations / Facilities OK

84 15-Minute Parameter

Survey industry about impacts of 15-minute parameter during transition period
  o What Cyber Assets are included / excluded by the 15-minute parameter
Informational filing to FERC in one year
Commission may revisit issue following informational filing

85 30-day exemption in Definition

Do not direct change to definition
Directed modifications to address transient devices issues

86 Transient Devices

Devices connected for less than 30 days (USB, laptop, etc.)
Direct modifications to address the following concerns:
  o Device authorization
  o Software authorization
  o Security patch management
  o Malware prevention
  o Unauthorized physical access
  o Procedures for connecting to different impact level systems

87 Control Center

Accept definition without change

88 Communications Network

Approve definition of Cyber Asset without change
Direct creation of definition of communication networks and requirements to address issues:
  o Locked wiring closets
  o Disconnected or locked spare jacks
  o Protection of cabling by conduit or cable trays
Submit within one year
Include discussion in FERC Staff-led conference

89 Reliability Tasks

No need to define phrase
Refers to Functional Model tasks

90 Intermediate Devices

Accept errata filing (Intermediate Devices -> Intermediate Systems)

91 Implementation Plan

Approve Implementation Plan as filed
  o 24-month for High & Medium
  o 36-month for Low
  o Bypass Version 4
Support NERC proposal to develop transition guidance and pilot program
Declined to extend implementation plan
Not persuaded to allow early shift to V5
  o "However, issues of early compliance can be addressed by NERC and Registered Entities as appropriate."

92 VRF / VSL

Approve 30 (of 32) VRFs
  o Move two VRFs from Lower to Medium
Modify VSLs:
  o IAC Language
  o Address typographical errors
  o Clarify unexplained elements
Submit within 90 days
Additional VSL changes will be required for any changed requirement
  o IAC

93 FERC Staff-led Conference

FERC Staff-led conference within 180 days
  o NIST Framework for categorizations (C-I-A)
  o Communications security
  o Remote access
  o Differences between CIP & NIST
May produce new or modified directives

94 Errata Notice

Issued Dec 13, 2013
Corrects P 16 of order to confirm effective date of standard:
  "This errata notice serves to correct P 16. Specifically, the reference to "eighth" in the seventh line of P 16 is changed to "[ninth]". The sentence as revised would thus read, "NERC requests that the CIP version 5 Standards become effective on the first day of the [ninth] calendar quarter after a Final Rule is issued in this docket.""

95 VRF/VSL Compliance Filing

Updated VRFs & VSLs filed with FERC on May 15, 2014
  o Response to Order No. 791
VRF modifications filed for:
  o CIP-006-5, Requirement R3
  o CIP , Requirement R4
VSL modifications filed for:
  o CIP-003-5, Requirements R1 and R2
  o CIP , Requirement R4
  o CIP-008-5, Requirement R2
  o CIP-009-5, Requirement R3
Filing approved on July 9, 2014 by Letter Order

96 Steps Forward

Any change to the requirements language must be made pursuant to the NERC Standards Process Manual
  o Standards Drafting Team will need to be involved
  o Opportunity for industry comment and ballot
Two directives with timeframes
  o Must file in prescribed timeframe
Desire to address all directives as soon as possible
VRF/VSL changes and Survey will happen outside of standards development process

97 References

Project Development History:
Version 4 page:
Version 4 Guidance Document
Version 5 page:
Version 5 Transition Guidance: V5%20Transition%20Guidance%20FINAL.pdf

98 Questions

Scott Mix, CISSP
Senior CIP Technical Manager


More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Top 10 Compliance Issues for Implementing Security Programs

Top 10 Compliance Issues for Implementing Security Programs www.dyonyx.com Top 10 Compliance Issues for Implementing Security Programs This White Paper articulates the top ten issues that we have encountered in the design and implementation of comprehensive Security

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014!

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! October 3, 2013 Scott Sternfeld, Project Manager Smart Grid Substation & Cyber

More information

NERC-CIP S MOST WANTED

NERC-CIP S MOST WANTED WHITE PAPER NERC-CIP S MOST WANTED The Top Three Most Violated NERC-CIP Standards What you need to know to stay off the list. www.alertenterprise.com NERC-CIP s Most Wanted AlertEnterprise, Inc. White

More information

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework Jacques Benoit, Cooper Power Systems Inc., Energy Automations Solutions - Cybectec Robert O Reilly, Cooper

More information

Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard

Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard The North American Electric Reliability Corporation 1 s (NERC) CIP Reliability Standard is the most comprehensive and pervasive

More information

121 FERC 61,143 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

121 FERC 61,143 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 121 FERC 61,143 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

TOP 10 CHALLENGES. With suggested solutions

TOP 10 CHALLENGES. With suggested solutions NERC CIP VERSION 5 TOP 10 CHALLENGES With suggested solutions 401 Congress Avenue, Suite 1540 Austin, TX 78791 Phone: 512-687- 6224 E- Mail: chumphreys@theanfieldgroup.com Web: www.theanfieldgroup.com

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

Reclamation Manual Directives and Standards

Reclamation Manual Directives and Standards Critical Cyber Asset (CCA) Identification Methodology 1. Introduction. A. The Bureau of Reclamation will employ a multi-step methodology to identify CCAs associated with its inventory of critical assets

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Secure Substation Automation for Operations & Maintenance

Secure Substation Automation for Operations & Maintenance Secure Substation Automation for Operations & Maintenance Byron Flynn GE Energy 1. Abstract Today s Cyber Security requirements have created a need to redesign the Station Automation Architectures to provide

More information

CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011

CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 1 Purpose Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building

More information

FERC, NERC and Emerging CIP Standards

FERC, NERC and Emerging CIP Standards Protecting Critical Infrastructure and Cyber Assets in Power Generation and Distribution Embracing standards helps prevent costly fines and improves operational efficiency Bradford Hegrat, CISSP, Principal

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

CTR System Report - 2008 FISMA

CTR System Report - 2008 FISMA CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control

More information

NERC CIP Compliance Gaining Oversight with ConsoleWorks

NERC CIP Compliance Gaining Oversight with ConsoleWorks NERC CIP Compliance Gaining Oversight with ConsoleWorks The current challenge for many Utility companies is finding efficient ways to gain oversight and control over NERC CIP regulation compliance. NERC

More information

Security and Privacy Controls for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

NERC CIP Implementation Prepared by David Grubbs City of Garland NERC Critical Infrastructure Protection Committee (CIPC) Municipal Systems are well represented on the NERC CIPC Committee David Grubbs,

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of

More information

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information