Overview

This document is intended to be the primary source of information for Brivo's compliance with the North American Electric Reliability Corporation (NERC) reliability standard for Critical Infrastructure Protection (CIP) Cyber Security Standards. The following topics are covered:

- Critical Cyber Asset Identification (CIP-002-3)
- Security Management Controls (CIP-003-3)
- Electronic Security Perimeter(s) (CIP-005-3a)
- Physical Security of Cyber Security Assets (CIP-006-3c)
- Systems Security Management (CIP-007-3a)
- Incident Reporting and Response Planning (CIP-008-3)
- Recovery Plans for Critical Cyber Assets (CIP-009-3)

Secondary sources for information on Brivo's information security capabilities can be found at

This document is organized by the currently regulated CIP requirement topics. Where Brivo OnAir provides the capability to meet the requirement, it is described in more detail. CIP requirements that are strictly based in policy or are not otherwise regulated or supported by Brivo OnAir are not discussed.

Background

Brivo Inc. provides a web-hosted physical access control system under the product name Brivo OnAir. Brivo OnAir is designed to control physical access to doors and gates via the use of a known credential such as an access card, PIN or biometric template. There are three major components to the overall operation of the Brivo OnAir service:

- Customer premises equipment consisting of a Control Panel and Readers
- Brivo's centralized, web-hosted applications resident at our Data Center
- Web browser on end-user PC for System Administration

These components share data across multiple platforms and networks in order to distribute credentials, centralize access and alarm event records, live and recorded video, and provide other services such as software updates to Control Panels. Control Panels are networked to our Data Center through a variety of IP technologies.
It is assumed that Brivo's on-site access control panels, PCs with browser access to Brivo's hosting center and Brivo's hosting center fall within an Electronic Security Perimeter (ESP) which requires identification and protection per CIP

Old Georgetown Road, Suite 300, Bethesda, MD    Toll Free
Critical Cyber Asset Identification (CIP-002-3)

Per the standard, Standard CIP requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System (BES). These Critical Assets are to be identified through the application of a risk-based assessment. The Responsible Entity identifies the Critical Assets. The Critical Cyber Assets are those components that are essential to the operation of the Critical Assets. For the purposes of Standard CIP-002-3, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

- The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
- The Cyber Asset uses a routable protocol with a control center; or,
- The Cyber Asset is dial-up accessible.

The physical access control system may not be considered essential to the operation of critical assets and power generation, so it may not necessarily be on the initial list of identified assets. However, the PACS uses TCP/IP (a routable protocol) for communication with Brivo's data center. For this reason, it should be included on the list of Critical Cyber Assets. Hardware at the physical security perimeter, however, including badge readers, electronic locking mechanisms, locking control mechanisms, etc., should not be included in the list of critical assets. Certain hardware such as door controllers and input/output devices are used for data collection and interface to the environment, but are pass-through devices without autonomous authorization or logging responsibility; therefore, these devices need not be considered cyber assets. Brivo OnAir uses access control panels with purpose-built firmware. There is no operating system and, due to the purpose-built nature, they are not subject to traditional viruses, worms, Trojan horses, or other malicious attacks.
Security Management Controls (CIP-003-3)

CIP R5 requires that the Responsible Entity document and implement a program for managing access to protected Critical Cyber Asset information. Brivo OnAir supports individual login credentials for each administrator. The login credentials include a username and password. Passwords may be made up of letters, numbers and non-alphanumeric characters. Passwords may be up to 128 characters long, and to meet the NERC-CIP requirements a strong password requirement can be enforced. Within Brivo OnAir, a strong password is one that is case sensitive; has at least 6 characters; and has at least one lowercase character, one uppercase character, one numeric character, and one non-alphanumeric character. In addition, a password cannot be the same as the administrator's username.

The administrator's account can be assigned a specific role. Brivo OnAir supports tiered administration within the software, thereby preventing an administrator from performing functions they are not authorized to perform. One of the requirements for Critical Cyber Asset Information (CCAI) protection is to set forth privileges for access. Brivo OnAir enforces a tier-based administration model. Each administrator logging into the system can be tracked and associated with their admin ID. The type of administrator is made up of a list of capabilities and features in the system which the administrator is allowed to utilize.

- Master Administrators have complete access to the Brivo OnAir account and can create, edit, and delete other administrators as well as view, edit, and append data and activate any devices within the account.
- Super Administrators have the same rights as the Master Administrator except that they cannot alter the Master Administrator's credentials in any way.
- Senior Administrators have the same rights as Super Administrators, except that they cannot create new administrators.
- Assistant Administrators can view, edit, or append data and activate devices on the account, depending upon their permissions:
  - View: the administrator can review data in the account, but cannot edit or append it.
  - Edit: the administrator can edit and delete data in the account.
  - Append: the administrator may add or remove users from the account.
  - Activate: the administrator can activate devices on the account, for example using the Unlock Door functionality.

Electronic Security Perimeter(s) (CIP-005-3a)

Standard CIP-005-3a requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside as well as all access points on the perimeter.
For the purposes of CIP-005-3a compliance, the following topics are relevant to the Brivo OnAir solution and provide the required documentation for section R2.5 of CIP-005-3a:

CIP-005-3a R2.1 Compliance: Brivo OnAir panels comply with CIP R2.1 as they are set up to deny by default all connection attempts.

CIP-005-3a R2.2 Compliance: Brivo OnAir panels comply with CIP R2.2 since only port 443 is required for outbound communications.

CIP-005-3a R2.3 Compliance: This section is not applicable as there is no dial-up access to the Electronic Perimeter provided within the Brivo solution.

CIP-005-3a R2.4 Compliance for Browser Access: Administrators access their data via the Internet, using a web browser in an encrypted Secure Sockets Layer (SSL) session. Brivo supports 128-bit encryption on this link. Administrators are authenticated via username and password.
CIP-005-3a R2.4 Compliance for Panels: As required for system operation, Brivo control panels establish an SSL session with Brivo OnAir before they begin to exchange information. The control panel checks a digital certificate that resides on the servers at Brivo's data center. In doing so, Brivo presents its digital certificate to the control panel, which supplies mutual validation. If the certificate presented by the Brivo data center does not match the certificate that the control panel expects, then it will refuse to communicate with the data center. Brivo servers are able to verify the control panel's identity because Brivo installs a unique digital certificate (used as a client certificate in the context of SSL) on each control panel at the time of manufacture. This certificate is digitally signed by Brivo so that its origin can always be confirmed at a later time, and cannot be faked. When a control panel attempts to establish an SSL session to download data or report events, Brivo servers force it to present its client certificate before gaining access to the system. If it has a valid certificate that was issued by Brivo, then an SSL session is initiated and it is allowed to download data and upload event information. If not, it is blocked from any further activity on the server. In addition to blocking attempts at spoofing or impersonation, the client certificate requirement also blocks out attempts by hackers to gain access to these web servers.

CIP-005-3a R2.4 Compliance for Brivo's data center: Brivo's servers for Brivo OnAir are physically hosted at secure, guarded, 24x7 facilities with strict physical access controls. The sites are also equipped with the latest fire detection and control technology, as well as redundant, diesel-backed uninterruptible power supplies.
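The panel-to-data-center handshake described above, as an added Go example that is not Brivo's code: a constructed CA issues the server and panel certificates, the server side requires a client certificate chaining to that CA (RequireAndVerifyClientCert) before any session is established, and the panel side accepts only the exact server certificate it was provisioned with. The CA name, the onair.example host name and the panel names are constructed assumptions; the page does not state which TLS settings Brivo actually uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert makes a short-lived ECDSA certificate for cn, signed by parent (self-signed
// when parent is nil), returned with its key and parsed Leaf. All names are constructed.
func issueCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // only the CA may sign further certificates
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     ku, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"onair.example"}, // constructed host name for the data center
	}
	parentCert, signer := tmpl, interface{}(key)
	if parent != nil { parentCert, signer = parent.Leaf, parent.PrivateKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS session over loopback: the server admits only client certificates
// chaining to panelCA; the panel trusts only expectedServer. nil means both sides agreed.
func handshake(server, panel tls.Certificate, panelCA, expectedServer *x509.Certificate) error {
	clientPool, pinned := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(panelCA)
	pinned.AddCert(expectedServer)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: clientPool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // deny by default: no Brivo-issued cert, no session
	})
	if err != nil { panic(err) }
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // data center side: accept the one panel, then complete or refuse the handshake
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{panel}, RootCAs: pinned, ServerName: "onair.example",
	})
	if err != nil { return err } // the panel refused the certificate the server presented
	defer conn.Close()
	return <-srvErr // a TLS 1.3 client finishes before the server has checked its certificate
}

// runScenarios: Brivo-issued panel admitted; foreign panel refused; impostor server refused.
func runScenarios() (validAdmitted, foreignPanelRejected, impostorServerRejected bool) {
	ca := issueCert("Brivo Panel CA (constructed)", true, nil)
	server := issueCert("onair-server (constructed)", false, &ca)
	panel := issueCert("panel-0001 (constructed)", false, &ca)
	foreign := issueCert("not issued by Brivo (constructed)", false, nil) // self-signed
	validAdmitted = handshake(server, panel, ca.Leaf, server.Leaf) == nil
	foreignPanelRejected = handshake(server, foreign, ca.Leaf, server.Leaf) != nil
	impostorServerRejected = handshake(foreign, panel, ca.Leaf, server.Leaf) != nil
	return
}
```

runScenarios returns (true, true, true): the server completes the handshake only for the panel carrying a certificate chained to the constructed CA, and the panel aborts when the server presents anything but the pinned certificate.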
In order to protect Brivo's hosted applications at our data center, we have implemented safeguards against all of the following types of threats:

- Denial of Service (DoS) attacks
- Web server exploits
- Application server exploits
- Operating system exploits
- Database attacks
- Malicious employees
- Social engineering attacks
- Natural disaster

As recommended by best practices in the field of information security, Brivo uses a multilayered approach to providing for the security of its servers and the confidentiality of the information they hold. The first layer of security is provided by dedicated, redundant firewalls that screen out all Internet traffic except for legitimate requests to access one of the front-end web servers that Brivo operates for its Brivo OnAir service. A second layer of security, specifically designed to protect against common denial of service (DoS) attempts, is provided by a set of switches that detect these attacks and shunt the traffic before it can affect the quality of service provided by our web servers. Brivo uses highly rated operating systems on all of its servers, which provides insurance against many of the security holes that affect other brands of operating system. Brivo further hardens its servers through a rigorous set of policies that restrict services and ports, restrict user IDs and passwords, and require application of all of the latest security-related operating system patches from our vendors.

Physical Security of Cyber Security Assets (CIP-006-3c)

Per the standard, Standard CIP-006-3c is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. The Responsible Entity shall document, implement, and maintain a physical security perimeter (PSP). The PSP is a six-wall border surrounding the Electronic Security Perimeter (ESP).

CIP-006-3c R1 Compliance with Physical Security Plan. In addition to the perimeter, there will be access control at different levels throughout the facility. For example, the lobby may be completely open to the public, whereas offices may be controlled, only permitting access via card reader or PIN code. Certain highly secure areas, such as server rooms or financial archives, may require biometric authentication. The specifics will be determined based on a risk assessment.

CIP-006-3c R2 Compliance with Protection of Physical Access Control Systems. This requirement indicates that cyber assets used for physical security are afforded the protective measures of CIP-003, CIP-004-3, CIP-005-R2 & R3, CIP-006-R2, CIP-007-3a, CIP-008-3, and CIP. Please refer to the specific sections of this document to review how Brivo OnAir facilitates this requirement.
CIP-006-3c R4 Compliance with Physical Access Controls. Brivo OnAir provides means for implementing operational control as well as supporting the documentation requirements for all access points to the Physical Security Perimeter. Cards: card access offers excellent management control and is cost effective in comparison to deploying 24/7 security personnel. Card access also speeds personnel throughput and simplifies logging and reporting.

CIP-006-3c R5 Compliance with Monitoring Physical Access. The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP. Alarm systems: Brivo OnAir can be used directly to monitor alarm inputs, control access through doors, and trigger outputs. Notification can be linked to these events, immediately informing the necessary personnel.
Brivo events can also be passed to other monitoring systems via analog or digital means.

CIP-006-3c R6 Compliance with Logging Physical Access. Brivo OnAir logs all system activity (at access points as well as administrator activity), which supports the requirement to record sufficient information to uniquely identify individuals and the time of access.

- Electronic logging: all events (at access points as well as administrator activity) are journaled in the Brivo OnAir system. These events can be used to generate reports in a number of different configurations through the My Reports functionality within Brivo OnAir.
- Video recording: video is supported through Brivo OnAir Video or NVR integration. Events are viewable both live and from archived video through the Brivo OnAir interface. These video clips are automatically linked to their respective event in the Brivo OnAir Activity Log.

CIP-006-3c R7 Compliance with Access Log Retention. Activity Log information is viewable for ninety (90) calendar days. Per CIP regulations, retention of records is required for at least three (3) years, and archived data can be retrieved upon request from Brivo.

CIP-006-3c R8 Compliance with Maintenance and Testing. The Responsible Entity is required to develop the maintenance and testing program. This program is required to include the items listed below:

- Maintenance of physical security mechanisms on a cycle of no longer than three (3) years. Firmware changes to the Brivo OnAir control panels are covered under this requirement, but the need for firmware updates occurs rarely.
- Retention of outage records for a minimum of one calendar year. Brivo OnAir makes an entry in the Activity Log for power loss events. The My Reports functionality allows this information to be retrieved from up to 366 days ago.

Systems Security Management (CIP-007-3a)

Standard CIP requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s).
CIP-007-3a R2 Compliance with Ports and Services. Port 443 open to outbound traffic is the only port that needs to be available for Brivo OnAir to function properly.

CIP-007-3a R5 Compliance with Account Management. The Responsible Entity shall enforce authentication of, and accountability for, all user activity. Brivo OnAir allows master administrators to delete other administrators and to create new administrators with specific privileges to enforce accountability. Brivo OnAir also journals all account activity for up to 90 days, which is viewable by the master administrator. Brivo OnAir also supports strong passwords, allowing for the following requirements:

- Must be at least 6 characters long
- Must have at least one lowercase character
- Must have at least one uppercase character
- Must have at least one numeric character
- Must have at least one non-alphanumeric character
- Cannot be the same as the admin ID

Finally, Brivo OnAir is configured to automatically log off an administrator after a specified period of inactivity.

Incident Reporting and Response Planning (CIP-008-3)

Per the standard, Standard CIP ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The requirements of this section necessitate policies, procedures, and applications beyond the scope of the PACS, although operations within the PACS may assist as part of an incident response plan. Alarm events that are received by the Brivo PACS can be tied to a notification which can be sent to any number of recipients, including on-site security personnel. Brivo OnAir supports integration with 3rd party systems through Brivo API, our RESTful API. Developers may use Brivo API to write middleware for integration with, for example, an incident reporting and management software package.

Recovery Plans for Critical Cyber Assets (CIP-009-3)

Per the standard, Standard CIP ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Brivo OnAir stores all account data off-site at a Brivo data center, thereby removing the necessity for on-site backups. Communication loss with the Brivo PACS is captured by OnAir, and notifications can be created for any number of recipients, including on-site security personnel and OnAir administrators. Additionally, Brivo's disaster recovery action plan ensures that all data center information is securely stored at a disaster recovery facility. Brivo's disaster recovery plan is listed as SSAE16 and ISO27001 compliant.
Transportation Worker Identity Credential

Many of the electric power generation and distribution companies have facilities that are regulated to comply with the TWIC program implemented by the Transportation Security Agency. The TWIC card is an electronically enabled (smart card) identity document. The TWIC has biographic and biometric data that associate the card with the individual. By registering the credential ID number in the physical access control system (via Brivo's integration with pivCLASS), the card can also be used to associate the individual with their access privileges as assigned by the administrator at the facility. The TWIC program requires that all individuals with unescorted access to secure areas of regulated facilities must have their TWIC card within 5 minutes of their person. If the card is used to gain access to secure areas, it is a further assurance that the person has their card with them. To provide the irrefutable connection between the person and the card, biometric authentication must be applied at the entrance. Use of the TWIC as the access control credential also simplifies the process for the cardholder. They no longer have to carry multiple cards to gain access at various facilities. The TWIC is based on Federal Information Processing Standard (FIPS) 201 and therefore is interoperable with other systems that also support this standard. Support of the standard means that the system is capable of reading the card; the cardholder must still register in the PACS and be assigned appropriate access rights. Support for the TWIC and other FIPS 201-based credential solutions is achieved by use of Brivo OnAir. The latest version of OnAir supports the various identity fields on the TWIC and similar smart cards.

Summary

This compliance document has highlighted areas within the NERC Critical Infrastructure Protection Cyber Security Standards where Brivo OnAir supports the efforts of the Responsible Entity in securing the perimeter of their facility. Additionally, being a cyber asset itself, the Brivo PACS inherently supports the features needed to facilitate the Responsible Entity's policies, procedures, and documentation requirements.