Nokia mission-critical communications networks solution for power utilities


Attaining NERC CIP version 5 reliability standards compliance

Application note

Abstract

Since its advent, electricity has become the bedrock of modern societies and economies. A secure electric grid is crucial to ensuring reliable electricity delivery for daily use by commercial and residential users. As a result, power utilities worldwide consider security protection a top priority. In particular, power utilities in North America have long been required to comply with the Critical Infrastructure Protection (CIP) standards specified by the North American Electric Reliability Corporation (NERC). This application note summarizes the CIP Version 5 Reliability Standards and explains how the Nokia Mission-critical Communications Networks Solution for Power Utilities can contribute to your efforts to protect the grid and comply with regulatory requirements.

Contents

Abstract
Introduction
Summary of CIP Version 5 Standards
Nokia Mission-Critical Communications Networks Solution
Attaining CIP Compliance with the Nokia Solution
Conclusion
Acronyms
References

Introduction

Highly secure communications are crucial for maintaining daily operations in mission-critical networks, particularly those of public infrastructure such as the power grid owned and operated by electric utilities. Reliable and secure delivery of electricity to commercial and residential users is essential to a functioning modern society.

In North America, power utilities operating bulk electric systems (BESs) have long been required to comply with the Critical Infrastructure Protection (CIP) standards specified by the North American Electric Reliability Corporation (NERC) [1]. Network elements, such as routers and switches, and any mission-critical traffic that rides over communications networks to support BES operations and delivery are subject to the strict security requirements outlined in the NERC CIP standards. Networking technologies that can meet these standards are a part of a utility's strategy in modernizing grid operations and adopting a new mission-critical communications infrastructure.

On November 22, 2013, the Federal Energy Regulatory Commission (FERC), the independent government agency that regulates the interstate transmission of electricity in the United States, approved Version 5 of the CIP Reliability Standards for the Bulk Electric Systems of North America, CIP through CIP-011-1, in its Order No This new version of the standards represents a significant expansion of requirements over the current CIP Version 3 standards [2]. CIP Version 5 includes new cyber security specifications and extends the scope of the systems that the CIP standards protect [3]. Power utilities in North America are now racing toward the deadline of April 1, 2016 for achieving compliance.

This application note details how the Nokia Mission-critical Communications Networks Solution for Power Utilities can play a seminal role in helping power grid operators comply with the mandatory NERC CIP requirements.

[1] NERC's area of responsibility spans the continental United States, Canada and the northern portion of Baja California, Mexico.
[2] Version 4 will not be implemented because Version 5 provides more comprehensive improvements to the standards. FERC approved NERC's proposal to bypass implementation of Version 4 and allow utilities to transition directly from Version 3 to Version 5.
[3] For details, see

Summary of CIP Version 5 Standards

In 2008, FERC approved eight reliability standards that NERC developed to protect bulk electric systems, considered as mission-critical infrastructure, from cyber-attacks. These standards formed the first version of CIP Reliability Standards. Since then, the set has been expanded to ten standards [4]. A synopsis of each follows.

CIP : Cyber Security - BES Cyber System Categorization
Requires the responsible entities (operators, owners or co-ordinators) to implement a process to classify all bulk electric system cyber systems (BES cyber systems) [5] impacting the bulk electric system as having a high, medium or low impact. The assets encompass control centers, transmission stations and substations, generation resources, system restoration facilities and special protection systems.

CIP-003-6: Cyber Security - Security Management Controls
Requires the responsible entities to review and obtain CIP senior manager approval of documented cyber security policies for its high- and medium-impact BES cyber systems at least once every 15 months.

CIP-004-6: Cyber Security - Personnel and Training
Requires the responsible entities to document and implement processes or programs for cyber security awareness, training, personnel risk assessment and access management.

CIP-005-5: Cyber Security - Electronic Security Perimeter(s)
Requires the responsible entities to deploy a controlled electronic security perimeter to manage electronic access to and protection of BES cyber systems against compromise that could lead to misoperation or instability for high- and medium-impact BES cyber systems.

CIP-006-6: Cyber Security - Physical Security of BES cyber systems
Requires the responsible entities to specify a physical security plan to manage physical access to BCSs and to protect high- and medium-impact BES cyber systems from compromise that could lead to misoperation or instability.

CIP-007-6: Cyber Security - System Security Management
Requires the responsible entities to manage system security by specifying technical, operational and procedural requirements in support of protecting high- and medium-impact BES cyber systems against compromise that could lead to misoperation or instability.

CIP-008-5: Cyber Security - Incident Reporting and Response Planning
Requires the responsible entities to document cyber security incident response plans for BES cyber systems and BES cyber assets.

CIP-009-5: Cyber Security - Recovery Plans for BES Cyber Systems
Requires the responsible entities to have recovery plans for high- and medium-impact BES cyber systems. This includes controls, timelines to update the plan(s), and any procedures needed to protect data for investigation of security events triggering the plan and BES cyber systems recovery.

CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments
Requires the responsible entities to develop procedures for configuration change management and vulnerability assessment to protect the BES cyber systems from compromise that could lead to misoperation or instability in the BES cyber systems.

CIP-011-2: Cyber Security - Information Protection
Requires the responsible entities to implement methods and procedures to protect information for high- and medium-impact BES cyber systems.

[4] The CIP Version 5 Standards comprise a set of documents ranging from CIP-002 to CIP-011. CIP-001 from the CIP Version 3 Standards has been merged into EOP under the FERC Order RD ( whats-new/comm-meet/2013/062013/e-8.pdf)
[5] This is a new term introduced in CIP Version 5 and referring to cyber assets subject to CIP protection. For definitions of terms used in CIP Version 5, see CIP V5 Definitions.

Nokia Mission-Critical Communications Networks Solution

The Nokia Mission-critical Communications Networks Solution has been deployed worldwide in more than 450 mission-critical communications networks of power utilities, public safety and transportation. It consists of the following IP/MPLS products (see Figure 1):

- Nokia 7750 Service Router (7750 SR)
- Nokia
- Nokia 7210 Service Access Switch (7210 SAS)
- Nokia 5620 Service Aware Manager (5620 SAM)
- Nokia Service Portal Express for Utilities (SPE)

The following key characteristics enable resilient communications for power utilities' mission-critical networks to accomplish their tasks reliably:

1. Support for legacy and next-generation applications with full scalability and flexibility for future evolution

2. Streamlined network operations, administration and maintenance (OAM) using a single and consistent end-to-end nodal and network management solution set: Command Line Interface (CLI), Simple Network Management Protocol (SNMP), the 5620 SAM and the Service Express Portal for Utilities

Comprehensive installation options, including:
- Standard rack/cabinet-based installations
- Versatile DIN rail/wall/panel/stand mounting options
- High and low voltage support in small enclosures for outdoor deployments

3. Same Alcatel-Lucent Service Router Operating System (SR-OS) across entire portfolio, maintaining IP/MPLS control and management plane consistency throughout the network; this simplifies network design, operations, maintenance and training

4. End-to-end network and service management using utility terminology; customizable workflow to support NERC Version 5 CIP process

Figure 1. Nokia Mission-Critical Communications Networks Solution for Power Utilities (diagram labels: control center; mission-critical WAN network; bulk generation and transmission; distribution; distribution/FAN; digital substation LAN network; station bus; process bus)

Attaining CIP Compliance with the Nokia Solution

The following tables summarize how the Nokia Mission-critical Communications Networks Solution can play an integral role in helping utilities to achieve compliance with the NERC CIP Version 5 standards. For details of a particular specification, please visit the NERC CIP project webpage.

CIP : BES Cyber System categorization

R1
  Specification summary: Classify BES assets as low, medium or high impact
  Nokia IP/MPLS product functionality: SPE allows operators to classify the assets to which the Nokia communications equipment is connected into different asset types according to the NERC CIP guideline.

R2
  Specification summary: Review and approve BES cyber systems list by CIP senior manager or delegate at least once every 15 calendar months
  Nokia IP/MPLS product functionality: The configured SPE asset groups can be updated to reflect changes to cyber systems list after review as needed.

CIP-003-6: Security Management Controls

R1
  Specification summary: Approve cyber security policies for high- and medium-impact BES cyber systems by CIP senior manager every 15 calendar months
  Nokia IP/MPLS product functionality: The 7705 SAR, 7210 SAS, 7750 SR, 5620 SAM and SPE* configurations can be altered to reflect cyber security policy updates based on senior management approval.

R2, 2.1
  Specification summary: CIP senior manager to review and approve cyber security policy for low-impact BES cyber systems to address 2.2 to 2.6 below at least once every 15 calendar months
  Nokia IP/MPLS product functionality: Same as R1.

R2, 2.2
  Specification summary: Implement operational or procedural control processes to restrict physical access
  Nokia IP/MPLS product functionality: The five products can be used to provide secure and highly available communications to electronic physical security devices (e.g., cameras, access card readers, door alarms) as needed.

R2, 2.3
  Specification summary: Implement processes for escorted visitor access and monitoring physical access point(s) at control centers with external routable protocol paths
  Nokia IP/MPLS product functionality: Same as 2.2.

R2, 2.4
  Specification summary: Implement processes to enforce external routable protocol paths through only identified access point(s) coupled with inbound and outbound access permission policy and authentication when establishing dial-up connectivity
  Nokia IP/MPLS product functionality: The five products provide a variety of access list policies, including access control lists and zone-based stateful firewalling capabilities to enforce inbound and outbound policies. Note: Not applicable for a dial-up connection.

R2, 2.5
  Specification summary: Implement a cyber security incident response plan
  Nokia IP/MPLS product functionality: The five products can be configured similar to CIP-001-2a-R1 through R4 to support the plan.

R2, 2.6
  Specification summary: Implement a security awareness program that reinforces cyber security practices at least quarterly
  Nokia IP/MPLS product functionality: Same as 2.5.

R3
  Specification summary: Identify a CIP senior manager and update any change within 30 calendar days
  Nokia IP/MPLS product functionality: The user privilege of CIP senior manager can be configured and tailored on the five products.

R4
  Specification summary: CIP senior manager must document any delegate when allowed by the standards
  Nokia IP/MPLS product functionality: Similar to R3. The delegate's user privilege on the five products can be updated as required.

* All future instances of these five IP/MPLS products will read "the five products".

CIP-004-6: Personnel and Training

Requirement and specification summary

R1 Security awareness program
  1.1 Document and implement security processes for high- and medium-impact BES cyber systems; reinforce security practices at least quarterly for personnel who have authorized electronic or unescorted physical access to BES cyber systems

R2 Cyber security training program
  2.1 Implement a cyber security training program appropriate to operating personnel roles, functions and responsibilities for high- and medium-impact BES cyber systems with external routable connectivity plus their associated electronic access control or monitoring systems (EACMSs) and physical access control systems (PACSs)
  2.2 Require completion of the training specified in 2.1 prior to granting access except during CIP exceptional circumstances
  2.3 Require completion of training at least once every 15 months

R3 Personnel risk assessments
  3.1 Implement a program to confirm identity of staff to attain and retain access to high- and medium-impact BES cyber systems with external routable connectivity plus their associated EACMSs and PACSs
  3.2 Implement a process to perform seven-year criminal history checks
  3.3 Implement a process to evaluate criminal history record checks
  3.4 Implement a process for verifying personnel risk assessments performed for contractors or service vendors according to 3.1 through
  Implement a process to ensure authorized individuals have had a personnel risk assessment completed according to 3.1 through 3.4 within the last seven years

R4 Access management program
  Implement a process to authorize electronic access and unescorted physical access with verification at least every 15 calendar months for high- and medium-impact BES cyber system information

R5 Access revocation program
  Implement a process to remove and revoke an individual's access upon employee termination or transfer

Nokia IP/MPLS product functionality

  The manuals and training material for the five products can be incorporated into security processes as required.
  Nokia University offers product and security training for the five products as needed.
  Same as 2.1.
  Same as 2.1.
  The five products are highly customizable for a variety of user access and control levels as identified by CIP-001-2a-R1 through R4.
  Same as R4.

CIP-005-5: Electronic Security Perimeter(s)

Requirement and specification summary

R1 Electronic security perimeter (ESP)
  1.1 Identify a list of all BES cyber systems and protected cyber assets with ESP network topology for high- and medium-impact BES cyber systems
  1.2 All external routable connectivity must be through an identified electronic access point (EAP). Document EAP configuration and rationale for high- and medium-impact BES cyber systems
  1.3 Identify and document all access rule lists for granting and denying access for high- and medium-impact BES cyber systems
  1.4 Document access authentication for high- and medium-impact BES cyber systems with dial-up connectivity
  1.5 Document malicious communications detection methods for high- and medium-impact BES cyber systems at control centers

R2 Interactive remote management
  2.1 Utilize an intermediate system so that there is no direct external access from client to high- and medium-impact BES cyber systems with external routable connectivity
  2.2 Utilize encryption for remote access sessions for high- and medium-impact BES cyber systems with external routable connectivity

Nokia IP/MPLS product functionality

  SPE enables operators to identify connected critical assets as in CIP R1 and can also display the network topology, connectivity and services of protected cyber assets.

  Configurations of 7705 SAR, 7750 SR and 7210 SAS, through SPE and 5620 SAM as EAPs, can be logged and then documented as needed. For example, comments for configuration changes and rationale can be added via CLI commands in nodes or through the graphic user interface (GUI) of the 5620 SAM and SPE.

  See access control and firewalling capabilities as described in CIP R2 through R2.4.

  Dial-up connectivity is not applicable to Nokia products and services.

  The 7705 SAR, 7750 SR, 7210 SAS and SPE log any unsuccessful login attempt to the nodes or management systems as evidence of a potential malicious attempt. The 7705 SAR and 7750 SR provide stateful firewalling capabilities that include logging of any malicious attempts to circumvent the firewall. These logging events can be used to document malicious detection at the BES cyber systems. The 7705 SAR and 7750 SR provide encryption and authentication. If any malicious attempt is made to hijack an encrypted tunnel or communications, statistics of these events are tracked. These statistics can be collected by the SPE and 5620 SAM to provide documented evidence of a potential malicious attack.

  The 7705 SAR, 7210 SAS or 7750 SR can be deployed as the intermediate system as required to provide access from clients to high-impact BES cyber systems. If required, the 5620 SAM and SPE can be the only means to access the 7705 SAR, 7210 SAS and 7750 SR by disabling direct CLI access.

  The 7705 SAR, 7210 SAS and 7750 SR support the use of RADIUS, TACACS+ and local authentication to validate users requesting access to the network node. Login control parameters are supported, including exponential-back off, idle time and inbound-maxsessions. Secure Shell (SSH) is used to provide a secure encrypted connection to a router. The 7705 SAR and 7750 SR can encrypt management access to BES cyber system traffic by using either IPsec or Network Group encryption.

CIP-005-5: Electronic Security Perimeter(s) (continued)

R2, 2.3
  Specification summary: Utilize multi-factor authentication such as passwords generated by a specific smart card
  Nokia IP/MPLS product functionality: The five products support configurable passwords as needed. Any tools used to create passwords can be scripted to update the authentication information for each node in the network.

CIP-006-6: Physical Security of BES Cyber Systems

Requirement and specification summary

R1 Physical security plan
  1.1 Document operational or procedural controls to restrict physical access to medium-impact BES cyber systems without external routable connectivity and their associated PACSs; PACS is associated with high-impact BES cyber systems
  1.2 Utilize physical access control to allow unescorted physical access into each physical security perimeter (PSP) to only authorized individuals; document access through access logs
  1.3 Utilize two or more physical access controls to collectively allow unescorted physical access into each PSP for authorized individuals
  1.4 Monitor for unauthorized access to high- and medium-impact BES cyber systems with external connectivity and their associated EACMSs and protected cyber assets (PCAs)
  1.5 Issue an alarm or alert in response to detected unauthorized access to high- and medium-impact BES cyber systems with external routable connectivity, and their associated EACMSs and PCAs, within 15 minutes of detection
  1.6 Monitor each PACS for authorized physical access to high- and medium-impact BES cyber systems with external routable connectivity
  1.7 Issue an alarm or alert in response to detected unauthorized physical access to a PACS associated with high- or medium-impact BES cyber systems with external routable connectivity to the personnel identified in the BES Cyber Security Incident Response Plan within 15 minutes of the detection
  1.8 Log entry of each individual with authorized access into each PSP with high- and medium-impact BES cyber systems with external routable connectivity and their associated EACMSs and PCAs

Nokia IP/MPLS product functionality

  The 7705 SAR, 7750 SR and 7210 SAS can relay control messaging from physical access equipment to control centers in a secure manner as required. The three products also have physical dry contact alarm solutions that, when triggered, can provide physical intrusion detection that can be relayed to centralized network managers via SNMP.
  Same as 1.2.
  Same as 1.2. Refer to CIP R2 through 2.2 for RADIUS and TACACS+.
  Same as 1.2. Refer to CIP R2 through 2.2 for RADIUS and TACACS+.
  Same as 1.2. Refer to CIP R2 through 2.2 for RADIUS and TACACS+.
  Same as 1.2. Refer to CIP R2 through 2.2 for RADIUS and TACACS+.
  Refer to CIP R2 through 2.2 for RADIUS and TACACS+.

CIP-006-6: Physical Security of BES Cyber Systems (continued)

Requirement and specification summary

R1 Physical security plan (continued)
  1.9 Retain physical access log entry of individuals with access into each PSP with high- and medium-impact BES cyber systems with external connectivity, and their associated EACMSs and PCAs, for at least ninety calendar days
  1.10 For high- and medium-impact BES cyber systems and PCAs at control center, restrict physical access to cabling and other nonprogrammable components used for connection between cyber assets within the same ESP when such cabling and components are located outside of a PSP; where physical access restrictions are not implemented, encryption and communication link alarm/monitor should be used

R2 Visitor control program
  2.1 Require continuous escorted access of visitors within each PSP except during CIP exceptional circumstances
  2.2 Require manual or automated logging of visitor entry into and exit from the PSP for high- or medium-impact BES cyber systems with external routable connectivity, and their associated EACMSs and PCAs, that includes date and time of the initial entry and last exit, the visitor's name and the host except during CIP exceptional circumstances
  2.3 Retain the visitor logs in 2.2 for at least ninety calendar days

R3 PACS maintenance and testing program
  3.1 Maintain and test, at the PACS, locally mounted hardware or devices at the PSP for high- and medium-impact BES cyber systems with external routable connectivity at least once every 24 calendar months to ensure they function properly

Nokia IP/MPLS product functionality

  The 7705 SAR, 7750 SR and 7210 SAS support external alarm dry contact input that can map connected alarm system warning outputs to SNMP trap messages for alert and logging. Refer to CIP R2 through 2.2 for RADIUS and TACACS+.

  The 7705 SAR and 7750 SR support either IPsec or Network Group encryption to maintain secure encryption and authentication paths as needed. Encryption can be enhanced with firewalls, access control lists (ACLs) or link failure detection methods to generate link or traffic alarms as needed. SPE supports notification for alarm events associated with ports and nodes classified as NERC CIP critical assets.

  The five products have a variety of OAM protocol testing functions to help test services in a network. These testing functions can be used at any frequency needed to help satisfy this requirement.

CIP-007-6: Systems Security Management

R1 Ports and services, 1.1
  Specification summary: Enable only required logical network accessible ports, including dynamic port ranges for high- and medium-impact BES cyber systems with external routable connectivity and their associated EACMSs, PACSs and PCAs
  Nokia IP/MPLS product functionality: The 7705 SAR, 7750 SR and 7210 SAS have the ability to allow operators to create logical ports (e.g., VLAN interfaces, L3 interfaces, L3 VPRNs or pseudowires) and services as needed. Logical ports and services are available as required via IP/MPLS-based capabilities. Depending on networking needs, a mixture of logical separation is available. When complemented by 802.1x authentication, ACLs and firewalling capabilities, comprehensive logical protection mechanisms can be implemented.

CIP-007-6: Systems Security Management (continued)

R1 Ports and services (continued), 1.2
  Specification summary: Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands or removable media for high- and medium-impact BES cyber systems at control centers
  Nokia IP/MPLS product functionality: The 7705 SAR, 7750 SR and 7210 SAS logical ports (e.g., VLAN interfaces, L3 interfaces, L3 VPRNs or pseudowires) are enabled by configuration. Any unused port that is not enabled will not allow traffic into or out of the network. This can be further complemented by 802.1x authentication, ACLs and firewall capabilities to provide physical input/output port protection as needed.

R2 Security patch management, 2.1
  Specification summary: Implement a patch management process for tracking, evaluating and installing cyber security patches for high- and medium-impact BES cyber systems and their associated EACMSs, PACSs and PCAs
  Nokia IP/MPLS product functionality: Nokia provides timely updates to its software should any vulnerabilities need to be addressed. The 5620 SAM provides a simple but elegant process to help install new software loads for 7705 SAR, 7210 SAS and 7750 SR nodes.

R2, 2.2
  Specification summary: Evaluate security patches identified in Part 2.1 at least every 35 calendar days
  Nokia IP/MPLS product functionality: The Nokia product support teams will create new software loads as needed, which can be tested when available. Not all new software loads may contain security patches if no security vulnerabilities were fixed.

R2, 2.3
  Specification summary: For patches identified in Part 2.2, either apply or create/revise a mitigation plan within 35 calendar days after the evaluation completion
  Nokia IP/MPLS product functionality: The 5620 SAM is available to install new software loads for 7705 SAR, 7210 SAS and 7750 SR nodes.

R2, 2.4
  Specification summary: Implement mitigation plans identified in Part 2.3 within the timeframe specified in the plan unless a revision or an extension is approved
  Nokia IP/MPLS product functionality: Same as 2.3.

R3 Malicious code prevention, 3.1
  Specification summary: Deploy method(s) for high- and medium-impact BES cyber systems, and their associated EACMSs, PACSs and PCAs, to deter, detect or prevent malicious code
  Nokia IP/MPLS product functionality: The 7705 SAR and 7750 SR support a stateful zone-based firewall and ACLs, and provide traffic separation via MPLS label switched path (LSP) tunnels and strict quality of service (QoS) policies to help prevent unauthorized access to BES cyber systems, deterring attempts by malicious code to gain access to the BES cyber system. Also, Nokia is planning statistical-based intrusion detection capabilities on its platforms to help detect and block malicious code.

R3, 3.2
  Specification summary: Mitigate the threat of detected malicious code to high- and medium-impact BES cyber systems and their associated EACMSs, PACSs and PCAs
  Nokia IP/MPLS product functionality: Same as 3.1. The SR-OS software running on network nodes is a closed software system and has no exploitable or external APIs.

R3, 3.3
  Specification summary: Implement a process for the update of signature- or pattern-based methods in Part
  Nokia IP/MPLS product functionality: Same as 3.1.

R4 Security event monitoring
  Specification summary: Log all login attempts (successful and failed) and malicious code detected events for high- and medium-impact BES cyber systems and their associated EACMSs, PACSs and PCAs
  Nokia IP/MPLS product functionality: The five products provide event logging features that help control the generation, dissemination and recording of system events, including security and configuration change events. Failed login attempts are an example of such generated events and logs.

R4, 4.2
  Specification summary: Generate alerts for security events that are determined to necessitate alerts
  Nokia IP/MPLS product functionality: Same as 4.1. Also, the SPE can generate notifications for a configured set of security events detected by the network.

CIP-007-6: Systems Security Management (continued)

R4 Security event monitoring (continued), 4.3
  Specification summary: Where technically feasible, retain applicable event logs identified in Part 4.1 for 90 consecutive calendar days except under CIP exceptional circumstances
  Nokia IP/MPLS product functionality: The 7705 SAR, 7750 SR and 7210 SAS can send event accounting to an AAA server configured to keep event logs for 90 days or more. The 5620 SAM and SPE can store event logs for 90 days or more.

R4, 4.4
  Specification summary: Review a summary or sampling of logged events at a minimum interval of 15 calendar days to identify undetected cyber security incidents
  Nokia IP/MPLS product functionality: Same as 4.1.

R5 System access control, 5.1
  Specification summary: Have methods to enforce authentication of interactive user access, where technology is feasible, for high- and medium-impact BES cyber systems at control centers, medium-impact BES cyber systems with external routable connectivity, and their associated EACMSs, PACSs and PCAs
  Nokia IP/MPLS product functionality: For all five products, failed attempt thresholds and lockout timers can be configured for specific user profiles to enforce user scope of command and control. Refer to CIP R2 through 2.2 for RADIUS and TACACS+.

R5
  Specification summary: Identify and inventory all known enabled default or other generic account types by system, group of systems, location or system type(s)
  Nokia IP/MPLS product functionality: The 5620 SAM and SPE user accounts can be a list or grouped into types or scope depending on the privileges of users managing the network.

R5, 5.3
  Specification summary: Identify individuals who have authorized access to shared accounts
  Nokia IP/MPLS product functionality: The 5620 SAM and SPE can provide needed information for any identification process.

R5, 5.4
  Specification summary: Change known default passwords for each cyber asset capability
  Nokia IP/MPLS product functionality: All default passwords of the five products can be changed as needed.

R5, 5.5
  Specification summary: Technically or procedurally enforce specified password parameters for password-only authentication for interactive user access
  Nokia IP/MPLS product functionality: The five products can be part of the enforcement process. Password length and complexity (special characters) can be enforced for a higher level of security. Refer to CIP R2 through 2.2 for descriptions of passwords, RADIUS and TACACS+.

R5, 5.6
  Specification summary: Technically or procedurally enforce (where technically feasible), for password-only authentication for interactive user access, password changes or an obligation to change the password at least once every 15 calendar months
  Nokia IP/MPLS product functionality: The five products can enforce a user password aging period. Refer to CIP R2 through 2.2 for descriptions of passwords, RADIUS and TACACS+.

R5, 5.7
  Specification summary: Where technically feasible, limit the number of unsuccessful authentication attempts or generate alerts after a threshold of unsuccessful authentication attempts
  Nokia IP/MPLS product functionality: The 7705, 7210 SAS and 7750 SR can freeze the user account for a set period after the failed login attempt threshold is crossed. Refer to CIP R2 through 2.2 for descriptions of passwords, RADIUS and TACACS+.

CIP-008-5: Incident Reporting and Response Planning

Requirement and specification summary

R1 BES cyber security incident response plan specifications
  1.1 Implement a process to identify, classify and respond to BES cyber security incidents
  1.2 Implement a process to determine if an identified incident is a reportable BES cyber security incident
  1.3 Define the roles and responsibilities of BES cyber security incident response personnel, incident handling procedures and internal staff/external organizations that should be notified of the incident

R2 BES cyber security response plan implementation and testing
  2.1 Execute the BES cyber security incident plan(s) when incident occurs; record deviations from the plan(s) during the incident or test
  2.2 Implement the BES cyber security incident response plan(s) when the standard becomes effective and at least once every calendar year thereafter, not to exceed 15 months between the plan executions
  2.3 Retain relevant documentation related to reportable incidents for three calendar years

R3 BES cyber security incident response plan review, update and communication
  3.1 Review each BES cyber security incident response plan for accuracy and completeness initially upon the effective date of the standard and at least once each calendar year thereafter, not to exceed 15 calendar months between reviews, and update if necessary
  3.2 Review the results of the plans test or actual incident response within 30 calendar days of the execution, documenting any lessons learned for high- and medium-impact BES cyber systems
  3.3 Update the plan(s) based on any documented lessons learned within 60 calendar days of the completion of the review of the plan(s)
  3.4 Update the plan(s) within 30 calendar days of any organizational or technology changes that impact the plan(s)
  3.5 Communicate each update to the plan(s) to all involved persons in the plan(s) within 30 calendar days of the update completion

Nokia IP/MPLS product functionality

  The five products are able to help identify, classify and respond as described in CIP- EOP
  The five products are able to help determine if an identified incident is a reportable incident via Nokia product capabilities as described in CIP- EOP
  The five products are able to help enforce roles and responsibilities as described in CIP- EOP-004-2, CIP and CIP
  The five products can be used to help execute the BES cyber security plan(s) as described in CIP- EOP-004-2, CIP and CIP
  The five products can be used to help implement the BES cyber security incident response plan(s) as described in CIP- EOP-004-2, CIP-003 and CIP
  The five products are able to help identify, classify and respond as described in CIP- EOP Information can be retained for an indefinite period of time. The time period is limited only by storage space.
  Flexible configurations and settings of the five products are available to streamline updates or modifications after review of the plan(s).
  Similar to

CIP-009-5: Recovery Plans for BES Cyber Systems

| Requirement | Specification summary | Nokia IP/MPLS product functionality |
| --- | --- | --- |
| R1 Specifications of recovery plan(s) for high- and medium-impact BES cyber systems and associated physical and electronic access control systems | 1.1 Identify conditions that activate recovery plan(s) | The five products can be used to help identify conditions that activate a recovery plan as described in CIP- EOP-004-2, CIP-003 and CIP. SPE can provide and SNMP notification for a configured set of events to activate a recovery plan. |
| | 1.2 Roles and responsibilities of responders | The privileges and scope of user accounts that can manage the five products can be tailored according to the roles and responsibilities described in CIP |
| | One or more processes for the backup, storage and protection of information required to restore BES cyber system functionality | The 5620 SAM enables users to back up and store router configurations. Nodal redundancy and high-availability mechanisms are available to ensure backup equipment and network paths maintain communications as needed for information protection |
| | 1.4 Verify information to ensure the backup process is completed successfully | SAR, 7210 SAS and 7750 SR configuration backup by 5620 SAM is verified upon completion |
| | 1.5 Where technically feasible, preserve data for analysis or diagnosis of the cause of any event that triggers activation | SAR, 7210 SAS and 7750 SR configuration files can be backed up and uploaded to destination servers for storage. |
| R2 Implementation and testing for recovery plan(s) for high- and medium-impact BES cyber systems and associated physical and electronic access control systems | 2.1 Test the plan(s) initially upon the effective date of the standard and at least once every 15 calendar months | The five products have a variety of tools for gathering information, diagnostics and statistics that can be used to aid with testing procedures. |
| | 2.2 Test information used in BES cyber system recovery at least once every 15 calendar months to ensure its usability and validity | Same as 2.1. |
| | 2.3 Test the plan(s) through an operational exercise in a representative environment initially upon the effective date of the standard and at least once every 36 calendar months thereafter | Same as |

| Requirement | Specification summary | Nokia IP/MPLS product functionality |
| --- | --- | --- |
| R3 Review, update and communication of recovery plan(s) for high- and medium-impact BES cyber systems and associated physical and electronic access control systems | 3.1 Review the plan(s) initially upon the effective date of the standard and at least once every 15 months or when BES cyber systems are replaced; document any identified deficiencies or lessons learned | Same as R |
| | 3.2 Review the results of each recovery plan test or actual incident recovery within 30 calendar days after exercise completion | |
| | 3.3 Update the plan(s) based on documented deficiencies or lessons learned within 30 calendar days of the review | Flexible configurations and settings of the five products are available to streamline updates or modifications after plan reviews. |
| | 3.4 Update the plan(s) to address organizational or technology changes within 30 calendar days of such change | Same as 3.3. |
| | 3.5 Communicate all plan updates to each responder identified in the plan(s) within 30 calendar days of the update being completed | Same as 3.3. For example, user account profiles used on the five products can be modified to reflect communication of plan updates. |

CIP-010-2: Configuration Change Management and Vulnerability Assessments

| Requirement | Specification summary | Nokia IP/MPLS product functionality |
| --- | --- | --- |
| R1 Configuration change management for high- and medium-impact BES cyber systems and their associated EACMSs, PACSs and PCAs | 1.1 Develop a baseline configuration that includes OSs or firmware where no independent OS exists; commercial, open-source and custom software installed; logical network accessible ports; and security patches applied | See previous sections for Nokia product capabilities that can become part of a baseline configuration. |
| | 1.2 Authorize and document changes that deviate from the existing baseline configuration | A workflow process with authorization steps can be set up through SPE when new configurations (e.g., new services) are provisioned that need to deviate from baseline configurations. |
| | 1.3 Update the baseline configuration to reflect deviation within 30 calendar days of change completion | New configuration files can be backed up as part of the workflow process. |

| Requirement | Specification summary | Nokia IP/MPLS product functionality |
| --- | --- | --- |
| | 1.4 Prior to a change, determine the impact on cyber security controls in CIP-005 and CIP-007, verify that the change does not adversely affect cyber security controls, and document the results of the verification | The five products have a variety of tools for gathering information, diagnostics and statistics that can be used to aid with testing procedures. Nokia can provide consulting services to assist in this process. |
| | 1.5 For high-impact BES cyber systems, where technically feasible, prior to change implementation test changes in a test or production environment where adverse effects are minimized; model the baseline configuration to ensure required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and document the results of the testing | Same as 1.4. |
| R2 Configuration monitoring for high-impact BES cyber systems and associated EACMSs and PCAs | 2.1 Monitor at least once every 35 calendar days for changes to the baseline configuration; document and investigate detected unauthorized changes | The five products support configuration change logging to help document and provide records of detailed changes that occur, who performed the changes, and when they occurred. The 5620 SAM can perform configuration backups with version control mechanisms to help monitor changes to baseline configurations. |
| R3 Vulnerability assessments | 3.1 Conduct a paper or active vulnerability assessment at least once every 15 calendar months for high- and medium-impact BES cyber systems and their associated EACMSs, PACSs and PCAs | The five products have a variety of tools for gathering information, diagnostics and statistics that can be used to aid with testing procedures. |
| | 3.2 Where technically feasible, perform and document the results of an active vulnerability assessment in a test or production environment where adverse effects are minimized | Same as 3.1. |
| | 3.3 Perform an active vulnerability assessment of the new cyber asset prior to adding it to high-impact BES cyber systems and their associated EACMSs and PCAs in a production environment | Same as 3.1. |
| | 3.4 Document assessment results and the action plan to remediate vulnerabilities identified for high- and medium-impact BES cyber systems and their associated EACMSs, PACSs and PCAs | Same as 3.1. Results can be used to develop documentation as needed. |
| R4 Transient cyber assets and removable media protection | 4.1 Record the authorization of the usage of transient cyber assets, except for CIP exceptional circumstances, for high- and medium-impact BES cyber systems and associated PCAs | SPE user can classify ports and nodes of the WAN as NERC critical assets so that there is a record of any authorization to use these ports or nodes in a transient manner. |
| | 4.2 Deploy method(s) to deter, detect or prevent malicious code on transient cyber assets | Same as CIP |
| | 4.3 Deploy method(s) to detect malicious code on removable media prior to use on systems | Same as CIP |
| | Mitigate the threat of detected malicious code | Same as CIP |
| | Update signatures or patterns of detection method | Same as CIP |

| Requirement | Specification summary | Nokia IP/MPLS product functionality |
| --- | --- | --- |
| | 4.6 Prior to use, evaluate transient cyber assets for modifications | The five products have a variety of tools for gathering information, diagnostics and statistics that can be used to aid with testing procedures. |
| | 4.7 Evaluate transient cyber assets, within 35 calendar days prior to use, to ensure security patches are up to date | The five products have a variety of tools for gathering information, diagnostics and statistics that can be used to aid with testing procedures. |

CIP-011-2: Information Protection

| Requirement | Specification summary | Nokia IP/MPLS product functionality |
| --- | --- | --- |
| R1 Information protection for high- and medium-impact BES cyber systems and their associated EACMSs and PACSs | 1.1 Devise methods to identify information that meets the definition of BES cyber system information | As part of the method, the 5620 SAM and SPE allow operators to enter information about the BES cyber system connected to 7705 SAR, 7210 SAS and 7750 SR nodes |
| | 1.2 Implement procedures for protecting and securely handling BES information, including storage, transit and use | SAR, 7210 SAS and 7750 SR nodal information can be viewed and changed only by a certain class of users on an as-need basis. |
| R2 BES cyber asset reuse and disposal | 2.1 Prior to the release for reuse of cyber assets that contain BES cyber system information, take action to prevent unauthorized retrieval of such information from its data storage media | Nokia can provide consulting services to assist in this process for reuse of equipment. |
| | 2.2 Prior to the disposal of cyber assets that contain BES cyber system information, take action to prevent unauthorized retrieval of such information from its data storage media | Nokia can provide consulting services to assist in the disposal of equipment. |

Conclusion

Since its advent, electricity has become the bedrock of modern societies and economies. A secure electric grid is crucial to ensure reliable electricity delivery for daily use. As a result, power utilities in North America are now mandated to dedicate resources to design and execute actions to fulfill the requirements and regulations defined in the CIP Version 5 Reliability Standards.

Nokia has real-world expertise in converged scalable network service delivery, resilient high availability and field-proven cyber security best practices. Our industry-leading mission-critical communications networks solution not only delivers the required network reliability, performance and scalability, it also serves as a bulwark defending against security threats and intrusions. Nokia can contribute significantly to your efforts to protect the grid and comply with regulatory requirements.

For more information about Nokia's solutions for power utilities, go to

Acronyms

| Acronym | Definition |
| --- | --- |
| 5620 SAM | Nokia 5620 Service Aware Manager |
| 7210 SAS | Nokia 7210 Service Access Switch |
| 7705 SAR | Nokia 7705 Service Aggregation Router |
| 7750 SR | Nokia 7750 Service Router |
| ACL | access control list |
| BES | bulk electric system |
| CIP | Critical Infrastructure Protection |
| CLI | Command Line Interface |
| EACMS | electronic access control or monitoring system |
| EAP | electronic access point |
| ESP | electronic security perimeter |
| FERC | Federal Energy Regulatory Commission |
| IP | Internet Protocol |
| JMS | Oracle Java Message Service |
| MPLS | Multi-Protocol Label Switching |
| NERC | North American Electric Reliability Corporation |
| OAM | operations, administration and maintenance |
| PACS | physical access control system |
| PCA | protected cyber asset |
| PSP | physical security perimeter |
| RADIUS | Remote Authentication Dial-In User Service |
| SNMP | Simple Network Management Protocol |
| SPE | Nokia Service Portal Express for Utilities |
| SR-OS | Nokia Service Router-Operating System |
| TACACS | Terminal Access Controller Access Control System |
| VLAN | Virtual Local Area Network |
| VPRN | Virtual Private Routed Network |

References

Nokia 5620 Service Aware Manager.
Nokia 7210 Service Access Switch.
Nokia 7705 Service Aggregation Router.
Nokia 7750 Service Router.
Nokia Service Portal Express for Utilities.
Federal Energy Regulatory Commission website.
North American Electric Reliability Corporation website.

Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners. Nokia Oyj Karaportti 3 FI Espoo Finland Tel (0) Product code: PR (July) Nokia 2016 nokia.com


More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Cisco Change Management: Best Practices White Paper

Cisco Change Management: Best Practices White Paper Table of Contents Change Management: Best Practices White Paper...1 Introduction...1 Critical Steps for Creating a Change Management Process...1 Planning for Change...1 Managing Change...1 High Level Process

More information

NB Appendix CIP-004-5.1-NB-1 - Cyber Security Personnel & Training

NB Appendix CIP-004-5.1-NB-1 - Cyber Security Personnel & Training This appendix establishes modifications to the FERC approved NERC standard CIP-004-5.1 for its specific application in New Brunswick. This appendix must be read with CIP-004-5.1 to determine a full understanding

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

SYMMETRY WHITE PAPER. Support for Critical Infrastructure Protection (CIP) Cyber Security Standards. Adam Shane

SYMMETRY WHITE PAPER. Support for Critical Infrastructure Protection (CIP) Cyber Security Standards. Adam Shane SYMMETRY WHITE PAPER Support for Critical Infrastructure Protection (CIP) Cyber Security Standards Adam Shane Support for Critical Infrastructure Protection (CIP) Cyber Security Standards The Symmetry

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Alcatel-Lucent Services

Alcatel-Lucent Services SOLUTION DESCRIPTION Alcatel-Lucent Services Security Introduction Security is a sophisticated business and technical challenge, and it plays an important role in the success of any network, service or

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security CIP-005-3 Audit Approach, ESP Diagrams, Industry Best Practices September 24 25, 2013 SALT LAKE CITY, UTAH

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks 4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Implementing Cisco IOS Network Security v2.0 (IINS)

Implementing Cisco IOS Network Security v2.0 (IINS) Implementing Cisco IOS Network Security v2.0 (IINS) Course Overview: Implementing Cisco IOS Network Security (IINS) v2.0 is a five-day instructor-led course that is presented by Cisco Learning Partners

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

NERC CIP Compliance Gaining Oversight with ConsoleWorks

NERC CIP Compliance Gaining Oversight with ConsoleWorks NERC CIP Compliance Gaining Oversight with ConsoleWorks The current challenge for many Utility companies is finding efficient ways to gain oversight and control over NERC CIP regulation compliance. NERC

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

Security in the smart grid

Security in the smart grid Security in the smart grid Security in the smart grid It s hard to avoid news reports about the smart grid, and one of the media s favorite topics is security, cyber security in particular. It s understandable

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information