NERC CIP Compliance 10/11/2011


Authored by
Dan Barker, American Transmission Co.
Ron Bender, Nebraska Public Power District
Richard Burt, Minnkota Power Cooperative, Inc.
Marc Child, Great River Energy
Marc Gaudette, Dominion
Jennifer White, Alliant Energy

The Midwest Reliability Organization (MRO) Standards Committee (SC) is committed to providing training and non-binding guidance to industry stakeholders regarding existing and emerging Reliability Standards. Any materials, including presentations, were developed through the Standards Committee by Subject Matter Experts from member organizations within the MRO. The materials have been reviewed by MRO staff and provide reasonable application guidance for the standard(s) addressed. Ultimately, demonstrating compliance depends on a number of factors, including the precise language of the standard, the specific facts and circumstances, and the quality of evidence. These documents may be reproduced or distributed to any person or entity only in their entirety.

Cleveland Avenue N, Roseville, MN
Phone (651) Fax (651)

Contents

Introduction
Paper Overview
General Recommendations
CIP Critical Cyber Asset Identification
CIP Security Management Controls
CIP Personnel and Training
CIP Electronic Security Perimeters
CIP-006-3c Physical Security of Critical Cyber Assets
CIP Systems Security Management
CIP Incident Reporting and Response Planning
CIP Recovery Plans for Critical Cyber Assets
Summary
About the Authors

[NERC CIP Compliance] Page 2

Introduction

This paper has been developed to address NERC CIP compliance. The focus of this paper is not on specific requirements, but rather on the overarching goal of achieving compliance and demonstrating that achievement. The question answered herein applies to every single entity: How do I demonstrate that I'm complying with the NERC CIP Standards?

The key to successful compliance is to concentrate on performance and doing the right thing while simultaneously collecting and maintaining evidence to demonstrate that performance. It is easier to demonstrate compliance if the programs, documentation, and process outputs are designed with that task in mind. Though the recommendations within this paper focus on demonstrating compliance, there may also be program design and configuration suggestions that overlap with achieving compliance.

Registered entities are in various stages of compliance: some have established, effective compliance programs, while others are still developing compliance programs and considering the implications of CIP compliance. The authors of this paper have varied levels of audit experience, ranging from sufficiency audits to audits of all 43 requirements in the CIP Standards. The guidance within this paper is derived from those experiences, as well as the experiences of creating and implementing CIP compliance programs in general. The recommendations in this paper should be helpful to entities responsible for implementing brand new programs as well as those entities engaged in adjusting existing programs to more effectively achieve compliance after audit experiences or program maturation.

Paper Overview

The authors of this paper engaged in hours of discussion over the finer points of interpretation, security practices, and system capability. At the end of those discussions, the authors didn't always agree. In order to ensure that the results were based on a strict application of the language of the Standards, the results of those conversations have been categorized into the following sections:

General Recommendations: A successful compliance program relies heavily on a few, universally applied principles. These principles are so central that they were repeated in the discussion of every single requirement. The recommendations in this section should be remembered and revisited when each component of a compliance program is designed.

CIP through CIP-009-3: In addition to the general recommendations, each Standard has an approach more likely to yield success than another. Those approaches have been identified in each section using the following elements:

The actual Standards language is included in each section for reference and ease of use.

Definitions sections identify the terms in each Standard that should be clearly documented by the entity. Actual definitions are not provided, as they will differ based on the individual compliance program. Instead, these are lists of terms used simply to identify those that become pivotal within that compliance program.

Recommendations for each requirement are based on strict application. Where sub-requirements require additional information, they are specifically addressed. It is important to remember that all of the recommendations are to be understood as suggestions and are non-binding application guidance.

Tips are included within each Recommendations section. Adherence to these tips is not required for strict compliance. Instead, following this guidance may make compliance easier to achieve or demonstrate.

Notes are also provided in the Recommendations sections where additional considerations are necessary. They contain detail that should be considered when implementing the recommendation.

Evidence sections include a high-level list of the types of evidence that an auditor will likely request, or the types of evidence that, if provided, will give the auditors a clear demonstration of compliance. Of course, additional evidence may be appropriate based on the specific compliance implementation. If it clearly answers a compliance question or demonstrates an activity required for compliance, it's a good idea to include it, regardless of whether or not it appears in the evidence lists in this paper.

Summary: This paper is based on Version 3 of the CIP Standards. The authors are aware that at least two more versions are underway and in various states of draft and/or approval. The body of this paper does not address future versions or anticipated changes within those versions.

General Recommendations

While there are details within each requirement that require specific attention, some aspects of compliance are consistent throughout. Each recommendation in this section can be applied to most, if not all, of the requirements. When developing the individual components of a compliance program, each of these recommendations should be revisited. Where any of these can be uniquely applied to an individual requirement, they will be mentioned again in that section.

Documentation: If you didn't document it, you didn't do it. Many of the requirements speak directly to documenting a program or process. However, not all documents are created equal.
o Structure: Documents used for compliance should have components that ensure inclusion of necessary information, change management, and references to other relevant documents. Remember your audience and choose a format that allows users and auditors to find information quickly and easily. Helpful components include: Owner/Approver, Definitions, Purpose (mapped to the CIP requirement addressed), Procedure, etc.
o Revision history: Revision history makes it possible to demonstrate that revisions are made in accordance with implementation deadlines, procedural change timeframes, annual reviews, etc. Keeping revision history will establish point-in-time compliance. It is also helpful to have a summary of what changed with each revision. Maintain revision history for the duration of the audit period.
o Roles and Responsibilities: Written procedures are a great way to ensure that each individual knows his or her role in the process. Additionally, they help add clarity in identifying a Subject Matter Expert (SME) to participate during an audit.
o Tip: Unless required by the Standards, use titles, not names.

Evidence Considerations: Evidence is more than just documentation. Demonstrating compliance usually means corroborating evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.

The best types of evidence are consistent throughout the organization. For example, NERC CIP changes should require the same request form and follow the same processes, yielding exactly the same types of output. They should also provide reliable time/date stamps that are difficult to falsify. As an example, screen captures should include a visible time and date stamp within the capture. Attestations provided for compliance activities are considered weaker evidence, which may need to be corroborated with stronger evidence. But where demonstration of a null list or the absence of an activity is necessary, an attestation may be the only record that can be provided in addition to the documented process; therefore an attestation may be sufficient.

Reviews: Another item expressly addressed throughout the CIP Standards is the requirement to conduct reviews. Each documented process should be accompanied by a description of how reviews are initiated, conducted, and tracked. Rigor and formality in this process will be rewarded. For each documented review, the auditor should easily understand:
o Who was the reviewer?
o What content was reviewed?
o When was it reviewed?
o What changes were made? If any, how were they communicated?

Definitions: Each requirement may contain words or phrases that are not entirely clear. Even industry terms can be applied differently in relation to a specific program or device. NERC has published, and continues to publish, documents that can be used to understand what is meant by the terms included in the Standards. These documents include, but are not limited to, Compliance Application Notices (CANs), Reliability Standard Audit Worksheets (RSAWs), interpretation documents, and guidance documents. Even though these documents can provide assistance, it is the obligation of the entity to ensure that the definition or interpretation in use is documented. It's reasonable to use definitions from trusted resources in the industry, but reliance on that definition should be supported in a documented part of the specific program to which it applies. In fact, even where using a definition provided by NERC, ensure that the definition is documented with the program for point-in-time understanding of the entity's implementation of CIP compliance.

References: There are many available guidance documents for writing emergency and operating plans, determining sound security practices, specifications for configuration of physical and electronic controls, industry standards, etc. Adhering to the guidance within those materials can aid in developing and maintaining compliance programs, as well as demonstrate rigor in researching available solutions. Maintain copies of source material to provide during audits, as this can help explain why specific elements were implemented.

Support: Within the organization, it's possible that disparate groups engage in the support of the assets within the scope of CIP compliance. Historically segregated IT and business areas are sharing responsibilities and control in order to achieve compliance. Configurations required for compliance should be protected by strong change control processes and clear documentation outlining roles and responsibilities. Personnel who may only be peripherally involved in support of CIP assets, perimeters, and information should receive CIP training.

Correlation: Ensure a broad understanding of all the NERC Reliability Standards (BAL, COM, CIP, EOP, FAC, INT, IRO, MOD, NUC, PER, PRC, TOP, TPL, VAR) when developing a CIP Compliance program. This understanding should include reporting obligations, definitions, and any cross-references. Ensure that documented processes are consistent throughout the entity's compliance programs.

Audits: When resources and time allow, internal and vendor audit resources should be considered for program definitions, targeted auditing, or full mock audits. The entity can rehearse interviewing, learn about its ability to respond to audit scenarios or information requests, practice compiling evidence and documentation, and identify potential insufficiencies. It can be helpful to check with neighboring entities for reliable vendors. A pre-audit conference call or meeting with MRO audit staff is strongly encouraged by MRO to address questions and answers. Keep in mind that MRO staff will answer questions like "What evidence is required to demonstrate compliance?" but will not answer "If I do this, will I be compliant?"

Collaboration: Within the constraints of information protection, entities can benefit from sharing program designs, interpretations, implementation tips, and audit experiences. Collaboration can result in innovative solutions to common problems, increased leverage when dealing with common vendors, as well as shared expertise and lessons learned.

Note: It's important to remember that individual audit experiences may vary, and information should be carefully weighed by each entity before action, even if that information is contained within this paper.

Timing: Consider your compliance activities when scheduling major projects that may share personnel, technology, or other resources. Consider freezes on technology or process changes when preparing for a regional audit, schedule internal audit activities outside of self-certification windows, etc. Wherever possible, avoid competition for those resources so that individual priorities line up appropriately.

CIP Critical Cyber Asset Identification

The creation of a Risk-Based Assessment Methodology for identifying Critical Assets and the subsequent evaluations of criticality for the associated cyber devices will ultimately determine the size and scope of the entity's CIP compliance program, including the applicability of the CIP-003 through CIP-009 Standards.

CIP Requirements:

R1. Critical Asset Identification Method: The Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets.
R1.1. The Responsible Entity shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria.
R1.2. The risk-based assessment shall consider the following assets:
    Control centers and backup control centers performing the functions of the entities listed in the Applicability section of this standard.
    Transmission substations that support the reliable operation of the Bulk Electric System.
    Generation resources that support the reliable operation of the Bulk Electric System.
    Systems and facilities critical to system restoration, including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration.
    Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more.
    Special Protection Systems that support the reliable operation of the Bulk Electric System.
    Any additional assets that support the reliable operation of the Bulk Electric System that the Responsible Entity deems appropriate to include in its assessment.

R2. Critical Asset Identification: The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually, and update it as necessary.

R3. Critical Cyber Asset Identification: Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-3, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.

R4. Annual Approval: The senior manager or delegate(s) shall approve annually the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)'s approval of the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null).

Definitions: The terminology used within any CIP-002 risk-based methodology should be carefully defined and included in all documentation. If any proprietary terms impact the risk-based methodology or its application, be sure to include those, as well as the following:
o Essential to the operation of the critical asset: Have some criteria for this evaluation.
o Annual: Be sure to document what you consider annual (once per calendar year, 12 rolling months, etc.). Even if this lines up with the NERC guidance document, write it down.
o Control Center, Critical Asset, Critical Cyber Asset, and Cyber Assets: These are all terms that have industry-established definitions, but entities should consider including those definitions within compliance documentation. Documenting the definition will also allow the entity to add qualifiers and conditions that may be useful in determining inclusion or exclusion of devices or locations while demonstrating that compliance is still achieved.

Recommendations:

CIP R1 Critical Asset Identification Method and R2 Critical Asset Identification
o R1.2 is formatted to include sub-requirements for each type of asset that should be included in the risk-based methodology. Consider mapping documentation to those sub-requirements. Also, use common terminology or ensure direct mapping from proprietary terminology to the verbiage used within the Standards.
o Document the criteria used to evaluate the criticality of each type of asset. It might be helpful to enlist Bulk Electric System (BES) Asset Subject Matter Experts (SMEs) to assist in the establishment of those criteria, as they are the best equipped to understand impact and criticality.
o Document the process for applying the risk-based methodology and completing the evaluation. Include the results of the evaluations (scorecard) and the name(s) and expertise of the individual(s) completing the assessment.
o The application of the risk-based methodology should start with a complete inventory of all systems and assets. Clearly document any filter applied to the inventory before the application of the risk-based methodology that reduces the number of assets considered. The risk-based methodology should also include a dynamic understanding of the entire list of systems and assets to be assessed.
o Ensure that new assets can be added in between approval cycles to address periodic changes to BES assets. It may help to keep documentation from regular meetings designed to address any changes.
o If the application of the risk-based methodology results in a null list, the application results and the list itself must be documented.

o Avoid basing an evaluation on any assets, facilities, or systems as though they are isolated. Make sure you are considering common mode failures.
o If any additional assets are identified pursuant to R1.2.7, ensure complete documentation of the criteria or definitions used to identify them.

CIP R1 and R2 Evidence Considerations:
o Critical Asset identification risk-based methodology
o Annual records of the application of the risk-based methodology (dated scorecards)
o Critical Asset List or null attestation

CIP R3 Critical Cyber Asset Identification
o Document the criteria used to evaluate the criticality of each type of cyber asset. It might be helpful to enlist system administrators for each type of asset, system, or perimeter in the establishment of those criteria, as they are best equipped to understand impact and criticality.
o Document the process for applying the risk-based methodology and completing the criticality evaluation. Include the process of acquiring the original list of cyber devices to which the risk-based methodology will be applied, the results of the criticality evaluations (scorecard), and the name(s) and expertise of the individual(s) completing the assessment.
o For both the criticality methodology and associated documentation, consider grouping Critical Cyber Assets (CCAs) based on identified subcategories (e.g., Operating System (OS), device type, etc.). These categories can expedite the application of the risk-based methodology and make it easier to create documentation for the other Standards.
o Once the criteria for determining the criticality of a cyber asset are determined, consider removal of non-critical Cyber Assets (NCCAs) from within Electronic Security Perimeters (ESPs) that house CCAs (e.g., printers). Because NCCAs within the ESP must be protected in most of the ways CCAs must be protected, reduction of that list will reduce the overall compliance effort.
o Be prepared to defend what is on your list and what is not on your list.

CIP R3 Evidence Considerations:
o Critical Cyber Asset identification methodology
o Annual records of the application of the methodology (dated scorecards)
o Critical Cyber Asset list or null attestation

CIP R4 Annual Approval
o Ensure that the senior manager designated in accordance with CIP-003 R2 has, on an annual basis, approved, signed and dated:
    the risk-based assessment methodology for determining Critical Assets (new in CIP and continued in CIP-002-3)
    the list of Critical Assets
    the list of Critical Cyber Assets
o If a delegate has approved, signed and dated any of the identified lists or methodologies, ensure the delegation of those responsibilities is documented.
o If any null lists exist for the CA or CCA identification, they must still be approved, signed, and dated.

CIP R4 Evidence Considerations:
o Dated Sr. Manager or delegate approval for the Critical Asset identification risk-based methodology
o Dated Sr. Manager or delegate approval for the Critical Asset List or null attestation
o Dated Sr. Manager or delegate approval for the Critical Cyber Asset List or null attestation

CIP Security Management Controls

The requirements in CIP-003 need to be considered for more than just the Security Management Controls. Due to potentially related procedures and literal cross-references, many of the requirements in CIP-007 will tie back to the requirements herein. It is up to each entity to determine the extent to which these relationships between the Standards will create relationships in the individual procedures. Whether operationally tied or not, where cross-references exist, the requirements should be considered as additive requirements rather than as replacements.

CIP Requirements:

R1. Cyber Security Policy: The Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
R1.1. The cyber security policy addresses the requirements in Standards CIP through CIP-009-3, including provision for emergency situations.
R1.2. The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets.
R1.3. Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2.

R2. Leadership: The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of, and adherence to, Standards CIP through CIP.
R2.1. The senior manager shall be identified by name, title, and date of designation.
R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.
R2.3. Where allowed by Standards CIP through CIP-009-3, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
R2.4. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.

R3. Exceptions: Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).
R3.1. Exceptions to the Responsible Entity's cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s).
R3.2. Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures.
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented.

R4. Information Protection: The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-3, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information.
R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information.
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

R5. Access Control: The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
    Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
    The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.

R6. Change Control and Configuration Management: The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.

Definitions: In addition to those listed below, any proprietary terms used in the application of CIP should be included in any related documentation:
o Emergency Situations: It might be helpful to include examples or criteria with a definition.
o Critical Cyber Asset Information: While an information protection program can be compliant without having a special classification for NERC CIP information, be prepared to defend any information included in, and especially excluded from, the overall information protection program as it relates to the types of information prescribed by the Standards.

15 Recommendations: CIP R1 Cyber Security Policy o The Cyber Security Policy is the only document requiring a senior manager signature that cannot be delegated. Ensure the individual identified in CIP-003 R2 is the individual that signs/approves this policy. o For R1.1, including provision for emergency situations, is an additive requirement and must be addressed. It may help to treat it as a separate requirement. Ensure thorough documentation of the individual(s) with authority to declare and conclude emergency situations, along with the specific procedures for those activities. Document the changes to normal operating procedures that are allowed during emergency situations, as well as the compensatory measures in place to mitigate risk. (e.g., emergency change controls, exceptions to physical and logical controls, etc.). o If your organization has a corporate emergency restoration or business continuity plan, it is important to ensure that these plans do not contain instructions or processes that contradict those in place for compliance. To the extent that it is possible, cross-references will aid responders in ensuring all requirements are met. o If your organization allows electronic signatures, consider document management systems to expedite approvals. o For R1.2, be prepared to demonstrate that all personnel have access to the cyber security policy. The text within the policy should explicitly state that availability, as well as any electronic or hardcopy methods of dissemination. Be sure to address availability for external personnel. o TIP: Methods for ensuring availability for external personnel include, but are not limited to: access to company/corporate internet pages, delivery with annual training, mailings, or corporate/company billboards. 
CIP R1 Evidence Considerations: A Cyber Security Policy Evidence of availability Dated Senior Manager review and approval record CIP R2 Leadership o This procedure should, at a minimum, address: The process for documenting the designation of the Senior Manager responsibilities and any relationship to other roles within the organization Any delegation processes specific to these responsibilities, including the approval of the delegation by the Senior Manager Processes for changing the designation of the Senior Manager or any delegates due to personnel changes or absence. o Ensure procedures include the relevant documentation updates within 30 calendar days of the personnel changes. [NERC CIP Compliance] P a g e 15

o TIP: Consider an official form for any delegation which specifies the responsibilities being delegated and the period of delegation.
o TIP: Minimize delegation. Delegation used in excess can create a negative impression of corporate leadership and their awareness of and engagement in CIP activities.

CIP-003 R2 Evidence Considerations:
- Designation of a Senior Manager
- Senior Manager approval for delegates
- List of delegates with responsibilities
- Evidence of documentation updates for personnel changes

CIP-003 R3 Exceptions
o Even if no exceptions are currently necessary, processes for declaration, authorization, and conclusion should be documented.
o Within exception processes, the potential scope of allowable exceptions, any relationship to Technical Feasibility Exceptions (TFEs), and documentation requirements for necessity and compensatory measures should be addressed.
o Approval procedures should address annual reviews for existing exceptions as well as approval of new exceptions outside of the annual review cycle.
o Exception approval and review records should include, at a minimum:
  - Exception duration
  - Senior Manager approval date
  - Summary of the exception, along with its necessity
  - Risk analysis
  - Mitigation/compensatory measures
  - Subsequent evidence of annual review and approval
o TIP: Long-term exceptions are discouraged within successful compliance programs, unless required by technical infeasibility and documented in accordance with those requirements.

CIP-003 R3 Evidence Considerations:
- Initial exception review / approval records
- Annual Senior Manager review / approval records

CIP-003 R4 Information Protection
o Information classifications should be defined, including the individual(s) or role(s) that determine the classification and what protective measures need to be applied based on that classification.
o Information Protection policies and procedures should ensure the protection of information throughout its lifecycle. Procedures should address labeling, access controls, proper handling/distribution, proper use, storage, and disposal.

o Before classifying information, ensure awareness of its uses, both internally and publicly. For example, in some locations, floor plans are stored at the county courthouse. In those instances, a confidential classification may not make sense unless a copy of that floor plan includes additional, sensitive information.
o For R4.3, ensure a procedure for the assessments is documented, including initiation, required personnel, sampling criteria, etc. Define any situations or criteria that would constitute a deficiency, as well as acceptable timeframes for mitigations. Document the process for creating mitigation plans and ensuring completion within specified timeframes. Also, ensure that the results from the annual assessments are maintained. Official forms may be helpful for capturing assessment information.
o TIP: Information protection policies and procedures should be flexible enough to address newly identified types of information and repositories.
o TIP: An information protection program should include the components found in requirement R4.
o TIP: If existing information protection policies will be used for NERC CIP compliance, ensure an annual review of those policies if not already implemented.

CIP-003 R4 Evidence Considerations:
- Information Protection policies and procedures
- Assessment methodology
- Assessment results and action plans

CIP-003 R5 Access Control
o This requirement is not limited to information protection; it should also be used to establish access controls for account management as a product of the cross-reference in CIP-007 R5. As those sub-requirements relate to account management, they will be addressed in that section of this white paper.
o Know what you have and where it lives. For information, this means a comprehensive understanding (which can be an inventory) of existing information is the first step. This includes formats, physical and electronic repositories, any copies, etc. With respect to information, the Standards do not explicitly require an information inventory, though it is easy to see how maintenance of an inventory would aid ongoing compliance. At a minimum, an annual collection and review of the quantity, quality, and location of information is sufficient.
o Be cognizant of duplicate data used for multiple types of documentation and different business needs. Multiple controls and repositories may be appropriate to limit access appropriately.
o At least once annually, the actual access to each repository should be identified, reviewed, and verified as appropriate. Understand that this list may include personnel (IT or physical plant) that support the infrastructure in addition to users of the actual information. Even though these personnel do not use the actual information, a business need for that access is still demonstrated, as it is required to perform support functions.
o The annual components of this requirement apply only to the access reviews, but access controls are 24/7. Ensure that access to information, either electronic or physical, has robust change control implemented. This can mean using the same kinds of request, prerequisite, configuration, and removal processes/timeframes as are implemented for CCA access, but that level is not required.
o In order to demonstrate the ability to understand point-in-time access to NERC CIP information, you should either maintain a list with real-time updates to actual access or be able to generate the current list of actual access at any time. Thoroughly document whatever controls are in place to ensure one or the other.
o For R5.2, the lists of access, the reviews for appropriateness, the personnel performing the reviews, and any corrections/mitigations for identified issues should all be included in the documentation of assessments.
o For R5.3, the controls in place to protect information should be reviewed. To make this possible, all controls must be documented, and those processes and procedures should be reviewed at least once annually.
o TIP: Design your data management system to be as automated as possible for tracking, reviewing, approving, and communicating access changes and changes to the information itself.

CIP-003 R5 Evidence Considerations:
- List of personnel responsible for authorizing information access, which includes names and titles
- Annual verification of the list of personnel responsible for authorizing information access
- Annual review / verification of the access privileges for information
- Annual review of the process for controlling access

CIP-003 R6 Change Control and Configuration Management
o For configuration management, identify the list of attributes that will be tracked for each protected cyber asset. To ensure an ongoing understanding of the configuration of protected devices, create a process and a schedule for verifying the accuracy of the attributes.
o For change control, the first step is to thoroughly define the changes that must be documented through this program. Consider decision trees or examples to help determine whether or not change control processes are required.
o TIP: For defining significant changes, start with the list of significant changes identified in CIP-007 R1 and R7 and add any others, as appropriate to the protected systems. In some cases, changes within the application (e.g., clearance code changes for physical access control systems) may constitute the kinds of changes requiring formal request and approval processes.

o Change control programs should identify normal change control processes, which include formal/documented:
  - request processes that include a description of the change thorough enough to allow the approver to understand the changes and identify any BES risk or impact
  - identification of the appropriate approver(s)
  - signed (electronic or manual) and dated approval
  - completion date of the change
o Change control and configuration management programs should have clear request and approval processes for vendor-related or vendor-initiated changes before the changes are implemented.
o Consider linking test records from CIP-007 R1 to change control processes to ensure traceability between any significant changes and the required security testing. NOTE: Be aware that linking change control to security testing by using the exact same definitions for significant change may programmatically force security posture testing for application changes that do not impact the security of the device itself. Analyze several change examples to ensure each program is joined where feasible and separated where reasonable.
o Consider linking documentation updates to related changes. This can help demonstrate that changes to documentation were made within compliance timeframes (usually 30 calendar days).
o Exceptions to normal change control processes should be documented. Emergency change control processes, if allowed, should define acceptable circumstances for initiation, approval processes, and personnel authorized to make decisions if primary change approvers or implementers are unavailable.
o If emergency changes are allowed, document their relationship, or lack of relationship, to the emergency provisions identified for CIP-003 R1.1 or even other standards. An emergency situation, such as a flood, may not require emergency changes to any individual cyber assets. Likewise, the necessary changes may be isolated to a situation requiring immediate resolution for an individual asset rather than any kind of over-arching emergency situation.

CIP-003 R6 Evidence Considerations:
- Documented Change Control & Configuration Management process
- Change records

CIP-004 Personnel and Training

One of the most violated of the Standards is CIP-004. This is probably not due to the difficulty of compliance, but rather to the strict timelines associated with each requirement and the volume of individual records needed to prove compliance. Process documentation will be particularly important, as it will aid in the understanding of inputs and outputs for each step of any automated or manual processes. This documentation will also help internal and external personnel understand specific responsibilities and associated timeframes. Lastly, auditors attempting to understand the implemented access controls will rely on process documentation and dated evidence to determine compliance.

CIP-004 Requirements:

R1. Awareness
The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
  - Direct communications (e.g., e-mails, memos, computer based training, etc.);
  - Indirect communications (e.g., posters, intranet, brochures, etc.);
  - Management support and reinforcement (e.g., presentations, meetings, etc.).

R2. Training
The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.
R2.1. This program will ensure that all personnel having such access to Critical Cyber Assets, including contractors and service vendors, are trained prior to their being granted such access except in specified circumstances such as an emergency.
R2.2. Training shall cover the policies, access controls, and procedures as developed for the Critical Cyber Assets covered by CIP-004-3, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
  R2.2.1. The proper use of Critical Cyber Assets;
  R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
  R2.2.3. The proper handling of Critical Cyber Asset information; and,
  R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.
R2.3. The Responsible Entity shall maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.

R3. Personnel Risk Assessment
The Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. A personnel risk assessment shall be conducted pursuant to that program prior to such personnel being granted such access except in specified circumstances such as an emergency. The personnel risk assessment program shall at a minimum include:
R3.1. The Responsible Entity shall ensure that each assessment conducted include, at least, identity verification (e.g., Social Security Number verification in the U.S.) and seven-year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position.
R3.2. The Responsible Entity shall update each personnel risk assessment at least every seven years after the initial personnel risk assessment or for cause.
R3.3. The Responsible Entity shall document the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004-3.

R4. Access
The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained.
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

Definitions:
In addition to those listed below, any proprietary terms used in the application of CIP-004 should be included in any related documentation:
o Authorized Electronic Access or Authorized Physical Access: It might be helpful to define these where subtle aspects might materially change the access controls in place.
o Quarterly: Like "annual," this term can be interpreted in a couple of different ways. Document whether this is a rolling quarter or a calendar quarter.
o Action plans and procedures: Given the sensitive nature of actual response and recovery plans, it may not be appropriate to share the full plan prior to granting access. For the purposes of training, create a reasonable abstract that can be used to meet this requirement.

Recommendations:

CIP-004 R1 Awareness
o The quarterly awareness program process documentation should include typical or acceptable communication methods and frequency, as well as the type of content that is considered acceptable for the scope of this requirement.
o Security messages can relate specifically to NERC CIP or to general security concepts.
o Evidence that quarterly awareness messages have been made available should be kept and should include the date of the message and the specific delivery method.
o Ensure that the awareness messages are made available to everyone with NERC CIP access and that any special communication methods used to reach vendors and off-site personnel are documented.

o Evidence of the receipt/attendance for awareness messages is not required.
o TIP: Use multiple communication methods to reach all intended audience members (e.g., company intranet for internal personnel plus an e-mail message directly to external personnel).

CIP-004 R1 Evidence Considerations:
- Documented quarterly awareness program
- Content of quarterly awareness messages
- Method of dissemination

CIP-004 R2 Training
o Training must be delivered to every individual with physical or cyber access; this will include physical plant workers, support personnel, and vendors. Document the controls that prevent access configuration without training and ensure that evidence of training reflects the necessary time/date stamps.
o If third-party training solutions or vendor-provided training courses are used, ensure the content can be mapped back to the R2.2 requirements, and obtain copies of the content. Be prepared to demonstrate that all training used to comply with this requirement meets the same criteria. If the training content cannot be modified to meet the requirements, be prepared to supplement it.
o All content requirements of R2.2 must be met prior to actual access being granted within the system.
o The training program needs to encompass all authorized internal and external personnel. Training records need to be maintained and accessible for demonstrating compliance. Ensure the attendance records include the necessary time and date stamps and/or signatures. Attestations or lists from third-party companies with names and dates may not be sufficient.
o TIP: In order to ensure delivery of the training to all personnel with access, consider multiple delivery methods and even multiple types of courses relative to each type of access. All training courses, regardless of media or audience, should map back to the content listed in R2.2.

CIP-004 R2 Evidence Considerations:
- Documented annual training program
- Annual training content, mapped back to R2.2, at a minimum
- Annual program review record
- Dated attendance records (correlation with dated access configuration records will be required for audit)

CIP-004 R3 Personnel Risk Assessment
o As with training, the Personnel Risk Assessment (PRA) program needs to accommodate internal and external individuals. Be prepared to provide the actual results from the PRA for each individual who has or has had physical or cyber
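One way to perform the correlation of dated training, PRA, access-list and revocation records that the CIP-004 requirements and the R2 evidence note above call for, as an added example that is not part of the MRO paper; the record layout, the 92-day reading of "quarterly", the 365-day year used for the seven-year PRA check, and all sample names and dates are constructed assumptions:

```python
"""CIP-004 evidence correlation check (added example, not from the MRO paper).

Correlates dated training, PRA, access-grant, access-list and revocation
records and reports which CIP-004 timelines each record fails.  The record
layout, field names and all sample dates are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LIST_UPDATE_DAYS = 7                      # R4.1: update access list within seven calendar days
REVOKE_NO_NEED_DAYS = 7                   # R4.2: seven calendar days when access is no longer needed
REVOKE_FOR_CAUSE = timedelta(hours=24)    # R4.2: 24 hours when terminated for cause
PRA_RENEWAL_DAYS = 7 * 365                # R3.2: refresh at least every seven years (assumed 365-day years)


@dataclass
class AccessRecord:
    """One person's dated evidence trail; None means no record exists."""
    name: str
    training_completed: Optional[datetime]
    pra_completed: Optional[datetime]
    access_granted: Optional[datetime]
    list_updated: Optional[datetime]             # date the access list reflected the grant
    removal_trigger: Optional[datetime] = None   # termination date, or date the access need ended
    for_cause: bool = False
    access_revoked: Optional[datetime] = None


def calendar_days(start: datetime, end: datetime) -> int:
    """Whole calendar days between two timestamps, ignoring time of day."""
    return (end.date() - start.date()).days


def revocation_late(trigger: datetime, done: datetime, for_cause: bool) -> bool:
    """R4.2 deadline test: 24 clock hours for cause, otherwise seven calendar days."""
    if for_cause:
        return done - trigger > REVOKE_FOR_CAUSE
    return calendar_days(trigger, done) > REVOKE_NO_NEED_DAYS


def check_record(rec: AccessRecord, as_of: datetime) -> List[str]:
    """Return one finding string per CIP-004 timeline the record fails."""
    findings: List[str] = []
    if rec.access_granted is not None:
        granted = rec.access_granted
        # R2.1: training (with all R2.2 content) must be dated before the access grant
        if rec.training_completed is None or rec.training_completed > granted:
            findings.append(f"{rec.name}: R2.1 no training record dated before access grant")
        # R3: a PRA must precede the grant and (R3.2) be refreshed within seven years
        if rec.pra_completed is None or rec.pra_completed > granted:
            findings.append(f"{rec.name}: R3 no PRA record dated before access grant")
        elif calendar_days(rec.pra_completed, as_of) > PRA_RENEWAL_DAYS:
            findings.append(f"{rec.name}: R3.2 PRA older than seven years")
        # R4.1: the access list must reflect the change within seven calendar days
        if rec.list_updated is None or calendar_days(granted, rec.list_updated) > LIST_UPDATE_DAYS:
            findings.append(f"{rec.name}: R4.1 access list not updated within seven calendar days")
    if rec.removal_trigger is not None:
        # If access was never revoked, measure against the as-of date of the check
        done = rec.access_revoked if rec.access_revoked is not None else as_of
        if revocation_late(rec.removal_trigger, done, rec.for_cause):
            state = "revoked" if rec.access_revoked is not None else "still active"
            findings.append(f"{rec.name}: R4.2 access {state} after the revocation deadline")
    return findings


def audit(records: List[AccessRecord], as_of: datetime) -> List[str]:
    """Run check_record over every record and flatten the findings."""
    return [finding for rec in records for finding in check_record(rec, as_of)]


def quarterly_review_gaps(review_dates: List[datetime], max_gap_days: int = 92) -> List[int]:
    """R4.1 quarterly review: return the day gaps between consecutive reviews that
    exceed max_gap_days.  The 92-day bound is an assumed rolling-quarter reading;
    a calendar-quarter program would test differently."""
    ordered = sorted(review_dates)
    gaps = [calendar_days(a, b) for a, b in zip(ordered, ordered[1:])]
    return [gap for gap in gaps if gap > max_gap_days]


# Constructed sample evidence (not real personnel or dates).
SAMPLE_RECORDS = [
    AccessRecord("Alice (employee)", datetime(2011, 1, 10), datetime(2010, 12, 20),
                 datetime(2011, 1, 12), datetime(2011, 1, 14)),
    # trained five days after access was configured
    AccessRecord("Bob (vendor)", datetime(2011, 2, 15), datetime(2011, 2, 1),
                 datetime(2011, 2, 10), datetime(2011, 2, 10)),
    # terminated for cause, access removed 30 hours later
    AccessRecord("Carol (employee)", datetime(2010, 6, 1), datetime(2010, 5, 1),
                 datetime(2010, 6, 3), datetime(2010, 6, 4),
                 removal_trigger=datetime(2011, 3, 1, 9, 0), for_cause=True,
                 access_revoked=datetime(2011, 3, 2, 15, 0)),
    # access list updated 18 days after the grant
    AccessRecord("Dave (contractor)", datetime(2010, 8, 1), datetime(2010, 7, 1),
                 datetime(2010, 8, 2), datetime(2010, 8, 20)),
    # no longer needed access, revoked on the seventh calendar day (compliant)
    AccessRecord("Erin (employee)", datetime(2010, 9, 1), datetime(2010, 8, 1),
                 datetime(2010, 9, 2), datetime(2010, 9, 2),
                 removal_trigger=datetime(2011, 4, 1), access_revoked=datetime(2011, 4, 8)),
]
SAMPLE_REVIEWS = [datetime(2011, 1, 5), datetime(2011, 4, 4), datetime(2011, 7, 20), datetime(2011, 10, 3)]
AS_OF = datetime(2011, 10, 11)

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, AS_OF):
        print(finding)
    print("quarterly review gaps over 92 days:", quarterly_review_gaps(SAMPLE_REVIEWS))
```

Each finding names the requirement it maps to, so the output doubles as a checklist of which dated evidence to pull for an auditor.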


More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Transmission Function Employees Job Titles and Descriptions 18 C.F.R 358.7(f)(1)

Transmission Function Employees Job Titles and Descriptions 18 C.F.R 358.7(f)(1) Date of Last Change to the Provided Information August 27 th, 2015 Director, Transmission Operations The employee in this position is responsible for effectively managing the operation of FirstEnergy Utilities

More information

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to

More information

CIP-003-6 R2 BES Assets Containing Low Impact BCS. Lisa Wood, CISA, CBRA, CBRM Compliance Auditor Cyber Security

CIP-003-6 R2 BES Assets Containing Low Impact BCS. Lisa Wood, CISA, CBRA, CBRM Compliance Auditor Cyber Security CIP-003-6 R2 BES Assets Containing Low Impact BCS Lisa Wood, CISA, CBRA, CBRM Compliance Auditor Cyber Security Slide 2 About Me Been with WECC for 5 years 1 ½ years as a Compliance Program Coordinator

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in

More information

Union County. Electronic Records and Document Imaging Policy

Union County. Electronic Records and Document Imaging Policy Union County Electronic Records and Document Imaging Policy Adopted by the Union County Board of Commissioners December 2, 2013 1 Table of Contents 1. Purpose... 3 2. Responsible Parties... 3 3. Availability

More information

Muscle to Protect Your Grid July 2009. Sustainable and Cost-effective Muscle to Protect Your Grid

Muscle to Protect Your Grid July 2009. Sustainable and Cost-effective Muscle to Protect Your Grid July 2009 Sustainable and Cost-effective Muscle to Protect Your Grid Page 2 Ensuring the reliability of the North American power grid is no small task and one that continues to grow in complexity on a

More information

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

PHASE 9: OPERATIONS AND MAINTENANCE PHASE

PHASE 9: OPERATIONS AND MAINTENANCE PHASE PHASE 9: OPERATIONS AND MAINTENANCE PHASE During the Operations and Maintenance Phase, the information system s availability and performance in executing the work for which it was designed is maintained.

More information

Cyber Security Compliance (NERC CIP V5)

Cyber Security Compliance (NERC CIP V5) Cyber Security Compliance (NERC CIP V5) Ray Wright NovaTech, LLC Abstract: In December 2013, the Federal Energy Regulatory Commission (FERC) issued Order No. 791 which approved the Version 5 CIP Reliability

More information

Midwest Reliability Organization Procedure For NERC PRC-012

Midwest Reliability Organization Procedure For NERC PRC-012 Midwest Reliability Organization Procedure For NERC PRC-012 A. Introduction The following procedure developed by the MRO Protective Relay Subcommittee (PRS) and Transmission Assessment Subcommittee (TAS)

More information

NB Appendix CIP-004-5.1-NB-1 - Cyber Security Personnel & Training

NB Appendix CIP-004-5.1-NB-1 - Cyber Security Personnel & Training This appendix establishes modifications to the FERC approved NERC standard CIP-004-5.1 for its specific application in New Brunswick. This appendix must be read with CIP-004-5.1 to determine a full understanding

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

From Chaos to Clarity: Embedding Security into the SDLC

From Chaos to Clarity: Embedding Security into the SDLC From Chaos to Clarity: Embedding Security into the SDLC Felicia Nicastro Security Testing Services Practice SQS USA Session Description This session will focus on the security testing requirements which

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation Copyright, AlgoSec Inc. All rights reserved The Need to Ensure Continuous Compliance Regulations

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

ERCOT Design and Implementation of Internal Controls and benefits for NERC CMEP/RAI

ERCOT Design and Implementation of Internal Controls and benefits for NERC CMEP/RAI ERCOT Design and Implementation of Internal Controls and benefits for NERC CMEP/RAI Matt Mereness, ERCOT Compliance Director August 2015 Anfield Summit Outline of discussion ERCOT Background Business Case

More information

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Alberta Reliability Standard Cyber Security Implementation Plan for Version 5 CIP Security Standards CIP-PLAN-AB-1

Alberta Reliability Standard Cyber Security Implementation Plan for Version 5 CIP Security Standards CIP-PLAN-AB-1 External Consultation Draft Version 1.0 December 12, 2013 1. Purpose The purpose of this reliability standard is to set the effective dates for the Version 5 CIP Cyber Security reliability standards and

More information

Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard

Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard The North American Electric Reliability Corporation 1 s (NERC) CIP Reliability Standard is the most comprehensive and pervasive

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

Reclamation Manual Directives and Standards

Reclamation Manual Directives and Standards PRA Process 1. Introduction. A. Additional information and requirements supplementing the PRA process are defined in the Directive and Standard (D&S). Terms used within this Appendix can be found in the

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

North American Electric Reliability Corporation. Compliance Monitoring and Enforcement Program. December 19, 2008

North American Electric Reliability Corporation. Compliance Monitoring and Enforcement Program. December 19, 2008 116-390 Village Boulevard Princeton, New Jersey 08540-5721 North American Electric Reliability Corporation Compliance Monitoring and Enforcement Program December 19, 2008 APPENDIX 4C TO THE RULES OF PROCEDURE

More information

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02 IT Backup, Recovery and Disaster Recovery Planning Executive Summary Introduction As part of the 2011/12 Audit Plan and following discussions

More information

When this standard has received ballot approval, the text boxes will be moved to the Guidelines and Technical Basis section of the Standard.

When this standard has received ballot approval, the text boxes will be moved to the Guidelines and Technical Basis section of the Standard. CIP-002-5 Cyber Security BES Cyber System Categorization When this standard has received ballot approval, the text boxes will be moved to the Guidelines and Technical Basis section of the Standard. A.

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Scope of Restoration Plan

Scope of Restoration Plan RWG Area Restoration Review Worksheet (10/28/09) EOP-006-02 Directory 8 EOP-005 NYSRG Rule G Text Restoration Plan Requirement R1.Each Reliability Coordinator shall have a Reliability Coordinator Area

More information

PHASE 3: PLANNING PHASE

PHASE 3: PLANNING PHASE PHASE 3: PLANNING PHASE The Planning Phase focuses principally on required project planning work. Proper comprehensive project planning is essential to a successful IT project, and incomplete project planning

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Resource Monitoring and Deliverability Tool Paper

Resource Monitoring and Deliverability Tool Paper Resource Monitoring and Deliverability Tool Paper NWPP MC Phase 3 Operations Integration Work Group 11/30/2014 Page 1 of 16 Table of Contents Executive Summary... 3 1. Purpose... 5 2. Existent Methods

More information

ITIL A guide to service asset and configuration management

ITIL A guide to service asset and configuration management ITIL A guide to service asset and configuration management The goal of service asset and configuration management The goals of configuration management are to: Support many of the ITIL processes by providing

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems GE Intelligent Platforms Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Overview There is a lot of

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

Disaster Recovery Plan Documentation for Agencies Instructions

Disaster Recovery Plan Documentation for Agencies Instructions California Office of Information Security Disaster Recovery Plan Documentation for Agencies Instructions () November 2009 SCOPE AND PURPOSE The requirements included in this document are applicable to

More information

EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015

EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015 EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015 Housekeeping Items Submit questions using control panel Contact

More information

CIP-005-5 Cyber Security Electronic Security Perimeter(s)

CIP-005-5 Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-5 3. Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security

More information

IT SERVICE MANAGEMENT POLICY MANUAL

IT SERVICE MANAGEMENT POLICY MANUAL IT SERVICE MANAGEMENT POLICY MANUAL Version - 1.0 SATYAM COMPUTER SERVICES LIMITED Satyam Infocity Unit 12, Plot No. 35/36 Hi-tech City layout Survey No. 64 Madhapur Hyderabad - 500 081 Andhra Pradesh

More information

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org 2014 Utilities Telecom Council Utility cybersecurity environment is full of collaborations

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

4 Testing General and Automated Controls

4 Testing General and Automated Controls 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn

More information

Technology Recovery Plan Instructions

Technology Recovery Plan Instructions State of California California Information Security Office Technology Recovery Plan Instructions SIMM 5325-A (Formerly SIMM 65A) September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF

More information

PHASE 3: PLANNING PHASE

PHASE 3: PLANNING PHASE PHASE 3: PLANNING PHASE The ning Phase focuses principally on required project planning work. Proper comprehensive project planning is essential to a successful IT project, and incomplete project planning

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

Open Enterprise Architectures for a Substation Password Management System

Open Enterprise Architectures for a Substation Password Management System CIGRÉ Canada 21, rue d Artois, F-75008 PARIS (154) Conference on Power Systems http : //www.cigre.org Toronto, October 4-6, 2009 Open Enterprise Architectures for a Substation Password Management System

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information