Alberta Reliability Standard Cyber Security Implementation Plan for Version 5 CIP Security Standards CIP-PLAN-AB-1




External Consultation Draft Version 1.0, December 12, 2013

1. Purpose

The purpose of this reliability standard is to set the effective dates for the Version 5 CIP Cyber Security reliability standards and to describe the compliance timelines for planned and unplanned changes that result in a higher categorization of a BES cyber system.

Implementation Plan for Version 5 CIP Cyber Security Standards, October 26, 2012

Prerequisite Approvals

All Version 5 CIP Cyber Security Standards and the proposed additions, modifications, and retirements of terms to the Glossary of Terms used in NERC Reliability Standards must be approved before these standards can become effective.

2. Applicable Reliability Standards

This reliability standard applies to the Version 5 CIP Cyber Security reliability standards. The following standards and definitions, collectively referred to as the Version 5 CIP Cyber Security Standards (1), are covered by this Implementation Plan:

- CIP-002-AB-5.1 Cyber Security - BES Cyber System Categorization
- CIP-003-AB-5 Cyber Security - Security Management Controls
- CIP-004-AB-5.1 Cyber Security - Personnel and Training
- CIP-005-AB-5 Cyber Security - Electronic Security Perimeter(s)
- CIP-006-AB-5 Cyber Security - Physical Security of BES Cyber Systems
- CIP-007-AB-5 Cyber Security - Systems Security Management
- CIP-008-AB-5 Cyber Security - Incident Reporting and Response Planning
- CIP-009-AB-5 Cyber Security - Recovery Plans for BES Cyber Systems
- CIP-010-AB-1 Cyber Security - Configuration Change Management and Vulnerability Assessments
- CIP-011-AB-1 Cyber Security - Information Protection
- Definitions of Terms used in Version 5 CIP Cyber Security Standards, a document which includes the proposed additions, modifications, and retirements of terms to the Glossary of Terms used in NERC Reliability Standards.

Page 1 of 7

These standards and the Definitions of Terms used in Version 5 CIP Cyber Security Standards are posted for ballot by NERC concurrently with this Implementation Plan. When these standards and the Definitions of Terms used in Version 5 CIP Cyber Security Standards become effective, all prior versions of these standards are retired.

(1) Although CIP-010-1 and CIP-011-1 are proposed as first versions, any reference to the Version 5 CIP Cyber Security Standards includes CIP-010-1 and CIP-011-1 in addition to CIP-002-5 through CIP-009-5, because CIP-010-1 and CIP-011-1 were developed as part of the Version 5 CIP Cyber Security Standards development process.

3. Compliance with Standards

Once the Version 5 CIP Cyber Security reliability standards and the Definitions of Terms used in Version 5 CIP Cyber Security Standards become effective, the responsible entities identified in the applicability section of each Version 5 CIP Cyber Security reliability standard must comply with the requirements of those reliability standards.

4. Proposed Effective Date for Version 5 CIP Cyber Security Standards

The Version 5 Cyber Security reliability standards, except for requirement R2 of CIP-003-AB-5, become effective on the first day of the calendar quarter (January 1, April 1, July 1 or October 1) that follows eight (8) full calendar quarters after approval by the Commission. Requirement R2 of CIP-003-AB-5 becomes effective on the first day of the calendar quarter (January 1, April 1, July 1 or October 1) that follows twelve (12) full calendar quarters after approval by the Commission.

Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 as follows:

1. 24 Months Minimum. The Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired, until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan. (2)

2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees approval, and CIP-003-5 R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

(2) In jurisdictions where CIP-002-4 through CIP-009-4 have not yet become effective according to their implementation plan (even if approved by order), this implementation plan and the Version 5 CIP Cyber Security Standards supersede and replace the implementation plan and standards for CIP-002-4 through CIP-009-4.

Initial Performance of Certain Periodic Requirements

Specific Version 5 CIP Cyber Security Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to, "... at least once every 15 calendar months ...". Responsible entities shall comply initially with those periodic requirements as follows:

1. On or before the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
   - CIP-002-5, Requirement R2
   - CIP-003-5, Requirement R1

2. On or before the Effective Date of CIP-003-5, Requirement R2 for the following requirement:
   - CIP-003-5, Requirement R2

3. Within 14 calendar days after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirement:
   - CIP-007-5, Requirement R4, Part 4.4

4. Within 35 calendar days after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirement:
   - CIP-010-1, Requirement R2, Part 2.1

5. Within three calendar months after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirement:
   - CIP-004-5, Requirement R4, Part 4.2

6. Within 12 calendar months after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
   - CIP-004-5, Requirement R2, Part 2.3
   - CIP-004-5, Requirement R4, Parts 4.3 and 4.4
   - CIP-006-5, Requirement R3, Part 3.1
   - CIP-008-5, Requirement R2, Part 2.1
   - CIP-009-5, Requirement R2, Parts 2.1 and 2.2
   - CIP-010-1, Requirement R3, Part 3.1

7. Within 24 calendar months after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
   - CIP-009-5, Requirement R2, Part 2.3
   - CIP-010-1, Requirement R3, Part 3.2

8. Within 7 years after the last personnel risk assessment that was performed pursuant to a previous version of the CIP Cyber Security Standards, for a personnel risk assessment under the following requirement:
   - CIP-004-5, Requirement R3, Part 3.5

Previous Identity Verification

A documented identity verification performed pursuant to a previous version of the CIP Cyber Security Standards does not need to be reperformed under CIP-004-5, Requirement R3, Part 3.1.

5. Planned or Unplanned Changes Resulting in a Higher Categorization

Planned changes refer to any changes of the electric system or BES cyber system, as identified through the annual assessment under CIP-002-AB-5.1, requirement R2, which were planned and implemented by the responsible entity identified in the applicability section of each Version 5 CIP Cyber Security reliability standard. For example, if an automation modernization activity is performed at a transmission substation, whereby Cyber Assets are installed that meet the criteria in CIP-002-5, Attachment 1, then the new BES Cyber System has been implemented as a result of a planned change and must therefore be in compliance with the Version 5 CIP Cyber Security Standards upon the commissioning of the modernized transmission substation.

In contrast, unplanned changes refer to any changes of the electric system or BES cyber system, as identified through the annual assessment under CIP-002-AB-5.1, requirement R2, which were not planned by the responsible entity identified in the applicability section of each Version 5 CIP Cyber Security reliability standard. Consider the scenario where a particular BES Cyber System at a transmission substation does not meet the criteria in CIP-002-5, Attachment 1, and later an action is performed outside of that particular transmission substation, such as a transmission line being constructed or retired, or a generation plant being modified so that its rated output changes; that unchanged BES Cyber System may then become a medium impact BES Cyber System based on the CIP-002-5, Attachment 1 criteria.

For planned changes resulting in a higher categorization, the responsible entity identified in the applicability section of each Version 5 CIP Cyber Security reliability standard shall comply with all applicable requirements in the Version 5 CIP Cyber Security reliability standards on the update of the identification and categorization of the affected BES cyber system and any applicable and associated physical access control systems, electronic access control and monitoring systems and protected cyber assets, with additional time to comply for requirements in the same manner as the timelines specified in the section Initial Performance of Certain Periodic Requirements above.

For unplanned changes resulting in a higher categorization, the responsible entity identified in the applicability section of each Version 5 CIP Cyber Security reliability standard shall comply with all applicable requirements in the Version 5 CIP Cyber Security reliability standards according to the following timelines, following the identification and categorization of the affected BES cyber system and any applicable and associated physical access control systems, electronic access control and monitoring systems and protected cyber assets, with additional time to comply for requirements in the same manner as the timelines specified in the section Initial Performance of Certain Periodic Requirements above.

Scenario of unplanned change after the effective date of each Version 5 CIP Cyber Security reliability standard, with the corresponding compliance implementation timeline:

- New high impact BES cyber system: twelve (12) months
- New medium impact BES cyber system: twelve (12) months
- Newly categorized high impact BES cyber system, from medium impact: twelve (12) months for BES cyber system requirements not applicable to medium impact BES cyber systems
- Newly categorized medium impact BES cyber system: twelve (12) months
- The responsible entity identified in the applicability section of each Version 5 CIP Cyber Security reliability standard identifies its first medium impact or high impact BES cyber system (i.e., the responsible entity previously had no BES cyber systems categorized as high impact or medium impact according to the CIP-002-AB-5.1 identification and categorization processes): twenty-four (24) months

Applicability Reference Tables

The following tables are provided as a convenient reference to show which requirements in the Version 5 CIP Cyber Security Standards apply to specific Cyber Assets. The table columns are: Associated Electronic Access Control or Monitoring Systems; Physical Access Control System; Protected Cyber Assets. The requirements covered by the tables are:

- CIP-004-5 R2 Cyber Security Training Program
- CIP-004-5 R3 Personnel Risk Assessment Program
- CIP-004-5 R4 Access Management Program
- CIP-004-5 R5 Access Revocation
- CIP-005-5 R1 Part 1.2 Electronic Security Perimeter
- CIP-005-5 R2 Remote Access Management
- CIP-006-5 R1 Physical Security Plan
- CIP-006-5 R2 Visitor Control Program
- CIP-006-5 R3 Maintenance and Testing Program
- CIP-007-5 R1 Ports and Services
- CIP-007-5 R2 Security Patch Management
- CIP-007-5 R3 Malicious Code Prevention
- CIP-007-5 R4 Security Event Monitoring
- CIP-007-5 R5 System Access Control
- CIP-010-1 R1 Configuration Change Management
- CIP-010-1 R2 Configuration Monitoring
- CIP-010-1 R3 Vulnerability Assessments
- CIP-011-1 R1 Information Protection
- CIP-011-1 R2 BES Cyber Asset Reuse and Disposal