Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1



Similar documents
Alberta Reliability Standard Cyber Security Security Management Controls CIP-003-AB-5

Alberta Reliability Standard Cyber Security Physical Security of BES Cyber Systems CIP-006-AB-5

Alberta Reliability Standard Cyber Security Personnel & Training CIP-004-AB-5.1

Alberta Reliability Standard Cyber Security System Security Management CIP-007-AB-5

Summary of CIP Version 5 Standards

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Security Management Controls

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

When this standard has received ballot approval, the text boxes will be moved to the Guidelines and Technical Basis section of the Standard.

NB Appendix CIP NB-1 - Cyber Security Personnel & Training

NERC Cyber Security Standards

Notable Changes to NERC Reliability Standard CIP-010-3

NERC CIP Tools and Techniques

CIP Cyber Security Electronic Security Perimeter(s)

CIP R1 & R2: Configuration Change Management

Technology Solutions for NERC CIP Compliance June 25, 2015

NERC CIP VERSION 5 COMPLIANCE

Cyber Security Compliance (NERC CIP V5)

Implementation Plan for Version 5 CIP Cyber Security Standards

KEY CONSIDERATIONS FOR MIGRATING TO THE VERSION 5 NERC CIP CYBER SECURITY STANDARDS

Reclamation Manual Directives and Standards

Standard CIP Cyber Security Systems Security Management

Internal Controls And Good Utility Practices. Ruchi Ankleshwaria Manager, Compliance Risk Analysis

Standard CIP 007 3a Cyber Security Systems Security Management

How To Write A Cyber Security Checkout On A Nerc Webinar

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

E-Commerce Security Perimeter (ESP) Identification and Access Control Process

Cyber Security Standards Update: Version 5

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

GE Measurement & Control. Cyber Security for NERC CIP Compliance

Information Shield Solution Matrix for CIP Security Standards

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

Cyber Security Standards Update: Version 5 with Revisions

BSM for IT Governance, Risk and Compliance: NERC CIP

2012 CIP Spring Compliance Workshop May Testing, Ports & Services and Patch Management

Alberta Reliability Standard Cyber Security Implementation Plan for Version 5 CIP Security Standards CIP-PLAN-AB-1

Midwest Reliability Organization Procedure For NERC PRC-012

NERC s New BES Definition: How Many CHP Units Will It Impact?

Federal Energy Regulatory Commission. Small Entity Compliance Guide Mandatory Reliability Standards (Order No. 693)

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Tyson Jarrett CIP Enforcement Analyst. Best Practices for Security Patch Management October 24, 2013 Anaheim, CA

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Generation Interconnection Feasibility Study Report-Web Version. PJM Generation Interconnection Request Queue Position Z1-055

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

TRIPWIRE NERC SOLUTION SUITE

Meeting NERC CIP Access Control Standards. Presented on February 12, 2014

Lessons Learned CIP Reliability Standards

Standard CIP Cyber Security Security Management Controls

Verve Security Center

A Tactical Approach to Continuous Compliance. Walt Sikora, Vice President Security Solutions EMMOS 2013

Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control Systems

Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire

Open Enterprise Architectures for a Substation Password Management System

LogRhythm and NERC CIP Compliance

NERC CIP Compliance 10/11/2011

The North American Electric Reliability Corporation ( NERC ) hereby submits

Plans for CIP Compliance

Property of NBC Universal

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

NERC CIP Ports & Services. Part 2: Complying With NERC CIP Documentation Requirements

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP

Scope of Restoration Plan

4.1.1 Generator Owner Transmission Owner that owns synchronous condenser(s)

Automating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference

Reclamation Manual Directives and Standards

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Information Technology Branch Access Control Technical Standard

FERC, NERC and Emerging CIP Standards

Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

CIP v5/v6 Implementation Plan CIP v5 Workshop. Tony Purgar October 2-3, 2014

FRCC Standards Handbook. FRCC Automatic Underfrequency Load Shedding Program. Revision Date: July 2003

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

SecFlow Security Appliance Review

References Appendices I. INTRODUCTION... 6 A. Background... 6 B. Standards... 6

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

GRADUATE RELIABILITY TRAINING PROGRAM. Initiation Date: September 2012

Voluntary Cyber Security Standards for Industrial Control Systems v

ISACA North Dallas Chapter

Patch Management Policy

NERC CIP Compliance Gaining Oversight with ConsoleWorks

Title 20 PUBLIC SERVICE COMMISSION. Subtitle 50 SERVICE SUPPLIED BY ELECTRIC COMPANIES. Chapter 02 Engineering

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Best Practices for PCI DSS V3.0 Network Security Compliance

Keshav Sarin CIP Enforcement Analyst. BURP (Best User Reporting Practices) February 11, 2011 Marina del Rey, California

ISO Controls and Objectives

Jenifer Vallace Associate Cyber Security Analyst. Best User Reporting Practices September 24, 2013 CIP 101

Cyber Security for NERC CIP Version 5 Compliance

NERC CIP Compliance with Security Professional Services

EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015

Patch and Vulnerability Management Program

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, Electric Grid Operations

Looking at the SANS 20 Critical Security Controls

Load Dispatcher (Class Code 5223) Task List

INFORMATION TECHNOLOGY SECURITY STANDARDS

Master/Local Control Center Procedure No. 13 (M/LCC 13) Communications Between the ISO and Local Control Centers

74% 96 Action Items. Compliance

Transcription:

A. Introduction 1. Title: 2. Number: 3. Purpose: To prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES cyber systems from compromise that could lead to misoperation or instability in the bulk electric system. 4. Applicability: 4.1. For the purpose of the requirements contained herein, the following list of entities will be collectively referred to as Responsible Entities. For requirements in this reliability standard where a specific entity or subset of entities are the applicable entity or entities, the entity or entities are specified explicitly. 4.1.1. [Intentionally left blank.] 4.1.2. a legal owner of an electric distribution system that owns one or more of the following facilities, systems, and equipment for the protection or restoration of the bulk electric system: 4.1.2.1. each underfrequency load shedding or under voltage load shed system that: 4.1.2.1.1. is part of a load shedding program that is subject to one or more requirements in a reliability standard; and 4.1.2.1.2. performs automatic load shedding under a common control system owned by the entity in subsection 4.1.2., without human operator initiation, of 300 MW or more; 4.1.2.2. each remedial action scheme where the remedial action scheme is subject to one or more requirements in a reliability standard; 4.1.2.3. each protection system (excluding underfrequency load shedding and under voltage load shed) that applies to transmission where the protection system is subject to one or more requirements in a reliability standard; and 4.1.2.4. each cranking path and group of elements meeting the initial switching requirements from a contracted blackstart resource up to and including the first point of supply and/or point of delivery of the next generating unit or aggregated generating facility to be started; 4.1.3. the operator of a generating unit and the operator of an aggregated generating facility; 4.1.4. the legal owner of a generating unit and the legal owner of an aggregated generating facility; 4.1.5. [Intentionally left blank.] 4.1.6. [Intentionally left blank.] Effective: 2017-10-01 Page 1 of 9

4.1.7. the operator of a transmission facility; 4.1.8. the legal owner of a transmission facility; and 4.1.9. the ISO. 4.2. For the purpose of the requirements contained herein, the following facilities, systems, and equipment owned by each Responsible Entity in subsection 4.1 above are those to which these requirements are applicable. For requirements in this reliability standard where a specific type of facilities, system, or equipment or subset of facilities, systems, and equipment are applicable, these are specified explicitly. 4.2.1. One or more of the following facilities, systems and equipment that operate at, or control elements that operate at, a nominal voltage of 25 kv or less and are owned by a legal owner of an electric distribution system or a legal owner of a transmission facility for the protection or restoration of the bulk electric system: 4.2.1.1. each underfrequency load shedding or under voltage load shed system that: 4.2.1.1.1. is part of a load shedding program that is subject to one or more requirements in a reliability standard; and 4.2.1.1.2. performs automatic load shedding under a common control system owned by one or more of the entities in subsection 4.2.1, without human operator initiation, of 300 MW or more; 4.2.1.2. each remedial action scheme where the remedial action scheme is subject to one or more requirements in a reliability standard; 4.2.1.3. each protection system (excluding underfrequency load shedding and under voltage load shed) that applies to transmission where the protection system is subject to one or more requirements in a reliability standard; and 4.2.1.4. each cranking path and group of elements meeting the initial switching requirements from a contracted blackstart resource up to and including the first point of supply and/or point of delivery of the next generating unit or aggregated generating facility to be started; 4.2.2. Responsible Entities listed in subsection 4.1 other than a legal owner of an electric distribution system are responsible for: 4.2.2.1. each transmission facility that is part of the bulk electric system except each transmission facility that: 4.2.2.1.1. is a transformer with fewer than 2 windings at 100 kv or higher and does not connect a contracted blackstart resource; 4.2.2.1.2. radially connects only to load; 4.2.2.1.3. radially connects only to one or more generating units or aggregated generating facilities with a combined maximum authorized real power of Effective: 2017-10-01 Page 2 of 9

less than or equal to 67.5 MW and does not connect a contracted blackstart resource; or 4.2.2.1.4. radially connects to load and one or more generating units or aggregated generating facilities that have a combined maximum authorized real power of less than or equal to 67.5 MW and does not connect a contracted blackstart resource; 4.2.2.2. a reactive power resource that is dedicated to supplying or absorbing reactive power that is connected at 100 kv or higher, or through a dedicated transformer with a high-side voltage of 100 kv or higher, except those reactive power resources operated by an end-use customer for its own use; 4.2.2.3. a generating unit that is: 4.2.2.3.1. directly connected to the bulk electric system and has a maximum authorized real power rating greater than 18 MW unless the generating unit is part of an industrial complex; 4.2.2.3.2. within a power plant which: 4.2.2.3.2.1. is not part of an aggregated generating facility; 4.2.2.3.2.2. is directly connected to the bulk electric system; and 4.2.2.3.2.3. has a combined maximum authorized real power rating greater than 67.5 MW unless the power plant is part of an industrial complex; 4.2.2.3.3. within an industrial complex with supply transmission service greater than 67.5 MW; or 4.2.2.3.4. a contracted blackstart resource; 4.2.2.4. an aggregated generating facility that is: 4.2.2.4.1. directly connected to the bulk electric system and has a maximum authorized real power rating greater than 67.5 MW unless the aggregated generating facility is part of an industrial complex; 4.2.2.4.2. within an industrial complex with supply transmission service greater than 67.5 MW; or 4.2.2.4.3. a contracted blackstart resource; and 4.2.2.5. control centres and backup control centres. 4.2.3. The following are exempt from this reliability standard: 4.2.3.1. [Intentionally left blank.] 4.2.3.2. cyber assets associated with communication networks and data communication links between discrete electronic security perimeters. 4.2.3.3. [Intentionally left blank.] Effective: 2017-10-01 Page 3 of 9

4.2.3.4. for the legal owner of an electric distribution system, the systems and equipment that are not included in subsection 4.2.1 above. 4.2.3.5. Responsible Entities that identify that they have no BES cyber systems categorized as High Impact or Medium Impact according to the CIP 002-AB 5.1 identification and categorization processes. 5. [Intentionally left blank.] 6. [Intentionally left blank.] B. Requirements and Measures R1. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP 010-AB 1 Table R1 Configuration Change Management. M1. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP 010-AB 1 Table R1 Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table. Table R1 Configuration Change Management 1.1 High Impact BES cyber and and Develop a baseline configuration, individually or by group, which shall include the following items: 1.1.1. operating system(s) (including version) or firmware where no independent operating system exists; 1.1.2. any commercially available or open source application software (including version) intentionally installed; 1.1.3. any custom software installed; 1.1.4. any logical network accessible ports; and 1.1.5. any security patches applied. Examples of evidence may include, but are not limited to: a spreadsheet identifying the required items of the baseline configuration for each cyber asset, individually or by group; or a record in an asset management system that identifies the required items of the baseline configuration for each cyber asset, individually or by group. 1.2 High Impact BES cyber Authorize and document Examples of evidence may Effective: 2017-10-01 Page 4 of 9

and Table R1 Configuration Change Management changes that deviate from the include, but are not limited to: existing baseline configuration. and 1.3 High Impact BES cyber and and 1.4 High Impact BES cyber For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 days of completing the change. For a change that deviates from the existing baseline configuration: a change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or documentation that the change was performed in accordance with the requirement. include, but is not limited to, updated baseline documentation with a date that is within 30 days of the date of the completion of the change. list of cyber security controls verified or tested along with Effective: 2017-10-01 Page 5 of 9

Table R1 Configuration Change Management the dated test results. and and 1.5 High Impact BES cyber systems 1.4.1. prior to the change, determine required cyber security controls in CIP 005 and CIP 007 that could be impacted by the change; 1.4.2. following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and 1.4.3. document the results of the verification. Where technically feasible, for each change that deviates from the existing baseline configuration: 1.5.1. prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP 005 and CIP 007 are not adversely affected; and 1.5.2. document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for list of cyber security controls tested along with successful test results and a list of differences between the production and test environments with descriptions of how any differences were accounted for, including the date of the test. Effective: 2017-10-01 Page 6 of 9

Table R1 Configuration Change Management any differences in operation between the test and production environments. R2. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP 010-AB 1 Table R2 Configuration Monitoring. M2. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP 010-AB 1 Table R2 Configuration Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table. Table R2 Configuration Monitoring 2.1 High Impact BES cyber and 2. protected cyber assets Monitor at least once every 35 days for changes to the baseline configuration (as described in requirement R1, part 1.1). Document and investigate detected unauthorized changes. include, but is not limited to, logs from a system that is monitoring the configuration along with records of investigation for any unauthorized changes that were detected. R3. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP 010-AB 1 Table R3. M3. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP 010-AB 1 Table R3 Vulnerability Assessments and additional evidence to demonstrate implementation as described in the Measures column of the table. Table R3 3.1 High Impact BES cyber At least once every 15 months, conduct a paper or active vulnerability assessment. Examples of evidence may include, but are not limited to: a document listing the date of the assessment (performed at least once Effective: 2017-10-01 Page 7 of 9

Table R3 and and 3.2 High Impact BES cyber systems 3.3 High Impact BES cyber Where technically feasible, at least once every 36 months: 3.2.1 perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES cyber system in a production environment; and 3.2.2 document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. Prior to adding a new applicable cyber asset to a every 15 months), the controls assessed for each BES cyber system along with the method of assessment; or a document listing the date of the assessment and the output of any tools used to perform the assessment. document listing the date of the assessment (performed at least once every 36 months), the output of the tools used to perform the assessment, and a list of differences between the production and test environments with descriptions of how any differences were accounted for in conducting the assessment. Effective: 2017-10-01 Page 8 of 9

Table R3 production environment, document listing the date of perform an active vulnerability the assessment (performed assessment of the new cyber prior to the commissioning of asset, except for CIP the new cyber asset) and the 2. protected cyber assets exceptional circumstances and like replacements of the same type of cyber asset with a baseline configuration that models an existing baseline configuration of the previous or other existing cyber asset. output of any tools used to perform the assessment. 3.4 High Impact BES cyber and and Document the results of the assessments conducted according to parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action items. document listing the results or the review or assessment, a list of action items, documented proposed dates of completion for the action plan, and records of the status of the action items (such as minutes of a status meeting, updates in a work order system, or a spreadsheet tracking the action items). Revision History Date Description 2017-10-01 Initial release. Effective: 2017-10-01 Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information