Project 2008-06 Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings Ballot CIP-002-5 Cyber Security CIP-003-5 Cyber Security CIP-004-5 Cyber Security CIP-005-5 Cyber Security CIP-006-5 Cyber Security CIP-007-5 Cyber Security CIP-008-5 Cyber Security CIP-009-5 Cyber Security CIP-010-5 Cyber Security CIP-011-5 Cyber Security CIP V5 Implementation Plan CIP V5 Definitions Results Quorum: 93.62% Approval: 22.09% Quorum: 93.62% Approval: 33.49% Quorum: 93.62% Approval: 26.82% Quorum: 93.62% Approval: 28.04% Quorum: 93.61% Approval: 29.60% Quorum: 93.61% Approval: 24.15% Quorum: 94.02% Approval: 34.30% Quorum: 93.61% Approval: 27.28% Quorum: 93.61% Approval: 26.61% Quorum: 93.61% Approval: 29.88% Quorum: 92.15% Approval: 42.06% Quorum: 92.56% Approval: 25.34% The drafting team will consider all comments and determine what changes to make to each of the standards, the implementation plan, and the definitions. After the drafting team has revised the standards, they will be submitted, along with the team’s Consideration of Comments, for quality review and subsequently posted for a successive ballot. January 6 – March 26 • Consideration of comments March 26 – April 27 • 30-day posting for comment and successive ballot June 6–22 • Possible Recirculation ballot Critical assets Replaced by CIP-002 Attachment 1 and BES Reliability Operating Services definition Critical cyber assets Replaced by BES Cyber Asset and BES Cyber System Physical security perimeter Replaced by Defined Physical Boundary No more “six-wall” specification Cyber Assets BES Cyber Asset BES Cyber System Programmable electronic devices including the hardware, software, and data in those devices A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its operation, misoperation, or non-operation, when required, adversely impact one or more BES Reliability Operating Services One or more BES Cyber Assets that are typically grouped together, logically or physically, to operate one or more BES Reliability Operating Services Largely replaces Critical Cyber Asset Provides an opportunity for controls to be applied at a system level High Impact ◦ Large Control Centers ◦ CIP-003 through 009+ Medium Impact ◦ Generation and Transmission ◦ Other Control Centers ◦ Similar to CIP-003 to 009 v4 All other BES Cyber Systems ◦ Security Policy ◦ Security Awareness ◦ Incident Response ◦ Boundary Protection Categorized list of High and Medium Impact Attachment 1 criteria Other BES Cyber Systems deemed to be Low Impact by default Update required lists for significant changes to BES that affect High/Medium categorization Senior manager or delegate annual review and approval CIP-003-5 was reorganized to only include elements of policy and cyber security program governance. ◦ Elements that addressed Change Control and Configuration Management were moved to CIP010-5 ◦ Elements that address Information Protection were moved to CIP-011-5 Training ◦ Addition of visitor control program ◦ Reorganization of requirements into the respective requirements for “program” and “implementation” of the training. Personnel Risk Assessment ◦ Changed to only initial identity verification ◦ Now includes documenting the processes used to determine when to deny access ◦ Reorganization of requirements into the respective requirements for “program” and “implementation” Authorization ◦ Consolidated authorization and review requirements from CIP-003-4, CIP-004-4, CIP006-4 and CIP-007-4 ◦ Allow quarterly and annual reviews to find and fix problems rather than self-report everything as a violation Revocation ◦ Remove ability to access BES Cyber System when access no longer needed Define ‘External Connectivity’ for scope modification Focus on ‘Electronic Access Points’ vs. ESP Require IDS at Control Centers Add clarity to ‘secure’ dialups Consolidated Monitoring and Vulnerability Assessment Requirements in CIP-007 and CIP-011 respectively Removed Appropriate Use Banner Incorporated CIP-005-4 Urgent Action revisions Physical Security Program ◦ Must define the operational or procedural controls to restrict physical access ◦ Removed current “6 wall” wording to instead require Defined Physical Boundary ◦ For High Impact, added the need to utilize two or more different and complementary physical access controls to restrict physical access ◦ Testing changed to a 24 month cycle with ongoing discussions of different cycles based on environment. Addition of physical I/O port requirement Security Patch management source requirement Non-prescriptive malware requirement Security Event Monitoring failure handling Bi-weekly log summary/sampling reviews Simplified access-control requirements, removed TFE language while strengthening password requirements Added requirement for maintenance devices Consolidated vulnerability assessment in CIP010-5 Disposal requirement moved to CIP-011-5 Defined Reportable Cyber Security Incident for clearer Working to harmonize with EOP-004-2 Includes additional specification on update and lessons learned associated with the response plan. Added requirement to implement the response plan. Verification of backup media information prior to storage Preservation of data for analysis Consolidates all references to Configuration Change Management and Vulnerability Assessments. ◦ Previously these requirements were dispersed throughout CIP-003-4, CIP-005-4, and CIP-007-4 Consolidates all references to Information Protection and Media Sanitization. ◦ Previously these requirements were dispersed throughout CIP-003-4 and CIP-007-4 Requirements for authorization and revocation of access to BES Cyber System Information moved to CIP-004-5. Shifts the focus of the requirements for media sanitization from the Cyber Asset to the information itself. 18 Months Minimum – The standards shall become effective on the later of January 1, 2015, or the first calendar day of the seventh calendar quarter after the date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-0023 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan. In jurisdictions where CIP-002-4 through CIP-009-4 have not yet become effective according to their implementation plan (even if approved by order), this implementation plan and the Version 5 CIP Cyber Security Standards supersede and replace the implementation plan and standards for CIP-002-4 through CIP-009-4.