CIP-005-6 and CIP-010-3 New Requirements Overview
August 15, 2019
John Graminski, MBA/TM, CISSP
Senior Compliance Auditor, Cyber Security
Agenda
▪ Objective
▪ Background
▪ CIP-005-6
• New Requirements Overview
• Takeaways
▪ CIP-010-3
• New Requirements Overview
• Takeaways
▪ Implementation Date
▪ Summary
▪ Questions & Answers
Objective
To raise awareness and give an overview
of the new requirements of CIP-005-6 and
CIP-010-3
Background
▪ CIP-005-5 and CIP-010-2 are being modified as part of Project 2016-03, Cyber Security Supply Chain Risk Management.
▪ Under FERC Order No. 829 (page 1), the project develops new or modified Standards to address "supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations".
▪ Includes the new Standard CIP-013-1, Supply Chain Risk
Management.
▪ Also includes the modified Standards CIP-005-6 and CIP-010-3,
which contain new requirements for supply chain risk
management.
CIP-005-6 New Requirements
CIP-005-6 Takeaways
▪ R2, Parts 2.4 and 2.5 scope—Covers all remote access
sessions with vendors, including Interactive Remote
Access and system-to-system remote access.
▪ Part 2.4 objective—Give entities visibility of all active
vendor remote access sessions.
▪ Part 2.5 objective—Give entities the ability to disable
any active remote access sessions in case of a system
breach (FERC Order No. 829, Page 52).
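The two CIP-005-6 objectives above (Part 2.4, know which vendor sessions are active; Part 2.5, be able to end any of them) are easiest to reason about with a concrete session table in front of you. The following is an added example, not material from the slides or from NERC: it parses the output of `ss -tnp` on a Linux jump host or EACMS, keeps the established connections whose far end sits in a vendor-owned network, labels each one as Interactive Remote Access or system-to-system, and returns the action that ends it. The vendor address ranges, the choice of ports that count as interactive, the `ss -K` socket-destroy filter and the `nft` rule (which assumes an existing `inet filter` table with an `input` chain) are all assumptions for illustration, and the `ss` rows are constructed sample data.

```python
"""Added example (not from the NERC slides): enumerate and disable active vendor
remote access sessions on a Linux jump host, in the spirit of CIP-005-6 R2
Parts 2.4 and 2.5. Input is the text of `ss -tnp`."""
import ipaddress

# Assumptions for illustration: address space the vendors connect from, and the
# local ports that mean a person is logged in rather than a machine feed.
VENDOR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),      # vendor A support VPN pool
                   ipaddress.ip_network("198.51.100.16/28")]  # vendor B telemetry relay
INTERACTIVE_PORTS = {22, 3389}   # SSH, RDP; anything else is treated as system-to-system


def parse_ss(output):
    """Yield one dict per ESTAB row of `ss -tnp`; the header line is skipped."""
    for line in output.splitlines()[1:]:
        f = line.split()
        if len(f) < 5 or f[0] != "ESTAB":
            continue
        lip, lport = f[3].rsplit(":", 1)
        pip, pport = f[4].rsplit(":", 1)
        proc, pid = None, None
        if len(f) > 5 and "pid=" in f[5]:         # users:(("sshd",pid=4321,fd=4))
            proc = f[5].split('"')[1]
            pid = int(f[5].split("pid=")[1].split(",")[0])
        yield {"local": lip.strip("[]"), "lport": int(lport),
               "peer": pip.strip("[]"), "pport": int(pport), "proc": proc, "pid": pid}


def vendor_sessions(ss_output):
    """Part 2.4: every active session whose peer address is inside a vendor network."""
    found = []
    for s in parse_ss(ss_output):
        peer = ipaddress.ip_address(s["peer"])
        if any(peer in net for net in VENDOR_NETWORKS):
            s["kind"] = "interactive" if s["lport"] in INTERACTIVE_PORTS else "system-to-system"
            found.append(s)
    return found


def disable_action(s):
    """Part 2.5: the command(s) that end one session. An interactive session ends
    with its serving process; a system-to-system feed is cut at the socket so the
    local service stays up, then the peer is blocked so it cannot reconnect."""
    if s["kind"] == "interactive" and s["pid"]:
        return [f"kill -TERM {s['pid']}"]
    return [f"ss -K dst {s['peer']} dport = :{s['pport']}",
            f"nft add rule inet filter input ip saddr {s['peer']} drop"]


# Constructed sample `ss -tnp` output (not captured from a real system).
SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.10.1.5:22        192.0.2.44:51234   users:(("sshd",pid=4321,fd=4))
ESTAB  0      0      10.10.1.5:22        10.10.7.9:40022    users:(("sshd",pid=4330,fd=4))
ESTAB  0      0      10.10.1.5:8443      198.51.100.20:6011 users:(("collector",pid=911,fd=7))
ESTAB  0      0      10.10.1.5:3389      192.0.2.45:55000   users:(("xrdp",pid=5010,fd=12))
TIME-WAIT 0   0      10.10.1.5:22        192.0.2.44:50001
"""

if __name__ == "__main__":
    for s in vendor_sessions(SAMPLE):
        print(f"{s['kind']:17} {s['peer']}:{s['pport']} -> :{s['lport']} ({s['proc']} pid {s['pid']})")
        for cmd in disable_action(s):
            print("   ", cmd)
```

Run against the sample, the internal SSH login from 10.10.7.9 and the TIME-WAIT remnant are ignored, and three vendor sessions come back: two interactive (SSH and RDP) and one system-to-system feed on 8443. Feeding the function live `ss` output on a schedule, and keeping the result, is one way to produce the evidence of "active vendor remote access sessions" that Part 2.4 asks for; the disable list is the "one or more methods" of Part 2.5.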
CIP-010-3 New Requirements
CIP-010-3 Takeaways
▪ R1, Part 1.6 scope—Covers all changes that deviate from an existing baseline configuration associated with baseline items in—
• Part 1.1.1—Operating systems,
• Part 1.1.2—Commercially available or open-source application software, and
• Part 1.1.5—Security patches applied.
▪ R1, Part 1.6.1 objective—Entities verify the identity of the software source.
▪ R1, Part 1.6.2 objective—Entities verify the integrity of the software taken from the source.
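Parts 1.6.1 and 1.6.2 are two distinct checks, and the order matters: a file hash that matches an unauthenticated manifest says nothing about who produced either of them, so source identity has to be established before the integrity comparison means anything. The block below is an added example and not code from the slides or from NERC. It treats "identity of the software source" as a signature over the vendor's hash manifest, verified against a vendor public key the entity pinned out of band, and "integrity of the software" as the SHA-256 of the downloaded file compared with the entry in that signed manifest. The Ed25519 routines are a compact port of the public-domain reference implementation so the block runs with no third-party packages; a real vendor's scheme (GPG, Authenticode, a signed SBOM, etc.) would replace them. The vendor key, firmware image and manifest are constructed stand-ins.

```python
"""Added example (not from the NERC slides): verify a vendor package the way
CIP-010-3 R1 Part 1.6 describes. 1.6.1 = signed manifest checked against a
pinned vendor key; 1.6.2 = SHA-256 of the file compared with that manifest."""
import hashlib
import hmac

# --- minimal Ed25519 (stdlib-only port of the reference implementation; slow) ---
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
def _inv(x): return pow(x, q - 2, q)
d = -121665 * _inv(121666) % q
I = pow(2, (q - 1) // 4, q)

def _xrecover(y):
    xx = (y * y - 1) * _inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x & 1 else x

By = 4 * _inv(5) % q
B = [_xrecover(By), By]                       # base point

def _add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - d * x1 * x2 * y1 * y2)
    return [x3 % q, y3 % q]

def _mul(P, e):                               # left-to-right double-and-add
    R = [0, 1]
    for bit in bin(e)[2:]:
        R = _add(R, R)
        if bit == "1": R = _add(R, P)
    return R

def _encpoint(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _decpoint(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (v >> 255): x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q: raise ValueError("not on curve")
    return [x, y]

def _H(*parts): return hashlib.sha512(b"".join(parts)).digest()
def _clamp(h): return ((int.from_bytes(h[:32], "little") & ~7) & ((1 << 254) - 1)) | (1 << 254)

def ed25519_publickey(sk): return _encpoint(_mul(B, _clamp(_H(sk))))

def ed25519_sign(m, sk):
    h, pk = _H(sk), ed25519_publickey(sk)
    r = int.from_bytes(_H(h[32:], m), "little")
    R = _encpoint(_mul(B, r))
    S = (r + int.from_bytes(_H(R, pk, m), "little") * _clamp(h)) % l
    return R + S.to_bytes(32, "little")

def ed25519_verify(sig, m, pk):
    if len(sig) != 64: return False
    try: R, A = _decpoint(sig[:32]), _decpoint(pk)
    except ValueError: return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l: return False
    h = int.from_bytes(_H(sig[:32], pk, m), "little")
    return _mul(B, S) == _add(R, _mul(A, h))   # S*B == R + h*A

# --- the Part 1.6 check ---
def parse_manifest(text):
    """'sha256sum' style lines '<hex>  <filename>' -> {filename: hex}."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            out[name.strip()] = digest.lower()
    return out

def verify_vendor_package(name, data, manifest, manifest_sig, vendor_pk):
    """Return (ok, reason). Identity (1.6.1) is checked before integrity (1.6.2)."""
    if not ed25519_verify(manifest_sig, manifest, vendor_pk):
        return False, "1.6.1 source identity: manifest signature fails against pinned vendor key"
    expected = parse_manifest(manifest.decode()).get(name)
    if expected is None:
        return False, f"1.6.1 source identity: {name} is not in the signed manifest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"1.6.2 integrity: sha256 {actual} != manifest {expected}"
    return True, "1.6.1 and 1.6.2 verified"

# Constructed sample (not real vendor material): stand-in signing key, a fake relay
# firmware image, the vendor's SHA256SUMS manifest, its signature, and a tampered copy.
VENDOR_SK = hashlib.sha256(b"constructed stand-in vendor signing seed").digest()
VENDOR_PK = ed25519_publickey(VENDOR_SK)            # in practice: pinned out of band
PACKAGE = b"\x7fELF constructed relay firmware 4.2.1 image " * 8
MANIFEST = ("# SHA256SUMS relay firmware 4.2.1\n"
            f"{hashlib.sha256(PACKAGE).hexdigest()}  relay-fw-4.2.1.bin\n").encode()
MANIFEST_SIG = ed25519_sign(MANIFEST, VENDOR_SK)
EVIL = PACKAGE + b"\x90"                             # modified image, plus a manifest
EVIL_MANIFEST = f"{hashlib.sha256(EVIL).hexdigest()}  relay-fw-4.2.1.bin\n".encode()  # that matches it

if __name__ == "__main__":
    for label, pkg, man in [("genuine", PACKAGE, MANIFEST), ("tampered file", EVIL, MANIFEST),
                            ("tampered file + manifest", EVIL, EVIL_MANIFEST)]:
        print(label, verify_vendor_package("relay-fw-4.2.1.bin", pkg, man, MANIFEST_SIG, VENDOR_PK))
```

The three cases show why both sub-parts exist: the genuine package passes; a modified image fails on 1.6.2 because its hash no longer matches the signed manifest; and an attacker who also replaces the manifest so the hashes line up fails on 1.6.1, because the replacement manifest cannot carry the vendor's signature. The pinned public key is the thing an auditor will ask how you obtained, so record that out-of-band step along with the verification result.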
Implementation Date
The implementation date for CIP-005-6 and
CIP-010-3 is July 1, 2020; at which time the
Standards will be mandatory and enforceable.
Refer to Project 2016-03 Cyber Security Supply Chain Risk Management (July 2017) for more information:
https://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx
Summary
CIP-005-6 and CIP-010-3 include the following new Requirements:
▪ CIP-005-6, Requirement 2, Part 2.4 requires entities to have one
or more methods for determining active vendor remote access
sessions.
▪ CIP-005-6 Requirement 2, Part 2.5 requires entities to have one
or more methods to disable active remote access sessions for
vendors.
▪ CIP-010-3 Requirement 1, Part 1.6, for changes to the baseline
configuration, requires entities to verify the identity of a
software source, and to verify the integrity of the software taken
from the source.
Contact:
John Graminski, MBA/TM, CISSP
Senior Compliance Auditor, Cyber Security
(360) 823-2452 (Office)
(801) 707-2516 (Cell)