NERC CIP Version 3 vs Version 5 changes

Transcript of NERC CIP Version 3 vs Version 5 changes

Page 1: NERC CIP Version 3 vs Version 5 changes

CIP Version 3 vs. CIP Version 5:
- Changes
- Impacts
- Action

Page 2: Agenda

- High Level Changes: Concepts, Format, Language, Guidance, Number of Requirements
- Change highlights within each CIP domain: CIP-002 through CIP-011

Page 3: High Level Changes: Concepts

- Changes made to address FERC Order 706: incorporate NIST framework elements in the CIP standards and make improvements over v3
- Asset classification revamped: Critical Asset (CA) and Critical Cyber Asset (CCA) retired and replaced with BES Cyber System and BES Cyber Asset
- BES Cyber System: one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
- Allows flexible asset classification (telecom infrastructure between ESPs is still exempt)
- BES Cyber Asset: "essential to the function of the BES" (paraphrased)

Page 4: High Level Changes: Concepts (continued)

- High/Medium/Low impact rating applied to each identified BES Cyber System based on the CIP-002-5 criteria
- Requirements applied granularly to each High/Medium/Low BES Cyber System and its "associated EACMS, PACS, PCA"
- "External Routable Connectivity" is sometimes used as a qualifier for applying a requirement
- Requirements are applied to BES Cyber Systems; however, the actual controls may still have to be implemented on the individual BES Cyber Assets that comprise the system

Description:

Electronic Access Control or Monitoring Systems (EACMS): examples include Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems.

Physical Access Control Systems (PACS): examples include authentication servers, card systems, and badge control systems.

Protected Cyber Assets (PCA): examples may include, to the extent they are within the ESP, file servers, FTP servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems.

Page 5: High Level Changes: Format

- Requirements are presented in a table
- The leftmost column is the "Applicability" column, which shows the BES Cyber Systems and associated classified Cyber Assets that must comply with the requirement

Page 6: High Level Changes: Language

Self-correcting language:
- "shall implement, in a manner that identifies, assesses, and corrects deficiencies"
- Used in 17 main requirements (including their sub-requirements)
- Processes must have self-correcting mechanisms; the 100% defect-free expectation is removed for those requirements that carry this wording

Measures/Guidance:
- Greatly improved wording of measures so that they give better guidance on the expected action and evidence
- Each CIP domain now has a guidance section with additional information
- 129 requirements (down from 166)

Page 7: Change Highlights: NERC CIP v5 domains

Page 8: CIP-002 Asset Classification

- Classification received a major overhaul
- Critical Asset replaced with BES Cyber System
- Critical Cyber Asset replaced with BES Cyber Asset
- 3 additional Cyber Asset classification categories (PCA, EACMS, PACS)
- May impact the number of facilities/Cyber Assets in scope
- Foundations of the previous asset classification project may be leveraged, but the process must be re-written and effort must be spent to reclassify according to the new criteria
- All other project scopes may change based on the above; impact currently unknown

Page 9: CIP-003 Security Management Controls

- New requirement for Low impact BES Cyber Systems: implement cyber security policies that address awareness, physical security, electronic access controls for external connections, and incident response
- 100% new effort for this requirement
- Security standards and policy alignment: must be aligned to CIP Version 5; incorporate the new CIP v5 guidance into standards

Page 10: CIP-004 Personnel & Training

- Changed: Cyber Security Training now has more comprehensive requirements for its contents
- Changed: Personnel risk assessment; the "for cause" wording is removed
- Consolidated Access Management Program requirements under one requirement: the information, physical, and electronic access management program is now one set of requirements (CIP-004 R4)
- The requirements differ from CIP v3; both the physical and the access projects will have to take these changes into account
- Access revocation requirements are changed for the better (more lenient)

Page 11: CIP-005 Electronic Security Perimeter

- Change: explicit requirement calls for both inbound and outbound access rules (each permission with its reason, everything else denied by default)
- Change: explicit requirement for two-factor authentication for Interactive Remote Access to High and Medium impact systems (wording changed from "strong" to "two-factor")
- New requirement explicitly calling for IDS/IPS technologies for High
- New requirement for encryption terminating at an Intermediate System for High and Medium
- New TFE (Technical Feasibility Exception) eligibility for dial-up authentication

Page 12: CIP-006 Physical Security of BES Cyber Systems

- Removed the six-wall requirement and its TFE; focus shifted to "restrict access to only those authorized" (which in most cases will still mean six walls, see guidance) (Physical)
- Changed: requirement for two physical access controls for granting access to High impact PSPs [TFE eligible]
- Changed: 15-minute timeframe for notifying the CSIRP of unauthorized physical access (Physical)
- Changed: maintenance and testing cycle reduced from 36 months to 24 months (Physical)

Page 13: CIP-007 System Security Management

- Removed TFE for ports/services
- Removed TFE for antivirus
- Removed TFE for logging capability
- Removed TFE for password characteristics
- Added TFE for annual password changes
- Added TFE for log retention
- New requirement to manage physical ports
- New requirement to limit unsuccessful authentication attempts or generate alerts after a threshold of failures, for High
- Changed wording for logging/alerting: 15-day log review, clearer requirements
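The "limit unsuccessful authentication attempts or generate alerts" bullet is usually met on the alerting side by a detection rule over authentication logs. The following is an added example, not code from the original slide deck: a sliding-window count of failed sshd logins per host and account that raises one alert when a threshold is reached. The syslog lines, host and account names, source addresses, the 5-failure threshold and the 15-minute window are all constructed here for illustration; an entity picks its own threshold and documents it as the CIP-007 evidence.

```python
"""Alert on repeated unsuccessful authentication attempts.

Added example for the CIP-007 bullet above; not code from the original
slide deck. The sshd-style syslog lines, host/user names, the 5-failure
threshold and the 15-minute window are constructed/assumed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog lines omit the year, so one is assumed for timestamp parsing.
LOG_YEAR = 2014

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log: operator@rtu01 fails six times in about 70 s from one
# source; admin@hmi02 fails twice 30 minutes apart; one successful login.
SAMPLE_LINES = [
    "Jan 10 08:00:01 rtu01 sshd[1201]: Failed password for operator from 10.1.1.5 port 51000 ssh2",
    "Jan 10 08:00:09 rtu01 sshd[1202]: Failed password for operator from 10.1.1.5 port 51001 ssh2",
    "Jan 10 08:00:15 hmi02 sshd[3310]: Failed password for admin from 10.1.2.9 port 40010 ssh2",
    "Jan 10 08:00:20 rtu01 sshd[1203]: Failed password for operator from 10.1.1.5 port 51002 ssh2",
    "Jan 10 08:00:31 rtu01 sshd[1204]: Accepted password for operator from 10.1.1.7 port 51003 ssh2",
    "Jan 10 08:00:44 rtu01 sshd[1205]: Failed password for operator from 10.1.1.5 port 51004 ssh2",
    "Jan 10 08:01:02 rtu01 sshd[1206]: Failed password for operator from 10.1.1.5 port 51005 ssh2",
    "Jan 10 08:01:10 rtu01 sshd[1207]: Failed password for operator from 10.1.1.5 port 51006 ssh2",
    "Jan 10 08:30:00 hmi02 sshd[3311]: Failed password for admin from 10.1.2.9 port 40011 ssh2",
]


def parse_failure(line):
    """Return (timestamp, host, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse syslog's padded day field
    ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["src"]


def detect_auth_failures(lines, threshold=5, window_minutes=15):
    """Sliding-window count of failures per (host, user).

    Emits one alert per (host, user) the first time `threshold` failures fall
    within `window_minutes`. Lines must be in chronological order, as they are
    when read sequentially from a syslog file.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (host, user) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, host, user, src = parsed
        key = (host, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "user": user, "src": src,
                           "count": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_auth_failures(SAMPLE_LINES):
        print(f"ALERT {a['host']} user={a['user']} {a['count']} failures from {a['src']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed sample this produces exactly one alert, for the operator account on rtu01, at the fifth failure; the two admin failures on hmi02 are 30 minutes apart and never share a 15-minute window, which is the kind of slow-rate case a threshold rule alone does not catch.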

Page 14: CIP-007 System Security Management (continued)

- Change: patch management requirements for tracking, evaluating and installing patches slightly changed
- The evaluation period now runs from the "last evaluation", not from the "availability of the patch"
- For applicable patches, an entity can now either: apply the patch; create a mitigation plan; or revise an existing mitigation plan
- New requirement for tracking the execution of patch management mitigation plans

Page 15: CIP-008 Incident Reporting and Response Planning

- New requirement to notify the ES-ISAC within one hour of identifying a Reportable Cyber Security Incident (may not apply in Alberta)
- New requirement to update the CSIRP and communicate the update within 90 days of any test or actual incident

Page 16: CIP-009 Recovery Plans for BES Cyber Systems

- New requirement to verify the successful completion of backup processes
- New requirement for processes to preserve the data needed to determine the cause of a Cyber Security Incident
- New requirement to operationally exercise backup procedures every 36 months for High

Page 17: CIP-010 Configuration Change Management and Vulnerability Assessments

- Configuration management, change management and vulnerability assessment consolidated into a new CIP domain, CIP-010
- Change: explicitly requires the baseline configuration to be updated whenever a change deviates from it, for High and Medium
- New requirement to monitor for configuration changes at least every 35 days for High
- New requirement to perform an active vulnerability assessment of new Cyber Assets before they are added to a production environment
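The baseline-update and 35-day monitoring bullets both reduce to the same mechanism: keep a canonical, hashed record of the approved baseline, take a fresh snapshot on a schedule, and diff the two. The following is an added example, not code from the original slide deck. The snapshot layout follows the five baseline elements CIP-010-1 R1.1 lists (OS/firmware, commercially available software, custom software, logical network accessible ports, applied security patches); the host, versions, port list and patch names are constructed for illustration, and the 35-day interval is the cadence the slide states for High impact systems.

```python
"""Configuration baseline, drift detection and monitoring cadence.

Added example for the CIP-010 bullets above; not code from the original
slide deck. Element names follow CIP-010-1 R1.1; the values, the hypothetical
host and the patch identifiers are constructed for illustration.
"""
import hashlib
import json
from datetime import date

MONITOR_INTERVAL_DAYS = 35  # cadence the slide states for High impact systems

# Constructed approved baseline for a hypothetical High impact BES Cyber Asset.
BASELINE = {
    "os_firmware": {"name": "vendor-rtos", "version": "4.2.1"},
    "commercial_software": {"OpenSSH": "6.6p1", "ntp": "4.2.6"},
    "custom_software": {"rtu-poller": "1.4"},
    "network_ports": ["22/tcp", "123/udp", "502/tcp"],
    "security_patches": ["patch-2014-03-a", "patch-2014-05-b"],
}

# Constructed later snapshot: OpenSSH was upgraded and a web listener appeared,
# neither of which was carried into the approved baseline.
CURRENT_SNAPSHOT = {
    "os_firmware": {"name": "vendor-rtos", "version": "4.2.1"},
    "commercial_software": {"OpenSSH": "6.7p1", "ntp": "4.2.6"},
    "custom_software": {"rtu-poller": "1.4"},
    "network_ports": ["22/tcp", "123/udp", "502/tcp", "8080/tcp"],
    "security_patches": ["patch-2014-03-a", "patch-2014-05-b"],
}


def canonical(snapshot):
    """Stable serialization (sorted keys, sorted lists) so equal configs hash equal."""
    normalized = {k: sorted(v) if isinstance(v, list) else v for k, v in snapshot.items()}
    return json.dumps(normalized, sort_keys=True, separators=(",", ":"))


def baseline_hash(snapshot):
    """SHA-256 of the canonical form; record it with the approved baseline."""
    return hashlib.sha256(canonical(snapshot).encode("utf-8")).hexdigest()


def has_drifted(baseline, current):
    """Cheap first check: compare hashes before walking the full diff."""
    return baseline_hash(baseline) != baseline_hash(current)


def diff_baseline(baseline, current):
    """Return (element, item, old, new) tuples for every deviation from the baseline.

    List-valued elements (ports, patches) are compared as sets; mapping-valued
    elements (software name -> version) are compared key by key.
    """
    changes = []
    for element in sorted(set(baseline) | set(current)):
        old, new = baseline.get(element), current.get(element)
        if isinstance(old, list) or isinstance(new, list):
            old_set, new_set = set(old or []), set(new or [])
            changes += [(element, item, item, None) for item in sorted(old_set - new_set)]
            changes += [(element, item, None, item) for item in sorted(new_set - old_set)]
        else:
            old, new = old or {}, new or {}
            for key in sorted(set(old) | set(new)):
                if old.get(key) != new.get(key):
                    changes.append((element, key, old.get(key), new.get(key)))
    return changes


def monitoring_overdue(last_check_iso, today_iso):
    """True when more than MONITOR_INTERVAL_DAYS have elapsed since the last check."""
    last_check = date.fromisoformat(last_check_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_check).days > MONITOR_INTERVAL_DAYS


if __name__ == "__main__":
    print("approved baseline hash:", baseline_hash(BASELINE))
    if has_drifted(BASELINE, CURRENT_SNAPSHOT):
        for element, item, old, new in diff_baseline(BASELINE, CURRENT_SNAPSHOT):
            print(f"DRIFT {element}/{item}: {old!r} -> {new!r}")
    print("overdue:", monitoring_overdue("2014-01-01", "2014-02-06"))
```

Each reported deviation is either an unauthorized change to investigate or an authorized change whose baseline update was missed; in both cases the diff is the evidence the monitoring bullet asks for, and the hash lets the check run cheaply on every cycle.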

Page 18: CIP-011 Information Protection

- Information protection is now its own CIP domain, CIP-011
- New requirement to protect information in transit and in use

Page 19: Understanding the NERC CIP 5 Standards

Questions?