NERC CIP Version 3 vs Version 5 changes
CIP Version 3 vs. CIP Version 5: Changes, Impacts, Action
Agenda
- High Level Changes: Concepts, Format, Language, Guidance, Number of Requirements
- Change highlights within each CIP domain, CIP-002 through CIP-011
High Level Changes: Concepts
- Changes made to address FERC Order 706: incorporate NIST framework elements into the CIP standards and improve on v3
- Asset classification revamped: Critical Asset / Critical Cyber Asset (CA/CCA) retired and replaced with BES Cyber System and BES Cyber Asset
- BES Cyber System: one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
- Allows flexible asset classification (telecom infrastructure between ESPs is still exempt)
- BES Cyber Asset: a Cyber Asset that is "essential to the function of the BES" (paraphrased)
High Level Changes: Concepts (continued)
- A High, Medium or Low impact rating is applied to each identified BES Cyber System based on the CIP-002-5 criteria
- Requirements are applied granularly to each High/Medium/Low BES Cyber System and its "associated EACMS, PACS, PCA"
- "External routable connectivity" is sometimes used as a qualifier for whether a requirement applies
- Requirements are applied to BES Cyber Systems; however, the actual controls may still have to be implemented on the individual BES Cyber Assets that comprise the system
Description of the associated asset categories:
- Electronic Access Control or Monitoring Systems ("EACMS"): examples include Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems.
- Physical Access Control Systems ("PACS"): examples include authentication servers, card systems, and badge control systems.
- Protected Cyber Assets ("PCA"): examples may include, to the extent they are within the ESP, file servers, FTP servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems.
High Level Changes: Format
- Requirements are presented in a table; the leftmost column is the "applicability" column, which shows the BES Cyber Systems and associated classified Cyber Assets that must comply with the requirement.
High Level Changes: Language
- Self-correcting language: "shall implement, in a manner that identifies, assesses, and corrects deficiencies," appears in 17 main requirements (including their sub-requirements)
- Processes must have self-correcting mechanisms; the 100% defect-free expectation is removed for the requirements that carry this wording
High Level Changes: Measures and Guidance
- Greatly improved wording of the measures, so that they give better guidance on the expected action and evidence
- Each CIP domain now has a guidance section with additional information
High Level Changes: Number of Requirements
- 129 requirements (down from 166)
Change Highlights: NERC CIP 5 domains
CIP-002 Asset Classification
- Classification received a major overhaul: Critical Asset replaced with BES Cyber System, Critical Cyber Asset replaced with BES Cyber Asset, and three additional Cyber Asset classification categories added (PCA, EACMS, PACS)
- May change the number of facilities and Cyber Assets in scope
- Foundations of the previous asset classification project may be leveraged, but the process must be rewritten and effort must be spent to reclassify according to the new criteria
- All other project scopes may change as a result; the impact is currently unknown
CIP-003 Security Management Controls
- New requirement for Low impact BES Cyber Systems: implement cyber security policies that address awareness, physical security, electronic access controls for external connections, and incident response
- 100% new effort for this requirement
- Security standards and policy alignment: must be aligned to CIP version 5, and the new CIPv5 guidance must be incorporated into the standards
CIP-004 Personnel & Training
- Changed: cyber security training, with more comprehensive requirements for content
- Changed: personnel risk assessment, with the "for cause" wording removed
- Consolidated access management program: information, physical, and electronic access management are now one set of requirements under a single requirement (CIP-004 R4)
- These requirements differ from CIPv3; both the physical and the electronic access projects will have to take the changes into account
- Access revocation requirements are changed for the better (more lenient)
CIP-005 Electronic Security Perimeter
- Changed: explicit requirement for both inbound and outbound access rules
- Changed: explicit requirement for two-factor authentication for interactive remote access to High and Medium (the wording changes from "strong" to "two-factor")
- New requirement explicitly calling for IDS/IPS technologies for High
- New requirement that interactive remote access be encrypted, with the encryption terminating at an Intermediate System, for High and Medium
- New TFE (technical feasibility exception) eligibility for dial-up authentication
CIP-006 Physical Security of BES Cyber Systems
- Removed the six-wall requirement and its TFE; the focus shifts to "restrict access to only those authorized" (which in most cases will still mean six walls, see the guidance) (Physical)
- Changed: requirement for two physical access controls for granting access to High PSPs [TFE eligible]
- Changed: 15-minute timeframe for notification under the CSIRP of unauthorized physical access (Physical)
- Changed: PACS maintenance and testing cycle reduced from 36 months to 24 months (Physical)
CIP-007 System Security Management
- Removed TFE for ports and services
- Removed TFE for antivirus
- Removed TFE for logging capability
- Removed TFE for password characteristics
- Added TFE for annual password changes
- Added TFE for log retention
- New requirement to manage physical ports
- New requirement to limit unsuccessful authentication attempts or generate alerts, for High
- Changed wording for logging and alerting: 15-day log review, clearer requirements
CIP-007 System Security Management (continued)
- Changed: patch management requirements for tracking, evaluating and installing patches are slightly different; the evaluation interval now runs from the "last evaluation" rather than from the "availability of the patch"
- For applicable patches the entity can now either apply the patch, create a mitigation plan, or revise an existing mitigation plan
- New requirement to track execution of patch management mitigation plans
CIP-008 Incident Reporting and Response Planning
- New requirement to notify the ES-ISAC within 1 hour of identifying a Reportable Cyber Security Incident (may not apply in Alberta)
- New requirement to update the CSIRP and communicate the updates within 90 days of any test or actual incident
CIP-009 Recovery Plans for BES Cyber Systems
- New requirement to verify the successful completion of backup processes
- New requirement for processes to preserve data needed to determine the cause of a Cyber Security Incident
- New requirement to operationally exercise backup procedures at least every 36 months for High
CIP-010 Configuration Change Management and Vulnerability Assessments
- Configuration management, change management and vulnerability assessment are consolidated into a new CIP domain, CIP-010
- Changed: explicit requirement to update the baseline configuration when changes that deviate from it are made, for High and Medium
- New requirement to monitor for changes to the baseline configuration at least every 35 days for High
- New requirement to perform an active vulnerability assessment of new Cyber Assets before they are added
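The baseline items above (a baseline that must be kept current, a 35-day check for deviations from it) amount to a diff between an approved baseline and an observed state, reconciled against the change records. The following Python is an added example, not code from the slides or from NERC. The asset, its approved baseline, the later observed state and the approved change record are all constructed; the five baseline elements are the ones CIP-010 R1 lists (operating system or firmware, commercially available or open-source application software, custom software, logical network accessible ports, and applied security patches). Any deviation that no change record covers is reported as unreconciled, which is the condition the 35-day monitoring is meant to surface.

```python
"""Baseline configuration comparison in the spirit of the CIP-010 v5 items above.

Added example, not part of the original slides. Asset name, baseline contents,
observed state, dates and the change record are constructed for illustration.
"""
from datetime import date

# The five baseline elements named in CIP-010 R1.1.
BASELINE_ELEMENTS = (
    "os_firmware", "app_software", "custom_software", "ports", "security_patches",
)

# Constructed approved baseline for a hypothetical High impact HMI server.
BASELINE = {
    "asset": "hmi-01",
    "captured": date(2024, 1, 10),
    "os_firmware": {"Windows Server 2019 1809"},
    "app_software": {"ScadaView 4.2", "OpenSSL 1.1.1w"},
    "custom_software": {"alarm-forwarder 2.0"},
    "ports": {"tcp/443", "tcp/3389", "udp/123"},
    "security_patches": {"KB5034127"},
}

# Constructed state observed by a later scan of the same asset.
OBSERVED = {
    "asset": "hmi-01",
    "captured": date(2024, 2, 20),
    "os_firmware": {"Windows Server 2019 1809"},
    "app_software": {"ScadaView 4.2", "OpenSSL 1.1.1w", "TeamViewer 15"},
    "custom_software": {"alarm-forwarder 2.0"},
    "ports": {"tcp/443", "tcp/3389", "udp/123", "tcp/5938"},
    "security_patches": {"KB5034127", "KB5034768"},
}

# Constructed change record: items whose addition or removal has an approved change.
APPROVED_CHANGES = {
    "security_patches": {"added": {"KB5034768"}, "removed": set()},
}


def diff_baseline(baseline, observed):
    """Return {element: {"added": set, "removed": set}} for every element whose
    observed contents differ from the baseline."""
    deviations = {}
    for element in BASELINE_ELEMENTS:
        added = observed.get(element, set()) - baseline.get(element, set())
        removed = baseline.get(element, set()) - observed.get(element, set())
        if added or removed:
            deviations[element] = {"added": added, "removed": removed}
    return deviations


def unreconciled(deviations, approved):
    """Return the subset of deviations that no approved change record covers.
    These are the findings a change-control reviewer has to chase."""
    findings = {}
    for element, change in deviations.items():
        ok = approved.get(element, {"added": set(), "removed": set()})
        added = change["added"] - ok["added"]
        removed = change["removed"] - ok["removed"]
        if added or removed:
            findings[element] = {"added": added, "removed": removed}
    return findings


def monitoring_overdue(last_check, today, max_days=35):
    """True when more than max_days calendar days have passed since the last
    baseline check; 35 is the interval the slides give for High."""
    return (today - last_check).days > max_days


def apply_approved(baseline, approved):
    """Produce the updated baseline after approved changes, which is the
    'update the baseline when changes are made' step."""
    updated = {k: (set(v) if isinstance(v, set) else v) for k, v in baseline.items()}
    for element, change in approved.items():
        updated[element] = (updated.get(element, set()) | change["added"]) - change["removed"]
    return updated


if __name__ == "__main__":
    devs = diff_baseline(BASELINE, OBSERVED)
    for element, finding in unreconciled(devs, APPROVED_CHANGES).items():
        print(f"{OBSERVED['asset']} {element}: unreconciled added={finding['added']} "
              f"removed={finding['removed']}")
    if monitoring_overdue(BASELINE["captured"], OBSERVED["captured"]):
        print("baseline check interval exceeded 35 days")
```

Run against the constructed data, the only deviation covered by a change record is the new security patch; the remote-support tool and the listening port it opened are reported as unreconciled, and the 41 days between the two captures trip the 35-day check. Representing each element as a set keeps the comparison independent of the order in which a scanner lists items.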
CIP-011 Information Protection
- Information protection is now its own CIP domain, CIP-011
- New requirement to protect BES Cyber System Information in transit and in use
Understanding the NERC CIP 5 Standards
Questions?