
Compliance Guide Order Form v3 Testimony


Page 1: Compliance Guide Order Form v3 Testimony

About the Guide

The NERC CIP Corporate Compliance Guide was developed to serve as the first ever, holistic, abridged “Go-To” source for all NERC CIP compliance questions. It provides insight from FERC Order 706 that was used as the basis for the development of each of the CIP Standards. It references every NERC document published for guidance, interpretation or application for each CIP Standard.

The Guide provides detailed information as to what documentation is needed per Requirement and Sub-Requirement and then details additional evidence that must be provided during an audit to achieve compliance. Finally, the Guide provides best practice recommendations and problem areas to avoid.

The Guide narrates each CIP Requirement and provides supporting information to assist with Requirement comprehension and compliance. This guide was developed using Version 3 of the CIP Standards. Guidance for CIP-002 Version 4 has also been provided. The following are Book Features that will be found in each requirement or sub-requirement if applicable.

Book Features

The NERC CIP Compliance Guide Book contains the following features for each of the CIP Standards:

FERC Order 706
NERC’s Compliance Application Notices
NERC’s Request for Interpretations
NERC’s Frequently Asked Questions
NERC’s Guidelines
FERC Audit Questions
Documentation
Additional Evidence
Problem Areas
Best Practices
Version 4

Violation Risk Factors (VRF): A measure of the impact that a violation of a requirement has on Bulk Electric System reliability; VRFs are used by Compliance when determining sanctions.

Violation Security Levels (VSL): The factors that escalate a sanction based on how badly an entity performed, or more specifically, the degree by which a requirement was not achieved relative to full compliance.

Corporate Risk Solutions, Inc.

Special points of interest:

The first edition is based upon Version 3 and the impact of Version 4.

The Guide includes interpretations of best practices, quality evidence, and key items that create pitfalls in many compliance programs.

Price List

Price per book

1 - 9 Books 800.00

10-24 Books 500.00

25-49 Books 450.00

*50-74 Books 400.00

75-99 Books 350.00

100 Books 300.00


* Purchases of 50 + books receive unlimited distribution rights of an electronic Adobe.PDF version of the Compliance Guide within the purchaser’s company.

Page 2

Book Features Explained

FERC Order 706: Commission approval of FERC Order 706 addressing the CIP Reliability Standards and directing NERC to develop modifications to the CIP Reliability Standards to address specific concerns.

NERC’s Compliance Application Notices: Compliance Application Notices are designed to clarify how compliance is being applied in the field.

Audit Questions: These are questions that can be expected during an audit.

Documentation: This section discusses what documents are needed for compliance and what exactly needs to be stated in the document, including key words that the auditors will be looking for and exact language.

Best Practices: This section includes industry best practice, but also “Audit” best practice information. For example, although CIP-004 R4 does not require an Access Controls Procedure document, audit best practice recommends having this document, and this section describes what it should contain.

Version 4: The guide looks forward as to what to look for and what will be expected for V. 4 of the Standard; this is only applicable to CIP-002.

NERC’s Appendix 4D: Technical Feasibility Exemptions (TFEs) that apply to CIP-005, CIP-006 or CIP-007.

Violation Risk Factors (VRF): A measure of the impact that a violation of a requirement has on Bulk Electric System reliability; VRFs are used by Compliance when determining sanctions.

Violation Security Levels (VSL): The factors that escalate a sanction based on how badly an entity performed, or more specifically, the degree by which a requirement was not achieved relative to full compliance.

Additional Evidence: All the required documents are the first line of evidence during an audit. They are a statement of what an Entity does and how they do it. Additional Evidence is the evidence that proves it, i.e. Logs, Approvers Lists, CVA Results, CCA List, etc…

Problem Areas: Frequent concerns or deficiencies with respect to compliance to the Requirement.

“CRSI is committed to bringing our clients the most up-to-date and relevant information for all aspects of the NERC Audit.”

NERC’s Request for Interpretations: Request For Interpretation questions submitted to NERC for clarification.

NERC’s Frequently Asked Questions: Frequently Asked Questions that are generic inquiries to NERC or one of the Regional Reliability Councils.

NERC’s Guidelines

Page 3

“One problem solved by the Guide is quickly locating the various published information associated with the CIP standards. This includes for each CIP standard the specific related references in FERC Order 706, NERC Frequently Asked Questions, NERC CANs and NERC Guidelines. Where applicable, references to NERC Interpretations are also included.” - Robert Hoopes, Senior Director - FERC/NERC Compliance, PPL Services Corporation

Table of Contents

Introduction

Features

CIP 002 Critical Cyber Asset Identification

CIP 003 Security Management Controls

CIP 004 Personnel and Training

CIP 005 Electronic Security Perimeters

CIP 006 Physical Security of Critical Cyber Assets

CIP 007 Systems Security Management

CIP 008 Incident Reporting and Response Planning

CIP 009 Recovery Plans for Critical Cyber Assets

Definitions

Document Retention Requirements for CIP 002– 009

CIP Standards Accessibility Exemptions

SME Testimony Tips

Implementation Plan for Newly Identified CCAs and

Appendix A: CIP Cross Reference Matrix

Appendix B: CIP Standards Exemplars

Appendix C: Technical Feasibility Exemptions

Acknowledgments

Page 4

Who is the NERC CIP Compliance Guide for?

The Compliance Guide is designed for all members of your company. Those that will benefit most from the Guide are Subject Matter Experts, members of the internal Compliance Team, Senior Executives, Management, and employees dealing directly with NERC CIP on a daily basis. The Guide is designed as a reference source for all NERC CIP compliance questions.

“There has been an overwhelming response from those that have seen the Guide, and everyone that has seen it has asked when they can get a copy of their own.” - Large Investor-Owned Utility

Future Versions

For future versions of the book, a significant discount will be offered only to those who have previously purchased the first edition. It is intended that in future versions (Version 5), the Guide will be offered in a web format so it can operate within an Intranet platform for which a subscription service from CRSI will maintain the currency of and provide enhancements to the Guide and supporting templates. Significant discounts will also be offered for the web format only to those who have previously purchased the first edition. It is anticipated that the information contained in this Guide will be valid and applicable for a minimum of 18-24 months.

Page 5

Exemplars Index

“We wish we could have had a copy of this Guide when we first embarked on our Compliance program. We would not have struggled so much with trying to get the program off the ground.” - Large Investor-Owned Utility, Confidential

Table - Patch Software Management

Table - Comparison of Secure Trusted Network Alternatives to IPsec VPNs

Table - Evaluation Guidance for Control Centers

Figure - RBAM Assessment

Figure - Critical Asset Update List

Figure - Supporting Critical Cyber Assets

Figure - Firewall Arrangement for Energy Management Network

Figure - IDS In-Depth Defense Strategy

Figure - ESP Sample Drawing for Power Plant

Figure - ILO Network Segregation

Figure - Remote Access

Figure - Vendor Remote Access

Figure - Patch Management Lifecycle

Figure - Sample PSP Diagram for Power Plant

Figure - Cyber Security Controls Sample Baseline Document

Figure - Cyber Security Test Plan

Figure - Cyber Security Event Process Lifecycle

Figure - Cyber Vulnerability Assessment

Figure - Action Plan Scanning Schedule

Page 6

Book Excerpt from Appendix B: Exemplars Index

Page 7

Book Excerpt from CIP-002 Critical Cyber Asset Identification: CIP-002 R1: Critical Asset Identification Method - The Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets

[ The CIP Cross Reference Matrix (Appendix A) maps relevant CIP requirements that impact or are impacted by this Standard. ]

[1] Version 1

P 234. Reliability Standard CIP-002-1 deals with the identification of Critical Cyber Assets. The NERC Glossary defines “cyber assets” as “programmable electronic devices and communication networks including hardware, software, and data.” It defines “Critical Cyber Assets” as “cyber assets essential to the reliable operation of Critical Assets.” NERC defines “Critical Assets” as “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.” The accurate identification of Critical Assets and Critical Cyber Assets pursuant to CIP-002-1 is the cornerstone of the CIP Reliability Standards because it acts as a filter, determining whether a Responsible Entity must comply with the remaining CIP requirements in CIP-003-1 through CIP-009-1.

P 235. As the first step in identifying Critical Cyber Assets, CIP-002-1 requires each Responsible Entity to develop a risk-based assessment methodology to use in identifying its Critical Assets. Requirement R1 specifies certain types of assets that an assessment must consider for Critical Asset status and also allows the consideration of additional assets that the Responsible Entity deems appropriate. Requirement R2 requires the Responsible Entity to develop a list of Critical Assets based on an annual application of the risk-based assessment methodology. Requirement R3 provides that the Responsible Entity must use the list of Critical Assets to develop a list of associated Critical Cyber Assets that are essential to the operation of the Critical Assets. CIP-002-1 requires an annual reevaluation and approval by senior management of the lists of Critical Assets and Critical Cyber Assets.

P 236. Pursuant to section 215 of the FPA, the Commission approves Standard CIP-002-1 as mandatory and enforceable. …

P 237. Requirement R1 of CIP-002-1 requires each Responsible Entity to develop a risk based assessment methodology to identify Critical Assets. A Responsible Entity must maintain documentation describing its methodology that includes procedures and evaluation criteria. Requirement R1 identifies specific assets that the methodology must “consider,” including control centers, facilities critical to system restoration and automatic load shedding, and substations and generation resources that support reliable operation of the Bulk-Power System – as well as any other assets that support reliable operations and the Responsible Entity deems appropriate to include in its assessment.

P 256. Regarding MidAmerican’s comments on use of the N minus 1 criterion when applying a risk-based assessment methodology to the identification of Critical Assets, we agree with MidAmerican that an N minus 1 criterion is not an appropriate risk-based assessment methodology for identifying Critical Assets. ...Thus, the fact that the system was developed to withstand the loss of any single asset should not be the basis for not protecting that asset. Also, we note that the definition of “Critical Assets” is focused on the criticality of the asset, not the likelihood of an outage. Based on this reasoning, in response to US Power, we clarify that a generator should not assume that none of its individual generating assets would be regarded “critical” to the Bulk-Power System.

P 280. The Commission has two concerns regarding the misuse of facilities, and clarifies those concerns here. First, Requirement R1.2.1 requires responsible entities to consider control centers and backup control centers as potential Critical Assets. In determining whether those control centers should be Critical Assets, we believe that responsible entities should examine the impact on reliability if the control centers are unavailable, due for example to power or communications failures, or denial of service attacks. Responsible entities should also examine the impact that misuse of those control centers could have on the electric facilities they control and what the combined impact of those electric facilities could be on the reliability of the Bulk-Power System. The Commission recognizes that, when these matters are taken into account, it is difficult to envision a scenario in which a reliability coordinator, transmission operator or transmission owner control center or backup control center would not properly be identified as a Critical Asset.

“NERC CIP-002-1 R1 requires that the risk-based methodology used to identify Critical Assets be documented and CIP-002-1 R2 requires a list of Critical Assets be maintained and updated as necessary.”

Page 8

What Others Are Saying

“I strongly recommend CRSI's NERC CIP Compliance Guide to peers responsible for compliance with the CIP standards. It is exceptionally well done and can be used as a reference to validate various aspects of a current CIP compliance program or as a problem solving tool to work through CIP compliance issues. Its use in preparing for a CIP audit will be great benefit to those organizations using it.” - Robert Hoopes, Senior Director - FERC/NERC Compliance, PPL Services Corporation

“What we have found in using CRSI is that with multiple prominent groups involved in the CIP program, we are rarely ever able to agree on what to do to be compliant. The value of CRSI and this Guide is that it quickly helps to identify who is right. This is a huge time saver because when we are debating things internally, we now have an excellent and well-organized resource to go to. We now consider this an expert in-house resource that we can readily go to for advice.” - Large investor-owned utility

“The Guide is laid out in a useful format with tabs for each CIP standard, applicable Appendices and other related sections. The consistent formatting for each CIP standard section, highlighting each requirement and drilling down into the various sub-requirements helps the reader quickly locate desired references. The base price for the Guide may seem high at first but the value provided quickly offsets the price. Many hours of expensive external consulting can be precluded by utilizing the detailed knowledge documented in the Guide. We purchased a copy for each of our operating affiliates subject to the CIP standards to aid in their CIP compliance efforts.” - Robert Hoopes, Senior Director - FERC/NERC Compliance, PPL Services Corporation

“Westar Energy purchased the CRSI NERC CIP Compliance Guide as a supplemental tool for our Compliance team and subject matter experts in preparation for our spring 2012 NERC CIP Audit. The Guide Book provides a one-stop reference to many aspects of NERC CIP compliance including NERC's FAQ's, potential auditor questions, expected documentation and evidence, problem areas, and best practices. The Compliance and SME Testimony Tips within the Guide Book provide valuable information used to coach the subject matter experts in their interaction with the Audit team. I highly recommend the CRSI NERC CIP Compliance Guide to CIP compliance personnel and subject matter experts.” - Eric R. Ervin, Manager NERC CIP, Westar Energy

“While we were initially leery of the price tag, CRSI’s NERC Compliance Guidebook is well worth the money. It has a clean and easy-to-follow layout. We especially like the Frequently Asked Questions, Best Practices, and questions that an Auditor might ask. We started using it immediately after receiving it and are already providing additional books to other Subject Matter Experts, such as our Director of Operations and Director of Engineering. As we have been working to revamp our CIP Compliance Program, this guidebook serves as an excellent resource and reference book to help us in this process.” - Rick Twigg, Chief Information Officer, Vermont Electric Power Company

Page 9

“A nice feature of the Guide is the incorporation, for each CIP requirement/sub-requirement, of a set of Auditor Questions, Documentation, Additional Evidence, Problem Areas and Best Practices. The knowledge contained in these various sections is invaluable to the users of the Guidebook.”

FEATURE HIGHLIGHT

“Another nice feature is that the Guide addresses the pending changes contained in Version 4 of the CIP standards.”

Page 10

Copyright © 2012 by Corporate Risk Solutions, Inc. (CRSI). All rights reserved. No part of this book may be reproduced for publication or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, except as may be expressly permitted by the applicable copyright statutes or by written authorization from CRSI. Published in the United States of America. CRSI’s NERC CIP Compliance Guide Book is sold and distributed solely as a resource product, and is not representative of CRSI’s traditional work product “works-for-hire”. As such, the unique terms and conditions of the sale are solely provided in the purchase agreement and are excluded from any contracted work for which CRSI may have been engaged in its capacity as a Professional Consulting Company.

Terms and Conditions:

1. A limited distribution agreement is provided with each sale as identified in the CRSI NERC CIP Compliance Guide. Beyond this limited distribution agreement, no transfer of intellectual property rights is made with the purchase.

2. Purchases of the CRSI NERC CIP Compliance Guide Book are exclusive of any former, current or future contract with CRSI for professional services.

3. Payment via accepted payment processes is required at the time of order and in advance of product shipping and delivery.

4. Payment is in U.S. Dollars.

5. For the current edition (First Edition), no additional product updates or maintenance services are provided.

6. This book is presented solely for educational and informational purposes. The author and publisher are not offering it as legal, accounting or other professional services advice. While best efforts have been used in preparing this book, it may contain errors, omissions or information that was accurate as of its publication but has subsequently become outdated. The author or publisher shall not be liable or responsible to any person or entity with respect to any loss or incidental or consequential damages caused, or alleged to have been caused, directly or indirectly, by the information contained herein.

7. No warranty may be created or extended by sales representatives or written sales materials.

8. Purchase of the CRSI NERC CIP Compliance Guide Book represents acceptance of these terms and conditions.

Price List

Price per book

1 - 9 Books 800.00

10-24 Books 500.00

25-49 Books 450.00

*50-74 Books 400.00

75-99 Books 350.00

100 Books 300.00

* Purchases of 50 + books receive unlimited distribution rights of an electronic Adobe.PDF version of the Compliance Guide within the purchaser’s company.

Shipping is included in book price.

Page 11

Order Form

Quantity Price Subtotal

Order total:

Name/Company Name

Billing Address

Phone/Email

Method of Payment

Check/ACH

MasterCard

Visa

Credit Card No. Exp. Date

Signature

8725 Rosehill Road, Suite 450

Lenexa, KS 66215

Phone: 913-422-0410

Fax: 913-422-3905

E-mail: [email protected]

Find out more at www.corprisk.net

**Payment must be received prior to shipping of the Compliance Guide books.**