CIP-007: Cyber Security Sub-Requirements (Update: v5 Rev.3.09 09/11/12)

  • R1.1. Where technically feasible, enable only logical network accessible ports that the Responsible Entity needs, including port ranges or services to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device, the open ports are deemed needed.
  • R1.2. Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media.
  • R2.1. A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
  • R2.2. At least once every 35 calendar days, evaluate applicability of security patches that have been released since the last evaluation. Use the source or sources identified in Part 2.1 for evaluation.
  • R2.3. For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, perform one of the following actions:
    • Apply the applicable patches
    • Create a dated mitigation plan
    • Revise an existing mitigation plan

      Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

  • R2.4. For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
  • R3.1. Deploy method(s) to deter, detect, or prevent malicious code.
  • R3.2. Mitigate the threat of identified malicious code.
  • R3.3. For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.
  • R4.1. Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents, which includes, as a minimum, each of the following types of events:
    • 4.1.1. Detected successful login attempts
    • 4.1.2. Detected failed access attempts and failed login attempts
    • 4.1.3. Detected malicious code
  • R4.2. Generate alerts for security events that the Responsible Entity determines necessitate an alert, which includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
    • 4.2.1. Detected malicious code from Part 4.1
    • 4.2.2. Detected failure of Part 4.1 event logging
  • R4.3. Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days, except under CIP Exceptional Circumstances.
  • R4.4. Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
  • R5.1. Have a method(s) to enforce authentication of interactive user access, where technically feasible.
  • R5.2. Identify and inventory all enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).
  • R5.3. Identify individuals who have authorized access to shared accounts.
  • R5.4. Change known default passwords, per Cyber Asset capability.
  • R5.5. For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
    • 5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
    • 5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (for example, uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
  • R5.6. Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
  • R5.7. Where technically feasible:
    • Limit the number of unsuccessful authentication attempts; or
    • Generate alerts after a threshold of unsuccessful authentication attempts.
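The R4 parts above describe what to log, what to alert on and how often to review; the following is an added illustration of that chain run over a few constructed log lines. It is example code written for this page, not text or code from the standard or from NERC. The log line format, the host names, the match patterns and the heuristic that an asset silent for longer than one hour may have a logging failure (R4.2.2) are all assumptions; a log-forwarder heartbeat is a stronger signal for 4.2.2 in practice.

```python
"""Event logging, alerting and periodic review per CIP-007 R4.1 to R4.4.

Added example; not code from the standard or from NERC. The log line
format, host names, detection patterns and the 'silence longer than GAP
means logging may have failed' heuristic are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample log in an assumed "<ISO timestamp> <host> <message>" form.
SAMPLE_LOG = """\
2024-03-01T08:00:02 ems-hmi1 sshd: Accepted password for operator from 10.1.2.3
2024-03-01T08:00:30 ems-hmi1 sshd: Failed password for operator from 10.1.2.9
2024-03-01T08:00:41 ems-hmi1 sshd: Failed password for root from 10.1.2.9
2024-03-01T08:01:05 ems-hmi1 antivirus: Detected malware Trojan.Generic in C:/temp/x.exe
2024-03-01T08:02:00 rtu-gw2 login: session opened for user tech
2024-03-01T08:02:10 rtu-gw2 login: FAILED LOGIN for user tech
2024-03-01T10:15:00 ems-hmi1 sshd: Accepted password for operator from 10.1.2.3
"""

# R4.1 minimum event types, keyed by the sub-part each pattern evidences.
PATTERNS = [
    ("4.1.1", re.compile(r"Accepted password|session opened")),
    ("4.1.2", re.compile(r"Failed password|FAILED LOGIN|access denied", re.I)),
    ("4.1.3", re.compile(r"Detected malware", re.I)),
]

# Assumed heuristic: an asset that produces nothing for this long is
# reported as a possible R4.2.2 logging failure.
GAP = timedelta(hours=1)
RETENTION = timedelta(days=90)   # R4.3


def parse_line(line):
    """Split one log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def classify(msg):
    """Map a message to the R4.1 event type it evidences, or None."""
    for code, pat in PATTERNS:
        if pat.search(msg):
            return code
    return None


def review(log_text, gap=GAP):
    """Return (summary, alerts): per-host R4.1 counts and R4.2 alerts.

    summary is the R4.4 'summarization of logged events'; alerts holds
    4.2.1 (malicious code) and 4.2.2 (suspected logging failure) entries.
    """
    summary = Counter()
    alerts = []
    last_seen = {}
    for line in log_text.splitlines():
        ts, host, msg = parse_line(line)
        code = classify(msg)
        if code:
            summary[(host, code)] += 1
        if code == "4.1.3":
            alerts.append(f"4.2.1 malicious code on {host}: {msg}")
        prev = last_seen.get(host)
        if prev is not None and ts - prev > gap:
            alerts.append(f"4.2.2 possible logging failure on {host}: "
                          f"silent for {ts - prev}")
        last_seen[host] = ts
    return summary, alerts


def within_retention(ts, now):
    """R4.3: True while the event still falls inside the 90-day window."""
    return now - ts <= RETENTION


if __name__ == "__main__":
    summary, alerts = review(SAMPLE_LOG)
    for (host, code), n in sorted(summary.items()):
        print(f"{host:10} {code}  {n}")
    for a in alerts:
        print(a)
```

On the sample above the review produces one 4.2.1 alert for the antivirus detection and one 4.2.2 alert for ems-hmi1, which goes quiet for over two hours between its fourth and last lines; rtu-gw2 raises nothing.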
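Parts 5.5 and 5.7 are the ones most often misread, because the "lesser of" wording means an asset that cannot accept eight characters or three character classes is still compliant at its own maximum. The following is an added example, written for this page rather than taken from the standard, showing that rule applied per asset together with an R5.7 attempt limiter that both locks and alerts. The CyberAsset capability fields, the threshold of five attempts (the standard sets no number) and the sample passwords are assumptions.

```python
"""Password parameters (R5.5) and unsuccessful-attempt handling (R5.7).

Added illustration, not code from the standard or from NERC. The
CyberAsset fields, the attempt threshold and the sample values are
assumptions chosen for the example.
"""
from dataclasses import dataclass
import string


@dataclass
class CyberAsset:
    """Assumed per-asset capabilities that drive the 'lesser of' rule."""
    name: str
    max_password_length: int     # longest password the asset accepts
    supported_char_types: int    # how many of the four classes it can take (1-4)


def required_length(asset):
    # 5.5.1: the lesser of eight characters or the asset's maximum
    return min(8, asset.max_password_length)


def required_char_types(asset):
    # 5.5.2: the lesser of three character types or the asset's maximum
    return min(3, asset.supported_char_types)


def count_char_types(password):
    """Count the character classes present: upper, lower, digit, other."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    n = sum(any(c in cls for c in password) for cls in classes)
    if any(c not in string.ascii_letters + string.digits for c in password):
        n += 1
    return n


def password_meets_r55(asset, password):
    """Return (compliant, reasons) for a candidate password on this asset."""
    reasons = []
    if len(password) > asset.max_password_length:
        reasons.append("longer than the asset accepts")
    if len(password) < required_length(asset):
        reasons.append(f"shorter than {required_length(asset)}")
    if count_char_types(password) < required_char_types(asset):
        reasons.append(f"fewer than {required_char_types(asset)} character types")
    return (not reasons, reasons)


class AttemptLimiter:
    """R5.7 implemented both ways: after `threshold` consecutive failures
    the account is refused further attempts and one alert is emitted.
    """

    def __init__(self, threshold=5):   # threshold value is an assumption
        self.threshold = threshold
        self.failures = {}
        self.alerts = []

    def record(self, account, success):
        """Record one attempt; return False once the account is locked."""
        if success:
            self.failures.pop(account, None)
            return True
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n == self.threshold:
            self.alerts.append(f"ALERT: {n} consecutive failed logins for {account}")
        return n < self.threshold


if __name__ == "__main__":
    pin_pad = CyberAsset("rtu-pin-pad", max_password_length=6, supported_char_types=1)
    server = CyberAsset("ems-server", max_password_length=64, supported_char_types=4)
    for asset, pw in ((pin_pad, "483920"), (server, "password"), (server, "Tr0ub4dor")):
        print(asset.name, repr(pw), password_meets_r55(asset, pw))
    lim = AttemptLimiter(threshold=3)
    for _ in range(4):
        print(lim.record("operator", False))
    print(lim.alerts)
```

The numeric-only six-digit device is compliant with a six-digit PIN because both limits collapse to the asset's maximum; the server, which supports more, is held to eight characters and three classes. The limiter clears the failure count on a successful login so that unrelated typos days apart do not accumulate.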