CIP-005: Cyber Security Sub-Requirements

  • R1.1. Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).
  • R1.2. For a dial-up accessible Critical Cyber Asset that uses a nonroutable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
  • R1.3. Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).
  • R1.4. Any noncritical Cyber Asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005.
  • R1.5. Cyber Assets used in the access control or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003; Standard CIP-004 Requirement R3; Standard CIP-005 Requirements R2 and R3; Standard CIP-006 Requirement R3; Standard CIP-007 Requirements R1 and R3 through R9; Standard CIP-008; and Standard CIP-009.
  • R1.6. The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected critical and noncritical Cyber Assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points.
  • R2.1. The entity’s electronic access control processes and mechanisms shall use an access control model that denies access by default, unless explicit access permissions are specified.
  • R2.2. At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.
  • R2.3. The Responsible Entity shall implement and maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s).
  • R2.4. Where external interactive access to the Electronic Security Perimeter is enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
  • R2.5. The required documentation must, at least, identify and describe:
    • R2.5.1. The processes for access request and authorization.
    • R2.5.2. The authentication methods.
    • R2.5.3. The review process for authorization rights, in accordance with Standard CIP-004 Requirement R4.
    • R2.5.4. The controls used to secure dial-up accessible connections.
  • R2.6. Appropriate Use Banner - Where technically feasible, electronic access control devices shall display an appropriate usage banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner.
  • R3.1. For dial-up accessible Critical Cyber Assets that use nonroutable protocols, the Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.
  • R3.2. Where technically feasible, the security monitoring process(es) shall detect and generate alerts for attempts at or actual unauthorized access. These alerts are used to send appropriate notifications to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
  • R5.1. The Responsible Entity shall ensure that all documentation required by Standard CIP-005 reflect current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-2 at least annually.
  • R5.2. The Responsible Entity shall update the documentation to reflect the modification of the network or controls within ninety calendar days of the change.
  • R5.3. The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents must meet the requirements of Standard CIP-008.