CIP-008: Cyber Security Illustrative Approach

An internal cyber security response center serves as a central location for the analysis and investigation of potential security incidents. In that role, the cyber security response center should consider, evaluate, and respond to both external threats and internal vulnerabilities.

Sources of external threat information include industry information sharing and analysis centers such as the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), the FBI's InfraGard program, vendor and community mailing lists, and commercial threat reporting services.

Internal vulnerability information is available from condition reporting and activity monitoring. Cyber security response teams should have read-only access to all relevant internal vulnerability information, so that analysis cannot alter the evidence it examines. Such data may reside in centralized log repositories, on the devices that perform the logging, and in the results of self-assessments and independent tests. Security response centers should also have tools available to analyze the logs and to perform ad hoc activity monitoring. Other useful data sources are reports of anomalies in network and host performance and in the end-user experience.

Because identifying incidents requires sustained monitoring and management of large volumes of event data, response teams frequently use security information management (SIM) tools to assist in the collection, analysis, classification, and reporting of activity related to security incidents.

The cyber security response team should be governed by policies and procedures that address security incidents:

  • M1. Monitoring policies should authorize adequate continual and ad hoc monitoring of communications, and should be written so that the results of monitoring can be used in subsequent legal proceedings. The responsibility and authority of security personnel and system administrators for monitoring should be established, and the tools used should be reviewed and approved by appropriate management, with appropriate conditions for their use.
  • M2. Classification policies should be sufficiently clear to enable timely classification of incidents into distinct levels of severity. Response and reporting requirements should be commensurate with those severity levels.
  • M3. Escalation policies should address when different personnel within the organization will be contacted about the incident and the responsibility those personnel have in incident analysis and response.
  • M4. Reporting policies should address internal and external reporting, including coordination with service providers and reporting to ES-ISAC.

In addition, a policy should address who is empowered to declare an incident to be an intrusion.
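The following is an added example, not part of the original CIP-008 text, showing how the log analysis described above and the M2 (classification), M3 (escalation), and M4 (reporting) policies can be encoded so that a SIM-style tool applies them consistently. Everything in it is constructed for illustration: the syslog-like sample lines, the host names, the set of hosts treated as critical assets, the brute-force thresholds, and the severity, escalation, and external-reporting tables are assumptions, not values from the standard or from any real entity. The tool correlates failed logins into a brute-force incident, recognizes a successful login that follows it, flags an out-of-window configuration change, and then derives severity, escalation contacts, and whether the incident meets the threshold for external reporting. Consistent with the sentence above, it never declares an intrusion itself; it only marks that the question must go to the designated authority.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), syslog-like:
# "<ISO timestamp> <host> <program>: <message>"
SAMPLE_LOGS = """\
2024-03-04T02:10:01 ems-hmi-01 sshd: Failed password for operator from 10.20.30.7 port 51234
2024-03-04T02:10:04 ems-hmi-01 sshd: Failed password for operator from 10.20.30.7 port 51240
2024-03-04T02:10:09 ems-hmi-01 sshd: Failed password for operator from 10.20.30.7 port 51251
2024-03-04T02:10:15 ems-hmi-01 sshd: Failed password for operator from 10.20.30.7 port 51263
2024-03-04T02:10:22 ems-hmi-01 sshd: Failed password for operator from 10.20.30.7 port 51270
2024-03-04T02:11:40 ems-hmi-01 sshd: Accepted password for operator from 10.20.30.7 port 51288
2024-03-04T09:15:02 corp-web-02 sshd: Failed password for root from 203.0.113.9 port 40001
2024-03-04T09:15:03 corp-web-02 sshd: Failed password for root from 203.0.113.9 port 40002
2024-03-04T14:00:00 ems-rtu-gw-03 audit: Configuration changed by svc_backup outside maintenance window
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
CONFIG_RE = re.compile(r"Configuration changed by (\S+) outside maintenance window")

# Hypothetical asset inventory: hosts the entity treats as critical cyber assets.
CRITICAL_ASSETS = {"ems-hmi-01", "ems-rtu-gw-03"}

# Assumed policy tables for M2 (severity), M3 (escalation) and M4 (reporting).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}
ESCALATION = {
    "Low": ["security analyst"],
    "Medium": ["security analyst", "on-call response lead"],
    "High": ["security analyst", "on-call response lead", "CIP senior manager"],
}
EXTERNAL_REPORT_THRESHOLD = "High"   # severity at or above which ES-ISAC is notified

BRUTE_FORCE_THRESHOLD = 5                   # failed logins ...
BRUTE_FORCE_WINDOW = timedelta(seconds=120)  # ... from one source within this window
SUCCESS_AFTER_BRUTE_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse syslog-like lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "program": prog, "msg": msg})
    return events


def detect(events):
    """Correlate raw events into candidate incidents (the analysis step)."""
    incidents = []
    failures = defaultdict(list)   # (host, source) -> recent failed-login timestamps
    brute_forced = {}              # (host, source) -> time the threshold was crossed
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = FAILED_RE.search(ev["msg"])
        if m:
            key = (ev["host"], m.group(2))
            failures[key].append(ev["ts"])
            # sliding window: keep only failures within BRUTE_FORCE_WINDOW of this one
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(failures[key]) >= BRUTE_FORCE_THRESHOLD and key not in brute_forced:
                brute_forced[key] = ev["ts"]
                incidents.append({"type": "brute_force", "host": ev["host"],
                                  "source": m.group(2), "ts": ev["ts"]})
            continue
        m = ACCEPTED_RE.search(ev["msg"])
        if m:
            key = (ev["host"], m.group(2))
            # a success shortly after a brute-force burst from the same source is far
            # more serious than the burst alone
            if key in brute_forced and ev["ts"] - brute_forced[key] <= SUCCESS_AFTER_BRUTE_WINDOW:
                incidents.append({"type": "login_after_brute_force", "host": ev["host"],
                                  "source": m.group(2), "ts": ev["ts"]})
            continue
        m = CONFIG_RE.search(ev["msg"])
        if m:
            incidents.append({"type": "unauthorized_config_change", "host": ev["host"],
                              "source": m.group(1), "ts": ev["ts"]})
    return incidents


def classify(incident):
    """M2: severity from incident type and whether the host is a critical asset."""
    critical = incident["host"] in CRITICAL_ASSETS
    kind = incident["type"]
    if kind == "brute_force":
        return "Medium" if critical else "Low"
    if kind in ("login_after_brute_force", "unauthorized_config_change"):
        return "High" if critical else "Medium"
    return "Low"


def triage(incident):
    """M3/M4: escalation contacts and reporting obligations for one incident."""
    sev = classify(incident)
    return {
        **incident,
        "severity": sev,
        "escalate_to": ESCALATION[sev],
        "report_externally": SEVERITY_RANK[sev] >= SEVERITY_RANK[EXTERNAL_REPORT_THRESHOLD],
        # The tool never declares an intrusion; it flags that the designated
        # authority must decide.
        "needs_intrusion_decision": sev == "High",
    }


def run(text=SAMPLE_LOGS):
    """Full pipeline: collect -> analyze -> classify -> escalate/report."""
    return [triage(i) for i in detect(parse_log(text))]


if __name__ == "__main__":
    for r in run():
        print(f"{r['ts']} {r['severity']:6} {r['type']:26} {r['host']:14} "
              f"escalate={r['escalate_to']} external_report={r['report_externally']}")
```

On the constructed input this yields a Medium brute-force incident on ems-hmi-01, a High incident when the same source then logs in successfully, and a High incident for the configuration change on ems-rtu-gw-03; the two failures against corp-web-02 stay below the threshold and produce nothing. Keeping the thresholds and policy tables as data rather than scattering them through the detection code is what lets the classification and escalation rules be reviewed and approved by management, as M1 and M2 require, and changed without touching the analysis logic.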

At a minimum, each entity should test its incident response plan at least annually. Such testing should exercise the planned response actions against a presumed or hypothetical incident contemplated by the cyber security response plan; it need not reproduce the incident on the live system. Employees should take the actions the response plan would require of them, given the hypothetical incident. When reviewing actual incidents or testing the incident response plan, the entity should document lessons learned and incorporate appropriate changes to the plan, as needed.

The effectiveness of a cyber security incident response team is also a function of the training and expertise of its security analysts. An entity should ensure that its analysts are sufficiently trained to analyze network and host activity correctly and to use the monitoring and analysis tools made available to them.