CIP-005: Cyber Security Illustrative Approach

Electronic access controls include those related to boundary protection, user identification and authentication, authorization, encryption, logging, auditing, and monitoring. Agencies must protect the electronic security perimeter and every access point into it that their risk assessment methodology identifies as a critical cyber asset.

Multiple electronic security perimeters may be required; for example, one may be needed around a control room, while another may be established around a substation. For any electronic security perimeter established, the responsible entity must develop mechanisms to control and monitor electronic access at every electronic access point. In addition, the responsible entity must assess the cyber vulnerability of the electronic security perimeter and test every electronic access point at least annually.

The Federal Energy Regulatory Commission (FERC) has instructed the North American Electric Reliability Corporation (NERC) to issue specific supplemental guidance on the identification and protection of electronic security perimeters. NERC will issue additional guidance on:

  • Adequacy of electronic security perimeters – While the electronic security perimeter constitutes a first line of defense, the effectiveness of any one defensive measure depends on the quality of active human maintenance. Also, no single defensive measure will guarantee the protection of the Bulk-Power System. Therefore, when constructing an electronic security perimeter, each entity should adopt a defense in depth posture of two or more defensive measures, if technically feasible. There may be instances in which certain facilities cannot implement defense in depth, or in which such an approach would harm reliability rather than enhance it. In such instances, the responsible entity should implement those electronic defense in depth measures that are feasible and document why the remainder are not technically feasible.
  • Protecting access points and controls – Examples of strong verification and authentication technologies for protecting access points under Requirement R2.4 include digital certificates and two-factor authentication. FERC has instructed NERC to identify additional examples of specific verification technologies and other technically equivalent measures or technologies.
  • Monitoring access logs – Both automated and manual log reviews are important. Automated review systems provide a reasonable day-to-day check of the system and a convenient screen for obvious breaches. Supplemental periodic manual review provides the opportunity to recognize an unanticipated form of malicious activity and to tune the automated detection settings accordingly. Manual review is also the way to judge whether the protection measures themselves, such as firewall rule sets, are doing what the documented policy says: if a firewall rule is incorrect or ineffective, the traffic it wrongly admits is logged as ordinary accepted traffic, and an automated review that only screens for denied connections or known signatures will not identify the intrusion. For entities without automated log review and alerting, manual review is even more important because it is the only review the logs receive.

    Each entity should designate the logs of individual assets as “readily accessible” or “not readily accessible.” Readily accessible logs, such as those from within a control room setting, should be reviewed at least weekly. Logs that are not readily accessible, such as those located at a remote substation, may be reviewed less frequently. Any attempt to differentiate the required frequency of review must, however, be balanced against the criticality of the facilities; it is not acceptable to exempt a critical facility from timely review simply because it is remote.

  • Vulnerability assessments – Annual vulnerability assessments are sufficient when no significant modifications have been made to the electronic access points of the electronic security perimeter. When the electronic security perimeter, or another measure in the defense in depth strategy, is significantly modified, it is not acceptable to wait up to a year to test the modification. In such instances, a vulnerability assessment of the electronic access points should be conducted as part of, or contemporaneously with, the modification. For example, updating an attack signature file on an electronic access point might not require an active vulnerability assessment, but replacing the devices that make up the electronic access point could.

    In addition to the annual vulnerability assessment, each entity should conduct an active vulnerability assessment at least once every three years; paper (documentation-based) assessments are allowable in the intervening years. If an active vulnerability assessment is not “technically feasible,” the responsible entity may apply to its NERC Regional Entity to be excused from full compliance, fully documenting the necessary interim actions, milestone schedule, and mitigation plan.

    Active vulnerability testing should be conducted on test systems. Test systems do not need to exactly match or mirror the operational system, but to perform a meaningful active assessment the responsible entity should build a representative system, that is, one that replicates the actual system as closely as practical, and carry out the assessment there. The responsible entity should document for the auditors the differences between the operational and representative systems, how test results on the representative system might differ from results on the operational system, and how it accounts for those differences in operating the system. In short, the test systems must be adequate to model the production systems, and every difference between the two must be documented and accounted for.
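The automated screening that the “Monitoring access logs” bullet describes, together with the gap it warns about (a firewall rule that wrongly accepts a flow produces an ordinary ACCEPT record, so a review that only counts denies never sees it), as an added Python example that is not part of the original guidance. The log format, the access point name `ap-sub7`, the addresses, and the documented allow-list are all constructed for illustration; a real review would read the access point's own export format and the entity's documented ESP access policy.

```python
"""Automated review of electronic access point (firewall) logs.

Added example, not part of the CIP-005 guidance text. Compares every
ACCEPTed inbound flow against the documented access policy for the
electronic security perimeter, and also applies the usual screen for
bursts of denied connections. Addresses, names and policy are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the ESP address range and the documented policy for the
# access point. Only these inbound flows into the ESP are authorised.
ESP_NETWORK = ip_network("10.20.0.0/24")
ALLOWED_INBOUND = [
    # (source network,              destination host,          port, proto)
    (ip_network("10.50.1.0/24"), ip_address("10.20.0.10"), 443, "tcp"),  # jump hosts -> HMI web
    (ip_network("10.50.1.0/24"), ip_address("10.20.0.20"), 22,  "tcp"),  # jump hosts -> RTU gateway ssh
]

# Constructed log format: <timestamp> <access point> <ACCEPT|DENY> <proto> <src:port> -> <dst:port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) (?P<action>ACCEPT|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: a legitimate session, a scan from 192.0.2.15 that is
# mostly denied, and one ACCEPT of telnet from the same scanner caused by
# a firewall rule that is broader than the documented policy.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z ap-sub7 ACCEPT tcp 10.50.1.7:51234 -> 10.20.0.10:443
2024-03-04T02:11:09Z ap-sub7 DENY tcp 192.0.2.15:40001 -> 10.20.0.20:22
2024-03-04T02:11:09Z ap-sub7 DENY tcp 192.0.2.15:40002 -> 10.20.0.20:443
2024-03-04T02:11:10Z ap-sub7 DENY tcp 192.0.2.15:40003 -> 10.20.0.20:3389
2024-03-04T02:11:10Z ap-sub7 DENY tcp 192.0.2.15:40004 -> 10.20.0.20:502
2024-03-04T02:11:11Z ap-sub7 DENY tcp 192.0.2.15:40005 -> 10.20.0.20:80
2024-03-04T02:11:12Z ap-sub7 ACCEPT tcp 192.0.2.15:40006 -> 10.20.0.20:23
2024-03-04T02:12:00Z ap-sub7 ACCEPT tcp 10.50.1.7:51240 -> 10.20.0.20:22
2024-03-04T02:12:30Z ap-sub7 ACCEPT tcp 10.20.0.10:33000 -> 10.50.1.7:514
""".splitlines()


def parse_line(line):
    """Parse one log record into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "ap": d["ap"], "action": d["action"], "proto": d["proto"],
        "src": ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ip_address(d["dst"]), "dport": int(d["dport"]),
    }


def is_authorised(rec):
    """True if an inbound flow into the ESP matches a documented allow rule.
    Flows whose destination is outside the ESP are out of scope here."""
    if rec["dst"] not in ESP_NETWORK:
        return True
    return any(
        rec["src"] in net and rec["dst"] == dst
        and rec["dport"] == port and rec["proto"] == proto
        for net, dst, port, proto in ALLOWED_INBOUND
    )


def review(lines, deny_threshold=5, check_policy=True):
    """Return a list of (kind, detail) findings.

    check_policy=False reproduces a deny-only screen: it still reports
    scanning, but cannot see traffic the firewall wrongly let through."""
    findings = []
    denies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line.strip()))
            continue
        if rec["action"] == "DENY":
            denies[str(rec["src"])] += 1
        elif check_policy and not is_authorised(rec):
            findings.append(("unauthorised_accept",
                             f"{rec['ts']} {rec['ap']} accepted {rec['proto']} "
                             f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
                             "which is not in the documented access policy"))
    for src, n in denies.items():
        if n >= deny_threshold:
            findings.append(("deny_burst", f"{src} denied {n} times"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run against the constructed sample, the policy-aware review reports both the deny burst from 192.0.2.15 and the accepted telnet session that the documented policy does not allow; `review(SAMPLE_LOG, check_policy=False)` reports only the deny burst. The second result is the situation the guidance warns about, and the reason a periodic manual comparison of the live rule set against the documented policy is still needed even where automated review is in place.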