CIP-009: Cyber Security Illustrative Approach

Entities should ensure that recovery plans for critical cyber assets follow established business continuity and disaster recovery techniques and practices. The recovery of critical cyber assets and the Bulk-Power System is of short-term critical importance. The Bulk-Power System and its critical cyber assets play a crucial role in the overall economy and our critical infrastructure. Disruptions in service should be minimized to maintain public trust and confidence in the power system. As such, responsible entities should incorporate business continuity considerations into the overall design of their business model to proactively mitigate the risk of service disruptions and to recover as quickly as possible if disruptions occur.

Changes in business processes and technology, increased terrorism concerns, catastrophic natural disasters, and the threat of a pandemic have focused even greater attention on the need for effective business continuity planning. Consequently, these issues should be given greater consideration in the business continuity planning process.

Responsible entities should consider the potential for area-wide disasters that could affect an entire region and result in significant loss of service to the Bulk-Power System. The business continuity planning process should address interdependencies, both market-based and geographic, among system participants and infrastructure service providers. In most cases, recovery time objectives (RTOs) are now much shorter than they were in years past, and for most entities RTOs are based on hours, minutes, and even seconds. Ultimately, all entities should anticipate and plan for the unexpected and ensure that their recovery and business continuity planning process appropriately addresses the lessons they have learned from past incidents and disasters.

Events that trigger the implementation of a business continuity plan may also have significant security implications. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at different physical locations, using similar but different machines and software, which may communicate over different communications lines. Different trade-offs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.

Recovery and business continuity plans should be reviewed as an integral part of the security process. For example, risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the entity and its critical cyber assets in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for backup sites and communications networks. These security considerations should be integrated with the testing of business continuity plan implementations.

A responsible entity's recovery and business continuity planning process should reflect the following objectives:

  • The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components;
  • Business continuity planning involves the development of an enterprise-wide business continuity plan and the prioritization of business objectives and critical operations that are essential for recovery;
  • Recovery and business continuity planning should include regular updates based on changes in business processes, audit recommendations, and lessons learned from testing; and
  • Business continuity planning represents a cyclical, process-oriented approach that includes business impact analysis (BIA), risk assessment, risk management, and risk monitoring and testing.

The following additional practices are commonly used to maintain a recovery and business continuity plan:

  • Integrating business continuity planning into every business decision
  • Incorporating business continuity planning maintenance responsibilities in applicable employee job descriptions and personnel evaluations
  • Assigning the responsibility for periodic review of the business continuity plan to a planning coordinator, department, group, or committee
  • Performing regular audits and annual, or more frequent, tests of the recovery and business continuity plan