CIP-007: Cyber Security Illustrative Approach

While these system security management requirements are more prescriptive in nature than the other CIP Requirements, the Federal Energy Regulatory Commission (FERC) has instructed NERC to issue specific supplemental guidance on the appropriate methods, processes, and procedures for securing critical and non-critical cyber assets within the electronic security perimeters. NERC will issue additional guidance on:

  • Test procedures – As with the active vulnerability testing procedures defined under the electronic security perimeter requirements, test systems do not need to match or mirror production systems. However, to perform active testing, the Responsible Entity should create a representative system, that is, one that replicates the actual system as closely as possible. The Responsible Entity should document the differences between the operational and representative systems for the auditors. As part of this documentation, the Responsible Entity should also record how test results on the representative system might differ from the operational system and how the Responsible Entity accounts for such differences when operating the system. In short, the Responsible Entity should ensure that the test systems are adequate to model the production systems, and should document and account for the differences between the two.
  • Malicious software prevention – Entities should establish safeguards against personnel introducing, either maliciously or unintentionally, viruses or malicious software to a cyber asset within the electronic security perimeter through remote access, electronic media, or other means. While not every system in an electronic security perimeter needs antivirus software, critical cyber assets must be protected, regardless of the operating system being used. Network infrastructure devices that are not directly targeted can still be affected as collateral damage. Computer virus technology changes every day. Therefore, entities should protect all cyber assets within an electronic security perimeter, regardless of the operating system being used.
  • Security status monitoring – Among other things, a Responsible Entity must maintain logs of system events related to cyber security, where technically feasible, to support security incident response as required in CIP-008, Incident Reporting and Response Planning. Logs must be retained for 90 calendar days, and the Responsible Entity must review logs of system events related to cyber security and maintain records documenting review of logs. A sampling of logs should be reviewed at least weekly. Log sampling procedures should be defined in the entity’s cyber security policy. The review process should be rigorous enough to enable the entity to detect intrusions by attackers. Examples of information that should be contained in logs include:
    • Identification of the information affected
    • Type of activity
    • Date and time of activity
    • Individual performing the activity
    • Individual approving the activity
  • Disposal or redeployment – Each entity should ensure that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding or redeploying it. In general, there are three methods for disposing of computer data:
    • Clear: Overwriting the media with random content.
    • Purge: Degaussing the media with a strong magnetic field. High-quality degaussing can adequately protect media from unauthorized access. Degaussing, however, is not the sole means for achieving this goal.
    • Destroy: Methods include disintegration, pulverization, melting, and incineration.
  • Cyber vulnerability assessment – Vulnerability testing is a valuable tool for determining whether the actions taken to support the security posture of the electronic security perimeter and other areas of responsibility are in fact adequate. Each entity’s vulnerability testing should take into account emerging and diverse technologies and newly discovered vulnerabilities. FERC has directed the ERO and NERC to provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments.
  • Documentation review and maintenance – Establishing and maintaining correct documentation of methods, processes and procedures for securing a Responsible Entity’s system is necessary. If an event occurred before documentation was updated, an operator may not know of a change and could operate the system relying on out-of-date information. Such an event would put reliability at risk by not informing operators of a method, process or procedure to secure the system against a known risk.
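The security status monitoring item above describes three checks an entity can automate: that each event entry carries the listed fields, that entries stay within the 90-calendar-day retention window, and that a sample is reviewed weekly with a record of that review. The following script is an added illustration, not part of this guidance or any NERC tooling; the log format (one JSON object per line), the field names, the asset names and the entries are all constructed for the example.

```python
"""Log completeness, retention-window and weekly sample-review checks."""
import json
import random
from datetime import datetime, timedelta

# Fields the guidance lists for each cyber security event log entry.
REQUIRED_FIELDS = ("asset", "activity", "timestamp", "performed_by", "approved_by")
RETENTION_DAYS = 90  # logs must be kept at least 90 calendar days

# Constructed sample log, one JSON object per line (hypothetical asset names).
SAMPLE_LOG = """
{"id": 1, "asset": "EMS-HMI-01", "activity": "firewall rule change", "timestamp": "2024-03-01T10:15:00Z", "performed_by": "jdoe", "approved_by": "asmith"}
{"id": 2, "asset": "RTU-07", "activity": "firmware update", "timestamp": "2024-03-03T08:00:00Z", "performed_by": "mlee"}
{"id": 3, "asset": "SCADA-SRV-02", "activity": "5 failed logins", "timestamp": "2023-11-20T02:41:00Z", "performed_by": "unknown", "approved_by": "n/a"}
{"id": 4, "asset": "EMS-HMI-01", "activity": "account created", "timestamp": "2024-03-05T14:30:00Z", "performed_by": "jdoe", "approved_by": "asmith"}
"""

def _ts(iso):
    """Parse an ISO-8601 timestamp; a trailing Z is treated as UTC."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_log(text):
    """Parse NDJSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def missing_fields(record):
    """Return the required fields a record lacks (empty list means complete)."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def must_retain(record, now_iso):
    """True while the entry is inside the 90-calendar-day retention window."""
    return _ts(now_iso) - _ts(record["timestamp"]) <= timedelta(days=RETENTION_DAYS)

def weekly_review(records, week_start_iso, reviewer, sample_size=2, seed=0):
    """Sample that week's entries reproducibly and return the review record
    documenting which entries were examined and which were incomplete."""
    start = _ts(week_start_iso)
    end = start + timedelta(days=7)
    in_week = [r for r in records if start <= _ts(r["timestamp"]) < end]
    sample = random.Random(seed).sample(in_week, min(sample_size, len(in_week)))
    return {
        "reviewer": reviewer,
        "week_start": start.date().isoformat(),
        "entries_reviewed": sorted(r["id"] for r in sample),
        "incomplete_entries": sorted(r["id"] for r in sample if missing_fields(r)),
    }

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(weekly_review(recs, "2024-03-01T00:00:00Z", "reviewer-on-duty", sample_size=5))
```

The fixed seed makes the weekly sample reproducible, so an auditor can regenerate exactly which entries were reviewed from the retained review record.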