CIP-005: Cyber Security SubRequirements

  • R1.1. Access points to the Electronic Security Perimeters shall include any externally connected communication end point (for example, dial-up modems) terminating at any device in the Electronic Security Perimeters.
  • R1.2. For a dial-up accessible Critical Cyber Asset that uses a nonroutable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
  • R1.3. Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links in the Electronic Security Perimeters shall be considered access points to the Electronic Security Perimeters.
  • R1.4. Any noncritical Cyber Asset in a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005.
  • R1.5. Cyber Assets used in the access control or monitoring of the Electronic Security Perimeters shall be afforded the protective measures as specified in Standard CIP-003; Standard CIP-004 Requirement R3; Standard CIP-005 Requirements R2 and R3; Standard CIP-006 Requirement R3; Standard CIP-007 Requirements R1 and R3 through R9; Standard CIP-008; and Standard CIP-009.
  • R1.6. The Responsible Entity shall maintain documentation of Electronic Security Perimeters, all interconnected critical and noncritical Cyber Assets in the Electronic Security Perimeters, all electronic access points to the Electronic Security Perimeters and the Cyber Assets deployed for the access control and monitoring of these access points.
  • R2.1. The entity’s electronic access control processes and mechanisms shall use an access control model that denies access by default, unless explicit access permissions are specified.
  • R2.2. At all access points to the Electronic Security Perimeters, the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets in the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.
  • R2.3. The Responsible Entity shall implement and maintain a procedure for securing dial-up access to the Electronic Security Perimeters.
  • R2.4. Where external interactive access to the Electronic Security Perimeter is enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
  • R2.5. The required documentation must, at least, identify and describe:
    • R2.5.1. The processes for access request and authorization.
    • R2.5.2. The authentication methods.
    • R2.5.3. The review process for authorization rights, in accordance with Standard CIP-004 Requirement R4.
    • R2.5.4. The controls used to secure dial-up accessible connections.
  • R2.6. Appropriate Use Banner: Where technically feasible, electronic access control devices shall display an appropriate usage banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner.
  • R3.1. For dial-up accessible Critical Cyber Assets that use nonroutable protocols, the Responsible Entity shall implement and document monitoring processes at each access point to the dial-up device, where technically feasible.
  • R3.2. Where technically feasible, the security monitoring processes shall detect and generate alerts for attempts at or actual unauthorized access. These alerts are used to send appropriate notifications to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
  • R5.1. The Responsible Entity shall ensure that all documentation required by Standard CIP-005 reflects current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-2 at least annually.
  • R5.2. The Responsible Entity shall update the documentation to reflect the modification of the network or controls within ninety calendar days of the change.
  • R5.3. The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents must meet the requirements of Standard CIP-008.