CIP-012-1: Cyber Security - Communication between Control Centers

• R1. The Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more documented plans to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between any applicable Control Centers. The Responsible Entity is not required to include oral communications in its plan. The plan shall include: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

  • 1.1. Identification of security protection used to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers

  • 1.2. Identification of where the Responsible Entity applied security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers

  • 1.3. If the Control Centers are owned or operated by different Responsible Entities, identification of the responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time assessment and Real-time monitoring data between those Control Centers.

Identification of Security Protection (R1.1)

• An export of the configuration of a firewall showing the configuration of a VPN tunnel and the routing that directs applicable data through the VPN.

• An export of the configuration of a transport-level device that demonstrates encryption is enabled for applicable (or all) data.

• Configuration of an application that demonstrates that the applicable data is encrypted from the application to the remote client or application.