Cyber Security Standard Workshop: Status of Draft Cyber Security Standards (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Cyber Security Standard Workshop: Status of
Draft Cyber Security Standards
  • Larry Bugh
  • ECAR
  • Standard Drafting Team Chair
  • January 2005

2
Agenda for This Session
  • Status Update
  • Format/Numbering Changes
  • Other Major Changes
  • Transition from Standard 1200 to new Cyber
    Security Standards
  • Proposed Development Schedule
  • Proposed Implementation Plan

3
Status Update
  • Draft 1 of standard and FAQ posted Sep. 15th for
    public comment
  • Webcast conducted Oct. 18th
  • Draft 2 of standards and FAQ posted Jan. 17, 2005
    for 30 days
  • Draft 1 of Proposed Implementation Plan posted
    Jan. 17, 2005 for 30 days
  • Development Highlights posted.

5
Format/Numbering Changes
  • New numbering scheme for NERC Reliability
    Standards
  • New format for NERC Reliability Standards
    • All requirements together, all measures, etc.
  • Option to keep 1300 as one standard or separate
    standards
    • Decided to separate by section
    • One implementation plan
    • Likely ballot as a package

6
Format/Numbering Changes
  • New standards as compared to sections in Draft 1
    of Standard 1300 (mapping as given on the
    following slides):
    • CIP-002-1 Critical Cyber Assets (1302)
    • CIP-003-1 Security Management Controls (1301)
    • CIP-004-1 Personnel and Training (1303)
    • CIP-005-1 Electronic Security (1304)
    • CIP-006-1 Physical Security (1305)
    • CIP-007-1 Systems Security Management (1306)
    • CIP-008-1 Incident Reporting and Response
      Planning (1307)
    • CIP-009-1 Recovery Plans (1308)

8
Other Major Changes
  • Overall
    • Applicable entities with no critical cyber assets
      are exempt from CIP-003-1 through CIP-009-1.
    • Definitions revised.
    • Definition for Critical Cyber Asset revised.
    • Standards do not apply to nuclear facilities.
  • CIP-002-1 Critical Cyber Assets (1302)
    • Reinforced relationship of critical assets to
      operations
    • Modified criteria for generation/generation
      control
    • Documentation/protection of all cyber assets
      within the electronic security perimeter
  • CIP-003-1 Security Management Controls (1301)
    • Moved Change Management requirements from
      CIP-006-1 to this standard.

9
Other Major Changes
  • CIP-004-1 Personnel and Training (1303)
    • "Background Screening" was changed to "Personnel
      Risk Assessment", based upon several comments,
      and to be more inclusive in application.
    • SSN verification was changed to "Identity
      Verification" to allow for legal variance
      between the laws of member entities' countries.
    • The wording "unrestricted access" was changed to
      "authorized access" throughout for consistency
      and clarity.
    • Access revocation and records change requirements
      under this section were changed throughout to "7
      calendar days, and 24 hours for personnel
      terminated for cause" for flexibility and
      consistency.
    • We did not add drug screening to the
      requirements, despite several comments, due to
      the complexity and administrative issues
      associated with that area. Companies are free to
      pursue measures beyond the Standard, which seeks
      to set the baseline.
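The revocation deadlines on this slide are simple to audit by reconciling the HR termination feed against the access-control system's revocation log. The Python below is an added example written for this page, not code from the presentation or from NERC. It assumes, since the page does not say, that each termination record carries a timestamp and a for-cause flag, that revocation times are taken from the access-control system's own log, and that "7 calendar days" is read as 7 x 24 hours from the termination time. The names (Termination, Finding, audit_revocations) and every sample record are constructed for the example.

```python
"""Audit access revocations against the "7 calendar days / 24 hours for cause" deadlines.

Added example, not code from the presentation or from NERC. Assumed (not stated on
the page): terminations come from an HR feed with a timestamp and a for-cause flag;
revocations are the timestamps at which the access-control system actually disabled
the account; "7 calendar days" is read as 7 x 24 hours from the termination time.
All records in sample_data() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FOR_CAUSE_DEADLINE = timedelta(hours=24)   # personnel terminated for cause
STANDARD_DEADLINE = timedelta(days=7)      # all other terminations / records changes


@dataclass(frozen=True)
class Termination:
    person_id: str
    terminated_at: datetime
    for_cause: bool


@dataclass(frozen=True)
class Finding:
    person_id: str
    deadline: datetime
    revoked_at: Optional[datetime]   # None: no revocation record seen
    status: str                      # "ok", "pending", "late" or "not_revoked"
    overdue_by: Optional[timedelta]  # time past the deadline for late/not_revoked


def deadline_for(t: Termination) -> datetime:
    """Deadline the draft text prescribes for this termination."""
    window = FOR_CAUSE_DEADLINE if t.for_cause else STANDARD_DEADLINE
    return t.terminated_at + window


def audit_revocations(terminations: List[Termination],
                      revocations: Dict[str, datetime],
                      as_of: datetime) -> List[Finding]:
    """Reconcile each termination with the matching revocation timestamp.

    A missing revocation is "pending" while the deadline has not yet passed
    (relative to as_of) and "not_revoked" once it has; a revocation after the
    deadline is "late". All timestamps must be timezone-aware.
    """
    findings = []
    for t in terminations:
        due = deadline_for(t)
        revoked = revocations.get(t.person_id)
        if revoked is None:
            if as_of > due:
                findings.append(Finding(t.person_id, due, None, "not_revoked", as_of - due))
            else:
                findings.append(Finding(t.person_id, due, None, "pending", None))
        elif revoked > due:
            findings.append(Finding(t.person_id, due, revoked, "late", revoked - due))
        else:
            findings.append(Finding(t.person_id, due, revoked, "ok", None))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status; the non-"ok" buckets are the audit exceptions."""
    counts = {"ok": 0, "pending": 0, "late": 0, "not_revoked": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def sample_data():
    """Constructed sample input (not from the page): five terminations, three revocations."""
    tz = timezone.utc
    terminations = [
        Termination("u100", datetime(2005, 1, 17, 9, 0, tzinfo=tz), for_cause=False),
        Termination("u101", datetime(2005, 1, 17, 9, 0, tzinfo=tz), for_cause=True),
        Termination("u102", datetime(2005, 1, 13, 16, 30, tzinfo=tz), for_cause=False),
        Termination("u103", datetime(2005, 1, 24, 8, 0, tzinfo=tz), for_cause=True),
        Termination("u104", datetime(2005, 1, 10, 9, 0, tzinfo=tz), for_cause=False),
    ]
    revocations = {
        "u100": datetime(2005, 1, 23, 17, 0, tzinfo=tz),  # inside the 7-day window
        "u101": datetime(2005, 1, 18, 12, 0, tzinfo=tz),  # 27 h after a for-cause termination
        "u102": datetime(2005, 1, 21, 9, 0, tzinfo=tz),   # 7 d 16.5 h: misses the window
        # u103 (still inside its 24 h) and u104 (well past 7 days) have no revocation record
    }
    as_of = datetime(2005, 1, 24, 12, 0, tzinfo=tz)
    return terminations, revocations, as_of


if __name__ == "__main__":
    terms, revs, now = sample_data()
    results = audit_revocations(terms, revs, now)
    for f in results:
        print(f"{f.person_id}: {f.status} (deadline {f.deadline.isoformat()}, overdue_by={f.overdue_by})")
    print(summarize(results))
```

Run stand-alone, the script prints one line per person and a count per status. The late and not_revoked buckets are the exceptions an auditor would ask about; pending is the set of terminations still inside their window, which is what a daily report should surface so that a for-cause termination does not slip past the 24-hour mark unnoticed.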

10
Other Major Changes (cont)
  • CIP-005-1 Electronic Security (1304)
    • Clarified requirement for strong technical and
      procedural controls for access to the perimeter
    • Technical feasibility caveat added for banners
    • Fixed inconsistency in levels of non-compliance
  • CIP-006-1 Physical Security (1305)
    • Requirements section was updated to more clearly
      define the physical security elements of the
      Security Plan.
    • Physical security perimeter requirement was
      clarified, removing references to assigned
      security levels, and modifying the four-wall
      boundary concept.
    • Updated levels of non-compliance for consistency
      across all proposed NERC Cyber Security
      Standards.
    • CCTV monitoring control was modified to include
      the point of facility access as a monitoring
      point.
    • Manual logging control was modified to include
      remote verification as a means of ensuring
      completeness.

11
Other Major Changes (cont)
  • CIP-007-1 Systems Security Management (1306)
    • Reference to "unattended facilities" was added,
      and a delineation of requirements between
      "attended" and "unattended" facilities was
      included in sub-sections where appropriate.
    • In draft one, for a few sub-sections,
      requirements were stated in the measures
      section. In draft two, this was cleared up and
      requirements were moved to the requirements
      section.
    • Risk-based assessment was added to the Security
      Patch Management section for determining patch
      applicability.
    • Review requirements were updated for consistency.
    • A statement was added to the Retention of System
      Logs section to indicate that the entity is
      responsible for determining its logging
      strategy.
    • Clarified various terms and concepts (e.g.,
      potential vs. known vulnerabilities, end-user
      accounts, generic account policy).

12
Other Major Changes (cont)
  • CIP-008-1 Incident Reporting and Response
    Planning (1307)
    • Combined the Incident and Security Incident
      definitions to create a new definition, Cyber
      Security Incident
    • Changed the title to Incident Reporting and
      Response Planning to better reflect the
      standard's scope
    • Updated the introduction paragraph to clarify the
      requirements of the standard
    • Updated the Cyber Security Incident Reporting
      requirement to reflect that the responsible
      entity is accountable for ensuring that the
      Electricity Sector Information Sharing and
      Analysis Center (ES-ISAC) receives the cyber
      security incident report
    • If a cyber security incident occurs and is not
      reported to the ES-ISAC, it will now result in
      level three non-compliance
    • Includes minor formatting changes to make the
      requirement, measurement, and non-compliance
      sections clearer.

13
Other Major Changes (cont)
  • CIP-009-1 Recovery Plans (1308)
    • The third paragraph was moved to the FAQ, as it
      primarily explained the degree of recovery
      required in consideration of the expected impact
      and risk involved.
    • The requirement to "post" a recovery contact list
      was stricken from the Standard. The drafting
      team agreed with several comments that posting a
      contact list is procedural and often
      unacceptable depending on the situation at that
      location.
    • Some grammar, structure and clarification changes
      were made in keeping with comments posted.

15
Transition from Standard 1200 to new Cyber Security
Standards
  • Drafting Team recognizes impact of changes.
  • Implementation plan proposes to phase in new
    requirements.
  • 1st draft of implementation plan posted w/draft 2

17
Proposed Development Schedule
  • Tentative posting/review schedule for CIP-002-1
    through CIP-009-1

19
Proposed Implementation Plan
  • Sample Compliance Schedule for Standards
    CIP-002-1 through CIP-009-1 (from Implementation
    Plan Draft 1)
  • AC (Auditably Compliant) means the entity meets
    the full intent of the requirement and can prove
    compliance to an auditor.
  • SC (Substantially Compliant) means an entity has
    begun the process to become compliant with a
    requirement, but is not yet Auditably Compliant.
  • Implementation Plan Draft 1 contains comparable
    tables for Draft Standards CIP-003-1 through
    CIP-009-1.

20
Questions???
  • Contact info
  • Larry Bugh ECAR
  • 330.580.8017
  • larryb@ecar.org
  • http://www.nerc.com/