Title: Cyber Security Standard Workshop Status of Draft Cyber Security Standards
Cyber Security Standard Workshop
Status of Draft Cyber Security Standards
- Larry Bugh
- ECAR
- Standard Drafting Team Chair
- January 2005
Agenda for This Session
- Status Update
- Format/Numbering Changes
- Other Major Changes
- Transition from Standard 1200 to new Cyber Security Standards
- Proposed Development Schedule
- Proposed Implementation Plan
Status Update
- Draft 1 of standard and FAQ posted Sep. 15th for public comment
- Webcast conducted Oct. 18th
- Draft 2 of standards and FAQ posted Jan. 17, 2005 for 30 days
- Draft 1 of Proposed Implementation Plan posted Jan. 17, 2005 for 30 days
- Development Highlights posted
Format/Numbering Changes
- New numbering scheme for NERC Reliability Standards
- New format for NERC Reliability Standards
  - All requirements together, all measures together, etc.
- Option to keep 1300 as one standard or separate standards
  - Decided to separate by section
- One implementation plan
  - Likely ballot as a package
Format/Numbering Changes
- New standards as compared to sections in Draft Standard 1300 Draft 1
Other Major Changes
- Overall
  - Applicable entities with no critical cyber assets are exempt from CIP-003-1 through CIP-009-1.
  - Definitions revised.
  - Definition for Critical Cyber Asset revised.
  - Standards do not apply to nuclear facilities.
- CIP-002-1 Critical Cyber Assets (1302)
  - Reinforced relationship of critical assets to operations
  - Modified criteria for generation/generation control
  - Documentation/protection of all cyber assets within the ePerimeter
- CIP-003-1 Security Management Controls (1301)
  - Moved Change Management requirements from CIP-006-1 to this standard.
Other Major Changes
- CIP-004-1 Personnel and Training (1303)
  - "Background Screening" was changed to "Personnel Risk Assessment", based upon several comments, and to be more inclusive in application.
  - SSN verification was changed to "Identity Verification" to provide for legal variance between the laws in member entities' countries.
  - The wording "unrestricted access" was changed to "authorized access" throughout for consistency and clarity.
  - Access revocation and records change requirements under this section were changed throughout to "7 calendar days, and 24 hours for personnel terminated for cause" for flexibility and consistency.
  - We did not add drug screening to the requirements, despite several comments, due to the complexity and administrative issues associated with that area. Companies are free to pursue measures beyond the Standard, which seeks to set the baseline.
Other Major Changes (cont)
- CIP-005-1 Electronic Security (1304)
  - Clarified requirement for strong technical and procedural controls for access to the perimeter
  - Technical feasibility caveat added for banners
  - Fixed inconsistency in levels of non-compliance
- CIP-006-1 Physical Security (1305)
  - Requirements section was updated to more clearly define the physical security elements of the Security Plan.
  - Physical security perimeter requirement was clarified, removing references to assigned security levels and modifying the four-wall boundary concept.
  - Updated levels of non-compliance for consistency across all proposed NERC Cyber Security Standards.
  - CCTV monitoring control was modified to include the point of facility access as a monitoring point.
  - Manual logging control was modified to include remote verification as a means of ensuring completeness.
Other Major Changes (cont)
- CIP-007-1 Systems Security Management (1306)
  - Reference to "unattended facilities" was added, and a delineation of requirements between "attended" and "unattended" facilities was included in sub-sections where appropriate.
  - In draft one, for a few sub-sections, requirements were stated in the measures section. In draft two, this was cleared up and requirements were moved to the requirements section.
  - Risk-based assessment was added to the Security Patch Management section for determining patch applicability.
  - Review requirements were updated for consistency.
  - A statement was added to the Retention of System Logs section to indicate that the entity is responsible for determining its logging strategy.
  - Clarified various terms and concepts (e.g., potential vs. known vulnerabilities, end-user accounts, generic account policy).
Other Major Changes (cont)
- CIP-008-1 Incident Reporting and Response Planning (1307)
  - Combined the Incident and Security Incident definitions to create a new definition, Cyber Security Incident
  - Changed the title to Incident Reporting and Response Planning to better reflect the standard's scope
  - Updated the introduction paragraph to clarify the requirements of the standard
  - Updated the Cyber Security Incident Reporting requirement to reflect that the responsible entity is accountable for ensuring that the Electricity Sector Information Sharing and Analysis Center (ES ISAC) receives the cyber security incident report
  - If a cyber security incident occurs and is not reported to the ES ISAC, it will now result in level three non-compliance
  - Includes minor formatting changes to make the requirement, measurement, and non-compliance sections clearer.
Other Major Changes (cont)
- CIP-009-1 Recovery Plans (1308)
  - The third paragraph was moved to the FAQ, as it primarily explained the degree of recovery required in consideration of the expected impact and risk involved.
  - The requirement to 'post' a recovery contact list was stricken from the Standard. The drafting team agreed with several comments that posting a contact list is procedural and often unacceptable depending on the situation at that location.
  - Some grammar, structure and clarification changes were made in keeping with comments posted.
Transition from Standard 1200 to new Cyber Security Standards
- Drafting Team recognizes the impact of the changes.
- Implementation plan proposes to phase in new requirements.
- 1st draft of the implementation plan posted with draft 2
Proposed Development Schedule
- Tentative posting/review schedule for CIP-002-1 through CIP-009-1
Proposed Implementation Plan
Sample Compliance Schedule for Standards CIP-002-1 through CIP-009-1 (from Implementation Plan Draft 1)
- AC - Auditably Compliant means the entity meets the full intent of the requirement and can prove compliance to an auditor.
- SC - Substantially Compliant means an entity has begun the process to become compliant with a requirement, but is not yet Auditably Compliant.
Implementation Plan Draft 1 contains comparable tables for Draft Standards CIP-003-1 through CIP-009-1.
Questions???
- Contact info
  - Larry Bugh, ECAR
  - 330.580.8017
  - larryb_at_ecar.org
  - http://www.nerc.com/