CIP-003-7 - Cyber Security — Security Management Controls


A. Introduction

1. Title: Cyber Security — Security Management Controls

2. Number: CIP-003-7

3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

4. Applicability:

4.1. Functional Entities: For the purpose of the requirements contained herein, the following list of functional entities will be collectively referred to as “Responsible Entities.” For requirements in this standard where a specific functional entity or subset of functional entities are the applicable entity or entities, the functional entity or entities are specified explicitly.

4.1.1. Balancing Authority

4.1.2. Distribution Provider that owns one or more of the following Facilities, systems, and equipment for the protection or restoration of the BES:

4.1.2.1. Each underfrequency Load shedding (UFLS) or undervoltage Load shedding (UVLS) system that:

4.1.2.1.1. is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and

4.1.2.1.2. performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.

4.1.2.2. Each Special Protection System (SPS) or Remedial Action Scheme (RAS) where the SPS or RAS is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.1.2.3. Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.1.2.4. Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

4.1.3. Generator Operator

4.1.4. Generator Owner

4.1.5. Interchange Coordinator or Interchange Authority

4.1.6. Reliability Coordinator

Page 1 of 57

4.1.7. Transmission Operator

4.1.8. Transmission Owner

4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in Section 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.

4.2.1. Distribution Provider: One or more of the following Facilities, systems and equipment owned by the Distribution Provider for the protection or restoration of the BES:

4.2.1.1. Each UFLS or UVLS System that:

4.2.1.1.1. is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and

4.2.1.1.2. performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.

4.2.1.2. Each SPS or RAS where the SPS or RAS is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.2.1.3. Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.2.1.4. Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.

4.2.3. Exemptions: The following are exempt from Standard CIP-003-7:

4.2.3.1. Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.

4.2.3.2. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters (ESPs).

4.2.3.3. The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.

4.2.3.4. For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.

5. Effective Dates: See Implementation Plan for CIP-003-7.

6. Background: Standard CIP-003 exists as part of a suite of CIP Standards related to cyber security, which require the initial identification and categorization of BES Cyber Systems and require organizational, operational, and procedural controls to mitigate risk to BES Cyber Systems.

The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities’ management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems. The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.

The term documented processes refers to a set of required instructions specific to the Responsible Entity and to achieve a specific outcome. This term does not imply any naming or approval structure beyond what is stated in the requirements. An entity should include as much as it believes necessary in its documented processes, but it must address the applicable requirements.

The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.

Similarly, the term program may refer to the organization’s overall implementation of its policies, plans, and procedures involving a subject matter. Examples in the standards include the personnel risk assessment program and the personnel training program. The full implementation of the CIP Cyber Security Reliability Standards could also be referred to as a program. However, the terms program and plan do not imply any additional requirements beyond what is stated in the standards.

Responsible Entities can implement common controls that meet requirements for multiple high, medium, and low impact BES Cyber Systems. For example, a single cyber security awareness program could meet the requirements across multiple BES Cyber Systems.

Measures provide examples of evidence to show documentation and implementation of the requirement. These measures serve to provide guidance to entities in acceptable records of compliance and should not be viewed as an all-inclusive list.

Throughout the standards, unless otherwise stated, bulleted items in the requirements and measures are items that are linked with an “or,” and numbered items are items that are linked with an “and.”

Many references in the Applicability section use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS, which are last ditch efforts to save the BES. A review of UFLS tolerances defined within Regional Reliability Standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances.

B. Requirements and Measures

R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

1.1. For its high impact and medium impact BES Cyber Systems, if any:

1.1.1. Personnel and training (CIP-004);
1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
1.1.3. Physical security of BES Cyber Systems (CIP-006);
1.1.4. System security management (CIP-007);
1.1.5. Incident reporting and response planning (CIP-008);
1.1.6. Recovery plans for BES Cyber Systems (CIP-009);
1.1.7. Configuration change management and vulnerability assessments (CIP-010);
1.1.8. Information protection (CIP-011); and
1.1.9. Declaring and responding to CIP Exceptional Circumstances.

1.2. For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:

1.2.1. Cyber security awareness;
1.2.2. Physical security controls;
1.2.3. Electronic access controls;
1.2.4. Cyber Security Incident response;
1.2.5. Transient Cyber Assets and Removable Media malicious code risk mitigation; and
1.2.6. Declaring and responding to CIP Exceptional Circumstances.

M1. Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.

R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.

M2. Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2.

R3. Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M3. An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.

R4. The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M4. An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.

C. Compliance

1. Compliance Monitoring Process

1.1. Compliance Enforcement Authority: As defined in the NERC Rules of Procedure, “Compliance Enforcement Authority” (CEA) means NERC or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.

1.2. Evidence Retention: The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit.

The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation:

• Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years.
• If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the time specified above, whichever is longer.
• The CEA shall keep the last audit records and all requested and submitted subsequent audit records.

1.3. Compliance Monitoring and Assessment Processes:

• Compliance Audits
• Self-Certifications
• Spot Checking
• Compliance Investigations
• Self-Reporting
• Complaints

1.4. Additional Compliance Information: None.

2. Table of Compliance Elements

R#: R1
Time Horizon: Operations Planning
VRF: Medium

Violation Severity Levels (CIP-003-7)

Lower VSL:

The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address one of the nine topics required by R1. (R1.1)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 15 calendar months but did complete this review in less than or equal to 16 calendar months of the previous review. (R1.1)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 15 calendar months but did complete this approval in less than or equal to 16 calendar months of the previous approval. (R1.1)

OR

The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address one of the six topics required by R1. (R1.2)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 within 15 calendar months but did complete this review in less than or equal to 16 calendar months of the previous review. (R1.2)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 15 calendar months but did complete this approval in less than or equal to 16 calendar months of

Moderate VSL:

The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address two of the nine topics required by R1. (R1.1)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 16 calendar months but did complete this review in less than or equal to 17 calendar months of the previous review. (R1.1)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 16 calendar months but did complete this approval in less than or equal to 17 calendar months of the previous approval. (R1.1)

OR

The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address two of the six topics required by R1. (R1.2)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 within 16 calendar months but did complete this review in less than or equal to 17 calendar months of the previous review. (R1.2)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 16 calendar months but did complete this approval in less than or equal to 17

High VSL:

The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address three of the nine topics required by R1. (R1.1)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 17 calendar months but did complete this review in less than or equal to 18 calendar months of the previous review. (R1.1)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 17 calendar months but did complete this approval in less than or equal to 18 calendar months of the previous approval. (R1)

OR

The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address three of the six topics required by R1. (R1.2)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by R1 within 17 calendar months but did complete this review in less than or equal to 18 calendar months of the previous review. (R1.2)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 17 calendar months but did complete this approva

Severe VSL:

The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address four or more of the nine topics required by R1. (R1.1)

OR

The Responsible Entity did not have any documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1. (R1.1)

OR

The Responsible Entity did not complete its review of the one or more documented cyber security policies as required by R1 within 18 calendar months of the previous review. (R1)

OR

The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 18 calendar months of the previous approval. (R1.1)

OR

The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address four or more of the six topics required by R1. (R1.2)

OR

The Responsible Entity did not have any documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by R1. (R1.2)

OR
