CIP-007-5 Cyber Security Systems Security Management

Upload by : Callan Shouse
Transcription

CIP-007-5 — Cyber Security – Systems Security Management

A. Introduction

1. Title: Cyber Security — System Security Management

2. Number: CIP-007-5

3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

4. Applicability:

4.1. Functional Entities: For the purpose of the requirements contained herein, the following list of functional entities will be collectively referred to as “Responsible Entities.” For requirements in this standard where a specific functional entity or subset of functional entities are the applicable entity or entities, the functional entity or entities are specified explicitly.

4.1.1 Balancing Authority
4.1.2 Distribution Provider that owns one or more of the following Facilities, systems, and equipment for the protection or restoration of the BES:
4.1.2.1 Each underfrequency Load shedding (UFLS) or undervoltage Load shedding (UVLS) system that:
4.1.2.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.1.2.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.1.2.2 Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.1.2.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.1.2.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
4.1.3 Generator Operator
4.1.4 Generator Owner
4.1.5 Interchange Coordinator or Interchange Authority
4.1.6 Reliability Coordinator

4.1.7 Transmission Operator
4.1.8 Transmission Owner

4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.

4.2.1 Distribution Provider: One or more of the following Facilities, systems and equipment owned by the Distribution Provider for the protection or restoration of the BES:
4.2.1.1 Each UFLS or UVLS System that:
4.2.1.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.2.1.2 Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
4.2.2 Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.
4.2.3 Exemptions: The following are exempt from Standard CIP-007-5:
4.2.3.1 Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.3.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
4.2.3.3 The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.

4.2.3.4 For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.
4.2.3.5 Responsible Entities that identify that they have no BES Cyber Systems categorized as high impact or medium impact according to the CIP-002-5 identification and categorization processes.

5. Effective Dates:

1. 24 Months Minimum – CIP-007-5 shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.

2. In those jurisdictions where no regulatory approval is required, CIP-007-5 shall become effective on the first day of the ninth calendar quarter following Board of Trustees’ approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

6. Background:

Standard CIP-007-5 exists as part of a suite of CIP Standards related to cyber security. CIP-002-5 requires the initial identification and categorization of BES Cyber Systems. CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 require a minimum level of organizational, operational and procedural controls to mitigate risk to BES Cyber Systems. This suite of CIP Standards is referred to as the Version 5 CIP Cyber Security Standards.

Most requirements open with, “Each Responsible Entity shall implement one or more documented [processes, plan, etc] that include the applicable items in [Table Reference].” The referenced table requires the applicable items in the procedures for the requirement’s common subject matter.

The SDT has incorporated within this standard a recognition that certain requirements should not focus on individual instances of failure as a sole basis for violating the standard. In particular, the SDT has incorporated an approach to empower and enable the industry to identify, assess, and correct deficiencies in the implementation of certain requirements. The intent is to change the basis of a violation in those requirements so that they are not focused on whether there is a deficiency, but on identifying, assessing, and correcting deficiencies. It is presented in those requirements by modifying “implement” as follows:

Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, . . .

The term documented processes refers to a set of required instructions specific to the Responsible Entity and to achieve a specific outcome. This term does not imply any particular naming or approval structure beyond what is stated in the requirements. An entity should include as much as it believes necessary in their documented processes, but they must address the applicable requirements in the table. The documented processes themselves are not required to include the “. . . identifies, assesses, and corrects deficiencies, . . .” elements described in the preceding paragraph, as those aspects are related to the manner of implementation of the documented processes and could be accomplished through other controls or compliance management activities.

The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.

Similarly, the term program may refer to the organization’s overall implementation of its policies, plans and procedures involving a subject matter. Examples in the standards include the personnel risk assessment program and the personnel training program. The full implementation of the CIP Cyber Security Standards could also be referred to as a program. However, the terms program and plan do not imply any additional requirements beyond what is stated in the standards.

Responsible Entities can implement common controls that meet requirements for multiple high and medium impact BES Cyber Systems. For example, a single training program could meet the requirements for training personnel across multiple BES Cyber Systems.

Measures for the initial requirement are simply the documented processes themselves. Measures in the table rows provide examples of evidence to show documentation and implementation of applicable items in the documented processes. These measures serve to provide guidance to entities in acceptable records of compliance and should not be viewed as an all-inclusive list.

Throughout the standards, unless otherwise stated, bulleted items in the requirements and measures are items that are linked with an “or,” and numbered items are items that are linked with an “and.”

Many references in the Applicability section use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS, which are last ditch efforts to save the Bulk Electric System. A review of UFLS tolerances defined within regional reliability standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances.

“Applicable Systems” Columns in Tables:

Each table has an “Applicable Systems” column to further define the scope of systems to which a specific requirement row applies. The CSO706 SDT adapted this concept from the National Institute of Standards and Technology (“NIST”) Risk Management Framework as a way of applying requirements more appropriately based on impact and connectivity characteristics. The following conventions are used in the “Applicable Systems” column as described.

• High Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as high impact according to the CIP-002-5 identification and categorization processes.
• Medium Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as medium impact according to the CIP-002-5 identification and categorization processes.
• Medium Impact BES Cyber Systems at Control Centers – Only applies to medium impact BES Cyber Systems located at a Control Center.
• Medium Impact BES Cyber Systems with External Routable Connectivity – Only applies to medium impact BES Cyber Systems with External Routable Connectivity. This also excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity.
• Electronic Access Control or Monitoring Systems (EACMS) – Applies to each Electronic Access Control or Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System in the applicability column. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems.
• Physical Access Control Systems (PACS) – Applies to each Physical Access Control System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.
• Protected Cyber Assets (PCA) – Applies to each Protected Cyber Asset associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.

B. Requirements and Measures

R1. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R1 – Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations.]

M1. Evidence must include the documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R1 – Ports and Services and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-007-5 Table R1 – Ports and Services

Part 1.1

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

Measures:
Examples of evidence may include, but are not limited to:
• Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.
• Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or
• Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others.

Part 1.2

Applicable Systems:
High Impact BES Cyber Systems
Medium Impact BES Cyber Systems at Control Centers

Requirements:
Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media.

Measures:
An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.
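Added example (not part of the standard): one way to turn the Part 1.1 evidence into a repeatable check is to parse a listening-port listing and compare it with the documented-need list, including port ranges and the "no provision for disabling" case. The netstat sample, the baseline entries and their justifications are constructed, and treating loopback-only listeners as not network accessible is an assumption of this example.

```python
import ipaddress

# Constructed sample: `netstat -tuln` style output from a hypothetical Linux Cyber Asset.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Hypothetical documented-need list: (protocol, port or inclusive (low, high) range, need).
BASELINE = [
    ("tcp", 22, "SSH for administrator access"),
    ("tcp", 20000, "DNP3 polling from the control center"),
    ("tcp", (49152, 49160), "vendor application dynamic port range"),
    ("udp", 123, "NTP time synchronization"),
    ("tcp", 443, "HTTPS management interface"),
]


def parse_listeners(netstat_text):
    """Return {(proto, local_address, port)} for listening TCP and bound UDP sockets."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers and anything that is not a socket row
        proto = fields[0][:3]  # fold tcp6/udp6 into tcp/udp
        if proto == "tcp" and fields[-1] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.add((proto, address, int(port)))
    return listeners


def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # e.g. "*": treat as reachable from the network
        return False


def covers(spec, port):
    """A baseline entry is a single port or an inclusive (low, high) range."""
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def audit_ports(listeners, baseline, can_restrict_ports=True):
    """Classify listeners against the documented-need list.

    can_restrict_ports=False models a device with no provision for disabling or
    restricting logical ports: its open ports are recorded as deemed needed.
    """
    network = {(p, port) for p, addr, port in listeners if not is_loopback(addr)}
    # Assumption of this example: loopback-only sockets are not network accessible.
    local = {(p, port) for p, addr, port in listeners if is_loopback(addr)} - network
    report = {"documented": [], "undocumented": [], "deemed_needed": [],
              "local_only": sorted(local), "baseline_not_listening": []}
    matched = set()
    for proto, port in sorted(network):
        hits = [i for i, (p, spec, _need) in enumerate(baseline)
                if p == proto and covers(spec, port)]
        if hits:
            matched.update(hits)
            report["documented"].append((proto, port))
        elif can_restrict_ports:
            report["undocumented"].append((proto, port))
        else:
            report["deemed_needed"].append((proto, port))
    # Documented entries with no listener are candidates for removal from the list.
    report["baseline_not_listening"] = [
        (p, spec) for i, (p, spec, _need) in enumerate(baseline) if i not in matched]
    return report


if __name__ == "__main__":
    for key, value in audit_ports(parse_listeners(SAMPLE_NETSTAT), BASELINE).items():
        print(f"{key}: {value}")
```

Entries under "undocumented" need either a documented need or to be disabled; the dated report itself can be kept with the listing as evidence.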

R2. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M2. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-007-5 Table R2 – Security Patch Management

Part 2.1

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

Measures:
An example of evidence may include, but is not limited to, documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis.

Part 2.2

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.

Measures:
An example of evidence may include, but is not limited to, an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days.

Part 2.3

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
• Apply the applicable patches; or
• Create a dated mitigation plan; or
• Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

Measures:
Examples of evidence may include, but are not limited to:
• Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or
• A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.

Part 2.4

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.

Measures:
An example of evidence may include, but is not limited to, records of implementation of mitigations.

R3. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations].

M3. Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-007-5 Table R3 – Malicious Code Prevention

Part 3.1

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Deploy method(s) to deter, detect, or prevent malicious code.

Measures:
An example of evidence may include, but is not limited to, records of the Responsible Entity’s performance of these processes (e.g., through traditional antivirus, system hardening, policies, etc.).

Part 3.2

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Mitigate the threat of detected malicious code.

Measures:
Examples of evidence may include, but are not limited to:
• Records of response processes for malicious code detection
• Records of the performance of these processes when malicious code is detected.

Part 3.3

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.

Measures:
An example of evidence may include, but is not limited to, documentation showing the process used for the update of signatures or patterns.

R4. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment.]

M4. Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-007-5 Table R4 – Security Event Monitoring

Part 4.1

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.

Measures:
Examples of evidence may include, but are not limited to, a paper or system generated listing of event types for which the BES Cyber System is capable of detecting and, for generated events, is configured to log. This listing must include the required types of events.

Part 4.2

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.

Measures:
Examples of evidence may include, but are not limited to, paper or system generated listing of security events that the Responsible Entity determined necessitate alerts, including paper or system generated list showing how alerts are configured.

Part 4.3

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems at Control Centers and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.

Measures:
Examples of evidence may include, but are not limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.

Part 4.4

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS; and
2. PCA

Requirements:
Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.

Measures:
Examples of evidence may include, but are not limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.

R5. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R5 – System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M5. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table 5 – System Access Controls and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-007-5 Table R5 – System Access Control

Part 5.1

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems at Control Centers and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Have a method(s) to enforce authentication of interactive user access, where technically feasible.

Measures:
An example of evidence may include, but is not limited to, documentation describing how access is authenticated.

Part 5.2

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).

Measures:
An example of evidence may include, but is not limited to, a listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System.

Part 5.3

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Identify individuals who have authorized access to shared accounts.

Measures:
An example of evidence may include, but is not limited to, listing of shared accounts and the individuals who have authorized access to each shared account.

Part 5.4

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Change known default passwords, per Cyber Asset capability

Measures:
Examples of evidence may include, but are not limited to:
• Records of a procedure that passwords are changed when new devices are in production; or
• Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.

Part 5.5

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

Measures:
Examples of evidence may include, but are not limited to:
• System-generated reports or screen-shots of the system-enforced password parameters, including length and complexity; or
• Attestations that include a reference to the documented procedures that were followed.
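Added example (not part of the standard): the "lesser of" wording in Parts 5.5.1 and 5.5.2 means the required minimums depend on what each Cyber Asset can accept, which this sketch computes and then applies to an enforced policy and to a candidate password. The Capability record, the two sample assets and the sample passwords are hypothetical and constructed for illustration.

```python
import string
from dataclasses import dataclass

# The four character types Part 5.5.2 gives as examples.
ALL_TYPES = frozenset({"uppercase", "lowercase", "numeric", "non-alphanumeric"})


@dataclass(frozen=True)
class Capability:
    """What a Cyber Asset can technically accept (hypothetical record layout)."""
    max_length: int
    supported_types: frozenset = ALL_TYPES


# Constructed samples: a server with no practical limits and a relay with a 6-digit PIN.
SERVER = Capability(max_length=127)
RELAY = Capability(max_length=6, supported_types=frozenset({"numeric"}))


def required_parameters(cap):
    """Return (minimum length, minimum number of character types) for this asset.

    5.5.1: lesser of eight characters or the maximum length supported.
    5.5.2: lesser of three character types or the maximum complexity supported.
    """
    return min(8, cap.max_length), min(3, len(cap.supported_types))


def types_used(password):
    """Classify each character into one of the four types listed in Part 5.5.2."""
    used = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            used.add("uppercase")
        elif ch in string.ascii_lowercase:
            used.add("lowercase")
        elif ch in string.digits:
            used.add("numeric")
        else:
            used.add("non-alphanumeric")
    return used


def audit_policy(cap, enforced_min_length, enforced_min_types):
    """Compare the settings a Cyber Asset enforces with its Part 5.5 minimums."""
    need_len, need_types = required_parameters(cap)
    findings = []
    if enforced_min_length < need_len:
        findings.append(f"length: enforces {enforced_min_length}, needs {need_len}")
    if enforced_min_types < need_types:
        findings.append(
            f"complexity: enforces {enforced_min_types} types, needs {need_types}")
    return findings


def check_password(password, cap):
    """Procedural check of one candidate password against the same minimums."""
    need_len, need_types = required_parameters(cap)
    used = types_used(password)
    problems = []
    if len(password) > cap.max_length:
        problems.append("unsupported: longer than the asset accepts")
    if used - cap.supported_types:
        problems.append("unsupported: character type the asset does not accept")
    if len(password) < need_len:
        problems.append(f"length: {len(password)} characters, needs {need_len}")
    if len(used) < need_types:
        problems.append(f"complexity: {len(used)} types, needs {need_types}")
    return problems


if __name__ == "__main__":
    print("server minimums:", required_parameters(SERVER))
    print("relay minimums:", required_parameters(RELAY))
    print("server policy 8/2:", audit_policy(SERVER, 8, 2))
    print("relay PIN '4829':", check_password("4829", RELAY))
```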

Part 5.6

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.

Measures:
Examples of evidence may include, but are not limited to:
• System-generated reports or screen-shots of the system-enforced periodicity of changing passwords; or
• Attestations that include a reference to the documented procedures that were followed.

Part 5.7

Applicable Systems:
High Impact BES Cyber Systems and their associated:
1. EACMS;
2. PACS; and
3. PCA
Medium Impact BES Cyber Systems at Control Centers and their associated:
1. EACMS;
2. PACS; and
3. PCA

Requirements:
Where technically feasible, either:
• Limit the number of unsuccessful authentication attempts; or
• Generate alerts after a threshold of unsuccessful authentication attempts.

Measures:
Examples of evidence may include, but are not limited to:
• Documentation of the account lockout parameters; or
• Rules in the alerting configuration showing how the system notified individuals after a deter
