Cyber Security Standard Workshop
Status of Draft Cyber Security Standards
Larry Bugh, ECAR, Standard Drafting Team Chair
January 2005

Agenda for This Session
- Status Update
- Format/Numbering Changes
- Other Major Changes
- Transition from Standard 1200 to new Cyber Security Standards
- Proposed Development Schedule
- Proposed Implementation Plan

Status Update
- Draft 1 of the standard and FAQ posted Sep. 15th for public comment
- Webcast conducted Oct. 18th
- Draft 2 of the standards and FAQ posted Jan. 17, 2005 for 30 days
- Draft 1 of the Proposed Implementation Plan posted Jan. 17, 2005 for 30 days
- Development Highlights posted


Format/Numbering Changes
- New numbering scheme for NERC Reliability Standards
- New format for NERC Reliability Standards: all requirements together, all measures together, etc.
- Option to keep 1300 as one standard or as separate standards; decided to separate by section
- One implementation plan
- Likely ballot as a package

Format/Numbering Changes
New standards as compared to sections in Draft Standard 1300 – Draft 1

Old Section #   Topic                                     New Std #
1301            Security Management Controls              CIP-003-1
1302            Critical Cyber Assets                     CIP-002-1
1303            Personnel and Training                    CIP-004-1
1304            Electronic Security                       CIP-005-1
1305            Physical Security                         CIP-006-1
1306            Systems Security Management               CIP-007-1
1307            Incident Reporting and Response Planning  CIP-008-1
1308            Recovery Plans                            CIP-009-1


Other Major Changes

Overall
- Applicable entities with no critical cyber assets are exempt from CIP-003-1 through CIP-009-1.
- Definitions revised; the definition of Critical Cyber Asset revised.
- Standards do not apply to nuclear facilities.

CIP-002-1 – Critical Cyber Assets (1302)
- Reinforced the relationship of critical assets to operations.
- Modified criteria for generation/generation control.
- Documentation/protection of all cyber assets within the electronic security perimeter.

CIP-003-1 – Security Management Controls (1301)
- Moved Change Management requirements from CIP-006-1 to this standard.

Other Major Changes

CIP-004-1 – Personnel and Training (1303)
- "Background Screening" was changed to "Personnel Risk Assessment", based upon several comments, and to be more inclusive in application.
- "SSN verification" was changed to "Identity Verification" to provide for legal variance between the laws in member entities' countries.
- The wording "unrestricted access" was changed to "authorized access" throughout for consistency and clarity.
- Access revocation and records change requirements under this section were changed throughout to "7 calendar days, and 24 hours for personnel terminated for cause" for flexibility and consistency.
- We did not add drug screening to the requirements, despite several comments, due to the complexity and administrative issues associated with that area. Companies are free to pursue measures beyond the Standard, which seeks to set the baseline.

Other Major Changes (con't)

CIP-005-1 – Electronic Security (1304)
- Clarified the requirement for strong technical and procedural controls for access to the perimeter.
- Technical feasibility caveat added for banners.
- Fixed inconsistency in levels of non-compliance.

CIP-006-1 – Physical Security (1305)
- Requirements section was updated to more clearly define the physical security elements of the Security Plan.
- Physical security perimeter requirement was clarified, removing references to assigned security levels and modifying the four-wall boundary concept.
- Updated levels of non-compliance for consistency across all proposed NERC Cyber Security Standards.
- CCTV monitoring control was modified to include the point of facility access as a monitoring point.
- Manual logging control was modified to include remote verification as a means of ensuring completeness.

Other Major Changes (con't)

CIP-007-1 – Systems Security Management (1306)
- Reference to "unattended facilities" was added, and a delineation of requirements between "attended" and "unattended" facilities was included in sub-sections where appropriate.
- In Draft 1, for a few sub-sections, requirements were stated in the measures section. In Draft 2 this was cleared up and the requirements were moved to the requirements section.
- Risk-based assessment was added to the Security Patch Management section for determining patch applicability.
- Review requirements were updated for consistency.
- A statement was added to the Retention of System Logs section to indicate that the entity is responsible for determining its logging strategy.
- Clarified various terms and concepts (e.g., potential vs. known vulnerabilities, end-user accounts, generic account policy).

Other Major Changes (con't)

CIP-008-1 – Incident Reporting and Response Planning (1307)
- Combined the Incident and Security Incident definitions to create a new definition: Cyber Security Incident.
- Changed the title to Incident Reporting and Response Planning to better reflect the standard's scope.
- Updated the introduction paragraph to clarify the requirements of the standard.
- Updated the Cyber Security Incident Reporting requirement to reflect that the responsible entity is accountable for ensuring that the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) receives the cyber security incident report.
- If a cyber security incident occurs and is not reported to the ES-ISAC, it will now result in level three non-compliance.
- Includes minor formatting changes to make the requirement, measurement, and non-compliance sections clearer.

Other Major Changes (con't)

CIP-009-1 – Recovery Plans (1308)
- The third paragraph was moved to the FAQ, as it primarily explained the degree of recovery required in consideration of the expected impact and risk involved.
- The requirement to "post" a recovery contact list was stricken from the Standard. The drafting team agreed with several comments that posting a contact list is procedural and often unacceptable depending on the situation at that location.
- Some grammar, structure, and clarification changes were made in keeping with comments posted.


Transition from Standard 1200 to the new Cyber Security Standards
- The Drafting Team recognizes the impact of the changes.
- The implementation plan proposes to phase in the new requirements.
- The 1st draft of the implementation plan was posted with Draft 2.


Proposed Development Schedule
Tentative posting/review schedule for CIP-002-1 through CIP-009-1:
- Jan 17 – Feb 17: Post Draft 2 for a 30-day comment period (abbreviated period).
- Feb 2: Conduct a Webcast for the Registered Ballot Body.
- Feb 18 – March 15: Resolve comments on Draft 2 and prepare Draft 3.
- March 15 – April 30: Post Draft 3 for a 45-day comment period.
- May 1 – May 31: Resolve comments on Draft 3 and prepare the final draft.
- June 1 – June 30: Post the final draft for a 30-day review prior to ballot.
- July 1 – July 31: Hold two rounds of balloting (includes time to respond to first-round ballots cast with negative comments).
- August 1 – 31: Post for 30 days prior to BOT adoption into the compliance program (assuming a positive vote by the ballot pool).


Proposed Implementation Plan
Sample Compliance Schedule for Standards CIP-002-1 through CIP-009-1 (from Implementation Plan – Draft 1)

Sample table: Standard CIP-004-1 – Personnel & Training, applicable to BA & RC
  Columns: Requirement | Control Center | Other Facilities
  Milestones: 1st Qtr 2006 | 1st Qtr 2007 | 2008 & Beyond
  Rows: R1, R2, R3, R4, each marked AC or SC at a given milestone

AC – Auditably Compliant: the entity meets the full intent of the requirement and can prove compliance to an auditor.
SC – Substantially Compliant: the entity has begun the process to become compliant with a requirement but is not yet Auditably Compliant.

Implementation Plan – Draft 1 contains comparable tables for Draft Standards CIP-003-1 through CIP-009-1.

Questions?
http://www.nerc.com/
Contact info: Larry Bugh – ECAR, 330.580.8017, larryb@ecar.org