D20MX NERC-CIP Response. Table columns in the transcription below: Standard | Req # | Requirement | D20MX Security Mechanisms | D20ME II and Predecessors Security Mechanisms


GE Digital Energy
D20MX - NERC-CIP Response
Product Bulletin
Date: May 6th, 2013
Classification: GE Information

NERC Critical Infrastructure Protection Response

Overview

The purpose of this document is to answer commonly asked questions pertaining to the security features supported by the D20MX Substation Gateway relative to the legacy D20. Users of GE Multilin D20 equipment may require this information for the purposes of assessment and implementation of NERC-CIP processes.

Standard: CIP Sabotage Reporting
  Req #: All

Standard: CIP Critical Cyber Asset Identification
  Req #: All

Standard: CIP Security Management Controls

  R1 Cyber Security Policy
    Requirement: The Responsible Entity shall document and implement a cyber-security policy that represents management's commitment and ability to secure its Critical Cyber Assets.

  R2 Leadership
    Requirement: The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of, and adherence to, Standards CIP through CIP.

  R3 Exceptions
    Requirement: Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).

  R4 Information Protection
    Requirement: The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
    D20MX: Users can be assigned one of four roles with increasing levels of access to information and control through RADIUS or local to the D20MX. The RADIUS server can also be configured to grant access based on a D20MX device's IP address. A one-time local password solution is also possible using the Cyber-Ark Privileged Identity Management Suite, which can be purchased from Cyber-Ark.

General Electric Company. All rights reserved. * Trademarks of General Electric Company. PRBT-0305 V1.00 R2

Standard: CIP Security Management Controls (continued)

  R5 Access Control
    Requirement: The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
    D20MX: Users can be assigned one of four roles with increasing levels of access to information and control through RADIUS. The RADIUS server can also be configured to grant access based on a D20MX device's IP address. A one-time local password solution is also possible using the Cyber-Ark Privileged Identity Management Suite, which can be purchased from Cyber-Ark.

  R6 Change Control and Configuration Management
    Requirement: The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
    D20MX: User account additions/deletions and password changes are logged in the D20MX's user activity log. The D20MX can also log these events to redundant syslog servers.

Standard: CIP Personnel & Training

  R1-R3 Awareness, Training and Personnel Risk Assessment

  R4 Access
    Requirement: The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
    D20MX: A RADIUS Server or the Cyber-Ark Privileged Identity Management Suite, which the D20MX supports, provides reporting on the individuals authorized for access to the D20MX.

  R4.2
    Requirement: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
    D20MX: A RADIUS Server or the Cyber-Ark Privileged Identity Management Suite, which the D20MX supports, provides a centralized administration point where users can be revoked quickly and easily.

Standard: CIP Electronic Security Perimeter

  R1.2
    Requirement: For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
    D20MX: The D20MX's password and user authentication in conjunction with dialback modems provides strong authentication security for this type of access. Remote file transfer can be secured with SFTP and RADIUS Server authentication. The RADIUS server can be configured with two factor authentication services such as RSA Secure ID.
    D20ME II and predecessors: The implementation here is less secure in comparison to what the D20MX provides. Remote file transfer is not secure since SFTP and RADIUS server authentication are not supported in these legacy devices.

  R1.3
    Requirement: Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).

Standard: CIP Electronic Security Perimeter (continued)

  R2.1
    Requirement: These processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified.
    D20MX: The D20MX will only allow users who have been granted explicit permissions to access the system.
    D20ME II and predecessors: There are in-built supervisory permissions in older firmware. However, firmware with B014-1 v5.00 or greater does not have hard-coded login credentials. B014-1 is the Wesmaint II+ application.

  R2.2
    Requirement: At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.
    D20MX: The D20MX will only enable the ports and services configured.
    D20ME II and predecessors: Extensive testing has shown that some LAN-based systems may be accessible through port(s) that haven't been configured.

  R2.3
    Requirement: The Responsible Entity shall maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s).

  R2.4
    Requirement: Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
    D20MX: The D20MX's password and user authentication in conjunction with dialback modems secures this type of access. Remote file transfer can be secured with SFTP and RADIUS Server authentication. The RADIUS server can be configured with two factor authentication services such as RSA Secure ID.
    D20ME II and predecessors: The implementation here is less secure in comparison to what the D20MX provides. Remote file transfer is not secure since SFTP and RADIUS Server authentication are not supported in these legacy devices.

  R2.6 Appropriate Use Banner
    Requirement: Where technically feasible, electronic access control devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner.
    D20MX: The D20MX displays a configurable appropriate use banner to a user at the WESMAINT II+ login screen.
    D20ME II and predecessors: A configurable appropriate use banner is presented at the WESMAINT II+ login screen.

  R3 Monitoring Electronic Access
    Requirement: The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
    D20MX: Successful and unsuccessful login attempts are logged in the D20MX's user activity log. The D20MX can also log these events to redundant syslog servers.
    D20ME II and predecessors: Information regarding successful/unsuccessful login attempts is not available.

  R3.1
    Requirement: For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.
    D20MX: The D20MX logs all successful and unsuccessful login attempts for Wesmaint II+ access over dial-up modem. The D20MX can also log these events to redundant syslog servers.
    D20ME II and predecessors: Information regarding successful/unsuccessful login attempts is not available.

Standard: CIP Electronic Security Perimeter (continued)

  R3.2
    Requirement: Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
    D20MX: Successful and unsuccessful login attempts are logged in the D20MX's user activity log. The D20MX can also log these events to redundant syslog servers.
    D20ME II and predecessors: Information regarding successful/unsuccessful logins is not available.

  R4.2
    Requirement: A review to verify that only ports and services required for operations at these access points are enabled.
    D20MX: The D20MX will only enable the ports and services configured.
    D20ME II and predecessors: Extensive testing has shown that some LAN-based systems may be accessible through port(s) that haven't been configured.

  R5.3
    Requirement: The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008.
    D20MX: The D20MX is capable of reporting events to redundant syslog servers where logs can be retained in excess of ninety days. The D20MX can also be configured to archive in local storage enough records for normal account activity over a period of 90 days (i.e. 10,000 records).

Standard: CIP Physical Security
  Req #: All
  D20MX: Not applicable to D20MX.

Standard: CIP Systems Security Management

  R1 Test Procedures
    Requirement: The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-3, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database, or other third-party software or firmware.

  R2.1 Ports and Services
    Requirement: The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
    D20MX: The D20MX will only enable the ports and services configured.
    D20ME II and predecessors: Extensive testing has shown that some LAN-based systems may be accessible through port(s) that haven't been configured.

Standard: CIP Systems Security Management (continued)

  R3 Security Patch Management
    Requirement: The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
    D20MX: GE Multilin implements a continuous Vulnerability Scanning and Management program tailored for the D20MX. Our scanning tools are continuously updated for the latest vulnerabilities and issues and run against our devices. GE Multilin maintains a registered users list for Cyber Security notifications. The process is set up to send notifications to registered users in the event that a critical vulnerability is identified.

  R4 Malicious Software Prevention
    Requirement: The Responsible Entity shall use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
    D20MX: Design of the D20MX substation gateway is based on an embedded computing platform rather than a generic computing platform. The D20MX is designed to not load software or execute arbitrary third party programs as required by conventional means of malware/virus transmission (e.g. USB drives, and freeware). It is not currently technically feasible to provide any type of anti-malware or anti-virus software for it at this time.
    D20ME II and predecessors: Similar design methodology as the D20MX.

  R5 Account Management
    Requirement: The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
    D20MX: A RADIUS Server or the Cyber-Ark Privileged Identity Management Suite, which the D20MX supports, can be used to enforce access authentication and accountability.

  R5.1.2
    Requirement: The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
    D20MX: The D20MX supports logging of sufficient detail to create an historical audit trail. The D20MX is capable of reporting events to redundant syslog servers where logs can be retained in excess of ninety days. The D20MX can also be configured to archive in local storage enough records for normal account activity over a period of 90 days (i.e. 10,000 records).

Standard: CIP Systems Security Management (continued)

  R5.1.3
    Requirement: The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP Requirement R5 and Standard CIP Requirement R4.
    D20MX: The D20MX supports four user roles which can be assigned in the RADIUS server: Observer, Operator, Engineer and Administrator. Observer can only monitor the system. Operator can do everything an Observer can, and perform operational commands such as controls. Engineer can do everything an Operator can, and change the SCADA configuration. Administrator can do everything an Engineer can, and change passwords. RADIUS servers allow access control granularity based on the specific D20MXs a user can access.

  R5.2
    Requirement: The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
    D20MX: By default the D20MX comes with one default account to allow for setup of the D20MX. The username for this account is admin. The Responsible Entity is advised to change the password and optionally the username of the admin account as soon as possible.
    D20ME II and predecessors: There are in-built supervisory permissions in older firmware. All firmware with B014-1 v5.00 or greater does not have hard-coded login credentials. B014-1 is the Wesmaint II+ application.

  R5.2.1
    Requirement: The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
    D20MX: As for R5.2.
    D20ME II and predecessors: As for R5.2.

  R5.2.3
    Requirement: Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
    D20MX: The D20MX keeps a user audit trail called the user activity log containing user logins (successful or unsuccessful), creation or deletion of user accounts through the offline configuration tool, and password changes. Automated account management packages, such as Cyber-Ark Privileged Identity Management Suite, can be used to change the password in the event of personnel changes, or to change the password after each use.
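The role hierarchy and per-device RADIUS granularity described under R5.1.3, the deny-by-default model of CIP-005 R2.1 and the central revocation point mentioned under CIP-004 R4.2 can be captured in one small authorization check. The Python below is an added illustration, not code from GE or from the D20MX: the permission names, the sample users, the device IP addresses and the shape of the assignment table are constructed assumptions, because the bulletin does not say how RADIUS attributes are represented on the device.

```python
"""Deny-by-default, role-based authorization modelled on the four D20MX
roles the bulletin lists (Observer < Operator < Engineer < Administrator).

Added example, not GE code. Permission names, users, device addresses and
the assignment-table layout are constructed stand-ins for what a RADIUS
server would hold.
"""

# Each role adds capabilities on top of the previous one, as described:
# Observer monitors; Operator also issues controls; Engineer also changes
# SCADA configuration; Administrator also changes passwords.
ROLE_ORDER = ("Observer", "Operator", "Engineer", "Administrator")
ROLE_ADDS = {
    "Observer": {"monitor"},
    "Operator": {"control"},
    "Engineer": {"change_scada_config"},
    "Administrator": {"change_passwords"},
}


def effective_permissions(role):
    """Cumulative permission set for a role; unknown roles get nothing."""
    if role not in ROLE_ORDER:
        return frozenset()
    perms = set()
    for r in ROLE_ORDER[: ROLE_ORDER.index(role) + 1]:
        perms |= ROLE_ADDS[r]
    return frozenset(perms)


# Constructed sample of what a central RADIUS server might return per user:
# the assigned role and the D20MX devices (by IP address) the user may reach.
SAMPLE_ASSIGNMENTS = {
    "jsmith": {"role": "Operator", "devices": {"192.0.2.21", "192.0.2.22"}},
    "akhan": {"role": "Administrator", "devices": {"192.0.2.21"}},
    "intern": {"role": "Auditor", "devices": {"192.0.2.21"}},  # undefined role
}


def authorize(user, device_ip, action, assignments=SAMPLE_ASSIGNMENTS):
    """Return True only when every check passes; anything unknown is denied.

    Mirrors CIP-005 R2.1 (deny by default) and the per-device granularity
    the bulletin attributes to RADIUS: the user must be known, must be
    assigned to this specific D20MX, and the role must carry the action.
    """
    entry = assignments.get(user)
    if entry is None:
        return False  # unknown user: no implicit access
    if device_ip not in entry.get("devices", ()):
        return False  # not authorized on this particular device
    return action in effective_permissions(entry.get("role"))


def revoke(user, assignments):
    """Central revocation (CIP-004 R4.2): dropping the entry denies the user
    on every device at once, because authorize() denies unknown users."""
    return assignments.pop(user, None) is not None


if __name__ == "__main__":
    for user, ip, action in [
        ("jsmith", "192.0.2.21", "control"),
        ("jsmith", "192.0.2.21", "change_scada_config"),
        ("jsmith", "192.0.2.99", "monitor"),
        ("akhan", "192.0.2.21", "change_passwords"),
        ("intern", "192.0.2.21", "monitor"),
        ("nobody", "192.0.2.21", "monitor"),
    ]:
        print(f"{user:7} {ip:12} {action:20} -> {authorize(user, ip, action)}")
```

Every failure path returns False without distinguishing "no such user" from "wrong device" or "insufficient role", which is the property R2.1 asks for: nothing is reachable unless explicitly granted, and a single deletion at the RADIUS server closes access everywhere.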

Standard: CIP Systems Security Management (continued)

  R5.3
    Requirement: At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible:
      R5.3.1 Each password shall be a minimum of six characters.
      R5.3.2 Each password shall consist of a combination of alpha, numeric, and special characters.
      R5.3.3 Each password shall be changed at least annually, or more frequently based on risk.
    D20MX: The D20MX enforces the following rules for local password changes:
      - Passwords cannot contain the user's account name or parts of the user's account name that exceed two consecutive characters.
      - Passwords must be at least six characters in length.
      - Passwords must contain characters from three of the following four categories:
        o English uppercase characters (A through Z).
        o English lowercase characters (a through z).
        o Base 10 digits (0 through 9).
        o Non-alphabetic characters (for example, !, $, #, %).
      Therefore, R5.3.1 and R5.3.2 are enforced locally. R5.3.1, R5.3.2 and R5.3.3 can be enforced through a RADIUS server, which the D20MX supports.
    D20ME II and predecessors: All new firmware with B014-1 v5.00 or greater has some restrictions, but not enough to meet the R5.3 requirements. B014-1 is the Wesmaint II+ application.

  R6 Security Status Monitoring
    Requirement: The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
    D20MX: The D20MX logs events under standard Syslog file format to redundant syslog servers. Any capable SEM Software package can be used for further event analysis and alerting.

  R6.4
    Requirement: The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
    D20MX: The D20MX is capable of reporting events to redundant syslog servers where logs can be retained in excess of ninety days. The D20MX can also be configured to archive in local storage enough records for normal account activity over a period of 90 days (i.e. 10,000 records).

  R6 (continued)
    Requirement: The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs.

  R7 Disposal or Redeployment
    Requirement: The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP.
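The four local password rules listed under R5.3 can be checked mechanically. The Python below is an added example, not GE's implementation, that encodes exactly those rules and reports which of them a candidate password fails. Two details the bulletin leaves open are assumptions of this example: account-name fragments are matched case-insensitively, and the fourth category is treated as characters that are neither letters nor digits (the bulletin's own examples are !, $, # and %), so that a digit is not counted in two categories at once.

```python
"""Checker for the local D20MX password rules quoted in the bulletin.

Added example, not GE code. Two interpretations are assumptions of this
example: username fragments are compared case-insensitively, and the
"non-alphabetic" category is taken as non-alphanumeric characters.
"""

MIN_LENGTH = 6        # R5.3.1: at least six characters
MIN_CATEGORIES = 3    # three of the four character classes below
MAX_NAME_RUN = 2      # longest run of consecutive account-name chars allowed

CATEGORIES = {
    "uppercase": lambda c: "A" <= c <= "Z",
    "lowercase": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "special": lambda c: not c.isalnum(),   # assumption: non-alphanumeric
}


def username_fragments(username, length=MAX_NAME_RUN + 1):
    """Every run of `length` consecutive characters of the account name.
    Any of these appearing in the password exceeds the two-character limit.
    Names shorter than `length` yield no fragments and cannot trigger it."""
    u = username.lower()
    return {u[i:i + length] for i in range(len(u) - length + 1)}


def categories_present(password):
    """Names of the character classes that occur at least once."""
    return frozenset(
        name for name, test in CATEGORIES.items() if any(test(c) for c in password)
    )


def check_password(username, password):
    """Return the list of failed rules; an empty list means the password passes.

    "length" and "complexity" are the local enforcement of R5.3.1 and R5.3.2;
    "username" is the device's extra rule against embedding the account name.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if len(categories_present(password)) < MIN_CATEGORIES:
        failures.append("complexity")
    pw = password.lower()
    if any(frag in pw for frag in username_fragments(username)):
        failures.append("username")
    return failures


def is_compliant(username, password):
    return not check_password(username, password)


if __name__ == "__main__":
    # Constructed sample credentials, one per rule.
    for user, pw in [
        ("admin", "Sub5tati0n!"),   # passes all three rules
        ("admin", "Admin#2013"),    # contains "adm" from the account name
        ("op1", "abc12"),           # too short and only two categories
        ("engineer", "password"),   # lowercase letters only
    ]:
        print(f"{user:9} {pw:12} -> {check_password(user, pw) or 'OK'}")
```

R5.3.3 (periodic change) is a lifecycle rule that a checker of this kind cannot enforce, which is why the bulletin defers it to the RADIUS server.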

Standard: CIP Incident Reporting and Response Planning

  R1 Cyber Security Incident Response Plan
    Requirement: The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents.

  R2 Cyber Security Incident Documentation
    Requirement: The Responsible Entity shall keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years.

Standard: CIP Recovery Plans for Critical Cyber Assets

  R1 Recovery Plans
    Requirement: The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets.

  R2 Exercises
    Requirement: The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident.

  R3 Change Control
    Requirement: Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed.

  R4 Backup and Restore
    Requirement: The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc.
    D20MX: GE recommends that customers maintain a backup of the latest D20MX configuration and firmware for the purpose of disaster recovery.
    D20ME II and predecessors: GE recommends that customers maintain a backup of the latest D20 configuration and firmware for the purpose of disaster recovery.

  R5 Testing Backup Media
    Requirement: Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site.

APPENDIX NERC CIP-007-3: Frequently Asked Questions

CIP R2 Ports and Services

Q: R2a - Provide a list of factory default open ports (TCP and UDP).
A: TCP ports: 22 and 922. Port 22 is used for SSH access to Wesmaint II+ and SFTP. Port 922 is used for SSH access to the Shell and SFTP.

Q: R2b - Can these ports be closed via firmware or software?
A: Yes, if LAN is disabled in the configuration, the ports will not be opened.

Q: R2c - Can new ports be opened via firmware or software?
A: Yes, by configuring DNP/TCP or DNP/UDP, the associated ports will be opened.

CIP R3 Security Patch Management

Q: R3a - Are automated security update notifications available from the vendor via e-mail?
A: GE Multilin maintains a registered users list for Cyber Security notifications. The process is set up to send notifications to registered users in the event that a critical vulnerability is identified.

Q: R3b - If not, are they available in another way?

CIP R4 Malicious Software Prevention

Q: R4a - Does the device support anti-malware tools?
A: No. It is not currently technically feasible, and the risk of malware attack is nominal given that the device does not run a generic OS but a tailored RTOS that is not designed to load or execute 3rd party software components or programs.

Q: R4b - If yes, does the vendor support automated anti-malware signature updates or in another way?

CIP R5 Account Management

Q: R5a - Can the device be accessed remotely via the network?
A: Yes, if so configured.

Q: R5b - If yes, does the access method use login accounts?
A: Yes, the access method uses both local accounts and remote accounts via a RADIUS server.

Q: R5c - Provide a list of factory default accounts and their access privileges (e.g. administrator, individual, shared, read-only, read-write).
A: Factory default user account: username: admin; access privilege: administrator. System default user account: username: recover; access privilege: administrator. The system default user account is disabled once a valid configuration is synchronized to the D20MX.

Q: R5d - Can new user accounts be created in addition to the factory default ones?
A: Yes.

Q: R5e - Can the privileges of the user accounts be changed for both factory default and newly created ones?
A: Yes for the factory default account and newly created ones. Yes for the system default account, but rather than change its privilege, the system default account is completely disabled once a valid configuration is synchronized to the D20MX.

Q: R5f - Does the access require passwords?
A: Wesmaint II+, shell and SFTP access require a password. However, with physical access to the serial port and power switch, a password is not required to restore the system to the default system state.

Q: R5g - If yes, does the password have a minimum of 6 characters (combination of alpha, numeric, and special)?
A: Yes.

Q: R5h - Can the device support a user access log?
A: Yes, the D20MX supports a local access log as well as a remote access log through one or two syslog servers.

Q: R5i - If yes, can the user access log be stored in the device for at least 90 days for auditing purposes?
A: Yes, the local user access log can be configured to hold enough records for normal account activity over a period of 90 days (e.g. 10,000 records).

CIP R6 Security Status Monitoring

Q: R6a - Does the device provide support for automated security status monitoring tools, specifically for monitoring system events related to cyber security (for example, syslog)?
A: Yes, the D20MX logs events under standard syslog file format to redundant syslog servers.

Q: R6b - Can the device log events, especially security related events?
A: Yes, the D20MX logs unsuccessful login attempts.

Q: R6c - Can the device detect a security incident?
A: No, the D20MX relies on a Security Event Manager software package to perform detection of security incidents through analysis of the records logged by the D20MX.

Q: R6d - Can the device send an alert upon detecting a security incident?
A: No, the D20MX relies on a Security Event Manager software package to perform alerts of a security incident.

Additional SNMP-related questions

Q: Does the device support SNMP?
A: No.

If yes:
- Can SNMP be disabled completely?
- Can the public community password be changed?
- Does the device support only MIB II, or is full MIB support available?
- If full MIB support is available, where can we get the MIB file(s) from? Is there a document describing the SNMP traps in detail?

Product Support

We trust that this information assures you that GE Digital Energy is committed to the continued support of the D20MX product line. We appreciate your business and look forward to continuing to grow our relationship. If you need help with any aspect of your GE Digital Energy product, you have a few options:

Search Technical Support
The GE Digital Energy Web site provides fast access to technical information, such as manuals, release notes and knowledge base topics. Visit us on the Web at:

Contact Customer Service
The GE Digital Energy Customer Service Center is open 24 hours a day, seven days a week for you to talk directly to a GE representative. In the U.S. and Canada, call toll-free: International customers, please call: Or e-mail: ge4service@ge.com

Copyright Notice
2013, General Electric Company. All rights reserved. The information contained in this online publication is the exclusive property of General Electric Company, except as otherwise indicated. You may view, copy and print documents and graphics incorporated in this online publication (the "Documents") subject to the following: (1) the Documents may be used solely for personal, informational, non-commercial purposes; (2) the Documents may not be modified or altered in any way; and (3) General Electric Company withholds permission for making the Documents or any portion thereof accessible via the internet. Except as expressly provided herein, you may not use, copy, print, display, reproduce, publish, license, post, transmit or distribute the Documents in whole or in part without the prior written permission of General Electric Company. If applicable, any use, modification, reproduction, release, performance, display, or disclosure of the Software Product and Associated Material by the U.S. Government shall be governed solely by the terms of the License Agreement and shall be prohibited except to the extent expressly permitted by the terms of the License Agreement. The information contained in this online publication is subject to change without notice. The software described in this online publication is supplied under license and may be used or copied only in accordance with the terms of such license.

Trademark Notice
GE and the GE monogram are trademarks and service marks of General Electric Company. * Trademarks of General Electric Company. Other company or product names mentioned in this document may be trademarks or registered trademarks of their respective companies.

Document Revision History
Version | Revision Date | Author | Change Description
  | April 25, 2013 | K. Odetunde, D. Thanos, G. LaMarre | Created
1 | April 30, 2013 | R. Rees | Corrected product name in Product Support section.
2 | May 6, 2013 | K. Odetunde | Added comparison to the D20 legacy.


Product Bulletin. SGConfig Configuration Tool v8.3. GE Digital Energy. Release Notification of SGConfig 8.3. SGConfig v8.

Product Bulletin. SGConfig Configuration Tool v8.3. GE Digital Energy. Release Notification of SGConfig 8.3. SGConfig v8. GE Digital Energy SGConfig Configuration Tool v8.3 Product Bulletin Date: January 5, 2015 Classification: GE Information Release Notification of SGConfig 8.3 SGConfig is a PC software-based user interface

More information

Product Bulletin. SGConfig Configuration Tool v9.0. GE Grid Solutions. Release Notification of SGConfig 9.0. Before Installation

Product Bulletin. SGConfig Configuration Tool v9.0. GE Grid Solutions. Release Notification of SGConfig 9.0. Before Installation GE Grid Solutions SGConfig Configuration Tool v9.0 Product Bulletin Date: August 11, 2016 Classification: GE Information Release Notification of SGConfig 9.0 SGConfig is a PC software-based user interface

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Security Management Controls. A. Introduction CIP-003-7 - Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-7 3. Purpose: To specify consistent and sustainable security

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

SGConfig Configuration Tool v11.1 R0 Product Bulletin

SGConfig Configuration Tool v11.1 R0 Product Bulletin GE Grid Solutions SGConfig Configuration Tool v11.1 R0 Date: December 11 th, 2018 Classification: GE Information Publication Number: PRBT-0416 Release Notification of SGConfig 11.1 SGConfig is a PC software-based

More information

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System Application description 04/2017 NERC CIP Compliance Matrix of RUGGEDCOM RUGGEDCOM https://support.industry.siemens.com/cs/ww/en/view/109747098 Warranty and Liability Warranty and Liability Note The Application

More information

DRAFT. Standard 1300 Cyber Security

DRAFT. Standard 1300 Cyber Security These definitions will be posted and balloted along with the standard, but will not be restated in the standard. Instead, they will be included in a separate glossary of terms relevant to all standards

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

Standard CIP Cyber Security Physical Security

Standard CIP Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security program

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Standard CIP Cyber Security Physical Security

Standard CIP Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-1 3. Purpose: Standard CIP-006 is intended to ensure the implementation of a physical security program

More information

Analysis of CIP-006 and CIP-007 Violations

Analysis of CIP-006 and CIP-007 Violations Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December

More information

Standard CIP-006-1a Cyber Security Physical Security

Standard CIP-006-1a Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-1a 3. Purpose: Standard CIP-006 is intended to ensure the implementation of a physical security program

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

Standard CIP-006-4c Cyber Security Physical Security

Standard CIP-006-4c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security

More information

Standard CIP-006-3c Cyber Security Physical Security

Standard CIP-006-3c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security

More information

THE TRIPWIRE NERC SOLUTION SUITE

THE TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED BUSINESS INTELLIGENCE SOLUTION BRIEF THE TRIPWIRE NERC SOLUTION SUITE A TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on

More information

The D20MX and its Predecessors Features and Functionality

The D20MX and its Predecessors Features and Functionality GE TN0049 V1.00 R0 Digital Energy Substation Controller - D20MX Technical Note The D20MX and its Predecessors Features and Functionality Overview The D20MX Substation Controller is a specialized computing

More information

Unofficial Comment Form for Interpretation of CIP-007-3, Requirement R5, for ITC (Project 2012-INT-04)

Unofficial Comment Form for Interpretation of CIP-007-3, Requirement R5, for ITC (Project 2012-INT-04) Unofficial Comment Form for Interpretation of, Requirement R5, for ITC (Project 2012-INT-04) Project 2012-INT-04 Interpretation for ITC Unofficial Comment Form Project 2012-INT-04 Interpretation of Applicability

More information

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables

More information

Standard CIP 004 3a Cyber Security Personnel and Training

Standard CIP 004 3a Cyber Security Personnel and Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Compliance Exception and Self-Logging Report Q4 2014

Compliance Exception and Self-Logging Report Q4 2014 Agenda Item 5 Board of Trustees Compliance Committee Open Session February 11, 2015 Compliance Exception and Self-Logging Report Q4 2014 Action Information Introduction Beginning in November 2013, NERC

More information

Rich Powell Director, CIP Compliance JEA

Rich Powell Director, CIP Compliance JEA Rich Powell Director, CIP Compliance JEA Review access control requirements CIP-003 and CIP-007 Discuss compliance considerations Implementation Strategies Hints/Tips for audit presentation Account Control

More information

A. Introduction. Page 1 of 22

A. Introduction. Page 1 of 22 The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

Standard CIP Cyber Security Security Management Controls

Standard CIP Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-4 3. Purpose: Standard CIP-003-4 requires that Responsible Entities have minimum security management controls in

More information

CIP Cyber Security Security Management Controls. Standard Development Timeline

CIP Cyber Security Security Management Controls. Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

A new D GHz CPU main board [REV: B01 or newer]. See Figure 1 New D GHz Main board (Rev: B01).

A new D GHz CPU main board [REV: B01 or newer]. See Figure 1 New D GHz Main board (Rev: B01). GE Digital Energy D400 CPU Migration Instructions TN00062 V1.00 R0 Technical Note This document: Provides the steps required to migrate existing firmware and configuration files to a 1.6 GHz D400. Applies

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-6 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Compliance: Evidence Requests for Low Impact Requirements

Compliance: Evidence Requests for Low Impact Requirements MIDWEST RELIABILITY ORGANIZATION Compliance: Evidence Requests for Low Impact Requirements Jess Syring, CIP Compliance Engineer MRO CIP Low Impact Workshop March 1, 2017 Improving RELIABILITY and mitigating

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

A new D GHz CPU main module [Rev: B01 or newer]. See Figure 1 New D GHz Main module (Rev: B01).

A new D GHz CPU main module [Rev: B01 or newer]. See Figure 1 New D GHz Main module (Rev: B01). GE Digital Energy D400 CPU Migration Instructions TN00062 V1.00 R2 Technical Note This document: Provides the steps required to migrate existing firmware and configuration files to a 1.6 GHz D400. Applies

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

7.16 INFORMATION TECHNOLOGY SECURITY

7.16 INFORMATION TECHNOLOGY SECURITY 7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018. Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada

More information

Cyber Security Standards Drafting Team Update

Cyber Security Standards Drafting Team Update Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications

More information

Implementation Plan for Version 5 CIP Cyber Security Standards

Implementation Plan for Version 5 CIP Cyber Security Standards Implementation Plan for Version 5 CIP Cyber Security Standards April 10September 17, 2012 Note: On September 17, 2012, NERC was alerted that some references in the Initial Performance of Certain Periodic

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

IPM Secure Hardening Guidelines

IPM Secure Hardening Guidelines IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems

Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems Eroshan Weerathunga, Anca Cioraca, Mark Adamiak GE Grid Solutions MIPSYCON 2017 Introduction Threat

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

CIP 007 Compliance. Kevin B. Perry Dir, Critical Infrastructure Protection

CIP 007 Compliance. Kevin B. Perry Dir, Critical Infrastructure Protection CIP 007 Compliance Kevin B. Perry Dir, Critical Infrastructure Protection kperry@spp.org 501.614.3251 Agenda CIP 007 Purpose CIP 007 Requirement Overview Past Non Compliance Potential Non Compliance Concerns

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

Cyber security tips and self-assessment for business

Cyber security tips and self-assessment for business Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this

More information

CIP-007/R1 System Configuration Baseline/Security Control Testing. Kevin B. Perry

CIP-007/R1 System Configuration Baseline/Security Control Testing. Kevin B. Perry CIP-007/R1 System Configuration Baseline/Security Control Testing Kevin B. Perry kperry.re@spp.org 501.614.3251 Agenda Requirement overview What we have seen to date What really needs to be done How you

More information

Security Architecture

Security Architecture Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry Internal Security Assessor: Quick Reference V1.0 PCI SSC by formed by: 1. AMEX 2. Discover 3. JCB 4. MasterCard 5. Visa Inc. PCI SSC consists of: 1. PCI DSS Standards 2. PA DSS Standards 3. P2PE - Standards 4. PTS (P01,HSM and PIN) Standards 5. PCI Card

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

1. SAR posted for comment (March 20, 2008). 2. SC authorized moving the SAR forward to standard development (July 10, 2008).

1. SAR posted for comment (March 20, 2008). 2. SC authorized moving the SAR forward to standard development (July 10, 2008). Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Guide to cyber security/cip specifications and requirements for suppliers. September 2016 Guide to cyber security/cip specifications and requirements for suppliers September 2016 Introduction and context The AltaLink cyber security/cip specification and requirements for suppliers (the standard)

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

Standard Development Timeline

Standard Development Timeline CIP-003-67(i) - Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

CIP Cyber Security Security Management Controls

CIP Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-6 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and

More information

Standard CIP Cyber Security Incident Reporting and Response Planning

Standard CIP Cyber Security Incident Reporting and Response Planning A. Introduction 1. Title: Cyber Security Incident Reporting and Response Planning 2. Number: CIP-008-4 3. Purpose: Standard CIP-008-4 ensures the identification, classification, response, and reporting

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

Security Principles for Stratos. Part no. 667/UE/31701/004

Security Principles for Stratos. Part no. 667/UE/31701/004 Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED

More information

Standard Development Timeline

Standard Development Timeline CIP 003 7 Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS 2007

TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS 2007 Princeton Forrestal Village, 116-390 Village Boulevard, Princeton, New Jersey 08540-5721 www.nerc.com 609-452-8060 (Voice) 609-452-9550 (Fax) TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED

More information