FRCC CIP V5 FAQ and Lessons Learned Tracking


Date: December 19,

As part of the FRCC CIP V5 Outreach efforts, FRCC is providing the following information in response to the questions submitted to us by the Registered Entities within the FRCC Region. FRCC will update this document as information becomes available during the NERC process of vetting frequently asked questions (FAQs).

Please refer to the NERC Lessons Learned and FAQ Coordination Process document titled CIP V5 Transition Lessons Learned and Frequently Asked Questions Coordination, which is located at the following URL nation.pdf. This document outlines the process of handling questions submitted by Regions and Registered Entities to attain responses in support of the level of technical discussion and analysis required to support implementation or enhance stakeholder understanding of the CIP Version 5 standards.

The questions below are being provided as submitted by the Registered Entities with an FRCC initial proposed response, status, and reference to any identified Lessons Learned or FAQ Reference already in progress.

NOTICE: The FRCC CIP V5 FAQ and Lessons Learned Tracking information is accurate to the best of FRCC's understanding, and all the information is provided in good faith. If it conflicts with NERC, FERC, or other statutory requirements, NERC standards and Rules of Procedure take precedence over any material or information provided in this document. Initial proposed responses are intended to provide guidance to the Registered Entities until a fully vetted response has been developed and approved through the NERC process referenced above.

For the status column, FRCC has noted where in the process the particular question currently resides. The values for this column are as follows:

FRCC Reviewing: An initial proposed response is being developed and/or a determination of whether this particular question is already being handled in the process is being made.

FRCC Submitted to NERC: This question has been submitted to NERC for processing in the coordination effort discussed above. An initial response may not have been provided if information was unavailable to FRCC, such as the non public details of pilot participant activity.

Submitted to NERC by Another Region: This question matches another question submitted by another Region and already identified as an FAQ or specific Lessons Learned document in progress.

NERC FAQ Being Developed: This question has been identified by the NERC process to be handled as an FAQ, and the response is being developed.

NERC FAQ Posted for Comment: This question has been identified by the NERC process to be handled as an FAQ, and the initial response has been developed and posted to the NERC website for industry comment under the Lessons Learned and FAQs Posted for Industry Comment at the URL Program V5 Implementation Study.aspx.

NERC FAQ Posted Final: This question has been identified by the NERC process to be handled as an FAQ, been through posting for comment, and the final response has been posted on the NERC website under the Final Lessons Learned and FAQs section at the URL Program V5 Implementation Study.aspx.

NERC Lessons Learned Being Developed: This question has been identified by the NERC process to be handled as a Lessons Learned, and the response is being developed.

NERC Lessons Learned Posted for Comment: This question has been identified by the NERC process to be handled as a Lessons Learned, and the initial response has been developed and posted to the NERC website for industry comment under the Lessons Learned and FAQs Posted for Industry Comment at the URL Program V5 Implementation Study.aspx.

NERC Lessons Learned Posted Final: This question has been identified by the NERC process to be handled as a Lessons Learned, been through posting for comment, and the final response has been posted on the NERC website under the Final Lessons Learned and FAQs section at the URL Program V5 Implementation Study.aspx.

FRCC CIP V5 FAQ and Lessons Learned Tracking 12/19/2014

Columns: Question #; Standard / Requirement; Topic; Question/Comment; Date Received; Initial Proposed Response (subject to NERC vetting process); Status; Last Updated; Lessons Learned or FAQ Reference (# references on NERC Posted FAQ or Lessons Learned Summary documents)

Standard / Requirement: General
Topic: Device capability
Question/Comment: How did pilot participants document the per device capabilities? How and when will that be reviewed?
Date Received: 8/13/

Standard / Requirement: General
Topic: Electronic Access Points
Question/Comment: Where do tie line meters with dial up modems fall under CIP V5? The ones in question are usually shared facilities in a serially connected substation. They provide situational awareness/monitoring capability for grid operators. Are they in scope as Electronic Access Points?
Date Received: 8/13/2014
Initial Proposed Response: Dial up connectivity authentication is required where technically feasible under CIP R1.4 for those High and Medium Impact BES Cyber Systems. Under CIP V5, these would not be defined as Electronic Access Points. Each Entity should, however, review their Cyber Assets to ensure all connectivity has been properly identified to determine specific designation of an Electronic Access Point (EAP) or Low Impact BES Cyber System Electronic Access Point (LEAP).

Standard / Requirement: General
Topic: Asset Removal
Question/Comment: From the V5 FAQs: NERC draft Transition Guidance dated July 2013 indicated that an entity removing assets may do so only after their Reliability Coordinator, Transmission Planner, Planning Coordinator, or Planning Authority confirm notification of the removal. September 2013 NERC Transition Guidance indicates 3rd parties are responsible for reaching out (vs. the entity): NERC highly encourages these third parties to proactively designate the necessary assets in a timely fashion. What is the expectation related to notifying the Reliability Coordinator? Is there any other obligation?
Date Received: 8/13/2014
Initial Proposed Response: While not specifically identified in the CIP V5 Transition Guidance, CIP Attachment 1 Impact Rating Criteria 2.3, 2.6, 2.7, 2.8 specifically provide for the identification by and/or notification of a Generator Owner, Generator Operator, Transmission Planner, Planning Coordinator, or Reliability Coordinator when determining the impact rating for different types of assets. These should be reviewed by each entity to determine their specific obligations for notification and identification of the impact ratings on all assets described under CIP R

Standard / Requirement: Generic
Topic: Malicious Code and Log Collection
Question/Comment: How did pilot participants provide malicious code prevention and collect logs for security event monitoring where there was no external routable protocol? Or, in general, what issues did the pilot participants find in trying to become V5 compliant for substations with serial communications?
Date Received: 8/13/

Standard / Requirement: General
Topic: Protected Cyber Assets External Routable Connectivity
Question/Comment: Currently we believe that the substations with external IP connectivity will have all assets in scope as either BES Cyber Systems or Protected Cyber Assets. The definition of Protected Cyber Assets does not seem to apply for substations without External Routable Connectivity. Is that the case?
Date Received: 8/13/2014
Initial Proposed Response: Protected Cyber Assets (PCA) are associated with a referenced high or medium impact BES Cyber System. There are several requirements in the CIP V5 set of Standards that are applicable to "Medium Impact BES Cyber Systems and their associated PCA". In the case of those requirements, they would apply to those BES Cyber Systems identified at a substation without External Routable Connectivity that are within the same ESP as that BES Cyber System.

Standard / Requirement: General
Topic: Serial Communication
Question/Comment: In a substation where we have tie line metering, is it necessary to provide an intermediate device (RTU) to provide data from one utility to another? If it is strictly serial communication, is there a need to do anything?
Date Received: 8/20/2014
Initial Proposed Response: No. An intermediate device is specifically required by CIP R2 Part 2.1 for those High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated Protected Cyber Assets (PCA) for Interactive Remote Access. A determination of the BES Cyber Systems must be made by the Entity to determine the appropriate impact rating and any subsequent requirement for implementing an appropriate Electronic Access Point (EAP) or Low Impact BES Cyber System Electronic Access Point (LEAP).

Standard / Requirement: General
Topic: Routable Protocol
Question/Comment: RFC1490 Protocol: what does NERC/FRCC consider this? Serial? Routable? Enabling Frame Relay Encapsulation (Layer 2) point to point communication (like a long printer cable)
Date Received: 8/20/2014
Initial Proposed Response: A communications protocol that contains a network address as well as a device address is typically defined as a routable protocol. TCP/IP is a routable protocol, and the IP network layer in TCP/IP provides this capability. The TCP/IP suite provides two transport methods. TCP ensures that data arrive intact and complete, while UDP just transmits packets. RFC 1490 is an encapsulation method for carrying network interconnect traffic over a Frame Relay backbone. If IP traffic is encapsulated in this protocol, then it would be considered to be a routable protocol.

Standard / Requirement: General
Topic: Routable Protocol
Question/Comment: Is IEC61850 a routable protocol?
Date Received: 8/15/2014
Initial Proposed Response: A communications protocol that contains a network address as well as a device address is typically defined as a routable protocol. TCP/IP is a routable protocol, and the IP network layer in TCP/IP provides this capability. The TCP/IP suite provides two transport methods. TCP ensures that data arrive intact and complete, while UDP just transmits packets. IEC61850 is a standard protocol for the design of electrical substation automation. This protocol can run over TCP/IP networks or substation LANs using high speed switched Ethernet to obtain the necessary response times for protective relaying. If IEC61850 is running over TCP/IP, it would be considered to be a routable protocol.

Standard / Requirement: General
Topic: Programmable
Question/Comment: Can FRCC or FERC share the current thoughts on programmable vs configurable as it applies to the definition of Cyber Asset?
Date Received: 8/20/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Programmable Electronic Devices #3

Standard / Requirement: General
Topic: TFE
Question/Comment: The TFE annual reports have significantly changed. In relation to continued research for strict compliance on version 3 vs. version 5, do we need to continue to research v3 strict compliance while we are researching version 5 compliance (in regards to TFEs)?
Date Received: 8/27/2014
Initial Proposed Response: For those TFEs that do not have a CIP V5 equivalent, strict compliance should continue to be researched so long as CIP V3 remains mandatory and enforceable. For those TFEs that have a CIP V5 equivalent, the Entity has the option to migrate to CIP V5 compliance as outlined in the CIP V5 Transition Guidance and could therefore pursue strict compliance with CIP V5 for the TFE.

Standard / Requirement: General
Topic: Network Base Solutions
Question/Comment: Attached is a diagram of a concept for the new non routable sites that could come in to scope for NERC CIP V5. It seems that NERC will accept a network based security solution as a substitute for client based. Would FRCC/FERC provide guidance on whether this solution could potentially satisfy most of the manual effort CIP standard requirements that are listed on the diagram? An additional advantage to this solution would be the potential to utilize only one firewall cluster at a central location, and maybe eliminate the need for bi directional traffic.
Date Received: 8/27/2014
Status: FRCC Reviewing
Last Updated: 12/19/2014
Note: See the drawing at the end of the questions for the referenced diagram. NERC - Layer 2 SPAN -- RSPAN concept.pdf

Standard / Requirement: General
Topic: Intermediate System Virtual Environment
Question/Comment: Based on the definition of an Intermediate System being "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter", does the Cyber Asset performing the access control have to be identified as an EACM with all the appropriate controls, and if the Cyber Asset is a VMguest, does the VMhost have to be identified as part of the Intermediate System and then the entire system is an EACM?
Date Received: 9/9/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Interactive Remote Access #15 Virtual Server and Network Environments #

Standard / Requirement: General
Topic: EACM Identification
Question/Comment: Should the Identity Management tool be classified as an EACM? It will reside in an ESP DMZ environment and could be on a dedicated VM infrastructure.
Date Received: 8/29/2014
Initial Proposed Response: The definition of Electronic Access or Monitoring System (EACM) is "Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems." If this Identity Management tool is performing any portion of the electronic access control functions for the Electronic Security Perimeter(s) or BES Cyber Systems, then it would be classified as an EACM and should be protected accordingly. The reference to the virtual environments is being addressed by a Lessons Learned in progress.
Lessons Learned or FAQ Reference: Virtual Server and Network Environment #

Standard / Requirement: General
Topic: Programmable
Question/Comment: Slide 36 of Tobias Whitney's CIP V3 V5 Transition presentation (11 June 2014) contains the bullet: "configurable is not programmable." Is this statement meant to be definitive? In other words, could a battery charger be a BES Cyber Asset if it is only configurable and not programmable? Is the device programmable if the configuration settings are stored in NVRAM so they are saved across a reboot?
Date Received: 10/3/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Programmable Electronic Devices #

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: For CIP , how did the pilot participants approach the identification of BES Cyber Systems? Or did they just continue application of standards to the individual BES Cyber Assets?
Date Received: 8/15/2014
Initial Proposed Response: Study participants took different approaches to identifying their BES Cyber Assets and BES Cyber Systems. The application of a particular CIP V5 requirement to the BES Cyber Systems varied depending upon the grouping of BES Cyber Assets into the specific BES Cyber System, and the availability of specific solutions capable of applying the required control to all of the BES Cyber Assets identified in the BES Cyber System.
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Identifying BES Cyber Systems and BES Cyber Assets #5 Grouping BES Cyber Assets #

Standard / Requirement: CIP R1
Topic: Common Control
Question/Comment: NERC was considering common control to extend to having a single control room (distinct PSPs) that would operate only one unit of a multi unit plant site. The language in the standard refers to common mode failure of systems and/or shared systems. What is the direction for physical co location of plant DCS systems?
Date Received: 8/15/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Posted for Comment
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Generation Segmentation #1

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: What is implied by the word "group" within Bright line criteria 2.1 "Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection."? Is the word implying that a large physical site can have groups (i.e. Combined Cycle units) each with its own 1500 MW threshold, or is the word simply clarifying that the single plant location is the grouping, or is any combination of units that is greater than 1500MW as a single site, a group? This last interpretation may be the most accurate since it would have the result of identifying all combinations of units which could exceed the 1500MW criteria, but is it the only valid interpretation?
Date Received: 8/28/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Posted for Comment
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Generation Segmentation #

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: Does bright line criteria 2.8 bring into scope generation interconnection Facilities that connect less than 1500MW? According to bright line criteria 2.8, "Transmission Facilities, including generation interconnection Facilities, providing the generation interconnection required to connect generator output to the Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the generation Facilities identified by any Generator Owner as a result of its application of Attachment 1, criterion 2.1 or 2.3." are in scope, however this criteria is unclear in that, does the loss of the generation Facilities mean all the Facilities identified by 2.1 or any of the Facilities, or is it just per group of generating units as stated in 2.1, or finally is it any combination of units identified in 2.1 that exceed 1500MW? If it is all the Facilities, a Combined Cycle Unit (<1500MW) collector bus would not meet the criteria, however if it is any of the Facilities then this collector bus would meet the criteria. Since 2.1 provides the clarification that "For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection", it would appear that only Transmission Facilities or generation interconnection Facilities that connect more than 1500MW would be included in this criteria.
Date Received: 8/28/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Generation Interconnection Points #

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: According to CIP 005 R1 Part 1.1, "All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP." Medium Impact BES Cyber Assets that do not use a routable protocol are not required to be within an ESP but they are within the scope of the requirements. This places multiplexers in a difficult position. If a multiplexer used a routable protocol and was outside of an ESP, then according to section of the CIP standards, and specifically section "Cyber Assets associated with the communication network and data communication links between discrete Electronic Security Perimeters." are exempted from the CIP standards. However, if the multiplexer is not using a routable protocol, it appears that they cannot be exempted from the standards. Is this correct?
Date Received: 8/28/2014
Initial Proposed Response: Neither the definition of BES Cyber Asset nor that of BES Cyber System excludes Cyber Assets by their lack of or use of a routable protocol. If the multiplexer is identified as a BES Cyber Asset, it becomes a part of a BES Cyber System (i.e., by itself or with other BES Cyber Assets). The specific impact rating of that BES Cyber System and its use of a routable protocol would then determine the specific CIP V5 requirements that would be applicable. Further information regarding the classification and grouping is being addressed by a Lessons Learned in progress.
Lessons Learned or FAQ Reference: Identifying BES Cyber Systems and BES Cyber Assets #5 Grouping BES Cyber Assets #

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: Does the language in CIP 002 Medium Impact Rating (M) "Each BES Cyber System, not included in Section 1 above, associated with any of the following:" imply that BES Cyber Systems not located at High control centers but associated with high control centers must be protected as Medium's? An example would be: Are the meters and RTU's at a tie line substation associated with a BA calculating ACE within a high control center required to be afforded the protection of Medium Impact BES Cyber Systems?
Date Received: 9/5/2014
Initial Proposed Response: NERC response already in progress
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Identifying BES Cyber Systems and BES Cyber Assets #5 Grouping BES Cyber Assets #7

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: In the NERC document Identifying Critical Cyber Assets page 35 example drawing 3 and page 38 example drawing 6 enforce there examples. Can these guidance documents be updated to reflect the new Glossary Terms?
Date Received: 10/7/2014
Initial Proposed Response: The NERC document Identifying Critical Cyber Assets was written for CIP V3 and does not use the same terminology as CIP V5. As such, this document will not be updated. A new Lessons Learned is being developed that should address the examples provided.
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Identifying BES Cyber Systems and BES Cyber Assets #5 Grouping BES Cyber Assets #7
Note: See the drawing at the end of the questions for the specific examples provided in drawings. Document

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: For registrations where Coordinated Functional Registrations (CFR) exist, who has the responsibility under the bright line criteria for performance? As an example, CIP Bright Line criteria 2.6 states "Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies." Unlike criteria 2.3 that indicate registrations and communications between those registrations, this bright line criteria is simply related to the generation itself. However, the criteria creates associations with RC, PC and TP through the word "its" (in relation to the generation), implying that the entity responsible for protecting the generation needs to know who may have identified their generator (according to this criteria). Since entities are entering into Coordinated Functional Registrations to assign responsibilities and since Planning Authority (Planning Coordinator) cannot have overlapping geographical areas of responsibility, which Planning Authority/Planning Coordinator is responsible for assessing the impact of the generator as referenced in criteria 2.6?
Date Received: 11/24/2014
Status: FRCC Reviewing
Last Updated: 12/19/

Standard / Requirement: CIP R1
Topic: Identifying BES Cyber Systems
Question/Comment: CIP Bright Line criteria 1.4 states "Each Control Center or backup Control Center used to perform the functional obligations of the Generator Operator for one or more of the assets that meet criterion 2.1, 2.3, 2.6, or" The phrase "one or more of the assets" for criterion 2.1 is open for interpretation since the criteria 2.1 identifies groups of generators. The question becomes: are the assets in criteria 1.4 the groups in 2.1 or the generators within the groups?
Date Received: 11/24/2014
Initial Proposed Response: As noted, the CIP Impact Rating Criteria 2.1 states "by each group of generating units at a single plant location". The use of "one or more of the assets that meet criterion 2.1" as stated in 1.4 would then mean the "group" as performed in 2.1. Even if assets was referring to the individual generation units, the "one or more" qualification in 1.4 would cause the inclusion.

Standard / Requirement: CIP R1.9
Topic: CIP Exceptional Circumstance
Question/Comment: There are several places in the standards where it seems that it will be difficult to ensure compliance in the event of a CIP Exceptional Circumstance. Is it the thought that if a Cat 3 hurricane hits Tampa Bay that we would suspend all CIP requirements and restore the grid and associated cyber systems, then go back and make sure that the CIP requirements are met? (In other words, would common sense prevail, or should we start the RFI process for consideration of that within the standards? Or can our CIP R1.9 address any/all situations/exceptions to NERC CIP standards in the event of something like a hurricane?)
Date Received: 8/13/2014
Initial Proposed Response: The definition of a CIP Exceptional Circumstance is "A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability." CIP R1.9 requires an entity specifically address in their cyber security policies "declaring and responding to CIP Exceptional Circumstances". As further described in the Guidelines and Technical Basis under Requirement R1, 1.9, these processes can "invoke special procedures in the event of a CIP Exceptional Circumstance," and can "allow for exceptions to policy that do not violate CIP requirements." Unless specifically called out in a CIP V5 requirement as "except under CIP Exceptional Circumstances", compliance to the CIP V5 Standards and Requirements must be maintained. In those instances, the Registered Entity would still be required to provide evidence that the CIP Exceptional Circumstance has taken place and the timeframe for which it temporarily suspended compliance with that specific requirement.

Standard / Requirement: CIP 004 R2 Part 2.1
Topic: Training
Question/Comment: Did all the pilot participants prepare separate courses for each role, function or responsibility? How granular do the security training courses need to go to address the training required for each role, function or responsibility?
Date Received: 8/13/2014
Initial Proposed Response: CIP R2 requires a "cyber security training program(s) appropriate to individual roles, functions, or responsibilities." Each Entity must determine the level of appropriateness to each role, function, or responsibility. As noted in the Guidelines and Technical Basis Requirement R2, "The Responsible Entity has the flexibility to define the training program and it may consist of multiple modules and multiple delivery mechanisms, but a single training program for all individuals needing to be trained is acceptable." Thus a single training program must address all roles, functions, or responsibilities.

8 FRCC CIP V5 FAQ and Lessons Learned Tracking 12/19/2014 Question # Standard / Requirement Topic Question/Comment Date Received Initial Proposed Response (subject to NERC vetting process) Status Last Updated Lessons Learned or FAQ Reference (# references on NERC Posted FAQ or Lessons Learned Summary documents) CIP 005 R1 Part 1.3 Electronic Access Points Does CIP 005 R1 Part 1.3 apply if Part 1.2 does not apply? If no, no further questions. If yes, what do you consider to be acceptable approach for providing this? 8/15/2014 No, Part 1.3 does not apply if Part 1.2 did not apply. Electronic Access Points (EAPs) would be identified through the application of Part 1.1 and subsequent application of Part 1.2. Part 1.3 would then apply for those EAPs identified. As noted in the Guidelines and Technical Basis Requirement R1, "even standalone networks that have no external connectivity to other networks must have a defined ESP", but may or may not have an EAP CIP 005 R1 Part 1.4 Dial up Connectivity If Part 1.4 (Dial Up Connectivity) applies, what other standards have to be applied to that device? Does it revert back to all Medium Impact standards? Or just this one? 8/15/2014 Dial up connectivity is a specific connection mechanism applied to High and Medium Impact BES Cyber Systems under CIP 005 R1 Part 1.4. All other CIP V5 standards applicable to High and Medium Impact BES Cyber Systems would apply, depending on impact classification of the specific BES Cyber System and a lack of unique criteria on the "Applicable Systems" column to specifically exclude the BES Cyber System CIP 005 R1 Part 1.1 Electronic Security Perimeters Regarding CIP 005 5, page 16 in the Guidelines for R1, what is required of the ESP defined for a standalone network (Medium Impact BES at a substation that meets CIP 002 Attachment 1 Criteria 2.5 that has no External Routable Protocol)? 
8/15/2014 As required under CIP 005 R1 Part 1.1, "all applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP." Each of the CIP V5 requirements must be reviewed by the Entity to determine their applicability to a Medium Impact BES Cyber System. Some of the requirements further qualify the "applicable systems" and others do not, making them applicable to those Medium Impact BES Cyber Systems without External Routable Protocol.

CIP 005 R1 Part 1.1 Electronic Security Perimeter
Question/Comment: Regarding CIP 005 5, page 17, 2nd paragraph in the Guidelines for R1, are serial ports exempted from the ESP consideration? Can the serial communications extend beyond the 6 walls of the PSP as long as they are terminated inside another PSP? The example is for a substation with multiple control houses with buried fiber cables between the two houses carrying serial signals.
Date Received: 8/15/2014
Initial Proposed Response: As required under CIP 005 R1 Part 1.1, "all applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP." Serial connectivity is not used to define an ESP. The Physical Security Perimeter definition for CIP V5 is "The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled." This revised definition no longer includes the "completely enclosed (six-wall) border" qualification. The specific requirements from CIP should be reviewed to determine those that are applicable based upon the impact rating of the BES Cyber System and further qualification of the "applicable systems" column of the requirements.

CIP 005 R1 Part 1.1 Electronic Security Perimeter
Question/Comment: Regarding CIP 005 5, for a substation with Medium Impact BES Cyber Systems, can the ESP be extended to include two control houses with buried cable between the two? Will this communication require alarms, encryption or something else to meet the draft CIP 006 requirements for the revisions to CIP 006 5?
Date Received: 8/15/2014
Initial Proposed Response: The Physical Security Perimeter definition for CIP V5 is "The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled." This revised definition no longer includes the "completely enclosed (six-wall) border" qualification. The specific requirements from CIP should be reviewed to determine those that are applicable based upon the impact rating of the BES Cyber System and further qualification of the "applicable systems" column of the requirements.

CIP 005 R1 Part 1.1 Electronic Security Perimeter
Question/Comment: For CIP R1 Part 1.1: for a Medium Impact BES CS at a substation that is connected via serial communications to the EMS. Inside the substation control room, there is an HMI with a LAN that communicates inside the substation over IP. The language in the standard says "All applicable Cyber Assets connected to a network via routable protocol shall reside within a defined ESP." Which network does "a network" refer to?
Date Received: 8/20/2014
Initial Proposed Response: The Electronic Security Perimeter definition for CIP V5 is "The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol." In this instance, the logical border would be that which surrounds all BES Cyber Systems at the substation that have been classified as Medium Impact.

CIP 007 R5 Part 5.7 Account Alert Notifications
Question/Comment: The Measures column for Part 5.7 states "Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts." Is notification that the user account is locked sufficient? Or do we need to notify of unsuccessful login attempts? We are not aware of a tool that alerts the user. We have one that might be able to alert IT Security. Would that work?
Date Received: 8/20/2014
Initial Proposed Response: The requirement of Part 5.7 is to "generate alerts after a threshold of unsuccessful authentication attempts." The Measures is simply providing an example of a method to demonstrate that the alerts are being generated. The rules used to alert with notification that the user account is locked as a result of exceeding a threshold of unsuccessful authentication attempts would also suffice. The actual alert content has not been specified by the requirement.

CIP 005 Access Point
Question/Comment: GE S3C firewall: if it is a bridging device that has serial on both sides, is it an access point? We think that bridging is at Layer 2; routing is at Layer 3.
Date Received: 8/20/2014
Initial Proposed Response: The Electronic Access Point (EAP) definition for CIP V5 is "A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter." In this instance with both connections being serial, there is no routable communication, and therefore no EAP.
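The CIP 007 R5 Part 5.7 response above accepts either an alert raised when a threshold of unsuccessful authentication attempts is exceeded or a notification that the account has been locked. The Python below is an added example, not FRCC or NERC material, showing both alert paths over a few constructed log lines; the log format, event names, threshold of 3, 15-minute window and function name are all assumptions, and `user=-` stands in for a device that accepts a password with no account name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). Assumed line format:
# "<ISO timestamp> <asset> <EVENT> user=<account, or '-' for password-only access>"
SAMPLE_LOG = """\
2014-08-20T08:00:01 hmi01 AUTH_FAIL user=operator1
2014-08-20T08:00:09 hmi01 AUTH_FAIL user=operator1
2014-08-20T08:00:15 hmi01 AUTH_FAIL user=operator1
2014-08-20T08:00:16 hmi01 ACCOUNT_LOCKED user=operator1
2014-08-20T09:00:00 relay07 AUTH_FAIL user=-
2014-08-20T09:30:00 relay07 AUTH_FAIL user=-
2014-08-20T10:00:00 relay07 AUTH_FAIL user=-
2014-08-20T11:00:00 eng02 AUTH_FAIL user=engineer2
2014-08-20T11:00:05 eng02 AUTH_FAIL user=engineer2
2014-08-20T11:00:09 eng02 AUTH_OK user=engineer2
2014-08-20T11:05:00 eng02 AUTH_FAIL user=engineer2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<asset>\S+) "
    r"(?P<event>AUTH_FAIL|AUTH_OK|ACCOUNT_LOCKED) user=(?P<user>\S+)$"
)


def generate_alerts(log_text, threshold=3, window_minutes=15):
    """Return alerts for failed-login thresholds and for account lockouts.

    Failures are counted per (asset, user) inside a sliding time window.
    A successful login resets the count for that pair (an assumed policy).
    """
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)   # (asset, user) -> failure times
    alerts = []

    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue                        # not an authentication event
        try:
            when = datetime.fromisoformat(match["ts"])
        except ValueError:
            continue                        # unparseable timestamp
        asset, user, event = match["asset"], match["user"], match["event"]
        key = (asset, user)

        if event == "AUTH_FAIL":
            failures = recent_failures[key]
            failures.append(when)
            # Drop failures that have aged out of the window.
            while when - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                alerts.append({"kind": "threshold", "asset": asset,
                               "user": user, "time": when.isoformat(),
                               "failures": len(failures)})
                failures.clear()            # next alert needs a fresh run
        elif event == "AUTH_OK":
            recent_failures[key].clear()
        else:                               # ACCOUNT_LOCKED
            alerts.append({"kind": "lockout", "asset": asset,
                           "user": user, "time": when.isoformat(),
                           "failures": None})
    return alerts


if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_LOG):
        print(alert)
```

With the default 15-minute window the three relay07 failures, spaced 30 minutes apart, never accumulate; widening the window is what brings slow attempts against password-only devices into scope.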

FRCC CIP V5 FAQ and Lessons Learned Tracking 12/19/2014
Columns: Question # | Standard / Requirement | Topic | Question/Comment | Date Received | Initial Proposed Response (subject to NERC vetting process) | Status | Last Updated | Lessons Learned or FAQ Reference (# references on NERC Posted FAQ or Lessons Learned Summary documents)

CIP 005 Interactive Remote Access
Question/Comment: Is anyone doing Interactive Remote Access to relays and RTUs and not using external routable connectivity? (i.e., use of a tool such as Subnet Solutions)
Date Received: 8/27/2014
Status: FRCC Reviewing
Last Updated: 12/19/

CIP Applicability Communication Networks
Question/Comment: Both CIP V3 and V5 provide the following exemptions (within section within CIP V3 standards and within CIP V5): "Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters" are exempt from the standards. This exemption is mute on the underlying technology of the equipment comprising the networks and links, meaning that the exempt equipment could be packet switched (routable) or circuit switched (copper path end to end) or something else (like SONET). If the equipment is not packet switched then the caveat of between ESPs should include non routable devices (they have no ESP since this makes no sense). In other words, if two non routable BES Cyber Systems at different locations communicate across a SONET system, is the SONET equipment exempt from the standards?
Date Received: 10/3/2014
Initial Proposed Response: The Electronic Security Perimeter (ESP) definition for CIP V5 is "The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol." In this instance, there are no ESPs since there is no routable protocol. Because there are no ESPs, the exemption "between discrete ESPs" does not apply. The specific SONET equipment must be analyzed to determine if it qualifies as a BES Cyber Asset, and then grouped as desired by the entity into a BES Cyber System. If it does not qualify as a BES Cyber Asset, then it would not be included as a BES Cyber System and thus would become exempt from the CIP V5 Standards.
Status: NERC Lessons Learned Being Developed
Last Updated: 12/19/2014
Lessons Learned or FAQ Reference: Identifying BES Cyber Systems and BES Cyber Assets #5; Grouping BES Cyber Assets #

CIP R1 Part 1.6 PACS Physical Access Monitoring
Question/Comment: How did pilot participants monitor for unauthorized physical access for the individual devices that make up the PACS system? Or is this directed to the servers that host the PACS? Did they alarm/alert on each of the guard and badging workstations?
Date Received: 8/15/

CIP 006 PACS Protections High Water Marking
Question/Comment: How did pilot participants treat their PACS systems if the same PACS system is used for both High and Medium locations, do the protections need to be provided at the High level for all locations (even if the badging station location is a Low Impact facility)? What is FRCC's interpretation/recommendation?
Date Received: 8/15/2014
Initial Proposed Response: The definition of the Physical Access Control Systems (PACS) is "Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers." PACS are also associated with providing protections of BES Cyber Systems. As such, the PACS Cyber Assets have protections that must be applied according to the specific requirements of CIP V5 and should assume the protections required for the highest rated BES Cyber System with which it is associated.
Lessons Learned or FAQ Reference: Identifying BES Cyber Systems and BES Cyber Assets #5; Grouping BES Cyber Assets #

CIP R3 Part 3.1 PACS Testing
Question/Comment: What does the testing requirement in CIP R3 Part 3.1 mean for PACS workstations and servers? Does that need to be documented the same way the card readers/door alarms are?
Date Received: 8/15/2014
Initial Proposed Response: PACS workstations and servers should be tested in such a way as to demonstrate "they function properly" as required in Part 3.1. Since these Cyber Assets do not perform the same functions as the card readers/door alarms, the actual testing and documentation will not be the same. Sufficient evidence should be documented to demonstrate the Cyber Assets were tested and "function properly". One method of accomplishing this would be to create a set of test scripts for the Cyber Assets to demonstrate they are functioning properly, execute them as required, and document the results of the executed tests.

CIP R1 Part 1.6 PACS Monitoring Physical Access
Question/Comment: What is FRCC's interpretation on the PCs that are used to remote into a PACS device? Since the standard says monitor the physical access of the PACS device, we were considering that the devices used for remote capabilities are not subjected to CIP requirements. Is that your understanding?
Date Received: 8/15/2014
Initial Proposed Response: The definition of the Physical Access Control Systems (PACS) is "Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers." The requirement in CIP R1 Part 1.6 refers to the PACS as a whole system, and as such would be applicable to all Cyber Assets that make up the PACS. It is generally accepted that any Cyber Asset that has software unique to the PACS installed on it would be included as a part of the PACS.

CIP R1 General
Question/Comment: Within CIP 006 5, under Guidelines and Technical Basis, Requirement 1 last paragraph, "Entities may choose for certain PACS to reside in a PSP controlling access to applicable BES Cyber Systems. For these PACS, there is no additional obligation to comply with Requirement Parts 1.1, 1.7 and 1.8 beyond what is already required for the PSP." Is auditing going to abide by this caveat within the guidance?
Date Received: 9/5/2014
Initial Proposed Response: Yes. The specific Parts (i.e., 1.1, 1.7, and 1.8) referenced by the Guidelines and Technical Basis are specifically called out since they become repetitive to those requirement Parts already required for the Physical Security Perimeter(s) of BES Cyber Systems which must be in place.

CIP R3 Part 3.1 Malicious Code
Question/Comment: For CIP R3 Part 3.1 on malicious code for non routable sites, is hardening or group policy sufficient?
Date Received: 8/15/2014
Initial Proposed Response: "System hardening", "policies", etc. have been provided as examples of acceptable measures of meeting the requirement to "deploy method(s) to deter, detect, or prevent malicious code". While these methods are defined as acceptable, they should be documented in such a way as to demonstrate their applicability to the desired BES Cyber Systems and their ability to provide the required control.

CIP R4 Part 4.1 Log Retention and Use
Question/Comment: For CIP R4 Part 4.1, if there is a non routable site and device logs multiples of examples, how long do you have to keep the logs? Is it 90 days? It does not appear to be a requirement to retrieve/review the logs unless needed for forensic and after the fact identification of Cyber Security Incidents. Is that the case?
Date Received: 8/15/2014
Status: FRCC Reviewing
Last Updated: 12/19/

CIP R5 Part 5.2 Default or Other Generic Accounts
Question/Comment: If a system does not have accounts but uses passwords to log in, can we indicate/note and then follow Part 5.5 for the password complexity?
Date Received: 8/15/2014
Initial Proposed Response: For those BES Cyber Assets identified in the applicable systems column, access to the Cyber Asset with only a password should be considered a "generic account type" and documented as such using enough information to discern the access without divulging the specific password.

CIP R5 Part 5.3 Shared Account Access Documentation
Question/Comment: Where there are no accounts but just passwords, but the users don't have access to the passwords, they access them through Subnet Solutions. Is this acceptable?
Date Received: 8/15/2014
Initial Proposed Response: For those BES Cyber Assets identified in the applicable systems column, access to the Cyber Asset with only a password should be considered a "generic account type" and individuals who have authorized access to these shared types of accounts should be documented as such using enough information to discern the access without divulging the specific password.

CIP R5 R5.2 Account Management
Question/Comment: How did pilot participants treat the devices that do not have accounts but use separate passwords to delineate the role the user has? (substations)
Date Received: 8/13/

CIP R5 R5.5 Password Only Authentication Passwords
Question/Comment: What does the following mean? "For password only authentication for interactive user access, either technically or procedurally enforce the following password parameters:" Is this a distinction between the authentication via a jump host or 2 factor authentication? Or does it apply to access to the devices where there are no user accounts but only passwords?
Date Received: 8/15/2014
Initial Proposed Response: This requirement is not referring to "remote" interactive user access which requires a jump host, but rather interactive user access in general. The requirement phrase "password only authentication for interactive user access" is referring to those Cyber Assets where an actual account name is not used and only a password is used to allow interactive user access.

CIP R2 Part 2.3 Patching
Question/Comment: What is FRCC's expectation related to patching mitigation plans in CIP R2 Part 2.3? Do they have any recommendations on these? Will the mitigation plans fall under regular Self Certification and Audits/Spot Checks or is there another checkpoint/reporting obligation?
Date Received: 8/15/2014
Initial Proposed Response: The mitigation plans referenced by this requirement are not the same as those submitted by a Registered Entity in response to a Possible or Alleged Violation. Please refer to Guidelines and Technical Basis section of CIP item 2.3 under Requirement R2 for an explanation of these mitigation plans. FRCC's expectation will be that a Registered Entity has a clear mitigation plan addressing the mitigation of the vulnerabilities addressed by the security patch not being applied and that a timeframe to complete those mitigations is present. During any applicable monitoring method, FRCC may review these mitigation plans to determine the status of their implementation as required under Part

CIP R4 Part 4.3 and Part 4.4 Log Retention and Review
Question/Comment: For logging in CIP 007 R4.3 and 4.4, the standard is clear on log retention and review for control center environments. What is FRCC's interpretation/expectation of medium devices that we document the logging capabilities? There does not seem to be a requirement to retain or review such logs. How do you recommend that we proceed?
Date Received: 8/15/2014
Status: FRCC Reviewing
Last Updated: 12/19/2014

CIP R3 Part 3.2 CVA
Question/Comment: From the NERC V5 FAQ: 13. CIP 010 R 3.2: Active assessment: Are tools such as Nmap required for active assessments, or can entities use custom scripts (which use native OS commands) to enumerate open ports and services? What constitutes an active port scan? A: Commonly used tools such as Nmap are preferred to conduct active vulnerability assessments to ensure that the assessment is accurate and complete. Custom scripts using native OS commands could be corrupted (e.g., modified not to show all open ports). Also, entities will need to provide evidence that custom scripts have been properly designed, developed, and tested so that the results of the assessments may be validated. The intent of the active assessment is to test the Cyber Asset from the outside rather than simply having the Cyber Asset look at itself. Can you discuss or elaborate on this?
Date Received: 8/27/2014
Status: FRCC Reviewing
Last Updated: 12/19/

CIP R1 Part 1.5 Testing
Question/Comment: When rolling out a cumulative update that updates a Config Mgr client utilized by SCCM, is it sufficient to say that rolling out the same change to the corporate environment would constitute testing when it is rolled out to the NERC environment? (Similar to how we perform testing with AV signatures)
Date Received: 8/27/2014
Initial Proposed Response: CIP R1 Part states "test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required security controls in CIP 005 and CIP 007 are not adversely affected." The Registered Entity must be able to demonstrate that the "test environment" used is representative of the Production environment baseline and would properly ensure that required security controls in CIP 005 and CIP 007 are not adversely affected.

CIP R2 BES Cyber Asset Reuse and Disposal
Question/Comment: For CIP 011 R2 BES Cyber Asset Reuse or Disposal we were wondering how to deal with V3 cyber assets that will remain in production but will no longer be covered as medium impact BES CS for version 5. The standards don't address the concept of cyber assets remaining in place but moving between impact levels.
Date Received: 8/15/2014
Initial Proposed Response: Cyber Assets covered under CIP R7 that fall into the classification of a Low Impact BES Cyber System under CIP V5 would not require any action under the CIP R2 requirement. Those actions required under CIP R7 would remain required until that version of the Standard is no longer mandatory and enforceable.
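The NERC FAQ answer quoted in the CIP R3 Part 3.2 entry above contrasts testing a Cyber Asset from the outside with having the Cyber Asset look at itself. The Python below is an added example, not FRCC or NERC material, that compares the two views for one host: open TCP ports from an Nmap grepable (`-oG`) result against the listeners the host reports with `ss -tln`. Both inputs are constructed samples, 192.0.2.10 is a documentation address, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Nmap grepable (-oG) output for one host.
NMAP_GREPABLE = (
    "# constructed sample of Nmap grepable (-oG) output\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "5900/open/tcp//vnc///, 8080/closed/tcp//http-proxy///\t"
    "Ignored State: filtered (996)\n"
)

# Constructed sample of `ss -tln` output collected on the same host.
SS_TLN = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       50      0.0.0.0:8443        0.0.0.0:*
"""


def parse_nmap_open_tcp(text, host):
    """Return the set of TCP ports Nmap reported as 'open' for host."""
    open_ports = set()
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split("\t")
        if fields[0].split()[1:2] != [host]:
            continue
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/protocol/owner/service/...
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    open_ports.add(int(parts[0]))
    return open_ports


def parse_ss_listeners(text):
    """Return (network_reachable_ports, loopback_only_ports) from ss -tln."""
    reachable, loopback_only = set(), set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if not port.isdigit():
            continue
        bare = addr.strip("[]").split("%")[0]   # drop brackets and %iface
        try:
            is_loopback = ipaddress.ip_address(bare).is_loopback
        except ValueError:
            is_loopback = False                 # wildcard form such as "*"
        (loopback_only if is_loopback else reachable).add(int(port))
    return reachable, loopback_only - reachable


def cross_check(nmap_text, ss_text, host):
    """Compare the outside view of a host with the host's own report."""
    outside = parse_nmap_open_tcp(nmap_text, host)
    reachable, loopback_only = parse_ss_listeners(ss_text)
    return {
        # Seen from outside and reported by the host: the two views agree.
        "confirmed": sorted(outside & reachable),
        # Open from outside but absent from the self-report: the self-report
        # is incomplete or has been altered, which is the FAQ's concern.
        "outside_only": sorted(outside - reachable),
        # Reported by the host but not open from the scanner's position,
        # for example filtered in between, or the scan was incomplete.
        "self_reported_only": sorted(reachable - outside),
        # Bound to loopback only, so not expected in an outside scan.
        "loopback_only": sorted(loopback_only),
    }


if __name__ == "__main__":
    for name, ports in cross_check(NMAP_GREPABLE, SS_TLN, "192.0.2.10").items():
        print(f"{name}: {ports}")
```

Any entry under `outside_only` is the case a self-assessment script cannot surface by itself, and keeping both raw outputs alongside the comparison gives an auditor the evidence needed to validate the result.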

Question # [Figure: network diagram. Labels recoverable from the diagram: SITE A; SITE B; Non-routable; Layer2 SW; Unidirectional SPAN of all traffic; Unidirectional RSPAN of all traffic to VLAN 1000; Corporate Intranet (Encrypted); Layer3 SW VLAN 1000; Firewall with Antivirus / IPS / Anti-Malware; Logging / SIEM security; Main Data Center Site. Layered defense: deny rule on firewall interface denying IP any to any back to non routable sites.]

Could this solution meet the requirements for the following NERC standard below? CIP (R-1.5), CIP (R-3.1), CIP (R-3.2), CIP (R-3.3), CIP (R-4.1), CIP (R-4.2), CIP (R-4.1)

As a bonus could this solution mitigate the following CIP standards? CIP (R-2.1), CIP (R-2.2), CIP (R-2.3)

Question # [Figure: diagram labelled "Medium Impact Asset" and "High Impact control center"]

EXAMPLE 1: An Entity believes that the communication depicted in the example above is NOT External Routable Communications with the substation.

Connection Details: The example above shows communications starting in the right square when an engineer initiates communications with a device in the substation (like the Schweitzer in the left square). An IP address (the IP address of the DS2000 at the control center for that substation) and a serial address (ex: :5510) initiates the communications. When the communications arrive at the DS2000 at the control center the IP is removed from the communications. The IP portion of the communications does not leave the control center. Exiting the DS2000 (at the control center) is serial communication carried over Ethernet or Frame (layer 2) to a DS1500 in the substation that sends the serial communications to the device identified as The DS1500 is the entry point into the substation. NO IP leaves the control center and NO IP enters or exits the substation environment.

Evidence: In the Guideline and Technical Basis document for CIP005 R1 5 it states "If there is routable connectivity across the ESP into any Cyber Asset, then an Electronic Access Point (EAP) must control traffic into and out of the ESP." In the NERC document Identifying Critical Cyber Assets, page 35 example drawing 3 and page 38 example drawing 6 enforce these examples. Can these guidance documents be updated to reflect the new Glossary Terms?


More information

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Draft Version: August 18, 2015

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Draft Version: August 18, 2015 Lesson Learned CIP Version 5 Transition Program CIP-002-5.1: Communications and Networking Cyber Assets Draft Version: August 18, 2015 This document is designed to convey lessons learned from NERC s various

More information

Standard Development Timeline

Standard Development Timeline CIP-002-6 Cyber Security BES Cyber System Categorization Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the

More information

CIP Cyber Security Security Management Controls

CIP Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-6 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-6 3. Purpose: To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical

More information

Lesson Learned CIP Version 5 Transition Program

Lesson Learned CIP Version 5 Transition Program Lesson Learned CIP Version 5 Transition Program CIP-002-5: BES Cyber Assets Version: December 7, 2015 This document is designed to convey lessons learned from NERC s various CIP version 5 transition activities.

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-1 3. Purpose: Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-6 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Draft CIP Standards Version 5

Draft CIP Standards Version 5 Draft CIP Standards Version 5 Technical Webinar Part 1 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 15, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC Standard Requirement Requirement Text Measures ConsoleWorks

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-002-5.1 Cyber Security BES Cyber System Categorization This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

requirements in a NERC or Regional Reliability Standard.

requirements in a NERC or Regional Reliability Standard. CIP 002 5.1 Cyber Security BES Cyber System Categorization A. Introduction 1. Title: Cyber Security BES Cyber System Categorization 2. Number: CIP 002 5.1 3. Purpose: To identify and categorize BES Cyber

More information

Compliance Exception and Self-Logging Report Q4 2014

Compliance Exception and Self-Logging Report Q4 2014 Agenda Item 5 Board of Trustees Compliance Committee Open Session February 11, 2015 Compliance Exception and Self-Logging Report Q4 2014 Action Information Introduction Beginning in November 2013, NERC

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-012-1 Cyber Security Communications between Control Centers This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity:

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-1 3. Purpose: Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Project Modifications to CIP Standards

Project Modifications to CIP Standards Project 2016-02 Modifications to CIP Standards Virtualization and other Technology Innovations Presenters Jay Cribb, Southern Company Steve Brain, Dominion Energy Forrest Krigbaum, Bonneville Power Administration

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-5 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: March 2, 2014

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: March 2, 2014 Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 R1: Grouping BES Cyber Assets Version: March 2, 2014 This document is designed to convey lessons learned from NERC s various CIP version 5 transition

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System Application description 04/2017 NERC CIP Compliance Matrix of RUGGEDCOM RUGGEDCOM https://support.industry.siemens.com/cs/ww/en/view/109747098 Warranty and Liability Warranty and Liability Note The Application

More information

CIP Cyber Security Information Protection

CIP Cyber Security Information Protection A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-2 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document CIP-002-4 Cyber Security Critical Cyber Asset Identification Rationale and Implementation Reference Document NERC Cyber Security Standards Drafting Team for Order 706 December 2010 This document provides

More information

requirements in a NERC or Regional Reliability Standard.

requirements in a NERC or Regional Reliability Standard. A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP 011 1 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

Cyber Security Standards Drafting Team Update

Cyber Security Standards Drafting Team Update Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

CIP Technical Workshop

CIP Technical Workshop CIP Technical Workshop Scott R, Mix, CISSP, NERC CIP Technical Manager Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist Tobias R. Whitney, Manager, CIP Compliance March 4, 2014 Agenda Welcome

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA Project 2016-02 Modifications to CIP Standards Technical Conference April 19, 2016 Atlanta, GA Agenda Welcome Steven Noess NERC Antitrust Compliance Guidelines and Public Announcement* - Al McMeekin Logistics

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

DRAFT. Standard 1300 Cyber Security

DRAFT. Standard 1300 Cyber Security These definitions will be posted and balloted along with the standard, but will not be restated in the standard. Instead, they will be included in a separate glossary of terms relevant to all standards

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014 02 CIP Version 5 Revisions replaces

More information

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Virtualization in the CIP Environment Do not use this form for submitting comments. Use the electronic form to submit comments on

More information

Standard Development Timeline

Standard Development Timeline CIP 003 7 Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard

More information

Lesson Learned CIP Version 5 Transition Program

Lesson Learned CIP Version 5 Transition Program Lesson Learned CIP Version 5 Transition Program CIP-002-5: BES Cyber Assets Version: September 9, 2015 This document is designed to convey lessons learned from NERC s various CIP version 5 transition activities.

More information

Low Impact Generation CIP Compliance. Ryan Walter

Low Impact Generation CIP Compliance. Ryan Walter Low Impact Generation CIP Compliance Ryan Walter Agenda Entity Overview NERC CIP Introduction CIP-002-5.1, Asset Classification What Should Already be Done CIP-003-7, Low Impact Requirements Tri-State

More information

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces

More information

Standard CIP-006-1a Cyber Security Physical Security

Standard CIP-006-1a Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-1a 3. Purpose: Standard CIP-006 is intended to ensure the implementation of a physical security program

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Wksheet 1 CIP-005-6 Cyber Security Electronic Security Perimeter(s) This section to be completed by the Compliance Enfcement Authity. Audit ID: Registered Entity: NCR Number:

More information

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities This Implementation Plan applies to Cyber Security Standards CIP-002-2 through CIP-009-2 and CIP-002-3 through

More information

Frequently Asked Questions November 25, 2014 CIP Version 5 Standards

Frequently Asked Questions November 25, 2014 CIP Version 5 Standards Frequently Asked Questions November 25, 2014 CIP Version 5 Standards This document provides answers to questions asked by entities as they transition to the CIP Version 5 Standards. The questions are listed

More information