CIP Information Protection

Size: px

Start display at page:

Download "CIP Information Protection"

Noah Jefferson
6 years ago
Views:

1 CIP Information Protection Wayne Lewis 3/25/15 3/25/2015 1

2 Information Protection CIP Purpose To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. 3/25/2015 2

3 Information Protection Table R1 (except PCAs) BES Cyber System Information (BES CSI) - Information about BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. - Does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, e.g., device names, individual IP addresses without context, ESP names, or policy statements. - BES CSI examples - security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems not publicly available and could be used to allow unauthorized access or unauthorized distribution - Also may include collections of network addresses and network topology of the BES Cyber System. - Doesn t include publicly available information. - Paper or Electronic information 3/25/2015 3

4 Information Protection Table R1 (except PCAs) Part 1.1 Method(s) to identify information that meets the definition of BES Cyber System Information. - Documented method to identify BES Cyber System Information from entity s information protection program - Consider impact of third party providers. - Does not mandate one specific type of arrangement - Removed the CIP-003-3a R4.3 requirement to assess information protection program and have an action plan to remediate deficiencies. 3/25/2015 4

5 Information Protection Table R1 (except PCAs) Part 1.2 Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use. - Procedures for protecting and securely handling, which include topics such as storage, security during transit, and use of BES Cyber System Information - Includes information stored on Transient Cyber Assets and Removable Media 3/25/2015 5

6 BES Cyber Asset Reuse and Disposal Table R2 Part 2.1 Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the Applicable Systems column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media. - Take action to prevent unauthorized retrieval of information (see NIST SP800-88) instead of CIP R7.2 erase. - Except for reuse within other Applicable Systems - Maintain documentation that identifies the custodian for the data storage media while the data storage media is outside of the PSP. - Includes Transient Cyber Assets and Removable Media. - Evidence such as tracking records of actions, e.g., clearing, purging, destroying, or encrypting, retaining in the PSP. 3/25/2015 6

7 BES Cyber Asset Reuse and Disposal Table R2 Part 2.2 Prior to the disposal of applicable Cyber Assets that contain BES Cyber System Information, the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset or destroy the data storage media. - Take action to prevent unauthorized retrieval of information (see NIST SP800-88) instead of CIP R7.1 destroy or erase. - Maintain documentation that identifies the custodian for the data storage media while the data storage media is outside of the PSP. - Includes Transient Cyber Assets and Removable Media. - Evidence such as tracking records of disposal actions, e.g., destruction actions. - Suggested measures listed reverse paragraph 81 deletion of CIP- 007 R7.3. 3/25/2015 7

8 Information Protection Table R2 FAQ - BES Cyber Asset in medium facility in the field. If the device breaks and has to be sent to a vendor, what does an entity need to do to ensure the integrity of the information on that device is protected as required by the standard? - CIP-011 does not explicitly address the case where a device must be sent to a vendor. - Presuming that the device is being sent to the vendor for repair and eventual redeployment, not disposal, the responsible entity would have to comply with the requirements of R2.1, which address the reuse of Cyber Assets. - If the device is not released for reuse or is not being disposed, the entity should either retain or wipe the BES Cyber System Information or obtain the necessary agreements with the vendor to secure BES Cyber System Information. 3/25/2015 8

9 Questions 3/25/2015 9

CIP CIP 101. Ben Christensen Senior Compliance Risk Analyst, Cyber Security

CIP CIP 101. Ben Christensen Senior Compliance Risk Analyst, Cyber Security CIP- 011-1 CIP 101 Ben Christensen Senior Compliance Risk Analyst, Cyber Security 2 Agenda Help enaaes understand and prepare for the upcoming CIP 011-1 standard Differences and relaaons to current requirements