NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating System


Application description 03/2017
NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating System
RUGGEDCOM ROX II

Warranty and Liability

Note
The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit

Entry-ID: , 1.0, 03/2017

Table of Contents

Warranty and Liability
Overview
CIP-005-5: Cyber Security Electronic Security Perimeter(s)
CIP-007-6: Cyber Security Systems Security Management
CIP-010-2: Cyber Security Configuration Change Management and Vulnerability
References
Glossary of Terms
Related Literature
History

1 Overview

NOTICE
The content of this document will review how the RUGGEDCOM ROX II operating system can assist in complying with NERC CIP version 5 and version 6 requirements. Fully complying with and meeting NERC CIP requirements requires a program that includes a combination of tools, documentation, process and training. The RUGGEDCOM ROX II operating system can be one of the tools used to help address some of these requirements. If there are any questions or concerns in meeting any of the NERC CIP requirements, it is recommended that you contact your regional NERC Auditor.

This document describes how the RUGGEDCOM ROX II operating system supports the latest security requirements specified by NERC CIP.

On January 21st 2016, FERC issued Order 822 approving version 6 of the NERC standards, involving revisions to seven NERC Critical Infrastructure Protection Standards and six new or modified terms. On February 25, 2016, FERC granted the motion requesting an extension of time for the implementation of the V5 requirements to match the V6 standards, which generally went into effect on July 1, 2016, with the Low Impact and Transient Devices requirements going into effect on April 1,

More information is available at North American Electric Reliability Corporation website:

The RUGGEDCOM Ethernet Switches/Routers are high port density Layer 2/Layer 3 Ethernet routing and switching platforms designed to operate in harsh environments. This product family can withstand high levels of electromagnetic interference, radio frequency interference and a wide temperature range of -40 °C to +85 °C. These devices are designed to meet the challenging climatic and environmental demands found in utility, industrial and military network applications. RUGGEDCOM ROX II is the latest operating system that applies to RX1400, RX1500 and RX5000 Series Multi-Service Platform products, providing reliability and performance when it's needed the most.

The cyber security and networking features make them ideally suited for creating secure Ethernet networks for mission critical, real-time, control applications in harsh environments.

The following pages describe the most product-relevant NERC CIP standards and requirements from CIP v5 and v6, and outline how the RUGGEDCOM ROX II operating system can be used as part of a CIP program to address certain requirements. More product information can be found in the Siemens RUGGEDCOM online manuals, which contain specific security recommendations and considerations.

A few NERC CIP requirements, listed below, are process and/or documentation focused. They are not directly applicable to Siemens products and are therefore not detailed in this document. However, they should also be taken into consideration during system design, service and operations.

Table 1-1

Standard    Title
CIP         BES Cyber System Categorization
CIP         Security Management Controls
CIP         Personnel & Training
CIP         Physical Security of BES Cyber Systems
CIP         Incident Reporting and Response Planning
CIP         Recovery Plans for BES Cyber Systems
CIP         Information Protection
CIP         Physical Security

2 CIP-005-5: Cyber Security Electronic Security Perimeter(s)

Purpose
To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in Table 2-1: Table R1 Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].

M1: Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 2-1: Table R1 Electronic Security Perimeter and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 2-1: Table R1 Electronic Security Perimeter

Part 1.1
Applicable Systems: High Impact BES PCA PCA
Requirement: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
Measures: ... limited to, a list of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP.

Part 1.2
Applicable Systems:
  High Impact BES Cyber Systems with External Routable Connectivity and their associated: PCA
  Cyber Systems with External Routable Connectivity and their associated: PCA
Requirement: All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
Measures: ... limited to, network diagrams showing all external routable communication paths and the identified EAPs.

Part 1.3
Applicable Systems:
  Electronic Access Points for High Impact BES Cyber Systems
  Electronic Access Points for Medium Impact BES Cyber Systems
Requirement: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
Measures: ... limited to, a list of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason.

ROX II support: ROX II products can be defined for EAP/ESP management through techniques for the system security designs and enhance the level of security for the operation of the entire system; it can be enforced with firewall, password and/or other means. For instance, a port on ROX devices can be designated as the EAP interface to satisfy requirement R1.2. Beyond helping to control access, the ROX Shorewall firewall can be used to meet the specific requirement R1.3.

Part 1.4
Applicable Systems:
  High Impact BES Cyber Systems with Dial-up Connectivity and PCA
  Cyber Systems with Dial-up Connectivity and PCA
Requirement: Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
Measures: ... limited to, a documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection.
ROX II support: Not supported in ROX II.

Part 1.5
Applicable Systems:
  Electronic Access Points for High Impact BES Cyber Systems
  Electronic Access Points for Medium Impact BES Cyber Systems at Control Centers
Requirement: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
Measures: ... limited to, documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented.
ROX II support: ROX II does not provide embedded anti-virus or malware protection software, but it does include an internal firewall that can be enabled for increased protection from attacks from the network.

R2: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in Table 2-2: Table R2 Interactive Remote Access Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].

M2: Evidence must include the documented processes that collectively address each of the applicable requirement parts in Table 2-2: Table R2 Interactive Remote Access Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 2-2: Table R2 Interactive Remote Access Management

Part 2.1
Applicable Systems:
  High Impact BES PCA
  Cyber Systems with External Routable Connectivity and their associated: PCA
Requirement: Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
Measures: ... limited to, network diagrams or architecture documents.
ROX II support: ROX II can be accessed via an intermediate system via standard CLI scripted commands.

Part 2.2
Applicable Systems:
  High Impact BES PCA
  Cyber Systems with External Routable Connectivity and their associated: PCA
Requirement: For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
Measures: ... limited to, architecture documents detailing where encryption initiates and terminates.
ROX II support: Remote access to ROX II is implemented via encrypted communications (SSH/SFTP, HTTPS/SSL/TLS, RADIUS, IPSec, SNMPv3). Passwords are salted and hashed, and the keys are stored encrypted.

Part 2.3
Applicable Systems:
  High Impact BES PCA
  Cyber Systems with External Routable Connectivity and their associated: PCA
Requirement: Require multi-factor authentication for all Interactive Remote Access sessions.
Measures: ... limited to, architecture documents detailing the authentication factors used. ... authenticators may ... limited to,
- Something the individual knows such as passwords or PINs. This does not include User ID;
- Something the individual has such as tokens, digital certificates, or smart cards; or
- Something the individual is such as fingerprints, iris scans, or other biometric characteristics.
ROX II support: ROX II can provide strong single-factor authentication on the device; multi-factor authentication can be supported via an external RADIUS server for login.

3 CIP-007-6: Cyber Security Systems Security Management

Purpose
To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

R1: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-1: Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations.]

M1: Evidence must include the documented processes that collectively include each of the applicable requirement parts in Table 3-1: Ports and Services and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-1: Ports and Services

Part 1.1
Applicable Systems: High Impact BES Cyber Systems with External Routable Connectivity and their associated:
Requirement: Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.
Measures: ... evidence may include, but are not limited to:
- Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.
- Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or
- Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others.
ROX II support: Logical accessible ports in ROX II devices can be disabled as needed.

Part 1.2
Applicable Systems:
  High Impact BES 1. PCA; and 2. Nonprogrammable communication components located inside both a PSP and an ESP.
  Cyber Systems at Control Centers and 1. PCA; and 2. Nonprogrammable communication components located inside both a PSP and an ESP.
Requirement: Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
Measures: ... limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.
ROX II support: ROX II supports administration, maintenance and configuration through a serial console port, which is protected by strong authentication. Multiple failed login attempts will be logged on the system, security events will be logged, and the IP address will be logged after a number of incorrect login attempts. The user documentation details all ports on the device, including access possibilities. Physical ports can be disabled as needed.

R2: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-2: Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M2: Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 3-2: Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-2: Security Patch Management

Part 2.1
Applicable Systems: High Impact BES
Requirement: A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
Measures: ... limited to, documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis.
ROX II support: For RUGGEDCOM switches/routers based on ROX II, firmware can be reloaded and updated individually, which ensures the patchability of the system. During a firmware update, the device is fully operational. A reboot is required to activate the new firmware version on the alternate partition. The period of non-operability is limited to the boot time. If an interruption of normal operations is unacceptable, the use of redundant systems can ensure uninterrupted operation.

Part 2.2
Applicable Systems: High Impact BES
Requirement: At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
Measures: ... limited to, an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days.
ROX II support: For RUGGEDCOM switches/routers based on ROX II, Siemens has a patch management process in place that documents all firmware releases, feature enhancements, and bug fixes in a traceable manner. Updates are made available by Siemens free of charge. The corresponding installation is usually performed by the system operator or the service technician responsible for system maintenance.

Part 2.3
Applicable Systems: High Impact BES
Requirement: For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
Measures: ... limited to:
- Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber Component software revision, or registry exports that show software has been installed); or
- A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.
ROX II support: n/a (Process/documentation requirement)

Part 2.4
Applicable Systems: High Impact BES 2. PACS;
Requirement: For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
Measures: ... limited to, records of implementation of mitigations.

R3: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-3: Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations].

M3: Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in Table 3-3: Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-3: Malicious Code Prevention

Part 3.1
Applicable Systems: High Impact BES 2. PACS;
Requirement: Deploy method(s) to deter, detect, or prevent malicious code.
Measures: ... limited to, records of the Responsible Entity's performance of these processes (e.g., through traditional antivirus, system hardening, policies, etc.).
ROX II support: The ROX II packages are cryptographically signed to ensure authenticity based on a variety of available cryptographic standards/key lengths. Binary files are not signed at this time.

Part 3.2
Applicable Systems: High Impact BES 2. PACS;
Requirement: Mitigate the threat of detected malicious code.
Measures: ... limited to:
- Records of response processes for malicious code detection
- Records of the performance of these processes when malicious code is detected.

Part 3.3
Applicable Systems: High Impact BES 2. PACS;
Requirement: For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.
Measures: ... limited to, documentation showing the process used for the update of signatures or patterns.
ROX II support: n/a (Process/documentation requirement)

R4: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-4: Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment.]

M4: Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in Table 3-4: Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-4: Security Event Monitoring

Part 4.1
Applicable Systems: High Impact BES 2. PACS;
Requirement: Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
- Detected successful login attempts;
- Detected failed access attempts and failed login attempts;
- Detected malicious code.
Measures: ... limited to, a paper or system generated listing of event types for which the BES Cyber System is capable of detecting and, for generated events, is configured to log. This listing must include the required types of events.
ROX II support: Security-relevant actions, events and errors are logged, including both successful and failed login attempts. The IP address will be blocked after a number of unsuccessful attempts. Most logs allow some level of configuration and customization.

Part 4.2
Applicable Systems: High Impact BES Cyber Systems with External Routable Connectivity and
Requirement: Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
- Detected malicious code from Part 4.1; and
- Detected failure of Part 4.1 event logging.
Measures: ... limited to, paper or system generated listing of security events that the Responsible Entity determined necessitate alerts, including paper or system generated list showing how alerts are configured.
ROX II support: Not a ROX II function.

Part 4.3
Applicable Systems: High Impact BES Cyber Systems at Control Centers and
Requirement: Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Measures: ... limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.
ROX II support: See ROX II support in Part 4.1 compliance response. Logs can be exported to Remote Syslog for retention.

Part 4.4
Applicable Systems: High Impact BES and 2. PCA
Requirement: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Measures: ... limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.
ROX II support: n/a (Process/documentation requirement)

R5: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-5: Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M5: Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 3-5: Access Controls and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-5: Access Control

Part 5.1
Applicable Systems:
  High Impact BES Cyber Systems at Control Centers and
  Cyber Systems with External Routable Connectivity and
Requirement: Have a method(s) to enforce authentication of interactive user access, where technically feasible.
Measures: ... limited to, documentation describing how access is authenticated.
ROX II support: Users must be authenticated to perform actions on the system. Users are identified and authenticated with a personal account. Authentication is either ROX II based or via RADIUS server. Strong passwords are supported.

Part 5.2
Applicable Systems: High Impact BES
Requirement: Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).
Measures: ... limited to, a listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System.
ROX II support: n/a (Process/documentation requirement)

Part 5.3
Applicable Systems: High Impact BES Cyber Systems with External Routable Connectivity and
Requirement: Identify individuals who have authorized access to shared accounts.
Measures: ... limited to, listing of shared accounts and the individuals who have authorized access to each shared account.

Part 5.4
Applicable Systems: High Impact BES
Requirement: Change known default passwords, per Cyber Asset capability
Measures: ... limited to:
- Records of a procedure that passwords are changed when new devices are in production; or
- Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.

Part 5.5
Applicable Systems: High Impact BES
Requirement: For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
- Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
- Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, nonalphanumeric) or the maximum complexity supported by the Cyber Asset.
Measures: ... limited to:
- generated reports or screen-shots of the system enforced password parameters, including length and complexity; or
- Attestations that include a reference to the documented procedures that were followed.
ROX II support: Authentication is either ROX II based or via RADIUS server. Password complexity rules are configurable in ROX II.

Part 5.6
Applicable Systems: High Impact BES Cyber Systems with External Routable Connectivity and and 2. PACS
Requirement: Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
Measures: ... limited to:
- generated reports or screen-shots of the system enforced periodicity of changing passwords; or
- Attestations that include a reference to the documented procedures that were followed.
ROX II support: This is a process/documentation requirement; ROX II supports password changes.

Part 5.7
Applicable Systems: High Impact BES Cyber Systems at Control Centers and
Requirement: Where technically feasible, either:
- Limit the number of unsuccessful authentication attempts; or
- Generate alerts after a threshold of unsuccessful authentication attempts.
Measures: ... limited to:
- Documentation of the account lockout parameters; or
- Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts.
ROX II support: ROX II provides brute force attack prevention.
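The Measures for CIP-007-6 R1, Part 1.1 pair a listing of listening ports (for example from netstat) with documentation of the need for each enabled port. The following added example, which is not part of the Siemens document, reconciles the two; the netstat sample and the need register (including its port numbers and reasons) are constructed, and sockets bound only to loopback are reported separately because they are not network accessible.

```python
import ipaddress

# Constructed sample of `netstat -tuln` style output; not captured from a device.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::23                   :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Hypothetical register of documented need: (protocol, port) -> reason.
DOCUMENTED_NEED = {
    ("tcp", 22): "SSH administration",
    ("tcp", 443): "HTTPS web user interface",
    ("udp", 161): "SNMPv3 polling by the network management system",
    ("tcp", 830): "NETCONF configuration management",
}


def parse_listeners(netstat_text):
    """Return a set of (proto, port, loopback_only) for listening sockets."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # column header or unrelated line
        proto = fields[0].rstrip("6")  # fold tcp6/udp6 into tcp/udp
        if proto == "tcp" and fields[-1] != "LISTEN":
            continue  # established sessions are not listeners
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # e.g. "*" wildcard: treat as reachable
        listeners.add((proto, int(port), loopback))
    return listeners


def audit_ports(netstat_text, documented_need):
    """Reconcile listening ports against the documented-need register."""
    listeners = parse_listeners(netstat_text)
    needed = set(documented_need)
    # A port is network accessible if any binding is not loopback-only.
    reachable = {(p, n) for p, n, lo in listeners if not lo}
    local_only = {(p, n) for p, n, lo in listeners if lo} - reachable
    return {
        "documented": sorted(reachable & needed),
        "undocumented": sorted(reachable - needed),    # open without a recorded need
        "not_listening": sorted(needed - reachable),   # stale register entries
        "local_only": sorted(local_only),
    }


if __name__ == "__main__":
    for category, ports in audit_ports(SAMPLE_NETSTAT, DOCUMENTED_NEED).items():
        print(f"{category}: {ports}")
```

Ports reported as undocumented either need a recorded reason or should be disabled; entries reported as not listening indicate that the register no longer matches the device.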

4 CIP-010-2: Cyber Security Configuration Change Management and Vulnerability

Purpose
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

R1: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 4-1: Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M1: Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 4-1: Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 4-1: Configuration Change Management

Part 1.1
Applicable Systems: High Impact BES
Requirement: Develop a baseline configuration, individually or by group, which shall include the following items:
- Operating system(s) (including version) or firmware where no independent operating system exists;
- Any commercially available or open-source application software (including version) intentionally installed;
- Any custom software installed;
- Any logical network accessible ports; and
- Any security patches applied.
Measures: ... limited to:
- A spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; or
- A record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group.
ROX II support: The information required to comply is viewable from either the ROX II user interface or RUGGEDCOM NMS.

Part 1.2
Applicable Systems: High Impact BES
Requirement: Authorize and document changes that deviate from the existing baseline configuration.
Measures: ... limited to:
- A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or
- Documentation that the change was performed in accordance with.
ROX II support: n/a (Process/documentation requirement)

Part 1.3
Applicable Systems: High Impact BES
Requirement: For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.
Measures: ... limited to, updated baseline documentation with a date that is within 30 calendar days of the date of the completion of the change.

Part 1.4
Applicable Systems: High Impact BES
Requirement: For a change that deviates from the existing baseline configuration:
- Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
- Following the change, verify that required cyber security controls determined in are not adversely affected; and
- Document the results of the verification.
Measures: ... limited to, a list of cyber security controls verified or tested along with the dated test results.

Part 1.5
Applicable Systems: High Impact BES Cyber Systems
Requirement: Where technically feasible, for each change that deviates from the existing baseline configuration:
- Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
- Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Measures: ... limited to, a list of cyber security controls tested along with successful test results and a list of differences between the production and test environments with descriptions of how any differences were accounted for, including of the date of the test.

R2: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 4-2: Configuration Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M2: Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 4-2: Configuration Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 4-2: Configuration Monitoring

Part 2.1
Applicable Systems: High Impact BES and 2. PCA
Requirement: Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
Measures: ... limited to, logs from a system that is monitoring the configuration along with records of investigation for any unauthorized changes that were detected.
ROX II support: The ROX II configuration can be downloaded and compared to baseline as required.

23 4 CIP-010-2: Cyber Security Configuration Change Management and Vulnerability R3 M3 Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP Table R3. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP Table R3. Table 4-3: Vulnerability Assessments Part Applicable s Requirement Measures 3.1 High Impact BES Cyber s and At least once every 15 calendar months, conduct a paper or active vulnerability assessment. limited to: A document listing the date of the assessment (performed at least once every 15 calendar months), the controls assessed for each BES Cyber along with the method of assessment; or A document listing the date of the assessment and the output of any tools used to perform the assessment. n/a ( Process/documentation requirement) 3.2 High Impact BES Cyber s Where technically feasible, at least once every 36 calendar months: Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment limited to, a document listing the date of the assessment (performed at least once every 36 calendar months), the output of the Entry-ID: , 1.0, 03/

24 4 CIP-010-2: Cyber Security Configuration Change Management and Vulnerability Part Applicable s Requirement Measures 3.3 High Impact BES and 2. PCA 3.4 High Impact BES in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber in a production environment; and Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration of the previous or other existing Cyber Asset. Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate tools used to perform the assessment, and a list of differences between the production and test environments with descriptions of how any differences were accounted for in conducting the assessment. limited to, a document listing the date of the assessment (performed prior to the commissioning of the new Cyber Asset) and the output of any tools used to perform the assessment. limited to, a document listing the results or the review or assessment, a list Entry-ID: , 1.0, 03/

25 4 CIP-010-2: Cyber Security Configuration Change Management and Vulnerability Part Applicable s Requirement Measures Cyber s and vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action items. of action items, documented proposed dates of completion for the action plan, and records of the status of the action items (such as minutes of a status meeting, updates in a work order system, or a spreadsheet tracking the action items). R4 Each Responsible Entity, for its high impact and medium impact BES Cyber s and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media. M4 Evidence shall include each of the documented plan(s) for Transient Cyber Assets and Removable Media that collectively include each of the applicable sections in Attachment and additional evidence to demonstrate implementation of plan(s) for Transient Cyber Assets and Removable Media. Additional examples of evidence per section are located in Attachment. If a Responsible Entity does not use Transient Cyber Asset(s) or Removable Media, examples of evidence include, but are not limited to, a statement, policy, or other document that states the Responsible Entity does not use Transient Cyber Asset(s) or Removable Media. Table 4-4 Part Requirement address or support ALL ALL n/a (Process/documentation requirement) Entry-ID: , 1.0, 03/

26 5 References

RUGGEDCOM ROX II User Guide
NERC CIP version 5 and version 6 requirements (

6 Glossary of Terms

BES: Bulk Electric System
CCA: Critical Cyber Asset
CIP: Critical Infrastructure Protection
EAMCS: Electronic Access Control or Monitoring Systems
EAP: Electronic Access Point
ESP: Electronic Security Perimeter
LEAP: Low Impact BES Cyber System Electronic Access Point
LERC: Low Impact External Routable Connectivity
NERC: North American Electric Reliability Corporation
OS: Operating System
PACS: Physical Access Control Systems
PCA: Protected Cyber Asset

27 7 Related Literature

Table 7-1 (columns: Topic, Title / Link)
\1\ Siemens Industry Online Support
\2\ Download page of this entry

History

Table 8-1
Version: V1.0
Date: 03/2017
Modifications: First version


More information

X-Tools configuration to connect with OPC servers and clients

X-Tools configuration to connect with OPC servers and clients Application description 6/2016 X-Tools configuration to connect with OPC servers and clients CMS X-Tools / V 04.03 https://support.industry.siemens.com/cs/ww/en/view/item_number Warranty and liability

More information

Connection of SIMATIC Energy Suite to SIMATIC Energy Manager PRO and subsequent Reporting SIMATIC Energy Manager PRO V7.0, SIMATIC Energy Suite V14 SP1 https://support.industry.siemens.com/cs/ww/en/view/109744400

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

Cover. WinAC Command. User documentation. V1.5 November Applikationen & Tools. Answers for industry.

Cover. WinAC Command. User documentation. V1.5 November Applikationen & Tools. Answers for industry. Cover WinAC Command User documentation V1.5 November 2009 Applikationen & Tools Answers for industry. Industry Automation and Drives Technologies Service & Support Portal This article is taken from the

More information

Line Contactor Control using the ON/OFF1 Command for SINAMICS G120

Line Contactor Control using the ON/OFF1 Command for SINAMICS G120 Application description 01/2014 Line Contactor Control using the ON/OFF1 Command for SNAMCS G120 SNAMCS G120 with firmware V4.4 and higher http://support.automation.siemens.com/ww/view/en/62883732 Warranty

More information

Key Panel Library / TIA Portal

Key Panel Library / TIA Portal Application Example 06/2015 Key Panel Library / TIA Portal Configuration Manual https://support.industry.siemens.com/cs/ww/en/63482149 Warranty and Liability Warranty and Liability Note The application

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Light control with LOGO! and HMI Panel Application example 07/2017 https://support.industry.siemens.com/cs/ww/en/view/109747758 Siemens Industry Online Support Warranty and liability Warranty and liability

More information

SIMATIC PCS 7 Minimal Configuration

SIMATIC PCS 7 Minimal Configuration Application description 05/2015 SIMATIC PCS 7 Minimal Configuration SIMATIC PCS 7 V8.1 https://support.industry.siemens.com/cs/ww/en/view/24023824 Warranty and liability Warranty and liability Note The

More information

Function Block for Monitoring 24V Load Circuits SITOP PSE200U, STEP 7 V5.5 https://support.industry.siemens.com/cs/ww/en/view/61450284 Siemens Industry Online Support Warranty and Liability Warranty and

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Runtime Measurement using SIMATIC S7-1500 Profiling V1.0.2 https://support.industry.siemens.com/cs/ww/en/view/109750245 Siemens Industry Online Support Siemens AG 2017 All rights reserved Warranty and

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Guideline for Library Handling in TIA Portal TIA Portal V14 SP1 https://support.industry.siemens.com/cs/ww/en/view/109747503 Siemens Industry Online Support Siemens AG 2017 All rights reserved Warranty

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ NAT Variants with the SCALANCE S615 SCALANCE S615 https://support.industry.siemens.com/cs/ww/en/view/109744660 Siemens Industry Online Support Siemens AG Valuable Information All rights reserved Warranty

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

Setting up a secure VPN Connection between a Tablet (ios), SCALANCE S615 and SINEMA Remote Connect Server. SINEMA Remote Connect, SCALANCE S615

Setting up a secure VPN Connection between a Tablet (ios), SCALANCE S615 and SINEMA Remote Connect Server. SINEMA Remote Connect, SCALANCE S615 Configuration Example 09/2015 Setting up a secure VPN Connection between a Tablet (ios), SCALANCE S615 and SINEMA Remote Connect Server SINEMA Remote Connect, SCALANCE S615 https://support.industry.siemens.com/cs/ww/en/view/109479578

More information

Plant Data Interface for the Food & Beverage Industry in SIMATIC PCS 7. Interface description based on Weihenstephan Standards

Plant Data Interface for the Food & Beverage Industry in SIMATIC PCS 7. Interface description based on Weihenstephan Standards Application example 05/2016 Plant Data Interface for the Food & Beverage Industry in SIMATIC PCS 7 Interface description based on Weihenstephan Standards https://support.industry.siemens.com/cs/ww/en/view/109483798

More information

Universal Parameter Server

Universal Parameter Server Library Description 10/2015 Universal Parameter Server SIMATIC S7-1500 https://support.industry.siemens.com/cs/ww/en/view/45841087 Warranty and Liability Warranty and Liability Note The Application Examples

More information

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address SCALANCE S, SCALANCE M http://support.automation.siemens.com/ww/view/en/99681595

More information

Applikationen & Tools. Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W. Application Description July 2009

Applikationen & Tools. Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W. Application Description July 2009 Cover Sheet Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W Application Description July 2009 Applikationen & Tools Answers for industry. Warranty, Liability and

More information

Setting up a secure VPN Connection between SCALANCE M-800 and SSC

Setting up a secure VPN Connection between SCALANCE M-800 and SSC Configuration Example 12/2015 Setting up a secure VPN Connection between SCALANCE M-800 and SSC SCALANCE S615, SCALANCE M-800, SOFTNET Security Client https://support.industry.siemens.com/cs/ww/de/view/109481101

More information

1. SAR posted for comment (March 20, 2008). 2. SC authorized moving the SAR forward to standard development (July 10, 2008).

1. SAR posted for comment (March 20, 2008). 2. SC authorized moving the SAR forward to standard development (July 10, 2008). Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-5 3. Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in

More information