Implementation Plan for Version 5 CIP Cyber Security Standards

September 17, 2012

Note: On September 17, 2012, NERC was alerted that some references in the Initial Performance of Certain Periodic Requirements section were incorrectly synchronized to certain changes that occurred in the standards since draft 2. This revised draft corrects the reference from CIP-007-5, Requirement R4, Part 4.5 to CIP-007-5, Requirement R4, Part 4.4; it removes the references to CIP-007-5, Requirement R3, Part 3.3 and CIP-011-1, Requirement R1, Part 1.3; and it removes the duplicate reference to CIP-009-5, Requirement R2, Part 2.3. It also corrects typographical misspellings of "identified" and "security". No other changes were made to this implementation plan or to any of the other CIP V5 standards currently posted.

Prerequisite Approvals

All Version 5 CIP Cyber Security Standards and the proposed additions, modifications, and retirements of terms to the Glossary of Terms used in NERC Reliability Standards must be approved before these standards can become effective.

Applicable Standards

The following standards and definitions, collectively referred to as the Version 5 CIP Cyber Security Standards [1], are covered by this Implementation Plan:

CIP-002-5 Cyber Security - BES Cyber System Categorization
CIP-003-5 Cyber Security - Security Management Controls
CIP-004-5 Cyber Security - Personnel and Training
CIP-005-5 Cyber Security - Electronic Security Perimeter(s)
CIP-006-5 Cyber Security - Physical Security of BES Cyber Systems
CIP-007-5 Cyber Security - Systems Security Management
CIP-008-5 Cyber Security - Incident Reporting and Response Planning
CIP-009-5 Cyber Security - Recovery Plans for BES Cyber Systems
CIP-010-1 Cyber Security - Configuration Change Management and Vulnerability Assessments
CIP-011-1 Cyber Security - Information Protection
Definitions of Terms used in Version 5 CIP Cyber Security Standards, the document that includes the proposed additions, modifications, and retirements of terms to the Glossary of Terms used in NERC Reliability Standards.

[1] Although CIP-010-1 and CIP-011-1 are proposed as first versions, any reference to the Version 5 CIP Cyber Security Standards includes CIP-010-1 and CIP-011-1, in addition to CIP-002-5 through CIP-009-5, because CIP-010-1 and CIP-011-1 were developed as part of the Version 5 CIP Cyber Security Standards development process.

These standards and the Definitions of Terms used in Version 5 CIP Cyber Security Standards are posted for ballot by NERC concurrently with this Implementation Plan. When these standards and definitions become effective, all prior versions of these standards are retired.

Compliance with Standards

Once these standards and the Definitions of Terms used in Version 5 CIP Cyber Security Standards become effective, the responsible entities identified in the Applicability section of each standard must comply with its requirements.

Proposed Effective Date for Version 5 CIP Cyber Security Standards

Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 as follows:

1. 24 Months Minimum. The Version 5 CIP Cyber Security Standards, except for CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired, until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan. [2]

2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP-003-5, Requirement R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees approval, and CIP-003-5, Requirement R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

[2] In jurisdictions where CIP-002-4 through CIP-009-4 have not yet become effective according to their implementation plan (even if approved by order), this implementation plan and the Version 5 CIP Cyber Security Standards supersede and replace the implementation plan and standards for CIP-002-4 through CIP-009-4.

Initial Performance of Certain Periodic Requirements

Specific Version 5 CIP Cyber Security Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to, "... at least once every 15 calendar months ...". Responsible entities shall comply initially with those periodic requirements as follows:

1. On or before the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
   CIP-002-5, Requirement R2
   CIP-003-5, Requirement R1

2. On or before the Effective Date of CIP-003-5, Requirement R2 for the following requirement:
   CIP-003-5, Requirement R2

3. Within 14 calendar days after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirement:
   CIP-007-5, Requirement R4, Part 4.4

4. Within 35 calendar days after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirement:
   CIP-010-1, Requirement R2, Part 2.1

5. Within three calendar months after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirement:
   CIP-004-5, Requirement R4, Part 4.2

6. Within 12 calendar months after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
   CIP-004-5, Requirement R2, Part 2.3
   CIP-004-5, Requirement R4, Parts 4.3 and 4.4
   CIP-006-5, Requirement R3, Part 3.1
   CIP-008-5, Requirement R2, Part 2.1
   CIP-008-5, Requirement R3, Part 3.1
   CIP-009-5, Requirement R2, Parts 2.1 and 2.2
   CIP-009-5, Requirement R3, Part 3.1
   CIP-010-1, Requirement R3, Part 3.1

7. Within 24 calendar months after the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
   CIP-009-5, Requirement R2, Part 2.3
   CIP-010-1, Requirement R3, Part 3.2

8. Within 7 years after the last personnel risk assessment that was performed pursuant to a previous version of the CIP Cyber Security Standards, for the following requirement:
   CIP-004-5, Requirement R3, Part 3.5

Previous Identity Verification

A documented identity verification performed pursuant to a previous version of the CIP Cyber Security Standards does not need to be reperformed under CIP-004-5, Requirement R3, Part 3.1.

Planned or Unplanned Changes Resulting in a Higher Categorization

Planned changes refer to any changes of the electric system or BES Cyber System, identified through the annual assessment under CIP-002-5, Requirement R2, which were planned and implemented by the responsible entity. For example, if an automation modernization activity is performed at a transmission substation, whereby Cyber Assets are installed that meet the criteria in CIP-002-5, Attachment 1, then the new BES Cyber System has been implemented as a result of a planned change and must therefore be in compliance with the Version 5 CIP Cyber Security Standards upon the commissioning of the modernized transmission substation.

In contrast, unplanned changes refer to any changes of the electric system or BES Cyber System, identified through the annual assessment under CIP-002-5, Requirement R2, which were not planned by the responsible entity. Consider the scenario where a particular BES Cyber System at a transmission substation does not meet the criteria in CIP-002-5, Attachment 1, and then, later, an action is performed outside of that particular transmission substation, such as a transmission line being constructed or retired, or a generation plant being modified so that its rated output changes; that unchanged BES Cyber System may then become a medium impact BES Cyber System based on the CIP-002-5, Attachment 1 criteria.

For planned changes resulting in a higher categorization, the responsible entity shall comply with all applicable requirements in the Version 5 CIP Cyber Security Standards on the update of the identification and categorization of the affected BES Cyber System and any applicable and associated Physical Control Systems, Electronic Control and Monitoring Systems and Protected Cyber Assets, with additional time to comply for requirements in the same manner as the timelines specified in the section Initial Performance of Certain Periodic Requirements above.

For unplanned changes resulting in a higher categorization, the responsible entity shall comply with all applicable requirements in the Version 5 CIP Cyber Security Standards, according to the following timelines, following the identification and categorization of the affected BES Cyber System and any applicable and associated Physical Control Systems, Electronic Control and Monitoring Systems and Protected Cyber Assets, with additional time to comply for requirements in the same manner as the timelines specified in the section Initial Performance of Certain Periodic Requirements above.

Scenario of Unplanned Changes After the Effective Date | Compliance Implementation
New high impact BES Cyber System | 12 months
New medium impact BES Cyber System | 12 months
Newly categorized high impact BES Cyber System from medium impact BES Cyber System | 12 months for requirements not applicable to Medium-Impact BES Cyber Systems
Newly categorized medium impact BES Cyber System | 12 months
Responsible entity identifies first medium impact or high impact BES Cyber System | 24 months

Additional Guidance and Implementation Time Periods for Disaster Recovery

A special case of restoration as part of a disaster recovery situation (such as storm restoration) shall follow the emergency provisions of the Responsible Entity's policy required by CIP-003-5, R1. The rationale for this is that the primary task following a disaster is the restoration of the power system and the ability to serve customer Load. Cyber security provisions are implemented to support reliability and operations. If restoration were to be slowed to ensure full compliance with the Version 5 CIP Cyber Security Standards, restoration could be hampered and reliability could be harmed. However, following the completion of the restoration activities, the entity is obligated to comply with the Version 5 CIP Cyber Security Standards at the restored Facilities, and to be able to demonstrate full compliance in a spot check or audit, or to file a self-report of non-compliance with a mitigation plan describing how and when full compliance will be achieved.

Applicability Reference Tables

These tables are provided as a convenient reference to show which requirements in the Version 5 CIP Cyber Security Standards apply to specific Cyber Assets. The following security requirements in CIP-003 through CIP-011 apply to these Associated Electronic Control or Monitoring Systems, Physical Control Systems, and Protected Cyber Assets. In the source table each requirement is marked against one or more of three columns: Associated Electronic Control or Monitoring Systems; Physical Control System; Protected Cyber Assets.

CIP-004-5 R2 | Cyber Security Training Program
CIP-004-5 R3 | Personnel Risk Assessment Program
CIP-004-5 R4 | Access Management Program
CIP-004-5 R5 | Access Revocation
CIP-005-5 R1 Part 1.2 | Electronic Security Perimeter
CIP-005-5 R2 | Interactive Remote Access Management
CIP-006-5 R1 | Physical Security Plan
CIP-006-5 R2 | Visitor Control Program
CIP-006-5 R3 | Maintenance and Testing Program
CIP-007-5 R1 | Ports and Services
CIP-007-5 R2 | Security Patch Management
CIP-007-5 R3 | Malicious Code Prevention
CIP-007-5 R4 | Security Event Monitoring
CIP-007-5 R5 | System Access Control
CIP-010-1 R1 | Configuration Change Management
CIP-010-1 R2 | Configuration Monitoring
CIP-010-1 R3 | Vulnerability Assessments
CIP-011-1 R1 | Information Protection
CIP-011-1 R2 | BES Cyber Asset Reuse and Disposal