CIPC Control Systems Security Working Group
Mapping of NIST Cybersecurity Framework to NERC CIP v3/v5
November 2014

Executive Summary

The NIST Cybersecurity Framework (CSF) and the NERC Critical Infrastructure Protection (CIP) standards contain sets of controls and control objectives that have a great many similarities, and a fair number of differences. Mapping the two at a high level is a fairly straightforward exercise, but presents some challenges at the detailed control level. The attached spreadsheets attempt to inform and give guidance to electricity subsector cyber-security practitioners attempting to create a holistic cybersecurity program for Bulk Electric System Cyber Systems (BCS) that meets the specific controls within the CIP standards, and the control objectives of the NIST CSF.

Background

In April 2014, the Control Systems Security Working Group (CSSWG) was approached by the Electricity Sub-sector Coordinating Council (ESCC) to form a cross-functional team to map the NIST Cybersecurity Framework to the CIP standards, both version 3 and version 5. The individuals listed below volunteered to undertake this effort. The mappings were developed based on the expertise of the project team, but also borrowed heavily from other efforts. For instance, the NIST framework has been mapped to the Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2), and to other standards such as NIST SP 800-53, both of which have been mapped back to NERC CIP by others. In many cases the team “hopped” from one set of mappings to another to gain insight into the controls of both frameworks in order to establish the final product.

Using the mapping document

The NIST CSF categories and sub-categories are not specifically referred to as “controls” but are instead written in the form of control objectives, giving the entity the latitude to develop its own controls and processes to meet the objective. The NERC CIP standards, on the other hand, carry regulatory weight and are written in such a way as to be auditable in a consistent fashion. Accordingly, the CIP requirements are written more like controls (e.g. “the responsible entity shall implement…”). These characteristics, while making for a challenging mapping exercise, lend themselves well to a dual-framework implementation for NERC cyber assets. By using the NERC CIP controls to satisfy NIST CSF control objectives, compliance with both frameworks can be achieved – and potentially without a great deal of additional effort beyond documentation.




Using the mapping document (cont’d)

In the example above, the control objective is NIST PR.AC-5 “Network integrity is protected…”. The entity can meet this control objective by adjusting two policy controls (CIP-003-5 R1 - 1.2 and CIP-003-5 R1 - 1.8) and two technical controls (CIP-005-5 R1 and CIP-007-5 R1) to meet the desired control objective.

Exact mappings

Due to the writing styles and varying levels of specificity between the two control frameworks, there are relatively few exact mappings – i.e. one NIST CSF sub-category mapped exactly to one NERC CIP requirement. Instead, most NIST CSF sub-categories are mapped to multiple NERC CIP requirements, as in the example above.

Missed mappings

Because the NIST CSF contains control objectives, the project team was able to think creatively and provide mappings that broadly meet the stated goal. There were, however, specific areas of the CSF that are simply not covered in the NERC CIP standards no matter how broadly they are interpreted. Examples can be found in the Business Environment (BE) section (supply chain, organization’s mission, etc.), Governance (GV), Risk Management Strategy (RM), and others. In cases where no meaningful mapping could be established, the project team provides some guidance in column ‘H’ of the spreadsheet, titled ‘Guidance for combined NERC CIP & NIST CSF’.


Control-level guidance

As an artifact of the drafting process, the project team documented some simple guidance as notations to help rationalize the individual and grouped mappings. The team elected to retain this language to provide context for the mappings, and perhaps to assist the entity with tips on how to modify its CIP program to accommodate the CSF control objectives. The notations are not meant to be overly prescriptive, but are offered as a thought exercise when considering both frameworks acting together as a single program.

Inclusion of the ES-C2M2

The spreadsheet contains an additional mapping of the ES-C2M2 objectives and practices, as mapped to the NIST CSF sub-categories. As a supplementary exercise, the entity may wish to undertake an assessment of current practices (e.g. MIL 1) against the desired maturity level as informed by the organization’s risk management practice.

Project team (name, organization):

Marc A. Child (Project Lead), Great River Energy
Nadya Bartol, Utilities Telecom Council
Cliff Glantz, Pacific Northwest National Lab
Jarrid Hall, CSGI
Christine Hasha, ERCOT
Cynthia Hill-Watson, Tennessee Valley Authority
Beth Lemke, Wisconsin Public Service
Mark Morgan, Pacific Northwest National Lab
Bill Noto, GE Power & Water

NERC CIP v3
Mapping of NIST Cybersecurity Framework to NERC CIP version 3
Nov-14

Spreadsheet columns: Function | Category | Subcategory | C2M2 Practices ** (MIL 1, MIL 2, MIL 3) | NERC CIP v3 requirement | Guidance for combined NERC CIP v3 & NIST CSF

Category: Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Subcategory ID.AM-1: Physical devices and systems within the organization are inventoried
C2M2 practices: ACM-1a, ACM-1c, ACM-1e, ACM-1f
NERC CIP v3: CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-3, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
Guidance:
1. Ensure inventory includes assets in all security zones
NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance:
1. Policy language should address inventory and asset management

Subcategory ID.AM-2: Software platforms and applications within the organization are inventoried
C2M2 practices: ACM-1b, ACM-1c, ACM-1e, ACM-1f
NERC CIP v3: CIP-002-3 R3: Critical Cyber Asset Identification (requirement text as above)
Guidance:
1. Ensure inventory includes assets in all security zones

Subcategory ID.AM-3: Organizational communication and data flows are mapped
C2M2 practices: RM-2g, ACM-1e
NERC CIP v3: CIP-002-3 R3: Critical Cyber Asset Identification (requirement text as above)
Guidance:
1. Communication and data flow documentation should include any communication and data flows between BES Cyber Systems and other systems such as business systems, physical security systems, etc.
NERC CIP v3: CIP-003-3 R1: Cyber Security Policy (requirement text as above)
Guidance:
1. Ensure organizational policies include a reference to the CIP Senior Manager's role in approving cybersecurity policies for NERC CIP systems.
NERC CIP v3: CIP-003-3 R4: Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
Guidance:
1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity
2. Data flows should be classified according to the sensitivity of the information
NERC CIP v3: CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
Guidance:
1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity
2. Data flows should be classified according to the sensitivity of the information

Subcategory ID.AM-4: External information systems are catalogued
C2M2 practices: EDM-1a, EDM-1c, EDM-1e, EDM-1g, RM-1c
NERC CIP v3: CIP-002-3 R3: Critical Cyber Asset Identification (requirement text as above)
Guidance:
1. Perform zone-level inventories regularly and compare with previous iterations
2. Results are reviewed by a person with authority to approve

Page 1 of 23

Subcategory ID.AM-4 (continued): External information systems are catalogued
NERC CIP v3: CIP-003-3 R1: Cyber Security Policy (requirement text as above)
Guidance:
1. Policy language should address inventory and asset management
2. Policy language should address criteria for connecting external information systems
3. Information systems should be considered 'external' if they interconnect across security zones
NERC CIP v3: CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
Guidance:
1. Ensure documentation includes a reason for each inbound/outbound access flow
2. Ensure inventory includes assets in all security zones
3. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).

Subcategory ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
C2M2 practices: ACM-1a, ACM-1b, ACM-1c, ACM-1d
NERC CIP v3: CIP-002-3 R3: Critical Cyber Asset Identification (requirement text as above)
Guidance:
1. Ensure inventory includes assets in all security zones
2. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
NERC CIP v3: CIP-003-3 R1: Cyber Security Policy (requirement text as above)
Guidance:
1. Policy language should address inventory and asset management
2. Inventories should include classification, criticality, and business value
NERC CIP v3: CIP-005-3 R1: Electronic Security Perimeter (requirement text as above)
Guidance:
1. Ensure inventory includes assets in all security zones
2. Ensure CIP-005-5 diagrams are coded to highlight classification, criticality, and business value for each BES Cyber System
NERC CIP v3: CIP-009-3 R1.1: Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s).
Guidance:
1. Recovery plans should be prioritized based on classification, criticality, and business value

Subcategory ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
C2M2 practices: WM-1a, WM-1b, WM-1c
NERC CIP v3: CIP-003-3 R1: Cyber Security Policy (requirement text as above)
Guidance:
1. Ensure policy includes cybersecurity roles and responsibilities for the entire workforce, including third-party stakeholders
NERC CIP v3: CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through CIP-009-3, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
Guidance:
1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues related to third-party stakeholders
NERC CIP v3: CIP-003-3 R2: Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-3 through CIP-009-3.
Guidance:
1. Clearly define the boundaries of the responsibilities of the CIP Senior Manager
NERC CIP v3: CIP-007-3 R5.1: The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.
Guidance:
1. Ensure cybersecurity provisioning procedures include handling of third-party access requests
2. Ensure cybersecurity staff are trained on access management procedures and policies related to third-party access requests

Category: Business Environment (BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Subcategory ID.BE-1: The organization’s role in the supply chain is identified and communicated
C2M2 practices: EDM-1b, EDM-1d, EDM-1f, EDM-1g, RM-1c
NERC CIP v3: (no requirement mapped)
Guidance:
1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues related to third-party stakeholders

Subcategory ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
C2M2 practices: EDM-1b, EDM-1d, CPM-1c, EDM-1f, EDM-1g, RM-1c
NERC CIP v3: (no requirement mapped)
Guidance:
1. Opportunities to communicate the organization’s place in critical infrastructure include: security awareness, annual cybersecurity training, and organizational policies

Subcategory ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
C2M2 practices: RM-3b, RM-1c
NERC CIP v3: (no requirement mapped)
Guidance:
1. Opportunities to communicate the organization’s mission, objectives, and activities include: security awareness, annual cybersecurity training, and organizational policies

Subcategory ID.BE-4: Dependencies and critical functions for delivery of critical services are established
C2M2 practices: ACM-1a, ACM-1b, EDM-1a, ACM-1c, ACM-1d, EDM-1c, EDM-1e, ACM-1e, ACM-1f, RM-1c, EDM-1g
NERC CIP v3: CIP-002-3 R3: Critical Cyber Asset Identification (requirement text as above)
Guidance:
1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of critical services that are supported by networks other than those subject to NERC CIP

Subcategory ID.BE-5: Resilience requirements to support delivery of critical services are established
C2M2 practices: IR-4a, IR-4b, IR-4c, IR-4e
NERC CIP v3: CIP-009-3 R1: Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
Guidance:
1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of critical services that are supported by networks other than those subject to NERC CIP

Function: IDENTIFY (ID)

Category: Governance (GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Subcategory ID.GV-1: Organizational information security policy is established
C2M2 practices: RM-1a, CPM-2g, CPM-5d, RM-3e
NERC CIP v3: CIP-003-3 R1: Cyber Security Policy (requirement text as above)
Guidance:
1. Establish an organization information security policy
NERC CIP v3: CIP-004-3 R1: Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as: Direct communications (e.g., emails, memos, computer based training, etc.); Indirect communications (e.g., posters, intranet, brochures, etc.); Management support and reinforcement (e.g., presentations, meetings, etc.).
Guidance:
1. Ensure employees and third parties are made aware of the organizational security policy
NERC CIP v3: CIP-004-3 R3: Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. A personnel risk assessment shall be conducted pursuant to that program prior to such personnel being granted such access except in specified circumstances such as an emergency.
Guidance:
1. Ensure employees and third parties are provided annual training on the contents of the organizational security policy

Subcategory ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
C2M2 practices: WM-1a, WM-1b, WM-1c, WM-5b, ISC-2b, WM-1f, WM-1g
NERC CIP v3: CIP-003-3 R2.3 (requirement text as above)
Guidance:
1. Ensure that information security roles and responsibilities for BES Cyber Systems are consistent and compatible with the information security roles and responsibilities for other enterprise systems (e.g., IT or physical security).
NERC CIP v3: CIP-003-3 R2: Leadership (requirement text as above)
Guidance:
1. Develop a clear policy "line of sight" extending from the Board level down to the end user
2. Establish clear responsibilities both inside and outside the NERC cyber security program

Subcategory ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
C2M2 practices: CPM-2k, IR-3n, RM-3f, ACM-4f, IAM-3f, TVM-3f, SA-4f, ISC-2f, IR-5f, EDM-3f, WM-5f
NERC CIP v3: (no requirement mapped)
Guidance:
1. Enhance the cybersecurity training and awareness program by including content on the NERC ERO model, the NIST Cybersecurity Framework, and any related regulatory frameworks.

Page 7: CIPC Control Systems Security Working Group...1. Communication and data flow documentation should include any communication and data flows between BES Cyber Systems and other systems

MIL 1 MIL 2 MIL 3NERC CIP v3

Mapping of NIST Cybersecurity Framework to NERC CIP version 3

Nov-14

Function Category Subcategory

C2M2 Practices **

Guidance for combined NERC CIP v3 & NIST CSF

ID.GV-4: Governance and risk management

processes address cybersecurity risks

RM-2a

RM-2b

RM-3b RM-2h

RM-3e

RM-1c

RM-1e

1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-

scope assets, organizations should focus on integrating their methodology with their enterprise risk-

management frameworks.

2. Additional cyber systems should be identified and protected based on their risk to the business or risk

to the reliability of the bulk electric system

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall

document and implement a cyber security policy that represents

management’s commitment and ability to secure its Critical Cyber

Assets. The Responsible Entity shall, at minimum, ensure the

following:

1. Policies for vulnerability management should be established

CIP-007-3 R3: Security Patch Management — The Responsible

Entity, either separately or as a component of the documented

configuration management process specified in CIP-003-3

Requirement R6, shall establish, document and implement a security

patch management program for tracking, evaluating, testing, and

installing applicable cyber security software patches for all Cyber

Assets within the Electronic Security Perimeter(s).

1. Security Patch Management should be established

2. Adherence to Security Patch Management practices should be measured as part of the vulnerability

assessment processes

3. Missing security patches should be compared to the documented mitigation plans

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible

Entity shall perform a cyber vulnerability assessment of all Cyber

Assets within the Electronic Security Perimeter at least annually. The

vulnerability assessment shall include, at a minimum, the following:

1. Asset vulnerabilities are identified and documented

CIP-007-3 R3: Security Patch Management — The Responsible

Entity, either separately or as a component of the documented

configuration management process specified in CIP-003-3

Requirement R6, shall establish, document and implement a security

patch management program for tracking, evaluating, testing, and

installing applicable cyber security software patches for all Cyber

Assets within the Electronic Security Perimeter(s).

1. Ensure you are getting information from sources such as ICS CERT, ES ISAC, US CERT, relevant

vendor forums, and other applicable information sharing forums and sources.

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible

Entity shall perform a cyber vulnerability assessment of all Cyber

Assets within the Electronic Security Perimeter at least annually. The

vulnerability assessment shall include, at a minimum, the following:

1. Enhance the vulnerability assessment processes by inclusion of a threat management practice that

can be executed quickly in reaction to a threat (zero-day attack targeting BASH, for instance)

Risk Assessment (RA): The organization understands

the cybersecurity risk to organizational operations

(including mission, functions, image, or reputation),

organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and

documented

TVM-2a

TVM-2b

TVM-2c

TVM-2d

TVM-2e

TVM-2f

RM-1c

RM-2j

TVM-2i

TVM-2j

TVM-2k

TVM-2l

TVM-2m

ID.RA-2: Threat and vulnerability information is

received from information sharing forums and

sources

TVM-1a

TVM-1b

TVM-2a

TVM-2b

vulnerability assessment shall include, at a minimum, the following:

ID.RA-3: Threats, both internal and external,

are identified and documented

TVM-1a

TVM-1b

TVM-1d

TVM-1e

TVM-1f

RM-1c

RM-2j

TVM-1i

TVM-1j

CIP-007-3 R6.3: The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008-3.

1. Enhance the threat management practice by implementing procedures to:

- modify logging levels in reaction to a high-impact threat
- obtain signatures of known attacks and search your environment for matches
- perform vulnerability scans against test or standby systems whose configuration matches production systems
- establish multi-tier response guidelines such that security events are researched more quickly under higher threat levels

ID.RA-4: Potential business impacts and likelihoods are identified

C2M2 practices: TVM-1d, TVM-1f, TVM-1i

CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-3, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-scope assets, organizations should focus on integrating their methodology with their enterprise risk-management frameworks.

2. Additional cyber systems should be identified and protected based on their risk to the business or risk to the reliability of the bulk electric system.

CIP-007-3 R3: Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).

1. Enhance patch mitigation plans by documenting impacts and business risk.

2. Business risk can be informative for scheduling patch deployments and mitigation plans.

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:

1. Enhance vulnerability assessment processes by documenting potential impacts and business risk.

2. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans.

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

C2M2 practices: RM-1c, RM-2j, TVM-1i, TVM-2l, TVM-2m


CIP-007-3 R3: Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).

1. Business risk can be informative for scheduling patch deployments and mitigation plans.

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:

1. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans.

CIP-008-3 R1.2: Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans.

1. Business risk can be informative for developing prioritized incident response plans.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

C2M2 practices: RM-2a, RM-2b, RM-1a, RM-1b, RM-2c, RM-2d, RM-2e, RM-2f, RM-2g, RM-3a, RM-3b, RM-3c, RM-3d, RM-1c, RM-1d, RM-1e, RM-2h, RM-2i, RM-2j, RM-3e, RM-3f, RM-3g, RM-3h, RM-3i

1. Enterprise risk management practices should include risks associated with BES Cyber Systems, to include what is unique about these systems as well as what makes them similar to other enterprise information systems.

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

C2M2 practices: RM-1c, RM-1e

1. Risks should be assigned to business process owners who have the authority to effect change, mitigate, or accept risk.

ID.RM-3: The organization’s determination of risk tolerance is informed by their role in critical infrastructure and sector specific risk analysis

C2M2 practices: RM-1b, RM-1c

1. Business process owners who manage risks associated with BES Cyber Systems should be educated in their responsibilities as a critical infrastructure custodian.

Risk Management Strategy (RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RA-6: Risk responses are identified and prioritized

C2M2 practices: RM-2e, RM-1c, RM-2j, TVM-1i, TVM-2l, IR-3m, IR-4d, IR-4e

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Access control rules for logical system access should be clearly stated in an organizational policy with a goal to protect systems from unauthorized access. The policy should address the granting, modification, removal, and review of access permissions. The policy should establish the requirements for the use of "principle of least privilege" or "need to know". The access control policy should be periodically reviewed and approved by an appropriate member of senior management.

2. Policies should include requirements for granting access only when background check and training requirements are met.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

1. A formal procedure or process should be defined for revoking logical system access and shared account access. The procedure or process should ensure that the triggering events (e.g.: termination, promotion, job transfer) for access revocation are clearly stated and how those events are incorporated into access revocation processes. This can be accomplished through a written procedure or documented workflow.

CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

1. A formal procedure or process should be defined for managing logical system access. The procedure or process should encompass: (1) granting of access (including training and background checks), and (2) periodic review of access permissions (including review and update of training and background checks). The procedure or process should demonstrate implementation of "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

1. There should be a formal procedure or process for managing system access controls to protect systems from unauthorized access. The procedure or process should define: (1) the use of authentication methods; (2) management of default accounts provided by vendors and accounts shared by multiple people; (3) management of all entity-defined accounts shared by multiple people, including generic, service, and administrator accounts; (4) implementation of password requirements, including complexity and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Access control rules for physical access should be clearly stated in an organizational policy with a goal to protect systems from unauthorized access. The policy should address the granting, modification, removal, and review of access permissions. The policy should establish the requirements for the use of "principle of least privilege" or "need to use". The access control policy should be periodically reviewed and approved by an appropriate member of senior management.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

1. There should be a formal procedure or process for revoking physical and information access. The procedure or process should ensure that the triggering events (e.g.: termination, promotion, job transfer) for access revocation are clearly stated and how those events are incorporated into access revocation processes. This can be accomplished through a written procedure or documented workflow.

Access Control (AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users

C2M2 practices: IAM-1a, IAM-1b, IAM-1c, IAM-1d, IAM-1e, IAM-1f, RM-1c, IAM-1g

PR.AC-2: Physical access to assets is managed and protected

C2M2 practices: IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g


CIP-006-3 R1.6: A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following:

1. There should be a formal procedure or process for managing visitors to premises. The procedure or process should define: (1) logging of entry and exit; (2) continuous escort and supervision of visitors.

CIP-006-3 R1: Physical Security Plan — The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s) that shall address, at a minimum, the following:

1. There should be a formal procedure or process for managing physical access controls to protect systems from unauthorized access. The procedure or process should define: (1) the use of access control mechanisms; (2) logging of entry and exit; (3) monitoring of physical premises; and (4) alerting on unauthorized access.

CIP-006-3 R4: Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. The Responsible Entity shall implement one or more of the following physical access methods:

Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.

Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.

Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station.

Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the Critical Cyber Assets.

1. A formal procedure or process should be defined for managing physical access. The procedure or process should encompass: (1) granting of access (including training and background checks), and (2) periodic review of access permissions (including review and update of training and background checks). The procedure or process should demonstrate implementation of "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Access control rules for remote access should be clearly stated in an organizational policy with a goal to protect systems from unauthorized access. The policy should address the granting, modification, removal, and review of access permissions. The policy should establish the requirements for the use of "principle of least privilege" or "need to use". The access control policy should be periodically reviewed and approved by an appropriate member of senior management.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

1. There should be a formal procedure or process for revoking physical and information access. The procedure or process should ensure that the triggering events (e.g.: termination, promotion, job transfer) for access revocation are clearly stated and how those events are incorporated into access revocation processes. This can be accomplished through a written procedure or documented workflow.

PR.AC-3: Remote access is managed

C2M2 practices: IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g

CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).

1. There should be a formal procedure or process to monitor and control dialup remote access to the information system which requires the use of authentication.

CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

1. There should be a formal procedure or process to monitor and control all methods of remote access (e.g., VPN, Citrix) to the information system. Remote access should only be allowed through managed access control points that do not allow direct access to protected assets. Encryption should be used to protect the confidentiality of remote access sessions. Multi-factor authentication should be used for all remote access sessions.

CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

1. A formal procedure or process should be defined for managing remote access. The procedure or process should encompass: (1) granting of access (including training and background checks), and (2) periodic review of access permissions (including review and update of training and background checks). The procedure or process should demonstrate implementation of "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Access control rules for logical system access should be clearly stated in an organizational policy with a goal to protect systems from unauthorized access. The policy should address the granting, modification, removal, and review of access permissions. The policy should establish the requirements for the use of "principle of least privilege" or "need to know". The access control policy should be periodically reviewed and approved by an appropriate member of senior management.

2. Policies should contain requirements for management of system-level credentials.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

1. There should be a formal procedure or process for managing system access controls to protect systems from unauthorized access. The procedure or process should define: (1) the use of authentication methods; (2) management of default accounts provided by vendors and accounts shared by multiple people; (3) management of all entity-defined accounts shared by multiple people, including generic, service, and administrator accounts; (4) implementation of password requirements, including complexity and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.

CIP-007-3 R5.1: The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.

1. A formal procedure or process should be defined for managing logical system access. The procedure or process should encompass: (1) granting of access (including training and background checks), and (2) periodic review of access permissions (including review and update of training and background checks). The procedure or process should demonstrate implementation of "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties

C2M2 practices: IAM-2d


CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

1. There should be a formal procedure or process for managing system access controls to protect systems from unauthorized access. The procedure or process should define: (1) the use of authentication methods; (2) management of default accounts provided by vendors and accounts shared by multiple people; (3) management of all entity-defined accounts shared by multiple people, including generic, service, and administrator accounts; (4) implementation of password requirements, including complexity and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts. The procedure or process should demonstrate implementation of "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Access control rules for logical system access should be clearly stated in an organizational policy with a goal to protect systems from unauthorized access. The policy should address the restriction of access to the network layer. This can be accomplished through network segmentation and network access controls.

2. Policies should contain requirements for information protection within, and between, the various network security zones.

CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).

1. There should be formal procedures and processes to implement security zones separating protected assets from other organizational networks and public networks. Monitoring of communications at the network boundary should be implemented. Connection to protected assets should only be through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational documented security architecture.

CIP-007-3 R2: Ports and Services — The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.

1. There should be formal procedures and processes to manage and secure network accessible ports as well as physical I/O ports in operation on an asset. This includes monitoring and documenting the status and use of discovered ports.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Policies should contain requirements for user training and security awareness.

CIP-004-3 R1: Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

Direct communications (e.g., emails, memos, computer based training, etc.);
Indirect communications (e.g., posters, intranet, brochures, etc.);
Management support and reinforcement (e.g., presentations, meetings, etc.).

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

C2M2 practices: CPM-3a, CPM-3b, CPM-3c, CPM-3d

Awareness and Training (AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained

C2M2 practices: WM-3a, WM-3b, WM-3c, WM-3d, WM-3e, WM-3f, WM-3g, WM-3h, WM-3i

CIP-004-3 R2: Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Policies should contain requirements for user training and security awareness.

CIP-004-3 R1: Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

Direct communications (e.g., emails, memos, computer based training, etc.);
Indirect communications (e.g., posters, intranet, brochures, etc.);
Management support and reinforcement (e.g., presentations, meetings, etc.).

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

PR.AT-2: Privileged users understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g


CIP-004-3 R2: Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Policies should contain requirements for user training and security awareness.

CIP-004-3 R1: Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

Direct communications (e.g., emails, memos, computer based training, etc.);
Indirect communications (e.g., posters, intranet, brochures, etc.);
Management support and reinforcement (e.g., presentations, meetings, etc.).

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

CIP-004-3 R2: Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Policies should contain requirements for user training and security awareness.

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g

PR.AT-4: Senior executives understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g

CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through CIP-009-3, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.

1. The CIP Senior Manager should be able to demonstrate that they understand their roles and responsibilities. Consider an acknowledgement form.

CIP-004-3 R1: Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

Direct communications (e.g., emails, memos, computer based training, etc.);
Indirect communications (e.g., posters, intranet, brochures, etc.);
Management support and reinforcement (e.g., presentations, meetings, etc.).

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

CIP-004-3 R2: Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

1. Policies should contain requirements for user training and security awareness.


PR.AT-5: Physical and information security personnel understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g


CIP-004-3 R1: Awareness — The Responsible Entity shall establish,

document, implement, and maintain a security awareness program

to ensure personnel having authorized cyber or authorized

unescorted physical access to Critical Cyber Assets receive on-going

reinforcement in sound security practices. The program shall include

security awareness reinforcement on at least a quarterly basis using

mechanisms such as:

Direct communications (e.g., emails, memos, computer based

training, etc.);

Indirect communications (e.g., posters, intranet, brochures, etc.);

Management support and reinforcement (e.g., presentations,

meetings, etc.).

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

CIP-004-3 R2: Training — The Responsible Entity shall establish,

document, implement, and maintain an annual cyber security

training program for personnel having authorized cyber or authorized

unescorted physical access to Critical Cyber Assets. The cyber

security training program shall be reviewed annually, at a minimum,

and shall be updated whenever necessary.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-006-3 R1.6: A visitor control program for visitors (personnel

without authorized unescorted access to a Physical Security

Perimeter), containing at a minimum the following:

1. Ensure physical security personnel are trained on the visitor control program and are given tools as

necessary to monitor and manage the program.

Data Security (DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
C2M2 practices: ACM-1b, TVM-1c, TVM-2c, CPM-3b, ACM-1e, TVM-2i, TVM-2n

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in the entity's official security policy. System-related information requiring protection includes items defined as BES Protected Information.

CIP-003-3 R4: Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
1. Formal procedures and processes should be implemented to identify and secure protected information at rest and data in transit.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
1. Access control rules should protect the confidentiality and integrity of information at rest, i.e., information located on storage devices. Proper access controls (provisioning, revocation) should be used to restrict access to such information.

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Monitoring, detection and prevention of malicious code should be implemented to protect information at rest.

CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
1. Access control rules should protect the confidentiality and integrity of information at rest, i.e., information located on storage devices. Proper access controls (provisioning, revocation) should be used to restrict access to such information.

CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.
1. Formal procedures and processes should be implemented to sanitize media containing protected information prior to disposal, release out of organizational control, or release for reuse. Mechanisms should sanitize information to the strength and integrity commensurate with the security category or classification of the information.
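CIP-004-3 R4.2 above sets two clocks: 24 hours after a termination for cause, and seven calendar days after access is no longer required. Checking those clocks against the HR feed and the access-revocation records is mechanical, and the script below is an added example of that check (my own code, not part of the CSSWG mapping or any NERC or NIST artifact). It assumes a constructed CSV export with one row per access-change event (column names, people and times are invented), treats "seven calendar days" as 7 x 24 hours (a stricter reading that ends the window at the close of the seventh calendar day would only shorten the deadline), and expects all timestamps in a single timezone.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Revocation deadlines stated in CIP-004-3 R4.2. "Seven calendar days" is
# approximated as 7 x 24 h (assumption; a stricter reading would end the
# window at the close of the seventh calendar day).
DEADLINES = {
    "for_cause": timedelta(hours=24),
    "no_longer_required": timedelta(days=7),
}

# Constructed sample export (invented people and times), one row per event.
# event_time = termination / role-change time; revoked_time = when access to
# Critical Cyber Assets was actually removed (empty = not yet revoked).
SAMPLE_CSV = """\
person,event_time,reason,revoked_time
alice,2014-11-03T09:00,for_cause,2014-11-03T17:30
bob,2014-11-03T09:00,for_cause,2014-11-05T08:00
carol,2014-11-01T08:00,no_longer_required,2014-11-07T16:00
dave,2014-11-01T08:00,no_longer_required,
"""

# "Now" for the sample run, chosen so that dave's open item is clearly overdue.
SAMPLE_NOW = datetime(2014, 11, 10, 12, 0)


def parse_ts(text):
    """Parse a naive ISO-like timestamp (single timezone assumed); '' -> None."""
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%dT%H:%M") if text else None


def check_revocations(csv_text, now):
    """Classify every access-change event against its R4.2 deadline.

    Returns one dict per event with the person, reason, computed deadline,
    status (ON_TIME, LATE, OPEN, OPEN_OVERDUE) and how far past the deadline
    the revocation was (or is, for still-open items).
    """
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        reason = row["reason"].strip()
        if reason not in DEADLINES:  # refuse to guess a window for unknown reasons
            raise ValueError(f"unknown reason {reason!r} for {row['person']}")
        due = parse_ts(row["event_time"]) + DEADLINES[reason]
        revoked = parse_ts(row["revoked_time"])
        if revoked is None:
            status = "OPEN_OVERDUE" if now > due else "OPEN"
            overdue_by = max(now - due, timedelta(0))
        else:
            status = "LATE" if revoked > due else "ON_TIME"
            overdue_by = max(revoked - due, timedelta(0))
        findings.append({"person": row["person"], "reason": reason, "due": due,
                         "status": status, "overdue_by": overdue_by})
    return findings


def violations(findings):
    """People whose revocation missed the deadline or is still open past it."""
    return [f["person"] for f in findings if f["status"] in ("LATE", "OPEN_OVERDUE")]


def run_sample():
    """Evaluate the constructed sample export as of SAMPLE_NOW."""
    return check_revocations(SAMPLE_CSV, SAMPLE_NOW)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f['person']:<6} {f['reason']:<19} due {f['due']:%Y-%m-%d %H:%M} "
              f"{f['status']:<13} overdue_by {f['overdue_by']}")
    print("violations:", violations(results))
```

Run as a script it prints one line per event; violations() returns the people whose access was revoked late or is still open past the deadline, which is both the list an auditor will ask for and the condition a detection rule should alert on. In practice the input is joined from the HR termination feed and the revocation records of every system holding a CIP-007-3 R5 account for the person; a revocation only counts once it has been applied on all of them, not just in the directory.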

PR.DS-2: Data-in-transit is protected
C2M2 practices: ACM-1b, TVM-1c, TVM-2c, CPM-3b, ACM-1e, TVM-2i, TVM-2n

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Rules for protection of the confidentiality and integrity of information in transit, while on the network or when using remote access, should be included in the entity's official security policy.

CIP-003-3 R4: Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
1. Formal procedures and processes should be implemented to identify and secure protected information at rest and data in transit.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
1. Access control rules should protect the confidentiality and integrity of information in transit, while on the network or when using remote access. Proper access controls (provisioning, revocation) should be used to restrict access to such information.

CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
1. Access control rules should protect the confidentiality and integrity of information in transit, while on the network or when using remote access. Proper access controls (provisioning, revocation) should be used to restrict access to such information.
2. Access points to a higher security zone should include controls for protecting the data traversing those boundaries.

CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
1. There should be formal procedures and processes to implement secure remote access for the transmission of protected information. Reference the definition of Interactive Remote Access.

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Monitoring, detection and prevention of malicious code should be implemented to protect information in transit.

CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
1. Access control rules should protect the confidentiality and integrity of information in transit, while on the network or when using remote access. Proper access controls (provisioning, revocation) should be used to restrict access to such information.

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
C2M2 practices: ACM-1a, ACM-1b, ACM-2a, ACM-2b, ACM-3a, ACM-3b, ACM-1c, ACM-1d, ACM-2c, ACM-3c, ACM-3d, ACM-4a, ACM-4b, ACM-4c, ACM-4d, ACM-1e, ACM-1f, ACM-2d, ACM-2e, ACM-3e, ACM-3f, ACM-4e, ACM-4f, ACM-4g, ACM-4h, ACM-4i

CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.
1. Formal procedures and processes should be implemented to sanitize media containing protected information prior to disposal, release out of organizational control, or release for reuse. Mechanisms should sanitize information to the strength and integrity commensurate with the security category or classification of the information.

PR.DS-4: Adequate capacity to ensure availability is maintained
C2M2 practices: TVM-1c, TVM-2c, CPM-3b, TVM-2i, TVM-2n

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Contingency planning rules should be included in the organization's policy statements.

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Formal procedures and processes should be implemented to protect against or limit the effects of denial of service attacks, including the management of excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks and to counter flooding attacks.

CIP-007-3 R6.4: The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
1. Where possible, ensure capacity monitoring is included in the organization's event log monitoring program.

CIP-009-3 R1: Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
1. Formal procedures and processes should be implemented for contingency planning as part of an overall program for achieving business continuity. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.

Function: PROTECT (PR)

PR.DS-5: Protections against data leaks are implemented
C2M2 practices: TVM-1c, TVM-2c, CPM-3b, TVM-2i, TVM-2n

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Rules for protection of the confidentiality and integrity of information from data leaks when it is located on storage devices should be included in the entity's official security policy.

CIP-003-3 R4: Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
1. The information protection program can consist of policy controls such as document markings, secure handling procedures, and secure destruction procedures, and technical controls such as access control, encryption, or data loss prevention.

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
1. Access control rules should protect the confidentiality and integrity of information in transit, while on the network or when using remote access. Proper access controls (provisioning, revocation) should be used to restrict access to such information.

CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
1. Formal procedures and processes should be implemented to ensure protected information is properly segmented and that flow access controls are enforced. Flow access controls should be automatically enforced, where possible.

CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
1. Formal processes and procedures should be implemented to ensure that encrypted information does not bypass system monitoring capabilities. This includes the proper configuration of encryption termination points.

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Formal procedures and processes should be implemented to prevent, deter, detect, and mitigate malicious code intended to leak data.

CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
1. Access control rules should protect the confidentiality and integrity of information in transit, while on the network or when using remote access. Proper access controls (provisioning, revocation) should be used to restrict access to such information.
2. Formal procedures and processes should be implemented to manage system access controls to prevent data leaks through vulnerable person and system accounts.

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Formal procedures and processes should be implemented to ensure monitoring of events to protect information from data leaks.

CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.
1. The information protection program can consist of policy controls such as document markings, secure handling procedures, and secure destruction procedures, and technical controls such as access control, encryption, or data loss prevention.

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
C2M2 practices: ACM-3d

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Rules for the implementation of configuration management of software, firmware, and information integrity should be included in the entity's official security policy.

CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
1. Formal processes and procedures should be implemented to monitor the approved configuration of hardware, software, and firmware to detect any unauthorized changes.
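The CIP-003-3 R6 guidance here (monitor the approved configuration of hardware, software and firmware to detect unauthorized changes) and the PR.IP-1 guidance that baseline configurations must themselves be protected from compromise describe the two halves of a file-integrity check. The script below is an added example and my own illustration, not code from the CSSWG, NERC or NIST: it hashes a constructed, temporary device configuration tree into a baseline, seals the baseline with an HMAC so that a modified stored copy is rejected on load, then reports added, removed and modified files after simulated tampering. The directory layout, file contents and key are invented; on a real BES Cyber System the baseline and key would be kept off the monitored host and the walk scoped to the configuration, firmware and binary paths named in the entity's change control procedure.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large firmware images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def seal_baseline(baseline, key):
    """Serialize the baseline with an HMAC so edits to the stored copy are detected."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def load_baseline(sealed, key):
    """Verify the HMAC before trusting the stored baseline; raise on mismatch."""
    obj = json.loads(sealed)
    expected = hmac.new(key, obj["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["hmac"]):
        raise ValueError("stored baseline failed integrity check")
    return json.loads(obj["baseline"])


def compare(baseline, current):
    """Classify differences between the approved baseline and the live state."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating dirs."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake device tree, then tamper with it."""
    key = b"constructed-demo-key"  # in practice: held off the monitored host
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/rtu.conf", b"poll_interval=2\nallow=10.1.1.0/24\n")
        _write(root, "etc/hosts.allow", b"sshd: 10.1.1.5\n")
        _write(root, "firmware/rtu.bin", b"\x7fELF" + bytes(64))
        approved = build_baseline(root)
        sealed = seal_baseline(approved, key)

        # Unauthorized changes: widen an allow-list, drop a control, add a file.
        _write(root, "etc/rtu.conf", b"poll_interval=2\nallow=0.0.0.0/0\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        _write(root, "etc/unapproved.sh", b"#!/bin/sh\necho not in baseline\n")

        diff = compare(load_baseline(sealed, key), build_baseline(root))

        # Someone who rewrites the stored baseline to match the new state must
        # also forge the HMAC; swapping a single digest is caught on load.
        forged = sealed.replace(approved["etc/rtu.conf"], "0" * 64)
        try:
            load_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return diff, tamper_detected


if __name__ == "__main__":
    diff, tamper_detected = demo()
    for kind, paths in diff.items():
        print(f"{kind:<9} {paths}")
    print("stored-baseline tampering detected:", tamper_detected)
```

Hash comparison detects any byte change but cannot say whether the change was authorized; the diff has to be reconciled against the approved change records from the CIP-003-3 R6 process, and anything without a matching record is the unauthorized change the guidance asks you to find. Re-sealing a fresh baseline immediately after each approved change keeps the "modified" list meaningful.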

PR.DS-7: The development and testing environment(s) are separate from the production environment
C2M2 practices: ACM-3c, ACM-3e

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Rules for the implementation of segregation of production and test environments should be included in the entity's official security policy.

CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
1. Formal procedures and processes should include testing of changes before they are applied to the production environment. A designated, separate test environment should be used, where possible.

CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
1. Formal procedures and processes should be implemented to properly segregate test and production network environments.

Information Protection Processes and Procedures (IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
C2M2 practices: ACM-2a, ACM-2b, ACM-2c, ACM-2d, ACM-2e

CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
1. Ensure baseline configurations are protected from possible compromise.

PR.IP-2: A System Development Life Cycle to manage systems is implemented
C2M2 practices: ACM-3d
1. A framework for SDLC can be included in an entity's Change Management and Configuration Monitoring program.

PR.IP-3: Configuration change control processes are in place
C2M2 practices: ACM-3a, ACM-3b, ACM-3c, ACM-3d, ACM-3e, ACM-3f

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Change control policies should include broad requirements for what types of activities constitute a change.

CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
1. Change control procedures should include specific requirements for what types of activities constitute a change.

PR.IP-4: Backups of information are conducted, maintained, and tested periodically
C2M2 practices: IR-4a, IR-4b, IR-4c, IR-4f, IR-4g, IR-4j

CIP-009-3 R4: Backup and Restore — The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc.
1. Recovery plans should specify business requirements for data retention and periodicity of backups.

CIP-009-3 R5: Testing Backup Media — Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site.
1. Recovery plan testing should be on a frequency commensurate with the importance of the asset.
2. Recovery plans should be tested subsequent to any major change or upgrade to a system.

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
C2M2 practices: RM-2b, IAM-2a, RM-3f, IAM-3f

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should contain requirements for the physical operating environment of the cyber system, including environmental (temperature, moisture, vibration, dust), power (redundant feeds, battery), and fire-suppression. Policies should contain requirements for environmental monitoring of the physical operating environment.

PR.IP-6: Data is destroyed according to policy
C2M2 practices: ACM-3d

CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.
1. Implement a management control to test a sampling of retired systems to ensure data is no longer accessible.

PR.IP-7: Protection processes are continuously improved
C2M2 practices: TVM-1h, CPM-1g

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
1. The stated goal of the entity's vulnerability assessment program should be the strengthening of security controls through a process of regular review and assessment.
2. Assessments should evaluate the current threat landscape and the ability of existing controls to mitigate or eliminate the risk.

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
C2M2 practices: ISC-1a, ISC-1b, ISC-1c, ISC-1d, ISC-1e, ISC-1f, ISC-1g, ISC-2b, ISC-1h, ISC-1i, ISC-1j, ISC-1k, ISC-1l

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
1. Results of vulnerability assessments should be communicated to key stakeholders, to include a frank assessment of the effectiveness of the security controls.

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Results of incident response tests should be communicated to key stakeholders, to include a frank assessment of the effectiveness of the response actions and security controls.

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
C2M2 practices: IR-4c, IR-3e, IR-3f, IR-4d, IR-4f, IR-5a, IR-5b, IR-5c, IR-5d, RM-1a, RM-1b, TVM-1d, IR-3k, IR-3m, IR-4i, IR-4j, IR-5e, IR-5f, IR-5g, IR-5h, IR-5i, RM-1c

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should contain language addressing the management of the recovery plans.

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Plans are in place and managed.

CIP-009-3 R1: Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
1. Plans are in place and managed.

CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed.
1. Plans are in place and managed.

PR.IP-10: Response and recovery plans are tested
C2M2 practices: IR-3e, IR-4f, IR-3k, IR-4i, IR-4j

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Plans are implemented when required and tested regularly.

CIP-009-3 R2: Exercises — The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident.
1. Plans are implemented when required and tested regularly.

CIP-004-3 R3: Personnel Risk Assessment —The Responsible Entity

shall have a documented personnel risk assessment program, in

accordance with federal, state, provincial, and local laws, and

subject to existing collective bargaining unit agreements, for

personnel having authorized cyber or authorized unescorted physical

access to Critical Cyber Assets. A personnel risk assessment shall

be conducted pursuant to that program prior to such personnel being

granted such access except in specified circumstances such as an

emergency.

1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

CIP-004-3 R4.2: The Responsible Entity shall revoke such access to

Critical Cyber Assets within 24 hours for personnel terminated for

cause and within seven calendar days for personnel who no longer

require such access to Critical Cyber Assets.

1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

CIP-007-3 R5: Account Management — The Responsible Entity

shall establish, implement, and document technical and procedural

controls that enforce access authentication of, and accountability

for, all user activity, and that minimize the risk of unauthorized

system access.

1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

CIP-007-3 R3: Security Patch Management — The Responsible

Entity, either separately or as a component of the documented

configuration management process specified in CIP-003-3

Requirement R6, shall establish, document and implement a security

patch management program for tracking, evaluating, testing, and

installing applicable cyber security software patches for all Cyber

Assets within the Electronic Security Perimeter(s).

1. Develop a holistic vulnerability management plan that includes patch management, malicious software

prevention, and regular vulnerability assessments - including scanning where feasible

PR.IP-12: A vulnerability management plan is

developed and implemented

TVM-2d

TVM-2e

TVM-3e

TVM-3f

PR.IP-11: Cybersecurity is included in human

resources practices (e.g., deprovisioning,

personnel screening)

WM-2a

WM-2b

WM-2c

WM-2d

WM-2e

WM-2f

WM-2g

WM-2h

Page 13 of 23

Mapping of NIST Cybersecurity Framework to NERC CIP version 3 (Nov-14)
Columns: Function | Category | Subcategory | C2M2 Practices ** (MIL 1, MIL 2, MIL 3) | NERC CIP v3 | Guidance for combined NERC CIP v3 & NIST CSF

PR.IP-12: A vulnerability management plan is developed and implemented (continued)

NERC CIP v3: CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Guidance: 1. Develop a holistic vulnerability management plan that includes patch management, malicious software prevention, and regular vulnerability assessments - including scanning where feasible

NERC CIP v3: CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
Guidance: 1. Develop a holistic vulnerability management plan that includes patch management, malicious software prevention, and regular vulnerability assessments - including scanning where feasible

Maintenance (MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
C2M2 practices: IAM-2a, ACM-1c, AMC-3f

NERC CIP v3: CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
Guidance: 1. Maintenance practices should be addressed in, and follow, the organization's change control practices

NERC CIP v3: CIP-006-3 R8: Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
Guidance: 1. As in CIP-006-5 R3, entities should consider a formal process for maintaining and testing the mechanisms used for electronic access control. This should include the testing of the changes prior to implementation.

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
C2M2 practices: SA-1a, IR-1c, IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g, IAM-2h, IAM-2i

NERC CIP v3: CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
Guidance: 1. Maintenance practices should be addressed in, and follow, the organization's change control practices

NERC CIP v3: CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
Guidance: 1. Formal processes and procedures should be implemented to manage the use of remote access for performing maintenance functions in accordance with the configuration management program or process.

NERC CIP v3: CIP-006-3 R8: Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
Guidance: 1. As in CIP-006-5 R3, entities should consider a formal process for maintaining and testing the mechanisms used for electronic access control. This should include the testing of the changes prior to implementation.

Protective Technology (PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
C2M2 practices: SA-1a, SA-2a, SA-1b, SA-1c, SA-2e, SA-4a, SA-1d, SA-1e, SA-3d, SA-4e

NERC CIP v3: CIP-006-3 R1.6: A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following:
Guidance: 1. Formal processes and procedures should be implemented to log successful and unsuccessful access attempts.

NERC CIP v3: CIP-006-3 R2: Protection of Physical Access Control Systems — Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point such as electronic lock control mechanisms and badge readers, shall:
CIP-006-3 R2.1: Be protected from unauthorized physical access.
Guidance: 1. Formal processes and procedures should be implemented to monitor for unauthorized access.

NERC CIP v3: CIP-006-3 R6: Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:
Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.
Video Recording: Electronic capture of video images of sufficient quality to determine identity.
Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.
Guidance: 1. Formal processes and procedures should be implemented to log successful and unsuccessful access attempts.


PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (continued)

NERC CIP v3: CIP-006-3 R7: Access Log Retention — The Responsible Entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-3.
Guidance: 1. Formal processes and procedures should be implemented to retain audit logs.

NERC CIP v3: CIP-007-3 R6.4: The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
Guidance: 1. Formal processes and procedures should be implemented to retain audit logs.

NERC CIP v3: CIP-007-3 R6.5: The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs.
Guidance: 1. Formal processes and procedures should be implemented to ensure receipt of required audit logs and identify failures of logging capabilities.
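As an added illustration of the two PR.PT-1 guidance points above (it is not part of the working group's mapping), the following Python script implements a log-receipt check, which reports every required log source that has gone silent, and a ninety-day retention decision that honours an incident hold. The host names, log lines, dates and the silence threshold are constructed sample data chosen for the example:

```python
"""Audit-log receipt and retention checks (constructed example, not part of
the CIPC mapping).  Two checks a logging team would script against
CIP-007-3 R6.4/R6.5 and CIP-006-3 R7:
  1. every required log source has reported within an expected interval
     (a silent source is a logging-capability failure to investigate);
  2. a log archive is retained for ninety calendar days, longer when it is
     tied to a reportable incident.
All host names, timestamps and log lines below are constructed."""
from datetime import datetime, timedelta

# Constructed syslog-style lines: "<timestamp> <host> <message>".
SAMPLE_LOG = """\
2014-11-03T08:00:12Z ems-hist01 CRON session opened for user backup
2014-11-03T08:05:40Z eap-fw01 DENY tcp 10.1.5.7:51234 -> 10.2.0.10:502
2014-11-02T23:59:01Z scada-srv02 sshd Accepted publickey for operator
2014-11-03T08:07:59Z eap-fw01 ACCEPT tcp 10.1.5.9:44000 -> 10.2.0.11:443
"""

# Constructed list of log sources that policy says must report.
REQUIRED_SOURCES = ["ems-hist01", "eap-fw01", "scada-srv02", "rtu-gw03"]

RETENTION = timedelta(days=90)  # ninety calendar days (CIP-006-3 R7, CIP-007-3 R6.4)


def parse_ts(field):
    """Parse the UTC timestamps the sample log uses, e.g. 2014-11-03T08:00:12Z."""
    return datetime.strptime(field, "%Y-%m-%dT%H:%M:%SZ")


def parse_lines(text):
    """Return (timestamp, host, message) for each well-formed log line;
    truncated lines are skipped rather than failing the whole check."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        events.append((parse_ts(parts[0]), parts[1], parts[2]))
    return events


def silent_sources(text, required, now, max_silence_minutes):
    """Return the required sources whose newest event is older than
    max_silence_minutes, or that have no events at all, sorted by name."""
    now_ts = parse_ts(now)
    limit = timedelta(minutes=max_silence_minutes)
    latest = {}
    for ts, host, _ in parse_lines(text):
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return sorted(h for h in required
                  if h not in latest or now_ts - latest[h] > limit)


def retention_decision(archived_on, now, incident_hold=False):
    """Return "keep" or "eligible-for-purge" for one log archive.  Archives
    linked to a reportable incident are held regardless of age, because the
    CIP-008-3 retention rules apply to them instead."""
    if incident_hold:
        return "keep"
    if parse_ts(now) - parse_ts(archived_on) < RETENTION:
        return "keep"
    return "eligible-for-purge"


if __name__ == "__main__":
    now = "2014-11-03T09:00:00Z"
    print("silent sources:", silent_sources(SAMPLE_LOG, REQUIRED_SOURCES, now, 60))
    print("archive of 2014-07-01:", retention_decision("2014-07-01T00:00:00Z", now))
```

Run against the constructed data with a one-hour threshold, the receipt check flags rtu-gw03 (never reported) and scada-srv02 (last event the previous night); the retention check keeps anything younger than ninety days or under an incident hold and marks the rest eligible for purge, leaving the actual deletion to a separately approved step.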

PR.PT-2: Removable media is protected and its use restricted according to policy
C2M2 practices: IAM-2a, IAM-2b, IAM-1c, IAM-2c, IAM-2e, IAM-3f, IAM-1i
Guidance: 1. This requirement will be addressed in CIP version 6

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
C2M2 practices: IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g, IAM-2h, IAM-2i

NERC CIP v3: CIP-004-3 R4.2: The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
Guidance: 1. A formal procedure or process should be defined for revoking logical system access and shared account access. The procedure or process should clearly state the triggering events (e.g., termination, promotion, job transfer) for access revocation and how those events are incorporated into access revocation processes. This can be accomplished through a written procedure or documented workflow.

NERC CIP v3: CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
Guidance: 1. There should be a formal procedure or process to monitor and control remote access.

NERC CIP v3: CIP-007-3 R5.1: The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.
Guidance: 1. A formal procedure or process should be defined for managing logical system access. The procedure or process should encompass: (1) granting of access (including training and background checks), and (2) periodic review of access permissions (including review and update of training and background checks). The procedure or process should demonstrate implementation of "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

NERC CIP v3: CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
Guidance: 1. There should be a formal procedure or process for managing system access controls to protect systems from unauthorized access. The procedure or process should define: (1) the use of authentication methods; (2) management of default accounts provided by vendors and accounts shared by multiple people; (3) management of all entity-defined accounts shared by multiple people, including generic, service, and administrator accounts; (4) implementation of password requirements, including complexity and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
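The CIP-004-3 R4.2 deadlines (24 hours for termination for cause, seven calendar days otherwise) appear under both PR.IP-11 and PR.PT-3 above. As an added example that is not part of the working group's mapping, the following Python script checks HR triggering events against the times an access system actually disabled the accounts and reports every revocation that was late or is still overdue. The person identifiers, event times and revocation records are constructed sample data:

```python
"""Access-revocation deadline check against CIP-004-3 R4.2 (constructed
example, not part of the CIPC mapping).  Input is a list of HR triggering
events and the account-disable records from an access system; output is
every person whose Critical Cyber Asset access was, or still is, past its
deadline: 24 hours for termination for cause, seven calendar days when the
person simply no longer requires access.  All names and times are constructed."""
from datetime import datetime, timedelta

DEADLINES = {
    "terminated_for_cause": timedelta(hours=24),
    "no_longer_requires_access": timedelta(days=7),
}


def parse_ts(field):
    return datetime.strptime(field, "%Y-%m-%dT%H:%M:%SZ")


# Constructed HR events: (person, trigger, time the trigger occurred).
HR_EVENTS = [
    ("j.doe", "terminated_for_cause", "2014-11-03T09:00:00Z"),
    ("a.smith", "no_longer_requires_access", "2014-10-20T14:00:00Z"),
    ("b.lee", "no_longer_requires_access", "2014-11-01T08:00:00Z"),
    ("c.wong", "terminated_for_cause", "2014-11-03T08:00:00Z"),
]

# Constructed revocation records: person -> time access was disabled
# (None means the account is still active).
REVOCATIONS = {
    "j.doe": "2014-11-04T15:30:00Z",   # 30.5 h after the trigger: late
    "a.smith": "2014-10-24T09:00:00Z",  # within seven days: fine
    "b.lee": None,                       # still active
    "c.wong": "2014-11-03T20:00:00Z",   # 12 h after the trigger: fine
}


def revocation_findings(hr_events, revocations, now):
    """Return a sorted list of (person, status) for every event that breaches
    its deadline.  Status is "late" when access was disabled after the
    deadline and "overdue" when it is still active and the deadline has
    passed.  Active accounts whose deadline lies in the future are not
    findings yet, so the check can be run repeatedly (e.g. hourly)."""
    now_ts = parse_ts(now)
    findings = []
    for person, trigger, when in hr_events:
        deadline = parse_ts(when) + DEADLINES[trigger]
        disabled = revocations.get(person)
        if disabled is None:
            if now_ts > deadline:
                findings.append((person, "overdue"))
        elif parse_ts(disabled) > deadline:
            findings.append((person, "late"))
    return sorted(findings)


if __name__ == "__main__":
    for person, status in revocation_findings(HR_EVENTS, REVOCATIONS, "2014-11-10T12:00:00Z"):
        print(person, status)
```

The distinction between "late" (a closed breach that belongs in the compliance record) and "overdue" (an open one that needs action now) is what makes the output usable both as an audit artifact and as an operational alert; feeding it real HR and directory exports is a matter of replacing the two constructed inputs.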

PR.PT-4: Communications and control networks are protected
C2M2 practices: CPM-3a, CPM-3b, CPM-3c, CPM-3d

NERC CIP v3: CIP-005-3 R1: Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
Guidance: 1. There should be a formal procedure or process to secure communications and control networks.

NERC CIP v3: CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
Guidance: 1. There should be a formal procedure or process to secure communications and control networks using remote access.

NERC CIP v3: CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
Guidance: 1. Rules for the implementation of access control to communications and control network protections should be included in the entity's official security policy.

Anomalies and Events (AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
C2M2 practices: SA-2b, SA-2e
Guidance: 1. Baseline network monitoring practices can be integrated within the entity's CIP-005-5 R1.5 Malicious Communications program, CIP-007-5 R3 Malicious Code Prevention program, and/or CIP-010-1 R2 Change Monitoring program.

DE.AE-2: Detected events are analyzed to understand attack targets and methods
C2M2 practices: IR-2i, IR-3h

NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance: 1. Security policy must include intrusion detection and a process for analyzing detected events including target and attack methodology.

NERC CIP v3: CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Guidance: 1. Monitoring tools and log sources should be configured to collect event data at a level of granularity necessary to effectively analyze the event.

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. Response plans should include processes for detailed analysis of the event, and a feedback loop to ensure the same event will be more effectively detected or prevented in the future.


DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
C2M2 practices: IR-1e, IR-1f, IR-2i

NERC CIP v3: CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Guidance: 1. Select and implement security event logging and monitoring tools that can analyze events from multiple sources and are capable of alerting based on correlated events
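To make the DE.AE-3 guidance concrete, here is an added Python example (not part of the working group's mapping, and not a description of any particular monitoring product) that correlates two constructed log feeds, Electronic Access Point firewall denies and host authentication failures, on source address within a time window and alerts only when both feeds agree. The log lines, host names, addresses and the ten-minute window are constructed assumptions:

```python
"""Multi-source event correlation (constructed example, not part of the CIPC
mapping).  Joins two log sources, perimeter firewall denies and host
authentication failures, on source IP within a time window and reports one
alert per source IP that shows up in both.  Neither feed alone need cross a
sensible threshold; the combination is what earns an analyst's attention.
All addresses, host names and lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2014-11-03T10:01:05Z eap-fw01 DENY src=10.1.5.7 dst=10.2.0.10 dport=502
2014-11-03T10:01:09Z eap-fw01 DENY src=10.1.5.7 dst=10.2.0.11 dport=502
2014-11-03T10:30:00Z eap-fw01 DENY src=10.1.9.3 dst=10.2.0.10 dport=22
"""

AUTH_LOG = """\
2014-11-03T10:03:41Z scada-srv02 sshd Failed password for operator from 10.1.5.7
2014-11-03T10:03:47Z scada-srv02 sshd Failed password for operator from 10.1.5.7
2014-11-03T12:15:00Z scada-srv02 sshd Failed password for admin from 10.1.9.3
"""


def parse_ts(field):
    return datetime.strptime(field, "%Y-%m-%dT%H:%M:%SZ")


def firewall_denies(text):
    """Map source IP -> list of deny timestamps (ACCEPT lines are ignored)."""
    out = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if "DENY" not in fields:
            continue
        src = next(f[4:] for f in fields if f.startswith("src="))
        out[src].append(parse_ts(fields[0]))
    return out


def auth_failures(text):
    """Map source IP -> list of failed-login timestamps; the address is the
    last token of an sshd 'Failed password ... from <ip>' line."""
    out = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if "Failed" in fields and "from" in fields:
            out[fields[-1]].append(parse_ts(fields[0]))
    return out


def correlate(fw_text, auth_text, window_minutes=10):
    """Return the sorted source IPs that have at least one firewall deny
    followed, within window_minutes, by a host login failure."""
    window = timedelta(minutes=window_minutes)
    denies = firewall_denies(fw_text)
    failures = auth_failures(auth_text)
    hits = set()
    for src, deny_times in denies.items():
        for fail in failures.get(src, []):
            # Only count a failure that comes after a deny, not before it.
            if any(timedelta(0) <= fail - d <= window for d in deny_times):
                hits.add(src)
                break
    return sorted(hits)


if __name__ == "__main__":
    for src in correlate(FIREWALL_LOG, AUTH_LOG):
        print("correlated alert: perimeter deny then host auth failure from", src)
```

With the default ten-minute window only 10.1.5.7 is reported; widening the window to two hours also catches 10.1.9.3, which illustrates why the window is a tuning parameter to be set against the entity's own traffic rather than a constant. The same join, keyed on a user name or an asset identifier instead of an address, covers the physical-access and account-management feeds listed elsewhere in this mapping.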

DE.AE-4: Impact of events is determined
C2M2 practices: IR-2b, IR-2d, IR-2g

NERC CIP v3: CIP-008-3 R1.2: Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans.
Guidance: 1. Must have a procedure for classifying events, e.g., analyzing their impact.

DE.AE-5: Incident alert thresholds are established
C2M2 practices: IR-2d, TVM-1d, SA-2d, IR-2g, RM-2j

NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance: 1. Policies should address thresholds for invoking the response plans

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. Response to incidents should be triggered based on thresholds established with the plan and per the entity's policies

Detection Processes (DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
C2M2 practices: IR-1a, IR-3a, WM-1a, WM-1b, WM-1d, WM-1f, WM-1h

NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance: 1. Roles and responsibilities of personnel as they relate to detected security events should be defined, as well as the training programs necessary to disseminate the required information.

NERC CIP v3: CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through CIP-009-3, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
Guidance: 1. Roles of any delegates specified by the CIP Senior Manager related to security event detection or response should be documented

NERC CIP v3: CIP-003-3 R2: Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-3 through CIP-009-3.
Guidance: 1. Role of the CIP Senior Manager in security event detection or response should be documented where appropriate

NERC CIP v3: CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Guidance: 1. Response actions for detected malicious code should include clear and pre-defined roles and responsibilities

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. Response actions for detected malicious code should include clear and pre-defined roles and responsibilities

DE.DP-2: Detection activities comply with all applicable requirements
C2M2 practices: IR-1d, IR-1g, IR-5f, RM-1c, RM-2j

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. When preparing after-action reports for a security event, ensure processes include a review of responses against applicable company policies and external regulations

DE.DP-3: Detection processes are tested
C2M2 practices: IR-3e, IR-3j

NERC CIP v3: CIP-004-3 R2: Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.
Guidance: 1. Staff can be effectively trained on security event response by testing detection technologies and observing the response. For instance, regularly submit an EICAR file to a non-production cyber asset to test the malware detection/prevention system.

NERC CIP v3: CIP-006-3 R8: Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
Guidance: 1. Physical access controls are routinely tested

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. Detection tools can be tested during incident response drills

DE.DP-4: Event detection information is communicated to appropriate parties
C2M2 practices: IR-1b, IR-3c, ISC-1a, ISC-1c, ISC-1d, IR-3n, ISC-1h

NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance: 1. Policies should contain language addressing the notification of stakeholders of an event that meets documented thresholds


DE.DP-4: Event detection information is communicated to appropriate parties (continued)

NERC CIP v3: CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Guidance: 1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the effectiveness of the response actions and security controls.

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the effectiveness of the response actions and security controls.

DE.DP-5: Detection processes are continuously improved
C2M2 practices: IR-3h, IR-3k

NERC CIP v3: CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
Guidance: 1. The stated goal of the incident response testing program should be the strengthening of security controls through a process of regular review and assessment
2. Incident tests should be structured to emulate the current threat landscape and assess the ability of existing controls to mitigate or eliminate the risk

DETECT (DE)

Security Continuous Monitoring (CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events
C2M2 practices: SA-2a, SA-2b, SA-2e, SA-2f, SA-2g, SA-2i

NERC CIP v3: CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Guidance: 1. Monitoring of network access points is specified in CIP-005-5 R1.5
2. Monitoring can be enhanced by including analysis of traffic within the security perimeter

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
C2M2 practices: SA-2a, SA-2b, SA-2i

NERC CIP v3: CIP-006-3 R1.6: A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following:
Guidance: 1. Program should specify monitoring of visitors within a secure perimeter (human and/or electronic monitoring)

NERC CIP v3: CIP-006-3 R1: Physical Security Plan — The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s) that shall address, at a minimum, the following:
Guidance: 1. Plan should specify technical and procedural controls for monitoring the physical environment

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
C2M2 practices: SA-2a, SA-2b, SA-2i

NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance: 1. Policies should make clear that end-user activities will be monitored

NERC CIP v3: CIP-007-3 R5: Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
Guidance: 1. Access controls should be configured to properly log events related to personnel usage activities

NERC CIP v3: CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Guidance: 1. Monitoring tools should be capable of detecting interactive (personnel) activities separate from non-interactive (machine to machine) activities

DE.CM-4: Malicious code is detected
C2M2 practices: SA-2a, SA-2b, SA-2e, CPM-4a, SA-2i

NERC CIP v3: CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Guidance: 1. Policies should contain requirements for malware controls for any device initiating an interactive remote access session

NERC CIP v3: CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Guidance: 1. Processes should include criteria and thresholds for invoking incident response plans for detected malicious code

DE.CM-5: Unauthorized mobile code is detected
C2M2 practices: SA-2a, SA-2b, SA-2e, SA-2h, SA-2i

NERC CIP v3: CIP-003-3 R6: Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
Guidance: 1. Configuration monitoring procedures can be enhanced to include active monitoring of mobile device code, for any such assets that are in scope for NERC CIP including devices used for maintenance and testing

NERC CIP v3: CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Guidance: 1. Processes should include criteria and thresholds for invoking incident response plans for detected malicious code

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
C2M2 practices: EDM-2a, SA-2a, SA-2b, EDM-2j, EDM-2l, EDM-2n

NERC CIP v3: CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Guidance: 1. Electronic perimeter monitoring should include technical or procedural controls to detect potential cybersecurity events sourced from an external service provider


CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall

document and implement a cyber security policy that represents

management’s commitment and ability to secure its Critical Cyber

Assets. The Responsible Entity shall, at minimum, ensure the

following:

1. Policies should contain requirements for authorization of access

2. Personnel should be made aware that the entity is monitoring for unauthorized access

CIP-004-3 R3: Personnel Risk Assessment —The Responsible Entity

shall have a documented personnel risk assessment program, in

accordance with federal, state, provincial, and local laws, and

subject to existing collective bargaining unit agreements, for

personnel having authorized cyber or authorized unescorted physical

access to Critical Cyber Assets. A personnel risk assessment shall

be conducted pursuant to that program prior to such personnel being

granted such access except in specified circumstances such as an

emergency.

1. Personnel authorized to attain or retain authorized access to electronic or unescorted physical access

to BES cyber systems shall have a process identified to authenticate the individual and perform

appropriate background checks.

2. Personnel risk management program should stipulate consequences for violating policies related to

access management

CIP-006-3 R2: Protection of Physical Access Control Systems —

Cyber Assets that authorize and/or log access to the Physical

Security Perimeter(s), exclusive of hardware at the Physical Security

Perimeter access point such as electronic lock control mechanisms

and badge readers, shall:

CIP-006-3 R2.1: Be protected from unauthorized physical access.

1. Monitor for unauthorized personnel

CIP-006-3 R5: Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. One or more of the following monitoring methods shall be used:
Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
1. Monitor for unauthorized personnel

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
C2M2 practices: SA-2a, SA-2b, SA-2e, SA-2f, SA-2g, SA-2i

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Monitor for unauthorized access to a protected device
2. Monitor for unauthorized remote access to a protected network
3. Monitor for unauthorized devices within a protected network
4. Monitor for unauthorized software in conjunction with CIP-010-1 R2

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should make clear the stakeholders' expectations of the vulnerability assessment program

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Where malicious code prevention processes utilize signature-based protections, ensure scans are performed subsequent to any update to those signatures

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
1. If active assessment of a production environment is performed, it should be done in a way that minimizes the potential of adverse consequences. New cyber assets should be actively tested prior to deployment in a production system.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should include language that communicates management's expectations for responding to alerts from detection systems

DE.CM-8: Vulnerability scans are performed
C2M2 practices: TVM-2e, TVM-2i

Analysis (AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
C2M2 practices: IR-1e, SA-3a, IR-1f, IR-1h


CIP-006-3 R5: Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. One or more of the following monitoring methods shall be used:
Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

RS.AN-2: The impact of the incident is understood
C2M2 practices: IR-2d, IR-2g, IR-2d, TVM-1d, IR-2g, RM-2j

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. When implementing an incident response plan, response personnel should take deliberate actions only when the impact of the incident and their actions are understood

RS.AN-3: Forensics are performed
C2M2 practices: IR-3d, IR-3i

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policy should establish criteria for when and how forensic data is collected, handled, and analyzed

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures should include steps for how forensic data is collected, handled, and analyzed
2. Forensics activities are performed when specified in the response plans

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policy should establish a classification model for security events

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures should follow an established classification model to ensure that security events can be responded to quickly based on general characteristics

CIP-004-3 R2: Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.
1. The goal of the training should be that personnel know their roles and order of operations when a response is needed

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Roles and responsibilities of personnel as they relate to incident response should be defined within each plan

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies can be used to document management's expectations for incident reporting

RS.AN-4: Incidents are categorized consistent with response plans
C2M2 practices: IR-2a, IR-1d, IR-1e, IR-2d, TVM-1d, IR-2g, RM-1c

Communications (CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
C2M2 practices: IR-3a, IR-5a, IR-5b

RS.CO-2: Events are reported consistent with established criteria
C2M2 practices: IR-1a, IR-1b


CIP-006-3 R5: Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. One or more of the following monitoring methods shall be used:
Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
1. Reporting criteria should address events detected at physical access points

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Reporting criteria should address events detected at electronic access points

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Reporting criteria should address events detected by monitoring tools

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures for event reporting should be specified within each response plan

RS.CO-3: Information is shared consistent with response plans
C2M2 practices: ISC-1a, ISC-1b, IR-3d, ISC-1c, ISC-1d

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures for event reporting should be specified within each response plan

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies can be used to document management's expectations for incident reporting and coordination with stakeholders

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures for event reporting should be specified within each response plan

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies can be used to document management's expectations for incident reporting and coordination with stakeholders

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Procedures for information sharing should be specified within each response plan

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should contain language that communicates management's requirements for strengthening response plans by incorporating findings from lessons-learned analysis

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Response plans should be written to include references to lessons-learned or procedural enhancements that were the result of a prior incident

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should contain language that communicates management's requirements for reviewing and updating incident response plans

RESPOND (RS)

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
C2M2 practices: IR-3d, IR-5b

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
C2M2 practices: ISC-1a, ISC-1b, IR-3c, ISC-1c, ISC-1d, ISC-1e, ISC-1f, ISC-1h, ISC-1i, ISC-1j, ISC-1k, ISC-1l

Improvements (IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
C2M2 practices: IR-3h

RS.IM-2: Response strategies are updated
C2M2 practices: IR-3e, IR-3k


CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Plans should be reviewed and updated according to the periodicity specified in the policy

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-006-3 R5: Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. One or more of the following monitoring methods shall be used:
Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at electronic access points

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by malicious code prevention systems

Mitigation (MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
C2M2 practices: IR-3b

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by event monitoring systems

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Incident response procedures should specify a model of containment, eradication, and recovery

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-006-3 R5: Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. One or more of the following monitoring methods shall be used:
Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at electronic access points

RS.MI-2: Incidents are mitigated
C2M2 practices: IR-3b


CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by malicious code prevention systems

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by event monitoring systems

CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Incident response procedures should specify a model of containment, eradication, and recovery

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Policies should contain language that communicates management's requirements for addressing newly identified vulnerabilities

CIP-007-3 R3: Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
1. Patch management plans should include procedures for addressing zero-day or imminent threat vulnerabilities

CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Malicious code prevention plans should include procedures for addressing zero-day or imminent threat vulnerabilities

CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
1. Vulnerability management plans should include procedures for notification of and response to zero-day or imminent threat vulnerabilities

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
C2M2 practices: TVM-2c, TVM-2f, TVM-2g, RM-2j, TVM-2m, TVM-2n

Response Planning (RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
C2M2 practices: IR-3d
CIP-008-3 R1: Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
1. Response plan is executed during or after an event

RC.CO-1: Public Relations are managed
C2M2 practices: TVM-1d, IR-4d, RM-1c
1. Within the context of the incident and emergency response program, define a communications plan that specifically addresses external stakeholders
2. Create pre-defined templates for communications in response to predictable events

RC.CO-2: Reputation after an event is repaired
C2M2 practices: IR-4d
1. Within the context of the incident and emergency response program, define a communications plan that specifically addresses external stakeholders
2. Create pre-defined templates for communications in response to predictable events

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Ensure security policy defines criteria for communications to all stakeholders

CIP-009-3 R1: Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
1. Ensure recovery plans include communications criteria based on severity of event

CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed.
1. Update communications protocols as necessary to match the changing business

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Ensure security policy defines criteria for managing updates to recovery plans

Communications (CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
C2M2 practices: IR-3d, IR-5e

Improvements (IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
C2M2 practices: IR-3h, IR-4i, IR-3k


CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed.
1. Ensure response plans define a process for after-action review of all activities associated with a real or simulated event, including a defined communications plan.

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Ensure security policy defines criteria for managing updates to recovery plans

CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed.
1. Ensure response plans are informed by the risk program, and are routinely updated

CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Define expectations and roles and responsibilities within the security policy. Include contingencies and management practices where policy provisions can be suspended and tracked in response to emergency events.

CIP-007-3 R6: Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
1. Ensure a clear escalation path exists between routine system monitoring activities and the recovery plans.

CIP-009-3 R1: Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and recovery plans give precedence to higher risk systems.

CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed.

1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure that recovery plans give precedence to higher-risk systems.

Recovery Planning (RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RECOVER (RC)

RC.RP-1: Recovery plan is executed during or after an event

C2M2 Practices: IR-3b IR-3o IR-4k

RC.IM-2: Recovery strategies are updated

C2M2 Practices: IR-3h IR-3k

Abbreviation  Domain

ACM  Asset, Change, and Configuration Management

CPM  Cybersecurity Program Management

EDM  Supply Chain and External Dependencies Management

IAM  Identity and Access Management

IR   Event and Incident Response, Continuity of Operations

ISC  Information Sharing and Communications

RM   Risk Management

SA   Situational Awareness

TVM  Threat and Vulnerability Management

WM   Workforce Management

** C2M2 Domains and Abbreviations

Page 23 of 23

Page 27: CIPC Control Systems Security Working Group...1. Communication and data flow documentation should include any communication and data flows between BES Cyber Systems and other systems

MIL 1 MIL 2 MIL 3

CIP-002-5.1 R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

1. Ensure inventory includes assets in all security zones

2. Must establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).

CIP-002-5.1 R2: The Responsible Entity shall: (2.1) Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and; (2.2) Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

1. Perform zone-level inventories regularly and compare with previous iterations

2. Results are reviewed by a person with authority to approve

CIP-003-5 R2: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). (2.1) Cyber security awareness; (2.2) Physical security controls; (2.3) Electronic access controls for external routable protocol connections and Dial-up Connectivity; and (2.4) Incident response to a Cyber Security Incident.

1. Policy language should address inventory and asset management

CIP-002-5.1 R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

1. Ensure inventory includes assets in all security zones

2. Ensure for all registered functions that all BES reliability operating services performed are identified and evaluated. Reference CIP-002-5.1 Guidelines and Technical Basis.

- Dynamic Response to BES conditions

- Balancing Load and Generation

- Controlling Frequency (Real Power)

- Controlling Voltage (Reactive Power)

- Managing Constraints

- Monitoring & Control

- Restoration of BES

- Situational Awareness

- Inter-Entity Real-Time Coordination and Communication

CIP-002-5.1 R2: The Responsible Entity shall: (2.1) Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and; (2.2) Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

1. Ensure reviews include participation of all NERC registered functions at a minimum.

CIP-002-5.1 R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

1. Communication and data flow documentation should include any communication and data flows between BES Cyber Systems and other systems such as business systems, physical security systems, etc.

Mapping of NIST Cybersecurity Framework to NERC CIP version 5

Nov-14

C2M2 Practices **

Function Category Subcategory NERC CIP v5 Guidance for combined NERC CIP v5 & NIST CSF

ID.AM-1: Physical devices and systems within the organization are inventoried

C2M2 Practices: ACM-1a ACM-1c ACM-1e ACM-1f

ID.AM-2: Software platforms and applications within the organization are inventoried

C2M2 Practices: ACM-1b ACM-1c ACM-1e ACM-1f

ID.AM-3: Organizational communication and data flows are mapped

C2M2 Practices: RM-2g ACM-1e

Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Page 1 of 34


CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Electronic Security Perimeters (CIP-005) including Interactive Remote Access;

1. Ensure organizational policies include a reference to the CIP Senior Manager's role in approving cybersecurity policies for NERC CIP systems.

CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.

1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity

2. Data flows should be classified according to the sensitivity of the information

CIP-011-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-1 Table R1 – Information Protection.

1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity

2. Data flows should be classified according to the sensitivity of the information

CIP-002-5.1 R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

1. Ensure inventory includes assets in all security zones

2. Must establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).

CIP-002-5.1 R2: The Responsible Entity shall: (2.1) Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and; (2.2) Have

1. Perform zone-level inventories regularly and compare with previous iterations

2. Results are reviewed by a person with authority to approve

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policy language should address inventory and asset management

CIP-003 R2: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

2.1 Cyber security awareness;

2.2 Physical security controls;

2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and

2.4 Incident response to a Cyber Security Incident.

An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.

1. Policy language should address inventory and asset management

2. Policy language should address criteria for connecting external information systems

3. Information systems should be considered 'external' if they interconnect across security zones

CIP-005-5 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.

1. Ensure documentation includes a reason for each inbound/outbound access flow

2. Ensure inventory includes assets in all security zones

3. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).

ID.AM-4: External information systems are catalogued

C2M2 Practices: EDM-1a EDM-1c EDM-1e EDM-1g RM-1c


CIP-002-5.1 R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

1. Ensure inventory includes assets in all security zones

2. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policy language should address inventory and asset management

2. Inventories should include classification, criticality, and business value

CIP-003 R2: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

2.1 Cyber security awareness;

2.2 Physical security controls;

2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and

2.4 Incident response to a Cyber Security Incident.

An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.

1. Policy language should address inventory and asset management

2. Inventories should include classification, criticality, and business value

CIP-005-5 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.

1. Ensure inventory includes assets in all security zones

2. Ensure CIP-005-5 diagrams are coded to highlight classification, criticality, and business value for each BES Cyber System

CIP-009-5 R1 - 1.1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1:

1.1 Conditions for activation of the recovery plan(s).

1. Recovery plans should be prioritized based on classification, criticality, and business value

CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Personnel & training (CIP-004)

1. Ensure policy includes cybersecurity roles and responsibilities for the entire workforce, including third-party stakeholders

CIP-003-5 R3: Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.

1. Clearly define the boundaries of the responsibilities of the CIP Senior Manager

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

C2M2 Practices: ACM-1a ACM-1b ACM-1c ACM-1d

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

C2M2 Practices: WM-1a WM-1b WM-1c


CIP-003-5 R4: The Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.

1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues related to third-party stakeholders

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R4 – Access Management Program.

1. Ensure cybersecurity provisioning procedures include handling of third-party access requests

2. Ensure cybersecurity staff are trained on access management procedures and policies related to third-party access requests

ID.BE-1: The organization’s role in the supply chain is identified and communicated

C2M2 Practices: EDM-1b EDM-1d EDM-1f EDM-1g RM-1c

1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues related to third-party stakeholders

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

C2M2 Practices: EDM-1b EDM-1d CPM-1c EDM-1f EDM-1g RM-1c

1. Opportunities to communicate the organization's place in critical infrastructure include: security awareness, annual cybersecurity training, and organizational policies

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

C2M2 Practices: RM-3b RM-1c

1. Opportunities to communicate the organization's mission, objectives, and activities include: security awareness, annual cybersecurity training, and organizational policies

ID.BE-4: Dependencies and critical functions for delivery of critical services are established

C2M2 Practices: ACM-1a ACM-1b EDM-1a ACM-1c ACM-1d EDM-1c EDM-1e ACM-1e ACM-1f RM-1c EDM-1g

CIP-002-5.1 R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of critical services that are supported by networks other than those subject to NERC CIP

ID.BE-5: Resilience requirements to support delivery of critical services are established

C2M2 Practices: IR-4a IR-4b IR-4c IR-4e

CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1 – Recovery Plan Specifications.

1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of critical services that are supported by networks other than those subject to NERC CIP

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Establish an organization information security policy

ID.GV-1: Organizational information security policy is established

C2M2 Practices: RM-1a CPM-2g CPM-5d RM-3e

Business Environment (BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Governance (GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

IDENTIFY (ID)


CIP-003-5 R2: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). (2.1) Cyber security awareness; (2.2) Physical security controls; (2.3) Electronic access controls for external routable protocol connections and Dial-up Connectivity; and (2.4) Incident response to a Cyber Security Incident.

1. Establish an organization information security policy

CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity’s personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

1. Ensure employees and third parties are made aware of the organizational security policy

CIP-004-5.1 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented personnel risk assessment programs to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R3 – Personnel Risk Assessment Program.

1. Ensure employees and third parties are provided annual training on the contents of the organizational security policy

CIP-003-5 R3: Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.

1. Develop a clear policy "line of sight" extending from the Board level down to the end user

2. Establish clear responsibilities both inside and outside the NERC cyber security program

CIP-003-5 R4: The Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.

1. Ensure that information security roles and responsibilities for BES Cyber Systems are consistent and compatible with the information security roles and responsibilities for other enterprise systems (e.g., IT or physical security).

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

C2M2 Practices: CPM-2k IR-3n RM-3f ACM-4f IAM-3f TVM-3f SA-4f ISC-2f IR-5f EDM-3f WM-5f

1. Enhance the cybersecurity training and awareness program by including content on the NERC ERO model, the NIST Cybersecurity Framework, and any related regulatory frameworks.

ID.GV-4: Governance and risk management processes address cybersecurity risks

C2M2 Practices: RM-2a RM-2b RM-3b RM-2h RM-3e RM-1c RM-1e

1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-scope assets, organizations should focus on integrating their methodology with their enterprise risk-management frameworks.

2. Additional cyber systems should be identified and protected based on their risk to the business or risk to the reliability of the bulk electric system

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners

C2M2 Practices: WM-1a WM-1b WM-1c WM-5b ISC-2b WM-1f WM-1g


CIP-010-1 R3: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R3 – Vulnerability Assessments.

CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Electronic Security Perimeters (CIP-005) including Interactive Remote Access;

1. Policies for Interactive Remote Access should be established

2. Adherence to Interactive Remote Access policies should be measured as part of the vulnerability assessment processes

CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: System security management (CIP-007);

1. Policies for Systems Security Management should be established

2. Adherence to Systems Security Management policies should be measured as part of the vulnerability assessment processes

CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Configuration change management and vulnerability assessments (CIP-010);

1. Policies for Change Management should be established

2. Adherence to Change Management policies should be measured as part of the vulnerability assessment processes

CIP-003-5 R1 - 1.3: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Physical security of BES Cyber Systems (CIP-006);

1. Policies for Physical Access should be established

2. Adherence to Physical Access policies should be measured as part of the vulnerability assessment processes

CIP-007-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.

1. Security Patch Management should be established

2. Adherence to Security Patch Management practices should be measured as part of the vulnerability assessment processes

3. Missing security patches should be compared to the documented mitigation plans

CIP-007-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.

1. Ensure you are receiving threat and vulnerability information from sources such as ICS-CERT, ES-ISAC, US-CERT, relevant vendor forums, and other applicable information sharing forums and sources.

CIP-010-1 R3: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-010-1 Table R3 – Vulnerability

Assessments.

1. Enhance the vulnerability assessment processes by including a threat management practice that can be executed quickly in reaction to a threat (a zero-day attack targeting Bash, for instance).

ID.RA-3: Threats, both internal and external, are

identified and documented

TVM-1a

TVM-1b

TVM-1d

TVM-1e

TVM-1f

RM-1c

RM-2j

TVM-1i

TVM-1j

CIP-007-5 R4 - 4.1: Log events at the BES Cyber System level (per

BES Cyber System capability) or at the Cyber Asset level (per Cyber

Asset capability) for identification of, and after-the-fact investigations

of, Cyber Security Incidents that includes,

as a minimum, each of the following types of events:

4.1.1. Detected successful login attempts;

4.1.2. Detected failed access attempts and failed login attempts;

4.1.3. Detected malicious code.

1. Enhance the threat management practice by implementing procedures to:

- modify logging levels in reaction to high-impact threat

- obtain signatures of known attacks and search your environment for matches

- perform vulnerability scans against test or standby systems whose configuration matches production

systems

- establish multi-tier response guidelines such that security events are researched more quickly under

higher threat levels
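As an added example (not part of the original mapping), the following Python script shows one way to put the CIP-007-5 R4 Part 4.1 event types and the tiered response described above into working detection logic. It classifies constructed syslog-style lines into detected successful logins (4.1.1), detected failed login attempts (4.1.2) and detected malicious code (4.1.3), and raises an alert when failed logins against one account reach a threshold inside a sliding window, with the threshold tightened under an "elevated" threat tier. The log format, host and account names, window and thresholds are constructed assumptions, not values taken from the standard.

```python
"""Classify authentication and anti-malware log events into the CIP-007-5
R4 Part 4.1 event types and alert on repeated failed logins.

Added example for this mapping; it is not part of the original document.
The syslog-style format, host/account names, windows and thresholds below
are constructed assumptions, not values taken from the standard.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <host> <process>: <message>".
SAMPLE_LOG = """\
2014-11-03T10:00:01 ems-hmi-01 sshd: Accepted password for operator from 10.20.1.15
2014-11-03T10:00:05 ems-hmi-01 sshd: Failed password for root from 10.20.1.77
2014-11-03T10:00:09 ems-hmi-01 sshd: Failed password for root from 10.20.1.77
2014-11-03T10:00:14 ems-hmi-01 sshd: Failed password for root from 10.20.1.77
2014-11-03T10:00:20 ems-hmi-01 sshd: Failed password for root from 10.20.1.77
2014-11-03T10:01:00 ems-hmi-01 sshd: Failed password for invalid user admin from 10.20.1.77
2014-11-03T10:02:30 ems-hmi-01 clamd: FOUND Win.Trojan.Agent in /tmp/update.exe
2014-11-03T10:05:00 ems-hmi-01 sshd: Accepted publickey for svc_backup from 10.20.1.9
2014-11-03T10:30:00 ems-hmi-01 sshd: Failed password for operator from 10.20.1.15
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+)")
FAILED_RE = re.compile(r"Failed \w+ for (?:invalid user )?(\S+)")

# Response tiers: (failed attempts, within window). The elevated tier tightens
# the threshold so events are escalated sooner under a higher threat level.
TIERS = {
    "normal": (5, timedelta(minutes=10)),
    "elevated": (3, timedelta(minutes=10)),
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str            # "4.1.1", "4.1.2" or "4.1.3"
    account: str | None  # None for events not tied to an account
    message: str


def classify(proc: str, msg: str):
    """Map one log message to a CIP-007-5 R4 4.1 event type, or (None, None)."""
    if proc == "sshd":
        m = ACCEPTED_RE.search(msg)
        if m:
            return "4.1.1", m.group(1)      # detected successful login
        m = FAILED_RE.search(msg)
        if m:
            return "4.1.2", m.group(1)      # detected failed login attempt
    elif proc == "clamd" and msg.startswith("FOUND"):
        return "4.1.3", None                # detected malicious code
    return None, None


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, account = classify(m["proc"], m["msg"])
        if kind is not None:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                kind, account, m["msg"]))
    return events


def count_by_type(events: list[Event]) -> dict[str, int]:
    """Evidence that each required event type is actually being captured."""
    return dict(Counter(e.kind for e in events))


def failed_login_alerts(events: list[Event], tier: str = "normal"):
    """Return (host, account, first_ts, last_ts) for each account whose failed
    logins reach the tier's threshold inside the sliding window."""
    limit, window = TIERS[tier]
    stamps_by_account = defaultdict(list)
    for e in events:
        if e.kind == "4.1.2":
            stamps_by_account[(e.host, e.account)].append(e.ts)
    alerts = []
    for (host, account), stamps in stamps_by_account.items():
        stamps.sort()
        start = 0
        for i, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if i - start + 1 >= limit:
                alerts.append((host, account, stamps[start], ts))
                break   # one alert per account; later failures join that case
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("events by type:", count_by_type(evs))
    for tier in TIERS:
        print(tier, "tier alerts:", failed_login_alerts(evs, tier))
```

With the constructed input, the four failures against root within fifteen seconds stay below the normal-tier threshold but trigger an alert under the elevated tier, which is the behaviour the multi-tier response guideline above is after. The per-type counts double as a check that each of the three required event types is actually being logged and parsed.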

ID.RA-1: Asset vulnerabilities are identified and

documented

TVM-2a

TVM-2b

TVM-2c

TVM-2d

TVM-2e

TVM-2f

RM-1c

RM-2j

TVM-2i

TVM-2j

TVM-2k

TVM-2l

TVM-2m

ID.RA-2: Threat and vulnerability information is

received from information sharing forums and

sources

TVM-1a

TVM-1b

TVM-2a

TVM-2b

Risk Assessment (RA): The organization understands

the cybersecurity risk to organizational operations

(including mission, functions, image, or reputation),

organizational assets, and individuals.


MIL 1 MIL 2 MIL 3

Mapping of NIST Cybersecurity Framework to NERC CIP version 5

Nov-14

C2M2 Practices **

Function Category Subcategory NERC CIP v5 Guidance for combined NERC CIP v5 & NIST CSF

ID.RA-4: Potential business impacts and

likelihoods are identified

TVM-1d

TVM-1f

TVM-1i

CIP-002-5.1 R1: Each Responsible Entity shall implement a process

that considers each of the following assets for purposes of parts 1.1

through 1.3: i. Control Centers and backup Control Centers; ii.

Transmission stations and substations; iii. Generation resources;

iv.Systems and facilities critical to system restoration, including

Blackstart Resources and Cranking Paths and initial switching

requirements; v.Special Protection Systems that support the reliable

operation of the Bulk Electric System; and vi.For Distribution

Providers, Protection Systems specified in Applicability section 4.2.1

above.

1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-

scope assets, organizations should focus on integrating their methodology with their enterprise risk-

management frameworks.

2. Additional cyber systems should be identified and protected based on their risk to the business or risk to

the reliability of the bulk electric system

CIP-007-5 R2: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R2 – Security Patch

Management.

1. Enhance patch mitigation plans by documenting impacts and business risk

2. Business risk can be informative for scheduling patch deployments and mitigation plans

CIP-010-1 R3: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-010-1 Table R3 – Vulnerability

Assessments.

1. Enhance vulnerability assessment processes by documenting potential impacts and business risk

2. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans

CIP-007-5 R2: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R2 – Security Patch

Management.

1. Business risk can be informative for scheduling patch deployments and mitigation plans

CIP-008-5 R1 - 1.1: Each Responsible Entity shall document one or

more Cyber Security Incident response plan(s) that collectively

include

1.1 One or more processes to identify, classify, and respond to Cyber

Security Incidents.

1. Business risk can be informative for developing prioritized incident response plans

CIP-010-1 R3: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-010-1 Table R3 – Vulnerability

Assessments.

1. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans

ID.RM-1: Risk management processes are

established, managed, and agreed to by

organizational stakeholders

RM-2a

RM-2b

RM-1a

RM-1b

RM-2c

RM-2d

RM-2e

RM-2f

RM-2g

RM-3a

RM-3b

RM-3c

RM-3d

RM-1c

RM-1d

RM-1e

RM-2h

RM-2i

RM-2j

RM-3e

RM-3f

RM-3g

RM-3h

RM-3i

1. Enterprise risk management practices should include risks associated with BES Cyber Systems, to

include what is unique about these systems as well as what makes them similar to other enterprise

information systems.

ID.RM-2: Organizational risk tolerance is

determined and clearly expressed

RM-1c

RM-1e

1. Risks should be assigned to business process owners who have the authority to effect change, mitigate,

or accept risk.

ID.RM-3: The organization’s determination of

risk tolerance is informed by their role in critical

infrastructure and sector specific risk analysis

RM-1b

RM-1c

1. Business process owners who manage risks associated with BES Cyber Systems should be educated in their responsibilities as a critical infrastructure custodian.

CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Personnel & training (CIP‐004)

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

2. Policies should include requirements for granting access only when background check and training

requirements are met

ID.RA-6: Risk responses are identified and

prioritized

RM-2e

RM-1c

RM-2j

TVM-1i

TVM-2l

IR-3m

IR-4d

IR-4e

PR.AC-1: Identities and credentials are

managed for authorized devices and users

IAM-1a

IAM-1b

IAM-1c

IAM-1d

IAM-1e

IAM-1f

RM-1c

IAM-1g

ID.RA-5: Threats, vulnerabilities, likelihoods,

and impacts are used to determine risk

RM-1c

RM-2j

TVM-1i

TVM-2l

TVM-2m

Risk Management Strategy (RM): The organization’s

priorities, constraints, risk tolerances, and assumptions

are established and used to support operational risk

decisions.

Access Control (AC): Access to assets and associated

facilities is limited to authorized users, processes, or

devices, and to authorized activities and transactions.


CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: System security management (CIP‐007);

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

2. Policies should include requirements for management of system-level credentials

CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified

in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall

implement, in a manner that identifies, assesses, and corrects

deficiencies, one or more documented cyber security policies that

collectively address the following topics, and review and obtain CIP

Senior Manager approval for those policies at least once every 15

calendar months: Electronic access controls for external routable

protocol connections and Dial-up Connectivity

1. Access control rules for asset and facility access should be clearly stated in an organizational policy with

a goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

2. Policies should include requirements for management of credentials related to secure dial-up

connections.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access management programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R4 – Access Management Program.

1. A formal procedure or process should be defined for managing logical system access. The procedure or

process should encompass: (1) granting of access (including training and background checks), and (2)

periodic review of access permissions (including review and update of training and background checks).

The procedure or process should demonstrate implementation of "principle of least privilege" or "need to

know". This can be accomplished through a written procedure or documented workflow.

CIP-004-5.1 R5: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access revocation programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R5 – Access Revocation.

1. A formal procedure or process should be defined for revoking logical system access and shared account

access. The procedure or process should ensure that the triggering events (e.g., termination, promotion,

job transfer) for access revocation are clearly stated and how those events are incorporated into access

revocation processes. This can be accomplished through a written procedure or documented workflow.

CIP-007-5 R5: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R5 – System Access Controls.

1. There should be a formal procedure or process for managing system access controls to protect systems

from unauthorized access. The procedure or process should define: (1) the use of authentication methods;

(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)

management of all entity-defined accounts shared by multiple people, including generic, service, and

administrator accounts; (4) implementation of password requirements, including complexity and periodic

changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.

CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Personnel & training (CIP‐004)

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

2. Policies should include requirements for granting access only when background check and training

requirements are met.

CIP-003-5 R1 - 1.3: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Physical security of BES Cyber Systems

(CIP‐006);

1. Access control rules for physical access should be clearly stated in an organizational policy with a goal

to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to use". The access control policy should be periodically reviewed and

approved by an appropriate member of senior management.

CIP-003-5 R2 - 2.2: Each Responsible Entity for its assets identified

in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented cyber security policies that collectively address the

following topics, and review and obtain CIP Senior Manager approval

for those policies at least once every 15 calendar months: Physical

security controls;

1. Access control rules for physical access should be clearly stated in an organizational policy with a goal

to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to use". The access control policy should be periodically reviewed and

approved by an appropriate member of senior management.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access management programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R4 – Access Management Program.

1. A formal procedure or process should be defined for managing physical access. The procedure or

process should encompass: (1) granting of access (including training and background checks), and (2)

periodic review of access permissions (including review and update of training and background checks).

The procedure or process should demonstrate implementation of "principle of least privilege" or "need to

know". This can be accomplished through a written procedure or documented workflow.

CIP-004-5.1 R5: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access revocation programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R5 – Access Revocation.

1. There should be a formal procedure or process for revoking physical access. The procedure or process should ensure that the triggering events (e.g., termination, promotion, job transfer)

for access revocation are clearly stated and how those events are incorporated into access revocation

processes. This can be accomplished through a written procedure or documented workflow.

PR.AC-2: Physical access to assets is managed

and protected

IAM-2a

IAM-2b

IAM-2c

IAM-2d

IAM-2e

IAM-2f

IAM-2g


CIP-006-5 R1: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented physical security plans that collectively include all of the

applicable requirement parts in CIP-006-5 Table R1 – Physical

Security Plan.

1. There should be a formal procedure or process for managing physical access controls to protect

systems from unauthorized access. The procedure or process should define: (1) the use of access control

mechanisms; (2) logging of entry and exit; (3) monitoring of physical premises; and (4) alerting on

unauthorized access.

CIP-006-5 R2: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented visitor control programs that include each of the

applicable requirement parts in CIP-006-5 Table R2 – Visitor Control

Program.

1. There should be a formal procedure or process for managing visitors to premises. The procedure or

process should define: (1) logging of entry and exit; (2) continuous escort and supervision of visitors.

CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Personnel & training (CIP‐004)

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Electronic Security Perimeters (CIP‐005)

including Interactive Remote Access;

1. Access control rules for remote access should be clearly stated in an organizational policy with a goal to

protect systems from unauthorized access. The policy should address the granting, modification, removal,

and review of access permissions. The policy should establish the requirements for the use of "principle of

least privilege" or "need to use". The access control policy should be periodically reviewed and approved

by an appropriate member of senior management.

CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified

in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall

implement, in a manner that identifies, assesses, and corrects

deficiencies, one or more documented cyber security policies that

collectively address the following topics, and review and obtain CIP

Senior Manager approval for those policies at least once every 15

calendar months: Electronic access controls for external routable

protocol connections and Dial-up Connectivity

1. Access control rules for remote access should be clearly stated in an organizational policy with a goal to

protect systems from unauthorized access. The policy should address the granting, modification, removal,

and review of access permissions. The policy should establish the requirements for the use of "principle of

least privilege" or "need to use". The access control policy should be periodically reviewed and approved

by an appropriate member of senior management.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access management programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R4 – Access Management Program.

1. A formal procedure or process should be defined for managing remote access. The procedure or

process should encompass: (1) granting of access (including training and background checks), and (2)

periodic review of access permissions (including review and update of training and background checks).

The procedure or process should demonstrate implementation of "principle of least privilege" or "need to

know". This can be accomplished through a written procedure or documented workflow.

CIP-004-5.1 R5: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access revocation programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R5 – Access Revocation.

1. There should be a formal procedure or process for revoking remote access. The procedure or process should ensure that the triggering events (e.g., termination, promotion, job transfer)

for access revocation are clearly stated and how those events are incorporated into access revocation

processes. This can be accomplished through a written procedure or documented workflow.

CIP-005-5 R1: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-005-5 Table R1 – Electronic Security

Perimeter.

1. There should be a formal procedure or process to monitor and control dial-up remote access to the information system, and that access should require authentication.

CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote

Access to BES Cyber Systems shall implement one or more

documented processes that collectively include the applicable

requirement parts, where technically feasible, in CIP-005-5 Table R2

– Interactive Remote Access Management.

1. There should be a formal procedure or process to monitor and control all methods of remote access (e.g., VPN, Citrix) to the information system. Remote access should only be allowed through managed access control points that do not allow direct access to protected assets. Encryption should be used to protect the confidentiality of remote access sessions. Multi-factor authentication should be used for all remote access sessions.

CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: System security management (CIP‐007);

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

2. Policies should contain requirements for management of system-level credentials.

CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Information protection (CIP‐011);

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the granting, modification,

removal, and review of access permissions. The policy should establish the requirements for the use of

"principle of least privilege" or "need to know". The access control policy should be periodically reviewed

and approved by an appropriate member of senior management.

2. Policies should contain requirements for information access management, including information in hard-

copy formats, information in transit, and data at rest.

PR.AC-4: Access permissions are managed,

incorporating the principles of least privilege and

separation of duties

IAM-2d

PR.AC-3: Remote access is managed

IAM-2a

IAM-2b

IAM-2c

IAM-2d

IAM-2e

IAM-2f

IAM-2g


CIP-004-5.1 R4: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access management programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R4 – Access Management Program.

1. A formal procedure or process should be defined for managing logical system access. The procedure or

process should encompass: (1) granting of access (including training and background checks), and (2)

periodic review of access permissions (including review and update of training and background checks).

The procedure or process should demonstrate implementation of "principle of least privilege" or "need to

know". This can be accomplished through a written procedure or documented workflow.

CIP-004-5.1 R5: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access revocation programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R5 – Access Revocation.

1. A formal procedure or process should be defined for revoking logical system access and shared account access. The procedure or process should ensure that the triggering events (e.g., termination, promotion, job transfer) for access revocation are clearly stated and how those events are incorporated into access revocation processes. This can be accomplished through a written procedure or documented workflow.

CIP-007-5 R5: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R5 – System Access Controls.

1. There should be a formal procedure or process for managing system access controls to protect systems

from unauthorized access. The procedure or process should define: (1) the use of authentication methods;

(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)

management of all entity-defined accounts shared by multiple people, including generic, service, and

administrator accounts; (4) implementation of password requirements, including complexity and periodic

changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts. The procedure or

process should demonstrate implementation of "principle of least privilege" or "need to know". This can be

accomplished through a written procedure or documented workflow.

CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Electronic Security Perimeters (CIP‐005)

including Interactive Remote Access;

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the restriction of access at the network layer. This can be accomplished through network segmentation and network access controls.

2. Policies should contain requirements for network segmentation as it pertains to Interactive Remote

Access connections.

CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Information protection (CIP‐011);

1. Access control rules for logical system access should be clearly stated in an organizational policy with a

goal to protect systems from unauthorized access. The policy should address the restriction of access at the network layer. This can be accomplished through network segmentation and network access controls.

2. Policies should contain requirements for information protection within, and between, the various network

security zones.

CIP-005-5 R1: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-005-5 Table R1 – Electronic Security

Perimeter.

1. There should be formal procedures and processes to implement security zones separating protected

assets from other organizational networks and public networks. Monitoring of communications at the

network boundary should be implemented. Connection to protected assets should only be through

managed interfaces consisting of boundary protection devices arranged in accordance with an

organizational documented security architecture.

CIP-007-5 R1: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R1 – Ports and Services.

1. There should be formal procedures and processes to manage and secure network accessible ports as

well as physical I/O ports in operation on an asset. This includes monitoring and documenting the status

and use of discovered ports.

PR.AT-1: All users are informed and trained

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004), 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4 System security management (CIP-007), 1.5 Incident reporting and response planning (CIP-008), 1.6 Recovery plans for BES Cyber Systems (CIP-009), 1.7 Configuration change management and vulnerability assessments (CIP-010), 1.8 Information protection (CIP-011) and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policies should contain requirements for user training and security awareness.

PR.AT-1: All users are informed and trained

CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Cyber security awareness;

1. Policies should contain requirements for user training and security awareness.

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

C2M2 practices: CPM-3a, CPM-3b, CPM-3c, CPM-3d, WM-3a, WM-3b, WM-3c, WM-3d, WM-3e, WM-3f, WM-3g, WM-3h, WM-3i

Awareness and Training (AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Page 10 of 34

Page 37: CIPC Control Systems Security Working Group...1. Communication and data flow documentation should include any communication and data flows between BES Cyber Systems and other systems

MIL 1 MIL 2 MIL 3

Mapping of NIST Cybersecurity Framework to NERC CIP version 5

Nov-14

C2M2 Practices **

Function Category Subcategory NERC CIP v5 Guidance for combined NERC CIP v5 & NIST CSF

PR.AT-1: All users are informed and trained

CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

PR.AT-1: All users are informed and trained

CIP-004-5.1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-5.1 Table R2 – Cyber Security Training Program.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004), 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4 System security management (CIP-007), 1.5 Incident reporting and response planning (CIP-008), 1.6 Recovery plans for BES Cyber Systems (CIP-009), 1.7 Configuration change management and vulnerability assessments (CIP-010), 1.8 Information protection (CIP-011) and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policies should contain requirements for user training and security awareness.

CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Cyber security awareness;

1. Policies should contain requirements for user training and security awareness.

CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

CIP-004-5.1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-5.1 Table R2 – Cyber Security Training Program.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004), 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4 System security management (CIP-007), 1.5 Incident reporting and response planning (CIP-008), 1.6 Recovery plans for BES Cyber Systems (CIP-009), 1.7 Configuration change management and vulnerability assessments (CIP-010), 1.8 Information protection (CIP-011) and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policies should contain requirements for user training and security awareness.

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g

PR.AT-2: Privileged users understand roles & responsibilities.

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g


CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Cyber security awareness;

1. Policies should contain requirements for user training and security awareness.

CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

CIP-004-5.1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-5.1 Table R2 – Cyber Security Training Program.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004), 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4 System security management (CIP-007), 1.5 Incident reporting and response planning (CIP-008), 1.6 Recovery plans for BES Cyber Systems (CIP-009), 1.7 Configuration change management and vulnerability assessments (CIP-010), 1.8 Information protection (CIP-011) and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policies should contain requirements for user training and security awareness.

CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Cyber security awareness;

1. Policies should contain requirements for user training and security awareness.

CIP-003-5 R4: The Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.

1. The CIP Senior Manager should be able to demonstrate that they understand their roles and responsibilities. Consider an acknowledgement form.

CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

PR.AT-4: Senior executives understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g


CIP-004-5.1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-5.1 Table R2 – Cyber Security Training Program.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004), 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4 System security management (CIP-007), 1.5 Incident reporting and response planning (CIP-008), 1.6 Recovery plans for BES Cyber Systems (CIP-009), 1.7 Configuration change management and vulnerability assessments (CIP-010), 1.8 Information protection (CIP-011) and 1.9 Declaring and responding to CIP Exceptional Circumstances.

1. Policies should contain requirements for user training and security awareness.

CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Cyber security awareness;

1. Policies should contain requirements for user training and security awareness.

CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

1. Implement a security awareness program that covers all assets, locations, and stakeholders.

CIP-004-5.1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-5.1 Table R2 – Cyber Security Training Program.

1. Implement a security training program that covers all assets, locations, and stakeholders.

CIP-006-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented visitor control programs that include each of the applicable requirement parts in CIP-005-5 Table R2 - Visitor Control Program.

1. Ensure physical security personnel are trained on the visitor control program and are given tools as necessary to monitor and manage the program.

CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Information protection (CIP-011);

1. Rules for identifying and protecting the confidentiality and integrity of information should be included in the entity's official security policy. System-related information requiring protection includes items defined as BES Protected Information.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R4 – Access Management Program.

1. Access control rules should protect the confidentiality and integrity of information at rest, i.e., information located on storage devices. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

CIP-004-5.1 R5: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access revocation programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R5 – Access Revocation.

1. Access control rules should protect the confidentiality and integrity of information at rest, i.e., information located on storage devices. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

PR.AT-5: Physical and information security personnel understand roles & responsibilities

C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g

PR.DS-1: Data-at-rest is protected

C2M2 practices: ACM-1b, TVM-1c, TVM-2c, CPM-3b, ACM-1e, TVM-2i, TVM-2n

Data Security (DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.


CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.

1. Monitoring, detection and prevention of malicious code should be implemented to protect information at rest.

CIP-011-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-1 Table R1 – Information Protection.

1. Formal procedures and processes should be implemented to identify and secure protected information at rest and data in transit.

CIP-011-1 R2: Each Responsible Entity shall implement one or more documented processes that collectively include the applicable requirement parts in CIP-011-1 Table R2 – BES Cyber Asset Reuse and Disposal.

1. Formal procedures and processes should be implemented to sanitize media containing protected information prior to disposal, release out of organizational control, or release for reuse. Mechanisms should sanitize information to the strength and integrity commensurate with the security category or classification of the information.

CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Electronic Security Perimeters (CIP-005) including Interactive Remote Access;

1. Rules for protection of the confidentiality and integrity of information in transit while on the network or when using remote access should be included in the entity's official security policy.

CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Information protection (CIP-011);

1. Rules for identifying and protecting the confidentiality and integrity of information should be included in the entity's official security policy. System-related information requiring protection includes items defined as BES Protected Information.

CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: Electronic access controls for external routable protocol connections and Dial-up Connectivity

1. Rules for identifying and protecting the confidentiality and integrity of information should be included in the entity's official security policy. System-related information requiring protection includes items defined as BES Protected Information.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R4 – Access Management Program.

1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

CIP-004-5.1 R5: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access revocation programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R5 – Access Revocation.

1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

CIP-005-5 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.

1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

2. Access points to a higher security zone should include controls for protecting the data traversing those boundaries.

CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.

1. There should be formal procedures and processes to implement secure remote access for the transmission of protected information. Reference the definition of Interactive Remote Access.

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.

1. Monitoring, detection and prevention of malicious code should be implemented to protect information in transit.

CIP-011-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-1 Table R1 – Information Protection.

1. Formal procedures and processes should be implemented to identify and secure protected information at rest and data in transit.

PR.DS-2: Data-in-transit is protected

C2M2 practices: ACM-1b, TVM-1c, TVM-2c, CPM-3b, ACM-1e, TVM-2i, TVM-2n


PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

C2M2 practices: ACM-1a, ACM-1b, ACM-2a, ACM-2b, ACM-3a, ACM-3b, ACM-1c, ACM-1d, ACM-2c, ACM-3c, ACM-3d, ACM-4a, ACM-4b, ACM-4c, ACM-4d, ACM-1e, ACM-1f, ACM-2d, ACM-2e, ACM-3e, ACM-3f, ACM-4e, ACM-4f, ACM-4g, ACM-4h, ACM-4i

CIP-011-1 R2: Each Responsible Entity shall implement one or more documented processes that collectively include the applicable requirement parts in CIP-011-1 Table R2 – BES Cyber Asset Reuse and Disposal.

1. Formal procedures and processes should be implemented to sanitize media containing protected information prior to disposal, release out of organizational control, or release for reuse. Mechanisms should sanitize information to the strength and integrity commensurate with the security category or classification of the information.

CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP-009);

1. Contingency planning rules should be included in the organization's policy statements.

CIP-007-5 R4 - 4.3: Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.

1. Where possible, ensure capacity monitoring is included in the organization's event log monitoring program.

CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1 – Recovery Plan Specifications.

1. Formal procedures and processes should be implemented for contingency planning as part of an overall program for achieving business continuity. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.

1. Formal procedures and processes should be implemented to protect against or limit the effects of denial of service attacks. This includes managing excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding denial of service attacks and to counter flooding attacks.

CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Electronic Security Perimeters (CIP-005) including Interactive Remote Access;

1. Rules for protection of the confidentiality and integrity of information from data leaks while on the network or when using remote access should be included in the entity's official security policy.

CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: System security management (CIP-007);

1. Rules for protection of the confidentiality and integrity of information from data leaks when it is located on storage devices should be included in the entity's official security policy.

CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Information protection (CIP-011);

1. Rules for identifying and protecting the confidentiality and integrity of information should be included in the entity's official security policy. System-related information requiring protection includes items defined as BES Protected Information.

CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: Electronic access controls for external routable protocol connections and Dial-up Connectivity

1. Rules for identifying and protecting the confidentiality and integrity of information should be included in the entity's official security policy. System-related information requiring protection includes items defined as BES Protected Information.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R4 – Access Management Program.

1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

PR.DS-4: Adequate capacity to ensure availability is maintained

C2M2 practices: TVM-1c, TVM-2c, CPM-3b, TVM-2i, TVM-2n

PR.DS-5: Protections against data leaks are implemented

C2M2 practices: TVM-1c, TVM-2c, CPM-3b, TVM-2i, TVM-2n

PROTECT (PR)


PR.DS-5: Protections against data leaks are implemented (continued)

NERC CIP v5: CIP-004-5.1 R5: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access revocation programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R5 – Access Revocation.
Guidance:
1. Access control rules should protect the confidentiality and integrity of information in transit on the network or when using remote access. Proper access controls (e.g., provisioning, revocation) should be used to restrict access to such information.

NERC CIP v5: CIP-005-5 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.
Guidance:
1. Formal procedures and processes should be implemented to ensure protected information is properly segmented and that flow access controls are enforced. Flow access controls should be automatically enforced where possible.

NERC CIP v5: CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.
Guidance:
1. Formal processes and procedures should be implemented to ensure that encrypted information does not bypass system monitoring capabilities. This includes the proper configuration of encryption termination points.

NERC CIP v5: CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.
Guidance:
1. Formal procedures and processes should be implemented to prevent, deter, detect, and mitigate malicious code intended to leak data.

NERC CIP v5: CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
Guidance:
1. Formal procedures and processes should be implemented to monitor security events so that data leaks can be detected.

NERC CIP v5: CIP-007-5 R5: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R5 – System Access Controls.
Guidance:
1. Formal procedures and processes should be implemented to manage system access controls and so prevent data leaks through vulnerable user and system accounts.

NERC CIP v5: CIP-011-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-1 Table R1 – Information Protection.
Guidance:
1. The information protection program can consist of policy controls such as document markings, secure handling procedures, and secure destruction procedures, and technical controls such as access control, encryption, or data loss prevention.

NERC CIP v5: CIP-011-1 R2: Each Responsible Entity shall implement one or more documented processes that collectively include the applicable requirement parts in CIP-011-1 Table R2 – BES Cyber Asset Reuse and Disposal.
Guidance:
1. The information protection program can consist of policy controls such as document markings, secure handling procedures, and secure destruction procedures, and technical controls such as access control, encryption, or data loss prevention.

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
C2M2 practices: ACM-3d

NERC CIP v5: CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Configuration change management and vulnerability assessments (CIP-010);
Guidance:
1. Rules for the implementation of configuration management of software, firmware, and information integrity should be included in the entity's official security policy.

NERC CIP v5: CIP-010-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R1 – Configuration Change Management.
Guidance:
1. Formal processes and procedures should be implemented to document the approved configuration of hardware, software, and firmware.

NERC CIP v5: CIP-010-1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R2 – Configuration Monitoring.
Guidance:
1. Formal processes and procedures should be implemented to monitor the approved configuration of hardware, software, and firmware to detect any unauthorized changes.

PR.DS-7: The development and testing environment(s) are separate from the production environment
C2M2 practices: ACM-3c, ACM-3e

NERC CIP v5: CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
Guidance:
1. Rules for the segregation of production and test environments should be included in the entity's official security policy.

Page 16 of 34


PR.DS-7: The development and testing environment(s) are separate from the production environment (continued)

NERC CIP v5: CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Configuration change management and vulnerability assessments (CIP-010);
Guidance:
1. Rules for the implementation and use of testing environments should be included in the entity's official security policy.

NERC CIP v5: CIP-005-5 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.
Guidance:
1. Formal procedures and processes should be implemented to properly segregate test and production network environments.

NERC CIP v5: CIP-010-1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R2 – Configuration Monitoring.
Guidance:
1. Formal procedures and processes should govern the testing of changes before they are applied to the production environment. A designated, separate test environment should be used where possible.

Category: Information Protection Processes and Procedures (IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
C2M2 practices: ACM-2a, ACM-2b, ACM-2c, ACM-2d, ACM-2e

NERC CIP v5: CIP-010-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R1 – Configuration Change Management.
Guidance:
1. Ensure baseline configurations are protected from possible compromise.

NERC CIP v5: CIP-010-1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R2 – Configuration Monitoring.
Guidance:
1. Use monitoring tools to ensure the integrity of baseline configurations when they are stored outside of a protected security zone.

PR.IP-2: A System Development Life Cycle to manage systems is implemented
C2M2 practices: ACM-3d
Guidance:
1. A framework for the SDLC can be included in an entity's Change Management and Configuration Monitoring program.

PR.IP-3: Configuration change control processes are in place
C2M2 practices: ACM-3a, ACM-3b, ACM-3c, ACM-3d, ACM-3e, ACM-3f

NERC CIP v5: CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: System security management (CIP-007);
Guidance:
1. Systems management policies should contain requirements for change control.

NERC CIP v5: CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Configuration change management and vulnerability assessments (CIP-010);
Guidance:
1. Change control policies should include broad requirements for what types of activities constitute a change.

NERC CIP v5: CIP-010-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R1 – Configuration Change Management.
Guidance:
1. Change control procedures should include specific requirements for what types of activities constitute a change.

NERC CIP v5: CIP-010-1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R2 – Configuration Monitoring.
Guidance:
1. Configuration monitoring procedures should include specific requirements for what types of changes should be monitored and managed.
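The PR.DS-6, PR.IP-1 and CIP-010-1 R2 rows above all come down to the same mechanism: record the approved baseline (the CIP-010-1 R1 Part 1.1 elements), protect the stored baseline itself, and on each monitoring pass compare the observed state against it, separating deviations covered by an approved change record from unauthorized ones. The following is an added example written for this page; it is not code from the CSSWG mapping document or from any entity's CIP program. The asset name, package names, ports, patch labels, the change ticket "CHG-1042" and the sealing key are all constructed sample data.

```python
"""Baseline configuration change detection for a BES Cyber Asset.

Added example; not from the CSSWG mapping document. All asset, software,
port, patch and ticket values are constructed sample data. The baseline
elements follow CIP-010-1 R1 Part 1.1 (OS/firmware, installed
commercial/open-source software, custom software, logical network
accessible ports, applied security patches).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Seals the stored baseline so tampering with the baseline itself is detected
# before it is used for comparison. Constructed for the example; a real
# deployment keeps this secret inside a protected security zone.
BASELINE_KEY = b"example-only-baseline-sealing-key"


@dataclass(frozen=True)
class Baseline:
    asset: str
    os_firmware: str
    software: frozenset        # commercial / open-source packages, "name version"
    custom_software: frozenset
    ports: frozenset           # logical network accessible ports, "proto/port"
    patches: frozenset         # applied security patches

    def canonical(self) -> bytes:
        # Sort every set so identical configurations always serialize identically.
        doc = {
            "asset": self.asset,
            "os_firmware": self.os_firmware,
            "software": sorted(self.software),
            "custom_software": sorted(self.custom_software),
            "ports": sorted(self.ports),
            "patches": sorted(self.patches),
        }
        return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def seal_baseline(baseline: Baseline) -> str:
    """HMAC-SHA256 tag over the canonical baseline (the PR.DS-6 integrity check)."""
    return hmac.new(BASELINE_KEY, baseline.canonical(), hashlib.sha256).hexdigest()


def baseline_intact(baseline: Baseline, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(seal_baseline(baseline), tag)


def diff_baseline(approved: Baseline, observed: Baseline) -> list:
    """Return (element, change, item) tuples for every deviation from the approved baseline."""
    changes = []
    if approved.os_firmware != observed.os_firmware:
        changes.append(("os_firmware", "changed", observed.os_firmware))
    for element in ("software", "custom_software", "ports", "patches"):
        before, after = getattr(approved, element), getattr(observed, element)
        changes += [(element, "added", item) for item in sorted(after - before)]
        changes += [(element, "removed", item) for item in sorted(before - after)]
    return changes


def classify_changes(changes: list, change_records: dict) -> dict:
    """Split deviations into those covered by an approved change record and those that are not."""
    report = {"authorized": [], "unauthorized": []}
    for change in changes:
        ticket = next((t for t, items in change_records.items() if change in items), None)
        if ticket is None:
            report["unauthorized"].append(change)
        else:
            report["authorized"].append((ticket, change))
    return report


# Constructed sample data: the approved baseline, its seal, one approved change
# record, and the state observed during a monitoring pass (CIP-010-1 R2 Part 2.1).
APPROVED = Baseline(
    asset="EMS-FEP-01",
    os_firmware="example-os 3.10",
    software=frozenset({"openssh 7.4", "ntp 4.2.6"}),
    custom_software=frozenset({"dnp3-gateway 2.1"}),
    ports=frozenset({"tcp/22", "tcp/20000", "udp/123"}),
    patches=frozenset({"PATCH-2014-09"}),
)
APPROVED_TAG = seal_baseline(APPROVED)
CHANGE_RECORDS = {"CHG-1042": {("patches", "added", "PATCH-2014-11")}}
OBSERVED = Baseline(
    asset="EMS-FEP-01",
    os_firmware="example-os 3.10",
    software=frozenset({"openssh 7.4", "ntp 4.2.6"}),
    custom_software=frozenset({"dnp3-gateway 2.1"}),
    ports=frozenset({"tcp/22", "tcp/23", "tcp/20000", "udp/123"}),  # telnet appeared
    patches=frozenset({"PATCH-2014-09", "PATCH-2014-11"}),
)


def run_monitoring_cycle() -> dict:
    """One monitoring pass: verify the stored baseline first, then diff and classify."""
    if not baseline_intact(APPROVED, APPROVED_TAG):
        raise RuntimeError("stored baseline failed its integrity check; do not compare against it")
    return classify_changes(diff_baseline(APPROVED, OBSERVED), CHANGE_RECORDS)


if __name__ == "__main__":
    report = run_monitoring_cycle()
    for ticket, change in report["authorized"]:
        print("authorized  ", change, "under", ticket)
    for change in report["unauthorized"]:
        print("UNAUTHORIZED", change)
```

Running the cycle reports the patch as authorized under CHG-1042 and the new tcp/23 listener as unauthorized. The seal check runs before the comparison on purpose: a baseline stored outside the protected zone that has been edited to include the rogue port would otherwise make the deviation disappear, which is the failure mode the CIP-010-1 R1 guidance row is warning about.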

Page 17 of 34


PR.IP-4: Backups of information are conducted, maintained, and tested periodically
C2M2 practices: IR-4a, IR-4b, IR-4c, IR-4f, IR-4g, IR-4j

NERC CIP v5: CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1 – Recovery Plan Specifications.
Guidance:
1. Recovery plans should specify business requirements for data retention and the periodicity of backups.

NERC CIP v5: CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 – Recovery Plan Review, Update and Communication.
Guidance:
1. Recovery plan testing should occur at a frequency commensurate with the importance of the asset.
2. Recovery plans should be tested after any major change or upgrade to a system.

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
C2M2 practices: RM-2b, IAM-2a, RM-3f, IAM-3f

NERC CIP v5: CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004), 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4 System security management (CIP-007), 1.5 Incident reporting and response planning (CIP-008), 1.6 Recovery plans for BES Cyber Systems (CIP-009), 1.7 Configuration change management and vulnerability assessments (CIP-010), 1.8 Information protection (CIP-011) and 1.9 Declaring and responding to CIP Exceptional Circumstances.
Guidance:
1. Policies should contain requirements for the physical operating environment of the cyber system, including environmental (temperature, moisture, vibration, dust), power (redundant feeds, battery), and fire-suppression requirements. Policies should also require environmental monitoring of the physical operating environment.

PR.IP-6: Data is destroyed according to policy
C2M2 practices: ACM-3d

NERC CIP v5: CIP-011-1 R2: Each Responsible Entity shall implement one or more documented processes that collectively include the applicable requirement parts in CIP-011-1 Table R2 – BES Cyber Asset Reuse and Disposal.
Guidance:
1. Implement a management control that tests a sample of retired systems to ensure data is no longer accessible.

PR.IP-7: Protection processes are continuously improved
C2M2 practices: TVM-1h, CPM-1g

NERC CIP v5: CIP-010-1 R3: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R3 – Vulnerability Assessments.
Guidance:
1. The stated goal of the entity's vulnerability assessment program should be the strengthening of security controls through a process of regular review and assessment.
2. Assessments should evaluate the current threat landscape and the ability of existing controls to mitigate or eliminate the risk.

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
C2M2 practices: ISC-1a, ISC-1b, ISC-1c, ISC-1d, ISC-1e, ISC-1f, ISC-1g, ISC-2b, ISC-1h, ISC-1i, ISC-1j, ISC-1k, ISC-1l

NERC CIP v5: CIP-008-5 R3: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.
Guidance:
1. Results of incident response tests should be communicated to key stakeholders, including a frank assessment of the effectiveness of the response actions and security controls.

NERC CIP v5: CIP-010-1 R3: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R3 – Vulnerability Assessments.
Guidance:
1. Results of vulnerability assessments should be communicated to key stakeholders, including a frank assessment of the effectiveness of the security controls.

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
C2M2 practices: IR-4c, IR-3e, IR-3f, IR-4d, IR-4f, IR-5a, IR-5b, IR-5c, IR-5d, RM-1a, RM-1b, TVM-1d, IR-3k, IR-3m, IR-4i, IR-4j, IR-5e, IR-5f, IR-5g, IR-5h, IR-5i, RM-1c

NERC CIP v5: CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP-008);
Guidance:
1. Policies should contain language addressing the management of the Cyber Security Incident response plans.

Page 18 of 34


PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed (continued)
C2M2 practices (continued): TVM-1d

NERC CIP v5: CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP-009);
Guidance:
1. Policies should contain language addressing the management of the recovery plans.

NERC CIP v5: CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.) Incident response to a Cyber Security Incident.
Guidance:
1. Policies should contain language addressing the management of the Cyber Security Incident response plans.

NERC CIP v5: CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications.
Guidance:
1. Plans are in place and managed.

NERC CIP v5: CIP-008-5 R3: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.
Guidance:
1. Plans are in place and managed.

NERC CIP v5: CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1 – Recovery Plan Specifications.
Guidance:
1. Plans are in place and managed.

NERC CIP v5: CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 – Recovery Plan Review, Update and Communication.
Guidance:
1. Plans are in place and managed.

Page 19 of 34


PR.IP-10: Response and recovery plans are tested
C2M2 practices: IR-3e, IR-4f, IR-3k, IR-4i, IR-4j

NERC CIP v5: CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.
Guidance:
1. Plans are implemented when required and tested regularly.

NERC CIP v5: CIP-009-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-5 Table R2 – Recovery Plan Implementation and Testing.
Guidance:
1. Plans are implemented when required and tested regularly.

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
C2M2 practices: WM-2a, WM-2b, WM-2c, WM-2d, WM-2e, WM-2f, WM-2g, WM-2h

NERC CIP v5: CIP-004-5.1 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented personnel risk assessment programs to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R3 – Personnel Risk Assessment Program.
Guidance:
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).

NERC CIP v5: CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R4 – Access Management Program.
Guidance:
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).

NERC CIP v5: CIP-004-5.1 R5: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access revocation programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R5 – Access Revocation.
Guidance:
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).

PR.IP-12: A vulnerability management plan is developed and implemented
C2M2 practices: TVM-2d, TVM-2e, TVM-3e, TVM-3f

NERC CIP v5: CIP-007-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.
Guidance:
1. Develop a holistic vulnerability management plan that includes patch management, malicious software prevention, and regular vulnerability assessments, including scanning where feasible.

NERC CIP v5: CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.
Guidance:
1. Develop a holistic vulnerability management plan that includes patch management, malicious software prevention, and regular vulnerability assessments, including scanning where feasible.

NERC CIP v5: CIP-010-1 R3: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R3 – Vulnerability Assessments.
Guidance:
1. Develop a holistic vulnerability management plan that includes patch management, malicious software prevention, and regular vulnerability assessments, including scanning where feasible.

Category: Maintenance (MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
C2M2 practices: IAM-2a, ACM-1c, ACM-3f

NERC CIP v5: CIP-010-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R1 – Configuration Change Management.
Guidance:
1. Maintenance practices should be addressed in, and follow, the organization's change control practices.

NERC CIP v5: CIP-006-5 R3: Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing programs that collectively include each of the applicable requirement parts in CIP-006-5 Table R3 – Maintenance and Testing Program.
Guidance:
1. As in CIP-006-5 R3 (which covers Physical Access Control Systems), entities should consider a formal process for maintaining and testing the mechanisms used for electronic access control. This should include testing of changes prior to implementation.

Page 20 of 34


PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
C2M2 practices: SA-1a, IR-1c, IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g, IAM-2h, IAM-2i

NERC CIP v5: CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.
Guidance:
1. Formal processes and procedures should be implemented to manage the use of remote access for performing maintenance functions in accordance with the configuration management program or process.

NERC CIP v5: CIP-006-5 R3: Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing programs that collectively include each of the applicable requirement parts in CIP-006-5 Table R3 – Maintenance and Testing Program.
Guidance:
1. As in CIP-006-5 R3 (which covers Physical Access Control Systems), entities should consider a formal process for maintaining and testing the mechanisms used for electronic access control. This should include testing of changes prior to implementation.

NERC CIP v5: CIP-010-1 R1: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R1 – Configuration Change Management.
Guidance:
1. Maintenance practices should be addressed in, and follow, the organization's change control practices.

Category: Protective Technology (PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
C2M2 practices: SA-1a, SA-2a, SA-1b, SA-1c, SA-2e, SA-4a, SA-1d, SA-1e, SA-3d, SA-4e

NERC CIP v5: CIP-006-5 R1 - 1.6: Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System.
Guidance:
1. Formal processes and procedures should be implemented to monitor for unauthorized access.

NERC CIP v5: CIP-006-5 R1 - 1.8: Log (through automated means or by personnel who control entry) entry of each individual with authorized unescorted physical access into each Physical Security Perimeter, with information to identify the individual and date and time of entry.
Guidance:
1. Formal processes and procedures should be implemented to log successful and unsuccessful access attempts.

NERC CIP v5: CIP-006-5 R1 - 1.9: Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days.
Guidance:
1. Formal processes and procedures should be implemented to retain audit logs.

NERC CIP v5: CIP-006-5 R2 - 2.2: Require manual or automated logging of visitor entry into and exit from the Physical Security Perimeter that includes date and time of the initial entry and last exit, the visitor's name, and the name of an individual point of contact responsible for the visitor, except during CIP Exceptional Circumstances.
Guidance:
1. Formal processes and procedures should be implemented to log successful and unsuccessful access attempts.

NERC CIP v5: CIP-006-5 R2 - 2.3: Retain visitor logs for at least ninety calendar days.
Guidance:
1. Formal processes and procedures should be implemented to retain audit logs.

NERC CIP v5: CIP-007-5 R4 - 4.3: Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Guidance:
1. Formal processes and procedures should be implemented to retain audit logs.

NERC CIP v5: CIP-007-5 R4 - 4.4: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Guidance:
1. Formal processes and procedures should be implemented to ensure receipt of required audit logs and to identify failures of logging capabilities.

PR.PT-2: Removable media is protected and its use restricted according to policy
C2M2 practices: IAM-2a, IAM-2b, IAM-1c, IAM-2c, IAM-2e, IAM-3f, IAM-1i
Guidance:
1. This requirement will be addressed in CIP version 6.

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
C2M2 practices: IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g, IAM-2h, IAM-2i

NERC CIP v5: CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R4 – Access Management Program.
Guidance:
1. A formal procedure or process should be defined for managing logical system access. The procedure or process should encompass: (1) granting of access (including training and background checks), and (2) periodic review of access permissions (including review and update of training and background checks). The procedure or process should demonstrate implementation of the "principle of least privilege" or "need to know". This can be accomplished through a written procedure or documented workflow.

NERC CIP v5: CIP-004-5.1 R5: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access revocation programs that collectively include each of the applicable requirement parts in CIP-004-5.1 Table R5 – Access Revocation.
Guidance:
1. A formal procedure or process should be defined for revoking logical system access and shared account access. The procedure or process should clearly state the triggering events (e.g., termination, promotion, job transfer) for access revocation and how those events are incorporated into access revocation processes. This can be accomplished through a written procedure or documented workflow.

NERC CIP v5: CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.
Guidance:
1. There should be a formal procedure or process to monitor and control remote access.
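The PR.PT-1 rows for CIP-007-5 R4 Parts 4.3 and 4.4 describe a periodic review that has to do three things at once: summarize the retained events so an analyst can look for undetected incidents, confirm that the retained window still covers 90 days, and notice when an expected log source has stopped sending (a logging-capability failure). The following is an added example of such a review written for this page; it is not code from the CSSWG mapping document or from any entity's CIP program. The host names, addresses, dates and log lines are constructed, the syslog-style field layout (ISO-8601 timestamp, host, program, message) is an assumption about the feed, and the 24-hour silence threshold and three-failure threshold are example values an entity would choose; the 90-day and 15-day figures are the ones the standard states.

```python
"""Periodic security event log review for CIP-007-5 R4 (Parts 4.2 to 4.4).

Added example; not from the CSSWG mapping document. All log lines, host
names, addresses and dates are constructed sample data, and the syslog-style
line layout is an assumption about the feed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)            # Part 4.3: retain at least the last 90 days
REVIEW_INTERVAL = timedelta(days=15)      # Part 4.4: review at intervals of 15 days or less
SILENCE_THRESHOLD = timedelta(hours=24)   # example value: silence this long = logging failure
FAILED_LOGIN_THRESHOLD = 3                # example value: surface repeated failures for review

# Constructed sample feed: "<timestamp> <host> <program>: <message>"
SAMPLE_LOGS = """\
2014-08-10T02:15:00Z ems-hist-02 sshd: Accepted publickey for backupsvc from 10.10.5.30
2014-11-12T23:10:07Z ems-hist-02 kernel: usb 1-1: new high-speed USB device number 4
2014-11-14T08:00:01Z ems-fep-01 sshd: Accepted publickey for opsuser from 10.10.5.20
2014-11-14T08:05:44Z ems-fep-01 sshd: Failed password for root from 10.10.9.77
2014-11-14T08:05:49Z ems-fep-01 sshd: Failed password for root from 10.10.9.77
2014-11-14T08:05:53Z ems-fep-01 sshd: Failed password for admin from 10.10.9.77
2014-11-15T05:00:00Z sub-rtu-07 dnp3gw: session established with master 10.10.1.5
2014-11-15T11:30:12Z ems-fep-01 sshd: Accepted password for opsuser from 10.10.5.20
"""
# Every BES Cyber Asset that is supposed to be sending events (constructed).
EXPECTED_SOURCES = {"ems-fep-01", "ems-hist-02", "sub-rtu-07"}
NOW = datetime(2014, 11, 15, 12, 0, tzinfo=timezone.utc)
LAST_REVIEW = datetime(2014, 10, 25, tzinfo=timezone.utc)


def parse_line(line: str) -> tuple:
    """Split one feed line into (timestamp, host, program, message)."""
    ts, host, program, message = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, program.rstrip(":"), message


def classify_event(program: str, message: str) -> str:
    """Coarse event classes for the Part 4.4 summarization."""
    if program == "sshd" and message.startswith("Failed password"):
        return "login_failure"
    if program == "sshd" and message.startswith("Accepted"):
        return "login_success"
    return "other"


def review_logs(log_text: str, expected_sources: set, now: datetime, last_review: datetime) -> dict:
    """Summarize events, check retention and review cadence, and flag silent sources."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    last_seen = {}
    summary = defaultdict(Counter)
    failures = Counter()  # (host, source address) -> failed login count
    for when, host, program, message in events:
        last_seen[host] = max(last_seen.get(host, when), when)
        kind = classify_event(program, message)
        summary[host][kind] += 1
        if kind == "login_failure":
            failures[(host, message.rsplit(" ", 1)[-1])] += 1
    # A source that has gone quiet is treated as a failure of event logging (Part 4.2),
    # not as "no events": absence of logs is itself the finding.
    silent = sorted(h for h in expected_sources
                    if h not in last_seen or now - last_seen[h] > SILENCE_THRESHOLD)
    oldest = min(when for when, *_ in events)
    attention = sorted(f"{host}: {n} failed logins from {src}"
                       for (host, src), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD)
    return {
        "summary": {host: dict(counts) for host, counts in summary.items()},
        "logging_failures": silent,
        "retention_covers_90_days": now - oldest >= RETENTION,
        "review_overdue": now - last_review > REVIEW_INTERVAL,
        "attention": attention,
    }


def run_sample_review() -> dict:
    """Run the review over the constructed feed at the constructed point in time."""
    return review_logs(SAMPLE_LOGS, EXPECTED_SOURCES, NOW, LAST_REVIEW)


if __name__ == "__main__":
    for key, value in run_sample_review().items():
        print(f"{key}: {value}")
```

On the sample feed the review flags ems-hist-02 as a logging failure (its last event is more than a day old), surfaces the burst of failed root/admin logins against ems-fep-01 for analyst attention, confirms that the retained events reach back more than 90 days, and reports that the review itself is overdue because the previous one was 21 days earlier. The retention check is deliberately coarse (it only looks at the oldest retained event); an entity that rotates logs per host would check the oldest event per source instead.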

Page 21 of 34


CIP-007-5 R5: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R5 – System Access Controls.

1. There should be a formal procedure or process for managing system access controls to protect systems

from unauthorized access. The procedure or process should define: (1) the use of authentication methods;

(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)

management of all entity-defined accounts shared by multiple people, including generic, service, and

administrator accounts; (4) implementation of password requirements, including complexity and periodic

changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.

CIP-004-5.1 R4: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented access management programs that collectively

include each of the applicable requirement parts in CIP‐004‐5.1 Table

R4 – Access Management Program.

1. Rules for the implementation of access control to communications and control network protections

should be included in the entity's official security policy.

CIP-005-5 R1: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-005-5 Table R1 – Electronic Security

Perimeter.

1. There should be a formal procedure or process to secure communications and control networks.

CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote

Access to BES Cyber Systems shall implement one or more

documented processes that collectively include the applicable

requirement parts, where technically feasible, in CIP-005-5 Table R2

– Interactive Remote Access Management.

1. There should be a formal procedure or process to secure remote access to communications and control networks.

DE.AE-1: A baseline of network operations and

expected data flows for users and systems is

established and managed

SA-2b SA-2e 1. Baseline network monitoring practices can be integrated within the entity's CIP-005-5 R1.5 Malicious

Communications program, CIP-007-5 R3 Malicious Code Prevention program, and/or CIP-010-1 R2

Change Monitoring program.

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Incident reporting and response planning

(CIP‐008);

1. Security policy must include intrusion detection and a process for analyzing detected events, including the target and the attack methodology.

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Monitoring tools and log sources should be configured to collect event data at a level of granularity

necessary to effectively analyze the event.

CIP-008-5 R1: Each Responsible Entity shall document one or more

Cyber Security Incident response plan(s) that collectively include each

of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber

Security Incident Response Plan Specifications.

1. Response plans should include processes for detailed analysis of the event, and a feedback loop to

ensure the same event will be more effectively detected or prevented in the future.

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. Response plans should include processes for detailed analysis of the event, and a feedback loop to

ensure the same event will be more effectively detected or prevented in the future.

DE.AE-3: Event data are aggregated and

correlated from multiple sources and sensors

IR-1e IR-1f

IR-2i

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Select and implement security event logging and monitoring tools that can analyze events from multiple

sources and are capable of alerting based on correlated events

DE.AE-4: Impact of events is determined

IR-2b IR-2d IR-2g

CIP-008-5 R1 - 1.1: Each Responsible Entity shall document one or

more Cyber Security Incident response plan(s) that collectively

include

1.1 One or more processes to identify, classify, and respond to Cyber

Security Incidents.

1. Must have a procedure for classifying events, i.e., analyzing their impact.

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Incident reporting and response planning

(CIP‐008);

1. Policies should address thresholds for invoking the response plans

PR.PT-4: Communications and control networks

are protected

CPM-3a CPM-3b

CPM-3c

CPM-3d

DE.AE-2: Detected events are analyzed to

understand attack targets and methods

IR-2i

IR-3h

DE.AE-5: Incident alert thresholds are

established

IR-2d

TVM-1d

SA-2d

IR-2g

RM-2j

Anomalies and Events (AE): Anomalous activity is

detected in a timely manner and the potential impact of

events is understood.


CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified

in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented cyber security policies that collectively address the

following topics, and review and obtain CIP Senior Manager approval

for those policies at least once every 15 calendar months: (An

inventory, list, or discrete identification of low impact BES Cyber

Systems or their BES Cyber Assets is not required). Incident

response to a Cyber Security Incident.

1. Policies should address thresholds for invoking the response plans

CIP-008-5 R1: Each Responsible Entity shall document one or more

Cyber Security Incident response plan(s) that collectively include each

of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber

Security Incident Response Plan Specifications.

1. Response to incidents should be triggered based on thresholds established within the plan and per the entity's policies

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. Response to incidents should be triggered based on thresholds established within the plan and per the entity's policies

CIP-008-5 R3: Each Responsible Entity shall maintain each of its

Cyber Security Incident response plans according to each of the

applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security

Incident Response Plan Review, Update, and Communication.

1. Response to incidents should be triggered based on thresholds established within the plan and per the entity's policies

2. When performing an after-incident review, ensure thresholds were appropriate

DE.CM-1: The network is monitored to detect

potential cybersecurity events

SA-2a

SA-2b

SA-2e

SA-2f

SA-2g

SA-2i

CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or

more documented processes that collectively include each of the

applicable requirement parts in CIP‐005‐5 Table R1 – Electronic

Security Perimeter. Have one or more methods for

detecting known or suspected malicious communications for both

inbound and outbound communications.

1. Monitoring of network access points is specified in CIP-005-5 R1.5

2. Monitoring can be enhanced by including analysis of traffic within the security perimeter

CIP-006-5 R1: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented physical security plans that collectively include all of the

applicable requirement parts in CIP-006-5 Table R1 – Physical

Security Plan.

1. Plan should specify technical and procedural controls for monitoring the physical environment

CIP-006-5 R2: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented visitor control programs that include each of the

applicable requirement parts in CIP-006-5 Table R2 – Visitor Control

Program.

1. Program should specify monitoring of visitors within a secure perimeter (human and/or electronic

monitoring)

CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Electronic Security Perimeters (CIP‐005)

including Interactive Remote Access;

1. Policies should make clear that end-user activities will be monitored

CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: System security management (CIP‐007);

1. Policies should make clear that end-user activities will be monitored

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Monitoring tools should be capable of detecting interactive (personnel) activities separate from non-

interactive (machine to machine) activities
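The CIP-007-5 R5 guidance above asks for limiting and alerting on unsuccessful login attempts, the DE.AE-3 guidance asks for tools that correlate events from multiple sources, and this item asks that interactive (personnel) activity be distinguished from non-interactive (machine-to-machine) activity. The Python script below is an added example that demonstrates all three together; it is not part of the CIPC working group's document. The two log formats (a syslog-style sshd line from a jump host and a CSV-style HMI application line), the hostnames, the account names, the list of service accounts and the "5 failures within 15 minutes" threshold are constructed assumptions, not anything the mapping prescribes.

```python
"""Correlate failed logins across log sources and alert on a per-account threshold.

Added example, not from the CIPC mapping document. Log formats, hosts,
accounts and thresholds are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Accounts the entity has designated as non-interactive (service / machine-to-machine).
# Assumed names; in practice this comes from the CIP-007-5 R5 account inventory.
SERVICE_ACCOUNTS = {"svc-historian", "svc-ics-poll"}

# Source 1 (assumed format): syslog-style sshd failures from a jump host.
SSH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
# Source 2 (assumed format): CSV-style HMI application log, one LOGIN_FAIL per line.
HMI_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),(?P<host>[^,]+),LOGIN_FAIL,"
    r"(?P<user>[^,]+),(?P<src>[^,]+)$"
)

# Constructed sample input: two sources interleaved, one successful login mixed in.
SAMPLE_LOG_LINES = [
    "2014-11-03T08:00:05 jump01 sshd[4121]: Failed password for jdoe from 10.20.1.15 port 51022 ssh2",
    "2014-11-03T08:01:10 jump01 sshd[4121]: Failed password for jdoe from 10.20.1.15 port 51023 ssh2",
    "2014-11-03T08:02:40,hmi-sub7,LOGIN_FAIL,jdoe,10.20.1.15",
    "2014-11-03T08:03:12,hmi-sub7,LOGIN_FAIL,jdoe,10.20.1.15",
    "2014-11-03T08:04:00 jump01 sshd[4130]: Failed password for jdoe from 10.20.1.15 port 51030 ssh2",
    "2014-11-03T08:05:00 jump01 sshd[4131]: Accepted publickey for ops from 10.20.1.9 port 51040 ssh2",
    "2014-11-03T08:10:00,hmi-sub7,LOGIN_FAIL,svc-historian,10.20.2.8",
    "2014-11-03T08:11:00,hmi-sub7,LOGIN_FAIL,svc-historian,10.20.2.8",
    "2014-11-03T08:20:00 jump01 sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "2014-11-03T08:32:00 jump01 sshd[4141]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "2014-11-03T08:50:00 jump01 sshd[4142]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
]


@dataclass(frozen=True)
class FailedLogin:
    ts: datetime
    source_system: str   # which host or application reported the failure
    user: str
    src_ip: str
    interactive: bool    # False for designated service accounts


def parse_line(line: str) -> FailedLogin | None:
    """Normalize one line from either source; return None for non-failure lines."""
    for pattern in (SSH_RE, HMI_RE):
        m = pattern.match(line)
        if m:
            user = m.group("user")
            return FailedLogin(
                ts=datetime.fromisoformat(m.group("ts")),
                source_system=m.group("host"),
                user=user,
                src_ip=m.group("src"),
                interactive=user not in SERVICE_ACCOUNTS,
            )
    return None


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Raise one alert per account whose failures, across all sources, reach
    `threshold` inside any `window`-long span. Uses a sliding window over the
    account's time-ordered events, so a slow spread of failures does not alert."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_user: dict[str, list[FailedLogin]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1           # drop events that fell out of the window
            if end - start + 1 >= threshold:
                span = evs[start:end + 1]
                alerts.append({
                    "user": user,
                    "count": len(span),
                    "first": span[0].ts.isoformat(),
                    "last": span[-1].ts.isoformat(),
                    "sources": sorted({e.source_system for e in span}),
                    "src_ips": sorted({e.src_ip for e in span}),
                    "interactive": span[-1].interactive,
                })
                break                # one alert per account is enough; analyst takes over
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG_LINES):
        kind = "interactive" if alert["interactive"] else "service"
        print(f"ALERT {kind} account {alert['user']}: {alert['count']} failures "
              f"across {alert['sources']} from {alert['src_ips']} "
              f"between {alert['first']} and {alert['last']}")
```

Run as-is, the script alerts only on `jdoe`, whose five failures are split across the jump host and the HMI and would not trip a per-source lockout on either. The `interactive` flag is what lets the analyst route the alert: a service account failing repeatedly usually means a rotated credential or a broken integration, whereas an interactive account failing from one address across several systems looks like password guessing. Lowering `threshold` to 2 also surfaces the `svc-historian` and `admin` cases, which is a reasonable way to tune the thresholds this mapping says policy must set.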

CIP-007-5 R5: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R5 – System Access Controls.

1. Access controls should be configured to properly log events related to personnel usage activities

DE.CM-2: The physical environment is

monitored to detect potential cybersecurity

events

SA-2a

SA-2b

SA-2i

DE.CM-3: Personnel activity is monitored to

detect potential cybersecurity events

SA-2a

SA-2b

SA-2i

Security Continuous Monitoring (CM): The

information system and assets are monitored at discrete

intervals to identify cybersecurity events and verify the

effectiveness of protective measures.


CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Electronic Security Perimeters (CIP‐005)

including Interactive Remote Access;

1. Policies should contain requirements for malware controls for any device initiating an interactive remote

access session

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R3 – Malicious Code

Prevention.

1. Processes should include criteria and thresholds for invoking incident response plans for detected

malicious code

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R3 – Malicious Code

Prevention.

1. Processes should include criteria and thresholds for invoking incident response plans for detected

malicious code

CIP-010-1 R2: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring.

1. Configuration monitoring procedures can be enhanced to include active monitoring for mobile code on any such assets that are in scope for NERC CIP, including devices used for maintenance and testing

DE.CM-6: External service provider activity is

monitored to detect potential cybersecurity

events

EDM-2a

SA-2a

SA-2b

EDM-2j

EDM-2l

EDM-2n

CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or

more documented processes that collectively include each of the

applicable requirement parts in CIP‐005‐5 Table R1 – Electronic

Security Perimeter. Have one or more methods for

detecting known or suspected malicious communications for both

inbound and outbound communications.

1. Electronic perimeter monitoring should include technical or procedural controls to detect potential

cybersecurity events sourced from an external service provider

CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified

in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented cyber security policies that collectively address the

following topics, and review and obtain CIP Senior Manager approval

for those policies at least once every 15 calendar months: (An

inventory, list, or discrete identification of low impact BES Cyber

Systems or their BES Cyber Assets is not required). Electronic

access controls for external routable protocol connections and Dial‐up

Connectivity;

1. Policies should contain requirements for authorization of access

2. Personnel should be made aware that the entity is monitoring for unauthorized access

CIP-004-5.1 R3: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented personnel risk assessment programs to attain and

retain authorized electronic or authorized unescorted physical access

to BES Cyber Systems that collectively include each of the applicable

requirement parts in CIP‐004‐5.1 Table R3 – Personnel Risk

Assessment Program.

1. A process should be identified to verify the identity of, and perform appropriate background checks on, personnel seeking to attain or retain authorized electronic access or authorized unescorted physical access to BES Cyber Systems.

2. Personnel risk management program should stipulate consequences for violating policies related to

access management

CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected

unauthorized access through a physical access point into a Physical

Security Perimeter to the personnel identified in the BES Cyber

Security Incident response plan within 15 minutes of detection.

1. Monitor for unauthorized personnel

CIP-006-5 R1 - 1.6: Monitor each Physical Access Control

System for unauthorized physical access to a Physical Access

Control System.

1. Monitor for unauthorized personnel

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Monitor for unauthorized access to a protected device

2. Monitor for unauthorized remote access to a protected network

3. Monitor for unauthorized devices within a protected network

4. Monitor for unauthorized software in conjunction with CIP-010-1 R2

DE.CM-7: Monitoring for unauthorized

personnel, connections, devices, and software is

performed

SA-2a

SA-2b

SA-2e

SA-2f

SA-2g

SA-2i

DE.CM-4: Malicious code is detected SA-2a

SA-2b

SA-2e

CPM-4a

SA-2i

DE.CM-5: Unauthorized mobile code is detected SA-2a

SA-2b

SA-2e SA-2h

SA-2i

DETECT

(DE)


CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Configuration change management and

vulnerability assessments (CIP‐010);

1. Policies should make clear the stakeholders' expectations of the vulnerability assessment program

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R3 – Malicious Code

Prevention.

1. Where malicious code prevention processes utilize signature-based protections, ensure scans are

performed subsequent to any update to those signatures

CIP-010-1 R3: Each Responsible Entity shall implement one or more

documented processes that collectively include each of the applicable

requirement parts in CIP‐010‐1 Table R3 – Vulnerability

Assessments.

1. If active assessment of a production environment is performed it should be done in a way that minimizes

the potential of adverse consequences. New cyber assets should be actively tested prior to deployment in

a production system.

CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Personnel & training (CIP‐004)

1. Roles and responsibilities of personnel as they relate to detected security events should be defined, along with the training programs needed to disseminate the required information.

CIP-003-5 R3: Each Responsible Entity shall identify a CIP Senior

Manager by name and document any change within 30 calendar days

of the change.

1. Role of the CIP Senior Manager in security event detection or response should be documented where

appropriate

CIP-003-5 R4: The Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, a documented

process to delegate authority, unless no delegations are used. Where

allowed by the CIP Standards, the CIP Senior Manager may delegate

authority for specific actions to a delegate or delegates. These

delegations shall be documented, including the name or title of the

delegate, the specific actions delegated, and the date of the

delegation; approved by the CIP Senior Manager; and updated within

30 days of any change to the delegation. Delegation changes do not

need to be reinstated with a change to the delegator.

1. Roles of any delegates specified by the CIP Senior Manager related to security event detection or

response should be documented

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R3 – Malicious Code

Prevention.

1. Response actions for detected malicious code should include clear and pre-defined roles and

responsibilities

CIP-008-5 R1: Each Responsible Entity shall document one or more

Cyber Security Incident response plan(s) that collectively include each

of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber

Security Incident Response Plan Specifications.

1. Response actions for detected malicious code should include clear and pre-defined roles and

responsibilities

DE.DP-2: Detection activities comply with all

applicable requirements

IR-1d IR-1g

IR-5f

RM-1c

RM-2j

CIP-008-5 R3: Each Responsible Entity shall maintain each of its

Cyber Security Incident response plans according to each of the

applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security

Incident Response Plan Review, Update, and Communication.

1. When preparing after-action reports for a security event, ensure processes include a review of

responses against applicable company policies and external regulations

DE.CM-8: Vulnerability scans are performed TVM-2e TVM-2i

DE.DP-1: Roles and responsibilities for

detection are well defined to ensure

accountability

IR-1a

IR-3a

WM-1a

WM-1b

WM-1d WM-1f

WM-1h

Detection Processes (DP):

Detection processes and procedures are maintained

and tested to ensure timely and adequate awareness of

anomalous events.


CIP-004-5.1 R2 - 2.1: Each Responsible Entity shall implement, in a

manner that identifies, assesses, and corrects deficiencies, a cyber

security training program(s) appropriate to individual roles, functions,

or responsibilities that collectively includes each of the applicable

requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training

Program. Training content on:

2.1.1. Cyber security policies;

2.1.2. Physical access controls;

2.1.3. Electronic access controls;

2.1.4. The visitor control program;

2.1.5. Handling of BES Cyber System Information and its storage;

2.1.6. Identification of a Cyber Security Incident and initial

notifications in accordance with the entity’s incident response plan;

2.1.7. Recovery plans for BES Cyber Systems;

2.1.8. Response to Cyber Security Incidents; and

2.1.9. Cyber security risks associated with a BES Cyber System’s

electronic interconnectivity and interoperability with other Cyber

Assets.

1. Staff can be effectively trained on security event response by testing detection technologies and

observing the response. For instance, regularly submit an EICAR file to a non-production cyber asset to

test the malware detection/prevention system.

CIP-006-5 R3: Each Responsible Entity shall implement one or more

documented Physical Access Control System maintenance and

testing programs that collectively include each of the applicable

requirement parts in CIP-006-5 Table R3 – Maintenance and Testing

Program.

1. Physical access controls are routinely tested

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. Detection tools can be tested during incident response drills

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Incident reporting and response planning

(CIP‐008);

1. Policies should contain language addressing the notification of stakeholders of an event that meets

documented thresholds

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the

effectiveness of the response actions and security controls.

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the

effectiveness of the response actions and security controls.

DE.DP-5: Detection processes are continuously

improved

IR-3h IR-3k

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. The stated goal of the incident response testing program should be the strengthening of security controls

through a process of regular review and assessment

2. Incident tests should be structured to emulate the current threat landscape and to assess the ability of existing controls to mitigate or eliminate the risk

Response Planning (RP): Response processes and

procedures are executed and maintained, to ensure

timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or

after an event

IR-3d

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. The response plan should be executed during or after an event

CIP-004-5.1 R2 - Part 2.1.8: Each Responsible Entity shall

implement, in a manner that identifies, assesses, and corrects

deficiencies, a cyber security training program(s) appropriate to

individual roles, functions, or responsibilities that collectively includes

each of the applicable requirement parts in CIP-004-5.1 Table R2 –

Cyber Security Training Program. 2.1.8. Training content on:

Response to Cyber Security Incidents;

1. Goal of the training should be that personnel know their roles and order of operations when a response

is needed

DE.DP-4: Event detection information is

communicated to appropriate parties

IR-1b

IR-3c

ISC-1a

ISC-1c

ISC-1d

IR-3n

ISC-1h

RS.CO-1: Personnel know their roles and order

of operations when a response is needed

IR-3a IR-5a

IR-5b

DE.DP-3: Detection processes are tested IR-3e IR-3j

Communications (CO): Response activities are

coordinated with internal and external stakeholders, as

appropriate, to include external support from law

enforcement agencies.


CIP-008-5 R1: Each Responsible Entity shall document one or more

Cyber Security Incident response plan(s) that collectively include each

of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber

Security Incident Response Plan Specifications.

1. Roles and responsibilities of personnel as they relate to incident response should be defined within each plan

CIP-008-5 R3: Each Responsible Entity shall maintain each of its

Cyber Security Incident response plans according to each of the

applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security

Incident Response Plan Review, Update, and Communication.

1. After-action tasks should include an analysis of the effectiveness and accuracy of the documented roles

and responsibilities

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Incident reporting and response planning

(CIP‐008);

1. Policies can be used to document management's expectations for incident reporting

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified

in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a

manner that identifies, assesses, and corrects deficiencies, one or

more documented cyber security policies that collectively address the

following topics, and review and obtain CIP Senior Manager approval

for those policies at least once every 15 calendar months: (An

inventory, list, or discrete identification of low impact BES Cyber

Systems or their BES Cyber Assets is not required). Incident

response to a Cyber Security Incident.

1. Policies can be used to document management's expectations for incident reporting

CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or

more documented processes that collectively include each of the

applicable requirement parts in CIP‐005‐5 Table R1 – Electronic

Security Perimeter. Have one or more methods for

detecting known or suspected malicious communications for both

inbound and outbound communications.

1. Reporting criteria should address events detected at electronic access points

CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected

unauthorized access through a physical access point into a Physical

Security Perimeter to the personnel identified in the BES Cyber

Security Incident response plan within 15 minutes of detection.

1. Reporting criteria should address events detected at physical access points

CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to

detected unauthorized physical access to a Physical Access Control

System to the personnel identified in the BES Cyber Security Incident

response plan within 15 minutes of the detection.

1. Reporting criteria should address events detected at physical access points

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner

that identifies, assesses, and corrects deficiencies, one or more

documented processes that collectively include each of the applicable

requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Reporting criteria should address events detected by monitoring tools

CIP-008-5 R1: Each Responsible Entity shall document one or more

Cyber Security Incident response plan(s) that collectively include each

of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber

Security Incident Response Plan Specifications.

1. Procedures for event reporting should be specified within each response plan

CIP-008-5 R2: Each Responsible Entity shall implement each of its

documented Cyber Security Incident response plans to collectively

include each of the applicable requirement parts in CIP‐008‐5 Table

R2 – Cyber Security Incident Response Plan Implementation and

Testing.

1. Procedures for event reporting should be followed

CIP-008-5 R3: Each Responsible Entity shall maintain each of its

Cyber Security Incident response plans according to each of the

applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security

Incident Response Plan Review, Update, and Communication.

1. After-action tasks should include an analysis of the effectiveness and accuracy of reporting

CIP-008-5 R1: Each Responsible Entity shall document one or more

Cyber Security Incident response plan(s) that collectively include each

of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber

Security Incident Response Plan Specifications.

1. Procedures for event reporting should be specified within each response plan

RS.CO-2: Events are reported consistent with

established criteria

IR-1a

IR-1b

RS.CO-3: Information is shared consistent with

response plans

ISC-1a

ISC-1b

IR-3d

ISC-1c

ISC-1d

Page 27 of 34

Page 54: CIPC Control Systems Security Working Group...1. Communication and data flow documentation should include any communication and data flows between BES Cyber Systems and other systems

MIL 1 MIL 2 MIL 3

Mapping of NIST Cybersecurity Framework to NERC CIP version 5

Nov-14

C2M2 Practices **

Function Category Subcategory NERC CIP v5 Guidance for combined NERC CIP v5 & NIST CSF

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Procedures for event reporting should be followed

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies can be used to document management's expectations for incident reporting and coordination with stakeholders

CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber Security Incident Response Plan Specifications.

1. Procedures for event reporting should be specified within each response plan

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Procedures for event reporting should be followed

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policies can be used to document management's expectations for incident reporting and coordination with stakeholders

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies can be used to document management's expectations for incident reporting and coordination with stakeholders

CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber Security Incident Response Plan Specifications.

1. Procedures for information sharing should be specified within each response plan

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Procedures for information sharing should be followed

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policies should include language that communicates management's expectations for responding to alerts from detection systems

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies should include language that communicates management's expectations for responding to alerts from detection systems

RS.CO-4: Coordination with stakeholders occurs consistent with response plans

C2M2 Practices: IR-3d, IR-5b

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

C2M2 Practices: ISC-1a, ISC-1b, IR-3c, ISC-1c, ISC-1d, ISC-1e, ISC-1f, ISC-1h, ISC-1i, ISC-1j, ISC-1k, ISC-1l

RS.AN-1: Notifications from detection systems are investigated

C2M2 Practices: IR-1e, SA-3a, IR-1f, IR-1h

Analysis (AN): Analysis is conducted to ensure adequate response and support recovery activities.


CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection.

1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.

1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Procedures should include language that supports management's expectations for responding to alerts from detection systems

RS.AN-2: The impact of the incident is understood

C2M2 Practices: IR-2d, IR-2g, IR-2d, TVM-1d, IR-2g, RM-2j

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. When implementing an incident response plan, response personnel should take deliberate actions only when the impact of the incident and their actions are understood

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policy should establish criteria for when and how forensic data is collected, handled, and analyzed

CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber Security Incident Response Plan Specifications.

1. Procedures should include steps for how forensic data is collected, handled, and analyzed

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Forensics activities are performed when specified in the response plans

CIP-009-5 R1 - 1.5: One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or restrict recovery.

1. Forensics activities are performed when specified in the response plans

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policy should establish a classification model for security events

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policy should establish a classification model for security events

CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber Security Incident Response Plan Specifications.

1. Procedures should follow an established classification model to ensure that security events can be responded to quickly based on general characteristics

RS.AN-4: Incidents are categorized consistent with response plans

C2M2 Practices: IR-2a, IR-1d, IR-1e, IR-2d, TVM-1d, IR-2g, RM-1c

RS.AN-3: Forensics are performed

C2M2 Practices: IR-3d, IR-3i

RESPOND (RS)


CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Procedures should follow an established classification model to ensure that security events can be responded to quickly based on general characteristics

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-003-5 R1 - 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Declaring and responding to CIP Exceptional Circumstances.

1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP‐005‐5 Table R1 – Electronic Security Perimeter. Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at electronic access points

CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by malicious code prevention systems

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by event monitoring systems

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Incident response procedures should specify a model of containment, eradication, and recovery

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policies should specify a model of containment, eradication, and recovery for security incidents

RS.MI-1: Incidents are contained

C2M2 Practices: IR-3b

RS.MI-2: Incidents are mitigated

C2M2 Practices: IR-3b

Mitigation (MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.


CIP-003-5 R1 - 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Declaring and responding to CIP Exceptional Circumstances.

1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP‐005‐5 Table R1 – Electronic Security Perimeter. Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at electronic access points

CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by malicious code prevention systems

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by event monitoring systems

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Incident response procedures should specify a model of containment, eradication, and recovery

CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Configuration change management and vulnerability assessments (CIP‐010);

1. Policies should contain language that communicates management's requirements for addressing newly identified vulnerabilities

CIP-007-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.

1. Patch management plans should include procedures for addressing zero-day or imminent threat vulnerabilities

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.

1. Malicious code prevention plans should include procedures for addressing zero-day or imminent threat vulnerabilities

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

C2M2 Practices: TVM-2c, TVM-2f, TVM-2g, RM-2j, TVM-2m, TVM-2n


CIP-010-1 R3: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP‐010‐1 Table R3 – Vulnerability Assessments.

1. Vulnerability management plans should include procedures for notification of and response to zero-day or imminent threat vulnerabilities

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policies should contain language that communicates management's requirements for strengthening response plans by incorporating findings from lessons-learned analysis

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies should contain language that communicates management's requirements for strengthening response plans by incorporating findings from lessons-learned analysis

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Response plans should be written to include references to lessons-learned or procedural enhancements that were the result of a prior incident

CIP-008-5 R3: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.

1. During after-action analysis of an actual or simulated incident, carefully document each action, or lack of action, and the results. Address each action or lack of action with a critical analysis, and provide recommendations for improvement

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Policies should contain language that communicates management's requirements for reviewing and updating incident response plans

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.

1. Policies should contain language that communicates management's requirements for reviewing and updating incident response plans

CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber Security Incident Response Plan Specifications.

1. Plans should be reviewed and updated according to the periodicity specified in the policy

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

1. Version numbers should be clear, and incident responders should communicate to ensure staff is using the in-force version at the time of an incident

CIP-008-5 R3: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.

1. Plans should be reviewed and updated according to the periodicity specified in the policy

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP‐008);

1. Define expectations and roles and responsibilities within the security policy. Include contingencies and management practices where policy provisions can be suspended and tracked in response to emergency events.

RS.IM-1: Response plans incorporate lessons learned

C2M2 Practices: IR-3h

RS.IM-2: Response strategies are updated

C2M2 Practices: IR-3e, IR-3k

RC.RP-1: Recovery plan is executed during or after an event

C2M2 Practices: IR-3b, IR-3o, IR-4k

Improvements (IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Recovery Planning (RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.


CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP‐009);

1. Define expectations and roles and responsibilities within the security policy. Include contingencies and management practices where policy provisions can be suspended and tracked in response to emergency events.

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.

1. Ensure a clear escalation path exists between routine system monitoring activities and the recovery plans.

CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan Specifications.

1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure recovery plans give precedence to higher-risk systems.

CIP-009-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP‐009‐5 Table R2 – Recovery Plan Implementation and Testing.

1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure recovery plans give precedence to higher-risk systems.

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP‐009‐5 Table R3 – Recovery Plan Review, Update and Communication.

1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure recovery plans give precedence to higher-risk systems.

CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP‐009);

1. Ensure security policy defines criteria for managing updates to recovery plans

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP‐009‐5 Table R3 – Recovery Plan Review, Update and Communication.

1. Ensure response plans define a process for after-action review of all activities associated with a real or simulated event, including a defined communications plan.

CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP‐009);

1. Ensure security policy defines criteria for managing updates to recovery plans

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP‐009‐5 Table R3 – Recovery Plan Review, Update and Communication.

1. Ensure response plans are informed by the risk program, and are routinely updated

RC.CO-1: Public Relations are managed

C2M2 Practices: TVM-1d

IR-4d

RM-1c 1. Within the context of the incident and emergency response program, define a communications plan that

specifically addresses external stakeholders

2. Create pre-defined templates for communications in response to predictable events

RC.CO-2: Reputation after an event is repaired IR-4d 1. Within the context of the incident and emergency response program, define a communications plan that

specifically addresses external stakeholders

2. Create pre-defined templates for communications in response to predictable events

CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and

medium impact BES Cyber Systems, shall review and obtain CIP

Senior Manager approval at least once every 15 calendar months for

one or more documented cyber security policies that collectively

address the following topics: Recovery plans for BES Cyber Systems

(CIP‐009);

1. Ensure security policy defines criteria for communications to all stakeholders

CIP-009-5 R1: Each Responsible Entity shall have one or more

documented recovery plans that collectively include each of the

applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan

Specifications.

1. Ensure recovery plans include communications criteria based on severity of event

RC.CO-3: Recovery activities are

communicated to internal stakeholders and

executive and management teams

IR-3d IR-5e

RC.IM-2: Recovery strategies are updated IR-3h

IR-3k

Improvements (IM): Improvements (IM): Recovery

planning and processes are improved by incorporating

lessons learned into future activities.

Communications (CO): Restoration activities are

coordinated with internal and external parties, such as

coordinating centers, Internet Service Providers, owners

of attacking systems, victims, other CSIRTs, and

vendors.

RECOVER

(RC)

Page 33 of 34


NERC CIP v5: CIP-009-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-5 Table R2 - Recovery Plan Implementation and Testing.
Guidance: 1. Implement communications protocols during an actual or simulated event

NERC CIP v5: CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 - Recovery Plan Review, Update and Communication.
Guidance: 1. Update communications protocols as necessary to match the changing business

** C2M2 Domains and Abbreviations

Abbreviation  Domain
ACM  Asset, Change, and Configuration Management
CPM  Cybersecurity Program Management
EDM  Supply Chain and External Dependencies Management
IAM  Identity and Access Management
IR   Event and Incident Response, Continuity of Operations
ISC  Information Sharing and Communications
RM   Risk Management
SA   Situational Awareness
TVM  Threat and Vulnerability Management
WM   Workforce Management

Page 34 of 34