Download:
pdf |
pdfCIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
A. Introduction
1.
Title:
Cyber Security — Electronic Security Perimeter(s)
2.
Number:
CIP-005-6
3.
Purpose: To manage electronic access to BES Cyber Systems by specifying a
controlled Electronic Security Perimeter in support of protecting BES Cyber Systems
against compromise that could lead to misoperation or instability in the BES.
4.
Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the
following list of functional entities will be collectively referred to as “Responsible
Entities.” For requirements in this standard where a specific functional entity or
subset of functional entities are the applicable entity or entities, the functional
entity or entities are specified explicitly.
4.1.1. Balancing Authority
4.1.2. Distribution Provider that owns one or more of the following Facilities,
systems, and equipment for the protection or restoration of the BES:
4.1.2.1. Each underfrequency Load shedding (UFLS) or undervoltage
Load shedding (UVLS) system that:
4.1.2.1.1. is part of a Load shedding program that is subject to
one or more requirements in a NERC or Regional
Reliability Standard; and
4.1.2.1.2. performs automatic Load shedding under a common
control system owned by the Responsible Entity,
without human operator initiation, of 300 MW or
more.
4.1.2.2. Each Remedial Action Scheme (RAS) where the RAS is subject to
one or more requirements in a NERC or Regional Reliability
Standard.
4.1.2.3. Each Protection System (excluding UFLS and UVLS) that applies
to Transmission where the Protection System is subject to one
or more requirements in a NERC or Regional Reliability
Standard.
4.1.2.4. Each Cranking Path and group of Elements meeting the initial
switching requirements from a Blackstart Resource up to and
including the first interconnection point of the starting station
service of the next generation unit(s) to be started.
4.1.3. Generator Operator
4.1.4. Generator Owner
Page 1 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
4.1.5. Interchange Coordinator or Interchange Authority
4.1.6. Reliability Coordinator
4.1.7. Transmission Operator
4.1.8. Transmission Owner
4.2. Facilities: For the purpose of the requirements contained herein, the following
Facilities, systems, and equipment owned by each Responsible Entity in Section
4.1 above are those to which these requirements are applicable. For
requirements in this standard where a specific type of Facilities, system, or
equipment or subset of Facilities, systems, and equipment are applicable, these
are specified explicitly.
4.2.1. Distribution Provider: One or more of the following Facilities, systems
and equipment owned by the Distribution Provider for the protection or
restoration of the BES:
4.2.1.1 Each UFLS or UVLS System that:
4.2.1.1.1 is part of a Load shedding program that is subject to
one or more requirements in a NERC or Regional
Reliability Standard; and
4.2.1.1.2 performs automatic Load shedding under a common
control system owned by the Responsible Entity,
without human operator initiation, of 300 MW or
more.
4.2.1.2 Each RAS where the RAS is subject to one or more requirements
in a NERC or Regional Reliability Standard.
4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies
to Transmission where the Protection System is subject to one
or more requirements in a NERC or Regional Reliability
Standard.
4.2.1.4 Each Cranking Path and group of Elements meeting the initial
switching requirements from a Blackstart Resource up to and
including the first interconnection point of the starting station
service of the next generation unit(s) to be started.
4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers:
All BES Facilities.
4.2.3. Exemptions: The following are exempt from Standard CIP-005-6:
4.2.3.1. Cyber Assets at Facilities regulated by the Canadian Nuclear
Safety Commission.
Page 2 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
4.2.3.2. Cyber Assets associated with communication networks and data
communication links between discrete Electronic Security
Perimeters.
4.2.3.3. The systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan
pursuant to 10 C.F.R. Section 73.54.
4.2.3.4. For Distribution Providers, the systems and equipment that are
not included in section 4.2.1 above.
4.2.3.5. Responsible Entities that identify that they have no BES Cyber
Systems categorized as high impact or medium impact
according to the CIP-002-5 identification and categorization
processes.
5.
Effective Date:
See Implementation Plan for Project 2016-03.
6.
Background: Standard CIP-005 exists as part of a suite of CIP Standards related to
cyber security, which require the initial identification and categorization of BES Cyber
Systems and require a minimum level of organizational, operational and procedural
controls to mitigate risk to BES Cyber Systems.
Most requirements open with, “Each Responsible Entity shall implement one or more
documented [processes, plan, etc.] that include the applicable items in [Table
Reference].” The referenced table requires the applicable items in the procedures for
the requirement’s common subject matter.
The term documented processes refers to a set of required instructions specific to the
Responsible Entity and to achieve a specific outcome. This term does not imply any
particular naming or approval structure beyond what is stated in the requirements.
An entity should include as much as it believes necessary in its documented processes,
but it must address the applicable requirements in the table.
The terms program and plan are sometimes used in place of documented processes
where it makes sense and is commonly understood. For example, documented
processes describing a response are typically referred to as plans (i.e., incident
response plans and recovery plans). Likewise, a security plan can describe an
approach involving multiple procedures to address a broad subject matter.
Similarly, the term program may refer to the organization’s overall implementation of
its policies, plans, and procedures involving a subject matter. Examples in the
standards include the personnel risk assessment program and the personnel training
program. The full implementation of the CIP Cyber Security Standards could also be
referred to as a program. However, the terms program and plan do not imply any
additional requirements beyond what is stated in the standards.
Page 3 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
Responsible Entities can implement common controls that meet requirements for
multiple high and medium impact BES Cyber Systems. For example, a single training
program could meet the requirements for training personnel across multiple BES
Cyber Systems.
Measures for the initial requirement are simply the documented processes
themselves. Measures in the table rows provide examples of evidence to show
documentation and implementation of applicable items in the documented processes.
These measures serve to provide guidance to entities in acceptable records of
compliance and should not be viewed as an all-inclusive list.
Throughout the standards, unless otherwise stated, bulleted items in the
requirements and measures are items that are linked with an “or,” and numbered
items are items that are linked with an “and.”
Many references in the Applicability section use a threshold of 300 MW for UFLS and
UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version
1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is
specifically addressing UVLS and UFLS, which are last ditch efforts to save the Bulk
Electric System. A review of UFLS tolerances defined within regional reliability
standards for UFLS program requirements to date indicates that the historical value of
300 MW represents an adequate and reasonable threshold value for allowable UFLS
operational tolerances.
“Applicable Systems” Columns in Tables:
Each table has an “Applicable Systems” column to further define the scope of
systems to which a specific requirement row applies. The CSO706 SDT adapted this
concept from the National Institute of Standards and Technology (“NIST”) Risk
Management Framework as a way of applying requirements more appropriately
based on impact and connectivity characteristics. The following conventions are used
in the “Applicability Systems” column as described.
•
High Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as
high impact according to the CIP-002 identification and categorization processes.
•
High Impact BES Cyber Systems with Dial-up Connectivity – Only applies to high
impact BES Cyber Systems with Dial-up Connectivity.
•
High Impact BES Cyber Systems with External Routable Connectivity – Only
applies to high impact BES Cyber Systems with External Routable Connectivity.
This also excludes Cyber Assets in the BES Cyber System that cannot be directly
accessed through External Routable Connectivity.
•
Medium Impact BES Cyber Systems – Applies to BES Cyber Systems categorized
as medium impact according to the CIP-002 identification and categorization
processes.
•
Medium Impact BES Cyber Systems at Control Centers – Only applies to
medium impact BES Cyber Systems located at a Control Center.
Page 4 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
•
Medium Impact BES Cyber Systems with Dial-up Connectivity – Only applies to
medium impact BES Cyber Systems with Dial-up Connectivity.
•
Medium Impact BES Cyber Systems with External Routable Connectivity – Only
applies to medium impact BES Cyber Systems with External Routable
Connectivity. This also excludes Cyber Assets in the BES Cyber System that
cannot be directly accessed through External Routable Connectivity.
•
Protected Cyber Assets (PCA) – Applies to each Protected Cyber Asset
associated with a referenced high impact BES Cyber System or medium impact
BES Cyber System.
•
Electronic Access Points (EAP) – Applies at Electronic Access Points associated
with a referenced high impact BES Cyber System or medium impact BES Cyber
System.
Page 5 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
B. Requirements and Measures
R1.
Each Responsible Entity shall implement one or more documented processes that collectively include each of the
applicable requirement parts in CIP-005-6 Table R1 – Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time
Horizon: Operations Planning and Same Day Operations].
M1. Evidence must include each of the applicable documented processes that collectively include each of the applicable
requirement parts in CIP-005-6 Table R1 – Electronic Security Perimeter and additional evidence to demonstrate
implementation as described in the Measures column of the table.
CIP-005-6 Table R1 – Electronic Security Perimeter
Part
1.1
Applicable Systems
High Impact BES Cyber Systems and
their associated:
• PCA
Requirements
All applicable Cyber Assets connected
to a network via a routable protocol
shall reside within a defined ESP.
An example of evidence may include,
but is not limited to, a list of all ESPs
with all uniquely identifiable
applicable Cyber Assets connected via
a routable protocol within each ESP.
All External Routable Connectivity must
be through an identified Electronic
Access Point (EAP).
An example of evidence may include,
but is not limited to, network
diagrams showing all external
routable communication paths and
the identified EAPs.
Medium Impact BES Cyber Systems
and their associated:
• PCA
1.2
High Impact BES Cyber Systems with
External Routable Connectivity and
their associated:
• PCA
Medium Impact BES Cyber Systems
with External Routable Connectivity
and their associated:
• PCA
Measures
Page 6 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
CIP-005-6 Table R1 – Electronic Security Perimeter
Part
1.3
1.4
Applicable Systems
Requirements
Measures
Electronic Access Points for Medium
Impact BES Cyber Systems
Require inbound and outbound access
permissions, including the reason for
granting access, and deny all other
access by default.
An example of evidence may include,
but is not limited to, a list of rules
(firewall, access control lists, etc.) that
demonstrate that only permitted
access is allowed and that each access
rule has a documented reason.
High Impact BES Cyber Systems with
Dial-up Connectivity and their
associated:
• PCA
Where technically feasible, perform
authentication when establishing Dialup Connectivity with applicable Cyber
Assets.
An example of evidence may include,
but is not limited to, a documented
process that describes how the
Responsible Entity is providing
authenticated access through each
dial-up connection.
Have one or more methods for
detecting known or suspected
malicious communications for both
inbound and outbound
communications.
An example of evidence may include,
but is not limited to, documentation
that malicious communications
detection methods (e.g. intrusion
detection system, application layer
firewall, etc.) are implemented.
Electronic Access Points for High
Impact BES Cyber Systems
Medium Impact BES Cyber Systems
with Dial-up Connectivity and their
associated:
• PCA
1.5
Electronic Access Points for High
Impact BES Cyber Systems
Electronic Access Points for Medium
Impact BES Cyber Systems at Control
Centers
Page 7 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
R2.
Each Responsible Entity shall implement one or more documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-6 Table R2 –Remote Access Management. [Violation Risk Factor:
Medium] [Time Horizon: Operations Planning and Same Day Operations].
M2. Evidence must include the documented processes that collectively address each of the applicable requirement parts in CIP005-6 Table R2 –Remote Access Management and additional evidence to demonstrate implementation as described in the
Measures column of the table.
CIP-005-6 Table R2 – Remote Access Management
Part
2.1
Applicable Systems
High Impact BES Cyber Systems and
their associated:
• PCA
Medium Impact BES Cyber Systems
with External Routable Connectivity
and their associated:
• PCA
2.2
High Impact BES Cyber Systems and
their associated:
• PCA
Medium Impact BES Cyber Systems
with External Routable Connectivity
and their associated:
• PCA
Requirements
Measures
For all Interactive Remote Access,
utilize an Intermediate System such
that the Cyber Asset initiating
Interactive Remote Access does not
directly access an applicable Cyber
Asset.
Examples of evidence may include,
but are not limited to, network
diagrams or architecture documents.
For all Interactive Remote Access
sessions, utilize encryption that
terminates at an Intermediate
System.
An example of evidence may include,
but is not limited to, architecture
documents detailing where
encryption initiates and terminates.
Page 8 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
CIP-005-6 Table R2 – Remote Access Management
Part
2.3
Applicable Systems
High Impact BES Cyber Systems and
their associated:
• PCA
Medium Impact BES Cyber Systems
with External Routable Connectivity
and their associated:
• PCA
Requirements
Require multi-factor authentication
for all Interactive Remote Access
sessions.
Measures
An example of evidence may include,
but is not limited to, architecture
documents detailing the
authentication factors used.
Examples of authenticators may
include, but are not limited to,
• Something the individual
knows such as passwords or
PINs. This does not include
User ID;
• Something the individual has
such as tokens, digital
certificates, or smart cards; or
• Something the individual is
such as fingerprints, iris scans,
or other biometric
characteristics.
Page 9 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
CIP-005-6 Table R2 – Remote Access Management
Part
2.4
Applicable Systems
High Impact BES Cyber Systems and
their associated:
• PCA
Medium Impact BES Cyber Systems
with External Routable Connectivity
and their associated:
• PCA
Requirements
Measures
Have one or more methods for
determining active vendor remote
access sessions (including Interactive
Remote Access and system-to-system
remote access).
Examples of evidence may include,
but are not limited to, documentation
of the methods used to determine
active vendor remote access
(including Interactive Remote Access
and system-to-system remote access),
such as:
• Methods for accessing logged
or monitoring information to
determine active vendor
remote access sessions;
• Methods for monitoring
activity (e.g. connection tables
or rule hit counters in a
firewall, or user activity
monitoring) or open ports (e.g.
netstat or related commands
to display currently active
ports) to determine active
system to system remote
access sessions; or
• Methods that control vendor
initiation of remote access
such as vendors calling and
requesting a second factor in
order to initiate remote
access.
Page 10 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
CIP-005-6 Table R2 – Remote Access Management
Part
2.5
Applicable Systems
High Impact BES Cyber Systems and
their associated:
• PCA
Medium Impact BES Cyber Systems
with External Routable Connectivity
and their associated:
• PCA
Requirements
Measures
Have one or more method(s) to
disable active vendor remote access
(including Interactive Remote Access
and system-to-system remote access).
Examples of evidence may include,
but are not limited to, documentation
of the methods(s) used to disable
active vendor remote access
(including Interactive Remote Access
and system-to-system remote access),
such as:
• Methods to disable vendor
remote access at the
applicable Electronic Access
Point for system-to-system
remote access; or
• Methods to disable vendor
Interactive Remote Access at
the applicable Intermediate
System.
Page 11 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
C. Compliance
1.
Compliance Monitoring Process
1.1. Compliance Enforcement Authority: “Compliance Enforcement Authority”
means NERC or the Regional Entity, or any entity as otherwise designated by an
Applicable Governmental Authority, in their respective roles of monitoring
and/or enforcing compliance with mandatory and enforceable Reliability
Standards in their respective jurisdictions.
1.2. Evidence Retention: The following evidence retention period(s) identify the
period of time an entity is required to retain specific evidence to demonstrate
compliance. For instances where the evidence retention period specified below
is shorter than the time since the last audit, the Compliance Enforcement
Authority may ask an entity to provide other evidence to show that it was
compliant for the full-time period since the last audit.
The applicable entity shall keep data or evidence to show compliance as
identified below unless directed by its Compliance Enforcement Authority to
retain specific evidence for a longer period of time as part of an investigation.
•
Each applicable entity shall retain evidence of each requirement in this
standard for three calendar years.
•
If an applicable entity is found non-compliant, it shall keep information
related to the non-compliance until mitigation is complete and approved or
for the time specified above, whichever is longer.
• The CEA shall keep the last audit records and all requested and submitted
subsequent audit records.
1.3. Compliance Monitoring and Enforcement Program: As defined in the NERC
Rules of Procedure, “Compliance Monitoring and Enforcement Program” refers
to the identification of the processes that will be used to evaluate data or
information for the purpose of assessing performance or outcomes with the
associated Reliability Standard.
Page 12 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
Violation Severity Levels
R#
R1.
Violation Severity Levels
Lower VSL
Moderate VSL
High VSL
The Responsible Entity did
not have a method for
detecting malicious
communications for both
inbound and outbound
communications. (1.5)
Severe VSL
The Responsible Entity did
not document one or more
processes for CIP-005-6
Table R1 – Electronic Security
Perimeter. (R1)
OR
The Responsible Entity did
not have all applicable Cyber
Assets connected to a
network via a routable
protocol within a defined
Electronic Security Perimeter
(ESP). (1.1)
OR
External Routable
Connectivity through the ESP
was not through an
identified EAP. (1.2)
OR
The Responsible Entity did
not require inbound and
outbound access
permissions and deny all
other access by default. (1.3)
Page 13 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
R#
Violation Severity Levels
Lower VSL
Moderate VSL
High VSL
Severe VSL
OR
The Responsible Entity did
not perform authentication
when establishing dial-up
connectivity with the
applicable Cyber Assets,
where technically feasible.
(1.4)
R2.
The Responsible Entity does
not have documented
processes for one or more of
the applicable items for
Requirement Parts 2.1
through 2.3.
The Responsible Entity did
not implement processes for
one of the applicable items
for Requirement Parts 2.1
through 2.3.
The Responsible Entity did
not implement processes for
two of the applicable items
for Requirement Parts 2.1
through 2.3;
The Responsible Entity did
not implement processes for
three of the applicable items
for Requirement Parts 2.1
through 2.3;
OR
OR
The Responsible Entity did
not have either: one or more
method(s) for determining
active vendor remote access
sessions (including
Interactive Remote Access
and system-to-system
remote access) (2.4); or one
or more methods to disable
active vendor remote access
(including Interactive
The Responsible Entity did
not have one or more
method(s) for determining
active vendor remote access
sessions (including
Interactive Remote Access
and system-to-system
remote access) (2.4) and one
or more methods to disable
active vendor remote access
(including Interactive
Page 14 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
R#
Violation Severity Levels
Lower VSL
Moderate VSL
High VSL
Severe VSL
Remote Access and systemto-system remote access)
(2.5).
Remote Access and systemto-system remote access)
(2.5).
D. Regional Variances
None.
E. Associated Documents
None.
Page 15 of 23
�CIP-005-6 — Cyber Security – Electronic Security Perimeter(s)
Version History
Version
Date
Action
Change Tracking
1
1/16/06
R3.2 — Change “Control Center” to “control
center.”
3/24/06
2
9/30/09
Modifications to clarify the requirements
and to bring the compliance elements into
conformance with the latest guidelines for
developing compliance elements of
standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Changed compliance monitor to Compliance
Enforcement Authority.
3
12/16/09
Updated version number from -2 to -3
Approved by the NERC Board of Trustees.
3
3/31/10
Approved by FERC.
4
12/30/10
Modified to add specific criteria for Critical
Asset identification.
Update
4
1/24/11
Approved by the NERC Board of Trustees.
Update
5
11/26/12
Adopted by the NERC Board of Trustees.
Modified to
coordinate with
other CIP
standards and to
revise format to
use RBS Template.
5
11/22/13
FERC Order issued approving CIP-005-5.
6
07/20/17
6
08/10/17
Modified to address certain directives in
FERC Order No. 829.
Adopted by the NERC Board of Trustees.
Revised
Page 16 of 23
�CIP-005-6 Supplemental Material
Guidelines and Technical Basis
Section 4 – Scope of Applicability of the CIP Cyber Security Standards
Section “4. Applicability” of the standards provides important information for Responsible
Entities to determine the scope of the applicability of the CIP Cyber Security Requirements.
Section “4.1. Functional Entities” is a list of NERC functional entities to which the standard
applies. If the entity is registered as one or more of the functional entities listed in Section 4.1,
then the NERC CIP Cyber Security Standards apply. Note that there is a qualification in Section
4.1 that restricts the applicability in the case of Distribution Providers to only those that own
certain types of systems and equipment listed in 4.2. Furthermore,
Section “4.2. Facilities” defines the scope of the Facilities, systems, and equipment owned by
the Responsible Entity, as qualified in Section 4.1, that is subject to the requirements of the
standard. As specified in the exemption section 4.2.3.5, this standard does not apply to
Responsible Entities that do not have High Impact or Medium Impact BES Cyber Systems under
CIP-002-5’s categorization. In addition to the set of BES Facilities, Control Centers, and other
systems and equipment, the list includes the set of systems and equipment owned by
Distribution Providers. While the NERC Glossary term “Facilities” already includes the BES
characteristic, the additional use of the term BES here is meant to reinforce the scope of
applicability of these Facilities where it is used, especially in this applicability scoping section.
This in effect sets the scope of Facilities, systems, and equipment that is subject to the
standards.
Requirement R1:
CIP-005-6, Requirement R1 requires segmenting of BES Cyber Systems from other systems of
differing trust levels by requiring controlled Electronic Access Points between the different trust
zones. Electronic Security Perimeters are also used as a primary defense layer for some BES
Cyber Systems that may not inherently have sufficient cyber security functionality, such as
devices that lack authentication capability.
All applicable BES Cyber Systems that are connected to a network via a routable protocol must
have a defined Electronic Security Perimeter (ESP). Even standalone networks that have no
external connectivity to other networks must have a defined ESP. The ESP defines a zone of
protection around the BES Cyber System, and it also provides clarity for entities to determine
what systems or Cyber Assets are in scope and what requirements they must meet. The ESP is
used in:
•
Defining the scope of ‘Associated Protected Cyber Assets’ that must also meet certain CIP
requirements.
•
Defining the boundary in which all of the Cyber Assets must meet the requirements of the
highest impact BES Cyber System that is in the zone (the ‘high water mark’).
The CIP Cyber Security Standards do not require network segmentation of BES Cyber Systems
by impact classification. Many different impact classifications can be mixed within an ESP.
Page 17 of 23
�CIP-005-6 Supplemental Material
However, all of the Cyber Assets and BES Cyber Systems within the ESP must be protected at
the level of the highest impact BES Cyber System present in the ESP (i.e., the “high water
mark”) where the term “Protected Cyber Assets” is used. The CIP Cyber Security Standards
accomplish the “high water mark” by associating all other Cyber Assets within the ESP, even
other BES Cyber Systems of lesser impact, as “Protected Cyber Assets” of the highest impact
system in the ESP.
For example, if an ESP contains both a high impact BES Cyber System and a low impact BES
Cyber System, each Cyber Asset of the low impact BES Cyber System is an “Associated
Protected Cyber Asset” of the high impact BES Cyber System and must meet all requirements
with that designation in the applicability columns of the requirement tables.
If there is routable connectivity across the ESP into any Cyber Asset, then an Electronic Access
Point (EAP) must control traffic into and out of the ESP. Responsible Entities should know what
traffic needs to cross an EAP and document those reasons to ensure the EAPs limit the traffic to
only those known communication needs. These include, but are not limited to, communications
needed for normal operations, emergency operations, support, maintenance, and
troubleshooting.
The EAP should control both inbound and outbound traffic. The standard added outbound
traffic control, as it is a prime indicator of compromise and a first level of defense against zero
day vulnerability-based attacks. If Cyber Assets within the ESP become compromised and
attempt to communicate to unknown hosts outside the ESP (usually ‘command and control’
hosts on the Internet, or compromised ‘jump hosts’ within the Responsible Entity’s other
networks acting as intermediaries), the EAPs should function as a first level of defense in
stopping the exploit. This does not limit the Responsible Entity from controlling outbound
traffic at the level of granularity that it deems appropriate, and large ranges of internal
addresses may be allowed. The SDT’s intent is that the Responsible Entity knows what other
Cyber Assets or ranges of addresses a BES Cyber System needs to communicate with and limits
the communications to that known range. For example, most BES Cyber Systems within a
Responsible Entity should not have the ability to communicate through an EAP to any network
address in the world, but should probably be at least limited to the address space of the
Responsible Entity, and preferably to individual subnet ranges or individual hosts within the
Responsible Entity’s address space. The SDT’s intent is not for Responsible Entities to document
the inner workings of stateful firewalls, where connections initiated in one direction are
allowed a return path. The intent is to know and document what systems can talk to what other
systems or ranges of systems on the other side of the EAP, such that rogue connections can be
detected and blocked.
This requirement applies only to communications for which access lists and ‘deny by default’
type requirements can be universally applied, which today are those that employ routable
protocols. Direct serial, non-routable connections are not included as there is no perimeter or
firewall type security that should be universally mandated across all entities and all serial
communication situations. There is no firewall or perimeter capability for an RS232 cable run
Page 18 of 23
�CIP-005-6 Supplemental Material
between two Cyber Assets. Without a clear ‘perimeter type’ security control that can be applied
in practically every circumstance, such a requirement would mostly generate technical
feasibility exceptions (“TFEs”) rather than increased security.
As for dial-up connectivity, the Standard Drafting Team’s intent of this requirement is to
prevent situations where only a phone number can establish direct connectivity to the BES
Cyber Asset. If a dial-up modem is implemented in such a way that it simply answers the phone
and connects the line to the BES Cyber Asset with no authentication of the calling party, it is a
vulnerability to the BES Cyber System. The requirement calls for some form of authentication of
the calling party before completing the connection to the BES Cyber System. Some examples of
acceptable methods include dial-back modems, modems that must be remotely enabled or
powered up, and modems that are only powered on by onsite personnel when needed along
with policy that states they are disabled after use. If the dial-up connectivity is used for
Interactive Remote Access, then Requirement R2 also applies.
The standard adds a requirement to detect malicious communications for Control Centers. This
is in response to FERC Order No. 706, Paragraphs 496-503, where ESPs are required to have two
distinct security measures such that the BES Cyber Systems do not lose all perimeter protection
if one measure fails or is misconfigured. The Order makes clear that this is not simply
redundancy of firewalls, thus the SDT has decided to add the security measure of malicious
traffic inspection as a requirement for these ESPs. Technologies meeting this requirement
include Intrusion Detection or Intrusion Prevention Systems (IDS/IPS) or other forms of deep
packet inspection. These technologies go beyond source/destination/port rule sets and thus
provide another distinct security measure at the ESP.
Requirement R2:
See Secure Remote Access Reference Document (see remote access alert).
Page 19 of 23
�CIP-005-6 Supplemental Material
Rationale
Rationale for R1:
The Electronic Security Perimeter (“ESP”) serves to control traffic at the external electronic
boundary of the BES Cyber System. It provides a first layer of defense for network based attacks
as it limits reconnaissance of targets, restricts and prohibits traffic to a specified rule set, and
assists in containing any successful attacks.
Summary of Changes: CIP-005, Requirement R1 has taken more of a focus on the discrete
Electronic Access Points, rather than the logical “perimeter.”
CIP-005 (V1 through V4), Requirement R1.2 has been deleted from V5. This requirement was
definitional in nature and used to bring dial-up modems using non-routable protocols into the
scope of CIP-005. The non-routable protocol exclusion no longer exists as a blanket CIP-002
filter for applicability in V5, therefore there is no need for this requirement.
CIP-005 (V1 through V4), Requirement R1.1 and R1.3 were also definitional in nature and have
been deleted from V5 as separate requirements but the concepts were integrated into the
definitions of ESP and Electronic Access Point (“EAP”).
Reference to prior version: (Part 1.1) CIP-005-4, R1
Change Rationale: (Part 1.1)
Explicitly clarifies that BES Cyber Assets connected via routable protocol must be in an Electronic
Security Perimeter.
Reference to prior version: (Part 1.2) CIP-005-4, R1
Change Rationale: (Part 1.2)
Changed to refer to the defined term Electronic Access Point and BES Cyber System.
Reference to prior version: (Part 1.3) CIP-005-4, R2.1
Change Rationale: (Part 1.3)
Changed to refer to the defined term Electronic Access Point and to focus on the entity knowing
and having a reason for what it allows through the EAP in both inbound and outbound
directions.
Reference to prior version: (Part 1.4) CIP-005-4, R2.3
Page 20 of 23
�CIP-005-6 Supplemental Material
Change Rationale: (Part 1.4)
Added clarification that dial-up connectivity should perform authentication so that the BES
Cyber System is not directly accessible with a phone number only.
Reference to prior version: (Part 1.5) CIP-005-4, R1
Change Rationale: (Part 1.5)
Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such
that the Cyber Assets do not lose all perimeter protection if one measure fails or is
misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT
has decided to add the security measure of malicious traffic inspection as a requirement for
these ESPs.
Rationale for R2:
Registered Entities use Interactive Remote Access to access Cyber Assets to support and
maintain control systems networks. Discovery and announcement of vulnerabilities for remote
access methods and technologies, that were previously thought secure and in use by a number
of electric sector entities, necessitate changes to industry security control standards. Currently,
no requirements are in effect for management of secure remote access to Cyber Assets to be
afforded the NERC CIP protective measures. Inadequate safeguards for remote access can allow
unauthorized access to the organization’s network, with potentially serious consequences.
Additional information is provided in Guidance for Secure Interactive Remote Access published
by NERC in July 2011.
Remote access control procedures must provide adequate safeguards through robust
identification, authentication and encryption techniques. Remote access to the organization’s
network and resources will only be permitted providing that authorized users are
authenticated, data is encrypted across the network, and privileges are restricted.
The Intermediate System serves as a proxy for the remote user. Rather than allowing all the
protocols the user might need to access Cyber Assets inside the Electronic Security Perimeter to
traverse from the Electronic Security Perimeter to the remote computer, only the protocol
required for remotely controlling the jump host is required. This allows the firewall rules to be
much more restrictive than if the remote computer was allowed to connect to Cyber Assets
within the Electronic Security Perimeter directly. The use of an Intermediate System also
protects the Cyber Asset from vulnerabilities on the remote computer.
The use of multi-factor authentication provides an added layer of security. Passwords can be
guessed, stolen, hijacked, found, or given away. They are subject to automated attacks
including brute force attacks, in which possible passwords are tried until the password is found,
or dictionary attacks, where words and word combinations are tested as possible passwords.
But if a password or PIN must be supplied along with a one-time password supplied by a token,
a fingerprint, or some other factor, the password is of no value unless the other factor(s) used
for authentication are acquired along with it.
Page 21 of 23
�CIP-005-6 Supplemental Material
Encryption is used to protect the data that is sent between the remote computer and the
Intermediate System. Data encryption is important for anyone who wants or needs secure data
transfer. Encryption is needed when there is a risk of unauthorized interception of
transmissions on the communications link. This is especially important when using the Internet
as the communication means.
Requirement R2 Parts 2.4 and 2.5 addresses Order No. 829 directives for controls on vendorinitiated remote access to BES Cyber Systems covering both user-initiated and machine-tomachine vendor remote access (P. 51). The objective is to mitigate potential risks of a
compromise at a vendor during an active remote access session with a Responsible Entity from
impacting the BES.
The objective of Requirement R2 Part 2.4 is for entities to have visibility of active vendor
remote access sessions (including Interactive Remote Access and system-to-system remote
access) that are taking place on their system. This scope covers all remote access sessions with
vendors. The obligation in Part 2.4 requires entities to have a method to determine active
vendor remote access sessions. While not required, a solution that identifies all active remote
access sessions, regardless of whether they originate from a vendor, would meet the intent of
this requirement. The objective of Requirement R2 Part 2.5 is for entities to have the ability to
disable active remote access sessions in the event of a system breach as specified in Order No.
829 (P. 52).
The scope of Requirement R2 in CIP-005-6 is expanded from approved CIP-005-5 to address all
remote access management, not just Interactive Remote Access. If a Responsible Entity does
not allow remote access (system-to-system or Interactive Remote Access) then the Responsible
Entity need not develop a process for each of the subparts in Requirement R2. The entity could
document that it does not allow remote access to meet the reliability objective.
The term vendor(s) as used in the standard is limited to those persons, companies, or other
organizations with whom the Responsible Entity, or its affiliates, contracts with to supply BES
Cyber Systems and related services. It does not include other NERC registered entities providing
reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to
NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or
manufacturers of information systems, system components, or information system services; (ii)
product resellers; or (iii) system integrators
Summary of Changes: This is a new requirement to continue the efforts of the Urgent Action
team for Project 2010-15: Expedited Revisions to CIP-005-3.
Reference to prior version: (Part 2.1) New
Change Rationale: (Part 2.1)
This is a new requirement to continue the efforts of the Urgent Action team for Project 2010-15:
Expedited Revisions to CIP-005-3.
Page 22 of 23
�CIP-005-6 Supplemental Material
Reference to prior version: (Part 2.2) CIP-007-5, R3.1
Change Rationale: (Part 2.2)
This is a new requirement to continue the efforts of the Urgent Action team for Project 2010-15:
Expedited Revisions to CIP-005-3. The purpose of this part is to protect the confidentiality and
integrity of each Interactive Remote Access session.
Reference to prior version: (Part 2.3) CIP-007-5, R3.2
Change Rationale: (Part 2.3)
This is a new requirement to continue the efforts of the Urgent Action team for Project 2010-15:
Expedited Revisions to CIP-005-3. The multi-factor authentication methods are also the same as
those identified in the Homeland Security Presidential Directive 12 (HSPD-12), issued August 12,
2007.
.
Page 23 of 23
�
| File Type | application/pdf |
| File Title | Item 2a(i)_CIP-005-6_clean_apr_17_2017 |
| Author | Laura Anderson |
| File Modified | 2017-09-15 |
| File Created | 2017-09-15 |