Project 2008-06 Cyber Security Order 706
January 10, 2012
Most of the material presented has been compiled from NERC webinars and drafting team meetings.


Ballot Results
 CIP Cyber Security: Quorum 93.62%, Approval 22.09%
 CIP Cyber Security: Quorum 93.62%, Approval 33.49%
 CIP Cyber Security: Quorum 93.62%, Approval 26.82%
 CIP Cyber Security: Quorum 93.62%, Approval 28.04%
 CIP Cyber Security: Quorum 93.61%, Approval 29.60%
 CIP Cyber Security: Quorum 93.61%, Approval 24.15%
 CIP Cyber Security: Quorum 94.02%, Approval 34.30%
 CIP Cyber Security: Quorum 93.61%, Approval 27.28%
 CIP Cyber Security: Quorum 93.61%, Approval 26.61%
 CIP Cyber Security: Quorum 93.61%, Approval 29.88%
 CIP V5 Implementation Plan: Quorum 92.15%, Approval 42.06%
 CIP V5 Definitions: Quorum 92.56%, Approval 25.34%

 The drafting team will consider all comments and determine what changes to make to each of the standards, the implementation plan, and the definitions.
 After the drafting team has revised the standards, they will be submitted, along with the team’s Consideration of Comments, for quality review and subsequently posted for a successive ballot.

 Consideration of comments: January 6 – March
 day posting for comment and successive ballot: March 26 – April 27
 Possible recirculation ballot: June 6–22

 Critical Assets
◦ Replaced by CIP-002 Attachment 1 and the BES Reliability Operating Services definition
 Critical Cyber Assets
◦ Replaced by BES Cyber Asset and BES Cyber System
 Physical Security Perimeter
◦ Replaced by Defined Physical Boundary
◦ No more “six-wall” specification

 Cyber Assets
◦ Programmable electronic devices, including the hardware, software, and data in those devices
 BES Cyber Asset
◦ A Cyber Asset that, if rendered unavailable, degraded, or misused, would, within 15 minutes of its operation, misoperation, or non-operation when required, adversely impact one or more BES Reliability Operating Services
 BES Cyber System
◦ One or more BES Cyber Assets that are typically grouped together, logically or physically, to operate one or more BES Reliability Operating Services
◦ Largely replaces Critical Cyber Asset
◦ Provides an opportunity for controls to be applied at a system level

 High Impact
◦ Large Control Centers
◦ CIP-003 through 009+
 Medium Impact
◦ Generation and Transmission
◦ Other Control Centers
◦ Similar to CIP-003 to 009 v4
 All other BES Cyber Systems
◦ Security Policy
◦ Security Awareness
◦ Incident Response
◦ Boundary Protection

 Categorized list of High and Medium Impact
 Attachment 1 criteria
 Other BES Cyber Systems deemed to be Low Impact by default
 Update required lists for significant changes to the BES that affect High/Medium categorization
 Senior manager or delegate annual review and approval
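As an added example (not from the slides or the drafting team), the following Python script applies the three definitions and the categorization rules above to a constructed asset inventory: the 15-minute test decides which Cyber Assets are BES Cyber Assets, qualifying assets roll up into BES Cyber Systems, Attachment 1 results (assumed already evaluated and passed in as a dictionary) set High or Medium while everything else defaults to Low, and a comparison of two categorized lists flags the changes that require an updated list and approval. Asset names, system names and service labels are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class CyberAsset:
    """Programmable electronic device: hardware, software and the data on it."""
    name: str
    system: str                 # candidate BES Cyber System the device is grouped under
    services: List[str]         # BES Reliability Operating Services it supports
    impact_within_15_min: bool  # loss, degradation or misuse hurts a service within 15 minutes

def is_bes_cyber_asset(asset: CyberAsset) -> bool:
    # v5 test: qualifies only if unavailability, degradation or misuse would adversely
    # impact at least one BES Reliability Operating Service within 15 minutes.
    return bool(asset.services) and asset.impact_within_15_min

def group_into_systems(assets: List[CyberAsset]) -> Dict[str, List[str]]:
    # Group qualifying assets into BES Cyber Systems so controls apply at system level;
    # devices failing the 15-minute test drop out of scope here.
    systems: Dict[str, List[str]] = {}
    for a in assets:
        if is_bes_cyber_asset(a):
            systems.setdefault(a.system, []).append(a.name)
    return systems

def categorize(systems: Dict[str, List[str]], attachment1: Dict[str, str]) -> Dict[str, str]:
    # Attachment 1 criteria (assumed evaluated elsewhere) give the High/Medium list;
    # every other BES Cyber System is Low Impact by default.
    return {s: attachment1.get(s, "Low") for s in systems}

def changes_requiring_update(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    # Differences that force an update of the categorized lists and a fresh senior
    # manager (or delegate) approval: new systems, retired systems, tier changes.
    notes = []
    for s in sorted(set(previous) | set(current)):
        before, after = previous.get(s), current.get(s)
        if before != after:
            notes.append(f"{s}: {before or 'not listed'} -> {after or 'retired'}")
    return notes

# Constructed sample inventory; names, systems and service labels are placeholders.
SAMPLE_ASSETS = [
    CyberAsset("ems-scada-01", "EMS", ["ROS-1", "ROS-2"], True),
    CyberAsset("ems-hist-01", "EMS", ["ROS-1"], False),       # historian: no 15-minute impact
    CyberAsset("rtu-sub-07", "Substation-7", ["ROS-3"], True),
    CyberAsset("badge-srv-01", "Physical-Access", [], True),  # supports no BES service
]
SAMPLE_ATTACHMENT1 = {"EMS": "High"}  # Substation-7 is not listed, so it falls to Low
TIERS = categorize(group_into_systems(SAMPLE_ASSETS), SAMPLE_ATTACHMENT1)
print(TIERS, changes_requiring_update({"EMS": "Medium"}, TIERS))
```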

 CIP was reorganized to only include elements of policy and cyber security program governance.
◦ Elements that addressed Change Control and Configuration Management were moved to CIP
◦ Elements that address Information Protection were moved to CIP-011-5

CIP Summary of Modifications (1/2)
 Training
◦ Addition of visitor control program
◦ Reorganization of requirements into the respective requirements for “program” and “implementation” of the training
 Personnel Risk Assessment
◦ Changed to only initial identity verification
◦ Now includes documenting the processes used to determine when to deny access
◦ Reorganization of requirements into the respective requirements for “program” and “implementation”

CIP Summary of Modifications (2/2)
 Authorization
◦ Consolidated authorization and review requirements from CIP-003-4, CIP-004-4, CIP and CIP
◦ Allow quarterly and annual reviews to find and fix problems rather than self-report everything as a violation
 Revocation
◦ Remove ability to access BES Cyber System when access is no longer needed

 Define ‘External Connectivity’ for scope modification
 Focus on ‘Electronic Access Points’ vs. ESP
 Require IDS at Control Centers
 Add clarity to ‘secure’ dial-ups
 Consolidated Monitoring and Vulnerability Assessment requirements in CIP-007 and CIP-011 respectively
 Removed Appropriate Use Banner
 Incorporated CIP Urgent Action revisions

CIP Summary of Modifications
 Physical Security Program
◦ Must define the operational or procedural controls to restrict physical access
◦ Removed current “6 wall” wording to instead require a Defined Physical Boundary
◦ For High Impact, added the need to utilize two or more different and complementary physical access controls to restrict physical access
◦ Testing changed to a 24-month cycle, with ongoing discussions of different cycles based on environment

 Addition of physical I/O port requirement
 Security patch management source requirement
 Non-prescriptive malware requirement
 Security Event Monitoring failure handling
 Bi-weekly log summary/sampling reviews

 Simplified access-control requirements; removed TFE language while strengthening password requirements
 Added requirement for maintenance devices
 Consolidated vulnerability assessment in CIP
 Disposal requirement moved to CIP-011-5

 Defined Reportable Cyber Security Incident for clearer
 Working to harmonize with EOP
 Includes additional specification on update and lessons learned associated with the response plan

 Added requirement to implement the response plan
 Verification of backup media information prior to storage
 Preservation of data for analysis

 Consolidates all references to Configuration Change Management and Vulnerability Assessments
◦ Previously these requirements were dispersed throughout CIP-003-4, CIP-005-4, and CIP-007-4

 Consolidates all references to Information Protection and Media Sanitization
◦ Previously these requirements were dispersed throughout CIP and CIP
 Requirements for authorization and revocation of access to BES Cyber System Information moved to CIP
 Shifts the focus of the requirements for media sanitization from the Cyber Asset to the information itself

 18 Months Minimum – The standards shall become effective on the later of January 1, 2015, or the first calendar day of the seventh calendar quarter after the date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP through CIP do not become effective, and CIP through CIP remain in effect and are not retired, until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.
 In jurisdictions where CIP through CIP have not yet become effective according to their implementation plan (even if approved by order), this implementation plan and the Version 5 CIP Cyber Security Standards supersede and replace the implementation plan and standards for CIP through CIP.