Hot Topics in the CIP Standards, Second Quarter 2010
Questions by Audience, Answers by RFC Staff
June 22, 2010

Questions

Questions should be e-mailed to Matt Thomas, Subject: “CIP
Questions will be considered in the order they are received.
Clarifying questions are welcome and we’ll do our best to answer them during the question period.
Challenges to a position should be addressed to the presenter and will be taken offline.

Q1
Q: Should printers that reside within the Electronic Security Perimeter be considered Critical Cyber Assets under CIP-002?
A: There is no firm answer for this. If the printers are “essential to the operation” of your Critical Asset, and communicate within a control center or outside an ESP with a routable protocol, then yes. Keep in mind that “essential to the operation” is more than availability; confidentiality and integrity are factors also. If real-time operational decisions are made based on prints made on these printers, then they should probably be identified as Critical Cyber Assets. Whether the printers are Critical Cyber Assets or not, if they contain hard drives and reside within an ESP, then keep in mind the requirements of CIP-007 R7.

Q2
Q: Does the requirement to document testing under CIP-007 Requirement R1 require a Responsible Entity to produce screen shots of the testing performed? For example, if a particular test case requires a test step to modify a file's date/size, will the test case results suffice as evidence of compliance, or is the Responsible Entity expected to provide screen shots to prove that the change was made?
A: Without observing the exact circumstances, a direct yes/no answer is not possible. However, this is a question about the sufficiency of evidence that arises frequently. Evidence used to demonstrate compliance must be sufficient to lead a prudent person to conclude that the action, in this case testing, took place. If you are not certain the evidence you are keeping is sufficient, you can use “stacking” evidence (additional evidence supporting the conclusion) to strengthen your case. Keep in mind that the testing required by CIP-007 R1 is for adverse impact on existing cyber security controls.

Q3
Q: Under CIP-007 Requirement R7, what is the approved method for cleansing a Cyber Asset that is being removed from the Electronic Security Perimeter?
A: There is no method approved for this process. The requirement is to “destroy or erase the data storage media.” Deletion of files does not qualify as erasing the media, but any wiping protocol will suffice until more specifics are published by NERC.
Q: Additionally, what evidence is necessary to demonstrate that the device was properly cleansed prior to redeployment outside of the ESP?
A: Generally an entity will keep records of the destruction or re-deployment of cyber assets, with a sign-off of the date erasure of media was completed. Other methods may be used to document media erasure, but this seems to be the most common. Also see the answer to Q2 regarding sufficiency of evidence.
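Two points from Q2 and Q3 can be shown in working code: deleting files is not erasing the media, and the evidence kept should let an auditor tie the record to the action that actually took place. The following is an added example, not material from the webinar, ReliabilityFirst or NERC. It scans raw media for a known byte pattern (standing in for the contents of a deleted file, which a directory-entry delete leaves in place), overwrites every block, reads the whole device back to verify, and returns the record an entity might file with the operator's sign-off. The image file, the marker bytes, the operator name and the record field names are all constructed for the demonstration; the single zero pass is only an illustration of a wiping protocol, not a method the page or NERC prescribes.

```python
"""Media erasure with read-back verification and a sign-off record.

Added example, not ReliabilityFirst or NERC material. The image file, the
marker bytes, the operator name and the record layout are all constructed
for the demonstration; a single zero pass stands in for whatever wiping
protocol the entity has chosen.
"""
import datetime
import hashlib
import json
import os
import tempfile

BLOCK = 4096
# Stands in for the contents of a "deleted" file: removing the directory
# entry leaves these bytes on the raw media (constructed marker).
MARKER = b"EMS-SITE-CREDENTIAL-MARKER"


def contains_marker(path, marker=MARKER):
    """Scan the raw media (not the filesystem) for a known byte pattern.

    Keeps the last len(marker)-1 bytes of the previous block so a pattern
    that straddles two blocks is still found.
    """
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]


def overwrite_zero(path):
    """Single-pass zero overwrite of every block, synced to the device. Returns the size."""
    with open(path, "r+b") as fh:
        size = fh.seek(0, os.SEEK_END)  # seek-to-end also sizes a block device
        fh.seek(0)
        for offset in range(0, size, BLOCK):
            fh.write(b"\x00" * min(BLOCK, size - offset))
        fh.flush()
        os.fsync(fh.fileno())
    return size


def verify_zeroed(path):
    """Read the whole media back. Returns (all_zero, sha256_of_readback, first_nonzero_offset)."""
    digest = hashlib.sha256()
    first_bad = None
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK)
            if not chunk:
                break
            digest.update(chunk)
            if first_bad is None and chunk.count(0) != len(chunk):
                first_bad = offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)
    return first_bad is None, digest.hexdigest(), first_bad


def expected_zero_digest(size_bytes):
    """What an auditor recomputes independently: SHA-256 of size_bytes zero bytes."""
    return hashlib.sha256(b"\x00" * size_bytes).hexdigest()


def erasure_record(path, operator):
    """Wipe, verify, and build the record filed with the operator's sign-off."""
    size = overwrite_zero(path)
    ok, readback_sha256, first_bad = verify_zeroed(path)
    return {
        "media": os.path.basename(path),
        "size_bytes": size,
        "method": "single-pass zero overwrite, full read-back verification",
        "verified": ok,
        "first_nonzero_offset": first_bad,
        "readback_sha256": readback_sha256,
        "completed_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
    }


def demo():
    """Constructed image: the marker stays readable on the raw media until every block is overwritten."""
    fd, image = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(3 * BLOCK) + MARKER + os.urandom(BLOCK // 2))
    try:
        before = contains_marker(image)
        record = erasure_record(image, operator="J. Doe (constructed)")
        after = contains_marker(image)
    finally:
        os.remove(image)
    return before, after, record


if __name__ == "__main__":
    before, after, record = demo()
    print("marker readable before wipe:", before, "after wipe:", after)
    print(json.dumps(record, indent=2))
```

Against a real device, pass the unmounted device path instead of the temp image. The read-back hash is the “stacking” evidence from Q2: anyone reviewing the record can recompute the SHA-256 of the recorded number of zero bytes and compare it, so the record supports the sign-off rather than merely asserting it.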

Q4
Q: CIP-009 Requirement R2 requires that recovery plans be exercised at least annually. Does this require that the entire recovery plan, including all scenarios, must be exercised annually, or would a Responsible Entity be compliant so long as it exercises at least one of the scenarios within the recovery plan annually?
A: ReliabilityFirst has held that the annual exercise does not require all scenarios to be tested. At least one scenario MUST be exercised. It is prudent to exercise the most severe scenarios first and, over time, all scenarios. Each entity should ensure that the documentation of the exercise clearly demonstrates that the recovery plan was actually exercised. An audit team will need to be able to tie the documentation of the exercise to a particular recovery plan.

Q5
Q: Is there a requirement for a physical access control system to reside within an Electronic Security Perimeter (ESP)?
A: CIP-006 R2, Protection of Physical Access Control Systems, does not require a physical access control system to reside within a formal Physical Security Perimeter (PSP). Therefore, the physical access control system cannot be required to reside within an ESP, as the ESP would need to be protected by a PSP. Note that the physical access control system must still be protected from unauthorized physical access per CIP-006 R2.1. CIP-006 R2.2 requires that a physical access control system “be afforded the protective measures” of, among others, CIP-005 R2 and R3. This means that a physical access control system must still have electronic access controls and monitoring, but does not need the full documentation of an ESP.

Q6
Q: For the new Part B spreadsheet, when we have TFEs that are based on the software on the device or on other network devices, rather than the physical device, what should be stated for the manufacturer/model/version? For example, because Microsoft Windows Active Directory cannot meet the password complexity requirements, should those devices be listed with Microsoft Windows rather than Dell/HP/etc.?
A: The manufacturer and model should be that of the hardware device. In the version column, please put the version of the software running on the hardware, such as Windows XP with Service Pack 3.

Q7
Q: If new covered assets requiring TFEs that have already been approved are added to an ESP, or existing covered assets are removed from the ESP, when do these changes need to be communicated to ReliabilityFirst? Does this need to be done before or after the devices are installed/removed, and do these updates need to be made and sent for Part A and/or Part B forms/documents?
A: If the new covered assets are identical to the ones covered by an existing TFE, then the existing TFE may be amended to add the new assets. If the new covered assets are different from the ones in the existing TFE, then a new TFE would be required. For the installation of new assets, the amendment or new TFE must be submitted before implementation. We would like 60 days’ notice, but that is not required. Amendments for the retirement of assets should be done around the effective date of the retirement.

Q8
Q: Any update on Q14 from the last Hot Topics webinar (i.e. NERC guidance on TFEs for CIP-007 R3.2)?
Question 14 as asked then: Did FERC provide any guidance on the two additional requirements for TFEs by FERC? For example, any time a patch is not applied, should a TFE be applied?
Answer given then: RFC is waiting on guidance from NERC.
A: NERC has drafted guidance that is currently being reviewed by the Regional Entities. With regard to patches, our current position is that a TFE is required only if the vendor makes a blanket statement that patches are not allowed on their devices. For example, some EMS vendors have said that applying patches may make their software unstable and may void their warranty. All other patches must be evaluated, and the decision whether or not the patch will be applied must be documented, but a TFE is not required.

Q9
Q: If the retention period as stated in the Standard is “…the previous full calendar year…”, will that be sufficient in the event of an audit when the entity’s audit period is every three years?
A: The 706 Standard Drafting Team is working on revising the CIP standards and is aware of the issue. The Team is drafting language to resolve the document retention issue in the next version of the CIP standards. The following is an extract from the first draft of CIP-010: “Each Responsible Entity shall retain evidence for Requirements R1, R2 and R3, and Measures M1, M2 and M3 for a full calendar year or since the last audit, whichever is longer.”

Q10
Q: Any update on the roaming laptop or remote access examples from the last Hot Topics webinar?
A: There has been no activity that the ReliabilityFirst CIP team is aware of on the “wandering laptop” issue, a concern with compliance to CIP-007 R1. One hour after the close of this webinar, however, NERC posted a Compliance Application Notice on the NERC website which addresses remote access. It is available here: 3%20R3_4_clean.pdf

Q11
Q: What is the requirement regarding personal storage devices such as thumb drives, cell phones, and PDAs regarding entry to and exit from the perimeter?
A: Assuming you are referring to a Physical Security Perimeter, the CIP standards and requirements are silent on this point. As long as the devices are not used within an ESP, the presence and use of such devices are within the purview of the Entity.

Q12
Q: When defining “annual”, as in testing, some testing must be done when appropriate and is done earlier than every 12 months. If it is done early but does not show as consecutive years due to the time of the month, is that deemed non-compliant? For instance, testing 2/28/10 for the 2011 submittal and then testing 12/31/10 for the 2012 submittal. If our definition of “annual” is stated in writing as such, if not defined in the standard by NERC or RFC, is this sufficient for compliance? The concern is not only with CIP but with other standards that require testing, like Black Start and such.
A: ReliabilityFirst is currently developing its response. Please check back soon for an answer to this question.