Project 2008-06 Cyber Security Order 706
January 10, 2012
Most of the material presented has been compiled from NERC webinars
and drafting team meetings
Ballot
CIP-002-5 Cyber Security
CIP-003-5 Cyber Security
CIP-004-5 Cyber Security
CIP-005-5 Cyber Security
CIP-006-5 Cyber Security
CIP-007-5 Cyber Security
CIP-008-5 Cyber Security
CIP-009-5 Cyber Security
CIP-010-5 Cyber Security
CIP-011-5 Cyber Security
CIP V5 Implementation Plan
CIP V5 Definitions
Results
Quorum: 93.62%
Approval: 22.09%
Quorum: 93.62%
Approval: 33.49%
Quorum: 93.62%
Approval: 26.82%
Quorum: 93.62%
Approval: 28.04%
Quorum: 93.61%
Approval: 29.60%
Quorum: 93.61%
Approval: 24.15%
Quorum: 94.02%
Approval: 34.30%
Quorum: 93.61%
Approval: 27.28%
Quorum: 93.61%
Approval: 26.61%
Quorum: 93.61%
Approval: 29.88%
Quorum: 92.15%
Approval: 42.06%
Quorum: 92.56%
Approval: 25.34%


The drafting team will consider all comments and
determine what changes to make to each of the
standards, the implementation plan, and the
definitions.
After the drafting team has revised the standards,
they will be submitted, along with the team’s
Consideration of Comments, for quality review and
subsequently posted for a successive ballot.
January 6 –
March 26
• Consideration of comments
March 26 –
April 27
• 30-day posting for comment
and successive ballot
June 6–22
• Possible Recirculation ballot

Critical assets
 Replaced by CIP-002 Attachment 1 and BES Reliability
Operating Services definition

Critical cyber assets
 Replaced by BES Cyber Asset and BES Cyber System

Physical security perimeter
 Replaced by Defined Physical Boundary
 No more “six-wall” specification

Cyber Assets

BES Cyber Asset

BES Cyber System
Programmable electronic devices including the
hardware, software, and data in those devices
A Cyber Asset that if rendered unavailable,
degraded, or misused would, within 15 minutes of its operation, misoperation, or non-operation, when required, adversely impact one or more
BES Reliability Operating Services
One or more BES Cyber Assets that are typically
grouped together, logically or physically, to operate one or more BES
Reliability Operating Services
 Largely replaces Critical Cyber Asset
 Provides an opportunity for controls to be applied at a system level



High Impact
◦ Large Control Centers
◦ CIP-003 through 009+
Medium Impact
◦ Generation and Transmission
◦ Other Control Centers
◦ Similar to CIP-003 to 009 v4
All other BES Cyber Systems
◦ Security Policy
◦ Security Awareness
◦ Incident Response
◦ Boundary Protection

Categorized list of High and Medium Impact
 Attachment 1 criteria



Other BES Cyber Systems deemed to be Low Impact
by default
Update required lists for significant changes to BES
that affect High/Medium categorization
Senior manager or delegate annual review and
approval

CIP-003-5 was reorganized to only include
elements of policy and cyber security
program governance.
◦ Elements that addressed Change Control and
Configuration Management were moved to CIP010-5
◦ Elements that address Information Protection were
moved to CIP-011-5

Training
◦ Addition of visitor control program
◦ Reorganization of requirements into the respective
requirements for “program” and “implementation” of
the training.

Personnel Risk Assessment
◦ Changed to only initial identity verification
◦ Now includes documenting the processes used to
determine when to deny access
◦ Reorganization of requirements into the respective
requirements for “program” and “implementation”

Authorization
◦ Consolidated authorization and review
requirements from CIP-003-4, CIP-004-4, CIP006-4 and CIP-007-4
◦ Allow quarterly and annual reviews to find and fix
problems rather than self-report everything as a
violation

Revocation
◦ Remove ability to access BES Cyber System when
access no longer needed







Define ‘External Connectivity’ for scope
modification
Focus on ‘Electronic Access Points’ vs. ESP
Require IDS at Control Centers
Add clarity to ‘secure’ dialups
Consolidated Monitoring and Vulnerability
Assessment Requirements in CIP-007 and
CIP-011 respectively
Removed Appropriate Use Banner
Incorporated CIP-005-4 Urgent Action
revisions

Physical Security Program
◦ Must define the operational or procedural controls
to restrict physical access
◦ Removed current “6 wall” wording to instead require
Defined Physical Boundary
◦ For High Impact, added the need to utilize two or
more different and complementary physical access
controls to restrict physical access
◦ Testing changed to a 24 month cycle with ongoing
discussions of different cycles based on
environment.





Addition of physical I/O port requirement
Security Patch management source
requirement
Non-prescriptive malware requirement
Security Event Monitoring failure handling
Bi-weekly log summary/sampling reviews




Simplified access-control requirements,
removed TFE language while strengthening
password requirements
Added requirement for maintenance devices
Consolidated vulnerability assessment in CIP010-5
Disposal requirement moved to CIP-011-5



Defined Reportable Cyber Security Incident
for clearer
Working to harmonize with EOP-004-2
Includes additional specification on update
and lessons learned associated with the
response plan.



Added requirement to implement the
response plan.
Verification of backup media information
prior to storage
Preservation of data for analysis

Consolidates all references to Configuration
Change Management and Vulnerability
Assessments.
◦ Previously these requirements were dispersed
throughout CIP-003-4, CIP-005-4, and CIP-007-4

Consolidates all references to Information
Protection and Media Sanitization.
◦ Previously these requirements were dispersed
throughout CIP-003-4 and CIP-007-4


Requirements for authorization and
revocation of access to BES Cyber System
Information moved to CIP-004-5.
Shifts the focus of the requirements for
media sanitization from the Cyber Asset to
the information itself.


18 Months Minimum – The standards shall become
effective on the later of January 1, 2015, or the first
calendar day of the seventh calendar quarter after the date
of the order providing applicable regulatory approval.
Notwithstanding any order to the contrary, CIP-002-4
through CIP-009-4 do not become effective, and CIP-0023 through CIP-009-3 remain in effect and are not retired
until the effective date of the Version 5 CIP Cyber Security
Standards under this implementation plan.
In jurisdictions where CIP-002-4 through CIP-009-4 have
not yet become effective according to their
implementation plan (even if approved by order), this
implementation plan and the Version 5 CIP Cyber Security
Standards supersede and replace the implementation plan
and standards for CIP-002-4 through CIP-009-4.