National Academies Press: OpenBook

Terrorism and the Electric Power Delivery System (2012)

Chapter:Appendix E: Summary of NERC Cyber Security Standards

« Previous: Appendix D: Acronyms
Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×

E

Summary of NERC Cyber Security Standards

The stated purpose of mandatory NERC Standards CIP-002 through CIP-009 is to provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system. These standards recognize the differing roles of each entity in the operation of the bulk electric system, the criticality and vulnerability of the assets needed to manage bulk electric system reliability, and the risks to which they are exposed. Responsible entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.

Business and operational demands for managing and maintaining a reliable bulk electric system increasingly rely on cyber assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data, resulting in increased risks to these cyber assets.

Standard CIP-002 requires the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the bulk electric system. These critical assets are to be identified through the application of an annual risk-based assessment that identifies and documents the risk-based assessment methodology used to identify critical assets. The responsible entity is required to maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria.

The risk-based assessment shall consider the following assets: control centers and backup control centers; transmission substations that support the reliable operation of the bulk electric system; generation resources that support the reliable operation of the bulk electric system; systems and facilities critical to system restoration, including black-start generators and substations in the electrical path of transmission lines used for initial system restoration; systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more; special protection systems that support the reliable operation of the bulk electric system; and any additional assets that support the reliable operation of the bulk electric system that the responsible entity deems appropriate to include in its assessment.

Using this list of critical assets, the responsible entity must develop a list of associated critical cyber assets essential to the operation of the critical asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange. Critical cyber assets are further qualified if they have at least one of the following characteristics: the cyber asset uses a routable protocol to communicate outside the electronic security perimeter, or the cyber asset uses a routable protocol within a control center, or the cyber asset is dial-up accessible.

To ensure compliance, a senior manager or delegate(s) must approve annually the list of critical assets and the list of critical cyber assets and keep a signed and dated record of the approval.

SECURITY MANAGEMENT CONTROLS: THREATS AND RISKS

Responsible entities must have minimum security management controls in place to protect critical cyber assets. The first step in complying with this charge is the development and implementation of a cyber security policy that represents management’s commitment and ability to secure its critical cyber assets. The responsible entity shall, at a minimum,

_____________________

NOTE: This appendix provides a modified summary recitation of the NERC cyber security standards, available at http://www.nerc.com/~flez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection (accessed November 2007). These standards have been reformatted and to some degree paraphrased in order to enhance their readability among diverse audiences.

Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×

ensure the following: This cyber security policy must be readily available to all personnel who have access to, or are responsible for, critical cyber assets.

The responsible entity must assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, the policy. This senior manager shall be identified by name, title, business phone, business address, and date of designation. Changes to the senior manager must be documented within 30 calendar days of the effective date. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.

Information Protection

The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists of critical assets, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.

The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

Access Control

The responsible entity must document and implement a program for managing access to protected critical cyber asset information. The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. Personnel are identified by name, title, business phone, and the information for which they are responsible for authorizing access. At least annually, the responsible entity must review the access privileges to protected information to confirm that access privileges are correct and that they correspond with the responsible entity’s needs and appropriate personnel roles and responsibilities.

Change Control and Configuration Management

The responsible entity must establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and must implement supporting configuration management activities to identify, control, and document all entity- or vendor-related changes to hardware and software components of critical cyber assets pursuant to the change control process.

ELECTRONIC SECURITY PERIMETER(S)

The identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter, are required.

Electronic Security Perimeter

The responsible entity must ensure that every critical cyber asset resides within an electronic security perimeter. The responsible entity must identify and document the electronic security perimeter(s) and all access points to the perimeter(s).

1. Access points to the electronic security perimeter(s) must include any externally connected communication end point (for example, dial-up modems) terminating at any device within the electronic security perimeter(s).

2. For a dial-up-accessible critical cyber asset that uses a non-routable protocol, the responsible entity must define an electronic security perimeter for that single access point at the dial-up device.

3. Communication links connecting discrete electronic security perimeters must not be considered part of the electronic security perimeter. However, end points of these communication links within the electronic security perimeter(s) must be considered access points to the electronic security perimeter(s).

4. Any non-critical cyber asset within a defined electronic security perimeter must be identified and protected.

5. Cyber assets used in the access control and monitoring of the electronic security perimeter(s) must be afforded certain protective measures.

6. The responsible entity must maintain documentation on the electronic security perimeter(s), all interconnected critical and non-critical cyber assets within the electronic security perimeter(s), all electronic access points to the electronic security perimeter(s), and the cyber assets deployed for the access control and monitoring of these access points.

Electronic Access Controls

The responsible entity must implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter(s).

Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×

1. These processes and mechanisms must use an access control model that denies access by default, such that explicit access permissions must be specified.

2. At all access points to the electronic security perimeter(s), the responsible entity must enable only ports and services required for operations and for monitoring cyber assets within the electronic security perimeter, and must document, individually or by specified grouping, the configuration of those ports and services.

3. The responsible entity must maintain a procedure for securing dial-up access to the electronic security perimeter(s).

4. Where external interactive access into the electronic security perimeter has been enabled, the responsible entity must implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

5. The required documentation must, at least, identify and describe:

•   The processes for access request and authorization,

•   The authentication methods,

•   The review process for authorization rights, and

•   The controls used to secure dial-up accessible connections.

6. Where technically feasible, electronic access control devices must display an appropriate-use banner on the user screen upon all interactive access attempts. The responsible entity must maintain a document identifying the content of the banner.

Monitoring Electronic Access

The responsible entity must implement and document an electronic or manual process(es) for monitoring and logging access at access points to the electronic security perimeter(s) 24 hours a day, 7 days a week.

1. For dial-up-accessible critical cyber assets that use non-routable protocols, the responsible entity must implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.

2. Where technically feasible, the security monitoring process(es) must detect and alert for attempts at or actual unauthorized accesses. These alerts must provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the responsible entity must review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days

Cyber Vulnerability Assessment

The responsible entity must perform a cyber vulnerability assessment of the electronic access points to the electronic security perimeter(s) at least annually. The vulnerability assessment must include, at a minimum, the following:

1. A document identifying the vulnerability assessment process;

2. A review to verify that only ports and services required for operations at these access points are enabled;

3. The discovery of all access points to the electronic security perimeter;

4. A review of controls for default accounts, passwords, and network management community strings; and

5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

Documentation Review and Maintenance

The responsible entity must review, update, and maintain all documentation to support compliance with the requirements, including the following:

1. The responsible entity must ensure that all documentation required reflects current configurations and processes and must review the documents and procedures at least annually.

2. The responsible entity must update the documentation to reflect the modification of the network or controls within 90 calendar days of the change.

3. The responsible entity must retain electronic access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements.

INCIDENT REPORTING AND RESPONSE PLANNING

Cyber Security Incident Response Plan

The responsible entity must develop and maintain a cyber security incident response plan. The cyber security incident response plan must address, at a minimum, the following:

1. Procedures to characterize and classify events as reportable cyber security incidents.

2. Response actions, including roles and responsibilities of incident response teams, incident handling procedures, and communication plans.

3. Process for reporting cyber security incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). The responsible entity must

Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×

    ensure that all reportable cyber security incidents are reported to the ES ISAC either directly or through an intermediary.

4. Process for updating the cyber security incident response plan within 90 calendar days of any changes.

5. Process for ensuring that the cyber security incident response plan is reviewed at least annually.

6. Process for ensuring that the cyber security incident response plan is tested at least annually. A test of the incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident.

Cyber Security Incident Documentation

The responsible entity must keep relevant documentation.

PHYSICAL SECURITY OF CRITICAL CYBER ASSETS

The implementation of a physical security program is intended to ensure the protection of critical cyber assets.

Physical Security Plan

The responsible entity must create and maintain a physical security plan, approved by a senior manager or delegate(s), that must address, at a minimum, the following:

1. Processes to ensure and document that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the responsible entity must deploy and document alternative measures to control physical access to the critical cyber assets.

2. Processes to identify all access points through each physical security perimeter and measures to control entry at those access points.

3. Processes, tools, and procedures to monitor physical access to the perimeter(s).

4. Procedures for the appropriate use of physical access controls, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.

5. Procedures for reviewing access authorization requests and revocation of access authorization.

6. Procedures for escorted access within the physical security perimeter of personnel not authorized for unescorted access.

7. Process for updating the physical security plan within 90 calendar days of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the physical security perimeter, physical access controls, monitoring controls, or logging controls.

8. Means for ensuring that cyber assets used in the access control and monitoring of the physical security perimeter(s) are afforded the same protective measures as other cyber assets.

9.  Process for ensuring that the physical security plan is reviewed at least annually.

Physical Access Controls

The responsible entity must document and implement the operational and procedural controls to manage physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. The responsible entity must implement one or more of the following physical access methods:

1. Card key. A means of electronic access whereby the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.

2. Special locks. These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.

3. Security personnel. Personnel who are responsible for controlling physical access and who might reside on-site or at a monitoring station.

4. Other authentication devices. Biometric, keypad, token, or other equivalent devices that control physical access to critical cyber assets.

Monitoring Physical Access

The responsible entity must document and implement the technical and procedural controls for monitoring physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. Unauthorized access attempts must be reviewed immediately and handled in accordance with established procedures. One or more of the following monitoring methods must be used:

1. Alarm systems. Systems that alarm to indicate that a door, gate, or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.

2. Human observation of access points. Monitoring of physical access points by authorized personnel.

Logging Physical Access

Logging must record sufficient information to uniquely identify individuals and the time of access 24 hours a day, 7 days a week. The responsible entity must implement and document the technical and procedural mechanisms for log-

Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×

ging physical entry at all access points to the physical security perimeter(s) using one or more of the following logging methods or their equivalent:

1. Computerized logging. Electronic logs produced by the responsible entity’s selected access control and monitoring method.

2. Video recording. Electronic capture of video images of sufficient quality to determine identity.

3. Manual logging. A log book, sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access.

Access Log Retention

The responsible entity must retain physical access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements of Standard CIP-008.

Maintenance and Testing

The responsible entity must implement a maintenance and testing program to ensure that all physical security systems function properly. The program must include, at a minimum, the following:

1. Testing and maintenance of all physical security mechanisms on a cycle no longer than 3 years.

2. Retention of testing and maintenance records for the proper cycle documented by the responsible entity.

3. Retention of outage records regarding access controls, logging, and monitoring for a minimum of 1 calendar year.

PERSONNEL AND TRAINING

Personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, including contractors and service vendors, are required to have an appropriate level of personnel risk assessment, training, and security awareness.

Awareness

The responsible entity must establish, maintain, and document a security awareness program to ensure that personnel having authorized cyber or authorized unescorted physical access receive ongoing reinforcement in sound security practices. The program must include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

•   Direct communications (e.g., e-mails, memos, computer based training, etc.);

•   Indirect communications (e.g., posters, intranet, brochures, etc.);

•   Management support and reinforcement (e.g., presentations, meetings, etc.).

Training

The responsible entity must establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and review the program annually and update as necessary.

This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained within 90 calendar days of such authorization.

Training must cover the policies, access controls, and procedures as developed for the critical cyber assets and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:

•   The proper use of critical cyber assets;

•   Physical and electronic access controls to critical cyber assets;

•   The proper handling of critical cyber asset information; and

•   Action plans and procedures to recover or re-establish critical cyber assets and access thereto following a cyber security incident.

The responsible entity must maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.

Personnel Risk Assessment

The responsible entity must have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment must be conducted pursuant to that program within 30 days of such personnel being granted such access. Such program must at a minimum include the following:

1. The responsible entity must ensure that each assessment conducted includes, at least, identity verification (e.g., Social Security number verification in the United States) and a 7-year criminal check. The responsible entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending on the criticality of the position.

Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×

2. The responsible entity must update each personnel risk assessment at least every 7 years after the initial personnel risk assessment or for cause.

3. The responsible entity must document the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and must document that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004.

Access

The responsible entity must maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets.

•   The responsible entity must review quarterly the list(s) of its personnel who have such access to critical cyber assets, and update the list(s) within 7 calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The responsible entity must ensure that access list(s) for contractors and service vendors are properly maintained.

•   The responsible entity must revoke such access to critical cyber assets within 24 hours for personnel terminated for cause and within 7 calendar days for personnel who no longer require such access to critical cyber assets.

RECOVERY PLANS FOR CRITICAL CYBER ASSETS

Recovery plan(s) must be in place for critical cyber assets, and these plans must follow established business continuity and disaster recovery techniques and practices. The responsible entity must comply with the following requirements.

Recovery Plans

The responsible entity must create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) must address at a minimum the following:

1. Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s).

2. Define the roles and responsibilities of responders.

Exercises

The recovery plan(s) must be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident.

Change Control

Recovery plan(s) must be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates must be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within 90 calendar days of the change.

Backup and Restore

The recovery plan(s) must include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc.

Testing Backup Media

Information essential to recovery that is stored on backup media must be tested at least annually to ensure that the information is available. Testing can be completed off-site.

Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×
Page128
Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×
Page129
Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×
Page130
Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×
Page131
Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×
Page132
Suggested Citation:"Appendix E: Summary of NERC Cyber Security Standards." National Research Council. 2012. Terrorism and the Electric Power Delivery System. Washington, DC: The National Academies Press. doi: 10.17226/12050.
×
Page133
Next: Appendix F: Substation Configurations »
Terrorism and the Electric Power Delivery System Get This Book
×
Buy Paperback | $49.00 Buy Ebook | $39.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles, and many key facilities are unguarded. This vulnerability is exacerbated by the fact that the power grid, most of which was originally designed to meet the needs of individual vertically integrated utilities, is being used to move power between regions to support the needs of competitive markets for power generation. Primarily because of ambiguities introduced as a result of recent restricting the of the industry and cost pressures from consumers and regulators, investment to strengthen and upgrade the grid has lagged, with the result that many parts of the bulk high-voltage system are heavily stressed.

Electric systems are not designed to withstand or quickly recover from damage inflicted simultaneously on multiple components. Such an attack could be carried out by knowledgeable attackers with little risk of detection or interdiction. Further well-planned and coordinated attacks by terrorists could leave the electric power system in a large region of the country at least partially disabled for a very long time. Although there are many examples of terrorist and military attacks on power systems elsewhere in the world, at the time of this study international terrorists have shown limited interest in attacking the U.S. power grid. However, that should not be a basis for complacency. Because all parts of the economy, as well as human health and welfare, depend on electricity, the results could be devastating.

Terrorism and the Electric Power Delivery System focuses on measures that could make the power delivery system less vulnerable to attacks, restore power faster after an attack, and make critical services less vulnerable while the delivery of conventional electric power has been disrupted.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!