WIXLIB

CIP--007CIP007--5 Summary of Modifications (2/2) Simplified accessaccess-controlcontrol requirements,removed TFE language while strengtheningpassword requirements Added requirement for maintenance devices CConsolidatedlid t d vulnerabilitylbilit assessmentt iin CIPCIP010-5 Disposal requirement moved to CIP-011-5August 24, 2011CSO706 SDT Webinar28

CIP-007CIP007--5 Addressing FERC Directives((Logg Review))FERC OrderOd706 Para. 525“The Commission adopts the CIP NOPR proposal to require the ERO tomodify CIP-005-1 to require logs to be reviewed more frequently than 90days, but clarifies its direction in several respects. At this time, theCommission does not believe that it is necessary to require responsibleentities to review logs daily ”FERC Order706 Para. 628“Requirement R6 of CIP-007-1 does not address the frequency with whichlog should be reviewed. Requirement R6.4 requires logs to be retained for90 calendar days. This allows a situation where logs would only be reviewed90 days after they are created. The Commission continues to believe that, ingeneral, logs should be reviewed at least weekly ” The SDT Proposes the performance of a review of logsummaries or samples every two weeks.August 24, 2011CSO706 SDT Webinar29

CIP-007CIP007--5 Addressing FERC Directives((Malware))FERC OrderOd706 Para. 620FERC Order706 Para. 622“The Commission will not adoptp Consumers’ recommendation that everyy systemyin an electronicsecurity perimeter does not need antivirus software. Critical cyber assets must be protected,regardless of the operating system being used. Consumers has not provided convincing evidencethat any specific operating system is not directly vulnerable to virus attacks. Virus technologychanges every day. Therefore we believe it is in the public interest to protect all cyber assetswithin an electronic security perimeter, regardless of the operating system being used ”“The Commission also directs the ERO to modify Requirement R4 to include safeguards againstpersonnel introducing, either maliciously or unintentionally, viruses or malicious software to acyber asset within the electronic security perimeter through remote access, electronic media, orother means, consistent with our discussion above. Rewrote the requirement as a competency basedrequirement that does not prescribe technology. Added Maintenance to cover malware onremovable media.August 24, 2011CSO706 SDT Webinar30

CIP-007CIP007--5 Addressing FERC Directives((Ports & Services))MarchMh 18thOrder onports/services“The Commission recognizes and encourages NERC’s intention toaddress physical ports to eliminate the current gap in protection as partof its ongoing CIP Reliability Standards project scheduled forcompletion by the end of 2010. Should this effort fail to address theissue, however, the Commission will take appropriate action, whichcould include directing NERC to produce a modified or new standardth t includesthati l d securityit off physicalh i l ports.”t ” The SDT proposes to address this directive byhaving a requirement to disable or restrict use ofphysicalh i l I/O portstAugust 24, 2011CSO706 SDT Webinar31

CIP--008CIP008--5 Summary of Modifications Defined Reportable Cyber Security Incident Working to harmonize with EOP-004-2 Includes additional specification on update andlessons learned associated with the responseplanlAugust 24, 2011CSO706 SDT Webinar32

CIP--008CIP008--5 Addressing FERC DirectivesFERCOrder 706Para.a a 66661“the Commission directs the ERO to develop a modification to CIP-008-1 to: (1)include language that takes into account a breach that may occur through cyber orphysical means; (2) harmonize, but not necessarily limit, the meaning of the termreportable incident with other reporting mechanisms, such as DOE Form OE 417;(3) recognize that the term should not be triggered by ineffectual and untargetedattacks that proliferate on the internet; and (4) ensure that the guidance languagethat is developed results in a Reliability Standard that can be audited andenforced.”fd”A11. Added: Reportable Cyber Security Incidents are either: Any malicious act or suspicious event or events that compromise, or was an attempt to compromise, the Electronic Security Perimeter orPhysical Security Perimeter of a BES Cyber System.orAny event or events which have either impacted or have the potential to impact the reliability of the Bulk Electric System (ReliabilityFunction CIP-002-5).2. Retired R1.3 which contained provisions for reporting Cyber Security Incidents. This is now addressed in EOP-004-2, Requirement 1, Part1 3 Will need1.3.d to givei iinstructioni to report as a “Reportable“Rbl CCyberb SSecurityi Event”E” ini EOPEOP-004004 space.3. See R1.1 above4. Guidance and measurements are being developed accordinglyAugust 24, 2011CSO706 SDT Webinar33

Slide 33A1Rework text format to be consistent with other slide formats (bullets and fonts).Applied to tother slides in CIP-008 and CIP-009 aswell.Author, 8/19/2011

CIP--008CIP008--5 Addressing FERC DirectivesFERCOrder 706Para.aa 66733“The Commission adopts the CIP NOPR proposal to directthe ERO to modifymodif CIPCIP-008-1008 1 to reqrequireire each responsibleentity to contact appropriate government authorities andindustry participants in the event of a cyber securityincident as soon as possible, but, in any event, within onehour of the event,event even if it is a preliminary reportreport.”Cyber Security - Incident Reporting and Response Planning: Retired R1.3which contained provisions for reporting Cyber Security Incidents. This isnow addressed in EOP-004-2, Requirement 1, Part 1.3 and Attachment 1August 24, 2011CSO706 SDT Webinar34

CIP--008CIP008--5 Addressing FERC DirectivesFERCOrder 706Para. 676“the Commission directs the ERO to modify CIP-008-1t requiretoi a responsibleibl entitytit tto, att a minimum,i inotifytifthe ESISAC and appropriate government authorities ofa cyber security incident as soon as possible, but, inany event, within one hour of the event, even if it is apreliminaryli ireport.”t ”– Cyber Security - Incident Reporting and Response Planning: Retired R1.3provisions for reportingpg CyberySecurityy Incidents. This iswhich contains paddressed in EOP-004-2, Requirement 1, Part 1.3.August 24, 2011CSO706 SDT Webinar35

CIP--008CIP008--5 Addressing FERC DirectivesFERCOrder 706Para.a a 686“The Commission adopts the CIP NOPR proposal to direct the ERO tomodify CIPCIP-008-1,008 1 Requirement R2 to require responsible entities tomaintain documentation of paper drills, full operational drills, andresponses to actual incidents, all of which must include lessonslearned.The Commission further directs the ERO to include language inCIP-008-1 to require revisions to the incident response plan to addressththesellessonsllearned.”d ”R3.3 and R3.4 Includes additional specification on update of response planAddresses FERC Requirement (686) to modify on lessons learned andaspects of the DHS ControlsAugust 24, 2011CSO706 SDT Webinar36

CIP--009CIP009--5 Summary of Modifications Added requirement to implement the responseplan Verification of backup media information prior tostorage PreservationPti off datad t forf analysisl iAugust 24, 2011CSO706 SDT Webinar37

CIP--009CIP009--5 Addressing FERC DirectivesFERCOrder 706Para.a a 69694“For the reasons discussed in the CIP NOPR, the Commission adoptsthe proposal to direct the ERO to modify CIPCIP-009-1009 1 to include a specificrequirement to implement a recovery plan.We further adopt theproposal to enforce this Reliability Standard such that, if an entity hasthe required recovery plan but does not implement it when theanticipated event or conditions occur, the entity will not be incomplianceliwithith thisthi ReliabilityR li bilit StStandard”d d”Added specific R1 requirement to implement recovery planAugust 24, 2011CSO706 SDT Webinar38

CIP--009CIP009--5 Addressing FERC DirectivesFERCOrder 706Para.a a 73939“The Commission adopts the CIP NOPR proposal to direct the ERO tomodify CIP- 009-1 to incorporate guidance that the backup andrestoration processes and procedures required by Requirement R4should include, at least with regard to significant changes made to theoperational control system, verification that they are operational beforeth backupstheb kare storedt d or reliedli d upon ffor recovery purposes.””R1.5 Added requirements related to restoration processes based on review ofthe DHS ControlsAugust 24, 2011CSO706 SDT Webinar39

CIP--009CIP009--5 Addressing FERC DirectivesFERCOrder 706Para. 748“The Commission adopts the CIP NOPR proposal to directthe ERO to modify CIP-009-1 to provide direction thatb k practicesbackuptiincludei l d regularl proceduresdtto ensureverification that backups are successful and backupfailures are addressed, so that backups are available forfuture use.”R1.5 : Processes for the restoration of BES Cyber Systems to the mostcurrentt baselinebli configurationfitiAugust 24, 2011CSO706 SDT Webinar40

CIP--009CIP009--5 Addressing FERC DirectivesFERCOrder 706Para. 706“Preserve data for analysis”CIP-009-5 1.6Requires process to preserve data for analysisAugust 24, 2011CSO706 SDT Webinar41

CIP--010CIP010--5 Requirements Summary The SDT proposes the development of a newStandard CIP-010-5 that consolidates allreferences to Configuration ChangeManagement and Vulnerability Assessments. Previously these requirements were dispersedthroughout CIP-003-4, CIP-005-4, and CIP-007-4August 24, 2011CSO706 SDT Webinar42

CIP--010CIP010--5 Requirements Summary The SDT has made changes the VulnerabilityAssessment requirements to: Consolidate the previous requirements in CIP-005-4CIP 005 4and CIP-007-4 into a single requirement Make pprovisions for differences between ControlCenters and field assets Respond to FERC Order 706 regarding theperformance of “active vulnerability assessments”August 24, 2011CSO706 SDT Webinar43

CIP--010CIP010--5 Addressing FERC DirectivesFERCOrder 706Para.a a 39397“The Commission directs the ERO to develop modificationsto RequirementReq irement R6 of CIPCIP-003-1003 1 to providepro ide an eexpresspressacknowledgment of the need for the change control andconfiguration management process to consider accidentalconsequences and malicious actions along with intentionalchanges ”changes. The SDT proposes the introduction of a defined baseline configurationand an explicit requirement for monitoring for changes to the baselineconfigurationgin Highg ImpactpControl Centers in order to capturepmalicious changes to a BES Cyber System. Additionally, the SDT proposes that changes to High Impact ControlCenters be tested in a test environment prior to their implementation inthe production environment to aid in identifying any accidentalconsequences of the change.August 24, 2011CSO706 SDT Webinar44

CIP--010CIP010--5 Addressing FERC DirectivesFERC Order706 Para. 609FERC Order706 Para. 610FERC Order706 Para. 611“WeWe therefore direct the ERO to develop requirements addressing what constitutes a“representative system” and to modify CIP-007-1 accordingly. The Commission directsthe ERO to consider providing further guidance on testing systems in a referencedocument.”“we direct the ERO to revise the Reliability Standard to require each responsible entity todocument differences between testing and production environments in a mannerconsistent with the discussion above.”“the Commission cautions that certain changes to a production or test environment mightmake the differences between the two greater and directs the ERO to take this intoaccount when developing guidance on when to require updated documentation to ensurethat there are no significant gaps between what is tested and what is in production.” The SDT proposes to require a “representative system” or test system for those High Impact ControlCenters to use for the purposes of testing proposed changes and performing active vulnerabilityassessments. The SDT proposes using the defined baseline configuration of a BES Cyber System for the measuringstick as to whether a test system is truly representative of the production system. To account for any additional differences between the two systems, the SDT proposes using the wordsdirectly from FERC Order 706 “Document the differences between the test environment and theproductionpoduc o eenvironmento e includingc ud g a descdescriptionp o oof thee measureseasu es used too accouaccount foro aanyyddifferencese e ces inoperation between the test and production environments.”August 24, 2011CSO706 SDT Webinar45

CIP--010CIP010--5 Addressing FERC DirectivesFERC Order706 Para. 541“we adopt the ERO’s proposal to provide for active vulnerabilityassessments rather than full live vulnerability assessments.”FERC Order706. Para 542“the Commission adopts the ERO’s recommendation of requiring activevulnerability assessments of test systems.”FERC Order706 Para. 547“we direct the ERO to modify Requirement R4 to require theserepresentativepactive vulnerabilityy assessments at least once everyythree years, with subsequent annual paper assessments in theintervening years” The SDT has added requirements for an “active vulnerability”assessment to occur at least once everyy three yyears for Highg ImpactpControl Centers using a test system so as to prevent unforeseenimpacts on the Bulk Electric System.August 24, 2011CSO706 SDT Webinar46

CIP--010CIP010--5 Addressing FERC DirectivesFERC OrderOd706 Para. 544FERC Order706 Para. 544“thethe Commission directs the ERO to revise the Reliability Standardso that annual vulnerability assessments are sufficient, unless asignificant change is made to the electronic security perimeter ordefense in depth measure, rather than with every modification.”“we are directing the ERO to determine, through the ReliabilityStandards development process, what would constitute amodification that would require an active vulnerability assessment” The SDT has proposed that prior to adding a newcyber asset into a BES Cyber System, that thenew cyber asset undergo an active vulnerabilityassessment. An exception is made for specified exceptionalcircumstances such as an emergency.August 24, 2011CSO706 SDT Webinar47

CIP--011CIP011--5 Requirements Summary The SDT proposes the development of a newStandard CIP-011-5 that consolidates all referencesto Information Protection and Media Sanitization Previously these requirements were dispersed throughoutCIP-003-4 and CIP-007-4 The SDT has also moved the requirementsregarding the authorization and revocation of accessto BES Cyber System Information to CIP-004-5CIP-004-5,consolidating these requirements with those forelectronic and physical accessAugust 24, 2011CSO706 SDT Webinar48

CIP--011CIP011--5 Requirements Summary The SDT has introduced a definition of aglossary term “BES Cyber System Information”which defines what needs to be protected Previously, this list was a requirement itselfAugust 24, 2011CSO706 SDT Webinar49

CIP--011CIP011--5 Summary The SDT has shifted the focus of therequirements for media sanitization from theCyber Asset to the information itself In version 4, these requirements are invoked whenthe Critical Cyber Asset is to be disposed of orredeployedp y In version 5, the requirement is triggered when either: BES CyberySystemyInformation no longerg needs to be storedon specific media, or Media containing BES Cyber System Information isgfor disposalpdesignatedAugust 24, 2011CSO706 SDT Webinar50

CIP--011CIP011--5 Addressing FERC DirectivesFERC OrderOd706 Para. 633“The Commission adopts the CIP NOPR proposal todirect the EROO to clarifyf what it means to preventunauthorized retrieval of data from a cyber asset prior todiscarding it or redeploying it.”FERC Order706 Para 635“thethe Commission directs the ERO to revise RequirementR7 of CIP-007-1 to clarify, consistent with thisdiscussion, what it means to prevent unauthorizedretrieval of data.” The SDT has proposed that preventing unauthorizedretrieval of data means to “render the data unrecoverable.” The SDT understands that this mayy be too highg of a barand is continuing discussions in this area.August 24, 2011CSO706 SDT Webinar51

Implementation Plan Implementationppplan is in the veryy earlyypphases ofdevelopment Current concepts include staggered Effective Dates for: CIP-002-5 Organizational Requirements (CIP-003-5, CIP-008-5) Technical Requirements (CIP(CIP-005-5,005 5 CIPCIP-006-5,006 5 etcetc.)) Technical Requirements would be further staggered by: High Impact BES Cyber Systems Medium Impact BES Cyber SystemspCyberySystemsy Low ImpactAugust 24, 2011CSO706 SDT Webinar52

Implementation Plan Currently evaluating a single implementationplan that would include compliance timelines forfuture newly identified BES Cyber Systems andthose BES Cyber Systems that changecategories Eliminates the separate Implementation Plan forNewly Identified Critical Cyber Assets and NewlyRegistered Entities (IPFNICCANRE)August 24, 2011CSO706 SDT Webinar53

Schedule to Date – 2011SeptemberAugustJuly Meet with IndustryRepresentatives Prepare forNERC QualityReview Meet with FERCStaffJuly Walk-through ofGeneration andTransmissionEnvironmentsJune RegionalAudit StaffAugust 24, 2011CSO706 SDT Webinar54

Key Dates Moving Forward November 3rd, 2011 –First Posting for Comment and Ballot Webinars – November 15th and 29th, 2011 Ballot Opensp– December 9th, 2011 Ballot Closing – December 19th, 2011August 24, 2011CSO706 SDT Webinar55

Questions?Points of Contact:Philip Huff – philip.huff@aecc.comDoug Johnson – douglas.johnson@comed.comDavid Revill – david.revill@gatrans.comSlides and Recording of Webinar will be Posted(on NERC Website)

V5 Use of MVA bright-line under consideration August 24, 2011 CSO706 SDT Webinar 14. CIPCIP--003003--5 Summary of Modifications (1/2)5 Summary of Modifications (1/2) . from CIP-003-4, CIP-004-4, CIP-006-4 and CIP-007-4 Allow quarterly and annual reviews to find and fix problems rather than self-report everything as a violation