CIP-008-6 — Cyber Security — Incident Reporting and Response Planning - NERC

Transcription

CIP-008-6 — Cyber Security — Incident Reporting and Response Planning

A. Introduction

1. Title: Cyber Security — Incident Reporting and Response Planning

2. Number: CIP-008-6

3. Purpose: To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.

4. Applicability:

  4.1. Functional Entities: For the purpose of the requirements contained herein, the following list of functional entities will be collectively referred to as “Responsible Entities.” For requirements in this standard where a specific functional entity or subset of functional entities are the applicable entity or entities, the functional entity or entities are specified explicitly.

    4.1.1 Balancing Authority

    4.1.2 Distribution Provider that owns one or more of the following Facilities, systems, and equipment for the protection or restoration of the BES:

      4.1.2.1 Each underfrequency Load shedding (UFLS) or undervoltage Load shedding (UVLS) system that:

        4.1.2.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and

        4.1.2.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.

      4.1.2.2 Each Remedial Action Scheme where the Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.

      4.1.2.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.

      4.1.2.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

    4.1.3 Generator Operator

    4.1.4 Generator Owner

    4.1.5 Reliability Coordinator

Page 1 of 24

    4.1.6 Transmission Operator

    4.1.7 Transmission Owner

  4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.

    4.2.1 Distribution Provider: One or more of the following Facilities, systems and equipment owned by the Distribution Provider for the protection or restoration of the BES:

      4.2.1.1 Each UFLS or UVLS System that:

        4.2.1.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and

        4.2.1.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.

      4.2.1.2 Each Remedial Action Scheme where the Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.

      4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.

      4.2.1.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

    4.2.2 Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.

    4.2.3 Exemptions: The following are exempt from Standard CIP-008-6:

      4.2.3.1 Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.

      4.2.3.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.

      4.2.3.3 The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.

      4.2.3.4 For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.

      4.2.3.5 Responsible Entities that identify that they have no BES Cyber Systems categorized as high impact or medium impact according to the CIP-002 identification and categorization processes.

5. Effective Dates: See Implementation Plan for CIP-008-6.

6. Background:

Standard CIP-008 exists as part of a suite of CIP Standards related to cyber security. CIP-002 requires the initial identification and categorization of BES Cyber Systems. CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009, CIP-010, and CIP-011 require a minimum level of organizational, operational, and procedural controls to mitigate risk to BES Cyber Systems.

Most requirements open with, “Each Responsible Entity shall implement one or more documented [processes, plan, etc.] that include the applicable items in [Table Reference].” The referenced table requires the applicable items in the procedures for the requirement’s common subject matter.

The term documented processes refers to a set of required instructions specific to the Responsible Entity and to achieve a specific outcome. This term does not imply any particular naming or approval structure beyond what is stated in the requirements. An entity should include as much as it believes necessary in its documented processes, but must address the applicable requirements in the table.

The terms program and plan are sometimes used in place of documented processes where it is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.

Similarly, the term program may refer to the organization’s overall implementation of its policies, plans and procedures involving a particular subject matter. Examples in the standards include the personnel risk assessment program and the personnel training program. The full implementation of the CIP Cyber Security Standards could also be referred to as a program. However, the terms program and plan do not imply any additional requirements beyond what is stated in the standards.

Responsible Entities can implement common controls that meet requirements for multiple high and medium impact BES Cyber Systems. For example, a single training program could meet the requirements for training personnel across multiple BES Cyber Systems.

Measures for the initial requirement are simply the documented processes themselves. Measures in the table rows provide examples of evidence to show documentation and implementation of applicable items in the documented processes. These measures serve to provide guidance to entities in acceptable records of compliance and should not be viewed as an all-inclusive list.

Throughout the standards, unless otherwise stated, bulleted items in the requirements and measures are items that are linked with an “or,” and numbered items are items that are linked with an “and.”

Many references in the Applicability section use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS, which are last ditch efforts to save the Bulk Electric System. A review of UFLS tolerances defined within regional reliability standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances.

“Applicable Systems” Columns in Tables:

Each table has an “Applicable Systems” column to further define the scope of systems to which a specific requirement row applies. The CSO706 SDT adapted this concept from the National Institute of Standards and Technology (“NIST”) Risk Management Framework as a way of applying requirements more appropriately based on impact and connectivity characteristics. The following conventions are used in the “Applicable Systems” column as described.

• High Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as high impact according to the CIP-002 identification and categorization processes.

• Medium Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as medium impact according to the CIP-002 identification and categorization processes.

B. Requirements and Measures

R1. Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-6 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Planning].

M1. Evidence must include each of the documented plan(s) that collectively include each of the applicable requirement parts in CIP-008-6 Table R1 – Cyber Security Incident Response Plan Specifications.

CIP-008-6 Table R1 – Cyber Security Incident Response Plan Specifications

Part 1.1
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    One or more processes to identify, classify, and respond to Cyber Security Incidents.
  Measures:
    An example of evidence may include, but is not limited to, dated documentation of Cyber Security Incident response plan(s) that include the process(es) to identify, classify, and respond to Cyber Security Incidents.

Part 1.2
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    One or more processes:
    1.2.1 That include criteria to evaluate and define attempts to compromise;
    1.2.2 To determine if an identified Cyber Security Incident is:
      • A Reportable Cyber Security Incident; or
      • An attempt to compromise, as determined by applying the criteria from Part 1.2.1, one or more systems identified in the “Applicable Systems” column for this Part; and
    1.2.3 To provide notification per Requirement R4.
  Measures:
    Examples of evidence may include, but are not limited to, dated documentation of Cyber Security Incident response plan(s) that provide guidance or thresholds for determining which Cyber Security Incidents are also Reportable Cyber Security Incidents or a Cyber Security Incident that is determined to be an attempt to compromise a system identified in the “Applicable Systems” column including justification for attempt determination criteria and documented processes for notification.

Part 1.3
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    The roles and responsibilities of Cyber Security Incident response groups or individuals.
  Measures:
    An example of evidence may include, but is not limited to, dated Cyber Security Incident response process(es) or procedure(s) that define roles and responsibilities (e.g., monitoring, reporting, initiating, documenting, etc.) of Cyber Security Incident response groups or individuals.

Part 1.4
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    Incident handling procedures for Cyber Security Incidents.
  Measures:
    An example of evidence may include, but is not limited to, dated Cyber Security Incident response process(es) or procedure(s) that address incident handling (e.g., containment, eradication, recovery/incident resolution).

R2. Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-Time Operations].

M2. Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of the applicable requirement parts in CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

CIP-008-6 Table R2 – Cyber Security Incident Response Plan Implementation and Testing

Part 2.1
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:
      • By responding to an actual Reportable Cyber Security Incident;
      • With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
      • With an operational exercise of a Reportable Cyber Security Incident.
  Measures:
    Examples of evidence may include, but are not limited to, dated evidence of a lessons-learned report that includes a summary of the test or a compilation of notes, logs, and communication resulting from the test. Types of exercises may include discussion or operations based exercises.

Part 2.2
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident, responding to a Cyber Security Incident that attempted to compromise a system identified in the “Applicable Systems” column for this Part, or performing an exercise of a Reportable Cyber Security Incident. Document deviations from the plan(s) taken during the response to the incident or exercise.
  Measures:
    Examples of evidence may include, but are not limited to, incident reports, logs, and notes that were kept during the incident response process, and follow-up documentation that describes deviations taken from the plan during the incident response or exercise.

Part 2.3
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    Retain records related to Reportable Cyber Security Incidents and Cyber Security Incidents that attempted to compromise a system identified in the “Applicable Systems” column for this Part as per the Cyber Security Incident response plan(s) under Requirement R1.
  Measures:
    An example of evidence may include, but is not limited to, dated documentation, such as security logs, police reports, emails, response forms or checklists, forensic analysis results, restoration records, and post-incident review notes related to Reportable Cyber Security Incidents and a Cyber Security Incident that is determined to be an attempt to compromise a system identified in the “Applicable Systems” column.

R3. Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-6 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment].

M3. Evidence must include, but is not limited to, documentation that collectively demonstrates maintenance of each Cyber Security Incident response plan according to the applicable requirement parts in CIP-008-6 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.

CIP-008-6 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication

Part 3.1
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    No later than 90 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident response:
    3.1.1. Document any lessons learned or document the absence of any lessons learned;
    3.1.2. Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and
    3.1.3. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates to the Cyber Security Incident response plan based on any documented lessons learned.
  Measures:
    An example of evidence may include, but is not limited to, all of the following:
    1. Dated documentation of post incident(s) review meeting notes or follow-up report showing lessons learned associated with the Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident response or dated documentation stating there were no lessons learned;
    2. Dated and revised Cyber Security Incident response plan showing any changes based on the lessons learned; and
    3. Evidence of plan update distribution including, but not limited to:
      • Emails;
      • USPS or other mail service;
      • Electronic distribution system; or
      • Training sign-in sheets.

Part 3.2
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    No later than 60 calendar days after a change to the roles or responsibilities, Cyber Security Incident response groups or individuals, or technology that the Responsible Entity determines would impact the ability to execute the plan:
    3.2.1. Update the Cyber Security Incident response plan(s); and
    3.2.2. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates.
  Measures:
    An example of evidence may include, but is not limited to:
    1. Dated and revised Cyber Security Incident response plan with changes to the roles or responsibilities, responders or technology; and
    2. Evidence of plan update distribution including, but not limited to:
      • Emails;
      • USPS or other mail service;
      • Electronic distribution system; or
      • Training sign-in sheets.

R4. Each Responsible Entity shall notify the Electricity Information Sharing and Analysis Center (E-ISAC) and, if subject to the jurisdiction of the United States, the United States National Cybersecurity and Communications Integration Center (NCCIC),[1] or their successors, of a Reportable Cyber Security Incident and a Cyber Security Incident that was an attempt to compromise, as determined by applying the criteria from Requirement R1, Part 1.2.1, a system identified in the “Applicable Systems” column, unless prohibited by law, in accordance with each of the applicable requirement parts in CIP-008-6 Table R4 – Notifications and Reporting for Cyber Security Incidents. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment].

M4. Evidence must include, but is not limited to, documentation that collectively demonstrates notification of each determined Reportable Cyber Security Incident and a Cyber Security Incident that was an attempt to compromise a system identified in the “Applicable Systems” column according to the applicable requirement parts in CIP-008-6 Table R4 – Notifications and Reporting for Cyber Security Incidents.

CIP-008-6 Table R4 – Notifications and Reporting for Cyber Security Incidents

Part 4.1
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    Initial notifications and updates shall include the following attributes, at a minimum, to the extent known:
    4.1.1 The functional impact;
    4.1.2 The attack vector used; and
    4.1.3 The level of intrusion that was achieved or attempted.
  Measures:
    Examples of evidence may include, but are not limited to, dated documentation of initial notifications and updates to the E-ISAC and NCCIC.

[1] The National Cybersecurity and Communications Integration Center (NCCIC) is the successor organization of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In 2017, NCCIC realigned its organizational structure and integrated like functions previously performed independently by the ICS-CERT and the United States Computer Emergency Readiness Team (US-CERT).

Part 4.2
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    After the Responsible Entity’s determination made pursuant to documented process(es) in Requirement R1, Part 1.2, provide initial notification within the following timelines:
      • One hour after the determination of a Reportable Cyber Security Incident.
      • By the end of the next calendar day after determination that a Cyber Security Incident was an attempt to compromise a system identified in the “Applicable Systems” column for this Part.
  Measures:
    Examples of evidence may include, but are not limited to, dated documentation of notices to the E-ISAC and NCCIC.

Part 4.3
  Applicable Systems:
    High Impact BES Cyber Systems and their associated:
      • EACMS
    Medium Impact BES Cyber Systems and their associated:
      • EACMS
  Requirements:
    Provide updates, if any, within 7 calendar days of determination of new or changed attribute information required in Part 4.1.
  Measures:
    Examples of evidence may include, but are not limited to, dated documentation of submissions to the E-ISAC and NCCIC.

C. Compliance

1. Compliance Monitoring Process:

  1.1. Compliance Enforcement Authority:
  The Regional Entity shall serve as the Compliance Enforcement Authority (“CEA”) unless the applicable entity is owned, operated, or controlled by the Regional Entity. In such cases the ERO or a Regional Entity approved by FERC or other applicable governmental authority shall serve as the CEA.

  1.2. Evidence Retention:
  The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit.

  The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation:
    • Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years.
    • If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the time specified above, whichever is longer.
    • The CEA shall keep the last audit records and all requested and submitted subsequent audit records.

  1.3. Compliance Monitoring and Assessment Processes:
    • Compliance Audit
    • Self-Certification
    • Spot Checking
    • Compliance Investigation
    • Self-Reporting
    • Complaint

  1.4. Additional Compliance Information:
  None

2. Table of Compliance Elements

Violation Severity Levels (CIP-008-6)

R1
  Time Horizon: Long Term Planning
  VRF: Lower
  Lower VSL: N/A
  Moderate VSL: N/A
  High VSL:
    The Responsible Entity has developed the Cyber Security Incident response plan(s), but the plan does not include the roles and responsibilities of Cyber Security Incident response groups or individuals. (1.3)
    OR
    The Responsible Entity has developed the Cyber Security Incident response plan(s), but the plan does not include incident handling procedures for Cyber Security Incidents. (1.4)
    OR
    The Responsible Entity has developed a Cyber Security Incident response plan, but the plan does not include one or more processes to provide notification per Requirement R4. (1.2)
    OR
    The Responsible Entity has developed a Cyber Security Incident response plan, but the plan does not include one or more processes that include criteria to evaluate and define attempts to compromise.
  Severe VSL:
    The Responsible Entity has not developed a Cyber Security Incident response plan with one or more processes to identify, classify, and respond to Cyber Security Incidents. (1.1)
    OR
    The Responsible Entity has developed a Cyber Security Incident response plan, but the plan does not include one or more processes to identify Reportable Cyber Security Incidents or a Cyber Security Incident that was an attempt to compromise, as determined by applying the criteria from Part 1.2.1, a system identified in the “Applicable Systems” column for Part 1.2. (1.2)

R2
  Time Horizon: Operations Planning and Real-Time Operations
  VRF: Lower
  Lower VSL:
    The Responsible Entity has not tested the Cyber Security Incident response plan(s) within 15 calendar months, not exceeding 16 calendar months between tests of the plan(s). (2.1)
  Moderate VSL:
    The Responsible Entity has not tested the Cyber Security Incident response plan(s) within 16 calendar months, not exceeding 17 calendar months between tests of the plan(s). (2.1)
  High VSL:
    The Responsible Entity has not tested the Cyber Security Incident response plan(s) within 17 calendar months, not exceeding 18 calendar months between tests of the plan(s). (2.1)
    OR
    The Responsible Entity did not document deviations, if any, from the plan during a test or when a Reportable Cyber Security Incident or a Cyber Security Incident that was an attempt to compromise a system identified in the “Applicable Systems” column for Part 2.2 occurs. (2.2)
  Severe VSL:
    The Responsible Entity has not tested the Cyber Security Incident response plan(s) within 18 calendar months between tests of the plan(s). (2.1)
    OR
    The Responsible Entity did not retain relevant records related to Reportable Cyber Security Incidents or Cyber Security Incidents that were an attempt to compromise a system identified in the “Applicable Systems” column for Part 2.3. (2.3)

R3
  Time Horizon: Operations Assessment
  VRF: Lower
  Lower VSL:
    The Responsible Entity has not notified each person or group with a defined role in the Cyber Security Incident response plan of updates to the Cyber Security Incident response plan within greater than 90 but less than 120 calendar days of a test or actual incident response to a Reportable Cyber Security Incident. (3.1.3)
  Moderate VSL:
    The Responsible Entity has not updated the Cyber Security Incident response plan based on any documented lessons learned within 90 and less than 120 calendar days of a test or actual incident response to a Reportable Cyber Security Incident. (3.1.2)
    OR
    The Responsible Entity has not notified each person or group with a defined role in the Cyber Security Incident response plan of updates to the Cyber Security Incident response plan within 120 calendar days of a test or actual incident response to a Reportable Cyber Security Incident. (3.1.3)
    OR
    The Responsible Entity has not updated the Cyber Security Incident response plan(s) or notified each person or group with a defined role within 60 and less than 90 calendar days of any of the following changes that the responsible entity determines would impact the ability to execute the plan: (3.2)
      • Roles or responsibilities, or
      • Cyber Security Incident response groups or individuals, or
      • Technology changes.
  High VSL:
    The Responsible Entity has neither documented lessons learned nor documented the absence of any lessons learned within 90 and less than 120 calendar days of a test or actual incident response to a Reportable Cyber Security Incident. (3.1.1)
    OR
    The Responsible Entity has not updated the Cyber Security Incident response plan based on any documented lessons learned within 120 calendar days of a test or actual incident response to a Reportable Cyber Security Incident. (3.1.2)
  Severe VSL:
    The Responsible Entity has neither documented lessons learned nor documented the absence of any lessons learned within 120 calendar days of a test or actual incident response to a Reportable Cyber Security Incident. (3.1.1)
    OR
    The Responsible Entity has not updated the Cyber Security Incident response plan(s) or notified each person or group with a defined role within 90 calendar days of any of the following changes that the responsible entity determines would impact the ability to execute the plan: (3.2)
      • Roles or responsibilities, o

R4
  Time Horizon: Operations Assessment
  VRF: Lower
  Lower VSL:
    The Responsible Entity notified E-ISAC and NCCIC, or their successors, of a Cyber Security Incident that was an attempt to compromise a system identified in the “Applicable Systems” column for Part 4.2 but failed to notify or update E-ISAC or NCCIC, or their successors, within the
  Moderate VSL:
    The Responsible Entity failed to notify E-ISAC or NCCIC, or their successors, of a Cyber Security Incident that was an attempt to compromise, as determined by applying the criteria from Requirement R1, Part 1.2.1, a system identified in the “Applicable Systems” column. (R4)
