Do You Know About Heavyweight NERC CIP 011-1?

Sunday, March 13, 2011

Ron Lepofsky


Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness.

Perhaps you haven’t noticed the innocuous-sounding proposed new standard now in the creation process.

To me it looks like the heavyweight in the list of otherwise fairly general standards. It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

  • CIP 001-1 Sabotage Detection
  • CIP 002-1 Critical Cyber Asset Identification
  • CIP 003-1 Security Management Controls
  • CIP 004-1 Personnel and Training
  • CIP 005-1 Electronic Security Perimeter(s)
  • CIP 006-1 Physical Security of Critical Cyber Assets
  • CIP 007-1 Systems Security Management
  • CIP 008-1 Incident Reporting and Response Planning
  • CIP 009-1 Recovery Plans for Critical Cyber Assets
  • CIP 010-1 BES Cyber System Categorization (in draft)
  • CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict other CIP standards but instead are drilldowns and complementary to them.

In my opinion 011-1 control points resemble NIST security control points defined in the document: Recommended Security Controls for Federal Information Systems and Organizations.

The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit but I think they are specifying critical requirements to harden our electrical security grid.

  • CIP-011-1 Table R3 – Cyber Security Training
  • CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
  • CIP-011-1 Table R6 – Physical Access Control Systems
  • CIP-011-1 Table R7 – Account Management Specifications
  • CIP-011-1 Table R8 – Account Management Implementation
  • CIP-011-1 Table R9 – Access Revocation
  • CIP-011-1 Table R10 – Account Access Control Specifications
  • CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
  • CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
  • CIP-011-1 Table R13 – Remote Access Revocation
  • CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
  • CIP-011-1 Table R15 – Malicious Code
  • CIP-011-1 Table R16 – Security Patch Management
  • CIP-011-1 Table R17 – System Hardening
  • CIP-011-1 Table R18 – Security Event Monitoring
  • CIP-011-1 Table R19 – Communications and Data Integrity
  • CIP-011-1 Table R20 – Electronic Boundary Protection
  • CIP-011-1 Table R21 – System Boundary Protection
  • CIP-011-1 Table R22 – Protective Cyber Systems
  • CIP-011-1 Table R23 – Configuration Change Management
  • CIP-011-1 Table R24 – Information Protection
  • CIP-011-1 Table R25 – Media Sanitization
  • CIP-011-1 Table R26 – Maintenance
  • CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
  • CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
  • CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
  • CIP-011-1 Table R30 – Recovery Plan Specifications
  • CIP-011-1 Table R31 – Recovery Plan Testing Specifications
  • CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out if we find out critically important NIST standards are finally implemented by the custodians of our electrical grid?

Have a secure week.

Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) www.ere-security.ca

Tom Alrich The CIP-011 you're referring to, along with the accompanying CIP-010, was actually an early version of what is now called CIP Version 5, which is currently being worked on by the NERC CSO706 (CIP) Standards Drafting Team. It was discussed at an industry meeting last May, and posted for comment afterwards.

But it was always meant as a replacement for CIP-002 through -009, not a supplement. It resembles NIST 800-53 to some degree, because the SDT was following FERC's directive in Order 706 to follow the NIST standard as much as possible.

However, I wouldn't spend too much time on that version, since the SDT has substantially revamped it. Between when it was posted and now, the SDT developed CIP Version 4, which is now awaiting FERC approval. Version 4 incorporates - with a number of changes - the 'bright-line' criteria that were listed in the original CIP-010 last year; these will be incorporated in Version 5 as well.

Version 5 will most likely be called CIP-002 through -009 Version 5, not CIP-010 and -011 Version 1, so I believe the -010 and -011 nomenclature will never see the light of day.

Ron Lepofsky Tom: Thank you so much for the clarification. I've been phoning all over NERC to try and get some clarification on timing. I'm going to contact NERC again with your info and see if there is a public forum in which they have published this info.

Tx again and regards, Ron L