Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.
The NERC CIP standard is evolving, thank goodness.
Perhaps you haven’t noticed the innocuous-sounding proposed new standard now in the creation process.
To me it looks like the heavyweight in a list of otherwise fairly general standards. It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.
In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:
- CIP 001-1 Sabotage Detection
- CIP 002-1 Critical Cyber Asset Identification
- CIP 003-1 Security Management Controls
- CIP 004-1 Personnel and Training
- CIP 005-1 Electronic Security Perimeter(s)
- CIP 006-1 Physical Security of Critical Cyber Assets
- CIP 007-1 Systems Security Management
- CIP 008-1 Incident Reporting and Response Planning
- CIP 009-1 Recovery Plans for Critical Cyber Assets
- CIP 010-1 BES Cyber System Categorization (in draft)
- CIP 011-1 BES Cyber System Protection (in draft)
What’s Different about CIP 011-1
NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict the other CIP standards; instead they are drill-downs that complement them.
In my opinion the 011-1 control points resemble the NIST security controls defined in the document Recommended Security Controls for Federal Information Systems and Organizations.
The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit, but I think they specify critical requirements for hardening our electrical grid.
- CIP-011-1 Table R3 – Cyber Security Training
- CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
- CIP-011-1 Table R6 – Physical Access Control Systems
- CIP-011-1 Table R7 – Account Management Specifications
- CIP-011-1 Table R8 – Account Management Implementation
- CIP-011-1 Table R9 – Access Revocation
- CIP-011-1 Table R10 – Account Access Control Specifications
- CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
- CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
- CIP-011-1 Table R13 – Remote Access Revocation
- CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
- CIP-011-1 Table R15 – Malicious Code
- CIP-011-1 Table R16 – Security Patch Management
- CIP-011-1 Table R17 – System Hardening
- CIP-011-1 Table R18 – Security Event Monitoring
- CIP-011-1 Table R19 – Communications and Data Integrity
- CIP-011-1 Table R20 – Electronic Boundary Protection
- CIP-011-1 Table R21 – System Boundary Protection
- CIP-011-1 Table R22 – Protective Cyber Systems
- CIP-011-1 Table R23 – Configuration Change Management
- CIP-011-1 Table R24 – Information Protection
- CIP-011-1 Table R25 – Media Sanitization
- CIP-011-1 Table R26 – Maintenance
- CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
- CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
- CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
- CIP-011-1 Table R30 – Recovery Plan Specifications
- CIP-011-1 Table R31 – Recovery Plan Testing Specifications
- CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications
Wouldn’t it knock us all out if we find out critically important NIST standards are finally implemented by the custodians of our electrical grid?
Have a secure week.
Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) www.ere-security.ca