I found the details for the new security standards for the power industry. Below are the 8 new standards that are effective June 1st, 2006. Please see the Implementation Plan for the complete list of dates for compliance with the requirements. NERC will be holding Cyber Security Standard Workshops throughout North America for the next few months. Check the PDF announcement for details on when one will be held in your city.
Click the links below for the actual text of each standard.
- CIP-002-1: Critical Cyber Asset Identification
- Risk-based asset classification. A required first step, since you need to know which assets are Critical Cyber Assets before you can tell where the other requirements apply
- CIP-003-1: Security Management Controls
- People and Policy, gotta catch them all
- CIP-004-1: Personnel & Training
- Awareness program, training, personnel background checks, and access lists
- CIP-005-1: Electronic Security Perimeter(s)
- “identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter”
- CIP-006-1: Physical Security of Critical Cyber Assets
- Monitor and log physical access
- CIP-007-1: Systems Security Management
- Methods, processes, and procedures for securing the systems inside the perimeter
- CIP-008-1: Incident Reporting and Response Planning
- “identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets”
- CIP-009-1: Recovery Plans for Critical Cyber Assets
- BCP and DR, i.e. business continuity and disaster recovery planning for the Critical Cyber Assets
I really like the layout of this standard. It not only lists the requirements, but the measures (what the auditor expects to see), the auditing schedule, data retention, and levels of non-compliance. It's not an all-or-nothing game with this one; you have well-defined levels of non-compliance. Both CIP-005 and CIP-007 look very interesting, so I dove in. These are just the high-level requirements (CIP-005 first, then CIP-007); check the PDF for all the details.
CIP-005-1: Electronic Security Perimeter(s)
R1. Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
R2. Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
R3. Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
R4. Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.
R5. Documentation Review and Maintenance — The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005.
CIP-007-1: Systems Security Management
R1. Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls.
R2. Ports and Services — The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
R3. Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003 Requirement R6, shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
R4. Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
R5. Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
R6. Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
R7. Disposal or Redeployment — The Responsible Entity shall establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005.
R8. Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually.
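Of all the requirements above, CIP-007 R2 (Ports and Services) is the one that reduces most directly to something you can check mechanically: compare what is actually listening on each Cyber Asset against the documented list of ports and services required for normal and emergency operations, and treat everything else as a finding. Here is an added example of that check, my own code rather than anything from NERC or the standard. It parses the output of `ss -tulnp` on a Linux host (the sample output below is constructed, not captured from a real asset) and compares it against a hypothetical documented baseline. The host address, process names, ports and justifications are all assumptions made up for the example.

```python
"""
Ports-and-services baseline check, in the spirit of CIP-007-1 R2.

Added example, not part of the original post and not NERC material.
Parses `ss -tulnp` output (the sample below is constructed) and compares
what is listening against a documented baseline of ports and services
required for normal and emergency operations. Anything else is a finding.
"""
import re
from typing import NamedTuple

# Constructed sample of `ss -tulnp` from a hypothetical host inside the ESP.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      100    10.20.1.15:502      0.0.0.0:*         users:(("python3",pid=1201,fd=5))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1330,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=701,fd=7))
"""

# Hypothetical documented baseline: (protocol, port) -> (expected process, justification).
# This list, and the process for maintaining it, is the evidence R2 asks for.
BASELINE = {
    ("tcp", 22):  ("sshd",    "remote administration from the jump host only"),
    ("tcp", 502): ("modbusd", "Modbus/TCP polling by the SCADA master"),
    ("udp", 161): ("snmpd",   "read-only health polling from the NMS"),
}

class Listener(NamedTuple):
    proto: str     # "tcp" or "udp"
    addr: str      # bound address exactly as ss prints it
    port: int
    process: str   # "" when ss could not show it (the -p column needs root)

class Finding(NamedTuple):
    kind: str      # UNAUTHORIZED, MISMATCH or MISSING
    proto: str
    port: int
    process: str
    note: str

_PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name in users:(("name",pid=...))

def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` text into Listener records; the header line is skipped."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 forms such as "[::]:22" intact.
        addr, _, port = local.rpartition(":")
        m = _PROC_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else ""))
    return listeners

def audit(listeners: list[Listener], baseline: dict) -> list[Finding]:
    """Compare observed listeners with the documented baseline.

    UNAUTHORIZED: listening but not documented as required. Loopback binds are
                  reported too: R2 is about what is enabled, not what is reachable.
    MISMATCH:     documented port, but served by a different process than documented.
    MISSING:      documented as required, but nothing is listening. Either an
                  outage or a stale baseline; both need attention.
    """
    findings = []
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key not in baseline:
            findings.append(Finding("UNAUTHORIZED", l.proto, l.port, l.process,
                                    f"bound on {l.addr}, not in baseline"))
        elif l.process and l.process != baseline[key][0]:
            findings.append(Finding("MISMATCH", l.proto, l.port, l.process,
                                    f"baseline expects {baseline[key][0]}"))
    for (proto, port), (proc, why) in baseline.items():
        if (proto, port) not in seen:
            findings.append(Finding("MISSING", proto, port, proc, why))
    return findings

def run_sample() -> list[Finding]:
    """Audit the constructed sample against the hypothetical baseline."""
    return audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:<12} {f.proto}/{f.port:<5} {f.process or '?':<10} {f.note}")
```

On a real asset, feed it live `ss -tulnp` output taken as root (otherwise the process column is empty and the MISMATCH check cannot fire), and keep the baseline under version control next to the R2 process documentation. The MISSING case is deliberately kept: a service that should be up but is not is either an outage or a baseline that was never updated after a change, and the configuration management process that CIP-007 R3 points to in CIP-003 R6 is where that update belongs.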
Looks fun! Another security regulation to comply with… Can you Digg it?