rapid7 nerc-cip compliance guide

North American Electric Reliability Corporation (NERC) Compliance Guide August 2012

Upload: rapid7

Post on 12-May-2015


DESCRIPTION

The North American Electric Reliability Corporation (NERC) introduced Critical Infrastructure Protections (CIPs) as mandatory cyber security regulations, intended to protect the bulk electric grid. This compliance guide, updated according to NERC CIP version 4 (applicable as of June 25, 2012), provides an overview of the compliance requirements as well as steps to achieve NERC compliance. To download a free Nexpose demo, click here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp To download a free Metasploit demo, click here: http://www.rapid7.com/products/metasploit/download.jsp

TRANSCRIPT

Page 1: Rapid7 NERC-CIP Compliance Guide

North American Electric Reliability Corporation (NERC)

Compliance Guide

August 2012


Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com

What is NERC?

The North American Electric Reliability Corporation (NERC) is a not-for-profit corporation whose mission is to improve the reliability of the critical systems that create and transport electricity around the continent. In NERC’s jargon, these critical systems are called “bulk power systems.”

What does reliability really mean? Reliability = Adequacy + Security

Adequacy: Adequacy means having sufficient resources to provide customers with a continuous supply of electricity at the proper voltage and frequency, virtually all of the time. In this case, “resources” refers to a combination of electricity generation and transmission facilities, which produce and deliver electricity. Maintaining adequacy requires system operators and planners to take into account both scheduled and reasonably expected unscheduled outages of equipment, while maintaining a constant balance between supply and demand.

Security: Security is perceived as the ability of the bulk power system to:

• Withstand sudden, unexpected disturbances, such as short circuits or unanticipated loss of system elements due to natural causes.

• Withstand disturbances caused by man-made physical or cyber attacks.

The bulk power system must be planned, designed, built and operated in a manner that takes into account modern threats and more traditional risks to security.

Who must be NERC compliant?

All bulk power system owners, operators, and users must comply with approved NERC reliability standards. These entities are required to register with NERC through the appropriate regional entity.

The process for registration is described in the NERC Rules of Procedure, Section 500 and Appendix 5A.

The list of all organizations that are registered and therefore subject to compliance can be found on this page: Compliance Registry files (NRC). This list is updated monthly.

Who is responsible for NERC compliance?

NERC relies on eight regional entities to monitor the compliance of bulk power system owners, operators, and users within their regional boundaries with the NERC standards.

The members of the regional entities come from all segments of the electric industry: investor-owned utilities, federal power agencies, rural electric cooperatives, state, municipal and provincial utilities, independent power producers, power marketers, and end-use customers.

Compliance enforcement methods include regularly scheduled compliance audits, random spot checks, and specific investigations when warranted by indications that a standard may have been violated.


The NERC audit

The NERC and its related regions have primary responsibilities to:

• Develop an overall audit schedule

• Initiate the audit process for an entity

• Develop and deliver audit criteria and associated documentation to audited entities

• Identify the audit team members

• Coordinate audited entity questionnaires

• Publish the audit findings

Overview of the audit process

1. Entities being audited are informed at least sixty calendar days prior to the on-site audit through the receipt of a request for information and a questionnaire.

2. Entities have seven calendar days to provide the requested information, and must submit the completed questionnaire no later than thirty calendar days prior to the audit.

3. The audit team is tasked with reviewing an entity’s questionnaire responses and documentation, performing the on-site audit, and preparing a report of its findings.

4. The final audit report is posted on the NERC website within sixty calendar days of the completion of the audit.

5. Within forty-five calendar days of the date of audit report posting, the audited entities must supply a response plan to NERC addressing the report recommendations, including a timeline for implementation. This response plan will be published on the NERC website when submitted by the entity.

For detailed information about the audit process see: NERC Readiness Audit Procedure

What are the consequences of non-compliance?

Whenever a possible violation is discovered, a thorough review is conducted based on the following considerations:

• The underlying facts and circumstances

• The Reliability Standard at issue

• The potential and actual level of risk to reliability, including mitigating factors

• The registered entity’s compliance program

• The registered entity’s compliance history


Based on this examination, NERC could either issue:

• A formal “Notice of Penalty” (NOP) for alleged violations that constitute a High or Medium risk.

• A formal notice of “Find, Fix, Track and Report” (FFT) in case of alleged violations that constitute a minimal risk.

• A dismissal.

The details of the investigation are provided to the Federal Energy Regulatory Commission (FERC) in the U.S., or to the applicable governmental authorities in Canada. The information becomes publicly available on NERC’s website.

What is the NERC compliance framework?

There are 14 sets of reliability standards subject to enforcement:

1. Resource and Demand Balancing (BAL)

2. Communications (COM)

3. Critical Infrastructure Protection (CIP)

4. Emergency Preparedness and Operations (EOP)

5. Facilities Design, Connections, and Maintenance (FAC)

6. Interchange Scheduling and Coordination (INT)

7. Interconnection Reliability Operations and Coordination (IRO)

8. Modeling, Data, and Analysis (MOD)

9. Nuclear (NUC)

10. Personnel Performance, Training, and Qualifications (PER)

11. Protection and Control (PRC)

12. Transmission Operations (TOP)

13. Transmission Planning (TPL)

14. Voltage and Reactive (VAR)

In the context of Information Technology, and more specifically, in the context of cyber threats, “Critical Infrastructure Protection” (CIP) is the set of relevant standards.


The Critical Infrastructure Protection (CIP) Standards

This guideline is based on NERC CIP version 4, applicable as of June 25, 2012.

NERC-CIP consists of the following standards:

CIP-001 Sabotage Reporting

Requirements related to the communication of information concerning sabotage events to appropriate parties. Disturbances or unusual occurrences suspected or determined to be caused by sabotage shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.

CIP-002 Critical Cyber Asset Identification

Requirements related to the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the Bulk Electric System.

CIP-003 Security Management Controls

Requirements related to the minimal general security management controls that must be in place to protect critical cyber assets and associated information: Cyber Security Policy, Security Responsibilities, Information Protection, and Access Control to critical cyber asset information.

CIP-004 Personnel & Training

Requirements related to the security awareness program, security policies, procedures, training, and access management.

CIP-005 Electronic Security Perimeter(s)

Requirements related to the protection of access points to Electronic Security Perimeters: access controls, monitoring, vulnerability assessment, and documentation.

CIP-006 Physical Security of Critical Cyber Assets

Requirements related to the physical protection of cyber assets: physical access control, monitoring, logging physical access, log retention, maintenance and testing of physical controls.


CIP-007 Systems Security Management

Requirements related to testing procedures prior to production, ports and services usage, patch management, malicious software prevention, account management, system event monitoring, disposal or redeployment, vulnerability assessment, and documentation.

CIP-008 Incident Reporting and Response Planning

Requirements related to the identification, classification, response, and reporting of Cyber Security Incidents related to critical cyber assets: Incident response plans and documentation.

CIP-009 Recovery Plans for Critical Cyber Assets

Requirements related to business continuity, disaster recovery techniques, and practices associated with the cyber assets: Recovery Plans, Exercises, Change Control, Backup and Restore, Testing Backup Media.

How can organizations comply with NERC?

Each of the above standards includes:

• A description of the standard’s purpose

• The list of responsible entities to which the standard applies

• The list of associated requirements

• The list of measures to demonstrate compliance

• The associated compliance monitoring and enforcement process

• The associated data retention policy

• The associated Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) matrix (determination of risk factors and severity levels according to the identified gaps).

» Note: The VRF represents the pre-violation potential risk that a standard would pose to the bulk power system if it were violated. 

» A VSL is a post-violation measure of the severity of the violation. 

» The VSL and VRF are combined to help NERC establish base penalty ranges for particular violations.


How Rapid7 can help

Rapid7 has extensive experience partnering with energy and utility entities such as Sempra Energy, Pedernales Electric Company, and Southern Company to help them with the complex regulatory environment of the energy sector. Rapid7 provides full end-to-end security solutions and services for energy and utility entities to help them meet NERC-CIP requirements.

Rapid7 Nexpose is a security risk intelligence solution that proactively supports the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation.

In the context of the NERC-CIP, Nexpose helps registered entities to:

• Take inventory of their cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).

• Detect sensitive data on their critical cyber assets environment by allowing file searching, so that if Nexpose gains access to an asset’s file system in the scanning process, it can search for and retrieve files in that system.

• Take inventory of open ports and associated services by performing either manual or scheduled discovery scans.

• Configure asset scanning and reporting based on criteria such as device type, software type, operating system type, or geographic location.

• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).

• Automate the process for tracking types of operating systems and applications installed on each system, including information about versions and patch levels.

• Catalog all software (including any malicious software) by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).

• Detect the presence of unauthorized software within Electronic Security Perimeter(s) and notify designated organizational officials through alerts generated by an automated mechanism.

• Generate easy-to-use detailed reports with role-based access controls to allow organizations to share information easily.

• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed information access and management policies.

• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).

• Test the efficiency of access control systems and policies for critical cyber asset information.

• Test the external and internal boundary defenses of Electronic Security Perimeter(s).

• Test the external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter(s).

• Perform comprehensive unified vulnerability scanning of all the electronic access points to the Electronic Security Perimeter(s).

• Detect misconfigurations, and identify missing patches and malicious software.

• Perform on-going scheduled and ad-hoc scanning of Web applications.

• Provide an automated mechanism to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.

• Set up automated monitoring of access controls, including limited number of login attempts, password length requirements, allowable special characters, and other login ID access control policies.

• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patching levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.

• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).

• Get top-down visibility of the real risk to cyber assets and business operations, enabling them to organize and prioritize thousands of assets and quickly focus on the items that pose the greatest risk.

• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.

• Alert on policy violations or misconfigurations.

Rapid7 Metasploit is a penetration testing solution that helps enterprise vulnerability management programs to test how well their perimeter holds up against real world attacks.

In the context of the NERC-CIP, Metasploit helps registered entities to:

• Test the external and internal boundaries defenses of the Electronic Security Perimeter(s).

• Test the level of accessibility and exploitability of critical cyber assets.

• Test the efficiency of access control systems and policies within the Electronic Security Perimeter(s).

• Survey hosts for use of approved authentication measures.

• Audit password length/complexity and authentication methods.

• Enable internal Red Team staff to perform both scheduled and ad-hoc penetration testing of Electronic Security Perimeter(s).

• Determine the exploitability of identified vulnerabilities.

• Determine if a hacker could access and steal electronic protected information through Web applications.

• Support incident response by providing details on vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploits.

Rapid7 Consulting Services help registered entities to:

• Define and refine the scope of their Electronic Security Perimeter(s).

• Evaluate their security controls pertaining to:

   • Communication procedures

   • Cyber asset inventory

   • Cyber security policies

   • Leadership

   • Exception handling

   • Protection of critical information

   • Access controls and change management

   • Awareness and personnel training

   • Personnel risk management and physical access management

   • Protection of Electronic Security Perimeters

   • Physical protection of critical cyber assets

   • Testing procedures

   • Open ports and services management, patch management

   • Disposal

   • Cyber vulnerability assessments

   • Documentation

   • Incident response plans

• Identify gaps in their security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure cyber assets and sensitive information.

• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.


• Provide customizable security awareness training to users of their organizational information systems.

• Provide vulnerability management security training and certification to managers and users of organizational information systems requiring the knowledge and technical abilities to detect and validate vulnerabilities on the IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through remediation and control.

• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within their Electronic Security Perimeter(s).

• Audit their recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and private protection while operating in emergency mode.

• Assist them in writing documentation required by NERC-CIP.

Rapid7’s community, SecurityStreet, helps registered entities to:

• Stay up-to-date with the latest developments in the vulnerability management and information security areas.

Security Rule | Standards | Nexpose | Metasploit | Consulting Services

CIP-001 Sabotage Reporting

R1-R4 Communication procedures and guidelines

CIP-002 Critical Cyber Asset Identification

R1-Develop a list of its identified Critical Assets

R2-Critical Cyber Asset Identification

R3-Annual Approval

CIP-003 Security Management Controls

R1-Cyber Security Policy

R2-Leadership

R3-Exceptions

R4-Information Protection

R5-Access Control

CIP-004 Personnel & Training

R1-Awareness

R2-Training

R3-Personnel Risk Assessment

R4-Access

CIP-005 Electronic Security Perimeter(s)


R1-Electronic Security Perimeter

R2-Electronic Access Controls

R3-Monitoring Electronic Access

R4-Cyber Vulnerability Assessment

R5-Documentation Review and Maintenance

CIP-006 Physical Security of Critical Cyber Assets

R1-Physical Security Plan

R2-Protection of Physical Access Control Systems

R3-Protection of Electronic Access Control Systems

R4-Physical Access Controls

R5-Monitoring Physical Access

R6-Logging Physical Access

R7-Access Log Retention

R8-Maintenance and Testing

CIP-007 Systems Security Management

R1-Test Procedures

R2-Ports and Services

R3-Security Patch Management

R4-Malicious Software Prevention

R5-Account Management

R6-Security Status Monitoring

R7-Disposal or Redeployment

R8-Cyber Vulnerability Assessment

R9-Documentation Review and Maintenance

CIP-008 Incident Reporting and Response Planning

R1-Cyber Security Incident Response Plan

R2-Cyber Security Incident Documentation

CIP-009 Recovery Plans for Critical Cyber Assets

R1-Recovery Plans

R2-Exercises

R3-Change Control


Rapid7 Solution for NERC-CIP Compliance

This section goes into detail about the nine NERC-CIP Security Standards. Each standard is outlined by its title, version number, and associated requirements. It also addresses Violation Risk Factors (VRFs) and how Rapid7 Nexpose, Metasploit, and Consulting Services help with meeting compliance.

CIP-001 Sabotage Reporting

CIP-001-2a

Associated Requirements:

Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity shall:

Requirements (VRF = Violation Risk Factor: H = High, M = Medium, L = Lower)

R1 Have procedures for the recognition of and for making operating personnel aware of sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection. (VRF: -)

R2 Have procedures for the communication of information concerning sabotage events to appropriate parties in the Interconnection. (VRF: -)

R3 Provide its operating personnel with sabotage response guidelines, including information about which personnel should be contacted to report disturbances due to sabotage events. (VRF: -)

R4 Establish applicable communications contacts with local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials, and develop reporting procedures as appropriate to the circumstances. (VRF: -)

» Note: VRFs are undefined.

Use Rapid7 Consulting Services to:

• Evaluate your communication procedures and response guidelines, identify gaps, and provide guidance on developing missing procedures.


CIP-002 Critical Cyber Asset Identification

CIP-002-4a

Associated Requirements:

Requirements (VRF = Violation Risk Factor: H = High, M = Medium, L = Lower)

R1 The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall update this list as necessary, and review it at least annually. (VRF: H)

R2 Critical Cyber Asset Identification — Using the list of critical assets, the Responsible Entity shall develop a list of associated critical cyber assets essential to the operation of the critical assets. The Responsible Entity shall review this list at least annually, and update it as necessary. (VRF: H)

R3 Annual Approval — The senior manager or delegate(s) shall annually approve the list of critical assets and the list of critical cyber assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)’s approval of these lists (even if such lists are null). (VRF: L)

Use Rapid7 Nexpose to:

• Take inventory of your cyber asset systems, services, and installed applications using the latest fingerprinting technologies.

• Get top-down visibility of risk to your cyber assets and business operations, enabling you to organize and prioritize thousands of assets and quickly focus on the items that pose the greatest risk.

• Get a clear map of the Real Risk posed to your critical cyber assets by the identified vulnerabilities across your organization’s IT landscape.

Use Rapid7 Consulting Services to:

• Evaluate your security controls pertaining to the cyber asset inventory, and provide guidance on developing missing control policies and procedures.


CIP-003 Security Management Controls

CIP-003-4

Associated requirements:

Requirements (VRF = Violation Risk Factor: H = High, M = Medium, L = Lower)

R1 Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following: (VRF: M)

R1.1 The cyber security policy addresses the requirements in Standards CIP-002-4 through CIP-009-4, including provisions for emergency situations. (VRF: L)

R1.2 The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets. (VRF: L)

R1.3 Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2. (VRF: L)

R2 Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-4 through CIP-009-4. (VRF: L)

R2.1 The senior manager shall be identified by name, title, and date of designation. (VRF: L)

R2.2 Changes to the senior manager must be documented within thirty calendar days of the effective date. (VRF: L)

R2.3 Where allowed by Standards CIP-002-4 through CIP-009-4, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager. (VRF: L)

R2.4 The senior manager or delegate(s) shall authorize and document any exceptions from the requirements of the cyber security policy. (VRF: L)

R3 Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). (VRF: L)

R3.1 Exceptions to the Responsible Entity’s cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s). (VRF: L)


R3.2 Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures for the exception. (VRF: L)

R3.3 Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. (VRF: M)

R4 Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. (VRF: M)

R4.1 The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-4, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information. (VRF: M)

R4.1 The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the critical cyber asset information. (VRF: L)

R4.2 The Responsible Entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. (VRF: L)

R5 Access Control — The Responsible Entity shall document and implement a program for managing access to protected critical cyber asset information. (VRF: L)

R5.1 The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. (VRF: L)

   R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.

   R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.

R5.2 The Responsible Entity shall review, at least annually, the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities. (VRF: L)

R5.3 The Responsible Entity shall assess and document, at least annually, the processes for controlling access privileges to protected information. (VRF: L)

R6 Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software. They shall also implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of critical cyber assets pursuant to the change control process. (VRF: L)

Use Rapid7 Nexpose to:

• Detect sensitive data on your critical cyber assets environment by allowing file searching, so that if Nexpose gains access to an asset’s file system in the scanning process, it can search for and retrieve files in that system.

• Generate easy-to-use detailed reports combined with role-based access controls to allow organizations to share information easily.

• Audit users and groups on your critical cyber assets.

• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed your information access and management policies.

• Set up automated monitoring of access controls (including adherence to policies for role-based access) to validate enforcement of access restrictions.

• Test the efficiency of access control systems and policies for critical cyber asset information.

• Provide an automated mechanism to detect the presence of unauthorized software on critical cyber assets, and notify designated organizational officials through automated alerts.
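The annual access review that CIP-003-4 R5 asks for (an authorizer list verified at least annually under R5.1.2, access privileges reviewed at least annually under R5.2) and the terminated-account discovery in the bullets above come down to reconciling three records an entity already holds: the accounts present on its critical cyber assets, the HR roster, and the access-authorization records. The script below is an added example of that reconciliation; it is not Rapid7 or Nexpose code. The asset names, usernames, dates and the three "exports" are constructed sample data, and the 365-day window is this example's reading of "at least annually".

```python
"""Access-review reconciliation for CIP-003-4 R5 (added example, not Rapid7 code).

Three constructed exports stand in for data an entity already holds: the
accounts present on critical cyber assets, the HR roster with termination
dates, and the access-authorization records with their last review date.
The checks mirror R5.1.2 (authorizer list verified annually), R5.2 (access
privileges reviewed annually) and the terminated-account discovery that
feeds an access-management policy.
"""
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)  # one reading of "at least annually"

# Constructed sample data (hypothetical asset names and usernames) ----------
# Accounts enumerated on critical cyber assets: (asset, username)
ASSET_ACCOUNTS = [
    ("ems-hist-01", "jdoe"),
    ("ems-hist-01", "svc_backup"),   # service account, not in the HR roster
    ("scada-fep-02", "mlee"),
    ("scada-fep-02", "rkhan"),
]

# HR roster: username -> termination date, or None while still employed
HR_ROSTER = {
    "jdoe": None,
    "mlee": date(2012, 3, 15),
    "rkhan": None,
}

# Access authorizations for protected information:
# username -> (designated authorizer, date the privilege was last reviewed)
ACCESS_REVIEWS = {
    "jdoe": ("a.smith", date(2011, 6, 1)),
    "rkhan": ("a.smith", date(2012, 5, 20)),
    "svc_backup": ("b.jones", date(2012, 1, 10)),
}

# R5.1 list of designated authorizers: name -> date the entry was last verified
AUTHORIZERS = {
    "a.smith": date(2012, 7, 1),
    "b.jones": date(2011, 5, 30),
}


def terminated_but_active(asset_accounts, hr_roster, as_of):
    """Accounts still present on an asset although HR shows the owner terminated."""
    findings = []
    for asset, user in asset_accounts:
        term = hr_roster.get(user)
        if term is not None and term <= as_of:
            findings.append((asset, user, term.isoformat()))
    return findings


def unreviewed_access(access_reviews, asset_accounts, as_of, period=REVIEW_PERIOD):
    """Accounts with no authorization record, or a review older than `period` (R5.2)."""
    findings = []
    for asset, user in asset_accounts:
        rec = access_reviews.get(user)
        if rec is None:
            findings.append((asset, user, "no authorization record"))
        elif as_of - rec[1] > period:
            findings.append((asset, user, "last reviewed " + rec[1].isoformat()))
    return findings


def stale_authorizers(authorizers, as_of, period=REVIEW_PERIOD):
    """Authorizers whose R5.1 list entry was not verified within `period` (R5.1.2)."""
    return sorted(name for name, seen in authorizers.items() if as_of - seen > period)


def run_review(as_of_iso):
    """Run all three checks as of an ISO date and return the findings by check."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "terminated_active": terminated_but_active(ASSET_ACCOUNTS, HR_ROSTER, as_of),
        "unreviewed": unreviewed_access(ACCESS_REVIEWS, ASSET_ACCOUNTS, as_of),
        "stale_authorizers": stale_authorizers(AUTHORIZERS, as_of),
    }


if __name__ == "__main__":
    for check, items in run_review("2012-08-01").items():
        print(check)
        for item in items:
            print("   ", item)
```

Run as of 2012-08-01 on the sample data, the three checks surface one terminated user still present on an asset, one account whose privilege review is over a year old plus one with no authorization record at all, and one authorizer whose list entry has not been re-verified. In practice the three constants would be replaced by the scan inventory, HR export and authorization register, and the output kept with the dated review record that R5 expects.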

Use Rapid7 Consulting Services to:

• Evaluate your security controls pertaining to cyber security policies, leadership, exception handling, protection of critical information, access controls, and change management.

• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and sensitive information.

CIP-004 Personnel & Training (CIP-004-4)

Associated Requirements (VRF shown in parentheses after each requirement):

R1 Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel with authorized cyber or authorized unescorted physical access to critical cyber assets receive on-going reinforcement in sound security practices. (VRF: L)

R2 Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary. (VRF: L)

R2.1 This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained prior to being granted such access except in specified circumstances such as an emergency. (VRF: M)

R2.2 Training shall cover the policies, access controls, and procedures, as developed for the critical cyber assets covered by CIP-004-4, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities: (VRF: M)

R2.2.1 The proper use of critical cyber assets; (VRF: L)

R2.2.2 Physical and electronic access controls to critical cyber assets; (VRF: L)

R2.2.3 The proper handling of critical cyber asset information; and, (VRF: L)

R2.2.4 Action plans and procedures to recover or re-establish critical cyber assets and access following a Cyber Security Incident. (VRF: L)

R2.3 The Responsible Entity shall maintain documentation that training is conducted at least annually, including information such as the date training was completed, and attendance records. (VRF: L)

R3 Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements for personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. A personnel risk assessment shall be conducted pursuant to that program, prior to the personnel being granted such access, except in specified circumstances such as an emergency. (VRF: M)

R3.1 The Responsible Entity shall ensure that each assessment conducted at least includes identity verification (e.g., Social Security Number verification in the U.S.) and a seven-year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position. (VRF: L)

R3.2 The Responsible Entity shall update each personnel risk assessment for a specific cause and/or at least every seven years after the initial personnel risk assessment. (VRF: L)

R3.3 The Responsible Entity shall document the results of personnel risk assessments of its personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, and that the personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004-4. (VRF: L)

R4 Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets. (VRF: L)

R4.1 The Responsible Entity shall review the list(s) of its personnel who have such access to critical cyber assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained. (VRF: L)

R4.2 The Responsible Entity shall revoke such access to critical cyber assets within 24 hours for personnel terminated for cause, and within seven calendar days for personnel who no longer require such access to critical cyber assets. (VRF: M)
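A way to check an access list against the R4.1 and R4.2 deadlines, as an added example that is not code from the guide or from a Rapid7 product; the access list, the names in it, the review dates and the reading of "quarterly" as 90 days are constructed assumptions:

```python
"""Deadline checks for a CIP-004-4 R4 access list (added example, not from the guide).

Rules encoded from R4.1 and R4.2: revoke access within 24 hours for personnel
terminated for cause, within seven calendar days for personnel who no longer
require access, and review the whole list quarterly (assumed here as 90 days).
Every entry in ACCESS_LIST is constructed sample data.
"""
from datetime import datetime, timedelta

REVOKE_FOR_CAUSE = timedelta(hours=24)    # R4.2, terminated for cause
REVOKE_NOT_REQUIRED = timedelta(days=7)   # R4.2, access no longer required
QUARTERLY_REVIEW = timedelta(days=90)     # R4.1 "quarterly" (assumption: 90 days)

NOW = datetime(2012, 8, 3, 9, 0)          # constructed date of this review run
LAST_REVIEW = datetime(2012, 4, 2, 9, 0)  # constructed date of the last list review

# "event_time" is when the status changed; "revoked_at" is when the access
# rights were actually removed (None means the person still holds access).
ACCESS_LIST = [
    {"name": "alice", "rights": ["cyber:EMS", "physical:control-room"],
     "status": "active", "event_time": None, "revoked_at": None},
    {"name": "bob", "rights": ["cyber:EMS"], "status": "terminated_for_cause",
     "event_time": datetime(2012, 8, 1, 9, 0), "revoked_at": None},
    {"name": "carol", "rights": ["physical:substation-7"], "status": "no_longer_required",
     "event_time": datetime(2012, 7, 20, 9, 0), "revoked_at": datetime(2012, 7, 24, 9, 0)},
    {"name": "dave", "rights": ["cyber:historian"], "status": "no_longer_required",
     "event_time": datetime(2012, 7, 20, 9, 0), "revoked_at": None},
    {"name": "erin", "rights": ["cyber:EMS"], "status": "no_longer_required",
     "event_time": datetime(2012, 7, 1, 9, 0), "revoked_at": datetime(2012, 7, 15, 9, 0)},
]


def revocation_deadline(entry):
    """Return the R4.2 deadline for an entry whose access must go, else None."""
    if entry["status"] == "terminated_for_cause":
        return entry["event_time"] + REVOKE_FOR_CAUSE
    if entry["status"] == "no_longer_required":
        return entry["event_time"] + REVOKE_NOT_REQUIRED
    return None


def overdue_revocations(access_list, now):
    """(name, problem, deadline) for every entry that missed its R4.2 deadline.

    "not revoked": the deadline has passed and access is still in place.
    "revoked late": access was removed, but after the deadline; a past
    violation that still belongs in the compliance record.
    """
    findings = []
    for entry in access_list:
        deadline = revocation_deadline(entry)
        if deadline is None:
            continue
        revoked_at = entry["revoked_at"]
        if revoked_at is None:
            if now > deadline:
                findings.append((entry["name"], "not revoked", deadline))
        elif revoked_at > deadline:
            findings.append((entry["name"], "revoked late", deadline))
    return findings


def quarterly_review_overdue(last_review, now):
    """True when the list has not been reviewed within the R4.1 window."""
    return now - last_review > QUARTERLY_REVIEW


def current_access(access_list):
    """The list R4 asks for: everyone still holding access, with their rights."""
    return sorted((e["name"], e["rights"]) for e in access_list
                  if e["revoked_at"] is None)


if __name__ == "__main__":
    for name, problem, deadline in overdue_revocations(ACCESS_LIST, NOW):
        print(f"{name}: {problem} (R4.2 deadline was {deadline:%Y-%m-%d %H:%M})")
    print("quarterly review overdue:", quarterly_review_overdue(LAST_REVIEW, NOW))
    for name, rights in current_access(ACCESS_LIST):
        print(f"holds access: {name} {rights}")
```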

Use Rapid7 Consulting Services to:

• Provide customizable security awareness training to users of your organizational information systems.

• Provide vulnerability management security training and certification to managers and users of organizational information systems requiring knowledge and technical abilities to detect and validate vulnerabilities on the IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through remediation and control.

• Evaluate the security controls pertaining to awareness and personnel training, personnel risk management, and physical access management.

• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information.

• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.

CIP-005 Electronic Security Perimeter(s) (CIP-005-4a)

Associated Requirements (VRF shown in parentheses after each requirement):

R1 Electronic Security Perimeter — The Responsible Entity shall ensure that every critical cyber asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s). (VRF: M)

R1.1 Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end points (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s). (VRF: M)

R1.2 For a dial-up accessible critical cyber asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device. (VRF: M)

R1.3 Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s). (VRF: M)

R1.4 Any non-critical cyber asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005-4a. (VRF: M)

R1.5 Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4a Requirements R2 and R3; Standard CIP-006-4c Requirement R3; Standard CIP-007-4 Requirements R1 and R3 through R9; Standard CIP-008-4; and Standard CIP-009-4. (VRF: M)

R1.6 The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected critical and non-critical cyber assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points. (VRF: L)

R2 Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s). (VRF: M)

R2.1 These processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified. (VRF: M)

R2.2 At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring cyber assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services. (VRF: M)

R2.3 The Responsible Entity shall implement and maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s). (VRF: M)

R2.4 Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party where technically feasible. (VRF: M)

R2.5 The required documentation shall, at least, identify and describe: (VRF: L)

R2.5.1 The processes for access request and authorization.

R2.5.2 The authentication methods.

R2.5.3 The review process for authorization rights, in accordance with Standard CIP-004-4 Requirement R4.

R2.5.4 The controls used to secure dial-up accessible connections.

R2.6 Appropriate Use Banner — Where technically feasible, electronic access control devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner. (VRF: L)

R3 Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. (VRF: M)

R3.1 For dial-up accessible critical cyber assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring processes at each access point to the dial-up device where technically feasible. (VRF: M)

R3.2 Where technically feasible, the security monitoring processes shall detect and alert of attempts at accesses and/or actual unauthorized accesses. These alerts shall provide appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at accesses and/or actual unauthorized accesses at least every ninety calendar days. (VRF: M)

R4 Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following: (VRF: M)

R4.1 A document identifying the vulnerability assessment process; (VRF: L)

R4.2 A review to verify that only ports and services required for operations at these access points are enabled; (VRF: M)

R4.3 The discovery of all access points to the Electronic Security Perimeter; (VRF: M)

R4.4 A review of controls for default accounts, passwords, and network management community strings; (VRF: M)

R4.5 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (VRF: M)

R5 Documentation Review and Maintenance — The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005-4a. (VRF: L)

R5.1 The Responsible Entity shall ensure that all documentation required by Standard CIP-005-4a reflects current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-4a at least annually. (VRF: L)

R5.2 The Responsible Entity shall update the documentation to reflect modifications of the network or controls within ninety calendar days of the change. (VRF: L)

R5.3 The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4. (VRF: L)
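A deny-by-default review of the ports and services enabled on ESP access points, in the sense of R2.1, R2.2 and R4.2 above, as an added example that is not code from the guide or from a Rapid7 product; the device names, groups, documented services and scan results are constructed:

```python
"""Ports-and-services review for ESP access points (added example, not from the guide).

Encodes CIP-005-4a R2.1 (deny access by default), R2.2 (enable only the ports and
services required for operations and monitoring, documented individually or by
specified grouping) and R4.2 (verify that only those are enabled). Device names,
groups, documented services and the observed ports are constructed sample data.
"""

# Documented required ports/services. A group baseline applies to every device in
# that group; a device baseline adds ports documented for one device only.
GROUP_BASELINE = {
    "esp-firewalls": {(22, "tcp"): "ssh management from the monitoring network",
                      (443, "tcp"): "https administration"},
}
DEVICE_BASELINE = {
    "fw-substation-7": {(514, "udp"): "syslog export to the monitoring station"},
}
DEVICE_GROUP = {"fw-substation-7": "esp-firewalls", "fw-control-center": "esp-firewalls"}

# Constructed scan result: listening (port, protocol) pairs per access point.
OBSERVED = {
    "fw-substation-7": [(22, "tcp"), (443, "tcp"), (514, "udp"), (23, "tcp")],
    "fw-control-center": [(22, "tcp"), (161, "udp")],
}


def documented_ports(device, group_baseline=GROUP_BASELINE,
                     device_baseline=DEVICE_BASELINE, device_group=DEVICE_GROUP):
    """Merge the group and per-device documentation for one access point."""
    allowed = dict(group_baseline.get(device_group.get(device), {}))
    allowed.update(device_baseline.get(device, {}))
    return allowed


def undocumented_ports(observed=OBSERVED, **baselines):
    """Deny by default: every observed port without documentation is a finding."""
    findings = []
    for device, ports in sorted(observed.items()):
        allowed = documented_ports(device, **baselines)
        findings.extend((device, port) for port in ports if port not in allowed)
    return findings


def stale_documentation(observed=OBSERVED, **baselines):
    """Documented ports not seen on the device. Either the documentation no
    longer reflects the current configuration (R5.1) or a required service
    is down; both need a follow-up."""
    stale = []
    for device, ports in sorted(observed.items()):
        for port, purpose in documented_ports(device, **baselines).items():
            if port not in ports:
                stale.append((device, port, purpose))
    return stale


if __name__ == "__main__":
    for device, (port, proto) in undocumented_ports():
        print(f"FINDING {device}: {port}/{proto} enabled but not documented (R2.2)")
    for device, (port, proto), purpose in stale_documentation():
        print(f"CHECK   {device}: {port}/{proto} documented as '{purpose}' but not observed")
```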

Use Rapid7 Nexpose to:

• Take inventory of your cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).

• Detect the presence of unauthorized software within Electronic Security Perimeter(s) and notify designated organizational officials through alerts generated by an automated mechanism.

• Perform comprehensive unified vulnerability scanning of all the electronic access points to the Electronic Security Perimeter(s).

• Get easy-to-use detailed reports combined with role-based access controls to allow organizations to share information easily.

• Provide an automated mechanism to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

• Audit users and groups on critical cyber assets.

• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed your information access and management policies.

• Test the efficiency of your access control systems and policies.

• Test the external and internal boundary defenses of your Electronic Security Perimeter(s).

• Set up automated monitoring of access controls, including limits on the number of login attempts, password length requirements, allowable special characters, and other login ID access control policies.

• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.

• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).

Use Rapid7 Metasploit to:

• Test the efficiency of your access control systems and policies within the Electronic Security Perimeter(s).

• Survey hosts for use of approved authentication measures.

• Audit password length/complexity and authentication methods.

• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).

• Perform your external and internal penetration testing of critical cyber assets to determine if a hacker could access and steal sensitive cyber information. Penetration testing includes network-layer and application-layer tests. Penetration testing is conducted using Nexpose in conjunction with a variety of specialized tools including Metasploit, the leading open-source penetration testing platform with the world’s largest database of public, tested exploits.

Use Rapid7 Consulting Services to:

• Define and refine the scope of your Electronic Security Perimeter(s).

• Evaluate the security controls pertaining to the protection of your Electronic Security Perimeters.

• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and data.

• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.

• Assist you in writing documentation required by NERC-CIP.

• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).

CIP-006 Physical Security of Critical Cyber Assets (CIP-006-4d)

Associated requirements (no VRF is listed in this guide for the CIP-006 requirements):

R1 Physical Security Plan — The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s), that shall address, at a minimum, the following:

R1.1 All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such cyber assets.

R1.2 Identification of all physical access points through each Physical Security Perimeter and measures to control entry at those access points.

R1.3 Processes, tools, and procedures to monitor physical access to the perimeter(s).

R1.4 Appropriate use of physical access controls as described in Requirement R4, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.

R1.5 Review of access authorization requests and revocation of access authorization, in accordance with CIP-004-4 Requirement R4.

R1.6 A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following:

R1.6.1 Logs (manual or automated) to document the entry and exit of visitors, including the date and time of entrances and exits from Physical Security Perimeters.

R1.6.2 Continuous escorted access of visitors within the Physical Security Perimeter.

R1.7 Update of the physical security plan within thirty calendar days of the completion of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the Physical Security Perimeter, physical access controls, monitoring controls, or logging controls.

R1.8 Annual review of the physical security plan.

R2 Protection of Physical Access Control Systems — Cyber assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point, such as electronic lock control mechanisms and badge readers, shall:

R2.1 Be protected from unauthorized physical access.

R2.2 Be afforded the protective measures specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4 Requirements R2 and R3; Standard CIP-006-4 Requirements R4 and R5; Standard CIP-007-4; Standard CIP-008-4; and Standard CIP-009-4.

R3 Protection of Electronic Access Control Systems — Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall reside within an identified Physical Security Perimeter.

R4 Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. The Responsible Entity shall implement one or more of the following physical access methods:

• Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.

• Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.

• Security Personnel: Personnel responsible for controlling physical access that may reside on-site or at a monitoring station.

• Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the critical cyber assets.

R5 Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Standard CIP-008-4. One or more of the following monitoring methods shall be used:

• Alarm Systems: Systems that raise an alarm to indicate a door, gate, or window has been opened without authorization. These alarms must provide immediate notification to the personnel responsible for response.

• Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.

R6 Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals and their times of access, twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:

• Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.

• Video Recording: Electronic capture of video images of sufficient quality to determine identities.

• Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.

R7 Access Log Retention — The Responsible Entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4.

R8 Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:

R8.1 Testing and maintenance of all physical security mechanisms on a cycle that is no longer than three years.

R8.2 Retention of testing and maintenance records for the cycle determined by the Responsible Entity in Requirement R8.1.

R8.3 Retention of outage records regarding access controls, logging, and monitoring for a minimum of one calendar year.

Use Rapid7 Consulting Services to:

• Evaluate the security controls pertaining to the physical protection of your critical cyber assets.

• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures.

CIP-007 Systems Security Management (CIP-007-4)

Associated Requirements (VRF shown in parentheses after each requirement):

R1 Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing cyber assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-4, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. (VRF: M)

R1.1 The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system and/or its operation. (VRF: M)

R1.2 The Responsible Entity shall document that testing is performed in a manner that reflects the production environment. (VRF: L)

R1.3 The Responsible Entity shall document test results. (VRF: L)

R2 Ports and Services — The Responsible Entity shall establish, document, and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled. (VRF: M)

R2.1 The Responsible Entity shall enable only those ports and services required for normal and emergency operations. (VRF: M)

R2.2 The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all cyber assets inside the Electronic Security Perimeter(s). (VRF: M)

R2.3 In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document the compensating measure(s) applied to mitigate risk exposure. (VRF: M)

R3 Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-4 Requirement R6, shall establish, document, and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all cyber assets within the Electronic Security Perimeter(s). (VRF: L)

R3.1 The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. (VRF: L)

R3.2 The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (VRF: L)

R4 Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools where technically feasible to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets within the Electronic Security Perimeter(s). (VRF: M)

R4.1 The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (VRF: M)

R4.2 The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address testing and installing the signatures. (VRF: M)

R5 Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. (VRF: L)

R5.1 The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed. (VRF: M)

R5.1.1 The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003-4 Requirement R5. (VRF: L)

R5.1.2 The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. (VRF: L)

R5.1.3 The Responsible Entity shall review, at least annually, user accounts to verify that access privileges are in accordance with Standard CIP-003-4 Requirement R5 and Standard CIP-004-4 Requirement R4. (VRF: M)

R5.2 The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts. (VRF: L)

R5.2.1 The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service. (VRF: M)

R5.2.2 The Responsible Entity shall identify those individuals with access to shared accounts. (VRF: L)

R5.2.3 Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination). (VRF: M)

R5.3 At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible: (VRF: L)

R5.3.1 Each password shall be a minimum of six characters. (VRF: L)

R5.3.2 Each password shall consist of a combination of alpha, numeric, and “special” characters. (VRF: L)

R5.3.3 Each password shall be changed at least annually, or more frequently based on risk. (VRF: M)

R6 Security Status Monitoring — The Responsible Entity shall ensure that all cyber assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. (VRF: L)

R6.1 The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms to monitor for security events on all cyber assets within the Electronic Security Perimeter. (VRF: M)

R6.2 The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents. (VRF: M)

R6.3 The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008-4. (VRF: M)

R6.4 The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days. (VRF: L)

R6.5 The Responsible Entity shall review logs of system events related to cyber security, and maintain records documenting review of logs. (VRF: L)

R7 Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of cyber assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-4. (VRF: L)

R7.1 Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (VRF: L)

R7.2 Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (VRF: L)


R7.3 The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures. (VRF: L)

R8 Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all cyber assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: (VRF: L)

R8.1 A document identifying the vulnerability assessment process. (VRF: L)

R8.2 A review to verify that only ports and services required for operation of the cyber assets within the Electronic Security Perimeter are enabled. (VRF: M)

R8.3 A review of controls for default accounts. (VRF: M)

R8.4 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (VRF: M)

R9 Documentation Review and Maintenance — The Responsible Entity shall review and update the documentation specified in Standard CIP-007-4 at least annually. Changes resulting from modifications to the systems or controls shall be documented within thirty calendar days of the change being completed. (VRF: L)
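Two requirements in the CIP-007-4 table above translate directly into a repeatable check: the R5.3 password parameters (six characters, alpha plus numeric plus special, changed at least annually) and the R8.2 review that only required ports and services are enabled. The following Python is an added example written for this guide, not Rapid7's or NERC's code. The host names, the required-services allowlist, the netstat-style lines and the account dates are all constructed for illustration.

```python
"""Added example (not Rapid7's or NERC's code): evidence checks for
CIP-007-4 R5.3 (password parameters) and R8.2 (only required ports and
services enabled). Host names, the allowlist, the netstat-style lines and
the account dates are all constructed for illustration."""
from dataclasses import dataclass
from datetime import date
import string

PASSWORD_MIN_LENGTH = 6      # R5.3.1: at least six characters
PASSWORD_MAX_AGE_DAYS = 365  # R5.3.3: changed at least annually


def check_password_complexity(candidate: str) -> list[str]:
    """Evaluate a candidate password at set-time against R5.3.1 and R5.3.2.
    Returns the ids of the sub-requirements it fails (empty = compliant)."""
    failed = []
    if len(candidate) < PASSWORD_MIN_LENGTH:
        failed.append("R5.3.1")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_alpha and has_digit and has_special):
        failed.append("R5.3.2")
    return failed


@dataclass(frozen=True)
class AccountRecord:
    """Password metadata only; the audit never needs the secret itself."""
    host: str
    user: str
    last_changed: date


def stale_passwords(records, today: date) -> list[tuple[str, str]]:
    """R5.3.3: (host, user) pairs whose password is more than a year old."""
    return [(r.host, r.user) for r in records
            if (today - r.last_changed).days > PASSWORD_MAX_AGE_DAYS]


# R8.2: documented required services per cyber asset (constructed allowlist).
REQUIRED_SERVICES = {
    "hmi-01": {("tcp", 22), ("tcp", 502)},
    "hist-01": {("tcp", 22), ("tcp", 1433)},
}


def parse_listeners(netstat_text: str) -> set[tuple[str, int]]:
    """Extract (proto, port) pairs from `netstat -tuln`-style output.
    TCP sockets count only in LISTEN state; UDP lines carry no state column.
    tcp6/udp6 fold into tcp/udp because R8.2 is about the port and service."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto = fields[0].rstrip("6")
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # an established connection is not an enabled service
        port = int(fields[3].rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def undocumented_services(host: str, observed: set[tuple[str, int]]) -> list[tuple[str, int]]:
    """Enabled (proto, port) pairs that the host's documentation does not require."""
    return sorted(observed - REQUIRED_SERVICES.get(host, set()))


# Constructed sample evidence for one asset.
SAMPLE_NETSTAT_HMI01 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:502            10.0.0.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""
SAMPLE_ACCOUNTS = [
    AccountRecord("hmi-01", "operator", date(2012, 3, 1)),
    AccountRecord("hmi-01", "engineer", date(2011, 5, 15)),
]
AUDIT_DATE = date(2012, 8, 1)


def cip007_report() -> dict:
    """Run both checks over the sample evidence; empty lists mean compliant."""
    return {
        "R5.3.3_stale": stale_passwords(SAMPLE_ACCOUNTS, AUDIT_DATE),
        "R8.2_undocumented": undocumented_services(
            "hmi-01", parse_listeners(SAMPLE_NETSTAT_HMI01)),
    }
```

The complexity check is meant to run on the candidate string at the moment a password is set, while the annual-change check needs only last-changed metadata, so the audit inventory never holds a secret. For R8.2 the allowlist stands in for the documentation the requirement refers to; every enabled port that is absent from it is a finding to either justify and document or disable, and the sample shows telnet and SNMP surfacing that way on an HMI whose documentation lists only SSH and Modbus/TCP.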

Use Rapid7 Nexpose to:

• Test your external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter.

• Detect misconfigurations, identify missing patches and malicious software.

• Perform on-going scheduled and ad-hoc scanning of Web applications.

• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.

• Take inventory of systems, open ports, and associated services by performing either manual or scheduled discovery scans.

• Configure asset scanning and reporting based on specific criteria such as device type, software type, operating system type, or geographic location.

• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).

• Automate tracking of the types of operating systems and applications installed on each system, including versions and patch levels.


• Catalog all software, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).

• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.

• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.

• Alert on policy violations or misconfigurations.

• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).

• Discover accounts that were terminated, review results either in the UI or in report format, and then use the data to feed your information access and management policies.

• Set up automated monitoring of access controls (including adherence to policies for role-based access) to validate enforcement of access restrictions.

Use Rapid7 Metasploit to:

• Enable your internal Red Team staff to perform both scheduled and ad-hoc penetration testing of your Electronic Security Perimeter(s).

• Determine the exploitability of identified vulnerabilities.

• Perform external and internal penetration testing and use reporting to document findings, either to prepare for external audit or to conduct a security assessment in-house.

• Test the external and internal boundary defenses upon infrastructure changes.

• Test the level of accessibility and exploitability of critical cyber assets.

• Determine if a hacker could access and steal electronic protected information through Web applications.

• Test the efficiency of the access control systems and policies.

• Survey hosts for use of approved authentication measures.

• Audit password length/complexity and authentication methods.

Use Rapid7 Consulting Services to:

• Evaluate the security controls pertaining to testing procedures, open ports and services management, patch management, disposal, and cyber vulnerability assessments and documentation.

• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information from external threats.


• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.

• Assist you in writing documentation required by NERC-CIP.

• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).

CIP-008 Incident Reporting and Response Planning

#CIP-008-4

Associated Requirements:

# Requirements VRF (Violation Risk Factor: L = Lower, M = Medium)

R1 Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following: (VRF: L)

R1.1 Procedures to characterize and classify events as reportable Cyber Security Incidents. (VRF: L)

R1.2 Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans. (VRF: L)

R1.3 Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC, either directly or through an intermediary. (VRF: L)

R1.4 Process for updating the Cyber Security Incident response plan within thirty calendar days of any changes. (VRF: L)

R1.5 Process for ensuring that the Cyber Security Incident response plan is reviewed at least annually. (VRF: L)

R1.6 Process for ensuring the Cyber Security Incident response plan is tested at least annually. A test of the Cyber Security Incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident. (VRF: L)

R2 Cyber Security Incident Documentation — The Responsible Entity shall keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years. (VRF: L)


Use Rapid7 Nexpose to:

• Get a clear map of the Real Risk posed by the identified vulnerabilities across your organization’s IT landscape. Nexpose is the only product that includes real exploit and malware intelligence combined with CVSS base scores, temporal scoring, environment considerations (e.g., any mitigating controls in place), and asset criticality for risk classification.

• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.

Use Rapid7 Nexpose and Metasploit to:

• Support your incident response by providing details on the vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploits.

Use Rapid7 Consulting Services to:

• Evaluate your security controls pertaining to your incident response plan, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information from external threats.

CIP-009 Recovery Plans for Critical Cyber Assets

#CIP-009-4

Associated Requirements:

# Requirements VRF (Violation Risk Factor: L = Lower, M = Medium)

R1 Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) shall address at a minimum the following: (VRF: M)

R1.1 Specific required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s). (VRF: M)

R1.2 Defined roles and responsibilities of responders. (VRF: M)

R2 Exercises — The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. (VRF: L)


R3 Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed. (VRF: L)

R4 Backup and Restore — The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc. (VRF: L)

R5 Testing Backup Media — Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site. (VRF: L)
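R4 and R5 above ask for stored backups and for proof, at least annually, that the information on the backup media is actually still available. The Python below is an added example, not code from this guide or from Rapid7: it verifies what is read back from backup media against a SHA-256 manifest written at backup time, and records whether the annual test itself is overdue. The file paths, contents and dates are constructed for illustration.

```python
"""Added example (not Rapid7's or NERC's code): an annual restore test for
CIP-009-4 R5. It checks that what is read back from backup media still
matches the SHA-256 manifest written when the backup was taken, and that
the test itself is not overdue. Paths, contents and dates are constructed."""
import hashlib
from datetime import date

TEST_INTERVAL_DAYS = 365  # R5: tested at least annually


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Hash every file at backup time. Keep the manifest apart from the
    media so that a damaged medium cannot also damage the evidence."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_media(media: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare what was read back from the media against the manifest.

    'missing' and 'corrupt' entries mean the information is not available
    for recovery; 'extra' files are not a recovery failure but should be
    explained, since they are not part of the recorded backup."""
    missing = sorted(p for p in manifest if p not in media)
    corrupt = sorted(p for p in manifest
                     if p in media and sha256_hex(media[p]) != manifest[p])
    extra = sorted(p for p in media if p not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra}


def is_test_overdue(last_test: date, today: date) -> bool:
    """True when more than a year has passed since the last media test."""
    return (today - last_test).days > TEST_INTERVAL_DAYS


# Constructed sample: files as they were when backed up ...
ORIGINAL = {
    "rtu-07/config.cfg": b"baud=9600\nprotocol=dnp3\n",
    "rtu-07/firmware.bin": bytes(range(256)),
    "hmi-01/screens.tar": b"tar-archive-bytes",
}
MANIFEST = build_manifest(ORIGINAL)

# ... and as read back from the media during the test: one file has a
# changed last byte, one is absent entirely.
MEDIA_READBACK = {
    "rtu-07/config.cfg": b"baud=9600\nprotocol=dnp3\n",
    "rtu-07/firmware.bin": bytes(range(255)) + b"\x00",
}


def recovery_test_report(today: date = date(2012, 8, 1),
                         last_test: date = date(2011, 6, 30)) -> dict:
    """Evidence record for the annual test: what failed and whether it was late."""
    result = verify_media(MEDIA_READBACK, MANIFEST)
    return {
        **result,
        "recoverable": not (result["missing"] or result["corrupt"]),
        "test_overdue": is_test_overdue(last_test, today),
    }
```

The report is the artifact an auditor asks for under R5: it names each file that could not be recovered, and it carries the date arithmetic that shows whether the annual cadence was kept. Comparing hashes rather than file sizes or timestamps is what catches silent media degradation, which the sample models with a single altered byte in a firmware image.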

Use Rapid7 Nexpose to:

• Ensure continuous logging of historical scan data showing a device’s previous state.

• Use the automated utility to save duplicates of data to a backup server.

Use Rapid7 Consulting Services to:

• Audit your recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and private protection while operating in emergency mode.

To see how Rapid7’s IT Security Risk Management suite can benefit your organization, visit Rapid7.com.
