The North American Electric Reliability Corporation (NERC) has published under the Critical Infrastructure Protection program a security standard that is mandatory for every SCADA to manage infrastructure within the electrical system. It has a close resemblance to ISO27002 control objectives. Look for the Critical Infrastructure protection item at NERC website. Let's have a look inside the detail of each document:
||Its purpose is to define how to handle disturbances or unusual occurrences, suspected or determined to be caused by sabotage. It indicates that companies need to define procedures and guides to handle sabotage and how to report them to the appropriate systems, governmental agencies, and regulatory bodies.
||Cyber Security - Critical Cyber Asset Identification
Its purpose is to require the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. It must include at least one of the following characteristics:
- The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
- The Cyber Asset uses a routable protocol within a control center; or,
- The Cyber Asset is dial-up accessible.
||Cyber Security - Security Management Controls
||Its purpose is to create and mantain Cyber Security Policy, define Leadership of a senior manager to lead an manage the implementation of CIP standards, control exceptions to policy, define and implement access control measures, change control, configuration management and information protection methodologies.
||Cyber Security - Personnel and Training
|| It requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets obtained in CIP002-4a, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness as defined by the risk assessment model inside the company and in compliance with the Information Security Management System.
||Cyber Security - Electronic Security Perimeter
|| It requires the identification and protection of the Electronic Security Perimeter inside which all Critical Cyber Assets reside. This means placing controls like Firewalls that have specific support for the SCADA protocols being used, Application Whitelisting, IPS among many others. All those controls cannot induce or modify the protocol flow between all the SCADA entities in place.
||Cyber Security - Physical Security of Critical Cyber Assets
|| This standard is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. This include the implementation of physical controls like special locks, walls, biometric and the monitoring system checking all those controls for anomalies.
||Cyber Security - Systems Security Management
|| It requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets inside the Electronic Security Perimeter, like test procedures, security baseline for ports and services, security patch management, malicious software prevention, account management and security status monitoring.
||Cyber Security - Incident Reporting and Response Planning
||It ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. For more details on incident response, check NIST Computer Incident Response guide.
||Cyber Security - Recovery plans for Critical Cyber Assets
It that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices
The implementation of the NERC CIP standards needs to be build from the Information Security Management System directives and both of them need to agree in the way controls are implemented.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org
Manuel Humberto Santander Pelaacuteez
I'm sure those that have to deal with FERC Order 706-related items are well aware, but NERC CIP version 4 standards (CIP-XXX-4) are not applicable until April 1, 2014. Until then, NERC CIP version 3 (CIP-XXX-3) standards are applicable to all NERC Registered Entities. There is speculation that NERC CIP version 4 implimentation may be put on hold or skipped altogether if NERC CIP version 5 (CIP-XXX-5) meets what FERC is looking for. The idea being that FERC would rather have entities devote time to preparing to move to the more comprehensive and inclusive forthcoming NERC CIP version 5 vs. the NERC CIP version 4 standard which will drop off a large amount of Critical Assets. NERC CIP version 5 is presently being ballotted for the 3rd time right now and closing on Oct 10th. Additionally, I would add that NERC CIP-001 is not really an IT standard and is being considered for retirement as the requirements are duplicated elsewhere and/or are being rolled into a forthcoming EOP-004-2, which is part of the more applicable FERC Order 693 standards. One final note is that COM-001 really should be included for IT staff having to impliment NERC standards.