Do You Know About Heavyweight NERC CIP 011-1?


Ron Lepofsky, President, ERE Information Security Auditors

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly general standards.

It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

CIP 001-1 Sabotage Detection
CIP 002-1 Critical Cyber Asset Identification
CIP 003-1 Security Management Controls
CIP 004-1 Personnel and Training
CIP 005-1 Electronic Security Perimeter(s)
CIP 006-1 Physical Security of Critical Cyber Assets
CIP 007-1 Systems Security Management
CIP 008-1 Incident Reporting and Response Planning
CIP 009-1 Recovery Plans for Critical Cyber Assets
CIP 010-1 BES Cyber System Categorization (in draft)
CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict the other CIP standards; instead they are drill-downs that complement them.

In my opinion the 011-1 control points resemble the NIST security control points defined in the document Recommended Security Controls for Federal Information Systems and Organizations. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit, but I think they specify critical requirements for hardening the security of our electrical grid.

CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R6 – Physical Access Control Systems
CIP-011-1 Table R7 – Account Management Specifications
CIP-011-1 Table R8 – Account Management Implementation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R10 – Account Access Control Specifications
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
CIP-011-1 Table R13 – Remote Access Revocation
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
CIP-011-1 Table R15 – Malicious Code
CIP-011-1 Table R16 – Security Patch Management
CIP-011-1 Table R17 – System Hardening
CIP-011-1 Table R18 – Security Event Monitoring
CIP-011-1 Table R19 – Communications and Data Integrity
CIP-011-1 Table R20 – Electronic Boundary Protection
CIP-011-1 Table R21 – System Boundary Protection
CIP-011-1 Table R22 – Protective Cyber Systems
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R24 – Information Protection
CIP-011-1 Table R25 – Media Sanitization
CIP-011-1 Table R26 – Maintenance
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
CIP-011-1 Table R30 – Recovery Plan Specifications
CIP-011-1 Table R31 – Recovery Plan Testing Specifications
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out to find that critically important NIST standards are finally being implemented by the custodians of our electrical grid?

Have a secure week. Ron Lepofsky, CISSP, CISM, B.A.Sc. (Mechanical), www.ere-security.ca
