https://support.industry.siemens.com/cs/ww/en/view/109747098 Application description 04/2017 NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System RUGGEDCOM CROSSBOW

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System. Entry-ID: 109747098, 1.0, 04/2017


Warranty and Liability

© Siemens AG 2017 All rights reserved

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice.

If there are any deviations between the recommendations provided in these application examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.industry.siemens.com.

Table of Contents

Warranty and Liability
1 Overview
2 CIP-005-5.1: Cyber Security – BES Cyber System Categorization
3 CIP-003-6: Cyber Security – Security Management Controls
4 CIP-004-6: Cyber Security – Personnel & Training
5 CIP-005-5: Cyber Security — Electronic Security Perimeter(s)
6 CIP-006-6: Cyber Security — Physical Security of BES Cyber Systems
7 CIP-007-6: Cyber Security — Systems Security Management
8 CIP-008-5: Cyber Security — Incident Reporting and Response Planning
9 CIP-009-6: Cyber Security — Recovery Plans for BES Cyber Systems
10 CIP-010-2: Cyber Security — Configuration Change Management and Vulnerability
11 CIP-011-2: Cyber Security — Information Protection
12 References
13 Glossary of Terms
14 Related Literature
15 History


1 Overview


On January 21st, 2016, FERC issued Order 822 approving version 6 of the NERC standards involving revisions to seven NERC Critical Infrastructure Protection Standards and six new or modified terms. On February 25, 2016, FERC granted the motion requesting an extension of time for the implementation of the v5 requirements to match the v6 standards, which will generally go into effect on July 1, 2016, with the Low Impact and Transient Devices requirements going into effect on April 1, 2017.

Siemens’ RUGGEDCOM CROSSBOW is a scalable enterprise software solution tailored to provide secure, intermediate access to remote IEDs. It was conceptualized and designed to implement the best practices and procedures from Information Technology (IT) and bring them to the Operation Technology (OT) environment, initially with the needs of the Electric Utilities in mind, but positioned for expansion into other security-sensitive markets. Developed as a centralized solution to provide strong, two-factor authentication for authorized users, it delivers cyber-secure access to remote users for the management of IEDs and their associated files. Through RUGGEDCOM CROSSBOW, an IED maintenance application is allowed to remotely communicate with its associated IEDs as if the users were directly connecting to the device.

The following pages list the NERC CIP standards and requirements for CIP v5 and v6 as they are written to go into effect on July 1, 2016 and how Siemens RUGGEDCOM CROSSBOW can be used to assist as part of a CIP program to address certain requirements.


2 CIP-005-5.1: Cyber Security – BES Cyber System Categorization


Purpose

To identify and categorize BES Cyber Systems and their associated BES Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to mis-operation or instability in the BES.

Table 2-1: CIP-005-5.1: Cyber Security – BES Cyber System Categorization

Part / Requirement / CROSSBOW features to address or support the requirement

R1
Requirement: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
  i. Control Centers and backup Control Centers;
  ii. Transmission stations and substations;
  iii. Generation resources;
  iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
  1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
CROSSBOW features: CROSSBOW contains a database of all substation cyber assets under its control. Integral critical cyber asset reports identify:
  · All CCAs (for pre-v5 compatibility)
  · All cyber assets
  · High/Medium/Low impact rating
  · All assets added or edited since a given date
  · Key configuration parameters
  · Current firmware version (for select device types)
This function of CROSSBOW allows for easy categorization of impact level (High, Medium, and Low).

M1
Requirement: Acceptable evidence includes, but is not limited to, dated electronic or physical lists required by Requirement R1, and Parts 1.1 and 1.2.

R2
Requirement: The Responsible Entity shall: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
  2.1. Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
  2.2. Have its CIP Senior Manager or delegates approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.
CROSSBOW features: Printed Cyber asset report format includes area for review information, e.g. Reviewer name, title, date, & signature. Reports may be scheduled in advance and emailed to assigned reviewers to ensure timely review.

M2
Requirement: Acceptable evidence includes, but is not limited to, electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated, where necessary, the identifications required in Requirement R1 and its parts, and has had its CIP Senior Manager or delegate approve the identifications required in Requirement R1 and its parts at least once every 15 calendar months, even if it has none identified in Requirement R1 and its parts, as required by Requirement R2.


3 CIP-003-6: Cyber Security – Security Management Controls


Purpose

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

Table 3-1: CIP-003-6: Cyber Security – Security Management Controls

Part / Requirement / CROSSBOW features to address or support the requirement

R1
Requirement: Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
  1.1. For its high impact and medium impact BES Cyber Systems, if any:
    1.1.1. Personnel and training (CIP-004);
    1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
    1.1.3. Physical security of BES Cyber Systems (CIP-006);
    1.1.4. System security management (CIP-007);
    1.1.5. Incident reporting and response planning (CIP-008);
    1.1.6. Recovery plans for BES Cyber Systems (CIP-009);
    1.1.7. Configuration change management and vulnerability assessments (CIP-010);
    1.1.8. Information protection (CIP-011); and
    1.1.9. Declaring and responding to CIP Exceptional Circumstances.
  1.2. For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
    1.2.1. Cyber security awareness;
    1.2.2. Physical security controls;
    1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
    1.2.4. Cyber Security Incident response
CROSSBOW features: N/A (process documentation requirement)

M1
Requirement: Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.

R2
Requirement: Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.
CROSSBOW features: N/A (process documentation requirement)

M2
Requirement: Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2.

R3
Requirement: Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
CROSSBOW features: CROSSBOW administrator can identify the person/people responsible for NERC compliance by name and provide them with access to reports only.

M3
Requirement: An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.

R4
Requirement: The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
CROSSBOW features: N/A (process documentation requirement)

M4
Requirement: An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.


4 CIP-004-6: Cyber Security – Personnel & Training


Purpose

To minimize the risk against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

R1
Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R1 – Security Awareness Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R1 – Security Awareness Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

R2
Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-6 Table R2 – Cyber Security Training Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M2
Evidence must include the training program that includes each of the applicable requirement parts in CIP-004-6 Table R2 – Cyber Security Training Program and additional evidence to demonstrate implementation of the program(s).

R3
Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 – Personnel Risk Assessment Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M3
Evidence must include the documented personnel risk assessment programs that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 – Personnel Risk Assessment Program and additional evidence to demonstrate implementation of the program(s).

R4
Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R4 – Access Management Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M4
Evidence must include the documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R4 – Access Management Program and additional evidence to demonstrate that the access management program was implemented as described in the Measures column of the table.

Table 4-1: CIP-004-6: Cyber Security – Personnel & Training

Part / Requirement / CROSSBOW features to address or support the requirement

ALL
Requirement: ALL
CROSSBOW features: n/a (Process/documentation requirement)


5 CIP-005-5: Cyber Security — Electronic Security Perimeter(s)


Purpose

To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1
Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 5-1: CIP-005-5: Table R1 – Electronic Security Perimeter

Part / Applicable Systems / Requirement / Measures / CROSSBOW features to address or support the requirement

Part 1.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems and their associated:
  · PCA
Requirement: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
Measures: An example of evidence may include, but is not limited to, a list of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP.
CROSSBOW features: CROSSBOW provides a report of all devices using a routable protocol, by facility

Part 1.2
Applicable Systems:
  High Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
Measures: An example of evidence may include, but is not limited to, network diagrams showing all external routable communication paths and the identified EAPs.
CROSSBOW features: CROSSBOW provides a report of all Electronic Access Points, by facility

Part 1.3
Applicable Systems:
  Electronic Access Points for High Impact BES Cyber Systems
  Electronic Access Points for Medium Impact BES Cyber Systems
Requirement: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
Measures: An example of evidence may include, but is not limited to, a list of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason.
CROSSBOW features: A typical CROSSBOW implementation results in the CROSSBOW server being configured as the only system allowed to connect to the EAP for interactive access. This may be enforced with certificates, passwords, or other means.

Part 1.4
Applicable Systems:
  High Impact BES Cyber Systems with Dial-up Connectivity and their associated:
  · PCA
  Medium Impact BES Cyber Systems with Dial-up Connectivity and their associated:
  · PCA
Requirement: Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
Measures: An example of evidence may include, but is not limited to, a documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection.
CROSSBOW features: CROSSBOW supports many 3rd party dial-up EAPs, and provides authenticated access to and through them.

Part 1.5
Applicable Systems:
  Electronic Access Points for High Impact BES Cyber Systems
  Electronic Access Points for Medium Impact BES Cyber Systems at Control Centers
Requirement: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
Measures: An example of evidence may include, but is not limited to, documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented.
CROSSBOW features: CROSSBOW may be used to aggregate logs from EAPs, and generate alerts under specific conditions.

R2
Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M2
Evidence must include the documented processes that collectively address each of the applicable requirement parts in CIP-005-5 Table R2 – Interactive Remote Access Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 5-2: CIP-005-5: Table R2 – Interactive Remote Access Management

Part / Applicable Systems / Requirement / Measures / CROSSBOW features to address or support the requirement

Part 2.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
Measures: Examples of evidence may include, but are not limited to, network diagrams or architecture documents.
CROSSBOW features: CROSSBOW Secure Access Manager acts as intermediate system between clients and the Cyber Assets. CROSSBOW permits access to BES Cyber System or Protected Cyber Asset only to those who have been granted access privileges by an authorized administrator.

Part 2.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
Measures: An example of evidence may include, but is not limited to, architecture documents detailing where encryption initiates and terminates.
CROSSBOW features: CROSSBOW client–server communication is always encrypted. Connections from the server may be encrypted to EAPs which support it.

Part 2.3
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: Require multi-factor authentication for all Interactive Remote Access sessions.
Measures: An example of evidence may include, but is not limited to, architecture documents detailing the authentication factors used. Examples of authenticators may include, but are not limited to,
  · Something the individual knows such as passwords or PINs. This does not include User ID;
  · Something the individual has such as tokens, digital certificates, or smart cards; or
  · Something the individual is such as fingerprints, iris scans, or other biometric characteristics.
CROSSBOW features: CROSSBOW makes it technically feasible to secure interactive access to all IEDs, using strong (2-factor) authentication. CROSSBOW’s open architecture allows easy integration with various back-end authentication servers, such as RSA SecurID, RADIUS, or Active Directory.


6 CIP-006-6: Cyber Security — Physical Security of BES Cyber Systems


PurposeTo manage physical access to Bulk Electric System (BES) Cyber Systems byspecifying a physical security plan in support of protecting BES Cyber Systemsagainst compromise that could lead to mis-operation or instability in the BES.

R1Each Responsible Entity shall implement one or more documented physicalsecurity plan(s) that collectively include all of the applicable requirement parts inCIP-006-6 Table R1 – Physical Security Plan. [Violation Risk Factor: Medium][Time Horizon: Long Term Planning and Same Day Operations]

M1Evidence must include each of the documented physical security plans thatcollectively include all of the applicable requirement parts in CIP-006-6 Table R1 –Physical Security Plan and additional evidence to demonstrate implementation ofthe plan or plans as described in the Measures column of the table.

R2Each Responsible Entity shall implement one or more documented visitor controlprogram(s) that include each of the applicable requirement parts in CIP-006-6Table R2 – Visitor Control Program. [Violation Risk Factor: Medium] [Time Horizon:Same Day Operations.]

M2Evidence must include one or more documented visitor control programs thatcollectively include each of the applicable requirement parts in CIP-006-6 Table R2– Visitor Control Program and additional evidence to demonstrate implementationas described in the Measures column of the table.

R3Each Responsible Entity shall implement one or more documented PhysicalAccess Control System maintenance and testing program(s) that collectivelyinclude each of the applicable requirement parts in CIP-006-6 Table R3 –Maintenance and Testing Program. [Violation Risk Factor: Medium] [Time Horizon:Long Term Planning]

M3Evidence must include each of the documented Physical Access Control Systemmaintenance and testing programs that collectively include each of the applicablerequirement parts in CIP-006-6 Table R3 – Maintenance and Testing Program andadditional evidence to demonstrate implementation as described in the Measurescolumn of the table.

Table 6-1: CIP-006-6: Cyber Security – Physical Security of BES Cyber Systems

Part ALL
Requirement:
  ALL
CROSSBOW features to address or support the requirement:
  n/a (Process/documentation requirement)


7 CIP-007-6: Cyber Security — Systems Security Management

Purpose
To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

R1
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R1 – Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations]

M1
Evidence must include the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R1 – Ports and Services and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-1: CIP-007-6: Table R1 – Ports and Services

Part 1.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.
Measures:
  Examples of evidence may include, but are not limited to:
  · Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.
  · Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or
  · Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others.
CROSSBOW features to address or support the requirement:
  CROSSBOW documents all the devices it is connected to and their applicable ports.

Part 1.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. PCA; and 2. Nonprogrammable communication components located inside both a PSP and an ESP.
  Medium Impact BES Cyber Systems at Control Centers and their associated: 1. PCA; and 2. Nonprogrammable communication components located inside both a PSP and an ESP.
Requirement:
  Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
Measures:
  An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.
CROSSBOW features to address or support the requirement:
  n/a (documentation requirement)

R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R2 – Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R2 – Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-2: CIP-007-6: Table R2 – Security Patch Management

Part 2.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
Measures:
  An example of evidence may include, but is not limited to, documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis.
CROSSBOW features to address or support the requirement:
  SIEMENS performs monthly regression testing of CROSSBOW against all supported operating systems for compatibility with Microsoft OS patches. A notification email is sent to all customers with current maintenance agreements within 3 weeks of the release from Microsoft.

Part 2.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
Measures:
  An example of evidence may include, but is not limited to, an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days.
CROSSBOW features to address or support the requirement:
  SIEMENS performs monthly regression testing of CROSSBOW against all supported operating systems for compatibility with Microsoft OS patches. A notification email is sent to all customers with current maintenance agreements within 3 weeks of the release from Microsoft.

Part 2.3
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
  · Apply the applicable patches; or
  · Create a dated mitigation plan; or
  · Revise an existing mitigation plan.
  Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
Measures:
  Examples of evidence may include, but are not limited to:
  · Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or
  · A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.
CROSSBOW features to address or support the requirement:
  CROSSBOW can monitor devices for current software and configuration versions & generate reports.
  CROSSBOW may be scripted to apply security patches to field devices

Part 2.4
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS;
Requirement:
  For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
Measures:
  An example of evidence may include, but is not limited to, records of implementation of mitigations.
CROSSBOW features to address or support the requirement:
  n/a (documentation requirement)

R3
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R3 – Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations]

M3
Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R3 – Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-3: CIP-007-6: Table R3 – Malicious Code Prevention

Part 3.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; 3. PCA
Requirement:
  Deploy method(s) to deter, detect, or prevent malicious code.
Measures:
  An example of evidence may include, but is not limited to, records of the Responsible Entity’s performance of these processes (e.g., through traditional antivirus, system hardening, policies, etc.).
CROSSBOW features to address or support the requirement:
  n/a (process documentation)

Part 3.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Mitigate the threat of detected malicious code.
Measures:
  Examples of evidence may include, but are not limited to:
  · Records of response processes for malicious code detection
  · Records of the performance of these processes when malicious code is detected.
CROSSBOW features to address or support the requirement:
  CROSSBOW can aggregate (using syslog) notifications from other system components, and provide user notifications.

Part 3.3
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.
Measures:
  An example of evidence may include, but is not limited to, documentation showing the process used for the update of signatures or patterns.
CROSSBOW features to address or support the requirement:
  n/a (documentation requirement)

R4
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 – Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment]

M4
Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 – Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-4: CIP-007-6: Table R4 – Security Event Monitoring

Part 4.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
  4.1.1. Detected successful login attempts;
  4.1.2. Detected failed access attempts and failed login attempts;
  4.1.3. Detected malicious code.
Measures:
  Examples of evidence may include, but are not limited to, a paper or system generated listing of event types for which the BES Cyber System is capable of detecting and, for generated events, is configured to log. This listing must include the required types of events.
CROSSBOW features to address or support the requirement:
  CROSSBOW logs activities (failed access attempts and failed login), and events for the devices it is connected to. It may aggregate events from EAPs and other devices via syslog, and generate alerts.

Part 4.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
  4.2.1. Detected malicious code from Part 4.1; and
  4.2.2. Detected failure of Part 4.1 event logging.
Measures:
  Examples of evidence may include, but are not limited to, paper or system generated listing of security events that the Responsible Entity determined necessitate alerts, including paper or system generated list showing how alerts are configured.
CROSSBOW features to address or support the requirement:
  CROSSBOW has configurable alerts and notifications. Users may be notified within CROSSBOW, via email, or via syslog.

Part 4.3
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Measures:
  Examples of evidence may include, but are not limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.
CROSSBOW features to address or support the requirement:
  Data may be retained indefinitely within the CROSSBOW database.

Part 4.4
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
Requirement:
  Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Measures:
  Examples of evidence may include, but are not limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.
CROSSBOW features to address or support the requirement:
  Data may be retained indefinitely within the CROSSBOW database.

R5
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R5 – System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M5
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table 5 – System Access Controls and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-5: CIP-007-6: Table R5 – System Access Controls

Part 5.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Have a method(s) to enforce authentication of interactive user access, where technically feasible.
Measures:
  An example of evidence may include, but is not limited to, documentation describing how access is authenticated.
CROSSBOW features to address or support the requirement:
  CROSSBOW makes strong user authentication technically feasible for all device types, by authenticating users' credentials against Active Directory, RADIUS, or 2-Factor Authentication (e.g.: RSA)

Part 5.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).
Measures:
  An example of evidence may include, but is not limited to, a listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System.
CROSSBOW features to address or support the requirement:
  CROSSBOW generally eliminates the need for shared accounts. Every user has their own unique account for all activities. The CROSSBOW server becomes the only “user” that connects to devices.

Part 5.3
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Identify individuals who have authorized access to shared accounts.
Measures:
  An example of evidence may include, but is not limited to, listing of shared accounts and the individuals who have authorized access to each shared account.
CROSSBOW features to address or support the requirement:
  Systems are normally configured so that the CROSSBOW system is the only “user” to access device accounts. CROSSBOW then manages individual user access permissions.

Part 5.4
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Change known default passwords, per Cyber Asset capability
Measures:
  Examples of evidence may include, but are not limited to:
  · Records of a procedure that passwords are changed when new devices are in production; or
  · Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.
CROSSBOW features to address or support the requirement:
  CROSSBOW allows changing the default password of all devices at any given time to a specific or randomly generated new password.
  CROSSBOW has a built-in report to show all devices and the age of all current passwords.

Part 5.5
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
  5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
  5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
Measures:
  Examples of evidence may include, but are not limited to:
  · System-generated reports or screen-shots of the system enforced password parameters, including length and complexity; or
  · Attestations that include a reference to the documented procedures that were followed.
CROSSBOW features to address or support the requirement:
  CROSSBOW can enforce password length and complexity rules, specified by device type.
  Passwords may be automatically changed on a configurable time interval.

Part 5.6
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and
Requirement:
  Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
Measures:
  Examples of evidence may include, but are not limited to:
  · System-generated reports or screen-shots of the system enforced periodicity of changing passwords; or
  · Attestations that include a reference to the documented procedures that were followed.
CROSSBOW features to address or support the requirement:
  CROSSBOW supports various back-end authentication systems (Active Directory, RADIUS, RSA SecurID) that enforce user password rules.

Part 5.7
Applicable Systems:
  High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
  Where technically feasible, either:
  Limit the number of unsuccessful authentication attempts; or
  Generate alerts after a threshold of unsuccessful authentication attempts.
Measures:
  Examples of evidence may include, but are not limited to:
  · Documentation of the account lockout parameters; or
  · Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts.
CROSSBOW features to address or support the requirement:
  CROSSBOW will disable a user account after a configurable number of failed login attempts.


8 CIP-008-5: Cyber Security — Incident Reporting and Response Planning

Purpose
To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.

R1
Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Planning]

M1
Evidence must include each of the documented plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications.

Table 8-1: CIP-008-5: Table R1 – System Access Control

Part 1.1
Applicable Systems:
  High Impact BES Cyber Systems
  Medium Impact BES Cyber Systems
Requirement:
  One or more processes to identify, classify, and respond to Cyber Security Incidents.
Measures:
  An example of evidence may include, but is not limited to, dated documentation of Cyber Security Incident response plan(s) that include the process to identify, classify, and respond to Cyber Security Incidents.
CROSSBOW features to address or support the requirement:
  All security events within CROSSBOW are available through reports, syslog, or email.

Part 1.2
Applicable Systems:
  High Impact BES Cyber Systems
  Medium Impact BES Cyber Systems
Requirement:
  One or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident and notify the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law. Initial notification to the ES-ISAC, which may be only a preliminary notice, shall not exceed one hour from the determination of a Reportable Cyber Security Incident.
Measures:
  Examples of evidence may include, but are not limited to, dated documentation of Cyber Security Incident response plan(s) that provide guidance or thresholds for determining which Cyber Security Incidents are also Reportable Cyber Security Incidents and documentation of initial notices to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).
CROSSBOW features to address or support the requirement:
  n/a (documentation requirement)

Part 1.3
Applicable Systems:
  High Impact BES Cyber Systems
  Medium Impact BES Cyber Systems
Requirement:
  The roles and responsibilities of Cyber Security Incident response groups or individuals.
Measures:
  An example of evidence may include, but is not limited to, dated Cyber Security Incident response process(es) or procedure(s) that define roles and responsibilities (e.g., monitoring, reporting, initiating, documenting, etc.) of Cyber Security Incident response groups or individuals.
CROSSBOW features to address or support the requirement:
  n/a (process documentation requirement)

Part 1.4
Applicable Systems:
  High Impact BES Cyber Systems
  Medium Impact BES Cyber Systems
Requirement:
  Incident handling procedures for Cyber Security Incidents.
Measures:
  An example of evidence may include, but is not limited to, dated Cyber Security Incident response process(es) or procedure(s) that address incident handling (e.g., containment, eradication, recovery/incident resolution).
CROSSBOW features to address or support the requirement:
  n/a (process documentation requirement)

R2
Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-Time Operations]

M2
Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.

Table 8-2: CIP-008-5: Table R2 – Cyber Security Incident Response Plan Implementation and Testing

Part ALL
Applicable Systems:
  ALL
Requirement:
  ALL
Measures:
  ALL
CROSSBOW features to address or support the requirement:
  n/a (process documentation requirement)


R3
Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment]

M3
Evidence must include, but is not limited to, documentation that collectively demonstrates maintenance of each Cyber Security Incident response plan according to the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident.

Table 8-3: CIP-008-5: Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication

Part ALL
Applicable Systems:
  ALL
Requirement:
  ALL
Measures:
  ALL
CROSSBOW features to address or support the requirement:
  n/a (process documentation requirement)


9 CIP-009-6: Cyber Security — Recovery Plans for BES Cyber Systems

Purpose
To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.

R1
Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable requirement parts in CIP-009-6 Table R1 – Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]

M1
Evidence must include the documented recovery plan(s) that collectively include the applicable requirement parts in CIP-009-6 Table R1 – Recovery Plan Specifications.

Table 9-1: CIP-009-6: Table R1 thru R3 – Recovery Plans for BES Cyber Systems

Part ALL
Applicable Systems:
  ALL
Requirement:
  ALL
Measures:
  ALL
CROSSBOW features to address or support the requirement:
  n/a (process documentation requirement)


10 CIP-010-2: Cyber Security — Configuration Change Management and Vulnerability

Purpose
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

R1
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R1 – Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R1 – Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 10-1: CIP-010-2: Table R1 – Configuration Change Management

Part: 1.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
Measures:
Examples of evidence may include, but are not limited to:
· A spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; or
· A record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group.
CROSSBOW features to address or support the requirement:
CROSSBOW can create a baseline record for all cyber assets. Reports are available which document firmware versions of all cyber assets.

Part: 1.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Authorize and document changes that deviate from the existing baseline configuration.
Measures:
Examples of evidence may include, but are not limited to:
· A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or
· Documentation that the change was performed in accordance with the requirement.
CROSSBOW features to address or support the requirement:
CROSSBOW may be used to automate many device monitoring tasks, such as verifying firmware version, and comparing current configuration to an approved baseline.
Configuration changes are logged in the CROSSBOW database.

Part: 1.3
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.
Measures:
An example of evidence may include, but is not limited to, updated baseline documentation with a date that is within 30 calendar days of the date of the completion of the change.
CROSSBOW features to address or support the requirement:
CROSSBOW provides a simple “1-click” method for taking a snapshot of a device configuration and marking it as baseline.

Part: 1.4
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For a change that deviates from the existing baseline configuration:
1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification.
Measures:
An example of evidence may include, but is not limited to, a list of cyber security controls verified or tested along with the dated test results.
CROSSBOW features to address or support the requirement:
n/a (process requirement)

Part: 1.5
Applicable Systems:
High Impact BES Cyber Systems
Requirement:
Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Measures:
An example of evidence may include, but is not limited to, a list of cyber security controls tested along with successful test results and a list of differences between the production and test environments with descriptions of how any differences were accounted for, including of the date of the test.
CROSSBOW features to address or support the requirement:
n/a (process requirement)

R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R2 – Configuration Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R2 – Configuration Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 10-2: CIP-010-2: Table R2 – Configuration Monitoring

Part: 2.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
Requirement:
Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
Measures:
An example of evidence may include, but is not limited to, logs from a system that is monitoring the configuration along with records of investigation for any unauthorized changes that were detected.
CROSSBOW features to address or support the requirement:
CROSSBOW may be used to automate many tasks, such as verifying firmware version, and comparing current configuration to an approved baseline. Configuration changes are logged in the CROSSBOW database and generate alerts.


11 CIP-011-2: Cyber Security — Information Protection

Purpose
To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

R1
Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-2 Table R1 – Information Protection. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M1
Evidence for the information protection program must include the applicable requirement parts in CIP-011-2 Table R1 – Information Protection and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 11-1: CIP-011-2: Table R1 – Configuration Monitoring

Part: 1.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement:
Method(s) to identify information that meets the definition of BES Cyber System Information.
Measures:
Examples of acceptable evidence include, but are not limited to:
· Documented method to identify BES Cyber System Information from entity’s information protection program; or
· Indications on information (e.g., labels or classification) that identify BES Cyber System Information as designated in the entity’s information protection program; or
· Training materials that provide personnel with sufficient knowledge to recognize BES Cyber System Information; or
· Repository or electronic and physical location designated for housing BES Cyber System Information in the entity’s information protection program.
CROSSBOW features to address or support the requirement:
n/a (process requirement)

Part: 1.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement:
Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.
Measures:
Examples of acceptable evidence include, but are not limited to:
· Procedures for protecting and securely handling, which include topics such as storage, security during transit, and use of BES Cyber System Information; or
· Records indicating that BES Cyber System Information is handled in a manner consistent with the entity’s documented procedure(s).
CROSSBOW features to address or support the requirement:
CROSSBOW hides or obfuscates BES Cyber System information from all users except authorized administrators.

R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal and additional evidence to demonstrate implementation as described in the Measures column of the table.


Table 11-2: CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal

Part: 1.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement:
Method(s) to identify information that meets the definition of BES Cyber System Information.
Measures:
Examples of acceptable evidence include, but are not limited to:
· Documented method to identify BES Cyber System Information from entity’s information protection program; or
· Indications on information (e.g., labels or classification) that identify BES Cyber System Information as designated in the entity’s information protection program; or
· Training materials that provide personnel with sufficient knowledge to recognize BES Cyber System Information; or
· Repository or electronic and physical location designated for housing BES Cyber System Information in the entity’s information protection program.
CROSSBOW features to address or support the requirement:
n/a (process requirement)

Part: 1.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement:
Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.
Measures:
Examples of acceptable evidence include, but are not limited to:
· Procedures for protecting and securely handling, which include topics such as storage, security during transit, and use of BES Cyber System Information; or
· Records indicating that BES Cyber System Information is handled in a manner consistent with the entity’s documented procedure(s).
CROSSBOW features to address or support the requirement:
CROSSBOW hides or obfuscates BES Cyber System information from all users except authorized administrators.

R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 11-3: CIP-011-2: Table R2 – BES Cyber Asset Reuse and Disposal

Part: 2.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the “Applicable Systems” column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.
Measures:
Examples of acceptable evidence include, but are not limited to:
· Records tracking sanitization actions taken to prevent unauthorized retrieval of BES Cyber System Information such as clearing, purging, or destroying; or
· Records tracking actions such as encrypting, retaining in the Physical Security Perimeter or other methods used to prevent unauthorized retrieval of BES Cyber System Information.
CROSSBOW features to address or support the requirement:
This is primarily a process requirement. CROSSBOW’s scripting capabilities could be used to sanitize devices prior to reuse.

Part: 2.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the “Applicable Systems” column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.
Measures:
Examples of acceptable evidence include, but are not limited to:
· Records that indicate that data storage media was destroyed prior to the disposal of an applicable Cyber Asset; or
· Records of actions taken to prevent unauthorized retrieval of BES Cyber System Information prior to the disposal of an applicable Cyber Asset.
CROSSBOW features to address or support the requirement:
This is primarily a process requirement. CROSSBOW’s scripting capabilities could be used to sanitize devices prior to reuse.


12 References
· RUGGEDCOM CROSSBOW User Guide
· NERC CIP version 5 and version 6 requirements (http://www.nerc.com/pa/CI/Comp/Pages/default.aspx)

13 Glossary of Terms
BES: Bulk Electric System
CCA: Critical Cyber Asset
CIP: Critical Infrastructure Protection
EACMS: Electronic Access Control or Monitoring Systems
LEAP: Low Impact BES Cyber System Electronic Access Point
LERC: Low Impact External Routable Connectivity
NERC: North American Electric Reliability Corporation
PACS: Physical Access Control Systems
PCA: Protected Cyber Asset


14 Related Literature

Table 14-1

Topic Title / Link

\1\ Siemens Industry Online Support
http://support.industry.siemens.com

\2\ Download page of this entry
https://support.industry.siemens.com/cs/ww/en/view/109747098

15 History

Table 15-1

Version Date Modifications

V1.0 04/2017 First version