North American Electric Reliability Corporation
(NERC)
Compliance Guide
August 2012
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095
617.247.1717 www.ra...
Rapid7 NERC-CIP Compliance Guide
The North American Electric Reliability Corporation (NERC) introduced Critical Infrastructure Protections (CIPs) as mandatory cyber security regulations, intended to protect the bulk electric grid. This compliance guide, updated according to NERC CIP version 4 (applicable as of June 25, 2012), provides an overview of the compliance requirements as well as steps to achieve NERC compliance.

To download a free Nexpose demo, click here:
http://www.rapid7.com/products/nexpose/compare-downloads.jsp

To download a free Metasploit demo, click here:
http://www.rapid7.com/products/metasploit/download.jsp


What is NERC?
The North American Electric Reliability Corporation (NERC) is a not-for-profit corporation whose mission is to improve the reliability of the critical systems that create and transport electricity around the continent. In NERC’s jargon, these critical systems are called “bulk power systems.”

What does reliability really mean?
Reliability = Adequacy + Security

Adequacy: Adequacy means having sufficient resources to provide customers with a continuous supply of electricity at the proper voltage and frequency, virtually all of the time. In this case, “resources” refers to a combination of electricity generation and transmission facilities, which produce and deliver electricity. Maintaining adequacy requires system operators and planners to take into account both scheduled and reasonably expected unscheduled outages of equipment, while maintaining a constant balance between supply and demand.

Security: Security is perceived as the ability of the bulk power system to:
• Withstand sudden, unexpected disturbances, such as short circuits or unanticipated loss of system elements due to natural causes.
• Withstand disturbances caused by man-made physical or cyber attacks.
The bulk power system must be planned, designed, built and operated in a manner that takes into account modern threats and more traditional risks to security.

Who must be NERC compliant?
All bulk power system owners, operators, and users must comply with approved NERC reliability standards. These entities are required to register with NERC through the appropriate regional entity. The process for registration is described in the NERC Rules of Procedure, Section 500 and Appendix 5A. The list of all organizations that are registered and therefore subject to compliance can be found on this page: Compliance Registry files (NRC). This list is updated monthly.

Who is responsible for NERC compliance?
NERC relies on eight regional entities to monitor compliance with the NERC standards of bulk power system owners, operators, and users within their regional boundaries. The members of the regional entities come from all segments of the electric industry: investor-owned utilities, federal power agencies, rural electric cooperatives, state, municipal and provincial utilities, independent power producers, power marketers, and end-use customers. Compliance enforcement methods include regularly scheduled compliance audits, random spot checks, and specific investigations when warranted by indications that a standard may have been violated.
The NERC audit
NERC and its related regions have primary responsibilities to:
• Develop an overall audit schedule
• Initiate the audit process for an entity
• Develop and deliver audit criteria and associated documentation to audited entities
• Identify the audit team members
• Coordinate audited entity questionnaires
• Publish the audit findings

Overview of the audit process
1. Entities being audited are informed at least sixty calendar days prior to the on-site audit through the receipt of a request for information and a questionnaire.
2. Entities have seven calendar days to provide the requested information, and must submit the completed questionnaire no later than thirty calendar days prior to the audit.
3. The audit team is tasked with reviewing an entity’s questionnaire responses and documentation, performing the on-site audit, and preparing a report of its findings.
4. The final audit report is posted on the NERC website within sixty calendar days of the completion of the audit.
5. Within forty-five calendar days of the date of audit report posting, the audited entities must supply a response plan to NERC addressing the report recommendations, including a timeline for implementation. This response plan is published on the NERC website when submitted by the entity.
For detailed information about the audit process see: NERC Readiness Audit Procedure

What are the consequences of non-compliance?
Whenever a possible violation is discovered, a thorough review is conducted based on the following considerations:
• The underlying facts and circumstances
• The Reliability Standard at issue
• The potential and actual level of risk to reliability, including mitigating factors
• The registered entity’s compliance program
• The registered entity’s compliance history
Based on this examination, NERC issues one of the following:
• A formal “Notice of Penalty” (NOP) for alleged violations that constitute a High or Medium risk.
• A formal notice of “Find, Fix, Track and Report” (FFT) for alleged violations that constitute a minimal risk.
• A dismissal.
The details of the investigation are provided to the Federal Energy Regulatory Commission (FERC) in the U.S., or to the applicable governmental authorities in Canada. The information becomes publicly available on NERC’s website.

What is the NERC compliance framework?
There are 14 sets of reliability standards subject to enforcement:
1. Resource and Demand Balancing (BAL)
2. Communications (COM)
3. Critical Infrastructure Protection (CIP)
4. Emergency Preparedness and Operations (EOP)
5. Facilities Design, Connections, and Maintenance (FAC)
6. Interchange Scheduling and Coordination (INT)
7. Interconnection Reliability Operations and Coordination (IRO)
8. Modeling, Data, and Analysis (MOD)
9. Nuclear (NUC)
10. Personnel Performance, Training, and Qualifications (PER)
11. Protection and Control (PRC)
12. Transmission Operations (TOP)
13. Transmission Planning (TPL)
14. Voltage and Reactive (VAR)
In the context of Information Technology, and more specifically of cyber threats, “Critical Infrastructure Protection” (CIP) is the relevant set of standards.
The Critical Infrastructure Protection (CIP) Standards
This guide is based on NERC CIP version 4, applicable as of June 25, 2012. NERC-CIP consists of the following standards:

CIP-001 Sabotage Reporting
Requirements related to the communication of information concerning sabotage events to appropriate parties. Disturbances or unusual occurrences suspected or determined to be caused by sabotage shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.

CIP-002 Critical Cyber Asset Identification
Requirements related to the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the Bulk Electric System.

CIP-003 Security Management Controls
Requirements related to the minimal general security management controls that must be in place to protect critical cyber assets and associated information: Cyber Security Policy, Security Responsibilities, Information Protection, and Access Control to critical cyber asset information.

CIP-004 Personnel & Training
Requirements related to the security awareness program, security policies, procedures training, and access management.

CIP-005 Electronic Security Perimeter(s)
Requirements related to the protection of access points to Electronic Security Perimeters: access controls, monitoring, vulnerability assessment, and documentation.

CIP-006 Physical Security of Critical Cyber Assets
Requirements related to the physical protection of cyber assets: physical access control, monitoring, logging physical access, log retention, maintenance and testing of physical controls.
CIP-007 Systems Security Management
Requirements related to testing procedures prior to production, ports and services usage, patch management, malicious software prevention, account management, system event monitoring, disposal or redeployment, vulnerability assessment, and documentation.

CIP-008 Incident Reporting and Response Planning
Requirements related to the identification, classification, response, and reporting of Cyber Security Incidents related to critical cyber assets: incident response plans and documentation.

CIP-009 Recovery Plans for Critical Cyber Assets
Requirements related to business continuity, disaster recovery techniques, and practices associated with the cyber assets: Recovery Plans, Exercises, Change Control, Backup and Restore, Testing Backup Media.

How can organizations comply with NERC?
Each of the above standards includes:
• A description of the standard’s purpose
• The list of responsible entities to which the standard applies
• The list of associated requirements
• The list of measures to demonstrate compliance
• The associated compliance monitoring and enforcement process
• The associated data retention policy
• The associated Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) matrix (determination of risk factors and severity levels according to the identified gaps).
» Note: The VRF represents the pre-violation potential risk that a standard would pose to the bulk power system if it were violated.
» A VSL is a post-violation measure of the severity of the violation.
» The VSL and VRF are combined to help NERC establish base penalty ranges for particular violations.
How Rapid7 can help
Rapid7 has extensive experience partnering with energy and utility entities such as Sempra Energy, Pedernales Electric Company, and Southern Company to help them with the complex regulatory environment of the energy sector. Rapid7 provides full end-to-end security solutions and services for energy and utility entities to help them meet NERC-CIP requirements.

Rapid7 Nexpose is a security risk intelligence solution that proactively supports the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation. In the context of NERC-CIP, Nexpose helps registered entities to:
• Take inventory of their cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect sensitive data in their critical cyber asset environment by allowing file searching: if Nexpose gains access to an asset’s file system during the scanning process, it can search for and retrieve files on that system.
• Take inventory of open ports and associated services by performing either manual or scheduled discovery scans.
• Configure asset scanning and reporting based on criteria such as device type, software type, operating system type, or geographic location.
• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).
• Automate the process of tracking the types of operating systems and applications installed on each system, including information about versions and patch levels.
• Catalog all software, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect the presence of unauthorized software within the Electronic Security Perimeter(s) and notify designated organizational officials through automatically generated alerts.
• Generate easy-to-use detailed reports with role-based access controls to allow organizations to share information easily.
• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed information access and management policies.
• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).
• Test the effectiveness of access control systems and policies for critical cyber asset information.
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Test the external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter(s).
• Perform comprehensive unified vulnerability scanning of all the electronic access points to the Electronic Security Perimeter(s).
• Detect misconfigurations, and identify missing patches and malicious software.
• Perform ongoing scheduled and ad-hoc scanning of Web applications.
• Provide an automated mechanism to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Set up automated monitoring of access controls, including limited number of login attempts, password length requirements, allowable special characters, and other login ID access control policies.
• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.
• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).
• Get top-down visibility of the real risk to cyber assets and business operations, enabling them to organize and prioritize thousands of assets and quickly focus on the items that pose the greatest risk.
• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.
• Alert on policy violations or misconfigurations.

Rapid7 Metasploit is a penetration testing solution that helps enterprise vulnerability management programs test how well their perimeter holds up against real-world attacks. In the context of NERC-CIP, Metasploit helps registered entities to:
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Test the level of accessibility and exploitability of critical cyber assets.
• Test the effectiveness of access control systems and policies within the Electronic Security Perimeter(s).
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
• Enable internal Red Team staff to perform both scheduled and ad-hoc penetration testing of the Electronic Security Perimeter(s).
• Determine the exploitability of identified vulnerabilities.
• Determine if an attacker could access and steal electronically protected information through Web applications.
• Support incident response by providing details on the vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploitation.

Rapid7 Consulting Services help registered entities to:
• Define and refine the scope of their Electronic Security Perimeter(s).
• Evaluate their security controls pertaining to:
  • Communication procedures
  • Cyber asset inventory
  • Cyber security policies
  • Leadership
  • Exception handling
  • Protection of critical information
  • Access controls and change management
  • Awareness and personnel training
  • Personnel risk management and physical access management
  • Protection of Electronic Security Perimeters
  • Physical protection of critical cyber assets
  • Testing procedures
  • Open ports and services management, patch management
  • Disposal
  • Cyber vulnerability assessments
  • Documentation
  • Incident response plans
• Identify gaps in their security program, determine whether security policies are being followed in actual day-to-day operations, and provide guidance on developing the missing control policies and procedures required to secure cyber assets and sensitive information.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Provide customizable security awareness training to users of their organizational information systems.
• Provide vulnerability management security training and certification to managers and users of organizational information systems who require the knowledge and technical abilities to detect and validate vulnerabilities on the IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through remediation and control.
• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within their Electronic Security Perimeter(s).
• Audit their recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and privacy protection while operating in emergency mode.
• Assist them in writing the documentation required by NERC-CIP.

Rapid7’s community, SecurityStreet, helps registered entities to:
• Stay up-to-date with the latest developments in the vulnerability management and information security areas.

Security Rule standards mapped to Nexpose, Metasploit, and Consulting Services:

CIP-001 Sabotage Reporting
  R1-R4 Communication procedures and guidelines
CIP-002 Critical Cyber Asset Identification
  R1 Develop a list of its identified Critical Assets
  R2 Critical Cyber Asset Identification
  R3 Annual Approval
CIP-003 Security Management Controls
  R1 Cyber Security Policy
  R2 Leadership
  R3 Exceptions
  R4 Information Protection
  R5 Access Control
CIP-004 Personnel & Training
  R1 Awareness
  R2 Training
  R3 Personnel Risk Assessment
  R4 Access
CIP-005 Electronic Security Perimeter(s)
  R1 Electronic Security Perimeter
  R2 Electronic Access Controls
  R3 Monitoring Electronic Access
  R4 Cyber Vulnerability Assessment
  R5 Documentation Review and Maintenance
CIP-006 Physical Security of Critical Cyber Assets
  R1 Physical Security Plan
  R2 Protection of Physical Access Control Systems
  R3 Protection of Electronic Access Control Systems
  R4 Physical Access Controls
  R5 Monitoring Physical Access
  R6 Logging Physical Access
  R7 Access Log Retention
  R8 Maintenance and Testing
CIP-007 Systems Security Management
  R1 Test Procedures
  R2 Ports and Services
  R3 Security Patch Management
  R4 Malicious Software Prevention
  R5 Account Management
  R6 Security Status Monitoring
  R7 Disposal or Redeployment
  R8 Cyber Vulnerability Assessment
  R9 Documentation Review and Maintenance
CIP-008 Incident Reporting and Response Planning
  R1 Cyber Security Incident Response Plan
  R2 Cyber Security Incident Documentation
CIP-009 Recovery Plans for Critical Cyber Assets
  R1 Recovery Plans
  R2 Exercises
  R3 Change Control
Rapid7 Solution for NERC-CIP Compliance
This section goes into detail about the nine NERC-CIP Security Standards. Each standard is outlined by title, version number, and associated requirements. It also addresses Violation Risk Factors (VRF) and how Rapid7 Nexpose, Metasploit, and Consulting Services help with meeting compliance.

CIP-001 Sabotage Reporting (CIP-001-2a)
Associated Requirements: Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity shall:
R1 (VRF: -) Have procedures for the recognition of, and for making operating personnel aware of, sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
R2 (VRF: -) Have procedures for the communication of information concerning sabotage events to appropriate parties in the Interconnection.
R3 (VRF: -) Provide its operating personnel with sabotage response guidelines, including information about which personnel should be contacted to report disturbances due to sabotage events.
R4 (VRF: -) Establish applicable communications contacts with local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials, and develop reporting procedures as appropriate to the circumstances.
» Note: VRFs are undefined.

Use Rapid7 Consulting Services to:
• Evaluate your communication procedures and response guidelines, identify gaps, and provide guidance on developing missing procedures.
CIP-002 Critical Cyber Asset Identification (CIP-002-4a)
Associated Requirements:
R1 (VRF: H) The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall update this list as necessary, and review it at least annually.
R2 (VRF: H) Critical Cyber Asset Identification — Using the list of critical assets, the Responsible Entity shall develop a list of associated critical cyber assets essential to the operation of the critical assets. The Responsible Entity shall review this list at least annually, and update it as necessary.
R3 (VRF: L) Annual Approval — The senior manager or delegate(s) shall annually approve the list of critical assets and the list of critical cyber assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)’s approval of these lists (even if such lists are null).

Use Rapid7 Nexpose to:
• Take inventory of your cyber asset systems, services, and installed applications using the latest fingerprinting technologies.
• Get top-down visibility of risk to your cyber assets and business operations, enabling you to organize and prioritize thousands of assets and quickly focus on the items that pose the greatest risk.
• Get a clear map of the Real Risk posed to your critical cyber assets by the identified vulnerabilities across your organization’s IT landscape.

Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to the cyber asset inventory, and provide guidance on developing missing control policies and procedures.
CIP-003 Security Management Controls (CIP-003-4)
Associated requirements:
R1 (VRF: M) Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
R1.1 (VRF: L) The cyber security policy addresses the requirements in Standards CIP-002-4 through CIP-009-4, including provisions for emergency situations.
R1.2 (VRF: L) The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets.
R1.3 (VRF: L) Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2.
R2 (VRF: L) Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-4 through CIP-009-4.
R2.1 (VRF: L) The senior manager shall be identified by name, title, and date of designation.
R2.2 (VRF: L) Changes to the senior manager must be documented within thirty calendar days of the effective date.
R2.3 (VRF: L) Where allowed by Standards CIP-002-4 through CIP-009-4, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
R2.4 (VRF: L) The senior manager or delegate(s) shall authorize and document any exceptions from the requirements of the cyber security policy.
R3 (VRF: L) Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).
R3.1 (VRF: L) Exceptions to the Responsible Entity’s cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s).
R3.2  Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures for the exception. (VRF L)
R3.3  Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. (VRF M)
R4  Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. (VRF M)
R4.1  The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-4, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information. (VRF M)
R4.2  The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the critical cyber asset information. (VRF L)
R4.3  The Responsible Entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment. (VRF L)
R5  Access Control — The Responsible Entity shall document and implement a program for managing access to protected critical cyber asset information. (VRF L)
R5.1  The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. (VRF L)
  R5.1.1  Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
  R5.1.2  The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2  The Responsible Entity shall review, at least annually, the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities. (VRF L)
R5.3  The Responsible Entity shall assess and document, at least annually, the processes for controlling access privileges to protected information. (VRF L)
R6  Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software. They shall also implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of critical cyber assets pursuant to the change control process. (VRF L)

Use Rapid7 Nexpose to:
• Detect sensitive data in your critical cyber asset environment: when a scan gains access to an asset’s file system, Nexpose can search for and retrieve files on that system.
• Generate easy-to-use detailed reports, combined with role-based access controls, so that organizations can share information easily.
• Audit users and groups on your critical cyber assets.
• Discover accounts that have been terminated, review the results either in the UI or in report format, and use the data to feed your information access and management policies.
• Set up automated monitoring of access controls (including adherence to role-based access policies) to validate that access restrictions are enforced.
• Test the effectiveness of access control systems and policies for critical cyber asset information.
• Provide an automated mechanism to detect the presence of unauthorized software on critical cyber assets, and notify designated organizational officials through automated alerts.

Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to cyber security policies, leadership, exception handling, protection of critical information, access controls, and change management.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and sensitive information.
CIP-004 Personnel & Training
Associated requirements: CIP-004-4
Requirements, with each requirement’s Violation Risk Factor (VRF) shown in parentheses:
R1  Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel with authorized cyber or authorized unescorted physical access to critical cyber assets receive on-going reinforcement in sound security practices. (VRF L)
R2  Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary. (VRF L)
R2.1  This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained prior to being granted such access except in specified circumstances such as an emergency. (VRF M)
R2.2  Training shall cover the policies, access controls, and procedures, as developed for the critical cyber assets covered by CIP-004-4, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities: (VRF M)
  R2.2.1  The proper use of critical cyber assets; (L)
  R2.2.2  Physical and electronic access controls to critical cyber assets; (L)
  R2.2.3  The proper handling of critical cyber asset information; and, (L)
  R2.2.4  Action plans and procedures to recover or re-establish critical cyber assets and access following a Cyber Security Incident. (L)
R2.3  The Responsible Entity shall maintain documentation that training is conducted at least annually, including information such as the date training was completed, and attendance records. (VRF L)
R3  Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements for personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. A personnel risk assessment shall be conducted pursuant to that program, prior to the personnel being granted such access, except in specified circumstances such as an emergency. (VRF M)
R3.1  The Responsible Entity shall ensure that each assessment conducted at least includes identity verification (e.g., Social Security Number verification in the U.S.) and a seven-year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position. (VRF L)
R3.2  The Responsible Entity shall update each personnel risk assessment for a specific cause and/or at least every seven years after the initial personnel risk assessment. (VRF L)
R3.3  The Responsible Entity shall document the results of personnel risk assessments of its personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, and that the personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004-4. (VRF L)
R4  Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets. (VRF L)
R4.1  The Responsible Entity shall review the list(s) of its personnel who have such access to critical cyber assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained. (VRF L)
R4.2  The Responsible Entity shall revoke such access to critical cyber assets within 24 hours for personnel terminated for cause, and within seven calendar days for personnel who no longer require such access to critical cyber assets. (VRF M)
Use Rapid7 Consulting Services to:
• Provide customizable security awareness training to users of your organizational information systems.
• Provide vulnerability management security training and certification to managers and users of organizational information systems who need the knowledge and technical ability to detect and validate vulnerabilities in the IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through remediation and control.
• Evaluate the security controls pertaining to awareness and personnel training, personnel risk assessment, and physical access management.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.

CIP-005 Electronic Security Perimeter(s)
Associated requirements: CIP-005-4a
Requirements (VRF in parentheses):
R1  Electronic Security Perimeter — The Responsible Entity shall ensure that every critical cyber asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s). (VRF M)
R1.1  Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end points (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s). (VRF M)
R1.2  For a dial-up accessible critical cyber asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device. (VRF M)
R1.3  Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s). (VRF M)
R1.4  Any non-critical cyber asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005-4a. (VRF M)
R1.5  Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4a Requirements R2 and R3; Standard CIP-006-4c Requirement R3; Standard CIP-007-4 Requirements R1 and R3 through R9; Standard CIP-008-4; and Standard CIP-009-4. (VRF M)
R1.6  The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected critical and non-critical cyber assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points. (VRF L)
R2  Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s). (VRF M)
R2.1  These processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified. (VRF M)
R2.2  At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring cyber assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services. (VRF M)
R2.3  The Responsible Entity shall implement and maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s). (VRF M)
R2.4  Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party where technically feasible. (VRF M)
R2.5  The required documentation shall, at least, identify and describe: (VRF L)
  R2.5.1  The processes for access request and authorization.
  R2.5.2  The authentication methods.
  R2.5.3  The review process for authorization rights, in accordance with Standard CIP-004-4 Requirement R4.
  R2.5.4  The controls used to secure dial-up accessible connections.
R2.6  Appropriate Use Banner — Where technically feasible, electronic access control devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner. (VRF L)
R3  Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. (VRF M)
R3.1  For dial-up accessible critical cyber assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring processes at each access point to the dial-up device where technically feasible. (VRF M)
R3.2  Where technically feasible, the security monitoring processes shall detect and alert of attempts at accesses and/or actual unauthorized accesses. These alerts shall provide appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at accesses and/or actual unauthorized accesses at least every ninety calendar days. (VRF M)
R4  Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following: (VRF M)
R4.1  A document identifying the vulnerability assessment process; (VRF L)
R4.2  A review to verify that only ports and services required for operations at these access points are enabled; (VRF M)
R4.3  The discovery of all access points to the Electronic Security Perimeter; (VRF M)
R4.4  A review of controls for default accounts, passwords, and network management community strings; (VRF M)
R4.5  Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (VRF M)
R5  Documentation Review and Maintenance — The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005-4a. (VRF L)
R5.1  The Responsible Entity shall ensure that all documentation required by Standard CIP-005-4a reflects current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-4a at least annually. (VRF L)
R5.2  The Responsible Entity shall update the documentation to reflect modifications of the network or controls within ninety calendar days of the change. (VRF L)
R5.3  The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4. (VRF L)

Use Rapid7 Nexpose to:
• Take inventory of your cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect the presence of unauthorized software within the Electronic Security Perimeter(s) and notify designated organizational officials through automated alerts.
• Perform comprehensive unified vulnerability scanning of all electronic access points to the Electronic Security Perimeter(s).
• Get easy-to-use detailed reports, combined with role-based access controls, so that organizations can share information easily.
• Provide an automated mechanism to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
• Audit users and groups on critical cyber assets.
• Discover accounts that have been terminated, review the results either in the UI or in report format, and use the data to feed your information access and management policies.
• Test the effectiveness of your access control systems and policies.
• Test the external and internal boundary defenses of your Electronic Security Perimeter(s).
• Set up automated monitoring of access controls, including a limited number of login attempts, password length requirements, allowable special characters, and other login ID access control policies.
• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).

Use Rapid7 Metasploit to:
• Test the effectiveness of your access control systems and policies within the Electronic Security Perimeter(s).
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Perform external and internal penetration testing of critical cyber assets to determine whether an attacker could access and steal sensitive cyber information. Penetration testing includes network-layer and application-layer tests. It is conducted using Nexpose in conjunction with a variety of specialized tools including Metasploit, the leading open-source penetration testing platform with the world’s largest database of public, tested exploits.

Use Rapid7 Consulting Services to:
• Define and refine the scope of your Electronic Security Perimeter(s).
• Evaluate the security controls pertaining to the protection of your Electronic Security Perimeters.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and data.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Assist you in writing documentation required by NERC CIP.
• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).
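The ports-and-services review in CIP-005 R4.2 and the default-credential review in R4.4 (and the equivalent checks CIP-007 R2 and R8.2/R8.3 require for assets inside the perimeter) come down to comparing what is actually listening and configured against what the R2.2 documentation says should be. The Python script below is an added example written for this guide, not Rapid7 product code and not part of the NERC standard: it parses constructed nmap grepable (-oG) output for two hypothetical access points, diffs the open ports against a documented baseline, flags default or read-write SNMP community strings in constructed IOS-style configuration lines, and reports credentials that still match a short, hypothetical factory-default list. All host names, addresses, ports, community strings and accounts are made up.

```python
"""Baseline review of Electronic Security Perimeter access points.

Added example (not Rapid7 or NERC code). Checks modelled on CIP-005 R4.2
(only required ports/services enabled) and R4.4 (default accounts, passwords
and SNMP community strings). All sample data below is constructed.
"""
import re
from collections import defaultdict

# Documented baseline per access point: (port, protocol) pairs approved for
# operations and monitoring under CIP-005 R2.2. Constructed sample.
BASELINE = {
    "esp-fw-01": {(22, "tcp"), (161, "udp"), (514, "udp")},
    "dialup-gw-01": {(22, "tcp")},
}

# Constructed scan result in nmap grepable (-oG) layout: one host per line,
# each port written as port/state/protocol/owner/service/rpc/version/.
SCAN_GREPABLE = (
    "Host: 10.10.0.1 (esp-fw-01)\tPorts: 22/open/tcp//ssh///, "
    "161/open/udp//snmp///, 514/open/udp//syslog///, 23/open/tcp//telnet///\n"
    "Host: 10.10.0.2 (dialup-gw-01)\tPorts: 22/open/tcp//ssh///, "
    "8080/open/tcp//http-proxy///, 161/open|filtered/udp//snmp///\n"
)

# Constructed IOS-style SNMP configuration and the result of a credential check.
SNMP_CONFIG = (
    "snmp-server community public RO\n"
    "snmp-server community s3cr3t-mon RO\n"
    "snmp-server community NetOps-RW RW\n"
)
CREDENTIALS_FOUND = [("admin", "admin"), ("ops", "Xy7!kq"), ("cisco", "cisco")]

# Hypothetical short lists of well-known defaults; a real review uses the
# vendor's documented defaults for each device model.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_ACCOUNTS = {("admin", "admin"), ("root", "root"), ("cisco", "cisco")}

HOST_RE = re.compile(r"^Host: \S+ \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*)$")
SNMP_RE = re.compile(r"^\s*snmp-server community (\S+)\s+(RO|RW)\b")


def parse_grepable(text):
    """Return {hostname: {(port, proto), ...}} for ports nmap reported 'open'.

    open|filtered (an unanswered UDP probe) is deliberately not counted as
    open; such ports need a credentialed check rather than a scan verdict.
    """
    observed = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                observed[m.group("name")].add((int(port), proto))
    return dict(observed)


def ports_deviation(observed, baseline):
    """Ports listening on each access point that the baseline does not approve.

    A host missing from the baseline has every open port reported.
    """
    deviations = {}
    for host, ports in observed.items():
        extra = ports - baseline.get(host, set())
        if extra:
            deviations[host] = sorted(extra)
    return deviations


def check_snmp_communities(config):
    """Flag default community strings and any read-write community (R4.4)."""
    findings = []
    for line in config.splitlines():
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode = m.group(1), m.group(2)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{community}' ({mode})")
        elif mode == "RW":
            findings.append(f"read-write community '{community}'")
    return findings


def check_default_accounts(credentials):
    """(user, password) pairs that still match a known factory default."""
    return sorted(c for c in credentials if c in DEFAULT_ACCOUNTS)


def review():
    """Run all three checks; empty results mean no R4.2/R4.4 findings."""
    return {
        "unapproved_ports": ports_deviation(parse_grepable(SCAN_GREPABLE), BASELINE),
        "snmp": check_snmp_communities(SNMP_CONFIG),
        "default_accounts": check_default_accounts(CREDENTIALS_FOUND),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

In practice the baseline is the R2.2 port-and-service documentation and the scan comes from the annual R4 assessment; every item the script reports is either an undocumented change to record under R5.2 or a finding for the R4.5 action plan. Because UDP ports in the open|filtered state are excluded, an SNMP agent that does not answer probes still has to be verified from the device configuration, which is what the community-string check does.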
CIP-006 Physical Security of Critical Cyber Assets
Associated requirements: CIP-006-4d
Requirements (the VRF column is not populated for this standard in the source table):
R1  Physical Security Plan — The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s) that shall address, at a minimum, the following:
R1.1  All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such cyber assets.
R1.2  Identification of all physical access points through each Physical Security Perimeter and measures to control entry at those access points.
R1.3  Processes, tools, and procedures to monitor physical access to the perimeter(s).
R1.4  Appropriate use of physical access controls as described in Requirement R4, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
R1.5  Review of access authorization requests and revocation of access authorization, in accordance with CIP-004-4 Requirement R4.
R1.6  A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following:
  R1.6.1  Logs (manual or automated) to document the entry and exit of visitors, including the date and time of entrances and exits from Physical Security Perimeters.
  R1.6.2  Continuous escorted access of visitors within the Physical Security Perimeter.
R1.7  Update of the physical security plan within thirty calendar days of the completion of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the Physical Security Perimeter, physical access controls, monitoring controls, or logging controls.
R1.8  Annual review of the physical security plan.
R2  Protection of Physical Access Control Systems — Cyber assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point, such as electronic lock control mechanisms and badge readers, shall:
R2.1  Be protected from unauthorized physical access.
R2.2  Be afforded the protective measures specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4 Requirements R2 and R3; Standard CIP-006-4 Requirements R4 and R5; Standard CIP-007-4; Standard CIP-008-4; and Standard CIP-009-4.
R3  Protection of Electronic Access Control Systems — Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall reside within an identified Physical Security Perimeter.
R4  Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. The Responsible Entity shall implement one or more of the following physical access methods:
• Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
• Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.
• Security Personnel: Personnel responsible for controlling physical access that may reside on-site or at a monitoring station.
• Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the critical cyber assets.
R5  Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-4. One or more of the following monitoring methods shall be used:
• Alarm Systems: Systems that raise an alarm to indicate a door, gate, or window has been opened without authorization. These alarms must provide immediate notification to the personnel responsible for response.
• Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
R6  Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals and their times of access, twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:
• Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.
• Video Recording: Electronic capture of video images of sufficient quality to determine identities.
• Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.
R7  Access Log Retention — The Responsible Entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4.
R8  Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
R8.1  Testing and maintenance of all physical security mechanisms on a cycle that is no longer than three years.
R8.2  Retention of testing and maintenance records for the cycle determined by the Responsible Entity in Requirement R8.1.
R8.3  Retention of outage records regarding access controls, logging, and monitoring for a minimum of one calendar year.

Use Rapid7 Consulting Services to:
• Evaluate the security controls pertaining to the physical protection of your critical cyber assets.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures.

CIP-007 Systems Security Management
Associated requirements: CIP-007-4
Requirements (VRF in parentheses):
R1  Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing cyber assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-4, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. (VRF M)
R1.1  The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system and/or its operation. (VRF M)
R1.2  The Responsible Entity shall document that testing is performed in a manner that reflects the production environment. (VRF L)
R1.3  The Responsible Entity shall document test results. (VRF L)
R2  Ports and Services — The Responsible Entity shall establish, document, and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled. (VRF M)
R2.1  The Responsible Entity shall enable only those ports and services required for normal and emergency operations. (VRF M)
R2.2  The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all cyber assets inside the Electronic Security Perimeter(s). (VRF M)
R2.3  In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document the compensating measure(s) applied to mitigate risk exposure. (VRF M)
R3  Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-4 Requirement R6, shall establish, document, and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all cyber assets within the Electronic Security Perimeter(s). (VRF L)
R3.1  The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. (VRF L)
R3.2  The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (VRF L)
R4  Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools where technically feasible to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets within the Electronic Security Perimeter(s). (VRF M)
R4.1  The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (VRF M)
R4.2  The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address testing and installing the signatures. (VRF M)
R5  Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. (VRF L)
R5.1  The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed. (VRF M)
  R5.1.1  The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003-4 Requirement R5. (L)
  R5.1.2  The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. (L)
  R5.1.3  The Responsible Entity shall review, at least annually, user accounts to verify that access privileges are in accordance with Standard CIP-003-4 Requirement R5 and Standard CIP-004-4 Requirement R4. (M)
R5.2  The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts. (VRF L)
  R5.2.1  The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service. (M)
  R5.2.2  The Responsible Entity shall identify those individuals with access to shared accounts. (L)
  R5.2.3  Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination). (M)
R5.3  At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible: (VRF L)
  R5.3.1  Each password shall be a minimum of six characters. (L)
  R5.3.2  Each password shall consist of a combination of alpha, numeric, and “special” characters. (L)
  R5.3.3  Each password shall be changed at least annually, or more frequently based on risk. (M)
R6  Security Status Monitoring — The Responsible Entity shall ensure that all cyber assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. (VRF L)
R6.1  The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms to monitor for security events on all cyber assets within the Electronic Security Perimeter. (VRF M)
R6.2  The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents. (VRF M)
R6.3  The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008-4. (VRF M)
R6.4  The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days. (VRF L)
R6.5  The Responsible Entity shall review logs of system events related to cyber security, and maintain records documenting review of logs. (VRF L)
R7  Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of cyber assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-4. (VRF L)
R7.1  Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (VRF L)
R7.2  Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (VRF L)
R7.3 The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures. (L)
R8 Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all cyber assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: (L)
R8.1 A document identifying the vulnerability assessment process. (L)
R8.2 A review to verify that only ports and services required for operation of the cyber assets within the Electronic Security Perimeter are enabled. (M)
R8.3 A review of controls for default accounts. (M)
R8.4 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (M)
R9 Documentation Review and Maintenance — The Responsible Entity shall review and update the documentation specified in Standard CIP-007-4 at least annually. Changes resulting from modifications to the systems or controls shall be documented within thirty calendar days of the change being completed. (L)

Use Rapid7 Nexpose to:
• Test your external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter.
• Detect misconfigurations, and identify missing patches and malicious software.
• Perform ongoing scheduled and ad-hoc scanning of Web applications.
• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Take inventory of systems, open ports, and associated services by performing either manual or scheduled discovery scans.
• Configure asset scanning and reporting based on specific criteria such as device type, software type, operating system type, or geographic location.
• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).
• Automate tracking of the types of operating systems and applications installed on each system, including versions and patch levels.
• Catalog all software, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).
• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.
• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.
• Alert on policy violations or misconfigurations.
• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).
• Discover accounts belonging to terminated personnel, review the results either in the UI or in report format, and then use the data to feed your information access and management policies.
• Set up automated monitoring of access controls (including adherence to policies for role-based access) to validate enforcement of access restrictions.

Use Rapid7 Metasploit to:
• Enable your internal Red Team staff to perform both scheduled and ad-hoc penetration testing of your Electronic Security Perimeter(s).
• Determine the exploitability of identified vulnerabilities.
• Perform external and internal penetration testing and use reporting to document findings, either to prepare for an external audit or to conduct a security assessment in-house.
• Test the external and internal boundary defenses upon infrastructure changes.
• Test the level of accessibility and exploitability of critical cyber assets.
• Determine if a hacker could access and steal electronic protected information through Web applications.
• Test the efficiency of the access control systems and policies.
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.

Use Rapid7 Consulting Services to:
• Evaluate the security controls pertaining to testing procedures, open ports and services management, patch management, disposal, and cyber vulnerability assessments and documentation.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information from external threats.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Assist you in writing documentation required by NERC-CIP.
• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).

CIP-008 Incident Reporting and Response Planning (CIP-008-4)

Associated Requirements (VRF in parentheses):
R1 Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following: (L)
R1.1 Procedures to characterize and classify events as reportable Cyber Security Incidents. (L)
R1.2 Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans. (L)
R1.3 Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC, either directly or through an intermediary. (L)
R1.4 Process for updating the Cyber Security Incident response plan within thirty calendar days of any changes. (L)
R1.5 Process for ensuring that the Cyber Security Incident response plan is reviewed at least annually. (L)
R1.6 Process for ensuring the Cyber Security Incident response plan is tested at least annually.
A test of the Cyber Security Incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident. (L)
R2 Cyber Security Incident Documentation — The Responsible Entity shall keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years. (L)
Use Rapid7 Nexpose to:
• Get a clear map of the Real Risk posed by the identified vulnerabilities across your organization’s IT landscape. Nexpose is the only product that includes real exploit and malware intelligence combined with CVSS base scores, temporal scoring, environment considerations (e.g., any mitigating controls in place), and asset criticality for risk classification.
• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.

Use Rapid7 Nexpose and Metasploit to:
• Support your incident responses by providing details on vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploits.

Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to your incident response plan, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information from external threats.

CIP-009 Recovery Plans for Critical Cyber Assets (CIP-009-4)

Associated Requirements (VRF in parentheses):
R1 Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) shall address at a minimum the following: (M)
R1.1 Specific required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s). (M)
R1.2 Defined roles and responsibilities of responders. (M)
R2 Exercises — The recovery plan(s) shall be exercised at least annually.
An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. (L)
R3 Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed. (L)
R4 Backup and Restore — The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc. (L)
R5 Testing Backup Media — Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site. (L)

Use Rapid7 Nexpose to:
• Ensure continuous logging of historical scan data showing a device’s previous state.
• Use the automated utility to save duplicates of data to a backup server.

Use Rapid7 Consulting Services to:
• Audit your recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and private protection while operating in emergency mode.

To see how Rapid7’s IT Security Risk Management suite can benefit your organization, visit Rapid7.com.