CIP-003: Meat and Potatoes
(Originally posted on November 25, 2018)
I apologize that this is long and dry like the Thanksgiving turkey I ate this week.
There is so much happening in CIP-003 that it will take more than one blog post to cover everything.
Yayy!! More CIP goodness for everyone!
First things first. There are two versions:
· CIP-003-6 — This is the current enforceable standard.
· CIP-003-7 — This standard becomes effective in January 2020.
This first blog post on CIP-003 covers the requirements that are currently auditable; i.e., you could be fined if you are not meeting them today.
CIP-003-6 R1.2 — Documented Cyber Security Policies — Effective April 1, 2017
The verbiage for the first requirement in CIP-003 is shown below.
· R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
o 1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
§ 1.2.1. Cyber security awareness;
§ 1.2.2. Physical security controls;
§ 1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
§ 1.2.4. Cyber Security Incident response
There are a lot of things happening in this requirement, but it boils down to 3 major considerations:
1. Have a cyber security policy (or policies) that covers: cyber security awareness, physical security controls, electronic access controls, and cyber security incident response. This can be one overall policy, a separate policy for each topic, or any combination that makes sense to your company.
2. Review the policy at least once every 15 calendar months.
3. Ensure the CIP Senior Manager approves the policy at least once every 15 calendar months.
That's it. Avoiding over-complicated legal speak is definitely the route to take. Remember Occam's razor: the simplest solution tends to be the correct one.
CIP-003-6 R2, Attachment 1 Sections 1 and 4 — Cyber Security Awareness and Cyber Security Incident Response — Effective April 1, 2017
The Section 1 and Section 4 requirements are currently enforceable, and the verbiage for each is listed below. The Section 2 and Section 3 requirements change in CIP-003-7, which becomes effective in January 2020; the next blog post will cover those future requirements.
· R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
o Section 1. Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).
o Section 4. Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
§ 4.1 Identification, classification, and response to Cyber Security Incidents;
§ 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law;
§ 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;
§ 4.4 Incident handling for Cyber Security Incidents;
§ 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and
§ 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.
These two sections are similar to R1.2, except that a plan is required instead of a policy.
What's the difference between a policy and a plan?
Think of the policy as the organization's strategy for accomplishing a mission, and the plan as the detailed steps for accomplishing it.
Section 1 is very straightforward: have a plan that reinforces cyber security practices at least once every 15 calendar months.
This could be anything from a poster in the hallway reminding employees to update their passwords to the CIP Senior Manager giving an hour-long lecture on email phishing attacks.
The requirement leaves it up to the entity to decide what to reinforce and how; let's also assume they want us to reinforce good cyber security practices. (Remember, your CIP Senior Manager has to be able to defend it to an auditor.)
The important thing here, and in every CIP requirement, is to make sure your plan and your actions match. It is also critical to keep evidence that the reinforcement actually happened and when, but evidence is a topic for a future post.
Section 4 is more complicated, as it has 6 distinct sub-requirements.
I will not go through each sub-requirement in detail; however, there are a few gotchas for incident response.
Walk through each step you would take in the event of a potential incident, then make sure each of those steps is written into the plan. A few questions the plan should answer:
· Who decides that something is not right (roles and responsibilities)?
· Once they recognize that something isn't right, who do they report it to (roles and responsibilities)?
· How do they determine whether it is a Cyber Security Incident (identification)?
· How severe is the incident (classification)?
· What are the next steps once it is declared an incident (response and incident handling)?
· Who decides whether it is a Reportable Cyber Security Incident, and who makes the notification (sub-requirement 4.2)?
The term "Reportable Cyber Security Incident" in sub-requirement 4.2 is a defined CIP term and can be found in the NERC Glossary of Terms; do not invent your own definition. (The ES-ISAC named in the standard now operates as the E-ISAC.)
Make sure to document any actual or potential incidents thoroughly. Responding to an actual Reportable Cyber Security Incident can count as your 36-month plan test under sub-requirement 4.5, and the documentation is the evidence that it happened and that the plan was followed; it also starts the 180-day clock in 4.6 for updating the plan if needed.