CIP-003: The New Stuff - Part 2
(Originally posted on October 20, 2018)
Happy Polar Vortex!
I don’t know what the temp is where you are, but it’s -25 degrees out in sunny North Dakota.
Not as fun as Festivus but still more exciting than CIP-003-7.
Last time we discussed the changes upcoming in version 7 of CIP-003; namely, the additions of Transient Cyber Assets and Exceptional Circumstances to R1.2.
This post will cover R2 Section 2, Physical Security Controls.
Wait a minute! I thought NERC/CIP standards were dealing with cyber security controls?
What’s with this physical stuff?
CIP-003-7 R2 S2 — Physical Security Controls — Effective January 1, 2020
The physical control requirements specified by NERC are for protecting the BES Cyber Systems and the Cyber Asset that provides electronic access control, i.e., firewalls. The verbiage for R2 S2 is shown below.
· R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
o Section 2. Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.
Again, as in previous blog posts, a plan is required. How exactly are you going to control physical access?
NERC gives you the option to control access to the entire BES asset as well as the BES Cyber Systems themselves. The Cyber Asset providing electronic access controls (i.e., firewall) may reside in the same physical location as the BES Cyber System. In that case, one physical security control may meet the requirement.
Example physical security controls may include one or more of the following:
1. Controlling access through the single drive-thru gate at the plant perimeter fence with a guard house.
2. Requiring personnel to check out a key that unlocks the padlock providing access to the closet where the firewall resides.
3. Utilizing a Physical Access Control System (PACS) and card key readers to control access to the data center where the BES Cyber System resides.
As usual with all things CIP, whatever physical control is utilized to protect any portion of the Cyber System, ensure it is included in the plan.