CIP Low Impact Standards: It's Go Time!
(Originally posted on December 11, 2019)
CIP-003-7 becomes completely enforceable on January 1st, 2020.
Are you ready?
As mentioned in our last post, CIP-003-8 becomes effective on April 1st, 2020 and will remain our primary focus for CIP-003.
The link to CIP-003-8 can be found on NERC’s website.
Low Impact CIP Recap
Below is a quick recap of the new requirements becoming effective in the New Year.
CIP-003-8 R1.2.2 - Physical Security Controls
· Have and implement a plan and controls in place to control access to:
o the low impact BES cyber systems.
§ This can be at the asset level if necessary, i.e. the perimeter fence gate.
o the Cyber Assets that provide electronic access controls, i.e. the firewalls.
CIP-003-8 R1.2.3 - Electronic Access Control
· Have and implement a plan and controls in place to permit only required inbound and outbound communications that are:
o between a BES Cyber System and a Cyber Asset outside the asset;
o and using a routable protocol;
o and not used for time-sensitive protection (e.g. GOOSE)
· Authenticate all Dial-Up Connectivity that provides access to low impact BES Cyber Systems, per Cyber Asset capability.
CIP-003-8 R1.2.5 - Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation
Have and implement a plan and controls in place to stop the transfer of malicious code into BES Cyber Systems from Transient Cyber Assets (TCAs) and Removable Media (RM); plans must include:
· If the TCAs are managed by the Responsible Entity (RE) use one or a combination of the following:
o scan the TCAs with regularly updated antivirus software before connecting to the BES Cyber Systems
o utilize application whitelisting on the TCAs
o some other method to prevent the spread of malicious code.
· If the TCAs are not managed by the RE:
o use one or a combination of the following:
§ review the antivirus signature update level
§ review the antivirus update process
§ review use of live operating system and software executable only from read-only media
§ review of system hardening
§ some other method to prevent the spread of malicious code.
o the RE shall determine if any additional mitigation actions are necessary and implement them before connecting the TCA.
· For Removable Media do the following:
o scan the device with antivirus before connecting it to the BES Cyber System; do NOT use the BES Cyber System to do the scanning
o if malicious code is detected, ensure it is mitigated before connecting to a BES Cyber System
CIP-003-8 R1.2.5 - Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation
· Have a policy in place that details how the RE declares and responds to a CIP Exceptional Circumstance.
o Don’t forget to have the CIP Senior Manager review this policy every 15 months.