Nov 2, 2016 — A. Introduction. 1. Title: Cyber Security — BES Cyber System Categorization. 2. Number: CIP-002-5.1a. 3. Purpose: To identify and categorize
121 KB – 37 Pages
CIP-002-5.1a Cyber Security BES Cyber System Categorization

A. Introduction

1. Title: Cyber Security BES Cyber System Categorization
2. Number: CIP-002-5.1a
3. Purpose: To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
4. Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the following list of functional entit functional entity or subset of functional entities are the applicable entity or entities, the functional entity or entities are specified explicitly.
4.1.1. Balancing Authority
4.1.2. Distribution Provider that owns one or more of the following Facilities, systems, and equipment for the protection or restoration of the BES:
4.1.2.1. Each underfrequency load shedding (UFLS) or undervoltage load shedding (UVLS) system that:
4.1.2.1.1. is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.1.2.1.2. performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.1.2.2. Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.1.2.3. Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.1.2.4. Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
4.1.3. Generator Operator
4.1.4. Generator Owner
4.1.5. Interchange Coordinator or Interchange Authority
4.1.6. Reliability Coordinator
4.1.7. Transmission Operator
4.1.8. Transmission Owner
4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.
4.2.1. Distribution Provider: One or more of the following Facilities, systems and equipment owned by the Distribution Provider for the protection or restoration of the BES:
4.2.1.1. Each UFLS or UVLS System that:
4.2.1.1.1. is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2. performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.2.1.2. Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.3. Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.4. Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.
4.2.3. Exemptions: The following are exempt from Standard CIP-002-5.1a:
4.2.3.1. Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.3.2. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
4.2.3.3. The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.
4.2.3.4. For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.
5. Effective Dates:
1. 24 Months Minimum CIP-002-5.1a shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required CIP-002-5.1a shall become effective on the first day of the ninth calendar quarter following Board or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
6. Background: – categorize their BES Cyber Systems based on the impact of their associated Facilities, systems, and equipment, which, if destroyed, degraded, misused, or otherwise rendered unavailable, would affect the reliable operation of the Bulk Electric System. Several concepts provide the basis for the approach to the standard.

Throughout the standards, unless otherwise stated, bulleted items in the requirements are , are items that are .

Many references in the Applicability section and the criteria in Attachment 1 of CIP-002 use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS, which are last ditch efforts to save the Bulk Electric System. A review of UFLS tolerances defined within regional reliability standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances.

BES Cyber Systems

One of the fundamental differences between Versions 4 and 5 of the CIP Cyber Security Standards is the shift from identifying Critical Cyber Assets to identifying BES Mana the target for categorizing and applying security controls.
In transitioning from Version 4 to Version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in Version 4). The CIP Cyber Security Standards use term primarily to provide a higher level for referencing the object of a requirement. For example, it becomes possible to apply requirements dealing with recovery and malware protection to a grouping rather than individual Cyber Assets, and it becomes clearer in the requirement that malware protection applies to the system as a whole and may not be necessary for every individual device to comply.

Another reason for using the term BES Cyber System is to provide a convenient level at which a Responsible Entity can organize their documented implementation of the requirements and compliance evidence. Responsible Entities can use the well-developed concept of a security plan for each BES Cyber System to document the programs, processes, and plans in place to comply with security requirements.

It is left up to the Responsible Entity to determine the level of granularity at which to identify a BES Cyber System within the qualifications in the definition of BES Cyber System. For example, the Responsible Entity might choose to view an entire plant control system as a single BES Cyber System, or it might choose to view certain components of the plant control system as distinct BES Cyber Systems. The Responsible Entity should take into consideration the operational environment and scope of management when defining the BES Cyber System boundary in order to maximize efficiency in secure operations. Defining the boundary too tightly may result in redundant paperwork and authorizations, while defining the boundary too broadly could make the secure operation of the BES Cyber System difficult to monitor and assess.

Reliable Operation of the BES

The scope of the CIP Cyber Security Standards is restricted to BES Cyber Systems that would impact the reliable operation of the BES. In order to identify BES Cyber Systems, Responsible Entities determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional defined in its relationships with other functional entities in the NERC Functional Model. This ensures that the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES. The definition of BES Cyber Asset provides the basis for this scoping.

Real-time Operations

One characteristic of the BES Cyber Asset is a real-time scoping characteristic. The time horizon that is significant for BES Cyber Systems and BES Cyber Assets subject to the application of these Version 5 CIP Cyber Security Standards is defined as that which is material to real-time operations for the reliable operation of the BES. To provide a better define Real- BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise. This time window must not include in its consideration the activation of redundant BES Cyber Assets or BES Cyber Systems: from the cyber security standpoint, redundancy does not mitigate cyber security vulnerabilities.

Categorization Criteria

The criteria defined in Attachment 1 are used to categorize BES Cyber Systems into impact categories. Requirement 1 only requires the discrete identification of BES Cyber Systems for those in the high impact and medium impact categories. All BES Cyber Systems for Facilities not included in Attachment 1 Impact Rating Criteria, Criteria 1.1 to 1.4 and Criteria 2.1 to 2.11 default to be low impact.

This general process of categorization of BES Cyber Systems based on impact on the reliable operation of the BES is consistent with risk management approaches for the purpose of application of cyber security requirements in the remainder of the Version 5 CIP Cyber Security Standards.

Electronic Access Control or Monitoring Systems, Physical Access Control Systems, and Protected Cyber Assets that are associated with BES Cyber Systems
BES Cyber Systems have associated Cyber Assets, which, if compromised, pose a threat to the BES Cyber System by virtue of: (a) their location within the Electronic Security Perimeter (Protected Cyber Assets), or (b) the security control function they perform (Electronic Access Control or Monitoring Systems and Physical Access Control Systems). These Cyber Assets include:

Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems.

Physical Access Control Examples include: authentication servers, card systems, and badge control systems.

Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems.

B. Requirements and Measures

R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning]
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

M1. Acceptable evidence includes, but is not limited to, dated electronic or physical lists required by Requirement R1, and Parts 1.1 and 1.2.
The CEA shall keep the last audit records and all requested and submitted subsequent audit records.
1.3. Compliance Monitoring and Assessment Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4. Additional Compliance Information
None
2. Table of Compliance Elements

Violation Severity Levels (CIP-002-5.1a)

R #: R1
Time Horizon: Operations Planning
VRF: High

Lower VSL:
For Responsible Entities with more than a total of 40 BES assets in Requirement R1, five percent or fewer BES assets have not been considered according to Requirement R1;
OR
For Responsible Entities with a total of 40 or fewer BES assets, 2 or fewer BES assets in Requirement R1, have not been considered according to Requirement R1;
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, five percent or fewer of identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact BES Cyber Systems, five or fewer identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category.
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, five percent or fewer high or medium BES Cyber Systems have not been identified;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact BES Cyber Systems, five or fewer high or medium BES Cyber Systems have not been identified.

Moderate VSL:
For Responsible Entities with more than a total of 40 BES assets in Requirement R1, more than five percent but less than or equal to 10 percent of BES assets have not been considered, according to Requirement R1;
OR
For Responsible Entities with a total of 40 or fewer BES assets, more than two, but fewer than or equal to four BES assets in Requirement R1, have not been considered according to Requirement R1;
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, more than five percent but less than or equal to 10 percent of identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact and BES Cyber Systems, more than five but less than or equal to 10 identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category.
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, more than five percent but less than or equal to 10 percent high or medium BES Cyber Systems have not been identified;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact BES Cyber Systems, more than five but less than or equal to 10 high or medium BES Cyber Systems have not been identified.

High VSL:
For Responsible Entities with more than a total of 40 BES assets in Requirement R1, more than 10 percent but less than or equal to 15 percent of BES assets have not been considered, according to Requirement R1;
OR
For Responsible Entities with a total of 40 or fewer BES assets, more than four, but fewer than or equal to six BES assets in Requirement R1, have not been considered according to Requirement R1;
OR
For Responsible Entities with more than a total of 100 high or medium impact BES Cyber Systems, more than 10 percent but less than or equal to 15 percent of identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category;
OR
For Responsible Entities with a total of 100 or fewer high or medium impact and BES Cyber Assets, more than 10 but less than or equal to 15 identified BES Cyber Assets have not been categorized or have been incorrectly categorized at a lower category.
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, more than 10 percent but less than or equal to 15 percent high or medium BES Cyber Systems have not been identified;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact BES Cyber Systems, more than 10 but less than or equal to 15 high or medium BES Cyber Systems have not been identified.

Severe VSL:
For Responsible Entities with more than a total of 40 BES assets in Requirement R1, more than 15 percent of BES assets have not been considered, according to Requirement R1;
OR
For Responsible Entities with a total of 40 or fewer BES assets, more than six BES assets in Requirement R1, have not been considered according to Requirement R1;
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, more than 15 percent of identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact BES Cyber Systems, more than 15 identified BES Cyber Systems have not been categorized or have been incorrectly categorized at a lower category.
OR
For Responsible Entities with more than a total of 100 high and medium impact BES Cyber Systems, more than 15 percent of high or medium impact BES Cyber Systems have not been identified;
OR
For Responsible Entities with a total of 100 or fewer high and medium impact BES Cyber Systems, more than 15 high or medium impact BES Cyber Systems have not been identified.