Do you know about Heavyweight NERC CIP 011-1?

Our electric grid needs IT security protection. NERC CIP 011-1 delivers the knockout punch to do so.

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous-sounding proposed new standard now in the creation process. To me it looks like the heavyweight in a list of otherwise fairly general standards.

It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

CIP 001-1 Sabotage Detection

CIP 002-1 Critical Cyber Asset Identification

CIP 003-1 Security Management Controls

CIP 004-1 Personnel and Training

CIP 005-1 Electronic Security Perimeter(s)

CIP 006-1 Physical Security of Critical Cyber Assets

CIP 007-1 Systems Security Management

CIP 008-1 Incident Reporting and Response Planning

CIP 009-1 Recovery Plans for Critical Cyber Assets

CIP 010-1 BES Cyber System Categorization (in draft)

CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict the other CIP standards; instead they drill down into them and complement them. In my opinion the 011-1 control points resemble the NIST security control points defined in the document Recommended Security Controls for Federal Information Systems and Organizations.

The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit, but I think they specify the critical requirements needed to harden the security of our electrical grid.

CIP-011-1 Table R3 – Cyber Security Training

CIP-011-1 Table R5 – Physical Security for BES Cyber Systems

CIP-011-1 Table R6 – Physical Access Control Systems

CIP-011-1 Table R7 – Account Management Specifications

CIP-011-1 Table R8 – Account Management Implementation

CIP-011-1 Table R9 – Access Revocation

CIP-011-1 Table R10 – Account Access Control Specifications

CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation

CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management

CIP-011-1 Table R13 – Remote Access Revocation

CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls

CIP-011-1 Table R15 – Malicious Code

CIP-011-1 Table R16 – Security Patch Management

CIP-011-1 Table R17 – System Hardening

CIP-011-1 Table R18 – Security Event Monitoring

CIP-011-1 Table R19 – Communications and Data Integrity

CIP-011-1 Table R20 – Electronic Boundary Protection

CIP-011-1 Table R21 – System Boundary Protection

CIP-011-1 Table R22 – Protective Cyber Systems

CIP-011-1 Table R23 – Configuration Change Management

CIP-011-1 Table R24 – Information Protection

CIP-011-1 Table R25 – Media Sanitization

CIP-011-1 Table R26 – Maintenance

CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications

CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications

CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications

CIP-011-1 Table R30 – Recovery Plan Specifications

CIP-011-1 Table R31 – Recovery Plan Testing Specifications

CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out if we found out that critically important NIST standards were finally being implemented by the custodians of our electrical grid?

Have a secure week. Ron Lepofsky CISSP, CISM, B.A.Sc. (Mechanical) www.ere-security.ca


Copyright © 2011 IDG Communications, Inc.