Debriefing: NERC CIP 011

STatus of NERC CIP version 4, how to navigate NERC web page to find changes to the CIP standard

A few weeks ago I wrote about the anticipated positive aspects of NERC CIP 011. I received comments and questions about timing of approval and implementation, as well as a request to briefly clarify the intent of the current standards. So here goes.

Approval Status of CIP Version 4 Standards

 NERC CIP 011 was approved by the NERC Board of Trustees on January 24, 2011, and is now collectively called CIP Version 4 standards; CIP 002-4 throughCIP-009-4. My understanding is the standards have been recently filed with FERC for approval for the US, and they have similarly been filed for approval with a variety of Canadian provincial authorities for consideration.

Once approved, CIP Version 4 standards will completely replace the current CIP standards.

To assist those wishing to receive first hand updates on CIP developments directly from the NERC site, I’m providing a navigation guide to get you directly to where you need to go:

1. NERC CIP home page:

2. In the top blue banner, click “Standards”

3. In the drop-down menu, click “Standards under development”.

4. In the search box in the upper right, search for “CIP”.

5. Select “CIP 011-1”

6. Click on “Project 2008-6- Cyber Security – Phase II Standards” (Jan 31, 2011)

7. This page shows you the current status of approval and you can review each standard during its various versions of iteration.

Summary of Current NERC CIP Standards

The current standards can be reviewed on the NERC site by clicking “Standards” in the top blue banner, and then “Reliability Standards” and then finally click Critical Infrastructure Protection (CIP) or just click:|20

As they now stand, here’s what they mean:

  • CIP 001-1a Sabotage Detection

Identify and report on anomalous activities. Triage to determine if they constitute possible sabotage and report accordingly.

  • CIP 002-3 and 002-4

Critical Cyber Asset Identification Identify key cyber assets, including hardware, software, and processes, with the use of a risk analysis. The NIST risk analysis methodology is described in an accompanying document.

  • CIP 003-3 Security Management Controls Implement control points for the critical assets identified in CIP 002. In my opinion this standard is not sufficiently proscriptive, but version 4 will add immensely.
  • CIP 004-3 Personnel and Training

Training employees on how to comply with physical security access controls as well as IT security awareness training.

  • CIP 005-2a, 005-3, and 005-4 Electronic Security Perimeter(s)

Just like it sounds for IT perimeter security, but overlaying the standard on some of the other standards. Again in my opinion this standard is insufficient in specific security controls: deterrent, preventative, detective, corrective, recovery, and compensating. I’m looking forward to Version 4!

  • CIP 006-3c and 006-4Physical Security of Critical Cyber Assets

Ditto for CIP 005 but for physical security.

  • CIP 007-3 and 007-4 Systems Security Management

This is the compliance piece; monitoring, testing, gap analysis, for logical (technical), physical, and policy control points. It includes having test or audit plans and actually implementing the plans.

  • CIP 008-3 Incident Reporting and Response Planning

This standard identifies compliance requirements for incident reporting plans for other CIP standards, but does not really identify how to create and test a process for incident monitoring / analysis and triage / reporting.

  • CIP 009-3 and 009-4 Recovery Plans for Critical Cyber Assets

Ditto for CIP 008-3 but for DRP.

  • CIP 010-1 BES Cyber System Categorization ( in draft) This is a superset of CIP 002 cyber asset identification, to include the systems to which cyber assets belong. This is more in-line with classic IT security as a compromised system can provide an attack vector to one of its subsystems.

Have a secure week. Ron Lepofsky CISSP, CISM, BA. SC. (mechanical)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.