CIP-006-5 Workshop
October 3, 2014
Mike Ketchens, Sr. Technical Auditor, Compliance Monitoring
Forward Together • ReliabilityFirst

Purpose of V5 Transition Presentation
• Provide a basic overview of the changes
• Provide a high-level understanding of the Requirements of Standard CIP-006-5
• Answer questions to assist your compliance efforts

Summary of CIP-006-5 Changes
• Physical Security Program: must define the operational or procedural controls to restrict physical access
• Removed the current “6 wall” wording; instead requires that physical access to BES Cyber Systems is restricted and properly managed
• For High Impact BES Cyber Systems, added the need to utilize two or more different and complementary physical access controls to restrict physical access
• Maintenance and testing of Physical Access Control Systems and locally mounted hardware or devices: changed from at least once every 3 years to at least once every 24 calendar months

Physical Security of BES Cyber Systems
A new Purpose… and some new language
• To manage physical access to “BES Cyber Systems” by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

New language to assist going forward
• High Impact BES Cyber Systems –
• Medium Impact BES Cyber Systems –
• Medium Impact BES Cyber Systems without External Routable Connectivity –
• Medium Impact BES Cyber Systems with External Routable Connectivity – Excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity.

Word of caution…
Some subrequirements in CIP-006-5 have different Requirements based on the impact level. For example, R1.1 and R1.2 refer to Medium Impact BES Cyber Systems while R1.3 is specific to High Impact BES Cyber Systems.
NOTE: There is no penalty for adopting the more stringent requirements for High Impact BES Cyber Assets to Medium Impact BES Cyber Assets. The reverse is not true.

New language (Continued)
• Physical Access Control Systems (PACS) – Applies to each Physical Access Control System associated with a referenced High or Medium Impact BES Cyber System.
• Protected Cyber Assets (PCA) – Applies to each Protected Cyber Asset associated with a referenced High or Medium Impact BES Cyber System. (Commonly referred to as NCCA in V3)
• Electronic Access Control or Monitoring Systems (EACMS) – Applies to each Electronic Access Control or Monitoring System associated with a referenced High or Medium Impact BES Cyber System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems.

CIP-006-5 – R1 Summary (R1.1 to R1.3)
R1 requires the Registered Entity to “implement one or more documented physical security plan(s) that COLLECTIVELY include all applicable requirements in CIP-006-5 Table R1.”
• R1.1 Define operational or procedural controls to restrict physical access to Medium Impact BES Cyber Systems without External Routable Connectivity. (No six-wall boundary required, BUT …)
• R1.2 Utilize AT LEAST one physical access control to allow access into the PSP for Medium Impact BES Cyber Systems with External Routable Connectivity (and their associated EACMS and Protected Cyber Assets).
• R1.3 For High Impact BES Cyber Systems, utilize TWO or MORE different access controls to collectively allow access. (TFE eligible)

CIP-006-5 – R1.3 Access Control
Two forms of physical access control means access needs to require two of the following:
1. Something you know (PIN, password, etc.)
2. Something you are (biometrics, security guard identity verification, etc.)
3. Something you have (hard key, token, card key, etc.)

CIP-006-5 – R1.3 Examples
Methods of physical access control may include:
• Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
• Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.
• Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station.
• Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access into the Physical Security Perimeter.

CIP-006-5 – R1 Summary (R1.4 to R1.6)
• R1.4 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, monitor for unauthorized access into a PSP.
• R1.5 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, issue an alarm or alert in response to detected unauthorized access into a PSP within 15 minutes of detection.
• R1.6 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity, monitor EACH Physical Access Control System (PACS) for unauthorized physical access to a Physical Access Control System.

CIP-006-5 – R1 Summary (R1.7 to R1.9)
• R1.7 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity, issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System within 15 minutes of detection.
• R1.8 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, log entry of each individual with authorized unescorted physical access into each PSP, with information to identify the individual and the date and time of entry.
• R1.9 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, retain logs for at least ninety (90) calendar days.

CIP-006-5 – R1 Summary (R1.10)
• R1.10 For High Impact BES Cyber Systems and their associated PCA, AND Medium Impact BES Cyber Systems at Control Centers and their associated PCA:
  • Restrict physical access to cabling and other nonprogrammable communications components used for connection between applicable Cyber Systems within the same ESP when such cabling and components are located outside a PSP.
  • Where physical access restrictions cannot be established:
    • Encrypt data transmission, OR
    • Monitor the status of the communication link and issue an alarm or alert in response to detected communication failures within 15 minutes, OR
    • Implement an equally effective logical protection

CIP-006-5 – R2 Summary (R2.1 to R2.2)
R2 requires the Registered Entity to implement one or more documented visitor control program(s) that include each of the applicable requirements in CIP-006-5 Table R2.
• R2.1 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, require continuous escorted access of visitors (individuals who are provided access but not authorized unescorted physical access) within each PSP, except during CIP Exceptional Circumstances.
• R2.2 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, require manual or automated logging of visitors into (initial entry) and final exit from the PSP that includes the date and time of the INITIAL entry and exit and the name of the escort, except during CIP Exceptional Circumstances.

CIP-006-5 – R2 Summary (R2.3)
• R2.3 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, retain visitor logs for at least ninety (90) calendar days.

CIP-006-5 – R3 Summary
R3 requires the Registered Entity to maintain and test Physical Access Control Systems to ensure they function properly.
• R3 For High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCA, maintain and test each Physical Access Control System and locally mounted hardware or devices at the PSP at least once every twenty-four (24) calendar months to ensure they function properly.

Areas to closely monitor
Physical Access Control and Monitoring
• Is the BES Cyber System High Impact, or Medium Impact with or without External Routable Connectivity?
• Clear and identified Physical Security Perimeters, and the Physical Access Control System used to authorize and log entry
Key Control Program
• When and how hard keys are to be used
• Which PSPs have hard key lock access
• Who has access to hard keys
• How the use of a hard key is logged
• Is an alarm triggered when the door is opened
• PRA and Training up to date
Unescorted Visitor Logging
• Visitor/escort forgets to log out.
• Ability to retrieve data (for example, via cameras)
• Regularly review logs to ensure completeness of logs.
Response time
• Within 15 minutes of alarm

Questions & Answers
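An added example, not part of the presentation, of how the logging and alarm-response expectations in R1.3, R1.5/R1.7, R1.8 and R2.2 could be checked over exported PACS and visitor records during a self-review. The record layouts, the control-type mapping and the sample events are all constructed assumptions; it flags a late alert, an entry with no identifier, the "visitor/escort forgets to log out" gap, and a PSP whose two controls fall in the same R1.3 category.

```python
from datetime import datetime, timedelta
# Constructed sample PACS events (not from the presentation): (timestamp, psp, event, individual)
PACS_EVENTS = [
    ("2014-10-03T08:00:00", "PSP-1", "entry", "badge-1001"),
    ("2014-10-03T09:12:00", "PSP-1", "unauthorized_access", None),
    ("2014-10-03T09:20:00", "PSP-1", "alert", None),               # 8 min later: in window
    ("2014-10-03T10:30:00", "PSP-2", "unauthorized_access", None),
    ("2014-10-03T10:50:00", "PSP-2", "alert", None),               # 20 min later: too late
    ("2014-10-03T11:00:00", "PSP-2", "entry", None),               # entry with no identifier
]
# Constructed visitor log: (visitor, escort, psp, initial entry, final exit)
VISITOR_LOG = [
    ("J. Visitor", "badge-1001", "PSP-1", "2014-10-03T13:00:00", "2014-10-03T14:30:00"),
    ("K. Visitor", "badge-1002", "PSP-2", "2014-10-03T15:00:00", None),  # never logged out
]
# Assumed mapping of control types to the three R1.3 categories (know / are / have)
FACTOR = {"pin": "know", "password": "know", "biometric": "are", "guard": "are",
          "hard_key": "have", "token": "have", "card_key": "have"}
ALERT_WINDOW = timedelta(minutes=15)
T = datetime.fromisoformat

def check_alert_response(events):
    """R1.5/R1.7: each detected unauthorized access needs an alert on that PSP within 15 minutes."""
    findings = []
    for ts, psp, ev, _ in events:
        if ev == "unauthorized_access":
            det = T(ts)
            if not any(p == psp and e == "alert" and det <= T(t) <= det + ALERT_WINDOW
                       for t, p, e, _ in events):
                findings.append((psp, ts, "no alert within 15 minutes"))
    return findings

def check_entry_logging(events):
    """R1.8: every logged entry must identify the individual; the timestamp is already the key."""
    return [(psp, ts, "entry without identifier")
            for ts, psp, ev, who in events if ev == "entry" and not who]

def check_visitor_log(visitors):
    """R2.2: escort name and final exit required; a missing exit is the forgot-to-log-out gap."""
    findings = []
    for name, escort, psp, _entry, exit_ in visitors:
        if not escort:
            findings.append((psp, name, "no escort recorded"))
        if not exit_:
            findings.append((psp, name, "no exit logged"))
    return findings

def two_factor_ok(controls):
    """R1.3: controls must span two different categories; two card readers are still one factor."""
    return len({FACTOR[c] for c in controls}) >= 2
```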