Presentation_CIP-007-7 Best Practices_01-29-15

CIP-007-7 Systems and Security Management
Best Practices
Carl R. Bench
CIP Auditor, CBRA/CBRM
CIP-007-7 Requirements
• CIP-007-7
– R1 Ports and Services
– R2 Security Patch Management
– R3 Malicious Code Prevention
– R4 Security Event Monitoring
– R5 System Access Control
CIP-007 V3 to V5 New Additions:
• CIP-007-7 R1.2 – NEW – restrict physical ports
• CIP-007-7 R2.1 – NEW – identify patch sources
• CIP-007-7 R4.3 – NEW – Alerts
• CIP-007-7 R5.7 – NEW – unsuccessful login thresholds and
alerts
Project 200806 Cyber Security Order 706 DL_Mapping_Document_012913.pdf
New Terms:
• BES Cyber Asset
• BES Cyber System
• Cyber Asset
• Protected Cyber Asset
NERC Glossary of Terms: http://www.nerc.com/files/glossary_of_terms.pdf
Implementation Study:
• Differences between the CIP Version 3 and CIP Version 5 standards;
• Technical security practices needed to meet the CIP Version 5
requirements; and
• Practices to demonstrate compliance with the CIP Version 5
requirements, including effective management practices to address any
noncompliance
Implementation Study:
Going forward, NERC will continue to work with study participants to
address compliance and enforcement matters.
Based on the Implementation Study, NERC and the Regional Entities
developed a report that identifies key conclusions, lessons learned,
and recommendations for transition to Version 5.
Reference:
http://www.nerc.com/pa/CI/Pages/Transition-Program-V5Implementation-Study.aspx
Lessons Learned CIP-007-7 R1.2
CIP-007-7 R1.2: Protecting Physical Ports
Description: Summary of Key Lessons Learned and FAQs (Table 7)
How can tamper tape be used to protect ports to comply with
this requirement?
CIP-007-7 Part 1.2
Asset level requirement
Lessons Learned CIP-007-7 R1.2 (continued)
How can tamper tape be used?
• Detect if a physical port has been used
• Signage to detect and deter access
• Serial/Signing tape can be recorded and documented for consistency
Note: While tamper tape and other similar methods of signage do not prevent
unauthorized personnel from accessing these ports, they can be a useful part of a
defense-in-depth type of control to remind and deter personnel from unauthorized
use of the physical ports.
Reference:
(CIP-007-5 R1 Part 1.2: Protecting Physical Ports: Tamper Tape)
(Summary of Key Lessons Learned and FAQs (Table 7))
Port Locks
Physical Access to Ports
Question
• Signage for physical port protection (CIP-007-7 R1.2) – Is it
acceptable to place signs at the PSP doors, rather than on each
individual device port?
– NO, this is a BES Cyber Asset specific requirement. There must be clear
notice regarding the use of physical ports or a physical/electronic method
to ensure that ports are not inadvertently connected to a network/device.
Policies also need to be in place to control the use of transient devices
(USB stick, etc.)
• Would a Cyber Asset locked in a cage meet this requirement?
– No, the required control needs to be applied at the BES Cyber Asset level
Part 1.2 Audit Approach
• Verify the entity has documented one or more processes
which address this Part.
• Protections provided to unnecessary physical input/output
ports may include, but are not limited to:
a. Logically disabling
b. Physically disabling
c. Physical signage
Part 1.2 Evidence
Sample of BES Cyber Systems:
a. The list of all BES Cyber Assets and Cyber Assets which comprise the BES
Cyber System.
b. The list of all PCA associated with the BES Cyber System.
c. The list of all nonprogrammable communication components associated
with the BES Cyber System and located inside both a PSP and an ESP
Provide the following evidence:
Documentation of the protections provided to physical input/output ports
(capable of network connectivity, console commands, or Removable
Media) that are not required for operations
Lessons Learned CIP-007-7 R2.1
CIP-007-7 R2.1: Identifying sources for patch management:
(Summary of Key Lessons Learned and FAQs, Table 7)
Question: How should the appropriate sources for obtaining
security patches be determined and documented?
CIP-007-7 Security Patch Management Part 2.1
Asset level requirement
Patch Sources
• Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
https://www.esisac.com/
• Common Vulnerabilities and Exposures
http://cve.mitre.org/
• BugTraq
http://www.securityfocus.com/vulnerabilities
• National Vulnerability Database
http://nvd.nist.gov/
• ICS-CERT
http://ics-cert.us-cert.gov/all-docs-feed
Guidelines
• DHS
– “Quarterly Report on Cyber Vulnerabilities of Potential Risk to Control
Systems”
http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-39_Feb13.pdf
• ICS-CERT
– “Recommended Practice for Patch Management of Control Systems”
http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf
Evidence- Part 2.1
• Patch management requires a documented process
• List of sources monitored for BES Cyber Systems and/or BES
Cyber Assets
• List of Cyber Assets and software used for patch management
• A process for tracking, evaluating and installing cyber security
patches
• Applicable to BES Cyber Systems that are accessible remotely
as well as standalone systems
End of Life Evidence
• Document vendor end-of-life dates
• Document the BES Cyber Systems (and BES Cyber Assets) affected
• Ensure the latest applicable patch is implemented
• Deploy mitigating measures for vulnerabilities that cannot be patched
• Where possible, implement mitigating measures for the newly
identified vulnerability
Patch Update Issues
• Cyber Security focused
– Requirement does not cover patches that are purely functionality
related, with no cyber security impact
– Cyber Asset Baseline documentation with patch tracking (CIP-010-2 Part
1.1.5)
– Operating system/firmware, commercially available software or
open-source application software, custom software
Cyber Security software patches
----------- ALERT ------------
• Hardware vendors (source) may provide security patches and
security upgrades to mitigate/eliminate vulnerabilities
identified in their drivers and firmware
• These need to be patched or have a documented mitigation
plan for the applicable devices per CIP-007-7 Part 2.1, 2.2, and
2.3
[CIP-007-7 part 2.1] Audit Approach – what are we
looking for?
• Documented procedures for the tracking, evaluating, testing and
implementation of patches and updates
• Evidence of monitoring for all installed software and firmware (CIP-010-2)
– Develop a list of all monitored applications/OS/firmware
– Identify and document processes and sources for notifications of updates
– Look to vendors where possible
• Evidence of identification and evaluation of applicability within 35
days of availability
[CIP-007-7 part 2.1] Audit Approach – what are we
looking for?
• Evidence of implementation of patches as defined in
documented procedures, evidence of testing prior to release to
production
• Evidence of the patch analysis and implementation of
compensating measures if applicable patch/updates will not be
implemented within 30 days
– Document the risk of NOT implementing patches/updates – expectation
of implementation
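The Part 2.1–2.3 audit approach above boils down to date arithmetic per patch: identified from a monitored source, evaluated within 35 days of availability, then installed or covered by a mitigation plan within 30 days (the windows as stated on these slides). The tracker below is an added example, not part of the presentation or any NERC tool; the patch identifiers, sources and dates are constructed, and the status names are assumptions chosen for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows as stated on the slides: evaluate applicability within 35 days of
# availability; install, or document a mitigation plan, within 30 days of that.
EVAL_WINDOW = timedelta(days=35)
IMPL_WINDOW = timedelta(days=30)

@dataclass
class PatchRecord:
    patch_id: str                          # constructed advisory identifier
    source: str                            # monitored source (Part 2.1 evidence)
    available: date                        # date the source released the patch
    evaluated: Optional[date] = None       # date applicability was assessed (Part 2.2)
    applicable: bool = False
    installed: Optional[date] = None       # date installed on the BES Cyber Asset
    mitigation_plan: Optional[date] = None # date a mitigation plan was documented

def assess(rec: PatchRecord, today: date) -> str:
    """Return an audit status (names are this example's own) for one record."""
    eval_due = rec.available + EVAL_WINDOW
    if rec.evaluated is None:
        return "OVERDUE_EVALUATION" if today > eval_due else "PENDING_EVALUATION"
    if rec.evaluated > eval_due:
        return "LATE_EVALUATION"
    if not rec.applicable:
        return "NOT_APPLICABLE"
    impl_due = rec.evaluated + IMPL_WINDOW
    done = rec.installed or rec.mitigation_plan   # either action satisfies Part 2.3
    if done is None:
        return "OVERDUE_IMPLEMENTATION" if today > impl_due else "PENDING_IMPLEMENTATION"
    if done > impl_due:
        return "LATE_IMPLEMENTATION"
    return "INSTALLED" if rec.installed else "MITIGATION_PLAN"

def audit_report(records, today: date) -> dict:
    """Map each patch id to its status: the evidence table an auditor would sample."""
    return {r.patch_id: assess(r, today) for r in records}

# Constructed sample records (not real advisories); audit date is the slide date.
SAMPLE = [
    PatchRecord("VENDOR-2014-001", "ICS-CERT", date(2014, 11, 1), date(2014, 11, 20), True, installed=date(2014, 12, 5)),
    PatchRecord("VENDOR-2014-002", "NVD", date(2014, 11, 1), date(2014, 12, 20), True),
    PatchRecord("VENDOR-2014-003", "ES-ISAC", date(2014, 12, 1), date(2014, 12, 10), True, mitigation_plan=date(2015, 1, 5)),
    PatchRecord("VENDOR-2014-004", "BugTraq", date(2014, 12, 20)),
]
AUDIT_DATE = date(2015, 1, 29)
```

Running `audit_report(SAMPLE, AUDIT_DATE)` flags the second record as a late evaluation and the fourth as an overdue evaluation, which are exactly the gaps the audit approach says to document.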
Part 3.2 Lessons Learned
CIP-007-7 Mitigate the threat of detected malicious code:
Question: Are entities required to mitigate the threat of detected
malicious code regardless of the methods they choose to deter,
detect, or prevent malicious code?
CIP-007-7 Table R3 – Malicious Code Prevention
Part 3.2 Data Request
• List of all instances of detected malicious code, including:
– Type of malicious code detected
– Date the malicious code was detected
– Applicable Systems affected by the malicious code, if any
– Method of detection
– Mitigation actions taken
– Date the mitigation actions were taken
– If the threat of the detected malicious code has not been fully mitigated,
the action plan, including timetable, to complete the mitigation
Part 3.2 Sample of Interview Questions
• Describe the malicious code identification and mitigation
processes?
• Have Cyber Security Events been identified as a result of
malicious code?
• Have mitigation activities been performed? Please describe
these efforts.
Part 3.2 Evidence
• Documentation of events
• Mitigation processes completed
• How do the mitigation efforts specifically address the
malicious code?
Part 3.2 Audit Approach
• Verify the entity has documented one or more processes which address
this Part
• Verify the entity uses one or more methods to detect malicious code
• For each instance of detected malicious code reviewed, verify the
mitigating steps taken are consistent with the process and mitigate the
threat of the malicious code
Results-based Requirement: The Requirement assumes malicious code will
be detected – the entity is therefore required to do so, but the approaches
used to perform this detection are not specified.
References
• CIP-007-7 — Cyber Security – Systems Security Management, dated November 25, 2014, from
http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/CIP-007-7_CLEAN.pdf
• DRAFT NERC Reliability Standard Audit Worksheet, RSAW Version: RSAW CIP-007-7 Draft3v0, Revision Date:
December 10, 2014, from
http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/CIP-0077%20RSAW%20-%20DRAFT3v0.pdf
• NERC Consideration of Issues and Directives, Federal Energy Regulatory Commission Order No. 791, November
25, 2014, from
http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/Consideration_of_Issues_and_Directives_CLEAN.pdf
• NERC Mapping Document: Project 2014-02 CIP Version 5 Revisions Mapping Document Showing Translation of
the Version 5 Standards into CIP-003-7, CIP-004-7, CIP-006-6, CIP-007-7, CIP-009-6, CIP-010-3, and CIP-011-3
(CIP-002-5.1, CIP-005-5, and CIP-008-5 were not modified), from
http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/Mapping_Document_CLEAN.pdf
Questions?