NERC CIP Compliance Matrix of RUGGEDCOM ROS Operating System

Application description 03/2017
Entry-ID: 109745672, 1.0, 03/2017
https://support.industry.siemens.com/cs/ww/en/view/109745672

Warranty and Liability

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.Siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.industry.Siemens.com.

Table of Contents

Warranty and Liability
1 Overview
2 CIP-005-5: Cyber Security – Electronic Security Perimeter(s)
3 CIP-007-6: Cyber Security – Systems Security Management
4 CIP-010-2: Cyber Security – Configuration Change Management and Vulnerability Assessments
5 References
6 Glossary of Terms
7 Related Literature
8 History

1 Overview

NOTICE: This document reviews how the RUGGEDCOM ROS operating system can assist in complying with NERC CIP version 5 and version 6 requirements. Fully meeting NERC CIP requirements needs a program that combines tools, documentation, processes and training. The RUGGEDCOM ROS operating system can be one of the tools used to help address some of these requirements. If there are any questions or concerns about meeting any of the NERC CIP requirements, it is recommended that you contact your regional NERC auditor.

This document describes how the RUGGEDCOM ROS operating system supports the latest security requirements specified by NERC CIP. On January 21, 2016 FERC issued Order 822, approving version 6 of the NERC standards, which revised seven NERC Critical Infrastructure Protection Standards and added six new or modified terms. On February 25, 2016 FERC granted the motion requesting an extension of time for the implementation of the V5 requirements to match the V6 standards, which generally went into effect on July 1, 2016, with the Low Impact and Transient Devices requirements going into effect on April 1, 2017. More information is available at the North American Electric Reliability Corporation website:

http://www.nerc.com/pa/CI/Comp/Pages/default.aspx

The RUGGEDCOM Ethernet Switches/Routers are high port density Layer 2/Layer 3 Ethernet routing and switching platforms designed to operate in harsh environments. This product family can withstand high levels of electromagnetic interference, radio frequency interference and a wide temperature range of -40 °C to +85 °C (-40 to 185 °F). These devices are designed to meet the challenging climatic and environmental demands found in utility, industrial and military network applications.

This document applies to the Siemens RUGGEDCOM switches based on ROS v4.2 or later, the operating system of the RS9XX, RSG2XXX, RSG920P and RMC8388 Series products, providing reliability and performance when it is needed most. Their cyber security and networking features make them well suited for creating secure Ethernet networks for mission critical, real-time control applications in harsh environments.

The following pages describe the most product-relevant NERC CIP standards and requirements from CIP v5 and v6. They also outline how RUGGEDCOM ROS can be used, as part of a CIP program, to address certain requirements. More product information can be found in the Siemens RUGGEDCOM online manuals, which include specific security recommendations and considerations.

Meanwhile, there are a few NERC CIP requirements, listed below, that are process and/or documentation focused. They are not directly applicable to Siemens products and are therefore not detailed in this document. However, they should also be taken into consideration during system design, service and operations.

Table 1-1: Process- and documentation-focused NERC CIP standards not detailed in this document

Standard    Title
CIP-002-5   BES Cyber System Categorization
CIP-003-6   Security Management Controls
CIP-004-6   Personnel & Training
CIP-006-6   Physical Security of BES Cyber Systems
CIP-008-5   Incident Reporting and Response Planning
CIP-009-6   Recovery Plans for BES Cyber Systems
CIP-011-2   Information Protection
CIP-014-2   Physical Security

2 CIP-005-5: Cyber Security – Electronic Security Perimeter(s)

Purpose

To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1

Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in Table 2-1: Table R1 – Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].

M1

Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 2-1: Table R1 – Electronic Security Perimeter and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 2-1: Table R1 – Electronic Security Perimeter

Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 1.1
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems and their associated PCA.
Requirement: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
Measures: An example of evidence may include, but is not limited to, a list of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP.
ROS features: n/a (process/documentation requirement).

Part 1.2
Applicable Systems: High Impact BES Cyber Systems with External Routable Connectivity and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA.
Requirement: All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
Measures: An example of evidence may include, but is not limited to, network diagrams showing all external routable communication paths and the identified EAPs.

Part 1.3
Applicable Systems: Electronic Access Points for High Impact BES Cyber Systems; Electronic Access Points for Medium Impact BES Cyber Systems.
Requirement: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
Measures: An example of evidence may include, but is not limited to, a list of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason.

Part 1.4
Applicable Systems: High Impact BES Cyber Systems with Dial-up Connectivity and their associated PCA; Medium Impact BES Cyber Systems with Dial-up Connectivity and their associated PCA.
Requirement: Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
Measures: An example of evidence may include, but is not limited to, a documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection.
ROS features: Not supported in ROS.

Part 1.5
Applicable Systems: Electronic Access Points for High Impact BES Cyber Systems; Electronic Access Points for Medium Impact BES Cyber Systems at Control Centers.
Requirement: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
Measures: An example of evidence may include, but is not limited to, documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented.
ROS features: ROS does not provide embedded anti-virus or malware protection software; malicious-communication detection (e.g. an intrusion detection system or application layer firewall) has to be provided by a separate device at the EAP.
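Part 1.3 is the one row in this table whose evidence can be checked mechanically: every permit rule needs a documented reason, and each direction has to end in a default deny. The following lint is an added example and is not Siemens code; the matrix gives no rule syntax for ROS or for the EAP device, so the `Rule` representation, the addresses, ports and reasons are constructed for illustration, and a real check would parse the firewall or ACL export of whatever device acts as the EAP.

```python
"""Lint an Electronic Access Point rule set against CIP-005-5 Part 1.3.

Added example; not Siemens code. The rule representation is a constructed,
vendor-neutral one (the matrix gives no ROS or EAP rule syntax); in practice the
input would be the firewall/ACL export of the device acting as the EAP.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str    # "in" = into the ESP, "out" = out of the ESP
    action: str       # "permit" or "deny"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    proto: str        # "tcp", "udp", "icmp" or "any"
    dport: str        # port number, "a-b" range, or "any"
    reason: str = ""  # the documented reason Part 1.3 requires for every permit


def _is_any_net(cidr):
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    return net.prefixlen == 0


def _is_catch_all_deny(r):
    return (r.action == "deny" and _is_any_net(r.src) and _is_any_net(r.dst)
            and r.proto == "any" and r.dport == "any")


def lint_eap_rules(rules):
    """Return (rule_index, issue) pairs. Index -1 marks a direction-wide finding."""
    issues = []
    for i, r in enumerate(rules):
        if r.action == "permit" and not r.reason.strip():
            issues.append((i, "missing_reason"))       # Part 1.3: reason for granting access
        if r.action == "permit" and _is_any_net(r.src) and _is_any_net(r.dst) and r.proto == "any":
            issues.append((i, "overly_broad_permit"))  # permit any/any defeats the perimeter
    for direction in ("in", "out"):
        ordered = [(i, r) for i, r in enumerate(rules) if r.direction == direction]
        if not ordered:
            issues.append((-1, f"no_rules:{direction}"))  # Part 1.3 covers both directions
            continue
        if not _is_catch_all_deny(ordered[-1][1]):
            issues.append((-1, f"no_default_deny:{direction}"))
        for pos, (_, r) in enumerate(ordered):
            if _is_catch_all_deny(r):
                # anything after a catch-all deny can never match: stale or misplaced rule
                issues.extend((j, "unreachable_rule") for j, _ in ordered[pos + 1:])
                break
    return issues


# Constructed rule sets. The first is the "before": one permit has no documented
# reason and the outbound direction has no default deny.
EAP_RULES = [
    Rule("in", "permit", "192.0.2.50/32", "10.10.0.0/24", "tcp", "22",
         "SSH from the Intermediate System to switch CLI"),
    Rule("in", "permit", "192.0.2.50/32", "10.10.0.0/24", "tcp", "443",
         "HTTPS from the Intermediate System to switch web UI"),
    Rule("in", "permit", "192.0.2.60/32", "10.10.0.0/24", "udp", "161"),
    Rule("in", "deny", "any", "any", "any", "any", "default deny"),
    Rule("out", "permit", "10.10.0.0/24", "192.0.2.20/32", "udp", "514",
         "syslog export to the log collector (CIP-007 R4)"),
    Rule("out", "permit", "10.10.0.0/24", "192.0.2.21/32", "udp", "123", "NTP time source"),
]

# The "after": every permit carries a reason and both directions end in a default deny.
FIXED_RULES = EAP_RULES[:2] + [
    Rule("in", "permit", "192.0.2.60/32", "10.10.0.0/24", "udp", "161",
         "SNMPv3 polling from the NMS"),
    EAP_RULES[3],
    EAP_RULES[4],
    EAP_RULES[5],
    Rule("out", "deny", "any", "any", "any", "any", "default deny"),
]

if __name__ == "__main__":
    for rules, label in ((EAP_RULES, "before"), (FIXED_RULES, "after")):
        print(label, lint_eap_rules(rules) or "clean")
```

Run against the "before" set the lint reports the undocumented SNMP permit and the missing outbound default deny; the "after" set lints clean, and the issue list itself is the kind of dated artefact that can be filed as Part 1.3 evidence.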

R2

Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in Table 2-2: Table R2 – Interactive Remote Access Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].

M2

Evidence must include the documented processes that collectively address each of the applicable requirement parts in Table 2-2: Table R2 – Interactive Remote Access Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 2-2: Table R2 – Interactive Remote Access Management

Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 2.1
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA.
Requirement: Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
Measures: Examples of evidence may include, but are not limited to, network diagrams or architecture documents.
ROS features: ROS can be accessed via an Intermediate System using standard CLI scripted commands.

Part 2.2
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA.
Requirement: For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
Measures: An example of evidence may include, but is not limited to, architecture documents detailing where encryption initiates and terminates.
ROS features: Remote access to ROS is implemented via encrypted communications (SSH/SFTP, HTTPS/SSL/TLS, RADIUS, TACACS+, SNMPv3). Passwords are salted and hashed. All configurations can be stored in encrypted format.
Note: in this architecture the encrypted Interactive Remote Access session (SSH or HTTPS/TLS) runs from the remote user to the Intermediate System and terminates there; the Intermediate System then opens its own SSH or HTTPS session to the switch. RADIUS and TACACS+ protect the authentication exchange between the switch and the AAA server (RADIUS obfuscates only the password attribute), so they are not themselves the session encryption that Part 2.2 asks for.

Part 2.3
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA.
Requirement: Require multi-factor authentication for all Interactive Remote Access sessions.
Measures: An example of evidence may include, but is not limited to, architecture documents detailing the authentication factors used. Examples of authenticators may include, but are not limited to:
- Something the individual knows, such as passwords or PINs. This does not include User ID;
- Something the individual has, such as tokens, digital certificates, or smart cards; or
- Something the individual is, such as fingerprints, iris scans, or other biometric characteristics.
ROS features: ROS can provide strong single-factor authentication; if multiple factors are required, using AAA server(s) is recommended.

3 CIP-007-6: Cyber Security – Systems Security Management

Purpose

To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

R1

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-1: Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations.]

M1

Evidence must include the documented processes that collectively include each of the applicable requirement parts in Table 3-1: Ports and Services and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-1: Ports and Services

Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 1.1
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS, PACS and PCA.
Requirement: Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.
Measures: Examples of evidence may include, but are not limited to:
- Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.
- Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or
- Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others.
ROS features: Logically accessible ports in ROS devices can be disabled as needed.

Part 1.2
Applicable Systems: High Impact BES Cyber Systems and their associated PCA and nonprogrammable communication components located inside both a PSP and an ESP; Medium Impact BES Cyber Systems at Control Centers and their associated PCA and nonprogrammable communication components located inside both a PSP and an ESP.
Requirement: Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
Measures: An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.
ROS features: ROS supports administration, maintenance and configuration through a serial console port, which is protected by strong authentication. Multiple failed login attempts are logged, security events are logged, and the user account is blocked after a number of incorrect login attempts. The user documentation details all ports on the device, including access possibilities. Physical ports can be disabled as needed.
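ROS lets unneeded services be disabled, but the measure for Part 1.1 asks for evidence of what is actually listening, and the check that catches drift is a diff between a scan of the switches and the documented baseline. The script below is an added example, not Siemens code or ROS output: it parses Nmap's greppable (-oG) format, which is what a scan taken from the management network would produce, and compares it with a baseline of needed ports and their reasons. Asset names, addresses, ports, reasons and the scan text are all constructed for illustration.

```python
"""Compare observed listening ports with the documented "needed ports" baseline.

Added example for CIP-007-6 R1 Part 1.1; not Siemens code. Reads an Nmap greppable
(-oG) scan of the switches and diffs it against the baseline in both directions:
ports that are open but undocumented, and ports documented as needed that are no
longer observed. All names, addresses, ports and scan text are constructed.
"""
import re
from dataclasses import dataclass

# Documented baseline: for each Cyber Asset, the (proto, port) pairs determined to be
# needed and the reason recorded for each. Constructed data.
BASELINE = {
    "rsg2100-sub1": {
        ("tcp", 22): "SSH CLI management via the Intermediate System",
        ("tcp", 443): "HTTPS web management via the Intermediate System",
        ("udp", 161): "SNMPv3 polling from the NMS",
    },
    "rsg2100-sub2": {
        ("tcp", 22): "SSH CLI management via the Intermediate System",
        ("tcp", 443): "HTTPS web management via the Intermediate System",
        ("udp", 161): "SNMPv3 polling from the NMS",
    },
}

# Constructed scan output in Nmap's greppable format (one host per line, tab-separated
# fields, each port as port/state/proto//service///). Not a real scan.
SAMPLE_SCAN = (
    "# Nmap greppable output (constructed sample)\n"
    "Host: 192.0.2.10 (rsg2100-sub1)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.10 (rsg2100-sub1)\tPorts: 161/open/udp//snmp///, 69/open|filtered/udp//tftp///\n"
    "Host: 192.0.2.11 (rsg2100-sub2)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n"
    "Host: 192.0.2.12 (rsg900-yard)\tPorts: 80/open/tcp//http///\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


@dataclass(frozen=True)
class Finding:
    asset: str
    proto: str
    port: int
    kind: str    # undocumented_open | documented_not_observed | no_baseline
    detail: str


def parse_greppable(text):
    """Map asset name (or IP when Nmap has no name) to the set of (proto, port) listening."""
    observed = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, name, ports = m.groups()
        listening = observed.setdefault(name or ip, set())
        for entry in ports.split(","):
            pm = PORT_RE.match(entry.strip())
            # Nmap reports UDP as open|filtered when nothing distinguishes the two;
            # for audit purposes that counts as listening until proven otherwise.
            if pm and pm.group(2).startswith("open"):
                listening.add((pm.group(3), int(pm.group(1))))
    return observed


def audit_ports(observed, baseline):
    """Diff scan results against the baseline in both directions."""
    findings = []
    for asset in sorted(set(observed) | set(baseline)):
        seen = observed.get(asset, set())
        needed = baseline.get(asset)
        if needed is None:
            findings.extend(Finding(asset, p, n, "no_baseline",
                                    "asset has no documented port baseline")
                            for p, n in sorted(seen))
            continue
        findings.extend(Finding(asset, p, n, "undocumented_open",
                                "listening but not documented as needed: disable it or document it")
                        for p, n in sorted(seen - set(needed)))
        findings.extend(Finding(asset, p, n, "documented_not_observed",
                                f"documented as needed ({needed[(p, n)]}) but not observed: baseline may be stale")
                        for p, n in sorted(set(needed) - seen))
    return findings


if __name__ == "__main__":
    for f in audit_ports(parse_greppable(SAMPLE_SCAN), BASELINE):
        print(f"{f.asset:14} {f.proto}/{f.port:<5} {f.kind:24} {f.detail}")
```

On the sample the audit flags telnet and TFTP on the first switch as open but undocumented, SNMP on the second switch as documented but not observed (the baseline is stale or the service was disabled without updating it), and a third device with no baseline at all. Keeping the dated scan and the finding list together gives the two pieces of evidence Part 1.1 lists: the listening-port listing and the documentation of need.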

R2

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-2: Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M2

Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 3-2: Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-2: Security Patch Management

Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 2.1
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS and PCA.
Requirement: A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
Measures: An example of evidence may include, but is not limited to, documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis.
ROS features: For RUGGEDCOM switches/routers based on ROS, firmware can be reloaded and updated individually, which ensures the patchability of the system. During a firmware update the device remains fully operational; a reboot is then required to activate the new firmware version on the alternate partition, so the period of non-operability is limited to the boot time. If an interruption of normal operations is unacceptable, redundant systems can ensure uninterrupted operation. For RUGGEDCOM switches/routers based on ROS, Siemens has a patch management process in place that documents all firmware releases, feature enhancements and bug fixes in a traceable manner. Updates are made available by Siemens free of charge. The installation is usually performed by the system operator or the service technician responsible for system maintenance.

Part 2.2
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS and PCA.
Requirement: At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
Measures: An example of evidence may include, but is not limited to, an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days.

Part 2.3
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS and PCA.
Requirement: For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
Measures: Examples of evidence may include, but are not limited to:
- Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or
- A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.
ROS features: n/a (process/documentation requirement).

Part 2.4
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS and PACS.
Requirement: For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
Measures: An example of evidence may include, but is not limited to, records of implementation of mitigations.

R3

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-3: Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations].

M3

Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in Table 3-3: Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-3: Malicious Code Prevention

Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 3.1
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS and PCA.
Requirement: Deploy method(s) to deter, detect, or prevent malicious code.
Measures: An example of evidence may include, but is not limited to, records of the Responsible Entity’s performance of these processes (e.g., through traditional antivirus, system hardening, policies, etc.).
ROS features: ROS is a monolithic binary which only runs on ROS devices. No code can be added to or changed in this binary. Since nothing can be installed on the device, the malicious-code control for a ROS switch is the integrity of the firmware image itself: only load firmware obtained from the source tracked under Table 3-2 Part 2.1.

Part 3.2
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS and PCA.
Requirement: Mitigate the threat of detected malicious code.
Measures: Examples of evidence may include, but are not limited to:
- Records of response processes for malicious code detection;
- Records of the performance of these processes when malicious code is detected.

Part 3.3
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS and PCA.
Requirement: For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.
Measures: An example of evidence may include, but is not limited to, documentation showing the process used for the update of signatures or patterns.
ROS features: n/a (process/documentation requirement).

R4

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-4: Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment.]

M4

Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in Table 3-4: Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-4: Security Event Monitoring

PartApplicableSystems

Requirement MeasuresROS features toaddress or supportthe requirement

4.1 High Impact BESCyber Systems andtheir associated:1. EACMS;2. PACS; and3. PCA

Log events at theBES Cyber Systemlevel (per BES CyberSystem capability) orat the Cyber Assetlevel (per Cyber

Examples ofevidence mayinclude, but are notlimited to, a paper orsystem generatedlisting of event types

Security relevantactions, events anderrors are logged,including bothsuccessful and failedlogin attempts. Most

Page 14: 109745672 NERC CIP Compliance Matrix ROS ... - Siemens · PDF fileWarranty and Liability NERC CIP Compliance Matrix of RUGGEDCOM ROS Operating System Entry-ID: 109745672, 1.0, 03/2017

3 CIP-007-6: Cyber Security – Systems Security Management

NERC CIP Compliance Matrix of RUGGEDCOM ROS OperatingSystemEntry-ID: 109745672, 1.0, 03/2017 14

S

iem

en

sA

G2

01

7A

llri

gh

tsre

serv

ed

PartApplicableSystems

Requirement MeasuresROS features toaddress or supportthe requirement

Medium Impact BESCyber Systems andtheir associated:1. EACMS;2. PACS;3. PCA

Asset capability) foridentification of,and after-the-factinvestigations of,Cyber SecurityIncidents thatincludes, as aminimum, each ofthe following types ofevents:

4.1.1 Detectedsuccessfulloginattempts;

4.1.2 Detectedfailed accessattempts andfailed loginattempts;

4.1.3 Detectedmaliciouscode.

for which the BESCyber System iscapable of detectingand, for generatedevents, is configuredto log. This listingmust include therequired types ofevents.

logs allow some level ofconfiguration andcustomization.ROS does not generatelogs when a binary isnot accepted (maliciousor otherwise).

4.2 High Impact BESCyber Systems andtheir associated:1. EACMS;2. PACS; and3. PCA

Medium Impact BESCyber Systems withExternal RoutableConnectivity andtheir associated:1. EACMS;2. PACS; and3. PCA

Generate alerts forsecurity events thatthe ResponsibleEntity determinesnecessitates an alert,that includes, as aminimum, each ofthefollowing types ofevents (per CyberAsset or BES CyberSystem capability):4.2.1 Detected

maliciouscode fromPart 4.1; and

4.2.2 Detectedfailure of Part4.1eventlogging.

Examples ofevidence mayinclude, but are notlimited to, paper orsystem generatedlisting of securityevents that theResponsible Entitydeterminednecessitate alerts,including paper orsystem generated listshowing how alertsare configured.

Not a ROS function.

Part 4.3
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
  Measures: Examples of evidence may include, but are not limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.
  ROS features: See ROS support in Part 4.1 compliance response. Logs can be exported to Remote Syslog for retention.

Part 4.4
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
  Requirement: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
  Measures: Examples of evidence may include, but are not limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.
  ROS features: n/a (Process/documentation requirement)

R5
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 3-5: System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M5
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 3-5: System Access Controls and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 3-5: System Access Control
Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 5.1
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Have a method(s) to enforce authentication of interactive user access, where technically feasible.
  Measures: An example of evidence may include, but is not limited to, documentation describing how access is authenticated.
  ROS features: Users must be authenticated to perform actions on the system. When a weak password is configured, ROS will raise an alarm, send SNMP traps and log messages in the syslog. Password length is enforced. Passwords don't expire. Authentication is either ROS based or via AAA server. User sessions time out for all IP services. Brute force protection is available.

Part 5.2
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).
  Measures: An example of evidence may include, but is not limited to, a listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System.
  ROS features: n/a (Process/documentation requirement)

Part 5.3
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Identify individuals who have authorized access to shared accounts.
  Measures: An example of evidence may include, but is not limited to, listing of shared accounts and the individuals who have authorized access to each shared account.

Part 5.4
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Change known default passwords, per Cyber Asset capability.
  Measures: Examples of evidence may include, but are not limited to:
    Records of a procedure that passwords are changed when new devices are in production; or
    Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.
  ROS features: Password changes are supported in ROS.

Part 5.5
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
    5.5.1 Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
    5.5.2 Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
  Measures: Examples of evidence may include, but are not limited to:
    System-generated reports or screen-shots of the system enforced password parameters, including length and complexity; or
    Attestations that include a reference to the documented procedures that were followed.
  ROS features: Password length is configurable in ROS. See ROS support in Part 5.1 compliance response.
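The "lesser of" clauses in Parts 5.5.1 and 5.5.2 are easy to misread as a flat 8-character / 3-class rule; the check below, an added example that is not Siemens or RUGGEDCOM code, measures a candidate password against what the Cyber Asset can actually enforce. The AssetCapability values are assumed sample figures, not limits taken from the ROS documentation.

```python
"""CIP-007-6 R5 Part 5.5 password parameter check.

Added example, not Siemens or RUGGEDCOM code.  Part 5.5.1 requires a length of
at least the lesser of eight characters or the maximum the Cyber Asset supports;
Part 5.5.2 requires the lesser of three character types or the maximum
complexity the asset supports.  The asset capabilities below are assumed sample
values, not figures from the ROS documentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetCapability:
    """What the Cyber Asset can technically enforce (assumed sample values)."""
    max_length: int      # longest password the asset accepts
    max_char_types: int  # distinct character classes it can require (0 to 4)


def char_types(password: str) -> int:
    """Count the Part 5.5.2 classes present: upper, lower, numeric, non-alphanumeric."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(present)


def required_parameters(asset: AssetCapability) -> tuple:
    """(min_length, min_types) the standard requires for this particular asset.

    This is the 'lesser of' clause: an asset that cannot hold eight characters
    or enforce three classes is measured against what it can do, not against 8/3.
    """
    return min(8, asset.max_length), min(3, asset.max_char_types)


def check_password(password: str, asset: AssetCapability) -> list:
    """Return Part 5.5 findings for a candidate password; empty means compliant."""
    min_len, min_types = required_parameters(asset)
    findings = []
    if len(password) < min_len:
        findings.append(f"5.5.1: length {len(password)} is below required {min_len}")
    if char_types(password) < min_types:
        findings.append(
            f"5.5.2: {char_types(password)} character types, {min_types} required"
        )
    return findings


if __name__ == "__main__":
    full = AssetCapability(max_length=32, max_char_types=4)
    for pw in ("Tr0ub4dor!", "password", "ab1"):
        print(pw, check_password(pw, full) or "compliant")
```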

Part 5.6
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; and 2. PACS
  Requirement: Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
  Measures: Examples of evidence may include, but are not limited to:
    System-generated reports or screen-shots of the system enforced periodicity of changing passwords; or
    Attestations that include a reference to the documented procedures that were followed.
  ROS features: This is a process/documentation requirement; ROS supports password changes.

Part 5.7
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Where technically feasible, either:
    Limit the number of unsuccessful authentication attempts; or
    Generate alerts after a threshold of unsuccessful authentication attempts.
  Measures: Examples of evidence may include, but are not limited to:
    Documentation of the account lockout parameters; or
    Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts.
  ROS features: ROS provides brute force attack prevention.
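Part 4.1 asks that the device log successful and failed login attempts, Part 4.3 that those logs be retained (the matrix points to Remote Syslog), and Part 5.7 that a threshold of unsuccessful attempts produce an alert. The script below is an added example, not Siemens or RUGGEDCOM code, that does the syslog-side work for both passages: it tags exported lines with their Part 4.1 event type and raises the Part 5.7 alert. The sample lines and their message wording are constructed for the example and must be adapted to the real device messages; note that no 4.1.3 pattern exists because the matrix states ROS does not log rejected binaries.

```python
"""Classify CIP-007-6 Part 4.1 event types in exported syslog and raise the
Part 5.7 alert after a threshold of unsuccessful authentication attempts.

Added example, not Siemens or RUGGEDCOM code.  The log lines and message wording
are constructed for the example; adapt the regexes to the messages the device
actually sends to the remote syslog server.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export from a remote syslog server (not real device output).
SAMPLE_LOG = """\
Mar 07 10:01:12 sw-sub1 Login successful: user 'admin' from 10.0.0.5 via SSH
Mar 07 10:02:40 sw-sub1 Login failed: user 'admin' from 192.0.2.10 via SSH
Mar 07 10:02:43 sw-sub1 Login failed: user 'root' from 192.0.2.10 via SSH
Mar 07 10:02:47 sw-sub1 Login failed: user 'guest' from 192.0.2.10 via SSH
Mar 07 10:03:01 sw-sub1 Login failed: user 'admin' from 192.0.2.10 via SSH
Mar 07 10:03:05 sw-sub1 Login failed: user 'admin' from 192.0.2.10 via SSH
Mar 07 10:05:30 sw-sub1 Access denied: user 'operator' requested config upload
Mar 07 10:06:00 sw-sub1 Login successful: user 'operator' from 10.0.0.7 via HTTPS
Mar 07 10:07:00 sw-sub1 Alarm: weak password configured for user 'guest'
"""

_LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
_LOGIN_OK = re.compile(r"Login successful: user '[^']*' from (?P<src>\S+)")
_LOGIN_FAIL = re.compile(r"Login failed: user '[^']*' from (?P<src>\S+)")
_ACCESS_DENIED = re.compile(r"Access denied: user '[^']*'")

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    part: str        # "4.1.1" successful login, "4.1.2" failed access/login, "other"
    src: str | None  # source address for login events, else None
    msg: str

def parse(text: str, year: int = 2017) -> list[Event]:
    """Tag each syslog line with its Part 4.1 event type.  Part 4.1.3 (malicious
    code) has no pattern on purpose: the matrix states ROS does not log rejected
    binaries, so that event type cannot come from the device syslog."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not in the expected syslog framing; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, msg = m["host"], m["msg"]
        if (ok := _LOGIN_OK.search(msg)):
            events.append(Event(ts, host, "4.1.1", ok["src"], msg))
        elif (fail := _LOGIN_FAIL.search(msg)):
            events.append(Event(ts, host, "4.1.2", fail["src"], msg))
        elif _ACCESS_DENIED.search(msg):
            events.append(Event(ts, host, "4.1.2", None, msg))
        else:
            events.append(Event(ts, host, "other", None, msg))
    return events

def count_by_part(events: list[Event]) -> Counter:
    """Part 4.1 evidence: how many events of each required type were logged."""
    return Counter(e.part for e in events)

def threshold_alerts(events: list[Event], threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str]]:
    """Part 5.7: alert once a source reaches `threshold` failed logins in `window`.
    Fires once per crossing, not on every further failure."""
    recent: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.part != "4.1.2" or e.src is None:
            continue
        key = (e.src, e.host)
        recent[key] = [t for t in recent[key] if e.ts - t <= window] + [e.ts]
        if len(recent[key]) == threshold:
            alerts.append(key)
    return alerts
```

Running count_by_part over the sample gives the per-type tally an auditor asks for under Part 4.1, and threshold_alerts reports the one source that crossed five failures inside the window.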

4 CIP-010-2: Cyber Security – Configuration Change Management and Vulnerability

Purpose

To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

R1
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 4-1: Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 4-1: Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 4-1: Configuration Change Management
Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 1.1
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Develop a baseline configuration, individually or by group, which shall include the following items:
    1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
    1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
    1.1.3. Any custom software installed;
    1.1.4. Any logical network accessible ports; and
    1.1.5. Any security patches applied.
  Measures: Examples of evidence may include, but are not limited to:
    A spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; or
    A record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group.
  ROS features: The information required to comply is viewable from either the ROS user interface or RUGGEDCOM NMS.

Part 1.2
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Authorize and document changes that deviate from the existing baseline configuration.
  Measures: Examples of evidence may include, but are not limited to:
    A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or
    Documentation that the change was performed in accordance with the requirement.
  ROS features: n/a (Process/documentation requirement)

Part 1.3
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.
  Measures: An example of evidence may include, but is not limited to, updated baseline documentation with a date that is within 30 calendar days of the date of the completion of the change.

Part 1.4
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: For a change that deviates from the existing baseline configuration:
    1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
    1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
    1.4.3. Document the results of the verification.
  Measures: An example of evidence may include, but is not limited to, a list of cyber security controls verified or tested along with the dated test results.

Part 1.5
  Applicable Systems: High Impact BES Cyber Systems
  Requirement: Where technically feasible, for each change that deviates from the existing baseline configuration:
    1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
    1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
  Measures: An example of evidence may include, but is not limited to, a list of cyber security controls tested along with successful test results and a list of differences between the production and test environments with descriptions of how any differences were accounted for, including of the date of the test.

R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in Table 4-2: Configuration Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in Table 4-2: Configuration Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 4-2: Configuration Monitoring
Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 2.1
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
  Requirement: Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
  Measures: An example of evidence may include, but is not limited to, logs from a system that is monitoring the configuration along with records of investigation for any unauthorized changes that were detected.
  ROS features: The ROS configuration can be downloaded and compared to baseline as required. ROS indicates a configuration change via SNMP traps and via logs.
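The matrix says the ROS configuration can be downloaded and compared to the baseline; the code below is an added example, not Siemens or RUGGEDCOM code, of that comparison structured around the five Part 1.1 baseline items, together with the 35-day monitoring cadence of Part 2.1 and the 30-day baseline update window of Part 1.3. The Baseline records, the firmware and patch names and the port set are constructed placeholders, not a real ROS export.

```python
"""CIP-010-2 Part 1.1 baseline items and Part 2.1 change detection.

Added example, not Siemens or RUGGEDCOM code.  The matrix says the ROS
configuration can be downloaded and compared to the baseline; this is that
comparison over the five Part 1.1 items plus the 35-day monitoring cadence of
Part 2.1 and the 30-day baseline update window of Part 1.3.  All values are
constructed samples, not a real ROS export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Baseline:
    """The Part 1.1 items for one Cyber Asset (or a group of like assets)."""
    asset: str
    os_version: str                         # 1.1.1 OS or firmware, incl. version
    commercial_software: frozenset[str]     # 1.1.2 intentionally installed, incl. version
    custom_software: frozenset[str]         # 1.1.3
    open_ports: frozenset[tuple[str, int]]  # 1.1.4 logical network accessible ports
    patches: frozenset[str]                 # 1.1.5 security patches applied


_SET_ITEMS = (("1.1.2", "commercial_software"), ("1.1.3", "custom_software"),
              ("1.1.4", "open_ports"), ("1.1.5", "patches"))


def deviations(baseline: Baseline, observed: Baseline) -> list[str]:
    """One finding per Part 1.1 item that differs; an empty list means no deviation."""
    findings = []
    if baseline.os_version != observed.os_version:
        findings.append(f"1.1.1 changed: {baseline.os_version} -> {observed.os_version}")
    for part, name in _SET_ITEMS:
        before, after = getattr(baseline, name), getattr(observed, name)
        findings += [f"{part} added: {item}" for item in sorted(after - before, key=str)]
        findings += [f"{part} removed: {item}" for item in sorted(before - after, key=str)]
    return findings


def monitoring_overdue(last_check: str, today: str) -> bool:
    """Part 2.1: the baseline must be checked at least once every 35 calendar days.
    Dates are ISO strings (YYYY-MM-DD) so the helper can be driven from a log."""
    return (date.fromisoformat(today) - date.fromisoformat(last_check)).days > 35


def update_deadline(change_completed: str) -> str:
    """Part 1.3: an authorized deviation must be folded into the baseline within 30 days."""
    return (date.fromisoformat(change_completed) + timedelta(days=30)).isoformat()


# Constructed sample: the approved baseline and what a later config download showed.
# Here an extra listening port and an unrecorded patch appeared since approval.
APPROVED = Baseline(
    asset="sw-sub1",
    os_version="firmware-build-A (placeholder)",
    commercial_software=frozenset(),   # a switch OS carries no separate applications
    custom_software=frozenset(),
    open_ports=frozenset({("tcp", 22), ("tcp", 443), ("udp", 161)}),
    patches=frozenset({"patch-2017-01 (placeholder)"}),
)
OBSERVED = Baseline(
    asset="sw-sub1",
    os_version="firmware-build-A (placeholder)",
    commercial_software=frozenset(),
    custom_software=frozenset(),
    open_ports=frozenset({("tcp", 22), ("tcp", 443), ("udp", 161), ("tcp", 23)}),
    patches=frozenset({"patch-2017-01 (placeholder)", "patch-2017-02 (placeholder)"}),
)
```

Each finding names the Part 1.1 item it falls under, so the output can be filed directly as the Part 2.1 investigation record or as the trigger for the Part 1.2 authorization step.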


R3
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R3.

M3
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R3.

Table 4-3: Vulnerability Assessments
Columns: Part | Applicable Systems | Requirement | Measures | ROS features to address or support the requirement

Part 3.1
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
  Measures: Examples of evidence may include, but are not limited to:
    A document listing the date of the assessment (performed at least once every 15 calendar months), the controls assessed for each BES Cyber System along with the method of assessment; or
    A document listing the date of the assessment and the output of any tools used to perform the assessment.
  ROS features: n/a (Process/documentation requirement)

Part 3.2
  Applicable Systems: High Impact BES Cyber Systems
  Requirement: Where technically feasible, at least once every 36 calendar months:
    3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and
    3.2.2 Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
  Measures: An example of evidence may include, but is not limited to, a document listing the date of the assessment (performed at least once every 36 calendar months), the output of the tools used to perform the assessment, and a list of differences between the production and test environments with descriptions of how any differences were accounted for in conducting the assessment.

Part 3.3
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
  Requirement: Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration of the previous or other existing Cyber Asset.
  Measures: An example of evidence may include, but is not limited to, a document listing the date of the assessment (performed prior to the commissioning of the new Cyber Asset) and the output of any tools used to perform the assessment.

Part 3.4
  Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA. Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
  Requirement: Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action items.
  Measures: An example of evidence may include, but is not limited to, a document listing the results or the review or assessment, a list of action items, documented proposed dates of completion for the action plan, and records of the status of the action items (such as minutes of a status meeting, updates in a work order system, or a spreadsheet tracking the action items).

R4
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media.

M4
Evidence shall include each of the documented plan(s) for Transient Cyber Assets and Removable Media that collectively include each of the applicable sections in Attachment and additional evidence to demonstrate implementation of plan(s) for Transient Cyber Assets and Removable Media. Additional examples of evidence per section are located in Attachment. If a Responsible Entity does not use Transient Cyber Asset(s) or Removable Media, examples of evidence include, but are not limited to, a statement, policy, or other document that states the Responsible Entity does not use Transient Cyber Asset(s) or Removable Media.

Table 4-4
Columns: Part | Requirement | ROS features to address or support the requirement
  ALL | ALL | n/a (Process/documentation requirement)

5 References

RUGGEDCOM ROS User Guide

NERC CIP version 5 and version 6 requirements (http://www.nerc.com/pa/CI/Comp/Pages/default.aspx)

6 Glossary of Terms

BES    Bulk Electric System
CCA    Critical Cyber Asset
CIP    Critical Infrastructure Protection
EACMS  Electronic Access Control or Monitoring Systems
EAP    Electronic Access Point
ESP    Electronic Security Perimeter
LEAP   Low Impact BES Cyber System Electronic Access Point
LERC   Low Impact External Routable Connectivity
NERC   North American Electric Reliability Corporation
OS     Operating System
PACS   Physical Access Control Systems
PCA    Protected Cyber Asset

7 Related Literature

Table 7-1

Topic | Title / Link
\1\ Siemens Industry Online Support | http://support.industry.Siemens.com
\2\ Download page of this entry | https://support.industry.siemens.com/cs/ww/en/view/109745672

8 History

Table 8-1

Version Date Modifications

V1.0 03/2017 First version