CIP-003_Workbook_10152019

CIP-003-7 - Cyber Security — Security Management Controls

Attachment 1

Required Sections for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

Responsible Entities shall include each of the sections provided below in the cyber security plan(s) required under Requirement R2. Responsible Entities with multiple-impact BES Cyber Systems ratings can utilize policies, procedures, and processes for their high or medium impact BES Cyber Systems to fulfill the sections for the development of low impact cyber security plan(s). Each Responsible Entity can develop a cyber security plan(s) either by individual asset or groups of assets.

Section 1. Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).

Section 2. Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:

3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR 61850-90-5 R-GOOSE).

3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.

Section 4. Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:

4.1 Identification, classification, and response to Cyber Security Incidents;

4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the

Page 22 of 57