https://support.industry.siemens.com/cs/ww/en/view/109747098
Application description - 04/2017
NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System
RUGGEDCOM CROSSBOW
NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System
Entry-ID: 109747098, 1.0, 04/2017
© Siemens AG 2017 All rights reserved
Warranty and Liability
Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice.

If there are any deviations between the recommendations provided in these application examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.industry.siemens.com.
Table of Contents

Warranty and Liability
1 Overview
2 CIP-005-5.1: Cyber Security – BES Cyber System Categorization
3 CIP-003-6: Cyber Security – Security Management Controls
4 CIP-04-6: Cyber Security – Personnel & Training
5 CIP-005-5: Cyber Security — Electronic Security Perimeter(s)
6 CIP-006-6: Cyber Security — Physical Security of BES Cyber Systems
7 CIP-007-6: Cyber Security — Systems Security Management
8 CIP-008-5: Cyber Security — Incident Reporting and Response Planning
9 CIP-009-6: Cyber Security — Recovery Plans for BES Cyber Systems
10 CIP-010-2: Cyber Security — Configuration Change Management and Vulnerability
11 CIP-011-2: Cyber Security — Information Protection
12 References
13 Glossary of Terms
14 Related Literature
15 History
1 Overview

On January 21st, 2016, FERC issued Order 822 approving version 6 of the NERC standards involving revisions to seven NERC Critical Infrastructure Protection Standards and six new or modified terms. On February 25, 2016, FERC granted the motion requesting an extension of time for the implementation of the v5 requirements to match the v6 standards, which will generally go into effect on July 1, 2016, with the Low Impact and Transient Devices requirements going into effect on April 1, 2017.

Siemens’ RUGGEDCOM CROSSBOW is a scalable enterprise software solution tailored to provide secure, intermediate access to remote IEDs. It was conceptualized and designed to implement the best practices and procedures from Information Technology (IT) and bring them to the Operation Technology (OT) environment, initially with the needs of the Electric Utilities in mind, but positioned for expansion into other security-sensitive markets. Developed as a centralized solution to provide strong, two-factor authentication for authorized users, it delivers cyber-secure access to remote users for the management of IEDs and their associated files. Through RUGGEDCOM CROSSBOW, an IED maintenance application is allowed to remotely communicate with its associated IEDs as if the users were directly connecting to the device.

The following pages list the NERC CIP standards and requirements for CIP v5 and v6 as they are written to go into effect on July 1, 2016, and how Siemens RUGGEDCOM CROSSBOW can be used to assist as part of a CIP program to address certain requirements.
2 CIP-005-5.1: Cyber Security – BES Cyber System Categorization

Purpose
To identify and categorize BES Cyber Systems and their associated BES Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to mis-operation or instability in the BES.

Table 2-1: CIP-005-5.1: Cyber Security – BES Cyber System Categorization
Part: R1
Requirement: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
  i. Control Centers and backup Control Centers;
  ii. Transmission stations and substations;
  iii. Generation resources;
  iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
  1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
CROSSBOW features to address or support the requirement: CROSSBOW contains a database of all substation cyber assets under its control. Integral critical cyber asset reports identify:
  · All CCAs (for pre-v5 compatibility)
  · All cyber assets
  · High/Medium/Low impact rating
  · All assets added or edited since a given date
  · Key configuration parameters
  · Current firmware version (for select device types)
This function of CROSSBOW allows for easy categorization of impact level (High, Medium, and Low).

Part: M1
Requirement: Acceptable evidence includes, but is not limited to, dated electronic or physical lists required by Requirement R1, and Parts 1.1 and 1.2.

Part: R2
Requirement: The Responsible Entity shall: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
  2.1. Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
  2.2. Have its CIP Senior Manager or delegates approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.
CROSSBOW features to address or support the requirement: Printed Cyber asset report format includes area for review information, e.g. Reviewer name, title, date, & signature. Reports may be scheduled in advance and emailed to assigned reviewers to ensure timely review.

Part: M2
Requirement: Acceptable evidence includes, but is not limited to, electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated, where necessary, the identifications required in Requirement R1 and its parts, and has had its CIP Senior Manager or delegate approve the identifications required in Requirement R1 and its parts at least once every 15 calendar months, even if it has none identified in Requirement R1 and its parts, as required by Requirement R2.
3 CIP-003-6: Cyber Security – Security Management Controls

Purpose
To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

Table 3-1: CIP-003-6: Cyber Security – Security Management Controls
Part: R1
Requirement: Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
  1.1. For its high impact and medium impact BES Cyber Systems, if any:
    1.1.1. Personnel and training (CIP-004);
    1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
    1.1.3. Physical security of BES Cyber Systems (CIP-006);
    1.1.4. System security management (CIP-007);
    1.1.5. Incident reporting and response planning (CIP-008);
    1.1.6. Recovery plans for BES Cyber Systems (CIP-009);
    1.1.7. Configuration change management and vulnerability assessments (CIP-010);
    1.1.8. Information protection (CIP-011); and
    1.1.9. Declaring and responding to CIP Exceptional Circumstances.
  1.2. For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
    1.2.1. Cyber security awareness;
    1.2.2. Physical security controls;
    1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
    1.2.4. Cyber Security Incident response
CROSSBOW features to address or support the requirement: N/A (process documentation requirement)

Part: M1
Requirement: Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.

Part: R2
Requirement: Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.
CROSSBOW features to address or support the requirement: N/A (process documentation requirement)

Part: M2
Requirement: Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2.

Part: R3
Requirement: Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
CROSSBOW features to address or support the requirement: CROSSBOW administrator can identify the person/people responsible for NERC compliance by name and provide them with access to reports only.

Part: M3
Requirement: An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.

Part: R4
Requirement: The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
CROSSBOW features to address or support the requirement: N/A (process documentation requirement)

Part: M4
Requirement: An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.
4 CIP-04-6: Cyber Security – Personnel & Training

Purpose
To minimize the risk against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

R1
Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R1 – Security Awareness Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R1 – Security Awareness Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

R2
Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-6 Table R2 – Cyber Security Training Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M2
Evidence must include the training program that includes each of the applicable requirement parts in CIP-004-6 Table R2 – Cyber Security Training Program and additional evidence to demonstrate implementation of the program(s).

R3
Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 – Personnel Risk Assessment Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M3
Evidence must include the documented personnel risk assessment programs that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 – Personnel Risk Assessment Program and additional evidence to demonstrate implementation of the program(s).

R4
Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R4 – Access Management Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M4
Evidence must include the documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R4 – Access Management Program and additional evidence to demonstrate that the access management program was implemented as described in the Measures column of the table.

Table 4-1: CIP-004-6: Cyber Security – Personnel & Training

Part: ALL
Requirement: ALL
CROSSBOW features to address or support the requirement: n/a (Process/documentation requirement)
5 CIP-005-5: Cyber Security — Electronic Security Perimeter(s)

Purpose
To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1
Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 5-1: CIP-005-5: Table R1 – Electronic Security Perimeter
Part: 1.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems and their associated:
  · PCA
Requirement: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
Measures: An example of evidence may include, but is not limited to, a list of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP.
CROSSBOW features to address or support the requirement: CROSSBOW provides a report of all devices using a routable protocol, by facility.

Part: 1.2
Applicable Systems:
  High Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
Measures: An example of evidence may include, but is not limited to, network diagrams showing all external routable communication paths and the identified EAPs.
CROSSBOW features to address or support the requirement: CROSSBOW provides a report of all Electronic Access Points, by facility.

Part: 1.3
Applicable Systems:
  Electronic Access Points for High Impact BES Cyber Systems
  Electronic Access Points for Medium Impact BES Cyber Systems
Requirement: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
Measures: An example of evidence may include, but is not limited to, a list of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason.
CROSSBOW features to address or support the requirement: A typical CROSSBOW implementation results in the CROSSBOW server being configured as the only system allowed to connect to the EAP for interactive access. This may be enforced with certificates, passwords, or other means.

Part: 1.4
Applicable Systems:
  High Impact BES Cyber Systems with Dial-up Connectivity and their associated:
  · PCA
  Medium Impact BES Cyber Systems with Dial-up Connectivity and their associated:
  · PCA
Requirement: Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
Measures: An example of evidence may include, but is not limited to, a documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection.
CROSSBOW features to address or support the requirement: CROSSBOW supports many 3rd party dial-up EAPs, and provides authenticated access to and through them.

Part: 1.5
Applicable Systems:
  Electronic Access Points for High Impact BES Cyber Systems
  Electronic Access Points for Medium Impact BES Cyber Systems at Control Centers
Requirement: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
Measures: An example of evidence may include, but is not limited to, documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented.
CROSSBOW features to address or support the requirement: CROSSBOW may be used to aggregate logs from EAPs, and generate alerts under specific conditions.
R2
Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations]

M2
Evidence must include the documented processes that collectively address each of the applicable requirement parts in CIP-005-5 Table R2 – Interactive Remote Access Management and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 5-2: CIP-005-5: Table R2 – Interactive Remote Access Management
Part: 2.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
Measures: Examples of evidence may include, but are not limited to, network diagrams or architecture documents.
CROSSBOW features to address or support the requirement: CROSSBOW Secure Access Manager acts as an intermediate system between clients and the Cyber Assets. CROSSBOW permits access to a BES Cyber System or Protected Cyber Asset only to those who have been granted access privileges by an authorized administrator.

Part: 2.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
Measures: An example of evidence may include, but is not limited to, architecture documents detailing where encryption initiates and terminates.
CROSSBOW features to address or support the requirement: CROSSBOW client–server communication is always encrypted. Connections from the server may be encrypted to EAPs which support it.

Part: 2.3
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  · PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  · PCA
Requirement: Require multi-factor authentication for all Interactive Remote Access sessions.
Measures: An example of evidence may include, but is not limited to, architecture documents detailing the authentication factors used. Examples of authenticators may include, but are not limited to,
  · Something the individual knows such as passwords or PINs. This does not include User ID;
  · Something the individual has such as tokens, digital certificates, or smart cards; or
  · Something the individual is such as fingerprints, iris scans, or other biometric characteristics.
CROSSBOW features to address or support the requirement: CROSSBOW makes it technically feasible to secure interactive access to all IEDs, using strong (2-factor) authentication. CROSSBOW’s open architecture allows easy integration with various back-end authentication servers, such as RSA SecurID, RADIUS, or Active Directory.
6 CIP-006-6: Cyber Security — Physical Security of BES Cyber Systems

Purpose
To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

R1
Each Responsible Entity shall implement one or more documented physical security plan(s) that collectively include all of the applicable requirement parts in CIP-006-6 Table R1 – Physical Security Plan. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning and Same Day Operations]

M1
Evidence must include each of the documented physical security plans that collectively include all of the applicable requirement parts in CIP-006-6 Table R1 – Physical Security Plan and additional evidence to demonstrate implementation of the plan or plans as described in the Measures column of the table.

R2
Each Responsible Entity shall implement one or more documented visitor control program(s) that include each of the applicable requirement parts in CIP-006-6 Table R2 – Visitor Control Program. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations.]

M2
Evidence must include one or more documented visitor control programs that collectively include each of the applicable requirement parts in CIP-006-6 Table R2 – Visitor Control Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

R3
Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing program(s) that collectively include each of the applicable requirement parts in CIP-006-6 Table R3 – Maintenance and Testing Program. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]

M3
Evidence must include each of the documented Physical Access Control System maintenance and testing programs that collectively include each of the applicable requirement parts in CIP-006-6 Table R3 – Maintenance and Testing Program and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 6-1: CIP-006-6: Cyber Security – Physical Security of BES Cyber Systems

Part: ALL
Requirement: ALL
CROSSBOW features to address or support the requirement: n/a (Process/documentation requirement)
7 CIP-007-6: Cyber Security — Systems Security Management

Purpose
To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

R1
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R1 – Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations]

M1
Evidence must include the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R1 – Ports and Services and additional evidence to demonstrate implementation as described in the Measures column of the table.

Table 7-1: CIP-007-6: Table R1 – Ports and Services
Part: 1.1
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  1. EACMS;
  2. PACS; and
  3. PCA
  Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
  1. EACMS;
  2. PACS; and
  3. PCA
Requirement: Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.
Measures: Examples of evidence may include, but are not limited to:
  · Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.
  · Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or
  · Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others.
CROSSBOW features to address or support the requirement: CROSSBOW documents all the devices it is connected to and their applicable ports.

Part: 1.2
Applicable Systems:
  High Impact BES Cyber Systems and their associated:
  1. PCA; and
  2. Nonprogrammable communication components located inside both a PSP and an ESP.
  Medium Impact BES Cyber Systems at Control Centers and their associated:
  1. PCA; and
  2. Nonprogrammable communication components located inside both a PSP and an ESP.
Requirement: Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
Measures: An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.
CROSSBOW features to address or support the requirement: n/a (documentation requirement)
R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R2 – Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R2 – Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 7-2: CIP-007-6: Table R2 – Security Patch Management
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part 2.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
Measures:
An example of evidence may include, but is not limited to, documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis.
CROSSBOW features:
SIEMENS performs monthly regression testing of CROSSBOW against all supported operating systems for compatibility with Microsoft OS patches. A notification email is sent to all customers with current maintenance agreements within 3 weeks of the release from Microsoft.
Part 2.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
Measures:
An example of evidence may include, but is not limited to, an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days.
CROSSBOW features:
SIEMENS performs monthly regression testing of CROSSBOW against all supported operating systems for compatibility with Microsoft OS patches. A notification email is sent to all customers with current maintenance agreements within 3 weeks of the release from Microsoft.
Part 2.3
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
· Apply the applicable patches; or
· Create a dated mitigation plan; or
· Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
Measures:
Examples of evidence may include, but are not limited to:
· Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or
· A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.
CROSSBOW features:
CROSSBOW can monitor devices for current software and configuration versions & generate reports.
CROSSBOW may be scripted to apply security patches to field devices
Part 2.4
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS;
Requirement:
For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
Measures:
An example of evidence may include, but is not limited to, records of implementation of mitigations.
CROSSBOW features:
n/a (documentation requirement)
R3
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R3 – Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations]
M3
Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R3 – Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 7-3: CIP-007-6: Table R3 – Malicious Code Prevention
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part 3.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; 3. PCA
Requirement:
Deploy method(s) to deter, detect, or prevent malicious code.
Measures:
An example of evidence may include, but is not limited to, records of the Responsible Entity’s performance of these processes (e.g., through traditional antivirus, system hardening, policies, etc.).
CROSSBOW features:
n/a (process documentation)
Part 3.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Mitigate the threat of detected malicious code.
Measures:
Examples of evidence may include, but are not limited to:
· Records of response processes for malicious code detection
· Records of the performance of these processes when malicious code is detected.
CROSSBOW features:
CROSSBOW can aggregate (using syslog) notifications from other system components, and provide user notifications.
Part 3.3
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.
Measures:
An example of evidence may include, but is not limited to, documentation showing the process used for the update of signatures or patterns.
CROSSBOW features:
n/a (documentation requirement)
R4
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 – Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment]
M4
Evidence must include each of the documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 – Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 7-4: CIP-007-6: Table R4 – Security Event Monitoring
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part 4.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.
Measures:
Examples of evidence may include, but are not limited to, a paper or system generated listing of event types for which the BES Cyber System is capable of detecting and, for generated events, is configured to log. This listing must include the required types of events.
CROSSBOW features:
CROSSBOW logs activities (failed access attempts and failed login), and events for the devices it is connected to. It may aggregate events from EAPs and other devices via syslog, and generate alerts.
Part 4.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.
Measures:
Examples of evidence may include, but are not limited to, paper or system generated listing of security events that the Responsible Entity determined necessitate alerts, including paper or system generated list showing how alerts are configured.
CROSSBOW features:
CROSSBOW has configurable alerts and notifications. Users may be notified within CROSSBOW, via email, or via syslog.
Part 4.3
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.
Measures:
Examples of evidence may include, but are not limited to, documentation of the event log retention process and paper or system generated reports showing log retention configuration set at 90 days or greater.
CROSSBOW features:
Data may be retained indefinitely within the CROSSBOW database.
Part 4.4
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
Requirement:
Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Measures:
Examples of evidence may include, but are not limited to, documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred.
CROSSBOW features:
Data may be retained indefinitely within the CROSSBOW database.
R5
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R5 – System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M5
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table 5 – System Access Controls and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 7-5: CIP-007-6: Table R5 – System Access Controls
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part 5.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Have a method(s) to enforce authentication of interactive user access, where technically feasible.
Measures:
An example of evidence may include, but is not limited to, documentation describing how access is authenticated.
CROSSBOW features:
CROSSBOW makes strong user authentication technically feasible for all device types, by authenticating users' credentials against Active Directory, RADIUS, or 2-Factor Authentication (e.g.: RSA)
Part 5.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).
Measures:
An example of evidence may include, but is not limited to, a listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System.
CROSSBOW features:
CROSSBOW generally eliminates the need for shared accounts. Every user has their own unique account for all activities. The CROSSBOW server becomes the only “user” that connects to devices.
Part 5.3
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Identify individuals who have authorized access to shared accounts.
Measures:
An example of evidence may include, but is not limited to, listing of shared accounts and the individuals who have authorized access to each shared account.
CROSSBOW features:
Systems are normally configured so that the CROSSBOW system is the only “user” to access device accounts. CROSSBOW then manages individual user access permissions.
Part 5.4
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Change known default passwords, per Cyber Asset capability
Measures:
Examples of evidence may include, but are not limited to:
· Records of a procedure that passwords are changed when new devices are in production; or
· Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.
CROSSBOW features:
CROSSBOW allows changing the default password of all devices at any given time to a specific or randomly generated new password.
CROSSBOW has a built-in report to show all devices and the age of all current passwords.
Part 5.5
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
Measures:
Examples of evidence may include, but are not limited to:
· System-generated reports or screen-shots of the system enforced password parameters, including length and complexity; or
· Attestations that include a reference to the documented procedures that were followed.
CROSSBOW features:
CROSSBOW can enforce password length and complexity rules, specified by device type.
Passwords may be automatically changed on a configurable time interval.
Part 5.6
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: 1. EACMS; 2. PACS; and
Requirement:
Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
Measures:
Examples of evidence may include, but are not limited to:
· System-generated reports or screen-shots of the system enforced periodicity of changing passwords; or
· Attestations that include a reference to the documented procedures that were followed.
CROSSBOW features:
CROSSBOW supports various back-end authentication systems (Active Directory, RADIUS, RSA SecurID) that enforce user password rules.
Part 5.7
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems at Control Centers and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Where technically feasible, either:
Limit the number of unsuccessful authentication attempts; or
Generate alerts after a threshold of unsuccessful authentication attempts.
Measures:
Examples of evidence may include, but are not limited to:
· Documentation of the account lockout parameters; or
· Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts.
CROSSBOW features:
CROSSBOW will disable a user account after a configurable number of failed login attempts.
8 CIP-008-5: Cyber Security — Incident Reporting and Response Planning
Purpose
To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.
R1
Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Planning]
M1
Evidence must include each of the documented plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications.
Table 8-1: CIP-008-5: Table R1 – System Access Control
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part 1.1
Applicable Systems:
High Impact BES Cyber Systems
Medium Impact BES Cyber Systems
Requirement:
One or more processes to identify, classify, and respond to Cyber Security Incidents.
Measures:
An example of evidence may include, but is not limited to, dated documentation of Cyber Security Incident response plan(s) that include the process to identify, classify, and respond to Cyber Security Incidents.
CROSSBOW features:
All security events within CROSSBOW are available through reports, syslog, or email.
Part 1.2
Applicable Systems:
High Impact BES Cyber Systems
Medium Impact BES Cyber Systems
Requirement:
One or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident and notify the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law. Initial notification to the ES-ISAC, which may be only a preliminary notice, shall not exceed one hour from the determination of a Reportable Cyber Security Incident.
Measures:
Examples of evidence may include, but are not limited to, dated documentation of Cyber Security Incident response plan(s) that provide guidance or thresholds for determining which Cyber Security Incidents are also Reportable Cyber Security Incidents and documentation of initial notices to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).
CROSSBOW features:
n/a (documentation requirement)
Part 1.3
Applicable Systems:
High Impact BES Cyber Systems
Medium Impact BES Cyber Systems
Requirement:
The roles and responsibilities of Cyber Security Incident response groups or individuals.
Measures:
An example of evidence may include, but is not limited to, dated Cyber Security Incident response process(es) or procedure(s) that define roles and responsibilities (e.g., monitoring, reporting, initiating, documenting, etc.) of Cyber Security Incident response groups or individuals.
CROSSBOW features:
n/a (process documentation requirement)
Part 1.4
Applicable Systems:
High Impact BES Cyber Systems
Medium Impact BES Cyber Systems
Requirement:
Incident handling procedures for Cyber Security Incidents.
Measures:
An example of evidence may include, but is not limited to, dated Cyber Security Incident response process(es) or procedure(s) that address incident handling (e.g., containment, eradication, recovery/incident resolution).
CROSSBOW features:
n/a (process documentation requirement)
R2
Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-Time Operations]
M2
Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.
Table 8-2: CIP-008-5: Table R2 – Cyber Security Incident Response Plan Implementation and Testing
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
ALL | ALL | ALL | ALL | n/a (process documentation requirement)
R3
Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment]
M3
Evidence must include, but is not limited to, documentation that collectively demonstrates maintenance of each Cyber Security Incident response plan according to the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident.
Table 8-3: CIP-008-5: Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
ALL | ALL | ALL | ALL | n/a (process documentation requirement)
9 CIP-009-6: Cyber Security — Recovery Plans for BES Cyber Systems
Purpose
To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.
R1
Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable requirement parts in CIP-009-6 Table R1 – Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning]
M1
Evidence must include the documented recovery plan(s) that collectively include the applicable requirement parts in CIP-009-6 Table R1 – Recovery Plan Specifications.
Table 9-1: CIP-009-6: Table R1 thru R3 – Recovery Plans for BES Cyber Systems
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
ALL | ALL | ALL | ALL | n/a (process documentation requirement)
10 CIP-010-2: Cyber Security — Configuration Change Management and Vulnerability
Purpose
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).
R1
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R1 – Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M1
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R1 – Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 10-1: CIP-010-2: Table R1 – Configuration Change Management
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part 1.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
Measures:
Examples of evidence may include, but are not limited to:
· A spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; or
· A record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group.
CROSSBOW features:
CROSSBOW can create a baseline record for all cyber assets. Reports are available which document firmware versions of all cyber assets.
Part 1.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
Authorize and document changes that deviate from the existing baseline configuration.
Measures:
Examples of evidence may include, but are not limited to:
· A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or
· Documentation that the change was performed in accordance with the requirement.
CROSSBOW features:
CROSSBOW may be used to automate many device monitoring tasks, such as verifying firmware version, and comparing current configuration to an approved baseline.
Configuration changes are logged in the CROSSBOW database.
Part 1.3
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.
Measures:
An example of evidence may include, but is not limited to, updated baseline documentation with a date that is within 30 calendar days of the date of the completion of the change.
CROSSBOW features:
CROSSBOW provides a simple “1-click” method for taking a snapshot of a device configuration and marking it as baseline.
Part 1.4
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement:
For a change that deviates from the existing baseline configuration:
1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification.
Measures:
An example of evidence may include, but is not limited to, a list of cyber security controls verified or tested along with the dated test results.
CROSSBOW features:
n/a (process requirement)
Part 1.5
Applicable Systems:
High Impact BES Cyber Systems
Requirement:
Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Measures:
An example of evidence may include, but is not limited to, a list of cyber security controls tested along with successful test results and a list of differences between the production and test environments with descriptions of how any differences were accounted for, including of the date of the test.
CROSSBOW features:
n/a (process requirement)
R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R2 – Configuration Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R2 – Configuration Monitoring and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 10-2: CIP-010-2: Table R2 – Configuration Monitoring
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part: 2.1
Applicable Systems: High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PCA
Requirement: Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
Measures: An example of evidence may include, but is not limited to, logs from a system that is monitoring the configuration along with records of investigation for any unauthorized changes that were detected.
CROSSBOW features to address or support the requirement: CROSSBOW may be used to automate many tasks, such as verifying firmware version, and comparing current configuration to an approved baseline. Configuration changes are logged in the CROSSBOW database and generate alerts.
11 CIP-011-2: Cyber Security — Information Protection
Purpose
To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).
R1
Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-2 Table R1 – Information Protection. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M1
Evidence for the information protection program must include the applicable requirement parts in CIP-011-2 Table R1 – Information Protection and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 11-1: CIP-011-2: Table R1 – Configuration Monitoring
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part: 1.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement: Method(s) to identify information that meets the definition of BES Cyber System Information.
Measures: Examples of acceptable evidence include, but are not limited to:
· Documented method to identify BES Cyber System Information from entity’s information protection program; or
· Indications on information (e.g., labels or classification) that identify BES Cyber System Information as designated in the entity’s information protection program; or
· Training materials that provide personnel with sufficient knowledge to recognize BES Cyber System Information; or
· Repository or electronic and physical location designated for housing BES Cyber System Information in the entity’s information protection program.
CROSSBOW features to address or support the requirement: n/a (process requirement)
Part: 1.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement: Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.
Measures: Examples of acceptable evidence include, but are not limited to:
· Procedures for protecting and securely handling, which include topics such as storage, security during transit, and use of BES Cyber System Information; or
· Records indicating that BES Cyber System Information is handled in a manner consistent with the entity’s documented procedure(s).
CROSSBOW features to address or support the requirement: CROSSBOW hides or obfuscates BES Cyber System information from all users except authorized administrators.
R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 11-2: CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part: 1.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement: Method(s) to identify information that meets the definition of BES Cyber System Information.
Measures: Examples of acceptable evidence include, but are not limited to:
· Documented method to identify BES Cyber System Information from entity’s information protection program; or
· Indications on information (e.g., labels or classification) that identify BES Cyber System Information as designated in the entity’s information protection program; or
· Training materials that provide personnel with sufficient knowledge to recognize BES Cyber System Information; or
· Repository or electronic and physical location designated for housing BES Cyber System Information in the entity’s information protection program.
CROSSBOW features to address or support the requirement: n/a (process requirement)
Part: 1.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Medium Impact BES Cyber Systems and their associated: 1. EACMS; and 2. PACS
Requirement: Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.
Measures: Examples of acceptable evidence include, but are not limited to:
· Procedures for protecting and securely handling, which include topics such as storage, security during transit, and use of BES Cyber System Information; or
· Records indicating that BES Cyber System Information is handled in a manner consistent with the entity’s documented procedure(s).
CROSSBOW features to address or support the requirement: CROSSBOW hides or obfuscates BES Cyber System information from all users except authorized administrators.
R2
Each Responsible Entity shall implement one or more documented process(es) that collectively include the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
M2
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-011-2 Table R2 – BES Cyber Asset Reuse and Disposal and additional evidence to demonstrate implementation as described in the Measures column of the table.
Table 11-3: CIP-011-2: Table R2 – BES Cyber Asset Reuse and Disposal
Part | Applicable Systems | Requirement | Measures | CROSSBOW features to address or support the requirement
Part: 2.1
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement: Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the “Applicable Systems” column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.
Measures: Examples of acceptable evidence include, but are not limited to:
· Records tracking sanitization actions taken to prevent unauthorized retrieval of BES Cyber System Information such as clearing, purging, or destroying; or
· Records tracking actions such as encrypting, retaining in the Physical Security Perimeter or other methods used to prevent unauthorized retrieval of BES Cyber System Information.
CROSSBOW features to address or support the requirement: This is primarily a process requirement. CROSSBOW’s scripting capabilities could be used to sanitize devices prior to reuse.
Part: 2.2
Applicable Systems:
High Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Medium Impact BES Cyber Systems and their associated: 1. EACMS; 2. PACS; and 3. PCA
Requirement: Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the “Applicable Systems” column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.
Measures: Examples of acceptable evidence include, but are not limited to:
· Records that indicate that data storage media was destroyed prior to the disposal of an applicable Cyber Asset; or
· Records of actions taken to prevent unauthorized retrieval of BES Cyber System Information prior to the disposal of an applicable Cyber Asset.
CROSSBOW features to address or support the requirement: This is primarily a process requirement. CROSSBOW’s scripting capabilities could be used to sanitize devices prior to reuse.
12 References
· RUGGEDCOM CROSSBOW User Guide
· NERC CIP version 5 and version 6 requirements (http://www.nerc.com/pa/CI/Comp/Pages/default.aspx)
13 Glossary of Terms
BES     Bulk Electric System
CCA     Critical Cyber Asset
CIP     Critical Infrastructure Protection
EACMS   Electronic Access Control or Monitoring Systems
LEAP    Low Impact BES Cyber System Electronic Access Point
LERC    Low Impact External Routable Connectivity
NERC    North American Electric Reliability Corporation
PACS    Physical Access Control Systems
PCA     Protected Cyber Asset
14 Related Literature
Table 14-1
No. | Topic | Title / Link
\1\ | Siemens Industry Online Support | http://support.industry.siemens.com
\2\ | Download page of this entry | https://support.industry.siemens.com/cs/ww/en/view/109747098
15 History
Table 15-1
Version Date Modifications
V1.0 04/2017 First version