NERC – Requirements
NERC-CIP Control | Support | AIE Rules | Reports | Investigations |
|---|---|---|---|---|
05‐5 R1 1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. | Direct | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
007‐5 R3. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP‐007‐5 Table R3 – Malicious Code Prevention. 3.1 Deploy method(s) to deter, detect, or prevent malicious code. 3.2 Mitigate the threat of detected malicious code. 3.3 For those methods identified in Part 3.1 that use signatures or patterns, have a process for the updated of the signatures or patterns. The process must address testing and installing the signatures or patterns. | Augmented | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Patches or Signatures Updated Detail |
008‐5 R1. Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber Security Incident Response Plan Specifications. 1.1 One or more processes to identify, classify, and respond to Cyber Security Incidents. 1.2 One or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident and notify the Electricity Sector Information Sharing and Analysis Center (ES‐ISAC), unless prohibited by law. Initial notification to the ES‐ISAC, which may be only a preliminary notice, shall not exceed one hour from the determination of a Reportable Cyber Security Incident. 1.3 The roles and responsibilities of Cyber Security Incident response groups or individuals. 1.4 Incident handling procedures for Cyber Security Incidents. | Augmented | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Hos Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Un-Auth Ports/Apps NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
008‐5 R2. Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP‐008‐5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing. 2.1 Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:
2.2 Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident or performing an exercise of a Reportable Cyber Security Incident. Document deviations from the plan(s) taken during the response to the incident or exercise. 2.3 Retain records related to Reportable Cyber Security Incidents. | Augmented | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Detail NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
008‐5 R3. Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP‐008‐ 5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication. 3.1 No later than 90 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident response: 3.1.1. Document any lessons learned or document the absence of any lessons learned; 3.1.2. Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and 3.1.3. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates to the Cyber Security Incident response plan based on any documented lessons learned. 3.2 No later than 60 calendar days after a change to the roles or responsibilities, Cyber Security Incident response groups or individuals, or technology that the Responsible Entity determines would impact the ability to execute the plan: 3.2.1. Update the Cyber Security Incident response plan(s); and 3.2.2. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates. | Augmented | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: Status Change of Dvc Connected to Host NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary | NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
007 R5. 5.3 Identify individuals who have Authorized access to shared accounts. | Augment | NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule | NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary | NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail |
007‐3 R6. Security Status Monitoring ‐ The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. R6.1. The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter. R6.2. The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents. R6.3. The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP‐008‐3. R6.4. The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days. R6.5. The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs. | Augmented | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Rule NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Vendor Act Management Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Priv Act Management Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Term Act Management Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Default Act Management Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Applications Accessed by User NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Access Failure Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Vendor Act Management Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Priv Act Management Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Term Act Management Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Default Act Management Rule | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Host Authentication Success Detail |
007‐5 R4. 4.2 Generate alerts for security events that the Responsible Entity determines necessitates, an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability): 4.2.1 Detected malicious code from Part 4.1; and 4.2.2 Detected failure of Part 4.1 event logging. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Failure (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Access Failure Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Authentication Failure Summary NERC-CIP: Access Failure Summary NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Summary NERC-CIP: Vendor Act Auth/Accs Success Summary NERC-CIP: Vendor Act Management Summary NERC-CIP: Priv Act Auth/Accs Failure Summary NERC-CIP: Priv Act Auth/Accs Success Summary NERC-CIP: Priv Act Management Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Success Summary NERC-CIP: Default Act Management Summary NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Host Authentication Success Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Detail NERC-CIP: Vendor Act Auth/Accs Success Detail NERC-CIP: Vendor Act Management Detail NERC-CIP: Priv Act Auth/Accs Failure Detail NERC-CIP: Priv Act Auth/Accs Success Detail NERC-CIP: Priv Act Management Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail NERC-CIP: Default Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Success Detail NERC-CIP: Default Act Management Detail NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Patches or Signatures Updated Detail |
007‐5 R4. 4.3 Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances. | Augment | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Vendor Act Management Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Priv Act Management Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Term Act Management Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Default Act Management Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Access Failure Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Authentication Failure Summary NERC-CIP: Access Failure Summary NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Summary NERC-CIP: Vendor Act Auth/Accs Success Summary NERC-CIP: Vendor Act Management Summary NERC-CIP: Priv Act Auth/Accs Failure Summary NERC-CIP: Priv Act Auth/Accs Success Summary NERC-CIP: Priv Act Management Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Success Summary NERC-CIP: Default Act Management Summary NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Host Authentication Success Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Detail NERC-CIP: Vendor Act Auth/Accs Success Detail NERC-CIP: Vendor Act Management Detail NERC-CIP: Priv Act Auth/Accs Failure Detail NERC-CIP: Priv Act Auth/Accs Success Detail NERC-CIP: Priv Act Management Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail NERC-CIP: Default Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Success Detail NERC-CIP: Default Act Management Detail NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Patches or Signatures Updated Detail |
007‐5 R4. 4.4 Review and summarization of sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents. | Augment | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Vendor Act Management Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Priv Act Management Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Term Act Management Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Default Act Management Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr Remote Auth Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Status Change of Dvc Connected to Host Rule NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Access Failure Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Authentication Failure Summary NERC-CIP: Access Failure Summary NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Summary NERC-CIP: Vendor Act Auth/Accs Success Summary NERC-CIP: Vendor Act Management Summary NERC-CIP: Priv Act Auth/Accs Failure Summary NERC-CIP: Priv Act Auth/Accs Success Summary NERC-CIP: Priv Act Management Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Success Summary NERC-CIP: Default Act Management Summary NERC-CIP: Vulnerability Detected Summary NERC-CIP: Top Targeted Assets Summary NERC-CIP: Top Targeted Application Summary NERC-CIP: Top Suspicious Login Summary NERC-CIP: Top Attacker Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Security Failure Exec Summary NERC-CIP: Security Events Exec Summary NERC-CIP: Security Event Summary by Asset NERC-CIP: Security Event Summary by Application NERC-CIP: Misuse by Origin Login Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Summary NERC-CIP: ESP Network denied Ingress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Alarm and Response Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Host Authentication Success Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Detail NERC-CIP: Vendor Act Auth/Accs Success Detail NERC-CIP: Vendor Act Management Detail NERC-CIP: Priv Act Auth/Accs Failure Detail NERC-CIP: Priv Act Auth/Accs Success Detail NERC-CIP: Priv Act Management Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail NERC-CIP: Default Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Success Detail NERC-CIP: Default Act Management Detail NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Data Loss Defender Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: System Critical/Error Status Detail NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Patches or Signatures Updated Detail |
007‐5 R5. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP‐007‐5 Table R5 – System Access Controls. 5.1 Have a method(s) to enforce Authentication of interactive user access, where technically feasible. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Rule NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Default Act Auth/Accs Failure Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Access Failure Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Authentication Failure Summary NERC-CIP: Access Failure Summary NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Summary NERC-CIP: Vendor Act Auth/Accs Success Summary NERC-CIP: Vendor Act Management Summary NERC-CIP: Priv Act Auth/Accs Failure Summary NERC-CIP: Priv Act Auth/Accs Success Summary NERC-CIP: Priv Act Management Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Success Summary NERC-CIP: Default Act Management Summary | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Failed Host Access NERC-CIP: Host Authentication Success Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Detail NERC-CIP: Vendor Act Auth/Accs Success Detail NERC-CIP: Vendor Act Management Detail NERC-CIP: Priv Act Auth/Accs Failure Detail NERC-CIP: Priv Act Auth/Accs Success Detail NERC-CIP: Priv Act Management Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail NERC-CIP: Default Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Success Detail NERC-CIP: Default Act Management Detail |
004‐5 R5. 5.5 For termination actions, change passwords for shared account(s) known to the user within 30 calendar days of the termination action. For reassignments or transfers, change passwords for shared account(s) known to the user within 30 calendar days following the date the Responsible Entity determines that the individual no longer requires retention of that access. If the Responsible Entity determines and documents that extenuating operating circumstances require a longer time period, change the password(s) within 10 calendar days following the end of the operating circumstances. | Augmented | NERC-CIP: Physical Access Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Term Act Management Rule | NERC-CIP: Physical Access Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary NERC-CIP: Account Management Activity NERC-CIP: Password Modified Summary | NERC-CIP: Physical Access Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail NERC-CIP: Account Management Activity NERC-CIP: Password Modified Detail |
004‐5 R5. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access revocation programs that collectively include each of the applicable requirement parts in CIP‐004‐ 5 Table R5 – Access Revocation. 5.1 A process to initiate removal of an individual's ability for unescorted physical access and Interactive Remote Access upon a termination action, and complete the removals within 24 hours of the termination action (Removal of the ability for access may be different than deletion, disabling, revocation, or removal of all access rights.) 5.2 For reassignments or transfers, revoke the individual's Authorized electronic access to individual accounts and Authorized unescorted physical access that the Responsible Entity determines are not necessary by the end of the next calendar day following the date that the Responsible Entity determines that the individual no longer requires retention of that access. 5.3 For terminations actions, revoke the individual's access to the designated storage locations for BES Cyber System Information, whether physical or electronic (unless already revoked according to Requirement R5.1), by the end of the next calendar day following the effective date of the termination action. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail |
004‐5 R5. 5.4 For termination actions, revoke the individual's non‐ shared user accounts (unless already revoked according to Parts 5.1 or 5.3) within 30 calendar days of the effective date of the termination action. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail |
004‐5 R4. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs that collectively include each of the applicable requirement parts in CIP‐004‐5 Table R4 – Access Management Program. 4.1 Process to Authorize based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 4.1.1 Electronic access; 4.1.2 Unescorted physical access into a Physical Perimeter; and 4.1.3 Access to designated storage locations, whether physical or electronic, for BES Cyber System Information. 4.2 Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have Authorization records. 4.3 For electronic access, verify at least once every 15 calendar months that all user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that the Responsible Entity determines are necessary. 4.4 Verify at least once every 15 calendar months that access to the designated storage locations for BES Cyber System Information, whether physical or electronic, are correct and are those that the Responsible Entity determines are necessary for performing assigned work functions. | Augmented | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Rule NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Vendor Act Management Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Success Rule NERC-CIP: Priv Act Management Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Shared Act Management Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Success Rule NERC-CIP: Term Act Management Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Default Act Management Rule | NERC-CIP: Physical Access Summary NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Authentication Failure Summary NERC-CIP: Access Failure Summary NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Summary NERC-CIP: Vendor Act Auth/Accs Success Summary NERC-CIP: Vendor Act Management Summary NERC-CIP: Priv Act Auth/Accs Failure Summary NERC-CIP: Priv Act Auth/Accs Success Summary NERC-CIP: Priv Act Management Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Success Summary NERC-CIP: Shared Act Management Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Success Summary NERC-CIP: Term Act Management Summary NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Success Summary NERC-CIP: Default Act Management Summary | NERC-CIP: Physical Access Detail NERC-CIP: Account Management Activity NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Host Authentication Success Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Detail NERC-CIP: Vendor Act Auth/Accs Success Detail NERC-CIP: Vendor Act Management Detail NERC-CIP: Priv Act Auth/Accs Failure Detail NERC-CIP: Priv Act Auth/Accs Success Detail NERC-CIP: Priv Act Management Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Success Detail NERC-CIP: Shared Act Management Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Success Detail NERC-CIP: Term Act Management Detail NERC-CIP: Default Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Success Detail NERC-CIP: Default Act Management Detail |
006‐5 R1. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented Physical plans that collectively include all of the applicable requirement parts in CIP‐006‐5 Table R1 – Physical Plan. 1.1 Define operational or procedural controls to restrict physical access. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule | NERC-CIP: Physical Access Summary | NERC-CIP Physical Access Detail |
006‐5 R1. 1.2 Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Perimeter to only those individuals who have Authorized unescorted physical access. 1.3 Where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Perimeters to only those individuals who have Authorized unescorted physical access. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule | NERC-CIP: Physical Access Summary | NERC-CIP Physical Access Detail |
006‐5 R1. 1.4 Monitor for unauthorized access through a physical access point into a Physical Perimeter. 1.5 Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection. 1.6 Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System. 1.7 Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule | NERC-CIP: Physical Access Summary | NERC-CIP Physical Access Detail |
006‐5 R1. 1.8 Log (through automated means or by personnel who control entry) entry of each individual with Authorized unescorted physical access into each Physical Perimeter, with information to identify the individual and date and time of entry. | Augmented | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule | NERC-CIP: Physical Access Summary | NERC-CIP Physical Access Detail |
006‐5 R1. 1.9 Retain physical access logs of entry of individuals with Authorized unescorted physical access into each Physical Perimeter for at least ninety calendar days. | Direct | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule | NERC-CIP: Physical Access Summary | NERC-CIP Physical Access Detail |
006‐5 R2. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented visitor control programs that include each of the applicable requirement parts in CIP‐006‐5 Table R2 – Visitor Control Program. 2.1 Require continuous escorted access of visitors (individuals who are provided access but are not Authorized for unescorted physical access) within each Physical Perimeter, except during CIP Exceptional Circumstances. 2.2 Require manual or automated logging of visitor entry into and exit from the Physical Perimeter that includes date and time of the initial entry and last exit, the visitor’s name, and the name of an individual point of contact responsible for the visitor, except during CIP Exceptional Circumstances. 2.3 Retain visitor logs for at least ninety calendar days. | Augmented | NERC-CIP: Physical Access Failure Rule NERC-CIP: Physical Access Success Rule NERC-CIP: Suspicious Physical Access Rule | NERC-CIP: Physical Access Summary | NERC-CIP Physical Access Detail |
007‐5 R2. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP‐007‐5 Table R2 – Security Patch Management. 2.1 A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists. 2.2 At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1 2.3 For applicable patches identified in Part 2.2, within 35 calendar days of evaluation completion, take one of the following actions:
Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations. 2.4 For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate. | Augment | N/A | NERC-CIP: Patches or Signatures Updated Summary | NERC-CIP: Patches or Signatures Updated Detail |
007 R5. 5.4 Change known default passwords, per Cyber Asset capability 5.5 For password‐only Authentication for interactive user access, either technically or procedurally enforce the following password parameters: 5.5.1 Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and 5.5.2 Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non‐ alphanumeric) or the maximum complexity supported by the Cyber Asset. | Augmented | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Suspicious Activity Rule NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: System Critical/Error Status NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: Concur VPN From Multiple Cities NERC-CIP: Concur VPN from Multiple Countries NERC-CIP: Concr VPN from Mltpl Regions NERC-CIP: Concurrent VPN from Same User NERC-CIP: Vulnerability Detected Rule NERC-CIP: Malware Detected Rule NERC-CIP: Attack Detected Rule NERC-CIP: Compromise Detected Rule | NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: System Critical/Error Status Summary NERC-CIP: Compromise Detected Summary NERC-CIP: Vulnerability Detected Summary NERC-CIP: Malware Detected Summary NERC-CIP: Attack Detected Summary NERC-CIP: Suspicious Activity Summary NERC-CIP: Password Modified Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary | NERC-CIP: Compromise Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: Vulnerability Detected Detail NERC-CIP: Suspicious Activity Detail NERC-CIP: Malware Detected Detail NERC-CIP: Attack Detected Detail NERC-CIP: Int Acct Created, Used, Deleted NERC-CIP: System Critical/Error Status Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
007 R5. 5.6 Where technically feasible, for password‐only Authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months. | Augmented | N/A | NERC-CIP: Password Modified Summary | N/A |
005‐5 R1. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP‐005‐5 Table R1 – Electronic Security Perimeter. 1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP. | Augmented | NERC-CIP: System Critical/Error Status Rule NERC-CIP: Rogue WAP Detected Rule NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out | NERC-CIP: Non-encrypted protocol NERC-CIP: System Critical/Error Status Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Denied Ingress Summary NERC-CIP: ESP Network Allowed Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: Rogue WAP Detected Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary | NERC-CIP: Non-encrypted protocol (AIE, Report, Investigation) NERC-CIP: System Critical/Error Status Detail (AIE, Report, Investigation) NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Rogue WAP Detected Detail |
005‐5 R1 1.2 All External Routable Connectivity must be through an identified Electronic Access Point (EAP). | Augment | NERC-CIP: System Critical/Error Status Rule NERC-CIP: Rogue WAP Detected Rule NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out | NERC-CIP: Non-encrypted protocol NERC-CIP: System Critical/Error Status Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Denied Ingress Summary NERC-CIP: ESP Network Allowed Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: Rogue WAP Detected Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary | NERC-CIP: Non-encrypted protocol NERC-CIP: System Critical/Error Status Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: Rogue WAP Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
005‐5 R1 1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default. | Augmented | NERC-CIP: System Critical/Error Status Rule NERC-CIP: Rogue WAP Detected Rule NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: Non-encrypted protocol NERC-CIP: System Critical/Error Status Summary NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Denied Ingress Summary NERC-CIP: ESP Network Allowed Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: Account Management Activity NERC-CIP: Authentication Failure Summary NERC-CIP: Access Failure Summary NERC-CIP: Failed File Access (Linux) NERC-CIP: Failed File Access (Windows) NERC-CIP: Host Authentication Success Summary NERC-CIP: Rogue WAP Detected Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary | NERC-CIP: Non-encrypted protocol NERC-CIP: System Critical/Error Status Detail NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: Account Management Activity NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: Host Authentication Success Detail NERC-CIP: Rogue WAP Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
007 R5. 5.7 Where technically feasible, either:
| Direct | NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Vendor Act Auth/Accs Failure Rule NERC-CIP: Priv Act Auth/Accs Failure Rule NERC-CIP: Shared Act Auth/Accs Failure Rule NERC-CIP: Term Act Auth/Accs Failure Rule NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Account Locked or Disabled Rule | NERC-CIP: Host Authentication Summary NERC-CIP: Authentication Failure Summary NERC-CIP: VPN Node Registration Failure (Auth) NERC-CIP: VPN Node Registration Failure (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Summary NERC-CIP: Priv Act Auth/Accs Failure Summary NERC-CIP: Shared Act Auth/Accs Failure Summary NERC-CIP: Term Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Account Locked or Disabled Summary | NERC-CIP: Host Authentication Success Detail NERC-CIP: Authentication Failure Detail NERC-CIP: Access Failure Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) NERC-CIP: Vendor Act Auth/Accs Failure Detail NERC-CIP: Priv Act Auth/Accs Failure Detail NERC-CIP: Shared Act Auth/Accs Failure Detail NERC-CIP: Term Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Failure Detail |
005‐5 R1 1.4 Where technically feasible, perform Authentication when establishing Dial‐up Connectivity with applicable Cyber Assets.
| Direct
| NERC-CIP: Rogue WAP Detected Rule NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Fail (Auth) NERC-CIP: VPN Node Registration Fail (unAuth) NERC-CIP: Port Misuse: FTP NERC-CIP: Port Misuse: HTTP NERC-CIP: Port Misuse: SSH In NERC-CIP: Port Misuse: SSH Out NERC-CIP: ESP Network Denied Egress Rule NERC-CIP: ESP Network Denied Ingress Rule NERC-CIP: ESP Network Allowed Egress Rule NERC-CIP: ESP Network Allowed Ingress Rule | NERC-CIP: ESP Network Denied Egress Summary NERC-CIP: ESP Network Denied Ingress Summary NERC-CIP: ESP Network Allowed Egress Summary NERC-CIP: ESP Network Allowed Ingress Summary NERC-CIP: Rogue WAP Detected Summary NERC-CIP: Concur VPN Auths Same User NERC-CIP: VPN Node Registration Failure Summary (Auth) NERC-CIP: VPN Node Registration Failure Summary (un-Auth) NERC-CIP: Port Misuse Summary | NERC-CIP: ESP Ingress/Egress Net Detail NERC-CIP: Rogue WAP Detected Detail NERC-CIP: Concur VPN Auths Same User Detail NERC-CIP: VPN Node Registration Failure Detail (Auth) NERC-CIP: VPN Node Registration Failure Detail (un-Auth) |
007 R5. 5.2 Identify and inventory all known enabled default or other generic account types, either by system, by grouped of systems, by location, or by system type(s). | Augment | NERC-CIP: Default Act Auth/Accs Failure Rule NERC-CIP: Default Act Management Rule | NERC-CIP: Default Act Auth/Accs Failure Summary NERC-CIP: Default Act Auth/Accs Success Summary NERC-CIP: Default Act Management Summary | NERC-CIP: Default Act Auth/Accs Failure Detail NERC-CIP: Default Act Auth/Accs Success Detail NERC-CIP: Default Act Management Detail |
010‐1 R1. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP‐010‐1 Table R1 – Configuration Change Management. 1.1 Develop a baseline configuration, individually or by group, which shall include the following items: 1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists; 1.1.2. Any commercially available or open‐source application software (including version) intentionally installed; 1.1.3. Any custom software installed; 1.1.4. Any logical network accessible ports; and 1.1.5. Any security patches applied. 1.2 Authorize and document changes that deviate from the existing baseline configuration. | Augmented | NERC-CIP: Config/Policy Change NERC-CIP: Software Installation Rule NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Summary by Asset NERC-CIP: Software Installation Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Change in Software Config (Window) NERC-CIP: Change in Software Config (Linux) NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Detail NERC-CIP: Software Installation Detail NERC-CIP: Patches or Signatures Updated Detail NERC-CIP: Windows Firewall Change Detail |
010‐1 R1. 1.3 For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change. | Augmented | NERC-CIP: Config/Policy Change NERC-CIP: Software Installation Rule NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Summary by Asset NERC-CIP: Software Installation Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Change in Software Config (Windows) NERC-CIP: Change in Software Config (Linux) NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Detail NERC-CIP: Software Installation Detail NERC-CIP: Patches or Signatures Updated Detail NERC-CIP: Windows Firewall Change Detail |
010‐1 R1.
1.4 For a change that deviates from the existing baseline configuration:
1.4.1. Prior to the change, determine required cyber security controls in CIP‐005 and CIP‐007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification. | Augmented | NERC-CIP: Config/Policy Change NERC-CIP: Software Installation Rule NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Summary by Asset NERC-CIP: Software Installation Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Change in Software Config (Windows) NERC-CIP: Change in Software Config (Linux) NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Detail NERC-CIP: Software Installation Detail NERC-CIP: Patches or Signatures Updated Detail NERC-CIP: Windows Firewall Change Detail |
010‐1 R1.
1.5 Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP‐005 and CIP‐ 007 are not adversely affected; and 1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. | Augmented | NERC-CIP: Config/Policy Change NERC-CIP: Software Installation Rule NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Summary by Asset NERC-CIP: Software Installation Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Change in Software Config (Windows) NERC-CIP: Change in Software Config (Linux) NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Detail NERC-CIP: Software Installation Detail NERC-CIP: Patches or Signatures Updated Detail NERC-CIP: Windows Firewall Change Detail |
010‐1 R2. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring. 2.1 Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes. | Augmented | NERC-CIP: Config/Policy Change NERC-CIP: Software Installation Rule NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Summary by Asset NERC-CIP: Software Installation Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Change in Software Config (Windows) NERC-CIP: Change in Software Config (Linux) NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change Summary NERC-CIP: Status Change of Dvc Connected to Host | NERC-CIP: Config/Policy Change Detail NERC-CIP: Software Installation Detail NERC-CIP: Patches or Signatures Updated Detail NERC-CIP: Windows Firewall Change Detail |
010‐1 R3. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP‐010‐1 Table R3– Vulnerability Assessments. 3.1 At least once every 15 calendar months, conduct a paper or active vulnerability assessment. | Augmented | NERC-CIP: Config/Policy Change NERC-CIP: Software Installation Rule NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change NERC-CIP: Status Change of Dvc Connected to Host NERC-CIP: Vulnerability Detected Rule | NERC-CIP: Config/Policy Change Summary by Asset NERC-CIP: Software Installation Summary NERC-CIP: Patches or Signatures Updated Summary NERC-CIP: Change in Software Config (Windows) NERC-CIP: Change in Software Config (Linux) NERC-CIP: Software Status Change After Attack NERC-CIP: System Time Change After Attack NERC-CIP: Windows Firewall Change Summary NERC-CIP: Status Change of Dvc Connected to Host NERC-CIP: Vulnerability Detected Summary | NERC-CIP: Config/Policy Change Detail NERC-CIP: Software Installation Detail NERC-CIP: Patches or Signatures Updated Detail NERC-CIP: Windows Firewall Change Detail NERC-CIP: Vulnerability Detected Detail |
011‐1 R1. Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP‐011‐1 Table R1 – Information Protection. 1.1 Method(s) to identify information that meets the definition of BES Cyber System Information. 1.2 Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use. | Augmented | NERC-CIP: Backup Critical/Error Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule NERC-CIP: Files Deleted by Admin NERC-CIP: Priv Group Access Granted Rule | NERC-CIP: Backup Critical/Error Status Summary NERC-CIP: Backup Ops Status Summary NERC-CIP: Object Creation/Disposal Summary NERC-CIP: System File Permission Change (Linux) NERC-CIP: System File Permission Change (Windows) NERC-CIP: Group/Role Created Summary NERC-CIP: Group/Role Deleted Summary NERC-CIP: Group/Role Modified Summary NERC-CIP: Priv Group Access Granted Summary NERC-CIP: Status Change of Dvc Connected to Host NERC-CIP: Data Loss Defender Summary NERC-CIP: Files Deleted by Admin NERC-CIP: Failed File Access NERC-CIP: Non-encrypted protocol | NERC-CIP: Backup Critical/Error Status Detail NERC-CIP: Group/Role Created Detail NERC-CIP: Group/Role Deleted Detail NERC-CIP: Group/Role Modified Detail NERC-CIP: Priv Group Access Granted Detail NERC-CIP: Data Loss Defender Detail NERC-CIP: Non-encrypted protocol |
009‐5 R1.
1.5 One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or restrict recovery. | Augmented | NERC-CIP: Backup Critical/Error Rule NERC-CIP: Data Destruction Rule NERC-CIP: Data Exfiltration Rule NERC-CIP: Data Loss Prevention Rule | NERC-CIP: Backup Critical/Error Status Summary NERC-CIP: Backup Ops Status Summary NERC-CIP: Data Loss Defender Summary | NERC-CIP: Backup Critical/Error Status Detail NERC-CIP: Data Loss Defender Detail |
009‐5 R1. Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan Specifications. 1.1 Conditions for activation of the recovery plan(s). 1.2 Roles and responsibilities of responders. 1.3 One or more processes for the backup and storage of information required to recover BES Cyber System functionality. | Augmented | NERC-CIP: Backup Critical/Error Rule | NERC-CIP: Backup Critical/Error Status Summary NERC-CIP: Backup Ops Status Summary | NERC-CIP: Backup Critical/Error Status Detail |
009‐5 R1. 1.4 One or more processes to verify the successful completion of the backup processes in Part 1.3 and to address any backup failures. | Augmented | NERC-CIP: Backup Critical/Error Rule | NERC-CIP: Backup Critical/Error Status Summary NERC-CIP: Backup Ops Status Summary | NERC-CIP: Backup Critical/Error Status Detail |