CIP-005-6 and CIP-010-3 New Requirements Overview August 15, 2019 John Graminski, MBA/TM, CISSP Senior Compliance Auditor, Cyber Security


Page 1: CIP-005-6 and CIP-010-3 › Administrative › CIP-005-6 and...CIP-010-3 is July 1, 2020; at which time the Standards will be mandatory and enforceable. Refer to Project 2016-03 Cyber

CIP-005-6 and CIP-010-3 New Requirements Overview

August 15, 2019

John Graminski, MBA/TM, CISSP

Senior Compliance Auditor, Cyber Security

Page 2

Agenda

▪ Objective

▪ Background

▪ CIP-005-6

• New Requirements Overview

• Takeaways

▪ CIP-010-3

• New Requirements Overview

• Takeaways

▪ Implementation Date

▪ Summary

▪ Questions & Answers

2

Page 3

Objective

To raise awareness and give an overview of the new requirements of CIP-005-6 and CIP-010-3.


Page 4

Background

▪ CIP-005-5 and CIP-010-2 are being modified as part of Project 2016-03 Cyber Security Supply Chain Risk Management.

▪ Under FERC Order No. 829, Page 1, the project develops a new or modified standard to address “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations”.

▪ Includes the new Standard CIP-013-1, Supply Chain Risk Management.

▪ Also includes the modified Standards CIP-005-6 and CIP-010-3, which contain new requirements for supply chain risk management.


Page 5

CIP-005-6 New Requirements


Page 6

CIP-005-6 New Requirements


Page 7

CIP-005-6 Takeaways

▪ R2, Parts 2.4 and 2.5 scope—Covers all remote access sessions with vendors, including Interactive Remote Access and system-to-system remote access.

▪ Part 2.4 objective—Give entities visibility of all active vendor remote access sessions.

▪ Part 2.5 objective—Give entities the ability to disable any active remote access sessions in case of a system breach (FERC Order No. 829, Page 52).


Page 8

CIP-010-3 New Requirements


Page 9

CIP-010-3 Takeaways

▪ R1, Part 1.6 scope—Covers all changes that deviate from an existing baseline configuration associated with baseline items in—

• Part 1.1.1—Operating systems,

• Part 1.1.2—Commercially available or open-source application software, and

• Part 1.1.5—Security patches applied.

▪ R1, Part 1.6.1 objective—Entities verify the identity of the software source.

▪ R1, Part 1.6.2 objective—Entities verify the integrity of the software taken from the source.
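As an added illustration (not part of the presentation), one way an entity might record the Part 1.6.1 and 1.6.2 checks for a single baseline change: the change record layout, the approved-source register and the sample bytes are constructed assumptions, and treating source identity as a fingerprint recorded when the vendor's distribution point or signing key was vetted is one possible method, not something the Standard prescribes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Baseline items the takeaways above list as in scope for Part 1.6.
PART_1_6_ITEMS = {"1.1.1", "1.1.2", "1.1.5"}

# Constructed sample data so the example runs offline.
SAMPLE_PKG = b"vendor-a security patch 4.2.1 (constructed sample bytes)"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PKG).hexdigest()  # digest "published" by the vendor
VENDOR_A_FP = hashlib.sha256(b"constructed vendor-a cert").hexdigest()
# Hypothetical approved-source register: the identity (e.g. a certificate or
# signing-key fingerprint) the entity recorded when it vetted each source.
APPROVED_SOURCES = {"vendor-a-downloads": VENDOR_A_FP}

@dataclass
class BaselineChange:
    baseline_item: str         # CIP-010-3 Part 1.1 item, e.g. "1.1.2"
    source_name: str           # where the software was obtained
    observed_fingerprint: str  # identity the source presented when fetched
    artifact: bytes            # the software obtained from the source
    published_sha256: str      # digest the source published, obtained separately

def verify_source_identity(change, approved=APPROVED_SOURCES):
    """Part 1.6.1: source is in the register and presents the recorded identity."""
    expected = approved.get(change.source_name)
    return expected is not None and hmac.compare_digest(expected, change.observed_fingerprint)

def verify_integrity(change):
    """Part 1.6.2: the obtained bytes hash to the digest the source published."""
    actual = hashlib.sha256(change.artifact).hexdigest()
    return hmac.compare_digest(actual, change.published_sha256.strip().lower())

def evaluate_change(change):
    """Evidence record for one baseline change; Part 1.6 applies only to listed items."""
    if change.baseline_item not in PART_1_6_ITEMS:
        # No Part 1.6 obligation for this item (other CIP-010-3 parts may still apply).
        return {"applies": False, "source_verified": None, "integrity_verified": None, "passes": True}
    src, integ = verify_source_identity(change), verify_integrity(change)
    return {"applies": True, "source_verified": src, "integrity_verified": integ, "passes": src and integ}

def demo():
    cases = [
        BaselineChange("1.1.5", "vendor-a-downloads", VENDOR_A_FP, SAMPLE_PKG, SAMPLE_DIGEST),            # clean
        BaselineChange("1.1.5", "vendor-a-downloads", VENDOR_A_FP, SAMPLE_PKG + b"\x00", SAMPLE_DIGEST),  # altered bytes
        BaselineChange("1.1.2", "mirror-xyz", VENDOR_A_FP, SAMPLE_PKG, SAMPLE_DIGEST),                    # unvetted source
        BaselineChange("1.1.4", "mirror-xyz", "", SAMPLE_PKG, SAMPLE_DIGEST),                             # not a Part 1.6 item
    ]
    return [evaluate_change(c) for c in cases]
```

The second and third cases show that a digest match alone is not enough: software fetched from an unvetted source fails 1.6.1 even when its hash is correct, and the retained record makes each failure auditable.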


Page 10

Implementation Date

The implementation date for CIP-005-6 and CIP-010-3 is July 1, 2020, at which time the Standards will be mandatory and enforceable.

Refer to Project 2016-03 Cyber Security Supply Chain Risk Management (July 2017) for more information:

https://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx


Page 11

Summary

CIP-005-6 and CIP-010-3 include the following new Requirements:

▪ CIP-005-6, Requirement 2, Part 2.4 requires entities to have one or more methods for determining active vendor remote access sessions.

▪ CIP-005-6, Requirement 2, Part 2.5 requires entities to have one or more methods to disable active remote access sessions for vendors.

▪ CIP-010-3, Requirement 1, Part 1.6, for changes to the baseline configuration, requires entities to verify the identity of a software source, and to verify the integrity of the software taken from the source.


Page 12

Contact:

John Graminski, MBA/TM, CISSP

Senior Compliance Auditor, Cyber Security

[email protected]

(360) 823-2452 (Office)

(801) 707-2516 (Cell)
