North American Electric Reliability Corporation
(NERC)
Compliance Guide
August 2012
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095
617.247.1717 www.rapid7.com
What is NERC?
The North American Electric Reliability Corporation (NERC)
is a not-for-profit corporation whose mission is to improve the
reliability of the critical systems that create and transport
electricity around the continent. In NERC’s jargon, these critical
systems are called “bulk power systems.”
What does reliability really mean? Reliability = Adequacy + Security
Adequacy: Adequacy means having sufficient resources to provide customers with a continuous supply of electricity
at the proper voltage and frequency, virtually all of the time. In this case, “resources” refers to a combination of
electricity generation and transmission facilities, which produce and deliver electricity. Maintaining adequacy requires
system operators and planners to take into account both scheduled and reasonably expected unscheduled outages of
equipment, while maintaining a constant balance between supply and demand.
Security: Security is perceived as the ability of the bulk power system to:
• Withstand sudden, unexpected disturbances, such as short circuits or unanticipated loss of system elements
due to natural causes.
• Withstand disturbances caused by man-made physical or cyber attacks.
The bulk power system must be planned, designed, built and operated in a manner that takes into account modern
threats and more traditional risks to security.
Who must be NERC compliant?
All bulk power system owners, operators, and users must comply with approved NERC reliability standards. These
entities are required to register with NERC through the appropriate regional entity.
The process for registration is described in the NERC Rules of Procedure, Section 500 and Appendix 5A.
The list of all organizations that are registered and therefore subject to compliance can be found on this page:
Compliance Registry files (NRC). This list is updated monthly.
Who is responsible for NERC compliance?
NERC relies on eight regional entities to monitor compliance with the NERC standards of bulk power system owners,
operators, and users within their regional boundaries.
The members of the regional entities come from all segments of the electric industry: investor-owned utilities, federal
power agencies, rural electric cooperatives, state, municipal and provincial utilities, independent power producers,
power marketers, and end-use customers.
Compliance enforcement methods include regularly scheduled compliance audits, random spot checks, and specific
investigations when warranted by indications that a standard may have been violated.
The NERC audit
The NERC and its related regions have primary responsibilities to:
• Develop an overall audit schedule
• Initiate the audit process for an entity
• Develop and deliver audit criteria and associated documentation to audited entities
• Identify the audit team members
• Coordinate audited entity questionnaires
• Publish the audit findings
Overview of the audit process
1. Entities being audited are informed at least sixty calendar days prior to the on-site audit through the receipt
of a request for information and a questionnaire.
2. Entities have seven calendar days to provide the requested information, and must submit the completed
questionnaire no later than thirty calendar days prior to the audit.
3. The audit team is tasked with reviewing an entity’s questionnaire responses and documentation, performing
the on-site audit, and preparing a report of its findings.
4. The final audit report is posted on the NERC website within sixty calendar days of the completion of the audit.
5. Within forty-five calendar days of the date of audit report posting, the audited entities must supply a response
plan to NERC addressing the report recommendations, including a timeline for implementation. This response
plan will be published on the NERC website when submitted by the entity.
For detailed information about the audit process see: NERC Readiness Audit Procedure
What are the consequences of non-compliance?
Whenever a possible violation is discovered, a thorough review is conducted based on the following considerations:
• The underlying facts and circumstances
• The Reliability Standard at issue
• The potential and actual level of risk to reliability, including mitigating factors
• The registered entity’s compliance program
• The registered entity’s compliance history
Based on this examination, NERC could either issue:
• A formal “Notice of Penalty” (NOP) for alleged violations that constitute a High or Medium risk.
• A formal notice of “Find, Fix, Track and Report” (FFT) in case of alleged violations that constitute a minimal
risk.
• A dismissal.
The details of the investigation are provided to the Federal Energy Regulatory Commission (FERC) in the U.S., or to
applicable governmental authorities in Canada. The information becomes publicly available on the NERC’s website.
What is the NERC compliance framework?
There are 14 sets of reliability standards subject to enforcement:
1. Resource and Demand Balancing (BAL)
2. Communications (COM)
3. Critical Infrastructure Protection (CIP)
4. Emergency Preparedness and Operations (EOP)
5. Facilities Design, Connections, and Maintenance (FAC)
6. Interchange Scheduling and Coordination (INT)
7. Interconnection Reliability Operations and Coordination (IRO)
8. Modeling, Data, and Analysis (MOD)
9. Nuclear (NUC)
10. Personnel Performance, Training, and Qualifications (PER)
11. Protection and Control (PRC)
12. Transmission Operations (TOP)
13. Transmission Planning (TPL)
14. Voltage and Reactive (VAR)
In the context of Information Technology, and more specifically, in the context of cyber threats, “Critical Infrastructure
Protection” (CIP) is the set of relevant standards.
The Critical Infrastructure Protection (CIP) Standards
This guideline is based on NERC CIP version 4, applicable as of June 25, 2012.
NERC-CIP consists of the following standards:
CIP-001 Sabotage Reporting: Requirements related to the communication of information concerning sabotage events to appropriate parties. Disturbances or unusual occurrences suspected or determined to be caused by sabotage shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.
CIP-002 Critical Cyber Asset Identification: Requirements related to the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the Bulk Electric System.
CIP-003 Security Management Controls: Requirements related to the minimum security management controls that must be in place to protect critical cyber assets and associated information: Cyber Security Policy, Security Responsibilities, Information Protection, and Access Control to critical cyber asset information.
CIP-004 Personnel & Training: Requirements related to the security awareness program, security policies, procedures, training, and access management.
CIP-005 Electronic Security Perimeter(s): Requirements related to the protection of access points to Electronic Security Perimeters: access controls, monitoring, vulnerability assessment, and documentation.
CIP-006 Physical Security of Critical Cyber Assets: Requirements related to the physical protection of cyber assets: physical access control, monitoring, logging physical access, log retention, maintenance and testing of physical controls.
CIP-007 Systems Security Management: Requirements related to testing procedures prior to production, ports and services usage, patch management, malicious software prevention, account management, system event monitoring, disposal or redeployment, vulnerability assessment, and documentation.
CIP-008 Incident Reporting and Response Planning: Requirements related to the identification, classification, response, and reporting of Cyber Security Incidents related to critical cyber assets: Incident response plans and documentation.
CIP-009 Recovery Plans for Critical Cyber Assets: Requirements related to business continuity, disaster recovery techniques, and practices associated with the cyber assets: Recovery Plans, Exercises, Change Control, Backup and Restore, Testing Backup Media.
How can organizations comply with NERC?
Each of the above standards includes:
• A description of the standard’s purpose
• The list of responsible entities to which the standard applies
• The list of associated requirements
• The list of measures to demonstrate compliance
• The associated compliance monitoring and enforcement process
• The associated data retention policy
• The associated Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) matrix (determination of risk
factors and severity levels according to the identified gaps).
» Note: The VRF represents the pre-violation potential risk that a standard would pose to the bulk power system if it were violated.
» A VSL is a post-violation measure of the severity of the violation.
» The VSL and VRF are combined to help NERC establish base penalty ranges for particular violations.
How Rapid7 can help
Rapid7 has extensive experience partnering with energy and utility entities such as Sempra Energy, Pedernales Electric
Company, and Southern Company to help them with the complex regulatory environment of the energy sector. Rapid7
provides full end-to-end security solutions and services for energy and utility entities to help them meet NERC-CIP
requirements.
Rapid7 Nexpose is a security risk intelligence solution that proactively supports the entire vulnerability management
lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation.
In the context of the NERC-CIP, Nexpose helps registered entities to:
• Take inventory of their cyber asset systems, services, and installed applications within the Electronic Security
Perimeter(s).
• Detect sensitive data on their critical cyber assets environment by allowing file searching so that if Nexpose
gains access to an asset’s file system in the scanning process, it can search for and retrieve files in that
system.
• Take inventory of open ports and associated services by performing either manual or scheduled discovery
scans.
• Configure asset scanning and reporting based on criteria such as device type, software type, operating system
type, or geographic location.
• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).
• Automate the process for tracking types of operating systems and applications installed on each system,
including information about versions and patch levels.
• Catalog all software, including any malicious software, by using the latest fingerprinting technologies to
identify systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect the presence of unauthorized software within Electronic Security Perimeter(s) and notify designated
organizational officials through alerts generated by an automated mechanism.
• Generate easy-to-use detailed reports with role-based access controls to allow organizations to share
information easily.
• Discover accounts that were terminated, and review results either in the UI or report format, and then use the
data to feed information access and management policies.
• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).
• Test the efficiency of access control systems and policies for critical cyber asset information.
• Test the external and internal boundary defenses of Electronic Security Perimeter(s).
• Test the external and internal boundary defenses whenever new cyber assets are added or significant
changes are made to existing cyber assets within the Electronic Security Perimeter(s).
• Perform comprehensive unified vulnerability scanning of all the electronic access points to the Electronic
Security Perimeter(s).
• Detect misconfigurations, and identify missing patches and malicious software.
• Perform on-going scheduled and ad-hoc scanning of Web applications.
• Provide an automated mechanism to compare the results of vulnerability scans over time to determine trends
in information system vulnerabilities.
• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation
roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in
ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Set up automated monitoring of access controls, including limits on the number of login attempts, password length
requirements, allowable special characters, and other login ID access control policies.
• Set up automated monitoring of software policy settings and misconfigurations, including Web browser
patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications,
including their underlying database servers, network ports, protocols, services, and log policies.
• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).
• Get top-down visibility of the real risk to cyber assets and business operations, enabling them to organize and
prioritize thousands of assets and quickly focus on the items that pose the greatest risk.
• Apply risk scoring to measure violations against established desktop and server configuration management
policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and
database applications.
• Alert of policy violations or misconfigurations.
Rapid7 Metasploit is a penetration testing solution that helps enterprise vulnerability management programs to test
how well their perimeter holds up against real world attacks.
In the context of the NERC-CIP, Metasploit helps registered entities to:
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Test the level of accessibility and exploitability of critical cyber assets.
• Test the efficiency of access control systems and policies within the Electronic Security Perimeter(s).
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
• Enable internal Red Team staff to perform both scheduled and ad-hoc penetration testing of Electronic
Security Perimeter(s).
• Determine the exploitability of identified vulnerabilities.
• Determine if a hacker could access and steal electronic protected information through Web applications.
• Support incident response by providing details on the vulnerabilities and misconfigurations that were exploited,
as well as remediation steps to prevent future exploitation.
Rapid7 Consulting Services help registered entities to:
• Define and refine the scope of their Electronic Security Perimeter(s).
• Evaluate their security controls pertaining to:
  • Communication procedures
  • Cyber asset inventory
  • Cyber security policies
  • Leadership
  • Exception handling
  • Protection of critical information
  • Access controls and change management
  • Awareness and personnel training
  • Personnel risk management and physical access management
  • Protection of Electronic Security Perimeters
  • Physical protection of critical cyber assets
  • Testing procedures
  • Open ports and services management, patch management
  • Disposal
  • Cyber vulnerability assessments
  • Documentation
  • Incident response plans
• Identify gaps in their security program, determine if security policies are being followed in actual day-to-day
operations, and provide guidance on developing missing control policies and procedures required to secure
cyber assets and sensitive information.
• Recommend best practices to optimize data security, including system access policies that limit access to
system components and sensitive data to only those whose job roles absolutely require such access.
• Provide customizable security awareness training to users of their organizational information systems.
• Provide vulnerability management security training and certification to managers and users of organizational
information systems requiring knowledge and technical abilities to detect and validate vulnerabilities on the
IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through
remediation and control.
• Perform an independent analysis and penetration test on delivered information systems, information system
components, and information technology products within their Electronic Security Perimeter(s).
• Audit their recovery plans to identify any gaps that should be addressed in order to successfully back up and
restore systems, and establish procedures to ensure business process continuity and private protection while
operating in emergency mode.
• Assist them in writing documentation required by NERC-CIP.
Rapid7’s community, SecurityStreet, helps registered entities to:
• Stay up-to-date with the latest developments in the vulnerability management and information security areas.
Security Rule standards | Nexpose | Metasploit | Consulting Services
CIP-001 Sabotage Reporting
R1-R4 Communication procedures and guidelines ✓
CIP-002 Critical Cyber Asset Identification
R1-Develop a list of its identified Critical Assets ✓
R2-Critical Cyber Asset Identification ✓ ✓
R3-Annual Approval ✓
CIP-003 Security Management Controls
R1-Cyber Security Policy ✓
R2-Leadership ✓
R3-Exceptions ✓
R4-Information Protection ✓ ✓
R5-Access Control ✓ ✓
CIP-004 Personnel & Training
R1-Awareness ✓
R2-Training ✓
R3-Personnel Risk Assessment ✓
R4-Access ✓
CIP-005 Electronic Security Perimeter(s)
R1-Electronic Security Perimeter ✓ ✓
R2-Electronic Access Controls ✓ ✓ ✓
R3-Monitoring Electronic Access ✓ ✓
R4-Cyber Vulnerability Assessment ✓ ✓ ✓
R5-Documentation Review and Maintenance ✓
CIP-006 Physical Security of Critical Cyber Assets
R1-Physical Security Plan ✓
R2-Protection of Physical Access Control Systems ✓
R3-Protection of Electronic Access Control Systems ✓
R4-Physical Access Controls ✓
R5-Monitoring Physical Access ✓
R6-Logging Physical Access ✓
R7-Access Log Retention ✓
R8-Maintenance and Testing ✓
CIP-007 Systems Security Management
R1-Test Procedures ✓ ✓ ✓
R2-Ports and Services ✓ ✓ ✓
R3-Security Patch Management ✓ ✓ ✓
R4-Malicious Software Prevention ✓ ✓
R5-Account Management ✓ ✓ ✓
R6-Security Status Monitoring ✓ ✓
R7-Disposal or Redeployment ✓
R8-Cyber Vulnerability Assessment ✓ ✓ ✓
R9-Documentation Review and Maintenance ✓
CIP-008 Incident Reporting and Response Planning
R1-Cyber Security Incident Response Plan ✓ ✓ ✓
R2-Cyber Security Incident Documentation ✓ ✓ ✓
CIP-009 Recovery Plans for Critical Cyber Assets
R1-Recovery Plans ✓ ✓
R2-Exercises ✓
R3-Change Control ✓
Rapid7 Solution for NERC-CIP Compliance
This section goes into detail about the nine NERC-CIP Security Standards. Each standard is outlined by its title,
version number, and associated requirements. It also lists the Violation Risk Factor (VRF) of each requirement and describes how Rapid7 Nexpose,
Metasploit, and Consulting Services help with meeting compliance.
CIP-001 Sabotage Reporting
Standard: CIP-001-2a
Associated Requirements (VRF in parentheses):
Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity
shall:
R1 (VRF: -) Have procedures for the recognition of and for making operating personnel aware of sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
R2 (VRF: -) Have procedures for the communication of information concerning sabotage events to appropriate parties in the Interconnection.
R3 (VRF: -) Provide its operating personnel with sabotage response guidelines, including information about which personnel should be contacted to report disturbances due to sabotage events.
R4 (VRF: -) Establish applicable communications contacts with local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials, and develop reporting procedures as appropriate to the circumstances.
» Note: VRFs are undefined.
Use Rapid7 Consulting Services to:
• Evaluate your communication procedures and response guidelines, identify gaps, and provide guidance on
developing missing procedures.
CIP-002 Critical Cyber Asset Identification
Standard: CIP-002-4a
Associated Requirements (VRF in parentheses):
R1 (VRF: H) The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall update this list as necessary, and review it at least annually.
R2 (VRF: H) Critical Cyber Asset Identification — Using the list of critical assets, the Responsible Entity shall develop a list of associated critical cyber assets essential to the operation of the critical assets. The Responsible Entity shall review this list at least annually, and update it as necessary.
R3 (VRF: L) Annual Approval — The senior manager or delegate(s) shall annually approve the list of critical assets and the list of critical cyber assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)’s approval of these lists (even if such lists are null).
Use Rapid7 Nexpose to:
• Take inventory of your cyber asset systems, services, and installed applications using the latest fingerprinting
technologies.
• Get top-down visibility of risk to your cyber assets and business operations, enabling you to organize and
prioritize thousands of assets and quickly focus on the items that pose the greatest risk.
• Get a clear map of the Real Risk posed to your critical cyber assets by the identified vulnerabilities across your
organization’s IT landscape.
Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to the cyber asset inventory, and provide guidance on developing
missing control policies and procedures.
CIP-003 Security Management Controls
Standard: CIP-003-4
Associated Requirements (VRF in parentheses):
R1 (VRF: M) Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
  R1.1 (VRF: L) The cyber security policy addresses the requirements in Standards CIP-002-4 through CIP-009-4, including provisions for emergency situations.
  R1.2 (VRF: L) The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets.
  R1.3 (VRF: L) Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2.
R2 (VRF: L) Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-4 through CIP-009-4.
  R2.1 (VRF: L) The senior manager shall be identified by name, title, and date of designation.
  R2.2 (VRF: L) Changes to the senior manager must be documented within thirty calendar days of the effective date.
  R2.3 (VRF: L) Where allowed by Standards CIP-002-4 through CIP-009-4, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
  R2.4 (VRF: L) The senior manager or delegate(s) shall authorize and document any exceptions from the requirements of the cyber security policy.
R3 (VRF: L) Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).
  R3.1 (VRF: L) Exceptions to the Responsible Entity’s cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s).
  R3.2 (VRF: L) Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures for the exception.
  R3.3 (VRF: M) Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented.
R4 (VRF: M) Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
  R4.1 (VRF: M) The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-4, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.
  R4.2 (VRF: L) The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the critical cyber asset information.
  R4.3 (VRF: L) The Responsible Entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.
R5 (VRF: L) Access Control — The Responsible Entity shall document and implement a program for managing access to protected critical cyber asset information.
  R5.1 (VRF: L) The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
    R5.1.1 Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
    R5.1.2 The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
  R5.2 (VRF: L) The Responsible Entity shall review, at least annually, the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities.
  R5.3 (VRF: L) The Responsible Entity shall assess and document, at least annually, the processes for controlling access privileges to protected information.
R6 (VRF: L) Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software. They shall also implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of critical cyber assets pursuant to the change control process.
Use Rapid7 Nexpose to:
• Detect sensitive data on your critical cyber assets environment by allowing file searching so that if Nexpose
gains access to an asset’s file system in the scanning process, it can search for and retrieve files in that
system.
• Generate easy-to-use detailed reports combined with role-based access controls to allow organizations to
share information easily.
• Audit users and groups on your critical cyber assets.
• Discover accounts that were terminated, and review results either in the UI or in report format, and then use
the data to feed your information access and management policies.
• Set up automated monitoring access controls (including adherence to policies for role-based access) to
validate enforcement of access restrictions.
• Test the efficiency of access control systems and policies for critical cyber asset information.
• Provide an automated mechanism to detect the presence of unauthorized software on critical cyber assets,
and notify designated organizational officials through automated alerts.
Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to cyber security policies, leadership, exception handling,
protection of critical information, access controls, and change management.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day
operations, and provide guidance on developing missing control policies and procedures required to secure
your cyber assets and sensitive information.
CIP-004 Personnel & Training
Standard: CIP-004-4
Associated Requirements (VRF in parentheses):
R1 (VRF: L) Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel with authorized cyber or authorized unescorted physical access to critical cyber assets receive on-going reinforcement in sound security practices.
R2 (VRF: L) Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.
  R2.1 (VRF: M) This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained prior to being granted such access except in specified circumstances such as an emergency.
  R2.2 (VRF: M) Training shall cover the policies, access controls, and procedures, as developed for the critical cyber assets covered by CIP-004-4, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
    R2.2.1 (VRF: L) The proper use of critical cyber assets;
    R2.2.2 (VRF: L) Physical and electronic access controls to critical cyber assets;
    R2.2.3 (VRF: L) The proper handling of critical cyber asset information; and,
    R2.2.4 (VRF: L) Action plans and procedures to recover or re-establish critical cyber assets and access following a Cyber Security Incident.
  R2.3 (VRF: L) The Responsible Entity shall maintain documentation that training is conducted at least annually, including information such as the date training was completed, and attendance records.
R3 (VRF: M) Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements for personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. A personnel risk assessment shall be conducted pursuant to that program, prior to the personnel being granted such access, except in specified circumstances such as an emergency.
  R3.1 (VRF: L) The Responsible Entity shall ensure that each assessment conducted at least includes identity verification (e.g., Social Security Number verification in the U.S.) and a seven-year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position.
  R3.2 (VRF: L) The Responsible Entity shall update each personnel risk assessment for a specific cause and/or at least every seven years after the initial personnel risk assessment.
  R3.3 (VRF: L) The Responsible Entity shall document the results of personnel risk assessments of its personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, and that the personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004-4.
R4 Access — The Responsible Entity shall maintain list(s) of personnel with
authorized cyber or authorized unescorted physical access to critical
cyber assets, including their specific electronic and physical access
rights to critical cyber assets.
L
R4.1 The Responsible Entity shall review the list(s) of its personnel who
have such access to critical cyber assets quarterly, and update the
list(s) within seven calendar days of any change of personnel with such
access to critical cyber assets, or any change in the access rights of
such personnel. The Responsible Entity shall ensure access list(s) for
contractors and service vendors are properly maintained.
L
R4.2 The Responsible Entity shall revoke such access to critical cyber assets
within 24 hours for personnel terminated for cause, and within seven
calendar days for personnel who no longer require such access to
critical cyber assets.
M
Use Rapid7 Consulting Services to:
• Provide customizable security awareness training to users of your organizational information systems.
• Provide vulnerability management security training and certification to managers and users of organizational
information systems requiring knowledge and technical abilities to detect and validate vulnerabilities on the
IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through
remediation and control.
• Evaluate the security controls pertaining to awareness and personnel training, personnel risk assessment, and physical access management.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day
operations, and provide guidance on developing missing control policies and procedures required to secure
your cyber assets and related information.
• Recommend best practices to optimize data security, including system access policies that limit access to
system components and sensitive data to only those whose job roles absolutely require such access.
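The R4, R4.1 and R4.2 obligations above reduce to a reconciliation an auditor will ask to see: every account on a critical cyber asset maps to an entry on the access list, every personnel change is reflected in the list within seven calendar days, and the access itself is gone within 24 hours (terminated for cause) or seven calendar days (no longer required). The Python script below is an added example, not Rapid7 or NERC code. Its access list, per-asset account inventory, change events and dates are constructed inline; in practice they come from the entity's authorization records, account exports from each asset or directory, and HR notifications.

```python
"""Reconcile a CIP-004 R4 access list against observed accounts and personnel changes.

Added example, not Rapid7 or NERC code. All inputs below are constructed.
"""
from datetime import datetime, timedelta

# R4.2 revocation deadlines: 24 hours when terminated for cause, 7 calendar days otherwise.
REVOKE_FOR_CAUSE = timedelta(hours=24)
REVOKE_NO_LONGER_NEEDED = timedelta(days=7)
# R4.1: the list itself must be updated within 7 calendar days of any change.
LIST_UPDATE_WINDOW = timedelta(days=7)

# Constructed authorized access list: (person, asset, access right).
ACCESS_LIST = {
    ("alice", "rtu-gw-01", "ssh"),
    ("alice", "ems-srv-01", "rdp-admin"),
    ("bob", "ems-srv-01", "rdp"),
    ("carol", "hist-db-01", "sql-ro"),
}

# Constructed per-asset account inventory (e.g. from /etc/passwd or a directory export).
OBSERVED_ACCOUNTS = {
    "rtu-gw-01": {"alice", "dave"},   # dave has an account but no access-list entry
    "ems-srv-01": {"alice", "bob"},
    "hist-db-01": {"carol"},
}

# Constructed personnel change events: person -> (reason, effective time).
CHANGES = {
    "bob": ("for_cause", datetime(2012, 8, 1, 9, 0)),
    "carol": ("no_longer_required", datetime(2012, 8, 3, 17, 0)),
}

# Constructed review date and the date the access list was last updated.
AS_OF = datetime(2012, 8, 9, 12, 0)
LIST_LAST_UPDATED = datetime(2012, 7, 31, 0, 0)


def unauthorized_accounts(access_list, observed):
    """Accounts present on an asset without any entry on the access list (R4)."""
    authorized = {(person, asset) for person, asset, _ in access_list}
    return sorted(
        (asset, user)
        for asset, users in observed.items()
        for user in users
        if (user, asset) not in authorized
    )


def revocation_deadline(reason, effective):
    """R4.2 deadline for a given change reason."""
    window = REVOKE_FOR_CAUSE if reason == "for_cause" else REVOKE_NO_LONGER_NEEDED
    return effective + window


def overdue_revocations(access_list, observed, changes, now):
    """Persons whose access still exists past the R4.2 deadline, with hours overdue."""
    findings = []
    for person, (reason, effective) in changes.items():
        deadline = revocation_deadline(reason, effective)
        still_has = [
            (asset, right) for p, asset, right in access_list
            if p == person and person in observed.get(asset, set())
        ]
        if still_has and now > deadline:
            hours_over = (now - deadline).total_seconds() / 3600
            findings.append((person, reason, sorted(still_has), round(hours_over, 1)))
    return sorted(findings)


def list_update_overdue(changes, list_last_updated, now):
    """R4.1: changes older than 7 days that postdate the last access-list update."""
    return sorted(
        person for person, (_, effective) in changes.items()
        if effective > list_last_updated and now - effective > LIST_UPDATE_WINDOW
    )


if __name__ == "__main__":
    for asset, user in unauthorized_accounts(ACCESS_LIST, OBSERVED_ACCOUNTS):
        print(f"UNAUTHORIZED account '{user}' on {asset}: not on the access list")
    for person, reason, rights, hours in overdue_revocations(
            ACCESS_LIST, OBSERVED_ACCOUNTS, CHANGES, AS_OF):
        print(f"OVERDUE revocation for {person} ({reason}): {rights}, {hours} h past deadline")
    for person in list_update_overdue(CHANGES, LIST_LAST_UPDATED, AS_OF):
        print(f"STALE access list: change for {person} not reflected within 7 days")
```

The "unauthorized" case is the one most often missed in practice: a local account created during a vendor visit never appears on the list, so run the reconciliation against accounts actually present on each asset, not only against the list.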
CIP-005 Electronic Security Perimeter(s)
# CIP-005-4a
Associated Requirements (VRF = Violation Risk Factor; L = Lower, M = Medium):
R1 Electronic Security Perimeter — The Responsible Entity shall ensure that every critical cyber asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s). (VRF: M)
R1.1 Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end points (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s). (VRF: M)
R1.2 For a dial-up accessible critical cyber asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device. (VRF: M)
R1.3 Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s). (VRF: M)
R1.4 Any non-critical cyber asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005-4a. (VRF: M)
R1.5 Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4a Requirements R2 and R3; Standard CIP-006-4c Requirement R3; Standard CIP-007-4 Requirements R1 and R3 through R9; Standard CIP-008-4; and Standard CIP-009-4. (VRF: M)
R1.6 The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected critical and non-critical cyber assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points. (VRF: L)
R2 Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s). (VRF: M)
R2.1 These processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified. (VRF: M)
R2.2 At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring cyber assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services. (VRF: M)
R2.3 The Responsible Entity shall implement and maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s). (VRF: M)
R2.4 Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party where technically feasible. (VRF: M)
R2.5 The required documentation shall, at least, identify and describe: (VRF: L)
R2.5.1. The processes for access request and authorization.
R2.5.2. The authentication methods.
R2.5.3. The review process for authorization rights, in accordance with Standard CIP-004-4 Requirement R4.
R2.5.4. The controls used to secure dial-up accessible connections.
R2.6 Appropriate Use Banner — Where technically feasible, electronic access control devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner. (VRF: L)
R3 Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. (VRF: M)
R3.1 For dial-up accessible critical cyber assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring processes at each access point to the dial-up device where technically feasible. (VRF: M)
R3.2 Where technically feasible, the security monitoring processes shall detect and alert of attempts at accesses and/or actual unauthorized accesses. These alerts shall provide appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at accesses and/or actual unauthorized accesses at least every ninety calendar days. (VRF: M)
R4 Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following: (VRF: M)
R4.1 A document identifying the vulnerability assessment process; (VRF: L)
R4.2 A review to verify that only ports and services required for operations at these access points are enabled; (VRF: M)
R4.3 The discovery of all access points to the Electronic Security Perimeter; (VRF: M)
R4.4 A review of controls for default accounts, passwords, and network management community strings; (VRF: M)
R4.5 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (VRF: M)
R5 Documentation Review and Maintenance — The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005-4a. (VRF: L)
R5.1 The Responsible Entity shall ensure that all documentation required by Standard CIP-005-4a reflects current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-4a at least annually. (VRF: L)
R5.2 The Responsible Entity shall update the documentation to reflect modifications of the network or controls within ninety calendar days of the change. (VRF: L)
R5.3 The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4. (VRF: L)
Use Rapid7 Nexpose to:
• Take inventory of your cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect the presence of unauthorized software within the Electronic Security Perimeter(s) and notify designated organizational officials through automatically generated alerts.
• Perform comprehensive unified vulnerability scanning of all electronic access points to the Electronic Security Perimeter(s).
• Get easy-to-use detailed reports combined with role-based access controls so that organizations can share information easily.
• Compare the results of vulnerability scans over time automatically to determine trends in information system vulnerabilities.
• Audit users and groups on critical cyber assets.
• Discover accounts that were terminated, review the results either in the UI or in report format, and use the data to feed your information access and management policies.
• Test the effectiveness of your access control systems and policies.
• Test the external and internal boundary defenses of your Electronic Security Perimeter(s).
• Set up automated monitoring of access controls, including limits on login attempts, password length requirements, allowable special characters, and other login ID access control policies.
• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose's built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).
Use Rapid7 Metasploit to:
• Test the effectiveness of your access control systems and policies within the Electronic Security Perimeter(s).
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Perform external and internal penetration testing of critical cyber assets to determine whether an attacker could access and steal sensitive cyber information. Penetration testing includes network-layer and application-layer tests, and is conducted using Nexpose in conjunction with a variety of specialized tools including Metasploit, the leading open-source penetration testing platform with the world's largest database of public, tested exploits.
Use Rapid7 Consulting Services to:
• Define and refine the scope of your Electronic Security Perimeter(s).
• Evaluate the security controls pertaining to the protection of your Electronic Security Perimeters.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day
operations, and provide guidance on developing missing control policies and procedures required to secure
your cyber assets and data.
• Recommend best practices to optimize data security, including system access policies that limit access to
system components and sensitive data to only those whose job roles absolutely require such access.
• Assist you in writing documentation required by NERC-CIP.
• Perform an independent analysis and penetration test on delivered information systems, information system
components, and information technology products within your Electronic Security Perimeter(s).
CIP-006 Physical Security of Critical Cyber Assets
# CIP-006-4d
Associated Requirements (VRF not given in this guide):
R1 Physical Security Plan — The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s), that shall address, at a minimum, the following:
R1.1 All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed ("six-wall") border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such cyber assets.
R1.2 Identification of all physical access points through each Physical Security Perimeter and measures to control entry at those access points.
R1.3 Processes, tools, and procedures to monitor physical access to the perimeter(s).
R1.4 Appropriate use of physical access controls as described in Requirement R4, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
R1.5 Review of access authorization requests and revocation of access authorization, in accordance with CIP-004-4 Requirement R4.
R1.6 A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following:
R1.6.1. Logs (manual or automated) to document the entry and exit of visitors, including the date and time of entrances and exits from Physical Security Perimeters.
R1.6.2. Continuous escorted access of visitors within the Physical Security Perimeter.
R1.7 Update of the physical security plan within thirty calendar days of the completion of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the Physical Security Perimeter, physical access controls, monitoring controls, or logging controls.
R1.8 Annual review of the physical security plan.
R2 Protection of Physical Access Control Systems — Cyber assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point, such as electronic lock control mechanisms and badge readers, shall:
R2.1 Be protected from unauthorized physical access.
R2.2 Be afforded the protective measures specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4 Requirements R2 and R3; Standard CIP-006-4 Requirements R4 and R5; Standard CIP-007-4; Standard CIP-008-4; and Standard CIP-009-4.
R3 Protection of Electronic Access Control Systems — Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall reside within an identified Physical Security Perimeter.
R4 Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. The Responsible Entity shall implement one or more of the following physical access methods:
• Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
• Special Locks: These include, but are not limited to, locks with "restricted key" systems, magnetic locks that can be operated remotely, and "man-trap" systems.
• Security Personnel: Personnel responsible for controlling physical access that may reside on-site or at a monitoring station.
• Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the critical cyber assets.
R5 Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-4. One or more of the following monitoring methods shall be used:
• Alarm Systems: Systems that raise an alarm to indicate a door, gate, or window has been opened without authorization. These alarms must provide immediate notification to the personnel responsible for response.
• Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
R6 Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals and their times of access, twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:
• Computerized Logging: Electronic logs produced by the Responsible Entity's selected access control and monitoring method.
• Video Recording: Electronic capture of video images of sufficient quality to determine identities.
• Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.
R7 Access Log Retention — The Responsible Entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4.
R8 Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
R8.1 Testing and maintenance of all physical security mechanisms on a cycle that is no longer than three years.
R8.2 Retention of testing and maintenance records for the cycle determined by the Responsible Entity in Requirement R8.1.
R8.3 Retention of outage records regarding access controls, logging, and monitoring for a minimum of one calendar year.
Use Rapid7 Consulting Services to:
• Evaluate the security controls pertaining to the physical protection of your critical cyber assets.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day
operations, and provide guidance on developing missing control policies and procedures.
CIP-007 Systems Security Management
# CIP-007-4
Associated Requirements (VRF = Violation Risk Factor; L = Lower, M = Medium):
R1 Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing cyber assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-4, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. (VRF: M)
R1.1 The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system and/or its operation. (VRF: M)
R1.2 The Responsible Entity shall document that testing is performed in a manner that reflects the production environment. (VRF: L)
R1.3 The Responsible Entity shall document test results. (VRF: L)
R2 Ports and Services — The Responsible Entity shall establish, document, and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled. (VRF: M)
R2.1 The Responsible Entity shall enable only those ports and services required for normal and emergency operations. (VRF: M)
R2.2 The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all cyber assets inside the Electronic Security Perimeter(s). (VRF: M)
R2.3 In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document the compensating measure(s) applied to mitigate risk exposure. (VRF: M)
R3 Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-4 Requirement R6, shall establish, document, and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all cyber assets within the Electronic Security Perimeter(s). (VRF: L)
R3.1 The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. (VRF: L)
R3.2 The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (VRF: L)
R4 Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software ("malware") prevention tools where technically feasible to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets within the Electronic Security Perimeter(s). (VRF: M)
R4.1 The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (VRF: M)
R4.2 The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention "signatures." The process must address testing and installing the signatures. (VRF: M)
R5 Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. (VRF: L)
R5.1 The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of "need to know" with respect to work functions performed. (VRF: M)
R5.1.1. The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003-4 Requirement R5. (VRF: L)
R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. (VRF: L)
R5.1.3. The Responsible Entity shall review, at least annually, user accounts to verify that access privileges are in accordance with Standard CIP-003-4 Requirement R5 and Standard CIP-004-4 Requirement R4. (VRF: M)
R5.2 The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts. (VRF: L)
R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service. (VRF: M)
R5.2.2. The Responsible Entity shall identify those individuals with access to shared accounts. (VRF: L)
R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination). (VRF: M)
R5.3 At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible: (VRF: L)
R5.3.1. Each password shall be a minimum of six characters. (VRF: L)
R5.3.2. Each password shall consist of a combination of alpha, numeric, and "special" characters. (VRF: L)
R5.3.3. Each password shall be changed at least annually, or more frequently based on risk. (VRF: M)
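R5.2 and R5.3 can be checked from exported account metadata without ever handling a password, and the same pass covers the CIP-005 R4.4 review of default accounts and network management community strings on access-point devices. The Python script below is an added example, not Rapid7 or NERC code. Its account inventory, shared-account roster, in-service dates and SNMP community strings are constructed, and the list of vendor default account names and community strings is an assumption to be extended with the entity's own platforms.

```python
"""Audit accounts and credentials against CIP-007 R5.2/R5.3 and CIP-005 R4.4.

Added example, not Rapid7 or NERC code. Only password metadata (length, character
classes, last change date) is handled, never passwords. All inputs are constructed.
"""
from datetime import date

# Assumed lists of vendor default account names and SNMP community strings to flag.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest", "operator"}
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_PASSWORD_LENGTH = 6       # R5.3.1: the compliance floor, not a recommended value
MAX_PASSWORD_AGE_DAYS = 365   # R5.3.3: changed at least annually
REQUIRED_CLASSES = {"alpha", "num", "special"}  # R5.3.2

# Constructed inventory. last_changed is None when the password was never changed
# (the factory default is still in use).
ACCOUNTS = [
    {"asset": "hmi-01", "name": "operator", "enabled": True, "shared": True,
     "pw_len": 8, "classes": {"alpha", "num", "special"}, "last_changed": date(2012, 1, 10)},
    {"asset": "hmi-01", "name": "guest", "enabled": True, "shared": False,
     "pw_len": 5, "classes": {"alpha"}, "last_changed": None},
    {"asset": "ems-srv-01", "name": "alice", "enabled": True, "shared": False,
     "pw_len": 12, "classes": {"alpha", "num", "special"}, "last_changed": date(2011, 6, 1)},
    {"asset": "rtu-gw-01", "name": "admin", "enabled": False, "shared": False,
     "pw_len": 9, "classes": {"alpha", "num", "special"}, "last_changed": date(2012, 7, 1)},
]
# Constructed date each asset was put into service (R5.2.1: default passwords changed before this).
IN_SERVICE = {"hmi-01": date(2011, 3, 1), "ems-srv-01": date(2011, 3, 1), "rtu-gw-01": date(2012, 7, 15)}
# R5.2.2: shared accounts must map to identified individuals (constructed; nobody listed).
SHARED_ROSTER = {("hmi-01", "operator"): set()}
# CIP-005 R4.4: community strings configured on access-point devices (constructed).
SNMP = {"esp-fw-01": ["public", "n3rc-r0"], "esp-jump": ["rmon-2012"]}
AS_OF = date(2012, 8, 6)  # constructed review date


def password_findings(acct, as_of):
    """R5.3 checks on one enabled account's password metadata."""
    out = []
    if acct["pw_len"] < MIN_PASSWORD_LENGTH:
        out.append(f"R5.3.1 password shorter than {MIN_PASSWORD_LENGTH} characters")
    if not REQUIRED_CLASSES <= acct["classes"]:
        out.append("R5.3.2 password lacks alpha+numeric+special mix")
    changed = acct["last_changed"]
    if changed is None or (as_of - changed).days > MAX_PASSWORD_AGE_DAYS:
        out.append("R5.3.3 password not changed within the last year")
    return out


def audit_accounts(accounts, in_service, roster, as_of):
    """Return (asset, account, finding) rows. Disabled accounts produce no findings."""
    rows = []
    for a in accounts:
        key = (a["asset"], a["name"])
        if a["name"] in DEFAULT_ACCOUNT_NAMES and a["enabled"]:
            changed = a["last_changed"]
            # R5.2.1: an enabled default account needs its password changed before service
            if changed is None or changed > in_service[a["asset"]]:
                rows.append(key + ("R5.2.1 default account enabled without password change before service",))
        if a["shared"] and not roster.get(key):
            rows.append(key + ("R5.2.2 shared account with no identified individuals",))
        if a["enabled"]:
            for finding in password_findings(a, as_of):
                rows.append(key + (finding,))
    return rows


def audit_snmp(communities):
    """CIP-005 R4.4: flag vendor default community strings, device by device."""
    return sorted((dev, c) for dev, cs in communities.items()
                  for c in cs if c.lower() in DEFAULT_COMMUNITIES)


if __name__ == "__main__":
    for asset, name, finding in audit_accounts(ACCOUNTS, IN_SERVICE, SHARED_ROSTER, AS_OF):
        print(f"{asset:12} {name:12} {finding}")
    for dev, c in audit_snmp(SNMP):
        print(f"{dev:12} SNMP community '{c}' is a vendor default")
```

Six characters and annual rotation are the CIP-007-4 floor; raise MIN_PASSWORD_LENGTH to the entity's own policy rather than auditing to the minimum. The disabled "admin" account on rtu-gw-01 produces no rows, which is the outcome R5.2.1 prefers over a renamed or rotated default. Any SNMPv1/v2c community string, default or not, travels in cleartext, so the R4.4 review should also record the SNMP version in use on each access-point device.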
R6 Security Status Monitoring — The Responsible Entity shall ensure that all cyber assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. (VRF: L)
R6.1 The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms to monitor for security events on all cyber assets within the Electronic Security Perimeter. (VRF: M)
R6.2 The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents. (VRF: M)
R6.3 The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008-4. (VRF: M)
R6.4 The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days. (VRF: L)
R6.5 The Responsible Entity shall review logs of system events related to cyber security, and maintain records documenting review of logs. (VRF: L)
R7 Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of cyber assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-4. (VRF: L)
R7.1 Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (VRF: L)
R7.2 Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (VRF: L)
R7.3 The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures. (VRF: L)
R8 Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all cyber assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: (VRF: L)
R8.1 A document identifying the vulnerability assessment process. (VRF: L)
R8.2 A review to verify that only ports and services required for operation of the cyber assets within the Electronic Security Perimeter are enabled. (VRF: M)
R8.3 A review of controls for default accounts. (VRF: M)
R8.4 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (VRF: M)
R9 Documentation Review and Maintenance — The Responsible Entity shall review and update the documentation specified in Standard CIP-007-4 at least annually. Changes resulting from modifications to the systems or controls shall be documented within thirty calendar days of the change being completed. (VRF: L)
Use Rapid7 Nexpose to:
• Test your external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter.
• Detect misconfigurations, identify missing patches, and find malicious software.
• Perform ongoing scheduled and ad-hoc scanning of Web applications.
• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose's built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Take inventory of systems, open ports, and associated services by performing either manual or scheduled discovery scans.
• Configure asset scanning and reporting based on specific criteria such as device type, software type, operating system type, or geographic location.
• Automate asset discovery and identification within the Electronic Security Perimeter(s).
• Automatically track the operating systems and applications installed on each system, including versions and patch levels.
• Catalog all software, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).
• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.
• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.
• Alert on policy violations or misconfigurations.
• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).
• Discover accounts that were terminated, review the results either in the UI or in report format, and use the data to feed your information access and management policies.
• Set up automated monitoring of access controls (including adherence to policies for role-based access) to validate enforcement of access restrictions.
Use Rapid7 Metasploit to:
• Enable your internal Red Team staff to perform both scheduled and ad-hoc penetration testing of your Electronic Security Perimeter(s).
• Determine the exploitability of identified vulnerabilities.
• Perform external and internal penetration testing and use reporting to document findings, either to prepare for an external audit or to conduct a security assessment in-house.
• Test external and internal boundary defenses upon infrastructure changes.
• Test the level of accessibility and exploitability of critical cyber assets.
• Determine whether an attacker could access and steal protected electronic information through Web applications.
• Test the effectiveness of access control systems and policies.
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
Use Rapid7 Consulting Services to:
• Evaluate the security controls pertaining to testing procedures, open ports and services management, patch management, disposal, and cyber vulnerability assessments and their documentation.
• Identify gaps in your security program, determine whether security policies are being followed in actual day-to-day operations, and provide guidance on developing the missing control policies and procedures required to secure your cyber assets and related information from external threats.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Assist you in writing the documentation required by NERC CIP.
• Perform an independent analysis and penetration test of delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).
CIP-008 Incident Reporting and Response Planning
#CIP-008-4
Associated Requirements (VRF = Violation Risk Factor):
R1 Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following: (VRF: L)
R1.1 Procedures to characterize and classify events as reportable Cyber Security Incidents. (VRF: L)
R1.2 Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans. (VRF: L)
R1.3 Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC, either directly or through an intermediary. (VRF: L)
R1.4 Process for updating the Cyber Security Incident response plan within thirty calendar days of any changes. (VRF: L)
R1.5 Process for ensuring that the Cyber Security Incident response plan is reviewed at least annually. (VRF: L)
R1.6 Process for ensuring the Cyber Security Incident response plan is tested at least annually. A test of the Cyber Security Incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident. (VRF: L)
R2 Cyber Security Incident Documentation — The Responsible Entity shall keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years. (VRF: L)
Use Rapid7 Nexpose to:
• Get a clear map of the Real Risk posed by the identified vulnerabilities across your organization's IT landscape. Nexpose combines real exploit and malware intelligence with CVSS base scores, temporal scoring, environmental considerations (e.g., any mitigating controls in place), and asset criticality for risk classification.
• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose's built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
Use Rapid7 Nexpose and Metasploit to:
• Support your incident response by providing details on the vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploitation.
Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to your incident response plan, identify gaps in your security program, determine whether security policies are being followed in actual day-to-day operations, and provide guidance on developing the missing control policies and procedures required to secure your cyber assets and related information from external threats.
CIP-009 Recovery Plans for Critical Cyber Assets
#CIP-009-4
Associated Requirements (VRF = Violation Risk Factor):
R1 Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) shall address at a minimum the following: (VRF: M)
R1.1 Specific required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s). (VRF: M)
R1.2 Defined roles and responsibilities of responders. (VRF: M)
R2 Exercises — The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. (VRF: L)
R3 Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed. (VRF: L)
R4 Backup and Restore — The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc. (VRF: L)
R5 Testing Backup Media — Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site. (VRF: L)
Use Rapid7 Nexpose to:
• Keep a continuous record of historical scan data showing a device's previous state, for reference when restoring it.
• Use Nexpose's automated backup utility to save copies of its data to a backup server.
Use Rapid7 Consulting Services to:
• Audit your recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and data protection while operating in emergency mode.
To see how Rapid7's IT Security Risk Management suite can benefit your organization, visit Rapid7.com.
Life's a Breach: Yahoo Gets Burned by SQL Injection
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government Sector
 
Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance Guide
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher Education
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization Security
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing Attacks
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIO
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

Rapid7 NERC-CIP Compliance Guide

North American Electric Reliability Corporation (NERC)
Compliance Guide
August 2012

Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095
617.247.1717 www.rapid7.com

What is NERC?

The North American Electric Reliability Corporation (NERC) is a not-for-profit corporation whose mission is to improve the reliability of the critical systems that create and transport electricity around the continent. In NERC’s jargon, these critical systems are called “bulk power systems.”

What does reliability really mean? Reliability = Adequacy + Security

Adequacy: Adequacy means having sufficient resources to provide customers with a continuous supply of electricity at the proper voltage and frequency, virtually all of the time. In this case, “resources” refers to a combination of electricity generation and transmission facilities, which produce and deliver electricity. Maintaining adequacy requires system operators and planners to take into account both scheduled and reasonably expected unscheduled outages of equipment, while maintaining a constant balance between supply and demand.

Security: Security is perceived as the ability of the bulk power system to:
• Withstand sudden, unexpected disturbances, such as short circuits or unanticipated loss of system elements due to natural causes.
• Withstand disturbances caused by man-made physical or cyber attacks.

The bulk power system must be planned, designed, built and operated in a manner that takes into account modern threats and more traditional risks to security.

Who must be NERC compliant?

All bulk power system owners, operators, and users must comply with approved NERC reliability standards. These entities are required to register with NERC through the appropriate regional entity.

The process for registration is described in the NERC Rules of Procedure, Section 500 and Appendix 5A.

The list of all organizations that are registered and therefore subject to compliance can be found on this page: Compliance Registry files (NRC). This list is updated monthly.
Who is responsible for NERC compliance?

NERC relies on eight regional entities to monitor compliance with the NERC standards by the bulk power system owners, operators, and users within their regional boundaries. The members of the regional entities come from all segments of the electric industry: investor-owned utilities, federal power agencies, rural electric cooperatives, state, municipal and provincial utilities, independent power producers, power marketers, and end-use customers.

Compliance enforcement methods include regularly scheduled compliance audits, random spot checks, and specific investigations when warranted by indications that a standard may have been violated.
The NERC audit

NERC and its related regions have primary responsibility to:
• Develop an overall audit schedule
• Initiate the audit process for an entity
• Develop and deliver audit criteria and associated documentation to audited entities
• Identify the audit team members
• Coordinate audited entity questionnaires
• Publish the audit findings

Overview of the audit process

1. Entities being audited are informed at least sixty calendar days prior to the on-site audit through the receipt of a request for information and a questionnaire.
2. Entities have seven calendar days to provide the requested information, and must submit the completed questionnaire no later than thirty calendar days prior to the audit.
3. The audit team is tasked with reviewing an entity’s questionnaire responses and documentation, performing the on-site audit, and preparing a report of its findings.
4. The final audit report is posted on the NERC website within sixty calendar days of the completion of the audit.
5. Within forty-five calendar days of the date of audit report posting, the audited entities must supply a response plan to NERC addressing the report recommendations, including a timeline for implementation. This response plan will be published on the NERC website when submitted by the entity.

For detailed information about the audit process see: NERC Readiness Audit Procedure

What are the consequences of non-compliance?

Whenever a possible violation is discovered, a thorough review is conducted based on the following considerations:
• The underlying facts and circumstances
• The Reliability Standard at issue
• The potential and actual level of risk to reliability, including mitigating factors
• The registered entity’s compliance program
• The registered entity’s compliance history
Based on this examination, NERC may issue one of the following:
• A formal “Notice of Penalty” (NOP) for alleged violations that constitute a High or Medium risk.
• A formal notice of “Find, Fix, Track and Report” (FFT) for alleged violations that constitute a minimal risk.
• A dismissal.

The details of the investigation are provided to the Federal Energy Regulatory Commission (FERC) in the U.S., or to applicable governmental authorities in Canada. The information becomes publicly available on NERC’s website.

What is the NERC compliance framework?

There are 14 sets of reliability standards subject to enforcement:
1. Resource and Demand Balancing (BAL)
2. Communications (COM)
3. Critical Infrastructure Protection (CIP)
4. Emergency Preparedness and Operations (EOP)
5. Facilities Design, Connections, and Maintenance (FAC)
6. Interchange Scheduling and Coordination (INT)
7. Interconnection Reliability Operations and Coordination (IRO)
8. Modeling, Data, and Analysis (MOD)
9. Nuclear (NUC)
10. Personnel Performance, Training, and Qualifications (PER)
11. Protection and Control (PRC)
12. Transmission Operations (TOP)
13. Transmission Planning (TPL)
14. Voltage and Reactive (VAR)

In the context of Information Technology, and more specifically in the context of cyber threats, “Critical Infrastructure Protection” (CIP) is the set of relevant standards.
The Critical Infrastructure Protection (CIP) Standards

This guideline is based on NERC CIP version 4, applicable as of June 25, 2012. NERC-CIP consists of the following standards:

CIP-001 Sabotage Reporting
Requirements related to the communication of information concerning sabotage events to appropriate parties. Disturbances or unusual occurrences suspected or determined to be caused by sabotage shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.

CIP-002 Critical Cyber Asset Identification
Requirements related to the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the Bulk Electric System.

CIP-003 Security Management Controls
Requirements related to the minimal security management controls that must be in place to protect critical cyber assets and associated information: Cyber Security Policy, Security Responsibilities, Information Protection, and Access Control to critical cyber asset information.

CIP-004 Personnel & Training
Requirements related to the security awareness program, security policies, procedures, training, and access management.

CIP-005 Electronic Security Perimeter(s)
Requirements related to the protection of access points to Electronic Security Perimeters: access controls, monitoring, vulnerability assessment, and documentation.

CIP-006 Physical Security of Critical Cyber Assets
Requirements related to the physical protection of cyber assets: physical access control, monitoring, logging physical access, log retention, maintenance and testing of physical controls.
CIP-007 Systems Security Management
Requirements related to testing procedures prior to production, ports and services usage, patch management, malicious software prevention, account management, system event monitoring, disposal or redeployment, vulnerability assessment, and documentation.

CIP-008 Incident Reporting and Response Planning
Requirements related to the identification, classification, response, and reporting of Cyber Security Incidents related to critical cyber assets: incident response plans and documentation.

CIP-009 Recovery Plans for Critical Cyber Assets
Requirements related to business continuity, disaster recovery techniques, and practices associated with the cyber assets: Recovery Plans, Exercises, Change Control, Backup and Restore, Testing Backup Media.

How can organizations comply with NERC?

Each of the above standards includes:
• A description of the standard’s purpose
• The list of responsible entities to which the standard applies
• The list of associated requirements
• The list of measures to demonstrate compliance
• The associated compliance monitoring and enforcement process
• The associated data retention policy
• The associated Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) matrix (determination of risk factors and severity levels according to the identified gaps).
  » Note: The VRF represents the pre-violation potential risk that a standard would pose to the bulk power system if it were violated.
  » A VSL is a post-violation measure of the severity of the violation.
  » The VSL and VRF are combined to help NERC establish base penalty ranges for particular violations.
How Rapid7 can help

Rapid7 has extensive experience partnering with energy and utility entities such as Sempra Energy, Pedernales Electric Company, and Southern Company to help them with the complex regulatory environment of the energy sector. Rapid7 provides full end-to-end security solutions and services for energy and utility entities to help them meet NERC-CIP requirements.

Rapid7 Nexpose is a security risk intelligence solution that proactively supports the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation. In the context of the NERC-CIP, Nexpose helps registered entities to:
• Take inventory of their cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect sensitive data in their critical cyber asset environment through file searching: if Nexpose gains access to an asset’s file system during scanning, it can search for and retrieve files on that system.
• Take inventory of open ports and associated services by performing either manual or scheduled discovery scans.
• Configure asset scanning and reporting based on criteria such as device type, software type, operating system type, or geographic location.
• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).
• Automate the process for tracking the types of operating systems and applications installed on each system, including information about versions and patch levels.
• Catalog all software (including any malicious software) by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect the presence of unauthorized software within Electronic Security Perimeter(s) and notify designated organizational officials through alerts generated by an automated mechanism.
• Generate easy-to-use detailed reports with role-based access controls to allow organizations to share information easily.
• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed information access and management policies.
• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).
• Test the efficiency of access control systems and policies for critical cyber asset information.
• Test the external and internal boundary defenses of Electronic Security Perimeter(s).
• Test the external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter(s).
• Perform comprehensive unified vulnerability scanning of all the electronic access points to the Electronic Security Perimeter(s).
• Detect misconfigurations, and identify missing patches and malicious software.
• Perform on-going scheduled and ad-hoc scanning of Web applications.
• Provide an automated mechanism to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Set up automated monitoring of access controls, including a limited number of login attempts, password length requirements, allowable special characters, and other login ID access control policies.
• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.
• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).
• Get top-down visibility of the real risk to cyber assets and business operations, enabling them to organize and prioritize thousands of assets and quickly focus on the items that pose the greatest risk.
• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.
• Alert on policy violations or misconfigurations.

Rapid7 Metasploit is a penetration testing solution that helps enterprise vulnerability management programs test how well their perimeter holds up against real-world attacks. In the context of the NERC-CIP, Metasploit helps registered entities to:
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Test the level of accessibility and exploitability of critical cyber assets.
• Test the efficiency of access control systems and policies within the Electronic Security Perimeter(s).
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
• Enable internal Red Team staff to perform both scheduled and ad-hoc penetration testing of Electronic Security Perimeter(s).
• Determine the exploitability of identified vulnerabilities.
• Determine if a hacker could access and steal electronic protected information through Web applications.
• Support incident response by providing details on the vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploits.

Rapid7 Consulting Services help registered entities to:
• Define and refine the scope of their Electronic Security Perimeter(s).
• Evaluate their security controls pertaining to:
  • Communication procedures
  • Cyber asset inventory
  • Cyber security policies
  • Leadership
  • Exception handling
  • Protection of critical information
  • Access controls and change management
  • Awareness and personnel training
  • Personnel risk management and physical access management
  • Protection of Electronic Security Perimeters
  • Physical protection of critical cyber assets
  • Testing procedures
  • Open ports and services management, patch management
  • Disposal
  • Cyber vulnerability assessments
  • Documentation
  • Incident response plans
• Identify gaps in their security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing the missing control policies and procedures required to secure cyber assets and sensitive information.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Provide customizable security awareness training to users of their organizational information systems.
• Provide vulnerability management security training and certification to managers and users of organizational information systems who require the knowledge and technical abilities to detect and validate vulnerabilities on the IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through remediation and control.
• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within their Electronic Security Perimeter(s).
• Audit their recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and private protection while operating in emergency mode.
• Assist them in writing documentation required by NERC-CIP.

Rapid7’s community, SecurityStreet, helps registered entities to:
• Stay up-to-date with the latest developments in the vulnerability management and information security areas.

Security Rule | Standards | Nexpose | Metasploit | Consulting Services
CIP-001 Sabotage Reporting | R1-R4: Communication procedures and guidelines | | |
CIP-002 Critical Cyber Asset Identification | R1: Develop a list of its identified Critical Assets | | |
 | R2: Critical Cyber Asset Identification | | |
 | R3: Annual Approval | | |
CIP-003 Security Management Controls | R1: Cyber Security Policy | | |
 | R2: Leadership | | |
 | R3: Exceptions | | |
 | R4: Information Protection | | |
 | R5: Access Control | | |
CIP-004 Personnel & Training | R1: Awareness | | |
 | R2: Training | | |
 | R3: Personnel Risk Assessment | | |
 | R4: Access | | |
CIP-005 Electronic Security Perimeter(s) | R1: Electronic Security Perimeter | | |
 | R2: Electronic Access Controls | | |
 | R3: Monitoring Electronic Access | | |
 | R4: Cyber Vulnerability Assessment | | |
 | R5: Documentation Review and Maintenance | | |
CIP-006 Physical Security of Critical Cyber Assets | R1: Physical Security Plan | | |
 | R2: Protection of Physical Access Control Systems | | |
 | R3: Protection of Electronic Access Control Systems | | |
 | R4: Physical Access Controls | | |
 | R5: Monitoring Physical Access | | |
 | R6: Logging Physical Access | | |
 | R7: Access Log Retention | | |
 | R8: Maintenance and Testing | | |
CIP-007 Systems Security Management | R1: Test Procedures | | |
 | R2: Ports and Services | | |
 | R3: Security Patch Management | | |
 | R4: Malicious Software Prevention | | |
 | R5: Account Management | | |
 | R6: Security Status Monitoring | | |
 | R7: Disposal or Redeployment | | |
 | R8: Cyber Vulnerability Assessment | | |
 | R9: Documentation Review and Maintenance | | |
CIP-008 Incident Reporting and Response Planning | R1: Cyber Security Incident Response Plan | | |
 | R2: Cyber Security Incident Documentation | | |
CIP-009 Recovery Plans for Critical Cyber Assets | R1: Recovery Plans | | |
 | R2: Exercises | | |
 | R3: Change Control | | |
Rapid7 Solution for NERC-CIP Compliance

This section goes into detail about the nine NERC-CIP Security Standards. Each standard is outlined by title, version number, and associated requirements. It also gives each requirement's Violation Risk Factor (VRF: H = High, M = Medium, L = Lower) and describes how Rapid7 Nexpose, Metasploit, and Consulting Services help with meeting compliance.

CIP-001 Sabotage Reporting (CIP-001-2a)
Associated Requirements: Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity shall:
R1  Have procedures for the recognition of and for making operating personnel aware of sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
R2  Have procedures for the communication of information concerning sabotage events to appropriate parties in the Interconnection.
R3  Provide its operating personnel with sabotage response guidelines, including information about which personnel should be contacted to report disturbances due to sabotage events.
R4  Establish applicable communications contacts with local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP) officials, and develop reporting procedures as appropriate to the circumstances.
» Note: VRFs are undefined for this standard.

Use Rapid7 Consulting Services to:
• Evaluate your communication procedures and response guidelines, identify gaps, and provide guidance on developing missing procedures.
CIP-002 Critical Cyber Asset Identification (CIP-002-4a)
Associated Requirements:
R1  The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall update this list as necessary, and review it at least annually.  [VRF: H]
R2  Critical Cyber Asset Identification — Using the list of Critical Assets, the Responsible Entity shall develop a list of associated critical cyber assets essential to the operation of the Critical Assets. The Responsible Entity shall review this list at least annually, and update it as necessary.  [VRF: H]
R3  Annual Approval — The senior manager or delegate(s) shall annually approve the list of Critical Assets and the list of critical cyber assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)'s approval of these lists (even if such lists are null).  [VRF: L]

Use Rapid7 Nexpose to:
• Take inventory of your cyber asset systems, services, and installed applications using the latest fingerprinting technologies.
• Get top-down visibility of risk to your cyber assets and business operations, enabling you to organize and prioritize thousands of assets and quickly focus on the items that pose the greatest risk.
• Get a clear map of the Real Risk posed to your critical cyber assets by the vulnerabilities identified across your organization's IT landscape.

Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to the cyber asset inventory, and provide guidance on developing missing control policies and procedures.
CIP-003 Security Management Controls (CIP-003-4)
Associated Requirements:
R1  Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:  [VRF: M]
R1.1  The cyber security policy addresses the requirements in Standards CIP-002-4 through CIP-009-4, including provisions for emergency situations.  [VRF: L]
R1.2  The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets.  [VRF: L]
R1.3  Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2.  [VRF: L]
R2  Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of, and adherence to, Standards CIP-002-4 through CIP-009-4.  [VRF: L]
R2.1  The senior manager shall be identified by name, title, and date of designation.  [VRF: L]
R2.2  Changes to the senior manager must be documented within thirty calendar days of the effective date.  [VRF: L]
R2.3  Where allowed by Standards CIP-002-4 through CIP-009-4, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.  [VRF: L]
R2.4  The senior manager or delegate(s) shall authorize and document any exceptions from the requirements of the cyber security policy.  [VRF: L]
R3  Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).  [VRF: L]
R3.1  Exceptions to the Responsible Entity's cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s).  [VRF: L]
R3.2  Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures for the exception.  [VRF: L]
R3.3  Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented.  [VRF: M]
R4  Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.  [VRF: M]
R4.1  The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-4, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.  [VRF: M]
R4.2  The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the critical cyber asset information.  [VRF: L]
R4.3  The Responsible Entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.  [VRF: L]
R5  Access Control — The Responsible Entity shall document and implement a program for managing access to protected critical cyber asset information.  [VRF: L]
R5.1  The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.  [VRF: L]
  R5.1.1  Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
  R5.1.2  The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2  The Responsible Entity shall review, at least annually, the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.  [VRF: L]
R5.3  The Responsible Entity shall assess and document, at least annually, the processes for controlling access privileges to protected information.  [VRF: L]
R6  Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software. They shall also implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of critical cyber assets pursuant to the change control process.  [VRF: L]

Use Rapid7 Nexpose to:
• Detect sensitive data in your critical cyber asset environment through file searching: if Nexpose gains access to an asset's file system during a scan, it can search for and retrieve files on that system.
• Generate easy-to-use detailed reports combined with role-based access controls to allow organizations to share information easily.
• Audit users and groups on your critical cyber assets.
• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed your information access and management policies.
• Set up automated monitoring of access controls (including adherence to role-based access policies) to validate that access restrictions are enforced.
• Test the effectiveness of access control systems and policies for critical cyber asset information.
• Provide an automated mechanism to detect the presence of unauthorized software on critical cyber assets, and notify designated organizational officials through automated alerts.

Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to cyber security policies, leadership, exception handling, protection of critical information, access controls, and change management.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and sensitive information.
CIP-004 Personnel & Training (CIP-004-4)
Associated Requirements:
R1  Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel with authorized cyber or authorized unescorted physical access to critical cyber assets receive on-going reinforcement in sound security practices.  [VRF: L]
R2  Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.  [VRF: L]
R2.1  This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained prior to being granted such access except in specified circumstances such as an emergency.  [VRF: M]
R2.2  Training shall cover the policies, access controls, and procedures, as developed for the critical cyber assets covered by CIP-004-4, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:  [VRF: M]
  R2.2.1  The proper use of critical cyber assets;  (L)
  R2.2.2  Physical and electronic access controls to critical cyber assets;  (L)
  R2.2.3  The proper handling of critical cyber asset information; and,  (L)
  R2.2.4  Action plans and procedures to recover or re-establish critical cyber assets and access following a Cyber Security Incident.  (L)
R2.3  The Responsible Entity shall maintain documentation that training is conducted at least annually, including information such as the date training was completed, and attendance records.  [VRF: L]
R3  Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements for personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. A personnel risk assessment shall be conducted pursuant to that program, prior to the personnel being granted such access, except in specified circumstances such as an emergency.  [VRF: M]
R3.1  The Responsible Entity shall ensure that each assessment conducted at least includes identity verification (e.g., Social Security Number verification in the U.S.) and a seven-year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position.  [VRF: L]
R3.2  The Responsible Entity shall update each personnel risk assessment for a specific cause and/or at least every seven years after the initial personnel risk assessment.  [VRF: L]
R3.3  The Responsible Entity shall document the results of personnel risk assessments of its personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, and that the personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004-4.  [VRF: L]
R4  Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets.  [VRF: L]
R4.1  The Responsible Entity shall review the list(s) of its personnel who have such access to critical cyber assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained.  [VRF: L]
R4.2  The Responsible Entity shall revoke such access to critical cyber assets within 24 hours for personnel terminated for cause, and within seven calendar days for personnel who no longer require such access to critical cyber assets.  [VRF: M]
Use Rapid7 Consulting Services to:
• Provide customizable security awareness training to users of your organizational information systems.
• Provide vulnerability management security training and certification to managers and users of organizational information systems who need the knowledge and technical ability to detect and validate vulnerabilities on the IT infrastructure, determine the associated risk severity, write IT risk reports, and apply mitigations through remediation and control.
• Evaluate the security controls pertaining to awareness and personnel training, personnel risk assessment, and physical access management.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.

CIP-005 Electronic Security Perimeter(s) (CIP-005-4a)
Associated Requirements:
R1  Electronic Security Perimeter — The Responsible Entity shall ensure that every critical cyber asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).  [VRF: M]
R1.1  Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end points (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).  [VRF: M]
R1.2  For a dial-up accessible critical cyber asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.  [VRF: M]
R1.3  Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).  [VRF: M]
R1.4  Any non-critical cyber asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Standard CIP-005-4a.  [VRF: M]
R1.5  Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP-003-4; Standard CIP-004-4 Requirement R3; Standard CIP-005-4a Requirements R2 and R3; Standard CIP-006-4c Requirement R3; Standard CIP-007-4 Requirements R1 and R3 through R9; Standard CIP-008-4; and Standard CIP-009-4.  [VRF: M]
R1.6  The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected critical and non-critical cyber assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points.  [VRF: L]
R2  Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).  [VRF: M]
R2.1  These processes and mechanisms shall use an access control model that denies access by default, such that explicit access permissions must be specified.  [VRF: M]
R2.2  At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring cyber assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.  [VRF: M]
R2.3  The Responsible Entity shall implement and maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s).  [VRF: M]
R2.4  Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party where technically feasible.  [VRF: M]
R2.5  The required documentation shall, at least, identify and describe:  [VRF: L]
  R2.5.1  The processes for access request and authorization.
  R2.5.2  The authentication methods.
  R2.5.3  The review process for authorization rights, in accordance with Standard CIP-004-4 Requirement R4.
  R2.5.4  The controls used to secure dial-up accessible connections.
R2.6  Appropriate Use Banner — Where technically feasible, electronic access control devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner.  [VRF: L]
R3  Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.  [VRF: M]
R3.1  For dial-up accessible critical cyber assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring processes at each access point to the dial-up device where technically feasible.  [VRF: M]
R3.2  Where technically feasible, the security monitoring processes shall detect and alert of attempts at accesses and/or actual unauthorized accesses. These alerts shall provide appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at accesses and/or actual unauthorized accesses at least every ninety calendar days.  [VRF: M]
R4  Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following:  [VRF: M]
R4.1  A document identifying the vulnerability assessment process;  [VRF: L]
R4.2  A review to verify that only ports and services required for operations at these access points are enabled;  [VRF: M]
R4.3  The discovery of all access points to the Electronic Security Perimeter;  [VRF: M]
R4.4  A review of controls for default accounts, passwords, and network management community strings;  [VRF: M]
R4.5  Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.  [VRF: M]
R5  Documentation Review and Maintenance — The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005-4a.  [VRF: L]
R5.1  The Responsible Entity shall ensure that all documentation required by Standard CIP-005-4a reflects current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-4a at least annually.  [VRF: L]
R5.2  The Responsible Entity shall update the documentation to reflect modifications of the network or controls within ninety calendar days of the change.  [VRF: L]
R5.3  The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4.  [VRF: L]

Use Rapid7 Nexpose to:
• Take inventory of your cyber asset systems, services, and installed applications within the Electronic Security Perimeter(s).
• Detect the presence of unauthorized software within the Electronic Security Perimeter(s) and notify designated organizational officials through automatically generated alerts.
• Perform comprehensive unified vulnerability scanning of all the electronic access points to the Electronic Security Perimeter(s).
• Get easy-to-use detailed reports combined with role-based access controls to allow organizations to share information easily.
• Compare the results of vulnerability scans over time, through an automated mechanism, to determine trends in information system vulnerabilities.
• Audit users and groups on critical cyber assets.
• Discover accounts that were terminated, review the results either in the UI or in report format, and then use the data to feed your information access and management policies.
• Test the effectiveness of your access control systems and policies.
• Test the external and internal boundary defenses of your Electronic Security Perimeter(s).
• Set up automated monitoring of access controls, including limits on login attempts, password length requirements, allowable special characters, and other login ID access control policies.
• Get a detailed action plan to remediate or mitigate vulnerabilities, including a sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose's built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Deliver auditable and reportable events on vulnerabilities throughout the Electronic Security Perimeter(s).

Use Rapid7 Metasploit to:
• Test the effectiveness of your access control systems and policies within the Electronic Security Perimeter(s).
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
• Test the external and internal boundary defenses of the Electronic Security Perimeter(s).
• Perform your external and internal penetration testing of critical cyber assets to determine if a hacker could access and steal sensitive cyber information. Penetration testing includes network-layer and application-layer tests. Penetration testing is conducted using Nexpose in conjunction with a variety of specialized tools including Metasploit, the leading open-source penetration testing platform with the world's largest database of public, tested exploits.

Use Rapid7 Consulting Services to:
• Define and refine the scope of your Electronic Security Perimeter(s).
• Evaluate the security controls pertaining to the protection of your Electronic Security Perimeters.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and data.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Assist you in writing the documentation required by NERC-CIP.
• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).
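A worked example of the R4.2 and R4.4 checks, added here by the editor and not part of the Rapid7 guide or of Nexpose: a short Python script that compares the open ports observed at one access point against the documented ports/services baseline that R2.2 requires, and tries the well-known default SNMP community strings. The access point name esp-fw-01, the BASELINE, the SCAN result and fake_probe are all constructed for the example; in practice the observed ports would be parsed from an nmap or Nexpose export and the probe would issue a real SNMP GET with each candidate string (for example with pysnmp).

```python
"""Added example (not from the guide): assess an ESP electronic access point
against its documented ports/services baseline (CIP-005 R2.2, R4.2) and probe
for default SNMP community strings (R4.4).

The scan result and the SNMP probe are constructed stand-ins: in practice the
observed ports come from an nmap/Nexpose export and the probe sends an SNMP
GET with each candidate community string."""
from dataclasses import dataclass

# Documented baseline per access point: (proto, port) -> expected service.
# Constructed for this example.
BASELINE = {
    "esp-fw-01": {
        ("tcp", 22): "ssh",      # admin access, jump host only
        ("tcp", 443): "https",   # management UI
        ("udp", 161): "snmp",    # read-only monitoring
    },
}

# Vendor/default community strings an assessor tries first (R4.4).
DEFAULT_COMMUNITIES = ("public", "private", "cisco", "admin", "manager")


@dataclass
class Finding:
    asset: str
    severity: str   # "high" or "medium"
    title: str
    detail: str


def review_ports(asset, observed, baseline=BASELINE):
    """R4.2: only documented ports/services may be enabled at the access point.

    observed maps (proto, port) -> service name as reported by the scan.
    An undocumented open port is high; a documented port that is no longer
    listening is medium (the monitoring path may have silently broken)."""
    expected = baseline.get(asset)
    if expected is None:
        return [Finding(asset, "high", "Undocumented access point",
                        "no ports/services baseline exists for this asset (R2.2)")]
    findings = []
    for proto, port in sorted(set(observed) - set(expected)):
        findings.append(Finding(asset, "high", "Port not in baseline",
            f"{proto}/{port} ({observed[(proto, port)]}) enabled but not documented"))
    for proto, port in sorted(set(expected) - set(observed)):
        findings.append(Finding(asset, "medium", "Baseline port not listening",
            f"{proto}/{port} ({expected[(proto, port)]}) documented but not observed"))
    for key in sorted(set(observed) & set(expected)):
        if observed[key] != expected[key]:
            findings.append(Finding(asset, "high", "Unexpected service on baseline port",
                f"{key[0]}/{key[1]} runs {observed[key]}, baseline says {expected[key]}"))
    return findings


def review_snmp(asset, probe, candidates=DEFAULT_COMMUNITIES):
    """R4.4: probe(community) returns True if the agent answers a GET with it."""
    return [Finding(asset, "high", "Default SNMP community accepted",
                    f"agent answers to community '{c}'")
            for c in candidates if probe(c)]


def assess(asset, observed, probe):
    """Full access-point review: ports/services baseline plus SNMP defaults."""
    return review_ports(asset, observed) + review_snmp(asset, probe)


# Constructed scan of esp-fw-01: telnet has been enabled since the baseline
# was written, and the SNMP agent still uses the factory community "public".
SCAN = {("tcp", 22): "ssh", ("tcp", 443): "https",
        ("udp", 161): "snmp", ("tcp", 23): "telnet"}


def fake_probe(community):
    """Stand-in for a real SNMP GET; the constructed agent accepts 'public'."""
    return community == "public"


if __name__ == "__main__":
    for f in assess("esp-fw-01", SCAN, fake_probe):
        print(f"[{f.severity}] {f.asset}: {f.title}: {f.detail}")
```

Run directly, the script reports two findings for the constructed scan: the undocumented telnet port and the factory "public" community string. A documented port that has stopped listening is reported as medium rather than ignored, because a monitoring path that has silently broken is itself a finding for R3.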
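A worked example of the R3.2 review, added here by the editor and not taken from the guide or from Nexpose: Python that parses access-point log lines, applies the deny-by-default access list of R2.1 to every session that was accepted, and raises an alert on bursts of denied or failed attempts from one source. The log format, the access point esp-fw-01, the ALLOWED policy and the SAMPLE_LOG lines are constructed; a real deployment would adapt parse() to the firewall's or VPN concentrator's own syslog format.

```python
"""Added example (not from the guide): review ESP access-point logs for
unauthorized access attempts (CIP-005 R2.1, R3.2). The log format, policy
and sample lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Documented access authorisation for the access point. R2.1 is deny by
# default, so anything not listed here is unauthorised. Constructed example.
ALLOWED = {
    "esp-fw-01": {
        "sources": [ip_network("10.20.1.0/24")],  # operator LAN via jump host
        "users": {"opsjane", "opsbob"},
        "ports": {22, 443},                       # R2.2 enabled ports
    },
}

# One event per line (constructed format):
#   <ISO timestamp> <access point> action=<ACCEPT|DENY|AUTHFAIL> src=<ip> dport=<port> [user=<name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) action=(?P<action>ACCEPT|DENY|AUTHFAIL) "
    r"src=(?P<src>\S+) dport=(?P<dport>\d+)(?: user=(?P<user>\S+))?$")


def parse(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["src"] = ip_address(ev["src"])
    ev["dport"] = int(ev["dport"])
    return ev


def review(lines, fail_threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (timestamp, access point, kind, detail) tuples.

    'unauthorized-access': an ACCEPT that violates the documented policy, the
        actual unauthorized access R3.2 asks for; raised on every occurrence.
    'repeated-attempts': fail_threshold DENY/AUTHFAIL events from one source
        inside `window`; raised once when the threshold is reached."""
    alerts = []
    failures = defaultdict(list)   # (access point, source) -> failure timestamps
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ap, src, ts = ev["ap"], ev["src"], ev["ts"]
        policy = ALLOWED.get(ap, {})
        if ev["action"] == "ACCEPT":
            reasons = []
            if not any(src in net for net in policy.get("sources", [])):
                reasons.append("source not authorised")
            if ev["dport"] not in policy.get("ports", set()):
                reasons.append(f"port {ev['dport']} not enabled at this access point")
            if ev["user"] and ev["user"] not in policy.get("users", set()):
                reasons.append(f"user {ev['user']} not on the access list")
            if reasons:
                alerts.append((ts, ap, "unauthorized-access",
                               f"{src}: " + "; ".join(reasons)))
        else:
            # Keep only failures still inside the sliding window, then add this one.
            recent = [t for t in failures[(ap, src)] if ts - t <= window] + [ts]
            failures[(ap, src)] = recent
            if len(recent) == fail_threshold:
                alerts.append((ts, ap, "repeated-attempts",
                               f"{src}: {fail_threshold} failed attempts within {window}"))
    return alerts


# Constructed sample log for esp-fw-01.
SAMPLE_LOG = """\
2012-06-03T14:02:11 esp-fw-01 action=ACCEPT src=10.20.1.5 dport=22 user=opsjane
2012-06-03T14:05:40 esp-fw-01 action=DENY src=203.0.113.9 dport=22
2012-06-03T14:05:41 esp-fw-01 action=DENY src=203.0.113.9 dport=23
2012-06-03T14:05:43 esp-fw-01 action=DENY src=203.0.113.9 dport=443
2012-06-03T14:30:02 esp-fw-01 action=AUTHFAIL src=10.20.1.77 dport=22 user=admin
2012-06-03T14:31:15 esp-fw-01 action=ACCEPT src=10.20.1.77 dport=22 user=admin
2012-06-03T15:10:09 esp-fw-01 action=ACCEPT src=172.16.9.4 dport=3389 user=vendor1
"""

if __name__ == "__main__":
    for ts, ap, kind, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {ap} {kind}: {detail}")
```

Against the constructed log the review returns three alerts: a burst of three denied connections from 203.0.113.9, an accepted session for the account admin, which is not on the access list even though it came from an authorised subnet, and an RDP session from a vendor host that matches no part of the policy. A completed ACCEPT outside policy is the actual unauthorized access R3.2 asks you to detect, so it is raised on every occurrence, whereas the attempt counter fires once per burst that reaches the threshold.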
  • 24. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com CIP-006 Physical Security of Critical Cyber Assets #CIP-006-4d Associated requirements: # Requirements VRF R1 Physical Security Plan — The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s) that shall address, at a minimum, the following: - R1.1 All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such cyber assets. - R1.2 Identification of all physical access points through each Physical Security Perimeter and measures to control entry at those access points. - R1.3 Processes, tools, and procedures to monitor physical access to the perimeter(s). - R1.4 Appropriate use of physical access controls as described in Requirement R4, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls. - R1.5 Review of access authorization requests and revocation of access authorization, in accordance with CIP-004-4 Requirement R4 - R1.6 A visitor control program for visitors (personnel without authorized unescorted access to a Physical Security Perimeter), containing at a minimum the following: R1.6.1. Logs (manual or automated) to document the entry and exit of visitors, including the date and time of entrances and exits from Physical Security Perimeters. R1.6.2. Continuous escorted access of visitors within the Physical Security Perimeter. 
- R1.7 Update of the physical security plan within thirty calendar days of the completion of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the Physical Security Perimeter, physical access controls, monitoring controls, or logging controls. - R1.8 Annual review of the physical security plan. -
  • 25. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com R2 Protection of Physical Access Control Systems — Cyber assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point, such as electronic lock control mechanisms and badge readers, shall: - R2.1 Be protected from unauthorized physical access. - R2.2 Be afforded the protective measures specified in Standard CIP-003-4; Standard CIP- 004-4 Requirement R3; Standard CIP-005-4 Requirements R2 and R3; Standard CIP- 006-4 Requirements R4 and R5; Standard CIP- 007-4; Standard CIP-008-4; and Standard CIP-009-4. - R3 Protection of Electronic Access Control Systems — Cyber assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall reside within an identified Physical Security Perimeter. - R4 Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty- four hours a day, seven days a week. The Responsible Entity shall implement one or more of the following physical access methods: • Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another. • Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems. • Security Personnel: Personnel responsible for controlling physical access that may reside on-site or at a monitoring station. • Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the critical cyber assets. -
R5 Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-4. One or more of the following monitoring methods shall be used:
• Alarm Systems: Systems that raise an alarm to indicate a door, gate, or window has been opened without authorization. These alarms must provide immediate notification to the personnel responsible for response.
• Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
R6 Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals and their times of access, twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:
• Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.
• Video Recording: Electronic capture of video images of sufficient quality to determine identities.
• Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.
R7 Access Log Retention — The Responsible Entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-4.
R8 Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
- R8.1 Testing and maintenance of all physical security mechanisms on a cycle that is no longer than three years.
- R8.2 Retention of testing and maintenance records for the cycle determined by the Responsible Entity in Requirement R8.1.
- R8.3 Retention of outage records regarding access controls, logging, and monitoring for a minimum of one calendar year.
Use Rapid7 Consulting Services to:
• Evaluate the security controls pertaining to the physical protection of your critical cyber assets.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures.
CIP-007 Systems Security Management
CIP-007-4 Associated Requirements (VRF: L = Lower, M = Medium):
R1 Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing cyber assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-4, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. (M)
- R1.1 The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system and/or its operation. (M)
- R1.2 The Responsible Entity shall document that testing is performed in a manner that reflects the production environment. (L)
- R1.3 The Responsible Entity shall document test results. (L)
R2 Ports and Services — The Responsible Entity shall establish, document, and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled. (M)
- R2.1 The Responsible Entity shall enable only those ports and services required for normal and emergency operations. (M)
- R2.2 The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all cyber assets inside the Electronic Security Perimeter(s). (M)
- R2.3 In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document the compensating measure(s) applied to mitigate risk exposure. (M)
R3 Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-4 Requirement R6, shall establish, document, and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all cyber assets within the Electronic Security Perimeter(s). (L)
- R3.1 The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. (L)
- R3.2 The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (L)
R4 Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools where technically feasible to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets within the Electronic Security Perimeter(s). (M)
- R4.1 The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. (M)
- R4.2 The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address testing and installing the signatures. (M)
R5 Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. (L)
- R5.1 The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed. (M)
  - R5.1.1 The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003-4 Requirement R5. (L)
  - R5.1.2 The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. (L)
  - R5.1.3 The Responsible Entity shall review, at least annually, user accounts to verify that access privileges are in accordance with Standard CIP-003-4 Requirement R5 and Standard CIP-004-4 Requirement R4. (M)
- R5.2 The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts. (L)
  - R5.2.1 The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service. (M)
  - R5.2.2 The Responsible Entity shall identify those individuals with access to shared accounts. (L)
  - R5.2.3 Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination). (M)
- R5.3 At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible: (L)
  - R5.3.1 Each password shall be a minimum of six characters. (L)
  - R5.3.2 Each password shall consist of a combination of alpha, numeric, and “special” characters. (L)
  - R5.3.3 Each password shall be changed at least annually, or more frequently based on risk. (M)
R6 Security Status Monitoring — The Responsible Entity shall ensure that all cyber assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. (L)
- R6.1 The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms to monitor for security events on all cyber assets within the Electronic Security Perimeter. (M)
- R6.2 The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents. (M)
- R6.3 The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008-4. (M)
- R6.4 The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days. (L)
- R6.5 The Responsible Entity shall review logs of system events related to cyber security, and maintain records documenting review of logs. (L)
R7 Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of cyber assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-4. (L)
- R7.1 Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (L)
- R7.2 Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data. (L)
- R7.3 The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures. (L)
R8 Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all cyber assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: (L)
- R8.1 A document identifying the vulnerability assessment process. (L)
- R8.2 A review to verify that only ports and services required for operation of the cyber assets within the Electronic Security Perimeter are enabled. (M)
- R8.3 A review of controls for default accounts. (M)
- R8.4 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. (M)
R9 Documentation Review and Maintenance — The Responsible Entity shall review and update the documentation specified in Standard CIP-007-4 at least annually. Changes resulting from modifications to the systems or controls shall be documented within thirty calendar days of the change being completed. (L)
Use Rapid7 Nexpose to:
• Test your external and internal boundary defenses whenever new cyber assets are added or significant changes are made to existing cyber assets within the Electronic Security Perimeter.
• Detect misconfigurations, identify missing patches and malicious software.
• Perform ongoing scheduled and ad-hoc scanning of Web applications.
• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
• Take inventory of systems, open ports, and associated services by performing either manual or scheduled discovery scans.
• Configure asset scanning and reporting based on specific criteria such as device type, software type, operating system type, or geographic location.
• Automate the task of asset discovery and identification within the Electronic Security Perimeter(s).
• Automate tracking of the operating systems and applications installed on each system, including versions and patch levels.
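The ports-and-services review (CIP-007-4 R2, R8.2) and the default-account review (R5.2, R8.3) both come down to comparing what a Cyber Asset actually exposes against what the Responsible Entity has documented. The script below is an added example, not Rapid7's or NERC's code, of that comparison for one host: it parses a constructed listening-socket capture in the shape of `ss -Hlntu` output and a constructed `/etc/passwd` excerpt, checks them against a constructed baseline, and emits one finding per deviation tagged with the sub-requirement it maps to, so the findings can be carried straight into the R8.4 results document and action plan. The host name `ems-hmi-01`, the baseline contents, the factory-default account list and both captures are assumptions made up for the illustration. It goes slightly beyond the page's wording in one respect: ports that the baseline records as "cannot be disabled, compensating measure documented" (R2.3) are reported separately from undocumented ports rather than treated as clean, because an auditor will want to see that the compensating measure is still on file.

```python
"""Added example: minimal CIP-007-4 R8.2 / R8.3 evidence check for one host.

Compares observed listening sockets and local accounts against the entity's
documented baseline. Everything below (host, baseline, captures, default
account list) is constructed for illustration and is not real site data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Documented ports/services and account decisions for one Cyber Asset."""
    host: str
    required: frozenset      # (proto, port) needed for normal/emergency ops (R2.1)
    compensated: frozenset   # cannot be disabled; compensating measure documented (R2.3)
    shared_accounts: frozenset  # default/shared accounts allowed to stay enabled (R5.2.2)


@dataclass(frozen=True)
class Finding:
    host: str
    requirement: str
    detail: str


# Constructed baseline for a hypothetical HMI host.
HMI_BASELINE = Baseline(
    host="ems-hmi-01",
    required=frozenset({("tcp", 22), ("tcp", 443), ("tcp", 502)}),  # ssh, https, Modbus/TCP
    compensated=frozenset({("tcp", 135)}),
    shared_accounts=frozenset({"operator"}),
)

# Constructed capture in the shape of `ss -Hlntu` output (no header line).
SS_CAPTURE = """\
tcp   LISTEN 0  128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0  5    0.0.0.0:502     0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:135     0.0.0.0:*
tcp   LISTEN 0  10   0.0.0.0:23      0.0.0.0:*
udp   UNCONN 0  0    0.0.0.0:161     0.0.0.0:*
"""

# Constructed /etc/passwd excerpt: name:x:uid:gid:gecos:home:shell
PASSWD_CAPTURE = """\
root:x:0:0:root:/root:/bin/bash
operator:x:1001:1001:shift operator:/home/operator:/bin/bash
guest:x:1002:1002:guest:/home/guest:/usr/sbin/nologin
admin:x:1003:1003:vendor default:/home/admin:/bin/bash
"""

# Illustrative factory-default names an assessor looks for under R5.2.1. The
# built-in superuser is left out: it cannot be removed, so R5.2.1's
# "change the password before service" clause applies to it instead.
FACTORY_DEFAULTS = {"admin", "administrator", "guest", "operator", "support"}
DISABLED_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_listeners(ss_text):
    """Return the set of (proto, port) listening sockets from ss-style lines."""
    listeners = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:22, [::]:22 and *:22
        listeners.add((proto, port))
    return listeners


def check_ports(baseline, ss_text):
    """R8.2: each listener must be required, or covered by a documented compensating measure."""
    findings = []
    for proto, port in sorted(parse_listeners(ss_text)):
        if (proto, port) in baseline.required:
            continue
        if (proto, port) in baseline.compensated:
            findings.append(Finding(baseline.host, "R2.3",
                f"{proto}/{port} enabled under a compensating measure; verify it is still documented"))
        else:
            findings.append(Finding(baseline.host, "R2.2",
                f"{proto}/{port} listening but not in the ports-and-services baseline"))
    return findings


def check_default_accounts(baseline, passwd_text):
    """R8.3: factory defaults must be removed/disabled/renamed, or registered as shared (R5.2.2)."""
    findings = []
    for line in passwd_text.splitlines():
        name, _, _, _, _, _, shell = line.split(":")
        if name not in FACTORY_DEFAULTS or shell in DISABLED_SHELLS:
            continue
        if name in baseline.shared_accounts:
            findings.append(Finding(baseline.host, "R5.2.3",
                f"shared default account '{name}' enabled; confirm audit trail and authorized users"))
        else:
            findings.append(Finding(baseline.host, "R5.2.1",
                f"default account '{name}' still enabled with shell {shell}"))
    return findings


def assess(baseline, ss_text, passwd_text):
    """Run both reviews; the list feeds the R8.4 results document and action plan."""
    return check_ports(baseline, ss_text) + check_default_accounts(baseline, passwd_text)


if __name__ == "__main__":
    for f in assess(HMI_BASELINE, SS_CAPTURE, PASSWD_CAPTURE):
        print(f"{f.host}\t{f.requirement}\t{f.detail}")
```

On the constructed data the check reports telnet (tcp/23) and SNMP (udp/161) as undocumented listeners, tcp/135 as a compensated port to re-verify, the `admin` account as an enabled factory default, and `operator` as a shared default that needs its R5.2.3 audit trail confirmed. In practice the baseline would come from the R2 documentation and the captures from each asset in the Electronic Security Perimeter, and every finding would be tracked to closure in the R8.4 action plan.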
• Catalog all software, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications within the Electronic Security Perimeter(s).
• Set up automated monitoring of software policy settings and misconfigurations, including Web browser patch levels, up-to-date firewalls, IDS/IPS system patches, and configuration settings for Web applications, including their underlying database servers, network ports, protocols, services, and log policies.
• Apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications.
• Alert on policy violations or misconfigurations.
• Audit users and groups on all cyber assets within the Electronic Security Perimeter(s).
• Discover accounts that have been terminated, review the results either in the UI or in report format, and use the data to feed your information access and management policies.
• Set up automated monitoring of access controls (including adherence to policies for role-based access) to validate enforcement of access restrictions.
Use Rapid7 Metasploit to:
• Enable your internal Red Team staff to perform both scheduled and ad-hoc penetration testing of your Electronic Security Perimeter(s).
• Determine the exploitability of identified vulnerabilities.
• Perform external and internal penetration testing and use reporting to document findings, either to prepare for an external audit or to conduct a security assessment in-house.
• Test the external and internal boundary defenses upon infrastructure changes.
• Test the level of accessibility and exploitability of critical cyber assets.
• Determine whether an attacker could access and steal protected electronic information through Web applications.
• Test the effectiveness of the access control systems and policies.
• Survey hosts for use of approved authentication measures.
• Audit password length/complexity and authentication methods.
Use Rapid7 Consulting Services to:
• Evaluate the security controls pertaining to testing procedures, open ports and services management, patch management, disposal, and cyber vulnerability assessments and documentation.
• Identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information from external threats.
• Recommend best practices to optimize data security, including system access policies that limit access to system components and sensitive data to only those whose job roles absolutely require such access.
• Assist you in writing the documentation required by NERC CIP.
• Perform an independent analysis and penetration test on delivered information systems, information system components, and information technology products within your Electronic Security Perimeter(s).
CIP-008 Incident Reporting and Response Planning
CIP-008-4 Associated Requirements (VRF: L = Lower, M = Medium):
R1 Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following: (L)
- R1.1 Procedures to characterize and classify events as reportable Cyber Security Incidents. (L)
- R1.2 Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans. (L)
- R1.3 Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC, either directly or through an intermediary. (L)
- R1.4 Process for updating the Cyber Security Incident response plan within thirty calendar days of any changes. (L)
- R1.5 Process for ensuring that the Cyber Security Incident response plan is reviewed at least annually. (L)
- R1.6 Process for ensuring the Cyber Security Incident response plan is tested at least annually. A test of the Cyber Security Incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident. (L)
R2 Cyber Security Incident Documentation — The Responsible Entity shall keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years. (L)
Use Rapid7 Nexpose to:
• Get a clear map of the Real Risk posed by the identified vulnerabilities across your organization’s IT landscape. Nexpose is the only product that includes real exploit and malware intelligence combined with CVSS base scores, temporal scoring, environment considerations (e.g., any mitigating controls in place), and asset criticality for risk classification.
• Get a detailed, sequenced remediation roadmap with time estimates for each task, which can then be managed either through Nexpose’s built-in ticket system or through a leading help desk system such as Remedy, Peregrine, Tivoli, or CA.
Use Rapid7 Nexpose and Metasploit to:
• Support your incident response by providing details on the vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploits.
Use Rapid7 Consulting Services to:
• Evaluate your security controls pertaining to your incident response plan, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure your cyber assets and related information from external threats.
CIP-009 Recovery Plans for Critical Cyber Assets
CIP-009-4 Associated Requirements (VRF: L = Lower, M = Medium):
R1 Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) shall address at a minimum the following: (M)
- R1.1 Specific required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s). (M)
- R1.2 Defined roles and responsibilities of responders. (M)
R2 Exercises — The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. (L)
R3 Change Control — Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed. (L)
R4 Backup and Restore — The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc. (L)
R5 Testing Backup Media — Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site. (L)
Use Rapid7 Nexpose to:
• Ensure continuous logging of historical scan data showing a device’s previous state.
• Use the automated utility to save duplicate copies of scan data to a backup server.
Use Rapid7 Consulting Services to:
• Audit your recovery plans to identify any gaps that should be addressed in order to successfully back up and restore systems, and establish procedures to ensure business process continuity and protection of sensitive data while operating in emergency mode.
To see how Rapid7’s IT Security Risk Management suite can benefit your organization, visit Rapid7.com.