NERC CIP v7 Standards and Requirements

Preview 3 out of 26  pages

  • February 24, 2023
ProfMiaKennedy
NERC CIP v7 Standards and Requirements
CIP-002-5.1 - BES Cyber System Categorization

CIP-002 R1 - Each Responsible Entity shall implement a process that considers
each of the following assets for purposes of parts 1.1 through 1.3: Control Centers
and backup Control Centers, Transmission stations and substations, Generation
resources, Systems and facilities critical to system restoration, including Blackstart
Resources and Cranking Paths and initial switching requirements, Special
Protection Systems that support the reliable operation of the Bulk Electric System;
and For Distribution Providers

CIP-002 R1.1 - Identify each of the high impact BES Cyber Systems according to
Attachment 1, Section 1, if any, at each asset;

CIP-002 R1.2 - Identify each of the medium impact BES Cyber Systems according
to Attachment 1, Section 2, if any, at each asset;

CIP-002 R1.3 - Identify each asset that contains a low impact BES Cyber System
according to Attachment 1, Section 3, if any (a discrete list of low impact BES
Cyber Systems is not required).

CIP-002 R2.1 - Review the identifications in Requirement R1 and its parts (and
update them if there are changes identified) at least once every 15 calendar months,
even if it has no identified items in Requirement R1,

CIP-002 R2.2 - Have its CIP Senior Manager or delegate approve the
identifications required by Requirement R1 at least once every 15 calendar months,
even if it has no identified items in Requirement R1.

CIP-003-7 - Security Management Controls

CIP-003 R1 - Each Responsible Entity shall review and obtain CIP Senior
Manager approval at least once every 15 calendar months for one or more
documented cyber security policies that collectively address the following topics:

CIP-003 R2 - Each Responsible Entity with at least one asset identified in CIP-002
containing low impact BES Cyber Systems shall implement one or more
documented cyber security plan(s) for its low impact BES Cyber Systems that
include the sections in Attachment 1.

CIP-003 R3 - Each Responsible Entity shall identify a CIP Senior Manager by
name and document any change within 30 calendar days of the change.

CIP-003 R4 - The Responsible Entity shall implement a documented process to
delegate authority, unless no delegations are used. Where allowed by the CIP
Standards, the CIP Senior Manager may delegate authority for specific actions to a
delegate or delegates. These delegations shall be documented, including the name
or title of the delegate, the specific actions delegated, and the date of the
delegation; approved by the CIP Senior Manager; and updated within 30 days of
any change to the delegation. Delegation changes do not need to be reinstated with
a change to the delegator.

CIP-003 Attachment 1 Section 2 - Lows Physical Security Controls: Each
Responsible Entity shall control physical access, based on need as determined by
the Responsible Entity, to (1) the asset or the locations of the low impact BES
Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the
Responsible Entity, that provide electronic access control(s) implemented for
Section 3.1, if any.

CIP-003 Attachment 1 Section 3 - Lows Electronic Access Controls: For each
asset containing low impact BES Cyber System(s) identified pursuant to CIP-002,
the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined
by the Responsible Entity for any communications that are:
between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset
containing low impact BES Cyber System(s);
using a routable protocol when entering or leaving the asset containing the low
impact BES Cyber System(s); and
not used for time-sensitive protection or control functions between intelligent
electronic devices (e.g., communications using protocol IEC TR-61850-90-5
R-GOOSE).
3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low
impact BES Cyber System(s), per Cyber Asset capability.

CIP-003 Attachment 1 Section 1 - Lows Cyber Security Awareness: Each
Responsible Entity shall reinforce, at least once every 15 calendar months, cyber
security practices (which may include associated physical security practices).

CIP-003 Attachment 1 Section 4 - Lows Cyber Security Incident Response: Each
Responsible Entity shall have one or more Cyber Security Incident response
plan(s), either by asset or group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable
Cyber Security Incident and subsequent notification to the Electricity Sector
Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident
response by groups or individuals;
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36
calendar months by: (1) responding to an actual Reportable Cyber Security
Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security
Incident; or (3) using an operational exercise of a Reportable Cyber Security
Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180
calendar days after completion of a Cyber Security Incident response plan(s) test or
actual Reportable Cyber Security Incident.

CIP-003 Attachment 1 Section 5 - Lows Transient Cyber Asset and Removable
Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement,
except under CIP Exceptional Circumstances, one or more plan(s) to achieve the
objective of mitigating the risk of the introduction of malicious code to low impact
BES Cyber Systems through the use of Transient Cyber Assets or Removable
Media. The plan(s) shall include:
5.1 For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the
use of one or a combination of the following in an ongoing or on-demand manner
(per Transient Cyber Asset capability):
