CIP-006-1 Physical Security of Critical Cyber Assets A Compliance Perspective Lew Folkerth CIP Compliance Workshop Baltimore, MD August 19-20, 2009 © ReliabilityFirst Corporation

1

CIP-006-1 Physical Security of Critical Cyber Assets

A Compliance Perspective

Lew Folkerth

CIP Compliance Workshop

Baltimore, MD

August 19-20, 2009

© ReliabilityFirst Corporation

2

Governance

• Annotated Text of the Standard
  - Annotations are NOT authoritative, they are commentary only
• Pre-audit questions
  - Are intended to streamline the audit process
  - Some go beyond what is required by the standard for informational purposes
  - Are intended to help organize information used for compliance
  - Are intended as a starting point for review of the compliance documentation
• The “plain language” of the standard will govern

The only authoritative text in this presentation is that of the language of the standard. All else is opinion and intended practice and is subject to change.

This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation.


3

CIP-006-1 R1 Annotated Text

R1. Physical Security Plan — The Responsible Entity shall create and maintain[1] a physical security plan, approved by a senior manager or delegate(s)[2] that shall address, at a minimum, the following:

[1] While “implement” is not specifically stated, FERC Order 706 P 75 indicates that implementation of the Plan is expected. CIP-006-2 contains the requirement to “implement.” It is expected that CIP-006-2 will be in force by the time CIP-006-1 enters the “Auditably Compliant” stage.

[2] CIP-003-1 R2 is not referenced here. Therefore, the senior manager need not be the same manager designated in CIP-003-1 R2.


4

CIP-006-1 R1 Annotated Text (cont’d)

R1.1. Processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures[3] to control physical access to the Critical Cyber Assets.

[3] Order 706 P 560 requires any use of the “alternative measures” clause to be treated as a Technical Feasibility Exception.

Physical Security Perimeter: The physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled.


5

CIP-006-1 R1 Annotated Text (cont’d)

R1.2. Processes to identify all access points[4] through each Physical Security Perimeter and measures to control entry[5] at those access points.

R1.3. Processes, tools, and procedures to monitor physical access to the perimeter(s).

[4] Access points may consist of doors, windows, elevators and other such means of access. Generally, any opening in the six-wall boundary large enough to admit a person should be considered an access point.

[5] Note that each entry to each Physical Security Perimeter must be controlled (and logged per R4). No mention is made of exit from the Physical Security Perimeter.


6

CIP-006-1 R1 Annotated Text (cont’d)

R1.4. Procedures for the appropriate use of physical access controls as described in Requirement R3 including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.

R1.5. Procedures for reviewing access authorization requests and revocation of access authorization, in accordance with CIP-004 Requirement R4.

R1.6. Procedures for escorted access[6] within the physical security perimeter of personnel not authorized for unescorted access.

[6] The definition of what it means to be escorted is not stated in the standard. The entity should make this determination as part of its Physical Security Plan.


7

CIP-006-1 R1 Annotated Text (cont’d)

R1.7. Process for updating the physical security plan within ninety calendar days of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the physical security perimeter, physical access controls, monitoring controls, or logging controls.

R1.8. Cyber Assets used in the access control and monitoring of the Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP-003, Standard CIP-004 Requirement R3, Standard CIP-005 Requirements R2 and R3, Standard CIP-006 Requirement R2 and R3, Standard CIP-007, Standard CIP-008 and Standard CIP-009.


8

CIP-006-1 R1 Annotated Text (cont’d)

R1.9. Process for ensuring that the physical security plan is reviewed at least annually[7]

[7] See the discussion of time-based terminology in the CIP-002 presentation.


9

CIP-006-1 R1 Items for Consideration – Pre-audit

1. Describe the processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within a Physical Security Perimeter.

a. Describe any circumstances where alternative measures to control physical access to the Critical Cyber Assets were necessary.

b. Do any communications networks within an Electronic Security Perimeter span multiple Physical Security Perimeters? Examples include network segments common to separate Physical Security Perimeters within the same building, network segments common to two or more buildings or structures on a common campus, and network segments common to two or more geographically dispersed locations (including the use of technologies such as Ethernet over SONET).


10

CIP-006-1 R1 Items for Consideration – Pre-audit (cont’d)

2. How are all access points through the Physical Security Perimeter identified and access controlled?

3. How is physical access to the Physical Security Perimeter monitored?

4. Describe the following processes:

a. Visitor pass management.

b. Loss of physical access credentials.

5. How are personnel, including vendor and contractor staff, made aware of prohibited, inappropriate use of physical access controls?


11

CIP-006-1 R1 Items for Consideration – Pre-audit (cont’d)

6. How are requests for access authorization and access revocation reviewed?

7. Describe your escorted access process. How do you ensure continuous escort of visitors?

8. How do you ensure the physical security plan is updated within 90 days of any physical security system redesign or reconfiguration?

9. How do you ensure the physical security plan is reviewed at least annually?


12

CIP-006-1 R1 Possible Audit Approach

For each Electronic Security Perimeter, identify the Responsible Entity’s associated physical security plan. The language of the standard indicates that each Entity must have one physical security plan. Note that the Responsible Entity may have one physical security plan per function for which the entity is registered.


13

CIP-006-1 R1 Possible Audit Approach (cont’d)

For each physical security plan identified above, verify:

• The plan contains processes to ensure that all Cyber Assets within an Electronic Security Perimeter are also protected by a Physical Security Perimeter. The plan must require the establishment of a six-wall boundary where such a boundary is physically possible. If it is not possible to establish a six-wall boundary, then the plan must specify alternate measures to protect the Physical Security Perimeter.
• The plan contains processes to identify all access points through the Physical Security Perimeter.
• The plan contains measures to control access through the physical access points.
• The plan identifies processes, tools and procedures for monitoring physical access to the Physical Security Perimeter.


14

CIP-006-1 R1 Possible Audit Approach (cont’d)

For each physical security plan identified above, verify:

• The plan contains procedures for the appropriate use of physical access controls. Said procedures shall address, at minimum:
  - Visitor pass management;
  - Response to loss of authentication credentials such as key, access card, etc.;
  - Prohibition of inappropriate use of physical access controls. This also requires a definition of inappropriate use.
• The plan contains or references procedures for authorization of physical access requests and for revocation of access privileges pursuant to CIP-004 R4.


15

CIP-006-1 R1 Possible Audit Approach (cont’d)

For each physical security plan identified above, verify:

• The plan contains provisions for protecting Cyber Assets used in access control and monitoring of the Physical Security Perimeter. Such Cyber Assets must be afforded the protective measures as specified in:
  - CIP-003-1 Requirements R1, R2, R3, R4, R5 and R6
  - CIP-004-1 Requirement R3
  - CIP-005-1 Requirements R2 and R3
  - CIP-006-1 Requirements R2 and R3
  - CIP-007-1 Requirements R1, R2, R3, R4, R5, R6, R7, R8 and R9
  - CIP-008-1 Requirements R1 and R2
  - CIP-009-1 Requirements R1, R2, R3, R4 and R5


16

CIP-006-1 R1 Possible Audit Approach (cont’d)

For each physical security plan identified above, verify:

• The plan contains a provision requiring a review of the physical security plan at least annually.


17

CIP-006-1 R1 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters, examine the Physical Security Perimeter documentation to ensure:

• All Cyber Assets within the associated Electronic Security Perimeter reside within the Physical Security Perimeter. Where physically possible, a six-wall boundary must be established as the Physical Security Perimeter. If it is not possible to establish said six-wall boundary, then the Responsible Entity must deploy alternate measures to protect the Physical Security Perimeter. Note that when a six-wall boundary is not possible, acceptance of risk is not an option. In such cases some form of alternate measure must be deployed to control entry to the Physical Security Perimeter.
• All access points through the Physical Security Perimeter are identified.


18

CIP-006-1 R1 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters, examine the Physical Security Perimeter to ensure:

• The Physical Security Perimeter is completely enclosed by a six-wall boundary. In the case where an alternative measure to a six-wall boundary was implemented:
  - Confirm that installation of a six-wall boundary was not possible;
  - Confirm that the alternative measures are adequate to control access to the Critical Cyber Assets; and
  - Confirm that the alternative measures have been implemented.
• For a sample of Cyber Assets within the associated Electronic Security Perimeter, examine the Cyber Asset to assure it resides within the Physical Security Perimeter.
• Procedures for unescorted access are observed.


19

CIP-006-1 R2 Annotated Text

R2. Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls[1] to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. The Responsible Entity shall implement one or more[2] of the following physical access methods:

[1] Operational and procedural controls are those processes, whether implemented in hardware such as a card key system, or implemented as procedural instructions to people such as security guards, designed to control access to the Physical Security Perimeter.

[2] FERC in Order 706 P 572 stated a preference for “defense in depth,” or implementation of two or more complementary security measures. Until this preference is adopted into the standard, one physical defensive measure is sufficient for compliance with CIP-006-1.


20

CIP-006-1 R2 Annotated Text (cont’d)

R2.1. Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.

R2.2. Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.

R2.3. Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station[3].

R2.4. Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the Critical Cyber Assets.

[3] A central station where multiple access points may be monitored by camera or other method.


21

CIP-006-1 R2 Items for Consideration – Pre-audit

1. Describe the operational and procedural controls that are implemented to manage physical access at access points to the Physical Security Perimeter.

a. Are there any physical access points for which 24-hour/7-day access control cannot be implemented?

b. Are there any personnel, including vendors and contractors, who can bypass the physical access controls? For example, janitorial staff in a leased office environment.


22

CIP-006-1 R2 Possible Audit Approach

For a sample of Physical Security Perimeters, examine the documentation of the physical access controls for each access point. Ensure the documentation addresses:

• Continuous control of access to the Physical Security Perimeter.
• The mechanism used to control access includes one or more of the following:
  - Card key;
  - Special locks;
  - Security personnel; and/or
  - Biometric, keypad, token or other authentication device.


23

CIP-006-1 R2 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters, examine the measures implemented to confirm control of entry at each access point.


24

CIP-006-1 R3 Annotated Text

R3. Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access[1] at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts[2] shall be reviewed immediately[3] and handled in accordance with the procedures specified in Requirement CIP-008. One or more of the following monitoring methods shall be used[4]:

[1] Monitoring requires the recognition of both authorized and unauthorized access attempts.

[2] As there may be many innocuous reasons for an unauthorized access attempt to be signaled by an automated system, the entity will presumably investigate and filter out those innocuous unauthorized attempts before invoking the incident response provisions of CIP-008-1.


25

CIP-006-1 R3 Annotated Text (cont’d)

R3. Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access[1] at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts[2] shall be reviewed immediately[3] and handled in accordance with the procedures specified in Requirement CIP-008. One or more of the following monitoring methods shall be used[4]:

[3] The dictionary definition of “immediately” says, “Without interval of time.” In the context of this standard it should be understood as meaning “without unnecessary or undue delay.”

[4] This is a rare case where the standard is prescriptive. The entity may implement alarms or human observation or both. By the language of the standard nothing else is acceptable.


26

CIP-006-1 R3 Annotated Text (cont’d)

R3.1. Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification[3] to personnel responsible for response[5].

R3.2. Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R2.3.

[3] The dictionary definition of “immediately” says, “Without interval of time.” In the context of this standard it should be understood as meaning “without unnecessary or undue delay.”

[5] The personnel responsible for response are not necessarily those responsible for incident handling per CIP-008-1.


27

CIP-006-1 R3 Items for Consideration – Pre-audit

1. Describe the technical and procedural controls for monitoring physical access at access points to the Physical Security Perimeter.

a. Are there any physical access points for which 24-hour/7-day access monitoring cannot be implemented?

b. How are unauthorized access attempts detected and handled?


28

CIP-006-1 R3 Possible Audit Approach

For a sample of Physical Security Perimeters, examine the documentation of the controls for monitoring physical access at each access point to ensure:

• Monitoring is performed continuously at each access point.
• Unauthorized access attempts are reviewed immediately.
• Unauthorized access attempts are handled in accordance with the incident response procedure developed pursuant to CIP-008.
• One or both of the following methods is used:
  - Alarm systems which provide immediate notification of unauthorized access attempts to response personnel; and/or
  - Human observation of access points.


29

CIP-006-1 R3 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters:

• Examine the measures implemented to monitor entry at each access point.
• If any access point to the Physical Security Perimeter uses an alarm system, select one access point and observe the response as a representative of the Responsible Entity triggers the alarm system. Ensure designated response personnel are notified immediately.


30

CIP-006-1 R4 Annotated Text

R4. Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals[1] and the time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:

[1] If shared or “loaner” credentials are used, such as in the case of a forgotten key card, some mechanism must be in place to uniquely identify the user of such credentials.


31

CIP-006-1 R4 Annotated Text (cont’d)

R4.1. Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.

R4.2. Video Recording: Electronic capture of video images of sufficient quality to determine identity[2].

[2] The resulting images must be able to reliably identify each individual gaining access.


32

CIP-006-1 R4 Annotated Text (cont’d)

R4.3. Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel[3] authorized to control and monitor physical access as specified in Requirement R2.3.

[3] The language of this sub-requirement makes it clear that unsupervised sign-in is not permitted.


33

CIP-006-1 R4 Items for Consideration – Pre-audit

1. How is physical access logged?


34

CIP-006-1 R4 Possible Audit Approach

For a sample of Physical Security Perimeters, examine the documentation of logging mechanisms at each access point to ensure:

• Logging of entry at the access point is continuous.
• Logging identifies the individual obtaining access.
• Logging identifies the date and time access was granted.
• Logging is performed using at least one of the following methods:
  - Computerized logging;
  - Video recording; or
  - Manual logging.


35

CIP-006-1 R4 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters, examine the logging mechanisms at a sample of access points to ensure:

• Logging of entry at each access point is continuous.
• Logging identifies the individual obtaining access. If shared or “loaner” access credentials are sometimes used, ensure a log is kept of the assignment and return of these access credentials.
• If computerized logging is used, examine a sample of the log to ensure:
  - Individuals are identified; and
  - The date and time of access are recorded.


36

CIP-006-1 R4 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters, examine the logging mechanisms at a sample of access points to ensure:

• If video recording is used, review a sample of such recording to ensure the images are of sufficient quality to determine an individual’s identity.
• If manual logging is used, examine the log to ensure:
  - Individual identities are recorded;
  - The authorizing party is recorded; and
  - Date and time of entry are recorded.


37

CIP-006-1 R5 Annotated Text

R5. Access Log Retention — The responsible entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008[1].

[1] Three calendar years


38

CIP-006-1 R5 Items for Consideration – Pre-audit

1. How are access logs retained for the required minimum 90-day period?

2. How are access logs related to reportable incidents retained for the required three-year period?


39

CIP-006-1 R5 Possible Audit Approach

For the logs reviewed pursuant to Requirement R4 above, ensure the physical access logs are kept for at least 90 calendar days.

Ensure provision is made to keep logs related to reportable incidents in accordance with the requirements of CIP-008-1.

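The R4 audit steps above ask whether a computerized log identifies the individual and the date and time, with loaner credentials resolved through an assignment-and-return record, and R5 then fixes how long each entry must be kept. The following script is an added example, not part of the ReliabilityFirst presentation, that runs those two checks over a constructed card-reader export; the log format, the field names, the loaner-log layout and the way incident-related entries are tagged are all assumptions for illustration.

```python
"""Added example (not from the presentation): audit a computerized physical
access log for CIP-006-1 R4 attribution and compute R5 retention dates.
All sample data is constructed; the export format is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: one "timestamp,access_point,credential" line per
# granted entry (assumed export format of a card-key system).
ACCESS_LOG = """\
2009-08-19T07:58:12,DOOR-CC-01,CARD-1001
2009-08-19T08:02:40,DOOR-CC-01,CARD-1002
2009-08-19T09:15:03,DOOR-CC-02,LOANER-07
2009-08-19T14:40:55,DOOR-CC-02,LOANER-07
2009-08-19T22:10:00,DOOR-CC-01,LOANER-07
"""

# Constructed: permanent credential assignments.
CARD_HOLDERS = {"CARD-1001": "A. Operator", "CARD-1002": "B. Technician"}

# Constructed: loaner credential log (credential, holder, issued, returned),
# the assignment/return record the R4 audit approach asks for.
LOANER_LOG = [
    ("LOANER-07", "C. Contractor",
     datetime(2009, 8, 19, 9, 0), datetime(2009, 8, 19, 17, 0)),
]

# Constructed: (timestamp, access point) keys of entries tied to a
# reportable incident handled under CIP-008.
INCIDENT_RELATED = {("2009-08-19T22:10:00", "DOOR-CC-01")}

RETENTION_DEFAULT = timedelta(days=90)  # R5: at least ninety calendar days
RETENTION_INCIDENT_YEARS = 3            # R5 annotation: three calendar years


@dataclass
class Entry:
    timestamp: datetime
    access_point: str
    credential: str


def parse_log(text: str) -> list[Entry]:
    """Parse the constructed CSV export into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, point, cred = line.split(",")
        entries.append(Entry(datetime.fromisoformat(ts), point, cred))
    return entries


def resolve_individual(credential: str, at: datetime) -> Optional[str]:
    """Map a credential to a person. A loaner credential resolves only while
    the assignment log shows it checked out; outside that window the entry
    cannot be uniquely attributed, which is what R4 requires."""
    if credential in CARD_HOLDERS:
        return CARD_HOLDERS[credential]
    for cred, holder, issued, returned in LOANER_LOG:
        if cred == credential and issued <= at <= returned:
            return holder
    return None


def retain_until(entry: Entry) -> datetime:
    """R5 retention: 90 calendar days, or three calendar years when the
    entry is linked to a reportable incident."""
    key = (entry.timestamp.isoformat(), entry.access_point)
    if key in INCIDENT_RELATED:
        return entry.timestamp.replace(
            year=entry.timestamp.year + RETENTION_INCIDENT_YEARS)
    return entry.timestamp + RETENTION_DEFAULT


def audit_log(text: str) -> list[dict]:
    """Attribute every entry and compute its retention date."""
    results = []
    for e in parse_log(text):
        results.append({
            "timestamp": e.timestamp,
            "access_point": e.access_point,
            "credential": e.credential,
            "individual": resolve_individual(e.credential, e.timestamp),
            "retain_until": retain_until(e),
        })
    return results


def findings(results: list[dict]) -> list[str]:
    """One finding per entry that does not uniquely identify an individual."""
    return [
        f"{r['timestamp'].isoformat()} {r['access_point']}: credential "
        f"{r['credential']} not attributable to an individual"
        for r in results if r["individual"] is None
    ]


if __name__ == "__main__":
    res = audit_log(ACCESS_LOG)
    for r in res:
        print(r["timestamp"], r["access_point"], r["individual"],
              "retain until", r["retain_until"].date())
    for f in findings(res):
        print("FINDING:", f)
```

On the constructed data the 22:10 entry is the one an auditor would flag: the loaner card was returned at 17:00, so the entry names a credential but not a person, and because it is tied to a reportable incident its retention date is three years out rather than ninety days.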

40

CIP-006-1 R6 Annotated Text

R6. Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R2, R3, and R4 function properly. The program must include, at a minimum, the following:

R6.1. Testing and maintenance of all physical security mechanisms on a cycle no longer than three years[1].

[1] See the discussion of time-based terminology in the CIP-002 presentation.


41

CIP-006-1 R6 Annotated Text (cont’d)

R6.2. Retention of testing and maintenance records[2] for the cycle determined by the Responsible Entity in Requirement R6.1.

[2] The installation of a new physical security system may be reasonably presumed to have been the initial testing and maintenance of the system. Systems older than the cycle time identified in the testing and maintenance program must have been tested and maintained no longer than one cycle ago at the initial compliance date. In other words, a clock starts at the last documented testing and maintenance date (or the installation date) for each system. If the time on that clock exceeds the identified cycle time, then the testing and maintenance for that physical security system is overdue.


42

CIP-006-1 R6 Annotated Text (cont’d)

R6.3. Retention of outage records[3] regarding access controls, logging, and monitoring for a minimum of one calendar year[4].

[3] Retention of outage records implies the requirement to keep outage records.

[4] See the separate discussion of time-based terminology above. This is an unusual situation in that records need only be kept for one calendar year. The most conservative reading of this language would indicate that outage records need be kept for only the current calendar year. Any correction of this deficiency must be done through an interpretation or revision of the standard via the standards development process.


43

CIP-006-1 R6 Items for Consideration – Pre-audit

1. How are physical access controls tested? Are physical access controls at high traffic, readily accessible sites (such as control centers) tested more frequently than remote, infrequently accessed sites (such as substations)?

2. How are outages of physical access control, logging, and monitoring systems detected and logged?


44

CIP-006-1 R6 Possible Audit Approach

For each Physical Security Perimeter, identify the Responsible Entity’s associated maintenance and testing program for physical security systems. The language of the standard indicates that each Entity must have one maintenance and testing program. Note that the Responsible Entity may have one maintenance and testing program per function for which the entity is registered.


45

CIP-006-1 R6 Possible Audit Approach (cont’d)

For each maintenance and testing program identified, ensure:

• The maintenance and testing program applies to all systems used for:
  - Physical access control;
  - Physical access monitoring;
  - Physical access alerting; and
  - Physical access logging.
• The maintenance and testing program ensures that all applicable systems function properly.


46

CIP-006-1 R6 Possible Audit Approach (cont’d)

For each maintenance and testing program identified, ensure:

• The maintenance and testing program is executed on a cycle determined by the Responsible Entity. Said cycle may not be longer than three years.
• The maintenance and testing program requires records of the results of execution of the program to be kept for at least one full cycle.
• The maintenance and testing program requires outage records to be kept for all applicable systems.
• The maintenance and testing program requires a retention period of one calendar year for outage records.


47

CIP-006-1 R6 Possible Audit Approach (cont’d)

For a sample of Physical Security Perimeters, examine the schedule for execution of the maintenance and testing program. If no execution of the program has yet occurred, no further action is needed. If an execution of the program has occurred, examine the records of the most recent execution of the program.

For a sample of Physical Security Perimeters, examine the outage records for all applicable systems. Ensure the outage records are kept for at least one year.
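The R6.2 annotation describes a per-system clock that starts at the last documented test (or the installation date) and runs out after one cycle, and the audit approach adds that the cycle itself may not exceed three years. The script below is an added example, not from the ReliabilityFirst presentation, that applies both rules to a constructed inventory of physical security systems; the system names, dates and cycle lengths are assumptions, and cycles are expressed in months so the three-year cap is 36.

```python
"""Added example (not from the presentation): the CIP-006-1 R6.1/R6.2
testing-and-maintenance clock with the three-year cycle cap.
The inventory below is constructed; names, dates and cycles are assumptions."""
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_CYCLE_MONTHS = 36  # R6.1: cycle no longer than three years


@dataclass
class PhysicalSecuritySystem:
    name: str
    installed: date
    last_tested: Optional[date]  # None: no documented test since installation
    cycle_months: int            # the cycle the entity set in its program


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic; the day is clamped to the target
    month (Jan 31 + 1 month -> Feb 28)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def clock_start(system: PhysicalSecuritySystem) -> date:
    """The clock starts at the last documented test; with no test on record
    the installation is treated as the initial testing and maintenance."""
    return system.last_tested or system.installed


def due_date(system: PhysicalSecuritySystem) -> date:
    """Date on which the clock reaches one full cycle."""
    return add_months(clock_start(system), system.cycle_months)


def assess(system: PhysicalSecuritySystem, today: date) -> str:
    """'cycle_exceeds_limit' when the program's cycle is longer than three
    years, 'overdue' when the clock has run past the cycle, else 'current'."""
    if system.cycle_months > MAX_CYCLE_MONTHS:
        return "cycle_exceeds_limit"
    return "overdue" if today > due_date(system) else "current"


def assess_program(systems: list[PhysicalSecuritySystem],
                   today: date) -> dict[str, str]:
    """Status of every system in the inventory as of the audit date."""
    return {s.name: assess(s, today) for s in systems}


# Constructed inventory of systems covered by R2, R3 and R4.
INVENTORY = [
    PhysicalSecuritySystem("CC card key system", date(2005, 3, 1),
                           date(2008, 11, 15), 12),
    PhysicalSecuritySystem("Substation door alarm", date(2006, 6, 30),
                           None, 36),
    PhysicalSecuritySystem("CC video recorder", date(2009, 7, 1),
                           None, 36),
    PhysicalSecuritySystem("Gate special lock", date(2004, 9, 12),
                           date(2007, 1, 31), 48),
]
AUDIT_DATE = date(2009, 8, 19)  # constructed audit date

if __name__ == "__main__":
    for system in INVENTORY:
        print(f"{system.name}: clock started {clock_start(system)}, "
              f"due {due_date(system)}, {assess(system, AUDIT_DATE)}")
```

The substation alarm shows the case the annotation is about: never tested since a 2006 installation, so its 36-month clock started at installation and ran out in June 2009. The gate lock is a program defect rather than a missed test, since a 48-month cycle is longer than the standard allows regardless of when it was last serviced.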
