Cyber Security Plan Template

Download as pdf or txt
Download as pdf or txt
You are on page 1of 63
At a glance
Powered by AI
The key takeaways are that the document outlines a cyber security plan for an organization, addressing people, processes, and technology risks through policies, training, risk assessments, and security controls.

The purpose of the cyber security plan is to protect the organization's information systems and assets from cyber threats and ensure regulatory compliance.

The plan aims to address people and policy risks, process risks, and technology risks to the organization's information systems and data.

<<Name of Co-op>> Cyber Security Plan

<<date>>

Prepared by:

1 of 63
<<Name of Co-op>> Cyber Security Plan

Table of Contents
Preface...................................................................................................................................... 4
Purpose ................................................................................................................................ 4
Scope .................................................................................................................................... 4
Target Audience.................................................................................................................. 4
Contacts ............................................................................................................................... 4
Using the Template ................................................................................................................. 5
Executive Summary ................................................................................................................ 6
Building a Risk Management Program ................................................................................ 7
Risk Management Program Plan ...................................................................................... 8
Addressing People and Policy Risks ...................................................................................... 9
Cyber Security Policy ......................................................................................................... 9
Cyber Security Policy Plan .............................................................................................. 10
Personnel and Training .................................................................................................... 11
Personnel and Training Plan ........................................................................................... 12
Addressing Process Risks ..................................................................................................... 13
Operational Risks ............................................................................................................. 13
Operational Risk Plan ...................................................................................................... 14
Insecure Software Development Life Cycle (SDLC) Risks ........................................... 15
Secure SDLC Plan ............................................................................................................ 16
Physical Security Risks .................................................................................................... 17
Physical Security Plan ...................................................................................................... 18
Third-Party Relationship Risks ...................................................................................... 18
Third-Party Relationship Plan ........................................................................................ 20
Addressing Technology Risks .............................................................................................. 21
Network Risks ............................................................................................................... 21
Network Security Plan ..................................................................................................... 26
Platform Risks .............................................................................................................. 27
Platform Security Plan ..................................................................................................... 29
Application Layer Risks .............................................................................................. 30
Application Security Plan ................................................................................................ 30
Security Requirements and Controls For Each Smart Grid Activity Type .................... 32
Advanced Metering Infrastructure (AMI) ..................................................................... 32
Advanced Metering Infrastructure Plan ........................................................................ 34
Meter Data Management (MDM) ................................................................................... 35
Meter Data Management Plan ........................................................................................ 36
Communication Systems (COMM)................................................................................. 36
Communication Systems Plan ......................................................................................... 38
Supervisory Control and Data Acquisition (SCADA) ................................................... 38
Supervisory Control and Data Acquisition (SCADA) Plan .......................................... 41
In-Home Display (IHD) / Web Portal Pilots .................................................................. 41

2 of 63
In-Home Display (IHD)/Web Portal Pilots Plan ............................................................ 42
Demand Response over Advanced Metering Infrastructure (AMI) Networks ........... 43
Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan .. 43
Interactive Thermal Storage............................................................................................ 44
Interactive Thermal Storage Plan ................................................................................... 45
Smart Feeder Switching ................................................................................................... 45
Smart Feeder Switching Plan .......................................................................................... 46
Advanced Volt/VAR Control........................................................................................... 47
Advanced Volt/VAR Control Plan .................................................................................. 47
Conservation Voltage Reduction (CVR) ........................................................................ 48
Conservation Voltage Reduction (CVR) Plan................................................................ 49
Appendix A: Reference Documentation ............................................................................. 50
Security Standards ........................................................................................................... 50
National Institute of Standards and Technology Special Publications ........................ 50
Other Guidance Documents ............................................................................................ 52
Appendix B: Glossary ........................................................................................................... 54
Appendix C: Acronyms ........................................................................................................ 60
Appendix D: Minimum Security Requirements ................................................................ 61

3 of 63
<<Name of Co-op>> Cyber Security Plan Table of Contents

Preface

Purpose
This plan baselines existing cyber security–related activities and controls at our organization
against the Guide to Developing a Cyber Security and Risk Mitigation Plan. For areas covered
by existing processes and/or technologies, the plan briefly documents how and where this is
accomplished. For identified gaps, the plan documents current deviation from the
recommended security controls and specifies whether to accept or mitigate the risk, the
actions needed to close the gaps, the responsible party, and the implementation timeline.

Scope
This plan goes through the cyber security controls that our organization already has in place
or plans to implement in order to mitigate the risks introduced by smart grid technologies.

Target Audience
Security team, IT organization, leadership team.

Contacts
The following are the primary individuals who assisted in preparation of the cyber security
plan:
Contact Title Contact E-mail Address
<<list individuals>>

4 of 63
Using the Template

Each section of the template is divided into two subsections. The first contains a table for identifying best
practices and their current use in the cooperative:

Figure 1. Use of the Best Practices Table

Using the dropdown box, select the option that best describes the cooperative’s status regarding the best
practice.
 If the cooperative is fully compliant with the best practice, select “Yes.”
 If the cooperative is partially compliant with the best practice, select “Partial.”
 If the cooperative is not compliant with the best practice, select “No.”

To list documents where the cooperative’s implementation of the best practice is described, use the
“Associated Documentation” column.

The second subsection contains a table for listing deviations from the recommended best practices
(those marked as “Partial” or “No” in the first table), decisions to accept or mitigate the risk posed by not
implementing the best practices, the person or group responsible for the risk’s acceptance or mitigation,
the estimated completion date (if applicable), and a strategy for mitigating the risk (if applicable).

Figure 2. Use of the Deviation Table

Again, use this table to list all security activities or controls that are currently either partially in
place or not in place. For each identified activity or control, describe the way in which the
cooperative does not meet the best practice as captured in the Guide to Developing a Cyber Security
and Risk Mitigation Plan. Use the dropdown box to either “Accept” or “Mitigate” the risk posed by
not implementing the best practice. Assign a person or group responsible for mitigating or
accepting the risk posed by not implementing the best practice. Provide an estimated completion
date of mitigation in the “Estimated Completion Date” column, or use “n/a” for risk acceptance.
Describe the strategy that will be used to implement the activity or control, or use “n/a” for risk
acceptance.

5 of 63
<<Name of Co-op>> Cyber Security Plan Executive Summary

Executive Summary
This document provides checklists of security activities and controls designed to help an electric cooperative improve the security posture of
its smart grid. The checklists are drawn from the Guide to Developing a Cyber Security and Risk Mitigation Plan and provide a mechanism to
baseline existing security activities and controls against recommended best practices, identify gaps, capture the decision for risk acceptance
or mitigation, and document an appropriate plan of action.
Each section contains tables; filling these will help the electric cooperative to:
 Identify missing activities and security controls.
 Consolidate planned activities and controls per topic.
 Prioritize activity and control implementation.
 Track activity and control implementation.
It is important to note that implementing security activities and controls should be done with care and sufficient planning. The environment
will require testing to ensure that changes to controls do not break important functionality or introduce new risks.
This document provides cyber security planning support in each of the following categories:
 People and policy security
 Operational security
 Insecure software development life cycle (SDLC)
 Physical security
 Third-party relationship
 Network security
 Platform security
 Application security

6 of 63
<<Name of Co-op>> Cyber Security Plan Building a Risk Management Program

Building a Risk Management Program


No usable system is 100 percent secure or impenetrable. The goal of a risk management program is to identify the risks, understand their
likelihood and impact on the business, and then put in place security controls that mitigate the risks to a level acceptable to the organization.
In addition to assessment and mitigation, a robust risk management program includes ongoing evaluation and assessment of cyber security
risks and controls throughout the life cycle of smart grid component software.
The following checklist summarizes security best practices and controls that an organization should consider implementing. For more details
on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

 Activity / Security Control Rationale Associated Documentation


Choose Provide active executive sponsorship. Active and visible support from executive management at
an each stage of planning, deploying, and monitoring
item. security efforts is crucial to success.
Choose Assign responsibility for security risk Have security risk mitigation, resource-allocation
an management to a senior manager. decisions, and policy enforcement roll up to a clearly
item. defined executive with the requisite authority.
Choose Define the system. Careful system definitions are essential to the accuracy of
an vulnerability and risk assessments and to the selection of
item. controls that will provide adequate assurances of cyber
security.
Choose Identify and classify critical cyber It is important to understand the assets that may need to
an assets. be protected, along with their classification (e.g.,
item. confidential information, private information, etc.). That
way an informed decision can be made as to the controls
needed to protect these assets, commensurate with risk
severity and impact to the business.
Choose Identify and analyze the electronic To build a threat model, it is important to understand the
an security perimeter(s) (ESPs). entry points that an adversary may use to go after the
item. assets of an organization. The threat model then becomes
an important component of the risk assessment.

7 of 63
<<Name of Co-op>> Cyber Security Plan Building a Risk Management Program

 Activity / Security Control Rationale Associated Documentation


Choose Perform a vulnerability assessment. Realistic assessments of (a) weaknesses in existing
an security controls and (b) threats and their capabilities
item. create the basis for estimating the likelihood of successful
attacks. They also help to prioritize remedial actions.
Choose Assess risks to system information and The risk assessment combines the likelihood of a
an assets. successful attack with its assessed potential impact on the
item. organization’s mission and goals. It helps ensure that
mitigation efforts target the highest security risks and
that the controls selected are appropriate and cost-
effective for the organization.
Choose Select security controls. Appropriate management, operational, and technical
an controls cost-effectively strengthen defenses and lower
item. risk levels. In addition to assessed risks, selection factors
might include the organization’s mission, environment,
culture, and budget.
Choose Monitor and assess the effectiveness of Effective testing and ongoing monitoring and evaluation
an controls. can provide a level of confidence that security controls
item. adequately mitigate perceived risks.

Risk Management Program Plan


The table below outlines the activities and controls that are currently missing from the risk management of the organization. Each activity
row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its
implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Mitigate

8 of 63
<<Name of Co-op>> Cyber Security Plan Addressing People and Policy Risks

Addressing People and Policy Risks


Training people to adopt security conscious behaviors and establishing policies for maintaining a secure environment go a long way toward
improving an organization’s overall security posture. The next two sections cover the people and policy dimensions of cyber security.

Cyber Security Policy

 Activity / Security Control Rationale Associated Documentation


Choose Assign responsibility for developing, The development and implementation of effective
an implementing, and enforcing cyber security security policies, plans, and procedures require the
item. policy to a senior manager. Ensure that the collaborative input and efforts of stakeholders in
senior manager has the requisite authority many departments of the organization. Assigning a
across departments to enforce the policy. senior manager to organize and drive the efforts,
with the authority to make and enforce decisions at
each stage, raises the chances of success.
Choose Define security-related roles and Employees at virtually every organizational level
an responsibilities. have responsibility for some part of developing or
item. applying security policies and procedures. Defined
roles and responsibilities will clarify decision-
making authority and responsibility at each level,
along with expected behavior in policy
implementation. Creating a multidisciplinary
oversight committee ensures that all stakeholders
are represented.
Choose Identify security aspects to be governed by An effective security program requires policies and
an defined policies. procedures that address a wide range of
item. management, personnel, operational, and technical
issues.

9 of 63
<<Name of Co-op>> Cyber Security Plan Addressing People and Policy Risks

 Activity / Security Control Rationale Associated Documentation


Choose Document a brief, clear, high-level policy The high-level policy statements express three
an statement for each aspect identified. things:
item.  The organization management’s commitment to
the cyber security program.
 The high-level direction and requirements for
plans and procedures addressing each area.
 A framework to organize lower-level
documents.
Choose Reference lower-level policy documents. Lower-level policies, plans, and procedures provide
an the details needed to put policy into practice.
item.
Choose Define the implementation plan and A careful rollout of the program, well-documented
an enforcement mechanisms. policies that are accessible to the personnel they
item. affect, and clearly communicated consequences of
violating policies will help ensure compliance.
Choose Define a policy management plan. This will help maximize compliance by providing
an mechanisms to:
item.  Request, approve, document, and monitor policy
exceptions.
 Request, approve, implement, and communicate
changes to policies, plans, and procedures.

Cyber Security Policy Plan


The table below outlines the activities and controls that are currently missing from the cyber security policy of the organization. Each activity
row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its
implementation and maintenance.

10 of 63
<<Name of Co-op>> Cyber Security Plan Addressing People and Policy Risks

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Personnel and Training


Insufficiently trained personnel are often the weakest security link in the organization’s security perimeter and are the target of social
engineering attacks. It is therefore crucial to provide adequate security awareness training to all new hires, as well as refresher training to
current employees on a yearly basis.
The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For
more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk
Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Adequately vet candidates for hire. Provide a level of confidence that new hires are
an trustworthy.
item.
Choose Establish a security-awareness program. Ensure that all personnel have an understanding of
an sensitive information, common security risks, and
item. basic steps to prevent security breaches. Further,
ensure that personnel develop habits that would
make them less susceptible to social engineering
attacks.
Choose Train employees who have access to protected Ensure that employees who have electronic or
an assets. physical access to critical assets know how to
item. handle the assets securely and how to report and
respond to cyber security incidents.

11 of 63
<<Name of Co-op>> Cyber Security Plan Addressing People and Policy Risks

 Activity / Security Control Rationale Associated Documentation


Choose Enforce “least privilege” access to cyber assets Ensure that employees have only the privileges they
an and periodically review access privileges. need to perform their jobs.
item.

Personnel and Training Plan


The table below outlines the activities and controls that are currently missing from the personnel and training plan of the organization. Each
activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for
its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

12 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

Addressing Process Risks


Process gaps leave the door open to an adversary. For instance, failure to conduct a vulnerability assessment of a system when introducing
new functionality may allow a security weakness to go undetected. To provide another example, lack of periodic review of system logs may let
a breach go undetected. Instituting and following proper security processes is vital to the security of an organization.

Operational Risks
The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For
more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk
Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Perform periodic risk assessment and Maintain a fresh picture of the effectiveness of the
an mitigation, including threat analysis and organization’s security control versus threats facing
item. vulnerability assessments. the organization.
Choose Control, monitor, and log all access to protected Prevent unauthorized access to assets, detect
an assets. unauthorized access to assets, and enforce
item. accountability.
Choose Redeploy or dispose of protected assets Ensure that the redeployment or disposal of cyber
an securely. assets does not inadvertently expose sensitive
item. information to unauthorized entities.
Choose Define and enforce secure change control and Ensure that system changes do not “break” security
an configuration- management processes. controls established to protect cyber assets.
item.
Choose Create and document incident-handling policies, Ensure that the organization is prepared to act
an plans, and procedures. quickly and correctly to avert or contain damage
item. after a cyber security incident.
Choose Create and document contingency plans and Ensure that the organization is prepared to act
an procedures. quickly and correctly to recover critical assets and
item. continue operations after a major disruption.

13 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

 Activity / Security Control Rationale Associated Documentation


Choose Train employees in incident handling and Ensure that personnel responsible for responding
an contingency plans. to cyber incidents or major disruptions have a firm
item. grasp of response plans and can execute them
under stress.

Operational Risk Plan


The table below outlines the activities and controls that are currently missing from the operational risk plan of the organization. Each activity
row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its
implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

14 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

Insecure Software Development Life Cycle (SDLC) Risks


Secure software is a product of a secure software development process. If the organization develops software internally, it should
make sure that it does so by leveraging security activities during the various phases of software development.
The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Document misuse / abuse cases. Think of ways in which system functionality can
an be abused so that protections can be built in to
item. prevent that abuse.
Choose Document security requirements. Explicitly call out security requirements of the
an system so that software can be designed,
item. implemented, and tested to ensure that these
requirements have been met.
Choose Build a threat model. Enumerate the ways in which an adversary may
an try to compromise the system so that the system
item. can be designed from the get-go to resist such
attacks.
Choose Perform architecture risk analysis. Compare the system’s architecture against a
an threat model to ensure that sufficient security
item. controls are in place to prevent successful
attacks.
Choose Define secure implementation guidelines. Ensure that developers use defensive
an programming techniques when implementing
item. the system in order to avoid introducing security
weaknesses.

15 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

 Activity / Security Control Rationale Associated Documentation


Choose Perform secure code reviews. Ensure that software complies with security
an implementation guidelines, that security controls
item. are properly implemented, and that the
implementation itself does not introduce any
new security risks.
Choose Perform risk-based security testing. Run through top risks identified during the
an threat modeling and architecture risk analysis
item. processes to ensure that the system has been
designed and implemented in a way that
mitigates these risks.
Choose Have penetration testing conducted. Gain assurance from a qualified third party that
an the software built by your organization is secure.
item.
Choose Create a Secure Deployment and Operations Provide the teams deploying and operating the
an Guide. software in production with whatever
item. knowledge they need in order to ensure that
software security requirements are met.

Secure SDLC Plan


The table below outlines the activities and controls that are currently missing from the Secure SDLC of the organization. Each activity
row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for
its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

16 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

Physical Security Risks


Physical security measures aimed at protecting critical infrastructure of the smart grid are of paramount importance and form a key
element of the overall security strategy. While other controls need to exist for defense in depth in case the adversary is successful in
gaining physical access, physical security concerns should not be underestimated.
The following checklist summarizes the various security best practices and controls that you should consider implementing. For
more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and
Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Document, implement, and maintain a Ensure that physical security is considered in a
an physical security plan. structured manner that can be tracked.
item.
Choose The organization must document and Ability to detect unauthorized access attempts.
an implement the technical and procedural Take appropriate action if unauthorized access
item. controls for monitoring physical access at all occurred.
access points at all times.
Choose All physical access attempts (successful or Ability to detect unauthorized access attempts.
an unsuccessful) should be logged to a secure Take appropriate action if unauthorized access
item. central logging server. occurred.
Choose Physical access logs should be retained for at Ability to perform historical analysis of physical
an least 90 days. access.
item.
Choose Each physical security system must be tested Ensure that proper physical security posture is
an at least once every three years to ensure it maintained.
item. operates correctly.
Choose Testing and maintenance records must be Ability to understand what was tested and
an maintained at least until the next testing cycle. improve testing procedures.
item.
Choose Outage records must be retained for at least Ability to investigate causes of outages and tie
an one calendar year. them to unauthorized physical access.
item.

17 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

Physical Security Plan


The table below outlines the activities and controls that are currently missing from the physical security of the organization. Each
activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party
responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Third-Party Relationship Risks


The security posture and practices of cooperative vendors and partners may introduce risks into the electric cooperative
organization. If a cooperative acquires software from a vendor that did not pay attention to security during the software’s
development, that introduces a risk. If a cooperative utilizes a service from a provider that does not take proper precautions to
safeguard the data that the cooperative places in its possession, that introduces a risk. Such risks must be managed.
The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.

 Activity / Security Control Rationale Associated Documentation


Choose Perform due diligence on each vendor and Verify the business, financial, and security
an partner organization to understand its reputation of your vendor / partner
item. business, financial, and security track record. organization.

18 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

 Activity / Security Control Rationale Associated Documentation


Choose Ask the right questions during the request for Ensure that the security practices of the vendor /
an proposal (RFP) process to understand the partner organization comply with your own
item. security posture and practices of the partner organization’s security policy. Ensure that the
organization, and in particular whether their purchased product / service meets your
offerings meet your organization’s security organization’s security requirements.
requirements. Compare the security policies
and procedures of a third party against your
organization’s own security policy to ensure
compliance.
Choose Review the hiring practices and personnel Make sure that your vendor / partner
an background checks of your vendors and organization’s background checks during hiring
item. partners to ensure that they comply with your process are consistent with your own. If people
organization’s policies. who work at your vendor / partner are not
trustworthy, neither is anything they produce.
Choose Conduct periodic audits and monitoring of the Make sure that your vendor / partner complies
an third-party organization to ensure adherence with their own security policies and procedures.
item. to their security policies and procedures.
Choose For software purchases, request a trusted Increase the likelihood that the product supplied
an independent third-party review, to include a by your vendor / partner is secure.
item. report outlining the discovered security
weaknesses in the product.
Choose Ensure that service level agreements (SLAs) Seek a contractual obligation that helps your
an and other contractual tools are properly organization transfer some of the security risks.
item. leveraged so that vendors and partners live
up to their obligations. For instance, if a
breach occurs at a partner organization, there
needs to be a provision to have your
organization notified of the full extent of the
breach as soon as the information is available.

19 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks

 Activity / Security Control Rationale Associated Documentation


Choose Request evidence from software vendors that Ensure that the product supplied to your
an their SDLC makes use of building security in organization by your vendor / partner has been
item. activities. designed and built with security in mind.
Choose Ask your organizations’ vendors and partners Ensure that none of the third-party components
an about the process that they use to ensure the that your vendor / partner used in its product or
item. security of the components and services that service introduces security weaknesses.
they receive from their own suppliers in order
to ascertain appropriate due diligence.

Third-Party Relationship Plan


The table below outlines the activities and controls that are currently missing from the third-party relationship policy of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

20 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

Addressing Technology Risks


Information technology (IT) is at the heart of the smart grid. As its spreading use helps the smart grid achieve higher operational
efficiencies, it also makes the electrical grid more vulnerable to cyber security attacks. It is therefore important to ensure that the way
in which IT is used does not inadvertently provide new avenues of attack to an adversary. Further, IT itself should be applied to
institute security controls that will help guard the smart grid ecosystem against successful attacks, as well as enhance the system’s
ability to detect, isolate, and recover from breaches of security.

Network Risks
Networks are the communication pipes that connect everything together, enabling the flow of information. Networks are at the heart
of the smart grid because without the information flow that they enable, smart behavior is not possible. For instance, a system load
cannot be adjusted if information from smart meters does not find its way to the SCADA system. Therefore, the energy savings that
result from adjusting a load cannot be realized, unless an action is taken based on reliable information that made its way from the
smart meters to the SCADA via a communications network. On the other hand, if an adversary is able to tamper with meter data in a
way that cannot be detected and to thus feed incorrect data to the SCADA, an incorrect action may be taken by the grid, resulting in
undesired consequences.
The following checklist summarizes the various security best practices and controls that you should consider implementing. For more
details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk
Mitigation Plan.

 Activity / Security Control Rationale Associated Documentation


Choose Restrict user-assigned devices to specific network Least privilege through network
an segments. segmentation.
item.
Choose Firewalls and other boundary security mechanisms Provide security by default.
an that filter or act as a proxy for traffic moving from
item. network segment to another of a different security
level should default to a “deny all” stance.

21 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Requests for allowing additional services through a Centrally manage access according to
an firewall or other boundary protection mechanism business need.
item. should be approved by the information security
manager.

Choose The flow of electronic communications should be Confine sensitive electronic communication
an controlled. Client systems should communicate with to established trust zones.
item. internal servers; these internal servers should not
communicate directly with external systems, but
should use an intermediate system in your
organization’s DMZ. The flow of traffic should be
enforced through boundary protection mechanisms.

Choose Protect data in transit. Preserve the confidentiality and integrity of


an data in transit.
item.
Choose Protect domain name service (DNS) traffic. Ensure that data is routed to the right parties.
an
item.
Choose Use secure routing protocols or static routes. Avoid the disclosure of information on
an internal routing.
item.
Choose Deny use of source routing. Prevent denial-of-service attacks.
an
item.

22 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Use technologies like firewalls and virtual local area Achieve network segmentation to achieve
an networks (VLANs) to properly segment your compartmentalization.
item. organization’s network in order to increase
compartmentalization (e.g., machines with access to
business services like e-mail should not be on the
same network segment as your SCADA machines).
Routinely review and test your firewall rules to
confirm expected behavior.

Choose Separate development, test, and production Avoid production data leaks into test
an environments. environments. Have controls in place around
item. access to and changes in the production
environment.

Choose Ensure channel security of critical communication Secure data in transit.


an links with technologies like Transport Layer Security
item. (TLS). Where possible, implement Public Key
Infrastructure (PKI) to support two-way mutual
certificate-based authentication between nodes on
your network.

Choose Ensure that proper certificate and key management Ensure that cryptographic protection is not
an practices are in place. Remember that cryptography undermined through improper certificate or
item. does not help if the encryption key is easy to key management.
compromise. Ensure that keys are changed
periodically and that they can be changed right away
in the event of compromise.

Choose Ensure confidentiality of data traversing your Secure data in transit.


an networks. If channel-level encryption is not possible,
item. apply data-level encryption to protect the data
traversing your network links.

23 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Ensure integrity of data traversing your networks Preserve data integrity.
an through use of digital fingerprints and signed hashes.
item. If TLS is not used, ensure that other protections from
man-in-the-middle attacks exist. Use time stamps to
protect against replay attacks.

Choose Ensure availability of data traversing your networks. Detect failures and promote fault tolerance.
an If a proper acknowledgement (ACK) is not received
item. from the destination node, ensure that provisions are
in place to resend the packet. If that still does not
work, reroute the packet via a different network link.
Implement proper physical security controls to make
your network links harder to compromise.

Choose Ensure that only standard, approved, and properly Use proven protocols that have been
an reviewed communication protocols are used on your examined for security weaknesses.
item. network.

Choose Use intrusion detection systems (IDSs) to detect any Detect intrusions.
an anomalous behavior on your network. If anomalous
item. behavior is encountered, have a way to isolate the
potentially compromised nodes on your network
from the rest of the network.

Choose Ensure that sufficient number of data points exist Avoid taking actions based on incorrect data.
an from devices on your network before the smart grid
item. takes any actions based on that data. Never take
actions based on the data coming from network
nodes that may have been compromised.

24 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Ensure that all settings used on your network Secure configuration.
an hardware have been set to their secure settings and
item. that you fully understand the settings provided by
each piece of hardware. Do not assume that default
settings are secure.

Choose Disable all unneeded network services. Reduce attack surface.


an
item.
Choose Routinely review your network logs for anomalous / Detect intrusion.
an malicious behavior via automated and manual
item. techniques.

Choose Ensure that sufficient redundancy exists in your Ensure continuity of operations.
an network links so that rerouting traffic is possible if
item. some links are compromised.

Choose Before granting users access to network resources, Enforce accountability.


an ensure that they are authenticated and authorized
item. using their own individual (i.e., nonshared)
credentials.

Choose Limit remote access to your networks to an absolute Prevent unauthorized access.
an minimum. When required, use technologies like
item. Virtual Private Networks (VPNs, IPSec) to create a
secure tunnel after properly authenticating the
connecting party using their individual credentials. In
addition to a user name and password, also use an
RSA ID-like device to provide an additional level of
authentication.

Choose Implement remote attestation techniques for your Prevent unauthorized modification of
an field devices (e.g., smart meters) to ensure that their firmware on field equipment.
item. firmware has not been compromised

25 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Require a heartbeat from your field equipment at an Detect tampering with field equipment.
an interval known to the piece of equipment and to the
item. server on your internal network. If a heartbeat is
missed or comes at the wrong time, consider treating
that piece of equipment as compromised / out of
order and take appropriate action.

Choose Ensure that the source of network time is accurate Maintain accurate network time.
an and that accurate time is reflected on all network
item. nodes for all actions taken and events logged.

Choose Document the network access level that is needed for Maintain control over access to network
an each individual or role at your organization and grant resources and keep it to a necessary
item. only the required level of access to these individuals minimum.
or roles. All exceptions should be noted.

Choose All equipment connected to your network should be Control hardware that gets connected to your
an uniquely identified and approved for use on your organization’s network.
item. organization’s network.

Network Security Plan


The table below outlines the activities and controls that are currently missing from the network security plan of the organization.
Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party
responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

26 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

Platform Risks
Each accessible host on the organization’s network is a potential target for attack. Adversaries will try to compromise these hosts via
methods that cannot be mitigated through network security controls alone. It is imperative to ensure that platform software running
on the organization’s hosts is secure, including (but not limited to) operating system software, database software, Web server
software, and application server software. Together these form a software stack on top of which the organization’s custom
applications run.
The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Ensure latest security patches are applied to Patch known weaknesses so that they cannot be
an all software running on your network hosts. exploited.
item.
Choose Ensure the latest antivirus / antimalware Detect known viruses and/or malware.
an software runs regularly.
item.
Choose Ensure that all unneeded services and Minimize the attack surface.
an interfaces (e.g., USB) are turned off on these
item. hosts.
Choose Ensure that the hosts run only services and Minimize the attack surface.
an applications that are absolutely necessary.
item.
Choose Ensure that system logs are checked regularly Detect intrusions / attack attempts (both
an and any abnormalities investigated. external and internal).
item.
Choose Run software to monitor for file system Detect system malware infections and
an changes. unauthorized changes.
item.

27 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Ensure that all access attempts and any Detect intrusions / attack attempts (both
an elevation of privilege situations are properly external and internal).
item. logged and reviewed.
Choose Ensure that passwords are of sufficient Prevent unauthorized access.
an complexity and changed periodically.
item.
Choose Ensure that all security settings on your hosts Prevent unauthorized access.
an are configured with security in mind.
item.
Choose Ensure that shared (nonindividual) Allow for accountability; prevent unauthorized
an passwords are not used to access hosts or access.
item. applications running on these hosts.
Choose Ensure that authentication is required prior to Prevent unauthorized access.
an gaining access to any services / applications
item. running on your network hosts and that it
cannot be bypassed.
Choose Make use of a centralized directory like LDAP Enforce the principle of least privilege; prevent
an to manage user credentials and access unauthorized access; make it easy to change
item. permissions. Ensure that users have only the passwords; make it easy to revoke access; make
minimum privileges needed to do their job it easy to enforce password complexity.
functions. If an elevation of privilege is
needed, grant it for the minimum amount of
time needed and then return the privileges to
normal.
Choose Ensure that all software updates are properly Malware protection.
an signed and come from a trusted source.
item.

28 of 63
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

 Activity / Security Control Rationale Associated Documentation


Choose Prevent the ability to change field device Maintain confidence in data coming from field
an settings without proper authentication. devices by ensuring that they have not been
item. Changes to field device settings should be tampered with.
reported and logged in a central location.
These logs should be reviewed frequently.
Choose If possible, verify the integrity of firmware Maintain confidence in data coming from field
an running on field equipment via remote devices by ensuring that they have not been
item. attestation techniques. Consult with the tampered with.
equipment vendor for assistance. If remote
attestation fails, the affected field device
should be considered compromised, and
should be isolated.

Platform Security Plan


The table below outlines the activities and controls that are currently missing from the platform security plan of the organization.
Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party
responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

29 of 63
<<Name of Co-op>> Cyber Security Plan: Addressing Technology Risks

Application Layer Risks


In the platform risks section the discussion focused mainly on operating systems and other software making up the software stack on
top of which the organization’s custom applications run. If the organization develops or purchases custom software, it is important
that the software is developed with security in mind from the get-go to help ensure that it does not contain any software security
weaknesses that may be exploited by adversaries to compromise the system. To accomplish this the organization needs to makes its
software development process security aware. The software development life cycle (SDLC) activities for doing so are documented in
the “Insecure SDLC Risks” section under “Process Risks” earlier in this document.
The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Implement security activities and Develop software that does not
an gates into your organization’s have security weaknesses.
item. SDLC (please refer to checklist
under “Insecure SDLC Risks”
section for additional details).
Request independent party Gain confidence that the third-
Choose
software security assessments of party software your organization
an
the applications being purchased purchases does not have security
item.
to gauge the software’s security weaknesses.
posture.

Application Security Plan


The table below outlines the activities and controls that are currently missing from the Application Security Plan of the organization.
Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party
responsible for its implementation and maintenance.

30 of 63
<<Name of Co-op>> Cyber Security Plan: Addressing Technology Risks

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

31 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Security Requirements and Controls For Each Smart Grid Activity Type
The remainder of this document contains each of the 10 activity types that are part of the National Rural Electric Cooperative
Association’s (NRECA’s) smart grid demonstrations and highlights the security / privacy requirements specific to each. Along with
requirements, the sections also contains specific security best practices and controls needed to meet these requirements. Although
many of these best practices and controls have already been noted earlier in this document, the goal here is to specifically highlight
security attributes for each smart grid activity type.
It is important to note that some of these security controls are outside the direct control of your organization, but instead are under
control of your organization’s hardware and software vendors. When that is the case, it is important to choose your vendors wisely
and leverage the RFP process to ask the vendors the right questions and gather the right evidence in order to convince your
organization that the procured products meet security requirements.

Advanced Metering Infrastructure (AMI)


The following checklist summarizes the various security best practices and controls that you should consider implementing. For more
details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk
Mitigation Plan.

 Activity / Security Control Rationale Associated Documentation


Choose Ask software and hardware (with Ensure that smart meters and their
an embedded software) vendors for data are not compromised.
item. evidence (e.g., third-party
assessment) that their software is
free of software weaknesses.
Choose Perform remote attestation of smart Ensure that smart meters and their
an meters to ensure that their data are not compromised.
item. firmware has not been modified.

32 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Make use of the communication Ensure that smart meters and their
an protocol security extensions (e.g., data are not compromised.
item. MultiSpeak® security extensions)
to ascertain the integrity (including
origin integrity) of smart meter
data.
Choose Establish and maintain secure Ensure that smart meters and their
an configuration management data are not compromised.
item. processes (e.g., when servicing field
devices or updating their firmware).
Choose Ensure that all software (developed Ensure that smart meters and their
an internally or procured from a third data are not compromised.
item. party) is developed using security-
aware SDLC.
Choose Apply a qualified third-party Ensure that smart meters and their
an security penetration testing to test data are not compromised.
item. all hardware and software
components prior to live
deployment.
Choose Decouple identifying end-user Preserve user privacy.
an information (e.g., household
item. address, GPS coordinates, etc.) from
the smart meter. Use a unique
identifier instead.
Choose Implement physical security Ensure that smart meters and their
an controls and detection mechanisms data are not compromised.
item. when tampering occurs.

33 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Ensure that a reliable source of Ensure that timely smart grid
an network time is maintained. decisions are taken based on fresh
item. field data.
Choose Disable the remote disconnect Prevent unauthorized disruption /
an feature that allows shut down of shutdown of segments of the
item. electricity remotely using a smart electrical grid.
meter.

Advanced Metering Infrastructure Plan


The table below outlines the activities and controls that are currently missing from the Advanced Metering Infrastructure Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

34 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Meter Data Management (MDM)


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.

 Activity / Security Control Rationale Associated Documentation


Choose Data arriving to be stored in the Only data from uncompromised
an MDM system does not come from a meters is stored in the MDM system.
item. compromised meter.

Choose Data arriving to be stored in the Prevent storing bad data in the MDM
an MDM system is syntactically and system and prevent potentially
item. semantically valid. harmful / malicious data from
compromising the system.

Choose The system parsing the data Prevent storing bad data in the MDM
an arriving in the MDM system should system and prevent potentially
item. make use of all the appropriate harmful / malicious data from
data validation and exception- compromising the system.
handling techniques.

Choose The MDM system has been Prevent storing bad data in the MDM
an designed and implemented using system and prevent potentially
item. security-aware SDLC. harmful / malicious data from
compromising the system.

Choose The MDM system has passed a Prevent storing bad data in the MDM
an security penetration test system and prevent potentially
item. conducted by a qualified third harmful / malicious data from
party. compromising the system.

35 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Cleanse data stored in the MDM Promote user privacy.
an system from all private
item. information.

Choose Gracefully handle denial-of-service Protect the MDM system from attacks
an attempts (from compromised originating from smart meters.
item. meters).

Meter Data Management Plan


The table below outlines the activities and controls that are currently missing from the Meter Data Management Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Communication Systems (COMM)


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.

36 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Ensure data integrity. Secure communications.
an
item.
Choose Ensure origin integrity. Secure communications.
an
item.
Choose Use proven communications Secure communications.
an protocols with built-in security
item. capabilities.

Choose Ensure confidentiality of data Secure communications.


an where appropriate.
item.
Choose Ensure proper network Promote compartmentalization, least
an segmentation. privilege, isolation, fault tolerance.
item.
Choose Have a third party perform Receive greater assurance that
an network security penetration communications are secure.
item. testing.

Choose Implement sufficient redundancy. Fault tolerance.


an
item.
Choose Protect from man-in-the-middle Secure communications.
an attacks.
item.
Choose Protect from replay attacks. Secure communications.

37 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


an
item.
Choose Use proven encryption techniques. Secure communications.
an
item.
Choose Use robust key management Secure communications.
an techniques.
item.

Communication Systems Plan


The table below outlines the activities and controls that are currently missing from the Communication Systems Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Supervisory Control and Data Acquisition (SCADA)

The following checklist summarizes the various security best practices and controls that an organization should consider implementing.
For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and
Risk Mitigation Plan.

38 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation

Choose Appoint a senior security manager Make security somebody’s


an with a clear mandate. responsibility.
item.
Choose Conduct personnel security- Help improve the people aspect of
an awareness training. security.
item.
Choose Apply basic network and system Make your SCADA environment more
an IT security practices (e.g., regular difficult to compromise.
item. security patches, run antivirus,
etc).
Choose Ensure that software running in Protect from the perils of insecure
an the SCADA environment (e.g., software.
item. either internal or external) has
been built with security in mind
and reviewed for security by a
qualified third party.
Choose Enforce the principle of least Least privilege of access
an privilege granting user access to
item. SCADA resources
Choose Ensure proper physical security Supplement IT security controls with
an controls. physical controls.
item.
Choose Perform monitoring and logging, Achieve intrusion detection, forensic
an and ensure that people can be held analysis, holding people accountable.
item. accountable for their actions.

39 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation

Choose Avoid taking critical control Put the human operator in control.
an decisions without human
item. confirmation.
Choose Avoid taking critical control Avoid taking erroneous actions at the
an decisions based on too few data SCADA level.
item. points.
Choose Avoid taking critical control Avoid taking erroneous actions at the
an decisions based on data points SCADA level.
item. from compromised field devices or
based on data that has been
tampered with.
Choose Ensure proper network Segregate critical control systems from
an segmentation in the SCADA the rest of your organization’s
item. environment. corporate environment to promote
compartmentalization.
Choose Ensure sufficient fault tolerance Plan for failure and continuation of
an and redundancy in the SCADA operations.
item. environment.
Choose Develop and test business Plan for failure and continuation of
an continuity and disaster recovery operations.
item. plans.
Choose Use individual (rather than Prevent unauthorized access and
an shared) user login accounts with promote accountability.
item. strong passwords.
Choose Ensure that all hardware Prevent unauthorized access.
an authentication settings have been
item. changed from their default values.

40 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Supervisory Control and Data Acquisition (SCADA) Plan


The table below outlines the activities and controls that are currently missing from the Supervisory Control and Data Acquisition
(SCADA) Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule
for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

In-Home Display (IHD) / Web Portal Pilots


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Ensure that the software running Ensure that attackers cannot
an on IHDs is free of weaknesses, remotely control the IHDs of users.
item. especially if it is remotely
exploitable.

Choose Ensure the integrity of data shown Protect the integrity of data sent to
an on users’ IHDs. the user.
item.

41 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose If the IHD can send data upstream Protect the integrity of data
an (an unusual configuration), ensure received from the user.
item. the integrity of such
communication.

Choose Ensure the anonymity and privacy Protect the privacy of users’
an of data (where appropriate) electrical usage data.
item. pertaining to electricity usage
patterns such that it cannot be tied
back to the consumer.

Choose Perform remote the attestation of Know when IHDs have been
an IHDs to alert the control center tampered with and should no
item. when unauthorized firmware longer be trusted.
updates occur.

In-Home Display (IHD)/Web Portal Pilots Plan


The table below outlines the activities and controls that are currently missing from the IHD and Web Portal Pilots Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

42 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Demand Response over Advanced Metering Infrastructure (AMI) Networks


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Same activities and security
an controls as those described in the
item. “AMI” section above.

Choose Authenticate and validate all Prevent unauthorized control of


an control signals coming from the electric devices in the consumer’s
item. control center to the smart meters. home.

Choose Provide consumers a feature to Consumers should have a choice and


an turn off remote control of in-house also default overwrite ability if their
item. electric devices via smart meters. smart meters become compromised.
Since this capability would likely
lead to some consumers turning off
DM when conditions are extreme,
such as in an extended heat wave,
measures must be implemented to
protect against this, such as
disabling the turn-off function
during such times.

Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan


The table below outlines the activities and controls that are currently missing from the Demand Response over Advanced Metering
Infrastructure (AMI) Networks Plan of the organization. Each activity row includes columns that describe the plan to implement the
activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

43 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Interactive Thermal Storage

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more
details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation
Plan.

 Activity / Security Control Rationale Associated Documentation


Choose Ensure that the software running Ensure that attackers cannot
an on the device controlling electric remotely control the electric water
item. water heaters is free of software heaters of users.
weaknesses, especially if they are
remotely exploitable.

Choose Request third-party security Ensure that attackers cannot


an assessment of all software used to remotely control the electric water
item. control electric water heaters. heaters of users.

Choose Conduct a security penetration test. Ensure that attackers cannot


an remotely control the electric water
item. heaters of users.

Choose Build in a mechanism to Ensure that attackers cannot


an authenticate and validate control remotely control the electric water
item. signals for electric water heaters. heaters of users.

44 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Build safeguards into the operation Ensure human safety.
an of electric water heaters (e.g., to
item. prevent them from rising above a
certain temperature, etc.).

Choose Provide a manual override Ensure human safety.


an mechanism whereby users can
item. prevent their electric water heaters
from being controlled remotely.

Interactive Thermal Storage Plan


The table below outlines the activities and controls that are currently missing from the Interactive Thermal Storage Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Smart Feeder Switching


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.

45 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Ensure that the software controlling smart feeder Prevent unauthorized electrical power grid
an switching is free of security weaknesses. reconfiguration.
item.
Choose Implement physical security controls and Prevent unauthorized electrical power grid
an detection mechanisms when tampering occurs. reconfiguration.
item.
Choose Perform sufficient authentication and validation Prevent unauthorized electrical power grid
an of all control data used to reconfigure the reconfiguration.
item. electrical distribution network.

Choose Ensure that a human(s) has to review and Prevent unauthorized electrical power grid
an authorize any electrical distribution network reconfiguration.
item. reconfiguration.

Choose Build safeguards into the hardware. Ensure safe behavior when failures occur.
an
item.

Smart Feeder Switching Plan


The table below outlines the activities and controls that are currently missing from Smart Feeder Switching Plan of the organization.
Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party
responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

46 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Advanced Volt/VAR Control


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Ensure that the software Prevent unauthorized control of
an controlling distribution feeders is distribution feeders.
item. free of security weaknesses.

Choose Implement physical security Prevent unauthorized control of


an controls and detection distribution feeders.
item. mechanisms when tampering
occurs.

Choose Perform sufficient authentication


Prevent unauthorized control of
an and validation of all control data
distribution feeders.
item. bound for distribution feeders.

Choose Design automatic control systems Prevent unauthorized control of


an to operate with a human “in the distribution feeders.
item. loop” when time permits.

Choose Be sure that safeguards are built Ensure safe behavior in case
an into the hardware. failures occur.
item.

Advanced Volt/VAR Control Plan


The table below outlines the activities and controls that are currently missing from the Advanced Volt/VAR Control Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

47 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

Conservation Voltage Reduction (CVR)


The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
 Activity / Security Control Rationale Associated Documentation
Choose Ensure that the software Prevent unauthorized voltage
an controlling voltage regulators and reduction behavior.
item. monitors is free of security
weaknesses.

Choose Implement physical security Prevent unauthorized voltage


an controls and detection mechanisms reduction behavior.
item. in case tampering occurs.

Choose Perform sufficient authentication Prevent unauthorized voltage


an and validation of all control data reduction behavior.
item. bound for voltage regulators and
coming from voltage monitors.

Choose Ensure that a human(s) has to Prevent unauthorized voltage


an review and authorize any changes reduction behavior.
item. to voltage.

48 of 63
<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

 Activity / Security Control Rationale Associated Documentation


Choose Be sure that safeguards are built Ensure safe behavior when failures
an into the hardware. occur.
item.

Conservation Voltage Reduction (CVR) Plan


The table below outlines the activities and controls that are currently missing from the Conservation Voltage Reduction Plan of the
organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation,
and the party responsible for its implementation and maintenance.

Activity / Security Existing Guideline Deviation Accept or Responsible Party Estimated Mitigation Strategy
Control Mitigate Completion
Risk Date
Choose an
item.

49 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix A: Reference Documentation

Appendix A: Reference Documentation

Security Standards

International Organization for Standardization/International Electrotechnical Commission 27001, Information Security Management System
Requirements, October 2005. Specification for an information security management system. Must be purchased.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306.

International Organization for Standardization/International Electrotechnical Commission 27002, Code of Practice for Information Security
Management, 2005. Best practices for developing and deploying an information security management system. Must be purchased.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306.

National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of
Federal Information and Information Systems, February 2004. Categorizing impact levels of information assets, deriving system-level security
categorization. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for
Federal Information and Information Systems, March 2006. Guidelines for using the security profiles and controls cataloged in NIST SP800-53;
families of security controls, minimum requirements for high-, moderate-, and low-impact systems.
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.

National Institute of Standards and Technology Special Publications

National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October
1995. Elements of security, roles and responsibilities, common threats, security policy, program management.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.

National Institute of Standards and Technology Special Publication 800-16, Information Technology Security Training Requirements: A Role- and
Performance-Based Model, April 1998. Learning-continuum model, security literacy and basics, role-based training.
http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.

50 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix A: Reference Documentation

National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.
Risk management, assessment, mitigation. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and
Organizations, August 2009. Security control fundamentals, baselines by system-impact level, common controls, tailoring guidelines, catalog of
controls in 18 families. http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.

National Institute of Standards and Technology Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories, August 2008. Security objectives and types of potential losses, assignment of impact levels and system security
category. http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf.

National Institute of Standards and Technology Special Publication 800-82 (Final Public Draft), Guide to Industrial Control Systems (ICS) Security,
September 2008. Overview of industrial control systems (ICS), threats and vulnerabilities, risk factors, incident scenarios, security program
development. http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.

51 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix A: Reference Documentation

National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006.
Governance, awareness and training, capital planning, interconnecting systems, performance measures, security planning, contingency planning.
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.

National Institute of Standards and Technology Special Publication 800-122 (Draft), Guide to Protecting the Confidentiality of Personally Identifiable
Information (PII), January 2009. Identifying, PII, impact levels, confidentiality safeguards, incident response.
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf.

National Institute of Standards and Technology Special Publication 800-39(Final Public Draft), Integrated Enterprise-Wide Risk Management:
Organization, Mission, and Information System View, December 2010. http://csrc.nist.gov/publications/drafts/800-39/draft-SP800-39-FPD.pdf.

Other Guidance Documents

Gary McGraw, Software Security: Building Security In, 2006.

National Institute of Standards and Technology IR 7628, Guidelines for Smart Grid Cyber Security, August 2010. Four PDFs available at
http://csrc.nist.gov/publications/PubsNISTIRs.html:
 Introduction to NISTIR 7628, http://csrc.nist.gov/publications/nistir/ir7628/introduction-to-nistir-7628.pdf.
 Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, http://csrc.nist.gov/publications/nistir/ir7628/nistir-
7628_vol1.pdf.
 Vol. 2, Privacy and the Smart Grid, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf.
 Vol. 3, Supportive Analyses and References, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf.

52 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix A: Reference Documentation

North American Electric Reliability Corporation Critical Infrastructure Protection Standards CIP-002 through CIP-009, 2009–10. Available at
http://www.nerc.com/page.php?cid=2|20:
 CIP-002-3, Critical Cyber Asset Identification
 CIP-003-3, Security Management Controls
 CIP-004-3, Personnel and Training
 CIP-005-3, Electronic Security Perimeter(s)
 CIP-006-3, Physical Security of Critical Cyber Assets
 CIP-007-3, Systems Security Management
 CIP-008-3, Incident Reporting and Response Handling
 CIP-009-3, Recovery Plans for Critical Cyber Assets
The CIP standards are also included in the collected Reliability Standards for the Bulk Electric Systems of North America, June 2010,
http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf.

North American Electric Reliability Corporation Glossary of Terms Used in Reliability Standards, February 2008,
http://www.nerc.com/files/Glossary_12Feb08.pdf.

53 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary

Appendix B: Glossary

Adequate A set of minimum security requirements that the system is expected to meet.
security
Authentication Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to
resources.
Authorization Refers to verifying a user’s permissions (after the user had been authenticated) for accessing
certain resources or functionality.
Availability Ensuring timely and reliable access to and use of resources.
Boundary Monitoring and control of communications at the external boundary of an information system
protection to prevent and detect malicious and other unauthorized communications, through the use of
boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted
tunnels).
Confidentiality Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information.
Contingency The unexpected failure or outage of a system component, such as a generator, transmission
line, circuit breaker, switch, or other electrical element.
Critical assets Facilities, systems, and equipment that if destroyed, degraded, or otherwise rendered
unavailable would affect the reliability or operability of the bulk electric system.
Cyber asset Programmable electronic devices and communication networks, including hardware,
software, and data.
Cyber security Any malicious act or suspicious event that:
incident  Compromises, or was an attempt to compromise, the electronic security perimeter or
physical security perimeter of a critical cyber asset.
 Disrupts, or was an attempt to disrupt, the operation of a critical cyber asset.
Electronic The logical border surrounding a network to which critical cyber assets are connected and for
security which access is controlled.
perimeter

54 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary

Identity-based Access control based on the identity of the user (typically relayed as a characteristic of the
access control process acting on behalf of that user) where access authorizations to specific objects are
assigned based on user identity.
Impact Damage to an organization’s mission and goals (e.g., the loss of confidentiality, integrity, or
availability of system information or operations).
Impact level The assessed degree (high, medium, or low) of potential damage to the organization’s mission
and goals.
Incident An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or
availability of a system or the information the system processes, stores, or transmits, or that
constitutes a violation or imminent threat of violation of security policies, security procedures,
or acceptable use policies.
Information The protection of information and information systems from unauthorized access, use,
security disclosure, disruption, modification, or destruction in order to provide confidentiality,
integrity, and availability.
Information Aggregate of directives, regulations, rules, and practices that prescribes how an organization
security policy manages, protects, and distributes information.
Information A discrete set of information resources organized for the collection, processing, maintenance,
system use, sharing, dissemination, or disposition of information. (Note: Information systems also
include specialized systems such as industrial/process controls systems, telephone switching
and private branch exchange (PBX) systems, and environmental control systems.)
Integrity Guarding against improper information modification or destruction; includes ensuring
information nonrepudiation and authenticity.
Management The security controls (i.e., safeguards or countermeasures) of an information system that focus
controls on the management of risk and the management of information system security.
Network access Access to an information system by a user (or a process acting on behalf of a user)
communicating through a network (e.g., local area network, wide area network, Internet).

55 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary

Nonrepudiation Protection against an individual falsely denying having performed a particular action. Provides
the capability to determine whether a given individual took a particular action, such as
creating information, sending a message, approving information, and receiving a message.
Operational The security controls (i.e., safeguards or countermeasures) of an information system that are
controls primarily implemented and executed by people (as opposed to systems).
Physical security The physical, completely enclosed (“six-wall”) border surrounding computer rooms,
perimeter telecommunications rooms, operations centers, and other locations in which critical cyber
assets are housed and for which access is controlled.
Programmable A digital computer used for the automation of industrial processes, such as machinery control
logic controller in factories.
(PLC)
Potential impact The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited
adverse effect (FIPS 199, low); (ii) a serious adverse effect (FIPS 199, moderate); or (iii) a
severe or catastrophic adverse effect (FIPS 199, high) on organizational operations,
organizational assets, or individuals.
Privileged user A user that is authorized (and therefore, trusted) to perform security-relevant functions that
ordinary users are not authorized to perform.

56 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary

Remote Remote attestation allows for one party to verify that another party with which it is
attestation communicating is not running compromised software, firmware, or hardware. The approach
holds the potential to identify unauthorized firmware updates and malware infections of the
smart grid field devices (e.g., smart meters). Remote attestation includes taking a
measurement of the underlying software stack running on the device, signing that
measurement with the private key that is stored in the device’s TPM (trusted platform
module), and sending it to the party requiring attestation information (e.g., SCADA). The
design is such that the private key residing in the TPM can only be unsealed if the device’s
software and hardware had not been modified in an unauthorized fashion. The receiving party
can then ascertain that the software stack measurement of the remote device corresponds to
the expected configuration by using the public key to verify the signature.

Additional information on the TPM and remote attestation can be found here:
http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary.

Risk A measure of the extent to which an entity is threatened by a potential circumstance or event,
and typically a function of: (i) the adverse impacts that would arise if the circumstance or
event occurs; and (ii) the likelihood of occurrence. Information-system-related security risks
are those risks that arise from the loss of confidentiality, integrity, or availability of information
or information systems and reflect the potential adverse impacts to organizational operations
(including mission, functions, image, or reputation), organizational assets, individuals, other
organizations, and the nation.
Risk assessment The process of identifying risks to organizational operations (including mission, functions,
image, reputation), organizational assets, individuals, other organizations, and the nation,
resulting from the operation of an information system. Part of risk management incorporates
threat and vulnerability analyses, and considers mitigations provided by security controls
planned or in place. Synonymous with risk analysis.
Risk category People and policy risks, process risks, and technical risks.
Risk level A combination of the likelihood of a damaging event actually occurring and the assessed
(severity) potential impact on the organization’s mission and goals if it does occur.
57 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary

Risk management The process of managing risks to organizational operations (including mission, functions,
image, reputation), organizational assets, individuals, other organizations, and the nation,
resulting from the operation of an information system. Includes: (i) the conduct of a risk
assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of
techniques and procedures for the continuous monitoring of the security state of the
information system.
Role-based access Access control based on user roles (i.e., a collection of access authorizations a user receives
control based on an explicit or implicit assumption of a given role). Role permissions may be inherited
through a role hierarchy and typically reflect the permissions needed to perform defined
functions within an organization. A given role may apply to a single individual or to several
individuals.
Security category The characterization of information or an information system based on an assessment of the
potential impact that a loss of confidentiality, integrity, or availability of that information or
information system would have on organizational operations, organizational assets,
individuals, other organizations, and the nation.
Security control The management, operational, and technical controls (i.e., safeguards or countermeasures)
prescribed for an information system to protect the confidentiality, integrity, and availability of
the system and its information.
Security policy A set of high-level criteria for people, process, and technological guidance that relates to
security of the organization, its systems, and its data.
Security Requirements levied on an information system that are derived from applicable laws,
requirements executive orders, directives, policies, standards, instructions, regulations, procedures, or
organizational mission / business case needs to ensure the confidentiality, integrity, and
availability of the information being processed, stored, or transmitted.
Sensitive Information whose loss, misuse, or unauthorized access to or modification of, that could
information adversely affect the organization, its employees, or its customers.
System security A formal document that provides an overview of the security requirements for an information
plan system and describes the security controls in place or planned for meeting those
requirements.

58 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary

Technical The security controls (i.e., safeguards or countermeasures) for an information system that are
controls primarily implemented and executed by the information system through mechanisms
contained in the hardware, software, or firmware components of the system.
Threat Any circumstance or event with the potential to adversely impact organizational operations
(including mission, functions, image, or reputation), organizational assets, individuals, other
organizations, or the nation through an information system via unauthorized access,
destruction, disclosure, modification of information, and/or denial of service. An alternate
definition of threat is an actor / adversary who may carry out an attack against the
organization.
Vulnerability A specific weakness in an information system, system security procedures, internal controls,
or implementation that could be exploited or triggered by a threat source.
Vulnerability Formal description and evaluation of the vulnerabilities in an information system.
assessment

59 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix C: Acronyms

Appendix C: Acronyms
CIP Critical Infrastructure Protection
DOD Department of Defense
DOE Department of Energy
DHS Department of Homeland Security
EISA Energy Independence and Security Act
FERC Federal Energy Regulatory Commission
ISO International Standards Organization
NERC North American Electric Reliability Corporation
NIST National Institute of Standards
RMF Risk Management Framework

60 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix D: Minimum Security Requirements

Appendix D: Minimum Security Requirements


The following summaries of minimum security requirements are from NIST FIPS 200, Minimum Security Requirements for Federal
Information and Information Systems.
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of
authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized
users are permitted to exercise.
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are
made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies,
standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that
organizational personnel are adequately trained to carry out their assigned information-security-related duties and responsibilities.
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent
needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information
system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they
can be held accountable for their actions.
Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in
organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of
action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize
the operation of organizational information systems and any associated information system connections; and (iv) monitor
information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of
organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system
development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed
in organizational information systems.
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response,
backup operations, and postdisaster recovery for organizational information systems to ensure the availability of critical information
resources and continuity of operations in emergency situations.
61 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix D: Minimum Security Requirements

Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users,
or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to
organizational information systems.
Incident Response (IR): Organizations must: (i) establish an operational-incident-handling capability for organizational information
systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track,
document, and report incidents to appropriate organizational officials and/or authorities.
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and
(ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to
information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal
or release for reuse. Organizations must: (i) limit physical access to information systems, equipment, and the respective operating
environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii)
provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v)
provide appropriate environmental controls in facilities containing information systems.
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational
information systems that describe the security controls in place or planned for the information systems and the rules of behavior for
individuals accessing the information systems.
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations
(including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that
organizational information and information systems are protected during and after personnel actions such as terminations and
transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions,
image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and
the associated processing, storage, or transmission of organizational information.

62 of 63
<<Name of Co-op>> Cyber Security Plan: Appendix D: Minimum Security Requirements

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational
information systems; (ii) employ system development lifecycle processes that incorporate information security considerations; (iii)
employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to
protect information, applications, and/or services outsourced from the organization.
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational
communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key
internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems
engineering principles that promote effective information security within organizational information systems.
System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system
flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information
systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

63 of 63

You might also like