Cyber Security Plan Template
<<date>>
Prepared by:
<<Name of Co-op>> Cyber Security Plan
Table of Contents
Preface
Purpose
Scope
Target Audience
Contacts
Using the Template
Executive Summary
Building a Risk Management Program
Risk Management Program Plan
Addressing People and Policy Risks
Cyber Security Policy
Cyber Security Policy Plan
Personnel and Training
Personnel and Training Plan
Addressing Process Risks
Operational Risks
Operational Risk Plan
Insecure Software Development Life Cycle (SDLC) Risks
Secure SDLC Plan
Physical Security Risks
Physical Security Plan
Third-Party Relationship Risks
Third-Party Relationship Plan
Addressing Technology Risks
Network Risks
Network Security Plan
Platform Risks
Platform Security Plan
Application Layer Risks
Application Security Plan
Security Requirements and Controls For Each Smart Grid Activity Type
Advanced Metering Infrastructure (AMI)
Advanced Metering Infrastructure Plan
Meter Data Management (MDM)
Meter Data Management Plan
Communication Systems (COMM)
Communication Systems Plan
Supervisory Control and Data Acquisition (SCADA)
Supervisory Control and Data Acquisition (SCADA) Plan
In-Home Display (IHD) / Web Portal Pilots
In-Home Display (IHD)/Web Portal Pilots Plan
Demand Response over Advanced Metering Infrastructure (AMI) Networks
Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan
Interactive Thermal Storage
Interactive Thermal Storage Plan
Smart Feeder Switching
Smart Feeder Switching Plan
Advanced Volt/VAR Control
Advanced Volt/VAR Control Plan
Conservation Voltage Reduction (CVR)
Conservation Voltage Reduction (CVR) Plan
Appendix A: Reference Documentation
Security Standards
National Institute of Standards and Technology Special Publications
Other Guidance Documents
Appendix B: Glossary
Appendix C: Acronyms
Appendix D: Minimum Security Requirements
Preface
Purpose
This plan baselines existing cyber security–related activities and controls at our organization
against the Guide to Developing a Cyber Security and Risk Mitigation Plan. For areas covered
by existing processes and/or technologies, the plan briefly documents how and where this is
accomplished. For identified gaps, the plan documents current deviation from the
recommended security controls and specifies whether to accept or mitigate the risk, the
actions needed to close the gaps, the responsible party, and the implementation timeline.
Scope
This plan goes through the cyber security controls that our organization already has in place
or plans to implement in order to mitigate the risks introduced by smart grid technologies.
Target Audience
Security team, IT organization, leadership team.
Contacts
The following are the primary individuals who assisted in preparation of the cyber security
plan:
Contact Title Contact E-mail Address
<<list individuals>>
Using the Template
Each section of the template is divided into two subsections. The first contains a table for identifying best
practices and their current use in the cooperative:
Using the dropdown box, select the option that best describes the cooperative’s status regarding the best
practice.
- If the cooperative is fully compliant with the best practice, select “Yes.”
- If the cooperative is partially compliant with the best practice, select “Partial.”
- If the cooperative is not compliant with the best practice, select “No.”
To list documents where the cooperative’s implementation of the best practice is described, use the
“Associated Documentation” column.
The second subsection contains a table for listing deviations from the recommended best practices
(those marked as “Partial” or “No” in the first table), decisions to accept or mitigate the risk posed by not
implementing the best practices, the person or group responsible for the risk’s acceptance or mitigation,
the estimated completion date (if applicable), and a strategy for mitigating the risk (if applicable).
Again, use this table to list all security activities or controls that are currently either partially in
place or not in place. For each identified activity or control, describe the way in which the
cooperative does not meet the best practice as captured in the Guide to Developing a Cyber Security
and Risk Mitigation Plan. Use the dropdown box to either “Accept” or “Mitigate” the risk posed by
not implementing the best practice. Assign a person or group responsible for mitigating or
accepting the risk posed by not implementing the best practice. Provide an estimated completion
date of mitigation in the “Estimated Completion Date” column, or use “n/a” for risk acceptance.
Describe the strategy that will be used to implement the activity or control, or use “n/a” for risk
acceptance.
Executive Summary
This document provides checklists of security activities and controls designed to help an electric cooperative improve the security posture of
its smart grid. The checklists are drawn from the Guide to Developing a Cyber Security and Risk Mitigation Plan and provide a mechanism to
baseline existing security activities and controls against recommended best practices, identify gaps, capture the decision for risk acceptance
or mitigation, and document an appropriate plan of action.
Each section contains tables; filling these will help the electric cooperative to:
- Identify missing activities and security controls.
- Consolidate planned activities and controls per topic.
- Prioritize activity and control implementation.
- Track activity and control implementation.
It is important to note that implementing security activities and controls should be done with care and sufficient planning. The environment
will require testing to ensure that changes to controls do not break important functionality or introduce new risks.
This document provides cyber security planning support in each of the following categories:
- People and policy security
- Operational security
- Insecure software development life cycle (SDLC)
- Physical security
- Third-party relationship
- Network security
- Platform security
- Application security
<<Name of Co-op>> Cyber Security Plan Building a Risk Management Program
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Mitigate | | | |
<<Name of Co-op>> Cyber Security Plan Addressing People and Policy Risks
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
<<Name of Co-op>> Cyber Security Plan Addressing Process Risks
Operational Risks
The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For
more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk
Mitigation Plan.
| | Activity / Security Control | Rationale | Associated Documentation |
| Choose an item. | Perform periodic risk assessment and mitigation, including threat analysis and vulnerability assessments. | Maintain a fresh picture of the effectiveness of the organization’s security control versus threats facing the organization. | |
| Choose an item. | Control, monitor, and log all access to protected assets. | Prevent unauthorized access to assets, detect unauthorized access to assets, and enforce accountability. | |
| Choose an item. | Redeploy or dispose of protected assets securely. | Ensure that the redeployment or disposal of cyber assets does not inadvertently expose sensitive information to unauthorized entities. | |
| Choose an item. | Define and enforce secure change control and configuration management processes. | Ensure that system changes do not “break” security controls established to protect cyber assets. | |
| Choose an item. | Create and document incident-handling policies, plans, and procedures. | Ensure that the organization is prepared to act quickly and correctly to avert or contain damage after a cyber security incident. | |
| Choose an item. | Create and document contingency plans and procedures. | Ensure that the organization is prepared to act quickly and correctly to recover critical assets and continue operations after a major disruption. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks
Network Risks
Networks are the communication pipes that connect everything together, enabling the flow of information. Networks are at the heart
of the smart grid because without the information flow that they enable, smart behavior is not possible. For instance, a system load
cannot be adjusted if information from smart meters does not find its way to the SCADA system. Therefore, the energy savings that
result from adjusting a load cannot be realized, unless an action is taken based on reliable information that made its way from the
smart meters to the SCADA via a communications network. On the other hand, if an adversary is able to tamper with meter data in a
way that cannot be detected and to thus feed incorrect data to the SCADA, an incorrect action may be taken by the grid, resulting in
undesired consequences.
The following checklist summarizes the various security best practices and controls that you should consider implementing. For more
details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk
Mitigation Plan.
| Choose an item. | The flow of electronic communications should be controlled. Client systems should communicate with internal servers; these internal servers should not communicate directly with external systems, but should use an intermediate system in your organization’s DMZ. The flow of traffic should be enforced through boundary protection mechanisms. | Confine sensitive electronic communication to established trust zones. | |
| Choose an item. | Separate development, test, and production environments. | Avoid production data leaks into test environments. Have controls in place around access to and changes in the production environment. | |
| Choose an item. | Ensure that proper certificate and key management practices are in place. Remember that cryptography does not help if the encryption key is easy to compromise. Ensure that keys are changed periodically and that they can be changed right away in the event of compromise. | Ensure that cryptographic protection is not undermined through improper certificate or key management. | |
| Choose an item. | Ensure availability of data traversing your networks. If a proper acknowledgement (ACK) is not received from the destination node, ensure that provisions are in place to resend the packet. If that still does not work, reroute the packet via a different network link. Implement proper physical security controls to make your network links harder to compromise. | Detect failures and promote fault tolerance. | |
| Choose an item. | Ensure that only standard, approved, and properly reviewed communication protocols are used on your network. | Use proven protocols that have been examined for security weaknesses. | |
| Choose an item. | Use intrusion detection systems (IDSs) to detect any anomalous behavior on your network. If anomalous behavior is encountered, have a way to isolate the potentially compromised nodes on your network from the rest of the network. | Detect intrusions. | |
| Choose an item. | Ensure that a sufficient number of data points exists from devices on your network before the smart grid takes any actions based on that data. Never take actions based on the data coming from network nodes that may have been compromised. | Avoid taking actions based on incorrect data. | |
| Choose an item. | Ensure that sufficient redundancy exists in your network links so that rerouting traffic is possible if some links are compromised. | Ensure continuity of operations. | |
| Choose an item. | Limit remote access to your networks to an absolute minimum. When required, use technologies like Virtual Private Networks (VPNs, IPSec) to create a secure tunnel after properly authenticating the connecting party using their individual credentials. In addition to a user name and password, also use an RSA ID-like device to provide an additional level of authentication. | Prevent unauthorized access. | |
| Choose an item. | Implement remote attestation techniques for your field devices (e.g., smart meters) to ensure that their firmware has not been compromised. | Prevent unauthorized modification of firmware on field equipment. | |
| Choose an item. | Ensure that the source of network time is accurate and that accurate time is reflected on all network nodes for all actions taken and events logged. | Maintain accurate network time. | |
| Choose an item. | Document the network access level that is needed for each individual or role at your organization and grant only the required level of access to these individuals or roles. All exceptions should be noted. | Maintain control over access to network resources and keep it to a necessary minimum. | |
| Choose an item. | All equipment connected to your network should be uniquely identified and approved for use on your organization’s network. | Control hardware that gets connected to your organization’s network. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
Platform Risks
Each accessible host on the organization’s network is a potential target for attack. Adversaries will try to compromise these hosts via
methods that cannot be mitigated through network security controls alone. It is imperative to ensure that platform software running
on the organization’s hosts is secure, including (but not limited to) operating system software, database software, Web server
software, and application server software. Together these form a software stack on top of which the organization’s custom
applications run.
The following checklist summarizes the various security best practices and controls that an organization should consider
implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a
Cyber Security and Risk Mitigation Plan.
| | Activity / Security Control | Rationale | Associated Documentation |
| Choose an item. | Ensure latest security patches are applied to all software running on your network hosts. | Patch known weaknesses so that they cannot be exploited. | |
| Choose an item. | Ensure the latest antivirus / antimalware software runs regularly. | Detect known viruses and/or malware. | |
| Choose an item. | Ensure that all unneeded services and interfaces (e.g., USB) are turned off on these hosts. | Minimize the attack surface. | |
| Choose an item. | Ensure that the hosts run only services and applications that are absolutely necessary. | Minimize the attack surface. | |
| Choose an item. | Ensure that system logs are checked regularly and any abnormalities investigated. | Detect intrusions / attack attempts (both external and internal). | |
| Choose an item. | Run software to monitor for file system changes. | Detect system malware infections and unauthorized changes. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
Security Requirements and Controls For Each Smart Grid Activity Type
The remainder of this document contains each of the 10 activity types that are part of the National Rural Electric Cooperative
Association’s (NRECA’s) smart grid demonstrations and highlights the security / privacy requirements specific to each. Along with
requirements, the sections also contain specific security best practices and controls needed to meet these requirements. Although
many of these best practices and controls have already been noted earlier in this document, the goal here is to specifically highlight
security attributes for each smart grid activity type.
It is important to note that some of these security controls are outside the direct control of your organization, but instead are under
control of your organization’s hardware and software vendors. When that is the case, it is important to choose your vendors wisely
and leverage the RFP process to ask the vendors the right questions and gather the right evidence in order to convince your
organization that the procured products meet security requirements.
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Choose an item. | Data arriving to be stored in the MDM system is syntactically and semantically valid. | Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system. | |
| Choose an item. | The system parsing the data arriving in the MDM system should make use of all the appropriate data validation and exception-handling techniques. | Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system. | |
| Choose an item. | The MDM system has been designed and implemented using security-aware SDLC. | Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system. | |
| Choose an item. | The MDM system has passed a security penetration test conducted by a qualified third party. | Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system. | |
| Choose an item. | Gracefully handle denial-of-service attempts (from compromised meters). | Protect the MDM system from attacks originating from smart meters. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
The following checklist summarizes the various security best practices and controls that an organization should consider implementing.
For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and
Risk Mitigation Plan.
| Choose an item. | Avoid taking critical control decisions without human confirmation. | Put the human operator in control. | |
| Choose an item. | Avoid taking critical control decisions based on too few data points. | Avoid taking erroneous actions at the SCADA level. | |
| Choose an item. | Avoid taking critical control decisions based on data points from compromised field devices or based on data that has been tampered with. | Avoid taking erroneous actions at the SCADA level. | |
| Choose an item. | Ensure proper network segmentation in the SCADA environment. | Segregate critical control systems from the rest of your organization’s corporate environment to promote compartmentalization. | |
| Choose an item. | Ensure sufficient fault tolerance and redundancy in the SCADA environment. | Plan for failure and continuation of operations. | |
| Choose an item. | Develop and test business continuity and disaster recovery plans. | Plan for failure and continuation of operations. | |
| Choose an item. | Use individual (rather than shared) user login accounts with strong passwords. | Prevent unauthorized access and promote accountability. | |
| Choose an item. | Ensure that all hardware authentication settings have been changed from their default values. | Prevent unauthorized access. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Choose an item. | Ensure the integrity of data shown on users’ IHDs. | Protect the integrity of data sent to the user. | |
| Choose an item. | Ensure the anonymity and privacy of data (where appropriate) pertaining to electricity usage patterns such that it cannot be tied back to the consumer. | Protect the privacy of users’ electrical usage data. | |
| Choose an item. | Perform remote attestation of IHDs to alert the control center when unauthorized firmware updates occur. | Know when IHDs have been tampered with and should no longer be trusted. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more
details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation
Plan.
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Choose an item. | Ensure that a human(s) has to review and authorize any electrical distribution network reconfiguration. | Prevent unauthorized electrical power grid reconfiguration. | |
| Choose an item. | Build safeguards into the hardware. | Ensure safe behavior when failures occur. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Choose an item. | Be sure that safeguards are built into the hardware. | Ensure safe behavior in case failures occur. | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| | | Choose an item. | | | |
<<Name of Co-op>> Cyber Security Plan: Appendix A: Reference Documentation
Security Standards
International Organization for Standardization/International Electrotechnical Commission 27001, Information Security Management System
Requirements, October 2005. Specification for an information security management system. Must be purchased.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306.
International Organization for Standardization/International Electrotechnical Commission 27002, Code of Practice for Information Security
Management, 2005. Best practices for developing and deploying an information security management system. Must be purchased.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306.
National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of
Federal Information and Information Systems, February 2004. Categorizing impact levels of information assets, deriving system-level security
categorization. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.
National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for
Federal Information and Information Systems, March 2006. Guidelines for using the security profiles and controls cataloged in NIST SP800-53;
families of security controls, minimum requirements for high-, moderate-, and low-impact systems.
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.
National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October
1995. Elements of security, roles and responsibilities, common threats, security policy, program management.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
National Institute of Standards and Technology Special Publication 800-16, Information Technology Security Training Requirements: A Role- and
Performance-Based Model, April 1998. Learning-continuum model, security literacy and basics, role-based training.
http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.
National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.
Risk management, assessment, mitigation. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.
National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and
Organizations, August 2009. Security control fundamentals, baselines by system-impact level, common controls, tailoring guidelines, catalog of
controls in 18 families. http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.
National Institute of Standards and Technology Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories, August 2008. Security objectives and types of potential losses, assignment of impact levels and system security
category. http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf.
National Institute of Standards and Technology Special Publication 800-82 (Final Public Draft), Guide to Industrial Control Systems (ICS) Security,
September 2008. Overview of industrial control systems (ICS), threats and vulnerabilities, risk factors, incident scenarios, security program
development. http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.
National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006.
Governance, awareness and training, capital planning, interconnecting systems, performance measures, security planning, contingency planning.
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.
National Institute of Standards and Technology Special Publication 800-122 (Draft), Guide to Protecting the Confidentiality of Personally Identifiable
Information (PII), January 2009. Identifying PII, impact levels, confidentiality safeguards, incident response.
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf.
National Institute of Standards and Technology Special Publication 800-39 (Final Public Draft), Integrated Enterprise-Wide Risk Management:
Organization, Mission, and Information System View, December 2010. http://csrc.nist.gov/publications/drafts/800-39/draft-SP800-39-FPD.pdf.
National Institute of Standards and Technology IR 7628, Guidelines for Smart Grid Cyber Security, August 2010. Four PDFs available at
http://csrc.nist.gov/publications/PubsNISTIRs.html:
Introduction to NISTIR 7628, http://csrc.nist.gov/publications/nistir/ir7628/introduction-to-nistir-7628.pdf.
Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements,
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf.
Vol. 2, Privacy and the Smart Grid, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf.
Vol. 3, Supportive Analyses and References, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf.
North American Electric Reliability Corporation Critical Infrastructure Protection Standards CIP-002 through CIP-009, 2009–10. Available at
http://www.nerc.com/page.php?cid=2|20:
CIP-002-3, Critical Cyber Asset Identification
CIP-003-3, Security Management Controls
CIP-004-3, Personnel and Training
CIP-005-3, Electronic Security Perimeter(s)
CIP-006-3, Physical Security of Critical Cyber Assets
CIP-007-3, Systems Security Management
CIP-008-3, Incident Reporting and Response Handling
CIP-009-3, Recovery Plans for Critical Cyber Assets
The CIP standards are also included in the collected Reliability Standards for the Bulk Electric Systems of North America, June 2010,
http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf.
North American Electric Reliability Corporation Glossary of Terms Used in Reliability Standards, February 2008,
http://www.nerc.com/files/Glossary_12Feb08.pdf.
<<Name of Co-op>> Cyber Security Plan: Appendix B: Glossary
Appendix B: Glossary
Adequate security: A set of minimum security requirements that the system is expected to meet.
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources.
Authorization: Refers to verifying a user’s permissions (after the user has been authenticated) for accessing certain resources or functionality.
Availability: Ensuring timely and reliable access to and use of resources.
Boundary protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Contingency: The unexpected failure or outage of a system component, such as a generator, transmission line, circuit breaker, switch, or other electrical element.
Critical assets: Facilities, systems, and equipment that if destroyed, degraded, or otherwise rendered unavailable would affect the reliability or operability of the bulk electric system.
Cyber asset: Programmable electronic devices and communication networks, including hardware, software, and data.
Cyber security incident: Any malicious act or suspicious event that:
    Compromises, or was an attempt to compromise, the electronic security perimeter or physical security perimeter of a critical cyber asset.
    Disrupts, or was an attempt to disrupt, the operation of a critical cyber asset.
Electronic security perimeter: The logical border surrounding a network to which critical cyber assets are connected and for which access is controlled.
Identity-based access control: Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Impact: Damage to an organization’s mission and goals (e.g., the loss of confidentiality, integrity, or availability of system information or operations).
Impact level: The assessed degree (high, medium, or low) of potential damage to the organization’s mission and goals.
Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Information security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information security policy: Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
Information system: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.)
Integrity: Guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity.
Management controls: The security controls (i.e., safeguards or countermeasures) of an information system that focus on the management of risk and the management of information system security.
Network access: Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
Nonrepudiation: Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action, such as creating information, sending a message, approving information, and receiving a message.
Operational controls: The security controls (i.e., safeguards or countermeasures) of an information system that are primarily implemented and executed by people (as opposed to systems).
Physical security perimeter: The physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which critical cyber assets are housed and for which access is controlled.
Programmable logic controller (PLC): A digital computer used for the automation of industrial processes, such as machinery control in factories.
Potential impact: The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199, low); (ii) a serious adverse effect (FIPS 199, moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199, high) on organizational operations, organizational assets, or individuals.
Privileged user: A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Remote attestation: Remote attestation allows for one party to verify that another party with which it is communicating is not running compromised software, firmware, or hardware. The approach holds the potential to identify unauthorized firmware updates and malware infections of the smart grid field devices (e.g., smart meters). Remote attestation includes taking a measurement of the underlying software stack running on the device, signing that measurement with the private key that is stored in the device’s TPM (trusted platform module), and sending it to the party requiring attestation information (e.g., SCADA). The design is such that the private key residing in the TPM can only be unsealed if the device’s software and hardware have not been modified in an unauthorized fashion. The receiving party can then ascertain that the software stack measurement of the remote device corresponds to the expected configuration by using the public key to verify the signature. Additional information on the TPM and remote attestation can be found here: http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary.
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information-system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.
Risk assessment: The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Risk category: People and policy risks, process risks, and technical risks.
Risk level (severity): A combination of the likelihood of a damaging event actually occurring and the assessed potential impact on the organization’s mission and goals if it does occur.
Risk management: The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of an information system. Includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Role-based access control: Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
Security category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of that information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the nation.
Security control: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security policy: A set of high-level criteria for people, process, and technological guidance that relates to security of the organization, its systems, and its data.
Security requirements: Requirements levied on an information system that are derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission / business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
Sensitive information: Information whose loss, misuse, or unauthorized access or modification could adversely affect the organization, its employees, or its customers.
System security plan: A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
Technical controls: The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. An alternate definition of threat is an actor / adversary who may carry out an attack against the organization.
Vulnerability: A specific weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability assessment: Formal description and evaluation of the vulnerabilities in an information system.
<<Name of Co-op>> Cyber Security Plan: Appendix C: Acronyms
Appendix C: Acronyms
CIP Critical Infrastructure Protection
DOD Department of Defense
DOE Department of Energy
DHS Department of Homeland Security
EISA Energy Independence and Security Act
FERC Federal Energy Regulatory Commission
ISO International Standards Organization
NERC North American Electric Reliability Corporation
NIST National Institute of Standards and Technology
RMF Risk Management Framework
<<Name of Co-op>> Cyber Security Plan: Appendix D: Minimum Security Requirements
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users,
or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to
organizational information systems.
Incident Response (IR): Organizations must: (i) establish an operational-incident-handling capability for organizational information
systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track,
document, and report incidents to appropriate organizational officials and/or authorities.
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and
(ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to
information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal
or release for reuse.
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the
respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for
information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against
environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational
information systems that describe the security controls in place or planned for the information systems and the rules of behavior for
individuals accessing the information systems.
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations
(including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that
organizational information and information systems are protected during and after personnel actions such as terminations and
transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions,
image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and
the associated processing, storage, or transmission of organizational information.
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational
information systems; (ii) employ system development lifecycle processes that incorporate information security considerations; (iii)
employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to
protect information, applications, and/or services outsourced from the organization.
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational
communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key
internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems
engineering principles that promote effective information security within organizational information systems.
System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system
flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information
systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.