
Cyber Security Plan Template

Jan 03, 2023


Nausheen Anwar
Page 1: Cyber Security Plan Template

<<Name of Co-op>>

Cyber Security Plan <<date>>

Prepared by:

1 of 96

<<Name of Co-op>> Cyber Security Plan

Table of Contents

Preface
    Purpose
    Scope
    Target Audience
    Contacts
Using the Template
Executive Summary
Building a Risk Management Program
    Risk Management Program Plan
Addressing People and Policy Risks
    Cyber Security Policy
    Cyber Security Policy Plan
    Personnel and Training
    Personnel and Training Plan
Addressing Process Risks
    Operational Risks
    Operational Risk Plan
    Insecure Software Development Life Cycle (SDLC) Risks
    Secure SDLC Plan
    Physical Security Risks
    Physical Security Plan
    Third-Party Relationship Risks
    Third-Party Relationship Plan
Addressing Technology Risks
    Network Risks
    Network Security Plan
    Platform Risks
    Platform Security Plan
    Application Layer Risks
    Application Security Plan
Security Requirements and Controls For Each Smart Grid Activity Type
    Advanced Metering Infrastructure (AMI)
    Advanced Metering Infrastructure Plan
    Meter Data Management (MDM)
    Meter Data Management Plan
    Communication Systems (COMM)
    Communication Systems Plan
    Supervisory Control and Data Acquisition (SCADA)
    Supervisory Control and Data Acquisition (SCADA) Plan
    In-Home Display (IHD) / Web Portal Pilots
    In-Home Display (IHD) / Web Portal Pilots Plan
    Demand Response over Advanced Metering Infrastructure (AMI) Networks
    Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan
    Interactive Thermal Storage
    Interactive Thermal Storage Plan
    Smart Feeder Switching
    Smart Feeder Switching Plan
    Advanced Volt/VAR Control
    Advanced Volt/VAR Control Plan
    Conservation Voltage Reduction (CVR)
    Conservation Voltage Reduction (CVR) Plan
Appendix A: Reference Documentation
    Security Standards
    National Institute of Standards and Technology Special Publications
    Other Guidance Documents
Appendix B: Glossary
Appendix C: Acronyms
Appendix D: Minimum Security Requirements

Preface

Purpose

This plan baselines existing cyber security–related activities and controls at our organization against the Guide to Developing a Cyber Security and Risk Mitigation Plan. For areas covered by existing processes and/or technologies, the plan briefly documents how and where this is accomplished. For identified gaps, the plan documents current deviation from the recommended security controls and specifies whether to accept or mitigate the risk, the actions needed to close the gaps, the responsible party, and the implementation timeline.

Scope

This plan goes through the cyber security controls that our organization already has in place or plans to implement in order to mitigate the risks introduced by smart grid technologies.

Target Audience

Security team, IT organization, leadership team.

Contacts

The following are the primary individuals who assisted in preparation of the cyber security plan:

Contact Title Contact E-mail Address

<<list individuals>>


Using the Template

Each section of the template is divided into two subsections. The first contains a table for identifying best practices and their current use in the cooperative:

Figure 1. Use of the Best Practices Table

Using the dropdown box, select the option that best describes the cooperative’s status regarding the best practice.

If the cooperative is fully compliant with the best practice, select “Yes.”

If the cooperative is partially compliant with the best practice, select “Partial.”

If the cooperative is not compliant with the best practice, select “No.”

To list documents where the cooperative’s implementation of the best practice is described, use the “Associated Documentation” column.

The second subsection contains a table for listing deviations from the recommended best practices (those marked as “Partial” or “No” in the first table), decisions to accept or mitigate the risk posed by not implementing the best practices, the person or group responsible for the risk’s acceptance or mitigation, the estimated completion date (if applicable), and a strategy for mitigating the risk (if applicable).

Figure 2. Use of the Deviation Table


Again, use this table to list all security activities or controls that are currently either partially in place or not in place. For each identified activity or control, describe the way in which the cooperative does not meet the best practice as captured in the Guide to Developing a Cyber Security and Risk Mitigation Plan. Use the dropdown box to either “Accept” or “Mitigate” the risk posed by not implementing the best practice. Assign a person or group responsible for mitigating or accepting the risk posed by not implementing the best practice. Provide an estimated completion date of mitigation in the “Estimated Completion Date” column, or use “n/a” for risk acceptance. Describe the strategy that will be used to implement the activity or control, or use “n/a” for risk acceptance.


Executive Summary

This document provides checklists of security activities and controls designed to help an electric cooperative improve the security posture of its smart grid. The checklists are drawn from the Guide to Developing a Cyber Security and Risk Mitigation Plan and provide a mechanism to baseline existing security activities and controls against recommended best practices, identify gaps, capture the decision for risk acceptance or mitigation, and document an appropriate plan of action.

Each section contains tables; filling these will help the electric cooperative to:

Identify missing activities and security controls.

Consolidate planned activities and controls per topic.

Prioritize activity and control implementation.

Track activity and control implementation.

It is important to note that implementing security activities and controls should be done with care and sufficient planning. The environment will require testing to ensure that changes to controls do not break important functionality or introduce new risks.

This document provides cyber security planning support in each of the following categories:

People and policy security

Operational security

Insecure software development life cycle (SDLC)

Physical security

Third-party relationship

Network security

Platform security

Application security


Building a Risk Management Program

No usable system is 100 percent secure or impenetrable. The goal of a risk management program is to identify the risks, understand their likelihood and impact on the business, and then put in place security controls that mitigate the risks to a level acceptable to the organization. In addition to assessment and mitigation, a robust risk management program includes ongoing evaluation and assessment of cyber security risks and controls throughout the life cycle of smart grid component software.

The following checklist summarizes security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

| | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Provide active executive sponsorship. | Active and visible support from executive management at each stage of planning, deploying, and monitoring security efforts is crucial to success. | |
| Choose an item. | Assign responsibility for security risk management to a senior manager. | Have security risk mitigation, resource-allocation decisions, and policy enforcement roll up to a clearly defined executive with the requisite authority. | |
| Choose an item. | Define the system. | Careful system definitions are essential to the accuracy of vulnerability and risk assessments and to the selection of controls that will provide adequate assurances of cyber security. | |
| Choose an item. | Identify and classify critical cyber assets. | It is important to understand the assets that may need to be protected, along with their classification (e.g., confidential information, private information, etc.). That way an informed decision can be made as to the controls needed to protect these assets, commensurate with risk severity and impact to the business. | |
| Choose an item. | Identify and analyze the electronic security perimeter(s) (ESPs). | To build a threat model, it is important to understand the entry points that an adversary may use to go after the assets of an organization. The threat model then becomes an important component of the risk assessment. | |
| Choose an item. | Perform a vulnerability assessment. | Realistic assessments of (a) weaknesses in existing security controls and (b) threats and their capabilities create the basis for estimating the likelihood of successful attacks. They also help to prioritize remedial actions. | |
| Choose an item. | Assess risks to system information and assets. | The risk assessment combines the likelihood of a successful attack with its assessed potential impact on the organization’s mission and goals. It helps ensure that mitigation efforts target the highest security risks and that the controls selected are appropriate and cost-effective for the organization. | |
| Choose an item. | Select security controls. | Appropriate management, operational, and technical controls cost-effectively strengthen defenses and lower risk levels. In addition to assessed risks, selection factors might include the organization’s mission, environment, culture, and budget. | |
| Choose an item. | Monitor and assess the effectiveness of controls. | Effective testing and ongoing monitoring and evaluation can provide a level of confidence that security controls adequately mitigate perceived risks. | |

Risk Management Program Plan

The table below outlines the activities and controls that are currently missing from the risk management of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |
| | | Mitigate | | | |


Addressing People and Policy Risks

Training people to adopt security conscious behaviors and establishing policies for maintaining a secure environment go a long way toward improving an organization’s overall security posture. The next two sections cover the people and policy dimensions of cyber security.

Cyber Security Policy

| | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Assign responsibility for developing, implementing, and enforcing cyber security policy to a senior manager. Ensure that the senior manager has the requisite authority across departments to enforce the policy. | The development and implementation of effective security policies, plans, and procedures require the collaborative input and efforts of stakeholders in many departments of the organization. Assigning a senior manager to organize and drive the efforts, with the authority to make and enforce decisions at each stage, raises the chances of success. | |
| Choose an item. | Define security-related roles and responsibilities. | Employees at virtually every organizational level have responsibility for some part of developing or applying security policies and procedures. Defined roles and responsibilities will clarify decision-making authority and responsibility at each level, along with expected behavior in policy implementation. Creating a multidisciplinary oversight committee ensures that all stakeholders are represented. | |
| Choose an item. | Identify security aspects to be governed by defined policies. | An effective security program requires policies and procedures that address a wide range of management, personnel, operational, and technical issues. | |
| Choose an item. | Document a brief, clear, high-level policy statement for each aspect identified. | The high-level policy statements express three things: The organization management’s commitment to the cyber security program. The high-level direction and requirements for plans and procedures addressing each area. A framework to organize lower-level documents. | |
| Choose an item. | Reference lower-level policy documents. | Lower-level policies, plans, and procedures provide the details needed to put policy into practice. | |
| Choose an item. | Define the implementation plan and enforcement mechanisms. | A careful rollout of the program, well-documented policies that are accessible to the personnel they affect, and clearly communicated consequences of violating policies will help ensure compliance. | |
| Choose an item. | Define a policy management plan. | This will help maximize compliance by providing mechanisms to: Request, approve, document, and monitor policy exceptions. Request, approve, implement, and communicate changes to policies, plans, and procedures. | |


Cyber Security Policy Plan

The table below outlines the activities and controls that are currently missing from the cyber security policy of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |
| | | Choose an item. | | | |

Personnel and Training

Insufficiently trained personnel are often the weakest security link in the organization’s security perimeter and are the target of social engineering attacks. It is therefore crucial to provide adequate security awareness training to all new hires, as well as refresher training to current employees on a yearly basis.

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.


| | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Adequately vet candidates for hire. | Provide a level of confidence that new hires are trustworthy. | |
| Choose an item. | Establish a security-awareness program. | Ensure that all personnel have an understanding of sensitive information, common security risks, and basic steps to prevent security breaches. Further, ensure that personnel develop habits that would make them less susceptible to social engineering attacks. | |
| Choose an item. | Train employees who have access to protected assets. | Ensure that employees who have electronic or physical access to critical assets know how to handle the assets securely and how to report and respond to cyber security incidents. | |
| Choose an item. | Enforce “least privilege” access to cyber assets and periodically review access privileges. | Ensure that employees have only the privileges they need to perform their jobs. | |

Personnel and Training Plan

The table below outlines the activities and controls that are currently missing from the personnel and training plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |
| | | Choose an item. | | | |


Addressing Process Risks

Process gaps leave the door open to an adversary. For instance, failure to conduct a vulnerability assessment of a system when introducing new functionality may allow a security weakness to go undetected. To provide another example, lack of periodic review of system logs may let a breach go undetected. Instituting and following proper security processes is vital to the security of an organization.

Operational Risks

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

| | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Perform periodic risk assessment and mitigation, including threat analysis and vulnerability assessments. | Maintain a fresh picture of the effectiveness of the organization’s security control versus threats facing the organization. | |
| Choose an item. | Control, monitor, and log all access to protected assets. | Prevent unauthorized access to assets, detect unauthorized access to assets, and enforce accountability. | |
| Choose an item. | Redeploy or dispose of protected assets securely. | Ensure that the redeployment or disposal of cyber assets does not inadvertently expose sensitive information to unauthorized entities. | |
| Choose an item. | Define and enforce secure change control and configuration-management processes. | Ensure that system changes do not “break” security controls established to protect cyber assets. | |
| Choose an item. | Create and document incident-handling policies, plans, and procedures. | Ensure that the organization is prepared to act quickly and correctly to avert or contain damage after a cyber security incident. | |
| Choose an item. | Create and document contingency plans and procedures. | Ensure that the organization is prepared to act quickly and correctly to recover critical assets and continue operations after a major disruption. | |
| Choose an item. | Train employees in incident handling and contingency plans. | Ensure that personnel responsible for responding to cyber incidents or major disruptions have a firm grasp of response plans and can execute them under stress. | |

Operational Risk Plan

The table below outlines the activities and controls that are currently missing from the operational risk plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |
| | | Choose an item. | | | |


Insecure Software Development Life Cycle (SDLC) Risks

Secure software is a product of a secure software development process. If the organization develops software internally, it should make sure that it does so by leveraging security activities during the various phases of software development.

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

| | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Document misuse / abuse cases. | Think of ways in which system functionality can be abused so that protections can be built in to prevent that abuse. | |
| Choose an item. | Document security requirements. | Explicitly call out security requirements of the system so that software can be designed, implemented, and tested to ensure that these requirements have been met. | |
| Choose an item. | Build a threat model. | Enumerate the ways in which an adversary may try to compromise the system so that the system can be designed from the get-go to resist such attacks. | |
| Choose an item. | Perform architecture risk analysis. | Compare the system’s architecture against a threat model to ensure that sufficient security controls are in place to prevent successful attacks. | |
| Choose an item. | Define secure implementation guidelines. | Ensure that developers use defensive programming techniques when implementing the system in order to avoid introducing security weaknesses. | |
| Choose an item. | Perform secure code reviews. | Ensure that software complies with security implementation guidelines, that security controls are properly implemented, and that the implementation itself does not introduce any new security risks. | |
| Choose an item. | Perform risk-based security testing. | Run through top risks identified during the threat modeling and architecture risk analysis processes to ensure that the system has been designed and implemented in a way that mitigates these risks. | |
| Choose an item. | Have penetration testing conducted. | Gain assurance from a qualified third party that the software built by your organization is secure. | |
| Choose an item. | Create a Secure Deployment and Operations Guide. | Provide the teams deploying and operating the software in production with whatever knowledge they need in order to ensure that software security requirements are met. | |

Secure SDLC Plan

The table below outlines the activities and controls that are currently missing from the Secure SDLC of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |
| | | Choose an item. | | | |


Physical Security Risks

Physical security measures aimed at protecting critical infrastructure of the smart grid are of paramount importance and form a key element of the overall security strategy. While other controls need to exist for defense in depth in case the adversary is successful in gaining physical access, physical security concerns should not be underestimated.

The following checklist summarizes the various security best practices and controls that you should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

| | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Document, implement, and maintain a physical security plan. | Ensure that physical security is considered in a structured manner that can be tracked. | |
| Choose an item. | The organization must document and implement the technical and procedural controls for monitoring physical access at all access points at all times. | Ability to detect unauthorized access attempts. Take appropriate action if unauthorized access occurred. | |
| Choose an item. | All physical access attempts (successful or unsuccessful) should be logged to a secure central logging server. | Ability to detect unauthorized access attempts. Take appropriate action if unauthorized access occurred. | |
| Choose an item. | Physical access logs should be retained for at least 90 days. | Ability to perform historical analysis of physical access. | |
| Choose an item. | Each physical security system must be tested at least once every three years to ensure it operates correctly. | Ensure that proper physical security posture is maintained. | |
| Choose an item. | Testing and maintenance records must be maintained at least until the next testing cycle. | Ability to understand what was tested and improve testing procedures. | |
| Choose an item. | Outage records must be retained for at least one calendar year. | Ability to investigate causes of outages and tie them to unauthorized physical access. | |

Physical Security Plan

The table below outlines the activities and controls that are currently missing from the physical security of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |
| | | Choose an item. | | | |


Third-Party Relationship Risks

The security posture and practices of cooperative vendors and partners may introduce risks into the electric cooperative organization. If a cooperative acquires software from a vendor that did not pay attention to security during the software’s development, that introduces a risk. If a cooperative utilizes a service from a provider that does not take proper precautions to safeguard the data that the cooperative places in its possession, that introduces a risk. Such risks must be managed.

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control Rationale Associated DocumentationChoose anitem.

Perform due diligence on eachvendor and partner organizationto understand its business,financial, and security trackrecord.

Verify the business, financial,and security reputation of yourvendor / partner organization.

28 of 96

Page 29: Cyber Security Plan Template

<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

Activity / Security Control Rationale Associated DocumentationChoose anitem.

Ask the right questions duringthe request for proposal (RFP)process to understand thesecurity posture and practicesof the partner organization, andin particular whether theirofferings meet yourorganization’s securityrequirements. Compare thesecurity policies and proceduresof a third party against yourorganization’s own securitypolicy to ensure compliance.

Ensure that the security practicesof the vendor / partnerorganization comply with your ownorganization’s security policy.Ensure that the purchasedproduct / service meets yourorganization’s securityrequirements.

Choose anitem.

Review the hiring practices andpersonnel background checks ofyour vendors and partners toensure that they comply withyour organization’s policies.

Make sure that your vendor /partner organization’s backgroundchecks during hiring process areconsistent with your own. Ifpeople who work at your vendor /partner are not trustworthy,neither is anything they produce.

Choose anitem.

Conduct periodic audits andmonitoring of the third-partyorganization to ensure adherenceto their security policies andprocedures.

Make sure that your vendor /partner complies with their ownsecurity policies and procedures.

29 of 96

Page 30: Cyber Security Plan Template

<<Name of Co-op>> Cyber Security Plan Addressing Technology Risks

Activity / Security Control Rationale Associated DocumentationChoose anitem.

For software purchases, request a trusted independent third-party review, to include a report outlining the discovered security weaknesses in the product.

Increase the likelihood that the product supplied by your vendor / partner is secure.

Choose an item.

Ensure that service level agreements (SLAs) and other contractual tools are properly leveraged so that vendors and partners live up to their obligations. For instance, if a breach occurs at a partner organization, there needs to be a provision to have your organization notified of the full extent of the breach as soon as the information is available.

Seek a contractual obligation that helps your organization transfer some of the security risks.

Choose an item.

Request evidence from software vendors that their SDLC makes use of building-security-in activities.

Ensure that the product supplied to your organization by your vendor / partner has been designed and built with security in mind.

Choose an item.

Ask your organization’s vendors and partners about the process that they use to ensure the security of the components and services that they receive from their own suppliers in order to ascertain appropriate due diligence.

Ensure that none of the third-party components that your vendor / partner used in its product or service introduces security weaknesses.

Third-Party Relationship Plan

The table below outlines the activities and controls that are currently missing from the third-party relationship policy of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Addressing Technology Risks

Information technology (IT) is at the heart of the smart grid. As its spreading use helps the smart grid achieve higher operational efficiencies, it also makes the electrical grid more vulnerable to cyber security attacks. It is therefore important to ensure that the way in which IT is used does not inadvertently provide new avenues of attack to an adversary. Further, IT itself should be applied to institute security controls that will help guard the smart grid ecosystem against successful attacks, as well as enhance the system’s ability to detect, isolate, and recover from breaches of security.

Network Risks

Networks are the communication pipes that connect everything together, enabling the flow of information. Networks are at the heart of the smart grid because without the information flow that they enable, smart behavior is not possible. For instance, a system load cannot be adjusted if information from smart meters does not find its way to the SCADA system. Therefore, the energy savings that result from adjusting a load cannot be realized, unless an action is taken based on reliable information that made its way from the smart meters to the SCADA via a communications network. On the other hand, if an adversary is able to tamper with meter data in a way that cannot be detected and to thus feed incorrect data to the SCADA, an incorrect action may be taken by the grid, resulting in undesired consequences.

The following checklist summarizes the various security best practices and controls that you should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Restrict user-assigned devices to specific network segments.

Least privilege through network segmentation.

Choose an item.

Firewalls and other boundary security mechanisms that filter or act as a proxy for traffic moving from one network segment to another of a different security level should default to a “deny all” stance.

Provide security by default.

Choose an item.

Requests for allowing additional services through a firewall or other boundary protection mechanism should be approved by the information security manager.

Centrally manage access according to business need.

Choose an item.

The flow of electronic communications should be controlled. Client systems should communicate with internal servers; these internal servers should not communicate directly with external systems, but should use an intermediate system in your organization’s DMZ. The flow of traffic should be enforced through boundary protection mechanisms.

Confine sensitive electronic communication to established trust zones.

Choose an item.

Protect data in transit.

Preserve the confidentiality and integrity of data in transit.

Choose an item.

Protect domain name service (DNS) traffic.

Ensure that data is routed to the right parties.

Choose an item.

Use secure routing protocols or static routes.

Avoid the disclosure of information on internal routing.

Choose an item.

Deny use of source routing.

Prevent denial-of-service attacks.

Choose an item.

Use technologies like firewalls and virtual local area networks (VLANs) to properly segment your organization’s network in order to increase compartmentalization (e.g., machines with access to business services like e-mail should not be on the same network segment as your SCADA machines). Routinely review and test your firewall rules to confirm expected behavior.

Achieve network segmentation to achieve compartmentalization.

Choose an item.

Separate development, test, and production environments.

Avoid production data leaks into test environments. Have controls in place around access to and changes in the production environment.

Choose an item.

Ensure channel security of critical communication links with technologies like Transport Layer Security (TLS). Where possible, implement Public Key Infrastructure (PKI) to support two-way mutual certificate-based authentication between nodes on your network.

Secure data in transit.

Choose an item.

Ensure that proper certificate and key management practices are in place. Remember that cryptography does not help if the encryption key is easy to compromise. Ensure that keys are changed periodically and that they can be changed right away in the event of compromise.

Ensure that cryptographic protection is not undermined through improper certificate or key management.

Choose an item.

Ensure confidentiality of data traversing your networks. If channel-level encryption is not possible, apply data-level encryption to protect the data traversing your network links.

Secure data in transit.

Choose an item.

Ensure integrity of data traversing your networks through use of digital fingerprints and signed hashes. If TLS is not used, ensure that other protections from man-in-the-middle attacks exist. Use time stamps to protect against replay attacks.

Preserve data integrity.

Choose an item.

Ensure availability of data traversing your networks. If a proper acknowledgement (ACK) is not received from the destination node, ensure that provisions are in place to resend the packet. If that still does not work, reroute the packet via a different network link. Implement proper physical security controls to make your network links harder to compromise.

Detect failures and promote fault tolerance.

Choose an item.

Ensure that only standard, approved, and properly reviewed communication protocols are used on your network.

Use proven protocols that have been examined for security weaknesses.

Choose an item.

Use intrusion detection systems (IDSs) to detect any anomalous behavior on your network. If anomalous behavior is encountered, have a way to isolate the potentially compromised nodes on your network from the rest of the network.

Detect intrusions.

Choose an item.

Ensure that a sufficient number of data points exist from devices on your network before the smart grid takes any actions based on that data. Never take actions based on the data coming from network nodes that may have been compromised.

Avoid taking actions based on incorrect data.

Choose an item.

Ensure that all settings used on your network hardware have been set to their secure settings and that you fully understand the settings provided by each piece of hardware. Do not assume that default settings are secure.

Secure configuration.

Choose an item.

Disable all unneeded network services.

Reduce attack surface.

Choose an item.

Routinely review your network logs for anomalous / malicious behavior via automated and manual techniques.

Detect intrusion.

Choose an item.

Ensure that sufficient redundancy exists in your network links so that rerouting traffic is possible if some links are compromised.

Ensure continuity of operations.

Choose an item.

Before granting users access to network resources, ensure that they are authenticated and authorized using their own individual (i.e., nonshared) credentials.

Enforce accountability.

Choose an item.

Limit remote access to your networks to an absolute minimum. When required, use technologies like Virtual Private Networks (VPNs, IPSec) to create a secure tunnel after properly authenticating the connecting party using their individual credentials. In addition to a user name and password, also use an RSA ID-like device to provide an additional level of authentication.

Prevent unauthorized access.

Choose an item.

Implement remote attestation techniques for your field devices (e.g., smart meters) to ensure that their firmware has not been compromised.

Prevent unauthorized modification of firmware on field equipment.

Choose an item.

Require a heartbeat from your field equipment at an interval known to the piece of equipment and to the server on your internal network. If a heartbeat is missed or comes at the wrong time, consider treating that piece of equipment as compromised / out of order and take appropriate action.

Detect tampering with field equipment.

Choose an item.

Ensure that the source of network time is accurate and that accurate time is reflected on all network nodes for all actions taken and events logged.

Maintain accurate network time.

Choose an item.

Document the network access level that is needed for each individual or role at your organization and grant only the required level of access to these individuals or roles. All exceptions should be noted.

Maintain control over access to network resources and keep it to a necessary minimum.

Choose an item.

All equipment connected to your network should be uniquely identified and approved for use on your organization’s network.

Control hardware that gets connected to your organization’s network.
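Added example, not part of the original template: one way a server on the internal network could apply the checklist's signed-hash, time-stamp and heartbeat controls to messages from field devices. The message layout, the per-device shared key, the sequence counter (which closes the replay window that a time stamp alone leaves open) and all constants are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

MAX_CLOCK_SKEW_S = 30       # assumed tolerance between device and server clocks
HEARTBEAT_INTERVAL_S = 60   # assumed interval, known to both device and server
HEARTBEAT_TOLERANCE_S = 5   # assumed allowed jitter around that interval


def sign(key: bytes, device_id: str, seq: int, ts: int, data: dict) -> dict:
    """Device side: the HMAC tag covers identity, counter, time stamp and data."""
    body = json.dumps({"dev": device_id, "seq": seq, "ts": ts, "data": data},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


@dataclass
class DeviceState:
    key: bytes
    last_seq: int = -1
    last_heartbeat: Optional[int] = None
    quarantined: bool = False


class Receiver:
    """Server side: verify the tag, check freshness, reject replays, track heartbeats."""

    def __init__(self, keys: dict):
        self.devices = {dev: DeviceState(key) for dev, key in keys.items()}

    def accept(self, msg: dict, now: int) -> str:
        body, tag = msg.get("body"), msg.get("tag")
        if not isinstance(body, str) or not isinstance(tag, str):
            return "malformed"
        try:
            fields = json.loads(body)
            dev, seq, ts = fields["dev"], int(fields["seq"]), int(fields["ts"])
            data = fields["data"]
            state = self.devices[dev]          # unknown devices are rejected
            expected = hmac.new(state.key, body.encode(), hashlib.sha256).hexdigest()
        except (KeyError, ValueError, TypeError):
            return "malformed"
        # Constant-time comparison; nothing in the body is trusted before this.
        if not hmac.compare_digest(expected.encode(), tag.encode("utf-8", "replace")):
            return "bad-signature"
        if state.quarantined:
            return "quarantined"
        if abs(now - ts) > MAX_CLOCK_SKEW_S:   # relies on accurate network time
            return "stale-timestamp"
        if seq <= state.last_seq:              # same message inside the time window
            return "replay"
        state.last_seq = seq
        if isinstance(data, dict) and data.get("type") == "heartbeat":
            prev, state.last_heartbeat = state.last_heartbeat, ts
            if prev is not None and abs(ts - prev - HEARTBEAT_INTERVAL_S) > HEARTBEAT_TOLERANCE_S:
                state.quarantined = True       # heartbeat came at the wrong time
                return "heartbeat-off-schedule"
        return "ok"

    def overdue(self, now: int) -> list:
        """Quarantine and return devices whose next heartbeat never arrived."""
        late = []
        for dev, state in self.devices.items():
            if state.last_heartbeat is None or state.quarantined:
                continue
            if now - state.last_heartbeat > HEARTBEAT_INTERVAL_S + HEARTBEAT_TOLERANCE_S:
                state.quarantined = True
                late.append(dev)
        return sorted(late)


def demo() -> list:
    """Run constructed sample messages through the receiver."""
    key = b"constructed-demo-key"              # constructed value, not a real key
    rx = Receiver({"meter-001": key})
    reading = sign(key, "meter-001", 1, 1000, {"type": "reading", "kwh": 12.5})
    tampered = {"body": reading["body"].replace("12.5", "99.9"), "tag": reading["tag"]}
    hb1 = sign(key, "meter-001", 2, 1010, {"type": "heartbeat"})
    hb2 = sign(key, "meter-001", 3, 1040, {"type": "heartbeat"})   # 30 s early
    after = sign(key, "meter-001", 4, 1100, {"type": "reading", "kwh": 12.6})
    return [
        rx.accept(reading, now=1002),
        rx.accept(reading, now=1005),    # captured and resent at once
        rx.accept(reading, now=1200),    # captured and resent later
        rx.accept(tampered, now=1002),
        rx.accept(hb1, now=1011),
        rx.accept(hb2, now=1041),
        rx.accept(after, now=1100),      # device is now isolated
    ]


if __name__ == "__main__":
    print(demo())
```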

Network Security Plan

The table below outlines the activities and controls that are currently missing from the network security plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Platform Risks

Each accessible host on the organization’s network is a potential target for attack. Adversaries will try to compromise these hosts via methods that cannot be mitigated through network security controls alone. It is imperative to ensure that platform software running on the organization’s hosts is secure, including (but not limited to) operating system software, database software, Web server software, and application server software. Together these form a software stack on top of which the organization’s custom applications run.

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Ensure latest security patches are applied to all software running on your network hosts.

Patch known weaknesses so that they cannot be exploited.

Choose an item.

Ensure the latest antivirus / antimalware software runs regularly.

Detect known viruses and/or malware.

Choose an item.

Ensure that all unneeded services and interfaces (e.g., USB) are turned off on these hosts.

Minimize the attack surface.

Choose an item.

Ensure that the hosts run only services and applications that are absolutely necessary.

Minimize the attack surface.

Choose an item.

Ensure that system logs are checked regularly and any abnormalities investigated.

Detect intrusions / attack attempts (both external and internal).

Choose an item.

Run software to monitor for file system changes.

Detect system malware infections and unauthorized changes.

Choose an item.

Ensure that all access attempts and any elevation of privilege situations are properly logged and reviewed.

Detect intrusions / attack attempts (both external and internal).

Choose an item.

Ensure that passwords are of sufficient complexity and changed periodically.

Prevent unauthorized access.

Choose an item.

Ensure that all security settings on your hosts are configured with security in mind.

Prevent unauthorized access.

Choose an item.

Ensure that shared (nonindividual) passwords are not used to access hosts or applications running on these hosts.

Allow for accountability; prevent unauthorized access.

Choose an item.

Ensure that authentication is required prior to gaining access to any services / applications running on your network hosts and that it cannot be bypassed.

Prevent unauthorized access.

Choose an item.

Make use of a centralized directory like LDAP to manage user credentials and access permissions. Ensure that users have only the minimum privileges needed to do their job functions. If an elevation of privilege is needed, grant it for the minimum amount of time needed and then return the privileges to normal.

Enforce the principle of least privilege; prevent unauthorized access; make it easy to change passwords; make it easy to revoke access; make it easy to enforce password complexity.

Choose an item.

Ensure that all software updates are properly signed and come from a trusted source.

Malware protection.

Choose an item.

Prevent the ability to change field device settings without proper authentication. Changes to field device settings should be reported and logged in a central location. These logs should be reviewed frequently.

Maintain confidence in data coming from field devices by ensuring that they have not been tampered with.

Choose an item.

If possible, verify the integrity of firmware running on field equipment via remote attestation techniques. Consult with the equipment vendor for assistance. If remote attestation fails, the affected field device should be considered compromised, and should be isolated.

Maintain confidence in data coming from field devices by ensuring that they have not been tampered with.

Platform Security Plan

The table below outlines the activities and controls that are currently missing from the platform security plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Application Layer Risks

In the platform risks section the discussion focused mainly on operating systems and other software making up the software stack on top of which the organization’s custom applications run. If the organization develops or purchases custom software, it is important that the software is developed with security in mind from the get-go to help ensure that it does not contain any software security weaknesses that may be exploited by adversaries to compromise the system. To accomplish this the organization needs to make its software development process security aware. The software development life cycle (SDLC) activities for doing so are documented in the “Insecure SDLC Risks” section under “Process Risks” earlier in this document.

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Implement security activities and gates into your organization’s SDLC (please refer to checklist under “Insecure SDLC Risks” section for additional details).

Develop software that does not have security weaknesses.

Choose an item.

Request independent party software security assessments of the applications being purchased to gauge the software’s security posture.

Gain confidence that the third-party software your organization purchases does not have security weaknesses.

Application Security Plan

The table below outlines the activities and controls that are currently missing from the Application Security Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Security Requirements and Controls For Each Smart Grid Activity Type

The remainder of this document contains each of the 10 activity types that are part of the National Rural Electric Cooperative Association’s (NRECA’s) smart grid demonstrations and highlights the security / privacy requirements specific to each. Along with requirements, the sections also contain specific security best practices and controls needed to meet these requirements. Although many of these best practices and controls have already been noted earlier in this document, the goal here is to specifically highlight security attributes for each smart grid activity type.

It is important to note that some of these security controls are outside the direct control of your organization, but instead are under control of your organization’s hardware and software vendors. When that is the case, it is important to choose your vendors wisely and leverage the RFP process to ask the vendors the right questions and gather the right evidence in order to convince your organization that the procured products meet security requirements.

Advanced Metering Infrastructure (AMI)

The following checklist summarizes the various security best practices and controls that you should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Ask software and hardware (with embedded software) vendors for evidence (e.g., third-party assessment) that their software is free of software weaknesses.

Ensure that smart meters and their data are not compromised.

Choose an item.

Perform remote attestation of smart meters to ensure that their firmware has not been modified.

Ensure that smart meters and their data are not compromised.

Choose an item.

Make use of the communication protocol security extensions (e.g., MultiSpeak® security extensions) to ascertain the integrity (including origin integrity) of smart meter data.

Ensure that smart meters and their data are not compromised.

Choose an item.

Establish and maintain secure configuration management processes (e.g., when servicing field devices or updating their firmware).

Ensure that smart meters and their data are not compromised.

Choose an item.

Ensure that all software (developed internally or procured from a third party) is developed using security-aware SDLC.

Ensure that smart meters and their data are not compromised.

Choose an item.

Apply qualified third-party security penetration testing to test all hardware and software components prior to live deployment.

Ensure that smart meters and their data are not compromised.

Choose an item.

Decouple identifying end-user information (e.g., household address, GPS coordinates, etc.) from the smart meter. Use a unique identifier instead.

Preserve user privacy.

Choose an item.

Implement physical security controls and detection mechanisms when tampering occurs.

Ensure that smart meters and their data are not compromised.

Choose an item.

Ensure that a reliable source of network time is maintained.

Ensure that timely smart grid decisions are taken based on fresh field data.

Choose an item.

Disable the remote disconnect feature that allows shut down of electricity remotely using a smart meter.

Prevent unauthorized disruption / shutdown of segments of the electrical grid.

Advanced Metering Infrastructure Plan

The table below outlines the activities and controls that are currently missing from the Advanced Metering Infrastructure Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Meter Data Management (MDM)

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Data arriving to be stored in the MDM system does not come from a compromised meter.

Only data from uncompromised meters is stored in the MDM system.

Choose an item.

Data arriving to be stored in the MDM system is syntactically and semantically valid.

Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system.

Choose an item.

The system parsing the data arriving in the MDM system should make use of all the appropriate data validation and exception-handling techniques.

Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system.

Choose an item.

The MDM system has been designed and implemented using security-aware SDLC.

Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system.

Choose an item.

The MDM system has passed a security penetration test conducted by a qualified third party.

Prevent storing bad data in the MDM system and prevent potentially harmful / malicious data from compromising the system.

Choose an item.

Cleanse data stored in the MDM system from all private information.

Promote user privacy.

Choose an item.

Gracefully handle denial-of-service attempts (from compromised meters).

Protect the MDM system from attacks originating from smart meters.
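Added example, not part of the original template: a sketch of an MDM intake step that applies the checklist's syntactic validation, semantic validation, exception handling and per-meter throttling before anything is stored. The JSON record layout, field names, limits and meter identifiers are assumptions made for illustration.

```python
import json
import math
from collections import defaultdict

MAX_RECORD_BYTES = 512        # assumed cap on one record's size
MAX_KWH_PER_INTERVAL = 50.0   # assumed plausibility bound between two reads
MAX_FUTURE_SKEW_S = 120       # assumed tolerance for meter clock drift
RATE_LIMIT = 5                # assumed records allowed per meter per window
RATE_WINDOW_S = 60
ALLOWED_FIELDS = {"meter_id", "ts", "register_kwh"}   # no address, name or GPS


class RejectedRecord(Exception):
    """Carries a short reason code; the intake loop logs it and carries on."""


class MdmIntake:
    def __init__(self, known_meters):
        self.known = set(known_meters)
        self.last = {}                       # meter_id -> (ts, register_kwh)
        self.arrivals = defaultdict(list)    # known meters only, so memory is bounded

    def _throttle(self, meter_id, now):
        recent = [t for t in self.arrivals[meter_id] if now - t < RATE_WINDOW_S]
        self.arrivals[meter_id] = recent
        if len(recent) >= RATE_LIMIT:
            raise RejectedRecord("rate-limited")
        recent.append(now)

    def parse(self, raw, now):
        # Syntactic checks: size, encoding, JSON shape, exact field set, types.
        if len(raw) > MAX_RECORD_BYTES:
            raise RejectedRecord("too-large")
        try:
            rec = json.loads(raw.decode("utf-8"))
        except (ValueError, RecursionError):   # bad UTF-8, bad JSON, deep nesting
            raise RejectedRecord("not-json") from None
        if not isinstance(rec, dict) or set(rec) != ALLOWED_FIELDS:
            raise RejectedRecord("unexpected-fields")
        meter_id, ts, reg = rec["meter_id"], rec["ts"], rec["register_kwh"]
        if not isinstance(meter_id, str) or meter_id not in self.known:
            raise RejectedRecord("unknown-meter")
        self._throttle(meter_id, now)
        if type(ts) is not int:                # also rejects true/false
            raise RejectedRecord("bad-timestamp")
        try:
            reg = float(reg) if type(reg) in (int, float) else math.nan
        except OverflowError:                  # integer too large for a float
            reg = math.nan
        if not math.isfinite(reg) or reg < 0:  # json.loads accepts NaN and Infinity
            raise RejectedRecord("bad-register")
        # Semantic checks: the value must make sense next to the previous read.
        if ts > now + MAX_FUTURE_SKEW_S:
            raise RejectedRecord("future-timestamp")
        prev = self.last.get(meter_id)
        if prev is not None:
            if ts <= prev[0]:
                raise RejectedRecord("non-increasing-timestamp")
            if reg < prev[1]:
                raise RejectedRecord("register-decreased")
            if reg - prev[1] > MAX_KWH_PER_INTERVAL:
                raise RejectedRecord("implausible-usage")
        self.last[meter_id] = (ts, reg)
        return {"meter_id": meter_id, "ts": ts, "register_kwh": reg}

    def ingest(self, raws, now):
        """Process a batch; one bad record never stops the rest."""
        stored, rejected = [], []
        for raw in raws:
            try:
                stored.append(self.parse(raw, now))
            except RejectedRecord as exc:
                rejected.append(str(exc))
        return stored, rejected


# Constructed sample records; "m-17" and "m-99" are made-up meter identifiers.
CONSTRUCTED_BATCH = [
    b'{"meter_id":"m-17","ts":1000,"register_kwh":100.0}',
    b'{"meter_id":"m-17","ts":1005,"register_kwh":NaN}',
    b'{"meter_id":"m-17","ts":1006,"register_kwh":90.0}',
    b'{"meter_id":"m-17","ts":1007,"register_kwh":100.5,"address":"12 Elm St"}',
    b'{"meter_id":"m-99","ts":1007,"register_kwh":1.0}',
    b"\xff\xfe",
    b'{"meter_id":"m-17","ts":1008,"register_kwh":100.4}',
]


def demo():
    return MdmIntake({"m-17"}).ingest(CONSTRUCTED_BATCH, now=1010)


if __name__ == "__main__":
    print(demo())
```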

Meter Data Management Plan

The table below outlines the activities and controls that are currently missing from the Meter Data Management Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Communication Systems (COMM)

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Ensure data integrity.

Secure communications.

Choose an item.

Ensure origin integrity.

Secure communications.

Choose an item.

Use proven communications protocols with built-in security capabilities.

Secure communications.

Choose an item.

Ensure confidentiality of data where appropriate.

Secure communications.

Choose an item.

Ensure proper network segmentation.

Promote compartmentalization, least privilege, isolation, fault tolerance.

Choose an item.

Have a third party perform network security penetration testing.

Receive greater assurance that communications are secure.

Choose an item.

Implement sufficient redundancy.

Fault tolerance.

Choose an item.

Protect from man-in-the-middle attacks.

Secure communications.

Choose an item.

Protect from replay attacks.

Secure communications.

Choose an item.

Use proven encryption techniques.

Secure communications.

Choose an item.

Use robust key management techniques.

Secure communications.

Communication Systems Plan

The table below outlines the activities and controls that are currently missing from the Communication Systems Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy

Choose an item.

Supervisory Control and Data Acquisition (SCADA)

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

Activity / Security Control | Rationale | Associated Documentation

Choose an item.

Appoint a senior security manager with a clear mandate.

Make security somebody’s responsibility.

Choose an item.

Conduct personnel security-awareness training.

Help improve the people aspect of security.

Choose an item.

Apply basic network and system IT security practices (e.g., regular security patches, run antivirus, etc.).

Make your SCADA environment more difficult to compromise.

Choose an item.

Ensure that software running in the SCADA environment (e.g., either internal or external) has been built with security in mind and reviewed for security by a qualified third party.

Protect from the perils of insecure software.

Choose an item.

Enforce the principle of least privilege when granting user access to SCADA resources.

Least privilege of access.

Choose an item.

Ensure proper physical security controls.

Supplement IT security controls with physical controls.

Choose an item.

Perform monitoring and logging, and ensure that people can be held accountable for their actions.

Achieve intrusion detection, forensic analysis, holding people accountable.

Choose an item.

Avoid taking critical control decisions without human confirmation.

Put the human operator in control.

Choose an item.

Avoid taking critical control decisions based on too few data points.

Avoid taking erroneous actions at the SCADA level.

Choose an item.

Avoid taking critical control decisions based on data points from compromised field devices or based on data that has been tampered with.

Avoid taking erroneous actions at the SCADA level.

61 of 96

Page 62: Cyber Security Plan Template

<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Activity / SecurityControl

Rationale AssociatedDocumentation

Choose anitem.

Ensure proper networksegmentation in theSCADA environment.

Segregate critical controlsystems from the rest ofyour organization’scorporate environment topromotecompartmentalization.

Choose anitem.

Ensure sufficient faulttolerance and redundancyin the SCADAenvironment.

Plan for failure andcontinuation of operations.

Choose anitem.

Develop and testbusiness continuity anddisaster recovery plans.

Plan for failure andcontinuation of operations.

Choose anitem.

Use individual (ratherthan shared) user loginaccounts with strongpasswords.

Prevent unauthorized accessand promote accountability.

Choose anitem.

Ensure that all hardwareauthentication settingshave been changed fromtheir default values.

Prevent unauthorizedaccess.

62 of 96

Page 63: Cyber Security Plan Template

<<Name of Co-op>> Cyber Security Plan: Security Requirements and Controls For Each Smart Grid Activity Type

Supervisory Control and Data Acquisition (SCADA) Plan

The table below outlines the activities and controls that are currently missing from the Supervisory Control and Data Acquisition (SCADA) Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

In-Home Display (IHD) / Web Portal Pilots

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

|  | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Ensure that the software running on IHDs is free of weaknesses, especially if it is remotely exploitable. | Ensure that attackers cannot remotely control the IHDs of users. |  |
| Choose an item. | Ensure the integrity of data shown on users’ IHDs. | Protect the integrity of data sent to the user. |  |
| Choose an item. | If the IHD can send data upstream (an unusual configuration), ensure the integrity of such communication. | Protect the integrity of data received from the user. |  |
| Choose an item. | Ensure the anonymity and privacy of data (where appropriate) pertaining to electricity usage patterns such that it cannot be tied back to the consumer. | Protect the privacy of users’ electrical usage data. |  |
| Choose an item. | Perform remote attestation of IHDs to alert the control center when unauthorized firmware updates occur. | Know when IHDs have been tampered with and should no longer be trusted. |  |

In-Home Display (IHD) / Web Portal Pilots Plan

The table below outlines the activities and controls that are currently missing from the IHD and Web Portal Pilots Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

Demand Response over Advanced Metering Infrastructure (AMI) Networks

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

|  | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Same activities and security controls as those described in the “AMI” section above. |  |  |
| Choose an item. | Authenticate and validate all control signals coming from the control center to the smart meters. | Prevent unauthorized control of electric devices in the consumer’s home. |  |
| Choose an item. | Provide consumers a feature to turn off remote control of in-house electric devices via smart meters. Since this capability would likely lead to some consumers turning off DM when conditions are extreme, such as in an extended heat wave, measures must be implemented to protect against this, such as disabling the turn-off function during such times. | Consumers should have a choice and also default overwrite ability if their smart meters become compromised. |  |

Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan

The table below outlines the activities and controls that are currently missing from the Demand Response over Advanced Metering Infrastructure (AMI) Networks Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

Interactive Thermal Storage

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

|  | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Ensure that the software running on the device controlling electric water heaters is free of software weaknesses, especially if they are remotely exploitable. | Ensure that attackers cannot remotely control the electric water heaters of users. |  |
| Choose an item. | Request third-party security assessment of all software used to control electric water heaters. | Ensure that attackers cannot remotely control the electric water heaters of users. |  |
| Choose an item. | Conduct a security penetration test. | Ensure that attackers cannot remotely control the electric water heaters of users. |  |
| Choose an item. | Build in a mechanism to authenticate and validate control signals for electric water heaters. | Ensure that attackers cannot remotely control the electric water heaters of users. |  |
| Choose an item. | Build safeguards into the operation of electric water heaters (e.g., to prevent them from rising above a certain temperature, etc.). | Ensure human safety. |  |
| Choose an item. | Provide a manual override mechanism whereby users can prevent their electric water heaters from being controlled remotely. | Ensure human safety. |  |

Interactive Thermal Storage Plan

The table below outlines the activities and controls that are currently missing from the Interactive Thermal Storage Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

Smart Feeder Switching

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

|  | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Ensure that the software controlling smart feeder switching is free of security weaknesses. | Prevent unauthorized electrical power grid reconfiguration. |  |
| Choose an item. | Implement physical security controls and detection mechanisms when tampering occurs. | Prevent unauthorized electrical power grid reconfiguration. |  |
| Choose an item. | Perform sufficient authentication and validation of all control data used to reconfigure the electrical distribution network. | Prevent unauthorized electrical power grid reconfiguration. |  |
| Choose an item. | Ensure that a human(s) has to review and authorize any electrical distribution network reconfiguration. | Prevent unauthorized electrical power grid reconfiguration. |  |
| Choose an item. | Build safeguards into the hardware. | Ensure safe behavior when failures occur. |  |

Smart Feeder Switching Plan

The table below outlines the activities and controls that are currently missing from the Smart Feeder Switching Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

Advanced Volt/VAR Control

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

|  | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Ensure that the software controlling distribution feeders is free of security weaknesses. | Prevent unauthorized control of distribution feeders. |  |
| Choose an item. | Implement physical security controls and detection mechanisms when tampering occurs. | Prevent unauthorized control of distribution feeders. |  |
| Choose an item. | Perform sufficient authentication and validation of all control data bound for distribution feeders. | Prevent unauthorized control of distribution feeders. |  |
| Choose an item. | Design automatic control systems to operate with a human “in the loop” when time permits. | Prevent unauthorized control of distribution feeders. |  |
| Choose an item. | Be sure that safeguards are built into the hardware. | Ensure safe behavior in case failures occur. |  |

Advanced Volt/VAR Control Plan

The table below outlines the activities and controls that are currently missing from the Advanced Volt/VAR Control Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

Conservation Voltage Reduction (CVR)

The following checklist summarizes the various security best practices and controls that an organization should consider implementing. For more details on any of the activities / security controls, please refer to the descriptions in the Guide to Developing a Cyber Security and Risk Mitigation Plan.

|  | Activity / Security Control | Rationale | Associated Documentation |
| --- | --- | --- | --- |
| Choose an item. | Ensure that the software controlling voltage regulators and monitors is free of security weaknesses. | Prevent unauthorized voltage reduction behavior. |  |
| Choose an item. | Implement physical security controls and detection mechanisms in case tampering occurs. | Prevent unauthorized voltage reduction behavior. |  |
| Choose an item. | Perform sufficient authentication and validation of all control data bound for voltage regulators and coming from voltage monitors. | Prevent unauthorized voltage reduction behavior. |  |
| Choose an item. | Ensure that a human(s) has to review and authorize any changes to voltage. | Prevent unauthorized voltage reduction behavior. |  |
| Choose an item. | Be sure that safeguards are built into the hardware. | Ensure safe behavior when failures occur. |  |

Conservation Voltage Reduction (CVR) Plan

The table below outlines the activities and controls that are currently missing from the Conservation Voltage Reduction Plan of the organization. Each activity row includes columns that describe the plan to implement the activity, the schedule for implementation, and the party responsible for its implementation and maintenance.

| Activity / Security Control | Existing Guideline Deviation | Accept or Mitigate Risk | Responsible Party | Estimated Completion Date | Mitigation Strategy |
| --- | --- | --- | --- | --- | --- |

Choose an item.

Appendix A: Reference Documentation

Security Standards

International Organization for Standardization/International Electrotechnical Commission 27001, Information Security Management System Requirements, October 2005. Specification for an information security management system. Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306.

International Organization for Standardization/International Electrotechnical Commission 27002, Code of Practice for Information Security Management, 2005. Best practices for developing and deploying an information security management system. Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306.

National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. Categorizing impact levels of information assets, deriving system-level security categorization. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. Guidelines for using the security profiles and controls cataloged in NIST SP800-53; families of security controls, minimum requirements for high-, moderate-, and low-impact systems. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.

National Institute of Standards and Technology Special Publications

National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995. Elements of security, roles and responsibilities, common threats, security policy, program management. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.

National Institute of Standards and Technology Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998. Learning-continuum model, security literacy and basics, role-based training. http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.

National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002. Risk management, assessment, mitigation. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, August 2009. Security control fundamentals, baselines by system-impact level, common controls, tailoring guidelines, catalog of controls in 18 families. http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.

National Institute of Standards and Technology Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008. Security objectives and types of potential losses, assignment of impact levels and system security category. http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf.

National Institute of Standards and Technology Special Publication 800-82 (Final Public Draft), Guide to Industrial Control Systems (ICS) Security, September 2008. Overview of industrial control systems (ICS), threats and vulnerabilities, risk factors, incident scenarios, security program development. http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.

National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006. Governance, awareness and training, capital planning, interconnecting systems, performance measures, security planning, contingency planning. http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.

National Institute of Standards and Technology Special Publication 800-122 (Draft), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), January 2009. Identifying PII, impact levels, confidentiality safeguards, incident response. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf.

National Institute of Standards and Technology Special Publication 800-39 (Final Public Draft), Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View, December 2010. http://csrc.nist.gov/publications/drafts/800-39/draft-SP800-39-FPD.pdf.

Other Guidance Documents

Gary McGraw, Software Security: Building Security In, 2006.

National Institute of Standards and Technology IR 7628, Guidelines for Smart Grid Cyber Security, August 2010. Four PDFs available at http://csrc.nist.gov/publications/PubsNISTIRs.html:
- Introduction to NISTIR 7628, http://csrc.nist.gov/publications/nistir/ir7628/introduction-to-nistir-7628.pdf.
- Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf.
- Vol. 2, Privacy and the Smart Grid, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf.
- Vol. 3, Supportive Analyses and References, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf.

North American Electric Reliability Corporation Critical Infrastructure Protection Standards CIP-002 through CIP-009, 2009–10. Available at http://www.nerc.com/page.php?cid=2|20:
- CIP-002-3, Critical Cyber Asset Identification
- CIP-003-3, Security Management Controls
- CIP-004-3, Personnel and Training
- CIP-005-3, Electronic Security Perimeter(s)
- CIP-006-3, Physical Security of Critical Cyber Assets
- CIP-007-3, Systems Security Management
- CIP-008-3, Incident Reporting and Response Handling
- CIP-009-3, Recovery Plans for Critical Cyber Assets

The CIP standards are also included in the collected Reliability Standards for the Bulk Electric Systems of North America, June 2010, http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf.

North American Electric Reliability Corporation Glossary of Terms Used in Reliability Standards, February 2008, http://www.nerc.com/files/Glossary_12Feb08.pdf.

Appendix B: Glossary

Adequate security

A set of minimum security requirements that the system is expected to meet.

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources.

Authorization

Refers to verifying a user’s permissions (after the user has been authenticated) for accessing certain resources or functionality.

Availability

Ensuring timely and reliable access to and use of resources.

Boundary protection

Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Contingency

The unexpected failure or outage of a system component, such as a generator, transmission line, circuit breaker, switch, or other electrical element.

Critical assets

Facilities, systems, and equipment that if destroyed, degraded, or otherwise rendered unavailable would affect the reliability or operability of the bulk electric system.

Cyber asset

Programmable electronic devices and communication networks, including hardware, software, and data.

Cyber security incident

Any malicious act or suspicious event that:
- Compromises, or was an attempt to compromise, the electronic security perimeter or physical security perimeter of a critical cyber asset.
- Disrupts, or was an attempt to disrupt, the operation of a critical cyber asset.

Electronic security perimeter

The logical border surrounding a network to which critical cyber assets are connected and for which access is controlled.

Identity-based access control

Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.

Impact

Damage to an organization’s mission and goals (e.g., the loss of confidentiality, integrity, or availability of system information or operations).

Impact level

The assessed degree (high, medium, or low) of potential damage to the organization’s mission and goals.

Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Information security

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information security policy

Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Information system

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.)

Integrity

Guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity.

Management controls

The security controls (i.e., safeguards or countermeasures) of an information system that focus on the management of risk and the management of information system security.

Network access

Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Nonrepudiation

Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action, such as creating information, sending a message, approving information, and receiving a message.

Operational controls

The security controls (i.e., safeguards or countermeasures) of an information system that are primarily implemented and executed by people (as opposed to systems).

Physical security perimeter

The physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which critical cyber assets are housed and for which access is controlled.

Programmable logic controller (PLC)

A digital computer used for the automation of industrial processes, such as machinery control in factories.

Potential impact

The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199, low); (ii) a serious adverse effect (FIPS 199, moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199, high) on organizational operations, organizational assets, or individuals.

Privileged user

A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Remote attestation

Remote attestation allows for one party to verify that another party with which it is communicating is not running compromised software, firmware, or hardware. The approach holds the potential to identify unauthorized firmware updates and malware infections of the smart grid field devices (e.g., smart meters). Remote attestation includes taking a measurement of the underlying software stack running on the device, signing that measurement with the private key that is stored in the device’s TPM (trusted platform module), and sending it to the party requiring attestation information (e.g., SCADA). The design is such that the private key residing in the TPM can only be unsealed if the device’s software and hardware have not been modified in an unauthorized fashion. The receiving party can then ascertain that the software stack measurement of the remote device corresponds to the expected configuration by using the public key to verify the signature.

Additional information on the TPM and remote attestation can be found here: http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary.
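
The exchange described in this entry, as an added Python example that is not part of the template: a device measures its software stack and signs the measurement together with a fresh challenge, and the control center verifies the signature with the public key and compares the measurement with the approved value. The component names, the nonce challenge and the Lamport one-time signature (used in place of a TPM-held key so that only the standard library is needed) are assumptions; key sealing is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample software stacks (not real firmware images).
APPROVED_STACK = [b"bootloader v1.0", b"ihd-firmware v2.3", b"display-app v2.3"]
TAMPERED_STACK = [b"bootloader v1.0", b"ihd-firmware v2.3-unsigned", b"display-app v2.3"]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measure(stack: list[bytes]) -> bytes:
    """Fold every component into one register: r = H(r || H(component))."""
    register = bytes(32)
    for component in stack:
        register = _h(register + _h(component))
    return register


# Lamport one-time signature: stand-in for the device's TPM-held private key.
# Each key pair must sign only one message; a real TPM uses an RSA or ECC key.
def keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def _bits(message: bytes) -> list[int]:
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(private, message: bytes) -> list[bytes]:
    # Reveal one secret per bit of the message digest.
    return [private[i][bit] for i, bit in enumerate(_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(message)):
        ok &= hmac.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def device_quote(private, stack: list[bytes], nonce: bytes) -> dict:
    """Device side: measure the running stack and sign nonce || measurement."""
    measurement = measure(stack)
    return {"measurement": measurement, "signature": sign(private, nonce + measurement)}


def control_center_check(public, expected: bytes, nonce: bytes, quote: dict) -> str:
    """Verifier side: check the signature first, then the measurement."""
    measurement = quote["measurement"]
    if not verify(public, nonce + measurement, quote["signature"]):
        return "reject: bad signature or stale nonce"
    if not hmac.compare_digest(measurement, expected):
        return "alert: unexpected firmware"
    return "trusted"


def demo() -> dict:
    expected = measure(APPROVED_STACK)
    results = {}

    # Device A runs the approved stack.
    priv_a, pub_a = keygen()
    nonce_a = secrets.token_bytes(16)
    quote_a = device_quote(priv_a, APPROVED_STACK, nonce_a)
    results["approved"] = control_center_check(pub_a, expected, nonce_a, quote_a)
    # The same report presented against a later challenge is refused.
    results["replayed"] = control_center_check(pub_a, expected, secrets.token_bytes(16), quote_a)

    # Device B has received an unauthorized firmware update.
    priv_b, pub_b = keygen()
    nonce_b = secrets.token_bytes(16)
    quote_b = device_quote(priv_b, TAMPERED_STACK, nonce_b)
    results["modified"] = control_center_check(pub_b, expected, nonce_b, quote_b)
    # A report altered in transit to claim the approved measurement fails the signature check.
    altered = dict(quote_b, measurement=expected)
    results["altered"] = control_center_check(pub_b, expected, nonce_b, altered)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```
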

Risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information-system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.

Risk assessment

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Risk category

People and policy risks, process risks, and technical risks.

Risk level (severity)

A combination of the likelihood of a damaging event actually occurring and the assessed potential impact on the organization’s mission and goals if it does occur.

Risk management

The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of an information system. Includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Role-based access control

Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.

Security category

The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of that information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the nation.

Security control

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security policy

A set of high-level criteria for people, process, and technological guidance that relates to security of the organization, its systems, and its data.

Security requirements

Requirements levied on an information system that are derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission / business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Sensitive information

Information whose loss, misuse, or unauthorized access or modification could adversely affect the organization, its employees, or its customers.

System security plan

A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

Technical controls

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. An alternate definition of threat is an actor / adversary who may carry out an attack against the organization.

Vulnerability

A specific weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability assessment

Formal description and evaluation of the vulnerabilities in an information system.

Appendix C: Acronyms

CIP Critical Infrastructure Protection

DOD Department of Defense

DOE Department of Energy

DHS Department of Homeland Security

EISA Energy Independence and Security Act

FERC Federal Energy Regulatory Commission

ISO International Standards Organization

NERC North American Electric Reliability Corporation

NIST National Institute of Standards

RMF Risk Management Framework

Appendix D: Minimum Security Requirements

The following summaries of minimum security requirements are from NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information-security-related duties and responsibilities.

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response (IR): Organizations must: (i) establish an operational-incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development lifecycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
