
NERC CIP ISA Comparative Analysis with IEC62443


Whitepaper

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
and ISA/IEC 62443 Comparative Analysis
www.isagca.org
Table of Contents

Acknowledgments
Executive Summary
Summary Figures
Detailed Analysis
Table 1 – CIP-013-2 Analysis
Table 2 – Highlighting Key ISA/IEC 62443 Requirements
Table 3 – Exceeding the NERC CIP Standards
Table 4 – CIP Requirements Not Met by ISA/IEC 62443
Table 5 – Technical Requirements Comparison

Copyright © 2024 International Society of Automation. All rights reserved.

Acknowledgments

The Utilities Technology Council, Cumulys and the International Society of Automation Global
Cybersecurity Alliance (ISAGCA) prepared this report. This document is an interpretation of the ISA/IEC
62443 series of standards to facilitate awareness and appropriate applications of the standards. It is not
a product of the ISA99 committee that develops the standards, and as such may not represent the views
of the committee.

C. Briggs (Utilities Technology Council)


C. Muehrcke (Global Software Engineering representing ISAGCA)
A. Ristaino (ISA Global Cybersecurity Alliance)
T. Whitney (Cumulys Solutions Inc)

Executive Summary

The purpose of this paper is to demonstrate that, with few exceptions, the technical cybersecurity
capabilities needed to comply with the North American Electric Reliability Corporation (NERC) Critical
Infrastructure Protection (CIP) Standards are substantially supported by the existing international ISA/IEC
62443 product cybersecurity standards. Therefore, entities responsible for NERC CIP compliance could
benefit from leveraging existing ISA/IEC 62443 product certification programs in their procurement
processes. Requirement-level mappings from NERC CIP-002 through CIP-014 to the ISA/IEC 62443 standards
align with supplier process requirements, as well as product security capabilities necessary to meet asset
owner requirements under NERC CIP.

Background

The NERC CIP Standards have been in place since 2008. Since then, asset owners and operators have
been solely responsible for complying with approximately one hundred fifty requirement parts
encompassing thirteen standards:

Currently Enforceable NERC CIP Standards:

1. CIP-002: Bulk Electric System (BES) Cyber System Categorization

2. CIP-003: Security Management Controls

3. CIP-004: Personnel and Training

4. CIP-005: Electronic Security Perimeter(s)

5. CIP-006: Physical Security of BES Cyber Systems

6. CIP-007: System Security Management

7. CIP-008: Incident Reporting and Response Planning

8. CIP-009: Recovery Plans for BES Cyber Systems

9. CIP-010: Configuration Change Management and Vulnerability Assessments

10. CIP-011: Information Protection

11. CIP-012: Communications between Control Centers

12. CIP-013: Supply Chain Risk Management

13. CIP-014: Physical Security

Of these standards and requirements that address procedures and processes entities use to manage the
day-to-day security of operations, many requirements entail specific efforts to configure technologies
and systems to mitigate their cybersecurity risk to the grid. In those cases, owners and operators are
dependent on the system’s capability to be configured to address a wide array of CIP technical controls.
Of the total enforceable CIP Standards, it has been determined that 62 of the CIP requirements support
system-level configuration as a means to demonstrate compliance.

Since the early years of the CIP standards, a series of industry standards was developed by the
International Society of Automation (ISA) through the ISA99¹ committee to address cybersecurity for
operational technologies (OT). In 2009, the first of a series of OT security controls was released:
ISA-99.00.01-2007, titled “Security for Industrial Automation and Control Systems: Concepts, Terminology,
and Models.”² Shortly thereafter, ISA and the International Electrotechnical Commission (IEC) agreed to
collaborate on the development of these standards, which today are recognized as the ISA/IEC 62443
standards.³ Several of these standards explicitly address the product development lifecycle and technical
security capabilities of products. Third-party certifications against these standards have been available
since the standards were published. This paper focuses on the cybersecurity development practices and
technical capabilities described in the following ISA/IEC 62443 standards in relation to the security of
supplier products:

• ISA/IEC 62443-4-1 – Product security development lifecycle requirements
• ISA/IEC 62443-3-3 – System security requirements and security levels
• ISA/IEC 62443-4-2 – Technical security requirements for IACS components

While the ISA/IEC 62443 standards have been in existence nearly as long as the CIP standards have been
enforceable, minimal work has been done to recognize how the CIP-applicable assets and system-
related requirements can be verified by an asset owner/operator as part of its procurement process for a
supplier’s OT product.

CIP-013 Supply Chain Risk Management

The supply chain risk management standards, approved by the Federal Energy Regulatory Commission in
2018, were developed to help mitigate the risk of third-party suppliers and their impact on the bulk
electric system. With regard to ISA/IEC 62443, the standard that addresses “product security
development lifecycle requirements” (ISA/IEC 62443-4-1) was developed to provide purchasing
organizations with assurances that key supplier controls to integrate security into products were
addressed. Given the similarities in purpose between CIP-013 and ISA/IEC 62443-4-1, a detailed
analysis was performed to compare the two sets of requirements. The results showed that the supply
chain risk management technical requirements in CIP-013-2, CIP-005-7 and CIP-010-4 are substantially
addressed by ISA/IEC 62443 requirements (see Table 1 below). Furthermore, a certification of supplier
conformity to the lifecycle requirements standard (4-1) provides the utility asset owner with assurances
about the supplier’s practices and organizational controls for developing and supporting secure software
and technologies. In fact, an ISA/IEC 62443-4-1 security capabilities vendor certification can be a proxy
for the procurement aspect of the supply chain risk assessment requirement included in CIP-013-2 R1
(see Table 1):

“One or more process(es) used in planning for the procurement of BES Cyber Systems and their
associated EACMS and PACS to identify and assess cyber security risk(s) to the Bulk Electric
System from vendor products or services resulting from: (i) procuring and installing vendor
equipment and software; and (ii) transitions from one vendor(s) to another vendor(s)”

¹ https://www.isa.org/standards-and-publications/isa-standards/isa-standards-committees/isa99
² https://www.isa.org/products/isa-tr99-00-01-2007-security-technologies-for
³ https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards

Technical Product Security Capabilities

In addition to analyzing the similarities in supplier security practices in CIP-013-2 and ISA/IEC 62443-4-1,
this white paper analyzed how the ISA/IEC 62443 standards can support compliance with the CIP
technical requirements. This includes a pre-purchase evaluation of grid technologies and products as
well as their ability to be configured to meet the control objectives of the full body of NERC CIP
technical requirements.

With respect to product security capabilities, the ISA/IEC 62443 standard has two parts. The first is 3-3,
which describes the security capabilities of integrated systems such as an energy management system,
which might be comprised of numerous related subsystems such as a master station, engineer’s desktop
and an operator workstation. An evaluation for ISA/IEC 62443-3-3 system certification assesses the
security configurations of the integrated system as a whole to determine its adherence to the security
capabilities required by the standard for security levels one through four. The second product standard is
4-2, which focuses on the security of individual components. For instance, a utility may purchase a
remote terminal unit (RTU) or a protection relay to communicate to a system at a substation. The
RTU/relay can be considered a component of the asset owner's SCADA system, and the RTU/relay device
itself can be evaluated for certification to ISA/IEC 62443-4-2 independently of other systems or system
components. This recognition of systems versus components is very similar to the concept of BES Cyber
Asset and BES Cyber Systems in the NERC CIP Standards.⁴ Component categories which may be
evaluated for certification against ISA/IEC 62443-4-2 component requirements are listed below:

• Software Applications - one or more software programs and their dependencies that are used to
interface with the process or the control system itself (for example, configuration software and
historian)

• Embedded Devices - special purpose device running embedded software designed to directly monitor,
control or actuate an industrial process

• Host Devices - general purpose device running an operating system (for example, Microsoft Windows
OS or Linux) capable of hosting one or more software applications, data stores or functions from one
or more suppliers

• Network Device - device that facilitates data flow between devices or restricts the flow of data,
but may not directly interact with a control process

⁴ https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-002-5.1a.pdf

The study reported in this paper exhaustively analyzed whether the relationship between ISA/IEC 62443-
3-3 and ISA/IEC 62443-4-2 requirements could be a proxy for meeting the technical requirements of the
CIP Standards. The resulting analysis has determined that suppliers and their products that conform to
3-3 or 4-2 directly support nearly all the technical system capabilities required to achieve NERC CIP
compliance. The charts in the Summary Figures section have been provided to illustrate the analysis
performed and key takeaways. These are summarized as follows:

• 100% of the CIP-013-2 controls can be verified by a conformity assessment that covers product
security development lifecycle requirements in ISA/IEC 62443-4-1.⁵ (See Table 1.)

• Many important security best practices that exceed the CIP Standards are verified in
technical security requirements for IACS components under ISA/IEC 62443-4-2 certifications.
(See Table 2 for notable capabilities among these; Table 3 is the complete list.)

• Only three of 62 technical security requirements of the CIP Standards are not addressed by
conformity assessments that cover system security requirements and security levels in 62443-3-3
or technical security requirements for IACS components in ISA/IEC 62443-4-2. (See Table 4.)

• 95% of the technical security controls in the CIP standards can be verified by conformity
assessments that cover system security requirements and security levels (62443-3-3) or technical
security requirements for IACS components (62443-4-2). (See Table 5.)

⁵ Under 62443, any vendor accessing a system has the role of service provider (for integration or maintenance), which is distinguished
from the role of product supplier. Therefore, the aspects of CIP-013-2 R1.2.3 and R1.2.6 regarding communication about controls for
vendor access are addressed by 62443-2-4, Security program requirements for IACS service providers, rather than by 62443-4-1. It is
expected that independent validation to the requirements of 62443-2-4 for a utility’s service providers would also provide significant
support for NERC CIP compliance, although an analysis of this topic is beyond the scope of the present study.

Conclusion

In conclusion, the supply chain risk management process is ideally suited to ensure that key
cybersecurity capabilities are addressed by vendor or OEM supplied products. By recognizing the
relationship between the NERC CIP standards and the ISA/IEC 62443 standards, industry can leverage
the certifications offered for the ISA/IEC 62443 family of standards to help ensure compliance to NERC
CIP standards. Additionally, the ISA/IEC 62443 series includes a variety of internationally recognized
requirements that are evaluated and verified. Through certifications obtained during the project
planning or procurement process, CIP-applicable assets can largely be validated to meet the asset
owner/operator’s regulatory mandates prior to the implementation of the technology. ISA/IEC 62443
can be a catalyst for reducing the security burden of asset owners while enabling a clear path for
suppliers to demonstrate effective, globally recognized and independently verified cybersecurity best
practices.

Further Reading

To learn more about the ISA Global Cybersecurity Alliance (ISAGCA) and its work on adoption and
advocacy for the ISA/IEC 62443 series of standards, visit www.isagca.org.

To learn more about conformance certifications to the ISA/IEC 62443 series of standards through
ISASecure, visit www.isasecure.org.

For more information about the ISA/IEC 62443 series of standards, visit www.isa.org/62443standards.

Summary Figures

Detailed Analysis
Table 1 – CIP-013-2 Analysis
CIP-013-2 controls independently validated by ISA/IEC 62443-4-1 Certifications of Suppliers

Columns: Part 1.2, CIP-013-2, ISA/IEC 62443 4-1 Related Requirement

1.2.1. Notification by the vendor of vendor-identified incidents related to the products or services
provided to the Responsible Entity that pose cyber security risk to the Responsible Entity
ISA/IEC 62443-4-1 related requirements:
• DM-1 - Receiving Notifications of Security-Related Issues
• DM-5 - Disclosing Security-Related Issues

1.2.2. Coordination of responses to vendor-identified incidents related to the products or services
provided to the Responsible Entity that pose cyber security risk to the Responsible Entity
ISA/IEC 62443-4-1 related requirements:
• SI-1 - Security Implementation Review
• DM-1 - Receiving Notifications of Security-Related Issues
• DM-2 - Reviewing Security-Related Issues
• DM-4 - Addressing Security-Related Issues
• DM-5 - Disclosing Security-Related Issues
• SUM-1 - Security Update Qualification
• SUM-2 - Security Update Documentation
• SUM-3 - Dependent Component or OS Security Update Documentation
• SUM-5 - Timely Delivery of Security Patches

1.2.3 Notification by vendors when remote or onsite access should no longer be granted to vendor
representatives
ISA/IEC 62443-4-1 related requirements:
• SG-2 - Defense in Depth Measures Expected in the Environment
• SG-6 - Account Management Guidelines

1.2.4 Disclosure by vendors of known vulnerabilities related to the products or services provided to
the Responsible Entity
ISA/IEC 62443-4-1 related requirements:
• SVV-2 - Threat Mitigation Testing
• SVV-3 - Vulnerability Testing
• SVV-4 - Penetration Testing
• DM-1 - Receiving Notifications of Security-Related Issues
• DM-5 - Disclosing Security-Related Issues

1.2.5 Verification of software integrity and authenticity of all software and patches provided by the
vendor for use in the BES
ISA/IEC 62443-4-1 related requirements:
• SM-6 - File Integrity
• SM-7 - Development Environment Security
• SUM-4 - Security Update Delivery

1.2.6 Coordination of controls for vendor-initiated remote access
ISA/IEC 62443-4-1 related requirements:
• SR-1 - Product Security Context
• SD-1 - Secure Design Principles
• SG-1 - Product Defense in Depth
• SG-2 - Defense in Depth Measures Expected in the Environment

Table 2 – Highlighting Key ISA/IEC 62443 Requirements
Highlighting Key ISA/IEC 62443-4-2 Component Requirements that Exceed the NERC CIP Requirements

Columns: Req #, ISA/IEC 62443-4-2 Req Name, Req Description

CR 1.2 - Software process and device identification and authentication
Component shall provide the capability to identify itself and authenticate to any other component
(software application, embedded devices, host devices and network devices), according to ISA/IEC
62443-3-3 [11] SR1.2.
If the component, as in the case of an application, is running in the context of a human user, in
addition, the identification and authentication of the human user according to ISA/IEC 62443-3-3
[11] SR1.1 may be part of the component identification and authentication process towards the
other components.

EDR 3.12, HDR 3.12, NDR 3.12 - Provisioning product supplier roots of trust - protection
Embedded device, host or network system shall provide the capability to provision and protect the
confidentiality, integrity and authenticity of product supplier keys and data to be used as one
or more “roots of trust” at the time of manufacture of the device.

NDR 5.2 RE(2) - Island mode
The network component shall provide the capability to protect against any communication
through the control system boundary (also termed island mode)

CR 7.1 - Denial of Service (DoS) Protection
Components shall provide the capability to maintain essential functions when operating in a
degraded mode as the result of a DoS event.

CR 7.2 - Resource management
Components shall provide the capability to limit the use of resources by security functions to
protect against resource exhaustion.

Table 3 – Exceeding the NERC CIP Standards
Highlighting ISA/IEC 62443-4-2 Component Requirements that Exceed the NERC CIP Requirements

Columns: Req #, ISA/IEC 62443-4-2 Req Name

CR 1.2 RE(1) - Unique identification and authentication
CR 1.8 - Public key infrastructure (PKI) certificates
CR 1.9A-F - Strength of public key-based authentication - check validity of signature of a given certificate
CR 1.9 RE(1) - Hardware security for public key-based authentication
CR 1.10 - Authenticator feedback
CR 1.11B - Unsuccessful login attempts - response
CR 1.14A - Strength of symmetric key-based authentication - establish trust
CR 1.14B-D - Strength of symmetric key-based authentication - secure storage for shared secret
CR 1.14 RE(1) - Hardware security for symmetric key-based authentication
CR 2.1 RE(3) - Supervisor override
CR 2.1 RE(4) - Dual approval
CR 2.5B - Session lock - removal
CR 2.7 - Concurrent session control
CR 2.10A - Response to audit processing failures - maintain essential functions
CR 2.10B - Response to audit processing failures - actions taken
CR 2.11 RE(1) - Time synchronization
CR 2.11 RE(2) - Protection of time source integrity
CR 2.12 - Non-repudiation
CR 2.12 RE(1) - Non-repudiation for all users
CR 3.5 - Input validation
CR 3.6 - Deterministic output
CR 3.7 - Error handling
CR 3.9 RE(1) - Audit records on write-once media
EDR 3.12, HDR 3.12, NDR 3.12 - Provisioning product supplier roots of trust - protection
HDR 3.13A - Provisioning asset owner roots of trust - protection
HDR 3.13B - Provisioning asset owner roots of trust - inside zone
HDR 3.14 - Integrity of the boot process
HDR 3.14 RE(1) - Authenticity of the boot process
NDR 5.2 RE(2) - Island mode
NDR 5.2 RE(3) - Fail close
NDR 5.3 - General purpose, person-to-person communication restrictions
NDR 5.4 - Application partitioning
CR 7.1 - Network and security configuration settings
CR 7.1 RE(1) - Manage communication load from component
CR 7.2 - Resource management
CR 7.6 RE(1) - Machine-readable reporting of current security settings

Table 4 – CIP Requirements Not Met by ISA/IEC 62443
Technical Requirements Within NERC CIP Standards Not Supported by ISA/IEC 62443

Columns: Standard, Requirement or Part, Applicability

CIP-005-7 Part 2.1
For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset
initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
Applicability:
High Impact BES Cyber Systems and their associated:
• PCA
Medium Impact BES Cyber Systems and their associated:
• PCA

CIP-005-7 Part 2.2
For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate
System.
Applicability:
High Impact BES Cyber Systems and their associated:
• PCA
Medium Impact BES Cyber Systems and their associated:
• PCA

CIP-012-2 Part 1.2
Identification of method(s) used to mitigate the risk(s) posed by the loss of the ability to
communicate Real-time Assessment and Real-time monitoring data between Control Centers;
• Identification of alternative communication paths or methods between Control Centers
• Procedures explaining the use of alternative systems or methods for providing for the
availability of the data
• Service level agreements with carriers containing high availability provisions
• Availability or uptime reports for equipment supporting the transmission of Real-time
Assessment and Real-time monitoring data
Applicability:
Control Centers

Table 5 – Technical Requirements Comparison
Technical Requirements within NERC CIP Standards Supported by ISA/IEC 62443-3-3 (System) and ISA/IEC
62443-4-2 (Component) Standards

Columns: Standard, Requirement Part or Attachment Reference, Applicable ISA/IEC 62443 System and
Component and Security Requirements

CIP-003-9, Attachment 1, Section 3:
3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible
Entity for any communications that are:
i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low
impact BES Cyber System(s);
ii. using a routable protocol when entering or leaving the asset containing the low impact BES
Cyber System(s); and
iii. not used for time-sensitive protection or control functions between intelligent electronic
devices (e.g., communications using protocol IEC TR-61850-90-5 R-GOOSE).
System:
• SR 1.13 - Access via untrusted networks
• SR 5.1 RE(1) - Physical network segmentation
• SR 5.1 RE(3) - Logical and physical isolation of critical networks
Embedded device, network device, host device, software application:
• NDR 1.13 RE(1) - Access via untrusted networks
• NDR 5.2 RE(1) - Zone boundary protection

CIP-003-9, Attachment 1, Section 3.2
Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber
System(s), per Cyber Asset capability.
System:
• SR 1.13 - Access via untrusted networks
• SR 1.1 - Human user identification and authentication
• SR 1.2 RE(1) - Unique identification and authentication
Embedded device, network device, host device, software application:
• CR 1.1 - Human user identification and authentication
• CR 1.2 RE(1) - Unique identification and authentication

CIP-003-9, Attachment 1, Part 5.1
For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the use of one or a
combination of the following in an ongoing or on-demand manner (per Transient Cyber Asset
capability):
• Antivirus software, including manual or managed updates of signatures or patterns;
• Application whitelisting; or
• Other method(s) to mitigate the introduction of malicious code.
System:
• SR 3.2 - Malicious Code Protection
• SR 2.3 (a) - Preventing the use of portable and mobile devices
• SR 2.3 (b) - Requiring context specific authorization
• SR 2.4 (b) - Requiring proper authentication and authorization for origin of the code
Embedded device, network device, host device, software application:
• CR 2.2 - Wireless use control (Components)
• NDR 2.4 RE(1) - Mobile code authenticity check
• HDR 3.2 RE(1) - Report version of code protection

CIP-003-9, Attachment 1
5.2 For Transient Cyber Asset(s) managed by a party other than the Responsible Entity, if any:
5.2.1 Use one or a combination of the following prior to connecting the Transient Cyber Asset to a
low impact BES Cyber System (per Transient Cyber Asset capability):
• Review of antivirus update level;
• Review of antivirus update process used by the party;
• Review of application whitelisting used by the party;
• Review use of live operating system and software executable only from read-only media;
• Review of system hardening used by the party; or
• Other method(s) to mitigate the introduction of malicious code
5.2.2 For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any
additional mitigation actions are necessary and implement such actions prior to connecting the
Transient Cyber Asset.
System:
• SR 3.2 - Malicious Code Protection
• SR 2.3 - Use control for portable and mobile devices
• SR 2.3 (a) - Preventing the use of portable and mobile devices
• SR 2.3 (b) - Requiring context specific authorization
• SR 2.4 - Mobile code
• SR 2.4 (b) - Requiring proper authentication and authorization for origin of the code
Embedded device, network device, host device, software application:
• CR 2.2 - Wireless use control (Components)
• NDR 2.4 RE(1) - Mobile code authenticity check
• SAR/EDR/HDR/NDR 3.2 - Protection from malicious code
• HDR 3.2 RE(1) - Report version of code protection

CIP-003-9, Attachment 1
5.3 For Removable Media, the use of each of the following:
5.3.1 Method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES
Cyber System; and
5.3.2 Mitigation of the threat of detected malicious code on the Removable Media prior to
connecting Removable Media to a low impact BES Cyber System
System:
• SR 3.2 - Malicious Code Protection
• SR 2.3 - Use control for portable and mobile devices
• SR 2.3 (a) - Preventing the use of portable and mobile devices
• SR 2.3 (b) - Requiring context specific authorization
Embedded device, network device, host device, software application:
• CR 2.2 - Wireless use control (Components)
• NDR 2.4 RE(1) - Mobile code authenticity check
• SAR/EDR/HDR/NDR 3.2 - Protection from malicious code
• HDR 3.2 RE(1) - Report version of code protection

CIP-003-9, Attachment 1, Part 6: Vendor Electronic Remote Access Security Controls
6.1 One or more method(s) for determining vendor electronic remote access
System:
• SR 1.13 - Access via untrusted networks
• SR 2.3 RE(1) - Enforcement of security status of portable and mobile devices
• SR 2.7 - Concurrent session control

CIP-003-9, Attachment 1, Part 6: Vendor Electronic Remote Access Security Controls
6.2 One or more method(s) for disabling vendor electronic remote access;
System:
• SR 2.6 - Remote session termination
• SR 5.2 RE(2) - Island mode
• SR 5.2 RE(3) - Fail close

CIP-003-9, Attachment 1, Part 6: Vendor Electronic Remote Access Security Controls
6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious
communications for vendor electronic remote access
System:
• SR 5.2 - Zone boundary protection
Embedded device, network device, host device, software application:
• NDR 5.2 - Zone boundary protection

CIP-003-9, Attachment 2
Section 3.1: Electronic Access Controls: Documentation…or lists of implemented electronic access
controls (e.g., access control lists restricting IP addresses, ports, or services; implementing
unidirectional gateways)
System:
• SR 5.1 - Network segmentation
• SR 5.2 - Zone Boundary protection
Embedded device, network device, host device, software application:
• NDR 5.2 - Zone boundary protection
• CR 5.1 - Network segmentation

CIP-003-9, Attachment 2
Section 3.2: Documentation of authentication for Dial-up Connectivity (e.g., dial out only to a
preprogrammed number to deliver data, dial-back modems, modems that must be remotely controlled
by the control center or control room, or access control on the BES Cyber System)
System:
• SR 1.13 - Access via untrusted networks
Embedded device, network device, host device, software application:
• CR 1.1 - Human user identification and authentication
• CR 1.2 - Unique identification and authentication
• NDR 1.13 - Access via untrusted networks

CIP-004-7 Part 4.1
Process to authorize based on need, as determined by the Responsible Entity, except for CIP
Exceptional Circumstances:
4.1.1. Electronic access
System:
• SR 1.3 - Account management
• SR 1.4 - Identifier management
• SR 1.5A - Authenticator management
• SR 2.1 - Authorization enforcement
• SR 2.1 RE(1) - Authorization enforcement for all users
Embedded device, network device, host device, software application:
• CR 1.3 - Account management
• CR 1.4 - Identifier management
• CR 1.5A - Identifier management
• CR 2.1 - Authorization enforcement
• CR 2.1 RE(1) - Authorization enforcement for all users

CIP-004-7 Part 6.1
Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need,
as determined by the Responsible Entity, except for CIP Exceptional Circumstances:
6.1.1. Provisioned electronic access to electronic BCSI
System:
• SR 1.3 - Account management
• SR 1.4 - Identifier management
• SR 1.5A - Authenticator management
• SR 2.1 - Authorization enforcement
• SR 2.1 RE(1) - Authorization enforcement for all users
Embedded device, network device, host device, software application:
• CR 1.3 - Account management
• CR 1.4 - Identifier management
• CR 1.5A - Identifier management
• CR 2.1 - Authorization enforcement
• CR 2.1 RE(1) - Authorization enforcement for all users

CIP-005-7 Part 1.1 System:
All applicable Cyber Assets connected SR 5.1 - Network segmentation
to a network via a routable protocol SR 5.4 - Application partitioning
shall reside within a defined Electronic
Security Perimeter (ESP). Embedded device, network device, host
device, software application:
CR 5.1 - Network segmentation

CIP-005-7 Part 1.2 System:


All External Routable Connectivity must SR 5.2 - Zone boundary protection
be through an identified Electronic
Access Point (EAP). Embedded device, network device, host
device, software application:
NDR 5.2 - Zone boundary protection

CIP-005-7 Part 1.3 System:


Require inbound and outbound access SR 5.2 RE(1) - Deny by default, allow by
permissions, including the reason for exception
granting access, and deny all other
access by default. Embedded device, network device, host
device, software application:
NDR 5.2 RE(1) - Deny all, permit by exception
CIP-005-7 Part 1.4 System:
Where technically feasible, perform S-IAC-13 - Access via untrusted networks
authentication when establishing Dialup
Connectivity with applicable Cyber Embedded device, network device, host
Assets. device, software application:
CR 1.1 - Human user identification and
authentication
CR 1.1 RE(1) - Unique identification and
authentication
CIP-005-7 Part 1.5 System:
Have one or more methods for SR 1.13 - Access via untrusted networks
detecting known or suspected SR 5.3 - General purpose, person-to-person
malicious communications for both communication restrictions
inbound and outbound SR 6.2 - Continuous monitoring
communications.
Embedded device, network device, host
device, software application:
CR 6.2 - Continuous monitoring
NDR 1.13 - Access via untrusted networks
NDR 5.3 - General purpose, person-to-person
communication restrictions

CIP-005-7 Part 2.1
For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
n/a

CIP-005-7 Part 2.2
For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
n/a

CIP-005-7 Part 2.3
Require multi-factor authentication for all Interactive Remote Access sessions.
System:
SR 1.1 - Multifactor authentication for untrusted networks
Embedded device, network device, host device, software application:
CR 1.1 RE(2) - Multifactor authentication for all interfaces

CIP-005-7 Part 2.4
Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access).
System:
SR 1.13 - Access via untrusted networks
SR 2.5 - Session Lock
Embedded device, network device, host device, software application:
CR 2.5A - Session lock - initiation

CIP-005-7 Part 2.5
Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and system-to-system remote access).
System:
SR 3.8 RE(1) - Invalidation of session IDs after session termination
SR 2.6 - Remote session termination
Embedded device, network device, host device, software application:
CR 2.6 - Remote session termination
CR 3.8A - Session integrity

CIP-005-7 Part 3.1
Have one or more method(s) to determine authenticated vendor initiated remote connections.
System:
SR 1.1 RE(1) - Unique identification and authentication
SR 3.8 - Unique session ID generation and recognition
SR 2.6 - Remote session termination

CIP-005-7 Part 3.2
Have one or more method(s) to terminate authenticated vendor initiated remote connections and control the ability to reconnect.
System:
SR 3.8 RE(1) - Invalidation of session IDs after session termination
SR 2.6 - Remote session termination
Embedded device, network device, host device, software application:
CR 2.5A - Session lock - initiation
CR 2.6 - Remote session termination
CR 3.8A - Session integrity

CIP-006-6 Part 1.6
Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System.
Embedded device, network device, host device, software application:
EDR 3.11 - Physical tamper resistance and detection
HDR 3.11 - Physical tamper resistance and detection
NDR 3.11 - Physical tamper resistance and detection
EDR 3.13 - Use of physical diagnostic and test interfaces
HDR 3.13 - Use of physical diagnostic and test interfaces
HDR 3.13 - Use of physical diagnostic and test interfaces
EDR 3.13 RE(1) - Active monitoring
HDR 3.13 RE(1) - Active monitoring
NDR 3.13 RE(1) - Active monitoring

CIP-006-6 Part 1.7
Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.
Embedded device, network device, host device, software application:
EDR 3.11 RE(1) - Notification of a tampering attempt
HDR 3.11 RE(1) - Notification of a tampering attempt
NDR 3.11 RE(1) - Notification of a tampering attempt

CIP-007-6 Part 1.1
Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device, then those ports that are open are deemed needed.
System:
SR 7.7 - Least functionality
Embedded device, network device, host device, software application:
EDR 2.13 - Use of physical diagnostic and test interfaces
HDR 2.13 - Use of physical diagnostic and test interfaces
NDR 2.13 - Use of physical diagnostic and test interfaces
EDR 2.13 RE(1) - Active monitoring
HDR 2.13 RE(1) - Active monitoring
NDR 2.13 RE(1) - Active monitoring
CR 7.7 - Least functionality

CIP-007-6 Part 1.2
Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
System:
SR 7.7 - Least functionality
Embedded device, network device, host device, software application:
EDR 2.13 - Use of physical diagnostic and test interfaces
HDR 2.13 - Use of physical diagnostic and test interfaces
NDR 2.13 - Use of physical diagnostic and test interfaces
EDR 2.13 RE(1) - Active monitoring
HDR 2.13 RE(1) - Active monitoring
NDR 2.13 RE(1) - Active monitoring
CR 7.7 - Least functionality

CIP-007-6 Part 2.1
A patch management process for tracking, evaluating and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
62443-4-1 Product security development lifecycle requirements
SM-2 - Security update documentation
SUM-3 - Dependent component or operating system security update documentation
System:
Section 0.3 - Using 62443-4-1 (ISA/IEC 62443-3-3)
Embedded device, network device, host device, software application:
CCSC 4 Software development process (ISA/IEC 62443-4-2)

CIP-007-6 Part 3.1
Deploy method(s) to deter, detect or prevent malicious code.
System:
SR 3.2 - Malicious Code Protection
SR 3.2 RE(1) - Malicious code protection at entry and exit points
Embedded device, network device, host device, software application:
SAR 3.2 - Protection from malicious code
EDR 3.2 - Protection from malicious code
HDR 3.2 - Protection from malicious code
NDR 3.2 - Protection from malicious code

CIP-007-6 Part 3.2
Mitigate the threat of detected malicious code
System:
SR 3.2 - Malicious Code Protection
SR 3.2 RE(1) - Malicious code protection at entry and exit points
Embedded device, network device, host device, software application:
SAR 3.2 - Protection from malicious code
EDR 3.2 - Protection from malicious code
HDR 3.2 - Protection from malicious code
NDR 3.2 - Protection from malicious code

CIP-007-6 Part 3.3
For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.
System:
SR 3.2 - Malicious code protection

CIP-007-6 Part 4.1
Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that include, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code
System:
SR 1.11 - Unsuccessful login attempts
SR 2.8 - Auditable events
SR 2.8 RE(1) - Centrally managed system wide audit trail
Embedded device, network device, host device, software application:
CR 1.11A - Unsuccessful login attempts - limit number
CR 2.8 - Auditable events - categories

CIP-007-6 Part 4.2
Generate alerts for security events that the Responsible Entity determines necessitates an alert that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.
System:
SR 1.11 - Unsuccessful login attempts
SR 2.8 - Auditable events
SR 2.8 RE(1) - Centrally managed system wide audit trail
SR 2.9 RE(1) - Audit storage capacity - warn when threshold reached
SR 2.10 - Response to audit processing failures
SR 3.4 RE(2) - Automated notification of integrity violations
SR 6.2 - Continuous monitoring
Embedded device, network device, host device, software application:
CR 2.8 - Auditable events - categories
CR 2.9 RE(1) - Audit storage capacity - warn when threshold reached
CR 6.2 - Continuous monitoring
CR 2.10 - Response to audit processing failures
CR 3.4 RE(2) - Automated notification of integrity violations
EDR 3.11 - Notification of a tampering attempt
HDR 3.11 - Notification of a tampering attempt
NDR 3.11 - Notification of a tampering attempt

CIP-007-6 Part 5.1
Have a method(s) to enforce authentication of interactive user access, where technically feasible.
System:
SR 1.1 - Human user identification and authentication
SR 1.1 RE(1) - Unique identification and authentication
SR 1.1 RE(3) - Multifactor authentication for all networks
SR 1.5 - Authenticator management
Embedded device, network device, host device, software application:
CR 1.1 - Human user identification and authentication
CR 1.1 RE(1) - Unique identification and authentication
CR 1.5 - Authenticator management

CIP-007-6 Part 5.2
Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location or by system type(s).
System:
SR 1.5 - Change default authenticators
SR 1.3 RE(1) - Unified account management
Embedded device, network device, host device, software application:
CR 1.5B - Authenticator management - change default authenticators

CIP-007-6 Part 5.4
Change known default passwords, per Cyber Asset capability
System:
SR 1.5 - Change default authenticators
Embedded device, network device, host device, software application:
CR 1.5B - Authenticator management - change default authenticators

CIP-007-6 Part 5.5
For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, nonalphanumeric) or the maximum complexity supported by the Cyber Asset.
System:
SR 1.7 - Strength of password-based authentication
Embedded device, network device, host device, software application:
CR 1.7 - Strength of password-based authentication

CIP-007-6 Part 5.6
Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
System:
SR 1.7 RE(1) - Password generation and lifetime restrictions for human users
Embedded device, network device, host device, software application:
CR 1.7 RE(1) - Password generation and lifetime restrictions for human users

CIP-007-6 Part 5.7
Where technically feasible, either:
- Limit the number of unsuccessful authentication attempts; or
- Generate alerts after a threshold of unsuccessful authentication attempts.
System:
SR 1.11 - Unsuccessful login attempts
Embedded device, network device, host device, software application:
CR 1.11A - Unsuccessful login attempts - limit number

CIP-009-6 Part 1.3
One or more processes for the backup and storage of information required to recover BES Cyber System functionality
System:
SR 7.3 - Control System Backup
SR 7.3 RE(1) - Backup verification
SR 7.4 - SUT recovery and reconstitution
Embedded device, network device, host device, software application:
CR 7.3 - Control system backup
CR 7.3 RE(1) - Backup integrity verification
CR 7.4 - Control system recovery and reconstitution

CIP-009-6 Part 1.4
One or more processes to verify the successful completion of the backup processes in Part 1.3 and to address any backup failures.
System:
SR 7.3 - Backup verification
Embedded device, network device, host device, software application:
CR 7.3 RE(1) - Backup integrity verification

CIP-009-6 Part 1.5
One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or restrict recovery.
System:
SR 7.3 - Control system backup
Embedded device, network device, host device, software application:
CR 7.3 - Control system backup

CIP-010-4 Part 1.1
Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
62443-4-1-SG-3 - Security Hardening Guidelines
System:
SR 7.6 - Network and security configuration settings
SR 7.8 - SUT component inventory
Embedded device, network device, host device, software application:
CR 7.6 - Network and security configuration settings
CR 7.8 - Control system component inventory

CIP-010-4 Part 1.4
For a change that deviates from the existing baseline configuration:
1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification.
62443-4-1- 5.2.1 SM-1 - Development Processes
System:
SR 3.3 - Security functionality verification
SR 7.8 - SUT component inventory
Embedded device, network device, host device, software application:
CR 3.3 - Security functionality verification

CIP-010-4 Part 1.6
Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2, and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source:
1.6.1. Verify the identity of the software source; and
1.6.2. Verify the integrity of the software obtained from the software source.
Embedded device, network device, host device, software application:
EDR 3.10 - Support for updates
EDR 3.10 RE(1) - Update authenticity and integrity
HDR 3.10 - Support for updates
HDR 3.10 RE(1) - Update authenticity and integrity
NDR 3.10 - Support for updates
NDR 3.10 RE(1) - Update authenticity and integrity

CIP-010-4 Attachment 1
1.1. Transient Cyber Asset Management: Responsible Entities shall manage Transient Cyber Asset(s), individually or by group: (1) in an ongoing manner to ensure compliance with applicable requirements at all times, (2) in an on demand manner applying the applicable requirements before connection to a BES Cyber System, or (3) a combination of both (1) and (2) above.
System:
SR 2.3 - Use control for portable and mobile devices
SR 2.3 RE(1) - Enforcement of security status of portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
1.2. Transient Cyber Asset Authorization: For each individual or group of Transient Cyber Asset(s), each Responsible Entity shall authorize:
1.2.1. Users, either individually or by group or role;
1.2.2. Locations, either individually or by group; and
1.2.3. Uses, which shall be limited to what is necessary to perform business functions.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
1.3. Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability):
• Security patching, including manual or managed updates;
• Live operating system and software executable only from read-only media;
• System hardening; or
• Other method(s) to mitigate software vulnerabilities.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
1.4. Introduction of Malicious Code Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the introduction of malicious code (per Transient Cyber Asset capability):
• Antivirus software, including manual or managed updates of signatures or patterns;
• Application whitelisting; or
• Other method(s) to mitigate the introduction of malicious code.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
1.5. Unauthorized Use Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of unauthorized use of Transient Cyber Asset(s):
• Restrict physical access;
• Full-disk encryption with authentication;
• Multi-factor authentication; or
• Other method(s) to mitigate the risk of unauthorized use
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
2.1. Software Vulnerabilities Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability):
• Review of installed security patch(es);
• Review of security patching process used by the party;
• Review of other vulnerability mitigation performed by the party; or
• Other method(s) to mitigate software vulnerabilities.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
2.2. Introduction of malicious code mitigation: Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability):
• Review of antivirus update level;
• Review of antivirus update process used by the party;
• Review of application whitelisting used by the party;
• Review use of live operating system and software executable only from read-only media;
• Review of system hardening used by the party; or
• Other method(s) to mitigate malicious code.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
2.3. For any method used to mitigate software vulnerabilities or malicious code as specified in 2.1 and 2.2, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
3.1. Removable Media Authorization: For each individual or group of Removable Media, each Responsible Entity shall authorize:
3.1.1. Users, either individually or by group or role; and
3.1.2. Locations, either individually or by group.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-010-4 Attachment 1
3.2. Malicious Code Mitigation: To achieve the objective of mitigating the threat of introducing malicious code to high impact or medium impact BES Cyber Systems and their associated Protected Cyber Assets, each Responsible Entity shall:
3.2.1. Use method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System or Protected Cyber Assets; and
3.2.2. Mitigate the threat of detected malicious code on Removable Media prior to connecting the Removable Media to a high impact or medium impact BES Cyber System or associated Protected Cyber Assets.
System:
SR 2.3 - Use control for portable and mobile devices
Embedded device, network device, host device, software application:
SAR 2.4A-C - Mobile code - control execution
EDR 2.4A-C - Mobile code - control transfer by user
HDR 2.4A-C - Mobile code - integrity check
NDR 2.4 RE(1) - Mobile code authenticity check

CIP-011-3 Part 1.2
Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality
System:
SR 4.1 - Information confidentiality
SR 4.1 RE(1) - Protection of confidentiality at rest or in transit via untrusted networks
SR 4.2 - Information persistence
SR 4.2 RE(1) - Purging of shared memory resources
Embedded device, network device, host device, software application:
CR 4.1A - Information confidentiality - at rest
CR 4.1B - Information confidentiality - in transit
CR 4.2 - Information persistence

CIP-011-3 Part 2.1
Prior to the release for reuse of applicable Cyber Assets that contain BCSI (except for reuse within other systems identified in the “Applicable Systems” column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BCSI from the Cyber Asset data storage media.
System:
SR 4.2 - Information persistence
Embedded device, network device, host device, software application:
CR 4.2 - Information persistence
CR 4.2 RE(1) - Erase of shared memory resources

CIP-011-3 Part 2.2
Prior to the disposal of applicable Cyber Assets that contain BCSI, the Responsible Entity shall take action to prevent the unauthorized retrieval of BCSI from the Cyber Asset or destroy the data storage media.
System:
SR 4.2 - Information persistence
Embedded device, network device, host device, software application:
CR 4.2 - Information persistence
CR 4.2 RE(1) - Erase of shared memory resources

CIP-012-2 Part 1.1 - Identification of method(s) used to mitigate the risk(s) posed by unauthorized disclosure and unauthorized modification of data used in Real-time Assessment and Real-time monitoring while such data is being transmitted between Control Centers;
1.1. Identification of method(s) used to mitigate the risk(s) posed by unauthorized disclosure and unauthorized modification of data used in Real-time Assessment and Real-time monitoring while such data is being transmitted between Control Centers;
• Methods of mitigation used to protect against the unauthorized disclosure and unauthorized modification of the data (e.g., data masking, encryption/decryption) while such data is being transmitted between Control Centers
• Physical access restrictions to unencrypted portions of the network
System:
SR 3.1 - Communication integrity
SR 3.1 RE(1) - Cryptographic integrity protection
SR 4.1 - Information confidentiality
SR 4.1 RE(1) - Protection of confidentiality at rest or in transit via untrusted networks
SR 4.2 RE(2) - Protection of confidentiality across zone boundaries
Embedded device, network device, host device, software application:
CR 3.1 - Communication integrity
CR 4.1B - Information confidentiality
CR 4.2 RE(1) - Erase of shared memory resources

CIP-012-2 Part 1.2 Identification of method(s) used to mitigate the risk(s) posed by the loss of the ability to communicate Real-time Assessment and Real-time monitoring data between Control Centers;
• Identification of alternative communication paths or methods between Control Centers
• Procedures explaining the use of alternative systems or methods for providing for the availability of the data
• Service level agreements with carriers containing high availability provisions
• Availability or uptime reports for equipment supporting the transmission of Real-time Assessment and Real-time monitoring data
n/a

CIP-012-2 Part 1.3 Identification of method(s) used to initiate the recovery of communication links used to transmit Real-time Assessment and Real-time monitoring data between Control Centers;
• Contract, memorandum of understanding, meeting minutes, agreement or other information outlining the methods used for recovery
• Methods for the recovery of links such as standard operating procedures, applicable sections of CIP-009 recovery plan(s), or similar technical recovery plans
• Documentation of the process to restore assets and systems that provide communications
• Process or procedure to contact a communications link vendor to initiate and or verify restoration of service
System:
SR 7.4 - Control system recovery and reconstitution
