Status
The Standards Committee approved the request to terminate Project 2015-02 Interpretation of CIP-007-5 for Foxguard Solutions on March 20, 2016, since the RFI was withdrawn.
Background
On July 8, 2015, FoxGuard Solutions submitted a request for Interpretation of the terms “source or sources” as used in Table 2 of both CIP-007-5. Requirement R2 of CIP-007-5 references Table 2 as follows:
R2: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.
Foxguard Solutions is asking for clarity of the following language found in Table 2:
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
The NERC Standards Committee accepted the request for Interpretation at the September 23, 2015 meeting.
Standard Affected: CIP-007-5 - Cyber Security - System Security Management
Purpose/Need
FoxGuard Solutions stated that the lack of clarity on what constitutes a “source” could cause Responsible Entities to spend unrecoverable person-hours attempting to monitor individual sources of cyber security patches for hundreds (if not thousands) of operating systems, software applications, network devices and field devices. The possibility of overlooking an available cyber security patch released from the vendor is increased due to the sheer number increased systems / devices now under scope of CIP-007-5. The greatest impact on the Responsible Entity would be for their High and Medium Impact assets.
