IEEE 1686-2013 pdf download

IEEE 1686-2013 pdf download.IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities.
— Control and monitoring of physical access to the secure perimeter housing the lED
— lED password administration
— Control of sensitive lED documents (technical manuals, schematics. etc.)
— Real time monitoring of lED conditions and alarming
— Security awareness training of utility personnel
— Security plans and procedures for non-utility personnel (system integrators, panel suppliers, contract maintenance suppliers, etc.)
Control of sensitive drawings and files
It is also important to note that adherence to every subclause of this standard may not be required for a specific cyber security program. Users may elect to implement procedural and administrative elements of a cyber security program that may serve to make elements of this standard redundant and/or superfluous. For example, some IEDs can have electronic access remotely enabled and disabled through supervisory control and data acquisition (SCADA). For these devices, implementing a verifiable manual access request procedure (e.g., a verbal request to the SCADA control center) may eliminate the need for unique user ID/passwords for electronic access and the lED features associated with password administration would not be required in that security program.
This standard provides a set of features, functions, and practices for IEDs and lED configuration software that is deemed to require security for electronic access (local or remote) for functions such as:
— Configuration
— Data access Diagnostics
Firmware upgrades
— Configuration software upgrade
— Manually forced data or operation
A cyber security program can use this standard to assess how new or existing IEDs meet the significant security issues addressed in this standard. The fact that a new or existing lED does not meet this standard does not imply that an effective security program is not capable of securing the lED per a particular security program’s requirements. In this case, this standard will help users identify what features a separate system should have in order to raise the security level of an lED.
4.2 Applicability
This standard can be applied to any lED. Although the standard is designed to provide the tools and features for a user to implement an lED security effort in response to NERC CIP requirements [I35]. the standard is applicable to any lED where the user requires security, accountability, and auditability in the configuration and maintenance of the lED.
This standard does not address which devices should be required to meet the standard. Each user must assess their specific situation and choose where the standard should apply in their particular case. Issues affecting this choice include, but arc not limited to, the following:
TED classification (critical/non-critical infrastructure)
— User’s cyber security plan and procedures
— Communication and local area network (LAN)/wide area network (WAN) facilities
— Protection and control system architecture
4.3 Implementing lED security
The implementation of a security posture for IEDs and their configuration software is a combination of technology and procedures. Technology alone will not produce the desired results without the implementation and enforcement of a set of complementary security procedures. Additionally, security procedures and technology arc often developed in conjunction with one another with considerations given to such things as operational costs, user practices, manpower constraints, and communications capabilities.
This standard defines the functions and features to be provided in IEDs to accommodate CIP programs. It is recognized, however, that in some cases, the functions and features may require some adaptation or relaxation to meet a user’s specific situation. As an example, this standard calls for at least ten unique uscrlD/passwords for the lED. In a very small utility such as a municipality, there may not be ten users who require access, and therefore tile requirement is not substantiated. For a very large utility with an lED maintenance force that covers a wide geographical area, ten individual passwords may not be enough. In such cases, tile user must identify to the lED provider where tile user’s requirements differ or exceed tile standard.
Further, the failure of an lED to meet every clause of this standard does not necessarily preclude its use in a secure environment. It is possible the deficiency may be overcome by procedural or administrative technology, architecture, or other measures.
4.4 Proper use of this standard
4.4.1 IEEE Std 1686 requirements
The proper use of this standard requires the following three elements:
a) Proper citation of the standard
b) TOC to the standard
c) Analysis and verification by the user of the TED offering
4.4.2 Proper citation
The proper citation of this standard in a procurement document is as follows:
The lED shall meet or exceed the requirements established in IEEE Std I 686, Standard for Intelligent Electronic Devices Cyber Security Capabilities.