ATTACHMENT E

to Order R-38-15
Page 245 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

A. Introduction
1. Title: Cyber Security — Incident Reporting and Response Planning
2. Number: CIP-008-5
3. Purpose: To mitigate the risk to the reliable operation of the BES as the result of a
Cyber Security Incident by specifying incident response requirements.
4. Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the
following list of functional entities will be collectively referred to as “Responsible
Entities.” For requirements in this standard where a specific functional entity or
subset of functional entities are the applicable entity or entities, the functional entity
or entities are specified explicitly.
4.1.1 Balancing Authority
4.1.2 Distribution Provider that owns one or more of the following Facilities, systems,
and equipment for the protection or restoration of the BES:
4.1.2.1 Each underfrequency Load shedding (UFLS) or undervoltage Load shedding
(UVLS) system that:
4.1.2.1.1 is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional Reliability Standard; and
4.1.2.1.2 performs automatic Load shedding under a common control system
owned by the Responsible Entity, without human operator initiation,
of 300 MW or more.
4.1.2.2 Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.1.2.3 Each Protection System (excluding UFLS and UVLS) that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERC or Regional Reliability Standard.
4.1.2.4 Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s) to be started.
4.1.3 Generator Operator
4.1.4 Generator Owner
4.1.5 Interchange Coordinator or Interchange Authority
4.1.6 Reliability Coordinator
4.1.7 Transmission Operator

*Mandatory BC Effective Date: October 1, 2018

ATTACHMENT E
to Order R-38-15
Page 246 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

4.1.8 Transmission Owner

4.2. Facilities: For the purpose of the requirements contained herein, the following
Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above
are those to which these requirements are applicable. For requirements in this
standard where a specific type of Facilities, system, or equipment or subset of
Facilities, systems, and equipment are applicable, these are specified explicitly.
4.2.1 Distribution Provider: One or more of the following Facilities, systems and
equipment owned by the Distribution Provider for the protection or restoration
of the BES:
4.2.1.1 Each UFLS or UVLS System that:
4.2.1.1.1 is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2 performs automatic Load shedding under a common control system
owned by the Responsible Entity, without human operator initiation,
of 300 MW or more.
4.2.1.2 Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERC or Regional Reliability Standard.
4.2.1.4 Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s) to be started.
4.2.2 Responsible Entities listed in 4.1 other than Distribution Providers:
All BES Facilities.
4.2.3 Exemptions: The following are exempt from Standard CIP-008-5:
4.2.3.1 Cyber Assets at Facilities regulated by the Canadian Nuclear Safety
Commission.
4.2.3.2 Cyber Assets associated with communication networks and data
communication links between discrete Electronic Security Perimeters.
4.2.3.3 The systems, structures, and components that are regulated by the Nuclear
Regulatory Commission under a cyber security plan pursuant to 10 C.F.R.
Section 73.54.
4.2.3.4 For Distribution Providers, the systems and equipment that are not included
in section 4.2.1 above.

Page 2 of 24
ATTACHMENT E
to Order R-38-15
Page 247 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

4.2.3.5 Responsible Entities that identify that they have no BES Cyber Systems
categorized as high impact or medium impact according to the CIP-002-5
identification and categorization processes.
5. Effective Dates*: See footnote page 1.
1. 24 Months Minimum – CIP-008-5 shall become effective on the later of July 1,
2015, or the first calendar day of the ninth calendar quarter after the effective
date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, CIP-008-5 shall
become effective on the first day of the ninth calendar quarter following Board of
Trustees’ approval, or as otherwise made effective pursuant to the laws
applicable to such ERO governmental authorities.

6. Background:
Standard CIP-008-5 exists as part of a suite of CIP Standards related to cyber security.
CIP-002-5 requires the initial identification and categorization of BES Cyber Systems.
CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1,
and CIP-011-1 require a minimum level of organizational, operational, and procedural
controls to mitigate risk to BES Cyber Systems. This suite of CIP Standards is referred
to as the Version 5 CIP Cyber Security Standards.
Most requirements open with, “Each Responsible Entity shall implement one or more
documented [processes, plan, etc] that include the applicable items in [Table
Reference].” The referenced table requires the applicable items in the procedures for
the requirement’s common subject matter.
The term documented processes refers to a set of required instructions specific to the
Responsible Entity and to achieve a specific outcome. This term does not imply any
particular naming or approval structure beyond what is stated in the requirements.
An entity should include as much as it believes necessary in their documented
processes, but they must address the applicable requirements in the table.
The terms program and plan are sometimes used in place of documented processes
where it makes sense and is commonly understood. For example, documented
processes describing a response are typically referred to as plans (i.e., incident
response plans and recovery plans). Likewise, a security plan can describe an
approach involving multiple procedures to address a broad subject matter.
Similarly, the term program may refer to the organization’s overall implementation of
its policies, plans and procedures involving a subject matter. Examples in the
standards include the personnel risk assessment program and the personnel training
program. The full implementation of the CIP Cyber Security Standards could also be
referred to as a program. However, the terms program and plan do not imply any
additional requirements beyond what is stated in the standards.
Responsible Entities can implement common controls that meet requirements for
multiple high and medium impact BES Cyber Systems. For example, a single training

Page 3 of 24
ATTACHMENT E
to Order R-38-15
Page 248 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

program could meet the requirements for training personnel across multiple BES
Cyber Systems.
Measures for the initial requirement are simply the documented processes
themselves. Measures in the table rows provide examples of evidence to show
documentation and implementation of applicable items in the documented processes.
These measures serve to provide guidance to entities in acceptable records of
compliance and should not be viewed as an all-inclusive list.
Throughout the standards, unless otherwise stated, bulleted items in the
requirements and measures are items that are linked with an “or,” and numbered
items are items that are linked with an “and.”
Many references in the Applicability section use a threshold of 300 MW for UFLS and
UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version
1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is
specifically addressing UVLS and UFLS, which are last ditch efforts to save the Bulk
Electric System. A review of UFLS tolerances defined within regional reliability
standards for UFLS program requirements to date indicates that the historical value of
300 MW represents an adequate and reasonable threshold value for allowable UFLS
operational tolerances.
“Applicable Systems” Columns in Tables:
Each table has an “Applicable Systems” column to further define the scope of systems
to which a specific requirement row applies. The CSO706 SDT adapted this concept
from the National Institute of Standards and Technology (“NIST”) Risk Management
Framework as a way of applying requirements more appropriately based on impact
and connectivity characteristics. The following conventions are used in the
“Applicable Systems” column as described.

• High Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as
high impact according to the CIP-002-5 identification and categorization
processes.
• Medium Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as
medium impact according to the CIP-002-5 identification and categorization
processes.

Page 4 of 24
ATTACHMENT E
to Order R-38-15
Page 249 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

B. Requirements and Measures

R1. Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications. [Violation
Risk Factor: Lower] [Time Horizon: Long Term Planning].
M1. Evidence must include each of the documented plan(s) that collectively include each of the applicable requirement parts in
CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications.

CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications

Part Applicable Systems Requirements Measures
1.1 High Impact BES Cyber Systems One or more processes to identify, An example of evidence may include,
Medium Impact BES Cyber Systems classify, and respond to Cyber but is not limited to, dated
Security Incidents. documentation of Cyber Security
Incident response plan(s) that include
the process to identify, classify, and
respond to Cyber Security Incidents.

1.2 High Impact BES Cyber Systems One or more processes to determine Examples of evidence may include,
if an identified Cyber Security Incident but are not limited to, dated
Medium Impact BES Cyber Systems
is a Reportable Cyber Security documentation of Cyber Security
Incident and notify the Electricity Incident response plan(s) that provide
Sector Information Sharing and guidance or thresholds for
Analysis Center (ES-ISAC), unless determining which Cyber Security
prohibited by law. Initial notification Incidents are also Reportable Cyber
to the ES-ISAC, which may be only a Security Incidents and documentation
preliminary notice, shall not exceed of initial notices to the Electricity
one hour from the determination of a Sector Information Sharing and
Reportable Cyber Security Incident. Analysis Center (ES-ISAC).

Page 5 of 24
ATTACHMENT E
to Order R-38-15
Page 250 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications

Part Applicable Systems Requirements Measures
1.3 High Impact BES Cyber Systems The roles and responsibilities of Cyber An example of evidence may include,
Security Incident response groups or but is not limited to, dated Cyber
Medium Impact BES Cyber Systems
individuals. Security Incident response process(es)
or procedure(s) that define roles and
responsibilities (e.g., monitoring,
reporting, initiating, documenting,
etc.) of Cyber Security Incident
response groups or individuals.

1.4 High Impact BES Cyber Systems Incident handling procedures for An example of evidence may include,
Medium Impact BES Cyber Systems Cyber Security Incidents. but is not limited to, dated Cyber
Security Incident response process(es)
or procedure(s) that address incident
handling (e.g., containment,
eradication, recovery/incident
resolution).

Page 6 of 24
ATTACHMENT E
to Order R-38-15
Page 251 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

R2. Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan
Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-Time
Operations].
M2. Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of
the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and
Testing.

CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing
Part Applicable Systems Requirements Measures

2.1 High Impact BES Cyber Systems Test each Cyber Security Incident Examples of evidence may include,
response plan(s) at least once every but are not limited to, dated evidence
Medium Impact BES Cyber Systems
15 calendar months: of a lessons-learned report that
includes a summary of the test or a
• By responding to an actual
compilation of notes, logs, and
Reportable Cyber Security
communication resulting from the
Incident;
test. Types of exercises may include
• With a paper drill or tabletop
discussion or operations based
exercise of a Reportable Cyber
exercises.
Security Incident; or
• With an operational exercise of a
Reportable Cyber Security
Incident.

Page 7 of 24
ATTACHMENT E
to Order R-38-15
Page 252 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing
Part Applicable Systems Requirements Measures

2.2 High Impact BES Cyber Systems Use the Cyber Security Incident Examples of evidence may include,
response plan(s) under Requirement but are not limited to, incident
Medium Impact BES Cyber Systems
R1 when responding to a Reportable reports, logs, and notes that were
Cyber Security Incident or performing kept during the incident response
an exercise of a Reportable Cyber process, and follow-up
Security Incident. Document documentation that describes
deviations from the plan(s) taken deviations taken from the plan during
during the response to the incident or the incident or exercise.
exercise.

2.3 High Impact BES Cyber Systems Retain records related to Reportable An example of evidence may include,
Medium Impact BES Cyber Systems Cyber Security Incidents. but is not limited to, dated
documentation, such as security logs,
police reports, emails, response forms
or checklists, forensic analysis results,
restoration records, and post-incident
review notes related to Reportable
Cyber Security Incidents.

Page 8 of 24
ATTACHMENT E
to Order R-38-15
Page 253 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

R3. Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and
Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment].
M3. Evidence must include, but is not limited to, documentation that collectively demonstrates maintenance of each Cyber
Security Incident response plan according to the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security
Incident.

Page 9 of 24
ATTACHMENT E
to Order R-38-15
Page 254 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

CIP-008-5 Table R3 – Cyber Security Incident Response Plan

Review, Update, and Communication
Part Applicable Systems Requirements Measures

3.1 High Impact BES Cyber Systems No later than 90 calendar days after An example of evidence may include,
Medium Impact BES Cyber Systems completion of a Cyber Security Incident but is not limited to, all of the
response plan(s) test or actual following:
Reportable Cyber Security Incident
1. Dated documentation of post
response:
incident(s) review meeting notes
3.1.1. Document any lessons learned or follow-up report showing
or document the absence of lessons learned associated with
any lessons learned; the Cyber Security Incident
response plan(s) test or actual
3.1.2. Update the Cyber Security
Incident response plan based Reportable Cyber Security Incident
on any documented lessons response or dated documentation
stating there were no lessons
learned associated with the
plan; and learned;
2. Dated and revised Cyber Security
3.1.3. Notify each person or group
Incident response plan showing
with a defined role in the Cyber
any changes based on the lessons
Security Incident response plan
learned; and
of the updates to the Cyber
Security Incident response plan 3. Evidence of plan update
based on any documented distribution including, but not
lessons learned. limited to:
• Emails;
• USPS or other mail service;
• Electronic distribution system;
or
• Training sign-in sheets.

Page 10 of 24
ATTACHMENT E
to Order R-38-15
Page 255 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

CIP-008-5 Table R3 – Cyber Security Incident Response Plan

Review, Update, and Communication
Part Applicable Systems Requirements Measures

3.2 High Impact BES Cyber Systems No later than 60 calendar days after a An example of evidence may include,
Medium Impact BES Cyber Systems change to the roles or responsibilities, but is not limited to:
Cyber Security Incident response
1. Dated and revised Cyber
groups or individuals, or technology
Security Incident response plan
that the Responsible Entity determines
with changes to the roles or
would impact the ability to execute the responsibilities, responders or
plan:
technology; and
3.2.1. Update the Cyber Security 2. Evidence of plan update
Incident response plan(s); and
distribution including, but not
3.2.2. Notify each person or group limited to:
with a defined role in the Cyber • Emails;
Security Incident response plan • USPS or other mail service;
of the updates. • Electronic distribution
system; or
• Training sign-in sheets.

Page 11 of 24
ATTACHMENT E
to Order R-38-15
Page 256 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

C. Compliance
1. Compliance Monitoring Process:
1.1. Compliance Enforcement Authority:
The British Columbia Utilities Commission

1.2. Evidence Retention:

The following evidence retention periods identify the period of time an entity is required to
retain specific evidence to demonstrate compliance. For instances where the evidence
retention period specified below is shorter than the time since the last audit, the CEA may ask
an entity to provide other evidence to show that it was compliant for the full time period since
the last audit.
The Responsible Entity shall keep data or evidence to show compliance as identified below
unless directed by its CEA to retain specific evidence for a longer period of time as part of an
investigation:
• Each Responsible Entity shall retain evidence of each requirement in this standard for three
calendar years.
• If a Responsible Entity is found non-compliant, it shall keep information related to the non-
compliance until mitigation is complete and approved or for the time specified above,
whichever is longer.
• The CEA shall keep the last audit records and all requested and submitted subsequent audit
records.
1.3. Compliance Monitoring and Assessment Processes:
• Compliance Audit
• Self-Certification
• Spot Checking
• Compliance Investigation
• Self-Reporting
• Complaint
1.4. Additional Compliance Information:
• None

Page 12 of 24
ATTACHMENT E
to Order R-38-15
Page 257 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

2. Table of Compliance Elements

R# Time VRF Violation Severity Levels (CIP-008-5)

Horizon
Lower VSL Moderate VSL High VSL Severe VSL

R1 Long Term Lower N/A N/A The Responsible Entity The Responsible Entity
Planning has developed the has not developed a
Cyber Security Cyber Security
Incident response Incident response plan
plan(s), but the plan with one or more
does not include the processes to identify,
roles and classify, and respond
responsibilities of to Cyber Security
Cyber Security Incidents. (1.1)
Incident response OR
groups or individuals.
(1.3) The Responsible Entity
has developed a Cyber
OR Security Incident
The Responsible Entity response plan, but the
has developed the plan does not include
Cyber Security one or more
Incident response processes to identify
plan(s), but the plan Reportable Cyber
does not include Security Incidents.
incident handling (1.2)
procedures for Cyber OR
Security Incidents.
(1.4) The Responsible Entity
has developed a Cyber
Security Incident
response plan, but did
Page 13 of 24
ATTACHMENT E
to Order R-38-15
Page 258 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

R# Time VRF Violation Severity Levels (CIP-008-5)

Horizon
Lower VSL Moderate VSL High VSL Severe VSL
not provide at least
preliminary
notification to ES-ISAC
within one hour from
identification of a
Reportable Cyber
Security Incident. (1.2)

R2 Operations Lower The Responsible Entity The Responsible Entity The Responsible Entity The Responsible Entity
Planning has not tested the has not tested the has not tested the has not tested the
Cyber Security Cyber Security Cyber Security Cyber Security
Real-time
Incident response Incident response Incident response Incident response
Operations
plan(s) within 15 plan(s) within 16 plan(s) within 17 plan(s) within 18
calendar months, not calendar months, not calendar months, not calendar months
exceeding 16 calendar exceeding 17 calendar exceeding 18 calendar between tests of the
months between tests months between tests months between tests plan. (2.1)
of the plan. (2.1) of the plan. (2.1) of the plan. (2.1)
OR
OR The Responsible Entity
The Responsible Entity did not retain relevant
did not document records related to
deviations, if any, Reportable Cyber
from the plan during a Security Incidents.
test or when a (2.3)
Reportable Cyber
Security Incident
occurs. (2.2)

R3 Operations Lower The Responsible Entity The Responsible Entity The Responsible Entity The Responsible Entity
Assessment has not notified each has not updated the has neither has neither
person or group with
Page 14 of 24
ATTACHMENT E
to Order R-38-15
Page 259 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

R# Time VRF Violation Severity Levels (CIP-008-5)

Horizon
Lower VSL Moderate VSL High VSL Severe VSL
a defined role in the Cyber Security documented lessons documented lessons
Cyber Security Incident response plan learned nor learned nor
Incident response based on any documented the documented the
plan of updates to the documented lessons absence of any lessons absence of any
Cyber Security learned within 90 and learned within 90 and lessons learned within
Incident response less than 120 calendar less than 120 calendar 120 calendar days of a
plan within greater days of a test or actual days of a test or actual test or actual incident
than 90 but less than incident response to a incident response to a response to a
120 calendar days of a Reportable Cyber Reportable Cyber Reportable Cyber
test or actual incident Security Incident. Security Incident. Security Incident.
response to a (3.1.2) (3.1.1) (3.1.1)
Reportable Cyber
OR OR
Security Incident.
(3.1.3) The Responsible Entity The Responsible Entity
has not notified each has not updated the
person or group with a Cyber Security
defined role in the Incident response plan
Cyber Security based on any
Incident response plan documented lessons
of updates to the learned within 120
Cyber Security calendar days of a test
Incident response plan or actual incident
within 120 calendar response to a
days of a test or actual Reportable Cyber
incident response to a Security Incident.
Reportable Cyber (3.1.2)
Security Incident.
OR
(3.1.3)
The Responsible Entity
OR
has not updated the
Page 15 of 24
ATTACHMENT E
to Order R-38-15
Page 260 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

R# Time VRF Violation Severity Levels (CIP-008-5)

Horizon
Lower VSL Moderate VSL High VSL Severe VSL
The Responsible Entity Cyber Security
has not updated the Incident response
Cyber Security plan(s) or notified
Incident response each person or group
plan(s) or notified with a defined role
each person or group within 90 calendar
with a defined role days of any of the
within 60 and less following changes that
than 90 calendar days the responsible entity
of any of the following determines would
changes that the impact the ability to
responsible entity execute the plan: (3.2)
determines would
• Roles or
impact the ability to
responsibilities, or
execute the plan: (3.2)
• Cyber Security
• Roles or Incident response
responsibilities, or groups or individuals,
• Cyber Security or
Incident response • Technology
groups or individuals, changes.
or
• Technology
changes.

Page 16 of 24
ATTACHMENT E
to Order R-38-15
Page 261 of 748
CIP-008-5 — Cyber Security — Incident Reporting and Response Planning

D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.

Page 17 of 24
ATTACHMENT E
to Order R-38-15
Page 262 of 748
Guidelines and Technical Basis

Guidelines and Technical Basis

Section 4 – Scope of Applicability of the CIP Cyber Security Standards

Section “4. Applicability” of the standards provides important information for Responsible
Entities to determine the scope of the applicability of the CIP Cyber Security Requirements.

Section “4.1. Functional Entities” is a list of NERC functional entities to which the standard
applies. If the entity is registered as one or more of the functional entities listed in Section 4.1,
then the NERC CIP Cyber Security Standards apply. Note that there is a qualification in Section
4.1 that restricts the applicability in the case of Distribution Providers to only those that own
certain types of systems and equipment listed in 4.2. Furthermore,

Section “4.2. Facilities” defines the scope of the Facilities, systems, and equipment owned by
the Responsible Entity, as qualified in Section 4.1, that is subject to the requirements of the
standard. As specified in the exemption section 4.2.3.5, this standard does not apply to
Responsible Entities that do not have High Impact or Medium Impact BES Cyber Systems under
CIP-002-5’s categorization. In addition to the set of BES Facilities, Control Centers, and other
systems and equipment, the list includes the set of systems and equipment owned by
Distribution Providers. While the NERC Glossary term “Facilities” already includes the BES
characteristic, the additional use of the term BES here is meant to reinforce the scope of
applicability of these Facilities where it is used, especially in this applicability scoping section.
This in effect sets the scope of Facilities, systems, and equipment that is subject to the
standards.
Requirement R1:
The following guidelines are available to assist in addressing the required components of a
Cyber Security Incident response plan:
• Department of Homeland Security, Control Systems Security Program, Developing an
Industrial Control Systems Cyber Security Incident Response Capability, 2009, online at
http://www.us-cert.gov/control_systems/practices/documents/final-
RP_ics_cybersecurity_incident_response_100609.pdf
• National Institute of Standards and Technology, Computer Security Incident Handling
Guide, Special Publication 800-61 revision 1, March 2008, online at
http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
For Part 1.2, a Reportable Cyber Security Incident is a Cyber Security Incident that has
compromised or disrupted one or more reliability tasks of a functional entity. It is helpful to
distinguish Reportable Cyber Security Incidents as one resulting in a necessary response action.
A response action can fall into one of two categories: Necessary or elective. The distinguishing
characteristic is whether or not action was taken in response to an event. Precautionary
measures that are not in response to any persistent damage or effects may be designated as
elective. All other response actions to avoid any persistent damage or adverse effects, which
include the activation of redundant systems, should be designated as necessary.

Page 18 of 24
ATTACHMENT E
to Order R-38-15
Page 263 of 748
Guidelines and Technical Basis

The reporting obligations for Reportable Cyber Security Incidents require at least a preliminary
notice to the ES-ISAC within one hour after determining that a Cyber Security Incident is
reportable (not within one hour of the Cyber Security Incident, an important distinction). This
addition is in response to the directive addressing this issue in FERC Order No. 706, paragraphs
673 and 676, to report within one hour (at least preliminarily). This standard does not require
a complete report within an hour of determining that a Cyber Security Incident is reportable,
but at least preliminary notice, which may be a phone call, an email, or sending a Web-based
notice. The standard does not require a specific timeframe for completing the full report.
Requirement R2:
Requirement R2 ensures entities periodically test the Cyber Security Incident response plan.
This includes the requirement in Part 2.2 to ensure the plan is actually used when testing. The
testing requirements are specifically for Reportable Cyber Security Incidents.
Entities may use an actual response to a Reportable Cyber Security Incident as a substitute for
exercising the plan annually. Otherwise, entities must exercise the plan with a paper drill,
tabletop exercise, or full operational exercise. For more specific types of exercises, refer to the
FEMA Homeland Security Exercise and Evaluation Program (HSEEP). It lists the following four
types of discussion-based exercises: seminar, workshop, tabletop, and games. In particular, it
defines that, “A tabletop exercise involves key personnel discussing simulated scenarios in an
informal setting. Table top exercises (TTX) can be used to assess plans, policies, and
procedures.”
The HSEEP lists the following three types of operations-based exercises: Drill, functional
exercise, and full-scale exercise. It defines that, “[A] full-scale exercise is a multi-agency, multi-
jurisdictional, multi-discipline exercise involving functional (e.g., joint field office, Emergency
operation centers, etc.) and ‘boots on the ground’ response (e.g., firefighters decontaminating
mock victims).”
In addition to the requirements to implement the response plan, Part 2.3 specifies entities must
retain relevant records for Reportable Cyber Security Incidents. There are several examples of
specific types of evidence listed in the measure. Entities should refer to their handling
procedures to determine the types of evidence to retain and how to transport and store the
evidence. For further information in retaining incident records, refer to the NIST Guide to
Integrating Forensic Techniques into Incident Response (SP800-86). The NIST guideline includes
a section (Section 3.1.2) on acquiring data when performing forensics.
Requirement R3:
This requirement ensures entities maintain Cyber Security Incident response plans. There are
two requirement parts that trigger plan updates: (1) lessons learned from Part 3.1 and (2)
organizational or technology changes from Part 3.2.
The documentation of lessons learned from Part 3.1 is associated with each Reportable Cyber
Security Incident and involves the activities as illustrated in Figure 1, below. The deadline to
document lessons learned starts after the completion of the incident in recognition that
complex incidents on complex systems can take a few days or weeks to complete response

Page 19 of 24
ATTACHMENT E
to Order R-38-15
Page 264 of 748
Guidelines and Technical Basis

activities. The process of conducting lessons learned can involve the response team discussing
the incident to determine gaps or areas of improvement within the plan. Any documented
deviations from the plan from Part 2.2 can serve as input to the lessons learned. It is possible
to have a Reportable Cyber Security Incident without any documented lessons learned. In such
cases, the entity must retain documentation of the absence of any lessons learned associated
with the Reportable Cyber Security Incident.

Figure 1: CIP-008-5 R3 Timeline for Reportable Cyber Security Incidents

The activities necessary to complete the lessons learned include updating the plan and
distributing those updates. Entities should consider meeting with all of the individuals involved
in the incident and documenting the lessons learned as soon after the incident as possible. This
allows more time for making effective updates to the plan, obtaining any necessary approvals,
and distributing those updates to the incident response team.
The plan change requirement in Part 3.2 is associated with organization and technology
changes referenced in the plan and involves the activities illustrated in Figure 2, below.
Organizational changes include changes to the roles and responsibilities people have in the plan
or changes to the response groups or individuals. This may include changes to the names or
contact information listed in the plan. Technology changes affecting the plan may include
referenced information sources, communication systems or ticketing systems.

Figure 2: Timeline for Plan Changes in 3.2

Page 20 of 24
ATTACHMENT E
to Order R-38-15
Page 265 of 748
Guidelines and Technical Basis

Rationale:

During the development of this standard, references to prior versions of the CIP standards and
rationale for the requirements and their parts were embedded within the standard. Upon BOT
approval, that information was moved to this section.

Rationale for R1:

The implementation of an effective Cyber Security Incident response plan mitigates the risk to
the reliable operation of the BES caused as the result of a Cyber Security Incident and provides
feedback to Responsible Entities for improving the security controls applying to BES Cyber
Systems. Preventative activities can lower the number of incidents, but not all incidents can be
prevented. A preplanned incident response capability is therefore necessary for rapidly
detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were
exploited, and restoring computing services. An enterprise or single incident response plan for
all BES Cyber Systems may be used to meet the Requirement. An organization may have a
common plan for multiple registered entities it owns.
Summary of Changes: Wording changes have been incorporated based primarily on industry
feedback to more specifically describe required actions.
Reference to prior version: (Part 1.1) CIP-008, R1.1
Change Description and Justification: (Part 1.1)
“Characterize” has been changed to “identify” for clarity. “Response actions” has been changed
to “respond to” for clarity.
Reference to prior version: (Part 1.2) CIP-008, R1.1
Change Description and Justification: (Part 1.2)
Addresses the reporting requirements from previous versions of CIP-008. This requirement part
only obligates entities to have a process for determining Reportable Cyber Security Incidents.
Also addresses the directive in FERC Order No. 706, paragraphs 673 and 676 to report within
one hour (at least preliminarily).
Reference to prior version: (Part 1.3) CIP-008, R1.2
Change Description and Justification: (Part 1.3)
Replaced incident response teams with incident response “groups or individuals” to avoid the
interpretation that roles and responsibilities sections must reference specific teams.
Reference to prior version: (Part 1.4) CIP-008, R1.2
Change Description and Justification: (Part 1.4)
Conforming change to reference new defined term Cyber Security Incidents.

Page 21 of 24
ATTACHMENT E
to Order R-38-15
Page 266 of 748
Guidelines and Technical Basis

Rationale for R2:

The implementation of an effective Cyber Security Incident response plan mitigates the risk to
the reliable operation of the BES caused as the result of a Cyber Security Incident and provides
feedback to Responsible Entities for improving the security controls applying to BES Cyber
Systems. This requirement ensures implementation of the response plans. Requirement Part
2.3 ensures the retention of incident documentation for post event analysis.
This requirement obligates entities to follow the Cyber Security Incident response plan when an
incident occurs or when testing, but does not restrict entities from taking needed deviations
from the plan. It ensures the plan represents the actual response and does not exist for
documentation only. If a plan is written at a high enough level, then every action during the
response should not be subject to scrutiny. The plan will likely allow for the appropriate
variance in tactical decisions made by incident responders. Deviations from the plan can be
documented during the incident response or afterward as part of the review.
Summary of Changes: Added testing requirements to verify the Responsible Entity’s response
plan’s effectiveness and consistent application in responding to a Cyber Security Incident(s)
impacting a BES Cyber System.
Reference to prior version: (Part 2.1) CIP-008, R1.6
Change Description and Justification: (Part 2.1)
Minor wording changes; essentially unchanged.
Reference to prior version: (Part 2.2) CIP-008, R1.6
Change Description and Justification: (Part 2.2)
Allows deviation from plan(s) during actual events or testing if deviations are recorded for
review.
Reference to prior version: (Part 2.3) CIP-008, R2
Change Description and Justification: (Part 2.3)
Removed references to the retention period because the Standard addresses data retention in
the Compliance Section.

Rationale for R3:

Conduct sufficient reviews, updates and communications to verify the Responsible Entity’s
response plan’s effectiveness and consistent application in responding to a Cyber Security
Incident(s) impacting a BES Cyber System. A separate plan is not required for those requirement
parts of the table applicable to High or Medium Impact BES Cyber Systems. If an entity has a
single Cyber Security Incident response plan and High or Medium Impact BES Cyber Systems,
then the additional requirements would apply to the single plan.
Summary of Changes: Changes here address the FERC Order 706, Paragraph 686, which
includes a directive to perform after-action review for tests or actual incidents and update the

Page 22 of 24
ATTACHMENT E
to Order R-38-15
Page 267 of 748
Guidelines and Technical Basis

plan based on lessons learned. Additional changes include specification of what it means to
review the plan and specification of changes that would require an update to the plan.
Reference to prior version: (Part 3.1) CIP-008, R1.5
Change Description and Justification: (Part 3.1)
Addresses FERC Order 706, Paragraph 686 to document test or actual incidents and lessons
learned.
Reference to prior version: (Part 3.2) CIP-008, R1.4
Change Description and Justification: (Part 3.2)
Specifies the activities required to maintain the plan. The previous version required entities to
update the plan in response to any changes. The modifications make clear the changes that
would require an update.

Version History

Version Date Action Change Tracking

1 1/16/06 R3.2 — Change “Control Center” to 3/24/06
“control center.”
2 9/30/09 Modifications to clarify the
requirements and to bring the
compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business
judgment.
Replaced the RRO with the RE as a
Responsible Entity.
Rewording of Effective Date.
Changed compliance monitor to
Compliance Enforcement Authority.
3 Updated version number from -2 to -3
In Requirement 1.6, deleted the
sentence pertaining to removing
component or system from service in
order to perform testing, in response to
FERC order issued September 30, 2009.
3 12/16/09 Approved by the NERC Board of Update
Trustees.
3 3/31/10 Approved by FERC.

Page 23 of 24
ATTACHMENT E
to Order R-38-15
Page 268 of 748
Guidelines and Technical Basis

4 12/30/10 Modified to add specific criteria for Update

Critical Asset identification.
4 1/24/11 Approved by the NERC Board of Update
Trustees.
5 11/26/12 Adopted by the NERC Board of Modified to
Trustees. coordinate with
other CIP
standards and to
revise format to
use RBS
Template.
5 11/22/13 FERC Order issued approving CIP-008-5.
5 7/9/14 FERC Letter Order issued approving CIP-008-5
VRFs and VSLs revisions to certain CIP Requirement R2,
standards. VSL table under
Severe, changed
from 19 to 18
calendar months.

Page 24 of 24