UNIFIED GRID INTELLIGENCE
Standard CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Standard CIP-006 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009. Responsible Entities should apply Standards CIP-002 through CIP-009 using reasonable business judgment.
Physical Security Plan — The Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegate(s) that shall address, at a minimum, the following:
Processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.
Processes to identify all access points through each Physical Security Perimeter and measures to control entry at those access points.
Processes, tools, and procedures to monitor physical access to the perimeter(s).
Procedures for the appropriate use of physical access controls as described in Requirement R3, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
Procedures for reviewing access authorization requests and revocation of access authorization, in accordance with CIP-004 Requirement R4.
Procedures for escorted access within the physical security perimeter of personnel not authorized for unescorted access.
Process for updating the physical security plan within ninety calendar days of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the physical security perimeter, physical access controls, monitoring controls, or logging controls.
Cyber Assets used in the access control and monitoring of the Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP-003, Standard CIP-004 Requirement R3, Standard CIP-005 Requirements R2 and R3, Standard CIP-006 Requirements R2 and R3, Standard CIP-007, Standard CIP-008 and Standard CIP-009.
Process for ensuring that the physical security plan is reviewed at least annually.
Physical Access Controls — The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
Monitoring Physical Access — The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008.
Logging Physical Access — Logging shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s).
Access Log Retention — The Responsible Entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008.
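As an added example (not from the SUBNET page or the text of the standard), the following Python check applies the logging points above to a constructed physical access log: it flags entries that do not uniquely identify the individual and the time of access (R5), queues denied attempts for immediate review (R3), and lists entries past the ninety-day window that are not tied to a reportable incident (R6). The column names and the reference date are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

RETENTION_DAYS = 90  # R6: physical access logs kept at least ninety calendar days
# Constructed sample log for the demonstration; the column names (badge_id,
# door, result, incident_id) are assumptions, not fields the standard names.
SAMPLE_LOG = """timestamp,badge_id,door,result,incident_id
2024-01-02T08:00:00Z,B1001,CR-North,granted,
2024-01-03T22:15:00Z,,CR-North,granted,
2024-03-20T03:41:10Z,B2042,CR-South,denied,
2024-01-05T11:00:00Z,B1001,CR-South,denied,INC-0007
2024-04-01T09:30:00Z,B1003,CR-North,granted,
"""

def parse_ts(value):
    """Return an aware datetime, or None when the time cannot be parsed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None

def parse_log(text):
    return list(csv.DictReader(StringIO(text)))

def missing_identification(rows):
    """R5: 1-based lines lacking a unique individual (badge) or a parseable time."""
    return [i for i, r in enumerate(rows, 1)
            if not r["badge_id"] or parse_ts(r["timestamp"]) is None]

def needs_review(rows):
    """R3: denied attempts are unauthorized access attempts; review them immediately."""
    return [r for r in rows if r["result"] == "denied"]

def purgeable(rows, now):
    """R6: entries older than the retention window may be purged, except
    those linked to a reportable incident, which follow CIP-008 retention."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [r for r in rows
            if (ts := parse_ts(r["timestamp"])) is not None
            and ts < cutoff and not r["incident_id"]]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    now = parse_ts("2024-04-15T00:00:00Z")  # assumed reference date
    print("R5 gaps at lines:", missing_identification(rows))
    print("R3 review queue:", [r["badge_id"] for r in needs_review(rows)])
    print("R6 purgeable:", [r["timestamp"] for r in purgeable(rows, now)])
```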
Maintenance and Testing — The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R2, R3, and R4
Visit the NERC website for more details regarding Critical Infrastructure Protection Standards.
Learn more about how SUBNET can help you meet NERC CIP standards with PowerSYSTEM Center.