NERC TFE Cheat Sheet

TFE Cycle
TFE Requirements – Form A
CIP-005-3 Electronic Security Perimeter(s)
R2.4. Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
R2.6. Appropriate Use Banner — Where technically feasible, electronic access control devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner.
R3.1. For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.
R3.2. Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
CIP-006-3 Physical Security of Critical Cyber Assets
R1.1. All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed ("six-wall") border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such Cyber Assets.
CIP-007-3 Systems Security Management
R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
R3. Security Patch Management — The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
R3.1. The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades.
R3.2. The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
R4. Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
R4.1. The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.
R4.2. The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention "signatures." The process must address testing and installing the signatures.
R5.3. At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible:
R5.3.1. Each password shall be a minimum of six characters.
R5.3.2. Each password shall consist of a combination of alpha, numeric, and "special" characters.
R5.3.3. Each password shall be changed at least annually, or more frequently based on risk.
R6. Security Status Monitoring — The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
R6.1. The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter.
R6.2. The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents.
R6.3. The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008-3.
R6.4. The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
R6.5. The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs.
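The two monitoring requirements above (R3.2: detect and alert on attempts at or actual unauthorized access, falling back to a review of access logs at least every ninety days; R6.4/R6.5: retain and review security event logs) are the ones most often covered by a TFE because an older access device cannot alert on its own. The following is an added example, not part of the original cheat sheet, of the kind of review script an entity can run over exported access-point logs when the device itself cannot alert. The log format, hostnames, addresses, failure threshold and time window are all assumptions constructed for the example.

```python
"""Added example (not from the original cheat sheet): review exported
access-point logs for unauthorized access attempts (R3.2 / R6) and check
whether the ninety-day manual review window has been missed."""
import re
from datetime import datetime, timedelta

# Assumed syslog-like export format from an ESP access point.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<event>AUTH_OK|AUTH_FAIL|ACL_DENY) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one brute-force burst followed by an ACL hit from
# the same external address, one stray failure, and one unparseable line.
SAMPLE_LOG = """\
2013-05-01T08:00:01 esp-gw1 AUTH_OK user=operator1 src=10.1.1.20
2013-05-01T08:00:05 esp-gw1 AUTH_FAIL user=admin src=198.51.100.7
2013-05-01T08:00:06 esp-gw1 AUTH_FAIL user=admin src=198.51.100.7
2013-05-01T08:00:08 esp-gw1 AUTH_FAIL user=admin src=198.51.100.7
2013-05-01T08:00:09 esp-gw1 ACL_DENY user=- src=198.51.100.7
2013-05-01T08:01:00 esp-gw1 AUTH_OK user=operator1 src=10.1.1.20
2013-05-01T08:02:00 esp-gw2 AUTH_FAIL user=operator2 src=10.1.1.21
not a log line
"""

FAIL_THRESHOLD = 3              # assumed: failures from one source per window
WINDOW = timedelta(minutes=5)   # assumed sliding window


def parse_log(text):
    """Parse the export. Lines that do not match are returned separately:
    a silent parse failure would hide exactly the attempts R3.2 asks for."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events, unparsed


def find_unauthorized(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, src, timestamp) alerts for every ACL_DENY (actual
    unauthorized access) and for any source reaching `threshold` AUTH_FAILs
    inside `window` (an attempt). One alert is raised per failure burst."""
    alerts = []
    fails = {}  # src -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "ACL_DENY":
            alerts.append(("acl_deny", e["src"], e["ts"]))
        elif e["event"] == "AUTH_FAIL":
            recent = fails.setdefault(e["src"], [])
            recent.append(e["ts"])
            recent[:] = [t for t in recent if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("brute_force", e["src"], e["ts"]))
                recent.clear()
    return alerts


def review_overdue(last_review_iso, now_iso, max_days=90):
    """R3.2 fallback / R6.5: the manual log review is due at least every
    ninety calendar days. Dates are ISO strings as kept in a review record."""
    last = datetime.fromisoformat(last_review_iso)
    now = datetime.fromisoformat(now_iso)
    return (now - last).days > max_days


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for kind, src, ts in find_unauthorized(evs):
        print(f"{ts.isoformat()} {kind} from {src}")
    print(f"{len(bad)} unparseable line(s)")
    print("review overdue:", review_overdue("2013-01-01", "2013-05-01"))
```

Run against a real export, the script's output plus the date it was run is the record of review that R6.5 requires; the unparseable-line count should be zero or explained, otherwise the review did not actually cover the whole log.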
Class-Type TFE
| Class-Type | Class-Type |
|---|---|
| Data Storage Device | Physical Access Monitoring System |
| Digital Protective Control Device | Physical Security Perimeter |
| Electronic Access Control System | Relay |
| Electronic Access Monitoring System | RTU |
| Industrial/Process Control System | Server |
| Mainframe Computer | Telecommunications Device |
| Network/Data Communications Device | Transmitters |
| PC/Laptop | Valve Controllers |
| Peripheral Device (e.g. printer) | |
| Physical Access Control System | Other |
Basis for TFE
| Basis | Basis |
|---|---|
| Not technically possible | Cannot achieve by compliance date |
| Operationally infeasible | Unacceptable safety risks |
| Precluded by technical limitations | Conflicts with other statutory or regulatory requirement |
| Adverse effect on BES reliability | Excessive cost that exceeds reliability benefit |
Note: I used this for personal reference only. Feel free to use it if you have to.
About Us
.:: P|ITC ::.
Perea IT Consulting
Helping small businesses avoid the painful headaches of dealing with issues in their IT environment.
Building network infrastructure from scratch for SMB clients, starting with choosing the right ISP, firewalls, routers, switches and servers, then putting it all together to make a secure and reliable network that fits their budget.
Also providing IT security services such as vulnerability assessment, penetration testing and digital forensics.
