Emerson's Response To NERC Reliability Standard CIP 003-8 For Transient Cyber Asset(s)

Data Sheet

Introduction
NERC CIP-003-8, effective January 1, 2020, requires Responsible Entities to address Transient Cyber Assets
(TCA) and Removable Media Malicious Code Risk Mitigation. This new standard requires Responsible Entities
to address how Transient Cyber Assets and removable media are handled within their control system
environments. As a key service provider to many power generating stations and water/wastewater facilities in
the United States, Emerson’s project and field service engineers may utilize their Emerson-issued laptop to
perform work on a Responsible Entity’s distributed control system. Emerson-provided laptops used on low
impact BES Cyber Systems may be considered Transient Cyber Assets and be subject to Section 5.2 of NERC
CIP-003-8.

NERC CIP 003-8


Reliability Standard CIP-003-8 improves upon Commission-approved CIP-003-7 by explicitly requiring
Responsible Entities to implement those actions they deem necessary to mitigate the introduction of malicious
code to low impact BES Cyber Systems from Transient Cyber Assets managed by third parties, such as
vendors or contractors. The Responsible Entity must determine which actions, if any, are necessary based on a
review of the third party’s mitigation practices. Additionally, the Responsible Entity must implement the action
before connecting the Transient Cyber Asset to its low impact BES Cyber System. The proposed requirement
helps ensure that Responsible Entities protect their low impact BES Cyber Systems at an appropriate level of
security when allowing other parties to use their own Transient Cyber Assets on low impact BES Cyber
Systems.

Section 5.2 of NERC CIP-003-8 states that for TCAs managed by a party other than the Responsible Entity, the
Responsible Entity should use one or a combination of the following prior to connecting the TCA to a low impact
BES Cyber System (based on TCA capability):
• Review of antivirus update level;
• Review of antivirus update process used by the party;
• Review of application whitelisting used by the party;
• Review use of live operating system and software executable only from read-only media;
• Review of system hardening used by the party;
or
• Other method(s) to mitigate the introduction of malicious code.

PWS_010473 [1]

This data sheet describes the configuration and maintenance of Emerson-issued laptops that may be
considered Transient Cyber Assets and specifically addresses Section 5.2 of NERC CIP 003-8 to help ensure
that Responsible Entities have the information needed to support their NERC CIP compliance programs.

Emerson’s Security Strategy


Emerson leverages a Defense-in-Depth strategy that protects our business systems, company-issued laptops and
other electronic devices from internal and external threats. Emerson’s strategy, which is reviewed on a regular
basis, was developed using well-known frameworks and industry best practices.

Malware Prevention
Antivirus software is installed on all Emerson endpoints and updated regularly. Advanced threat detection
software, also installed on all Emerson laptops and servers, provides additional protection to Emerson IT assets.
Alerts generated by Emerson's malware prevention tools are monitored by an Incident Response Team and
action is taken as needed.

Operating Systems and Security Patching


All operating systems are reviewed and approved by Emerson’s Enterprise IT group before use. The group’s
policy requires that patches are applied monthly and compliance is regularly monitored by Emerson IT
leadership. Non-compliance is reported to the appropriate stakeholders and requires immediate action.

System Hardening
Emerson follows system hardening best practices and performs common hardening activities such as reducing
access and removing unneeded services on Emerson-issued devices. Emerson also leverages the Center for
Internet Security (CIS) Benchmarks as a guideline for system hardening to help ensure that our systems are
configured securely. System configurations are implemented per Emerson’s group policy or within build images
used throughout the organization.

Other Security Measures


In addition to the security measures detailed above, Emerson’s project and service teams are required to
complete mandatory annual cybersecurity training and quarterly NERC CIP awareness training to help ensure
they are up to date with cybersecurity-related topics. Emerson recognizes the importance of securing critical
infrastructure and supports our customers by helping to ensure that their systems are protected.

For More Information


If you require more information regarding this topic in support of your NERC CIP compliance programs, please
contact Emerson’s SureService Team or your local sales representative.

©2019 Emerson. All rights reserved. The Emerson logo is a trademark and service mark of Emerson Electric Co. Ovation™ is a mark of one of the Emerson Automation Solutions family
of business units. All other marks are the property of their respective owners. The contents of this publication are presented for information purposes only, and while effort has been made
to ensure their accuracy, they are not to be construed as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All
sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the designs or specifications of our products at any time without
notice.
