Information
-
Document No.
-
Audit Title
-
Client / Site
-
Conducted on
-
Prepared by
-
Asset Personnel
1. ID Sections
Infrastructure Dependency Sections
-
Complete sections indicated as critical to the asset's core operations in the AMQ. Check all sections that have been completed during the IAV.
-
Electric Power Dependency
-
Natural Gas Dependency
-
Communications Dependency
-
Information Technology Dependency
-
Water Dependency
1.1 Electric Power Dependency
Electric Power Dependency
-
Asset Name/Critical Node Name
-
Is electric power required for the facility for core operations (produce key services, goods)?
General Electric Power Detail
-
What is the primary use for electric power?
-
Describe
-
What primary electric power sources apply?
Internal Electric Power Sources
-
What is the Internal source?
-
What type of power cycle is used by the cogeneration unit?
* Enter only when you select “Cogeneration Unit on-site” for the types of internal electric power sources.
-
Which fuel(s) are used by the Power Plant/Cogeneration Unit?
-
Specify
-
Does Power Plant/Cogeneration Unit generate enough electricity to handle full facility load?
-
Percent of Peak Facility Demand generated.
-
Does Power Plant/Cogeneration Unit provide electricity externally (i.e. the facility has the right to sell energy and capacity to its host utility or the grid)?
-
Electric Power Internal Source Briefing Notes
External Electric Power Sources
-
Electric Power Provider/Supplier Name
-
Unknown
-
Name or Location
-
Describe
-
Name or location (2nd substation)
Electric Power Protective Measures
-
How many electric service connections are there for the facility?
-
Can each service connection handle entire facility load?
-
If there are multiple service connections handle entire facility?
-
Describe
-
Service connections into the facility are located?
-
Are there service connections co-located with other utilities (e.g. utility corridors for natural gas, telecommunications, fiber, water, etc.)?
-
Describe
-
Are there protective measures in place inside the building supporting the electrical system (e.g., locked electrical cabinet or room)?
-
Describe
-
Are there protective measures in place outside the building supporting the electrical system (but still within control of facility, e.g., bollards or box around facility-owned transformer)?
-
Describe
-
Electric Power Protective Measures Briefing Notes
Electric Power Back-Up Generation
-
On-Site Back-Up Generation
-
Backup Generator Exists?
-
Type of backup generator (diesel generator, natural gas, other)?
-
Specify
-
Is refueling necessary?
-
Fuel Supplier Name
-
Contracts or procedures are in place for refuel in emergency?
-
Duration of backup generation without refueling?
-
Refuel Unit
-
What is the purpose of backup generation?
-
Is the backup routinely tested under load (e.g., with facility functions being served off of the generator in real-time, not just tested to see if it turns on)?
-
How often?
-
Describe
-
Uninterruptible Power Supply (UPS)/Battery back-up exists on site?
-
Duration of UPS/Battery back-up?
-
Duration Unit
-
What is the purpose of the UPS/Battery back-up?
-
Back-Up Generation Briefing Notes
Electric Power Loss of Service
-
Has the facility experienced electric service outages within the last year?
-
Is there a Contingency/Business Continuity Plan with provider for restoration?
-
Explain
-
Does the facility participate in provider priority plan for restoration?
-
Explain
-
If all electric service is lost (without considering any back-up or alternative mode), how soon would the facility be severely impacted?
-
Once electric service is lost (and any back-up or alternative fuel is employed), what percentage of normal business functions are lost or degraded?
-
Electric Power Loss Briefing Notes
Overall Electric Power Comments
-
Overall Electric Power Comments
Electric Power Commendable
-
Electric Power Commendable
-
Add an additional Electric Power Commendable record
Electric Power Commendable
-
Electric Power Commendable
1.2 Natural Gas Dependency
Natural Gas Dependency
-
Asset Name/Critical Node Name
-
Is natural gas required for the facility for core operations (produce key services, goods)?
General Natural Gas Detail
-
What is the primary goal for natural gas?
- On-site heat/hot water
- Food Preparation
- Facility power
- Steam Generation (cogeneration)
- Heat/Energy for Core Operations
- Used as raw material
- Other
-
Describe
External Natural Gas Sources
-
Natural Gas Supplier
-
How many natural gas service connections are there for the facility?
-
Can each service connection handle entire facility load?
-
If there are multiple service lines, where do the lines enter the facility?
-
Describe
-
Are the main service lines collocated with other utilities (e.g. water utility corridors with electric, communications, fiber, water, etc.)?
-
Components of the natural gas supply located inside the building (but within control of facility) are protected from vandalism or accidental damage?
-
Components of the natural gas supply located outside of the building (but still within the control of facility) are protected from vandalism or accidental damage?
-
What is the natural gas distribution system?
-
Natural Gas Protective Measures Briefing Notes
Natural Gas Back-Up
-
Is there backup gas or an alternative fuel source (e.g. propane or electricity)?
-
Describe
Natural Gas Loss of Service
-
Has the facility experienced natural gas service outages within the last five years?
-
Is there a Contingency/Business Continuity Plan with provider for restoration?
-
Explain
-
Does the facility participate in provider priority plan for restoration?
-
Explain
-
If all natural gas service is lost (without considering any back-up or alternative mode), how soon would the facility be severely impacted?
-
Once natural gas service is lost (and any back up or alternative fuel is employed), what percentage of normal business functions are lost or degraded?
-
Natural Gas Loss Briefing Notes
Overall Natural Gas Comments
-
Overall Natural Gas Comments
Natural Gas Commendables
-
Natural Gas Commendable
-
Add an additional Natural Gas Commendable
Commendable
-
Natural Gas Commendable
1.3 Communications
Communications Dependency
-
Asset Name/Critical Node
-
Are communications required for the facility for core operations (produce key services, goods)?
General Communications Detail
-
Which of these communication services are critical to facility operations?
- Telephone
- Data (incl. networking & VoIP)
- Radio Link
-
What is the primary critical communications mode (mode the loss of which would result in the most severe impact to facility functions)?
Telephone Mode
-
What is the primary critical telephone usage?
-
What primary off-premises communications service is utilized?
- Company owned & managed fiber loop
- Company owned & managed direct fiber link
- Leased public network fiber loop (e.g. AT&T)
- Leased direct fiber link (e.g. AT&T)
- General plain old telephone service network (unknown fiber or copper)
- Wireless
Data Mode
-
What is the primary critical data services usage?
-
What primary off-premises communications service is utilized?
- Company owned & managed fiber loop
- Company owned & managed direct fiber link
- Leased public network fiber loop (e.g. AT&T)
- Leased direct fiber link (e.g. AT&T)
- General plain old telephone service network (unknown fiber or copper)
- Wireless
Radio Mode
-
What is the primary critical radio usage?
-
What primary communication service is utilized?
- Company owned & managed system
- Leased public network
- Cell phones with radio line (e.g. Nextel)
- Cell phones without radios
- Wireless (e.g. WiMAX)
- SAT Phones
Protective Measures for Primary Critical Communications Mode and Service
-
What protective measures are employed for the primary telecommunication service?
- More than 1 connection (e.g. telephone line, data cable or radio tower) at facility
- If more than 1 connection, they are in different locations
- More than one inside terminal/Communications room
- Service connections are located underground
- Service connections terminate in a protected facility/building
- Service connections are not located in a joint, co-located utility corridor
- None
-
Describe
Impact of Loss of Primary Communications Mode & Service
-
Has the facility experienced telecommunication service outages within the last year?
-
Is there a Contingency/Business Continuity Plan with provider for restoration?
-
Explain
-
Does the facility participate in provider priority plan for restoration?
-
Explain
-
If all primary telecommunications service is lost (without considering any back-up or alternative mode), how soon would the facility be severely impacted?
-
If primary mode of telecommunication service is lost, what would you use as back-up?
-
Once the facility is on back-up telecommunications service mode, what percentage of normal business functions are lost or degraded?
Communications Briefing Notes
-
Communications Briefing Notes
Overall Communications Comments
-
Communications Briefing Notes
Communications Commendables
-
Communications Commendable
-
Add an additional Communication Commendable
Commendable
-
Communications Commendable
1.4 IT Dependency
Information Technology Dependency
-
Asset Name/Critical Node Name
-
Is Information Technology required for the facility for core operations (produce key services, goods)?
General Information Technology Detail
-
Do you report cyber security events to external parties (e.g., State Computer Security Incident Response Teams, US-CERT, law enforcement, information sharing forums, others)?
-
Do you consult external sources of vulnerability information and solutions (e.g., United States Computer Emergency Readiness Team (US-CERT), Computer Emergency Response Team Coordination Center (CERT/CC), SysAdmin, Audit, Network, Security (SANS) Institute, system vendors, etc.)?
-
How often are external sources consulted?
Internet Services
-
Are Internet services required for facility core operations?
General Internet Services Detail
-
What are the critical uses for Internet service?
-
Business Network Description
-
What types of control systems are used?
-
SCADA Description
-
PCS Description
-
What is the primary critical Internet mode (mode the loss of which would result in the most severe impact to facility functions)?
-
From which source is primary critical Internet access obtained?
-
Supplier
-
Describe
Internet Services Protective Measures
-
Have critical systems and components for providing Internet service been identified?
-
Describe
-
Is there more than one service connection (location) at the facility?
-
Are they in different geo-locations?
-
Describe
-
Is the internet service connection co-located with server room?
-
Are service connections located underground?
-
Service connections terminate in a protected room/facility/building?
Internet Loss of Service
-
Has the facility experienced Internet service outages within the last 6 months?
-
Is there a Contingency/Business Continuity Plan with provider for restoration?
-
Describe
-
If primary mode of Internet access is lost completely (and no back-up is employed), within what time period would the facility be degraded?
-
If primary Internet mode is lost, what would be used for back-up at this facility?
-
Once the facility is on back-up mode, what percentage of normal functions are lost or degraded?
Internet Service Briefing Notes
-
Notes
Overall Internet Service Comments
-
Comments
Internal IT Systems
-
Are internal IT systems required for facility core operations?
General Internal IT Systems Detail
-
What are the critical uses for internal IT systems?
-
Business Network Description
-
What types of control systems are used?
-
SCADA Systems
-
PCS
-
What is the primary critical internal IT mode (mode the loss of which would result in the most severe impact to facility functions)?
Primary Internal IT Systems protective measures
-
Have critical systems and components been identified?
-
Describe
-
Are there redundant separated critical servers or network components?
-
Does the facility use Back-up Data Storage?
-
How often are back-ups performed?
-
Are data restores performed and verified (e.g., back-up data is restored and checked to see if it works)?
-
Is access to control/computer rooms and remote equipment controlled?
-
Describe
-
Is there both a control and business network?
-
Is there network segmentation between control networks and business networks?
-
Describe Segmentation
Remote Access Policy
-
What is the remote access policy?
-
Are there user controls in place for staff?
-
Describe
-
Are there user controls in place for vendors?
-
Describe user controls
-
Can employees use remote access to continue operations during circumstances that may preclude access to the facility (e.g., hurricane aftermath or pandemic situations)?
-
Describe
Wireless Access Policy
-
What is the remote access policy?
Administration Policy
-
Has a cyber security assessment been conducted (internal only, external resources)?
-
Who conducted the cyber security assessment?
-
Describe
-
How often?
-
Is there a cyber security plan?
-
Describe
-
Are employees trained on appropriate security practices?
-
How often are Administrators trained on appropriate security practices?
-
How often are general employees trained on appropriate security practices?
-
Are security scans performed?
-
How often are security scans performed?
-
Is encryption used to transmit data?
-
Are standard configurations in place to harden Operating Systems?
-
If yes, select all that apply
- Disable unneeded services/ports
- Apply patches
- Corporate policy to enforce best practices
-
Are isolated test beds used for configuration changes (e.g., isolated system to test new equipment and software)?
Impact of Loss of Primary Internal IT System
-
If primary mode of primary internal IT system is lost completely (and no back-up is employed), within what time period would the facility be degraded?
-
If IT systems are lost, what would be used for back-up?
-
Describe
-
Once the facility is on back-up IT mode, what percentage of normal functions are lost or degraded?
Internal IT System Briefing Notes
-
Notes
Overall Internal IT Systems Comments
-
Comments
Information Technology Commendables
-
IT Commendable
-
Add an additional IT Commendable
IT Commendable
-
IT Commendable
1.5 Water Dependency
Water Dependency
-
Asset Name/Critical Node name
-
Is water required for the facility for core operations (produce key services, goods)?
General Water Detail
-
What is the purpose(s) of water usage?
-
Describe why it's critical to facility operations
-
What primary water sources apply?
Internal Water Sources
-
What type of internal water sources apply?
-
Describe
-
Do on-site sources produce enough water to handle full facility load?
-
Percent of Demand
External Water Sources
-
Water Provider
-
How many water service connections are there for the facility?
-
Can each service connection handle entire facility load?
-
If there are multiple service lines, where do they enter the facility?
-
Describe
-
Are the main service lines collocated with other utilities (e.g., utility corridors with electric, Communications, fiber, etc.)?
-
Are components of the water service located inside of the building (but still within control of facility) protected from vandalism or accidental damage?
-
Describe
-
Are components of the water supply located outside of the building (but still within control of facility) protected from vandalism or accidental damage?
-
Describe
Loss of Water Service
-
Has the facility experienced water service outages within the last 5 years?
-
Is there a Contingency/Business Continuity Plan with provider for restoration?
-
Explain
-
Does the facility participate in provider priority plan for restoration?
-
Explain
-
Is there on-site water storage?
-
Quantity
-
Quantity type
-
Can on-site storage support full core operations?
-
Duration
-
Duration Type
-
If all water service is lost (without considering any back-up or alternative mode), how soon would the facility be severely impacted?
-
If water service is lost (and any backup is implemented) what percentage of normal business functions are lost or degraded?
Water Briefing Notes
-
Notes
Overall Water Comments
-
Comments
Water Commendables
-
Commendable
-
Add an additional Commendable
Commendable
-
Commendable