Page 1: CIP-013-1: Compliance Auditing Approach

Reliability and Security Webinar

March 24, 2020

Holly Peterson, Senior Compliance Auditor—Cyber Security

Page 2: Agenda

• Effective Date
• Audit Approaches
• Review CIP-013-1
  ◦ Requirements & Applicability
  ◦ Audit Approach
• Internal Controls
• Frequently Asked Questions
• Resources
• Recent Activities

Page 3: Objective

For high- and medium-impact BES Cyber Systems, entities will learn about the required supply chain risk management (SCRM) measures and what to expect at audits when those measures are verified after the effective date of CIP-013-1.

Page 4: History

FERC Order 829 directed NERC to develop new or modified standards to address supply chain risk management, including four objectives:
• Software integrity and authenticity
• Vendor remote access
• Information system planning
• Vendor risk management and procurement controls

Page 5: CIP-013-1 Audit Approach

CIP-013-1 is mandatory and enforceable on July 1, 2020

Audits beginning October 1, 2020 could include CIP-013-1

CIP-013-1 Audit Approach Overview:
• R1: Review R1 plan & processes, including R1.2.1 through R1.2.6; develop R1 RSAW Narrative & R1 Finding
• R2: Review applicable R2 procurement implementations for audit period; develop R2 RSAW Narrative & R2 Finding
• R3: Review R3 review & approval documents for audit period; develop R3 RSAW Narrative & R3 Finding

Page 6: R1.1—Develop R1 Plan(s)

Addresses the directive in Order No. 829 to identify and document cybersecurity risks

Security objective: ensure entities consider cybersecurity risks from vendor products or services

Page 7: Vendor Definition

People, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract to supply BES Cyber Systems and related services
• Does not include other NERC registered entities providing reliability services (e.g., BA or RC)

Vendor, as used in the standard, may include:
• (i) developers or manufacturers of information systems, system components, or information system services;
• (ii) product resellers; or
• (iii) system integrators.

Reference: CIP-013-1 Rationale, p. 12

Page 8: R1.2—Plan Objectives

Addresses the directive in Order No. 829 for procurement controls to address the provision and verification of security concepts

Objective: for entities to include these topics in their plans so procurement and contract negotiation processes address the applicable risks

Page 9: R1 Audit Approach

For R1 verifications, audit team will review:
• Applicability of high- or medium-impact BCS
• R1 Risk Identification & Assessment methodology
  ◦ BCS lists
  ◦ Product & service types
  ◦ Procurement templates
  ◦ R2 implementation plan
  ◦ R3 review & approval plan
• R1 plan(s) addressing the required six R1.2 topics

Decision point: was a null list of applicable high or medium BCS reported? If so, CIP-013-1 is not applicable, since it does not apply to entities with no high or medium BCS.

Page 10: R2—Implementing Plans

Addresses the directive in Order No. 829 for implementing the R1 plan to include security objectives for supply chain management

Applies to implementation of new procurements
• Not required to renegotiate or rescind existing contracts

Page 11: R2 Audit Approach

For R2 verifications, audit team will review:
• List of applicable R2 procurements effective after July 1, 2020, through end of audit period
  ◦ Complete “Procurement” worksheet from ERO Enterprise Evidence Request Tool (v4.0)
• Implementation evidence for sampled procurements
  ◦ Identification & assessment of cybersecurity risk(s) specific to the six topics of R1.2

Page 12: Procurement Worksheet

Fields of the “Procurement” worksheet:
• Unique IDs—unique identifier or name associated with the procurement
• BES Cyber System Impact Level—high/medium
• Description—brief description of the products or services or vendor transition(s) associated with the procurement
• Planning start and end dates—planning dates associated with the procurement (leave blank if unknown)
• Procuring start and end dates—procuring dates associated with the procurement (leave blank if unknown)

Reference: CIP Evidence Request Tool User Guide, v4.0

Page 13: R2 Level 2 Sample Set

NERC sampling method will be used

For each unique ID/procurement sampled, evidence of:
• Identification and assessment of cybersecurity risk(s) specific to the six topics of R1.2

Note: Procurement documentation may be redacted to indicate only sections specific to CIP-013-1 R2 implementations

Page 14: R3—Review & Approval

Addresses Order No. 829 directives for entities to periodically reassess selected controls for supply chain cybersecurity risk management

Periodic assessments keep plans relevant to current and emerging supply-chain-related concerns and vulnerabilities

Page 15: R3 Audit Approach

For R3 verifications, audit team will review:
• Evidence of the most recent review and approval
• Evidence the R1 plan(s) and its parts were reviewed and approved by the CIP Senior Manager or delegate(s) at least once every 15 calendar months during the audit period

Page 16: Recap: CIP-013-1 Evidence

R1: Verification of R1 plan(s) includes both R1.1 and R1.2
• Confirm relevant parts are integrated with CIP-005-6 and CIP-010-3 processes or methods

R2: List of all applicable procurements during the audit period after July 1, 2020
• Description of procurement
  ◦ BCS, type, vendor, product, services
• Sample in accordance with NERC method
• Documentation for sampled procurements will be requested

R3: Evidence of reviews and approvals

Page 17: Internal Controls

What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address the risks associated with the reliable operation of its business during the implementation of the Standards

To develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1, R2, and R3 plan(s), processes, and procedures

Page 18: CIP-013 Internal Controls

Audit team may also:
• Identify and assess any applicable R1–R3 internal controls
• Assess what internal risks and potential failure points were considered
• Evaluate time-related tasks and related workflows

Page 19: Common Questions

What is the obligation to mitigate an identified risk if the vendor does not agree under the contract (for example, shipping and delivery)?
• A vendor’s intentional or unintentional ability to adhere to the conditions of an agreement as it relates to CIP-013-1 should be identified and assessed as a risk. As with all risks, it is the responsibility of the registered entity to mitigate them. As an example, the registered entity may address this risk by implementing internal controls and processes like using reputable shippers, tracking shipments, and requiring signatures on delivery.

Page 20: Common Questions

What if your processes in CIP-013-1 R1 Part 1.1 identified cybersecurity risk(s) with a vendor and you still proceed with products or services from that vendor?
• Any identified security risks should have some form of mitigation to reduce the risk(s); simply accepting the risks is not enough, unless the analysis shows no other reasonable mitigations are available.

Page 21: Common Questions

If an existing contract is in place with a vendor before July 1, 2020, but amended after that date, will CIP-013-1 apply?
• The risk assessment should be performed on the vendor, product, or service as dictated by the R1 plan. The registered entity’s R1 plan determines where and how the risk assessment is performed. While the action to renegotiate or rescind existing contracts is not required, it is expected that mitigations are implemented to address the risks of these elements not being contractually binding on the vendor.

Page 22: Remember

All procurements of products or services for applicable high- or medium-impact BES Cyber Systems that occur on or after the effective date (July 1, 2020) are in scope for the CIP-013-1 procurement planning processes and R2 implementation.

However, CIP-005-6 (R2 Parts 2.4 and 2.5) and CIP-010-3 (R1 Part 1.6) become effective on July 1, 2020, and apply to all high- and medium-impact BES Cyber Systems, including existing applicable BES Cyber Systems.

Page 23: Common Questions

Would we be found non-compliant if our R1 plan included a provision for an after-the-fact risk assessment to be conducted in emergency situations?
• CIP-013-1 applies to any procurement regardless of the scenario, including an emergency. CIP-013-1 is silent on any special provisions such as emergency procurements. You may identify certain hardware, software, or services that may be used during emergencies and perform risk assessments in planning for these situations to mitigate the supply chain risk.

Page 24: Common Questions

What about using purchasing cards in emergency situations?
• Although the standard does not directly address emergency procurements, an entity could consider including language in its R1 plan to address the potential use of purchasing cards in emergency situations. The entity should document (a) the emergency procurement process in the R1 plan, along with (b) documentation that entity personnel or approved contractors verified after-the-fact risks and mitigations of the procurement.

Page 25: Additional SCRM Resources

• CIP-013-1 Implementation Guidance
• ERO Endorsed Compliance Guidance
• CIPC & Supply Chain Working Group
• 2019 Small Group Advisory Session FAQ
• WICF partnership

Potential sources of information on current SCRM concerns:
• NERC or the E-ISAC
• ICS-CERT
• CCIRC

Page 26: Recent SCRM Activities

Project 2019-03 in progress
• CIP-013-2 will include EACMS and PACS associated with high- and medium-impact BES Cyber Systems

Draft 1 initial ballot & commenting ended March 11, 2020

In-person meeting this week

Draft 2 posting April 22 to June 8, 2020?
• Draft guidance and rationale included with this posting

Page 27: Low impact & SCRM

May 2019 NERC Staff Report: Cyber Security Supply Chain Risks
• Identified several supply chain risks associated with low-impact BCS, but had not yet recommended adding low-impact BCS as applicable systems in the upcoming revisions
• NERC staff expects entities that own only low-impact BES Cyber Systems to develop SCRM programs tailored to their unique risk profiles and priorities
• The APPA/NRECA developed white papers to provide considerations for smaller entities in developing such programs

Page 28: Section 1600 Data Request Results

Collected data from 1000+ organizations to understand the implications of supply chain vulnerabilities not yet covered by CIP
• 37% of entities have a mix of high-, medium-, and low-impact assets
• 63% of entities have only low-impact assets

Combined effect of a coordinated cyberattack could greatly affect BES reliability beyond the local area

More than 50% of all low-impact generation resources allow third-party electronic access

“NERC staff recommends modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity.”

Page 29: Preparing for SCRM Compliance

Given the seriousness of recent documented threats to the electrical grid from vendor products, services, and through vendor networks, and the upcoming effective date of CIP-013-1 (July 1, 2020), a prudent entity is already making significant progress toward:
• Developing and documenting its R1 SCRM plan
• Preparing an R2 implementation project plan, and
• Establishing a timely R3 review and approval process

Page 30: Contact

Holly Peterson, Senior Compliance Auditor—Cyber Security
[email protected]