CIP-013-1: Compliance Auditing Approach
Reliability and Security Webinar
March 24, 2020
Holly Peterson, Senior Compliance Auditor, Cyber Security

Agenda
• Effective Date
• Audit Approaches
• Review CIP-013-1
  ◦ Requirements & Applicability
  ◦ Audit Approach
• Internal Controls
• Frequently Asked Questions
  ◦ Resources
• Recent Activities

Objective
For high- and medium-impact BES Cyber Systems, entities will learn about required SCRM and what to expect at audits when those measures are verified after the effective date of CIP-013-1.

History
FERC Order 829 directed NERC to develop new or modified standards to address supply chain risk management, covering four objectives:
• Software integrity and authenticity
• Vendor remote access
• Information system planning
• Vendor risk management and procurement controls

CIP-013-1 Audit Approach Overview
• CIP-013-1 is mandatory and enforceable on July 1, 2020
• Audits beginning October 1, 2020 could include CIP-013-1
R1: Review R1 plan & processes, including R1.2.1 through R1.2.6; develop R1 RSAW Narrative & R1 Finding
R2: Review applicable R2 procurement implementations for the audit period; develop R2 RSAW Narrative & R2 Finding
R3: Review R3 review & approval documents for the audit period; develop R3 RSAW Narrative & R3 Finding

R1.1—Develop R1 Plan(s)
• Addresses the directive in Order No. 829 to identify and document cybersecurity risks
• Security objective: ensure entities consider cybersecurity risks from vendor products or services

Vendor Definition
People, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract to supply BES Cyber Systems and related services
• Does not include other NERC registered entities providing reliability services (e.g., BA or RC)
Vendor, as used in the standard, may include:
• (i) developers or manufacturers of information systems, system components, or information system services;
• (ii) product resellers; or
• (iii) system integrators.
Reference: CIP-013-1 Rationale, p. 12

R1.2—Plan Objectives
• Addresses the directive in Order No. 829 for procurement controls to address the provision and verification of security concepts
• Objective: for entities to include these topics in their plans so procurement and contract negotiation processes address the applicable risks

R1 Audit Approach
For R1 verifications, audit team will review:
• Applicability of high- or medium-impact BCS
• R1 Risk Identification & Assessment methodology
• BCS lists
• Product & service types
• Procurement templates
• R2 implementation plan
• R3 review & approval plan
• R1 plan(s) addressing the required six R1.2 topics
If a null list of applicable high or medium BCS is reported, CIP-013-1 is not applicable: the standard does not apply to entities with no high or medium BCS.

R2—Implementing Plans
• Addresses the directive in Order No. 829 for implementing the R1 plan to include security objectives for supply chain management
• Applies to implementation of new procurements
  ◦ Not required to renegotiate or rescind existing contracts

R2 Audit Approach
For R2 verifications, audit team will review:
• List of applicable R2 procurements effective after July 1, 2020, through end of audit period
  ◦ Complete “Procurement” worksheet from ERO Enterprise Evidence Request Tool (v4.0)
• Implementation evidence for sampled procurements
  ◦ Identification & assessment of cybersecurity risk(s) specific to six topics of R1.2

Procurement Worksheet
• Unique ID: unique identifier or name associated with the procurement
• BES Cyber System Impact Level: high/medium
• Description: brief description of the products or services or vendor transition(s) associated with the procurement
• Planning start and end dates: planning dates associated with the procurement (leave blank if unknown)
• Procuring start and end dates: procuring dates associated with the procurement (leave blank if unknown)
Reference: CIP Evidence Request Tool User Guide, v4.0

R2 Level 2 Sample Set
• NERC sampling method will be used
• For each unique ID/procurement sampled, evidence of:
  ◦ Identification and assessment of cybersecurity risk(s) specific to six topics of R1.2
Note: Procurement documentation may be redacted to show only the sections specific to CIP-013-1 R2 implementations

R3—Review & Approval
• Addresses Order No. 829 directives for entities to periodically reassess selected controls for supply chain cybersecurity risk management
• Periodic assessments keep plans relevant to current and emerging supply-chain-related concerns and vulnerabilities

R3 Audit Approach
For R3 verifications, audit team will review:
• Evidence of the most recent review and approval
• Evidence that the R1 plan(s) and its parts were reviewed and approved by the CIP Senior Manager or delegate(s) at least once every 15 calendar months during the audit period

Recap: CIP-013-1 Evidence
• Verification of R1 plan(s) includes both R1.1 and R1.2
  ◦ Confirm relevant parts are integrated with CIP-005-6 and CIP-010-3 processes or methods
• R2 list of all applicable procurements during the audit period after July 1, 2020
  ◦ Description of each procurement: BCS, type, vendor, product, services
  ◦ Sample in accordance with NERC method; documentation for sampled procurements will be requested
• R3 evidence of reviews and approvals
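As an added illustration (not from the webinar or from NERC), the R2 scoping rule (procurements on or after July 1, 2020, through the end of the audit period, for high/medium BCS only) and the R3 cadence (review and approval at least once every 15 calendar months) can be checked over the Procurement worksheet fields listed above. Assumptions: a procurement is dated by its procuring start, calendar months are compared at month granularity, and the worksheet rows and review dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CIP013_EFFECTIVE = date(2020, 7, 1)  # effective date stated in the deck
R3_MAX_MONTHS = 15                   # R3: review at least once every 15 calendar months

@dataclass
class Procurement:
    """One row of the Evidence Request Tool 'Procurement' worksheet (assumed column set)."""
    unique_id: str
    impact: str                              # BES Cyber System impact level: high/medium
    description: str
    procuring_start: Optional[date] = None   # blank (None) if unknown, per the user guide

def r2_scope(rows, audit_end):
    """Split rows into (in_scope, out_of_scope, needs_follow_up) unique IDs.
    Assumption: a procurement 'occurs' on its procuring start date."""
    in_scope, out, follow_up = [], [], []
    for p in rows:
        if p.impact.lower() not in ("high", "medium"):
            out.append(p.unique_id)          # CIP-013-1 applies only to high/medium BCS
        elif p.procuring_start is None:
            follow_up.append(p.unique_id)    # no date: auditor must ask the entity
        elif CIP013_EFFECTIVE <= p.procuring_start <= audit_end:
            in_scope.append(p.unique_id)
        else:
            out.append(p.unique_id)          # before July 1, 2020 or after the audit period
    return in_scope, out, follow_up

def calendar_months_between(a, b):
    """Month-granularity difference; this is how '15 calendar months' is counted here."""
    return (b.year - a.year) * 12 + (b.month - a.month)

def r3_gaps(review_dates):
    """Consecutive review/approval dates more than 15 calendar months apart."""
    ds = sorted(review_dates)
    return [(a.isoformat(), b.isoformat(), calendar_months_between(a, b))
            for a, b in zip(ds, ds[1:]) if calendar_months_between(a, b) > R3_MAX_MONTHS]

# Constructed sample data (not real entity records)
SAMPLE_AUDIT_END = date(2022, 6, 30)
SAMPLE_ROWS = [
    Procurement("P-001", "high", "EMS server refresh", date(2020, 8, 3)),
    Procurement("P-002", "medium", "relay firmware support contract", date(2020, 5, 20)),
    Procurement("P-003", "high", "vendor remote access appliance"),  # procuring date unknown
    Procurement("P-004", "low", "substation camera", date(2021, 1, 5)),
]
SAMPLE_REVIEWS = [date(2020, 6, 15), date(2021, 9, 10), date(2023, 1, 20)]
```

With the sample data, P-001 is the only procurement an auditor would put on the R2 list, P-003 needs a date before it can be classified, and the 16-month gap between the 2021 and 2023 reviews would be an R3 finding.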

Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards
To develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1, R2, and R3 plan(s), processes, and procedures

CIP-013 Internal Controls
Audit team may also:
• Identify and assess any applicable R1–R3 internal controls
• Assess what internal risks and potential failure points were considered
• Evaluate time-related tasks and related workflows

Common Questions
What is the obligation to mitigate an identified risk if the vendor does not agree under the contract, for example, shipping and delivery?
• A vendor’s intentional or unintentional ability to adhere to the conditions of an agreement as it relates to CIP-013-1 should be identified and assessed as a risk. As with all risks, it is the responsibility of the registered entity to mitigate them. As an example, the registered entity may address this risk by implementing internal controls and processes like using reputable shippers, tracking shipments, and requiring signatures on delivery.

Common Questions
What if your processes in CIP-013-1 R1 Part 1.1 identified cybersecurity risk(s) with a vendor and you still proceed with products or services from that vendor?
• Any identified security risks should have some form of mitigation to reduce the risk(s); simply accepting the risks is not enough, unless the analysis shows no other reasonable mitigations are available.

Common Questions
If an existing contract is in place with a vendor before July 1, 2020, but is amended after that date, will CIP-013-1 apply?
• The risk assessment should be performed on the vendor, product, or service as dictated by the R1 plan. The registered entity’s R1 plan determines where and how the risk assessment is performed. While the action to renegotiate or rescind existing contracts is not required, it is expected that mitigations are implemented to address the risks of these elements not being contractually binding on the vendor.

Remember
All procurements of products or services for applicable high- or medium-impact BES Cyber Systems that occur on or after the effective date (July 1, 2020) are in scope for the CIP-013-1 procurement planning processes and R2 implementation.
However, CIP-005-6 (R2 Parts 2.4 and 2.5) and CIP-010-3 (R1 Part 1.6) become effective on July 1, 2020, and apply to all high- and medium-impact BES Cyber Systems, including existing applicable BES Cyber Systems.

Common Questions
Would we be found non-compliant if our R1 plan included a provision for an after-the-fact risk assessment to be conducted in emergency situations?
• CIP-013-1 applies to any procurement regardless of the scenario, including an emergency. CIP-013-1 is silent on any special provisions such as emergency procurements. You may identify certain hardware, software, or services that may be used during emergencies and perform risk assessments in planning for these situations to mitigate the supply chain risk.

Common Questions
What about using purchasing cards in emergency situations?
• Although the standard does not directly address emergency procurements, an entity could consider including language in its R1 plan to address the potential use of purchasing cards in emergency situations. The entity should document (a) the emergency procurement process in the R1 plan, along with (b) documentation that entity personnel or approved contractors verified after-the-fact risks and mitigations of the procurement.

Additional SCRM Resources
• CIP-013-1 Implementation Guidance
• ERO Endorsed Compliance Guidance
• CIPC & Supply Chain Working Group
• 2019 Small Group Advisory Session FAQ
• WICF partnership
• Potential sources of information on current SCRM concerns:
  ◦ NERC or the E-ISAC
  ◦ ICS-CERT
  ◦ CCIRC

Recent SCRM Activities
Project 2019-03 in progress
• CIP-013-2 will include EACMS and PACS associated with high- and medium-impact BES Cyber Systems
• Draft 1 initial ballot & commenting ended March 11, 2020
• In-person meeting this week
• Draft 2 posting April 22 to June 8, 2020?
  ◦ Draft guidance and rationale included with this posting

Low impact & SCRM
May 2019 NERC Staff Report: Cyber Security Supply Chain Risks
• Identified several supply chain risks associated with low-impact BCS, but had not yet recommended adding low-impact BCS as applicable systems in the upcoming revisions
• NERC staff expects entities that own only low-impact BES Cyber Systems to develop SCRM programs tailored to their unique risk profiles and priorities
• The APPA/NRECA developed white papers to provide considerations for smaller entities in developing such programs

Section 1600 Data Request Results
Collected data from 1000+ organizations to understand the implications of supply chain vulnerabilities not yet covered by CIP
• 37% of entities have a mix of high-, medium-, and low-impact assets
• 63% of entities have only low-impact assets
• Combined effect of a coordinated cyberattack could greatly affect BES reliability beyond the local area
• More than 50% of all low-impact generation resources allow third-party electronic access
“NERC staff recommends modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity.”

Preparing for SCRM Compliance
Given the seriousness of recent documented threats to the electrical grid from vendor products, services, and through vendor networks, and the upcoming effective date of CIP-013-1 (July 1, 2020), a prudent entity is already making significant progress toward:
• Developing and documenting its R1 SCRM plan
• Preparing an R2 implementation project plan, and
• Establishing a timely R3 review and approval process

Contact: Holly Peterson, Senior Compliance Auditor, Cyber Security, [email protected]