CIP Technical Workshop
Scott R. Mix, CISSP, NERC CIP Technical Manager
Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist
Tobias R. Whitney, Manager, CIP Compliance
March 4, 2014
RELIABILITY | ACCOUNTABILITY2
Agenda
• Welcome
• Overview of FERC Order No. 791
• CIP V5 High-level Overview
• CIP V5 Core Requirements
• Break (15 min)
• Transition Study Progress & Lessons Learned
• Standards Drafting Progress
Administrative Issues
• NERC Antitrust Guidelines
It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.
• Notice of Open Meeting
Participants are reminded that this meeting is public. Speakers should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.
Overview of FERC Order No. 791
Final Rule Highlights
• Final Rule Issued November 22, 2013
  – Docket RM13-5
  – Order No. 791
  – 146 page rule
  – Published in Federal Register December 3, 2013
Final Rule Highlights
• Effective Date of Final Rule: February 3, 2014
  – Effective Date for Compliance with all non-periodic requirements: April 1, 2016 for High and Medium Impact; April 1, 2017 for Low Impact
  – Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1, 2016
Final Rule Highlights
• Approved technical requirements
• Approved 19 definitions
• Approved implementation plan
  – Approved bypass of Version 4
• Approved, with modifications, VRF / VSL
Final Rule Highlights
• Submit modified VRF / VSL within 90 days
• Submit two directed changes and one informational filing within one year
  – IAC
  – Communications Networks
  – Survey: 15-minute clause
• Two other directed changes do not have a specified time frame
  – Low Impact BES Cyber Systems
  – Transitory Devices
IAC Language
• Address concerns with IAC Language
  – Prefer to have compliance language removed from requirements
  – Allow for flexibility for addressing concerns
• Supports move away from “zero tolerance” compliance approach for the 17 requirements
• IAC language ambiguous, concerns about inconsistent application, unclear expectations placed on industry
• Submit within one year
BES Cyber Asset Categorization
• Allow impact-based categorization
  – May revisit in future
  – Not persuaded to move blackstart from Low to Medium, but may revisit
  – Does not consider connectivity, but may revisit
  – Confirm that Low will not include non-BES assets
Low Impact requirements
• Lack of objective criteria for evaluating Low Impact protections
  – “Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process”
  – Open to alternative approaches
  – “… the criteria NERC proposes for evaluating a responsible entities’ protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.”
• No detailed inventory required … list of locations / Facilities OK
15-Minute Parameter
• Survey industry about impacts of 15-minute parameter during transition period
  – What Cyber Assets are included / excluded by the 15-minute parameter
• Informational filing to FERC in one year
• Commission may revisit issue following informational filing
30-day exemption in Definition
• Do not direct change to definition
• Directed modifications to address transient devices issues
Transient Devices
• Devices connected for less than 30 days (USB, laptop, etc.)
• Direct modifications to address the following concerns:
  – Device authorization
  – Software authorization
  – Security patch management
  – Malware prevention
  – Unauthorized physical access
  – Procedures for connecting to different impact level systems
Communications Network
• Approve definition of Cyber Asset without change
• Direct creation of definition of “communication networks” and requirements to address issues:
  – Locked wiring closets
  – Disconnected or locked spare jacks
  – Protection of cabling by conduit or cable trays
• Submit within one year
• Include discussion in FERC Staff-led conference
Implementation Plan
• Approve implementation Plan as filed
  – 24-month for High & Medium
  – 36-month for Low
  – Bypass Version 4
• Support NERC proposal to develop transition guidance and pilot program
• Declined to extend implementation plan
• Not persuaded to allow early shift to V5
  – However, “issues of early compliance can be addressed by NERC and Registered Entities as appropriate.”
Rehearing Requests
• Three Rehearing requests submitted
1. Utility Services, Inc.
   o Defer start of implementation period to April 1, 2016
2. EEI/EPSA
   o Hold a Technical Conference rather than conduct a Survey
   o Clarify Implementation Date for High & Medium
   o Delay Implementation Date for Low until modifications approved (FERC Directive)
   o Hold Technical Conference on Communication Networks in 90 days
Rehearing Requests
3. APPA/NRECA
   o Elimination of “IAC” language creates implementation uncertainty
     – Standards may become enforceable before IAC changes are approved
   o Clarify rationale supporting determination that a Regulatory Flexibility Act analysis is not required
• No timeframe specified for FERC response to Rehearing Requests
FERC Staff-led Technical Conference
• FERC Staff-led technical Conference (from P224-225 of Order No. 791)
  – Announced February 27, 2014
  – Conference held April 29, 2014 starting at 9:00 AM
  – Topics to be addressed (from conference announcement):
    1) whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access;
    2) the adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks; and
    3) functional differences between the respective methods utilized for identification, categorization, and specification of appropriate levels of protection for cyber assets using CIP version 5 Standards as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework.
CIP V5 High-level Overview
CIP Standards – Version 5
• New / Modified Terms:
  – BES Cyber Asset
  – BES Cyber System
  – BES Cyber System Information
  – CIP Exceptional Circumstance
  – CIP Senior Manager
  – Control Center
  – Cyber Assets
  – Cyber Security Incident
  – Dial-up Connectivity
  – Electronic Access Control and Monitoring Systems (EACMS)
  – Electronic Access Point (EAP)
  – Electronic Security Perimeter (ESP)
  – External Routable Connectivity
  – Interactive Remote Access
  – Intermediate Device
  – Physical Access Control Systems (PACS)
  – Physical Security Perimeter (PSP)
  – Protected Cyber Asset (PCA)
  – Reportable Cyber Security Incident
CIP Standards – Version 5
• High Impact
  – Large Control Centers
  – CIP-003 to 009 V4 “plus”
• Medium Impact
  – Generation and Transmission
  – Control Centers
  – Similar to CIP-003 to 009 V4
• All other BES Cyber Systems (Low Impact) must implement a policy to address:
  – Cybersecurity Awareness
  – Physical Security Controls
  – Electronic Access Controls
  – Incident Response
[Figure: V3/V4 to V5 mapping. V3/V4 categories: Critical; Non-Critical; Non-Impactful (Distribution, Marketing, Business). V5 impact levels: High (Large Control Centers); Medium (Control Centers; Generation and Transmission); Low (Small Control Centers; Generation and Transmission).]
CIP Standards – Version 5
[Figure: layout of a V5 requirement table. Each requirement carries Rationale, Guidance & Changes, and the Main Requirement and Measure; each requirement part carries Applicable Systems for the requirement part, Requirement part text, Requirement part Measure text, Requirement part Reference, and Requirement part change rationale.]
CIP V5 Core Requirements
Objectives
• Walk through CIP V5 core technical requirements
• Look at differences from V3/V4
• Electronic Security Perimeter(s) – CIP-005
• Physical Security of BES Cyber Systems – CIP-006
• Systems Security Management – CIP-007
• Configuration Change Management and Vulnerability Assessments – CIP-010
CIP-005 – Electronic Security Perimeter(s)
Part 1.3 - Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
Applicable Systems: EAPs for High and Medium Impact BES Cyber Systems
• Introduces reasoning explicitly in the requirement
• Outbound rules now required
• No annual document review required
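As an added example (not from the workshop or NERC), the following Python check shows what a Part 1.3 review of an EAP access list can verify mechanically: a documented reason on every permit, rules in both directions, and an explicit deny-all closing each direction. The rule layout is a constructed, hypothetical one rather than any vendor's export format.

```python
"""Review an EAP access-permission list against CIP-005-5 Part 1.3.

Constructed, hypothetical rule format (not any vendor's export): one Rule per
line of the access list, in the order the EAP evaluates them. Direction is
relative to the ESP ("inbound" = toward the BES Cyber Systems).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    action: str       # "permit" or "deny"
    src: str          # address/prefix or "any"
    dst: str          # address/prefix or "any"
    service: str      # e.g. "tcp/443" or "any"
    reason: str = ""  # Part 1.3: the documented reason for granting access


def is_deny_all(rule: Rule) -> bool:
    """A rule that denies every source, destination and service."""
    return rule.action == "deny" and (rule.src, rule.dst, rule.service) == ("any", "any", "any")


def review_eap_rules(rules: List[Rule]) -> List[str]:
    """Return the Part 1.3 findings for one EAP; an empty list means the set passes.

    Checks: both directions are defined, every permit carries a reason,
    each direction ends in an explicit deny-all, and nothing is placed
    after that deny-all (such a rule can never match).
    """
    findings = []
    for direction in ("inbound", "outbound"):
        dir_rules = [r for r in rules if r.direction == direction]
        if not dir_rules:
            findings.append(f"no {direction} rules: Part 1.3 requires both directions")
            continue
        seen_deny_all = False
        for i, r in enumerate(dir_rules):
            if seen_deny_all:
                findings.append(f"{direction} rule {i}: unreachable, placed after a deny-all")
            if r.action == "permit" and not r.reason.strip():
                findings.append(f"{direction} rule {i}: permit without a reason ({r.src} -> {r.dst} {r.service})")
            if is_deny_all(r):
                seen_deny_all = True
        if not is_deny_all(dir_rules[-1]):
            findings.append(f"{direction}: last rule is not an explicit deny-all (default deny missing)")
    return findings


# Constructed sample sets (addresses and services are illustrative only).
GOOD_RULES = [
    Rule("inbound", "permit", "10.10.1.0/24", "10.20.0.5", "tcp/443",
         "Operator HTTPS access to EMS web console from the control center LAN"),
    Rule("inbound", "deny", "any", "any", "any", "Default deny"),
    Rule("outbound", "permit", "10.20.0.0/24", "10.10.5.10", "udp/514",
         "Syslog forwarding to the SIEM collector (CIP-007 R4)"),
    Rule("outbound", "deny", "any", "any", "any", "Default deny"),
]

BAD_RULES = [
    Rule("inbound", "permit", "any", "10.20.0.5", "tcp/23"),                # no reason recorded
    Rule("inbound", "deny", "any", "any", "any", "Default deny"),
    Rule("outbound", "deny", "any", "any", "any", "Default deny"),
    Rule("outbound", "permit", "10.20.0.0/24", "any", "any", "Everything"),  # shadowed, and not a deny-all
]

if __name__ == "__main__":
    for name, ruleset in (("GOOD", GOOD_RULES), ("BAD", BAD_RULES)):
        print(name, review_eap_rules(ruleset) or ["passes Part 1.3 checks"])
```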
CIP-005
Part 1.4 - Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
Applicable Systems: High and Medium Impact BES Cyber Systems with Dial-up Connectivity and their associated PCAs
• The process must identify how to authenticate the user
CIP-005
Part 1.5 - Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
Applicable Systems: EAPs for High Impact BES Cyber Systems; EAPs for Medium Impact BES Cyber Systems at Control Centers
• Traffic inspection is part of requirement
• Multiple layers of perimeter protection
• If firewall fails, IDS can trigger a secondary security measure
CIP-005
Part 2.1 – Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA
• Cannot be located in the ESP
• Intermediate System serves as proxy
• Allows for restrictive rules
• Protection from vulnerabilities on remote device
CIP-005
Part 2.2 – For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA
• Initiated from outside the ESP using routable
• Protects Confidentiality and Integrity
CIP-005
Part 2.3 – Require multi-factor authentication for all Interactive Remote Access sessions.
Applicable Systems: High Impact BES Cyber Systems and their associated PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA
• Does not include system to system process communications
• Replaces “strong technical and procedural controls”
• Multi-factor is a well-known security concept
  – Something you know
  – Something you have
  – Something you are
  – Somewhere you are
CIP-006 – Physical Security of BES Cyber Systems
• Programmatic protections
• Does not require detailed list of individuals with access
IAC
CIP-006
Part 1.2 – Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.
Applicable Systems: Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS, PCA
• 1 physical access control
• Authorized unescorted physical access
CIP-006
Part 1.3 – Where technically feasible, utilize two or more different physical access controls to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PCA
• 2 physical access controls
• Authorized unescorted physical access
• No single authenticator
CIP-006
Part 3.1 – Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly.
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PCA
• Maintenance and testing every 24 months
• Includes PACS and local hardware
CIP-007 – Systems Security Management
Requirement R1
• Enable logical ports per device capability
  – Devices with no capability to disable, deemed necessary
• Protect against use of unnecessary physical ports
  – Physical or logical controls
IAC
CIP-007
Part 2.1 - A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Identification of patch sources
• Entity chooses source for “clock start” on review
CIP-007
Part 2.2 - At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• 35 day review of applicability
CIP-007
Part 2.3 - For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
• Apply the applicable patches; or
• Create a dated mitigation plan; or
• Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Actions to mitigate vulnerabilities
• Timeframe
CIP-007
Part 2.4 - For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Plan MUST be executed as defined
• Extensions are allowed
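An added example (mine, not the workshop's) that turns the Part 2.2 to 2.4 clock into code: the 35-day evaluation cadence, the 35-day apply-or-plan window, the plan's own timeframe, and the rule that only an approval by the CIP Senior Manager or delegate makes an extension count. The record layout, patch identifiers and dates are constructed assumptions.

```python
"""Track CIP-007-5 R2 patch-management deadlines (Parts 2.2 to 2.4).

Constructed, hypothetical record layout; patch identifiers and dates are
illustrative only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EVAL_INTERVAL = timedelta(days=35)   # Part 2.2: evaluate at least once every 35 calendar days
ACTION_WINDOW = timedelta(days=35)   # Part 2.3: apply or plan within 35 days of evaluation completion


def next_evaluation_due(last_evaluation: date) -> date:
    """Latest date by which the next Part 2.2 applicability evaluation must be completed."""
    return last_evaluation + EVAL_INTERVAL


@dataclass
class PatchDisposition:
    patch_id: str
    evaluated_on: date                           # Part 2.2 evaluation completion
    applicable: bool
    applied_on: Optional[date] = None            # Part 2.3 option: patch applied
    plan_created_on: Optional[date] = None       # Part 2.3 option: dated mitigation plan created/revised
    plan_due: Optional[date] = None              # timeframe stated in the mitigation plan
    plan_done_on: Optional[date] = None          # Part 2.4: plan implemented
    extended_due: Optional[date] = None          # Part 2.4: extended timeframe, if any
    extension_approved_by: Optional[str] = None  # must be the CIP Senior Manager or delegate


def action_deadline(d: PatchDisposition) -> date:
    """Last day for the Part 2.3 action on this patch."""
    return d.evaluated_on + ACTION_WINDOW


def assess(d: PatchDisposition, today: date) -> List[str]:
    """Findings for one patch record as of `today`; an empty list means on track."""
    findings: List[str] = []
    if not d.applicable:
        return findings          # not applicable: the determination is documented, nothing to track
    deadline = action_deadline(d)
    acted_on = d.applied_on or d.plan_created_on
    if acted_on is None:
        if today > deadline:
            findings.append(f"{d.patch_id}: no apply/plan action by {deadline} (Part 2.3)")
        return findings
    if acted_on > deadline:
        findings.append(f"{d.patch_id}: action on {acted_on} is after the {deadline} deadline (Part 2.3)")
    if d.applied_on is not None:
        return findings          # applied: no mitigation plan to carry forward
    if d.plan_due is None:
        findings.append(f"{d.patch_id}: mitigation plan has no timeframe (Part 2.3)")
        return findings
    # Part 2.4: the plan's own timeframe governs unless an approved extension replaces it.
    effective_due = d.plan_due
    if d.extended_due is not None:
        if d.extension_approved_by:
            effective_due = d.extended_due
        else:
            findings.append(f"{d.patch_id}: extension not approved by CIP Senior Manager or delegate (Part 2.4)")
    completed = d.plan_done_on if d.plan_done_on is not None else today
    if completed > effective_due:
        state = "completed" if d.plan_done_on else "still open"
        findings.append(f"{d.patch_id}: mitigation plan {state} after its {effective_due} timeframe (Part 2.4)")
    return findings


# Constructed sample records, assessed as of a fixed date.
TODAY = date(2016, 6, 1)
PATCH_APPLIED = PatchDisposition("VENDOR-SA-2016-001", date(2016, 4, 5), True, applied_on=date(2016, 4, 20))
PATCH_IGNORED = PatchDisposition("VENDOR-SA-2016-002", date(2016, 4, 5), True)
PATCH_EXTENDED = PatchDisposition("VENDOR-SA-2016-003", date(2016, 4, 5), True,
                                  plan_created_on=date(2016, 4, 30), plan_due=date(2016, 5, 15),
                                  extended_due=date(2016, 6, 30), extension_approved_by="CIP Senior Manager")
PATCH_UNAPPROVED = PatchDisposition("VENDOR-SA-2016-004", date(2016, 4, 5), True,
                                    plan_created_on=date(2016, 4, 30), plan_due=date(2016, 5, 15),
                                    extended_due=date(2016, 6, 30))

if __name__ == "__main__":
    for rec in (PATCH_APPLIED, PATCH_IGNORED, PATCH_EXTENDED, PATCH_UNAPPROVED):
        print(rec.patch_id, assess(rec, TODAY) or ["on track"])
```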
CIP-007
Part 3.1 - Deploy method(s) to deter, detect, or prevent malicious code.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Describe how to address malware on BES Cyber Systems
  – Policies
  – System hardening
  – White listing
  – Traditional AV
• Creativity
CIP-007
Part 3.2 - Mitigate the threat of detected malicious code.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• How to remove the identified malicious code?
• Increased monitoring until removal
• White listing – code does not run, but is still there
• No maximum timeframe prescribed
CIP-007
Part 4.1 - Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Minimum per Cyber Asset capability
CIP-007
Part 4.2 - Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.
Applicable Systems: High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and associated EACMS and PACS and PCA
IAC
• Entity determines security event requiring response
• SIEM, text, e-mail, alarms, displays
CIP-007
Part 4.4 - Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Applicable Systems: High Impact BES Cyber Systems and associated EACMS and PCA
IAC
• Description of review process
• Any findings
• Dates
CIP-007
Part 5.3 - Identify individuals who have authorized access to shared accounts.
Applicable Systems: High Impact BES Cyber Systems and associated EACMS and PACS and PCA; Medium Impact BES Cyber Systems with External Routable Connectivity and associated EACMS and PACS and PCA
IAC
• Added “authorized”
• Storing, losing, sharing passwords not a violation
CIP-007
Part 5.4 - Change known default passwords, per Cyber Asset capability
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Per Cyber Asset Capability
• Hard coded passwords
CIP-007
Part 5.5 - For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
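Added example (not from the workshop): the Part 5.5 "lesser of" rule applied per Cyber Asset capability, so that a device limited to a 4-digit numeric code is held to 4 characters and 1 character type rather than to 8 and 3. The capability values for the sample assets are constructed assumptions, not vendor figures.

```python
"""Apply the CIP-007-5 Part 5.5 "lesser of" password parameters per Cyber Asset capability.

Constructed example: the asset capability values (maximum length, maximum
number of character types) are illustrative, not from any vendor documentation.
"""
from typing import List, Optional, Tuple

REQUIRED_LENGTH = 8    # 5.5.1: at least the lesser of eight characters or the asset maximum
REQUIRED_CLASSES = 3   # 5.5.2: at least the lesser of three character types or the asset maximum


def character_classes(password: str) -> int:
    """Count the distinct character types present (upper, lower, numeric, non-alphanumeric)."""
    present = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "other": any(not c.isalnum() for c in password),
    }
    return sum(present.values())


def policy_for_asset(max_length: Optional[int], max_classes: Optional[int]) -> Tuple[int, int]:
    """Return (minimum length, minimum character types) this asset must enforce.

    None means the asset imposes no limit, so the standard's own figure applies;
    otherwise the lesser of the standard's figure and the asset maximum governs.
    """
    min_len = REQUIRED_LENGTH if max_length is None else min(REQUIRED_LENGTH, max_length)
    min_classes = REQUIRED_CLASSES if max_classes is None else min(REQUIRED_CLASSES, max_classes)
    return min_len, min_classes


def check_password(password: str, max_length: Optional[int], max_classes: Optional[int]) -> List[str]:
    """Findings for a candidate password on an asset with the given capability; empty means acceptable."""
    min_len, min_classes = policy_for_asset(max_length, max_classes)
    findings = []
    if len(password) < min_len:
        findings.append(f"length {len(password)} < required {min_len} (5.5.1)")
    classes = character_classes(password)
    if classes < min_classes:
        findings.append(f"{classes} character type(s) < required {min_classes} (5.5.2)")
    # Practical caveat: a value longer than the asset accepts may be silently truncated.
    if max_length is not None and len(password) > max_length:
        findings.append(f"length {len(password)} exceeds the asset maximum of {max_length}")
    return findings


if __name__ == "__main__":
    # Constructed assets: a server with no limits, and a device taking only a 4-digit numeric code.
    for pw, max_len, max_cls in (("Tr0ub4dor!", None, None), ("abc12345", None, None), ("1234", 4, 1)):
        print(pw, policy_for_asset(max_len, max_cls), check_password(pw, max_len, max_cls) or "ok")
```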
CIP-007
Part 5.7 - Where technically feasible, either:
• Limit the number of unsuccessful authentication attempts; or
• Generate alerts after a threshold of unsuccessful authentication attempts.
Applicable Systems: High Impact BES Cyber Systems and Medium Impact BES Cyber Systems at Control Centers and associated EACMS and PACS and PCA
IAC
• Reduces risk of live password cracking
• No set threshold
  – Prevent false-positives
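An added example, not from the workshop, serving Parts 4.1, 4.2 and 5.7 together: detection logic run over constructed log lines that raises the 4.2.1 malicious-code alert, the 4.2.2 logging-failure alert (both for an explicit "logging stopped" event and for a source that goes quiet), and a 5.7 alert when failed logins for one account pass a threshold inside a time window. The log format, hosts, users, addresses and threshold values are all assumptions; Part 5.7 itself sets no number.

```python
"""Alerting over constructed event-log lines for CIP-007-5 Parts 4.1, 4.2 and 5.7.

Constructed, hypothetical log format (not any product's):
    <ISO timestamp> <host> <facility> <event> [key=value ...]
The threshold and window values are illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one line into its fixed fields plus any key=value pairs; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, facility, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    fields.update(ts=ts, host=host, facility=facility, event=event)
    return fields


def alerts_from_logs(lines: List[str], fail_threshold: int = 5,
                     window: timedelta = timedelta(minutes=15),
                     heartbeat_gap: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Return (alert type, host, detail) tuples in the order they would fire."""
    alerts = []
    fails = defaultdict(deque)            # (host, user) -> timestamps of recent failures
    last_seen: Dict[str, datetime] = {}   # host -> last event time, for the 4.2.2 heartbeat
    now = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        now = ts if now is None else max(now, ts)
        # 4.2.2: a source quiet for longer than the gap is a suspected logging failure.
        if host in last_seen and ts - last_seen[host] > heartbeat_gap:
            alerts.append(("logging-gap", host, f"no events for {ts - last_seen[host]} (Part 4.2.2)"))
        last_seen[host] = ts
        if ev["facility"] == "auth" and ev["event"] == "FAIL":       # 4.1.2 failed login
            key = (host, ev.get("user", "?"))
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > window:                           # keep only failures inside the window
                q.popleft()
            if len(q) >= fail_threshold:                              # 5.7 threshold alert
                alerts.append(("auth-threshold", host, f"{len(q)} failed logins for {key[1]} within {window} (Part 5.7)"))
                q.clear()                                             # one alert per burst, not per extra failure
        elif ev["facility"] == "av" and ev["event"] == "DETECT":      # 4.1.3 / 4.2.1 malicious code
            alerts.append(("malicious-code", host, f"{ev.get('name', '?')} at {ev.get('path', '?')} (Part 4.2.1)"))
        elif ev["facility"] == "logd" and ev["event"] == "STOPPED":   # 4.2.2 explicit logging failure
            alerts.append(("logging-failure", host, "event logging stopped (Part 4.2.2)"))
    # End of batch: any host not heard from within the gap before the latest event.
    for host, ts in last_seen.items():
        if now is not None and now - ts > heartbeat_gap:
            alerts.append(("logging-gap", host, f"silent since {ts} (Part 4.2.2)"))
    return alerts


# Constructed sample lines (hosts, users and addresses are illustrative only).
SAMPLE_LOG = """
2016-04-05T10:00:00 ems-srv01 auth OK user=oper1 src=10.10.1.7
2016-04-05T10:00:00 ems-hist01 app OK msg=started
2016-04-05T10:01:00 ems-srv01 auth FAIL user=oper1 src=10.10.1.7
2016-04-05T10:02:00 ems-srv01 auth FAIL user=oper1 src=10.10.1.7
2016-04-05T10:03:00 ems-srv01 auth FAIL user=oper1 src=10.10.1.7
2016-04-05T10:04:00 ems-srv01 auth FAIL user=oper1 src=10.10.1.7
2016-04-05T10:05:00 ems-srv01 auth FAIL user=oper1 src=10.10.1.7
2016-04-05T10:10:00 ems-srv02 av DETECT name=EICAR-Test-File path=/tmp/eicar.com
2016-04-05T10:15:00 ems-srv02 logd STOPPED
2016-04-05T10:20:00 ems-srv02 logd STARTED
2016-04-05T10:30:00 ems-srv01 auth OK user=oper2 src=10.10.1.9
2016-04-05T11:00:00 ems-srv02 auth OK user=oper3 src=10.10.1.8
2016-04-05T11:15:00 ems-srv01 auth OK user=oper1 src=10.10.1.7
2016-04-05T11:45:00 ems-srv02 auth OK user=oper3 src=10.10.1.8
2016-04-05T12:00:00 ems-srv01 auth OK user=oper1 src=10.10.1.7
""".strip().splitlines()

if __name__ == "__main__":
    for alert in alerts_from_logs(SAMPLE_LOG):
        print(alert)
```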
CIP-010 – Configuration Change Management and Vulnerability Assessments
Part 1.1 - Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
Applicable Systems: High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
IAC
• Identifies a change management process to be invoked
CIP-010
Part 1.4 – For a change that deviates from the existing baseline:
1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification.
Applicable Systems: High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA
IAC
• CIP-007-3 R1 procedures are now implicit in meeting requirement
• Explicitly defines CIP-005 and CIP-007 security controls
• No adverse effects of those controls after change
CIP-010
Part 1.5 – Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Applicable Systems: High Impact BES Cyber Systems
IAC
• Requires review of both test and production environments
• Important note: EACH* change
• If test used, describe ANY* differences
• If production used, method to minimize adverse effects
CIP-010
Part 2.1 – Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PCA
IAC
• Once a month review of malicious or intentional changes
• Investigate unauthorized changes
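Added example (not from the workshop): a Part 2.1 monitoring run that diffs an observed configuration against the approved Part 1.1 baseline, item by item, and separates deviations covered by an approved change record from those that must be documented and investigated. Asset names, versions, ports and patch identifiers are constructed.

```python
"""Compare an observed configuration to the approved CIP-010-1 Part 1.1 baseline (Part 2.1 monitoring).

Constructed, hypothetical asset data; OS, software, port and patch identifiers
are illustrative only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Set, Tuple

MONITOR_INTERVAL = timedelta(days=35)   # Part 2.1: monitor at least once every 35 calendar days

Deviation = Tuple[str, str, str]        # (baseline item, "added"/"removed"/"changed", value)


@dataclass(frozen=True)
class Baseline:
    os_or_firmware: str                    # 1.1.1 OS (with version) or firmware
    commercial_software: FrozenSet[str]    # 1.1.2 "name version" of intentionally installed packages
    custom_software: FrozenSet[str]        # 1.1.3 custom software (with version)
    network_ports: FrozenSet[str]          # 1.1.4 logical network accessible ports, e.g. "tcp/22"
    security_patches: FrozenSet[str]       # 1.1.5 security patches applied


def next_monitoring_due(last_check: date) -> date:
    """Latest date for the next Part 2.1 baseline check."""
    return last_check + MONITOR_INTERVAL


def diff_baseline(approved: Baseline, observed: Baseline) -> List[Deviation]:
    """Every difference between the approved baseline and what was observed, in Part 1.1 item order."""
    deviations: List[Deviation] = []
    if approved.os_or_firmware != observed.os_or_firmware:
        deviations.append(("1.1.1", "changed", f"{approved.os_or_firmware} -> {observed.os_or_firmware}"))
    set_items = (
        ("1.1.2", approved.commercial_software, observed.commercial_software),
        ("1.1.3", approved.custom_software, observed.custom_software),
        ("1.1.4", approved.network_ports, observed.network_ports),
        ("1.1.5", approved.security_patches, observed.security_patches),
    )
    for item, before, after in set_items:
        for value in sorted(before - after):
            deviations.append((item, "removed", value))
        for value in sorted(after - before):
            deviations.append((item, "added", value))
    return deviations


def unauthorized_changes(deviations: List[Deviation], authorized: Set[Deviation]) -> List[Deviation]:
    """Deviations not covered by an approved change record: these must be documented and investigated."""
    return [d for d in deviations if d not in authorized]


# Constructed sample: approved baseline, what the monitoring run observed, and the approved change records.
LAST_CHECK = date(2016, 4, 5)
APPROVED = Baseline(
    os_or_firmware="RelayOS 4.2.1",
    commercial_software=frozenset({"NTP client 4.2"}),
    custom_software=frozenset({"loadcalc 1.2"}),
    network_ports=frozenset({"tcp/22", "tcp/502"}),
    security_patches=frozenset({"VENDOR-SA-2015-009"}),
)
OBSERVED = Baseline(
    os_or_firmware="RelayOS 4.2.1",
    commercial_software=frozenset({"NTP client 4.2"}),
    custom_software=frozenset({"loadcalc 1.3"}),
    network_ports=frozenset({"tcp/22", "tcp/502", "tcp/23"}),
    security_patches=frozenset({"VENDOR-SA-2015-009", "VENDOR-SA-2016-001"}),
)
# Deviations that an approved change record (hypothetical) already accounts for.
AUTHORIZED: Set[Deviation] = {("1.1.5", "added", "VENDOR-SA-2016-001")}

if __name__ == "__main__":
    print("next check due:", next_monitoring_due(LAST_CHECK))
    for d in unauthorized_changes(diff_baseline(APPROVED, OBSERVED), AUTHORIZED):
        print("investigate:", d)
```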
CIP-010
Part 3.1 – At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
Applicable Systems: High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA
• Paper
  – network discovery - review of network connectivity to identified EAP to the ESP
  – port and service identification - look for all ports and services and appropriate business justification
  – vulnerability review - rule set reviews, default accounts, passwords, and network management community strings
  – wireless review - a review of common wireless networks and their controls that affect BES Cyber Systems communications
CIP-010
Part 3.1 – At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
Applicable Systems: High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA
• Active
  – network discovery - active discovery tools for devices
  – port and service identification - nmap
  – vulnerability review - live vulnerability scanning tools
  – wireless review - wireless scanning tools
CIP-010
Part 3.2 – Where technically feasible, at least once every 36 calendar months:
3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and
3.2.2 Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Applicable Systems: High Impact BES Cyber Systems
• Again, if test environment used, identify differences
• If production is used, minimize adverse effects
CIP-010
Part 3.3 – Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration of the previous or other existing Cyber Asset.
Applicable Systems: High Impact BES Cyber Systems and associated EACMS and PCA
• Active CVA for introduction of new Cyber Assets
• Replacements and baselines of other Cyber Assets do not count
CIP-010
Part 3.4 – Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action items.
Applicable Systems: High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA
• Results and Action plans of findings
• Define a planned date of completion and status for those findings
References
• Mapping Document: http://www.nerc.com/pa/Stand/Project%20200806%20Cyber%20Security%20Order%20706%20DL/Mapping_Document_012913.pdf

CIP-002 | CIP-005            | CIP-006       | CIP-007            | CIP-010
ALL     | 1.2, 1.3, 1.4, 1.5 | 1.2, 1.3, 1.4 | 1.1, 1.2           | 1.1, 1.4, 1.5
        | 2.1, 2.2, 2.3      | 2.1, 2.2      | 2.1, 2.2, 2.3, 2.4 | 3.3
        |                    |               | 3.1, 3.2           |
        |                    |               | 4.1, 4.2, 4.4      |
        |                    |               | 5.5, 5.7           |
Break
15 Minute Break
Transition Study Progress & Lessons Learned
Purpose of the Transition Program
• Address V3 to V5 Transition issues.
• Provide a clear roadmap for V5 steady-state.
• Justifies budget for V5 implementation and compliance.
• Foster communication and knowledge sharing.
“Support all entities in the timely, effective, and efficient transition to CIP Version 5”
CIP V5 Transition Program Elements
Periodic Guidance
• A new transition guidance will be provided after V5 Order
Implementation Study
• 6 entities with strong compliance cultures
• 6-8 month implementation of V5 for certain facilities
• Lessons learned throughout and after study phase
Compliance and Enforcement
• Integration with RAI
• Identify means and method to address self-corrective processes and internal controls
Outreach & Communications
• New website created for all Transition Program activity
Training
• Quarterly training opportunities will be provided to industry
Purpose of RAI
• An ERO strategic initiative to transform the current compliance monitoring and enforcement program that:
  – Focuses on high reliability risk areas
  – Reduces unnecessary administrative burdens
• Three main goals:
  – Building on the success of Find, Fix and Track (FFT)
  – Design a compliance program that:
    o Recognizes an entity’s risk to reliability
    o Appropriately scopes audits and applies proper audit techniques and approaches
    o Evaluates and uses management controls to gain reasonable assurance of compliance which promotes reliability
  – Reduce unnecessary administrative burdens of the compliance monitoring and enforcement program on all stakeholders.
2013 Year End Progress Report
Auditor Handbook
• The first version of the auditor handbook was completed.
• Training and rollout efforts to occur in 2014.
Prototypes and Pilot Programs
• The results to-date of pilot programs are being compiled.
• Evaluation criteria have been finalized.
• The assessment timeline and 2014 deliverables are set.
Improvements to Self-Reporting
• User guide to support improved self reporting process completed in December 2013.
• Request for broader industry review in January 2014.
FFT Enhancements
• Triage process implemented across ERO by January 1, 2014 to expedite disposition of minimal risk issues.
• Enforcement pilots to test aggregation and exercise of enforcement discretion under way.
V5 Compliance and Enforcement Steady State
• V5/RAI Key Program Elements (based on Evaluation Criteria)
  – Risk Assessment
    o The Regional Entity will develop a transparent but customized compliance profile based on the Registered Entity’s impact to the Grid.
    o The Risk Assessment will be shared with the Registered Entity so that they understand how they will be monitored as part of the compliance profile.
  – Internal Controls Reliance
    o The Registered Entity will develop internal control practices that will be provided to and reviewed by the Regional Entity.
    o The Regional Entity will evaluate the level of the entity’s internal control program to tailor compliance activities in conjunction with the Risk Assessment.
  – Aggregation of Non-Compliance
    o Based on the level of controls reliance and the Risk Assessment, Registered Entities will be able to participate in the aggregation of non-compliance processes.
    o Moderate and serious risk non-compliance shall require self-reporting.
Transition Study: Lessons Learned
• Substation BES Cyber Assets
• Configuration Management
• High Watermarking
• Generation BES Cyber Assets
• Migration of TFEs
• Grouping of BES Cyber Assets
Lessons Learned - Substations
Q: We have a control building inside a substation that is considered to be a Medium impact rating. A transformer has a port on it that provides data to the protected systems inside the control building. Would the transformer port need to be protected under the CIP Version 5 standards?
A: The transformer port would need to be examined to determine the nature of the connection. If there is any bi-directional data flow through the port, it could be vulnerable to intrusion. The port would be within the Electronic Security Perimeter of the control building systems and therefore would need to be a Protected Cyber Asset.
Lessons Learned - Substations
Q: What exactly needs to be protected in substation yards and generation plants? We have a few devices located in the yard of a substation and are not sure if they are in scope for protection. These include:
a) Transformer monitoring devices
b) Distribution Relays
c) Monitoring PLCs
d) HMI Workstations that control non-critical assets (soot blowers, water cannon, etc.).
A: In general, if a device plays a role in BES reliability or operations, or would be considered a PCA because of network connectivity, then it needs to be protected according to its impact rating (Medium or Low). It may be helpful to review the definitions of BES Cyber Asset and BES Cyber System to verify whether a device meets the criteria.
A key consideration is to assess when and where generation or transmission facilities are tied together electrically, such as at a distribution interconnection point. When such facilities are tied together electrically, they need to be considered together because ties between low and high sides may mean a device could take out a transformer. Thus, with that level of impact on the high side, it is brought into scope.
Lessons Learned - Config Mgt
Q: How are we going to define “baseline” on protected assets? CIP-010-1 R1, Part 1.1 identifies five items that make up the baseline for protected assets; software/firmware versions, open source/commercially available software, custom applications, logical network accessible ports and applied security patches. What else will be part of the baseline; configuration settings (IP addresses, thresholds for the monitoring devices, etc.), or any hardware differences (such as video cards, CPUs, memory capacity etc.)?
For example, if the addressing on a relay is changed, or the amount of oil in a transformer that a device is monitoring was modified, would this cause a new baseline to be created? The relay or device itself would not change, just one of its monitoring/alarm thresholds.
A: The five items identified in CIP-010, R1, Part 1.1 are the minimum requirements for establishing and maintaining a baseline, and are likely to be checked during an audit. Information about hardware differences (e.g., the video card noted) may apply since it could affect installed applications and patches. Other information (e.g., IP address) may be useful but not required in the baseline configuration since it differs from node to node.
While a baseline is typically considered in the context of servers and other IT equipment, it also applies to BES Cyber Assets such as relays.
An example of an approach to evaluating the criticality of a BES Cyber Asset setting is to assess the impact that would result from the loss/change of that setting.
Lessons Learned-Config Mgt
Q: What exactly is the definition of "security" patches in CIP-010-1, R1, Part 1.1.5? There are patches that are labeled as Critical, Important and Security; which of these (or any other designations) fall under the umbrella of CIP-010-1 "security" patches?
A: Requirements pertaining to security patches are addressed in the same manner as in previous versions of the CIP standards. The concept is to distinguish "security" patches from "functionality" patches. The standards are focused on security patches, however that description is communicated by the vendor. Words like "critical", "important" or "security" are likely good indicators that a patch may be introducing more than simply new functionality.
Also be aware that patches themselves may address multiple types of issues, and many (and perhaps most) vendors will not label a patch as being limited to "security" issues. That is especially true for an appliance-type update, which could include security functions within it.
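The following is an added Python example, not code from the NERC workshop or from any NERC or vendor tool, illustrating the two configuration-management answers above: a baseline limited to the five CIP-010-1 R1 Part 1.1 items, with the IP address and alarm threshold deliberately kept outside it so that re-addressing a relay does not produce a new baseline, plus a conservative "security patch" classifier keyed on the vendor wording the answer mentions. The relay inventory, patch identifiers, port list and keyword list are constructed assumptions for illustration; the "cve" keyword is an added assumption beyond the words in the answer.

```python
"""Added example (not from the NERC workshop or any NERC/vendor tool):
a CIP-010-1 R1 Part 1.1 style baseline for a BES Cyber Asset, separating
baseline items from non-baseline attributes, and detecting baseline changes.
All device data below is constructed; the patch-wording heuristic is an
assumption, not a NERC-defined rule."""
import hashlib
import json

# The five baseline items of CIP-010-1 R1 Part 1.1 (1.1.1 through 1.1.5).
BASELINE_ITEMS = ("os_firmware", "commercial_software", "custom_software",
                  "network_ports", "security_patches")

# Assumed vendor wording that marks a patch as "security" rather than purely
# "functionality". "critical", "important" and "security" follow the answer
# above; "cve" is an added assumption.
SECURITY_PATCH_KEYWORDS = ("security", "critical", "important", "cve")


def is_security_patch(patch):
    """Conservative classifier: a patch counts as a security patch if any
    vendor field mentions a keyword. Mixed function+security patches stay in
    scope, matching the point that vendors rarely label patches security-only."""
    text = " ".join(str(patch.get(k, "")) for k in ("title", "classification", "references")).lower()
    return any(kw in text for kw in SECURITY_PATCH_KEYWORDS)


def build_baseline(inventory):
    """Extract the five required items. IP addresses, alarm thresholds and
    hardware details live under inventory["attributes"] and are excluded."""
    return {
        "os_firmware": inventory["os_firmware"],
        "commercial_software": sorted(f"{n} {v}" for n, v in inventory.get("commercial_software", {}).items()),
        "custom_software": sorted(f"{n} {v}" for n, v in inventory.get("custom_software", {}).items()),
        "network_ports": sorted(inventory.get("network_ports", [])),
        "security_patches": sorted(p["id"] for p in inventory.get("patches", []) if is_security_patch(p)),
    }


def baseline_hash(baseline):
    """Stable digest of a baseline, usable as an evidence identifier."""
    return hashlib.sha256(json.dumps(baseline, sort_keys=True).encode()).hexdigest()


def diff_baseline(old, new):
    """Per-item changes between two baselines; an empty dict means the
    baseline did not change, so no baseline update is triggered."""
    changes = {}
    for item in BASELINE_ITEMS:
        if old[item] == new[item]:
            continue
        if isinstance(old[item], list):
            changes[item] = {"added": sorted(set(new[item]) - set(old[item])),
                             "removed": sorted(set(old[item]) - set(new[item]))}
        else:
            changes[item] = {"from": old[item], "to": new[item]}
    return changes


# Constructed inventory for a hypothetical protective relay.
RELAY_BEFORE = {
    "os_firmware": "relay-fw 3.2.1",
    "commercial_software": {},
    "custom_software": {"protection-settings-group": "rev7"},
    "network_ports": ["tcp/20000", "tcp/502"],
    "patches": [{"id": "FW-2013-07", "title": "Session handling fix",
                 "classification": "Security"}],
    "attributes": {"ip_address": "10.1.1.10", "oil_temp_alarm_c": 85},
}

# Same relay after re-addressing and an alarm-threshold change: no baseline change.
RELAY_RETUNED = dict(RELAY_BEFORE, attributes={"ip_address": "10.1.2.10", "oil_temp_alarm_c": 90})

# Same relay after a functionality-only patch, a security patch and a newly
# enabled telnet port: the last two are baseline changes, the first is not.
RELAY_PATCHED = dict(RELAY_BEFORE,
                     network_ports=RELAY_BEFORE["network_ports"] + ["tcp/23"],
                     patches=RELAY_BEFORE["patches"] + [
                         {"id": "FW-2014-02", "title": "New oscillography format", "classification": "Recommended"},
                         {"id": "FW-2014-03", "title": "Buffer handling fix", "classification": "Important"},
                     ])


def demo():
    """Compare both later inventories against the original baseline."""
    base = build_baseline(RELAY_BEFORE)
    return {
        "retuned": diff_baseline(base, build_baseline(RELAY_RETUNED)),
        "patched": diff_baseline(base, build_baseline(RELAY_PATCHED)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone, the script reports an empty change set for the re-addressed relay and flags only the new port and the "Important" patch for the patched relay; the "Recommended" functionality patch is deliberately left out of the baseline. The keyword list is the part a registered entity would tune to its vendors' actual wording, and it errs toward including a patch rather than excluding it.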
Lessons Learned-Grouping of BCAs
• BES Cyber Assets are grouped into BES Cyber Systems based primarily on which BES Cyber Assets together perform a common function. For example, an EMS BES Cyber System may consist of a number of human–machine interface workstations, communications servers, processing servers, and database servers. In order for BES Cyber Systems to be properly categorized according to the impact levels in Attachment A of CIP-002-5, grouping should be based on the primary use of the BES Cyber Assets.
• The inventory list developed through this process should indicate the identified groupings. While not required, a name for each individual BES Cyber System may be assigned for reference when demonstrating compliance for the remainder of the requirements of the CIP Version 5 standards. A reason (or reason code) to document the rationale for the grouping would also be beneficial.
Lessons-Learned Scheduling Systems
Some Registered Entities use automated systems to schedule transmission interchanges (also known as e-tags) within their Balancing Authority Area, or with other entities. Entities will need to analyze these systems to determine if they are a BES Cyber System. From a real-time operations perspective, “BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.”
Assuming the data associated with the scheduling system is rendered unavailable, degraded, or misused, determine how this could affect reliability functions such as, but not limited to:
• Area Control Error calculations and their use
• Automatic Generation Control operation
• Available Transfer Capability calculations and their use
• Net Scheduled Interchange calculations and their use
• Identification and monitoring of System Operating Limits and Interconnection Reliability Operating Limits
• Identification and monitoring of Flowgates
• Current and next-day planning
Website Updates
http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx
Effective Dates for Version 5
CIP Version 5 Effective Dates

Requirement                                                   Effective Date
Effective Date of Standard                                    April 1, 2016

Requirement-Specific Effective Dates
CIP-002-5 R2                                                  April 1, 2016
CIP-003-5 R1                                                  April 1, 2016
CIP-003-5 R2 for medium and high impact BES Cyber Systems     April 1, 2016
CIP-003-5 R2 for low impact BES Cyber Systems                 April 1, 2017
CIP-007-5 Part 4.4                                            April 15, 2016
CIP-010-1 Part 2.1                                            May 6, 2016
CIP-004-5 Part 4.2                                            July 1, 2016
CIP-004-5 Part 2.3                                            April 1, 2017
CIP-004-5 Part 4.3                                            April 1, 2017
CIP-004-5 Part 4.4                                            April 1, 2017
CIP-006-5 Part 3.1                                            April 1, 2017
CIP-008-5 Part 2.1                                            April 1, 2017
CIP-009-5 Part 2.1                                            April 1, 2017
CIP-009-5 Part 2.2                                            April 1, 2017
CIP-010-1 Part 3.1                                            April 1, 2017
CIP-009-5 Part 2.3                                            April 1, 2018
CIP-010-1 Part 3.2                                            April 1, 2018
CIP-004-5 Part 3.5                                            Within 7 years after previous Personnel Risk Assessment
CIP V5 Revisions and RAI Timeline
Standards Drafting Progress
Project 2014-02 Overview
• Standards Development Web Page: http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-Critical-Infrastructure-Protection-Version-5-Revisions.aspx
• SAR Posted & Comment Period complete
 o SAR revisions in progress
• Technical Conferences January 21 & 23, 2014
 o Atlanta & Phoenix
 o Summary Posted on "Related Files" page
• First SDT meeting complete
 o February 19-21, 2014, NERC DC Office
SDT
• Ten-member team
 o Four previous team members
 o Two Co-Chairs
• Large group of observers
• Meetings run similarly to the last SDT (V2-V5)
 o Teleconference capability
 o Observer participation
 o Small group assignments
 o Very large "plus" list for communication
• Meeting schedule mapped out through June
 o First posting in June
SDT
• Four focused teams
 o Teams charged with the four directives from the FERC Order
 o Two SDT members plus observers
 o Two-hour focused phone calls per week in between face-to-face meetings
 o Results discussed at face-to-face meetings
• Goal of addressing all four directives by end of 2014
Directives
• Identify, Assess & Correct (IAC) Language
 o One-year response to directive
 o Team consensus to "remove" language
 o Reviewing previous V5 draft language to determine if/what requirements language updates are needed (e.g., action plans)
 o Considering additional guidance language
 o Coordination with Compliance and Enforcement departments
Directives
• Low Impact
 o No timeframe on response to directive
 o Requirements need to contain objective criteria and be auditable
 o Considering impact on implementation schedule
 o Coordination with IAC language work
Directives
• Communications Network
 o One-year response to directive
 o Definition and requirements
 o Close gap identified by FERC when the "communications network" clause was removed from the definition of Cyber Asset
 o Utilize NIST SP 800-53 and ISO 27001 language (referenced in the FERC Order)
Directives
• Transient Devices
 o No timeframe on response to directive
 o Looking at "Maintenance Device" work done by previous SDT
 o Six specific issues discussed in the FERC Order
 o Considering either new requirements or modification of existing requirements
 o Considering impact on implementation schedule
Project Schedule
Proposed Timeline for the
Project 2014-02 Standard Drafting Team (SDT)
Anticipated Date          Location         Event
1/15/2014                 -                SC Authorizes SAR
1/29/2014                 -                SC Appoints Standards Drafting Team
2/19/2014-2/21/2014       Washington, DC   SDT Meeting
3/18/2014-3/20/2014       Sacramento, CA   SDT Meeting
4/22/2014-4/24/2014       TBD              SDT Meeting
5/12/2014-5/14/2014       TBD              SDT Meeting
6/2/2014                  -                First 45-Day Comment Period & Ballot Opens
7/17/2014                 -                First 45-Day Comment Period & Ballot Closes
8/29/2014                 -                Second 45-Day Comment Period & Ballot Opens
10/13/2014                -                Second 45-Day Comment Period & Ballot Closes
10/31/2014                -                Final Ballot Opens
11/10/2014                -                Final Ballot Closes
11/13/2014                -                Presentation to NERC Board of Trustees for Adoption
12/31/2014                -                NERC Files Petition with the Applicable Governmental Authorities