CIP Technical Workshop Training/CIP Technical... · 2 RELIABILITY | ACCOUNTABILITY •Welcome...

CIP Technical Workshop

Scott R, Mix, CISSP, NERC CIP Technical Manager

Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist

Tobias R. Whitney, Manager, CIP Compliance

March 4, 2014

RELIABILITY | ACCOUNTABILITY2

• Welcome

• Overview of FERC Order No. 791

• CIP V5 High-level Overview

• CIP V5 Core Requirements

• Break (15 min)

• Transition Study Progress & Lessons Learned

• Standards Drafting Progress

Agenda


• NERC Antitrust Guidelines It is NERC’s policy and practice to obey the antitrust laws and to avoid

all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.

• Notice of Open Meeting Participants are reminded that this meeting is public. Speakers should

keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

Administrative Issues


Overview of FERC Order No. 791


•Final Rule Issued November 22, 2013

Docket RM13-5

Order No. 791

146 page rule

Published in Federal Register December 3, 2013

Final Rule Highlights


•Effective Date of Final Rule: February 3, 2014

Effective Date for Compliance with all non-periodic requirements: April 1, 2016 for High and Medium ImpactApril 1, 2017 for Low Impact

Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1, 2016



• Approved technical requirements

• Approved 19 definitions

• Approved implementation plan

Approved bypass of Version 4

• Approve, with modifications, VRF / VSL



• Submit modified VRF / VSL within 90 days

• Submit two directed changes and one informational filing within one year

IAC

Communications Networks

Survey: 15-minute clause

• Two other directed changes do not have specified time frame

Low Impact BES Cyber Systems

Transitory Devices



• Address concerns with IAC Language

Prefer to have compliance language removed from requirements

Allow for flexibility for addressing concerns

• Supports move away from “zero tolerance” compliance approach for the 17 requirements

• IAC language ambiguous, concerns about inconsistent application, unclear expectations placed on industry

• Submit within one year

IAC Language


• Allow impact-based categorization

May revisit in future

Not persuaded to move blackstart from Low to Medium, but may revisit

Does not consider connectivity, but may revisit

Confirm that Low will not include non-BES assets

BES Cyber Asset Categorization


• Lack of objective criteria for evaluating Low Impact protections “Introduces unacceptable level of ambiguity and

potential inconsistency into the compliance process” Open to alternative approaches “… the criteria NERC proposes for evaluating a

responsible entities’ protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.”

• No detailed inventory required … list of locations / Facilities OK

Low Impact requirements


• Survey industry about impacts of 15-minute parameter during transition period

What Cyber Assets are included / excluded by the 15-minute parameter

• Informational filing to FERC in one year

• Commission may revisit issue following informational filing

15-Minute Parameter


• Do not direct change to definition

• Directed modifications to address transient devices issues

30-day exemption in Definition


• Devices connected for less than 30-days (USB, laptop, etc)

• Direct modifications to address the following concerns: Device authorization Software authorization Security patch management Malware prevention Unauthorized physical access Procedures for connecting to different impact level

systems

Transient Devices


• Approve definition of Cyber Asset without change

• Direct creation of definition of “communication networks” and requirements to address issues:

Locked wiring closets

Disconnected or locked spare jacks

Protection of cabling by conduit or cable trays

• Submit within one year

• Include discussion in FERC Staff-led conference

Communications Network


• Approve implementation Plan as filed

24-month for High & Medium

36-month for Low

Bypass Version 4

• Support NERC proposal to develop transition guidance and pilot program

• Declined to extend implementation plan

• Not persuaded to allow early shift to V5

However, “issues of early compliance can be addressed by NERC and Registered Entities as appropriate.”

Implementation Plan


• Three Rehearing requests submitted1. Utility Services, Inc.

o Defer start of implementation period to April 1, 2016

2. EEI/EPSA

o Hold a Technical Conference rather than conduct a Survey

o Clarify Implementation Date for High & Medium

o Delay Implementation Date for Low until modifications approved (FERC Directive)

o Hold Technical Conference on Communication Networks in 90 days

Rehearing Requests


3. APPA/NRECA

o Elimination of “IAC” language creates implementation uncertainty

– Standards may become enforceable before IAC changes are approved

o Clarify rationale supporting determination that a Regulatory Flexibility Act analysis is not required

• No timeframe specified for FERC response to Rehearing Requests

Rehearing Requests


• FERC Staff-led technical Conference From P224-225 of Order No. 791

Announced February 27, 2014

Conference held April 29, 2014 starting at 9:00 AM

Topics to be addressed (from conference announcement):

1) whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access;

2) the adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks; and

3) functional differences between the respective methods utilized for identification, categorization, and specification of appropriate levels of protection for cyber assets using CIP version 5 Standards as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework.

FERC Staff-led Technical Conference


CIP V5 High-level Overview


CIP Standards – Version 5

• New / Modified Terms: BES Cyber Asset BES Cyber System BES Cyber System

Information CIP Exceptional

Circumstance CIP Senior Manager Control Center Cyber Assets Cyber Security Incident Dial-up Connectivity Electronic Access Control

and Monitoring Systems (EACMS)

Electronic Access Point (EAP) Electronic Security Perimeter

(ESP) External Routable Connectivity Interactive Remote Access Intermediate Device Physical Access Control Systems

(PACS) Physical Security Perimeter

(PSP) Protected Cyber Asset (PCA) Reportable Cyber Security

Incident



• High Impact

– Large Control Centers

– CIP-003 to 009 V4 “plus”

• Medium Impact

– Generation and Transmission

– Control Centers

– Similar to CIP-003 to 009 V4

• All other BES Cyber Systems (Low Impact) must implement a policy to address:

– Cybersecurity Awareness

– Physical Security Controls

– Electronic Access Controls

– Incident Response

High

Non-Critical

Critical

Non-Impactful(Distribution,

Marketing, Business)

Medium

Low

Generation and Transmission

Large Control Centers

V3/V4 V5

Control Centers

Small Control Centers





Rationale,

Guidance &

Changes,

Main

Requirement

and Measure

Applicable Systems for

requirement partRequirement part text Requirement part

Measure text

Requirement part Reference Requirement part change rationale


CIP V5 Core Requirements


• Walk through CIP V5 core technical requirements

• Look at differences from V3/V4

Objectives

• Electronic Security Perimeter(s)CIP-005• Physical Security of BES Cyber

SystemsCIP-006

• Systems Security ManagementCIP-007• Configuration Change Management

and Vulnerability AssessmentsCIP-010


• Introduces reasoning explicitly in the requirement

• Outbound rules now required

• No annual document review required

CIP-005

Part 1.3 - Require inbound and outbound access

permissions, including the reason for granting

access, and deny all other access by default.

EAPs for High and Medium Impact BES Cyber Systems

• Electronic Security Perimeter(s)CIP-005


• The process must identify how to authenticate the user

CIP-005

Part 1.4 - Where technically feasible,

perform authentication when establishing

Dial-up Connectivity with applicable

Cyber Assets.

High and Medium Impact BES Cyber

Systems with Dial-up Connectivity and their

associated: PCAs


• Traffic inspection is part of requirement

• Multiple layers of perimeter protection

• If firewall fails, IDS can trigger a secondary security measure

CIP-005

Part 1.5 - Have one or more methods for detecting known or

suspected malicious communications for both inbound and

outbound communications.

EAPs for High Impact BES Cyber Systems

EAPs for Medium Impact BES Cyber Systems at Control Centers


• Cannot be located in the ESP

• Intermediate System serves as proxy

• Allows for restrictive rules

• Protection from vulnerabilities on remote device

CIP-005

Part 2.1 – Utilize an Intermediate System such that the Cyber

Asset initiating Interactive Remote Access does not directly

access an applicable Cyber Asset.

High Impact BES Cyber Systems and their associated PCA.

Medium Impact BES Cyber Systems with External Routable

Connectivity and their associated PCA


CIP-005


• Initiated from outside the ESP using routable

• Protects Confidentiality and Integrity

CIP-005

Part 2.2 – For all Interactive Remote Access sessions,

utilize encryption that terminates at an Intermediate

System.





• Does not include system to system process communications

• Replaces “strong technical and procedural controls”

• Multi-factor is well know security concept Something you know

Something you have

Something you are

Somewhere you are

CIP-005

Part 2.3 – Require multi-factor authentication for all

Interactive Remote Access sessions.





• Programmatic protections

• Does not require detailed list of individuals with access

CIP-006

• Physical Security of BES Cyber SystemsCIP-006 IAC


• 1 physical access control

• Authorized unescorted physical access

CIP-006

Part 1.2 – Utilize at least one physical access control to

allow unescorted physical access into each applicable

Physical Security Perimeter to only those individuals

who have authorized unescorted physical access.


Connectivity and their associated EACMS, PCA


• 2 physical access controls

• Authorized unescorted physical access

• No single authenticator

CIP-006

Part 1.3 – Where technically feasible, utilize two or

more different physical access controls to collectively

allow unescorted physical access into Physical

Security Perimeters to only those individuals who have

authorized unescorted physical access.

High Impact BES Cyber Systems and their associated

EACMS, PCA


• Maintenance and testing every 24 months

• Includes PACS and local hardware

CIP-006

Part 3.1 – Maintenance and testing of each Physical

Access Control System and locally mounted hardware

or devices at the Physical Security Perimeter at least

once every 24 calendar months to ensure they function

properly.

High Impact BES Cyber Systems and their associated

EACMS, PCA


Requirement R1

• Enable logical ports per device capability Devices with no capability to disable, deemed necessary

• Protect against use of unnecessary physical ports Physical or logical controls

CIP-007

• Systems Security ManagementCIP-007 IAC


• Identification of patch sources

• Entity chooses source for “clock start” on review

CIP-007

Part 2.1 - A patch management process for tracking,

evaluating, and installing cyber security patches for

applicable Cyber Assets. The tracking portion shall

include the identification of a source or sources that

the Responsible Entity tracks for the release of cyber

security patches for applicable Cyber Assets that are

updateable and for which a patching source exists.

High and Medium Impact BES Cyber Systems and

associated EACMS and PACS and PCA

IAC


• 35 day review of applicability

CIP-007

Part 2.2 - At least once every 35 calendar days,

evaluate security patches for applicability that

have been released since the last evaluation from

the source or sources identified in Part 2.1.



IAC


Part 2.3 - For applicable patches identified in Part 2.2, within 35

calendar days of the evaluation completion, take one of the following

actions:

• Apply the applicable patches; or

• Create a dated mitigation plan; or

• Revise an existing mitigation plan.

Mitigation plans shall include the Responsible Entity’s planned

actions to mitigate the vulnerabilities addressed by each security

patch and a timeframe to complete these mitigations.

High and Medium Impact BES Cyber Systems and associated EACMS

and PACS and PCA

CIP-007

• Actions to mitigate vulnerabilities

• Timeframe

IAC


• Plan MUST be executed as defined

• Extensions are allowed

CIP-007

Part 2.4 - For each mitigation plan created or revised

in Part 2.3, implement the plan within the timeframe

specified in the plan, unless a revision to the plan or

an extension to the timeframe specified in Part 2.3 is

approved by the CIP Senior Manager or delegate.



IAC


• Describe how to address malware on BES Cyber Systems Policies

System hardening

White listing

Traditional AV

• Creativity

CIP-007

Part 3.1 - Deploy method(s) to deter, detect, or prevent

malicious code.



IAC


• How to remove the identified malicious code?

• Increased monitoring until removal

• White listing – code does not run, but is still there

• No maximum timeframe prescribed

CIP-007

Part 3.2 - Mitigate the threat of detected malicious

code.



IAC


• Minimum per Cyber Asset capability

CIP-007

Part 4.1 - Log events at the BES Cyber System level (per BES

Cyber System capability) or at the Cyber Asset level (per

Cyber Asset capability) for identification of, and after-the-fact

investigations of, Cyber Security Incidents that includes, as a

minimum, each of the following types of events:

4.1.1. Detected successful login attempts;

4.1.2. Detected failed access attempts and failed login

attempts;

4.1.3. Detected malicious code.

High and Medium Impact BES Cyber Systems and associated

EACMS and PACS and PCA

IAC


• Entity determines security event requiring response

• SEIM, text, e-mail, alarms, displays

CIP-007

Part 4.2 - Generate alerts for security events that the

Responsible Entity determines necessitates an alert,

that includes, as a minimum, each of the following

types of events (per Cyber Asset or BES Cyber

System capability):

4.2.1. Detected malicious code from Part 4.1; and

4.2.2. Detected failure of Part 4.1 event logging.

High Impact BES Cyber Systems and Medium Impact

BES Cyber Systems with External Routable Connectivity

and associated EACMS and PACS and PCA

IAC


• Description of review process

• Any findings

• Dates

CIP-007

Part 4.4 - Review a summarization or sampling of logged

events as determined by the Responsible Entity at

intervals no greater than 15 calendar days to identify

undetected Cyber Security Incidents.

High Impact BES Cyber Systems and associated EACMS

and PCA

IAC


• Added “authorized”

• Storing, losing, sharing passwords not a violation

CIP-007

Part 5.3 - Identify individuals who have authorized access

to shared accounts.

High BES Cyber Systems and associated EACMS and PACS

and PCA


Connectivity and associated EACMS and PACS and PCA

IAC


• Per Cyber Asset Capability

• Hard coded passwords

CIP-007

Part 5.4 - Change known default passwords, per

Cyber Asset capability



IAC


Part 5.5 - For password-only authentication for interactive user

access, either technically or procedurally enforce the following

password parameters:

5.5.1. Password length that is, at least, the lesser of eight

characters or the maximum length supported by the Cyber

Asset; and

5.5.2. Minimum password complexity that is the lesser of three

or more different types of characters (e.g., uppercase

alphabetic, lowercase alphabetic, numeric, non-alphanumeric)

or the maximum complexity supported by the Cyber Asset.

High and Medium Impact BES Cyber Systems and associated

EACMS and PACS and PCA

CIP-007

IAC


• Reduces risk of live password cracking

• No set threshold Prevent false-positives

CIP-007

Part 5.7 - Where technically feasible, either:

• Limit the number of unsuccessful authentication attempts; or

• Generate alerts after a threshold of unsuccessful authentication

attempts.

High Impact BES Cyber Systems and Medium Impact BES Cyber

Systems at Control Centers and associated EACMS and PACS and

PCA

IAC


• Identifies a change management process to be invoked

CIP-010

Part 1.1 - Develop a baseline configuration, individually or by

group, which shall include the following items:

1.1.1. Operating system(s) (including version) or firmware where

no independent operating system exists;

1.1.2. Any commercially available or open-source application

software (including version) intentionally installed;

1.1.3. Any custom software installed;

1.1.4. Any logical network accessible ports; and

1.1.5. Any security patches applied.

High and Medium Impact BES Cyber Systems and associated EACMS

and PACS and PCA

IAC

CIP-010

• Configuration Change Management and Vulnerability AssessmentsCIP-010


• CIP-007-3 R1 procedures are now implicit in meeting requirement

• Explicitly defines CIP-005 and CIP-007 security controls

• No adverse effects of those controls after change

CIP-010

Part 1.4 – For a change that deviates from the existing baseline:

1.4.1. Prior to the change, determine required cyber security

controls in CIP-005 and CIP-007 that could be impacted by the

change;

1.4.2. Following the change, verify that required cyber security

controls determined in 1.4.1 are not adversely affected; and

1.4.3. Document the results of the verification.

High and Medium Impact BES Cyber Systems and their associated

EACMS, PACS, PCA

IAC


• Requires review of both test and production environments

• Important note EACH* change

• If test used, describe ANY* differences

• If production used, method to minimize adverse effects

CIP-010

Part 1.5 – Where technically feasible, for each change that deviates from the

existing baseline configuration:

1.5.1. Prior to implementing any change in the production environment, test

the changes in a test environment or test the changes in a production

environment where the test is performed in a manner that minimizes adverse

effects, that models the baseline configuration to ensure that required cyber

security controls in CIP-005 and CIP-007 are not adversely affected; and

1.5.2. Document the results of the testing and, if a test environment was

used, the differences between the test environment and the production

environment, including a description of the measures used to account for

any differences in operation between the test and production environments.

High Impact BES Cyber Systems

IAC


• Once a month review of malicious or intentional changes

• Investigate unauthorized changes

CIP-010

Part 2.1 –Monitor at least once every 35 calendar days for

changes to the baseline configuration (as described in

Requirement R1, Part 1.1). Document and investigate

detected unauthorized changes.

High Impact BES Cyber Systems and their associated EACMS,

PCA

IAC


• Paper network discovery - review of network connectivity to identified EAP to

the ESP

port and service identification - look for all ports and services and appropriate business justification

vulnerability review - rule set reviews, default accounts, passwords, and network management community strings

wireless review - a review of common wireless networks and their controls to effect BES Cyber Systems comm.

CIP-010

Part 3.1 – At least once every 15 calendar months,

conduct a paper or active vulnerability assessment.

High and Medium Impact BES Cyber Systems and their

associated EACMS, PACS, PCA


• Active network discovery - active discovery tools for devices

port and service identification - nmap

vulnerability review - live vulnerability scanning tools

wireless review - wireless scanning tools

CIP-010

Part 3.1 – At least once every 15 calendar months,

conduct a paper or active vulnerability assessment.




• Again if test environment used, identify differences

• If production is used, minimize adverse effects

CIP-010

Part 3.2 – Where technically feasible, at least once every 36 calendar

months:

3.2.1 Perform an active vulnerability assessment in a test environment, or

perform an active vulnerability assessment in a production environment

where the test is performed in a manner that minimizes adverse effects,

that models the baseline configuration of the BES Cyber System in a

production environment; and

3.2.2 Document the results of the testing and, if a test environment was

used, the differences between the test environment and the production

environment, including a description of the measures used to account for

any differences in operation between the test and production

environments.

High Impact BES Cyber Systems


• Active CVA for introduction of new Cyber Assets

• Replacements and baselines of other Cyber Assets do not count

CIP-010

Part 3.3 – Prior to adding a new applicable Cyber Asset to a

production environment, perform an active vulnerability

assessment of the new Cyber Asset, except for CIP

Exceptional Circumstances and like replacements of the

same type of Cyber Asset with a baseline configuration

that models an existing baseline configuration of the

previous or other existing Cyber Asset.

High Impact BES Cyber Systems and associated EACMS and

PCA


• Results and Action plans of findings

• Define a planned date of completion and status for those findings

CIP-010

Part 3.4 – Document the results of the assessments

conducted according to Parts 3.1, 3.2, and 3.3 and the

action plan to remediate or mitigate vulnerabilities

identified in the assessments including the planned

date of completing the action plan and the execution

status of any remediation or mitigation action items.




• Mapping Document http://www.nerc.com/pa/Stand/Project%20200806%20Cyber%20Security%20Order%20706%20DL/Mapping_Document_012913.pdf

References

CIP-002 CIP-005 CIP-006 CIP-007 CIP-010

ALL 1.2, 1.3, 1.4,

1.5

1.2, 1.3, 1.4 1.1, 1.2 1.1, 1.4, 1.5

2.1,2.2, 2.3 2.1, 2.2 2.1, 2.2, 2.3,

2.4

3.3

3.1, 3.2

4.1, 4.2, 4.4

5.5, 5.7

http://www.nerc.com/pa/Stand/Project 200806 Cyber Security Order 706 DL/Mapping_Document_012913.pdf


Break

15 Minute Break


Transition Study Progress & Lessons Learned


Purpose of the Transition Program

Address V3 to V5 Transition issues.

Provide a clear roadmap for V5

steady-state.

Justifies budget for V5 implementation and compliance.

Foster communication and knowledge sharing.

“Support all entities in the timely, effective, and

efficient transition to CIP Version 5”


CIP V 5 Transition Program Elements

• A new transition guidance will be provided after V5 Order

Periodic Guidance

• 6 entities with strong compliance cultures

• 6-8 month implementation of V5 for certain facilities

• Lessons learned throughout and after study phase

Implementation Study

• Integration with RAI

• Identify means and method to address self-corrective processes and internal controls

Compliance and Enforcement

• New website created for all Transition Program activity

Outreach & Communications

• Quarterly training opportunities will be provided to industry

Training


• An ERO’s strategic initiative to transform the current compliance monitoring and enforcement program that: Focuses on high reliability risk areas

Reduces unnecessary administrative burdens

• Three main goals: Building on the success of Find, Fix and Track (FFT)

Design a compliance program that:

o Recognizes an entity’s risk to reliability

o Appropriately scopes audits and applies proper audit techniques and approaches

o Evaluates and uses management controls to gain reasonable assurance of compliance which promotes reliability

Reduce unnecessary administrative burdens of the compliance monitoring and enforcement program on all stakeholders.

Purpose of RAI


2013 Year End Progress Report

• The first version of auditor handbook was completed.

• Training and rollout efforts to occur in 2014.Auditor Handbook

• The results to-date of pilot programs are being compiled.

• Evaluation criteria has been finalized

• The assessment timeline and 2014 deliverables are set.

Prototypes and Pilot Programs

• User guide to support improved self reporting process completed in December 2013.

• Request for broader industry review in January 2014.

Improvements to Self-Reporting

• Triage process implemented across ERO by January 1, 2014 to expedite disposition of minimal risk issues.

• Enforcement pilots to test aggregation and exercise of enforcement discretion under way.

FFT Enhancements


V5 Compliance and Enforcement Steady State

• V5/RAI Key Program Elements (based on Evaluation Criteria)

Risk Assessment

o The Regional Entity will develop a transparent but customized compliance profile based the Registered Entity’s impact to the Grid.

o The Risk Assessment will be shared with the Registered Entity so that they understand how they will be monitored as part of the compliance profile.

Internal Controls Reliance

o The Registered Entity will develop internal control practices that will be provided and reviewed by the Regional Entity.

o The Regional Entity will evaluate the level of the entities internal control program to tailor compliance activities in conjunction with the Risk Assessment

Aggregation of Non-Compliance

o Based on the level of controls reliance and the Risk Assessment, Registered Entities will be able to participate in the aggregation of non-compliance processes.

o Moderate and serious risk non-compliance shall require self-reporting


Transition Study: Lesson Learned

Substation BES Cyber Assets

Configuration Management

High Watermarking

Generation BES Cyber Assets

Migration of TFE’s

Grouping of BES Cyber Assets


Lesson Learned-Substations

Q: We have a control

building inside a substation

that is considered to be a

Medium impact rating. A

transformer has a port on it

that provides data to the

protected systems inside the

control building. Would the

transformer port need to be

protected under the CIP Version 5 standards?

A:The transformer port would

need to be examined to

determine the nature of the

connection. If there is any bi-

directional data flow through the

port, it could be vulnerable to

intrusion. The port would be

within the Electronic Security

Perimeter of the control building

systems and therefore would

need to be a Protected Cyber Asset.


Lessons Learned-Substations

Q: What exactly needs to be

protected in substation yards and

generation plants? We have a few

devices located in the yard of a

substation and are not sure if they

are in scope for protection. These

include:

a) Transformer monitoring

devices

b) Distribution Relays

c) Monitoring PLCs

d) HMI Workstations that control

non-critical assets (soot

blowers, water cannon, etc.).

A: In general, if a device plays a role in BES

reliability or operations, or would be

considered a PCA because of network

connectivity, then it needs to be protected

according to its impact rating (Medium or

Low). It may be helpful to review the

definitions of BES Cyber Asset and BES

Cyber System to verify whether a device

meets the criteria.

A key consideration is to assess when and

where generation or transmission facilities

are tied together electrically, such as at a

distribution interconnection point. When

such facilities are tied together electrically,

they need to be considered together because

ties between low and high sides may mean a

device could take out a transformer. Thus,

with that level of impact on the high side, it is

brought into scope.


Lessons Learned-Config Mgt

Q: How are we going to define “baseline”

on protected assets? CIP-010-1 R1, Part

1.1 identifies five items that make up the

baseline for protected assets;

software/firmware versions, open

source/commercially available software,

custom applications, logical network

accessible ports and applied security

patches. What else will be part of the

baseline; configuration settings (IP

addresses, thresholds for the monitoring

devices, etc.), or any hardware

differences (such as video cards, CPUs,

memory capacity etc.)?

For example, if the addressing on a

relay is changed, or the amount of oil

in a transformer that a device is

monitoring was modified, would this

cause a new baseline to be created?

The relay or device itself would not

change, just one of its monitoring/alarm thresholds.

A: The five items identified in CIP-010, R1,

Part 1.1 are the minimum requirements for

establishing and maintaining a baseline, and

are likely to be checked during an audit.

Information about hardware differences (e.g.,

the video card noted) may apply since it

could affect installed applications and

patches. Other information (e.g., IP address)

may be useful but not required in the

baseline configuration since it differs from

node to node.

While a baseline is typically considered in the

context of servers and other IT equipment, it

also applies to BES Cyber Assets such as

relays.

An example of an approach to evaluating the

criticality of a BES Cyber Asset setting is to

assess the impact that would result from the loss/change of that setting.


Lessons Learned-Config Mgt

Q: What exactly is the

definition of “security” patches

in CIP-010-1, R1, Part R1.1.5?

There are patches that are

labeled as Critical, Important

and Security; which of these (or

any other designations) fall

under the umbrella of CIP-010-1 “security” patches?

A: Requirements pertaining to security

patches are addressed in the same manner

as in previous versions of the CIP

standards. The concept is to distinguish

“security” patches from “functionality”

patches. The standards are focused on

security patches, however that description

is communicated by the vendor. Words like

“critical”, “important” or “security” are

likely good indicators that a patch may be

introducing more than simply new

functionality.

Also be aware that patches themselves

may address multiple types of issues, and

many (and perhaps most) vendors will not

label a patch as being limited to “security”

issues. That is especially true for an

appliance type update, which could include security functions within it.


Lessons Learned-Grouping of BCAs

• BES Cyber Assets are grouped into BES Cyber Systems based primarily on which BES Cyber Assets together perform a common function. For example, an EMS BES Cyber System may consist of a number of human–machine interface workstations, communications servers, processing servers, and database servers. In order for BES Cyber Systems to be properly categorized according to the impact levels in Attachment A of CIP-002-5, grouping should be based on the primary use of the BES Cyber Assets.

• The inventory list developed through this process should indicate the identified groupings. While not required, a name for each individual BES Cyber System may be assigned for reference when demonstrating compliance for the remainder of the requirements of the CIP Version 5 standards. A reason (or reason code) to document the rationale for the grouping would also be beneficial.


Lessons-Learned Scheduling Systems

Some Registered Entities use automated systems to schedule transmission interchanges (also known as e-tags) within their Balancing Authority Area, or with other entities. Entities will need to analyze these systems to determine if they are a BES Cyber System. From a real-time operations perspective, “BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.”

Assuming the data associated with the scheduling system is rendered unavailable, degraded, or misused, determine how this could affect reliability functions such as, but not limited to:

• Area Control Error calculations and their use

• Automatic Generation Control operation

• Available Transfer Capability calculations and their use

• Net Scheduled Interchange calculations and their use

• Identification and monitoring of System Operating Limits and Interconnection Reliability Operating Limits

• Identification and monitoring of Flowgates

• Current and next-day planning


Website Updates

http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-

Implementation-Study.aspx

http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx


Effective Dates for Version 5

CIP Version 5 Effective Dates

Requirement Effective Date

Effective Date of Standard April 1, 2016

Requirement-Specific Effective Dates

CIP-002-5 R2 April 1, 2016

CIP-003-5 R1 April 1, 2016

CIP-003-5 R2

for medium and high impact BES Cyber Systems April 1, 2016

CIP-003-5 R2

for low impact BES Cyber Systems April 1, 2017

CIP-007-5 Part 4.4 April 15, 2016

CIP-010-1 Part 2.1 May 6, 2016

CIP-004-5 Part 4.2 July 1, 2016

CIP-004-5 Part 2.3 April 1, 2017

CIP-004-5 Part 4.3 April 1, 2017

CIP-004-5 Part 4.4 April 1, 2017

CIP-006-5 Part 3.1 April 1, 2017

CIP-008-5 Part 2.1 April 1, 2017

CIP-009-5 Part 2.1 April 1, 2017

CIP-009-5 Part 2.2 April 1, 2017

CIP-010-1 Part 3.1 April 1, 2017

CIP-009-5 Part 2.3 April 1, 2018

CIP-010-1 Part 3.2 April 1, 2018

CIP-004-5 Part 3.5 Within 7 years after

previous Personnel Risk

Assessment


CIP V5 Revisions and RAI Timeline


Standards Drafting Progress


Project 2014-02 Overview

• Standards Development Web Page: http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-

Critical-Infrastructure-Protection-Version-5-Revisions.aspx

• SAR Posted & Comment Period complete SAR revisions in progress

• Technical Conferences January 21 & 23, 2014

Atlanta & Phoenix

Summary Posted on “Related Files” page

• First SDT meeting complete February 19-21, 2014, NERC DC Office

http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-Critical-Infrastructure-Protection-Version-5-Revisions.aspx


SDT

• Ten member team Four previous team members

Two Co-Chairs

• Large group of observers

• Meetings run similar to last SDT (V2-V5) Teleconference capability

Observer participation

Small group assignments

Very large “plus” list for communication

• Meeting scheduled mapped out through June First posting in June


SDT

• Four focused teams Teams charged with the four directives from FERC Order

Two SDT members plus observers

Two hour focused phone calls per week in between face-to-face meetings

Results discussed at face-to-face meetings

• Goal of addressing all four directives by end of 2014


Directives

• Identify, Assess & Correct (IAC) Language One-year response to directive

Team consensus to “remove” language

Reviewing previous V5 draft language to determine if/what requirements language updates needed

o E.g., action plans

Considering additional guidance language

Coordination with Compliance and Enforcement departments


Directives

• Low Impact No timeframe on response to directive

Requirements need to contain objective criteria and be auditable

Considering impact on implementation schedule

Coordination with IAC language work


Directives

• Communications Network

One-year response to directive

Definition and requirements

Close gap identified by FERC when “communications network” clause was removed from definition of Cyber Asset

Utilize NIST SP800-53 and ISO 27001 language (referenced in FERC Order)


Directives

• Transient Devices No timeframe on response to directive

Looking at “Maintenance Device” work done by previous SDT

Six specific issues discussed in FERC Order

Considering either new requirements or modification to existing requirements

Considering impact on implementation schedule


Project Schedule

Proposed Timeline for the

Project 2014-02 Standard Drafting Team (SDT)

Anticipated Date Location Event

1/15/2014 - SC Authorizes SAR

1/29/2014 - SC Appoints Standards Drafting Team

2/19/2014-2/21/2014 Washington, DC SDT Meeting

3/18/2014-3/20/2014 Sacramento, CA SDT Meeting

4/22/2014-4/24/2014 TBD SDT Meeting

5/12/2014-5/14/2014 TBD SDT Meeting

6/2/2014 - First 45-Day Comment Period & Ballot Opens

7/17/2014 - First 45-Day Comment Period & Ballot Closes

8/29/2014 - Second 45-Day Comment Period & Ballot Opens

10/13/2014 - Second 45-Day Comment Period & Ballot Closes

10/31/2014 - Final Ballot Opens

11/10/2014 - Final Ballot Closes

11/13/2014 - Presentation to NERC Board of Trustees for Adoption

12/31/2014 -NERC Files Petition with the

Applicable Governmental Authorities

CIP Technical Workshop Training/CIP Technical... · 2 RELIABILITY | ACCOUNTABILITY •Welcome...

Documents

Transcript of CIP Technical Workshop Training/CIP Technical... · 2 RELIABILITY | ACCOUNTABILITY •Welcome...