Critical Infrastructure Protection (CIP) Version 5 …...2014/09/25 · Critical Infrastructure...

Critical Infrastructure Protection (CIP) Version 5 Revisions

Standard Drafting Team UpdateMarisa Hecht and Ryan Stewart, NERCSeptember 25, 2014

RELIABILITY | ACCOUNTABILITY2

• Directed changes to four main areas: Identify, Assess, and Correct (IAC) – Filing deadline Feb. 3, 2015o Remove or modify the IAC language, retain the substantive provisions, and

clarify the obligations for compliance Communication Networks – Filing deadline Feb. 3, 2015o Define communication networks and create new or modified Reliability

Standards to protect the nonprogrammable components of communication networks (e.g. cables and wires)

Low Impact Assets – No filing deadlineo Add objective criteria from which to judge the sufficiency of controls

Transient Devices – No filing deadlineo Develop new or modified Reliability Standards for transient devices (e.g. thumb

drives and laptops)

FERC Order 791 Highlights


• Development Steps• CIP-003-6 Revisions Attachments 1 and 2 Two New Definitions

• CIP-010-2 Revisions Attachments 1 and 2 Revised Definitions

• -X Posting• Implementation Plan

Discussion Topics


• Standard Drafting Team (SDT) appointed to address these revisions in Project 2014-02. Maggy Powell, Exelon Philip Huff, AECC David Revill, GTC Jay Cribb, Southern Company Forrest Krigbaum, BPA David Dockery, AECI Greg Goodrich, NYISO Christine Hasha, ERCOT Steve Brain, Dominion Scott Saunders, SMUD

Standard Drafting Team Roster


• SDT and observers participated in aggressive development schedule from February to September Ten hours of conference calls per week, including subgroup calls focused

on each directive area Six face-to-face SDT meetings

• Participation from variety of stakeholders ensured that the SDT considered different perspectives from industry, government, and NERC

Overview of Development Activities


• Two technical conferences in January to gather stakeholder input prior to development

• Three webinars, including one during development• Extensive outreach by SDT members to industry• Speaking engagements at Regional Entities, CIPC, workshops,

and other forums

Overview of Outreach Activities


• Initial comment period and ballot ended July 16, 2014

• Standard drafting team (SDT) received over 200 pages of comments

• SDT met July 29-31, 2014 and August 19-21, 2014 to revise the standards based on stakeholder comments

• Latest revisions and consideration of comments posted for additional comment and ballot period Sept 3-Oct 17, 2014

Development Steps

Directive Area StandardWeighted

Segment Vote

Communication Networks

CIP-006-6 76.20%

CIP-007-6 78.35%

Identify, Assess, Correct CIP-009-6 85.29%

Lows Impact Assets CIP-003-6 35.72%

Transient Devices

CIP-004-6 80.71%

CIP-010-2 49.48%

CIP-011-2 82.51%

Definitions 78.52%


• Define external routable protocol path• Security awareness timeframes• More guidance• Inventory implications• Requirement placement

CIP-003-6 Comment Themes


• Requirement R1 addresses policies for all impact levels• Part 1.1 includes high and medium

CIP-003-6, Requirement R1


• Requirement R1, Part 1.2 now includes lows topics in policies

CIP-003-6, Requirement R1 (continued)


• Attachment 1 – Required Elements for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

• Attachment 2 – Examples of Evidence for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

CIP-003-6, Requirement R2 (continued)


• Cyber Security Awareness

CIP-003-6 Attachments, Element 1


CIP-003-6 New Definitions

• Low Impact BES Cyber System Electronic Access Point (LEAP) A Cyber Asset interface that allows Low Impact External Routable

Connectivity. The Cyber Asset may reside at a location external to the asset or assets containing low impact BES Cyber Systems. The Low Impact BES Cyber System Electronic Access Point is not an Electronic Access Control or Monitoring System.

• Low Impact External Routable Connectivity (LERC) Bi-directional routable communications between low impact BES Cyber

System(s) and Cyber Assets outside the asset containing those low impact BES Cyber System(s). Communication protocols created for Intelligent Electronic Device (IED) to IED communication for protection and/or control functions from assets containing low impact BES Cyber Systems are excluded (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).


• Physical Access Controls



• Electronic Access Controls



Use Case 1


Use Case 2


• Cyber Security Incident Response



• Cyber Security Incident Response

CIP-003-6 Attachments, Element 4(continued)


CIP-003-6 Implementation Plan

• Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, element 1 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.




• Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, element 3 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.




Standard/Req. Revision Compliance Date

CIP-003-6 1-Apr-16

CIP-003-6, R1, P1.2 Policy 1-Apr-17

CIP-003-6, R2 Plan 1-Apr-17

CIP-003-6, A1, E1 Sec Awareness 1-Apr-17

CIP-003-6, A1, E2 Phys Access 1-Apr-18

CIP-003-6, A1, E3 Elec. Access 1-Sep-18

CIP-003-6, A1, E4 Incident Resp 1-Apr-17


• Authorization• Inspection• Vendor-managed devices• “Prior to use”• More guidance

CIP-010-2 Comment Themes


CIP-010-2 Revised Definitions

• BES Cyber Asset (BCA): A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. A Transient Cyber Asset is not a BES Cyber Asset.


CIP-010-2 Revised Definitions (continued)

• Protected Cyber Assets (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Transient Cyber Asset is not a Protected Cyber Asset.



• Removable Media: Portable mediaMedia, directly connected for 30 consecutive calendar days or less, capable of transmitting executable code to: (1) a BES Cyber Asset, (2) a network within an ESP, or (3) a Protected Cyber Asset that can be used to store, copy, move, and/or access data. Removable Media are not Cyber Assets. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. A Cyber Asset is not Removable Media.



• Transient Cyber Asset: A Cyber Asset, (e.g., using Ethernet, serial, Universal Serial Bus, and wireless including near field and Bluetooth communication) directly connected for 30 consecutive calendar days or less, capable of transmitting executable code to: (1) a BES Cyber Asset, (2) a network within an ESP, or (3) a Protected Cyber Asset. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.


CIP-010-2, Requirement R4

• Attachment 1 – Required Elements for Plans for Transient Cyber Assets and Removable Media

• Attachment 2 – Examples of Evidence for Plans for Transient Cyber Assets and Removable Media



• Transient Cyber Asset(s) Owned or Managed by the Responsible Entity 1.1 – Transient Cyber Asset management 1.2 – Transient Cyber Asset authorization 1.3 – Security vulnerability mitigation 1.4 – Introduction of malicious code mitigation 1.5 – Risk of unauthorized use mitigation

• Measures Important to note if an entity does not use Transient Cyber Asset(s),

examples of evidence include, but are not limited to a statement, policy, or other document that states the Responsible Entity does not use Transient Cyber Asset(s).



• Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors 2.1 – Security vulnerability mitigation 2.2 – Malicious code mitigation 2.3 – Additional mitigation actions necessary?

• Measures Important to note if a Transient Cyber Asset is unable to perform any of

the capabilities, evidence may include system documentation developed by the vendor or Responsible Entity that identifies why the Transient Cyber Asset cannot perform the capability.



• Removable Media 3.1 – Removable Media authorization 3.2 – Malicious code mitigation

• Entities have a high level of control for Removable Media that are going to be connected to their BES Cyber Assets.


Role of Guidance

• In response to comments, SDT expanded Guidelines and Technical Basis

• Stakeholders are encouraged to thoroughly consider the Guidelines and Technical Basis sections

• Guidance is to help clarify the requirement language, but not change the scope or intent of the requirement


Implementation Timeline


-X Posting

• Purpose of the posting is as a practical contingency• -X decouples the IAC and Communication Network revisions

from the Low Impact and Transient Device revisions• Single ballot for the –X package• Approval of the –X standards enables the SDT to meet the

FERC filing deadline of February 3, 2015 should the Lows or Transient Device revisions fail in the second ballot

• All proposed revisions will be subject to final ballot


• NERC will no longer pursue Section 1600 to meet directive regarding BES Cyber Asset definition

• NERC will coordinate with implementation study participants, regions, and other entities, as necessary, to answer questions in FERC Order No. 791

• Filing deadline of February 3, 2015

BES Cyber Asset Directive


Next Steps

• Additional comment period – September 3-October 17, 2014• Ballot period – October 8-17, 2014• SDT meeting October 22-24, 2014 – ERCOT (Austin, TX)• Targeted final ballot – October 31-November 10, 2014• Targeted NERC Board of Trustees meeting to approve revisions

– November 13, 2014• The SDT appreciates your support

CIP Version 5 Transition

Steven Noess, Director of Compliance AssuranceTobias Whitney, Manager of CIP Assurance2014 Standards and Compliance Fall WorkshopSeptember 25, 2014


Purpose of the Transition Program

Transitioning entities confident in implementation

Vision 2016: smooth transition to CIP Version 5

“Support all entities in the timely, effective, and efficient transition to CIP Version 5”


• Confidence in transition• Compliance on effective date• Transparency and guidance

Goals of the Transition Program


CIP Market Segmentation

Type 1“New High and

Medium”

Large Substation

Mix

No V3 compliance

history

<100 Entities

Type 2“Legacy V3”

Large Substation

Mix

Significant V3 History

<300 Entities

Type 3“Large Entity

w/Low”

Large Substation &

Gen Mix

Significant V3 History

<300 Entities

Type 4“Small Entity

w/Low”

Small Substation &

Gen Mix

No V3 Compliance

History

>1400 Entities

2016 2017


Transition Guidance Highlights

• CIP Version 5 supported during the transition period Entities supported in early transition Recommendations and Areas of Concern compared to PVs

• Off-site Audits suspended Additional outreach Proactively identify Type 1 entities

• Flexible approach in identifying scope during the transition: V3 Risk-Based Assessment Methodology (RBAM) Continue to use the V4 bright-line criteria Use V5 High-Medium-Low impact rating criteria


Transition Factors

• Pre-enforcement audit assistance Monitor/preview implementation in non-audit context Promote engagement on implementation progress Ensure meaningful dialogue on challenges and hurdles Provide input to V5 Transition Advisory Group Incorporate key questions and topics across regions


Compliance Monitoring During the Transition Period


• New and upgraded/replaced Critical Cyber Assets resulting from planned change must be fully compliant upon commissioning. Consistent with both V3 and V5 implementation plan documents During the Transition Period, compliance may be with either the CIP V3 or

CIP V5 standards. Flexibility, but V5 compliant on V5’s effective date Examples include planned replacement of the SCADA/EMS and planned

conversion from a non-routable to a routable protocol in a Transmission substation or generating plant.

Changes to Existing CAs/CCAs


• NERC, Regions, and stakeholder group Topics to support confidence in implementing Version 5 Partner with regions and stakeholders Meets approximately monthly

• Team composition: Implementation study participants Standard Drafting Team representation NERC and Regional Entity staff

• Role Prioritizes and supports unity of approach on references to enhance

stakeholder understanding and implementation of the standards Additional topics for enhanced training/guidance

V5 Transition Advisory Group


• Far-end Relay• Programmable Devices• Generation Segmentation • Virtualization (Networks and Servers)• Serial Devices that are accessed remotely• Control Centers operated by TOs and non-registered BAs• Interactive Remote Access (Scripts and Mgt consoles)• Generation Interconnection (definition)• Shared Substations• Mixed Trust EACMs• General FAQs

Lesson Learned Status


Key Next Steps

• Implementation Study Report (October 2014) CIP Program Management Level Feedback Identification of Lesson Learned

• Monthly Lesson Learned Comment Posting Period Far-end Relay (October) Generation Segmentation (October)

• CIP Version 5 FAQs Five-ten posted per month

• Final Version 5 RSAWs (Q4)• RAI – CIP V5 Program Document (Q4)


Transition Elements

Continuous Outreach

Compliance and Enforcement

Periodic Guidance

Training

Physical SecurityCIP-014-1

Stephen Crutchfield, NERC Standards Developer 2014 Standards and Compliance Fall WorkshopSeptember 25, 2014


• Background on CIP-014-1, Physical Security Standard FERC Order Summary NOPR Concerns

• Applicability and Requirements• Implementation

Agenda


• On March 7, 2014 – FERC Order: Perform a risk assessment to identify facilities that, if rendered inoperable

or damaged, could result in instability, uncontrolled separation, or cascading failures on the Bulk-Power System (BPS).

Evaluate the potential threats and vulnerabilities to those identified facilities.

Develop and implement a security plan designed to protect against physical attacks to those identified facilities based on the assessment of the potential threats and vulnerabilities to their physical security.

Background


• Additionally, FERC directed that the proposed Standard(s) should also Include confidentiality provisions for sensitive or confidential information. Include a procedure for a third party to verify the list of identified facilities

and allow the verifying entity, as well as FERC, to add or remove facilities from the list of critical facilities.

Include a procedure for a third party to review the evaluation of threats and vulnerabilities and the security plan.

Require that the identification of the facilities, the assessment of the potential risks and vulnerabilities, and the security plans be periodically reevaluated and revised to ensure their continued effectiveness.

Background


• Overview of Physical Security Notice of Proposed Rulemaking (NOPR) July 17, 2014 Proposes to approve CIP-014-1 and NERC to modify the standard in two

respects:o Include a procedure to allow governmental authorities to add or subtract

facilities from an entity’s list of critical facilities.o Remove the term “widespread” from CIP-014-1.

In addition to comments on the proposed directives, FERC is seeking comments on:o Applicability to Generator Owners (GOs) and Generator Operators (GOPs) – FERC

proposes to approve the applicability of CIP-014-1 without the inclusion of GOs and GOPs.

o Third-Party Recommendations – FERC proposes to approve CIP-014’s approach to third-party review and verification.

NOPR


Proposes to direct NERC to submit two informational filings addressing need to include all “High Impact” control centers and addressing resiliency measures that can be taken to maintain the reliable operation following loss of critical facilities.

NOPR (continued)


• CIP-014-1 Purpose: “To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.”*

*Note: (“widespread” proposed for removal by FERC in NOPR issued July 17, 2014)

Overview


• The applicability of proposed CIP-014-1 starts with those Transmission Owners that own Transmission facilities that meet the bright line criteria in Reliability Standard CIP-002-5.1 for a “medium impact” rating.

• The Standard Drafting Team (SDT) sought to ensure that entities could apply the same set of criteria to assist with identification of facilities under CIP Version 5 and proposed CIP-014-1.

• By application of the requirements, only certain Transmission Operators that are notified under the standard’s Requirement R3 have obligations under the standard.

Applicability


• The first three requirements of CIP-014-1 require Transmission Owners to: Perform risk assessments to identify those Transmission

stations/substations that meet the “medium impact” criteria from CIP-002-5.1, and their associated primary control centers

Arrange for a third party verification of the identifications; and Notify Transmission Operators (TOPs) of identified primary control

centers. Periodically repeat the risk assessments Only an entity that owns or operates one or more of the identified

facilities has further obligations in Requirements R4 through R6. If an entity identifies a null set after applying Requirements R1 through

R2, the rest of the standard does not apply.

Requirements R1-R3


• The final three requirements of CIP-014-1 require: The evaluation of potential threats and vulnerabilities of a physical attack

to the facilities identified and verified according to the earlier requirements,

The development and implementation of a security plan(s) designed in response to the evaluation, and

A third party review of the evaluation and security plan(s) (as directed in the order).

Requirements R4-R6


• Critical facility identification must be verified by third party Directed by FERC order Verifier must be Planning Coordinator (PC), Transmission Planner (TP),

Reliability Coordinator (RC), or entity with transmission planning experience

Verification may recommend addition/subtraction

• Threat evaluation and security plan must be reviewed by third party Directed by FERC order Reviewer must meet certain experience criteria Review may recommend changes to security plan

Third-Party Verifications and Reviews


• Physical Security Order, Paragraph 10: “…NERC should include in the Reliability Standards a procedure that will

ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.”

Addressed in Requirement R2, Part 2.4 and Requirement R6, Part 6.4.

• CIP-014-1, Section 1.4. Additional Compliance Information Confidentiality: To protect the confidentiality and sensitive nature of the

evidence for demonstrating compliance with this standard, all evidence will be retained at the Transmission Owner’s and Transmission Operator’s facilities.

Confidentiality


• TO identify critical facilities on or before the effective date of CIP-014-1 (six months following FERC approval)

• Tiered implementation timeline for balance of requirements (within 15 months)

• Security Plan implementation may specify timelines for completion of security measures

• ERO to monitor implementation

CIP-014-1 Implementation


• NOPR proposing approval issued July 17, 2014• NOPR proposes to direct two modifications: Governmental authorities may add or subtract from critical facilities Revise certain wording that may narrow scope (“widespread”)

• Directed two informational filings: “High Impact” Control Centers (six months of effective date of final rule) Possible resiliency measures, in addition to those required by standard,

following loss of critical facilities (one year of effective date of final rule)

FERC Proposes Approval


• Critical facility identification: complete before effective date (six months following FERC approval) Standard filed with FERC May 23, 2014 NOPR proposing approval (with directives) issued July 17, 2014

• Tiered timeline for balance of requirements (within 15 months)• Training and other coordination Audit and Enforcement Common approaches (Planning Committee, regional groups, etc.)

Implementation


• NERC Board of Trustees directed NERC management to monitor and assess implementation on ongoing basis: Number of assets critical under the standard Defining characteristics of the assets identified as critical Scope of security plans (types of security and resiliency contemplated) Timelines included for implementing security and resiliency measures Industry’s progress in implementing the standard

ERO to Monitor Implementation


CIP-014-1 Implementation Timeline


Information

• NERC Standards Developer, Steve Crutchfield Email at [email protected] Telephone: 609-651-9455

Project Web Page is: http://www.nerc.com/pa/Stand/Pages/Project-2014-04-Physical-Security.aspx CIP-014-1 Standard may be found here:

http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-014-1&title=Physical%20Security&jurisdiction=United%20States

mailto:[email protected]

http://www.nerc.com/pa/Stand/Pages/Project-2014-04-Physical-Security.aspx

http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-014-1&title=Physical%20Security&jurisdiction=United%20States

Critical Infrastructure Protection (CIP) Version 5 …...2014/09/25 · Critical Infrastructure...

Documents

Transcript of Critical Infrastructure Protection (CIP) Version 5 …...2014/09/25 · Critical Infrastructure...