Low-impact NERC CIP Requirements · 10/19/2016 · necessary inbound and outbound bi-directional...

Low-impact NERC CIP Requirements

Look Out For What's Coming!!

Panelists:- Bryan Carr,SeniorConsultant- LeonardChamberlin,SeniorConsultantModerator:- PatrickMiller,ManagingPartner

October19,2016

8338NEAlderwoodRoad,Suite120,Portland,OR97220|800.805.7411www.archersecuritygroup.com |[email protected] 10/19/16

Introductions§ Bryan Carr - Panelist

o Ex-utility compliance staffo Ex-WECC CIP auditor

§ Leonard Chamberlin - Panelisto Ex-utility staffo Ex-FERC CIP audit staff

§ Patrick Miller - Moderatoro Ex-utility compliance staffo Ex-WECC Manager of Audits and Investigations


Assumptions of Understanding

§ NERC CIP§ Terminology (e.g. - BES, BCA, etc.)§ High, Medium, Low Criteria


Impact Levels – High/Med/Low• The degree to which CIP must

be implemented depends on the impact rating of the system, i.e. the risk associated with it

• There are well over 100 individual requirements in the CIP standards

• However, only 6 aspects are in-scope for Low-impact BES Cyber Systems (BCS) under v6


Asset Identification§ CIP-002-5.1

o R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning]

o 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

§ (BTW – this was due on 7/1/2016!)


Cyber Security Plan§ CIP-003-6

o R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

o 1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any: - 1.2.1. Cyber security awareness; - 1.2.2. Physical security controls; - 1.2.3. Electronic access controls for Low Impact External Routable

Connectivity (LERC) and Dial-up Connectivity; and - 1.2.4. Cyber Security Incident response


Cyber Security Awareness

§ CIP-003-6 Attachment 1, Section 1oCyber Security Awareness: Each Responsible

Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).


Cyber Security Awareness§ CIP-003-6 Attachment 2, Section 1§ Section 1 - Cyber Security Awareness: An example of

evidence for Section 1 may include, but is not limited to, documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months. The evidence could be documentation through one or more of the following methods: o Direct communications (for example, e-mails, memos, or

computer-based training); o Indirect communications (for example, posters, intranet,

or brochures); or o Management support and reinforcement (for example,

presentations or meetings).


Cyber Security Awareness• Cyber Security Awareness must be

implemented 1x/15 mos.– Email distribution– Signage– Training (leverage existing CIP-004 training)– Other methods?


Physical Security Controls• CIP-003-6 Attachment 1, Section 2• Physical Security Controls: Each

Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.


Physical Security Controls• CIP-003-6 Attachment 2, Section 2• Physical Security Controls: Examples of

evidence for Section 2 may include, but are not limited to: – Documentation of the selected access

control(s) (e.g., card key, locks, perimeter controls), monitoring controls (e.g., alarm systems, human observation), or other operational, procedural, or technical physical security controls that control physical access to both: • The asset, if any, or the locations of the low impact

BES Cyber Systems within the asset; and • The Cyber Asset, if any, containing a LEAP.


Physical Security Controls• Control physical access• Pros vs. Cons of using the Asset vs.

the areas that contain Low BCS


Electronic Access Controls§ LERC = Low Impact External Routable

Connectivity§ LEAP = Low Impact BES Cyber System

Electronic Access Point


Electronic Access Controls§ CIP-003-6 Attachment 1, Section 3

o Electronic Access Controls: Each Responsible Entity shall: o 3.1 For LERC, if any, implement a LEAP to permit only

necessary inbound and outbound bi-directional routable protocol access; and

o 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.


Electronic Access Controls§ CIP-003-6 Attachment 2, Section 3§ Electronic Access Controls: Examples of evidence for

Section 3 may include, but are not limited to: o Documentation showing that inbound and outbound

connections for any LEAP(s) are confined to only those the Responsible Entity deems necessary (e.g., by restricting IP addresses, ports, or services); and

o Documentation of authentication for Dial-up Connectivity (e.g., dial out only to a preprogrammed number to deliver data, dial-back modems, modems that must be remotely controlled by the control center or control room, or access control on the BES Cyber System).


Electronic Access Controls


Incident Response§ CIP-003-6, Attachment 1, Section 4

o Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:

o 4.1 Identification, classification, and response to Cyber Security Incidents; o 4.2 Determination of whether an identified Cyber Security Incident is a

Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law;

o 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

o 4.4 Incident handling for Cyber Security Incidents; o 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36

calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and

o 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.


Incident Response§ CIP-003-6, Attachment 2, Section 4§ Cyber Security Incident Response: An example of evidence for Section

4 may include, but is not limited to, dated documentation, such as policies, procedures, or process documents of one or more Cyber Security Incident response plan(s) developed either by asset or group of assets that include the following processes: o 1. to identify, classify, and respond to Cyber Security Incidents; to determine

whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and for notifying the Electricity Sector Information Sharing and Analysis Center (ES-ISAC);

o 2. to identify and document the roles and responsibilities for Cyber Security Incident response by groups or individuals (e.g., initiating, documenting, monitoring, reporting, etc.);

o 3. for incident handling of a Cyber Security Incident (e.g., containment, eradication, or recovery/incident resolution);

o 4. for testing the plan(s) along with the dated documentation that a test has been completed at least once every 36 calendar months; and

o 5. to update, as needed, Cyber Security Incident response plan(s) within 180 calendar days after completion of a test or actual Reportable Cyber Security Incident.


Incident Response§ One or more Incident

Response Plans§ Configure assets to

forward logging / alerting to monitoring system

§ See Something – Say Something!


Think about the future…§ 4/1/2017 – Security Awareness & IncResp§ 9/1/2018 – Electronic & Physical Security

Where do we go from here?

§ FERC Order 822 – Issued Jan 21, 2016oDirected NERC to make changes to the CIP

Standards, three specifically directed at Low Impact BCS-Transient Cyber Assets- LERC definition-Communication networks between Control

Centers

10/19/168338NEAlderwoodRoad,Suite120,Portland,OR97220|800.805.7411www.archersecuritygroup.com |[email protected]

Transient Cyber Assets

§ “…we direct NERC to develop modifications to the CIP Reliability Standards to address our concerns regarding: (1) the need for mandatory protection for transient electronic devices used at Low Impact BES Cyber Systems in a manner that effectively addresses, and is appropriately tailored to address, the risk posed by those assets…”


LERC

§ “…we direct NERC to modify the definition of Low Impact External Routable Connectivity in order to eliminate ambiguities in the language.”


Communication Networks

§ “…the Commission directs NERC to develop modifications to CIP-006-6 to require protections for communication network components and data communicated between all bulk electric system Control Centers according to the risk posed to the bulk electric system.”


NERC SDT

§ NERC initiated Project 2016-02 Modifications to CIP StandardsoConvened to address a myriad of issues,

including those directed in FERC Order 822oDivided into sub-teams to more efficiently

address needsoGet plugged in!-Send request to join the current CIP SDT

distribution list to: [email protected]


NERC SDT Roster


LERC v1§ Direct user-initiated interactive access or a direct

device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition(examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).


LERC v2§ Routable protocol communication that

crosses the boundary of an asset containing one or more low impact BES Cyber System(s), excluding communications between intelligent electronic devices used for time-sensitive protection or control functions between non-Control Center BES assets containing low impact BES Cyber Systems including, but not limited to, IEC 61850 GOOSE or vendor proprietary protocols.


The Envelope Please…§ Three items up for industry comment and

ballot:o LERC v2 definitionoModifications to CIP-003-7 R1.2.3 and

Attachment 1 – Sections 2 & 3o Implementation plan

§ Industry Responseo Bring us another


Transient Cyber AssetsSDT proposed definition:

A Cyber Asset that is:1. capable of transmitting or transferring executable code;2. not included in a BES Cyber System;3. not a Protected Cyber Asset (PCA) associated with high or medium impact BES Cyber Systems; and4. directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless including near field or Bluetooth communication) for 30 consecutive calendar days or less to a:• BES Cyber Asset,§ network within an Electronic Security Perimeter containing high or

medium impact BES Cyber Systems, or§ PCA associated with high or medium impact BES Cyber Systems.

Examples of Transient Cyber Assets include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.


Transient Cyber Assets

§ Possible posting for industry comment and ballot by end of this month (Oct).


Communication Networks

§ Ongoing discussions§ ”Super ESP” concept floated§ Challenges found in categorizing

“sensitive bulk electric system data” communicated between Control Centers

§ Address “data at rest” as well§ Taken somewhat of a back seat to LERC

and other priorities10/19/168338NEAlderwoodRoad,Suite120,Portland,OR97220|800.805.7411

www.archersecuritygroup.com |[email protected]

Super ESP


Downstream Effects

§ Carefully consider each modification to Low Impact BCS requirements

§ Even small changes will translate into significant burden due to number and geographical dispersion of Low Impact BCS

§ Get plugged in, be educated, comment and vote


Summary

§ Three major areas of change for Low BCSo LERC definitiono Transient Cyber AssetsoCommunications between Control Centers


Q&A


Low-impact NERC CIP Requirements · 10/19/2016 · necessary inbound and outbound bi-directional...

Documents

Transcript of Low-impact NERC CIP Requirements · 10/19/2016 · necessary inbound and outbound bi-directional...