MIDWEST RELIABILITY ORGANIZATION
CLARITY ▪ ASSURANCE ▪ RESULTS
Improving RELIABILITY and mitigating RISKS to the Bulk Power System

CIP 101 for Low Impact BES Cyber Systems

Bill Steiner, MRO Risk Assessment and Mitigation Principal
MRO CIP Low Impact Workshop
March 1, 2017


Topics

• Purpose and history of the NERC Critical Infrastructure Protection (CIP) Standards
• Applicability of CIP V5 Low Impact
• Key definitions
• Useful CIP V5 materials


Purpose of NERC CIP Standards

Address security of cyber assets essential to the reliable operation of the electric grid
• CIP standards are controls for Cyber Security
• CIP standards are not software functionality controls

NERC CIP is the only set of mandatory cybersecurity standards in place across the critical infrastructures (water, gas, etc.) of the United States


In the Beginning


(UA1200)


History of the CIP Standards

UA1200 (2003)
• High-level, and prior to mandatory compliance
• Approved one day before the August 14, 2003 blackout (unrelated)

CIP V1 (2008)
• First enforceable Cybersecurity standards for Bulk Power System, use of RBAM (Risk-Based Assessment Methodology) to determine Critical Assets

CIP V2 (2009)
• Minor changes to CIP V1 - Annual review of additional processes, removed ability to “accept risk” in lieu of requirements

CIP V3 (2010)
• Minor changes to CIP V2 – escort of visitors
• In effect from October 1, 2010 until June 30, 2016 (almost 6 years)

CIP V4 (2012)
• Use of a Bright-Line Criteria (BLC) instead of RBAM
• Never became enforceable, due to timing of CIP V5

CIP V5+ (2013)
• Impact Rating Criteria (IRC) instead of BLC or RBAM, changes in technical requirements, concept of BES Cyber Systems instead of CCAs


History of the CIP Standards: CIP V5+

CIP V5 increased the number of CIP Standards from 8 (CIP-002 through CIP-009) to 10 (CIP-002 through CIP-011)
• CIP-002-5 through CIP-009-5
• CIP-010-1
• CIP-011-1


History of the CIP Standards: CIP V5+

When FERC approved CIP V5, it directed NERC to make changes

So... CIP V5 (currently enforceable) is now:
• CIP-002-5.1a
• CIP-003-6
• CIP-004-6
• CIP-005-5
• CIP-006-6
• CIP-007-6
• CIP-008-5
• CIP-009-6
• CIP-010-2
• CIP-011-2


History of the CIP Standards: CIP V5+

Upcoming CIP-related Standards in the balloting/approval process:
• CIP-013-1 Supply Chain Risk Management
• CIP-003-7 Low Impact LEAP/LERC and TCA changes


Applicability of CIP V5

Like the rest of the NERC Standards, start with the definition of Bulk Electric System (BES)

In general, BES includes:
• Transmission elements connected at 100kV or higher
• Generation unit greater than 20MVA
• Generation facility greater than 75 MVA
• Blackstart Resources

For more information, see NERC’s BES Definition page
• www.nerc.com -> Initiatives -> BES Definition
• http://www.nerc.com/pa/RAPA/Pages/BES.aspx
• http://www.nerc.com/pa/RAPA/BES%20DL/bes_phase2_reference_document_20140325_final_clean.pdf


Applicability of CIP V5

MRO Standards Committee CIP Subject Matter Expert Team (SMET) CIP-002-5.1 Standard Application Guide (SAG)
• https://www.midwestreliability.org/MRODocuments/CIP-002-5.1%20Standard%20Application%20Guide.pdf

MRO Standards Committee CIP Subject Matter Expert Team (SMET) CIP-003-6 R2 Standard Application Guide (SAG)
• https://www.midwestreliability.org/MRODocuments/CIP%20003-6%20R2%20Standard%20Application%20Guide.pdf


Applicability of CIP V5

Functional Registration
• BA (Balancing Authority)
• GO (Generator Owner)
• GOP (Generator Operator)
• IA (Interchange Authority)
• RC (Reliability Coordinator)
• TO (Transmission Owner)
• TOP (Transmission Operator)


Applicability of CIP V5

Functional Registration (continued)
• DP (Distribution Provider) with any of the following
— Underfrequency Load Shedding (UFLS) or Undervoltage Load Shedding (UVLS) that:
  • Is part of a load shedding program, subject to NERC Standards; AND
  • Performs automatic load shedding under a common control system, without human operator initiation, of 300 MW or more
— Remedial Action Scheme (RAS) subject to NERC Standards
— Transmission Protection System subject to NERC Standards
— Cranking Path


UFLS/UVLS CIP V5 Applicability

Each UFLS or UVLS System that:
• Is part of a Load shedding program that is subject to NERC Standards; AND
• Performs automatic Load shedding under a common control system owned by the entity, without human operator initiation, of 300 MW or more

In other words, the Standards are meant to apply security controls to prevent an attacker from compromising a single cyber asset/system and shedding 300MW or more


UFLS/UVLS Applicability Example

Entity has 400MW of UFLS
• 20 relays on separate feeders, with 20MW of load each
• Each relay typically senses the local frequency and makes the determination to trip, independent of the other relays

In this case, the most load that can be shed under a common control system is 20MW

None of the UFLS relays in this example would be subject to CIP V5
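The same applicability check as a script, generalized from the slide's case to any relay inventory. This is an added example, not part of the original presentation; the `Relay` fields, the `control_system` identifiers and the centralized contrast case are assumptions made for illustration, and every relay is assumed to trip automatically without operator initiation.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

THRESHOLD_MW = 300  # the slide's "300 MW or more"


@dataclass(frozen=True)
class Relay:
    name: str
    load_mw: float
    in_nerc_program: bool          # part of a load shedding program subject to NERC Standards
    control_system: Optional[str]  # hypothetical id of a shared controller; None = trips on its own


def shed_per_control_system(relays):
    """Total automatically sheddable MW per common control system.

    A relay that decides to trip on its own local measurement is its own
    one-relay control system, as in the slide's example.
    """
    totals = defaultdict(float)
    for r in relays:
        if not r.in_nerc_program:
            continue  # first criterion not met, so this load does not count
        key = r.control_system or f"standalone:{r.name}"
        totals[key] += r.load_mw
    return dict(totals)


def systems_in_scope(relays):
    """Control systems that can shed THRESHOLD_MW or more."""
    totals = shed_per_control_system(relays)
    return sorted(k for k, mw in totals.items() if mw >= THRESHOLD_MW)


# The slide's case: 20 independent relays, 20 MW each (400 MW in total).
SLIDE_EXAMPLE = [Relay(f"feeder-{i:02d}", 20, True, None) for i in range(1, 21)]

# Constructed contrast: 15 of the same relays are tripped by one central scheme.
CENTRALIZED = [
    Relay(f"feeder-{i:02d}", 20, True, "central-ufls" if i <= 15 else None)
    for i in range(1, 21)
]

if __name__ == "__main__":
    print(max(shed_per_control_system(SLIDE_EXAMPLE).values()))
    print(systems_in_scope(SLIDE_EXAMPLE))
    print(systems_in_scope(CENTRALIZED))
```

The total UFLS load is 400MW in both inventories; only the amount a single control system can shed decides applicability.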


Applicability of CIP V5

If you are not registered as a TO, TOP, GO, GOP, BA, RC, IA, or a DP with one of these types of systems, then CIP V5 does NOT apply
• No need to go any further with determination of which Facilities are impacted
• CIP V5 does not apply, not even Low Impact

For everyone else, the focus is on the Impact Rating Criteria (Attachment 1 of CIP-002-5.1)


Impact Rating Criteria

Attachment 1 is used to categorize all BES Cyber Systems as Low, Medium, or High Impact
• Only Control Centers can be High
• Largest Impact BES Facilities are Medium
• Everything not High or Medium is Low
— “All BES Cyber Systems for Facilities not included in Attachment 1 – Impact Rating Criteria, Criteria 1.1 to 1.4 and Criteria 2.1 to 2.11 default to be low impact.” (CIP-002-5.1a p.5)


Guidelines and Technical Basis

CIP-002-5.1 is 34 pages long
• CIP-002-3 was 3 pages long

CIP V5 Standards contain “notes” from the Standard Drafting Team (SDT) giving further guidance on the language of the Requirements, and why certain decisions were made in the drafting process

There are some inconsistencies

When in doubt, use the language of the Requirement


NERC Glossary of Terms

A number of new defined terms for CIP V5
• http://www.nerc.com/files/glossary_of_terms.pdf
• These definitions are crucial to understanding and applying the CIP V5 requirements

Retirement of:
• Critical Asset (CA)
• Critical Cyber Asset (CCA)
• LEAP/LERC – Low Impact definitions expected to be retired upon approval of CIP-003-7


CIP V5 Key Definitions: Cyber Asset

Cyber Asset
• Programmable electronic devices, including the hardware, software, and data in those devices


Programmable Electronic Device

Programmable Electronic Device: Not a Glossary Term
• Consider:
— Has an HMI
— Software or firmware settings that are user configurable
— Remote connection capability
— Updateable software or firmware
• Workstations
• Intelligent Electronic Devices (IEDs)


CIP V5 Key Definitions: BES Cyber Asset

BES Cyber Asset (BCA)
• A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.
• Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact.
• Each BES Cyber Asset is included in one or more BES Cyber System(s).
• A BES Cyber Asset cannot be a Transient Cyber Asset.


BES Cyber Asset (BCA) Examples

• Microprocessor-based protective relay
• Data Concentrator
• Energy Management System (EMS) server
• System Operator Console
• Data Historian
• Remote Terminal Unit (RTU)


CIP V5 Key Definitions: Transient Cyber Asset

Transient Cyber Asset:
• A Cyber Asset that
— (i) is capable of transmitting or transferring executable code,
— (ii) is not included in a BES Cyber System,
— (iii) is not a Protected Cyber Asset (PCA),
— (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA, and
— Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes


CIP V5 Key Definitions: BES Cyber System

BES Cyber System (BCS)
• One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity

Examples of BCS:
• All protective relays at a substation
• EMS
• Generation Control System (GCS)
• Windows servers in an EMS or GCS


BCA vs. BCS

A BCS is a group of BCAs

Substation example:
• Substation has three relays
• Two are BCAs
• BCS grouping is up to you (more on that later)

[Figure labels: “Not a BCA since it’s not a Cyber Asset”; “BCS Option 1”; “BCS Option 2”]


CIP V5 Key Definitions: Dial-Up Connectivity

Dial-up Connectivity
• A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link

Just because a modem is being used does not mean it is using Dial-up Connectivity


CIP V5 Key Definitions: Physical Security Perimeter

Physical Security Perimeter
• The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled
• Not a Low Impact concept, but a LIBCS could reside within a PSP

Examples include server rooms, substation control houses, etc.


CIP V5 Key Definitions: Electronic Security Perimeter

Electronic Security Perimeter (ESP)
• The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol
• Not a Low Impact concept, but a LIBCS could reside within an ESP
— If so, the LIBCS would become a PCA

Think of an ESP as a network boundary


CIP V5 Key Definitions: Electronic Access Point

Electronic Access Point (EAP)
• A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter

Example of PSP, ESP, EAP:

[Figure labels: “Substation A”; “Routable Protocol to Control Center EMS”]


CIP V5 Key Definitions: Physical Access Control Systems

Physical Access Control Systems (PACS)
• Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers


CIP V5 Key Definitions: Electronic Access Control or Monitoring Systems

Electronic Access Control or Monitoring Systems (EACMS)
• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems
— Includes Intermediate Systems


CIP V5 Key Definitions: Protected Cyber Assets

Protected Cyber Asset (PCA)
• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter
• The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP
• A Protected Cyber Asset is not a Transient Cyber Asset


Protected Cyber Assets: “High Watermark”

PCAs are used to implement a “High Watermark” concept

Even though they are not a BCA, they must be protected if they are in the ESP with a BCS that is not Low Impact
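The high-watermark rule applied to a small asset inventory, including the earlier point that a low impact BCS inside an ESP becomes a PCA. This is an added example, not part of the original presentation; the asset names, the `CyberAsset` fields and the sample inventory are constructed, and Transient Cyber Assets are assumed to be absent from the inventory.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class CyberAsset:
    name: str
    esp: Optional[str]         # hypothetical id of the ESP network it sits on, None if outside
    bcs_rating: Optional[str]  # impact rating of the BCS it belongs to, None if not a BCA


def classify(assets):
    """Return {name: (role, rating)} using the high-watermark rule per ESP."""
    # Highest BCS impact rating present on each network.
    top = {}
    for a in assets:
        if a.esp is not None and a.bcs_rating is not None:
            cur = top.get(a.esp)
            if cur is None or RANK[a.bcs_rating] > RANK[cur]:
                top[a.esp] = a.bcs_rating

    result = {}
    for a in assets:
        high = top.get(a.esp) if a.esp is not None else None
        if high is None or high == "low":
            # ESP is not a Low Impact concept: without a medium or high BCS
            # on the network, each asset keeps its own classification.
            role = "BCA" if a.bcs_rating else "neither"
            result[a.name] = (role, a.bcs_rating)
        elif a.bcs_rating == high:
            result[a.name] = ("BCA", high)
        else:
            # Lower-rated BCS members and non-BCA devices in the same ESP
            # are PCAs and inherit the highest rating in that ESP.
            result[a.name] = ("PCA", high)
    return result


# Constructed inventory for a single substation.
SAMPLE = [
    CyberAsset("relay-1", "sub-a-esp", "medium"),
    CyberAsset("relay-2", "sub-a-esp", "medium"),
    CyberAsset("rtu-low", "sub-a-esp", "low"),   # LIBCS inside the ESP
    CyberAsset("printer", "sub-a-esp", None),    # not a BCA, but on the ESP network
    CyberAsset("meter-1", None, "low"),          # low impact BCA outside any ESP
    CyberAsset("laptop", None, None),
]

if __name__ == "__main__":
    for name, (role, rating) in classify(SAMPLE).items():
        print(f"{name:8} {role:8} {rating}")
```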


Assets (assets)

Assets (assets) - facilities
• Control Centers and Backup Control Centers
• Transmission stations and substations
• Generation resources
• System restoration facilities (Blackstart, Cranking Paths, and initial switching requirements)
• Protection Systems


Control Center

Control Center:
• One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including associated data centers, of:
— a Reliability Coordinator,
— a Balancing Authority,
— a Transmission Operator for transmission Facilities at two or more locations, or
— a Generator Operator for generation Facilities at two or more locations


Other Definitions

BES Cyber System Information (BES CSI)

CIP Exceptional Circumstance

CIP Senior Manager

Cyber Security Incident

External Routable Connectivity

Interactive Remote Access

Intermediate System


Useful CIP V5 Materials

Useful Materials:
• MRO Standards Committee CIP SME Team CIP-002-5.1 SAG
• MRO Standards Committee CIP SME Team CIP-003-6 SAG (presented today!)
• NERC BES Definition
• NERC Glossary of Terms
• “Guidelines and Technical Basis” section of Standards


Questions?
