low impact bes cyber systems cip-003-6 r1 and r2 · low impact bes cyber systems cip-003-6 r1 and...
Post on 29-Mar-2020
13 Views
Preview:
TRANSCRIPT
Low Impact BES Cyber Systems
CIP-003-6 R1 and R2
June 3, 2015
Steven Keller, CISA, CRISC, CISSP Lead Compliance Specialist – CIP 501-688-1633 skeller.re@spp.org
CIP V5 Low Impact Assets Coverage
• What is a Low Impact BES Cyber Asset?
• How we got here
• Where we are going
• Things to Consider
• Audit Approach
2
What is a Low Impact Asset?
• BES Cyber System (BCS) that has not been categorized as High or Medium Impact Criteria
• R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower][Time Horizon: Operations Planning]
3
How we got here - FERC
• FERC issued Order 791 in Nov. 2013 which is now effective
• Order had four directives: 1. Identify Assess and Correct language
2. Communication Networks
3. Low Impact BES Cyber Systems
4. Transient Devices
• Registered Entities with only Low Impact BCS only have to comply CIP-002-5.1 and CIP-003-6
4
How we got here – FERC, cont.
• FERC concerned with lack of objective criteria for evaluating Low Impact protections – “Introduces unacceptable level of ambiguity and
potential inconsistency into the compliance process” – Open to alternative approaches – “… the criteria NERC proposes for evaluating a
responsible entities’ protections for Low Impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified”
5
Implementation Date for Low Impact BCS
6
Audit Approach Hints…
• An inventory, list, or discrete identification of Low Impact BCS or their BES Cyber Assets is not required
• BUT!!!! – A list containing the name of “each asset that contains a
Low Impact BES Cyber System” is required, such as a list of: Generating plants
Transmission stations
Certain distribution stations
Certain “small” control centers that contain Low Impact BCS
Blackstart resources and cranking paths
7
Audit Approach Hints…
• Must demonstrate that Low Impact BCS locations have been afforded electronic and physical protections, and are included in recovery plans To Repeat:
• DON’T have to identify a discrete list of Low Impact BCS
• DO have to demonstrate compliance with CIP-003-6 R2 for each Low Impact BCS – A list of Low Impact BCS at each asset may be helpful
8
CIP-003-6 R1.2
• R1.2 For its assets identified in CIP-002 containing Low Impact BES Cyber Systems, if any: – 1.2.1. Cyber security awareness;
– 1.2.2. Physical security controls;
– 1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
– 1.2.4. Cyber Security Incident response
9
CIP-003-6 R2
• Each Responsible Entity with at least one asset identified in CIP-002 containing Low Impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its Low Impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning] – Note: An inventory, list, or discrete identification of Low
Impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.
10
CIP-003-6 R2 Attachment 1
• Section 1 – Cyber Security Awareness – Shall reinforce cyber security practices at least every 15
months
– May include physical security practices
11
CIP-003-6 R2 Attachment 1
• Section 2 – Physical Security Controls – Shall control physical access, based on need as
determined by the Responsible Entity to: the Low Impact BCS within the asset
the Low Impact BCS Electronic Access Points (LEAPs), if any
12
CIP-003-6 R2 Attachment 1
• Section 3 – Electronic Access Controls – 3.1 For Low Impact External Routable Connectivity
(LERC), if any, implement a LEAP (Low Impact Electronic Access Point) to permit only necessary inbound and outbound bi-directional routable protocol access
– 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Asset capability
13
New Definitions - LERC • “LERC – Low Impact External Routable Connectivity - Direct
user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection.”
• Example: SCADA communicating to a low impacting RTU in the substation
14
LERC Exemption
• “Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition”
• Examples of this communication include, but are not limited to: – IEC 61850
– GOOSE
– Vendor proprietary protocols
15
New Definitions - LEAP
• “LEAP – Low Impact BES Cyber System Electronic Access Point - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.”
16
CIP-003-6 R2 Attachment 1
• Section 4 – Cyber Security Incident Response Plan(s) – 4.1 Identification, Classification and Response to a
Cyber Security Incident
– 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law;
– 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;
17
CIP-003-6 R2 Attachment 1, con’t.
• Section 4 – Cyber Security Incident Response Plan(s) – 4.4 Incident handling for Cyber Security Incidents;
– 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident
18
CIP-003-6 R2 Attachment 1, con’t.
• Section 4 – Cyber Security Incident Response Plan(s) – 4.6 Updating the Cyber Security Incident response
plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.
19
Example: Acme Power’s Low Impact BCS
• The following Acme Low Impact BCS have: – Electronic access controls
– Physical security controls
– Cyber security awareness (strong passwords, virus protection, etc.)
– Are included in a cyber incident response plan
1. Substation Alpha
2. Substation Beta
3. Substation Charlie
4. Edison Coal Plant
5. Acme Primary Control Center
20
Example: Acme’s R2 Evidence
• For Acme’s 5 listed BCS, evidence of: – Electronic access controls
Network diagram, access control list
Documentation of electronic protection
– Physical security controls Documentation of card readers, key locks, etc.
– Cyber security awareness Security policies, awareness training (posters, learning modules)
– Cyber incident response plan Copy of the plan
21
Summary
• Be sure to follow CIP-002-5.1 and CIP-003-6 for Low Impact BCS
• A list of discrete, Low Impact BCS is not required but may be helpful
• You must have a list of assets containing Low Impact BCS
• Even if the asset contains Low Impact BCS, it must be on the Low Impact list even if the asset also contains High or Medium BCS
22
February 10th 2015 NERC CIP V5 Compliance Project - Progress Project Status
Low Impact Facilities/Assets and
BES Cyber Systems
CIP-003 R1 and R2
June 3, 2015
Enel Green Power North America
Natalie Johnson, NERC Compliance Manager Natalie.Johnson@enel.com David Campbell, CIP Compliance Program Manager David.Campbell@enel.com
June 3, 2015 CIP-003 Low Impact BES Assessment
Contents
2
› Introduction and Who We Are
› CIP Project Progress
› Low Impact Assessment › Moving Forward
June 3, 2015 CIP-003 Low Impact BES Assessment 3
Introduction
› EGPNA has 1 Medium Impact Control Room
› EGPNA has 8 Low Impact Wind Facilities
› The Focus of this presenation is how we are preparing to meet CIP Requirements for Low Impact
› This is an example of what one company is doing and our approach
This document contains proprietary information of Enel Green Power SpA and should only be used by the recipient in relation to the purposes for which it was received. Any form of reproduction or dissemination without the explicit consent of Enel Green Power SpA is prohibited.
June 3, 2015 CIP-003 Low Impact BES Assessment
Who Are We?
Technology Capacity
Hydro 317 MW
Wind 1,665 MW
Geothermal 72 MW
Solar 29 MW
Total 2,083 MW
Enel Green Power North America (EGP-NA), a subsidiary of Enel Green Power, is an industry leading owner and operator
of renewable energy plants in North America with projects operating and under development in 21 U.S. states and two
Canadian Provinces. With nearly 100 plants in operation representing an installed capacity of more than 2GW, EGP-NA’s
portfolio includes a diverse mix of hydropower, geothermal, wind and solar renewable energies.
Since 2010, EGP-NA has undergone rapid expansion in the U.S., more than doubling its total installed capacity and
already has more than 400 MW currently in construction. The company employs more than 350 people in North America
that hold strong managerial, technical and financial expertise.
Enel Green Power North America
June 3, 2015 CIP-003 Low Impact BES Assessment
EGP-NA NERC Compliance Structure
EGPNA CEO
ICT Director - Generation CIP Sr. Manager
NERC Compliance
Manager
CIP Compliance Program Manager
ICT Operations
*Deployment plan ongoing to build compliance support staff for CIP roles and responsibilities
EGPNA Compliance
Officer
Legal Oversight, Approvals
Management, Coordination, Facilitation, Training
June 3, 2015 CIP-003 Low Impact BES Assessment
EGP-NA NERC Compliance Structure NERC CIP Stakeholders
6
CIP Compliance Program Manager
Info
rmat
ion
Com
mun
icat
ions
Te
chno
logy
Hum
an R
esou
rces
Ope
ratio
ns a
nd M
aint
enan
ce
Faci
litie
s
Lega
l
CIP Stakeholders
June 3, 2015 CIP-003 Low Impact BES Assessment
CIP Project Progress
Policies Procedures Workflows Templates
NERC CIP Area # BES Cyber System Categorization 1 Security Management Controls 3 Personnel & Training 2 Electronic Security Perimeter 1 Physical Security 2 System Security Management 1 Incident Management 1 Recovery Plans 1 Configuration change mgmt & VA 1 Information Protection 1
Total # of Policies 14
NERC CIP Area # BES Cyber System Categorization 2 Security Management Controls 2 Personnel & Training 9 Electronic Security Perimeter 3 Physical Security 5 System Security Management 10 Incident Management 3 Recovery Plans 3 Configuration change mgmt & VA 4 Information Protection 3
Total # of Procedures 44
NERC CIP Area # BES Cyber System Categorization 1 Security Management Controls 0 Personnel & Training 9 Electronic Security Perimeter 3 Physical Security 4 System Security Management 7 Incident Management 3 Recovery Plans 2 Configuration change mgmt & VA 3 Information Protection 2
Total # of Workflows 34
NERC CIP Area # BES Cyber System Categorization 3 Security Management Controls 2 Personnel & Training 5 Electronic Security Perimeter 1 Physical Security 2 System Security Management 4 Incident Management 2 Recovery Plans 3 Configuration change mgmt & VA 4 Information Protection 1
Total # of Templates 27
Docs Alignement
EGP-NA has developed approx. 120 documents in order to support the CIP transition
June 3, 2015 CIP-003 Low Impact BES Assessment
Low Impact Facilities Assessment
Methodology
Evaluation based on CIP-002-5.1 BES Assets and/or BES Cyber Systems Bright Line Criteria
Two Approaches
Approach 1 - Inventory and categorize facilities, then identify and classify Cyber Systems (facility-centric, or top-down), A methodology to determine qualifying BES assets and BES Facilities
Output
Facilities Evaluation Step 1
BES Cyber Systems Evaluation
Step 2
Approach 2 - The second approach is the opposite, beginning with a BES Cyber Systems inventory, then a cross-reference to facilities (cyber systems centric, or bottom up)
BES Cyber Systems Evaluation
Step 1 Facilities Evaluation
Step 2
(discrete list(s) are
not required)
June 3, 2015 CIP-003 Low Impact BES Assessment
Facilities Evaluation Process CIP-002-5.1 Attachment 1 – Impact Rating Criteria
• Generation resources and Control Centers evaluated against Attachment 1, Sections 1.1 to 1.4 (High Impact) and 2.1 through 2.13 (Med Impact) bright line criteria
• Any facilities that do not meet the criteria in 1.1 to 1.4 (High Impact) and 2.1 through 2.13 (Med Impact) and also meet the applicability qualifications in Section 4 (Applicability, part 4.2) are evaluated against sections 3.1 to 3.6 (Low Impact) bright line criteria
Facilitiessection 1.1 to 1.4 criteria
section 2.1 to 2.13 criteria
section 3.1 criteria
section 3.2 criteria
section 3.3 criteria
section 3.4 criteria
section 3.5 criteria
section 3.6 criteria
Generation Resource A no no no no yes no no noGeneration Resource B no no no no yes no no noGeneration Resource C no no no no yes no no noGeneration Resource D no no no no yes no no noGeneration Resource E no no no no yes no no no
CIP-002-5.1 Attachment 1Facilties Evaluation Categorizing Low Impact
Att 1 section 3.3 Generation resources.
June 3, 2015 CIP-003 Low Impact BES Assessment
Facilities Evaluation Example
CIP-002-5.1 Attachment 1 – Impact Rating Criteria
• List all facilities in far left column
• List all bright line criteria across the header
• Apply each asset against each criteria from Attachment 1, sections 1, 2 and 3
• Excel file has a revision history with signature
Key Features of Evaluation Spreadsheet
*CIP-002-5.1 – pg4 - an entity might choose to view an entire plant control system as a single BES Cyber System Pg31 – Under Low Impact Categorization, assets with routable connectivity are protected under cyber security awareness, physical access control, electronic access control, and incident response
June 3, 2015 CIP-003 Low Impact BES Assessment
BES Cyber System / Asset Determination Approach 2
• Routable communications paths into the BES Asset that permit External Routable Connectivity (ERC) or Interactive Remote Access (IRA)
• Non-Routable communications paths and endpoints into the BES
Asset that permit IRA • Identification of communication boundaries and access point
placement • Identification of physical boundaries and access point placement
*Reference: MRO Standards Application Guide - Cyber Asset Procedure, Section 4 Diagram 2 pg. 7,11
*example workflow
June 3, 2015 CIP-003 Low Impact BES Assessment
Low BES Asset Candidate Assessment
BES Asset Classification
Low BES Asset Candidate Information BES Asset Connectivity Criteria
BES Asset Category BES Asset Name BES Asset Abbreviation
BES Facility Association Communication service details for the BES Asset?
CIPV5 R1.i - R1.vi Category of the BES
Asset
Name of Registered_Entity_X BES Asset where the communications line(s) enters
Abbreviation of Registered_Entity_X BES Asset
Is there a BES Facility located at
the BES Asset?
Does the BES Asset have a
communications line(s) transporting
a routable protocol?
Does the BES Asset have a
communications line(s)
transporting a serial protocol?
Does the BES Asset have a communications
line(s) transporting a dial-up connection?
Inventory of Communications Lines (required only if the BES Asset Classification is Low BES Asset (LBA)
BES Asset Boundary Protections
Communication Service Type
Communication Line Service Provider
Communication Line Identifier
Destination Asset Name
Description (optional)
Functional Group Name Connectivity Attributes Accessibility Attributes
Low Impact Access Point(s) (LEAPs)
Example: Leased, Privately owned
etc.
Name of the communications line service provider. If
privately owned, enter Registered_Entity_X.
Unique ID associated to the
billing of the service, or if
privately-owned any unique ID that
exists for inventorying
purposes
Name of Registered_Entity_X Asset where the commuinication line terminates.
This is necessary if placing Low Impact
Access Points to electronic
boundaries in an upstream central
location.
Enter a brief description of the communications
line, or other data about the related
application or function of the
service.
Name Registered_E
ntity_X Functional
Group responsible
for the Cyber Asset
Dial-up Serial Routable
Protocol
Routable Protocol
Type (i.e. IP)
Routable Protocol Network
Address(es) (i.e. IP Subnet
Address)
Low-impact
External Routable
Connectivity (LERC)
Interactive Remote Access (IRA)
cyber boundary
physical boundary
*Reference: MRO Standards Application Guide – Low Impact.xls attachment
Low Impact Candidate Identification Rationale: Low Impact BES Assets consist of BES Assets that contain BES Facilities that did not qualifying as High or Medium impact pursuant to Attachment 1 High and Medium Impact Criteria *if determined to be located in a Low BES Facility .
June 3, 2015 CIP-003 Low Impact BES Assessment
Moving Forward CIP-003 R2 – Cybersecurity Policy for Low Impact BES Cyber Systems
Requirement Approach
1.2.1 Cybersecurity Awareness
As determined by EGP-NA utilize CIP-004 Policy for Medium Impact • Online training courses tracked in Learning
Management System • Distribute media electronically
1.2.2 Physical Security Controls
As determined by EGP-NA utilize CIP-006 R1.2 & R1.3 procedures for Physical Security at Medium Impact BES Assets • Documentation of key locks and authorized
users
1.2.3 Electronic Access Controls for Low Impact External Routable Connectivity
(LERC)
As determined by EGP-NA utilize CIP-005 R1&R2 procedures for Med Impact BES Assets • Document users access • Track access approval, change, and
revocation
1.2.4 Cybersecurity Incident Response
As determined by EGP-NA utilize CIP-008 R1-R3 procedures for Med Impact BES Assets • Tabletop exercises relevant to low impact
environment • Service desk support covering Med Impact
Facility
June 3, 2015 CIP-003 Low Impact BES Assessment
Questions?
Thank you!
top related