Bryan Carr PMP, CISA Compliance Auditor – Cyber Security
TFEs – Soup to Nuts CIP 101 – Salt Lake City, UT
September 24, 2013



About Me

•  Joined WECC in August 2012
•  Before WECC – CIP Compliance Program Manager at PacifiCorp
•  Prior years' experience in project and program management

Topics for Today

•  TFEs – A Comprehensive History
•  Current (New) TFE Process Overview
•  TFE Scenarios & Pointers
•  CIP v5 and TFEs

A.C.R.O.N.Y.M.S.

•  TFE – Technical Feasibility Exception
•  ROP – NERC Rules of Procedure
•  EMS – Energy Management System
•  DCS – Distributed Control System
•  SCADA – Seriously?

TFEs – Why?

•  Phrases used in the Standards:
   o “…where technically feasible…”
   o “…due to technical limitations…”
•  FERC Order 706 – January 18, 2008
   o ‘technically feasible’ and ‘technical feasibility’ appear ~185 times throughout Order 706 (includes comments and references)
   o TFE process developed by NERC and proposed as Appendix 4D to the Rules of Procedure

Exception from…

“A TFE does not relieve the Responsible Entity of its obligation to comply with the Applicable Requirement. Rather, a TFE authorizes an alternative (to Strict Compliance) means of compliance with the Applicable Requirement through the use of compensating measures and/or mitigating measures that achieve at least a comparable level of security for the Bulk Electric System as would Strict Compliance with the Applicable Requirement.” (Appendix 4D, Section 3.2)

How many Requirements allow TFEs?

According to Appendix 4D – 14

TFEs – Where?

Appendix 4D – Section 1.3 Scope
•  CIP-005 R2.4 – Technical/procedural controls for external interactive
•  CIP-005 R2.6 – Appropriate use banner (Paragraph 81)
•  CIP-005 R3.1 – Monitoring for dial-up CCAs
•  CIP-005 R3.2 – Detect and alert for unauthorized access attempts
•  CIP-006 R1.1* – Completely enclosed six-wall border
•  CIP-007 R2.3 – Disabling unused ports/services
•  CIP-007 R3* – (R3.2) Implementation of security patches
•  CIP-007 R4 – Anti-virus/malware software
•  CIP-007 R5.3 – Passwords
•  CIP-007 R5.3.1 – Password length
•  CIP-007 R5.3.2 – Password complexity
•  CIP-007 R5.3.3 – Password expiration
•  CIP-007 R6 – Monitor system events (logging)
•  CIP-007 R6.3 – Maintain logs of system events

*Does not use “technically feasible” or “technical limitations” language. BOLD indicates most common TFEs requested.

TFE Scenario 1

•  Your EMS network has 15 switches and 3 routers, none of which support installation of anti-virus software.
•  Is a TFE allowed/required? Yes
•  Standard(s) & Requirement(s)? CIP-007 R4
•  How many TFEs? 1

TFE Scenario 2

•  Your plant DCS has 5 controllers that do not support or enforce six-character complex passwords; in fact, they don’t support passwords at all.
•  Is a TFE allowed/required? Yes
•  Standard(s) & Requirement(s)? CIP-007 R5.3
•  How many TFEs? 1

TFE Scenario 3

•  TCP ports 22, 161, and 1080 are open on five workstations, three network switches, and seven relays. Vendor states that these ports are not required for normal or emergency operation, but cannot be disabled due to system instability concerns.
•  TFE allowed/required? Yes
•  What Standard(s) & Requirement(s)? CIP-007 R2.3
•  How many TFEs? 3

TFEs – In Transition

•  New process = current process
•  FERC recently (Sep 3, 2013) approved proposed revisions to Appendix 4D
•  PLEASE read, re-read, and read again current Appendix 4D (Effective: September 3, 2013)
•  Use current (new) process starting November 1, 2013
•  WECC is working to develop processes using available tools – webCDMS, etc.

New TFE Process Highlights

•  No Part A or Part B
•  No quarterly or annual reports
•  Expedited review and approval process
•  Four device categories: Network, Server/Workstation, Relay, Other
•  Emphasis placed on annual Self-Certification and verification at audit

How many active TFEs in the WECC region?

1,292

Basis for Approval

Section 3.0
•  Not technically feasible*
•  Operationally infeasible/adverse effect*
•  Cannot be achieved by compliance date
•  Safety risks
•  Conflict with other statute or regulation
•  Incur excessive cost

*Most common basis for TFE request

Device Types/Categories

Section 4.1
•  Relay
   o Protection, differential, line, etc.
•  Workstation/Server
•  Network/Communications
   o Switch, router, firewall, protocol converter, etc.
•  Other
   o Time clock, printer, controller, etc.

Know Your Environment

•  Device/installation manuals
•  Other vendor/manufacturer information
•  Trust but verify, because we will

TFE Request

Two Possibilities:
1.  New TFE request (Initial Submission)
2.  Material Change Request/Report

Material Change

•  “A change in facts that modifies Required Information in connection with an approved TFE. Examples of a Material Change could include, but are not limited to an increase in device count (but not a decrease), change in compensating measures, change in statement of basis for approval for the TFE, a change in the expiration date of the TFE, or a Responsible Entity achieving Strict Compliance with the Applicable Requirement.” (Appendix 4D, Section 2.17)
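The three TFE scenarios and the Material Change definition above lend themselves to a small tracking script. The following is an added example, not code from the presentation or from WECC; it assumes (as the scenario answers imply, but the slides never state outright) that one TFE covers all devices of one Appendix 4D category under one requirement, and the device-type-to-category mapping and the scenario inventories are constructed here from the slide text.

```python
from collections import Counter

# Appendix 4D Section 4.1 categories, keyed by the device types the slides list
# under each one (assumed mapping; extend for other device types).
CATEGORY_OF = {
    "relay": "Relay",
    "workstation": "Workstation/Server", "server": "Workstation/Server",
    "switch": "Network/Communications", "router": "Network/Communications",
    "firewall": "Network/Communications",
    "controller": "Other", "time clock": "Other", "printer": "Other",
}

def tfes_needed(gaps):
    """gaps: (requirement, device_type, device_count) triples for devices that
    cannot meet a requirement. Returns {(requirement, category): device_count}.
    Assumption: one TFE per requirement per device category."""
    tally = Counter()
    for requirement, device_type, count in gaps:
        tally[(requirement, CATEGORY_OF[device_type])] += count
    return dict(tally)

def count_tfes(gaps):
    """Number of separate TFE filings the inventory requires."""
    return len(tfes_needed(gaps))

def material_changes(approved, current):
    """Compare approved TFE device counts with the current inventory. Per
    Section 2.17 an increase in device count is a Material Change (a decrease
    is not); a (requirement, category) with no approved TFE needs a new request."""
    actions = []
    for key, now in current.items():
        before = approved.get(key)
        if before is None:
            actions.append((key, "new TFE request"))
        elif now > before:
            actions.append((key, f"Material Change Report: devices {before} -> {now}"))
    return actions

# Constructed inventories matching Scenarios 1-3 on the slides.
SCENARIO_1 = [("CIP-007 R4", "switch", 15), ("CIP-007 R4", "router", 3)]
SCENARIO_2 = [("CIP-007 R5.3", "controller", 5)]
SCENARIO_3 = [("CIP-007 R2.3", "workstation", 5),
              ("CIP-007 R2.3", "switch", 3),
              ("CIP-007 R2.3", "relay", 7)]
```

Running `count_tfes` over the three inventories reproduces the slide answers (1, 1, 3); feeding `material_changes` an approved set and a later inventory shows which count increases trigger a Material Change Report and which decreases do not.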

Material Change Report (MCR)

•  New term introduced: Material Change Report
•  Defined as: “A report submitted by the Responsible Entity to the Regional Entity in the event there is a Material Change to the facts underlying an approved TFE – pursuant to Section 4.0.” (proposed Appendix 4D, Section 2.18)
•  Think…amendment

Material Change Report

•  Timing of MCR Submission?
   o No specific timelines initially outlined in revised Appendix 4D; however, the current proposal (in response to FERC request) is to require an MCR “…within thirty (30) days of identification or discovery of the Material Change.” (Section 6.5)
   o General Rule: Upon being placed into production as a CCA, EACM, non-CCA in the ESP, or PACS, device(s) must either (a) be strictly compliant with all Standards & Requirements, or (b) have the necessary TFE(s) filed as allowed by the Standard/Appendix 4D.

Information to Track

•  15 fields = Required Information
   o Category (asset class)
   o Device ID (entity defined – hostname or other unique identifier)
   o Physical location of device (i.e. name of Critical Asset)
   o Actual or estimated date in which device is placed into production
   o Proposed TFE expiration date (if any)
   o Actual TFE expiration date (if any)
   o CIP Standard
   o CIP Requirement
   o Has the TFE been filed with other Regions
   o Basis for approval (not technically possible, etc.)
   o Compensating/mitigating measures
   o Completion date of compensating/mitigating measures
   o TFE related to self-cert or self report
   o Has this TFE been previously approved
   o TFE ID of previously approved TFE

OATI webCDMS Changes

•  webCDMS will be modified to include necessary fields for MCRs/new TFEs
•  Spreadsheet is an example to show necessary fields

What about existing TFEs?

•  All accepted, approved, and amended TFEs will stay as is through the transition period
   o Any TFEs pending approval, acceptance or amendment will be reviewed by WECC as usual and final disposition determined.
   o Once fully approved, no further action unless Material Changes are necessary, then (after Nov. 1) the new process is followed.

CIP v5 and TFEs

•  How many requirements allow/require TFEs in CIP v5?
•  CIP v5 leverages “…per asset capability” verbiage to reduce the need for TFEs
•  Drafting team didn’t intend for “where technically feasible” to automatically trigger the need for a TFE

At Your Service

•  Just a phone call away
•  Always willing to provide our “audit approach”

Questions?

Bryan Carr, PMP
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 819-7691
[email protected]