CIP-012-1 Developments and Direction
Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
WECC Compliance Workshop – Boise ID – March 29, 2018
Western Electricity Coordinating Council
Impact to Reliability
Ensure entities are aware of new CIP Reliability Standards and WECC's potential audit approach to securing sensitive bulk
electric system data
Agenda
• CIP-012-1 Draft 3
• Technical Rationale
• Implementation Guidance
Control Center
• One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of:
1) a Reliability Coordinator,
2) a Balancing Authority,
3) a Transmission Operator for transmission Facilities at two or more locations, or
4) a Generator Operator for generation Facilities at two or more locations.
(NERC, 2018 March 16, Control Center Definition Revision)
Modifications to the Control Center Definition for the NERC Glossary of Terms
• Previously, for low impact assets it didn’t matter whether it was accurately identified as a plant vs. substation vs. Control Center because the requirements all applied equally
• CIP-012 is the first differentiated standard for Control Centers at low impact, so it’s important to ensure the requirements apply to the intended facilities
Problem
Proposed Control Center
• One or more facilities, including their associated data centers, that monitor and control the Bulk Electric System (BES) and also host operating personnel who:
1) perform the Real-time reliability-related tasks of a Reliability Coordinator; or
2) perform the Real-time reliability-related tasks of a Balancing Authority; or
3) perform the Real-time reliability-related tasks of a Transmission Operator for Transmission Facilities at two or more locations; or
4) can act independently as the Generator Operator to develop specific dispatch instructions for generation Facilities at two or more locations; or
5) can operate or direct the operation of a Transmission Owner’s BES Transmission Facilities in Real-time.
• Operating personnel do not include:
1) plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications; or
2) Transmission Owner or Transmission Operator field switching personnel.
CIP-012-1 Modifications
• The second ballot received 63.91% approval.
• Based on comments and voting:
– The SDT combined Requirements R1 and R2
– Removed “and control” from Requirement R1
– Removed “demarcation” from Requirement part 1.2
– Removed “roles” from Requirement part 1.3
– The SDT updated the Technical Rationale and Justification document
– The SDT updated the Implementation Guidance document
• The SDT did not add the Planned and Unplanned Change language to the Standard
CIP-012-1 Draft 3
Sensitive Bulk Electric System Data
• Real-time Assessment data
– “An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase angle and equipment limitations. (Real-time Assessment may be provided through internal systems or through third-party services.)”
• Real-time monitoring
• Excludes verbal communications
Security Objective
• Mitigating the risk of unauthorized disclosure or modification of applicable data
– Ensuring confidentiality and integrity
• Does CIP-012-1 prescribe a specific solution?
– Encryption is not explicitly required, but there may not be many alternatives that will meet the requirements from a logical approach
– Implement controls appropriately tailored to address the risks posed
– There are no provisions for Technical Feasibility Exceptions
• Does CIP-012-1 differentiate between entities that own the communication links/gear from those that do not?
Technical Rationale
• No significance or sequence to the requirement parts order
• Typically the RC, BA or TOP will identify all data requiring protection for CIP-012-1 through the TOP-003 and IRO-010 Reliability Standards
• Latitude where security protection is applied
• Security protection may be applied to a Cyber Asset that is not an identified BES Cyber Asset or EACMS
Implementation Guidance
• Implementation Guidance does not prescribe the only approach, but highlights one or more approaches that would be effective in achieving compliance with the standard. Because Implementation Guidance only provides examples, entities may choose alternative approaches that better fit their individual situations.
Documented Plan
• Identify data communications paths to be protected (implied requirement)
– Real-time Assessment data
– Real-time monitoring data
– Identify applied security protection for each path
• If path is to another entity, identify responsibilities for each path
– Implementation
– Maintenance
– Key Management
– Etc.
• Data centric approach
– Identification of applicable data and applied security protection(s) afforded
Applied Security Protections
• Identification of applied security protections
  – Physical
    • Physical security measures in place protecting the communication link
    • Applicable Control Center Diagrams (floor plan)
      – Confirmed through visual inspection
      – Labels
    • CIP-006-6 R1.10 does not apply
  – Logical
    • Security control monitoring, using an automated monitoring tool to generate reports on the encryption service used to protect a communications link
    • Export of device configuration
    • Control Center Diagrams
• Identification responsibilities when the Control Centers are owned or operated by different Responsible Entities
  – If an entity manages only one end of a communication link, it is not responsible for identifying the applied security protection for the neighboring entity with which it exchanges data.
  – A joint procedure, a memorandum of understanding or meeting minutes between the two parties where responsibilities are defined.
  – If an entity is responsible for both ends of a communication link, it must identify where security protection is applied at both ends of the link.
Application of Security
• Locations of applied security protection
– Impact levels of the Control Center
– Different technologies
– Infrastructures
• Does not add additional assets to the scope of the CIP Reliability Standards.
Reference Model of PCC and BCC
Figure 2
[Diagram: Entity Alpha’s Primary Control Center, Entity Alpha’s Backup Control Center and Entity Beta’s Control Center, each shown with an Application Server, Operator Workstations, a Database Server, an ICCP Server and an ESP Firewall, connected by WAN Routers through a Communications Carrier. Labels: Entity Alpha’s CIP-012 security protection applied at the external interface of the WAN router (shown twice); Entity Beta’s CIP-012 security protection applied at the external interface of the WAN router.]
Figure 3
[Diagram: Entity Alpha’s Primary Control Center, Entity Alpha’s Backup Control Center and Entity Beta’s Control Center, each shown with an Application Server, Operator Workstations, a Database Server, an ICCP Server and an ESP Firewall, connected by WAN Routers through a Communications Carrier. Labels: Telco Demarcation Point (shown twice); Physically secured area (shown twice); Encrypted Communications; Entity Alpha’s CIP-012 physical security protection applied (shown twice); Entity Alpha’s CIP-012 logical security protection applied (shown twice); Entity Beta’s CIP-012 security protection applied.]
Security and Resiliency: CIP-012-1 and TOP-001-4
• CIP-012-1
– Addresses the data transfer paths between specified Control Centers and the security of the data exchanged across those paths.
• TOP-001-4
– Addresses the physical components of redundant and diversely routed data exchange infrastructure.
• WECC will discuss further with ERO Enterprise as a whole and ensure that all of the regions have a consistent approach.
Stay Engaged
• WECC encourages all Responsible Entities who own or operate an applicable Control Center to comment on Draft 3.
• Although the final version of CIP-012-1 is yet to be approved by both the NERC Board of Trustees and FERC, entities may choose to begin preparations based on the Draft 3 Requirement R1.
Questions and Contact Information
Morgan King
(801) 819-7675 – Office
(801) 608-6652 – Cell
References
• Slide 4: NERC, 2018 Jan 31, Glossary of Terms - http://www.nerc.com/files/glossary_of_terms.pdf
• Slide 5: (NERC, 2017 Aug 11, Technical Rationale for CIP-012-1, p. 5) - http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/2016-02_Technical_Rationale_and_Justification_CIP-012-1_08142017.pdf
• Slide 7: NERC, Control Center Modifications - http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx
• Slide 9: NERC, CIP-012-1 Draft 3 - http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-012-1_Standard_Clean_03162018.pdf
• Slide 14: NERC, CIP-012-1 Technical Rationale - http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-012-1_Technical_Rationale_Clean_03162018.pdf
• Slide 15: NERC, CIP-012-1 Implementation Guidance - http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-012-1_Implementation_Guidance_clean_03162018.pdf
• Slide 21: NERC, TOP-001-4 - http://www.nerc.com/pa/Stand/Reliability Standards/TOP-001-4.pdf
• Slide 24: WECC, Phil O'Donnell TOP-001-4 - https://www.wecc.biz/Administrative/15 2017-11-16 TOP-001-4 Changes from Version 3.O'Donnell.pdf