CIP-012-1 Developments and Direction

Morgan King CISSP-ISSAP, CISA

Senior Compliance Auditor, Cyber Security

WECC Compliance Workshop – Boise ID – March 29, 2018

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Impact to Reliability

Ensure entities are aware of new CIP Reliability Standards and WECC's potential audit approach to securing sensitive bulk

electric system data

2

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Agenda

• CIP-012-1 Draft 3

• Technical Rationale

• Implementation Guidance

3

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Control Center

• One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of:

• 1) a Reliability Coordinator, • 2) a Balancing Authority, • 3) a Transmission Operator for transmission Facilities at two or

more locations, or • 4) a Generator Operator for generation Facilities at two or more

locations.(NERC, 2018 March 16, Control Center Definition Revision)

4

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Modifications to the Control Center Definition for the NERC Glossary of Terms

• Previously, for low impact assets it didn’t matter whether it was accurately identified as a plant vs. substation vs. Control Center because the requirements all applied equally

• CIP-012 is the first differentiated standard for Control Centers at low impact, so it’s important to ensure the requirements apply to the intended facilities

5

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Problem

6

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Proposed Control Center

7

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

• One or more facilities, including their associated data centers, that monitor and control the Bulk Electric System (BES) and also host operating personnel who:

1) perform the Real-time reliability-related tasks of a Reliability Coordinator; or2) perform the Real-time reliability-related tasks of a Balancing Authority; or3) perform the Real-time reliability-related tasks of a Transmission Operator for Transmission Facilities at two or more locations; or4) can act independently as the Generator Operator to develop specific dispatch instructions for generation Facilities at two or more locations; or5) can operate or direct the operation of a Transmission Owner’s BES Transmission Facilities in Realtime.

• Operating personnel do not include:

1) plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications; or2) Transmission Owner or Transmission Operator field switching personnel.

CIP-012-1 Modifications

• The second ballot received 63.91% approval.• Based on comments and voting:

– The SDT combined Requirements R1 and R2 – Removed “and control” from Requirement R1– Removed “demarcation” from Requirement part 1.2– Removed “roles” from Requirement part 1.3 – The SDT updated the Technical Rationale and Justification document– The SDT updated the Implementation Guidance document

• The SDT did not add the Planned and Unplanned Change language to the Standard

8

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

CIP-012-1 Draft 3

9

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Sensitive Bulk Electric System Data

• Real-time Assessment data– “An evaluation of system conditions using Real-time data to assess existing (pre-

Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase angle and equipment limitations. (Real-time Assessment may be provided through internal systems or through third-party services.)”

• Real-time monitoring

• Excludes verbal communications

10

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Security Objective

• Mitigating the risk of unauthorized disclosure or modification of applicable data– Ensuring confidentiality and integrity

• Does CIP-012-1 prescribe a specific solution?– Encryption is not explicitly required, but there may not be many alternatives that

will meet the requirements from a logical approach– Implement controls appropriately tailored to address the risks posed – There are no provisions for Technical Feasibility Exceptions

• Does CIP-012-1 differentiate between entities that own the communication links/gear from those that do not?

11

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Technical Rationale

• No significance or sequence to the requirement parts order

• Typically the RC, BA or TOP will identify all data requiring protection for CIP-012-1 through the TOP-003 and IRO-010 Reliability Standards

• Latitude where security protection is applied

• Security protection may be applied to a Cyber Asset that is not an identified BES Cyber Asset or EACMS

12

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Implementation Guidance

• Implementation Guidance does not prescribe the only approach, but highlights one or more approaches that would be effective in achieving compliance with the standard. Because Implementation Guidance only provides examples, entities may choose alternative approaches that better fit their individual situations.

13

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Documented Plan

• Identify data communications paths to be protected (implied requirement)– Real-time Assessment data– Real-time monitoring data– Identify applied security protection for each path

• If path is to another entity, identify responsibilities for each path– Implementation– Maintenance – Key Management– Etc..

• Data centric approach– Identification of applicable data and applied security protection(s) afforded

14

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Applied Security Protections

• Identification of applied security protections– Physical

• Physical security measures in place protecting the communication link • Applicable Control Center Diagrams (floor plan)

– Confirmed through visual inspection– Labels

• CIP-006-6 R1.10 does not apply

– Logical• Security control monitoring, using an automated monitoring tool to generate reports on the encryption service used to

protect a communications link• Export of device configuration• Control Center Diagrams

• Identification responsibilities when the Control Centers are owned or operated by different Responsible Entities– If only manage one end of a communication link, an entity is not responsible for identifying applied security protection for

neighboring entity whom exchanging data with. – Joint procedure, a memorandum of understanding or meeting minutes between the two parties where responsibilities are

defined. – If responsible for both ends of communication link, must identify where security protection is applied at both ends of the link.

15

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Application of Security

• Locations of applied security protection

– Impact levels of the Control Center

– Different technologies

– Infrastructures

• Does not add additional assets to the scope of the CIP Reliability Standards.

16

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Reference Model of PCC and BCC

17

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Figure 2

18

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Application Server

OperatorWorkstations

Database Server

ICCP Server

ESP Firewall

Entity Alpha’s Primary Control Center

Application Server

OperatorWorkstations

Database Server

ICCP Server

ESP Firewall

Entity Alpha’s Backup Control Center

Application Server

OperatorWorkstations

Database Server

ICCP Server

ESP Firewall

Entity Beta’s Control Center

Communications Carrier

WAN Router WAN Router

WAN Router

Entity Alpha’s CIP-012 security protection applied at the external interface of

the WAN router

Entity Alpha’s CIP-012 security protection applied at the external interface of

the WAN router

Entity Beta’s CIP-012 security protection applied at the external interface of

the WAN router

Figure 3

19

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Application Server

OperatorWorkstations

Database Server

ICCP Server

ESP Firewall

Entity Alpha’s Primary Control Center

Application Server

OperatorWorkstations

Database Server

ICCP Server

ESP Firewall

Entity Alpha’s Backup Control Center

Application Server

OperatorWorkstations

Database Server

ICCP Server

ESP Firewall

Entity Beta’s Control Center

Communications Carrier

WAN Router WAN Router

WAN Router

Entity Alpha’s CIP-012 physical security

protection applied

Entity Beta’s CIP-012 security protection

applied

Telco Demarcation

Point

Telco Demarcation

Point

Physically secured areaPhysically secured area

Encrypted Communications

Entity Alpha’s CIP-012 logical security

protection applied

Entity Alpha’s CIP-012 physical security

protection applied

Entity Alpha’s CIP-012 logical security

protection applied

Security and ResiliencyCIP-012-1 and TOP-001-4

• CIP-012-1

– Addresses the data transfer paths between specified Control Centers and the security of the data exchanged across those paths.

• TOP-001-4

– Addresses the physical components of redundant and diversely routed data exchange infrastructure.

• WECC will discuss further with ERO Enterprise as a whole and ensure that all of the regions have a consistent approach.

20

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Stay Engaged

• WECC encourages all Responsible Entities who own or operate an applicable Control Center to comment on Draft 3.

• Although the final version of CIP-012-1 is yet to be approved by both the NERC Board of Trustees and FERC, entities may choose to begin preparations based on the Draft 3 Requirement R1.

21

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Questions and Contact Information

Morgan King(801)819-7675 – Office

(801)608-6652 – Cell

mking@wecc.biz

22

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

References

• Slide 4: NERC, 2018 Jan 31, Glossary of Terms - http://www.nerc.com/files/glossary_of_terms.pdf• Slide 5: (NERC, 2017 Aug 11, Technical Rationale for CIP-012-1, p. 5) -

http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/2016-02_Technical_Rationale_and_Justification_CIP-012-1_08142017.pdf

• Slide 7: NERC, Control Center Modifications - http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx

• Slide 9: NERC, CIP-012-1 Draft 3 -http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-012-1_Standard_Clean_03162018.pdf

• Slide 14: NERC, CIP-012-1 Technical Rational -http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-012-1_Technical_Rationale_Clean_03162018.pdf

• Slide 15: NERC, CIP-012-1 Implementation Guidance -http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-012-1_Implementation_Guidance_clean_03162018.pdf

• Slide 21: NERC, TOP-001-4 - http://www.nerc.com/pa/Stand/Reliability Standards/TOP-001-4.pdf• Slide 24: WECC, Phil O'Donnell TOP-001-4 - https://www.wecc.biz/Administrative/15 2017-11-16 TOP-001-4 Changes

from Version 3.O'Donnell.pdf

23

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L