TRANSCRIPT
CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A Mock Audit
Salt Lake City, UT, September 10, 2015
Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council
Speaker Intro: Dr. Joseph Baugh
• 40+ years Electrical Utility Experience
– Senior Compliance Auditor, Cyber Security
– IT Manager & Power Trading/Scheduling Manager
– IT Program Manager & Project Manager
– PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs
– NERC Certified System Operator
– Barehand Qualified Transmission Lineman
• 20 years of Educational Experience
– Degrees earned: Ph.D., MBA, BS-Computer Science
– Academic & Technical Course Teaching Experience
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• Business Strategy, Leadership, and Management
• Information Technology and IT Security
• Project Management
September 10, 2015 Western Electricity Coordinating Council
WECC CIP-101 Disclaimer
• The WECC Cyber Security team has created a mythical Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the WECC CIP audit processes.
• Any resemblance of BILL to any actual Registered Entity is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual CIP Compliance audit.
Agenda
• Review CIP-002-5.1 Team audit approach
• CIP-002-5.1 Mock Audit Overview
• The BILL Mock Audit
• Questions
CIP-002-5.1 Audit Overview
• CIP-002-5.1 is the first step on the CIP Compliance trail
• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1.
• CIP-002-5.1 replaces LSE with the DP function; the TSP function drops out.
• Some entities may find they are only required to be compliant with CIP-002-5.1 R1-R2 & CIP-003-6 R2-R4.
– Typically requires a reduced scope audit that will be conducted at WECC offices or other locations, as necessary.
– True if IRC application generates null R1.1 & R1.2 lists.
– Must also provide a valid R1.3 list of Low Impact BES Assets.
– Follow Low Impact BCS Requirements discussed in CIP-003-6 R2.
[Figure: R1.1 - R1.2 process. Inputs: list of High & Medium BES assets; list of Low Impact BES assets. Process: identify BCS. Outputs: R1.1 and R1.2 lists; R1.3 list.]
CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
[Figure: R1 process. Input: inventory of BES Assets. Process: R1. Output: lists of High, Medium, & Low BES assets.]
CIP-002-5.1 Requirements: R2
• Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1]
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3, R4) must approve the initial lists [R2.2] and at least once every 15 months thereafter:
– The R1.1, R1.2, and R1.3 lists
– Include signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above.
– Electronic or physical approvals accepted
[Figure: R2 review & approval process. Inputs: R1.1, R1.2, R1.3 lists. Outputs: signed and dated records.]
CIP-002-5.1: Direction
• CIP-002-5 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) lists for immediate CIPv5 compliance efforts.
• Compliance date for Low impact BES Assets is April 1, 2017.
– Specific Low impact control modifications are pending approval by FERC [See CIP-003-6 R2]
– Don't ignore, but don't prioritize for now.
BILL Documents Option 3
WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all entities.
• Use the RSAW supplied by the entity as initial working papers to document the audit and findings.
• Review the Initial Evidence package supplied by the entity in response to Attachment G:
– One-line diagrams (we'll see the BILL one-line later)
– Specific CIP-002-5.1 evidentiary documents
CIP-002-5.1 Audit Team Approach
• Audit to the Standard.
• Review the Evidence:
– Inventory of BES Assets
– One-line diagrams
– Application of the IRC
– R1.1, R1.2, R1.3 lists
– R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)
• DR for additional information, as needed.
• Complete the RSAW
• Develop the Audit Report
[Figure: CIP-002-5.1 process flowchart]
• Optional: apply the BES Definition to the inventory of BES assets. Begin the CIP-002-5.1 process with the inventory of BES assets.
• Apply the IRC to the inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi].
• Are any BES assets rated as High or Medium? No: place all Low BES assets on the R1.3 list. Yes: evaluate High & Medium BES assets for all applicable BCS.
• Use the inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset.
• Add BCS to the appropriate list: R1.1 for High Impact BCS, R1.2 for Medium Impact BCS.
• Validate the list of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset.
• Are there more High or Medium BES assets? Yes: continue BCS evaluations. No: continue to R2.
• R2.1: Review the R1.1, R1.2, & R1.3 lists after the initial identification and at least once every 15 calendar months thereafter.
• R2.2: CIP Senior Manager or delegate approves the lists after the initial identification and at least once every 15 calendar months thereafter.
• Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable.
WECC Audit Team Approach
• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low Impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-lines and BES Asset inventory
• If full Compliance audit:
– Hold interviews with the entity's CIP SMEs
– Perform site visits (Trust, but Verify)
• Validate annual approval documentation [R2]
• Submit Data Requests [DR], as needed, to clarify compliance
• Determine findings (NF, PV, or OEA)
• Discuss findings with entire Cyber Security Team
• Complete RSAW
• Prepare CIP audit report (ATL & CPC)
Attachment G*: CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
– [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
– [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
– [R1.3]: A list of identified Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.
* The 2015 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.
WECC Audit Team Approach
• Submit Data Requests [DRs] for any additional information beyond the Attachment G submission that will support the entity's compliance efforts, e.g.:
– Prior documentation to provide bookends
– Address any questions or concerns
CIP-101 Mock Audit Overview
• BILL declared Option 3 of the NERC CIPv5 Transition Guidance (NERC, 2014 Aug 12, p. 5).
• BILL compared its inventory of BES Assets against the current definition of Bulk Electric System (NERC, 2014 Sept 17, Glossary of Terms, pp. 18-21; NERC, 2014 April, BES Definition Guidance Document, v2).
• BILL identified and documented lists of High and Medium Impact BCS and a list of Low Impact BES Assets through an application of the Impact Rating Criteria [IRC] (NERC, 2013 Nov 22, CIP-002-5.1: Attachment 1, pp. 14-16).
• BILL requires a full Compliance audit on CIP-002-5.1 through CIP-011-2
– First week: Discovery phase at WECC offices
– Second week: Compliance audit at BILL office
CIP-101 Mock Audit Overview
• This session covers a mock audit of CIP-002-5.1 only
• The mock audit squeezes 2 weeks of audit activities into a few hours.
– Sample DRs
– Mock Interview
– Site Visits
– Use the RSAW as the guiding document
– Present and review evidence for each requirement
– What do YOU think is the appropriate finding for each requirement?
CIP-101 Mock Audit
• Walk through audit process in more detail
• Explain the differences between a reduced scope off-site audit and a full Compliance audit
• The Mock Audit simulates a Compliance audit of Billiam Power Company [BILL]
• BILL is registered with NERC as a BA, DP, GO, GOP, LSE, TO, TOP, TP, and TSP.
• For the CIP audit, the BA, DP, GO, GOP, TO, and TOP functions are in scope.
Review Initial Evidence
• Received from the entity in the initial evidence package
• Responses to data requests in Attachment G
• Information contained in entity response to the RSAWs
• Sets the stage for the initial audit review
– Discovery phase at the WECC offices
• Followed up by additional Data Requests as needed
The BILL System*
• Billiam Power Company's (hereafter referred to by its NERC acronym, BILL) Balancing Authority (BA) area is effectively within the boundaries of the three counties on the western edge of Some State, bordered by Another State on the north and the Almost Mountains on the East and South. These three counties occupy about 15% of the land area of the state and contain about 20% of the state's population.
• BILL is registered as a BA, DP, GO, GOP, LSE, TO, TOP, TP, TSP
The BILL System (Generation)
• BILL's primary generation station is located in eastern Whatchamacallit County. The BILL generation station has two 1,000 MW fossil fuel generating units. The output of these units supports BILL's native load and any available excess energy is marketed throughout the WECC Interconnection.
• BILL owns and operates nine Combustion Turbines (averaging 30 MW each) located near various consumer load centers throughout the service territory. These CTs are primarily used as peaking units and for voltage and frequency support during the summer months.
The BILL System (Generation)
• BILL also owns and operates the BILL-3 Hydroelectric plant on the Sweet William River. BILL-3 has a nameplate rating of 100 MW. This hydro unit is Blackstart capable and is connected to the BILL Generation Station through a dedicated 115 kV line that runs 87 miles from Sub3 to Sub1.
• Total BILL generation capacity is 2,380 MW.
The BILL System (Transmission)
• There are two synchronous 345 kV interties with adjacent BAs that define the BILL BA area. These ties are with XXXX Electrical Utility and YYYY Federal Power District at Sub1, which is adjacent to the BILL Generation Station.
• The BES portion of BILL's BA area, its 345 kV, 230 kV, and 115 kV facilities, includes 190 miles of 345 kV transmission lines, 450 miles of 230 kV lines, and 973 miles of 115 kV lines.
• BILL owns and operates two 345 kV substations, 25 230 kV substations, and 52 115 kV substations throughout its service territory. BILL serves its native residential and commercial load through its 115 kV and 230 kV transmission facilities.
The BILL System (Control Centers)
• BILL's Generation and Transmission Facilities are monitored and operated from the Primary Control Center (PCC) located at the corporate headquarters in Big Bill City. BILL also maintains a hot stand-by Back-up Control Center (BUCC) located in its operations center in Little Bill City, which is approximately 50 miles from the PCC.
• BILL is a summer peaking BA and BILL's BA all-time area peak load was recorded on July 20, 2010 at 2,482 MW.
BILL One-Line Diagram
BILL's BES Asset Identification
• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC
– Starts with an overall Inventory of entity BES assets.
– Did the entity use the new BES Definition to exclude any BES Assets?
• If so, review and validate those exclusions
– Use the IRC to identify and document the R1.x lists
High IRC (Control Centers)
Medium IRC (Control Centers)
Low IRC (Control Centers)
R1.i: Example of Auditable Process
BILL's BES Asset Identification
• Were applicable BES assets evaluated relative to IRC criteria 2.3, 2.6, or 2.8?
• Did BILL demonstrate coordination with the applicable registered function(s)?
– If not, should we submit a data request?
Medium IRC (Transmission)
Medium / Low IRC (Transmission)
R1.ii: Example of Auditable Process
Medium IRC (Generation)
Medium / Low IRC (Generation)
R1.iii-iv: Example of Auditable Process
Medium IRC (Protection Systems)
Low IRC (Protection Systems)
R1.v-vi: Example of Auditable Process
List of High & Medium BES assets
• Review the list of High BES assets
• Review the list of Medium BES assets
• Compare both lists to the lists developed for:
– R1.1: High impact BCS
– R1.2: Medium impact BCS
Compare 2013 List of Critical Assets
• For the next several years, CIP Auditors will be comparing the results of the application of the IRC to identify High and Medium BCS (primarily the BES assets containing such BCS) to the prior CIP-002-3 lists of Critical Assets and lists of Critical Cyber Assets, and evaluating any significant differences.
• This may not generate a PV, but it is guaranteed to generate discussions.
List of Low Impact BES Assets
• Review the list of Low Impact BES Assets.
• Correlate this list against the entity's inventory of BES Assets and the list of High and Medium BCS locations.
BILL BES Assets: 2013 Control Centers
BILL BES Assets: 2014 Control Centers
BILL BES Assets: 2013 Substations
BILL BES Assets: 2014 Substations
BILL BES Assets: 2013 Generation
BILL BES Assets: 2014 Generation
BILL BES Assets: 2013 Special Systems
BILL BES Assets: 2014 Special Systems
Validate BES Asset Lists
• Review and compare the prior lists of CIP-002-3 R2 Critical Assets to the current lists of High and Medium BES Assets
• Did the results seem reasonable?
• Did the entity opt to reduce its number of Transmission Assets through the application of the BES Definition?
• If so, did the entity provide valid rationale for all exclusions?
• Do the Transmission BES Medium Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?
BILL BES Assets: 2013 Critical Assets
BILL BES Assets: 2014 High & Medium BES Assets
2013 Critical Assets vs. 2014 High & Medium BES Assets – Net Changes
• Control Centers (High BCS)
– Both Control Centers move from CA list to High BES asset list
• Substations (Medium BCS)
– Subs 1 and 2 move from CA list to Medium BES asset list
– Add 4 (Subs 4, 7, 8, 11) to Medium BES asset list
– 1 (Sub 3, Blackstart Cranking Path) moves to Low BES asset
– Other Transmission subs become Low BES Assets
• Generation Units (Medium and/or Low BCS)
– Big Bill Station is a Medium BES asset
– Blackstart unit becomes Low BES asset
– Combustion turbines become Low BES assets
• Special Protection Systems (BCS Not Applicable)
– No change
R1: BES Asset Lists Review Questions
• Did BILL apply the IRC appropriately?
• Does BILL need to confer with its RC, PA, or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8?
• Application Questions
– Did BILL consider all BES asset types in R1.i through R1.vi?
– Did BILL review and evaluate all BES Assets through the IRC?
– Did BILL clearly identify and document all BES assets in the appropriate impact rating?
• Is any additional information necessary before we look at the BCS groupings?
– If so, do we submit a DR?
Mapping V3 CA & CCA to V5 BCS
• High Impact BCS (IRC 1.1 − 1.4)
– Large Control Centers
• Medium Impact BCS (IRC 2.1 − 2.13)
– Control Centers
– Generation Facilities
– Transmission Facilities
• Low Impact BCS (IRC 3.1 − 3.6)
– All other BES Assets
– Applicable DP Assets (Sect. 4.2.1)
– Must implement one or more CIP-003-6 policies to address:
• Cyber Security Awareness
• Physical Security Controls
• Electronic Access Controls
• Cyber Security Incident Response
[Figure: mapping of V3 BES Assets & Cyber Assets (Critical Assets & Critical Cyber Assets; Non-Critical Assets & Non-Critical Cyber Assets) to BES Assets, and from BES Assets to V5 BCS.]
Identifying High and Medium BCS
• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
– 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
R1: Identify and Document BCS
• Add Low-impact BES assets to the R1.3 list
• Use lists of High- & Medium-impact BES assets
• Identify BCA associated with each BES Asset.
• Logically group BCA into BCS.
• Document BCS on R1.1 or R1.2 list, as appropriate.
[Figure: R1.1 - R1.2 process. Inputs: list of High & Medium BES assets; list of Low Impact BES assets. Process: identify BCS. Outputs: R1.1 and R1.2 lists; R1.3 list.]
Identifying BES Cyber Assets [BCA]
• Identify all Cyber Assets at the BES Asset
– Consider all Programmable Electronic Devices [PED]
– Apply the definition of the BCA
• Group BCA into BCS
[Figure: BCA identification flowchart]
• For each High or Medium BES Asset, identify each Cyber Asset at the BES Asset.
• Is it an EMS/SCADA, transmission protection or generation control system? Yes: add the BCA to the list for grouping into BCS. No: ask whether it would have an adverse impact within 15 minutes.
• Adverse impact within 15 minutes? Yes: add the BCA to the list for grouping into BCS. No: identify as non-BCA.
• Are there more Cyber Assets at the BES Asset? Yes: repeat for the next Cyber Asset. No: group BCA into BCS.
Consider Real-Time Operations
• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).
• The 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791, P. 123, p. 72771).
BCA Identification Lesson Learned: Examples of BCA (in Progress)
• Digital relays
• Remote Terminal Units (RTUs)
• Phasor measurement units (PMUs)
• Phasor data concentrators (PDCs)
• Programmable automation controllers (PAC), Programmable Logic Controllers (PLC)
• Communications processors
• Servers (application, database, etc.) and workstations (e.g., HMIs)
• Local Area Network (LAN) switches
BCA Identification Lesson Learned: Examples of non-BCA (in Progress)
• A solid state relay that allows the user to set when the relay will operate but not how the relay operates.
• A HART (Highway Addressable Remote Transmitter) compatible smart pressure transmitter
• A HART compatible smart actuator for a final control element, such as a control valve or damper
• A handheld HART configurator (the 30 day connection exclusion normally applies to these devices)
• Output only/sealed devices
• Media converters and Remote I/O modules (e.g., copper to fiber converter)
What about Tie-line Meters?
• A very hot topic currently being discussed by WECC with NERC and the other regions.
• Also known as Interchange meters
• Distinct from Revenue meters
• Identified as essential to the reliability of the BES with real-time impact (<= 6 second polling interval) under the BAL-005-0.2b Standard [e.g., R8, R12].
• Support the BROS (e.g., Balancing Load and Generation; Managing Constraints; Inter-Entity Coordination)
What about Tie-line Meters?
• In the absence of guidance to the contrary from NERC &/or FERC, WECC's position is that a prudent entity will identify tie-line and interchange meters as BCA at the host Facility, group them into BCS, and afford them the full protections of the CIP v5 Standards, Requirements, and Parts, as applicable.
• See also FAQ #77 (NERC, 2015 April 1, Frequently Asked Questions: CIP Version 5 Standards, pp. 5-6).
Consider Ancillary Cyber Assets
• Protected Cyber Assets [PCA]
– Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
– May also be lower impact BCS by virtue of the high-water mark (CIP-005-5, p. 14)
• Electronic Access Control or Monitoring Systems [EACMS]
– Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)
• Physical Access Control Systems [PACS]
– Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6).
Grouping BCA into BCS
• Entity determines level of granularity of a BCS
– There may be one or more BCA within a given BCS
– Consider the BROS for your registrations
• "In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the 'BES Cyber System' term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term 'BES Cyber System' is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts" (CIP-002-5.1, 2013, p. 4)
R1.1-R1.2: Identifying BCS
• Develop an auditable process to examine each High and Medium impact Facility
• Examine inventory of BCA at each Facility
• Consider reliability functions
• Group BCA into logical BCS
• Identify PCA, EACMS, and PACS
Process to Identify BCS
CIP-002-5 requires the identification of High & Medium impact BCS, but it may be a good idea to consider & identify the different types of BCS (CIP-005-5, pp. 4-5) and associated Cyber Assets (CIP-002-5, p. 6) at this point to facilitate later determinations in the Applicability Matrices of other CIP standards:
• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS with External Routable Connectivity
• PCA
• EACM
• PACS
[Figure: BCS identification flowchart]
• Use the inventory of BES Cyber Assets at the High- or Medium-impact Facility to identify and list R1.1 and R1.2 BES Cyber Systems (BCS) at each such facility.
• Validate the list of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the Facility.
• Are there more High or Medium Facilities? Yes: repeat for the next Facility. No: the BCS identification is complete.
Consider Reliable Operation of the BES
• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity's responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).
• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).
Grouping BCA into BCS Lesson Learned (In Progress): Grouping by Function
Grouping BCA into BCS Lesson Learned (In Progress): Grouping across Substations
Grouping BCA into BCS Lesson Learned (In Progress): Grouping by Function and Location
Grouping BCA into BCS Lesson Learned (In Progress): Grouping by Location
Grouping BCA into BCS Lesson Learned (In Progress): Grouping by Connectivity
Examples of BCS
[Figure: example BCS groupings labelled EMS BCS, Generation BCS, and Transmission BCS.]
Examples of BCA Groupings: BA/TOP
• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)
Examples of BCA Groupings: BA/TOP
Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg
[Figure: control center network diagram with devices labelled High BCS, PCA, and Low or No BCS, and an ESP boundary.]
Examples of BCA Groupings: BA/TOP
• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems
Examples of BCA Groupings: TO/TOP
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from http://publicintelligence.net/scada-a-deeper-look/
[Figure: SCADA architecture diagram with groupings labelled SCADA Component BCS, EMS BCS, RTU BCS, and Protective Relay BCS.]
Examples of BCA Groupings: GO/GOP
• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)
Examples of BCA Groupings: GO/GOP
Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf
[Figure: plant control system diagram with groupings labelled Medium BCS, PCA, and Low BCS.]
Consider BCS Types
• High Impact BCS,
• High Impact BCS w/ Dial-up Connectivity,
• High Impact BCS w/ External Routable Connectivity,
• Medium Impact BCS,
• Medium Impact BCS at Control Centers,
• Medium Impact BCS w/ Dial-up Connectivity,
• Medium Impact BCS w/ External Routable Connectivity,
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)
Medium BCS Example
• Keep in mind, all Requirements applicable to Medium BCS also apply to:
– Medium BCS at Control Centers,
– Medium BCS with ERC
– Medium BCS with Dialup Connectivity
[Figure: Requirements Applicable to Medium BCS; Requirements Applicable to Medium BCS at Control Centers; Requirements Applicable to Medium BCS with Dialup Connectivity; Requirements Applicable to Medium BCS with ERC.]
BILL's BCS Identification
• The next step in a CIP-002-5.1 audit is to review the entity's development of the R1.1 through R1.3 lists.
• Starts with the identified lists of High and Medium impact BES assets.
• Uses the inventory of BES Cyber Assets at each such BES asset to identify and document a list of High and Medium BCS, even if such lists are null.
• Good idea to start with any existing lists of CCAs at applicable CIPv3 Critical Assets.
2014 BCS: Primary Control Center
2013 CCAs: Backup Control Center
2013 CCAs: SUB1
2012 Null Lists CCAs: Generation & Subs
2013 Null Lists CCAs: Generation & Subs
Identifying BES Cyber Assets
• Identify if the Cyber Asset meets the definition of BCA
• Check for length of installation
• If < 30 days, determine if the Cyber Asset is a transient device.
• Group into logical BCS with associated PCA
R1.1: Example of Auditable Process
R1.3: Example of Auditable Process
• Any BES Asset (i.e. Facility) not rated as High or Medium defaults to a Low Impact rating and should be placed on the R1.3 list
• BCS associated with a Low impact BES Asset also become Low impact BCS.
• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3.
• Comply with CIP-003-6 R2 for specific technical controls
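An added example, not WECC's code or BILL's evidence: a Python sketch that walks a constructed Cyber Asset inventory through the BCA identification steps above and the R1.3 default, producing the R1.1, R1.2 and R1.3 lists an auditor reviews. The facility ratings, device names and the "meets BCA definition" flag are constructed assumptions, and a device installed under 30 days is only flagged for transient-device review rather than decided here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: impact rating of each BES asset from the earlier R1 steps.
# None means the asset was rated neither High nor Medium, so R1.3 defaults it to Low.
FACILITY_IMPACT = {"PCC": "High", "SUB1": "Medium", "SUB26": None, "SUB53": None}

@dataclass
class CyberAsset:
    name: str
    facility: str               # BES asset where the device is installed
    days_installed: int
    meets_bca_definition: bool  # outcome of the BCA definition test (assumed flag)
    in_esp_with_bcs: bool       # shares an ESP with a BCS, so it is a PCA candidate
    group: str                  # logical BCS the device is grouped into, e.g. "EMS"

def classify(asset):
    """Slide steps 1-3: BCA definition test, installation length, transient check."""
    if asset.days_installed < 30:
        return "REVIEW_TRANSIENT"  # decide separately whether it is a transient device
    if asset.meets_bca_definition:
        return "BCA"
    if asset.in_esp_with_bcs:
        return "PCA"
    return "NOT_IN_SCOPE"

def build_r1_lists(assets):
    """Group BCAs into BCS per facility and rate each BCS by its facility's impact."""
    systems = defaultdict(lambda: {"BCA": [], "PCA": [], "review": []})
    for a in assets:
        bucket = {"BCA": "BCA", "PCA": "PCA", "REVIEW_TRANSIENT": "review"}.get(classify(a))
        if bucket:
            systems[(a.facility, a.group)][bucket].append(a.name)
    lists = {"R1.1": [], "R1.2": [], "R1.3": []}
    for (facility, group), parts in systems.items():
        impact = FACILITY_IMPACT.get(facility)
        if parts["BCA"] and impact in ("High", "Medium"):  # no BCA means no BCS to list
            lists["R1.1" if impact == "High" else "R1.2"].append(
                {"facility": facility, "bcs": group, **parts})
    # R1.3: list the Low-impact BES assets themselves; their BCS need not be enumerated.
    lists["R1.3"] = [f for f, i in FACILITY_IMPACT.items() if i not in ("High", "Medium")]
    return lists

INVENTORY = [  # constructed inventory, not BILL's evidence
    CyberAsset("ems-srv-01", "PCC", 900, True, True, "EMS"),
    CyberAsset("ems-hmi-02", "PCC", 900, False, True, "EMS"),
    CyberAsset("sub1-rtu", "SUB1", 400, True, True, "SUB1-RTU"),
    CyberAsset("vendor-laptop", "SUB1", 5, False, True, "SUB1-RTU"),
    CyberAsset("sub26-relay", "SUB26", 1200, True, False, "SUB26-PROT"),
]
```

Running `build_r1_lists(INVENTORY)` puts the EMS group on the R1.1 list with its PCA, the SUB1 RTU group on the R1.2 list with the short-lived laptop held for transient review, and SUB26 and SUB53 on the R1.3 list by asset only.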
BILL’s Review & Approval Process
• The next step in a CIP-002-5.1 audit is to review the identifications of the lists created in R1, even if such lists are null.
  – R1.1 list of High BCS
  – R1.2 list of Medium BCS
  – R1.3 list of Low-impact BES assets
• Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists.
[Figure: R2 Review & Approval Process flow; inputs: R1.1, R1.2, R1.3 lists; outputs: signed and dated records]
R2: Annual Approval Review Questions
• Did BILL review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?
• Did BILL update the lists, as necessary?
• Did the BILL CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?
• Application Questions
  – Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DRs necessary?
  – If so, what additional information is required?
On-Site Activities: The Interview
• Set up through an interview DR the prior week
• Typically held on Monday of the on-site week immediately after the opening presentation
• Examines the entity’s understanding of and approach to R1 and R2
• Cover any areas of concern raised through the initial evidence review
• Schedule follow-up interview(s), if needed, after the site visits
On-site Activities: Mock Interview
• Need four volunteers
  – You are BILL SMEs
  – No, you don’t get to practice
• We will ask a series of questions that we generally ask all CIP-002 SMEs
• Also ask questions of concern, if indicated by the initial review of the evidence
• The Interview Question Set
On-site Activities: Mock Interview
• What did we learn from the interview?
• What was the key issue from an audit perspective?
• Should we find a PV for this issue?
• Why or why not?
On-Site Activities: Site Visit
• Set up through a site visit DR the prior week
• Itinerary determined through review of the initial evidence
• Trust, but verify. Why?
• Depending on entity size, this may involve 100% validation or a statistical sampling:
• Where?
  – Control Centers
  – Generation Facilities
  – Transmission Facilities
• What?
  – High and Medium BCS
  – A judgmental sampling of Low Impact BES Assets
On-Site Activities: Site Visit
• Who?
  – CIP-002-5.1 Sub-Team
    • Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL
    • Works in conjunction with CIP-005 sub-team
  – CIP-005-5 Sub-Team
    • Validates Electronic Access Points [EAPs] and Electronic Access Control and Monitoring devices [EACMs].
    • Confirms ESP boundaries
  – CIP-006-5 Sub-Team
    • Validates PSPs and Physical Access Controls, such as PACS, cameras, logs, etc.
    • My colleague provided an overview on CIP-006 audit activities earlier.
On-Site Activities: CIP-002-5.1 Site Visit
• What?
  – Validate lists of BCS
  – Validate null lists of BCS (if applicable)
  – Look for aberrations from the lists
  – Hold informal interviews with entity SMEs
• When?
  – Visit remote sites during the off-site audit week.
  – Most Control Centers on Tuesday of the on-site audit week
  – May extend to Wednesday depending on number of sites visited, distances traveled, resource constraints, etc.
On-Site Activities: BILL Site Visits
• Visit the Primary and Backup Control Centers
  – 100% validation of High BCS, PCA, etc. in both locations
  – Talk to Operators & SMEs
• Visit the BILL Generation Station, the Hydro Blackstart Facility, and a sampling of the CT units.
• Visit SUB1, SUB2, SUB3, SUB11
  – Validate the Medium BCS, PCA, etc.
  – Talk with entity SMEs
• Visit a sampling of Low-impact BES assets (SUB26, SUB53)
  – Validate presence of Low BCS,
  – Review CIP-003-6 R2 controls.
• Site Visit Questions
  – Why validate the BCS at a given site?
  – Why ask questions of entity SMEs?
  – What do the auditors expect to find?
BILL Site Visits: Control Centers
• Visited the Primary Control Center
  – 100% validation of High BCS
  – Found nothing out of the ordinary.
• Visited the Backup Control Center
  – 100% validation of High BCS
  – Found nothing out of the ordinary.
Site Visits: Generation Units
• Visited BILL Generation Station
  – Validated Medium BCS and Low BCS
  – Found nothing out of the ordinary.
Site Visits: Substations
• Visited Sub 1
  – 100% validation of Medium BCS
  – Found nothing out of the ordinary.
• Visited Subs 2, 4, 7, 8, & 11
  – Validated Medium BCS.
  – Noticed something strange here.
Site Visits: What Did We See?
What is this device and what is it doing here in the subs?
On-Site Activities: Site Visit
• What did we learn from the site visit?
• Tour Notes DR
• Why do we validate Low-impact BES Assets?
• What was the main concern with the unexpected devices?
• Should we DR for additional information?
• Would another interview be more effective?
• Does this situation call for a PV?
• Why or why not?
Discussing the Findings
• Discuss with whole Cyber Security Team
• Is there a PV for the undocumented devices?
  – R1.2: Undeclared Medium BCS?
    • BCA at the Combustion Turbines
    • Does the entity have documentation from its TP or PA/PC that exempts the CTs from Criterion 2.3?
  – R1.2: Incorrect identification of Medium BCS w/ Dial-up Connectivity?
    • The Substation Modems
• Determine the scope of a potential PV
  – How do we do this?
• Complete the CIP-002-5.1 Findings Table in RSAW
• Submit to the ATL and CPC for the Closeout Presentation
Value-Added Activity: Feedback
• WECC Audit Teams never Prescribe Solutions, but we do describe:
  – Brief entities on findings
  – Encourage good security practices
  – Discuss examples of industry best practices
  – Identify areas of concern, which may not be violations, but which could stand improvements
  – Provide suggestions, when appropriate
• Support development of a sustainable compliance culture
Audit Documentation: The RSAW
• An auditor is judged by the quality of his or her working papers.
  – Complete the RSAW
  – Review evidence and notes for final determinations
  – DR for any final needed information
  – Document Findings
Audit Documentation
• Auditors review evidence, find facts, and report findings
  – Turn PVs over to the Enforcement team
  – Enforcement team depends heavily on the quality of auditor documentation
• Be Literate, be Concise, but above all else, Be Accurate.
• If it’s not written down, it didn’t happen.
Post-Audit Auditor Activities
• The Audit Report
  – Work with ATL & CPC
  – Verify findings and other information related to audited standard(s)
• Document findings in webCDMS
  – PV & OEA findings only
• Work with WECC Enforcement personnel to support Investigations as SME for audit processes and findings
Post-Audit Auditor Activities
• Participate in entity Outreach activities, such as this event and CIPUG meetings
• Be available and responsive to address entity questions/comments
• Work at National level
  – CCWG
  – Drafting teams
  – Comment on new Standards, CANs, etc.
  – Attend and present at Conferences
  – CIPv5 Pilot Study
Summary
• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid report
• Be available to CIP personnel at the entities
• Work at National level
Remember the Auditor’s Mission
Just the facts, Ma’am, Just the facts!
References
• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf
• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf
Speaker Contact Information
Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320, Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351 (O) 801.734.8357