CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A Mock Audit. Salt Lake City UT, September 10, 2015. Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM, Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council


Page 1

CIP v5 Advanced Workshop
From CIP-002-3 to CIP-002-5.1: A Mock Audit

Salt Lake City UT
September 10, 2015

Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security
Western Electricity Coordinating Council

   

Page 2

Speaker Intro: Dr. Joseph Baugh

• 40+ years Electrical Utility Experience
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• 20 years of Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Academic & Technical Course Teaching Experience
    • PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
    • Business Strategy, Leadership, and Management
    • Information Technology and IT Security
    • Project Management

September 10, 2015   Western Electricity Coordinating Council

Page 3

WECC CIP-101 Disclaimer

• The WECC Cyber Security team has created a mythical Registered Entity, Billiam Power Company (BILL) and fabricated evidence to illustrate key points in the WECC CIP audit processes.
• Any resemblance of BILL to any actual Registered Entity is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual CIP Compliance audit.

Page 4

Agenda

• Review CIP-002-5.1 Team audit approach
• CIP-002-5.1 Mock Audit Overview
• The BILL Mock Audit
• Questions

Page 5

CIP-002-5.1 Audit Overview

• CIP-002-5.1 is the first step on CIP Compliance trail
• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1.
• CIP-002-5.1 replaces LSE with the DP function, TSP function drops out.
• Some entities may find they are only required to be compliant with CIP-002-5.1 R1-R2 & CIP-003-6 R2-R4.
  – Typically requires a reduced scope audit that will be conducted at WECC offices or other locations, as necessary.
  – True if IRC application generates Null R1.1 & R1.2 lists.
  – Must also provide a valid R1.3 list of Low Impact BES Assets.
  – Follow Low Impact BCS Requirements discussed in CIP-003-6 R2.

Page 6

CIP-002-5.1: R1

• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:

[Diagram: Inputs: Inventory of BES Assets → R1 Process → Outputs: List of High, Medium, & Low Assets]

[Diagram: Inputs: List of High & Medium Assets → R1.1 - R1.2 Process: Identify BCS → Outputs: R1.1, R1.2 Lists. Input: List of Low Impact Assets → R1.3 List]

Page 7

CIP-002-5.1 Requirements: R2

• Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1]
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3, R4) must approve the initial lists [R2.2] and at least once every 15 months, thereafter:
  – The R1.1, R1.2, and R1.3 lists
  – Include signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above.
  – Electronic or physical approvals accepted

[Diagram: Inputs: R1.1, R1.2, R1.3 Lists → R2 Review & Approval Process → Outputs: Signed and Dated Records]

Page 8

CIP-002-5.1: Direction

• CIP-002-5 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) lists for immediate CIPv5 compliance efforts.
• Compliance date for Low impact BES Assets on April 1, 2017.
  – Specific Low impact control modifications are pending approval by FERC [See CIP-003-6 R2]
  – Don’t ignore, but don’t prioritize for now.

Page 9

BILL Documents Option 3

Page 10

WECC Audit Team Approach

• Use a methodical approach to deliver consistent results across all entities.
• Use the RSAW supplied by the entity as initial working papers to document the audit and findings.
• Review Initial Evidence package supplied by the entity in response to Attachment G:
  – One-line diagrams (we’ll see the BILL one-line later)
  – Specific CIP-002-5.1 evidentiary documents

Page 11

CIP-002-5.1 Audit Team Approach

• Audit to the Standard.
• Review the Evidence:
  – Inventory of BES Assets
  – One line diagrams
  – Application of the IRC
  – R1.1, R1.2, R1.3 lists.
  – R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)
• DR for additional information, as needed.
• Complete the RSAW
• Develop the Audit Report

[Flowchart, text recovered from the slide graphic:]

• Optional: Apply BES Definition to inventory of BES assets. Begin CIP-002-5.1 Process w/ inventory of BES Assets.
• Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi]
• Are any BES assets rated as High or Medium?
  – Yes (Evaluate High & Medium BES assets for all applicable BCS)
  – No (Place all Low BES assets on R1.3 List)
• Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset
• Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset
• Add BCS to the appropriate list: R1.1: High Impact BCS, R1.2: Medium Impact BCS
• Are there more High or Medium BES assets?
  – Yes (Continue BCS evaluations)
  – No (Continue to R2)
• R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter.
• R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter.
• Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable

Page 12

WECC Audit Team Approach

• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low Impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-lines and BES Asset inventory
• If full Compliance audit:
  – Hold interviews with the entity’s CIP SMEs
  – Perform site visits (Trust, but Verify)
• Validate annual approval documentation [R2]
• Submit Data Requests [DR], as needed, to clarify compliance
• Determine findings (NF, PV, or OEA)
• Discuss findings with entire Cyber Security Team
• Complete RSAW
• Prepare CIP audit report (ATL & CPC)

Page 13

Attachment G*: CIP-002-5.1 Evidence

• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
  – [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
  – [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
  – [R1.3]: A list of identified Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.

* 2015 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.

Page 14

WECC Audit Team Approach

• Submit Data Requests [DRs] for any additional information beyond the Attachment G submission that will support the entity’s compliance efforts, e.g.:
  – Prior documentation to provide bookends
  – Address any questions or concerns

Page 15

CIP-101 Mock Audit Overview

• BILL declared Option 3 of the NERC CIPv5 Transition Guidance (NERC, 2014 Aug 12, p. 5).
• BILL compared inventory of BES Assets against current definition of Bulk Electric System (NERC, 2014 Sept 17, Glossary of Terms, pp. 18-21; NERC, 2014 April, BES Definition Guidance Document, v2)
• BILL identified and documented lists of High and Medium Impact BCS and a list of Low Impact BES Assets through an application of the Impact Rating Criteria [IRC] (NERC, 2013 Nov 22, CIP-002-5.1: Attachment 1, pp. 14-16).
• BILL requires a full Compliance audit on CIP-002-5.1 through CIP-011-2
  – First week: Discovery phase at WECC offices
  – Second week: Compliance audit at BILL office

Page 16

CIP-101 Mock Audit Overview

• This session covers a mock audit of CIP-002-5.1 only
• The mock audit squeezes 2 weeks of audit activities into a few hours.
  – Sample DR’s
  – Mock Interview
  – Site Visits
  – Use the RSAW as the guiding document
  – Present and review evidence for each requirement
  – What do YOU think is the appropriate finding for each requirement?

Page 17

CIP-101 Mock Audit

• Walk through audit process in more detail
• Explain the differences between a reduced scope off-site audit and a full Compliance audit
• The Mock Audit simulates a Compliance audit of Billiam Power Company [BILL]
• BILL is registered with NERC as a BA, DP, GO, GOP, LSE, TO, TOP, TP, and TSP.
• For the CIP audit, the BA, DP, GO, GOP, TO, and TOP functions are in scope.

Page 18

Review Initial Evidence

• Received from the entity in the initial evidence package
• Responses to data requests in Attachment G
• Information contained in entity response to the RSAWs
• Sets the stage for the initial audit review
  – Discovery phase at the WECC offices
• Followed up by additional Data Requests as needed

Page 19

The BILL System*

• Billiam Power Company’s (hereafter referred to by its NERC acronym, BILL) Balancing Authority (BA) area is effectively within the boundaries of the three counties on the western edge of Some State, bordered by Another State on the north and the Almost Mountains on the East and South. These three counties occupy about 15% of the land area of the state and contain about 20% of the state's population.
• BILL is registered as a BA, DP, GO, GOP, LSE, TO, TOP, TP, TSP

Page 20

The BILL System (Generation)

• BILL’s primary generation station is located in eastern Whatchamacallit County. The BILL generation station has two 1,000 MW fossil fuel generating units. The output of these units supports BILL’s native load and any available excess energy is marketed throughout the WECC Interconnection.
• BILL owns and operates nine Combustion Turbines (averaging 30 MWs each) located near various consumer load centers throughout the service territory. These CT’s are primarily used as peaking units and for voltage and frequency support during the summer months.

Page 21

The BILL System (Generation)

• BILL also owns and operates the BILL-3 Hydroelectric plant on the Sweet William River. BILL-3 has a nameplate rating of 100 MW. This hydro unit is Blackstart capable and is connected to the BILL Generation Station through a dedicated 115 kV line that runs 87 miles from Sub3 to Sub1.
• Total BILL generation capacity is 2,380 MWs.

Page 22

The BILL System (Transmission)

• There are two synchronous 345 kV interties with adjacent BA’s that define the BILL BA area. These ties are with XXXX Electrical Utility and YYYY Federal Power District at Sub1, which is adjacent to the BILL Generation Station.
• The BES portion of BILL's BA area, its 345 kV, 230 kV, and 115 kV facilities, include 190 miles of 345 kV transmission lines, 450 miles of 230 kV lines, and 973 miles of 115 kV lines.
• BILL owns and operates two 345 kV substations, 25 230 kV substations, and 52 115 kV substations throughout its service territory. BILL serves its native residential and commercial load through its 115 kV and 230 kV transmission facilities.

Page 23

The BILL System (Control Centers)

• BILL’s Generation and Transmission Facilities are monitored and operated from the Primary Control Center (PCC) located at the corporate headquarters in Big Bill City. BILL also maintains a hot stand-by Back-up Control Center (BUCC) located in its operations center in Little Bill City, which is approximately 50 miles from the PCC.
• BILL is a summer peaking BA and BILL's BA all-time area peak load was recorded on July 20, 2010 at 2,482 MWs.

Page 24

BILL One-Line Diagram

Page 25

BILL’s BES Asset Identification

• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC
  – Starts with an overall Inventory of entity BES assets.
  – Did the entity use the new BES Definition to exclude any BES Assets?
    • If so, review and validate those exclusions
  – Use the IRC to identify and document the R1.x lists

Page 26

High IRC (Control Centers)

Page 27

Medium IRC (Control Centers)

Page 28

Low IRC (Control Centers)

Page 29

R1.i: Example of Auditable Process

Page 30

BILL’s BES Asset Identification

• Were applicable BES assets evaluated relative to IRC criteria 2.3, 2.6, or 2.8?
• Did BILL demonstrate coordination with the applicable registered function(s)?
  – If not, should we submit a data request?

Page 31

Medium IRC (Transmission)

Page 32

Medium IRC (Transmission)

Page 33

Medium IRC (Transmission)

Page 34

Medium / Low IRC (Transmission)

Page 35

R1.ii: Example of Auditable Process

Page 36

Medium IRC (Generation)

Page 37

Medium / Low IRC (Generation)

Page 38

R1.iii-iv: Example of Auditable Process

Page 39

Medium IRC (Protection Systems)

Page 40

Low IRC (Protection Systems)

Page 41

R1.v-vi: Example of Auditable Process

Page 42

List of High & Medium BES assets

• Review the list of High BES assets
• Review the list of Medium BES assets
• Compare both lists to the lists developed for:
  – R1.1: High impact BCS
  – R1.2: Medium impact BCS

Page 43

Compare 2013 List of Critical Assets

• For the next several years, CIP Auditors will be comparing the results of the application of the IRC to identify High and Medium BCS (primarily the BES assets containing such BCS) to the prior CIP-002-3 lists of Critical Assets and lists of Critical Cyber Assets and evaluate any significant differences
• This may not generate a PV, but it is guaranteed to generate discussions.

Page 44

List of Low Impact BES Assets

• Review the list of Low Impact BES Assets.
• Correlate this list against the entity’s inventory of BES Assets and the list of High and Medium BCS locations.

Page 45

BILL BES Assets: 2013 Control Centers

Page 46

BILL BES Assets: 2014 Control Centers

Page 47

BILL BES Assets: 2013 Substations

Page 48

BILL BES Assets: 2014 Substations

Page 49

BILL BES Assets: 2013 Generation

Page 50

BILL BES Assets: 2014 Generation

Page 51

BILL BES Assets: 2013 Special Systems

Page 52

BILL BES Assets: 2014 Special Systems

Page 53

Validate BES Asset Lists

• Review and compare the prior lists of CIP-002-3 R2 Critical Assets to the current lists of High and Medium BES Assets
• Did the results seem reasonable?
• Did the entity opt to reduce its number of Transmission Assets through the application of the BES Definition?
• If so, did the entity provide valid rationale for all exclusions?
• Do the Transmission BES Medium Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?

Page 54

BILL BES Assets: 2013 Critical Assets

Page 55

BILL BES Assets: 2014 High & Medium BES Assets

Page 56

2013 Critical Assets vs. 2014 High & Medium BES Assets – Net Changes

• Control Centers (High BCS)
  – Both Control Centers move from CA list to High BES asset list
• Substations (Medium BCS)
  – Subs 1 and 2 move from CA list to Medium BES asset list
  – Add 4 (Subs 4, 7, 8, 11) to Medium BES asset list
  – 1 (Sub 3, Blackstart Cranking Path) moves to Low BES asset
  – Other Transmission subs become Low BES Assets
• Generation Units (Medium and/or Low BCS)
  – Big Bill Station is a Medium BES asset
  – Blackstart unit becomes Low BES asset
  – Combustion turbines become Low BES assets
• Special Protection Systems (BCS Not Applicable)
  – No change
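
The list comparisons described on the preceding slides (correlating the R1 lists against the BES asset inventory, and comparing the prior Critical Asset list with the High and Medium lists) can be scripted. The following Python is an added example, not part of the original presentation; the asset names and ratings are constructed sample data loosely modelled on the fictitious BILL system, and `reconcile`, `v3_to_v5_changes` and `audit_questions` are hypothetical helper names.

```python
"""Reconcile CIP-002-5.1 R1 lists against a BES asset inventory (added example)."""

# Constructed sample data, loosely modelled on the fictitious BILL system.
# Names and ratings are illustrative assumptions, not audit evidence.
INVENTORY = {
    "PCC", "BUCC",
    "Sub1", "Sub2", "Sub3", "Sub4", "Sub7", "Sub8", "Sub11", "Sub12",
    "Big Bill Station", "BILL-3 Hydro", "CT-1", "CT-2",
}
V3_CRITICAL_ASSETS = {
    "PCC", "BUCC", "Sub1", "Sub2", "Sub3", "Big Bill Station", "BILL-3 Hydro",
}
HIGH = {"PCC", "BUCC"}
MEDIUM = {"Sub1", "Sub2", "Sub4", "Sub7", "Sub8", "Sub11", "Big Bill Station"}
# Sub12 is deliberately left off every list to show how a gap surfaces.
LOW = {"Sub3", "BILL-3 Hydro", "CT-1", "CT-2"}


def reconcile(inventory, high, medium, low):
    """Correlate the three rated lists against the inventory of BES assets."""
    rated = high | medium | low
    return {
        # In the inventory but on no list: the IRC was not applied or not documented.
        "unrated": sorted(inventory - rated),
        # On a list but missing from the inventory: the inventory is incomplete.
        "not_in_inventory": sorted(rated - inventory),
        # On more than one list: confirm the rating that was intended.
        "on_multiple_lists": sorted(
            (high & medium) | (high & low) | (medium & low)
        ),
    }


def v3_to_v5_changes(critical_assets, high, medium, low):
    """Compare the prior Critical Asset list with the High and Medium lists."""
    high_medium = high | medium
    return {
        "carried_forward": sorted(critical_assets & high_medium),
        "newly_rated": sorted(high_medium - critical_assets),
        "moved_to_low": sorted((critical_assets & low) - high_medium),
        "dropped": sorted(critical_assets - high_medium - low),
    }


def audit_questions(recon, changes):
    """Turn the differences into items for discussion or a Data Request."""
    templates = [
        (recon["unrated"], "{}: in inventory but on no R1 list"),
        (recon["not_in_inventory"], "{}: on an R1 list but not in inventory"),
        (recon["on_multiple_lists"], "{}: appears on more than one R1 list"),
        (changes["newly_rated"], "{}: High/Medium now, not a prior Critical Asset"),
        (changes["moved_to_low"], "{}: prior Critical Asset now rated Low"),
        (changes["dropped"], "{}: prior Critical Asset on no current list"),
    ]
    return [text.format(asset) for assets, text in templates for asset in assets]


if __name__ == "__main__":
    recon = reconcile(INVENTORY, HIGH, MEDIUM, LOW)
    changes = v3_to_v5_changes(V3_CRITICAL_ASSETS, HIGH, MEDIUM, LOW)
    for line in audit_questions(recon, changes):
        print(line)
```

Each line of output is a difference to discuss with the entity or to follow up with a Data Request; it is not in itself a finding.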

Page 57

R1: BES Asset Lists Review Questions

• Did BILL apply the IRC appropriately?
• Does BILL need to confer with its RC, PA, or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8?
• Application Questions
  – Did BILL consider all BES asset types in R1.i through R1.vi?
  – Did BILL review and evaluate all BES Assets through the IRC?
  – Did BILL clearly identify and document all BES assets in the appropriate impact rating?
• Is any additional information necessary before we look at the BCS groupings?
  – If so, do we submit a DR?

Page 58

Mapping V3 CA & CCA to V5 BCS

[Diagram: V3 BES Assets & Cyber Assets (Critical Assets & Critical Cyber Assets; Non-Critical Assets & Non-Critical Cyber Assets) > BES Assets > V5 BCS]

• High Impact BCS (IRC 1.1 − 1.4)
  – Large Control Centers
• Medium Impact BCS (IRC 2.1 − 2.13)
  – Control Centers
  – Generation Facilities
  – Transmission Facilities
• Low Impact BCS (IRC 3.1 − 3.6)
  – All other BES Assets
  – Applicable DP Assets (Sect. 4.2.1)
  – Must implement one or more CIP-003-6 policies to address:
    • Cyber Security Awareness
    • Physical Security Controls
    • Electronic Access Controls
    • Cyber Security Incident Response

Page 59

Identifying High and Medium BCS

• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
  – 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  – 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  – 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

Page 60

R1: Identify and Document BCS

• Add Low-impact BES assets to the R1.3 list
• Use lists of High- & Medium-impact BES assets
• Identify BCA associated with each BES Asset.
• Logically group BCA into BCS.
• Document BCS on R1.1 or R1.2 list, as appropriate.

[Diagram: Inputs: List of High & Medium Assets → R1.1 - R1.2 Process: Identify BCS → Outputs: R1.1, R1.2 Lists. Input: List of Low Impact Assets → R1.3 List]

Page 61

Identifying BES Cyber Assets [BCA]

• Identify all Cyber Assets at the BES Asset
  – Consider all Programmable Electronic Devices [PED]
  – Apply the definition of the BCA
• Group BCA into BCS

[Flowchart, text recovered from the slide graphic:]

• For each High or Medium BES Asset
• Identify each Cyber Asset at the BES Asset
• EMS/SCADA, transmission protection or generation control system? (Yes / No)
• Adverse impact within 15 minutes? (Yes / No)
• Add BCA to list for grouping into BCS
• Identify as non-BCA
• Are there more Cyber Assets at BES Asset? (Yes / No)
• Group BCA into BCS

Page 62

Consider Real-Time Operations

• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).
• 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791, P. 123, p. 72771).

Page 63

BCA Identification Lesson Learned
Examples of BCA (in Progress)

• Digital relays
• Remote Terminal Units (RTUs)
• Phasor measurement units (PMUs)
• Phasor data concentrators (PDCs)
• Programmable automation controllers (PAC), Programmable Logic Controllers (PLC)
• Communications processors
• Servers (application, database, etc.) and workstations (e.g., HMIs)
• Local Area Network (LAN) switches

Page 64

BCA Identification Lesson Learned
Examples of non-BCA (in Progress)

• A solid state relay that allows the user to set when the relay will operate but not how the relay operates.
• A HART (Highway Addressable Remote Transmitter) compatible smart pressure transmitter
• A HART compatible smart actuator for a final control element, such as a control valve or damper
• A handheld HART configurator (the 30 day connection exclusion normally applies to these devices)
• Output only/sealed devices
• Media converters and Remote I/O modules (i.e., Copper to fiber converter)

Page 65: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

What about Tie-line Meters?

• A very hot topic currently being discussed by WECC with NERC and the other regions.
• Also known as Interchange meters
• Distinct from Revenue meters
• Identified as essential to the reliability of the BES with real-time impact (<= 6 second polling interval) under the BAL-005-0.2b Standard [e.g., R8, R12].
• Support the BROS (e.g., Balancing Load and Generation; Managing Constraints; Inter-Entity Coordination)

Page 66: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

What about Tie-line Meters?

• In the absence of guidance to the contrary from NERC &/or FERC, WECC’s position is a prudent entity will identify tie-line and interchange meters as BCA at the host Facility, group them into BCS, and afford them the full protections of the CIP v5 Standards, Requirements, and Parts, as applicable.

• See also FAQ #77 (NERC, 2015 April 1, Frequently Asked Questions: CIP Version 5 Standards, pp. 5-6).

Page 67: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Consider Ancillary Cyber Assets

• Protected Cyber Assets [PCA]
– Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
– May also be lower impact BCS by virtue of the high-water mark (CIP-005-5, p. 14)

• Electronic Access Control or Monitoring Systems [EACMS]
– Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)

• Physical Access Control Systems [PACS]
– Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6).

Page 68: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Grouping BCA into BCS

• Entity determines level of granularity of a BCS
– There may be one or more BCA within a given BCS
– Consider the BROS for your registrations

• In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the “BES Cyber System” term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term “BES Cyber System” is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts (CIP-002-5.1, 2013, p. 4)

Page 69: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

R1.1-R1.2: Identifying BCS

• Develop an auditable process to examine each High and Medium impact Facility
• Examine inventory of BCA at each Facility
• Consider reliability functions
• Group BCA into logical BCS
• Identify PCA, EACMS, and PACS

Page 70: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Process to Identify BCS

CIP-002-5 requires the identification of High & Medium impact BCS, but it may be a good idea to consider & identify the different types of BCS (CIP-005-5, pp. 4-5) and associated Cyber Assets (CIP-002-5, p. 6) at this point to facilitate later determinations in the Applicability Matrices of other CIP standards:

• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS with External Routable Connectivity
• PCA
• EACM
• PACS

[Flowchart: "Use the inventory of BES Cyber Assets at the High- or Medium- Facility to identify and list R1.1 and R1.2 BES Cyber Systems (BCS) at each such facility"; "Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the Facility"; decision "Are there More High or Medium Facilities?" (Yes / No).]

Page 71: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Consider Reliable Operation of the BES

• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).

• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).

Page 72: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Grouping BCA into BCS Lesson Learned (In Progress)

Grouping by Function

Page 73: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Grouping BCA into BCS Lesson Learned (In Progress)

Grouping across Substations

Page 74: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Grouping BCA into BCS Lesson Learned (In Progress)

Grouping by Function and Location

Page 75: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Grouping BCA into BCS Lesson Learned (In Progress)

Grouping by Location

Page 76: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Grouping BCA into BCS Lesson Learned (In Progress)

Grouping by Connectivity

Page 77: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCS

[Figure: diagram with areas labeled EMS BCS, Generation BCS, and Transmission BCS]

Page 78: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCA Groupings: BA/TOP

• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)

Page 79: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCA Groupings: BA/TOP

Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg

[Figure: control center diagram with ESP boundaries and components labeled High BCS, PCA, and Low or No BCS]

Page 80: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCA Groupings: BA/TOP

• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems

Page 81: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCA Groupings: TO/TOP

Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan) Retrieved from http://publicintelligence.net/scada-a-deeper-look/

[Figure: SCADA diagram with components labeled SCADA Component BCS, EMS BCS, RTU BCS, and Protective Relay BCS]

Page 82: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCA Groupings: GO/GOP

• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)

Page 83: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Examples of BCA Groupings: GO/GOP

Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf

[Figure: generation control system diagram with components labeled Medium BCS, PCA, and Low BCS]

Page 84: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Consider BCS Types

• High Impact BCS,
• High Impact BCS w/ Dial-up Connectivity,
• High Impact BCS w/ External Routable Connectivity,
• Medium Impact BCS,
• Medium Impact BCS at Control Centers,
• Medium Impact BCS w/ Dial-up Connectivity,
• Medium Impact BCS w/ External Routable Connectivity,
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)

Page 85: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Medium BCS Example

• Keep in mind, all Requirements applicable to Medium BCS also apply to:
– Medium BCS at Control Centers,
– Medium BCS with ERC
– Medium BCS with Dialup Connectivity

[Figure: diagram with areas labeled "Requirements Applicable to Medium BCS", "Requirements Applicable to Medium BCS at Control Centers", "Requirements Applicable to Medium BCS with Dialup Connectivity", and "Requirements Applicable to Medium BCS with ERC"]

Page 86: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

BILL’s BCS Identification

• The next step in a CIP-002-5.1 audit is to review the entity’s development of the R1.1 through R1.3 lists.

• Starts with the identified lists of High and Medium impact BES assets.

• Uses the inventory of BES Cyber Assets at each such BES asset to identify and document a list of High and Medium BCS, even if such lists are null.

• Good idea to start with any existing lists of CCAs at applicable CIPv3 Critical Assets.

Page 87: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

2014 BCS: Primary Control Center

Page 88: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

2013 CCAs: Backup Control Center

Page 89: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

2013 CCAs: SUB1

Page 90: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

2012 Null Lists CCAs: Generation & Subs

Page 91: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

2013 Null Lists CCAs: Generation & Subs

Page 92: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Identifying BES Cyber Assets

• Identify if the Cyber Asset meets the definition of BCA
• Check for length of installation
– If < 30 days, determine if the Cyber Asset is a transient device.
• Group into logical BCS with associated PCA
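The steps above, combined with the 15-minute test and the no-redundancy rule from the Real-Time Operations slide, as an added Python example that is not part of the workshop materials. The device names, the `impact_minutes` field and the choice to group by facility and function are assumptions for illustration; the inventory is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

IMPACT_WINDOW_MIN = 15  # adverse impact "within 15 minutes" (CIP-002-5.1, p. 5)
TRANSIENT_DAYS = 30     # installation-length check from the slide above


@dataclass(frozen=True)
class CyberAsset:
    name: str            # constructed device name
    facility: str        # High or Medium impact BES Asset hosting the device
    function: str        # reliability function the device supports
    programmable: bool   # only programmable electronic devices are Cyber Assets
    days_connected: int
    # Assumed field: minutes until adverse BES impact if this one device is
    # unavailable, degraded or misused. None means no real-time impact.
    impact_minutes: Optional[int]
    redundant: bool      # recorded in the inventory, never consulted below
    in_esp: bool


def classify(asset: CyberAsset) -> str:
    """Return 'BCA', 'transient-review', 'PCA' or 'non-BCA'."""
    if not asset.programmable:
        return "non-BCA"
    meets_definition = (asset.impact_minutes is not None
                        and asset.impact_minutes <= IMPACT_WINDOW_MIN)
    # asset.redundant is deliberately ignored: a hot standby does not take a
    # device out of scope for the 15-minute test.
    if meets_definition:
        if asset.days_connected < TRANSIENT_DAYS:
            return "transient-review"  # needs a documented transient decision
        return "BCA"
    return "PCA" if asset.in_esp else "non-BCA"


def build_lists(inventory):
    """Group BCA into BCS keyed by (facility, function); list the rest by class."""
    bcs = defaultdict(list)
    result = {"pca": [], "transient-review": [], "non-bca": []}
    for asset in inventory:
        kind = classify(asset)
        if kind == "BCA":
            bcs[(asset.facility, asset.function)].append(asset.name)
        elif kind == "PCA":
            result["pca"].append(asset.name)
        elif kind == "transient-review":
            result["transient-review"].append(asset.name)
        else:
            result["non-bca"].append(asset.name)
    result["bcs"] = dict(bcs)
    return result


# Constructed inventory for the mock entity's Primary Control Center and SUB1.
INVENTORY = [
    CyberAsset("EMS-APP-01", "Primary Control Center", "EMS", True, 400, 5, True, True),
    CyberAsset("EMS-APP-02", "Primary Control Center", "EMS", True, 400, 5, True, True),
    CyberAsset("PRINTER-01", "Primary Control Center", "Office", True, 400, None, False, True),
    CyberAsset("RELAY-A", "SUB1", "Protection", True, 900, 1, False, True),
    CyberAsset("RTU-01", "SUB1", "SCADA", True, 900, 10, False, True),
    CyberAsset("HART-HANDHELD", "SUB1", "Instrumentation", True, 2, 10, False, False),
    CyberAsset("MEDIA-CONV-01", "SUB1", "SCADA", False, 900, None, False, True),
    CyberAsset("HISTORIAN-DMZ", "SUB1", "Reporting", True, 900, 240, False, False),
]

if __name__ == "__main__":
    lists = build_lists(INVENTORY)
    for key, members in lists["bcs"].items():
        print("BCS", key, members)
    for bucket in ("pca", "transient-review", "non-bca"):
        print(bucket, lists[bucket])
```

Both redundant EMS servers land in the High-impact control center BCS, while the handheld configurator is held for a transient-device determination instead of being silently dropped.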

Page 93: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

R1.1: Example of Auditable Process

Page 94: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

R1.1: Example of Auditable Process

Page 95: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

R1.3: Example of Auditable Process

• Any BES Asset (i.e. Facility) not rated as High or Medium defaults to a Low Impact rating and should be placed on the R1.3 list

• BCS associated with a Low impact BES Asset also become Low impact BCS.

• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3.

• Comply with CIP-003-6 R2 for specific technical controls

Page 96: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

BILL’s Review & Approval Process

• The next step in a CIP-002-5.1 audit is to review the identifications of the lists created in R1, even if such lists are null.
– R1.1 list of High BCS
– R1.2 list of Medium BCS
– R1.3 list of Low-impact BES assets

• Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists.

[Diagram: Inputs (R1.1, R1.2, R1.3 Lists); R2 Review & Approval Process; Outputs (Signed and Dated Records)]

Page 97: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

R2: Annual Approval Review Questions

• Did BILL review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?

• Did BILL update the lists, as necessary?

• Did the BILL CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?

• Application Questions
– Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?

• Are any DRs necessary?
– If so, what additional information is required?
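The R2.1 and R2.2 evidence questions above, as an added Python check over constructed evidence records; it is not part of the workshop materials. It assumes the deadline falls on the same day of the month 15 calendar months later (clamped to month end), and the record fields, approver label and dates are hypothetical.

```python
import calendar
from datetime import date

REVIEW_INTERVAL_MONTHS = 15
REQUIRED_LISTS = ("R1.1", "R1.2", "R1.3")  # each needs evidence, even if null


def add_calendar_months(d, months):
    """Same day-of-month `months` later, clamped to the last day of that month."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def interval_gaps(dates, as_of):
    """Yield (due, actual) for each interval that ran past its due date.
    `actual` is None when nothing further had happened by `as_of`."""
    dates = sorted(dates)
    for prev, nxt in zip(dates, dates[1:]):
        due = add_calendar_months(prev, REVIEW_INTERVAL_MONTHS)
        if nxt > due:
            yield due, nxt
    if dates:
        due = add_calendar_months(dates[-1], REVIEW_INTERVAL_MONTHS)
        if as_of > due:
            yield due, None


def audit_r2(records, as_of):
    """Return findings as (list_id, part, issue, date) tuples."""
    findings = []
    for list_id in REQUIRED_LISTS:
        history = [r for r in records if r["list_id"] == list_id]
        if not history:
            findings.append((list_id, "R2.1", "no-evidence", None))
            continue
        for rec in history:
            if rec["approved"] is None or not rec["approver"]:
                findings.append((list_id, "R2.2", "unsigned", rec["reviewed"]))
        reviews = [r["reviewed"] for r in history]
        approvals = [r["approved"] for r in history
                     if r["approved"] is not None and r["approver"]]
        for part, dates in (("R2.1", reviews), ("R2.2", approvals)):
            for due, actual in interval_gaps(dates, as_of):
                issue = "late" if actual else "overdue"
                findings.append((list_id, part, issue, due))
    return findings


def rec(list_id, reviewed, approved, approver="CIP Senior Manager"):
    """Build one evidence record (constructed data)."""
    return {"list_id": list_id, "reviewed": reviewed,
            "approved": approved, "approver": approver if approved else None}


AS_OF = date(2015, 9, 10)
SAMPLE = [
    rec("R1.1", date(2013, 6, 3), date(2013, 6, 5)),
    rec("R1.1", date(2014, 8, 29), date(2014, 9, 2)),
    rec("R1.2", date(2013, 6, 3), date(2013, 6, 5)),
    rec("R1.2", date(2014, 10, 15), date(2014, 10, 20)),  # past the 15-month mark
    rec("R1.3", date(2014, 5, 30), None),                 # reviewed, never signed
]

if __name__ == "__main__":
    for finding in audit_r2(SAMPLE, AS_OF):
        print(finding)
```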

Page 98: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-Site Activities: The Interview

• Set up through an interview DR the prior week
• Typically held on Monday of the on-site week immediately after the opening presentation
• Examines the entity’s understanding of and approach to R1 and R2
• Cover any areas of concern raised through the initial evidence review
• Schedule follow-up interview(s), if needed, after the site visits

Page 99: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-site activities: Mock Interview

• Need four volunteers
– You are BILL SMEs
– No, you don’t get to practice

• We will ask a series of questions that we generally ask all CIP-002 SMEs

• Also ask questions of concern, if indicated by the initial review of the evidence

• The Interview Question Set

Page 100: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-site activities: Mock Interview

• What did we learn from the interview?
• What was the key issue from an audit perspective?
• Should we find a PV for this issue?
• Why or why not?

Page 101: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-Site Activities: Site Visit

• Set up through a site visit DR the prior week
• Itinerary determined through review of the initial evidence
• Trust, but verify. Why?
• Depending on entity size, this may involve 100% validation or a statistical sampling:

• Where?
– Control Centers
– Generation Facilities
– Transmission Facilities

• What?
– High and Medium BCS
– A judgmental sampling of Low Impact BES Assets

Page 102: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-Site Activities: Site Visit

• Who?
– CIP-002-5.1 Sub-Team
  • Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL
  • Works in conjunction with CIP-005 sub-team
– CIP-005-5 Sub-Team
  • Validates Electronic Access Points [EAPs] and Electronic Access Control and Monitoring devices [EACMs].
  • Confirms ESP boundaries
– CIP-006-5 Sub-Team
  • Validates PSPs and Physical Access Controls, such as PACS, cameras, logs, etc.
  • My colleague provided an overview on CIP-006 audit activities earlier.

Page 103: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-Site Activities: CIP-002-5.1 Site Visit

• What?
– Validate lists of BCS
– Validate null lists of BCS (if applicable)
– Look for aberrations from the lists
– Hold informal interviews with entity SMEs

• When?
– Visit remote sites during the off-site audit week.
– Most Control Centers on Tuesday of the on-site audit week
– May extend to Wednesday depending on number of sites visited, distances traveled, resource constraints, etc.

Page 104: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-Site Activities: BILL Site Visits

• Visit the Primary and Backup Control Centers
– 100% validation of High BCS, PCA, etc. in both locations
– Talk to Operators & SMEs

• Visit the BILL Generation Station, the Hydro Blackstart Facility, and a sampling of the CT units.

• Visit SUB1, SUB2, SUB3, SUB11
– Validate the Medium BCS, PCA, etc.
– Talk with entity SMEs

• Visit a sampling of Low-impact BES assets (SUB26, SUB53)
– Validate presence of Low BCS,
– Review CIP-003-6 R2 controls.

• Site Visit Questions
– Why validate the BCS at a given site?
– Why ask questions of entity SMEs?
– What do the auditors expect to find?

Page 105: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

BILL Site Visits: Control Centers

• Visited the Primary Control Center
– 100% validation of High BCS
– Found nothing out of the ordinary.

• Visited the Backup Control Center
– 100% validation of High BCS
– Found nothing out of the ordinary.

Page 106: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Site Visits: Generation Units

• Visited BILL Generation Station
– Validated Medium BCS and Low BCS
– Found nothing out of the ordinary.

Page 107: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Site Visits: Substations

• Visited Sub 1
– 100% validation of Medium BCS
– Found nothing out of the ordinary.

• Visited Subs 2, 4, 7, 8, & 11
– Validated Medium BCS.
– Noticed something strange here.

Page 108: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Site Visits: What Did We See?

What is this device and what is it doing here in the subs?

Page 109: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

On-Site Activities: Site Visit

• What did we learn from the site visit?
• Tour Notes DR
• Why do we validate Low-impact BES Assets?
• What was the main concern with the unexpected devices?
• Should we DR for additional information?
• Would another interview be more effective?
• Does this situation call for a PV?
• Why or why not?

Page 110: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Discussing the Findings

• Discuss with whole Cyber Security Team
• Is there a PV for the undocumented devices?
– R1.2: Undeclared Medium BCS?
  • BCA at the Combustion Turbines
  • Does the entity have documentation from its TP or PA/PC that exempts the CTs from Criterion 2.3?
– R1.2: Incorrect identification of Medium BCS w/Dial-up Connectivity?
  • The Substation Modems
• Determine the scope of a potential PV
– How do we do this?
  • Complete the CIP-002-5.1 Findings Table in RSAW
  • Submit to the ATL and CPC for the Closeout Presentation

Page 111: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Value-Added Activity: Feedback

• WECC Audit Teams never Prescribe Solutions, but we do describe:
– Brief entities on findings
– Encourage good security practices
– Discuss examples of industry best practices
– Identify areas of concern, which may not be violations, but which could stand improvements
– Provide suggestions, when appropriate

• Support development of a sustainable compliance culture

Page 112: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Audit Documentation: The RSAW

• An auditor is judged by the quality of his or her working papers.
– Complete the RSAW
– Review evidence and notes for final determinations
– DR for any final needed information
– Document Findings

Page 113: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Audit Documentation

• Auditors review evidence, find facts, and report findings
– Turn PVs over to the Enforcement team
– Enforcement team depends heavily on the quality of auditor documentation

• Be Literate, be Concise, but above all else, Be Accurate.

• If it’s not written down, it didn’t happen.

Page 114: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Post-Audit Auditor Activities

• The Audit Report
– Work with ATL & CPC
– Verify findings and other information related to audited standard(s)

• Document findings in webCDMS
– PV & OEA findings only

• Work with WECC Enforcement personnel to support Investigations as SME for audit processes and findings

Page 115: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Post-Audit Auditor Activities

• Participate in entity Outreach activities, such as this event and CIPUG meetings

• Be available and responsive to address entity questions/comments

• Work at National level
– CCWG
– Drafting teams
– Comment on new Standards, CANs, etc.
– Attend and present at Conferences
– CIPv5 Pilot Study

Page 116: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Summary

• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid report
• Be available to CIP personnel at the entities
• Work at National level

Page 117: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Remember the Auditor’s Mission

Just the facts, Ma’am, Just the facts!

Page 118: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

References

• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf

• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null

• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf

Page 119: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

References

• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf

Page 120: CIP v5 Advanced Workshop From CIP-002-3 to CIP-002-5.1: A

Speaker Contact Information

Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351
(O) 801.734.8357