CIP Version 5 Transition (Gallo) - Society of Corporate Compliance and Ethics


Post on 17-May-2018


CIP Version 5 Transition (Gallo) - Society of Corporate Compliance and Ethics · 2015-02-04

Transitioning from Version 3 to Version 5 of the NERC Critical Infrastructure Protection Reliability Standards

Andrew Gallo

Director, Reliability Compliance, Austin Energy

Speaker

Education/Training

• J.D. (1985)

• Certified Compliance & Ethics Professional (CCEP since 2009)

Career

• Most Recently:

– Austin Energy: Director, Reliability Compliance, June 2010 ‐ Present

– Calpine: VP Regulatory Compliance, 2010

– Seattle City Light: Chief Compliance Officer, 2008 ‐ 2010

– ERCOT: Asst. General Counsel, 2002 – 2008

Roles

• Member of NERC Standards Committee

• NERC Quality Reviewer

• Chair, Texas RE Regional Standards Committee

• Past Chair – Texas RE NERC Standards Review Subcommittee (NSRS)

• Past Chair – ERCOT NERC Reliability Working Group (NRWG)

Background

How We Got Here

• CIP Version 1

– Approved 1/18/2008 (Order 706)

– Effective 7/1/2008 (18 CFR Part 40)

– FERC Order with directives:

• Remove “Reasonable Business Judgment” and “Acceptance of Risk”

• Address Technical Feasibility Exceptions

• CIP Version 2

– Effective 4/1/2010 to 9/30/2010

– Minor changes (Low‐hanging fruit)

• CIP Version 3

– Approved 3/31/2010

– Effective 10/1/2010 to 4/1/2016

Why New Version(s)

• News Reports

– Congress Concerns

– White House (Cybersecurity Framework) Concerns

Why New Version(s) (cont’d)

• Versions 1, 2 & 3 ‐ Disorganized

– Change Control / Information Protection / Governance

– Vulnerability Assessments in two Standards

• Too much discretion to industry

– Risk‐Based Assessment Methodology (RBAM) = Too few in‐scope assets

• Perceived “loopholes”

• NERC Action before FERC or Congress

– FERC: “Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed” – Feb. 14, 2012

NERC CIP Version 4

• Approved 4/19/2012 (Order 761)

• Replaced RBAM with “bright line”

• Effective 4/1/14, postponed to 10/1/2014, except…

• Switch from Risk‐Based Assessment Methodology (RBAM) to “Bright‐line”

– But kept “Critical Assets” and “Critical Cyber Assets” (CCAs)

• Bright‐line (CIP‐002‐4)

– 17 criteria

– Tied to operational Standards (IROL, Black Start, Contingency Reserves)

• No technical changes in other Standards

• Never became effective

– Skipped to V5

Version 4 Bright‐Line Criteria

Ignore (sort of)

• 1.1 – Gen Plants ≥ 1500 MWs

• 1.2 – Reactive resources ≥ 1000 MVAR

• 1.3 – “RMR” resources

• 1.4 – Black Start resources

• 1.5 – Cranking Paths

• 1.6 – Transmission facilities ≥ 500 kV

• 1.7 – Transmission facilities ≥ 300 kV and connected to 3 other facilities ≥ 300 kV

• 1.8 – Transmission facilities deemed “critical” by RC, PA or TP

Version 4 Bright‐Line Criteria

• 1.9 – Flexible AC Transmission Systems (FACTS) deemed “critical” by RC, PA or TP

• 1.10 – Transmission facilities which, if lost or compromised, would cause the loss of gen from criteria 1.1 or 1.3

• 1.11 – Transmission facilities necessary for NPIRs

• 1.12 – SPS/RAS which, if lost, would affect an Interconnection Reliability Operating Limit (IROL)

• 1.13 – Load shedding systems ≥ 300 MW w/o human intervention

• 1.14 – RC Control Centers (and back‐ups)

Version 4 Bright‐Line Criteria

• 1.15 – Control Centers (and back‐ups) used to control gen at multiple plant locations and identified in 1.1, 1.3 or 1.4. Each control center (and back‐up) used to control gen ≥ 1500 MW

• 1.16 – Control Center (and back‐up) used by a TOP which includes control of at least one asset identified in 1.2, 1.5 – 1.12

• 1.17 – BA Control Center (and back‐up) which includes at least one asset from 1.1, 1.3, 1.4, 1.13

NERC CIP Version 5

• Approved 11/22/2013 (Order 791)

• Effective 4/1/2016 (mostly)

• Still not entirely finished…

– “Identify, Assess & Correct”

– Transient Devices (thumb drives; laptops)

– “Communication Network” definition

– Security Controls for Low Impact assets

• Final Ballot closed 2/2/15

New Versions

• CIP Version 5 Effective Dates

CIP Version 5 ‐ Approach

• CIP V5 = priorities shift

– Primarily focuses on improving security instead of “compliance”

– A turning point for the CIP Standards

– Compliance is important but can leave security gaps

• compliant ≠ secure

– Version 5 tries to combine compliance and security by achieving compliance through security

• Structure Corrections

– Versions 1 – 4

• Change Control and Information Protection embedded in Governance standard

– Change Control: CIP‐003‐3, R6

– Info Protection: CIP‐003‐3, R4

– Version 5

• CIP‐010‐5: Change Control / Vulnerability Assessments

• CIP‐011‐5: Information Protection

CIP Version 5 – Approach (cont’d)

• New Format

– Background section

– Requirements/Measures (usually w/ table)

• Suggested evidence

– Guidelines and Technical Basis

• Transition Period – 11/22/13 to 4/1/16 (Now)

– Entities may maintain V3 RBAM

– May adopt bright‐line criteria (compliance will not address black start units and cranking paths)

– Entities must identify when requested

Version 5 ‐ Major Changes

• Move from “Critical Assets” and “Critical Cyber Assets” to BES Cyber Assets and BES Cyber Systems

• High/Medium/Low Impact BES Cyber Systems

• External Routable Connectivity (ERC)

Version 5 – New Definitions

Not verbatim

• Annual – Once every 15 months (or less)

• BES Cyber Asset – Cyber Asset if rendered unavailable/degraded/misused would, w/n 15 minutes, adversely impact Facilitie(s), system(s) or equipment, which, if destroyed/degraded/rendered unavailable (as needed) would affect reliable operation of Bulk Electric System (BES)

• BES Cyber System – ≥ 1 BES Cyber Asset logically grouped to perform reliability task(s) (aka BROS)

• BES Reliability Operating Service – BES Cyber Systems in‐scope under V5 (b/c of impact on BES reliability)

– Dynamic Response to BES conditions

– Balancing Load and Generation

– Controlling Frequency (Real Power)

– Controlling Voltage (Reactive Power)

– Managing Constraints

– Monitoring & Control

– BES Restoration

– Situational Awareness

– Inter‐Entity Real‐Time Coordination and Communication

Version 5 – New Definitions (cont’d)

• BROS by Registration

Version 5 – New Definitions

• Electronic Access Control or Monitoring System (EACMS) ‐ Cyber Assets performing electronic access control or monitoring of Electronic Security Perimeter (ESP) or BES Cyber Systems (includes Intermediate Systems) (previously ACM)

• Physical Access Control System (PACS) ‐ Cyber Assets which control, alert or log access to the Physical Security Perimeter (PSP) (exc. locally mounted hardware or devices) at PSP (e.g. motion sensors, electronic lock control mechanisms and badge readers)

• Protected Cyber Asset (PCA) ‐ ≥ 1 Cyber Asset connected using a routable protocol w/n or on an ESP which is not part of the highest impact BES Cyber System w/n the same ESP (previously NCCA)

– Impact rating of PCA = the highest rated BES Cyber System in same ESP

– Cyber Asset is not a PCA if connected to either a Cyber Asset within the ESP or the network within the ESP for ≤ 30 consecutive days and used for data transfer, vulnerability assessment, maintenance or troubleshooting purposes (aka “transient device” ‐ e.g. troubleshooter laptop)

Version 5 – New Definitions (cont’d)

• Low Impact BES Cyber System Electronic Access Point (LEAP) ‐ Cyber Asset interface which allows Low Impact External Routable Connectivity

– Cyber Asset may reside at a location external to the asset(s) containing low impact BES Cyber System

– LEAP is not an Electronic Access Control or Monitoring System

• Low Impact External Routable Connectivity (LERC) ‐ Bi‐directional routable communications between low impact BES Cyber System(s) and Cyber Assets outside the asset containing the low impact BES Cyber System(s)

– Communication protocols created for Intelligent Electronic Device (IED) to IED communication for protection and/or control functions from assets containing low impact BES Cyber Systems are excluded (e.g. IEC 61850 GOOSE or vendor proprietary protocols)

Version 5 – New Definitions (cont’d)

• BES Cyber System Information (BCSI) ‐ Information about BES Cyber System which could be used to gain unauthorized access or pose a security threat to BES Cyber System

– Does not include individual pieces of information which, by themselves, do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems (e.g. device names, individual IP addresses w/o context, ESP name or policy statements).

– Examples of BCSI: security procedures or security information about BES Cyber Systems, PACS and EACMS not publicly available and which could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of BES Cyber System

V5 Problems/Issues (FERC Order 791)

• FERC ordered NERC to:

– Revise or remove “Identify, Assess and Correct” language

– Define communication networks and create new/modified Standards to protect nonprogrammable components of communication networks (e.g. cables and wires)

– Add objective criteria re: sufficiency of controls for Low Impact assets

– Develop new or modified Standards for Transient Devices (e.g. thumb drives and laptops)

• NERC Project 2014‐02

– Removed “identify, assess, and correct” language

– Address security controls for Low Impact assets

– Develop requirements to protect transient electronic devices

– Define “communication networks” and develop new/modified standards to address protection of communication networks

– (More later… maybe)

Transition from Version 3 to Version 5

Disclaimer

• This presentation contains general information about legal matters. The information is not advice and you should not treat it as such. I am not your lawyer.

• Limitation of warranties

– The information in this presentation is provided “as is” without any representations or warranties, express or implied. I make no representations or warranties in relation to the legal information in this presentation.

• Without limiting the generality of the foregoing paragraph, I do not warrant that:

– the information in this presentation will be constantly available, or available at all; or

– the information in this presentation is complete, true, accurate, up‐to‐date or non‐misleading.

• You should not rely on the information in this presentation as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter, you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice or commence or discontinue any legal action because of information in this presentation.

• Nothing in this disclaimer will limit any liabilities in any way not permitted under applicable law or exclude any liabilities which may not be excluded under applicable law.

• I’m just doing the best I can like the rest of you…

Asset Identification Options


• Option 1 – Continue to comply with all CIP V3 Standards during Transition Period

• Option 2 – Begin transitioning to compliance w/ some or all CIP V5 Standards

• Option 3 ‐ Adopt V5 “High” and “Medium” Impact Rating Criteria (CIP‐002‐5.1, Attachment 1) in lieu of RBAM

Critical Asset Identification – Option 1

Critical Asset Identification – Option 2

• Responsible Entities which adopted CIP V4 Critical Asset Criteria may continue in lieu of RBAM

• Adoption of V4 Criteria must have occurred before 8/12/14

• Critical Assets identified per criteria 1.4 and 1.5 (Black Start Resources and Cranking Paths) not subject to CIP V3 but TOP Control Centers controlling Cranking Path assets will be treated as Critical Assets

• Annually approve adoption of V4 Critical Asset Criteria

Critical Asset Identification – Option 3

• May adopt V5 “High” and “Medium” Impact Rating Criteria (CIP-002-5.1, Attachment 1) in lieu of RBAM

• Do so at any time

• May immediately adopt V5 criteria to derive “Critical Asset” list

• May remove Critical Assets and CCAs if they do not satisfy V5 “High” or “Medium” impact criteria

• Annually approve adoption of V5 Impact Rating Criteria

Critical Asset Identification

High Impact BES Cyber Systems

• Control Center (or backup) used to perform obligations of:

– Reliability Coordinator (C1.1)

– Balancing Authority (C1.2)

• For generation ≥ aggregate of 3000 MW in a single Interconnection, or

• For ≥ 1 assets meeting criterion 2.3 (RMR), 2.6 (IROL) or 2.9 (SPS/RAS)

– Transmission Operator for ≥ 1 assets meeting criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9 or 2.10 (C1.3)

– Generator Operator for ≥ 1 assets meeting criterion 2.1, 2.3, 2.6 or 2.9 (C1.4)

Medium Impact BES Cyber Systems

• Generation at a single plant with aggregate highest rated net Real Power capability (preceding 12 months) ≥ 1500 MW in a single Interconnection (C2.1)

– Only BES Cyber Systems which could, w/n 15 minutes, adversely impact reliable operation of units which aggregate ≥ 1500 MW in one Interconnection

• BES reactive resource(s) at one location (excl. gen Facilities) w/ aggregate max. Reactive Power rating ≥ 1000 MVAR (C2.2)

– Only BES Cyber Systems which could, w/n 15 minutes, adversely impact reliable operation of resources which aggregate ≥ 1000 MVAR

• Gen Facility designated by Planning Coordinator or Transmission Planner as necessary to avoid Adverse Reliability Impact in the planning horizon > 1 year (RMR) (C2.3)

Medium Impact BES Cyber Systems (cont’d)

• Transmission Facilities operated at ≥ 500 kV (C2.4)

– Collector bus for gen plant ≠ “Transmission Facility”

• Generation at one plant or Transmission Facilities at one station identified by Reliability Coordinator, Planning Coordinator or Transmission Planner as critical to derive Interconnection Reliability Operating Limit (IROL) and associated contingencies (C2.6)

• Transmission Facilities identified as essential to meet Nuclear Plant Interface Requirements (C2.7)

• Transmission Facilities (incl. gen interconnection) to connect generator output to the Transmission Systems which, if destroyed/degraded/misused/rendered unavailable, would result in loss of gen Facilities from criterion 2.1 (>1500 MW) or 2.3 (RMR) (C2.8)

• System/group of Elements performing under-voltage load shedding (UVLS) or under-frequency load shedding (UFLS), w/o human initiation, of ≥ 300 MW under a load shedding program subject to ≥ 1 NERC or regional standards (C2.10)

Medium Impact BES Cyber Systems (cont’d)

• Transmission Facilities operating between 200 kV and 499 kV at a single station if that station is connected at ≥ 200 kV to 3 or more other Transmission stations and w/ “aggregate weighted value” > 3000 according to table below (C2.5)

– “Aggregate weighted value” = sum of the “weight value per line” in table for each incoming and outgoing BES Transmission Line connected to another Transmission station

– Collector bus for gen plant ≠ “Transmission Facility”
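
Added example (not part of the original slides): criterion 2.5 worked as a calculation over a station's lines. The per-line weights (700 for 200–299 kV, 1300 for 300–499 kV, 0 for 500 kV and above) are taken from the CIP-002-5.1 Attachment 1 table, which did not survive in this transcript; the class names, function names and station data are constructed for illustration.

```python
"""Criterion 2.5 (CIP-002-5.1, Attachment 1): aggregate weighted value check."""
from dataclasses import dataclass

# Assumption: weights are from the criterion 2.5 table in CIP-002-5.1
# Attachment 1 (the table the slide points to is missing from this page).
WEIGHT_200_TO_299_KV = 700
WEIGHT_300_TO_499_KV = 1300
AGGREGATE_THRESHOLD = 3000   # slide: "aggregate weighted value" > 3000
MIN_OTHER_STATIONS = 3       # slide: connected to 3 or more other stations


@dataclass(frozen=True)
class Line:
    """One incoming or outgoing BES Transmission Line at the station."""
    kv: float
    remote_station: str
    collector_bus: bool = False  # gen plant collector bus is not a Transmission Facility


@dataclass(frozen=True)
class C25Result:
    aggregate_weight: int
    other_stations: int
    medium_impact: bool


def line_weight(kv: float) -> int:
    """Weight value per line; lines outside 200-499 kV contribute nothing."""
    if 200 <= kv < 300:
        return WEIGHT_200_TO_299_KV
    if 300 <= kv < 500:
        return WEIGHT_300_TO_499_KV
    return 0  # < 200 kV is out of scope; >= 500 kV falls under criterion 2.4


def evaluate_c25(lines) -> C25Result:
    """Apply both tests of criterion 2.5 to one station's lines."""
    # Only lines at >= 200 kV to another Transmission station count, and a
    # generator collector bus is excluded per the slide.
    counted = [ln for ln in lines if not ln.collector_bus and ln.kv >= 200]
    aggregate = sum(line_weight(ln.kv) for ln in counted)
    # Parallel lines to the same station add weight but not connectivity.
    other_stations = len({ln.remote_station for ln in counted})
    medium = (other_stations >= MIN_OTHER_STATIONS
              and aggregate > AGGREGATE_THRESHOLD)
    return C25Result(aggregate, other_stations, medium)


# Constructed sample stations (not real facilities).
STATIONS = {
    # Three 345 kV lines plus one 230 kV line to three other stations.
    "ALPHA": [Line(345, "B"), Line(345, "B"), Line(345, "C"), Line(230, "D")],
    # Three 230 kV lines; the 138 kV line is ignored.
    "BRAVO": [Line(230, "A"), Line(230, "C"), Line(230, "D"), Line(138, "E")],
    # Enough weight, but only two other stations.
    "CHARLIE": [Line(345, "A"), Line(345, "A"), Line(345, "B")],
    # The collector bus must not be counted.
    "DELTA": [Line(345, "A"), Line(345, "B"), Line(230, "C"),
              Line(345, "GEN1", collector_bus=True)],
}


def classify_all(stations) -> dict:
    """Evaluate every station in a {name: [Line, ...]} mapping."""
    return {name: evaluate_c25(lines) for name, lines in stations.items()}


if __name__ == "__main__":
    for name, res in classify_all(STATIONS).items():
        verdict = "Medium (C2.5)" if res.medium_impact else "not C2.5"
        print(f"{name}: weight={res.aggregate_weight} "
              f"stations={res.other_stations} -> {verdict}")
```

A station that fails this test can still be Medium impact under another criterion on these slides (for example 2.4 or 2.6), so the result only answers the 2.5 question.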

Medium Impact BES Cyber Systems (cont’d)

• Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching System which, if destroyed/degraded/misused/rendered unavailable, would cause ≥ 1 IROL violation for failure to operate or cause a reduction in ≥ 1 IROL if destroyed/degraded/misused/rendered unavailable (C2.9)

• Control Center (or backup) not deemed “High Impact” used to perform obligations of:

– Generator Operator for aggregate highest rated net Real Power capability ≥ 1500 MW in one Interconnection (C2.11)

– Transmission Operator (C2.12)

– Balancing Authority for gen ≥ 1500 MW in one Interconnection (C2.13)

Low Impact BES Cyber Systems

• BES Cyber Systems not “High” or “Medium” impact and associated w/ assets meeting the applicability qualifications in Section 4:

– Control Centers (and backup) (C3.1)

– Transmission stations and substations (C3.2)

– Generation resources (C3.3)

– Systems and facilities critical to system restoration, including Black Start Resources and Cranking Paths/initial switching requirements (C3.4)

– SPS supporting reliable operation of BES (C3.5)

– For Distribution Providers, Protection Systems specified in Applicability Section 4.2.1 (C3.6)

Critical Asset Identification

• Apply CIP V5 High, Medium and Low criteria:

– Read each criterion as “Critical Asset” evaluation criterion

– Do not consider BES Cyber Systems at the assets

– Any asset matching “High” or “Medium” criteria is a “Critical Asset”

Updated Critical Cyber Asset List


• After updating Critical Asset list, apply CIP-002-3, R3 to create CCA list

• Any newly-identified CCAs associated w/ newly-identified Critical Assets need not comply w/ V3

• Flag newly-identified CCAs in your CCA list

• Those CCAs must comply w/ V5 per the V5 Implementation Plan

• Immediately remove from CCA list all CCAs associated w/ removed Critical Assets

• Will most likely be “low” impact under V5

• Resumed compliance (CIP V5) will be per CIP V5 Implementation Plan

http://www.nerc.com/pa/Stand/CIP00251RD/Implementation_Plan_clean_4_(2012-1024-1352).pdf

Updated Critical Cyber Asset List

• Original CCAs still on CCA list after applying V4 or V5 criteria:

– No lapse of CIP compliance permitted

– Must maintain CIP V3 compliance (subject to CIP V5 Transition Guidance)

– Replacement Cyber Assets must comply w/ CIP V3 or V5 upon commissioning

• New or upgraded/replaced CCAs resulting from planned change must comply upon commissioning (e.g. SCADA system replacement or upgrade; change from non‐routable protocol to routable protocol)

• May comply with V3 or V5 during Transition Period

Updated Critical Cyber Asset List

• Planned change which elevates a BES Cyber System to higher category (e.g. medium to high) during Transition Period must comply with higher impact V5 requirements by the effective date of the requirement

– e.g. Planned increase in gen resulting in higher categorization of BES Cyber Systems at Control Center

• Unplanned changes must comply by later of V5 effective date or date in V5 Implementation Plan

– e.g. Criteria 2.3 and 2.6 notifications

Compliance Monitoring during Transition Period


Compliance Monitoring during Transition Period

Regional Entity will issue an RFI with section options in advance.

Compliance Monitoring during Transition Period

• Mitigation of Open Enforcement Action (OEA) should focus on full compliance w/ “Mostly Compatible” V5 Requirement

– Includes violations before 8/12/14 CIP V5 Transition Guidance*

– Full compliance w/ V5 by V5 effective date

– Unmitigated OEA cannot extend the CIP V5 compliance date

* http://www.nerc.com/pa/CI/Documents/V3‐V5%20Transition%20Guidance%20FINAL.pdf

Compliance Monitoring during Transition Period


Technical Feasibility Exceptions (TFEs)

• Don’t go away

• Existing TFEs carried forward to equivalent V5 Requirements:

• New TFEs for V5 (no V3 equivalent):

Technical Feasibility Exceptions (TFEs)

• Existing V3 TFEs w/ no equivalent V5 Requirement = terminated on V5 effective date:

CIP V5 Transition in Practice

Two‐Step Transition Approach

STEP 1: “Top‐Down”

1. Apply CIP‐002‐5.1 Bright Line criteria

a) Review one‐line drawings to find facilities meeting “High” and “Medium” Impact criteria

b) Verify findings w/ SMEs

2. High and Medium facilities = “Critical Assets”

a) Flag newly‐identified Critical Assets

3. Apply CIP‐002‐3, R3 to create CCA list

a) Newly‐identified CCAs associated w/ newly‐identified Critical Assets need not comply w/ V3

b) Flag newly‐identified CCAs in CCA list

c) Newly‐identified CCAs must comply w/ V5 per the V5 Implementation Plan

Two‐Step Transition Approach

4. To prepare for V5 compliance, identify BES Cyber Assets/Systems

a) Identify BES Reliability Operating Services (BROS) at High and Medium facilities

1) Part of Guidance

2) SCADA/EMS, etc.

b) Identify BES Cyber Systems used by and located at each High and Medium facility

c) Inventory supporting Cyber Assets

d) Apply “15 minute” criteria to identify BES Cyber Assets

Two‐Step Transition Approach

STEP 2: “Bottom‐Up” (To minimize possibility of missing in‐scope BES Cyber Assets)

1. Apply “15 minute criteria” to current CCA list to identify potential BES Cyber Assets

• Cyber assets currently in‐scope under CIP‐002‐3

2. Determine if identified BES Cyber Assets are “used by” and “located at” identified High or Medium impact locations

V5 Compliance

• Need not look at all BROS across entire footprint and search for systems part of those BROS at this time

– Doing so would require much effort identifying BES Cyber Systems at Low Impact locations (w/ no need for identification yet)

– Instead:

1. Identify High and Medium impact assets (facilities);

2. Determine BROS at those High and Medium assets;

3. Identify the systems making up the BROS (i.e. the BES Cyber Systems associated with those BROS)

• No other BROS or BES Cyber Systems need be identified at this time

• Efforts to identify and address Low Impact BES Cyber Systems can be postponed b/c compliance isn’t required until 4/1/17

Cascading High Impact Issue

• Can each BES Cyber Asset be a discrete BES Cyber System?

– NERC Lessons Learned document:*

"…while the relay at the adjacent substation is associated with the BES Transmission line, the relay does not become a medium impact BES Cyber System because the BES Transmission line is not a criterion 2.5 Transmission Facility."

[Diagram labels: High RTU, Med RTU, Low RTU, Transmission Line]

* NERC Lesson Learned - CIP Version 5 Transition Program, CIP-002-5 Requirement R1: Impact Rating of Relays (Far-End Relay), September 8, 2014

NERC Response to FERC Order 791

V5 Problems/Issues (FERC Order 791)

• FERC ordered NERC to:

– Revise or remove “Identify, Assess and Correct” language

– Define communication networks and create new/modified Standards to protect nonprogrammable components of communication networks (e.g. cables and wires)

– Add objective criteria re: sufficiency of controls for Low Impact assets

– Develop new or modified Standards for Transient Devices (e.g. thumb drives and laptops)

• NERC Project 2014‐02

– Removed “identify, assess, and correct” language

– Address security controls for Low Impact assets

– Develop requirements to protect transient electronic devices

– Define “communication networks” and develop new/modified standards to address protection of communication networks

Response to FERC Order 791

• Removed “identify, assess and correct” language (V6)

• CIP‐003‐7

– Revised to include low impact assets and require Cyber Security Plan which includes:

• Cyber Security awareness

• Physical Security controls for asset and LEAP

• Electronic Access controls – for LERC, must have a LEAP (!)

• Cyber Security incident response

– Entities w/ High or Medium Impact assets can use the same Cyber Security Plan for low impact

• CIP‐004‐7

– Adds training requirement for Transient Cyber Assets and Removable Media (Part 2.1)

Response to FERC Order 791 (cont’d)


• CIP‐010‐3

– Adds R4 to require one or more documented plans for Transient Cyber Assets and Removable Media to address:

• Transient Cyber Asset management

• Authorization for use of Transient Cyber Assets or Removable Media

• Software Vulnerability Mitigation (patching, read‐only media, system hardening, other)

• Prevention of malicious code (antivirus, whitelisting, other)

• Unauthorized use (restricted physical access, full‐disk encryption, multi‐factor authorization, other)

• CIP‐011‐3

– Adds protection of information stored on Transient Cyber Assets or Removable Media

Overview of Version 5 CIP Standards

CIP‐002

• R1 ‐ Identify High, Medium and Low Impact BES Cyber Systems based on criteria in Attachment 1 (CIP‐002‐3, R2, R3)

• R2.1 – Review identifications at least every 15 months (CIP‐002‐3, R4)

• R2.2 – Have CIP Sr. Mgr approve at least every 15 months (CIP‐002‐3, R4)

CIP‐003

• R1 – Review and have approved at least every 15 months Cyber Security Policy covering prescribed topics. (different for H/M and L) (CIP‐003‐3, R1)

• R2 – Implement cyber security plan for Low Impact BES Cyber Systems. Review identifications at least every 15 months. (CIP‐003‐3, R1)

• R3 – Identify CIP Sr. Mgr and update w/n 30 days of change. (CIP‐003‐3, R2, R2.1, R2.2)

• R4 – Have a process for delegating authority; document delegations; update w/n 30 days of change. (CIP‐003‐3, R2.3, R2.4)

CIP‐004

• R1 – Security Awareness Program (as prescribed); at least once per calendar quarter. (CIP‐004‐3, R1)

• R2 – Cyber Security Training before granting access; performed at least once every 15 months. (CIP‐004‐3, R2)

• R3 – Personnel Risk Assessment Program (identity; 7‐year criminal history; process to evaluate criminal history; process to ensure PRA is performed). (CIP‐004‐3, R3)

• R4 – Access Management Program for BES Cyber Assets and information; quarterly review; verify user accounts at least once every 15 months. (CIP‐003‐3, R5; CIP‐004‐3, R4; CIP‐006‐3, R1)

• R5 – Access Revocation Program (w/n 24 hours or end of next day or 30 days); includes shared accts. (CIP‐003‐3, R5; CIP‐004‐3, R4; CIP‐007‐3, R5)

CIP‐005

• R1 –

– All applicable Cyber Assets must be in an ESP;

– all ERC must be through an EAP;

– inbound/outbound access permissions;

– authentication for dial‐up access;

– have control for detecting malicious communications (in‐ and out‐bound)

(CIP‐005‐3, R1, R2, R3)

• R2 –

– Use Intermediate System for Interactive Remote Access;

– use encryption;

– require multi‐factor authentication

(CIP‐005‐3, R2)

CIP‐006

• R1 – Physical Security Plan, including:
  – operational or procedural controls;
  – if possible, two or more physical access controls;
  – monitor for unauthorized access to a PSP;
  – issue alarms/alerts for unauthorized access w/n 15 minutes of detection;
  – monitor PACS for unauthorized physical access (incl. alarm/alert);
  – perform logging at entry points;
  – retain physical access logs for at least 90 days;
  – restrict physical access to cables for devices w/n the same ESP if cables are outside a PSP (if access cannot be restricted, encrypt, monitor comm links and use alarms/alerts or use alternate protection)
  (CIP‐006‐3, R1, R4‐R7)

CIP‐006 (cont’d)

• R2 – Visitor Control Program:
  – Continuous escort;
  – Manual or automated visitor logging in and out of PSP;
  – Retain logs at least 90 days
  (CIP‐006‐3, R1)
• R3 – PACS maintenance/testing program; at least every 24 months (CIP‐006‐3, R8)

CIP‐007

• R1 – Process to:
  – Ensure only ports/services needed by the entity are enabled;
  – Disable/restrict unneeded ports/services;
  – Protect against use of unnecessary physical ports
  (CIP‐007‐3, R2)
• R2 – Process for patch management:
  – Track, evaluate, install;
  – Identify source of tracking (e.g. vendor web site or KB);
  – Evaluate for applicability at least every 35 days;
  – Apply patch or mitigate risk associated w/ patch;
  – Timely implement mitigation plan as approved by CIP Sr. Mgr.
  (CIP‐007‐3, R3)

CIP‐007 (cont’d)

• R3 – Process to:
  – Deploy methods to deter/detect/prevent malicious code;
  – Mitigate threat of detected malicious code;
  – Update signatures
  (CIP‐007‐3, R4)
• R4 –
  – Log events of Cyber Security Incidents at BES Cyber System or Cyber Asset level (incl. at least successful log‐ins, failed access attempts/log‐ins, malicious code);
  – Generate alerts of malicious code and failed event logging;
  – Retain logs at least 90 days;
  – Review log events at least every 15 days
  (CIP‐007‐3, R6)

CIP‐007 (cont’d)

• R5 – Process to:
  – Authenticate interactive user access (where technically feasible);
  – Identify and inventory all known enabled default or other generic accounts by system, group of systems, location or system type;
  – Identify individuals w/ authorized access to shared accounts;
  – Change default passwords;
  – For password‐only authentication, enforce password parameters (≥ 8 characters; ≥ 3 different character types);
  – Where technically feasible, enforce password changes at least every 15 months;
  – Where technically feasible, limit the number of unsuccessful authentication attempts;
  – Generate alerts after a threshold number of unsuccessful authentication attempts
  (CIP‐007‐3, R5)

CIP‐008

• R1 – Cyber Security Incident Response Plan including:
  – Identify, classify and respond to Cyber Security Incidents (CSI);
  – Determine if event is reportable;
  – Provide for reporting;
  – Roles/responsibilities of response team;
  – Incident handling procedures
  (CIP‐008‐3, R1)
• R2 –
  – Test CSIRP at least every 15 months (actual event, paper/tabletop exercise or operational exercise);
  – Use CSIRP when responding to a reportable CSI or performing an exercise;
  – Document deviations from plan;
  – Retain records of reportable CSIs
  (CIP‐008‐3, R1, R2)

CIP‐008 (cont’d)

• R3 –
  – Maintain CSIRP no later than 90 days after CSIRP test or actual CSI;
  – Document lessons learned;
  – Update CSIRP based on lessons learned;
  – Notify responders of any changes;
  – No later than 60 days after change in roles/responsibilities or technology, update the CSIRP and notify responders of changes
  (CIP‐008‐3, R1)

CIP‐009

• R1 – Recovery Plans:
  – Conditions for activation;
  – Roles/responsibilities of responders;
  – Processes for back‐up/storage of info needed for recovery;
  – Processes to verify successful completion of back‐ups and to address back‐up failures;
  – Preserve data for determining cause of CSI (data preservation should not impede or restrict recovery)
  (CIP‐009‐3, R1, R4)

CIP‐009 (cont’d)

• R2 – Implement recovery plan to include:
  – Test the plan at least every 15 months (by recovery from actual event or paper drill/exercise or operational exercise);
  – Test a sample of info used to recover functionality at least every 15 months (actual recovery can sub for test);
  – Test recovery plan referenced in R1 at least once every 36 months with an operational exercise in environment representative of production environment (actual recovery can sub for test)
  (CIP‐009‐3, R2, R5)

CIP‐009 (cont’d)

• R3 –
  – Maintain recovery plan(s);
  – No later than 90 days after a test or actual recovery:
    • document lessons learned (or document the absence of lessons),
    • update plan based on lessons learned,
    • notify responders of changes;
  – No later than 60 days after change in roles/responsibilities or technology which would impact recovery plan, update the plan and notify responders of changes
  (CIP‐009‐3, R3)

CIP‐010

• R1 – Implement a documented process to develop a baseline configuration (individually or by group) including:
  – O/S or firmware,
  – commercially‐available or open‐source applications (incl. version),
  – custom software,
  – logical network accessible ports and security patches applied;
  – authorize and document changes deviating from baseline (i.e. change control);
  – update baseline w/n 30 days after changes;
  – before change, determine cyber security controls which could be impacted by change;
  – after change, verify cyber security controls were not adversely affected;
  – document results of verification;

CIP‐010 (cont’d)

• R1 – Implement a documented process to develop a baseline configuration (individually or by group) including:
  – before changes, test change in environment akin to production (or in production) to ensure cyber security controls will not be adversely affected;
  – document test results
  (CIP‐003‐3, R6; CIP‐005‐3, R2, R5; CIP‐007‐3, R1, R9)
• R2 – Implement a documented process to monitor at least every 35 days for changes to baseline configuration and document/investigate unauthorized changes. (CIP‐003‐3, R6)
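The baseline comparison that CIP-010 R1 and R2 call for, as an added example that is not part of the original presentation: it diffs an observed configuration against the recorded baseline, separates changes covered by a change-control record from those to document and investigate, and flags a missed 35-day monitoring window. The field names, asset data, patch ids and ticket ids are constructed assumptions.

```python
from datetime import date

# Baseline elements listed on the CIP-010 R1 slide; the key names are this example's own.
FIELDS = ("os_firmware", "applications", "custom_software", "ports", "patches")
MAX_MONITOR_GAP_DAYS = 35  # R2: monitor for baseline changes at least every 35 days

def diff_baseline(baseline, observed):
    """List every (field, "added"|"removed", item) deviation from the baseline."""
    changes = []
    for field in FIELDS:
        old, new = set(baseline.get(field, ())), set(observed.get(field, ()))
        changes += [(field, "added", item) for item in sorted(new - old)]
        changes += [(field, "removed", item) for item in sorted(old - new)]
    return changes

def review(baseline, observed, approved, last_check, today):
    """Sort deviations into approved changes and ones to document/investigate."""
    report = {"authorized": [], "unauthorized": [],
              "overdue": (today - last_check).days > MAX_MONITOR_GAP_DAYS}
    for change in diff_baseline(baseline, observed):
        ticket = approved.get(change)  # change-control record, if one exists
        if ticket:
            report["authorized"].append((change, ticket))
        else:
            report["unauthorized"].append(change)
    return report

# Constructed sample data for one hypothetical Cyber Asset.
BASELINE = {
    "os_firmware": {"ExampleOS 4.2.1"},
    "applications": {"openssh 8.9", "ntpd 4.2.8"},
    "custom_software": {"relay-poller 1.3"},
    "ports": {"tcp/22", "udp/123"},
    "patches": {"EX-2014-001"},
}
# Observed state: an approved upgrade and patch, plus an unexplained open port.
OBSERVED = dict(BASELINE,
                applications={"openssh 9.0", "ntpd 4.2.8"},
                ports={"tcp/22", "tcp/23", "udp/123"},
                patches={"EX-2014-001", "EX-2014-007"})
# Approved change records (hypothetical ticket ids) keyed by the deviation they cover.
APPROVED = {
    ("applications", "removed", "openssh 8.9"): "CHG-0042",
    ("applications", "added", "openssh 9.0"): "CHG-0042",
    ("patches", "added", "EX-2014-007"): "CHG-0042",
}
# Last monitoring run was 36 days before this one, so the window was missed.
REPORT = review(BASELINE, OBSERVED, APPROVED, date(2015, 1, 1), date(2015, 2, 6))
```

`REPORT["unauthorized"]` holds the deviations with no change record, and each entry in `REPORT["authorized"]` pairs a deviation with the ticket that covers it.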

CIP‐010 (cont’d)

• R3.1, R3.2 – Implement a documented process to:
  – at least once every 15 months, conduct a paper or active vulnerability assessment;
  – where technically feasible, at least every 36 months, perform a VA in a test environment or prod environment in a manner minimizing adverse effects;
  – document test results (and, if test environment used, document differences between test and prod environments)
  (CIP‐005‐3, R4)

CIP‐010 (cont’d)

• R3.3, R3.4 – Before adding a new asset to prod environment:
  – perform an active VA on new asset (exc. under exceptional circumstances or for like‐kind replacements);
  – document results of assessment under R3.1, R3.2 and R3.3 and any action plan to mitigate identified vulnerabilities (including planned completion date of mitigation and execution status of mitigation plan)
  (CIP‐007‐3, R1)

CIP‐010 (cont’d)

• R4 – Implement a documented plan for Transient Cyber Assets and Removable Media to:
  – ensure compliance w/ Standards and/or apply applicable requirements on‐demand before using device;
  – authorize users (only those w/ business need);
  – perform patching/system hardening;
  – mitigate software vulnerabilities;
  – prevent malicious code;
  – prevent unauthorized use (restrict physical access, full‐disk encryption, multi‐factor authentication, other)

CIP‐011

• R1 – Implement a documented information protection program which includes: identifying BCSI, procedures for protecting BCSI (incl. storage, transit and use) (CIP‐003‐3, R4)
• R2 – Implement a documented process which includes:
  – prior to reuse of in‐scope assets, take actions to prevent unauthorized retrieval of BCSI from storage media;
  – prior to disposal of in‐scope assets, take actions to prevent unauthorized retrieval of BCSI from storage media (or destroy data storage media)
  (CIP‐007‐3, R7)

Resources

• NERC Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards
  – http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
• Implementation Plan for Version 5 CIP Cyber Security Standards
  – http://www.nerc.com/pa/Stand/CIP00251RD/Implementation_Plan_clean_4_(2012-1024-1352).pdf
• V3 – V5 Compatibility Tables
  – http://www.nerc.com/pa/CI/Documents/V3-V5%20Compatibility%20Tables.pdf

Questions
