Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-008-5, 009-5, & TFEs
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT
Agenda
• Applicability
• Implementation
• CIP-008-5 & 009-5
  o Overview
  o Audit Approach
  o Tips
• TFEs and CIP v5
Goal
Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5
CIP-008-5 Purpose
“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”
CIP-008-5 Applicability
• HIBESCS
  o High Impact BES Cyber Systems (R1-R3)
• MIBESCS
  o Medium Impact BES Cyber Systems (R1-R3)
CIP-008-5 Implementation
• By April 1, 2016:
  o All of CIP-008-5, except as noted below
• On or before April 1, 2017:
  o CIP-008-5, Requirement R2, Part 2.1
  o CIP-008-5, Requirement R3, Part 3.1
CIP-008-5 R1 Overview
• Ingredients of the Cyber Security Incident Response Plan
  o Identify, classify, and respond to Cyber Security Incidents (CSI)
  o Process to determine if a CSI is a Reportable CSI (RCSI)
  o Notify ES-ISAC w/in 1 hr of determination of RCSI
  o Roles and responsibilities
  o Incident handling procedures
CIP-008-5 R1 Audit Approach
• Documentation requirement
  o Does the CSIRP address each Part of R1?
  o Does the CSIRP tie all the necessary resources together?
  o Revision history with sufficient detail
CIP-008-5 R1 Tips
• Man on the street(ish) test
  o Can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Roles and responsibilities may include contact lists with names/numbers/emails
• Assumption is you’ll have Cyber Security Incidents; emphasis is on RCSI and the criteria used to determine elevation of a CSI to an RCSI
• Flowcharts, process diagrams, decision trees, etc. are auditor’s friends
CIP-008-5 R2 Overview
• Annual test of CSIRP
  o Actual Incident
  o Paper
  o Operational
• Use the plan during annual test & document any deviations from the plan
• Retain records of Incidents
CIP-008-5 R2 Audit Approach
• Performance Requirement:
  o How has the plan been implemented?
  o How do you test/exercise the plan?
  o Did you document deviations from the plan during exercise/test?
  o How are records kept and where?
CIP-008-5 R2 Tips
• Anytime the words “test” or “exercise” are used – lessons learned should follow. If you have no lessons learned, you may not be doing it right
• It’s ok to get a little creative with test and exercise scenarios
CIP-008-5 R3 Overview
• Complete w/in 90 days of test/exercise or actual Incident response:
  o Document lessons learned
  o Update the Plan
  o Notify responsible parties of updates
• Complete w/in 60 days of change in roles/responsibilities/technology:
  o Update the Plan
  o Notify responsible parties
CIP-008-5 R3 Audit Approach
• Performance Requirement:
  o Updates tracked through revision history or other means of sufficient detail
  o Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  o Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.
CIP-008-5 R3 Tips
• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Suggest outlining how this is supposed to happen in the actual plan
CIP-008-5
Questions?
Everyone awake?
CIP-009-5 Purpose
“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”
CIP-009-5 Applicability
• HIBESCS
  o High Impact BES Cyber Systems (2.3)
• MIBESCSACCATAEACMSAPACS
  o Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)
• HIBESCSATAEACMSAPACS
  o High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)
• MIBESCSATAEACMSAPACS
  o Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)
CIP-009-5 Implementation
• By April 1, 2016:
  o All of CIP-009-5, except as noted below
• On or before April 1, 2017:
  o CIP-009-5, Requirement R2, Parts 2.1, 2.2
  o CIP-009-5, Requirement R3, Part 3.1
• On or before April 1, 2018:
  o CIP-009-5, Requirement R2, Part 2.3
CIP-009-5 R1 Overview
• Ingredients of the recovery plan
  o Conditions for activation of the plan
  o Roles and responsibilities
  o Process for backup and storage
  o Process to verify successful completion of backups
  o Process to preserve data
Backup and Recovery
CIP-009-5 R1 Audit Approach
• Documentation requirement
  o Does the plan (or plans) address all processes required?
  o Review associated procedures, flowcharts, etc.
  o Revision history with sufficient details
CIP-009-5 R1 Tips
• Two new Requirements (1.4 & 1.5) – read carefully, plan accordingly
• Regurgitating the Requirement language does not constitute developing a program/process
• Man on the street(ish) test
  o Can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Flowcharts, process diagrams, decision trees, etc. are auditor’s friends
CIP-009-5 R2 Overview
• Annual test of recovery plan
  o Actual Incident
  o Paper
  o Operational
• Test a representative sample of backups to ensure validity and compatibility
• Operational exercise req’d 1x/36 months for High Impact BES Cyber Systems
Test the Plan
CIP-009-5 R2 Audit Approach
• Performance Requirement:
  o How has the plan been implemented?
  o How do you test/exercise the plan?
  o Representative sample – how did you determine the sample set?
  o Documentation of test/exercise, outcomes & lessons learned
CIP-009-5 R2 Tips
• R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate docs
• Focus on the outputs of R2: what are the deliverables?
• Part 2.3 – First full operational exercise must occur by 4/1/2017, then at least once every 36 months
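The R2 audit questions above ask how the representative sample of backups was determined and whether the sampled backups were valid. The following Python script is an added example, not part of this deck or of any WECC or NERC tooling: it selects one backup per system type from a backup manifest, verifies each selected backup against the SHA-256 recorded when the backup was taken, and returns a record of the sampling rule, the systems tested and the outcome, which is the kind of deliverable R2 asks for. The manifest, the in-memory backup store, the asset names, the locations and the hashes are all constructed for the example; a real run would read backup files from their storage location. Restoring a sampled backup onto current hardware (the compatibility half of Part 2.2) is a separate restore test that this script does not perform.

```python
"""Verify a representative sample of backups and record the outcome (CIP-009-5 R2 evidence).

Added example; all system names, locations and contents are constructed.
"""
import hashlib
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupRecord:
    system_id: str        # hypothetical BES Cyber System asset identifier
    system_type: str      # backup technology, used as the sampling stratum
    location: str         # hypothetical key/path of the backup in the store
    expected_sha256: str  # hash recorded by the backup job when the backup was taken


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a backup server: location -> stored bytes.
BACKUP_STORE = {
    "ems-01.img": b"EMS server image v12",
    "ems-02.img": b"EMS server image v12 (node 2)",
    "rtu-07.cfg": b"RTU-07 configuration 2014-04",
    "hmi-03.img": b"HMI workstation image (bit rot)",  # altered after the hash was recorded
    # "fw-11.bin" is deliberately absent: the backup job never wrote it
}

# Constructed manifest: what the backup process claims it produced.
MANIFEST = [
    BackupRecord("EMS-01", "server image", "ems-01.img", sha256_hex(b"EMS server image v12")),
    BackupRecord("EMS-02", "server image", "ems-02.img", sha256_hex(b"EMS server image v12 (node 2)")),
    BackupRecord("RTU-07", "device config", "rtu-07.cfg", sha256_hex(b"RTU-07 configuration 2014-04")),
    BackupRecord("HMI-03", "workstation image", "hmi-03.img", sha256_hex(b"HMI workstation image")),
    BackupRecord("FW-11", "firewall config", "fw-11.bin", sha256_hex(b"firewall running-config")),
]


def select_representative_sample(manifest, per_type=1, seed=2014):
    """Pick `per_type` backups from every system type so each backup technology is exercised.

    The fixed seed makes the selection reproducible, which is what an auditor
    asks for when they want to know how the sample set was determined.
    """
    by_type = defaultdict(list)
    for rec in manifest:
        by_type[rec.system_type].append(rec)
    rng = random.Random(seed)
    sample = []
    for system_type in sorted(by_type):  # deterministic stratum order
        group = by_type[system_type]
        sample.extend(rng.sample(group, min(per_type, len(group))))
    return sample


def verify_backup(rec, store):
    """PASS if the stored bytes match the recorded hash, FAIL if they differ,
    MISSING if the backup is not in the store at all."""
    data = store.get(rec.location)
    if data is None:
        return "MISSING"
    return "PASS" if sha256_hex(data) == rec.expected_sha256 else "FAIL"


def run_sample_test(manifest, store, per_type=1, seed=2014):
    """Select the sample, verify it, and return a record for the test evidence file."""
    sample = select_representative_sample(manifest, per_type, seed)
    results = [
        {"system_id": rec.system_id, "system_type": rec.system_type,
         "location": rec.location, "status": verify_backup(rec, store)}
        for rec in sample
    ]
    return {
        "sampling_rule": f"{per_type} per system type, seed={seed}",
        "sample_size": len(results),
        "results": results,
        "overall": "PASS" if all(r["status"] == "PASS" for r in results) else "FAIL",
    }


if __name__ == "__main__":
    report = run_sample_test(MANIFEST, BACKUP_STORE)
    print(report["sampling_rule"], "->", report["overall"])
    for r in report["results"]:
        print(f"  {r['system_id']:7} {r['system_type']:18} {r['status']}")
```

Two of the four sampled backups fail here on purpose: the HMI image no longer matches its recorded hash and the firewall backup was never written. Both outcomes, with the sampling rule that produced them, are exactly what should land in the lessons-learned record that R2 and R3 expect to follow a test.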
CIP-009-5 R3 Overview
• Complete w/in 90 days of test/exercise or actual recovery:
  o Document lessons learned
  o Update the plan
  o Notify responsible parties of updates
• Complete w/in 60 days of change in roles/responsibilities/technology:
  o Update the plan
  o Notify responsible parties
CIP-009-5 R3 Audit Approach
• Performance Requirement:
  o Updates tracked through revision history or other means of sufficient detail
  o Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  o Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.
CIP-009-5 R3 Tips
• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Good idea to outline how this is supposed to happen in the actual plan
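R3 of CIP-008-5 and R3 of CIP-009-5 set the same evidence chain: a triggering event (exercise, actual response or recovery, or a change in roles, responsibilities or technology), then lessons learned, a plan update and notification of responsible parties, all inside a 90-day or 60-day window. The following Python script is an added example, not part of this deck or of any WECC or NERC tooling, that walks that chain for both plans: for each triggering event it computes the due date from the window stated in R3, then flags any link that has no evidence, is dated after the deadline, or is dated before the step it is supposed to follow (a plan "updated" before lessons were learned is a dot that does not connect). The event kinds, the dates and the plan names are constructed for the example; in practice the dates would come from the revision history and the notification emails or meeting minutes the audit approach asks for.

```python
"""Check that each R3 triggering event leads to lessons learned, a plan update and
notification within the required window (CIP-008-5 / CIP-009-5 R3 evidence chain).

Added example; the events and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed after the triggering event, as stated in R3:
# 90 days after completing a test/exercise or an actual response/recovery (Part 3.1),
# 60 days after a change in roles, responsibilities or technology (Part 3.2).
DEADLINE_DAYS = {
    "exercise": 90, "incident_response": 90, "recovery": 90,
    "role_change": 60, "technology_change": 60,
}


@dataclass
class TriggerEvent:
    plan: str                               # "CSIRP" or "Recovery Plan"
    kind: str                               # one of the DEADLINE_DAYS keys
    completed: date                         # exercise/response finished, or change took effect
    lessons_learned: Optional[date] = None  # only expected for the 90-day triggers
    plan_updated: Optional[date] = None     # date from the plan's revision history
    notified: Optional[date] = None         # date of the email / meeting minutes to responsible parties


def check_event(ev: TriggerEvent) -> dict:
    """Walk the evidence chain in order and report every link that is missing,
    late, or dated before the step it is supposed to follow."""
    window = DEADLINE_DAYS[ev.kind]
    due = ev.completed + timedelta(days=window)
    steps = []
    if window == 90:
        steps.append(("lessons_learned", ev.lessons_learned))
    steps += [("plan_updated", ev.plan_updated), ("notified", ev.notified)]

    findings = []
    previous = ev.completed
    for name, when in steps:
        if when is None:
            findings.append(f"{name}: no evidence")
            continue
        if when < previous:
            findings.append(f"{name}: dated {when}, before the preceding step ({previous})")
        if when > due:
            findings.append(f"{name}: completed {when}, after the {window}-day deadline ({due})")
        previous = max(previous, when)
    return {"plan": ev.plan, "kind": ev.kind, "triggered": ev.completed,
            "due": due, "findings": findings, "compliant": not findings}


def check_all(events):
    return [check_event(ev) for ev in events]


# Constructed sample: one clean chain, one late/missing chain, one out-of-order chain.
SAMPLE_EVENTS = [
    TriggerEvent("CSIRP", "exercise", date(2016, 5, 10),
                 lessons_learned=date(2016, 5, 20), plan_updated=date(2016, 6, 15),
                 notified=date(2016, 6, 20)),
    TriggerEvent("Recovery Plan", "role_change", date(2016, 9, 1),
                 plan_updated=date(2016, 11, 15)),  # late, and nobody was notified
    TriggerEvent("Recovery Plan", "recovery", date(2016, 3, 1),
                 lessons_learned=date(2016, 3, 20), plan_updated=date(2016, 3, 10),
                 notified=date(2016, 3, 25)),  # plan "updated" before lessons were learned
]

if __name__ == "__main__":
    for result in check_all(SAMPLE_EVENTS):
        print(result["plan"], result["kind"], "due", result["due"],
              "OK" if result["compliant"] else "FINDINGS")
        for finding in result["findings"]:
            print("   -", finding)
```

The ordering check is the part worth keeping even if the rest is replaced by a spreadsheet: a revision history date that precedes the lessons-learned date is the first thing an auditor will notice when trying to connect exercise to update to notification.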
CIP v5 and TFEs
• TFEs will be necessary in v5
• Definitive list of Requirements/Parts to be determined – 9 have “where technically feasible”
• Appendix 4D will be updated to accommodate v5
• webCDMS will be updated as necessary
• Streamlined process will remain in place
Resources, References, & Light Reading
• NERC v3 to v5 mapping document
• FERC Order 791
• 2011 v5 SDT Presentation
• DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability
• NIST Computer Security Incident Handling Guide
Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
Questions?