idenbfying low impact bes assets

Iden%fying Low Impact BES Assets San Ramon, California

July 7-‐8, 2015

Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM

Senior Compliance Auditor – Cyber Security Western Electricity Coordina%ng Council

Speaker Intro: Dr. Joseph Baugh •  Electrical U%lity Experience (40+ years)

–  Senior Compliance Auditor, Cyber Security –  IT Manager & Power Trading/Scheduling Manager –  IT Program Manager & Project Manager –  PMP, CISSP, CISA, CRISC, CISM, NSA-‐IAM/IEM certs –  NERC Cer%fied System Operator –  Barehand Qualified Transmission Lineman

•  Educa%onal Experience –  Degrees earned: Ph.D., MBA, BS-‐Computer Science –  Academic & Technical Course Teaching Experience (20 years)

•  PMP, CISA, CISSP, CISM, ITIL, & Cisco exam prepara%on •  Business Strategy, Leadership, and Management •  Informa%on Technology and IT Security •  Project Management

July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA

2

WECC Low Impact Disclaimer •  The WECC Cyber Security team has

created a mythical Registered En%ty, Billiam Power Company (BILL) and fabricated evidence to illustrate key points in the CIP audit processes.

•  Any resemblance of BILL to any actual Registered En%ty is purely coincidental.

•  All evidence presented, auditor comments, and findings made in regard to BILL during this presenta%on are fic%%ous, but are representa%ve of audit team ac%vi%es during an actual CIP Compliance audit.


3

Agenda

•  Review CIP-‐002-‐5.1 Requirements •  Review CIPv5 Transi%on Guidance •  Review CIP-‐002-‐5.1 Team audit approach •  CIP-‐002-‐5.1 Mock Audit Overview

– Focusing on Low Impact BES Assets

•  Ques%ons


4

CIP-‐002-‐5.1 Overview •  CIP-‐002-‐5.1 is the first step on CIP Compliance trail •  All Registered En%%es who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered func%ons are required to be compliant with CIP-‐002-‐5.1.

•  CIP-‐002-‐5.1 replaces LSE with the DP func%on, TSP func%on drops out.

•  Some en%%es may find they are only required to be compliant with CIP-‐002-‐5.1 (R1 & R2) and with CIP-‐003-‐6 (R1.2, R2, R3, & R4). –  True, if the IRC applica%on generates Null R1.1 & R1.2 lists. – Must provide a valid R1.3 list of Low Impact BES Assets. –  Typically requires a reduced scope audit that may be conducted on-‐site, at WECC offices, or other loca%ons, as necessary.


5

Mapping V3 CA & CCA to V5 BCS Slide 6


•  High Impact BCS (IRC 1.1 − 1.4) –  Large Control Centers

•  Medium Impact BCS (IRC 2.1 − 2.13) –  Control Centers –  Genera%on Facili%es –  Transmission Facili%es

•  Low Impact BCS (IRC 3.1 − 3.6) –  All other BES Assets –  Applicable DP Assets (Sect. 4.2.1) –  Must implement one or more CIP-‐003-‐6 policies to address:

•  Cyber Security Awareness •  Physical Security Controls •  Electronic Access Controls •  Cyber Security Incident Response

V3 BES Assets & Cyber Assets > BES Assets > V5 BCS

Cri3cal Assets & Cri3cal

Cyber Assets

Non-‐Cri3cal Assets & Non-‐Cri3cal Cyber

Assets

Inputs

R1.1 - R1-2 Process:Identify

BCS

Outputs

List of High & Medium Assets

R1.1,R1.2,Lists

List of Low Impact

Assets

Input

R1.3List

CIP-‐002-‐5.1: R1 •  Each Responsible En%ty shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:


7

Inputs

R1Process

Outputs

Inventory of

BES Assets

List of High, Medium,

& Low Assets

CIP-‐002-‐5.1: R1 •  Each Responsible En%ty shall implement a process that

considers each of the following assets for purposes of parts 1.1 through 1.3: [Viola'on Risk Factor: High][Time Horizon: Opera'ons Planning] –  i. Control Centers and backup Control Centers; –  ii. Transmission sta%ons and substa%ons; –  iii. Genera%on resources; –  iv. Systems and facili%es cri%cal to system restora%on, including Blackstart Resources and Cranking Paths and ini%al switching requirements;

–  v. Special Protec%on Systems that support the reliable opera%on of the Bulk Electric System; and

–  vi. For Distribu%on Providers, Protec%on Systems specified in Applicability sec%on 4.2.1 above.

•  Generates Low impact BES Assets for R1.3 list


8

CIP-‐002-‐5.1: R1.1 -‐ R1.3 •  Each Responsible En%ty shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: –  1.1. Iden%fy each of the high impact BES Cyber Systems according to Ajachment 1, Sec%on 1, if any, at each asset;

–  1.2. Iden%fy each of the medium impact BES Cyber Systems according to Ajachment 1, Sec%on 2, if any, at each asset; and

–  1.3. Iden%fy each asset that contains a low impact BES Cyber System according to Ajachment 1, Sec%on 3, if any (a discrete list of low impact BES Cyber Systems is not required).


9

CIP-‐002-‐5.1 Requirements: R2 •  En%ty must review iden%fica%ons made in R1 (and update them, if necessary) at least every 15 months [R2.1]

•  The CIP Senior Manager or delegate (as defined in CIP-‐003-‐3 R2 or CIP-‐003-‐6 R3 & R4) must approve the ini%al lists [R2.2] and at least once every 15 months, thereaner: –  The R1.1, R1.2, and R1.3 lists –  Include signed and dated null lists, if applicable

•  The en%ty must maintain signed and dated records of the approvals listed above. –  Electronic or physical approvals accepted


10

Inputs

R2 Review & Approval

Process

R1.1,R1.2,R1.3Lists

Outputs

Signed and Dated

Records

CIP-‐002-‐5.1: Direc%on •  CIP-‐002-‐5 R1.1 -‐ R1.3 are applicable for the transi%on period in lieu of the CIP-‐002-‐3 R2 list of Cri%cal Assets (Op%on 3).

•  Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Op%on 3).

•  Ini%al compliance date for Low impact BES Assets on April 1, 2017. –  Specific Low impact controls and evalua%on criteria are under review by oversight groups [See CIP-‐003-‐6 R2]


11

CIPv5 Transi%on Guidance •  As a prac'cal ma>er, NERC understands that Responsible En''es cannot complete transi'on to the CIP V5 Standards in a single instance; rather, transi'on to full implementa'on will occur over a period of 'me as Responsible En''es develop the necessary procedures, soNware, facili'es, or other relevant capabili'es necessary for effec've compliance with the CIP V5 Standards. (NERC, 2014 Aug 12, Transi'on Guidance, p. 2)


12

CIPv5 Transi%on Guidance •  To help ensure that they are fully compliant with the CIP V5 Standards upon the effec've date, Responsible En''es may need or prefer to transi'on from compliance with the requirements of the CIP V3 Standards to implementa'on of the requirements of the CIP V5 Standards during the Transi'on Period. As such, there may be a period of 'me prior to the effec've date of the CIP V5 Standards date when Responsible En''es begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are s'll mandatory and enforceable. (NERC, 2014 Aug 12, Transi'on Guidance, p. 2).


13

CIP v5 Transi%on Op%ons*

*see Op%ons Table (NERC, 2014 Aug 12, Transi'on Guidance, p. 5)


14

BILL Documents Op%on 3 Slide 15


WECC Audit Team Approach

•  Use a methodical approach to deliver consistent results across all en%%es.

•  Use the RSAW supplied by the en%ty as ini%al working papers to document the audit and findings.

•  Review Ini%al Evidence package supplied by the en%ty in response to Ajachment G: – One-‐line diagrams (we’ll see the BILL one-‐line later) – Specific CIP-‐002-‐5.1 eviden%ary documents


16

CIP-‐002-‐5.1 Audit Team Approach

•  Audit to the Standard. •  Review the Evidence:

–  Inventory of BES Assets –  One line diagrams –  Applica%on of the IRC –  R1.1, R1.2, R1.3 lists. –  R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)

•  DR for addi%onal informa%on, as needed.

•  Complete the RSAW •  Develop the Audit Report

17


Are there more High or Medium BES

assets?

Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi]

Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset

Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset

Yes (Continue BCS evaluations)

No (Continue to R2)

Optional: Apply BES Definition to inventory of BES assets, Begin CIP-002-5.1 Process w/ inventory of BES Assets

Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable

R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter.

R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter.

Are any BES assets rated as High or Medium?

Yes (Evaluate High & Medium BES assets for all applicable BCS)

No (Place all Low BES assets on R1.3 List)

Add BCS to the appropriate list:R1.1: High Impact BCS,

R1.2: Medium Impact BCS

BILL’s One-‐Line Diagram Slide 18


BESNET Process •  En%ty must ini%ate a BESNET request •  Two BESNET Request Types Available:

–  Defini%on Request –  Excep%on Request

•  A Defini%on Request does not need to be submijed through the BESNET process.

•  An Excep%on Request must be completed and approved or rejected through the BESNET process

•  Excep%on Requests cannot be declared and will not be reviewed or approved at audit

•  En%ty should provide BESNET no%fica%on of NERC approval of the Excep%on Request in evidence package (see Ajachment G).

Slide 19


BESNET Defini%on Request •  Self-‐Determined No%fica%on [SDN] •  Applied for change in status as provided by the BES Defini%on

(NERC, 2014 April, BES Reference Document). •  Iden%fies specific BES Element(s) under considera%on for: –  Inclusion (SDN-‐I: Add BES Element), or –  Exclusion (SDN-‐E: Remove BES Element)

•  May cover con%guous BES Elements (e.g., include Mul%ple Generators [I2], or exclude Radial Elements [E1])

•  The audit team may request documenta%on of the SDN at audit

Slide 20


BESNET Excep%on Request •  Based on Appendix 5C (NERC, 2014 July 1) to the NERC Rules of

Procedure •  Allows (a) Exclusion of BES Elements that would normally be

included, and (b) Inclusion of BES Elements that would normally be excluded by the BES Defini%on (NERC, 2014 July 1, Sec%on 3.1)

•  Request must be specific rela%ve to desired changes (Sec%on 4.5) •  Must undergo ini%al screening and substan%ve review by WECC, if

ini%ally disapproved, must be sent to technical review panel prior to Recommenda%on to NERC (Sec%on 5.0)

•  Final approval or rejec%on rests with NERC (Sec%ons 8.0 -‐ 9.0) •  Requires a mandatory cer%fica%on by the en%ty sta%ng the

Approved Excep%on Basis is unchanged every three years, otherwise the Excep%on will automa%cally expire (Sec%on 11.3)

Slide 21


WECC Audit Team Approach •  Review the applica%on of the IRC [R1], list of High BCS [R1.1], list

of Medium BCS [R1.2], list of Low impact BES Assets [R1.3], even if such lists are null.

•  Compare the lists against the one-‐lines and BES Asset inventory •  If full Compliance audit:

–  Hold interviews with the en%ty’s CIP SMEs –  Perform site visits (Trust, but Verify)

•  Validate annual approval documenta%on [R2] •  Submit DR’s, as needed, to clarify compliance •  Determine findings (NF, PV, or OEA) •  Discuss findings with en%re Cyber Security Team •  Complete RSAW •  Prepare CIP audit report (ATL & CPC) July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA

22

Ajachment G*: CIP-‐002-‐5.1 Evidence •  [R1]: Provide documenta%on of the process and its

implementa%on to consider each BES asset included in the asset types listed in R1.i -‐ R1.vi to iden%fy the following lists: –  [R1.1]: A list of High impact BCS at each asset iden%fied by applica%on of Ajachment 1, Sec%on 1.

–  [R1.2]: A list of Medium impact BCS at each asset iden%fied by applica%on of Ajachment 1, Sec%on 2.

–  [R1.3]: A list of iden%fied Low impact BES Assets iden%fied by applica%on of Ajachment 1, Sec%on 3].

•  [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the iden%fica%ons required by R1, even if such lists are null.

* 2015 Ajachment G document is s%ll in progress and may change to some degree, but these basic sets of evidence will expected in the ini%al evidence package.

Slide 23


CIP-‐101 Mock Audit Overview •  BILL declared Op%on 3 of the NERC CIPv5 Transi'on Guidance (NERC, 2014 August 12, p. 5).

•  Bill compared inventory of BES Assets against current defini%on of Bulk Electric System (NERC, 2014 Dec 31, Glossary of Terms, pp. 18-‐21; NERC, 2014 April, BES Defini%on Guidance Document, v2)

•  BILL iden%fied and documented lists of High and Medium Impact BCS, even if such lists are null, and a list of Low Impact BES Assets through an applica%on of the Impact Ra%ng Criteria [IRC] (NERC, 2013 Nov 22, CIP-‐002-‐5.1: A>achment 1, pp. 14-‐16)


24

BILL’s BES Asset Iden%fica%on •  The first step in a normal CIP-‐002-‐5.1 audit is to review the applica%on of the IRC – Starts with an overall Inventory of en%ty BES assets. – Did the en%ty use the BES Defini%on Request process to include new BES Assets or exclude extant BES Assets?

•  Does the en%ty have documenta%on and approval for all Exclusions and/or Excep%ons?

•  Review and validate the documenta%on

– Apply the IRC to validate the R1.x lists


25

High IRC (Control Centers)


Slide 26

Medium IRC (Control Centers)


Slide 27

Low IRC (Control Centers)


Slide 28

R1.i: Example of Auditable Process


Slide 29

BILL’s BES Asset Iden%fica%on •  Were applicable BES assets evaluated rela%ve to IRC criteria 2.3. 2.6. or 2.8?

•  Did BILL demonstrate coordina%on with the applicable registered func%on(s)? –  If not, should we submit a data request?


30

Medium IRC (Transmission)


Slide 31



Slide 32



Slide 33

Medium / Low IRC (Transmission)


Slide 34

R1.ii: Example of Auditable Process


Slide 35

Medium IRC (Genera%on)


Slide 36

Medium / Low IRC (Genera%on)


Slide 37

R1.iii-‐iv: Example of Auditable Process


Slide 38

Medium IRC (Protec%on Systems)


Slide 39

Low IRC (Protec%on Systems)


Slide 40

Low IRC (DP Systems)


Slide 41

R1.v-‐vi: Example of Auditable Process


Slide 42

List of High & Medium BES assets

•  Review the list of High BES assets •  Review the list of Medium BES assets

– For some en%%es in this session, both lists may be null

•  Iden%fy BCA at each such BES Asset and group into High-‐ or Medium-‐impact BCS

•  Provide the full protec%ons of CIP-‐003-‐6 through CIP-‐011-‐2 to these BCS, as applicable.

Slide 43


List of Low Impact BES Assets

•  Review the list of Low impact BES Assets •  Correlate this list against the en%ty’s inventory of BES Assets

Slide 44


Validate BES Asset Lists •  Review and compare the prior lists of CIP-‐002-‐3 R2 Cri%cal

Assets to the current lists of High and Medium BES Assets •  Did the results seem reasonable? •  Did the en%ty opt to reduce its number of Transmission

Assets through an appropriate applica%on of the BESNET? •  If so, does the en%ty have documented approval for all

claimed exclusions ? •  Do the Transmission BES Medium Assets align with the

one-‐line diagram? •  Did the en%ty provide evidence of net Real Power

capability to support Genera%on Facility ra%ngs? •  Does the audit team have any other ques%ons before

moving on to the R1.1, R1.2, and R1.3 lists?

Slide 45


List all Low impact BES Assets •  BILL must provide CIP-‐003-‐6 R1.2 & R2 protec%ons, as applicable, to its Low impact BES Assets

•  Zero (0) Low impact Control Centers –  Both Control Centers have High-‐impact BCS

•  Sixty-‐Five (65) Low impact Transmission Substa%ons, including Cranking Paths and assuming no substa%ons were removed via the BESNET process –  Six substa%ons w/ Medium-‐impact BCS

•  Ten (10) Low impact Genera%on Sites, including the 100 MW Blackstart Resource at Bill-‐3 substa%on –  The 2000 MW BILL Genera%on Sta%on loca%on > 1500 MW net Real Power capability threshold in IRC 2.1

Slide 46


IRC 2.1: Segmen%ng Genera%on BCS •  Can BILL segment the BCS at the Genera%on loca%on to reduce the BCS impact levels to Low?

•  Document the segmenta%on efforts carefully

•  Heed Lesson-‐Learned from pilot study


Slide 47

Genera%on BCS Segmenta%on Requirement: Title Descrip3on CIP-‐002-‐5 R1: Impact ra%ng of genera%on resources (genera%on segmenta%on)

What op%ons are available to categorize the impact ra%ng of BES Cyber Assets at plants greater than 1500 MW?

Impact of the Lesson Learned on WECC Audit Approach

This LL describes the op%ons used by pilot study par%cipants for iden%fying BCS located at genera%on plant sites with a net Real Power capability => 1500 MWs. The LL provides two op%ons for protec%ng BCS at such genera%on sites: A.  Protect the BCS as Medium-‐impact at a single loca%on, in which the all CIP

standards are applicable B.  Segment the Genera%ng Units and their Associated BCS to ensure no BCS could

have an adverse impact on any combina%on of units =>1500 MWs within 15 minutes. If this op%on is chosen, the en%ty must provide sufficient evidence that all BCS have been segmented effec%vely, such that no common-‐mode vulnerabili%es exist that could cause the loss >= 1500 MW at the plant site.

48

Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA July 7, 2015

Genera%on BCS Segmenta%on Acceptable Evidence of Genera3on Segmenta3on

This evidence could include engineering analyses that demonstrate effec%ve segmenta%on of, for example:

•  Systems protected by the segmented unit network. •  Components shared by mul%ple genera%ng units or group of units, and

analysis that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable opera%on of the BES within 15 minutes.

•  BES Cyber Systems shared by mul%ple genera%ng units or group of units, and analysis that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable opera%on of the BES within 15 minutes.

•  Network interfaces between each genera%ng unit or group of units and external networks (e.g., firewall rules).

49


Genera%on BCS Segmenta%on Impact of the Lesson Learned on WECC Audit Approach

When reviewing en%ty BCS evalua%ons rela%ve to IRC 2.1, WECC will expect evidence that indicates the en%ty evaluated the aggregate highest net rated Real Power capability of the preceding 12 calendar months to establish the genera%on plant’s net output rela%ve to the 1500 MW threshold. If the plant net output equals or exceeds the 1500 MW threshold, WECC will expect documenta%on demonstra%ng all BCS, including, but not limited to, DCS, fuel, air, and water support systems at the plant were examined to test the second condi%on in IRC 2.1 of an adverse impact within 15 minutes for any combina%on of units that equal or exceed 1500 MW. BCS that meet both condi%ons should be classified as Medium-‐impact BCS, while BCS that fail one or both condi%ons should be classified as Low impact BCS (the dual condi%ons are also true for IRC 2.2).

50


IRC 2.5: Segmen%ng Substa%on BCS

•  Can BILL have mixed impact BCS at its substa%ons?

Slide 51


Substa%on BCS Segmenta%on •  Up to this point, WECC has been recommending that en%%es segregate their substa%on Facili%es by control buildings based on the language in IRC 2.5, "rela%ve to "Transmission Facili'es that are opera'ng between 200kV and 499kV at a single sta*on or substa*on [Emphasis added], …" (CIP-‐002-‐5.1, A>achment 1, p. 15)

•  On further review, the prac%ce of segrega%ng Transmission Facili%es by voltage levels appears to be supported by language in the Overall Applica'on sec%on, "Responsible En''es have flexibility in how they group Facili'es, systems, and equipment at a loca'on" (CIP-‐002-‐5.1, p. 23), as well as graphically in Reference Model – 7 (CIP-‐003-‐6, Guidelines and Technical Basis, p. 37).

Slide 52


Iden%fying Substa%on BCS •  Aner discussions with other regions and NERC, although the overall impact ra%ng for a single Transmission sta%on or substa%on is determined by its connec%on to other sta%ons or substa%ons and the calcula%on of the aggregated weighted value, there is some la%tude for segrega%ng mixed-‐impact levels at substa%ons (i.e., Medium BCS and Low BCS).

•  IRC 2.4 describes Medium BCS at 500kV and above. •  IRC 2.5 describes Medium BCS grouped from BCA associated with Transmission Facili%es operated between 200kV and 499kv in a qualifying substa%on that meets the three-‐substa%on connec%vity and Aggregated Weighted Value [AWV] threshold criteria.

•  En%%es may have lower voltage levels, at a single loca%on, that do not qualify as Medium-‐impact under IRC 2.5

Slide 53


Substa%on BCS Segmenta%on Slide 54


•  Reference Model – 7 (CIP-‐003-‐6, Guidelines and Technical Basis, p. 37) provides an illustra%on of mixed-‐impact BCS within a single BES Asset boundary.

Substa%on BCS Protec%ons •  Provide Physical Security protec%ons at substa%on control building with mixed-‐impact BCS at the Medium BCS level, as applicable.

•  Electronic Protec%ons –  If a Low impact BCS is contained within a Medium BCS ESP, protect the LIBCS as PCA to the Medium BCS, as applicable.

–  If a Low impact BCS has LERC and is segregated electronically from Medium BCS, protect it in accordance with CIP-‐003-‐6 R1.2.3 (p. 5) and R2 (A>achment 1, Sec'on 3, p. 20).

Slide 55


Substa%on BCS Caveats •  For BES Cyber Assets associated with a transformer that spans the boundary between Medium-‐impact and Low impact Transmission Facili%es (e.g., transformer differen%al relays), WECC recommends such BCA be grouped with the higher impact BCS, even if located on the low-‐side of the transformer.

•  If IRC 2.6 and/or 2.8 apply to a specific substa%on, treat all BCS at that substa%on as Medium-‐impact, regardless of voltage levels, and protect as applicable.

•  Consider and apply high-‐water marks, as applicable. •  Document all segmenta%on evalua%ons carefully and completely for future audits.

Slide 56


R1.3 List of Low impact BES Assets

•  R1.3 does not require discrete lists of Low impact BES Cyber Systems.

•  However, R1.3 does require a list containing the name of “each asset that contains a low impact BES Cyber System.” – This list should contain all genera%ng plants, transmission sta%ons, certain distribu%on sta%ons, and certain “small” control centers, that contain low impact BES Cyber Systems.

Slide 57


R1.3 List of Low impact BES Assets – The en%ty should be prepared to demonstrate that all BES assets (loca%ons) are accounted for on either the list of high impact, medium impact or low impact loca%ons (note: a list of high or medium impact loca%ons is not specifically required, but can be surmised by looking at lists of high impact and medium impact BES Cyber Systems, if they exist)

– The en%ty should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protec%ons, and are included in recovery plans

Slide 58


Comparing Low impact BES Assets •  Not all Low impact BES Assets are created equal

–  “Low impact” covers a wide range of BES loca%ons and Facili%es

– Within “Low impact” there are poten%ally vastly different risks and impacts to the reliability of the BES.

–  The CIP Standards don’t make a dis%nc%on between a “big” (i.e., more impac{ul) Low impact BES Asset and a “small” (i.e., less impac{ul) Low impact BES Asset

•  Consider the following examples of IRC 2.1 (w/ net Real Power capability [NRPC] calcula%ons) and IRC 2.5 (w/ Aggregated Weighted Value [AWV] calcula%ons):

Slide 59


IRC 2.1 & IRC 2.5 Low-‐impact Examples Slide 60


AWV = 0 AWV = 2600 AWV = 5200

NRPC = 30 MWs AWV = 0

NRPC = 1400 MWs AWV = 1400

NRPC = 2800 MWs AWV = 3900

2.1

2.5

Compliance & Audit Implica%ons •  Random or sta*s*cal sampling of low impact assets for CIPv5 audit purposes is not appropriate when sampling for Low impact BES Asset site visits.

•  Expect the audit team to apply judgmental or non-‐sta*s*cal sampling based on the audit team’s percep%on of risk and impact to the BES. –  Expect more audit ajen%on at Low impact Transmission Facili%es with larger impacts.

–  Expect more audit ajen%on at larger Low impact Genera%on plants than at smaller plants, par%cularly those that equal or exceed 1500 MWs net Real Power capability

Slide 61


Compliance & Audit Implica%ons •  Expect more ajen%on at any genera%on plant > 1500 MW NPRC, regardless of control system segmenta%on. The en%ty should be prepare to: – Demonstrate how the unit controls are segmented, including computer network diagrams, firewall configura%ons, data flow analysis, etc.

– Demonstrate the analysis of any common systems at the plant.

–  Explain the analysis and include both %me-‐based and impact-‐based components.

–  Facilitate site visits to any Genera%on plants that contain >= 1500 MW net Real Power capability.

Slide 62


Compliance & Audit Implica%ons •  Expect more ajen%on at any Low impact Transmission substa%on with a significant number of 230kV and 345kV lines. The en%ty should be prepared to: – Demonstrate how IRC 2.5 was applied – Discuss all Transmission lines that were not calculated into the total AWV, e.g.:

•  Removed under the BESNET process as radial feeds serving only Load or other legi%mate exclusions, or

•  Classified as Genera%on Interconnec%on Facili%es. – Facilitate site visits to any Transmission substa%ons that have mixed BCS impact levels

Slide 63


R1: BES Asset Lists Review Ques%ons •  Did BILL apply the IRC appropriately? •  Does BILL need to confer with its RC, PA, or TP to consider any Cri%cal Assets rela%ve to Criteria 2.3, 2.6, or 2.8 before moving them to the Low BES Asset list?

•  Applica%on Ques%ons: – Did BILL consider all BES asset types in R1.i through R1.vi? – Did BILL review & evaluate all BES Assets through the IRC? – Did BILL clearly iden%fy and document all BES assets in the appropriate impact ra%ng?

•  Is any addi%onal informa%on necessary?


64

BILL’s Review & Approval Process

•  The next step in a CIP-‐002-‐5.1 audit is to determine if the en%ty reviewed the iden%fica%ons of the lists created in R1, even if such lists are null. –  R1.1 list of High BCS –  R1.2 list of Medium BCS –  R1.3 list of Low impact BES assets

•  Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists.


65

Inputs

R2 Review & Approval

Process

R1.1,R1.2,R1.3Lists

Outputs

Signed and Dated

Records

R2: Annual Approval Review Ques%ons

•  Did BILL review its R1.1-‐R1.3 lists at least every 15 calendar months aner the ini%al iden%fica%ons?

•  Did BILL update the lists, as necessary? •  Did the BILL CIP Senior Manager or delegate approve the R1.1-‐R1.3 lists at least every 15 calendar months aner the ini%al iden%fica%on, even if such lists are null?

•  Applica%on Ques%ons –  Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?

•  Are any DR’s necessary? –  If so, what addi%onal informa%on is required?


66

Audit Ac%vi%es: The Interview

•  Set up through an interview DR the prior week •  Typically held on Monday of the on-‐site week immediately aner the opening presenta%on

•  Examines the en%ty’s understanding of and approach to R1-‐R2

•  Cover any areas of concern raised through the ini%al evidence review

•  Schedule follow-‐up interview(s), if needed, aner the site visits


67

Audit Ac%vi%es: Site Visits •  Set up through a site visit DR •  I%nerary determined through review of the ini%al evidence •  Trust, but verify. Why? •  Depending on en%ty size and number of BES Assets, this may

involve 100% valida%on or valida%on of a sampling of BES Assets (as previously discussed):

•  Where? –  Control Centers (both PCC and BCC) –  Genera%on Facili%es –  Transmission Facili%es

•  What? –  In BILL’s case, site visits will include High and Medium BCS, as well as a judgmental sampling of Low Impact BES Assets


68

Audit Ac%vi%es: General Site Visits •  Who?

– CIP-‐002-‐5.1 Audit Team •  Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL •  Works in conjunc%on with CIP-‐005 & CIP-‐006 sub-‐teams

– CIP-‐005-‐5 Audit Team •  Iden%fies sites with Electronic Remote Access [ERC] and/or Low impact Electronic Remote Connec%vity [LERC]

•  Validates Electronic Access Points [EAP] and/or Low Impact Electronic Access Points [LEAPs].

– CIP-‐006-‐6 Audit Team •  Validates Physical Access Controls, rela%ve to CIP-‐006-‐6 and CIP-‐003-‐6, R2 (for Low impact BES Assets).


69

Audit Ac%vi%es: Low-‐impact Site Visits

•  CIP-‐002-‐5.1 Audit Team –  Validates R1.3 lists, schedules visits to a non-‐sta%s%cal sampling of Low-‐impact BES Assets.

– Works in conjunc%on with CIP-‐005 & CIP-‐006 sub-‐teams

•  CIP-‐005-‐5 Audit Team [CIP-‐003-‐6 R2, Aj. 1, Sec%on 3] –  Iden%fies sites with LERC and validates LEAP controls –  Validates authen%ca%on for LIBCS w/ Dial-‐up Connec%vity

•  CIP-‐006-‐6 Audit Team [CIP-‐003-‐6 R2, Aj. 1, Sec%on 2] –  Validates Low-‐impact Physical Security controls


70

Audit Ac%vi%es: Site Visits •  What?

–  Validate High and Medium impact BCS (if applicable) – Discuss CIP-‐003-‐6 R2 protec%ons at Low impact BES Assets –  Look for aberra%ons from the lists – Hold informal interviews with en%ty SMEs

•  When? –  Typically during the audit week – May occur before the audit week, depending on number of sites visited, distances traveled, resource constraints, etc.


71

Value-‐Added Ac%vity: Feedback

•  WECC Audit Teams never prescribe solu%ons, but we do describe: –  Brief en%%es on findings –  Encourage good security prac%ces – Discuss examples of industry best prac%ces –  Iden%fy areas of concern, which may not be viola%ons, but which could stand improvements

–  Provide sugges%ons, when appropriate •  Support development of a sustainable compliance culture.


72

Post-‐Audit Auditor Ac%vi%es •  Par%cipate in en%ty outreach ac%vi%es, such as this event and CIPUG mee%ngs

•  Be available and responsive to address en%ty ques%ons/comments

•  Work at Na%onal level –  CCWG – Draning teams –  Comment on new Standards, CANs, etc. – Ajend and present at Conferences –  CIPv5 Pilot Study and Outreach


73

Summary

•  Audit to the Standard •  Provide useful feedback to the en%ty •  Prepare a valid report •  Be available to CIP personnel at the en%%es •  Work at Na%onal level


74

Remember the Auditor’s Mission

Just the facts, Ma’am,

Just the facts!


75

References •  FERC. (2013 December 3). Order No. 791: Version 5 Cri'cal Infrastructure

Protec'on Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-‐5-‐000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-‐72787). Retrieved from hjp://www.gpo.gov/fdsys/pkg/FR-‐2013-‐12-‐03/pdf/2013-‐28628.pdf

•  NERC. (2013 November 22). CIP-‐002-‐5.1 – Cyber Security Standard – BES Cyber System Categoriza'on. Retrieved from hjp://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-‐002-‐5.1&%tle=Cyber%20Security%20—%20BES%20Cyber%20System%20Categoriza%on&jurisdic%on=null

•  NERC. (2014 April). Bulk Electric System Defini'on Reference Document (Version 2). Retrieved from hjp://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Defini%on%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf


76

References •  NERC. (2014 July 1). Appendix 5C: Procedure for Reques'ng and Receiving an

Excep'on from the Applica'on of the the NERC Defini'on of Bulk Electric System. Retrieved from hjp://www.nerc.com/FilingsOrders/us/RuleOfProcedureDL/Appendix_5C_ProcForReqAndRecExFromAppOfNERCDefBES_20140701.pdf

•  NERC. (2014 August 12). Cyber Security Standards Transi'on Guidance: ERO Compliance and Enforcement Ac'vi'es during the Transi'on to the CIP Version 5 Reliability Standards. Retrieved from hjp://www.nerc.com/pa/CI/Documents/V3-‐V5%20Transi%on%20Guidance%20FINAL.pdf

•  NERC. (2014 December 31). Glossary of Terms used in NERC Reliability Standards. Retrieved from hjp://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf

•  NERC. (2015 February 12). CIP-‐003-‐6 – Cyber Security — Security Management Controls. Retrieved from hjp://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-‐003-‐6&%tle=Cyber%20Security%20-‐%20Security%20Management%20Controls&jurisdic%on=null


77

Speaker Contact Informa%on

Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor -‐ Cyber Security Western Electricity Coordina%ng Council (WECC) jbaugh (at) wecc (dot) biz (C) 520.331.6351 (O) 360.600.6631

Slide 78
