Low Impact BES Cyber Systems

CIP-003-6 R1 and R2

June 3, 2015

Steven Keller, CISA, CRISC, CISSP Lead Compliance Specialist – CIP 501-688-1633 [email protected]


CIP V5 Low Impact Assets Coverage

• What is a Low Impact BES Cyber Asset?

• How we got here

• Where we are going

• Things to Consider

• Audit Approach


What is a Low Impact Asset?

• A BES Cyber System (BCS) that has not been categorized as High or Medium Impact under the CIP-002 criteria

• R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower][Time Horizon: Operations Planning]


How we got here - FERC

• FERC issued Order 791 in Nov. 2013 which is now effective

• Order had four directives:

1. Identify, Assess and Correct language

2. Communication Networks

3. Low Impact BES Cyber Systems

4. Transient Devices

• Registered Entities with only Low Impact BCS need only comply with CIP-002-5.1 and CIP-003-6


How we got here – FERC, cont.

• FERC concerned with lack of objective criteria for evaluating Low Impact protections

– “Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process”

– Open to alternative approaches

– “… the criteria NERC proposes for evaluating a responsible entities’ protections for Low Impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified”


Implementation Date for Low Impact BCS


Audit Approach Hints…

• An inventory, list, or discrete identification of Low Impact BCS or their BES Cyber Assets is not required

• BUT!!!! – A list containing the name of “each asset that contains a Low Impact BES Cyber System” is required, such as a list of:

– Generating plants

– Transmission stations

– Certain distribution stations

– Certain “small” control centers that contain Low Impact BCS

– Blackstart resources and cranking paths


Audit Approach Hints…

• Must demonstrate that Low Impact BCS locations have been afforded electronic and physical protections, and are included in recovery plans

To Repeat:

• DON’T have to identify a discrete list of Low Impact BCS

• DO have to demonstrate compliance with CIP-003-6 R2 for each Low Impact BCS

– A list of Low Impact BCS at each asset may be helpful


CIP-003-6 R1.2

• R1.2 For its assets identified in CIP-002 containing Low Impact BES Cyber Systems, if any:

– 1.2.1. Cyber security awareness;

– 1.2.2. Physical security controls;

– 1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and

– 1.2.4. Cyber Security Incident response


CIP-003-6 R2

• Each Responsible Entity with at least one asset identified in CIP-002 containing Low Impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its Low Impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

– Note: An inventory, list, or discrete identification of Low Impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.


CIP-003-6 R2 Attachment 1

• Section 1 – Cyber Security Awareness

– Shall reinforce cyber security practices at least every 15 months

– May include physical security practices


CIP-003-6 R2 Attachment 1

• Section 2 – Physical Security Controls

– Shall control physical access, based on need as determined by the Responsible Entity, to:

  – the Low Impact BCS within the asset

  – the Low Impact BCS Electronic Access Points (LEAPs), if any


CIP-003-6 R2 Attachment 1

• Section 3 – Electronic Access Controls

– 3.1 For Low Impact External Routable Connectivity (LERC), if any, implement a LEAP (Low Impact Electronic Access Point) to permit only necessary inbound and outbound bi-directional routable protocol access

– 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Asset capability


New Definitions - LERC

• “LERC – Low Impact External Routable Connectivity - Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection.”

• Example: SCADA communicating to a low impact RTU in the substation


LERC Exemption

• “Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition”

• Examples of this communication include, but are not limited to:

– IEC 61850

– GOOSE

– Vendor proprietary protocols


New Definitions - LEAP

• “LEAP – Low Impact BES Cyber System Electronic Access Point - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.”


CIP-003-6 R2 Attachment 1

• Section 4 – Cyber Security Incident Response Plan(s)

– 4.1 Identification, Classification and Response to a Cyber Security Incident

– 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law;

– 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;


CIP-003-6 R2 Attachment 1, cont.

• Section 4 – Cyber Security Incident Response Plan(s)

– 4.4 Incident handling for Cyber Security Incidents;

– 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident


CIP-003-6 R2 Attachment 1, cont.

• Section 4 – Cyber Security Incident Response Plan(s)

– 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.


Example: Acme Power’s Low Impact BCS

• The following Acme Low Impact BCS have:

– Electronic access controls

– Physical security controls

– Cyber security awareness (strong passwords, virus protection, etc.)

– Inclusion in a cyber incident response plan

1. Substation Alpha

2. Substation Beta

3. Substation Charlie

4. Edison Coal Plant

5. Acme Primary Control Center


Example: Acme’s R2 Evidence

• For Acme’s 5 listed BCS, evidence of:

– Electronic access controls

  – Network diagram, access control list

  – Documentation of electronic protection

– Physical security controls

  – Documentation of card readers, key locks, etc.

– Cyber security awareness

  – Security policies, awareness training (posters, learning modules)

– Cyber incident response plan

  – Copy of the plan


Summary

• Be sure to follow CIP-002-5.1 and CIP-003-6 for Low Impact BCS

• A list of discrete, Low Impact BCS is not required but may be helpful

• You must have a list of assets containing Low Impact BCS

• If an asset contains Low Impact BCS, it must be on the Low Impact list even if the asset also contains High or Medium Impact BCS


February 10th 2015 NERC CIP V5 Compliance Project - Progress Project Status

Low Impact Facilities/Assets and

BES Cyber Systems

CIP-003 R1 and R2

June 3, 2015

Enel Green Power North America

Natalie Johnson, NERC Compliance Manager, [email protected]

David Campbell, CIP Compliance Program Manager, [email protected]


June 3, 2015 CIP-003 Low Impact BES Assessment

Contents

› Introduction and Who We Are

› CIP Project Progress

› Low Impact Assessment

› Moving Forward


Introduction

› EGPNA has 1 Medium Impact Control Room

› EGPNA has 8 Low Impact Wind Facilities

› The Focus of this presentation is how we are preparing to meet CIP Requirements for Low Impact

› This is an example of what one company is doing and our approach

This document contains proprietary information of Enel Green Power SpA and should only be used by the recipient in relation to the purposes for which it was received. Any form of reproduction or dissemination without the explicit consent of Enel Green Power SpA is prohibited.


Who Are We?

Technology Capacity

Hydro 317 MW

Wind 1,665 MW

Geothermal 72 MW

Solar 29 MW

Total 2,083 MW

Enel Green Power North America (EGP-NA), a subsidiary of Enel Green Power, is an industry leading owner and operator of renewable energy plants in North America with projects operating and under development in 21 U.S. states and two Canadian Provinces. With nearly 100 plants in operation representing an installed capacity of more than 2GW, EGP-NA’s portfolio includes a diverse mix of hydropower, geothermal, wind and solar renewable energies.

Since 2010, EGP-NA has undergone rapid expansion in the U.S., more than doubling its total installed capacity and already has more than 400 MW currently in construction. The company employs more than 350 people in North America that hold strong managerial, technical and financial expertise.

Enel Green Power North America


EGP-NA NERC Compliance Structure

EGPNA CEO

ICT Director - Generation

CIP Sr. Manager

NERC Compliance Manager

CIP Compliance Program Manager

ICT Operations

*Deployment plan ongoing to build compliance support staff for CIP roles and responsibilities

EGPNA Compliance Officer

Legal Oversight, Approvals

Management, Coordination, Facilitation, Training


EGP-NA NERC Compliance Structure – NERC CIP Stakeholders

CIP Compliance Program Manager

CIP Stakeholders:

› Information Communications Technology

› Human Resources

› Operations and Maintenance

› Facilities

› Legal


CIP Project Progress

Policies, Procedures, Workflows and Templates by NERC CIP Area

NERC CIP Area                      Policies  Procedures  Workflows  Templates
BES Cyber System Categorization        1         2           1          3
Security Management Controls           3         2           0          2
Personnel & Training                   2         9           9          5
Electronic Security Perimeter          1         3           3          1
Physical Security                      2         5           4          2
System Security Management             1        10           7          4
Incident Management                    1         3           3          2
Recovery Plans                         1         3           2          3
Configuration change mgmt & VA         1         4           3          4
Information Protection                 1         3           2          1
Total                                 14        44          34         27

Docs Alignment

EGP-NA has developed approx. 120 documents in order to support the CIP transition


Low Impact Facilities Assessment

Methodology

Evaluation based on CIP-002-5.1 BES Assets and/or BES Cyber Systems Bright Line Criteria

Two Approaches

Approach 1 - Inventory and categorize facilities, then identify and classify Cyber Systems (facility-centric, or top-down). A methodology to determine qualifying BES assets and BES Facilities.

  Step 1: Facilities Evaluation → Step 2: BES Cyber Systems Evaluation → Output

Approach 2 - The second approach is the opposite, beginning with a BES Cyber Systems inventory, then a cross-reference to facilities (cyber systems centric, or bottom up).

  Step 1: BES Cyber Systems Evaluation → Step 2: Facilities Evaluation → Output (discrete list(s) are not required)


Facilities Evaluation Process CIP-002-5.1 Attachment 1 – Impact Rating Criteria

• Generation resources and Control Centers evaluated against Attachment 1, Sections 1.1 to 1.4 (High Impact) and 2.1 through 2.13 (Med Impact) bright line criteria

• Any facilities that do not meet the criteria in 1.1 to 1.4 (High Impact) and 2.1 through 2.13 (Med Impact) and also meet the applicability qualifications in Section 4 (Applicability, part 4.2) are evaluated against sections 3.1 to 3.6 (Low Impact) bright line criteria

Facilities               1.1 to 1.4   2.1 to 2.13   3.1   3.2   3.3   3.4   3.5   3.6
Generation Resource A    no           no            no    no    yes   no    no    no
Generation Resource B    no           no            no    no    yes   no    no    no
Generation Resource C    no           no            no    no    yes   no    no    no
Generation Resource D    no           no            no    no    yes   no    no    no
Generation Resource E    no           no            no    no    yes   no    no    no

CIP-002-5.1 Attachment 1 Facilities Evaluation – Categorizing Low Impact

Att 1 section 3.3 Generation resources.


Facilities Evaluation Example

CIP-002-5.1 Attachment 1 – Impact Rating Criteria

Key Features of Evaluation Spreadsheet

• List all facilities in far left column

• List all bright line criteria across the header

• Apply each asset against each criterion from Attachment 1, sections 1, 2 and 3

• Excel file has a revision history with signature

*CIP-002-5.1 – pg 4 – an entity might choose to view an entire plant control system as a single BES Cyber System

*CIP-002-5.1 – pg 31 – Under Low Impact Categorization, assets with routable connectivity are protected under cyber security awareness, physical access control, electronic access control, and incident response
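As an added example that is not part of either presentation, the following Python script encodes the evaluation order described on the two preceding slides (High criteria 1.1 to 1.4 and Medium criteria 2.1 to 2.13 first, then the Section 4 part 4.2 applicability gate, then Low criteria 3.1 to 3.6) and renders the same yes/no worksheet shape, finishing with the one list CIP-003-6 does require: the assets containing Low Impact BCS. Only the criterion identifiers the slides name are modelled, not the text of each criterion, so which criteria a facility meets is supplied as constructed input (`criteria_met`); the names `Facility`, `categorize`, `evaluation_row` and `low_impact_asset_list`, and the two rows beyond Generation Resources A to E, are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Criterion identifiers as named on the slides: 1.1-1.4 High, 2.1-2.13 Medium, 3.1-3.6 Low.
# Only the identifiers are modelled here; the text of each criterion is not.
HIGH_CRITERIA = tuple(f"1.{i}" for i in range(1, 5))
MEDIUM_CRITERIA = tuple(f"2.{i}" for i in range(1, 14))
LOW_CRITERIA = tuple(f"3.{i}" for i in range(1, 7))
ALL_CRITERIA = frozenset(HIGH_CRITERIA + MEDIUM_CRITERIA + LOW_CRITERIA)

# Worksheet header: High and Medium as one column each, Low criteria one column each.
COLUMNS = ["1.1-1.4", "2.1-2.13", *LOW_CRITERIA]


@dataclass(frozen=True)
class Facility:
    name: str
    applicable_4_2: bool                        # meets Section 4 (Applicability, part 4.2)
    criteria_met: FrozenSet[str] = frozenset()  # constructed input: criteria the facility meets


def categorize(facility: Facility) -> str:
    """Walk the bright lines in the order the slide describes."""
    unknown = facility.criteria_met - ALL_CRITERIA
    if unknown:
        raise ValueError(f"{facility.name}: unknown criteria {sorted(unknown)}")
    met = facility.criteria_met
    if any(c in met for c in HIGH_CRITERIA):
        return "High"
    if any(c in met for c in MEDIUM_CRITERIA):
        return "Medium"
    if not facility.applicable_4_2:
        return "Not applicable"       # never reaches the Low Impact bright lines
    if any(c in met for c in LOW_CRITERIA):
        return "Low"
    return "None"                     # in scope under 4.2 but meets no criterion


def evaluation_row(facility: Facility) -> List[str]:
    """One worksheet row: facility, yes/no per column, resulting category."""
    met = facility.criteria_met
    flags = [any(c in met for c in HIGH_CRITERIA), any(c in met for c in MEDIUM_CRITERIA)]
    flags += [c in met for c in LOW_CRITERIA]
    return [facility.name, *("yes" if f else "no" for f in flags), categorize(facility)]


def low_impact_asset_list(facilities: List[Facility]) -> List[str]:
    """The list CIP-003-6 does require: every asset containing Low Impact BCS."""
    return [f.name for f in facilities if categorize(f) == "Low"]


# Constructed sample: the five generation resources from the slide (each meets only 3.3),
# plus a control center and an out-of-scope site added here for contrast.
SAMPLE_FACILITIES = [
    Facility(f"Generation Resource {x}", True, frozenset({"3.3"})) for x in "ABCDE"
] + [
    Facility("Control Center X", True, frozenset({"2.11"})),   # illustrative Medium hit
    Facility("Distribution Site Y", False, frozenset()),       # outside 4.2 applicability
]


def render_table(facilities: List[Facility]) -> str:
    """Plain-text rendering of the evaluation worksheet."""
    header = ["Facility", *COLUMNS, "Category"]
    rows = [header] + [evaluation_row(f) for f in facilities]
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    print(render_table(SAMPLE_FACILITIES))
    print("\nAssets containing Low Impact BCS:", low_impact_asset_list(SAMPLE_FACILITIES))
```

The unknown-criterion check is deliberate: a worksheet column that is not one of the Attachment 1 identifiers is a data-entry error that should stop the evaluation rather than silently count as "no".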


BES Cyber System / Asset Determination Approach 2

• Routable communications paths into the BES Asset that permit External Routable Connectivity (ERC) or Interactive Remote Access (IRA)

• Non-Routable communications paths and endpoints into the BES Asset that permit IRA

• Identification of communication boundaries and access point placement

• Identification of physical boundaries and access point placement

*Reference: MRO Standards Application Guide - Cyber Asset Procedure, Section 4 Diagram 2 pg. 7, 11

*example workflow


Low BES Asset Candidate Assessment

Worksheet columns, grouped as on the template:

BES Asset Classification

– Low Impact Candidate Identification Rationale: Low Impact BES Assets consist of BES Assets that contain BES Facilities that did not qualify as High or Medium impact pursuant to Attachment 1 High and Medium Impact Criteria (*if determined to be located in a Low BES Facility).

Low BES Asset Candidate Information

– BES Asset Category: CIPV5 R1.i - R1.vi category of the BES Asset

– BES Asset Name: Name of Registered_Entity_X BES Asset where the communications line(s) enters

– BES Asset Abbreviation: Abbreviation of Registered_Entity_X BES Asset

– BES Facility Association: Is there a BES Facility located at the BES Asset?

BES Asset Connectivity Criteria – communication service details for the BES Asset

– Does the BES Asset have a communications line(s) transporting a routable protocol?

– Does the BES Asset have a communications line(s) transporting a serial protocol?

– Does the BES Asset have a communications line(s) transporting a dial-up connection?

Inventory of Communications Lines (required only if the BES Asset Classification is Low BES Asset (LBA))

– Communication Service Type: Example: Leased, Privately owned, etc.

– Communication Line Service Provider: Name of the communications line service provider. If privately owned, enter Registered_Entity_X.

– Communication Line Identifier: Unique ID associated to the billing of the service, or if privately-owned any unique ID that exists for inventorying purposes

– Destination Asset Name: Name of Registered_Entity_X Asset where the communication line terminates. This is necessary if placing Low Impact Access Points to electronic boundaries in an upstream central location.

– Description (optional): Enter a brief description of the communications line, or other data about the related application or function of the service.

– Functional Group Name: Name of the Registered_Entity_X Functional Group responsible for the Cyber Asset

– Connectivity Attributes: Dial-up; Serial; Routable Protocol; Routable Protocol Type (i.e. IP); Routable Protocol Network Address(es) (i.e. IP Subnet Address)

– Accessibility Attributes: Low-impact External Routable Connectivity (LERC); Interactive Remote Access (IRA)

BES Asset Boundary Protections

– Low Impact Access Point(s) (LEAPs): cyber boundary; physical boundary

*Reference: MRO Standards Application Guide – Low Impact.xls attachment
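To show how the inventory columns above feed the LERC definition and Attachment 1 Sections 3.1 and 3.2 from the earlier slides, here is an added Python example; it is not the MRO template's logic and not code from either presentation. It models one inventory row per communications line using the worksheet's connectivity attributes (routable, serial, dial-up), applies the quoted LERC definition together with its point-to-point IED exclusion, and reports for one asset whether a LEAP (Section 3.1) and dial-up authentication (Section 3.2) are required, plus which Destination Asset Names could host an upstream LEAP. The class and field names (`CommLine`, `remote_end_inside_asset`, `ied_point_to_point`), the function names, and the sample rows for the slides' fictional “Substation Alpha” are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CommLine:
    """One inventory row; fields follow the worksheet columns (names constructed here)."""
    line_id: str                           # Communication Line Identifier
    asset: str                             # BES Asset where the communications line enters
    destination: str                       # Destination Asset Name (where the line terminates)
    connectivity: str                      # Connectivity Attribute: "routable", "serial", "dial-up"
    protocol: Optional[str] = None         # Routable Protocol Type, e.g. "IP"
    bidirectional: bool = True             # the routable connection is bi-directional
    remote_end_inside_asset: bool = False  # far-end Cyber Asset sits inside the same asset
    ied_point_to_point: bool = False       # time-sensitive protection/control between IEDs


def is_lerc(line: CommLine) -> bool:
    """Apply the LERC definition quoted on the earlier slides.

    LERC needs a bi-directional routable protocol connection to the low impact BCS from a
    Cyber Asset outside the asset. Point-to-point IED traffic for time-sensitive protection
    or control between Transmission station assets (IEC 61850, GOOSE, vendor protocols) is
    excluded whatever its protocol name, so the exclusion is carried as a flag, not a list.
    """
    if line.connectivity != "routable" or not line.bidirectional:
        return False
    if line.remote_end_inside_asset:
        return False
    if line.ied_point_to_point:
        return False
    return True


def required_controls(asset: str, inventory: List[CommLine]) -> Dict[str, object]:
    """Attachment 1 Section 3 outcome for one asset, derived from its inventory rows."""
    rows = [line for line in inventory if line.asset == asset]
    lerc_lines = sorted(line.line_id for line in rows if is_lerc(line))
    dialup_lines = sorted(line.line_id for line in rows if line.connectivity == "dial-up")
    # The LEAP definition lets the controlling Cyber Asset sit outside the asset, so each
    # LERC line's destination is a candidate for an upstream (central) LEAP besides the asset.
    upstream = sorted({line.destination for line in rows if is_lerc(line)})
    return {
        "lerc_lines": lerc_lines,
        "section_3_1_leap_required": bool(lerc_lines),
        "upstream_leap_candidates": upstream,
        "dialup_lines": dialup_lines,
        "section_3_2_authentication_required": bool(dialup_lines),
    }


# Constructed inventory for the slides' fictional "Substation Alpha"; none of this is real data.
SAMPLE_INVENTORY = [
    # SCADA master polling the substation RTU over IP: the slide's own LERC example.
    CommLine("L-001", "Substation Alpha", "Acme Primary Control Center", "routable", "IP"),
    # GOOSE between protective relays in two substations: excluded from LERC.
    CommLine("L-002", "Substation Alpha", "Substation Beta", "routable", "IEC 61850 GOOSE",
             ied_point_to_point=True),
    # Dial-up maintenance line: not LERC, but Section 3.2 authentication applies.
    CommLine("L-003", "Substation Alpha", "Maintenance modem (constructed)", "dial-up"),
    # Serial telemetry: neither routable nor dial-up.
    CommLine("L-004", "Substation Alpha", "Acme Primary Control Center", "serial"),
    # Local HMI on the substation LAN: routable, but the remote end is inside the asset.
    CommLine("L-005", "Substation Alpha", "Substation Alpha", "routable", "IP",
             remote_end_inside_asset=True),
    # A row for another asset, which must not leak into Substation Alpha's result.
    CommLine("L-101", "Substation Beta", "Substation Alpha", "routable", "IEC 61850 GOOSE",
             ied_point_to_point=True),
]


if __name__ == "__main__":
    for asset in ("Substation Alpha", "Substation Beta"):
        print(asset, required_controls(asset, SAMPLE_INVENTORY))
```

Keeping the IED exclusion as an explicit per-line flag rather than matching protocol names mirrors the slide's "include, but are not limited to" wording: the exclusion is about the function of the traffic, and the inventory has to record that judgement so an auditor can see why a routable line was left outside the LEAP.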


Moving Forward CIP-003 R2 – Cybersecurity Policy for Low Impact BES Cyber Systems

Requirement / Approach

1.2.1 Cybersecurity Awareness

As determined by EGP-NA, utilize CIP-004 Policy for Medium Impact

• Online training courses tracked in Learning Management System

• Distribute media electronically

1.2.2 Physical Security Controls

As determined by EGP-NA, utilize CIP-006 R1.2 & R1.3 procedures for Physical Security at Medium Impact BES Assets

• Documentation of key locks and authorized users

1.2.3 Electronic Access Controls for Low Impact External Routable Connectivity (LERC)

As determined by EGP-NA, utilize CIP-005 R1 & R2 procedures for Med Impact BES Assets

• Document user access

• Track access approval, change, and revocation

1.2.4 Cybersecurity Incident Response

As determined by EGP-NA, utilize CIP-008 R1-R3 procedures for Med Impact BES Assets

• Tabletop exercises relevant to low impact environment

• Service desk support covering Med Impact Facility


Questions?

Thank you!