© Cyber SECurity Consulting - All rights reserved
www.industryconsulting.org
Understanding the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
William T. Shaw, PhD, CISSP, Principal – Cyber SECurity Consulting
Understanding the NERC Standards
The general objective of the NERC CIP standards is to ensure that computer automation systems and communication networks essential to the reliable supply of electric power to the nation are reasonably protected against attacks from a range of credible threat sources, and that a sustaining program is established to maintain the viability and effectiveness of such protections.
The Threat
A terrorist attack on electrical infrastructure that causes widespread, long-term power outages, which result in health and human safety impacts, economic impacts, damage to other civil, military and industrial infrastructure, and opens up security vulnerabilities.
Physical attacks:
• Damage/destroy key facilities
• Invade and take control of key facilities
Cyber (electronic) attacks:
• Disable/disrupt critical systems
• Take control of critical systems
• Corrupt critical systems
A Brief Timeline
[Timeline figure with axis labels 2001/2002, 2003/2004, 2005/2006, 2007/2008, 2009/2010 and Today; events in order:]
• 9/11-2001 attacks
• White House issues directives
• DHS issues directives
• NERC releases UAS-1200
• Northeast Blackout occurs
• NERC updates to 1300
• NERC revises as CIPs
• NERC designated ERO
• FERC mandates CIPs
• Today
• Must be auditably compliant
• Three years
Evolution of the Standards
NERC 1200 => 1300 Standard requirements
NERC 1200:
1201 Cyber Security Policy
1202 Critical Cyber Assets
1203 Electronic Security Perimeter
1204 Electronic Access Controls
1205 Physical Security Perimeter
1206 Physical Access Controls
1207 Personnel
1208 Monitoring Physical Access
1209 Monitoring Electronic Access
1210 Information Protection
1211 Training
1212 Systems Management
1213 Test Procedures
1214 Electronic Incident Response Actions
1215 Physical Incident Response Actions
1216 Recovery Plans
NERC 1300:
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
Evolution of the Standards
NERC 1300 => CIPs Standard requirements
NERC 1300:
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
CIPs:
CIP 001 Sabotage Reporting
CIP 002 Critical Cyber Assets
CIP 003 Security Management Controls
CIP 004 Personnel & Training
CIP 005 Electronic Security
CIP 006 Physical Security of CCA
CIP 007 Systems Security Management
CIP 008 Incident Reporting/Response Planning
CIP 009 Recovery Plans for CCA
Important Terms
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded, or otherwise rendered unavailable, would have a
(1) significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) would have a detrimental impact on the reliability or operability of the Bulk Electric System,
(3) or would cause significant risk to public health and safety.
Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs), one of the major changes was the broadening of the definition of Critical Assets, to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.
Also note that no specific quantization was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont.)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded, or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
[Diagram relating Assets, Cyber Assets, Critical Assets and Critical Cyber Assets]
Electrical Grid 101
[Diagram with labels: Generating Plants (G), Transmission substation, Transmission lines, System interconnect, Transmission Grid, Sub-Transmission, Distribution substations, Distribution Grid, Distributed generation (DG), Loads]
Electrical Grid 101 – Continental Network
[Map: Western Interconnect, Eastern Interconnect, Texas Interconnect; California ISO, New England ISO, New York ISO; Regional Reliability Councils - NERC]
ECAR – East Central Area Reliability Coordination Agreement
ERCOT – Electric Reliability Council of Texas
FRCC – Florida Reliability Coordinating Council
MAAC – Mid-Atlantic Area Council
MAIN – Mid-America Interconnected Network
MAPP – Mid-Continent Area Power Pool
NPCC – Northeast Power Coordinating Council
SERC – Southeastern Electric Reliability Council
SPP – Southwest Power Pool
WSCC – Western Systems Coordinating Council
Critical Cyber Assets
[Diagram with labels: Regional Authority (RTO, ISO, EMS); Adjacent Entity EMS; SCADA/EMS; Substation Controls; Power Plant DCS]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
CIP 00x Compliance Schedule – Generalized
Compliance schedule for most entities
[Chart: requirements R1, R2, R3, R4 ... Rx plotted by quarter (Q1-Q4) across 2007, 2008, 2009 and 2010, with milestones Begin Work, Substantial Completion, Completion and Auditable Compliance; Today is marked]
Each CIP is composed of a set of requirements.
Most requirements must achieve AC (auditable compliance) by end of 2010.
Some requirements must achieve AC by end of 2009.
CIP 001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for, and formally report, any attempt to sabotage facilities or assets, and to contact responsible entities (such as the FBI) and provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R1 – Identify and inventory critical electric system assets
• R2 – Identify and inventory critical cyber assets
• R3 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack):

Severity of consequences | Public health and safety | Customer outages | Outage duration | Power system stability | Power generation impacts
Very serious consequences | Numerous deaths and serious injuries | > 250,000 customers | Duration in terms of months | Major transmission line outages | > 10,000 MW put offline
Major consequences | Scattered deaths or serious injuries | > 100,000 customers | Duration in terms of weeks | Limited inter-tie disruption | > 1,000 MW put offline
Minor consequences | Minor, non-life-threatening injuries | Thousands of customers | Duration in terms of days | Temporary islanding | > 100 MW put offline
Insignificant consequences | None of significance | Hundreds of customers | Duration in terms of hours | No impact | Tolerable generation outage
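A worked version of the rating chart above, added here as an example that is not part of the original presentation: it encodes the chart's severity rows, scores a scenario column by column and takes the worst column as the overall rating, so a single catastrophic dimension is never averaged away by mild ones. The severity names and the chart's stated numbers (250,000 / 100,000 customers; months / weeks / days / hours; 10,000 / 1,000 / 100 MW) come from the slide; the numeric cut-offs chosen for the loosely worded cells ("thousands", "hundreds", "tolerable"), the hour conversions for months/weeks/days and both scenarios are assumptions made for illustration.

```python
"""Consequence rating helper modelled on the chart above (added example).

Severity levels and the chart's stated thresholds come from the slide; the
exact cut-offs for loosely worded cells and the sample scenarios are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity levels from the chart, ranked from least to most serious.
LEVELS = ["Insignificant", "Minor", "Major", "Very serious"]

# Numeric columns: scanned from the most serious row downward, the first
# lower bound the value meets decides that column's rating.
# "Thousands of customers" is taken as >= 1,000 and "hundreds" as below
# that; months/weeks/days are taken as 30/7/1 days (assumptions).
CUSTOMER_THRESHOLDS: List[Tuple[int, str]] = [
    (250_000, "Very serious"),
    (100_000, "Major"),
    (1_000, "Minor"),
]
DURATION_THRESHOLDS_HOURS: List[Tuple[float, str]] = [
    (30 * 24.0, "Very serious"),  # months
    (7 * 24.0, "Major"),          # weeks
    (24.0, "Minor"),              # days
]
GENERATION_THRESHOLDS_MW: List[Tuple[float, str]] = [
    (10_000.0, "Very serious"),
    (1_000.0, "Major"),
    (100.0, "Minor"),             # below this: "tolerable generation outage"
]
# Categorical columns: the chart's own row wording mapped to a level.
HEALTH_SAFETY: Dict[str, str] = {
    "numerous deaths": "Very serious",
    "scattered deaths": "Major",
    "minor injuries": "Minor",
    "none": "Insignificant",
}
STABILITY: Dict[str, str] = {
    "major transmission outages": "Very serious",
    "limited inter-tie disruption": "Major",
    "temporary islanding": "Minor",
    "no impact": "Insignificant",
}


@dataclass
class Scenario:
    name: str
    customers_out: int
    outage_hours: float
    mw_offline: float
    health_safety: str  # key of HEALTH_SAFETY
    stability: str      # key of STABILITY


def _rate_numeric(value: float, thresholds: List[Tuple[float, str]]) -> str:
    for lower_bound, level in thresholds:
        if value >= lower_bound:
            return level
    return "Insignificant"


def rate_scenario(s: Scenario) -> Dict[str, str]:
    """Return the per-column rating plus the overall (worst-column) severity."""
    ratings = {
        "public_health_safety": HEALTH_SAFETY[s.health_safety],
        "customer_outages": _rate_numeric(s.customers_out, CUSTOMER_THRESHOLDS),
        "outage_duration": _rate_numeric(s.outage_hours, DURATION_THRESHOLDS_HOURS),
        "power_system_stability": STABILITY[s.stability],
        "power_generation_impacts": _rate_numeric(s.mw_offline, GENERATION_THRESHOLDS_MW),
    }
    # Worst column wins: a single "Very serious" dimension rates the whole scenario.
    ratings["overall"] = max(ratings.values(), key=LEVELS.index)
    return ratings


# Constructed scenarios for illustration only (not from the presentation).
SCENARIOS = [
    Scenario("control-center SCADA loss, manual fallback", 5_000, 6.0, 50.0,
             "none", "temporary islanding"),
    Scenario("coordinated substation attack", 400_000, 21 * 24.0, 12_000.0,
             "scattered deaths", "major transmission outages"),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        print(sc.name, rate_scenario(sc))
```

The first constructed scenario rates Minor overall (thousands of customers, temporary islanding), the second Very serious, driven by customer count, stability and generation loss even though its duration and casualty columns only reach Major.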
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure the on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Asset/Information; Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont.)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers/Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program with policies and procedures, and routine audit and verification, to ensure personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, and tests for open ports and services and improper account management
• R5 – Classify, protect and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis, and that appropriate countermeasures are deployed as needed.
Important Terms (cont.)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
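The perimeter rule above (every interface into the CCA network is inventoried, justified as required, protected, and its use monitored) turned into a check, as an added example that is not part of the original presentation. It keeps a documented inventory of access points with their protections, reports inventory entries that are not required or lack strong authentication, encryption or monitoring, and then runs constructed perimeter-device log lines against the inventory to flag traffic into the ESP over an undocumented path, over a path marked "not required", or from a source outside that path's allowed list. The ESP network, the access-point names, the address ranges and every log line are constructed for illustration.

```python
"""Electronic Security Perimeter (ESP) access-path check (added example).

All networks, access-point names, protections and log lines below are
constructed for illustration; the log format is assumed, not a real device's.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed network to which the Critical Cyber Assets are connected.
ESP_NETWORK = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class AccessPoint:
    """One documented ESP access point and the protections applied to it."""
    name: str
    required: bool       # is this interface actually needed for operations?
    strong_auth: bool    # strong (multi-factor) authentication in place
    encrypted: bool      # VPN/encryption on the circuit
    monitored: bool      # access monitoring / intrusion detection covers it
    allowed_sources: Set[str] = field(default_factory=set)  # CIDR strings


# Documented access points (constructed). The dial-in modem is inventoried
# but marked not required: the slide's point is that such paths should go.
ACCESS_POINTS: Dict[str, AccessPoint] = {
    "corp-fw": AccessPoint("corp-fw", True, True, True, True, {"10.50.0.0/16"}),
    "iccp-link": AccessPoint("iccp-link", True, True, True, True, {"192.0.2.0/24"}),
    "modem-dialin": AccessPoint("modem-dialin", False, False, False, False, {"0.0.0.0/0"}),
}

# Constructed log lines: <interface> <src> -> <dst>:<port> <action>
LOG_LINES = [
    "corp-fw 10.50.3.7 -> 10.20.0.10:22 ALLOW",
    "corp-fw 198.51.100.9 -> 10.20.0.10:22 ALLOW",
    "modem-dialin 203.0.113.4 -> 10.20.0.30:23 ALLOW",
    "wifi-ap 10.20.0.99 -> 10.20.0.10:502 ALLOW",
    "iccp-link 192.0.2.8 -> 10.20.0.11:102 ALLOW",
]
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def review_inventory(points: Dict[str, AccessPoint] = ACCESS_POINTS) -> List[str]:
    """Findings about the documented access points themselves."""
    findings: List[str] = []
    for ap in points.values():
        if not ap.required:
            findings.append(f"{ap.name}: not required, remove or justify")
            continue
        for attr in ("strong_auth", "encrypted", "monitored"):
            if not getattr(ap, attr):
                findings.append(f"{ap.name}: missing {attr}")
    return findings


def review_log(lines: List[str], points: Dict[str, AccessPoint] = ACCESS_POINTS) -> List[str]:
    """Flag allowed traffic into the ESP that uses an undocumented path or source."""
    findings: List[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unparsed: {line!r}")
            continue
        iface, src, dst, _port, action = m.groups()
        # Only allowed traffic whose destination is inside the ESP matters here.
        if action != "ALLOW" or ipaddress.ip_address(dst) not in ESP_NETWORK:
            continue
        ap = points.get(iface)
        if ap is None:
            findings.append(f"{iface}: undocumented access point used by {src}")
        elif not ap.required:
            findings.append(f"{iface}: access via path marked not required from {src}")
        elif not any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                     for n in ap.allowed_sources):
            findings.append(f"{iface}: source {src} outside allowed list")
    return findings


if __name__ == "__main__":
    for f in review_inventory() + review_log(LOG_LINES):
        print(f)
```

Run against the constructed data, the inventory review reports the modem, and the log review reports the corporate-firewall connection from an unlisted source, the dial-in session and the wireless access point that never made it into the inventory; the two documented, in-policy connections produce nothing.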
The Electronic Perimeter
Establishing the "Electronic Perimeter"
[Diagram with labels: SCADA/EMS System/Facility; SCADA LAN; RTUs; Backup site SCADA/EMS System; Transmission Substations; Leased T1 line; IP to the substation; Dial-in IED access; Regional balancing authority, Transmission Operator or Reliability Coordinator; Corporate and Dept LAN; Gateway; Web server; Email; TelCo; ISP; INTERNET; WAN; A related system; Unprotected MODEM; Dial-out backup; WiFi AP; Doubly-connected workstations; Portable devices; Storage devices; Physical media. Several points are marked with an x in the original diagram.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont.)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont.)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a Facility with limited, monitored/controlled access points; within it SCADA Operations (Control Room, Computer/server Room, Telecom/LAN Room) behind its own limited, monitored/controlled access points with separate access rights; Office Areas; monitored hallways; controlled and monitored access]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont.)
Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
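A ports-and-services baseline check in the spirit of R2 above, added here as an example that is not part of the original presentation: each critical cyber asset carries a documented baseline of the listening ports it needs, plus documented exceptions for ports that cannot be disabled together with the compensating measure ("other measures where this is not possible"). A listening-socket snapshot is compared against the baseline and every extra port is reported as unnecessary, as a documented exception, or, for a host with no baseline at all, as unassessable. The host names, baselines, port numbers, program names and the snapshot format are all constructed for illustration.

```python
"""CIP-007 R2 style ports-and-services baseline check (added example).

Hosts, baselines, exceptions and the socket snapshot are constructed; the
snapshot's line format is an assumption, not any real tool's output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)


@dataclass
class Baseline:
    host: str
    required: Set[Port]
    # Ports that cannot be disabled, each with its documented compensating measure.
    exceptions: Dict[Port, str] = field(default_factory=dict)


# Constructed baselines for two hypothetical critical cyber assets.
BASELINES: Dict[str, Baseline] = {
    "ems-app-01": Baseline("ems-app-01", {("tcp", 22), ("tcp", 102)},
                           exceptions={("tcp", 135): "vendor RPC, blocked at ESP firewall"}),
    "rtu-gw-01": Baseline("rtu-gw-01", {("tcp", 20000)}),
}

# Constructed listening-socket snapshot: <host> <proto> <local_port> <program>
SNAPSHOT = """\
ems-app-01 tcp 22 sshd
ems-app-01 tcp 102 iccp
ems-app-01 tcp 135 rpcss
ems-app-01 udp 161 snmpd
ems-app-01 tcp 23 telnetd
rtu-gw-01 tcp 20000 dnp3
rtu-gw-01 tcp 80 httpd
"""


def parse_snapshot(text: str) -> Dict[str, Dict[Port, str]]:
    """Group the snapshot by host: {host: {(proto, port): program}}."""
    listening: Dict[str, Dict[Port, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, proto, port, program = line.split()
        listening.setdefault(host, {})[(proto, int(port))] = program
    return listening


@dataclass
class Finding:
    host: str
    port: Port
    program: str
    status: str  # "unnecessary", "exception" or "no-baseline"
    note: str = ""


def check_ports(text: str, baselines: Dict[str, Baseline] = BASELINES) -> List[Finding]:
    """Compare observed listeners with each host's baseline and report the extras."""
    findings: List[Finding] = []
    for host, sockets in parse_snapshot(text).items():
        base = baselines.get(host)
        if base is None:
            # A critical system without a documented baseline cannot be assessed;
            # every listener on it is reported so the baseline gets written.
            for port, program in sorted(sockets.items()):
                findings.append(Finding(host, port, program, "no-baseline"))
            continue
        for port, program in sorted(sockets.items()):
            if port in base.required:
                continue
            if port in base.exceptions:
                findings.append(Finding(host, port, program, "exception", base.exceptions[port]))
            else:
                findings.append(Finding(host, port, program, "unnecessary"))
    return findings


if __name__ == "__main__":
    for f in check_ports(SNAPSHOT):
        print(f.host, f.port, f.program, f.status, f.note)
```

On the constructed snapshot the check reports telnet and SNMP on the EMS application server and the web server on the RTU gateway as unnecessary, and the RPC port as a documented exception carrying its compensating measure; SSH, ICCP and DNP3 match the baselines and are silent.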
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures, to ensure recovery can be achieved.
copy Cyber SECurity Consulting - All rights reserved
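As an added example (not part of the slides or the consulting firm's material), the following Python script implements the backup-image checks that R4 and R5 call for: it recomputes each image's SHA-256 against a manifest recorded at capture time, and flags images whose last documented restore test is older than an assumed 90-day interval. The manifest layout, the file names and the interval are assumptions chosen for illustration.

```python
"""Backup-image integrity and restore-test recency check (CIP-009 R4/R5 style).

Added example, not from the slides. The manifest format, file names and the
90-day test interval are assumptions chosen for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

TEST_INTERVAL = timedelta(days=90)  # assumed restore-drill / media verification interval


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backups(manifest: dict, backup_dir: str, today: date) -> list:
    """Return one finding per manifest entry: integrity status and whether a restore test is due.

    manifest = {"images": [{"file": ..., "sha256": ..., "asset": ...,
                            "last_restore_test": "YYYY-MM-DD"}, ...]}  (assumed layout)
    """
    findings = []
    for entry in manifest["images"]:
        path = os.path.join(backup_dir, entry["file"])
        if not os.path.exists(path):
            status = "MISSING"            # image is gone from the restore cache
        elif sha256_of(path) != entry["sha256"]:
            status = "CORRUPT"            # image no longer matches the hash taken at capture time
        else:
            status = "OK"
        last_test = date.fromisoformat(entry["last_restore_test"])
        findings.append({
            "asset": entry["asset"],
            "file": entry["file"],
            "status": status,
            "restore_test_due": (today - last_test) > TEST_INTERVAL,
        })
    return findings


def build_sample():
    """Constructed sample: a temp directory with one good, one altered and one missing image."""
    d = tempfile.mkdtemp()
    good = b"EMS server image v1 (constructed sample)"
    with open(os.path.join(d, "ems01.img"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "rtu-gw.img"), "wb") as f:
        f.write(b"RTU gateway image (constructed, altered after the manifest was written)")
    manifest = {"images": [
        {"file": "ems01.img", "sha256": hashlib.sha256(good).hexdigest(),
         "asset": "EMS-01", "last_restore_test": "2024-01-15"},
        {"file": "rtu-gw.img", "sha256": hashlib.sha256(b"original").hexdigest(),
         "asset": "RTU-GW", "last_restore_test": "2024-05-01"},
        {"file": "hist01.img", "sha256": "0" * 64,   # placeholder hash; file never written
         "asset": "HIST-01", "last_restore_test": "2024-05-20"},
    ]}
    return manifest, d


if __name__ == "__main__":
    m, d = build_sample()
    print(json.dumps(verify_backups(m, d, date(2024, 6, 1)), indent=2))
```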
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
• Review findings versus NERC requirements
• Determine non-compliance levels
• Develop an action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test and commissioning procedures
Supporting activities: disaster simulation & audits, structured audit.
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 – The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
Timeline: 2007 Q2 through 2010 Q4, by quarter
Milestones charted per requirement: Begin Work (BW), Substantial Completion (SC), Completion (C), Auditable Compliance (AC)
Requirements charted: CIP 002 R1–R4; CIP 003 R1–R6; CIP 004 R1–R4; CIP 005 R1–R5; CIP 006 R1–R6; CIP 007 R1–R9; CIP 008 R1–R2; CIP 009 R1–R5
(Chart: milestone markers by quarter for each requirement; not reproduced in this transcript.)
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
Timeline: 2007 Q2 through 2010 Q4, by quarter
Milestones charted per requirement: Begin Work (BW), Substantial Completion (SC), Completion (C), Auditable Compliance (AC)
Requirements charted: CIP 002 R1–R4; CIP 003 R1–R6; CIP 004 R1–R4; CIP 005 R1–R5; CIP 006 R1–R6; CIP 007 R1–R9; CIP 008 R1–R2; CIP 009 R1–R5
(Chart: milestone markers by quarter for each requirement; not reproduced in this transcript.)
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard
Timeline: 2007 Q2 through 2010 Q4, by quarter
Milestones charted per requirement: Begin Work (BW), Substantial Completion (SC), Completion (C), Auditable Compliance (AC)
Requirements charted: CIP 002 R1–R4; CIP 003 R1–R6; CIP 004 R1–R4; CIP 005 R1–R5; CIP 006 R1–R6; CIP 007 R1–R9; CIP 008 R1–R2; CIP 009 R1–R5
(Chart: milestone markers by quarter for each requirement; not reproduced in this transcript.)
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006
Timeline: 2007 Q1 through 2010 Q4, by quarter
Milestones charted per requirement: Begin Work (BW), Substantial Completion (SC), Completion (C), Auditable Compliance (AC)
Requirements charted: CIP 002 R1–R4; CIP 003 R1–R6; CIP 004 R1–R4; CIP 005 R1–R5; CIP 006 R1–R6; CIP 007 R1–R9; CIP 008 R1–R2; CIP 009 R1–R5
(Chart: milestone markers by quarter for each requirement; not reproduced in this transcript.)
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Timeline: registration plus Q1 through Q11 (quarters counted from the registration date)
Milestones charted per requirement: Begin Work (BW), Substantial Completion (SC), Completion (C), Auditable Compliance (AC)
Requirements charted: CIP 002 R1–R4; CIP 003 R1–R6; CIP 004 R1–R4; CIP 005 R1–R5; CIP 006 R1–R6; CIP 007 R1–R9; CIP 008 R1–R2; CIP 009 R1–R5
(Chart: milestone markers by quarter for each requirement; not reproduced in this transcript.)
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions
Evolution of the Standards
NERC 1200 => 1300 Standard requirements
NERC 1200:
1201 Cyber Security Policy
1202 Critical Cyber Assets
1203 Electronic Security Perimeter
1204 Electronic Access Controls
1205 Physical Security Perimeter
1206 Physical Access Controls
1207 Personnel
1208 Monitoring Physical Access
1209 Monitoring Electronic Access
1210 Information Protection
1211 Training
1212 Systems Management
1213 Test Procedures
1214 Electronic Incident Response Actions
1215 Physical Incident Response Actions
1216 Recovery Plans
NERC 1300:
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
Evolution of the Standards
NERC 1300 => CIPs Standard requirements
NERC 1300:
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
CIPs:
CIP 001 Sabotage Reporting
CIP 002 Critical Cyber Assets
CIP 003 Security Management Controls
CIP 004 Personnel & Training
CIP 005 Electronic Security
CIP 006 Physical Security of CCA
CIP 007 Systems Security Management
CIP 008 Incident Reporting/Response Planning
CIP 009 Recovery Plans for CCA
Important Terms
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged, degraded or otherwise rendered unavailable, would have
(1) a significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) a detrimental impact on the reliability or operability of the Bulk Electric System, or
(3) would cause significant risk to public health and safety.
Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs), one of the major changes was the broadening of the definition of Critical Assets, to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.
Also note that no specific quantization was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont.)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged, degraded or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
(Diagram: the sets Assets, Cyber Assets and Critical Assets, with Critical Cyber Assets at their overlap.)
Electrical Grid 101
(Diagram: generating plants (G) and distributed generation (DG) feeding loads through the transmission grid, sub-transmission and the distribution grid; labelled elements are generating plants, transmission substations, transmission lines, the system interconnect, distribution substations and distributed generation.)
Electrical Grid 101 – Continental Network
Regional Reliability Councils – NERC:
ECAR – East Central Area Reliability Coordination Agreement
ERCOT – Electric Reliability Council of Texas
FRCC – Florida Reliability Coordinating Council
MAAC – Mid-Atlantic Area Council
MAIN – Mid-America Interconnected Network
MAPP – Mid-Continent Area Power Pool
NPCC – Northeast Power Coordinating Council
SERC – Southeastern Electric Reliability Council
SPP – Southwest Power Pool
WSCC – Western Systems Coordinating Council
Interconnects shown: Western Interconnect, Eastern Interconnect, Texas Interconnect; ISOs shown: California ISO, New England ISO, New York ISO.
Critical Cyber Assets
(Diagram: a Regional Authority (RTO, ISO, EMS) connected to the entity's SCADA/EMS, which exchanges data with adjacent entities' EMS systems and controls substation controls and power plant DCS systems.)
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule – Generalized
Compliance Schedule for Most Entities
(Chart: for each CIP 00x, requirements R1, R2, R3, R4 ... Rx plotted across 2007 Q1 through 2010 Q4, each passing through the milestones Begin Work, Substantial Completion, Completion and Auditable Compliance.)
Each CIP is composed of a set of requirements.
Most requirements must achieve AC by end of 2010.
Some requirements must achieve AC by end of 2009.
CIP 001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification.
• R1 – Identify and inventory critical electric system assets.
• R2 – Identify and inventory critical cyber assets.
• R3 – Perform annual (and as-needed) reviews of these inventories.
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack):

Severity                   | Public health and safety             | Customer outages       | Outage duration | Power system stability          | Power generation impacts
Very serious consequences  | Numerous deaths and serious injuries | > 250,000 customers    | Months          | Major transmission line outages | > 10,000 MW put offline
Major consequences         | Scattered deaths or serious injuries | > 100,000 customers    | Weeks           | Limited inter-tie disruption    | > 1,000 MW put offline
Minor consequences         | Minor, non-life-threatening injuries | Thousands of customers | Days            | Temporary islanding             | > 100 MW put offline
Insignificant consequences | None of significance                 | Hundreds of customers  | Hours           | No impact                       | Tolerable generation outage
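As an added example (not the slides' own material), the Python below carries the CIP-002 procedure through in code: it rates a power asset by the worst of its five consequence columns using the chart above, treats assets rated Major or worse as Critical Assets, and then selects the Critical Cyber Assets that support them. The routable-protocol / remote-access filter is the CIP-002-1 R3 criterion that the "Potential Critical Cyber Assets" list alludes to; the Major threshold, the numeric cut-offs derived from the chart and the sample assets are assumptions.

```python
"""CIP-002 style identification of Critical Assets and Critical Cyber Assets.

Added example, not from the slides. Applies the consequence rating chart
(worst rating across the five categories), an assumed "Major or worse means
Critical" threshold, and the CIP-002-1 R3 routable/remote-access filter for
Critical Cyber Assets. All sample assets are constructed.
"""
from dataclasses import dataclass

SEVERITY = ["insignificant", "minor", "major", "very_serious"]

# Quantitative chart columns: value at or above which the minor, major and
# very serious levels apply (hours and MW cut-offs are assumptions from the chart wording).
CUSTOMER_THRESHOLDS = [1_000, 100_000, 250_000]   # customers losing service
DURATION_THRESHOLDS_H = [24, 24 * 7, 24 * 30]     # days, weeks, months
MW_THRESHOLDS = [100, 1_000, 10_000]              # MW put offline
# Qualitative chart columns map directly to a severity index.
SAFETY = {"none": 0, "minor_injuries": 1, "scattered_deaths": 2, "numerous_deaths": 3}
STABILITY = {"no_impact": 0, "temporary_islanding": 1,
             "inter_tie_disruption": 2, "major_line_outages": 3}


def level_for(value: float, thresholds: list) -> int:
    """Severity index = number of level thresholds the value meets or exceeds."""
    return sum(1 for t in thresholds if value >= t)


@dataclass
class Consequence:
    safety: str            # key of SAFETY
    customers: int         # customers that would lose service
    duration_hours: float  # expected outage duration
    stability: str         # key of STABILITY
    mw_offline: float      # generation put offline


@dataclass
class PowerAsset:
    name: str
    worst_case: Consequence   # worst credible consequence of losing the asset


@dataclass
class CyberAsset:
    name: str
    supports: list                           # power assets whose operation depends on it
    routable_beyond_facility: bool = False   # IP-based network extending outside the facility
    remote_access: bool = False              # dial-up, remote LAN or Internet access


def rate(c: Consequence) -> str:
    """Overall severity is the worst rating across the five chart columns."""
    worst = max(
        SAFETY[c.safety],
        level_for(c.customers, CUSTOMER_THRESHOLDS),
        level_for(c.duration_hours, DURATION_THRESHOLDS_H),
        STABILITY[c.stability],
        level_for(c.mw_offline, MW_THRESHOLDS),
    )
    return SEVERITY[worst]


def critical_assets(assets: list, threshold: str = "major") -> set:
    """Assumption: an asset whose worst-case rating is Major or worse is a Critical Asset."""
    cut = SEVERITY.index(threshold)
    return {a.name for a in assets if SEVERITY.index(rate(a.worst_case)) >= cut}


def critical_cyber_assets(cyber: list, crit_names: set) -> list:
    """CCA = essential to a Critical Asset AND reachable via a routable protocol beyond
    the facility or via remote access (CIP-002-1 R3 criterion)."""
    return sorted(
        c.name for c in cyber
        if set(c.supports) & crit_names and (c.routable_beyond_facility or c.remote_access)
    )


def sample():
    """Constructed sample: a control center, a black-start plant and a small peaker."""
    assets = [
        PowerAsset("Control Center EMS",
                   Consequence("scattered_deaths", 300_000, 24 * 10, "major_line_outages", 4_000)),
        PowerAsset("Black-start plant",
                   Consequence("none", 50_000, 24 * 3, "inter_tie_disruption", 600)),
        PowerAsset("Peaker unit",
                   Consequence("none", 2_000, 6, "no_impact", 60)),
    ]
    cyber = [
        CyberAsset("EMS server", ["Control Center EMS"], routable_beyond_facility=True),
        CyberAsset("ICCP gateway", ["Control Center EMS"], routable_beyond_facility=True),
        CyberAsset("Plant DCS", ["Black-start plant"], remote_access=True),
        CyberAsset("Plant historian", ["Black-start plant"]),   # isolated: essential but not a CCA
        CyberAsset("Peaker PLC", ["Peaker unit"], remote_access=True),  # supports a non-critical asset
    ]
    return assets, cyber


if __name__ == "__main__":
    assets, cyber = sample()
    for a in assets:
        print(f"{a.name}: {rate(a.worst_case)}")
    ca = critical_assets(assets)
    print("Critical Assets:", sorted(ca))
    print("Critical Cyber Assets:", critical_cyber_assets(cyber, ca))
```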
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards.
• R2 – Assign a senior manager to be responsible and accountable.
• R3 – Document and justify all exceptions to the policy.
• R4 – Establish information protection policies and procedures.
• R5 – Implement policies and procedures for information access controls.
• R6 – Implement a change-management procedure for all critical cyber assets.
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhere to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
• Security Policy: Information Security Policies
• Organizational Security: Information Security Infrastructure; Security of Third-Party Access; Outsourcing
• Asset/Information Classification and Control: Accountability for Asset/Information Classification; Information access procedures
• Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security in Job Definition and Resourcing; User Training; Responding to Security Incidents and Malfunctions
• Physical and Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
• Communications and Operations Management: Operational Procedures and Responsibilities; System Planning and Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges of Information and Software
• Physical/Electronic Access Control: Business Requirement for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access and Use; Mobile Computing
• Auditing and Review Policy
• Systems Development and Maintenance: Security Requirements of Systems; Security in Application Systems; Cryptographic Controls; Security of System Files; Security in Development and Support Processes
• Operational Continuity Management: Incident reporting/response; Recovery planning and testing
• Compliance: Compliance with Legal Requirements (SOX, HIPAA); Compliance with NERC 1200/1300; Reviews of Security Policy and Technical Compliance; System Audit Considerations
• High-Level Information Security Policy
• Detailed Information Security Policy
• Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup and Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
• External Communications Security Policy
• Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
• Electronic Mail Policy
• IM Policy
• Web Browsing Policy
Security Policies (Cont.)
• Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment of Access Paths; Computer Viruses, Worms and Trojan Horses; Data and Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs and Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security of Computer and Communications Gear; Exceptions and violations
• Internet Security Policy for Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
• Privacy Policy – Stringent: Overview and Applicability; Definitions; Specific Requirements; Information to Be Given to the Individual; Individual's Right of Access to Data; Individual's Right to Object; Disclosure of Personal Data to Third Parties; Processing Confidentiality and Security; Monitoring of Internal Activities
• Privacy Policy – Lenient: Company Intentions and Management Responsibilities; Disclosure of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
• Web Privacy Policy
• Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping and Handling; Declassification and Downgrading; Destruction and Disposal; Physical Security; Special Considerations for Secret Information
• External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems with Disclosure Processes; Required Disclosure Records; Preparing Information for Disclosure
• Information Ownership Policy
• Firewall Policy
• Download Policy
• Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
• External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption and Public Key Infrastructure Considerations; Change Control and Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel amp TrainingCIP-004 Personnel amp Training
Required Initial Actions
Create a program with policies and procedures and routine audit and verification to insure personnel have job-appropriate access rights cyber security training and are suitable for the positions of trust assigned to them
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
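As an added illustration of R4 and of the on-going review just described (example code written for this page, not material from the presentation or from NERC): a small review that compares the access grants actually configured with a personnel roster and a role-to-access matrix, and flags grants the holder's job does not justify, grants still held by people who are no longer active, and active holders whose background check or training has lapsed. The roster, roles, grants and the seven-year recheck and annual training intervals are constructed assumptions for the example, not NERC figures.

```python
"""Access-rights review in the spirit of CIP-004 R4 (added example, not from the page)."""
from datetime import date

# Constructed sample roster: hypothetical people, roles, status and qualification dates.
ROSTER = {
    "jdoe":   {"role": "scada_operator", "active": True,
               "bg_check": date(2007, 3, 1), "training": date(2008, 1, 15)},
    "asmith": {"role": "field_tech", "active": True,
               "bg_check": date(2000, 6, 1), "training": date(2007, 11, 2)},
    "bjones": {"role": "it_admin", "active": False,
               "bg_check": date(2006, 9, 9), "training": date(2007, 9, 9)},
    "ckim":   {"role": "engineer", "active": True,
               "bg_check": date(2007, 5, 5), "training": date(2006, 5, 5)},
}

# Which physical and electronic access rights each job role justifies (constructed).
ROLE_ACCESS = {
    "scada_operator": {"control_room_physical", "ems_console"},
    "field_tech": {"substation_physical", "rtu_maintenance"},
    "it_admin": {"server_room_physical", "ems_server_admin"},
    "engineer": {"engineering_lan", "ems_console"},
}

# Grants as currently configured in the badge and account systems (constructed).
GRANTS = [
    ("jdoe", "control_room_physical"),
    ("jdoe", "ems_console"),
    ("jdoe", "ems_server_admin"),        # not justified by the scada_operator role
    ("asmith", "substation_physical"),
    ("bjones", "server_room_physical"),  # holder is no longer active
    ("ckim", "engineering_lan"),
]

# Requalification intervals; both are assumptions for the example, not NERC figures.
BG_CHECK_MAX_AGE_DAYS = 7 * 365
TRAINING_MAX_AGE_DAYS = 365

# Date of the review run used by the stand-alone demo below (constructed).
REVIEW_DATE = date(2008, 6, 1)


def review_access(roster, role_access, grants, today):
    """Return (finding, person, right) tuples; right is None for qualification findings."""
    findings = []
    for user, right in grants:
        person = roster.get(user)
        if person is None:
            findings.append(("unknown_holder", user, right))
        elif not person["active"]:
            findings.append(("inactive_holder", user, right))
        elif right not in role_access.get(person["role"], set()):
            findings.append(("not_job_required", user, right))
    # Every active holder of at least one grant must still be qualified.
    for user in sorted({u for u, _ in grants}):
        person = roster.get(user)
        if person is None or not person["active"]:
            continue
        if (today - person["bg_check"]).days > BG_CHECK_MAX_AGE_DAYS:
            findings.append(("background_check_expired", user, None))
        if (today - person["training"]).days > TRAINING_MAX_AGE_DAYS:
            findings.append(("training_expired", user, None))
    return findings


if __name__ == "__main__":
    for finding in review_access(ROSTER, ROLE_ACCESS, GRANTS, REVIEW_DATE):
        print(*finding)
```

Run against real data, the roster comes from HR, the role matrix is the documented mapping of access rights to job requirements that R4 asks for, and the grants are exported from the badge and account systems; every finding is then either remediated or recorded as a documented exception.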
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and improper account management
• R5 – Classify, protect and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN/WAN/WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Figure: diagram of a SCADA/EMS system facility (control room, SCADA LAN, Dept LAN, corporate network) with every crossing of the electronic perimeter marked: gateway, web server and e-mail to the Internet via an ISP; TelCo WAN links to a related system; an unprotected modem; a dial-out backup link; a leased T1 line and IP links to the transmission substations, including dial-in IED access; links to RTUs; a backup-site SCADA/EMS system; WiFi access points; doubly-connected workstations; portable devices, storage devices and physical media; and the link to the Regional Balancing Authority, Transmission Operator or Reliability Coordinator.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
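The access monitoring and intrusion detection that CIP-005 R3 and the perimeter discussion above call for, as an added example that is not part of the presentation: a review pass over perimeter access-point log lines. The key=value line format, the access-point names, the addresses and the account list are all constructed for the example; real gateways, RAS servers and IDS sensors have their own formats and need their own parsers. Each event is checked against the documented access points, the authorized account list and the network each access point is expected to be reached from, and bursts of failed authentication are escalated.

```python
"""Review of perimeter access-point logs (added example, not from the page)."""
import ipaddress
import re
from collections import deque
from datetime import datetime

# Constructed sample log lines in a simplified key=value format (not a real product's format).
LOG_LINES = """\
2008-03-04T02:13:05 ems-gw access user=oper1 src=10.20.30.5 result=ok
2008-03-04T02:13:40 ems-gw access user=vendor9 src=203.0.113.8 result=fail
2008-03-04T02:13:41 ems-gw access user=vendor9 src=203.0.113.8 result=fail
2008-03-04T02:13:43 ems-gw access user=vendor9 src=203.0.113.8 result=fail
2008-03-04T02:13:46 ems-gw access user=vendor9 src=203.0.113.8 result=fail
2008-03-04T02:13:50 ems-gw access user=vendor9 src=203.0.113.8 result=fail
2008-03-04T02:20:00 ems-gw access user=oper2 src=10.20.30.6 result=ok
2008-03-04T03:05:12 dialup-ras access user=tech4 src=192.0.2.77 result=ok
2008-03-04T04:00:00 eng-modem access user=eng1 src=192.0.2.90 result=ok
2008-03-04T09:00:00 ems-gw access user=svc_backup src=198.51.100.20 result=ok
"""

# Documented access points and the network each should be reached from (constructed).
ACCESS_POINTS = {
    "ems-gw": [ipaddress.ip_network("10.20.30.0/24")],     # SCADA LAN side of the gateway
    "dialup-ras": [ipaddress.ip_network("192.0.2.0/24")],  # telco dial-in pool
}
AUTHORIZED_ACCOUNTS = {"oper1", "oper2", "tech4", "vendor9", "eng1"}
FAIL_THRESHOLD = 5          # this many failed attempts ...
FAIL_WINDOW_SECONDS = 60    # ... within this many seconds is escalated

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) access user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def analyze(lines, access_points=ACCESS_POINTS, authorized=AUTHORIZED_ACCOUNTS):
    """Return (finding, detail) tuples in the order they are raised."""
    findings = []
    failures = {}  # (user, src) -> timestamps of failures inside the sliding window
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            if raw.strip():
                findings.append(("unparsed_line", raw.strip()))
            continue
        nets = access_points.get(ev["ap"])
        if nets is None:
            findings.append(("undocumented_access_point", ev["ap"]))
        if ev["user"] not in authorized:
            findings.append(("unauthorized_account", ev["user"]))
        if ev["result"] == "ok" and nets is not None and not any(ev["src"] in n for n in nets):
            findings.append(("success_from_unexpected_network", f"{ev['user']}@{ev['src']}"))
        if ev["result"] == "fail":
            key = (ev["user"], str(ev["src"]))
            q = failures.setdefault(key, deque())
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                findings.append(("auth_failure_burst", f"{key[0]}@{key[1]}"))
                q.clear()  # report each burst once
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES.splitlines()):
        print(*finding)
```

The undocumented access point finding is the one that matters most for R1: an access point that appears in logs but not in the perimeter documentation is exactly the "is it actually required" question the slide raises.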
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Figure: floor plan of a facility in which the SCADA Operations area (Control Room, Computer/server Room, Telecom/LAN Room) is separated from the Office Areas; limited, monitored and controlled access points at the facility entrance and again at the SCADA Operations area, monitored hallways between them, and separate access rights for each zone.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
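One way to make R2 auditable rather than a one-time hardening step, as an added example written for this page (not the presentation's or NERC's material): compare what a critical host is actually listening on against a documented baseline of permitted ports, the interface each may bind to, and the justification for each. The listing below is constructed in the column layout of `ss -lntu` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the baseline entries and their justifications are assumptions for the example.

```python
"""Listening-port baseline check for CIP-007 R2 (added example, not from the page)."""

# Constructed sample in the column layout of `ss -lntu` output.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2404       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Documented baseline for this host (constructed): what may listen, on which
# interfaces, and why. "loopback" means only 127.0.0.1 / ::1 may be bound.
BASELINE = {
    ("tcp", 22):   {"bind": "any",      "why": "SSH for administration from the SCADA LAN"},
    ("tcp", 2404): {"bind": "any",      "why": "IEC 60870-5-104 polling of substation RTUs"},
    ("tcp", 502):  {"bind": "any",      "why": "Modbus/TCP to plant gateway"},
    ("tcp", 5432): {"bind": "loopback", "why": "historian database, local clients only"},
    ("udp", 161):  {"bind": "any",      "why": "SNMP read-only monitoring"},
}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(text):
    """Parse `ss -lntu` style output into {proto, addr, port} dicts, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        netid, _state, _recvq, _sendq, local, _peer = parts[:6]
        addr, port = local.rsplit(":", 1)   # handles "[::]:22" as well as "0.0.0.0:22"
        listeners.append({"proto": netid, "addr": addr, "port": int(port)})
    return listeners


def check_baseline(listeners, baseline):
    """Return (finding, detail) tuples for deviations between listeners and baseline."""
    findings = []
    seen = set()
    for l in listeners:
        key = (l["proto"], l["port"])
        seen.add(key)
        rule = baseline.get(key)
        where = f"{l['proto']}/{l['port']} on {l['addr']}"
        if rule is None:
            findings.append(("unexpected_listener", where))
        elif rule["bind"] == "loopback" and l["addr"] not in LOOPBACK:
            findings.append(("bound_wider_than_baseline", where))
    # A baseline service that is not listening is also a finding: either the
    # documentation is stale or a required service is down.
    for key, rule in baseline.items():
        if key not in seen:
            findings.append(("expected_service_missing", f"{key[0]}/{key[1]}: {rule['why']}"))
    return findings


def audit(text=SS_OUTPUT, baseline=BASELINE):
    return check_baseline(parse_ss(text), baseline)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

The telnet and portmapper listeners are the R2 case proper (disable them, or document compensating measures where that is not possible); the database bound to all interfaces is the subtler case where a service is permitted but exposed more widely than the baseline allows.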
Systems Security Management (Cont)
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies and also practice the procedures to ensure recovery can be achieved.
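The R4 backup images and the R5 periodic media test above, as an added example written for this page (not from the presentation): a manifest of SHA-256 digests is recorded when the backup set is made, and the periodic test re-reads every file on the media and compares it with the manifest, reporting files that are missing, whose contents no longer match (media degradation or tampering) and files that were added since. The backup set, its file names and the simulated media problems are constructed in a temporary directory so the example runs offline; a real manifest would be stored apart from the media it describes.

```python
"""Backup-set integrity check for CIP-009 R4/R5 (added example, not from the page)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Digest a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file (relative POSIX path) in the backup set to its digest and size."""
    backup_dir = Path(backup_dir)
    return {
        p.relative_to(backup_dir).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Compare the media contents with a previously recorded manifest."""
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    current = build_manifest(backup_dir)
    for name, meta in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != meta["sha256"]:
            report["corrupt"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Build a constructed backup set, record its manifest, damage it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "ems_backup_2008q1"   # hypothetical backup set name
        (backup / "db").mkdir(parents=True)
        (backup / "ems_image.bin").write_bytes(b"\x00" * 4096 + b"EMS-IMAGE")
        (backup / "db" / "historian.dump").write_bytes(b"historian rows ...")
        (backup / "restore_procedure.txt").write_text("1. Power on spare server\n2. Restore image\n")

        manifest_path = Path(tmp) / "manifest.json"  # would live off the media in practice
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Simulated media problems: one flipped byte, one lost file, one stray file.
        (backup / "ems_image.bin").write_bytes(b"\x00" * 4095 + b"\xff" + b"EMS-IMAGE")
        (backup / "db" / "historian.dump").unlink()
        (backup / "stray.tmp").write_text("leftover")

        return verify_backup(backup, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

A test that only confirms the media mounts and the files are present would pass the damaged set above; the digest comparison is what turns R5 into a check that the backup can actually be restored from.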
Cyber Securing SCADA Systems: NERC Self Assessment Process
[Figure: flowchart of the self-assessment process; key methodology/standard: NERC 1200.]
Information gathering phase:
- Identify and document Critical Cyber Assets
- Identify and document Critical Cyber Information
- Identify and document the Physical Security Perimeter
- Identify and document communication and network connections
- Identify and document all personnel who have access rights
- Identify and review all existing cyber security policies and procedures
Supporting activities: physical audits, physical inspections, background checks, NERC checklist.
Action plan formulation phase:
- Review findings versus NERC requirements (non-compliance levels)
- Develop an action plan for addressing all short-comings
Cyber Securing SCADA Systems: NERC Compliance Process
[Figure: flowchart of the compliance process, with a key methodology/standard reference.]
Plan implementation phase:
- Develop and document necessary policies and procedures
- Select methods for creating the electronic security perimeter
- Implement and test the electronic perimeter
- Select methods for creating the physical security perimeter
- Implement and test the physical security perimeter
- Provide security training to all employees as needed
Supporting activities: iterative reviews, technology surveys, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
- Test and validate systems management and recovery procedures
- Test and validate system/component test/commissioning procedures
- Disaster simulation & audits
- Structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs (cont)
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance of the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and leaving the identification methodology up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs (cont)
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs (cont)
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Table: quarterly timeline from Q2 2007 through Q4 2010 with one row per standard and its requirements: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5. Each row carries milestone markers for the four implementation stages BW, SC, C and AC (begin work, substantially compliant, compliant, auditably compliant); the quarter of each marker is not given in the text.]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Table: quarterly timeline from Q2 2007 through Q4 2010 with the same rows as the Control Centers table (CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5) and BW, SC, C and AC milestone markers per row; the quarter of each marker is not given in the text.]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Table: quarterly timeline from Q2 2007 through Q4 2010 with rows CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5 and BW, SC, C and AC milestone markers per row; the quarter of each marker is not given in the text.]
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Table: quarterly timeline from Q1 2007 through Q4 2010 with rows CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5 and BW, SC, C and AC milestone markers per row; the quarter of each marker is not given in the text.]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Table: timeline in quarters after registration (Registration plus Q1 through Q11) with rows CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5 and BW, SC, C and AC milestone markers per row; the quarter of each marker is not given in the text.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions
A Brief Timeline
[Figure: timeline from 2001 to today with, in order: 9/11-2001 attacks; White House issues directives; DHS issues directives; NERC releases UAS-1200; Northeast Blackout occurs; NERC updates to 1300; NERC revises as CIPs; NERC designated ERO; FERC mandates CIPs. Years marked 2001 through 2010 and "Today", with a "Three years" span leading to "Must be auditably compliant".]
Evolution of the Standards
NERC 1200 => 1300 Standard requirements
1201 Cyber Security Policy
1202 Critical Cyber Assets
1203 Electronic Security Perimeter
1204 Electronic Access Controls
1205 Physical Security Perimeter
1206 Physical Access Controls
1207 Personnel
1208 Monitoring Physical Access
1209 Monitoring Electronic Access
1210 Information Protection
1211 Training
1212 Systems Management
1213 Test Procedures
1214 Electronic Incident Response Actions
1215 Physical Incident Response Actions
1216 Recovery Plans
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
Evolution of the Standards (cont)
NERC 1300 => CIPs Standard requirements
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
CIP 001 Sabotage Reporting
CIP 002 Critical Cyber Assets
CIP 003 Security Management Controls
CIP 004 Personnel & Training
CIP 005 Electronic Security
CIP 006 Physical Security of CCA
CIP 007 Systems Security Management
CIP 008 Incident Reporting/Response Planning
CIP 009 Recovery Plans for CCA
Important Terms
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded or otherwise rendered unavailable, would have a
(1) significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) would have a detrimental impact on the reliability or operability of the Bulk Electric System,
(3) or would cause significant risk to public health and safety.
Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs) one of the major changes was the broadening of the definition of Critical Assets to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.
Also note that no specific quantization was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
[Figure: Venn diagram of Assets, Cyber Assets and Critical Assets, with Critical Cyber Assets as the intersection of Cyber Assets and Critical Assets.]
Electrical Grid 101
[Figure: one-line diagram of the grid: generating plants (G) feeding the Transmission Grid through transmission substations and transmission lines, a system interconnect, the Sub-Transmission level, and the Distribution Grid whose distribution substations serve the loads; distributed generation (DG) connects at the distribution level.]
Electrical Grid 101 – Continental Network
[Figure: map of the North American grid showing the Western Interconnect, Eastern Interconnect and Texas Interconnect, the California ISO, New England ISO and New York ISO, and the NERC Regional Reliability Councils listed below.]
Regional Reliability Councils - NERC:
ECAR — East Central Area Reliability Coordination Agreement
ERCOT — Electric Reliability Council of Texas
FRCC — Florida Reliability Coordinating Council
MAAC — Mid-Atlantic Area Council
MAIN — Mid-America Interconnected Network
MAPP — Mid-Continent Area Power Pool
NPCC — Northeast Power Coordinating Council
SERC — Southeastern Electric Reliability Council
SPP — Southwest Power Pool
WSCC — Western Systems Coordinating Council
Critical Cyber Assets
[Figure: hierarchy of control systems: the Regional Authority (RTO, ISO, EMS) above the entity's SCADA/EMS, which exchanges data with Adjacent Entity EMS systems and supervises the Substation Controls and Power Plant DCS systems.]
copy Cyber SECurity Consulting - All rights reserved
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc
Compliance Schedule – Generalized
(Chart: compliance schedule for most entities, quarters 2007 Q1 through 2010 Q4, with the Begin Work, Substantial Completion, Completion and Auditable Compliance milestones plotted for each CIP 00x requirement R1 ... Rx; "Today" is marked on the timeline.)
Each CIP is composed of a set of requirements. Most requirements must achieve AC (Auditable Compliance) by end of 2010; some requirements must achieve AC by end of 2009.
CIP-001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk-based assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R2 – Identify and inventory critical electric system assets
• R3 – Identify and inventory critical cyber assets
• R4 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
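The identification pass described above, worked through in code as an added example (it is not part of the original presentation). It applies the Critical Asset criteria from the "Critical Assets (Power System)" slide and the connectivity criteria from the "Potential Critical Cyber Assets" slide to a constructed inventory. The asset names, the dataclass fields, the per-region "largest single contingency" figure (treated here as a planning input rather than derived) and the inventory itself are assumptions made for the illustration.

```python
"""Worked CIP-002 identification pass over a constructed asset inventory.
Applies the Critical Asset criteria and the Critical Cyber Asset connectivity
criteria listed on the slides.  Inventory, names and the largest-contingency
figure are constructed for illustration, not real utility data."""
from dataclasses import dataclass, field

LOAD_SHED_MW = 300.0          # "automated load shedding ... 300 MW or more"
CONTINGENCY_FRACTION = 0.80   # "80% of the largest single contingency"


@dataclass
class CyberAsset:
    name: str
    essential: bool                  # essential to reliable operation of the parent asset
    routable_outside: bool = False   # routable (IP) protocol on a network leaving the site
    remote_access: bool = False      # remote telephone / dial-up, LAN or Internet access


@dataclass
class PowerAsset:
    name: str
    kind: str                  # control_center | substation | plant | gen_control_center | load_shed
    region: str = ""
    mw: float = 0.0            # capacity, controlled generation, or sheddable load
    blackstart: bool = False
    supports_irol: bool = False
    restoration_path: bool = False
    cyber_assets: list = field(default_factory=list)


def is_critical_asset(asset, largest_contingency_mw):
    """largest_contingency_mw: region -> MW of the largest single contingency
    (assumed planning input for this example)."""
    if asset.kind == "control_center":
        return True                                   # primary and backup control centers
    if asset.kind == "substation":
        return asset.supports_irol or asset.restoration_path
    if asset.kind in ("plant", "gen_control_center"):
        threshold = CONTINGENCY_FRACTION * largest_contingency_mw.get(asset.region, 0.0)
        return asset.blackstart or (threshold > 0 and asset.mw >= threshold)
    if asset.kind == "load_shed":
        return asset.mw >= LOAD_SHED_MW
    return False


def identify(inventory, largest_contingency_mw):
    """Return (critical asset names, [(critical asset, critical cyber asset), ...])."""
    critical = [a for a in inventory if is_critical_asset(a, largest_contingency_mw)]
    ccas = []
    for a in critical:
        for c in a.cyber_assets:
            # Qualifies only if essential to a Critical Asset AND reachable the way
            # the slide describes: routable protocol leaving the site, or remote access.
            if c.essential and (c.routable_outside or c.remote_access):
                ccas.append((a.name, c.name))
    return [a.name for a in critical], ccas


# Constructed inventory (not real utility data).
INVENTORY = [
    PowerAsset("Primary Control Center", "control_center", cyber_assets=[
        CyberAsset("EMS server", True, routable_outside=True),
        CyberAsset("Historian", False, routable_outside=True),   # reachable but not essential
        CyberAsset("Operator console", True),                    # essential but not reachable
    ]),
    PowerAsset("Substation A", "substation", supports_irol=True, cyber_assets=[
        CyberAsset("RTU-A", True, routable_outside=True),
        CyberAsset("Line relay IED", True, remote_access=True),  # dial-in IED access
    ]),
    PowerAsset("Substation B", "substation", cyber_assets=[
        CyberAsset("RTU-B", True, routable_outside=True),        # parent is not a Critical Asset
    ]),
    PowerAsset("Plant X", "plant", region="WEST", mw=1000.0, cyber_assets=[
        CyberAsset("Unit DCS", True),                            # isolated DCS
    ]),
    PowerAsset("Plant Y", "plant", region="WEST", mw=500.0),
    PowerAsset("Plant Z", "plant", region="WEST", mw=50.0, blackstart=True, cyber_assets=[
        CyberAsset("Black-start PLC", True, remote_access=True),
    ]),
    PowerAsset("UFLS scheme", "load_shed", mw=450.0, cyber_assets=[
        CyberAsset("UFLS relays", True),
    ]),
]
LARGEST_CONTINGENCY_MW = {"WEST": 1200.0}   # assumed planning figure: 80% of it is 960 MW

if __name__ == "__main__":
    cas, ccas = identify(INVENTORY, LARGEST_CONTINGENCY_MW)
    print("Critical Assets:", cas)
    print("Critical Cyber Assets:", ccas)
```

Note what the pass does and does not flag: Substation B's RTU uses a routable protocol but its parent is not a Critical Asset, so it is not a Critical Cyber Asset; Plant X's DCS is essential to a Critical Asset but has no connectivity of the kinds listed, so it is not flagged either. Both are exactly the cases an auditor will ask about, which is why the methodology (R1) and the inventories (R2, R3) must be documented together.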
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)

Severity of consequences   | Public health and safety              | Customer outages        | Outage duration | Power system stability          | Power generation impacts
Very serious consequences  | Numerous deaths and serious injuries  | > 250,000 customers     | Months          | Major transmission line outages | > 10,000 MW put offline
Major consequences         | Scattered deaths or serious injuries  | > 100,000 customers     | Weeks           | Limited inter-tie disruption    | > 1,000 MW put offline
Minor consequences         | Minor, non-life-threatening injuries  | Thousands of customers  | Days            | Temporary islanding             | > 100 MW put offline
Insignificant consequences | None of significance                  | Hundreds of customers   | Hours           | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to and priority of security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
• Security Policy: Information Security Policies
• Organizational Security: Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
• Asset/Information Classification And Control: Accountability For Asset/Information; Classification; Information access procedures
• Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
• Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
• Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
• Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
• Auditing and Review Policy
• Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
• Operational Continuity Management: Incident reporting/response; Recovery planning and testing
• Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
• High-Level Information Security Policy
• Detailed Information Security Policy
• Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
• External Communications Security Policy
• Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
• Electronic Mail Policy
• IM Policy
• Web Browsing Policy
Security Policies (Cont)
• Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
• Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
• Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
• Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
• Web Privacy Policy
• Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
• External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
• Information Ownership Policy
• Firewall Policy
• Download Policy
• Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
• External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, and tests for open ports and services and for improper account management
• R5 – Classify, protect and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
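The access monitoring and intrusion detection the slide calls for (CIP-005 R3), shown as a small detection pass over authentication records from an ESP access point. This is an added example, not the presentation's own material or any vendor's product: the log line format, the gateway name, the addresses, the "approved source" network and the three rules are all assumptions made for the illustration, and the log lines are constructed, not captured from a real system.

```python
"""Constructed CIP-005 R3 example: review authentication records from an ESP
access point and raise alerts.  Log format, host names, addresses and rules are
assumptions for this illustration."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sources permitted to reach the access point (assumed: an internal jump-host subnet).
APPROVED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]
FAIL_THRESHOLD = 3              # repeated failures within FAIL_WINDOW -> alert
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<kv>.*)$")


def parse_line(line):
    """Parse 'ts host auth: k=v k=v ...' into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    rec["host"] = m.group("host")
    return rec


def source_approved(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in APPROVED_SOURCES)


def analyse(lines):
    """Return a list of (alert_kind, user, src) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if rec["result"] == "FAIL":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()          # drop failures older than the window
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(("repeated_failures", user, src))
        elif rec["result"] == "OK":
            # Any dial-in session is reportable: the perimeter diagram marks
            # unprotected modems and dial-in IED access as weak points.
            if rec.get("method") == "dialup":
                alerts.append(("dialup_access", user, src))
            if not source_approved(src):
                alerts.append(("unapproved_source", user, src))
    return alerts


# Constructed log lines (not captured from a real system).
SAMPLE_LOG = """\
2008-03-04T02:13:07 esp-gw auth: result=FAIL user=opsadmin src=198.51.100.23 method=password
2008-03-04T02:13:19 esp-gw auth: result=FAIL user=opsadmin src=198.51.100.23 method=password
2008-03-04T02:13:40 esp-gw auth: result=FAIL user=opsadmin src=198.51.100.23 method=password
2008-03-04T02:14:02 esp-gw auth: result=OK user=opsadmin src=198.51.100.23 method=password
2008-03-04T07:55:10 esp-gw auth: result=OK user=jsmith src=10.20.1.15 method=token
2008-03-04T11:20:33 esp-gw auth: result=OK user=vendor1 src=203.0.113.9 method=dialup
2008-03-04T11:21:00 esp-gw auth: result=FAIL user=jsmith src=10.20.1.15 method=token
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The sample produces four alerts: three failures followed by a success for the same account from an address outside the approved network, and a dial-in session that is also from an unapproved source. The fourth event is the one that matters operationally; the point of logging both the failures and the success (CIP-006 R5 makes the same demand for physical access) is that the sequence, not the single event, tells the reviewer what happened.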
Establishing the "Electronic Perimeter"
(Diagram: the SCADA/EMS system/facility with its SCADA LAN, gateway, web server and e-mail servers, connected to the corporate LAN and a department LAN, to the Internet via an ISP, and via the TelCo WAN and a leased T1 line to the backup-site SCADA/EMS system and to the regional balancing authority, transmission operator or reliability coordinator; IP links to the transmission substations, dial-in IED access, a dial-out backup link, and the RTUs. Access points marked "x" include an unprotected modem, a WiFi AP, doubly-connected workstations, a related system, portable devices, storage devices and physical media.)
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
(Diagram: a facility with limited, monitored/controlled access points; inside it, the SCADA operations area has its own limited, monitored/controlled access points and monitored hallways, and contains the control room, the computer/server room and the telecom/LAN room, each with controlled and monitored access and separate access rights. Office areas lie outside the SCADA operations perimeter.)
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
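CIP-005 R4 (test for open ports and services at the perimeter) and CIP-007 R2 (disable unnecessary ports and services) meet in one practical check: compare what a scan actually finds open on each Critical Cyber Asset against the documented ports-and-services baseline, and treat every difference as a finding. The following is an added example, not the presentation's own material. The scan text, the hosts, the addresses and the baseline are constructed for the illustration; the one real thing it relies on is nmap's "grepable" (-oG) line layout, in which each port entry reads port/state/protocol/owner/service/rpc/version/.

```python
"""Constructed example for CIP-005 R4 / CIP-007 R2: compare open ports seen in
an nmap -oG scan of the ESP against the documented baseline per Critical Cyber
Asset.  Hosts, addresses, scan text and baseline are made up for illustration."""


def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} of OPEN ports from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue               # comments, 'Status: Up' lines, etc.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        open_ports = set()
        for entry in fields["Ports"].split(", "):
            port, state, proto = entry.split("/")[:3]   # port/state/proto/owner/service/...
            if state == "open":
                open_ports.add((int(port), proto))
        hosts[ip] = open_ports
    return hosts


def compare(scanned, baseline):
    """Findings per host: unapproved open ports (R2 violation), documented but
    absent ports (stale baseline or dead service), and hosts not in the baseline
    at all (undocumented device inside the perimeter)."""
    findings = {"unapproved": {}, "missing": {}, "unknown_hosts": {}}
    for ip, ports in scanned.items():
        if ip not in baseline:
            findings["unknown_hosts"][ip] = ports
            continue
        findings["unapproved"][ip] = ports - baseline[ip]
        findings["missing"][ip] = baseline[ip] - ports
    return findings


# Constructed -oG output (tabs separate the Host / Ports / Ignored State fields).
SAMPLE_SCAN = "\n".join([
    "# Nmap scan of the ESP (constructed sample)",
    "Host: 10.10.5.21 (rtu-a)\tStatus: Up",
    "Host: 10.10.5.21 (rtu-a)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "20000/open/tcp//dnp///\tIgnored State: closed (997)",
    "Host: 10.10.5.1 (esp-gw)\tPorts: 22/open/tcp//ssh///, 102/open/tcp//iso-tsap///, "
    "443/open/tcp//https///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (996)",
    "Host: 10.10.5.77 ()\tPorts: 80/open/tcp//http///, 161/open/udp//snmp///\tIgnored State: closed (998)",
])

# Documented baseline per Critical Cyber Asset (constructed): what SHOULD be open.
BASELINE = {
    "10.10.5.21": {(22, "tcp"), (20000, "tcp")},                           # RTU: SSH + DNP3 only
    "10.10.5.1": {(22, "tcp"), (102, "tcp"), (443, "tcp"), (8443, "tcp")},  # gateway: SSH, ICCP, HTTPS
}


def assess():
    return compare(parse_grepable(SAMPLE_SCAN), BASELINE)


if __name__ == "__main__":
    for category, per_host in assess().items():
        for ip, ports in per_host.items():
            if ports:
                print(f"{category:14s} {ip:12s} {sorted(ports)}")
```

Three kinds of finding come out of the sample: telnet open on the RTU (a port the baseline never approved), a gateway port the baseline documents but the scan does not see open (either the baseline is stale or a service is down, and both need an answer), and a device inside the perimeter that has no baseline entry at all. The last case is the one that most often escapes a CIP-002 inventory, which is why R4 is run against the network rather than against the asset list.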
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
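R4 and R5 together ask for backup images that are secured and media that is periodically proven usable. One way to make the R5 media test mechanical, as an added example rather than the presentation's own procedure: hash every file in the backup set into a manifest when the backup is made, seal the manifest with an HMAC key that is kept off the media, and on each test re-hash the media and compare. The file names, contents and key below are constructed for the illustration.

```python
"""Constructed CIP-009 R4/R5 example: hashed manifest of a backup image set,
sealed with an HMAC key kept apart from the media, then verified later.
Paths, contents and the key are made up for this illustration."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # hash large images in 1 MiB pieces


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key):
    """HMAC over the canonical JSON form, so a re-written manifest is detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(root, manifest, tag, key):
    """Report manifest authenticity plus the per-file state of the media."""
    report = {"manifest_ok": hmac.compare_digest(seal(manifest, key), tag),
              "ok": [], "modified": [], "missing": [], "extra": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Make a constructed backup set, seal it, then damage it and re-verify."""
    key = b"constructed-demo-key-keep-off-the-media"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "images" / "ems-primary.img").write_bytes(b"\x00" * 4096 + b"EMS")
        (root / "images" / "historian.img").write_bytes(b"HIST" * 512)
        (root / "restore-procedure.txt").write_text("1. boot from media 2. restore images\n")

        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = verify(root, manifest, tag, key)

        # Simulate media decay and tampering before the next R5 media test.
        (root / "images" / "ems-primary.img").write_bytes(b"\x00" * 4096 + b"EMX")  # bit rot
        (root / "images" / "historian.img").unlink()                                # lost file
        (root / "unexpected.bin").write_bytes(b"?")                                 # stray file
        damaged = verify(root, manifest, tag, key)
        forged = verify(root, manifest, "00" * 32, key)   # wrong tag: manifest not trusted
    return clean, damaged, forged


if __name__ == "__main__":
    for label, rep in zip(("clean", "damaged", "forged"), demo()):
        print(label, json.dumps(rep))
```

The HMAC seal is what separates an R5 media test from a mere checksum: a manifest that travels unsealed with the media can be regenerated by whoever altered the images, and the test would pass. Keep the key with the recovery "cache" of tools R4 describes, not on the backup media, and treat a failed seal the same as a failed restore.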
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets (physical audit)
• Identify and document Critical Cyber Information (physical audit)
• Identify and document the Physical Security Perimeter (physical inspection)
• Identify and document communication and network connections (physical inspection)
• Identify and document all personnel who have access rights (background checks)
• Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase:
• Review findings versus NERC requirements (non-compliance levels)
• Develop an action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures (iterative reviews)
• Select methods for creating the electronic security perimeter (technology survey)
• Implement and test the electronic perimeter (PEN testing)
• Select methods for creating the physical security perimeter (technology survey)
• Implement and test the physical security perimeter (social engineering testing)
• Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
• Test and validate systems management and recovery procedures (disaster simulation & audits)
• Test and validate system/component test/commissioning procedures (structured audit)
Key methodology/standard
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance of the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
Compliance Schedule - Table 1 (Control Centers)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
Quarters shown: 2007 Q2-Q4, 2008 Q1-Q4, 2009 Q1-Q4, 2010 Q1-Q4
Requirements scheduled per standard:
CIP 002: R1 R2 R3 R4
CIP 003: R1 R2 R3 R4 R5 R6
CIP 004: R1 R2 R3 R4
CIP 005: R1 R2 R3 R4 R5
CIP 006: R1 R2 R3 R4 R5 R6
CIP 007: R1 R2 R3 R4 R5 R6 R7 R8 R9
CIP 008: R1 R2
CIP 009: R1 R2 R3 R4 R5
Milestone legend: BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance
[chart: the per-quarter milestone markers for each requirement are not recoverable from the extracted text]
Compliance Schedule - Table 1 (Other Facilities)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
Quarters shown: 2007 Q2-Q4, 2008 Q1-Q4, 2009 Q1-Q4, 2010 Q1-Q4
Requirements scheduled per standard:
CIP 002: R1 R2 R3 R4
CIP 003: R1 R2 R3 R4 R5 R6
CIP 004: R1 R2 R3 R4
CIP 005: R1 R2 R3 R4 R5
CIP 006: R1 R2 R3 R4 R5 R6
CIP 007: R1 R2 R3 R4 R5 R6 R7 R8 R9
CIP 008: R1 R2
CIP 009: R1 R2 R3 R4 R5
Milestone legend: BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance
[chart: the per-quarter milestone markers for each requirement are not recoverable from the extracted text]
Compliance Schedule - Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard
Quarters shown: 2007 Q2-Q4, 2008 Q1-Q4, 2009 Q1-Q4, 2010 Q1-Q4
Requirements scheduled per standard:
CIP 002: R1 R2 R3 R4
CIP 003: R1 R2 R3 R4 R5 R6
CIP 004: R1 R2 R3 R4
CIP 005: R1 R2 R3 R4 R5
CIP 006: R1 R2 R3 R4 R5 R6
CIP 007: R1 R2 R3 R4 R5 R6 R7 R8 R9
CIP 008: R1 R2
CIP 009: R1 R2 R3 R4 R5
Milestone legend: BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance
[chart: the per-quarter milestone markers for each requirement are not recoverable from the extracted text]
Compliance Schedule - Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006
Quarters shown: 2007 Q1-Q4, 2008 Q1-Q4, 2009 Q1-Q4, 2010 Q1-Q4
Requirements scheduled per standard:
CIP 002: R1 R2 R3 R4
CIP 003: R1 R2 R3 R4 R5 R6
CIP 004: R1 R2 R3 R4
CIP 005: R1 R2 R3 R4 R5
CIP 006: R1 R2 R3 R4 R5 R6
CIP 007: R1 R2 R3 R4 R5 R6 R7 R8 R9
CIP 008: R1 R2
CIP 009: R1 R2 R3 R4 R5
Milestone legend: BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance
[chart: the per-quarter milestone markers for each requirement are not recoverable from the extracted text]
Compliance Schedule - Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Quarters shown: Registration plus Q1 through Q11 (quarters counted from the date of registration)
Requirements scheduled per standard:
CIP 002: R1 R2 R3 R4
CIP 003: R1 R2 R3 R4 R5 R6
CIP 004: R1 R2 R3 R4
CIP 005: R1 R2 R3 R4 R5
CIP 006: R1 R2 R3 R4 R5 R6
CIP 007: R1 R2 R3 R4 R5 R6 R7 R8 R9
CIP 008: R1 R2
CIP 009: R1 R2 R3 R4 R5
Milestone legend: BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance
[chart: the per-quarter milestone markers for each requirement are not recoverable from the extracted text]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP
President - Cyber SECurity Consulting
Questions?
A Brief Timeline (2001 through 2010)
Events in order along the timeline:
- 9/11-2001 attacks
- White House issues directives
- DHS issues directives
- NERC releases UAS-1200
- Northeast Blackout occurs
- NERC updates to 1300
- NERC revises as CIPs
- NERC designated ERO
- FERC mandates CIPs
- Today: must be auditably compliant within three years
Evolution of the Standards
NERC 1200 => 1300 Standard requirements
NERC 1200:
1201 Cyber Security Policy
1202 Critical Cyber Assets
1203 Electronic Security Perimeter
1204 Electronic Access Controls
1205 Physical Security Perimeter
1206 Physical Access Controls
1207 Personnel
1208 Monitoring Physical Access
1209 Monitoring Electronic Access
1210 Information Protection
1211 Training
1212 Systems Management
1213 Test Procedures
1214 Electronic Incident Response Actions
1215 Physical Incident Response Actions
1216 Recovery Plans
NERC 1300:
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
Evolution of the Standards
NERC 1300 => CIPs Standard requirements
NERC 1300:
1301 Security Management Controls
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans
CIPs:
CIP 001 Sabotage Reporting
CIP 002 Critical Cyber Assets
CIP 003 Security Management Controls
CIP 004 Personnel & Training
CIP 005 Electronic Security
CIP 006 Physical Security of CCA
CIP 007 Systems Security Management
CIP 008 Incident Reporting/Response Planning
CIP 009 Recovery Plans for CCA
Important Terms
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded, or otherwise rendered unavailable, would
(1) have a significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) have a detrimental impact on the reliability or operability of the Bulk Electric System, or
(3) cause significant risk to public health and safety.
Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs), one of the major changes was the broadening of the definition of Critical Assets, to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.
Also note that no specific quantization was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded, or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
[diagram: within the set of all Assets, the overlap between Cyber Assets and Critical Assets is the Critical Cyber Assets]
Electrical Grid 101
[diagram: Generating Plants (G) feed transmission substations and transmission lines, joined through a system interconnect; the Transmission Grid feeds Sub-Transmission and distribution substations; the Distribution Grid serves the Loads, with Distributed generation (DG) connected at the distribution level]
Electrical Grid 101 - Continental Network
[map: Western Interconnect, Eastern Interconnect and Texas Interconnect; ISOs shown: California ISO, New England ISO, New York ISO]
Regional Reliability Councils - NERC:
ECAR - East Central Area Reliability Coordination Agreement
ERCOT - Electric Reliability Council of Texas
FRCC - Florida Reliability Coordinating Council
MAAC - Mid-Atlantic Area Council
MAIN - Mid-America Interconnected Network
MAPP - Mid-Continent Area Power Pool
NPCC - Northeast Power Coordinating Council
SERC - Southeastern Electric Reliability Council
SPP - Southwest Power Pool
WSCC - Western Systems Coordinating Council
Critical Cyber Assets
[diagram: a Regional Authority (RTO, ISO, EMS) at the top; the entity's own SCADA/EMS exchanges data with Adjacent Entity EMS systems; beneath the SCADA/EMS sit the Substation Controls and the Power Plant DCS systems]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule - Generalized
Compliance Schedule for Most Entities
[chart: quarters 2007 Q1 through 2010 Q4, with "Today" marked; for CIP 00x the requirements R1, R2, R3, R4 ... Rx are each plotted with Begin Work, Substantial Completion, Completion and Auditable Compliance milestones]
Each CIP is composed of a set of requirements.
Most requirements must achieve AC (Auditable Compliance) by end of 2010.
Some requirements must achieve AC by end of 2009.
CIP 001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for, and formally report, any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that insure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 - Define a risk-based methodology for critical asset identification
• R1 - Identify and inventory critical electric system assets
• R2 - Identify and inventory critical cyber assets
• R3 - Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that insure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)

Severity       | Public Health and Safety             | Customer outages       | Outage duration    | Power system stability          | Power generation impacts
Very serious   | Numerous deaths and serious injuries | > 250,000 customers    | Duration in months | Major transmission line outages | > 10,000 MW put offline
Major          | Scattered deaths or serious injuries | > 100,000 customers    | Duration in weeks  | Limited inter-tie disruption    | > 1,000 MW put offline
Minor          | Minor, non-life-threatening injuries | Thousands of customers | Duration in days   | Temporary islanding             | > 100 MW put offline
Insignificant  | None of significance                 | Hundreds of customers  | Duration in hours  | No impact                       | Tolerable generation outage
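One way to turn the chart above and the CIP-002 steps (risk-based methodology, Critical Asset inventory, Critical Cyber Asset inventory, annual and 90-day reviews) into a repeatable inventory pass, as an added example that is not code from the presentation or from NERC: the script rates each power-system asset with the chart, treats anything rated Major or worse as a Critical Asset, derives the Critical Cyber Assets from which cyber assets are essential to those Critical Assets, and computes the next review deadline. The asset names and impact figures, the Major cut-off for criticality, and the numeric cut-offs used for "thousands"/"hundreds" of customers and for days/weeks/months are constructed assumptions; the 250,000 / 100,000 customer and 10,000 / 1,000 / 100 MW figures are the chart's own.

```python
# Added example (not from the presentation): a small risk-based pass in the
# spirit of CIP-002 R1-R3. Asset names, impact figures, the "Major" criticality
# cut-off and the lower numeric thresholds are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Severity levels from the consequence chart, least to most serious.
SEVERITY = ["Insignificant", "Minor", "Major", "Very serious"]

# Numeric scales: a value earns the first level whose threshold it exceeds
# (the chart uses ">"). The 250,000/100,000 customer and MW figures are the
# chart's; the 1,000-customer cut-off for "thousands" and the hour conversions
# for months/weeks/days are assumptions.
CUSTOMER_THRESHOLDS = [(250_000, "Very serious"), (100_000, "Major"), (1_000, "Minor")]
MW_THRESHOLDS = [(10_000, "Very serious"), (1_000, "Major"), (100, "Minor")]
DURATION_THRESHOLDS_H = [(30 * 24, "Very serious"), (7 * 24, "Major"), (24, "Minor")]


def rate_scale(value, thresholds):
    for threshold, level in thresholds:
        if value > threshold:
            return level
    return "Insignificant"


@dataclass
class Asset:
    name: str
    customers_lost: int      # customers affected if the asset is lost
    outage_hours: float      # expected duration of the resulting outage
    mw_offline: float        # generation or transfer capability lost
    health_safety: str       # qualitative column, one of SEVERITY
    stability: str           # qualitative column, one of SEVERITY


@dataclass
class CyberAsset:
    name: str
    supports: list           # names of power-system assets it is essential to


def consequence_rating(a):
    """Overall rating is the worst rating across the chart's five columns."""
    for level in (a.health_safety, a.stability):
        if level not in SEVERITY:
            raise ValueError(f"{a.name}: unknown severity {level!r}")
    ratings = [
        a.health_safety,
        rate_scale(a.customers_lost, CUSTOMER_THRESHOLDS),
        rate_scale(a.outage_hours, DURATION_THRESHOLDS_H),
        a.stability,
        rate_scale(a.mw_offline, MW_THRESHOLDS),
    ]
    return max(ratings, key=SEVERITY.index)


def identify_critical_assets(assets, threshold="Major"):
    """Critical Assets: power-system assets rated at or above the threshold."""
    floor = SEVERITY.index(threshold)
    return {a.name for a in assets if SEVERITY.index(consequence_rating(a)) >= floor}


def identify_critical_cyber_assets(cyber_assets, critical_assets):
    """Critical Cyber Assets: cyber assets essential to any Critical Asset."""
    return sorted(c.name for c in cyber_assets if set(c.supports) & set(critical_assets))


def next_review_deadline(last_review, last_change):
    """Review at least annually, and within 90 days of a change to a Critical Asset."""
    deadline = last_review + timedelta(days=365)
    if last_change > last_review:
        deadline = min(deadline, last_change + timedelta(days=90))
    return deadline


# Constructed sample inventory (hypothetical entity).
SAMPLE_ASSETS = [
    Asset("Main control center", 300_000, 24 * 45, 12_000, "Very serious", "Very serious"),
    Asset("Substation Alpha (IROL)", 120_000, 24 * 10, 1_500, "Minor", "Major"),
    Asset("Peaking plant Beta", 5_000, 48, 150, "Insignificant", "Minor"),
    Asset("Distribution feeder 7", 400, 6, 20, "Insignificant", "Insignificant"),
]
SAMPLE_CYBER = [
    CyberAsset("EMS server pair", ["Main control center"]),
    CyberAsset("Substation Alpha RTU", ["Substation Alpha (IROL)"]),
    CyberAsset("Plant Beta DCS", ["Peaking plant Beta"]),
    CyberAsset("Feeder 7 recloser controller", ["Distribution feeder 7"]),
    CyberAsset("ICCP gateway", ["Main control center", "Substation Alpha (IROL)"]),
]

if __name__ == "__main__":
    critical = identify_critical_assets(SAMPLE_ASSETS)
    for a in SAMPLE_ASSETS:
        print(f"{a.name:28s} {consequence_rating(a)}")
    print("Critical Assets:", sorted(critical))
    print("Critical Cyber Assets:", identify_critical_cyber_assets(SAMPLE_CYBER, critical))
    print("Next review due:", next_review_deadline(date(2008, 1, 15), date(2008, 6, 1)))
```

Taking the worst column as the overall rating is what makes the pass conservative: the peaking plant is rated Minor on every column and drops out, while the ICCP gateway becomes a Critical Cyber Asset because it is essential to two Critical Assets, even though it is not itself a generating or transmission asset.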
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will insure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 - Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 - Assign a senior manager to be responsible and accountable
• R3 - Document and justify all exceptions to the policy
• R4 - Establish information protection policies and procedures
• R5 - Implement policies and procedures for information access controls
• R6 - Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that insure that employees are aware of, and adhering to, the stated policies and procedures, and insure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies
Organizational Security: Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy
Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy
IM Policy
Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy
Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to insure that personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 - Implement a security awareness program to focus all personnel on security issues
• R2 - Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 - Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 - Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 - Identify the electronic security perimeter and all access points
• R2 - Establish electronic access controls with strong authentication
• R3 - Monitor and review all electronic access to critical systems
• R4 - Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 - Classify and protect the information and documentation resulting from this process, and establish policies and procedures in regard to it
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, insure that vulnerability assessments are performed and evaluated on a periodic basis, and insure that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public Networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then insure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[diagram: the SCADA/EMS System/Facility LAN and SCADA LAN, the Dept LAN and the Corporate network; a Gateway, Web server and Email reached through TelCo links to the INTERNET and an ISP; a WAN to a Backup site SCADA/EMS System and to the Regional balancing authority, Transmission Operator or Reliability Coordinator; a related system; an unprotected MODEM and a dial-out backup; RTUs and Transmission Substations reached over a leased T1 line carrying IP to the substation; dial-in IED access via TelCo; a WiFi AP; doubly-connected workstations; portable devices, storage devices and physical media. Each "x" on the chart marks a communication interface that has to be examined as a potential perimeter access point.]
Defending the "Electronic Perimeter"
Intrusion Detection Systems (NIDS/HIDS)
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to insure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 - Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 - Establish physical access controls at all access points
• R3 - Monitor access into the security perimeter in a manner that precludes undetected access
• R4 - Log and record all access into the security perimeter
• R5 - Retain a log of all access attempts, either successful or unauthorized
• R6 - Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that insure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and insure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[diagram: a Facility with limited, monitored/controlled access points, containing Office Areas and a SCADA Operations area; the SCADA Operations area has its own limited, monitored/controlled access points and monitored hallways, and holds the Control Room, the Computer/server Room and the Telecom/LAN Room, each with separate access rights and controlled, monitored access]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 - Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 - Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 - Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 - Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
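As an added example (not code from the presentation or from NERC) of the open-port test CIP-005 R4 calls for and the ports-and-services control in CIP-007 R2, the script below compares the listening sockets reported by a host against that host's documented baseline. Anything listening that is not in the baseline is a candidate for disabling or, where R2's "not possible" applies, for a documented compensating measure; a baseline port that is not listening points at a service that may have failed. The host names, the baseline entries and their justifications, and the netstat-style scan text are constructed; in practice the scan text would be the asset's own socket listing.

```python
# Added example (not from the presentation): compare the listening TCP/UDP
# sockets on a critical cyber asset against its documented port/service
# baseline. Host names, baselines and scan text are constructed.
import re

# Documented baseline per host: (proto, port) -> business justification,
# which is the record CIP-007 R2 asks an entity to keep for each open port.
BASELINE = {
    "ems-app-01": {
        ("tcp", 102): "ICCP link to adjacent-entity EMS",
        ("tcp", 22): "administrative SSH from the engineering LAN",
        ("udp", 123): "NTP time synchronisation",
    },
    "sub-alpha-gw": {
        ("tcp", 20000): "DNP3 to substation IEDs",
        ("tcp", 22): "administrative SSH",
    },
}

# Constructed scan results, one "proto local-address:port" line per listener
# (the shape of a trimmed netstat/ss listing of listening sockets).
SCAN_OUTPUT = {
    "ems-app-01": "tcp 0.0.0.0:102\ntcp 0.0.0.0:22\nudp 0.0.0.0:123\ntcp 0.0.0.0:23\ntcp 127.0.0.1:5432\n",
    "sub-alpha-gw": "tcp 0.0.0.0:20000\nudp 0.0.0.0:161\n",
}

LISTENER_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)$")


def parse_listeners(text):
    """Map each (proto, port) in the listing to its bind address; skip junk lines."""
    listeners = {}
    for raw in text.splitlines():
        m = LISTENER_RE.match(raw.strip())
        if m:
            listeners[(m.group(1), int(m.group(3)))] = m.group(2)
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def compare_to_baseline(host, scan_text):
    """Deviations between observed listeners and the documented baseline."""
    observed = parse_listeners(scan_text)
    allowed = BASELINE.get(host, {})
    unexpected = sorted(k for k, addr in observed.items() if k not in allowed and not is_loopback(addr))
    loopback_only = sorted(k for k, addr in observed.items() if k not in allowed and is_loopback(addr))
    missing = sorted(k for k in allowed if k not in observed)
    return {"unexpected": unexpected, "loopback_only": loopback_only, "missing": missing}


def findings(host, scan_text):
    """One line per deviation, in the wording an assessment record would carry."""
    d = compare_to_baseline(host, scan_text)
    lines = [f"{host}: {proto}/{port} listening but not in baseline: disable it or document a compensating measure"
             for proto, port in d["unexpected"]]
    lines += [f"{host}: {proto}/{port} bound to loopback only: confirm it is needed locally"
              for proto, port in d["loopback_only"]]
    lines += [f"{host}: baseline service {proto}/{port} not listening: check the service"
              for proto, port in d["missing"]]
    return lines


if __name__ == "__main__":
    for host, text in SCAN_OUTPUT.items():
        for line in findings(host, text) or [f"{host}: matches baseline"]:
            print(line)
```

Loopback-only listeners are reported separately because they are not perimeter access points, but they still belong in the baseline if they are needed; silently ignoring them is how undocumented services accumulate between assessments.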
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 - Establish an account management program and procedures to insure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 - Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 - Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 - Perform cyber vulnerability assessments on a periodic basis, and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 - Establish a document management, review and revision program that insures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
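To show what the access review in CIP-005 R3 and the automatic notification of violation attempts in CIP-007 R6 look like over actual log data, the script below is an added example, not from the presentation: it parses a constructed authentication log from a hypothetical VPN gateway at the electronic perimeter and raises an alert for a burst of failed logins from one source, and a second, more urgent alert when that same source then succeeds. The log format, the host and addresses, and the four-failures-in-five-minutes threshold are assumptions; real gateways log in their own formats and the parser is the part to adapt.

```python
# Added example (not from the presentation): review perimeter authentication
# logs for failure bursts and for a success following a burst. Log format,
# names, addresses and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp host event user=<u> src=<addr>", one per line.
SAMPLE_LOG = """\
2008-03-04T02:10:01 ems-vpn-gw AUTH_FAIL user=operator src=203.0.113.7
2008-03-04T02:10:09 ems-vpn-gw AUTH_FAIL user=operator src=203.0.113.7
2008-03-04T02:10:17 ems-vpn-gw AUTH_FAIL user=admin src=203.0.113.7
2008-03-04T02:10:26 ems-vpn-gw AUTH_FAIL user=root src=203.0.113.7
2008-03-04T02:10:34 ems-vpn-gw AUTH_FAIL user=scada src=203.0.113.7
2008-03-04T02:11:02 ems-vpn-gw AUTH_OK user=scada src=203.0.113.7
2008-03-04T08:15:00 ems-vpn-gw AUTH_OK user=jdoe src=192.0.2.44
2008-03-04T08:40:12 ems-vpn-gw AUTH_FAIL user=jdoe src=192.0.2.44
2008-03-04T08:40:30 ems-vpn-gw AUTH_OK user=jdoe src=192.0.2.44
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (AUTH_FAIL|AUTH_OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the constructed format; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m.group(1)), "host": m.group(2),
                       "event": m.group(3), "user": m.group(4), "src": m.group(5)})
    return events


def find_alerts(events, max_failures=4, window=timedelta(minutes=5)):
    """Return alerts: a 'failure_burst' when one source produces at least
    max_failures failures inside `window`, and a 'success_after_burst' for any
    later successful login from that source (the case that needs a human now)."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = sorted(e["ts"] for e in evs if e["event"] == "AUTH_FAIL")
        burst_end = None
        for i, start in enumerate(fails):
            in_window = [t for t in fails[i:] if t - start <= window]
            if len(in_window) >= max_failures:
                burst_end = in_window[-1]
                alerts.append({"type": "failure_burst", "src": src,
                               "count": len(in_window), "start": start, "end": burst_end})
                break
        if burst_end is None:
            continue
        for e in evs:
            if e["event"] == "AUTH_OK" and e["ts"] > burst_end:
                alerts.append({"type": "success_after_burst", "src": src,
                               "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

A single failed login followed by a success (the 192.0.2.44 entries) is normal operator behaviour and produces nothing, which is the point of the threshold: the review output should be short enough that someone reads it.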
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization.
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation.
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems.
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner.
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel.
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation.
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations.
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
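An added example (not the presentation's or NERC's own procedure) of making the R4 backup images and the R5 media test verifiable: a SHA-256 manifest is written beside the backup set when the image is taken, and the periodic test re-hashes the media and reports missing, corrupted and unexpected files instead of merely confirming that the media still mounts. The file names and contents are constructed.

```python
"""CIP-009 R4/R5: integrity manifest for a backup image set and a media test.

Added example, not from the presentation.  File names and contents are
constructed; a real run points the functions at the mounted backup media.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _files(backup_dir: Path) -> dict:
    """Map relative POSIX paths to files under backup_dir, excluding the manifest."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in backup_dir.rglob("*") if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_dir: Path) -> dict:
    """Hash every file in the backup set when the image is taken (R4)."""
    entries = {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
               for rel, p in sorted(_files(backup_dir).items())}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(entries, indent=1))
    return entries


def verify_backup(backup_dir: Path) -> dict:
    """Periodic media test (R5): re-hash the media and report what no longer matches."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    present = _files(backup_dir)
    report = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != expected["sha256"]:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = [rel for rel in present if rel not in manifest]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Build a constructed backup set, take the manifest, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ems").mkdir()
        (root / "ems" / "scada-db.dump").write_bytes(b"point-table " * 1000)
        (root / "ems" / "hmi-config.xml").write_text("<hmi><screen id='overview'/></hmi>")
        (root / "rtu-firmware.bin").write_bytes(bytes(range(256)) * 8)
        write_manifest(root)
        # Simulate media rot (one flipped bit), a lost image and a stray file
        dump = root / "ems" / "scada-db.dump"
        damaged = bytearray(dump.read_bytes())
        damaged[17] ^= 0x01
        dump.write_bytes(damaged)
        (root / "rtu-firmware.bin").unlink()
        (root / "stray-notes.txt").write_text("not part of the image set")
        return verify_backup(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest itself should be stored with the "secured" copy R4 calls for (or signed), otherwise a tampered set can carry a matching manifest.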
Cyber Securing SCADA Systems
NERC Self Assessment Process
(Flowchart; the text below is recovered from the diagram.)
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: Physical Audit, Physical Inspection, Background checks, NERC checklist
Action plan formulation phase:
• Review findings versus NERC requirements
• Develop action plan for addressing all short-comings (non-compliance levels)
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
(Flowchart; the text below is recovered from the diagram.)
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: Iterative reviews, Technology survey, PEN testing, Social engineering testing, Awareness campaign
Testing and validation phase:
• Test and validate Systems Management and recovery procedures
• Test and validate system/component test/commissioning procedures
• Disaster Simulation & audits
Key methodology/standard: Structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing Section 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance of the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and leaving the identification methodology up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
(Gantt-style chart, 2007 Q2 through 2010 Q4, one row per requirement: CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5. Milestone markers BW, SC, C and AC (Begin Work, Substantial Completion, Completion, Auditable Compliance) are placed per quarter; the marker positions are not recoverable from the extracted text.)
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
(Gantt-style chart, 2007 Q2 through 2010 Q4, one row per requirement: CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5. Milestone markers BW, SC, C and AC (Begin Work, Substantial Completion, Completion, Auditable Compliance) are placed per quarter; the marker positions are not recoverable from the extracted text.)
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
(Gantt-style chart, 2007 Q2 through 2010 Q4, one row per requirement: CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5. Milestone markers BW, SC, C and AC (Begin Work, Substantial Completion, Completion, Auditable Compliance) are placed per quarter; the marker positions are not recoverable from the extracted text.)
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc) required to register during 2006.
(Gantt-style chart, 2007 Q1 through 2010 Q4, one row per requirement: CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5. Milestone markers BW, SC, C and AC (Begin Work, Substantial Completion, Completion, Auditable Compliance) are placed per quarter; the marker positions are not recoverable from the extracted text.)
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
(Gantt-style chart whose time axis is "Registration Plus" Q1 through Q11, that is, quarters counted from the entity's registration date; one row per requirement: CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5. Milestone markers BW, SC, C and AC (Begin Work, Substantial Completion, Completion, Auditable Compliance) are placed per quarter; the marker positions are not recoverable from the extracted text.)
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions
Evolution of the Standards
NERC 1200 => 1300 Standard requirements
NERC 1200:
• 1201 Cyber Security Policy
• 1202 Critical Cyber Assets
• 1203 Electronic Security Perimeter
• 1204 Electronic Access Controls
• 1205 Physical Security Perimeter
• 1206 Physical Access Controls
• 1207 Personnel
• 1208 Monitoring Physical Access
• 1209 Monitoring Electronic Access
• 1210 Information Protection
• 1211 Training
• 1212 Systems Management
• 1213 Test Procedures
• 1214 Electronic Incident Response Actions
• 1215 Physical Incident Response Actions
• 1216 Recovery Plans
NERC 1300:
• 1301 Security Management Controls
• 1302 Critical Cyber Assets
• 1303 Personnel & Training
• 1304 Electronic Security
• 1305 Physical Security
• 1306 Systems Security Management
• 1307 Incident Response Planning
• 1308 Recovery Plans
Evolution of the Standards
NERC 1300 => CIPs Standard requirements
NERC 1300:
• 1301 Security Management Controls
• 1302 Critical Cyber Assets
• 1303 Personnel & Training
• 1304 Electronic Security
• 1305 Physical Security
• 1306 Systems Security Management
• 1307 Incident Response Planning
• 1308 Recovery Plans
CIPs:
• CIP 001 Sabotage Reporting
• CIP 002 Critical Cyber Assets
• CIP 003 Security Management Controls
• CIP 004 Personnel & Training
• CIP 005 Electronic Security
• CIP 006 Physical Security of CCA
• CIP 007 Systems Security Management
• CIP 008 Incident Reporting/Response Planning
• CIP 009 Recovery Plans for CCA
Important Terms
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded or otherwise rendered unavailable, would have a
(1) significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) would have a detrimental impact on the reliability or operability of the Bulk Electric System,
(3) or would cause significant risk to public health and safety.
Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs), one of the major changes was the broadening of the definition of Critical Assets to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.
Also note that no specific quantization was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
(Venn diagram of Assets, Cyber Assets, Critical Assets and Critical Cyber Assets.)
Electrical Grid 101
(Diagram: generating plants (G) and distributed generation (DG) feeding loads through the Transmission Grid, Sub-Transmission and Distribution Grid. Labelled elements: Generating Plants, Transmission substation, Transmission lines, System interconnect, Distribution substations, Distributed generation.)
Electrical Grid 101 – Continental Network
(Map of the North American interconnections: Western Interconnect, Eastern Interconnect, Texas Interconnect, with the California ISO, New England ISO and New York ISO marked.)
Regional Reliability Councils - NERC:
• ECAR - East Central Area Reliability Coordination Agreement
• ERCOT - Electric Reliability Council of Texas
• FRCC - Florida Reliability Coordinating Council
• MAAC - Mid-Atlantic Area Council
• MAIN - Mid-America Interconnected Network
• MAPP - Mid-Continent Area Power Pool
• NPCC - Northeast Power Coordinating Council
• SERC - Southeastern Electric Reliability Council
• SPP - Southwest Power Pool
• WSCC - Western Systems Coordinating Council
Critical Cyber Assets
(Diagram: the entity's SCADA/EMS connected to the Regional Authority (RTO, ISO, EMS), to Adjacent Entity EMS systems, and to Substation Controls and Power Plant DCS systems.)
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry monitoring & control, AGC, power system real-time modeling (state estimation), real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc
Compliance Schedule – Generalized
Compliance Schedule for Most Entities
(Chart, 2007 Q1 through 2010 Q4, with "Today" marked. Each CIP 00x is composed of a set of requirements R1, R2, R3, R4 ... Rx; each requirement passes through the milestones Begin Work, Substantial Completion, Completion and Auditable Compliance (AC).)
Most requirements must achieve AC by end of 2010. Some requirements must achieve AC by end of 2009.
CIP 001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R1 – Identify and inventory critical electric system assets
• R2 – Identify and inventory critical cyber assets
• R3 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (severity of consequences, by category of consequences of an attack):
Very serious consequences: Public health and safety – numerous deaths and serious injuries; Customer outages – more than 250,000 customers; Outage duration – in terms of months; Power system stability – major transmission line outages; Power generation impacts – more than 10,000 MW put offline
Major consequences: Public health and safety – scattered deaths or serious injuries; Customer outages – more than 100,000 customers; Outage duration – in terms of weeks; Power system stability – limited inter-tie disruption; Power generation impacts – more than 1,000 MW put offline
Minor consequences: Public health and safety – minor, non-life threatening injuries; Customer outages – thousands of customers; Outage duration – in terms of days; Power system stability – temporary islanding; Power generation impacts – more than 100 MW put offline
Insignificant consequences: Public health and safety – none of significance; Customer outages – hundreds of customers; Outage duration – in terms of hours; Power system stability – no impact; Power generation impacts – tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure the on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies
Organizational Security: Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy
Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy
IM Policy
Web Browsing Policy
Security Policies Security Policies (Cont)(Cont)
Computer Network Security PolicyPurposeScopeGeneral PolicyResponsibilitiesSystem Access ControlEnd-User PasswordsPassword System Set-UpLogon and Logoff ProcessSystem PrivilegesEstablishment Of Access PathsComputer Viruses Worms And Trojan HorsesData And Program BackupEncryptionPortable ComputersRemote PrintingPrivacyLogs And Other Systems Security ToolsHandling Network Security InformationPatch management and installationPhysical Security Of Computer And Communications GearExceptions and violations
Internet Security Policy For UsersIntroductionInformation IntegrityInformation ConfidentialityPublic RepresentationsIntellectual Property RightsAccess ControlPersonal UsePrivacy ExpectationsReporting Security Problems
Privacy Policy - StringentOverview And ApplicabilityDefinitionsSpecific RequirementsInformation To Be Given To The IndividualIndividuals Right Of Access To DataIndividuals Right To ObjectDisclosure Of Personal Data To Third PartiesProcessing Confidentiality And SecurityMonitoring Of Internal Activities
Privacy Policy - Lenient Company Intentions and Management ResponsibilitiesDisclosure Of Private InformationAppropriate Handling of Private InformationPrivate Information on Computer and Communication SystemActivity Monitoring (computer phone FAX)Handling Personnel InformationPrivate Information from Job SeekersPrivate Information About Customers Vendors
Web Privacy Policy
Data Classification PolicyAccess ControlClassification LabelsLabelingThird-Party InteractionsShipping And HandlingDeclassification And DowngradingDestruction And DisposalPhysical SecuritySpecial Considerations For Secret Information
External Party Information Disclosure Policy Determining If Disclosure Is AppropriateResolving Problems With Disclosure ProcessesRequired Disclosure RecordsPreparing Information For Disclosure
Information Ownership Policy
Firewall PolicyDownload Policy
Security Awareness-Raising MethodsIn PersonIn WritingOn SystemsOn Other Things
External Network Interface Security Policy HarmonizationAccess Control ConsiderationsEncryption And Public Key Infrastructure ConsiderationsChange Control And Contingency Planning ConsiderationsNetwork Management Considerations
CIP-004 Personnel & Training

Required Initial Actions

Create a program, with policies, procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.

• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements

Required On-Going Actions

Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel who are to have secure access. Review and adjust access rights as personnel status and job descriptions change.

CIP-005 Electronic Security

Required Initial Actions

Identify and document the full range of electronic access points that provide an interface into critical cyber assets, review the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.

• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points and tests for open ports and services and for improper account management
• R5 – Classify and protect the information and documentation resulting from this process, and establish policies and procedures for handling it

Required On-Going Actions

Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)

Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.

The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other

If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
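As an added example (not code from the presentation), the Python script below walks a constructed asset inventory and lists every interface that crosses the Electronic Security Perimeter, which is what CIP-005 R1 calls an access point. For each one it records what the slide asks for: whether strong authentication, encryption and monitoring are in place, and whether the path runs through a controlled gateway or through a doubly-connected workstation, a dial-in modem or removable media. The zone names, the record layout and the sample inventory are assumptions made for the example.

```python
"""Electronic Security Perimeter (ESP) access-point enumeration.

Added example, not from the presentation. It takes a constructed asset
inventory (hosts, the zone each lives in, and the interfaces each has) and
lists every interface that crosses the ESP boundary, which is what CIP-005
calls an access point, together with what is missing to protect it. Zone
names, the record fields and the sample inventory are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# Zones treated as inside the ESP (assumption for this example).
INSIDE_ESP = {"scada_lan", "substation_lan"}


@dataclass(frozen=True)
class Interface:
    kind: str                # "ethernet", "modem", "wifi", "serial", "usb"
    zone: str                # zone the interface attaches to
    auth: str = "none"       # "none", "password" or "mfa"
    encrypted: bool = False
    monitored: bool = False  # NIDS/HIDS or access logging on this path


@dataclass
class Asset:
    name: str
    zone: str                          # zone where the asset itself sits
    role: str = "host"                 # "gateway" for a firewall/VPN box
    interfaces: List[Interface] = field(default_factory=list)


@dataclass
class AccessPoint:
    asset: str
    interface: Interface
    findings: List[str]


def inside(zone: str) -> bool:
    return zone in INSIDE_ESP


def find_access_points(assets: List[Asset]) -> List[AccessPoint]:
    """An interface is an access point when it joins an inside zone to an
    outside one. Dial-up, WiFi and removable-media paths count as much as
    the firewall does; a plain host bridging the perimeter is its own finding."""
    points = []
    for asset in assets:
        for iface in asset.interfaces:
            if inside(asset.zone) == inside(iface.zone):
                continue  # stays on one side of the perimeter
            findings = []
            if iface.auth != "mfa":
                findings.append("no-strong-authentication")
            if not iface.encrypted:
                findings.append("unencrypted")
            if not iface.monitored:
                findings.append("unmonitored")
            if asset.role != "gateway":
                findings.append("path-not-through-gateway")
            points.append(AccessPoint(asset.name, iface, findings))
    return points


# Constructed inventory (assumption): one control-center network.
INVENTORY = [
    Asset("scada_fw", "scada_lan", "gateway",
          [Interface("ethernet", "corporate_wan", "mfa", True, True)]),
    Asset("hmi_ws1", "scada_lan", "host",
          [Interface("ethernet", "scada_lan"),
           Interface("ethernet", "dept_lan")]),          # doubly-connected
    Asset("rtu_sub7", "substation_lan", "host",
          [Interface("serial", "substation_lan"),
           Interface("modem", "telco", "password")]),    # dial-in IED access
    Asset("hist01", "scada_lan", "host",
          [Interface("ethernet", "scada_lan"),
           Interface("usb", "removable_media")]),        # SNEAKERnet
]


def report(assets=INVENTORY):
    """Return {'asset/interface-kind': sorted findings} for every access point."""
    return {f"{p.asset}/{p.interface.kind}": sorted(p.findings)
            for p in find_access_points(assets)}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name:18s} {'OK' if not findings else ', '.join(findings)}")
```

An empty finding list marks a deliberate, controlled path (the firewall). The modem and USB entries are why the slide insists on ALL interfaces: neither ever appears in a firewall rule set, yet both land inside the perimeter.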
Establishing the "Electronic Perimeter"

[Diagram: a SCADA/EMS system/facility and its SCADA LAN, with every path in or out marked (x) as an access point: the gateway, web server and e-mail connections through the department LAN and corporate WAN to the Internet via an ISP; an unprotected modem; a dial-out backup line; a related system; doubly-connected workstations; a WiFi access point; portable devices, storage devices and physical media; a leased T1 line through the TelCo carrying IP to the transmission substations and their RTUs; dial-in IED access at the substations; the backup-site SCADA/EMS system; and links to the regional balancing authority, Transmission Operator or Reliability Coordinator.]
Defending the "Electronic Perimeter"

Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets

Required Initial Actions

Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.

• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, whether successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages

Physical Security of Critical Cyber Assets (Cont)

Required On-Going Actions

Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.

Important Terms (cont)

Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.

The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
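The R3 to R5 logging and monitoring requirements only pay off if someone reviews the log. As an added example (not from the presentation), the following Python script runs three checks over constructed badge-reader records for the perimeter doors: repeated denied attempts at one door, a badge granted entry although it is not on the documented access list (the access control system and the CIP-004 R4 records disagree), and an entry by a badge that is already inside with no exit recorded, which points at a cloned badge or an earlier tailgate. The record format, door and badge identifiers, and the authorized list are assumptions.

```python
"""Physical access log review for CIP-006 R3-R5.

Added example, not from the presentation. Constructed badge-reader records
for the control-room perimeter doors are checked for repeated denied
attempts at one door, a badge granted entry although it is not on the
documented access list, and an entry by a badge that is already inside
(no exit was recorded). The record format and the sample data are assumptions.
"""
from collections import defaultdict

# Constructed log: timestamp door badge direction result
BADGE_LOG = """\
2008-03-03T07:58:12 door=CR-1 badge=1042 dir=in result=granted
2008-03-03T08:01:40 door=CR-1 badge=2210 dir=in result=denied
2008-03-03T08:01:55 door=CR-1 badge=2210 dir=in result=denied
2008-03-03T08:02:07 door=CR-1 badge=2210 dir=in result=denied
2008-03-03T08:30:00 door=CR-1 badge=1042 dir=in result=granted
2008-03-03T09:15:22 door=SR-2 badge=3301 dir=in result=granted
2008-03-03T09:40:10 door=CR-1 badge=1042 dir=out result=granted
2008-03-03T10:05:45 door=CR-1 badge=1077 dir=in result=granted
"""
# Badges documented as authorized for the physical security perimeter (assumption).
AUTHORIZED_BADGES = {"1042", "1077"}
DENIED_THRESHOLD = 3   # consecutive denials at one door before raising an alert


def parse_log(text):
    """Turn each 'ts key=value ...' line into a dict; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        rec = {"ts": parts[0]}
        rec.update(p.split("=", 1) for p in parts[1:])
        records.append(rec)
    return records


def review_access_log(text=BADGE_LOG, authorized=AUTHORIZED_BADGES):
    """Return a list of (alert, door, badge, timestamp) tuples, in log order."""
    alerts = []
    denied = defaultdict(int)          # (door, badge) -> consecutive denials
    inside = set()                     # badges currently inside the perimeter
    for rec in parse_log(text):
        door, badge, ts = rec["door"], rec["badge"], rec["ts"]
        if rec["result"] == "denied":
            denied[(door, badge)] += 1
            if denied[(door, badge)] == DENIED_THRESHOLD:
                alerts.append(("repeated-denied-attempts", door, badge, ts))
            continue
        denied[(door, badge)] = 0
        if badge not in authorized:
            # The reader let the badge in, but the documented access list does not.
            alerts.append(("granted-but-not-authorized", door, badge, ts))
        if rec["dir"] == "in":
            if badge in inside:
                alerts.append(("entry-without-prior-exit", door, badge, ts))
            inside.add(badge)
        else:
            inside.discard(badge)
    return alerts


if __name__ == "__main__":
    for alert in review_access_log():
        print(*alert)
```

The third check is a simple anti-passback rule and assumes every exit is badged; if the perimeter has free-egress doors it will produce noise, which is itself a finding against the R1 access-point inventory.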
Establishing the "Physical Perimeter"

[Diagram: the Facility has a limited number of monitored/controlled access points; inside it, SCADA Operations (Control Room, Computer/server Room and Telecom/LAN Room) sits behind its own limited, monitored/controlled access points with separate access rights from the Office Areas, joined by monitored hallways.]
Defending the "Physical Perimeter"

Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management

Required Initial Actions

Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.

• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other (compensating) measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner

Systems Security Management (Cont)

Required Initial Actions (cont)

• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated

Required On-Going Actions

Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
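The CIP-005 R4 vulnerability assessment and the CIP-007 R2 and R5 requirements above come down to two comparisons against documented baselines: what is listening versus what the asset is documented to need, and who has an account versus who is on the access roster kept under CIP-004 R4. As an added example (not code from the presentation), the Python script below performs both over constructed data. The socket listing format, the documented-service allowlist, the account records and the HR roster are all assumptions made for the example.

```python
"""Open-port/service and account baseline review for a critical cyber asset.

Added example for CIP-005 R4 (test for open ports and services and improper
account management) and CIP-007 R2/R5; it is not from the presentation. The
socket listing, the documented-service allowlist, the account records and
the access roster are constructed here, and the listing format assumed is
"proto local_address state program" as a netstat/ss style tool prints it.
"""
import re

# Constructed snapshot of listening sockets on an (assumed) EMS server.
LISTENING = """\
tcp 0.0.0.0:22 LISTEN sshd
tcp 0.0.0.0:23 LISTEN telnetd
tcp 10.1.0.5:102 LISTEN iec61850d
tcp 0.0.0.0:502 LISTEN modbusd
udp 0.0.0.0:161 - snmpd
tcp 0.0.0.0:8080 LISTEN httpd
"""

# Services this asset is documented to need (assumption): (proto, port) -> program.
REQUIRED_SERVICES = {
    ("tcp", 22): "sshd",
    ("tcp", 102): "iec61850d",
    ("tcp", 502): "modbusd",
}

SOCKET_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+\S+\s+(\S+)$")


def parse_listening(text):
    """Yield (proto, address, port, program) for each well-formed line."""
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)


def check_services(text=LISTENING, required=REQUIRED_SERVICES):
    """Ports not on the documented list must be disabled (CIP-007 R2). A
    documented port served by a different program is also reported, since a
    replaced or rogue binary looks identical in a port scan, and a documented
    service that is not listening is reported as baseline drift."""
    findings, seen = [], set()
    for proto, _addr, port, prog in parse_listening(text):
        seen.add((proto, port))
        expected = required.get((proto, port))
        if expected is None:
            findings.append(("unneeded-service", proto, port, prog))
        elif expected != prog:
            findings.append(("unexpected-program", proto, port, prog))
    for (proto, port), prog in required.items():
        if (proto, port) not in seen:
            findings.append(("documented-service-not-listening", proto, port, prog))
    return findings


# Constructed local accounts: (username, uid, shell, days since last login).
ACCOUNTS = [
    ("root", 0, "/bin/bash", 3),
    ("jdoe", 1001, "/bin/bash", 2),
    ("asmith", 1002, "/bin/bash", 400),
    ("operator", 1003, "/bin/bash", 1),
    ("backup", 0, "/bin/bash", 90),
    ("modbusd", 1500, "/usr/sbin/nologin", None),
]
# Constructed access roster kept under CIP-004 R4: username -> HR status.
ROSTER = {"jdoe": "active", "asmith": "terminated", "operator": "shared"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/bin/false"}
MAX_IDLE_DAYS = 180


def check_accounts(accounts=ACCOUNTS, roster=ROSTER):
    """Flag accounts that break CIP-007 R5: no matching authorized person, a
    terminated person who still has an account, shared accounts that defeat
    activity tracking, extra UID-0 accounts, and dormant accounts."""
    findings = []
    for user, uid, shell, idle_days in accounts:
        if shell in NOLOGIN_SHELLS:
            continue  # service account with no interactive login
        if uid == 0 and user != "root":
            findings.append(("extra-uid0-account", user))
        status = roster.get(user)
        if user != "root":
            if status is None:
                findings.append(("not-on-access-roster", user))
            elif status == "terminated":
                findings.append(("terminated-personnel", user))
            elif status == "shared":
                findings.append(("shared-account", user))
        if idle_days is not None and idle_days > MAX_IDLE_DAYS:
            findings.append(("dormant-account", user))
    return findings


if __name__ == "__main__":
    for finding in check_services() + check_accounts():
        print(*finding)
```

Run against a real host, the socket snapshot would come from the host itself rather than an external scan, so that services bound only to an internal address (the IEC 61850 listener on 10.1.0.5 here) are not missed; a port scan from outside the perimeter is the complementary R4 check, not a substitute.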
CIP-008 Incident Reporting & Response Planning

Required Initial Actions

Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.

• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation

Required On-Going Actions

Establish policies and procedures that ensure the validity and effectiveness of the response procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets

Required Initial Actions

Create a program to develop and test written procedures and training programs.

• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations
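R5 asks for a periodic test that the backup media is still usable. The minimum technical form of that test is an integrity check: record a digest of every file when the image is taken, then rehash the media later and compare. As an added example (not code from the presentation), the Python script below builds such a manifest for a small constructed backup set, damages the "media" in three ways, and runs the verification. The manifest file name, the directory layout and the sample files are assumptions.

```python
"""Backup image integrity check for CIP-009 R4/R5.

Added example, not from the presentation. When a backup image of a critical
system is made, a manifest of SHA-256 digests is stored beside it; the
periodic media test rehashes the image and compares, which catches silent
corruption, files that have gone missing and files that were never part of
the image. The sample backup set is constructed in a temporary directory;
the manifest file name and layout are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so large images are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, POSIX form) under root to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(root, manifest):
    (Path(root) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def read_manifest(root):
    return json.loads((Path(root) / MANIFEST_NAME).read_text())


def verify_backup(root, manifest):
    """Return {relative path: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    current = build_manifest(root)
    status = {}
    for rel, digest in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current.keys() - manifest.keys():
        status[rel] = "unexpected"
    return status


def demo():
    """Make a small constructed image, record its manifest, damage the media,
    and run the verification a periodic R5 test would run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ems").mkdir()
        (root / "ems" / "scada.db").write_bytes(b"point table v7")
        (root / "ems" / "config.xml").write_bytes(b"<cfg/>")
        (root / "restore.sh").write_bytes(b"#!/bin/sh\necho restore\n")
        write_manifest(root, build_manifest(root))

        # Constructed damage: bit rot in the database image, a lost restore
        # script, and a file copied onto the media after the image was taken.
        (root / "ems" / "scada.db").write_bytes(b"point table v7\x00\x00")
        (root / "restore.sh").unlink()
        (root / "ems" / "extra.bin").write_bytes(b"not part of the image")

        return verify_backup(root, read_manifest(root))


if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:10s} {rel}")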
Required On-Going Actions

Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure that recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process

Information gathering phase
• Identify and document Critical Cyber Assets (physical audit)
• Identify and document Critical Cyber Information (physical audit)
• Identify and document the Physical Security Perimeter (physical inspection)
• Identify and document communication and network connections (physical inspection)
• Identify and document all personnel who have access rights (background checks)
• Identify and review all existing cyber security policies and procedures (NERC checklist)

Action plan formulation phase
• Review findings versus NERC requirements (non-compliance levels)
• Develop action plan for addressing all short-comings

Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process

Plan implementation phase
• Develop and document necessary policies and procedures (iterative reviews)
• Select methods for creating the electronic security perimeter (technology survey)
• Implement and test the electronic perimeter (PEN testing)
• Select methods for creating the physical security perimeter (technology survey)
• Implement and test the physical security perimeter (social engineering testing)
• Provide security training to all employees as needed (awareness campaign)

Testing and validation phase
• Test and validate systems management and recovery procedures (disaster simulation & audits)
• Test and validate system/component test/commissioning procedures (structured audit)
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates

August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.

The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.

As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs

FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.

FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".

FERC Comments on NERC CIPs

FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.

For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.

Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.

FERC Concerns with CIPs

• Discretion and Business Judgment

All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the results of asset identification will vary significantly from one Responsible Entity to the next.

FERC Concerns with CIPs

• Defining Compliance

FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.

FERC Concerns with CIPs

• Applicability

Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)

Compliance schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.

[Chart: quarters Q2 2007 through Q4 2010; one row per requirement (CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5), each carrying a milestone marker for BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance). Marker positions are not preserved in this transcript.]
Compliance Schedule – Table 1 (Other Facilities)

Compliance schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.

[Chart: quarters Q2 2007 through Q4 2010; same rows as Table 1 (Control Centers), CIP 002 through CIP 009 with their requirements, each with BW/SC/C/AC milestone markers (Begin Work, Substantial Completion, Completion, Auditable Compliance). Marker positions are not preserved in this transcript.]
Compliance Schedule – Table 2 (All Facilities)

Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.

[Chart: quarters Q2 2007 through Q4 2010; one row per requirement (CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5), each with BW/SC/C/AC milestone markers (Begin Work, Substantial Completion, Completion, Auditable Compliance). Marker positions are not preserved in this transcript.]
Compliance Schedule – Table 3 (All Facilities)

Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.

[Chart: quarters Q1 2007 through Q4 2010; one row per requirement (CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5), each with BW/SC/C/AC milestone markers (Begin Work, Substantial Completion, Completion, Auditable Compliance). Marker positions are not preserved in this transcript.]
Compliance Schedule – Table 4 (All Facilities)

Compliance schedule for Responsible Entities registering in 2007 and thereafter.

[Chart: time axis in quarters after registration (Registration plus Q1 through Q11); one row per requirement (CIP 002 R1-R4, CIP 003 R1-R6, CIP 004 R1-R4, CIP 005 R1-R5, CIP 006 R1-R6, CIP 007 R1-R9, CIP 008 R1-R2, CIP 009 R1-R5), each with BW/SC/C/AC milestone markers (Begin Work, Substantial Completion, Completion, Auditable Compliance). Marker positions are not preserved in this transcript.]
Understanding the NERC CIP Standards

William T Shaw PhD CISSP
President – Cyber SECurity Consulting

Questions?
Evolution of the Standards

NERC 1300 => CIPs: standard requirements

1301 Security Management Controls  =>  CIP 002/003 (see below)
1302 Critical Cyber Assets
1303 Personnel & Training
1304 Electronic Security
1305 Physical Security
1306 Systems Security Management
1307 Incident Response Planning
1308 Recovery Plans

CIP 001 Sabotage Reporting
CIP 002 Critical Cyber Assets
CIP 003 Security Management Controls
CIP 004 Personnel & Training
CIP 005 Electronic Security
CIP 006 Physical Security of CCA
CIP 007 Systems Security Management
CIP 008 Incident Reporting/Response Planning
CIP 009 Recovery Plans for CCA

Each 1300 section became the CIP standard of the same name (1301 => CIP 003, 1302 => CIP 002, 1303 => CIP 004, 1304 => CIP 005, 1305 => CIP 006, 1306 => CIP 007, 1307 => CIP 008, 1308 => CIP 009); CIP 001 Sabotage Reporting has no 1300 counterpart.
Important Terms

Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded, or otherwise rendered unavailable, would have
(1) a significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) a detrimental impact on the reliability or operability of the Bulk Electric System, or
(3) would cause significant risk to public health and safety.

Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs), one of the major changes was the broadening of the definition of Critical Assets to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.

Also note that no specific quantification was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont)

Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.

Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.

Critical Assets: Facilities, systems and equipment which, if destroyed, damaged or degraded, or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.

[Diagram: nested sets – all Assets contain the Cyber Assets and the Critical Assets; the Critical Cyber Assets are shown where Cyber Assets and Critical Assets overlap.]
Electrical Grid 101

[Diagram: Generating plants (G) feed transmission substations and transmission lines in the Transmission Grid; a system interconnect joins it to neighbouring systems; Sub-Transmission feeds the distribution substations of the Distribution Grid, which serve the loads; distributed generation (DG) connects at the distribution level.]
Electrical Grid 101 – Continental Network

Regional Reliability Councils - NERC:
ECAR — East Central Area Reliability Coordination Agreement
ERCOT — Electric Reliability Council of Texas
FRCC — Florida Reliability Coordinating Council
MAAC — Mid-Atlantic Area Council
MAIN — Mid-America Interconnected Network
MAPP — Mid-Continent Area Power Pool
NPCC — Northeast Power Coordinating Council
SERC — Southeastern Electric Reliability Council
SPP — Southwest Power Pool
WSCC — Western Systems Coordinating Council

[Map: the Western Interconnect, Eastern Interconnect and Texas Interconnect, with the California ISO, New England ISO and New York ISO marked.]
Critical Cyber Assets

[Diagram: the Regional Authority (RTO, ISO, EMS) at the top; below it the entity's SCADA/EMS, exchanging data with the adjacent entities' EMS systems; below that the Substation Controls and the Power Plant DCS systems.]
Critical Assets (Power System)

• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use “routable” protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule – Generalized (CIP-00x, compliance schedule for most entities)
[Chart: timeline 2007 through 2010 by quarter (Q1–Q4) with a "Today" marker; for each requirement R1, R2, R3, R4 ... Rx the milestones Begin Work, Substantial Completion, Completion and Auditable Compliance are plotted.]
Each CIP is composed of a set of requirements. Most requirements must achieve Auditable Compliance (AC) by the end of 2010; some requirements must achieve AC by the end of 2009. CIP-001 is in place for all utilities; CIP-002 through CIP-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R1 – Identify and inventory critical electric system assets
• R2 – Identify and inventory critical cyber assets
• R3 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the “risk” assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)

Severity of consequences   | Public health and safety             | Customer outages       | Outage duration | Power system stability          | Power generation impacts
Very serious consequences  | Numerous deaths and serious injuries | >250,000 customers     | Months          | Major transmission line outages | >10,000 MW put offline
Major consequences         | Scattered deaths or serious injuries | >100,000 customers     | Weeks           | Limited inter-tie disruption    | >1,000 MW put offline
Minor consequences         | Minor, non-life-threatening injuries | Thousands of customers | Days            | Temporary islanding             | >100 MW put offline
Insignificant consequences | None of significance                 | Hundreds of customers  | Hours           | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to and priority of security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhere to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
- Security Policy
  - Information Security Policies
- Organizational Security
  - Information Security Infrastructure
  - Security Of Third-Party Access
  - Outsourcing
- Asset/Information Classification And Control
  - Accountability For Asset/Information
  - Classification
  - Information access procedures
- Personnel
  - Background checks
  - Hiring and termination procedures
  - NDA requirements
  - Job rotation/separation of duties
  - Security In Job Definition And Resourcing
  - User Training
  - Responding To Security Incidents And Malfunctions
- Physical And Environmental Security
  - Secure Areas (security perimeter)
  - Equipment Security
  - General Controls
  - Monitoring and auditing
- Communications And Operations Management
  - Operational Procedures And Responsibilities
  - System Planning And Acceptance
  - Protection Against Malicious Software
  - Housekeeping
  - Media Handling and Security
  - Exchanges Of Information And Software
- Physical/Electronic Access Control
  - Business Requirement For Access Control
  - User Access Management
  - User Responsibilities
  - Network Access Control
  - Operating System Access Control
  - Application Access Control
  - Monitoring System Access And Use
  - Mobile Computing
- Auditing and Review Policy
- Systems Development And Maintenance
  - Security Requirements Of Systems
  - Security In Application Systems
  - Cryptographic Controls
  - Security Of System Files
  - Security In Development And Support Processes
- Operational Continuity Management
  - Incident reporting/response
  - Recovery planning and testing
- Compliance
  - Compliance With Legal Requirements (SOX/HIPAA)
  - Compliance with NERC 1200/1300
  - Reviews Of Security Policy And Technical Compliance
  - System Audit Considerations

- High-Level Information Security Policy
- Detailed Information Security Policy
- Telecommuting and Portable Computer/PDA/Cell Phone Security Policy
  - Management Issues
  - Access Control
  - Backup And Media Storage
  - Communications Links
  - System Management
  - Travel Considerations
  - Physical Security
- External Communications Security Policy
- Personal Computer Security Policy
  - Document Overview
  - Business Use Only
  - Configuration Control
  - Access Control
  - Viruses
  - Backup
  - Destruction
  - Documentation
  - Networking
  - Physical Security
  - Management
- Electronic Mail Policy
- IM Policy
- Web Browsing Policy
Security Policies (Cont)
- Computer Network Security Policy
  - Purpose
  - Scope
  - General Policy
  - Responsibilities
  - System Access Control
  - End-User Passwords
  - Password System Set-Up
  - Logon and Logoff Process
  - System Privileges
  - Establishment Of Access Paths
  - Computer Viruses, Worms And Trojan Horses
  - Data And Program Backup
  - Encryption
  - Portable Computers
  - Remote Printing
  - Privacy
  - Logs And Other Systems Security Tools
  - Handling Network Security Information
  - Patch management and installation
  - Physical Security Of Computer And Communications Gear
  - Exceptions and violations
- Internet Security Policy For Users
  - Introduction
  - Information Integrity
  - Information Confidentiality
  - Public Representations
  - Intellectual Property Rights
  - Access Control
  - Personal Use
  - Privacy Expectations
  - Reporting Security Problems
- Privacy Policy - Stringent
  - Overview And Applicability
  - Definitions
  - Specific Requirements
  - Information To Be Given To The Individual
  - Individual's Right Of Access To Data
  - Individual's Right To Object
  - Disclosure Of Personal Data To Third Parties
  - Processing Confidentiality And Security
  - Monitoring Of Internal Activities
- Privacy Policy - Lenient
  - Company Intentions and Management Responsibilities
  - Disclosure Of Private Information
  - Appropriate Handling of Private Information
  - Private Information on Computer and Communication Systems
  - Activity Monitoring (computer, phone, FAX)
  - Handling Personnel Information
  - Private Information from Job Seekers
  - Private Information About Customers, Vendors
- Web Privacy Policy
- Data Classification Policy
  - Access Control
  - Classification Labels
  - Labeling
  - Third-Party Interactions
  - Shipping And Handling
  - Declassification And Downgrading
  - Destruction And Disposal
  - Physical Security
  - Special Considerations For Secret Information
- External Party Information Disclosure Policy
  - Determining If Disclosure Is Appropriate
  - Resolving Problems With Disclosure Processes
  - Required Disclosure Records
  - Preparing Information For Disclosure
- Information Ownership Policy
- Firewall Policy
- Download Policy
- Security Awareness-Raising Methods
  - In Person
  - In Writing
  - On Systems
  - On Other Things
- External Network Interface Security Policy
  - Harmonization
  - Access Control Considerations
  - Encryption And Public Key Infrastructure Considerations
  - Change Control And Contingency Planning Considerations
  - Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, and tests for open ports and services and improper account management
• R5 – Classify, protect, and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis, and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- “SNEAKERnet” (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
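The interface inventory described above can be checked mechanically against what is actually connected. The following is an added example, not part of the original presentation: given an assumed ESP address range, a documented list of access points, an asset inventory and a few observed flows (all constructed sample data), it reports doubly-connected assets and traffic that enters the ESP through anything other than a documented access point.

```python
"""ESP access-point check. Added example; every address, asset name and flow
record is constructed sample data, and the ESP is assumed to be the single
SCADA LAN 10.10.0.0/24 (an assumption, not a value from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Networks that make up the Electronic Security Perimeter (constructed).
ESP_NETWORKS = [ip_network("10.10.0.0/24")]  # SCADA LAN

# Documented, controlled access points: ESP-side address -> description (constructed).
DOCUMENTED_ACCESS_POINTS = {
    "10.10.0.1": "ESP firewall/gateway to the corporate WAN",
    "10.10.0.5": "ICCP gateway to the regional balancing authority",
}


@dataclass
class Asset:
    name: str
    interfaces: List[str]          # IP addresses, or non-IP links such as "modem:dial-in"
    is_access_point: bool = False  # True only for documented perimeter devices


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def in_esp(endpoint: str) -> bool:
    """True if the endpoint is an IP address inside an ESP network.
    Non-IP links (modem, WiFi, portable media) are by definition outside."""
    try:
        ip = ip_address(endpoint)
    except ValueError:
        return False
    return any(ip in net for net in ESP_NETWORKS)


def doubly_connected_assets(assets: List[Asset]):
    """Assets with one interface inside the ESP and another outside it that are
    not documented access points: each one is an uncontrolled path into the ESP."""
    findings = []
    for a in assets:
        inside = [i for i in a.interfaces if in_esp(i)]
        outside = [i for i in a.interfaces if not in_esp(i)]
        if inside and outside and not a.is_access_point:
            findings.append((a.name, inside, outside))
    return findings


def undocumented_ingress(flows: List[Flow]):
    """Flows from outside the ESP to an inside host other than a documented
    access point. Flows that stay inside the ESP are not perimeter crossings."""
    return [(f.src, f.dst, f.dport) for f in flows
            if not in_esp(f.src) and in_esp(f.dst)
            and f.dst not in DOCUMENTED_ACCESS_POINTS]


# Constructed inventory, modelled on the perimeter diagram in the slides.
ASSETS = [
    Asset("ems-server", ["10.10.0.10"]),
    Asset("historian", ["10.10.0.30"]),
    Asset("esp-firewall", ["10.10.0.1", "192.168.1.1"], is_access_point=True),
    Asset("eng-workstation-7", ["10.10.0.20", "192.168.1.57"]),  # doubly connected
    Asset("substation-rtu-3", ["10.10.0.40", "modem:dial-in"]),  # unprotected modem
]

# Constructed flow records, as a perimeter sensor might export them.
FLOWS = [
    Flow("192.168.1.57", "10.10.0.1", 443),    # corporate -> documented gateway
    Flow("192.168.1.57", "10.10.0.20", 3389),  # corporate -> engineering PC directly
    Flow("10.10.0.10", "10.10.0.30", 1433),    # EMS -> historian, inside the ESP
    Flow("203.0.113.9", "10.10.0.5", 102),     # ICCP peer -> documented gateway
]


def run_check(assets=ASSETS, flows=FLOWS):
    """Return both kinds of finding for the given inventory and flows."""
    return {
        "doubly_connected": [name for name, _, _ in doubly_connected_assets(assets)],
        "undocumented_ingress": undocumented_ingress(flows),
    }


if __name__ == "__main__":
    for kind, items in run_check().items():
        print(kind)
        for item in items:
            print("  ", item)
```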
Establishing the “Electronic Perimeter”
[Diagram: The Electronic Perimeter. A SCADA/EMS system/facility with its SCADA LAN, RTUs, gateway, web server and e-mail server is connected to the corporate and department LANs, to the INTERNET via an ISP, to a WAN via TelCo circuits, to a related system, to a backup-site SCADA/EMS system, to transmission substations (IP to the substation over a leased T1 line), and to the regional balancing authority, transmission operator or reliability coordinator. Perimeter-crossing points marked on the diagram: an unprotected modem, dial-out backup, dial-in IED access, a WiFi AP, doubly-connected workstations, portable devices, storage devices and physical media.]
Defending the “Electronic Perimeter”
• Intrusion Detection (NIDS/HIDS) systems
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable “strong” identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the “Physical Perimeter”
[Diagram: A Facility with limited, monitored/controlled access points; inside it, SCADA Operations with its own limited, monitored/controlled access points and separate access rights for the Control Room, the Computer/server Room and the Telecom/LAN Room; Office Areas lie outside the SCADA Operations perimeter; hallways are monitored and all access is controlled and monitored.]
Defending the “Physical Perimeter”
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure “strong” user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis, and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
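R5 and R6 above call for tracking user activity and automatically flagging access violation attempts at the perimeter. As an added example, not from the original presentation, the Python below runs that detection over a few constructed authentication log lines in an assumed log format: it alerts on a burst of failed logins from one source, on any successful login by an account that is not on the authorized-account list, and on lines it cannot parse, so that a log-format change cannot silently blind the monitor.

```python
"""Perimeter access monitoring in the spirit of CIP-007 R5/R6. Added example;
the log format, host names, addresses and account list are all constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <host> auth <OK|FAIL> user=<name> src=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Accounts authorized to log in at the ESP gateway, each with a named owner (R5).
AUTHORIZED = {
    "jsmith": "J. Smith, system operator",
    "mlee": "M. Lee, SCADA engineer",
}

# Constructed sample log lines from the ESP gateway.
SAMPLE_LOG = """\
2008-03-02 14:01:07 esp-gw auth FAIL user=operator src=192.168.1.57
2008-03-02 14:01:12 esp-gw auth FAIL user=operator src=192.168.1.57
2008-03-02 14:01:18 esp-gw auth FAIL user=root src=192.168.1.57
2008-03-02 14:01:25 esp-gw auth FAIL user=admin src=192.168.1.57
2008-03-02 14:01:31 esp-gw auth FAIL user=scada src=192.168.1.57
2008-03-02 14:05:00 esp-gw auth OK user=vendor1 src=203.0.113.9
2008-03-02 14:07:00 esp-gw link state changed
2008-03-02 14:10:00 esp-gw auth OK user=jsmith src=192.168.1.57
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or return None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def monitor(lines, authorized=AUTHORIZED, threshold=5, window=timedelta(seconds=120)):
    """Scan log lines in order and return alert records.

    repeated_auth_failure: at least `threshold` failures from one source within
                           `window` (raised once per source per burst)
    unauthorized_account:  successful login by an account not on the list
    unparsed:              a line the monitor could not interpret
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    alerted_sources = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append({"type": "unparsed", "line": line})
            continue
        if ev["result"] == "FAIL":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # age out failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in alerted_sources:
                alerted_sources.add(ev["src"])
                alerts.append({"type": "repeated_auth_failure", "src": ev["src"],
                               "count": len(q), "ts": ev["ts"]})
        elif ev["user"] not in authorized:
            alerts.append({"type": "unauthorized_account", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```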
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
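R4 and R5 above require secured backup images and periodic verification that the media are still usable. As an added example, not the presentation's own procedure, the Python below builds a SHA-256 manifest for a backup image at backup time and re-verifies it during a media test, reporting files that have gone missing, changed or appeared; the backup contents and the simulated media fault are constructed inline in a temporary directory.

```python
"""Backup image manifest and media verification (CIP-009 R4/R5 style).
Added example; the file names and contents below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # stored alongside the image, excluded from checks


def sha256_file(path):
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root):
    """Relative POSIX paths of every regular file under root, manifest excluded."""
    return {p.relative_to(root).as_posix()
            for p in root.rglob("*")
            if p.is_file() and p.name != MANIFEST_NAME}


def make_manifest(backup_dir):
    """Map each file in the backup image to its SHA-256 digest, in sorted order."""
    root = Path(backup_dir)
    return {rel: sha256_file(root / rel) for rel in sorted(_files(root))}


def verify_backup(backup_dir, manifest):
    """Return a list of (problem, path) tuples; an empty list means the image
    matches its manifest exactly. Problems: missing, changed, unexpected."""
    root = Path(backup_dir)
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != digest:
            problems.append(("changed", rel))
    for rel in sorted(_files(root) - set(manifest)):
        problems.append(("unexpected", rel))
    return problems


def demo():
    """Create a small constructed image, verify it, then simulate media damage
    (a dropped file and a single flipped bit) and verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        (root / "config" / "ems.cfg").write_bytes(b"poll_interval=2\n")
        (root / "db").mkdir()
        (root / "db" / "points.db").write_bytes(bytes(range(256)) * 4)

        manifest = make_manifest(root)
        (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
        # A restore test reads the manifest back from the media, as it would in practice.
        fresh = verify_backup(root, json.loads((root / MANIFEST_NAME).read_text()))

        data = bytearray((root / "db" / "points.db").read_bytes())
        data[100] ^= 0x01                      # one-bit corruption
        (root / "db" / "points.db").write_bytes(bytes(data))
        (root / "config" / "ems.cfg").unlink()  # lost file
        damaged = verify_backup(root, manifest)
        return fresh, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh image:", before or "OK")
    print("damaged media:", after)
```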
Cyber Securing SCADA Systems: NERC Self Assessment Process
[Flow diagram]
Information gathering phase:
- Identify and document Critical Cyber Assets
- Identify and document Critical Cyber Information
- Identify and document the Physical Security Perimeter
- Identify and document communication and network connections
- Identify and document all personnel who have access rights
- Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
- Review findings versus NERC requirements
- Develop an action plan for addressing all short-comings (non-compliance levels)
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems: NERC Compliance Process
[Flow diagram]
Plan implementation phase:
- Develop and document necessary policies and procedures
- Select methods for creating the electronic security perimeter
- Implement and test the electronic perimeter
- Select methods for creating the physical security perimeter
- Implement and test the physical security perimeter
- Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
- Test and validate systems management and recovery procedures
- Test and validate system/component test/commissioning procedures
- Disaster simulation & audits
- Structured audit
Key methodology/standard
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to “reasonable business judgment”. FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own “business standards”.
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must “begin work” on compliance upon registration with NERC, must be “substantially compliant” within 12 months of registration, and must be “compliant” within 24 months of registration. Entities must ultimately be “auditably compliant” by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves “auditably compliant” status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using “reasonable business judgment”. This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a “risk-based assessment methodology”. FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that “the most critical element of a Cyber Security Standard is the Requirements” because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying “exceptions”, or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
[Chart: quarters 2007 Q2 through 2010 Q4; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance) are plotted per requirement.]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
[Chart: quarters 2007 Q2 through 2010 Q4; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance) are plotted per requirement.]
Compliance Schedule - Table 2 (All Facilities)
Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: quarterly timeline from Q2 2007 through Q4 2010, one row per requirement: CIP-002 R1-R4, CIP-003 R1-R6, CIP-004 R1-R4, CIP-005 R1-R5, CIP-006 R1-R6, CIP-007 R1-R9, CIP-008 R1-R2, CIP-009 R1-R5, with BW / SC / C / AC milestone markers per requirement; marker positions not recoverable from the extracted text.]
Compliance Schedule - Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: quarterly timeline from Q1 2007 through Q4 2010, one row per requirement: CIP-002 R1-R4, CIP-003 R1-R6, CIP-004 R1-R4, CIP-005 R1-R5, CIP-006 R1-R6, CIP-007 R1-R9, CIP-008 R1-R2, CIP-009 R1-R5, with BW / SC / C / AC milestone markers per requirement; marker positions not recoverable from the extracted text.]
Compliance Schedule - Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter.
[Chart: timeline counted in quarters after registration ("Registration Plus" Q1 through Q11), one row per requirement: CIP-002 R1-R4, CIP-003 R1-R6, CIP-004 R1-R4, CIP-005 R1-R5, CIP-006 R1-R6, CIP-007 R1-R9, CIP-008 R1-R2, CIP-009 R1-R5, with BW / SC / C / AC milestone markers per requirement; marker positions not recoverable from the extracted text.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President - Cyber SECurity Consulting
Questions?
Important Terms
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged, degraded or otherwise rendered unavailable, would
(1) have a significant impact on the ability to serve large quantities of customers for an extended period of time,
(2) have a detrimental impact on the reliability or operability of the Bulk Electric System, or
(3) cause significant risk to public health and safety.
Note that when NERC went from the initial 1200 standard to the later 1300 standard (and to the CIPs), one of the major changes was the broadening of the definition of Critical Assets, to make the definition far more generalized and to put the responsibility for specifically identifying those assets into the hands of the responsible entities.
Also note that no specific quantization was provided for "large quantities of customers", "extended period of time" or "significant risk".
Important Terms (cont.)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged, degraded or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
[Diagram: nested sets - Assets contain both Cyber Assets and Critical Assets; Critical Cyber Assets are where the two overlap.]
Electrical Grid 101
[Diagram: generating plants (G) feed the transmission grid through transmission substations and transmission lines, with a system interconnect to neighbouring systems; sub-transmission and distribution substations feed the distribution grid, which serves the loads and also takes in distributed generation (DG).]
Electrical Grid 101 - Continental Network
[Map: the three interconnects (Western Interconnect, Eastern Interconnect, Texas Interconnect), the California ISO, New England ISO and New York ISO, and the NERC Regional Reliability Councils listed below.]
Regional Reliability Councils - NERC
ECAR - East Central Area Reliability Coordination Agreement
ERCOT - Electric Reliability Council of Texas
FRCC - Florida Reliability Coordinating Council
MAAC - Mid-Atlantic Area Council
MAIN - Mid-America Interconnected Network
MAPP - Mid-Continent Area Power Pool
NPCC - Northeast Power Coordinating Council
SERC - Southeastern Electric Reliability Council
SPP - Southwest Power Pool
WSCC - Western Systems Coordinating Council
Critical Cyber Assets
[Diagram: a Regional Authority (RTO / ISO / EMS) exchanges data with the entity's SCADA/EMS and with adjacent entities' EMS systems; the entity's SCADA/EMS in turn communicates with substation controls and with power plant DCSs.]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation) and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
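The two reachability bullets above (a routable protocol on a network that leaves the facility, or remote/dial-up access) are what turn a Cyber Asset that is essential to a Critical Asset into a Critical Cyber Asset candidate. Written down as a checklist they can be run over an inventory. The following Python is an added example, not code from the presentation or from NERC; the inventory records, facility names and rule names are constructed for illustration.

```python
"""CIP-002 style screening of a Cyber Asset inventory for CCA candidates.

Added example, not code from the presentation. The asset records, facility
names and the screening rules are constructed to mirror the slide's
"Potential Critical Cyber Assets" list; a real program would read the
entity's own inventory and its approved Critical Asset list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberAsset:
    name: str
    facility: str
    essential_to: frozenset            # Critical Assets this device is essential to
    routable: bool = False             # speaks a routable (IP-based) protocol
    net_leaves_facility: bool = False  # that network extends outside the facility
    dialup: bool = False               # reachable by modem / remote telephone


def is_cca_candidate(asset, critical_assets):
    """Return (candidate?, reason) for one Cyber Asset.

    A device only matters to CIP-002 if it is essential to an identified
    Critical Asset; it then becomes a CCA candidate when it is reachable in
    one of the ways the slide calls out (routable protocol leaving the
    facility, or dial-up access).
    """
    if not asset.essential_to & critical_assets:
        return False, "not essential to any identified Critical Asset"
    reasons = []
    if asset.routable and asset.net_leaves_facility:
        reasons.append("routable protocol on a network that extends outside the facility")
    if asset.dialup:
        reasons.append("supports dial-up / remote telephone access")
    if not reasons:
        return False, "essential but isolated: document why it is excluded"
    return True, "; ".join(reasons)


def screen_inventory(inventory, critical_assets):
    """Map asset name -> (candidate?, reason) for a whole inventory."""
    return {a.name: is_cca_candidate(a, critical_assets) for a in inventory}


def facilities_needing_perimeters(inventory, critical_assets):
    """Every facility housing a CCA candidate needs an electronic and a
    physical security perimeter (CIP-005 / CIP-006); list them."""
    hits = screen_inventory(inventory, critical_assets)
    return sorted({a.facility for a in inventory if hits[a.name][0]})


# Constructed sample data (assumption, not any entity's real inventory).
CRITICAL_ASSETS = frozenset({
    "Primary control center SCADA/EMS",
    "Substation 7 (supports an IROL)",
    "Plant A (>= 80% of largest single contingency)",
})

INVENTORY = [
    CyberAsset("EMS-SRV-01", "Control Center",
               frozenset({"Primary control center SCADA/EMS"}),
               routable=True, net_leaves_facility=True),
    CyberAsset("ICCP-GW-01", "Control Center",
               frozenset({"Primary control center SCADA/EMS"}),
               routable=True, net_leaves_facility=True),
    CyberAsset("HIST-01", "Control Center",
               frozenset({"Primary control center SCADA/EMS"}),
               routable=True, net_leaves_facility=False),
    CyberAsset("ENG-PC-04", "Control Center", frozenset(),
               routable=True, net_leaves_facility=True),
    CyberAsset("RTU-SUB7", "Substation 7",
               frozenset({"Substation 7 (supports an IROL)"}), dialup=True),
    CyberAsset("DCS-PLANT-A", "Plant A",
               frozenset({"Plant A (>= 80% of largest single contingency)"}),
               routable=True, net_leaves_facility=False),
]

if __name__ == "__main__":
    for name, (hit, why) in screen_inventory(INVENTORY, CRITICAL_ASSETS).items():
        print(f"{'CCA' if hit else '   '}  {name:12s} {why}")
    print("Perimeters required at:",
          facilities_needing_perimeters(INVENTORY, CRITICAL_ASSETS))
```

Note that the historian and the plant DCS come out as "essential but isolated": that is exactly the case the standard expects the entity to document rather than silently drop, since a later network change (a new corporate link into the plant LAN) would make them candidates.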
Compliance Schedule - Generalized (for most entities)
[Chart: each CIP (CIP-00x) is composed of a set of requirements (R1, R2, R3, R4, ... Rx). For each requirement the timeline, drawn quarterly from Q1 2007 through Q4 2010, marks four milestones: Begin Work, Substantial Completion, Completion and Auditable Compliance (AC).]
Most requirements must achieve AC by the end of 2010; some requirements must achieve AC by the end of 2009. CIP-001 is in place for all utilities; CIP-002 through CIP-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk-based assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 - Define a risk-based methodology for critical asset identification
• R2 - Identify and inventory critical electric system assets
• R3 - Identify and inventory critical cyber assets
• R4 - Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs. In other words, the entity does not have to make the case that an attacker exists; its assessment is about which of its assets and access paths such an attacker could use, and what the consequences would be.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences - public health and safety, customer outages, outage duration, power system stability, power generation impacts).

Very serious consequences
  Public health and safety: numerous deaths and serious injuries
  Customer outages: > 250,000 customers
  Outage duration: months
  Power system stability: major transmission line outages
  Power generation impacts: > 10,000 MW put offline

Major consequences
  Public health and safety: scattered deaths or serious injuries
  Customer outages: > 100,000 customers
  Outage duration: weeks
  Power system stability: limited inter-tie disruption
  Power generation impacts: > 1,000 MW put offline

Minor consequences
  Public health and safety: minor, non-life-threatening injuries
  Customer outages: thousands of customers
  Outage duration: days
  Power system stability: temporary islanding
  Power generation impacts: > 100 MW put offline

Insignificant consequences
  Public health and safety: none of significance
  Customer outages: hundreds of customers
  Outage duration: hours
  Power system stability: no impact
  Power generation impacts: tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to and priority of security as a corporate objective and requirement.
• R1 - Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 - Assign a senior manager to be responsible and accountable
• R3 - Document and justify all exceptions to the policy
• R4 - Establish information protection policies and procedures
• R5 - Implement policies and procedures for information access controls
• R6 - Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
[Slide: a policy framework outline, followed by a list of individual policy documents]
Security Policy
  - Information Security Policies
  - Organizational Security
  - Information Security Infrastructure
  - Security Of Third-Party Access
  - Outsourcing
Asset/Information Classification And Control
  - Accountability For Asset/Information
  - Classification
  - Information access procedures
Personnel
  - Background checks
  - Hiring and termination procedures
  - NDA requirements
  - Job rotation, separation of duties
  - Security In Job Definition And Resourcing
  - User Training
  - Responding To Security Incidents And Malfunctions
Physical And Environmental Security
  - Secure Areas (security perimeter)
  - Equipment Security
  - General Controls
  - Monitoring and auditing
Communications And Operations Management
  - Operational Procedures And Responsibilities
  - System Planning And Acceptance
  - Protection Against Malicious Software
  - Housekeeping
  - Media Handling and Security
  - Exchanges Of Information And Software
Physical/Electronic Access Control
  - Business Requirement For Access Control
  - User Access Management
  - User Responsibilities
  - Network Access Control
  - Operating System Access Control
  - Application Access Control
  - Monitoring System Access And Use
  - Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance
  - Security Requirements Of Systems
  - Security In Application Systems
  - Cryptographic Controls
  - Security Of System Files
  - Security In Development And Support Processes
Operational Continuity Management
  - Incident reporting/response
  - Recovery planning and testing
Compliance
  - Compliance With Legal Requirements (SOX, HIPAA)
  - Compliance with NERC 1200/1300
  - Reviews Of Security Policy And Technical Compliance
  - System Audit Considerations

Policy documents:
High-Level Information Security Policy
Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell Phone Security Policy
  - Management Issues
  - Access Control
  - Backup And Media Storage
  - Communications Links
  - System Management
  - Travel Considerations
  - Physical Security
External Communications Security Policy
Personal Computer Security Policy
  - Document Overview
  - Business Use Only
  - Configuration Control
  - Access Control
  - Viruses
  - Backup
  - Destruction
  - Documentation
  - Networking
  - Physical Security
  - Management
Electronic Mail Policy
IM Policy
Web Browsing Policy
Security Policies (cont.)
Computer Network Security Policy
  - Purpose
  - Scope
  - General Policy
  - Responsibilities
  - System Access Control
  - End-User Passwords
  - Password System Set-Up
  - Logon and Logoff Process
  - System Privileges
  - Establishment Of Access Paths
  - Computer Viruses, Worms And Trojan Horses
  - Data And Program Backup
  - Encryption
  - Portable Computers
  - Remote Printing
  - Privacy
  - Logs And Other Systems Security Tools
  - Handling Network Security Information
  - Patch management and installation
  - Physical Security Of Computer And Communications Gear
  - Exceptions and violations
Internet Security Policy For Users
  - Introduction
  - Information Integrity
  - Information Confidentiality
  - Public Representations
  - Intellectual Property Rights
  - Access Control
  - Personal Use
  - Privacy Expectations
  - Reporting Security Problems
Privacy Policy - Stringent
  - Overview And Applicability
  - Definitions
  - Specific Requirements
  - Information To Be Given To The Individual
  - Individual's Right Of Access To Data
  - Individual's Right To Object
  - Disclosure Of Personal Data To Third Parties
  - Processing Confidentiality And Security
  - Monitoring Of Internal Activities
Privacy Policy - Lenient
  - Company Intentions and Management Responsibilities
  - Disclosure Of Private Information
  - Appropriate Handling of Private Information
  - Private Information on Computer and Communication Systems
  - Activity Monitoring (computer, phone, FAX)
  - Handling Personnel Information
  - Private Information from Job Seekers
  - Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy
  - Access Control
  - Classification Labels
  - Labeling
  - Third-Party Interactions
  - Shipping And Handling
  - Declassification And Downgrading
  - Destruction And Disposal
  - Physical Security
  - Special Considerations For Secret Information
External Party Information Disclosure Policy
  - Determining If Disclosure Is Appropriate
  - Resolving Problems With Disclosure Processes
  - Required Disclosure Records
  - Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy
Download Policy
Security Awareness-Raising Methods
  - In Person
  - In Writing
  - On Systems
  - On Other Things
External Network Interface Security Policy
  - Harmonization
  - Access Control Considerations
  - Encryption And Public Key Infrastructure Considerations
  - Change Control And Contingency Planning Considerations
  - Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights, have cyber security training, and are suitable for the positions of trust assigned to them.
• R1 - Implement a security awareness program to focus all personnel on security issues
• R2 - Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 - Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 - Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 - Identify the electronic security perimeter and all access points
• R2 - Establish electronic access controls with strong authentication
• R3 - Monitor and review all electronic access to critical systems
• R4 - Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 - Classify, protect and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont.)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
 - Telephone [leased/dial/cellular]
 - LAN, WAN, WLAN
 - Private/public networks
 - "SNEAKERnet" (portable devices/media)
 - Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Diagram: the SCADA/EMS system/facility's SCADA LAN connects, through a gateway, web server and e-mail server, to the corporate and departmental LANs and from there via an ISP to the Internet; over leased T1 lines and telco circuits to the backup-site SCADA/EMS system and to the regional balancing authority, transmission operator or reliability coordinator; over an IP WAN to transmission substations; and over telco circuits to RTUs. Points marked "x" are perimeter access points that must be identified: an unprotected modem on a related system, a dial-out backup circuit, dial-in IED access at the substations, a WiFi access point, doubly-connected workstations, portable devices, storage devices and physical media.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDSHIDS) Systems
Strong (multi-factor) authentication
Encryption on portable mediadevices
VPNEncryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 - Establish the physical security plan and a perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 - Establish physical access controls at all access points
• R3 - Monitor access into the security perimeter in a manner that precludes undetected access
• R4 - Log and record all access into the security perimeter
• R5 - Retain a log of all access attempts, whether successful or unauthorized
• R6 - Establish procedures and a program to periodically test all access controls and monitoring methodologies, and keep a log of outages
Physical Security of Critical Cyber Assets (cont.)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont.)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a facility with limited, monitored and controlled access points. Inside it, the SCADA operations area has its own limited, monitored and controlled access points and contains the control room, the computer/server room and the telecom/LAN room, each with separate access rights. Office areas and monitored hallways lie outside the SCADA operations area; all access is controlled and monitored.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls doors cages barriers and locks
Guards at entryexit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 - Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 - Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other (compensating) measures where this is not possible
• R3 - Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 - Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
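CIP-005 R4 (test for open ports and services at the perimeter) and CIP-007 R2 above (disable unnecessary ports and services) both come down to the same check: compare what a host is actually listening on with what its documented baseline says it should be, and treat every difference as a finding to fix or to document as an exception. The following Python is an added example, not code from the presentation; the `ss -tulpn`-style sample output, the baseline table and the host it describes are constructed.

```python
"""Compare a host's listening sockets with its documented port/service baseline.

Added example, not code from the presentation. The sample lines and the
baseline table are constructed. The parser relies only on the whitespace
separated columns of `ss -H -tulpn` output (proto, state, recv-q, send-q,
local address:port, peer, users) and on the quoted process name in the
users column.
"""
import re

# Constructed sample of `ss -H -tulpn` output from a hypothetical SCADA host.
SAMPLE_SS_OUTPUT = """\
tcp LISTEN 0 128   0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 127.0.0.1:5432   0.0.0.0:* users:(("postgres",pid=1201,fd=5))
tcp LISTEN 0 5     0.0.0.0:23     0.0.0.0:* users:(("telnetd",pid=1330,fd=4))
tcp LISTEN 0 128   0.0.0.0:2404   0.0.0.0:* users:(("iec104gw",pid=1402,fd=7))
udp UNCONN 0 0     0.0.0.0:161    0.0.0.0:* users:(("snmpd",pid=955,fd=6))
tcp LISTEN 0 128      [::]:80        [::]:* users:(("httpd",pid=1500,fd=4))
"""

# Documented baseline (assumption): (proto, port) -> (expected process, bind scope).
# Scope "local" means the service must bind to loopback only.
BASELINE = {
    ("tcp", 22):    ("sshd", "any"),
    ("tcp", 5432):  ("postgres", "local"),
    ("tcp", 2404):  ("iec104gw", "any"),
    ("udp", 161):   ("snmpd", "local"),
    ("tcp", 20000): ("dnp3gw", "any"),
}

_PROC_RE = re.compile(r'"([^"]+)"')


def parse_ss(output):
    """Yield (proto, port, bind_addr, process) for each listener line."""
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        addr, port = local.rsplit(":", 1)       # handles "[::]:80" as well
        m = _PROC_RE.search(cols[6]) if len(cols) > 6 else None
        yield proto, int(port), addr, (m.group(1) if m else "?")


def is_loopback(addr):
    return addr in ("::1", "[::1]") or addr.startswith("127.")


def audit_listeners(output, baseline):
    """Return sorted (kind, proto, port, detail) findings.

    unexpected : listener not in the baseline (CIP-007 R2: disable it, or
                 document the compensating measure)
    exposed    : baseline says loopback only, but it is bound to all interfaces
    wrong_proc : documented port, but a different program owns it
    missing    : documented service not listening (service down, or the
                 baseline is out of date)
    """
    findings, seen = [], set()
    for proto, port, addr, proc in parse_ss(output):
        key = (proto, port)
        seen.add(key)
        if key not in baseline:
            findings.append(("unexpected", proto, port, f"{proc} on {addr}"))
            continue
        want_proc, scope = baseline[key]
        if proc != want_proc:
            findings.append(("wrong_proc", proto, port, f"{proc} != {want_proc}"))
        if scope == "local" and not is_loopback(addr):
            findings.append(("exposed", proto, port, f"{proc} bound to {addr}"))
    for key, (want_proc, _) in baseline.items():
        if key not in seen:
            findings.append(("missing", *key, want_proc))
    return sorted(findings)


if __name__ == "__main__":
    for kind, proto, port, detail in audit_listeners(SAMPLE_SS_OUTPUT, BASELINE):
        print(f"{kind:10s} {proto}/{port:<5d} {detail}")
```

On the constructed host this reports telnet and an HTTP server that nobody documented, SNMP reachable from the network although the baseline says loopback only, and a documented DNP3 gateway that is not listening. The last one matters as much as the first: a "missing" finding is either an outage or a stale baseline, and the assessment is only as good as the baseline it is checked against.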
Systems Security Management (cont.)
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
Required Initial Actions (cont.)
• R5 - Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 - Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 - Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 - Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 - Establish a document management, review and revision program that ensures that documentation remains accurate and up to date
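R6 above (and CIP-005 R3's access monitoring) asks for automatic notification of access attempts at the perimeter, which in practice means running a few rules continuously over the access point's authentication log. The following Python is an added example, not code from the presentation; the log format, the trusted address ranges and the thresholds are assumptions a real deployment would take from its ESP documentation and its incident response plan, and the log lines are constructed.

```python
"""Flag suspicious electronic access attempts at an Electronic Security
Perimeter access point from authentication log lines.

Added example, not code from the presentation. The log format is a
constructed, syslog-like one (timestamp host user src result); the address
ranges and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed: networks from which access through this access point is documented.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),      # operations LAN
                ipaddress.ip_network("192.168.77.0/24")]   # backup control center
FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window trigger an alert

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2009-03-02T02:10:03 esp-gw-01 auth: user=oper7 src=10.20.1.15 result=OK
2009-03-02T02:14:07 esp-gw-01 auth: user=admin src=203.0.113.9 result=FAIL
2009-03-02T02:14:09 esp-gw-01 auth: user=admin src=203.0.113.9 result=FAIL
2009-03-02T02:14:12 esp-gw-01 auth: user=root src=203.0.113.9 result=FAIL
2009-03-02T02:14:15 esp-gw-01 auth: user=scada src=203.0.113.9 result=FAIL
2009-03-02T02:14:20 esp-gw-01 auth: user=oper1 src=203.0.113.9 result=FAIL
2009-03-02T02:31:44 esp-gw-01 auth: user=oper3 src=192.168.77.40 result=FAIL
2009-03-02T02:31:58 esp-gw-01 auth: user=oper3 src=192.168.77.40 result=OK
2009-03-02T03:02:01 esp-gw-01 auth: user=vendor src=198.51.100.23 result=OK
"""


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["src"] = ipaddress.ip_address(d["src"])
            yield d


def trusted(addr):
    return any(addr in net for net in TRUSTED_NETS)


def detect(log):
    """Return a list of (rule, src, detail) alerts.

    untrusted_success : a login succeeded from outside the documented ranges
    brute_force       : FAIL_THRESHOLD failures from one source within FAIL_WINDOW
    fail_then_success : a source failed and then logged in (possibly a guessed
                        credential; worth an operator call-back even from a
                        trusted range)
    """
    alerts = []
    fails = defaultdict(list)   # src -> timestamps of failures
    flagged_bf = set()          # sources already reported, to avoid repeats
    for ev in parse(log):
        src = ev["src"]
        if ev["result"] == "FAIL":
            fails[src].append(ev["ts"])
            recent = [t for t in fails[src] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD and src not in flagged_bf:
                flagged_bf.add(src)
                alerts.append(("brute_force", str(src),
                               f"{len(recent)} failures in {FAIL_WINDOW}"))
        else:
            if not trusted(src):
                alerts.append(("untrusted_success", str(src), f"user={ev['user']}"))
            if fails[src]:
                alerts.append(("fail_then_success", str(src), f"user={ev['user']}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:18s} {src:16s} {detail}")
```

The "untrusted_success" rule is the one that maps most directly to the perimeter idea: a successful login from an address that is not on the documented list means either the access point documentation is wrong or an access path exists that nobody identified under CIP-005 R1, and both need a ticket.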
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 - Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 - Document incidents and capture/retain the applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 - Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 - Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 - Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 - Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 - Periodically test the backup media to verify that it is still usable and suitable for restoration
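R4 and R5 above ask for backup images that are kept secure and periodically verified. A media test that only checks that the tape or disk mounts does not tell you the image is intact; recording a cryptographic digest of every file when the image is made, and comparing against it at each test, does. The following Python is an added example, not code from the presentation; it records a SHA-256 manifest for an image set and later checks a copy against it. The directory contents are constructed in a temporary directory to show a modified, a missing and an undocumented file.

```python
"""Build and verify a SHA-256 manifest for a critical-system backup image set.

Added example, not code from the presentation. It works on any directory
tree; the files created under a temporary directory are constructed to show
the three failure modes a media check should catch: a modified file, a
missing file and an undocumented extra file.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare a backup copy against the manifest recorded when it was made.

    Returns {"ok": [...], "modified": [...], "missing": [...], "extra": [...]}.
    A non-empty modified or missing list means the media cannot be relied
    on for restoration (CIP-009 R5); extras are worth a look because an
    image set should contain exactly what the recovery procedure expects.
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    return result


def media_usable(report):
    return not report["modified"] and not report["missing"]


def demo():
    """Constructed scenario: take a backup, then damage the copy on 'media'."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "ems-image"
        (img / "config").mkdir(parents=True)
        (img / "config" / "scada.ini").write_bytes(b"[points]\nrtu7=enabled\n")
        (img / "db.dump").write_bytes(b"\x00" * 4096)
        (img / "restore-notes.txt").write_bytes(b"order: db, config, app\n")
        manifest = build_manifest(img)          # recorded at backup time (R4)

        # Simulated media degradation / tampering found at a later check (R5).
        (img / "db.dump").write_bytes(b"\x00" * 4095 + b"\x01")
        (img / "restore-notes.txt").unlink()
        (img / "stray.tmp").write_bytes(b"junk")
        return verify_manifest(img, manifest)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind:9s} {files}")
    print("media usable:", media_usable(report))
```

Keep the manifest with the recovery cache rather than only on the media it describes, and sign or otherwise protect it: a manifest that travels with the image can be rewritten by whoever alters the image.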
Required On-Going Actions
Establish a program to regularly review, adjust and update the policies, and to practice the procedures, to ensure that recovery can actually be achieved.
Cyber Securing SCADA Systems - NERC Self Assessment Process
[Flowchart]
Information gathering phase:
 - Identify and document Critical Cyber Assets (physical audit)
 - Identify and document Critical Cyber Information (physical audit)
 - Identify and document the Physical Security Perimeter (physical inspection)
 - Identify and document communication and network connections (physical inspection)
 - Identify and document all personnel who have access rights (background checks)
 - Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase:
 - Review findings versus NERC requirements (non-compliance levels)
 - Develop an action plan for addressing all shortcomings
Key methodology/standard: NERC 1200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA Systems
NERC Compliance Process

Plan implementation phase:
- Develop and document necessary policies and procedures
- Select methods for creating the electronic security perimeter
- Implement and test the electronic perimeter
- Select methods for creating the physical security perimeter
- Implement and test the physical security perimeter
- Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.

Testing and validation phase:
- Test and validate systems management and recovery procedures
- Test and validate system/component test and commissioning procedures
Supporting activities: disaster simulation and audits.
Key methodology/standard: structured audit

FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance. The CIP standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that it requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the results of asset identification will vary significantly from one Responsible Entity to another.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; others may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule - Table 1 (Control Centers)
Compliance schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: quarters Q2 2007 through Q4 2010 across the top; one row per standard with its requirements: CIP-002 (R1-R4), CIP-003 (R1-R6), CIP-004 (R1-R4), CIP-005 (R1-R5), CIP-006 (R1-R6), CIP-007 (R1-R9), CIP-008 (R1-R2), CIP-009 (R1-R5); milestone markers for Begin Work (BW), Substantial Completion (SC), Completion (C) and Auditable Compliance (AC). The marker positions did not survive extraction.]
Compliance Schedule - Table 1 (Other Facilities)
Compliance schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: same layout as the Control Centers chart above (quarters Q2 2007 through Q4 2010; rows CIP-002 through CIP-009 with their requirements; BW, SC, C and AC milestone markers). The marker positions did not survive extraction.]
Compliance Schedule - Table 2 (All Facilities)
Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: quarters Q2 2007 through Q4 2010; rows CIP-002 through CIP-009 with their requirements; BW, SC, C and AC milestone markers. The marker positions did not survive extraction.]
Compliance Schedule - Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: quarters Q1 2007 through Q4 2010; rows CIP-002 through CIP-009 with their requirements; BW, SC, C and AC milestone markers. The marker positions did not survive extraction.]
Compliance Schedule - Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter.
[Chart: the horizontal axis is registration date plus Q1 through Q11; rows CIP-002 through CIP-009 with their requirements; BW, SC, C and AC milestone markers. The marker positions did not survive extraction.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President - Cyber SECurity Consulting
Questions?
Important Terms (cont)
Cyber Assets: Those programmable electronic devices and communications networks, including hardware, software and data, that are used in the operation of the power system.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Critical Assets: Facilities, systems and equipment which, if destroyed, damaged, degraded or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
[Diagram: nested sets showing Assets containing Cyber Assets and Critical Assets, with Critical Cyber Assets at their intersection.]
Electrical Grid 101
[Diagram: generating plants (G) feed transmission substations and transmission lines, with a system interconnect to the neighbouring grid; the transmission grid steps down through sub-transmission to distribution substations and the distribution grid, which serves the loads; distributed generation (DG) connects at the distribution level.]
Electrical Grid 101 - Continental Network
[Map: the Western, Eastern and Texas Interconnects, with the California ISO, New York ISO and New England ISO marked.]
Regional Reliability Councils - NERC:
- ECAR: East Central Area Reliability Coordination Agreement
- ERCOT: Electric Reliability Council of Texas
- FRCC: Florida Reliability Coordinating Council
- MAAC: Mid-Atlantic Area Council
- MAIN: Mid-America Interconnected Network
- MAPP: Mid-Continent Area Power Pool
- NPCC: Northeast Power Coordinating Council
- SERC: Southeastern Electric Reliability Council
- SPP: Southwest Power Pool
- WSCC: Western Systems Coordinating Council
Critical Cyber Assets
[Diagram: the Regional Authority (RTO, ISO, EMS) at the top exchanges data with the entity's SCADA/EMS and with adjacent entities' EMS systems; below the SCADA/EMS sit the substation controls and the power plant DCSs.]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring and control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations and operator consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule - Generalized
Compliance schedule for most entities.
[Chart: quarters Q1 2007 through Q4 2010 with "Today" marked; a row for each CIP-00x listing its requirements R1..Rx, with milestone markers for Begin Work, Substantial Completion, Completion and Auditable Compliance (AC).]
Each CIP is composed of a set of requirements. Most requirements must achieve AC by the end of 2010; some requirements must achieve AC by the end of 2009. CIP-001 is in place for all utilities; CIP-002 through CIP-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact the responsible authorities (such as the FBI), and to provide written reports using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk-based assessment methodology, identify the associated Critical Cyber Assets that are essential to the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 - Define a risk-based methodology for critical asset identification.
• R2 - Identify and inventory critical electric system assets.
• R3 - Identify and inventory critical cyber assets.
• R4 - Perform annual (and as-needed) reviews and senior-manager approval of these inventories.
Required On-Going Actions
Establish a policy and procedures that ensure these inventories are reviewed and updated at least annually and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that credible threat agents exist and that the risk of a physical and/or cyber (electronic) attack is probable enough to justify the countermeasures mandated in the CIPs. In other words, the entity does not have to justify that an attack could happen; it only has to rate the consequences of one and protect accordingly.
Risk-Based Assessments
Example of a possible consequence rating chart (severity of consequences by category of consequence of an attack):

Severity      | Public health and safety             | Customer outages       | Outage duration | Power system stability          | Power generation impacts
Very serious  | Numerous deaths and serious injuries | >250,000 customers     | Months          | Major transmission line outages | >10,000 MW put offline
Major         | Scattered deaths or serious injuries | >100,000 customers     | Weeks           | Limited inter-tie disruption    | >1,000 MW put offline
Minor         | Minor, non-life-threatening injuries | Thousands of customers | Days            | Temporary islanding             | >100 MW put offline
Insignificant | None of significance                 | Hundreds of customers  | Hours           | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that ensures on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 - Develop, document and implement a cyber security policy covering, at a minimum, the eight CIP standards.
• R2 - Assign a senior manager to be responsible and accountable.
• R3 - Document and justify all exceptions to the policy.
• R4 - Establish information protection policies and procedures.
• R5 - Implement policies and procedures for information access controls.
• R6 - Implement a change-management procedure for all critical cyber assets.
Required On-Going Actions
Establish a policy and procedures that ensure employees are aware of and adhering to the stated policies and procedures, and that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Asset/Information; Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation, separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX, HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers and Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel and Training
Required Initial Actions
Create a program, with policies, procedures and routine audit and verification, that ensures personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 - Implement a security awareness program to focus all personnel on security issues.
• R2 - Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights.
• R3 - Perform background, criminal and financial checks on all personnel with physical and electronic access rights.
• R4 - Identify and document the personnel needing access rights, and tie access rights to job requirements.
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel who are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets, and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 - Identify the electronic security perimeter and all access points.
• R2 - Establish electronic access controls with strong authentication.
• R3 - Monitor and review all electronic access to critical systems.
• R4 - Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management.
• R5 - Classify and protect the information and documentation resulting from this process, and establish policies and procedures for handling it.
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, ensure that vulnerability assessments are performed and evaluated on a periodic basis, and ensure that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone (leased, dial, cellular)
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices and media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
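The interface hunt described above can be made systematic from a device inventory. The following is an added example, not code from the original presentation: every device that attaches to both a network inside the perimeter and one outside it is, by definition, an access point, and the inventory also shows how a dual-homed Critical Cyber Asset silently pulls a second network inside the perimeter. The inventory format, the device, network and link names, and the CONTROLLED_TYPES policy are all assumptions constructed for this example.

```python
"""Added example (not from the slides): deriving the Electronic Security
Perimeter (ESP) and its access points from a device inventory. The inventory
format and all device, network and link names are constructed for this
example; 'scada_lan' stands for the network the Critical Cyber Assets sit on."""

# Device types whose ESP crossing is expected and controlled (assumed policy).
CONTROLLED_TYPES = {"firewall", "router", "vpn_gateway"}

# Constructed inventory: each device lists every network or circuit it attaches to.
INVENTORY = [
    {"name": "ems-server-1",   "type": "server",      "critical": True,  "links": ["scada_lan"]},
    {"name": "historian",      "type": "server",      "critical": True,  "links": ["scada_lan", "corp_lan"]},
    {"name": "ops-console-2",  "type": "workstation", "critical": False, "links": ["scada_lan"]},
    {"name": "eng-ws-7",       "type": "workstation", "critical": False, "links": ["scada_lan", "dept_lan"]},
    {"name": "fep-modem",      "type": "modem",       "critical": False, "links": ["scada_lan", "pstn"]},
    {"name": "scada-fw",       "type": "firewall",    "critical": False, "links": ["scada_lan", "corp_lan"]},
    {"name": "substation-rtr", "type": "router",      "critical": False, "links": ["scada_lan", "leased_t1"]},
    {"name": "web-server",     "type": "server",      "critical": False, "links": ["corp_lan", "dmz"]},
]


def networks_touched_by_critical_assets(inventory):
    """Per the ESP definition, the perimeter surrounds every network a CCA connects to.
    A dual-homed CCA therefore drags its second network inside the perimeter."""
    nets = set()
    for dev in inventory:
        if dev["critical"]:
            nets.update(dev["links"])
    return nets


def find_access_points(inventory, esp_networks):
    """Any device attached to both an ESP network and a non-ESP network is an
    access point. Return them with whether the crossing is a controlled type."""
    points = []
    for dev in inventory:
        links = set(dev["links"])
        inside, outside = links & esp_networks, links - esp_networks
        if inside and outside:
            points.append({
                "device": dev["name"],
                "type": dev["type"],
                "crosses_to": sorted(outside),
                "controlled": dev["type"] in CONTROLLED_TYPES,
            })
    return points


def uncontrolled_access_points(inventory, esp_networks):
    """Names of crossings that must be removed or moved behind a controlled access point."""
    return sorted(p["device"] for p in find_access_points(inventory, esp_networks)
                  if not p["controlled"])


if __name__ == "__main__":
    intended_esp = {"scada_lan"}
    print("networks CCAs actually touch:", sorted(networks_touched_by_critical_assets(INVENTORY)))
    for p in find_access_points(INVENTORY, intended_esp):
        status = "controlled" if p["controlled"] else "UNCONTROLLED"
        print(f"{p['device']:15} {p['type']:12} -> {','.join(p['crosses_to']):10} {status}")
```

Run against the constructed inventory, the intended perimeter of just the SCADA LAN has five crossings: the firewall and the substation router are expected, while the dual-homed historian, the engineering workstation on the department LAN and the modem on the PSTN are exactly the "doubly-connected workstation" and "unprotected modem" cases of the diagram that follows, and the historian's corporate link also means the CCAs really touch two networks, not one.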
The Electronic Perimeter
Establishing the "Electronic Perimeter"
[Diagram: the SCADA/EMS system facility with its SCADA LAN; the corporate and department LANs; a gateway, web server and e-mail server reaching the Internet through an ISP; TelCo WAN links; a leased T1 line carrying IP to the transmission substations; dial-in IED access; an unprotected modem; a dial-out backup circuit; RTU links; a WiFi access point; doubly-connected workstations; portable devices, storage devices and physical media; the backup-site SCADA/EMS system; and a link to the regional balancing authority, transmission operator or reliability coordinator. Each "x" in the original marks a point at which the electronic perimeter is crossed.]
Defending the "Electronic Perimeter"
- Intrusion detection systems (NIDS/HIDS)
- Strong (multi-factor) authentication
- Encryption on portable media and devices
- VPN/encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program that ensures physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 - Establish the physical security plan and a perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter.
• R2 - Establish physical access controls at all access points.
• R3 - Monitor access into the security perimeter in a manner that precludes undetected access.
• R4 - Log and record all access into the security perimeter.
• R5 - Retain a log of all access attempts, whether successful or unauthorized.
• R6 - Establish procedures and a program to periodically test all access controls and monitoring methods, and keep a log of outages.
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of the access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram labels: Facility – limited, monitored/controlled access points; SCADA Operations – limited, monitored/controlled access points, controlled/monitored access, separate access rights; Control Room; Computer/server Room; Telecom/LAN Room; Office Areas; Monitored hallways.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont.)
Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to insure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that insures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and insure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and insure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to insure recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
[Flow diagram; key methodology/standard: NERC 1200]
Information gathering phase:
- Identify and document Critical Cyber Assets
- Identify and document Critical Cyber Information
- Identify and document Physical Security Perimeter
- Identify and document communication and network connections
- Identify and document all personnel who have access rights
- Identify and review all existing cyber security policies and procedures
Supporting activities shown: Physical Audit, Physical Inspection, Background checks, NERC checklist
Action plan formulation phase:
- Review findings versus NERC requirements
- Develop action plan for addressing all short-comings
- Non-compliance levels
Cyber Securing SCADA Systems
NERC Compliance Process
[Flow diagram; key methodology/standard: Structured audit]
Plan implementation phase:
- Develop and document necessary policies and procedures
- Select methods for creating electronic security perimeter
- Implement and test the electronic perimeter
- Select methods for creating the physical security perimeter
- Implement and test the physical security perimeter
- Provide security training to all employees as needed
Associated activities shown (in the order they appear): Iterative reviews, Technology survey, PEN testing, Technology survey, Social engineering testing, Awareness campaign
Testing and validation phase:
- Test and validate Systems Management and recovery procedures
- Test and validate system/component test/commissioning procedures
Associated activities shown: Disaster Simulation & audits
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
[Chart: quarters 2007 Q2 through 2010 Q4, one row per requirement; the milestone markers (BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance) are not recoverable from the extracted text. Rows:]
CIP 002: R1 – R4
CIP 003: R1 – R6
CIP 004: R1 – R4
CIP 005: R1 – R5
CIP 006: R1 – R6
CIP 007: R1 – R9
CIP 008: R1 – R2
CIP 009: R1 – R5
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
[Chart: quarters 2007 Q2 through 2010 Q4, one row per requirement; the milestone markers (BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance) are not recoverable from the extracted text. Rows:]
CIP 002: R1 – R4
CIP 003: R1 – R6
CIP 004: R1 – R4
CIP 005: R1 – R5
CIP 006: R1 – R6
CIP 007: R1 – R9
CIP 008: R1 – R2
CIP 009: R1 – R5
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard
[Chart: quarters 2007 Q2 through 2010 Q4, one row per requirement; the milestone markers (BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance) are not recoverable from the extracted text. Rows:]
CIP 002: R1 – R4
CIP 003: R1 – R6
CIP 004: R1 – R4
CIP 005: R1 – R5
CIP 006: R1 – R6
CIP 007: R1 – R9
CIP 008: R1 – R2
CIP 009: R1 – R5
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006
[Chart: quarters 2007 Q1 through 2010 Q4, one row per requirement; the milestone markers (BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance) are not recoverable from the extracted text. Rows:]
CIP 002: R1 – R4
CIP 003: R1 – R6
CIP 004: R1 – R4
CIP 005: R1 – R5
CIP 006: R1 – R6
CIP 007: R1 – R9
CIP 008: R1 – R2
CIP 009: R1 – R5
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
[Chart: quarters Q1 through Q11 after registration ("Registration Plus"), one row per requirement; the milestone markers (BW = Begin Work, SC = Substantial Completion, C = Completion, AC = Auditable Compliance) are not recoverable from the extracted text. Rows:]
CIP 002: R1 – R4
CIP 003: R1 – R6
CIP 004: R1 – R4
CIP 005: R1 – R5
CIP 006: R1 – R6
CIP 007: R1 – R9
CIP 008: R1 – R2
CIP 009: R1 – R5
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP – President, Cyber SECurity Consulting
Questions
Electrical Grid 101
[Diagram labels: Generating Plants (G); Transmission substation; Transmission lines; System interconnect; Transmission Grid; Sub-Transmission; Distribution substations; Distribution Grid; Loads (Load); Distributed generation (DG).]
Electrical Grid 101 – Continental Network
[Map labels: Western Interconnect; Eastern Interconnect; Texas Interconnect; California ISO; New England ISO; New York ISO.]
Regional Reliability Councils – NERC:
ECAR — East Central Area Reliability Coordination Agreement
ERCOT — Electric Reliability Council of Texas
FRCC — Florida Reliability Coordinating Council
MAAC — Mid-Atlantic Area Council
MAIN — Mid-America Interconnected Network
MAPP — Mid-Continent Area Power Pool
NPCC — Northeast Power Coordinating Council
SERC — Southeastern Electric Reliability Council
SPP — Southwest Power Pool
WSCC — Western Systems Coordinating Council
Critical Cyber Assets
[Diagram labels: Regional Authority (RTO, ISO, EMS); SCADA/EMS; Adjacent Entity EMS; Substation Controls; Power Plant DCS.]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer-devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer-devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule – Generalized
Compliance Schedule for Most Entities
[Chart: for a generic CIP 00x with requirements R1, R2, R3, R4 … Rx, milestones across 2007 Q1 through 2010 Q4 for Begin Work, Substantial Completion, Completion and Auditable Compliance, with a "Today" marker.]
Each CIP is composed of a set of requirements.
Most requirements must achieve AC by end of 2010.
Some requirements must achieve AC by end of 2009.
CIP 001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that insure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R2 – Identify and inventory critical electric system assets
• R3 – Identify and inventory critical cyber assets
• R4 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that insure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)

Severity       | Public Health and Safety             | Customer outages       | Outage duration             | Power system stability          | Power generation impacts
---------------|--------------------------------------|------------------------|-----------------------------|---------------------------------|-----------------------------
Very serious   | Numerous deaths and serious injuries | >250,000 customers     | Duration in terms of months | Major transmission line outages | >10,000 MW put offline
Major          | Scattered deaths or serious injuries | >100,000 customers     | Duration in terms of weeks  | Limited inter-tie disruption    | >1,000 MW put offline
Minor          | Minor, non-life-threatening injuries | Thousands of customers | Duration in terms of days   | Temporary islanding             | >100 MW put offline
Insignificant  | None of significance                 | Hundreds of customers  | Duration in terms of hours  | No impact                       | Tolerable generation outage
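The chart applied as a scoring step of a CIP-002 risk-based methodology, as an added example that is not part of the original presentation: the thresholds follow the chart's rows, while the "worst category governs" rule, the day/week/month cut-offs and the three asset scenarios are assumptions.

```python
"""Rate attack consequences with the presentation's example rating chart.

Added example for the risk-based assessment slide; it is not code from the
original presentation. Thresholds follow the chart's rows; the rule that the
worst-rated category governs, the duration cut-offs and the asset scenarios
are assumptions.
"""
SEVERITY = ("Insignificant", "Minor", "Major", "Very serious")

# Public health and safety, and power system stability, are descriptive
# columns in the chart, so they are rated by the chart's own wording.
SAFETY = {
    "numerous deaths and serious injuries": 3,
    "scattered deaths or serious injuries": 2,
    "minor non-life-threatening injuries": 1,
    "none of significance": 0,
}
STABILITY = {
    "major transmission line outages": 3,
    "limited inter-tie disruption": 2,
    "temporary islanding": 1,
    "no impact": 0,
}


def rate_customers(customers_out):
    if customers_out > 250_000:
        return 3
    if customers_out > 100_000:
        return 2
    if customers_out >= 1_000:   # "thousands of customers"
        return 1
    return 0                     # "hundreds of customers"


def rate_duration(hours):
    # Chart boundaries are "hours / days / weeks / months"; the cut-offs used
    # here (1 day, 1 week, 30 days) are an assumption.
    if hours >= 24 * 30:
        return 3
    if hours >= 24 * 7:
        return 2
    if hours >= 24:
        return 1
    return 0


def rate_generation(mw_offline):
    if mw_offline > 10_000:
        return 3
    if mw_offline > 1_000:
        return 2
    if mw_offline > 100:
        return 1
    return 0                     # "tolerable generation outage"


def rate_scenario(scenario):
    """Rate one attack scenario per category and overall (worst category governs)."""
    ratings = {
        "safety": SAFETY[scenario["safety"]],
        "customers": rate_customers(scenario["customers_out"]),
        "duration": rate_duration(scenario["outage_hours"]),
        "stability": STABILITY[scenario["stability"]],
        "generation": rate_generation(scenario["mw_offline"]),
    }
    return SEVERITY[max(ratings.values())], ratings


def critical_candidates(scenarios, minimum="Major"):
    """Names of assets whose worst-case scenario rates at or above `minimum`;
    the threshold itself is something the entity sets and documents under R1."""
    floor = SEVERITY.index(minimum)
    return [name for name, s in scenarios.items()
            if SEVERITY.index(rate_scenario(s)[0]) >= floor]


# Constructed worst-case loss scenarios for three candidate assets.
SCENARIOS = {
    "primary EMS/SCADA control center": dict(
        safety="scattered deaths or serious injuries", customers_out=150_000,
        outage_hours=24 * 10, stability="limited inter-tie disruption", mw_offline=1_500),
    "distribution substation RTU": dict(
        safety="none of significance", customers_out=4_000,
        outage_hours=12, stability="no impact", mw_offline=0),
    "generation control center": dict(
        safety="numerous deaths and serious injuries", customers_out=300_000,
        outage_hours=24 * 45, stability="major transmission line outages", mw_offline=12_000),
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        print(f"{name}: {rate_scenario(scenario)[0]}")
    print("critical candidates:", critical_candidates(SCENARIOS))
```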
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will insure the on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that insure that employees are aware of and adhering to the stated policies and procedures, and insure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies
Organizational Security: Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Asset/Information; Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy
Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy
IM Policy
Web Browsing Policy
Security Policies (Cont.)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy – Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy – Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication System; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy
Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program with policies and procedures, and routine audit and verification, to insure personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic SecurityCIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 – Classify and protect, and establish policies and procedures for, the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, ensure that vulnerability assessments are performed and evaluated on a periodic basis, and ensure that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Diagram: a SCADA/EMS system/facility with its SCADA LAN, RTUs, and a backup-site SCADA/EMS system reached over a leased T1 line; IP links to transmission substations; a corporate/department LAN with gateway, web server and e-mail reaching the Internet through an ISP; WAN and telco links to a related system and to the regional balancing authority, transmission operator or reliability coordinator. The perimeter crossings marked as access points are: an unprotected modem, dial-out backup, dial-in IED access, a WiFi access point, doubly-connected (dual-homed) workstations, portable devices, storage devices and physical media.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDSHIDS) Systems
Strong (multi-factor) authentication
Encryption on portable mediadevices
VPNEncryption on communication circuits
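The perimeter diagram and the four defenses above are easier to apply once the perimeter is computed rather than drawn. The following Python is an added example, not part of the original presentation: it derives the Electronic Security Perimeter from an asset/link inventory by flood-filling from the Critical Cyber Assets over links that no access-control device mediates, lists every link that crosses the resulting boundary as an access point, and reports which of the slide's defenses each access point lacks. The inventory, asset names, the EXTERNAL set and the Link fields are assumptions made for illustration; the sample is modelled on the diagram above (unprotected RTU modem, dual-homed engineering PC, firewalled corporate LAN, encrypted link to the backup site).

```python
"""Electronic Security Perimeter (ESP) derivation from an asset/link inventory.

Model (an assumption for illustration): assets are nodes, links are edges.
A link is 'controlled' when a documented access-control device (firewall,
gateway, authenticating modem) mediates it. Starting from the Critical Cyber
Assets, every asset reachable over uncontrolled links is inside the ESP; every
link with exactly one end inside is an access point. Nodes listed in EXTERNAL
are outside networks that can never be inside the perimeter.
"""
from collections import deque
from dataclasses import dataclass

# Networks that are always outside the perimeter (assumed names).
EXTERNAL = {"internet", "pstn"}

# Link kinds for which the slide calls for VPN/encryption or encrypted media.
NEEDS_ENCRYPTION = {"wan", "dial", "wifi", "media"}


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    kind: str                 # "lan", "serial", "wan", "dial", "wifi", "media"
    controlled: bool = False  # mediated by a documented access-control device
    auth: str = "none"        # "none", "password" or "mfa"
    monitored: bool = False   # access logged and watched (NIDS/HIDS, syslog)
    encrypted: bool = False   # VPN / encrypted circuit or media


def find_esp(ccas, links, external=EXTERNAL):
    """Flood-fill from the CCAs over uncontrolled links; return the assets inside the ESP."""
    adj = {}
    for link in links:
        if link.controlled:
            continue
        adj.setdefault(link.a, set()).add(link.b)
        adj.setdefault(link.b, set()).add(link.a)
    inside = set(ccas)
    queue = deque(ccas)
    while queue:
        node = queue.popleft()
        for peer in adj.get(node, ()):
            if peer not in inside and peer not in external:
                inside.add(peer)
                queue.append(peer)
    return inside


def access_points(inside, links):
    """Every link with exactly one end inside the perimeter."""
    return [link for link in links if (link.a in inside) != (link.b in inside)]


def findings(inside, links):
    """For each access point, list the defenses from the slide that it lacks."""
    result = []
    for link in access_points(inside, links):
        gaps = []
        if not link.controlled:
            gaps.append("no access-control device at the boundary")
        if link.auth != "mfa":
            gaps.append("strong (multi-factor) authentication")
        if not link.monitored:
            gaps.append("access monitoring / intrusion detection")
        if link.kind in NEEDS_ENCRYPTION and not link.encrypted:
            gaps.append("VPN/encryption on the circuit or media")
        result.append((link, gaps))
    return result


# Constructed sample inventory modelled on the slide's perimeter diagram.
CCAS = ["scada_server", "ems_server", "operator_console"]
INVENTORY = [
    Link("scada_server", "scada_lan", "lan"),
    Link("ems_server", "scada_lan", "lan"),
    Link("operator_console", "scada_lan", "lan"),
    Link("scada_lan", "fep", "lan"),
    Link("fep", "rtu_sub7", "serial"),                    # telemetry circuit to an RTU
    Link("rtu_sub7", "pstn", "dial", auth="password"),    # unprotected maintenance modem
    Link("scada_lan", "corporate_lan", "lan", controlled=True, auth="mfa", monitored=True),
    Link("corporate_lan", "internet", "wan", controlled=True, monitored=True),
    Link("eng_ws", "scada_lan", "lan"),                   # dual-homed engineering PC ...
    Link("eng_ws", "corporate_lan", "lan"),               # ... bypasses the firewall
    Link("scada_lan", "backup_site", "wan", controlled=True, auth="mfa",
         monitored=True, encrypted=True),
]

if __name__ == "__main__":
    inside = find_esp(CCAS, INVENTORY)
    print("inside ESP:", sorted(inside))
    for link, gaps in findings(inside, INVENTORY):
        print(f"{link.a} <-> {link.b} ({link.kind}): {'OK' if not gaps else '; '.join(gaps)}")
```

Run as-is, the dual-homed engineering PC drags the whole corporate LAN inside the perimeter, so the corporate firewall is no longer a boundary and the Internet gateway becomes an ESP access point with no multi-factor authentication and no encryption; the RTU modem shows up with every defense missing. Removing (or putting a control on) the PC's corporate link shrinks the perimeter back to the SCADA LAN, which is exactly the "identify ALL interfaces" point of the slide.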
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and the perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, whether successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a facility with limited, monitored and controlled access points; inside it a SCADA Operations area with its own limited, monitored and controlled access points and monitored hallways; separate access rights for the Control Room, the Computer/server Room, the Telecom/LAN Room and the Office Areas.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls doors cages barriers and locks
Guards at entryexit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies for the use of, additions to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement compensating measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
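CIP-007 R2 (disable unnecessary ports and services) and CIP-005 R4 (vulnerability assessment that tests for open ports and services) both come down to the same evidence: a documented baseline of what may listen on each critical system, and a repeatable comparison of the live system against it. The Python below is an added example and not code from the presentation; it parses the output of `ss -tulpn` (the sample output is constructed, not captured from a real system) and reports every listener missing from the baseline, every approved service bound to an address the baseline does not allow (typically 0.0.0.0 or ::, meaning every interface), and every baseline service that is not running. The baseline entries, process names and the 10.10.1.5 address are assumptions for illustration.

```python
"""Ports-and-services baseline check (CIP-007 R2 / CIP-005 R4 style).

Parses `ss -tulpn` output and compares each listening socket with a documented
baseline of which process may own which port and which addresses it may bind
to. Anything not in the baseline is an unapproved service; an approved service
bound to an undocumented address is configuration drift; a baseline entry with
no listener is a service that should be running but is not.
"""
import re
from dataclasses import dataclass

PROC_RE = re.compile(r'\(\("([^"]+)"')   # users:(("sshd",pid=812,fd=3)) -> sshd


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Parse `ss -tulpn` lines into Listener records; the header line is skipped."""
    listeners = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]      # Netid State Recv-Q Send-Q Local:Port ...
        addr, port = local.rsplit(":", 1)        # IPv6 such as [::]:5900 needs rsplit
        match = PROC_RE.search(line)             # absent when ss runs without -p rights
        listeners.append(Listener(proto, addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def audit(ss_output, baseline):
    """Return one finding dict per deviation from the baseline."""
    findings = []
    seen = set()
    for l in parse_ss(ss_output):
        key = (l.proto, l.port)
        seen.add(key)
        rule = baseline.get(key)
        if rule is None:
            issue = "unapproved"
        elif l.process != rule["process"]:
            issue = "wrong-process"
        elif l.addr not in rule["bind"]:
            issue = "wrong-bind"
        else:
            continue                             # approved service, approved address
        findings.append({"proto": l.proto, "port": l.port, "addr": l.addr,
                         "process": l.process, "issue": issue})
    for (proto, port), rule in baseline.items():
        if (proto, port) not in seen:
            findings.append({"proto": proto, "port": port, "addr": None,
                             "process": rule["process"], "issue": "missing"})
    return findings


# Assumed baseline for an EMS front-end host; 10.10.1.5 is its ESP-side interface.
BASELINE = {
    ("tcp", 22):    {"process": "sshd",     "bind": {"10.10.1.5"}},  # management SSH
    ("tcp", 20000): {"process": "dnp3srv",  "bind": {"10.10.1.5"}},  # DNP3 to RTUs
    ("tcp", 502):   {"process": "modbusd",  "bind": {"10.10.1.5"}},  # Modbus/TCP to IEDs
    ("tcp", 5432):  {"process": "postgres", "bind": {"127.0.0.1"}},  # local historian DB
    ("udp", 161):   {"process": "snmpd",    "bind": {"10.10.1.5"}},  # SNMP for the NMS
}

# Constructed sample output of `ss -tulpn`, not captured from a real system.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      10.10.1.5:20000     0.0.0.0:*         users:(("dnp3srv",pid=1203,fd=5))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=640,fd=4))
tcp   LISTEN 0      128    [::]:5900           [::]:*            users:(("x11vnc",pid=2210,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=901,fd=5))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=701,fd=8))
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS, BASELINE):
        print(f"{f['issue']:13} {f['proto']}/{f['port']:<5} {f['process']} on {f['addr']}")
```

On the sample, telnet and VNC are unapproved listeners to disable (or to document under R2's "other measures where this is not possible"), SSH and SNMP are approved services bound to every interface instead of the ESP-side address, and the documented Modbus service is not running at all. Keeping the baseline under change control (CIP-003 R6) and re-running the comparison after every patch or upgrade (CIP-007 R1/R3) turns this into the periodic assessment CIP-007 R8 asks for.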
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also to practice the procedures, to ensure that recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
[Flow diagram; key methodology/standard: NERC 1200]
Information gathering phase:
- Identify and document Critical Cyber Assets
- Identify and document Critical Cyber Information
- Identify and document the Physical Security Perimeter
- Identify and document communication and network connections
- Identify and document all personnel who have access rights
- Identify and review all existing cyber security policies and procedures
Methods shown for this phase: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
- Review findings versus NERC requirements (non-compliance levels)
- Develop an action plan for addressing all short-comings
Cyber Securing SCADA Systems
NERC Compliance Process
[Flow diagram]
Plan implementation phase:
- Develop and document the necessary policies and procedures
- Select methods for creating the electronic security perimeter; implement and test the electronic perimeter (technology survey, PEN testing)
- Select methods for creating the physical security perimeter; implement and test the physical security perimeter (technology survey, social engineering testing)
- Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
- Test and validate systems management and recovery procedures (disaster simulation & audits)
- Test and validate system/component test/commissioning procedures (structured audit)
- Iterative reviews
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing section 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs (cont)
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that the standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the results of asset identification will vary significantly from one Responsible Entity to the next.
FERC Concerns with CIPs (cont)
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs (cont)
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
[Figure: quarterly timeline, 2007 Q2 through 2010 Q4, for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. For each standard (CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5) the chart marks the Begin Work (BW), Substantial Completion (SC), Completion (C) and Auditable Compliance (AC) milestone quarters; the milestone positions are not recoverable from the text.]
Compliance Schedule – Table 1 (Other Facilities)
[Figure: quarterly timeline, 2007 Q2 through 2010 Q4, for the other facilities of Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Same standards and requirements (CIP-002 R1–R4 through CIP-009 R1–R5) and same BW / SC / C / AC milestones as the Control Centers table; the milestone positions are not recoverable from the text.]
Compliance Schedule – Table 2 (All Facilities)
[Figure: quarterly timeline, 2007 Q2 through 2010 Q4, for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Same standards and requirements (CIP-002 R1–R4 through CIP-009 R1–R5) and same BW / SC / C / AC milestones; the milestone positions are not recoverable from the text.]
Compliance Schedule – Table 3 (All Facilities)
[Figure: quarterly timeline, 2007 Q1 through 2010 Q4, for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Same standards and requirements (CIP-002 R1–R4 through CIP-009 R1–R5) and same BW / SC / C / AC milestones; the milestone positions are not recoverable from the text.]
Compliance Schedule – Table 4 (All Facilities)
[Figure: timeline in quarters after registration (Registration plus Q1 through Q11) for Responsible Entities registering in 2007 and thereafter. Same standards and requirements (CIP-002 R1–R4 through CIP-009 R1–R5) and same BW / SC / C / AC milestones; the milestone positions are not recoverable from the text.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions?
Electrical Grid 101 – Continental Network
[Map: the Western Interconnect, Eastern Interconnect and Texas Interconnect, with the California ISO, New England ISO and New York ISO marked, overlaid with the NERC Regional Reliability Councils.]
Regional Reliability Councils - NERC:
ECAR - East Central Area Reliability Coordination Agreement; ERCOT - Electric Reliability Council of Texas; FRCC - Florida Reliability Coordinating Council; MAAC - Mid-Atlantic Area Council; MAIN - Mid-America Interconnected Network; MAPP - Mid-Continent Area Power Pool; NPCC - Northeast Power Coordinating Council; SERC - Southeastern Electric Reliability Council; SPP - Southwest Power Pool; WSCC - Western Systems Coordinating Council
Critical Cyber Assets
[Diagram: the Regional Authority (RTO, ISO, EMS) exchanging data with the entity's SCADA/EMS and with adjacent entities' EMS; below the SCADA/EMS sit the substation controls and the power plant DCS systems.]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring and control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs and automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" (IP-based) protocols on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule – Generalized
[Figure: Compliance Schedule for Most Entities. Quarterly timeline, 2007 Q1 through 2010 Q4, for a generic CIP 00x requirement (R1 ... Rx) marking the Begin Work, Substantial Completion, Completion and Auditable Compliance milestones, with "Today" marked.]
Each CIP is composed of a set of requirements. Most requirements must achieve Auditable Compliance (AC) by the end of 2010; some requirements must achieve AC by the end of 2009. CIP-001 is in place for all utilities; CIP-002 through CIP-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact the appropriate authorities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk-based assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R2 – Identify and inventory critical electric system assets
• R3 – Identify and inventory critical cyber assets
• R4 – Perform annual (and as-needed) reviews and approvals of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (severity of consequences against category of consequences of an attack):

Severity      | Public health and safety             | Customer outages      | Outage duration | Power system stability          | Power generation impacts
Very serious  | Numerous deaths and serious injuries | > 250,000 customers   | Months          | Major transmission line outages | > 10,000 MW put offline
Major         | Scattered deaths or serious injuries | > 100,000 customers   | Weeks           | Limited inter-tie disruption    | > 1,000 MW put offline
Minor         | Minor, non-life-threatening injuries | Thousands of customers| Days            | Temporary islanding             | > 100 MW put offline
Insignificant | None of significance                 | Hundreds of customers | Hours           | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to, and the priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at a minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of, and adhering to, the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
copy Cyber SECurity Consulting - All rights reserved
Security Policies (Cont)
Computer Network Security Policy - Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users - Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent - Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient - Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy - Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy - Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods - In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy - Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to insure personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 - Implement a security awareness program to focus all personnel on security issues
• R2 - Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 - Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 - Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 - Identify the electronic security perimeter and all access points
• R2 - Establish electronic access controls with strong authentication
• R3 - Monitor and review all electronic access to critical systems
• R4 - Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and improper account management
• R5 - Classify, protect and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and insure that vulnerability assessments are performed and evaluated on a periodic basis, and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then insure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Diagram residue: "The Electronic Perimeter", drawn around a SCADA/EMS system/facility and its SCADA LAN. Labeled elements on the slide: corporate LAN and department LAN; gateway, web server and e-mail reaching the Internet through TelCo and an ISP; a WAN to a related system; a dial-out/backup modem and an unprotected modem; a WiFi AP; doubly-connected workstations; portable devices, storage devices and physical media; RTUs over TelCo circuits; a backup-site SCADA/EMS system over a leased T1 line; transmission substations reached by IP to the substation and by dial-in IED access over TelCo; and the regional balancing authority, transmission operator or reliability coordinator. Each point where a path crosses the perimeter is marked "x" on the slide.]
Defending the "Electronic Perimeter"
• Intrusion Detection (NIDS/HIDS) Systems
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/Encryption on communication circuits
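As an added example (not code from the original slides), a small Python inventory that applies the perimeter steps above to a constructed set of links: every link with exactly one end inside the perimeter is an access point, each must be justified as required, and each is compared against the countermeasures listed for defending the perimeter. The asset and link names, and the rule that paths leaving the site also need encryption, are assumptions made for the example.

```python
"""Electronic Security Perimeter (ESP) access-point review.

Added example, not code from the original slides. Enumerates every
communication path, keeps those with one end inside the ESP (the access
points), confirms each is actually required, and checks it against the
countermeasures from the "Defending the Electronic Perimeter" slide.
Every asset, link and control name below is constructed.
"""
from dataclasses import dataclass, field

# Countermeasures named on the slide
MFA = "multi-factor authentication"
IDS = "intrusion detection (NIDS/HIDS)"
ENC = "encryption (VPN on circuits, encrypted portable media)"

# Assumption for this example: every access point needs MFA and IDS coverage;
# paths that leave the building (circuits, dial-up, wireless, portable media)
# also need encryption.
OFFSITE_KINDS = {"wan", "dial", "wifi", "internet", "sneakernet"}


@dataclass
class Link:
    name: str
    ends: tuple           # (asset_a, asset_b)
    kind: str             # "lan", "wan", "dial", "wifi", "internet", "sneakernet"
    required: bool        # is there a documented operational need for it?
    controls: set = field(default_factory=set)


# Constructed inventory loosely following the slide diagram.
INSIDE_ESP = {"SCADA/EMS", "SCADA LAN"}
SAMPLE_LINKS = [
    Link("scada-lan", ("SCADA/EMS", "SCADA LAN"), "lan", True, {MFA, IDS}),
    Link("corp-gateway", ("SCADA LAN", "Corporate LAN"), "lan", True, {MFA, IDS}),
    Link("leased-t1", ("SCADA/EMS", "Backup-site SCADA/EMS"), "wan", True, {MFA, IDS, ENC}),
    Link("substation-ip", ("SCADA/EMS", "Transmission substation"), "wan", True, {IDS}),
    Link("unprotected-modem", ("SCADA/EMS", "TelCo"), "dial", False, set()),
    Link("wifi-ap", ("SCADA LAN", "Engineering laptops"), "wifi", True, {MFA}),
    Link("dual-homed-ws", ("SCADA LAN", "Corporate LAN"), "lan", False, {MFA, IDS}),
    Link("usb-media", ("SCADA/EMS", "Portable media"), "sneakernet", True, {MFA, IDS, ENC}),
]


def access_points(links, inside):
    """Links with exactly one end inside the ESP: these are the access points."""
    return [l for l in links if (l.ends[0] in inside) != (l.ends[1] in inside)]


def missing_controls(link):
    """Countermeasures the link should have but does not, in sorted order."""
    needed = {MFA, IDS}
    if link.kind in OFFSITE_KINDS:
        needed.add(ENC)
    return sorted(needed - link.controls)


def review(links, inside):
    """Return {link name: action} for every access point that needs work.

    Paths with no documented need are flagged for removal before any
    control gap is considered; compliant access points are not listed.
    """
    actions = {}
    for link in access_points(links, inside):
        if not link.required:
            actions[link.name] = "not required: disable and remove from inventory"
        elif missing_controls(link):
            actions[link.name] = "add " + "; ".join(missing_controls(link))
    return actions


if __name__ == "__main__":
    for name, action in review(SAMPLE_LINKS, INSIDE_ESP).items():
        print(f"{name:18s} {action}")
```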
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to insure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 - Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 - Establish physical access controls at all access points
• R3 - Monitor access into the security perimeter in a manner that precludes undetected access
• R4 - Log and record all access into the security perimeter
• R5 - Retain a log of all access attempts, either successful or unauthorized
• R6 - Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that insure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and insure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram residue: a facility containing office areas and a SCADA operations area. The facility boundary and the SCADA operations boundary each have limited, monitored/controlled access points; inside SCADA operations are a control room, a computer/server room and a telecom/LAN room with separate access rights, joined by monitored hallways.]
Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 - Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 - Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 - Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 - Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
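An added example (not from the original slides) of the R2 check as a repeatable audit: the listening TCP/UDP sockets reported by a host are compared to that asset's documented port baseline, and anything else is a finding unless a documented exception records the compensating measure ("implement other measures where this is not possible"). The `ss -tuln` sample, the baseline and the exception record are all constructed for the example.

```python
"""CIP-007 R2 style ports-and-services check.

Added example, not from the original slides. Parses `ss -tuln` output and
classifies every listening socket against an asset's documented baseline and
its documented exceptions. The sample output, the baseline and the exception
record are constructed.
"""
import re

# One `ss -tuln` data line: Netid State Recv-Q Send-Q Local Address:Port Peer
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

# Constructed sample of `ss -tuln` output from a front-end processor.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:502         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:123       0.0.0.0:*
"""

# Documented baseline for this asset (assumed): the only ports it needs for
# its operational function, each with the reason recorded.
BASELINE = {
    ("tcp", 22): "ssh - engineering access via jump host",
    ("tcp", 502): "Modbus/TCP - RTU polling",
    ("tcp", 20000): "DNP3 - RTU polling",
    ("udp", 123): "NTP - time sync, loopback only",
}

# Documented R2 exceptions: the port cannot be disabled, so the compensating
# measure is recorded instead.
EXCEPTIONS = {
    ("udp", 161): "SNMP required by vendor monitoring; host firewall limits "
                  "peers to the monitoring VLAN and polls are logged",
}


def parse_listeners(ss_output):
    """Return {(proto, port): local_address} for every listening socket."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:  # header and non-socket lines do not match
            proto, addr, port = m.group(1), m.group(2), int(m.group(3))
            listeners[(proto, port)] = addr
    return listeners


def audit(listeners, baseline, exceptions):
    """Classify each (proto, port) against the baseline and exception records.

    Returns a sorted list of (proto, port, status, note). Status values:
      "baseline"   - listed in the baseline, expected to be open
      "exception"  - not in the baseline but covered by a documented exception
      "unexpected" - open with no baseline entry and no exception (R2 finding)
      "absent"     - in the baseline but not listening (verify the service)
    """
    results = []
    for key, addr in listeners.items():
        proto, port = key
        if key in baseline:
            results.append((proto, port, "baseline", baseline[key]))
        elif key in exceptions:
            results.append((proto, port, "exception", exceptions[key]))
        else:
            results.append((proto, port, "unexpected",
                            f"listening on {addr}; disable or document an exception"))
    for key, reason in baseline.items():
        if key not in listeners:
            results.append((key[0], key[1], "absent", reason))
    return sorted(results)


def findings(listeners, baseline, exceptions):
    """Only the entries that need action under R2."""
    return [r for r in audit(listeners, baseline, exceptions)
            if r[2] in ("unexpected", "absent")]


if __name__ == "__main__":
    for row in audit(parse_listeners(SAMPLE_SS), BASELINE, EXCEPTIONS):
        print("%-3s %-5d %-10s %s" % row)
```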
Systems Security Management (Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
Required Initial Actions (cont)
• R5 - Establish an account management program and procedures to insure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 - Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 - Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 - Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 - Establish a document management, review and revision program that insures that documentation remains accurate and updated
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 - Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 - Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 - Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 - Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 - Update and re-validate procedures whenever changes are made to them, and insure proper communication of such changes to personnel
• R4 - Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 - Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to insure recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
- Identify and document Critical Cyber Assets
- Identify and document Critical Cyber Information
- Identify and document Physical Security Perimeter
- Identify and document communication and network connections
- Identify and document all personnel who have access rights
- Identify and review all existing cyber security policies and procedures
Supporting activities shown alongside these steps: physical audit; physical audit; physical inspection; physical inspection; background checks; NERC checklist
Action plan formulation phase:
- Review findings versus NERC requirements (non-compliance levels)
- Develop action plan for addressing all shortcomings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
- Develop and document necessary policies and procedures
- Select methods for creating electronic security perimeter
- Implement and test the electronic perimeter
- Select methods for creating the physical security perimeter
- Implement and test the physical security perimeter
- Provide security training to all employees as needed
Supporting activities shown alongside these steps: iterative reviews; technology survey; PEN testing; technology survey; social engineering testing; awareness campaign
Testing and validation phase:
- Test and validate systems management and recovery procedures
- Test and validate system/component test/commissioning procedures
Supporting activities shown alongside these steps: disaster simulation & audits; structured audit
Key methodology/standard (label shown on the slide)
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 - The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance of the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and leaving the identification methodology up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule - Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart residue: quarterly timeline Q2 2007 through Q4 2010, one row per standard: CIP 002 (R1-R4), CIP 003 (R1-R6), CIP 004 (R1-R4), CIP 005 (R1-R5), CIP 006 (R1-R6), CIP 007 (R1-R9), CIP 008 (R1-R2), CIP 009 (R1-R5). Milestone columns BW, SC, C, AC (Begin Work, Substantial Completion, Completion, Auditable Compliance); the per-quarter milestone markers did not survive extraction.]
Compliance Schedule - Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart residue: quarterly timeline Q2 2007 through Q4 2010, one row per standard: CIP 002 (R1-R4), CIP 003 (R1-R6), CIP 004 (R1-R4), CIP 005 (R1-R5), CIP 006 (R1-R6), CIP 007 (R1-R9), CIP 008 (R1-R2), CIP 009 (R1-R5). Milestone columns BW, SC, C, AC (Begin Work, Substantial Completion, Completion, Auditable Compliance); the per-quarter milestone markers did not survive extraction.]
Compliance Schedule - Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart residue: quarterly timeline Q2 2007 through Q4 2010, one row per standard: CIP 002 (R1-R4), CIP 003 (R1-R6), CIP 004 (R1-R4), CIP 005 (R1-R5), CIP 006 (R1-R6), CIP 007 (R1-R9), CIP 008 (R1-R2), CIP 009 (R1-R5). Milestone columns BW, SC, C, AC (Begin Work, Substantial Completion, Completion, Auditable Compliance); the per-quarter milestone markers did not survive extraction.]
Compliance Schedule - Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart residue: quarterly timeline Q1 2007 through Q4 2010, one row per standard: CIP 002 (R1-R4), CIP 003 (R1-R6), CIP 004 (R1-R4), CIP 005 (R1-R5), CIP 006 (R1-R6), CIP 007 (R1-R9), CIP 008 (R1-R2), CIP 009 (R1-R5). Milestone columns BW, SC, C, AC (Begin Work, Substantial Completion, Completion, Auditable Compliance); the per-quarter milestone markers did not survive extraction.]
Compliance Schedule - Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Chart residue: timeline in quarters after registration ("Registration Plus" Q1 through Q11), one row per standard: CIP 002 (R1-R4), CIP 003 (R1-R6), CIP 004 (R1-R4), CIP 005 (R1-R5), CIP 006 (R1-R6), CIP 007 (R1-R9), CIP 008 (R1-R2), CIP 009 (R1-R5). Milestone columns BW, SC, C, AC (Begin Work, Substantial Completion, Completion, Auditable Compliance); the per-quarter milestone markers did not survive extraction.]
Understanding the NERC CIP Standards
William T Shaw, PhD, CISSP, President - Cyber SECurity Consulting
Questions
Critical Cyber Assets
[Diagram residue: Regional Authority (RTO, ISO, EMS) at the top; the entity's SCADA/EMS below it, flanked by adjacent-entity EMS systems; beneath these, substation controls and power plant DCS systems.]
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule - Generalized
Compliance Schedule for Most Entities
[Chart residue: quarterly timeline Q1 2007 through Q4 2010 with "Today" marked. Each CIP (shown as "CIP 00x") is composed of a set of requirements (R1, R2, R3, R4, ... Rx), and each requirement passes through the milestones Begin Work, Substantial Completion, Completion and Auditable Compliance.]
Most requirements must achieve AC by end of 2010.
Some requirements must achieve AC by end of 2009.
CIP 001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for, and formally report, any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R1 – Identify and inventory critical electric system assets
• R2 – Identify and inventory critical cyber assets
• R3 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the “risk” assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart. The columns are the categories of consequences of an attack (Public Health and Safety; Customer outages; Outage duration; Power system stability; Power generation impacts); the rows are the severity of consequences.
Very serious consequences: numerous deaths and serious injuries; > 250,000 customers; duration in terms of months; major transmission line outages; > 10,000 MW put offline.
Major consequences: scattered deaths or serious injuries; > 100,000 customers; duration in terms of weeks; limited inter-tie disruption; > 1,000 MW put offline.
Minor consequences: minor, non-life-threatening injuries; thousands of customers; duration in terms of days; temporary islanding; > 100 MW put offline.
Insignificant consequences: none of significance; hundreds of customers; duration in terms of hours; no impact; tolerable generation outage.
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure on-going attention to, and the priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies
Organizational Security: Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual’s Right Of Access To Data; Individual’s Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points and tests for open ports and services and improper account management
• R5 – Classify, protect and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- “SNEAKERnet” (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
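As an added example (not code from the deck or from Cyber SECurity Consulting), the following Python models the check described above: given an inventory of which nodes sit inside the ESP and every communication link, it enumerates the links that cross the perimeter and reports which of them are not actually required or lack authentication or monitoring. The node names, interface kinds and control labels are constructed for illustration.

```python
"""Enumerate Electronic Security Perimeter (ESP) access points from a
connectivity inventory and check each one for the controls the slide calls
for (authentication, access monitoring / intrusion detection).

Added example for this deck; it is not code from the original presentation
or from Cyber SECurity Consulting.  The inventory, device names, interface
kinds and control labels below are constructed for illustration.
"""
from dataclasses import dataclass

# The interface kinds from the slide's "ALL communication interfaces" list.
INTERFACE_KINDS = {
    "telephone",                 # leased / dial / cellular
    "lan", "wan", "wlan",
    "private-net", "public-net",
    "sneakernet",                # portable devices / media
    "other",
}

# Controls the slide says every required access point needs.
REQUIRED_CONTROLS = frozenset({"authentication", "monitoring"})


@dataclass(frozen=True)
class Link:
    """One communication interface between two named nodes."""
    a: str
    b: str
    kind: str
    controls: frozenset = frozenset()  # e.g. {"authentication", "monitoring", "encryption"}
    required: bool = True              # is the interface actually needed?


def access_points(inside_esp, links):
    """A link is an ESP access point when exactly one of its ends is inside
    the perimeter.  Links with both ends inside are internal; links with both
    ends outside (e.g. corporate LAN to Internet) are outside this review."""
    for link in links:
        if link.kind not in INTERFACE_KINDS:
            raise ValueError(f"unknown interface kind {link.kind!r} on {link.a}-{link.b}")
    return [l for l in links if (l.a in inside_esp) != (l.b in inside_esp)]


def review(inside_esp, links):
    """Map each access point to its findings.  An empty list means the
    access point is required and carries every required control."""
    findings = {}
    for ap in access_points(inside_esp, links):
        key = (ap.a, ap.b, ap.kind)
        if not ap.required:
            # The slide's first question: is this interface actually required?
            findings[key] = ["not required: remove or disconnect"]
            continue
        findings[key] = [f"missing {c}" for c in sorted(REQUIRED_CONTROLS - ap.controls)]
    return findings


# Constructed inventory loosely modelled on the "Electronic Perimeter" diagram.
INSIDE_ESP = {"scada-ems", "scada-lan", "operator-console", "engineering-pc"}
LINKS = [
    Link("operator-console", "scada-lan", "lan", frozenset({"monitoring"})),         # internal
    Link("scada-lan", "corporate-lan", "lan", frozenset({"authentication", "monitoring"})),
    Link("scada-ems", "rtu-substation", "wan", frozenset({"encryption"})),            # leased T1
    Link("scada-ems", "balancing-authority", "private-net",
         frozenset({"authentication", "monitoring", "encryption"})),                  # ICCP link
    Link("engineering-pc", "telco", "telephone", frozenset(), required=False),        # unprotected modem
    Link("scada-lan", "wifi-ap", "wlan", frozenset({"authentication"})),
    Link("engineering-pc", "usb-media", "sneakernet", frozenset()),
    Link("corporate-lan", "internet", "public-net", frozenset({"monitoring"})),       # both ends outside
]


def summarize(inside_esp=INSIDE_ESP, links=LINKS):
    """Counts a reviewer would report: access points found and how many fail."""
    findings = review(inside_esp, links)
    return {
        "access_points": len(findings),
        "deficient": sum(1 for f in findings.values() if f),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, problems in summarize()["findings"].items():
        print(key, "OK" if not problems else "; ".join(problems))
```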
[Figure: Establishing the “Electronic Perimeter”. Diagram of a SCADA/EMS system/facility and every connection crossing its electronic perimeter (each crossing marked x in the original): the SCADA LAN, department LAN and corporate LAN; a gateway, web server and e-mail server; the ISP and the Internet; TelCo WAN and dial-out/backup circuits; a leased T1 line and IP links to the substation; dial-in IED access; RTUs and transmission substations; a backup-site SCADA/EMS system; a related system; the regional balancing authority and Transmission Operator or Reliability Coordinator; an unprotected modem; a WiFi AP; doubly-connected workstations; portable devices, storage devices and physical media.]
Defending the “Electronic Perimeter”
Intrusion Detection Systems (NIDS/HIDS)
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable “strong” identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
[Figure: Establishing the “Physical Perimeter”. Diagram of a facility containing the SCADA Operations area, with the Control Room, Computer/server Room and Telecom/LAN Room separated from the Office Areas; limited, monitored/controlled access points at the facility and SCADA Operations boundaries; controlled and monitored access; monitored hallways; and separate access rights for the inner rooms.]
Defending the “Physical Perimeter”
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
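As an added example (not from the presentation or from Cyber SECurity Consulting), the following Python audits a critical system's listening ports against its approved baseline, which is the check that CIP-007 R2 and the "tests for open ports and services" part of CIP-005 R4 both call for. The baseline, the documented exception and the socket listing are constructed; the listing mimics the column layout of `ss -H -lntu`.

```python
"""Check a critical cyber asset's listening TCP/UDP ports against its
approved baseline (CIP-007 R2) and report anything a vulnerability
assessment (CIP-005 R4) would have to explain.

Added example for this deck; not code from the original presentation or
from Cyber SECurity Consulting.  The baseline, the documented exception and
the socket listing are constructed; the listing mimics the column layout of
`ss -H -lntu` (netid, state, recv-q, send-q, local address:port, peer).
"""

# Approved baseline for a hypothetical SCADA front-end processor.
BASELINE = {
    ("tcp", 22): "SSH for administrators from the management LAN",
    ("tcp", 102): "ICCP link to the balancing authority",
    ("udp", 123): "NTP time synchronisation",
}

# R2 says "implement other measures where this is not possible": a port that
# cannot be closed must carry a documented compensating measure.
DOCUMENTED_EXCEPTIONS = {
    ("udp", 161): "SNMP required by vendor support contract; host firewall "
                  "limits it to the network management station",
}

# Constructed socket listing (the IPv4/IPv6 pair on port 22 is deliberate).
SAMPLE_LISTING = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      64     10.20.0.5:102     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
"""


def parse_listing(text):
    """Return the set of (proto, port) pairs that are listening.
    Only the netid and local-address columns are used, so IPv4, IPv6
    and wildcard (*) addresses are all handled the same way."""
    listening = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or a socket type we do not audit
        local = fields[4]
        port = local.rsplit(":", 1)[1]   # works for 0.0.0.0:22, [::]:22 and *:22
        listening.add((fields[0], int(port)))
    return listening


def audit(listening, baseline=BASELINE, exceptions=DOCUMENTED_EXCEPTIONS):
    """Classify every observed and expected port.

    unapproved - listening, in neither the baseline nor the exception list
    excepted   - listening only because a compensating measure is documented
    missing    - in the baseline but not listening (a needed service is down)
    """
    approved = set(baseline)
    excepted = set(exceptions)
    return {
        "unapproved": sorted(listening - approved - excepted),
        "excepted": sorted(listening & excepted),
        "missing": sorted(approved - listening),
    }


def audit_sample():
    """Run the audit over the constructed listing."""
    return audit(parse_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    for verdict, ports in audit_sample().items():
        print(f"{verdict:10s}", ", ".join(f"{p}/{n}" for p, n in ports) or "-")
```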
Systems Security Management (Cont)
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure “strong” user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
[Figure: flowchart of the self-assessment process, with the method used for each step shown alongside it; key methodology/standard: NERC 1200.]
Information gathering phase:
- Identify and document Critical Cyber Assets (physical audit)
- Identify and document Critical Cyber Information (physical audit)
- Identify and document the Physical Security Perimeter (physical inspection)
- Identify and document communication and network connections (physical inspection)
- Identify and document all personnel who have access rights (background checks)
- Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase:
- Review findings versus NERC requirements (non-compliance levels)
- Develop action plan for addressing all short-comings
Cyber Securing SCADA Systems
NERC Compliance Process
[Figure: flowchart of the compliance process, with the key methodology/standard used for each step shown alongside it.]
Plan implementation phase:
- Develop and document necessary policies and procedures (iterative reviews)
- Select methods for creating the electronic security perimeter (technology survey)
- Implement and test the electronic perimeter (PEN testing)
- Select methods for creating the physical security perimeter (technology survey)
- Implement and test the physical security perimeter (social engineering testing)
- Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
- Test and validate systems management and recovery procedures (disaster simulation & audits)
- Test and validate system/component test/commissioning procedures (structured audit)
FERC’s position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation’s bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to “reasonable business judgment”. FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own “business standards”.
FERC Comments on NERC CIPs
FERC also proposes to approve NERC’s implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must “begin work” on compliance upon registration with NERC, must be “substantially compliant” within 12 months of registration, and must be “compliant” within 24 months of registration. Entities must ultimately be “auditably compliant” by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves “auditably compliant” status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC’s existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using “reasonable business judgment”. This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance of the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a “risk-based assessment methodology”. FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and leaving the identification methodology up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that “the most critical element of a Cyber Security Standard is the Requirements” because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying “exceptions”, or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation’s electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC’s assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Figure: Gantt-style chart, 2007 Q2 through 2010 Q4, with one row per requirement: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5. Diamonds mark the quarter in which each requirement reaches each milestone: BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance).]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Figure: Gantt-style chart, 2007 Q2 through 2010 Q4, with one row per requirement: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5. Diamonds mark the quarter in which each requirement reaches each milestone: BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance).]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Figure: Gantt-style chart, 2007 Q2 through 2010 Q4, with one row per requirement: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5. Diamonds mark the quarter in which each requirement reaches each milestone: BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance).]
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: rows CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5) against quarters 2007 Q1 to 2010 Q4, marking for each requirement the BW, SC, C and AC milestones.]
Compliance Schedule – Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter.
[Chart: rows CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5) against quarters counted from registration ("Registration plus" Q1 to Q11), marking for each requirement the BW, SC, C and AC milestones.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions
Critical Assets (Power System)
• Control Centers and backup/alternate Control Centers
• Control Center systems (SCADA/EMS) and equipment used for telemetry, monitoring & control, AGC, power system real-time modeling (state estimation), and real-time inter-utility data exchanges (ICCP links)
• Transmission substation equipment supporting an Interconnection Reliability Operating Limit (IROL)
• Generating plants/resources that meet or exceed 80% of the largest single contingency within an operating region
• Generation control centers with total generation that meets or exceeds 80% of the largest single contingency within an operating region
• Systems, equipment and facilities needed for system restoration, including black-start capabilities and substations on transmission lines needed for initial system restoration
• Systems, equipment and facilities needed for automated load shedding on systems capable of shedding 300 MW or more of load
• Any other assets that, if damaged, degraded or made unavailable, would impact the reliability of the electric grid and bulk electric system
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule – Generalized
Compliance schedule for most entities.
[Chart: a generic CIP-00x with requirements R1–R4 (Rx) against quarters 2007 Q1 to 2010 Q4, with "Today" marked and the four milestones per requirement: Begin Work (BW), Substantial Completion (SC), Completion (C) and Auditable Compliance (AC).]
Each CIP is composed of a set of requirements. Most requirements must achieve AC by the end of 2010; some requirements must achieve AC by the end of 2009. CIP-001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical (power system) Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R1 – Identify and inventory critical electric system assets
• R2 – Identify and inventory critical cyber assets
• R3 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually and within 90 days of whenever a Critical Asset is added, removed from service, or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack):

| Severity of consequences | Public Health and Safety | Customer outages | Outage duration | Power system stability | Power generation impacts |
|---|---|---|---|---|---|
| Very serious consequences | Numerous deaths and serious injuries | >250,000 customers | Duration in terms of months | Major transmission line outages | >10,000 MW put offline |
| Major consequences | Scattered deaths or serious injuries | >100,000 customers | Duration in terms of weeks | Limited inter-tie disruption | >1,000 MW put offline |
| Minor consequences | Minor non-life-threatening injuries | Thousands of customers | Duration in terms of days | Temporary islanding | >100 MW put offline |
| Insignificant consequences | None of significance | Hundreds of customers | Duration in terms of hours | No impact | Tolerable generation outage |
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Asset/Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell Phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and identifies improper account management
• R5 – Classify, protect, and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Diagram: a SCADA/EMS system/facility with its SCADA LAN, a corporate/department LAN with doubly-connected workstations, and a backup-site SCADA/EMS system. Each connection crossing the perimeter is marked "x" as an access point: gateway, web server and email reaching the Internet via an ISP; a TelCo WAN to a related system and to the regional balancing authority, Transmission Operator or Reliability Coordinator; a leased T1 line and "IP to the substation" serving RTUs at transmission substations; dial-in IED access via TelCo; a dial-out backup link; an unprotected MODEM; a WiFi AP; and portable devices, storage devices and physical media.]
Defending the "Electronic Perimeter"
Intrusion Detection Systems (NIDS/HIDS)
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, whether successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a Facility with limited, monitored/controlled access points; inside it, a SCADA Operations area with its own limited, monitored/controlled access points and controlled, monitored access, containing the Control Room, the Computer/server Room and the Telecom/LAN Room, each with separate access rights; Office Areas and monitored hallways lie outside that inner perimeter.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
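As an added illustration, not taken from the presentation, of the open-port check that CIP-005 R4 and CIP-007 R2 call for, the script below compares a host's listening sockets against an approved port/service baseline and reports the differences as findings. The host, the `ss -lntup`-style listing and the baseline itself are all constructed for the example.

```python
"""Listening-port baseline check for a critical cyber asset.

CIP-007 R2 asks for unnecessary TCP/UDP ports and OS services to be disabled,
and the CIP-005 R4 vulnerability assessment tests for open ports and services.
This compares what a host actually listens on with an approved baseline and
reports the differences as findings an auditor can act on.
"""
import re
from dataclasses import dataclass

# Constructed `ss -lntup`-style listing from a hypothetical SCADA front-end host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=845,fd=4))
tcp   LISTEN 0      64     0.0.0.0:2404       0.0.0.0:*         users:(("scada-fe",pid=1201,fd=9))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1310,fd=5))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("ntpd",pid=701,fd=16))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=990,fd=7))
"""

# Constructed, hypothetical approved baseline: (protocol, port) -> process expected to own it.
BASELINE = {
    ("tcp", 22): "sshd",         # engineering access from inside the ESP
    ("tcp", 2404): "scada-fe",   # IEC 60870-5-104 polling of RTUs
    ("tcp", 20000): "scada-fe",  # DNP3 polling of RTUs
    ("udp", 123): "chronyd",     # time synchronisation
}

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")
_PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # first process name in the users:(...) column


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "info"
    proto: str
    port: int
    message: str


def parse_ss(text):
    """Parse `ss -lntup`-style output into Listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue                          # only listening sockets matter here
        addr, port = local.rsplit(":", 1)     # handles IPv6 "[::]:22" and "*:22" too
        m = _PROCESS_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "unknown"))
    return listeners


def check_listeners(listeners, baseline):
    """Compare observed listeners with the baseline and return the list of Findings."""
    findings = []
    observed = set()
    for l in listeners:
        key = (l.proto, l.port)
        observed.add(key)
        if key not in baseline:
            if l.addr.startswith(LOOPBACK_PREFIXES):
                findings.append(Finding("info", l.proto, l.port,
                    f"{l.process} listens on loopback only; not network-reachable but undocumented"))
            else:
                findings.append(Finding("high", l.proto, l.port,
                    f"{l.process} listening on {l.addr} is not in the approved baseline (R2)"))
        elif baseline[key] != l.process:
            findings.append(Finding("medium", l.proto, l.port,
                f"baseline expects {baseline[key]} but {l.process} owns the port"))
    for (proto, port), process in baseline.items():
        if (proto, port) not in observed:     # required service down, or baseline stale
            findings.append(Finding("medium", proto, port,
                f"baseline service {process} is not listening"))
    return findings


def run_check(ss_output=SAMPLE_SS_OUTPUT, baseline=BASELINE):
    return check_listeners(parse_ss(ss_output), baseline)


if __name__ == "__main__":
    for f in sorted(run_check(), key=lambda f: (f.severity, f.proto, f.port)):
        print(f"[{f.severity:6}] {f.proto}/{f.port}: {f.message}")
```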
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
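An added example, not part of the presentation, of the access-attempt monitoring and user-activity tracking in R5 and R6 above: it reviews constructed sshd-style syslog lines from a hypothetical ESP access point ("esp-ap1") against a constructed list of authorized accounts, raising an alert on a burst of failed logins from one source and on a successful login by an account outside that list.

```python
"""Review of electronic access attempts at an ESP access point.

CIP-007 R5 asks for tracking of user activity and R6 for monitoring that
notifies on attempted security violations. This parses sshd-style syslog
lines, alerts on bursts of failed logins from one source and on successful
logins by accounts outside the authorized list, and summarises activity per
account for the periodic access review.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines from a hypothetical ESP access point host "esp-ap1".
SAMPLE_LOG = """\
Mar  3 02:14:07 esp-ap1 sshd[2211]: Failed password for invalid user admin from 10.20.30.40 port 51122 ssh2
Mar  3 02:14:09 esp-ap1 sshd[2212]: Failed password for invalid user admin from 10.20.30.40 port 51123 ssh2
Mar  3 02:14:12 esp-ap1 sshd[2215]: Failed password for root from 10.20.30.40 port 51130 ssh2
Mar  3 02:14:15 esp-ap1 sshd[2216]: Failed password for operator from 10.20.30.40 port 51131 ssh2
Mar  3 02:20:00 esp-ap1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 08:02:30 esp-ap1 sshd[2301]: Accepted publickey for jsmith from 10.1.5.12 port 40200 ssh2
Mar  3 08:15:03 esp-ap1 sshd[2340]: Accepted password for contractor7 from 10.1.5.30 port 40211 ssh2
Mar  3 09:00:00 esp-ap1 sshd[2400]: Failed password for jsmith from 10.1.5.12 port 40250 ssh2
Mar  3 09:00:20 esp-ap1 sshd[2401]: Accepted password for jsmith from 10.1.5.12 port 40251 ssh2
"""

# Constructed list of accounts authorized for electronic access (CIP-004 R4 / CIP-007 R5).
AUTHORIZED_ACCOUNTS = {"jsmith", "mlopez"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2008):
    """Turn matching sshd lines into event dicts; other daemons' lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse "Mar  3" to "Mar 3"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "ok": m["result"] == "Accepted"})
    return events


def review_access(events, authorized, max_failures=3, window=timedelta(minutes=1)):
    """Return alerts as (kind, subject, source, timestamp) tuples in time order."""
    alerts = []
    recent = defaultdict(deque)          # source -> timestamps of its recent failures
    already_alerted = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if e["user"] not in authorized:
                alerts.append(("unauthorized-login", e["user"], e["src"], e["ts"]))
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and e["src"] not in already_alerted:
            already_alerted.add(e["src"])    # one alert per source per review
            alerts.append(("auth-failure-burst", f"{len(q)} failed logins within {window}",
                           e["src"], e["ts"]))
    return alerts


def activity_summary(events):
    """Per-account counts of accepted and failed logins for the access review."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for e in events:
        summary[e["user"]]["accepted" if e["ok"] else "failed"] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for kind, subject, src, ts in review_access(evs, AUTHORIZED_ACCOUNTS):
        print(f"{ts:%b %d %H:%M:%S} ALERT {kind}: {subject} from {src}")
    for user, counts in sorted(activity_summary(evs).items()):
        print(f"{user:12} accepted={counts['accepted']} failed={counts['failed']}")
```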
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to, and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate, and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
[Flowchart]
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
• Review findings versus NERC requirements
• Develop an action plan for addressing all short-comings (by non-compliance levels)
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
[Flowchart]
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
• Test and validate Systems Management and recovery procedures
• Test and validate system/component test/commissioning procedures
• Disaster Simulation & audits
• Structured audit
Key methodology/standard
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because the Requirements define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", that is, areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far into the future.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may conclude that they are too small to be covered by these standards, and others may conclude that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
[Chart: Compliance Schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Columns: calendar quarters Q2 2007 through Q4 2010. Milestone markers: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Compliance Schedule – Table 1 (Other Facilities)
[Chart: Compliance Schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard, for facilities other than control centers. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Columns: calendar quarters Q2 2007 through Q4 2010. Milestone markers: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Compliance Schedule – Table 2 (All Facilities)
[Chart: Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Columns: calendar quarters Q2 2007 through Q4 2010. Milestone markers: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Compliance Schedule – Table 3 (All Facilities)
[Chart: Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Columns: calendar quarters Q1 2007 through Q4 2010. Milestone markers: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Compliance Schedule – Table 4 (All Facilities)
[Chart: Compliance Schedule for Responsible Entities registering in 2007 and thereafter. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Columns: quarters counted from registration ("Registration Plus" Q1 through Q11). Milestone markers: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Understanding the NERC CIP Standards
William T Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions
Potential Critical Cyber Assets
• Computer systems (SCADA/EMS, DCS, DA, etc.)
• Servers
• Communications equipment
• Substation IEDs, automation equipment
• Remote Terminal Units (RTUs)
• Workstations & Operator Consoles
• Engineering PCs
• Communication circuits
• Routers, switches and gateways
• RDBMS
• Historians
• Computer devices that use "routable" protocols (IP-based) on a network that extends outside of a substation, control center or generating plant
• Computer devices that support remote telephone, LAN or Internet access
• Wireless LAN equipment
• Files, databases, software, backup media, documentation, manuals, etc.
Compliance Schedule – Generalized
[Chart: Compliance Schedule for Most Entities. Timeline Q1 2007 through Q4 2010 with a "Today" marker; for each requirement of a CIP-00x standard (R1, R2, ... Rx) the chart marks the Begin Work, Substantial Completion, Completion and Auditable Compliance milestones.]
Each CIP is composed of a set of requirements.
Most requirements must achieve AC (Auditable Compliance) by end of 2010.
Some requirements must achieve AC by end of 2009.
CIP-001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for, and formally report, any attempt to sabotage facilities or assets; to contact the responsible authorities (such as the FBI); and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk-based assessment methodology, identify the associated Critical Cyber Assets that are essential to the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R2 – Identify and inventory critical electric system assets
• R3 – Identify and inventory critical cyber assets
• R4 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
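As an added example, not part of the presentation, the following Python sketch applies a CIP-002-style screen to a constructed asset inventory and checks whether the inventory review is overdue. The selection rule encoded here is my reading of the slide text and of the earlier "Potential Critical Cyber Assets" list (essential to a Critical Asset, and reachable either over a routable/IP protocol on a network that leaves the facility or by dial-up/remote access); the asset names, the dates and the exact review-window arithmetic are assumptions, not the standard's own wording.

```python
"""CIP-002 style Critical Cyber Asset screen and inventory review check.

Added example, not from the presentation. The selection rule and the
review windows (annual, or 90 days after a Critical Asset change) follow
the slide text; the inventory, names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CyberAsset:
    name: str
    critical_asset: Optional[str]  # the Critical Asset it supports, or None
    essential: bool                # essential to that Critical Asset's operation
    routable_outside: bool         # routable (IP) protocol on a network leaving the facility
    dial_up: bool                  # modem / remote telephone access


def is_critical_cyber_asset(asset: CyberAsset) -> bool:
    """Essential to a Critical Asset, and reachable either over a routable
    protocol that leaves the facility or over dial-up/remote access."""
    if asset.critical_asset is None or not asset.essential:
        return False
    return asset.routable_outside or asset.dial_up


def select_critical_cyber_assets(inventory: List[CyberAsset]) -> List[str]:
    """Names of the inventory entries that pass the screen, sorted."""
    return sorted(a.name for a in inventory if is_critical_cyber_asset(a))


def review_overdue(last_review: date, last_change: Optional[date], today: date) -> bool:
    """True when more than a year has passed since the last review, or when a
    Critical Asset change has gone more than 90 days without a review."""
    if today - last_review > timedelta(days=365):
        return True
    if last_change is not None and last_change > last_review:
        return today - last_change > timedelta(days=90)
    return False


# Constructed inventory; names and attributes are made up for the example.
INVENTORY = [
    CyberAsset("scada-master", "Control Center EMS", True, True, False),
    CyberAsset("sub-gateway-17", "Substation 17", True, True, False),   # IP over a leased T1
    CyberAsset("ied-relay-17a", "Substation 17", True, False, True),    # dial-in IED access
    CyberAsset("historian", "Control Center EMS", False, True, False),  # not essential to operation
    CyberAsset("plant-dcs", "Generating Plant 3", True, False, False),  # isolated, non-routable
    CyberAsset("corp-mail", None, False, True, True),                   # supports no Critical Asset
]


def demo() -> Dict[str, object]:
    """Runs the screen and a few constructed review-date cases."""
    return {
        "ccas": select_critical_cyber_assets(INVENTORY),
        "change_unreviewed_121d": review_overdue(date(2007, 6, 1), date(2007, 11, 1), date(2008, 3, 1)),
        "no_change_274d": review_overdue(date(2007, 6, 1), None, date(2008, 3, 1)),
        "change_29d": review_overdue(date(2007, 6, 1), date(2008, 2, 1), date(2008, 3, 1)),
        "stale_366d": review_overdue(date(2007, 1, 1), None, date(2008, 1, 2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the screen is that "historian" and "plant-dcs" drop out for different reasons (not essential; essential but not reachable), which is exactly the kind of per-asset justification an auditor will ask to see documented.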
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and a threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that credible and probable threat agents exist, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)
Severity | Public health and safety | Customer outages | Outage duration | Power system stability | Power generation impacts
Very serious consequences | Numerous deaths and serious injuries | >250,000 customers | Months | Major transmission line outages | >10,000 MW put offline
Major consequences | Scattered deaths or serious injuries | >100,000 customers | Weeks | Limited inter-tie disruption | >1,000 MW put offline
Minor consequences | Minor, non-life-threatening injuries | Thousands of customers | Days | Temporary islanding | >100 MW put offline
Insignificant consequences | None of significance | Hundreds of customers | Hours | No impact | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure employees are aware of, and adhere to, the stated policies and procedures, and that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security of Third-Party Access; Outsourcing
Asset/Information Classification and Control: Accountability for Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation / separation of duties; Security in Job Definition and Resourcing; User Training; Responding to Security Incidents and Malfunctions
Physical and Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications and Operations Management: Operational Procedures and Responsibilities; System Planning and Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges of Information and Software
Physical/Electronic Access Control: Business Requirement for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access and Use; Mobile Computing
Auditing and Review Policy
Systems Development and Maintenance: Security Requirements of Systems; Security in Application Systems; Cryptographic Controls; Security of System Files; Security in Development and Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance with Legal Requirements (SOX, HIPAA); Compliance with NERC 1200/1300; Reviews of Security Policy and Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell Phone Security Policy: Management Issues; Access Control; Backup and Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy

Security Policies (cont.)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment of Access Paths; Computer Viruses, Worms and Trojan Horses; Data and Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs and Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security of Computer and Communications Gear; Exceptions and violations
Internet Security Policy for Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy (Stringent): Overview and Applicability; Definitions; Specific Requirements; Information to Be Given to the Individual; Individual's Right of Access to Data; Individual's Right to Object; Disclosure of Personal Data to Third Parties; Processing Confidentiality and Security; Monitoring of Internal Activities
Privacy Policy (Lenient): Company Intentions and Management Responsibilities; Disclosure of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers and Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping and Handling; Declassification and Downgrading; Destruction and Disposal; Physical Security; Special Considerations for Secret Information
External Party Information Disclosure Policy: Determining if Disclosure Is Appropriate; Resolving Problems with Disclosure Processes; Required Disclosure Records; Preparing Information for Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption and Public Key Infrastructure Considerations; Change Control and Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel who are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets, and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 – Classify, protect, and establish policies and procedures for, the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, ensure that vulnerability assessments are performed and evaluated on a periodic basis, and ensure that appropriate countermeasures are deployed as needed.
Important Terms (cont.)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Figure: "The Electronic Perimeter". A SCADA/EMS System/Facility with a SCADA LAN and a Department LAN, connected through a gateway, web server and e-mail to the corporate WAN, to the Internet via TelCo links and an ISP, and to a related system; also shown are an unprotected modem, a dial-out backup circuit, RTUs, a WiFi access point, doubly-connected workstations, portable devices, physical media and storage devices, a backup-site SCADA/EMS system, transmission substations reached over a leased T1 line carrying IP to the substation, dial-in IED access via TelCo, and links to the regional balancing authority, Transmission Operator or Reliability Coordinator. Each "x" on the diagram marks a point where a communication path crosses the perimeter and must be identified and controlled.]
Defending the "Electronic Perimeter"
Intrusion Detection Systems (NIDS/HIDS)
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and the perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, whether successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (cont.)
Required On-Going Actions
Establish a program and procedures that ensure physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
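Added example (not from the presentation) for R3 through R5 above: a review of a constructed badge-reader log that reports two things a physical access audit looks for, entries granted to a badge the access list does not authorize for that door (an access control that is out of step with the CIP-004 personnel review), and repeated denials at one door by one badge within a short window (an attempt worth following up). The log format, door and badge identifiers, access list and thresholds are all assumptions.

```python
"""Physical access log review for CIP-006 R3-R5.

Added example, not from the presentation. The badge-reader log format,
door and badge identifiers, the access list and the denial threshold are
all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed badge-reader log: timestamp door badge result
ACCESS_LOG = """\
2008-03-04T06:58:10 door=CTRL-RM-1 badge=0451 result=granted
2008-03-04T07:02:44 door=SRV-RM-2 badge=0451 result=granted
2008-03-04T07:05:01 door=SRV-RM-2 badge=0917 result=denied
2008-03-04T07:05:30 door=SRV-RM-2 badge=0917 result=denied
2008-03-04T07:06:12 door=SRV-RM-2 badge=0917 result=denied
2008-03-04T09:15:33 door=CTRL-RM-1 badge=0338 result=granted
2008-03-04T12:30:00 door=CTRL-RM-1 badge=0999 result=granted
2008-03-04T22:41:07 door=SRV-RM-2 badge=0338 result=granted
"""

# Access list from the personnel/access-rights review: door -> badges allowed (constructed).
ACCESS_LIST: Dict[str, Set[str]] = {
    "CTRL-RM-1": {"0451", "0338"},
    "SRV-RM-2": {"0451"},
}

DENIAL_THRESHOLD = 3          # this many denials by one badge at one door...
DENIAL_WINDOW_SECONDS = 300   # ...within five minutes is reported once


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, door, badge, result) for every non-empty log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["door"], kv["badge"], kv["result"]))
    return events


def review(log_text: str, access_list: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (finding_type, door, badge) in log order."""
    findings: List[Tuple[str, str, str]] = []
    denials: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    reported: Set[Tuple[str, str]] = set()
    for ts, door, badge, result in parse_log(log_text):
        if result == "granted" and badge not in access_list.get(door, set()):
            # The reader let someone in whom the access list does not authorize for this door:
            # either the list is stale or the controller is misconfigured; both need follow-up.
            findings.append(("granted-without-authorization", door, badge))
        elif result == "denied":
            key = (door, badge)
            recent = [t for t in denials[key] if (ts - t).total_seconds() <= DENIAL_WINDOW_SECONDS]
            recent.append(ts)
            denials[key] = recent
            if len(recent) >= DENIAL_THRESHOLD and key not in reported:
                findings.append(("repeated-denials", door, badge))
                reported.add(key)
    return findings


if __name__ == "__main__":
    for finding in review(ACCESS_LOG, ACCESS_LIST):
        print(finding)
```

Both checks depend on keeping every attempt, successful or not, which is why R5 asks for the denied attempts to be retained and not just the successful entries.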
Important Terms (cont.)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Figure: A Facility with limited, monitored/controlled access points enclosing a SCADA Operations area that itself has limited, monitored/controlled access points and monitored hallways. Inside the SCADA Operations area are a Control Room, a Computer/server Room and a Telecom/LAN Room, each with controlled and monitored access and separate access rights; Office Areas lie outside the SCADA Operations area.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies for the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other (compensating) measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (cont.)
Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
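To make CIP-005 R4 and CIP-007 R2/R5 concrete, here is an added example (mine, not from the presentation) of the baseline comparison a cyber vulnerability assessment would run: parse a port scan of the perimeter hosts, report every open port/service that is not on the host's approved baseline, and report every local account that is not on the personnel access list. The scan text is constructed and only loosely modelled on nmap's grepable (-oG) "Ports:" field; host names, baselines and account lists are made up.

```python
"""Ports/services and account baseline check (CIP-005 R4, CIP-007 R2 and R5).

Added example, not from the presentation. SCAN_TEXT is constructed and only
loosely modelled on nmap -oG output; the baselines and account lists are
made-up values standing in for the documented configuration of each asset.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed scan output; each entry is port/state/proto/owner/service/rpcinfo/version/
SCAN_TEXT = """\
Host: 10.10.1.5 (scada-master)\tPorts: 22/open/tcp//ssh///, 502/open/tcp//modbus///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.1.7 (historian)\tPorts: 1433/open/tcp//ms-sql-s///, 80/open/tcp//http///, 161/open/udp//snmp///
Host: 10.10.2.10 (sub-gateway-17)\tPorts: 20000/open/tcp//dnp///, 23/open/tcp//telnet///
"""

# Approved baseline per host: the ports each Critical Cyber Asset is documented to need.
PORT_BASELINE: Dict[str, Set[Tuple[str, int]]] = {
    "scada-master": {("tcp", 22), ("tcp", 502)},
    "historian": {("tcp", 1433)},
    "sub-gateway-17": {("tcp", 20000)},
}

# Local accounts observed on each host, and the accounts the access list authorizes.
OBSERVED_ACCOUNTS: Dict[str, List[str]] = {
    "scada-master": ["oper1", "oper2", "vendor_tmp", "guest"],
    "historian": ["oper1", "dba"],
    "sub-gateway-17": ["admin"],
}
AUTHORIZED_ACCOUNTS: Dict[str, Set[str]] = {
    "scada-master": {"oper1", "oper2"},
    "historian": {"oper1", "dba"},
    "sub-gateway-17": {"fieldtech"},
}

HOST_RE = re.compile(r"^Host:\s+\S+\s+\((?P<name>[^)]+)\)\s+Ports:\s+(?P<ports>.*)$")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>tcp|udp)/[^/]*/(?P<service>[^/]*)/")


def parse_scan(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """host name -> [(proto, port, service)] for every port reported open."""
    result: Dict[str, List[Tuple[str, int, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entries = []
        for p in PORT_RE.finditer(m.group("ports")):
            if p.group("state") == "open":
                entries.append((p.group("proto"), int(p.group("port")), p.group("service")))
        result[m.group("name")] = entries
    return result


def assess(scan_text: str,
           baseline: Dict[str, Set[Tuple[str, int]]],
           observed: Dict[str, List[str]],
           authorized: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (host, finding_type, detail) for every deviation from the documented baseline."""
    findings: List[Tuple[str, str, str]] = []
    for host, ports in parse_scan(scan_text).items():
        allowed = baseline.get(host)
        if allowed is None:
            # A host inside the perimeter with no approved baseline is itself a finding.
            findings.append((host, "unbaselined-host", "no approved port baseline on file"))
            continue
        for proto, port, service in ports:
            if (proto, port) not in allowed:
                findings.append((host, "unexpected-port", f"{proto}/{port} ({service or 'unknown'})"))
    for host, accounts in observed.items():
        for acct in accounts:
            if acct not in authorized.get(host, set()):
                findings.append((host, "unauthorized-account", acct))
    return findings


if __name__ == "__main__":
    for finding in assess(SCAN_TEXT, PORT_BASELINE, OBSERVED_ACCOUNTS, AUTHORIZED_ACCOUNTS):
        print(finding)
```

Each "unexpected-port" line is either something to disable (R2) or something to document as a justified exception with a compensating control; each "unauthorized-account" line is either a stale or vendor account to remove (R5) or a gap in the access list from CIP-004 R4.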
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures, and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW (Indications, Analysis and Warnings) program and guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document and validate recovery procedures for critical cyber assets and systems, and train personnel on them
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner
• R3 – Update and re-validate the procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically test the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update the policies, and also to practice the procedures, to ensure recovery can be achieved.
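Added example (not from the presentation) for R4 and R5 above: an integrity manifest for a backup set, built when the image is taken and checked again when the media is tested or before a restore. Hashes alone only catch accidental corruption, so the manifest is also tagged with an HMAC under a key kept apart from the media, which makes a tampered manifest detectable too. The backup "files" and the key are in-memory values constructed for the example.

```python
"""Backup set integrity manifest for CIP-009 R4/R5.

Added example, not from the presentation. Builds a SHA-256 manifest when
the backup image is taken, tags it with an HMAC under a key kept apart
from the media, and verifies the set read back from media before a
restore. The backup "files" and the key are constructed in memory.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[int, str]]  # path -> (size, sha256 hex)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Size and SHA-256 of every file in the backup set."""
    return {path: (len(data), sha256_hex(data)) for path, data in files.items()}


def manifest_tag(manifest: Manifest, key: bytes) -> str:
    """HMAC over a canonical JSON form, so the manifest itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest_tag(manifest: Manifest, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(manifest_tag(manifest, key), tag)


def verify_backup(files: Dict[str, bytes], manifest: Manifest) -> List[Tuple[str, str]]:
    """(path, problem) for missing, altered or unlisted files; an empty list means the set is intact."""
    problems: List[Tuple[str, str]] = []
    for path, (size, digest) in manifest.items():
        if path not in files:
            problems.append((path, "missing"))
        elif len(files[path]) != size or sha256_hex(files[path]) != digest:
            problems.append((path, "altered"))
    for path in files:
        if path not in manifest:
            problems.append((path, "not-in-manifest"))
    return sorted(problems)


def media_test(files: Dict[str, bytes], manifest: Manifest, key: bytes, tag: str) -> bool:
    """The go/no-go a restore drill wants: manifest authentic and set intact."""
    return verify_manifest_tag(manifest, key, tag) and not verify_backup(files, manifest)


KEY = b"constructed-demo-key-keep-off-the-backup-media"

# Constructed backup set as taken.
ORIGINAL = {
    "scada/config/points.db": b"point-database-v12",
    "scada/config/alarms.cfg": b"alarm thresholds",
    "scada/hmi/displays.tar": b"display pages",
}
MANIFEST = build_manifest(ORIGINAL)
TAG = manifest_tag(MANIFEST, KEY)

# The same set as read back during a media test: one file silently altered,
# one missing, and one stray file that was never part of the image.
READ_BACK = {
    "scada/config/points.db": b"point-database-v12",
    "scada/config/alarms.cfg": b"alarm thresh0lds",
    "scada/tmp/scratch.log": b"junk",
}

if __name__ == "__main__":
    print("original set usable:", media_test(ORIGINAL, MANIFEST, KEY, TAG))
    print("read-back problems:", verify_backup(READ_BACK, MANIFEST))
```

Run the verification against the media in the R4 cache on the same schedule as the R2 drills; a manifest that still checks out months later is the evidence that the media is "still usable" rather than an assumption.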
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
- Identify and document Critical Cyber Assets (physical audit)
- Identify and document Critical Cyber Information (physical audit)
- Identify and document the Physical Security Perimeter (physical inspection)
- Identify and document communication and network connections (physical inspection)
- Identify and document all personnel who have access rights (background checks)
- Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase:
- Review findings versus NERC requirements (non-compliance levels)
- Develop an action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
- Develop and document necessary policies and procedures (iterative reviews)
- Select methods for creating the electronic security perimeter (technology survey)
- Implement and test the electronic perimeter (PEN testing)
- Select methods for creating the physical security perimeter (technology survey)
- Implement and test the physical security perimeter (social engineering testing)
- Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
- Test and validate systems management and recovery procedures (disaster simulation & audits)
- Test and validate system/component test and commissioning procedures (structured audit)
Key methodology/standard
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to “reasonable business judgment”. FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own “business standards”.
FERC Comments on NERC CIPs
FERC also proposes to approve NERC’s implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must “begin work” on compliance upon registration with NERC, must be “substantially compliant” within 12 months of registration, and must be “compliant” within 24 months of registration. Entities must ultimately be “auditably compliant” by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves “auditably compliant” status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC’s existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using “reasonable business judgment”. This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a “risk-based assessment methodology”. FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that “the most critical element of a Cyber Security Standard is the Requirements” because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying “exceptions”, or areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation’s electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC’s assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
[Chart: Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Horizontal axis: 2007 Q2 through 2010 Q4, by quarter. Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5. Each requirement row carries milestone markers for BW (Begin Work), SC (Substantial Completion), C (Completion) and AC (Auditable Compliance); the quarter of each marker is not recoverable from the extracted text.]
Compliance Schedule – Table 1 (Other Facilities)
[Chart: Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Horizontal axis: 2007 Q2 through 2010 Q4, by quarter. Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5. Milestone markers per requirement: BW (Begin Work), SC (Substantial Completion), C (Completion), AC (Auditable Compliance); the quarter of each marker is not recoverable from the extracted text.]
Compliance Schedule – Table 2 (All Facilities)
[Chart: Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Horizontal axis: 2007 Q2 through 2010 Q4, by quarter. Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5. Milestone markers per requirement: BW (Begin Work), SC (Substantial Completion), C (Completion), AC (Auditable Compliance); the quarter of each marker is not recoverable from the extracted text.]
Compliance Schedule – Table 3 (All Facilities)
[Chart: Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Horizontal axis: 2007 Q1 through 2010 Q4, by quarter. Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5. Milestone markers per requirement: BW (Begin Work), SC (Substantial Completion), C (Completion), AC (Auditable Compliance); the quarter of each marker is not recoverable from the extracted text.]
Compliance Schedule – Table 4 (All Facilities)
[Chart: Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter. Horizontal axis: quarters after registration, Q1 through Q11 ("Registration Plus"). Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5. Milestone markers per requirement: BW (Begin Work), SC (Substantial Completion), C (Completion), AC (Auditable Compliance); the quarter of each marker is not recoverable from the extracted text.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions?
Compliance Schedule – Generalized
[Chart: Compliance Schedule for Most Entities. Horizontal axis: 2007 Q1 through 2010 Q4, by quarter, with a "Today" marker. Rows: the requirements of each CIP-00x standard (R1, R2, R3, R4 … Rx). Milestones per requirement: Begin Work, Substantial Completion, Completion, Auditable Compliance; the quarter of each milestone is not recoverable from the extracted text.]
Each CIP is composed of a set of requirements.
Most requirements must achieve AC (Auditable Compliance) by the end of 2010.
Some requirements must achieve AC by the end of 2009.
CIP-001 is in place for all utilities; 002-009 are the main effort now.
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R1 – Identify and inventory critical electric system assets
• R2 – Identify and inventory critical cyber assets
• R3 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service, or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the “risk” assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)

Severity of consequences   | Public Health and Safety             | Customer outages       | Outage duration    | Power system stability          | Power generation impacts
Very serious consequences  | Numerous deaths and serious injuries | > 250,000 customers    | Duration in months | Major transmission line outages | > 10,000 MW put offline
Major consequences         | Scattered deaths or serious injuries | > 100,000 customers    | Duration in weeks  | Limited inter-tie disruption    | > 1,000 MW put offline
Minor consequences         | Minor non-life-threatening injuries  | Thousands of customers | Duration in days   | Temporary islanding             | > 100 MW put offline
Insignificant consequences | None of significance                 | Hundreds of customers  | Duration in hours  | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure on-going attention to, and the priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont.)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers and Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program with policies and procedures, and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets, and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and identifies improper account management
• R5 – Classify, protect, and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis, and that appropriate countermeasures are deployed as needed.
Important Terms (cont.)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public Networks
- “SNEAKERnet” (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication, and for access monitoring and intrusion detection.
Establishing the “Electronic Perimeter”
[Diagram: a SCADA/EMS system/facility and every connection into it. Labels in the diagram: SCADA LAN; Corporate Dept LAN; doubly-connected workstations; Gateway; Web server; Email; ISP; INTERNET; TelCo; WAN; a related system; unprotected MODEM; dial-out/backup; RTUs; physical media; WiFi AP; portable devices; storage devices; backup site SCADA/EMS system; transmission substations reached over a leased T1 line and IP to the substation; dial-in IED access; regional balancing authority, Transmission Operator or Reliability Coordinator. The “x” markers the original figure places on individual connections cannot be positioned from the extracted text.]
Defending the “Electronic Perimeter”
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont.)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont.)
Physical Security Perimeter: The physical six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable “strong” identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
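An added example (not from the presentation) of the access monitoring and logging described above: a constructed badge-reader export is reconciled against the documented perimeter access points (CIP-006 R1) and the documented personnel access rights (CIP-004 R4), every attempt is retained (CIP-006 R4/R5), and control failures are marked for notification. The door names, badge numbers, log format and the three-denials-in-ten-minutes rule are assumptions.

```python
"""Added example (not from the presentation): review of a physical access
control log against the documented perimeter and documented access rights."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) door=(?P<door>\S+) "
    r"badge=(?P<badge>\S+) result=(?P<result>GRANTED|DENIED)$"
)

# CIP-006 R1: the documented access points into the physical security perimeter.
PERIMETER_DOORS = {"CTRL-ROOM-1", "SERVER-ROOM-1", "TELECOM-1"}

# CIP-004 R4: badge -> (person, doors that person's job actually requires).
AUTHORIZED = {
    "10443": ("operator A", {"CTRL-ROOM-1"}),
    "10871": ("sysadmin B", {"CTRL-ROOM-1", "SERVER-ROOM-1", "TELECOM-1"}),
}

# Constructed sample export from the access control system.
SAMPLE_LOG = """\
2008-03-04T08:02:11 door=CTRL-ROOM-1 badge=10443 result=GRANTED
2008-03-04T08:05:40 door=SERVER-ROOM-1 badge=10443 result=DENIED
2008-03-04T08:06:02 door=SERVER-ROOM-1 badge=10443 result=DENIED
2008-03-04T08:06:30 door=SERVER-ROOM-1 badge=10443 result=DENIED
2008-03-04T09:15:00 door=SERVER-ROOM-1 badge=20999 result=GRANTED
2008-03-04T09:20:00 door=TELECOM-1 badge=10443 result=GRANTED
2008-03-04T10:00:00 door=LOADING-DOCK badge=10871 result=GRANTED
reader offline ... partial record
""".splitlines()


def parse(line):
    """Return the event fields, or None for a record the reader did not complete."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review(lines, max_denials=3, window=timedelta(minutes=10)):
    """Classify every event. Nothing is dropped: unauthorized and unparseable
    records are retained with an issue tag, since CIP-006 R5 requires a log of
    all access attempts, successful or not."""
    denials = defaultdict(list)  # (badge, door) -> timestamps of recent denials
    out = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            out.append({"raw": line, "issue": "unparseable-record"})
            continue
        person, doors = AUTHORIZED.get(ev["badge"], (None, set()))
        issue = None
        if ev["door"] not in PERIMETER_DOORS:
            # Either not a perimeter access point at all, or a gap in the R1 plan.
            issue = "door-not-in-perimeter-plan"
        elif ev["result"] == "GRANTED":
            if person is None:
                issue = "granted-to-undocumented-badge"     # control failure
            elif ev["door"] not in doors:
                issue = "granted-beyond-documented-rights"  # control misconfigured
        else:
            key = (ev["badge"], ev["door"])
            denials[key] = [t for t in denials[key] if ev["ts"] - t <= window]
            denials[key].append(ev["ts"])
            issue = "repeated-denials" if len(denials[key]) >= max_denials else "denied"
        out.append({**ev, "issue": issue})
    return out


def needs_notification(finding):
    """CIP-006 R3 / CIP-007 R6: conditions that should notify someone now,
    not just sit in the retained log."""
    issue = finding["issue"] or ""
    return issue.startswith("granted-") or issue in ("repeated-denials", "door-not-in-perimeter-plan")


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        flag = "ALERT" if needs_notification(f) else "     "
        record = f.get("raw") or f"{f['ts']} {f['door']} badge {f['badge']} {f['result']}"
        print(flag, f["issue"] or "ok", "|", record)
```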
Establishing the “Physical Perimeter”
[Diagram: a Facility with limited, monitored/controlled access points, containing a SCADA Operations area that in turn has its own limited, monitored/controlled access points. Inside: Control Room, Computer/server Room, Telecom/LAN Room and Office Areas, joined by monitored hallways, with controlled/monitored access and separate access rights for each area.]
Defending the “Physical Perimeter”
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont.)
Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to ensure “strong” user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
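An added example (not from the presentation) of two checks that the CIP-005 R4 vulnerability assessment and the CIP-007 R2 and R5 requirements above call for on one host: the ports and services actually listening compared against an approved baseline, and local accounts checked for documented ownership and dormancy. The `ss -tulnp` output, the baseline, the account list and the 90-day dormancy threshold are constructed assumptions for a hypothetical SCADA front-end host.

```python
"""Added example (not from the presentation): port/service baseline check
(CIP-007 R2, CIP-005 R4) and account management sweep (CIP-007 R5)."""
import re

SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Constructed output of `ss -tulnp` on the host under assessment.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    10.1.1.5:502       0.0.0.0:*    users:(("modbus-fe",pid=1201,fd=5))
tcp   LISTEN 0      50     0.0.0.0:23         0.0.0.0:*    users:(("in.telnetd",pid=655,fd=4))
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*    users:(("httpd",pid=990,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*    users:(("snmpd",pid=900,fd=6))
"""

# Approved ports/services for this asset (constructed): (proto, port) -> process.
BASELINE = {
    ("tcp", 22): "sshd",
    ("tcp", 502): "modbus-fe",
    ("tcp", 2404): "iec104-fe",  # approved and expected, but not running in the sample
}

# Constructed local account inventory: (user, shell, documented owner, days since last login).
ACCOUNTS = [
    ("scadaop", "/bin/bash", "operations team", 2),
    ("vendor", "/bin/bash", None, 140),            # shared vendor login, nobody owns it
    ("hmi", "/bin/bash", "HMI application", 400),  # interactive shell, long dormant
    ("modbus-fe", "/usr/sbin/nologin", "service account", 999),
]


def parse_ss(text):
    """Parse listening sockets from `ss -tulnp` output; the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["proc"] = d["proc"] or "?"
            sockets.append(d)
    return sockets


def check_services(ss_text, baseline):
    """Three finding kinds: a listening port that is not approved, an approved
    port answered by a different process, and an approved service that is down."""
    findings, seen = [], set()
    for s in parse_ss(ss_text):
        key = (s["proto"], s["port"])
        seen.add(key)
        where = f"{s['proto']}/{s['port']} ({s['proc']}) bound to {s['addr']}"
        if key not in baseline:
            findings.append(("unapproved-service", where))
        elif baseline[key] != s["proc"]:
            findings.append(("unexpected-process", f"{where}, expected {baseline[key]}"))
    for key, proc in baseline.items():
        if key not in seen:
            findings.append(("approved-service-missing", f"{key[0]}/{key[1]} ({proc})"))
    return findings


def check_accounts(accounts, dormant_days=90):
    """CIP-007 R5: every interactive account needs a documented owner, and
    dormant ones get flagged for removal (90 days is an assumed policy value)."""
    findings = []
    for user, shell, owner, idle_days in accounts:
        if shell.endswith("nologin"):  # non-interactive service account
            continue
        if owner is None:
            findings.append(("account-without-documented-owner", user))
        if idle_days > dormant_days:
            findings.append(("dormant-interactive-account", f"{user}, idle {idle_days} days"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_services(SS_OUTPUT, BASELINE) + check_accounts(ACCOUNTS):
        print(f"{kind:34s} {detail}")
```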
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify that it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure that recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Methods shown alongside these steps: Physical Audit; Physical Audit; Physical Inspection; Physical Inspection; Background checks; NERC checklist
Action plan formulation phase
• Review findings versus NERC requirements
• Develop action plan for addressing all short-comings
• Non-compliance levels
Key methodology/standard: NERC 1200
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 – The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs (cont)
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to the next.
FERC Concerns with CIPs (cont)
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs (cont)
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule Charts (Tables 1 through 4)
[Each chart plots, for every requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), the quarter in which the Responsible Entity must reach each compliance stage, marked with a diamond. Legend: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant. The quarter assigned to each marker is not recoverable from the extracted text.]

Compliance Schedule – Table 1 (Control Centers) and Table 1 (Other Facilities)
Compliance schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Time axis: Q2 2007 through Q4 2010.

Compliance Schedule – Table 2 (All Facilities)
Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Time axis: Q2 2007 through Q4 2010.

Compliance Schedule – Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Time axis: Q1 2007 through Q4 2010.

Compliance Schedule – Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter. Time axis: quarters after registration (registration plus Q1 through Q11).
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions?
CIP-001 Sabotage Reporting
Required Initial Actions
Create employee awareness of the need to monitor for and formally report any attempt to sabotage facilities or assets, to contact responsible entities (such as the FBI), and to provide written reporting using NERC-issued forms and formats. Establish formal contacts at the FBI and maintain audit records.
Required On-Going Actions
Establish a policy and procedures that ensure that employees know their responsibilities and the mechanisms for reporting in a timely manner.
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R2 – Identify and inventory critical electric system assets
• R3 – Identify and inventory critical cyber assets
• R4 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart: rows give the severity of consequences, columns the category of consequence of an attack.

Severity of consequences  | Public health and safety             | Customer outages    | Outage duration | Power system stability          | Power generation impacts
Very serious consequences | Numerous deaths and serious injuries | >250,000 customers  | Months          | Major transmission line outages | >10,000 MW put offline
Major consequences        | Scattered deaths or serious injuries | >100,000 customers  | Weeks           | Limited inter-tie disruption    | >1,000 MW put offline
Minor consequences        | Minor, non-life-threatening injuries | Thousands of customers | Days         | Temporary islanding             | >100 MW put offline
Insignificant consequences | None of significance                | Hundreds of customers | Hours         | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at a minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Asset/Information; Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 – Classify, protect and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Network diagram: a SCADA/EMS system/facility with its SCADA LAN, a backup-site SCADA/EMS system, RTUs and transmission substations reached over leased T1 lines through the TelCo (IP to the substation), a WAN link to the regional balancing authority / transmission operator or reliability coordinator, and the corporate and department LANs with gateway, web server and e-mail connected through an ISP to the Internet. The points marked x in the diagram are perimeter crossings that must be identified: an unprotected modem, dial-out backup and dial-in IED access via the TelCo, a WiFi AP, doubly-connected workstations, portable devices, storage devices and physical media, and a related system.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
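R3 through R5 are only worth something if somebody actually reviews the retained access log against who is authorized (the personnel list CIP-004 R4 produces): a reader that grants a badge the roster does not know, or admits someone into a room they are not cleared for, is a failed control rather than a routine entry. The Python below is an added example, not code from the original slides or from Cyber SECurity Consulting; the badge roster, reader names, shift hours and log lines are constructed, and the one-line-per-event log layout is an assumed format rather than any particular access-control vendor's.

```python
"""
Added example (not part of the original slides): review a badge-reader log from
Physical Security Perimeter access points (CIP-006 R3-R5) against the list of
personnel authorized under CIP-004 R4.  Roster, reader names, shift hours and
log lines are constructed; the log format is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: areas each badge may enter and the authorized shift (hours).
AUTHORIZED = {
    "1042": {"name": "operator A", "areas": {"control-room"}, "shift": (6, 18)},
    "1077": {"name": "sysadmin B", "areas": {"control-room", "server-room", "telecom-room"}, "shift": (0, 24)},
    "2210": {"name": "contractor C", "areas": {"telecom-room"}, "shift": (8, 17)},
}

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) reader=(?P<reader>\S+) "
    r"area=(?P<area>\S+) badge=(?P<badge>\d+) result=(?P<result>GRANTED|DENIED)$"
)
DENIED_THRESHOLD = 3                      # this many denials from one badge ...
DENIED_WINDOW = timedelta(minutes=10)     # ... inside this window is treated as probing

# Constructed log: one entry is deliberately malformed to show it is not dropped silently.
SAMPLE_LOG = """\
2008-03-04 07:02:11 reader=CR-01 area=control-room badge=1042 result=GRANTED
2008-03-04 07:05:40 reader=SR-01 area=server-room badge=1077 result=GRANTED
2008-03-04 09:14:02 reader=TR-01 area=telecom-room badge=2210 result=GRANTED
2008-03-04 09:20:55 reader=SR-01 area=server-room badge=2210 result=DENIED
2008-03-04 09:21:30 reader=SR-01 area=server-room badge=2210 result=DENIED
2008-03-04 09:22:08 reader=SR-01 area=server-room badge=2210 result=DENIED
2008-03-04 10:30:00 reader=SR-01 area=server-room badge=2210 result=GRANTED
2008-03-04 22:45:12 reader=CR-01 area=control-room badge=1042 result=GRANTED
2008-03-04 23:01:33 reader=CR-01 area=control-room badge=9999 result=GRANTED
reader CR-01 heartbeat lost
""".splitlines()


def parse(lines):
    """Split the log into parsed events and lines that did not parse."""
    events, bad = [], []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            bad.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events, bad


def review_log(lines):
    """Return (events, findings): the full parsed log retained for audit (R5)
    and the conditions that need follow-up."""
    events, bad = parse(lines)
    findings = []
    denied = defaultdict(list)
    for e in events:
        person = AUTHORIZED.get(e["badge"])
        if e["result"] == "DENIED":
            denied[e["badge"]].append(e["ts"])
            recent = [t for t in denied[e["badge"]] if e["ts"] - t <= DENIED_WINDOW]
            if len(recent) == DENIED_THRESHOLD:
                findings.append(f"{e['ts']} badge {e['badge']}: {DENIED_THRESHOLD} denials at {e['reader']} within {DENIED_WINDOW}")
            continue
        # GRANTED: the reader's decision must agree with the roster.
        if person is None:
            findings.append(f"{e['ts']} badge {e['badge']}: granted at {e['reader']} but not on authorized list")
        elif e["area"] not in person["areas"]:
            findings.append(f"{e['ts']} badge {e['badge']} ({person['name']}): granted into {e['area']} outside authorized areas")
        else:
            start, end = person["shift"]
            if not (start <= e["ts"].hour < end):
                findings.append(f"{e['ts']} badge {e['badge']} ({person['name']}): access to {e['area']} outside authorized hours")
    if bad:
        findings.append(f"{len(bad)} unparseable log line(s): check reader and log integrity")
    return events, findings


if __name__ == "__main__":
    _events, found = review_log(SAMPLE_LOG)
    for f in found:
        print(f)
```

The roster check is the important one: a grant to a badge the roster does not contain, or into an area it is not cleared for, means the reader's configuration has drifted from the documented access rights, which is exactly the condition the on-going review in the next slide is meant to catch.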
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a facility with limited, monitored/controlled access points; inside it, the SCADA operations area with its own limited, monitored/controlled access points, containing the control room, computer/server room and telecom/LAN room, each with separate access rights and controlled, monitored access; office areas and monitored hallways surround them.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
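A concrete way to do the open-port and service check called for in CIP-005 R4 and to verify the "disable unnecessary ports and services" requirement of R2 above is to diff what a critical cyber asset actually listens on against an approved, documented baseline, and to treat both directions of the diff as findings: an unapproved listener is exposure, and an approved service that has stopped listening is either an outage or a stale baseline. The Python below is an added example, not code from the original slides or from Cyber SECurity Consulting; the host name, the baseline and the socket listing (in the column layout printed by `ss -Hlntu` on Linux) are constructed, and which ports count as approved is an assumption made for the demonstration.

```python
"""
Added example (not part of the original slides): compare the ports/services a
critical cyber asset listens on against an approved baseline (CIP-005 R4
vulnerability assessment, CIP-007 R2 hardening).  The host name, the baseline
and the `ss -Hlntu` listing below are constructed for the example.
"""

# Constructed baseline for the SCADA front-end processor:
# 22 = SSH for administration, 502 = Modbus/TCP, 20000 = DNP3.
BASELINE = {
    "fep-01": {("tcp", 22), ("tcp", 502), ("tcp", 20000)},
}

# Constructed `ss -Hlntu` output (Netid State Recv-Q Send-Q Local Peer).
# Note that Modbus (502) is absent and telnet, VNC and SNMP are present.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:20000     0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128             [::]:5900      [::]:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return (proto, address, port) for each listening socket in ss output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
        sockets.append((proto, addr, int(port)))
    return sockets


def assess_host(host, ss_text, baseline=BASELINE):
    """Return findings as (severity, message) tuples, highest severity first."""
    approved = baseline.get(host, set())
    findings = []
    seen = set()
    for proto, addr, port in parse_ss(ss_text):
        seen.add((proto, port))
        if (proto, port) in approved:
            continue
        if addr in LOOPBACK:
            # Reachable only from the host itself: still unapproved, lower priority.
            findings.append(("low", f"{proto}/{port} listening on loopback only, not in baseline"))
        else:
            findings.append(("high", f"{proto}/{port} listening on {addr}, not in baseline: disable or justify"))
    for proto, port in sorted(approved - seen):
        findings.append(("medium", f"{proto}/{port} approved but not listening: service down or baseline stale"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, msg in assess_host("fep-01", SAMPLE_SS_OUTPUT):
        print(f"[{severity}] {msg}")
```

Run against a real host the listing would come from `ss -Hlntu` (or `netstat -lntu` on older systems) captured during the assessment window; the baseline should be the documented one from the CIP-003 change-management record, not whatever the host happened to expose last time, or the check degenerates into approving drift.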
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
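R6 above, together with the access monitoring of CIP-005 R3, calls for automatic notification of violation attempts at the perimeter; the rules that matter most at an access point are a burst of failed logins from one source, a successful login that follows such a burst, and a successful login from somewhere administrators are not supposed to come from. The Python below is an added example, not code from the original slides or from Cyber SECurity Consulting; it reads OpenSSH authentication messages in syslog format, with the host name, addresses, management network, thresholds and log lines constructed for the demonstration and the year assumed because syslog timestamps carry none.

```python
"""
Added example (not part of the original slides): raise notifications for
electronic access attempts into the security perimeter from OpenSSH syslog
lines (CIP-005 R3 access review, CIP-007 R6 automatic notification).  Host
names, addresses, the management network, thresholds and the log lines are
constructed; the year is assumed because syslog timestamps omit it.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2008                                               # assumed
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]     # constructed: permitted admin sources
FAIL_THRESHOLD = 4            # failures from one source inside FAIL_WINDOW -> notify
FAIL_WINDOW = timedelta(minutes=5)
SUCCESS_AFTER_FAILS = 2       # a success preceded by this many recent failures -> critical

SYSLOG = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed log: a password-guessing burst from outside that ends in a login,
# and one harmless typo from an administrator on the management network.
SAMPLE_LOG = """\
Mar  4 01:58:10 ems-gw sshd[3990]: Accepted publickey for scadaadm from 192.168.10.5 port 40010 ssh2
Mar  4 02:11:05 ems-gw sshd[4021]: Failed password for invalid user admin from 10.9.8.7 port 51522 ssh2
Mar  4 02:11:09 ems-gw sshd[4023]: Failed password for invalid user root from 10.9.8.7 port 51523 ssh2
Mar  4 02:11:14 ems-gw sshd[4025]: Failed password for operator from 10.9.8.7 port 51524 ssh2
Mar  4 02:11:20 ems-gw sshd[4027]: Failed password for operator from 10.9.8.7 port 51525 ssh2
Mar  4 02:12:02 ems-gw sshd[4031]: Accepted password for operator from 10.9.8.7 port 51530 ssh2
Mar  4 03:40:44 ems-gw sshd[4102]: Failed password for scadaadm from 192.168.10.5 port 40022 ssh2
Mar  4 03:40:51 ems-gw sshd[4104]: Accepted publickey for scadaadm from 192.168.10.5 port 40023 ssh2
""".splitlines()


def parse_events(lines):
    """Extract authentication decisions; other sshd messages are not access events."""
    events = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        a = AUTH.match(m["msg"])
        if not a:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "src": a["src"], "user": a["user"],
                       "ok": a["outcome"] == "Accepted", "method": a["method"]})
    return events


def monitor(lines):
    """Return notifications as (severity, message); empty means nothing to report."""
    alerts = []
    failures = defaultdict(list)      # source address -> timestamps of recent failures
    for e in parse_events(lines):
        src = e["src"]
        recent = [t for t in failures[src] if e["ts"] - t <= FAIL_WINDOW]
        if not e["ok"]:
            recent.append(e["ts"])
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("high", f"{e['ts']} {e['host']}: {FAIL_THRESHOLD} failed logins from {src} within {FAIL_WINDOW}"))
            continue
        from_mgmt = any(ipaddress.ip_address(src) in n for n in MGMT_NETS)
        if len(recent) >= SUCCESS_AFTER_FAILS:
            alerts.append(("critical", f"{e['ts']} {e['host']}: login as {e['user']} from {src} after {len(recent)} recent failures"))
        elif not from_mgmt:
            alerts.append(("high", f"{e['ts']} {e['host']}: login as {e['user']} from {src}, outside management networks"))
        elif e["method"] == "password":
            alerts.append(("medium", f"{e['ts']} {e['host']}: password (single-factor) login as {e['user']} from {src}"))
        failures[src] = []            # a success closes the failure window for that source
    return alerts


if __name__ == "__main__":
    for severity, msg in monitor(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```

The single failure before the administrator's key login at 03:40 deliberately produces no notification; what turns a success into a critical alert is the burst that precedes it, which is the pattern a guessed or reused password leaves behind. The medium-severity rule flags password-only logins, the same weakness the strong-authentication requirement in R5 is meant to remove.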
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically test the backup media to verify that it is still usable and suitable for restore operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure that recovery can be achieved.
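One cheap, repeatable check that supports R4 and R5 above, given here as an added example rather than code from the deck: record a SHA-256 manifest of every backup image at the time it is taken, store the manifest away from the media, and re-read the media on a schedule to find images that have rotted or gone missing. A hash match proves the media still reads back what was written; it does not replace the R2 restore drill, which is the only test that proves the image actually brings the critical cyber asset back. The directory layout, file names and manifest format are assumptions, and the three "images" are constructed inline so the script runs stand-alone.

```python
"""Backup-image manifest and media verification check (added example).

Supports CIP-009 R4/R5: secure backup images and periodically verify that
the backup media is still usable. Assumed (hypothetical) layout: all images
of one critical cyber asset sit in one directory, and a manifest records the
SHA-256 digest and size of each image when the backup was taken.
"""
import hashlib
import json
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> dict:
    """Record digest and size of every image in backup_dir at backup time."""
    manifest = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            manifest[name] = {"sha256": sha256_of_file(path),
                              "size": os.path.getsize(path)}
    return manifest


def verify_backups(backup_dir: str, manifest: dict) -> dict:
    """Re-read every image on the media and compare it with the manifest.

    Returns {"ok": [...], "corrupt": [...], "missing": [...]} so the R5 test
    record shows exactly which images are still candidates for a restore.
    """
    result = {"ok": [], "corrupt": [], "missing": []}
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
            continue
        if (os.path.getsize(path) != expected["size"]
                or sha256_of_file(path) != expected["sha256"]):
            result["corrupt"].append(name)
        else:
            result["ok"].append(name)
    return result


def demo() -> dict:
    """Constructed scenario: three images; one later corrupted, one lost."""
    with tempfile.TemporaryDirectory() as d:
        for name, payload in [("scada-master.img", b"A" * 4096),
                              ("historian.img", b"B" * 2048),
                              ("rtu-config.tar", b"C" * 512)]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(payload)
        manifest = build_manifest(d)
        # In practice the manifest is kept off the media it describes.
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f)
        # Simulate bit rot in one image and loss of another.
        with open(os.path.join(d, "historian.img"), "r+b") as f:
            f.seek(100)
            f.write(b"X")
        os.remove(os.path.join(d, "rtu-config.tar"))
        return verify_backups(d, manifest)


if __name__ == "__main__":
    print(demo())
```

The size comparison is kept alongside the digest so a truncated image is reported without the cost of hashing it first; a digest mismatch with an unchanged size is the signature of media decay or tampering rather than an incomplete copy.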
Cyber Securing SCADA Systems – NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist
Action plan formulation phase:
• Review findings versus NERC requirements (assign non-compliance levels)
• Develop an action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems – NERC Compliance Process
Plan implementation phase:
• Develop and document the necessary policies and procedures
• Select methods for creating the electronic security perimeter; implement and test the electronic perimeter
• Select methods for creating the physical security perimeter; implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test and commissioning procedures
Supporting activities: disaster simulation & audits
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008 (FERC Order No. 706, January 2008), FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance with the standards. The CIP standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that it requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to each Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to the next.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Scope: Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
Timeline: 2007 Q2 through 2010 Q4, by quarter.
Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Legend: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.
[chart: quarter-by-quarter BW/SC/C/AC milestones per requirement; markers not recoverable from the transcript]
Compliance Schedule – Table 1 (Other Facilities)
Scope: Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
Timeline: 2007 Q2 through 2010 Q4, by quarter.
Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Legend: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.
[chart: quarter-by-quarter BW/SC/C/AC milestones per requirement; markers not recoverable from the transcript]
Compliance Schedule – Table 2 (All Facilities)
Scope: Transmission Service Providers, Regional Reliability Organizations, and those TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
Timeline: 2007 Q2 through 2010 Q4, by quarter.
Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Legend: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.
[chart: quarter-by-quarter BW/SC/C/AC milestones per requirement; markers not recoverable from the transcript]
Compliance Schedule – Table 3 (All Facilities)
Scope: Responsible Entities (IAs, TOs, etc.) required to register during 2006.
Timeline: 2007 Q1 through 2010 Q4, by quarter.
Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Legend: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.
[chart: quarter-by-quarter BW/SC/C/AC milestones per requirement; markers not recoverable from the transcript]
Compliance Schedule – Table 4 (All Facilities)
Scope: Responsible Entities registering in 2007 and thereafter.
Timeline: quarters after registration (registration plus Q1 through Q11).
Rows: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Legend: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.
[chart: quarter-by-quarter BW/SC/C/AC milestones per requirement; markers not recoverable from the transcript]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions?
CIP-002 Critical Cyber Assets
Required Initial Actions
Create an inventory of Critical power system Assets and then, using a risk-based assessment methodology, identify the associated Critical Cyber Assets that are essential for the proper operation and availability of those Critical Assets. Assign responsibility for overseeing this activity to a senior manager.
• R1 – Define a risk-based methodology for critical asset identification
• R2 – Identify and inventory critical electric system assets
• R3 – Identify and inventory critical cyber assets
• R4 – Perform annual (and as-needed) reviews of these inventories
Required On-Going Actions
Establish a policy and procedures that ensure that these inventories are reviewed and updated at least annually, and within 90 days of whenever a Critical Asset is added, removed from service or operationally modified. Audit trail documentation should be maintained for at least one year.
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents, and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (severity of consequences, by category of consequence of an attack):

Severity                   | Public health and safety             | Customer outages       | Outage duration | Power system stability          | Power generation impacts
Very serious consequences  | Numerous deaths and serious injuries | > 250,000 customers    | Months          | Major transmission line outages | > 10,000 MW put offline
Major consequences         | Scattered deaths or serious injuries | > 100,000 customers    | Weeks           | Limited inter-tie disruption    | > 1,000 MW put offline
Minor consequences         | Minor, non-life-threatening injuries | Thousands of customers | Days            | Temporary islanding             | > 100 MW put offline
Insignificant consequences | None of significance                 | Hundreds of customers  | Hours           | No impact                       | Tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program, with associated policies, guidelines, baselines and procedures, that will ensure on-going attention to, and the priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at a minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
• Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
• Asset/Information Classification And Control: Accountability For Assets/Information; Classification; Information access procedures
• Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
• Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
• Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
• Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
• Auditing and Review Policy
• Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
• Operational Continuity Management: Incident reporting/response; Recovery planning and testing
• Compliance: Compliance With Legal Requirements (SOX, HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
• High-Level Information Security Policy; Detailed Information Security Policy
• Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
• External Communications Security Policy
• Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
• Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
• Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
• Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
• Privacy Policy (Stringent): Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
• Privacy Policy (Lenient): Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers and Vendors
• Web Privacy Policy
• Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
• External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
• Information Ownership Policy
• Firewall Policy; Download Policy
• Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
• External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training, and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel who are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets, and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all of its access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points and tests for open ports and services and for improper account management
• R5 – Classify and protect the information and documentation resulting from this process, and establish policies and procedures for handling it
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
• Telephone [leased/dial/cellular]
• LAN, WAN, WLAN
• Private/public networks
• "SNEAKERnet" (portable devices/media)
• Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
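The enumeration step above (CIP-005 R1: identify the perimeter and ALL of its access points) can be made mechanical once an asset and interface inventory exists. The following is an added example, not code from the original deck: given the declared ESP (here, the SCADA LAN address range) and an inventory, it lists every interface on an ESP-connected host that is itself outside the ESP, which is exactly where dual-homed workstations, modems, WiFi and removable media appear in the diagram that follows, and it reports the crossings absent from the documented access-point list. The inventory, address ranges, interface kinds and field names are constructed for illustration.

```python
"""Electronic Security Perimeter access-point enumeration (added example).

Assumptions (hypothetical): the ESP is declared as one or more IP ranges,
and the inventory records each asset's interfaces with a kind and, for IP
interfaces, an address. Non-IP interfaces (modem, wifi, serial, usb) are
never "inside" the ESP; on an ESP host they are always perimeter crossings.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    kind: str            # "ip", "modem", "wifi", "serial", "usb"
    address: str = ""    # IP address when kind == "ip", free text otherwise


@dataclass
class Asset:
    name: str
    interfaces: list = field(default_factory=list)


def in_esp(iface: Interface, esp_nets) -> bool:
    """Only IP interfaces on a declared ESP network are inside the perimeter."""
    if iface.kind != "ip":
        return False
    addr = ipaddress.ip_address(iface.address)
    return any(addr in net for net in esp_nets)


def find_access_points(assets, esp_cidrs, documented):
    """Return the perimeter crossings the inventory implies.

    A crossing is any interface on a host that also has an ESP interface but
    is not itself inside the ESP. Crossings absent from the documented list
    (pairs of host name and interface kind) are reported separately so the
    access-point list can be corrected or the path removed.
    """
    esp_nets = [ipaddress.ip_network(c) for c in esp_cidrs]
    crossings = []
    for asset in assets:
        inside = [i for i in asset.interfaces if in_esp(i, esp_nets)]
        outside = [i for i in asset.interfaces if not in_esp(i, esp_nets)]
        if not inside:
            continue  # not an ESP host; out of scope for this check
        for i in outside:
            crossings.append((asset.name, i.kind, i.address))
    undocumented = [c for c in crossings if (c[0], c[1]) not in documented]
    return {"crossings": crossings, "undocumented": undocumented}


# Constructed inventory: the SCADA LAN 10.10.0.0/24 is the declared ESP.
ESP_CIDRS = ["10.10.0.0/24"]
ASSETS = [
    Asset("scada-master", [Interface("ip", "10.10.0.10")]),
    Asset("esp-firewall", [Interface("ip", "10.10.0.1"),
                           Interface("ip", "172.16.5.1")]),
    Asset("ops-workstation-3", [Interface("ip", "10.10.0.42"),
                                Interface("ip", "192.168.20.17"),  # corporate LAN
                                Interface("usb", "removable media")]),
    Asset("rtu-gateway", [Interface("ip", "10.10.0.20"),
                          Interface("modem", "dial-in, no auth")]),
    Asset("corp-mail", [Interface("ip", "192.168.20.5")]),
]
# Access points the entity has actually documented: (host, interface kind).
DOCUMENTED = {("esp-firewall", "ip")}


def demo():
    return find_access_points(ASSETS, ESP_CIDRS, DOCUMENTED)


if __name__ == "__main__":
    for name, kind, addr in demo()["undocumented"]:
        print(f"UNDOCUMENTED access point: {name} {kind} {addr}")
```

Only the firewall's outside interface is on the documented list, so the run reports the doubly-connected workstation (twice: its corporate LAN interface and its USB port), and the dial-in modem on the RTU gateway. A host with no ESP interface at all, such as the corporate mail server, is ignored here; it belongs to the corporate network's own inventory, not to the ESP.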
Establishing the "Electronic Perimeter" (diagram)
[diagram: a SCADA/EMS system and facility with a SCADA LAN, a gateway, a web server and e-mail; a corporate LAN and department LAN reaching the Internet via an ISP; a leased T1 line to the backup-site SCADA/EMS system; WAN and telco circuits to the regional balancing authority, transmission operator or reliability coordinator; IP links to the substations, with RTUs and dial-in IED access at the transmission substations; an unprotected modem, a dial-out backup circuit and a related system; a WiFi AP, doubly-connected workstations, portable devices, storage devices and physical media. Each of these connections is marked as a crossing of the electronic perimeter that must be identified as an access point.]
Defending the "Electronic Perimeter"
• Intrusion Detection Systems (NIDS/HIDS)
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and a perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, whether successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and keep a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of the access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter" (diagram)
[diagram: a Facility with limited, monitored/controlled access points; within it, SCADA Operations with its own limited, monitored/controlled access points and controlled, monitored access; inside that, separate access rights for the Control Room, the Computer/server Room, the Telecom/LAN Room and the Office Areas, joined by monitored hallways.]
Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies for the use of, additions to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other (compensating) measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, with audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis, and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
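CIP-007 R2 above and the CIP-005 R4 vulnerability assessment both come down to the same question: which services are listening on a critical cyber asset, and is each one on the documented, justified baseline? The following is an added example, not code from the original deck, showing that comparison. The baseline and the listener sample are constructed; the sample only mimics the column layout of `ss -Hltnup` on Linux, whose exact spacing varies between versions, so the regular expression is written to tolerate that rather than to be a full parser.

```python
"""Ports-and-services baseline check (added example).

Supports CIP-007 R2 (disable unnecessary ports and services) and the
CIP-005 R4 assessment step that tests for open ports and services.
Assumed (hypothetical): the baseline is a dictionary of approved
(protocol, port, process) listeners with the justification for each, and
the observed state comes from `ss -Hltnup` captured on the asset.
"""
import re

# Documented baseline for a SCADA master: what may listen, and why.
BASELINE = {
    ("tcp", 22, "sshd"): "engineering access via the ESP jump host",
    ("tcp", 502, "modbusd"): "Modbus/TCP polling of RTUs",
    ("tcp", 20000, "dnp3d"): "DNP3 to the substations",
    ("udp", 123, "ntpd"): "time sync from the GPS clock",
}

# Constructed sample of `ss -Hltnup` output (columns: proto, state,
# recv-q, send-q, local addr:port, peer, process).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128          0.0.0.0:502       0.0.0.0:*    users:(("modbusd",pid=1201,fd=5))
tcp   LISTEN 0      128          0.0.0.0:20000     0.0.0.0:*    users:(("dnp3d",pid=1210,fd=4))
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*    users:(("in.telnetd",pid=640,fd=3))
tcp   LISTEN 0      128        127.0.0.1:5900      0.0.0.0:*    users:(("Xvnc",pid=2231,fd=9))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("ntpd",pid=700,fd=16))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=733,fd=8))
"""

LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str):
    """Turn ss output into (proto, port, process, bind_address) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["proto"], int(m["port"]), m["proc"], m["addr"]))
    return listeners


def compare_to_baseline(listeners, baseline):
    """Split observed listeners into approved ones and deviations.

    Loopback-only listeners are reported separately: they are not reachable
    across the ESP, but R2 still wants them justified or disabled. Baseline
    entries that are not listening are reported too, since a missing
    approved service is an operational fault worth the same attention.
    """
    approved, deviations, loopback_only = [], [], []
    for proto, port, proc, addr in listeners:
        key = (proto, port, proc)
        if key in baseline:
            approved.append(key)
        elif addr.startswith("127.") or addr == "[::1]":
            loopback_only.append(key)
        else:
            deviations.append(key)
    missing = [k for k in baseline if k not in approved]
    return {"approved": approved, "deviations": deviations,
            "loopback_only": loopback_only, "missing": missing}


def demo():
    return compare_to_baseline(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE)


if __name__ == "__main__":
    for proto, port, proc in demo()["deviations"]:
        print(f"NOT IN BASELINE: {proto}/{port} {proc}: disable or document")
```

Against this sample the run flags telnet and SNMP as undocumented network-reachable services and lists the loopback-bound VNC server separately. Keying the baseline on process name as well as port matters in the R2 context: the same port served by an unexpected binary is a change to investigate, not an approved service.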
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and insure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to insure recovery can be achieved.
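A worked example of the CIP-009 R4/R5 backup-media test, added here and not part of the presentation: each backup image is read back from the media in chunks and compared with the SHA-256 digest recorded in a manifest when the backup was written. The image names, contents and manifest are constructed sample data; `historian-03.img` is deliberately altered and `rtu-config-04.tar` is deliberately absent from the media so that the corrupt and missing cases are both exercised.

```python
"""Verify backup images against a manifest recorded when they were written.

Added example for the CIP-009 R4/R5 backup-media test; the image names,
contents and manifest below are constructed sample data, not real backups.
"""
import hashlib
import io

CHUNK_SIZE = 1 << 16  # read images in 64 KiB chunks so large files are never loaded whole


def sha256_of_stream(stream):
    """Return the hex SHA-256 of a file-like object, reading it in chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_manifest(images):
    """Record a digest for every image at backup time: {name: sha256 hex}."""
    return {name: sha256_of_stream(io.BytesIO(data)) for name, data in images.items()}


def verify_backup_media(manifest, open_image):
    """Compare what can be read back from the media with the manifest.

    open_image(name) returns a readable binary stream, or None if the image
    cannot be found on the media. Result: {name: 'ok' | 'corrupt' | 'missing'}.
    """
    results = {}
    for name, expected in manifest.items():
        stream = open_image(name)
        if stream is None:
            results[name] = "missing"
        elif sha256_of_stream(stream) == expected:
            results[name] = "ok"
        else:
            results[name] = "corrupt"
    return results


def media_is_usable(results):
    """The media passes the R5 test only if every manifest entry reads back intact."""
    return all(status == "ok" for status in results.values())


# --- constructed sample data --------------------------------------------------
# Contents as they were written (used to build the manifest).
WRITTEN_IMAGES = {
    "ems-server-01.img": b"EMS server image v1 (constructed sample)",
    "scada-hmi-02.img": b"HMI workstation image (constructed sample)",
    "historian-03.img": b"historian image (constructed sample)",
    "rtu-config-04.tar": b"RTU configuration archive (constructed sample)",
}

# Contents as read back from the media during the periodic test: one image has
# an altered byte and one is not on the media at all.
MEDIA_CONTENTS = {
    "ems-server-01.img": WRITTEN_IMAGES["ems-server-01.img"],
    "scada-hmi-02.img": WRITTEN_IMAGES["scada-hmi-02.img"],
    "historian-03.img": b"historian image (constructed sampl3)",
}

MANIFEST = build_manifest(WRITTEN_IMAGES)


def open_from_media(name):
    """Simulate reading an image from the backup media."""
    data = MEDIA_CONTENTS.get(name)
    return None if data is None else io.BytesIO(data)


def open_from_written(name):
    """Simulate reading an image that is exactly as written (for comparison)."""
    return io.BytesIO(WRITTEN_IMAGES[name])


def sample_results():
    """Run the check over the constructed media; returns the per-image status."""
    return verify_backup_media(MANIFEST, open_from_media)


if __name__ == "__main__":
    for name, status in sample_results().items():
        print(f"{status:8s} {name}")
    print("media usable:", media_is_usable(sample_results()))
```

The manifest is the piece that makes R5 testable: without a digest recorded at backup time, a read-back only proves the media spins, not that the image is the one needed for a restore.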
Cyber Securing SCADA Systems
NERC Self Assessment Process
[Flowchart, reconstructed from the slide text.]
Information gathering phase:
  - Identify and document Critical Cyber Assets
  - Identify and document Critical Cyber Information
  - Identify and document the Physical Security Perimeter
  - Identify and document communication and network connections
  - Identify and document all personnel who have access rights
  - Identify and review all existing cyber security policies and procedures
  Supporting activities shown alongside the boxes: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
  - Review findings versus NERC requirements (non-compliance levels)
  - Develop action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
[Flowchart, reconstructed from the slide text.]
Plan implementation phase:
  - Develop and document necessary policies and procedures
  - Select methods for creating the electronic security perimeter
  - Implement and test the electronic perimeter
  - Select methods for creating the physical security perimeter
  - Implement and test the physical security perimeter
  - Provide security training to all employees as needed
  Supporting activities shown alongside the boxes: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
  - Test and validate systems management and recovery procedures
  - Test and validate system/component test/commissioning procedures
  Supporting activities: disaster simulation & audits, structured audit.
Key methodology/standard
FERC's position on the NERC
Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: milestone timeline from 2007 Q2 to 2010 Q4 (2007: Q2 Q3 Q4; 2008, 2009, 2010: Q1 Q2 Q3 Q4). Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Legend: BW, SC, C, AC, the four implementation stages (begin work, substantially compliant, compliant, auditably compliant). The diamond milestone markers cannot be placed from the extracted text.]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: milestone timeline from 2007 Q2 to 2010 Q4 (2007: Q2 Q3 Q4; 2008, 2009, 2010: Q1 Q2 Q3 Q4). Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Legend: BW, SC, C, AC, the four implementation stages (begin work, substantially compliant, compliant, auditably compliant). The diamond milestone markers cannot be placed from the extracted text.]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: milestone timeline from 2007 Q2 to 2010 Q4 (2007: Q2 Q3 Q4; 2008, 2009, 2010: Q1 Q2 Q3 Q4). Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Legend: BW, SC, C, AC, the four implementation stages (begin work, substantially compliant, compliant, auditably compliant). The diamond milestone markers cannot be placed from the extracted text.]
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: milestone timeline from 2007 Q1 to 2010 Q4 (each year: Q1 Q2 Q3 Q4). Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Legend: BW, SC, C, AC, the four implementation stages (begin work, substantially compliant, compliant, auditably compliant). The diamond milestone markers cannot be placed from the extracted text.]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Chart: milestone timeline measured from registration, "Registration plus" Q1 through Q11. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Legend: BW, SC, C, AC, the four implementation stages (begin work, substantially compliant, compliant, auditably compliant). The diamond milestone markers cannot be placed from the extracted text.]
Understanding the NERC CIP Standards
William T Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions
Threat/Vulnerability Assessment
Normally the "risk" assessment process includes a vulnerability and threat assessment component. These are used to identify and rate threats and attack modalities in alignment with identified vulnerabilities.
NERC/FERC have essentially stated that there are credible and probable threat agents and that the risk of a physical and/or cyber (electronic) attack is sufficiently probable to justify the countermeasures mandated in the CIPs.
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)

Severity                   | Public Health and Safety             | Customer outages       | Outage duration              | Power system stability          | Power generation impacts
Very serious consequences  | Numerous deaths and serious injuries | >250,000 customers     | Duration in terms of months  | Major transmission line outages | >10,000 MW put offline
Major consequences         | Scattered deaths or serious injuries | >100,000 customers     | Duration in terms of weeks   | Limited inter-tie disruption    | >1,000 MW put offline
Minor consequences         | Minor non-life-threatening injuries  | Thousands of customers | Duration in terms of days    | Temporary islanding             | >100 MW put offline
Insignificant consequences | None of significance                 | Hundreds of customers  | Duration in terms of hours   | No impact                       | Tolerable generation outage
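The chart above gives bands but not a procedure, which is exactly the gap FERC raised about the "risk-based assessment methodology" in CIP-002. The following is an added example, not from the presentation, of turning the chart into a repeatable rating: each dimension of a candidate attack scenario is mapped onto its band and the overall rating is taken as the worst dimension. The numeric thresholds (a "thousands" band read as 1,000 and up, "days" as 24 hours and up, "numerous deaths" as ten or more), the worst-dimension rule, and the scenarios themselves are all assumptions made for the example.

```python
"""Apply the consequence rating chart to candidate attack scenarios.

Added example; not part of the presentation. The chart's bands are read as
thresholds and the overall rating is the worst single dimension. Both are
assumptions: the slide shows the bands but not how to combine them.
"""
from dataclasses import dataclass

LEVELS = ("Insignificant", "Minor", "Major", "Very serious")


@dataclass
class Scenario:
    name: str
    deaths: int                 # fatalities expected
    serious_injuries: int
    minor_injuries: int
    customers_out: int
    outage_hours: float
    stability_impact: str       # one of the STABILITY_LEVELS keys
    mw_offline: float


# Categorical column of the chart: stability impact -> level index.
STABILITY_LEVELS = {
    "no impact": 0,
    "temporary islanding": 1,
    "limited inter-tie disruption": 2,
    "major transmission line outages": 3,
}


def _band(value, thresholds):
    """Index of the highest band whose lower bound the value meets.

    thresholds lists the lower bound of levels 1, 2 and 3 in ascending order;
    a value below the first bound is level 0.
    """
    level = 0
    for i, bound in enumerate(thresholds, start=1):
        if value >= bound:
            level = i
    return level


def rate_public_safety(deaths, serious_injuries, minor_injuries):
    # Assumed reading: "numerous deaths" is ten or more; any death or serious
    # injury falls in "scattered deaths or serious injuries".
    if deaths >= 10:
        return 3
    if deaths > 0 or serious_injuries > 0:
        return 2
    if minor_injuries > 0:
        return 1
    return 0


def rate_scenario(s):
    """Return per-dimension levels plus the overall (worst-case) rating."""
    dims = {
        "public_safety": rate_public_safety(s.deaths, s.serious_injuries, s.minor_injuries),
        "customers": _band(s.customers_out, (1_000, 100_000, 250_000)),
        # hours: "days" from 24 h, "weeks" from 7 days, "months" from 30 days
        "duration": _band(s.outage_hours, (24, 24 * 7, 24 * 30)),
        "stability": STABILITY_LEVELS[s.stability_impact],
        "generation": _band(s.mw_offline, (100, 1_000, 10_000)),
    }
    worst = max(dims.values())
    return {"dimensions": dims, "overall": LEVELS[worst], "overall_level": worst}


# Constructed scenarios, not taken from any real assessment.
SAMPLE_SCENARIOS = [
    Scenario("Single distribution feeder trip", 0, 0, 0, 400, 3, "no impact", 40),
    Scenario("Regional control center HMI compromise", 0, 2, 5, 120_000, 24 * 10,
             "limited inter-tie disruption", 1_500),
    Scenario("Generation plant DCS outage, few customers affected", 0, 0, 0, 800, 6,
             "no impact", 12_000),
]


def rate_all(scenarios=SAMPLE_SCENARIOS):
    """Overall rating for each scenario by name."""
    return {s.name: rate_scenario(s)["overall"] for s in scenarios}


if __name__ == "__main__":
    for name, rating in rate_all().items():
        print(f"{rating:13s} {name}")
```

The third scenario is the reason the worst-dimension rule matters: a plant whose loss affects few customers directly still rates "Very serious" on generation impact, so a per-asset method that only counts customers would miss it.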
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will insure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that insure that employees are aware of and adhering to the stated policies and procedures, and insure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy; Detailed Information Security Policy; Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy; Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to insure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights, and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
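The on-going review in CIP-004 (and R3/R4 above) is a reconciliation: every physical or electronic account should map to a person who is still employed, whose role has a documented need for that system, and whose background check and training are current. The following is an added example of that reconciliation, not code from the presentation. The roster, the role-to-system matrix, the account list and the re-check intervals (seven years for background checks, one year for training) are constructed assumptions; the slide only says "periodically".

```python
"""Reconcile access rights against the personnel roster (CIP-004 R3/R4 and the
on-going review). Added example, not from the presentation; the roster, role
matrix, account list and intervals are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Person:
    person_id: str
    role: str
    status: str                         # "active" or "terminated"
    background_check: Optional[date]    # date of last background check, None if never
    training_completed: Optional[date]  # date of last cyber security training


@dataclass
class Account:
    system: str
    username: str
    person_id: Optional[str]            # None when the account maps to no known person
    access: str                         # "physical" or "electronic"


# Which systems each job role has a documented need for (R4). Assumed roles.
ROLE_ACCESS = {
    "operator": {"EMS", "control_room_door"},
    "scada_admin": {"EMS", "historian", "control_room_door", "server_room_door"},
    "analyst": {"historian"},
}

REVIEW_DATE = date(2008, 6, 30)
CHECK_MAX_AGE_DAYS = 365 * 7    # assumed re-check interval; the slide says "periodically"
TRAINING_MAX_AGE_DAYS = 365     # assumed annual training interval


def _stale(when, max_age_days, as_of):
    """True when the event never happened or is older than the allowed interval."""
    return when is None or (as_of - when).days > max_age_days


def reconcile(people, accounts, as_of=REVIEW_DATE):
    """Return a list of (severity, account, reason) findings."""
    by_id = {p.person_id: p for p in people}
    findings = []
    for a in accounts:
        person = by_id.get(a.person_id)
        if person is None:
            findings.append(("high", a, "account not tied to any person on the roster"))
            continue
        if person.status == "terminated":
            findings.append(("high", a, "account still active for terminated personnel"))
            continue
        if a.system not in ROLE_ACCESS.get(person.role, set()):
            findings.append(("medium", a, f"role '{person.role}' has no documented need for {a.system}"))
        if _stale(person.background_check, CHECK_MAX_AGE_DAYS, as_of):
            findings.append(("medium", a, "background check missing or older than the re-check interval"))
        if _stale(person.training_completed, TRAINING_MAX_AGE_DAYS, as_of):
            findings.append(("low", a, "cyber security training missing or out of date"))
    return findings


# --- constructed sample data --------------------------------------------------
PEOPLE = [
    Person("p001", "operator", "active", date(2007, 1, 15), date(2008, 2, 1)),
    Person("p002", "scada_admin", "active", date(2006, 11, 3), date(2007, 1, 20)),  # training lapsed
    Person("p003", "analyst", "terminated", date(2007, 5, 2), date(2008, 1, 10)),
    Person("p004", "operator", "active", None, date(2008, 3, 3)),                    # never checked
]

ACCOUNTS = [
    Account("EMS", "jsmith", "p001", "electronic"),
    Account("control_room_door", "badge-1001", "p001", "physical"),
    Account("EMS", "adm-lee", "p002", "electronic"),
    Account("historian", "rdoe", "p003", "electronic"),             # terminated person
    Account("historian", "ops-shared", None, "electronic"),         # orphan / shared account
    Account("server_room_door", "badge-1004", "p004", "physical"),  # operator with no need
]


def sample_findings():
    """Run the reconciliation over the constructed roster and accounts."""
    return reconcile(PEOPLE, ACCOUNTS)


if __name__ == "__main__":
    for severity, acct, reason in sample_findings():
        print(f"{severity:6s} {acct.system}/{acct.username}: {reason}")
```

Physical badges and electronic logins are reviewed by the same routine on purpose: CIP-004 applies to both kinds of access, and a terminated employee's badge is as much a finding as a forgotten login.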
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets, and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 – Classify, protect, and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, insure that vulnerability assessments are performed and evaluated on a periodic basis, and insure that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public Networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then insure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
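The test described above (does the interface reach a critical cyber asset, is it required, and if so is it authenticated, protected and monitored) can be applied mechanically to an interface inventory. The following is an added example of that review, not code from the presentation. The inventory is constructed from the kinds of interface the slide lists and the elements of the perimeter diagram that follows (unprotected modem, dial-in IED access, WiFi AP, leased T1, portable media); the rule that external circuits need VPN/encryption is taken from the "Defending the Electronic Perimeter" list, and the attribute names are the example's own.

```python
"""Review an inventory of communication interfaces against the Electronic
Security Perimeter (CIP-005 R1–R3). Added example, not from the presentation;
the inventory below is constructed and the interface kinds follow the slide's
list (telephone, LAN/WAN/WLAN, private/public networks, "sneakernet").
"""
from dataclasses import dataclass

# Interface kinds that cross the perimeter to an external party or medium and
# therefore need VPN/encryption on the circuit in addition to authentication.
EXTERNAL_KINDS = {"dial_in", "dial_out", "leased_line", "wan", "internet", "wlan"}


@dataclass
class Interface:
    name: str
    kind: str                      # dial_in, dial_out, leased_line, wan, lan, wlan, internet, portable_media
    reaches_cca: bool              # can traffic on it reach a Critical Cyber Asset?
    required: bool                 # is there a documented operational need?
    documented_access_point: bool  # listed as an ESP access point (R1)
    strong_auth: bool              # multi-factor or equivalent at the access point (R2)
    encrypted: bool                # VPN/encryption on the circuit, or encrypted media
    monitored: bool                # covered by NIDS/HIDS or access logging (R3)


def review_interface(i):
    """Return a list of findings for one interface; empty means it is acceptable."""
    if not i.reaches_cca:
        return []   # outside the ESP; nothing to enforce here
    if not i.required:
        return [f"{i.name}: reaches a CCA but has no documented need; remove or disable it"]
    findings = []
    if not i.documented_access_point:
        findings.append(f"{i.name}: undocumented ESP access point (R1)")
    if not i.strong_auth:
        findings.append(f"{i.name}: lacks strong authentication at the access point (R2)")
    if i.kind in EXTERNAL_KINDS and not i.encrypted:
        findings.append(f"{i.name}: external circuit without VPN/encryption")
    if i.kind == "portable_media" and not i.encrypted:
        findings.append(f"{i.name}: portable media/device not encrypted")
    if not i.monitored:
        findings.append(f"{i.name}: access not monitored/logged (R3)")
    return findings


def review_perimeter(inventory):
    """Map interface name -> findings for every interface that needs attention."""
    report = {}
    for i in inventory:
        f = review_interface(i)
        if f:
            report[i.name] = f
    return report


# Constructed inventory modelled on the slide's diagram elements.
INVENTORY = [
    Interface("Leased T1 to backup site", "leased_line", True, True, True, True, True, True),
    Interface("IP link to transmission substations", "wan", True, True, True, True, False, True),
    Interface("Dial-in IED access", "dial_in", True, True, False, False, False, False),
    Interface("Unprotected modem on EMS server", "dial_in", True, False, False, False, False, False),
    Interface("Office WiFi AP bridged to SCADA LAN", "wlan", True, False, False, False, False, False),
    Interface("Corporate LAN (no route to SCADA LAN)", "lan", False, True, False, False, False, True),
    Interface("Engineer USB drives", "portable_media", True, True, True, True, False, True),
]


def sample_report():
    """Run the review over the constructed inventory."""
    return review_perimeter(INVENTORY)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        for line in findings:
            print(line)
```

The order of the checks reflects the slide: "is it required?" comes before any question about protection, because an unneeded interface is removed rather than hardened.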
Establishing the "Electronic Perimeter"
[Diagram: the Electronic Perimeter around a SCADA/EMS system/facility. Elements shown: the SCADA LAN with RTUs, doubly-connected workstations, portable devices, storage devices and physical media; corporate and department LANs with gateway, web server and email; the Internet via an ISP; a TelCo WAN; a leased T1 line to a backup-site SCADA/EMS system; IP to the substation (transmission substations) via TelCo; dial-in IED access; dial-out backup; an unprotected modem; a related system; a WiFi AP; and links to the regional balancing authority, transmission operator or reliability coordinator. Each perimeter crossing point is marked with an "x" on the original slide.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to insure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that insure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and insure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
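Access logging (CIP-006 R4/R5) only detects anything if someone reviews the log, so here is an added example of that review, not code from the presentation. It reads badge-reader events from perimeter access points and reports three things: a GRANTED event for a badge that is not authorized for that door (the control itself failed), attempts by badges authorized nowhere, and repeated denials at one door by one badge. The log format, the door names, the badge-to-door authorization table and the repeat threshold (three denials in ten minutes) are constructed assumptions.

```python
"""Review physical access logs from perimeter access points (CIP-006 R3–R5).

Added example, not from the presentation. The log format (one event per line:
'timestamp door badge result') and the authorization table are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Which badges are authorized for which access point (separate access rights
# per area, as on the physical perimeter slide).
AUTHORIZED = {
    "CONTROL_ROOM": {"B1001", "B1002"},
    "SERVER_ROOM": {"B1002"},
    "TELECOM_ROOM": {"B1002", "B1003"},
}

REPEAT_WINDOW = timedelta(minutes=10)   # assumed: 3+ denials in 10 min is worth a look
REPEAT_COUNT = 3

# Constructed sample log lines.
SAMPLE_LOG = """\
2008-03-04T02:15:00 CONTROL_ROOM B1001 GRANTED
2008-03-04T02:16:10 SERVER_ROOM B1001 DENIED
2008-03-04T02:17:05 SERVER_ROOM B1001 DENIED
2008-03-04T02:18:40 SERVER_ROOM B1001 DENIED
2008-03-04T03:02:00 TELECOM_ROOM B1003 GRANTED
2008-03-04T03:40:00 SERVER_ROOM B1003 GRANTED
2008-03-04T04:10:00 CONTROL_ROOM B9999 DENIED
"""


def parse_log(text):
    """Return a list of (timestamp, door, badge, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, door, badge, result = parts
        events.append((datetime.fromisoformat(ts), door, badge, result))
    return events


def review_access(events, authorized=AUTHORIZED):
    """Return findings as dicts with 'kind', 'badge', 'door' and 'time'.

    control_failure: access GRANTED to a badge not authorized for the door
                     (the control did not enforce the documented rights).
    unknown_badge:   an attempt by a badge that is authorized nowhere.
    repeated_denial: REPEAT_COUNT or more denials at one door by one badge
                     within REPEAT_WINDOW (reported once, when first reached).
    """
    findings = []
    known = set().union(*authorized.values())
    denials = defaultdict(list)   # (badge, door) -> timestamps of recent denials
    for ts, door, badge, result in events:
        allowed = badge in authorized.get(door, set())
        if result == "GRANTED" and not allowed:
            findings.append({"kind": "control_failure", "badge": badge, "door": door, "time": ts})
        if badge not in known:
            findings.append({"kind": "unknown_badge", "badge": badge, "door": door, "time": ts})
        if result == "DENIED":
            window = [t for t in denials[(badge, door)] if ts - t <= REPEAT_WINDOW]
            window.append(ts)
            denials[(badge, door)] = window
            if len(window) == REPEAT_COUNT:
                findings.append({"kind": "repeated_denial", "badge": badge, "door": door, "time": ts})
    return findings


def sample_findings():
    """Run the review over the constructed log."""
    return review_access(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in sample_findings():
        print(f["time"].isoformat(), f["kind"], f["badge"], f["door"])
```

The control_failure case is the one worth automating: a reader that grants entry to a badge outside its authorized set is exactly the kind of silent outage R6 asks to be tested for and logged.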
Establishing the "Physical Perimeter"
[Diagram: the Facility outer perimeter with limited, monitored/controlled access points; inside it, Office Areas and the SCADA Operations area, which has its own limited, monitored/controlled access points and monitored hallways; within SCADA Operations, the Control Room, Computer/server Room and Telecom/LAN Room each have controlled and monitored access with separate access rights.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
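R2 has two halves: disable what is not needed, and document compensating measures where a port cannot be closed. Both are only checkable against a written baseline, so the following added example (not code from the presentation) compares a netstat-style snapshot of listening ports against an approved per-host baseline and an exception register, and reports ports that are open without either a baseline entry or a documented exception, plus baseline services that have stopped listening. The hosts, the baseline, the exception and the snapshot are constructed.

```python
"""Compare the listening ports/services on critical systems against an approved
baseline (CIP-007 R2). Added example, not from the presentation; the baseline,
exception register and the netstat-style snapshot below are constructed.
"""

# Approved baseline per host: the (proto, port) pairs that are needed.
BASELINE = {
    "ems-srv-01": {("tcp", 22), ("tcp", 2404)},   # ssh, IEC 60870-5-104
    "hmi-ws-02": {("tcp", 22)},
}

# R2 allows other measures where a service cannot be disabled; record those
# here so the review can tell a documented exception from an unreviewed port.
EXCEPTIONS = {
    ("ems-srv-01", "tcp", 111): "vendor RPC service required by the EMS; restricted by host firewall to the SCADA LAN",
}

# Constructed snapshot in the style of `netstat -ln` output, prefixed with the
# host name: host proto local_address [state]
SNAPSHOT = """\
ems-srv-01 tcp 0.0.0.0:22    LISTEN
ems-srv-01 tcp 0.0.0.0:2404  LISTEN
ems-srv-01 tcp 0.0.0.0:111   LISTEN
ems-srv-01 tcp 0.0.0.0:23    LISTEN
ems-srv-01 udp 0.0.0.0:161
hmi-ws-02  tcp 0.0.0.0:22    LISTEN
hmi-ws-02  tcp 0.0.0.0:3389  LISTEN
"""


def parse_snapshot(text):
    """Return {host: set of (proto, port)} from the snapshot lines."""
    listening = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, proto, local = parts[0], parts[1], parts[2]
        port = int(local.rsplit(":", 1)[1])
        listening.setdefault(host, set()).add((proto, port))
    return listening


def compare(listening, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return {host: {'unexpected': [...], 'excepted': [...], 'missing': [...]}}.

    unexpected: open but neither in the baseline nor in the exception register
    excepted:   open, not in the baseline, but covered by a documented exception
    missing:    in the baseline but not listening (a needed service is down)
    """
    report = {}
    for host in sorted(set(listening) | set(baseline)):
        open_ports = listening.get(host, set())
        approved = baseline.get(host, set())
        entry = {"unexpected": [], "excepted": [], "missing": []}
        for proto, port in sorted(open_ports - approved):
            key = (host, proto, port)
            if key in exceptions:
                entry["excepted"].append((proto, port, exceptions[key]))
            else:
                entry["unexpected"].append((proto, port))
        entry["missing"] = sorted(approved - open_ports)
        report[host] = entry
    return report


def sample_report():
    """Run the comparison over the constructed snapshot."""
    return compare(parse_snapshot(SNAPSHOT))


if __name__ == "__main__":
    for host, entry in sample_report().items():
        print(host)
        for proto, port in entry["unexpected"]:
            print(f"  UNEXPECTED {proto}/{port}: disable, or document an exception with compensating measures")
        for proto, port, why in entry["excepted"]:
            print(f"  excepted   {proto}/{port}: {why}")
        for proto, port in entry["missing"]:
            print(f"  MISSING    {proto}/{port}: baseline service not listening")
```

Reporting "missing" alongside "unexpected" keeps the check operationally safe in the sense R2 and R3 ask for: a baseline service that has stopped listening on a control system is an availability problem, not something to ignore because it reduces the attack surface.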
Systems Security Management (Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
Required Initial Actions (cont)
bull R5 ndash Establish an account management program and procedures to insure ldquostrongrdquo user authentication proper assignment of user rights based on need and tracking of user activitiesbull R6 ndash Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDSHIDS)bull R7 ndash Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assetsbull R8 ndash Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation effortsbull R9 ndash Establish a document management review and revision program that insures that documentation remains accurate and updated
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase (method used for each step in parentheses):
- Identify and document Critical Cyber Assets (physical audit)
- Identify and document Critical Cyber Information (physical audit)
- Identify and document Physical Security Perimeter (physical inspection)
- Identify and document communication and network connections (physical inspection)
- Identify and document all personnel who have access rights (background checks)
- Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase:
- Review findings versus NERC requirements (non-compliance levels)
- Develop action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase (supporting activity for each step in parentheses):
- Develop and document necessary policies and procedures (iterative reviews)
- Select methods for creating the electronic security perimeter (technology survey)
- Implement and test the electronic perimeter (PEN testing)
- Select methods for creating the physical security perimeter (technology survey)
- Implement and test the physical security perimeter (social engineering testing)
- Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
- Test and validate systems management and recovery procedures (disaster simulation & audits)
- Test and validate system/component test/commissioning procedures
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to another.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: quarterly timeline from Q2 2007 through Q4 2010 showing, for each requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), the quarter in which each milestone falls. Legend: BW, SC, C, AC, the four implementation stages (begin work, substantially compliant, compliant, auditably compliant). The milestone positions are not recoverable from the text.]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: quarterly timeline from Q2 2007 through Q4 2010 for the same requirements of CIP-002 through CIP-009 as Table 1 (Control Centers), with BW, SC, C and AC milestones per requirement. The milestone positions are not recoverable from the text.]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: quarterly timeline from Q2 2007 through Q4 2010 for each requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), with BW, SC, C and AC milestones per requirement. The milestone positions are not recoverable from the text.]
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: quarterly timeline from Q1 2007 through Q4 2010 for each requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), with BW, SC, C and AC milestones per requirement. The milestone positions are not recoverable from the text.]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Chart: timeline in quarters after registration (Registration plus Q1 through Q11) for each requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), with BW, SC, C and AC milestones per requirement. The milestone positions are not recoverable from the text.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions?
Risk-Based Assessments
Example of a possible consequence rating chart (rows: severity of consequences; columns: category of consequences of an attack)
Very serious consequences: Public Health and Safety - numerous deaths and serious injuries; Customer outages - > 250,000 customers; Outage duration - in terms of months; Power system stability - major transmission line outages; Power generation impacts - > 10,000 MW put offline
Major consequences: Public Health and Safety - scattered deaths or serious injuries; Customer outages - > 100,000 customers; Outage duration - in terms of weeks; Power system stability - limited inter-tie disruption; Power generation impacts - > 1,000 MW put offline
Minor consequences: Public Health and Safety - minor, non-life-threatening injuries; Customer outages - thousands of customers; Outage duration - in terms of days; Power system stability - temporary islanding; Power generation impacts - > 100 MW put offline
Insignificant consequences: Public Health and Safety - none of significance; Customer outages - hundreds of customers; Outage duration - in terms of hours; Power system stability - no impact; Power generation impacts - tolerable generation outage
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines and procedures that will ensure on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document and implement a cyber security policy covering, at the minimum, the eight CIP standards
• R2 – Assign a senior manager to be responsible and accountable
• R3 – Document and justify all exceptions to the policy
• R4 – Establish information protection policies and procedures
• R5 – Implement policies and procedures for information access controls
• R6 – Implement a change-management procedure for all critical cyber assets
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
Security Policy: Information Security Policies; Organizational Security; Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
Asset/Information Classification And Control: Accountability For Asset/Information; Classification; Information access procedures
Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
Auditing and Review Policy
Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
Operational Continuity Management: Incident reporting/response; Recovery planning and testing
Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
High-Level Information Security Policy
Detailed Information Security Policy
Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
External Communications Security Policy
Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication System; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
Web Privacy Policy
Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
Information Ownership Policy
Firewall Policy; Download Policy
Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program with policies and procedures, and routine audit and verification, to ensure personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 – Classify, protect and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public Networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Diagram: a SCADA/EMS system/facility whose SCADA LAN is reached by many paths: a gateway, web server and email on the corporate and department LANs, with Internet access through an ISP; a telco WAN with a leased T1 line and "IP to the substation" links to transmission substations and RTUs; dial-in IED access and a dial-out backup line through the telco; an unprotected modem; a WiFi AP; doubly-connected workstations; a backup site SCADA/EMS system; a related system; portable devices, storage devices and physical media; and a connection to the regional balancing authority, transmission operator or reliability coordinator. Each point at which such a path crosses into the SCADA environment is marked (x) as a perimeter access point.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a facility with limited, monitored/controlled access points; inside it a SCADA Operations area, again with limited, monitored/controlled access points and monitored hallways, containing the Control Room, the Computer/server Room and the Telecom/LAN Room, each with controlled, monitored access and separate access rights; the office areas lie outside the SCADA Operations area.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
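As an added example (not the deck's own material) of the port and service baseline that R2 implies, the Python below compares a constructed `ss -tuln`-style socket listing for one critical system against an assumed approved baseline and an assumed record of documented exceptions, and reports ports that must be disabled, ports covered by a documented compensating measure, and baseline services that are not listening; the baseline, the exception and the listing are all constructed.

```python
"""Listening-port baseline check for a critical cyber asset (CIP-007 R2 style).

Added example, not from the original deck. The baseline, the exception
record and the socket listing are constructed; a real check would feed in
the output of `ss -tuln` or `netstat -tuln` collected from the host.
"""
import re

# Constructed approved baseline for one critical system: (proto, port) -> service.
BASELINE = {
    ("tcp", 22): "ssh (engineering access)",
    ("tcp", 502): "modbus/tcp (SCADA polling)",
    ("udp", 161): "snmp (monitoring)",
}

# Constructed documented exceptions (CIP-003 R3 / CIP-007 R2 "other measures"):
# a port that cannot be disabled, with the compensating measure on record.
EXCEPTIONS = {
    ("tcp", 80): "vendor HMI web console; host firewall limits it to the SCADA LAN",
}

# Constructed listing in the style of `ss -tuln` output.
SAMPLE_LISTING = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
"""

# proto, state, recv-q, send-q, then local address:port; the header line does not match
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listening(listing: str) -> set[tuple[str, int]]:
    """Return the set of (proto, port) sockets found listening in the listing."""
    found = set()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found


def check_ports(listing: str, baseline=BASELINE, exceptions=EXCEPTIONS) -> dict:
    """Compare the live listing against the baseline and return:
    'unexpected': open, in neither baseline nor exceptions (must be disabled)
    'excepted':   open, not in baseline, but covered by a documented measure
    'missing':    in baseline but not listening (service down or baseline stale)"""
    live = parse_listening(listing)
    unexpected = sorted(s for s in live if s not in baseline and s not in exceptions)
    excepted = sorted(s for s in live if s in exceptions)
    missing = sorted(s for s in baseline if s not in live)
    return {"unexpected": unexpected, "excepted": excepted, "missing": missing}


if __name__ == "__main__":
    result = check_ports(SAMPLE_LISTING)
    for proto, port in result["unexpected"]:
        print(f"DISABLE  {proto}/{port}: not in baseline, no documented exception")
    for proto, port in result["excepted"]:
        print(f"EXCEPTED {proto}/{port}: {EXCEPTIONS[(proto, port)]}")
    for proto, port in result["missing"]:
        print(f"MISSING  {proto}/{port}: {BASELINE[(proto, port)]} not listening")
```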
Systems Security Management Systems Security Management (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
Required Initial Actions (cont)
bull R5 ndash Establish an account management program and procedures to insure ldquostrongrdquo user authentication proper assignment of user rights based on need and tracking of user activitiesbull R6 ndash Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDSHIDS)bull R7 ndash Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assetsbull R8 ndash Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation effortsbull R9 ndash Establish a document management review and revision program that insures that documentation remains accurate and updated
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate, and train personnel on recovery procedures for critical cyber assets and systems.
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner.
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel.
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools, and other items needed to successfully restore critical cyber assets to full operation.
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations.
Required On-Going Actions
Establish a program to regularly review, adjust, and update policies, and also practice the procedures to ensure recovery can be achieved.
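As an added example (not from the slides), the Python routine below records a SHA-256 manifest of a backup image set when the set is made (CIP-009 R4), keyed with an HMAC so that an edited listing is detected, and later re-verifies the media (CIP-009 R5), reporting corrupted, missing and unexpected files. The directory layout, file contents and key are constructed for this example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path):
    """Stream a file through SHA-256 (backup images can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root):
    """Relative POSIX paths of every regular file under root."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def build_manifest(backup_dir, key):
    """R4: hash every file in the backup set and sign the listing with HMAC-SHA256.
    The key stays off the media, so a manifest edited on the media fails to verify."""
    root = Path(backup_dir)
    files = {}
    for rel in sorted(_listing(root)):
        p = root / rel
        files[rel] = {"sha256": _sha256_file(p), "size": p.stat().st_size}
    body = json.dumps(files, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_dir, manifest, key):
    """R5: re-read the media against its manifest.
    Returns {'manifest_ok': bool, 'problems': [...]}; an empty problem list means
    every recorded file is still present and intact."""
    body = json.dumps(manifest["files"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_ok": False,
                "problems": ["manifest signature mismatch: listing altered or wrong key"]}
    root = Path(backup_dir)
    present = _listing(root)
    problems = []
    for rel, meta in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif (root / rel).stat().st_size != meta["size"] or _sha256_file(root / rel) != meta["sha256"]:
            problems.append(f"corrupted: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return {"manifest_ok": True, "problems": problems}


def run_demo():
    """Constructed backup set: verify it clean, after media damage, and after manifest tampering."""
    key = b"constructed-example-key-keep-the-real-one-off-the-media"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "config").mkdir()
        (root / "images" / "hmi01.img").write_bytes(b"\x00" * 4096)
        (root / "config" / "rtu-points.csv").write_text("point,addr\nbreaker1,40001\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Media degradation: one byte flipped in the image, one file lost.
        (root / "images" / "hmi01.img").write_bytes(b"\x00" * 4095 + b"\x01")
        (root / "config" / "rtu-points.csv").unlink()
        degraded = verify_backup(root, manifest, key)
        # Manifest edited to match the damaged image: rejected because the HMAC no longer matches.
        manifest["files"]["images/hmi01.img"]["sha256"] = _sha256_file(root / "images" / "hmi01.img")
        tampered = verify_backup(root, manifest, key)
    return clean, degraded, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "degraded", "tampered"), run_demo()):
        print(label, result)
```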
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist
Action plan formulation phase:
• Review findings versus NERC requirements
• Develop an action plan for addressing all short-comings
• Determine non-compliance levels
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test/commissioning procedures
• Disaster simulation & audits
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing, and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and leaving the identification methodology up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
[Gantt chart: columns 2007 Q2 through 2010 Q4; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW / SC / C / AC, the four stages of the implementation plan. The quarter in which each milestone falls is not preserved in this transcript.]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard
[Gantt chart: columns 2007 Q2 through 2010 Q4; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW / SC / C / AC. The quarter in which each milestone falls is not preserved in this transcript.]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard
[Gantt chart: columns 2007 Q2 through 2010 Q4; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW / SC / C / AC. The quarter in which each milestone falls is not preserved in this transcript.]
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006
[Gantt chart: columns 2007 Q1 through 2010 Q4; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW / SC / C / AC. The quarter in which each milestone falls is not preserved in this transcript.]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
[Gantt chart: columns are quarters after registration, Registration plus Q1 through Q11; rows CIP 002 (R1–R4), CIP 003 (R1–R6), CIP 004 (R1–R4), CIP 005 (R1–R5), CIP 006 (R1–R6), CIP 007 (R1–R9), CIP 008 (R1–R2), CIP 009 (R1–R5); milestone markers BW / SC / C / AC. The quarter in which each milestone falls is not preserved in this transcript.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP
President – Cyber SECurity Consulting
Questions
CIP-003 Security Management Controls
Required Initial Actions
Create an overarching security management program with associated policies, guidelines, baselines, and procedures that will ensure the on-going attention to, and priority of, security as a corporate objective and requirement.
• R1 – Develop, document, and implement a cyber security policy covering, at the minimum, the eight CIP standards.
• R2 – Assign a senior manager to be responsible and accountable.
• R3 – Document and justify all exceptions to the policy.
• R4 – Establish information protection policies and procedures.
• R5 – Implement policies and procedures for information access controls.
• R6 – Implement a change-management procedure for all critical cyber assets.
Required On-Going Actions
Establish a policy and procedures that ensure that employees are aware of and adhering to the stated policies and procedures, and ensure that an annual review is made of the compliance exceptions and of the efficacy of the policies and procedures. Audit trail information should be retained for at least one year.
Security Policies
• Security Policy: Information Security Policies
• Organizational Security: Information Security Infrastructure; Security Of Third-Party Access; Outsourcing
• Asset/Information Classification And Control: Accountability For Assets; Information Classification; Information access procedures
• Personnel: Background checks; Hiring and termination procedures; NDA requirements; Job rotation/separation of duties; Security In Job Definition And Resourcing; User Training; Responding To Security Incidents And Malfunctions
• Physical And Environmental Security: Secure Areas (security perimeter); Equipment Security; General Controls; Monitoring and auditing
• Communications And Operations Management: Operational Procedures And Responsibilities; System Planning And Acceptance; Protection Against Malicious Software; Housekeeping; Media Handling and Security; Exchanges Of Information And Software
• Physical/Electronic Access Control: Business Requirement For Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application Access Control; Monitoring System Access And Use; Mobile Computing
• Auditing and Review Policy
• Systems Development And Maintenance: Security Requirements Of Systems; Security In Application Systems; Cryptographic Controls; Security Of System Files; Security In Development And Support Processes
• Operational Continuity Management: Incident reporting/response; Recovery planning and testing
• Compliance: Compliance With Legal Requirements (SOX/HIPAA); Compliance with NERC 1200/1300; Reviews Of Security Policy And Technical Compliance; System Audit Considerations
• High-Level Information Security Policy
• Detailed Information Security Policy
• Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues; Access Control; Backup And Media Storage; Communications Links; System Management; Travel Considerations; Physical Security
• External Communications Security Policy
• Personal Computer Security Policy: Document Overview; Business Use Only; Configuration Control; Access Control; Viruses; Backup; Destruction; Documentation; Networking; Physical Security; Management
• Electronic Mail Policy; IM Policy; Web Browsing Policy
Security Policies (Cont)
• Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment Of Access Paths; Computer Viruses, Worms, And Trojan Horses; Data And Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs And Other Systems Security Tools; Handling Network Security Information; Patch management and installation; Physical Security Of Computer And Communications Gear; Exceptions and violations
• Internet Security Policy For Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
• Privacy Policy - Stringent: Overview And Applicability; Definitions; Specific Requirements; Information To Be Given To The Individual; Individual's Right Of Access To Data; Individual's Right To Object; Disclosure Of Personal Data To Third Parties; Processing Confidentiality And Security; Monitoring Of Internal Activities
• Privacy Policy - Lenient: Company Intentions and Management Responsibilities; Disclosure Of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers, Vendors
• Web Privacy Policy
• Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping And Handling; Declassification And Downgrading; Destruction And Disposal; Physical Security; Special Considerations For Secret Information
• External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems With Disclosure Processes; Required Disclosure Records; Preparing Information For Disclosure
• Information Ownership Policy
• Firewall Policy; Download Policy
• Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
• External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption And Public Key Infrastructure Considerations; Change Control And Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues.
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights.
• R3 – Perform background, criminal, and financial checks on all personnel with physical and electronic access rights.
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements.
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points.
• R2 – Establish electronic access controls with strong authentication.
• R3 – Monitor and review all electronic access to critical systems.
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, and tests for open ports and services and improper account management.
• R5 – Classify, protect, and establish policies and procedures in regard to the information and documentation resulting from this process.
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Network diagram: a SCADA/EMS system/facility with its SCADA LAN, gateway, web server and e-mail server; connections to the corporate and departmental LANs, to the Internet via an ISP, to a WAN over a leased T1 line, to a related system, to a backup-site SCADA/EMS system, to transmission substations (IP to the substation) and RTUs, and to the regional balancing authority / transmission operator / reliability coordinator; also an unprotected modem, dial-out backup and dial-in IED access via the TelCo, a WiFi AP, doubly-connected workstations, portable devices, storage devices and physical media. The x marks in the original diagram flag the interfaces that cross the electronic perimeter.]
Defending the "Electronic Perimeter"
• Intrusion Detection (NIDS/HIDS) Systems
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter.
• R2 – Establish physical access controls at all access points.
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access.
• R4 – Log and record all access into the security perimeter.
• R5 – Retain a log of all access attempts, either successful or unauthorized.
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages.
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Floor-plan diagram: the facility as a whole has limited, monitored/controlled access points; inside it, the SCADA Operations area (control room, computer/server room, telecom/LAN room) again has limited, monitored/controlled access points, controlled and monitored access, monitored hallways, and separate access rights from the office areas.]
Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers, and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades.
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible.
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner.
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner.
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities.
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS).
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets.
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts.
• R9 – Establish a document management, review, and revision program that ensures that documentation remains accurate and updated.
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
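As an added example (not from the slides), the Python script below compares each critical cyber asset's observed listening services with its documented baseline, the kind of check that a CIP-005 R4 vulnerability assessment and a CIP-007 R2 port/service review both call for, and also flags hosts found inside the perimeter that are missing from the asset list. The host names, ports and scan lines are constructed, laid out like nmap's grepable (-oG) output.

```python
from collections import defaultdict

# Documented baseline: the (protocol, port) pairs each critical cyber asset inside
# the electronic security perimeter is required to expose.  Constructed for this example.
BASELINE = {
    "scada-hmi01": {("tcp", 22), ("tcp", 502)},     # SSH administration, Modbus/TCP
    "scada-hist01": {("tcp", 22), ("tcp", 1433)},   # SSH administration, historian database
    "ems-gw01": {("tcp", 22), ("tcp", 20000)},      # SSH administration, DNP3
}

# Constructed scan result in nmap grepable layout, one host per line:
# "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<service>///, ..."
SCAN_LINES = (
    "Host: 10.10.1.5 (scada-hmi01)\tPorts: 22/open/tcp//ssh///, 502/open/tcp//mbap///, 23/open/tcp//telnet///\n"
    "Host: 10.10.1.6 (scada-hist01)\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 135/filtered/tcp//msrpc///\n"
    "Host: 10.10.1.9 (unknown-box)\tPorts: 80/open/tcp//http///\n"
)


def parse_grepable(text):
    """Return {hostname: {(proto, port), ...}} for every port reported as open."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        head = fields[0].split()  # ["Host:", "10.10.1.5", "(scada-hmi01)"]
        # nmap prints "()" when it has no name for the host; fall back to the address then.
        name = head[2].strip("()") if len(head) > 2 and head[2] != "()" else head[1]
        ports = set()
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    ports.add((parts[2], int(parts[0])))
        observed[name] = ports
    return observed


def review(baseline, observed):
    """Compare observed listeners with the baseline; return {host: [finding, ...]}.
    Hosts with no findings are left out of the result."""
    findings = defaultdict(list)
    for host, required in baseline.items():
        if host not in observed:
            findings[host].append("not assessed: asset is in the baseline but absent from the scan")
            continue
        for proto, port in sorted(observed[host] - required):
            findings[host].append(
                f"unexpected listener {proto}/{port}: disable it or document a compensating measure (CIP-007 R2)")
        for proto, port in sorted(required - observed[host]):
            findings[host].append(f"required service {proto}/{port} not observed: verify the asset is healthy")
    for host in sorted(observed.keys() - baseline.keys()):
        findings[host].append("undocumented host inside the perimeter: add it to the asset list or remove it (CIP-005 R1)")
    return dict(findings)


if __name__ == "__main__":
    for host, items in review(BASELINE, parse_grepable(SCAN_LINES)).items():
        for item in items:
            print(f"{host}: {item}")
```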
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
- Identify and document Critical Cyber Assets
- Identify and document Critical Cyber Information
- Identify and document the Physical Security Perimeter
- Identify and document communication and network connections
- Identify and document all personnel who have access rights
- Identify and review all existing cyber security policies and procedures
(Methods: physical audit, physical inspection, background checks, NERC checklist)
Action plan formulation phase:
- Review findings versus NERC requirements
- Develop an action plan for addressing all short-comings (non-compliance levels)
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
- Develop and document necessary policies and procedures
- Select methods for creating the electronic security perimeter
- Implement and test the electronic perimeter
- Select methods for creating the physical security perimeter
- Implement and test the physical security perimeter
- Provide security training to all employees as needed
(Methods: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign)
Testing and validation phase:
- Test and validate systems management and recovery procedures
- Test and validate system/component test/commissioning procedures
(Methods: disaster simulation & audits, structured audit)
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 - The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule - Table 1 (Control Centers)
Compliance schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Timeline chart, 2007 Q2 through 2010 Q4, one row per standard: CIP-002 (R1-R4), CIP-003 (R1-R6), CIP-004 (R1-R4), CIP-005 (R1-R5), CIP-006 (R1-R6), CIP-007 (R1-R9), CIP-008 (R1-R2), CIP-009 (R1-R5); milestone markers BW, SC, C and AC (the begin-work, substantially-compliant, compliant and auditably-compliant stages). The per-quarter marker positions are not recoverable from the transcript.]
Compliance Schedule - Table 1 (Other Facilities)
Compliance schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Timeline chart, 2007 Q2 through 2010 Q4, one row per standard: CIP-002 (R1-R4), CIP-003 (R1-R6), CIP-004 (R1-R4), CIP-005 (R1-R5), CIP-006 (R1-R6), CIP-007 (R1-R9), CIP-008 (R1-R2), CIP-009 (R1-R5); milestone markers BW, SC, C and AC. The per-quarter marker positions are not recoverable from the transcript.]
Compliance Schedule - Table 2 (All Facilities)
Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Timeline chart, 2007 Q2 through 2010 Q4, one row per standard: CIP-002 (R1-R4), CIP-003 (R1-R6), CIP-004 (R1-R4), CIP-005 (R1-R5), CIP-006 (R1-R6), CIP-007 (R1-R9), CIP-008 (R1-R2), CIP-009 (R1-R5); milestone markers BW, SC, C and AC. The per-quarter marker positions are not recoverable from the transcript.]
Compliance Schedule - Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Timeline chart, 2007 Q1 through 2010 Q4, one row per standard: CIP-002 (R1-R4), CIP-003 (R1-R6), CIP-004 (R1-R4), CIP-005 (R1-R5), CIP-006 (R1-R6), CIP-007 (R1-R9), CIP-008 (R1-R2), CIP-009 (R1-R5); milestone markers BW, SC, C and AC. The per-quarter marker positions are not recoverable from the transcript.]
Compliance Schedule - Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter.
[Timeline chart, quarters 1 through 11 after registration ("Registration Plus"), one row per standard: CIP-002 (R1-R4), CIP-003 (R1-R6), CIP-004 (R1-R4), CIP-005 (R1-R5), CIP-006 (R1-R6), CIP-007 (R1-R9), CIP-008 (R1-R2), CIP-009 (R1-R5); milestone markers BW, SC, C and AC. The per-quarter marker positions are not recoverable from the transcript.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President - Cyber SECurity Consulting
Questions?
Security Policies
- Security Policy: Information Security Policies
- Organizational Security: Information Security Infrastructure, Security Of Third-Party Access, Outsourcing
- Asset/Information Classification And Control: Accountability For Assets, Information Classification, Information access procedures
- Personnel: Background checks, Hiring and termination procedures, NDA requirements, Job rotation/separation of duties, Security In Job Definition And Resourcing, User Training, Responding To Security Incidents And Malfunctions
- Physical And Environmental Security: Secure Areas (security perimeter), Equipment Security, General Controls, Monitoring and auditing
- Communications And Operations Management: Operational Procedures And Responsibilities, System Planning And Acceptance, Protection Against Malicious Software, Housekeeping, Media Handling and Security, Exchanges Of Information And Software
- Physical/Electronic Access Control: Business Requirement For Access Control, User Access Management, User Responsibilities, Network Access Control, Operating System Access Control, Application Access Control, Monitoring System Access And Use, Mobile Computing
- Auditing and Review Policy
- Systems Development And Maintenance: Security Requirements Of Systems, Security In Application Systems, Cryptographic Controls, Security Of System Files, Security In Development And Support Processes
- Operational Continuity Management: Incident reporting/response, Recovery planning and testing
- Compliance: Compliance With Legal Requirements (SOX/HIPAA), Compliance with NERC 1200/1300, Reviews Of Security Policy And Technical Compliance, System Audit Considerations
- High-Level Information Security Policy
- Detailed Information Security Policy
- Telecommuting and Portable Computer/PDA/Cell phone Security Policy: Management Issues, Access Control, Backup And Media Storage, Communications Links, System Management, Travel Considerations, Physical Security
- External Communications Security Policy
- Personal Computer Security Policy: Document Overview, Business Use Only, Configuration Control, Access Control, Viruses, Backup, Destruction, Documentation, Networking, Physical Security, Management
- Electronic Mail Policy
- IM Policy
- Web Browsing Policy
Security Policies (Cont)
- Computer Network Security Policy: Purpose, Scope, General Policy, Responsibilities, System Access Control, End-User Passwords, Password System Set-Up, Logon and Logoff Process, System Privileges, Establishment Of Access Paths, Computer Viruses, Worms And Trojan Horses, Data And Program Backup, Encryption, Portable Computers, Remote Printing, Privacy, Logs And Other Systems Security Tools, Handling Network Security Information, Patch management and installation, Physical Security Of Computer And Communications Gear, Exceptions and violations
- Internet Security Policy For Users: Introduction, Information Integrity, Information Confidentiality, Public Representations, Intellectual Property Rights, Access Control, Personal Use, Privacy Expectations, Reporting Security Problems
- Privacy Policy - Stringent: Overview And Applicability, Definitions, Specific Requirements, Information To Be Given To The Individual, Individual's Right Of Access To Data, Individual's Right To Object, Disclosure Of Personal Data To Third Parties, Processing Confidentiality And Security, Monitoring Of Internal Activities
- Privacy Policy - Lenient: Company Intentions and Management Responsibilities, Disclosure Of Private Information, Appropriate Handling of Private Information, Private Information on Computer and Communication Systems, Activity Monitoring (computer, phone, FAX), Handling Personnel Information, Private Information from Job Seekers, Private Information About Customers, Vendors
- Web Privacy Policy
- Data Classification Policy: Access Control, Classification Labels, Labeling, Third-Party Interactions, Shipping And Handling, Declassification And Downgrading, Destruction And Disposal, Physical Security, Special Considerations For Secret Information
- External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate, Resolving Problems With Disclosure Processes, Required Disclosure Records, Preparing Information For Disclosure
- Information Ownership Policy
- Firewall Policy
- Download Policy
- Security Awareness-Raising Methods: In Person, In Writing, On Systems, On Other Things
- External Network Interface Security Policy: Harmonization, Access Control Considerations, Encryption And Public Key Infrastructure Considerations, Change Control And Contingency Planning Considerations, Network Management Considerations
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
- R1 - Implement a security awareness program to focus all personnel on security issues.
- R2 - Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights.
- R3 - Perform background, criminal and financial checks on all personnel with physical and electronic access rights.
- R4 - Identify and document the personnel needing access rights, and relate access rights to job requirements.
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel that are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
- R1 - Identify the electronic security perimeter and all access points.
- R2 - Establish electronic access controls with strong authentication.
- R3 - Monitor and review all electronic access to critical systems.
- R4 - Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points and tests for open ports and services and improper account management.
- R5 - Classify, protect and establish policies and procedures in regards to the information and documentation resulting from this process.
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and ensure that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"
[Network diagram: the SCADA/EMS system facility (SCADA LAN, gateway, web server, email, department LAN, corporate WAN, doubly-connected workstations, WiFi AP, an unprotected modem, dial-out backup, portable devices, storage devices and physical media) with external connections via TelCo and an ISP to the Internet, to a related system, to the backup-site SCADA/EMS system over a leased T1 line, to transmission substations (IP to the substation, dial-in IED access, RTUs) and to the regional balancing authority, transmission operator or reliability coordinator. The original marks each interface that crosses the perimeter with an "x".]
Defending the "Electronic Perimeter"
- Intrusion Detection (NIDS/HIDS) Systems
- Strong (multi-factor) authentication
- Encryption on portable media/devices
- VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
- R1 - Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter.
- R2 - Establish physical access controls at all access points.
- R3 - Monitor access into the security perimeter in a manner that precludes undetected access.
- R4 - Log and record all access into the security perimeter.
- R5 - Retain a log of all access attempts, either successful or unauthorized.
- R6 - Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages.
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Facility diagram: the SCADA Operations area contains the Control Room, the Computer/server Room and the Telecom/LAN Room, each with separate access rights, reached through monitored hallways from the Office Areas. Both the facility and the SCADA Operations area have limited, monitored/controlled access points with controlled and monitored access.]
Defending the "Physical Perimeter"
- Visual monitoring using cameras and recorders
- Access control systems with alarms and sensors
- Walls, doors, cages, barriers and locks
- Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
- R1 - Establish suitable testing procedures for all new systems and major system changes and upgrades.
- R2 - Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible.
- R3 - Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner.
- R4 - Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner.
Systems Security Management (Cont)
Required Initial Actions (cont)
- R5 - Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities.
- R6 - Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS).
- R7 - Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets.
- R8 - Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts.
- R9 - Establish a document management, review and revision program that ensures that documentation remains accurate and updated.
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
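The CIP-005 R4 assessment (tests for open ports and services and improper account management) and the CIP-007 R2 and R5 requirements above both reduce to comparing a critical system's live state with a documented per-asset baseline. The following script is an added example, not code from the presentation or its author: it diffs constructed `ss`-style listener output and /etc/passwd-style account lines against a hypothetical baseline for a made-up front-end processor "fep-01"; every host name, port, service and account in it is constructed sample data.

```python
"""Baseline check for open ports, services and accounts on a critical cyber asset.

Added example, not from the original presentation. Supports CIP-005 R4
(assessment tests for open ports/services and improper account management)
and CIP-007 R2/R5 (disable unnecessary TCP/UDP ports and OS services; manage
accounts). Every host name, port, service and account below is constructed
sample data; the baseline format is a hypothetical one, not a NERC artefact.
"""
import re

# Constructed, documented baseline for a hypothetical SCADA front-end processor
# "fep-01": the only listeners and local accounts that are required.
BASELINE = {
    "fep-01": {
        "listeners": {("tcp", 22), ("tcp", 20000), ("udp", 123)},  # ssh, DNP3, NTP
        "accounts": {"root", "scada", "ntp", "sshd"},
    },
}

# Constructed sample in the style of `ss -Hltunp` output (not captured from a real host).
SS_SAMPLE = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:20000   0.0.0.0:* users:(("dnp3d",pid=1201,fd=5))
tcp   LISTEN 0 5   0.0.0.0:23      0.0.0.0:* users:(("telnetd",pid=930,fd=4))
udp   UNCONN 0 0   0.0.0.0:123     0.0.0.0:* users:(("ntpd",pid=640,fd=16))
udp   UNCONN 0 0   0.0.0.0:161     0.0.0.0:* users:(("snmpd",pid=701,fd=8))
"""

# Constructed /etc/passwd-style lines for the same host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
scada:x:1001:1001::/home/scada:/bin/bash
ntp:x:105:109::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
vendor:x:1002:1002:vendor support:/home/vendor:/bin/bash
svcbackup:x:0:0::/root:/bin/sh
"""

# proto, state, recv-q, send-q, local addr:port, peer, optional users:(("name",...
LISTENER_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


def parse_listeners(ss_text):
    """Return a set of (proto, port, process) tuples from ss-style lines."""
    found = set()
    for line in ss_text.splitlines():
        m = LISTENER_RE.match(line)
        if not m:
            continue  # skip header or malformed lines
        proto, local, proc = m.groups()
        # rsplit handles IPv4 "0.0.0.0:22", IPv6 "[::]:22" and "*:22" alike
        port = int(local.rsplit(":", 1)[1])
        found.add((proto, port, proc or "?"))
    return found


def parse_accounts(passwd_text):
    """Return {name: uid} from passwd-style lines."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts


def assess(host, ss_text, passwd_text, baseline=BASELINE):
    """Diff live listeners and accounts against the documented baseline."""
    expected = baseline[host]
    seen = parse_listeners(ss_text)
    seen_ports = {(proto, port) for proto, port, _ in seen}
    accounts = parse_accounts(passwd_text)
    return {
        # listeners the baseline does not justify: CIP-007 R2 candidates for disabling
        "unapproved_listeners": {t for t in seen if (t[0], t[1]) not in expected["listeners"]},
        # required services that are not running: an availability finding, not a security one
        "missing_listeners": expected["listeners"] - seen_ports,
        # local accounts with no documented need (CIP-007 R5 / CIP-005 R4)
        "unapproved_accounts": set(accounts) - expected["accounts"],
        # any second UID-0 account is improper account management regardless of baseline
        "extra_uid0_accounts": {n for n, uid in accounts.items() if uid == 0 and n != "root"},
    }


if __name__ == "__main__":
    report = assess("fep-01", SS_SAMPLE, PASSWD_SAMPLE)
    for finding, items in report.items():
        print(f"{finding}: {sorted(items) if items else 'none'}")
```

On a real host the two samples would be replaced by the output of `ss -Hltunp` and the contents of /etc/passwd, and the report kept as evidence for the periodic assessment.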
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
- R1 - Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization.
- R2 - Document incidents and capture/retain applicable collateral documentation that supports incident investigation.
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News Updates

August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (the CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.

The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.

As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs

FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.

FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing Section 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs (cont.)

FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.

For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.

Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs

• Discretion and Business Judgment

All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that the standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to the next.
FERC Concerns with CIPs (cont.)

• Defining Compliance

FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs (cont.)

• Applicability

Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as Responsible Entities. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)

Applies to: Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
Timeline: quarterly, 2007 Q2 through 2010 Q4.
Requirements tracked per standard: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Milestone legend: BW (begin work), SC (substantially compliant), C (compliant), AC (auditably compliant).
[Chart: the per-quarter milestone markers of the original schedule are not recoverable from the extracted text.]
Compliance Schedule – Table 1 (Other Facilities)

Applies to: Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
Timeline: quarterly, 2007 Q2 through 2010 Q4.
Requirements tracked per standard: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Milestone legend: BW (begin work), SC (substantially compliant), C (compliant), AC (auditably compliant).
[Chart: the per-quarter milestone markers of the original schedule are not recoverable from the extracted text.]
Compliance Schedule – Table 2 (All Facilities)

Applies to: Transmission Service Providers, Regional Reliability Organizations, and those TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
Timeline: quarterly, 2007 Q2 through 2010 Q4.
Requirements tracked per standard: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Milestone legend: BW (begin work), SC (substantially compliant), C (compliant), AC (auditably compliant).
[Chart: the per-quarter milestone markers of the original schedule are not recoverable from the extracted text.]
Compliance Schedule – Table 3 (All Facilities)

Applies to: Responsible Entities (IAs, TOs, etc.) required to register during 2006.
Timeline: quarterly, 2007 Q1 through 2010 Q4.
Requirements tracked per standard: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Milestone legend: BW (begin work), SC (substantially compliant), C (compliant), AC (auditably compliant).
[Chart: the per-quarter milestone markers of the original schedule are not recoverable from the extracted text.]
Compliance Schedule – Table 4 (All Facilities)

Applies to: Responsible Entities registering in 2007 and thereafter.
Timeline: quarters counted from registration (registration plus Q1, Q2, ... Q11).
Requirements tracked per standard: CIP-002 R1–R4; CIP-003 R1–R6; CIP-004 R1–R4; CIP-005 R1–R5; CIP-006 R1–R6; CIP-007 R1–R9; CIP-008 R1–R2; CIP-009 R1–R5.
Milestone legend: BW (begin work), SC (substantially compliant), C (compliant), AC (auditably compliant).
[Chart: the per-quarter milestone markers of the original schedule are not recoverable from the extracted text.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President – Cyber SECurity Consulting

Questions
Security Policies (cont.)

• Computer Network Security Policy: Purpose; Scope; General Policy; Responsibilities; System Access Control; End-User Passwords; Password System Set-Up; Logon and Logoff Process; System Privileges; Establishment of Access Paths; Computer Viruses, Worms and Trojan Horses; Data and Program Backup; Encryption; Portable Computers; Remote Printing; Privacy; Logs and Other Systems Security Tools; Handling Network Security Information; Patch Management and Installation; Physical Security of Computer and Communications Gear; Exceptions and Violations
• Internet Security Policy for Users: Introduction; Information Integrity; Information Confidentiality; Public Representations; Intellectual Property Rights; Access Control; Personal Use; Privacy Expectations; Reporting Security Problems
• Privacy Policy (Stringent): Overview and Applicability; Definitions; Specific Requirements; Information to Be Given to the Individual; Individual's Right of Access to Data; Individual's Right to Object; Disclosure of Personal Data to Third Parties; Processing Confidentiality and Security; Monitoring of Internal Activities
• Privacy Policy (Lenient): Company Intentions and Management Responsibilities; Disclosure of Private Information; Appropriate Handling of Private Information; Private Information on Computer and Communication Systems; Activity Monitoring (computer, phone, FAX); Handling Personnel Information; Private Information from Job Seekers; Private Information About Customers and Vendors
• Web Privacy Policy
• Data Classification Policy: Access Control; Classification Labels; Labeling; Third-Party Interactions; Shipping and Handling; Declassification and Downgrading; Destruction and Disposal; Physical Security; Special Considerations for Secret Information
• External Party Information Disclosure Policy: Determining If Disclosure Is Appropriate; Resolving Problems with Disclosure Processes; Required Disclosure Records; Preparing Information for Disclosure
• Information Ownership Policy
• Firewall Policy
• Download Policy
• Security Awareness-Raising Methods: In Person; In Writing; On Systems; On Other Things
• External Network Interface Security Policy: Harmonization; Access Control Considerations; Encryption and Public Key Infrastructure Considerations; Change Control and Contingency Planning Considerations; Network Management Considerations
CIP-004 Personnel & Training

Required Initial Actions

Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.

• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements

Required On-Going Actions

Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel who are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
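The R4 requirement above, and the on-going review of access rights as personnel status and job descriptions change, can be driven from data the entity already holds: the HR roster and the lists of physical and electronic access grants. The Python script below is an added example written for this page, not code from the deck, from Cyber SECurity Consulting or from NERC. The roster, the grants, the role-to-entitlement table and the review intervals (seven years for the background check, one year for training) are constructed assumptions for illustration; an entity substitutes its own job descriptions and the intervals its program requires.

```python
"""Periodic access-rights review for CIP-004 R4 and the on-going
re-qualification of personnel holding access.

Added example for this page, not code from the deck or from NERC. The HR
roster, access list, role-to-entitlement table and review intervals are
constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role-based entitlements: the access that each job role justifies.
ROLE_ENTITLEMENTS = {
    "scada_operator": {"control_room_physical", "ems_console"},
    "scada_engineer": {"control_room_physical", "server_room_physical",
                       "ems_console", "ems_admin"},
    "network_admin":  {"telecom_room_physical", "firewall_admin"},
}

@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    status: str                       # "active" or "terminated"
    background_check: Optional[date]  # date the last check was completed
    training: Optional[date]          # date of the last cyber security training

@dataclass(frozen=True)
class Grant:
    user_id: str
    access: str                       # a physical or electronic access type

def review_access(roster, grants, today, check_interval_days=7 * 365,
                  training_interval_days=365):
    """Return (user_id, access, finding) tuples.

    A grant is flagged when the account has no HR record, the person is not
    active, or the role does not justify the access. Every active person who
    holds any access is then checked for a current background check and
    current training (those two findings use "*" as the access field)."""
    people = {p.user_id: p for p in roster}
    findings, holders = [], set()
    for g in grants:
        p = people.get(g.user_id)
        if p is None:
            findings.append((g.user_id, g.access, "no HR record for this account"))
        elif p.status != "active":
            findings.append((g.user_id, g.access, "personnel status is %s" % p.status))
        else:
            holders.add(p.user_id)
            if g.access not in ROLE_ENTITLEMENTS.get(p.role, set()):
                findings.append((g.user_id, g.access, "not justified by role %s" % p.role))
    for uid in sorted(holders):
        p = people[uid]
        if p.background_check is None or (today - p.background_check).days > check_interval_days:
            findings.append((uid, "*", "background check missing or expired"))
        if p.training is None or (today - p.training).days > training_interval_days:
            findings.append((uid, "*", "cyber security training overdue"))
    return findings

# Constructed sample data (not real personnel or systems).
ROSTER = [
    Person("jdoe", "scada_operator", "active", date(2005, 6, 1), date(2007, 11, 1)),
    Person("asmith", "scada_engineer", "terminated", date(2004, 2, 1), date(2007, 3, 1)),
    Person("bwong", "network_admin", "active", None, date(2006, 1, 1)),
]
GRANTS = [
    Grant("jdoe", "control_room_physical"),
    Grant("jdoe", "ems_admin"),              # operator holding admin rights
    Grant("asmith", "ems_console"),          # account survived termination
    Grant("bwong", "telecom_room_physical"),
    Grant("svc_legacy", "firewall_admin"),   # no person behind the account
]

def sample_review():
    """Run the review over the constructed data as of 15 January 2008."""
    return review_access(ROSTER, GRANTS, today=date(2008, 1, 15))

if __name__ == "__main__":
    for finding in sample_review():
        print(finding)
```

Each finding maps directly onto an action the on-going program has to take: revoke the grant, re-run the check, or schedule the training. Running the review on a schedule and keeping its output is also the evidence an auditor will ask for.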
CIP-005 Electronic Security

Required Initial Actions

Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.

• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points, tests for open ports and services, and checks for improper account management
• R5 – Classify and protect the information and documentation resulting from this process, and establish policies and procedures for handling it

Required On-Going Actions

Establish a program and procedures that protect the resulting documentation, ensure that vulnerability assessments are performed and evaluated on a periodic basis, and ensure that appropriate countermeasures are deployed as needed.
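R3 (monitor and review all electronic access) only earns its keep if the review turns raw access-point logs into decisions. The Python script below is an added example written for this page, not code from the deck or from NERC. The gateway log format, host name, account names and the threshold of five failures within five minutes are constructed assumptions. It flags a failed-login burst from one source, a successful login by an account that is not on the authorized list for that access point, and a success that follows a burst from the same source (the case that most needs a human to look at it).

```python
"""Monitoring of electronic access at a perimeter access point (CIP-005 R3).

Added example for this page, not code from the deck or from NERC. The log
line format, host names, accounts and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed format of one line written by a dial-in / VPN gateway on the perimeter.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$")

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def monitor(lines, authorized, fail_threshold=5, window_seconds=300):
    """Return alerts as (timestamp, kind, src, user) tuples, in log order.

    failed-login burst   : fail_threshold failures from one source inside
                           window_seconds (reported once per burst; the user
                           field is the account tried last)
    unauthorized account : a successful login by an account not on the
                           authorized list for this access point
    success after burst  : a successful login from a source that produced a
                           burst alert earlier in the input"""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    burst_sources = set()
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue              # unparseable lines are skipped, not trusted
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= fail_threshold:
                alerts.append((ts, "failed-login burst", src, user))
                burst_sources.add(src)
                q.clear()         # start counting the next burst from zero
            continue
        if user not in authorized:
            alerts.append((ts, "unauthorized account", src, user))
        if src in burst_sources:
            alerts.append((ts, "success after burst", src, user))
    return alerts

# Constructed sample log (not from a real system).
SAMPLE_LOG = [
    "2008-01-15T02:10:01 gw01 auth: user=jdoe src=10.20.30.40 result=OK",
    "2008-01-15T02:14:07 gw01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2008-01-15T02:14:09 gw01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2008-01-15T02:14:12 gw01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2008-01-15T02:14:15 gw01 auth: user=root src=203.0.113.9 result=FAIL",
    "2008-01-15T02:14:19 gw01 auth: user=operator src=203.0.113.9 result=FAIL",
    "2008-01-15T02:14:22 gw01 auth: user=operator src=203.0.113.9 result=FAIL",
    "2008-01-15T02:15:40 gw01 auth: user=operator src=203.0.113.9 result=OK",
    "2008-01-15T03:02:00 gw01 auth: user=bwong src=10.20.30.41 result=FAIL",
    "2008-01-15T03:02:30 gw01 auth: user=bwong src=10.20.30.41 result=OK",
]
AUTHORIZED = {"jdoe", "bwong"}   # accounts permitted through this access point

def sample_alerts():
    """Run the monitor over the constructed log."""
    return monitor(SAMPLE_LOG, AUTHORIZED)

if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The authorized list is per access point on purpose: the same account may be legitimate on the corporate VPN and unacceptable on the dial-in line to the SCADA LAN, and a single global list hides that difference.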
Important Terms (cont.)

Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.

The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other

If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
Establishing the "Electronic Perimeter"

[Diagram: the SCADA/EMS system facility, with its SCADA LAN, a Dept LAN and the Corporate network, and every interface that crosses the perimeter: a gateway, web server and e-mail reaching the Internet via TelCo and an ISP; a WAN to a related system; an unprotected modem and a dial-out backup line; a leased T1 line to the backup-site SCADA/EMS system; IP links via TelCo to the transmission substations, with RTUs and dial-in IED access; links to the regional balancing authority, transmission operator or reliability coordinator; plus a WiFi AP, doubly-connected workstations, portable devices, storage devices and physical media. The x marks in the original drawing sit on each of these crossings.]
Defending the "Electronic Perimeter"

Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets

Required Initial Actions

Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.

• R1 – Establish the physical security plan and the perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, whether successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages

Physical Security of Critical Cyber Assets (cont.)

Required On-Going Actions

Establish a program and procedures that ensure physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont.)

Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.

The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"

[Diagram: a Facility with limited, monitored/controlled access points; inside it, Office Areas and monitored hallways, and a SCADA Operations area that again has limited, monitored/controlled access points and contains the Control Room, the Computer/Server Room and the Telecom/LAN Room, each with separate access rights and controlled, monitored access.]
Defending the "Physical Perimeter"

Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management

Required Initial Actions

Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.

• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner

Systems Security Management (cont.)

Required Initial Actions (cont.)

• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date

Required On-Going Actions

Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
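CIP-005 R4 (test for open ports and services at each access point) and CIP-007 R2 above (disable unnecessary TCP/UDP ports and OS services) both come down to the same two things: a documented baseline of the services each critical system is required to expose, and a repeatable comparison of that baseline against what the system actually listens on. The Python script below is an added example written for this page, not code from the deck or from NERC. The baseline and the listener output are constructed; the listener lines follow the column layout of `ss -tulnp` on Linux (the process column needs root), so the same parser can be fed the real command's output on a test bench before anything is changed on a production host.

```python
"""Ports-and-services check for CIP-005 R4 and CIP-007 R2: compare what a
critical system is listening on against the documented baseline.

Added example for this page, not code from the deck or from NERC. The baseline
and the sample listener output are constructed assumptions; the sample lines
use the column layout of `ss -tulnp` (root is needed for the process column)."""
import re

# One `ss -tulnp` line: netid, state, recv-q, send-q, local addr:port, peer, process
SS_RE = re.compile(
    r'^(?P<netid>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?')

def parse_listeners(output):
    """Yield (proto, port, process, local_address) for each listening socket.
    The header line and anything else that does not parse is ignored."""
    for line in output.splitlines():
        m = SS_RE.match(line.strip())
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # handles [::]:22 too
        yield m.group("netid"), int(port), m.group("proc") or "?", addr

def compare(observed, baseline):
    """baseline: {(proto, port): process_name}. Returns a dict of findings:
    unexpected : listeners absent from the baseline (disable them, or document
                 compensating measures where they cannot be disabled)
    mismatch   : a baseline port served by a different process than documented
    missing    : baseline services not listening (an availability problem, or
                 a sign the system was changed without going through R1 testing)"""
    seen, unexpected, mismatch = {}, [], []
    for proto, port, proc, addr in observed:
        seen[(proto, port)] = proc
        if (proto, port) not in baseline:
            scope = "loopback" if addr in ("127.0.0.1", "[::1]") else "network"
            unexpected.append((proto, port, proc, scope))
        elif baseline[(proto, port)] != proc:
            mismatch.append((proto, port, proc, baseline[(proto, port)]))
    missing = [(p, n, baseline[(p, n)]) for (p, n) in sorted(baseline) if (p, n) not in seen]
    return {"unexpected": sorted(unexpected), "mismatch": sorted(mismatch), "missing": missing}

# Constructed baseline for one SCADA front-end host (assumed, not from any standard).
BASELINE = {("tcp", 22): "sshd", ("tcp", 502): "modbusd",
            ("udp", 161): "snmpd", ("tcp", 20000): "dnp3d"}

# Constructed listener output. Port 502 is served by something other than the
# documented daemon, telnet is up, a local database listens on loopback, and
# the DNP3 service that should be running is not.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502       0.0.0.0:*   users:(("python",pid=1203,fd=5))
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*   users:(("telnetd",pid=1401,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*   users:(("postgres",pid=700,fd=7))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*   users:(("snmpd",pid=900,fd=6))
"""

def sample_findings():
    """Compare the constructed listener output against the constructed baseline."""
    return compare(parse_listeners(SAMPLE_SS), BASELINE)

if __name__ == "__main__":
    for kind, items in sample_findings().items():
        print(kind, items)
```

Keying the baseline by (protocol, port) and also recording the expected process catches the case a port scan alone misses: the right port open, but owned by the wrong binary. The loopback/network distinction is there so the report can separate what is reachable across the perimeter from what only the host itself can reach.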
CIP-008 Incident Reporting & Response Planning

Required Initial Actions

Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures, and that the procedures are validated and modified as required.

• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain the applicable collateral documentation that supports incident investigation

Required On-Going Actions

Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets

Required Initial Actions

Create a program to develop and test written procedures and training programs.

• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations

Required On-Going Actions

Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure that recovery can be achieved.
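R4 and R5 above amount to two checks on a backup set: that the media still reads back exactly what was written, and that the record of what was written cannot itself be altered unnoticed. The Python script below is an added example written for this page, not code from the deck or from NERC; the backup files and the manifest key are constructed assumptions. It produces a manifest of per-file SHA-256 digests, authenticates the manifest with an HMAC under a key that is kept away from the media, and then verifies a restored file tree against it, reporting modified, missing and unexpected files.

```python
"""Backup image integrity for CIP-009 R4/R5: record a keyed manifest when the
backup set is made, verify the media before relying on it for recovery.

Added example for this page, not code from the deck or from NERC. The backup
set, file names and key are constructed assumptions; the key is kept apart
from the media so that a tampered manifest is detected as well."""
import hashlib
import hmac
import json
from pathlib import Path

def read_tree(root):
    """Map relative file names to contents for every file under root
    (use this on a real restored directory; the demo uses an in-memory set)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}

def _canonical(entries):
    # One byte-exact encoding of the file list, so the HMAC is reproducible.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def make_manifest(files, key):
    """files: {name: bytes}. Returns a JSON manifest with a SHA-256 per file
    and an HMAC-SHA256 tag over the whole file list."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag})

def verify_backup(files, manifest_json, key):
    """Returns (ok, problems). Any problem means the set must not be used for
    a recovery drill or a real restore until it is explained."""
    doc = json.loads(manifest_json)
    expected = hmac.new(key, _canonical(doc["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc.get("hmac", "")):
        return False, ["manifest authentication failed"]   # manifest was altered
    problems = []
    for name, digest in doc["files"].items():
        if name not in files:
            problems.append("missing: " + name)
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append("modified: " + name)
    for name in files:
        if name not in doc["files"]:
            problems.append("unexpected: " + name)
    return not problems, sorted(problems)

# Constructed backup set and key (not real data; the key would live in the
# entity's key store, never on the backup media).
BACKUP = {
    "ems/config.xml": b"<ems><host>ems01</host></ems>",
    "ems/points.db": b"\x00\x01\x02" * 100,
    "rtu/fw-3.2.bin": bytes(range(256)),
}
KEY = b"example-manifest-key-kept-off-media"

def demo():
    """Verify a clean set, a damaged set, and a set whose manifest was edited."""
    manifest = make_manifest(BACKUP, KEY)
    good = verify_backup(BACKUP, manifest, KEY)
    damaged = dict(BACKUP)
    damaged["ems/points.db"] = b"\x00\x01\x03" * 100      # bit rot or tampering
    del damaged["rtu/fw-3.2.bin"]                          # file lost from media
    bad_media = verify_backup(damaged, manifest, KEY)
    forged = json.loads(manifest)
    forged["files"]["ems/config.xml"] = hashlib.sha256(b"x").hexdigest()
    bad_manifest = verify_backup(BACKUP, json.dumps(forged), KEY)
    return good, bad_media, bad_manifest

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The periodic media test that R5 asks for is then `verify_backup(read_tree(restore_dir), manifest, key)` on a copy restored to scratch space, with the result filed as the test record; a verification that fails is as important a finding as one that passes.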
Cyber Securing SCADA Systems: NERC Self Assessment Process

Information gathering phase
• Identify and document Critical Cyber Assets (physical audit)
• Identify and document Critical Cyber Information (physical audit)
• Identify and document the Physical Security Perimeter (physical inspection)
• Identify and document communication and network connections (physical inspection)
• Identify and document all personnel who have access rights (background checks)
• Identify and review all existing cyber security policies and procedures (NERC checklist)

Action plan formulation phase
• Review findings versus NERC requirements (non-compliance levels)
• Develop an action plan for addressing all short-comings

Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems: NERC Compliance Process

Plan implementation phase
• Develop and document necessary policies and procedures (iterative reviews)
• Select methods for creating the electronic security perimeter (technology survey)
• Implement and test the electronic perimeter (PEN testing)
• Select methods for creating the physical security perimeter (technology survey)
• Implement and test the physical security perimeter (social engineering testing)
• Provide security training to all employees as needed (awareness campaign)

Testing and validation phase
• Test and validate systems management and recovery procedures (disaster simulation & audits)
• Test and validate system/component test/commissioning procedures

Key methodology/standard: structured audit
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 1 (Control Centers)
Compliance schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Figure: quarter-by-quarter milestone chart, 2007 Q2 through 2010 Q4, with one row per requirement (CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5). Markers show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 1 (Other Facilities)
Compliance schedule for Balancing Authorities, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Figure: quarter-by-quarter milestone chart, 2007 Q2 through 2010 Q4, with one row per requirement (CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5). Markers show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 2 (All Facilities)
Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and those TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Figure: quarter-by-quarter milestone chart, 2007 Q2 through 2010 Q4, with one row per requirement (CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5). Markers show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc) required to register during 2006.
[Figure: quarter-by-quarter milestone chart, 2007 Q1 through 2010 Q4, with one row per requirement (CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5). Markers show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter.
[Figure: milestone chart laid out by quarter after registration (registration plus Q1 through Q11), with one row per requirement (CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5). Markers show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions?
CIP-004 Personnel & Training
Required Initial Actions
Create a program, with policies and procedures and routine audit and verification, to ensure that personnel have job-appropriate access rights and cyber security training and are suitable for the positions of trust assigned to them.
• R1 – Implement a security awareness program to focus all personnel on security issues
• R2 – Establish detailed cyber security training, including procedural and policy training, for all personnel with physical and electronic access rights
• R3 – Perform background, criminal and financial checks on all personnel with physical and electronic access rights
• R4 – Identify and document the personnel needing access rights and relate access rights to job requirements
Required On-Going Actions
Establish a program of on-going security awareness and HR procedures that initially and periodically (re)qualify personnel who are to have secure access. Review and adjust access rights as personnel status and job descriptions change.
CIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets and the account management of all computer assets, and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security.
• R1 – Identify the electronic security perimeter and all access points
• R2 – Establish electronic access controls with strong authentication
• R3 – Monitor and review all electronic access to critical systems
• R4 – Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points and tests for open ports and services and improper account management
• R5 – Classify, protect and establish policies and procedures in regard to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation, ensure that vulnerability assessments are performed and evaluated on a periodic basis, and ensure that appropriate countermeasures are deployed as needed.
Important Terms (cont)
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
The issue here is to identify ALL communication interfaces:
- Telephone [leased/dial/cellular]
- LAN, WAN, WLAN
- Private/public networks
- "SNEAKERnet" (portable devices/media)
- Other
If they provide access to your critical cyber assets, then ensure that they are actually required and, if so, properly protected using suitable technological countermeasures. Included in this requirement is a need for effective electronic authentication and for access monitoring and intrusion detection.
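What the access monitoring called for here looks like in practice, as an added example that is not part of the presentation: a review pass over authentication events from the perimeter access points (CIP-005 R3) checked against the roster of who is approved for which access point (CIP-004 R4). The log line format, the roster, the access point names and the failure threshold are constructed assumptions for this example; a real review would take the log from the VPN gateway, dial-in server or IDS and the roster from the documented access list.

```python
"""Review of perimeter access logs against the documented access roster.

Added example, not from the presentation: it reads authentication events
from electronic access points (VPN gateway, dial-in port) and reports what
a CIP-005 R3 access review would flag, using the CIP-004 R4 roster of who
is approved for which access point. The log format, roster contents and
thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed roster (CIP-004 R4): account -> access points the person is approved for.
ROSTER = {
    "jsmith": {"vpn-gw1", "dialin-ied"},
    "mlee": {"vpn-gw1"},
    "ops-shared": set(),  # documented account with no approved remote access point
}

# Constructed log line format:
# "<ISO timestamp> <access point> <account> <LOGIN_OK|LOGIN_FAIL> <source>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<result>LOGIN_OK|LOGIN_FAIL)\s+(?P<src>\S+)$"
)

SAMPLE_LOG = [  # constructed sample input
    "2008-03-02T08:00:00 vpn-gw1 jsmith LOGIN_OK 203.0.113.10",
    "2008-03-02T08:05:00 dialin-ied mlee LOGIN_OK +15550100",
    "2008-03-02T08:10:00 vpn-gw1 contractor7 LOGIN_OK 198.51.100.5",
    "this line is not in the expected format",
    "2008-03-02T08:11:00 vpn-gw1 ops-shared LOGIN_FAIL 198.51.100.9",
    "2008-03-02T08:12:00 vpn-gw1 ops-shared LOGIN_FAIL 198.51.100.9",
    "2008-03-02T08:13:30 vpn-gw1 ops-shared LOGIN_FAIL 198.51.100.9",
    "2008-03-02T08:20:00 vpn-gw1 ops-shared LOGIN_FAIL 198.51.100.9",
]


@dataclass(frozen=True)
class Finding:
    kind: str          # unknown_account | unapproved_access_point | failed_burst
    account: str
    access_point: str
    detail: str


def parse_line(line):
    """Return the parsed event as a dict, or None for a line in an unknown format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review_access_log(lines, roster, fail_threshold=3, window=timedelta(minutes=5)):
    """Walk the log once and collect the events an access reviewer must examine."""
    findings = []
    failures = defaultdict(list)  # (account, access point) -> recent failure timestamps
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped here; a real review would count them
        user, ap = ev["user"], ev["ap"]
        if ev["result"] == "LOGIN_OK":
            if user not in roster:
                findings.append(Finding("unknown_account", user, ap,
                                        "successful login by an account not on the roster"))
            elif ap not in roster[user]:
                findings.append(Finding("unapproved_access_point", user, ap,
                                        "successful login at an access point the account is not approved for"))
            continue
        # Failed attempt: keep a sliding window of failures per (account, access point)
        stamps = failures[(user, ap)]
        stamps.append(ev["ts"])
        while stamps and ev["ts"] - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) == fail_threshold:  # report once when the threshold is first crossed
            findings.append(Finding("failed_burst", user, ap,
                                    f"{fail_threshold} failed logins within {window}"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, ROSTER):
        print(f"{f.kind:24} {f.account:12} {f.access_point:10} {f.detail}")
```

On the constructed sample the review reports three items: a successful dial-in login by an account approved only for the VPN gateway, a successful login by an account that is not on the roster at all, and a burst of three failed logins within five minutes on a shared account. The fourth failure at 08:20 falls outside the window and does not produce a second report, which keeps the output to one line per incident for the reviewer.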
Establishing the "Electronic Perimeter"
[Figure: network diagram of a SCADA/EMS system facility. Inside the facility: the SCADA LAN with RTUs, a gateway/web server, email, a department LAN and the corporate LAN, doubly-connected workstations, a WiFi AP, portable devices, storage devices and physical media, and an unprotected modem. External connections: the Internet via an ISP, a WAN, a dial-out backup, TelCo circuits, a leased T1 line carrying IP to the substation (transmission substations, with dial-in IED access), a related system, a backup-site SCADA/EMS system, and the regional Balancing Authority, Transmission Operator or Reliability Coordinator. The x marks in the original diagram flag the connections to be examined as perimeter access points.]
Defending the "Electronic Perimeter"
Intrusion Detection (NIDS/HIDS) Systems
Strong (multi-factor) authentication
Encryption on portable media/devices
VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Figure: floor-plan style diagram of a facility. The SCADA Operations area (control room, computer/server room and telecom/LAN room) sits inside the facility with the office areas outside it; the facility and the SCADA Operations area each have limited, monitored and controlled access points, the hallways are monitored, and the inner rooms carry separate access rights.]
Defending the "Physical Perimeter"
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls, doors, cages, barriers and locks
Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies for the use of, additions to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, with audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
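One way to make the "disable unnecessary ports and services" requirement (CIP-007 R2) checkable on an on-going basis, as an added example that is not part of the presentation: a documented baseline of the ports and owning processes a critical system is allowed to expose, compared with what the host is actually listening on. The sample output is modelled on `ss -ltunp` but is constructed, and the baseline entries and process names (`scada-fe`, `hids-agent`) are hypothetical.

```python
"""Listening-socket baseline check for a critical cyber asset (CIP-007 R2).

Added example, not from the presentation: it parses the output of
`ss -ltunp` (listening TCP and UDP sockets with owning process) and compares
it with a documented baseline of the ports and services that are required on
the host. Anything listening that is not in the baseline, any approved port
served by an unexpected process, and any required service that is not
listening is reported. The baseline and the sample `ss` output are
constructed for this example; the process names in it are hypothetical.
"""
import re
from collections import defaultdict

# Constructed baseline: (protocol, port) -> process that is allowed to own it.
BASELINE = {
    ("tcp", 22): "sshd",          # remote administration through the ESP access point
    ("tcp", 502): "scada-fe",     # hypothetical SCADA front-end service
    ("tcp", 8443): "hids-agent",  # hypothetical host IDS management port
    ("udp", 161): "snmpd",
    ("udp", 514): "rsyslogd",     # log forwarding to the monitoring system
}

# Constructed sample modelled on `ss -ltunp` output.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=901,fd=4))
tcp   LISTEN 0      64     10.0.5.20:502      0.0.0.0:*         users:(("scada-fe",pid=1200,fd=9))
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=1333,fd=4))
tcp   LISTEN 0      128    0.0.0.0:8443       0.0.0.0:*         users:(("python3",pid=1410,fd=5))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=811,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=640,fd=7))
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*         users:(("in.tftpd",pid=700,fd=5))
""".splitlines()

PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def parse_ss_output(lines):
    """Return {(proto, port): set(process names)} from ss-style lines."""
    sockets = defaultdict(set)
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        proto, local = tokens[0], tokens[4]
        try:
            port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:22, [::]:22 and *:22
        except (IndexError, ValueError):
            continue
        m = PROC_RE.search(line)
        sockets[(proto, port)].add(m.group("name") if m else "<unknown>")
    return sockets


def check_listening_sockets(ss_lines, baseline):
    """Compare observed listeners with the baseline; returns findings grouped by kind."""
    listening = parse_ss_output(ss_lines)
    report = {"unapproved": [], "process_mismatch": [], "missing": []}
    for (proto, port), procs in sorted(listening.items()):
        expected = baseline.get((proto, port))
        for proc in sorted(procs):
            if expected is None:
                report["unapproved"].append((proto, port, proc))
            elif proc != expected:
                report["process_mismatch"].append((proto, port, expected, proc))
    for (proto, port), expected in sorted(baseline.items()):
        if (proto, port) not in listening:
            report["missing"].append((proto, port, expected))
    return report


def baseline_holds(report):
    """True only when nothing unexpected is listening and every required service is up."""
    return not any(report.values())


if __name__ == "__main__":
    rep = check_listening_sockets(SAMPLE_SS_OUTPUT, BASELINE)
    for kind, items in rep.items():
        for item in items:
            print(kind, item)
    print("baseline holds:", baseline_holds(rep))
```

The "missing" category matters as much as the other two on a control system: a host IDS agent or log forwarder that has stopped listening is a monitoring gap (CIP-007 R6), not just a tidy-up item, so the check fails the baseline for it as well. Running the check from the patch and change-management process (R1, R3) catches services that an upgrade has silently re-enabled.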
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures, and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to restore critical cyber assets to full operation
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure that recovery can be achieved.
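Securing backup images (R4) and periodically testing the media (R5) can share one mechanism, shown here as an added example that is not part of the presentation: a keyed manifest written when the backup set is made, and re-checked during each media test so that a corrupted, missing or unrecorded image is found before a drill or a real restore depends on it. The image contents, file names and the manifest key are constructed for the example.

```python
"""Integrity check of backup images for recovery testing (CIP-009 R4 and R5).

Added example, not from the presentation: when a backup image set is created
a keyed manifest (HMAC-SHA256 per image) is written alongside it; when the
backup media is tested, every image is recomputed and compared with the
manifest so that corrupted, missing or unlisted images are found before a
restore depends on them. The image contents and the key are constructed for
this example; in practice the key lives with the recovery cache, not on the
backup media.
"""
import hashlib
import hmac

# Constructed manifest key. It must be stored separately from the media so
# that someone able to alter the media cannot also rewrite the manifest.
MANIFEST_KEY = b"constructed-manifest-key-for-this-example"

# Constructed "images": in practice these are files read from the backup media.
ORIGINAL_IMAGES = {
    "scada-server.img": b"\x00SCADA-SERVER-IMAGE\x00" * 512,
    "historian.img": b"\x00HISTORIAN-IMAGE\x00" * 512,
    "rtu-config.tar": b"RTU-CONFIG-ARCHIVE" * 64,
}


def image_tag(data, key=MANIFEST_KEY):
    """Keyed digest of one image."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(images, key=MANIFEST_KEY):
    """Manifest written when the backup set is made: name -> keyed digest."""
    return {name: image_tag(data, key) for name, data in images.items()}


def verify_backup_set(images_on_media, manifest, key=MANIFEST_KEY):
    """Periodic media test: returns name -> 'ok' | 'corrupt' | 'missing' | 'unlisted'."""
    status = {}
    for name, expected in manifest.items():
        if name not in images_on_media:
            status[name] = "missing"
        elif hmac.compare_digest(image_tag(images_on_media[name], key), expected):
            status[name] = "ok"
        else:
            status[name] = "corrupt"
    for name in images_on_media:
        if name not in manifest:
            status[name] = "unlisted"  # on the media but never recorded: do not trust it
    return status


def restorable(status):
    """A backup set is usable for a drill only if every listed image verified."""
    return all(s == "ok" for s in status.values())


def simulate_media_test():
    """Constructed media test: one image has a flipped bit, one is gone, one is new."""
    manifest = build_manifest(ORIGINAL_IMAGES)
    on_media = dict(ORIGINAL_IMAGES)
    damaged = bytearray(on_media["historian.img"])
    damaged[1000] ^= 0x01                          # single-bit corruption
    on_media["historian.img"] = bytes(damaged)
    del on_media["rtu-config.tar"]                 # image lost from the media
    on_media["notes.txt"] = b"added after the manifest was written"
    return verify_backup_set(on_media, manifest)


if __name__ == "__main__":
    result = simulate_media_test()
    for name, state in sorted(result.items()):
        print(f"{name:18} {state}")
    print("restorable:", restorable(result))
```

A plain hash manifest would detect bit rot on the media but not a deliberate swap of an image together with its hash; keying the digest and keeping the key with the recovery cache rather than the media is what makes the manifest part of "securing" the images and not only of testing them.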
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase (step – key methodology/standard):
- Identify and document Critical Cyber Assets – Physical audit
- Identify and document Critical Cyber Information – Physical audit
- Identify and document the Physical Security Perimeter – Physical inspection
- Identify and document communication and network connections – Physical inspection
- Identify and document all personnel who have access rights – Background checks
- Identify and review all existing cyber security policies and procedures – NERC checklist
Action plan formulation phase (step – key methodology/standard):
- Review findings versus NERC requirements – Non-compliance levels
- Develop action plan for addressing all short-comings – NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase (step – key methodology/standard):
- Develop and document necessary policies and procedures – Iterative reviews
- Select methods for creating the electronic security perimeter – Technology survey
- Implement and test the electronic perimeter – PEN testing
- Select methods for creating the physical security perimeter – Technology survey
- Implement and test the physical security perimeter – Social engineering testing
- Provide security training to all employees as needed – Awareness campaign
Testing and validation phase (step – key methodology/standard):
- Test and validate systems management and recovery procedures – Disaster simulation & audits
- Test and validate system/component test/commissioning procedures – Structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
CIP-005 Electronic SecurityCIP-005 Electronic Security
Required Initial Actions
Identify and document the full range of electronic access points that provide an interface into critical cyber assets the account management of all computer assets and perform a vulnerability assessment to identify potential weaknesses and threats to cyber security
bull R1 ndash Identify the electronic security perimeter and all access pointsbull R2 ndash Establish electronic access controls with strong authenticationbull R3 ndash Monitor and review all electronic access to critical systemsbull R4 ndash Perform a cyber vulnerability assessment that identifies and addresses all electronic perimeter access points tests for open ports and services and improper account management bull R5 ndash Classify protect and establish policies and procedures in regards to the information and documentation resulting from this process
Required On-Going Actions
Establish a program and procedures that protect the resulting documentation and insures that vulnerability assessments are performed and evaluated on a periodic basis and that appropriate countermeasures are deployed as needed
copy Cyber SECurity Consulting - All rights reserved
Important Terms Important Terms (cont)(cont)
Electronic Security Perimeter The logical border surrounding a network to which Critical Cyber
Assets are connected and for which access is controlled
The issue here is to identify The issue here is to identify ALLALL communication interfaces communication interfaces - Telephone [leaseddialcellular] - Telephone [leaseddialcellular] - LAN WAN WLAN - LAN WAN WLAN - Privatepublic Networks - Privatepublic Networks - ldquoSNEAKERnetrdquo (portable devicesmedia) - ldquoSNEAKERnetrdquo (portable devicesmedia) - Other - Other
If they provide access to your critical cyber assets then insure that they are If they provide access to your critical cyber assets then insure that they are actually requiredactually required and if so and if so properly protectedproperly protected using suitable technological using suitable technological countermeasures Included in this requirement is a need for effective electronic countermeasures Included in this requirement is a need for effective electronic authentication authentication and for and for access monitoringaccess monitoring and and intrusion detectionintrusion detection
copy Cyber SECurity Consulting - All rights reserved
SCADAEMS SystemFacility
LAN
GatewayGatewayWeb serverWeb server
EmailEmail
TelCo
INTERNETINTERNET
TelCo
WAN
A relatedsystem
UnprotectedMODEM
The Electronic PerimeterThe Electronic Perimeter
ISP
Dial-outbackup
RTUsRTUs
x
x
x x
x
x xPhysicalmedia
WiFiWiFiAPAP
Doubly-connectedworkstations
x
xPortable devices
x
Storagedevices
x
DeptLAN
Corporate
SCADALAN
Backup siteSCADAEMS System
TransmissionSubstations
TelCo
Leased T1 lineLeased T1 line
IP t
o t
he s
ub
stati
on
IP t
o t
he s
ub
stati
on
TelCo
Dial-inIED access
x
x
x
x
Establishing the ldquoElectronic PerimeterrdquoEstablishing the ldquoElectronic Perimeterrdquo
Regional balancing authority
Transmission Operator or Reliability
Coordinator
copy Cyber SECurity Consulting - All rights reserved
Defending the "Electronic Perimeter"
• Intrusion Detection (NIDS/HIDS) systems
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/Encryption on communication circuits
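As an added worked example (not part of the presentation or its author's material), the following Python script turns the two slides above, the interface inventory and the list of perimeter defenses, into a repeatable review: every path into the SCADA/EMS network is recorded with the controls actually in place, and each is judged first on whether it is required at all and then on whether it carries the listed countermeasures. The access-point names, control labels and inventory are constructed for the example.

```python
"""Electronic Security Perimeter (ESP) access-point review.

Added illustration, not code from the presentation: it models the exercise
the slides describe for the electronic perimeter. Every communication
interface that reaches the SCADA/EMS network is recorded together with the
controls actually in place, and each is then judged: is it required at all,
and if so does it carry the countermeasures listed under "Defending the
Electronic Perimeter" (strong authentication, access monitoring, intrusion
detection, encryption)? The inventory and control names are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Controls the slides name; network paths need all four, sneakernet media
# (which carries no live session to authenticate) needs encryption and
# monitoring of its use.
REQUIRED_FOR_NETWORK = {"strong_auth", "access_monitoring", "ids", "encryption"}
REQUIRED_FOR_MEDIA = {"encryption", "access_monitoring"}


@dataclass
class AccessPoint:
    name: str
    kind: str                  # "network" (circuit, modem, WiFi) or "media" (sneakernet)
    required: bool             # documented operational need for this path?
    controls: set[str] = field(default_factory=set)


def review_access_point(ap: AccessPoint) -> list[str]:
    """Findings for one access point; an empty list means it is acceptable."""
    if not ap.required:
        # A path nobody needs is removed, not protected.
        return ["not required: remove or disconnect"]
    needed = REQUIRED_FOR_NETWORK if ap.kind == "network" else REQUIRED_FOR_MEDIA
    return [f"missing control: {c}" for c in sorted(needed - ap.controls)]


def review_perimeter(inventory: list[AccessPoint]) -> dict[str, list[str]]:
    """Map every access point that has findings to its findings."""
    report = {}
    for ap in inventory:
        findings = review_access_point(ap)
        if findings:
            report[ap.name] = findings
    return report


# Constructed inventory mirroring the perimeter diagram in the slides.
INVENTORY = [
    AccessPoint("leased T1 to substations", "network", True,
                {"strong_auth", "access_monitoring", "ids", "encryption"}),
    AccessPoint("dial-in IED access modem", "network", True, {"access_monitoring"}),
    AccessPoint("unprotected vendor modem", "network", False),
    AccessPoint("WiFi AP in control room", "network", False, {"encryption"}),
    # Dual-homed workstation bridging the corporate and SCADA LANs: it bypasses
    # the perimeter entirely, so the finding is removal, not hardening.
    AccessPoint("doubly-connected workstation", "network", False,
                {"strong_auth", "access_monitoring"}),
    AccessPoint("USB storage for patch transfer", "media", True, {"access_monitoring"}),
]

if __name__ == "__main__":
    for name, findings in review_perimeter(INVENTORY).items():
        print(name)
        for f in findings:
            print("   -", f)
```

The order of the two questions matters: a modem or dual-homed workstation that nobody needs is reported for removal before any control is evaluated, because adding authentication or monitoring to an unnecessary path still leaves the perimeter larger than it has to be.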
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets and identify all access points into that perimeter
• R2 – Establish physical access controls at all access points
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access
• R4 – Log and record all access into the security perimeter
• R5 – Retain a log of all access attempts, either successful or unauthorized
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies and record a log of outages
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
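As an added example (not from the presentation), the script below runs the checks implied by R3 through R5 and by the on-going rights review over a badge-reader log: every attempt is kept whether granted or denied, repeated refusals at one door are reported, and every granted event is cross-checked against the current rights roster so that a badge that still opens a door after a transfer or termination is caught. The log lines, badge numbers, zone names and roster are constructed for the example.

```python
"""Physical access log review for a CIP-006 perimeter.

Added example, not from the presentation. Runs the checks that CIP-006
R3-R5 and the on-going rights review imply over a badge-reader log:
every access attempt is kept (success or refusal), repeated refusals are
reported, and every GRANTED event is cross-checked against the current
rights roster so that a badge that still opens a door after a transfer or
termination is caught. Log lines, roster and zone names are constructed.
"""
from __future__ import annotations
import re
from collections import Counter

# Constructed badge-reader log: timestamp, zone, badge id, reader decision.
BADGE_LOG = """\
2008-03-04T07:58:12 zone=control_room badge=1041 result=GRANTED
2008-03-04T08:02:45 zone=server_room badge=1041 result=DENIED
2008-03-04T08:03:01 zone=server_room badge=1041 result=DENIED
2008-03-04T08:03:14 zone=server_room badge=1041 result=DENIED
2008-03-04T09:15:30 zone=server_room badge=2210 result=GRANTED
2008-03-04T21:40:07 zone=control_room badge=3377 result=GRANTED
"""

# Constructed rights roster: zones each badge is currently authorised for.
# Badge 3377 belongs to someone whose rights were revoked but whose badge
# was never deactivated in the door controller, so the roster lists no zones.
ROSTER = {
    1041: {"control_room"},
    2210: {"control_room", "server_room"},
    3377: set(),
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) zone=(?P<zone>\w+) badge=(?P<badge>\d+) result=(?P<result>GRANTED|DENIED)"
)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into records; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["badge"] = int(rec["badge"])
            records.append(rec)
    return records


def review_access(records: list[dict], roster: dict[int, set[str]],
                  deny_threshold: int = 3) -> dict[str, list]:
    """Findings a periodic review of the retained log (R5) would raise."""
    findings = {"repeated_denials": [], "rights_mismatch": []}
    denials = Counter((r["badge"], r["zone"]) for r in records if r["result"] == "DENIED")
    for (badge, zone), n in sorted(denials.items()):
        if n >= deny_threshold:
            findings["repeated_denials"].append({"badge": badge, "zone": zone, "count": n})
    for r in records:
        if r["result"] == "GRANTED" and r["zone"] not in roster.get(r["badge"], set()):
            # The reader granted access the roster does not authorise:
            # stale rights (on-going review) or a mis-programmed controller (R6).
            findings["rights_mismatch"].append(
                {"ts": r["ts"], "badge": r["badge"], "zone": r["zone"]})
    return findings


if __name__ == "__main__":
    for category, items in review_access(parse_log(BADGE_LOG), ROSTER).items():
        print(category, items)
```

The rights-mismatch check is the one that catches the failure mode the on-going actions are aimed at: the door controller said yes, so nothing in the controller's own alarms fires, and only a comparison against the authoritative roster reveals that the badge should no longer work.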
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram, labelled elements: Facility; limited, monitored/controlled access points; SCADA Operations; controlled/monitored access; Control Room; Computer/server Room; Office Areas; Telecom/LAN Room; monitored hallways; separate access rights.]
Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
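As an added example (not from the presentation), the script below shows the mechanics behind R2: the program needs a documented baseline of the TCP/UDP ports each critical system may listen on, and a periodic comparison of what is actually listening against that baseline. The capture is in the column layout of `ss -lntup`; host, ports, process names and the baseline are constructed for the example.

```python
"""Listening-service baseline check (CIP-007 R2).

Added example, not from the presentation. A CIP-007 R2 program needs a
documented baseline of the TCP/UDP ports each critical system is allowed
to listen on; this script compares an observed listener list (here a
constructed capture in the layout of `ss -lntup`) with that baseline and
reports every unexpected listener and every expected listener that has
gone missing. Ports, processes and the baseline are constructed.
"""
from __future__ import annotations
import re

# Constructed capture in the column layout of `ss -lntup` (Netid, State, Recv-Q,
# Send-Q, Local Address:Port, Peer Address:Port, Process).
OBSERVED = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=901,fd=5))
tcp   LISTEN 0      50     0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=1337,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=455,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=610,fd=7))
"""

# Documented baseline for this host: (protocol, port) -> purpose.
BASELINE = {
    ("tcp", 22): "remote administration (sshd)",
    ("tcp", 502): "Modbus/TCP to front-end processor",
    ("tcp", 5432): "local historian database",
    ("udp", 162): "SNMP trap receiver",
}

# Netid, State, Recv-Q, Send-Q, then Local Address:Port; the address part is
# matched lazily so the final ":port" is split off correctly for IPv6 too.
ROW_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(capture: str) -> set[tuple[str, int]]:
    """Extract (protocol, port) pairs from the capture; the header row is ignored."""
    found = set()
    for line in capture.splitlines():
        m = ROW_RE.match(line)
        if m:
            found.add((m.group("proto"), int(m.group("port"))))
    return found


def compare_to_baseline(observed: set[tuple[str, int]],
                        baseline: dict[tuple[str, int], str]) -> dict[str, list[tuple[str, int]]]:
    """Unexpected listeners must be disabled or formally justified (R2);
    missing ones may mean a required service has failed, which matters too."""
    expected = set(baseline)
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
    }


if __name__ == "__main__":
    report = compare_to_baseline(parse_listeners(OBSERVED), BASELINE)
    for status, ports in report.items():
        for proto, port in ports:
            print(f"{status:10} {proto}/{port}")
```

Run against the constructed capture it reports telnet (tcp/23) and SNMP (udp/161) as unexpected and the trap receiver (udp/162) as missing; in practice the "missing" list is as useful as the "unexpected" one, since a baseline that no longer matches reality is the first sign the documentation R9 asks for has drifted.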
Systems Security Management (Cont)
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
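As an added example (not from the presentation), the script below shows the kind of rule behind R6's "automatic notification of security violation attempts": authentication failures against a perimeter host are counted per source within a sliding window, an alert is raised when the count reaches a threshold, and a higher-severity alert is raised when a success follows a run of failures from the same source. The syslog-style lines, host name and addresses are constructed for the example.

```python
"""Electronic access-attempt monitoring (CIP-007 R6).

Added example, not from the presentation. Authentication failures against
a host at the perimeter are counted per source within a sliding window; an
alert is raised when the count reaches a threshold, and a higher-severity
alert when a success follows a run of failures from the same source. Log
lines, host names and addresses are constructed for the example.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style lines from an access gateway inside the ESP.
AUTH_LOG = """\
2008-03-04T02:14:01 scada-gw sshd[4101]: Failed password for operator from 192.0.2.77 port 51022
2008-03-04T02:14:09 scada-gw sshd[4103]: Failed password for operator from 192.0.2.77 port 51024
2008-03-04T02:14:18 scada-gw sshd[4105]: Failed password for root from 192.0.2.77 port 51026
2008-03-04T02:14:27 scada-gw sshd[4107]: Failed password for admin from 192.0.2.77 port 51028
2008-03-04T02:15:03 scada-gw sshd[4109]: Accepted publickey for operator from 192.0.2.77 port 51030
2008-03-04T08:30:00 scada-gw sshd[5220]: Failed password for operator from 10.10.1.5 port 40001
2008-03-04T09:45:12 scada-gw sshd[5301]: Accepted password for operator from 10.10.1.5 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text: str) -> list[dict]:
    """Parse the lines that match; anything else is ignored rather than guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events: list[dict], threshold: int = 4,
           window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return alerts in the order they would be raised."""
    alerts = []
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    alerted = set()               # sources already reported for the current run of failures
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()           # failures older than the window no longer count
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in alerted:
                alerts.append({"severity": "high", "src": e["src"], "host": e["host"],
                               "reason": f"{len(q)} failed logins within {window}"})
                alerted.add(e["src"])
        else:
            if q:                 # a success right after recent failures is the worst case
                alerts.append({"severity": "critical", "src": e["src"], "host": e["host"],
                               "reason": f"success for {e['user']} after {len(q)} recent failures"})
            q.clear()
            alerted.discard(e["src"])
    return alerts


if __name__ == "__main__":
    for a in detect(parse_auth_log(AUTH_LOG)):
        print(a["severity"].upper(), a["src"], a["host"], a["reason"])
```

The second source in the sample shows the window doing its job: one failure at 08:30 followed by a normal login over an hour later produces no alert, while the four failures and the login a minute later from the first source produce both alerts.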
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
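As an added example (not from the presentation), the script below gives one concrete form to R4 and R5: a manifest of SHA-256 digests is written when the backup image set is made, and the periodic media test recomputes the digests and reports anything missing, corrupted or unlisted. The backup set, file names and the damage applied to it are constructed in a temporary directory so the example runs offline.

```python
"""Backup image verification (CIP-009 R4/R5).

Added example, not from the presentation. R4 asks for secured backup images
and R5 for periodic proof that the media is still usable. One concrete check
is a manifest of SHA-256 digests written when the backup is made; the
periodic test recomputes the digests from the media and reports anything
missing, corrupted or unlisted. Files and manifest are constructed in a
temporary directory so the example runs offline.
"""
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record relative path and digest for every file in the backup set.
    The manifest is stored beside the set, and in practice on separate media."""
    lines = [f"{sha256_of(p)}  {p.relative_to(backup_dir).as_posix()}"
             for p in sorted(backup_dir.rglob("*")) if p.is_file()]
    manifest = backup_dir.with_name(backup_dir.name + ".manifest")
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_backup(backup_dir: Path, manifest: Path) -> dict[str, list[str]]:
    """Compare media contents with the manifest; three empty lists mean the
    media still matches what was recorded when the backup was taken."""
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    present = {p.relative_to(backup_dir).as_posix(): p
               for p in backup_dir.rglob("*") if p.is_file()}
    result = {"missing": [], "corrupted": [], "unlisted": []}
    for rel, digest in sorted(expected.items()):
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_of(present[rel]) != digest:
            result["corrupted"].append(rel)
    result["unlisted"] = sorted(set(present) - set(expected))
    return result


def demo() -> dict[str, list[str]]:
    """Build a constructed backup set, damage it, and run the R5 test."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "scada-image-2008-03"
        (backup / "config").mkdir(parents=True)
        (backup / "config" / "rtu-points.csv").write_bytes(b"rtu,point,scale\n12,MW,1.0\n")
        (backup / "ems.img").write_bytes(os.urandom(4096))
        (backup / "hmi.img").write_bytes(os.urandom(4096))
        manifest = write_manifest(backup)
        # Simulated media problems found during the periodic test:
        (backup / "hmi.img").write_bytes(b"\x00" * 4096)          # bit rot / bad sector
        (backup / "ems.img").unlink()                             # file lost
        (backup / "notes.txt").write_text("added after the fact")  # unlisted content
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A digest check proves the media is readable and unchanged; it does not prove the image restores. The drills in R2 are where the restore itself is exercised, and the manifest check is the cheap test that can run between drills.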
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audits, physical inspections, background checks, NERC checklist
Action plan formulation phase:
• Review findings versus NERC requirements (non-compliance levels)
• Develop action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology surveys, PEN testing, social engineering testing, awareness campaign
Testing and validation phase:
• Test and validate Systems Management and recovery procedures
• Test and validate system/component test/commissioning procedures
Supporting activities: disaster simulation & audits, structured audit
Key methodology/standard
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 – The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: columns are quarters 2007 Q2 through 2010 Q4; one row per standard and its requirements: CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5. Milestone markers (♦) show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authority, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: columns are quarters 2007 Q2 through 2010 Q4; one row per standard and its requirements: CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5. Milestone markers (♦) show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: columns are quarters 2007 Q2 through 2010 Q4; one row per standard and its requirements: CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5. Milestone markers (♦) show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: columns are quarters 2007 Q1 through 2010 Q4; one row per standard and its requirements: CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5. Milestone markers (♦) show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Chart: columns are quarters after registration, Registration plus Q1 through Q11; one row per standard and its requirements: CIP-002 R1–R4, CIP-003 R1–R6, CIP-004 R1–R4, CIP-005 R1–R5, CIP-006 R1–R6, CIP-007 R1–R9, CIP-008 R1–R2, CIP-009 R1–R5. Milestone markers (♦) show the quarter in which each requirement reaches BW (begin work), SC (substantially compliant), C (compliant) and AC (auditably compliant).]
Understanding the NERC CIP Standards
William T Shaw, PhD, CISSP
President – Cyber SECurity Consulting
Questions?
Important Terms Important Terms (cont)(cont)
Electronic Security Perimeter The logical border surrounding a network to which Critical Cyber
Assets are connected and for which access is controlled
The issue here is to identify The issue here is to identify ALLALL communication interfaces communication interfaces - Telephone [leaseddialcellular] - Telephone [leaseddialcellular] - LAN WAN WLAN - LAN WAN WLAN - Privatepublic Networks - Privatepublic Networks - ldquoSNEAKERnetrdquo (portable devicesmedia) - ldquoSNEAKERnetrdquo (portable devicesmedia) - Other - Other
If they provide access to your critical cyber assets then insure that they are If they provide access to your critical cyber assets then insure that they are actually requiredactually required and if so and if so properly protectedproperly protected using suitable technological using suitable technological countermeasures Included in this requirement is a need for effective electronic countermeasures Included in this requirement is a need for effective electronic authentication authentication and for and for access monitoringaccess monitoring and and intrusion detectionintrusion detection
copy Cyber SECurity Consulting - All rights reserved
SCADAEMS SystemFacility
LAN
GatewayGatewayWeb serverWeb server
EmailEmail
TelCo
INTERNETINTERNET
TelCo
WAN
A relatedsystem
UnprotectedMODEM
The Electronic PerimeterThe Electronic Perimeter
ISP
Dial-outbackup
RTUsRTUs
x
x
x x
x
x xPhysicalmedia
WiFiWiFiAPAP
Doubly-connectedworkstations
x
xPortable devices
x
Storagedevices
x
DeptLAN
Corporate
SCADALAN
Backup siteSCADAEMS System
TransmissionSubstations
TelCo
Leased T1 lineLeased T1 line
IP t
o t
he s
ub
stati
on
IP t
o t
he s
ub
stati
on
TelCo
Dial-inIED access
x
x
x
x
Establishing the ldquoElectronic PerimeterrdquoEstablishing the ldquoElectronic Perimeterrdquo
Regional balancing authority
Transmission Operator or Reliability
Coordinator
copy Cyber SECurity Consulting - All rights reserved
Defending the ldquoElectronic PerimeterrdquoDefending the ldquoElectronic Perimeterrdquo
Intrusion Detection (NIDSHIDS) Systems
Strong (multi-factor) authentication
Encryption on portable mediadevices
VPNEncryption on communication circuits
copy Cyber SECurity Consulting - All rights reserved
CIP-006 Physical Security of Critical Cyber AssetsCIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to insure that physical access to cyber assets is restricted to authorized personnel that personnel authentication is adequate that access is recorded and that attempts at unauthorized access are detected and foiled
bull R1 ndash Establish the physical security plan and perimeter that contains all of the critical cyber assets and identify all access points into that perimeterbull R2 ndash Establish physical access controls at all access pointsbull R3 ndash Monitor access into the security perimeter in a manner that precludes undetected access bull R4 ndash Log and record all access into the security perimeterbull R5 - Retain a log of all access attempts either successful or unauthorizedbull R6 ndash Establish procedures and a program to periodically test all access controls and monitoring methodologies and record a log of outages
copy Cyber SECurity Consulting - All rights reserved
Physical Security of Critical Cyber Assets Physical Security of Critical Cyber Assets (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures that insure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change Maintain adequate access control measures and monitoring as well as an auditable log for all of this and periodically verify the proper function of access controls and monitoring mechanisms
copy Cyber SECurity Consulting - All rights reserved
Important Terms Important Terms (cont)(cont)
Physical Security Perimeter The physical six-wall border surrounding computer rooms telecommunication rooms operation centers and other locations in
which Critical Cyber Assets are housed and for which access is controlled
The issue here is to identity the The issue here is to identity the physical locationphysical location of all critical cyber assets (and of all critical cyber assets (and their support infrastructure) and insure that physical their support infrastructure) and insure that physical access restrictionsaccess restrictions and and controlscontrols are provided to keep them inaccessible to unauthorized personnel are provided to keep them inaccessible to unauthorized personnel Included in this requirement is the implementation of suitable ldquostrongrdquo Included in this requirement is the implementation of suitable ldquostrongrdquo identificationauthentication technologies and use of 247 identificationauthentication technologies and use of 247 access monitoringaccess monitoring and and access loggingaccess logging at all perimeter access points at all perimeter access points
copy Cyber SECurity Consulting - All rights reserved
FacilityFacility
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
SCADA OperationsSCADA Operations
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
ControlledControlledMonitoredMonitored
AccessAccess
Control RoomControl Room
Computerserver RoomComputerserver Room
Office AreasOffice Areas TelecomLAN RoomTelecomLAN Room
Monitored hallwaysMonitored hallways
SeparateSeparateAccessAccessRightsRights
Establishing the ldquoPhysical PerimeterrdquoEstablishing the ldquoPhysical Perimeterrdquo
copy Cyber SECurity Consulting - All rights reserved
Defending the ldquoPhysical PerimeterrdquoDefending the ldquoPhysical Perimeterrdquo
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls doors cages barriers and locks
Guards at entryexit points and patrolling
copy Cyber SECurity Consulting - All rights reserved
CIP-007 Systems Security ManagementCIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyberIT procedures and policies in the use of addition to and modification of critical cyber assets and systems
bull R1 ndash Establish suitable testing procedures for all new systems and major system changes and upgradesbull R2 ndash Disable unnecessary TCPUDP ports and OS services on all critical systems and implement other measures where this is not possible bull R3 ndash Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe mannerbull R4 ndash Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
copy Cyber SECurity Consulting - All rights reserved
Systems Security Management Systems Security Management (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
Required Initial Actions (cont)
bull R5 ndash Establish an account management program and procedures to insure ldquostrongrdquo user authentication proper assignment of user rights based on need and tracking of user activitiesbull R6 ndash Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDSHIDS)bull R7 ndash Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assetsbull R8 ndash Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation effortsbull R9 ndash Establish a document management review and revision program that insures that documentation remains accurate and updated
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Methods used in this phase: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
• Review findings versus NERC requirements (non-compliance levels)
• Develop an action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Methods used in this phase: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test/commissioning procedures
Methods used in this phase: disaster simulation & audits.
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to “reasonable business judgment”. FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own “business standards”.
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must “begin work” on compliance upon registration with NERC, must be “substantially compliant” within 12 months of registration, and must be “compliant” within 24 months of registration. Entities must ultimately be “auditably compliant” by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves “auditably compliant” status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using “reasonable business judgment”. This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a “risk-based assessment methodology”. FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and leaving the identification methodology up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that “the most critical element of a Cyber Security Standard is the Requirements” because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying “exceptions”, or areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
[Figure: Compliance Schedule – Table 1 (Control Centers). Compliance schedule for Balancing Authority, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5); columns: quarters from 2007 Q2 to 2010 Q4; milestone markers BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant).]
[Figure: Compliance Schedule – Table 1 (Other Facilities). Compliance schedule for Balancing Authority, Transmission Operators and Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5); columns: quarters from 2007 Q2 to 2010 Q4; milestone markers BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant).]
[Figure: Compliance Schedule – Table 2 (All Facilities). Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5); columns: quarters from 2007 Q2 to 2010 Q4; milestone markers BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant).]
[Figure: Compliance Schedule – Table 3 (All Facilities). Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5); columns: quarters from 2007 Q1 to 2010 Q4; milestone markers BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant).]
[Figure: Compliance Schedule – Table 4 (All Facilities). Compliance schedule for Responsible Entities registering in 2007 and thereafter. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5); columns: quarters after registration (Registration plus Q1 through Q11); milestone markers BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant).]
Understanding the NERC CIP Standards
William T Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions
[Figure: Establishing the “Electronic Perimeter”. Diagram of a SCADA/EMS system facility and its connections: the SCADA LAN with gateway, web server and e-mail; the corporate and departmental LANs; the Internet via an ISP; a telco WAN to a backup-site SCADA/EMS system, to a related system, and to the regional balancing authority, transmission operator or reliability coordinator; a leased T1 line and IP links to transmission substations with RTUs; dial-in IED access; a dial-out backup circuit and an unprotected modem; a WiFi access point; doubly-connected workstations; portable devices; storage devices; and physical media. Each point where the perimeter is crossed is marked (x) in the diagram.]
Defending the “Electronic Perimeter”
• Intrusion Detection (NIDS/HIDS) Systems
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/Encryption on communication circuits
CIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter.
• R2 – Establish physical access controls at all access points.
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access.
• R4 – Log and record all access into the security perimeter.
• R5 – Retain a log of all access attempts, whether successful or unauthorized.
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages.
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log for all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable “strong” identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
[Figure: Establishing the “Physical Perimeter”. Diagram of a facility containing the SCADA operations area, with a limited number of monitored/controlled access points at both the facility boundary and the SCADA operations boundary. Inside, the control room, computer/server room and telecom/LAN room have controlled and monitored access with separate access rights from the office areas, and the hallways are monitored.]
Defending the “Physical Perimeter”
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
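How CIP-006 R2 to R5 and the on-going rights review fit together, as an added Python example that is not from the presentation: zone names follow the physical perimeter diagram, the badge holders and entry attempts are constructed, and every attempt is logged whether granted or denied.

```python
"""Zone-based physical access control with an all-attempts log and a
rights review (CIP-006 R2 to R5 and the on-going review requirement).

Added example, not code from the presentation. Zone names follow the
physical perimeter diagram; the people and badge events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Zones inside the Physical Security Perimeter: critical cyber assets live here,
# so entry needs the badge plus a second factor ("strong" authentication).
PSP_ZONES = {"Control Room", "Computer/Server Room", "Telecom/LAN Room"}
ALL_ZONES = PSP_ZONES | {"Office Areas"}


@dataclass
class Person:
    badge: str
    name: str
    active: bool                 # False once employment or contract ends
    zones: set                   # zones this person is authorized to enter


@dataclass
class AccessControl:
    people: dict                 # badge -> Person
    log: list = field(default_factory=list)

    def request(self, badge, zone, when, second_factor_ok=True):
        """Decide an entry request and log it whether granted or denied (R4, R5)."""
        person = self.people.get(badge)
        if zone not in ALL_ZONES:
            reason = "unknown zone"
        elif person is None:
            reason = "unknown badge"
        elif not person.active:
            reason = "badge belongs to inactive person"
        elif zone not in person.zones:
            reason = "no access right to zone"
        elif zone in PSP_ZONES and not second_factor_ok:
            reason = "second authentication factor failed"
        else:
            reason = None
        self.log.append({"when": when.isoformat(), "badge": badge, "zone": zone,
                         "granted": reason is None, "reason": reason})
        return reason is None

    def unauthorized_attempts(self):
        """Denied attempts, retained alongside successful ones for review (R5)."""
        return [e for e in self.log if not e["granted"]]

    def review_rights(self):
        """Findings for the periodic rights review: rights that should have been
        revoked when personnel status changed, and rights to zones that do not exist."""
        findings = []
        for person in self.people.values():
            if not person.active and person.zones:
                findings.append((person.badge, "inactive but still holds "
                                 + ", ".join(sorted(person.zones))))
            for zone in sorted(person.zones - ALL_ZONES):
                findings.append((person.badge, f"right to undefined zone {zone}"))
        return findings


def demo():
    """Constructed scenario: three badge holders, five entry attempts."""
    people = {
        "B100": Person("B100", "control operator", True, {"Office Areas", "Control Room"}),
        "B200": Person("B200", "system administrator", True,
                       {"Office Areas", "Computer/Server Room", "Telecom/LAN Room"}),
        "B300": Person("B300", "former contractor", False, {"Office Areas", "Telecom/LAN Room"}),
    }
    acs = AccessControl(people)
    t = datetime(2008, 3, 4, 8, 0)
    results = [
        acs.request("B100", "Control Room", t),                                   # granted
        acs.request("B100", "Computer/Server Room", t),                           # denied: no right
        acs.request("B200", "Computer/Server Room", t, second_factor_ok=False),   # denied: 2nd factor
        acs.request("B300", "Telecom/LAN Room", t),                               # denied: inactive
        acs.request("B999", "Office Areas", t),                                   # denied: unknown badge
    ]
    return acs, results


if __name__ == "__main__":
    acs, results = demo()
    print("decisions:", results)
    print("denied attempts retained:", len(acs.unauthorized_attempts()))
    print("rights review findings:", acs.review_rights())
```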
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades.
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible.
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner.
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis, and to update virus detection software on critical cyber systems in an operationally safe manner.
Systems Security Management (Cont)
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure “strong” user authentication, proper assignment of user rights based on need, and tracking of user activities.
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS).
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets.
• R8 – Perform cyber vulnerability assessments on a periodic basis, and use the resulting findings to guide countermeasure deployment and remediation efforts.
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated.
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
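The R2 port-and-service check as an added Python example that is not from the presentation: it parses a constructed sample of `ss -tuln` output and compares the listeners against a hypothetical approved baseline for a SCADA server, reporting listeners with no documented need and baseline entries that are not actually listening.

```python
"""Check a host's listening TCP/UDP ports against an approved-services baseline.

Added example for CIP-007 R2, not code from the presentation. The ss(8)
output is a constructed sample and the baseline is a hypothetical one for
a SCADA server.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample of `ss -tuln` output (listening TCP and UDP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128             [::]:5900       [::]:*
"""

# Hypothetical approved baseline: (proto, port) -> the documented operational need.
# Anything listening that is not here is either disabled or gets a documented
# compensating measure, as R2 requires.
APPROVED_BASELINE = {
    ("tcp", 22): "SSH administration from the management network",
    ("tcp", 502): "Modbus/TCP polling of RTUs",
    ("udp", 123): "NTP time synchronisation",
    ("tcp", 3306): "historian database replication",
}


def parse_ss(text):
    """Parse `ss -tuln` text into Listener tuples; UDP sockets show state UNCONN."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")   # handles 0.0.0.0:22 and [::]:5900
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def check_baseline(listeners, baseline):
    """Return (unexpected, gaps).

    unexpected: (proto, port) pairs listening without a baseline entry (an R2 finding).
    gaps: baseline entries not listening (the baseline document has drifted).
    """
    observed = {(lst.proto, lst.port) for lst in listeners}
    unexpected = sorted(k for k in observed if k not in baseline)
    gaps = sorted(k for k in baseline if k not in observed)
    return unexpected, gaps


def report(text=SAMPLE_SS_OUTPUT, baseline=APPROVED_BASELINE):
    """Produce the review lines an auditor would keep with the CIP-007 evidence."""
    unexpected, gaps = check_baseline(parse_ss(text), baseline)
    lines = [f"FINDING  {p}/{port} listening with no documented need"
             for p, port in unexpected]
    lines += [f"DRIFT    {p}/{port} in baseline ({baseline[(p, port)]}) but not listening"
              for p, port in gaps]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```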
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization.
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation.
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Figure: Gantt-style chart whose time axis is "Registration Plus" Q1 through Q11 (quarters after the entity registers), showing, for each requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), the quarter of each BW, SC, C and AC milestone (begin work, substantially compliant, compliant, auditably compliant).]

Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions

Defending the "Electronic Perimeter"
• Intrusion Detection Systems (NIDS/HIDS)
• Strong (multi-factor) authentication
• Encryption on portable media/devices
• VPN/Encryption on communication circuits

CIP-006 Physical Security of Critical Cyber Assets

Required Initial Actions
Create a program to ensure that physical access to cyber assets is restricted to authorized personnel, that personnel authentication is adequate, that access is recorded, and that attempts at unauthorized access are detected and foiled.
• R1 – Establish the physical security plan and perimeter that contains all of the critical cyber assets, and identify all access points into that perimeter.
• R2 – Establish physical access controls at all access points.
• R3 – Monitor access into the security perimeter in a manner that precludes undetected access.
• R4 – Log and record all access into the security perimeter.
• R5 – Retain a log of all access attempts, whether successful or unauthorized.
• R6 – Establish procedures and a program to periodically test all access controls and monitoring methodologies, and record a log of outages.

Physical Security of Critical Cyber Assets (Cont.)

Required On-Going Actions
Establish a program and procedures that ensure physical access rights are correctly assigned and are reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.

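The R3 to R5 requirements above, together with the on-going review of access rights, can be checked against a badge-reader export. The following is an added example and not code from the presentation or from NERC: it reviews a constructed physical-access log against a constructed access-rights register, flags grants the register does not allow (rights not kept in step with job changes), counts denied attempts so they are retained rather than discarded, raises an alert on repeated denials at one door, and treats a forced door as an access that must not go undetected. Door names, badge IDs and the 3-in-5-minutes threshold are assumptions for the demonstration.

```python
"""Review of a physical-access (badge reader) log against CIP-006 R2-R5.

Added example, not from the presentation. The log lines, badge IDs,
door names and the access-rights register are constructed sample data.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed badge-reader export: timestamp, door, badge id, result
SAMPLE_LOG = """\
# ts,door,badge,result
2008-03-03T02:14:05,ControlRoom-North,B1021,GRANTED
2008-03-03T02:14:40,ServerRoom,B1021,DENIED
2008-03-03T02:15:02,ServerRoom,B1021,DENIED
2008-03-03T02:15:30,ServerRoom,B1021,DENIED
2008-03-03T08:02:11,ServerRoom,B2200,GRANTED
2008-03-03T09:30:00,TelecomRoom,B3310,GRANTED
2008-03-03T11:47:19,ServerRoom,,DOOR_FORCED
"""

# Constructed access-rights register: badge -> doors it may open
AUTHORIZED: Dict[str, Set[str]] = {
    "B1021": {"ControlRoom-North"},
    "B2200": {"ControlRoom-North", "ServerRoom"},
    "B3310": {"ControlRoom-North"},   # register says no TelecomRoom rights
}

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    """Parse the CSV export; '#' lines are comments."""
    events: List[Event] = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, door, badge, result = row
        events.append((datetime.fromisoformat(ts), door, badge, result))
    return events


def review_access_log(events: List[Event], authorized: Dict[str, Set[str]],
                      repeat_threshold: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    findings = {"unauthorized_grant": [], "repeated_denials": [],
                "forced_door": [], "denied_total": 0}
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, door, badge, result in events:
        if result == "GRANTED":
            # R2 / on-going review: the controller granted a door the register
            # does not allow, so rights were not updated or were mis-assigned
            if door not in authorized.get(badge, set()):
                findings["unauthorized_grant"].append((ts.isoformat(), door, badge))
        elif result == "DENIED":
            findings["denied_total"] += 1          # R5: denials are retained
            key = (badge, door)
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) == repeat_threshold:   # alert once per burst
                findings["repeated_denials"].append((ts.isoformat(), door, badge))
        elif result == "DOOR_FORCED":
            # R3: an opening with no grant must be detected and reported
            findings["forced_door"].append((ts.isoformat(), door))
    return findings


def run_sample() -> dict:
    return review_access_log(parse_events(SAMPLE_LOG), AUTHORIZED)


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

On the constructed log the review reports one grant outside the register (B3310 at TelecomRoom), one burst of three denials (B1021 at ServerRoom), one forced door, and three retained denials in total; the same function can be run over a real export once the register and thresholds are replaced with the entity's own.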
Important Terms (cont.)
Physical Security Perimeter: The physical six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.

Establishing the "Physical Perimeter"
[Figure: Diagram of a facility with limited, monitored/controlled access points. Inside it, a SCADA Operations area with its own limited, monitored/controlled access points and separate access rights contains the Control Room, the Computer/Server Room and the Telecom/LAN Room, reached through monitored hallways. Office Areas lie outside the SCADA perimeter. Access to the inner area is labelled Controlled/Monitored.]

Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling

CIP-007 Systems Security Management

Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades.
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible.
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner.
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner.

Systems Security Management (Cont.)

Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities.
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS).
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets.
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts.
• R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date.

Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.

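R2 is the requirement most easily turned into a repeatable check: compare what a critical system actually listens on against an approved ports-and-services baseline, and treat anything that cannot be disabled as a documented exception with a compensating measure. The following is an added example and not code from the presentation or from NERC; it parses constructed `ss -tulnp`-style output (the socket lines, the baseline, the process names and the exception record `EX-EXAMPLE-1` are all constructed for the demonstration) and reports unexpected listeners, approved ports owned by the wrong program, exceptions in use, and approved services that are not listening at all.

```python
"""CIP-007 R2 style check: compare the sockets a critical cyber asset is
listening on against an approved ports-and-services baseline.

Added example, not from the presentation or from NERC. The ss(8)-style
lines, the baseline and the exception record are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `ss -tulnp` output on a SCADA server
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=812,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=655,fd=3))
tcp   LISTEN 0      5      0.0.0.0:20000       0.0.0.0:*         users:(("dnp3d",pid=901,fd=5))
tcp   LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=977,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("nc",pid=1103,fd=3))
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=1020,fd=3))
"""

# Approved baseline: (proto, port) -> process expected to own the socket
APPROVED: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",
    ("tcp", 502): "modbusd",
    ("tcp", 5432): "postgres",
    ("tcp", 20000): "dnp3d",
}

# R2 "other measures where this is not possible": ports that cannot be
# closed, each with its documented compensating measure (constructed)
EXCEPTIONS: Dict[Tuple[str, int], str] = {
    ("udp", 161): "snmpd needed by vendor HMI polling; host firewall limits sources "
                  "to the management VLAN (exception record EX-EXAMPLE-1, placeholder)",
}

Socket = Tuple[str, int, str]  # (proto, port, process)

SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(output: str) -> List[Socket]:
    """Extract (proto, port, process) from ss -tulnp style lines; skips the header."""
    sockets: List[Socket] = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])  # also handles [::]:22
        sockets.append((m.group("proto"), port, m.group("proc")))
    return sockets


def audit_listeners(sockets: List[Socket], approved: Dict[Tuple[str, int], str],
                    exceptions: Dict[Tuple[str, int], str]) -> dict:
    findings = {
        "unexpected": [],              # not approved, no exception: disable (R2)
        "wrong_process": [],           # approved port owned by a different program
        "exception_in_use": [],        # tolerated only because a compensating measure exists
        "approved_not_listening": [],  # expected service absent: check availability
    }
    seen = set()
    for proto, port, proc in sockets:
        key = (proto, port)
        seen.add(key)
        if key in approved:
            if approved[key] != proc:
                findings["wrong_process"].append((proto, port, proc, approved[key]))
        elif key in exceptions:
            findings["exception_in_use"].append((proto, port, proc))
        else:
            findings["unexpected"].append((proto, port, proc))
    findings["approved_not_listening"] = [k for k in approved if k not in seen]
    return findings


def run_sample() -> dict:
    return audit_listeners(parse_ss(SAMPLE_SS_OUTPUT), APPROVED, EXCEPTIONS)


if __name__ == "__main__":
    for name, items in run_sample().items():
        print(f"{name}: {items}")
```

Running the check against a live system means feeding real `ss -tulnp` output into `parse_ss` and keeping the baseline under change control, so that a new entry in the "unexpected" list is reviewed through the R1 testing procedure rather than silently added to the baseline.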
CIP-008 Incident Reporting & Response Planning

Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization.
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation.

Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures and amend them as needed, and that enforce the regular rehearsal of critical procedures by applicable personnel.

CIP-009 Recovery Plans for Critical Cyber Assets

Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems.
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner.
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel.
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation.
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations.

Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.

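R4 and R5 together amount to a simple discipline: record what the backup images looked like when they were made, and re-check the media on a schedule so that a corrupt or missing image is found in a drill rather than during a real restoration. The following is an added example, not code from the presentation or from NERC: it builds a SHA-256 manifest of a constructed backup set, seals the manifest with an HMAC so that whoever can alter the images cannot also quietly rewrite the manifest, and then runs the periodic check against three constructed conditions (intact, bit rot plus a lost image, and a patched manifest). File names, contents and the demo key are constructed; in practice the key is kept apart from the backup media.

```python
"""CIP-009 R4/R5 style backup verification: seal a manifest of the backup
images when they are made, then re-check the media periodically.

Added example, not from the presentation or from NERC. File names, file
contents and the demo key are constructed sample data.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and seal the listing with an HMAC, so an
    attacker or a failing disk cannot change an image and its record together."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """The periodic R5 media test: every listed image must be present and
    hash-identical; a manifest whose seal fails is reported, not trusted."""
    result = {"manifest_tampered": False, "ok": [], "corrupt": [], "missing": []}
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        result["manifest_tampered"] = True
        return result
    for rel, meta in manifest["entries"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != meta["sha256"]:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Build a constructed backup set, then simulate bit rot, a lost image
    and a rewritten manifest; returns the three verification results."""
    key = b"constructed-demo-key-not-for-real-use"
    images = {"hmi.img": b"A" * 4096, "rtu-config.tar": b"B" * 1024,
              "scada-db.dump": b"C" * 2048}
    with tempfile.TemporaryDirectory() as root:
        for name, data in images.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        with open(os.path.join(root, "hmi.img"), "r+b") as f:   # one flipped byte
            f.seek(100)
            f.write(b"Z")
        os.remove(os.path.join(root, "scada-db.dump"))           # one image lost
        damaged = verify_manifest(root, manifest, key)

        forged = json.loads(json.dumps(manifest))                # hash patched, seal not
        forged["entries"]["hmi.img"]["sha256"] = sha256_file(os.path.join(root, "hmi.img"))
        tampered = verify_manifest(root, forged, key)
    return clean, damaged, tampered


if __name__ == "__main__":
    for label, r in zip(("clean", "damaged", "tampered"), demo()):
        print(label, r)
```

The "damaged" run is the one an R5 drill is meant to produce before it matters: one image is reported corrupt and one missing while the rest verify, and the "tampered" run shows why the manifest itself needs a seal rather than being stored as plain hashes beside the images.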
Cyber Securing SCADA Systems: NERC Self Assessment Process
[Figure: flowchart of the self assessment process, reconstructed as a list]
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
• Review findings versus NERC requirements
• Develop an action plan for addressing all short-comings (by non-compliance level)
Key methodology/standard: NERC 1200.

Cyber Securing SCADA Systems: NERC Compliance Process
[Figure: flowchart of the compliance process, reconstructed as a list]
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, PEN testing, social engineering testing, awareness campaign.
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test/commissioning procedures
Supporting activities: disaster simulation & audits.
Key methodology/standard: structured audit.

FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards

Recent FERC News Updates
August 1, 2007 – The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.

FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".

FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.

FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance with the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that the standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to the next.

FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", the areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.

FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.

2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
CIP-006 Physical Security of Critical Cyber AssetsCIP-006 Physical Security of Critical Cyber Assets
Required Initial Actions
Create a program to insure that physical access to cyber assets is restricted to authorized personnel that personnel authentication is adequate that access is recorded and that attempts at unauthorized access are detected and foiled
bull R1 ndash Establish the physical security plan and perimeter that contains all of the critical cyber assets and identify all access points into that perimeterbull R2 ndash Establish physical access controls at all access pointsbull R3 ndash Monitor access into the security perimeter in a manner that precludes undetected access bull R4 ndash Log and record all access into the security perimeterbull R5 - Retain a log of all access attempts either successful or unauthorizedbull R6 ndash Establish procedures and a program to periodically test all access controls and monitoring methodologies and record a log of outages
copy Cyber SECurity Consulting - All rights reserved
Physical Security of Critical Cyber Assets Physical Security of Critical Cyber Assets (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures that insure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change Maintain adequate access control measures and monitoring as well as an auditable log for all of this and periodically verify the proper function of access controls and monitoring mechanisms
copy Cyber SECurity Consulting - All rights reserved
Important Terms Important Terms (cont)(cont)
Physical Security Perimeter The physical six-wall border surrounding computer rooms telecommunication rooms operation centers and other locations in
which Critical Cyber Assets are housed and for which access is controlled
The issue here is to identity the The issue here is to identity the physical locationphysical location of all critical cyber assets (and of all critical cyber assets (and their support infrastructure) and insure that physical their support infrastructure) and insure that physical access restrictionsaccess restrictions and and controlscontrols are provided to keep them inaccessible to unauthorized personnel are provided to keep them inaccessible to unauthorized personnel Included in this requirement is the implementation of suitable ldquostrongrdquo Included in this requirement is the implementation of suitable ldquostrongrdquo identificationauthentication technologies and use of 247 identificationauthentication technologies and use of 247 access monitoringaccess monitoring and and access loggingaccess logging at all perimeter access points at all perimeter access points
copy Cyber SECurity Consulting - All rights reserved
FacilityFacility
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
SCADA OperationsSCADA Operations
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
ControlledControlledMonitoredMonitored
AccessAccess
Control RoomControl Room
Computerserver RoomComputerserver Room
Office AreasOffice Areas TelecomLAN RoomTelecomLAN Room
Monitored hallwaysMonitored hallways
SeparateSeparateAccessAccessRightsRights
Establishing the ldquoPhysical PerimeterrdquoEstablishing the ldquoPhysical Perimeterrdquo
copy Cyber SECurity Consulting - All rights reserved
Defending the ldquoPhysical PerimeterrdquoDefending the ldquoPhysical Perimeterrdquo
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls doors cages barriers and locks
Guards at entryexit points and patrolling
copy Cyber SECurity Consulting - All rights reserved
CIP-007 Systems Security ManagementCIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyberIT procedures and policies in the use of addition to and modification of critical cyber assets and systems
bull R1 ndash Establish suitable testing procedures for all new systems and major system changes and upgradesbull R2 ndash Disable unnecessary TCPUDP ports and OS services on all critical systems and implement other measures where this is not possible bull R3 ndash Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe mannerbull R4 ndash Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
copy Cyber SECurity Consulting - All rights reserved
Systems Security Management Systems Security Management (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
Required Initial Actions (cont)
bull R5 ndash Establish an account management program and procedures to insure ldquostrongrdquo user authentication proper assignment of user rights based on need and tracking of user activitiesbull R6 ndash Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDSHIDS)bull R7 ndash Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assetsbull R8 ndash Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation effortsbull R9 ndash Establish a document management review and revision program that insures that documentation remains accurate and updated
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures (iterative reviews)
• Select methods for creating the electronic security perimeter (technology survey)
• Implement and test the electronic perimeter (PEN testing)
• Select methods for creating the physical security perimeter (technology survey)
• Implement and test the physical security perimeter (social engineering testing)
• Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test/commissioning procedures
• Disaster simulation & audits
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 – The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly with each Responsible Entity.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy. FERC has stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards. Other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
[Chart: compliance schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Time axis: 2007 Q2 through 2010 Q4, by quarter. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.]
Compliance Schedule – Table 1 (Other Facilities)
[Chart: compliance schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Time axis: 2007 Q2 through 2010 Q4, by quarter. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.]
Compliance Schedule – Table 2 (All Facilities)
[Chart: compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and those TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Time axis: 2007 Q2 through 2010 Q4, by quarter. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.]
Compliance Schedule – Table 3 (All Facilities)
[Chart: compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Time axis: 2007 Q1 through 2010 Q4, by quarter. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.]
Compliance Schedule – Table 4 (All Facilities)
[Chart: compliance schedule for Responsible Entities registering in 2007 and thereafter. Time axis: quarters after registration, Registration + Q1 through Q11. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions
Physical Security of Critical Cyber Assets (Cont)
Required On-Going Actions
Establish a program and procedures that ensure that physical access rights are correctly assigned and reviewed whenever personnel status and job requirements change. Maintain adequate access control measures and monitoring, as well as an auditable log of all of this, and periodically verify the proper function of access controls and monitoring mechanisms.
Important Terms (cont)
Physical Security Perimeter: The physical, six-wall border surrounding computer rooms, telecommunication rooms, operation centers and other locations in which Critical Cyber Assets are housed and for which access is controlled.
The issue here is to identify the physical location of all critical cyber assets (and their support infrastructure) and ensure that physical access restrictions and controls are provided to keep them inaccessible to unauthorized personnel. Included in this requirement is the implementation of suitable "strong" identification/authentication technologies and the use of 24/7 access monitoring and access logging at all perimeter access points.
Establishing the "Physical Perimeter"
[Diagram: a Facility with limited monitored/controlled access points and monitored hallways; inside it, Office Areas and a SCADA Operations area that again has limited monitored/controlled access points with controlled/monitored access. Within SCADA Operations, the Control Room, Computer/server Room and Telecom/LAN Room each carry separate access rights.]
Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies in the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and major system changes and upgrades
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other measures where this is not possible
• R3 – Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe manner
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (Cont)
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
Required Initial Actions (cont)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and updated
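As an added example (not from the presentation), a small Python check for the R2 ports-and-services requirement: it compares the listeners observed on a critical cyber asset with that asset's documented port baseline and reports each deviation for disabling, mitigation or a documented exception. The `ss`-style listener text, the baseline and the process names are constructed for the example.

```python
"""CIP-007 R2 port/service baseline check (added example, not from the slides).

Compares the TCP/UDP listeners observed on a critical cyber asset with the
documented baseline of ports that asset needs, and reports every deviation so
it can be disabled, mitigated or formally excepted. The listener text is
constructed in the style of Linux `ss -ltunp` output; the baseline is a
hypothetical one for a SCADA front-end server.
"""
import re
from dataclasses import dataclass

# Constructed sample of what `ss -ltunp` might print on the host under review.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=1201,fd=5))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=933,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=870,fd=7))
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*         users:(("tftpd",pid=999,fd=6))
"""

# Hypothetical documented baseline for this host: (protocol, port) -> process
# that is allowed to own it. Anything else listening is a finding.
BASELINE = {
    ("tcp", 22): "sshd",       # administrative access through the ESP access point
    ("tcp", 502): "modbusd",   # Modbus/TCP polling of field devices
    ("tcp", 20000): "dnp3d",   # DNP3 master, documented but must be confirmed running
    ("udp", 161): "snmpd",     # SNMP monitoring from the management network
}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str


# One data line: netid, state, recv-q, send-q, local addr:port, peer, [process]
_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(text: str) -> list[Listener]:
    """Extract (proto, port, owning process) from each data line; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            found.append(Listener(m["proto"], int(m["port"]), m["proc"] or "unknown"))
    return found


def audit_ports(listeners: list[Listener], baseline: dict) -> dict[str, list]:
    """Return findings: unexpected listeners (R2: disable or mitigate), baseline
    services not listening (availability check), and baseline ports owned by
    a process other than the documented one (possible substitution)."""
    observed = {(l.proto, l.port): l for l in listeners}
    findings = {"unexpected": [], "missing": [], "wrong_process": []}
    for key, lst in observed.items():
        if key not in baseline:
            findings["unexpected"].append(lst)
        elif baseline[key] != lst.process:
            findings["wrong_process"].append((lst, baseline[key]))
    for key, proc in baseline.items():
        if key not in observed:
            findings["missing"].append(Listener(key[0], key[1], proc))
    return findings


def report(findings: dict[str, list]) -> list[str]:
    """Render findings one per line, in the order a reviewer would triage them."""
    lines = []
    for l in findings["unexpected"]:
        lines.append(f"UNEXPECTED  {l.proto}/{l.port} owned by {l.process}: disable, or document a compensating measure")
    for l, expected in findings["wrong_process"]:
        lines.append(f"WRONG OWNER {l.proto}/{l.port} owned by {l.process}, baseline says {expected}")
    for l in findings["missing"]:
        lines.append(f"NOT RUNNING {l.proto}/{l.port} ({l.process}) is in the baseline but not listening")
    return lines


if __name__ == "__main__":
    for line in report(audit_ports(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE)):
        print(line)
```

On the constructed sample the check flags telnet and TFTP as unexpected and the documented DNP3 service as not running; each line then becomes an item in the R2 record for that asset.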
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents, and ensure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and that guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to successfully restore critical cyber assets to full operation
• R5 – Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.
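An added example, not from the presentation, of how the R4 backup-image and R5 media-test requirements can be backed by a checksum manifest: a manifest is written when the image set is made, and a later verification pass reports missing or altered images and a lapsed test interval. The image names, contents, JSON manifest layout and 90-day interval are all constructed assumptions for this example.

```python
"""CIP-009 R4/R5 backup set verification (added example, not from the slides).

When a set of backup images is made (R4), record each image's size and
SHA-256 in a manifest; later (R5) confirm every image is still present and
unchanged and that the set has been verified within the allowed interval.
File names, contents and the JSON manifest layout are constructed for this
example; the 90-day interval is an assumed policy value, not NERC's.
"""
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_dir: Path, made_on: date) -> Path:
    """R4: record name, size and digest of every .img in the set."""
    files = {
        p.name: {"size": p.stat().st_size, "sha256": sha256_of(p)}
        for p in sorted(backup_dir.iterdir())
        if p.is_file() and p.suffix == ".img"
    }
    manifest = {"created": made_on.isoformat(),
                "last_verified": made_on.isoformat(),
                "files": files}
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup_set(backup_dir: Path, today: date, max_age_days: int = 90) -> dict:
    """R5: check the set against its manifest and return a findings dict.
    'overdue' is a program finding (the test interval lapsed) even when the
    media itself is fine; when the media is fine, last_verified is advanced."""
    mpath = backup_dir / MANIFEST_NAME
    manifest = json.loads(mpath.read_text())
    findings = {"missing": [], "corrupt": [], "overdue": False}
    for name, rec in manifest["files"].items():
        p = backup_dir / name
        if not p.is_file():
            findings["missing"].append(name)
        elif p.stat().st_size != rec["size"] or sha256_of(p) != rec["sha256"]:
            findings["corrupt"].append(name)
    last = date.fromisoformat(manifest["last_verified"])
    findings["overdue"] = (today - last).days > max_age_days
    findings["media_ok"] = not (findings["missing"] or findings["corrupt"])
    findings["ok"] = findings["media_ok"] and not findings["overdue"]
    if findings["media_ok"]:
        manifest["last_verified"] = today.isoformat()
        mpath.write_text(json.dumps(manifest, indent=2))
    return findings


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean check shortly after the set is made, then
    the same set after one image is silently altered, one is lost and the
    test interval has lapsed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "fep01.img").write_bytes(b"constructed front-end processor image\n" * 64)
        (d / "historian.img").write_bytes(b"constructed historian image\n" * 64)
        (d / "hmi01.img").write_bytes(b"constructed HMI image\n" * 64)
        write_manifest(d, date(2008, 1, 15))
        clean = verify_backup_set(d, date(2008, 2, 1))
        with (d / "historian.img").open("r+b") as f:   # single-byte corruption
            f.seek(10)
            f.write(b"X")
        (d / "fep01.img").unlink()                      # media loss
        failed = verify_backup_set(d, date(2008, 6, 1))
    return clean, failed


if __name__ == "__main__":
    for label, result in zip(("clean", "failed"), demo()):
        print(label, result)
```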
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
Important Terms Important Terms (cont)(cont)
Physical Security Perimeter The physical six-wall border surrounding computer rooms telecommunication rooms operation centers and other locations in
which Critical Cyber Assets are housed and for which access is controlled
The issue here is to identity the The issue here is to identity the physical locationphysical location of all critical cyber assets (and of all critical cyber assets (and their support infrastructure) and insure that physical their support infrastructure) and insure that physical access restrictionsaccess restrictions and and controlscontrols are provided to keep them inaccessible to unauthorized personnel are provided to keep them inaccessible to unauthorized personnel Included in this requirement is the implementation of suitable ldquostrongrdquo Included in this requirement is the implementation of suitable ldquostrongrdquo identificationauthentication technologies and use of 247 identificationauthentication technologies and use of 247 access monitoringaccess monitoring and and access loggingaccess logging at all perimeter access points at all perimeter access points
copy Cyber SECurity Consulting - All rights reserved
FacilityFacility
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
SCADA OperationsSCADA Operations
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
ControlledControlledMonitoredMonitored
AccessAccess
Control RoomControl Room
Computerserver RoomComputerserver Room
Office AreasOffice Areas TelecomLAN RoomTelecomLAN Room
Monitored hallwaysMonitored hallways
SeparateSeparateAccessAccessRightsRights
Establishing the ldquoPhysical PerimeterrdquoEstablishing the ldquoPhysical Perimeterrdquo
copy Cyber SECurity Consulting - All rights reserved
Defending the ldquoPhysical PerimeterrdquoDefending the ldquoPhysical Perimeterrdquo
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls doors cages barriers and locks
Guards at entryexit points and patrolling
copy Cyber SECurity Consulting - All rights reserved
CIP-007 Systems Security ManagementCIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyberIT procedures and policies in the use of addition to and modification of critical cyber assets and systems
bull R1 ndash Establish suitable testing procedures for all new systems and major system changes and upgradesbull R2 ndash Disable unnecessary TCPUDP ports and OS services on all critical systems and implement other measures where this is not possible bull R3 ndash Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe mannerbull R4 ndash Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
Systems Security Management (cont.)
Required Initial Actions (cont.)
R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities
R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS)
R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets
R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts
R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
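An added example, not from the original slides, of the R6 monitoring logic: detection run over constructed sshd syslog lines from a hypothetical ESP access gateway. It raises a BRUTE_FORCE alert when one source exceeds a threshold of failed logins inside a sliding window, and a SUCCESS_AFTER_FAILURES alert when that same source then logs in successfully, which is the case a NIDS/HIDS rule should escalate rather than merely count. The hostname, addresses, thresholds and log lines are assumptions.

```python
"""Electronic access-attempt monitoring with automatic alerting (CIP-007 R6 style).

Added example. The log lines below are constructed sshd syslog entries from a
hypothetical ESP access gateway ("esp-gw"); they are not real logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 12 02:13:40 esp-gw sshd[2190]: Failed password for invalid user guest from 203.0.113.9 port 44010 ssh2
Mar 12 02:14:01 esp-gw sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 12 02:14:03 esp-gw sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 12 02:14:05 esp-gw sshd[2203]: Failed password for invalid user operator from 198.51.100.7 port 51026 ssh2
Mar 12 02:14:06 esp-gw sshd[2204]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar 12 02:14:08 esp-gw sshd[2205]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar 12 02:14:09 esp-gw sshd[2206]: Accepted publickey for opsuser from 10.20.0.15 port 40122 ssh2
Mar 12 02:14:10 esp-gw sshd[2207]: Accepted password for root from 198.51.100.7 port 51031 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(text):
    # Classic syslog timestamps carry no year; the sample is assumed to lie within one day.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_access_abuse(log_text, threshold=5, window_s=60):
    """Return a list of (alert_type, source, user, timestamp) tuples.

    BRUTE_FORCE fires once when a source reaches `threshold` failures within
    `window_s` seconds; SUCCESS_AFTER_FAILURES fires when a source that failed
    inside the window then authenticates successfully.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            recent = failures[src]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_s:   # slide the window
                recent.popleft()
            if len(recent) == threshold:   # exactly at the threshold: alert once
                alerts.append(("BRUTE_FORCE", src, m["user"], ts))
            continue
        m = OK_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            if recent:
                alerts.append(("SUCCESS_AFTER_FAILURES", src, m["user"], ts))
    return alerts


def format_alert(alert):
    """One line suitable for a syslog/SIEM notification."""
    kind, src, user, ts = alert
    return f"{ts.strftime('%b %d %H:%M:%S')} ALERT {kind} src={src} user={user}"


if __name__ == "__main__":
    for a in detect_access_abuse(SAMPLE_LOG):
        print(format_alert(a))
```

On the sample the first alert fires at the fifth failure from 198.51.100.7 (02:14:08) and the second when the same address succeeds as root two seconds later; the legitimate key-based login from 10.20.0.15 and the single stray failure from 203.0.113.9 produce nothing.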
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
R1 – Establish and document a security incident response plan that ensures compliance with the NERC Indications, Analysis and Warnings (IAW) program and guides personnel through the process of reporting and response, including defining responsibilities and incident categorization
R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the incident procedures, amend them as needed, and enforce regular rehearsal of critical procedures by applicable personnel
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written recovery procedures and training programs.
R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems
R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner
R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel
R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to restore critical cyber assets to full operation
R5 – Periodically test the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and practice the procedures to ensure that recovery can be achieved
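An added example, not from the original page, of the backup-media test that R4 and R5 describe: a SHA-256 manifest written when the backup image set is made and kept with the recovery cache rather than on the media, and a verification routine run at each periodic test that reports files that are missing, corrupt (size or digest mismatch) or not in the manifest. The directory layout and file contents are constructed in a temporary directory for illustration.

```python
"""Backup image manifest and periodic media verification (CIP-009 R4/R5 style).

Added example. The backup set and its contents are constructed in a temporary
directory; the file names are illustrative and not from the slides.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # hash in 1 MiB chunks so large images need not fit in memory


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record size and SHA-256 of every file in the backup set.

    The manifest belongs with the recovery cache, not on the backup media,
    so that a degraded or swapped medium cannot vouch for itself.
    """
    backup_dir = Path(backup_dir)
    entries = {
        p.relative_to(backup_dir).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }
    Path(manifest_path).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_dir, manifest_path):
    """Return {relative path: 'missing' | 'corrupt' | 'unexpected'}; empty means the media verified."""
    backup_dir = Path(backup_dir)
    expected = json.loads(Path(manifest_path).read_text())
    problems = {}
    for rel, meta in expected.items():
        p = backup_dir / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            problems[rel] = "corrupt"
    for p in backup_dir.rglob("*"):
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and rel not in expected:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Constructed scenario: manifest a small backup set, verify it clean, then
    simulate media degradation (one flipped byte), a lost file and a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        bdir = Path(tmp) / "scada-backup"
        (bdir / "config").mkdir(parents=True)
        (bdir / "hmi.img").write_bytes(b"\x00" * 4096)
        (bdir / "config" / "points.db").write_bytes(b"POINTS-DB-v1")
        (bdir / "config" / "rtu_map.csv").write_text("rtu,addr\nRTU01,10.20.1.5\n")
        manifest = Path(tmp) / "manifest.json"
        write_manifest(bdir, manifest)
        clean = verify_backup(bdir, manifest)

        (bdir / "hmi.img").write_bytes(b"\x00" * 4095 + b"\x01")   # same size, bad content
        (bdir / "config" / "points.db").unlink()
        (bdir / "stray.tmp").write_text("not part of the image set")
        return clean, verify_backup(bdir, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean media:", before or "OK")
    print("degraded media:", after)
```

A single flipped byte in the image is caught by the digest even though the size check passes, which is why the manifest stores both; a restore drill (R2) should still follow a clean verification, since a readable image is not yet a proven recovery.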
Cyber Securing SCADA Systems: NERC Self Assessment Process
Key methodology/standard: NERC 1200 (Urgent Action Standard)
Information gathering phase
Identify and document Critical Cyber Assets (physical audit)
Identify and document Critical Cyber Information (physical audit)
Identify and document the Physical Security Perimeter (physical inspection)
Identify and document communication and network connections (physical inspection)
Identify and document all personnel who have access rights (background checks)
Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase
Review findings versus NERC requirements (non-compliance levels)
Develop action plan for addressing all short-comings
Cyber Securing SCADA Systems: NERC Compliance Process
Plan implementation phase
Develop and document necessary policies and procedures (iterative reviews)
Select methods for creating the electronic security perimeter (technology survey)
Implement and test the electronic perimeter (PEN testing)
Select methods for creating the physical security perimeter (technology survey)
Implement and test the physical security perimeter (social engineering testing)
Provide security training to all employees as needed (awareness campaign)
Testing and validation phase
Key methodology/standard: structured audit
Test and validate systems management and recovery procedures (disaster simulation & audits)
Test and validate system/component test/commissioning procedures
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007: The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (the CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate (Order No. 706, January 2008) requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets; currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing section 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs (cont.)
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be.
In addition, CIP-002 requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and the identification methodology left up to the individual Responsible Entity, the results of asset identification will vary significantly from one Responsible Entity to another.
FERC Concerns with CIPs (cont.)
Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs (cont.)
Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; others may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Timeline: 2007 Q2 through 2010 Q4, one column per quarter.
[Chart: one row per standard with quarterly milestone markers (BW/SC/C/AC); the marker positions are not preserved in the transcript.]
Compliance Schedule – Table 1 (Other Facilities)
Same entity scope as the control-center table, for all other facilities. Timeline: 2007 Q2 through 2010 Q4.
[Chart: quarterly milestone markers not preserved.]
Compliance Schedule – Table 2 (All Facilities)
Compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Timeline: 2007 Q2 through 2010 Q4.
[Chart: quarterly milestone markers not preserved.]
Compliance Schedule – Table 3 (All Facilities)
Compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Timeline: 2007 Q1 through 2010 Q4.
[Chart: quarterly milestone markers not preserved.]
Compliance Schedule – Table 4 (All Facilities)
Compliance schedule for Responsible Entities registering in 2007 and thereafter. Timeline: registration plus Q1 through Q11.
[Chart: quarterly milestone markers not preserved.]
Rows in every table (standard and the requirements scheduled):
CIP-002 R1-R4
CIP-003 R1-R6
CIP-004 R1-R4
CIP-005 R1-R5
CIP-006 R1-R6
CIP-007 R1-R9
CIP-008 R1-R2
CIP-009 R1-R5
Milestone legend: BW = begin work, SC = substantially compliant, C = compliant, AC = auditably compliant (the four stages of NERC's implementation plan).
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions?
FacilityFacility
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
SCADA OperationsSCADA Operations
Limited monitoredcontrolled access pointsLimited monitoredcontrolled access points
ControlledControlledMonitoredMonitored
AccessAccess
Control RoomControl Room
Computerserver RoomComputerserver Room
Office AreasOffice Areas TelecomLAN RoomTelecomLAN Room
Monitored hallwaysMonitored hallways
SeparateSeparateAccessAccessRightsRights
Establishing the ldquoPhysical PerimeterrdquoEstablishing the ldquoPhysical Perimeterrdquo
copy Cyber SECurity Consulting - All rights reserved
Defending the ldquoPhysical PerimeterrdquoDefending the ldquoPhysical Perimeterrdquo
Visual monitoring using cameras and recorders
Access control systems with alarms and sensors
Walls doors cages barriers and locks
Guards at entryexit points and patrolling
copy Cyber SECurity Consulting - All rights reserved
CIP-007 Systems Security ManagementCIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyberIT procedures and policies in the use of addition to and modification of critical cyber assets and systems
bull R1 ndash Establish suitable testing procedures for all new systems and major system changes and upgradesbull R2 ndash Disable unnecessary TCPUDP ports and OS services on all critical systems and implement other measures where this is not possible bull R3 ndash Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe mannerbull R4 ndash Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
copy Cyber SECurity Consulting - All rights reserved
Systems Security Management Systems Security Management (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
Required Initial Actions (cont)
bull R5 ndash Establish an account management program and procedures to insure ldquostrongrdquo user authentication proper assignment of user rights based on need and tracking of user activitiesbull R6 ndash Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDSHIDS)bull R7 ndash Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assetsbull R8 ndash Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation effortsbull R9 ndash Establish a document management review and revision program that insures that documentation remains accurate and updated
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Timeline chart, recovered as text only: columns 2007 Q1 through 2010 Q4; one row per requirement: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5; milestone legend BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant. The diamond milestone positions are not recoverable from the extracted text.]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities registering in 2007 and thereafter.
[Timeline chart, recovered as text only: columns are quarters after registration ("Registration plus" Q1 through Q11); one row per requirement: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5; milestone legend BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant. The diamond milestone positions are not recoverable from the extracted text.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions?
Defending the "Physical Perimeter"
• Visual monitoring using cameras and recorders
• Access control systems with alarms and sensors
• Walls, doors, cages, barriers and locks
• Guards at entry/exit points and patrolling
CIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyber/IT procedures and policies for the use of, addition to, and modification of critical cyber assets and systems.
• R1 – Establish suitable testing procedures for all new systems and for major system changes and upgrades.
• R2 – Disable unnecessary TCP/UDP ports and OS services on all critical systems, and implement other (compensating) measures where this is not possible.
• R3 – Establish a patch management program and procedures to track and install security patches on critical cyber systems in an operationally safe manner.
• R4 – Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner.
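To make R2 a repeatable check rather than a one-time hardening step, the following added example (not code from the presentation, NERC or Cyber SECurity Consulting) compares a host's listening sockets against its documented port baseline and its exception register, and flags anything that is neither required nor covered by a recorded compensating measure. The listener dump format, the port baseline, the process names and the exception text are all constructed assumptions.

```python
"""Ports-and-services baseline check in the spirit of CIP-007 R2.

Added example, not part of the original presentation. It compares the
listening TCP/UDP sockets observed on a critical cyber asset against the
asset's documented baseline of required ports and reports anything that is
neither required nor covered by a documented exception with a compensating
measure. The listener dump format and all host data below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one line per listening socket on a hypothetical SCADA
# front-end server, in a simplified "proto local-address:port process" form.
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:502 modbusd
tcp 127.0.0.1:5432 postgres
tcp 0.0.0.0:23 telnetd
tcp 0.0.0.0:80 httpd
udp 0.0.0.0:161 snmpd
udp 0.0.0.0:123 ntpd
"""

# Documented baseline for this asset class (constructed values).
REQUIRED_PORTS = {("tcp", 22), ("tcp", 502), ("udp", 123), ("udp", 161)}

# Documented exceptions, as R2 allows where a port cannot be disabled:
# (proto, port) -> compensating measure on record (constructed).
EXCEPTIONS = {
    ("tcp", 80): "vendor HMI needs HTTP; host firewall limits it to the HMI VLAN",
}

LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<proc>\S+)$")
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    listener: Listener
    status: str  # required | exception | local-only | unauthorized
    note: str = ""


def parse_listeners(text):
    """Parse the listener dump; malformed lines raise instead of being skipped."""
    listeners = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listener line: {line!r}")
        # rpartition keeps IPv6 forms such as [::]:22 intact.
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("proc")))
    return listeners


def assess(listeners, required, exceptions):
    """Classify every listener against the baseline and the exception register."""
    findings = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in required:
            findings.append(Finding(lst, "required"))
        elif key in exceptions:
            findings.append(Finding(lst, "exception", exceptions[key]))
        elif lst.addr in LOOPBACK:
            findings.append(Finding(lst, "local-only",
                                    "not network-reachable; confirm it is still needed"))
        else:
            findings.append(Finding(lst, "unauthorized",
                                    "disable the service or record an exception "
                                    "with a compensating measure"))
    return findings


def unauthorized(findings):
    """(proto, port) pairs that must be closed or documented."""
    return sorted((f.listener.proto, f.listener.port)
                  for f in findings if f.status == "unauthorized")


def required_not_listening(listeners, required):
    """Baseline entries with no matching listener: the documentation may be stale."""
    observed = {(lst.proto, lst.port) for lst in listeners}
    return sorted(required - observed)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_LISTENERS)
    for f in assess(found, REQUIRED_PORTS, EXCEPTIONS):
        print(f"{f.status:12} {f.listener.proto}/{f.listener.port:<5} "
              f"{f.listener.process:10} {f.note}")
    print("required but not listening:", required_not_listening(found, REQUIRED_PORTS))
```

Run against a real dump, the "unauthorized" rows are the R2 findings and the "required but not listening" list is a prompt to correct the baseline document (R9).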
Systems Security Management (Cont.)
Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities.
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS).
• R7 – Establish policies and procedures for the retirement and disposal of critical cyber assets, and audit trails for such assets.
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts.
• R9 – Establish a document management, review and revision program that ensures documentation remains accurate and up to date.
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to, and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and guides personnel through the process of reporting and response, including defining responsibilities and incident categorization.
• R2 – Document incidents and capture/retain the applicable collateral documentation that supports incident investigation.
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce the regular rehearsal of critical procedures by applicable personnel.
CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate, and train personnel on recovery procedures for critical cyber assets and systems.
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner.
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel.
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to restore critical cyber assets to full operation.
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations.
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and to practice the procedures so that recovery can be achieved.
Cyber Securing SCADA Systems
NERC Self Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities shown alongside these steps, in the same order: physical audit, physical audit, physical inspection, physical inspection, background checks, NERC checklist.
Action plan formulation phase:
• Review findings versus NERC requirements
• Develop an action plan for addressing all short-comings (non-compliance levels)
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities shown alongside these steps, in the same order: iterative reviews, technology survey, PEN testing, technology survey, social engineering testing, awareness campaign.
Testing and validation phase:
• Test and validate systems management and recovery procedures
• Test and validate system/component test/commissioning procedures
• Disaster simulation & audits
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.
FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across entities. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that this standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to the next.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", that is, areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Timeline chart, recovered as text only: columns 2007 Q2 through 2010 Q4; one row per requirement: CIP 002 R1–R4, CIP 003 R1–R6, CIP 004 R1–R4, CIP 005 R1–R5, CIP 006 R1–R6, CIP 007 R1–R9, CIP 008 R1–R2, CIP 009 R1–R5; milestone legend BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant. The diamond milestone positions are not recoverable from the extracted text.]
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
CIP-007 Systems Security ManagementCIP-007 Systems Security Management
Required Initial Actions
Create a system security management program that establishes and enforces good cyberIT procedures and policies in the use of addition to and modification of critical cyber assets and systems
bull R1 ndash Establish suitable testing procedures for all new systems and major system changes and upgradesbull R2 ndash Disable unnecessary TCPUDP ports and OS services on all critical systems and implement other measures where this is not possible bull R3 ndash Establish a patch management program and procedures to track and install security patches into critical cyber systems in an operationally safe mannerbull R4 ndash Establish an anti-virus management program and procedures to perform malware scanning and detection on a periodic basis and to update virus detection software on critical cyber systems in an operationally safe manner
copy Cyber SECurity Consulting - All rights reserved
Systems Security Management Systems Security Management (Cont)(Cont)
Required On-Going Actions
Establish a program and procedures to insure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security
Required Initial Actions (cont)
bull R5 ndash Establish an account management program and procedures to insure ldquostrongrdquo user authentication proper assignment of user rights based on need and tracking of user activitiesbull R6 ndash Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDSHIDS)bull R7 ndash Establish policies and procedures for retirement and disposal of critical cyber assets and audit trails for such assetsbull R8 ndash Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation effortsbull R9 ndash Establish a document management review and revision program that insures that documentation remains accurate and updated
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 1 (Other Facilities)
[Chart: compliance schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard. Columns: quarters from 2007 Q2 through 2010 Q4. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers (♦) per requirement row, legend BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant). Marker placement by quarter is not recoverable from the extracted text.]

Compliance Schedule – Table 2 (All Facilities)
[Chart: compliance schedule for Transmission Service Providers, Regional Reliability Organizations, and those TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard. Columns: quarters from 2007 Q2 through 2010 Q4. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers (♦) per requirement row, legend BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant). Marker placement by quarter is not recoverable from the extracted text.]

Compliance Schedule – Table 3 (All Facilities)
[Chart: compliance schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006. Columns: quarters from 2007 Q1 through 2010 Q4. Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers (♦) per requirement row, legend BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant). Marker placement by quarter is not recoverable from the extracted text.]

Compliance Schedule – Table 4 (All Facilities)
[Chart: compliance schedule for Responsible Entities registering in 2007 and thereafter. Columns: quarters counted from registration ("Registration plus" Q1 through Q11). Rows: CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2), CIP-009 (R1–R5). Milestone markers (♦) per requirement row, legend BW / SC / C / AC (begin work, substantially compliant, compliant, auditably compliant). Marker placement by quarter is not recoverable from the extracted text.]

Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP
President – Cyber SECurity Consulting
Questions

Systems Security Management (Cont.)
Required Initial Actions (cont.)
• R5 – Establish an account management program and procedures to ensure "strong" user authentication, proper assignment of user rights based on need, and tracking of user activities.
• R6 – Put in place monitoring technologies that track electronic access attempts into the security perimeter and provide automatic notification of security violation attempts (NIDS/HIDS).
• R7 – Establish policies and procedures for retirement and disposal of critical cyber assets, and audit trails for such assets.
• R8 – Perform cyber vulnerability assessments on a periodic basis and use the resulting findings to guide countermeasure deployment and remediation efforts.
• R9 – Establish a document management, review and revision program that ensures that documentation remains accurate and up to date.
Required On-Going Actions
Establish a program and procedures to ensure that the requirements listed are regularly reviewed and renewed as required to maintain adequate security.

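The R6 item above asks for monitoring of electronic access attempts into the security perimeter with automatic notification of violation attempts. The following is an added example of what such a monitor does at its simplest; it is not code from the slide deck or from NERC. The log line format, the host name esp-ap1, the authorized source list and the failure threshold are all assumptions constructed for the example.

```python
"""Added example (not from the slide deck): a minimal CIP-007 R6-style monitor.

It records every electronic access attempt at an Electronic Security Perimeter
(ESP) access point and raises a notification when an attempt violates policy.
The log format, host names, address lists and thresholds are assumptions made
for this example, not anything NERC or the deck prescribes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like format of the ESP access point (e.g. a VPN/firewall host):
#   2008-03-04T10:15:02 esp-ap1 access src=<ip> user=<name> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) access src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Documented list of sources permitted to reach the ESP access point (assumed).
AUTHORIZED_SOURCES = {"10.20.0.5", "10.20.0.6"}
FAIL_THRESHOLD = 3                  # failures from one source within the window
FAIL_WINDOW = timedelta(minutes=5)  # that count as a violation attempt


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def monitor(lines):
    """Track all access attempts and return (attempts, notifications).

    attempts: every parsed access attempt, the audit trail R6 asks to keep.
    notifications: policy violations that would be sent to the security team.
    """
    attempts, notifications = [], []
    recent_failures = defaultdict(list)   # src -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable lines are not attempts
        attempts.append(rec)
        if rec["src"] not in AUTHORIZED_SOURCES:
            notifications.append(
                f"{rec['ts'].isoformat()} unauthorized source {rec['src']} "
                f"attempted access to {rec['host']} as {rec['user']}")
        if rec["result"] == "fail":
            window = recent_failures[rec["src"]]
            window.append(rec["ts"])
            # keep only failures that fall inside the sliding window
            window[:] = [t for t in window if rec["ts"] - t <= FAIL_WINDOW]
            if len(window) == FAIL_THRESHOLD:   # notify once, when reached
                notifications.append(
                    f"{rec['ts'].isoformat()} {FAIL_THRESHOLD} failed logins "
                    f"from {rec['src']} within {FAIL_WINDOW}")
    return attempts, notifications


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2008-03-04T10:15:02 esp-ap1 access src=10.20.0.5 user=operator1 result=ok",
    "2008-03-04T10:16:10 esp-ap1 access src=192.0.2.44 user=admin result=fail",
    "2008-03-04T10:16:40 esp-ap1 access src=192.0.2.44 user=admin result=fail",
    "2008-03-04T10:17:05 esp-ap1 access src=192.0.2.44 user=root result=fail",
    "2008-03-04T10:30:00 esp-ap1 access src=10.20.0.6 user=operator2 result=fail",
    "not a log line",
]

if __name__ == "__main__":
    att, notes = monitor(SAMPLE_LOG)
    print(f"{len(att)} attempts recorded, {len(notes)} notifications")
    for n in notes:
        print("NOTIFY:", n)
```

Two properties matter for R6 and both are visible here: every parsed attempt is retained regardless of outcome (the tracking requirement), and notification is driven by policy (an undocumented source, or repeated failures) rather than by a single failed login, which keeps an operator's typo from paging the response team.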
CIP-008 Incident Reporting & Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting, documenting, responding to and recovering from cyber incidents; ensure that all applicable personnel are regularly trained on these procedures and that the procedures are validated and modified as required.
• R1 – Establish and document a security incident response plan that ensures compliance with the NERC IAW program and guides personnel through the process of reporting and response, including defining responsibilities and incident categorization.
• R2 – Document incidents and capture/retain applicable collateral documentation that supports incident investigation.
Required On-Going Actions
Establish policies and procedures that ensure the validity and effectiveness of the procedures, amend them as needed, and enforce regular rehearsal of critical procedures by applicable personnel.

CIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs.
• R1 – Create, document, validate and train personnel on recovery procedures for critical cyber assets and systems.
• R2 – Schedule and execute periodic drills on the procedures in an operationally appropriate manner.
• R3 – Update and re-validate procedures whenever changes are made to them, and ensure proper communication of such changes to personnel.
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and create a cache of all materials, tools and other items needed to restore critical cyber assets to full operation.
• R5 – Periodically test the backup media to verify that it is still usable and suitable for backup operations.
Required On-Going Actions
Establish a program to regularly review, adjust and update policies, and also practice the procedures to ensure recovery can be achieved.

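R4 and R5 above call for secured backup images and a periodic check that the media can still be restored from. The following is an added example of the mechanism behind such a check, a backup image with a hashed manifest and a verification pass that reports missing or altered files; it is not code from the slide deck or from NERC. The directory names, file contents, manifest format and the simulated media failure are all constructed for the example.

```python
"""Added example (not from the slide deck): backup images with a hashed
manifest, plus the periodic restore-readiness check CIP-009 R4/R5 call for.

Everything here is constructed for the example: the file names, the manifest
format and the directory layout are assumptions, not NERC requirements.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and write a manifest
    recording each file's relative path, size and SHA-256 digest."""
    src_dir, backup_dir = Path(src_dir), Path(backup_dir)
    entries = {}
    for p in sorted(src_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src_dir).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dest)
        entries[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    (backup_dir / MANIFEST).write_text(json.dumps(entries, indent=2))
    return entries


def verify_backup(backup_dir):
    """Re-read every file named in the manifest and report what no longer
    matches. An empty list means the media is still usable for a restore."""
    backup_dir = Path(backup_dir)
    manifest_path = backup_dir / MANIFEST
    if not manifest_path.exists():
        return ["manifest missing"]
    entries = json.loads(manifest_path.read_text())
    problems = []
    for rel, meta in entries.items():
        p = backup_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != meta["size"]:
            problems.append(f"size mismatch: {rel}")
        elif sha256_of(p) != meta["sha256"]:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def demo():
    """Build a constructed 'critical system' tree, back it up, verify it,
    then simulate degraded media and verify again. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "rtu_config"
        (src / "points").mkdir(parents=True)
        (src / "rtu.conf").write_text("poll_interval=2\nmaster=10.20.0.5\n")
        (src / "points" / "map.csv").write_text("1,breaker_52A\n2,breaker_52B\n")
        backup = Path(tmp) / "backup_2008Q1"
        make_backup(src, backup)
        first = verify_backup(backup)          # fresh image: no problems
        # Simulate bit rot in one file (same size, different bytes) and the
        # loss of another file on the backup media.
        (backup / "rtu.conf").write_text("poll_interval=2\nmaster=10.20.0.9\n")
        (backup / "points" / "map.csv").unlink()
        second = verify_backup(backup)         # degraded image: two problems
        return first, second


if __name__ == "__main__":
    ok, degraded = demo()
    print("fresh backup:", ok or "OK")
    print("degraded media:", degraded)
```

The size check alone would not catch the altered rtu.conf, which is why the manifest carries a digest as well; a restore drill under R2 would then exercise the same verification before any image is trusted.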
Cyber Securing SCADA Systems
NERC Self Assessment Process
[Flowchart, reconstructed from the extracted labels]
Information gathering phase:
  1. Identify and document Critical Cyber Assets (physical audit)
  2. Identify and document Critical Cyber Information (physical audit)
  3. Identify and document the Physical Security Perimeter (physical inspection)
  4. Identify and document communication and network connections (physical inspection)
  5. Identify and document all personnel who have access rights (background checks)
  6. Identify and review all existing cyber security policies and procedures (NERC checklist)
Action plan formulation phase:
  7. Review findings versus NERC requirements (non-compliance levels)
  8. Develop action plan for addressing all short-comings
Key methodology/standard: NERC 1200

Cyber Securing SCADA Systems
NERC Compliance Process
[Flowchart, reconstructed from the extracted labels]
Plan implementation phase:
  1. Develop and document necessary policies and procedures (iterative reviews)
  2. Select methods for creating the electronic security perimeter (technology survey)
  3. Implement and test the electronic perimeter (PEN testing)
  4. Select methods for creating the physical security perimeter (technology survey)
  5. Implement and test the physical security perimeter (social engineering testing)
  6. Provide security training to all employees as needed (awareness campaign)
Testing and validation phase:
  7. Test and validate systems management and recovery procedures (disaster simulation & audits)
  8. Test and validate system/component test/commissioning procedures
Key methodology/standard: Structured audit

FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards

Recent FERC News Updates
August 1, 2007 — The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006, Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR), the Commission proposes to approve the eight cyber security reliability standards.
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.
As of the beginning of 2008, FERC had issued a mandate requiring compliance with the NERC CIPs, although NERC was asked to continue work on the identified issues.

FERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".

FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.

FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that the standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and with the identification methodology left to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to another.

FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
CIP-008 Incident Reporting amp Response PlanningCIP-008 Incident Reporting amp Response Planning
Required Initial Actions
Create policies and procedures that guide personnel through the process of reporting documenting responding to and recovering from cyber incidents and insure that all applicable personnel are regularly trained on these procedures and that procedures are validated and modified as required
bull R1 ndash Establish and document a security incident response plan that insures compliance with the NERC IAW program and that guides personnel through the process of reporting and response including defining responsibilities and incident categorizationbull R2 ndash Document incidents and captureretain applicable collateral documentation that supports incident investigation
Required On-Going Actions
Establish policies and procedures that insure the validity and effectiveness of procedures and amends them as needed and that enforces the regular rehearsal of critical procedures by applicable personnel
copy Cyber SECurity Consulting - All rights reserved
CIP-009 Recovery Plans for Critical Cyber AssetsCIP-009 Recovery Plans for Critical Cyber Assets
Required Initial Actions
Create a program to develop and test written procedures and training programs bull R1 ndash Create document validate and train personnel on recovery procedures for critical cyber assets and systemsbull R2 ndash Schedule and execute periodic drills on the procedures in an operationally appropriate mannerbull R3 ndash Update and re-validate procedures whenever changes are made to them and insure proper communication of such changes to personnelbull R4 ndash Establish procedures and processes for making and securing backup images of critical systems and information assets and create a cache of all materials tools and other items needed to successfully restore critical cyber assets to full operationbull R5 ndash Periodically perform a test of the backup media to verify it is still usable and suitable for backup operations
Required On-Going Actions
Establish a program to regularly review adjust and update policies and also practice the procedures to insure recovery can be achieved
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Self Assessment ProcessNERC Self Assessment Process
Identify and Identify and document Critical document Critical
Cyber AssetsCyber Assets
Identify and Identify and document Critical document Critical Cyber Information Cyber Information
Identify and Identify and document Physical document Physical Security Perimeter Security Perimeter
Identify and Identify and document document
communication and communication and network connections network connections
Identify and Identify and document all document all
personnel who have personnel who have access rights access rights
Identify and review Identify and review all existing cyber all existing cyber
security policies and security policies and proceduresprocedures
Information gathering phaseInformation gathering phase
PhysicalPhysicalAuditAudit
PhysicalPhysicalAuditAudit
PhysicalPhysicalInspectionInspection
PhysicalPhysicalInspectionInspection
BackgroundBackgroundcheckschecks
NERCNERCchecklistchecklist
Review findings Review findings versus NERC versus NERC requirements requirements
Develop action plan Develop action plan for addressing all for addressing all
short-comingsshort-comings
Non-Non-compliance compliance
levelslevels
Action plan formulation phaseAction plan formulation phaseKey methodologystandardKey methodologystandard
NERCNERC12001200
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 3 (All Facilities)
Applies to Responsible Entities (IAs, TOs, etc.) that were required to register during 2006.
[Timeline chart, quarterly from 2007 Q1 through 2010 Q4: one row per requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), marking the quarter by which each milestone is due. Legend: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Compliance Schedule – Table 4 (All Facilities)
Applies to Responsible Entities registering in 2007 and thereafter.
[Timeline chart with the axis measured from the date of registration (registration plus Q1 through Q11): one row per requirement of CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5), marking the quarter after registration by which each milestone is due. Legend: BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant.]
Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP, President – Cyber SECurity Consulting
Questions
CIP-009 Recovery Plans for Critical Cyber Assets

Required Initial Actions

Create a program to develop and test written recovery procedures and the associated training:
• R1 – Create, document and validate recovery procedures for Critical Cyber Assets and systems, and train personnel on them.
• R2 – Schedule and execute periodic drills of the procedures in an operationally appropriate manner.
• R3 – Update and re-validate the procedures whenever changes are made to them, and ensure the changes are communicated to the personnel who must carry them out.
• R4 – Establish procedures and processes for making and securing backup images of critical systems and information assets, and keep a cache of all materials, tools and other items needed to restore Critical Cyber Assets to full operation.
• R5 – Periodically test the backup media to verify that it is still usable and suitable for restoring the systems.

Required On-Going Actions

Establish a program to regularly review, adjust and update the recovery plans, and to exercise the procedures so that recovery can actually be achieved when it is needed.
Cyber Securing SCADA Systems
NERC Self Assessment Process

Information gathering phase
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document the Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Supporting activities: physical audit, physical inspection, background checks, NERC checklist

Action plan formulation phase
• Review findings versus NERC requirements and determine non-compliance levels
• Develop an action plan for addressing all short-comings
Key methodology/standard: NERC 1200
Cyber Securing SCADA Systems
NERC Compliance Process

Plan implementation phase
• Develop and document necessary policies and procedures
• Select methods for creating the electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Supporting activities: iterative reviews, technology survey, penetration testing, social engineering testing, awareness campaign

Testing and validation phase
• Test and validate systems management and recovery procedures
• Test and validate system/component test and commissioning procedures
• Disaster simulation and audits
Key methodology/standard: structured audit
FERC's position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
Recent FERC News Updates

August 1, 2007 – The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nation's bulk electric power supply system against potential disruptions from cyber attacks. The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (the CIPs) and submitted them to the Commission for approval on August 28, 2006. In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment. In the July 19, 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposed to approve the eight cyber security reliability standards.

The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission.

As of the beginning of 2008 FERC had issued an order mandating compliance with the NERC CIPs, while directing NERC to continue work on the identified issues.
FERC Comments on NERC CIPs

FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying Critical Cyber Assets. Currently there is little guidance in the standard.

FERC rejects language in the CIP reliability standards referring to "reasonable business judgment". FERC finds that it is unreasonable, in the context of implementing § 215 of the Federal Power Act, to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own "business standards".
FERC Comments on NERC CIPs

FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.

For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.

Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.
FERC Concerns with CIPs

• Discretion and Business Judgment

All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of Critical Cyber Asset identification, implementation, measurement, auditing and compliance. The CIP standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the results of asset identification will vary significantly from one Responsible Entity to the next.
FERC Concerns with CIPs

• Defining Compliance

FERC stated that "the most critical element of a Cyber Security Standard is the Requirements", because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to its own cyber security policy. FERC has also stated that the timetable for auditable compliance extends too far into the future.
FERC Concerns with CIPs

• Applicability

Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are otherwise excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
Cyber Securing SCADA SystemsCyber Securing SCADA Systems
NERC Compliance ProcessNERC Compliance ProcessDevelop and Develop and
document document necessary policies necessary policies
and proceduresand procedures
Select methods for Select methods for creating electronic creating electronic security perimeter security perimeter
Implement and Implement and test the electronic test the electronic
perimeter perimeter
Select methods for Select methods for creating the physical creating the physical security perimeter security perimeter
Implement and test Implement and test the physical security the physical security
perimeter perimeter
Provide security Provide security training to all training to all
employees as neededemployees as needed
Plan implementation phasePlan implementation phase
Iterative Iterative reviewsreviews
Technology Technology surveysurvey
PEN PEN testingtesting
Technology Technology surveysurvey
Social Social engineering engineering
testingtesting
Awareness Awareness campaigncampaign
Test and validate Test and validate Systems Systems
Management and Management and recovery procedures recovery procedures
Test and validate Test and validate systemcomponent systemcomponent testcommissioningtestcommissioning
proceduresprocedures
Disaster Disaster Simulation Simulation
amp auditsamp audits
Key methodologystandardKey methodologystandard
Structured Structured auditaudit
Testing and validation phaseTesting and validation phase
copy Cyber SECurity Consulting - All rights reserved
FERCrsquos position on the NERC FERCrsquos position on the NERC
Critical Infrastructure Protection Critical Infrastructure Protection
(CIP-002 through CIP-009) Standards(CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
Recent FERC News UpdatesRecent FERC News Updates
August 1 2007 mdash The Federal Energy Regulatory Commission (FERC) recently proposed to approve a set of reliability standards to help safeguard the nations bulk electric power supply system against potential disruptions from cyber attacks The North American Electric Reliability Corporation (NERC) developed the proposed reliability standards (CIPs) and submitted them to the Commission for approval on August 28 2006 In December 2006 Commission staff issued a preliminary analysis of the cyber security reliability standards and allowed for public comment In the July 19 2007 Notice of Proposed Rulemaking (NOPR) the Commission proposes to approve the eight cyber security reliability standards
The NOPR also calls for NERC to develop modifications to address specific concerns identified by the Commission
As of the beginning of 2008 FERC had issued a mandate requiring the compliance with the NERC CIPs although NERC was asked to continue work on the identified issues
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERC’s implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must “begin work” on compliance upon registration with NERC, must be “substantially compliant” within 12 months of registration, and must be “compliant” within 24 months of registration. Entities must ultimately be “auditably compliant” by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves “auditably compliant” status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC’s existing readiness review process.
FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using “reasonable business judgment”. This language allows for a broad interpretation of each standard, which will result in varying levels of critical cyber asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that the standard requires the identification of Critical Cyber Assets through a “risk-based assessment methodology”. FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given, and with the identification methodology left up to the individual Responsible Entity, the result of asset identification will vary significantly from one Responsible Entity to another.
FERC Concerns with CIPs
• Defining Compliance
FERC stated that “the most critical element of a Cyber Security Standard is the Requirements” because they define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying “exceptions”, areas where the Responsible Entity can document instances where it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.
FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation’s electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC’s assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.
Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: columns are quarters 2007 Q2 through 2010 Q4; rows are CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5). Each row carries milestone markers for the four implementation-plan stages BW, SC, C and AC (Begin Work, Substantially Compliant, Compliant, Auditably Compliant); the quarter in which each marker falls did not survive extraction.]
Compliance Schedule – Table 1 (Other Facilities)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: columns are quarters 2007 Q2 through 2010 Q4; rows are CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5). Each row carries milestone markers for the four implementation-plan stages BW, SC, C and AC (Begin Work, Substantially Compliant, Compliant, Auditably Compliant); the quarter in which each marker falls did not survive extraction.]
Compliance Schedule – Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to self-certify compliance to the prior 1200 Urgent Action Standard.
[Chart: columns are quarters 2007 Q2 through 2010 Q4; rows are CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5). Each row carries milestone markers for the four implementation-plan stages BW, SC, C and AC (Begin Work, Substantially Compliant, Compliant, Auditably Compliant); the quarter in which each marker falls did not survive extraction.]
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006.
[Chart: columns are quarters 2007 Q1 through 2010 Q4; rows are CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5). Each row carries milestone markers for the four implementation-plan stages BW, SC, C and AC (Begin Work, Substantially Compliant, Compliant, Auditably Compliant); the quarter in which each marker falls did not survive extraction.]
Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter.
[Chart: columns are quarters counted from registration (registration plus Q1 through Q11); rows are CIP-002 (R1–R4), CIP-003 (R1–R6), CIP-004 (R1–R4), CIP-005 (R1–R5), CIP-006 (R1–R6), CIP-007 (R1–R9), CIP-008 (R1–R2) and CIP-009 (R1–R5). Each row carries milestone markers for the four implementation-plan stages BW, SC, C and AC (Begin Work, Substantially Compliant, Compliant, Auditably Compliant); the quarter in which each marker falls did not survive extraction.]
Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President – Cyber SECurity Consulting
Questions
FERC’s position on the NERC Critical Infrastructure Protection (CIP-002 through CIP-009) Standards
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets Currently there is little guidance in the standard
FERC rejects language in the CIP reliability standards referring to ldquoreasonable business judgmentrdquo FERC finds that it is unreasonable in the context of implementing sect 215 of the Federal Power Act to allow each user owner or operator to determine compliance with the CIP reliability standards based on its own ldquobusiness standardsrdquo
copy Cyber SECurity Consulting - All rights reserved
FERC Comments on NERC CIPsFERC Comments on NERC CIPs
FERC also proposes to approve NERCrsquos implementation plan which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three year period According to the implementation plan entities must ldquobegin workrdquo on compliance upon registration with NERC must be ldquosubstantially compliantrdquo within 12 months of registration and must be ldquocompliantrdquo within 24 months of registration Entities must ultimately be ldquoauditably compliantrdquo by 2009 for certain requirements and by 2010 for the remaining requirements
For the interim period before an entity achieves ldquoauditably compliantrdquo status FERC proposes that NERC develop a self-certification process to assess the status of compliance and if necessary assist entities in achieving full compliance in a timely manner
Further FERC proposes to direct NERC to add a cyber security assessment to NERCrsquos existing readiness review process
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule – Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006

[Schedule grid: timeline 2007 Q1 through 2010 Q4, one column per quarter; one row per requirement]
CIP 002: R1–R4
CIP 003: R1–R6
CIP 004: R1–R4
CIP 005: R1–R5
CIP 006: R1–R6
CIP 007: R1–R9
CIP 008: R1–R2
CIP 009: R1–R5
Legend: BW, SC, C, AC (the four stages of the implementation plan: begin work, substantially compliant, compliant, auditably compliant); the milestone markers in the grid cells are not recoverable from the extraction.

Compliance Schedule – Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter

[Schedule grid: timeline "Registration plus" Q1 through Q11, one column per quarter after registration; one row per requirement]
CIP 002: R1–R4
CIP 003: R1–R6
CIP 004: R1–R4
CIP 005: R1–R5
CIP 006: R1–R6
CIP 007: R1–R9
CIP 008: R1–R2
CIP 009: R1–R5
Legend: BW, SC, C, AC (the four stages of the implementation plan: begin work, substantially compliant, compliant, auditably compliant); the milestone markers in the grid cells are not recoverable from the extraction.

Understanding the NERC CIP Standards
William T. Shaw, PhD, CISSP
President – Cyber SECurity Consulting
Questions

FERC Comments on NERC CIPs
FERC also proposes to approve NERC's implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must "begin work" on compliance upon registration with NERC, must be "substantially compliant" within 12 months of registration, and must be "compliant" within 24 months of registration. Entities must ultimately be "auditably compliant" by 2009 for certain requirements and by 2010 for the remaining requirements.
For the interim period before an entity achieves "auditably compliant" status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner.
Further, FERC proposes to direct NERC to add a cyber security assessment to NERC's existing readiness review process.

FERC Concerns with CIPs
• Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using "reasonable business judgment". This language allows for a broad interpretation of each standard, which will result in varying levels of cyber critical asset identification, implementation, measurement, auditing and compliance across the standards. The CIP Standards give a Responsible Entity too much latitude in deciding how secure it needs to be. In addition, CIP-002 states that the standard requires the identification of Critical Cyber Assets through a "risk-based assessment methodology". FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards. However, with no real guidance given and the identification methodology left up to the individual Responsible Entity, the results of asset identification will vary significantly from one Responsible Entity to the next.

FERC Concerns with CIPs
• Defining Compliance
FERC stated that "the most critical element of a Cyber Security Standard is the Requirements" because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation. However, all of the CIP Standards allow too much flexibility and discretion in identifying "exceptions", areas where the Responsible Entity can document instances in which it cannot conform to the cyber security policy. FERC has also stated that the auditable compliance timetable extends too far.

FERC Concerns with CIPs
• Applicability
Based on the language in the CIPs, some entities may interpret that they are too small to be included in these standards; other entities may interpret that they are excluded. If the mission of NERC is to ensure the reliability and security of the nation's electric grid, all entities, small or large, must be included and categorized as a Responsible Entity. FERC's assessment is that it is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems.

Compliance Schedule – Table 1 (Control Centers)
Compliance Schedule for Balancing Authorities, Transmission Operators & Reliability Coordinators required to self-certify compliance to the prior 1200 Urgent Action Standard

[Schedule grid: timeline 2007 Q2 through 2010 Q4, one column per quarter; one row per requirement]
CIP 002: R1–R4
CIP 003: R1–R6
CIP 004: R1–R4
CIP 005: R1–R5
CIP 006: R1–R6
CIP 007: R1–R9
CIP 008: R1–R2
CIP 009: R1–R5
Legend: BW, SC, C, AC (the four stages of the implementation plan: begin work, substantially compliant, compliant, auditably compliant); the milestone markers in the grid cells are not recoverable from the extraction.

2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Discretion and Business Judgment
All eight of the standards begin with the statement that the Responsible Entity should interpret and apply the standard using ldquoreasonable business judgmentrdquo This language allows for a broad interpretation of each standard which will result in varying levels of cyber critical asset identification implementation measurement auditing and compliance of the standards The CIP Standards give a Responsible Entity too much latitude in deciding how secure they need to be In addition CIP-002 states that this standard requires the identification of Critical Cyber Assets through a ldquorisk-based assessment methodologyrdquo FERC argued that this first standard is the key to achieving a successful framework and affects the implementation of the remaining standards However with no real guidance given and leaving the identification methodology up to the individual Responsible Entity the result of asset identification will vary significantly with each Responsible Entity
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Defining Compliance
FERC stated that ldquothe most critical element of a Cyber SecurityStandard is the Requirementsrdquo because they will define what a Responsible Entity must do to be compliant and establish an enforceable obligation However all of the CIP Standards allow too much flexibility and discretion in identifying ldquoexceptionsrdquo or areas where the Responsible Entity can document instances where they cannot conform to the cyber security policy FERC has stated that the auditable compliance timetable extends too far
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
FERC Concerns with CIPsFERC Concerns with CIPs
1048707 Applicability
Based on the language in the CIPs some entities may interpret that they are too small to be included in these standards Other entities may interpret that they are excluded If the mission of NERC is to ensure the reliability and security of the nationrsquos electric grid all entities small or large must be included and categorized as a Responsible Entity FERCs assessment is that it is not the size of an entity that is critical but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected controlsystems
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Control Centers)(Control Centers)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities (IAs TOs etc) required to register during 2006
Compliance Schedule ndash Table 3 Compliance Schedule ndash Table 3 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diamsdiamsdiams
diams
diams
diamsdiams
diams
diams
diams
diams
copy Cyber SECurity Consulting - All rights reserved
Registration Plus
Q1 Q2 Q3 Q4 Q5 Q6 Q3 Q7 Q8 Q9 Q10 Q11
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Compliance Schedule ndash Table 4 Compliance Schedule ndash Table 4 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
copy Cyber SECurity Consulting - All rights reserved
Understanding the NERC CIP StandardsUnderstanding the NERC CIP Standards
William T Shaw PhD CISSPPresident ndash Cyber SECurity ConsultingCyber SECurity Consulting
Questions Questions
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Balancing Authority Transmission Operators amp Reliability CoordinatorsRequired to self-certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 1 Compliance Schedule ndash Table 1 (Other Facilities)(Other Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diamsdiams
diams
diamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiams
diams
BWBWSCSCCCACAC
diams
copy Cyber SECurity Consulting - All rights reserved
2007 2008 2009 2010Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
CIP 002
CIP 003
CIP 004
CIP 005
CIP 006
Compliance Schedule for Transmission Service Providers Regional Reliability Organizations and TSPs TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Compliance Schedule ndash Table 2 Compliance Schedule ndash Table 2 (All Facilities)(All Facilities)
R1R2R3R4
R1R2R3R4R5R6
R1R2R3R4
R1R2R3R4R5
R1R2R3R4R5R6
CIP 007
R1R2R3R4R5R6R7R8R9
R1R2
R1R2R3R4R5
CIP 009
CIP 008
BWBWSCSCCCACAC
diams
diamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiamsdiamsdiamsdiamsdiams
diamsdiamsdiamsdiams
diams
diamsdiams
diams
diams
diamsdiams
copy Cyber SECurity Consulting - All rights reserved
Compliance Schedule - Table 2 (All Facilities)
Compliance Schedule for Transmission Service Providers, Regional Reliability Organizations, and TSPs, TOPs and BAs NOT required to Self-Certify compliance to the prior 1200 Urgent Action Standard
Time axis: calendar quarters, 2007 Q2 through 2010 Q4
Milestone legend (one marker per requirement row): BW = Begin Work, SC = Substantially Compliant, C = Compliant, AC = Auditably Compliant
Standard   Requirements scheduled
CIP-002    R1, R2, R3, R4
CIP-003    R1 through R6
CIP-004    R1, R2, R3, R4
CIP-005    R1 through R5
CIP-006    R1 through R6
CIP-007    R1 through R9
CIP-008    R1, R2
CIP-009    R1 through R5
(Chart: quarter in which each row reaches BW, SC, C and AC; the slide image is not reproduced in this transcript.)

Compliance Schedule - Table 3 (All Facilities)
Compliance Schedule for Responsible Entities (IAs, TOs, etc.) required to register during 2006
Time axis: calendar quarters, 2007 Q1 through 2010 Q4
Same standards, requirement rows and BW / SC / C / AC milestone legend as Table 2.

Compliance Schedule - Table 4 (All Facilities)
Compliance Schedule for Responsible Entities Registering in 2007 and Thereafter
Time axis: quarters counted from the entity's registration date (Registration plus Q1 through Q11), rather than calendar quarters
Same standards, requirement rows and BW / SC / C / AC milestone legend as Table 2.

Understanding the NERC CIP Standards
William T Shaw PhD CISSP, President - Cyber SECurity Consulting
Questions