AGA/EEI Utility Internal Auditor's Training Course, Washington, DC, August 26, 2015
Hang on, it's going to be a wild ride…
There are no NERC CIP Babel Fish…
"The Babel fish is small, yellow, leech-like, and probably the oddest thing in the universe. It feeds on brain wave energy, absorbing all unconscious frequencies and then excreting telepathically a matrix formed from the conscious frequencies and nerve signals picked up from the speech centres of the brain, the practical upshot of which is that if you stick one in your ear, you can instantly understand anything said to you in any form of language: the speech you hear decodes the brain wave matrix."
NERC CIP Secret Decoder Ring (AKA NERC CIP Acronym Guide)
BCA - BES Cyber Asset
BCS - BES Cyber System
BCSI - BES Cyber System Information
BES - Bulk Electric System
EACMS - Electronic Access Control or Monitoring System
EAP - Electronic Access Point
ERC - External Routable Connectivity
ESP - Electronic Security Perimeter
IRA - Interactive Remote Access
IRC - Impact Rating Criteria
IS - Intermediate System
LEAP - Low Impact BES Cyber System Electronic Access Point
LERC - Low Impact External Routable Connectivity
PACS - Physical Access Control System
PCA - Protected Cyber Asset
PRA - Personnel Risk Assessment
PSP - Physical Security Perimeter
RAI - Reliability Assurance Initiative
RSAW - Reliability Standard Audit Worksheet
TCA - Transient Cyber Asset
TFE - Technical Feasibility Exception
NERC CIP Regulation Development
Timeline of CIP Regulation Development
(Timeline graphic: Voluntary / Mandatory, 2009)
• Version 1: Approved in FERC Order 706 on Jan 18, 2008; effective July 1, 2008
• Versions 2 and 3 (current version): Minor changes to address issues raised by FERC; effective dates of Sep 30, 2010 and Oct 1, 2010, respectively
• Version 4: Approved, then later superseded by V5; never went into effect
• Version 5 (transitioning to here): Approved in FERC Order 791 on November 26, 2013; takes effect beginning on April 1, 2016
• Version 6 (in FERC approval process): Combined with Version 7; FERC issued NOPR on July 16, 2015 (comments due September 21, 2015)
NERC CIP Standards – Full on Jargon
• CIP-002-5 – Cyber Security – BES Cyber System Categorization
• CIP-003-6 – Cyber Security – Security Management Controls
• CIP-004-6 – Cyber Security – Personnel & Training
• CIP-005-5 – Cyber Security – Electronic Security Perimeter(s)
• CIP-006-6 – Cyber Security – Physical Security of BES Cyber Systems
• CIP-007-6 – Cyber Security – System Security Management
• CIP-008-5 – Cyber Security – Incident Reporting and Response Planning
• CIP-009-6 – Cyber Security – Recovery Plans for BES Cyber Systems
• CIP-010-2 – Cyber Security – Configuration Change Management & Vulnerability Assessments
• CIP-011-2 – Cyber Security – Information Protection
• CIP-014-2 – Physical Security
• Actual regulation titles with links to standards on NERC's website
• Orange denotes standards currently pending before FERC ("Version 6")
• CIP-014-2 - One of these is not like the others…
NERC CIP PET (Plain English Translation)
• CIP-002 – What stuff do you have that must be protected?
• CIP-003 – What is your security policy to protect all this stuff, and who's in charge?
• CIP-004 – Who will have access to all your stuff, and how will they be vetted and trained?
• CIP-005 – What are the electronic protective boundaries around all your stuff?
• CIP-006 – What means will you use to physically protect your stuff?
• CIP-007 – How will each item on your list of stuff be protected from harm and inappropriate access?
• CIP-008 – If a security incident occurs that affects your stuff, how will you respond?
• CIP-009 – How will you restore your stuff to working condition if it fails?
• CIP-010 – How will you ensure you always know all about what your stuff is made of?
• CIP-011 – How will you protect the information stored on your stuff?
• CIP-014 – How will you protect your critical substations from physical attacks?
Defense in Depth Approach
(Diagram: layers around BES Cyber Assets: Policies (CIP-003), Training (CIP-004), CIP-006, CIP-005, CIP-007, and Information Protection (CIP-011))
NERC CIP Implementation Deadlines
April 1, 2016
• High & Medium BCS
• Control Centers (only control centers can be High)
• Generation Plants
• Substations
April 1, 2017*
• Low BCS
• Substations
• Generation Plants
• Control Centers
*Assuming FERC issues Version 6 Order before 12-31-2015
So What's Different?
• No longer binary (critical/non-critical)
• Bright line criteria determine criticality
• BES = CIP
New approach to requirement applicability
• Applicability assigned on a per-requirement basis
• Three tiers of impact (High, Medium, Low)
• Over 20 asset categories
• Complex applicability matrix
• Location and connectivity based applicability
More…
NERC CIPv3 Standard Mechanics
Example: CIP-007-3
• 8 pages long
• All detail is contained in the requirement
• Limited additional guidance
NERC CIPv5 Standard Mechanics (Page 6, Page 7)
Example: CIP-007-5
• 68 pages long
• Detail in multiple locations
• Additional guidance included inside and outside standard
NERC CIPv5 Standard Mechanics (Page 51, Page 59)
NERC CIPv5 Standard Mechanics (We're not done yet….)
http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx
Additional NERC Guidance Documents
• Multiple Lessons Learned Documents
• FAQs
• Implementation Studies
Types of Protection
• Physical – Locations that house cyber assets need to be secured and access limited (card readers, cages etc.)
• Electronic – Cyber assets need to be protected electronically by creating unique passwords, limiting access, malware prevention etc.
• Information – Certain information needs to be protected and handled carefully whether paper or electronic (drawings, network diagrams, device configurations)
So how do you audit this anyway?
The old way…
• Performance based
• Zero defects compliance
• One size fits all auditing
The new way…
• Risk based compliance oversight
• Controls focused
• Risk based auditing & enforcement
The new way… Continent-wide Risk Elements Defined
• Annually Identify continent-wide risks
• Prioritize risks based on significance, likelihood, vulnerability, and potential impact to the reliability of the BPS
• Categorize risks as operational and planning, threats to cyber systems, and/or threats to physical security.
• Update for emerging risk and mitigated risks
• Develop Initial Monitoring Scope
The new way… Inherent Risk Assessment
Considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition
Performed on a periodic basis, with the frequency based on a variety of factors, including, but not limited to, changes to a registered entity and significant changes or emergence of new reliability risks.
Regional Entities perform an IRA to identify areas of focus and the level of effort needed to monitor compliance
The new way… Internal Controls Evaluation
• Participation is voluntary
• Provide information about internal controls that address the risks applicable to the entity and correcting noncompliance
• Demonstrate effectiveness of such controls
• Results will further refine CMEP focus
The new way… Compliance Monitoring and Enforcement Tools
• CMEP tools will be customized (off-site or on-site audits, spot checks, Self-Certification etc.) based on reliability risks
• RC, BA and TOP remain on 3 year audit cycle
• CMEP tools may be adjusted within a given implementation year.
The new way… Risk Based Enforcement Activities
• Enforcement activities correlate violations with reliability risk
• Compliance Exceptions:
  • Streamlined violation resolution process
  • Minimal risk instances of noncompliance are eligible
  • Effectively supersedes Find, Fix, Track and Report (FFT)
• Self-Logging:
  • Entities with demonstrated effective management practices are allowed to self-identify, log, assess, and mitigate minimal risk instances of noncompliance, which will be processed as compliance exceptions.
For more details refer to NERC’s “2015 ERO Compliance Monitoring and Enforcement Implementation Plan”
www.nerc.com/pa/comp/Reliability Assurance Initiative/Final_2015 CMEP IP_V_1.2 (Posted_08172015).pdf
Auditor Roadmap…
The RSAW is the roadmap for compliance.
Provides Auditor guidance regarding acceptable demonstration of compliance
Implicit vs. Explicit Requirements
• Be mindful of requirements that are implied rather than explicitly stated.
• Several Regions have posted positions on implied requirements.
• Focus on the intent of the Regulation rather than the words.
• Examples of implied requirements:
  – Identification of BES Cyber Systems (BCS) is required, but identification of BES Cyber Assets (BCA) is not.
  – A discrete list of low impact BCS is not required.
  – Monitoring is not required for low BCS, but incident response is.
CIP-002-5 Identification & Categorization
The objective of CIP-002-5 is to identify Cyber Systems as either high, medium, Systems. (but that's way harder than it
• Conduct an inventory of all BES cyber assets
• Group assets into systems
• Evaluate reliability impact of systems (loss, misuse, compromise, etc.)
• Consider Impact Rating Criteria aka "bright lines"
• Classify systems as BCS High, Medium or Low
CIP-003 System Management Controls – Applicability Matrix
• R1 – Develop a Cyber Security Policy (highs/mediums) (includes 9 specific topics to be included)
• R2 – Develop a Cyber Security Policy (lows) (includes 4 specific topics to be included)
• R3 – Designate a CIP Senior Manager (CSM)
• R4 – Develop a process for CSM delegation of authority
(R1-R2: annual review and approval required every 15 months)
*NOTE: pay attention to v6; there are new terms and additional specificity around low policies
CIP-003-6 System Management Controls
Policy(ies) must collectively address the following…
R1 – Policy for High/Medium BCS:
1. Personnel and training (CIP-004);
2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
3. Physical security of BES Cyber Systems (CIP-006);
4. System security management (CIP-007);
5. Incident reporting and response planning (CIP-008);
6. Recovery plans for BES Cyber Systems (CIP-009);
7. Configuration change management and vulnerability assessments (CIP-010);
8. Information protection (CIP-011);
9. Declaring and responding to CIP Exceptional Circumstances.
R2 – Policy for Low BCS:
1. Cyber security awareness;
2. Physical security controls;
3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
4. Cyber Security Incident response.
CIP-004 Personnel and Training
R1 Security Awareness Program (H,M,L)
• Security Focused
• Quarterly Awareness Activities (Annual for low)
• Intent is to raise general security awareness
• Documentation:
  • Program not required – but recommended
  • Process to ensure appropriate distribution
  • Awareness materials must be retained
  • Performance includes proof of interval execution
R2 Roles based Training Program
• Annually required Training for access of any kind
• Roles focused in v5
• Documentation:
  • Training Program is required
  • Training processes
  • Training content verification
  • Controls to ensure Training is completed prior to access
  • Performance includes random sample
R3 Personnel Risk Assessment Program
• It's more than a background check
• Confirm identity, 7-year criminal history, evaluate for risk
• Documentation:
  • PRA Program document
  • Processes for PRA completion
  • Controls to ensure PRA is complete prior to access
  • Performance includes random sample
R4-R5 Access Management & Revocation Programs
• Must be need based (physical, electronic and information)
• Review authorization records quarterly
• Review user accounts and roles annually
• Remove access within 24 hours for terminations
• Next calendar day for transfers/reassignments
• Documentation:
  • Program document(s) required
  • Processes for all activities
  • Performance includes: random sample
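As an added example (not code from the presentation, NERC or any Region), the following Python script performs the kind of sampled check an internal auditor would run against the R5 revocation timing above: it takes constructed access-revocation records, applies the 24-hour rule for terminations and the next-calendar-day rule for transfers/reassignments, and reports every record that missed its deadline, including access that is still active after the deadline has passed. The record layout, field names, sample values and the sampling helper are assumptions made for illustration; only the timing rules come from the slide.

```python
from datetime import datetime, time, timedelta
import random

# Constructed sample of personnel actions (illustration only, not the
# presentation's data). action is "termination" (access removed within
# 24 hours) or "transfer" (access removed by the end of the next calendar
# day). revoked_time None means access was still active when records were pulled.
SAMPLE_RECORDS = [
    {"id": "u1001", "action": "termination",
     "action_time": "2015-08-03T09:15", "revoked_time": "2015-08-03T14:02"},
    {"id": "u1002", "action": "termination",
     "action_time": "2015-08-04T16:30", "revoked_time": "2015-08-06T08:00"},
    {"id": "u1003", "action": "transfer",
     "action_time": "2015-08-10T11:00", "revoked_time": "2015-08-11T17:45"},
    {"id": "u1004", "action": "transfer",
     "action_time": "2015-08-10T11:00", "revoked_time": "2015-08-12T00:30"},
    {"id": "u1005", "action": "termination",
     "action_time": "2015-08-12T10:00", "revoked_time": None},
]


def deadline_for(action, action_time):
    """Last permitted revocation instant under the CIP-004 R5 timing rules."""
    if action == "termination":
        return action_time + timedelta(hours=24)
    if action == "transfer":
        # "next calendar day": any time up to the end of the day after the action
        next_day = (action_time + timedelta(days=1)).date()
        return datetime.combine(next_day, time(23, 59, 59))
    raise ValueError(f"unknown action {action!r}")


def check_revocations(records, as_of):
    """Return a finding for every record whose revocation missed its deadline.

    as_of (ISO string or datetime) is when the access records were pulled;
    a record with no revocation time is a finding only if its deadline has
    already passed at that moment.
    """
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    findings = []
    for rec in records:
        t0 = datetime.fromisoformat(rec["action_time"])
        deadline = deadline_for(rec["action"], t0)
        if rec["revoked_time"] is None:
            if as_of > deadline:
                findings.append({"id": rec["id"],
                                 "issue": "still active past deadline",
                                 "late_minutes": int((as_of - deadline).total_seconds() // 60)})
            continue
        t1 = datetime.fromisoformat(rec["revoked_time"])
        if t1 > deadline:
            findings.append({"id": rec["id"],
                             "issue": "revoked late",
                             "late_minutes": int((t1 - deadline).total_seconds() // 60)})
    return findings


def audit_sample(records, sample_size, seed, as_of):
    """Reproducibly sample the population (as an auditor would) and check the sample."""
    rng = random.Random(seed)  # fixed seed so the sample can be re-drawn for workpapers
    chosen = rng.sample(records, min(sample_size, len(records)))
    return sorted(r["id"] for r in chosen), check_revocations(chosen, as_of)


if __name__ == "__main__":
    for finding in check_revocations(SAMPLE_RECORDS, "2015-08-20T08:00"):
        print(finding)
```

Run against the constructed records, the check reports three findings: one termination revoked about 15.5 hours late, one transfer revoked half an hour into the day after the deadline, and one terminated user whose access is still active. The seeded sample is what an auditor would record so the same population can be re-drawn later.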
CIP-005 Electronic Security Perimeters
The purpose of the Electronic Security Perimeter (ESP) is to provide a defensible electronic boundary around BES Cyber Systems.
Documentation/Performance:
• Methods to ensure all in-scope devices reside within an ESP.
• Methods to identify malicious communications.
• The location and purpose of each ESP.
• Inventory of access points, Cyber Assets within the ESP & all devices used in the access control and/or monitoring.
• Processes detailing how Interactive Remote Access is managed.
• Diagrams are strongly encouraged.
• Dial-up authentication procedures.
CIP-006 Physical Security of BCS
The purpose of the Physical Security Perimeter (PSP) is to provide a defensible physical boundary around BES Cyber Systems.
Documentation/Performance:
• Physical Security Plans
• Access Monitoring processes
• Visitor Control Program
• PACS Maintenance and Testing Program
• Access, visitor, & alarm logs (90-day rolling)
• PSP Diagrams
CIP-007 Systems Security Management
The purpose of CIP-007 is to protect the individual devices (BCA) inside the ESP.
So how do you protect a device anyway?
• Allowing only necessary services to run
• Disabling unnecessary physical connections
• Installing security patches (new 35 day requirement)
• Protecting devices from malware and viruses
• Monitoring for security events (failed log-ins, viruses etc.)
• Using complex passwords
• Managing shared passwords
Documentation/Performance:
• Process for enabling/disabling ports and services with the list of open ports
• Patch Management Program (recommended)
• Malware/Virus Protection Processes and Procedures
• Alerting processes
• Security Event Logs
• Account management processes
• Password complexity requirements
• Random sampling is common during audits
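The "monitoring for security events" bullet is where an auditor asks to see alerting actually work against the security event logs listed above. As an added example, not from the presentation, this Python script runs a small CIP-007-style detection over a few constructed syslog-style lines: it alerts when one account is hit by repeated failed log-ins from one source within a short window, when a log-in then succeeds right after such a burst, and when the malware scanner reports a detection. The log format, host names, addresses, process names and thresholds are assumptions; a real entity would feed this logic from its own logging platform.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt (illustration only; hosts, addresses and the
# clamd/sshd message formats are assumptions, not data from the course).
SAMPLE_LOG = """\
2015-08-26T02:14:05 rtu-07 sshd[812]: Failed password for operator from 10.20.1.15 port 51022 ssh2
2015-08-26T02:14:09 rtu-07 sshd[812]: Failed password for operator from 10.20.1.15 port 51023 ssh2
2015-08-26T02:14:13 rtu-07 sshd[812]: Failed password for operator from 10.20.1.15 port 51024 ssh2
2015-08-26T02:14:18 rtu-07 sshd[812]: Failed password for operator from 10.20.1.15 port 51025 ssh2
2015-08-26T02:14:22 rtu-07 sshd[812]: Failed password for operator from 10.20.1.15 port 51026 ssh2
2015-08-26T02:15:01 rtu-07 sshd[812]: Accepted password for operator from 10.20.1.15 port 51027 ssh2
2015-08-26T03:40:00 hmi-02 sshd[301]: Failed password for tech from 10.20.1.40 port 40111 ssh2
2015-08-26T09:40:00 hmi-02 sshd[301]: Failed password for tech from 10.20.1.40 port 40112 ssh2
2015-08-26T11:02:44 hmi-02 clamd[77]: Malware FOUND: Eicar-Test-Signature in /tmp/x.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
MALWARE_RE = re.compile(r"Malware FOUND: (?P<sig>\S+)")


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in log order: failed-login bursts, success after a burst, malware."""
    alerts = []
    recent = defaultdict(list)  # (host, user, src) -> failure times still inside the window
    bursting = set()            # keys that have already raised a burst alert
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not parse are skipped, not silently counted
        ts = datetime.fromisoformat(m["ts"])
        host, msg = m["host"], m["msg"]

        fail = FAIL_RE.search(msg)
        if fail:
            key = (host, fail["user"], fail["src"])
            hist = [t for t in recent[key] if ts - t <= window] + [ts]
            recent[key] = hist
            if len(hist) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append({"type": "failed_login_burst", "host": host,
                               "user": fail["user"], "src": fail["src"], "count": len(hist)})
            continue

        ok = OK_RE.search(msg)
        if ok:
            key = (host, ok["user"], ok["src"])
            if key in bursting:
                # a success immediately after a burst is the case worth a human look
                alerts.append({"type": "success_after_burst", "host": host,
                               "user": ok["user"], "src": ok["src"]})
            bursting.discard(key)
            recent.pop(key, None)
            continue

        mw = MALWARE_RE.search(msg)
        if mw:
            alerts.append({"type": "malware_detected", "host": host, "signature": mw["sig"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed excerpt the two failures on hmi-02 are six hours apart and stay below the threshold, so only the rtu-07 burst, the success that follows it, and the malware detection are reported; raising the threshold to 6 leaves only the malware alert. For an audit, the alerts list together with the retained logs is the evidence that the "alerting processes" bullet is met.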
CIP-008 Incident Response
The purpose of CIP-008 is to ensure you can respond when a cyber incident occurs.
• Develop an Incident Response Plan(s) that defines how the utility will identify, classify, and respond to cyber security incidents.
• Define the roles and responsibilities of incident responders.
• Define plans for response to different kinds of incidents.
• Test plans every 15 months (H,M), 36 months (L).
• Document any "lessons learned" from any test or incident and update the plan.
• Train on the plan as part of annual Training.
Document/Performance:
• Incident Response Plan
• Identification and Incident handling processes
• Regulatory reporting processes
• Plan testing results with lessons learned
• Actual incidents (3 year retention)
CIP-009 Recovery Planning
CIP-009 addresses how you will recover (fix) if devices fail.
• R1 - Create a recovery plan (or plans)
• R2 - Test the recovery plan at least once every 15 months.
• R2 - Test a sample of backup data at least once every 15 months to ensure the backups work.
• R2 - Do an operational test every 36 months
• R3 - Document any "lessons learned" from the recovery plan tests and update the recovery plan as needed.
Document/Performance:
• Information backup including verification
• Data preservation during an incident
• Plan exercises
• Data testing
• Operational tests
• Performance:
  • Review of backed up data
  • Testing data (at appropriate intervals)
  • Lessons learned
CIP-010 Configuration Change Management and Vulnerability Testing
Knowing what your devices are made up of and knowing when they change
• R1 – Develop a baseline configuration for each device
• R1 – Manage changes to those devices
• R1 – Verify Security Controls
• R2 – Monitor for unplanned changes
• R3 – Conduct a paper Vulnerability Assessment every 15 months; active VA every 36 months (H)
Document/Performance:
• Documented Baseline configurations of all devices
• Change Control Processes
• Defined Security Controls
• Vulnerability Assessment Plan, Processes & Testing records
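As an added example (not from the presentation), the Python below shows what the R1 baseline and the R2 unplanned-change monitoring look like in code: a baseline per device covering OS/firmware, commercial and custom software, open logical ports and applied patches; a diff of the observed state against it; and a filter that treats any change without an approved change record as unplanned. Device names, version strings, port numbers, patch identifiers and the shape of the change-approval list are constructed for illustration. The example also covers the edge case an auditor checks first: a device seen on the network that has no baseline at all.

```python
# Constructed baseline and observed state (illustration only; device names,
# versions, ports and patch identifiers are assumptions, not course data).
BASELINE = {
    "rtu-07": {
        "os": "VendorOS 4.2.1",
        "software": {"sshd": "7.1", "ntpd": "4.2.8"},
        "custom_software": {"telemetry-agent": "1.3"},
        "ports": {22, 123, 20000},
        "patches": {"VOS-2015-001", "VOS-2015-004"},
    },
}

CURRENT = {
    "rtu-07": {
        "os": "VendorOS 4.2.1",
        "software": {"sshd": "7.1", "ntpd": "4.2.8", "telnetd": "0.17"},
        "custom_software": {"telemetry-agent": "1.4"},
        "ports": {22, 23, 123, 20000},
        "patches": {"VOS-2015-001", "VOS-2015-004", "VOS-2015-007"},
    },
    "hmi-02": {  # observed on the network but never baselined
        "os": "VendorOS 4.2.1",
        "software": {"sshd": "7.1"},
        "custom_software": {},
        "ports": {22},
        "patches": set(),
    },
}

# Approved change records as (device, baseline field, item). The agent
# upgrade and the new patch were authorised; nothing else was.
APPROVED_CHANGES = {
    ("rtu-07", "custom_software", "telemetry-agent"),
    ("rtu-07", "patches", "VOS-2015-007"),
}


def diff_device(baseline, current):
    """List (field, item, before, after) tuples where the observed state deviates."""
    changes = []
    if baseline["os"] != current["os"]:
        changes.append(("os", "os", baseline["os"], current["os"]))
    for field in ("software", "custom_software"):
        before, after = baseline[field], current[field]
        for name in sorted(set(before) | set(after)):
            if before.get(name) != after.get(name):
                changes.append((field, name, before.get(name), after.get(name)))
    for field in ("ports", "patches"):
        for item in sorted(baseline[field] ^ current[field]):  # present on one side only
            changes.append((field, str(item),
                            item if item in baseline[field] else None,
                            item if item in current[field] else None))
    return changes


def find_unplanned(device, changes, approved):
    """Changes with no matching approved change record (the R2 unplanned changes)."""
    return [c for c in changes if (device, c[0], c[1]) not in approved]


def audit_all(baseline, current, approved):
    """Per-device report covering deviations, unplanned changes and missing baselines."""
    report = {}
    for device in sorted(set(baseline) | set(current)):
        if device not in baseline:
            report[device] = {"status": "no baseline", "changes": [], "unplanned": []}
            continue
        if device not in current:
            report[device] = {"status": "not observed", "changes": [], "unplanned": []}
            continue
        changes = diff_device(baseline[device], current[device])
        report[device] = {
            "status": "deviates" if changes else "matches",
            "changes": changes,
            "unplanned": find_unplanned(device, changes, approved),
        }
    return report


if __name__ == "__main__":
    for device, result in audit_all(BASELINE, CURRENT, APPROVED_CHANGES).items():
        print(device, result["status"])
        for change in result["unplanned"]:
            print("  UNPLANNED:", change)
```

On the constructed data rtu-07 shows four deviations from its baseline, two of which (a telnet daemon and its listening port 23) have no change record and are the unplanned changes an auditor would expect to see raised; hmi-02 is reported as having no baseline, which is itself a finding against the "baseline configurations of all devices" evidence above.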
CIP-011 Information Protection
Protecting the sensitive information about your BCS
• R1 – Develop an Information Protection Program that identifies, classifies and protects BCSI throughout its lifecycle.
• R2 – Develop disposal and redeployment processes for removing BCA or reusing them in a different location
BCSI is any information that could be useful to an attacker. It may tie directly to the BCS, like a network diagram, or indirectly, like physical security plans.
Document/Performance:
• Information Protection Program
• Processes for identifying and protecting BCSI
• Procedures/Processes for Disposal and Reuse
• Lists of disposed/reused assets
• Document labeling
• Third-party agreements (vendor, contractor etc.)
CIP-014 Physical Protection
Physical security of Transmission stations/substations, and their associated primary control centers.
Applicability:
• R1: Applicability and Risk Assessment
• R2: Unaffiliated Review
• R3: Control Center Notification
Security:
• R4: Threat and Vulnerability Assessment
• R5: Security Plan
• R6: Unaffiliated Review
R1 becomes effective October 1, 2015.
CIP-014-1 Implementation Timeline
Requirement | Trigger | Cumulative days
R1 Assessment | Effective Date | 0
R2 Verification | Effective + 90 | 90
R2.3 Address Discrepancies | R2.2 + 60 | 150
R3 Notify Control Center | R2 + 7 | 157
R4 Threat and Vulnerability Evaluation | R2 + 120 | 270
R5 Security Plan | R2 + 120 | 270
R6 Review | R5 + 90 | 360
R6.3 Address Discrepancies | R6.2 + 60 | 420
Additional Resources
• EnergySec – NERC CIP Bootcamp
  – Community wiki, webinars, CIPtionary, HipChat
  – www.energysec.org
• NERC CIP V5 Transition webpage – http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx
• Western Interconnection Compliance Forum (WICF) - CIP Focus Group
  – Limited to entities in WECC region only
  – www.wicf.biz to register
Summary…
• Forget what you knew about CIP. Version 5 (and beyond) is a whole new world.
• CIP is much more complex than it seems on the surface.
• New focus on controls and reliability risk.
• Your NERC compliance organization needs your expertise.
• Don’t take the easy way out, it’s only going to get harder.
• Plan for the future, CIP will continue to evolve quickly.
Questions and Contact Info
Lisa Carrington, Regulatory Advisor, Arizona Public Service, (602) [email protected]