AGA/EEI Utility Internal Auditor's Training Course Washington, DC August 26, 2015


Page 1: AGA/EEI Utility Internal Auditor's Training Course ... · 2009 Voluntary Mandatory Version 1 Approved in FERC Order 706 on Jan 18, 2008 –effective July 1, 2008 ... FERC issued NOPR

AGA/EEI Utility Internal Auditor's Training Course
Washington, DC
August 26, 2015

Page 2:

Hang on, it's going to be a wild ride…

Page 3:

There are no NERC CIP Babel Fish…

"The Babel fish is small, yellow, leech-like, and probably the oddest thing in the universe. It feeds on brain wave energy, absorbing all unconscious frequencies and then excreting telepathically a matrix formed from the conscious frequencies and nerve signals picked up from the speech centres of the brain, the practical upshot of which is that if you stick one in your ear, you can instantly understand anything said to you in any form of language: the speech you hear decodes the brain wave matrix."

Page 4:

NERC CIP Secret Decoder Ring (AKA NERC CIP Acronym Guide)

BCA - BES Cyber Asset
BCS - BES Cyber System
BCSI - BES Cyber System Information
BES - Bulk Electric System
EACMS - Electronic Access Control or Monitoring System
EAP - Electronic Access Point
ERC - External Routable Connectivity
ESP - Electronic Security Perimeter
IRA - Interactive Remote Access
IRC - Impact Rating Criteria
IS - Intermediate System
LEAP - Low Impact BES Cyber System Electronic Access Point
LERC - Low Impact External Routable Connectivity
PACS - Physical Access Control System
PCA - Protected Cyber Asset
PRA - Personnel Risk Assessment
PSP - Physical Security Perimeter
RAI - Reliability Assurance Initiative
RSAW - Reliability Standard Audit Worksheet
TCA - Transient Cyber Asset
TFE - Technical Feasibility Exception

Page 5:

NERC CIP Regulation Development

Timeline of CIP Regulation Development (the timeline marks the shift from voluntary to mandatory compliance around 2009)

Version 1 – Approved in FERC Order 706 on Jan 18, 2008; effective July 1, 2008

Versions 2 and 3 – Current version. Minor changes to address issues raised by FERC. Effective dates of Sep 30, 2010 and Oct 1, 2010, respectively

Version 4 – Approved, then later superseded by V5. Never went into effect

Version 5 – Transitioning to here. Approved in FERC Order 791 on November 26, 2013. Takes effect beginning on April 1, 2016

Version 6 – In FERC approval process. Combined with Version 7. FERC issued NOPR on July 16, 2015 (comments due September 21, 2015)

Page 6:

NERC CIP Standards – Full on Jargon

CIP-002-5 – Cyber Security – BES Cyber System Categorization
CIP-003-6 – Cyber Security – Security Management Controls
CIP-004-6 – Cyber Security – Personnel & Training
CIP-005-5 – Cyber Security – Electronic Security Perimeter(s)
CIP-006-6 – Cyber Security – Physical Security of BES Cyber Systems
CIP-007-6 – Cyber Security – System Security Management
CIP-008-5 – Cyber Security – Incident Reporting and Response Planning
CIP-009-6 – Cyber Security – Recovery Plans for BES Cyber Systems
CIP-010-2 – Cyber Security – Configuration Change Management & Vulnerability Assessments
CIP-011-2 – Cyber Security – Information Protection
CIP-014-2 – Physical Security

• Actual regulation titles with links to standards on NERC's website
• Orange (in the original slide) denotes standards currently pending before FERC as "Version 6"
• CIP-014-2 – One of these is not like the others…

Page 7:

NERC CIP PET (Plain English Translation)

CIP-002 – What stuff do you have that must be protected?
CIP-003 – What is your security policy to protect all this stuff, and who's in charge?
CIP-004 – Who will have access to all your stuff, and how will they be vetted and trained?
CIP-005 – What are the electronic protective boundaries around all your stuff?
CIP-006 – What means will you use to physically protect your stuff?
CIP-007 – How will each item on your list of stuff be protected from harm and inappropriate access?
CIP-008 – If a security incident occurs that affects your stuff, how will you respond?
CIP-009 – How will you restore your stuff to working condition if it fails?
CIP-010 – How will you ensure you always know all about what your stuff is made of?
CIP-011 – How will you protect the information stored on your stuff?
CIP-014 – How will you protect your critical substations from physical attacks?

Page 8:

Defense in Depth Approach (diagram)

Layers of protection around the BES Cyber Assets: CIP-005 (electronic perimeter), CIP-006 (physical perimeter) and CIP-007 (system security), supported by Policies (CIP-003), Training (CIP-004) and Information Protection (CIP-011).

Page 9:

NERC CIP Implementation Deadlines

April 1, 2016
• High & Medium BCS
• Control Centers
• Generation Plants
• Substations
(only control centers can be High)

April 1, 2017*
• Low BCS
• Substations
• Generation Plants
• Control Centers

*Assuming FERC issues the Version 6 Order before 12-31-2015

Page 10:

So What’s Different?

• No longer binary (critical/non-critical)

• Bright line criteria determine criticality

• BES = CIP

Page 11:

New approach to requirement applicability
• Applicability assigned on a per requirement basis
• Three tiers of impact (High, Medium, Low)
• Over 20 asset categories
• Complex applicability matrix
• Location and connectivity based applicability

More…

Page 12:

NERC CIPv3 Standard Mechanics

Example: CIP-007-3
• 8 pages long
• All detail is contained in the requirement
• Limited additional guidance

Page 13:

NERC CIPv5 Standard Mechanics (screenshots of pages 6 and 7 of the standard)

Example: CIP-007-5
• 68 pages long
• Detail in multiple locations
• Additional guidance included inside and outside the standard

Page 14:

NERC CIPv5 Standard Mechanics (screenshots of pages 51 and 59 of the standard)

Page 15:

NERC CIPv5 Standard Mechanics (We're not done yet…)

http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

Additional NERC Guidance Documents
• Multiple Lessons Learned Documents
• FAQs
• Implementation Studies

Page 16:

Types of Protection

• Physical – Locations that house cyber assets need to be secured and access limited (card readers, cages etc.)

• Electronic – Cyber assets need to be protected electronically by creating unique passwords, limiting access, malware prevention etc.

• Information – Certain information needs to be protected and handled carefully whether paper or electronic (drawings, network diagrams, device configurations)

Page 17:

Page 18:

So how do you audit this anyway?

Page 19:

The old way…

• Performance based

• Zero defects compliance

• One size fits all auditing

Page 20:

The new way…
• Risk based compliance oversight
• Controls focused
• Risk based auditing & enforcement

Page 21:

The new way… Continent-wide Risk Elements Defined

• Annually Identify continent-wide risks

• Prioritize risks based on significance, likelihood, vulnerability, and potential impact to the reliability of the BPS

• Categorize risks as operational and planning, threats to cyber systems, and/or threats to physical security.

• Update for emerging risk and mitigated risks

• Develop Initial Monitoring Scope

Page 22:

The new way… Inherent Risk Assessment (IRA)

Considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition

Performed on a periodic basis, with the frequency based on a variety of factors, including, but not limited to, changes to a registered entity and significant changes or emergence of new reliability risks.

Regional Entities perform an IRA to identify areas of focus and the level of effort needed to monitor compliance. (Note the acronym collision: in this context IRA means Inherent Risk Assessment, not the Interactive Remote Access of the CIP acronym guide.)

Page 23:

The new way… Internal Controls Evaluation

• Participation is voluntary

• Provide information about internal controls that address the risks applicable to the entity and correct noncompliance

• Demonstrate effectiveness of such controls

• Results will further refine CMEP focus

Page 24:

The new way… Compliance Monitoring and Enforcement Tools

• CMEP tools will be customized (off-site or on-site audits, spot checks, Self-Certification etc.) based on reliability risks

• RC, BA and TOP (Reliability Coordinator, Balancing Authority and Transmission Operator) remain on a 3 year audit cycle

• CMEP tools may be adjusted within a given implementation year.

Page 25:

The new way… Risk Based Enforcement Activities

• Enforcement activities correlate violations with reliability risk

• Compliance Exceptions:
  • Streamlined violation resolution process
  • Minimal risk instances of noncompliance are eligible
  • Effectively supersedes Find, Fix, Track and Report (FFT)

• Self-Logging:
  • Entities with demonstrated effective management practices are allowed to self-identify, log, assess, and mitigate minimal risk instances of noncompliance, which will then be processed as compliance exceptions.

For more details refer to NERC's "2015 ERO Compliance Monitoring and Enforcement Implementation Plan"

www.nerc.com/pa/comp/Reliability Assurance Initiative/Final_2015 CMEP IP_V_1.2 (Posted_08172015).pdf

Page 26:

Auditor Roadmap… the RSAW is the roadmap for compliance

Page 27:

Auditor Roadmap… Provides auditor guidance regarding acceptable demonstration of compliance

Page 28:

Implicit vs. Explicit Requirements

• Be mindful of requirements that are implied rather than explicitly stated.

• Several Regions have posted positions on implied requirements.

• Focus on the intent of the Regulation rather than the words.

• Examples of implied requirements:
  – Identification of BES Cyber Systems (BCS) is required, but identification of BES Cyber Assets (BCA) is not.
  – A discrete list of low impact BCS is not required.
  – Monitoring is not required for low impact BCS, but incident response is.

Page 29:

CIP-002-5 Identification & Categorization

The objective of CIP-002-5 is to identify BES Cyber Systems as either high, medium, or low impact Systems (but that's way harder than it …

• Conduct an inventory of all BES cyber assets

• Group assets into systems

• Evaluate reliability impact of systems (loss, misuse, compromise, etc.)

• Consider Impact Rating Criteria aka “bright lines”

• Classify systems as BCS High, Medium or Low

Page 30:

CIP-003 Security Management Controls – Applicability Matrix

R1 – Develop a Cyber Security Policy (highs/mediums) (9 specific topics must be included)

R2 – Develop a Cyber Security Policy (lows) (4 specific topics must be included)

R3 – Designate a CIP Senior Manager (CSM)

R4 – Develop a process for CSM delegation of authority

(R1 and R2: review and CIP Senior Manager approval required at least once every 15 calendar months)

*NOTE: pay attention to v6; there are new terms and additional specificity around low impact policies

Page 31:

CIP-003-6 Security Management Controls

Policy(ies) must collectively address the following…

R1 – Policy for High/Medium BCS:
1. Personnel and training (CIP-004);
2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
3. Physical security of BES Cyber Systems (CIP-006);
4. System security management (CIP-007);
5. Incident reporting and response planning (CIP-008);
6. Recovery plans for BES Cyber Systems (CIP-009);
7. Configuration change management and vulnerability assessments (CIP-010);
8. Information protection (CIP-011); and
9. Declaring and responding to CIP Exceptional Circumstances.

R2 – Policy for Low BCS:
1. Cyber security awareness;
2. Physical security controls;
3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
4. Cyber Security Incident response.

Page 32:

CIP-004 Personnel and Training

R1 Security Awareness Program (H, M, L)
• Security focused
• Quarterly awareness activities (annual for low)
• Intent is to raise general security awareness
• Documentation:
  • Program not required – but recommended
  • Process to ensure appropriate distribution
  • Awareness materials must be retained
  • Performance includes proof of interval execution

R2 Role-based Training Program
• Training required before access of any kind is granted, and at least once every 15 calendar months thereafter
• Role focused in v5
• Documentation:
  • Training program is required
  • Training processes
  • Training content verification
  • Controls to ensure training is completed prior to access
  • Performance includes random sample

Page 33:

CIP-004 Personnel and Training

R3 Personnel Risk Assessment Program
• It's more than a background check
• Confirm identity, 7-year criminal history check, evaluate for risk
• Documentation:
  • PRA program document
  • Processes for PRA completion
  • Controls to ensure PRA is complete prior to access
  • Performance includes random sample

R4-R5 Access Management & Revocation Programs
• Must be need based (physical, electronic and information)
• Review authorization records quarterly
• Review user accounts and roles annually
• Remove access within 24 hours for terminations
• By the end of the next calendar day for transfers/reassignments
• Documentation:
  • Program document(s) required
  • Processes for all activities
  • Performance includes random sample
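The access management and revocation checks above are the kind an internal auditor can test mechanically rather than by interview: take the HR feed of terminations and transfers, the export of active accounts and badges from the EACMS and PACS, and the authorization records, and compare them. The following Python is an added example written for this page, not code from the course, from APS or from NERC. The HR events, access records, system names and authorization list are constructed sample data, and the deadlines are encoded as the slide summarizes them (24 hours for terminations, end of the next calendar day for transfers); the standard's further cases, such as the 30-day windows for BCSI access and for non-shared accounts on High impact systems, are deliberately not modelled.

```python
from datetime import datetime, timedelta

# Constructed HR feed for the example (no real people): terminations and
# transfers with the time HR recorded them.
HR_EVENTS = [
    {"user": "jdoe", "event": "termination", "when": "2015-08-03T09:00"},
    {"user": "asmith", "event": "termination", "when": "2015-08-10T16:30"},
    {"user": "bjones", "event": "transfer", "when": "2015-08-11T08:00"},
]

# Constructed export from the EACMS and PACS: (user, system, access type,
# time access was revoked, or None if the account/badge is still active).
ACCESS_RECORDS = [
    ("jdoe", "EMS-SCADA", "electronic", "2015-08-03T15:10"),       # revoked in 6 h
    ("jdoe", "PSP-CC1", "physical", "2015-08-05T10:00"),           # 49 h later: late
    ("asmith", "EMS-SCADA", "electronic", None),                   # never revoked
    ("bjones", "SUB7-RTU-NET", "electronic", "2015-08-12T17:00"),  # next day: in time
    ("cwhite", "EMS-SCADA", "electronic", None),                   # active, see below
]

# Constructed authorization records (R4 Part 4.1): who was approved for what.
AUTHORIZED = {
    ("jdoe", "EMS-SCADA"), ("jdoe", "PSP-CC1"),
    ("asmith", "EMS-SCADA"), ("bjones", "SUB7-RTU-NET"),
    # cwhite has an active EMS-SCADA account but no authorization record
}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def revocation_deadline(event):
    """Deadline as the slide summarizes CIP-004 R5: 24 hours for terminations,
    end of the next calendar day for transfers/reassignments."""
    when = _ts(event["when"])
    if event["event"] == "termination":
        return when + timedelta(hours=24)
    next_day = (when + timedelta(days=1)).date()
    return datetime.combine(next_day, datetime.max.time())


def revocation_findings(hr_events=HR_EVENTS, access_records=ACCESS_RECORDS):
    """R5 test: for each HR event, every access the person held must have been
    revoked by the deadline. Returns (user, system, description) findings."""
    findings = []
    for event in hr_events:
        deadline = revocation_deadline(event)
        for user, system, _kind, revoked in access_records:
            if user != event["user"]:
                continue
            if revoked is None:
                findings.append((user, system, "still active after %s" % event["event"]))
            elif _ts(revoked) > deadline:
                findings.append((user, system, "revoked %s late" % (_ts(revoked) - deadline)))
    return findings


def authorization_findings(authorized=AUTHORIZED, access_records=ACCESS_RECORDS):
    """R4 Part 4.2 quarterly verification: every active access must correspond
    to an authorization record. Returns the (user, system) pairs that do not."""
    return sorted((user, system) for user, system, _kind, revoked in access_records
                  if revoked is None and (user, system) not in authorized)


if __name__ == "__main__":
    for finding in revocation_findings():
        print("R5 finding:", finding)
    for finding in authorization_findings():
        print("R4 finding:", finding)
```

Run against the constructed data this reports two R5 findings (a badge revoked a day late and an account never revoked) and one R4 finding (an active account with no authorization). The same two comparisons, run quarterly and retained with the input extracts, are the evidence the "random sample" performance test on the slide is drawn from.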

Page 34:

CIP-005 Electronic Security Perimeters

The purpose of the Electronic Security Perimeter (ESP) is to provide a defensible electronic boundary around BES Cyber Systems.

Page 35:

CIP-005 Electronic Security Perimeters

Documentation/Performance:

• Methods to ensure all in-scope devices reside within an ESP.

• Methods to identify malicious communications.

• The location and purpose of each ESP.

• Inventory of access points (EAPs), Cyber Assets within the ESP, and all devices used for access control and/or monitoring (EACMS).

• Processes detailing how Interactive Remote Access is managed.

• Diagrams are strongly encouraged.

• Dial-up authentication procedures.
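The first and fourth items above ("methods to ensure all in-scope devices reside within an ESP" and the inventory of access points) are easiest to demonstrate to an auditor when they are produced by a repeatable check over the asset inventory and the EAP rule base rather than by hand. The Python below is an added example written for this page, not code from the course or from NERC: the ESP names, IP ranges, asset names and firewall rules are all constructed, and the rule export format is a simplified stand-in for whatever the entity's firewall actually produces.

```python
import ipaddress

# Constructed inventory for this example (not from the course): each declared
# ESP with its network, its Electronic Access Point (EAP) and purpose.
ESPS = {
    "ESP-CC1": {"network": "10.10.0.0/24", "eap": "10.10.0.1",
                "purpose": "Control center EMS LAN"},
    "ESP-SUB7": {"network": "192.168.7.0/26", "eap": "192.168.7.1",
                 "purpose": "Substation 7 relay LAN"},
}

# Constructed list of in-scope Cyber Assets: (name, IP, classification).
CYBER_ASSETS = [
    ("EMS-SRV-01", "10.10.0.10", "BCA"),
    ("EMS-HIST-01", "10.10.0.50", "PCA"),
    ("SUB7-RELAY-1", "192.168.7.20", "BCA"),
    ("SUB7-RELAY-2", "192.168.7.70", "BCA"),   # .70 is outside 192.168.7.0/26 (.0-.63)
    ("ENG-WKS-03", "10.10.5.15", "BCA"),       # corporate subnet, no ESP declared
]

# Constructed EAP rule export. CIP-005 R1 Part 1.3 requires inbound and outbound
# access permissions with a documented reason, and denial of all other access.
EAP_RULES = [
    {"esp": "ESP-CC1", "action": "permit", "src": "10.10.9.5/32", "dst": "10.10.0.10",
     "port": "tcp/22", "reason": "IRA from the Intermediate System only"},
    {"esp": "ESP-CC1", "action": "permit", "src": "0.0.0.0/0", "dst": "10.10.0.50",
     "port": "tcp/1433", "reason": ""},
    {"esp": "ESP-CC1", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "port": "any", "reason": "default deny"},
    {"esp": "ESP-SUB7", "action": "permit", "src": "10.10.0.10/32", "dst": "192.168.7.0/26",
     "port": "tcp/102", "reason": "EMS polling of relays (IEC 61850 MMS)"},
]


def esp_for(ip, esps=ESPS):
    """Return the name of the ESP whose network contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, esp in esps.items():
        if addr in ipaddress.ip_network(esp["network"]):
            return name
    return None


def assets_outside_esp(assets=CYBER_ASSETS, esps=ESPS):
    """R1 Part 1.1: every BCA/PCA with routable connectivity must sit inside an ESP."""
    return [(name, ip) for name, ip, _kind in assets if esp_for(ip, esps) is None]


def eap_rule_findings(rules=EAP_RULES):
    """R1 Part 1.3: every permit needs a documented reason, any-source permits
    deserve a second look, and each EAP must end in an explicit deny-all."""
    findings = []
    by_esp = {}
    for rule in rules:
        by_esp.setdefault(rule["esp"], []).append(rule)
    for esp, esp_rules in by_esp.items():
        has_default_deny = any(r["action"] == "deny" and r["src"] == "0.0.0.0/0"
                               and r["dst"] == "0.0.0.0/0" for r in esp_rules)
        if not has_default_deny:
            findings.append((esp, "no explicit default-deny rule"))
        for r in esp_rules:
            if r["action"] != "permit":
                continue
            if not r["reason"].strip():
                findings.append((esp, "permit without documented reason: %s -> %s %s"
                                 % (r["src"], r["dst"], r["port"])))
            if r["src"] == "0.0.0.0/0":
                findings.append((esp, "permit from any source: %s %s"
                                 % (r["dst"], r["port"])))
    return findings


if __name__ == "__main__":
    for name, ip in assets_outside_esp():
        print("OUTSIDE ESP:", name, ip)
    for esp, msg in eap_rule_findings():
        print("EAP FINDING:", esp, msg)
```

On the constructed data the check flags a relay whose address falls outside its substation ESP's /26, an engineering workstation on a subnet with no ESP at all, a permit rule with no reason, a permit open to any source, and a substation EAP with no explicit default deny. Note that `ipaddress` is the standard library module, so this runs anywhere Python 3 does; the interesting part is feeding it a real inventory and a real rule export.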

Page 36:

CIP-006 Physical Security of BCS

The purpose of the Physical Security Perimeter (PSP) is to provide a defensible physical boundary around BES Cyber Systems.

Page 37:

CIP-006 Physical Security of BCS

Documentation/Performance:

• Physical Security Plans

• Access Monitoring processes

• Visitor Control Program

• PACS Maintenance and Testing Program

• Access, visitor, & alarm logs (90-day rolling)

• PSP Diagrams

Page 38:

CIP-007 System Security Management

The purpose of CIP-007 is to protect the individual devices (BCA) inside the ESP.

Page 39:

CIP-007 System Security Management

So how do you protect a device anyway?
• Allowing only necessary services to run, and only the needed logical ports to listen
• Disabling unnecessary physical connections (unused physical ports)
• Installing security patches (new 35-day requirement: evaluate newly released patches for applicability at least every 35 calendar days, then apply each applicable patch or create a mitigation plan within 35 days of that evaluation)
• Protecting devices from malware and viruses
• Monitoring for security events (failed log-ins, viruses etc.)
• Using complex passwords
• Managing shared passwords

Page 40:

CIP-007 System Security Management

Documentation/Performance:

• Process for enabling/disabling ports and services with the list of open ports

• Patch Management Program (recommended)

• Malware/Virus Protection Processes and Procedures

• Alerting processes

• Security Event Logs

• Account management processes

• Password complexity requirements

• Random sampling is common during audits
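Two of the documentation/performance items above can be produced by a script instead of by hand, which also makes them easy to re-run on the random sample the auditor picks: the list of open ports on a device compared with the documented needed ports/services (R1), and the security event logs checked for failed-login bursts and malware detections (R4). The Python below is an added example written for this page, not code from the course or from NERC. The listener table (in `ss -tulpn` style), the approved-ports list and the syslog lines are constructed; `ems01`, the process names, users and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed listener table in `ss -tulpn` style, captured from a hypothetical
# EMS server (not a real device). Columns: proto state local-address process.
LISTENER_TABLE = """\
tcp   LISTEN  0.0.0.0:22     sshd
tcp   LISTEN  0.0.0.0:102    iec61850d
tcp   LISTEN  0.0.0.0:2404   iec104d
tcp   LISTEN  0.0.0.0:23     telnetd
udp   UNCONN  0.0.0.0:161    snmpd
"""

# The entity's documented "needed" ports/services for this device
# (CIP-007 R1 Part 1.1), constructed for the example.
APPROVED_PORTS = {
    ("tcp", 22): "SSH management",
    ("tcp", 102): "IEC 61850 MMS to relays",
    ("tcp", 2404): "IEC 60870-5-104 to RTUs",
    ("udp", 161): "SNMP polling by the monitoring EACMS",
}

LISTENER_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\S+:(\d+)\s+(\S+)")


def parse_listeners(table=LISTENER_TABLE):
    """Return [(proto, port, process)] for each listening socket in the table."""
    listeners = []
    for line in table.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def unapproved_listeners(table=LISTENER_TABLE, approved=APPROVED_PORTS):
    """R1: anything listening that is not on the approved list is a deviation."""
    return [(proto, port, proc) for proto, port, proc in parse_listeners(table)
            if (proto, port) not in approved]


# Constructed syslog lines (no real hosts or users) to exercise the R4 checks.
SYSLOG_SAMPLE = """\
Aug 20 02:14:01 ems01 sshd[4121]: Failed password for invalid user admin from 10.20.30.40 port 51122 ssh2
Aug 20 02:14:03 ems01 sshd[4121]: Failed password for invalid user admin from 10.20.30.40 port 51124 ssh2
Aug 20 02:14:05 ems01 sshd[4121]: Failed password for invalid user admin from 10.20.30.40 port 51126 ssh2
Aug 20 02:14:07 ems01 sshd[4121]: Failed password for invalid user admin from 10.20.30.40 port 51128 ssh2
Aug 20 02:14:09 ems01 sshd[4121]: Failed password for invalid user admin from 10.20.30.40 port 51130 ssh2
Aug 20 02:15:00 ems01 sshd[4130]: Accepted publickey for operator from 10.20.30.5 port 50001 ssh2
Aug 20 02:16:10 ems01 clamd[900]: Malware detected: Eicar-Test-Signature in /tmp/x
Aug 20 02:17:00 ems01 sshd[4140]: Failed password for operator from 10.20.30.5 port 50002 ssh2
"""

FAILED_LOGIN_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
MALWARE_RE = re.compile(r"Malware detected: (\S+)")


def security_alerts(log_text=SYSLOG_SAMPLE, threshold=5):
    """R4 Parts 4.1/4.2: log failed access attempts and malware, and generate
    an alert for each detected malware event and for a burst of failed logins
    from one source address (alert once, when the threshold is reached)."""
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = MALWARE_RE.search(line)
        if m:
            alerts.append(("malware", m.group(1)))
            continue
        m = FAILED_LOGIN_RE.search(line)
        if m:
            source = m.group(2)
            failures[source] += 1
            if failures[source] == threshold:
                alerts.append(("failed_logins", source))
    return alerts


if __name__ == "__main__":
    print("unapproved listeners:", unapproved_listeners())
    print("alerts:", security_alerts())
```

On the constructed input the port check surfaces a telnet daemon nobody documented, and the log check raises one alert for five failed logins from a single address and one for the malware detection, while a lone failed login by an operator stays logged but unalerted. A production version would count failures inside a sliding time window rather than over the whole file, and would read the listener table from the device rather than a string.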

Page 41:

CIP-008 Incident Response

The purpose of CIP-008 is to ensure you can respond when a cyber incident occurs

• Develop an Incident Response Plan(s) that defines how the utility will identify, classify, and respond to cyber security incidents.

• Define the roles and responsibilities of incident responders.

• Define plans for response to different kinds of incidents.

• Test plans every 15 months (H,M) 36 months (L).

• Document any “lessons learned” from any test or incident and update the plan.

• Train on the plan as part of annual Training.

Page 42:

CIP-008 Incident Response

The purpose of CIP-008 is to ensure you can respond when a cyber incident occurs

Document/Performance:

• Incident Response Plan

• Identification and Incident handling processes

• Regulatory reporting processes

• Plan testing results with lessons learned

• Actual incidents (3 year retention)

Page 43:

CIP-009 Recovery Planning

CIP-009 addresses how you will recover (fix) if devices fail.

• R1 - Create a recovery plan (or plans)

• R2 - Test the recovery plan at least once every 15 months.

• R2 - Test a sample of backup data at least once every 15 months to ensure the backups work.

• R2 - Do an operational test every 36 months

• R3 - Document any “lessons learned” from the recovery plan tests and update the recovery plan as needed.

Page 44:

CIP-009 Recovery Planning

CIP-009 addresses how you will recover (fix) if devices break.

Document/Performance:

• Information backup including verification
• Data preservation during an incident
• Plan exercises
• Data testing
• Operational tests
• Performance
  • Review of backed up data
  • Testing data (at appropriate intervals)

• Lessons learned

Page 45:

CIP-010 Configuration Change Management and Vulnerability Assessments

Knowing what your devices are made up of, and knowing when they change

• R1 – Develop a baseline configuration for each device

• R1 – Manage changes to those devices

• R1 – Verify Security Controls

• R2 – Monitor for unplanned changes

• R3 – Conduct a paper Vulnerability Assessment at least every 15 months; an active VA at least every 36 months (High only)

Page 46:

CIP-010 Configuration Change Management and Vulnerability Assessments

Knowing what your devices are made up of, and knowing when they change

Document/Performance:

• Documented Baseline configurations of all devices

• Change Control Processes

• Defined Security Controls

• Vulnerability Assessment Plan, Processes & Testing records
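The baseline and change-control items above are where a script earns its keep: the baseline is a structured record of five things per device, drift is a set difference against a fresh snapshot, and "unauthorized change" is any drift that no change ticket explains. The Python below is an added example written for this page, not code from the course or from NERC. The device `SUB7-HMI-01`, its baseline, the later snapshot and the change ticket `CHG-1187` are all constructed; the five baseline elements are the ones CIP-010 R1 Part 1.1 names (operating system/firmware, commercially available software, custom software, logical network accessible ports, applied security patches), and the 35-day cadence is the R2 Part 2.1 monitoring interval for High impact systems.

```python
import hashlib
import json
from datetime import date, timedelta

# The five elements a CIP-010 R1 Part 1.1 baseline must record for each device.
BASELINE_FIELDS = ("os_firmware", "commercial_software", "custom_software",
                   "logical_ports", "security_patches")

# Constructed baseline for a hypothetical substation HMI (not a real device record).
BASELINE = {
    "device": "SUB7-HMI-01",
    "approved": "2015-07-01",
    "os_firmware": "Windows Server 2008 R2 SP1",
    "commercial_software": ["HMI Runtime 9.2", "Antivirus 12.1"],
    "custom_software": ["alarm_forwarder 1.4"],
    "logical_ports": ["tcp/3389", "tcp/502", "udp/161"],
    "security_patches": ["KB3000061", "KB3011780"],
}

# Constructed snapshot collected later from the device: one patch was applied
# under a change ticket, and a VNC listener appeared with no ticket at all.
SNAPSHOT = {
    "device": "SUB7-HMI-01",
    "os_firmware": "Windows Server 2008 R2 SP1",
    "commercial_software": ["HMI Runtime 9.2", "Antivirus 12.1"],
    "custom_software": ["alarm_forwarder 1.4"],
    "logical_ports": ["tcp/3389", "tcp/502", "udp/161", "tcp/5900"],
    "security_patches": ["KB3000061", "KB3011780", "KB3042553"],
}

# Constructed change records: ticket -> device and the baseline items it authorized.
CHANGE_TICKETS = {
    "CHG-1187": {"device": "SUB7-HMI-01", "security_patches": ["KB3042553"]},
}


def baseline_hash(baseline):
    """Stable fingerprint of the five baseline elements, useful as evidence
    that the documented baseline has not itself been altered since approval."""
    canonical = json.dumps({f: baseline[f] for f in BASELINE_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_baseline(baseline, snapshot):
    """Return {field: (added, removed)} for every baseline element that drifted."""
    drift = {}
    for field in BASELINE_FIELDS:
        old, new = baseline[field], snapshot[field]
        if isinstance(old, str):
            if old != new:
                drift[field] = ([new], [old])
            continue
        added = sorted(set(new) - set(old))
        removed = sorted(set(old) - set(new))
        if added or removed:
            drift[field] = (added, removed)
    return drift


def unauthorized_changes(drift, tickets, device):
    """R1 Part 1.2 / R2 Part 2.1: every deviation from the baseline must trace
    to an authorized change; anything left over is an unauthorized change."""
    covered = set()
    for ticket in tickets.values():
        if ticket["device"] != device:
            continue
        for field, items in ticket.items():
            if field != "device":
                covered.update((field, item) for item in items)
    return [(field, item) for field, (added, removed) in drift.items()
            for item in added + removed if (field, item) not in covered]


def next_monitoring_due(last_check):
    """R2 Part 2.1 (High impact BCS): verify the baseline at least once every
    35 calendar days; returns the date the next check is due."""
    return date.fromisoformat(last_check) + timedelta(days=35)


if __name__ == "__main__":
    drift = diff_baseline(BASELINE, SNAPSHOT)
    print("drift:", drift)
    print("unauthorized:", unauthorized_changes(drift, CHANGE_TICKETS, "SUB7-HMI-01"))
    print("next check due:", next_monitoring_due(BASELINE["approved"]))
```

On the constructed data the diff shows two deviations, the patch `KB3042553` and the new `tcp/5900` listener; the ticket covers the patch, so only the listener comes back as unauthorized, which is exactly the finding an auditor expects the entity's own R2 monitoring to have caught within 35 days. Hashing the canonical baseline gives a cheap way to prove at audit time that the baseline document itself matches what was approved.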

Page 47:

CIP-011 Information Protection

Protecting the sensitive information about your BCS

• R1 – Develop Information Protection Program that identifies, classifies and protects BCSI throughout its lifecycle.

• R2 – Develop disposal and redeployment processes when removing/reusing BCA in a different location

BCSI is any information about your BCS that could be useful to an attacker. It may tie directly to the BCS, like a network diagram, or indirectly, like physical security plans.

Page 48:

CIP-011 Information Protection

Protecting the sensitive information about your BCS

Document/Performance:

• Information Protection Program

• Processes for identifying and protecting BCSI

• Procedures/Processes for Disposal and Reuse

• Lists of disposed/reused assets

• Document labeling

• Third-party agreements (vendor, contractor etc.)

Page 49:

CIP-014 Physical Protection

Physical security of Transmission stations/substations, and their associated primary control centers.

Applicability:
R1: Applicability and Risk Assessment
R2: Unaffiliated Review
R3: Control Center Notification

Security:
R4: Threat and Vulnerability Assessment
R5: Security Plan
R6: Unaffiliated Review

Page 50:

CIP-014 Physical Protection

R1 becomes effective October 1, 2015.

CIP-014-1 Implementation Timeline (days are cumulative from the effective date; the "R2 +" offsets count from completion of R2, i.e. day 150)

Step                                     Due                Cumulative
R1 Assessment                            Effective Date     0 days
R2 Verification                          Effective + 90     90 days
R2.3 Address Discrepancies               R2.2 + 60          150 days
R3 Notify Control Center                 R2 + 7             157 days
R4 Threat and Vulnerability Evaluation   R2 + 120           270 days
R5 Security Plan                         R2 + 120           270 days
R6 Review                                R5 + 90            360 days
R6.3 Address Discrepancies               R6.2 + 60          420 days

Page 51:

Page 52:

Additional Resources

• EnergySec – NERC CIP Bootcamp
  – Community wiki, webinars, CIPtionary, HipChat
  – www.energysec.org

• NERC CIP V5 Transition webpage
  – http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

• Western Interconnection Compliance Forum (WICF) – CIP Focus Group
  – Limited to entities in WECC region only
  – www.wicf.biz to register

Page 53:

Summary…

• Forget what you knew about CIP. Version 5 (and beyond) is a whole new world.

• CIP is much more complex than it seems on the surface.

• New focus on controls and reliability risk.

• Your NERC compliance organization needs your expertise.

• Don’t take the easy way out, it’s only going to get harder.

• Plan for the future, CIP will continue to evolve quickly.

Page 54:

Questions and Contact Info

Lisa Carrington
Regulatory Advisor
Arizona Public Service
(602) [email protected]