Bryan Carr PMP, CISA Compliance Auditor – Cyber Security
TFEs – Soup to Nuts CIP 101 – Salt Lake City, UT
September 24, 2013
About Me
• Joined WECC in August 2012
• Before WECC – CIP Compliance Program Manager at PacifiCorp
• Prior years' experience in project and program management
Topics for Today
• TFEs – A Comprehensive History
• Current (New) TFE Process Overview
• TFE Scenarios & Pointers
• CIP v5 and TFEs
A.C.R.O.N.Y.M.S.
• TFE – Technical Feasibility Exception
• ROP – NERC Rules of Procedure
• EMS – Energy Management System
• DCS – Distributed Control System
• SCADA – Seriously?
TFEs – Why?
• Phrases used in the Standards:
o “…where technically feasible…”
o “…due to technical limitations…”
• FERC Order 706 – January 18, 2008
o ‘technically feasible’ and ‘technical feasibility’ appear ~185 times throughout Order 706 (includes comments and references)
o TFE process developed by NERC and proposed as Appendix 4D to the Rules of Procedure
Exception from…
“A TFE does not relieve the Responsible Entity of its obligation to comply with the Applicable Requirement. Rather, a TFE authorizes an alternative (to Strict Compliance) means of compliance with the Applicable Requirement through the use of compensating measures and/or mitigating measures that achieve at least a comparable level of security for the Bulk Electric System as would Strict Compliance with the Applicable Requirement.” (Appendix 4D, Section 3.2)
How many Requirements allow TFEs?
According to Appendix 4D – 14
TFEs – Where?
Appendix 4D – Section 1.3 Scope
• CIP-005 R2.4 – Technical/procedural controls for external interactive access
• CIP-005 R2.6 – Appropriate use banner (Paragraph 81)
• CIP-005 R3.1 – Monitoring for dial-up CCAs
• CIP-005 R3.2 – Detect and alert for unauthorized access attempts
• CIP-006 R1.1* – Completely enclosed six-wall border
• CIP-007 R2.3 – Disabling unused ports/services
• CIP-007 R3* – (R3.2) Implementation of security patches
• CIP-007 R4 – Anti-virus/malware software
• CIP-007 R5.3 – Passwords
• CIP-007 R5.3.1 – Password length
• CIP-007 R5.3.2 – Password complexity
• CIP-007 R5.3.3 – Password expiration
• CIP-007 R6 – Monitor system events (logging)
• CIP-007 R6.3 – Maintain logs of system events
*Does not use “technically feasible” or “technical limitations” language; BOLD indicates most common TFEs requested
TFE Scenario 1
• Your EMS network has 15 switches and 3 routers, none of which support installation of anti-virus software.
• Is a TFE allowed/required? Yes
• Standard(s) & Requirement(s)? CIP-007 R4
• How many TFEs? 1
TFE Scenario 2
• Your plant DCS has 5 controllers that do not support or enforce six-character complex passwords; in fact, they don’t support passwords at all.
• Is a TFE allowed/required? Yes
• Standard(s) & Requirement(s)? CIP-007 R5.3
• How many TFEs? 1
TFE Scenario 3
• TCP ports 22, 161, and 1080 are open on five workstations, three network switches, and seven relays. Vendor states that these ports are not required for normal or emergency operation, but cannot be disabled due to system instability concerns.
• TFE allowed/required? Yes
• What Standard(s) & Requirement(s)? CIP-007 R2.3
• How many TFEs? 3
TFEs – In Transition
• New process = current process
• FERC recently (Sep 3, 2013) approved proposed revisions to Appendix 4D
• PLEASE read, re-read, and read again current Appendix 4D (Effective: September 3, 2013)
• Use current (new) process starting November 1, 2013
• WECC is working to develop processes using available tools – webCDMS, etc.
New TFE Process Highlights
• No Part A or Part B
• No quarterly or annual reports
• Expedited review and approval process
• Four device categories: Network, Server/Workstation, Relay, Other
• Emphasis placed on annual Self-Certification and verification at audit
How many active TFEs in the WECC region?
1,292
Basis for Approval
Section 3.0
• Not technically feasible*
• Operationally infeasible/adverse effect*
• Cannot be achieved by compliance date
• Safety risks
• Conflict with other statute or regulation
• Incur excessive cost
*Most common basis for TFE request
Device Types/Categories
Section 4.1
• Relay
o Protection, differential, line, etc.
• Workstation/Server
• Network/Communications
o Switch, router, firewall, protocol converter, etc.
• Other
o Time clock, printer, controller, etc.
Know Your Environment
• Device/installation manuals
• Other vendor/manufacturer information
• Trust but verify, because we will
TFE Request
Two Possibilities:
1. New TFE request (Initial Submission)
2. Material Change Request/Report
Material Change
• “A change in facts that modifies Required Information in connection with an approved TFE. Examples of a Material Change could include, but are not limited to an increase in device count (but not a decrease), change in compensating measures, change in statement of basis for approval for the TFE, a change in the expiration date of the TFE, or a Responsible Entity achieving Strict Compliance with the Applicable Requirement.” (Appendix 4D, Section 2.17)
Material Change Report (MCR)
• New term introduced: Material Change Report
• Defined as: “A report submitted by the Responsible Entity to the Regional Entity in the event there is a Material Change to the facts underlying an approved TFE – pursuant to Section 4.0.” (proposed Appendix 4D, Section 2.18)
• Think…amendment
Material Change Report
• Timing of MCR Submission?
o No specific timelines were initially outlined in the revised Appendix 4D; however, the current proposal (in response to a FERC request) is to require an MCR “…within thirty (30) days of identification or discovery of the Material Change.” (Section 6.5)
o General Rule: Upon being placed into production as a CCA, EACM, non-CCA in the ESP, or PACS, device(s) must either (a) be strictly compliant with all Standards & Requirements, or (b) have the necessary TFE(s) filed as allowed by the Standard/Appendix 4D.
Information to Track
• 15 fields = Required Information
o Category (asset class)
o Device ID (entity defined – hostname or other unique identifier)
o Physical location of device (i.e. name of Critical Asset)
o Actual or estimated date on which device is placed into production
o Proposed TFE expiration date (if any)
o Actual TFE expiration date (if any)
o CIP Standard
o CIP Requirement
o Has the TFE been filed with other Regions
o Basis for approval (not technically possible, etc.)
o Compensating/mitigating measures
o Completion date of compensating/mitigating measures
o TFE related to self-cert or self-report
o Has this TFE been previously approved
o TFE ID of previously approved TFE
OATI webCDMS Changes
• webCDMS will be modified to include necessary fields for MCRs/new TFEs
• Spreadsheet is an example to show necessary fields
What about existing TFEs?
• All accepted, approved, and amended TFEs will stay as is through the transition period
o Any TFEs pending approval, acceptance or amendment will be reviewed by WECC as usual and final disposition determined.
o Once fully approved, no further action unless Material Changes are necessary, then (after Nov. 1) the new process is followed.
CIP v5 and TFEs
• How many requirements allow/require TFEs in CIP v5?
• CIP v5 leverages “…per asset capability” verbiage to reduce the need for TFEs
• Drafting team didn’t intend for “where technically feasible” to automatically trigger the need for a TFE
At Your Service
• Just a phone call away
• Always willing to provide our “audit approach”
Questions?
Bryan Carr, PMP
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 819-7691
[email protected]