Bryan J. Carr, PMP, CISA, Compliance Auditor, Cyber Security. CIP-004-5 Personnel & Training. May 14, 2014, CIP v5 Roadshow – Salt Lake City, UT


Page 1: Title slide

Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-004-5 Personnel & Training
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT

Page 2: Agenda

• Applicability
• Implementation
• CIP-004-5 R1-R5
  o Overview
  o Audit Approach
  o Tips

Page 3: Compliance is like an onion…

Positives:
  o Important ingredient in the stew of reliability
  o Adds flavor to an organization
  o Improves overall health of the BES
  o Peel back layers of evidence

Negatives:
  o It stinks
  o Makes people cry
  o Known to aggravate certain medical conditions
  o Causes indigestion
  o Can be dry
  o Known to cause shock

Page 4: Goal

Communicate WECC’s audit approach for each Requirement of CIP-004-5

Page 5: CIP-004-5 Purpose

“To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.”

Page 6: Policy, Program, Process, Procedure…

Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.

Page 7: CIP-004-5 Extreme Acronyms

• HIBESCS
• MIBESCS
• HIBESCSATAEACMSAPACS
• HIBESCSATAEACMS
• MIBESCSWERCATAEACMSAPACS

Page 8: CIP-004-5 Applicability

• HIBESCS
  o High Impact BES Cyber Systems (R1)
• MIBESCS
  o Medium Impact BES Cyber Systems (R1)
• HIBESCSATAEACMSAPACS
  o High Impact BES Cyber Systems and their associated EACMS and PACS (R2-R5 except 5.5)
• HIBESCSATAEACMS
  o High Impact BES Cyber Systems and their associated EACMS (Part 5.5 only)
• MIBESCSWERCATAEACMSAPACS
  o Medium Impact BES Cyber Systems with external routable connectivity and their associated EACMS and PACS (R2-R5 except 5.5)

Page 9: CIP-004-5 Implementation

• By April 1, 2016
  o CIP-004-5 R1-R5 except as noted below…
• On or before July 1, 2016:
  o CIP-004-5, R4, Part 4.2
• On or before April 1, 2017:
  o CIP-004-5, R2, Part 2.3
  o CIP-004-5, R4, Part 4.3, Part 4.4
• Within 7 years after last PRA performed:
  o CIP-004-5, Requirement R3, Part 3.5

Page 10: CIP-004-5 R1 Overview

• Security Awareness Program
  o Reinforce cyber (and physical) security practices
  o Once each calendar quarter
• High & Medium BESCS

Page 11: CIP-004-5 R1 Audit Approach

• Documented process covering all of R1
• Quarterly reinforcement
• Evidence demonstrating:
  o Content
  o Delivery method

Page 12: CIP-004-5 R1 Tips

• Informational program reinforcing logical and physical security practices
• Strong awareness programs leverage various content and content delivery methods
• R1 applies to High and Medium BES Cyber Systems

Page 13: CIP-004-5 R2 Overview

• Cyber security training specific to roles, functions, responsibilities
  o Training content specified in 2.1.1 – 2.1.9
  o Train PRIOR to granting access
  o Refresh annually (at least 1x/15 months)
• High & Medium (w/ERC) BESCS + EACMS + PACS

Page 14: Training

Page 15: CIP-004-5 R2 Audit Approach

• Documented role-based training programs
  o e.g. Sys Admin vs. Operator vs. Security Guard
• Does training cover 2.1.1 – 2.1.9?
• Validate training prior to access
  o Compare dates
• Validate annual refresh
• Review controls in place to ensure timely delivery of training and annual refreshers

Page 16: CIP-004-5 R2 Tips

• You have flexibility to develop customized/personalized training program(s)
• Don’t get too granular with role-based training
• Not intended to be technical training
• CIP Exceptional Circumstances – consider how it applies to your organization

Page 17: Quiz Time!!

• All programs and policies specified throughout CIP-004-5 require CIP Senior Manager approval.

Answer: False

Page 18: CIP-004-5 R3 Overview

• Personnel risk assessment
  o Confirm identity
  o 7-year criminal history check
  o Process & criteria to evaluate results
  o PRAs for contractors & vendors
  o Renewal process

Page 19: Personnel Risk Assessment

Page 20: CIP-004-5 R3 Audit Approach

• Documented PRA process – does it include:
  o Identity validation
  o 7-year criminal history
  o Supporting documentation if 7 years cannot be completed
  o Evaluation of results
• Tracking PRA dates - initial & renewal
• Evaluate controls in place to ensure timely completion, renewal, and tracking of PRAs

Page 21: CIP-004-5 R3 Tips

• Criteria or process to evaluate criminal history (3.3) is NEW – clearly identify criteria or evaluation process & associated outputs
• Check that PRA dates are PRIOR to access granted dates
• Be prepared to request PRA evidence from vendors & contractors
• PRAs performed for v3 don’t need to be re-done for v5
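The date comparisons the R2 and R3 audit approaches describe (training completed before access, refresh at least once every 15 months, PRA dated before the access grant, PRA renewed within 7 years per Part 3.5) can be run mechanically over a tracking list. The following is an added example, not code from the deck or from WECC; the record layout (one entry per individual with an access grant date and lists of training and PRA completion dates) is an assumption, and the three sample records are constructed.

```python
from datetime import date

def add_months(d, months):
    """Shift a date forward by whole months, clamping to the end of the target month."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    leap = (y % 4 == 0 and y % 100 != 0) or y % 400 == 0
    last = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][m - 1]
    return date(y, m, min(d.day, last))

def audit_record(rec, as_of):
    """Return (check, detail) findings for one individual as of the audit date."""
    findings = []
    granted = rec["access_granted"]
    training, pra = sorted(rec["training"]), sorted(rec["pra"])
    # R2: the first training completion must be dated on or before the access grant.
    if not training or training[0] > granted:
        findings.append(("train-before-access", f"{rec['id']}: no training on or before {granted}"))
    # R2: each refresh within 15 calendar months of the previous completion,
    # and the latest completion not older than 15 months at the audit date.
    for prev, nxt in zip(training, training[1:] + [as_of]):
        if nxt > add_months(prev, 15):
            findings.append(("refresh-15mo", f"{rec['id']}: refresh was due by {add_months(prev, 15)}"))
    # R3: a PRA must be dated on or before the access grant.
    if not pra or pra[0] > granted:
        findings.append(("pra-before-access", f"{rec['id']}: no PRA on or before {granted}"))
    # R3 Part 3.5: PRA renewed within 7 years (84 months) of the previous one.
    for prev, nxt in zip(pra, pra[1:] + [as_of]):
        if nxt > add_months(prev, 84):
            findings.append(("pra-7yr", f"{rec['id']}: PRA renewal was due by {add_months(prev, 84)}"))
    return findings

def audit_all(records, as_of):
    """Map each individual id to its findings; an empty list means nothing to flag."""
    return {rec["id"]: audit_record(rec, as_of) for rec in records}

# Constructed sample records (not from the deck): access grant date, training
# completion dates and PRA completion dates for three individuals.
AS_OF = date(2014, 5, 14)
RECORDS = [
    {"id": "u1", "access_granted": date(2014, 3, 1),
     "training": [date(2014, 2, 10)], "pra": [date(2013, 9, 5)]},
    {"id": "u2", "access_granted": date(2014, 1, 31),           # trained after access
     "training": [date(2014, 2, 5)], "pra": [date(2014, 1, 15)]},
    {"id": "u3", "access_granted": date(2011, 1, 10),           # refresh lapsed, then overdue
     "training": [date(2011, 1, 3), date(2012, 6, 1)], "pra": [date(2010, 12, 1)]},
]
```

Each finding names the check that failed and the date by which the action was due, which is the same comparison an auditor makes by hand when "comparing dates".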

Page 22: CIP-004-5 R4 Overview

• Access Management Program
  o Access authorization process covering:
    - Cyber
    - Physical
    - BES Cyber System Information
  o Quarterly verification of authorization
  o Annual verification of:
    - Privileges to BES Cyber Systems
    - Access to BES Cyber System Information

Page 23: Access Management

Page 24: CIP-004-5 R4 Audit Approach

• Documented access management program – does it address all aspects of 4.1 – 4.4, including deliverables?
• Validate quarterly & annual reviews
• Validate access grants against system records
• Evaluate controls related to access list maintenance, and quarterly & annual reviews

Page 25: CIP-004-5 R4 Tips

• Quarterly reviews = compare individuals actually provisioned against authorization records
• Annual review = more detailed to ensure least privilege is enabled
• Work towards evolving beyond spreadsheets and paper forms
• Continue tracking individuals and their role-based access rights
• Consider separation of duties: provisioner vs. reviewer
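The R4 audit approach and tips above amount to three reconciliations: the quarterly comparison of who is provisioned against the authorization records, the annual least-privilege comparison of granted privileges against authorized ones, and the separation-of-duties check between provisioner and reviewer. Here they are as an added example (not code from the deck or WECC); the two dictionaries and the ticket list are constructed sample data, and the idea that each grant is backed by a change ticket naming a provisioner and a reviewer is an assumption.

```python
# Constructed sample data (not from the deck): the access program's authorization
# records versus an account export pulled directly from the BES Cyber System.
AUTHORIZED = {            # user -> privileges approved through the authorization process
    "alice": {"read", "operate"},
    "bob": {"read"},
    "carol": {"read", "admin"},
}
PROVISIONED = {           # user -> privileges actually present in the system export
    "alice": {"read", "operate"},
    "bob": {"read", "admin"},    # holds more than was authorized
    "dave": {"read"},            # no authorization record at all
}
TICKETS = [               # change tickets behind each grant: who did and who checked the work
    {"ticket": "CHG-1", "user": "alice", "provisioner": "ops1", "reviewer": "sec1"},
    {"ticket": "CHG-2", "user": "bob", "provisioner": "ops2", "reviewer": "ops2"},
]

def quarterly_review(authorized, provisioned):
    """Quarterly verification: individuals provisioned without an authorization record,
    and authorization records with no matching account (stale entries)."""
    return {
        "provisioned_not_authorized": sorted(set(provisioned) - set(authorized)),
        "authorized_not_provisioned": sorted(set(authorized) - set(provisioned)),
    }

def annual_review(authorized, provisioned):
    """Annual verification: for each provisioned user, privileges beyond those authorized
    (the least-privilege check; every privilege of an unauthorized user is excess)."""
    excess = {}
    for user, privs in provisioned.items():
        extra = privs - authorized.get(user, set())
        if extra:
            excess[user] = sorted(extra)
    return excess

def separation_of_duties(tickets):
    """Tickets where one person both provisioned and reviewed the grant."""
    return [t["ticket"] for t in tickets if t["provisioner"] == t["reviewer"]]
```

The quarterly output is the list of names to chase; the annual output is the privilege-level detail the slide calls "more detailed".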

Page 26: CIP-004-5 R5 Overview

• Documented access revocation process
  o Terminations
    - Initiate removal of ability for physical and interactive remote access immediately and complete w/in 24 hours
    - Revoke logical/physical access to designated storage locations by end of next calendar day
    - Revoke non-shared user accounts w/in 30 days
    - Change shared account passwords w/in 30 days
  o Transfers/Reassignments
    - Revoke logical & physical access by end of next business day
    - Change shared account passwords w/in 30 days

Page 27: Access Revocation

Page 28: CIP-004-5 R5 Audit Approach

• Processes for terminations and transfers/reassignments
• Do the processes cover everything in 5.1 through 5.5?
• Do your processes point to procedures detailing how each action is carried out?
• Proof of performance: records, lists, screenshots, tickets, emails, system reports, forms, etc.

Page 29: CIP-004-5 R5 Tips

• Define start trigger for termination/transfer process
• Read Part 5.1 carefully – deliberate wording. Document how you define ability to access
• NEW – designated storage locations, whether physical or electronic, for BES Cyber System Information – identify and document
• NEW – extenuating operating circumstances (changing shared account passwords 5.5) – define, document, and track
• Part 5.5 only applies to High Impact BES CA and associated EACMS
• Workflow diagrams are an auditor’s best friend
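Once the start trigger is defined, every R5 deadline in the overview follows from it: 24 hours, end of next calendar day, end of next business day, and 30 days. The example below (added here, not code from the deck or WECC) computes those deadlines from a trigger timestamp and compares them with the completion times recorded in tickets or logs, which is the "proof of performance" comparison an auditor makes. The action names, the holiday handling for "next business day", and the sample trigger and completion times are assumptions and constructed data.

```python
from datetime import date, datetime, time, timedelta

def end_of_next_calendar_day(trigger):
    """23:59:59 on the calendar day following the trigger."""
    return datetime.combine(trigger.date() + timedelta(days=1), time(23, 59, 59))

def end_of_next_business_day(trigger, holidays=()):
    """23:59:59 on the next Monday-Friday after the trigger that is not a listed holiday."""
    day = trigger.date() + timedelta(days=1)
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return datetime.combine(day, time(23, 59, 59))

def revocation_deadlines(trigger, event, holidays=()):
    """Deadline for each Part 5 action, counted from the documented start trigger."""
    thirty_days = trigger + timedelta(days=30)
    if event == "termination":
        return {
            "remove_physical_and_remote_access": trigger + timedelta(hours=24),
            "revoke_storage_location_access": end_of_next_calendar_day(trigger),
            "revoke_nonshared_accounts": thirty_days,
            "change_shared_passwords": thirty_days,
        }
    if event == "transfer":
        return {
            "revoke_logical_and_physical_access": end_of_next_business_day(trigger, holidays),
            "change_shared_passwords": thirty_days,
        }
    raise ValueError(f"unknown event type: {event}")

def late_or_missing(deadlines, completed):
    """Compare completion timestamps (tickets, logs, screenshots) against each deadline."""
    return {action: {"due": due, "completed": completed.get(action)}
            for action, due in deadlines.items()
            if completed.get(action) is None or completed[action] > due}

# Constructed sample (not from the deck): HR notified the process owner on a Friday afternoon.
TRIGGER = datetime(2014, 5, 16, 15, 30)
TRANSFER_TRIGGER = datetime(2014, 5, 23, 15, 30)   # Friday before a Monday holiday
HOLIDAYS = {date(2014, 5, 26)}
COMPLETED = {
    "remove_physical_and_remote_access": datetime(2014, 5, 17, 10, 0),
    "revoke_storage_location_access": datetime(2014, 5, 18, 9, 0),   # after end of next calendar day
    "revoke_nonshared_accounts": datetime(2014, 6, 1, 12, 0),
    # change_shared_passwords: no evidence recorded yet
}

if __name__ == "__main__":
    for action, info in late_or_missing(revocation_deadlines(TRIGGER, "termination"), COMPLETED).items():
        print(action, "due", info["due"], "completed", info["completed"])
```

A Friday trigger shows why the calendar-day and business-day wording differs: storage-location access is due Saturday night, while a transfer's access revocation is due Monday night (or later if Monday is a holiday).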

Page 31: Questions?

Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
[email protected]