cip 5 - emmos

Wrestling With Compliance

CIP

5

EMMOS Users

Conference

September 14, 2016

2

You Have It All Figured Out… Right…

EMMOS Users Conference

September 14, 2016

3

Bam! That Just Happened!


September 14, 2016

4

Agenda

CIP Version 5 Potential Pinfalls

Risk-Based Compliance Monitoring


September 14, 2016

5

CIP-002-5.1: BES CYBER SYSTEM

CATEGORIZATION


September 14, 2016

6

Requirement Language


September 14, 2016

7

Potential Pinfall!

List/Inventory

• High impact BES Cyber Systems

• Medium impact BES Cyber Systems

• Each asset that contains a low impact BES Cyber System


September 14, 2016

8

Auditor Evidence R1


September 14, 2016

List/Inventory of all assets considered

• Control Centers and backup Control Centers

• Transmission stations and substations

• Generation resources

• Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements

• Special Protection Systems that support the reliable operation of the Bulk Electric System

• Distribution Providers and Protection Systems specified in Applicability section 4.2.1

9

Auditor Evidence 1.1, 1.2, 1.3

List/Inventory by asset

• Cyber Assets

• BES Cyber Assets

• BES Cyber Systems


September 14, 2016

10

Potential Pinfall!

Lessons Learned

• Generation Segmentation

• External Routable Connectivity

Standards Authorization Request Form (SAR)

• Cyber Asset and BES Cyber Asset (BCA) Definitions

• Network and Externally Accessible Devices

• Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations

• Virtualization

• LERC Definition


September 14, 2016

11

CIP-003-6: SECURITY

MANAGEMENT CONTROLS


September 14, 2016

12



September 14, 2016

13

Potential Pinfall!

The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities’ management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems.

The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.


September 14, 2016

14



September 14, 2016

15

Potential Pinfall!

The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.


September 14, 2016

16

Potential Pinfall!

An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.


September 14, 2016

17

Potential Pinfall!

Requirement Implementation Date

CIP-003-6; R1 July 1, 2016

CIP-003-6; Part 1.2 April 1, 2017

CIP-003-6; R2 April 1, 2017

CIP-003-6; R2, Attachment 1, Sec. 1 April 1, 2017

CIP-003-6; R2, Attachment 1, Sec. 2 September 1, 2018

CIP-003-6; R2, Attachment 1, Sec. 3 September 1, 2018

CIP-003-6; R2, Attachment 1, Sec. 4 April 1, 2017

CIP-003-6; R3 July 1, 2016

CIP-003-6; R4 July 1, 2016


September 14, 2016

18

Potential Pinfall!

Project 2016-02 Modifications to CIP Standards

• CIP-003-7

• LERC Definition


September 14, 2016

19

CIP-004-6: PERSONNEL & TRAINING


September 14, 2016

20



September 14, 2016

21

Potential Pinfall!


CIP-004-6; R2, Part 2.2 July 1, 2016

CIP-004-6; R2, Part 2.3 July 1, 2017


September 14, 2016

22



September 14, 2016

23

Potential Pinfall!


CIP-004-6; R3, Part 3.5 July 1, 2016 (or within 7 years of the

previous personnel risk assessment)


September 14, 2016

24



September 14, 2016

25

Potential Pinfall!

Authorize based on need

4.1.3

• Access to designated storage locations, whether physical or electronic, for BES Cyber System Information


September 14, 2016

26



September 14, 2016

27



September 14, 2016

28



September 14, 2016

29



September 14, 2016

30

Potential Pinfall!

● Guidelines and Technical Basis


September 14, 2016

31

Potential Pinfall!

Termination Action Date

• September 14, 2016, 1:25 PM

24 Hours (5.1)

• September 15, 2016,1:25 PM

• Unescorted physical access and Interactive Remote Access


September 14, 2016

32

Potential Pinfall!

Termination Action Effective Date

• September 14, 2016

End of Next Calendar Date (5.3)

• September 15, 2016, 11:59 PM

• Access to the designated storage locations for BES Cyber System Information, whether physical or electronic

30 Calendar Days (5.4, 5.5)

• October 14, 2016

• Non-shared user accounts

• Change password for shared account(s)

10 Calendar Days (5.5)

• October 23, 2016

• If Extenuating Operating Circumstances


September 14, 2016

33



September 14, 2016

34



September 14, 2016

35

Potential Pinfall!

Reassignment or Transfer


Effective Date


• No longer requires retention of that access

End of Next Calendar Day (5.2)

• September 20, 2016, 11:59 PM

• Electronic access to individual accounts and authorized unescorted physical access


September 14, 2016

36

Potential Pinfall!

Reassignment or Transfer

Effective Date


• No longer requires retention of that access


• October 18, 2016

• Change password for shared account(s)


• October 27, 2016

• If Extenuating Operating Circumstances


September 14, 2016

37

CIP-005-5: ELECTRONIC SECURITY

PERIMETER(S)


September 14, 2016

38



September 14, 2016

39



September 14, 2016

40

Potential Pinfall!

New Concepts

• IDS/IPS

• Intermediate System

• Performs access control

• Restricts Interactive Remote Access to only authorized users

• Not located inside the ESP

• Interactive Remote Access

• User-initiated by a person…


September 14, 2016

41

CIP-006-6: PHYSICAL SECURITY OF

BES CYBER SYSTEMS


September 14, 2016

42



September 14, 2016

43



September 14, 2016

44



September 14, 2016

45

Potential Pinfall!

● The entity has designated the large room

with the EMS workstations, which also

contains the smaller data center, as its

PSP.

● Physical access granted to the PSP:

Control Center operators

Control Center managers and supervisors

IT Group

Custodial staff


September 14, 2016

46

Potential Pinfall!


September 14, 2016

Medium Impact

BCS

Medium Impact

BCS

High Impact

BCS

Medium Impact

BCS

A B

47



September 14, 2016

48

Potential Pinfall!


September 14, 2016

For new high or medium impact BES Cyber Systems at Control Centers identified by CIP-002-5.1 which were not identified as Critical Cyber Assets in CIP Version 3, Registered Entities shall not be required to comply with Reliability Standard CIP-006-6, Requirement R1, Part 1.10 until nine calendar months after the effective date of Reliability Standard CIP-006-6.

49

CIP-007-6: SYSTEM SECURITY

MANAGEMENT


September 14, 2016

50



September 14, 2016

51

Potential Pinfall!

Guidelines and Technical Basis

• This requirement is most often accomplished by disabling the corresponding service or program that is listening on the port or configuration settings within the Cyber Asset.


September 14, 2016

52



September 14, 2016

53

Potential Pinfall!

Measure

• An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.


September 14, 2016

54



September 14, 2016

55

Potential Pinfall!


CIP-007-6; R2, Part 2.2 July 1, 2016


September 14, 2016

56

Potential Pinfall!


• Responsible Entities are to perform an assessment of security related patches within 35 days of release from their monitored source.


September 14, 2016

57



September 14, 2016

58

Potential Pinfall!


CIP-007-6; R5, Part 5.7 July 1, 2016


September 14, 2016

59

Potential Pinfall!


September 14, 2016

CIP-007-3

• R5

• Account Management - The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

• R5.3.3

• Each password shall be changed at least annually, or more frequently based on risk.

60

CIP-008-5: INCIDENT REPORTING

AND RESPONSE PLANNING


September 14, 2016

61



September 14, 2016

62

Potential Pinfall!

● EOP-004-2


September 14, 2016

63

Potential Pinfall!


September 14, 2016

64

CIP-009-6: RECOVERY PLANS FOR

BES CYBER SYSTEMS


September 14, 2016

65



September 14, 2016

66



September 14, 2016

67



September 14, 2016

68

Potential Pinfall!


• The term recovery plan is used throughout this Reliability Standard to refer to a documented set of instructions and resources needed to recover reliability functions performed by BES Cyber Systems. The recovery plan may exist as part of a larger business continuity or disaster recovery plan, but the term does not imply any additional obligations associated with those disciplines outside of the Requirements.


September 14, 2016

69

CIP-010-2: CONFIGURATION CHANGE

MANAGEMENT AND VULNERABILITY

ASSESSMENTS


September 14, 2016

70



September 14, 2016

71

Potential Pinfall!


• Custom software installed may include scripts developed for local entity functions or other custom software developed for a specific task or function for the entity’s use.


September 14, 2016

72



September 14, 2016

73

Potential Pinfall!

• Transmitting, Transferring Executable

Code

• BES Cyber System, Protected Cyber Asset (PCA)

NOT


September 14, 2016

74

Potential Pinfall!


September 14, 2016

30 consecutive calendar days or less

Directly connected within ESP

• BES Cyber Asset, Network, PCA

Directly connected using:

• Ethernet, USB, Wireless, Near Field, Bluetooth

Used for:

• Data Transfer, Vulnerability Assessment, Maintenance, Troubleshooting

75

Potential Pinfall!

Storage Media

Removable Media


September 14, 2016

76

Potential Pinfall!


September 14, 2016

• Cyber Assets NOT

• Capable of transferring executable code ARE

• Be used to store, copy, move, or access data CAN • Directly connected for 30 consecutive calendar days or

less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset ARE

77

CIP-011-2: INFORMATION

PROTECTION


September 14, 2016

78



September 14, 2016

79



September 14, 2016

80

Potential Pinfall!


September 14, 2016

81

MISCELLANEOUS


September 14, 2016

82

Potential Pinfall!

Electronic Access Control or Monitoring Systems

• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.


September 14, 2016

83

Potential Pinfall!

Protected Cyber Assets

• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP.


September 14, 2016

84

RISK-BASED COMPLIANCE

MONITORING


September 14, 2016

85

Risk-based CMEP Overview


September 14, 2016

86

What is Risk-based Compliance?

• Customizable to individual entities

• Forward-looking

• Focused on reliability risks

• Incorporates internal controls

An approach to compliance that is:


September 14, 2016

87

What is Risk-based Compliance?


September 14, 2016

88

Risk-based CMEP Framework


September 14, 2016

En

tity

Co

mp

lian

ce

Overs

igh

t P

lan

CMEP

Tools

I

C

E

I

R

A

Initial Scope Risk

Elements

Scope Focus

Inherent Risk

Assessment

Internal Controls

Evaluation

Oversight

Tool Selection

• Registered Entity Functions

• ERO & Regional Characteristics

• Events

• RISC

Input Input

Scope and Focus for Entities

not participating in ICE

89

Risk Elements

Identification and prioritization of continent-wide and region-specific risks

Applicable North American Electric Reliability Corporation (NERC) Reliability Standards and Requirements are identified for each individual Risk Element

As new risks emerge, Risk Elements can be created or modified


September 14, 2016

90

Critical Infrastructure Protection Risk Element

• Detailed explanation in 2016 CMEP IP

• Remains in 2017 CMEP IP

ERO Risk Element

• System Downtime

• Unauthorized Access

• Corruption of Operational Data

3 Areas of Focus


September 14, 2016

http://www.nerc.com/pa/comp/Reliability Assurance Initiative/2016 CMEP IP_v_2 5_071116_POSTED.pdf

91

CIP Risk Element


September 14, 2016

92

Inherent Risk Assessments

Identify inherent risks posed by an individual entity to the bulk power system (BPS)

Enables CEAs to focus on areas of risk specific to individual entities

Provides more focused approach to compliance oversight

Refines scope of NERC Reliability Standards and Requirements for a compliance engagement


September 14, 2016

93

ERO Common Core CIP Risk Factors

Risk Factor

CRITERIA

RISK LEVEL

LOW MEDIUM HIGH

CIP - Control Center Influence

Entity has Control Center(s)

Entity has GOP control centers containing medium-impact BCS(s)

– or –

Entity has control centers containing medium-impact BCS(s) with control

of more than 15 BES RTUs/PLCs

Entity has high-impact BCS(s)

– or –

Entity has control centers containing medium-impact BCS(s) with control

of more than 40 BES RTUs/PLCs

CIP - Connectivity Entity has low-impact BCSs Entity has low-impact BCSs with at

least one ICCP connection or LERC or medium-impact BCSs

Entity has medium impact BCSs with at least one ICCP connection or high-

impact BCSs


September 14, 2016

94

Internal Controls Evaluation

Identifies key controls and

their effectiveness

Controls identify,

assess, and/or correct

noncompliance with NERC Reliability

Standards and increase reliability

Further refines scope of NERC

Reliability Standards and Requirements

for an engagement


September 14, 2016

95

Oversight Plan/CMEP Tools

Determines the type of compliance engagement activities

• CEAs could engage an entity once every few years

• CEAs could engage an entity multiple times a year

Frequency is dictated by risk based compliance process

• Off-site or on-site audits

• Spot Checks

• Self-certifications

CEAs may utilize a combination of CMEP tools


September 14, 2016

96

Preliminary CIP Scopes

Standard Low BCS Medium BCS High BCS

CIP-002-5.1 R1, R2 R1, R2 R1, R2

CIP-003-6 R1, R2, R3, R4 R1, R3, R4 R1, R3, R4

CIP-004-6 R1, R2, R3, R4, R5 R1, R2, R3, R4, R5

CIP-005-5 R1, R2 R1, R2

CIP-006-6 R1, R2, R3 R1, R2, R3

CIP-007-6 R1, R2, R3, R4, R5 R1, R2, R3, R4, R5

CIP-008-5 R1, R2, R3 R1, R2, R3

CIP-009-6 R1, R2, R3 R1, R2, R3

CIP-010-2 R1, R3, R4 R1, R2, R3, R4

CIP-011-2 R1, R2 R1, R2


September 14, 2016

97

Contact Information

Kenath Carver

Compliance Team Lead

(512) 583-4963

[email protected]

[email protected]

Brent Read

Manager, Risk Assessment

(512) 583-4916

[email protected]


September 14, 2016

mailto:[email protected]



98

Questions?


September 14, 2016

cip 5 - emmos

Documents