How to Balance NERC CIPv6 vs. CIPv5 Compliance
TRANSCRIPT
![Page 1: How to Balance NERC CIPv6 vs. CIPv5 Compliance](https://reader034.vdocument.in/reader034/viewer/2022051520/58ed98191a28ab8e598b46d7/html5/thumbnails/1.jpg)
How to Balance NERC CIPv6 vs. NERC CIPv5 Compliance
Page 2
Nick Santora, CEO (Twitter: @curricula)
Tim Erlin, Sr. Director, Product Management, Tripwire (Twitter: @terlin)
Page 3
Agenda
CIPv6 Changes
How CIPv6 Affects Your Personnel
Three Critical Steps to Take Before July
Q&A
Page 4
Changes in CIPv6
WORDS WORDS WORDS
Reading standards can be difficult
Page 5
Changes in CIPv6
• Low Impact Assets: CIP-003-6
• Transient Devices and Removable Media: CIP-004-6, CIP-010-2
• Logical Controls for Physical Security: CIP-006-6
• Identifies, assesses and corrects: CIP-004-6, CIP-007-6, CIP-009-6, CIP-011-2
Page 6
Changes in CIPv6 (continued): Low Impact Assets, CIP-003-6 Attachment 1 sections
• Cyber Security Awareness
• Physical Security Controls
• Electronic Access Controls
• Cyber Security Incident Response
Page 7
Changes in CIPv6 (continued): Low Impact Assets, CIP-003-6 Attachment 2
• Documentation for each of the four Attachment 1 sections (Cyber Security Awareness, Physical Security Controls, Electronic Access Controls, Cyber Security Incident Response)
Page 8
Changes in CIPv6 (continued): Transient Devices and Removable Media
If you use transient cyber assets and removable media…
…then you need a plan for:
• Transient Asset Management
• Transient Asset Authorization
• Vulnerability Mitigation
• Malicious Code Mitigation
• Unauthorized Use Mitigation
• Removable Media Authorization
• Removable Media Malicious Code Mitigation
Page 9
Changes in CIPv6 (continued): Transient Devices and Removable Media
…and training!
Effective date: now April 1st 2017
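An added example of what the Removable Media Authorization and Removable Media Malicious Code Mitigation plan elements on the two slides above can look like once they are automated. It is written for this page and is not code from the webinar, from Curricula or from Tripwire. It gates a device on two things before it may be connected to a BES Cyber System: an entry in an authorization register (user, purpose, expiry) and a recent clean-scan attestation from a separate scanning station, and it writes one JSON evidence line per decision. The register layout, the attestation layout, the 24-hour scan window, the device identifiers and the user names are all constructed assumptions for the example; CIP-010-2 specifies none of them.

```python
"""Removable-media gate: authorization check + scan-recency check + evidence log.

Added example for this page; not from the webinar, Curricula or Tripwire.
All identifiers, users, dates and the 24-hour window are constructed assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import json

SCAN_MAX_AGE = timedelta(hours=24)  # assumed plan parameter, not from the standard
DEMO_TIME = datetime(2016, 5, 10, 9, 0, tzinfo=timezone.utc)  # constructed "now"


@dataclass(frozen=True)
class Device:
    vendor_id: str
    product_id: str
    serial: str

    @property
    def key(self) -> str:
        # Stable, case-insensitive identity used for register and scan lookups
        return f"{self.vendor_id}:{self.product_id}:{self.serial}".lower()


# Constructed authorization register: who may use which media, for what, until when.
REGISTER = {
    "0781:5583:4c530001230411113511": {
        "user": "jdoe", "purpose": "relay firmware transfer",
        "expires": "2017-06-30T00:00:00+00:00"},
    "0951:1666:e0d55ea5738a1234": {
        "user": "asmith", "purpose": "log collection",
        "expires": "2016-03-01T00:00:00+00:00"},
}

# Constructed scan attestations from a dedicated scanning station
# (a Cyber Asset other than the BES Cyber System the media will touch).
SCANS = {
    "0781:5583:4c530001230411113511": {
        "station": "kiosk-01", "scanned_at": "2016-05-10T07:15:00+00:00", "clean": True},
}


def evaluate(device, user, now, register=REGISTER, scans=SCANS):
    """Return (allowed, reasons). Every failed check adds a reason; allow only if none fail."""
    reasons = []
    entry = register.get(device.key)
    if entry is None:
        reasons.append("device not in authorization register")
    else:
        if entry["user"] != user:
            reasons.append(f"device authorized for {entry['user']}, not {user}")
        if datetime.fromisoformat(entry["expires"]) <= now:
            reasons.append("authorization expired")
    scan = scans.get(device.key)
    if scan is None:
        reasons.append("no malicious-code scan on record")
    else:
        age = now - datetime.fromisoformat(scan["scanned_at"])
        if not scan["clean"]:
            reasons.append("last scan detected malicious code")
        elif age > SCAN_MAX_AGE:
            reasons.append(f"last scan is {age} old (limit {SCAN_MAX_AGE})")
    return (not reasons), reasons


def evidence_record(device, user, now, allowed, reasons):
    """One JSON line per decision: the artifact an auditor asks to see."""
    return json.dumps({
        "timestamp": now.isoformat(),
        "device": asdict(device),
        "user": user,
        "decision": "ALLOW" if allowed else "DENY",
        "reasons": reasons,
    }, sort_keys=True)


def gate(device, user, now=None):
    """Evaluate the device and return (allowed, evidence_line)."""
    now = now or datetime.now(timezone.utc)
    allowed, reasons = evaluate(device, user, now)
    return allowed, evidence_record(device, user, now, allowed, reasons)


def demo(now=DEMO_TIME):
    """Run four constructed cases and return their allow/deny decisions in order."""
    cases = [
        (Device("0781", "5583", "4C530001230411113511"), "jdoe"),    # authorized, scanned 1h45m ago
        (Device("0781", "5583", "4C530001230411113511"), "asmith"),  # registered to another user
        (Device("0951", "1666", "E0D55EA5738A1234"), "asmith"),      # authorization expired, no scan
        (Device("abcd", "1234", "unknown"), "jdoe"),                  # never registered
    ]
    decisions = []
    for dev, user in cases:
        allowed, line = gate(dev, user, now)
        print(line)
        decisions.append(allowed)
    return decisions


if __name__ == "__main__":
    demo()
```

Running the script prints four evidence lines, one ALLOW and three DENYs with their reasons. Keeping the decision and its reasons in the same record is deliberate: a mock audit (Critical Step 1 later in the deck) is far easier when every connection attempt already carries the evidence of which plan element allowed or blocked it, and that is the kind of automation Critical Step 3 argues for.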
Page 10
Changes in CIPv6 (continued): Logical Controls for Physical Security
If you can’t implement the required physical controls, you can implement compensating logical controls:
• Encryption
• Monitoring
• “an equally effective logical control”
“The entity is under no obligation to justify or explain why it chose logical protections over physical protections identified in the requirement.”
Page 11
Changes in CIPv6 (continued): Identifies, assesses and corrects
FERC Order 791:
“[T]he Commission is concerned that the proposed language is overly-vague, lacking basic definition and guidance that is needed, for example, to distinguish a successful internal control program from one that is inadequate.”
Page 12
CIPv6 Compliance Dates: it’s not all about July 1st 2016

| Standard  | Requirement / Part     | Effective date       | Category              |
|-----------|------------------------|----------------------|-----------------------|
| CIP-003-6 | R1 Part 1.2            | 4/1/2017             | Low Impact Assets     |
| CIP-003-6 | R2                     | 4/1/2017             | Low Impact Assets     |
| CIP-003-6 | Attachment 1 Section 1 | 4/1/2017             | Low Impact Assets     |
| CIP-003-6 | Attachment 1 Section 2 | 9/1/2018             | Low Impact Assets     |
| CIP-003-6 | Attachment 1 Section 3 | 9/1/2018             | Low Impact Assets     |
| CIP-003-6 | Attachment 1 Section 4 | 4/1/2017             | Low Impact Assets     |
| CIP-006-6 | R1 Part 1.10           | 7/1/2016 or 4/1/2017 | Conditional Deadlines |
| CIP-007-6 | R1 Part 1.2            | 7/1/2016 or 4/1/2017 | Conditional Deadlines |
| CIP-010-2 | R4                     | 4/1/2017             | Transient/Removable   |
Page 13
How CIPv6 Affects Your Personnel
• Training program
• Awareness program
• Transient and Removable
• Risks to education
Page 14
Training Program
Page 15
What Is Required?
9 Objective Statements
Page 16
What Is Required?
Training Prior To Access
Page 17
What is Required?
Re-train Every CIP Year
Page 18
What Will Auditors Look For?
“Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.”
WECC Presentation
Page 19
Role Based Training
Page 20
Awareness Program
Page 21
Awareness Program
High and Medium | Low
Page 22
Transient and Removable
What Is Required?
Page 23
Transient and Removable
When?
Page 24
Transient and Removable
Why implement after training?
Page 25
Risks in Education
• “Not It”
• Million Dollar Filing Cabinet
Page 26
Three Critical Steps
NERC CIPv5 Preparation: April 1st
Page 27
FOUND TIME: April 1st to July 1st
Page 28
What should you do with the time remaining before the July deadline?
Page 29
Critical Step 1: Conduct a Mock Audit
There is no compliance without audit
• Identify areas of weakness in compliance or evidence.
• Establish responses for the actual audit
• Develop mitigation plans for non-compliance
Page 30
Critical Step 2: Review Your Training Programs
Page 31
Critical Step 3: Automate Or Die
Compliant Automated
Page 32
www.getcurricula.com www.tripwire.com
Page 33
tripwire.com | @TripwireInc
Q & A