Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security
WECC: Vancouver WA Office
CIP-002-5 Outreach Session
CIP v5 Roadshow
Salt Lake City
May 14-15, 2014
Speaker Intro: Dr. Joseph Baugh
• Over 40 years of Electrical Utility Experience
o Transmission Lineman
o NERC Certified System Operator
o IT Manager & Power Operations Manager
o 20 years Information Technology & IT Security Experience
o Project Manager & IT Program Manager
o PMP, CISA, CISSP, CRISC, CISM, NSA-IAM/IEM certs
• 20 years of Educational Experience
o Degrees earned: Ph.D., MBA, BS-Computer Science
o Academic & Technical Course Teaching Experience: Information Technology and IT Security; Business Strategy, Leadership, and Management; Project Management; PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
WECC Disclaimer
• The contents of this presentation represent sound practices based on WECC’s understanding of CIP-002-5.1, however:
o WECC neither provides prescriptive solutions nor endorses specific vendors, tools, or products for compliance with CIP Standards.
o The processes and applications discussed in this presentation represent one approach toward compliance efforts for CIP-002-5.1, but this is not the only possible method.
o WECC will not provide the actual spreadsheets used to explicate the processes described in this presentation to entities or other interested parties.
o Blind adherence to any process does not guarantee compliance.
o Each Registered Entity is responsible for demonstrating its compliance with CIP-002-5.1 in a manner befitting the entity’s registered functions and operational requirements relative to the reliability of the BES.
Agenda
• Definition of Terms
• Mapping CIP-002-x Compliance Evolution
• Review CIP-002-5.1
• CIP-002-5.1 Process Overview
• Breaking Down the Process Steps
o Demonstrating Compliance through Auditable Processes
• Questions
Definition of Terms - BES
• Current Bulk Electric System [BES] Definition
o Expires June 30, 2014
o As defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition (NERC, 2013 Nov, Glossary of Terms, p. 12).
Definition of Terms - BES
• New Bulk Electric System [BES] Definition
o Effective July 1, 2014
o Unless modified by the lists shown below [Emphasis Added], all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy (NERC, 2013 Nov, Glossary of Terms, pp. 13-20).
o New definition maps to an extensive list of Inclusions and Exclusions (NERC, 2014 April, BES Definition Reference Document, pp. 1-66).
Definition of Terms - IRC
• Impact Rating Criteria (CIP-002-5.1 – Attachment 1, pp. 14-16)
o 1. High Impact Rating (H): Each BES Cyber System used by and located at any of the following: (See IRC 1.1 – 1.4)
o 2. Medium Impact Rating (M): Each BES Cyber System, not included in Section 1 above, associated with any of the following: (See IRC 2.1 – 2.13)
o 3. Low Impact Rating (L): BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard: (See IRC 3.1 – 3.6)
Definition of Terms - BCA
• BES Cyber Asset (BCA) – Effective April 1, 2016
o A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.
o Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact.
o Each BES Cyber Asset is included in one or more BES Cyber Systems.
o (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.) (NERC, 2013 Nov, Glossary of Terms, p. 9).
Definition of Terms - BCS
• BES Cyber System (BCS) – Effective April 1, 2016
o One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity (NERC, 2013 Nov, Glossary of Terms, p. 10).
Definition of Terms - Reliability Tasks
• Reliability Tasks
o Identified in the NERC Functional Model as listed under the various Functions, “the Model provides the framework on which the NERC Reliability Standards are developed and applied. To ensure that this framework remains viable, the Model itself is governed by a set of “guiding principles” that define a Function's Tasks and establish the relationships between the functional entities which are responsible for meeting the requirements in the NERC Reliability Standards that correspond to these Tasks” (NERC, 2009 Nov, Functional Model v5, p. 11).
Definition of Terms - Reliability Tasks
• Reliability Tasks
o FERC also commented on reliability tasks in the CIPv5 Final Ruling, “we believe that the NERC Functional Model is the basis for the phrase “reliability task” while the Guidelines and Technical Basis section provides clarity on how the term applies to the CIP version 5 Standards” (FERC, 2013, Order 791: P. 156, p. 72774).
Definition of Terms - Reliability Tasks
• Reliability Tasks
o In order to identify BES Cyber Systems, Responsible Entities determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (NERC, 2013 Nov, CIP-002-5.1, p. 5).
Definition of Terms - BROS
• BES Reliability Operating Services (BROS)
o The concept of BES reliability operating service is useful in providing Responsible Entities with the option of a defined process for scoping those Systems that would be subject to CIP-002-5.1 (NERC, 2013 Nov, CIP-002-5.1, pp. 17-18).
o WECC recommends a good review of BROS details (NERC, 2013 Nov, CIP-002-5.1, pp. 18-22) relative to your specific Registered Functions prior to application of the IRC and subsequent BCS identification.
Definition of Terms - BROS
• The BROS “includes a number of named BES reliability operating services. These named services include” (NERC, 2013 Nov, CIP-002-5.1, p. 18):
o Dynamic Response to BES conditions
o Balancing Load and Generation
o Controlling Frequency (Real Power)
o Controlling Voltage (Reactive Power)
o Managing Constraints
o Monitoring & Control
o Restoration of BES
o Situational Awareness
o Inter-Entity Real-Time Coordination and Communication
Definition of Terms - BROS
• The BROS may provide guidance to determine which BCS are applicable to a specific Registered Function (NERC, 2013 Nov, CIP-002-5.1, p. 18).
CIP-002-x Compliance Evolution
The CIP-002-5.1 Compliance Model
CIP-002-5.1 – BES Cyber System Categorization
R1: Instead of identifying Critical Assets as in previous versions, the Responsible Entity must identify Facilities, systems, or equipment (see R1.i-R1.vi, p. 6 for assets that must be considered) that meet the Impact Rating Criteria [IRC] (CIP-002-5.1 Attachment 1, pp. 14-16) as high impact BCS (R1.1), medium impact BCS (R1.2), or low impact (R1.3) assets.
Using the lists of Facilities, systems, or equipment identified through the application of the IRC, the Responsible Entity must identify and categorize its BES Cyber Systems as high impact or medium impact. BES Cyber Systems not identified as high impact or medium impact default to low impact.
The new standard identifies BES Cyber Systems as a grouping of BES Cyber Assets because this allows entities to apply some requirements at a system level rather than at an individual asset level.
R2: Annual review (R2.1) and approval (R2.2) of the High and Medium BES Cyber System Lists (R1.1, R1.2) and the list of Low Impact BES Assets (R1.3).
The initial reviews and approval pursuant to R2 must occur on or before April 1, 2016 and must occur at least once every 15 calendar months after the initial review and approval.
CIP-002-5.1 Compliance Date
• Specific Version 5 CIP Cyber Security Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to, “. . . at least once every 15 calendar months . . .”, and responsible entities shall comply initially with those periodic requirements as follows (Implementation Plan, p. 2):
1. On or before the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements:
• CIP-002-5, Requirement R2: April 1, 2016
CIP-002-5.1: R1
• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
R1: …shall implement a process…
• Process: “a series of actions or operations conducing to an end.”
• Two schools of thought on the R1 process flow
• Top-down process first evaluates the inventory of BES Assets against the IRC
• Bottom-up process evaluates the inventory of BES Cyber Assets against the IRC
Top-Down Process Flow Chart Groups
Beginning the Process
• Start with inventory of BES Assets
• Which BES Definition?
• Apply the IRC to identify High- & Medium-Impact Facilities
• All other BES Assets and applicable Distribution Assets (IRC 3.6) default to Low-Impact
Deriving the R1.1-R1.3 Lists
• Start with your BES Assets as defined in R1.i-R1.v, plus Distribution Assets, if any, from R1.vi
o Apply a logical process to identify your High, Medium, and Low impact rated Facilities
o Applicable Distribution Protection Systems default to Low impact (IRC 3.6); add their host facilities to the Low Impact List (R1.3)
• Whichever methodology you ultimately use is up to each entity; however, be sure to document and review your considerations to ensure you have not let any BCA or BCS slip through the cracks.
High IRC (Control Centers)
Medium IRC (Control Centers)
What is Net Real Power Capability?
• Criterion 2.11 contains the term “aggregate highest rated net Real Power capability of the preceding 12 calendar months.”
• Also applicable to criterion 2.1 for generation resources.
• A best practice would be to use the calculation material found in the new MOD-025-2 standard (see NERC, 2014 March 20, MOD-025-2: Attachment 2, pp. 17-20), including this specific formula:
o “Net Real Power Capability (*MW) equals Gross Real Power Capability (*MW) minus Aux Real Power connected at the same bus (*MW) minus tertiary Real Power connected at the same bus (*MW)” (p. 19).
• The highest calculated value(s) for the preceding 12 calendar month period is/are acceptable as valid audit evidence for Criteria 2.1 and 2.11.
Low IRC (Control Centers)
R1.i: Example of Auditable Process
Medium IRC (Transmission)
Medium IRC (Transmission)
Medium IRC (Transmission)
Medium / Low IRC (Transmission)
R1.ii: Example of Auditable Process
Medium IRC (Generation)
Medium / Low IRC (Generation)
R1.iii-iv: Example of Auditable Process
Medium IRC (Protection Systems)
Low IRC (Protection Systems)
R1.v-vi: Example of Auditable Process
CIP-002-5.1: R1.1-R1.3
• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
R1: Identify and Document BCS
• Use list of High- & Medium-impact BES Assets
• Identify BCA associated with each BES Asset
• Logically group BCA into BCS
• Document BCS on R1.1 or R1.2 list, as appropriate
R1.1-R1.2: Identifying BCS
• Develop an auditable process to examine each High and Medium impact Facility
o Examine inventory of BCA at each Facility
o Consider reliability functions
o Group BCA into logical BCS
o Identify PCA, EACMS, and PACS
Process to Identify BCS
Consider Reliable Operation of the BES
• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).
• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).
Consider Real-Time Operations
• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).
• The 15-minute limitation will typically “result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets” (FERC, 2013, Order 791: P. 123, p. 72771).
Consider Ancillary BES Cyber Assets
• Protected Cyber Assets
o Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
o May also be lower impact BCA or BCS by virtue of the high-water mark (CIP-005-5, p. 14)
• Electronic Access Control or Monitoring Systems
o Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)
• Physical Access Control Systems
o Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6).
Identifying BES Cyber Assets
• Identify if the Cyber Asset meets the definition of BCA
• Check for length of installation
o If < 30 days, determine if the Cyber Asset is a transient device.
• Group into logical BCS with associated PCA
Grouping BCA into BCS
• Entity determines level of granularity of a BCS
o There may be one or more BCA within a given BCS
o Consider the BROS for your registrations
• In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the “BES Cyber System” term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term “BES Cyber System” is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts (CIP-002-5.1, 2013, p. 4)
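As an added illustration (not WECC's spreadsheets nor any NERC tooling), the top-down flow described on the preceding slides modelled in Python: the IRC rating of each BES Asset taken as an input, the BCA definition (15-minute window, redundancy disregarded, 30-consecutive-day transient exclusion), grouping of BCA into BCS by the reliability task they support, the MOD-025-2 net capability formula over the preceding 12 months, and the R2 initial-deadline and 15-calendar-month review check. The `reliability_task` grouping key, the ISO-date interface, the reading of "calendar months" and the sample inventory are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Values taken from the deck (CIP-002-5.1 and its Implementation Plan)
BCA_IMPACT_WINDOW_MINUTES = 15
TRANSIENT_MAX_DAYS = 30
TRANSIENT_PURPOSES = {"data transfer", "vulnerability assessment",
                      "maintenance", "troubleshooting"}
R2_INITIAL_DEADLINE = date(2016, 4, 1)
R2_MAX_CALENDAR_MONTHS = 15


@dataclass
class CyberAsset:
    name: str
    impact_minutes: Optional[int]     # minutes after loss/misuse until the BES is adversely affected; None = no impact
    reliability_task: str = ""        # BROS / Functional Model task supported (assumed grouping key)
    has_redundant_peer: bool = False  # recorded but deliberately ignored, see is_bes_cyber_asset
    days_connected: int = 365         # consecutive days connected inside the ESP
    purpose: str = "operations"


@dataclass
class BESAsset:
    name: str
    category: str    # which of R1.i-R1.vi the asset falls under
    irc_rating: str  # "high", "medium" or "low": result of applying Attachment 1, an input here
    cyber_assets: List[CyberAsset] = field(default_factory=list)


def is_bes_cyber_asset(ca: CyberAsset) -> bool:
    """BCA definition: adverse BES impact within 15 minutes, redundancy NOT considered;
    a device connected 30 consecutive days or less for a listed purpose is excluded."""
    if ca.days_connected <= TRANSIENT_MAX_DAYS and ca.purpose in TRANSIENT_PURPOSES:
        return False
    return ca.impact_minutes is not None and ca.impact_minutes <= BCA_IMPACT_WINDOW_MINUTES


def group_into_bcs(bcas: List[CyberAsset]) -> Dict[str, List[str]]:
    """Logically group BCA into BCS; the entity picks the granularity, here the
    reliability task each BCA supports is the grouping key."""
    groups: Dict[str, List[str]] = {}
    for ca in bcas:
        groups.setdefault(ca.reliability_task or "ungrouped", []).append(ca.name)
    return groups


def categorize(assets: List[BESAsset]) -> dict:
    """Top-down R1 flow: IRC rating of the BES Asset first, then BCA/BCS only at high
    (R1.1) and medium (R1.2) assets; all other assets go on the R1.3 low-impact asset
    list, for which no discrete BCS list is required."""
    out: dict = {"r1_1": {}, "r1_2": {}, "r1_3": []}
    for asset in assets:
        if asset.irc_rating in ("high", "medium"):
            bcas = [ca for ca in asset.cyber_assets if is_bes_cyber_asset(ca)]
            key = "r1_1" if asset.irc_rating == "high" else "r1_2"
            out[key][asset.name] = group_into_bcs(bcas)
        else:
            out["r1_3"].append(asset.name)
    return out


def net_real_power_capability_mw(gross_mw: float, aux_mw: float, tertiary_mw: float) -> float:
    """MOD-025-2 Attachment 2 formula quoted in the deck."""
    return gross_mw - aux_mw - tertiary_mw


def highest_net_capability_mw(monthly: List[tuple]) -> float:
    """Evidence value for criteria 2.1 / 2.11: highest net capability over the preceding
    12 calendar months, each month given as (gross, aux, tertiary) in MW."""
    if len(monthly) != 12:
        raise ValueError("need exactly 12 calendar months of readings")
    return max(net_real_power_capability_mw(*m) for m in monthly)


def r2_review_is_timely(previous: Optional[str], current: str) -> bool:
    """R2: initial review/approval on or before April 1, 2016, then at least once every
    15 calendar months. ISO date strings. Assumed reading of 'calendar months': month
    boundaries crossed, so a review after 2016-03-15 is timely through 2017-06-30."""
    cur = date.fromisoformat(current)
    if previous is None:
        return cur <= R2_INITIAL_DEADLINE
    prev = date.fromisoformat(previous)
    months = (cur.year - prev.year) * 12 + (cur.month - prev.month)
    return months <= R2_MAX_CALENDAR_MONTHS


# Constructed sample inventory (fictional assets, not from the deck)
SAMPLE_INVENTORY = [
    BESAsset("Primary Control Center", "R1.i", "high", [
        CyberAsset("EMS server A", 1, "Monitoring & Control", has_redundant_peer=True),
        CyberAsset("EMS server B", 1, "Monitoring & Control", has_redundant_peer=True),
        CyberAsset("ICCP gateway", 5, "Inter-Entity Real-Time Coordination and Communication"),
        CyberAsset("Scanner laptop", 1, "Monitoring & Control",
                   days_connected=3, purpose="vulnerability assessment"),
        CyberAsset("Planning workstation", None),  # no 15-minute BES impact
    ]),
    BESAsset("Substation West 230 kV", "R1.ii", "medium", [
        CyberAsset("Line relay IED", 0, "Dynamic Response to BES conditions"),
        CyberAsset("RTU", 2, "Monitoring & Control"),
    ]),
    BESAsset("Peaking plant 180 MW", "R1.iii", "low"),
]
```

Running `categorize(SAMPLE_INVENTORY)` places both redundant EMS servers on the R1.1 list, drops the three-day scanner laptop under the transient exclusion, and lists the peaking plant only as an R1.3 asset.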
Examples of BCS
Graphic Source: http://www.sas.com/news/preleases/energy-visual-analytics.html
Examples of BCA Groupings: BA/TOP
• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)
Examples of BCA Groupings: BA/TOP
Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg
Examples of BCA Groupings: TO/TOP
• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems
Examples of BCA Groupings: TO/TOP
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from http://publicintelligence.net/scada-a-deeper-look/
Pilot Study Lesson-Learned: TO/TOP
Pilot Study Lesson-Learned: TO/TOP
• Programmable Electronic Devices [PEDs]
  o aka Intelligent Electronic Devices [IEDs]
• Found as data aggregators for CTs/PTs
• May be located in breaker cabinets
• Evaluate to determine if the PED/IED meets BCA criteria
• If so, consider inclusion in Protective Relay BCS
Examples of BCA Groupings: GO/GOP
• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)
Examples of BCA Groupings: GO/GOP
Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf
Pilot Study Lesson-Learned: GO/GOP
• How is the 1,500 MW threshold defined?
• What about segregated systems?
• What is a segregated system?
• What is a common-mode vulnerability?
Consider BCS Types
• High Impact BCS,
• High Impact BCS w/ Dial-up Connectivity,
• High Impact BCS w/ External Routable Connectivity,
• Medium Impact BCS,
• Medium Impact BCS at Control Centers,
• Medium Impact BCS w/ Dial-up Connectivity,
• Medium Impact BCS w/ External Routable Connectivity,
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)
R1.1: Example of Auditable Process
R1.1: Example of Auditable Process
R1.3: Example of Auditable Process
• Any BES Asset (i.e., Facility) not rated as High or Medium defaults to a Low Impact rating
• BCS associated with a Low Impact BES Asset also become Low Impact BCS
• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3
• Comply with CIP-003-5 R2
R2: Review and Approve the Lists
• R2. The Responsible Entity shall:
  2.1 Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
  2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.
R1.3 Lists: What to Do? CIP-003-5 R2
Stay tuned for future developments
Review and Approve Lists
R2: Example of Auditable Process
• Review and document initial R1.1 - R1.3 lists (R2.1)
  o Document CIP Senior Manager approval of the R1.1 - R1.3 lists (R2.2)
  o Ensure review & approval cycle does not exceed the 15-month limitation (R2.2)
• Review (and update) lists, as necessary, and approve subsequent R1.1 - R1.3 lists (R2.1 - R2.2)
  o Maintain documentation of reviews and approvals for the audit period to demonstrate compliance to the audit team
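The "does not exceed the 15-month limitation" check above is easy to get wrong by hand, because "15 calendar months" is not 15 x 30 days and month lengths differ. The script below is an added example (not part of the WECC presentation and not a WECC tool): it walks a review history and an approval history, computes each deadline by adding 15 calendar months to the previous event (clamping to month end when the target month is shorter), and reports any pair of events that exceeds the limit plus the date the next review and approval are due. The record format, the field names, and the sample dates are constructed for illustration; reading "once every 15 calendar months" as "no later than the same day of the month, 15 months later" is this example's assumption, not language from the standard.

```python
"""Check a CIP-002-5.1 R2 review/approval history against the
15-calendar-month limit (R2.1 review, R2.2 CIP Senior Manager approval).

Added example, not from the WECC presentation. The record format,
field names and sample dates are constructed; the interpretation of
"15 calendar months" as same-day-of-month, clamped to month end, is an
assumption of this example.
"""
import calendar
from datetime import date

MONTHS_LIMIT = 15  # R2.1 / R2.2: "at least once every 15 calendar months"


def add_calendar_months(d, months):
    """Shift d forward by whole calendar months, clamping the day to the
    last day of the target month (31 Jan + 1 month = 28/29 Feb)."""
    total = d.month - 1 + months
    year = d.year + total // 12
    month = total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_due(last_done):
    """Latest date on which the next review/approval may occur."""
    return add_calendar_months(last_done, MONTHS_LIMIT)


def find_gaps(events):
    """Return (previous, actual, deadline) for each consecutive pair of
    events where 'actual' falls after the 15-calendar-month deadline.
    Events are sorted first so the order of the evidence log is irrelevant."""
    ordered = sorted(events)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        deadline = next_due(prev)
        if cur > deadline:
            gaps.append((prev, cur, deadline))
    return gaps


def check_r2(records):
    """Check the R2.1 (review) and R2.2 (approval) histories separately.
    'records' is a constructed list of {"kind": ..., "date": ...} dicts,
    where kind is "review" or "approval"."""
    report = {}
    for kind in ("review", "approval"):
        dates = [r["date"] for r in records if r["kind"] == kind]
        report[kind] = {
            "gaps": find_gaps(dates),
            "next_due": next_due(max(dates)) if dates else None,
        }
    return report


# Constructed sample evidence log (not real entity data).
SAMPLE_RECORDS = [
    {"kind": "review",   "date": date(2016, 7, 1)},
    {"kind": "approval", "date": date(2016, 7, 1)},
    {"kind": "review",   "date": date(2017, 9, 30)},   # one day inside the limit: ok
    {"kind": "approval", "date": date(2017, 10, 2)},   # one day past the limit: gap
    {"kind": "review",   "date": date(2018, 12, 30)},  # exactly 15 months after 2017-09-30: ok
    {"kind": "approval", "date": date(2018, 12, 31)},
]

if __name__ == "__main__":
    result = check_r2(SAMPLE_RECORDS)
    for kind, info in result.items():
        for prev, cur, deadline in info["gaps"]:
            print(f"{kind}: {prev} -> {cur} exceeds 15 calendar months (was due {deadline})")
        print(f"{kind}: next due no later than {info['next_due']}")
```

Reviews and approvals are tracked as two separate chains because R2.1 and R2.2 each carry their own 15-calendar-month clock; a review that is on time does not rescue a late approval. Feed it the dated entries from the review and approval evidence and keep the output with that evidence, since the auditor will recompute the same intervals.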
References
• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2009 November 30). Reliability Functional Model (v5, pp. 1-55). Retrieved from http://www.nerc.com/files/Functional_Model_V5_Final_2009Dec1.pdf
• NERC. (2012 October 26). Implementation Plan for Version 5 CIP Cyber Security Standards. Retrieved from http://www.nerc.com/pa/Stand/CIP00251RD/Implementation_Plan_clean_4_(2012-1024-1352).pdf
• NERC. (2013 November 21). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014 April). Bulk Electric System Definition Reference Document. Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf
CIP-002-5.1 Presentation Revision History

| Version | Change History | Date | By |
|---|---|---|---|
| v1 | Developed initial presentation for SLC Outreach | 01/21/14 | J. Baugh |
| v2 | Minor changes for SLC Outreach | 02/01/14 | J. Baugh |
| v3 | Added IRC slides for SMUD presentation | 02/16/14 | J. Baugh |
| v4 | Added examples of BCS Groupings for MDR Outreach | 03/13/14 | J. Baugh |
| v5 | Minor changes for SMUD Outreach | 05/03/14 | J. Baugh |
| v6 | Added slides to discuss Pilot Study lessons learned proposals; included discussion on Net Real Power Capability; added revision history for SLC Outreach | 05/09/14 | J. Baugh |
Questions?

Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351 (O) 801.734.8357