welcome to the cip workshop! - southwest power pool cip workshop... · 2016. 5. 24. · welcome to...


Welcome to the CIP Workshop!

SPP.org ->Regional Entity ->2016 CIP Workshop to:

• Download materials
• Submit anonymous question/comment

Wireless: Select “SPP GUEST” network. A login page will open. Enter your email address.

You may also email comments or questions to [email protected].


2016 SPP RE CIP Workshop, SPP Corporate Center, Little Rock

May 24
8:00-8:20 Welcome and Introductory Remarks (Dave Christiano, SPP RE Trustee)
8:20-9:20 1 - Low Impact Auditing (Scott Mix, NERC)
9:20-9:35 Break
9:35-10:35 2 - C2M2: Cybersecurity Capability Maturity Model (Matt Light, Deloitte; Larry Saxon, OG&E)
10:35-10:45 Break
10:45-11:45 3 - CIP Standard Drafting Team Activities (Phil Huff, AECC)
11:45-1:00 Lunch
1:00-1:45 4 - Keynote Address (Gerry Cauley, NERC)
1:45-2:15 5 - Personnel Risk Assessment for Non-Employee Personnel (Sushil Subedi, SPP RE)
2:15-2:30 Break
2:30-3:30 6 - DHS Protective Security Advisor Overview (Chad Johnston, Dept. Homeland Security)
3:30-3:50 Coffee and Snack Break
3:50-4:20 7 - Protecting your Physical Security Perimeter (Steven Keller, SPP RE)
4:20-5:00 8 - Patch Management Outside Control Center (Megan Wagner, Westar)

May 25
8:00-8:10 Opening Remarks
8:10-9:10 9 - CIP-014-2 and Physical Security (Carl Herron, NERC)
9:10-9:20 Break
9:20-10:00 10 - Remote Access for EMS Vendors (Mike Lotz, City of Independence; Jeff Milstead, CLECO)
10:00-10:30 11 - How I Learned to Stop Worrying and Love Cyber Security (Donna Maskil-Thompson, BPU)
10:30-10:40 Break
10:40-11:20 12 - Would CIP Standards Have Saved the Ukraine? (Kevin Perry, SPP RE)
11:20-11:50 13 - Observations From Our CIP V5 Outreach Visits (Shon Austin, SPP RE; Robert Vaughn, SPP RE)
11:50-12:00 Evaluation and Closing (Ron Ciesiel, SPP RE)
12:00 Box Lunches


[Figure: floor plan, "First Floor - Public Spaces". Labelled areas: Auditorium, Restrooms, Break Room, Conference Rooms A-E, Business Center, CPU Room, Storage, Main Entrance, North Parking Deck, Outside Smoking Area, "You Are Here". Legend: Auditorium, Break Room/Lunch, Smoking, Vending Machines, Restrooms.]


Auditing Low Impact BES Cyber Systems
Scott R. Mix, CISSP, NERC Senior CIP Technical Manager
SPP RE CIP Workshop
May 24, 2016


Disclaimer

The information contained in this presentation is preliminary, and represents a possible approach being considered by the ERO as of the fall of 2015. These approaches are subject to review and modification as the ERO finalizes the audit approaches in response to pre-audit outreach conducted before the effective date of the requirements. These approaches are also subject to review and modification based on further directives from FERC and subsequent modifications to the requirements by standards development actions.


Agenda

• Lists
• Not all Low Impact Locations are Equal
• Possible Audit Approaches
  • Sampling
  • Connectivity
    - Low Impact External Routable Connectivity (LERC)
    - Low Impact BES Cyber System Access Point (LEAP)
  • Generation
  • Transmission
  • Control Centers
  • Physical Security
  • Security Awareness
  • Incident Response
  • Mixed Environments
• WECC Low Impact Case Study
  • Implementation Lessons Learned


Low Impact Lists

• Discrete lists of Low Impact BES Cyber Systems are not required
• HOWEVER:
  • A list containing the name of “each asset that contains a low impact BES Cyber System” is required (CIP-002-5.1 Requirement R1 Part 1.3 “Identify each asset that contains a low impact BES Cyber System …”)
  • This would be a list of generating plants, transmission stations, certain distribution stations, and certain “small” control centers, that contain low impact BES Cyber Systems


Low Impact Lists

• The entity should be prepared to demonstrate that all BES assets (locations) are accounted for on either the list of high impact, medium impact or low impact locations (note: a list of high or medium impact locations is not specifically required, but can be surmised by looking at lists of high impact and medium impact BES Cyber Systems, if they exist)

• The entity should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protections, and are included in incident response plans


Low Impact Lists

• Similarly, lists of personnel with access to low impact BES Cyber Systems are not required
• HOWEVER:
  • The entity should be prepared to demonstrate how it determines whether personnel have a “need” to access the low impact BES Cyber Systems
  • The entity should be prepared to demonstrate how the electronic security protections and physical protections are implemented to ensure that only personnel that have a “need” have access
  • The entity should be prepared to demonstrate that all those personnel have had access to the security awareness materials


Low Impact Lists

• Even though BES Cyber Asset / BES Cyber System lists are not required for compliance, it is in the entity’s best interest to maintain lists to ensure that all low impact BES Cyber Systems are properly secured with both physical and electronic controls
  • Station, plant, or Control Center drawings showing all Cyber Assets at the location, drawings showing computer network paths through identified LEAPs, and drawings of physical locations to demonstrate required physical access control may be beneficial in demonstrating compliance
  • These lists will not be assessed for completeness – only to help the entity “tell its story”


Not All Low Impact Locations are Equal

• “Low impact” covers a wide range of BES locations and Facilities

• Within “low impact” there are potentially vastly different BES impacts
  • The CIP Standards don’t make a distinction between a “big” (i.e., more impactful) low impact site and a “small” (i.e., less impactful) low impact site

• Consider the following field examples:


Not All Low Impact Locations are Equal

[Figure: Transmission Considerations. Diagram labels: 115 kV, 115 kV, 69 kV.]


Not All Low Impact Locations are Equal

[Figure: Transmission Considerations. Diagram labels: 345 kV, 345 kV, 115 kV.]


Not All Low Impact Locations are Equal

[Figure: Transmission Considerations. Diagram labels: 345 kV, 345 kV, 115 kV, 115 kV, To SUB A, To SUB B.]


Not All Low Impact Locations are Equal

[Figure: Generation Considerations. Diagram labels: 30 MW, 115 kV.]


Not All Low Impact Locations are Equal

[Figure: Generation Considerations. Diagram labels: 700 MW, 700 MW, 230 kV.]


Not All Low Impact Locations are Equal

[Figure: Generation Considerations. Diagram labels: 4 x 700 MW (with segmented control systems), 345 kV.]


Compliance Implications

• Pure random sampling of low impact assets for audit purposes is not appropriate
  • Random sampling within specific subsets of low impact assets may be appropriate
• Expect risk and impact based judgmental sampling
  • Expect more audit attention at low impact locations with larger impact
  • Expect more audit attention to larger generation plants than at smaller plants


Auditing Connectivity

• In order to determine if LERC/LEAP is present, expect a number of questions:

1. Is there any routable protocol communication in the wide area network used to communicate with assets containing low impact BES Cyber Systems?
  • If no, then there is no LERC, and no requirement for LEAP
  • If yes, then further questions are needed
  • Expect to be asked for network drawings, configurations, etc. to support your answer


Auditing Connectivity

2. For each low impact “location” (asset), is there routable protocol communication in the wide area network connecting to that location?
  • If no, there is no LERC at that location
  • If yes, further questions will be asked
  • Expect to be asked for network drawings, configurations, etc. to support your answer


Auditing Connectivity

3. Do the routable communications connect to the low impact BES Cyber Systems (including reference model 4 considerations, pg 34 of CIP-002-5)?
  • If no, there is no LERC at that location
    - Example: stand-alone computer in transmission station used for time entry and work orders
    - Note there may be modifications to this concept in response to FERC Order No. 822
  • If yes, then there may be LERC at the location
  • Note that any routable protocol communications to the BES Cyber Assets may trigger LERC
    - LERC is not restricted to only telemetry and control communications
  • Expect to be asked for network drawings, configurations, etc. to support your answer


Auditing Connectivity

4. Are there “protocol breaks” of any kind (see reference model 5 or 6, pg 35 and 36 of CIP-002-5) in the local area portion of the communications path?
  • If yes, expect to be asked to provide details of the protocol break
    - Note there may be modifications to this concept in response to FERC Order No. 822
  • If no, then there is LERC at the location, and a LEAP should be identified
    - The Cyber Asset containing the LEAP may be located at the asset, or may be located remote to the asset
  • Expect to be asked for network drawings, configurations, etc. to support your answer


Auditing Connectivity

• Once LERC has been determined to exist at an asset, the low impact BES Cyber Systems must all be protected logically

• Expect to be asked for network drawings showing that all low impact BES Cyber Systems are appropriately protected
  • Detailed inventory lists are not required, but high-level network drawings may be beneficial for describing what needs to be protected

• Detailed inventory lists may be provided (at the entity’s option) to help support decisions, but the detailed lists will not themselves be subject to audit


Low Impact Audit Evidence

• Since lists of BES Cyber Assets / Systems are not required, what kinds of evidence are appropriate?

• Since there are no device-specific requirements, lists aren’t needed

• Requirements are for border protection or system-level recovery


Low Impact Audit Evidence

• Existing “as-built” documentation and drawings should provide sufficient detail to allow the ERO to determine whether protections are put into place
  • Drawings show connectivity
  • Drawings show high-level component detail
  • Drawings allow auditors to determine whether all required logical protections (e.g., LERC/LEAP) are put into place
  • Drawings can indicate physical locations that need to be protected (or at least identify what needs physical protection)
  • Drawings can show what systems need incident response plans


Possible Low Impact Evidence

[Figure.] Source: http://www.intea.hr/uploads/control_system.jpg (modified)


Possible Low Impact Evidence

[Figure with the LEAP labelled.] Source: http://www.ucaiug.org/Meetings/CIGRE_2014/USB%20Promo%20Content/SEL/Technical%20Papers/Integration%20Considerations%20For%20Large%20Scale%20IEC%2061850%20Systems.pdf (modified)


LERC/LEAP

• The entity should be prepared to provide a list of LEAP devices, and indicate which (assets containing) low impact BES Cyber Systems are associated with each LEAP

• The entity should be prepared to demonstrate rationale for what constitutes “necessary inbound and outbound bi-directional routable protocol access”

• The entity should be prepared to demonstrate the access control lists that ensure that only “necessary inbound and outbound” connections are allowed
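
The three evidence items above (LEAP list with associated assets, rationale for "necessary" access, and the access control lists) can be cross-checked against each other before an audit. The following Python example is an added illustration, not part of the presentation or of any NERC tool; the `Flow` rule model, the finding labels, and every device name, address and rule in it are constructed assumptions.

```python
# Added example: cross-check LEAP evidence. Every name, address and rule is constructed.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text):
    """Parse a CIDR string; the keyword 'any' stands for every IPv4 address."""
    return ANY if text == "any" else ipaddress.ip_network(text)


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" or "out", relative to the low impact asset
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # e.g. "tcp/20000", or "any"
    note: str = ""  # rationale (documented need) or comment (permit rule)


def covers(need, rule):
    """True when a documented need fully contains what the permit rule allows."""
    return (need.direction == rule.direction
            and need.service == rule.service
            and net(rule.src).subnet_of(net(need.src))
            and net(rule.dst).subnet_of(net(need.dst)))


def review_leap(permits, needs):
    """Return (finding, flow) pairs for one LEAP's permit rules and need register."""
    findings = []
    for rule in permits:
        if "any" in (rule.src, rule.dst, rule.service):
            # A wildcard cannot be tied to a specific documented need.
            findings.append(("BROAD", rule))
        elif not any(covers(need, rule) for need in needs):
            findings.append(("NO_RATIONALE", rule))
    for need in needs:
        # A documented need with no matching rule means the evidence is out of sync.
        if not any(covers(need, rule) for rule in permits):
            findings.append(("NEED_NOT_IMPLEMENTED", need))
    return findings


def unassociated_assets(lerc_assets, leap_list):
    """Assets determined to have LERC that no LEAP in the list is associated with."""
    covered = {asset for assets in leap_list.values() for asset in assets}
    return sorted(set(lerc_assets) - covered)


# Constructed sample evidence for a hypothetical entity.
SAMPLE_LEAP_LIST = {
    "LEAP-FW-01": ["Sub Alpha", "Sub Bravo"],
    "LEAP-FW-02": ["Plant Charlie"],
}
SAMPLE_LERC_ASSETS = ["Sub Alpha", "Sub Bravo", "Plant Charlie", "Sub Delta"]

SAMPLE_NEEDS = [
    Flow("in", "10.10.0.0/28", "10.20.1.0/24", "tcp/20000",
         "SCADA polling from control center front ends"),
    Flow("out", "10.20.1.0/24", "10.10.5.10/32", "udp/514",
         "syslog to central collector"),
    Flow("in", "10.10.9.0/29", "10.20.1.0/24", "tcp/22",
         "engineering access for relay settings"),
]
SAMPLE_PERMITS = [
    Flow("in", "10.10.0.4/32", "10.20.1.10/32", "tcp/20000", "RTU polling"),
    Flow("out", "10.20.1.0/24", "10.10.5.10/32", "udp/514", "syslog"),
    Flow("in", "any", "10.20.1.10/32", "tcp/3389", "temporary vendor rule"),
    Flow("out", "10.20.1.25/32", "192.0.2.80/32", "tcp/443", ""),
]

if __name__ == "__main__":
    for kind, flow in review_leap(SAMPLE_PERMITS, SAMPLE_NEEDS):
        print(f"{kind:22} {flow.direction:3} {flow.src} -> {flow.dst} {flow.service}")
    missing = unassociated_assets(SAMPLE_LERC_ASSETS, SAMPLE_LEAP_LIST)
    print("Assets with LERC but no associated LEAP:", missing)
```
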


LERC/LEAP

• Expect that large or complicated LEAP devices may receive additional inspection to ensure that all traffic between different low impact BES Cyber Systems is correctly filtered

• Expect that LEAP devices at Control Centers will be audited concurrently with the Control Centers


Dial-up

• The entity should be prepared to demonstrate Dial-up Connectivity protections at low impact BES Cyber System locations, the authentication methods in place, and any “per Cyber Asset” capabilities documented


Large Generation

• Based on inherent risk and impact, expect more attention at any generation plant > 1500 MW
  • The entity should be prepared to demonstrate how the unit controls are segregated, including computer network diagrams, firewall configurations, data flow analysis, etc.
  • The entity should be prepared to demonstrate the analysis of any common systems at the plant
    - Expect the analysis to include both a time-based component as well as an impact-based component
  • The entity should be prepared to allow inspection of any common control rooms that have control of >1500 MW of generation


Larger Low Impact Transmission

• Based on inherent risk and impact, expect more attention at large networked transmission stations
  • For example, transmission stations that have multiple lines, but with some excluded from the IRC 2.5 calculation because of being generator interconnection lines
  • The requirements are the same, but they may be more likely to be reviewed as part of the audit


Control Center

• Based on inherent risk and impact, expect more attention at Balancing Authority and multi-function Control Centers

• Based on inherent risk and impact, expect more attention if the control center is close to a medium impact threshold


Physical Security

• Low Impact physical security is significantly different than that required for CIP-014
  • CIP-014 uses medium impact transmission as an input
• Much of existing physical protections (e.g., for copper theft protection, or for human safety) should be leveraged:
  • Fencing, locked gates, lighting, cameras, motion sensing, etc.
• Physical security is required for all low impact BES Cyber System locations regardless of electronic connectivity


Physical Security

• Physical Security applies to both the BES asset locations (i.e., generation plants, transmission stations, control centers) as well as to locations containing Low Impact BES Cyber System Electronic Access Points (LEAPs)
  • These might be at BES locations containing low impact BES Cyber Systems, BES locations containing medium impact BES Cyber Systems, at telecommunication hub locations, or at Control Centers


Physical Security

• The entity should be prepared to demonstrate how it controls access to the BES asset or LEAP device
  • If the access control method is electronic card, the entity should be prepared to demonstrate how it provisions and manages access cards, and determines what accesses are assigned to those cards, including procedures for revocation of the access once access is no longer required.
  • If the access control method is a “brass key”, the entity should be prepared to demonstrate its key management procedures, including how those keys are assigned or provisioned, lock core management, lost key processes, and revocation of the key once access is no longer required.


Physical Security

• The entity should be prepared to demonstrate how it assesses the “based on need” clause of the requirement
  • If the access determination method is “job title”, the entity should be prepared to demonstrate how the job description provides justification for access.
  • If the access determination method is “job location”, the entity should be prepared to demonstrate how personnel are assigned to job locations.
  • The entity should be prepared to demonstrate it has procedures for “assigning” and “revoking” access regardless of the method.


Physical Security

• Since LEAPs can be located at “field locations,” Control Centers, or at other locations (e.g., communications hubs), the entity should be prepared to produce a list of locations containing LEAPs, especially if they are located outside of BES assets.
  • Physical access to the LEAP devices has the same set of requirements as access to the low impact BES Cyber Systems as described above.


Physical Security

• The entity should be prepared to demonstrate that all Low Impact BES Cyber Systems and LEAP devices have been afforded the appropriate protections.

• Drawings, floor plans, etc. are acceptable, so long as they provide sufficient detail to indicate that all required BES Cyber Systems and LEAP devices are included
  • Detailed inventory lists are not required, and reviews will be conducted at a high level


Cyber Security Awareness

• The entity should be prepared to demonstrate that cyber security awareness materials have been made available
  • Materials and audit approaches are the same as for high and medium
  • Examples include emails, posters, meeting presentations, etc.
  • Specific actions are similar to CIP-004-6 Requirement R1 Part 1.1, but with a “change interval” of 15 months rather than 3 months.


Incident Response

• The entity should be prepared to demonstrate it has the required procedure documentation and evidence that the procedure has been followed

• Specific actions are similar to CIP-008-5, but relaxed testing timeframes (36 months rather than 15 months) and plan update timeframes (180 days rather than 90 days).


Mixed High/Med and Low

• The low impact requirements are not expected to be implemented in a vacuum

• Entities with low impact BES Cyber Systems as well as high or medium impact BES Cyber Systems may take advantage of existing programs or procedures, for example:
  • Cyber Security Awareness materials and delivery may be the same for all impact levels
  • Physical Security plan documentation developed for CIP-006-6 Requirement R1, Part 1.1 may include sections on how physical security controls are applied to locations containing low impact BES Cyber Systems


Mixed High/Med and Low

• Examples continued:
  • Configuration and management of electronic access controls may be similar for LEAPs and EACMS containing EAPs (e.g., common vendor, common equipment, common configuration tools, common procedures for requesting and granting access, common administrative staff)
  • Cyber Security Incident Response procedures may share procedural documentation for all impact levels
• The entity should be prepared to demonstrate procedures for applicability and note differences between high/medium impact and low impact, if any


Implementation Lessons Learned

Observations from WECC Low Impact Study:

• Don’t make it more difficult or bigger than it is. Lean on existing policies already in place.

• Plug in early, something will always pop up and potentially impact the project. Build some extra time into your project timeline for testing & feedback, budget cycles, and unplanned contingencies

• Review the standards/requirements and clarify all of the documentation requirements for each standard early on

• Research, Research, Research - Tap unlikely resources such as your commercial insurance carrier/broker – One participant used a great template from their insurance carrier for their cyber incident response plan


Implementation Lessons Learned

• Don’t be fooled by the generic and oversimplified requirements for policies and requirements - They are simplistic by design to allow you the flexibility for workable policies and plans

• Engage SMEs and plant/field personnel who are going to have to live with the results of your creations early on

• Have weekly team meetings – even if there’s not much to discuss, it keeps the project on everyone’s radar

• Make sure all documents, at minimum, undergo a basic technical and legal review and then a final formatting review – cut & paste is a blessing and a curse!

• If you are coming from the IT side of the house, go shake hands with and learn about the OT environment, as it will allow you to better understand the assets you’re trying to protect


Integrated Security

5/17/2016 1


Security at OGE - Agenda

Program Vision

Integrated Security Capabilities

Roadmap & Closing Gaps

Measuring success

Key Takeaways


Security Vision

OGE Security will be aware of its adversaries (threats) with an effective prevention, detection, defense and response strategy. Security will protect personnel and also those cyber and physical assets enabling OGE’s business and operational capabilities.

Advantages of C2M2

Establish long-term investment strategy

Measure success

Communicate direction and strategy to Board of Directors and other senior leaders.


Integrated Security Capabilities

The starting point was to identify the rudimentary capabilities of successful security programs


Current state/future state


OGE has matured its security capabilities using a prioritized approach since 2013

Based on security maturity dimensions established by the Department of Energy

2013 Model developed with onsite guidance from DOE.


Key Takeaways

Extend C2M2 to allow for the integration of cyber and physical security.

Developing a long-term strategy using a tool like C2M2 is key to a successful program.

Using C2M2 for communicating to senior leaders has proven quite beneficial.

Apply C2M2 to all initiatives, e.g. compliance, NERC Alerts, projects to counter threats & eliminate vulnerabilities, etc.

Use of C2M2 requires a long-term commitment by security leaders.


Questions?


Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

A Brief Overview

SPP RE Workshop

May 24, 2016

Copyright © 2016 Deloitte Development LLC. All rights reserved.

Agenda

About Me

Brief History: Why was the ES-C2M2 Developed?

Overview of the Model

Alignment with the NIST Framework

Questions


About Me

Manager, Deloitte Advisory

Cyber Risk Services

Denver, CO

Prior:

NERC / ES-ISAC: Cybersecurity Specialist [CRISP Program Manager]

US Department of Energy: Infrastructure Analyst [ES-C2M2, RMP]

ES-C2M2 Experience:

Member of the ES-C2M2 development team while at DOE

Conducted over a dozen assessments using the ES-C2M2

ES-C2M2 program manager prior to leaving DOE

Deloitte Advisory Experience:

Supported the NERC CIP v5 implementation at a large IOU

Responsible for strengthening cybersecurity programs through governance, policies, procedures and implementation of cybersecurity technologies


Brief History: Why was the ES-C2M2 developed?

Purpose:

• Strengthen cybersecurity capabilities in the electricity subsector

• Enable utilities to effectively and consistently evaluate and benchmark cybersecurity capabilities

• Share knowledge, best practices, and relevant references within the subsector as a means to improve cybersecurity capabilities

• Enable utilities to prioritize actions and investments to improve cybersecurity

History:

• Developed by DOE in partnership with DHS and collaboration with industry experts

• Conducted over a dozen pilot evaluations with utilities during development

• Briefed to White House staff and released in May 2012


Overview of the Model: Structure

Overview of the Model: Domains

Overview of the Model: Maturity Indicator Level (MIL)

Overview of the Model: Putting it together

Domain: Identity and Access Management

Purpose: Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

Objectives:

1. Establish and Maintain Identities

2. Control Access

3. Management Activities

Overview of the Model: Output

Scoring Report

Total Number of Practices for that Domain (cumulative)

Alignment with the NIST Framework: Example

Function: Identify

Category Subcategory Informative References

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Alignment with the NIST Framework: Mapping ES-C2M2 to the NIST Framework

Function: Protect


Questions?

Contact Info:

Matt Light

Deloitte Advisory, Cyber Risk

Denver, [email protected]

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2016 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited


Backup Slides

NIST Framework: Framework Implementation Approach

NIST Framework: Tier vs. MIL

Project 2016-02 CIP Modifications Standard Drafting Team Update

Project 2016-02 Modifications to CIP Standards

SPP RE CIP Workshop

May 24, 2016

Slide Content Developed by Margaret Powell, Exelon Corporation

Presented by Philip Huff, Arkansas Electric Cooperative


Topics

CIP Standards Development History

Revision Project Components

The Drafting Team

Work So Far and What’s Next


CIP Development History

Order 706

Issued on January 18, 2008

FERC directed more than 100 modifications to the CIP Standards

January 31, 2013, NERC filed the CIP Version 5 (CIP V5) suite of standards

Order 791

On November 22, 2013, FERC approved CIP V5

Directed modifications

CIP V5 Transition Study

Approved by FERC in Order 791

Order 822

Issued on January 21, 2016, FERC approved CIP V5 revisions

Effective date is March 31, 2016

Directed modifications


CIP V5 Transition Advisory Group (V5TAG)

In 2014, NERC initiated a program to help industry transition from CIP V3 standards to CIP V5 – the CIP V5 Implementation Study and the V5 Transition Advisory Group (V5TAG)

V5TAG’s Composition

Regional Entity Participants

Registered Entity Participation

NERC and FERC

The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP V5, as well as the expectations for compliance and enforcement - CIP V5 Transition Program website: http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

CIP Modifications Project – V5TAG Tasks

Critical Infrastructure Protection (CIP) V5 Transition Advisory Group (V5TAG) transferred four issues to the CIP V5 Revisions Standard Drafting Team (SDT):

Cyber Asset and BES Cyber Asset Definitions

Network and Externally Accessible Devices

Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations

Virtualization


Cyber Asset and BES Cyber Asset Definitions

As foundational to the CIP V5 standards, the understanding of Cyber Asset and BCA terms impacts the scope of the applicable requirements. The V5TAG recommends the following enhancements:

Clarify the intent of “programmable” in Cyber Asset.

Clarify and focus the definition of “BES Cyber Asset” including:

Focusing the definition so that it does not subsume all other cyber asset types.

Considering a lower bound to the term ‘adverse’ in “adverse impact”.

Clarifying the double impact criteria (cyber asset affects a facility and that facility affects the reliable operation of the BES) such that “N-1 contingency” is not a valid methodology that can eliminate an entire site and all of its Cyber Assets from scope.


Network and Externally Accessible Devices

V5TAG recommends improving clarity within the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA) including:

The 4.2.3.2 exemption phrase “between discrete Electronic Security Perimeters”

The meaning of the word ‘associated’ in the ERC definition.

The applicability of ERC including the concept of the term “directly” used in the phrase “cannot be directly accessed through External Routable Connectivity” within the Applicability section.

The IRA definition placement of the phrase “using a routable protocol” in the definition and with respect to Dial-up Connectivity.

The Guidelines and Technical Basis sentence, “If dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies.”


Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations

V5TAG is aware of multiple interpretations of the language “used to perform the functional obligation of” in CIP-002-5.1 Attachment 1, section 2.12 and recommends clarification of:

The applicability of requirements on a TO Control Center that performs the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES.

The definition of Control Center.

The language scope of “perform the functional obligations of” throughout the Attachment 1 criteria.


Virtualization

CIP V5 standards do not specifically address virtualization

Because of the increasing use of virtualization in industrial control system environments, V5TAG asked that the SDT consider CIP-005 and the definitions of Cyber Asset and Electronic Access Point (EAP) regarding permitted architecture and the security risks of network, server and storage virtualization technologies.

CIP Modifications Project – FERC Tasks

FERC Order 822 directs three areas for modification:

Protection of transient electronic devices used at low-impact BES Cyber Systems

Protections for communication network components between control centers

Refinement of the Low Impact External Routable Connectivity (LERC) definition (Revision deadline of March 31, 2017)


FERC Order 822

32. Accordingly, we direct that NERC, pursuant to section 215(d)(5) of the FPA, develop modifications to the CIP Reliability Standards to provide mandatory protection for transient devices used at Low Impact BES Cyber Systems based on the risk posed to bulk electric system reliability. While NERC has flexibility in the manner in which it addresses the Commission’s concerns, the proposed modifications should be designed to effectively address the risks posed by transient devices to Low Impact BES Cyber Systems in a manner that is consistent with the risk-based approach reflected in the CIP version 5 Standards.


FERC Order 822

53. Therefore, we adopt the NOPR proposal and direct that NERC, pursuant to section 215(d)(5) of the FPA, develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).


FERC Order 822

73. Therefore, pursuant to section 215(d)(5) of the FPA, we direct NERC to develop a modification to provide the needed clarity, within one year of the effective date of this Final Rule. We agree with NERC and other commenters that a suitable means to address our concern is to modify the Low Impact External Routable Connectivity definition consistent with the commentary in the Guidelines and Technical Basis section of CIP-003-6.

CIP Modifications Project - Interpretation

On December 9, 2015, the Standards Committee assigned a request for interpretation (RFI) to the CIP Modifications SDT:

BES Cyber System Categorization under CIP-002-5.1, Requirement 1, Part 1.2


Happenings To Date

March 10-March 23 – SDT nominations period

March 23-April 21 – SAR comment period

April 19 – NERC-led Workshop

April 20, 2016 – SC confirmed SDT members


The CIP Standard Drafting Team

| Role | Name | Entity |
|---|---|---|
| Chair | Margaret Powell | Exelon |
| Vice Chair | Christine Hasha | Electric Reliability Council of Texas |
| Vice Chair | David Revill | Georgia Transmission Corporation |
| Member | Steven Brain | Dominion |
| Member | Jay Cribb | Southern Company |
| Member | Mikhail Falkovich | Public Service Enterprise Group |
| Member | Jennifer Flandermeyer | Kansas City Power and Light |
| Member | Tom Foster | PJM Interconnection |
| Member | Richard Kinas | Orlando Utilities Commission |
| Member | Forrest Krigbaum | Bonneville Power Administration |
| Member | Philippe Labrosse | Hydro-Quebec TransEnergie |
| Member | Mark Riley | Associated Electric Cooperative, Inc. |
| Member | Zach Trublood | Sacramento Municipal Utility District |


What’s Next …

May 24-26, 2016 – Initial SDT meeting in Atlanta

Subgroup Assignment

Project Plan

Meeting Expectations

SAR Comments

LERC Definition

Team expects to meet monthly in person and conduct working conference calls in between


Questions?

Personnel Risk Assessment for Non-Employee Personnel

May 24, 2016

Sushil Subedi

SPP RE


CIP-004-3/R3

Non-employee Personnel Risk Assessment (PRA) process under CIP V3

• Vendors may perform the PRA on behalf of the Registered Entity

• The vendor typically sends the Registered Entity a notification with the list of people assigned to access their system

• Under CIP V6, this is not acceptable.


CIP-004-6/Part 3.4

PRA for contractors and Service Vendors


CIP-004-6/Parts 3.1-3.3

• Part 3.1 - Process to confirm identity

• Part 3.2 - Process to perform a seven-year criminal history records check that includes current residence, and other locations where the individual has resided for six consecutive months or more

• Part 3.3 - Criteria or process to evaluate criminal history records check for authorizing access

Non-Employee PRA

• Entity performs all PRA (Option 1)

– Evaluate contractors like your employees

• Vendor performs PRA (Option 2)

– See Slide 9

• No PRA was done (Option 3)

– Criteria in Slide 9 cannot be achieved

– No electronic access

– Limit physical access to escorted only


Registered Entity performs PRA - Option 1

• Registered Entity performs the PRA for everyone requiring access, including the contractors

– Evaluate contractors like your own employees


Vendor performs PRA - Option 2

• Registered Entity allows vendor to conduct the PRA:

– Registered Entity needs to have a process providing reasonable assurance that:

PRA was done to the Standard

Registered Entity has accepted the vendor’s program

– If Registered Entity doesn’t accept vendor’s process or criteria:

Registered Entity and vendor must reach an agreement as to acceptable process and criteria, or

Vendor cannot perform the PRA on behalf of the Registered Entity

Vendor performs PRA - Option 2

Vendor performs PRA

Entity reviews Vendor’s criteria or process for PRA

Entity accepts vendor’s criteria

Entity doesn’t accept vendor’s criteria

Entity and Vendor negotiate acceptable criteria

Vendor evaluates results under agreed upon procedure

Vendor evaluates results under Entity’s criteria


Possible examples of reasonable assurance


• Copy of vendor’s PRA process

• Contractual agreement between Registered Entity and vendor to perform PRA

• Record of correspondence between Registered Entity and vendor

• Redacted copy of the PRA

• Copy of third-party invoice to the vendor

• Contractual right to audit vendor’s PRA process

• Independent audit report of vendor's PRA process

Non-employee PRA under CIP V6 - Option 3

• Provide no electronic access and limit physical access to escorted access only


Summary:

• Registered Entity must be able to demonstrate that PRAs for contractors or vendors were performed according to CIP-004-6, Parts 3.1 through 3.3.

• Registered Entity owns the risk from allowing someone to access their system.

• The risk must be managed by the Registered Entity and cannot be transferred.

SPP RE CIP Team

• Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251

• Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273

• Steven Keller, Lead Compliance Specialist-CIP, (501) 688-1633

• Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676

• Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301

• Sushil Subedi, Compliance Specialist II-CIP, (501) 482-2332

National Protection and Programs Directorate

Department of Homeland Security

The Office of Infrastructure Protection

Southwest Power Pool CIP Workshop

May 24, 2016

Protective Security Advisor Overview


Role of DHS

Unify a national effort to secure America

Prevent and deter terrorist attacks

Protect against and respond to threats and hazards to the Nation

Respond to and recover from acts of terrorism, natural disaster, or other emergencies

Coordinate the protection of our Nation’s critical infrastructure across all sectors

Threats May Come from All Hazards

Courtesy of FEMA


National Preparedness Goal

Defines what it means for the whole community to be prepared for all types of disasters and emergencies

The goal is “a more secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.”

Courtesy of DHS

National Preparedness Goal (cont.)

Organizes 31 core capabilities into 5 mission areas

Prevention: Prevent, avoid, or stop an imminent, threatened, or actual act of terrorism

Protection: Protect our citizens, residents, visitors, and assets against the greatest threats and hazards in a manner that allows our interests, aspirations, and way of life to thrive

Mitigation: Reduce the loss of life and property by lessening the impact of future disasters

Response: Respond quickly to save lives, protect property and the environment, and meet basic human needs in the aftermath of a catastrophic incident

Recovery: Recover through a focus on the timely restoration, strengthening, and revitalization of infrastructure, housing, and a sustainable economy, as well as the health, social, cultural, historic, and environmental fabric of communities affected by a catastrophic incident


National Response Framework

Guides how the Nation conducts all-hazards response

Documents the key response principles, roles, and structures that organize national response

Allows first responders, decision-makers, and supporting entities to provide a unified national response

Courtesy of DHS

National Infrastructure Protection Plan (NIPP)

Comprehensive plan and unifying structure for the public and private sector to enhance the protection and resilience of critical infrastructure

Partnership model

Risk management framework

Roles, responsibilities, and authorities

Courtesy of DHS

NIPP (cont.)

Drives internal Department of Homeland Security (DHS) programs and activities

Guides programs and activities for:

Other Federal agencies and departments

State, local, tribal, and territorial governments

Critical infrastructure owners and operators

Courtesy of DHS


Presidential Policy Directive-21

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience directs the Executive Branch to:

• Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time

• Understand the cascading consequences of infrastructure failures

• Evaluate and mature the public-private partnership

• Update the National Infrastructure Protection Plan

• Develop comprehensive research and development plan

Critical Infrastructure Defined

“Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.”

Source: National Infrastructure Protection Plan 2013

Courtesy of FEMA

Critical Infrastructure Sectors

• Chemical

• Commercial Facilities

• Communications

• Critical Manufacturing

• Dams

• Defense Industrial Base

• Emergency Services

• Energy

• Financial Services

• Food and Agriculture

• Government Facilities

• Healthcare and Public Health

• Information Technology

• Nuclear Reactors, Materials, and Waste

• Transportation Systems

• Water and Wastewater Systems

Courtesy of DHS

Security and Resilience Challenges

• A majority of critical infrastructure is privately owned
• DHS has limited legal authority to regulate security practices of private industry
– Exceptions: National Protection and Programs Directorate Office of Infrastructure Protection (high-risk chemicals), Transportation Security Administration, and United States Coast Guard
• DHS; Sector-Specific Agencies; other Federal entities; the private sector; and State, local, tribal, and territorial governments all have roles and responsibilities in critical infrastructure protection

Protective Security Coordination Division

Department of Homeland Security (DHS)

National Protection and Programs Directorate (NPPD)

Office of Infrastructure Protection (IP)

Protective Security Coordination Division (PSCD)

Leads the national effort to protect critical infrastructure from all hazards by managing risk and enhancing resilience through collaboration with the critical infrastructure community

Leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure

Provides strategic coordination and field operations support to reduce risk to the nation’s critical infrastructure from a terrorist attack or natural disaster

Ensures a homeland that is safe, secure, and resilient against terrorism and other hazards


PSCD Mission Areas

Conduct Security Surveys, Gap Analysis, and Assessments

Conduct Outreach Activities

Support National Special Security Events (NSSEs) and Special Event Activity Rating (SEAR) Events

Respond to Incidents

Provide Improvised Explosive Device (IED) Awareness & Risk Mitigation Training

Protective Security Advisors

• PSAs are field-deployed personnel who serve as critical infrastructure security specialists
• Regional Directors (RDs) oversee and manage the PSA program in their respective region
• State, local, tribal, and territorial (SLTT) and private sector link to DHS infrastructure protection resources
• Coordinate vulnerability assessments, training, and other DHS products and services
• Provide a vital link for information sharing in steady state and incident response
• Assist facility owners and operators with obtaining security clearances
• During contingency events, PSAs support the response, recovery, and reconstitution efforts of the States by serving as pre-designated Infrastructure Liaisons (IL) and Deputy ILs at the Joint Field Offices


Protective Security Advisor Locations

Courtesy of DHS

Protected Critical Infrastructure Information

• Established under the Critical Infrastructure Information Act of 2002
• Protects voluntarily submitted critical infrastructure information from:
– Freedom of Information Act
– State and local sunshine laws
– Civil litigation proceedings
– Regulatory usage
• Provides private sector with legal protections and “peace of mind.”

Courtesy of DHS

Examples of Critical Infrastructure Information

Protected information defined by the Critical Infrastructure Information Act includes:

• Threats – Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of a critical asset
• Vulnerabilities – Ability to resist threats, including assessments or estimates of vulnerability
• Operational experience – Any past operational problem or planned or past solution including repair, recovery, or extent of incapacitation

Any information normally available in the public domain will not be protected

Enhanced Critical Infrastructure Protection Visit

• Establishes and enhances DHS’s relationship with critical infrastructure owners and operators, informs them of the importance of their facilities, and reinforces the need for continued vigilance
• During an Enhanced Critical Infrastructure Protection (ECIP) visit, PSAs focus on coordination, outreach, training, and education
• ECIP visits are often followed by security surveys using the Infrastructure Survey Tool (IST) or Rapid Survey Tool (RST), or delivery of other IP services

Infrastructure Survey Tool

• The IST is a web-based vulnerability survey tool that applies weighted scores to identify infrastructure vulnerabilities and trends across sectors
• Facilitates the consistent collection of security information:
– Physical Security
– Security Force
– Security Management
– Information Sharing
– Protective Measures
– Dependencies

Infrastructure Survey Tool (cont.)

• Generates the Protective Measures Index and Resilience Measurement Index
• The tool allows DHS and facility owners and operators to:
– Identify security gaps
– Compare a facility’s security in relation to similar facilities
– Track progress toward improving critical infrastructure security

Infrastructure Survey Tool (cont.)

• The Dashboards highlight areas of potential concern and feature options to view the impact of potential enhancements to protection and resilience measures
• The written report, developed from the IST data, contains a description of the facility and its vulnerabilities as well as recommendations to mitigate identified vulnerabilities

Courtesy of DHS

IST Survey Data Categories

• Facility Information
• Contacts
• Facility Overview
• Information Sharing*
• Protective Measures Assessment*
• Criticality*
• Security Management Profile*
• Security Areas/Assets
• Additional DHS Products/Services
• Criticality Appendix
• Images
• Security Force*
• Physical Security*
• Building Envelope
• Delivery/Vehicle Access Control
• Parking
• Site’s Security Force
• Intrusion Detection System (IDS)/Closed-Circuit Television (CCTV)
• Access Control
• Security Lighting
• Cyber Vulnerability
• Dependencies*

* Comparative analysis provided

Dashboards and Information Sharing

Greater understanding of the most significant changes and trends.

Notional Information

Areas individually separated into Physical Security, Security Management, Security Force, Information Sharing, and Protective Measures. Owner/Operator can make adjustments and see improvements to individual area and overall Protective Measure Index (PMI).


Dashboard – Physical Security

Example

Notional Information

Infrastructure Visualization Program

Infrastructure Visualization Program (IVP)

• A data collection and presentation medium that supports critical infrastructure security, special event planning, and response operations by leveraging assessment data and other relevant materials
• Integrates assessment data with immersive video, geospatial, and hypermedia data
• Assists facility owners and operators, local law enforcement, and emergency response personnel to prepare for, respond to, and manage critical infrastructure, National Special Security Events (NSSEs), high-level special events, and contingency operations

Infrastructure Visualization Program (cont.)

Regional Resiliency Assessment Program

• The Regional Resiliency Assessment Program (RRAP) began in 2009 as a pilot program out of efforts to assess security of individual critical assets
• The goal is to identify opportunities for regional homeland security officials and critical infrastructure partners to strengthen resilience to all hazards
• The RRAP process identifies critical infrastructure security and resilience gaps; dependencies; interdependencies; cascading effects; and State, local, tribal, and territorial government capability gaps

Regional Resiliency Assessment Program (cont.)

• The RRAP process identifies critical infrastructure security, resilience, dependencies, interdependencies, cascading effects, and State, local, tribal, and territorial agency capability gaps
• Conducted 57 RRAP projects from Fiscal Year (FY) 2009 through FY 2015
• Diverse and dynamic set of critical infrastructure topics, sectors, and regions

TRIPwire: Technical Resource for Incident Prevention

• Secure information sharing platform for IED incident information, evolving IED tactics, lessons learned, and counter-IED preparedness information
• Builds knowledge and preparedness capabilities, filling vital gaps in information sharing

Courtesy of TRIPwire

Counter-IED Training & Awareness

• Diverse curriculum of training designed to build counter-IED core capabilities, such as:
– Vehicle-Borne IED (VBIED) Detection
– Protective Measures
– IED Search Procedures
– IED Counterterrorism Detection
– Surveillance Detection
– Bomb Threat Management
• Increases knowledge and ability to detect, prevent, protect against, and respond to bombing threats

Courtesy of DHS OBP

Counter-IED Training & Awareness

Bomb-Making Materials Awareness Program (BMAP)

• Joint DHS-FBI program that promotes private sector point-of-sale awareness and suspicious activity reporting to prevent misuse of dual-use explosive precursor chemicals and components commonly used in IEDs
• Increases prevention opportunities by building a network of aware and vigilant private sector partners

Courtesy of DHS/FBI

NCCAD: National Counter-IED Capabilities Analysis Database

• The counter-IED capability and readiness assessment program uses a consistent, repeatable analytical methodology, field surveys, and web-accessible database for Bomb Squads, SWAT, Explosive Detection Canine Teams, and Public Safety Dive Teams
• Increases knowledge of counter-IED capabilities at the unit, State, regional, and national level in relation to relevant local or national preparedness goals
• Over 1,500 units assessed since 2005

Courtesy of NCCAD

NCCAD (cont.)

Case Study: NCCAD Use by the State of New York (NYS)

• NYS mandated use of NCCAD in Homeland Security Grant Program justifications:
– 2008, Bomb Squads
– 2011, Explosive Canine Detection Teams
– 2013, SWAT
• NYS’s NCCAD strategy addresses counter-IED capability gaps and directs investments on a State-wide basis
• Other states are looking to NYS as a model

Courtesy of New York State Homeland Security and Emergency Services

Courtesy of FBI

MJIEDSP: Multi-Jurisdiction IED Security Planning

• A systematic process fusing counter-IED education, capability analysis, training, and planning tailored to the unique requirements of high-risk jurisdictions providing:
– Enhanced multi-agency, multi-jurisdiction IED prevention, protection, and response capabilities
• Integrated with National Preparedness System, including grant process and regional planning
• Over 75 workshops with after-action reports since 2007

Courtesy of DHS OBP

Homeland Security Information Network (HSIN)

• HSIN (https://hsin.dhs.gov/) is DHS’s primary technology tool for trusted information sharing
• HSIN – Critical Infrastructure (HSIN-CI) enables direct communication between:
– DHS
– Federal, State, and local governments
– Critical infrastructure owners and operators
• Content includes:
– Planning and Preparedness
– Incident Reporting and Updates
– Situational Awareness
– Education and Training


InfraGard

https://www.infragard.org

InfraGard is an information-sharing and analysis effort serving the interests of and combining the knowledge base of a wide range of members

At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and the private sector

InfraGard is an association of businesses, academic institutions, State and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States

Infrastructure Protection Report Series

• Increase awareness of the infrastructure mission and build a baseline of security and resilience knowledge throughout the Nation
• Identify Common Vulnerabilities, Potential Indicators of Terrorist Activity, and associated Protective Measures, along with actions that can be undertaken to enhance resilience

Courtesy of DHS


DHS Cyber Security Evaluations


DHS Cyber Security Evaluations


Summary

Facilitate local field activities in coordination with other DHS offices

Provide partners with effective vulnerability and gap analyses, bombing prevention capability analyses, and the development of protective measures to identify emerging needs and areas for investment

Through data collection, assessment, and analysis, DHS can generate products for Federal, State, and local officials and private sector owners and operators that drive initiatives, such as infrastructure protection grant programs and research and development requirements


How Can You Help?

Engage with PSAs and other partners on critical infrastructure protection programs and initiatives

Encourage participation in efforts to identify, assess, and secure critical infrastructure in your community

Communicate local concerns related to critical infrastructure protection

Enhanced security and resilience depends on developing and strengthening partnerships between all entities with a role in critical infrastructure protection

For more information, visit: www.dhs.gov/critical-infrastructure

Chad Johnston
Protective Security Advisory - [email protected]

Physical Security Perimeters under CIP Version 5/6

Under CIP-006 Versions 1 through 3, Requirement R1, Registered Entities were required to have a physical security plan that ensured all Cyber Assets within an Electronic Security Perimeter resided within an identified Physical Security Perimeter (PSP). The PSP had to be a fully enclosed six-wall boundary with identified and controlled access points. CIP-004 Versions 1 through 3 required personnel with access to the protected Cyber Assets to undergo a personnel risk assessment and security training before access was granted. There was a formal definition of Physical Security Perimeter, very similar to the CIP Version 5/6 definition. The definition and explicit requirements of the Standards were sufficiently permissive as to allow an overarching Physical Security Perimeter, such as an entire building, with zoned access areas therein.

With CIP Versions 5 and 6, the expectations surrounding the physical protection of certain Cyber Assets subject to the CIP Standards have been tightened down. The requirements for completion of training and the PRA before granting access are essentially unchanged. However, the concept of zoned access areas within the PSP is no longer allowed by the strict language of the Version 5/6 Standards. This white paper outlines the new physical access control expectations applicable to High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity, and their associated Electronic Access Control or Monitoring Systems (EACMS) and Protected Cyber Assets (PCAs).

First, the definition of Physical Security Perimeter was revised to be “the physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control Systems reside, and for which access is controlled.” Does this, by itself, support the position that zoned access is not permitted within a more broadly defined and documented PSP? No, it does not clearly do so. It simply establishes that you have to define a boundary around BES Cyber Assets, BES Cyber Systems, and Electronic Access Control Systems, and you have to control access into that boundary. The definition of PSP serves as a foundation for the Requirement Parts, themselves. The zone issue is revealed in the language of the relevant Requirement Parts, cited below.

CIP-006-5/6, Part 1.2 is applicable to Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS and PCAs. The Part requires the entity to “utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.”

CIP-006-5/6, Part 1.3 is applicable to High Impact BES Cyber Systems and their associated EACMS and PCAs. The Part requires the entity to “where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.”

The pertinent parts of the requirement statements are highlighted in red. Basically, both Parts 1.2 and 1.3 require the entity to allow unescorted physical access to only those individuals who have authorized unescorted physical access to the BES Cyber Systems and their associated EACMS and PCAs located within the defined boundary. All others must be treated as visitors with ingress/egress logging and continuous escort. And this is where the language of the Requirement Part is important. Consider the following drawing of the Registered Entity’s facility with the PSP noted:

The Registered Entity has declared the majority of the building containing High Impact BES Cyber Systems as a PSP and has documented the PSP with the red border depicted. The building has a number of rooms with floor-to-ceiling walls and single or double-wide doors. The small red symbols next to perimeter doors identify where dual factor card readers have been placed to control access into the defined PSP. The small green symbols next to certain doors identify where single factor card readers have been placed. There are six rooms of significance, labeled with “A”, “B”, “C”, “D”, “E”, and “F”. Room A is the data center. Room B is the Transmission Operations Control Center. Room C is the Generation Operations Control Center. Room D is the networking/telecommunications equipment room. Room E is the battery room. And Room F is the UPS room. The remaining spaces on the floor are common spaces such as the restrooms, conference rooms, offices, and the break room. There are BES Cyber Systems in Rooms A, B, C, and D. For the purposes of simplifying this example, accept that the Registered Entity has authorized four employees to have unescorted access into the defined PSP. James is a Transmission Operator. George is a Generation Operator. Frank is the System Administrator. And Allen works in the Facilities department and maintains the UPS and batteries.

[Figure: floor plan of the Registered Entity’s facility showing the documented PSP (red border) and Rooms A through F]

With the PSP defined as drawn, the Registered Entity has declared a single PSP encompassing all of the access-controlled spaces within the PSP. Per the referenced Requirement Parts, the Registered Entity must restrict access into the PSP to only those personnel with authorized unescorted access. The expectation is that once inside, any person with authorized unescorted access into the PSP can essentially go anywhere within the PSP. After all, the individual is authorized to be there without escort and to have authorized unescorted physical access to the BES Cyber Systems, EACMS, and PCAs within the PSP. While there are card readers controlling entrance into the six labeled spaces, all four employees are authorized unescorted access to the BES Cyber Systems, EACMS, and PCAs within the PSP, and the additional card readers are superfluous from a CIP compliance point of view. So, if the Registered Entity allows anyone who has authorized access into the PSP to go anywhere within the PSP, or at least anywhere where BES Cyber Systems and their associated EACMS and PCAs are located, there is a single PSP and the Registered Entity’s documented PSP and accompanying controls are compliant.

But, that is not the case. George, who performs the generation operations functions, cannot enter the Transmission Operations Control Center (Room B) because his responsibilities also include an aspect of market operations. He can only access the common spaces and the Generation Operations Control Center (Room C) where his operator console is located. James works in the Transmission Operations Control Center and thus has access to Room B and the common spaces. Because James is not also performing market functions, he is not prohibited by FERC regulations from entering the Generation Operations Control Center, but the Registered Entity has determined to require Transmission Operations personnel to be treated as visitors in the Generation Operations Control Center. James does not have authorized unescorted access into the Generation Operations Control Center (Room C). Neither George nor James has been given access into the data center (Room A). They also do not have access into the networking/telecommunications room (Room D), the battery room (Room E), or the UPS room (Room F).

Frank, the system administrator, is authorized to go anywhere in the building, including all six of the labeled rooms. Allen, who works in the Facilities department, is only authorized access into the UPS and battery rooms (Rooms E and F). And, in keeping with the mixed authorizations, the Registered Entity has placed card readers at all of the doors into the six labeled rooms and has coded the applicable access rights onto each of the four employees’ badges.

Now, let’s revisit the Requirement Part. The requirement is to allow unescorted physical access into the PSP to only those individuals who have authorized unescorted physical access. That is clearly stated in the language of Requirement Parts 1.2 and 1.3. And, the PSP is “the physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control Systems reside, and for which access is controlled” per the definition of PSP. All four employees are permitted access into the building itself, with free access to all of the common spaces. The Registered Entity can and has declared the building, with the exception of the reception area, as a PSP, as depicted in the diagram, with the boundaries as shown in red. So far, so good, but it does not stop there. Remember, James, George, Frank, and Allen are the only company employees who have authorized unescorted access into the depicted PSP, but not everyone has full access everywhere within the documented PSP. Anyone without authorized unescorted access into an access-controlled space containing BES Cyber Systems, EACMS, or PCAs must be treated as a visitor.

There are four zones within the PSP documented by the Registered Entity, each with different access permissions. The access permissions coded on the four employees’ badges are as follows:

|        | Building | Zone 1 | Zone 2 | Zone 3 | Zone 4 |
| James  | X        |        | X      |        |        |
| George | X        |        |        | X      |        |
| Frank  | X        | X      | X      | X      | X      |
| Allen  | X        |        |        |        | X      |

The four zones configured in the Physical Access Control System are:

1. Rooms A and D
2. Room B
3. Room C
4. Rooms E and F

Because of where the BES Cyber Systems, EACMS, and PCAs are located, and the way access is granted, the Registered Entity now has a choice. They can, and should, continue to control access to the entire building. But, since there are no BES Cyber Systems, EACMS, or PCAs in the common spaces, the building overall really does not have to be declared a PSP. But, in consideration of CIP-006-6, Part 1.10, it is still a good idea to declare the majority of the building a PSP so that the data cabling between the data center and the two Control Centers is protected as the cabling traverses the corridor between Room A and Rooms B and C.

Rooms B and C are each a PSP since there are different authorized unescorted access permissions. Rooms A and D can be combined into a single PSP since anyone with access into the data center (Room A) also has unrestricted access into the networking/telecommunications room (Room D). The Registered Entity has chosen to restrict access into the UPS and battery rooms (Rooms E and F), but since there are no BES Cyber Systems, EACMS, or PCAs in those two rooms, they are not a CIP-required PSP. So, the three PSPs that must be defined are:

1. Rooms A and D
2. Room B
3. Room C
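The zone analysis above, worked through as an added example that is not part of the white paper: it takes the badge table and Physical Access Control System zones from the example facility, lists where a single building-wide PSP is contradicted by the badge coding, and derives the zones that must be documented as PSPs. The function names are hypothetical, and treating each configured zone as the unit of a PSP is an assumption of this sketch.

```python
"""Derive the CIP-006 PSPs implied by a zoned badge configuration.

Constructed data mirroring the white paper's example (Rooms A-F, four
employees). All function and variable names are hypothetical.
"""

# Rooms that contain BES Cyber Systems, EACMS, or PCAs (per the example).
ASSET_ROOMS = {"A", "B", "C", "D"}

# Zones configured in the Physical Access Control System.
ZONES = {
    "Zone 1": {"A", "D"},
    "Zone 2": {"B"},
    "Zone 3": {"C"},
    "Zone 4": {"E", "F"},
}

# Badge coding from the access-permission table ("Building" = outer perimeter).
BADGES = {
    "James": {"Building", "Zone 2"},
    "George": {"Building", "Zone 3"},
    "Frank": {"Building", "Zone 1", "Zone 2", "Zone 3", "Zone 4"},
    "Allen": {"Building", "Zone 4"},
}


def authorized(zone, badges=BADGES):
    """People whose badge grants unescorted access to the given zone."""
    return frozenset(p for p, granted in badges.items() if zone in granted)


def single_psp_gaps(outer="Building", zones=ZONES, badges=BADGES,
                    asset_rooms=ASSET_ROOMS):
    """(person, room) pairs where someone authorized into the outer PSP is
    blocked from an asset room inside it: evidence of zoned access."""
    gaps = []
    for person in sorted(authorized(outer, badges)):
        for zone, rooms in sorted(zones.items()):
            if person not in authorized(zone, badges):
                gaps.extend((person, room) for room in sorted(rooms & asset_rooms))
    return gaps


def required_psps(zones=ZONES, badges=BADGES, asset_rooms=ASSET_ROOMS):
    """Every access-controlled zone holding applicable Cyber Assets is a PSP.
    Zones without such assets (the UPS and battery rooms) are left out."""
    psps = {}
    for zone, rooms in sorted(zones.items()):
        if rooms & asset_rooms:
            psps[zone] = {
                "rooms": sorted(rooms),
                "unescorted": sorted(authorized(zone, badges)),
            }
    return psps


def must_escort(person, zone, badges=BADGES):
    """True if the person has to be logged and escorted as a visitor."""
    return person not in authorized(zone, badges)


if __name__ == "__main__":
    gaps = single_psp_gaps()
    print(f"{len(gaps)} badge/room mismatches inside the building-wide PSP:")
    for person, room in gaps:
        print(f"  {person} cannot enter Room {room} unescorted")
    print("PSPs that must be documented:")
    for zone, info in required_psps().items():
        rooms = ", ".join(info["rooms"])
        people = ", ".join(info["unescorted"])
        print(f"  {zone}: Rooms {rooms}; unescorted access: {people}")
```

Any non-empty result from `single_psp_gaps` means the documented single PSP does not match how access is actually granted; `must_escort` then identifies who needs visitor logging and escort at each derived PSP.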

The Registered Entity has implemented access controls to define the three zone areas on the floor as PSPs, and the four employee badges have been coded with the authorized access zones. The Registered Entity has also chosen to continue declaring the majority of the building a PSP after considering the implications of CIP-006-6, Part 1.10. To be compliant with the requirement, the Registered Entity needs to update its floor diagram to reflect the three additional PSPs as shown below and to replace the controlling single factor badge readers with dual factor badge readers. The Registered Entity also needs to establish visitor access controls and logging for each of the three additional PSPs. The three zones that must be PSPs at a minimum are shown in blue and the dual factor badge readers into the defined PSPs are indicated by the small red symbols in the following diagram.

[Figure: floor plan of the facility showing the three additional PSPs (blue) around Rooms A and D, Room B, and Room C, with dual factor badge readers marked in red]

Registered Entities with Cyber Assets subject to CIP-006, Versions 5 and 6, Requirement Parts 1.2 or 1.3 are strongly encouraged to review their current Physical Security Perimeter Design and revise their protection controls as necessary to comply with the expectations of the New CIP Standards.

Page 150: Welcome to the CIP Workshop! - Southwest Power Pool cip workshop... · 2016. 5. 24. · Welcome to the CIP Workshop! SPP.org ->Regional Entity ->2016 CIP Workshop to: • Download

May 24, 2016

1

Protecting your Physical Security Perimeter (PSP)

Steven Keller

Lead Compliance Specialist - [email protected]

Discussion Topics

• PSP Under CIP V3

• PSP Under CIP V5 Revision (High and Medium)

– Requirements of your PSP

– 1 PSP

– 2 PSPs

– Two Factor authentication

PSP under V3

• PSP Requirements under V3

– Create a Plan

– “Six-wall” border: The physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled.

– Identification of Access Points

– Physical Access Controls

– Physical Access Control Systems

– Monitoring and Logging

PSP under V5 Revisions

• PSP Requirements under V5 Revision

– New definition of Physical Security Perimeter: The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.

– Similar Controls under V3

Logging and Monitoring

Controls to restrict access to BES Cyber Assets

Alerting to unauthorized access


CIP-006-5/6 Part 1.2

• Part 1.2 requires the entity to “utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.”

• Applicable to Medium Impact BES Cyber Systems with External Routable Connectivity and their associated Electronic Access Control or Monitoring System (EACMS) and Protected Cyber Asset (PCA)


CIP-006-5/6 Part 1.3

• The Part requires the entity to “where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.”

• Applicable to High Impact BES Cyber Systems and their associated EACMS and PCAs


Sample PSP Facility


[Figure: floor plan of the sample facility, Rooms A through F]

Scenario of Access defined.

Building Zone 1 Zone 2 Zone 3 Zone 4

James X X

George X X

Frank X X X X X

Allen X X

The four zones configured in the Physical Access Control System are:

1. Rooms A and D
2. Room B
3. Room C
4. Rooms E and F

PSP Zoned Access under CIP-006-5/6

[Figure: floor plan of the sample facility, Rooms A through F, showing zoned access]

Recap of the PSPs

• The three PSPs that must be defined are

– Rooms A and D

– Room B

– Room C


Low Impact PSP


• Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any

• Does not require logging and access control systems as High/Medium does

• Simple as a locked door or a chained fence


How not to Protect your PSP


Helpful Resources

• NERC V5 Page

• SPP RE CIP V5 Guidance Page

– Contains links to:

NERC Version 5 Transition Home Page

FERC CIP Version 5 Filings

SPP RE presentations, webinars, and videos

SPP RE CIP Team

• Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251

• Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273

• Steven Keller, Lead Compliance Specialist-CIP, (501) 688-1633

• Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676

• Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301

• Sushil Subedi, Compliance Specialist II-CIP, (501) 482-2332

Patch Management Outside Control Center

May 24, 2016

Taking Reliability to heart.

2016 SPP RE CIP Workshop


Westar’s Medium Impact Substations

• Medium Impact Substations

• No External Routable Connectivity

• Multiple Vendors (ABB, SEL, GE)

• Multiple Versions of firmware


Initial Security “Patch” Evaluation

• Locate current firmware installed

• Contact vendors to collect current firmware version

• Review the version upgrades in between to determine if any were security related.


Firmware Evaluation


Vendor Information


Device Information


Firmware Installation or Mitigation

• Create Mitigation Plan

• Develop remediation until upgrade can be installed

• Work with Operations to determine when outage can be taken

• Determine installation date

• Upgrade firmware version

• Document in work order system

For devices not evaluated previously…

When does the 35 day evaluation start?

• July 1, 2016

• Recommend start early


Questions

[email protected]

785.575.1852


CIP-014-02 Physical Security Site Visits

Carl Herron, Principal CIP- Physical Security Advisor (NERC)

CIP-014-02 Site Visits

• Voluntary and Informal (NERC and Regions)

• Seventeen Entities in five different Regions visited, as of February 2016.

• Discuss plans and challenges for implementation of CIP-014-02

• Provides opportunity for collaborative discussion regarding the requirements

• Focus on security plan effectiveness

RELIABILITY | ACCOUNTABILITY

CIP-014-02 Site Visits

• Remarkable progress

• Physical security plans focused on mitigating risks from specific threats

• Commitment to purpose of the standard very encouraging to the ERO Enterprise

• Coordination and outreach from 2015 to inform 2016 approach

• Regional Entity workshops

• Collaboration with industry groups on guidance as necessary

• Critical Infrastructure Protection Committee working groups

• Webinars

CIP-014-02 Site Visits

• Common Theme:

– Timelines for implementing security and resiliency measures.

– Third party reviewer – can third party participate in R4 and R5.

– Scope of security plans.

– Defining characteristics of the assets identified as required by R1.

– What data and security plan information will be requested.

– Insider threat concerns.

– Confidentiality of CIP-014 sites and information.

– Multiple owners of critical sub stations.

– Tiered approach.

ERO to Monitor Implementation

• Number of assets critical under the standard

– Per Region

– Q4 2015 – Q1 2016

• Defining characteristics of the assets identified as critical

– Per Region

– Q4 2015 – Q1 2016

• Scope of security plans

– By Q4 2016

– Information obtained

– Guided Self-Certs, Off-site Audits, Audits

– Consider compliance monitoring schedule

Timing and Approach

• Self-certification timing

– November 2015: Communicated in CMEP Implementation Plan.

• March 15, 2016: Notice to all TOs, including request for answers to the limited questions.

• Webinar March 17, 2016 over 200 participants.

• May 2, 2016: Information due from all TOs.

• FERC Audits in 2016 in coordination with the ERO Enterprise.

• Minimize duplication of efforts.

R4 Threat and Vulnerabilities Assessment

• Threat Assessment – Tools and Methods

– Industry history.

– Company/Substation history and Incidents.

– Fusion Centers.

– Design Basis Threat (DBT) - EISAC.

– OE-417 Electric Disturbance Events Report.

R4 Threat and Vulnerabilities Assessment

• Vulnerabilities Assessment – Considerations

– Security Gaps Physical/Human.

– Policy and Procedures.

– Geographic Challenges.

R5 Security Plan

• Security Plans should address Threats and Vulnerabilities identified.

• Two part plan - security response and security measures.

• Detect and Response.

[Diagram labels: Threats/Vulnerabilities, Security Plan, Security Measures]


R4 Threat and Vulnerabilities Assessment


Quarterly Report to BOT

• Quarterly report to the Board of Trustees on progress and review of industry implementation of CIP-014-2.

• Number of assets critical under CIP-014-2.

• Defining characteristics of asset identified as critical.

Quarterly Report to BOT

• Scope of security plans (security measures and response).

• Timeline for implementation of security measures.

Methodology for CIP-005-5 R2 - Interactive Remote Access Management

• Fully meets or exceeds the intent of CIP-005-5 R2

• R2.1 – Utilizes an intermediate server (Jump host)

• R2.2 – Utilizes encryption

• R2.3 – Provides second unique factor of authentication (something you know, have, or are)

• Simplistic solution to implement and maintain

• Easy administration and scalability

• Minimal learning curve for interactive access users

• Must support RDP and SSH protocols

Pros

• Push notifications eliminate passcode hassles

• Supports a wide-variety of technologies

• No need for extra token device

• Intuitive administration interface (duosecurity.com)

• Easy to set up new users

• Simple and scalable licensing model

Cons

• Dependencies:

– third-party servers

– corporate internet connection

– reliable cellular or Wi-Fi connection for smartphone

• Connectivity could fail at a critical time (must have a contingency in place)

• New policies surrounding loss of users’ (often personal) smartphone?

Duo push authentication

[Screenshots: 1st Authentication (Active Directory), 2nd Authentication (Duo Push) and 2nd Authentication (Duo App), for RDP, SSH and Smart Phone]


Remote Access for EMS Vendors

Mike Lotz

CIP Cybersecurity Coordinator

Independence Power & Light


IPL’s EMS Vendor

• Open Systems International (OSI)

• Quick on-site support is not logistically possible

• High network availability requires 24x7 phone and remote support

• Remote access is a must when EMS issues arise

CIP Technical Requirements

• CIP-005-5 R2

– High Impact BES Cyber Systems and their associated: PCA

– Medium Impact BES Cyber Systems with External Routable Connectivity and their associated: PCA

• Part 2.1

– Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

• Part 2.2

– For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.

• Part 2.3

– Require multi-factor authentication for all Interactive Remote Access sessions.


OSI’s Remote Access Solution

• Bomgar is used for OSI support

– Allows IPL to share screens with OSI technicians on a view only or control basis for troubleshooting

– Bomgar is hosted at OSI

– IPL and OSI electronically log remote access account usage

– Bomgar is used in a multitude of industries


CIP Access Prerequisites

• Prior to granting remote access to OSI technicians

– Approved OSI Personnel Risk Assessment must be verified

– INDN’s CIP training must be completed

– An INDN access form must be completed and approved


Remote Access Process

• At the pre-arranged support time

– An OSI technician will enter the secure operation center using their employee badge

– IPL calls OSI’s main telephone number, then the extension of the OSI technician

– IPL verifies the full name of the OSI technician

Remote Access Process

• Authorized IPL employee

– Authenticates to their corporate computer

– Utilizes an encrypted multi-factor authenticated session to the IPL Intermediate System located in the IPL DMZ

– Navigates to OSI’s https site, using a web browser from the IPL Intermediate System

Remote Access Process

• Authorized OSI technician (inside physically secured operations center)

– Authenticates to their remote access system

– Provides IPL a unique Bomgar session ID over the phone

• IPL accepts the encrypted Bomgar session with either view or control access


Remote Access Process

• OSI is now viewing IPL’s Intermediate System

• From the Intermediate System, OSI uses an RDP session and authenticates into the desired system in the IPL ESP

• Upon session completion IPL will disable the account used by OSI and change the password


Multi-Layered Remote Access Security

• IPL initiates contact with OSI for remote support

• OSI ad-hoc remote access is not allowed

• IPL and OSI physically secure the systems used for remote access

• Only authorized OSI technicians are allowed access

• IPL manages the OSI support account and password

Multi-Layered Remote Access Security

• Remote access of IPL’s EMS can only occur from inside OSI’s secured operations center

• Multi-factor authentication is used to connect to the INDN Intermediate System over encrypted connections

• IPL allows view only access, unless control access is absolutely needed

• At any time, IPL can stop the Bomgar session or limit the access to view only
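The remote access process and layered controls described in these slides can be checked after the fact against session records. The following is an added example, not IPL's or OSI's tooling: it audits one vendor support session for a utility-initiated call, multi-factor and encrypted login to the Intermediate System, access into the ESP only from the Intermediate System, and disabling the support account and changing its password afterwards. The event types and field names are constructed and are not the log format of any remote-support product.

```python
"""Audit one vendor remote-support session against the documented process."""

# Constructed event records; event types and field names are hypothetical.
COMPLIANT = [
    {"t": 1, "event": "support_call_placed", "by": "utility"},
    {"t": 2, "event": "intermediate_login", "mfa": True, "encrypted": True},
    {"t": 3, "event": "vendor_session_start", "mode": "view"},
    {"t": 4, "event": "esp_rdp_login", "source": "intermediate",
     "account": "vendor-support"},
    {"t": 5, "event": "vendor_session_end"},
    {"t": 6, "event": "account_disabled", "account": "vendor-support"},
    {"t": 7, "event": "password_changed", "account": "vendor-support"},
]

DEVIATING = [
    {"t": 1, "event": "intermediate_login", "mfa": False, "encrypted": True},
    {"t": 2, "event": "vendor_session_start", "mode": "control"},
    {"t": 3, "event": "esp_rdp_login", "source": "corporate-workstation",
     "account": "vendor-support"},
    {"t": 4, "event": "vendor_session_end"},
    {"t": 5, "event": "account_disabled", "account": "vendor-support"},
]


def audit_session(events):
    """Return a list of findings; an empty list means the process was followed."""
    findings = []
    call_seen = False
    session_ended = False
    used_accounts, disabled, rotated = set(), set(), set()

    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["event"]
        if kind == "support_call_placed" and ev.get("by") == "utility":
            call_seen = True
        elif kind == "intermediate_login":
            if not ev.get("mfa"):  # Part 2.3
                findings.append("intermediate login without multi-factor authentication")
            if not ev.get("encrypted"):  # Part 2.2
                findings.append("intermediate login over unencrypted connection")
        elif kind == "vendor_session_start":
            if not call_seen:  # ad-hoc vendor access is not allowed
                findings.append("vendor session without a utility-initiated support call")
            if ev.get("mode") == "control":  # view only is the default
                findings.append("control access granted; confirm view only was insufficient")
        elif kind == "esp_rdp_login":
            used_accounts.add(ev["account"])
            if ev.get("source") != "intermediate":  # Part 2.1
                findings.append(
                    f"ESP login from {ev.get('source')} bypasses the Intermediate System"
                )
        elif kind == "vendor_session_end":
            session_ended = True
        elif kind == "account_disabled" and session_ended:
            disabled.add(ev["account"])
        elif kind == "password_changed" and session_ended:
            rotated.add(ev["account"])

    # Every account the vendor used must be disabled and have its password changed.
    for account in sorted(used_accounts):
        if account not in disabled:
            findings.append(f"{account}: not disabled after the session")
        if account not in rotated:
            findings.append(f"{account}: password not changed after the session")
    return findings


if __name__ == "__main__":
    for name, events in (("compliant", COMPLIANT), ("deviating", DEVIATING)):
        print(name, audit_session(events) or "no findings")
```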


Questions


5/11/2016

Cybersecurity Awareness

Keeping your audience engaged and aware

Donna Maskil-Thompson, CIP Senior Manager

SPP CIP Workshop - May 2016

© 2016 BPU - Public

Also known as…

“How I learned to Stop Worrying and Love Cybersecurity Awareness” - Bobby Gray – BPU NERC Compliance Officer, 2015


Agenda

• Creating a Strategy

• Instructional Design – ADDIE Model

• Adult Learner Characteristics

• Measuring Effectiveness of Program

• Addendum - Examples BPU Cybersecurity Awareness Program

Create a Strategy

• Topics and Themes

• Tools and Resources

• Frequency

• Re-evaluate every 90 days


Instructional Design – ADDIE Model

Analyze

Design

Develop

Implement

Evaluate


Analyze

• Who needs to be trained? (Identify Roles)

– Audience Characteristics

– Prior knowledge and skills

• What information do they need to understand?

– Goals and Objectives

• Learning Environment

– Class size, Type of instruction etc.

– Timeline


Adult Attention Span

Attention Span – 8 minutes

“Is this worth my time?”


Adult Learning Styles

• Visual – remember what they have read, seen

• Auditory – remember things through hearing or saying out loud

• Kinesthetic (Tactile) – remember through experience, feelings

Time limits

Break presentations into a series of 5 minute experiences

Try and limit your presentation to 20 minutes

Solve a Problem

• Use real examples

• Give solutions to solve real problems

• Request Feedback. Encourage Self-Reporting

Earn Respect

“Seek respect, not attention. It lasts longer.”

― Ziad K. Abdelnour


Lighten up

“No one will ever claim that they experienced Death By PowerPoint because they felt like dying due to excessive fun during a presentation”

- Leslie Belnap

Source: How-to Conquer Short Attention Spans, 2015

Adult Learning Theory - Design

• Be collaborative

• “Voluntary Participation” – it must fit their needs!

• “Mutual respect” – Know your audience

Resource: Understanding and Facilitating Adult Learning, Stephen Brookfield, 1991


Remember

Do not read your slides verbatim!

Address audience needs

Take feedback seriously and edit


Training Needs Assessment

1. Schedule a meeting with sample audience

2. Brainstorm - Determine common themes and topics.

3. Determine which areas/needs are most important

4. Determine the desired outcomes from the training to address these needs.

Outcomes = measures of success (validation)


Needs Assessment Checklist

Know what the organization is trying to accomplish.

Know the history of training within the organization.

What "needs" will be addressed by the training?

Any recent process or procedure changes? Incidents or process failures?

What resources are available for training?

Who needs to be trained?

Who can serve as subject matter experts?

Are any staff going to do the training?

Which companies provide training materials?

What are the Knowledge, Skills, and Abilities?

Review Job Descriptions and Org Charts.

Analyze - Developing a Strategy

List 3 objectives of your Cyber Security Awareness Program

Examples:

• Protect the confidentiality, integrity and availability of BES Cyber Systems and related Information.

• Minimize cost of security incidents and potential issues of non-compliance.

• The human factor – ensure every employee knows that security is their responsibility.

Attendance or completion of mandatory training should not be considered an objective!


Design

• Determine instructional methods

• Design an Assessment Plan and Course Outline

• Create “Storyboards”/Prototypes

– Narratives – Scenarios – Stories

– Abstract Concepts

– Parts and Components

– Motion and Paths

– Maps, Charts and Statistical Data

– Concrete Ideas

– Metaphors

• Think about what engages your audience

Design – for the User

• Look and Feel

• User interface

– Graphics, Animation, Sound

– Pop culture vs Employee “Actors”

• Modules by Theme or Complete Program?

• KEY – Make it memorable


Design

• Communicate Policy/Regulations

– Entertain

– Engage

– Reward


Develop

• Create the syllabus

• Develop Course (from the Storyboards)

– Powerpoint, PDF, etc.

– Use color, graphics, gamification!

• Develop Assessment items

Think of training aids and other learning materials


Expert Knowledge

• FBI, US-CERT

• Cybersecurity Product Demos/Blogs

• Professional groups

– ASIS

– ISACA

– ISC2

– IASAP


In the News


Source: www.informationisbeautiful.net


Implement

• Put the Plan into action

• Train the Trainer

• Launch Course


Evaluation

Formative Evaluation

• Monitors learning to provide feedback – point in time

• Identifies strengths and weaknesses/target areas

• Use for “test” or “sample” group before rolling program out to entire audience

Summative Evaluation

• Evaluate student learning at the end of the course

• Compares to another standard or benchmark

• Example – 100% Assessment Scores

Survey your audience – collect feedback and revise as needed!


Measuring Effectiveness

How do you measure effectiveness?

• Internal Control Testing

• Maturity Models

• Analysis of Incident reports


Internal Controls

• The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

Reference - ISACA Glossary - (formerly known as Information Systems Audit and Control Association)

Writing Control Objectives

• What is the objective of this control?

– Prevent

– Detect

– Correct

• How does it effectively mitigate risk?

– SMART criteria


Source: ISACA Online, COBIT 5 https://cobitonline.isaca.org/books/framework/pdf/framework-chapter08-section02.pdf


COBIT 5 vs COBIT 4.1

COBIT 5 Maturity Model (explained) COBIT 4.1 Maturity Model


Cybersecurity Capability Maturity Model (ES-C2M2)


Analysis of Incidents – RCA

Root Cause Analysis (RCA) involves investigating the patterns of negative effects, finding hidden flaws in the system, and discovering specific actions that contributed to the problem.


In closing…

Users want to learn something they can use

You can make Cybersecurity FUN

Keep it current with the news.

MAKE IT INTERESTING.


Questions


Addendum

The following slides are examples from BPU’s Cybersecurity Awareness Program

If you wish to reuse any of the materials, please notify BPU Compliance team via email ([email protected])


BPU Topics (Sample)

• Social Engineering – Phishing/Spearphishing

• Passwords

• Mobile Device Security

• Incident Reporting and Response

• Physical Security

• June – Phish Week (same time as Shark Week)

• September – National Emergency Preparedness Month

• October – Cybersecurity Awareness Month

© 2016 BPU - Confidential 38


Phishing


Cybersecurity Awareness Month

October 1-2 – Stop. Think. Connect. Best Practices for All Digital Citizens

This basic advice is a guiding principle so that we can navigate the Internet ‒ and our digital lives ‒ safely and more securely.

October 5-9 - Creating a Culture of Cybersecurity at Work

Provide resources that help BPU establish a culture of cybersecurity. Emphasis will focus on employee education and a risk management approach to cybersecurity

October 13-16 - Connected Communities and Families: Staying Protected While We Are Always Connected

We will share simple ways we can protect ourselves and those around us along with what we can do if impacted by a breach, cybercrime or other issue.

October 19-23 - Your Evolving Digital Life

Highlights where we were, where we are today and how we can keep our digital lives safer and more secure with emerging technology.

October 26-30 - Building the Next Generation of Cyber Professionals

Information about cybersecurity careers as well as the need for the ongoing Internet safety and security education toward building cyber-literate digital citizens.


Physical Security – Badges

• Wear your badge

• Do not leave in your car in plain view

• If someone asks to see your badge, show them.

• If you lose your badge, report immediately


Visitor Access Control

• Clearly identifies visitors

• Relationship between Safety and Security


Could CIP Standards have prevented the Ukraine Attack?

Kevin B. Perry

Director, Critical Infrastructure [email protected]


Ukraine Attack


Ukraine Attack

Anatomy of the Attack

• The technical components of the attack included:

– Spear phishing to gain access to the business networks

– Identification of BlackEnergy 3 at impacted oblenergos

– Theft of credentials from the business networks

– The use of virtual private networks (VPNs) to enter the ICS network

– The use of existing remote access tools or issuing commands directly from a remote station similar to an operator HMI

– Serial‐to‐ethernet communications devices impacted at firmware level

– The use of a modified KillDisk to erase master boot record of impacted organization systems as well as the targeted deletion of some logs

– Use of Uninterruptible Power Supply systems to impact connected load with a scheduled service outage

– Telephone denial‐of‐service attack on the call center


Ukraine Attack

The ICS Kill Chain


Ukraine Attack

Stage 1 - Reconnaissance

Attack Action

• No observation of reconnaissance activities by the targeted energy companies

• Reconnaissance is assumed to have occurred

• Three Oblenergos (distribution companies) targeted

• Targeting and final attack plans were highly coordinated

• Targets utilized high levels of automation in distribution systems, enabling the attack

Response

• CIP-011-2, R1: Information Protection Program

• Look beyond CIP Environment

• Public postings of corporate information including organizational information, job postings, procurement solicitations and announcements


Ukraine Attack

Stage 1 – Weaponization/Targeting

Attack Action

• Direct access to Internet-connected devices was not necessary

• Microsoft Office documents (Excel and Word) were embedded with Black Energy 3 malware

Response

• Cannot interdict the attackers at the point they are preparing the malware of choice

• Cannot assume next attack will use the same malware

• Black Energy 3 gave the attackers a foothold in the targeted companies’ networks


Ukraine Attack

Stage 1 - Deliver/Exploit/Install

Attack Action

• Malicious Office documents delivered via email in a Spear Phishing campaign

• IT network and admin personnel targeted

• Required recipients to open the infected attachments and then enable macros

• Enabling macros allowed Black Energy 3 to be installed on the victim’s PC

Response

• Disable Macros

• Application White Listing


Ukraine Attack

Stage 1 – C2 and Act

Attack Action

• The Black Energy 3 malware connected to command and control systems, allowing attackers to:

– Perform information gathering and enable access using available Cyber Asset functionality

– Move deeper into organization’s networks

– Blend into systems as authorized users

– Formulate a plan for Stage 2 of the attack

• For more than six months, the attackers were able to:

– Harvest user credentials

– Escalate privileges

– Laterally move around the network

– Discover systems and networks

– Establish a persistent presence


Ukraine Attack

Stage 1 – C2 and Act

Response

• Works primarily in the corporate network environment and would need to expand beyond BES operational technology environments for early interdiction

• CIP-003-6, R1: Cyber security policies and procedures are foundational to any cyber security program

• CIP-004-6, R1: Security Awareness programs should emphasize recognizing social engineering activities

• CIP-004-6, R2: Cyber security training, including incident response and recovery

• CIP-007-6, R2: Security patching closes exploitable vulnerabilities

• CIP-007-6, R3: Anti-malware deters malware exploits

• CIP-007-6, R4: Security monitoring and alerting

• CIP-007-6, R5: User access controls, including least privileges required

• CIP-008-5, R1: Incident response plans, including response to suspected or actual social engineering attempts

• CIP-009-6, R1: Recovery plans for restoring compromised Cyber Assets


Ukraine Attack

Stage 2 – Develop and Test

Attack Action

• Typically performed in the attacker’s networks, which limits visibility

• Attackers were able to:

– Interact with the three distinct Distribution Management System environments

– Develop malicious firmware for the serial-to-ethernet devices

– Practice

Response

• Attacker presence must be detected in the network during this stage of activities


Ukraine Attack

Stage 2 - Deliver

Attack Action

• Available functionality of Cyber Assets used to enter the environment permitting direct interaction with the ICS components

• VPN access used to get into the IT environment

• Looked like authorized users

• VPN tunnel was presumably encrypted, a normal feature of VPN access, masking attackers from observation

• Existing remote administration tools used to conduct the attack

Response

• CIP-004-6, R1: Awareness training should include recognition of suspicious activity and procedures for reporting it

• CIP-004-6, R2: Detailed cyber security training, appropriate for the operations staff, should include procedures for incident recognition and reporting


Ukraine Attack

Stage 2 - Deliver

Response (continued)

• CIP-004-6, R4: Quarterly access review detects unauthorized accounts and annual review detects unauthorized permissions

• CIP-005-5, R1: Tight ingress and egress firewall rules limit exploitable access paths to protected Cyber Assets

• CIP-005-5, R2: Multi-factor authentication of VPN access and use of an Intermediate System can prevent unauthorized Interactive Remote Access

• CIP-007-6, R1: Closing unnecessary ports reduces attack surface of Cyber Assets

• CIP-007-6, R4: Access monitoring can detect abnormal user activity

• CIP-007-6, R5: Strong user access controls, including least privileges and strong, regularly changed passwords, can reduce the risk of exploit

• CIP-008-6, R1: Robust incident response plan essential to early detection and interdiction

• CIP-010-2, R2: Monitoring for unexpected changes to baseline can detect malicious updates to Cyber Assets

• CIP-011-2, R2: Protection of BES Cyber System information, including operator instructions, can limit attacker’s ability to learn enough about a target system to craft a successful attack
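The access monitoring named under CIP-007-6, R4 above, sketched as an added example that is not part of the presentation: because stolen credentials used over the VPN "looked like authorized users", each session is compared with that account's own history and with the multi-factor requirement of CIP-005-5, R2. The log format, field names, account names and thresholds are assumptions, and all records are constructed.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed VPN records (assumed format): time, account, source IP, MFA result.
BASELINE_LOG = """\
2016-05-02T07:58:11 user=jsmith src=198.51.100.14 mfa=ok
2016-05-03T08:03:40 user=jsmith src=198.51.100.14 mfa=ok
2016-05-04T08:01:02 user=jsmith src=198.51.100.77 mfa=ok
2016-05-02T18:30:00 user=mlee src=203.0.113.9 mfa=ok
2016-05-03T19:10:25 user=mlee src=203.0.113.9 mfa=ok
"""
REVIEW_LOG = """\
2016-05-10T08:02:19 user=jsmith src=198.51.100.20 mfa=ok
2016-05-10T02:47:51 user=jsmith src=192.0.2.200 mfa=ok
2016-05-10T18:55:03 user=mlee src=203.0.113.9 mfa=none
2016-05-10T09:00:00 user=tnew src=203.0.113.50 mfa=ok
"""

def parse(log):
    """Yield (timestamp, user, source address, mfa result) per log line."""
    for line in log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield (datetime.fromisoformat(ts), kv["user"],
               ipaddress.ip_address(kv["src"]), kv["mfa"])

def build_baseline(log, prefix=24):
    """Per account: source networks and login hours seen in the baseline period."""
    nets, hours = defaultdict(set), defaultdict(set)
    for ts, user, src, _ in parse(log):
        nets[user].add(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        hours[user].add(ts.hour)
    return nets, hours

def hour_gap(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)

def review(log, nets, hours, hour_slack=1):
    """Return sessions that deviate from the account's baseline, with reasons."""
    findings = []
    for ts, user, src, mfa in parse(log):
        reasons = []
        if user not in nets:
            reasons.append("no baseline for account")
        else:
            if not any(src in net for net in nets[user]):
                reasons.append("new source network")
            if not any(hour_gap(ts.hour, h) <= hour_slack for h in hours[user]):
                reasons.append("unusual hour")
        if mfa != "ok":
            reasons.append("session without MFA")
        if reasons:
            findings.append((ts.isoformat(), user, str(src), reasons))
    return findings

if __name__ == "__main__":
    for finding in review(REVIEW_LOG, *build_baseline(BASELINE_LOG)):
        print(finding)
```

A valid password alone does not clear a session here; the findings are leads for the incident recognition and reporting procedures the slide lists, not verdicts.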


Ukraine Attack

Stage 2 – Install/Modify

Attack Action

• Attackers completed the Install/Modify steps

• Installed malicious software (customized KillDisk)

• Possible preparation to disrupt Uninterruptible Power Supply

• Possible positioning of malicious firmware for upload to serial-to-ethernet devices

• Control of the operator workstations, locking out operators from consoles

Response

• CIP-004-6, R1: Awareness training should include recognition of suspicious activity and reporting procedures

• CIP-004-6, R2: Detailed cyber security training, appropriate for the operations staff, should include procedures for incident recognition and reporting


Ukraine Attack

Stage 2 – Execute ICS Attack

Attack Action

• Attackers used operator console functionality (HMI) to open breakers in at least 27 substations across the three distribution companies

• Malicious firmware was uploaded to the serial-to-ethernet devices, effectively “bricking” the devices and disabling remote operational control of the substations

• Uninterruptible Power Supply systems were taken offline, killing power to the operational systems

• KillDisk wiped certain workstations, servers, and an HMI card inside an RTU, rendering the affected Cyber Assets unusable, and deleted logs and system events on other systems

• Customer Support Center phone system flooded with bogus calls (denial of service attack)


Ukraine Attack

Stage 2 – Execute ICS Attack

Response

• CIP-008-5, R1: Incident response plan should address a variety of events of varying severity and duration, including multi-system cyber attacks

• CIP-008-5, R2: Incident response plan should be regularly tested to determine effectiveness, as well as to train responders

• CIP-009-6, R1: Following a successful compromise of a Cyber Asset, system recovery plans necessary to restore Cyber Asset to normal functionality

– Recovery Plans should envision a variety of failure scenarios, up to and including catastrophic loss of the facility

– Recovery plans should consider prioritization of recovery in the event of multiple failures

• CIP-009-6, R2: Recovery plans should be tested, to include full system restoration, to verify plan feasibility and to train staff responsible for restoration activities


Ukraine Attack

For More Information

• Thanks to the Electricity Information Sharing and Analysis Center (E-ISAC) and the SANS Institute for collaboration on this presentation

– E-ISAC Contact Information:

Web site: https://www.esisac.com

Email: [email protected]

(404) 446-9780 #2

• Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case, March 18, 2016

– E-ISAC Secure Portal (requires user account): https://www.esisac.com/collaboration#/document/4185

– SANS Website (need to cut and paste into a browser): https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf


SPP RE CIP Team

• Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251

• Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273

• Steven Keller, Lead Compliance Specialist-CIP, (501) 688-1633

• Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676

• Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301

• Sushil Subedi, Compliance Specialist II-CIP, (501) 482-2332


May 25, 2016


Observations From Our CIP V5 Outreach Visits

Robert Vaughn, Compliance Specialist II – CIP

Shon Austin, Lead Compliance Specialist – CIP


Preface

The CIP team visited numerous Registered Entities during Version 5 outreach sessions over the past year, and we would like to share some observations


Observations

• Staffing

– CIP teams were either improperly staffed or lacked depth of personnel to the existing CIP team

– Many team members’ CIP duties were secondary to their main job

– Some Registered Entities have added to their CIP teams with contractors or hired specialized Subject Matter Experts (SMEs)

• Management Support

– Provide time to fully develop CIP process and procedures

– Many Registered Entities had a very strong “tone at the top” to promote CIP activities


Observations

• There was a lack of understanding of how to categorize risk and controls

– Understanding of performance and output

– Many Registered Entities were asking “What do I need to do to comply?”

• Lack of mature controls and processes

– No consistent and repeatable processes

– No development of a process trail: providing evidence to show compliance from A to Z


Observations

• Confusion regarding configuration/use of the Intermediate System

• Finding overly permissive firewall rules, especially in outbound rules

• Confusion over quarterly and annual access review expectations

• One Electronic Security Perimeter (ESP) spanning multiple geographically distant Physical Security Perimeters (PSPs)

• Virtualization
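The quarterly and annual access reviews named above, and under CIP-004-6, R4 in the Ukraine response slides, reduce to reconciling authorization records against what is actually provisioned. The following is an added example, not material from the presentation; the CSV layout, column names, account names and system names are assumptions, and the data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed authorization records: one row per approved privilege.
AUTHORIZATION_CSV = """user,system,privilege
jsmith,EMS-HMI-01,operator
mlee,EMS-HMI-01,operator
mlee,EMS-HMI-01,admin
mlee,HIST-01,read
"""
# Constructed export of the accounts and privileges actually provisioned.
PROVISIONED_CSV = """user,system,privilege
JSmith,EMS-HMI-01,operator
JSmith,EMS-HMI-01,admin
mlee ,EMS-HMI-01,operator
mlee,EMS-HMI-01,admin
svc_backup,HIST-01,read
svc_backup,HIST-01,write
"""

def load(text):
    """Map (user, system) -> set of privileges. Names are normalized so that
    'JSmith' and 'jsmith ' reconcile to the same account instead of producing
    a false finding."""
    table = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["user"].strip().lower(), row["system"].strip().upper())
        table[key].add(row["privilege"].strip().lower())
    return dict(table)

def quarterly_review(authorized, provisioned):
    """Accounts present on a system with no authorization record at all."""
    return sorted(set(provisioned) - set(authorized))

def annual_review(authorized, provisioned):
    """Authorized accounts that hold privileges beyond those approved."""
    excess = {}
    for key in set(provisioned) & set(authorized):
        extra = provisioned[key] - authorized[key]
        if extra:
            excess[key] = sorted(extra)
    return excess

def unused_authorizations(authorized, provisioned):
    """Approvals with no matching account: records to confirm or retire."""
    return sorted(set(authorized) - set(provisioned))

if __name__ == "__main__":
    auth, prov = load(AUTHORIZATION_CSV), load(PROVISIONED_CSV)
    print("Unauthorized accounts:", quarterly_review(auth, prov))
    print("Unauthorized permissions:", annual_review(auth, prov))
    print("Authorizations without an account:", unused_authorizations(auth, prov))
```

Keeping the two result sets separate mirrors the distinction the slides draw: the quarterly check asks whether the account should exist, the annual check asks whether its permissions match what was approved.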


Observations

• Nested PSPs

– Not recognizing the nuance between V3 and V5 for V3 equivalent requirements

• Software Baseline configuration including scripting

– Request for Information (RFI) for this topic has been submitted to NERC

• Confusion of the concepts around Low Impact External Routable Connectivity (LERC) and Low Impact BES Cyber System Electronic Access Point (LEAP)

– A key issue is the remote LEAP


Takeaways

• There is a distinct change between CIP V3 and CIP V5

• We see Registered Entities putting effort into making the change from a compliance-based program to a performance/outcome-based program

• We appreciate the communication with Registered Entities about the transition to CIP V5; this has allowed SPP RE to gauge impact prior to an audit

• SPP RE hopes that this level of communication continues after CIP V5 goes live on July 1
