CIP 5 - EMMOS


Wrestling With Compliance

CIP 5

EMMOS Users Conference

September 14, 2016


You Have It All Figured Out… Right…


Bam! That Just Happened!


Agenda

CIP Version 5 Potential Pinfalls

Risk-Based Compliance Monitoring


CIP-002-5.1: BES CYBER SYSTEM

CATEGORIZATION


Requirement Language


Potential Pinfall!

List/Inventory

• High impact BES Cyber Systems

• Medium impact BES Cyber Systems

• Each asset that contains a low impact BES Cyber System


Auditor Evidence R1


List/Inventory of all assets considered

• Control Centers and backup Control Centers

• Transmission stations and substations

• Generation resources

• Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements

• Special Protection Systems that support the reliable operation of the Bulk Electric System

• Distribution Providers and Protection Systems specified in Applicability section 4.2.1


Auditor Evidence 1.1, 1.2, 1.3

List/Inventory by asset

• Cyber Assets

• BES Cyber Assets

• BES Cyber Systems


Potential Pinfall!

Lessons Learned

• Generation Segmentation

• External Routable Connectivity

Standards Authorization Request Form (SAR)

• Cyber Asset and BES Cyber Asset (BCA) Definitions

• Network and Externally Accessible Devices

• Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations

• Virtualization

• LERC Definition


CIP-003-6: SECURITY

MANAGEMENT CONTROLS


Requirement Language


Potential Pinfall!

The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities’ management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems.

The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.


Requirement Language


Potential Pinfall!

The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.


Potential Pinfall!

An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.


Potential Pinfall!

Requirement                            Implementation Date

CIP-003-6; R1                          July 1, 2016
CIP-003-6; Part 1.2                    April 1, 2017
CIP-003-6; R2                          April 1, 2017
CIP-003-6; R2, Attachment 1, Sec. 1    April 1, 2017
CIP-003-6; R2, Attachment 1, Sec. 2    September 1, 2018
CIP-003-6; R2, Attachment 1, Sec. 3    September 1, 2018
CIP-003-6; R2, Attachment 1, Sec. 4    April 1, 2017
CIP-003-6; R3                          July 1, 2016
CIP-003-6; R4                          July 1, 2016


Potential Pinfall!

Project 2016-02 Modifications to CIP Standards

• CIP-003-7

• LERC Definition


CIP-004-6: PERSONNEL & TRAINING


Requirement Language


Potential Pinfall!

Requirement Implementation Date

CIP-004-6; R2, Part 2.2 July 1, 2016

CIP-004-6; R2, Part 2.3 July 1, 2017


Requirement Language


Potential Pinfall!

Requirement Implementation Date

CIP-004-6; R3, Part 3.5 July 1, 2016 (or within 7 years of the previous personnel risk assessment)


Requirement Language


Potential Pinfall!

Authorize based on need

4.1.3

• Access to designated storage locations, whether physical or electronic, for BES Cyber System Information


Requirement Language


Requirement Language


Requirement Language


Requirement Language


Potential Pinfall!

● Guidelines and Technical Basis


Potential Pinfall!

Termination Action Date

• September 14, 2016, 1:25 PM

24 Hours (5.1)

• September 15, 2016, 1:25 PM

• Unescorted physical access and Interactive Remote Access


Potential Pinfall!

Termination Action Effective Date

• September 14, 2016

End of Next Calendar Date (5.3)

• September 15, 2016, 11:59 PM

• Access to the designated storage locations for BES Cyber System Information, whether physical or electronic

30 Calendar Days (5.4, 5.5)

• October 14, 2016

• Non-shared user accounts

• Change password for shared account(s)

10 Calendar Days (5.5)

• October 23, 2016

• If Extenuating Operating Circumstances


Requirement Language


Requirement Language


Potential Pinfall!

Reassignment or Transfer

• September 14, 2016

Effective Date

• September 19, 2016

• No longer requires retention of that access

End of Next Calendar Day (5.2)

• September 20, 2016, 11:59 PM

• Electronic access to individual accounts and authorized unescorted physical access


Potential Pinfall!

Reassignment or Transfer

Effective Date

• September 19, 2016

• No longer requires retention of that access

30 Calendar Days (5.5)

• October 18, 2016

• Change password for shared account(s)

10 Calendar Days (5.5)

• October 27, 2016

• If Extenuating Operating Circumstances


CIP-005-5: ELECTRONIC SECURITY

PERIMETER(S)


Requirement Language


Requirement Language


Potential Pinfall!

New Concepts

• IDS/IPS

• Intermediate System

• Performs access control

• Restricts Interactive Remote Access to only authorized users

• Not located inside the ESP

• Interactive Remote Access

• User-initiated by a person…


CIP-006-6: PHYSICAL SECURITY OF

BES CYBER SYSTEMS


Requirement Language


Requirement Language


Requirement Language


Potential Pinfall!

● The entity has designated the large room with the EMS workstations, which also contains the smaller data center, as its PSP.

● Physical access granted to the PSP:

Control Center operators

Control Center managers and supervisors

IT Group

Custodial staff


Potential Pinfall!


[Diagram: two Physical Security Perimeters labeled A and B; labeled blocks: Medium Impact BCS, Medium Impact BCS, High Impact BCS, Medium Impact BCS]


Requirement Language


Potential Pinfall!


For new high or medium impact BES Cyber Systems at Control Centers identified by CIP-002-5.1 which were not identified as Critical Cyber Assets in CIP Version 3, Registered Entities shall not be required to comply with Reliability Standard CIP-006-6, Requirement R1, Part 1.10 until nine calendar months after the effective date of Reliability Standard CIP-006-6.


CIP-007-6: SYSTEM SECURITY

MANAGEMENT


Requirement Language


Potential Pinfall!

Guidelines and Technical Basis

• This requirement is most often accomplished by disabling the corresponding service or program that is listening on the port or configuration settings within the Cyber Asset.


Requirement Language


Potential Pinfall!

Measure

• An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.


Requirement Language


Potential Pinfall!

Requirement Implementation Date

CIP-007-6; R2, Part 2.2 July 1, 2016


Potential Pinfall!

Guidelines and Technical Basis

• Responsible Entities are to perform an assessment of security related patches within 35 days of release from their monitored source.


Requirement Language


Potential Pinfall!

Requirement Implementation Date

CIP-007-6; R5, Part 5.7 July 1, 2016


Potential Pinfall!


CIP-007-3

• R5

• Account Management - The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

• R5.3.3

• Each password shall be changed at least annually, or more frequently based on risk.


CIP-008-5: INCIDENT REPORTING

AND RESPONSE PLANNING


Requirement Language


Potential Pinfall!

● EOP-004-2


Potential Pinfall!


CIP-009-6: RECOVERY PLANS FOR

BES CYBER SYSTEMS


Requirement Language


Requirement Language


Requirement Language


Potential Pinfall!

Guidelines and Technical Basis

• The term recovery plan is used throughout this Reliability Standard to refer to a documented set of instructions and resources needed to recover reliability functions performed by BES Cyber Systems. The recovery plan may exist as part of a larger business continuity or disaster recovery plan, but the term does not imply any additional obligations associated with those disciplines outside of the Requirements.


CIP-010-2: CONFIGURATION CHANGE

MANAGEMENT AND VULNERABILITY

ASSESSMENTS


Requirement Language


Potential Pinfall!

Guidelines and Technical Basis

• Custom software installed may include scripts developed for local entity functions or other custom software developed for a specific task or function for the entity’s use.
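The CIP-007-6 R1 guidance earlier in the deck (disable the service that listens on a port that has no documented need) and the CIP-010-2 R1 guidance here (custom scripts are part of the baseline) meet in the same review step: comparing what is actually running against the documented baseline. The following is an added example, not code from the slides, Texas RE or NERC; the baseline, the `ss -ltnp` capture, the script inventory and the hypothetical EMS server are all constructed, and treating loopback-only listeners as a separate bucket rather than a finding is an assumption the entity would have to document.

```python
"""Baseline deviation check for one Cyber Asset (constructed example)."""
import re
from collections import namedtuple
# Documented baseline for a hypothetical EMS server (constructed sample): every
# network-accessible port needs a documented need (CIP-007-6 R1.1) and custom
# scripts are baseline items (CIP-010-2 R1.1.5).
BASELINE_PORTS = {22: "SSH, vendor maintenance via Intermediate System",
                  502: "Modbus/TCP polling of substation RTUs"}
BASELINE_CUSTOM_SOFTWARE = {"poll_rtus.py": "1.4", "nightly_export.sh": "2.0"}
# Constructed `ss -ltnp` output captured on the same server.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
LISTEN 0      50     *:5900              *:*               users:(("x11vnc",pid=1201,fd=4))
"""
# Constructed inventory of custom scripts found on disk (name -> version).
INSTALLED_CUSTOM_SOFTWARE = {"poll_rtus.py": "1.5", "nightly_export.sh": "2.0",
                             "quick_fix.sh": "0.1"}
Listener = namedtuple("Listener", "port process loopback_only")
_PROC = re.compile(r'\(\("([^"]+)"')


def parse_ss(output):
    """Parse `ss -ltnp` lines into Listener records (TCP listeners only)."""
    listeners = []
    for line in output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)
        proc = _PROC.search(line)
        listeners.append(Listener(int(port), proc.group(1) if proc else "?",
                                  addr in ("127.0.0.1", "[::1]")))
    return listeners


def find_deviations(listeners, installed):
    """Return the deviations a CIP-007 R1 / CIP-010 R1 review would flag."""
    dev = {"unjustified_ports": [], "loopback_only": [],
           "unapproved_software": [], "version_drift": []}
    seen = set()
    for lsn in listeners:
        seen.add(lsn.port)
        if lsn.port in BASELINE_PORTS:
            continue
        # Loopback-only listeners get their own bucket (assumption): whether they are "network accessible" is the entity's documented call.
        key = "loopback_only" if lsn.loopback_only else "unjustified_ports"
        dev[key].append((lsn.port, lsn.process))
    dev["missing_ports"] = sorted(set(BASELINE_PORTS) - seen)  # documented, but nothing listens
    for name, ver in installed.items():
        if name not in BASELINE_CUSTOM_SOFTWARE:
            dev["unapproved_software"].append(name)  # installed outside change management
        elif BASELINE_CUSTOM_SOFTWARE[name] != ver:
            dev["version_drift"].append((name, BASELINE_CUSTOM_SOFTWARE[name], ver))
    return dev
```

Every non-empty bucket is a question for the change-management record: the VNC listener and quick_fix.sh need either a documented need and a baseline update or removal, and the silent Modbus port is as much a baseline defect as an extra one.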


Requirement Language


Potential Pinfall!

• Transmitting, Transferring Executable Code

• NOT a BES Cyber System or Protected Cyber Asset (PCA)


Potential Pinfall!


30 consecutive calendar days or less

Directly connected within ESP

• BES Cyber Asset, Network, PCA

Directly connected using:

• Ethernet, USB, Wireless, Near Field, Bluetooth

Used for:

• Data Transfer, Vulnerability Assessment, Maintenance, Troubleshooting


Potential Pinfall!

Storage Media

Removable Media


Potential Pinfall!


• Are NOT Cyber Assets

• ARE capable of transferring executable code

• CAN be used to store, copy, move, or access data

• ARE directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset


CIP-011-2: INFORMATION

PROTECTION


Requirement Language


Requirement Language


Potential Pinfall!


MISCELLANEOUS


Potential Pinfall!

Electronic Access Control or Monitoring Systems

• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.


Potential Pinfall!

Protected Cyber Assets

• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP.


RISK-BASED COMPLIANCE

MONITORING


Risk-based CMEP Overview


What is Risk-based Compliance?

An approach to compliance that is:

• Customizable to individual entities

• Forward-looking

• Focused on reliability risks

• Incorporates internal controls


What is Risk-based Compliance?


Risk-based CMEP Framework


[Diagram: Risk-based CMEP Framework. Stages: Initial Scope (Risk Elements); Scope Focus (Inherent Risk Assessment, IRA); Internal Controls Evaluation (ICE); Oversight Tool Selection (CMEP Tools), leading to the Entity Compliance Oversight Plan. Inputs: Registered Entity Functions; ERO & Regional Characteristics; Events; RISC. A separate path gives Scope and Focus for Entities not participating in ICE.]


Risk Elements

Identification and prioritization of continent-wide and region-specific risks

Applicable North American Electric Reliability Corporation (NERC) Reliability Standards and Requirements are identified for each individual Risk Element

As new risks emerge, Risk Elements can be created or modified


Critical Infrastructure Protection Risk Element

• Detailed explanation in 2016 CMEP IP

• Remains in 2017 CMEP IP

ERO Risk Element: 3 Areas of Focus

• System Downtime

• Unauthorized Access

• Corruption of Operational Data


CIP Risk Element


Inherent Risk Assessments

Identify inherent risks posed by an individual entity to the bulk power system (BPS)

Enables CEAs to focus on areas of risk specific to individual entities

Provides more focused approach to compliance oversight

Refines scope of NERC Reliability Standards and Requirements for a compliance engagement


ERO Common Core CIP Risk Factors

Risk Factor: CIP - Control Center Influence (criteria by risk level)

  LOW:    Entity has Control Center(s)

  MEDIUM: Entity has GOP control centers containing medium-impact BCS(s)
          – or –
          Entity has control centers containing medium-impact BCS(s) with control of more than 15 BES RTUs/PLCs

  HIGH:   Entity has high-impact BCS(s)
          – or –
          Entity has control centers containing medium-impact BCS(s) with control of more than 40 BES RTUs/PLCs

Risk Factor: CIP - Connectivity (criteria by risk level)

  LOW:    Entity has low-impact BCSs

  MEDIUM: Entity has low-impact BCSs with at least one ICCP connection or LERC, or medium-impact BCSs

  HIGH:   Entity has medium-impact BCSs with at least one ICCP connection, or high-impact BCSs


Internal Controls Evaluation

Identifies key controls and their effectiveness

Controls identify, assess, and/or correct noncompliance with NERC Reliability Standards and increase reliability

Further refines scope of NERC Reliability Standards and Requirements for an engagement


Oversight Plan/CMEP Tools

Determines the type of compliance engagement activities:

• Off-site or on-site audits

• Spot Checks

• Self-certifications

Frequency is dictated by the risk-based compliance process:

• CEAs could engage an entity once every few years

• CEAs could engage an entity multiple times a year

CEAs may utilize a combination of CMEP tools


Preliminary CIP Scopes

Standard      Low BCS          Medium BCS            High BCS

CIP-002-5.1   R1, R2           R1, R2                R1, R2
CIP-003-6     R1, R2, R3, R4   R1, R3, R4            R1, R3, R4
CIP-004-6                      R1, R2, R3, R4, R5    R1, R2, R3, R4, R5
CIP-005-5                      R1, R2                R1, R2
CIP-006-6                      R1, R2, R3            R1, R2, R3
CIP-007-6                      R1, R2, R3, R4, R5    R1, R2, R3, R4, R5
CIP-008-5                      R1, R2, R3            R1, R2, R3
CIP-009-6                      R1, R2, R3            R1, R2, R3
CIP-010-2                      R1, R3, R4            R1, R2, R3, R4
CIP-011-2                      R1, R2                R1, R2


Contact Information

Kenath Carver

Compliance Team Lead

(512) 583-4963

kenath.carver@texasre.org

cip@texasre.org

Brent Read

Manager, Risk Assessment

(512) 583-4916

brent.read@texasre.org


Questions?
