Wrestling With Compliance: CIP 5
EMMOS Users Conference
September 14, 2016

You Have It All Figured Out… Right…

Bam! That Just Happened!

Agenda
• CIP Version 5 Potential Pinfalls
• Risk-Based Compliance Monitoring
CIP-002-5.1: BES CYBER SYSTEM CATEGORIZATION

Requirement Language

Potential Pinfall!
List/Inventory
• High impact BES Cyber Systems
• Medium impact BES Cyber Systems
• Each asset that contains a low impact BES Cyber System

Auditor Evidence R1
List/Inventory of all assets considered
• Control Centers and backup Control Centers
• Transmission stations and substations
• Generation resources
• Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements
• Special Protection Systems that support the reliable operation of the Bulk Electric System
• Distribution Providers and Protection Systems specified in Applicability section 4.2.1

Auditor Evidence 1.1, 1.2, 1.3
List/Inventory by asset
• Cyber Assets
• BES Cyber Assets
• BES Cyber Systems

Potential Pinfall!
Lessons Learned
• Generation Segmentation
• External Routable Connectivity
Standards Authorization Request Form (SAR)
• Cyber Asset and BES Cyber Asset (BCA) Definitions
• Network and Externally Accessible Devices
• Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
• Virtualization
• LERC Definition
CIP-003-6: SECURITY MANAGEMENT CONTROLS

Requirement Language

Potential Pinfall!
The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities’ management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems.
The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.

Requirement Language

Potential Pinfall!
The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.

Potential Pinfall!
An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.

Potential Pinfall!
Requirement                                Implementation Date
CIP-003-6; R1                              July 1, 2016
CIP-003-6; Part 1.2                        April 1, 2017
CIP-003-6; R2                              April 1, 2017
CIP-003-6; R2, Attachment 1, Sec. 1        April 1, 2017
CIP-003-6; R2, Attachment 1, Sec. 2        September 1, 2018
CIP-003-6; R2, Attachment 1, Sec. 3        September 1, 2018
CIP-003-6; R2, Attachment 1, Sec. 4        April 1, 2017
CIP-003-6; R3                              July 1, 2016
CIP-003-6; R4                              July 1, 2016

Potential Pinfall!
Project 2016-02 Modifications to CIP Standards
• CIP-003-7
• LERC Definition
CIP-004-6: PERSONNEL & TRAINING

Requirement Language

Potential Pinfall!
Requirement                  Implementation Date
CIP-004-6; R2, Part 2.2      July 1, 2016
CIP-004-6; R2, Part 2.3      July 1, 2017

Requirement Language

Potential Pinfall!
Requirement                  Implementation Date
CIP-004-6; R3, Part 3.5      July 1, 2016 (or within 7 years of the previous personnel risk assessment)

Requirement Language

Potential Pinfall!
Authorize based on need
4.1.3
• Access to designated storage locations, whether physical or electronic, for BES Cyber System Information

Requirement Language

Requirement Language

Requirement Language

Requirement Language

Potential Pinfall!
● Guidelines and Technical Basis

Potential Pinfall!
Termination Action Date
• September 14, 2016, 1:25 PM
24 Hours (5.1)
• September 15, 2016, 1:25 PM
• Unescorted physical access and Interactive Remote Access

Potential Pinfall!
Termination Action Effective Date
• September 14, 2016
End of Next Calendar Day (5.3)
• September 15, 2016, 11:59 PM
• Access to the designated storage locations for BES Cyber System Information, whether physical or electronic
30 Calendar Days (5.4, 5.5)
• October 14, 2016
• Non-shared user accounts
• Change password for shared account(s)
10 Calendar Days (5.5)
• October 23, 2016
• If Extenuating Operating Circumstances

Requirement Language

Requirement Language

Potential Pinfall!
Reassignment or Transfer
• September 14, 2016
Effective Date
• September 19, 2016
• No longer requires retention of that access
End of Next Calendar Day (5.2)
• September 20, 2016, 11:59 PM
• Electronic access to individual accounts and authorized unescorted physical access

Potential Pinfall!
Reassignment or Transfer
Effective Date
• September 19, 2016
• No longer requires retention of that access
30 Calendar Days (5.5)
• October 18, 2016
• Change password for shared account(s)
10 Calendar Days (5.5)
• October 27, 2016
• If Extenuating Operating Circumstances
CIP-005-5: ELECTRONIC SECURITY PERIMETER(S)

Requirement Language

Requirement Language

Potential Pinfall!
New Concepts
• IDS/IPS
• Intermediate System
  • Performs access control
  • Restricts Interactive Remote Access to only authorized users
  • Not located inside the ESP
• Interactive Remote Access
  • User-initiated by a person…
CIP-006-6: PHYSICAL SECURITY OF BES CYBER SYSTEMS

Requirement Language

Requirement Language

Requirement Language

Potential Pinfall!
● The entity has designated the large room with the EMS workstations, which also contains the smaller data center, as its PSP.
● Physical access granted to the PSP:
  Control Center operators
  Control Center managers and supervisors
  IT Group
  Custodial staff

Potential Pinfall!
[Diagram: two arrangements, labeled A and B, of Medium Impact BCS, Medium Impact BCS, High Impact BCS and Medium Impact BCS]

Requirement Language

Potential Pinfall!
For new high or medium impact BES Cyber Systems at Control Centers identified by CIP-002-5.1 which were not identified as Critical Cyber Assets in CIP Version 3, Registered Entities shall not be required to comply with Reliability Standard CIP-006-6, Requirement R1, Part 1.10 until nine calendar months after the effective date of Reliability Standard CIP-006-6.
CIP-007-6: SYSTEM SECURITY MANAGEMENT

Requirement Language

Potential Pinfall!
Guidelines and Technical Basis
• This requirement is most often accomplished by disabling the corresponding service or program that is listening on the port or configuration settings within the Cyber Asset.
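One way to produce the evidence this Guideline points at, shown here as an added example that is not from the deck, from Texas RE or from NERC: compare the ports actually listening on a Cyber Asset against the entity's documented baseline, so that anything listening without a documented need stands out for disabling or for justification. The asset name ems-hmi-01, the BASELINE table and the ss -tlnp style sample output are constructed for illustration, and the decision to report loopback-only sockets separately rather than as findings is an assumption of this example, not language from the standard.

```python
"""Compare the listening ports observed on a Cyber Asset with its documented
baseline (the CIP-007-6 R1 Part 1.1 port/service question).

Added example, not code from the EMMOS deck, Texas RE or NERC. The asset name,
the baseline dictionary and the `ss -tlnp`-style sample output are constructed
for illustration; a real run would read the captured output of the host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed baseline: the ports the entity has documented as needed, with the
# justification an auditor will ask to see for each one.
BASELINE = {
    "ems-hmi-01": {
        ("tcp", 22): "SSH administration via the Intermediate System",
        ("tcp", 443): "Operator HMI web interface",
        ("tcp", 2404): "IEC 60870-5-104 polling of RTUs",
        ("tcp", 8443): "Historian API (documented, but not running on this host)",
    },
}

# Constructed sample of `ss -tlnp` output captured from ems-hmi-01.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      10     0.0.0.0:2404      0.0.0.0:*         users:(("iec104d",pid=1301,fd=4))
LISTEN 0      50     0.0.0.0:5900      0.0.0.0:*         users:(("x11vnc",pid=1500,fd=5))
LISTEN 0      128    127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def network_accessible(self) -> bool:
        # Assumption of this example: a socket bound only to loopback is not
        # reachable from the network, so it is listed separately, not as a finding.
        return self.addr not in LOOPBACK


SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*"
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str, proto: str = "tcp") -> list[Listener]:
    """Parse the LISTEN rows of `ss -tlnp` output; the header row is skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.append(Listener(proto, m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def check_ports(asset: str, listeners: list[Listener]) -> dict:
    """Return baseline drift in both directions plus loopback-only sockets."""
    baseline = BASELINE.get(asset, {})
    network = {(lsn.proto, lsn.port): lsn for lsn in listeners if lsn.network_accessible}
    return {
        "unexpected": [lsn for key, lsn in network.items() if key not in baseline],
        "missing": sorted(key for key in baseline if key not in network),
        "loopback_only": [lsn for lsn in listeners if not lsn.network_accessible],
    }


def report(asset: str, result: dict) -> list[str]:
    """Plain-text lines suitable for dropping into an evidence package."""
    lines = [f"{asset}: {len(result['unexpected'])} unexpected network-accessible port(s)"]
    for lsn in result["unexpected"]:
        lines.append(f"  UNEXPECTED {lsn.proto}/{lsn.port} ({lsn.process}): disable the service or document the need")
    for proto, port in result["missing"]:
        lines.append(f"  MISSING    {proto}/{port}: baseline says needed but nothing is listening")
    for lsn in result["loopback_only"]:
        lines.append(f"  LOOPBACK   {lsn.proto}/{lsn.port} ({lsn.process}): not network accessible")
    return lines


if __name__ == "__main__":
    result = check_ports("ems-hmi-01", parse_ss(SAMPLE_SS_OUTPUT))
    print("\n".join(report("ems-hmi-01", result)))
```

On the constructed sample the VNC listener on tcp/5900 is the finding to act on, tcp/8443 shows the baseline itself has drifted from the host, and the CUPS socket on loopback is recorded so the reviewer can see it was considered. Both directions of drift matter for the evidence package: an undocumented listener is the CIP-007 question, while a documented port that is no longer in use is the kind of stale baseline that surfaces again under CIP-010.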
Requirement Language

Potential Pinfall!
Measure
• An example of evidence may include, but is not limited to, documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.

Requirement Language

Potential Pinfall!
Requirement                  Implementation Date
CIP-007-6; R2, Part 2.2      July 1, 2016

Potential Pinfall!
Guidelines and Technical Basis
• Responsible Entities are to perform an assessment of security related patches within 35 days of release from their monitored source.

Requirement Language

Potential Pinfall!
Requirement                  Implementation Date
CIP-007-6; R5, Part 5.7      July 1, 2016

Potential Pinfall!
CIP-007-3
• R5
  • Account Management - The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
• R5.3.3
  • Each password shall be changed at least annually, or more frequently based on risk.
CIP-008-5: INCIDENT REPORTING AND RESPONSE PLANNING

Requirement Language

Potential Pinfall!
● EOP-004-2

Potential Pinfall!

CIP-009-6: RECOVERY PLANS FOR BES CYBER SYSTEMS

Requirement Language

Requirement Language

Requirement Language

Potential Pinfall!
Guidelines and Technical Basis
• The term recovery plan is used throughout this Reliability Standard to refer to a documented set of instructions and resources needed to recover reliability functions performed by BES Cyber Systems. The recovery plan may exist as part of a larger business continuity or disaster recovery plan, but the term does not imply any additional obligations associated with those disciplines outside of the Requirements.
CIP-010-2: CONFIGURATION CHANGE
MANAGEMENT AND VULNERABILITY
ASSESSMENTS
EMMOS Users Conference
September 14, 2016
70
Requirement Language
EMMOS Users Conference
September 14, 2016
71
Potential Pinfall!
Guidelines and Technical Basis
• Custom software installed may include scripts developed for local entity functions or other custom software developed for a specific task or function for the entity’s use.
EMMOS Users Conference
September 14, 2016
72
Requirement Language
EMMOS Users Conference
September 14, 2016
73
Potential Pinfall!
• Transmitting, Transferring Executable
Code
• BES Cyber System, Protected Cyber Asset (PCA)
NOT
EMMOS Users Conference
September 14, 2016
74
Potential Pinfall!
EMMOS Users Conference
September 14, 2016
30 consecutive calendar days or less
Directly connected within ESP
• BES Cyber Asset, Network, PCA
Directly connected using:
• Ethernet, USB, Wireless, Near Field, Bluetooth
Used for:
• Data Transfer, Vulnerability Assessment, Maintenance, Troubleshooting
75
Potential Pinfall!
Storage Media
Removable Media
EMMOS Users Conference
September 14, 2016
76
Potential Pinfall!
EMMOS Users Conference
September 14, 2016
• Cyber Assets NOT
• Capable of transferring executable code ARE
• Be used to store, copy, move, or access data CAN • Directly connected for 30 consecutive calendar days or
less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset ARE
CIP-011-2: INFORMATION PROTECTION

Requirement Language

Requirement Language

Potential Pinfall!

MISCELLANEOUS

Potential Pinfall!
Electronic Access Control or Monitoring Systems
• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.

Potential Pinfall!
Protected Cyber Assets
• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP.
RISK-BASED COMPLIANCE MONITORING

Risk-based CMEP Overview

What is Risk-based Compliance?
An approach to compliance that is:
• Customizable to individual entities
• Forward-looking
• Focused on reliability risks
• Incorporates internal controls

What is Risk-based Compliance?

Risk-based CMEP Framework
[Diagram]
Initial Scope: Risk Elements
Scope Focus: Inherent Risk Assessment (IRA)
Internal Controls Evaluation (ICE)
Oversight Tool Selection: Entity Compliance Oversight Plan and CMEP Tools
Inputs: Registered Entity Functions, ERO & Regional Characteristics, Events, RISC
Scope and Focus for Entities not participating in ICE
Risk Elements
• Identification and prioritization of continent-wide and region-specific risks
• Applicable North American Electric Reliability Corporation (NERC) Reliability Standards and Requirements are identified for each individual Risk Element
• As new risks emerge, Risk Elements can be created or modified

Critical Infrastructure Protection Risk Element
• Detailed explanation in 2016 CMEP IP
• Remains in 2017 CMEP IP
ERO Risk Element: 3 Areas of Focus
• System Downtime
• Unauthorized Access
• Corruption of Operational Data

CIP Risk Element

Inherent Risk Assessments
• Identify inherent risks posed by an individual entity to the bulk power system (BPS)
• Enables CEAs to focus on areas of risk specific to individual entities
• Provides more focused approach to compliance oversight
• Refines scope of NERC Reliability Standards and Requirements for a compliance engagement

ERO Common Core CIP Risk Factors
Risk Factor: CIP - Control Center Influence
  LOW: Entity has Control Center(s)
  MEDIUM: Entity has GOP control centers containing medium-impact BCS(s) – or – Entity has control centers containing medium-impact BCS(s) with control of more than 15 BES RTUs/PLCs
  HIGH: Entity has high-impact BCS(s) – or – Entity has control centers containing medium-impact BCS(s) with control of more than 40 BES RTUs/PLCs
Risk Factor: CIP - Connectivity
  LOW: Entity has low-impact BCSs
  MEDIUM: Entity has low-impact BCSs with at least one ICCP connection or LERC or medium-impact BCSs
  HIGH: Entity has medium impact BCSs with at least one ICCP connection or high-impact BCSs
Internal Controls Evaluation
• Identifies key controls and their effectiveness
• Controls identify, assess, and/or correct noncompliance with NERC Reliability Standards and increase reliability
• Further refines scope of NERC Reliability Standards and Requirements for an engagement

Oversight Plan/CMEP Tools
Determines the type of compliance engagement activities
Frequency is dictated by the risk-based compliance process
• CEAs could engage an entity once every few years
• CEAs could engage an entity multiple times a year
CEAs may utilize a combination of CMEP tools
• Off-site or on-site audits
• Spot Checks
• Self-certifications

Preliminary CIP Scopes
Standard       Low BCS             Medium BCS              High BCS
CIP-002-5.1    R1, R2              R1, R2                  R1, R2
CIP-003-6      R1, R2, R3, R4      R1, R3, R4              R1, R3, R4
CIP-004-6      n/a                 R1, R2, R3, R4, R5      R1, R2, R3, R4, R5
CIP-005-5      n/a                 R1, R2                  R1, R2
CIP-006-6      n/a                 R1, R2, R3              R1, R2, R3
CIP-007-6      n/a                 R1, R2, R3, R4, R5      R1, R2, R3, R4, R5
CIP-008-5      n/a                 R1, R2, R3              R1, R2, R3
CIP-009-6      n/a                 R1, R2, R3              R1, R2, R3
CIP-010-2      n/a                 R1, R3, R4              R1, R2, R3, R4
CIP-011-2      n/a                 R1, R2                  R1, R2
Contact Information
Kenath Carver
Compliance Team Lead
(512) 583-4963
kenath.carver@texasre.org
cip@texasre.org
Brent Read
Manager, Risk Assessment
(512) 583-4916
brent.read@texasre.org
EMMOS Users Conference
September 14, 2016
98
Questions?
EMMOS Users Conference
September 14, 2016
Recommended