Forward Together • ReliabilityFirst
Follow us on LinkedIn and Twitter
2017 Spring Workshop
2016 CIP Violation & Themes Update
Deandra Williams-Lewis, Director of Enforcement
Kristen Senk, Senior Counsel
Baltimore, MD
April __, 2017
2016 CIP / Operations & Planning Violations
[Pie chart: 2016 CIP vs. Operations & Planning violations, 65% and 35%; legend: CIP, Operations & Planning]
Violation Volume Decreasing
2010: Mandatory Compliance for all CIP Standards Begins; RF commences full scope audits; Entities at beginning stages of CIP implementation
2015: Maturation of CIP programs; Increased use of automated tools; increased outreach
2016: V5 Preparation and Transition
CIP Violations by Deemed Date
2010: 261
2011: 163
2012: 156
2013: 91
2014: 111
2015: 110
2016: 104
Majority of Violations are Self-Reported
Larger Entities Drive Volume of Self-Reports
Two audit outliers in 2014 responsible for 92 of 117 audit violations, otherwise steady downward trend
[Chart: CIP violations by identification date, 2012–2016; series: Self-Reports/Self-Logging, Self-Certifications/Self-Logging, Audit]
Volume Driven by High-Frequency Conduct
Requirements concerning “high-frequency conduct” drive volume:
• CIP-004, R4 (access: lists for cyber access and physical access; revoking privileges)
• CIP-006, R1 (physical security of critical cyber assets: physical access logging)
• CIP-007, R5 (account management: passwords and access lists)
These violations tend to be self-reported and pose a lesser risk
• However, they can be indicative of systemic issues
[Charts: Most Reported CIP Standards, 2008–2016; CIP-004, CIP-006 and CIP-007 vs. remaining CIP]
Decrease between Deemed and Reporting Dates
Detection and Reporting Duration Improvement
Average Days from Violation Start Date to Report Date, by Deemed Date
2012: 437.46
2013: 241.31
2014: 277.19
2015: 220.57
2016: 103.67
Improved Risk Posture
Year-over-year decrease in severity
75% of CIP violations are Minimal to Moderate risk
9% of CIP violations are serious risk
• Implementation issues
• Culture and programmatic issues
2009-2016 CIP VIOLATIONS
Risk       2009  2010  2011  2012  2013  2014  2015  2016
Minimal      28   144    84   100    59    77    50     7
Moderate     27    75    44    28    12     8     3     0
Serious      15    14    16    19     9     1     3     0
Observations
Possible Drivers of Positive Trending
• Maturation (both RF and Entities)
• Active Monitoring and Enforcement
• Trending, Analytics, and Sharing
  ‒ Assist Visits and Outreach
  ‒ CIP Themes Report
  ‒ Case Study Outreach
Remain Vigilant – Moving Target
Dynamic Regulatory Approach
• Focus on continuous improvement
• Violations not always indicative of security state
  ‒ Volume can indicate strong detective controls or weak preventative/corrective controls
  ‒ Paper compliance does not equal security
• Proactively identify themes and management practices
2015 CIP Themes Report
2015 Report identified 5 themes:
Complacency
Entities must stay vigilant in ensuring security and compliance.
Business Unit Silos
Lack of coordination between departments, business units, and different levels of management
Disassociation
[Figure: SECURITY and COMPLIANCE shown as disassociated]
Lack of Awareness
Lack of awareness of entity’s capabilities, deficiencies, systems, and processes
Inadequate Tools
Inadequate tools, ineffective use of tools, and overreliance on automation
Low Impact Effective Dates, Standard Revisions and RSAW Updates
Felek Abbas, NERC, Senior CIP Compliance Advisor
Lew Folkerth, RF, Principal Reliability Consultant
RELIABILITY | ACCOUNTABILITY
Agenda
• Low Impact Effective Dates
• Recent CIP Standard Revisions
  – CIP-002-5.1a (In Effect)
  – CIP-003-7 (Pending FERC Approval)
• Recent RSAW Revisions
  – CIP-002-5.1a (In Effect)
  – CIP-003-7 (Pending)
Low Impact Effective Dates
• July 1, 2016
  – Identify each asset that contains a low impact BES Cyber System [CIP-002-5.1 R1 Part 1.3]
  – Review the identification of assets [CIP-002-5.1 R2 Part 2.1]
  – CIP Senior Manager (or delegate) approval of identification of assets [CIP-002-5.1 R2 Part 2.2]
  – Designate a CIP Senior Manager [CIP-003-6 R3]
• On or after July 1, 2016, but before a delegate exercises approval authority
  – Designate CIP Senior Manager delegates, as applicable [CIP-003-6 R4]
• April 1, 2017
  – Documented cyber security policies for low impact BES Cyber Systems [CIP-003-6 R1 Part 1.2]
  – CIP Senior Manager approval of policies for low impact BES Cyber Systems [CIP-003-6 R1 Part 1.2]
• April 1, 2017
  – Document cyber security plan for low impact BES Cyber Systems [CIP-003-6 R2]
    o Cyber security awareness [CIP-003-6 Attachment 1 Section 1]
    o Cyber Security Incident response [CIP-003-6 Attachment 1 Section 4]
  – Implement the plan for cyber security awareness [CIP-003-6 Attachment 1 Section 1]
• April 1, 2017
  – Implement the plan for Cyber Security Incident response
    o Develop Cyber Security Incident response plan [CIP-003-6 Attachment 1 Sections 4, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6]
    o Initial test of Cyber Security Incident response plan [CIP-003-6 Attachment 1 Section 4.5]
      – Per the Implementation Plan for Version 5 CIP Cyber Security Standards, dated October 26, 2012 and incorporated by reference into the Implementation Plan for CIP Version 5 Revisions, dated January 23, 2015.
• September 1, 2017 (within 180 calendar days of initial test)
  – Implement the plan for Cyber Security Incident response
    o Update of Cyber Security Incident response plan based on initial test, if needed [CIP-003-6 Attachment 1 Section 4.6]
• From “Implementation Plan for Version 5 CIP Cyber Security Standards,” October 26, 2012
• Initial Performance of Certain Periodic Requirements
  – Specific Version 5 CIP Cyber Security Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to, “. . . at least once every 15 calendar months . . .”, and responsible entities shall comply initially with those periodic requirements as follows:
    o On or before the Effective Date of CIP-003-5, Requirement R2 for the following requirement:
      – CIP-003-5, Requirement R2
• From “Implementation Plan, Project 2014-02 CIP Version 5 Revisions”, January 23, 2015
• Initial Performance of Certain Periodic Requirements
  – For those requirements with recurring periodic obligations, refer to the Version 5 Plan for compliance dates. These compliance dates are not extended by the effective date of CIP Version 5 Revisions.
• September 1, 2018
  – Physical Security Controls [CIP-003-6 R2 Attachment 1 Section 2]
  – Electronic Access Controls [CIP-003-6 R2 Attachment 1 Section 3]
  – CIP-003-7 was filed with FERC on March 3, 2017
  – However, CIP-003-7 is very unlikely to come into effect before September 1, 2018. You will need to comply with the CIP-003-6 version of these requirements beginning September 1, 2018, until the effective date of CIP-003-7.
Standard Revisions: CIP-002-5.1a
• CIP-002-5.1a – Interpretation of CIP-002-5.1
  – Effective as of December 27, 2016
  – Interpretation Requested by EnergySec
  – Interpretations do not change the language of the Standard
  – Interpretations tell us what the Standard means, and has meant since it became effective
Standard Revisions – In Effect
• CIP-002-5.1a Question 1
  o Whether the phrase “shared BES Cyber Systems,” means that the evaluation for Criterion 2.1 shall be performed individually for each discrete BES Cyber System at a single plant location, or collectively for groups of BES Cyber Systems?
• Answer 1 Summary
  o The evaluation as to whether a BES Cyber System is shared should be performed individually for each discrete BES Cyber System.
• CIP-002-5.1a Question 2
  o Whether the phrase “shared BES Cyber Systems” refers to discrete BES Cyber Systems that are shared by multiple units, or groups of BES Cyber Systems that could collectively impact multiple units?
• Answer 2 Summary
  o The phrase “shared BES Cyber Systems” refers to discrete BES Cyber Systems that are shared by multiple generation units.
• CIP-002-5.1a Question 3
  o If the phrase applies collectively to groups of BES Cyber Systems, what criteria should be used to determine which BES Cyber Systems should be grouped for collective evaluation?
• Answer 3
  o The phrase applies to each discrete BES Cyber System.
Standard Revisions: CIP-003-7
Low Impact Revisions
• Low Impact External Routable Connectivity (LERC) and Low Impact Bulk Electric System (BES) Cyber System Electronic Access Point (LEAP) changes approved by industry in 2016 (CIP-003-7)
• Transient Cyber Assets (TCA) for low impact approved by industry in February, 2017 (CIP-003-7(i))
• NERC Board of Trustees approval in February, 2017 for both sets of changes – as “CIP-003-7”
• Filed with Federal Energy Regulatory Commission (FERC) on March 3, 2017 (prior to the LERC/LEAP deadline of March 31, 2017)
Low Impact Revisions
Table 1 – Effective Date of CIP-003-7 Based on Date of Publication of FERC Order in the Federal Register
Date of Publication in Federal Register     Effective Date of CIP-003-7
January 31, 2017 – May 1, 2017              January 1, 2019
May 2, 2017 – August 1, 2017                April 1, 2019
August 2, 2017 – November 1, 2017           July 1, 2019
November 2, 2017 – January 30, 2018         October 1, 2019
January 31, 2018 – May 1, 2018              January 1, 2020
May 2, 2018 – August 1, 2018                April 1, 2020
August 2, 2018 – November 1, 2018           July 1, 2020
November 2, 2018 – January 30, 2019         October 1, 2020
This table assumes an order will become effective 60 days after publication in the Federal Register.
Low Impact Revisions
• Revisions completed in response to directives in FERC Order
• Eliminated “LERC” and “LEAP” definitions
  – Embedded concepts directly into requirement language
  – Updated reference diagrams
• Added Transient Cyber Asset (TCA) for low impact BES Cyber Systems
(Note – additional tasks are underway by the same SDT)
• All (cyber security protection) requirements for low impact BES Cyber Systems continue to reside in CIP-003
  – “Low Only Entities” only need to comply with CIP-002 and CIP-003 (including documentation that there are no high or medium impact BES Cyber Systems - CIP-002, and Policy and Senior Manager actions - CIP-003)
LERC/LEAP Revisions
• Removed the terms Low Impact External Routable Connectivity (LERC) and Low Impact BES Cyber System Electronic Access Point (LEAP)
  – Sections 2 and 3 of Attachments 1 and 2
• The modifications incorporate concepts and select language from the LERC definition into Attachment 1, Section 3 and focus the requirement on implementing electronic access controls for asset(s) containing Low Impact BES Cyber System(s).
Low Impact Revisions
• Uses the phrase “asset containing Low Impact BES Cyber Systems”
  – This means the station, plant, or Control Center that contains the BES Cyber Systems
  – Physical and cyber security requirements apply to the group of BES Cyber Systems as a whole, generally implemented as border protections around them
  – Does not require a discrete list of BES Cyber Systems (but does require a list of “assets containing low impact BES Cyber Systems”)
• Continues to focus protections on “routable communications”
Revised Language (two slides showing the revised requirement text)
Reference Diagrams
• Ten reference diagrams
• Modified in response to FERC’s concerns dealing with “direct” communications (as compared to indirect communications)
  – Eliminated references to “direct” communications
• All show routable communications crossing the “asset boundary”
  – Not all show routable communication to low impact BES Cyber Systems
• No reference diagrams for serial-only communications
Reference Model 1 through Reference Model 10 (diagram slides)
TCA for Low Revisions
• Modified definitions to include low impact environment concepts
• Added new “Section 5” to Attachments 1 and 2
  – Consistent with keeping all (cyber security protection) requirements for low impact BES Cyber Systems in CIP-003
• TCA language is modeled after and consistent with TCA language in CIP-010
  – Allows consistent programs for all TCAs, if desired
  – Eliminated sections which imply “inventory”
Transient Cyber Asset Revised Definition
Transient Cyber Asset (TCA): A Cyber Asset that is:
1. capable of transmitting or transferring executable code,
2. not included in a BES Cyber System,
3. not a Protected Cyber Asset (PCA) associated with high or medium impact BES Cyber Systems, and
4. directly connected (e.g., using Ethernet, serial, Universal Serial Bus (USB), or wireless including near field or Bluetooth communication) for 30 consecutive calendar days or less to a:
   – BES Cyber Asset,
   – network within an Electronic Security Perimeter (ESP) containing high or medium impact BES Cyber Systems, or
   – PCA associated with high or medium impact BES Cyber Systems.
Examples of TCAs include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
Removable Media Revised Definition
Removable Media: Storage media that:
1. are not Cyber Assets,
2. are capable of transferring executable code,
3. can be used to store, copy, move, or access data, and
4. are directly connected for 30 consecutive calendar days or less to a:
   – BES Cyber Asset,
   – network within an Electronic Security Perimeter (ESP) containing high or medium impact BES Cyber Systems, or
   – Protected Cyber Asset associated with high or medium impact BES Cyber Systems.
Examples of Removable Media include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.
TCA for Low Revisions (three slides showing the revised Section 5 text)
Recent RSAW Revisions
RSAWs
• RSAW Background
  – Auditors’ tool
  – Initial interface with entity
• Posting with new or revised Standard
  – Comments, not votes
  – Subject to change based on current audit practice
• CIP-002-5.1a
  – Updated revision to 5.1a
  – Included fixes for minor errata
  – No substantial changes
• CIP-003-7 R1
  – Added provisions for the additional policy topics
• CIP-003-7 R2
  – Major changes to Section 3
  – New Section 5
  – The applicable Sections are now identified in the Compliance Assessment Approach
RSAWs
Attachment 1
For each asset or group of assets containing low impact BES Cyber Systems, verify that the Responsible Entity has documented one or more cyber security plan(s), as specified in Attachment 1, for its low impact BES Cyber Systems that include:
1. Cyber security awareness;
2. Physical security controls;
3. Electronic access controls;
4. Cyber Security Incident response; and
5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation.
RSAWs
Attachment 1, Section 3
For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, verify that the Responsible Entity:
1. Has determined the necessary inbound and outbound electronic access for any communications that are:
   a. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
   b. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
   c. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR-61850-90-5 R-GOOSE).
2. Has implemented electronic access control for any determinations made in (1), above.
3. Has authenticated all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.
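The Section 3 scope test above, applied to a constructed communications inventory for one asset, as an added example that is not part of the original workshop material or any NERC/RF tool. The asset name, communication descriptions and the firewall rule reference are all constructed; the three criteria (a), (b), (c) and the requirement that each in-scope communication map to a documented access control are taken from the text.

```python
"""Apply the CIP-003-7 Attachment 1, Section 3 scope test to an inventory of
communications for one asset containing low impact BES Cyber Systems.

A communication is in scope for electronic access control when it is
  a. between a low impact BES Cyber System and a Cyber Asset outside the asset,
  b. using a routable protocol when entering or leaving the asset, and
  c. not used for time-sensitive protection or control functions between
     intelligent electronic devices (e.g. IEC TR 61850-90-5 R-GOOSE).
Every in-scope communication should then map to a documented control, which is
the evidence an auditor asks for under item 1.a of the Note to Auditor.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Communication:
    name: str
    low_bcs_endpoint: bool         # one endpoint is a low impact BES Cyber System
    peer_outside_asset: bool       # other endpoint is a Cyber Asset outside the asset
    routable: bool                 # routable protocol when entering/leaving the asset
    time_sensitive_ied: bool       # protection/control between IEDs (R-GOOSE etc.)
    access_control: Optional[str]  # documented control device/rule, if any


def in_section3_scope(c: Communication) -> bool:
    """Criteria (a), (b) and (c) must all hold for the communication to be in scope."""
    return (c.low_bcs_endpoint
            and c.peer_outside_asset
            and c.routable
            and not c.time_sensitive_ied)


def assess_asset(comms: List[Communication]) -> Dict[str, List[str]]:
    """Bucket an asset's communications into: in scope with a documented control,
    in scope but lacking one (a gap to fix before audit), and out of scope."""
    result: Dict[str, List[str]] = {"controlled": [], "uncontrolled": [], "out_of_scope": []}
    for c in comms:
        if not in_section3_scope(c):
            result["out_of_scope"].append(c.name)
        elif c.access_control:
            result["controlled"].append(c.name)
        else:
            result["uncontrolled"].append(c.name)
    return result


# Constructed sample inventory for a hypothetical substation "SUB-A".
SAMPLE_COMMS = [
    # Routable, crosses the asset boundary, documented firewall rule: in scope, controlled.
    Communication("SCADA polling from control center", True, True, True, False,
                  "FW-SUB-A rule 12 (inbound TCP/20000 from EMS hosts only)"),
    # Routable, crosses the boundary, nothing documented: in scope, gap.
    Communication("Vendor remote maintenance session", True, True, True, False, None),
    # Time-sensitive protection traffic between IEDs: excluded by criterion (c).
    Communication("R-GOOSE between relays at adjacent substation", True, True, True, True, None),
    # Serial link: not routable, excluded by criterion (b).
    Communication("Serial link to RTU", True, True, False, False, None),
    # Both endpoints inside the asset: excluded by criterion (a).
    Communication("HMI to relay inside the asset", True, False, True, False, None),
]


if __name__ == "__main__":
    for bucket, names in assess_asset(SAMPLE_COMMS).items():
        print(f"{bucket}: {names}")
```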
RSAWs
Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity, if any, verify the Responsible Entity has a Transient Cyber Asset risk mitigation plan that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems. The plan should specify whether the Transient Cyber Assets are managed in an ongoing manner, an on-demand manner, or a combination of these.
Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity in an ongoing manner, verify that the Transient Cyber Assets have an effective means of mitigating the risk of the introduction of malicious code onto the Transient Cyber Asset.
Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity in an on-demand manner, verify that the Responsible Entity has an effective means of assessing a Transient Cyber Asset such that the risk of introducing malicious code onto a low impact BES Cyber System is mitigated.
Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity, verify the Responsible Entity has implemented its plan.
Attachment 1, Section 5
For Transient Cyber Assets managed by a party other than the Responsible Entity, if any, verify the Responsible Entity has a Transient Cyber Asset risk mitigation plan that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems.
Attachment 1, Section 5
For Transient Cyber Assets managed by a party other than the Responsible Entity, verify that the Responsible Entity has an effective means of assessing these Transient Cyber Assets such that the risk of introducing malicious code onto a low impact BES Cyber System is mitigated.
Attachment 1, Section 5
For Transient Cyber Assets managed by a party other than the Responsible Entity, verify the Responsible Entity has implemented its plan.
RSAWs
Attachment 1, Section 5
For Removable Media, verify the Responsible Entity has a plan to:
1. Detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and
2. mitigate the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.
Attachment 1, Section 5
For Removable Media, verify the Responsible Entity has an effective means to:
1. Detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and
2. mitigate the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.
For Removable Media, verify the Responsible Entity has implemented its plan.
Note to Auditor: Attachment 1, Section 3
1. For each asset identified as containing a low impact BES Cyber System(s) per CIP-002, the list of assets should identify those assets that have routable protocol communications between low impact BES Cyber System(s) and Cyber Asset(s) outside the asset containing the low impact BES Cyber System(s) when entering or leaving the asset and not used for time-sensitive protection or time-sensitive control functions.
   a. For these identified assets, obtain as evidence the devices used to control electronic access and the low impact BES Cyber Systems for which they control access.
2. For each asset identified as containing a low impact BES Cyber System(s) per CIP-002, the Responsible Entity has an obligation to determine the necessary inbound and outbound routable protocol communications between low impact BES Cyber System(s) and Cyber Asset(s) outside the asset containing the low impact BES Cyber System(s) when entering or leaving the asset and not used for time-sensitive protection or time-sensitive control functions. Once this determination has been made and documented, the audit team’s professional judgement cannot override the determination made by the Responsible Entity.
RSAWs
Note to Auditor: Attachment 1, Section 3
3. For the inbound and outbound communications that the Responsible Entity has determined to be necessary, the Responsible Entity must identify the electronic access controls used to effectively control access to and from the low impact BES Cyber System(s).
4. The ten reference models included in the Guidelines and Technical Basis section of the standard outline methods that Responsible Entities may reference for their electronic access controls. Reference models 9 and 10 outline approaches for segmenting network traffic such that there is no routable protocol communications to the low impact BES Cyber System(s).
   a. Model 9 uses layer-2 network segmentation (VLANs) to control access. The configuration of the devices used to accomplish this must be documented by the Responsible Entity and assessed for its effectiveness in meeting the standard’s objective of controlling access to the low impact BES Cyber System(s).
   b. In Model 10, a single device receives both serial traffic destined for low impact BES Cyber System(s) and routable traffic destined for non-BES Cyber Asset(s). The device, as depicted in the model, logically isolates the serial traffic from the routable traffic. The configurations for the device must be documented by the Responsible Entity and assessed to determine whether or not the electronic access controls effectively meet the objective of controlling access to the low impact BES Cyber System(s).
RSAWs
Note to Auditor: Attachment 1, Section 5
1. The phrase “per Transient Cyber Asset capability” grants the Responsible Entity flexibility to determine the method that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems.
2. The means of verifying the mitigation of the introduction of malicious code to a low impact BES Cyber System differs depending on whether a Transient Cyber Asset is managed by the Responsible Entity in an ongoing or an on-demand manner. The verification for a Transient Cyber Asset managed in an ongoing manner focuses on the process of preventing malware from being introduced to the Transient Cyber Asset. The verification for a Transient Cyber Asset managed in an on-demand manner focuses on the process used to ensure the Transient Cyber Asset may be safely used in a low impact BES Cyber System environment prior to such use. If the Transient Cyber Asset is managed in both an ongoing and an on-demand manner, then both verification techniques should be employed.
References
• Project 2016-02 Development History:
• Modifications to CIP Standards page: http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx
Modifications to Attachment C
Bob Yates, Principal Technical Auditor
Modifications to Attachment C
• Started using new Attachment C in 2017
• Based on NERC CIP Version 5 Evidence Request
  – Made some revisions
  – Modifications have been shared with NERC and the other Regions
  – Plans for NERC and the Regions to get together and discuss revisions
Attachment C tabs:
• Level 1 Tab
• Green Tabs (populations)
• Sample Sets L2 Tab
• Level 2 Tab
• Level 3 Tab (not currently used)
Level 1 Tab
Rows with requested date of Fifty-five (55) business days prior to on-site audit
• These requests are for populations that are placed in Green Tabs
• Example:
Request ID        Standard     Requirement  Initial Evidence Request Required in RSAW and NERC Evidence Request Spreadsheet
CIP-002-R1-L1-02  CIP-002-5.1  R1           Provide a listing of all BES assets, of a type listed in the Asset Type field, in service during the audit period for which you have or share compliance responsibility by using the BES Assets tab of this spreadsheet.
CIP-002-R1-L1-04  CIP-002-5.1  R1           Provide a listing of all Cyber Assets that are included in or associated with a high or medium impact BES Cyber System on the CA tab of this spreadsheet.
Level 1 Tab
Rows with requested date of Thirty (30) business days prior to on-site audit
• These requests are for Policies, Programs, Processes, Procedures and non-population Evidence
• Continue to package the PDF evidence your entity submits by Standard
• Example:
Request ID        Standard    Requirement   Initial Evidence Request Required in RSAW and NERC Evidence Request Spreadsheet
CIP-004-R1-L1-01  CIP-004-6   R1            Provide each documented process that addresses the applicable requirement parts in CIP-004-6 R1.
CIP-004-R1-L1-02  CIP-004-6   R1 Part 1.1   Provide evidence of the quarterly reinforcement materials provided to personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
CIP-004-R2-L1-02  CIP-004-6   R2            Provide each documented program that addresses the applicable requirement parts in CIP-004-6 R2.
Level 1 Tab
Rows with requested date of “NOTE: Do not send this evidence ahead of time. Audit team will review on-site”
• CIP-014-2 Evidence
• Example:
Request ID        Standard    Requirement   Initial Evidence Request Required in RSAW and NERC Evidence Request Spreadsheet
CIP-014-R1-L1-01  CIP-014-2   R1            Provide results of assessment of substations for applicability under CIP-014-2.
CIP-014-R2-L1-01  CIP-014-2   R2            Provide results of the third party review of the results of the assessment of substations in R1 for applicability under CIP-014-2.
Green Tabs (Populations)
• BES Assets
• CA
• Low CA
• ESP
• EAP
• PSP
• TCA
• TCA Non-RE
• RM
• BCSI
• Personnel
• Reuse
• Disposal
• Incident Response
Green Tabs (Populations)
Bulk Electric System (BES) Assets
• Asset ID
• Asset Type
• Description
• Commission Date
• Decommission Date
• Location
• Contains BES Cyber System - High Impact
• Contains BES Cyber System - Medium Impact
• Contains BES Cyber System - Low Impact
• Does any BES Cyber System have LERC?
• Is dial-up connectivity present at this asset?
Green Tabs (Populations)
CA (Cyber Asset)
• Cyber Asset ID
• Cyber Asset Classification
• BES Cyber System ID
• Impact Rating
• Asset ID
• Connected to a Network Via a Routable Protocol?
• IP Address
• ESP Identifier [If Any]
• Accessible via Dial-up Connectivity
• Subject to CIP-005-5 R1.4
• Is IRA Enabled to this CA?
• PSP Identifier [If Any]
• Is logging performed at the CA or BCS Level?
• If logging is performed at the BCS level, identify the BCS that this CA is a member of where logging occurs
• Identify the log collector for the CA or BCS
• Date of Activation in a Production Environment, if Activated During the Audit Period
• Date of Deactivation from a Production Environment, if Deactivated During the Audit Period
• Cyber Asset Function
• If Cyber Asset Function is Other or needs further explanation, specify
• Cyber Asset Vendor
• Cyber Asset Model
• Operating System or Firmware Type
• If Operating System or Firmware Type is Other, please specify
• External Routable Connectivity?
• System logging capable?
• Alerting capable?
• Responsible Registered Entity
• Function (TO, TOP, GO, GOP, etc.)
Green Tabs (Populations)
ESP (Electronic Security Perimeter)
• ESP ID
• ESP Description
• Network Address
• Is External Routable Connectivity Permitted into the ESP?
• Is Interactive Remote Access Permitted into this ESP?
EAP (Electronic Access Point)
• EAP ID or Interface Name
• Cyber Asset ID of EACMS
• ESP ID
PSP (Physical Security Perimeter)
• PSP ID
• PSP Description
• Location
Green Tabs (Populations)
TCA (Transient Cyber Asset)
• Transient Cyber Asset ID
• TCA Management Type
• TCA Description
TCA Non-RE (Transient Cyber Asset - Managed by Third Party)
• Transient Cyber Asset ID
• Managed by
• BES Asset ID Where Used
• Cyber Asset ID of BCA/PCA Accessed
• Date and Time of Access
RM (Removable Media)
• BES Asset ID Where Removable Media is Authorized for Use
Green Tabs (Populations)
BCSI (BES Cyber System Information)
• Designated Storage Location
• Storage Type
Reuse (Cyber Asset Released for Reuse)
• Cyber Asset ID
• Date of Release for Reuse
• Date of Prevention of Unauthorized BCSI Retrieval
Disposal (Cyber Asset Disposed)
• Cyber Asset ID
• Date of Disposal
• Date of Prevention of Unauthorized BCSI Retrieval
Green Tabs (Populations)
Personnel
• Unique Identifier (Employee Number, Badge Number, etc.)
• Individual's Full Name
• Personnel Type
• Individual's Company
• Position/Job Title
• Did Access Permissions Change During the Audit Period?
• If Individual Was Terminated During the Audit Period, Date of Termination Action
• Was Individual Transferred or Reassigned During the Audit Period?
• Terminated Individual had Access to High Impact BES Cyber Systems or Associated EACMS?
• Electronic Access
• Unescorted Physical Access
• Access to storage locations for BES Cyber System Information
Forward Together • ReliabilityFirst
Green Tabs (Populations)
Incident Response (Cyber Security Incident Response)• CSIRP Designator• Date of Activation• Was the Incident a Test?• Was the Incident Reportable?
90
Forward Together • ReliabilityFirst
Green Tabs (Populations)
Please fill out all fields on all population tabs where populations exist.
If there are no populations for a tab, enter "no data exists" on the first line.
For more information on all the population tabs, see the CIP Version 5 Evidence Request (Attachment C) User Guide on the RF website under Compliance\Guidance on CIP Standards.
Sample Sets L2 Tab
Samples selected by RF for use with Level 2 requests
Sample Set | Request ID | Source Tab | Population | Possible Grouping | Sample Type | Insert Sample Set
SS-007-R4-L2-01 | CIP-007-R4-L2-04, CIP-007-R5-L2-05 | CA | Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers | (none) | Judgmental | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers
SS-007-R4-L2-02 | CIP-007-R4-L2-05, CIP-007-R4-L2-06 | CA | Cyber Assets that are members of or associated with high impact BES Cyber Systems | (none) | Judgmental | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems
SS-007-R5-L2-01 | CIP-007-R5-L2-01, CIP-007-R5-L2-02 | CA | Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers or medium impact BES Cyber Systems with External Routable Connectivity | (none) | Judgmental | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers or medium impact BES Cyber Systems with External Routable Connectivity
Sample Sets L2 Tab
You will receive a spreadsheet for each Standard
The spreadsheets contain tabs for each Sample Set
You will use these Sample Sets as you complete the Level 2 requests
Level 2 Tab
Requests for evidence based on the Sample Sets
When submitting the Level 2 requests, create a separate PDF for each request ID
NOTE TO AUDIT TEAM - Replace <insert date one week prior to Thirty (30) business days prior to on-site audit > with applicable date in rows below

Request ID | Standard | Requirement | Sample Set | Sample Set Description | Sample Set Evidence Request
CIP-007-R5-L2-02 | CIP-007-6 | R5 Part 5.1 | SS-007-R5-L2-01 | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers or medium impact BES Cyber Systems with External Routable Connectivity | For each Cyber Asset selected in Sample Set SS-007-R5-L2-01 not covered by an approved TFE, provide evidence that the method(s) provided in response to CIP-007-R5-L2-01 are enforced.
CIP-007-R5-L2-03 | CIP-007-6 | R5 Part 5.2 | SS-007-R2-L2-01 | Sample of all Cyber Assets on the CA tab | For each Cyber Asset selected in Sample Set SS-007-R2-L2-01, provide the inventory of enabled default or other generic accounts.
CIP-007-R5-L2-04 | CIP-007-6 | R5 Part 5.2 | SS-007-R2-L2-01 | Sample of all Cyber Assets on the CA tab | For each Cyber Asset selected in Sample Set SS-007-R2-L2-01, provide the method used to identify enabled default or other generic accounts.
CIP-007-R5-L2-05 | CIP-007-6 | R5 Part 5.3 | SS-007-R1-L2-01 | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems with External Routable Connectivity | For all shared accounts that exist on each Cyber Asset in Sample Set SS-007-R1-L2-01, provide evidence that individuals with authorized access to those accounts are identified.
Level 3 Tab
We are not currently using the Level 3 tab
Request ID | Standard | Requirement | Sample Set | Sample Set Description | Sample Set Evidence Request
CIP-007-R4-L3-01 | CIP-007-6 | R4 Part 4.3 | SS-007-R4-L3-01 | List of specific dates for specific Cyber Assets | Provide evidence of actual logs for each Cyber Asset and each date in SS-007-R4-L3-01
CIP-010-R3-L3-01 | CIP-010-2 | R3 Part 3.4 | N/A | Sample of action plans to remediate vulnerabilities | For the sampled action plans to remediate or mitigate vulnerabilities identified by a vulnerability assessment, provide for each action plan: 1. The planned or actual completion date of the action plan. 2. The execution status of the action plan. 3. Evidence of the execution of the action plan.
Summary
Complete Green Tab Populations
• Fifty-five (55) business days prior to on-site audit

RF selects Sample Sets and returns Attachment C
• Within ten (10) business days

Complete Level 1 Requests for Policies, Programs, Processes, Procedures and non-population evidence
• Thirty (30) business days prior to on-site audit
• Package as one PDF per Standard
• CIP-014-2 evidence is reviewed on-site – DO NOT SEND

Complete Level 2 requests for evidence based on the Sample Sets
• Thirty (30) business days prior to on-site audit
• Package as one PDF per Request
Links to Attachment C
Attachment C and the User Guide are located on the RF website at Compliance\Guidance on CIP Standards
• CIP Version 5 Evidence Request (Attachment C) User Guide
• CIP Version 5 Evidence Request_RF5 (Attachment C)
Questions & Answers
Cyber Security Supply Chain Risk ManagementCorey Sellers, SDT Chair, Southern CompanyReliabilityFirst Spring WorkshopApril 20, 2017
RELIABILITY | ACCOUNTABILITY103
Administrative Items

• NERC Antitrust Guidelines
It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.

• Notice of Open Meeting
Participants are reminded that this webinar is public. The access number was widely distributed. Speakers on the call should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.
FERC Order No. 829

"[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations."
– Order No. 829, July 2016

• Standard(s) must be filed by September 2017
Link to draft CIP-013-1
Draft CIP-013-1 as Posted in January
# Requirement Summary
R1 Requires entities to implement one or more documented supply chain risk management plan(s) for mitigating risks to BES Cyber Systems and associated cyber systems
R2 Requires entities to review the plan every 15 calendar months and address new risks or mitigation measures, if any
R3 Requires entities to implement a process for verifying the integrity and authenticity of software and firmware and any upgrades to software and firmware before being placed in operation on high and medium impact BES Cyber Systems
R4 Requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems
R5 Requires entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems
Proposed Changes to CIP Standards

FERC Order 829 Objective | Version 1 of CIP-013 | Version 2 of CIP-013 | … plus modifications to other existing CIP Standards
1 – 4 | R1 Implement the supply chain cyber security risk management plan for BES Cyber Systems (incl. EACMS, PACS, PCAs) | R1 – Develop the supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems, including specific procurement processes; R2 – Execute plan(s) from R1 | CIP-003-8 (low impact BES Cyber Systems): R2 Attachment 1 Section 6 added
1 – 4 | R2 Review plan(s) every 15 months | Now R3 but remained essentially the same – Review plan(s) every 15 months | Review is part of the CIP-003 R2 changes above
1 | R3 (software authenticity) | R3 removed and moved to CIP-010-3 ("software integrity and authenticity") | CIP-010-3: Table R1 Part 1.6 added
2 | R4 (vendor remote access) | R4 removed and moved to CIP-005-6 ("visibility and disabling") | CIP-005-6: Table R2 Part 2.4/2.5 added
1 – 4 | R5 (Low impact BES Cyber Systems) | Removed | No changes
Requirement R1 Key Changes
• Focus R1 on High and Medium Impact BES Cyber Systems
• Move R1 related (i.e., "procurement" related) Low Impact BES Cyber System Requirements to CIP-003
• Split into two requirements:
  – R1 now "develop one or more… plan(s)"
  – R2 now "implement… plan(s)"
• Specifically note (1) renegotiation or abrogation of existing contracts is not required, (2) actual contract T's & C's are out of scope, and (3) vendor performance and adherence to a contract are out of scope
Requirement R2 Key Changes
Draft R2: Requires entities to review the plan every 15 calendar months and address new risks or mitigation measures, if any
• Change to mirror other 15 month review language
• No explicit "address new risks or mitigation measures" requirement
Requirement R3 Key Changes
Draft R3: Requires entities to implement a process for verifying the integrity and authenticity of software and firmware and any upgrades to software and firmware before being placed in operation on high and medium impact BES Cyber Systems
• Move this operational requirement into existing CIP standards
  – Received assistance from "CIP Modifications" Standard Drafting Team
  – Proposed change to CIP-010 (Table R1 Part 1.6 added)
  – Will be posted along with CIP-013 and other CIP changes as single package
• Adding phrase "when the method to do so is available to the Responsible Entity from the software source" to account for situations in which a vendor cannot or will not provide needed functionality
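The R3 / CIP-010 Part 1.6 language asks for a process that runs before software is placed in operation and that copes with vendors who publish no verification method. The following is an added illustration of such a gate, not SDT or NERC material: the "algo:hex" manifest format, the file names and the image bytes are all constructed for the example, and the vendor manifest is assumed to have been obtained over an authenticated channel (signed release notes, TLS vendor portal), which is what gives the published digest its authenticity.

```python
"""Pre-deployment software/firmware integrity gate (illustrative example)."""
import hashlib
import hmac
from typing import Dict, Optional

# Digest algorithms accepted from a vendor manifest. MD5/SHA-1 are reported as
# a weak method rather than silently trusted.
ACCEPTED_ALGOS = {"sha256", "sha384", "sha512"}


def check_digest(payload: bytes, published: Optional[str]) -> str:
    """Compare a downloaded image against the vendor-published digest.

    `published` is the vendor value in "algo:hex" form (assumed format), or None
    when the vendor supplies nothing, which is the "method not available from the
    software source" case the requirement language carves out.
    Returns one of: verified, mismatch, no-method, weak-method.
    """
    if published is None:
        return "no-method"
    algo, _, expected = published.strip().lower().partition(":")
    if algo not in ACCEPTED_ALGOS:
        return "weak-method"
    actual = hashlib.new(algo, payload).hexdigest()
    # compare_digest avoids leaking where the comparison diverged.
    return "verified" if hmac.compare_digest(actual, expected) else "mismatch"


def gate(manifest: Dict[str, Optional[str]], downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Decide per file whether it may be placed in operation.

    Only a verified digest lets a file through. Everything else is held and the
    reason is recorded, so a missing vendor method is documented in the change
    record rather than treated as a pass.
    """
    decisions = {}
    for name, payload in downloads.items():
        status = check_digest(payload, manifest.get(name))
        decisions[name] = "install" if status == "verified" else f"hold ({status})"
    return decisions


# Constructed sample data; in practice the manifest comes from the vendor and the
# image from wherever it was downloaded.
GOOD_IMAGE = b"RTU-FW-3.2.1: constructed sample firmware image bytes"
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"\x00"  # one byte altered in transit
VENDOR_MANIFEST = {
    "rtu-fw-3.2.1.bin": "sha256:" + hashlib.sha256(GOOD_IMAGE).hexdigest(),
    "hmi-patch-7.bin": "md5:" + "0" * 32,   # vendor only publishes MD5
    "legacy-relay-1.0.bin": None,           # vendor publishes nothing
}

if __name__ == "__main__":
    downloads = {
        "rtu-fw-3.2.1.bin": TAMPERED_IMAGE,
        "hmi-patch-7.bin": b"patch",
        "legacy-relay-1.0.bin": b"relay",
    }
    for name, decision in gate(VENDOR_MANIFEST, downloads).items():
        print(f"{name}: {decision}")
```

Run stand-alone it holds all three constructed files (tampered image, MD5-only, no method). The point of the four distinct statuses is that an auditor reviewing the change record can tell a failed verification from a case where no method existed, which is exactly the distinction the added phrase introduces.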
Requirement R4 Key Changes
Draft R4: Requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems
• Move this operational requirement into existing CIP standards
  – Received assistance from "CIP Modifications" Standard Drafting Team
  – Proposed change to CIP-005 (Table R2 Part 2.4/2.5 added)
  – Will be posted along with CIP-013 and other CIP changes as single package
• Focus on visibility and the ability to disable remote access
  – 2.4 – Have "one or more methods for determining active vendor remote access sessions" (including IRA and system-to-system)
  – 2.5 – Have "one or more methods to disable active vendor remote access" (including IRA and system-to-system)
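Parts 2.4 and 2.5 ask for a method to see active vendor sessions, including system-to-system connections that carry no user name, and a method to end them. Below is an added example of what such methods look like in code; it is not SDT, NERC or vendor material. The vendor account prefix "v-", the vendor source network (TEST-NET-3, 203.0.113.0/24), the CSV export columns and every session row are constructed for the example.

```python
"""Determining and disabling active vendor remote access sessions (illustrative)."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed registry of what "vendor" means at this entity: an account naming
# convention for Interactive Remote Access, and the address space the vendor's
# system-to-system connections originate from.
VENDOR_ACCOUNT_PREFIX = "v-"
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed export merging the jump host's IRA session table with the
# firewall's connection table for system-to-system traffic into the ESP.
SESSION_EXPORT = """\
source,kind,session_id,user,src_ip,dst_ip,dst_port,state
jumphost,IRA,ssh-4411,v-acme-jdoe,203.0.113.20,10.10.5.11,22,active
jumphost,IRA,rdp-4412,ops-tsmith,10.20.0.8,10.10.5.12,3389,active
jumphost,IRA,ssh-4390,v-acme-svc,203.0.113.21,10.10.5.13,22,closed
firewall,S2S,fw-77100,,203.0.113.40,10.10.5.30,20000,active
firewall,S2S,fw-77101,,10.20.9.4,10.10.5.30,20000,active
"""


@dataclass(frozen=True)
class Session:
    source: str
    kind: str        # "IRA" (interactive) or "S2S" (system-to-system)
    session_id: str
    user: str        # empty for system-to-system connections
    src_ip: str
    dst_ip: str
    dst_port: int
    state: str


def parse_sessions(text: str) -> List[Session]:
    rows = csv.DictReader(io.StringIO(text))
    return [Session(r["source"], r["kind"], r["session_id"], r["user"],
                    r["src_ip"], r["dst_ip"], int(r["dst_port"]), r["state"])
            for r in rows]


def is_vendor(s: Session) -> bool:
    """Vendor if the account follows the vendor convention, or the source address
    sits in a registered vendor network (this is what catches S2S with no user)."""
    if s.user.startswith(VENDOR_ACCOUNT_PREFIX):
        return True
    src = ipaddress.ip_address(s.src_ip)
    return any(src in net for net in VENDOR_NETWORKS)


def active_vendor_sessions(sessions: List[Session]) -> List[Session]:
    """Part 2.4: the method for determining active vendor remote access sessions."""
    return [s for s in sessions if s.state == "active" and is_vendor(s)]


def disable_actions(sessions: List[Session]) -> List[str]:
    """Part 2.5: one concrete disable action per active vendor session.

    Returned as action strings so they can be reviewed and logged before being
    executed against the jump host / firewall through whatever API those expose.
    """
    actions = []
    for s in active_vendor_sessions(sessions):
        if s.kind == "IRA":
            actions.append(f"jumphost: terminate {s.session_id} (user {s.user}, from {s.src_ip})")
        else:
            actions.append(f"firewall: block {s.src_ip} -> {s.dst_ip}:{s.dst_port} and reset {s.session_id}")
    return actions


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_EXPORT)
    for s in active_vendor_sessions(sessions):
        print("active vendor session:", s.kind, s.session_id, s.user or "(system)", s.src_ip)
    for action in disable_actions(sessions):
        print("disable:", action)
```

Two design points worth keeping when adapting this: the classification is by source address as well as by account, because a system-to-system tunnel from a vendor site has no interactive user to match on; and a closed session is deliberately excluded from the disable list, so the evidence shows which sessions were active at the moment the method ran.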
Requirement R5 Key Changes
Draft R5: Requires entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems
• Remove R5 – no new operational requirements on Low Impact BES Cyber Systems
Standards Development Process
• 1st formal comment period January 20th – March 6, 2017
• Next formal comment period will begin in early May
• SDT is working to develop Implementation Guidance for CIP-013 and CIP-003 modifications based on posted Technical Guidance and Examples document
• Oct 2016 – Jan 2017: Tech Conference; 1st Formal Balloting
• May 2017: 2nd Formal Comment and Balloting
• August 2017: NERC Board Adoption
• September 2017: Deadline for filing
Contact Information
• Refer to the Project 2016-03 page for more information• Email [email protected] to join the email list• Corey Sellers, Southern Company, SDT Chair Email at [email protected]
• JoAnn Murphy, PJM Interconnection, SDT Vice Chair Email at [email protected]
AGENDA
• NIPSCO Overview• Company Overview and Compliance Culture
• Introduction of NIPSCO Speakers• Mike Melvin• Mark Kelly• Steve Sumichrast
NIPSCO
NIPSCO’s Presentation Expectations
• We want you to walk away with a clear view of our culture of compliance.
• We want to learn from discussions and outcomes
• We embrace continuous improvement
• We welcome peer feedback
NiSource Profile
• Fortune 500 Energy Company – One of five headquartered in Indiana
• Publicly traded – NYSE: NI
• Serving 3.8 million customers – Electricity and natural gas
• Presence in more than 20 states – Gulf Coast to the Midwest to New England
NIPSCO's Electric Profile
• 468,000 Electric Customers in 20 Counties
• 3,291 MW Generating Capacity
• Operates 6 Electric Generating Facilities (3 Coal, 1 Natural Gas, 2 Hydro)
• 2,800 Miles of Electric Transmission (69kV +)
• Interconnects with 5 Major Utilities (3 in MISO; 2 in PJM)
NIPSCO Program Focus
• Key Focus – Reliability of the Bulk Electric System
• Meet All Compliance Requirements
• Good Compliance Governance
• Industry Awareness
• Effective Management Systems
  – Keep us on task
  – Capture our compliance policies and evidence
NIPSCO Compliance Culture
• Engaged & Focused Senior Leadership
• Dedicated & Robust NERC Compliance Department
• Separate Compliance Governance Function, CEO Direct Report
• Open Communication Channels to CEO & Other Senior Leaders
• Employee Education – Duty to Report Risks & Possible Violations
NERC Compliance Department Charter: The NERC Compliance Department provides NIPSCO executives with an independent and objective evaluation of adherence to standards required for the reliable operation of the Bulk Electric System.
NIPSCO NERC Compliance Organization (org chart)
• Chief Executive Officer – Joseph Hamrock
• Executive VP & President of NIPSCO – Violet Sistovaris
• Director Compliance Oversight – Noreta Davis
• Chief Operating Officer – Jim Stanley
• Senior VP Capital Execution – Mike Finissi
• VP Engineering Electric – Russ Atkins
• Managing Director Transmission – Matt Holtz
• Director NERC Compliance Programs – Mike Melvin
• Manager CIP Compliance; Manager NERC Compliance; Manager Compliance Training
NIPSCO CIP Compliance (org chart)
• VP Engineering Electric – Russ Atkins (CIP Senior Manager)
• Managing Director Transmission – Matt Holtz
• Director NERC Compliance Programs – Mike Melvin
• Manager CIP Compliance; Manager NERC Compliance; Manager Compliance Training
• CIP Compliance Engineers – Alan Janik, Christie Krsek, Julaine Dyke
• CIP Compliance Specialist – Sharon Carnes
NIPSCO Operations Technology (OT) (org chart)
• VP Engineering Electric – Russ Atkins
• Managing Director Transmission – Matt Holtz
• Manager Ops Technology Security – Frank Dessuit
• Leader CIP Applications – Paul Huseman
• Leader CIP Systems – Steve Sumichrast
• Leader CIP Security – Matt York
• Communication and Control; MECS
NIPSCO Generation Facts
• Generation Capacity of 3,291 MW
  ◦ 3 coal-fired generating stations (2,540 MW)
  ◦ 1 combined cycle generating station (535 MW)
  ◦ 4 combustion turbines (206 MW)
  ◦ 2 hydroelectric dams (10 MW)

NIPSCO Transmission Facts
• Transmission system
  ◦ 353 circuit miles of 345 kV lines
  ◦ 755 circuit miles of 138 kV lines
  ◦ 1,687 circuit miles of 69 kV lines
• Substations
  ◦ 56 transmission substations with voltage levels of 345kV, 138kV, 69kV, and 34kV
BA/TOP Control Centers
Primary Control Center: Hammond, IN
Backup Control Center: Merrillville, IN
Midcontinent Independent System Operator (MISO)
NIPSCO has been an active member of MISO since 10/01/2003
MISO performs scheduling and Reliability Coordinator functions for NIPSCO
MISO also performs numerous Balancing Authority functions for NIPSCO (JRO00001)
MISO administers the energy market for which NIPSCO is a participant
MISO performs a limited set of TOP functions for NIPSCO (CFR00132)
NERC & RF Registrations
• Balancing Authority (CFR)
• Load Serving Entity (CFR)
• Transmission Owner
• Transmission Operator (CFR)
• Transmission Planner (CFR)
• Purchasing Selling Entity
• Generator Owner
• Generator Operator
• Resource Planner (CFR)
• Distribution Provider
Tripwire Enterprise
• Tripwire Enterprise is a configuration monitoring tool
• Allows for tracking, alerting, and reporting on detected changes
• This is done typically through Command Output Capture Rules (COCRs)
  – Stores results of a command in the application database
  – Compares the previous results with the most recent version returned from the COCR
  – Creates a notification or other type of alert, depending on configuration, when a change is detected
Tripwire Whitelist Profiler
• Tripwire Whitelist Profiler is an app that is added to Tripwire Enterprise
  – Allows for a desired or authorized configuration to be set (a whitelist)
  – Added to Tripwire Enterprise through specific Whitelist Profiler COCRs available for download from Tripwire Customer Center
  – Specific NERC CIP rules, policies, and reports are available for download
  – Tripwire Enterprise monitors the Whitelist Profiler COCRs to monitor for and notify on detected changes to those states
• Works as a complement to Tripwire Enterprise, not as a stand-alone product
http://www.tripwire.com/register/tripwire-whitelist-profiler/
NIPSCO's Use of Tripwire Whitelist Profiler
NIPSCO uses Tripwire Whitelist Profiler to:
1. Efficiently monitor approved configurations
2. Reduce excess noise of detected changes to already approved configurations
3. Quickly and easily report on information related to the approved configurations
Monitoring Approved Configurations
• NIPSCO has imported NERC CIP rules for Whitelist Profiler available from Tripwire
• Rules include items necessary for a CIP-010 baseline such as:
  – Logical network accessible ports
  – Installed software
• Whitelist Profiler settings are configured in CSV files
• Configuration files are analyzed when the rules are run on the node
Monitoring Approved Configurations
• Prior to using Tripwire, NIPSCO relied on configuration dump scripts and performed comparisons on the results of those scripts
• Whitelist Profiler allows for configuration monitoring to be done automatically and specifically checks for the authorized settings
• Key benefits:
  – Increased efficiency in configuration monitoring
  – Reduced chance for human error in manual comparisons
Reducing Excess Noise of Detected Changes
• Potential pitfall of automatic configuration monitoring is the excess noise produced from monitoring too much too often
• NIPSCO has tuned the Whitelist Profiler rules to reduce this noise using:
  – Whitelist Profiler configuration settings
  – Regex filters in both the Whitelist Profiler configuration files and the rules
  – Adjusted severity levels to only monitor but not report on information deemed to be less important
  – Whitelist Profiler Policy rules
Reducing Excess Noise of Detected Changes
• Whitelist Profiler tags any settings outside the desired configuration as "Unauthorized Items"
• Policy rules store only information that is tagged as "Unauthorized"
  – Notification is raised only if a detected change is outside the approved settings
  – Allows for cases such as ignoring changes to dynamic network port numbers
Reporting on Approved Configurations
• Tripwire Whitelist Profiler allows for additional information to be appended to the configuration items
• NIPSCO has included fields for items such as:– Network port business justification– Network port documentation– Software type (Commercial, Open-Source, or Custom)– Comments related to the item– Change ticket number for the authorization of that item
Reporting on Approved Configurations
• Additional information in Whitelist Profiler configuration files is appended to the output stored in Tripwire
• Storing the information in the application allows for Tripwire Enterprise reports to contain all the documentation needed for specific items on specific assets
• NIPSCO has built “CIP-010 R1 Baseline Reports” which pull all the information necessary for a CIP-010 R1 baseline
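The three ideas in the slides above (compare observed state against an authorized list, filter dynamic items before they can alert, and carry business justification and change ticket with each baseline item so the report is self-documenting) do not depend on any one product. The block below is an added, stand-alone example of that pattern; it is not Tripwire's or NIPSCO's code and does not use Whitelist Profiler's file format. The whitelist CSV columns, the `ss -tlnp`-style port listing, the software list, the loopback/dynamic-range noise rule and every value in them are constructed for the example.

```python
"""Whitelist-style baseline check with noise filtering and per-item documentation
(illustrative example; not Tripwire or NIPSCO code)."""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed authorized-configuration file: one row per approved item, carrying
# the documentation that should travel with the baseline.
WHITELIST_CSV = """\
item_type,value,justification,doc_ref,change_ticket
port,tcp/22,Engineering SSH access via jump host,NET-STD-004,CHG0004410
port,tcp/443,HMI web interface,ICS-ARCH-009,CHG0003710
port,tcp/502,Modbus/TCP polling from SCADA front end,ICS-ARCH-012,CHG0003987
software,Acme RTU Manager 3.2.1,Vendor configuration tool,APP-INV-031,CHG0004501
software,Monitoring Agent 8.5,Configuration monitoring agent,SEC-TOOL-002,CHG0004120
"""

# Constructed command output in the shape of `ss -tlnp` on a Linux Cyber Asset.
PORTS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:502         0.0.0.0:*         users:(("rtu-fe",pid=1201,fd=5))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2044,fd=3))
LISTEN 0      128    127.0.0.1:51234     0.0.0.0:*         users:(("rtu-fe",pid=1201,fd=9))
"""

# Constructed installed-software listing, one package per line.
SOFTWARE_OUTPUT = "Acme RTU Manager 3.2.1\nMonitoring Agent 8.5\nPuTTY 0.70\n"

SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>[\d.*]+):(?P<port>\d+)\s")
# Noise filter: loopback listeners in the IANA dynamic range are opened per poll
# cycle by the SCADA front end; they churn constantly and are not baseline items.
LOOPBACK = re.compile(r"^127\.0\.0\.1$")
DYNAMIC_PORTS = range(49152, 65536)

Item = Tuple[str, str]  # (item_type, value)


def load_whitelist(text: str) -> Dict[Item, Dict[str, str]]:
    return {(r["item_type"], r["value"]): r for r in csv.DictReader(io.StringIO(text))}


def observed_ports(text: str) -> List[str]:
    found = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        port = int(m["port"])
        if LOOPBACK.match(m["addr"]) and port in DYNAMIC_PORTS:
            continue  # filtered as noise before comparison, so it never alerts
        found.append(f"tcp/{port}")
    return found


def observed_software(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines() if line.strip()]


def compare(whitelist: Dict[Item, Dict[str, str]], observed: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Tag each observed item Authorized (with its documentation) or Unauthorized,
    and flag approved items that have disappeared (a removed control is a change too)."""
    findings, seen = [], set()
    for item_type, values in observed.items():
        for value in values:
            seen.add((item_type, value))
            row = whitelist.get((item_type, value))
            findings.append({
                "item_type": item_type, "value": value,
                "status": "Authorized" if row else "Unauthorized",
                "justification": row["justification"] if row else "",
                "change_ticket": row["change_ticket"] if row else "",
            })
    for (item_type, value), row in whitelist.items():
        if (item_type, value) not in seen:
            findings.append({"item_type": item_type, "value": value, "status": "Missing",
                             "justification": row["justification"],
                             "change_ticket": row["change_ticket"]})
    return findings


def unauthorized(findings: List[Dict[str, str]]) -> List[Item]:
    """Policy-rule view: only items outside the approved set raise a notification."""
    return [(f["item_type"], f["value"]) for f in findings if f["status"] == "Unauthorized"]


def baseline_report(node: str, findings: List[Dict[str, str]]) -> str:
    """CSV baseline report for one node: every item with its justification and ticket."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["node", "item_type", "value", "status", "justification", "change_ticket"])
    for f in findings:
        writer.writerow([node, f["item_type"], f["value"], f["status"],
                         f["justification"], f["change_ticket"]])
    return out.getvalue()


if __name__ == "__main__":
    results = compare(load_whitelist(WHITELIST_CSV),
                      {"port": observed_ports(PORTS_OUTPUT),
                       "software": observed_software(SOFTWARE_OUTPUT)})
    print(baseline_report("rtu-fe-01", results))
    print("notify:", bool(unauthorized(results)))
```

On the constructed input the report lists tcp/8080 and PuTTY 0.70 as Unauthorized (the only two items that would notify), tcp/443 as Missing, and the authorized items with their ticket numbers, while the dynamic loopback listener on 51234 never appears. The noise rule is applied at collection time rather than at alert time on purpose: a filtered item should not be stored as a change at all, which is also what keeps the stored baseline small enough to hand to an auditor.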
Questions?
NERC CIP v5 Journey
Partnering with RF to achieve top decile NERC CIP performance
Presenters
Chris Plensdorf, Manager NERC [email protected]
George Becker, IT Senior Security [email protected]
NERC Security and Compliance, DTE Electric Company
• DTE Energy – About Us
• Our NERC Security and Compliance Journey
• The Road Ahead – Top Decile Performance
DTE Energy, a Michigan based utility

Utility (75%-80%):
• DTE Electric – Electric generation and distribution; 2.2 million customers; 11,700 MW capacity; fully regulated
• DTE Gas – Natural gas transmission, storage and distribution; 1.2 million customers; fully regulated

Non-Utility (20%-25%):
• Gas Storage & Pipelines – Transport and store natural gas; 5 pipelines, 91 Bcf of storage
• Power & Industrial Projects – Own and operate energy related assets; 66 sites, 17 states
• Energy Trading – Active physical and financial gas and power marketing company
NERC CIP Regulated Sites (map of high impact, medium impact, and low impact asset locations)
Continuous Improvement (CI) is one of our corporate priorities. Our system of corporate priorities drives our aspiration to be the "best operated energy company in North America and a force for growth in the communities where we live and serve". We regularly use CI tools in achieving top decile NERC CIP performance.
DTE Energy Priority (CI tools)
• Root Cause Analysis
• Systematic Problem Solving
• Process Innovation/Mapping
• Standard Work Instructions

Strategic NERC CI Work
• Embedded Tests
• Huddles/PRT
• Shared Lessons Learned
• Metrics / Scorecard
Our NERC Security and Compliance Journey
Security vulnerabilities identified in RF's 2014 audit stemmed from four root causes:
• Lack of senior management engagement
• Confusing and ineffective organizational structure
• Lack of the necessary dedicated resources
• Lack of defined processes, metrics, and controls
We've taken tangible steps to address these root causes:
• Executive Leadership
• New Leadership and Organizational Structure
• Dedicated Business Unit Resources
• Targeted Communications Outreach
• Process Controls
• Collaborative Partnership with RF
Executive commitment and NCO restructuring enhance compliance posture

New Leadership and Organizational Structure
• Director level leadership added to NERC Compliance Organization (NCO)
• NCO transferred to a more central organization within DTE Electric (no longer housed within Electric Distribution)

Executive Leadership
• Senior Executive NERC Committee – Weekly
• Leadership transcends business unit "silos"
• Clear, top-down message of NERC Security and Compliance
Resource allocation and clear program ownership key to improvement

Dedicated Business Unit Resources
• Dedicated resources embedded with Business Units
• Assigned Business Unit CIP standard program owners
• Weekly Business Unit Liaison meetings
• Individual employee goals cascaded to the work plans of 65 business unit liaisons and subject matter experts
CIP standards divided into 16 programs and assigned to Business Unit, director, manager, SME and NCO partner

# | CIP v5 Program | Business Unit | CIP Standards and Requirements
1 | Bulk Electric System Asset Management | NCO | CIP-002
2 | Management Controls Program | NCO | CIP-003
3 | Security Awareness Program | IT | CIP-004 R1
4 | CIP Role Based Training | NCO | CIP-004 R2.1, R2.3
5 | Personnel Risk Assessment Program | HR | CIP-004 R3
6 | Access Management and Revocation | IT | CIP-004 R2.2, R3.5, R4, R5, CIP-007 R5.3
7 | Electronic Security Perimeter Management | IT | CIP-005
8 | Physical Security Program | Corp Sec | CIP-006
9 | Systems Security Program | IT | CIP-007 R1, R3, R5
10 | Patch Management Program | IT | CIP-007 R2
11 | Cyber Systems Monitoring Program | IT | CIP-007 R4
12 | Incident Response Program | IT | CIP-008
13 | System Recovery Program | IT | CIP-009
14 | Change and Configuration Management | IT | CIP-010 R1, R2
15 | Vulnerability Management Program | IT | CIP-010 R3
16 | Information Protection Program | IT | CIP-011

(The original slide also names a Director, Manager, SME and NCO Partner for each program; those columns are not reproduced here.)
Awareness and culture of compliance fostered through multiple communication touchpoints

Targeted Communications Outreach
• Tone at the Top: level setting WebEx by executive leadership
• Leadership Engagement: NERC CIP presentation at November 2016 DTE Electric Leadership Forum
• Departmental Stand-downs: IT and Corporate Security
• Town halls at NERC CIP v5/v6 locations: building engagement and awareness
• Enhanced NERC CIP training content
• Improved PSP door signage
Sustainment process provides oversight and structure for complying with NERC CIP requirements

Strong process controls through Sustain Project
• Commended by RF during the 2016 Spot Check
• Labor intensive manual process
• Excel based
• Managed and tracked on a weekly cadence
[Figure: example of a weekly report out – Sustain Project schedule metric]
Collaborative partnership with RF is a key component to DTE's Journey

Leadership Engagement
• Frequent open conversation between DTE and RF leadership driving transparency, collaboration and common purpose
• DTE VP Matt Paul now serving three-year term on RF board

RF Technical Assistance
• Assist Visits
  – Assist Visits were an underutilized service offered by RF
  – DTE and RF embarked on a year-long commitment to monthly assist visits in 2016
• Active involvement in our Potential Violation Process

Benchmark Coordination
• RF recommended and helped coordinate benchmarking opportunities enabling DTE to learn from high performing NERC programs and companies facing similar challenges

Thank you to Lew Folkerth and Dave Sopata for assistance visits!
We've seen significant improvement as a result of these steps:
• Improved Culture of Compliance
• Strong Potential Violation (PV) Process
• Early Implementation of CIP v5/v6
An improved culture of compliance is evidenced by a willingness to raise your hand and identify defects
[Chart: 2016 NERC CIP defects by who identified them – Business Unit Identified vs. Central NERC Organization Identified]
Defect identification largely occurring at point of activity
• BUs identified 85% of NERC CIP defects
• Surfacing of defects is an integral part of our commitment to continuous improvement (CI)
• This process ultimately drives reduction of security risks
"Celebrate the Gap"
Potential violation process rapidly surfaces and resolves NERC compliance and security issues
[Chart, 2016 data: average business days from issue identification to report submittal, shown for Self Report, Mitigation Plan, and Mitigation Plan Evidence Package; axis 0 to 90 business days]
NERC program improvements enabled April 2016 go-live affording valuable learning period for v5/v6 standards

Early Implementation 2016
• Three month grace period afforded by postponed enactment date
• Mock audit successfully completed during early implementation phase
• Sustainment process piloted April-June 2016
The Road Ahead – Top Decile Performance
We have improvements underway as part of our journey to top decile performance:
• RF continues key role
• Internal Controls Program
• Maximo for BES Asset List
• Cyber Asset Baseline Monitoring
• Shared Account Management
• Early Implementation of NERC CIP v6
RF will continue to play a key role moving forward
• Collaboration on potential violation process
• Benchmarking recommendations and connections
• Assistance with security and NERC CIP implementation
• Transition to Internal Controls Evaluation (ICE)
Risk based internal controls program to provide a framework for systemic compliance
• Completion of Phase 1 – Fall 2017
NERC BES Asset List on Maximo

Automated tools reduce compliance risk
• Transitioning our Bulk Electric System Cyber Systems (BCS) asset list from an Excel spreadsheet to the asset and work management tool Maximo
• Supports CIP-002 compliance

Maximo BES Implementation Timeline
• Plan / Design – Q2 2016
• Build List / Transition – Q3/Q4 2016
• Train / Verify – Q1 2017
• Use / Expand – Present to 2018
Cyber Asset Baseline Monitoring

Automated tools reduce compliance risk
• Tripwire will increase automation of the monthly baseline configuration management from 25% to 90% for our High & Medium NERC CIP Assets
• Supports CIP-010 compliance and helps the configuration change management process to become more efficient for asset owners

Tripwire Implementation Timeline
• Plan / Design – 12/29/2016
• Build / Install – 2/3/2017
• Deploy / Optimize – 7/21/2017
• Complete / Operate – 4/18/2018
Shared Account Management

Automated tools reduce compliance risk
• System level controls to effectively monitor and control the usage of shared and privileged accounts on High/Medium Bulk Electric System (BES) Cyber Assets
• Supports CIP-007 R5 Parts 5.2, 5.3, 5.4 and CIP-004 R5 Part 5.5 compliance

CyberArk Implementation Timeline
• Plan / Design – April 2016
• Data Capture / Connectors – April 2017
• Build / Test – May 2017
• Complete / Operate – September 2017
Early Implementation for NERC CIP v6 low impact assets

Early implementation
• Implementation scheduled March 31st, 2018 (5 months early)
• 12,982 FTEs estimated to complete LI physical and electronic infrastructure upgrades

Low Impact Timeline
• LI Gap Evaluation – 1/20/2017
• v6 Plans & Policies – 4/1/2017
• Infrastructure Upgrades – through 3/31/2018
• 5 Month Compliance Pilot – 3/31/2018 to 9/1/2018
Design approach for low impact asset physical and electronic infrastructure upgrades

Electronic Protections
• Where feasible, leverage existing NERC CIP High- and Medium-impact approaches
• Use standardized approach at all facilities
• Place all Low-impact routable cyber assets behind Low-impact Electronic Access Point (LEAP)
• LEAP placement localized at each site

Physical Protections
• Primary Controls: physical protection requirements for Non-Routable & Routable LI BES Assets – site perimeter fencing, facility doors
• Secondary Controls: physical protection for Routable LI BES Assets – locked cabinets, locked cages, cyber locks on control panels, etc.
Summary
• We have moved the dial on NERC CIP security and compliance and dramatically changed our culture
• RF played a significant role in driving this improvement and will be a key partner moving forward
• With many of the resources and tools coming into place, we now must prove ourselves in the RF 2017 CIP audit and beyond
• We are committed to top decile industry performance by the end of 2018
CIP-014-2 Physical Security: What to Expect
April 20, 2017
CIP-014-2
• Purpose – To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.
How did we get here?
• April 16, 2013: PG&E's Metcalf Substation attack
  – 52,000 gallons of oil
  – 16 transformers
  – $15M in damages
• March 7, 2014: FERC directs NERC to submit a physical security reliability standard within 90 days
• May 13, 2014: NERC Board approves CIP-014
• CIP-014-2 effective 10/2/2015
Metcalf Site – Then / Now (site photographs)
Changes Made
• Vegetation in close proximity to the substation fence has been removed
• Chain link fence has been replaced with a solid material (e.g. concrete) that restricts exterior line of sight into the substation
• Additional lighting to ensure better camera visibility of the site
• Additional cameras were installed including PTZ to further enhance security monitoring
180
RF Audit Approach
• What the auditor needs to assess compliance
– R1 – Asset Applicability
• List of Transmission stations/substations that meet the Applicability Section 4.1.1 criteria and are therefore eligible for further analysis
• List of Transmission stations/substations that require risk analysis
• Dated written or electronic documentation of the risk assessment for stations/substations that meet the Applicability Section 4.1.1 criteria; stations and substations in scope; system one-line diagram(s); risk assessment methodology
– Original documents showing how the risk assessment was performed and by whom (e.g., power flow analysis, system flow analysis, contingency loadings, cascading, etc.)
RF Audit Approach
– R2 – Third party verification of risk analysis
• Evidence of review of the risk assessment
– Dated original documents of the review of the assessment criteria used in R1 and the results of that review
– PJM and MISO may provide this review if requested
• The third party verification may occur concurrent with or after the risk assessment performed under Requirement R1.
– R3 – Notification to Transmission Operator – if applicable
• Document indicating the date and to whom notification was made
RF Audit Approach
– R4 – Evaluation of potential threats and vulnerabilities
• One assessment PLAN per identified transmission station/substation
– Dated documents showing the Threats and Vulnerabilities assessment methodology and who performed the assessment
» Current and former local police, FBI, and TSA agents may often be willing to assist in this assessment
– Examples of characteristics that should be considered in the assessment include:
» Terrain/elevation of surrounding ground or structures providing line of sight
» Line-of-sight distance from approach avenues (distance and direction from which armament can be utilized)
» Proximity to and speed of adjacent vehicular traffic for vehicle-induced damage
» Proximity to traffic for easy vehicular access and egress (e.g., "drive-by" access)
» Proximity to other targets of interest or critical load (e.g., number of customers affected, densely populated area)
RF Audit Approach (cont'd)
– R4 – Evaluation of potential threats and vulnerabilities
– Be careful:
» Assets in different locations may face different threats
» Threats and vulnerabilities may vary at night
RF Audit Approach
– R5 – Develop physical security plan(s)
• Physical security plan(s) to deter, detect, delay, assess, communicate and respond to the threats and vulnerabilities identified in R4
– Resiliency may be considered as an element of the physical security plan
» If resiliency is an element of your physical security plan(s), be sure to DEFINE what you determine to be resiliency
» If you do not define what you determine to be resiliency, the auditor will do it for you
RF Audit Approach
– R6 – Review of Plans
• Unaffiliated third party to review the threat and vulnerability evaluation in R4 and the security measures in R5
– Document identifying who reviewed your plans and the qualifications of the reviewer
– Dated and signed statement by the reviewer indicating the date the review was completed
– Dated and signed document indicating changes to your plan(s) recommended by the reviewer
» NOTE: If changes are recommended by the reviewer, you can:
• Accept the recommended changes and modify your TVA (threat and vulnerability assessment) in R4 or your physical security plan(s) identified in R5, OR
• Provide a dated and signed document giving the reason(s) for not modifying the evaluation or security plan(s)
* Review the list of qualifying credentials for the third party reviewer noted in CIP-014-2 Requirement R6.1
RF Audit Approach
• R6 – Information protection
– Documentation of procedures to protect sensitive or confidential information
• Use of Non-Disclosure Agreements (NDAs) with vendors, contractors, and unaffiliated third party reviewers
• Site layout drawings or depictions (think PSP, the CIP-006 Physical Security Perimeter)
• Physical security plans and the elements being used (as in a PSP)
• Risk assessments and results
• Threat and Vulnerability assessments
• Any other information you deem sensitive or confidential
CIP-014-2 Implementation Schedule
– Flow chart below tracks the various steps required to comply with CIP-014-2
Implementing Physical Security Plan(s)
• Implementing the physical security plan(s) for designated assets
– Implementation schedule(s) must be developed for the physical security plan(s) identified in R5 and verified in R6
– The standard is silent as to when the plan(s) must be implemented
• Reasonable timelines with accompanying rationale are expected
– Reasonable is defined by Merriam-Webster as:
» being in accordance with reason
» not extreme or excessive
– What counts as reasonable depends on a myriad of factors, so be prepared to explain your reasoning to the auditor.
Auditing Implemented Physical Security Plan(s)
• Once implemented, the auditor will have to verify that the implemented plan(s):
– Addressed the characteristics of the Threat and Vulnerability Assessment identified in R4
– Put in place the physical security measures identified in R5 and verified in R6
• The verification process can be accomplished by:
– Reviewing photographs and other documentation of each site before and after plan implementation
– Site visit(s) by the auditor
– A combination of the two approaches
Questions & Answers