
Page 1: Identifying & Auditing Low Impact BES Assets: A Mock Audit · 2018-01-05 · –Senior Compliance Auditor, Cyber Security –IT Manager & Power Trading/Scheduling Manager –IT Program

Identifying & Auditing Low Impact BES Assets: A Mock Audit

BC Outreach Webinar: Session 2 Salt Lake City UT – January 9, 2018

Joseph B. Baugh, PhD

Senior Compliance Auditor – Cyber Security

Western Electricity Coordinating Council

Page 2

Speaker Intro: Dr. Joseph Baugh

• Electrical Utility Experience (44+ years)

– Senior Compliance Auditor, Cyber Security

– IT Manager & Power Trading/Scheduling Manager

– IT Program Manager & Project Manager

– NERC Certified System Operator

– Barehand Qualified Transmission Lineman

• Educational Experience

– Degrees earned: Ph.D., MBA, BS-Computer Science

– Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM

– Academic & Technical Course Teaching Experience (20+ years)

• Business Strategy, Leadership, and Management

• Information Technology, IT Security, and Project Management

• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation

• CIP Compliance workshops and other outreach sessions

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Page 3

Agenda

• Review CIP-002-5.1 Requirements

• Review CIP-002-5.1 Team audit approach

• Defining the Inventory of BES Assets

• CIP-002-5.1 Mock Audit

– Focus on Low Impact BES Assets

• Questions

Page 4

CIP-002-5.1 Overview

• CIP-002-5.1 is the first step on the CIP Compliance trail

• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1

• CIP-002-5.1 adds the DP function; the TSP function drops out

• Some entities may find they are only required to be compliant with CIP-002-5.1 (R1 & R2) and with CIP-003-5 (R1.2, R2, R3, & R4)

– True if applying the IRC to the entity’s inventory of BES Assets (see Part R1.i – R1.vi) generates null R1.1 & R1.2 lists

– Must provide a valid R1.3 list of Low Impact BES Assets

– Typically requires a reduced scope audit that may be conducted on-site, at WECC offices, or other locations, as necessary

Page 5

CIP-002-5.1: Part R1.i – R1.vi

• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]

– i. Control Centers and backup Control Centers;

– ii. Transmission stations and substations;

– iii. Generation resources;

– iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;

– v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and

– vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

• May generate Low impact BES Assets for R1.3 list under IRC 3.6

Page 6

CIP-002-5.1: R1

• Each Responsible Entity shall implement a process that considers each of the following assets (see Part R1.i-R1.vi) for purposes of parts 1.1 through 1.3:

[Figure: process flow – Inputs: Inventory of BES Assets → R1 Process → Outputs: List of High, Medium, & Low Assets]

[Figure: process flow – R1.1 - R1.2 Process: Identify BCS → Outputs: List of High & Medium Assets (R1.1, R1.2 Lists); Input: List of Low Impact Assets (R1.3 List)]

Page 7

CIP-002-5.1 Requirements: R2

• Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1]

• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3 & R4) must approve the initial lists [R2.2] and at least once every 15 months thereafter:

– The R1.1, R1.2, and R1.3 lists

– Include signed and dated null lists, if applicable

• The entity must maintain signed and dated records of the approvals listed above

– Electronic or physical approvals accepted

[Figure: process flow – Inputs: R1.1, R1.2, R1.3 Lists → R2 Review & Approval Process → Outputs: Signed and Dated Records]

Page 8

WECC Audit Team Approach

• Use a methodical approach to deliver consistent results across all entities

• Start with the RSAW supplied by the entity as initial working papers to document the audit and findings

• Review the evidence to develop findings

• Submit data requests for more information, as needed

Page 9

WECC Evidence Review

• Review Initial Evidence package supplied by the entity in response to the Pre-Audit Request for Information [RFI]:

– One-line diagrams

– Specific CIP-002-5.1 evidentiary documents:

• Documented process to identify and categorize the entity’s BCS and BES Assets

• Implementation of the process (i.e., application of the IRC to the inventory of BES Assets to develop the lists)

• Reviewed and approved R1.1 – R1.3 lists

• Entity responses to data requests, as applicable

Page 10

CIP-002-5.1 Audit Team Approach

• Audit to the Standard

• Review the evidence:

– Entity’s documented process

– Inventory of BES Assets

– One-line diagrams

– Application of the IRC

– R1.1, R1.2, R1.3 lists

– R2 records of current and prior approved versions of R1 & R2 documents (the bookends)

• DR for additional information, as needed

• Determine findings

• Complete the RSAW

• Develop the Audit Report

Page 11

Sample One-Line Diagram

Page 12

WECC Audit Team Approach

• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low impact BES Assets [R1.3], even if one or more of these lists are null

• Compare the lists against the one-lines and BES Asset inventory

• Hold interviews with the entity’s CIP SMEs, if necessary

• If audit is on-site, perform site visits (Trust, but Verify)

• Validate annual approval documentation [R2]

• Submit DRs, as needed, to clarify compliance

• Determine findings (NF, PV, or OA)

• Discuss findings with entire Cyber Security Team

• Complete RSAW

• Prepare CIP audit report (ATL & CPC)

Page 13

Pre-Audit CIP-002-5.1 Evidence

• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:

– [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.

– [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.

– [R1.3]: A list of identified Low impact BES Assets identified by application of Attachment 1, Section 3.

• [R2]: Signed and dated records of the list reviews and CIP Senior Manager or delegate approvals of the identifications required by R1, even if such lists are null.

Page 14

CIP-101 Mock Audit Overview

• Compare inventory of BES Assets against current definition of Bulk Electric System as adopted by the BCUC (BCUC, 2015 July 24, Order RM-38-15, p. 15; see also NERC, 2016 May 17, Glossary of Terms, pp. 23-26; NERC, 2014 April, BES Definition Guidance Document, v2)

• Did the entity identify and document lists of High impact BCS [R1.1], Medium impact BCS [R1.2] and a list of Low impact BES Assets [R1.3] through an application of the Impact Rating Criteria [IRC]? (BCUC, 2018 October 1, CIP-002-5.1: Attachment 1, pp. 14-16)

Page 15

The Entity's BES Asset Identification

• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC

– Starts with an overall Inventory of entity BES assets

– Inventory is validated against the one-line diagram(s)

– Apply the IRC to validate the R1.x lists

Page 16

Definition of Control Center

• One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of:

– 1) a Reliability Coordinator,

– 2) a Balancing Authority,

– 3) a Transmission Operator for transmission Facilities at two or more locations, or

– 4) a Generator Operator for generation Facilities at two or more locations. (NERC, 2016 May 17, Glossary of Terms, p. 33)

Page 17

Low IRC (Control Centers)

Page 18

IRC 2.5 - Medium or Low Impact

Page 19

IRC 2.5 and Generation Interconnections

• NERC Lessons Learned document (2015 Oct 1) discusses how Entities should consider generation lead lines or interconnection lines as they apply IRC 2.5

• A radial generator lead line with no network flows (i.e., no power would flow through the line if the generator is off-line) and with the sole purpose of connecting generator output to a networked Transmission system would not qualify as a Transmission Line to be included in the IRC AWV calculation

• May apply to standalone generation units and distributed generation Facilities

• Identify interconnection points in the analysis

Page 20

Low IRC (Transmission not in Section 2)

Page 21

Low IRC (Generation not in Section 2)

Page 22

Low IRC (Protection Systems)

Page 23

Low IRC (DP Systems)

Page 24

Audit Lists of High & Medium BCS

• Review the R1.1 list of High impact BCS

• Review the R1.2 list of Medium impact BCS

• For most entities in this session, both the R1.1 and the R1.2 lists will be null, but must be explicitly:

– Reviewed by technical SMEs [R2.1], and

– Approved by the CIP Senior Manager or delegate at least once every 15 calendar months [R2.2]

Page 25

Audit List of Low Impact BES Assets

• Review the R1.3 list of Low impact BES Assets

• Correlate this list against:

– The entity’s inventory of BES Assets

– The entity’s one-line diagram

• The entity must provide CIP-003-5 protections, as applicable, to its Low impact BES Assets

Page 26

Validate BES Asset Lists

• Review and compare the entity’s one-line diagram to the current lists of BES Assets

• Do the results seem reasonable?

• Do the Transmission BES Assets align with the one-line diagram?

• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?

• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?

Page 27

Low impact BCS Security Controls

• Provide physical security protections at Low impact BES Assets, in accordance with R2.2 (BCUC, 2018 October 1, CIP-003-5, p. 5)

• Electronic Protections

– If a Low impact BCS [LIBCS] is contained within a Medium BCS ESP, protect the LIBCS as PCA to the Medium BCS, as applicable

– If a Low impact BCS has electronic access or dial-up connectivity, protect it with controls described in accordance with R2.3 (Ibid, p. 5)

• Future alert: Review NERC CIP-003-7 for physical and electronic access controls that may be implemented in the BCUC footprint (more on this in Session 3)

Page 28

R1.3 List of Low impact BES Assets

• R1.3 does not require discrete lists of Low impact BES Cyber Systems.

• However, R1.3 does require a list containing the name of “each asset that contains a low impact BES Cyber System.”

– This list should contain all generating plants, transmission stations, certain distribution stations, and certain “small” control centers, that meet one or more of the Section 3 IRC and contain low impact BES Cyber Systems.

Page 29

R1.3 List of Low impact BES Assets

– The entity should be prepared to demonstrate that all BES assets (locations) are accounted for on either the list of high impact, medium impact or low impact locations

– The entity should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protections (per CIP-003-5 R2.2-R2.3)

Page 30

Comparing Low impact BES Assets

• Not all Low impact BES Assets are created equal

– “Low impact” covers a wide range of BES locations and Facilities

– Within “Low impact” there are potentially vastly different risks and impacts to the reliability of the BES.

– The CIP Standards don’t make a distinction between a “big” (i.e., more impactful) Low impact BES Asset and a “small” (i.e., less impactful) Low impact BES Asset

• Consider the following examples of IRC 2.1 (w/ net Real Power capability [NRPC] calculations and Aggregated Weighted Value [AWV]) and IRC 2.5 (w/ AWV calculations):

Page 31

IRC 2.1 Low-impact GO/GOP Examples

[Figure: three generation plant examples – NRPC = 30 MW, AWV = 0; NRPC = 1400 MW, AWV = 1400; NRPC = 2800 MW, AWV = 3900]

Page 32

IRC 2.5 Low-impact TO/TOP Examples

[Figure: three substation one-line examples – AWV = 0; AWV = 2600; AWV = 5200 (line labelled "To SUB C")]
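The NRPC and AWV screens behind the figures on slides 31 and 32, the generator lead line exclusion from slide 19 and the radial-line exclusion from slide 35, worked through as an added example that is not part of the WECC deck. The inventory is constructed. The Criterion 2.5 line weights (700 for 200–299 kV, 1300 for 300–499 kV, no 2.5 weight for 500 kV and above, which Criterion 2.4 screens), the "three or more other stations" condition, the AWV > 3000 threshold and the 1500 MW figure for Criterion 2.1 are taken from CIP-002-5.1 Attachment 1 as I recall it, not from this page; confirm them against the current standard text before relying on them. The Sub Y case, where an AWV above 3000 still screens as low because only two other stations are reached, is my construction and not the deck's explanation of its figure. Function and class names are my own.

```python
"""Toy CIP-002-5.1 Attachment 1 screen for IRC 2.1 (generation) and IRC 2.5
(transmission), producing the R1.1/R1.2/R1.3 lists.  Added example, not from
the WECC deck; weights and thresholds are assumptions to verify against the
current standard text."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def line_weight(kv: float) -> int:
    """Criterion 2.5 weight per line (assumption: verify against the standard).
    Lines at 500 kV and above are screened by Criterion 2.4, so they carry
    no 2.5 weight here."""
    if 200 <= kv <= 299:
        return 700
    if 300 <= kv <= 499:
        return 1300
    return 0


@dataclass
class Line:
    name: str
    kv: float
    remote_station: str
    radial_load_only: bool = False      # slide 35: radial line serving only load
    gen_interconnection: bool = False   # slide 19: generator lead line, no network flow


@dataclass
class Asset:
    name: str
    kind: str                           # "generation" or "transmission"
    nrpc_mw: float = 0.0                # net Real Power capability (generation only)
    lines: List[Line] = field(default_factory=list)


def networked_lines(asset: Asset) -> List[Line]:
    """Lines that count toward IRC 2.5: the two excluded classes are dropped."""
    return [l for l in asset.lines if not (l.radial_load_only or l.gen_interconnection)]


def aggregate_weighted_value(asset: Asset) -> int:
    return sum(line_weight(l.kv) for l in networked_lines(asset))


def connected_stations(asset: Asset) -> Set[str]:
    """Other stations reached at 200 kV or above over networked lines."""
    return {l.remote_station for l in networked_lines(asset) if l.kv >= 200}


def impact_rating(asset: Asset) -> str:
    """Screen for IRC 2.1 and IRC 2.5 only.  Section 1 (Control Centers) and
    the other Section 2 criteria are not modelled, and 2.1 is applied per
    plant, so the unit-segmentation analysis slide 34 describes is out of scope."""
    if asset.kind == "generation":
        return "medium" if asset.nrpc_mw >= 1500 else "low"
    if asset.kind == "transmission":
        awv = aggregate_weighted_value(asset)
        if awv > 3000 and len(connected_stations(asset)) >= 3:
            return "medium"
        return "low"
    raise ValueError(f"unknown asset kind: {asset.kind}")


def build_r1_lists(inventory: List[Asset]) -> Dict[str, List[str]]:
    """R1.1/R1.2/R1.3 lists.  An empty list is a null list that still needs
    review and approval under R2 (slides 24 and 40)."""
    lists: Dict[str, List[str]] = {"R1.1": [], "R1.2": [], "R1.3": []}
    key = {"high": "R1.1", "medium": "R1.2", "low": "R1.3"}
    for asset in inventory:
        lists[key[impact_rating(asset)]].append(asset.name)
    return lists


def every_asset_accounted_for(inventory: List[Asset], lists: Dict[str, List[str]]) -> bool:
    """Slide 29: every BES asset appears on exactly one of the three lists."""
    listed = [n for names in lists.values() for n in names]
    return len(listed) == len(set(listed)) and set(listed) == {a.name for a in inventory}


# Constructed inventory echoing the values on slides 31-32.
PLANT_A = Asset("Plant A", "generation", nrpc_mw=30)
PLANT_B = Asset("Plant B", "generation", nrpc_mw=1400)
PLANT_C = Asset("Plant C", "generation", nrpc_mw=1600)
SUB_X = Asset("Sub X", "transmission", lines=[
    Line("X-1", 345, "Sub P"), Line("X-2", 345, "Sub Q"),
    Line("X-G", 230, "Plant B", gen_interconnection=True)])   # lead line, not counted
SUB_Y = Asset("Sub Y", "transmission", lines=[                # AWV 5200, but only two
    Line("Y-1", 345, "Sub C"), Line("Y-2", 345, "Sub C"),      # other stations reached,
    Line("Y-3", 345, "Sub D"), Line("Y-4", 345, "Sub D")])     # so 2.5 is not met
SUB_Z = Asset("Sub Z", "transmission", lines=[
    Line("Z-1", 345, "Sub P"), Line("Z-2", 345, "Sub Q"), Line("Z-3", 345, "Sub R"),
    Line("Z-4", 230, "Load tap", radial_load_only=True)])     # excluded as radial
INVENTORY = [PLANT_A, PLANT_B, PLANT_C, SUB_X, SUB_Y, SUB_Z]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:8s} AWV={aggregate_weighted_value(a):5d} -> {impact_rating(a)}")
    print(build_r1_lists(INVENTORY))
```

Running the module prints one line per asset and then the three lists; R1.1 comes out empty because Section 1 is not modelled, which is exactly the null list the deck says must still be reviewed and approved.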

Page 33

Compliance & Audit Implications

• Random or statistical sampling of low impact assets for CIPv5 audit purposes is not appropriate when sampling for Low impact BES Asset site visits

• Expect the audit team to apply judgmental or non-statistical sampling based on the audit team’s perception of risk and impact to the BES

– Expect more audit attention at Low impact Transmission Facilities with larger impacts

– Expect more audit attention at larger Low impact Generation plants than at smaller plants, particularly those that equal or exceed 1500 MW net Real Power capability, but which have been segmented to reduce the BCS impact rating under IRC 2.1

Page 34

Compliance & Audit Implications

• Expect more attention at any generation plant > 1500 MW NRPC, regardless of control system segmentation. The entity should be prepared to:

– Demonstrate how the unit controls are segmented, including computer network diagrams, firewall configurations, data flow analysis, etc.,

– Demonstrate the analysis of any common systems at the plant,

– Explain the analysis and include both time-based and impact-based components, and

– Facilitate site visits to any Generation plants with >= 1500 MW net Real Power capability.

Page 35

Compliance & Audit Implications

• Expect more attention at any Low impact Transmission substation with a significant number of 230kV and/or 345kV lines. The entity should be prepared to:

– Demonstrate how IRC 2.5 was applied

– Discuss all Transmission lines that were not calculated into the total AWV, e.g.:

• Excluded as Radial lines serving only load, or

• Classified as Generation Interconnection Facilities.

– Facilitate potential site visits to any Transmission substations that have mixed BCS impact levels

Page 36

R1: BES Asset List Review Questions

• Did the Entity apply the IRC appropriately?

• Did the Entity confer with its RC, PA, and/or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8 before moving them to the Low BES Asset list?

• Application Questions:

– Did the Entity consider all BES asset types in R1.i through R1.vi?

– Did the Entity review & evaluate all BES Assets through the IRC?

– Did the Entity clearly identify and document all BES assets in the appropriate impact rating?

• Is any additional information necessary?

Page 37

The Entity’s Review & Approval Process

• The next step in a CIP-002-5.1 audit is to determine if the entity reviewed the identifications of the lists created in R1, even if such lists are null.

– R1.1 list of High BCS

– R1.2 list of Medium BCS

– R1.3 list of Low impact BES assets

• Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists

– Either electronic or “wet-ink” signatures are acceptable

[Figure: process flow – Inputs: R1.1, R1.2, R1.3 Lists → R2 Review & Approval Process → Outputs: Signed and Dated Records]

Page 38

R2: Annual Approval Review Questions

• Did the Entity review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?

• Did the Entity update the lists, as necessary?

• Did the Entity CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?

• Application Questions

– Did the Entity provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?

• Are any DRs necessary?

– If so, what additional information is required?

Page 39

A Word to the Wise

• The WECC CIP-002 team has noted several issues with R2 during transition period audits that generated either Recommendations or an Area of Concern [AoC]

• A Recommendation is a suggestion for improvement, but does not indicate a failure to comply

• An AoC related to CIP-002-5.1 R1 or R2 during a transition audit will likely be a Possible Violation [PV] after October 1, 2018

• Several Entities have prepared nicely defined signature blocks, but failed to cite or include the actual R1.1, R1.2, and R1.3 lists

Page 40

Key Issues from the Transition

• An Entity that only has Low-impact BES Assets [R1.3] should still evaluate its inventory of BES Assets against the IRC, and prepare, review, and approve:

– A null list of High BCS [R1.1]

– A null list of Medium BCS [R1.2]

• Be sure to implement your documented R1 process, review the resulting three lists, and have the CIP Senior Manager or delegate approve them at least once every 15 calendar months
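A self-check over R2 approval records for the two failure modes slides 38 through 40 describe: a signature block that does not cite the R1.1, R1.2 and R1.3 lists it approves, and a cadence that slips past 15 calendar months. This is an added example, not part of the WECC deck, and the records are constructed. The reading of "at least once every 15 calendar months" as "by the end of the 15th calendar month after the month of the previous approval" is my assumption; confirm the interpretation with your Regional Entity before relying on it. Function names are my own.

```python
"""Check a list of CIP-002-5.1 R2 approval records for missing list citations
and cadence gaps.  Added example, not from the WECC deck; the calendar-month
reading of the 15-month interval is an assumption."""
import calendar
from datetime import date
from typing import Dict, List

REQUIRED_LISTS = ("R1.1", "R1.2", "R1.3")


def deadline_after(approved: date, months: int = 15) -> date:
    """Last day of the month `months` calendar months after `approved`
    (assumed reading of 'every 15 calendar months'; confirm with the Region)."""
    m0 = approved.year * 12 + (approved.month - 1) + months
    year, idx = divmod(m0, 12)
    month = idx + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def check_approvals(records: List[Dict]) -> List[str]:
    """records: dicts with 'date' (date), 'signed_by' (str), 'lists_cited' (tuple).
    Returns finding strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    ordered = sorted(records, key=lambda r: r["date"])
    for rec in ordered:
        missing = [name for name in REQUIRED_LISTS if name not in rec["lists_cited"]]
        if missing:  # slide 39: a tidy signature block that cites no lists
            findings.append(f"{rec['date']}: approval does not cite {', '.join(missing)}")
        if not rec["signed_by"]:
            findings.append(f"{rec['date']}: approval record is unsigned")
    for prev, nxt in zip(ordered, ordered[1:]):
        due = deadline_after(prev["date"])
        if nxt["date"] > due:
            findings.append(f"gap: approval of {prev['date']} not renewed by {due} "
                            f"(next approval was {nxt['date']})")
    return findings


def next_due(records: List[Dict]) -> date:
    """Deadline for the next approval, counted from the most recent record."""
    return deadline_after(max(r["date"] for r in records))


# Constructed records: the second cites only R1.3 (null lists left out), and the
# third arrives after the 15-calendar-month window following the second.
SAMPLE_RECORDS = [
    {"date": date(2016, 7, 1), "signed_by": "CIP Senior Manager",
     "lists_cited": ("R1.1", "R1.2", "R1.3")},
    {"date": date(2017, 9, 15), "signed_by": "CIP Senior Manager",
     "lists_cited": ("R1.3",)},
    {"date": date(2019, 1, 10), "signed_by": "Delegate",
     "lists_cited": ("R1.1", "R1.2", "R1.3")},
]

if __name__ == "__main__":
    for finding in check_approvals(SAMPLE_RECORDS):
        print(finding)
    print("next approval due by", next_due(SAMPLE_RECORDS))
```

On the constructed records the checker reports the uncited null lists on the 2017 approval and the gap between September 2017 and January 2019; month-end rounding matters, which is why the deadline is computed in calendar months rather than as a fixed number of days.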

Page 41

Lower-BCS Connection to Higher BCS

• Facilities may be owned by the same entity or different entities.

• If multiple entities are involved, identify the:

– Point(s) of connection between the entities,

– Entity responsible for compliance at/around the demarcation point, and

– Entity responsible for CIP-006-5 physical security compliance.

• May involve EACMS or LEAP depending on impact ratings and connectivity characteristics.

• Protect all BCS, as applicable.

Page 42

Substation BCS Segmentation


• Reference Model –7 (NERC, CIP-003-6, Guidelines and Technical Basis, p. 37) provides an illustration of mixed-impact BCS within a single BES Asset boundary.

Page 43

Connecting Low-impact BES Assets


• No “Backcasting” impact levels.

• Similar to the Far-end Relay Lesson Learned.

• Consider all communications paths.

• BCA/BCS Owners are obligated to comply with the applicable CIP Standards

– Performance may be delegated via an operating agreement or other clearly defined binding agreement

Page 44

Value-Added Activity: Feedback

• WECC Audit Teams never prescribe solutions, but we do:

– Brief entities on findings

– Encourage good security practices

– Discuss examples of industry best practices

– Provide Recommendations and suggestions for improvement, when appropriate

– Identify any AoC, which may not currently be violations, but may become a Possible Violation [PV] in a future audit, if not addressed

• Support development of a sustainable compliance culture

Page 45

Additional Audit Team Member Activities

• Available to address and respond to Entity questions/comments

• Participate in WECC Entity outreach activities:

– Semi-annual Compliance Workshops (next one in Boise ID),

– Monthly Open Webinars, and

– Special events such as this event.

• Work at National level:

– CCTF,

– Standard Drafting Team,

– Comment on new Standards and guidance documents,

– Run CIP pilot studies, and

– Attend and present at Cyber Security Conferences, Regional, National, and International Outreach events.

Page 46

Summary

• Audit to the Standard

• Provide useful feedback to the entity

• Prepare a valid report

• Be available to CIP personnel at the entities

• Work at National level

Page 47

Remember the Auditor’s Mission

Just the facts, Ma’am, Just the facts!

Page 48

References

• BCUC. (2015 July 24). Order R-38-15. Retrieved from http://www.bcuc.com/Documents/Orders/2015/DOC_44244_R-38-15_BCH_MRS_RPT_8.pdf

• BCUC. (2018 October 1). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from https://www.wecc.biz/Reliability/CIP-002-5.1.pdf

• BCUC. (2018 October 1). CIP-003-5 – Cyber Security – Security Management Controls. Retrieved from https://www.wecc.biz/Reliability/CIP-003-5.pdf

Page 49

References

• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/RAPA/BES%20DL/bes_phase2_reference_document_20140325_final_clean.pdf

• NERC. (2016 May 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf

Page 50

Speaker Contact Information

Joseph B. Baugh, Ph.D., MBA; PMP, CISA, CISSP, CRISC, CISM

Senior Compliance Auditor -Cyber Security

Western Electricity Coordinating Council (WECC)

jbaugh (at) wecc (dot) biz

(C) 520.331.6351

(O) 360.600.6631