Laura Scholl Managing Director of Stakeholder Outreach WECC Compliance Open Webinar Thursday, April 18, 2013 2:00 pm MT


Laura Scholl
Managing Director of Stakeholder Outreach

WECC Compliance Open Webinar

Thursday, April 18, 2013, 2:00 pm MT


AGENDA

EOP-005-2 – effective July 1, 2013 Reminder

BES Definition Process Update

CIP Version 4 Transition Guidance Update and Audit Approach for FERC Remand on NERC Guidance for CIP-002 R3

Audit Approach for FERC Remand on NERC Guidance for CIP-006 R1.1

US Entities / Periodic Data Submittal (PDS) / 2013 WECC Actively Monitored List (WECC AML)

webCDMS Single User Sign On


EOP-005-2 Reminder

Phil O’Donnell
Manager, Operations and Planning Audits

April 18, 2013


EOP-005-2 REMINDER

• EOP-005-2 is effective July 1, 2013

• R1 requires all TOPs to have a Restoration Plan “Approved by the RC” on that date.

• The RC’s related restoration standard, EOP-006, specifies what the RC must do to review the TOP plans and gives it 30 days to complete the review.


EOP-005-2 REMINDER

• As a reminder, if TOPs do not provide their restoration plans to the RC by June 1, 2013, it will be a challenge for them to be compliant on July 1.

• The compliance expectation is for all TOPs to have an RC-approved plan on July 1, 2013.
o If the TOP does not have an approved plan on July 1 due to late submittal of its plans for review to the RC, it will be considered non-compliant with R1.


Questions?

Phil O’Donnell

Manager, Operations and Planning Audits

[email protected]


CIP-002 Topics

Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security
WECC: Vancouver WA Office

WECC Open Webinar, April 18, 2013


Speaker Intro: Dr. Joseph Baugh

• 40 years of Electrical Utility Experience
o Transmission Lineman
o NERC Certified System Operator
o IT Manager & Power Operations Manager
o 20 years Information Technology & IT Security Experience
o Project Manager & IT Program Manager
o PMP, CISA, CISSP, CRISC, CISM, NSA-IAM/IEM certs

• 20 years of Educational Experience
o Degrees earned: Ph.D., MBA, BS-Computer Science
o Academic & Technical Course Teaching Experience: Information Technology and IT Security; Business Strategy, Leadership, and Management; Project Management; PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation


Agenda

• 142 FERC ¶ 61,204 Docket No. RD12-5-000
o Remanding CIP-002-3 R3 Interpretation
o Impact on WECC CIP Audit Approach

• Update on NERC Transition Guidance for CIP-002-4


142 FERC ¶ 61,204 Docket No. RD12-5-000

• The original interpretation was filed under CIP-002-3a R3.

• Although some language in the interpretation refers to CIP-002-4 R3 (e.g., Section 4, p. 2), Sections 6 & 13 clarify that the interpretation also applies to CIP-002-4 R2 (FERC Order, 2013, pp. 4, 6).

• FERC agreed with NERC’s Q1 interpretation, but considered NERC’s Q2 interpretation to be faulty (FERC Order, 2013, Section 10, p. 5).

• However, the order remands the entire NERC interpretation on CIP-002-4 R2, because the original interpretation was approved in a single ballot (FERC Order, 2013, Footnote 12, p. 5).


142 FERC ¶ 61,204 Docket No. RD12-5-000

• Laptops were primarily cited as an example: "the proposed interpretation fails to consider that a computer (e.g., a laptop) used by utility staff or contractors to control the functions and operations of a Critical Asset is, during such usage, 'inherent to or necessary for the operation of a Critical Asset,' and thus falls within the scope of CIP-002-4, Requirement R2" (FERC Order, 2013, Section 13, pp. 5-6).

• “laptop computers connected to an EMS network through the Internet and used to supervise control, optimize, and manage generation and transmission systems would be ‘considered essential’” (FERC Order, 2013, Section 17, p. 7).

• In addition, FERC stated that the NERC Q2 “interpretation and petition do not provide adequate justification for leaving unprotected cyber assets (e.g., laptop computers) essential to the operation of associated Critical Assets” (FERC Order, 2013, Section 18, p. 7).


Impact on WECC CIP Audit Approach [Q1]

• Minimal impact to the WECC Audit Approach from the FERC order on Q1

• The WECC Audit Approach considers the examples discussed in the Q1 interpretation:
o As illustrative, not prescriptive, and
o As providing a minimal list of Cyber Assets, associated with each Critical Asset identified pursuant to CIP-002-4 R1, that should be considered relative to CIP-002-4 R2, but
o Not as an exhaustive list of Cyber Assets that must be considered under CIP-002-4 R2


Impact on WECC CIP Audit Approach [Q2]

• The burden to demonstrate the essentiality of Cyber Assets to the operation of Critical Assets pursuant to CIP-002-4 R2 still lies on the entity. Due diligence in light of the FERC order indicates entities should:
o Consider the definition of essential (NERC, Identifying Critical Cyber Assets, Section C, pp. 7-8) in the Critical Cyber Asset Identification [CCAID] methodology
o Apply that definition to the inventory of Cyber Assets associated with each Critical Asset identified and documented pursuant to R2
o Include an evaluation of all laptops, smart phones, and any other Cyber Assets which may be configured for, or are capable of, controlling generation or transmission systems and meet one or more of the qualifying characteristics cited above
o Document all evaluations and the CCA/non-CCA status of the inventory of all Cyber Assets associated with each Critical Asset identified pursuant to CIP-002-4 R1


NERC CIP-002-4 Transition Guidance

• During today’s (April 18, 2013) FERC Sunshine Meeting, FERC proposed a NOPR that would require Registered Entities to maintain compliance efforts with CIP Version 3 until CIP Version 5 is approved
o NERC has advised a period of discussion to consider the FERC action and develop a common approach to future compliance efforts across all regions

• More details on the FERC proposal and its impact relative to the WECC Audit Approach will be forthcoming at the June CIPUG in Portland

• See you there


References

• FERC Order on Interpretation of Reliability Standard. (2013, March 21). 142 FERC ¶ 61,204. Docket No. RD12-5-000.

• NERC. (2010, June 17). Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets (v1.0).

• NERC. (2013, April 11). Cyber Security Standards Transition Guidance.


Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM

Senior Compliance Auditor - Cyber Security

Western Electricity Coordinating Council (WECC)

7400 NE 41st Street, Suite 160

Vancouver, WA  98662

jbaugh (at) wecc (dot) biz 

(C) 520.331.6351 (O) 360.567.4061

Questions?


CIP-006 Interpretation Remand – Audit Implications

Mick Neshem
Senior Compliance Auditor, Cyber Security

April 18, 2013, WECC Webinar


CIP-006-1 R1.1 Requirement

Processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter (ESP) also reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.


CIP-006 R1.1 NERC Interpretation Response Summary (CIP-006-4)

• “… Since wiring is not included in the definition of “Cyber Asset,” Requirement R1.1 of CIP-006-1 does not apply to wiring.”

Source: E-7_Order_Remaning_CIP-006-4_2013.3.21.pdf


CIP-006 R1.1 FERC Remand – Summary

• “15. …We do not agree that the network cabling (i.e., wires) that gives a communication network its networking capability would be exempt from the CIP Reliability Standards…”

Source: E-7_Order_Remaning_CIP-006-4_2013.3.21.pdf


CIP-006-2 R1.1 NERC Existing Interpretation [Approved by FERC]

• “21. … For Electronic Security Perimeter wiring external to a Physical Security Perimeter, the drafting team interprets the Requirement R1.1 as not limited to measures that are “physical in nature.” The alternative measures may be physical or logical, on the condition that they provide security equivalent or better to a completely enclosed (“six-wall”). Alternative physical control measures may include, but are not limited to, multiple physical access control layers within a non-public, controlled space. Alternative logical control measures may include, but are not limited to, data encryption and/or circuit monitoring to detect unauthorized access or physical tampering.”

Source: E-7_Order_Remaning_CIP-006-4_2013.3.21.pdf


CIP-006 R1.1 FERC Remand – Summary

• “23. First, by its plain language, the existing interpretation clearly applies to Electronic Security Perimeter wiring. Second, NERC states in the petition supporting the existing Commission-approved interpretation that “the interpretation request [in Docket No. RM06-22-000] discusses connections between multiple Physical Security Perimeters that reside within a single Electronic Security Perimeter.”
o Description of “Extended” ESP – WECC Audit Staff

Source: E-7_Order_Remaning_CIP-006-4_2013.3.21.pdf

CIP-006 R1.1 Remand – Summary

WECC Audit Approach

• Doesn’t change

• Require encryption or other appropriate controls to interconnect ESPs through multiple PSPs (Extended ESP concept)

• Discrete ESPs must have CIP-005 Access Points at each discrete ESP location.

• Cabling in between discrete ESPs is exempt from audit (encryption is always a good practice)


Questions?

Michael (Mick) Neshem

CISA, CISSP, CSSA

Senior Compliance Auditor - Cyber Security

Western Electricity Coordinating Council (WECC)

7400 NE 41st Street, Suite 160

Vancouver, WA  98662

[email protected] 

(C) 360.773.8490 (O) 360.567.4074


US Entities: Periodic Data Submittal (PDS) and 2013 WECC Actively Monitored List (WECC AML)

Kim Israelsson
Lead Data Analyst

Compliance Open Webinar, April 18, 2013


Periodic Data Submittal (PDS)

• The PDS Reporting Matrix is available on the WECC Website
o Identifies PDS Standards
o Applicable Functions
o Reporting Due Dates
o Reporting Forms
o Submittal Method
o The PDS Reporting Matrix is located here: go to www.wecc.biz, select “Compliance,” then “United States,” then “Monitoring Processes,” and then “Periodic Data Submittal”

• The Annual Request for UFLS data will be posted in webCDMS on May 1, 2013
o Announcement and Training details will be communicated in the next week


2013 WECC Actively Monitored List (WECC AML)

• Release of Version 2 of the 2013 WECC AML
o V2 posted April 17, 2013
o Version History has been added
o The document is located here: go to www.wecc.biz, select “Compliance,” then “United States”


Support

• For process questions, contact WECC Compliance Support
[email protected]
1-801-883-6879


Kim Israelsson

Lead Data Analyst

Western Electricity Coordinating Council

155 North 400 West, Suite 200

Salt Lake City, Utah 84103

801.819.7613

[email protected]

Questions?


webCDMS Single User Sign On

Domenic Darling
Data Analyst II

Compliance Open Webinar, April 18, 2013


webCDMS Single User Sign On

• Registered Entity Users will be able to access webCDMS for multiple entities using a single entity username

• Users will be able to consolidate accounts into a single username, password, and webCARES Digital Certificate

• Announcement and Training details will be communicated in the next week


Support

• For process questions, contact WECC Compliance Support
[email protected]
1-801-883-6879


Domenic Darling

Data Analyst II

Western Electricity Coordinating Council

155 North 400 West, Suite 200

Salt Lake City, Utah 84103

801.819.7605

[email protected]

Questions?


Upcoming Events

Laura Scholl
Managing Director of Stakeholder Outreach


Upcoming Events

• Next Open Webinar – May 16, 2013

• Compliance 101 Webinar – May 23, 2013

• WECC CUG/CIPUG Meetings – Portland, OR
o CUG – June 4-5, 2013
o CIPUG – June 6, 2013


Laura Scholl

Managing Director of Stakeholder Outreach

[email protected]

(801) 819-7619

Questions?