Lisa Wood, CISA, CBRM, CBRA
Compliance Auditor, Cyber Security

CIP v5 Roadshow
May 14-15, 2014

CIP-003-5 Security Management Controls

Agenda

• Differences and relations to current requirements
• Audit approach
• Possible pitfalls to look for while transitioning to version 5
• Implementation tips

CIP 003-5 R1 Differences
(Comparison: CIP 003-3 R1 to CIP 003-5 R1)

Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
• 1.1 Personnel & training (CIP-004);
• 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
• 1.3 Physical security of BES Cyber Systems (CIP-006);
• 1.4 System security management (CIP-007);
• 1.5 Incident reporting and response planning (CIP-008);
• 1.6 Recovery plans for BES Cyber Systems (CIP-009);
• 1.7 Configuration change management and vulnerability assessments (CIP-010);
• 1.8 Information protection (CIP-011); and
• 1.9 Declaring and responding to CIP Exceptional Circumstances

Note: Implementation of these policies is addressed in standards CIP-004-5 through CIP-011-1; therefore it is not part of this requirement.

What is a CIP Exceptional Circumstance?

• “A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.” (NERC, 2014, Glossary of Terms, p. 19)

CIP-003-5 R1 Audit Approach

• Is there a documented policy or policies that address the nine (9) topics?
  o There can either be a single policy that covers all topics or an individual policy for each
• Do the policies specifically state High and Medium Impact BES Cyber Systems?

CIP-003-5 R1 Audit Approach (cont.)

• Cyber Security Policy:
  o Was it reviewed by the CIP Senior Manager once every 15 calendar months?
    ▪ Evidence of review/approval, including wet ink or electronic signature and version control/revision history with action and date
    ▪ If the document is in a document management system, provide a screen shot of what the CIP Senior Manager reviewed, and include an approval signature page associated with the reviewed document

CIP-003-5 R1 – Possible Pitfall

• Policy doesn’t address all identified topics in the requirement
• Not consistently reviewing every 15 months
  o Current annual schedule may not meet the requirement
  o Notifications and Alerts may not get updated

CIP-003-5 R1 Implementation tips

• Set up or update annual review notifications and alerts to meet the 15 calendar month criteria
• Address High and Medium in policies
• Review Best Practices: Managing Evidence presentation
  http://www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx

CIP-003-5 R2 New Requirement

R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
• 2.1 Cyber security awareness;
• 2.2 Physical security controls;
• 2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and
• 2.4 Incident response to a Cyber Security Incident.

An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. (NERC, 2012, CIP-003-5, p. 5)

CIP-002-5, R1, Part R1.3 = Low Impact BES Cyber Systems

• P 106: “[W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.” (FERC, 2013, Order 791, p. 72769)

CIP-003-5 R2 Progress

• The Standard Drafting Team (SDT) has been hard at work
  o The SDT is still working on the requirements, measures, and rationale.
  o Nothing is definitive as of yet
  o Have changed to table format

CIP-003-5 R2 Current Draft

R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing low impact BES Cyber Systems), shall:

CIP-003 R2 Draft (continued)

• R2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity
• 2.4 Incident Response to Cyber Incidents
• 2.5 Cyber Security Awareness

CIP-003-5 R2 Firm Dates

• Standard Drafting Team (SDT) must complete work by February 3, 2015
• Draft goes to industry for comment June 2, 2014
• If you’d like to get involved, contact Ryan Stewart with NERC at: [email protected]

CIP-003-5 R2 Comment Form

CIP-003-5 R2 – Possible Pitfall

• Entity may not know what Low Impact BES Cyber Systems are
• Not consistently reviewing every 15 months
  o Current annual schedule may not meet the requirement
  o Notifications and Alerts may not get updated
• Policies may not address all parts of the requirement

CIP-003-5 R2 Implementation tips

• Stay on top of WECC’s outreach for more direction on Low Impact BES Cyber Systems
• Update annual review notifications and alerts to meet the version 5 timeline

CIP-003-5 R3 No Change
(Comparison: CIP 003-3 R2.1, R2.2 to CIP 003-5 R3)

• Each Responsible Entity shall:
  o Identify a CIP Senior Manager by name
  o Document any change within 30 calendar days of the change

CIP-003-5 R3 Audit Approach

• CIP Senior Manager’s name
  o Include the date identified
• Version control and revision history
  o Include the action specific to the change and include dates.

Note: If you are not retaining the original document designating the CIP Senior Manager, entities still need to demonstrate compliance with the standard on or before April 1, 2016. We recommend reaffirming the CIP Senior Manager on or before April 1, 2016 and providing that document as evidence.

CIP-003-5 R3 – Possible Pitfall

• Entity did not identify the CIP Senior Manager by name and did not include the date identified
• Changes to the CIP Senior Manager were not documented within 30 calendar days

CIP-003-5 R3 Implementation tips

• Update processes to ensure there are steps for documenting changes within 30 calendar days

CIP-003-5 R4 Minor Clarifications
(Comparison: CIP 003-3 R2.3 to CIP 003-5 R4)

• The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used
• CIP Senior Manager may delegate authority for specific actions
  o Include the delegate’s name or title, the specific actions delegated, and the date of the delegation;
  o Approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation
• Delegation changes do not need to be reinstated with a change to the delegator.

CIP-003-5 R4 Audit Approach

• Were there any delegations?
• Who was delegated and what were they delegated to do?
• Was the delegation approved by the CIP Senior Manager?

CIP-003-5 R4 – Possible Pitfall

• Entity did not document a process to delegate authority
• Entity did not identify delegates by name and did not include the date identified or the specific actions delegated
• The CIP Senior Manager did not approve the delegation

CIP 003-5 R4 Implementation tips

• Document a process for delegating authority, and ensure the process addresses the specific requirements
• Follow the documented process

CIP-003-5 Modifications

• Reorganized to only include elements of policy and cyber security program governance.

(Diagram relating CIP 003-3 requirements to version 5 standards; labels as extracted: CIP 003-3 R3; CIP 003-3 R6, CIP 010-1; CIP 003-3 R4; CIP 003-3 R5; CIP 011-1; CIP 004-5)

Wrap-up

• Know what is required for each BES Cyber System
• Attend future WECC outreach events to get further clarity on Low Impact BES Cyber Systems.

References

• FERC. (2013, November 22). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC ¶ 61,160; Docket No. RM13-5-000. In Federal Register, Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2014, March 12). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
• NERC. (2012, November 26). CIP-003-5 – Cyber Security – Security Management Controls. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-003-5&title=Cyber%20Security%20-%20Security%20Management%20Controls&jurisdiction=null

Questions?

Lisa Wood, CISA, CBRM, CBRA
Compliance Auditor, Cyber Security
[email protected]
Desk: 801-819-7601
Cell: 801-300-0225