CIP-101: Making the Transition CIP-002-3 to CIP-002-5.1 Mock Audit
Henderson, NV September 24-25, 2014
Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council
Speaker Intro: Dr. Joseph Baugh
• 40+ years Electrical Utility Experience
– Senior Compliance Auditor, Cyber Security
– IT Manager & Power Trading/Scheduling Manager
– IT Program Manager & Project Manager
– PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs
– NERC Certified System Operator
– Barehand Qualified Transmission Lineman
• 20 years of Educational Experience
– Degrees earned: Ph.D., MBA, BS-Computer Science
– Academic & Technical Course Teaching Experience
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• Business Strategy, Leadership, and Management
• Information Technology and IT Security
• Project Management
September 24-25, 2014 Western Electricity Coordinating Council
WECC CIP-101 Disclaimer
• The WECC Cyber Security team has created a mythical Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the CIP audit processes.
• Any resemblance of BILL to any actual Registered Entity is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual CIP Compliance audit.
Agenda
• Class Introductions – Name, Title, Organization, Interest in CIP-002
• Review CIP-002-5.1 Requirements
• Review CIPv5 Transition Guidance
• Review CIP-002-5.1 Team audit approach
• CIP-002-5.1 Mock Audit Overview
• The BILL Mock Audit
• Questions
CIP-002-5.1 Overview
• CIP-002-5.1 is the first step on the CIP Compliance trail.
• All Registered Entities that perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1.
• CIP-002-5.1 replaces LSE with the DP function; the TSP function drops out.
• Some entities may find they are only required to be compliant with CIP-002-5.1 R1-R2 & CIP-003-5 R2-R4.
– Typically requires a reduced scope audit that will be conducted at WECC offices or other locations, as necessary.
– True if the IRC application generates null R1.1 & R1.2 lists.
– Must also provide a valid R1.3 list of Low Impact BES Assets.
– Pending Low Impact BCS Requirements are discussed in CIP-003-6 R2.
Diagram: Inputs (List of High & Medium Assets) → R1.1-R1.2 Process: Identify BCS → Outputs (R1.1, R1.2 Lists); Input (List of Low Impact Assets) → Output (R1.3 List)
CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
Diagram: Inputs (Inventory of BES Assets) → R1 Process → Outputs (Lists of High, Medium, & Low Assets)
CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
– i. Control Centers and backup Control Centers;
– ii. Transmission stations and substations;
– iii. Generation resources;
– iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
– v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
– vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
• Any of these assets not identified as containing High or Medium impact BCS goes on the R1.3 list of Low impact BES assets.
CIP-002-5.1: R1.1 - R1.3
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
– 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
CIP-002-5.1 Requirements: R2
• The entity must review the identifications made in R1 (and update them, if necessary) at least once every 15 calendar months [R2.1].
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3, R4) must approve the initial lists [R2.2] and approve them again at least once every 15 calendar months thereafter:
– The R1.1, R1.2, and R1.3 lists
– Including signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above.
– Electronic or physical approvals are accepted.
Diagram: Inputs (R1.1, R1.2, R1.3 Lists) → R2 Review & Approval Process → Outputs (Signed and Dated Records)
CIP-002-5.1: Direction
• CIP-002-5 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Option 3).
• Compliance date for Low impact BES Assets is April 1, 2017.
– Specific Low impact control modifications are under review by industry and oversight groups [See CIP-003-6 R2].
– Currently, four programmatic controls from CIP-003-5 R2.
– Don't ignore, but don't prioritize for now.
CIPv5 Transition Guidance
• As a practical matter, NERC understands that Responsible Entities cannot complete transition to the CIP V5 Standards in a single instance; rather, transition to full implementation will occur over a period of time as Responsible Entities develop the necessary procedures, software, facilities, or other relevant capabilities necessary for effective compliance with the CIP V5 Standards. (NERC, 2014 Aug 12, Transition Guidance, p. 2)
CIPv5 Transition Guidance
• To help ensure that they are fully compliant with the CIP V5 Standards upon the effective date, Responsible Entities may need or prefer to transition from compliance with the requirements of the CIP V3 Standards to implementation of the requirements of the CIP V5 Standards during the Transition Period. As such, there may be a period of time prior to the effective date of the CIP V5 Standards when Responsible Entities begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are still mandatory and enforceable. (NERC, 2014 Aug 12, Transition Guidance, p. 2)
CIP v5 Transition Guidance
• WECC recommends that entities with sound CIPv3 compliance programs immediately start transitioning to CIPv5 compliance:
– Freeze your CIPv3 program
– Roll forward the compatible parts of CIPv3
– Integrate the remaining elements of CIPv5
• Not a huge burden for CIP-002-5.1 compliance, but may present challenges for other Standards.
CIP v5 Transition Options*
* See the Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)
BILL Documents Option 3
WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all entities.
• Use the RSAW supplied by the entity as initial working papers to document the audit and findings.
• Review the Initial Evidence package supplied by the entity in response to Attachment G:
– One-line diagrams (we'll see the BILL one-line later)
– Specific CIP-002-5.1 evidentiary documents
CIP-002-5.1 Audit Team Approach
• Audit to the Standard.
• Review the Evidence:
– Inventory of BES Assets
– One-line diagrams
– Application of the IRC
– R1.1, R1.2, R1.3 lists
– R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)
• Submit DRs (Data Requests) for additional information, as needed.
• Complete the RSAW
• Develop the Audit Report
CIP-002-5.1 Process Flowchart (text of the diagram):
1. Optional: Apply the BES Definition to the inventory of BES assets; begin the CIP-002-5.1 process with the inventory of BES Assets.
2. Apply the IRC to the inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi].
3. Are any BES assets rated as High or Medium? No: place all Low BES assets on the R1.3 list and continue to R2. Yes: evaluate the High & Medium BES assets for all applicable BCS.
4. Use the inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset.
5. Validate the list of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the BES asset.
6. Add each BCS to the appropriate list: R1.1: High Impact BCS; R1.2: Medium Impact BCS.
7. Are there more High or Medium BES assets? Yes: continue the BCS evaluations at the next asset (step 4). No: continue to R2.
8. R2.1: Review the R1.1, R1.2, & R1.3 lists after the initial identification and at least once every 15 calendar months thereafter.
9. R2.2: CIP Senior Manager or delegate approves the lists after the initial identification and at least once every 15 calendar months thereafter.
10. Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable.
WECC Audit Team Approach
• Review the application of the IRC [R1], the list of High BCS [R1.1], the list of Medium BCS [R1.2], and the list of Low Impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-lines and the BES Asset inventory.
• If a full Compliance audit:
– Hold interviews with the entity's CIP SMEs
– Perform site visits (Trust, but Verify)
• Validate the annual approval documentation [R2]
• Submit DRs, as needed, to clarify compliance
• Determine findings (NF, PV, or OEA)
• Discuss findings with the entire Cyber Security Team
• Complete the RSAW
• Prepare the CIP audit report (ATL & CPC)
Attachment G*: CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
– [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
– [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
– [R1.3]: A list of Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.
* The 2015 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.
WECC Audit Team Approach
• Submit Data Requests [DRs] for any additional information that will support the entity's compliance efforts, e.g.:
– Prior documentation to provide bookends
– Address any questions or concerns
CIP-101 Mock Audit Overview
• BILL declared Option 3 of the recent NERC CIPv5 Transition Guidance (NERC, 2014 Sept 17, p. ).
• BILL compared its inventory of BES Assets against the current definition of Bulk Electric System (NERC, 2014 Sept 17, Glossary of Terms, pp. 18-21; NERC, 2014 April, BES Definition Guidance Document, v2).
• BILL identified and documented lists of High and Medium Impact BCS and a list of Low Impact BES Assets through an application of the Impact Rating Criteria [IRC] (NERC, 2013 Nov 22, CIP-002-5.1: Attachment 1, pp. 14-16).
• BILL requires a full Compliance audit on CIP-002-5.1 through CIP-011-1:
– First week: Discovery phase at WECC offices
– Second week: Compliance audit at BILL offices
CIP-101 Mock Audit Overview
• This session covers a mock audit of CIP-002-5.1 only.
• The mock audit squeezes 2 weeks of audit activities into a few hours:
– Sample DRs
– Mock Interview
– Site Visits
– Use the RSAW as the guiding document
– Present and review evidence for each requirement
– What do YOU think is the appropriate finding for each requirement?
CIP-101 Mock Audit
• Walk through the audit process in more detail
• Explain the differences between a reduced scope off-site audit and a full Compliance audit
• The Mock Audit simulates a Compliance audit of Billiam Power Company [BILL]
• BILL is registered with NERC as a BA, DP, GO, GOP, LSE, TO, TOP, TP, and TSP.
• For the CIP audit, the BA, DP, GO, GOP, TO, and TOP functions are in scope.
Review Initial Evidence
• Received from the entity in the initial evidence package
• Responses to data requests in Attachment G
• Information contained in the entity's response to the RSAWs
• Sets the stage for the initial audit review – Discovery phase at the WECC offices
• Followed up by additional Data Requests as needed
The BILL System*
• Billiam Power Company's (hereafter referred to by its NERC acronym, BILL) Balancing Authority (BA) area is effectively within the boundaries of the three counties on the western edge of Some State, bordered by Another State on the north and the Almost Mountains on the east and south. These three counties occupy about 15% of the land area of the state and contain about 20% of the state's population.
• BILL is registered as a BA, DP, GO, GOP, LSE, TO, TOP, TP, TSP.
The BILL System (Generation)
• BILL's primary generation station is located in eastern Whatchamacallit County. The BILL generation station has two 1,000 MW fossil fuel generating units. The output of these units supports BILL's native load and any available excess energy is marketed throughout the WECC Interconnection.
• BILL owns and operates nine Combustion Turbines (averaging 30 MW each) located near various consumer load centers throughout the service territory. These CTs are primarily used as peaking units and for voltage and frequency support during the summer months.
The BILL System (Generation)
• BILL also owns and operates the BILL-3 Hydroelectric plant on the Sweet William River. BILL-3 has a nameplate rating of 100 MW. This hydro unit is Blackstart capable and is connected to the BILL Generation Station through a dedicated 115 kV line that runs 87 miles from Sub3 to Sub1.
• Total BILL generation capacity is 2,380 MW.
The BILL System (Transmission)
• There are two synchronous 345 kV interties with adjacent BAs that define the BILL BA area. These ties are with XXXX Electrical Utility and YYYY Federal Power District at Sub1, which is adjacent to the BILL Generation Station.
• The BES portion of BILL's BA area, its 345 kV, 230 kV, and 115 kV facilities, includes 190 miles of 345 kV transmission lines, 450 miles of 230 kV lines, and 973 miles of 115 kV lines.
• BILL owns and operates two 345 kV substations, 25 230 kV substations, and 52 115 kV substations throughout its service territory. BILL serves its native residential and commercial load through its 115 kV and 230 kV transmission facilities.
The BILL System (Control Centers)
• BILL's Generation and Transmission Facilities are monitored and operated from the Primary Control Center (PCC) located at the corporate headquarters in Big Bill City. BILL also maintains a hot stand-by Back-up Control Center (BUCC) located in its operations center in Little Bill City, which is approximately 50 miles from the PCC.
• BILL is a summer peaking BA, and BILL's all-time BA area peak load was recorded on July 20, 2010 at 2,482 MW.
BILL One-Line Diagram
BILL's BES Asset Identification
• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC:
– Starts with an overall Inventory of entity BES assets.
– Did the entity use the new BES Definition to exclude any BES Assets? If so, review and validate those exclusions.
– Use the IRC to identify and document the R1.x lists.
High IRC (Control Centers)
Medium IRC (Control Centers)
Low IRC (Control Centers)
R1.i: Example of Auditable Process
BILL's BES Asset Identification
• Were applicable BES assets evaluated relative to IRC criteria 2.3, 2.6, or 2.8?
• Did BILL demonstrate coordination with the applicable registered function(s)?
– If not, should we submit a data request?
Medium IRC (Transmission)
Medium / Low IRC (Transmission)
R1.ii: Example of Auditable Process
Medium IRC (Generation)
Medium / Low IRC (Generation)
R1.iii-iv: Example of Auditable Process
Medium IRC (Protection Systems)
Low IRC (Protection Systems)
R1.v-vi: Example of Auditable Process
List of High & Medium BES assets
• Review the list of High BES assets
• Review the list of Medium BES assets
• Compare both lists to the lists developed for:
– R1.1: High impact BCS
– R1.2: Medium impact BCS
Compare 2013 List of Critical Assets
• For the next several years, CIP Auditors will be comparing the results of the application of the IRC to identify High and Medium BCS (primarily the BES assets containing such BCS) to the prior CIP-002-3 lists of Critical Assets and lists of Critical Cyber Assets, and evaluating any significant differences.
• This may not generate a PV, but it is guaranteed to generate discussions.
List of Low Impact BES Assets
• Review the list of Low Impact BES Assets
• Correlate this list against the entity's inventory of BES Assets and the list of High and Medium BCS locations.
BILL BES Assets: 2013 Control Centers
BILL BES Assets: 2014 Control Centers
BILL BES Assets: 2013 Substations
BILL BES Assets: 2014 Substations
BILL BES Assets: 2013 Generation
BILL BES Assets: 2014 Generation
BILL BES Assets: 2013 Special Systems
BILL BES Assets: 2014 Special Systems
Validate BES Asset Lists
• Review and compare the prior lists of CIP-002-3 R2 Critical Assets to the current lists of High and Medium BES Assets.
• Do the results seem reasonable?
• Did the entity opt to reduce its number of Transmission Assets through the application of the BES Definition?
• If so, did the entity provide valid rationale for all exclusions?
• Do the Transmission BES Medium Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?
BILL BES Assets: 2013 Critical Assets
BILL BES Assets: 2014 High & Medium BES Assets
2013 Critical Assets vs. 2014 High & Medium BES Assets – Net Changes
• Control Centers (High BCS)
– Both Control Centers move from the CA list to the High BES asset list
• Substations (Medium BCS)
– Subs 1 and 2 move from the CA list to the Medium BES asset list
– Add 4 (Subs 4, 7, 8, 11) to the Medium BES asset list
– 1 (Sub 3, Blackstart Cranking Path) moves to Low BES asset
– Other Transmission subs become Low BES Assets
• Generation Units (Medium and/or Low BCS)
– Big Bill Station is a Medium BES asset
– Blackstart unit becomes a Low BES asset
– Combustion turbines become Low BES assets
• Special Protection Systems (BCS Not Applicable)
– No change
R1: BES Asset Lists Review Questions
• Did BILL apply the IRC appropriately?
• Does BILL need to confer with its RC, PA, or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8?
• Application Questions
– Did BILL consider all BES asset types in R1.i through R1.vi?
– Did BILL review and evaluate all BES Assets through the IRC?
– Did BILL clearly identify and document all BES assets in the appropriate impact rating?
• Is any additional information necessary before we look at the BCS groupings?
– If so, do we submit a DR?
Identifying High and Medium BCS
• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
– 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
R1: Identify and Document BCS
• Add Low-impact BES assets to the R1.3 list.
• Use the lists of High- & Medium-impact BES assets.
• Identify the BCA associated with each BES Asset.
• Logically group BCA into BCS.
• Document each BCS on the R1.1 or R1.2 list, as appropriate.
R1.1-R1.2: Identifying BCS
• Develop an auditable process to examine each High and Medium impact Facility
• Examine the inventory of BCA at each Facility
• Consider reliability functions
• Group BCA into logical BCS
• Identify PCA, EACMS, and PACS
Process to Identify BCS
CIP-002-5 requires the identification of High & Medium impact BCS, but it may be a good idea to consider & identify the different types of BCS (CIP-005-5, pp. 4-5) and associated Cyber Assets (CIP-002-5, p. 6) at this point to facilitate later determinations in the Applicability Matrices of other CIP standards:
• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS with External Routable Connectivity
• PCA
• EACMS
• PACS
Flowchart (text of the diagram): Use the inventory of BES Cyber Assets at the High- or Medium-impact Facility to identify and list the R1.1 and R1.2 BES Cyber Systems (BCS) at each such facility → Validate the list of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the Facility → Are there more High or Medium Facilities? Yes: repeat for the next Facility. No: done.
Consider Reliable Operation of the BES
• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity's responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).
• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).
Consider Real-Time Operations
• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).
• The 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791, P. 123, p. 72771).
Consider Ancillary BES Cyber Assets
• Protected Cyber Assets [PCA]
– Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
– May also be lower impact BCA or BCS by virtue of the high-water mark (CIP-005-5, p. 14)
• Electronic Access Control or Monitoring Systems [EACMS]
– Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)
• Physical Access Control Systems [PACS]
– Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6).
BILL's BCS Identification
• The next step in a CIP-002-5.1 audit is to review the entity's development of the R1.1 through R1.3 lists.
• Starts with the identified lists of High and Medium impact BES assets.
• Uses the inventory of BES Cyber Assets at each such BES asset to identify and document a list of High and Medium BCS, even if such lists are null.
• Good idea to start with any existing lists of CCAs at applicable CIPv3 Critical Assets.
2014 BCS: Primary Control Center
2013 CCAs: Backup Control Center
2013 CCAs: SUB1
2012 Null Lists CCAs: Generation & Subs
2013 Null Lists CCAs: Generation & Subs
Identifying BES Cyber Assets
• Identify whether the Cyber Asset meets the definition of BCA
• Check the length of installation
• If < 30 days, determine if the Cyber Asset is a transient device.
• Group into logical BCS with associated PCA
Grouping BCA into BCS
• The entity determines the level of granularity of a BCS
– There may be one or more BCA within a given BCS
– Consider the BROS for your registrations
• In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the "BES Cyber System" term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term "BES Cyber System" is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts (CIP-002-5.1, 2013, p. 4)
Examples of BCS
Diagram: EMS BCS; Generation BCS (three); Transmission BCS (two).
Examples of BCA Groupings: BA/TOP
• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)
Examples of BCA Groupings: BA/TOP
Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg
Diagram: High BCS and PCA inside the ESP; Low or No BCS outside the ESP.
Examples of BCA Groupings: BA/TOP
• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems
Examples of BCA Groupings: TO/TOP
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from http://publicintelligence.net/scada-a-deeper-look/
Diagram: SCADA Component BCS; EMS BCS (two); RTU BCS; Protective Relay BCS.
Examples of BCA Groupings: GO/GOP
• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)
Examples of BCA Groupings: GO/GOP
Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf
Diagram: Medium BCS (four) with PCA; Low BCS.
Consider BCS Types
• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS w/ External Routable Connectivity
• Protected Cyber Assets [PCA]
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)
R1.1: Example of Auditable Process
R1.3: Example of Auditable Process
• Any BES Asset (i.e., Facility) not rated as High or Medium defaults to a Low Impact rating and should be placed on the R1.3 list.
• BCS associated with a Low impact BES Asset also become Low impact BCS.
• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3.
• Comply with CIP-003-6 R2 for specific technical controls.
BILL's Review & Approval Process
• The next step in a CIP-002-5.1 audit is to review the identifications of the lists created in R1, even if such lists are null:
– R1.1 list of High BCS
– R1.2 list of Medium BCS
– R1.3 list of Low-impact BES assets
• Review the signed and dated records of the CIP Senior Manager's or delegate's approval of the lists.
R2: Annual Approval Review Questions
• Did BILL review its R1.1-R1.3 lists at least once every 15 calendar months after the initial identifications?
• Did BILL update the lists, as necessary?
• Did the BILL CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least once every 15 calendar months after the initial identification, even if such lists are null?
• Application Questions
– Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DRs necessary?
– If so, what additional information is required?
On-Site Activities: The Interview
• Set up through an interview DR the prior week
• Typically held on Monday of the on-site week, immediately after the opening presentation
• Examines the entity’s understanding of and approach to R1-R4
• Covers any areas of concern raised through the initial evidence review
• Schedule follow-up interview(s), if needed, after the site visits
On-Site Activities: Mock Interview
• Need four volunteers
– You are BILL SMEs
– No, you don’t get to practice
• We will ask a series of questions that we generally ask all CIP-002 SMEs
• We will also ask questions of concern, if indicated by the initial review of the evidence
• The Interview Question Set
On-Site Activities: Mock Interview
• What did we learn from the interview?
• What was the key issue from an audit perspective?
• Should we find a PV for this issue?
• Why or why not?
On-Site Activities: Site Visit
• Set up through a site visit DR the prior week
• Itinerary determined through review of the initial evidence
• Trust, but verify. Why?
• Depending on entity size, this may involve 100% validation or a statistical sampling
• Where?
– Control Centers
– Generation Facilities
– Transmission Facilities
• What?
– High and Medium BCS
– A sampling of Low Impact BES Assets
On-Site Activities: Site Visit
• Who?
– CIP-002-5.1 Sub-Team
• Validates R1.1, R1.2, and R1.3 lists, even if such lists are null
• Works in conjunction with the CIP-005 sub-team
– CIP-005-5 Sub-Team
• Validates Electronic Access Points [EAPs] and Electronic Access Control or Monitoring Systems [EACMS]
• Confirms ESP boundaries
– CIP-006-5 Sub-Team
• Validates PSPs and Physical Access Controls, such as PACS, cameras, logs, etc.
• My colleague provided an overview of CIP-006 audit activities earlier.
On-Site Activities: CIP-002-5.1 Site Visit
• What?
– Validate lists of BCS
– Validate null lists of BCS (if applicable)
– Look for aberrations from the lists
– Hold informal interviews with entity SMEs
• When?
– Visit remote sites during the off-site audit week
– Most Control Centers on Tuesday of the on-site audit week
– May extend to Wednesday depending on number of sites visited, distances traveled, resource constraints, etc.
On-Site Activities: BILL Site Visits
• Visit the Primary and Backup Control Centers
– 100% validation of High BCS, PCA, etc. in both locations
– Talk to Operators & SMEs
• Visit the BILL Generation Station, the Hydro Blackstart Facility, and a sampling of the CT units
• Visit SUB1, SUB2, SUB3, SUB11
– Validate the Medium BCS, PCA, etc.
– Talk with entity SMEs
• Visit a sampling of Low Impact BES assets (SUB26, SUB53)
– Validate presence of Low BCS
– Review CIP-003-6 R2 controls
• Site Visit Questions
– Why validate the BCS at a given site?
– Why ask questions of entity SMEs?
– What do the auditors expect to find?
BILL Site Visits: Control Centers
• Visited the Primary Control Center
– 100% validation of High BCS
– Found nothing out of the ordinary
• Visited the Backup Control Center
– 100% validation of High BCS
– Found nothing out of the ordinary
Site Visits: Generation Units
• Visited BILL Generation Station
– Validated Medium BCS and Low BCS
– Found nothing out of the ordinary
Site Visits: Substations
• Visited Sub 1
– 100% validation of Medium BCS
– Found nothing out of the ordinary
• Visited Subs 2, 4, 7, 8, & 11
– Validated Medium BCS
– Noticed something strange here
Site Visits: What Did We See?
What is this device, and what is it doing here in the subs?
On-Site Activities: Site Visit
• What did we learn from the site visit?
• Tour Notes DR
• Why do we validate null lists of BCS (CCAs under v3)?
• What was the main concern with the unexpected devices?
• Should we DR for additional information?
• Would another interview be more effective?
• Does this situation call for an R3 PV finding?
• Why or why not?
Discussing the Findings
• Discuss with the whole Cyber Security Team
• Is there a PV for the undocumented devices?
– R1.2: Undeclared Medium BCS?
• BCA at the Combustion Turbines
• Does the entity have documentation from its TP or PA/PC that exempts the CTs from Criterion 2.3?
– R1.2: Incorrect identification of Medium BCS w/ Dial-up Connectivity?
• The Substation Modems
• Determine the scope of a potential PV
– How do we do this?
• Complete the CIP-002-5.1 Findings Table in the RSAW
• Submit to the ATL and CPC for the Closeout Presentation
Value-Added Activity: Feedback
• WECC audit teams never prescribe solutions, but we do:
– Brief entities on findings
– Encourage good security practices
– Discuss examples of industry best practices
– Identify areas of concern, which may not be violations but which could stand improvement
– Provide suggestions, when appropriate
• Support development of a sustainable compliance culture
Audit Documentation: The RSAW
• An auditor is judged by the quality of his or her working papers.
– Complete the RSAW
– Review evidence and notes for final determinations
– DR for any final needed information
– Document findings
Audit Documentation
• Auditors review evidence, find facts, and report findings
– Turn PVs over to the Enforcement team
– The Enforcement team depends heavily on the quality of auditor documentation
• Be literate, be concise, but above all else, be accurate.
• If it’s not written down, it didn’t happen.
Post-Audit Auditor Activities
• The Audit Report
– Work with the ATL & CPC
– Verify findings and other information related to the audited standard(s)
• Document findings in webCDMS
– PV & OEA findings only
• Work with WECC Enforcement personnel to support investigations as SME for audit processes and findings
Post-Audit Auditor Activities
• Participate in entity outreach activities, such as this event and CIPUG meetings
• Be available and responsive to address entity questions/comments
• Work at the national level
– CCWG
– Drafting teams
– Comment on new Standards, CANs, etc.
– Attend and present at conferences
– CIPv5 Pilot Study
Summary
• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid report
• Be available to CIP personnel at the entities
• Work at the national level
Remember the Auditor’s Mission
“Just the facts, Ma’am, just the facts!”
References
• FERC. (2013, December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC ¶ 61,160; Docket No. RM13-5-000. Federal Register, Vol. 78, No. 232, pp. 72756-72787. Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2013, November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014, April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf
• NERC. (2014, August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
• NERC. (2014, September 17). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf
Speaker Contact Information
Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351
(O) 801.734.8357