How to Balance NERC CIPv6 vs. NERC CIPv5 Compliance
Nick Santora, CEO
Twitter: @curricula
Tim Erlin, Sr. Director, Product Management, Tripwire
Twitter: @terlin
Agenda
• CIPv6 Changes
• How CIPv6 Affects Your Personnel
• Three Critical Steps to Take Before July
• Q&A
Changes in CIPv6
WORDS WORDS WORDS
Reading standards can be difficult.

Changes in CIPv6
The four areas of change and the standards that carry them:
• Low Impact Assets: CIP-003-6
• Transient Devices and Removable Media: CIP-004-6, CIP-010-2
• Logical Controls for Physical Security: CIP-006-6
• Identifies, assesses and corrects: CIP-004-6, CIP-007-6, CIP-009-6, CIP-011-2

Low Impact Assets (CIP-003-6)
• Attachment 1: Cyber Security Awareness, Physical Security Controls, Electronic Access Controls, Cyber Security Incident Response
• Attachment 2: Documentation for each of the four Attachment 1 areas

Transient Devices and Removable Media (CIP-004-6, CIP-010-2)
If you use transient cyber assets and removable media, then you need a plan for:
• Transient Asset Management
• Transient Asset Authorization
• Vulnerability Mitigation
• Malicious Code Mitigation
• Unauthorized Use Mitigation
• Removable Media Authorization
• Removable Media Malicious Code Mitigation
… and training!
Effective Date: April 1st 2017

Logical Controls for Physical Security (CIP-006-6)
If you can’t implement the required physical controls, you can implement compensating logical controls:
• Encryption
• Monitoring
• “an equally effective logical control”
“The entity is under no obligation to justify or explain why it chose logical protections over physical protections identified in the requirement.”

Identifies, assesses and corrects (CIP-004-6, CIP-007-6, CIP-009-6, CIP-011-2)
FERC Order 791:
“[T]he Commission is concerned that the proposed language is overly-vague, lacking basic definition and guidance that is needed, for example, to distinguish a successful internal control program from one that is inadequate.”
CIPv6 Compliance Dates: It’s not all about July 1st 2016
July 1st 2016 is the general deadline; the exceptions by area:
Low Impact Assets
• CIP-003-6 1.2: 4/1/2017
• CIP-003-6 R2: 4/1/2017
• CIP-003-6 A1-1: 4/1/2017
• CIP-003-6 A1-2: 9/1/2018
• CIP-003-6 A1-3: 9/1/2018
• CIP-003-6 A1-4: 4/1/2017
Conditional Deadlines
• CIP-006-6 1.10: 7/1/2016 or 4/1/2017
• CIP-007-6 1.2: 7/1/2016 or 4/1/2017
Transient/Removable
• CIP-010-2 R4: 4/1/2017
How CIPv6 Affects Your Personnel
• Training program
• Awareness program
• Transient and Removable
• Risks to education

Training Program
What Is Required?
• 9 Objective Statements
• Training Prior To Access
• Re-train Every CIP Year
What Will Auditors Look For?
“Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.” (WECC Presentation)
Role Based Training

Awareness Program
• High and Medium
• Low

Transient and Removable
• What Is Required?
• When?
• Why implement after training?

Risks in Education
• Not It
• Million Dollar Filing Cabinet
Three Critical Steps
NERC CIPv5 Preparation: April 1st
FOUND TIME: April 1st to July 1st
What should you do with the time remaining before the July deadline?

Critical Step 1: Conduct a Mock Audit
There is no compliance without audit.
• Identify areas of weakness in compliance or evidence.
• Establish responses for the actual audit.
• Develop mitigation plans for non-compliance.

Critical Step 2: Review Your Training Programs

Critical Step 3: Automate Or Die
Compliant. Automated.

www.getcurricula.com www.tripwire.com
tripwire.com | @TripwireInc
Q & A