June 21, 2022 The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study ROBERT LANDAVAZO, NERC SECURITY COMPLIANCE ADMIN


May 2, 2023


ABOUT ME

ROBERT LANDAVAZO


OVERVIEW OF OUR CASE STUDY

THE PNM JOURNEY TO NERC CIP V5

• PNM Background
• Organization & functional responsibility
• The state of compliance 2012
• Re-implementing forgotten solutions
• Compliance over time
• Current environment
• A look at the future, a transition
• Lessons Learned


ABOUT PNM RESOURCES

PNM RESOURCES – PNM AND TNMP
• Functional Registrations
  » PNM = BA, DP, GO, GOP, LSE, PA, PSE, RP, TO, TOP, TP, TSP
  » TNMP = DP, LSE, TO, TOP, TP
• Subject to Regional Entity(s) = WECC for PNM & TRE for TNMP
• Generation Capability = 3000+ MW; 8 Plants (PNM only)
• Peak Load = 2600 MW (PNM Only)
• Miles of BES Transmission = 15000+ miles at various BES voltages (PNM and TNMP)
• Control Centers = 2 in PNM and 2 for TNMP
• Approximate Electric Customers Served = 750,000


OBJECTIVE - FUNCTIONAL ALIGNMENT

Streamline support functions of key systems

• Operations systems strategy
• Control Systems design
• Security/Network Architecture
• Control System Security Standards
• Enterprise Security and Architecture Standards
• Evaluation of emerging technologies
• Project Support

• Energy Management Systems
• Generation Management Systems
• Plant Control Systems/ Distributed Controls Systems Applications support

• Historian Systems
• DOC/OMS Systems Support
• Network/communication configuration maintenance
• Network Diagnostics/ Performance Management

• CIP Compliance Process/ Procedure Development

• OT Security Operations (security event management/ incident response/forensics)

• Disaster Recovery/Business Continuity

• Security Configuration Management


OT STRATEGIC BENEFITS

Support across PNMR “operations” business areas

• Mitigating cyber security risks consistently across the enterprise
• Aligning support, compliance, and cyber security skills
• Integrating cyber security risk and compliance decision making into 3rd party contracts and services procurement
• Better positioned to support/integrate emerging OT technology and Smart Grid initiatives
• Architecture and systems standardization


THE STATE OF COMPLIANCE IN 2012

CIP V3 COMPLIANCE WASN’T EASY AND WASN’T SUSTAINABLE

• Inadequate state of compliance
• Support tools were shelfware
• Smart team working the hard way
• Manual controls
• Support system sprawl across Business Units and Companies
• Frequent identification of potential violations
• Looming WECC audit in 2014


The Fate of CIPv3 Compliance: A Model

[Figure: axes "Change in systems, processes, or operations" and "Time"; marker "CIPv3 Audit"]

• Business changes affect compliance

• Massive effort to achieve audit-readiness

• No reason to expect pattern to change


A Different Model for Maintaining Compliance

[Figure: axes "Change in systems, processes, or operations" and "Time"; markers "Compliance Audit Deadline or Security Event" and "Quarterly Audit Review or Security Assessment"]

Continuous Security and Compliance
• Lowers Cost
• Increases Efficiency
• Increases Security
• Reduces Risk


BRINGING THE TOOLS BACK TO LIFE

TRANSITIONING TO AUTOMATION

Our Systems’ State:
• Systems patched but content not updated and maintained – going through the motions but no care & feeding
• Multiple tools untouched for years
• Incorrectly configured or missing configs
• More failed jobs than successful ones
• Poor documentation
• Nonexistent monitoring for health and uptime
• Newly discovered issues bring to light more potential violations (PVs)


THE RESULTS ARE WHAT COUNTS

CURRENT STATE OF COMPLIANCE AT PNM

[Chart: 90 Day Aggregate NERC CIP Compliance]
[Chart: 1.5 Year Aggregate NERC CIP Compliance]


COMPLIANCE TODAY

TRANSITION TO V5

V3: Achieved in 2 years
3,500 control points
• CIP-002-3
• CIP-004-3
• CIP-005-3
• CIP-007-3
• CIP-009-3

V5: Working towards
5,000+ control points by Q1 2016
• CIP-002-5
• CIP-004-6
• CIP-005-5
• CIP-007-6
• CIP-009-6
• CIP-010-2

Use the NERC Transition Guidance!


WHAT’S NEXT?

THE FUTURE STATE OF COMPLIANCE

• “No new people”
• Need more tools!


STREAMLINING COMPLIANCE

“IT TAKES A VILLAGE”

Automated Workflow for Asset & Change Management (CIP-002, CIP-010)
• Delivers time savings

Automated Workflow for Identity Management (CIP-004, CIP-007)
• Ensures user account accuracy

VIM Software White List (Future) (CIP-007 R2)
• Minimizing risks
• Reducing workload

Substation IED Management (CIP-007, CIP-010)
• Ensures continuous monitor & control


ARCHITECTURE

INTEGRATED MONITOR & CONTROL

[Diagram labels]
• Tripwire Enterprise, Tripwire Log Center, IP360
• Secunia VIM
• Eaton/Cooper Yukon IMS
• Sigmaflow, AlertEnterprise! IDM
• HI & MI Control Centers
• MI Substations
• Passive Compliance Monitoring
• Active Compliance Monitoring


PATHWAY TO CIP V5

LEVERAGING TECHNOLOGY

Requirement | Key Ask | Technology Support
Patch Management | 35 days or viable mitigation plan | Secunia VIM, Tripwire cited within mitigation plan
Malicious Code Prevention | “deter, detect & prevent” | McAfee/Intel Security, Cisco NGFW, and Tripwire
Security Event Logging | Log events – identify & after the fact investigation | Tripwire Log Center & Yukon IMS
Ports & Services | Logical network access ports; adding physical in-out ports | Tripwire Enterprise, physical port locks, tamper tape and signage
System Access Control | Verify authentication methods | Tripwire Enterprise and IP360


ICS-CERT RECENT INCIDENTS

ENERGY INDUSTRY CONTINUES TREND


TAKE-AWAYS

BEST PRACTICES

• Get the right people working on the right things – OT Org
• Recognize shortcomings and identify tools to rectify
• Leverage technology to automate continuous monitoring
• Ensure that your tools integrate to some degree – single pane of glass
• The foundation of security is built on compliance – it isn’t enough on its own


QUESTIONS & CONTACT INFO

Robert Landavazo
NERC Security Compliance Administrator
PNM [email protected]


ENERGYSEC SESSION DESCRIPTION

The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study

Presenters: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire

With countless hours of work to go, PNM was far from ready for its coming audit in just 18 months. Confidence levels in its existing manual, and incomplete security controls, were at an all-time low; and the visibility into control center environments for quantifying its status and progress towards compliance was immeasurable.

With Tripwire, PNM’s preparation of the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM’s now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP-009-3. In addition, enhanced visibility and better control gave PNM the ability to effectively communicate meaningful and measurable initiatives to executive teams – resulting in increased support for their funding needs.

In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.
