Implementing Cyber-Security Standards

Transcription

1 Implementing Cyber-Security Standards Greg Goodrich TFIST Chair, CISSP New York Independent System Operator Northeast Power Coordinating Council General Meeting Montreal, QC November 28, 2012

2 Topics Critical Infrastructure Protection (CIP) History & Implementations CIP Version 4 and Version 5 Implementation Process & Resources Enforcement Status & Risk Mitigation Task Force on Infrastructure Security & Technology (TFIST) 2

3 CIP History & Implementation History FERC Order 706 SDT appointed August 2008 CIP Version 2 September 2009 CIP Version 3 March 2010 CIP Version 4 April 2014 CIP Version 5 Implementation Period CIP Version 3 Current CIP Version 4 Implementation period began April months CIP Version 5 TBD NERC BOD & FERC Approval Pending 24 month implementation expected Note 1: speculation FERC could order V3 to V5 not confirmed Pending Note 2: Canadian provincial i schedules different 3

4 CIP Implementation Timelines 4

5 CIP Version 4 & 5 Comparison 5

6 CIP Version 4 New Implementation Process Implementation period 6

7 CIP Version 5 Implementation ti Minimum 24 months CIP R2 (policies for Low Impact) minimum 36 months Unplanned changes resulting in new High or Medium impact system 12 months Unplanned changes resulting in for High or Medium impact systems 24 months 7

8 Bright Lines (Criteria in Attachment 1) High BES Impact Medium BES Impact Low BES Impact New CIP-010 Configuration Change Management and Vulnerability Assessments CIP-011 Information Protection CIP Version 5 8

9 Implementation Considerations Size of organization and impact Impacts: Policy Processes Procedures Controls Testing Staff Training Evidence (such as logs and records) New definitions Processes examination & improvement Internal Controls Identify Assess Correct Organization support Staff support 9

10 10

11 11

12 NPCC Region CIP-007 By Requirement NPCC ALL R1 R2 R3 R4 R5 R6 R7 R8 R9 Source: NPCC Staff 12

13 NPCC CIP Violations 70 NPCC NPCC CIP-002 CIP-003 CIP-004 CIP-005 CIP-006 CIP-007 CIP-008 CIP-009 Source: NPCC Staff 13

14 CIP Violations CIP-007 Cyber Assets R1 Testing R2 Ports & Services R3 Patch Management R4 Antivirus R5 Access R6 Monitoring & Logs R7 Disposal R8 Vulnerability Assessment R9 - Documentation CIP-005 ESP Boundary Access Logs CIP-006 PSP Access Monitoring CIP-004 Access & Authorization Assets People 14

15 Reduce CIP Risk Reduce cyber assets Architecture Processes Reduce access Staff Improve Training Defense In Depth Layers Improve monitoring Log Layers Access Local & Remote Security Local & Remote Monitoring Access Security Alert if logs not working Capacity and Availability 'CIP Risks Security Logs ~ 1,281,600 = 150 assets * 24 hour/day * 356 days 15

16 NPCC TFIST Task Force on Infrastructure Security and Technology Peer CIP compliance IST-2 Telecommunications IST-4 Cyber Security IST-5 Physical Security Quarterly meetings Weekly conference call if needed Address issues How to Interpretations Security & Technology NERC Critical Infrastructure Protection Committee 16

17 Summary CIP Version 3 Version 4 Currently Compliant CIP Version 4 Implementation Period - 24 months CIP Version 5 Pending NERC BOD and FERC Approval 24 Month Implementation Period unless FERC changes New Bright Line Version 5 Bright Line Update Requirements improved Process changes TFIST is here to help CIP Compliance Cyber & Physical Security Communication 17

18 CIP Version 5 CIP Standard Standard Title Cyber Security BES Cyber System CIP Categorization R1. Cyber Security BES Cyber System CIP Categorization R2. CIP CIP CIP Cyber Security Security Management Controls R1. Cyber Security Security Management Controls R2. Cyber Security Security Management Controls R3. CIP Requirement Requirement Title Asset Impact Rating BES Cyber Systems Asset Impact Rating Asset Review and Update Governance Cyber Security Policies High and Medium Impact BES Cyber Systems Governance Cyber Security Policies Low Impact BES Cyber Systems Governance CIP Senior Manager Cyber Security Security CIP Management Controls R4. Governance Accountability & Delegation Cyber Security Personnel & CIP Training R1. Security Awareness Program Cyber Security Personnel & Cyber Security Training CIP Training R2. Program Cyber Security Personnel & Personnel Risk Assessment CIP Training R3. Program Cyber Security Personnel & Access Management CIP Training R4. Program Cyber Security Personnel & CIP Training R5. Access Revocation CIP CIP CIP Cyber Security Electronic Security Perimeter(s) R1. Cyber Security Electronic Security Perimeter(s) R2. Electronic Security Perimeter Interactive Remote Management Cyber Security Physical Security of BES Cyber Systems R1. Physical Security Plan CIP Standard CIP CIP CIP CIP CIP CIP CIP CIP Standard Title CIP Requirement Requirement Title Cyber Security Physical Security of BES Cyber Systems R2. Visitor Control Program Cyber Security Physical Security of Maintenance and Testing BES Cyber Systems R3. Program Cyber Security Systems Security Management R1. Ports and Services Cyber Security Systems Security Management R2. Security Patch Management Cyber Security Systems Security Management R3. Malicious Code Prevention Cyber Security Systems Security Management R4. Security Event Monitoring Cyber Security Systems Security Management R5. System Access Controls Cyber Security Incident Reporting and Response Planning R1. Cyber Security Incident Response Plan Specifications Cyber Security Incident CIP Cyber Security Incident Reporting and Response Planning R2. Response Plan Implementation and Testing Cyber Security Recovery Plans for CIP BES Cyber Systems R1. Recovery Plan Specifications CIP Recovery Plans for BES Cyber Systems R2. Recovery Plan Implementation and Testing CIP Cyber Security Recovery Plans for BES Cb Cyber Systems R3. Recovery Plan Review, Update and Communication Cyber Security Configuration Change Management and Vulnerability Configuration Change CIP Assessments R1. Management Cyber Security Configuration Change Management and Vulnerability CIP Assessments R2. Configuration Monitoring Cyber Security Configuration Change Management and Vulnerability CIP Assessments R3. Vulnerability Assessments Cyber Security Information CIP Protection R1. Information Protection CIP Cyber Security Information Protection R2. BES Cyber Asset Reuse and Disposal 18

19 The New York Independent d System Operator (NYISO) is a not-for-profit corporation responsible for operating the state s bulk electricity grid, administering New York s competitive wholesale l electricity it markets, conducting comprehensive long-term planning for the state s electric power system, and advancing the technological infrastructure of the electric system serving the Empire State. t 19