Hang on it s going to be a wild ride

Transcription

1 AGA/EEI Utility Internal Auditor's Training Course Washington, DC August 26, 2015

2 Hang on it s going to be a wild ride

3 There are no NERC CIP Babel Fish "The Babel fish is small, yellow, leech-like, and probably the oddest thing in the universe. It feeds on brain wave energy, absorbing all unconscious frequencies and then excreting telepathically a matrix formed from the conscious frequencies and nerve signals picked up from the speech centres of the brain, the practical upshot of which is that if you stick one in your ear, you can instantly understand anything said to you in any form of language: the speech you hear decodes the brain wave matrix."

4 NERC CIP Secret Decoder Ring (AKA NERC CIP Acronym Guide) BCA - BES Cyber Asset RSAW - Reliability Standard Audit Worksheet BCS - BES Cyber System TCA - Transient Cyber Asset BCSI - BES Cyber System Information TFE - Technical Feasibility Exception BES - Bulk Electric System EACMS - Electronic Access Control or Monitoring System EAP - Electronic Access Point ERC - External Routable Connectivity ESP - Electronic Security Perimeter IRA - Interactive Remote Access IRC - Impact Rating Criteria IS - Intermediate System LEAP - Low Impact BES Cyber System Electronic Access Point LERC - Low Impact External Routable Connectivity PACS - Physical Access Control System PCA - Protected Cyber Asset PRA Personnel Risk Assessment PSP - Physical Security Perimeter RAI - Reliability Assurance Initiative

5 NERC CIP Regulation Development Version 1 Approved in FERC Order 706 on Jan 18, 2008 effective July 1, 2008 Version 2 and 3 Current version Minor changes to address issues raised by FERC Effective dates of Sep 30, 2010 and Oct 1, 2010, respectively Version 4 Approved, then later superseded by V5. Never went into effect Version 5 Transitioning to here Approved in FERC Order 791 on November 26, 2013 Takes effect beginning on April 1, 2016 Version 6 In FERC approval process Combined with Version 7 FERC issued NOPR on July 16, 2015 (comments due September 21, 2015) Voluntary Mandatory 2009 Timeline of CIP Regulation Development 5

6 NERC CIP Standards Full on Jargon Actual regulation titles with links to standards on NERC s website Orange denotes standards currently pending before FERC Version 6 CIP One of these is not like the others CIP Cyber Security BES Cyber System Categorization CIP Cyber Security - Security Management Controls CIP Cyber Security Personnel & Training CIP Cyber Security - Electronic Security Perimeter(s) CIP Cyber Security - Physical Security of BES Cyber Systems CIP Cyber Security - System Security Management CIP Cyber Security - Incident Reporting and Response Planning CIP Cyber Security - Recovery Plans for BES Cyber Systems CIP Cyber Security Config. Change Management & Vulnerability Assessments CIP Cyber Security - Information Protection CIP Physical Security

7 NERC CIP PET (Plain English Translation) CIP-002 What stuff do you have that must be protected? CIP-003 What is your security policy to protect all this stuff, and who s in charge? CIP-004 Who will have access to all your stuff, and how will they be vetted and trained? CIP-005 What are the electronic protective boundaries around all your stuff? CIP-006 What means will you use to physically protect your stuff? CIP-007 How will each item on your list of stuff be protected from harm and inappropriate access? CIP-008 If a security incident occurs that affects your stuff, how will you respond? CIP-009 How will you restore your stuff to working condition if it fails? CIP-010 How will you ensure you always know all about what your stuff is made of? CIP-011 How will you protect the information stored on your stuff? CIP-014 How will you protect your critical substations from physical attacks?

8 Defense in Depth Approach Policies CIP-003 CIP-006 BES Cyber Assets CIP-007 CIP-005 CIP-011 Information Protection Training CIP-004

9 NERC CIP Implementation Deadlines April 1, 2016 High & Medium BCS Control Centers Generation Plants Substations (only control centers can be High) April 1, 2017* Low BCS Substations Generation Plants Control Centers *Assuming FERC issues Version 6 Order before

10 So What s Different? No longer binary (critical/non-critical) Bright line criteria determines criticality BES = CIP

11 More New approach to requirement applicability Applicability assigned on a per requirement basis Three tiers of impact (High, Medium, Low) Over 20 asset categories Complex applicability matrix Location and connectivity based applicability

12 NERC CIPv3 Standard Mechanics Example: CIP pages long All detail is contained in the requirement Limited additional guidance

13 NERC CIPv5 Standard Mechanics Page 6 Example: CIP pages long Detail in multiple locations Page 7 Additional guidance included inside and outside standard

14 NERC CIPv5 Standard Mechanics (Page 51) (Page 59)

15 NERC CIPv5 Standard Mechanics (We re not done yet.) Additional NERC Guidance Documents Multiple Lessons Learned Documents FAQs Implementation Studies

16 Types of Protection Physical Locations that house cyber assets Need to be secured and access Limited (card readers, cages etc.) Electronic Cyber assets need to be protected electronically by creating unique passwords, limiting access, malware prevention etc. Information Certain information needs to be protected and handled carefully whether paper or electronic (drawings, network diagrams, device configurations) 16

17 17

18 So how do you audit this anyway?

19 The old way Performance based Zero defects compliance One size fits all auditing

20 The new way Risk based compliance oversight Controls focused Risk based auditing & enforcement

21 The new way Continent-wide Risk Elements Defined Annually Identify continent-wide risks Prioritize risks based on significance, likelihood, vulnerability, and potential impact to the reliability of the BPS Categorize risks as operational and planning, threats to cyber systems, and/or threats to physical security. Update for emerging risk and mitigated risks Develop Initial Monitoring Scope

22 The new way Inherent Risk Assessment Regional Entities perform an IRA to identify areas of focus and the level of effort needed to monitor compliance Considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition Performed on a periodic basis, with the frequency based on a variety of factors, including, but not limited to, changes to a registered entity and significant changes or emergence of new reliability risks.

23 The new way Internal Controls Evaluation Participation is voluntary Provide information about internal controls that address the risks applicable to the entity and correcting noncompliance Demonstrate effectiveness of such controls Results will further refine CMEP focus

24 The new way Compliance Monitoring and Enforcement Tools CMEP tools will be customized (off-site or onsite audits, spot checks, Self-Certification etc.) based on reliability risks RC, BA and TOP remain on 3 year audit cycle CMEP tools may be adjusted within a given implementation year.

25 The new way Risk Based Enforcement Activities Enforcement activities correlate violations with reliability risk Compliance Exceptions: Streamlined violation resolution process Minimal risk instances of noncompliance are eligible Effectively supersedes Find, Fix, Track and Report (FFT) Self-Logging: Entities with demonstrated effective management practices are allowed to selfidentify, log, assess, and mitigate instances of noncompliance minimal risk instances of noncompliance that will be processed as compliance exceptions. For more details refer to NERC s 2015 ERO Compliance Monitoring and Enforcement Implementation Plan Assurance Initiative/Final_2015 CMEP IP_V_1.2 (Posted_ ).pdf

26 Auditor Roadmap the RSAW is the roadmap for compliance

27 Auditor Roadmap Provides Auditor guidance regarding acceptable demonstration of compliance

28 Implicit vs. Explicit Requirements Be mindful of requirements that are implied rather than explicitly stated. Several Regions have posted positions on implied requirements. Focus on the intent of the Regulation rather than words. Examples of implied requirements Identification of BES cyber systems (BCS) is required but BES cyber assets (BCA) is not. Discrete list of low impact BCS is not required Monitoring is not required for low BCS but incident response is.

29 CIP Identification & Categorization The objective of CIP is to identify Cyber Systems as either high, medium, Systems. (but that s way harder than it Conduct an inventory of all BES cyber assets Group assets into systems Evaluate reliability impact of systems (loss, misuse, compromise, etc.) Consider Impact Rating Criteria aka bright lines Classify systems as BCS High, Medium or Low

30 CIP-003 System Management Controls Applicability Matrix R1 Develop a Cyber Security Policy (highs/mediums) (includes 9 specific topics to be included) R2 Develop Cyber Security Policy (lows) (includes 4 specific topics to be included) R3 Designate a CIP Senior Manager (CSM) R4 Develop a process for CSM delegation of authority (R1-R2 Annual review and approval required every 15 months) *NOTE: pay attention to v6 there are new terms and additional specificity around low policies

31 CIP System Management Controls Policy(ies) must collectively address the following R1 Policy for High/Medium BCS R2 Policy for Low BCS 1. Personnel and training (CIP-004); 2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access 3. Physical security of BES Cyber Systems (CIP-006) 4. System security management (CIP-007); 5. Incident reporting and response planning (CIP-008) 6. Recovery plans for BES Cyber Systems (CIP-009) 7. Configuration change management and vulnerability assessments (CIP-010) 8. Information protection (CIP-011) 9. Declaring and responding to CIP Exceptional Circumstances. 1. Cyber security awareness; 2. Physical security controls; 3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and 4. Cyber Security Incident response.

32 CIP-004 Personnel and Training R1 Security Awareness Program (H,M,L) Security Focused Quarterly Awareness Activities (Annual for low) Intent is to raise general security awareness Documentation: Program not required but recommended Process to ensure appropriate distribution Awareness materials must be retained Performance includes proof of interval execution R2 Roles based Training Program Annually required Training for access of any kind Roles focused in v5 Documentation: Training Program is required Training processes Training content verification Controls to ensure Training is completed prior to access Performance includes random sample

33 CIP-004 Personnel and Training R3 Personnel Risk Assessment Program It s more than a background check Confirm identity, 7-year criminal history, evaluate for risk Documentation: PRA Program document Processes for PRA completion Controls to ensure PRA is complete prior to access Performance includes random sample R4-R5 Access Management & Revocation Programs Must be need based (physical, electronic and information) Review authorization records quarterly Review user accounts and roles annually Remove access within 24-hours for terminations Next calendar day for transfers/reassignments Documentation: Program document(s) required Processes for all activities Performance includes: Random sample

34 CIP-005 Electronic Security Perimeters The purpose of the Electronic Security Perimeter (ESP) is to provide a defensible electronic boundary around BES Cyber System.

35 CIP-005 Electronic Security Perimeters Documentation/Performance: Methods to ensure all in-scope devices reside within an ESP. Methods to identify malicious communications. The location and purpose of each ESP. Inventory of access points, Cyber Assets within the ESP & all devices used in the access control and/or monitoring. Processes detailing how Interactive Remote Access is managed. Diagrams are strongly encouraged. Dial-up authentication procedures.

36 CIP-006 Physical Security of BCS The purpose of the Physical Security Perimeter (PSP) is to provide a defensible physical boundary around BES Cyber System.

37 CIP-006 Physical Security of BCS Documentation/Performance: Physical Security Plans Access Monitoring processes Visitor Control Program PACS Maintenance and Testing Program Access, visitor, & alarm logs (90-day rolling) PSP Diagrams

38 CIP-007 Systems Security Management The purpose of CIP-007 is to protect the individual devices (BCA) inside the ESP.

39 CIP-007 Systems Security Management So how do you protect a device anyway? Allowing only necessary services to run Disabling unnecessary physical connections Installing security patches (new 35 day requirement) Protecting devices from malware and viruses Monitoring for security events (failed log-ins, viruses etc.) Using complex passwords Managing shared passwords

40 CIP-007 Systems Security Management Documentation/Performance: Process for enabling/disabling ports and services with the list of open ports Patch Management Program (recommended) Malware/Virus Protection Processes and Procedures Alerting processes Security Event Logs Account management processes Password complexity requirements Random sampling is common during audits

41 CIP-008 Incident Response The purpose of CIP-008 is ensure you can respond when a cyber incident occurs Develop an Incident Response Plan(s) that defines how the utility will identify, classify, and respond to cyber security incidents. Define the roles and responsibilities of incident responders. Define plans for response to different kinds of incidents. Test plans every 15 months (H,M) 36 months (L). Document any lessons learned from any test or incident and update the plan. Train on the plan as part of annual Training.

42 CIP-008 Incident Response The purpose of CIP-008 is ensure you can respond when a cyber incident occurs Document/Performance: Incident Response Plan Identification and Incident handling processes Regulatory reporting processes Plan testing results with lessons learned Actual incidents (3 year retention)

43 CIP-009 Recovery Planning CIP-009 addresses how you will recover (fix) if devices fail. R1 - Create a recovery plan (or plans) R2 - Test the recovery plan at least once every 15 months. R2 - Test a sample of backup data at least once every 15 months to ensure the backups work. R2 - Do an operational test every 36 months R3 - Document any lessons learned from the recovery plan tests and update the recovery plan as needed.

44 CIP-009 Recovery Planning CIP-009 addresses how you will recover (fix) if devices break. Document/Performance: Information backup including verification Data preservation during an incident Plan exercises Data testing Operational tests Performance Review of backed up data Testing data (at appropriate intervals) Lessons learned

45 CIP-010 Configuration Change Management and Vulnerability Testing Knowing what your devices are made up and knowing when they change R1 Develop a baseline configuration for each device R1 Manage changes to those devices R1 Verify Security Controls R2 Monitor for unplanned changes R3 Conduct a paper Vulnerability Assessment every 15 months -Active VA every 36 months (H)

46 CIP-010 Configuration Change Management and Vulnerability Testing Knowing what your devices are made up and knowing when they change Document/Performance: Documented Baseline configurations of all devices Change Control Processes Defined Security Controls Vulnerability Assessment Plan, Processes & Testing records

47 CIP-011 Information Protection Protecting the sensitive information about your BCS R1 Develop Information Protection Program that identifies, classifies and protects BCSI throughout its lifecycle. R2 Develop disposal and redeployment processes when removing/reusing BCA in a different location BCSI is any information that could be useful to an attacker. May directly tie to the BCS like a network diagram. Or indirectly like physical security plans.

48 CIP-011 Information Protection Protecting the sensitive information about your BCS Document/Performance: Information Protection Program Processes for identifying and protecting BCSI Procedures/Processes for Disposal and Reuse Lists of disposed/reused assets Document labeling Third-party agreements (vendor, contractor etc.)

49 CIP-014 Physical Protection Physical security of Transmission stations/substations, and their associated primary control centers. Applicability R1: Applicability and Risk Assessment R2: Unaffiliated Review R3: Control Center Notification Security R4: Threat and Vulnerability Assessment R5: Security Plan R6: Unaffiliated Review

50 CIP-014 Physical Protection R1 becomes effective October 1, CIP Implementation Timeline R1 Assessment Effective Date 0 Days R2 Verification Effective Days R2.3 Address Discrepancies R Days R3 Notify Control Center R Days R4 Threat and Vulnerability Evaluation R Days R5 Security Plan R Days R6 Review R Days R6.3 Address Discrepancies R Days

51

52 Additional Resources EnergySec NERC CIP Bootcamp Community wiki, webinars, CIPtionary, HipChat NERC CIP V5 Transition webpage Western Interconnection Compliance Forum (WICF) - CIP Focus Group Limited to entities in WECC region only to register

53 Summary Forget what you knew about CIP. Version 5 (and beyond) is a whole new world. CIP is much more complex than it seems on the surface. New focus on controls and reliability risk. Your NERC compliance organization needs your expertise. Don t take the easy way out, it s only going to get harder. Plan for the future, CIP will continue to evolve quickly.

54 Questions and Contact Info Lisa Carrington Regulatory Advisor Arizona Public Service (602)