Hang on, it's going to be a wild ride
- Derek Hudson
- 5 years ago
1 AGA/EEI Utility Internal Auditor's Training Course Washington, DC August 26, 2015
2 Hang on, it's going to be a wild ride
3 There are no NERC CIP Babel Fish "The Babel fish is small, yellow, leech-like, and probably the oddest thing in the universe. It feeds on brain wave energy, absorbing all unconscious frequencies and then excreting telepathically a matrix formed from the conscious frequencies and nerve signals picked up from the speech centres of the brain, the practical upshot of which is that if you stick one in your ear, you can instantly understand anything said to you in any form of language: the speech you hear decodes the brain wave matrix."
4 NERC CIP Secret Decoder Ring (AKA NERC CIP Acronym Guide)
BCA - BES Cyber Asset
BCS - BES Cyber System
BCSI - BES Cyber System Information
BES - Bulk Electric System
EACMS - Electronic Access Control or Monitoring System
EAP - Electronic Access Point
ERC - External Routable Connectivity
ESP - Electronic Security Perimeter
IRA - Interactive Remote Access
IRC - Impact Rating Criteria
IS - Intermediate System
LEAP - Low Impact BES Cyber System Electronic Access Point
LERC - Low Impact External Routable Connectivity
PACS - Physical Access Control System
PCA - Protected Cyber Asset
PRA - Personnel Risk Assessment
PSP - Physical Security Perimeter
RAI - Reliability Assurance Initiative
RSAW - Reliability Standard Audit Worksheet
TCA - Transient Cyber Asset
TFE - Technical Feasibility Exception
5 NERC CIP Regulation Development (Timeline of CIP Regulation Development)
Version 1: Approved in FERC Order 706 on Jan 18, 2008; effective July 1, 2008
Version 2 and 3: Current version. Minor changes to address issues raised by FERC. Effective dates of Sep 30, 2010 and Oct 1, 2010, respectively
Version 4: Approved, then later superseded by V5. Never went into effect
Version 5: Transitioning to here. Approved in FERC Order 791 on November 26, 2013. Takes effect beginning on April 1, 2016
Version 6: In FERC approval process. Combined with Version 7. FERC issued NOPR on July 16, 2015 (comments due September 21, 2015)
(Timeline chart; only the axis labels "Voluntary", "Mandatory" and "2009" survive)
6 NERC CIP Standards: Full on Jargon
Actual regulation titles, with links to the standards on NERC's website. Orange denotes standards currently pending before FERC (Version 6). One of these is not like the others.
CIP-002 Cyber Security - BES Cyber System Categorization
CIP-003 Cyber Security - Security Management Controls
CIP-004 Cyber Security - Personnel & Training
CIP-005 Cyber Security - Electronic Security Perimeter(s)
CIP-006 Cyber Security - Physical Security of BES Cyber Systems
CIP-007 Cyber Security - System Security Management
CIP-008 Cyber Security - Incident Reporting and Response Planning
CIP-009 Cyber Security - Recovery Plans for BES Cyber Systems
CIP-010 Cyber Security - Config. Change Management & Vulnerability Assessments
CIP-011 Cyber Security - Information Protection
CIP-014 Physical Security
7 NERC CIP PET (Plain English Translation)
CIP-002 What stuff do you have that must be protected?
CIP-003 What is your security policy to protect all this stuff, and who's in charge?
CIP-004 Who will have access to all your stuff, and how will they be vetted and trained?
CIP-005 What are the electronic protective boundaries around all your stuff?
CIP-006 What means will you use to physically protect your stuff?
CIP-007 How will each item on your list of stuff be protected from harm and inappropriate access?
CIP-008 If a security incident occurs that affects your stuff, how will you respond?
CIP-009 How will you restore your stuff to working condition if it fails?
CIP-010 How will you ensure you always know all about what your stuff is made of?
CIP-011 How will you protect the information stored on your stuff?
CIP-014 How will you protect your critical substations from physical attacks?
8 Defense in Depth Approach (layered diagram: Policies (CIP-003), Training (CIP-004), CIP-006, CIP-005, BES Cyber Assets (CIP-007), Information Protection (CIP-011))
9 NERC CIP Implementation Deadlines
April 1, 2016: High & Medium BCS - Control Centers, Generation Plants, Substations (only Control Centers can be High)
April 1, 2017*: Low BCS - Substations, Generation Plants, Control Centers
*Assuming FERC issues the Version 6 Order before ...
10 So What's Different?
No longer binary (critical/non-critical)
Bright line criteria determine criticality
BES = CIP
11 More
New approach to requirement applicability
Applicability assigned on a per-requirement basis
Three tiers of impact (High, Medium, Low)
Over 20 asset categories
Complex applicability matrix
Location- and connectivity-based applicability
12 NERC CIPv3 Standard Mechanics
Example: CIP ... pages long
All detail is contained in the requirement
Limited additional guidance
13 NERC CIPv5 Standard Mechanics
Example: CIP ... pages long
Detail in multiple locations (slide shows page 6 and page 7 of the standard)
Additional guidance included inside and outside the standard
14 NERC CIPv5 Standard Mechanics (slide shows page 51 and page 59 of the standard)
15 NERC CIPv5 Standard Mechanics (We're not done yet.)
Additional NERC Guidance Documents
Multiple Lessons Learned Documents
FAQs
Implementation Studies
16 Types of Protection
Physical: Locations that house cyber assets need to be secured and access limited (card readers, cages, etc.)
Electronic: Cyber assets need to be protected electronically by creating unique passwords, limiting access, malware prevention, etc.
Information: Certain information needs to be protected and handled carefully whether paper or electronic (drawings, network diagrams, device configurations)
18 So how do you audit this anyway?
19 The old way
Performance based
Zero defects compliance
One size fits all auditing
20 The new way
Risk based compliance oversight
Controls focused
Risk based auditing & enforcement
21 The new way: Continent-wide Risk Elements (Defined Annually)
Identify continent-wide risks
Prioritize risks based on significance, likelihood, vulnerability, and potential impact to the reliability of the BPS
Categorize risks as operational and planning, threats to cyber systems, and/or threats to physical security
Update for emerging risks and mitigated risks
Develop initial monitoring scope
22 The new way: Inherent Risk Assessment
Regional Entities perform an IRA to identify areas of focus and the level of effort needed to monitor compliance
Considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition
Performed on a periodic basis, with the frequency based on a variety of factors, including, but not limited to, changes to a registered entity and significant changes or emergence of new reliability risks
23 The new way: Internal Controls Evaluation
Participation is voluntary
Provide information about internal controls that address the risks applicable to the entity and correct noncompliance
Demonstrate effectiveness of such controls
Results will further refine CMEP focus
24 The new way: Compliance Monitoring and Enforcement Tools
CMEP tools will be customized (off-site or on-site audits, spot checks, Self-Certification, etc.) based on reliability risks
RC, BA and TOP remain on a 3 year audit cycle
CMEP tools may be adjusted within a given implementation year
25 The new way: Risk Based Enforcement Activities
Enforcement activities correlate violations with reliability risk
Compliance Exceptions: streamlined violation resolution process; minimal risk instances of noncompliance are eligible; effectively supersedes Find, Fix, Track and Report (FFT)
Self-Logging: entities with demonstrated effective management practices are allowed to self-identify, log, assess, and mitigate minimal risk instances of noncompliance that will be processed as compliance exceptions
For more details refer to NERC's 2015 ERO Compliance Monitoring and Enforcement Implementation Plan: Assurance Initiative/Final_2015 CMEP IP_V_1.2 (Posted_ ).pdf
26 Auditor Roadmap: the RSAW is the roadmap for compliance
27 Auditor Roadmap: provides auditor guidance regarding acceptable demonstration of compliance
28 Implicit vs. Explicit Requirements
Be mindful of requirements that are implied rather than explicitly stated. Several Regions have posted positions on implied requirements. Focus on the intent of the Regulation rather than the words.
Examples of implied requirements:
Identification of BES Cyber Systems (BCS) is required, but identification of BES Cyber Assets (BCA) is not.
A discrete list of low impact BCS is not required.
Monitoring is not required for low BCS, but incident response is.
29 CIP-002 Identification & Categorization
The objective of CIP-002 is to identify BES Cyber Systems as either High, Medium, or Low impact BES Cyber Systems (but that's way harder than it ...)
Conduct an inventory of all BES Cyber Assets
Group assets into systems
Evaluate the reliability impact of systems (loss, misuse, compromise, etc.)
Consider the Impact Rating Criteria, aka bright lines
Classify systems as BCS: High, Medium or Low
30 CIP-003 System Management Controls Applicability Matrix
R1 Develop a Cyber Security Policy (Highs/Mediums) (includes 9 specific topics to be included)
R2 Develop a Cyber Security Policy (Lows) (includes 4 specific topics to be included)
R3 Designate a CIP Senior Manager (CSM)
R4 Develop a process for CSM delegation of authority
(R1-R2: Annual review and approval required every 15 months)
*NOTE: pay attention to v6; there are new terms and additional specificity around low policies
31 CIP-003 System Management Controls
Policy(ies) must collectively address the following:
R1 Policy for High/Medium BCS:
1. Personnel and training (CIP-004);
2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
3. Physical security of BES Cyber Systems (CIP-006);
4. System security management (CIP-007);
5. Incident reporting and response planning (CIP-008);
6. Recovery plans for BES Cyber Systems (CIP-009);
7. Configuration change management and vulnerability assessments (CIP-010);
8. Information protection (CIP-011);
9. Declaring and responding to CIP Exceptional Circumstances.
R2 Policy for Low BCS:
1. Cyber security awareness;
2. Physical security controls;
3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
4. Cyber Security Incident response.
32 CIP-004 Personnel and Training
R1 Security Awareness Program (H, M, L)
Security-focused quarterly awareness activities (annual for Low)
Intent is to raise general security awareness
Documentation: a program document is not required but recommended; a process to ensure appropriate distribution; awareness materials must be retained
Performance includes proof of interval execution
R2 Role-based Training Program
Annually required; training for access of any kind; role focused in v5
Documentation: the Training Program is required; training processes; training content verification; controls to ensure training is completed prior to access
Performance includes a random sample
33 CIP-004 Personnel and Training
R3 Personnel Risk Assessment Program
It's more than a background check: confirm identity, 7-year criminal history, evaluate for risk
Documentation: PRA Program document; processes for PRA completion; controls to ensure the PRA is complete prior to access
Performance includes a random sample
R4-R5 Access Management & Revocation Programs
Must be need based (physical, electronic and information)
Review authorization records quarterly
Review user accounts and roles annually
Remove access within 24 hours for terminations; next calendar day for transfers/reassignments
Documentation: program document(s) required; processes for all activities
Performance includes: random sample
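The R5 timing rules on this slide are the kind of thing an internal auditor tests by sampling HR records against access-removal records. The Python below is an added example (not material from the training course) that does that comparison over a constructed sample population; the record layout, the reading of "next calendar day" as end of the following calendar day, and the user names are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AccessEvent:
    """One HR action and the matching access removal (assumed record shape)."""
    user: str
    action: str                       # "termination" or "transfer"
    event_time: datetime              # when HR recorded the action
    revoked_time: Optional[datetime]  # when access was removed; None = still active


def revocation_deadline(ev: AccessEvent) -> datetime:
    """24 hours for terminations; end of the next calendar day for
    transfers/reassignments (the latter is this example's reading of the slide)."""
    if ev.action == "termination":
        return ev.event_time + timedelta(hours=24)
    if ev.action == "transfer":
        next_day = ev.event_time.date() + timedelta(days=1)
        return datetime.combine(next_day, datetime.max.time())
    raise ValueError(f"unknown action {ev.action!r}")


def check_revocations(events: List[AccessEvent], as_of: datetime) -> List[dict]:
    """Return one finding per event whose access outlived its deadline."""
    findings = []
    for ev in events:
        deadline = revocation_deadline(ev)
        if ev.revoked_time is None:
            # Access still active: a finding only once the deadline has passed
            if as_of > deadline:
                hours = (as_of - deadline).total_seconds() / 3600
                findings.append({"user": ev.user, "action": ev.action,
                                 "issue": "still active past deadline",
                                 "hours_late": round(hours, 1)})
        elif ev.revoked_time > deadline:
            hours = (ev.revoked_time - deadline).total_seconds() / 3600
            findings.append({"user": ev.user, "action": ev.action,
                             "issue": "revoked late", "hours_late": round(hours, 1)})
    return findings


# Constructed sample population (not real personnel data)
SAMPLE_EVENTS = [
    AccessEvent("asmith", "termination", datetime(2015, 8, 3, 9, 0), datetime(2015, 8, 3, 11, 30)),  # within 24 h
    AccessEvent("bjones", "termination", datetime(2015, 8, 5, 14, 0), datetime(2015, 8, 6, 20, 0)),  # 30 h: late
    AccessEvent("clee", "transfer", datetime(2015, 8, 10, 16, 0), datetime(2015, 8, 11, 15, 0)),     # next day: ok
    AccessEvent("dkim", "transfer", datetime(2015, 8, 12, 8, 0), datetime(2015, 8, 14, 9, 0)),       # two days: late
    AccessEvent("epark", "termination", datetime(2015, 8, 20, 10, 0), None),                        # never revoked
]
AS_OF = datetime(2015, 8, 26, 12, 0)


def sample_findings() -> List[dict]:
    return check_revocations(SAMPLE_EVENTS, AS_OF)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run against a full year of HR actions rather than a hand-picked sample, and the output doubles as the population from which the auditor's random sample is drawn.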
34 CIP-005 Electronic Security Perimeters
The purpose of the Electronic Security Perimeter (ESP) is to provide a defensible electronic boundary around BES Cyber Systems.
35 CIP-005 Electronic Security Perimeters
Documentation/Performance:
Methods to ensure all in-scope devices reside within an ESP
Methods to identify malicious communications
The location and purpose of each ESP
Inventory of access points, Cyber Assets within the ESP, and all devices used in access control and/or monitoring
Processes detailing how Interactive Remote Access is managed
Diagrams are strongly encouraged
Dial-up authentication procedures
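"Methods to ensure all in-scope devices reside within an ESP" is something an auditor can test mechanically when the entity provides its Cyber Asset inventory and ESP definitions. The Python below is an added example (not from the course) that cross-checks a constructed inventory against constructed ESP subnet definitions and flags in-scope devices outside every ESP, devices inside overlapping ESPs, and ESPs with no declared Electronic Access Point; the ESP names, addresses, and the choice of BCA and PCA as the in-scope classes are assumptions of the example.

```python
import ipaddress
from typing import Dict, List

# Constructed ESP definitions: subnets plus declared Electronic Access Points (EAPs)
ESPS: Dict[str, dict] = {
    "ControlCenter-A": {"subnets": ["10.10.0.0/24"], "eaps": ["fw-cc-a"]},
    "Substation-12":   {"subnets": ["192.168.12.0/28"], "eaps": []},
}

# Constructed Cyber Asset inventory: device name, routable IP, classification
INVENTORY: List[dict] = [
    {"name": "hmi-01",    "ip": "10.10.0.20",   "class": "BCA"},
    {"name": "eng-ws-03", "ip": "10.10.0.30",   "class": "PCA"},
    {"name": "rtu-07",    "ip": "192.168.12.5", "class": "BCA"},
    {"name": "historian", "ip": "10.20.0.5",    "class": "BCA"},
    {"name": "badge-srv", "ip": "10.30.0.9",    "class": "PACS"},
]

# Classes that must reside inside an ESP (assumption of this example)
IN_SCOPE = {"BCA", "PCA"}


def esps_containing(ip: str, esps: Dict[str, dict]) -> List[str]:
    """Names of every ESP whose subnets include this address."""
    addr = ipaddress.ip_address(ip)
    return [name for name, esp in esps.items()
            if any(addr in ipaddress.ip_network(net) for net in esp["subnets"])]


def check_esp_coverage(inventory: List[dict], esps: Dict[str, dict]) -> List[dict]:
    """Audit findings: in-scope devices outside any ESP, devices inside more than
    one ESP (overlapping definitions), and ESPs without a declared EAP."""
    findings = []
    for dev in inventory:
        if dev["class"] not in IN_SCOPE:
            continue
        hits = esps_containing(dev["ip"], esps)
        if not hits:
            findings.append({"device": dev["name"], "ip": dev["ip"],
                             "issue": "outside any ESP"})
        elif len(hits) > 1:
            findings.append({"device": dev["name"], "ip": dev["ip"],
                             "issue": "inside overlapping ESPs", "esps": hits})
    for name, esp in esps.items():
        if not esp["eaps"]:
            findings.append({"esp": name, "issue": "no EAP declared"})
    return findings


def sample_findings() -> List[dict]:
    return check_esp_coverage(INVENTORY, ESPS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The PACS server is deliberately skipped: CIP-005 scopes the ESP to BES Cyber Systems and their Protected Cyber Assets, so an auditor testing this control wants the in-scope class list to match what the entity actually declared under CIP-002 rather than everything on the network diagram.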
36 CIP-006 Physical Security of BCS
The purpose of the Physical Security Perimeter (PSP) is to provide a defensible physical boundary around BES Cyber Systems.
37 CIP-006 Physical Security of BCS
Documentation/Performance:
Physical Security Plans
Access monitoring processes
Visitor Control Program
PACS Maintenance and Testing Program
Access, visitor, & alarm logs (90-day rolling)
PSP diagrams
38 CIP-007 Systems Security Management The purpose of CIP-007 is to protect the individual devices (BCA) inside the ESP.
39 CIP-007 Systems Security Management
So how do you protect a device anyway?
Allowing only necessary services to run
Disabling unnecessary physical connections
Installing security patches (new 35 day requirement)
Protecting devices from malware and viruses
Monitoring for security events (failed log-ins, viruses, etc.)
Using complex passwords
Managing shared passwords
40 CIP-007 Systems Security Management
Documentation/Performance:
Process for enabling/disabling ports and services, with the list of open ports
Patch Management Program (recommended)
Malware/virus protection processes and procedures
Alerting processes
Security event logs
Account management processes
Password complexity requirements
Random sampling is common during audits
41 CIP-008 Incident Response
The purpose of CIP-008 is to ensure you can respond when a cyber incident occurs.
Develop an Incident Response Plan(s) that defines how the utility will identify, classify, and respond to cyber security incidents.
Define the roles and responsibilities of incident responders.
Define plans for response to different kinds of incidents.
Test plans every 15 months (H, M) or 36 months (L).
Document any lessons learned from any test or incident and update the plan.
Train on the plan as part of annual Training.
42 CIP-008 Incident Response
The purpose of CIP-008 is to ensure you can respond when a cyber incident occurs.
Document/Performance:
Incident Response Plan
Identification and incident handling processes
Regulatory reporting processes
Plan testing results with lessons learned
Actual incidents (3 year retention)
43 CIP-009 Recovery Planning
CIP-009 addresses how you will recover (fix) if devices fail.
R1 - Create a recovery plan (or plans)
R2 - Test the recovery plan at least once every 15 months
R2 - Test a sample of backup data at least once every 15 months to ensure the backups work
R2 - Do an operational test every 36 months
R3 - Document any lessons learned from the recovery plan tests and update the recovery plan as needed
44 CIP-009 Recovery Planning
CIP-009 addresses how you will recover (fix) if devices break.
Document/Performance:
Information backup including verification
Data preservation during an incident
Plan exercises
Data testing
Operational tests
Performance: review of backed up data; testing data (at appropriate intervals); lessons learned
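Several of the slides so far turn on calendar intervals: the 15-month policy review in CIP-003 R1-R2, the quarterly and annual access reviews in CIP-004 R4, the 15- and 36-month plan tests in CIP-008, and the 15- and 36-month recovery tests here in CIP-009. The Python below is an added example (not from the course) of the interval test an auditor applies to an entity's completion history for any such obligation: it flags a gap between two consecutive performances that exceeds the interval, and an obligation whose next due date has passed as of the audit date. The obligation list and completion dates are constructed, and the calendar-month arithmetic (same day of month, clamped to month end) is an assumption of the example.

```python
import calendar
from datetime import date
from typing import List


def add_months(d: date, months: int) -> date:
    """Calendar-month addition with the day clamped to the target month's length
    (e.g. Jan 31 + 1 month = Feb 28/29)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


# Constructed completion history (not an entity's real records)
OBLIGATIONS = [
    {"id": "CIP-003 R1 policy review", "interval_months": 15,
     "completed": [date(2014, 1, 10), date(2015, 3, 20)]},
    {"id": "CIP-004 R4 authorization record review", "interval_months": 3,
     "completed": [date(2015, 10, 15), date(2016, 1, 10), date(2016, 6, 1)]},
    {"id": "CIP-009 R2 operational exercise (High)", "interval_months": 36,
     "completed": [date(2013, 9, 15)]},
]


def check_intervals(obligations: List[dict], as_of: date) -> List[dict]:
    """One finding per missed interval in the history and one per obligation
    that is overdue on the audit date."""
    findings = []
    for ob in obligations:
        done = sorted(ob["completed"])
        n = ob["interval_months"]
        if not done:
            findings.append({"id": ob["id"], "issue": "never performed"})
            continue
        for prev, nxt in zip(done, done[1:]):
            due = add_months(prev, n)
            if nxt > due:
                findings.append({"id": ob["id"], "issue": "interval exceeded",
                                 "due": due, "performed": nxt})
        next_due = add_months(done[-1], n)
        if as_of > next_due:
            findings.append({"id": ob["id"], "issue": "overdue", "due": next_due})
    return findings


AS_OF = date(2016, 8, 1)


def sample_findings() -> List[dict]:
    return check_intervals(OBLIGATIONS, AS_OF)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The history check matters as much as the overdue check: an entity that is current today may still have a past gap inside the audit period, and that gap is the noncompliance the RSAW evidence would surface.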
45 CIP-010 Configuration Change Management and Vulnerability Testing
Knowing what your devices are made up of, and knowing when they change
R1 Develop a baseline configuration for each device
R1 Manage changes to those devices
R1 Verify security controls
R2 Monitor for unplanned changes
R3 Conduct a paper Vulnerability Assessment every 15 months; active VA every 36 months (H)
46 CIP-010 Configuration Change Management and Vulnerability Testing
Knowing what your devices are made up of, and knowing when they change
Document/Performance:
Documented baseline configurations of all devices
Change control processes
Defined security controls
Vulnerability Assessment plan, processes & testing records
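Baseline configurations (R1) and monitoring for unplanned changes (R2) come together in one test: diff the current state of each device against its documented baseline, then match every difference against the change control records. The Python below is an added example (not from the course) of that test over constructed baselines, snapshots and approved-change tickets; the baseline fields (OS, installed software, listening ports, applied patches), device names and ticket numbers are assumptions of the example. Anything that differs from the baseline without a matching ticket is the unplanned change R2 exists to catch.

```python
from typing import Dict, List, Tuple

# Baseline fields (assumed): scalars compared for equality, the rest compared as sets
SCALAR_FIELDS = ("os",)
SET_FIELDS = ("software", "ports", "patches")

# Constructed documented baselines
BASELINES: Dict[str, dict] = {
    "rtu-07": {"os": "VxWorks 6.9", "software": ["dnp3-agent 2.1"],
               "ports": [22, 20000], "patches": []},
    "hmi-01": {"os": "Windows 7 SP1", "software": ["HMI Studio 4.2", "AV client 11"],
               "ports": [445, 3389], "patches": ["KB3000061"]},
}

# Constructed current-state snapshots collected from the devices
SNAPSHOTS: Dict[str, dict] = {
    "rtu-07": {"os": "VxWorks 6.9", "software": ["dnp3-agent 2.1"],
               "ports": [22, 23, 20000], "patches": []},
    "hmi-01": {"os": "Windows 7 SP1", "software": ["HMI Studio 4.2", "AV client 11", "Remote Tool 1.0"],
               "ports": [445, 3389], "patches": ["KB3000061", "KB3079904"]},
}

# Constructed change control records (ticket numbers are placeholders)
APPROVED_CHANGES: List[dict] = [
    {"device": "hmi-01", "field": "patches", "kind": "added", "value": "KB3079904", "ticket": "CHG-1042"},
]


def diff_baseline(device: str, baseline: dict, current: dict) -> List[dict]:
    """Every field-level difference between baseline and current state."""
    changes = []
    for field in SCALAR_FIELDS:
        if baseline.get(field) != current.get(field):
            changes.append({"device": device, "field": field, "kind": "changed",
                            "value": current.get(field)})
    for field in SET_FIELDS:
        before, after = set(baseline.get(field, ())), set(current.get(field, ()))
        for value in sorted(after - before):
            changes.append({"device": device, "field": field, "kind": "added", "value": value})
        for value in sorted(before - after):
            changes.append({"device": device, "field": field, "kind": "removed", "value": value})
    return changes


def classify_changes(baselines: Dict[str, dict], snapshots: Dict[str, dict],
                     approved: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Split observed changes into (authorized, unauthorized) by ticket match."""
    approved_keys = {(a["device"], a["field"], a["kind"], a["value"]): a["ticket"] for a in approved}
    authorized, unauthorized = [], []
    for device, baseline in baselines.items():
        current = snapshots.get(device)
        if current is None:   # a device that cannot be monitored is itself a finding
            unauthorized.append({"device": device, "field": "*", "kind": "missing_snapshot", "value": None})
            continue
        for change in diff_baseline(device, baseline, current):
            key = (change["device"], change["field"], change["kind"], change["value"])
            if key in approved_keys:
                authorized.append({**change, "ticket": approved_keys[key]})
            else:
                unauthorized.append(change)
    return authorized, unauthorized


def sample_classification() -> Tuple[List[dict], List[dict]]:
    return classify_changes(BASELINES, SNAPSHOTS, APPROVED_CHANGES)


if __name__ == "__main__":
    authorized, unauthorized = sample_classification()
    print("authorized:", authorized)
    print("unauthorized:", unauthorized)
```

The newly listening port on rtu-07 and the extra tool on hmi-01 both surface as unauthorized, while the patch with a ticket does not; the "verify security controls" step in R1 is then the follow-up on each authorized change, and the unauthorized list is what the R2 monitoring evidence should show being investigated.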
47 CIP-011 Information Protection
Protecting the sensitive information about your BCS
R1 Develop an Information Protection Program that identifies, classifies and protects BCSI throughout its lifecycle
R2 Develop disposal and redeployment processes for removing a BCA or reusing it in a different location
BCSI is any information that could be useful to an attacker. It may tie directly to the BCS, like a network diagram, or indirectly, like physical security plans.
48 CIP-011 Information Protection
Protecting the sensitive information about your BCS
Document/Performance:
Information Protection Program
Processes for identifying and protecting BCSI
Procedures/processes for disposal and reuse
Lists of disposed/reused assets
Document labeling
Third-party agreements (vendor, contractor, etc.)
49 CIP-014 Physical Protection
Physical security of Transmission stations/substations, and their associated primary control centers.
Applicability
R1: Applicability and Risk Assessment
R2: Unaffiliated Review
R3: Control Center Notification
R4: Threat and Vulnerability Assessment
R5: Security Plan
R6: Unaffiliated Review
50 CIP-014 Physical Protection
R1 becomes effective October 1, ...
(CIP-014 implementation timeline figure: R1 Assessment at the effective date (0 days); R2 Verification; R2.3 Address Discrepancies; R3 Notify Control Center; R4 Threat and Vulnerability Evaluation; R5 Security Plan; R6 Review; R6.3 Address Discrepancies. The day counts for each step did not survive extraction.)
52 Additional Resources
EnergySec NERC CIP Bootcamp: community wiki, webinars, CIPtionary, HipChat
NERC CIP V5 Transition webpage
Western Interconnection Compliance Forum (WICF) - CIP Focus Group (limited to entities in the WECC region only; ... to register)
53 Summary
Forget what you knew about CIP. Version 5 (and beyond) is a whole new world.
CIP is much more complex than it seems on the surface.
New focus on controls and reliability risk.
Your NERC compliance organization needs your expertise.
Don't take the easy way out; it's only going to get harder.
Plan for the future: CIP will continue to evolve quickly.
54 Questions and Contact Info
Lisa Carrington, Regulatory Advisor, Arizona Public Service, (602) ...
A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-6 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and
More informationReliability Standard Audit Worksheet 1
Reliability Standard Audit Worksheet 1 CIP-006-6 Cyber Security Physical Security of BES Cyber Systems This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity:
More informationLesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015
Lesson Learned CIP Version 5 Transition Program CIP-002-5.1: Communications and Networking Cyber Assets Version: October 6, 2015 Authorized by the Standards Committee on October 29, 2015 for posting as
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationCIP Cyber Security Physical Security of BES Cyber Systems
A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-5 3. Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in
More informationStandard CIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationInteractive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.
Interactive Remote Access Compliance Workshop October 27, 2016 Eric Weston Compliance Auditor Cyber Security 2 Agenda Interactive Remote Access Overview Review of Use Cases and Strategy 1 Interactive Remote
More informationStandards Authorization Request Form
Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.
More informationCIP Configuration Change Management & Vulnerability Assessments
CIP-010-2 Configuration Change Management & Vulnerability Assessments FRCC Spring RE Workshop April 17-18, 2018 Objective Change Management to prevent unauthorized modifications to Bulk Electric Systems
More informationPhysical Security Reliability Standard Implementation
Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,
More informationDraft CIP Standards Version 5
Draft CIP Standards Version 5 Technical Webinar Part 1 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 15, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5
More informationCybersecurity for the Electric Grid
Cybersecurity for the Electric Grid Electric System Regulation, CIP and the Evolution of Transition to a Secure State A presentation for the National Association of Regulatory Utility Commissioners March
More informationLow Impact Generation CIP Compliance. Ryan Walter
Low Impact Generation CIP Compliance Ryan Walter Agenda Entity Overview NERC CIP Introduction CIP-002-5.1, Asset Classification What Should Already be Done CIP-003-7, Low Impact Requirements Tri-State
More informationCIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-6 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in
More informationDraft CIP Standards Version 5
Draft CIP Standards Version 5 Technical Webinar Part 2 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 29, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5
More informationFrequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015
Frequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015 This document is designed to provide answers to questions asked by entities as they transition to
More informationStandard CIP-006-4c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security
More informationImplementation Plan. Project CIP Version 5 Revisions. January 23, 2015
Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces
More informationCIP Cyber Security Recovery Plans for BES Cyber Systems
A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-5 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationBreakfast. 7:00 a.m. 8:00 a.m.
Breakfast 7:00 a.m. 8:00 a.m. Opening Announcements NERC 2015 Standards and Compliance Spring Workshop April 3, 2015 NERC Antitrust Compliance Guidelines It is NERC s policy and practice to obey the antitrust
More informationStandard CIP-006-3c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security
More informationImplementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015
Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014 02 CIP Version 5 Revisions replaces
More informationCIP Cyber Security Recovery Plans for BES Cyber Systems
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationNPCC Compliance Monitoring Team Classroom Session
NPCC Compliance Monitoring Team Classroom Session John Muir - Director, Compliance Monitoring Jacqueline Jimenez - Senior Compliance Engineer David Cerasoli, CISSP - Manager, CIP Audits 5/14/2018 1 Compliance
More informationDesigning Secure Remote Access Solutions for Substations
Designing Secure Remote Access Solutions for Substations John R Biasi MBA, CISA, CISSP October 19, 2017 Agenda Brief Biography Interactive Remote Access Dial-Up Access Examples Transient Devices Vendor
More informationCIP Cyber Security Recovery Plans for BES Cyber Systems
A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan
More informationBetter Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2
Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2 David Cerasoli, CISSP Manager, CIP Audits October 30, 2018 Disclaimer The goal of this webinar is to share
More informationVIA ELECTRONIC FILING
VIA ELECTRONIC FILING Ms. Kimberly D. Bose Secretary Federal Energy Regulatory Commission 888 First Street, N.E. Washington, DC 20426 Re: NERC Full Notice of Penalty regarding Unidentified Registered Entity
More informationDRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1
DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...
More informationCIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement
The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure
More informationLoss of Control Center Functionality: EOP-008-1, CIP-008-3, CIP September 30, 2014
Loss of Control Center Functionality: EOP-008-1, CIP-008-3, CIP-009-3 September 30, 2014 James Williams Lead Compliance Specialist jwilliams.re@spp.org 501.614.3261 Jeremy Withers Senior Compliance Specialist
More informationi-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS
i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS siemens.com/ruggedcom INTERACTIVE REMOTE ACCESS INTELLIGENT ELECTRONIC DEVICES Intelligent Electronic Devices (IEDs) Devices that can provide real-time
More informationTechnical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationAdditional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationStandard CIP 004 3a Cyber Security Personnel and Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access
More informationStandard CIP Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security program
More informationCIP Technical Workshop
CIP Technical Workshop Scott R, Mix, CISSP, NERC CIP Technical Manager Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist Tobias R. Whitney, Manager, CIP Compliance March 4, 2014 Agenda Welcome
More informationReliability Standard Audit Worksheet 1
Reliability Standard Audit Worksheet 1 CIP-002-5.1 Cyber Security BES Cyber System Categorization This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR
More information1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationNORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NARUC Energy Regulatory Partnership Program The Public Services Regulatory Commission of Armenia and The Iowa Utilities Board Janet Amick Senior Utility
More informationSGAS Low Impact Atlanta, GA September 14, 2016
SGAS Low Impact Atlanta, GA September 14, 2016 Lisa Wood, CISA, Security+, CBRA, CBRM Compliance Auditor Cyber Security Western Electricity Coordinating Council Slide 2 Agenda Low Impact Case Study Overview
More informationCIP Cyber Security Security Management Controls. Standard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More information