CIP Technical Workshop


1 CIP Technical Workshop
Scott R. Mix, CISSP, NERC CIP Technical Manager
Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist
Tobias R. Whitney, Manager, CIP Compliance
March 4, 2014

2 Agenda Welcome Overview of FERC Order No. 791 CIP V5 High-level Overview CIP V5 Core Requirements Break (15 min) Transition Study Progress & Lessons Learned Standards Drafting Progress 2

3 Administrative Issues
NERC Antitrust Guidelines: It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.
Notice of Open Meeting: Participants are reminded that this meeting is public. Speakers should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

4 Overview of FERC Order No

5 Final Rule Highlights Final Rule Issued November 22, 2013 Docket RM13-5 Order No page rule Published in Federal Register December 3,

6 Final Rule Highlights Effective Date of Final Rule: February 3, 2014 Effective Date for Compliance with all non-periodic requirements: April 1, 2016 for High and Medium Impact April 1, 2017 for Low Impact Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1,

7 Final Rule Highlights Approved technical requirements Approved 19 definitions Approved implementation plan Approved bypass of Version 4 Approve, with modifications, VRF / VSL 7

8 Final Rule Highlights Submit modified VRF / VSL within 90 days Submit two directed changes and one informational filing within one year IAC Communications Networks Survey: 15-minute clause Two other directed changes do not have specified time frame Low Impact BES Cyber Systems Transitory Devices 8

9 IAC Language Address concerns with IAC Language Prefer to have compliance language removed from requirements Allow for flexibility for addressing concerns Supports move away from zero tolerance compliance approach for the 17 requirements IAC language ambiguous, concerns about inconsistent application, unclear expectations placed on industry Submit within one year 9

10 BES Cyber Asset Categorization
- Allow impact-based categorization
- May revisit in future
- Not persuaded to move blackstart from Low to Medium, but may revisit
- Does not consider connectivity, but may revisit
- Confirm that Low will not include non-BES assets

11 Low Impact requirements
- Lack of objective criteria for evaluating Low Impact protections
- Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process
- Open to alternative approaches
- the criteria NERC proposes for evaluating a responsible entity's protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.
- No detailed inventory required; list of locations / Facilities OK

12 15-Minute Parameter Survey industry about impacts of 15-minute parameter during transition period What Cyber Assets are included / excluded by the 15-minute parameter Informational filing to FERC in one year Commission may revisit issue following informational filing 12

13 30-day exemption in Definition Do not direct change to definition Directed modifications to address transient devices issues 13

14 Transient Devices
- Devices connected for less than 30-days (USB, laptop, etc)
- Direct modifications to address the following concerns:
  o Device authorization
  o Software authorization
  o Security patch management
  o Malware prevention
  o Unauthorized physical access
  o Procedures for connecting to different impact level systems

15 Communications Network
- Approve definition of Cyber Asset without change
- Direct creation of definition of communication networks and requirements to address issues:
  o Locked wiring closets
  o Disconnected or locked spare jacks
  o Protection of cabling by conduit or cable trays
- Submit within one year
- Include discussion in FERC Staff-led conference

16 Implementation Plan Approve implementation Plan as filed month for High & Medium 36-month for Low Bypass Version 4 Support NERC proposal to develop transition guidance and pilot program Declined to extend implementation plan Not persuaded to allow early shift to V5 However, issues of early compliance can be addressed by NERC and Registered Entities as appropriate.

17 Rehearing Requests
Three Rehearing requests submitted
1. Utility Services, Inc.
  o Defer start of implementation period to April 1,
2. EEI/EPSA
  o Hold a Technical Conference rather than conduct a Survey
  o Clarify Implementation Date for High & Medium
  o Delay Implementation Date for Low until modifications approved (FERC Directive)
  o Hold Technical Conference on Communication Networks in 90 days

18 Rehearing Requests
3. APPA/NRECA
  o Elimination of IAC language creates implementation uncertainty
  o Standards may become enforceable before IAC changes are approved
  Clarify rationale supporting determination that a Regulatory Flexibility Act analysis is not required
No timeframe specified for FERC response to Rehearing Requests

19 FERC Staff-led Technical Conference
- FERC Staff-led technical Conference
- From P of Order No. 791
- Announced February 27, 2014
- Conference held April 29, 2014 starting at 9:00 AM
- Topics to be addressed (from conference announcement):
  1) whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access;
  2) the adequacy of the approved CIP version 5 Standards protections for Bulk-Power System data being transmitted over data networks; and
  3) functional differences between the respective methods utilized for identification, categorization, and specification of appropriate levels of protection for cyber assets using CIP version 5 Standards as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework.


21 CIP V5 High-level Overview 21

22 CIP Standards Version 5
New / Modified Terms:
- BES Cyber Asset
- BES Cyber System
- BES Cyber System Information
- CIP Exceptional Circumstance
- CIP Senior Manager
- Control Center
- Cyber Assets
- Cyber Security Incident
- Dial-up Connectivity
- Electronic Access Control and Monitoring Systems (EACMS)
- Electronic Access Point (EAP)
- Electronic Security Perimeter (ESP)
- External Routable Connectivity
- Interactive Remote Access
- Intermediate Device
- Physical Access Control Systems (PACS)
- Physical Security Perimeter (PSP)
- Protected Cyber Asset (PCA)
- Reportable Cyber Security Incident

23 CIP Standards Version 5
- High Impact: Large Control Centers; CIP-003 to 009 V4 plus
- Medium Impact: Generation and Transmission; Control Centers; Similar to CIP-003 to 009 V4
- All other BES Cyber Systems (Low Impact) must implement a policy to address:
  o Cybersecurity Awareness
  o Physical Security Controls
  o Electronic Access Controls
  o Incident Response
[Figure: V3/V4 categories (Critical, Non-Critical) compared with V5 categories (High, Medium, Low, Non-Impactful (Distribution, Marketing, Business)); labels: Large Control Centers, Generation and Transmission, Control Centers, Small Control Centers]

24 CIP Standards Version 5 Rationale, Guidance & Changes, Main Requirement and Measure Applicable Systems for requirement part Requirement part text Requirement part Measure text Requirement part Reference Requirement part change rationale 24


26 CIP V5 Core Requirements 26

27 Objectives
- Walk through CIP V5 core technical requirements
- Look at differences from V3/V4
  o CIP-005: Electronic Security Perimeter(s)
  o CIP-006: Physical Security of BES Cyber Systems
  o CIP-007: Systems Security Management
  o CIP-010: Configuration Change Management and Vulnerability Assessments

28 CIP-005 CIP-005 Electronic Security Perimeter(s) Part Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default. EAPs for High and Medium Impact BES Cyber Systems Introduces reasoning explicitly in the requirement Outbound rules now required No annual document review required 28
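One way to check an EAP rule set against the three points on this slide (rules in both directions, a documented reason for every permit, deny by default), as an added example that is not part of the workshop material. The rule format, field names, addresses and reasons are constructed for illustration and do not correspond to any vendor syntax.

```python
"""Audit an Electronic Access Point rule set for default deny and documented reasons."""

ANY = "any"
DIRECTIONS = ("inbound", "outbound")


def rule(direction, action, src, dst, port, reason=""):
    """Build one rule in the constructed format used by this example."""
    return {"direction": direction, "action": action, "src": src,
            "dst": dst, "port": port, "reason": reason}


def _is_any(r):
    return r["src"] == ANY and r["dst"] == ANY and r["port"] == ANY


def audit_eap_rules(rules):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    for direction in DIRECTIONS:
        chain = [r for r in rules if r["direction"] == direction]
        if not chain:
            # Outbound permissions are required as well as inbound ones.
            findings.append(f"{direction}: no rules defined")
            continue
        last = chain[-1]
        if not (last["action"] == "deny" and _is_any(last)):
            findings.append(f"{direction}: last rule is not deny-all")
        for n, r in enumerate(chain, start=1):
            if r["action"] != "permit":
                continue
            if not r["reason"].strip():
                findings.append(f"{direction} rule {n}: permit without a documented reason")
            if _is_any(r):
                findings.append(f"{direction} rule {n}: permit any/any defeats default deny")
    return findings


# Constructed sample rule sets (documentation-range and private addresses).
GOOD = [
    rule("inbound", "permit", "192.0.2.10", "10.10.1.5", "tcp/20000",
         "Historian polls data concentrator"),
    rule("inbound", "deny", ANY, ANY, ANY),
    rule("outbound", "permit", "10.10.1.5", "192.0.2.20", "udp/123",
         "Time synchronization"),
    rule("outbound", "deny", ANY, ANY, ANY),
]

WEAK = [
    rule("inbound", "permit", "192.0.2.10", "10.10.1.5", "tcp/20000",
         "Historian polls data concentrator"),
    rule("inbound", "deny", ANY, ANY, ANY),
    # No reason recorded and no closing deny-all for outbound traffic.
    rule("outbound", "permit", "10.10.1.0/24", ANY, "tcp/443"),
]

INBOUND_ONLY = [r for r in GOOD if r["direction"] == "inbound"]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("WEAK", WEAK), ("INBOUND_ONLY", INBOUND_ONLY)):
        print(name, audit_eap_rules(rules) or "pass")
```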

29 CIP-005 Part Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets. High and Medium Impact BES Cyber Systems with Dial-up Connectivity and their associated: PCAs The process must identify how to authenticate the user 29

30 CIP-005 Part Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. EAPs for High Impact BES Cyber Systems EAPs for Medium Impact BES Cyber Systems at Control Centers Traffic inspection is part of requirement Multiple layers of perimeter protection If firewall fails, IDS can trigger a secondary security measure 30

31 CIP-005 Part 2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset. High Impact BES Cyber Systems and their associated PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA Cannot be located in the ESP Intermediate System serves as proxy Allows for restrictive rules Protection from vulnerabilities on remote device 31

32 CIP

33 CIP-005 Part 2.2 For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. High Impact BES Cyber Systems and their associated PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA Initiated from outside the ESP using routable Protects Confidentiality and Integrity 33

34 CIP-005 Part 2.3
Require multi-factor authentication for all Interactive Remote Access sessions.
High Impact BES Cyber Systems and their associated PCA. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated PCA
- Does not include system to system process communications
- Replaces strong technical and procedural controls
- Multi-factor is a well-known security concept:
  o Something you know
  o Something you have
  o Something you are
  o Somewhere you are

35 CIP-006 CIP-006 Physical Security of BES Cyber Systems IAC Programmatic protections Does not require detailed list of individuals with access 35

36 CIP-006 Part 1.2 Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access. Medium Impact BES Cyber Systems with External Routable Connectivity and their associated EACMS, PCA 1 physical access control Authorized unescorted physical access 36

37 CIP-006 Part 1.3 Where technically feasible, utilize two or more different physical access controls to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access. High Impact BES Cyber Systems and their associated EACMS, PCA 2 physical access controls Authorized unescorted physical access No single authenticator 37

38 CIP-006 Part 3.1 Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly. High Impact BES Cyber Systems and their associated EACMS, PCA Maintenance and testing every 24 months Includes PACS and local hardware 38

39 CIP-007 CIP-007 Systems Security Management IAC Requirement R1 Enable logical ports per device capability Devices with no capability to disable, deemed necessary Protect against use of unnecessary physical ports Physical or logical controls 39

40 CIP-007 Part A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists. IAC High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA Identification of patch sources Entity chooses source for clock start on review 40

41 CIP-007 Part At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1. High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA IAC 35 day review of applicability 41

42 CIP-007 Part
For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
IAC
High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
- Actions to mitigate vulnerabilities
- Timeframe

43 CIP-007 Part For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate. IAC High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA Plan MUST be executed as defined Extensions are allowed 43
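The patch-management timeline from the four slides above (evaluation at least every 35 calendar days, action within 35 calendar days of the evaluation, mitigation plans completed within their own timeframe unless an extension is approved), worked through as an added example that is not part of the workshop material. The record fields, patch identifiers and dates are constructed, and an approved extension is simplified to a yes/no flag.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=35)  # the 35-calendar-day limit used on both slides
PLAN_ACTIONS = ("plan_created", "plan_revised")


@dataclass
class PatchRecord:
    """One evaluated security patch (constructed fields for this example)."""
    patch_id: str
    evaluated: date                      # applicability evaluation completed
    applicable: bool
    action: Optional[str] = None         # "applied", "plan_created", "plan_revised"
    action_date: Optional[date] = None
    plan_due: Optional[date] = None      # timeframe written into the mitigation plan
    plan_done: Optional[date] = None
    extension_approved: bool = False     # by the CIP Senior Manager or delegate


def evaluation_gaps(eval_dates, as_of):
    """Return (previous, next, days) for every evaluation gap longer than 35 days."""
    points = sorted(eval_dates) + [as_of]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:]) if b - a > WINDOW]


def patch_findings(rec, as_of):
    """Check one patch against the action and mitigation-plan deadlines."""
    if not rec.applicable:
        return []
    findings = []
    deadline = rec.evaluated + WINDOW
    if rec.action is None:
        if as_of > deadline:
            findings.append(f"no action recorded; due {deadline}")
        return findings
    if rec.action_date > deadline:
        days = (rec.action_date - rec.evaluated).days
        findings.append(f"action taken {days} days after evaluation (limit 35)")
    if rec.action in PLAN_ACTIONS:
        if rec.plan_due is None:
            findings.append("mitigation plan has no timeframe")
        elif (rec.plan_done or as_of) > rec.plan_due and not rec.extension_approved:
            findings.append(f"mitigation plan overdue since {rec.plan_due}, no approved extension")
    return findings


def review(records, as_of):
    """Return {patch_id: findings} for every record with at least one finding."""
    result = {}
    for rec in records:
        found = patch_findings(rec, as_of)
        if found:
            result[rec.patch_id] = found
    return result


# Constructed sample data.
AS_OF = date(2016, 7, 1)
EVALS = [date(2016, 4, 4), date(2016, 5, 6), date(2016, 6, 15)]
RECORDS = [
    PatchRecord("P1", date(2016, 5, 6), True, "applied", date(2016, 5, 20)),
    PatchRecord("P2", date(2016, 5, 6), True, "plan_created", date(2016, 6, 14),
                plan_due=date(2016, 9, 1)),
    PatchRecord("P3", date(2016, 4, 4), True, "plan_created", date(2016, 4, 20),
                plan_due=date(2016, 6, 1)),
    PatchRecord("P4", date(2016, 4, 4), True, "plan_created", date(2016, 4, 20),
                plan_due=date(2016, 6, 1), extension_approved=True),
    PatchRecord("P5", date(2016, 5, 6), False),
    PatchRecord("P6", date(2016, 5, 6), True),
]

if __name__ == "__main__":
    print(evaluation_gaps(EVALS, AS_OF))
    for patch_id, found in review(RECORDS, AS_OF).items():
        print(patch_id, found)
```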

44 CIP-007 Part Deploy method(s) to deter, detect, or prevent malicious code. High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA IAC Describe how to address malware on BES Cyber Systems Policies System hardening White listing Traditional AV Creativity 44

45 CIP-007 Part Mitigate the threat of detected malicious code. IAC High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA How to remove the identified malicious code? Increased monitoring until removal White listing code does not run, but is still there No maximum timeframe prescribed 45

46 CIP-007 Part Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: Detected successful login attempts; Detected failed access attempts and failed login attempts; Detected malicious code. IAC High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA Minimum per Cyber Asset capability 46

47 CIP-007 Part Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability): Detected malicious code from Part 4.1; and Detected failure of Part 4.1 event logging. IAC High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity and associated EACMS and PACS and PCA Entity determines security event requiring response SIEM, text, , alarms, displays 47

48 CIP-007 Part Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents. IAC High Impact BES Cyber Systems and associated EACMS and PCA Description of review process Any findings Dates 48

49 CIP-007 Part Identify individuals who have authorized access to shared accounts. High BES Cyber Systems and associated EACMS and PACS and PCA Medium Impact BES Cyber Systems with External Routable Connectivity and associated EACMS and PACS and PCA IAC Added authorized Storing, losing, sharing passwords not a violation 49

50 CIP-007 Part Change known default passwords, per Cyber Asset capability IAC High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA Per Cyber Asset Capability Hard coded passwords 50

51 CIP-007 Part
For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
- Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
- Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
IAC
High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA

52 CIP-007 Part Where technically feasible, either: Limit the number of unsuccessful authentication attempts; or Generate alerts after a threshold of unsuccessful authentication attempts. IAC High Impact BES Cyber Systems and Medium Impact BES Cyber Systems at Control Centers and associated EACMS and PACS and PCA Reduces risk of live password cracking No set threshold Prevent false-positives 52

53 CIP-010 Configuration Change Management and Vulnerability Assessments
CIP-010 Part
Develop a baseline configuration, individually or by group, which shall include the following items:
- Operating system(s) (including version) or firmware where no independent operating system exists;
- Any commercially available or open-source application software (including version) intentionally installed;
- Any custom software installed;
- Any logical network accessible ports; and
- Any security patches applied.
IAC
High and Medium Impact BES Cyber Systems and associated EACMS and PACS and PCA
- Identifies a change management process to be invoked

54 CIP-010 Part 1.4 For a change that deviates from the existing baseline: Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change; Following the change, verify that required cyber security controls determined in are not adversely affected; and Document the results of the verification. IAC High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA CIP R1 procedures are now implicit in meeting requirement Explicitly defines CIP-005 and CIP-007 security controls No adverse effects of those controls after change 54

55 Requires review of both test and production environments Important note EACH* change If test used, describe ANY* differences If production used, method to minimize adverse effects CIP-010 Part 1.5 Where technically feasible, for each change that deviates from the existing baseline configuration: Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. High Impact BES Cyber Systems IAC 55

56 CIP-010 Part 2.1 Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes. IAC High Impact BES Cyber Systems and their associated EACMS, PCA Once a month review of malicious or intentional changes Investigate unauthorized changes 56
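A sketch of the baseline monitoring described in the CIP-010 slides above: a group baseline holding the five required items is compared with each asset's observed configuration, and deviations that no approved change record covers are reported for investigation. This is an added example, not part of the workshop material; the asset names, versions, patch identifiers and record layout are constructed.

```python
"""Compare observed configurations with a group baseline and flag unauthorized changes."""


def _diff_versions(item, base, obs):
    """Diff two {name: version} maps (application and custom software)."""
    out = []
    for name in sorted(set(base) | set(obs)):
        old, new = base.get(name), obs.get(name)
        if old == new:
            continue
        if old is None:
            out.append((item, "added", f"{name} {new}"))
        elif new is None:
            out.append((item, "removed", f"{name} {old}"))
        else:
            out.append((item, "changed", f"{name} {old} -> {new}"))
    return out


def _diff_sets(item, base, obs):
    """Diff two sets (network accessible ports, applied security patches)."""
    return ([(item, "added", v) for v in sorted(obs - base)] +
            [(item, "removed", v) for v in sorted(base - obs)])


def diff_baseline(baseline, observed):
    """Return every deviation from the baseline as (item, change, detail)."""
    changes = []
    if baseline["os"] != observed["os"]:
        changes.append(("os", "changed", f'{baseline["os"]} -> {observed["os"]}'))
    for item in ("software", "custom_software"):
        changes += _diff_versions(item, baseline[item], observed[item])
    for item in ("ports", "patches"):
        changes += _diff_sets(item, set(baseline[item]), set(observed[item]))
    return changes


def check_group(baseline, snapshots, authorized):
    """Return {asset: deviations not covered by an approved change record}."""
    report = {}
    for asset, observed in sorted(snapshots.items()):
        report[asset] = [c for c in diff_baseline(baseline, observed)
                         if (asset, *c) not in authorized]
    return report


# Constructed group baseline covering the five required items.
BASELINE = {
    "os": "VendorOS 4.2",
    "software": {"openssh": "6.4", "ntpd": "4.2.6"},
    "custom_software": {"tag-forwarder": "1.3"},
    "ports": {"tcp/22", "udp/123"},
    "patches": {"VND-2014-001"},
}

# Constructed observations for two assets in the group.
SNAPSHOTS = {
    "gw-01": dict(BASELINE),
    "gw-02": {
        **BASELINE,
        "software": {"openssh": "6.6", "ntpd": "4.2.6"},
        "ports": {"tcp/22", "tcp/23", "udp/123"},
        "patches": {"VND-2014-001", "VND-2014-002"},
    },
}

# Constructed approved change records: (asset, item, change, detail).
AUTHORIZED = {
    ("gw-02", "software", "changed", "openssh 6.4 -> 6.6"),
    ("gw-02", "patches", "added", "VND-2014-002"),
}

if __name__ == "__main__":
    for asset, unauthorized in check_group(BASELINE, SNAPSHOTS, AUTHORIZED).items():
        print(asset, unauthorized or "matches baseline or approved changes")
```

Approved changes still show up in `diff_baseline`, which is the cue to update the recorded baseline once the change is closed out.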

57 CIP-010 Part 3.1
At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA
Paper:
- network discovery - review of network connectivity to identified EAP to the ESP
- port and service identification - look for all ports and services and appropriate business justification
- vulnerability review - rule set reviews, default accounts, passwords, and network management community strings
- wireless review - a review of common wireless networks and their controls to effect BES Cyber Systems comm.

58 CIP-010 Part 3.1
At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA
Active:
- network discovery - active discovery tools for devices
- port and service identification - nmap
- vulnerability review - live vulnerability scanning tools
- wireless review - wireless scanning tools

59 CIP-010 Part 3.2 Where technically feasible, at least once every 36 calendar months: Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. High Impact BES Cyber Systems Again if test environment used, identify differences If production is used, minimize adverse effects 59

60 CIP-010 Part 3.3 Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration of the previous or other existing Cyber Asset. High Impact BES Cyber Systems and associated EACMS and PCA Active CVA for introduction of new Cyber Assets Replacements and baselines of other Cyber Assets do not count 60

61 CIP-010 Part 3.4 Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action items. High and Medium Impact BES Cyber Systems and their associated EACMS, PACS, PCA Results and Action plans of findings Define a planned date of completion and status for those findings 61

62 References Mapping Document 20Security%20Order%20706%20DL/Mapping_Document_ pdf CIP-002 CIP-005 CIP-006 CIP-007 CIP-010 ALL 1.2, 1.3, 1.4, , 1.3, , , 1.4, ,2.2, , , 2.2, 2.3, , , 4.2, ,


64 Break 15 Minute Break 64

65 Transition Study Progress & Lessons Learned 65

66 Purpose of the Transition Program Address V3 to V5 Transition issues. Provide a clear roadmap for V5 steady-state. Justifies budget for V5 implementation and compliance. Foster communication and knowledge sharing. Support all entities in the timely, effective, and efficient transition to CIP Version 5 66

67 CIP V 5 Transition Program Elements Periodic Guidance A new transition guidance will be provided after V5 Order Implementation Study 6 entities with strong compliance cultures 6-8 month implementation of V5 for certain facilities Lessons learned throughout and after study phase Compliance and Enforcement Integration with RAI Identify means and method to address self-corrective processes and internal controls Outreach & Communications New website created for all Transition Program activity Training Quarterly training opportunities will be provided to industry 67

68 Purpose of RAI
An ERO's strategic initiative to transform the current compliance monitoring and enforcement program that:
- Focuses on high reliability risk areas
- Reduces unnecessary administrative burdens
Three main goals:
- Building on the success of Find, Fix and Track (FFT)
- Design a compliance program that:
  o Recognizes an entity's risk to reliability
  o Appropriately scopes audits and applies proper audit techniques and approaches
  o Evaluates and uses management controls to gain reasonable assurance of compliance which promotes reliability
- Reduce unnecessary administrative burdens of the compliance monitoring and enforcement program on all stakeholders.

69 2013 Year End Progress Report Auditor Handbook The first version of auditor handbook was completed. Training and rollout efforts to occur in Prototypes and Pilot Programs The results to-date of pilot programs are being compiled. Evaluation criteria has been finalized The assessment timeline and 2014 deliverables are set. Improvements to Self-Reporting User guide to support improved self reporting process completed in December Request for broader industry review in January FFT Enhancements Triage process implemented across ERO by January 1, 2014 to expedite disposition of minimal risk issues. Enforcement pilots to test aggregation and exercise of enforcement discretion under way. 69

70 V5 Compliance and Enforcement Steady State
V5/RAI Key Program Elements (based on Evaluation Criteria)
- Risk Assessment
  o The Regional Entity will develop a transparent but customized compliance profile based on the Registered Entity's impact to the Grid.
  o The Risk Assessment will be shared with the Registered Entity so that they understand how they will be monitored as part of the compliance profile.
- Internal Controls Reliance
  o The Registered Entity will develop internal control practices that will be provided and reviewed by the Regional Entity.
  o The Regional Entity will evaluate the level of the entity's internal control program to tailor compliance activities in conjunction with the Risk Assessment
- Aggregation of Non-Compliance
  o Based on the level of controls reliance and the Risk Assessment, Registered Entities will be able to participate in the aggregation of non-compliance processes.
  o Moderate and serious risk non-compliance shall require self-reporting

71 Transition Study: Lesson Learned
- Substation BES Cyber Assets
- Configuration Management
- High Watermarking
- Generation BES Cyber Assets
- Migration of TFE's
- Grouping of BES Cyber Assets

72 Lesson Learned-Substations
Q: We have a control building inside a substation that is considered to be a Medium impact rating. A transformer has a port on it that provides data to the protected systems inside the control building. Would the transformer port need to be protected under the CIP Version 5 standards?
A: The transformer port would need to be examined to determine the nature of the connection. If there is any bidirectional data flow through the port, it could be vulnerable to intrusion. The port would be within the Electronic Security Perimeter of the control building systems and therefore would need to be a Protected Cyber Asset.

73 Lessons Learned-Substations Q: What exactly needs to be protected in substation yards and generation plants? We have a few devices located in the yard of a substation and are not sure if they are in scope for protection. These include: a) Transformer monitoring devices b) Distribution Relays c) Monitoring PLCs d) HMI Workstations that control non-critical assets (soot blowers, water cannon, etc.). A: In general, if a device plays a role in BES reliability or operations, or would be considered a PCA because of network connectivity, then it needs to be protected according to its impact rating (Medium or Low). It may be helpful to review the definitions of BES Cyber Asset and BES Cyber System to verify whether a device meets the criteria. A key consideration is to assess when and where generation or transmission facilities are tied together electrically, such as at a distribution interconnection point. When such facilities are tied together electrically, they need to be considered together because ties between low and high sides may mean a device could take out a transformer. Thus, with that level of impact on the high side, it is brought into scope. 73

74 Lessons Learned-Config Mgt Q: How are we going to define baseline on protected assets? CIP R1, Part 1.1 identifies five items that make up the baseline for protected assets; software/firmware versions, open source/commercially available software, custom applications, logical network accessible ports and applied security patches. What else will be part of the baseline; configuration settings (IP addresses, thresholds for the monitoring devices, etc.), or any hardware differences (such as video cards, CPUs, memory capacity etc.)? For example, if the addressing on a relay is changed, or the amount of oil in a transformer that a device is monitoring was modified, would this cause a new baseline to be created? The relay or device itself would not change, just one of its monitoring/alarm thresholds. A: The five items identified in CIP-010, R1, Part 1.1 are the minimum requirements for establishing and maintaining a baseline, and are likely to be checked during an audit. Information about hardware differences (e.g., the video card noted) may apply since it could affect installed applications and patches. Other information (e.g., IP address) may be useful but not required in the baseline configuration since it differs from node to node. While a baseline is typically considered in the context of servers and other IT equipment, it also applies to BES Cyber Assets such as relays. An example of an approach to evaluating the criticality of a BES Cyber Asset setting is to assess the impact that would result from the loss/change of that setting. 74

75 Lessons Learned-Config Mgt Q: What exactly is the definition of security patches in CIP-010-1, R1, Part R1.1.5? There are patches that are labeled as Critical, Important and Security; which of these (or any other designations) fall under the umbrella of CIP security patches? A: Requirements pertaining to security patches are addressed in the same manner as in previous versions of the CIP standards. The concept is to distinguish security patches from functionality patches. The standards are focused on security patches, however that description is communicated by the vendor. Words like critical, important or security are likely good indicators that a patch may be introducing more than simply new functionality. Also be aware that patches themselves may address multiple types of issues, and many (and perhaps most) vendors will not label a patch as being limited to security issues. That is especially true for an appliance type update, which could include security functions within it. 75

76 Lessons Learned-Grouping of BCAs BES Cyber Assets are grouped into BES Cyber Systems based primarily on which BES Cyber Assets together perform a common function. For example, an EMS BES Cyber System may consist of a number of human machine interface workstations, communications servers, processing servers, and database servers. In order for BES Cyber Systems to be properly categorized according to the impact levels in Attachment A of CIP-002-5, grouping should be based on the primary use of the BES Cyber Assets. The inventory list developed through this process should indicate the identified groupings. While not required, a name for each individual BES Cyber System may be assigned for reference when demonstrating compliance for the remainder of the requirements of the CIP Version 5 standards. A reason (or reason code) to document the rationale for the grouping would also be beneficial. 76

77 Lessons-Learned Scheduling Systems
Some Registered Entities use automated systems to schedule transmission interchanges (also known as e-tags) within their Balancing Authority Area, or with other entities. Entities will need to analyze these systems to determine if they are a BES Cyber System.
From a real-time operations perspective, BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.
Assuming the data associated with the scheduling system is rendered unavailable, degraded, or misused, determine how this could affect reliability functions such as, but not limited to:
- Area Control Error calculations and their use
- Automatic Generation Control operation
- Available Transfer Capability calculations and their use
- Net Scheduled Interchange calculations and their use
- Identification and monitoring of System Operating Limits and Interconnection Reliability Operating Limits
- Identification and monitoring of Flowgates
- Current and next-day planning

78 Website Updates
Implementation-Study.aspx

79 Effective Dates for Version 5
CIP Version 5 Effective Dates

Requirement | Effective Date
Effective Date of Standard | April 1, 2016

Requirement-Specific Effective Dates
CIP R2 | April 1, 2016
CIP R1 | April 1, 2016
CIP R2 for medium and high impact BES Cyber Systems | April 1, 2016
CIP R2 for low impact BES Cyber Systems | April 1, 2017
CIP Part 4.4 | April 15, 2016
CIP Part 2.1 | May 6, 2016
CIP Part 4.2 | July 1, 2016
CIP Part 2.3 | April 1, 2017
CIP Part 4.3 | April 1, 2017
CIP Part 4.4 | April 1, 2017
CIP Part 3.1 | April 1, 2017
CIP Part 2.1 | April 1, 2017
CIP Part 2.1 | April 1, 2017
CIP Part 2.2 | April 1, 2017
CIP Part 3.1 | April 1, 2017
CIP Part 2.3 | April 1, 2018
CIP Part 3.2 | April 1, 2018
CIP Part 3.5 | Within 7 years after previous Personnel Risk Assessment

80 CIP V5 Revisions and RAI Timeline


82 Standards Drafting Progress

83 Project Overview
- Standards Development Web Page: Critical-Infrastructure-Protection-Version-5-Revisions.aspx
- SAR Posted & Comment Period complete
- SAR revisions in progress
- Technical Conferences January 21 & 23, 2014, Atlanta & Phoenix
- Summary Posted on Related Files page
- First SDT meeting complete February 19-21, 2014, NERC DC Office

84 SDT
- Ten member team
- Four previous team members
- Two Co-Chairs
- Large group of observers
- Meetings run similar to last SDT (V2-V5)
- Teleconference capability
- Observer participation
- Small group assignments
- Very large plus list for communication
- Meeting schedule mapped out through June
- First posting in June

85 SDT
- Four focused teams
- Teams charged with the four directives from FERC Order
- Two SDT members plus observers
- Two hour focused phone calls per week in between face-to-face meetings
- Results discussed at face-to-face meetings
- Goal of addressing all four directives by end of

86 Directives Identify, Assess & Correct (IAC) Language
- One-year response to directive
- Team consensus to remove language
- Reviewing previous V5 draft language to determine if/what requirements language updates needed
  o E.g., action plans
- Considering additional guidance language
- Coordination with Compliance and Enforcement departments

87 Directives Low Impact
- No timeframe on response to directive
- Requirements need to contain objective criteria and be auditable
- Considering impact on implementation schedule
- Coordination with IAC language work

88 Directives Communications Network
- One-year response to directive
- Definition and requirements
- Close gap identified by FERC when communications network clause was removed from definition of Cyber Asset
- Utilize NIST SP and ISO language (referenced in FERC Order)

89 Directives Transient Devices
- No timeframe on response to directive
- Looking at Maintenance Device work done by previous SDT
- Six specific issues discussed in FERC Order
- Considering either new requirements or modification to existing requirements
- Considering impact on implementation schedule

90 Project Schedule
Proposed Timeline for the Project Standard Drafting Team (SDT)

Anticipated Date | Location | Event
1/15/ | | SC Authorizes SAR
1/29/ | | SC Appoints Standards Drafting Team
2/19/2014-2/21/2014 | Washington, DC | SDT Meeting
3/18/2014-3/20/2014 | Sacramento, CA | SDT Meeting
4/22/2014-4/24/2014 | TBD | SDT Meeting
5/12/2014-5/14/2014 | TBD | SDT Meeting
6/2/ | | First 45-Day Comment Period & Ballot Opens
7/17/ | | First 45-Day Comment Period & Ballot Closes
8/29/ | | Second 45-Day Comment Period & Ballot Opens
10/13/ | | Second 45-Day Comment Period & Ballot Closes
10/31/ | | Final Ballot Opens
11/10/ | | Final Ballot Closes
11/13/ | | Presentation to NERC Board of Trustees for Adoption
12/31/ | | NERC Files Petition with the Applicable Governmental Authorities

91 91

NERC-Led Technical Conferences

NERC-Led Technical Conferences NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA Project 2016-02 Modifications to CIP Standards Technical Conference April 19, 2016 Atlanta, GA Agenda Welcome Steven Noess NERC Antitrust Compliance Guidelines and Public Announcement* - Al McMeekin Logistics

More information

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014 Critical Infrastructure Protection (CIP) Version 5 Revisions Standard Drafting Team Update Industry Webinar September 19, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

Summary of FERC Order No. 791

Summary of FERC Order No. 791 Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES 002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission

More information

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014 Technical s and s CIP Version 5 Standards Version: June 13, 2014 This document is designed to convey lessons learned from NERC s various activities. It is not intended to establish new requirements under

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-6 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

A. Introduction. Page 1 of 22

A. Introduction. Page 1 of 22 The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

CIP Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-5 3. Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System Application description 04/2017 NERC CIP Compliance Matrix of RUGGEDCOM RUGGEDCOM https://support.industry.siemens.com/cs/ww/en/view/109747098 Warranty and Liability Warranty and Liability Note The Application

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Physical Security Reliability Standard Implementation

Physical Security Reliability Standard Implementation Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,

More information

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Security Management Controls. A. Introduction CIP-003-7 - Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-7 3. Purpose: To specify consistent and sustainable security

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Standard Development Timeline

Standard Development Timeline CIP-003-67(i) - Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Critical Cyber Asset Identification Security Management Controls

Critical Cyber Asset Identification Security Management Controls Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.

More information

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018 Industry Webinar Project 2018-02 Modifications to CIP-008 Cyber Security Incident Reporting November 16, 2018 Agenda Presenters Standard Drafting Team NERC Staff - Alison Oswald Administrative Items Project

More information

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Project Modifications to CIP Standards

Project Modifications to CIP Standards Project 2016-02 Modifications to CIP Standards Virtualization and other Technology Innovations Presenters Jay Cribb, Southern Company Steve Brain, Dominion Energy Forrest Krigbaum, Bonneville Power Administration

More information

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

CIP Cyber Security Security Management Controls. Standard Development Timeline

CIP Cyber Security Security Management Controls. Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Lesson Learned CIP Version 5 Transition Program

Lesson Learned CIP Version 5 Transition Program Lesson Learned CIP Version 5 Transition Program CIP-002-5: BES Cyber Assets Version: December 7, 2015 This document is designed to convey lessons learned from NERC s various CIP version 5 transition activities.

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-5 3. Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in

More information

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Do not use this form for submitting comments. Use the electronic form to submit

More information

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Compliance Exception and Self-Logging Report Q4 2014

Compliance Exception and Self-Logging Report Q4 2014 Agenda Item 5 Board of Trustees Compliance Committee Open Session February 11, 2015 Compliance Exception and Self-Logging Report Q4 2014 Action Information Introduction Beginning in November 2013, NERC

More information

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Cyber Security Reliability Standards CIP V5 Transition Guidance: Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP-006-4c Cyber Security Physical Security

Standard CIP-006-4c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security

More information

Cyber Security Standards Drafting Team Update

Cyber Security Standards Drafting Team Update Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-6 3. Purpose: To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating System

NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating System Application description 03/2017 NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating RUGGEDCOM ROX II https://support.industry.siemens.com/cs/ww/en/view/109745671 Warranty and Liability Warranty and

More information

CIP Cyber Security Information Protection

CIP Cyber Security Information Protection A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-2 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

Standard Development Timeline

Standard Development Timeline CIP 003 7 Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard

More information

Modifications to TOP and IRO Standards

Modifications to TOP and IRO Standards Modifications to TOP and IRO Standards Jason Smith, Southwest Power Pool Industry Webinar July 22, 2016 NERC Antitrust Guidelines It is NERC's policy and practice to obey the antitrust laws to avoid all

More information

CIP Cyber Security Security Management Controls

CIP Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-6 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and

More information

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Purpose. ERO Enterprise-Endorsed Implementation Guidance Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 Requirement R1: Impact Rating of Generation Resource Shared BES Cyber Systems Version: January 29, 2015 Authorized by the Standards Committee

More information

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016 Supply Chain Cybersecurity Risk Management Standards Technical Conference November 10, 2016 Agenda Opening remarks Review conference objectives and ground rules Standards project overview Discuss draft

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-1 3. Purpose: Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s)

More information

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC Standard Requirement Requirement Text Measures ConsoleWorks

More information

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016 Project 2016-02 CIP Modifications Webinar on Revisions in Response to LERC Directive August 16, 2016 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice to obey the antitrust

More information

Draft CIP Standards Version 5

Draft CIP Standards Version 5 Technical Webinar Part 1 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 15, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5

Standard CIP-006-3c Cyber Security Physical Security

A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security

Reliability Standard Audit Worksheet 1

CIP-007-6 Cyber Security System Security Management This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR Number: Compliance

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

CIP Standards Development Overview

CSSDTO706 Meeting with FERC Technical Staff July 28, 2011 Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 2 Project 2008-06 Overview FERC Order 706 SDT

requirements in a NERC or Regional Reliability Standard.

A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-1 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

Critical Infrastructure Protection Version 5

Tobias Whitney, Senior CIP Manager, Grid Assurance, NERC Compliance Committee Open Meeting August 9, 2017 Agenda Critical Infrastructure Protection (CIP) Standards

Standard Development Timeline

CIP-002-6 Cyber Security BES Cyber System Categorization Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the

CIP Cyber Security Recovery Plans for BES Cyber Systems

A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

Standards Authorization Request Form

When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces

NB Appendix CIP NB-0 - Cyber Security Personnel & Training

This appendix establishes modifications to the FERC approved NERC standard CIP-004-5.1 for its specific application in New Brunswick. This appendix must be read with CIP-004-5.1 to determine a full understanding

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables

Frequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015

This document is designed to provide answers to questions asked by entities as they transition to

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

Version 5 Critical Infrastructure Protection Reliability Standards ) ) Docket No. RM13-5- INFORMATIONAL FILING OF THE NORTH AMERICAN

1. SAR posted for comment (March 20, 2008). 2. SC authorized moving the SAR forward to standard development (July 10, 2008).

Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

Breakfast. 7:00 a.m. 8:00 a.m.

Opening Announcements NERC 2015 Standards and Compliance Spring Workshop April 3, 2015 NERC Antitrust Compliance Guidelines It is NERC's policy and practice to obey the antitrust

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)

Project CIP Modifications

Project 2016-02 CIP Modifications Webinar on Standard Drafting Team Considerations for the Use of Virtualization in the CIP Environment April 18, 2017 Administrative Items NERC Antitrust Guidelines It

CIP Cyber Security Recovery Plans for BES Cyber Systems

A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-5 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

CIP Standards Development Overview

CSSDTO706 Meeting with Industry Representative August 16-18 NERC Atlanta Office Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 August 16-18 CSO706SDT

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

Standard Development Timeline

CIP-002-6 Cyber Security BES Cyber System Categorization Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the

Lesson Learned CIP Version 5 Transition Program

CIP-002-5: BES Cyber Assets Version: September 9, 2015 This document is designed to convey lessons learned from NERC's various CIP version 5 transition activities.

CIP V5 Implementation Study SMUD's Experience

Tim Kelley October 16, 2014 Powering forward. Together. SMUD Fast Facts General Information SMUD employs approximately 2,000 individuals Service area of 900