Access Control and CIP 10/20/2011

Transcription

1 Access Control and CIP 10/20/2011

2 Agenda Access Control Requirements Impact on Entities Risk Discussion Response Discussion Future pursuit 2 RELIABILITY ACCOUNTABILITY

3 Let s Talk CIP 3 RELIABILITY ACCOUNTABILITY

4 The CIP You Know Critical Assets Bulk Electric System CCA s Covered by CIP Critical Cyber Assets Other Cyber Assets Covered by CIP 4 RELIABILITY ACCOUNTABILITY

5 The CIP You Thought You Knew Bulk Electric System CCA s Covered by CIP Critical Assets Critical Cyber Assets Sufficiency Reviews / CIP V4 Attachment 1 CIP V4 / V5 changes BES Definition Changes RFI on essential / CIP V5 changes Other Cyber Assets Covered by CIP 5 RELIABILITY ACCOUNTABILITY

6 The CIP You Don t Know Critical Assets Bulk Electric System CCA s Covered by CIP Critical Cyber Assets Other Cyber Assets Covered by CIP 6 RELIABILITY ACCOUNTABILITY

7 Access Control Requirements 7 RELIABILITY ACCOUNTABILITY

8 Access Control CIP-003 R5 Requirement language: R5. Access Control The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information. R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. 8 RELIABILITY ACCOUNTABILITY

9 Access Control CIP-003 R5 CIP-004 R4 Requirement language: R4 Access The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets. 9 RELIABILITY ACCOUNTABILITY

10 Access Control Physical Security Perimeter Critical Assets Bulk Electric System Access Control Electronic Security Perimeter CCA s Covered by CIP Critical Cyber Assets Other Cyber Assets Covered by CIP 10 RELIABILITY ACCOUNTABILITY

11 Access Control CIP-003 R5 CIP-004 R4 CIP-005 R1.5, R2 Requirement language: R1.5. Cyber Assets used in the access control and /or monitoring of the Electronic Security Perimeter(s) 11 RELIABILITY ACCOUNTABILITY

12 Access Control CIP-003 R5 CIP-004 R4 CIP-005 R1.5, R2 CIP-006 R1 R6 all Requirement language: R2. Protection of Physical Access Control Systems Cyber Assets that authorize and /or log access to the Physical Security Perimeter(s) 12 RELIABILITY ACCOUNTABILITY

13 Impact on Entities 13 RELIABILITY ACCOUNTABILITY

14 Impact of Requirements Assets Physical Protection Electronic Protection Lists of individual access Information Physical Protection Electronic Protection Lists of individuals who control access People Qualifications for access (PRA / Training) Approval for access Removal of access 14 RELIABILITY ACCOUNTABILITY

15 Risk Discussion 15 RELIABILITY ACCOUNTABILITY

16 Risks 1 Million Dollars a day per day - per violation 16 RELIABILITY ACCOUNTABILITY

17 Risks Standards with Access Control Requirements 17 RELIABILITY ACCOUNTABILITY

18 Risks Information Assets 18 RELIABILITY ACCOUNTABILITY

19 Risks Everything is an island 19 RELIABILITY ACCOUNTABILITY

20 Response Discussion 20 RELIABILITY ACCOUNTABILITY

21 Response ACAT Avoid Control Accept Transfer 21 RELIABILITY ACCOUNTABILITY

22 Response Everything is an island Build Bridges 22 RELIABILITY ACCOUNTABILITY

23 Response Risk Control Project Goals Active Policy Enforcement Reduce Compliance Risk Increase Situational Awareness 23 RELIABILITY ACCOUNTABILITY

24 Response Reduce Compliance Risk Unique Id Simplify quarterly review Reduce human performance errors Increase Situational Awareness Employee actions Training records PRA records Reporting Active Policy Enforcement Trigger Notification Disable physical access Disable cyber access 24 RELIABILITY ACCOUNTABILITY

25 Response Connections: Corporate HR Corporate LMS 3 rd party PRA Operations Tech Directory Services Network Auth Physical Security App Proprietary DB Operations Tech Test Systems 25 RELIABILITY ACCOUNTABILITY

26 Future Pursuits 26 RELIABILITY ACCOUNTABILITY

27 Future Control Center Implementation Increased awareness of events o Operator authentication o Operator multiple physical locations o Operator log on duration Increased inputs to include system events and awareness data feeds 27 RELIABILITY ACCOUNTABILITY

28 Future Field Implementations Substation environments Gen station environments Non-CIP FERC regulations Natural Gas facilities 28 RELIABILITY ACCOUNTABILITY

29 Future Everything is an island 29 RELIABILITY ACCOUNTABILITY

30 Future 30 RELIABILITY ACCOUNTABILITY

31 Future 31 RELIABILITY ACCOUNTABILITY

32 Future 32 RELIABILITY ACCOUNTABILITY

33 Questions 33 RELIABILITY ACCOUNTABILITY