Lesson Learned CIP Version 5 Transition Program


CIP-002-5: BES Cyber Assets
Version: September 9, 2015

This document is designed to convey lessons learned from NERC's various CIP version 5 transition activities. It is not intended to establish new requirements under NERC's Reliability Standards, to modify the requirements in any existing reliability standards, nor to provide an Interpretation under Section 7 of the Standard Processes Manual. Additionally, there may be other legitimate ways to fulfill the obligations of the requirements that are not expressed within this supporting document. Compliance will continue to be determined based on language in the NERC Reliability Standards as they may be amended from time to time. Implementation of this lesson learned is not a substitute for compliance with requirements in NERC's Reliability Standards.

Purpose

The foundational definition for the CIP version 5 Reliability Standards is Cyber Assets. When Cyber Assets meet a threshold of BES impact they become BES Cyber Assets (BCA), which may be grouped by Responsible Entities into BES Cyber Systems (BCS). In Order 791, the Commission identified that the definition of BCA is intended to capture assets involved in real-time operations, such as systems that provide input to an operator for real-time operations or trigger automated real-time operations. This lesson learned document provides examples of approaches used by Implementation Study participants[1] to identify BES Cyber Assets. Participants found that the definitions of Cyber Assets and BES Cyber Assets cover an extremely broad range of sophistication and capability, from server farms running control centers to a printed circuit board in a smart pressure transmitter. There is a level of sophistication or capability below which many of the cyber security controls can no longer be applied. The participants therefore used a risk-based approach in determining their Cyber Assets and resulting BES Cyber Assets.

Guidance

Study participants used various methods to identify their BES Cyber Systems and the adverse impact due to unavailability, degradation, or misuse. Some study participants assessed each functional system at a site or facility to determine its potential to adversely impact the BES in 15 minutes or less. If there was a 15-minute impact, then the individual Cyber Assets associated with that functional system were evaluated for impact. After all functional systems were assessed, all associated Cyber Assets with a 15-minute-or-less adverse impact were grouped into BES Cyber Systems. These BES Cyber Systems would then be evaluated according to the impact rating criteria identified in CIP-002-5 Requirement R1, Attachment 1. Other study participants identified all Cyber Assets, grouped them into BES Cyber Systems, and evaluated the impact of the resulting system.

As described below, study participants considered the device's functions and capabilities to determine whether a device was a BCA, another type of Cyber Asset within the CIP Reliability Standards[2], or out of scope of the standards.

Function: Did the device's function directly impact the reliable operation of a BES asset? For example, a protective relay's function is to constantly monitor conditions and operate breakers to protect BES assets. A vibration monitoring system on a generating unit may be configured to trip the unit offline if certain critical equipment's vibration exceeds defined thresholds. These are direct impacts. Other devices, such as data historians or digital fault recorders, only monitor and/or record information and have no direct impact.

Impact Timeframe: Was the impact within 15 minutes or less? As stated in the BES Cyber Asset survey filed with FERC[3], certain devices and systems may have an impact on the reliable operation of a BES asset, but the impact's timeframe is not real time and instead allows sufficient time for operations processes to respond to avoid sudden BES disturbances and resulting Adverse Reliability Impacts. An example is a fuel handling system at a coal-fired plant that loads the bunkers inside the plant. Any impact to the fuel handling system does not affect generation within 15 minutes, as the bunkers usually hold many hours of coal supply inside the plant.

Security Function: Did the device function as an EACMS, PACS, or Intermediate System? These types of devices, such as firewalls, intrusion prevention systems, or physical access controllers, and others that perform security functions may indeed have an adverse impact if they are unavailable or misused to allow unauthorized access or deny authorized electronic or physical access, but it is an indirect impact. These devices have their own definitions and requirements in the CIP version 5 Reliability Standards and therefore are not considered BCAs due solely to their impact.

Communication Function[4]: Did network devices or other devices involved in communications affect the reliability of the BES asset within 15 minutes, considering the nature and impact of the communications they host? For example, a network switch that directly connects BCAs to each other and is integral to the ability of those BCAs to perform their reliability function within an Electronic Security Perimeter (ESP) was assessed to be a BCA. However, an identical network switch used outside of an ESP to connect devices to Wide Area Network (WAN) communications equipment may not be a BCA.

Connection Duration: Was the device's ability to impact the BES limited by the temporary or transient nature of its connectivity? A device that is connected to a BCS or within an ESP for 30 consecutive calendar days or less and used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes is not a BCA[5]. Examples include a laptop used by support personnel or a configuration/calibration handset.

Capability: The participants recognized that the CIP standard definitions do not address the level of sophistication or capability of programmable electronic devices, nor do they define the term "programmable". The reliability risk from a cyber perspective posed by a device is often tied to the level of sophistication or capability of that device. Does the device have a level of cyber capability or functionality for which the cyber security controls would be applicable? The risk and potential impact from a compromised operator human-machine interface (HMI) is typically much higher than from a single miscalibrated instrument. There are devices that may have an impact but have no way to change their executing code, have no concept of a user or authentication, have no ports/services, have no network connectivity, no concept of event logs or alerting, no patches or updates, or are located in areas where physical security perimeters cannot be established. For these devices, the ERO will allow (for the purposes of assessing compliance with the standards) Responsible Entities to only protect those devices to the extent capable. However, the upstream devices to which they connect (e.g., PCs, servers, distributed control system (DCS) controller modules, programmable logic controllers (PLC)) often do have sufficient capability, are clearly Cyber Assets, and were considered as BCAs and afforded CIP protections based on their BES impact categorization.

For example, some study participants set the scope to be evaluated as those devices that have a microprocessor and can accept firmware, software, or logic. Additionally, devices that had a physical or wireless port or a web interface that can be used to flash firmware were considered as Cyber Assets by these study participants and evaluated as BES Cyber Assets. Conversely, generating plants have many instruments and actuators that measure temperatures, pressures, or flows, or actuate valves, and that may be digitally calibrated or configured locally through an interface of some kind (e.g., keypad or handheld configurator); these were considered examples of non-programmable devices by some study participants. However, the controllers to which they were connected (e.g., PLCs, DCS controllers) were considered Cyber Assets and evaluated as BES Cyber Assets. Similarly, substations typically have numerous remote input/output (I/O) modules that allow several copper-wire-based signals to be consolidated and brought into the control house over a single fiber optic cable. These modules may have internal firmware, but there is no field-accessible way to modify the program, as configuration is performed using a local DIP switch or the device requires field disassembly; these too were considered examples of non-programmable devices by some study participants.

The BES Cyber Asset survey provided several examples of devices considered to be Cyber Assets and included for evaluation as BCAs by study participants. As stated in the survey from the NERC comments to the Order 791 Notice of Proposed Rulemaking (NOPR), because there are differences in the way certain Cyber Assets are used across the BES, a determination of whether a particular Cyber Asset meets the definition of a BES Cyber Asset necessarily depends upon the individual facts and circumstances of how an entity uses the Cyber Asset (i.e., the functions of the Cyber Asset and the Facilities, systems, or equipment it supports). In response to the survey, the participants identified the following Cyber Asset types at Control Centers, Transmission Stations/Substations, and Generation Plants that would typically be evaluated as BES Cyber Asset(s) because these devices may affect the BES within 15 minutes (ref. Table 1):

Table 1: Cyber Assets Typically Identified as BES Cyber Assets

Control Centers:
- Application servers
- Data servers
- HMI workstations
- Data acquisition
- Data interchange
- Computer networking
- Communication processing
- Precision time device

Transmission Station/Substation:
- Intelligent Electronic Device (IED) / protective relay
- Remote Terminal Unit (RTU)
- Programmable Logic Controller (PLC)
- Data concentrator
- Meter / indicator
- Tap changer
- HMI workstation
- Computer networking
- Communications processing

Generation Plants:
- Programmable Logic Controller (PLC)
- Distributed Control System (DCS)
- HMI workstation
- Application server
- Data server
- Computer networking
- Intelligent Electronic Device (IED) / relay
- Remote Terminal Unit (RTU)

Examples of devices that may or may not be Cyber Assets but were evaluated and determined not to be a BCA by some study participants included the following types of devices:
- A solid state relay that allows the user to set when the relay will operate but not how the relay operates.
- A HART (Highway Addressable Remote Transducer) compatible smart pressure transmitter.
- A HART compatible smart actuator for a final control element, such as a control valve or damper.
- A handheld HART configurator (the 30-day connection exclusion normally applies to these devices).
- Output-only/sealed devices.
- Media converters (i.e., copper-to-fiber converters) and remote I/O modules.

Documenting the Rationale Used to Identify BCAs and non-BCAs

As part of the Implementation Study, participants identified that documenting the approaches they used to evaluate devices, to determine which were identified as BCAs and which were not, helped to create a repeatable process. Additionally, documenting the methodology assisted when explaining to the regional auditors and the NERC Implementation Study team why certain devices were determined not to meet the threshold of a BCA. Study participants also chose to document their rationale by either BES Cyber System, groups of similar devices, or device class to reduce the effort required.

Observation

Study participants noted that the CIP version 5 Reliability Standards did not sufficiently define the "programmable electronic device" component of the BCA NERC Glossary term, and the considerations provided in this lesson learned helped the study participants to assess and identify their Cyber Assets.

Relevant NERC Glossary Terms

BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

BES Cyber System: One or more BES Cyber Assets logically grouped by a Responsible Entity to perform one or more reliability tasks for a functional entity.

Cyber Assets: Programmable electronic devices, including the hardware, software, and data in those devices.

Footnotes
[1] Ref. Implementation Study Final Report.
[2] E.g., Protected Cyber Asset (PCA), Electronic Access Control or Monitoring Systems (EACMS), Physical Access Control Systems (PACS).
[3] Ref.
[4] A Communications and Networking Cyber Assets lesson learned document is currently being drafted.
[5] Ref. Definition of BES Cyber Asset in the NERC Glossary of Terms and as used in the CIP version 5 Reliability Standards.

Peachtree Road NE, Suite 600, North Tower, Atlanta, GA
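As an added illustration (not part of the NERC document and not an ERO-endorsed or study-participant method), the following Python walks a constructed plant inventory through the considerations above in the order the text presents them (programmability, security function, connection duration, direct impact, 15-minute timeframe). Its one non-trivial piece is the connection-duration check: rather than trusting a "transient" label, it computes the longest run of consecutive calendar days from recorded connection sessions, so a maintenance laptop that was left plugged in for 45 days loses the 30-day exclusion and is evaluated like any other Cyber Asset. The Device attributes, the inventory, and the category labels are assumptions made for this example; the 15-minute and 30-day thresholds are the ones in the BES Cyber Asset definition.

```python
"""Walk a constructed asset inventory through the BCA considerations.

Added example; the device model and category labels are assumptions,
not NERC terms or study-participant output.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

TRANSIENT_MAX_DAYS = 30   # "30 consecutive calendar days or less" (BCA definition)
IMPACT_MAX_MINUTES = 15   # "within 15 minutes" (BCA definition)


@dataclass
class Session:
    """One period a device was directly connected inside an ESP or to a BCA.
    Both dates are inclusive calendar days."""
    start: date
    end: date


@dataclass
class Device:
    name: str
    programmable: bool                 # microprocessor that accepts firmware, software or logic
    direct_impact: bool                # its function directly affects operation of a BES asset
    impact_minutes: Optional[int]      # minutes until unavailability/misuse affects the BES; None: never
    security_function: Optional[str] = None   # "EACMS", "PACS" or "Intermediate System"
    transient_purpose: bool = False    # data transfer, vulnerability assessment, maintenance, troubleshooting
    sessions: List[Session] = field(default_factory=list)


def longest_consecutive_days(sessions: List[Session]) -> int:
    """Longest run of consecutive calendar days covered by chained sessions.

    A session starting no later than the day after the current run ends
    extends the run (overlaps included); a gap of one full calendar day
    starts a new run. This is the count the 30-day exclusion turns on.
    """
    if not sessions:
        return 0
    ordered = sorted(sessions, key=lambda s: s.start)
    run_start, run_end = ordered[0].start, ordered[0].end
    best = 0
    for s in ordered[1:]:
        if s.start <= run_end + timedelta(days=1):
            run_end = max(run_end, s.end)
        else:
            best = max(best, (run_end - run_start).days + 1)
            run_start, run_end = s.start, s.end
    return max(best, (run_end - run_start).days + 1)


def classify(dev: Device) -> Tuple[str, str]:
    """Apply the considerations in the order the text presents them and
    return (category, rationale). Category strings are local labels."""
    if not dev.programmable:
        return ("not a Cyber Asset",
                "no field-accessible way to change executing code; protect the upstream controller")
    if dev.security_function:
        return (dev.security_function,
                "performs a security function; own CIP requirements, not a BCA on impact alone")
    if dev.transient_purpose and longest_consecutive_days(dev.sessions) <= TRANSIENT_MAX_DAYS:
        days = longest_consecutive_days(dev.sessions)
        return ("transient Cyber Asset",
                f"connected {days} consecutive days for a listed purpose; 30-day exclusion applies")
    if not dev.direct_impact or dev.impact_minutes is None:
        return ("Cyber Asset, not BCA", "monitors or records only; no direct impact on a BES asset")
    if dev.impact_minutes > IMPACT_MAX_MINUTES:
        return ("Cyber Asset, not BCA",
                f"impact arrives after {dev.impact_minutes} minutes; operations can respond")
    return ("BES Cyber Asset",
            "direct impact within 15 minutes; group into a BCS and rate it under Attachment 1")


def sample_inventory() -> List[Device]:
    """Constructed inventory for a generating plant (not data from the study)."""
    return [
        Device("protective relay", True, True, 0),
        Device("fuel handling PLC", True, True, 240),
        Device("data historian", True, False, None),
        Device("ESP firewall", True, True, 0, security_function="EACMS"),
        Device("HART pressure transmitter", False, True, 0),
        Device("vendor laptop (two site visits)", True, True, 5, transient_purpose=True,
               sessions=[Session(date(2015, 9, 1), date(2015, 9, 5)),
                         Session(date(2015, 9, 20), date(2015, 9, 24))]),
        # Same laptop class, but left connected across three back-to-back sessions (45 days).
        Device("vendor laptop (left connected)", True, True, 5, transient_purpose=True,
               sessions=[Session(date(2015, 7, 1), date(2015, 7, 15)),
                         Session(date(2015, 7, 16), date(2015, 7, 31)),
                         Session(date(2015, 8, 1), date(2015, 8, 14))]),
    ]


if __name__ == "__main__":
    for dev in sample_inventory():
        category, why = classify(dev)
        print(f"{dev.name:34s} -> {category}: {why}")
```

The order of the checks matters: the security-function and connection-duration tests come before the impact tests, mirroring the text's point that an EACMS or a transient laptop may well have a 15-minute impact yet is handled under its own provision rather than as a BCA. Keeping the rationale string beside each result is the "document the rationale" practice the study participants describe, applied per device class.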

Industry Comments and NERC Responses - Draft Posted September 9, 2015; Comments Received October 16, 2015

CIP-002-5: BES Cyber Assets

General Comments

1. Wisconsin Electric: Wisconsin Electric supports the feedback comments submitted by the Edison Electric Institute on the BES Cyber Assets Lesson Learned document posted for comments on September 9, 2015.

2. MEAG Power: MEAG Power supports the comments submitted by EEI.

3. EEI: The observation section acknowledges that the standards do not define "programmable electronic devices". As noted above, to change the standard language requires a standard revision project. We understand that this issue is to be referred to standard development for assessment and revision consideration. Inclusion of such referral information would be useful to add to the Observation section. Alternatively, if it is decided that the Lesson Learned document is not the appropriate form to convey the referral information, NERC should communicate in some other form with stakeholders the issues being referred for standards development consideration.

4. Exelon: Exelon supports the BES Cyber Assets lesson learned document in general, but notes a few key areas in need of adjustment.

Specific Comments

5. Dominion Power:

Under the Guidance section: "meter / indicator" are included in the list of BCAs typically identified at substations. Meter / indicator types of devices don't perform control functions and do not impact the reliability of the BES within 15 minutes. Further, related to the criteria described in the following paragraph, they are not sophisticated, do not present a high risk or potential impact from compromise, and "have no way to change their executing code, have no concept of a user or authentication, have no ports/services, have no [or minimal] network connectivity, no concept of event logs or alerting, no patches or updates, [and/]or are located in areas where physical security perimeters cannot be established." Recommend removing the term or adding clarity for the inclusion.

Under the Guidance section: "The reliability risk from a cyber perspective posed by a device is often tied to the level of sophistication or capability of that device." Consideration should be given for the level of cyber capability or functionality of the device such that an appropriate level of cyber security controls could be determined and applied.

Under the Guidance section: "The risk and potential impact from a compromised operator human-machine interface (HMI) is typically much higher than a single miscalibrated instrument. There are devices that may have an impact, but have no way to change their executing code, have no concept of a user or authentication, have no ports/services, have no network connectivity, no concept of event logs or alerting, no patches or updates, or are located in areas where physical security perimeters cannot be established." Add language to the lesson learned document to more directly link the level of cyber capability or functionality of the device to an appropriate level of cyber security controls.

6. ACES:

In the Purpose section of the Lessons Learned, it states, "The participants therefore used a risk-based approach in determining their Cyber Assets and resulting BES Cyber Assets." Nowhere in the requirements does it state or suggest that entities are to use a risk-based approach in identifying BES Cyber Assets. Does this statement lead auditors to now ask entities, "Did you use a risk-based approach in identifying your Cyber Assets?" Is there a risk to an entity if the answer is "No"? The introduction of a reference to a risk-based approach at this late time could provide uncertainty as to how it should be implemented, and we suggest removal of the concept altogether.

Throughout the Lessons Learned, it is written that a cyber asset can have a direct impact or an indirect impact to the BES in 15 minutes. The introduction of an indirect impact, which is an impact that could affect the BES within 15 minutes but is not considered in scope as a BES Cyber Asset, is a new concept and outside the language of the requirements. We recommend these references be removed from the document. Likewise, does the introduction of six criteria (Function, Impact Timeframe, Security Function, Communication Function, Connection Duration and Capability) create an indirect set of requirements by having to identify potential cyber assets by these criteria? Where are these criteria mentioned in the requirements? Do these criteria provide an auditor talking points to an entity as to how or why the entity did not use the criteria to group potential cyber assets? We recommend these references be removed from the document.

In the Communication Function section, it states, "For example, a network switch that directly connects BCAs to each other and is integral to the ability of those BCAs to perform their reliability function within an Electronic Security Perimeter (ESP) were assessed to be a BCA." Why wouldn't this asset be considered a Protected Cyber Asset instead of a BES Cyber Asset? Is this another example of a direct impact or risk-based approach? We recommend these references be removed from the document. Some consideration or guidance in the document should have addressed how the Implementation Study identified these BES Cyber Assets into BES Cyber Systems. BES Cyber Systems is a requirement for BES Cyber Assets and should be mentioned as a primary consideration for identifying BES Cyber Assets. Is there a risk-based approach to grouping BES Cyber Assets into BES Systems?

7. EEI:

For the reasons listed below, we strongly recommend the removal of the following sentence in the second paragraph on page 3: "For these devices, the ERO will allow (for the purposes of assessing compliance with the standards) Responsible Entities to only protect those devices to the extent capable." If this sentence is not removed then we do not support it going forward to the Standards Committee for approval under Section 11.

1. The sentence modifies and extends the scope of CIP. As clearly provided in the disclaimer, the lesson learned should not establish new requirements, modify the requirements, or provide an interpretation. The combination of this sentence with the language in the sentence before it that refers to "devices that may have an impact, but have no way to change their executing code" suggests that a non-programmable device should be treated as a programmable device if its unavailability, degradation, or misuse would impact the reliability of the BES within 15 minutes. However, the Cyber Asset definition uses the term "programmable electronic devices" in addition to the impact language. The plain meaning of this term is that the executing code can be changed, e.g., through a port, terminal, or web interface. Although Responsible Entities could voluntarily choose to go above and beyond strict compliance with the standard and treat all electronic devices as programmable, the Cyber Asset definition does not require this approach. As it stands, the definition of Cyber Asset necessarily allows Responsible Entities to determine whether a device is programmable or non-programmable.

2. The sentence contradicts the next paragraph, which describes how study participants evaluated their devices to determine whether they were programmable or non-programmable.

3. The inclusion of this sentence is inconsistent with the risk-informed approach inherent in the standards. The devices alluded to in the sentence have a limited cyber attack surface and therefore are a very low risk to the reliability of the BES. For these devices, communication is generally over non-routable analog signal networks, which makes their vulnerability to a cyber attack, if any, very low. However, if NERC believes that certain devices commonly considered non-programmable pose a reliability risk to the BES, then the standards development process should be used to address this risk rather than the Section 11 guidance process.

4. Incidentally, even though the devices contemplated by the sentence do not sufficiently qualify as BCAs, they are often located with low, medium or high impact BES Cyber Systems. As a result, these devices will often receive physical protection without being specifically identified as Cyber Assets. They should not be assumed to be unprotected.

5. The scope expansion created by this sentence will significantly increase the potential for noncompliance and confusion among Regional Entities and Responsible Entities on how to enforce and implement CIP Version 5.

6. The sentence will create administrative burdens for NERC, the Regional Entities and Responsible Entities that are not commensurate with the risk to the reliability of the BES. Treating non-programmable devices as Cyber Assets and protecting them "to the extent capable" will significantly increase compliance documentation (including TFEs and device capability documentation).

8. Exelon:

Purpose Section:

Last sentence, "risk-based" - The last sentence referencing risk-based approaches may be misconstrued. While risk is discussed in the Capability section, a risk assessment is not discussed. The risk discussion in the Capability section concerns the aspects of device sophistication, which is different than it seems the Purpose statement implies. The Purpose statement will still establish the purpose of the discussion without the last sentence. We recommend its removal.

Add "as one approach" - Also in the purpose statement, it would be useful to plainly state that the approach taken by the study participants is one way, but may not be the only way. This reminder could replace the last sentence in the purpose statement to say: "This lesson learned presents an approach used by Study participants, but may not be the only approach available to entities."

Capability Section:

The discussion of device capability is a critical component of this document. The capability around the term "programmable" is a core challenge that the pilot participants managed. Exelon appreciates the discussion included.

First paragraph, ERO language - The sentence "For these devices, the ERO will allow (for the purposes of assessing compliance with the standards) Responsible Entities to only protect those devices to the extent capable" should be removed from the Capability section. This sentence is contrary to the concepts used in the approach discussed and it disrupts the flow of the discussion. Exelon supports the EEI comments that articulate the many concerns around this sentence and we join their recommendation to remove it.

Second paragraph, "some" - This lesson learned discussed only one approach taken, so for consistency, simply refer to "Study participants" instead of "some Study participants". This will avoid suggesting that another approach was taken by other participants, but not discussed in the paper.

Second paragraph, "evaluated as BES Cyber Asset (BCA)" - The following sentence could be misunderstood as meaning that the devices were considered and the evaluation concluded that they were BCAs, instead of evaluating to determine whether the device is a BCA or not. Please revise to clarify that the evaluation is to determine whether the device is a BCA, for instance: "Additionally, the Study participants considered devices that had a physical or wireless port or a web interface that can be used to flash firmware to be Cyber Assets and then evaluated them to determine whether they meet the BES Cyber Assets definition."

BCA Survey - We support the reference to the information from the BES Cyber Asset survey; however, the description leading up to the table could more clearly distinguish the list as Cyber Assets, but not necessarily BES Cyber Assets. Similarly as requested above, please consider the following revision: "The BES Cyber Asset survey provided several examples of devices considered to be Cyber Assets and included for evaluation as BCAs by study participants. As stated in the survey from the NERC comments to the Order 791 Notice of Proposed Rulemaking (NOPR), because there are differences in the way certain Cyber Assets are used across the BES, a determination of whether a particular Cyber Asset meets the definition of a BES Cyber Asset necessarily depends upon the individual facts and circumstances of how an entity uses the Cyber Asset (i.e., the functions of the Cyber Asset and the Facilities, systems or equipment it supports). In response to the survey, the participants identified the following Cyber Asset types at Control Centers, Transmission Station / Substation, and Generation Plants. These Cyber Assets would typically be evaluated to determine whether, in use, they meet the 15-minute impact and other criteria of a BES Cyber Asset (ref. Table 1):"

In addition, the title of Table 1 implies that the Cyber Assets listed are typically BES Cyber Assets, while the paragraph above the table describes these as Cyber Assets that are typically evaluated to determine if they meet the BES Cyber Asset definition. The former suggests that most of these CAs would be BCAs, but some CAs listed do not fit that scenario. For example, meters may qualify as CAs, but only a few circumstances suggest that they meet the BES CA criteria. We suggest revising the title to: "Table 1: Typically Evaluated Cyber Assets".

Observation Section: Exelon supports the acknowledgment that the standard language does not define "programmable electronic device". For this to change, a standards development project is required. We are aware that this issue is being referred to standards development for consideration. This section should include the statement: "The CIP V5 Transition Advisory Group referred the identified issue to be evaluated for standards development." In addition, the title of this section will more clearly draw attention to the future plans by changing from "Observation" to "Referral to Standards Development".

Minor edit: In the reference to study participants, sometimes the "S" in "study" is capitalized and at times not. It should be consistent.

9. Duke Energy: Duke Energy disagrees with the following passage found in the Capability section on page 3 of the document: "For these devices, the ERO will allow (for the purposes of assessing compliance with the standards) Responsible Entities to only protect those devices to the extent capable." On its face, the statement appears to the reader to be an expansion of scope, and not one of guidance that may be used by industry stakeholders in their implementation of CIP V5. More importantly, the devices being described in the immediately preceding sentence are not programmable. They are not Cyber Assets, and thus not in the scope of CIP V5. Duke Energy disagrees with the statements made, and recommends that they be removed from the document.


More information

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014 Technical s and s CIP Version 5 Standards Version: June 13, 2014 This document is designed to convey lessons learned from NERC s various activities. It is not intended to establish new requirements under

More information

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Cyber Security Reliability Standards CIP V5 Transition Guidance: Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Frequently Asked Questions November 25, 2014 CIP Version 5 Standards

Frequently Asked Questions November 25, 2014 CIP Version 5 Standards Frequently Asked Questions November 25, 2014 CIP Version 5 Standards This document provides answers to questions asked by entities as they transition to the CIP Version 5 Standards. The questions are listed

More information

Please contact the undersigned if you have any questions concerning this filing.

Please contact the undersigned if you have any questions concerning this filing. !! November 29, 2016 VIA ELECTRONIC FILING Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2 Re: North American Electric Reliability Corporation

More information

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014 Critical Infrastructure Protection (CIP) Version 5 Revisions Standard Drafting Team Update Industry Webinar September 19, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice

More information

Physical Security Reliability Standard Implementation

Physical Security Reliability Standard Implementation Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-002-5.1 Cyber Security BES Cyber System Categorization This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR

More information

CIP V5 Implementation Study SMUD s Experience

CIP V5 Implementation Study SMUD s Experience CIP V5 Implementation Study SMUD s Experience Tim Kelley October 16, 2014 Powering forward. Together. SMUD Fast Facts General Information SMUD employs approximately 2,000 individuals Service area of 900

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018. Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

Project Modifications to CIP Standards

Project Modifications to CIP Standards Project 2016-02 Modifications to CIP Standards Virtualization and other Technology Innovations Presenters Jay Cribb, Southern Company Steve Brain, Dominion Energy Forrest Krigbaum, Bonneville Power Administration

More information

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017

DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017 DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017 1 Introduction The Critical Infrastructure Protection Committee (CIPC)

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

NERC-Led Technical Conferences

NERC-Led Technical Conferences NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA Project 2016-02 Modifications to CIP Standards Technical Conference April 19, 2016 Atlanta, GA Agenda Welcome Steven Noess NERC Antitrust Compliance Guidelines and Public Announcement* - Al McMeekin Logistics

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-5 3. Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-006-6 Cyber Security Physical Security of BES Cyber Systems This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity:

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Virtualization in the CIP Environment Do not use this form for submitting comments. Use the electronic form to submit comments on

More information

requirements in a NERC or Regional Reliability Standard.

requirements in a NERC or Regional Reliability Standard. A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP 011 1 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

CIP Technical Workshop

CIP Technical Workshop CIP Technical Workshop Scott R, Mix, CISSP, NERC CIP Technical Manager Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist Tobias R. Whitney, Manager, CIP Compliance March 4, 2014 Agenda Welcome

More information

Draft CIP Standards Version 5

Draft CIP Standards Version 5 Draft CIP Standards Version 5 Technical Webinar Part 1 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 15, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5

More information

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems This appendix establishes modifications to the FERC approved NERC standard CIP-009-6 for its specific application in New Brunswick. This appendix must be read with CIP-009-6 to determine a full understanding

More information

NB Appendix CIP NB-0 - Cyber Security Personnel & Training

NB Appendix CIP NB-0 - Cyber Security Personnel & Training This appendix establishes modifications to the FERC approved NERC standard CIP-004-5.1 for its specific application in New Brunswick. This appendix must be read with CIP-004-5.1 to determine a full understanding

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-5 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC

More information

CIP Cyber Security Information Protection

CIP Cyber Security Information Protection A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-2 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

Standard Development Timeline

Standard Development Timeline CIP-008-6 Incident Reporting and Response Planning Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Frequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015

Frequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015 Frequently Asked Questions CIP Version 5 Standards Consolidated FAQs and Answers Version: October 2015 This document is designed to provide answers to questions asked by entities as they transition to

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE AMERICAN PUBLIC POWER

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-6 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

CIP Cyber Security Incident Reporting and Response Planning

CIP Cyber Security Incident Reporting and Response Planning Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Frequently Asked Questions CIP Version 5 Standards April 1, 2015

Frequently Asked Questions CIP Version 5 Standards April 1, 2015 Frequently Asked Questions CIP Version 5 Standards April 1, 2015 This draft document provides answers to questions asked by entities as they transition to the CIP Version 5 Reliability Standards. The information

More information

Frequently Asked Questions CIP Version 5 Standards Consolidated Comments Received Regarding April 1, 2015 Posting

Frequently Asked Questions CIP Version 5 Standards Consolidated Comments Received Regarding April 1, 2015 Posting Frequently Asked Questions CIP Version 5 Standards Consolidated Received Regarding April 1, 2015 Posting This draft document is designed to provide answers to questions asked by entities as they transition

More information

Project Modifications to CIP Standards. Consideration of Comments Initial Comment Period

Project Modifications to CIP Standards. Consideration of Comments Initial Comment Period Project 2016-02 Modifications to CIP Standards Consideration of Comments Initial Comment Period October 21, 2016 Consideration of Comments Introduction The following are the ballots associated with this

More information

Consideration of Issues and Directives Project Modeling Data (MOD B) October 7, 2013

Consideration of Issues and Directives Project Modeling Data (MOD B) October 7, 2013 Project 2010-03 Modeling Data (MOD B) October 7, 2013 Para 290. Project 2010-03 - Modeling Data The Commission directs public utilities, working through NERC, to modify the reliability standards MOD- 010

More information

162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ] 162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket No. RM17-13-000] Supply Chain Risk Management Reliability Standards (January 18, 2018) AGENCY: Federal

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard Development Timeline

Standard Development Timeline CIP-002-6 Cyber Security BES Cyber System Categorization Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the

More information

Compliance Exception and Self-Logging Report Q4 2014

Compliance Exception and Self-Logging Report Q4 2014 Agenda Item 5 Board of Trustees Compliance Committee Open Session February 11, 2015 Compliance Exception and Self-Logging Report Q4 2014 Action Information Introduction Beginning in November 2013, NERC

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

BILLING CODE P DEPARTMENT OF ENERGY. Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ]

BILLING CODE P DEPARTMENT OF ENERGY. Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ] This document is scheduled to be published in the Federal Register on 01/25/2018 and available online at https://federalregister.gov/d/2018-01247, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF

More information

Standard Development Timeline

Standard Development Timeline CIP-002-6 Cyber Security BES Cyber System Categorization Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the

More information

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power

More information

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission... CIP-002-4 Cyber Security Critical Cyber Asset Identification Rationale and Implementation Reference Document September, 2010 Table of Contents TABLE OF CONTENts Disclaimer... 3 Executive Summary... 4 Introduction...

More information

CIP Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-5 3. Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security

More information

October 2, CIP-014 Report Physical Security Protection for High Impact Control Centers Docket No. RM15-14-

October 2, CIP-014 Report Physical Security Protection for High Impact Control Centers Docket No. RM15-14- October 2, 2017 Ms. Kimberly D. Bose Secretary Federal Energy Regulatory Commission 888 First Street, NE Washington, D.C. 20426 Re: CIP-014 Report Physical Security Protection for High Impact Control Centers

More information

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for

More information

Standard CIP-006-4c Cyber Security Physical Security

Standard CIP-006-4c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security

More information

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Security Management Controls. A. Introduction CIP-003-7 - Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-7 3. Purpose: To specify consistent and sustainable security

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-6 3. Purpose: To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical

More information

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Do not use this form for submitting comments. Use the electronic form to submit

More information

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016 Supply Chain Cybersecurity Risk Management Standards Technical Conference November 10, 2016 Agenda Opening remarks Review conference objectives and ground rules Standards project overview Discuss draft

More information

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers This document is scheduled to be published in the Federal Register on 07/28/2016 and available online at http://federalregister.gov/a/2016-17854, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

CIP Cyber Security Security Management Controls. Standard Development Timeline

CIP Cyber Security Security Management Controls. Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

February 25, 2015 VIA ELECTRONIC FILING

February 25, 2015 VIA ELECTRONIC FILING February 25, 2015 VIA ELECTRONIC FILING David Erickson President and Chief Executive Officer Alberta Electric System Operator 2500, 330-5 Avenue SW Calgary, Alberta T2P 0L4 RE: North American Electric

More information

Project Retirement of Reliability Standard Requirements

Project Retirement of Reliability Standard Requirements Project 2013-02 Retirement of Reliability Standard Requirements Unofficial Comment Form for Paragraph 81 (P81) Project Retirement of Reliability Standard Requirements This form is provided in a Word format

More information

requirements in a NERC or Regional Reliability Standard.

requirements in a NERC or Regional Reliability Standard. CIP 002 5.1 Cyber Security BES Cyber System Categorization A. Introduction 1. Title: Cyber Security BES Cyber System Categorization 2. Number: CIP 002 5.1 3. Purpose: To identify and categorize BES Cyber

More information

Standard CIP-006-3c Cyber Security Physical Security

Standard CIP-006-3c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security

More information

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities This Implementation Plan applies to Cyber Security Standards CIP-002-2 through CIP-009-2 and CIP-002-3 through

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

BILLING CODE P DEPARTMENT OF ENERGY FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

BILLING CODE P DEPARTMENT OF ENERGY FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ] This document is scheduled to be published in the Federal Register on 07/22/2015 and available online at http://federalregister.gov/a/2015-17920, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

Implementation Plan for Version 5 CIP Cyber Security Standards

Implementation Plan for Version 5 CIP Cyber Security Standards Implementation Plan for Version 5 CIP Cyber Security Standards April 10September 17, 2012 Note: On September 17, 2012, NERC was alerted that some references in the Initial Performance of Certain Periodic

More information

CIP Version 5 Evidence Request User Guide

CIP Version 5 Evidence Request User Guide CIP Version 5 Evidence Request User Guide Version 1.0 December 15, 2015 NERC Report Title Report Date I Table of Contents Preface... iv Introduction... v Purpose... v Evidence Request Flow... v Sampling...

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Revised Critical Infrastructure Protection Reliability Standards ) ) Docket No. RM15-14-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information