Identifying & Auditing Low Impact BES Assets: A Mock Audit BC Outreach Webinar: Session 2 Salt Lake City UT January 9, 2018


1 Identifying & Auditing Low Impact BES Assets: A Mock Audit BC Outreach Webinar: Session 2 Salt Lake City UT January 9, 2018 Joseph B. Baugh, PhD Senior Compliance Auditor Cyber Security Western Electricity Coordinating Council

2 Speaker Intro: Dr. Joseph Baugh Electrical Utility Experience (44+ years) Senior Compliance Auditor, Cyber Security IT Manager & Power Trading/Scheduling Manager IT Program Manager & Project Manager NERC Certified System Operator Barehand Qualified Transmission Lineman Educational Experience Degrees earned: Ph.D., MBA, BS-Computer Science Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM Academic & Technical Course Teaching Experience (20+ years) Business Strategy, Leadership, and Management Information Technology, IT Security, and Project Management PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation CIP Compliance workshops and other outreach sessions

3 Agenda Review CIP Requirements Review CIP Team audit approach Defining the Inventory of BES Assets CIP Mock Audit Focus on Low Impact BES Assets Questions

4 CIP Overview CIP is the first step on CIP Compliance trail All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP CIP adds the DP function, TSP function drops out Some entities may find they are only required to be compliant with CIP (R1 & R2) and with CIP (R1.2, R2, R3, & R4) True, if the IRC application on the entity's inventory of BES Assets (see Part R1.i - R1.vi) generates Null R1.1 & R1.2 lists Must provide a valid R1.3 list of Low Impact BES Assets Typically requires a reduced scope audit that may be conducted on-site, at WECC offices, or other locations, as necessary

5 CIP : Part R1.i - R1.vi Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning] i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and vi. For Distribution Providers, Protection Systems specified in Applicability section above. May generate Low impact BES Assets for R1.3 list under IRC 3.6

6 CIP : R1 Inventory of BES Assets Inputs R1 Process Outputs List of High, Medium, & Low Assets List of High & Medium Assets Inputs R1.1 - R1.2 Process: Identify BCS Outputs R1.1, R1.2, Lists List of Low Impact Assets Input R1.3 List Each Responsible Entity shall implement a process that considers each of the following assets (see Part R1.i - R1.vi) for purposes of parts 1.1 through 1.3:

7 CIP Requirements: R2 R1.1, R1.2, R1.3 Lists Inputs R2 Review & Approval Process Outputs Signed and Dated Records Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1] The CIP Senior Manager or delegate (as defined in CIP R2 or CIP R3 & R4) must approve the initial lists [R2.2] and at least once every 15 months, thereafter: The R1.1, R1.2, and R1.3 lists Include signed and dated null lists, if applicable The entity must maintain signed and dated records of the approvals listed above Electronic or physical approvals accepted

8 WECC Audit Team Approach Use a methodical approach to deliver consistent results across all entities Start with the RSAW supplied by the entity as initial working papers to document the audit and findings Review the evidence to develop findings Submit data requests for more information, as needed

9 WECC Evidence Review Review Initial Evidence package supplied by the entity in response to the Pre-Audit Request for Information [RFI]: One-line diagrams Specific CIP evidentiary documents Documented process to identify and categorize the entity's BCS and BES Assets Implementation of the process (i.e., application of the IRC to the inventory of BES Assets to develop the lists) Reviewed and approved R1.1 - R1.3 lists Entity responses to data requests, as applicable

10 CIP Audit Team Approach Audit to the Standard Review the evidence: Entity's documented process Inventory of BES Assets One line diagrams Application of the IRC R1.1, R1.2, R1.3 lists R2 records of current and prior approved versions of R1 & R2 documents (the bookends) DR for additional information, as needed Determine findings Complete the RSAW Develop the Audit Report [Flowchart text:] Review entity's documented R1 process Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi] Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset Yes (Continue BCS evaluations) Are any BES assets rated for High or Medium BCS? Add BCS to the appropriate list: R1.1: High Impact BCS, R1.2: Medium Impact BCS Are there more High or Medium BES assets? No (Place all Low BES assets on R1.3 List) Yes (Evaluate High & Medium BES assets for all applicable BCS) No (Continue to R2) R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter. R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter. Entity applies CIP through CIP protections to the components of the three lists, as applicable

11 Sample One-Line Diagram

12 WECC Audit Team Approach Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low impact BES Assets [R1.3], even if one or more of these lists are null Compare the lists against the one-lines and BES Asset inventory Hold interviews with the entity's CIP SMEs, if necessary If audit is on-site, perform site visits (Trust, but Verify) Validate annual approval documentation [R2] Submit DRs, as needed, to clarify compliance Determine findings (NF, PV, or OA) Discuss findings with entire Cyber Security Team Complete RSAW Prepare CIP audit report (ATL & CPC)

13 Pre-Audit CIP Evidence [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists: [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1. [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2. [R1.3]: A list of identified Low impact BES Assets identified by application of Attachment 1, Section 3. [R2]: Signed and dated records of the list reviews and CIP Senior Manager or delegate approvals of the identifications required by R1, even if such lists are null.

14 CIP-101 Mock Audit Overview Compare inventory of BES Assets against current definition of Bulk Electric System as adopted by the BCUC (BCUC, 2015 July 24, Order RM , p. 15; see also NERC, 2016 May 17, Glossary of Terms, pp ; NERC, 2014 April, BES Definition Guidance Document, v2) Did the entity identify and document lists of High impact BCS [R1.1], Medium impact BCS [R1.2] and a list of Low impact BES Assets [R1.3] through an application of the Impact Rating Criteria [IRC] (BCUC, 2018 October 1, CIP : Attachment 1, pp )?

15 The Entity's BES Asset Identification The first step in a normal CIP audit is to review the application of the IRC Starts with an overall Inventory of entity BES assets Inventory is validated against the one-line diagram(s) Apply the IRC to validate the R1.x lists

16 Definition of Control Center One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations. (NERC, 2016 May 17, Glossary of Terms, p. 33)

17 Low IRC (Control Centers)

18 IRC Medium or Low Impact

19 IRC 2.5 and Generation Interconnections NERC Lessons Learned document (2015 Oct 1) discusses how Entities should consider generation lead lines or interconnection lines as they apply IRC 2.5 A radial generator lead line with no network flows (i.e., no power would flow through the line if the generator is off-line) and with the sole purpose of connecting generator output to a networked Transmission system would not qualify as a Transmission Line to be included in the IRC AWV calculation May apply to standalone generation units and distributed generation Facilities Identify interconnection points in the analysis

20 Low IRC (Transmission not in Section 2)

21 Low IRC (Generation not in Section 2)

22 Low IRC (Protection Systems)

23 Low IRC (DP Systems)

24 Audit Lists of High & Medium BCS Review the R1.1 list of High impact BCS Review the R1.2 list of Medium impact BCS For most entities in this session, both the R1.1 and the R1.2 lists will be null, but must be explicitly: Reviewed by technical SMEs [R2.1], and Approved by the CIP Senior Manager or delegate at least once every 15 calendar months [R2.2]

25 Audit List of Low Impact BES Assets Review the R1.3 list of Low impact BES Assets Correlate this list against: The entity's inventory of BES Assets The entity's one-line diagram The entity must provide CIP protections, as applicable, to its Low impact BES Assets

26 Validate BES Asset Lists Review and compare the entity's one-line diagram to the current lists of BES Assets Did the results seem reasonable? Do the Transmission BES Assets align with the one-line diagram? Did the entity provide evidence of net Real Power capability to support Generation Facility ratings? Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?

27 Low impact BCS Security Controls Provide physical security protections at Low impact BES Assets, in accordance with R2.2 (BCUC, 2018 October 1, CIP , p. 5) Electronic Protections If a Low impact BCS [LIBCS] is contained within a Medium BCS ESP, protect the LIBCS as PCA to the Medium BCS, as applicable If a Low impact BCS has electronic access or dial-up connectivity, protect it with controls described in accordance with R2.3 (Ibid, p. 5) Future alert: Review NERC CIP for physical and electronic access controls that may be implemented in the BCUC footprint (more on this in Session 3)

28 R1.3 List of Low impact BES Assets R1.3 does not require discrete lists of Low impact BES Cyber Systems. However, R1.3 does require a list containing the name of each asset that contains a low impact BES Cyber System. This list should contain all generating plants, transmission stations, certain distribution stations, and certain small control centers, that meet one or more of the Section 3 IRC and contain low impact BES Cyber Systems.

29 R1.3 List of Low impact BES Assets The entity should be prepared to demonstrate that all BES assets (locations) are accounted for on either the list of high impact, medium impact or low impact locations The entity should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protections (per CIP R2.2-R2.3)

30 Comparing Low impact BES Assets Not all Low impact BES Assets are created equal Low impact covers a wide range of BES locations and Facilities Within Low impact there are potentially vastly different risks and impacts to the reliability of the BES. The CIP Standards don't make a distinction between a big (i.e., more impactful) Low impact BES Asset and a small (i.e., less impactful) Low impact BES Asset Consider the following examples of IRC 2.1 (w/ net Real Power capability [NRPC] calculations and Aggregated Weighted Value [AWV]) and IRC 2.5 (w/ AWV calculations):

31 IRC 2.1 Low-impact GO/GOP Examples NRPC = 30 MWs AWV = 0 NRPC = 1400 MWs AWV = 1400 NRPC = 2800 MWs AWV = 3900

32 IRC 2.5 Low-impact TO/TOP Examples To SUB C AWV = 0 AWV = 2600 AWV = 5200

33 Compliance & Audit Implications Random or statistical sampling of low impact assets for CIPv5 audit purposes is not appropriate when sampling for Low impact BES Asset site visits Expect the audit team to apply judgmental or non-statistical sampling based on the audit team's perception of risk and impact to the BES Expect more audit attention at Low impact Transmission Facilities with larger impacts Expect more audit attention at larger Low impact Generation plants than at smaller plants, particularly those that equal or exceed 1500 MWs net Real Power capability, but which have been segmented to reduce the BCS impact rating under IRC 2.1

34 Compliance & Audit Implications Expect more attention at any generation plant > 1500 MW NRPC, regardless of control system segmentation. The entity should be prepared to: Demonstrate how the unit controls are segmented, including computer network diagrams, firewall configurations, data flow analysis, etc., Demonstrate the analysis of any common systems at the plant, Explain the analysis and include both time-based and impact-based components, and Facilitate site visits to any Generation plants with >= 1500 MW net Real Power capability.

35 Compliance & Audit Implications Expect more attention at any Low impact Transmission substation with a significant number of 230kV and/or 345kV lines. The entity should be prepared to: Demonstrate how IRC 2.5 was applied Discuss all Transmission lines that were not calculated into the total AWV, e.g.: Excluded as Radial lines serving only load, or Classified as Generation Interconnection Facilities. Facilitate potential site visits to any Transmission substations that have mixed BCS impact levels

36 R1: BES Asset List Review Questions Did the Entity apply the IRC appropriately? Did the Entity confer with its RC, PA, and/or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8 before moving them to the Low BES Asset list? Application Questions: Did the Entity consider all BES asset types in R1.i through R1.vi? Did the Entity review & evaluate all BES Assets through the IRC? Did the Entity clearly identify and document all BES assets in the appropriate impact rating? Is any additional information necessary?

37 The Entity's Review & Approval Process R1.1, R1.2, R1.3 Lists Inputs R2 Review & Approval Process Outputs Signed and Dated Records The next step in a CIP audit is to determine if the entity reviewed the identifications of the lists created in R1, even if such lists are null. R1.1 list of High BCS R1.2 list of Medium BCS R1.3 list of Low impact BES assets Review the signed and dated records of the CIP Senior Manager's or delegate's approval of the lists Either electronic or wet-ink signatures are acceptable

38 R2: Annual Approval Review Questions Did the Entity review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications? Did the Entity update the lists, as necessary? Did the Entity CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null? Application Questions Did the Entity provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]? Are any DRs necessary? If so, what additional information is required?

39 A Word to the Wise The WECC CIP-002 team has noted several issues with R2 during transition period audits that generated either Recommendations or an Area of Concern [AoC] A Recommendation is a suggestion for improvement, but does not indicate a failure to comply An AoC related to CIP R1 or R2 during a transition audit will likely be a Possible Violation [PV] after October 1, 2018 Several Entities have prepared nicely defined signature blocks, but failed to cite or include the actual R1.1, R1.2, and R1.3 lists

40 Key Issues from the Transition An Entity that only has Low-impact BES Assets [R1.3] should still evaluate its inventory of BES Assets against the IRC, prepare, review, and approve: A null list of High BCS [R1.1] A null list of Medium BCS [R1.2] Be sure to implement your documented R1 process, review the resulting three lists, and have the CIP Senior Manager or delegate approve them at least once every 15 calendar months
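A pre-audit self-check of the R1/R2 evidence package described in the slides above, as an added example (not part of the original presentation or any WECC tool). The record layout, function names and sample data are constructed for illustration, and reading "15 calendar months" as the same day of the month 15 months later is an assumption.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

LISTS = ("R1.1", "R1.2", "R1.3")
INTERVAL_MONTHS = 15  # review/approval cadence stated for R2.1 and R2.2


@dataclass
class Approval:
    """One signed and dated approval record (hypothetical layout)."""
    signed_on: date
    approver: str
    # List name -> entries. An empty list is an explicit null list; a missing
    # key means the signed record did not cite or include that list.
    # R1.1/R1.2 entries are (bcs_name, asset_name); R1.3 entries are asset names.
    lists: dict = field(default_factory=dict)


def add_months(d, months):
    """Shift a date by whole calendar months, clamping to the month's last day."""
    idx = d.year * 12 + (d.month - 1) + months
    year, month = idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def check_evidence(inventory, approvals, as_of):
    """Return a list of findings (strings) for the evidence package."""
    if not approvals:
        return ["no signed and dated approval records"]
    approvals = sorted(approvals, key=lambda a: a.signed_on)
    findings = []

    # R2 cadence: each approval within 15 calendar months of the previous one,
    # and the most recent approval still current on the audit date.
    for prev, cur in zip(approvals, approvals[1:]):
        due = add_months(prev.signed_on, INTERVAL_MONTHS)
        if cur.signed_on > due:
            findings.append(f"{cur.signed_on}: approval is more than 15 calendar "
                            f"months after {prev.signed_on} (due {due})")
    due = add_months(approvals[-1].signed_on, INTERVAL_MONTHS)
    if as_of > due:
        findings.append(f"{as_of}: no approval since {approvals[-1].signed_on} (due {due})")

    # A signature block alone is not enough: every approval must include all
    # three lists, with null lists present as explicit empty lists.
    for rec in approvals:
        for name in LISTS:
            if name not in rec.lists:
                findings.append(f"{rec.signed_on}: {name} list not included with approval")

    # Reconcile the inventory of BES Assets against the latest approved lists.
    latest = approvals[-1].lists
    listed = set(latest.get("R1.3", []))
    for name in ("R1.1", "R1.2"):
        listed |= {asset for _bcs, asset in latest.get(name, [])}
    for asset in sorted(set(inventory) - listed):
        findings.append(f"{asset}: in inventory but not on any approved list")
    for asset in sorted(listed - set(inventory)):
        findings.append(f"{asset}: on an approved list but not in inventory")
    return findings


# Constructed sample evidence for an entity with only Low impact BES Assets.
SAMPLE_INVENTORY = ["Sub A", "Sub B", "Plant 1", "Control Center"]
SAMPLE_APPROVALS = [
    Approval(date(2016, 4, 1), "CIP Senior Manager",
             {"R1.1": [], "R1.2": [],
              "R1.3": ["Sub A", "Sub B", "Plant 1", "Control Center"]}),
    Approval(date(2017, 8, 15), "Delegate",
             {"R1.1": [],  # R1.2 null list omitted from the signed record
              "R1.3": ["Sub A", "Plant 1", "Control Center", "Sub Z"]}),
]

if __name__ == "__main__":
    for finding in check_evidence(SAMPLE_INVENTORY, SAMPLE_APPROVALS, date(2018, 1, 9)):
        print(finding)
```
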

41 Lower-BCS Connection to Higher BCS Facilities may be owned by the same entity or different entities. If multiple entities are involved, identify the: Point(s) of connection between the entities, Entity responsible for compliance at/around the demarcation point, and Entity responsible for CIP physical security compliance. May involve EACMS or LEAP depending on impact ratings and connectivity characteristics. Protect all BCS, as applicable.

42 Substation BCS Segmentation Reference Model 7 (NERC, CIP , Guidelines and Technical Basis, p. 37) provides an illustration of mixed-impact BCS within a single BES Asset boundary.

43 Connecting Low-impact BES Assets No Backcasting impact levels. Similar to the Far-end Relay Lesson Learned. Consider all communications paths. BCA/BCS Owners are obligated to comply with the applicable CIP Standards Performance may be delegated via an operating agreement or other clearly defined binding agreement

44 Value-Added Activity: Feedback WECC Audit Teams never prescribe solutions, but we do: Brief entities on findings Encourage good security practices Discuss examples of industry best practices Provide Recommendations and suggestions for improvement, when appropriate Identify any AoC, which may not currently be violations, but may become a Possible Violation [PV] in a future audit, if not addressed Support development of a sustainable compliance culture

45 Additional Audit Team Member Activities Available to address and respond to Entity questions/comments Participate in WECC Entity outreach activities: Semi-annual Compliance Workshops (next one in Boise ID), Monthly Open Webinars, and Special events such as this event. Work at National level: CCTF, Standard Drafting Team, Comment on new Standards and guidance documents, Run CIP pilot studies, and Attend and present at Cyber Security Conferences, Regional, National, and International Outreach events.

46 Summary Audit to the Standard Provide useful feedback to the entity Prepare a valid report Be available to CIP personnel at the entities Work at National level

47 Remember the Auditor's Mission Just the facts, Ma'am, Just the facts!

48 References
BCUC. (2015 July 24). Order R Retrieved from http:// DOC_44244_R _BCH_MRS_RPT_8.pdf
BCUC. (2018 October 1). CIP Cyber Security Standard BES Cyber System Categorization. Retrieved from https:// pdf
BCUC. (2018 October 1). CIP Cyber Security Security Management Controls. Retrieved from https:// pdf

49 References
NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http:// bes_phase2_reference_document_ _final _clean.pdf
NERC. (2016 May 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http:// %20terms/glossary_of_terms.pdf

50 Speaker Contact Information Joseph B. Baugh, Ph.D., MBA PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor - Cyber Security Western Electricity Coordinating Council (WECC) jbaugh (at) wecc (dot) biz (C) (O)


More information

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan 2017 Annual Implementation Plan Effective Date: January 1, 2017 Approved by the Régie: December 1, 2016 Table

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 PRC-004-3 Protection System Misoperation Identification and Correction This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Wksheet 1 CIP-009-6 Cyber Security Security Management Controls This section to be completed by the Compliance Enfcement Authity. Audit ID: Registered Entity: NCR Number: Compliance

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-5 3. Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Wksheet 1 CIP-008-5 Cyber Security Incident Repting and Response Planning This section to be completed by the Compliance Enfcement Authity. Audit ID: Registered Entity: NCR Number:

More information

CIP Standards Development Overview

CIP Standards Development Overview CIP Standards Development Overview CSSDTO706 Meeting with FERC Technical Staff July 28, 2011 Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 2 Project 2008-06 Overview FERC Order 706 SDT

More information

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Wksheet 1 CIP-004-6 Cyber Security Personnel & Training This section to be completed by the Compliance Enfcement Authity. Audit ID: Registered Entity: NCR Number: Compliance

More information

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014 02 CIP Version 5 Revisions replaces

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Wksheet 1 CIP-005-6 Cyber Security Electronic Security Perimeter(s) This section to be completed by the Compliance Enfcement Authity. Audit ID: Registered Entity: NCR Number:

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 PRC-004-3 Protection System Misoperation Identification and Correction This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities Critical Asset Identification Methodology William E. McEvoy Northeast Utilities Disclaimer This NPCC TFIST workshop provides a forum for the presentation and discussion of member experience in the implementation

More information

Summary of FERC Order No. 791

Summary of FERC Order No. 791 Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure

More information

NPCC Compliance Monitoring Team Classroom Session

NPCC Compliance Monitoring Team Classroom Session NPCC Compliance Monitoring Team Classroom Session John Muir - Director, Compliance Monitoring Jacqueline Jimenez - Senior Compliance Engineer David Cerasoli, CISSP - Manager, CIP Audits 5/14/2018 1 Compliance

More information

Standard CIP 004 3a Cyber Security Personnel and Training

Standard CIP 004 3a Cyber Security Personnel and Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

NERC-Led Technical Conferences

NERC-Led Technical Conferences NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines

More information

CIP Cyber Security Information Protection

CIP Cyber Security Information Protection A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-2 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

New Brunswick 2018 Annual Implementation Plan Version 1

New Brunswick 2018 Annual Implementation Plan Version 1 New Brunswick Energy and Utilities Board Reliability Standards, Compliance and Enforcement Program New Brunswick 2018 Annual Implementation Plan Version 1 December 28, 2017 Table of Contents Version History...

More information

Standard Development Timeline

Standard Development Timeline CIP-003-67(i) - Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when

More information

Alberta Reliability Standard Cyber Security Electronic Security Perimeter(s) CIP-005-AB-5

Alberta Reliability Standard Cyber Security Electronic Security Perimeter(s) CIP-005-AB-5 A. Introduction 1. Title: 2. Number: 3. Purpose: To manage electronic access to BES cyber systems by specifying a controlled electronic security perimeter in support of protecting BES cyber systems against

More information

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities This Implementation Plan applies to Cyber Security Standards CIP-002-2 through CIP-009-2 and CIP-002-3 through

More information

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities This Implementation Plan applies to Cyber Security Standards CIP-002-2 through CIP-009-2 and CIP-002-3 through

More information

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC Standard Requirement Requirement Text Measures ConsoleWorks

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017 WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017 155 North 400 West, Suite 200 Salt Lake City, Utah 84103-1114 WECC Internal Controls Evaluation Process

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: March 2, 2014

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: March 2, 2014 Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 R1: Grouping BES Cyber Assets Version: March 2, 2014 This document is designed to convey lessons learned from NERC s various CIP version 5 transition

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-1 3. Purpose: Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document CIP-002-4 Cyber Security Critical Cyber Asset Identification Rationale and Implementation Reference Document NERC Cyber Security Standards Drafting Team for Order 706 December 2010 This document provides

More information

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Standard Development Timeline

Standard Development Timeline CIP-008-6 Incident Reporting and Response Planning Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard

More information

CIP Cyber Security Security Management Controls

CIP Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-6 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and

More information

Critical Infrastructure Protection Version 5

Critical Infrastructure Protection Version 5 Critical Infrastructure Protection Version 5 Tobias Whitney, Senior CIP Manager, Grid Assurance, NERC Compliance Committee Open Meeting August 9, 2017 Agenda Critical Infrastructure Protection (CIP) Standards

More information

NERC Relay Loadability Standard Reliability Standards Webinar November 23, 2010

NERC Relay Loadability Standard Reliability Standards Webinar November 23, 2010 Transmission Relay Loadability FERC Order 733 Project 2010-1313 NERC Relay Loadability Standard Reliability Standards Webinar November 23, 2010 Project Overview 2 Standards Involved PRC-023-2 Transmission

More information

CIP Baseline Configuration Management Overview. FRCC Spring Compliance Workshop April 14-16, 2015

CIP Baseline Configuration Management Overview. FRCC Spring Compliance Workshop April 14-16, 2015 CIP-010-1 Baseline Configuration Management Overview FRCC Spring Compliance Workshop April 14-16, 2015 Overview Review the configuration change management requirements found in CIP- 10-1 R1 and R2 2 R1.1

More information

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES 002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-6 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Hang on it s going to be a wild ride

Hang on it s going to be a wild ride AGA/EEI Utility Internal Auditor's Training Course Washington, DC August 26, 2015 Hang on it s going to be a wild ride There are no NERC CIP Babel Fish "The Babel fish is small, yellow, leech-like, and

More information

CIP Cyber Security Incident Reporting and Response Planning

CIP Cyber Security Incident Reporting and Response Planning Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

CIP Configuration Change Management & Vulnerability Assessments

CIP Configuration Change Management & Vulnerability Assessments CIP-010-2 Configuration Change Management & Vulnerability Assessments FRCC Spring RE Workshop April 17-18, 2018 Objective Change Management to prevent unauthorized modifications to Bulk Electric Systems

More information

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014 Critical Infrastructure Protection (CIP) Version 5 Revisions Standard Drafting Team Update Industry Webinar September 19, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice

More information

Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2

Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2 Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2 David Cerasoli, CISSP Manager, CIP Audits October 30, 2018 Disclaimer The goal of this webinar is to share

More information

requirements in a NERC or Regional Reliability Standard.

requirements in a NERC or Regional Reliability Standard. A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP 011 1 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

CIP Compliance Workshop Boise, ID March 29, 2018

CIP Compliance Workshop Boise, ID March 29, 2018 CIP-006-6 Compliance Workshop Boise, ID March 29, 2018 Mark Lemery, MSc, CPP, PSP Auditor, Cyber and Physical Security 2 Impact on Reliability Identify WECC s audit approach and inform entities of physical

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

Physical Security Reliability Standard Implementation

Physical Security Reliability Standard Implementation Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,

More information