Low Impact BES Assets: Best Prac4ces BC Outreach Webinar: Session 3 Salt Lake City UT January 9, 2018

Transcription

1 Low Impact BES Assets: Best Prac4ces BC Outreach Webinar: Session 3 Salt Lake City UT January 9, 2018 Joseph B. Baugh, PhD Senior Compliance Auditor Cyber Security Western Electricity Coordina4ng Council

2 2 Speaker Intro: Dr. Joseph B. Baugh Electrical U4lity Experience (44+ years) Senior Compliance Auditor, Cyber Security IT Manager & Power Trading/Scheduling Manager IT Program Manager & Project Manager NERC Cer4fied System Operator Barehand Qualified Transmission Lineman Educa4onal Experience Degrees earned: Ph.D., MBA, BS- Computer Science Cer4fica4ons: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA- IAM/IEM Academic & Technical Course Teaching Experience (20+ years) Business Strategy, Leadership, and Management Informa4on Technology, IT Security, and Project Management PMP, CISA, CISSP, CISM, ITIL, & Cisco exam prepara4on CIP Compliance workshops and other outreach sessions

3 3 Agenda CIP R2 WECC Low Impact Case Study [LICS] Challenges Administra4ve Technical Protec4ng Low impact BES Assets Frequently Asked Ques4ons Lessons Learned Best Prac4ces Differences between CIP and CIP LERC/LEAP vs. electronic access controls Addi4onal protec4ons and controls

4 4 CIP R2 Since BCUC may replace CIP with CIP , en44es may ignore the IAC language in R2 for CIP compliance No adverse impact on R2 compliance is incurred by this ac4on

5 5 LICS Par4cipa4on Details The WECC LICS pilot study ran from October 2015 through May 2016 (Wood, 2016 March 24) Four (4) par4cipants from the WECC region: One (1) mixed impact municipal en4ty This en4ty had prior CIP Cri4cal Cyber Assets [CCA] Some v3 Cri4cal Assets contained higher impact BCS under v5 En4ty iden4fied mul4ple Low impact BES Assets Three (3) Low impact only en44es These en44es had prior null lists of CCA All three iden4fied only Low impact BES Assets CIP compliance experience levels were also mixed

6 6 Low Impact Case Study Goals Ensure an Efficient and Effec/ve Transi/on Understand and address challenges Foster Communica/on and knowledge sharing Iden/fy Guidance Topics

7 7 Administra4ve Challenges Programs, Policies, Procedures, and Plans Reconciling internal defini4ons with NERC defini4ons Upda4ng documenta4on to match Small, but cri4cal staff Staffing the project, if a team member was sick, project progress came to a grinding halt Finding a place to start Picked one or two prototype BES Assets to develop and fine- tune the processes and procedures before rolling it out across the gamut of BES Assets

8 8 Technical Challenges Small Technical Staff Finding 4me to review and create the required documenta4on Mee4ng Compliance AND Security Needs Ensuring requirements are met, also focusing on physical and electronic access controls, securing the network and facili4es, at a reasonable cost Learning Curve Transla4ng compliance language from the Standards to IT and layman language Documen4ng technical issues in an easy- to- grasp manner Bringing field and other personnel into the compliance fold

9 9 LICS FAQ - Policies Do we need to have the policies in one document or can they be separated and 4ed to the associated plan (e.g., awareness, physical access controls, electronic access controls, incident response)? From an audit perspec4ve it doesn't maler how the informa4on is laid out or put together, so long as you have it and can demonstrate it for audit You may choose to have one document with all the policies, or you may choose to have the each policy within the plan documenta4on Provide pointers to the associated sec4on(s) of the alachment, if you do keep the policies together in a separate document

10 10 LICS FAQ - Policies What is the difference between program, policy, plan and procedure? A program is the overarching name for the documenta4on (or the "why") that provides both strategic and tac4cal elements that create compliance A policy is the documenta4on that provides the strategic overview of "what" you will do to become compliant The plans, prac4ces, processes and procedures describe "how" you will perform policy requirements and are part of the tac4cal elements to the program Plans and processes are the overview of how you will be compliant Prac4ces and procedures are the step- by- step details of how you perform compliance tasks

11 11 Low impact Strategic & Tac4cal Elements CIP Compliance Program High & Medium BCS Low-Impact BES Assets Not in Scope for Low impact BES Assets Strategic Elements (Policies) Tactical Elements (Plans) Develop and document Low impact cybersecurity policies Develop and document cybersecurity plans w/ procedures, practices, &/or processes Implement cybersecurity plans and controls

12 12 Audi4ng Low- impact Compliance At audit, the CIP- 003 team will review and validate each strategic and tac4cal step down through the flowchart A prudent en4ty will develop and maintain auditable ar4facts that demonstrate the en4ty documented and implemented a sound CIP- 003 cyber security compliance program with associated policies, plans, processes, and/or procedures that cover all of its applicable Low impact BES Assets

13 13 LICS FAQ R2.1 Awareness What is awareness and what should be included? Webster defines "aware" as knowing that something exists. Awareness is the state of such knowledge In terms of the CIP Guidelines and Technical Basis, awareness would then mean each employee is aware or cognizant of specific cyber security measures These measures may include any or all of the following (CIP , A"achment 2: Sec.on 1, p. 24): Direct communica4ons (for example, e- mails, memos, or computer- based training); Indirect communica4ons (for example, posters, intranet, or brochures); or Management support and reinforcement (for example, presenta4ons or mee4ngs).

14 14 LICS FAQ R2.1 Awareness What are examples of reinforcement? In terms of the CIP R2.1 low- impact cyber security awareness policy, the en4ty should present cybersecurity awareness measures to its personnel at least once every 15 calendar months This is the bare minimum to demonstrate compliance and may be part of an ongoing cybersecurity awareness effort that includes signage, training, case studies, and any other means of raising cybersecurity awareness

15 15 LICS FAQ R2.2 Physical Security Controls Mark Lemery will cover these topics in his presenta4on this aqernoon

16 16 LICS FAQ R2.3 Electronic Access Controls What do I need to implement electronic access controls for external routable connec4ons and/or dial- up connec4vity? Un4l such 4me that addi4onal guidance is provided by BCUC rela4ve to CIP , a prudent en4ty would ensure that any protocol conversion device provides an actual authen4ca4on break between the IP and alached serial devices In the absence of such demonstrated evidence, the audit team may determine that unprotected electronic access is present in the serial devices and take further compliance ac4on

17 17 LICS FAQ R2.3 Electronic Access Controls Do we need to provide a diagram and the configura4on files associated with electronic access controls? While such diagrams and files are not specifically required by CIP , an en4ty should be able to demonstrate the required controls (as defined in the R2.3 policy) are afforded where external routable access or dial- up connec4vity exists into an asset containing Low impact BES Cyber Systems The audit team may check a sampling of Low impact Cyber Assets with electronic access to validate that such devices are protected, as required by the en4ty s electronic access control policy

18 18 LICS FAQ R2.4 Incident Response Is monitoring or intrusion detec4on required? If not, how do I know to respond to an incident if I'm not monitoring for one? No, monitoring is not specifically required. The Standard Draqing Team leq R2.4 as a policy to respond to an incident that somehow created its own awareness Although monitoring is not required by the Standard, as a best cyber security prac4ce, a prudent en4ty would monitor all electronic access points to ensure it becomes aware of any cyber incident in a 4mely manner This issue has been addressed much more extensively in CIP , as well as a recent FERC NOPR (2017 December 21) on incident response and malware

19 19 LICS FAQ R3 CIP Senior Manager Can a CIP Senior Manager be a contractor? No, the CIP Senior Manager is a defined term in the NERC Glossary and specifically states this person must be a single senior management official with overall authority and responsibility (NERC, 2018 January 2, Glossary of Terms, p. 9) for an en4ty s CIP compliance program The BCUC adopted the NERC Glossary dated October 1, 2014 via BCUC Order R (2015 July 15, Ar4cle H, p. 2), including the CIP Senior Manager term (Ibid, p. 16), so this response is equally valid in the BCUC footprint

20 20 LICS FAQ R3 CIP Senior Manager What kind of documenta4on would you expect to see for CIP R3? A document on company leler head that includes the name and 4tle of the CIP Senior Manager, with the date of his or her assignment is sufficient

21 21 LICS FAQ R4 Delega4ons Can the CIP Senior Manager informa4on and delegate informa4on reside in the same document, or do they need to be in separate documents? For audit purposes, R3 and R4 simply must be documented. It doesn't maler if these assignments are in one document or mul4ple documents However, the CIP Senior Manager is generally assigned by the CEO, General Manager, or some other high- level execu4ve. Delegates may be assigned for specific CIP du4es on shorter 4meframes by the CIP Senior Manager, so the audit team generally sees mul4ple documents

22 22 LICS FAQ General Ques4ons If an en4ty opts to combine their low impact policy and plan documenta4on with their High and/or Medium impact documents, how could this informa4on be shared with low impact personnel since there are addi4onal requirements for Highs and Medium BCS pertaining to BESCSI (CIP- 004 R2 and R4)? En44es are allowed to combine their documents for Highs, Mediums, and Lows, but if the combined documenta4on contains BES Cyber System Informa4on (BCSI), an en4ty would need to include everyone with access to the BCSI within the associated programs (e.g., access management) when the en4ty implemented the applicable requirements. This would include individuals who are only associated with Low Impact BCS With that in mind, it may be more feasible to use the High and/ or Medium BCS documenta4on as a star4ng point and develop a specific set of documenta4on for Low- impact BES Assets for use by a wider set of personnel

23 23 LICS FAQ General Ques4ons Can we use our exis4ng system inventory as Low Impact Cyber Assets List knowing it is not required? Even though discrete lists of Low- impact BCS are not required by CIP R1.3, LICS par4cipants found it almost impossible to ensure all required controls were afforded without such lists of applicable Cyber Assets for each LIBCS at each iden4fied and documented Low- impact BES Asset

24 24 LICS Lessons Learned LICS par4cipants were asked these ques4ons during the panel discussion at the WECC Compliance Workshop in La Jolla (Wood, 2016): What are your perspec.ves on necessary resources? What are some of the key conclusions, lessons learned, and recommenda.ons for transi.oning to CIP Version 5 for en..es with assets containing low impact BCS? Did you find any ambiguity in the Requirements? If so, how did you clarify these issues? The responses are captured in the following slides

25 25 LICS Lessons Learned Review the standards and clarify all of the documenta4on requirements for each standard early on Kept each documenta4on requirement as a highlighted ac4on item in all of their draqs Create internal cascading project 4meline w/ deliverables Develop Ganl charts to track tasks and updated, as applicable each week Research, Research, Research Tap unlikely sources such as your commercial insurance carrier/broker One en4ty used a great template from its insurance carrier for its cyber incident response plan

26 26 LICS Lessons Learned Don t be fooled by the generic and oversimplified requirements for policies They are simplis4c by design to allow you the flexibility to build your own workable policies and plans, but they are going to take more 4me to develop and implement than you think, so build some extra 4me into your project 4meline for tes4ng & feedback, budget cycles, and unplanned con4ngencies Engage Subject Maler Experts [SMEs] and plant/field personnel who are going to have to live with the results of your transi4on project early on No use flying 8000 RPMs down the road to a technically unalainable or cost- prohibi4ve goal

27 27 LICS Lessons Learned Have weekly team mee4ngs Even if there s not much to discuss, this prac4ce keeps the project on everyone s radar Make sure all documents at minimum undergo a basic technical and legal review and then a final formawng review Copy & paste is both a blessing and a curse! Avoid business silos If you are coming from the IT side of the house, go shake hands with and learn about the OT environment, as it will allow you to beler understand the assets you re trying to protect The OT side of the house will also gain a beler understanding of why you re doing the things you do to achieve compliance

28 28 Best Prac4ces and Next Steps Approach the Low impact compliance implementa4on as an approved & funded project Develop a sound project plan including tasks, schedules, and an4cipated costs Begin with one or two nearby Low impact BES Assets as part of a prototype program to test and implement electronic and physical security controls Roll out the cyber security training and awareness programs early on to minimize resistance to change from field personnel

29 29 Best Prac4ces and Next Steps Vet documents as they are implemented and make any necessary changes to reflect actual field condi4ons Con4nue to develop and improve electronic and physical security measures and controls during the implementa4on Integrate addi4onal BES Assets on your project 4meline based on the knowledge gained and lessons learned during the prototype phase Develop lists of Cyber Assets during the implementa4on phase, this prac4ce will help greatly during the implementa4on of CIP

30 30 CIP x Standard Versions CIP only requires an en4ty to implement four cyber security policies (R2.1- R2.4) CIP becomes effec4ve October 1, 2018 (BCUC Order R , 2015 July 24) Subsequent versions moved the cyber security policies to R1.2, while R2 now requires more extensive plans, processes, and procedures for Low impact BES Assets CIP was held in abeyance for Bri4sh Columbia due to the pending CIP revision (adopted by NERC Board of Trustees February 9, 2017), which is awai4ng FERC approval in the US FERC proposed approval of CIP on October 26, 2017 in a No4ce of Public Rulemaking [NOPR] published in the Federal Register (2017 October 29), with a comment period ending December 26, 2017

31 31 CIP Items of Interest Since FERC approval of CIP is expected in the first quarter of 2018, a prudent en4ty would review CIP (NERC, 2017 February 9) and prepare for possible BCUC adop4on of that Standard CIP clarifies elements for which electronic access protec4ons need to be applied as directed by FERC to NERC as a condi4on of adop4ng CIP BCUC may not adopt LERC and LEAP terms, which will be re4red from the NERC Glossary upon FERC approval of CIP and addressed as electronic access controls (see NERC, 2017 Feb 9, CIP : A"achment 1 Sec.on 3, p. 22) CIP may be in the next BC Hydro Standard assessment report filed with the BCUC this year

32 32 Key Changes in CIP CIP moved Low impact cyber security policies from R2 to R1.2 (p. 5) and added policies for malicious code mi4ga4on for Transient Cyber Assets [TCA] and Removable Media [RM] (R1.2.5) as well as CIP Excep4onal Circumstances (R1.2.6) R2 references Alachment 1 (pp ), which includes specific provisions for cyber security plans: Sec4on 1: Cyber Security Awareness, Sec4on 2: Physical Security Controls, Sec4on 3: Electronic Access Controls, Sec4on 4: Cyber Security Incident Response, and Sec4on 5: TCA and RM Malicious Code Risk Mi4ga4on. Alachment 2 (pp ) provides examples of evidence for the five sec4on plans cited above

33 Speaker Contact Informa4on Joseph B. Baugh, Ph.D., MBA PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor - Cyber Security Western Electricity Coordina4ng Council (WECC) jbaugh (at) wecc (dot) biz (C) (O)

34 References BCUC. (2015 July 24). Order R Retrieved from hlp:// DOC_44244_R _BCH_MRS_RPT_8.pdf FERC. (2017 October 29). Revised Cri.cal Infrastructure Protec.on Reliability Standard CIP Cyber Security Security Management Controls [No4ce of Public Rulemaking], 18 CFR Part 40, Docket No. RM In Federal Register, 82(206), (pp ). Retrieved from hlps:// /pdf/ pdf FERC. (2017 December 21). Cyber Security Incident Repor.ng Reliability Standards [No4ce of Public Rulemaking], 161 FERC 61, CFR Part 40 Docket Nos. RM and AD Retrieved from hlps:// new/comm- meet/ 2017/122117/E- 1.pdf 34

35 References NERC. (2018 January 2). Glossary of Terms Used in NERC Reliability Standards. Retrieved from hlp:// NERC. (2017 February 9). CIP Cyber Security Security Management Controls [Adopted by NERC Board of Trustees]. Retrieved from hlp:// CIP pdf Wood, L. (2016 March 24). Low Impact Case Study (LICS) Presenta.on/Panel. Presenta4on at WECC Compliance Workshop in La Jolla CA. Retrieved from hlps:// sourcedoc=/administra4ve/13a%20low%20impact%20case %20Study%20March %202016%20Wood.pdf&ac4on=default&DefaultItemOpen=1 35