Low Impact BES Assets: Best Prac4ces BC Outreach Webinar: Session 3 Salt Lake City UT January 9, 2018
|
|
- Sabina Weaver
- 5 years ago
- Views:
Transcription
1 Low Impact BES Assets: Best Prac4ces BC Outreach Webinar: Session 3 Salt Lake City UT January 9, 2018 Joseph B. Baugh, PhD Senior Compliance Auditor Cyber Security Western Electricity Coordina4ng Council
2 2 Speaker Intro: Dr. Joseph B. Baugh Electrical U4lity Experience (44+ years) Senior Compliance Auditor, Cyber Security IT Manager & Power Trading/Scheduling Manager IT Program Manager & Project Manager NERC Cer4fied System Operator Barehand Qualified Transmission Lineman Educa4onal Experience Degrees earned: Ph.D., MBA, BS- Computer Science Cer4fica4ons: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA- IAM/IEM Academic & Technical Course Teaching Experience (20+ years) Business Strategy, Leadership, and Management Informa4on Technology, IT Security, and Project Management PMP, CISA, CISSP, CISM, ITIL, & Cisco exam prepara4on CIP Compliance workshops and other outreach sessions
3 3 Agenda CIP R2 WECC Low Impact Case Study [LICS] Challenges Administra4ve Technical Protec4ng Low impact BES Assets Frequently Asked Ques4ons Lessons Learned Best Prac4ces Differences between CIP and CIP LERC/LEAP vs. electronic access controls Addi4onal protec4ons and controls
4 4 CIP R2 Since BCUC may replace CIP with CIP , en44es may ignore the IAC language in R2 for CIP compliance No adverse impact on R2 compliance is incurred by this ac4on
5 5 LICS Par4cipa4on Details The WECC LICS pilot study ran from October 2015 through May 2016 (Wood, 2016 March 24) Four (4) par4cipants from the WECC region: One (1) mixed impact municipal en4ty This en4ty had prior CIP Cri4cal Cyber Assets [CCA] Some v3 Cri4cal Assets contained higher impact BCS under v5 En4ty iden4fied mul4ple Low impact BES Assets Three (3) Low impact only en44es These en44es had prior null lists of CCA All three iden4fied only Low impact BES Assets CIP compliance experience levels were also mixed
6 6 Low Impact Case Study Goals Ensure an Efficient and Effec/ve Transi/on Understand and address challenges Foster Communica/on and knowledge sharing Iden/fy Guidance Topics
7 7 Administra4ve Challenges Programs, Policies, Procedures, and Plans Reconciling internal defini4ons with NERC defini4ons Upda4ng documenta4on to match Small, but cri4cal staff Staffing the project, if a team member was sick, project progress came to a grinding halt Finding a place to start Picked one or two prototype BES Assets to develop and fine- tune the processes and procedures before rolling it out across the gamut of BES Assets
8 8 Technical Challenges Small Technical Staff Finding 4me to review and create the required documenta4on Mee4ng Compliance AND Security Needs Ensuring requirements are met, also focusing on physical and electronic access controls, securing the network and facili4es, at a reasonable cost Learning Curve Transla4ng compliance language from the Standards to IT and layman language Documen4ng technical issues in an easy- to- grasp manner Bringing field and other personnel into the compliance fold
9 9 LICS FAQ - Policies Do we need to have the policies in one document or can they be separated and 4ed to the associated plan (e.g., awareness, physical access controls, electronic access controls, incident response)? From an audit perspec4ve it doesn't maler how the informa4on is laid out or put together, so long as you have it and can demonstrate it for audit You may choose to have one document with all the policies, or you may choose to have the each policy within the plan documenta4on Provide pointers to the associated sec4on(s) of the alachment, if you do keep the policies together in a separate document
10 10 LICS FAQ - Policies What is the difference between program, policy, plan and procedure? A program is the overarching name for the documenta4on (or the "why") that provides both strategic and tac4cal elements that create compliance A policy is the documenta4on that provides the strategic overview of "what" you will do to become compliant The plans, prac4ces, processes and procedures describe "how" you will perform policy requirements and are part of the tac4cal elements to the program Plans and processes are the overview of how you will be compliant Prac4ces and procedures are the step- by- step details of how you perform compliance tasks
11 11 Low impact Strategic & Tac4cal Elements CIP Compliance Program High & Medium BCS Low-Impact BES Assets Not in Scope for Low impact BES Assets Strategic Elements (Policies) Tactical Elements (Plans) Develop and document Low impact cybersecurity policies Develop and document cybersecurity plans w/ procedures, practices, &/or processes Implement cybersecurity plans and controls
12 12 Audi4ng Low- impact Compliance At audit, the CIP- 003 team will review and validate each strategic and tac4cal step down through the flowchart A prudent en4ty will develop and maintain auditable ar4facts that demonstrate the en4ty documented and implemented a sound CIP- 003 cyber security compliance program with associated policies, plans, processes, and/or procedures that cover all of its applicable Low impact BES Assets
13 13 LICS FAQ R2.1 Awareness What is awareness and what should be included? Webster defines "aware" as knowing that something exists. Awareness is the state of such knowledge In terms of the CIP Guidelines and Technical Basis, awareness would then mean each employee is aware or cognizant of specific cyber security measures These measures may include any or all of the following (CIP , A"achment 2: Sec.on 1, p. 24): Direct communica4ons (for example, e- mails, memos, or computer- based training); Indirect communica4ons (for example, posters, intranet, or brochures); or Management support and reinforcement (for example, presenta4ons or mee4ngs).
14 14 LICS FAQ R2.1 Awareness What are examples of reinforcement? In terms of the CIP R2.1 low- impact cyber security awareness policy, the en4ty should present cybersecurity awareness measures to its personnel at least once every 15 calendar months This is the bare minimum to demonstrate compliance and may be part of an ongoing cybersecurity awareness effort that includes signage, training, case studies, and any other means of raising cybersecurity awareness
15 15 LICS FAQ R2.2 Physical Security Controls Mark Lemery will cover these topics in his presenta4on this aqernoon
16 16 LICS FAQ R2.3 Electronic Access Controls What do I need to implement electronic access controls for external routable connec4ons and/or dial- up connec4vity? Un4l such 4me that addi4onal guidance is provided by BCUC rela4ve to CIP , a prudent en4ty would ensure that any protocol conversion device provides an actual authen4ca4on break between the IP and alached serial devices In the absence of such demonstrated evidence, the audit team may determine that unprotected electronic access is present in the serial devices and take further compliance ac4on
17 17 LICS FAQ R2.3 Electronic Access Controls Do we need to provide a diagram and the configura4on files associated with electronic access controls? While such diagrams and files are not specifically required by CIP , an en4ty should be able to demonstrate the required controls (as defined in the R2.3 policy) are afforded where external routable access or dial- up connec4vity exists into an asset containing Low impact BES Cyber Systems The audit team may check a sampling of Low impact Cyber Assets with electronic access to validate that such devices are protected, as required by the en4ty s electronic access control policy
18 18 LICS FAQ R2.4 Incident Response Is monitoring or intrusion detec4on required? If not, how do I know to respond to an incident if I'm not monitoring for one? No, monitoring is not specifically required. The Standard Draqing Team leq R2.4 as a policy to respond to an incident that somehow created its own awareness Although monitoring is not required by the Standard, as a best cyber security prac4ce, a prudent en4ty would monitor all electronic access points to ensure it becomes aware of any cyber incident in a 4mely manner This issue has been addressed much more extensively in CIP , as well as a recent FERC NOPR (2017 December 21) on incident response and malware
19 19 LICS FAQ R3 CIP Senior Manager Can a CIP Senior Manager be a contractor? No, the CIP Senior Manager is a defined term in the NERC Glossary and specifically states this person must be a single senior management official with overall authority and responsibility (NERC, 2018 January 2, Glossary of Terms, p. 9) for an en4ty s CIP compliance program The BCUC adopted the NERC Glossary dated October 1, 2014 via BCUC Order R (2015 July 15, Ar4cle H, p. 2), including the CIP Senior Manager term (Ibid, p. 16), so this response is equally valid in the BCUC footprint
20 20 LICS FAQ R3 CIP Senior Manager What kind of documenta4on would you expect to see for CIP R3? A document on company leler head that includes the name and 4tle of the CIP Senior Manager, with the date of his or her assignment is sufficient
21 21 LICS FAQ R4 Delega4ons Can the CIP Senior Manager informa4on and delegate informa4on reside in the same document, or do they need to be in separate documents? For audit purposes, R3 and R4 simply must be documented. It doesn't maler if these assignments are in one document or mul4ple documents However, the CIP Senior Manager is generally assigned by the CEO, General Manager, or some other high- level execu4ve. Delegates may be assigned for specific CIP du4es on shorter 4meframes by the CIP Senior Manager, so the audit team generally sees mul4ple documents
22 22 LICS FAQ General Ques4ons If an en4ty opts to combine their low impact policy and plan documenta4on with their High and/or Medium impact documents, how could this informa4on be shared with low impact personnel since there are addi4onal requirements for Highs and Medium BCS pertaining to BESCSI (CIP- 004 R2 and R4)? En44es are allowed to combine their documents for Highs, Mediums, and Lows, but if the combined documenta4on contains BES Cyber System Informa4on (BCSI), an en4ty would need to include everyone with access to the BCSI within the associated programs (e.g., access management) when the en4ty implemented the applicable requirements. This would include individuals who are only associated with Low Impact BCS With that in mind, it may be more feasible to use the High and/ or Medium BCS documenta4on as a star4ng point and develop a specific set of documenta4on for Low- impact BES Assets for use by a wider set of personnel
23 23 LICS FAQ General Ques4ons Can we use our exis4ng system inventory as Low Impact Cyber Assets List knowing it is not required? Even though discrete lists of Low- impact BCS are not required by CIP R1.3, LICS par4cipants found it almost impossible to ensure all required controls were afforded without such lists of applicable Cyber Assets for each LIBCS at each iden4fied and documented Low- impact BES Asset
24 24 LICS Lessons Learned LICS par4cipants were asked these ques4ons during the panel discussion at the WECC Compliance Workshop in La Jolla (Wood, 2016): What are your perspec.ves on necessary resources? What are some of the key conclusions, lessons learned, and recommenda.ons for transi.oning to CIP Version 5 for en..es with assets containing low impact BCS? Did you find any ambiguity in the Requirements? If so, how did you clarify these issues? The responses are captured in the following slides
25 25 LICS Lessons Learned Review the standards and clarify all of the documenta4on requirements for each standard early on Kept each documenta4on requirement as a highlighted ac4on item in all of their draqs Create internal cascading project 4meline w/ deliverables Develop Ganl charts to track tasks and updated, as applicable each week Research, Research, Research Tap unlikely sources such as your commercial insurance carrier/broker One en4ty used a great template from its insurance carrier for its cyber incident response plan
26 26 LICS Lessons Learned Don t be fooled by the generic and oversimplified requirements for policies They are simplis4c by design to allow you the flexibility to build your own workable policies and plans, but they are going to take more 4me to develop and implement than you think, so build some extra 4me into your project 4meline for tes4ng & feedback, budget cycles, and unplanned con4ngencies Engage Subject Maler Experts [SMEs] and plant/field personnel who are going to have to live with the results of your transi4on project early on No use flying 8000 RPMs down the road to a technically unalainable or cost- prohibi4ve goal
27 27 LICS Lessons Learned Have weekly team mee4ngs Even if there s not much to discuss, this prac4ce keeps the project on everyone s radar Make sure all documents at minimum undergo a basic technical and legal review and then a final formawng review Copy & paste is both a blessing and a curse! Avoid business silos If you are coming from the IT side of the house, go shake hands with and learn about the OT environment, as it will allow you to beler understand the assets you re trying to protect The OT side of the house will also gain a beler understanding of why you re doing the things you do to achieve compliance
28 28 Best Prac4ces and Next Steps Approach the Low impact compliance implementa4on as an approved & funded project Develop a sound project plan including tasks, schedules, and an4cipated costs Begin with one or two nearby Low impact BES Assets as part of a prototype program to test and implement electronic and physical security controls Roll out the cyber security training and awareness programs early on to minimize resistance to change from field personnel
29 29 Best Prac4ces and Next Steps Vet documents as they are implemented and make any necessary changes to reflect actual field condi4ons Con4nue to develop and improve electronic and physical security measures and controls during the implementa4on Integrate addi4onal BES Assets on your project 4meline based on the knowledge gained and lessons learned during the prototype phase Develop lists of Cyber Assets during the implementa4on phase, this prac4ce will help greatly during the implementa4on of CIP
30 30 CIP x Standard Versions CIP only requires an en4ty to implement four cyber security policies (R2.1- R2.4) CIP becomes effec4ve October 1, 2018 (BCUC Order R , 2015 July 24) Subsequent versions moved the cyber security policies to R1.2, while R2 now requires more extensive plans, processes, and procedures for Low impact BES Assets CIP was held in abeyance for Bri4sh Columbia due to the pending CIP revision (adopted by NERC Board of Trustees February 9, 2017), which is awai4ng FERC approval in the US FERC proposed approval of CIP on October 26, 2017 in a No4ce of Public Rulemaking [NOPR] published in the Federal Register (2017 October 29), with a comment period ending December 26, 2017
31 31 CIP Items of Interest Since FERC approval of CIP is expected in the first quarter of 2018, a prudent en4ty would review CIP (NERC, 2017 February 9) and prepare for possible BCUC adop4on of that Standard CIP clarifies elements for which electronic access protec4ons need to be applied as directed by FERC to NERC as a condi4on of adop4ng CIP BCUC may not adopt LERC and LEAP terms, which will be re4red from the NERC Glossary upon FERC approval of CIP and addressed as electronic access controls (see NERC, 2017 Feb 9, CIP : A"achment 1 Sec.on 3, p. 22) CIP may be in the next BC Hydro Standard assessment report filed with the BCUC this year
32 32 Key Changes in CIP CIP moved Low impact cyber security policies from R2 to R1.2 (p. 5) and added policies for malicious code mi4ga4on for Transient Cyber Assets [TCA] and Removable Media [RM] (R1.2.5) as well as CIP Excep4onal Circumstances (R1.2.6) R2 references Alachment 1 (pp ), which includes specific provisions for cyber security plans: Sec4on 1: Cyber Security Awareness, Sec4on 2: Physical Security Controls, Sec4on 3: Electronic Access Controls, Sec4on 4: Cyber Security Incident Response, and Sec4on 5: TCA and RM Malicious Code Risk Mi4ga4on. Alachment 2 (pp ) provides examples of evidence for the five sec4on plans cited above
33 Speaker Contact Informa4on Joseph B. Baugh, Ph.D., MBA PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor - Cyber Security Western Electricity Coordina4ng Council (WECC) jbaugh (at) wecc (dot) biz (C) (O)
34 References BCUC. (2015 July 24). Order R Retrieved from hlp:// DOC_44244_R _BCH_MRS_RPT_8.pdf FERC. (2017 October 29). Revised Cri.cal Infrastructure Protec.on Reliability Standard CIP Cyber Security Security Management Controls [No4ce of Public Rulemaking], 18 CFR Part 40, Docket No. RM In Federal Register, 82(206), (pp ). Retrieved from hlps:// /pdf/ pdf FERC. (2017 December 21). Cyber Security Incident Repor.ng Reliability Standards [No4ce of Public Rulemaking], 161 FERC 61, CFR Part 40 Docket Nos. RM and AD Retrieved from hlps:// new/comm- meet/ 2017/122117/E- 1.pdf 34
35 References NERC. (2018 January 2). Glossary of Terms Used in NERC Reliability Standards. Retrieved from hlp:// NERC. (2017 February 9). CIP Cyber Security Security Management Controls [Adopted by NERC Board of Trustees]. Retrieved from hlp:// CIP pdf Wood, L. (2016 March 24). Low Impact Case Study (LICS) Presenta.on/Panel. Presenta4on at WECC Compliance Workshop in La Jolla CA. Retrieved from hlps:// sourcedoc=/administra4ve/13a%20low%20impact%20case %20Study%20March %202016%20Wood.pdf&ac4on=default&DefaultItemOpen=1 35
Iden%fying & Audi%ng Low Impact BES Assets: A Mock Audit BC Outreach Webinar: Session 2 Salt Lake City UT January 9, 2018
Iden%fying & Audi%ng Low Impact BES Assets: A Mock Audit BC Outreach Webinar: Session 2 Salt Lake City UT January 9, 2018 Joseph B. Baugh, PhD Senior Compliance Auditor Cyber Security Western Electricity
More informationSGAS Low Impact Atlanta, GA September 14, 2016
SGAS Low Impact Atlanta, GA September 14, 2016 Lisa Wood, CISA, Security+, CBRA, CBRM Compliance Auditor Cyber Security Western Electricity Coordinating Council Slide 2 Agenda Low Impact Case Study Overview
More informationCIP V5 Updates Midwest Energy Association Electrical Operations Conference
CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version
More informationJoseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor Cyber Security WECC: Vancouver WA Office
Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor Cyber Security WECC: Vancouver WA Office CIP-101: CIP-002 v3 to v5 Transition WECC Office: Salt Lake City UT September 24-25,
More informationConsideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014
Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationConsideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015
Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently
More informationCIP Cyber Security Security Management Controls. A. Introduction
CIP-003-7 - Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-7 3. Purpose: To specify consistent and sustainable security
More informationCritical Cyber Asset Identification Security Management Controls
Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationUnofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)
Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Do not use this form for submitting comments. Use the electronic form to submit
More informationStandard Development Timeline
CIP-003-67(i) - Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric
More informationStandard CIP 004 3a Cyber Security Personnel and Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access
More informationCritical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014
Critical Infrastructure Protection (CIP) Version 5 Revisions Standard Drafting Team Update Industry Webinar September 19, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice
More informationLow Impact BES Cyber Systems. Cyber Security Security Management Controls CIP Dave Kenney
Low Impact BES Cyber Systems Cyber Security Security Management Controls CIP-003-6 Dave Kenney November 9, 2016 Presentation Agenda Outreach Observations/Audit Approach Cyber Security Awareness Physical
More informationA. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider
The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure
More informationStandard Development Timeline
CIP 003 7 Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard
More informationCYBER SECURITY POLICY REVISION: 12
1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred
More informationIntroduction to Securing Critical Infrastructure
Her kan tekst skrives Her kan tekst skrives Introduction to Securing Critical Infrastructure Her kan tekst skrives Keith Frederick CISSP, CAP, CRISC, Author securenok.com Topics A)acks on the Oil and Gas
More informationNERC-Led Technical Conferences
NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines
More informationGDPR ESSENTIALS END-USER COMPLIANCE TRAINING. Copyright 2018 Logical Operations, Inc. All rights reserved.
GDPR ESSENTIALS END-USER COMPLIANCE TRAINING 1 POTENTIAL MAXIMUM GDPR PENALTY 2 WHAT IS DATA PRIVACY? MOST NOTABLE US/CA PRIVACY LAWS Federal Trade Commission Act, Sec4on 5 California Online Privacy Protec4on
More informationThis draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationCIP Standards Development Overview
CIP Standards Development Overview CSSDTO706 Meeting with FERC Technical Staff July 28, 2011 Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 2 Project 2008-06 Overview FERC Order 706 SDT
More informationProject Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA
Project 2016-02 Modifications to CIP Standards Technical Conference April 19, 2016 Atlanta, GA Agenda Welcome Steven Noess NERC Antitrust Compliance Guidelines and Public Announcement* - Al McMeekin Logistics
More informationPhysical Security Reliability Standard Implementation
Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,
More informationCompliance: Evidence Requests for Low Impact Requirements
MIDWEST RELIABILITY ORGANIZATION Compliance: Evidence Requests for Low Impact Requirements Jess Syring, CIP Compliance Engineer MRO CIP Low Impact Workshop March 1, 2017 Improving RELIABILITY and mitigating
More informationAdditional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationCIP Cyber Security Security Management Controls
A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-6 3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and
More informationProject CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016
Project 2016-02 CIP Modifications Webinar on Revisions in Response to LERC Directive August 16, 2016 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice to obey the antitrust
More informationStandard CIP 005 4a Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)
More informationProject Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives
Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables
More informationCritical Infrastructure Protection Version 5
Critical Infrastructure Protection Version 5 Tobias Whitney, Senior CIP Manager, Grid Assurance, NERC Compliance Committee Open Meeting August 9, 2017 Agenda Critical Infrastructure Protection (CIP) Standards
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationNPCC Compliance Monitoring Team Classroom Session
NPCC Compliance Monitoring Team Classroom Session John Muir - Director, Compliance Monitoring Jacqueline Jimenez - Senior Compliance Engineer David Cerasoli, CISSP - Manager, CIP Audits 5/14/2018 1 Compliance
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationLow Impact Generation CIP Compliance. Ryan Walter
Low Impact Generation CIP Compliance Ryan Walter Agenda Entity Overview NERC CIP Introduction CIP-002-5.1, Asset Classification What Should Already be Done CIP-003-7, Low Impact Requirements Tri-State
More informationStandard CIP 005 2a Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)
More informationBetter Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2
Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2 David Cerasoli, CISSP Manager, CIP Audits October 30, 2018 Disclaimer The goal of this webinar is to share
More informationImplementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015
Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014 02 CIP Version 5 Revisions replaces
More informationCIP Version 5 Evidence Request User Guide
CIP Version 5 Evidence Request User Guide Version 1.0 December 15, 2015 NERC Report Title Report Date I Table of Contents Preface... iv Introduction... v Purpose... v Evidence Request Flow... v Sampling...
More informationMeeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016
Meeting Notes Project 2016-02 Modifications to CIP Standards Drafting Team June 28-30, 2016 Exelon Chicago, IL Administrative 1. Introductions / Chair s Remarks The meeting was brought to order by S. Crutchfield
More informationStandard CIP Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)
More informationPhilip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011
CIP Standards Version 5 Requirements & Status Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company David Revill Georgia Transmission Corporation CSO706 SDT Webinar
More informationImplementing Cyber-Security Standards
Implementing Cyber-Security Standards Greg Goodrich TFIST Chair, CISSP New York Independent System Operator Northeast Power Coordinating Council General Meeting Montreal, QC November 28, 2012 Topics Critical
More informationBusiness Case Components
How to Build A SOC Agenda Mission Business Case Components Regulatory requirements SOC Terminology Technology Components Events categories Staff Requirements Organiza>on s Considera>ons Training Requirements
More informationCyber Security Reliability Standards CIP V5 Transition Guidance:
Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible
More informationAnalysis of CIP-006 and CIP-007 Violations
Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December
More informationImplementation Plan. Project CIP Version 5 Revisions. January 23, 2015
Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationAdditional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationprimary Control Center, for the exchange of Real-time data with its Balancing
A. Introduction 1. Title: Reliability Coordination Monitoring and Analysis 2. Number: IRO-002-5 3. Purpose: To provide System Operators with the capabilities necessary to monitor and analyze data needed
More informationStandard CIP-006-3c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security
More informationERO Enterprise Strategic Planning Redesign
ERO Enterprise Strategic Planning Redesign Mark Lauby, Senior Vice President and Chief Reliability Officer Member Representatives Committee Meeting February 10, 2016 Strategic Planning Redesign Current
More informationEEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,
EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)
More informationOPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith
OPUC Workshop March 13, 2015 Cyber Security Electric Utilities Portland General Electric Co. Travis Anderson Scott Smith 1 CIP Version 5 PGE Implementation Understanding the Regulations PGE Attended WECC
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC
More informationCyber Security Standards Drafting Team Update
Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications
More informationStandard CIP 007 3a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for
More informationSummary of FERC Order No. 791
Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure
More informationReliability Standard Audit Worksheet 1
Reliability Standard Audit Wksheet 1 CIP-004-6 Cyber Security Personnel & Training This section to be completed by the Compliance Enfcement Authity. Audit ID: Registered Entity: NCR Number: Compliance
More informationDesigning Secure Remote Access Solutions for Substations
Designing Secure Remote Access Solutions for Substations John R Biasi MBA, CISA, CISSP October 19, 2017 Agenda Brief Biography Interactive Remote Access Dial-Up Access Examples Transient Devices Vendor
More informationCIP Cyber Security Security Management Controls. Standard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationDraft CIP Standards Version 5
Draft CIP Standards Version 5 Technical Webinar Part 2 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 29, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals
More informationQuali&es of an Effec&ve CISO
Quali&es of an Effec&ve CISO Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA Vice President- K3DES LLC mike.villegas@k3des.com November 13, 2015 1 Abstract Hiring a Chief Informa?on Security
More informationStandard CIP-006-4c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security
More informationModifying an Exis.ng Commercial Product for Cryptographic Module Evalua.on
Modifying an Exis.ng Commercial Product for Cryptographic Module Evalua.on ICMC16 O?awa, Canada 18-20 May 2016 Presented by Alan Gornall Introduc.on I provide cer.fica.on support to my clients: compliance
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationStandards Authorization Request Form
Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.
More informationVendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner
Vendor Management: SSAE 18 Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner Audio Handouts Questions Welcome Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice
More informationStandard CIP 007 4a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for
More informationFERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC
: ERO Performance and Initiatives June 4, 2015 Chairman Bay, Commissioners, and fellow panelists, I appreciate the opportunity to address the topics identified for the third panel of today s important
More information163 FERC 61,032 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ; Order No.
163 FERC 61,032 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket No. RM17-11-000; Order No. 843] Revised Critical Infrastructure Protection Reliability Standard CIP-003-7
More informationA. Introduction. Page 1 of 22
The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure
More informationHang on it s going to be a wild ride
AGA/EEI Utility Internal Auditor's Training Course Washington, DC August 26, 2015 Hang on it s going to be a wild ride There are no NERC CIP Babel Fish "The Babel fish is small, yellow, leech-like, and
More informationInteractive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.
Interactive Remote Access Compliance Workshop October 27, 2016 Eric Weston Compliance Auditor Cyber Security 2 Agenda Interactive Remote Access Overview Review of Use Cases and Strategy 1 Interactive Remote
More informationThis section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationCIP Cyber Security Configuration Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationStandard CIP Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-1 3. Purpose: Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s)
More informationPurpose. ERO Enterprise-Endorsed Implementation Guidance
Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 Requirement R1: Impact Rating of Generation Resource Shared BES Cyber Systems Version: January 29, 2015 Authorized by the Standards Committee
More informationAssessing Medical Device. Cyber Risks in a Healthcare. Environment
Assessing Medical Device Medical Devices Security Cyber Risks in a Healthcare Phil Englert Director Technology Operations Environment Catholic Health Ini
More informationStandard CIP Cyber Security Security Management Controls
A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-4 3. Purpose: Standard CIP-003-4 requires that Responsible Entities have minimum security management controls in
More informationBreakfast. 7:00 a.m. 8:00 a.m.
Breakfast 7:00 a.m. 8:00 a.m. Opening Announcements NERC 2015 Standards and Compliance Spring Workshop April 3, 2015 NERC Antitrust Compliance Guidelines It is NERC s policy and practice to obey the antitrust
More informationStandard CIP Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No.
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Foundation for Resilient Societies ) Docket No. AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN OPPOSITION
More informationBryan Carr PMP, CISA Compliance Auditor Cyber Security. Audit Evidence & Attachment G CIP 101 Salt Lake City, UT September 25, 2013
Bryan Carr PMP, CISA Compliance Auditor Cyber Security Audit Evidence & Attachment G CIP 101 Salt Lake City, UT September 25, 2013 About Me Joined WECC in August 2012 Before WECC CIP Compliance Program
More informationReliability Standard Audit Worksheet 1
Reliability Standard Audit Worksheet 1 CIP-006-6 Cyber Security Physical Security of BES Cyber Systems This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity:
More informationCompliance Exception and Self-Logging Report Q4 2014
Agenda Item 5 Board of Trustees Compliance Committee Open Session February 11, 2015 Compliance Exception and Self-Logging Report Q4 2014 Action Information Introduction Beginning in November 2013, NERC
More informationWECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017
WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017 155 North 400 West, Suite 200 Salt Lake City, Utah 84103-1114 WECC Internal Controls Evaluation Process
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationImpacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities
Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities NRECA TechAdvantage March 2014 Patti Metro Manager, Transmission & Reliability Standards NRECA
More informationCIP Standards Development Overview
CIP Standards Development Overview CSSDTO706 Meeting with Industry Representative August 16 18 NERC Atlanta Office Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 August 16-18 CSO706SDT
More informationCyber Security Incident Report
Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New
More informationTitle. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.
Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada
More informationCIP Compliance Workshop Boise, ID March 29, 2018
CIP-006-6 Compliance Workshop Boise, ID March 29, 2018 Mark Lemery, MSc, CPP, PSP Auditor, Cyber and Physical Security 2 Impact on Reliability Identify WECC s audit approach and inform entities of physical
More information