SGAS Low Impact Atlanta, GA September 14, 2016


1 SGAS Low Impact Atlanta, GA September 14, 2016 Lisa Wood, CISA, Security+, CBRA, CBRM Compliance Auditor Cyber Security Western Electricity Coordinating Council

2 Slide 2 Agenda: Low Impact Case Study Overview; Key Conclusions, Challenges, Recommendations; Questions

3 Slide 3 Low Impact Case Study Goals: Ensure an Efficient and Effective Transition; Understand and address challenges; Foster Communication and knowledge sharing; Identify Guidance Topics

4 Slide 4 Participation Details: Case study ran from October 2015 through May 2016. Four (4) Participants Selected: One (1) Mixed Impact Entity; Three (3) Low Only Entities

5 Slide 5 LICS Key Conclusions, Challenges, Recommendations

6 Slide 6 Resource Impact: Used on-hand resources. Small Critical/Technical Staff. If a team member was sick, the project came to a halt. Finding time to review and create the required LERC/LEAP documentation. Used on-hand resources, but brought in a 3rd party based on their size with 40+ configuration files.

7 Slide 7 Participant Challenges: CIP R1.3 not required to have a discrete list, but found it much easier to have the lists for the SMEs to be able to implement Programs, Policies, Procedures, and Plans Reconciling internal definitions with the NERC definitions Updated documentation to match

8 Slide 8 Low Impact Strategy & Tactics

9 Slide 9 Participant Challenges: Reference Models. Identifying where they already had equipment addressing the LEAP control. Understanding how to demonstrate the LEAP configurations. If using a firewall, understand the ACLs and configuration files needed in order to meet the LEAP expectations, and being able to demonstrate this.

10 Slide 10 LERC and LEAP Challenges. Communication Gap/Learning curve - understanding the new terminology and being able to explain it to the technical people. Translating compliance language (BCS, LERC/LEAP) to IT language (Low Only and Mixed Impact). Understanding the Environment: Most practical approach is to have a detailed inventory of your environment so you can document and understand the interactions of the cyber assets (Low Only). Developed a network diagram of entire network, identifying ESPs, PSPs, LERCs, LEAPs. They needed to understand the environment to determine where they had LERC and in turn needed LEAPs (Mixed Impact).

11 Slide 11 Additional Points: Vendors seemed to be stuck in High or Medium realm and not keyed into CIP R2 Attachment 1, 2, and G&TB (Specifically, Section 3.1). Compliance AND Security: Ensuring requirements are met, while focusing on physical and electronic access controls, securing the network and facilities, at a reasonable cost.

12 Slide 12 Participant Recommendations: Don't make it more difficult or bigger than it is. Lean on existing policies already in place. Plug in early, something will always pop up and potentially impact the project. Build some extra time into your project timeline for testing & feedback, budget cycles, and unplanned contingencies. Review the standards/requirements and clarify all of the documentation requirements for each standard early on. Research, Research, Research - Tap unlikely resources such as your commercial insurance carrier/broker. One participant used a great template from their insurance carrier for their cyber incident response plan. Don't be fooled by the generic and oversimplified requirements for policies and requirements - They are simplistic by design to allow you the flexibility for workable policies and plans.

13 Slide 13 Recommendations (cont.): Engage SMEs and plant/field personnel who are going to have to live with the results of your creations early on. Have weekly team meetings even if there's not much to discuss; it keeps the project on everyone's radar. Make sure all documents, at minimum, undergo a basic technical and legal review and then a final formatting review; cut & paste is a blessing and a curse! If you are coming from the IT side of the house, go shake hands with and learn about the OT environment, as it will allow you to better understand the assets you're trying to protect.

14 Slide 14 Physical Security and Electronic Access Controls

15 Slide 15 Physical Security Controls: All participants already had at least the minimum controls in place: gate, fence, key pads, key cards, video monitoring, 24/7 staff. WECC recommended being forward looking and consider how they may address future control requirements.

16 16 Electronic Access Controls 3. Electronic Access Controls: Each Responsible Entity shall: 3.1 For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access; and 3.2 Implement authentication of all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.

17 17 CIP Perspective: CIP maturity; New to controls compliance; Footprint

18 18 [Diagram labels: Low Impact BES Asset; Substation A /24; Substation B /24; SONET Ring; DEMARC; Layer 2 Switch; Low Impact Control Center /24; SCADA Servers; Operator Consoles]

19 19 [Diagram labels: Low Impact BES Asset; Substation A /24; Substation B /24; SONET Ring; DEMARC; Transparent Firewall; Low Impact Control Center /24; SCADA Servers; Operator Consoles]

20 20 Managed Firewall: Will compliance evidence require actual configuration files, demonstrating access controls for each designated electronic access control?

21 21 Managed Firewall

22 22 Managed Firewall Evidence

23 23 Managed Firewall Evidence: User logs in with their network username and password, then they are granted access. No one has access to anything without a login.

24 24 Firewall Configuration

25 25 Inventory List [Figure legend: Non-BES Cyber Asset; Low impact BES Cyber System]

26 26 Inventory List [Figure legend: Non-BES Cyber Asset; Low impact BES Cyber System]

27 27 Breaking LERC [Diagram labels: Substation RTU/COM Processor/Security Break/Protocol Break; Communication Path; External VLAN; Internal VLAN; DEMARC; To Next Substation; Intra-Substation Network]

28 Slide 28 Reference Model 6 (NERC, 2014, CIP-003-6: Cyber Security, p. 38)

29 29 FAQs/Lessons Learned: What constitutes a protocol/authentication/security break for LERC?

30 Slide 30 Questions Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security Desk: Cell:

31 Auditing Low Impact BES Cyber Systems Scott R. Mix, CISSP, NERC CIP Technical Manager NERC Small Group Advisory Sessions Low Impact Webinar September 14, 2016

32 Disclaimer The information contained in this presentation is preliminary, and represents a possible approach being considered by the ERO as of the fall of 2015, and updated with Standard Drafting Team initial draft posting in the late summer of These approaches are subject to review and modification as the ERO finalizes the audit approaches in response to pre-audit outreach conducted before the effective date of the requirements. These approaches are also subject to review and modification based on further modifications to the requirements by standards development actions. 2

33 Agenda Lists Not all Low Impact Locations are Equal Possible Audit Approaches Sampling Connectivity (LERC) Generation Transmission Control Centers Physical Security Security Awareness Incident Response Mixed Environments 3

34 Low Impact Lists Discrete lists of Low Impact BES Cyber Systems are not required HOWEVER: A list containing the name of each asset that contains a low impact BES Cyber System is required (CIP Requirement R1 Part 1.3 "Identify each asset that contains a low impact BES Cyber System") This would be a list of generating plants, transmission stations, certain distribution stations, and certain small control centers, that contain low impact BES Cyber Systems 4

35 Low Impact Lists The entity should be prepared to demonstrate that all BES assets (locations) are accounted for on either the list of high impact, medium impact or low impact locations (note: a list of high or medium impact locations is not specifically required, but can be surmised by looking at lists of high impact and medium impact BES Cyber Systems, if they exist) The entity should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protections, and are included in incident response plans 5

36 Low Impact Lists Similarly, lists of personnel with access to low impact BES Cyber Systems are not required HOWEVER: The entity should be prepared to demonstrate how it determines whether personnel have a need to access the low impact BES Cyber Systems The entity should be prepared to demonstrate how the electronic security protections and physical protections are implemented to ensure that only personnel that have a need have access The entity should be prepared to demonstrate that all those personnel have had access to the security awareness materials 6

37 Low Impact Lists Even though BES Cyber Asset / BES Cyber System lists are not required for compliance, it is in the entity's best interest to maintain lists to ensure that all low impact BES Cyber Systems are properly secured with both physical and electronic controls Station, plant, or Control Center drawings showing all Cyber Assets at the location, drawings showing computer network paths through identified access control devices, and drawings of physical locations to demonstrate required physical access control may be beneficial in demonstrating compliance These lists will not be assessed for completeness, only to help the entity tell its story 7

38 Not All Low Impact Locations are Equal Low impact covers a wide range of BES locations and Facilities Within low impact there are potentially vastly different BES impacts The CIP Standards don't make a distinction between a big (i.e., more impactful) low impact site and a small (i.e., less impactful) low impact site Consider the following field examples: 8

39 Not All Low Impact Locations are Equal: Transmission Considerations [Diagram labels: 115 kV, 115 kV, 69 kV] 9

40 Not All Low Impact Locations are Equal: Transmission Considerations [Diagram labels: 345 kV, 345 kV, 115 kV] 10

41 Not All Low Impact Locations are Equal: Transmission Considerations [Diagram labels: To SUB A, 345 kV, 345 kV, To SUB B, 115 kV, 115 kV] 11

42 Not All Low Impact Locations are Equal: Generation Considerations [Diagram labels: 30 MW, 115 kV] 12

43 Not All Low Impact Locations are Equal: Generation Considerations [Diagram labels: 700 MW, 700 MW, 230 kV] 13

44 Not All Low Impact Locations are Equal: Generation Considerations [Diagram labels: 4 x 700 MW (with segmented control systems), 345 kV] 14

45 Compliance Implications Pure random sampling of low impact assets for audit purposes is not appropriate Random sampling within specific subsets of low impact assets may be appropriate Expect risk and impact based judgmental sampling Expect more audit attention at low impact locations with larger impact Expect more audit attention to larger generation plants than at smaller plants 15

46 Auditing Connectivity The following audit approach is based on the initial draft posting of the LERC changes The SDT will be analyzing comments from industry and making changes in response to those comments The audit approach will need to be updated after the next posting 16

47 Auditing Connectivity In order to determine if LERC is present, expect a number of questions: 1. Is there any routable protocol communications in the wide area network used to communicate with assets containing low impact BES Cyber Systems? If no, then there is no LERC If yes, then further questions are needed Expect to be asked for network drawings, configurations, etc. to support your answer 17

48 Auditing Connectivity 2. For each low impact location (asset), is there routable protocol communications in the wide area network connecting to that location? If no, there is no LERC at that location If yes, there is LERC, and additional questions will be asked Expect to be asked for network drawings, configurations, etc. to support your answer 18

49 Auditing Connectivity 3. Does the routable communication connect in any way to the low impact BES Cyber Systems? If no, describe how the routable communication is isolated from the low impact BES Cyber Systems Logical or physical separation is allowed If yes, describe how the low impact BES Cyber Systems are protected from external routable access Firewall, proxy, application protocol break, authentication, etc. Expect to be asked for network drawings, configurations, etc. to support your answer 19

50 Auditing Connectivity Once LERC has been determined to exist at an asset, the low impact BES Cyber Systems must all be protected logically Expect to be asked for network drawings showing that all low impact BES Cyber Systems are appropriately protected Detailed inventory lists are not required, but high-level network drawings may be beneficial for describing what needs to be protected Detailed inventory lists may be provided (at the entity's option) to help support decisions, but the detailed lists will not themselves be subject to audit 20

51 Low Impact Audit Evidence Since lists of BES Cyber Assets / Systems are not required, what kinds of evidence are appropriate? Since there are no device-specific requirements, lists aren't needed Requirements are for border protection or system-level recovery 21

52 Low Impact Audit Evidence Existing as-built documentation and drawings should provide sufficient detail to allow the ERO to determine whether protections are put into place Drawings show connectivity Drawings show high-level component detail Drawings allow auditors to determine whether all required logical protections (e.g., access control devices) are put into place Drawings can indicate physical locations that need to be protected (or at least identify what needs physical protection) Drawings can show what systems need incident response plans 22

53 Possible Low Impact Evidence 23 Source: (modified)

54 Possible Low Impact Evidence 24 Source: gration%20considerations%20for%20large%20scale%20iec% %20systems.pdf (modified)

55 Possible Low Impact Evidence Corporate Workstation No Connectivity 25 Source: gration%20considerations%20for%20large%20scale%20iec% %20systems.pdf (modified)

56 LERC The entity should be prepared to provide a list of access control devices, and indicate which (assets containing) low impact BES Cyber Systems are associated with each device The entity should be prepared to demonstrate rationale for what constitutes necessary inbound and outbound bi-directional routable protocol access The entity should be prepared to demonstrate the access control lists that ensure that only necessary inbound and outbound connections are allowed 26

57 LERC Expect that large or complicated access control devices may receive additional inspection to ensure that all traffic between different low impact BES Cyber Systems is correctly filtered Expect that access control devices at Control Centers will be audited concurrently with the Control Centers 27

58 Dial-up The entity should be prepared to demonstrate Dial-up Connectivity protections at low impact BES Cyber System locations, the authentication methods in place, and any per Cyber Asset capabilities documented 28

59 Large Generation Based on inherent risk and impact, expect more attention at any generation plant > 1500 MW The entity should be prepared to demonstrate how the unit controls are segregated, including computer network diagrams, firewall configurations, data flow analysis, etc. The entity should be prepared to demonstrate the analysis of any common systems at the plant - Expect the analysis to include both a time-based component as well as an impact-based component The entity should be prepared to allow inspection of any common control rooms that have control of >1500 MW of generation 29

60 Larger Low Impact Transmission Based on inherent risk and impact, expect more attention at large networked transmission stations For example: Transmission stations that have multiple lines, but with some excluded from the IRC 2.5 calculation because they are generator interconnection lines Transmission stations that have multiple lines, but connect to only two other Transmission stations Transmission stations that have multiple lines, with large capacity connections to non-BES facilities The requirements are the same, but they may be more likely to be reviewed as part of the audit 30

61 Control Center Based on inherent risk and impact, expect more attention at Balancing Authority and multi-function Control Centers Based on inherent risk and impact, expect more attention if the control center is close to a medium impact threshold 31

62 Physical Security Low Impact physical security is significantly different than that required for CIP-014 CIP-014 uses medium impact transmission as a starting point Much of existing physical protections (e.g., for copper theft protection, or for human safety) should be leveraged: Fencing, locked gates, lighting, cameras, motion sensing, etc. Physical security is required for all low impact BES Cyber System locations regardless of electronic connectivity 32

63 Physical Security Physical Security applies to both the BES asset locations (i.e., generation plants, transmission stations, control centers) as well as to locations containing access control devices These might be at BES locations containing low impact BES Cyber Systems, BES locations containing medium impact BES Cyber Systems, at telecommunication hub locations, or at Control Centers 33

64 Physical Security The entity should be prepared to demonstrate how it controls access to the BES asset or access control device If the access control method is electronic card, the entity should be prepared to demonstrate how it provisions and manages access cards, and determines what accesses are assigned to those cards, including procedures for revocation of the access once access is no longer required. If the access control method is a brass key, the entity should be prepared to demonstrate its key management procedures, including how those keys are assigned or provisioned, lock core management, lost key processes, and revocation of the key once access is no longer required. 34

65 Physical Security The entity should be prepared to demonstrate how it assesses the "based on need" clause of the requirement If the access determination method is job title, the entity should be prepared to demonstrate how the job description provides justification for access. If the access determination method is job location, the entity should be prepared to demonstrate how personnel are assigned to job locations. The entity should be prepared to demonstrate it has procedures for assigning and revoking access regardless of the method. 35

66 Physical Security Since access control devices can be located at field locations, Control Centers, or at other locations (e.g., communications hubs), the entity should be prepared to produce a list of locations containing access control devices, especially if they are located outside of BES assets. Physical access to the access control devices has the same set of requirements as access to the low impact BES Cyber Systems as described above. 36

67 Physical Security The entity should be prepared to demonstrate that all Low Impact BES Cyber Systems and access control devices have been afforded the appropriate protections. Drawings, floor plans, etc. are acceptable, so long as they provide sufficient detail to indicate that all required BES Cyber Systems and access control devices are included Detailed inventory lists are not required, and reviews will be conducted at a high level 37

68 Cyber Security Awareness The entity should be prepared to demonstrate that cyber security awareness materials have been made available Materials and audit approaches are the same as for high and medium Examples include e-mails, posters, meeting presentations, etc. Specific actions are similar to CIP Requirement R1 Part 1.1, but a change interval of 15 months rather than 3 months. 38

69 Incident Response The entity should be prepared to demonstrate it has the required procedure documentation and evidence that the procedure has been followed Specific actions are similar to CIP-008-5, but relaxed testing timeframes (36 months rather than 15 months) and plan update timeframes (180 days rather than 90 days). 39

70 Mixed High/Med and Low The low impact requirements are not expected to be implemented in a vacuum Entities with low impact BES Cyber Systems as well as high or medium impact BES Cyber Systems may take advantage of existing programs or procedures, for example: Cyber Security Awareness materials and delivery may be the same for all impact levels Physical Security plan documentation developed for CIP Requirement R1, Part 1.1 may include sections on how physical security controls are applied to locations containing low impact BES Cyber Systems 40

71 Mixed High/Med and Low Examples continued: Configuration and management of electronic access controls may be similar for access control devices and EACMS containing EAPs (e.g., common vendor, common equipment, common configuration tools, common procedures for requesting and granting access, common administrative staff) Cyber Security Incident Response procedures may share procedural documentation for all impact levels The entity should be prepared to demonstrate procedures for applicability and note differences between high/medium impact and low impact, if any 41

72 42

73 What is the Implementation Timeframe for Low Impact? Scott R. Mix, CISSP, NERC CIP Technical Manager NERC Small Group Advisory Sessions Low Impact Webinar September 14, 2016

74 Agenda Implementation Plan Language Already required as of 7/1/2016 Required on 4/1/17 Required on 9/1/2018 2

75 Implementation Plan Language V5 Proposed Effective Date for Version 5 CIP Cyber Security Standards Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP as follows: Months Minimum The Version 5 CIP Cyber Security Standards, except for CIP R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP through CIP do not become effective, and CIP through CIP remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.2 2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees approval, and CIP R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities. 3

76 Implementation Plan Language V6 Effective Dates (for CIP Version 6) The effective dates for each of the proposed Reliability Standards and NERC Glossary terms are provided below. Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The compliance date for those particular sections represents the date that entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date. 1. CIP Cyber Security Security Management Controls Reliability Standard CIP shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Where approval by an applicable governmental authority is not required, the standard shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date the standard is adopted by the NERC Board of Trustees, or as otherwise provided for in that jurisdiction. 4

77 Implementation Plan Language V6 Compliance Date for CIP-003-6, Requirement R1, Part 1.2 Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R1, Part 1.2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP Compliance Date for CIP-003-6, Requirement R2 Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP Compliance Date for CIP-003-6, Attachment 1, Section 1 Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 1 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP Compliance Date for CIP-003-6, Attachment 1, Section 2 Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 2 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP

78 Implementation Plan Language V6 Compliance Date for CIP-003-6, Attachment 1, Section 3 Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 3 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP Compliance Date for CIP-003-6, Attachment 1, Section 4 Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 4 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP

79 FERC Effective Dates FERC approved CIP V5 on November 22, 2013, with an effective date of the order of February 3, 2014 (based on publication in the Federal Register), making CIP V5 effective April 1, 2016 FERC approved the CIP V6 changes on January 21, 2016, with an effective date of the order of March 31, 2016 (based on publication in the Federal Register), making the V6 changes effective July 1, 2016 FERC action on February 25, 2016 aligned all CIP V5 & V6 compliance dates to July 1,

80 Already Required as of 7/1/2016 CIP CIP Requirement R3 CIP Requirement R4 8

81 Already Required as of 7/1/2016 There were no changes to CIP done as part of the CIP V6 SDT effort The approved CIP V5 Implementation Plan therefore remained unchanged for CIP

82 Already Required as of 7/1/2016 CIP : CIP Requirement R1 requires identification of all high impact BES Cyber Systems, medium impact BES Cyber Systems, and identifying each asset that contains a low impact BES Cyber System CIP Requirement R2 requires the process be repeated, at least every 15 calendar months, and the CIP Senior Manager approved the identifications in Requirement R1 10

83 Already Required as of 7/1/2016 CIP Requirement R3 Requirement R3 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan) Requires the identification of a CIP Senior Manager CIP Senior Manager must approve the identifications made in CIP , Requirement R2 11

84 Already Required as of 7/1/2016 CIP Requirement R4 Requirement R4 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan) Requires the creation of a documented process to delegate the approvals of the CIP Senior Manager, unless no delegations are used. CIP approvals may be delegated 12

85 Required on 4/1/2017 CIP Requirement R1, Part 1.2 CIP Requirement R2, Attachment 1, Section 1 CIP Requirement R2, Attachment 1, Section 4 13

86 Required on 4/1/2017 CIP Requirement R1, Part 1.2 Requires the creation of cyber security policies for: 1. Cyber security awareness 2. Physical security controls 3. Electronic access controls for Low Impact External Routable Connectivity [Communications] (LERC) and Dial-up Connectivity 4. Cyber Security Incident Response Must be approved by the CIP Senior Manager (no delegation allowed) 14

87 Required on 4/1/2017 CIP Requirement R2, Attachment 1, Section 1 Requires that each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices). 15

88 Required on 4/1/2017 CIP Requirement R2, Attachment 1, Section 4 Requires that Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include: 4.1 Identification, classification, and response to Cyber Security Incidents; 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law; 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals; 16

89 Required on 4/1/2017 4.4 Incident handling for Cyber Security Incidents; 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident. 17

90 Required on 4/1/2017 Note: In order to properly develop policy (Section 1) and incident response (Section 4), physical (Section 2) and electronic (Section 3) access control procedures (i.e., the controls to be implemented) need to be initially developed, but they will not themselves be subject to audit 18

91 Required on 9/1/2018 CIP Requirement R2, Attachment 1, Section 2 CIP Requirement R2, Attachment 1, Section 3 19

92 Required on 9/1/2018 CIP Requirement R2, Attachment 1, Section 2 (draft language) Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any. 20

93 Required on 9/1/2018 CIP Requirement R2, Attachment 1, Section 3 (draft language) Electronic Access Controls: Each Responsible Entity shall: 3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s). 3.2 Implement authentication for all Dial up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability. 21

94 Required on 9/1/2018 All physical and electronic access control protections must be in place at all assets containing low impact BES Cyber Assets or BES Cyber Systems by 9/1/2018


96 Upcoming Low Impact Requirements Scott R. Mix, CISSP, NERC CIP Technical Manager NERC Small Group Advisory Sessions Low Impact Webinar September 14, 2016

97 Agenda LERC changes Transient Cyber Assets at Low Impact assets Control Center communications Transmission Operator Control Centers CIP Exceptional Circumstances Cyber Asset and BES Cyber Asset (BCA) Definitions Network and Externally Accessible Devices Virtualization 2

98 LERC Changes Initial comment period and ballot complete Proposed that LERC becomes the property of a BES asset (e.g., station, plant, Control Center) Likely minimal technical differences between V6 and proposed changes May have increased documentation to demonstrate all LERC possibilities Significant volume of comments from industry SDT will be meeting in 2 weeks to discuss comments and make changes in response 3

99 LERC Changes Since LERC is the property of a BES asset, it may exist even if there are no routable connections to low impact BES Cyber Systems Logical or physical network separation is an effective control Firewall-like filtering, data diodes, proxy services, etc. may be used if connections are required Auditors were going to ask about it anyhow 4

100 Transient Cyber Assets at Low Impact Assets Currently in development by SDT Includes Transient Cyber Assets and Removable Media Modeled after requirements in CIP-010, but adjusted to account for technical differences (no ESP, PCA) No obligation for authorization or software vulnerability mitigation Placed in CIP-003 as Section 5 of Attachments 1 and 2 5

101 Control Center Communications FERC Order specifically includes low impact Control Centers in the order SDT continues to work on details What data is to be protected Risk-based approach to protections High-watermarking of communications link (??) 6

102 Transmission Operations Control Centers SDT is continuing to work on the issue Developing a white paper for posting to industry 7

103 CIP Exceptional Circumstances SDT Considering adding CIP Exceptional Circumstances to additional requirements Probably no change to low impact 8

104 Cyber Asset and BES Cyber Asset (BCA) Definitions SDT is evaluating whether changes to the core definitions (Cyber Asset, BES Cyber Asset) are necessary May impact designation of low impact BES Cyber Systems Also looking at other modifications, which are not germane to low impact 9

105 Network and Externally Accessible Devices Probably minimal to no impact for low impact BES Cyber Systems 10

106 Virtualization SDT is investigating how to include virtualization concepts into the CIP Standards May include server, network and storage virtualization May impact low impact Control Centers (all virtualization technologies), as well as stations (primarily virtual network) 11


More information

Standard CIP-006-1a Cyber Security Physical Security

Standard CIP-006-1a Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-1a 3. Purpose: Standard CIP-006 is intended to ensure the implementation of a physical security program

More information

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: September 8, 2015

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: September 8, 2015 Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 R1: Grouping BES Cyber Assets Version: September 8, 2015 This document is designed to convey lessons learned from NERC s various CIP version

More information

CIP Technical Workshop

CIP Technical Workshop CIP Technical Workshop Scott R, Mix, CISSP, NERC CIP Technical Manager Nick Santora, CISSP, CISA, GISP, CIP Cybersecurity Specialist Tobias R. Whitney, Manager, CIP Compliance March 4, 2014 Agenda Welcome

More information

CIP Version 5 Evidence Request User Guide

CIP Version 5 Evidence Request User Guide CIP Version 5 Evidence Request User Guide Version 1.0 December 15, 2015 NERC Report Title Report Date I Table of Contents Preface... iv Introduction... v Purpose... v Evidence Request Flow... v Sampling...

More information

DRAFT Cyber Security Incident Reporting and Response Planning

DRAFT Cyber Security Incident Reporting and Response Planning DRAFT Implementation Guidance Pending Submittal for ERO Enterprise Endorsement DRAFT Cyber Security Incident Reporting and Response Planning Implementation Guidance for CIP-008-6 NERC Report Title Report

More information

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011 CIP Standards Version 5 Requirements & Status Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company David Revill Georgia Transmission Corporation CSO706 SDT Webinar

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

Standards Development Update

Standards Development Update Standards Development Update Steven Noess, Director of Standards Development FRCC Reliability Performance Industry Outreach Workshop September 20, 2017 Supply Chain Risk Management 1 Cyber Security Supply

More information

Designing Secure Remote Access Solutions for Substations

Designing Secure Remote Access Solutions for Substations Designing Secure Remote Access Solutions for Substations John R Biasi MBA, CISA, CISSP October 19, 2017 Agenda Brief Biography Interactive Remote Access Dial-Up Access Examples Transient Devices Vendor

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Purpose. ERO Enterprise-Endorsed Implementation Guidance Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 Requirement R1: Impact Rating of Generation Resource Shared BES Cyber Systems Version: January 29, 2015 Authorized by the Standards Committee

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-006-6 Cyber Security Physical Security of BES Cyber Systems This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity:

More information

CIP V5 Implementation Study SMUD s Experience

CIP V5 Implementation Study SMUD s Experience CIP V5 Implementation Study SMUD s Experience Tim Kelley October 16, 2014 Powering forward. Together. SMUD Fast Facts General Information SMUD employs approximately 2,000 individuals Service area of 900

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Draft CIP Standards Version 5

Draft CIP Standards Version 5 Draft CIP Standards Version 5 Technical Webinar Part 2 Project 2008-06 Cyber Security Order 706 Standards Drafting Team November 29, 2011 Agenda Opening Remarks John Lim, Consolidated Edison, Chair V5

More information

A. Introduction. Page 1 of 22

A. Introduction. Page 1 of 22 The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014 Technical s and s CIP Version 5 Standards Version: June 13, 2014 This document is designed to convey lessons learned from NERC s various activities. It is not intended to establish new requirements under

More information