CIP Compliance Workshop Boise, ID March 29, 2018

Transcription

1 CIP Compliance Workshop Boise, ID March 29, 2018 Mark Lemery, MSc, CPP, PSP Auditor, Cyber and Physical Security

2 2 Impact on Reliability Identify WECC s audit approach and inform entities of physical security best practices for protecting BES Cyber Systems.

3 3 Overview Introduction Purpose & Applicability Definitions Requirements & Parts Review Audit Approach & Results Audit Prep Tips for Success Q & A

4 4 Speaker Intro Bio Mark Lemery, MSc, CPP, PSP 25+ years Intelligence & Security Experience Nation State & Non-state Threats/Threat Actors Compliance Auditor, Physical and Cyber Security CIP-006, CIP-014 US Air Force (Retired) Intelligence Officer All-source Intelligence Operations, Analysis & Targeting (SIGINT, GEOINT, HUMINT, MASINT) Deployments: Somalia/Kenya, Turkey, Iraq, Kosovo, Afghanistan Education: MSc, Strategic Intelligence National Intelligence University, Washington, DC CIP Program Manager at Utah SIAC (State Law Enforcement Intelligence Fusion Center) Critical Infrastructure Protection (CIP) Program Manager State Lead for Private Sector Outreach/Education/Training Partnered w/dhs Protective Security Advisor (PSA) for Utah

5 5 Disclaimer The information contained in this presentation is drawn from our current understanding of this Standard and its Requirements as of the presentation date. The WECC audit approach and information contained within this presentation is subject to change based on future guidance.

6 CIP Cyber Security: Physical Security of BES Cyber Systems 6 Manage physical access to BES Cyber Systems via Physical Security Plan, Visitor Control Program, PACS Maintenance & Testing Program Applies to High & Medium Impact BCSI, based on CIP categorization

7 CIP R1: Implement Documented Physical Security Plan 7 Ensure physical access to BCSI is restricted & managed Implementation of a documented Physical Security Plan PNCs & AOCs: Hard Keys: Failure to implement or fully document hard key management system or program with same rigor as applied to electronic physical access control & badges #1 PNC & AOC Shared Facilities: Failure to implement own CIP program or execute agreements to indicate compliance responsibility

8 FERC 2017 Staff Report: Physical Key Management 8 However, the physical keys still provide access to PSPs and should be afforded the same level of control as for electronic access. (such as PACS ID badges)

9 R1 Part 1.1: 9 Operational or Procedural Controls PNCs & AOCs: Failure to define operational or procedural controls to restrict physical access Failure to ensure all PACS are identified & afforded required protections Failure to implement documented plan for PACS devices

10 10 PACS Cyber Assets that control, alert, or log PSP access Typically includes Control Panels, Servers & Workstations Excludes locally mounted hardware or devices If PACS inside PSP, while no additional obligation to comply with Parts 1.1, 1.6 & 1.7, WECC recommends entities implement PACS-specific controls beyond those resident in the PSP

11 Part 1.2: 11 PSP Access Single-factor Authentication Typical Physical Access Control Methods: Card Key: Electronic access; access rights predefined in computer database Special Locks: Locks w/ restricted key systems; remotely operated magnetic locks; man-trap systems Security Personnel: May be on or off-site Other Authentication Devices: Biometric, keypad, token, or other equivalent devices controlling physical access into PSP

12 Part 1.3: PSP Access Two-factor Authentication 12 Requires Two of the Following: Something You Know: Pin Code Something You Have: Card Key; Physical Key Something You Are: Biometric Scanner; Fingerprint, Retina Scanner. Hand Geometry For physically layered protection, no single authenticator allowed to provide access through both layers (example: locked gate with locked control building) Same key or access device cannot provide access to both layers

13 Part 1.4: PSP - Monitor for Unauthorized Access 13 Physical Access Monitoring Methods: Alarm Systems: To indicate interior motion or when a door, gate, or window has been opened without authorization Human Observation of Access Points: By security personnel who are also controlling physical access PNCs & AOCs: Entity failed to implement a program to monitor for unauthorized PSP access

14 Part 1.5: PSP Alarm or Alert within 15 Minutes 14 Alarm or alert after detecting unauthorized access from Part 1.4 Issued within 15 minutes; 15 minute closure of alarm not required Personnel receiving alarm must be identified in BES Cyber Security Incident Response Plan Documented 15 minute acknowledgement is reviewed at audit & is expected to demonstrate compliance PNCs & AOCs: Entity failed to implement a program to issue an alarm or alert w/in 15 minutes

15 Part 1.6: PACS Monitor for Unauthorized Access 15 CIP requires utilization of at least one physical access control for PACS assets located outside of a PSP Security Best Practice: Entities should apply same physical access controls to PACS panels & servers located in PSP; same as for PACS assets outside of a PSP PNCs & AOCs: Entity failed to monitor PACS for unauthorized physical access to PACS Cascading impact of failing to properly identify or categorize PACS assets

16 Part 1.7: PACS Alarm or Alert within 15 Minutes 16 Typically, most PACS panels/cabinets outside of PSP utilize door tamper switches, electronic card reader or hard keys PNCs & AOCs: Entity failed to issue an alarm or alert for unauthorized PACS access w/in 15 mins Cascading impact of failing to properly identify or categorize PACS assets

17 Part 1.8: PSP Log Access 17 Physical Access Logging Methods: Computerized Logging: Electronic logs (via PACS) Video Recording: Of sufficient quality to determine identity Note: Video system used in this way, i.e. for other than post-incident forensic analysis, is a PACS & must be protected as such Manual Logging: Log book or sign-in sheet Note: Logging of exit not required

18 Part 1.9: PSP 90 Day Access Log Retention 18 Retain Physical Access Logs for at Least Ninety/90 Calendar Days When submitting evidence, please submit access logs for multiple personnel & multiple PSP access points

19 Part 1.10: Restrict Physical Access to Cabling 19

20 Part 1.10: Restrict Physical Access to Cabling 20 Example: 2 separate PSPs in same building, or PSPs in different buildings, but inside the same Electronic Security Perimeter (ESP) Either physically protect cabling & components that leave a PSP (via armored cabling, steel or aluminum tubing or conduit, or secured cable trays) Or protect via data encryption, circuit monitoring (such as communications loss), or equally effective logical protections

21 CIP R2: Implement Documented Visitor Control Program 21 Implementation of a documented Visitor Control Program

22 Part 2.1: PSP Visitors - Continuous Escorted Access 22 Require continuous escort of PSP visitors When submitting evidence, please submit logs for multiple personnel & for multiple PSP access points

23 Part 2.2: PSP Visitors Manual or Automated Logging 23 Visitor logging should capture each visit; does not need to capture each entry or exit of each visitor Audit team recommends documenting actual escort vice a POC, to ensure any visitor follow-up is with the person with relevant knowledge PNCs & AOCs: Entity failed to ensure manual or automated logging Entity failed to ensure PSP logs maintained for each individual PSP Entity failed to ensure visitor logs included POC responsible for visitor

24 FERC 2017 Staff Report: Use of Manual Visitor Logs 24 The use of manual logs led to failures to record pieces of [required] information the risk could be lowered if highly visible instructions were located near each manual log.

25 Part 2.3: PSP Visitors 90 Day Visitor Log Retention 25 Retain Visitor Logs for at Least Ninety/90 Calendar Days When submitting evidence, please submit visitor logs for multiple personnel & multiple PSP access points

26 26 CIP R3: Implement PACS Maintenance & Testing Program Implementation of a documented PACS Maintenance & Testing Program AOCs: Current state of disrepair of many PACS devices at substations could result in future non-compliance Ensure situational awareness of PACS device operational status at all times Note: Expansion of Audit Scope possible if maintenance issues observed during site visits

27 Part 3.1: PACS & PSP Maintenance & Testing Every 24 Months 27 Includes testing of locally mounted hardware or devices used in controlling, alerting or logging PSP access Physical security controls unrelated to CIP PACS used for protection of BES Cyber Systems are out of scope for CIP-006-6, but may be relevant for CIP or CIP compliance

28 28 PACS Cyber Assets that control, alert, or log PSP access Typically Includes Control Panels, Servers & Workstations Excludes locally mounted hardware or devices If PACS inside PSP, while no additional obligation to comply with Parts 1.1, 1.6 & 1.7, WECC recommends entities implement PACS-specific controls beyond those resident in the PSP

29 29 Documentation Audit Prep - Tips for Success Physical Security Plan clear links to Requirements & Parts Asset/File Name continuity across RSAW, Physical Security Plan, PSP Diagrams & Physical Access Logs/Visitor Logs Ensure access control and alarm logs submitted as initial evidence or in response to DR only contain entries for PSP access points and/or PACS assets located outside of a PSP PACS Location, Number, Type Indicate specific location and type on PSP and/or other diagrams

30 30 Audit Prep - Tips for Success Shared Facilities Clearly implement own program or execute agreements to clearly indicate compliance responsibilities PSP Documentation/Diagrams Clearly identified PSP What are the access points? How is access controlled? PACS: location, number & type For PACS assets outside of a PSP, please provide diagram showing their location, number & type as well

31 Door alarmed Door alarmed NW Camera out NE Camera out MAIN ENTRANCE Card Reader 0 in Camera out CR 1 out Secured Door Camera In Door alarmed SW Camera out SE Camera out Door alarmed Sample Substation Control House PSP Diagram

32 Camera 1 In CR 01 IN CR 02 OUT Camera 2 Out Sample Substation Control Center PSP Diagram Access point= PSP=

33 33 Hard Key Management Audit Prep - Tips for Success Same key should not provide access to both PSP & non-psp doors When & how keys are to be used? Which PSP doors have hard key lock access? Who has access to hard keys; who has been issued them? How is use of hard key logged? Is an alarm triggered when door is opened? Can a single key (AKA: Factor) provide access to a High Impact PSP? Visitors Regularly review manual visitor logs for completeness

34 Physical Security Support Physical Security Work Group (PSWG) By entities, for entities Join today! WECC CIP Team just a phone call away We re here to help! Always willing to provide our audit approach

35 35 Contact CIP Compliance Audit Team Gary King, CPP, PSP CIP Sr. Compliance Auditor (801) Mark Lemery, CPP, PSP CIP Compliance Auditor (801) Brady Phelps, CPP, PSP CIP Compliance Auditor (520)