Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Transcription

1 Guide to cyber security/cip specifications and requirements for suppliers September 2016

2 Introduction and context The AltaLink cyber security/cip specification and requirements for suppliers (the standard) addresses: Cyber security risk Compliance requirements for CIP. The overall purpose of the standard is to ensure that cyber security risk is managed appropriately. These slides provide an introduction to each section of the standard more information can be obtained from AltaLink manager, cyber security. It is important that this standard is read in the right context. Not all sections may apply to you if you do not work across all areas of AltaLink s business. Very few suppliers will have access to personal information, but it is critical that those that do, protect it appropriately. Make sure you discuss specific scenarios with AltaLink if you want to understand how the standard impacts you. Note that the standard is evolving and will change over time.

3 Introduction The introduction section provides some context to the standard and background to the standard and requests that suppliers promote good cyber security to their personnel Applicability The applicability of the standard is defined as any goods or services provided to AltaLink so if you supply anything to AltaLink, the standard could apply to you. However, not all goods and services supplied to AltaLink have cyber security implications, so more details on applicable areas are provided below. These sections define the type of goods and services that will need to meet the standard: Information technologies. This means corporate type systems, such as those used for general , developing and managing documents and drawings, enterprise applications (such as SAP), workstations and laptops. Operational technologies. These are the IT-like systems that directly support the bulk electric system, including intelligent devices in a substation and the Energy Management System. For example, a substation HMI is operational technology, as is the SCADA switch in a substation. Importantly, this definition also includes data, such as the configuration of a relay. AltaLink information or personal information. This means any information provided by AltaLink or about AltaLink systems, hardware, software that is not already public knowledge. Personal information means information that is about an identifiable individual, as defined by the Alberta Personal Information Protection Act. Access to AltaLink information or operational networks. This means anyone that has a need to access the networks or information identified by the definitions above. AltaLink supplied or specified product The standard is meant to be achievable and so this section includes the concept that the supplier doesn t have to meet all of the requirements where AltaLink has defined or provided a particular product for the supplier to implement. This means that for example if AltaLink asks a supplier to install a relay that cannot meet the password requirements, then the supplier is not bound to meet those password requirements. The intent of this section is to ensure that suppliers are not put in a position where they have to meet a requirement that is impossible to achieve because of the product specified by AltaLink. Note also that many of the sections allow the supplier to agree a variation with AltaLink if a different approach is needed or a requirement cannot be met.

4 Objective/framework/documentation The objective and framework sections are intended to provide some context. The standard was developed based on an assessment of risks and using the language developed by industry bodies in North America. Documentation needs to be provided to AltaLink in accordance with the defined time periods. AltaLink can request updates to documentation on an ongoing basis.

5 1. CIP requirements This section has been included to identify the specific requirement to meet the critical infrastructure protection standards. These standards are supportive of good cyber security practices. Definitions The CIP standards apply to AltaLink at specific substations and the control centres. CIP also applies to some of the information related to those substations though the CIP information protection program. The standard uses the term CIP systems to mean those devices in-scope for CIP at AltaLink The list of applicable substations and the information protection program can be obtained from AltaLink. Awareness program Suppliers are required to participate in the CIP-specific awareness program provided by AltaLink. This is likely to be communications material such as s and posters. Note that this is in additional to the awareness program that suppliers are required to implement. CIP system access requirements Note that CIP access relates to unescorted physical access and electronic access There are specific CIP requirements for everyone that needs to have access to the CIP systems before they are granted access: Access must be driven by a genuine business need e.g. cannot just grant access to everyone CIP training must be completed A personnel risk assessment must be completed These requirements are expanded below.

6 CIP training CIP training The AltaLink CIP training will be delivered as an e-learning package that is expected to take around 45 minutes to complete. The course material will be provided by AltaLink and it will be delivered through the AltaLink Learning Management System which can be accessed from outside the AltaLink networks To be qualified to work for AltaLink you need to be trained, no different than safety. Training time is at the suppliers cost Note that the training must be retaken every 12 months The current training module has no pass/fail requirements. There are a few short quizzes during the training to help the retention of knowledge Training material has been developed as a common course for all those needing CIP access and it is important to understand the breadth of the CIP requirements so you may have to learn some control centre material even if you do not work in the control centre.

7 CIP personnel risk assessment The CIP personnel risk assessment consists of two parts: Verification of identity Criminal records check Both parts of the risk assessment must be completed by the supplier and records retained for 10 years in case AltaLink needs to validate in the future The criminal records check needs to cover the individual s: Current residence Any other locations where the individual has resided for more than six months in the last seven years There are on-line services available to conduct background checks. Make sure it is a Canada-wide check and also covers any relevant international locations All results of the risk assessment are to be sent to the AltaLink CIP senior manager, both clear and notclear Any results that are incomplete or have a criminal record or where identify cannot be established will be subject to an AltaLink risk assessment before access can be granted. These cases will be assessed by evaluating the risk to AltaLink based on the outcome of the criminal records check The decision on whether or not an individual can have access by AltaLink is final Any new convictions must be notified to AltaLink and may result in the removal of access The background check must be renewed every seven yhears

8 Access revocation Access revocation It is important to ensure that access is removed in a timely way when people no longer have their original need to access AltaLink systems. This is a specific requirement for CIP compliance, with defined time limits, hence the timings stated in the standard. AltaLink has extended this requirement to all systems, in addition to the CIP systems because it is a good way of mitigating risk when an employee leaves The termination requirements are split into two parts: Termination. AltaLink needs to be informed promptly when an individual is terminated. The time requirements also apply for weekends and non-working days Reassignments or transfers. It is not considered to be as great a risk when an employee is reassigned or transferred and so the time constraints are not as stringent. It is still important to remove access in these cases

9 2. Data and information security program This is a program to ensure that AltaLink systems, data and information are securely managed by the supplier organization The specific requirements are for policies, standards and controls to be developed and implemented. These documents are to: Ensure confidentiality Protect against threats Protect against unauthorised access An example could be a standard for information handling The program should be in proportion to the amount of interactions with AltaLink information and the material that needs to be protected This program must support any specific disaster recovery or business continuity requirements that have been specified by AltaLink Note that there is also a general confidentiality statement in this section that supports the other contractual confidentiality provisions.

10 3. Security communications and awareness Suppliers are required to have an information security communications and awareness program. The requirement is to deliver this program to those individuals working with AltaLink information, data and systems The communications need to cover application security and mitigation for security attacks The communications program should also include awareness of the data and information security program.

11 4. Configuration change management The configuration change management includes two aspects of configuration management: Configuration of products and applications supplied to AltaLink Management of configuration of devices used by supplier to connect to AltaLink systems or that process AltaLink confidential information. The requirement to provide information on products and services provided to AltaLink is to ensure ongoing secure operations and covers: Operating systems Firmware (if no operating system) Open-source application software Enabled logical application ports. Additionally, the method of accessing configuration needs to be provided for example in user instructions The general configuration requirement covers laptops, servers and workstations that are used by supplier to connect to AltaLink systems or that process AltaLink confidential information. Suppliers must have a configuration management and change control process that protects vulnerable services and settings. The process needs to cover the standard configuration management activities of planning, identification, control, monitoring and verification.

12 5. Access control The access control requirements cover: Management of authentication credentials and privileges Ability to configure secure locations Secure digital delivery. Management of credentials include the protection against unauthorised privilege escalation so that users cannot exceed their allowed privilege level. There must be an approved method for defining access permissions and user groups to ensure that devices and systems can be securely managed. Changes in personnel that affect the assignment of credentials and controls, such as a change in a domain administrator for a service provided to AltaLink, need to be notified to AltaLink. There also needs to be a confirmation that unauthorised logging devices are not installed. The access allowed to a component on a network to different zones must be able to be configured by AltaLink. This means that a component that is only allowed to access a corporate network must be able to be prevented from bridging to an operational network. The ability to configure the component must be described in documentation provided to AltaLink. The digital delivery method between the Supplier and AltaLink must be agreed prior to delivery. The method may include encryption but this depends on the information to be exchanged and the approach that will be used for exchange (e.g. , secure ftp, DVD).

13 6. Authentication and password policy This section provides the requirements for authentication and passwords, including remote access. These requirements will help protect devices and services against attack from hacking or inadvertent misuse. There are specific requirements in this section that can be deferred through prior agreement with AltaLink, listed below. Otherwise the Supplier must prevent: Multiple concurrent logins with same credentials, to protect against the sharing of passwords The retention of login information between sessions Auto-fill during login Anonymous logins, all to reduce the risk of a successful attack by a hacker. The authentication and authorization protocols must be documented and the product must use authentication protocols that are acceptable to AltaLink. Passwords must be protected and not stored openly or in a way that makes it easy to obtain the passwords. Remote access (i.e. not a local connection to a device) must be secured using multi-factor authentication (such as a token that generates a passcode) that follows the AltaLink standard. Remote access pathways must be documented so that they can be disabled by AltaLink if the risk associated with remote access are unacceptable. The accounts needed for proper operation of a product or service must be documented to ensure that the right access can be maintained and the accounts used can be monitored. Default accounts must be changed to managed accounts using the AltaLink password standards that are available from the Manager, cyber security.

14 7. Log files This section defines the requirements that must be met in relation to logging for devices. It specifically relates to secure aspects of logging. There may be other, operational logging requirements that are specified by AltaLink Includes management of log files and methods for integration to SIEM (e.g. syslog).

15 8. Malware detection and protection This is a requirement to advise on how to prevent malware in relation to product delivery Includes malware protection techniques and or guidance on malware prevention.

16 9. Reliability and adherence to standards Protect confidentiality and integrity of information Ensure no negative impact on operational performance from security measures applied to services or products Comply with interoperability and security standards Use secure disposal methods.

17 10. Secure development spec and reqts Use secure development lifecycle that has been documented Applies to energy delivery system hardware, software, and firmware Needs to ensure that critical security weaknesses are addressed Identify country of origin of components and advise of changes Must describe QA/QC program that includes assessment of cyber weaknesses and vulnerabilities Communicate security related issues to AltaLink.

18 11. Patch management and updates Need a patch management program to ensure patches are provided to AltaLink Includes testing of patches and process for updating This can be based on an existing supplier program e.g. if you supply Microsoft products, the patch management program is that provided by Microsoft.

19 12. Security breach procedures Requirements for notification of security breaches to AltaLink Services - One hour Product five days Cooperate with AltaLink to investigate and address breaches Don t inform third parties of the breach without agreeing with AltaLink Need to notify AltaLink of breach history (last 2 years) during bidding process

20 13. Physical security This section defines physical security requirements that are specific to the components managed by these requirements so general physical security requirements (e.g. types of access card) are not included Any tamper detection systems need to work with AltaLink systems. Further details should be obtained from the AltaLink Manager, cyber security when the system is specified Security systems are a balance between security and hampering day-to-day operations. The impact on operations should be minimised and suppliers need to work with AltaLink to achieve this aim Default access codes need to be reprogramed or removed before systems are provided to AltaLink and the revised codes provided Any communication paths used need to ensure that vulnerabilities are not introduced during communications. This means that communications should be as direct as possible and not routed through additional systems that have lower security levels. This approach needs to be verified in writing The details of security features and security instructions for operations need to be provided to AltaLink so that ongoing operation can be assured Unnecessary software needs to be removed or a risk assessment provided to AltaLink if it cannot be removed. This is to ensure that no additional vulnerabilities are introduced through software that doesn t relate to the primary operation of the device Documentation is required and the documentation needs to include an explanation of the ports and services required for operation. Port and services that are not needed for normal operations need to be disabled. The requirements list the types of ports that need to be included Any backdoor passwords or known methods for bypassing security controls needs to be provided in writing, or a risk assessment of the known vulnerabilities.

21 14. General This section requires other relevant AltaLink polices, standard and processes to be followed As an example, the general AltaLink cyber security policy needs to be followed.

22 More information and key contacts Manager, Cyber security Scott Finch CIP Senior Manager Maureen Higgins Manager, Physical security Dean Young