NPCC Compliance Monitoring Team Classroom Session

Similar documents
Compliance: Evidence Requests for Low Impact Requirements

Better Practice Elements for Audit Preparation

Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2

Low Impact BES Cyber Systems. Cyber Security Security Management Controls CIP Dave Kenney

Reliability Standard Audit Worksheet 1

Designing Secure Remote Access Solutions for Substations

Standard Development Timeline

Standard Development Timeline

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Low Impact Generation CIP Compliance. Ryan Walter

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Standard Development Timeline

SGAS Low Impact Atlanta, GA September 14, 2016

Reliability Standard Audit Worksheet 1

Standard CIP-006-3c Cyber Security Physical Security

Standard CIP-006-4c Cyber Security Physical Security

Reliability Standard Audit Worksheet 1

CIP Version 5 Evidence Request User Guide

Reliability Standard Audit Worksheet 1

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

New Brunswick 2018 Annual Implementation Plan Version 1

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

CIP Configuration Change Management & Vulnerability Assessments

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Implementing Cyber-Security Standards

CYBER SECURITY POLICY REVISION: 12

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Reliability Standard Audit Worksheet 1

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Standard CIP Cyber Security Physical Security

DRAFT Reliability Standard Audit Worksheet 1

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

CIP Cyber Security Configuration Management and Vulnerability Assessments

Physical Security Reliability Standard Implementation

Standard CIP Cyber Security Electronic Security Perimeter(s)

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

CIP 005 R2: Electronic Access Controls

Implementation Plan for Version 5 CIP Cyber Security Standards

Reliability Standard Audit Worksheet 1

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

CIP Standards Development Overview

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard Development Timeline

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

Standards Authorization Request Form

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Reliability Standard Audit Worksheet 1

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Draft CIP Standards Version 5

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

NERC CIP Compliance Matrix of RUGGEDCOM ROX II Operating System

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016

Cyber Security Supply Chain Risk Management

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Project Modifications to CIP Standards. Consideration of Comments Initial Comment Period

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

Standard CIP 007 3a Cyber Security Systems Security Management

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: March 2, 2014

Draft CIP Standards Version 5

CIP Technical Workshop

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Standards Development Update

Hang on it s going to be a wild ride

NERC-Led Technical Conferences

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Critical Cyber Asset Identification Security Management Controls

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

Critical Infrastructure Protection Version 5

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan

A. Introduction. Page 1 of 22

CIP Baseline Configuration Management Overview. FRCC Spring Compliance Workshop April 14-16, 2015

Reliability Standard Audit Worksheet 1

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities

Cyber Threats? How to Stop?

Reliability Standard Audit Worksheet 1

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Access Control and CIP 10/20/2011

CIP Cyber Security Security Management Controls

March 10, 2016 VIA ELECTRONIC FILING

Out-of-Band Management

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Standard CIP Cyber Security Security Management Controls

Transcription:

NPCC Compliance Monitoring Team Classroom Session John Muir - Director, Compliance Monitoring Jacqueline Jimenez - Senior Compliance Engineer David Cerasoli, CISSP - Manager, CIP Audits 5/14/2018 1

Compliance Monitoring Team Member Introductions Audit Process Audit Preparation Insights Update on CIP-003-7 Implementation Open Forum for Questions 5/14/2018 2

Audit Process John Muir Director, Compliance Monitoring 5/14/2018 3

Audit Process Day 0 Notification Letter with Pre-Audit Survey and Data Request ~Day 10 Initial Audit Briefing Conference Call Day 30 Pre-Audit Submittal and Data Request due Day 90 RSAWs and Evidence submittal due (End Day of Audit Period) Days 90 120 - Auditors review submittal and send requests for additional evidence as necessary. Day 120 Start of on-site audit or expected completion date of off-site audit Day 150 Draft Report issued -2 weeks allowed for comments Day 165 Comments due Day 170 Final Report Issued Refer to Our March 23, 2018 Presentation available on the NPCC Web site. Compliance / Documents / Compliance Webinars 5/14/2018 4

Audit Preparation Insights Jacqueline Jimenez Senior Compliance Engineer 5/14/2018 5

Audit Submittal Issues Only evidence submitted is an attestation. Overload of non-specific evidence - data dumping. Specific evidence documents identified, but are not annotated. Incomplete narrative when filling out RSAWs. 5/14/2018 6

PRC-005 O&P Audit Submittal Issues R3. In order to verify maintenance intervals are being respected, auditors may request evidence from before the start of the audit period to get the previous maintenance and the current maintenance dates and records to verify the intervals. 5/14/2018 7

O&P Audit Submittal Issues When providing PRC-005 evidence, do not repeat the same information for each relay provided that is general, but needed information. Provide that information once, i.e. cover page with all of the common statements, then provide the individual test records annotated. Provide clear identification of records to correlated sample set spreadsheet. 5/14/2018 8

O&P Audit Submittal Issues Provide one-line diagrams (GO, GOP, DP) clearly identifying the demarcation point. 5/14/2018 9

This is a good example the section is highlighted and then a bubble of the requirement it is satisfying Annotated evidence Good: Examples The section is highlighted with a word bubble of the requirement it is satisfying. 5/14/2018 10

This is a good example the section is highlighted and then a bubble of the requirement it is satisfying Annotated evidence Bad: Examples Providing a document with no highlighting to identify the section to be reviewed or references to the exact page. This can result in the auditors asking follow-up questions. 5/14/2018 11

PRC-005 submittal Good: Examples Relay test records where all pertinent information is highlighted. Spreadsheet containing data by substation, that provided explanation of the spreadsheet and very clear column headings, i.e. component, description, manufacturer/model, operates/trips, test dates (last, current, future) 5/14/2018 12

PRC-005 submittal Bad: Examples Relay test record with 313 pages of evidence. No pertinent information highlighted or annotated. Spreadsheet with no column headings or test dates provided. 5/14/2018 13

Examples Non-applicable requirement Good: Entity policy, procedure or document which supports the non-applicability of the requirement. Another entity s (RC, TOP, etc.) policy or procedure that corroborates the non-applicability of the requirement. In conjunction with other documentation, an attestation. 5/14/2018 14

Examples Non-applicable requirement Bad: Stating the requirement is not applicable without any supporting evidence or reason explaining why the requirement is not applicable. 5/14/2018 15

CIP-003-7, Attachment 1 Sections 2, 3 and 5 David Cerasoli, CISSP Manager, CIP Audits 5/14/2018 16

This film has been modified from its original version. It has been edited to run in the time allotted. Please refer to the actual CIP-003-7 standard and its implementation plan before making any compliance decisions. 5/14/2018 17

CIP-003-7 Compliance Timeline CIP-003-7 and its implementation plan were approved by FERC on April 19, 2018. The effective date of CIP-003-7 is January 1, 2020. You are still required to comply with all of CIP- 003-6 except Att. 1, Sections 2 and 3. You now have until January 1, 2020 to comply with CIP-003-7, Att. 1, Sections 2 and 3. LERC and LEAP will be retired immediately prior to the effective date of CIP-003-7. 5/14/2018 18

Summary of CIP-003-7, Attachment 1 Responsible entities with at least one low impact BES Cyber System are required to implement a cyber security plan for its low impact BES Cyber System that include all five sections in Attachment 1. Section 1. Cyber Security Awareness Section 2. Physical Security Controls Section 3. Electronic Access Controls Section 4. Cyber Security Incident Response Section 5. TCA and Removable Media Malicious Code Risk Mitigation 5/14/2018 19

Attachment 1, Cont. You are not required to maintain a list of low impact BES Cyber Assets, but we strongly suggest that you do. You are allowed to apply existing policies, procedures, and processes for your high or medium impact BES Cyber Systems to your low impact BES Cyber Systems. 5/14/2018 20

Mapping of Att. 1 to the other CIP Standards Section 1. Cyber Security Awareness Plan CIP-004-6, R1 - Security Awareness Section 2. Physical Security Controls CIP-006-6, R1 - Physical Security Plan, Access Controls Section 3. Electronic Access Controls CIP-005-5, R1 - Electronic Security Perimeter Section 4. Cyber Security Incident Response CIP-008-5, R1 - Cyber Security Incident Response Plan Section 5. Transient Cyber Assets (TCAs) and Removable Media Malicious Code Risk Mitigation CIP-010-2 Attachment 1 - Plans for TCAs and Removable Media 5/14/2018 21

What s new in CIP-003-7 Attachment 1? 5/14/2018 22

Section 2 Physical Security Controls LEAP was removed, but you are still required to control physical access to your low impact BES Cyber Systems and the Cyber Assets that provide electronic access controls. 5/14/2018 23

Section 3 Electronic Access Controls LERC and LEAP have been removed. However, you are still required to control electronic access and protect Dial-up connections, except where communication is used for time-sensitive protection or control functions between Intelligent Electronic Devices. 5/14/2018 24

Section 5 - TCA and Removable Media Malicious Code Risk Mitigation This new section will require you to mitigate the risk of introduction of malicious code to low impact BES Cyber Systems from TCAs and Removable Media. 5/14/2018 25

Section 5, Cont. You can choose whether to manage your TCAs in an ongoing or on-demand manner. - Ongoing is active management - On-demand is immediately prior to connecting a TCA to your BES Cyber System 5/14/2018 26

Section 5, Cont. 3rd party TCAs will need to be checked for use of one or more of the following before they are connected to your BES Cyber Systems: Review of antivirus update level Review of antivirus update process used by the party Review of application whitelisting used by the party Review use of live operating system and software executable only from read-only media Review of system hardening used by the party; or Other method(s) to mitigate the introduction of malicious code. 5/14/2018 27

Section 5, Cont. You will need a method for detecting and mitigating the threat of detected malicious code for Removable Media. 5/14/2018 28

What might NPCC Auditors ask for auditing Sections 2, 3 and 5? 5/14/2018 29

General Requests 1. Your Cyber Security Plan 2. List of BES Cyber Systems / Assets 3. Electronic Access Controls device configuration 4. We may want to visually inspect the BES Cyber System, associated Cyber Assets and the physical locations where they reside. 5/14/2018 30

Section 2 Physical Security Controls Does your Cyber Security Plan cover physical security controls for your low impact BES Cyber Systems and associated access controls? Describe your rationale for determining who needs physical access to your BES Cyber System locations? Where are the low impact BES Cyber Systems and their associated electronic access controls located? Did you actually implement the controls documented in your Cyber Security Plan? 5/14/2018 31

Section 3 Electronic Access Controls Does your Cyber Security Plan cover electronic access controls for your low impact BES Cyber Systems? Is there routable connectivity to your BES Cyber Systems? If yes, how is access control performed for inbound and outbound access? Is there Dial-up connectivity to your BES Cyber Systems? If yes, are there controls to authenticate all Dial-up Connectivity? Have the controls documented in your Cyber Security Plan actually been implemented? 5/14/2018 32

Section 5 TCAs and Removable Media Does your Cyber Security Plan cover TCAs and Removable Media? Do you actually have any TCAs, 3 rd party TCAs and/or Removable Media? If yes, how do you keep track of TCAs and Removable media, e.g., spreadsheet or database? Are you managing your TCAs in an ongoing or ondemand manner? What sort of malicious code prevention, detection and/or mitigation tools or methods are you using? 5/14/2018 33

Questions NPCCCompliance@NPCC.org 5/14/2018 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback