CIP Compliance Workshop Boise, ID March 29, 2018


CIP-006-6 Compliance Workshop
Boise, ID
March 29, 2018
Mark Lemery, MSc, CPP, PSP
Auditor, Cyber and Physical Security

2 Impact on Reliability
Identify WECC's audit approach and inform entities of physical security best practices for protecting BES Cyber Systems.

3 Overview
- Introduction
- Purpose & Applicability
- Definitions
- Requirements & Parts Review
- Audit Approach & Results
- Audit Prep Tips for Success
- Q & A

4 Speaker Intro Bio
Mark Lemery, MSc, CPP, PSP
- 25+ years Intelligence & Security Experience
- Nation State & Non-state Threats/Threat Actors
- Compliance Auditor, Physical and Cyber Security
- CIP-006, CIP-014
- US Air Force (Retired) Intelligence Officer
- All-source Intelligence Operations, Analysis & Targeting (SIGINT, GEOINT, HUMINT, MASINT)
- Deployments: Somalia/Kenya, Turkey, Iraq, Kosovo, Afghanistan
- Education: MSc, Strategic Intelligence, National Intelligence University, Washington, DC
- CIP Program Manager at Utah SIAC (State Law Enforcement Intelligence Fusion Center)
- Critical Infrastructure Protection (CIP) Program Manager
- State Lead for Private Sector Outreach/Education/Training
- Partnered w/ DHS Protective Security Advisor (PSA) for Utah

5 Disclaimer
The information contained in this presentation is drawn from our current understanding of this Standard and its Requirements as of the presentation date. The WECC audit approach and information contained within this presentation is subject to change based on future guidance.

6 CIP-006-6 Cyber Security: Physical Security of BES Cyber Systems
- Manage physical access to BES Cyber Systems via Physical Security Plan, Visitor Control Program, PACS Maintenance & Testing Program
- Applies to High & Medium Impact BCSI, based on CIP-002-5.1 categorization

7 CIP-006-6 R1: Implement Documented Physical Security Plan
- Ensure physical access to BCSI is restricted & managed
- Implementation of a documented Physical Security Plan
PNCs & AOCs:
- Hard Keys: Failure to implement or fully document hard key management system or program with same rigor as applied to electronic physical access control & badges (#1 PNC & AOC)
- Shared Facilities: Failure to implement own CIP-006-6 program or execute agreements to indicate compliance responsibility

8 FERC 2017 Staff Report: Physical Key Management
However, the physical keys still provide access to PSPs and should be afforded the same level of control as for electronic access. (such as PACS ID badges)

9 R1 Part 1.1: Operational or Procedural Controls
PNCs & AOCs:
- Failure to define operational or procedural controls to restrict physical access
- Failure to ensure all PACS are identified & afforded required protections
- Failure to implement documented plan for PACS devices

10 PACS
- Cyber Assets that control, alert, or log PSP access
- Typically includes Control Panels, Servers & Workstations
- Excludes locally mounted hardware or devices
- If PACS inside PSP, while no additional obligation to comply with Parts 1.1, 1.6 & 1.7, WECC recommends entities implement PACS-specific controls beyond those resident in the PSP

11 Part 1.2: PSP Access Single-factor Authentication
Typical Physical Access Control Methods:
- Card Key: Electronic access; access rights predefined in computer database
- Special Locks: Locks w/ restricted key systems; remotely operated magnetic locks; man-trap systems
- Security Personnel: May be on or off-site
- Other Authentication Devices: Biometric, keypad, token, or other equivalent devices controlling physical access into PSP

12 Part 1.3: PSP Access Two-factor Authentication
Requires Two of the Following:
- Something You Know: PIN Code
- Something You Have: Card Key; Physical Key
- Something You Are: Biometric Scanner; Fingerprint, Retina Scanner, Hand Geometry
For physically layered protection, no single authenticator allowed to provide access through both layers (example: locked gate with locked control building)
- Same key or access device cannot provide access to both layers

13 Part 1.4: PSP - Monitor for Unauthorized Access
Physical Access Monitoring Methods:
- Alarm Systems: To indicate interior motion or when a door, gate, or window has been opened without authorization
- Human Observation of Access Points: By security personnel who are also controlling physical access
PNCs & AOCs:
- Entity failed to implement a program to monitor for unauthorized PSP access

14 Part 1.5: PSP Alarm or Alert within 15 Minutes
- Alarm or alert after detecting unauthorized access from Part 1.4
- Issued within 15 minutes; 15 minute closure of alarm not required
- Personnel receiving alarm must be identified in BES Cyber Security Incident Response Plan
- Documented 15 minute acknowledgement is reviewed at audit & is expected to demonstrate compliance
PNCs & AOCs:
- Entity failed to implement a program to issue an alarm or alert w/in 15 minutes

15 Part 1.6: PACS Monitor for Unauthorized Access
- CIP-006-6 requires utilization of at least one physical access control for PACS assets located outside of a PSP
- Security Best Practice: Entities should apply same physical access controls to PACS panels & servers located in PSP; same as for PACS assets outside of a PSP
PNCs & AOCs:
- Entity failed to monitor PACS for unauthorized physical access to PACS
- Cascading impact of failing to properly identify or categorize PACS assets

16 Part 1.7: PACS Alarm or Alert within 15 Minutes
- Typically, most PACS panels/cabinets outside of PSP utilize door tamper switches, electronic card reader or hard keys
PNCs & AOCs:
- Entity failed to issue an alarm or alert for unauthorized PACS access w/in 15 mins
- Cascading impact of failing to properly identify or categorize PACS assets

17 Part 1.8: PSP Log Access
Physical Access Logging Methods:
- Computerized Logging: Electronic logs (via PACS)
- Video Recording: Of sufficient quality to determine identity
  Note: Video system used in this way, i.e. for other than post-incident forensic analysis, is a PACS & must be protected as such
- Manual Logging: Log book or sign-in sheet
Note: Logging of exit not required

18 Part 1.9: PSP 90 Day Access Log Retention
- Retain Physical Access Logs for at Least Ninety/90 Calendar Days
- When submitting evidence, please submit access logs for multiple personnel & multiple PSP access points
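An added example, not part of the original presentation: a pre-audit self-check that runs over a PACS event export and tests the Part 1.5 timing (alert issued within 15 minutes of a detected unauthorized access) and the Part 1.9 retention window (at least 90 calendar days of access logs per PSP access point). The export layout, the event names (DOOR_FORCED, ALERT_ISSUED), the access point labels and the sample rows are all constructed assumptions.

```python
from datetime import datetime, timedelta

ALERT_LIMIT = timedelta(minutes=15)  # Part 1.5: alarm or alert issued within 15 minutes
RETENTION = timedelta(days=90)       # Part 1.9: at least 90 calendar days of access logs

# Constructed sample rows from a hypothetical PACS export:
# (timestamp, access point, event type, detection id)
SAMPLE_EVENTS = [
    ("2017-12-20 07:58:10", "CR-01", "ACCESS_GRANTED", None),
    ("2018-02-10 02:14:00", "CR-01", "DOOR_FORCED", "E1"),
    ("2018-02-10 02:19:30", "CR-01", "ALERT_ISSUED", "E1"),
    ("2018-03-01 23:40:00", "DOOR-SW", "DOOR_FORCED", "E2"),
    ("2018-03-02 00:02:00", "DOOR-SW", "ALERT_ISSUED", "E2"),
    ("2018-03-20 11:05:00", "DOOR-SW", "DOOR_FORCED", "E3"),
    ("2018-03-28 16:45:00", "CR-01", "ACCESS_GRANTED", None),
]

def parse(events):
    """Convert timestamp strings to datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), point, kind, eid)
            for ts, point, kind, eid in events]

def late_or_missing_alerts(events):
    """Return {detection id: reason} where no alert was issued within ALERT_LIMIT."""
    rows = parse(events)
    first_alert = {}
    for ts, _, kind, eid in rows:
        if kind == "ALERT_ISSUED":
            first_alert[eid] = min(ts, first_alert.get(eid, ts))
    findings = {}
    for ts, point, kind, eid in rows:
        if kind != "DOOR_FORCED":
            continue
        issued = first_alert.get(eid)
        if issued is None:
            findings[eid] = f"{point}: no alert recorded"
        elif issued - ts > ALERT_LIMIT:
            findings[eid] = f"{point}: alert after {issued - ts}"
    return findings

def retention_gaps(events, as_of):
    """Return access points whose oldest retained record is newer than the
    90-day cutoff, i.e. points where retention cannot be shown from this export."""
    oldest = {}
    for ts, point, _, _ in parse(events):
        oldest[point] = min(ts, oldest.get(point, ts))
    cutoff = as_of - RETENTION
    return sorted(p for p, ts in oldest.items() if ts > cutoff)

if __name__ == "__main__":
    print(late_or_missing_alerts(SAMPLE_EVENTS))
    print(retention_gaps(SAMPLE_EVENTS, datetime(2018, 3, 29)))
```

A retention gap reported here means only that the export holds no record older than the cutoff for that access point; a rarely used door needs a manual look before it is treated as a finding.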

19 Part 1.10: Restrict Physical Access to Cabling

20 Part 1.10: Restrict Physical Access to Cabling
- Example: 2 separate PSPs in same building, or PSPs in different buildings, but inside the same Electronic Security Perimeter (ESP)
- Either physically protect cabling & components that leave a PSP (via armored cabling, steel or aluminum tubing or conduit, or secured cable trays)
- Or protect via data encryption, circuit monitoring (such as communications loss), or equally effective logical protections

21 CIP-006-6 R2: Implement Documented Visitor Control Program
- Implementation of a documented Visitor Control Program

22 Part 2.1: PSP Visitors - Continuous Escorted Access
- Require continuous escort of PSP visitors
- When submitting evidence, please submit logs for multiple personnel & for multiple PSP access points

23 Part 2.2: PSP Visitors Manual or Automated Logging
- Visitor logging should capture each visit; does not need to capture each entry or exit of each visitor
- Audit team recommends documenting actual escort vice a POC, to ensure any visitor follow-up is with the person with relevant knowledge
PNCs & AOCs:
- Entity failed to ensure manual or automated logging
- Entity failed to ensure PSP logs maintained for each individual PSP
- Entity failed to ensure visitor logs included POC responsible for visitor

24 FERC 2017 Staff Report: Use of Manual Visitor Logs
The use of manual logs led to failures to record pieces of [required] information the risk could be lowered if highly visible instructions were located near each manual log.

25 Part 2.3: PSP Visitors 90 Day Visitor Log Retention
- Retain Visitor Logs for at Least Ninety/90 Calendar Days
- When submitting evidence, please submit visitor logs for multiple personnel & multiple PSP access points

26 CIP-006-6 R3: Implement PACS Maintenance & Testing Program
- Implementation of a documented PACS Maintenance & Testing Program
AOCs:
- Current state of disrepair of many PACS devices at substations could result in future non-compliance
- Ensure situational awareness of PACS device operational status at all times
Note: Expansion of Audit Scope possible if maintenance issues observed during site visits

27 Part 3.1: PACS & PSP Maintenance & Testing Every 24 Months
- Includes testing of locally mounted hardware or devices used in controlling, alerting or logging PSP access
- Physical security controls unrelated to CIP-006-6 PACS used for protection of BES Cyber Systems are out of scope for CIP-006-6, but may be relevant for CIP-003-6 or CIP-014-2 compliance

28 PACS
- Cyber Assets that control, alert, or log PSP access
- Typically Includes Control Panels, Servers & Workstations
- Excludes locally mounted hardware or devices
- If PACS inside PSP, while no additional obligation to comply with Parts 1.1, 1.6 & 1.7, WECC recommends entities implement PACS-specific controls beyond those resident in the PSP

29 Audit Prep - Tips for Success
Documentation
- Physical Security Plan: clear links to Requirements & Parts
- Asset/File Name continuity across RSAW, Physical Security Plan, PSP Diagrams & Physical Access Logs/Visitor Logs
- Ensure access control and alarm logs submitted as initial evidence or in response to DR only contain entries for PSP access points and/or PACS assets located outside of a PSP
PACS Location, Number, Type
- Indicate specific location and type on PSP and/or other diagrams

30 Audit Prep - Tips for Success
Shared Facilities
- Clearly implement own program or execute agreements to clearly indicate compliance responsibilities
PSP Documentation/Diagrams
- Clearly identified PSP
- What are the access points?
- How is access controlled?
- PACS: location, number & type
- For PACS assets outside of a PSP, please provide diagram showing their location, number & type as well

[Figure: Sample Substation Control House PSP Diagram. Labels: alarmed doors; NW, NE, SW and SE cameras facing out; main entrance with card readers (in and out) and cameras (in and out); secured door.]

[Figure: Sample Substation Control Center PSP Diagram. Labels: Camera 1 In; Camera 2 Out; CR 01 IN; CR 02 OUT; legend for access point and PSP.]

33 Audit Prep - Tips for Success
Hard Key Management
- Same key should not provide access to both PSP & non-PSP doors
- When & how keys are to be used?
- Which PSP doors have hard key lock access?
- Who has access to hard keys; who has been issued them?
- How is use of hard key logged?
- Is an alarm triggered when door is opened?
- Can a single key (AKA: Factor) provide access to a High Impact PSP?
Visitors
- Regularly review manual visitor logs for completeness

Physical Security Support
Physical Security Work Group (PSWG)
- By entities, for entities
- Join today! https://www.wecc.biz/oc/pages/pswg.aspx
WECC CIP Team
- Just a phone call away
- We're here to help!
- Always willing to provide our audit approach

35 Contact
CIP Compliance Audit Team: CIP@wecc.biz
- Gary King, CPP, PSP, CIP Sr. Compliance Auditor, (801) 455-8364, gking@wecc.biz
- Mark Lemery, CPP, PSP, CIP Compliance Auditor, (801) 440-8817, mlemery@wecc.biz
- Brady Phelps, CPP, PSP, CIP Compliance Auditor, (520) 249-6350, bphelps@wecc.biz