MIDWEST RELIABILITY ORGANIZATION
Compliance: Evidence Requests for Low Impact Requirements
Jess Syring, CIP Compliance Engineer
MRO CIP Low Impact Workshop
March 1, 2017
Improving RELIABILITY and mitigating RISKS to the Bulk Power System

Topics
- Requirements for Low Impact BES Cyber Systems (LIBCS)
- Evidence Requests tied to LIBCS
- Potential change for CIP evidence requests

Requirements tied to LIBCS
LIBCS Requirements and Enforcement Date
- CIP-002-5.1a R1 Part 1.3: currently enforceable
- CIP-002-5.1a R2: currently enforceable
- CIP-003-6 R1 Part 1.2: April 1, 2017
- CIP-003-6 R2: April 1, 2017 (including plans for all sections within Attachment 1)
- Implementation for Attachment 1 Sections 1 and 4: April 1, 2017
- Implementation for Attachment 1 Sections 2 and 3: September 1, 2018

BES Cyber System Categorization Evidence
CIP-002-5.1a R1 Part 1.3
- Documentation of the process for classifying the LIBCS
- A list of any asset(s) that contain a LIBCS
CIP-002-5.1a R2
- Documentation that a review has taken place for CIP-002-5.1a R1 Part 1.3 at least once every 15 calendar months
- Documentation that the CIP Senior Manager or delegate approves the identifications at least once every 15 calendar months
- Date(s) of when the review(s) take place for both of the above are important in reviewing this information
- Evidence showing that the review happened needs to be provided even if no asset containing a LIBCS is identified

Cyber Security Policies
CIP-003-6 R1 Part 1.2
- Documentation that a review and approval has taken place for CIP-003-6 documented cyber security policies for LIBCS at least once every 15 calendar months by the CIP Senior Manager
- Date(s) of when the review(s) and approval(s) take place are important in reviewing this information
- Documentation will be requested showing that the cyber security policy for asset(s) containing LIBCS includes the following:
  - Cyber security awareness
  - Physical security controls
  - Electronic access controls for Low Impact External Routable Connectivity (LERC)
  - Electronic access controls for Low Impact Dial-up Connectivity
  - Cyber Security Incident response

Cyber Security Plans
CIP-003-6 R2
- Documentation of the cyber security plan(s) for LIBCS
  - Ensure this addresses all sections of Attachment 1 of the requirement
- A list of the assets that contain a LIBCS, if applicable
- A list of LIBCS for asset(s) that require LIBCS to be listed explicitly, if applicable
- For Attachment 1, Section 1 documentation will be requested of the cyber security practice materials provided to personnel who have access to assets containing LIBCS
  - Dates of when the material was provided will be requested as well

Physical Security Controls
CIP-003-6 R2 Attachment 1, Section 2
- Evidence will be requested of the implemented physical security control(s) for LIBCS
- Sampling will be performed on the asset(s) containing LIBCS and on explicitly listed LIBCS
- Based on the sample selection, evidence will be requested showing the physical security controls that were implemented to control physical access based on need to:
  - The asset or the location(s) of the LIBCS within the asset; and
  - The LIBCS Electronic Access Points (LEAPs), if any
- Reminder: The implementation date for this section is September 1, 2018

Electronic Access Controls
CIP-003-6 R2 Attachment 1, Section 3
- Evidence will be requested of the implemented electronic access control(s) for LIBCS
- Sampling will be performed on the asset(s) and on explicitly listed LIBCS that have Low Impact External Routable Connectivity
- Evidence will be requested showing the following:
  - Description or diagram of the specific implementation of a LEAP for this asset
  - The inbound and outbound access permissions for each LEAP that controls LERC at this asset, per Cyber Asset capability
  - Documentation that the enabled inbound and outbound permissions are necessary

Electronic Access Controls
CIP-003-6 R2 Attachment 1, Section 3 (continued)
- Sampling will be performed on the asset(s) and on explicitly listed LIBCS that have Dial-up Connectivity
- Evidence will be requested showing the following:
  - Description or diagram of the specific implementation of Dial-up Connectivity for the asset
  - For each BES Cyber Asset with Dial-up Connectivity:
    - Documentation that authentication of Dial-up Connectivity has been implemented; or
    - Documentation of the incapability of the BES Cyber Asset to perform authentication
- Reminder: The implementation date for this section is September 1, 2018

Incident Response Plans
CIP-003-6 R2 Attachment 1, Section 4
Documentation will be requested of all Cyber Security Incident response plan(s) for LIBCS that include the following:
- Identification, classification, and response to Cyber Security Incidents
- Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (E-ISAC), unless prohibited by law
- Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals
- Incident handling for Cyber Security Incidents
- Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by:
  - Responding to an actual Reportable Cyber Security Incident
  - Using a drill or tabletop exercise of a Reportable Cyber Security Incident
  - Using an operational exercise of a Reportable Cyber Security Incident

Incident Response Plans
CIP-003-6 R2 Attachment 1, Section 4 (continued)
- Evidence requested showing each test or activation of the incident response plan
- Evidence will be requested that the Cyber Security Incident response plan(s) were reviewed and/or updated within 180 calendar days of the activation or test of the response plan.
  - Evidence is still needed if no changes were determined to be needed after the test or activation of the plan(s)
- Dates are important for all evidence requested above

Potential change for CIP evidence requests
- MRO is considering using the NERC evidence request worksheet instead of the current MRO RFI spreadsheet
- The NERC Evidence Request spreadsheet and User Guide can be found on the NERC website in the CIP V5 Transition Program page
- RSAWs will still be submitted as part of the audit notification and response
- The NERC evidence request does have tabs for supplying information to be used for sampling purposes
- MRO will provide notice and a transition period before implementing the NERC evidence request worksheet

Questions?