Cyber Security Supply Chain Risk Management

Similar documents
Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Standard Development Timeline

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Critical Cyber Asset Identification Security Management Controls

CIP Standards Development Overview

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Standard CIP Cyber Security Critical Cyber Asset Identification

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Standard CIP Cyber Security Critical Cyber Asset Identification

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

Technical Guidance and Examples

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Implementation Plan for Version 5 CIP Cyber Security Standards

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

CYBER SECURITY POLICY REVISION: 12

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

Standard CIP Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management

Standards Authorization Request Form

Standard CIP 007 3a Cyber Security Systems Security Management

Compliance: Evidence Requests for Low Impact Requirements

Standard CIP Cyber Security Electronic Security Perimeter(s)

Cyber Security Standards Drafting Team Update

Physical Security Reliability Standard Implementation

CIP Cyber Security Configuration Management and Vulnerability Assessments

Implementing Cyber-Security Standards

CIP Cyber Security Personnel & Training

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

October 2, 2017 VIA ELECTRONIC FILING

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

Standard Development Timeline

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Standard CIP Cyber Security Security Management Controls

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

CIP Cyber Security Security Management Controls. Standard Development Timeline

CIP Cyber Security Personnel & Training

162 FERC 61,044 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

Standard CIP-006-4c Cyber Security Physical Security

Standard CIP Cyber Security Systems Security Management

BILLING CODE P DEPARTMENT OF ENERGY. Federal Energy Regulatory Commission. 18 CFR Part 40. [Docket No. RM ]

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Standard Development Timeline

Standard Development Timeline

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Standard Development Timeline

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

CIP Cyber Security Systems Security Management

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016

Standards Authorization Request Form

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP Cyber Security Security Management Controls. A. Introduction

Summary of FERC Order No. 791

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

Standard CIP-006-3c Cyber Security Physical Security

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

Proposed Clean and Redline for Version 2 Implementation Plan

Analysis of CIP-006 and CIP-007 Violations

Standard CIP Cyber Security Electronic Security Perimeter(s)

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016

The North American Electric Reliability Corporation ( NERC ) hereby submits

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

ERO Enterprise Strategic Planning Redesign

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

CIP Cyber Security Recovery Plans for BES Cyber Systems

Standard Development Timeline

Draft CIP Standards Version 5

Standard CIP Cyber Security Physical Security

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

Standard CIP 004 3a Cyber Security Personnel and Training

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification

NERC and Regional Coordination Update

Critical Infrastructure Protection Version 5

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP-006-1a Cyber Security Physical Security

Re: North American Electric Reliability Corporation Docket No. RM

Standard Development Timeline

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

NERC Relay Loadability Standard Reliability Standards Webinar November 23, 2010

NERC-Led Technical Conferences

Standard Development Timeline

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Transcription:

Cyber Security Supply Chain Risk Management JoAnn Murphy, SDT Vice Chair, PJM Interconnection May 31, 2017 FERC Order No. 829 [the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward looking, objective driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. Order No. 829, July 2016 Four objectives as they relate to cyber security of BES Cyber Systems: Software integrity and authenticity Vendor remote access including machine to machine Including security considerations during information system planning Vendor risk management and procurement controls Note: Plans use a risk based approach to allow flexibility to responsible entities as to how to meet those objective. (see Order No. 829 P.13) 2 1

Summary of Proposed Changes FERC Order 829 Objective 1 4 1 4 Version 1 of CIP 013 1 R1 Implement the supply chain cyber security risk management plan for BES Cyber Systems (including Electronic Access Control and Monitoring Systems, Personnel Access Control Systems, and Protected Cyber Assets) R2 Review plan(s) every 15 months Version 2 of CIP 013 1 R1 Develop the supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems, including specific procurement processes R2 implement plan(s) from R1 now R3 but remained essentially the same Review plan(s) every 15 months plus modifications to other existing CIP Standards No change proposed changes to CIP 003 to cover low impact BES Cyber Systems have been removed No change 1 R3 (software authenticity) R3 removed and moved to >> CIP 010 3 ( software integrity and authenticity ) Table R1 Part 1.6 added R4 (vendor remote access) R4 removed and moved to >> CIP 005 6 ( visibility and disabling ) Table R2 Part 2.4/2.5 added 2 3 R5 (Low impact BES Cyber Systems) Removed No change CIP-013-1 (draft 2) R1-R3 Summary* R1: Develop a supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. R1.1: Process(es) used in planning for the procurement of BES Cyber Systems R1.2: Process(es) used in procuring BES Cyber Systems that address the following: o 1.2.1. Notification by the vendor of vendor identified incidents; o 1.2.2. Coordination of responses to vendor identified incidents; o 1.2.3. Notification by vendors when access should no longer be granted; o 1.2.4. Disclosure by vendors of known vulnerabilities; o 1.2.5. Verification of software integrity and authenticity of software/patches; and o 1.2.6. Coordination of controls for IRA and system to system remote access. *Refer to CIP 013 1 (Draft 2) for specific language for each Requirement 4 2

CIP-013-1 (draft 2) R1-R3 Summary* R2: Implement the plan(s) from R1. R2 specifically notes: o Renegotiation or abrogation of existing contracts not required, o Actual contract terms and conditions are out of scope, and o Vendor performance and adherence to a contract are out of scope. R3. Obtain CIP Senior Manager (or delegate) approval of its plan(s) in R1 at least once every 15 calendar months. Previously CIP 013 1 (draft 1) R2 *Refer to CIP 013 1 (Draft 2) for specific language for each Requirement 5 CIP-010-3 (draft) Summary Previously CIP 013 1 (draft 1) R3: Requires entities to implement a process for verifying the integrity and authenticity of software and firmware and any upgrades to software and firmware before being placed in operation on high and medium impact BES Cyber. Moved this operational requirement into existing CIP standard Proposed change to CIP 010 3 (Table R1 Part 1.6 added) Added when the method to do so is available to the Entity from the software source to account for situations in which a vendor is unwilling or unable provide needed functionality. 6 3

CIP-005-3 (draft) Summary Previously CIP 013 1 (draft 1) R4: Requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems. Moved this operational requirement into existing CIP standard Proposed change to CIP 005 6 (Table R2 Part 2.4/2.5 added) Focus on visibility and the ability to disable remote access 2.4 Have one or more methods for determining active vendor remote access sessions (including IRA and system to system) 2.5 Have one or more methods to disable active vendor remote access (including IRA and system to system) 7 Summary R5 Change Previously CIP 013 1 (draft 1) R5: Require entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems Removed R5 No new planning or procurement plans or policies for Low Impact BES Cyber Systems No new operational requirements on Low Impact BES Cyber Systems. 8 4

Implementation Plan and Guidance Implementation Plan: Changed from 12 to 18 months SDT developed Implementation Guidance to provide examples of approaches for complying with CIP 013 1. The draft includes the following examples: Risk based approach to developing Cyber Security Supply Chain Risk Management plans (R1) o Processes for planning BES Cyber Systems that identify and assess cyber security risks from vendor products or services (R1.1) o Request for proposal or negotiation provisions to address topics (R1.2) Processes for periodically reviewing and approving plans (R3) Implementation Guidance has been submitted for endorsement per NERC s Compliance Guidance Policy 9 Standards Development Process Oct 2016 Mar 2017 Tech Conference 1 st Formal Balloting May 2017 2 nd Formal Comment and Balloting August 2017 NERC Board Adoption September 2017 Deadline for filing 1 st formal comment period January 20 March 6, 2017 2 nd formal comment period May 2 June 15, 2017 10 5

Contact Information Refer to the Project 2016 03 page for more information Email mark.olson@nerc.net to join the email list Corey Sellers, Southern Company, SDT Chair Email at mcseller@southernco.com JoAnn Murphy, PJM Interconnection, SDT Vice Chair Email at joann.murphy@pjm.com 11 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback