Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Similar documents
Compliance: Evidence Requests for Low Impact Requirements

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Alberta Reliability Standard Cyber Security Incident Reporting and Response Planning CIP-008-AB-5

Alberta Reliability Standard Cyber Security Electronic Security Perimeter(s) CIP-005-AB-5

CIP V5 Implementation Study SMUD s Experience

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP Cyber Security Security Management Controls. A. Introduction

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification

Cyber Threats? How to Stop?

Standard CIP Cyber Security Critical Cyber Asset Identification

Draft CIP Standards Version 5

Low Impact BES Cyber Systems. Cyber Security Security Management Controls CIP Dave Kenney

CYBER SECURITY POLICY REVISION: 12

Standard CIP Cyber Security Critical Cyber Asset Identification

CIP Cyber Security Security Management Controls

Standard Development Timeline

requirements in a NERC or Regional Reliability Standard.

Standard Development Timeline

Standard Development Timeline

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Standard Development Timeline

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Reliability Standard Audit Worksheet 1

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Standard Development Timeline

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Standard Development Timeline

Summary of FERC Order No. 791

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Low Impact Generation CIP Compliance. Ryan Walter

NB Appendix CIP NB-0 - Cyber Security Personnel & Training

Standard Development Timeline

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Systems Security Management

CIP Cyber Security Personnel & Training

NERC CIP Compliance Matrix of RUGGEDCOM CROSSBOW Operating System

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

New Brunswick 2018 Annual Implementation Plan Version 1

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Loss of Control Center Functionality: EOP-008-1, CIP-008-3, CIP September 30, 2014

CIP Cyber Security Personnel & Training

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

Lesson Learned CIP Version 5 Transition Program

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan

CIP Cyber Security Incident Reporting and Response Planning

Cyber Attacks on Energy Infrastructure Continue

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Cyber Security Reliability Standards CIP V5 Transition Guidance:

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

Cybersecurity for the Electric Grid

Please contact the undersigned if you have any questions concerning this filing.

Standard CIP Cyber Security Electronic Security Perimeter(s)

Implementation Plan for Version 5 CIP Cyber Security Standards

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Recovery Plans for BES Cyber Systems

NERC and Regional Coordination Update

CIP Cyber Security Recovery Plans for BES Cyber Systems

Critical Cyber Asset Identification Security Management Controls

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Security Standards for Electric Market Participants

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Electronic Security Perimeter(s)

Cyber Security Incident Report

CIP Cyber Security Recovery Plans for BES Cyber Systems

DRAFT. Standard 1300 Cyber Security

October 2, CIP-014 Report Physical Security Protection for High Impact Control Centers Docket No. RM15-14-

Standard CIP Cyber Security Electronic Security Perimeter(s)

NERC CIP Information Protection

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

CIP Cyber Security Physical Security of BES Cyber Systems

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Draft Version: August 18, 2015

NERC-Led Technical Conferences

CIP Cyber Security Configuration Management and Vulnerability Assessments

A. Introduction. Page 1 of 22

Standards Authorization Request Form

2017 MRO Performance Areas and an Update on Inherent Risk Assessments

CIP Cyber Security Security Management Controls. Standard Development Timeline

Standard Development Timeline

CIP Cyber Security Information Protection

Physical Security Reliability Standard Implementation

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

primary Control Center, for the exchange of Real-time data with its Balancing

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

Transcription:

Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada Inc. V2 1

Acciona s Worldwide Operations Title 2

Title North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards: Only two (2) applicable NERC CIP Standards: 1. NERC Reliability Standard CIP-002-5.1a Cyber Security BES Cyber System Categorization (NERC CIP-002) Effective Date: July 01, 2016 Purpose: To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES. 2. NERC Reliability Standard CIP-003-6 Cyber Security Security Management Controls (NERC CIP-002) Effective Date: July 01, 2016 Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES). 3

high, medium & NERC CIP-002 Requirements NERC CIP-002-5.1a - Cyber Security BES Cyber System Categorization: Two Requirements; Effective Date = July 01, 2016 (NERC CIP-002-5.1) Requirement R1: Identify the impact rating of BES Cyber Systems: high impact: Four bright line criteria medium impact: 13 bright line criteria low impact: 6 bright line criteria Requirement R2: There are two parts to Requirement R2: Review the assessment completed for Requirement R1 every 15 calendar months. CIP Senior Manager shall approve the assessment completed for R1 every 15 calendar months. 4

Systematic Approach NERC Defined Terms: Cyber Assets: Programmable electronic devices, including the hardware, software, and data in those devices. BES Cyber Asset (BAC): A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. The Systematic Approach to Limit Scope 1: Identify the BES reliability operating service (BROS) provided. 2: Identify BES Cyber Systems associated with the BROS. 3: Identify associated BES Cyber Assets. 4: Apply NERC CIP Requirements. 5

Systematic Approach 1: Identify the BES reliability operating services provided (BROS) Determine if your entity provides any of the following BROS applicable to a Generator Owner (GO) or Generator Operator (GOP). Entity Registration BROS Dynamic Response to BES conditions X X X X X X Balancing Load and Generation X X X X X X X Controlling Frequency (Real Power) X X X Controlling Voltage (Reactive Power) X X X X Managing Constraints X X X Monitoring & Control X X Restoration of BES X X Situational Awareness X X X X Inter-Entity Real-Time Coordination and Communication RC BA TOP TO DP GOP GO X X X X X X Considering the followings systems, not all inclusive: Protection Systems Active Power Controllers Ramp Rate Controllers Voltage Regulators/Controllers Devices Receiving Dispatch signals from Reliability Entities SCADA systems / HMIs Devices transmitting data to Reliability Entities 6

Systematic Approach 2: Identify BES Cyber Systems associated with the BROS Determine if any the identified BROS being provided contain cyber systems, if yes, then these are your BES Cyber Systems. Questions to ask: How do I connect to these BROS: intranet, virtual private network, remotely, SCADA? How does the identified BROS perform their service, does it use cyber connections? 3: Identify associated BES Cyber Assets Using the identified BES Cyber Systems determine the BES Cyber Assets associated with these BES Cyber Systems. Consider the following Cyber Assets: Routers Switches PLCs Servers RTACs Firewalls 4: Apply NERC CIP Requirements Apply the applicable NERC CIP-003 requirements to the identified BES Cyber Assets. Tip: Limit CIP scope to the extent possible by: Separating networks, only including BES Cyber Assets, allowing access based on business need, only devices that have routable protocols, etc. 7

NERC CIP-003 Requirements NERC CIP-003-6-Cyber Security Security Management Controls; Requirements: Four Requirements; Effective Date = various Requirement R3: Effective Date = July 01, 2016 Identify a CIP Senior Manager by name. Document any change to the CIP Senior Manager within 30 days of the change. Requirement R4: Effective Date = July 01, 2016 Documented process to delegate CIP Senior Manager authority, if delegation occurs. Document delegations with: name & title of delegate, date of delegation, specific actions delegated, and CIP Senior Manager approval Any changes to the delegation need to be documented within 30 days of the change. Continued on the next slide 8

NERC CIP-003 Requirements NERC CIP-003-6-Cyber Security Security Management Controls; Requirements: Requirement R1 & R1.2: Effective Date = April 01, 2017 Please note Requirement R1.1 is not applicable to. CIP Senior Manager shall approve the cyber security policies every 15 calendar months that address: Cyber Security Awareness Physical Security Controls Electronic Access Controls Cyber Security Incident Response Requirement R2: Effective Date = various Documented cyber security plans for that address: Section1: Cyber Security Awareness: Effective Date = April 01, 2017 Section 2: Physical Security Controls: Effective Date = September 01, 2018 Section 3: Electronic Access Controls: Effective Date = September 01, 2018 Section 4: Cyber Security Incident Response: Effective Date = April 01, 2017 9

NERC CIP-003 Requirements Section 4: Effective Date = April 01, 2017 Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include: 4.1 Identification, classification, and response to Cyber Security Incidents; 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law; 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals; 4.4 Incident handling for Cyber Security Incidents; 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1)responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security 4.6 Updating the Cyber Security Incident response plan (s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident. Continued on the next slide 10

NERC CIP-003 Requirements Section 4: Effective Date = April 01, 2017 Cyber Security Incident Response: Considerations, Tips and Possible Synergies: Can you reference your event reporting procedure developed for NERC Standard EOP-004 Event Reporting to complete require external reporting? high & medium impact NERC CIP Standards to Reference: NERC CIP-008 Cyber Security Incident Reporting and Response Planning NERC CIP-009 Cyber Security Recovery Plans for BES Cyber Systems 11

NERC CIP-003 Requirements Section 3: Effective Date = September 01, 2018 Electronic Access Controls; AKA Cyber Security: Each Responsible Entity shall: 3.1 For Low Impact External Routable Connectivity (LERC), if any, implement a Low Impact BES Cyber System Electronic Access Point (LEAP) to permit only necessary inbound and outbound bi-directional routable protocol access; and 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability. Considerations, Tips and Possible Synergies: Do third parties (OEMs, contactors, etc.) access your BES Cyber Systems? Do you allow individual VPN access/remote desktop connections to your BES Cyber Systems? Consider creating multiple networks that separate generation operations from general business activities. Understand traffic in the firewalls and use whitelisting techniques. Control Centers, data centers, data historians. Password polices. high & medium impact NERC CIP Standards to Reference: NERC CIP-005 Cyber Security Electronic Security Perimeter(s) NERC CIP-007 Cyber Security System Security Management NERC CIP-010 Cyber Security Configuration Change Management and Vulnerability Assessments 12

NERC CIP-003 Requirements Section 2: Effective Date = September 01, 2018 Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any. Considerations, Tips and Possible Synergies: Consider all auxiliary equipment used in the operation of BES Cyber Assets including but not limited to: batteries, electrical panels, WTG switches, meteorological tower switches, fiber junction boxes, etc. Categorize areas of the generation assets/control Center including, but not limited to: WTG, metrological towers, substations, relay and switchgear rooms, server rooms, SCADA consoles, Ethernet ports, key lock boxes. Consider limiting access to need, based on the categorization. Protect all areas that contain BES Cyber Assets and/or limit access to BES Cyber Systems. Understand who, why and how people access your areas that contain BES Cyber Systems. Implement key control policies. high & medium impact NERC CIP Standards to Reference: NERC CIP-006 Cyber Security Physical Security of BES Cyber Systems 13

NERC CIP-003 Requirements Section 1: Effective Date = April 01, 2017 Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices). Considerations, Tips and Possible Synergies: Discuss policies and plans developed for NERC CIP-003 compliance such as, Cyber Security Incident Response, Physical Security Controls, Electronic Access Controls. Limit scope to personnel who have access either physical or cyber to BES Cyber Systems. high & medium impact NERC CIP Standards to Reference: NERC CIP-004 Cyber Security Personnel and Training 14

medium impact BES Cyber Systems General Information Where is medium impact most likely to occur: Control Centers NERC CIP-002, Attachment 1, Criteria 2.11: Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. Requirements: Personnel and training (CIP-004) Electronic Security Perimeters (CIP-005) including Interactive Remote Access Physical security of BES Cyber Systems (CIP-006) System security management (CIP-007) Incident reporting and response planning (CIP-008) Recovery plans for BES Cyber Systems (CIP-009) Configuration change management and vulnerability assessments (CIP-010) Information protection (CIP-011) General Information Must be compliant with a medium impact NERC CIP Reliability Standards prior to becoming medium impact. 15

low impact CIP NERC vs. Alberta Reliability Standards (ARS) General Information Please note the applicability has been reduced for the purposes of this presentation; each responsible entity should completed their own applicability assessment.) Applicable Functional Entities: 4.1.3. & 4.1.4. the operator and legal owner of an aggregated generating facility Applicable facilities, systems, and equipment owned by each Responsible Entity in subsection 4.1: 4.2.2. Responsible Entities listed in subsection 4.1 other than a legal owner of an electric distribution system are responsible for: 4.2.2.1. each transmission facility that is part of the bulk electric system except each transmission facility that: 4.2.2.1.3. radially connects only to one or more aggregated generating facilities with a combined maximum authorized real power of less than or equal to 67.5 MW and does not connect a contracted blackstart resource; or 4.2.2.1.4 radially connects to load and one or more aggregated generating facilities that have a combined maximum authorized real power of less than or equal to 67.5 MW 4.2.2.4. an aggregated generating facility that is: 4.2.2.4.1. directly connected to the bulk electric system and has a maximum authorized real power rating greater than 67.5 MW 4.2.2.5. control centres and backup control centres Requirements: The low impact requirements for the Alberta Reliability Standards are extremely similar to NERC s low impact requirements 16

CIP Reference Material Project 2014-02 CIP Version 5 Revisions Implementation Plan http://www.nerc.com/pa/stand/cip0036rd/cip_implementation_plan_clean_ferc_03112015.pdf NERC Compliance Guide and Standard Application Guides http://www.nerc.com/pa/comp/guidance/pages/default.aspx Midwest Reliability Organization Standard Application Guide CIP-002 https://www.midwestreliability.org/mrodocuments/cip-002-5.1%20standard%20application%20guide.pdf Midwest Reliability Organization Standard Application Guide CIP-003 Low Impact https://www.midwestreliability.org/mrodocuments/cip%20003-6%20r2%20standard%20application%20guide.pdf Bulk Electric System Definition Reference Document Version 2.0 April 2014 http://www.nerc.com/pa/rapa/bes%20dl/bes_phase2_reference_document_20140325_final_clean.pdf Glossary of Terms Used in NERC Reliability Standards http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf NERC CIP V5 Transition Program http://www.nerc.com/pa/ci/pages/transition-program.aspx NERC CIP Reliability Standards Enforceable http://www.nerc.net/standardsreports/standardssummary.aspx Alberta CIP Reliability Standards Enforceable https://www.aeso.ca/rules-standards-and-tariff/alberta-reliability-standards/ Alberta Consolidated Authoritative Document Glossary https://www.aeso.ca/assets/uploads/consolidated-authoritative-document-glossary-october-1-2017.pdf 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback