CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

Similar documents
CIP Standards Development Overview

Cyber Security Standards Drafting Team Update

Cyber Security Supply Chain Risk Management

CIP Cyber Security Standards. Development Update

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Physical Security Reliability Standard Implementation

The North American Electric Reliability Corporation ( NERC ) hereby submits

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Please contact the undersigned if you have any questions concerning this filing.

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Standard Development Timeline

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

CIP Cyber Security Configuration Management and Vulnerability Assessments

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

CIP Substation Security Project Update

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Standard Development Timeline

CIP Cyber Security Incident Reporting and Response Planning

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Standard CIP-006-4c Cyber Security Physical Security

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

ERO Enterprise Strategic Planning Redesign

Cyber Threats? How to Stop?

Proposed Clean and Redline for Version 2 Implementation Plan

Analysis of CIP-006 and CIP-007 Violations

Standard CIP-006-3c Cyber Security Physical Security

Critical Infrastructure Protection Version 5

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Standard Development Timeline

NERC and Regional Coordination Update

Draft CIP Standards Version 5

Standard CIP Cyber Security Critical Cyber Asset Identification

Implementing Cyber-Security Standards

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Standard CIP Cyber Security Critical Cyber Asset Identification

Unofficial Comment Form

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016

Standard Development Timeline

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

NERC-Led Technical Conferences

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Standard CIP Cyber Security Critical Cyber As s et Identification

Standards Authorization Request Form

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

Implementation Plan for Version 5 CIP Cyber Security Standards

Standard CIP Cyber Security Critical Cyber As s et Identification

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

# Name Duration

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Purpose. ERO Enterprise-Endorsed Implementation Guidance

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Standard CIP 007 4a Cyber Security Systems Security Management

Smart Grid Standards and Certification

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

Critical Cyber Asset Identification Security Management Controls

CIP Cyber Security Personnel & Training

Cyber Security Incident Report

Re: North American Electric Reliability Corporation Docket No. RM

Standard Development Timeline

Unofficial Comment Form 1st Draft of PRC-005-3: Protection System and Automatic Reclosing Maintenance (Project )

CIP Cyber Security Security Management Controls. Standard Development Timeline

Standards Authorization Request Form

CIP Cyber Security Recovery Plans for BES Cyber Systems

Industry Webinar. Project Single Points of Failure. August 23, 2018

Compliance Enforcement Initiative

Project Retirement of Reliability Standard Requirements

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Standard Development Timeline

Standard CIP Cyber Security Incident Reporting and Response Planning

CIP Technical Workshop

CIP Standards Development Overview

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

Standard Development Timeline

June 4, 2014 VIA ELECTRONIC FILING. Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP Cyber Security Personnel & Training

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

CIP Configuration Change Management & Vulnerability Assessments

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015

Standard CIP 007 3a Cyber Security Systems Security Management

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

CIP Cyber Security Physical Security of BES Cyber Systems

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Modifications to TOP and IRO Standards

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

SECURITY PLAN CREATION GUIDE

requirements in a NERC or Regional Reliability Standard.

Standard CIP Cyber Security Physical Security

BCI Principles & Criteria: Revision

MT. SAN ANTONIO COLLEGE 2018 Educational and Facilities Master Plan HMC ARCHITECTS // COLLABORATIVE BRAIN TRUST

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Summary of FERC Order No. 791

Transcription:

CIP Standards Update SANS Process Control & SCADA Security Summit March 29, 2010 Michael Assante Patrick C Miller

Background FERC s Cyber Security Order 706 directed extensive modifications of CIP-002 through CIP-009 (Version 1) Address the near term specific directives Version 2 Address issues from FERC Approval of Version 2 (Sep 30, 2009) Version 3 Current Phase Address remaining issues from FERC Order 706 and as raised by industry in the SAR Version 4 2

CIP Version 4 Key Guiding Principles The CIP Standards will: Build on work already done complying with Version 1, including industry s experience and investment Address the complex nature of BES functions and interconnected Cyber Systems, both within and between multiple organizations Provide Entities with reasonable flexibility in applying equivalent security controls on the basis of compensating controls, cyber system characteristics, and operating environment considerations Include all Cyber Systems with potential to adversely impact the reliability of the BES if lost, misused, or compromised 3

Summary of CIP-002 Version 4 All BES Subsystems identified and mapped to impact levels based on pre-determined criteria Criteria for high, medium, and low impacts on Reliability Functions developed in collaboration with representatives of the CIP Standard Drafting Team, Operating Committee and Planning Committee All BES Cyber Systems identified and categorized with the highest impact level of its associated BES Subsystems Senior Manager approval of identification and categorization of BES Subsystems and BES Cyber Systems 4

Differences Between Versions Versions 1 / 2 / 3 Asset types to consider Critical Assets Critical Cyber Assets Critical / Not Critical One size fits all security Version 4 Reliability Functions BES Subsystems BES Cyber Systems Impact Levels (High, Medium, Low) Security commensurate with BES reliability impact 5

Recap of Activities Version 2 Standards Effective Date 4/1/2010 Version 3 Standards Submitted to FERC Awaiting Action by FERC Will be effective start of 2 nd ordinal quarter following approval Version 4 Standards Informal Comment Period on CIP-002-4d1

Current Status CIP-002-4d1 550 pages of comments submitted by industry for informal comment period SDT reviewing and reacting to comments Simplifying definitions and concepts Relationship of CIP-002-4 with CIP-003-4 through CIP-009-4 Bright line thresholds for BES impact

Current Status CIP-003-4 through CIP-009-4 Bottom Up vs. Top Down I.e., start at low impact Relationship to existing work (ISA-99, NIST SP800-53, etc.) Directives in FERC Order 706 Organization of requirements Numbering of Version 4 standards Formatting of multiple requirements statements for each requirement (e.g., H, M, L; Gen, Trans, CC; communications)

Current Status Recent Phoenix Meeting Preparing for next informal posting in May Significant work on refining CIP-003-4 through CIP-009-4 requirements 40-50% complete for posting Further refinement of CIP-002-4 80% complete for posting Six sub-teams meeting weekly to prepare for next full meeting in April Schedule for completion by end of year Includes time for quality input from NERC Standards staff

Schedule CIP-002-4 NOT to be filed separately in June 2010 CIP-002-4 through CIP-009-4 filed (with FERC) together in December 2010 Informal Comment Period for CIP-002-4 through CIP-009-4 scheduled to start early May 2010 Technical Workshop by SDT in May Planning increased communications with the industry Formal Comment Period scheduled to begin in July 2010, with concurrent ballot pool formation Initial Ballot in September 2010 Second ballot scheduled for October 2010 File with regulators December 20, 2010

Technical Feasibility Exceptions FERC s recent position FERC approved process, but expressed concerns Added CIP-006.R1.1 and CIP-007.R3 Questioned usefulness of Class-Based TFEs Compensating measures must be equal or better security Uniform Part A forms across all Regions Concerned about potential abuse NERC issued Process Bulletin 2010-001 11

Conclusion CIP Version 4 is an important step towards a more holistic approach to BES cyber security Tiered security protection can target resources more effectively Industry stakeholder input and constructive comments are key to success of this industry effort to protect the cyber security of the BES 12

For More Information Contacts: Michael Assante Vice President and CSO NERC michael.assante@nerc.net Patrick C Miller Technical Director CIP Practice, ICF International pmiller3@icfi.com 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback