Low Impact BES Cyber Systems. Cyber Security Security Management Controls CIP Dave Kenney


Low Impact BES Cyber Systems: Cyber Security Security Management Controls, CIP-003-6. Dave Kenney, November 9, 2016

Presentation Agenda
Outreach Observations / Audit Approach
Cyber Security Awareness
Physical Security Controls
Electronic Access Controls for Low Impact: LERC and Dial-up Connectivity
Cyber Security Incident Response
Presentable Evidence

What is Low Impact?
BES Cyber Systems not included in High or Medium Impact assets that meet the applicability qualifications in Section 4 of Attachment 1 of CIP-002-5.1.

Compliance vs. Security
Information Security, in general, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.
Compliance, in general, describes the ability to act according to an order, set of rules or request.

LERC and LEAP
Low Impact External Routable Connectivity (LERC): bi-directional routable communications between low impact BES Cyber System(s) and Cyber Assets outside the asset containing those Low Impact BES Cyber System(s).
Low Impact BES Cyber System Electronic Access Point (LEAP): a Cyber Asset interface that allows Low Impact External Routable Connectivity. The Cyber Asset may reside at a location external to the asset or assets containing Low Impact BES Cyber System(s).

CIP-003-6 Effective Dates (timeline chart: the standard's effective date of 7/1/2016 and the requirement dates of 4/1/2017 and 9/1/2018 are marked on the timeline; the per-requirement dates appear on the following slide)

Standard and Requirement Effective Dates
CIP-003-6 effective on July 1, 2016
Requirement 1: Apr. 1, 2016
Requirement 1, Part 1.2: Apr. 1, 2017
Requirement 2: Apr. 1, 2017
Requirement 2, Attachment 1, Section 1: Apr. 1, 2017
Requirement 2, Attachment 1, Section 2: Sept. 1, 2018
Requirement 2, Attachment 1, Section 3: Sept. 1, 2018
Requirement 2, Attachment 1, Section 4: Apr. 1, 2017
Requirement 3: July 1, 2016
Requirement 4: July 1, 2016

Outreach Observations
The following points have been noticed during FRCC Outreach sessions:
Inventory: although not required, an inventory and network diagram(s) are highly recommended and can assist the audit team in understanding the environment.
Network Diagrams: the initial data request can be a high-level network diagram.

Outreach Observation
An entity may have more than one incident management plan. This may be based on what they are registered to perform.
It will be helpful to review detective, preventative and corrective controls pertaining to physical and electronic key management and access card control.

Audit Approach
Typical Evidence Provided by Entity:
Documentation of entity access controls and explanation of implementation of processes as documented
Documentation of policies that are clearly signed, dated and approved by the CIP Senior Manager
Documentation that processes are being appropriately and consistently applied across all business units

Audit Approach
Documentation and explanation of shared facilities and how protections are provided. This may be documented in a CFR, JRO or MOU.
It is not unusual for an entity to have more than one Incident Response plan based on its registered functions, e.g. Generation, Transmission, etc.

Cyber Security Awareness

Cyber Security Awareness
Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).
Evidence:
Direct Communications: emails, memos or evidence of computer-based training
Indirect Communications: posters, brochures or intranet
Management Support and Reinforcement: presentations or meetings
Make sure all personnel have access to Cyber Security Awareness material.

Physical Security Controls

Physical Security Controls
Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to:
the asset or the location of the Low Impact BES Cyber System within the asset, and
the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.

Evidence for Physical Security Controls
Evidence can include any of the following documentation of the selected access control(s):
Card Locks
Gates
Fences
Locks
Perimeter Controls (such as Video Monitoring)
Alarm Systems (for Monitoring)
Human Observation
Other (Operational, Procedural, or Technical)

Electronic Access Controls With LERC and Dial-up Connectivity

Electronic Access Controls
Each Responsible Entity shall:
For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access
Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability

Electronic Access Controls Evidence
Electronic Access Controls:
Network Diagram(s)
Restrictive IP Addresses, Ports and Services
Firewall Configuration files (LEAP Devices)
Dial-up Connectivity:
Network Diagram(s)
Evidence of Dual-factor authentication
Restrictive IP Addresses, Ports and Services
Intermediate system information
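The LEAP requirement (permit only necessary inbound and outbound routable protocol access) and the evidence an audit team expects for it (restrictive IP addresses, ports and services in the LEAP firewall configuration) can be checked by the entity before the data request arrives. The Python script below is an added example; it is not part of the presentation and does not model any vendor's configuration format. The Rule structure, the sample ruleset and the thresholds for what counts as a "broad" address scope or service are constructed assumptions and should be tuned to the environment.

```python
# Added example (not from the presentation): audit a LEAP ruleset for permit
# rules that are wider than "necessary" access, and for a missing final deny.
# The Rule structure, thresholds and sample rules are constructed assumptions,
# not a vendor format; translate a real device's export into this shape first.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    direction: str        # "inbound" or "outbound", relative to the low impact asset
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[str]  # single port, "low-high" range, "any"; None for icmp
    comment: str = ""


# Assumed thresholds for "specific enough"; adjust to local justification rules.
MAX_ADDRESSES = 256   # a /24 or smaller is accepted as a specific address scope
MAX_PORT_SPAN = 16    # a contiguous port range wider than this needs justification


def _is_broad(cidr: str) -> bool:
    """True when the address scope is 'any' or covers more than MAX_ADDRESSES."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).num_addresses > MAX_ADDRESSES


def _service_is_broad(proto: str, dport: Optional[str]) -> bool:
    """True when the rule does not pin the service to a protocol and port(s)."""
    if proto == "any":
        return True
    if proto == "icmp":
        return False          # ICMP has no port; the protocol alone is the service
    if dport is None or dport == "any":
        return True
    if "-" in dport:
        low, high = (int(p) for p in dport.split("-", 1))
        return high - low + 1 > MAX_PORT_SPAN
    return False


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per overly permissive permit rule (address scope and
    service are reported separately) plus one if the ruleset lacks a final
    explicit deny any -> any. An empty list means nothing to explain."""
    findings: List[str] = []
    for n, r in enumerate(rules, start=1):
        if r.action != "permit":
            continue
        broad = [name for name, v in (("source", r.src), ("destination", r.dst)) if _is_broad(v)]
        if broad:
            findings.append(f"rule {n} ({r.comment}): broad {' and '.join(broad)} scope {r.src} -> {r.dst}")
        if _service_is_broad(r.proto, r.dport):
            findings.append(f"rule {n} ({r.comment}): unrestricted service {r.proto}/{r.dport}")
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("ruleset does not end with an explicit deny any -> any")
    return findings


# Constructed sample ruleset for a LEAP in front of a low impact substation LAN.
SAMPLE_RULES = [
    Rule("permit", "inbound", "10.20.30.0/24", "192.168.100.10/32", "tcp", "502", "SCADA master to RTU"),
    Rule("permit", "outbound", "192.168.100.0/24", "10.20.30.5/32", "udp", "123", "NTP"),
    Rule("permit", "inbound", "any", "any", "tcp", "any", "temporary troubleshooting rule"),
    Rule("permit", "inbound", "10.0.0.0/8", "192.168.100.10/32", "tcp", "1-65535", "vendor maintenance"),
    Rule("deny", "inbound", "any", "any", "any", "any", "default deny"),
]


def sample_findings() -> List[str]:
    """Findings for the constructed sample: two rules, two findings each."""
    return audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Every finding the script produces should end up either removed from the LEAP configuration or covered by a documented compensating control of the kind listed later under Presentable Evidence; the clean run (no findings) is itself a dated artifact worth keeping alongside the firewall configuration files.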

Cyber Security Incident Response

Cyber Security Incident Response
Each Responsible Entity shall have one or more Cyber Security Incident Response plan(s), either by asset or group of assets, which shall include:
Identification, classification and response to Cyber Security Incidents
Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident, and subsequent notification of the Electricity Information Sharing and Analysis Center (E-ISAC)

Cyber Security Incident Response
Each Responsible Entity shall have one or more Cyber Security Incident Response plan(s), either by asset or group of assets, which shall include:
Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals
Incident handling for Cyber Security Incidents

Cyber Security Incident Response
Testing the Cyber Security Incident Response plan(s) at least once every 36 calendar months by: 1) responding to an actual Reportable Cyber Security Incident, or 2) using a drill or tabletop exercise of a Reportable Cyber Security Incident, or 3) using an operational exercise of a Reportable Cyber Security Incident
Updating the Cyber Security Incident Response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident Response plan(s) test or an actual Reportable incident

Evidence for Cyber Security Incident Response
Evidence: dated and signed document(s) such as policies, procedures or process documents of one or more Cyber Security Incident Response plan(s) developed by the asset or group of assets that include the following processes:
To identify, classify and respond to Cyber Security Incidents; to determine whether an identified Cyber Security Incident is a Reportable Cyber Security Incident; and for notifying the Electricity Information Sharing and Analysis Center (E-ISAC)

Evidence for Cyber Security Incident Response
To identify and document the roles and responsibilities for Cyber Security Incident response by groups or individuals (e.g., initiating, documenting, monitoring, reporting, etc.)
For incident handling of a Cyber Security Incident (e.g., containment, eradication, or recovery/incident resolution)

Evidence for Cyber Security Incident Response
For testing the plan(s), along with the dated documentation that a test has been completed at least once every 36 calendar months
To update, as needed, the Cyber Security Incident Response plan(s) within 180 calendar days after completion of a test or an actual Reportable Cyber Security Incident

Presentable Evidence

Presentable Evidence
Network diagrams / one-line diagrams / LEAP configurations (high level)
Pictures and/or video tours of the asset (facility) with Low Impact BES Cyber Systems
Dial-up Connectivity protections and controls
Documented compensating control (if required)
User and/or configuration guides from vendor(s)
Letters or directives from vendor(s)

Security Resources
InfraGard - https://www.infragard.org/
Department of Homeland Security - https://www.dhs.gov/
Department of Energy (OE-417) - https://www.oe.netl.doe.gov/oe417/form/home.aspx#
NERC E-ISAC - https://www.esisac.com/
Center for Internet Security - https://msisac.cisecurity.org/
Security Awareness - http://www.csoonline.com/category/security-awareness/
Physical Security - https://www.asisonline.org/pages/default.aspx


LOW IMPACT Final Questions