Low Impact BES Cyber Systems
Cyber Security - Security Management Controls (CIP-003-6)
Dave Kenney
November 9, 2016
Presentation Agenda
- Outreach Observations / Audit Approach
- Cyber Security Awareness
- Physical Security Controls
- Electronic Access Controls for Low Impact: LERC and Dial-up Connectivity
- Cyber Security Incident Response
- Presentable Evidence
What is Low Impact?
BES Cyber Systems not categorized as High or Medium Impact that are associated with assets meeting the applicability qualifications in Section 4 (Applicability) of CIP-002-5.1. The Low Impact rating itself is defined in CIP-002-5.1, Attachment 1, Section 3.
Compliance vs. Security
- Information Security, in general, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.
- Compliance, in general, describes the ability to act according to an order, set of rules or request.
LERC and LEAP
- Low Impact External Routable Connectivity (LERC): bi-directional routable communications between low impact BES Cyber System(s) and Cyber Assets outside the asset containing those low impact BES Cyber System(s).
- Low Impact BES Cyber System Electronic Access Point (LEAP): a Cyber Asset interface that allows Low Impact External Routable Connectivity. The Cyber Asset may reside at a location external to the asset or assets containing the low impact BES Cyber System(s).
CIP-003-6 Effective Dates (timeline figure; the dates it plots are tabulated in the next slide)
Standard and Requirement Effective Dates
CIP-003-6 is effective on July 1, 2016. Requirement-level effective dates:

Requirement                                 Effective date
Requirement 1                               July 1, 2016
Requirement 1, Part 1.2                     Apr. 1, 2017
Requirement 2                               Apr. 1, 2017
Requirement 2, Attachment 1, Section 1      Apr. 1, 2017
Requirement 2, Attachment 1, Section 2      Sept. 1, 2018
Requirement 2, Attachment 1, Section 3      Sept. 1, 2018
Requirement 2, Attachment 1, Section 4      Apr. 1, 2017
Requirement 3                               July 1, 2016
Requirement 4                               July 1, 2016
Outreach Observations
The following points have been noticed during FRCC Outreach sessions:
- Inventory: although not required, an inventory and network diagram(s) are highly recommended and can assist the audit team in understanding the environment.
- Network Diagrams: the initial data request can be satisfied with a high level network diagram.
Outreach Observations
- An entity may have more than one incident management plan, depending on the functions it is registered to perform.
- It will be helpful to review the detective, preventative and corrective controls pertaining to physical and electronic key management and access card control.
Audit Approach
Typical evidence provided by the entity:
- Documentation of entity access controls and an explanation of how the processes are implemented as documented
- Documentation of policies that are clearly signed, dated and approved by the CIP Senior Manager
- Documentation that processes are being appropriately and consistently applied across all business units
Audit Approach
- Documentation and explanation of shared facilities and how protections are provided. This may be documented in a CFR (Coordinated Functional Registration), a JRO (Joint Registration Organization) agreement or an MOU (Memorandum of Understanding).
- It is not unusual for an entity to have more than one Incident Response plan based on its registered functions, e.g. Generation, Transmission, etc.
Cyber Security Awareness
Cyber Security Awareness
Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).
Evidence:
- Direct communications: emails, memos or evidence of computer based training
- Indirect communications: posters, brochures or intranet
- Management support and reinforcement: presentations or meetings
Make sure all personnel have access to the Cyber Security Awareness material.
Physical Security Controls
Physical Security Controls
Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to:
- the asset or the locations of the low impact BES Cyber Systems within the asset, and
- the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.
Evidence for Physical Security Controls
Evidence can include documentation of any of the following selected access control(s):
- Card locks
- Gates
- Fences
- Locks
- Perimeter controls (such as video monitoring)
- Alarm systems (for monitoring)
- Human observation
- Other (operational, procedural or technical)
Electronic Access Controls With LERC and Dial-up Connectivity
Electronic Access Controls
Each Responsible Entity shall:
- For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access
- Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability
Electronic Access Controls Evidence
Electronic Access Controls (LERC):
- Network diagram(s)
- Restrictive IP addresses, ports and services
- Firewall configuration files (LEAP devices)
Dial-up Connectivity:
- Network diagram(s)
- Evidence of dual-factor authentication
- Restrictive IP addresses, ports and services
- Intermediate system information
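As an added example (not from this presentation or any FRCC tool), the following Python script reads a LEAP firewall ruleset in iptables-save format and flags the ACCEPT rules that are broader than "only necessary inbound and outbound" access: a default-accept chain, a missing source or destination, an address range broader than a /24, a missing protocol, or a TCP/UDP rule with no destination port. The two rulesets, the 10.20.0.0/24 and 192.168.50.0/24 addresses, TCP 502 and 20000 as the "necessary" services, and the /24 threshold are constructed assumptions for illustration.

```python
"""Audit a LEAP firewall ruleset (iptables-save format) for rules broader
than "only necessary" access.  Added example; the rulesets below are
constructed and the /24 threshold is an assumption, not a CIP-003-6 rule."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: FORWARD chain of a hypothetical LEAP between a
# corporate network (10.20.0.0/24) and a low impact BES Cyber System subnet
# (192.168.50.0/24).  Rules 3 and 4 and the ACCEPT policy are the problems.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.20.0.0/24 -d 192.168.50.10/32 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.20.0.5/32 -d 192.168.50.0/24 -p tcp -m tcp --dport 20000 -j ACCEPT
-A FORWARD -d 192.168.50.0/24 -p tcp -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

# The same LEAP tightened: default-deny chain, only the two needed flows,
# plus reply traffic for connections those two rules already permitted.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -s 10.20.0.0/24 -d 192.168.50.10/32 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.20.0.5/32 -d 192.168.50.0/24 -p tcp -m tcp --dport 20000 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

MAX_USEFUL_PREFIX = 24  # assumption: anything broader than a /24 is "unrestricted"


@dataclass
class Rule:
    chain: str
    raw: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    ctstate: Optional[str] = None
    target: Optional[str] = None


def parse_iptables_save(text: str):
    """Return ({chain: default policy}, [Rule, ...]) from iptables-save output.
    Only the options the audit needs are extracted; others (-m, -i, -o) are skipped."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                  # "-A CHAIN <matches> -j TARGET"
            tokens = line.split()
            rule = Rule(chain=tokens[1], raw=line)
            valued = {"-s": "src", "-d": "dst", "-p": "proto",
                      "--dport": "dport", "--ctstate": "ctstate", "-j": "target"}
            i = 2
            while i < len(tokens):
                if tokens[i] in valued and i + 1 < len(tokens):
                    setattr(rule, valued[tokens[i]], tokens[i + 1])
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return policies, rules


def is_unrestricted(cidr: Optional[str]) -> bool:
    """An absent address spec, or one broader than the threshold, is not 'necessary only'."""
    if cidr is None:
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen < MAX_USEFUL_PREFIX


def audit_leap_ruleset(text: str, chain: str = "FORWARD") -> list:
    """Return human-readable findings for every ACCEPT rule in `chain` that is
    broader than necessary, plus one finding if the chain is not default-deny."""
    policies, rules = parse_iptables_save(text)
    findings = []
    policy = policies.get(chain)
    if policy != "DROP":
        findings.append(f"{chain} default policy is {policy}; it should be DROP "
                        "so only explicitly permitted flows pass")
    accepts = [r for r in rules if r.chain == chain and r.target == "ACCEPT"]
    for n, r in enumerate(accepts, 1):
        if r.ctstate and "NEW" not in r.ctstate.split(","):
            continue  # reply traffic only; the originating flow was judged above
        problems = []
        if is_unrestricted(r.src):
            problems.append("unrestricted source")
        if is_unrestricted(r.dst):
            problems.append("unrestricted destination")
        if r.proto is None:
            problems.append("no protocol restriction")
        elif r.proto in ("tcp", "udp") and r.dport is None:
            problems.append("no destination port restriction")
        findings.extend(f"{chain} ACCEPT rule {n}: {p} ({r.raw})" for p in problems)
    return findings


if __name__ == "__main__":
    for finding in audit_leap_ruleset(SAMPLE_RULESET):
        print(finding)
    print("hardened ruleset:", audit_leap_ruleset(HARDENED_RULESET) or "no findings")
```

Run against a LEAP's saved configuration, this gives a first pass over the "restrictive IP addresses, ports and services" evidence before the audit team asks for it; the same checks apply to any vendor's firewall once its export is mapped into the same source, destination, protocol and port fields.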
Cyber Security Incident Response
Cyber Security Incident Response
Each Responsible Entity shall have one or more Cyber Security Incident Response plan(s), either by asset or group of assets, which shall include:
- Identification, classification and response to Cyber Security Incidents
- Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident, and subsequent notification of the Electricity Information Sharing and Analysis Center (E-ISAC)
- Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals
- Incident handling for Cyber Security Incidents
Cyber Security Incident Response
- Testing the Cyber Security Incident Response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident, (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident, or (3) using an operational exercise of a Reportable Cyber Security Incident
- Updating the Cyber Security Incident Response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident Response plan(s) test or an actual Reportable Cyber Security Incident
Evidence for Cyber Security Incident Response
Evidence: dated and signed document(s), such as policies, procedures or process documents, of one or more Cyber Security Incident Response plan(s) developed by asset or group of assets that include the following processes:
- To identify, classify and respond to Cyber Security Incidents
- To determine whether an identified Cyber Security Incident is a Reportable Cyber Security Incident, and to notify the Electricity Information Sharing and Analysis Center (E-ISAC)
- To identify and document the roles and responsibilities for Cyber Security Incident response by groups or individuals (e.g. initiating, documenting, monitoring, reporting, etc.)
- For incident handling of a Cyber Security Incident (e.g. containment, eradication, or recovery/incident resolution)
- For testing the plan(s), along with dated documentation that a test has been completed at least once every 36 calendar months
- To update, as needed, the Cyber Security Incident Response plan(s) within 180 calendar days after completion of a test or an actual Reportable Cyber Security Incident
Presentable Evidence
Presentable Evidence
- Network diagrams / one-line diagrams / LEAP configurations (high level)
- Pictures and/or video tours of the asset (facility) with low impact BES Cyber Systems
- Dial-up Connectivity protections and controls
- Documented compensating control(s) (if required)
- User and/or configuration guides from vendor(s)
- Letters or directives from vendor(s)
Security Resources
- InfraGard: https://www.infragard.org/
- Department of Homeland Security: https://www.dhs.gov/
- Department of Energy (OE-417): https://www.oe.netl.doe.gov/oe417/form/home.aspx#
- NERC E-ISAC: https://www.esisac.com/
- Center for Internet Security (MS-ISAC): https://msisac.cisecurity.org/
- Security Awareness: http://www.csoonline.com/category/security-awareness/
- Physical Security (ASIS International): https://www.asisonline.org/pages/default.aspx
Low Impact: Final Questions