Internal Controls And Good Utility Practices. Ruchi Ankleshwaria Manager, Compliance Risk Analysis

Transcription

1 Internal Controls And Good Utility Practices Ruchi Ankleshwaria Manager, Compliance Risk Analysis

2 2 Introduction Joined WECC in March years of industry experience prior to joining WECC 4 years at a BA/TO/TOP/GO/GOP in WECC as an EMS engineer and project controls engineer 2 years as a project manager Electrical Engineer Master in Business Administration Certified Project Management Professional (PMP)

3 3 Objective Share examples of internal controls that were considered effective during Internal Control Evaluation or CIP V5 outreach.

4 4 Benefit to you Know what is WECC looking for? Use as guidance for Internal Control Program Already have the control? Document it for WECC s ICE evaluation Not implemented yet? Consideration for implementing it

5 5 Internal Controls Evaluation Process Expectation of the Standard Focus on Risks List of Controls Review of Control Design Test Effectiveness of Controls

6 6 Internal Controls Evaluation Process Expectation of the Standard Focus on Risks List of Controls Review of Control Design Test Effectiveness of Controls

7 7

8 8 Criteria for Good Controls Should be implemented at least for a year Management Approval/Notification Combination of Manual and Automatic control Preventive, Detective or Corrective Control

9 9 Area Of Focus CIP R2 CIP R1 CIP R2 CIP R2

10 10 CIP R2 - Controls Security Patch Management

11 11 CIP R2 Requirement Expectation Patches installation documented Systems identified Applications identified Patches installed or Update Mitigation Patch Source identified Patches evaluated Patch tracking planned Patches identified Patches tracked

12 12 CIP R2 Possible Points of Failure Failure to track a security patch Failure to evaluate a security patch Failure to install a security patch or update the mitigation plan

13 13 CIP R2- Failure Point Failure to track a security patch

14 CIP R2 Examples of Good Utility Technical Controls Practice Automated scanning tool that detects what is running and alerts of any changes to a system Automated tools to scan devices and determine if up to date or if any patches are available for the system Task management tools to ensure periodic tasks are being completed Administrative controls Limited user rights that prevent the unplanned installation of software Manual Controls Change control peer reviews to verify no unexpected changes Checklist to ensure application gets added to patch tracking procedures when a new software is added 14

15 15 CIP R2- Failure Point Failure to evaluate a security patch

16 CIP R2 Examples of Good Utility Technical Controls Practice Tools that will automatically notify of applicable patches Task management tools to ensure periodic tasks are being completed Manual Control Peer review to ensure security patch evaluation is done as per the defined criteria 16 Procedural Controls Reminders for periodic tasks. Clear criteria and assignments for what makes a patch applicable, and who can make that determination

17 17 CIP R2- Failure Point Failure to install a security patch or update the mitigation plan

18 CIP R2 Examples of Good Utility Technical Controls Practice Centralized patch management so admins don t have to go to each individual machine for applying patches. Technical tool that can scan to verify patch was applied Manual Controls Random sample verifications to ensure technical controls are working. Manual verification or audits that procedures were followed and documentation is accurate. Procedural Controls Checklist to ensure all steps are complete as part of patch install Limited user rights preventing personnel from patching their own machines when they feel like it. 18

19 19 CIP R1 - Controls Configuration Change Management

20 20 CIP R1- Requirement Expectation Identify all applicable systems Update baseline for any changes Document Baseline for devices Test to ensure security controls are not adversely impacted Create authorization procedures for changes to baseline Create security controls verification procedures Identify potential impacts to security controls

21 21 CIP R1- Possible Points of Failure Inaccurate Baseline Changes made inappropriately Failure to document changes to the baseline accurately

22 CIP R1 Examples of Good Utility Practice Inaccurate Baseline Method for developing and Maintaining baseline Automated scanning Manual Review Ensure Confidentiality, Integrity and Availability (CIA) of the list Limited Write Privileges to change baseline Location of Baseline Protection from Unauthorized changes 22

23 CIP R1 Examples of Good Utility Practice Changes Made Inappropriately 23 Have authorization criteria for changes Have process map of common scenarios that can affect security controls Peer review process to verify impact of changes

24 CIP R1 Examples of Good Utility Practice Failure to document changes to the baseline accurately Have automated system that can update baseline upon changes 24 Peer Review to ensure documentation is accurate Periodic update to management for changes to baseline

25 25 CIP R2 - Controls BES Cyber System Categorization - Review & Approval

26 26 CIP R2 Conduct annual physical walk down review of BCS to verify that the master list of BCS is accurate. Automated scanning tools to identify IP enabled devices Automated system that can notify of upcoming tasks and can escalate notifications depending on the time remaining to complete the tasks Ensure CIA of the list

27 27 CIP R2 - Controls Cyber Security Personnel & Training

28 28 CIP R2 Automated program to track training Add periodic check to verify the access list. Periodic reviews to ensure the training is being completed as required Automated/periodic notification to management

29 Upcoming Changes 29

30 30 Upcoming Changes to ICE Process Update ICE Survey Questions for CIP V5 Changes in timing for performing ICE Use ICE for long term Monitoring Strategy Focus on subset of Inherent Risks

31 31 Summary Focus on Standard expectation & failure points Focus on combination of Automated and Manual Controls Combination of Preventive, Detective and Corrective Control

32 32 Questions Ruchi Ankleshwaria Phone: (801)