Cyber Security Standards Update: Version 5 with Revisions
- Godwin Wright
- 8 years ago
1 Cyber Security Standards Update: Version 5 with Revisions
Security Reliability Program, 2015

2 Agenda
- CIP Standards History
- Version 5
- Format
- Impact Levels
- NOPR
- Final Rule
- References
RELIABILITY | ACCOUNTABILITY
3 CIP Standards History: Pre-Version 1
- FERC Request for Standard Market Design
  o Request from FERC Staff to develop language, May 8, 2002
  o Modeled after ISO 17799
  o Transmitted to FERC on July 25, 2002
  o Included in the Standard Market Design NOPR as Appendix G
- Urgent Action 1200
  o Follow-on to the SMD Appendix G work
  o SAR developed in 2003, approved April 7, 2003
  o UA 1200 approved by industry June 26,

4 CIP Standards History: Version 1
- SAR effort started August 2003
- Requirements drafting started June 8, 2004
- Filed with FERC August 28, 2006
- Approved by FERC January 18, 2008
- Effective July 1, 2008 through January 1, 2010 (phased)

5 CIP Standards History: Versions 2 and 3
- Version 2
  o SAR started February 2008
  o Requirements development started October 6, 2008 (low-hanging fruit)
  o Filed with FERC May 22, 2009
  o Approved by FERC September 30, 2009
  o Effective April 1, 2010
- Version 3 (current effective version)
  o Compliance filing to Version 2
  o Filed with FERC December 29, 2009
  o Approved by FERC March 31, 2010
  o Effective October 1,

6 CIP Standards History: Version 4
- Critical Asset bright lines
- Approved by industry on December 30, 2010
- Filed with FERC on February 10, 2011
- Approved by FERC on April 19, 2012
- Superseded by Version 5 in FERC Order No. 791 on November 22,
7 Version 5

8 CIP Standards Version 5: Draft 1
- Posted for a 60-day comment and concurrent ballot period, November 7, 2011 to January 6, 2012
- Ballot period: December 17, 2011 to January 6, 2012
- Multiple separate ballots
  o One for each standard (10 standards)
  o One for the Implementation Plan
  o One for Definitions
  o Single ballot pool

9 CIP Standards Version 5: Draft 2
- Posted for a 40-day comment and concurrent ballot period, April 12, 2012 to May 21, 2012
- Ballot period: May 11, 2012 to May 21, 2012
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as the initial draft

10 CIP Standards Version 5: Draft 3
- Posted for a 30-day comment and concurrent ballot period, September 11, 2012 to October 10, 2012
- Ballot period: October 1, 2012 to October 10, 2012
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as the initial draft

11 CIP Standards Version 5: Draft 4
- Posted for a 10-day recirculation ballot period, October 26, 2012 to November 5, 2012
- No substantial changes made to the standards
  o Clarifications and corrections based on comments received on Draft 3
- Changes to existing votes from the last successive ballot
  o No action maintains the Draft 3 vote
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as the initial draft
12 Version 5 Ballot Results
[Bar chart of approval percentage (0% to 100%) by ballot: Initial Ballot (January 2012), Successive Ballot (May 2012), Successive Ballot (October 2012), Recirculation Ballot (November 2012)]

13 FERC Approval Process
- Filed with FERC February 1, 2013 (after 5:00 PM on 1/31)
- FERC Docket RM
- 10,483 page filing (yes, ten thousand pages)
- Available on the NERC website at:
  o %20and%20Exhibits%20A-E.pdf
  o %20DL/Exhibit%20F%20(Part%201%20of%202).pdf
  o %20DL/Exhibit%20F%20(Part%202%20of%202).pdf
  o %20DL/Exhibits%20G-H.pdf
- FERC version at (76 MB file)
- Filings to Canadian regulators made on February 7,
14 CIP Standards Version 5
- CIP-002-5: BES Cyber Asset and BES Cyber System Categorization
- CIP-003-5: Security Management Controls
- CIP-004-5: Personnel and Training
- CIP-005-5: Electronic Security Perimeter(s)
- CIP-006-5: Physical Security of BES Cyber Systems
- CIP-007-5: Systems Security Management
- CIP-008-5: Incident Reporting and Response Planning
- CIP-009-5: Recovery Plans for BES Cyber Assets and Systems
- CIP-010-1: Configuration Management and Vulnerability Assessments
- CIP-011-1: Information Protection

15 SDT's Development Goals
- Goal 1: To address the remaining requirements-related directives from all CIP-related FERC orders, all approved interpretations, and CAN topics within applicable existing requirements.
- Goal 2: To develop consistent identification criteria for BES Cyber Systems and application of cyber security requirements that are appropriate for the risk presented to the BES.
- Goal 3: To provide guidance and context for each Standard Requirement.
- Goal 4: To leverage current stakeholder investments used for complying with existing CIP requirements.
- Goal 5: To minimize Technical Feasibility Exceptions.
- Goal 6: To develop requirements that foster a culture of security and due diligence in the industry, to complement a culture of compliance.
- Goal 7: To develop a realistic and comprehensible implementation plan for the industry.

16 CIP Standards Version 5: New / Modified Terms
- BES Cyber Asset
- BES Cyber System
- BES Cyber System Information
- CIP Exceptional Circumstance
- CIP Senior Manager
- Control Center
- Cyber Assets
- Cyber Security Incident
- Dial-up Connectivity
- Electronic Access Control and Monitoring Systems (EACMS)
- Electronic Access Point (EAP)
- Electronic Security Perimeter (ESP)
- External Routable Connectivity
- Interactive Remote Access
- Intermediate System
- Physical Access Control Systems (PACS)
- Physical Security Perimeter (PSP)
- Protected Cyber Asset (PCA)
- Reportable Cyber Security Incident
17 BES Cyber Systems
- Cyber Assets: Programmable electronic devices, and communication networks including the hardware, software, and data in those devices.

18 BES Cyber Systems
- BES Cyber Asset: A Cyber Asset that, if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.
- (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

19 BES Cyber Systems
- BES Cyber System: One or more BES Cyber Assets logically grouped by a Responsible Entity to perform one or more reliability tasks for a functional entity.
20 Electronic Perimeters
- External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bidirectional routable protocol connection.
- Dial-up Connectivity: A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link.

21 Electronic Perimeters
- Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems (Version 3: Critical Cyber Assets) are connected using a routable protocol and for which access is controlled.
- Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

22 Electronic Perimeters
- Electronic Access Control or Monitoring Systems (EACMS): Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.
- Protected Cyber Assets (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that are not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
23 Interactive Remote Access
- Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive Remote Access does not include system-to-system process communications.

24 Interactive Remote Access
- Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.

25 Physical Perimeters
- Physical Security Perimeter (PSP)
  o Version 3 definition: The physical, completely enclosed ("six-wall") border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled.
  o Version 5 definition: The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.

26 Physical Perimeters
- Physical Access Control Systems (PACS): Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.

27 Control Centers
- Control Center: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.

28 CIP Standards Version 5: Retired Terms
- Critical Assets
- Critical Cyber Assets
29 CIP Standards Version 5: CIP-002
- Eliminates the Critical Asset step of the identification process
- Builds on the bright-line concepts introduced in CIP Version 3/4
  o Critical Asset control centers: High
  o Other Version 3/4 Critical Assets: Medium
  o Some Version 3/4 non-critical assets: Medium
- Transmission now uses a capacity calculation rather than the number of lines at a voltage level
  o See SRI_Equation_Refinement_May6_2011.pdf
- Catch-all category for anything not specifically categorized: Low
  o Something everywhere within the BES
  o Programmatic requirement: CIP Requirement R2

30 CIP Standards Version 5: Impact Levels
- High Impact: large Control Centers; CIP-003 to CIP-009 V3/V4 plus
- Medium Impact: generation and Transmission, Control Centers; similar to CIP-003 to CIP-009 V3/V4
- All other BES Cyber Systems (Low Impact) must implement a policy to address:
  o Cyber security awareness
  o Physical security controls
  o Electronic access controls
  o Incident response
[Diagram mapping V3/V4 categories (Critical, Non-Critical) to V5 impact levels: Large Control Centers -> High; Generation and Transmission, Control Centers -> Medium; Generation and Transmission, Small Control Centers -> Low; Distribution, Marketing, Business -> Non-Impactful]

31 CIP Notes when reading NERC Standards
- Capitalization is very important. Capitalized words refer to terms in the NERC Glossary of Terms Used in Reliability Standards ( /Glossary_of_Terms.pdf)
- Non-capitalized terms do not refer to NERC Glossary terms
  o e.g., "Real-time" is not the same as "real-time"
  o "Facilities" is not the same as "facilities"
- Terms with well-known and authoritative definitions defer to those authoritative sources (e.g., FACTS)
- Not all terms used have either NERC Glossary definitions or authoritative definitions (e.g., "plant")
32 Version 5 Impact Rating Criteria: High Impact Rating (H)
Each BES Cyber System used by and located at any of the following:
- 1.1. Each Control Center or backup Control Center used to perform the functional obligations of the Reliability Coordinator. (V4 1.14)
- 1.2. Each Control Center or backup Control Center used to perform the functional obligations of the Balancing Authority: 1) for generation equal to or greater than an aggregate of 3000 MW in a single Interconnection, or 2) for one or more of the assets that meet criterion 2.3, 2.6, or 2.9. (V4 1.15)
- 1.3. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10. (V4 1.16)
- 1.4. Each Control Center or backup Control Center used to perform the functional obligations of the Generator Operator for one or more of the assets that meet criterion 2.1, 2.3, 2.6, or 2.9. (V4 1.17)

33 Version 5 Impact Rating Criteria: Medium Impact Rating (M)
Each BES Cyber System, not included in Section 1 above, associated with any of the following:
- 2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection. (V4 1.1)
- 2.2. Each BES reactive resource or group of resources at a single location (excluding generation Facilities) with an aggregate maximum Reactive Power nameplate rating of 1000 MVAR or greater (excluding those at generation Facilities). The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of resources that in aggregate equal or exceed 1000 MVAR. (V4 1.2)

34 Version 5 Impact Rating Criteria
- 2.3. Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year. (V4 1.3)
- 2.4. Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.6)
35 Version 5 Impact Rating Criteria
- 2.5. Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the table below. The "aggregate weighted value" for a single station or substation is determined by summing the "weight value per line" shown in the table below for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.7)

  Voltage Value of a Line | Weight Value per Line
  less than 200 kV        | (not applicable)
  200 kV to 299 kV        | 700
  300 kV to 499 kV        | 1300
  500 kV and above        | 0
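The criterion 2.5 test has two independent conditions that are easy to conflate when screening a substation inventory: the station must be tied at 200 kV or above to at least three other stations, and the weighted sum over every line (parallel circuits to the same remote station each count) must exceed 3000. The following is an added example, not part of the slide deck or of NERC's own tooling. The line weights are those of the CIP-002-5 Attachment 1 table for criterion 2.5 (700 for 200-299 kV, 1300 for 300-499 kV, 0 for 500 kV and above, which is already Medium under 2.4); the station and line records are constructed for illustration.

```python
"""Criterion 2.5 aggregate-weighted-value screen for a Transmission station.

Added example, not from the NERC slide deck. Assumptions: weights follow the
published CIP-002-5 Attachment 1 table for criterion 2.5; the sample stations
below are constructed and do not describe any real substation.
"""
from dataclasses import dataclass
from typing import Iterable

THRESHOLD = 3000            # aggregate weighted value must EXCEED this (strict)
MIN_CONNECTED_STATIONS = 3  # tied at >= 200 kV to three or more OTHER stations


def line_weight(kv: float) -> int:
    """Weight value per line from the criterion 2.5 table."""
    if kv < 200:
        return 0        # not applicable: below the 200 kV floor of the criterion
    if kv < 300:
        return 700      # 200 kV to 299 kV
    if kv < 500:
        return 1300     # 300 kV to 499 kV
    return 0            # 500 kV and above: captured by criterion 2.4 instead


@dataclass(frozen=True)
class Line:
    remote_station: str  # the other Transmission station/substation this line lands at
    kv: float            # operating voltage; generator collector buses are NOT lines here


def aggregate_weighted_value(lines: Iterable[Line]) -> int:
    """Sum the weight of every incoming and outgoing line (parallel circuits each count)."""
    return sum(line_weight(ln.kv) for ln in lines)


def connected_stations_200kv_plus(lines: Iterable[Line]) -> set:
    """Distinct other stations reached at 200 kV or higher (a 500 kV tie still counts)."""
    return {ln.remote_station for ln in lines if ln.kv >= 200}


def meets_criterion_2_5(lines: Iterable[Line]) -> bool:
    """True if the station's 200-499 kV Facilities are Medium Impact under criterion 2.5."""
    lines = list(lines)
    if not any(200 <= ln.kv < 500 for ln in lines):
        return False  # criterion only concerns Facilities operating between 200 and 499 kV
    if len(connected_stations_200kv_plus(lines)) < MIN_CONNECTED_STATIONS:
        return False
    return aggregate_weighted_value(lines) > THRESHOLD


# Constructed sample stations (hypothetical names).
STATION_FOUR_230 = [Line("N1", 230), Line("N2", 230), Line("N3", 230), Line("N4", 230)]  # 2800
STATION_FIVE_230 = STATION_FOUR_230 + [Line("N5", 230)]                                  # 3500
STATION_THREE_345 = [Line("N1", 345), Line("N2", 345), Line("N3", 345)]                  # 3900
# Two 345 kV ties plus a 500 kV tie: three stations, but the 500 kV line weighs 0 -> 2600.
STATION_MIXED_500 = [Line("N1", 345), Line("N2", 345), Line("N3", 500)]
# Double-circuit 345 kV to one station plus a 230 kV tie: weight 3300 but only two stations.
STATION_TWO_NEIGHBOURS = [Line("N1", 345), Line("N1", 345), Line("N2", 230)]


def screen(inventory: dict) -> dict:
    """Run the screen over {station name: [Line, ...]} and return {name: (value, meets)}."""
    return {name: (aggregate_weighted_value(lines), meets_criterion_2_5(lines))
            for name, lines in inventory.items()}


if __name__ == "__main__":
    for name, (value, meets) in screen({
        "four_230": STATION_FOUR_230, "five_230": STATION_FIVE_230,
        "three_345": STATION_THREE_345, "mixed_500": STATION_MIXED_500,
        "two_neighbours": STATION_TWO_NEIGHBOURS,
    }).items():
        print(f"{name:15s} aggregate={value:5d} criterion 2.5: {'MET' if meets else 'not met'}")
```

The two failure modes worth noting are the last two stations: a 500 kV tie counts toward the "three or more other stations" condition but adds nothing to the weighted sum, and parallel circuits raise the sum without adding a neighbour, so a station can clear 3000 and still fall outside the criterion.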
36 Version 5 Impact Rating Criteria
- 2.6. Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies. (V4 1.8 & 1.9)
- 2.7. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements. (V4 1.11)
- 2.8. Transmission Facilities, including generation interconnection Facilities, providing the generation interconnection required to connect generator output to the Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the generation Facilities identified by any Generator Owner as a result of its application of Attachment 1, criterion 2.1 or 2.3. (V4 1.10)

37 Version 5 Impact Rating Criteria
- 2.9. Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated switching System that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed, or cause a reduction in one or more IROLs if destroyed, degraded, misused, or otherwise rendered unavailable. (V4 1.12)
- 2.10. Each system or group of Elements that performs automatic Load shedding under a common control system, without human operator initiation, of 300 MW or more implementing undervoltage load shedding (UVLS) or underfrequency load shedding (UFLS) under a load shedding program that is subject to one or more requirements in a NERC or regional reliability standard. (V4 1.13)

38 Version 5 Impact Rating Criteria
- 2.11. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. (V4 1.15)
- 2.12. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H) above. (V4 1.16)
- 2.13. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MW in a single Interconnection. (V4 1.17)

39 Version 5 Impact Rating Criteria: Low Impact Rating (L)
BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 Facilities, of this standard:
- 3.1. Control Centers and backup Control Centers
- 3.2. Transmission stations and substations
- 3.3. Generation resources
- 3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements. (V4 1.4 & 1.5)
- 3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System. (V4 1.12)
- 3.6. For Distribution Providers, Protection Systems specified in the Applicability section above. (V & 1.13)
40 CIP Standards Version 5: Non-CCA assets in Version 3 are also covered
- Non-Critical Cyber Assets within an ESP are now named Protected Cyber Assets, are associated with a BES Cyber System, and are called out in the Applicable Systems column
- EACMS and PACS are associated with a BES Cyber System, and are called out in the Applicable Systems column

41 CIP Standards Version 5: High Water Marking
- Within an ESP, all systems are treated as if they are at the highest impact level of any system in the same ESP
- Includes non-impactful Cyber Assets (e.g., market systems, distribution systems, corporate systems) (see definition of PCA)
[Illustrations: an ESP containing a market system, a Medium Impact BES Cyber System and a High Impact BES Cyber System, all treated as High Impact BES Cyber Systems; an ESP containing a Low Impact and a Medium Impact BES Cyber System, all treated as Medium Impact BES Cyber Systems]
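The BES Cyber Asset definition (slide 18), the PCA definition (slide 22) and the high water mark rule on this slide combine into one classification decision for every device inside an ESP: first the 30-day transient exclusion, then the 15-minute impact test, then inheritance of the highest rating in the perimeter. The block below is an added example, not code from the slide deck or from NERC, that applies those three rules in that order to a constructed ESP inventory; the asset names, impact times and connection durations are hypothetical.

```python
"""Applicable impact rating of every Cyber Asset inside one ESP.

Added example, not from the NERC slide deck. Rules implemented, as stated on the
slides: (1) a Cyber Asset connected for 30 consecutive days or less for data
transfer, vulnerability assessment, maintenance or troubleshooting is neither a
BES Cyber Asset nor a PCA; (2) a Cyber Asset is a BES Cyber Asset only if its loss
or misuse would affect BES reliable operation within 15 minutes (redundancy is not
credited); (3) everything else in the ESP that is not part of the highest-impact
BES Cyber System is a PCA and inherits that rating (high water mark).
All asset records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
TRANSIENT_PURPOSES = {"data transfer", "vulnerability assessment",
                      "maintenance", "troubleshooting"}
TRANSIENT_MAX_DAYS = 30
IMPACT_WINDOW_MINUTES = 15


@dataclass(frozen=True)
class CyberAsset:
    name: str
    impact_minutes: Optional[int]  # minutes until loss/misuse affects BES ops; None = no BES effect
    own_rating: Optional[str]      # Attachment 1 rating of its own BES Cyber System, if any
    connected_days: int            # consecutive days connected inside the ESP
    purpose: str                   # why it is connected


def is_transient(a: CyberAsset) -> bool:
    """30-day exclusion: short-lived connections for listed purposes are out of scope."""
    return a.connected_days <= TRANSIENT_MAX_DAYS and a.purpose in TRANSIENT_PURPOSES


def is_bes_cyber_asset(a: CyberAsset) -> bool:
    """15-minute test; the redundancy of whatever it affects is deliberately not considered."""
    if is_transient(a):
        return False
    return a.impact_minutes is not None and a.impact_minutes <= IMPACT_WINDOW_MINUTES


def esp_high_water_mark(assets: Iterable[CyberAsset]) -> Optional[str]:
    """Highest rating of any BES Cyber System whose BES Cyber Assets sit in this ESP."""
    ratings = [a.own_rating for a in assets if is_bes_cyber_asset(a) and a.own_rating]
    return max(ratings, key=RANK.__getitem__) if ratings else None


def applicable_ratings(assets: Iterable[CyberAsset]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {asset name: (classification, applicable impact rating)} for the ESP."""
    assets = list(assets)
    hwm = esp_high_water_mark(assets)
    result = {}
    for a in assets:
        if is_transient(a):
            result[a.name] = ("transient (excluded)", None)
        elif hwm is None:
            result[a.name] = ("not in scope (no BES Cyber Asset in ESP)", None)
        elif is_bes_cyber_asset(a) and a.own_rating == hwm:
            result[a.name] = ("BES Cyber Asset", hwm)
        else:
            # Lower-rated BES Cyber Assets, non-impactful market/corporate systems and
            # slow-impact devices alike: all PCAs at the ESP's high water mark.
            result[a.name] = ("Protected Cyber Asset", hwm)
    return result


# Constructed inventories (hypothetical device names).
ESP_CONTROL_CENTER = [
    CyberAsset("ems-scada-01", 5, "HIGH", 400, "operations"),
    CyberAsset("agc-02", 10, "MEDIUM", 400, "operations"),        # Medium BCA in a High ESP
    CyberAsset("market-web-01", None, None, 400, "operations"),   # market system, no BES effect
    CyberAsset("historian-01", 120, None, 400, "operations"),     # effect only after 2 hours
    CyberAsset("vendor-laptop", 5, None, 3, "troubleshooting"),   # 3 days: transient
    CyberAsset("vendor-laptop-2", 5, None, 31, "troubleshooting"),  # 31 days: exclusion lost
]
ESP_SUBSTATION = [
    CyberAsset("rtu-01", 2, "MEDIUM", 400, "operations"),
    CyberAsset("relay-ied-07", 1, "LOW", 400, "operations"),
]

if __name__ == "__main__":
    for name, (kind, rating) in applicable_ratings(ESP_CONTROL_CENTER).items():
        print(f"{name:16s} {kind:40s} {rating}")
```

Note the two laptops: the same device with the same 15-minute impact is excluded on day 3 and becomes a High-rated PCA (and, by the 15-minute test, a BES Cyber Asset) on day 31, which is why transient-device connection dates have to be tracked rather than assumed.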
42 CIP Standards Version 5: layout of a requirement page
[Annotated slide image showing, for each standard: Rationale, Guidance & Changes; the main Requirement and Measure; the Applicable Systems for each requirement part; the requirement part text; the requirement part Measure text; the requirement part Reference; and the requirement part change rationale]

43 CIP Standards Version 5: Format
- Follows the Results-based Standards format
- Background section before the requirements
- Requirement and Measure next to each other
- Rationale and guidance developed in parallel with the requirements
- Two posting formats: one with guidance/rationale text boxes inline; the other with guidance and rationale text grouped at the end
- Still must audit only to the requirement
- Guidelines and Technical Basis section at the end

44 CIP Standards Version 5: Applicable Systems column in tables
- States which systems the row in the table applies to
- Listed in each standard
- Specific phrases consistent across all standards
- A requirement part (row) may have multiple applicability statements
- Examples:
  o High Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems at Control Centers
  o Medium Impact BES Cyber Systems with External Routable Connectivity
  o Protected Cyber Assets
  o Electronic Access Control Systems

45 CIP Standards Version 5: Connectivity and Low Impact
- Connectivity is no longer a blanket exemption
  o Now listed in the applicability section: Routable Connectivity or Dial-up Connectivity
  o Routable protocol applicability now applies where large-volume, real-time communications requirements are listed (e.g., logging)
- Low Impact: CIP Requirement R2
  o Programmatic controls (i.e., "have a program for")
  o Requires physical and cyber security protections for locations containing Low Impact BES Cyber Systems
  o Does not require lists of every Low Impact BES Cyber System

46 CIP Standards Version 5: TFEs and Measures
- TFEs
  o Attempting to minimize required TFEs (e.g., anti-malware on switches)
  o Reduced from 14 requirements/sub-requirements to 8 requirements (13 parts)
  o But TFEs remain (including new ones where existing V1 to V4 problems exist)
  o Added "per Cyber Asset capability" language to allow strict compliance with the language of the requirement without requiring a TFE (~5 requirements)
- Measures
  o Guidance to auditors as well as entities
  o "An example of evidence may include, but is not limited to, ..."
  o No longer a meaningless restatement of the requirement

47 CIP Standards Version 5: Bulleted lists vs. numbered lists
- Bulleted lists are separated by "or"; they imply that not all of the items in the list are required
- Numbered lists are separated by "and"; they imply that all of the items in the list are required
- Both bulleted and numbered lists are used in both requirements and measures
48 Features of Version 5
- Closes out directives in FERC Order No. 706 (also, FERC Order No. 761 imposed a March 31, 2013 filing deadline)
- Results-based standards
  o Focus on the reliability- and security-related result
  o Non-technology specific
- Smarter use of the Technical Feasibility Exception (TFE) process
  o Plain language of the requirement, i.e., "per device capability"
- Risk-informed systems approach
  o Adopt solutions and tailor security based on function and risk
  o No longer a harsh "in or out" demarcation for applicability
  o Impact and connectivity inform applicability

49 Features of Version 5: Systems approach illustration
- Cyber Assets function together as a complex system
- Identify the system and apply requirements to the whole rather than the part
- High water marking inside the boundary

50 Features of Version 5: Paradigm shift that builds on experience
- Informed by and responsive to implementation and audit lessons from Versions 1 through 3
- Framework for establishing a culture of security
- Balanced flexibility
  o Demonstrates clear accountability for Critical Infrastructure Protection, yet...
  o Allows adaptation of requirements to individual operations
  o Specifies what to achieve, but is broad in how to get there
51 CIP Standards Version 5: Proposed Effective Date (from CIP-002-5; all standards use the same language)
Months Minimum
1. CIP shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, CIP shall become effective on the first day of the ninth calendar quarter following Board of Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

52 CIP Standards Version 5: Implementation issues
- Specified initial performance of all periodic requirements in the implementation plan
- 24 months following regulatory approval for all requirements
- Identity verification does not need to be repeated
- Discussion of unplanned re-categorization to a higher impact level
- Discussion of disaster recovery actions
- Discussion of requirements applied to access control systems (physical and electronic), and Protected Cyber Assets

53 CIP Standards Version 5: Applicability Section
- Section 4.1 Functional Entities
  o Describes which asset owners, based on their functional model designation and specific ownership of assets, must comply with the standards
  o May have no qualifications: applies to all entities registered for that function
- Section 4.2 Facilities
  o Describes which assets must comply with the standards
  o May have no qualifications: applies to all BES assets owned by that function

54 CIP Standards Version 5: Applicability Example
- For Distribution Providers, only those registered DPs that own specifically called-out pieces of equipment, such as UFLS systems, must comply with the standards
- For those DPs, only the specifically called-out pieces of equipment must comply with the standards
- If a DP does not own any called-out equipment, it does not need to comply with the standards
- If a DP owns a piece of called-out equipment, only that called-out equipment must comply with the standards

55-57 CIP Standards Version 5
[Slide images]
58 CIP Standards Version 5: CIP through CIP-009-5, CIP-010-1, CIP-011-1
- Results-based Standard format
- Requirements and measures together
- Guidance and rationale in text boxes
- Looks bigger: ~1 printout for Version 5 compared to ~1/4 printout for Version 3/4
- Includes much more guidance and rationale for each requirement

59 CIP Standards Version 5: Requirement counts
- CIP-002-5: Requirements; 5 Parts; Attachment with bright lines for High and Medium
- CIP-003-5: Requirements; 13 Parts
- CIP-004-5: Requirements; 18 Parts
- CIP-005-5: Requirements; 8 Parts
- CIP-006-5: Requirements; 13 Parts
- CIP-007-5: Requirements; 20 Parts
- CIP-008-5: Requirements; 9 Parts
- CIP-009-5: Requirements; 10 Parts
- CIP-010-1: Requirements; 10 Parts
- CIP-011-1: Requirements; 4 Parts
- Total: 32 Requirements; 110 Parts

60 Version 3 Requirement Counts
- CIP-002-3: Requirements; 0 sub-requirements
- CIP-003-3: Requirements; 18 sub-requirements
- CIP-004-3: Requirements; 12 sub-requirements
- CIP-005-3: Requirements; 26 sub-requirements
- CIP-006-3: Requirements; 15 sub-requirements
- CIP-007-3: Requirements; 34 sub-requirements
- CIP-008-3: Requirements; 6 sub-requirements
- CIP-009-3: Requirements; 2 sub-requirements
- Total: 43 Requirements; 113 sub-requirements

61 CIP Standards Version 5: Sub-Requirements vs. Requirement Parts
- Sub-Requirements (Version 3)
  o Each Requirement / Sub-Requirement is a compliance touch-point
  o Non-compliance with a sub-requirement stands on its own
  o Sub-requirements have independent VSLs (unless rolled up)
- Requirement Parts (Version 5)
  o Only the Requirement is a compliance touch-point
  o Cannot be independently in non-compliance with a Part
  o VSLs written only at the Requirement level (making very long and complicated VSL language)
  o Parts allow flexibility in development and implementation of the requirement
62 Version 5 Technical Webinars
- Draft 1 Technical Webinar on format and CIP-002, industry lead, November 15, 2011
- Draft 1 Technical Webinar on CIP-003 through CIP-011, industry lead, November 29, 2011 (

63 Version 5 Webinars
- Draft 2 Technical Webinar, SDT lead, April 10, 2012
- Draft 3 Technical Webinar, SDT lead, September 21, 2012 (

64 CIP Standards Version 5: Changes
- Annual interaction with CAN-0010: now 15 months
- Monthly requirements changed to 35 days
- Measures are examples with bulleted lists; format, wording
- Compliance artifacts in requirements (e.g., "documentation of")
- LSE removed, replaced with DP
  o LSE functions have changed since the original standards development timeframe
- 300 MW threshold on UFLS/UVLS
  o No justification for a different value
- Notifications: IROL, must run (resolving as part of V4)
  o IROLs in WECC

65 CIP Standards Version 5: Changes
- Definition / threshold of Control Center
  o Includes data centers
- Connectivity (routable, dial-up)
- Low Impact (policy only)
  o List not required
- Date tracking (PRA, training, access, etc.)
- Access revocation (reassignments, timing, "immediate")
- Removed 99.9% availability phrasing
  o Difficult to track and audit
- Interactive Remote Access
  o Clarify encryption and multi-factor authentication points
  o Remove examples from requirements / purpose of encryption

66 CIP Standards Version 5: Changes
- Ports & Services
  o Physical ports: FERC Directive
- No remediation plan if patches are installed within 35 days
  o Allow updates to existing plans rather than new plans all the time
- Periodic review of patch sources, not individual patches
- Anti-malware: clarify system level
- "Per device capability" clauses added
- Password changing / pseudorandom passwords (RuggedCom vulnerability impacts)
- Evidence retention (compliance vs. security monitoring)

67 CIP Standards Version 5: Changes
- Take back reporting requirement from EOP-004 into CIP-008
- Guidance on active vs. passive vulnerability assessment
- V4 bypass language still in the implementation plan
68 Issued April 18, 2013 Version 5 NOPR Posted at 75 pages Comments due June 24, 2013 (60 days after publication in Federal Register) Contains 48 specific requests for comment (may be overlap) Proposes 11 directives for change Proposes 16 areas where FERC may direct changes 69 RELIABILITY ACCOUNTABILITY
69 Major Themes: Identify, Assess and Correct language Impact Categorization Version 5 NOPR o No reference to studies supporting bright-line thresholds o No consideration of coordinated attack on multiple low impact systems o Only based on BES impact (i.e., no assessment of confidentiality, integrity or availability ) Low Impact BES cyber Systems o Specificity of requirements o Lack of inventory 70 RELIABILITY ACCOUNTABILITY
Version 5 NOPR
Definitions:
o 15 minute impact in BES Cyber Asset
o Generation Control Centers (vs. control rooms)
o Removal of communication networks from Cyber Asset
o Use of "reliability tasks" phrase
o Intermediate System vs. intermediate device
Version 5 NOPR
Implementation Plan
o Proposes to accept the Version 4 bypass language
o Are 24/36 months necessary?
Violation Risk Factors
o Inconsistent with prior versions
Violation Severity Levels
o Inconsistent with Commission guidelines
o May need to be modified based on outcome of IAC discussion
Version 5 NOPR
New Topics (post Order No. 706)
Communications Security
o Including encryption, protections for serial communications
Remote Access (more than proposed Version 5 language?)
o May already be covered by Version 5 language
NIST topics
o Maintenance devices
o Separation of duties
o Threat / risk based categorization
o May include other areas
May be others
Version 5 NOPR
NERC Response: 60 page response (largest response)
o ( 20DL/NERC%20Comments%20to%20CIPV5%20NOPR%20_%20FINAL.pdf)
Supports standards as filed:
o IAC:
- Discusses meaning of IAC language
- Reliability benefit of IAC language
- Compliance obligations of IAC language
- Consistency with NIST Framework
o BES Cyber Asset Categorization and Protection
- Supports Facility rating approach
- Protections of low impact BES Cyber Assets
- Supports not requiring inventory of low impact BES Cyber Assets
Version 5 NOPR
NERC Response (continued):
o Definitions: BES Cyber Asset
- 15-minute parameter
- 30-day exclusion
o Definitions: Control Center
- Geographically dispersed generating plants
o Definitions: Cyber Assets
- Removal of communications networks
o Definitions: Reliability Tasks
- Well-understood term
o Definitions: Intermediate Devices
- Filing oversight
Version 5 NOPR
NERC Response (continued):
o Implementation Plan:
- 24- and 36-month timeframes appropriate and necessary
- Transition guidance and pilot program
o VRF & VSL
- Severity of violation as expressed in duration of violation
- Not two separate violations
o Other Technical Concerns
- Technical conferences to discuss issues
- Use Reliability Standards Development Process
o Remote Access
- Concerns addressed in CIP
Version 5 NOPR
NOPR Comments:
65 files submitted from 62 parties
782 pages
Generally supportive of NERC positions
o Issues with IAC language
o Issues with RFA analysis and estimates (cost & time)
Next Steps:
FERC must read, summarize and react to all comments while writing final rule
Version 5 Final Rule
Final Rule issued November 22, 2013
Docket RM13-5
Order No. 791
Published in Federal Register December 3, 2013
Final Rule Highlights
Effective Date of Final Rule: February 3, 2014
Effective Date for Compliance with all non-periodic requirements:
o April 1, 2016 for High and Medium Impact
o April 1, 2017 for Low Impact
Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1
Final Rule Highlights
Approved technical requirements
Approved 19 definitions
Approved implementation plan
Approved bypass of Version 4
Approved, with modifications, VRF / VSL
Final Rule Highlights
Submit modified VRF / VSL within 90 days
Submit two directed changes and one informational filing within one year
o IAC
o Communications Networks
o Survey: 15-minute clause
Two other directed changes do not have specified time frame
o Low Impact BES Cyber Systems
o Transient Devices
IAC Language
Address concerns with IAC language
Prefer to have compliance language removed from requirements
Allow for flexibility for addressing concerns
Supports move away from zero tolerance compliance approach for the 17 requirements
IAC language ambiguous; concerns about inconsistent application, unclear expectations placed on industry
Submit within one year
BES Cyber Asset Categorization
Allow impact-based categorization
o May revisit in future
Not persuaded to move blackstart from Low to Medium, but may revisit
Does not consider connectivity, but may revisit
Confirm that Low will not include non-BES assets
Low Impact Requirements
Lack of objective criteria for evaluating Low Impact protections
o Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process
Open to alternative approaches: "the criteria NERC proposes for evaluating a responsible entity's protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified."
No detailed inventory required; list of locations / Facilities OK
15-Minute Parameter
Survey industry about impacts of 15-minute parameter during transition period
o What Cyber Assets are included / excluded by the 15-minute parameter
Informational filing to FERC in one year
Commission may revisit issue following informational filing
30-Day Exemption in Definition
Do not direct change to definition
Directed modifications to address transient devices issues
Transient Devices
Devices connected for less than 30 days (USB, laptop, etc.)
Direct modifications to address the following concerns:
o Device authorization
o Software authorization
o Security patch management
o Malware prevention
o Unauthorized physical access
o Procedures for connecting to different impact level systems
Control Center
Accept definition without change
Communications Network
Approve definition of Cyber Asset without change
Direct creation of definition of communication networks and requirements to address issues:
o Locked wiring closets
o Disconnected or locked spare jacks
o Protection of cabling by conduit or cable trays
Submit within one year
Include discussion in FERC Staff-led conference
Reliability Tasks
No need to define phrase
Refers to Functional Model tasks
Intermediate Devices
Accept errata filing (Intermediate Devices -> Intermediate Systems)
Implementation Plan
Approve Implementation Plan as filed
o 24-month for High & Medium
o 36-month for Low
o Bypass Version 4
Support NERC proposal to develop transition guidance and pilot program
Declined to extend implementation plan
Not persuaded to allow early shift to V5
o "However, issues of early compliance can be addressed by NERC and Registered Entities as appropriate."
VRF / VSL
Approve 30 (of 32) VRFs
o Move two VRFs from Lower to Medium
Modify VSLs:
o IAC language
o Address typographical errors
o Clarify unexplained elements
Submit within 90 days
Additional VSL changes will be required for any changed requirement
o IAC
FERC Staff-led Conference
FERC Staff-led conference within 180 days
o NIST Framework for categorizations (C-I-A)
o Communications security
o Remote access
o Differences between CIP & NIST
May produce new or modified directives
Errata Notice
Issued Dec 13, 2013
Corrects P 16 of order to confirm effective date of standard:
"This errata notice serves to correct P 16. Specifically, the reference to 'eighth' in the seventh line of P 16 is changed to '[ninth].' The sentence as revised would thus read, 'NERC requests that the CIP version 5 Standards become effective on the first day of the [ninth] calendar quarter after a Final Rule is issued in this docket.'"
VRF/VSL Compliance Filing
Updated VRFs & VSLs filed with FERC on May 15, 2014
o Response to Order No. 791
VRF modifications filed for:
o CIP-006-5, Requirement R3
o CIP , Requirement R4
VSL modifications filed for:
o CIP-003-5, Requirements R1 and R2
o CIP , Requirement R4
o CIP-008-5, Requirement R2
o CIP-009-5, Requirement R3
Filing approved on July 9, 2014 by Letter Order
Steps Forward
Any change to the requirements language must be made pursuant to the NERC Standards Process Manual
o Standards Drafting Team will need to be involved
o Opportunity for industry comment and ballot
Two directives with timeframes
o Must file in prescribed timeframe
Desire to address all directives as soon as possible
VRF/VSL changes and Survey will happen outside of standards development process
References
Project Development History:
Version 4 page:
Version 4 Guidance Document
Version 5 page:
Version 5 Transition Guidance
V5%20Transition%20Guidance%20FINAL.pdf
Questions
Scott Mix, CISSP
Senior CIP Technical Manager
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationSecure Substation Automation for Operations & Maintenance
Secure Substation Automation for Operations & Maintenance Byron Flynn GE Energy 1. Abstract Today s Cyber Security requirements have created a need to redesign the Station Automation Architectures to provide
More informationCIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011
CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 1 Purpose Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building
More informationFERC, NERC and Emerging CIP Standards
Protecting Critical Infrastructure and Cyber Assets in Power Generation and Distribution Embracing standards helps prevent costly fines and improves operational efficiency Bradford Hegrat, CISSP, Principal
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationNERC CIP Compliance Gaining Oversight with ConsoleWorks
NERC CIP Compliance Gaining Oversight with ConsoleWorks The current challenge for many Utility companies is finding efficient ways to gain oversight and control over NERC CIP regulation compliance. NERC
More informationSecurity and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More informationNERC CIP Implementation Prepared by David Grubbs City of Garland NERC Critical Infrastructure Protection Committee (CIPC) Municipal Systems are well represented on the NERC CIPC Committee David Grubbs,
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationContinuous Compliance for Energy and Nuclear Facility Cyber Security Regulations
Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of
More informationNERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com
NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More information