CIP Version 5 Mitigation Best Practices

Transcription

1 Spring Standards & Compliance Workshop CIP Version 5 Mitigation Best Practices Joseph Younger Manager, Enforcement

2 Most Violated Standards Most Violated Standards Rank Standard Violations # Percent 1 CIP % 2 PRC % 3 CIP % Most Violated Standards Rank Standard Violations # Percent 1 CIP % 2 CIP % 3 PRC % 4 CIP % 2

3 Overview Breaking down CIP-004 and CIP-007 by individual requirement Eight of the nine CIP-004 Issues from 2015 involved Access Issues CIP-004-3a, R4 Six of the eight CIP-007 Issues from 2015 involved Account Management Issues CIP-007-3a, R5 3

4 Overview, cont. These are the most frequently violated requirements at Texas RE! 4

5 Agenda Two topics to discuss today in connection with CIP-007 and CIP-004: What is new for these Standard requirements under CIP Version 5? What are some effective mitigation strategies registered entities can employ to avoid recurrence of issues with these new Standard requirements? 5

6 CIP-004, R4 Common Fact Pattern An employee with access to CCAs transfers from one role within the company to another. This new role also changes the employee s electronic and/or physical access needs. WHAT HAD TO HAPPEN UNDER CIP : Revoke the transferring employee s old CCA access rights within 7 days (CIP-004-3a, R4.2) Update the Access List to CCAs within 7 days (CIP-004-3a, R4.1) 6

7 What Goes Wrong COMMON REVOCATION PROCESS Manager/HR Submits a ticket or form to initiate the revocation and update access list HR, Compliance, IT or Supervisor approves revocation request/updates list The transferring manager does not timely trigger the Access Revocation or Access List Updating Processes Does not follow procedures May not be aware that the circumstances require a change Does the revocation, but does not update the list The individual or group tasked with approving the access revocation, implementing the change, and/or updating the Access List fails to do so in a timely manner Responsibilities were not clearly assigned 7

8 Typical Approaches to Mitigation COMMON REVOCATION PROCESS Manager/HR Submits a ticket or form to initiate the revocation and update access list HR, Compliance, IT or Supervisor approves revocation request/updates list Mitigation focuses on human performance errors or needs for clarification within this process. Training on responsibilities for managers, HR, etc. Revising procedures to better define roles, enhance controls over the hand-off processes, and ensure better communication between responsible groups Bolster automated processes, like reminder s 8

9 What is New in CIP-004-6, R4 & R5 Less Stringent Timing Regarding Documentation (R4) More Stringent Timing Regarding Actual Access Revocations (R5) 9

10 What is New in CIP-004-6, R4 & R5 All access revocations have to occur by the end of the next calendar day The new R5 largely eliminates the revocation distinction between terminations, transfers and reassignments Access Lists no longer have to be updated within seven days Quarterly review of authorization records Verification once every 15 months that all electronic access user accounts and categories are correct Verification once every 15 months that access to designated BES Cyber system information storage locations is correct 10

11 Access Revocations For Access Revocations, there is more pressure on your internal processes Transfers, reassignments and other access status change events need to be clearly defined and documented Once a status change is triggered, any requests and approvals must happen within one day after the documented transition period Much greater opportunity for human error 11

12 Effective Revocation Process Initial transfer notification to employee Predetermined date that access is no longer needed. Access automatically terminated. Employee Reassignment or Transfer Authorization New Manager grants access to the reassigned employee 12

13 What is New in CIP-004-6, R5 Documentation: Compliance now focuses on maintaining and periodically reviewing records New standard does not require immediate updates to access lists and authorization records The best practice is to do these steps simultaneously and make the relevant list updates automatic 13

14 Enhanced Mitigation for CIP-004-6, R5 Develop clear procedures that include appropriate updates for access to all accounts and account groups Maintain authorization records as part of the access change process Incorporate review of electronic and physical access privilege records into the required quarterly authorization review process Provides multiple opportunities to ensure that access records are correct Avoids personnel issues 14

15 CIP-007, R5 Common Fact Pattern An employee shares his or her unique password with another member of his or her team. The other employee receiving the password has authorized physical access, but not the appropriate electronic access authorizations. CIP-007-3, R5 and related requirements R5: The entity shall establish, document, and implement technical and procedural controls that enforce access authorization of, and accountability for, all user activity and that minimize the risk of unauthorized system access 5.1: Access permissions for individual and shared accounts should be consistent with the need to know concept Also implicates CIP-004-3a, R4, which requires entities to maintain a list of personnel with authorized access 15

16 The New CIP Version 5 Requirements CIP Version 5 has similar access authorization and password sharing concepts CIP-004-6, R4: P4.1: Process to authorize based on need, as determined by the Responsible Entity CIP-007-6, P5.3: Identify individuals who have authorized access to shared accounts. CIP-004-6, R4 concepts apply if unauthorized access last for a significant period of time 16

17 Typical Approaches to Mitigation Typical mitigation measures have focused on training and procedures Training for employees regarding password sharing policies and need to know issues Enhanced processes and procedures regarding password sharing Entities have also used some technological enhancements such as password and data monitoring software 17

18 Enhanced Mitigation under CIP Version 5 Entities have deployed Electronic Access Control or Monitoring Systems for password management Additional software enhancements build upon prior mitigation measures around training, data monitoring, and process reviews 18

19 Electronic Access Control or Monitoring Systems CORPORATE ACTIVE DIRECTORY NETWORK INTERMEDIATE SYSTEM USER SUBSTATION PLC / Relay / RTU USER CONTROL CENTER 19

20 Effective Mitigation Under CIP Version 5 20

21 Takeaways Regarding Effective Mitigation Look for programmatic and organization deficiencies These can be both technical and managerial in nature Identify human-error drivers Re-train individuals (frequently) and close the gap Keep a clean house Have tools in place to understand the types of activities and interactions on your system, track them and address issues proactively 21

22 Takeaways Regarding Effective Mitigation Restrict situations in which a mistake leads to a violation and give employees the tools to succeed in cases where such opportunities remain. 22

23 Questions? 23