CIP R2 BES Assets Containing Low Impact BCS. Lisa Wood, CISA, CBRA, CBRM Compliance Auditor Cyber Security

Transcription

1 CIP R2 BES Assets Containing Low Impact BCS Lisa Wood, CISA, CBRA, CBRM Compliance Auditor Cyber Security

2 Slide 2 About Me Been with WECC for 5 years 1 ½ years as a Compliance Program Coordinator 2 Years as an Associate Compliance Auditor 1 Year as a Compliance Auditor, Cyber Security OPSGEAR for 1 year Risk JPMorgan Chase for 7 years

3 Slide 3 Agenda Day 1 Recap CIP R2 Low Impact Update Attachment 1 overview Attachment G (per section) Examples of Evidence (per section) Considerations (per section) Questions

4 Slide 4 Day 1 Recap Discussed SDT updates to Low Impact (CIP R2), and Guidelines and Technical Basis Overview of CIP Applied IRC to BILL s BES Assets Determined impact rating for each BES Asset Identified which of BILL s BES Assets fell into Low impact rating

5 Slide x166.jpg

6 Slide 6 Low Impact Progress Changes to Requirement language Added Attachment 1 & 2 Developed a tiered approach to implementation timeline of Low Impact Newly defined terms: Low Impact External Routable Connectivity Low Impact BES Cyber System Electronic Access Point

7 Slide 7 CIP R1 Policies R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any: Cyber security awareness; Physical security controls; Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and Cyber Security Incident response (NERC, 2015, CIP Cyber Security, p.5)

8 Slide 8 CIP R2 Language R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning] Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required. (NERC, 2015, CIP Cyber Security, p.8)

9 Slide 9 Attachment 1 Added Attachment 1 Required Sections for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems (LIBCS). Includes the four (4) subject matter areas that were developed in response to FERC s concerns in Order 791 relative to specific controls and objective criteria for Low-impact BCS: Cyber Security Awareness Physical Security Controls Electronic Access Controls Cyber Security Incident Response

10 Slide 10 Attachment 1 (continued) Provides flexibility on how to apply the required security controls Utilization of High and Medium Impact BCS policies, procedures, and processes for your Low Impact BCS Can develop Cyber Security plans by asset or group of assets

11 Slide 11 Attachment 2 Added Attachment 2 Examples of Evidence for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems High level, non-prescriptive Is not all-inclusive

12 Slide 12 Important Actions/Dates Ballot came back February 2, 2015 Board of Trustees Approval February 12, 2015 Filed with FERC February 13, 2015 Pending Regulatory decision

13 Slide 13 Tiered Approach to Implementation

14 Slide 14 Newly Defined Terms Low Impact External Routable Connectivity (LERC) Direct user-initiated interactive access or a direct device-todevice connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC GOOSE or vendor proprietary protocols). (NERC, 2015, Definition of Terms, p. 1)

15 Slide 15 Newly Defined Terms (continued) Low Impact BES Cyber System Electronic Access Point (LEAP) A Cyber Asset interface that controls Low Impact External Routable Connectivity (LERC). The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems. (NERC, 2015, Definition of Terms, p. 1)

16 Slide 16 Newly Defined Terms What is the reason for them? To differentiate the obligations and implementations of Low Impact BCS from the High and Medium Impact BCS

17 Slide 17 Attachment G: Pre-Audit Data Request Provide: (a) a list of BES assets [R1.3] that contain Low Impact BCS, as determined by the application of the CIP IRC, (b) plan documentation (c) documentation the plans were implemented

18 Slide 18 Audit Approach Does the entity have a list of BES assets containing low impact BES Cyber Systems? Does the entity have documented Cyber Security Plan(s) for low impact BCS? Did the entity implement the plans and controls in Attachment 1?

19 Slide 19 Examples of Evidence Spreadsheet or list of BES assets containing Low Impact BCS Cyber Security Plan(s) documentation Evidence of implementation of the Cyber Security Plan(s) and associated controls

20 Slide 20 Attachment 1 Section 1. Cyber Security Awareness

21 Slide 21 Attachment 1 - Section 1 1. Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices, (which may include associated physical security practices).

22 Slide 22 Attachment G: Pre-Audit Data Request Section 1 Cyber Security Awareness Provide plan documentation including policies, programs, and processes. Provide documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months.

23 Slide 23 Audit Approach Did the entity document the cyber security practices? Do the practices cover the protection of Low Impact BES Cyber Systems (logical or physical)? What is the entity s process for reinforcing the documented cyber security practices? Did the entity follow the documented processes for reinforcing the cyber security practices once every 15 months?

24 Slide 24 Examples of Evidence Cyber Security Awareness Plan Documentation Evidence of reinforcement Direct Communications s Memos Computer-based training What else?

25 Slide 25 Examples of Evidence Evidence of reinforcement (continued) Indirect Communications Posters Intranet Brochures Company Newsletters Coffee mugs Management Support and Reinforcement Presentations w/ agenda and topics

26 Slide 26 Cyber Security Awareness Considerations Five do s for a Security Awareness program: 1. Ensure executive support and management buyin 2. Make it fun 3. Include posters, newsletters, tips, and reminders 4. Focus on changing behaviors 5. Solicit end-user ideas

27 Slide 27 Security Awareness Resources SANS Securing the Human Resources anning Planning Measuring results Posters

28 Slide 28 Attachment 1 Section 2. Physical Security Controls

29 Speaker Intro: Darren T. Nielsen, CPP, PSP, PCI, CISA, CBRM, CBRA, 25 years Physical Security Experience Marine Corps Veteran (PRP) Retired Law Enforcement Officer 8 years Critical Infrastructure Protection Program ASIS Utilities Security Council - Chair ASIS Physical Security Council Degrees: M.Ad. (Leadership Emphasis) w/distinction- Northern Arizona University BA- Police Science- Ottawa University (Summa Cum Laude)

30 30 OVERVIEW Known Unknown Suggestions

31 Slide 31 Audit Approach-Low Impact shall control physical access, based on need as determined by the responsible entity Need should be a business justification based on a risk determination Risk = Threat x Vulnerability x Consequence

32 Slide 32 Section 2 - Audit Approach Risk = Threat x Vulnerability x Consequence Threat Who or what could damage the facility or asset(s)? Vulnerability How easily could that damage be carried out? Consequence How bad would the damage be in the larger picture? W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

33 Slide 33 Attachment G: CIP R2 Evidence Section 2 Physical Security Controls Provide (a) documentation of the selected controls, (b) an explanation and rationale for the selected controls, and (c) documented policies, procedures, and processes for controlling physical access, specific to those controls. Provide documentation that the selected controls were implemented to control access to the asset, if any, or the location of the BES Cyber System within the asset; and the Cyber Asset containing LEAP, if any.

34 Slide 34 Section 2 - Audit Approach What are the controls the entity selected and why? The why is where the entity should explain how they determined the need for the selected controls ( based on need as determined by the Responsible Entity ) Do the policies, procedures, and processes address the selected controls? Did the entity implement the controls?

35 Slide 35 Section 2 Audit Approach (cont.) Do the selected controls address the Asset or the location of the LIBCS? Does the entity have any LEAPs and do they have controls in place to control physical access to the LEAP?

36 Slide 36 Components of Physical Security Access Control Perimeter or barrier Access Points Doors Windows Ducts Locks and/or Security Guard Monitoring Alert or alarm when the barrier has been crossed Human observation Direct Video Alarm system Logging Who crossed the barrier? When did they cross it?

37 Slide 37 Examples of Evidence Documentation of security controls including rationale for selecting those controls May include: Physical security plan/program Site-specific plans List of controls for each LIBCS Evidence of security control implementation Photographs Direct Observation Access Logs Diagrams/Facility Maps

38 Slide 38 Attachment 1 Section 3. Electronic Access Controls

39 Morgan King, CISSP-ISSAP, CISA Slide 39 Senior Compliance Auditor, Cyber Security

40 Requirement R2, Attachment 1, Section 3 Electronic Access Controls Slide 40 Establishment of boundary protections From devices external to the asset containing the low impact BES Cyber Systems Control communication either into the asset containing low impact BES Cyber System(s) At the low impact BES Cyber System itself Reduce the risks associated with uncontrolled communication using routable protocols or Dial-up Connectivity February 5, 2015

41 Slide 41 Attachment 1 Section 3 3. Electronic Access Controls: Each Responsible Entity shall : 3.1 For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access; and 3.2 Implement authentication of all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability. February 5, 2015

42 Requirement R2, Attachment 1, Section 3 Guidelines and Technical Basis electronic access control used in the general sense, i.e., to control access, and not in the specific technical sense requiring authentication, authorization, and auditing. Slide 42 February 5, 2015

43 Low Impact External Routable Connectivity (LERC) Slide 43 Direct user-initiated interactive access or a direct device-todevice connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-topoint communications between intelligent electronic devices that use routable communication protocols for time- sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC GOOSE or vendor proprietary protocols). February 5, 2015

44 Slide 44 LERC and ERC LERC Direct user initiated interactive access or a direct device to device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi directional routable protocol connection ERC The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection February 5, 2015

45 Slide 45 Determining LERC Direct user-initiated LERC exists if a person is sitting at another device outside of the asset containing the low impact BES Cyber System Person can connect to logon, configure, read, or interact, etc Device-to-device Devices outside of the asset containing the low impact BES Cyber System sending or receiving bi-directional routable communication from or to the low impact BES Cyber System February 5, 2015

46 Slide 46 IEC Complex protocol that has many uses both intra and inter substation communications Exemption language in the LERC definition is specifically crafted for those time sensitive messages does not exclude Control Center communication but rather excludes the communication between the intelligent electronic devices themselves GOOSE messages are only Layer aware RTU, using a Layer 3 routed protocol to a concentrator-like device communication would not be exempted from the CIP Standards February 5, 2015

47 Slide 47 Attachment G: CIP R2 Evidence Section 3 Electronic Access Controls For all Low Impact BES Assets containing LERC and/or Dial-up Connectivity, provide documentation of the controls designed to protect LIBCS using LERC and/or Dial-up Connectivity: For any LERC, configuration files of its associated LEAP(s). Documented controls and/or configuration files to authenticate all Dial-up Connectivity. Confirmation that the controls been implemented February 5, 2015

48 Slide 48 Guidelines and Technical Basis How does WECC consider G&TB for approach Used for just that guideline and basis Does not address every possible iteration to consider Audit to language of the requirement February 5, 2015

49 Slide 49 Section 3 - Audit Approach Is there LERC and/or Dial-up Connectivity? For any LERC, is there an established LEAP? If so, does that LEAP only permit necessary inbound and outbound access Are there controls to authenticate all Dial-up Connectivity? Have the controls been implemented? February 5, 2015

50 Examples of Evidence Slide 50 Implementing LEAP Configuration files and other documentation showing that inbound and outbound connections for any LEAP(s) are confined to only those the Responsible Entity deems necessary: Restricted IP addresses, ports, or services The entity s rationale for the necessary connections Documentation of Dial-up Connectivity authentication: Dial-out only to a preprogrammed number to deliver data, Dial-back modems, Modems that must be remotely controlled by the control center or control room, and/or Configuration files of dial-up access controls Asset capability exception must be well documented February 5, 2015

51 Reference Models Diagram 1 Host-based firewall Diagram 2 Security device Diagram 3 Location X security device Diagram 4 IP/Serial converter, directly addressable Diagram 6 No direct access, layer 7 break or authentication, no LERC Diagram 5 No bi-directional routable communication, no LERC Diagram 7 Mixed impact Cyber Asset w/ LEAP and EAP *Responsible Entities may have additional configurations not identified below. February 5, 2015

52 Slide 52 Guidance Diagram 1 February 5, 2015

53 Slide 53 Host-Based LEAP /etc/sysconfig/ipchains February 5, 2015

54 Slide 54 Guidance Diagram 2 (NERC, 2014, CIP-003-7: Cyber Security, p. 34) February 5, 2015

55 Slide 55 Diagram 2 LEAP February 5, 2015

59 Slide 59 Additional Considerations Regarding Reference Model - 3, would the topology shown remain valid if both Low Impact BES Assets were connected through a layer 2 switch before connecting to the LEAP shown at Location X and a cyber asset was added at each location that functioned as a authentication break as shown in Reference Model 6? February 5, 2015

60 Slide 60 Additional Considerations February 5, 2015

61 Slide 61 Additional Considerations February 5, 2015

62 Slide 62 Additional Considerations MAC filtering switch(config-if)# switchport port-security mac-address 0011.D9D0.00BE Private VLANs An entity should not consider utilizing layer 2 switch controls to segment mixed BCS Impact ratings Use of site-to-site tunnels February 5, 2015

63 Slide 63 Guidance Diagram 5 February 5, 2015

65 Slide

66 Slide 66 Attachment 1 Section 4. Cyber Security Incident Response

67 Slide 67 Attachment 1 Section 4 Section 4 Cyber Security Incident Response Have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include: 4.1 Identification, classification, and response to Cyber Security Incidents; 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law; 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

68 Slide 68 Attachment 1 Section 4 (cont.) 4.4 Incident handling for Cyber Security Incidents; 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.

69 Slide 69 Attachment G: CIP R2 Evidence Section 4 Cyber Security Incident Response Provide documentation the Cyber Security Incident Response plan includes the following: Procedures for identifying, classifying, and response to Cyber Security Incidents Procedure for determining whether an incident is reportable and for notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). Procedures for identifying the roles and responsibilities for Cyber Security Incident response by groups or individuals.

70 Slide 70 Attachment G: CIP R2 Evidence Procedures for handling Cyber Security Incidents Procedures for testing the Cyber Security Incident response plan at least once every 36 calendar months. Procedures for updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after an Incident response plan(s) test or an actual incident. Provide documentation the Cyber Security Incident response plan was implemented

71 Slide 71 Section 4 - Audit Approach Does the entity have a Cyber Security Incident Response plan and does it include the six (6) parts ( )? Is there evidence of the performance of testing? Was the plan updated within 180 calendar days after a test or incident? Did the entity have a reportable incident and can they demonstrate they followed the documented procedures?

72 Slide 72 Examples of Evidence Plan documentation including policies, procedures, or process documents with specific information that includes the six (6) parts Documentation of testing of the plan Documentation of any updates made to the plan

73 Cyber Security Incident Response Considerations Slide 73 Was the procedure followed? Was the incident response appropriate? Were the appropriate parties informed in a timely manner? Have changes been made to prevent a new or similar incident? What lessons have been learned form this incident?

74 Slide 74 Attachment G: Disclaimer Disclaimer The attachment G document specific to Low Impact assets is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package as of today.

75 Slide 75 Low Impact Lessons Learned None documented at this time As we get closer to April 1, 2017, NERC may provide lessons-learned that specifically address Low Impact BCS and the four (4) subject areas.

76 Slide 76 Mixed Impact Approach Section Section 1. Cyber Security Awareness Section 2. Physical Security Controls Section 3. Electronic Access Controls Section 4. Cyber Security Incident Response Approach Utilize the CIP R1, Security Awareness Program Consider how to demonstrate compliance Utilize CIP R1 Part 1.1, Physical Security Plan to define physical controls Utilize CIP R1, Part 1.2 identified Electronic Access Point Utilize CIP R1-R3 Relevant to Low impact Address the differences, specifically, testing (4.5) and updating the plan (4.6)

77 Slide 77 Low Only Impact Approach Use Attachment 1 as a starting point Add in the details of the plans and what controls you have in place Can be one document or four individual documents WICF is working on a Low Impact Cyber Security Plan

78 Slide 78 Low Impact BCS Audits What can you expect from an audit engagement perspective? Depends on the risk associated with the Low Impact assets and LIBCS A lot of new entities developing these programs WECC to provide more focused outreach? Implementation Study for Low Impact Assets?

79 Slide 79 Low Impact Applicable Requirements CIP R1 R2 Part 1.1 Part 1.2 Part 1.3 Part 2.1 Part 2.2 CIP R1 R2 R3 R4 Part 1.2 R1.2.1 R1.2.2 R1.2.3 R1.2.4

80 Slide 80 References NERC. (2015 January 23) CIP Cyber Security Security Management Controls, draft. Retrieved from: NERC. (2015 January 23) Definitions of Terms used in Standards. Retrieved from: ms_used_in_standard_clean.pdf NERC. (2015 January 23) Implementation Plan, Project CIP Version 5 Revisions. Retrieved from: an_clean.pdf

81 Slide 81 Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security Desk: Cell: