CIP v5/v6 Implementation Plan CIP v5 Workshop. Tony Purgar October 2-3, 2014

Transcription

1 CIP v5/v6 Implementation Plan CIP v5 Workshop Tony Purgar October 2-3, 2014

2 Revision History CIP v5/v6 Implementation Plan Change History Date Description Initial Release July 25, 2014 Revision V0.1 August-2014 Various content edits based on CIP SDT work from June through present. V0.2 9/8/14 Updated CIP v5 Transition guidance slides V0.3 9/11/14 Edits from internal CIP SME Peer Review V0.4 9/18/14 Edits added per ERO Workshop - added new slide 26. Updated links to NERC resources. Formatting updates to RF CIP v5 Focus group slides. V0.5 9/19/14 Per the Project CIP Version 5 Revisions Standard webinar on 9/19/14: Revised slides 3,14,21 Added slides V0.6 9/26/14 Revised title slide. Added LERP and LEAP to CIP Terms slide. Minor edits for finalization. 2

3 Agenda What is CIP v5/v6? How is CIP v5/v6 Different from v3? The makeup of CIP v5/v6 New / Modified Terms Facilities Comparison Decrypting v5/v6 - Reliability Standard Format / Structure CIP v3-v5 Transition Guidance Highlights CIP v5/v6 Work in Progress FERC Order 791 v5 Key Dates CIP v5 Implementation for Periodic Requirements CIP vx/v6 Implementation Timeline Proposal CIP v6 Implementation Timeline Proposals CIP v6 Implementation Next Steps RF CIP v5 Focus Group Q & A 3

4 What is CIP v5/v6? CIP v5 contains revisions to the initial Cyber Security Standards (CIP through CIP-009-1) mandated by FERC Order 706. CIP v6 includes revisions to v5 mandated by FERC Order 791. v6 will consist of: CIP CIP CIP CIP CIP CIP CIP CIP CIP CIP-011-2

5 How is CIP v5/v6 Different from v3? Second generation of cyber security standards Provides greater clarity for some requirements Takes some requirements to the next level Results Based Standards Impact Rating criteria for applicable assets Graduated applicability of requirements (H/M/L) Some level of protection for a wide range of systems (low impact) Not intended for a zero-tolerance environment 5

6 New / Modified CIP Terms BES Cyber Asset (BCA)* Protected Cyber Asset (PCA)* BES Cyber System (BCS) BES Cyber System Information CIP Exceptional Circumstances Impact Rating Criteria (IRC) Removable Media* Transient Cyber Asset* Low Impact BES Cyber System Electronic Access Point (LEAP)** Low Impact External Routable Connectivity (LERC)** * Terms to be effective on the same compliance date as Reliability standard CIP Requirement R4 ** Terms introduced with CIP NOTE: This is not an all inclusive list of new/modified terms. 6

7 CIP v3/v4 to v5 Facilities Comparison 7

8 Decrypting CIP v5/v6 Rationale, Summary of Changes Main Requirement & Measure Applicable Systems for Requirement Part Requirement Part Text Requirement Part Measure Text 8 Requirement Part Reference Requirement Part Change Rationale

9 Decrypting CIP v5/v6 9 v5/v6 Format Introduction Standard Title, Number, Purpose, Applicability Effective Dates Background Requirements and Measures Requirements, Measures Tables addressing Requirement Part #, Applicable Systems, Language, and Measures Compliance Compliance Monitoring Process Tables of Compliance Elements Requirement, Time Horizon, VRF, VSLs Guidelines and Technical Basis at end Still will only audit to the requirement

10 CIP v3-v5 Transition Guidance Highlights Issued August 12, 2014 Allows for smooth transition to new standards No expectation that there is a single point in time to move from compliance with v3 to compliance with v5 until v5 effective dates Provides guidance and flexibility for implementing changes to achieve compliance with v5 without undue concerns regarding compliance with v3 Chart of compatible requirements Spreadsheet identifying how to upgrade to v5 and stay Mostly Compatible to v3 If fail to do either v3 or v5, then compliance issue CIP audits during implementation period to focus on v5 transition Phase-in of v5 criteria encouraged For further support, refer to the SPP RE CIP Version 5 Transition Guidance presentation: % pdf 10

11 CIP v5/v6 Work in Progress Standard Drafting Team FERC directed NERC to modify certain aspects of v5: Identify, Assess, and Correct language (IAC) Communication Networks (CN) Low Impact Assets (LIA) Transient Devices (TD) Filing deadline = February 3, 2015 for (IAC) and (CN) directives (LIA) and (TD) do not have a deadline but SDT s goal is to address by Filing deadline. 11

12 CIP v5/v6 Work in Progress Standard Drafting Team Proposed Changes Identify, Assess, and Correct language Removed language from all 17 requirements Communication Networks CIP Requirement R1, new Part 1.10 added address security controls needed to protect the nonprogrammable components of communications networks Low Impact Assets CIP Requirement R2, new Parts added Address the lack of objective criteria for Low Impact BES Cyber Systems 12

13 CIP v5/v6 Work in Progress Standard Drafting Team Proposed Changes Transient Devices CIP Requirement R4 added address the FERC directive to consider the following security controls: device authorization as it relates to users and locations software authorization security patch management malware prevention detection controls for unauthorized physical access to a transient device processes and procedures for connecting transient devices to systems at different security classification levels 13

14 CIP v5/v6 Work in Progress 14 Standard Drafting Team Proposed Changes Status Initial ballot recently completed (6/2/14 7/16/14) Low Impact Assets (CIP-003) and Transient Devices (CIP-010) did not receive enough Yes votes Currently being modified to address industry comments 8/26/14: To meet the FERC-imposed February 3, 2015 filing deadline for (IAC) and (CN) directives and maintain momentum on the non-deadline (LIA) and (TD) directives, SDT is balloting standards addressing (IAC) and (CN) directives without language addressing the (LIA) and (TD) directives, as version X. However, SDT to continue revising the standards to address (LIA) and (TD) directives to meet the FERC deadline. IAC/CN-only revisions = Version X Standards CIP-003-X, CIP-004-X, CIP-007-X, CIP-010-X, CIP-011-X IAC/CN/LIA/TD revisions = Version 6 Standards CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-009-6, CIP-010-2, CIP Comment period in process (9/3/14 10/17/14) Additional Ballots and Non Binding Polls (10/8/14 10/17/14) Hoping to go to FERC (with version 6) by end of the year

15 FERC Order 791 v5 Key Dates Commission Approval 11/22/2013 Publication in Federal Register 12/3/2013 FERC Order Effective Date 2/3/ days after publication in Federal Register Effective Date for Compliance with all non-periodic requirements: High and Medium Impact 4/1/2016 Low Impact 4/1/2017 Based on SDT work addressing issues identified by FERC in Order 791, Implementation Timeline Proposals, addressing Low Impact, are being developed and will be addressed in the following slides. 15

16 CIP v5 Implementation for Periodic Requirements Compliance with initial performance of Certain Periodic Requirements as discussed in the Implementation Plan: Using an Effective Date of 4/1/2016 Specific v5 CIP Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to,.at least once every 15 calendar months, and responsible entities shall comply initially with those periodic requirements as follows: 16

17 CIP v5 Implementation for Periodic Requirements Requirement Implementation Plan Calculated Note Language Date CIP R2 on or before 4/1/2016 CIP R1 on or before 4/1/2016 * CIP R2 Low Impact 4/1/2017 (One extra year) CIP Part 4.4 Within 14 days following 4/15/2016 (Date Plus 14 days) CIP Part 2.1 Within 35 days following 5/6/2016 (Date plus 35 days) CIP Part calendar months following 7/1/2016 (Date plus 3 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2017 (Date plus 12 months) CIP Part calendar months following 4/1/2018 (Date plus 24 months) CIP Part calendar months following 4/1/2018 (Date plus 24 months) CIP Part 3.5 Within 7 years after previous PRA (Based on prior PRA) * Currently under SDT revision to address FERC directive and industry concerns 17

18 CIP v5 Implementation for Periodic Requirements 18

19 CIP vx/v6 Implementation Timeline Proposal Compliance Date for CIP-003-X/6, CIP-004-X/6, CIP-006-6, CIP-007-X/6, CIP , CIP-010-X/2, CIP-011-X/2 Reliability Standard CIP-00#-# shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Where approval by an applicable governmental authority is not required, the standard shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date the standard is adopted by the NERC Board of Trustees, or as otherwise provided for in that jurisdiction. Compliance Date for CIP-003-X/6, R2 (covered in vx/v6 Implementation Plans) Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP Compliance Date for CIP-006-6, Requirement R1, Part 1.10 For new high or medium impact BES Cyber Systems at Control Centers identified by CIP which were not identified as Critical Cyber Assets in CIP Version 3, Registered Entities shall not be required to comply with Reliability Standard CIP-006-6, Requirement R1, Part 1.10 until nine calendar months after the effective date of Reliability Standard CIP

20 CIP vx/v6 Implementation Timeline Proposal Compliance Date for CIP-007-X/6, Requirement R1, Part 1.2 (covered in vx/v6 Implementation Plans) Registered Entities shall not be required to comply with the elements of Reliability Standard CIP-007-6, Requirement R1, Part 1.2 that apply to PCAs and nonprogrammable communication components located inside a PSP and inside an ESP and associated with High and Medium Impact BES Cyber Systems until six/nine calendar months after the effective date of Reliability Standard CIP Compliance Date for CIP-010-2, Requirement R4 (Removed from vx Implementation Plan) Registered Entities shall not be required to comply with Reliability Standard CIP-010-2, Requirement R4 until nine calendar months after the effective date of Reliability Standard CIP New and Modified NERC Glossary Terms The new and modified NERC Glossary Terms BES Cyber Asset, Protected Cyber Asset, Removable Media, and Transient Cyber Asset shall become effective on the same compliance date as when Reliability Standard CIP-010-2, Requirement R4 is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Unplanned Changes Resulting in Low Impact Categorization (covered in vx Implementation Plan) For unplanned changes resulting in a low impact categorization where previously the asset containing BES Cyber Systems had no categorization, the responsible entity shall comply with all Requirements applicable to Low Impact BES Cyber Systems within 12 calendar months following the identification and categorization of the affected BES Cyber System. 20

21 CIP v6 Implementation Timeline Proposals 8/12/14: The SDT continued its work on the CIP Version 5 Revisions Implementation Plan for low impact assets and had identified two proposals. Feedback on each of the proposals was collected to identify pros/cons and justifications that the SDT considered prior to the next ballot. The two Implementation Plan proposals were: Tier by Asset Plan Tiers 21

22 CIP v6 Implementation Timeline Proposals Proposal #1 Tier by Asset This option phases the implementation by low impact asset type. In this approach the SDT proposes the implementation date of the CIP- 003, R2 policies and development of the management plan, cyber security incident response and cyber security awareness as April 1, 2017; the original implementation date approved with CIP Version 5. However, this option establishes a phased implementation by asset type for physical access controls and electronic access controls using the following criterion: 1. Control Centers, Generation greater than 1000MW and substations greater than 300kV would set April 1, 2017 as the implementation date. 2. Generation between MW, substations rated between kV would be provided eight additional months from the original implementation date; setting the new implementation date as January 1, All other low impact assets would be provided 16 additional months from the original implementation date; setting the new implementation date as September 1,

23 CIP v6 Implementation Timeline Proposals Proposal #2: Plan Tiers This option phases the implementation by item area within the Attachment. Again in this approach the SDT proposes the implementation of the CIP- 003, R2 policies and development of the management plan, cyber security incident response and cyber security awareness to April 1, 2017; the original implementation date approved with CIP Version 5. For physical access controls, the SDT is proposing to provide an additional year from the original implementation date, setting the new implementation date as April 1, For electronic access controls, the SDT is proposing to provide an additional 16 months from the original implementation date, setting the new implementation date as September 1,

24 CIP v6 Implementation Timeline Proposals For submission in the 2 nd ballot, Proposal #2 was selected Proposed CIP Implementation Plan Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, element 1 (Cyber Security Awareness) until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, element 2 (Physical Access Controls) until the later of April 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, element 3 (Electronic Access Controls) until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, element 4 (Cyber Security Incident Response) until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP

25 CIP v6 Implementation Timeline Proposals 25 Worksheet shows the revisions and proposed implementation timeline Key Items: Targeted NERC BOT Approval date and Implementation clock starts when FERC approves revs

26 CIP v6 Implementation Next Steps Additional comment period September 3-October 17, 2014 Ballot period October 8-17, 2014 SDT meeting October 22-24, 2014 ERCOT (Austin, TX) Targeted final ballot October 31-November 10, 2014 Targeted NERC Board of Trustees meeting to approve revisions November 13, 2014 Stay tuned for further industry communications and monitor the Referenced NERC Sites at the back of this presentation!!! 26

27 RF CIP v5 Focus Group Q&A June-2014: RF held a CIP v5 Focus Group with select stakeholders to discuss CIP v5 Dayton Power & Light FirstEnergy American Electric Power Calpine MISO Wolverine Duquesne Light Company PJM Very Successful!! Feedback and Questions were collected and are addressed in the following slides. 27

28 RF CIP v5 Focus Group Q&A Gap analysis from v3 to v5? Please refer to the v3 v5 Compatibility Tables on the NERC CIP v5 transition program website: V5%20Compatibility%20Tables.pdf What was the entities level of planning for v5? Please refer to DPL lessons learned slides and NERC CIP v5 transition program website for further information from all pilots: 28

29 RF CIP v5 Focus Group Q&A One group has transitioned to v5 and one has not within a registration. How should this situation be handled? The following is from Section 5, page 8, of the CIP V5 Transition Guidance: NERC understands that an audit may occur while a Responsible Entity is in the course of transitioning multiple locations or facilities to compliance with a CIP V5 requirement and that all such locations or facilities may not be at the same stage of CIP V5 implementation. In that case, the declaration sent to the Regional Entity should define by category, location, or requirement where V5 or V3 requirements should apply, or should otherwise make clear to the Regional Entity where disparities in applying V5 or V3 requirements exist. 29

30 RF CIP v5 Focus Group Q&A Different entities have different implementations. Due to v5, new entities have been called into scope. Can you make any recommendations of how to implement things based on the type of entity: Large, Small, Muni, etc Please refer to the following NERC CIP v5 links for further information: CIP Transition Program: CIP Standards v5 Revisions: Infrastructure-Protection-Version-5-Revisions.aspx CIP v5 Implementation Study: Implementation-Study.aspx v3-v5 Transition Guidance FINAL: V5%20Transition%20Guidance%20FINAL.pdf v3-v5 Compatibility Tables: V5%20Compatibility%20Tables.pdf 30

31 RF CIP v5 Focus Group Q&A Guidance/Frequently Asked Questions from the Transition Study? Please refer to NERC CIP v5 transition program website for further information from all pilots: 31

32 RF CIP v5 Focus Group Q&A Multi-regional entity with Primary Data Center in one region and the backup in another region. Do they just show that the same controls from the primary apply to the backup? Sufficient (quantity) and appropriate (quality) evidence would be required for review by the audit team to verify this assertion by the MRRE. Will they be audited by both regions? This Multi-Regional Registered Entity (MRRE) would be audited by an audit team comprised of auditors from each Regional Entity that the registered entity is registered with. The audit would typically be done at one time, agreed upon by the multi-regional auditors and the MRRE. 32

33 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance Is there transition guidance in laymen's language and what does it mean to the auditor? Please refer to the following NERC CIP v5 links for further information: CIP Transition Program: CIP v5 Implementation Study: Implementation-Study.aspx v3-v5 Transition Guidance FINAL: V5%20Transition%20Guidance%20FINAL.pdf v3-v5 Compatibility Tables: V5%20Compatibility%20Tables.pdf 33

34 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance What are the requirements for third-party hosted systems (i.e. relation to the treatment of scheduling systems)? The requirement for third-party hosted systems is the same as for in house systems that meet the criteria of a BCA, PCA, EACM or PACS device. What requirements can we officially transition early to and still be in compliant with v3? CIP Transition Program: Program.aspx v3-v5 Transition Guidance FINAL: V5%20Transition%20Guidance%20FINAL.pdf v3-v5 Compatibility Tables: V5%20Compatibility%20Tables.pdf 34

35 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance What are some suggested approaches to tracking of baseline configurations for Security Patches? Baselines can be tracked using a number of different methods such as paper, spreadsheet, database system and commercial software. With the more stringent requirements around baselines in CIP-010 you will want to utilize a spreadsheet at the very least and may want to look into developing a database or purchasing available commercial software. How are Scheduling Systems viewed in v5? See Lessons Learned for BES Impact of Transmission Scheduling Systems How does RAI align with v5 as well as with V5 audit efforts? Please refer to the document Identify, Assess, and Correct and Reliability Assurance Initiative FAQs document (dated 6/2/14) at: CIP Standards v5 Revisions: Infrastructure-Protection-Version-5-Revisions.aspx 35

36 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance Depth of Training - During the Gap Analysis, there was much conversation about training of new hires, tribal knowledge, ability to ensure consistent procedural application, and documents written at a 5th grade level; while this might not be a question, perhaps you can try to ascertain how deep our training/documentation will need to go for audit purposes. Detailed work level instructions not just what but how Templates for evidence, reports, legends, etc. Auditors would expect to see the same type of evidence consistent with what has been provided for previous audits or at previous Compliance Monitoring Activities. Please review the Measures, included with the v5 Requirements, as examples of expected evidence to be provided by the audited entity. 36

37 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance How to handle hosted solutions (like a managed security services provider) under CIP v5? The Hosted solutions need to meet all the requirements and should be handled just as if they were in house. Will the transition to controls based auditing (through RAI) occur at exactly the same time as CIP v5 implementation, or on some other schedule? RF is not performing controls based auditing. RF is performing Grid Reliability Improvement and Performance Model (GRIPM) Appraisals, on a volunteer basis, as a means of assessing an entity s overarching internal controls as they apply to 16 RF defined Management Practices. GRIPM Appraisals are conducted separate from audits. See Erik Johnson Manager, Entity Development for more information regarding the GRIPM Appraisal Method. 37

38 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance How will audits be handled when a portion of the period was under CIP v3 regulations and a portion was under CIP v5? Please refer to the following NERC CIP v5 links for further information: CIP Transition Program: v3-v5 Transition Guidance FINAL: V5%20Transition%20Guidance%20FINAL.pdf v3-v5 Compatibility Tables: V5%20Compatibility%20Tables.pdf Draft Guidance Industry Feedback: %20Transition%20Guidance%20Draft%20for%20CIP%20V5.pdf 38

39 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance What is the definition of BES Cyber Systems and how are they to be identified? BES Cyber System = One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. See Lessons Learned for Grouping BES Cyber Assets Transient Devices: What is needed in order to track and demonstrate compliance? Transient Devices requirements are currently under development by Standards drafting team and addressed under CIP R4. Please refer to the CIP Standards v5 Revisions for latest information: 39

40 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance Visitor Tracking: Is there a time limit around how long a visitor can be out of the PSP before having to sign in again? Refer to the Guidelines and Technical Basis section of CIP There is not a specific timeframe specified in the requirement, however, the rationale does state that Part 2.2 addresses multi entry scenarios of the same person in a day (log first entry and last exit). The Guidelines and Technical Basis also states that the logging of visitors should capture each visit of the individual and does not need to capture each entry or exit during that visit. This is meant to allow a visitor to temporarily exit the Physical Security Perimeter to obtain something they left in their vehicle or outside the area without requiring a new log entry for each and every entry during the visit. 15 minute impact? Refer to the Background and Guidelines and Technical Basis sections of CIP

41 RF CIP v5 Focus Group Q&A CIP v3-v5 Transition Guidance Is there, or will there be, guidelines for various BES Cyber Systems? Looking for additional guidance on what is the impact by BES cyber systems? Refer to the Guidelines and Technical Basis section of CIP Refer to NERC Lessons Learned documentation available at Revisions.aspx 41

42 Resources Refer to resources available on the NERC site: NERC CIPC Presentation on Transition Guidance CIP Transition Program: CIP Standards v5 Revisions: Version-5-Revisions.aspx CIP v5 Implementation Study: v3-v5 Transition Guidance FINAL: v3-v5 Compatibility Tables: Draft Guidance Industry Feedback: %20Transition%20Guidance%20Draft%20for%20CIP%20V5.pdf 42

43 Questions & Answers Forward Together ReliabilityFirst