Welcome to the CIP Workshop!

Transcription

1 Welcome to the CIP Workshop! Download SPP.org ->Regional Entity ->2015 CIP Workshop: Questions or Comments? [email protected] Please wait for a microphone Submit via online form on workshop web page (will generate to staff from [email protected]) Meeting Room Wireless Select the SWPP2015 network and use password swpp2015

2 Tuesday, June 2 7:30-8:00 Registration and light breakfast 8:00-8: Welcome Terry Bassham, CEO, KCPL Ron Ciesiel, General Manager, SPP RE 8:30-9: Preparing for a V5 Audit (RSAWS and evidence) Lew Folkerth, Reliability First 9:30-9:45 Break 9:45-10: Identifying BES Cyber Systems Kevin Perry, SPP RE 10:35-10:50 Break 10:50-11: Grouping BES Cyber Systems Laura Cox, Westar Josh Roper, KCPL 11:50-1:00 Lunch 1:00-2: Lessons Learned/FAQ Documents Tom Hofstetter, NERC 2:00-2:10 Break 2:10-3: Virtualization Jeremy Withers, SPP RE Tom Hofstetter, NERC 3:10-3:40 Snack and Coffee Break 3:40-4: Interactive Remote Access Shon Austin, SPP RE 4:20-5:00 Open CIP Q&A all CIP topics welcome! Wednesday, June 3 7:30-8:00 Registration and light breakfast 8:00-8:10 Welcome 8:10-8: External Routable Connectivity Robert Vaughn, SPP RE 8:50-9:00 Break 9:00-10: Low Impact BES Cyber Systems, CIP-003 Steven Keller, SPP RE Natalie Johnson, David Campbell, ENEL 10:00-10:15 Break 10:15-10: Technical Feasibility Exceptions (TFEs) Tom Hofstetter, NERC 10:50-11: Transient Devices and Removable Media Kevin Perry, SPP RE 11:20-11:30 Break 11:30-12:00 Open CIP Q&A all CIP topics welcome! 12:00-1:00 Lunch The workshop is followed by the RTO Compliance Forum for members and Registered Entities, which requires separate registration.

3 CIP v5 RSAWs and Evidence Lew Folkerth, PE, CISSP, CISA, GCFA SPP RE CIP Workshop June 2, 2015

4 Agenda RSAWs The Role of the RSAW Development Overview and Strategy Organization and Structure Navigation Compliance Assessment Approach Tips Evidence Policy/Process/ Procedure Populations Sample Sets Sampling Strategies Applicability IRA and ICE Considerations 2 Forward Together ReliabilityFirst

5 RSAWS 3 Forward Together ReliabilityFirst

6 The Role of the RSAW The RSAW is required in this part only 4 Forward Together ReliabilityFirst

7 The Role of the RSAW How the RSAW is Used Before an audit, RSAWs may be used by an entity to organize compliance efforts and prepare for compliance monitoring actions. During an audit, RSAWs are used as a tool to organize compliance evidence and to communicate an entity s compliance approach to the audit team. During and after an audit, RSAWs are used by audit teams to organize, execute, and document a compliance assessment as part of the Entity Compliance Oversight Plan. 5 Forward Together ReliabilityFirst

8 CIP v5 RSAW Development Overview NERC/Region core development team Development began in early 2013 Draft 1 had extensive evidence requests and guidance Based on comments, Draft 2 had evidence requests and most of the guidance removed Advised by additional Region specialists Posted four times for industry review/comment Three meetings with 791 SDT Final review by NERC legal staff Final version posted 5/8/2015 for public use 6 Forward Together ReliabilityFirst

9 RSAW Development Strategy One RSAW per Standard - TFE and CIP Exceptional Circumstance review embedded in the applicable Requirements One section per Part, rather than one section per Requirement Minimal guidance included In most cases, audit review is based on outcomes (actual work performed), rather than documentation 7 Forward Together ReliabilityFirst

10 RSAW Structure 8 General Information Cover Page Findings Page Subject Matter Experts Page Footer Additional Information Repeated for each Requirement: Text of Requirement and/or Part Question(s), if applicable Compliance Narrative Evidence Table Evidence Reviewed Compliance Assessment Approach Note(s) to Auditor, if applicable Forward Together ReliabilityFirst

11 Cover Page Audit Information Applicability Color Coding 9 Forward Together ReliabilityFirst

12 Findings Page 10 Forward Together ReliabilityFirst

13 SME List/Page Footer 11 Forward Together ReliabilityFirst

14 Requirement and Part The CIP v5 RSAWs are organized by Part rather than Requirement. Each part may have different Applicable Systems, and therefore different sample sets. 12 Forward Together ReliabilityFirst

15 Questions Questions may be asked for circumstances beyond those covered in the Compliance Assessment Approach. In this case, any shared compliance responsibility needs to be communicated to the audit team so the proper review can be performed. 13 Forward Together ReliabilityFirst

16 Compliance Narrative The Compliance Narrative is the place to tell the compliance monitoring team how you approach compliance with this Part. This may be the most important section of the RSAW. 14 Forward Together ReliabilityFirst

17 Evidence Provided 15 Forward Together ReliabilityFirst

18 Compliance Assessment Approach 16 Forward Together ReliabilityFirst

19 Navigation Collapse/Expand Select Section 17 Forward Together ReliabilityFirst

20 RSAW Compliance Assessment Approach Types of Review Documentation Review Does the required documentation exist? Does the required documentation look reasonable and complete? Process Evaluation Does the process include the required steps? Is the process adequate to ensure security? Is the process adequate to ensure compliance? Outcome Verification Has the entity performed the compliance tasks required by the Standard? Has the entity adequately secured its assets as intended by the Standard? 18 Forward Together ReliabilityFirst

21 RSAW Compliance Assessment Approach Types of Review Documentation Review Does the required documentation exist? Does the required documentation look reasonable and complete? Process Evaluation Does the process include the required steps? Is the process adequate to ensure security? Is the process adequate to ensure compliance? Outcome Verification Compliance Audit Has the entity performed the compliance tasks required by the Standard? Has the entity adequately secured its assets as intended by the Standard? 19 Forward Together ReliabilityFirst

22 RSAW Compliance Assessment Approach Types of Review Documentation Review Does the required documentation exist? Does the required documentation look reasonable and complete? Process Evaluation Does the process include the required steps? Is the process adequate to ensure security? Is the process adequate to ensure compliance? Outcome Verification Part of Internal Controls Evaluation Has the entity performed the compliance tasks required by the Standard? Has the entity adequately secured its assets as intended by the Standard? 20 Forward Together ReliabilityFirst

23 RSAW CAA Special Considerations Proving a Negative Review process Review implementation of process Sample negative results Attestation last resort Example CIP R1 BES Cyber Assets Implied Requirements Requirements not explicitly stated but implied by the language Example CIP R1 Part 1.1 Identification of PCA 21 Forward Together ReliabilityFirst

24 Example CAA CIP R1 Part Process Evaluation Verify a process exists for the identification of ESPs. Verify the process requires that all applicable Cyber Assets reside within an ESP. Outcome Verification/Show a Negative From the inventory of Cyber Assets associated with one or more high or medium impact BES Cyber Systems, identify all Cyber Assets connected to a network with a routable protocol. Verify each of the Cyber Assets is protected by a defined ESP, and that no BES Cyber Assets networked via a routable protocol have been missed. Outcome Verification/Implied Requirement After the ESP is defined, verify the implied requirement of identifying any PCA within the ESP has been completed. Forward Together ReliabilityFirst

25 Example CAA CIP R1 Part 1.1 Process Evaluation Does the Cyber Security Incident response plan contain the required steps? A process evaluation is needed since this Requirement does not call for implementation of the plan. That happens in R2. 23 Forward Together ReliabilityFirst

26 Example CAA CIP-004 R3 Part 3.3 Process Evaluation Does the process contain the required steps? Documentation Review Review documentation that the process was implemented. This may include a review of a redacted personnel risk assessment, or other documentation may be reviewed to verify compliance. This is due to the extremely sensitive nature of the compliance evidence. 24 Forward Together ReliabilityFirst

27 Example CAA CIP R2 Part Forward Together ReliabilityFirst

28 Example CAA CIP R2 Part 2.3 Process Evaluation Does the patch management process have the required steps? Do the required steps include the creation of mitigation plans with the required elements? 26 Forward Together ReliabilityFirst

29 Example CAA CIP R2 Part 2.3 Outcome Verification Did the patch management process result in systems that are patched as required, or are unpatched systems part of a mitigation plan? Documentation Review Did any mitigation plan include the required elements? 27 Forward Together ReliabilityFirst

30 Tips for Using the RSAWs Avoid unnecessary redundancy use references where possible; otherwise copy and paste. If a process applies to an entire Requirement, describe it in one Part and make reference to it elsewhere. The Compliance Narrative is your best opportunity to tell an audit team how you meet compliance. Pay attention to any Notes to Auditor. They re meant for you, too. 28 Forward Together ReliabilityFirst

31 EVIDENCE 29 Forward Together ReliabilityFirst

32 Evidence Overview Initial Evidence Request Sampling Populations (minimal detail) BES Cyber Systems Cyber Assets Assets Personnel CIP Exceptional Circumstances Technical Feasibility Exceptions Compliance Documents Policy Process Plan Program Procedure Initial Sampling Multiple Sample Sets Sample set appropriate to Requirement and/or Part Evidence specific to each Requirement Additional sampling may be advisable 30 Forward Together ReliabilityFirst

33 Evidence Types Compliance Documents Policy Process Plan Program Procedure Evidence of Compliance Pertaining to: Cyber Assets BES Cyber Systems Assets Personnel CIP Exceptional Circumstances Technical Feasibility Exceptions 31 Forward Together ReliabilityFirst

34 Sampling Guideline Sampling Overview Current Guideline updated September 4, References RAT-STATS New revision in progress Will be an Addendum to the ERO Compliance Auditor Handbook CIP-specific Addendum is planned by the end of 2015 Sampling Process (greatly simplified) Determine sample size Choose sampling method Select sample 32 Forward Together ReliabilityFirst

35 Sample Sets Expect to see different sample sets, such as: High impact BES Cyber Systems Cyber Assets of an Applicable System Electronic Security Perimeters Cyber Assets within a specific set of ESPs As the sampling methodologies take shape, the development team will attempt to minimize redundancy, but this will be difficult due to the divergent applicability of the Parts of some Requirements. The following slide demonstrates some of the complexity. 33 Forward Together ReliabilityFirst

36 Applicability Cyber Asset Cyber Asset Type Member of BES Cyber System Associated BES Cyber System Applicability CIP Impact Rating ERC R1.1 R1.2 R2.1 R2.2 R2.3 R2.4 R3.1 R3.2 R3.3 R4.1 R4.2 R4.3 R4.4 R5.1 R5.2 R5.3 R5.4 R5.5 R5.6 R5.7 MAINEMS1 BESCA MAINEMS H Y 20 MAINEMS2 BESCA MAINEMS H Y 20 MAINHIS1 PCA H 20 MAINFW1 EACMS MAINEMS H 19 MAINPAC1 PACS MAINEMS H 18 SUB1RTU1 BESCA SUB1A M Y 16 SUB1SEL411 BESCA SUB1B M N 11 SUB1FW1 EACMS SUB1A M 16 SUB1PAC1 PACS SUB1A M 16 SUB1PAC2 PACS SUB1B M 11 Number of Applicable Parts As you can see, the number of applicable parts varies widely depending on the type of Cyber Asset under consideration. This will make the sampling process far more complex than that of CIPv3. 34 Forward Together ReliabilityFirst

37 IRA and ICE IRA Inherent Risk Assessment Based on registrations, entity size, compliance history, etc. Determines initial scope of compliance assessment Provides risk levels to other processes ICE Internal Controls Evaluation Based on voluntary review of internal controls Can affect: Scope of compliance assessment Depth of compliance assessment (e.g., sample size) Frequency of audits 35 Forward Together ReliabilityFirst

38 Questions & Answers Forward Together ReliabilityFirst Forward Together ReliabilityFirst

39 Identifying BES Cyber Systems CIP Compliance Workshop June 2, 2015 Kevin B. Perry Director, Critical Infrastructure Protection

40 Topics Guidance on Exemption (Section ) HVDC Facilities Control Center Criteria Criterion 2.1 Criterion 2.5 Criteria 2.3 and 2.6 Audit Considerations 2

41 Exemption Section An exemption appears as Section in each of the CIP V5 Standards Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. Works well if there are two discrete Electronic Security Perimeters (ESPs) Doesn t work so well if there is only one (or no) ESP Also a cart-before-the-horse issue Must identify BES Cyber Systems before identifying ESP 3

42 Exemption Section Communication/networking Cyber Assets are not automatically exempt from the CIP V5 Standards How do you know what is in, and what is out? You need a proxy for the ESP as you identify BES Cyber Assets and group them into BES Cyber Systems Recently released NERC Guidance Memorandum introduces the concept of a demarcation point Can also serve as the ESP proxy 4

43 Exemption Section Exempt Demarc Proxy ESP Possible Demarcation Points Proxy ESP Demarc ESP ESP Control Center Substation 5

44 Exemption Section ESP Demarc Proxy ESP Exempt Demarc Possible Demarcation Points Proxy ESP ESP Control Center Substation 6

45 HVDC Facilities The Impact Rating Criteria are focused on Facilities operated at AC (alternating current) voltages The Guidelines and Technical Basis section of CIP is silent on the issue of DC (direct current) Facilities So, how does a Registered Entity apply the Impact Rating Criteria to HVDC Facilities? AC Voltage is phase to phase HVDC circuits do not have phases, but they have poles The pole-to-pole/return voltage differential can be used as a substitute for phase-to-phase AC voltages 7

46 HVDC Facilities For bi-pole circuits, the pole-to-pole current differential is the effective voltage for the purposes of the Criteria A bi-pole DC circuit operated at +/- 250 kv would be treated as a 500 kv Facility For monopole with earth return circuits or for symmetrical monopole circuits, the circuit voltage rating is the effective voltage If a circuit can be operated in monopole or bi-pole mode, the effective voltage is the bi-pole current differential 8

47 HVDC Facilities Back-to-Back converter stations are treated the same as bi-pole HVDC Transmission lines Multi-terminal systems (two converter stations linked by HVDC Transmission lines) are treated at the same voltage as the HVDC Transmission line 9

48 Control Center Criteria Control Center Definition: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations. The facility must meet the definition of Control Center for the Impact Rating Criteria to apply Look carefully at your generator operations 10

49 Control Center Criteria The Impact Rating Criteria is applicable to Control Centers performing the functional obligations of a Reliability Coordinator, Balancing Authority, Transmission Operator, or Generator Operator The Registered Entity does not need to be registered as a RC, BA, TOP, or GOP to have a Control Center performing the functional obligations of one of those registrations BES Cyber Systems associated with the Control Center must be used by the Control Center and also must be located at the Control Center 11

50 Criterion 2.1 Applies to generating plants, not individual generating units The plant must have an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection 12

51 Criterion 2.1 It is possible to have a plant exceeding the 1500 MW threshold yet have only Low Impact BES Cyber Systems Plant control systems can be segregated in such a manner that there are no shared systems exceeding the 1500 MW threshold Many BES Cyber Systems can be configured to stay below the 1500 MW threshold At audit, be prepared to demonstrate how the plant systems and networks are configured to assure the segregation 13

52 Criterion 2.5 Applies to Transmission stations and substations operated between 200 and 499 kv Additional qualifiers : The station or substation must be connected at 200 kv, or higher voltages to three or more other Transmission stations or substations The combination of Transmission lines yields an "aggregate weighted value" exceeding 3000 BES Cyber Systems associated with any Facility (high or low side) operated at 200 to 499 kv are Medium impacting 14

53 Criterion 2.5 For a Transmission line to be considered a Transmission Facility and included in the Impact Rating Criterion 2.5 calculation, the line must be used for network flow of the Bulk Electric System and connected to another Transmission station or substation A radial line is not a Transmission line A generator lead line is the line at any voltage between the generator and the first connected substation where Transmission lines are present - it is not a Transmission line 15

54 Criterion 2.5 The Criterion applies even if the high side of the station or substation is operated at 500 kv or above Applies to the 345 kv side of a 500/345 kv substation, but only if the substation meets the Criteria 2.5 qualifying characteristics It is possible to have a 500/345 kv substation where BES Cyber Systems associated with the 500 kv Facilities are Medium impacting but the BES Cyber Systems associated with the 345 kv Facilities are Low impacting 16

55 Criteria 2.3 and 2.6 The Reliability Coordinator, Planning Coordinator, or Transmission Planner designates the generation or Transmission facility with impact The registered entity is responsible for identifying BES Cyber Systems associated with the identified Facility All associated BES Cyber Systems are Medium Impact Segregation of control systems in a generating plant will not reduce the impact categorization BES Transmission Facilities operated below 200 kv are not exempt 17

56 Audit Considerations Explicit requirements in CIP : List of High and Medium Impact BES Cyber Systems List of assets containing a Low Impact BES Cyber System Additional requirement: Every Cyber Asset satisfying the definition of BES Cyber Asset must be a member of at least one BES Cyber System And while we are on the subject You can group BES Cyber Assets into BES Cyber Systems differently on a requirement by requirement basis 18

57 Audit Considerations You will need to show your work Demonstrate that every BES Cyber Asset has been identified Be prepared to demonstrate why a Cyber Asset is not a BES Cyber Asset Demonstrate that every BES Cyber Asset is a member of at least one BES Cyber System If you regroup based on requirement, demonstrate that every BES Cyber Asset is accounted for in each regrouping Compliance means more than just producing two lists 19

58 Helpful Resources NERC Website Links: CIP V5 Transition Home Page CIP V5 Standards and Implementation Plan CIP V5 Transition Guidance CIP V5 Transition Study Lessons Learned Project (Physical Security) CIP CIP Implementation Plan CIP-014 Revisions SAR SPP RE CIP V5 Transition Page 20

59 SPP RE CIP Team Kevin Perry, Director of Critical Infrastructure Protection (501) Shon Austin, Lead Compliance Specialist-CIP (501) Steven Keller, Lead Compliance Specialist-CIP (501) Jeremy Withers, Senior Compliance Specialist-CIP (501) Robert Vaughn, Compliance Specialist II-CIP (501)

60 Kansas City Power & Light CIP and Grouping BES Cyber Systems Board of Directors Meeting - February 11, 2014 CONFIDENTIAL RESTRICTED

61 KCP&L Overview More than 830,800 customers Service Territory Diverse Generation Mix Approximately 6600 MW of Generation Customer Base Residences.. 730,800 Commercial Firms... 97,400 Industrial and Other.... 2,600 Coal... 85% Nuclear % Natural Gas and Oil.... 1% Wind...2% Board of Directors Meeting - February 11, 2014 CONFIDENTIAL RESTRICTED

62 KCP&L CIP v5 Sites in Scope Multiple High Control Centers Backup Control Centers Associated data centers A Single Medium generating station Two generators which combined meet the 1500mw threshold 5-10 Medium Substations Possibly 3 Low Control Centers We are examining the usefulness of the Cyber Systems that create the low control centers, may remove them to lower the potential impact to the BES of any issues Scores of low generating stations and substations 3

63 Step 1 Workshop Based Approach Top Down vs. Bottom Up vs. Hybrid Generation, T&D, and IT Representatives Break the silos Share perspectives and experience Skilled Facilitator Impartial! Must know the language and translate between groups Must ask the probing questions that elicits more information 4

64 Process Overview Documented Annual Repeatable Evidenced T o p D o w n B o t t o m U p 5 5/29/

65 Purpose of the Workshops Find the Facilities and Ratings Primary Goals: Create a list of facilities that meet the BES definition Determine the facility impact rating **Special Note** You are prequalifying the systems at the facility, the facility doesn t have an impact rating, the BES Cyber Systems do Document why the rating is appropriate How to do it: 1. Before the workshop, ask the IT, T&D, and Generation asset owners to create and bring an inventory of all facilities to the workshop 2. Using the inventory, apply the BES definition to each facility 3. For BES sites, use the Bright Line Criteria to define impact rating 4. Focus on identifying the High and Medium impact sites The why is important - can we make changes to modify (reduce) the BES Cyber System s impact to the BES if an issue occurs? 6

66 Sample Applicability

67 Sample Facility Impact

68 Purpose of the Workshops Find the Cyber Systems Top Down Approach Identify Cyber Systems supporting the facilities Ask a lot of questions about day to day operations Follow up on extraordinary circumstances Listen for key words Create system clouds (buckets) Get the buckets of systems identified Refer to the CIP v3 guidance document for identifying essential systems Eliminate redundancies Ensure common language One cloud needs to be a low system general cloud Examine the system clouds based on the BROS 9

69 Identification of BES Cyber Systems 10

70 Grouping By Function - Generation DCS Coal Handling System Water Purification General Plant Support 11

71 Results of Assessment BROS GO BES Cyber System 15 Minute Impact (Y/N) Externally Routable (Y/N) Dynamic Response DCS Relays Generator Controls Turbine Controls Y N N N Y N Y Y Balancing Load & DCS Y Y Generation Controlling Frequency DCS Turbine Controls Y N Y Y Controlling Voltage DCS Relays Generator Controls Managing Constraints Monitoring and Control Restoration Situation Awareness Inter-Entity Coordination DCS Y Y Y N N Y N Y 12

72 Step 2 Perform an Inventory Bottom Up Approach Primary Goals: Create a comprehensive CIP inventory of each facility s assets How to do it: Have an inventory tracking system/process defined before you even start Don t underestimate how complicated this really is You need everyone with Cyber Assets at the facility to attend the inventory Use a labeling system (if you don t have one) to assist in tracking Don t bring the system clouds to the inventory If definitions shift (PED), it will cause rework in this and subsequent steps 13

73 Inventory Label Example 14

74 New Asset Entry Division Generation Request Type New Asset Unique ID Host Name Gen-##### #%$#%$#%$#% CIP Location Generator 1 Cyber System Generator DCS ESP PSP Main Gen ESP 1 PSP Gen 2 Operating System Controller OS Physical Location Details $(*&^#$(*&(#$ Manufacturer Good Manufacturer Type of Device Controller Owning Department Generation Model Number #$(&^#$(*& Serial Number Firmware $(*#&(#*$& OS 6.8 CONTROLLER

75 Step 3 Assign Cyber Assets to System Clouds Hybrid approach Primary Goals: Every Cyber Asset assigned to a cloud How to do it: Assign every Cyber Asset to a system cloud If the Cyber Asset doesn t fit in an established system cloud: Create a new system cloud Determine that it is a low asset and assign it to the low system cloud 16

76 Grouping By Function - Generation Controls Coal Handling System Water Purification General Plant Support 17

77 Step 4 Create BES Cyber Systems Primary Goals: BES Cyber Systems are created How to do it: Determine the high watermark of the Cyber Assets in the cloud Examine the cloud for potential breakdown into sub-clouds Balance the high watermark against the Cyber Assets in the cloud If there is too much diversity in the system, separate clouds may make sense Examine the clouds for potential consolidation Similar systems, in multiple clouds, with similar watermarks, with similar functions could be put together 18

78 Controls Cloud OSC Router NIDS Terminal 1 Workstation 1 Terminal 2 DMZ Switch Workstation 3 PLC Workstation 2 PED Distributed Controls System OSC Router Air Quality Controls Terminal 2 DMZ Switch Workstation 2 PLC Workstation 1 NIDS PED Terminal 1 19 Workstation 3

79 Specific Tools and Processes Microsoft System Center Long term solution for MCDL, Asset Inventory, Configuration Inventory, and change management for those functions SharePoint / AgilePoint Platform interim solution for Asset Inventory, needed to keep CIP-002 moving forward while MSC is being configured Industrial Defender receives logs, configuration monitoring Nexpose Scanners scan the network for many things Tripwire used for log examination 20

80 Creating BES Systems Special Considerations How can we ensure every asset was found Extensive Inventory work T&D, Generation, and IT Extensive inventory procedure created and followed to ensure every device is accounted for (walk the room, walk the racks, walk each shelf) How can we ensure every asset is in a BES Cyber System Inventory/Change Management tools require a selection from a preapproved BES Cyber System list to input an asset in the Master CIP Device List Internal Controls used to guarantee accuracy Clear communication and training for all employees System controls- notify when Cyber Assets are added to the network EMS - Nexpose Scanner, Industrial Defender, Tripwire Generation Industrial Defender Apply the 15 minute rule to Cyber Systems, but you should also apply the 15 minute rule to each device to aid in subdividing the clouds 21

81 Creating BES Systems Special Considerations Does the environment change the pros and cons of BES Cyber System creation? BES Cyber System creation should consider the function and all capabilities of the Cyber Systems, and also the operational support and management of the Cyber Systems Creating BES Cyber Systems differently for different standards? CIP v5 is too complex for us to try this Benefit to reliability or security isn t clear Removing PCA assets from Electronic Security Perimeters? DMZ or CAFE environments Don t leave the front line guessing! Corporate Goals for CIP Program: Mandatory process/procedure alignment Mandatory evidence artifact alignment Mandatory tool alignment, unless tools must vary due to environment differences 22

82 Creating BES Systems Special Considerations External Routable Connectivity External routable connectivity can drive system separations Separating ERC Cyber Systems from non-erc Cyber Systems is helpful, non-erc Cyber Systems outside the ESP holding ERC Cyber Systems will have smaller surface areas to attack and can solve operational and compliance issues, especially in the Generation environment Systems without ERC don t need: Electronic Security Perimeters Physical Security Perimeters Personal Risk Assessments Training Requirement Removed (Security Awareness Training stays) If you have Cyber Systems with and without ERC, you can use the same processes (meet the higher ERC level requirements), but you don t have to manage the employees around the non-erc system the same way 23

83 Generation Cyber System Creation 1 What s in Scope One Medium Generating Station with routable connectivity Two units, both must be affected to reach 1500 mw threshold System Creation DCS is the only in-scope Cyber System Dividing the DCS wasn t an option due to mechanical configuration of equipment at the site We could have tried some odd things to affect parts of DCS, but would have potentially lowered unit reliability and security Strategic decisions to move PCAs into a DMZ or CAFÉ environment are still being made Clear goal to move as many PCAs as possible out of the ESP Firewall rule headaches versus PCA requirements need to be balanced PED tracking Blanket Statements? 24

84 Generation Cyber System Creation 2 Asset Tracking Inventory, Asset Labeling Industrial Defender will let us know if the process isn t followed (if an ID client is installed part of commissioning process) Front line personnel performing changes trained and entering change information AgilePoint / SharePoint, moving to Microsoft System Center when the system is ready Special Considerations PED definition clarification won t affect the plant Cyber Systems, no PEDs or groups of PEDs affect both units Generating environment poses unique challenges Outages and Summer operations tie up a lot or resources Sprawling environment creates a lot of tracking issues Confined environments in buildings make PSP creation difficult Managing contractors and PSPs will be difficult during outages Scanning the DCS would probably trip the units, creates unique challenges for tool selection Network latency issues 25

85 Ovation ESP Corporate Firewall A&B LAN GPS Antenna Unit 2 OVATION DATA HIGHWAY Access Point: Router Switch OSC Router GPS Clock IP Traffic SW33 Ovation IP Traffic Net IP Traffic Ovation IP Traffic Net SW11 Ovation Core Network Switch NIDS PriFan OutSW23 OVATION SECURITY NETWORK Switch Unit 1 OVATION DATA HIGHWAY UNIT 2 OVATION DATA HIGHWAY drop101 SecFan OutSW24 ID NAS Terminal Drop Terminal Terminal DMZ Switch Ovation DMZ Router DMZ Network Jump Host 1 Logging Mgmt Server Pi Server 26 Printer Drop Terminal

86 Transmission & Distribution Cyber System Creation 1 What s in Scope? 5-10 Medium Substations No external routable connectivity Cyber System Creation Each substation systems stand alone Functionally, this made the most sense to us, eases management of the Cyber Assets/Cyber Systems Approximately 5 BES Cyber Systems per substation, all medium, functional and management considerations drove system creation Protective Relays Logical to group together RTUs Stand alone due to their criticality Communication radio, telecom, microwave (all serial) Metering meters for AGC Security cameras, badge readers, etc. 27

87 Transmission & Distribution Cyber System Creation 2 Asset Tracking Inventory, asset labeling Manual notification to T&D compliance support when update is needed, manual entry of update into tracking system SharePoint / AgilePoint Platform, moving to Microsoft System Center when the system is ready Special Considerations Removing nonessential systems from the ESPs is still a primary concern, lowers the potential attack surface and increase security PED inventory completed before PED definition was clarified to include configurable devices, rework was necessary Previous understanding was microprocessor based relays only Now solid state and electromechanical relays are in scope Inventory workload estimated to triple from the clarification Integration with WMS would be ideal, but we aren t using a large WMS right now 28

88 IT Control Centers 1 What s in Scope? High Generation and T&D control centers, backup control centers, data centers Cyber System Creation EMS is our High Impact Cyber System CIP version 3 in-scope Cyber Assets / Cyber System New EMS install is finishing now, planning for v5 informed design Design focused on removing as many PCAs from ESP as possible One large ESP for the entire environment, help meet CIP 005-3, R1.3 Utilizing encryption between physical locations creates one ESP to satisfy the requirement in CIP 005-3, R1.3 Potential issues protecting communications links KCPL avoids issues protecting 3 rd party communication links b/c we own the fiber between the PSPs, no PEDs outside of PSPs 29

89 IT Control Centers 2 Asset Tracking Inventory, Asset Labeling, Regular Inventory Checks Industrial Defender, Nexpose, Tripwire will let us know if the process isn t followed Front line personnel performing changes trained and entering change information, approval goes through QA personnel Microsoft System Center Special Considerations PED definition clarification hasn t affected the EMS environment, Cyber Asset that could have been affected already had Ethernet and was in ESP All physical hardware in the ESP, virtualization in CAFE and DMZ PI wasn t an issue because we are using a Cronus application Leave scanning tools in the ESP, otherwise causes firewall issues Move the management consoles to CAFE or DMZ 30

90 EMS ESP 31

91 Questions

92 2015 SPP RE CIP Workshop Grouping BES Cyber Systems June 2, 2015 Taking Reliability to heart.

93 Westar s High and Medium Scope HIGH Control Centers (2) and associated Data Centers Primary and Backup MEDIUM Generation Facility Substations (12) Without External Routable Connectivity 2015 SPP RE CIP WORKSHOP 2

94 BES Cyber Systems Control Centers Functional approach 5 BES Cyber Systems SCADA Network Infrastructure SCADA Configuration ICCP Server Infrastructure Support 2015 SPP RE SPRING WORKSHOP 3

95 Generation BES Cyber Systems System Approach Ovation Composer DCS Soot Blowing Air Compressor (SBAC) 2015 SPP RE SPRING WORKSHOP 4

96 Substation BES Cyber Systems BES Cyber Assets without External Routable Connectivity Location specific All BES Cyber Assets at each substation will be in one BCS 2015 SPP RE SPRING WORKSHOP 5

97 Associated Evidence Enter: 1 = True, 0 = False EMS System BES Cyber System Impact Rating: High BES Cyber Systems and Cyber Assets System Supports a BES Reliability Operating Service (BROS)? BES Cyber Systems (BCS) Status In ESP? In PSP? PCA Status? Physical Access Control System PACS? Monitoring & Control SCADA System 1 BCS 1 1 No 0 0 Network Infrastructure 1 BCS 1 1 No 0 0 SCADA Configuration 1 BCS 1 1 No 0 0 ICCP Server 1 BCS 1 1 No 0 0 Infrastructure Support 1 BCS 1 1 No SPP RE SPRING WORKSHOP 6

98 Associated Evidence R1.2 Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset Generation IT & I&C Enter: 1 = True, 0 = False BES Cyber System Impact Rating: Medium/Low BES Cyber Systems and Cyber Assets System Supports a BES Reliabilit y Operatin g Service (BROS)? BES Cyber Systems (BCS) Status In ESP? In PSP? PCA Status? Physical Access Control System PACS? Monitor Adverse ing & Impact in Control <15 min? Bentley 1 BCS 1 1 No 0 0 No Low PI 1 BCS 1 1 No 0 0 No Low Ovation (HMI) 1 BCS 1 1 No 0 0 Yes Medium InfiNet (DCS) 1 BCS 1 1 No 0 0 Yes Medium H20 1 BCS 1 1 No 0 0 No Low FIS 1 BCS 1 1 No 0 0 No Low NNET 1 BCS 1 1 No 0 0 No Low Composer 1 BCS 1 1 No 0 0 Yes Medium SBAC 1 BCS 1 1 No 0 0 Yes Medium DBDoc 1 BCS 1 1 No 0 0 No Low Coal Handling 1 BCS 1 1 No 0 0 No Low 2015 SPP RE SPRING WORKSHOP 7

99 Factors to Consider when grouping Location Connectivity (Routable vs. Nonroutable) BES Cyber Assets that serve a common function of protecting the BES BES Cyber Assets that are subject to the same software patching requirement. BES Cyber Assets that share the same impact rating SPP RE SPRING WORKSHOP 8

100 Questions SPP RE SPRING WORKSHOP 9

101 CIP Version 5 Transition Program Lessons Learned & FAQs Tom Hofstetter, CIP Auditor June 2, 2015

102 Disclaimer Not speaking for the Commission, for NERC, for SPP- RE, etc. These are dynamic issues, so content, descriptions, and musings may be an educated guess about who s responsible, what it is, where it s going, when it s likely, why it s needed, or how it s done Any perceived guidance on specific approaches for implementing the CIP V5 Standards is unintentional o compliance is dependent on how it is implemented o there may be other ways to comply with the Standards that are not discussed I focus on system-wide TFE issues; details typically can be addressed by the Region 2 RELIABILITY ACCOUNTABILITY

103 Lessons Learned and FAQs Topic Lesson Learned or FAQ Date Posted for Stakeholder Comment Generation Segmentation Lesson Learned October 23, 2014 Far-End Relay Lesson Learned October 23, 2014 BES Impact of Transmission FAQ April 24, 2015 Scheduling Systems Grouping of BES Cyber Systems Lesson Learned March 2, 2015 Shared Equipment at a FAQ April 1, 2015 Substation Virtualization Lesson Learned April 17, 2015 Intrusion Detection Systems FAQ April 30, 2015 Interactive Remote Access Lesson Learned January 8, 2015 Mixed Trust EACMS Lesson Learned January 8, 2015 Multiple Physical Access FAQ April 1, 2015 Controls Protecting Physical Ports FAQ April 1, 2015 At a glance: 23 original topics 50 FAQs 7 LLs 57 topics via Section 11 5 issues addressed by NERC Identifying Sources of Patch Management Mitigating Threat of Detected Malicious Code Vulnerability Testing of Physical Access Controls FAQ April 30, 2015 FAQ November 25, 2014 FAQ April 1, RELIABILITY ACCOUNTABILITY

104 Lessons Learned & FAQ Document effective approaches to implementation or compliance Suggestions on how to comply Somewhat prescriptive but not binding Uses industry comment and vetting approach 4 RELIABILITY ACCOUNTABILITY

105 Guidance: Effective Approaches to Comply Section 11 Guidance Development Process 5 RELIABILITY ACCOUNTABILITY

106 NERC Communications Used when question is not about approaches to implementation nor compliance Rather, used to address questions regarding the meaning of a particular requirement or term Defers to Standard Drafting Team portions of the record : Guidelines and Technical Basis Comment responses Issued April 21, RELIABILITY ACCOUNTABILITY

107 Far-end Relay Generation Segmentation Mixed Trust EACMs Interactive Remote Access Grouping of BES Cyber Systems Virtualization (Networks and Servers) 3rd Party Notifications of medium impact assets* Generation Interconnection * Programmable Electronic Devices * Serial Devices that are accessed remotely * Network devices as BES Cyber Systems * Control Centers operated by TOs and non-registered BAs * General FAQs * - Not Issued as Lessons Learned or FAQ Status 7 RELIABILITY ACCOUNTABILITY

108 Far-end Relay (AKA Transfer-Trip) What s Trending with CIP V5 Transition Status: Approved by Standards Committee and Posted as Final. The far-end relay does not automatically inherit a Medium impact categorization if the near-end substation satisfies the qualifications of Criterion RELIABILITY ACCOUNTABILITY

109 Generation Segmentation What s Trending with CIP V5 Transition Status: Approved by Standards Committee and Posted as Final. BES Cyber Systems associated with a generating plant in excess of 1500 MW Net Real Power Capability can be segmented such that there are no Medium impacting BES Cyber Systems. Includes a discussion of evidence required to demonstrate sufficient segregation. 9 RELIABILITY ACCOUNTABILITY

110 What s Trending with CIP V5 Transition Mixed Trust Electronic Access Control or Monitoring Systems Status: Addressing industry comments The issue is whether corporate resources (Active Directory servers, remote access authentication servers, log servers, Intrusion Detection Systems, etc.) supporting both corporate and Electronic Security Perimeter access control are Electronic Access Control or Monitoring Systems. Current position is that if the Cyber Asset is providing electronic access control or monitoring support to the CIP environment, the Cyber Asset is an EACMS for the purposes of CIP compliance. 10 RELIABILITY ACCOUNTABILITY

111 What s Trending with CIP V5 Transition Interactive Remote Access (Scripts and Management Consoles) Status: Addressing industry comments provide guidance on implementing security controls for the use of Interactive Remote Access. Open question is whether scripts under programmatic control and actions performed by management consoles constitute Interactive Remote Access. 11 RELIABILITY ACCOUNTABILITY

112 Grouping of BES Cyber Systems Status: Addressing industry comments What s Trending with CIP V5 Transition Purpose is to describe useful methods to group BES Cyber Assets into BES Cyber Systems (BCS). 12 RELIABILITY ACCOUNTABILITY

113 What s Trending with CIP V5 Transition 3rd Party Notifications of medium impact assets Status: Issued as a NERC Communication and not a Lessons Learned For IRC 2.3 and 2.6 Reliability Coordinator, Planning Coordinator, or Transmission Planner addresses the Facility (generation or transmission) The asset owning registered entity must then determine which BES Cyber Assets or BES Cyber Systems support the identified Facility 13 RELIABILITY ACCOUNTABILITY

114 Generation Interconnection (IRC 2.5) What s Trending with CIP V5 Transition Status: Issued as a NERC Communication and not a Lessons Learned The question is whether the line (sometimes referred to as the generator lead line) operated at transmission voltages between a generating plant and a transmission substation is a Transmission Facility for the purposes of the CIP Impact Rating Criteria. Position is for transmission line to be considered a Transmission Facility and included in the Criterion 2.5 calculation, the line must be used for network flow of the Bulk Electric System and connected to another Transmission station or substation. 14 RELIABILITY ACCOUNTABILITY

115 Programmable Electronic Devices (PED) What s Trending with CIP V5 Transition Status: Issued as a NERC Communication and not a Lessons Learned Went back to the official record of the Standard Drafting Team and determined that questions raised were already addressed Programmable electronic device (PED) Is an electronic device which can execute a sequence of instructions loaded to it through software or firmware, and configuration of an electronic device is included in programmable. - SDT Considerations of for V5 Posting 15 RELIABILITY ACCOUNTABILITY

116 Virtualization (Networks and Servers) Status: To be issued as a Lessons Learned What s Trending with CIP V5 Transition The concern with virtualization is when there is a mixed trust environment The standards do not do a good job of addressing the technology For virtual servers where a mixed trust environment is being used there will be a lot of scrutiny of security controls in place For networks using mixed trust will need to see that the appropriate Electronic Access Point Controls are in place for the device 16 RELIABILITY ACCOUNTABILITY

117 Serial Devices that are accessed remotely Status: Issued as a NERC Communication and not a Lessons Learned ERC definition ability to access What s Trending with CIP V5 Transition The position is that terminal server/gateways that are connected using external routable connectivity with serial devices on the back end, and that perform no application-level processing are external routable connectivity all the way to the serial device. They must be within an ESP and have protection of an Electronic Access Point. 17 RELIABILITY ACCOUNTABILITY

118 What s Trending with CIP V5 Transition Serial devices with ERC: Use a dumb converter (e.g., a terminal server No application-level processing or proxying of traffic Data passed from routable connection to serial connection with no application-level processing Require an EACMS 18 RELIABILITY ACCOUNTABILITY

119 What s Trending with CIP V5 Transition Serial devices without ERC: Use application proxy converter (e.g., a data concentrator or application gateway ) Application or protocol break between routable network and serial device Data passes through application-level filtering or conversion 19 RELIABILITY ACCOUNTABILITY

120 Network Devices and BES Cyber Systems What s Trending with CIP V5 Transition Status: Issued as a NERC Communication and not a Lessons Learned Exclusion: Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. Network devices can be considered BCAs based on the BCA definition, especially if inside ESPs ERO will use discretion to exempt any Cyber Assets associated with non-routable communication networks/links that would be exempt if they were routable communication between discrete ESPs 20 RELIABILITY ACCOUNTABILITY

121 What s Trending with CIP V5 Transition Control Centers operated by TOs and non-registered BAs Status: Issued as a NERC Communication and not a Lessons Learned High Impact Rating (H) o 1.3 Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or Medium Impact Rating (M) o Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above. 21 RELIABILITY ACCOUNTABILITY

122 What s Trending with CIP V5 Transition Control Centers operated by TOs and non-registered Bas Went back to the official record of the Standard Drafting Team and determined it was clearly addressed that the SDT intent was the functions you are performing and not how you are registered. 22 RELIABILITY ACCOUNTABILITY

123 General Frequently Asked Questions (FAQs) What s Trending with CIP V5 Transition 3 are already posted on the V5 Transition Program page on the NERC web site as Technical FAQs 34 FAQs were posted for industry comment April 2 with comments due by May 15. More FAQs posted May 1; comments due June RELIABILITY ACCOUNTABILITY

124 References CIP Version 5 Transition page: 24 RELIABILITY ACCOUNTABILITY

125 Questions Tom Hofstetter, CISA, CISSP CIP Compliance Auditor

126 Virtualization and CIP Compliance June 2, 2015 Jeremy Withers, CISSP, Security+, Network+, CISA Senior Compliance Specialist CIP

127 What is Virtualization? The simulation of the software and/or hardware upon which other software runs. Virtualization refers to the creation of a virtual, as opposed to an actual (or physical), computer hardware platform, storage device, or computer network resources. 2

128 Pros and Cons of Virtualization Pros Lower overall costs Efficient resource utilization Redundancy Energy efficiency savings Cons High upfront costs Server sprawls 3

129 Audit Approach Auditors will treat virtual assets the same as physical assets. Evidence of compliance will be virtually the same. 4

130 Virtual Server Example 5

131 Virtualization and CIP Compliance CIP BES Cyber System Identification Medium Impact BES Cyber System DAC1 BES Cyber Asset DAC2 BES Cyber Asset HIS Protected Cyber Asset Does not have 15 minute impact on reliability Host machine/hypervisor BES Cyber Asset Host machine/hypervisor must inherit the impact categorization as the highest impacting BES Cyber Asset that can run on that Host Machine 6

132 Virtualization and CIP Compliance CIP Personnel and Training Personnel with access to any portion of the virtual server must be properly trained Personnel with access to any portion of the virtual server must have Personnel Risk Assessments performed CIP Electronic Security Perimeter(s) The Host Machine/Hypervisor, Guest Machines, and all network connectivity must fully reside within an Electronic Security Perimeter (ESP) 7

133 Virtualization and CIP Compliance CIP Physical Security of BES Cyber Systems The Host machine/hypervisor must be physically protected CIP System Security Management The need for the enabled listening ports must be documented for the Host machine/hypervisor and all guest machines Patches must be evaluated for the Host/Hypervisor and all guest machines 8

134 Virtualization and CIP Compliance CIP Recovery Plans for BES Cyber Systems Build and restore procedures for Host machine/hypervisor and guests CIP Configuration Change Management and Vulnerability Assessments Baseline documentation for Host machine/hypervisor and guests Virtualization may be used as a testing environment Conduct a vulnerability assessment on Host machine/hypervisor and guests 9

135 Virtual Local Area Network Example 10

136 Virtualization and CIP Compliance CIP BES Cyber System Identification Medium Impact BES Cyber System SCADA L2 Switch BES Cyber Asset Medium Impact BES Cyber System VLAN 10 assets BES Cyber Assets VLAN 20 assets BES Cyber Assets Electronic Access Control or Monitoring Systems SCADA Firewall Electronic Access Point (EAP) Intermediate System 11

137 Virtualization and CIP Compliance CIP Electronic Security Perimeter(s) All External Routable Connectivity must go through the SCADA Firewall (EAP) The Intermediate System must be used for all Interactive Remote Access 12

138 Summary Make sure you classify your virtual assets properly It s very important to protect your host machine Provide evidence for how your virtual assets meet the CIP requirements, the same as you would for your physical assets 13

139 Managing Interactive Remote Access 2015 CIP Compliance Workshop June 2, 2015 Shon Austin Lead Compliance Specialist

140 Objectives What is Interactive Remote Access? Which requirements are associated with Interactive Remote Access? Migrating from V3 to V5 (example implementation solutions) Avoid the most common sticking points/potential issues Questions and Summary 2

141 What is Interactive Remote Access Interactive Remote Access - Effective 4/1/16 - Interactive Remote Access is defined as: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications. 3

142 What is Interactive Remote access Intermediate System is defined in the NERC Glossary of Terms as: a Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter. (ESP) The Intermediate System acts as proxy between the Cyber Asset initiating the external communication and the cyber assets within the ESP. 4

143 What is Interactive Remote access Intermediate system can be broken into a collection of systems Number of functions (e.g., protocol break or proxy, encryption termination, and multi-factor authentication) Mix and Match 5

144 Applicable Systems High Impact BES Cyber Systems and their associated PCA Medium Impact BES Cyber Systems with External Routable Connectivity* (ERC*) and their associated PCA *This is addressed in SPP RE External Routable Connectivity presentation. 6

145 Requirement Part Use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset Part Use encryption that terminates at an Intermediate System for all Interactive Remote Access Part Use multi-factor (i.e., at least two) authentication to manage all Interactive Remote Access sessions 7

146 Implementing Part 2.1 Part Use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset Identify your entity s requirements for allowing Interactive Remote Access To increase overall security posture, place the Intermediate System(s) into a demilitarized zone (DMZ) a defined, protected network with both ingress and egress filtering rules in place The Intermediate System can be used to access Cyber Assets in mixed environments These system can have different impact ratings inside the ESP as well as be outside the ESP 8

147 Implementing Part 2.1 Establish a criteria for determining which applications should reside on the Intermediate System Need to know Ensure Interactive Remote Access must be managed by the Intermediate System Cyber Asset initiating the external communication does not have direct external access Cannot RDP directly to SCADA system within an ESP from outside the ESP Not a pass through RDP from the intermediate System must be a new session from the Intermediate System 9

148 Implementing Part 2.1 Interactive Remote Access is NOT System-to system communications Despite the fact that the protocol can used for Interactive Remote Access 10

149 Implementing Part 2.2 Part Use encryption that terminates at an Intermediate System for all Interactive Remote Access Encryption between the Cyber Asset initiating communication and the Intermediate System(s) Where is encryption required to terminate? There is confusion regarding where encryption must terminate Encryption only required on the non-secure side of the Intermediate System 11

150 How to implement Part 2.3 Part Use multi-factor (i.e., at least two) authentication to manage all Interactive Remote Access sessions Implement multi-factor authentication use authentication factors from at least two of three generally accepted categories : Something you know (the knowledge factor) (e.g., a password or personal identification number or PIN) Something you have (the possession factor) (e.g., a one-time password token or a smart-card) Something you are (the inherence factor) (e.g., fingerprint or iris pattern) 12

151 How to implement Part 2.3 An additional authentication factors outside of the classical paradigm When implemented reduces the shortcomings associated with traditional (static) password Location factors - the authenticator's current location GPS device (Smartphone) 13

152 How to implement Part 2.3 Where does multi-factor authentication have to be performed? Before gaining access to a system inside the ESP Can a Intermediate System be accessed directly for Interactive Remote Access without performing multifactor authentication? No. Must ensure multi-factor authentication cannot be by bypassed when attempting Interactive Remote Access to assets within the ESP 14

153 How Interactive Remote Access s vulnerabilities are reduced in V5 (from V3) 15

154 EMS SysAdmin via Remote PC Corporate Firewall EMS SysAdmin via Corporate PC DMZ Firewall ESP Firewall EMS Jump Host DC EMS Jump Host BES Cyber Systems 16

155 17

156 18

157 19

158 20

159 Suggested Evidence Network diagrams Evidence of multi-factor authentication Evidence of end-to-end encryption Evidence that Intermediate System is subjected to applicable CIP requirements for EACMS (Electronic Access Control or Monitoring System) 21

160 References DRAFT Lesson Learned CIP Version 5 Transition Program, CIP R2: Interactive Remote Access, Version: January 9, 2015 NERC Guidance for Secure Interactive Remote Access, July 2011 National Institute of Standards and Technology (NIST), NIST Special Publication (SP) (2013) 22

161 Summary Interactive Remote Access must be managed by an Intermediate System(s) Interactive Remote Access does not originate on an Intermediate System or inside of an ESP Requires encryption to Intermediate System Requires multi-factor authentication Programmatic interfaces can run on Intermediate System, eliminating Interactive Remote Access 23

163 External Routable Connectivity June 2, 2015 Robert Vaughn Compliance Specialist II

164 Section 1 THE FACTS 2

165 Definition of External Routable Connectivity From the NERC Glossary of Terms The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection. 3

166 External Routable Connectivity The Key Question Are the requirements applicable to BES Cyber Systems (BCS) with routable connectivity (i.e., requirements related to having an ESP and External Routable Connectivity (ERC)) applicable to a natively serial-based (non-routable) BES Cyber Asset (BCA) that has been modified to be externally accessible via a routable network? 4

167 NERC Memorandum. NERC Memorandum published 4/22/15: Categorization and Protection of Network Devices and Externally Accessible Devices The routable connectivity requirements in the CIP version 5 standards apply to natively serial-based BCAs modified to be externally accessible via a routable network. This applies to all requirements that are applicable to BES Cyber Systems with External Routable Connectivity 5

168 Section 2 EXAMPLES 6

169 Remote Communications Via Routable Protocol End-to-End DAQ Server ESP Relay Engineer Relays ESP Key: TCP/IP Communications Serial Communications External Routable Connectivity 7

170 Remote Communications Access Through Port/Terminal Server v v v DAQ Server ESP Relay Engineer Port Server Relays ESP Key: TCP/IP Communications Serial Communications External Routable Connectivity 8

171 SCADA/EMS Remote Communications Access Via RTU App Server DAQ Server ESP RTU Relays ESP Key: TCP/IP Communications Serial Communications External Routable Connectivity 9

172 SCADA/EMS Remote Communications Access Via Port Server at the Control Center Relays App Server DAQ Server ESP Key: TCP/IP Communications Serial Communications External Routable Connectivity 10

175 For More Information Contact SPP RE CIP staff with questions or to schedule a one-on-one or SPP RE small group advisory session NERC Small Group Advisory Sessions: July 8-10: Austin TX, hosted by Texas RE August 4-6: Atlanta GA, Hosted by NERC September 1-3: Atlanta GA, Hosted by NERC 13

176 IN SUMMARY 14

177 Summary More network devices are now included under the V5 standards Ensure your BCAs are protected Ask SPP RE or NERC for guidance 15

178 Low Impact Facilities/Assets and BES Cyber Systems CIP-003 R1 and R2 June 3, 2015 Natalie Johnson, NERC Compliance Manager David Campbell, CIP Compliance Program Manager Enel Green Power North America February 10 th 2015 NERC CIP V5 Compliance Project - Progress Project Status

179 Contents Introduction and Who We Are CIP Project Progress Low Impact Assessment Moving Forward June 3, 2015 CIP-003 Low Impact BES Assessment 2

180 Introduction EGPNA has 1 Medium Impact Control Room EGPNA has 8 Low Impact Wind Facilities The Focus of this presenation is how we are preparing to meet CIP Requirements for Low Impact This is an example of what one company is doing and our approach June 3, 2015 CIP-003 Low Impact BES Assessment This document contains proprietary information of Enel Green Power SpA and should only be used by the recipient in relation to the purposes for which it was received. Any form of reproduction or dissemination without the explicit consent of Enel Green Power SpA is prohibited. 3

181 Who Are We? Enel Green Power North America Enel Green Power North America (EGP-NA), a subsidiary of Enel Green Power, is an industry leading owner and operator of renewable energy plants in North America with projects operating and under development in 21 U.S. states and two Canadian Provinces. With nearly 100 plants in operation representing an installed capacity of more than 2GW, EGP-NA s portfolio includes a diverse mix of hydropower, geothermal, wind and solar renewable energies. Since 2010, EGP-NA has undergone rapid expansion in the U.S., more than doubling its total installed capacity and already has more than 400 MW currently in construction. The company employs more than 350 people in North America that hold strong managerial, technical and financial expertise. Technology Hydro Wind Geothermal Solar Total Capacity 317 MW 1,665 MW 72 MW 29 MW 2,083 MW June 3, 2015 CIP-003 Low Impact BES Assessment

182 EGP-NA NERC Compliance Structure EGPNA CEO ICT ICT Director - Generation Operations CIP Sr. Manager Legal EGPNA Compliance Officer Oversight, Approvals *Deployment plan ongoing to build compliance support staff for CIP roles and responsibilities June 3, 2015 CIP-003 Low Impact BES Assessment NERC Compliance Manager CIP Compliance Program Manager Management, Coordination, Facilitation, Training

183 EGP-NA NERC Compliance Structure NERC CIP Stakeholders CIP Compliance Program Manager CIP Stakeholders Information Communications Technology Operations and Maintenance Human Resources Facilities Legal June 3, 2015 CIP-003 Low Impact BES Assessment 6

184 CIP Project Progress EGP-NA has developed approx. 120 documents in order to support the CIP transition Docs Alignement Policies Procedures Workflows Templates NERC CIP Area # BES Cyber System Categorization 1 Security Management Controls 3 Personnel & Training 2 Electronic Security Perimeter 1 Physical Security 2 System Security Management 1 Incident Management 1 Recovery Plans 1 Configuration change mgmt & VA 1 Information Protection 1 NERC CIP Area # BES Cyber System Categorization 2 Security Management Controls 2 Personnel & Training 9 Electronic Security Perimeter 3 Physical Security 5 System Security Management 10 Incident Management 3 Recovery Plans 3 Configuration change mgmt & VA 4 Information Protection 3 NERC CIP Area # BES Cyber System Categorization 1 Security Management Controls 0 Personnel & Training 9 Electronic Security Perimeter 3 Physical Security 4 System Security Management 7 Incident Management 3 Recovery Plans 2 Configuration change mgmt & VA 3 Information Protection 2 NERC CIP Area # BES Cyber System Categorization 3 Security Management Controls 2 Personnel & Training 5 Electronic Security Perimeter 1 Physical Security 2 System Security Management 4 Incident Management 2 Recovery Plans 3 Configuration change mgmt & VA 4 Information Protection 1 Total # of Policies 14 Total # of Procedures 44 Total # of Workflows 34 Total # of Templates 27 June 3, 2015 CIP-003 Low Impact BES Assessment

185 Low Impact Facilities Assessment Two Approaches Evaluation based on CIP BES Assets and/or BES Cyber Systems Bright Line Criteria Methodology Approach 1 - Inventory and categorize facilities, then identify and classify Cyber Systems (facility-centric, or top-down), A methodology to determine qualifying BES assets and BES Facilities Output Step 1 Facilities Evaluation (discrete list(s) are not required) Step 2 BES Cyber Systems Evaluation Approach 2 - The second approach is the opposite, beginning with a BES Cyber Systems inventory, then a crossreference to facilities (cyber systems centric, or bottom up) Step 1 BES Cyber Systems Evaluation Step 2 Facilities Evaluation June 3, 2015 CIP-003 Low Impact BES Assessment

186 Facilities Evaluation Process CIP Attachment 1 Impact Rating Criteria Generation resources and Control Centers evaluated against Attachment 1, Sections 1.1 to 1.4 (High Impact) and 2.1 through 2.13 (Med Impact) bright line criteria Any facilities that do not meet the criteria in 1.1 to 1.4 (High Impact) and 2.1 through 2.13 (Med Impact) and also meet the applicability qualifications in Section 4 (Applicability, part 4.2) are evaluated against sections 3.1 to 3.6 (Low Impact) bright line criteria Facilties Evaluation Categorizing Low Impact CIP Attachment 1 section 2.1 to 2.13 criteria section 3.1 criteria section 3.2 criteria section 3.3 criteria section 3.4 criteria section 3.5 criteria section 1.1 to Facilities 1.4 criteria Generation Resource A no no no no yes no no no Generation Resource B no no no no yes no no no Generation Resource C no no no no yes no no no Generation Resource D no no no no yes no no no Generation Resource E no no no no yes no no no section 3.6 criteria June 3, 2015 CIP-003 Low Impact BES Assessment Att 1 section 3.3 Generation resources.

187 Facilities Evaluation Example CIP Attachment 1 Impact Rating Criteria Key Features of Evaluation Spreadsheet List all facilities in far left column List all bright line criteria across the header Apply each asset against each criteria from Attachment 1, sections 1, 2 and 3 *CIP pg4 - an entity might choose to view an entire plant control system as a single BES Cyber System Pg31 Under Low Impact Categorization, assets with routable connectivity are protected under cyber security awareness, physical access control, electronic access control, and incident response June 3, 2015 CIP-003 Low Impact BES Assessment Excel file has a revision history with signature

188 BES Cyber System / Asset Determination Approach 2 *example workflow Routable communications paths into the BES Asset that permit External Routable Connectivity (ERC) or Interactive Remote Access (IRA) Non-Routable communications paths and endpoints into the BES Asset that permit IRA Identification of communication boundaries and access point placement Identification of physical boundaries and access point placement June 3, 2015 CIP-003 Low Impact BES Assessment *Reference: MRO Standards Application Guide - Cyber Asset Procedure, Section 4 Diagram 2 pg. 7,11

189 Low BES Asset Candidate Assessment Low Impact Candidate Identification Rationale: Low Impact BES Assets consist of BES Assets that contain BES Facilities that did not qualifying as High or Medium impact pursuant to Attachment 1 High and Medium Impact Criteria *if determined to be located in a Low BES Facility. Low BES Asset Candidate Information BES Asset Connectivity Criteria BES Asset Classification BES Asset Category BES Asset Name BES Asset BES Facility Abbreviation Association Communication service details for the BES Asset? CIPV5 R1.i - R1.vi Name of Registered_Entity_X BES Asset where the Category of the BES communications line(s) enters Asset Abbreviation of Registered_Enti ty_x BES Asset Is there a BES Facility located at the BES Asset? Does the BES Asset have a communications line(s) transporting a routable protocol? Does the BES Asset have a communications line(s) transporting a serial protocol? Does the BES Asset have a communications line(s) transporting a dial-up connection? Communication Service Type Example: Leased, Privately owned etc. Communication Line Service Provider Name of the communications line service provider. If privately owned, enter Registered_Entity_X. Communication Line Identifier Unique ID associated to the billing of the service, or if privately-owned any unique ID that exists for inventorying purposes Inventory of Communications Lines (required only if the BES Asset Classification is Low BES Asset (LBA) Destination Description Asset Name (optional) Name of Registered_Entity_ X Asset where the commuinication line terminates. This is necessary if placing Low Impact Access Points to electronic boundaries in an upstream central location. Enter a brief description of the communications line, or other data about the related application or function of the service. Functional Group Name Connectivity Attributes Accessibility Attributes Name Registered_E ntity_x Functional Group responsible for the Cyber Asset Serial Routable Protocol Routable Protocol Type (i.e. IP) Routable Protocol Network Address(es) (i.e. IP Subnet Address) Dialup Lowimpact External Routable Connectivi ty (LERC) Interactive Remote Access (IRA) BES Asset Boundary Protections Low Impact Access Point(s) (LEAPs) cyber boundary physical boundary June 3, 2015 CIP-003 Low Impact BES Assessment *Reference: MRO Standards Application Guide Low Impact.xls attachment

190 Moving Forward CIP-003 R2 Cybersecurity Policy for Low Impact BES Cyber Systems Requirement Cybersecurity Awareness Physical Security Controls Electronic Access Controls for Low Impact External Routable Connectivity (LERC) Approach As determined by EGP-NA utilize CIP-004 Policy for Medium Impact Online training courses tracked in Learning Management System Distribute media electronically As determined by EGP-NA utilize CIP-006 R1.2 & R1.3 procedures for Physical Security at Medium Impact BES Assets Documentation of key locks and authorized users As determined by EGP-NA utilize CIP-005 R1&R2 procedures for Med Impact BES Assets Document users access Track access approval, change, and revocation Cybersecurity Incident Response As determined by EGP-NA utilize CIP-008 R1- R3 procedures for Med Impact BES Assets Tabletop exercises relevant to low impact environment Service desk support covering Med Impact Facility June 3, 2015 CIP-003 Low Impact BES Assessment

191 Thank you! Questions? June 3, 2015 CIP-003 Low Impact BES Assessment

192 Low Impact BES Cyber Systems CIP R1 and R2 June 3, 2015 Steven Keller, CISA, CRISC, CISSP Lead Compliance Specialist CIP

193 CIP V5 Low Impact Assets Coverage What is a Low Impact BES Cyber Asset? How we got here Where we are going Things to Consider Audit Approach 2

194 What is a Low Impact Asset? BES Cyber System (BCS) that has not been categorized as High or Medium Impact Criteria R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower][Time Horizon: Operations Planning] 3

195 How we got here - FERC FERC issued Order 791 in Nov which is now effective Order had four directives: 1. Identify Assess and Correct language 2. Communication Networks 3. Low Impact BES Cyber Systems 4. Transient Devices Registered Entities with only Low Impact BCS only have to comply CIP and CIP

196 How we got here FERC, cont. FERC concerned with lack of objective criteria for evaluating Low Impact protections Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process Open to alternative approaches the criteria NERC proposes for evaluating a responsible entities protections for Low Impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified 5

197 Implementation Date for Low Impact BCS 6

198 Audit Approach Hints An inventory, list, or discrete identification of Low Impact BCS or their BES Cyber Assets is not required BUT!!!! A list containing the name of each asset that contains a Low Impact BES Cyber System is required, such as a list of: Generating plants Transmission stations Certain distribution stations Certain small control centers that contain Low Impact BCS Blackstart resources and cranking paths 7

199 Audit Approach Hints Must demonstrate that Low Impact BCS locations have been afforded electronic and physical protections, and are included in recovery plans To Repeat: DON T have to identify a discrete list of Low Impact BCS DO have to demonstrate compliance with CIP R2 for each Low Impact BCS A list of Low Impact BCS at each asset may be helpful 8

200 CIP R1.2 R1.2 For its assets identified in CIP 002 containing Low Impact BES Cyber Systems, if any: Cyber security awareness; Physical security controls; Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial up Connectivity; and Cyber Security Incident response 9

201 CIP R2 Each Responsible Entity with at least one asset identified in CIP 002 containing Low Impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its Low Impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning] Note: An inventory, list, or discrete identification of Low Impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required. 10

202 CIP R2 Attachment 1 Section 1 Cyber Security Awareness Shall reinforce cyber security practices at least every 15 months May include physical security practices 11

203 CIP R2 Attachment 1 Section 2 Physical Security Controls Shall control physical access, based on need as determined by the Responsible Entity to: the Low Impact BCS within the asset the Low Impact BCS Electronic Access Points (LEAPs), if any 12

204 CIP R2 Attachment 1 Section 3 Electronic Access Controls 3.1 For Low Impact External Routable Connectivity (LERC), if any, implement a LEAP (Low Impact Electronic Access Point) to permit only necessary inbound and outbound bi-directional routable protocol access 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Asset capability 13

205 New Definitions - LERC LERC Low Impact External Routable Connectivity - Direct user initiated interactive access or a direct device to device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi directional routable protocol connection. Example: SCADA communicating to a low impacting RTU in the substation 14

206 LERC Exemption Point to point communications between intelligent electronic devices that use routable communication protocols for time sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition Examples of this communication include, but are not limited to: IEC GOOSE Vendor proprietary protocols 15

207 New Definitions - LEAP LEAP Low Impact BES Cyber System Electronic Access Point - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems. 16

208 CIP R2 Attachment 1 Section 4 Cyber Security Incident Response Plan(s) 4.1 Identification, Classification and Response to a Cyber Security Incident 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES ISAC), unless prohibited by law; 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals; 17

209 CIP R2 Attachment 1, con t. Section 4 Cyber Security Incident Response Plan(s) 4.4 Incident handling for Cyber Security Incidents; 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident 18

210 CIP R2 Attachment 1, con t. Section 4 Cyber Security Incident Response Plan(s) 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident. 19

211 Example: Acme Power s Low Impact BCS The following Acme Low Impact BCS have: Electronic access controls Physical security controls Cyber security awareness (strong passwords, virus protection, etc.) Are included in a cyber incident response plan 1. Substation Alpha 2. Substation Beta 3. Substation Charlie 4. Edison Coal Plant 5. Acme Primary Control Center 20

212 Example: Acme s R2 Evidence For Acme s 5 listed BCS, evidence of: Electronic access controls Network diagram, access control list Documentation of electronic protection Physical security controls Documentation of card readers, key locks, etc. Cyber security awareness Security policies, awareness training (posters, learning modules) Cyber incident response plan Copy of the plan 21

213 Summary Be sure to follow CIP and CIP for Low Impact BCS A list of discrete, Low Impact BCS is not required but may be helpful You must have a list of assets containing Low Impact BCS Even if the asset contains Low Impact BCS, it must be on the Low Impact list even if the asset also contains High or Medium BCS 22

214 CIP Version 5 & Technical Feasibility Exceptions (TFEs) Tom Hofstetter, CIP Compliance Auditor June 3, 2015

215 Disclaimer Not speaking for the Commission, for NERC, for SPP- RE, etc. These are dynamic issues, so content, descriptions, and musings may be an educated guess about who s responsible, what it is, where it s going, when it s likely, why it s needed, or how it s done Any perceived guidance on specific approaches for implementing the CIP V5 Standards is unintentional o compliance is dependent on how it is implemented o there may be other ways to comply with the Standards that are not discussed I focus on system-wide TFE issues; details typically can be addressed by the Region 2 RELIABILITY ACCOUNTABILITY

216 CIP V3 to V5 - TFE Transition 3 RELIABILITY ACCOUNTABILITY

217 CIP V3 to V5 - TFE Transition 4 RELIABILITY ACCOUNTABILITY

218 CIP V3 to V5 - TFE Transition Target date: October 1, 2015 Changes to compliance portal (webcdms & CITS) Processes are in development update to Appendix 4D of NERC RoP Existing TFEs - keep for safe harbor even if transitioning to CIP V5 General information from NERC this summer SPP-RE also can provide guidance & answer questions 5 RELIABILITY ACCOUNTABILITY

219 CIP V3 to V5 TFE Transition 6 RELIABILITY ACCOUNTABILITY

220 CIP V3 to V5 TFE Transition Appendix 4D Revisions Timeline June July August September October April TFE Managers Legal Industry Board FERC 7 RELIABILITY ACCOUNTABILITY

221 CIP V3 to V5 TFE Transition Portal Updates Timeline users June July August September October April 8 RELIABILITY ACCOUNTABILITY

222 V5 TFE Terminology Where technically feasible TFE!!! 9 RELIABILITY ACCOUNTABILITY

223 V5 TFE Terminology per BES Cyber System capability TFE 10 RELIABILITY ACCOUNTABILITY

224 V3 TFEs that Go Away Under V5 CIP-005-3a CIP-006-3c CIP-007-3a R3.1 R1.1 R3.2 R3.2 R4 R5.3 R5.3.1 R5.3.2 R6 11 RELIABILITY ACCOUNTABILITY

225 V3 TFEs that map to V5 TFEs 17 V3 V5 CIP R2.4 CIP R2 Part 2.3 CIP R2.3 CIP R1 Part 1.1 CIP R6.4 CIP R4 Part 4.3 CIP R5.3.3 CIP R5 Part RELIABILITY ACCOUNTABILITY

226 New TFEs in V5 CIP R1 Part 1.4 CIP R2 Part 2.1 CIP R2 Part 2.2 CIP R1 Part 1.3 CIP R5 Part 5.1 CIP R5 Part 5.7 CIP R1 Part 1.5 CIP R3 Part RELIABILITY ACCOUNTABILITY

227 Appendix 4D Draft Considerations Revisions to the TFE procedure (Appendix 4D, NERC s Rules of Procedure) need to reflect and support the requirements of the CIP V5 Standards. Updated compliance portals (i.e., WebCDMS, CITS, CRATS) will support the changes to the TFE procedure. A fundamental difference between V5 CIP Reliability Standards and previous versions is the designation of BES Cyber Systems, which can include multiple Cyber Assets. Data for NERC s annual TFE report to FERC needs to reflect accurate information for both V3 and V5 records. 14 RELIABILITY ACCOUNTABILITY

228 Appendix 4D Draft Considerations When V5 takes effect, there will not be a significant change to the TFE oversight process itself. As Responsible Entities transition from compliance with V3 to V5 of the CIP Standards, there will be a period during which TFE records will be developed and maintained that apply to both versions. Responsible Entities need TFE-related records and artifacts to demonstrate compliance with the applicable requirements both before and after the effective date of the V5 Standards. 15 RELIABILITY ACCOUNTABILITY

229 Appendix 4D Proposed Draft Language 2.0. DEFINITIONS 2.2 Applicable Requirement; Requirement Part: A Requirement or Requirement Part of a CIP Standard that (i) expressly provides either (A) that compliance with the terms of the Requirement or Requirement Part is required where or as technically feasible, or (B) that technical limitations may preclude compliance with the terms of the Requirement or Requirement Part; or (ii) is subject to this Appendix by FERC directive. Wherever used in this Appendix, Requirement is assumed to include and Requirement Part unless stated otherwise. 16 RELIABILITY ACCOUNTABILITY

230 Appendix 4D Proposed Draft Language 4.0. FORM, CONTENTS AND SUBMISSION OF A TFE REQUEST OR MATERIAL CHANGE REPORT 4.1. Submissions for a TFE Request or Material Change Report One TFE Request or Material Change Report for a TFE from the same Applicable Requirement or Requirement Part for multiple Covered Assets at one or more locations when all of the following criteria are met for the Covered Assets: Same category (i.e., all BCAs, all EACMs, etc.). Within the purview of the same Regional Entity Have the same basis. Use the same compensating and/or mitigating measures Same proposed Expiration Date for all assets in the request 17 RELIABILITY ACCOUNTABILITY

231 V5 TFE Q & A Q Will there be any significant changes to the TFE Process for the V5 CIP Standards? A The primary changes pertain to the language of the procedure, but the overall process will remain fundamentally the same. 18 RELIABILITY ACCOUNTABILITY

232 V5 TFE Q & A Q In cases where a V5 TFE requirement will replace a similar V3 TFE Requirement, should entities prepare to submit new TFEs or will the old TFEs cover the similar V5 requirements? A The old V3 TFEs will cover the similar V5 TFEs. The portals are being revised to support the new terminology, but the transition for those requirements will hopefully be seamless for users. 19 RELIABILITY ACCOUNTABILITY

233 V5 TFE Q & A Q According to a NERC Transition Presentation, entities should be able to submit CIP V5 TFEs starting October 1, Is this a good date? A That is the plan right now. Of course that is contingent on the portal vendors making the necessary changes by then. 20 RELIABILITY ACCOUNTABILITY

234 V5 TFE Q & A Q When can entities start terminating V3 TFEs that are not required for V5? A It looks like the regions will be able to administratively terminate them after April 1, The vendors are aware of that expectation and have not expressed concerns about it. 21 RELIABILITY ACCOUNTABILITY

235 V5 TFE Q & A Q Will there be any specific guidance on transitioning from CIP V3 TFEs to CIP V5 TFEs? A The plan is to have changes to the portal in place on October 1, 2015 to allow entry of V5 TFEs. Delay entering new V5 TFEs until after that date. The plan is for the regions to administratively terminate all V3 TFEs that will become obsolete with V5 sometime after April 1, RELIABILITY ACCOUNTABILITY

236 V5 TFE Q & A Q Some CIP V5 requirements with TFE provisions have delayed initial compliance per the NERC Implementation Plan. Does that mean that if a TFE submittal is necessary that it would also be delayed? A The TFE would be due on the effective date for the requirement per the NERC Implementation Plan. However, there are issues (see next slide) 23 RELIABILITY ACCOUNTABILITY

237 V5 TFE Q & A For CIP R5 the only TFE eligible requirement is Part 5.6 for annual password change. If entities submitted TFEs for V3 R5.3 which may have covered one or more of the sub-requirements, there is no way to determine which sub-requirements may apply. One of two options: 1. Administratively terminate all the V3 R5.3 TFEs and enter a new TFE for V5 R5 Part Leave all TFEs for V3 R5.3 TFEs in place and either terminate the TFE if it does not cover R5.3.3 or update the TFE. This option would have to be done before we would do any mass conversion to the new Part numbers. 24 RELIABILITY ACCOUNTABILITY

238 Resources CIP V5 Transition Program: 25 RELIABILITY ACCOUNTABILITY

239 Resources CIP V5 Transition Program: RELIABILITY ACCOUNTABILITY

240 Resources CIP V5 Transition Program: RELIABILITY ACCOUNTABILITY

241 Resources 28 RELIABILITY ACCOUNTABILITY

242 Transient Cyber Assets & Removable Media CIP Compliance Workshop June 3, 2015 Kevin B. Perry Director, Critical Infrastructure Protection

243 Topics Definitions CIP-010-2, Requirement R4 Transient Cyber Asset Requirements Removable Media Requirements Expectations at Audit 2

244 Definitions Transient Cyber Asset A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. 3

245 Definitions Removable Media Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. 4

246 CIP-010-2, Requirement R4 CIP-010-2, Requirement R4 states: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media that include the sections in Attachment 1. Requires documented plans and evidence of implementation of those plans Covers Transient Cyber Asset(s) Managed by the Responsible Entity and Transient Cyber Asset(s) Managed by a Party Other than the Responsible Entity 5

247 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 1: Transient Cyber Asset(s) Managed by the Responsible Entity Part 1.1: Transient Cyber Asset Management: Responsible Entities shall manage Transient Cyber Asset(s), individually or by group: (1) in an ongoing manner to ensure compliance with applicable requirements at all times, (2) in an on demand manner applying the applicable requirements before connection to a BES Cyber System, or (3) a combination of both (1) and (2) above. 6

248 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 1: Transient Cyber Asset(s) Managed by the Responsible Entity Part 1.2: Transient Cyber Asset Authorization: For each individual or group of Transient Cyber Asset(s), each Responsible Entity shall authorize: Part 1.2.1: Users, either individually or by group or role; Part 1.2.2: Locations, either individually or by group; and Part 1.2.3: Uses, which shall be limited to what is necessary to perform business functions. 7

249 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 1: Transient Cyber Asset(s) Managed by the Responsible Entity Part 1.3: Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): Security patching, including manual or managed updates; Live operating system and software executable only from read only media; System hardening; or Other method(s) to mitigate software vulnerabilities. 8

250 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 1: Transient Cyber Asset(s) Managed by the Responsible Entity Part 1.4: Introduction of Malicious Code Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the introduction of malicious code (per Transient Cyber Asset capability): Antivirus software, including manual or managed updates of signatures or patterns; Application whitelisting; or Other method(s) to mitigate the introduction of malicious code. 9

251 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 1: Transient Cyber Asset(s) Managed by the Responsible Entity Part 1.5: Unauthorized Use Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of unauthorized use of Transient Cyber Asset(s): Restrict physical access; Full disk encryption with authentication; Multi factor authentication; or Other method(s) to mitigate the risk of unauthorized use. 10

252 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 2: Transient Cyber Asset(s) Managed by a Party Other than the Responsible Entity Part 2.1: Software Vulnerabilities Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): Review of installed security patch(es); Review of security patching process used by the party; Review of other vulnerability mitigation performed by the party; or Other method(s) to mitigate software vulnerabilities. 11

253 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 2: Transient Cyber Asset(s) Managed by a Party Other than the Responsible Entity Part 2.2: Introduction of malicious code mitigation: Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability): Review of antivirus update level; Review of antivirus update process used by the party; Review of application whitelisting used by the party; Review use of live operating system and software executable only from read-only media; Review of system hardening used by the party; or Other method(s) to mitigate malicious code. 12

254 Transient Cyber Asset Requirements CIP-010-2, Attachment 1, Section 2: Transient Cyber Asset(s) Managed by a Party Other than the Responsible Entity Part 2.3: For any method used to mitigate software vulnerabilities or malicious code as specified in 2.1 and 2.2, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset. 13

255 Removable Media Requirements CIP-010-2, Attachment 1, Section 3: Removable Media Part 3.1: Removable Media Authorization: For each individual or group of Removable Media, each Responsible Entity shall authorize: Part 3.1.1: Users, either individually or by group or role; and Part 3.1.2: Locations, either individually or by group. 14

256 Removable Media Requirements CIP-010-2, Attachment 1, Section 3: Removable Media Part 3.2: Malicious Code Mitigation: To achieve the objective of mitigating the threat of introducing malicious code to high impact or medium impact BES Cyber Systems and their associated Protected Cyber Assets, each Responsible Entity shall: Part 3.2.1: Use method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System or Protected Cyber Assets; and Part 3.2.2: Mitigate the threat of detected malicious code on Removable Media prior to connecting the Removable Media to a high impact or medium impact BES Cyber System or associated Protected Cyber Assets. 15

257 Expectations at Audit Explicit Requirements Documented plan for managing and protecting Transient Cyber Assets Evidence of implementation of the plan for managing and protecting Transient Cyber Assets that addresses all of the requirements of Sections 1 and 2 of Attachment 1 Documented plan for managing Removable Media Evidence of implementation of the plan for managing Removable Media that addresses all of the requirements of Sections 1 and 2 of Attachment 1 16

258 Expectations at Audit Implied Requirements Evidence that Transient Cyber Assets and Removable Media have been connected for 30 consecutive calendar days or less Record of connection and disconnection Evidence that the Transient Cyber Assets and Removable Media have been utilized as authorized Record of who used the Transient Cyber Asset or Removable Media Record of where the Transient Cyber Asset or Removable Media was used Record of purpose when using Transient Cyber Assets 17

259 Expectations at Audit Implied Requirements Record of Transient Cyber Asset patching if used to mitigate vulnerabilities Record of anti-malware signature file updates if used to mitigate introduction of malware Record of review of Transient Cyber Assets managed by third parties Record of scans or other methods to detect and remove malicious code before introducing Removable Media into the Electronic Security Perimeter 18

260 Helpful Resources NERC Website Links: CIP V5 Transition Home Page CIP V5 Standards and Implementation Plan CIP V5 Transition Guidance CIP V5 Transition Study Lessons Learned Project (Physical Security) CIP CIP Implementation Plan CIP-014 Revisions SAR SPP RE CIP V5 Transition Page 19