Welcome to the CIP Workshop!




Transcription:

Welcome to the CIP Workshop!
Download Materials @ SPP.org -> Regional Entity -> 2015 CIP Workshop
Questions or Comments?
  Email reworkshop@spp.org
  Please wait for a microphone
  Submit via online form on workshop web page (will generate email to staff from anonymous@reworkshop.spp.org)
Meeting Room Wireless
  Select the SWPP2015 network and use password swpp2015

Tuesday, June 2
7:30-8:00 Registration and light breakfast
8:00-8:30 1 - Welcome: Terry Bassham, CEO, KCPL; Ron Ciesiel, General Manager, SPP RE
8:30-9:30 2 - Preparing for a V5 Audit (RSAWS and evidence): Lew Folkerth, Reliability First
9:30-9:45 Break
9:45-10:35 3 - Identifying BES Cyber Systems: Kevin Perry, SPP RE
10:35-10:50 Break
10:50-11:50 4 - Grouping BES Cyber Systems: Laura Cox, Westar; Josh Roper, KCPL
11:50-1:00 Lunch
1:00-2:00 5 - Lessons Learned/FAQ Documents: Tom Hofstetter, NERC
2:00-2:10 Break
2:10-3:10 6 - Virtualization: Jeremy Withers, SPP RE; Tom Hofstetter, NERC
3:10-3:40 Snack and Coffee Break
3:40-4:20 7 - Interactive Remote Access: Shon Austin, SPP RE
4:20-5:00 Open CIP Q&A, all CIP topics welcome!

Wednesday, June 3
7:30-8:00 Registration and light breakfast
8:00-8:10 Welcome
8:10-8:50 8 - External Routable Connectivity: Robert Vaughn, SPP RE
8:50-9:00 Break
9:00-10:00 9 - Low Impact BES Cyber Systems, CIP-003: Steven Keller, SPP RE; Natalie Johnson, David Campbell, ENEL
10:00-10:15 Break
10:15-10:50 10 - Technical Feasibility Exceptions (TFEs): Tom Hofstetter, NERC
10:50-11:20 11 - Transient Devices and Removable Media: Kevin Perry, SPP RE
11:20-11:30 Break
11:30-12:00 Open CIP Q&A, all CIP topics welcome!
12:00-1:00 Lunch

The workshop is followed by the RTO Compliance Forum for members and Registered Entities, which requires separate registration.

CIP v5 RSAWs and Evidence
Lew Folkerth, PE, CISSP, CISA, GCFA
SPP RE CIP Workshop, June 2, 2015

Agenda
RSAWs
  The Role of the RSAW
  Development Overview and Strategy
  Organization and Structure
  Navigation
  Compliance Assessment Approach
  Tips
Evidence
  Policy/Process/Procedure
  Populations
  Sample Sets
  Sampling Strategies
  Applicability
IRA and ICE Considerations
Forward Together ReliabilityFirst

RSAWS

The Role of the RSAW
The RSAW is required in this part only

The Role of the RSAW
How the RSAW is Used
  Before an audit, RSAWs may be used by an entity to organize compliance efforts and prepare for compliance monitoring actions.
  During an audit, RSAWs are used as a tool to organize compliance evidence and to communicate an entity's compliance approach to the audit team.
  During and after an audit, RSAWs are used by audit teams to organize, execute, and document a compliance assessment as part of the Entity Compliance Oversight Plan.

CIP v5 RSAW Development Overview
NERC/Region core development team
  Development began in early 2013
  Draft 1 had extensive evidence requests and guidance
  Based on comments, Draft 2 had evidence requests and most of the guidance removed
Advised by additional Region specialists
Posted four times for industry review/comment
Three meetings with 791 SDT
Final review by NERC legal staff
Final version posted 5/8/2015 for public use

RSAW Development Strategy
One RSAW per Standard
  TFE and CIP Exceptional Circumstance review embedded in the applicable Requirements
One section per Part, rather than one section per Requirement
Minimal guidance included
In most cases, audit review is based on outcomes (actual work performed), rather than documentation

RSAW Structure
General Information
Cover Page
Findings Page
Subject Matter Experts
Page Footer
Additional Information
Repeated for each Requirement:
  Text of Requirement and/or Part
  Question(s), if applicable
  Compliance Narrative
  Evidence Table
  Evidence Reviewed
  Compliance Assessment Approach
  Note(s) to Auditor, if applicable

Cover Page
  Audit Information
  Applicability
  Color Coding

Findings Page

SME List/Page Footer

Requirement and Part
The CIP v5 RSAWs are organized by Part rather than Requirement.
Each part may have different Applicable Systems, and therefore different sample sets.

Questions
Questions may be asked for circumstances beyond those covered in the Compliance Assessment Approach.
In this case, any shared compliance responsibility needs to be communicated to the audit team so the proper review can be performed.

Compliance Narrative
The Compliance Narrative is the place to tell the compliance monitoring team how you approach compliance with this Part.
This may be the most important section of the RSAW.

Evidence Provided

Compliance Assessment Approach

Navigation
  Collapse/Expand
  Select Section

RSAW Compliance Assessment Approach
Types of Review
Documentation Review
  Does the required documentation exist?
  Does the required documentation look reasonable and complete?
Process Evaluation
  Does the process include the required steps?
  Is the process adequate to ensure security?
  Is the process adequate to ensure compliance?
Outcome Verification
  Has the entity performed the compliance tasks required by the Standard?
  Has the entity adequately secured its assets as intended by the Standard?

RSAW Compliance Assessment Approach
Types of Review
Documentation Review
  Does the required documentation exist?
  Does the required documentation look reasonable and complete?
Process Evaluation
  Does the process include the required steps?
  Is the process adequate to ensure security?
  Is the process adequate to ensure compliance?
Outcome Verification
Compliance Audit
  Has the entity performed the compliance tasks required by the Standard?
  Has the entity adequately secured its assets as intended by the Standard?

RSAW Compliance Assessment Approach
Types of Review
Documentation Review
  Does the required documentation exist?
  Does the required documentation look reasonable and complete?
Process Evaluation
  Does the process include the required steps?
  Is the process adequate to ensure security?
  Is the process adequate to ensure compliance?
Outcome Verification
Part of Internal Controls Evaluation
  Has the entity performed the compliance tasks required by the Standard?
  Has the entity adequately secured its assets as intended by the Standard?

RSAW CAA Special Considerations
Proving a Negative
  Review process
  Review implementation of process
  Sample negative results
  Attestation: last resort
  Example: CIP-002-5.1 R1 BES Cyber Assets
Implied Requirements
  Requirements not explicitly stated but implied by the language
  Example: CIP-005-5 R1 Part 1.1 Identification of PCA

Example CAA CIP-005-5 R1 Part 1.1
Process Evaluation
  Verify a process exists for the identification of ESPs.
  Verify the process requires that all applicable Cyber Assets reside within an ESP.
Outcome Verification/Show a Negative
  From the inventory of Cyber Assets associated with one or more high or medium impact BES Cyber Systems, identify all Cyber Assets connected to a network with a routable protocol.
  Verify each of the Cyber Assets is protected by a defined ESP, and that no BES Cyber Assets networked via a routable protocol have been missed.
Outcome Verification/Implied Requirement
  After the ESP is defined, verify the implied requirement of identifying any PCA within the ESP has been completed.

Example CAA CIP-008-5 R1 Part 1.1
Process Evaluation
  Does the Cyber Security Incident response plan contain the required steps?
  A process evaluation is needed since this Requirement does not call for implementation of the plan. That happens in R2.

Example CAA CIP-004 R3 Part 3.3
Process Evaluation
  Does the process contain the required steps?
Documentation Review
  Review documentation that the process was implemented. This may include a review of a redacted personnel risk assessment, or other documentation may be reviewed to verify compliance. This is due to the extremely sensitive nature of the compliance evidence.

Example CAA CIP-007-6 R2 Part 2.3

Example CAA CIP-007-6 R2 Part 2.3
Process Evaluation
  Does the patch management process have the required steps?
  Do the required steps include the creation of mitigation plans with the required elements?

Example CAA CIP-007-6 R2 Part 2.3
Outcome Verification
  Did the patch management process result in systems that are patched as required, or are unpatched systems part of a mitigation plan?
Documentation Review
  Did any mitigation plan include the required elements?

Tips for Using the RSAWs
Avoid unnecessary redundancy: use references where possible; otherwise copy and paste.
If a process applies to an entire Requirement, describe it in one Part and make reference to it elsewhere.
The Compliance Narrative is your best opportunity to tell an audit team how you meet compliance.
Pay attention to any Notes to Auditor. They're meant for you, too.

EVIDENCE

Evidence Overview
Initial Evidence Request
  Sampling Populations (minimal detail)
    BES Cyber Systems
    Cyber Assets
    Assets
    Personnel
    CIP Exceptional Circumstances
    Technical Feasibility Exceptions
  Compliance Documents
    Policy
    Process
    Plan
    Program
    Procedure
Initial Sampling
  Multiple Sample Sets
  Sample set appropriate to Requirement and/or Part
  Evidence specific to each Requirement
  Additional sampling may be advisable

Evidence Types
Compliance Documents
  Policy
  Process
  Plan
  Program
  Procedure
Evidence of Compliance Pertaining to:
  Cyber Assets
  BES Cyber Systems
  Assets
  Personnel
  CIP Exceptional Circumstances
  Technical Feasibility Exceptions

Sampling Overview
Sampling Guideline
  Current Guideline updated September 4, 2013
    http://www.nerc.com/pa/comp/documents/sampling%20methodology%20guidelines%20and%20criteria_pdf.pdf
    References RAT-STATS: http://oig.hhs.gov/compliance/rat-stats/
  New revision in progress
    Will be an Addendum to the ERO Compliance Auditor Handbook
    CIP-specific Addendum is planned by the end of 2015
Sampling Process (greatly simplified)
  Determine sample size
  Choose sampling method
  Select sample

Sample Sets
Expect to see different sample sets, such as:
  High impact BES Cyber Systems
  Cyber Assets of an Applicable System
  Electronic Security Perimeters
  Cyber Assets within a specific set of ESPs
As the sampling methodologies take shape, the development team will attempt to minimize redundancy, but this will be difficult due to the divergent applicability of the Parts of some Requirements.
The following slide demonstrates some of the complexity.

Applicability
Applicability CIP-007-6 (one column per Part): R1.1 R1.2 R2.1 R2.2 R2.3 R2.4 R3.1 R3.2 R3.3 R4.1 R4.2 R4.3 R4.4 R5.1 R5.2 R5.3 R5.4 R5.5 R5.6 R5.7

Cyber Asset   Cyber Asset Type   Member of BES Cyber System   Associated BES Cyber System   Impact Rating   ERC   Number of Applicable Parts
MAINEMS1      BESCA              MAINEMS                                                    H               Y     20
MAINEMS2      BESCA              MAINEMS                                                    H               Y     20
MAINHIS1      PCA                                                                           H                     20
MAINFW1       EACMS                                           MAINEMS                       H                     19
MAINPAC1      PACS                                            MAINEMS                       H                     18
SUB1RTU1      BESCA              SUB1A                                                      M               Y     16
SUB1SEL411    BESCA              SUB1B                                                      M               N     11
SUB1FW1       EACMS                                           SUB1A                         M                     16
SUB1PAC1      PACS                                            SUB1A                         M                     16
SUB1PAC2      PACS                                            SUB1B                         M                     11

As you can see, the number of applicable parts varies widely depending on the type of Cyber Asset under consideration. This will make the sampling process far more complex than that of CIPv3.

IRA and ICE
IRA: Inherent Risk Assessment
  Based on registrations, entity size, compliance history, etc.
  Determines initial scope of compliance assessment
  Provides risk levels to other processes
ICE: Internal Controls Evaluation
  Based on voluntary review of internal controls
  Can affect:
    Scope of compliance assessment
    Depth of compliance assessment (e.g., sample size)
    Frequency of audits

Questions & Answers

Identifying BES Cyber Systems
CIP Compliance Workshop, June 2, 2015
Kevin B. Perry, Director, Critical Infrastructure Protection
kperry.re@spp.org 501.614.3251

Topics
Guidance on Exemption (Section 4.2.3.2)
HVDC Facilities
Control Center Criteria
Criterion 2.1
Criterion 2.5
Criteria 2.3 and 2.6
Audit Considerations

Exemption Section 4.2.3.2
An exemption appears as Section 4.2.3.2 in each of the CIP V5 Standards:
  "Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters."
Works well if there are two discrete Electronic Security Perimeters (ESPs)
Doesn't work so well if there is only one (or no) ESP
Also a cart-before-the-horse issue
  Must identify BES Cyber Systems before identifying ESP

Exemption Section 4.2.3.2
Communication/networking Cyber Assets are not automatically exempt from the CIP V5 Standards
How do you know what is in, and what is out?
You need a proxy for the ESP as you identify BES Cyber Assets and group them into BES Cyber Systems
Recently released NERC Guidance Memorandum introduces the concept of a demarcation point
  Can also serve as the ESP proxy

Exemption Section 4.2.3.2
[Diagram: Control Center and Substation, each with an ESP and a Proxy ESP; possible demarcation points (Demarc) marked on each side; the portion between them labelled Exempt]

Exemption Section 4.2.3.2
[Diagram: Control Center and Substation with ESP, Proxy ESP, Demarc and Exempt labels; possible demarcation points]

HVDC Facilities
The Impact Rating Criteria are focused on Facilities operated at AC (alternating current) voltages
The Guidelines and Technical Basis section of CIP-002-5.1 is silent on the issue of DC (direct current) Facilities
So, how does a Registered Entity apply the Impact Rating Criteria to HVDC Facilities?
  AC Voltage is phase to phase
  HVDC circuits do not have phases, but they have poles
  The pole-to-pole/return voltage differential can be used as a substitute for phase-to-phase AC voltages

HVDC Facilities
For bi-pole circuits, the pole-to-pole current differential is the effective voltage for the purposes of the Criteria
  A bi-pole DC circuit operated at +/- 250 kV would be treated as a 500 kV Facility
For monopole with earth return circuits or for symmetrical monopole circuits, the circuit voltage rating is the effective voltage
If a circuit can be operated in monopole or bi-pole mode, the effective voltage is the bi-pole current differential

HVDC Facilities
Back-to-Back converter stations are treated the same as bi-pole HVDC Transmission lines
Multi-terminal systems (two converter stations linked by HVDC Transmission lines) are treated at the same voltage as the HVDC Transmission line

Control Center Criteria
Control Center Definition: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.
The facility must meet the definition of Control Center for the Impact Rating Criteria to apply
Look carefully at your generator operations

Control Center Criteria
The Impact Rating Criteria is applicable to Control Centers performing the functional obligations of a Reliability Coordinator, Balancing Authority, Transmission Operator, or Generator Operator
The Registered Entity does not need to be registered as a RC, BA, TOP, or GOP to have a Control Center performing the functional obligations of one of those registrations
BES Cyber Systems associated with the Control Center must be used by the Control Center and also must be located at the Control Center

Criterion 2.1
Applies to generating plants, not individual generating units
The plant must have an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection
The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection

Criterion 2.1
It is possible to have a plant exceeding the 1500 MW threshold yet have only Low Impact BES Cyber Systems
  Plant control systems can be segregated in such a manner that there are no shared systems exceeding the 1500 MW threshold
  Many BES Cyber Systems can be configured to stay below the 1500 MW threshold
At audit, be prepared to demonstrate how the plant systems and networks are configured to assure the segregation

Criterion 2.5
Applies to Transmission stations and substations operated between 200 and 499 kV
Additional qualifiers:
  The station or substation must be connected at 200 kV, or higher voltages, to three or more other Transmission stations or substations
  The combination of Transmission lines yields an "aggregate weighted value" exceeding 3000
BES Cyber Systems associated with any Facility (high or low side) operated at 200 to 499 kV are Medium impacting

Criterion 2.5
For a Transmission line to be considered a Transmission Facility and included in the Impact Rating Criterion 2.5 calculation, the line must be used for network flow of the Bulk Electric System and connected to another Transmission station or substation
  A radial line is not a Transmission line
  A generator lead line is the line at any voltage between the generator and the first connected substation where Transmission lines are present; it is not a Transmission line

Criterion 2.5
The Criterion applies even if the high side of the station or substation is operated at 500 kV or above
  Applies to the 345 kV side of a 500/345 kV substation, but only if the substation meets the Criteria 2.5 qualifying characteristics
  It is possible to have a 500/345 kV substation where BES Cyber Systems associated with the 500 kV Facilities are Medium impacting but the BES Cyber Systems associated with the 345 kV Facilities are Low impacting

Criteria 2.3 and 2.6
The Reliability Coordinator, Planning Coordinator, or Transmission Planner designates the generation or Transmission facility with impact
The registered entity is responsible for identifying BES Cyber Systems associated with the identified Facility
All associated BES Cyber Systems are Medium Impact
  Segregation of control systems in a generating plant will not reduce the impact categorization
  BES Transmission Facilities operated below 200 kV are not exempt

Audit Considerations
Explicit requirements in CIP-002-5.1:
  List of High and Medium Impact BES Cyber Systems
  List of assets containing a Low Impact BES Cyber System
Additional requirement:
  Every Cyber Asset satisfying the definition of BES Cyber Asset must be a member of at least one BES Cyber System
And while we are on the subject:
  You can group BES Cyber Assets into BES Cyber Systems differently on a requirement by requirement basis

Audit Considerations
You will need to show your work
  Demonstrate that every BES Cyber Asset has been identified
  Be prepared to demonstrate why a Cyber Asset is not a BES Cyber Asset
  Demonstrate that every BES Cyber Asset is a member of at least one BES Cyber System
  If you regroup based on requirement, demonstrate that every BES Cyber Asset is accounted for in each regrouping
Compliance means more than just producing two lists

Helpful Resources
NERC Website Links:
  CIP V5 Transition Home Page
  CIP V5 Standards and Implementation Plan
  CIP V5 Transition Guidance
  CIP V5 Transition Study Lessons Learned
  Project 2014-04 (Physical Security)
  CIP-014-1
  CIP-014-1 Implementation Plan
  CIP-014 Revisions SAR
SPP RE CIP V5 Transition Page

SPP RE CIP Team
Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251
Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273
Steven Keller, Lead Compliance Specialist-CIP, (501) 688-1633
Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676
Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301

Kansas City Power & Light
CIP 002-5 and Grouping BES Cyber Systems
Board of Directors Meeting - February 11, 2014 CONFIDENTIAL RESTRICTED

KCP&L Overview
More than 830,800 customers
Approximately 6600 MW of Generation
Service Territory
Customer Base
  Residences: 730,800
  Commercial Firms: 97,400
  Industrial and Other: 2,600
Diverse Generation Mix
  Coal: 85%
  Nuclear: 12%
  Natural Gas and Oil: 1%
  Wind: 2%

KCP&L CIP v5 Sites in Scope
Multiple High Control Centers
  Backup Control Centers
  Associated data centers
A Single Medium generating station
  Two generators which combined meet the 1500 MW threshold
5-10 Medium Substations
Possibly 3 Low Control Centers
  We are examining the usefulness of the Cyber Systems that create the low control centers, may remove them to lower the potential impact to the BES of any issues
Scores of low generating stations and substations

Step 1: Workshop Based Approach
Top Down vs. Bottom Up vs. Hybrid
Generation, T&D, and IT Representatives
  Break the silos
  Share perspectives and experience
Skilled Facilitator
  Impartial!
  Must know the language and translate between groups
  Must ask the probing questions that elicit more information

Process Overview
[Diagram: Documented, Annual, Repeatable, Evidenced; Top Down and Bottom Up]

Purpose of the Workshops: Find the Facilities and Ratings
Primary Goals:
  Create a list of facilities that meet the BES definition
  Determine the facility impact rating
    **Special Note** You are prequalifying the systems at the facility; the facility doesn't have an impact rating, the BES Cyber Systems do
  Document why the rating is appropriate
How to do it:
  1. Before the workshop, ask the IT, T&D, and Generation asset owners to create and bring an inventory of all facilities to the workshop
  2. Using the inventory, apply the BES definition to each facility
  3. For BES sites, use the Bright Line Criteria to define impact rating
  4. Focus on identifying the High and Medium impact sites
The why is important: can we make changes to modify (reduce) the BES Cyber System's impact to the BES if an issue occurs?

Sample Applicability

Sample Facility Impact

Purpose of the Workshops: Find the Cyber Systems
Top Down Approach
Identify Cyber Systems supporting the facilities
  Ask a lot of questions about day to day operations
  Follow up on extraordinary circumstances
  Listen for key words
Create system clouds (buckets)
  Get the buckets of systems identified
  Refer to the CIP v3 guidance document for identifying essential systems
  Eliminate redundancies
  Ensure common language
  One cloud needs to be a low system general cloud
Examine the system clouds based on the BROS

Identification of BES Cyber Systems

Grouping By Function - Generation
  DCS
  Coal Handling System
  Water Purification
  General Plant Support

Results of Assessment
Columns: BROS | GO BES Cyber System | 15 Minute Impact (Y/N) | Externally Routable (Y/N)
Dynamic Response DCS Relays Generator Controls Turbine Controls Y N N N Y N Y Y Balancing Load & DCS Y Y Generation Controlling Frequency DCS Turbine Controls Y N Y Y Controlling Voltage DCS Relays Generator Controls Managing Constraints Monitoring and Control Restoration Situation Awareness Inter-Entity Coordination DCS Y Y Y N N Y N Y

Step 2: Perform an Inventory
Bottom Up Approach
Primary Goals:
  Create a comprehensive CIP inventory of each facility's assets
How to do it:
  Have an inventory tracking system/process defined before you even start
  Don't underestimate how complicated this really is
  You need everyone with Cyber Assets at the facility to attend the inventory
  Use a labeling system (if you don't have one) to assist in tracking
  Don't bring the system clouds to the inventory
  If definitions shift (PED), it will cause rework in this and subsequent steps

Inventory Label Example 14

New Asset Entry Division Generation Request Type New Asset Unique ID Host Name Gen-##### #%$#%$#%$#% CIP Location Generator 1 Cyber System Generator DCS ESP PSP Main Gen ESP 1 PSP Gen 2 Operating System Controller OS Physical Location Details $(*&^#$(*&(#$ Manufacturer Good Manufacturer Type of Device Controller Owning Department Generation Model Number #$(&^#$(*& Serial Number Firmware $(*#&(#*$& OS 6.8 CONTROLLER 3.5.1 15

Step 3: Assign Cyber Assets to System Clouds (Hybrid approach)
Primary Goals:
- Every Cyber Asset assigned to a cloud
How to do it:
- Assign every Cyber Asset to a system cloud
- If the Cyber Asset doesn't fit in an established system cloud:
  - Create a new system cloud
  - Determine that it is a low asset and assign it to the low system cloud

Grouping By Function - Generation
- Controls
- Coal Handling System
- Water Purification
- General Plant Support

Step 4: Create BES Cyber Systems
Primary Goals:
- BES Cyber Systems are created
How to do it:
- Determine the high watermark of the Cyber Assets in the cloud
- Examine the cloud for potential breakdown into sub-clouds
  - Balance the high watermark against the Cyber Assets in the cloud
  - If there is too much diversity in the system, separate clouds may make sense
- Examine the clouds for potential consolidation
  - Similar systems, in multiple clouds, with similar watermarks, with similar functions could be put together

[Diagram: Controls Cloud, shown alongside the Distributed Controls System and Air Quality Controls. Device labels: OSC, Router, NIDS, DMZ Switch, PLC, PED, Terminal 1-2, Workstation 1-3.]

Specific Tools and Processes
- Microsoft System Center: long term solution for MCDL, Asset Inventory, Configuration Inventory, and change management for those functions
- SharePoint / AgilePoint Platform: interim solution for Asset Inventory, needed to keep CIP-002 moving forward while MSC is being configured
- Industrial Defender: receives logs, configuration monitoring
- Nexpose Scanners: scan the network for many things
- Tripwire: used for log examination

Creating BES Systems: Special Considerations
- How can we ensure every asset was found?
  - Extensive Inventory work: T&D, Generation, and IT
  - Extensive inventory procedure created and followed to ensure every device is accounted for (walk the room, walk the racks, walk each shelf)
- How can we ensure every asset is in a BES Cyber System?
  - Inventory/Change Management tools require a selection from a preapproved BES Cyber System list to input an asset in the Master CIP Device List
  - Internal Controls used to guarantee accuracy
  - Clear communication and training for all employees
  - System controls: notify when Cyber Assets are added to the network
    - EMS: Nexpose Scanner, Industrial Defender, Tripwire
    - Generation: Industrial Defender
- Apply the 15 minute rule to Cyber Systems, but you should also apply the 15 minute rule to each device to aid in subdividing the clouds
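The checks described in Steps 3 and 4 and on this slide can be automated against the device list. The following is an added example, not the presenters' tooling: the inventory rows, the discovery output, the asset IDs and the per-device rating rule (15 minute impact takes the facility rating, otherwise Low) are constructed assumptions.

```python
from collections import defaultdict

RANK = {"Low": 0, "Medium": 1, "High": 2}

# Pre-approved BES Cyber System list (cloud names as used on the slides).
APPROVED_SYSTEMS = {"DCS", "Coal Handling System", "Water Purification",
                    "General Plant Support"}

# Constructed Master CIP Device List rows:
# (unique ID, device type, assigned cloud, adverse impact within 15 minutes?)
INVENTORY = [
    ("Gen-00001", "Controller",  "DCS",                  True),
    ("Gen-00002", "Workstation", "DCS",                  True),
    ("Gen-00003", "Printer",     "DCS",                  False),
    ("Gen-00004", "PLC",         "Coal Handling System", False),
    ("Gen-00005", "PLC",         "Water Purification",   False),
    ("Gen-00006", "Workstation", "",                     False),  # never assigned
    ("Gen-00007", "Terminal",    "Air Quality",          True),   # cloud not on the list
]

# Constructed output of a discovery tool: unique IDs seen on the network.
DISCOVERED = {"Gen-00001", "Gen-00002", "Gen-00003", "Gen-00004", "Gen-00099"}


def asset_rating(impact_15min, facility_rating):
    """Assumed rule: a device with 15 minute impact takes the facility's
    rating, every other device is Low."""
    return facility_rating if impact_15min else "Low"


def review_inventory(inventory, approved, discovered, facility_rating):
    """Return the four findings a reviewer would act on."""
    clouds = defaultdict(list)
    unassigned = []
    for uid, _device_type, cloud, impact in inventory:
        if cloud not in approved:          # blank or not pre-approved
            unassigned.append(uid)
            continue
        clouds[cloud].append((uid, asset_rating(impact, facility_rating)))

    watermarks, split_candidates = {}, {}
    for cloud, members in clouds.items():
        # High watermark: the highest rating of any device in the cloud.
        high = max((rating for _, rating in members), key=RANK.__getitem__)
        watermarks[cloud] = high
        # Devices rated below the watermark show diversity in the cloud and
        # are candidates for a sub-cloud.
        below = sorted(uid for uid, rating in members if RANK[rating] < RANK[high])
        if below:
            split_candidates[cloud] = below

    tracked = {row[0] for row in inventory}
    return {
        "unassigned": sorted(unassigned),
        "untracked": sorted(discovered - tracked),  # on the network, not in the list
        "watermarks": watermarks,
        "split_candidates": split_candidates,
    }


if __name__ == "__main__":
    result = review_inventory(INVENTORY, APPROVED_SYSTEMS, DISCOVERED, "Medium")
    for finding, value in result.items():
        print(finding, value)
```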

Creating BES Systems: Special Considerations
- Does the environment change the pros and cons of BES Cyber System creation?
  - BES Cyber System creation should consider the function and all capabilities of the Cyber Systems, and also the operational support and management of the Cyber Systems
- Creating BES Cyber Systems differently for different standards?
  - CIP v5 is too complex for us to try this
  - Benefit to reliability or security isn't clear
- Removing PCA assets from Electronic Security Perimeters?
  - DMZ or CAFE environments
- Don't leave the front line guessing!
- Corporate Goals for CIP Program:
  - Mandatory process/procedure alignment
  - Mandatory evidence artifact alignment
  - Mandatory tool alignment, unless tools must vary due to environment differences

Creating BES Systems: Special Considerations
External Routable Connectivity
- External routable connectivity can drive system separations
- Separating ERC Cyber Systems from non-ERC Cyber Systems is helpful, non-ERC Cyber Systems outside the ESP holding ERC Cyber Systems will have smaller surface areas to attack and can solve operational and compliance issues, especially in the Generation environment
- Systems without ERC don't need:
  - Electronic Security Perimeters
  - Physical Security Perimeters
  - Personal Risk Assessments
  - Training Requirement Removed (Security Awareness Training stays)
- If you have Cyber Systems with and without ERC, you can use the same processes (meet the higher ERC level requirements), but you don't have to manage the employees around the non-ERC system the same way

Generation Cyber System Creation 1
What's in Scope
- One Medium Generating Station with routable connectivity
- Two units, both must be affected to reach 1500 MW threshold
System Creation
- DCS is the only in-scope Cyber System
- Dividing the DCS wasn't an option due to mechanical configuration of equipment at the site
- We could have tried some odd things to affect parts of DCS, but would have potentially lowered unit reliability and security
- Strategic decisions to move PCAs into a DMZ or CAFÉ environment are still being made
- Clear goal to move as many PCAs as possible out of the ESP
- Firewall rule headaches versus PCA requirements need to be balanced
- PED tracking
- Blanket Statements?

Generation Cyber System Creation 2
Asset Tracking
- Inventory, Asset Labeling
- Industrial Defender will let us know if the process isn't followed (if an ID client is installed as part of commissioning process)
- Front line personnel performing changes trained and entering change information
- AgilePoint / SharePoint, moving to Microsoft System Center when the system is ready
Special Considerations
- PED definition clarification won't affect the plant Cyber Systems, no PEDs or groups of PEDs affect both units
- Generating environment poses unique challenges
  - Outages and Summer operations tie up a lot of resources
  - Sprawling environment creates a lot of tracking issues
  - Confined environments in buildings make PSP creation difficult
  - Managing contractors and PSPs will be difficult during outages
  - Scanning the DCS would probably trip the units, creates unique challenges for tool selection
  - Network latency issues

[Network diagram: Ovation ESP. Labels shown include Corporate Firewall, A&B LAN, GPS Antenna and GPS Clock, OSC Router (Access Point), Ovation Core Network Switch, NIDS, Ovation Security Network, Unit 1 and Unit 2 Ovation Data Highway, ID NAS, terminal and printer drops, DMZ Switch, Ovation DMZ Router, DMZ Network, Jump Host 1, Logging Mgmt Server, Pi Server.]

Transmission & Distribution Cyber System Creation 1
What's in Scope?
- 5-10 Medium Substations
- No external routable connectivity
Cyber System Creation
- Each substation's systems stand alone
- Functionally, this made the most sense to us, eases management of the Cyber Assets/Cyber Systems
- Approximately 5 BES Cyber Systems per substation, all medium, functional and management considerations drove system creation
  - Protective Relays: logical to group together
  - RTUs: stand alone due to their criticality
  - Communication: radio, telecom, microwave (all serial)
  - Metering: meters for AGC
  - Security: cameras, badge readers, etc.

Transmission & Distribution Cyber System Creation 2
Asset Tracking
- Inventory, asset labeling
- Manual notification to T&D compliance support when update is needed, manual entry of update into tracking system
- SharePoint / AgilePoint Platform, moving to Microsoft System Center when the system is ready
Special Considerations
- Removing nonessential systems from the ESPs is still a primary concern, lowers the potential attack surface and increases security
- PED inventory completed before PED definition was clarified to include configurable devices, rework was necessary
  - Previous understanding was microprocessor based relays only
  - Now solid state and electromechanical relays are in scope
  - Inventory workload estimated to triple from the clarification
- Integration with WMS would be ideal, but we aren't using a large WMS right now

IT Control Centers 1
What's in Scope?
- High
- Generation and T&D control centers, backup control centers, data centers
Cyber System Creation
- EMS is our High Impact Cyber System
- CIP version 3 in-scope Cyber Assets / Cyber System
- New EMS install is finishing now, planning for v5 informed design
- Design focused on removing as many PCAs from ESP as possible
- One large ESP for the entire environment, help meet CIP 005-3, R1.3
- Utilizing encryption between physical locations creates one ESP to satisfy the requirement in CIP 005-3, R1.3
- Potential issues protecting communications links
- KCPL avoids issues protecting 3rd party communication links b/c we own the fiber between the PSPs, no PEDs outside of PSPs

IT Control Centers 2
Asset Tracking
- Inventory, Asset Labeling, Regular Inventory Checks
- Industrial Defender, Nexpose, Tripwire will let us know if the process isn't followed
- Front line personnel performing changes trained and entering change information, approval goes through QA personnel
- Microsoft System Center
Special Considerations
- PED definition clarification hasn't affected the EMS environment, Cyber Asset that could have been affected already had Ethernet and was in ESP
- All physical hardware in the ESP, virtualization in CAFE and DMZ
- PI wasn't an issue because we are using a Cronus application
- Leave scanning tools in the ESP, otherwise causes firewall issues
- Move the management consoles to CAFE or DMZ

EMS ESP

Questions

2015 SPP RE CIP Workshop Grouping BES Cyber Systems June 2, 2015 Taking Reliability to heart.

Westar's High and Medium Scope
HIGH
- Control Centers (2) and associated Data Centers: Primary and Backup
MEDIUM
- Generation Facility
- Substations (12): Without External Routable Connectivity

BES Cyber Systems: Control Centers
Functional approach
5 BES Cyber Systems
- SCADA
- Network Infrastructure
- SCADA Configuration
- ICCP Server
- Infrastructure Support
2015 SPP RE SPRING WORKSHOP

Generation BES Cyber Systems
System Approach
- Ovation
- Composer
- DCS
- Soot Blowing Air Compressor (SBAC)

Substation BES Cyber Systems
- BES Cyber Assets without External Routable Connectivity
- Location specific
- All BES Cyber Assets at each substation will be in one BCS

Associated Evidence
EMS System
BES Cyber System Impact Rating: High
Enter: 1 = True, 0 = False
Column headings, in order: BES Cyber Systems and Cyber Assets | System Supports a BES Reliability Operating Service (BROS)? | BES Cyber Systems (BCS) Status | In ESP? | In PSP? | PCA Status? | Physical Access Control System PACS? | Monitoring & Control
SCADA System | 1 | BCS | 1 | 1 | No | 0 | 0
Network Infrastructure | 1 | BCS | 1 | 1 | No | 0 | 0
SCADA Configuration | 1 | BCS | 1 | 1 | No | 0 | 0
ICCP Server | 1 | BCS | 1 | 1 | No | 0 | 0
Infrastructure Support | 1 | BCS | 1 | 1 | No | 0 | 0

Associated Evidence
R1.2 Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset
Generation IT & I&C
BES Cyber System Impact Rating: Medium/Low
Enter: 1 = True, 0 = False
Column headings, in order: BES Cyber Systems and Cyber Assets | System Supports a BES Reliability Operating Service (BROS)? | BES Cyber Systems (BCS) Status | In ESP? | In PSP? | PCA Status? | Physical Access Control System PACS? | Monitoring & Control | Adverse Impact in <15 min?
Bentley | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low
PI | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low
Ovation (HMI) | 1 | BCS | 1 | 1 | No | 0 | 0 | Yes | Medium
InfiNet (DCS) | 1 | BCS | 1 | 1 | No | 0 | 0 | Yes | Medium
H20 | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low
FIS | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low
NNET | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low
Composer | 1 | BCS | 1 | 1 | No | 0 | 0 | Yes | Medium
SBAC | 1 | BCS | 1 | 1 | No | 0 | 0 | Yes | Medium
DBDoc | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low
Coal Handling | 1 | BCS | 1 | 1 | No | 0 | 0 | No | Low

Factors to Consider when grouping
- Location
- Connectivity (Routable vs. Nonroutable)
- BES Cyber Assets that serve a common function of protecting the BES
- BES Cyber Assets that are subject to the same software patching requirement.
- BES Cyber Assets that share the same impact rating.

Questions
Laura.Cox@westarenergy.com
785.575.8290

CIP Version 5 Transition Program Lessons Learned & FAQs Tom Hofstetter, CIP Auditor June 2, 2015

Disclaimer
- Not speaking for the Commission, for NERC, for SPP-RE, etc.
- These are dynamic issues, so content, descriptions, and musings may be an educated guess about who's responsible, what it is, where it's going, when it's likely, why it's needed, or how it's done
- Any perceived guidance on specific approaches for implementing the CIP V5 Standards is unintentional
  o compliance is dependent on how it is implemented
  o there may be other ways to comply with the Standards that are not discussed
- I focus on system-wide TFE issues; details typically can be addressed by the Region
RELIABILITY ACCOUNTABILITY

Lessons Learned and FAQs
Column headings: Topic | Lesson Learned or FAQ | Date Posted for Stakeholder Comment
Generation Segmentation | Lesson Learned | October 23, 2014
Far-End Relay | Lesson Learned | October 23, 2014
BES Impact of Transmission Scheduling Systems | FAQ | April 24, 2015
Grouping of BES Cyber Systems | Lesson Learned | March 2, 2015
Shared Equipment at a Substation | FAQ | April 1, 2015
Virtualization | Lesson Learned | April 17, 2015
Intrusion Detection Systems | FAQ | April 30, 2015
Interactive Remote Access | Lesson Learned | January 8, 2015
Mixed Trust EACMS | Lesson Learned | January 8, 2015
Multiple Physical Access Controls | FAQ | April 1, 2015
Protecting Physical Ports | FAQ | April 1, 2015
Identifying Sources of Patch Management | FAQ | April 30, 2015
Mitigating Threat of Detected Malicious Code | FAQ | November 25, 2014
Vulnerability Testing of Physical Access Controls | FAQ | April 1, 2015
At a glance:
- 23 original topics
- 50 FAQs
- 7 LLs
- 57 topics via Section 11
- 5 issues addressed by NERC

Lessons Learned & FAQ
- Document effective approaches to implementation or compliance
- Suggestions on how to comply
- Somewhat prescriptive but not binding
- Uses industry comment and vetting approach

Guidance: Effective Approaches to Comply
Section 11 Guidance Development Process

NERC Communications
- Used when question is not about approaches to implementation nor compliance
- Rather, used to address questions regarding the meaning of a particular requirement or term
- Defers to Standard Drafting Team portions of the record:
  - Guidelines and Technical Basis
  - Comment responses
- Issued April 21, 2015

Status
- Far-end Relay
- Generation Segmentation
- Mixed Trust EACMs
- Interactive Remote Access
- Grouping of BES Cyber Systems
- Virtualization (Networks and Servers)
- 3rd Party Notifications of medium impact assets*
- Generation Interconnection*
- Programmable Electronic Devices*
- Serial Devices that are accessed remotely*
- Network devices as BES Cyber Systems*
- Control Centers operated by TOs and non-registered BAs*
- General FAQs
* Not Issued as Lessons Learned or FAQ

What's Trending with CIP V5 Transition
Far-end Relay (AKA Transfer-Trip)
Status: Approved by Standards Committee and Posted as Final.
- The far-end relay does not automatically inherit a Medium impact categorization if the near-end substation satisfies the qualifications of Criterion 2.5.

What's Trending with CIP V5 Transition
Generation Segmentation
Status: Approved by Standards Committee and Posted as Final.
- BES Cyber Systems associated with a generating plant in excess of 1500 MW Net Real Power Capability can be segmented such that there are no Medium impacting BES Cyber Systems.
- Includes a discussion of evidence required to demonstrate sufficient segregation.

What's Trending with CIP V5 Transition
Mixed Trust Electronic Access Control or Monitoring Systems
Status: Addressing industry comments
- The issue is whether corporate resources (Active Directory servers, remote access authentication servers, log servers, Intrusion Detection Systems, etc.) supporting both corporate and Electronic Security Perimeter access control are Electronic Access Control or Monitoring Systems.
- Current position is that if the Cyber Asset is providing electronic access control or monitoring support to the CIP environment, the Cyber Asset is an EACMS for the purposes of CIP compliance.

What's Trending with CIP V5 Transition
Interactive Remote Access (Scripts and Management Consoles)
Status: Addressing industry comments
- Provide guidance on implementing security controls for the use of Interactive Remote Access.
- Open question is whether scripts under programmatic control and actions performed by management consoles constitute Interactive Remote Access.

What's Trending with CIP V5 Transition
Grouping of BES Cyber Systems
Status: Addressing industry comments
- Purpose is to describe useful methods to group BES Cyber Assets into BES Cyber Systems (BCS).

What's Trending with CIP V5 Transition
3rd Party Notifications of medium impact assets
Status: Issued as a NERC Communication and not a Lessons Learned
- For IRC 2.3 and 2.6
- Reliability Coordinator, Planning Coordinator, or Transmission Planner addresses the Facility (generation or transmission)
- The asset owning registered entity must then determine which BES Cyber Assets or BES Cyber Systems support the identified Facility

What's Trending with CIP V5 Transition
Generation Interconnection (IRC 2.5)
Status: Issued as a NERC Communication and not a Lessons Learned
- The question is whether the line (sometimes referred to as the generator lead line) operated at transmission voltages between a generating plant and a transmission substation is a Transmission Facility for the purposes of the CIP-002-5 Impact Rating Criteria.
- Position is that, for a transmission line to be considered a Transmission Facility and included in the Criterion 2.5 calculation, the line must be used for network flow of the Bulk Electric System and connected to another Transmission station or substation.

What's Trending with CIP V5 Transition
Programmable Electronic Devices (PED)
Status: Issued as a NERC Communication and not a Lessons Learned
- Went back to the official record of the Standard Drafting Team and determined that questions raised were already addressed
- Programmable electronic device (PED): Is an electronic device which can execute a sequence of instructions loaded to it through software or firmware, and configuration of an electronic device is included in programmable. - SDT Considerations of for V5 Posting

What's Trending with CIP V5 Transition
Virtualization (Networks and Servers)
Status: To be issued as a Lessons Learned
- The concern with virtualization is when there is a mixed trust environment
- The standards do not do a good job of addressing the technology
- For virtual servers where a mixed trust environment is being used there will be a lot of scrutiny of security controls in place
- For networks using mixed trust will need to see that the appropriate Electronic Access Point Controls are in place for the device

What's Trending with CIP V5 Transition
Serial Devices that are accessed remotely
Status: Issued as a NERC Communication and not a Lessons Learned
- ERC definition: ability to access
- The position is that terminal server/gateways that are connected using external routable connectivity with serial devices on the back end, and that perform no application-level processing are external routable connectivity all the way to the serial device.
- They must be within an ESP and have protection of an Electronic Access Point.

What's Trending with CIP V5 Transition
Serial devices with ERC:
- Use a dumb converter (e.g., a terminal server)
- No application-level processing or proxying of traffic
- Data passed from routable connection to serial connection with no application-level processing
- Require an EACMS

What's Trending with CIP V5 Transition
Serial devices without ERC:
- Use application proxy converter (e.g., a data concentrator or application gateway)
- Application or protocol break between routable network and serial device
- Data passes through application-level filtering or conversion
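The position on the three serial-device slides above amounts to a reachability rule, sketched here as an added example that is not NERC's or the presenter's material. The topology, node names and the `app_processing` flag are constructed assumptions: a converter with no application-level processing is treated as transparent, and an application proxy ends the routable path.

```python
from collections import deque

# Constructed substation topology. "app_processing" marks a converter that
# applies application-level filtering or conversion (a protocol break).
NODES = {
    "wan-router": {"kind": "routable", "external": True},
    "sub-switch": {"kind": "routable", "external": False},
    "ts-1":       {"kind": "converter", "app_processing": False},  # terminal server
    "dc-1":       {"kind": "converter", "app_processing": True},   # data concentrator
    "relay-a":    {"kind": "serial", "in_esp": False},
    "relay-b":    {"kind": "serial", "in_esp": True},
    "rtu-c":      {"kind": "serial", "in_esp": False},
    "meter-d":    {"kind": "serial", "in_esp": False},
}
LINKS = [
    ("wan-router", "sub-switch"),
    ("sub-switch", "ts-1"), ("sub-switch", "dc-1"),
    ("ts-1", "relay-a"), ("ts-1", "relay-b"),
    ("dc-1", "rtu-c"),
    ("dc-1", "meter-d"), ("ts-1", "meter-d"),  # wired to both converters
]


def classify_serial_devices(nodes, links):
    """Walk outward from externally routable nodes and report which serial
    devices end up with ERC under the slides' position."""
    neighbours = {name: set() for name in nodes}
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)

    start = [name for name, attrs in nodes.items() if attrs.get("external")]
    seen, queue, erc = set(start), deque(start), set()
    while queue:
        current = queue.popleft()
        for nxt in neighbours[current]:
            if nxt in seen:
                continue
            seen.add(nxt)
            attrs = nodes[nxt]
            if attrs["kind"] == "serial":
                erc.add(nxt)          # reached without a protocol break
            elif attrs["kind"] == "converter" and attrs["app_processing"]:
                continue              # application proxy: path stops here
            else:
                queue.append(nxt)     # routable hop or transparent converter

    serial = {name for name, attrs in nodes.items() if attrs["kind"] == "serial"}
    return {
        "erc": sorted(erc),
        "no_erc": sorted(serial - erc),
        # ERC devices the inventory places outside any ESP need follow-up.
        "erc_outside_esp": sorted(d for d in erc if not nodes[d]["in_esp"]),
    }


if __name__ == "__main__":
    for finding, devices in classify_serial_devices(NODES, LINKS).items():
        print(finding, devices)
```

A device wired to both converter types (`meter-d` here) counts as having ERC, because one transparent path is enough.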

What's Trending with CIP V5 Transition
Network Devices and BES Cyber Systems
Status: Issued as a NERC Communication and not a Lessons Learned
- Exclusion: Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
- Network devices can be considered BCAs based on the BCA definition, especially if inside ESPs
- ERO will use discretion to exempt any Cyber Assets associated with non-routable communication networks/links that would be exempt if they were routable communication between discrete ESPs

What's Trending with CIP V5 Transition
Control Centers operated by TOs and non-registered BAs
Status: Issued as a NERC Communication and not a Lessons Learned
- High Impact Rating (H)
  o 1.3 Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10.
- Medium Impact Rating (M)
  o 2.12. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above.

What's Trending with CIP V5 Transition
Control Centers operated by TOs and non-registered BAs
- Went back to the official record of the Standard Drafting Team and determined it was clearly addressed that the SDT intent was the functions you are performing and not how you are registered.

What's Trending with CIP V5 Transition
General Frequently Asked Questions (FAQs)
- 3 are already posted on the V5 Transition Program page on the NERC web site as Technical FAQs
- 34 FAQs were posted for industry comment April 2 with comments due by May 15.
- More FAQs posted May 1; comments due June 15

References
CIP Version 5 Transition page: http://www.nerc.com/pa/ci/pages/transition-program.aspx

Questions Tom Hofstetter, CISA, CISSP CIP Compliance Auditor tom.hofstetter@nerc.net

Virtualization and CIP Compliance June 2, 2015 Jeremy Withers, CISSP, Security+, Network+, CISA Senior Compliance Specialist CIP 501-688-1676 jwithers.re@spp.org

What is Virtualization?
- The simulation of the software and/or hardware upon which other software runs.
- Virtualization refers to the creation of a virtual, as opposed to an actual (or physical), computer hardware platform, storage device, or computer network resources.

Pros and Cons of Virtualization
Pros
- Lower overall costs
- Efficient resource utilization
- Redundancy
- Energy efficiency savings
Cons
- High upfront costs
- Server sprawls

Audit Approach
- Auditors will treat virtual assets the same as physical assets.
- Evidence of compliance will be virtually the same.

Virtual Server Example

Virtualization and CIP Compliance
CIP-002-5.1 BES Cyber System Identification
- Medium Impact BES Cyber System
  - DAC1: BES Cyber Asset
  - DAC2: BES Cyber Asset
  - HIS: Protected Cyber Asset
    - Does not have 15 minute impact on reliability
  - Host machine/hypervisor: BES Cyber Asset
    - Host machine/hypervisor must inherit the impact categorization as the highest impacting BES Cyber Asset that can run on that Host Machine

Virtualization and CIP Compliance
CIP-004-5.1 Personnel and Training
- Personnel with access to any portion of the virtual server must be properly trained
- Personnel with access to any portion of the virtual server must have Personnel Risk Assessments performed
CIP-005-5 Electronic Security Perimeter(s)
- The Host Machine/Hypervisor, Guest Machines, and all network connectivity must fully reside within an Electronic Security Perimeter (ESP)

Virtualization and CIP Compliance
CIP-006-5 Physical Security of BES Cyber Systems
- The Host machine/hypervisor must be physically protected
CIP-007-5 System Security Management
- The need for the enabled listening ports must be documented for the Host machine/hypervisor and all guest machines
- Patches must be evaluated for the Host/Hypervisor and all guest machines

Virtualization and CIP Compliance
CIP-009-5 Recovery Plans for BES Cyber Systems
- Build and restore procedures for Host machine/hypervisor and guests
CIP-010-1 Configuration Change Management and Vulnerability Assessments
- Baseline documentation for Host machine/hypervisor and guests
- Virtualization may be used as a testing environment
- Conduct a vulnerability assessment on Host machine/hypervisor and guests

Virtual Local Area Network Example

Virtualization and CIP Compliance
CIP-002-5.1 BES Cyber System Identification
- Medium Impact BES Cyber System
  - SCADA L2 Switch: BES Cyber Asset
- Medium Impact BES Cyber System
  - VLAN 10 assets: BES Cyber Assets
  - VLAN 20 assets: BES Cyber Assets
- Electronic Access Control or Monitoring Systems
  - SCADA Firewall: Electronic Access Point (EAP)
  - Intermediate System

Virtualization and CIP Compliance
CIP-005-5 Electronic Security Perimeter(s)
- All External Routable Connectivity must go through the SCADA Firewall (EAP)
- The Intermediate System must be used for all Interactive Remote Access

Summary
- Make sure you classify your virtual assets properly
- It's very important to protect your host machine
- Provide evidence for how your virtual assets meet the CIP requirements, the same as you would for your physical assets