Cyber Security Standards Update: Version 5 with Revisions




Cyber Security Standards Update: Version 5 with Revisions Security Reliability Program 2015

Agenda
- CIP Standards History
- Version 5
- Format
- Impact Levels
- NOPR
- Final Rule
- References

RELIABILITY ACCOUNTABILITY

CIP Standards History
Pre-Version 1
- FERC Request for Standard Market Design
  o Request from FERC Staff to develop language May 8, 2002
  o Modeled after ISO17799
  o Transmitted to FERC on July 25, 2002
  o Included in Standard Market Design NOPR as Appendix G
- Urgent Action 1200
  o Follow-on to SMD Appendix G work
  o SAR Developed in 2003, approved April 7, 2003
  o UA1200 approved by industry June 26, 2003

CIP Standards History
Version 1
- SAR Effort started August 2003
- Requirements drafting started June 8, 2004
- Filed with FERC August 28, 2006
- Approved by FERC January 18, 2008
- Effective July 1, 2008 through January 1, 2010 (phased)

CIP Standards History
Version 2
- SAR started February 2008
- Requirements development started October 6, 2008
- Low-hanging fruit
- Filed with FERC May 22, 2009
- Approved by FERC September 30, 2009
- Effective April 1, 2010
Version 3 (current effective version)
- Compliance filing to Version 2
- Filed with FERC December 29, 2009
- Approved by FERC March 31, 2010
- Effective October 1, 2010

CIP Standards History
Version 4
- Critical Asset bright-lines
- Approved by Industry on December 30, 2010
- Filed with FERC on February 10, 2011
- Approved by FERC on April 19, 2012
- Superseded by Version 5 in FERC Order 791 on November 22, 2013

Version 5

CIP Standards Version 5 D1
- Post for 60-day comment and concurrent ballot period
- November 7, 2011 to January 6, 2012
- 20-day ballot period (December 17, 2011 to January 6, 2012)
- Multiple separate ballots
  o One for each standard (10 standards)
  o One for Implementation Plan
  o One for Definitions
  o Single ballot pool

CIP Standards Version 5 D2
- Post for 40-day comment and concurrent ballot period
- April 12, 2012 to May 21, 2012
- 10-day ballot period (May 11, 2012 to May 21, 2012)
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as initial draft

CIP Standards Version 5 D3
- Post for 30-day comment and concurrent ballot period
- September 11, 2012 to October 10, 2012
- 10-day ballot period (October 1, 2012 to October 10, 2012)
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as initial draft

CIP Standards Version 5 D4
- Post for 10-day recirculation ballot period
- October 26, 2012 to November 5, 2012
- No substantial changes made to standards
  o Clarifications and corrections based on comments received from Draft 3
- Changes to existing votes from last successive ballot
  o No action - maintain Draft 3 vote
- Multiple separate ballots
  o Single ballot pool
  o Same ballot pool as initial draft

Version 5 Ballot Results
[Chart: percentage axis from 0% to 100%; categories: Initial Ballot (January 2012), Successive Ballot (May 2012), Successive Ballot (October 2012), Recirculation Ballot (November 2012)]

FERC Approval Process
- Filed with FERC February 1, 2013 (after 5:00 PM on 1/31)
- FERC Docket RM13-5
- 10,483 page filing (yes, ten thousand pages)
- Available on NERC Website at:
  o http://www.nerc.com/news/headlines%20dl/final_petition_cip_v5_01-31-13%20and%20Exhibits%20A-E.pdf
  o http://www.nerc.com/filingsorders/us/nerc%20filings%20to%20ferc%20DL/Exhibit%20F%20(Part%201%20of%202).pdf
  o http://www.nerc.com/filingsorders/us/nerc%20filings%20to%20ferc%20DL/Exhibit%20F%20(Part%202%20of%202).pdf
  o http://www.nerc.com/filingsorders/us/nerc%20filings%20to%20ferc%20DL/Exhibits%20G-H.pdf
- FERC version at http://elibrary.ferc.gov/idmws/common/opennat.asp?fileid=13167892 (76MB file)
- Filings to Canadian Regulators made on February 7, 2013

CIP Standards Version 5
- CIP-002-5: BES Cyber Asset and BES Cyber System Categorization
- CIP-003-5: Security Management Controls
- CIP-004-5: Personnel and Training
- CIP-005-5: Electronic Security Perimeter(s)
- CIP-006-5: Physical Security of BES Cyber Systems
- CIP-007-5: Systems Security Management
- CIP-008-5: Incident Reporting and Response Planning
- CIP-009-5: Recovery Plans for BES Cyber Assets and Systems
- CIP-010-1: Configuration Management and Vulnerability Assessments
- CIP-011-1: Information Protection

SDT's Development Goals
- Goal 1: To address the remaining requirements-related directives from all CIP related FERC orders, all approved interpretations, and CAN topics within applicable existing requirements.
- Goal 2: To develop consistent identification criteria of BES Cyber Systems and application of cyber security requirements that are appropriate for the risk presented to the BES.
- Goal 3: To provide guidance and context for each Standard Requirement.
- Goal 4: To leverage current stakeholder investments used for complying with existing CIP requirements.
- Goal 5: To minimize technical feasibility exceptions.
- Goal 6: To develop requirements that foster a culture of security and due diligence in the industry to complement a culture of compliance.
- Goal 7: To develop a realistic and comprehensible implementation plan for the industry.

CIP Standards Version 5
New / Modified Terms:
- BES Cyber Asset
- BES Cyber System
- BES Cyber System Information
- CIP Exceptional Circumstance
- CIP Senior Manager
- Control Center
- Cyber Assets
- Cyber Security Incident
- Dial-up Connectivity
- Electronic Access Control and Monitoring Systems (EACMS)
- Electronic Access Point (EAP)
- Electronic Security Perimeter (ESP)
- External Routable Connectivity
- Interactive Remote Access
- Intermediate System
- Physical Access Control Systems (PACS)
- Physical Security Perimeter (PSP)
- Protected Cyber Asset (PCA)
- Reportable Cyber Security Incident

BES Cyber Systems
Cyber Assets: Programmable electronic devices, and communication networks including the hardware, software, and data in those devices.

BES Cyber Systems
BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

BES Cyber Systems
BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

Electronic Perimeters
External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bidirectional routable protocol connection.
Dial-up Connectivity: A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link.

Electronic Perimeters
Electronic Security Perimeter (ESP): The logical border surrounding a network to which Critical Cyber Assets BES Cyber Systems are connected using a routable protocol and for which access is controlled.
Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

Electronic Perimeters
Electronic Access Control or Monitoring Systems (EACMS): Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.
Protected Cyber Assets (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Interactive Remote Access
Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.

Interactive Remote Access
Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.

Physical Perimeters
Physical Security Perimeter (PSP): The physical, completely enclosed ("six-wall") border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled. The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.

Physical Perimeters
Physical Access Control Systems (PACS): Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.

Control Centers
Control Center: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.

CIP Standards Version 5
Retired Terms
- Critical Assets
- Critical Cyber Assets

CIP Standards Version 5
CIP-002
- Eliminates the Critical Asset step of the identification process
- Builds on bright line concepts introduced in CIP-002-4
- Version 3/4 Critical Asset control centers: High
- Other Version 3/4 Critical Assets: Medium
- Some Version 3/4 non-critical assets: Medium
- Transmission now looking at a capacity calculation rather than number of lines at a voltage level
  o See http://www.nerc.com/docs/pc/rmwg/pas/index_team/SRI_Equation_Refinement_May6_2011.pdf
- Catch-all category for non-specifically categorized: Low
  o Something everywhere within the BES
  o Programmatic requirement: CIP-003-5 Requirement R2

CIP Standards Version 5
- High Impact
  o Large Control Centers
  o CIP-003 to 009 V3/V4 plus
- Medium Impact
  o Generation and Transmission
  o Control Centers
  o Similar to CIP-003 to 009 V3/V4
- All other BES Cyber Systems (Low Impact) must implement a policy to address:
  o Cybersecurity Awareness
  o Physical Security Controls
  o Electronic Access Controls
  o Incident Response
[Diagram: V3/V4 categories (Critical, Non-Critical) set against V5 categories (High, Medium, Low, Non-Impactful (Distribution, Marketing, Business)); asset labels: Large Control Centers; Generation and Transmission; Control Centers; Small Control Centers]

CIP-002-5
Notes when reading NERC Standards:
- Capitalization is very important.
- Capitalized words refer to terms in the NERC Glossary of Terms Used in Reliability Standards (http://www.nerc.com/pa/stand/glossary%20of%20terms/Glossary_of_Terms.pdf)
- Non-capitalized terms do not refer to NERC glossary terms
  o i.e., "Real-time" is not the same as "real-time"
  o "Facilities" is not the same as "facilities"
- Terms with well known and authoritative definitions defer to those authoritative sources (e.g., "FACTS")
- Not all terms used have either NERC Glossary definitions or authoritative definitions (e.g., "plant")

Version 5 Impact Rating Criteria
High Impact Rating (H):
Each BES Cyber System used by and located at any of the following:
1.1. Each Control Center or backup Control Center used to perform the functional obligations of the Reliability Coordinator. (V4 1.14)
1.2. Each Control Center or backup Control Center used to perform the functional obligations of the Balancing Authority: 1) for generation equal to or greater than an aggregate of 3000 MW in a single Interconnection, or 2) for one or more of the assets that meet criterion 2.3, 2.6, or 2.9. (V4 1.15)
1.3. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10. (V4 1.16)
1.4. Each Control Center or backup Control Center used to perform the functional obligations of the Generator Operator for one or more of the assets that meet criterion 2.1, 2.3, 2.6, or 2.9. (V4 1.17)

Version 5 Impact Rating Criteria
Medium Impact Rating (M):
Each BES Cyber System, not included in Section 1 above, associated with any of the following:
2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection. (V4 1.1)
2.2. Each BES reactive resource or group of resources at a single location (excluding generation Facilities) with an aggregate maximum Reactive Power nameplate rating of 1000 MVAR or greater (excluding those at generation Facilities). The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of resources that in aggregate equal or exceed 1000 MVAR. (V4 1.2)

Version 5 Impact Rating Criteria
2.3. Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year. (V4 1.3)
2.4. Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.6)

Version 5 Impact Rating Criteria
2.5. Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the table below. The "aggregate weighted value" for a single station or substation is determined by summing the "weight value per line" shown in the table below for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.7)

Voltage Value of a Line               Weight Value per Line
less than 200 kV (not applicable)     (not applicable)
200 kV to 299 kV                      700
300 kV to 499 kV                      1300
500 kV and above                      0
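The criterion 2.5 screen above, worked through in Python as an added example (not part of the original presentation). The Line record, the station names and the line lists are constructed for illustration, and treating criterion 2.4 as a per-line voltage check is a simplifying assumption.

```python
"""Screen a station's line list against CIP-002-5 criteria 2.4 and 2.5 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    """One incoming or outgoing BES Transmission Line (hypothetical record layout)."""
    kv: float                    # operating voltage in kV
    remote_station: str          # Transmission station or substation at the far end
    collector_bus: bool = False  # generation collector bus: not a Transmission Facility


def weight_value(kv):
    """Weight value per line from the criterion 2.5 table."""
    if 200 <= kv < 300:
        return 700
    if 300 <= kv < 500:
        return 1300
    return 0  # under 200 kV is "not applicable"; 500 kV and above weighs 0


def transmission_lines(lines):
    """Drop collector-bus ties, which the criterion does not count as Transmission."""
    return [l for l in lines if not l.collector_bus]


def aggregate_weighted_value(lines):
    """Sum the weight value of every incoming and outgoing line at the station."""
    return sum(weight_value(l.kv) for l in transmission_lines(lines))


def connected_stations(lines):
    """Distinct other stations reached at 200 kV or higher."""
    return {l.remote_station for l in transmission_lines(lines) if l.kv >= 200}


def meets_criterion_2_4(lines):
    """Assumption: model 2.4 as 'any Transmission line at 500 kV or higher'."""
    return any(l.kv >= 500 for l in transmission_lines(lines))


def meets_criterion_2_5(lines):
    """All three conditions must hold: voltage band, 3+ neighbours, value > 3000."""
    in_band = any(200 <= l.kv < 500 for l in transmission_lines(lines))
    return (in_band
            and len(connected_stations(lines)) >= 3
            and aggregate_weighted_value(lines) > 3000)


def screen(lines):
    """Summarise one station for a categorization worksheet."""
    return {
        "aggregate_weighted_value": aggregate_weighted_value(lines),
        "connected_stations": len(connected_stations(lines)),
        "criterion_2_4": meets_criterion_2_4(lines),
        "criterion_2_5": meets_criterion_2_5(lines),
    }


# Constructed sample stations (not real facilities).
STATIONS = {
    # 1300 + 1300 + 700 = 3300 to three stations: meets 2.5
    "ALPHA": [Line(345, "B"), Line(345, "C"), Line(230, "D")],
    # three neighbours, but 3 x 700 = 2100 does not exceed 3000
    "BRAVO": [Line(230, "E"), Line(230, "F"), Line(230, "G")],
    # 3 x 1300 = 3900, but the double circuit to X leaves only two neighbours
    "CHARLIE": [Line(345, "X"), Line(345, "X"), Line(345, "Y")],
    # collector bus and the 138 kV line add neither weight nor a neighbour
    "DELTA": [Line(345, "P"), Line(345, "Q"),
              Line(230, "PLANT", collector_bus=True), Line(138, "R")],
    # the 500 kV line weighs 0 under 2.5 but triggers 2.4 on its own
    "ECHO": [Line(500, "S"), Line(345, "T"), Line(345, "U")],
}

if __name__ == "__main__":
    for name, lines in STATIONS.items():
        print(name, screen(lines))
```

CHARLIE and ECHO are the cases a spreadsheet sum tends to get wrong: parallel circuits raise the weighted value without adding a connected station, and a 500 kV line counts as a connection while contributing no weight.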

Version 5 Impact Rating Criteria
2.6. Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies. (V4 1.8 & 1.9)
2.7. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements. (V4 1.11)
2.8. Transmission Facilities, including generation interconnection Facilities, providing the generation interconnection required to connect generator output to the Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the generation Facilities identified by any Generator Owner as a result of its application of Attachment 1, criterion 2.1 or 2.3. (V4 1.10)

Version 5 Impact Rating Criteria
2.9. Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated switching System that operates BES Elements, that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limits (IROLs) violations for failure to operate as designed or cause a reduction in one or more IROLs if destroyed, degraded, misused, or otherwise rendered unavailable. (V4 1.12)
2.10. Each system or group of Elements that performs automatic Load shedding under a common control system, without human operator initiation, of 300 MW or more implementing undervoltage load shedding (UVLS) or underfrequency load shedding (UFLS) under a load shedding program that is subject to one or more requirements in a NERC or regional reliability standard. (V4 1.13)

Version 5 Impact Rating Criteria
2.11. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. (V4 1.15)
2.12. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above. (V4 1.16)
2.13. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MW in a single Interconnection. (V4 1.17)

Version 5 Impact Rating Criteria
Low Impact Rating (L):
BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 Facilities, of this standard:
3.1. Control Centers and backup Control Centers.
3.2. Transmission stations and substations.
3.3. Generation resources.
3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements. (V4 1.4 & 1.5)
3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System. (V4 1.12)
3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above. (V4 1.12 & 1.13)

CIP Standards Version 5
- Non-CCA assets in Version 3 are also covered
- Non-Critical Cyber Assets within an ESP are now named Protected Cyber Assets, are associated with a BES Cyber System, and called out in the Applicable Systems column
- EACMS and PACS are associated with a BES Cyber System, and are called out in the Applicable Systems column

CIP Standards Version 5
High Water Marking
- Within an ESP, all systems are treated as if they are at the highest impact level of any system in the same ESP
- Includes non-impactful Cyber Assets (e.g., market systems, distribution systems, corporate systems) (See definition of PCA)
[Diagram labels: Market System; Medium Impact BES Cyber System; High Impact BES Cyber System; All treated as High Impact BES Cyber Systems; Low Impact BES Cyber System; All treated as Medium Impact BES Cyber Systems]
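High water marking applied to an asset inventory, as an added Python example that is not part of the original presentation. It combines the rule above with the 30-day exclusion in the Protected Cyber Asset definition; the asset names, ESP names and record layout are constructed for illustration.

```python
"""High water marking inside an ESP, with the PCA 30-day exclusion (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Purposes named in the 30-day exclusion of the Protected Cyber Asset definition.
TEMPORARY_PURPOSES = {
    "data transfer", "vulnerability assessment", "maintenance", "troubleshooting",
}


@dataclass(frozen=True)
class CyberAsset:
    """Hypothetical inventory record."""
    name: str
    esp: str
    bes_impact: Optional[Impact] = None   # None: not part of a BES Cyber System
    days_connected: Optional[int] = None  # set only for temporarily connected assets
    purpose: str = ""


def is_temporary(asset):
    """True when the asset falls under the exclusion: 30 days or less AND a listed purpose."""
    return (asset.bes_impact is None
            and asset.days_connected is not None
            and asset.days_connected <= 30
            and asset.purpose in TEMPORARY_PURPOSES)


def high_water_marks(assets):
    """Highest BES Cyber System impact rating found in each ESP."""
    marks = {}
    for a in assets:
        if a.bes_impact is not None:
            marks[a.esp] = max(marks.get(a.esp, a.bes_impact), a.bes_impact)
    return marks


def effective_ratings(assets):
    """Rating each asset is treated at; None for excluded temporary assets."""
    marks = high_water_marks(assets)
    return {a.name: None if is_temporary(a) else marks.get(a.esp) for a in assets}


def raised_by_high_water_mark(assets):
    """Assets that pick up a higher rating only because of what shares their ESP."""
    ratings = effective_ratings(assets)
    raised = []
    for a in assets:
        eff = ratings[a.name]
        if eff is not None and (a.bes_impact is None or eff > a.bes_impact):
            raised.append(a.name)
    return sorted(raised)


# Constructed sample inventory (not real systems).
INVENTORY = [
    CyberAsset("ems-server", "ESP-CC", Impact.HIGH),
    CyberAsset("gen-gateway", "ESP-CC", Impact.MEDIUM),
    CyberAsset("market-system", "ESP-CC"),
    CyberAsset("laptop-5d", "ESP-CC", days_connected=5, purpose="maintenance"),
    CyberAsset("laptop-30d", "ESP-CC", days_connected=30, purpose="troubleshooting"),
    CyberAsset("scan-box", "ESP-CC", days_connected=45, purpose="vulnerability assessment"),
    CyberAsset("contractor-pc", "ESP-CC", days_connected=2, purpose="web browsing"),
    CyberAsset("rtu", "ESP-SUB", Impact.MEDIUM),
    CyberAsset("relay-hmi", "ESP-SUB", Impact.LOW),
    CyberAsset("historian", "ESP-SUB"),
]

if __name__ == "__main__":
    for name, rating in effective_ratings(INVENTORY).items():
        print(f"{name:15s} {rating.name if rating else 'excluded (temporary)'}")
    print("raised:", raised_by_high_water_mark(INVENTORY))
```

The list returned by raised_by_high_water_mark is the practical output: every name on it carries controls it would not need if it sat in a different ESP, including the scanner left connected past 30 days and the short-lived connection whose purpose is not one of the four listed.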

CIP Standards Version 5
[Figure callouts: Rationale, Guidance & Changes; Main Requirement and Measure; Applicable Systems for requirement part; Requirement part text; Requirement part Measure text; Requirement part Reference; Requirement part change rationale]

CIP Standards Version 5
Format
- Following Results-based Standards format
- Background section before requirements
- Requirement and Measurement next to each other
- Rationale and guidance developed in parallel with requirements
- Two posting formats: one with guidance/rationale text boxes inline; other with guidance and rationale text grouped at end
- Still must audit only to the requirement
- Guidelines and Technical Basis section at end

CIP Standards Version 5
Applicable Systems column in tables
- What systems the row in the table applies to
- Listed in each standard
- Specific phrases consistent across all standards
- A requirement part (row) may have multiple applicability statements
- Examples:
  o High Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems at Control Centers
  o Medium Impact BES Cyber Systems with External Routable Connectivity
  o Protected Cyber Assets
  o Electronic Access Control Systems

CIP Standards Version 5
Connectivity
- No longer a blanket exemption
- Now listed in applicability section
- Routable Connectivity or Dial-up Connectivity
- Routable protocol applicability now applies where large volume, real-time communications requirements are listed, e.g., logging
Low Impact
- CIP-003-5 Requirement R2
- Programmatic controls (i.e., have a program for )
- Requires physical and cyber security protections for locations containing low
- Does not require lists of every low impact BES Cyber System

CIP Standards Version 5
TFEs
- Attempting to minimize required TFEs (e.g., anti-malware on switches)
- Reduced from 14 requirements/subs to 8 requirements (13 parts)
- But still have TFEs (including new ones where existing V1-V4 problems exist)
- Have added "per Cyber Asset capability" language to allow strict compliance with the language of the requirement, without requiring a TFE (~5 requirements)
Measures
- Guidance to auditors as well as entities
- "An example of evidence may include, but is not limited to,"
- No longer a meaningless restatement of the requirement

CIP Standards Version 5
Bulleted lists vs. numbered lists
- Bulleted lists are separated by "or"
- Bulleted lists imply that not all of the items in the list are required
- Numbered lists are separated by "and"
- Numbered lists imply that all of the items in the lists are required
- Both bulleted and numbered lists are used in both requirements and measures

Features of Version 5
- Closes out directives in FERC Order No. 706 (also, FERC Order No. 761 imposed March 31, 2013, filing deadline)
- Results-based standards
  o Focus on reliability and security-related result
  o Non-technology specific
- Smarter use of Technical Feasibility Exception (TFE) process
  o Plain language of the requirement, i.e., per device capability
- Risk-informed systems approach
  o Adopt solutions and tailor security based on function and risk
  o No longer a harsh "in or out" demarcation for applicability
  o Impact and connectivity informs applicability

Features of Version 5
Systems approach illustration
  o Cyber Assets function together as a complex system
  o Identify the system and apply requirements to the whole rather than the part
  o High Watermarking inside boundary

Features of Version 5
Paradigm shift that builds on experience
Informed by and responsive to implementation and audit lessons from Versions 1 through 3
Framework for establishing a culture of security
Balanced flexibility
  o Demonstrates clear accountability for Critical Infrastructure Protection, yet...
  o Allows adaptation of requirements to individual operations
  o Specifies what to achieve, but broad in how to get there

CIP Standards Version 5
Proposed Effective Date (from CIP-002-5; all standards use the same language):
1. 24 Months Minimum: CIP-002-5 shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, CIP-002-5 shall become effective on the first day of the ninth calendar quarter following Board of Trustees approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

CIP Standards Version 5
Implementation issues:
  o Specified initial performance of all periodic requirements in implementation plan
  o 24 months following regulatory approval for all requirements
  o Identity Verification does not need to be repeated
  o Discussion of unplanned re-categorization to a higher impact level
  o Discussion of disaster recovery actions
  o Discussion of requirements applied to access control systems (physical and electronic), and Protected Cyber Assets

CIP Standards Version 5
Applicability Section:
Section 4.1 Functional Entities
  o Describes which asset owners, based on their functional model designation, and specific ownership of assets, must comply with the standards
  o May have no qualifications: applies to all entities registered for that function
Section 4.2 Facilities
  o Describes which assets must comply with the standards
  o May have no qualifications: applies to all BES assets owned by that function

CIP Standards Version 5
Applicability Example:
  o For Distribution Providers, only those registered DPs that own specifically called out pieces of equipment, such as UFLS systems, must comply with the standards
  o For those DPs, only the specifically called out pieces of equipment must comply with the standards
  o If a DP does not own any called out equipment, it does not need to comply with the standards
  o If a DP owns a piece of called out equipment, only that called out equipment must comply with the standards

CIP Standards Version 5
CIP-002-5 through CIP-009-5, CIP-010-1, CIP-011-1
Results-based Standard format
  o Requirements and measures together
  o Guidance and rationale in text boxes
Looks bigger
  o ~1 printout for Version 5 compared to ~¼ printout for Version 3/4
  o Includes much more guidance and rationale for each requirement

CIP Standards Version 5
CIP-002: 2 Requirements; 5 Parts; Attachment with bright lines for High and Medium
CIP-003: 4 Requirements; 13 Parts
CIP-004: 5 Requirements; 18 Parts
CIP-005: 2 Requirements; 8 Parts
CIP-006: 3 Requirements; 13 Parts
CIP-007: 5 Requirements; 20 Parts
CIP-008: 3 Requirements; 9 Parts
CIP-009: 3 Requirements; 10 Parts
CIP-010: 3 Requirements; 10 Parts
CIP-011: 2 Requirements; 4 Parts
Total: 32 Requirements; 110 Parts

Version 3 Requirement Counts
CIP-002: 4 Requirements; 0 sub-requirements
CIP-003: 6 Requirements; 18 sub-requirements
CIP-004: 4 Requirements; 12 sub-requirements
CIP-005: 5 Requirements; 26 sub-requirements
CIP-006: 8 Requirements; 15 sub-requirements
CIP-007: 9 Requirements; 34 sub-requirements
CIP-008: 2 Requirements; 6 sub-requirements
CIP-009: 5 Requirements; 2 sub-requirements
Total: 43 Requirements; 113 sub-requirements

CIP Standards Version 5
Sub-Requirements
  o Each Requirement / Sub-Requirement is a compliance touch-point
  o Non-compliance with a sub-requirement stands on its own
  o Sub-requirements have independent VSLs (unless rolled-up)
Requirement Parts
  o Only the Requirement is a compliance touch-point
  o Cannot be independently in non-compliance with a Part
  o VSLs written only at the Requirement level (making very long and complicated VSL language)
  o Parts allow flexibility in development and implementation of the requirement

Version 5 Technical Webinar
Draft 1 Technical Webinar on format and CIP-002
  o Industry lead
  o November 15, 2011
Draft 1 Technical webinar on CIP-003 through CIP-011
  o Industry lead
  o November 29, 2011
(http://www.nerc.com/pa/stand/pages/webinars.aspx)

Version 5 Webinars
Draft 2 Technical Webinar
  o SDT Lead
  o April 10, 2012
Draft 3 Technical Webinar
  o SDT Lead
  o September 21, 2012
(http://www.nerc.com/pa/stand/pages/webinars.aspx)

CIP Standards Version 5
Annual interaction with CAN-0010: now 15 months
Monthly requirements changed to 35 days
Measures are examples with bulleted lists; format, wording
Compliance artifacts in requirements (e.g., documentation of )
LSE (removed), replaced with DP
  o LSE functions changed since original standards development timeframe
300 MW threshold on UFLS/UVLS
  o No justification for a different value
Notifications: IROL, must run (resolving as part of V4)
  o IROLs in WECC

CIP Standards Version 5
Definition / threshold of Control Center
  o Includes data centers
Connectivity (routable, dial-up)
Low Impact (policy only)
  o List not required
Date tracking (PRA, training, access, etc.)
Access revocation (reassignments, timing, immediate)
Removed 99.9% availability phrasing
  o Difficult to track and audit
Interactive Remote Access
  o Clarify encryption and multi-factor authentication points
  o Remove examples from requirements / purpose of encryption

CIP Standards Version 5
Ports & Services
  o Physical ports - FERC Directive
No remediation plan if install patches within 35 days
Allow updates to existing plans rather than new plans all the time
Periodic review of patch sources, not individual patches
Anti-malware: clarify system level
Per device capability clauses added
Password changing / pseudorandom passwords (RuggedCom vulnerability impacts)
Evidence Retention (compliance vs. security monitoring)

CIP Standards Version 5
Take back reporting requirement from EOP-004 into CIP-008
Guidance on active vs. passive vulnerability assessment
V4 bypass language still in implementation plan

Version 5 NOPR
Issued April 18, 2013
Posted at http://www.ferc.gov/whats-new/commmeet/2013/041813/e-7.pdf
75 pages
Comments due June 24, 2013 (60 days after publication in Federal Register)
Contains 48 specific requests for comment (may be overlap)
Proposes 11 directives for change
Proposes 16 areas where FERC may direct changes

Version 5 NOPR
Major Themes:
Identify, Assess and Correct language
Impact Categorization
  o No reference to studies supporting bright-line thresholds
  o No consideration of coordinated attack on multiple low impact systems
  o Only based on BES impact (i.e., no assessment of confidentiality, integrity or availability)
Low Impact BES Cyber Systems
  o Specificity of requirements
  o Lack of inventory

Version 5 NOPR
Definitions:
  o 15 minute impact in BES Cyber Asset
  o Generation Control Centers (vs. control rooms)
  o Removal of communication networks from Cyber Asset
  o Use of reliability tasks phrase
  o Intermediate System vs. intermediate device

Version 5 NOPR
Implementation Plan
  o Proposes to accept the Version 4 bypass language
  o Are 24/36 months necessary?
Violation Risk Factors
  o Inconsistent with prior versions
Violation Severity Levels
  o Inconsistent with Commission guidelines
  o May need to be modified based on outcome of IAC discussion

Version 5 NOPR
New Topics (post Order No. 706)
Communications Security
  o Including encryption, protections for serial communications
Remote Access (more than proposed Version 5 language?)
  o May already be covered by Version 5 language
NIST topics
  o Maintenance devices
  o Separation of duties
  o Threat / risk based categorization
  o May include other areas
May be others

Version 5 NOPR
NERC Response:
60 page response (largest response)
  o (http://www.nerc.com/filingsorders/us/nerc%20filings%20to%20ferc%20DL/NERC%20Comments%20to%20CIPV5%20NOPR%20_%20FINAL.pdf)
Supports standards as filed:
  o IAC:
    - Discusses meaning of IAC language
    - Reliability Benefit of IAC Language
    - Compliance obligations of IAC language
    - Consistency with NIST Framework
  o BES Cyber Asset Categorization and Protection
    - Supports Facility rating approach
    - Protections of low impact BES Cyber Assets
    - Supports not requiring inventory of low impact BES Cyber Assets

Version 5 NOPR
NERC Response (continued):
  o Definitions: BES Cyber Asset
    - 15-minute parameter
    - 30-day exclusion
  o Definitions: Control Center
    - Geographically disperse generating plants
  o Definitions: Cyber Assets
    - Removal of communications networks
  o Definitions: Reliability Tasks
    - Well-understood term
  o Definitions: Intermediate Devices
    - Filing oversight

Version 5 NOPR
NERC Response (continued):
  o Implementation Plan:
    - 24- and 36-month timeframes appropriate and necessary
    - Transition guidance and pilot program
  o VRF & VSL
    - Severity of violation as expressed in duration of violation
    - Not two separate violations
  o Other Technical Concerns
    - Technical conferences to discuss issues
    - Use Reliability Standards Development Process
  o Remote Access
    - Concerns addressed in CIP-004

Version 5 NOPR
NOPR Comments:
65 files submitted from 62 parties
782 pages
Generally supportive of NERC positions
  o Issues with IAC language
  o Issues with RFA analysis and estimates (cost & time)
Next Steps:
FERC must read, summarize and react to all comments while writing final rule

Version 5 Final Rule
Final Rule Issued November 22, 2013
Docket RM13-5
Order No. 791
146 page rule
Published in Federal Register December 3, 2013

Final Rule Highlights
Effective Date of Final Rule: February 3, 2014
Effective Date for Compliance with all non-periodic requirements:
  o April 1, 2016 for High and Medium Impact
  o April 1, 2017 for Low Impact
Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1, 2016

Final Rule Highlights
Approved technical requirements
Approved 19 definitions
Approved implementation plan
Approved bypass of Version 4
Approve, with modifications, VRF / VSL

Final Rule Highlights
Submit modified VRF / VSL within 90 days
Submit two directed changes and one informational filing within one year
  o IAC
  o Communications Networks
  o Survey: 15-minute clause
Two other directed changes do not have specified time frame
  o Low Impact BES Cyber Systems
  o Transient Devices

IAC Language
Address concerns with IAC Language
Prefer to have compliance language removed from requirements
Allow for flexibility for addressing concerns
Supports move away from zero tolerance compliance approach for the 17 requirements
IAC language ambiguous, concerns about inconsistent application, unclear expectations placed on industry
Submit within one year

BES Cyber Asset Categorization
Allow impact-based categorization
May revisit in future
Not persuaded to move blackstart from Low to Medium, but may revisit
Does not consider connectivity, but may revisit
Confirm that Low will not include non-BES assets

Low Impact requirements
Lack of objective criteria for evaluating Low Impact protections
Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process
Open to alternative approaches: the criteria NERC proposes for evaluating a responsible entities' protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.
No detailed inventory required; list of locations / Facilities OK

15-Minute Parameter
Survey industry about impacts of 15-minute parameter, during transition period
What Cyber Assets are included / excluded by the 15-minute parameter
Informational filing to FERC in one year
Commission may revisit issue following informational filing

30-day exemption in Definition
Do not direct change to definition
Directed modifications to address transient devices issues

Transient Devices
Devices connected for less than 30-days (USB, laptop, etc.)
Direct modifications to address the following concerns:
  o Device authorization
  o Software authorization
  o Security patch management
  o Malware prevention
  o Unauthorized physical access
  o Procedures for connecting to different impact level systems

Control Center
Accept definition without change

Communications Network
Approve definition of Cyber Asset without change
Direct creation of definition of communication networks and requirements to address issues:
  o Locked wiring closets
  o Disconnected or locked spare jacks
  o Protection of cabling by conduit or cable trays
Submit within one year
Include discussion in FERC Staff-led conference

Reliability Tasks
No need to define phrase
Refers to Functional Model tasks

Intermediate Devices
Accept errata filing (Intermediate Devices -> Intermediate Systems)

Implementation Plan
Approve Implementation Plan as filed
  o 24-month for High & Medium
  o 36-month for Low
  o Bypass Version 4
Support NERC proposal to develop transition guidance and pilot program
Declined to extend implementation plan
Not persuaded to allow early shift to V5
However, issues of early compliance can be addressed by NERC and Registered Entities as appropriate.

VRF / VSL
Approve 30 (of 32) VRFs
Move two VRFs from Lower to Medium
Modify VSLs:
  o IAC Language
  o Address typographical errors
  o Clarify unexplained elements
Submit within 90 days
Additional VSL changes will be required for any changed requirement
  o IAC

FERC Staff-led Conference
FERC Staff-led conference within 180 days
NIST Framework for categorizations (C-I-A)
Communications security
Remote access
Differences between CIP & NIST
May produce new or modified directives

Errata Notice
Issued Dec 13, 2013
Corrects P 16 of order to confirm effective date of standard:
This errata notice serves to correct P 16. Specifically, the reference to "eighth" in the seventh line of P 16 is changed to [ninth]. The sentence as revised would thus read, "NERC requests that the CIP version 5 Standards become effective on the first day of the [ninth] calendar quarter after a Final Rule is issued in this docket."

VRF/VSL Compliance Filing
Updated VRFs & VSLs filed with FERC on May 15, 2014
Response to Order No. 791
VRF modifications filed for:
  o CIP-006-5, Requirement R3
  o CIP-004-5.1, Requirement R4
VSL modifications filed for:
  o CIP-003-5, Requirements R1 and R2
  o CIP-004-5.1, Requirement R4
  o CIP-008-5, Requirement R2
  o CIP-009-5, Requirement R3
Filing approved on July 9, 2014 by Letter Order

Steps Forward
Any change to the requirements language must be made pursuant to the NERC Standards Process Manual
  o Standards Drafting Team will need to be involved
  o Opportunity for industry comment and ballot
Two directives with timeframes
  o Must file in prescribed timeframe
Desire to address all directives as soon as possible
VRF/VSL changes and Survey will happen outside of standards development process

References
Project 2008-06 Development History:
Version 4 page: http://www.nerc.com/pa/stand/pages/project_2008-06_cyber_security_phaseii_standards.aspx
Version 4 Guidance Document: http://www.nerc.com/pa/stand/pages/project_2008-06_cip-002-4_guidance_clean_20101220.pdf
Version 5 page: http://www.nerc.com/pa/stand/pages/project_2008-06_cyber_security_version_5_cip_standards.aspx
Version 5 Transition Guidance: http://www.nerc.com/pa/ci/documents/v3-V5%20Transition%20Guidance%20FINAL.pdf

Questions
Scott Mix, CISSP
Senior CIP Technical Manager
Scott.Mix@nerc.net