Cyber Security Standards: Version 5 Revisions. Security Reliability Program 2015




Slide 2: Overview of Development Activities - The Team
Standard Drafting Team (SDT) appointed to address these revisions in Project 2014-02:
- Maggy Powell, Exelon
- Philip Huff, AECC
- David Revill, GTC
- Jay Cribb, Southern Company
- Forrest Krigbaum, BPA
- David Dockery, AECI
- Greg Goodrich, NYISO
- Christine Hasha, ERCOT
- Steve Brain, Dominion
- Scott Saunders, SMUD
RELIABILITY ACCOUNTABILITY

Slide 3: CIP Standards Version 5
- CIP-002-5.1*: BES Cyber Asset and BES Cyber System Categorization
- CIP-003-6**: Security Management Controls
- CIP-004-6**: Personnel and Training
- CIP-005-5: Electronic Security Perimeter(s)
- CIP-006-6: Physical Security of BES Cyber Systems
- CIP-007-6**: Systems Security Management
* Changed "Devices" to "Systems" in the background section
** Developed as version 7

Slide 4: CIP Standards Version 5 (continued)
- CIP-008-5: Incident Reporting and Response Planning
- CIP-009-6: Recovery Plans for BES Cyber Assets and Systems
- CIP-010-2***: Configuration Management and Vulnerability Assessments
- CIP-011-2***: Information Protection
*** Developed as version 3

Slide 5: Overview of Development Activities - Key Objectives
- Four directive areas
- One-year filing deadline
- Outreach during development and comment period

Slide 6: FERC Final Rule
- Issued November 3, 2013; effective February 3, 2014
- Four directives:
  - Identify, Assess and Correct language
  - Communication Networks
  - Low Impact BES Cyber Systems
  - Transient Devices
- The first two had a one-year deadline: filing deadline February 3, 2015

Slide 7: Identify, Assess, and Correct
- FERC preferred not to have compliance language included within technical requirements
- SDT responded by deleting the language from 17 requirements
- RAI (Risk-based Compliance Monitoring and Enforcement) concepts replaced the need for IAC language

Slide 8: Communication Networks
- FERC directed creation of a definition of communication networks and requirements to address these issues:
  - Locked wiring closets
  - Disconnected or locked spare jacks
  - Protection of cabling by conduit or cable trays

Slide 9: Communication Networks (continued)
- SDT responded by adding CIP-006 Part 1.10 to address protection of non-programmable components of communication networks that are inside an ESP but outside of a PSP
- SDT also modified CIP-007 Part 1.2 to address unused physical ports on non-programmable communication components and devices at high and medium impact Control Centers
- A formal definition was determined by the SDT to be unnecessary at this time

Slide 10: Transient Devices
- Described in the Final Rule as devices connected for less than 30 days (USB, laptop, etc.)
- FERC directed modifications to address the following concerns:
  - Device authorization
  - Software authorization
  - Security patch management
  - Malware prevention
  - Unauthorized physical access
  - Procedures for connecting to different impact level systems

Slide 11: Transient Devices (continued)
- SDT developed two additional definitions: Removable Media and Transient Cyber Assets
- Added CIP-010 Requirement R4 dealing with the issue
  - Detailed requirements in an attachment and measures in a separate attachment
  - Separated into three areas:
    - Transient Cyber Assets managed by the Responsible Entity
    - Transient Cyber Assets managed by other parties
    - Removable Media
- Modified CIP-004 Part 2.1 to address training on risks associated with Transient Cyber Assets and Removable Media

Slide 12: Transient Cyber Assets
Transient Cyber Asset: A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Slide 13: Transient Cyber Assets (continued)
Removable Media: Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.

Slide 14: Low Impact BES Cyber Systems
- FERC concerned with the lack of objective criteria for evaluating Low Impact protections
  - Introduces an unacceptable level of ambiguity and potential inconsistency into the compliance process
- Open to alternative approaches: "the criteria NERC proposes for evaluating a responsible entity's protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified."
- No detailed inventory required; a list of locations / Facilities is OK

Slide 15: Low Impact BES Cyber Systems (continued)
- SDT maintained all low impact requirements in CIP-003
- Low-only entities only need to comply with CIP-002 and CIP-003
- Added CIP-003 Part 1.2 dealing with security policy for low impact BES Cyber Systems
- Added Attachments dealing with the technical requirements and measures
- Kept the four original areas

Slide 16: Low Impact BES Cyber Systems (continued)
- Security Awareness: reinforce cyber security practices at least every 15 calendar months
- Incident Response: modeled from medium impact; 6 elements (of 9: collapsed process requirements and update requirements together; no documentation of deviations or specific record retention, but still need to demonstrate compliance)
- Physical Security: control physical access based on need

Slide 17: Low Impact BES Cyber Systems (continued)
[Slide content not captured in the transcription.]

Slide 18: Low Impact BES Cyber Systems (continued) - Electronic Security
- Two new definitions: LERC and LEAP
  - Similar to, but different from, the ERC and EAP concepts at medium and high impact
- Permit only necessary inbound and outbound bi-directional routable protocol access
- Authentication for all Dial-up Connectivity
- Seven reference model drawings showing LERC and LEAP in the Guidelines and Technical Basis section

Slide 19: Low Impact BES Cyber Systems (continued)
ERC - External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
LERC - Low Impact External Routable Connectivity: Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).

Slide 20: Low Impact BES Cyber Systems (continued)
EAP - Electronic Access Point: A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
LEAP - Low Impact BES Cyber System Electronic Access Point: A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.

Slides 21-27: Low Impact BES Cyber Systems (continued)
[Seven reference model drawings showing LERC and LEAP; figures not captured in the transcription.]

Slide 28: Implementation Plan
Phased implementation plan:
- IAC: no change (4/1/16)
- Communication Networks: 9 months after the effective date of the standard
- Transient Devices: 9 months after the effective date of the standard
- Low Impact:
  - Later of 4/1/17 or 9 months after the effective date of the standard for policy, plan, security awareness, and response
  - Later of 9/1/18 or 9 months after the effective date of the standard for physical and electronic security

Slide 29: Implementation Plan (NERC)
- April 1, 2016: CIP V5 approved effective date (V5 E-Date)
- Board adoption: IAC and CN revisions November 13, 2014; LI and TD revisions February 12, 2015
- Compliance dates by quarter in which FERC approves CIP V5 Revisions (CIPV5R):

| Standard / Requirement | Revision | 3Q15 | 4Q15 | 1Q16 |
|---|---|---|---|---|
| CIP-002-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-003-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-003-6, R1, part 1.1 | H/M - Policy | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-003-6, R1, part 1.2 | LI - Policy | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-003-6, R2 | LI - Plan | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-003-6, Att 1, Sect. 1 | LI - Sec Awareness | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-003-6, Att 1, Sect. 2 | LI - Phys Security | 1-Sep-18 | 1-Sep-18 | 1-Sep-18 |
| CIP-003-6, Att 1, Sect. 3 | LI - Elec. Access | 1-Sep-18 | 1-Sep-18 | 1-Sep-18 |
| CIP-003-6, Att 1, Sect. 4 | LI - Incident Resp | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-004-6 | TCA & RM added to Training | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-005-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-006-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-006-6, R1, part 1.10* | CN | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| CIP-007-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-007-6, R1, part 1.2* | CN, RM capitalized | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| CIP-008-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-009-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-010-2 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-010-2, R4 | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| CIP-011-2 | TCA & RM added to Guidelines | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| TCA, RM Glossary Terms | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| BCA, PCA Glossary Terms | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| LERC, LEAP Glossary Terms | LIA | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
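The phased rule on slide 28 and the per-quarter date table on slide 29 can be cross-checked with a short calendar calculation. The Python below is an added example, not part of the NERC presentation: it encodes the slide 28 rule (9 months after the standard's effective date, with the 4/1/17 and 9/1/18 Low Impact floors) and takes the three per-quarter effective dates as given from the slide 29 table, since the slides do not state how FERC approval maps to an effective date.

```python
import calendar
from datetime import date

# Dates stated on the Implementation Plan slides.
V5_EFFECTIVE_DATE = date(2016, 4, 1)          # IAC: no change
LOW_IMPACT_PHASE1_FLOOR = date(2017, 4, 1)    # policy, plan, awareness, response
LOW_IMPACT_PHASE2_FLOOR = date(2018, 9, 1)    # physical and electronic security
MONTHS_AFTER_EFFECTIVE = 9

# Effective date of the revised standards per quarter of FERC approval,
# read from the slide 29 table (only the 1Q16 column shifts to 1-Jul-16).
EFFECTIVE_DATE_BY_APPROVAL_QUARTER = {
    "3Q15": date(2016, 4, 1),
    "4Q15": date(2016, 4, 1),
    "1Q16": date(2016, 7, 1),
}


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping the day to the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def compliance_dates(effective: date) -> dict:
    """Apply the slide 28 phased plan to one standard effective date."""
    nine_months_out = add_months(effective, MONTHS_AFTER_EFFECTIVE)
    return {
        "IAC": V5_EFFECTIVE_DATE,
        "Communication Networks (CIP-006 1.10, CIP-007 1.2)": nine_months_out,
        "Transient Devices (CIP-010 R4)": nine_months_out,
        "Low Impact policy/plan/awareness/response":
            max(LOW_IMPACT_PHASE1_FLOOR, nine_months_out),
        "Low Impact physical/electronic":
            max(LOW_IMPACT_PHASE2_FLOOR, nine_months_out),
    }


def plan_by_approval_quarter() -> dict:
    """Rebuild the slide 29 columns from the slide 28 rule for a cross-check."""
    return {q: compliance_dates(eff)
            for q, eff in EFFECTIVE_DATE_BY_APPROVAL_QUARTER.items()}


if __name__ == "__main__":
    for quarter, dates in plan_by_approval_quarter().items():
        print(f"FERC approval in {quarter}:")
        for area, due in dates.items():
            print(f"  {area:<52} {due:%d-%b-%y}")
```

Running it reproduces the CN/TD rows (1-Jan-17 for 3Q15 and 4Q15, 1-Apr-17 for 1Q16) and shows why the Low Impact rows do not move between columns: the floors exceed nine months past either effective date.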

Slide 30: Current Status
- NERC Board approved responses to the IAC and Communication Networks directives on November 13, 2014
- NERC Board approved responses to the Low Impact and Transient Device directives on February 12, 2015
  - Board action adjusted version numbers to -6 and -2
- All four directive areas filed with FERC on February 13, 2015 (10-day extension granted due to the scheduled NERC Board meeting)
- FERC must go through its approval process

Slide 31: CIP Version Timeline (CIP Version / What?)
- July: Initial Ballot - "Version X" (IAC/CN only): CIP-003-X / CIP-010-X
- October: Additional Ballot and Final Ballot - CIP-003-6 / CIP-010-2 (IAC/CN only)
- November: Board Adoption - CIP-003-6 / CIP-010-2
- January: Additional Ballot and Final Ballot - CIP-003-7 / CIP-010-3 (Lows/Transients; 4 directives)
- February: Board Adoption - CIP-003-7 / CIP-010-3 (4 directives)
- FERC Filing 2/13/2015: CIP-003-6 / CIP-004-6 / CIP-006-6 / CIP-007-6 / CIP-009-6 / CIP-010-2 / CIP-011-2

Slide 32: References
- Project 2014-02 Development History: CIP Version 5 Revisions page: http://www.nerc.com/pa/stand/pages/project-2014-xx-Critical-Infrastructure-Protection-Version-5-Revisions.aspx
- CIP Version 5 Transition page: http://www.nerc.com/pa/ci/pages/transition-program.aspx

Questions
Scott Mix, CISSP, Senior CIP Technical Manager, Scott.Mix@nerc.net