CIP-010-1 R1 & R2: Configuration Change Management
June 3, 2014
Steven Keller
Lead Compliance Specialist - CIP
skeller.re@spp.org
501.688.1633
Outline
- What is CIP-010-1?
- How is it different from CIP-003-3 R6?
- Focus on CIP-010-1's Change Management sections (R1 & R2)
- Evidence we like to see, and best practices
What is CIP-010-1, and what does it bring?
- Updated Configuration Change Management and Vulnerability Assessments
- Development of baselines
- Examples of evidence
CIP-010-1 R1 Baselines
Develop a baseline configuration:
- All software on each machine or group of machines
- High and Medium BES Cyber Systems
- Audit trail of changes to the baseline (change management record trail)
Understand what is on your systems and prevent any unauthorized changes.
CIP-010-1 R1.1 Baseline
Develop a baseline for all High or Medium BES Cyber Systems and their associated Electronic Access Control and Monitoring Systems (EACMS), Physical Access Control Systems (PACS) and Protected Cyber Assets (PCA).
Baselines must have:
- OS or firmware
- All commercial software and/or open source software
- Any custom software
- Logical network accessible ports
- List of all security patches applied to the software listed above
CIP-010-1 R1.1 Baseline
Risk: Unauthorized software on a BES Cyber System
Internal Control Type: Supports detective controls
Sample Evidence:
- Spreadsheet identifying the baseline for each asset/group
- Records from an asset management system
- Documentation in a change management system
CIP-010-1 R1.2 Document Changes
Authorize and document deviations from the existing baseline.
Risk: Having changes that are not authorized
Internal Control Type: Preventive
Sample Evidence:
- Change request record that shows what changed from the existing baseline
- Authorization must be performed by a person/group with authority
Best practice*: Document how your change management system works
* Best practices are suggested by SPP RE staff but are NOT required by the standard
CIP-010-1 R1.3 30 Days
Must update the baseline within 30 DAYS of a change.
Risk: Undetected changes to your system
Internal Controls: Detective
Sample Evidence:
- Evidence that the baseline was updated within 30 days of the change, such as a ticket or revision history
Best practices:
- Document how your baselines are updated
- Maintain a version history
- Update your baseline concurrently as you are testing the change
CIP-010-1 R1.4 Deviations of Baseline
What could be impacted by the change?
- CIP-005-5 (access permissions, malicious communications, and remote access)
- CIP-007-5 (ports, malicious code, logging, shared accounts)
Provide evidence that the change will not adversely affect the BES Cyber Systems in question.
Risk: Undetected baseline deviations (you didn't pre-identify an impacted CIP-005-5 or CIP-007-5 control and therefore did not test it)
Internal Controls: Detective
Sample Evidence:
- List of cyber security controls that were verified/tested, and the date tested
Best Practices: CIP-010-1 R1.4 Deviations of Baseline
- Test all controls every time you make a change, even the controls you don't think will be affected
- Automate testing if possible
- Have a different group or a third party test changes or review test results, to verify nothing gets missed
CIP-010-1 R1.5 Testing of Changes
Risk: Loss of High Impact systems due to a faulty change
Internal Controls: Preventive
Sample Evidence:
- List of cyber security controls that were verified/tested, and successful test results
- If using a test environment, you must document any differences from production
CIP-010-1 R1.5 Testing of Changes
- Only applies to High Impact BES Cyber Systems
- For each identified deviation from the baseline, test the change in either a test or a production environment before implementing it
- Document test results
- Show how the cyber security controls for CIP-005-5 and CIP-007-5 are not adversely affected
Best Practices - CIP-010-1 R1.5 Testing of Changes
- Checklists are GOOD!
- Document your actual test results
- The test environment should replicate production, including fail-over capability
- Test PCAs and Medium- and Low-impact BES Cyber Systems, not just High
CIP-010-1 R2 Configuration Monitoring
Monitor changes to the baseline for each High Impact BES Cyber System and its associated EACMS and/or PCA:
- Must be done every 35 days
- Investigate unauthorized changes that are detected
Risk: Undetected changes to your system
Internal Controls: Detective
Sample Evidence:
- Monitoring system logs
- Investigation records
- Records of investigations (work orders or raw data)
Best Practices: CIP-010-1 R2 Configuration Monitoring
- Daily monitoring is good, but real-time monitoring is BETTER!
- Document how you are monitoring the baselines and detecting changes
- Document how you will handle an unauthorized change
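As an added example (not SPP RE tooling or evidence from the deck), the script below ties the R1.1 baseline elements, the R1.2 authorization record, the R1.3 30-day update window and the R2 35-day monitoring check together in one place: it holds an approved baseline for one asset, diffs it against an observed snapshot element by element, drops the deviations that an authorized change record already covers, and returns what is left as the investigation queue. The asset name, software, port, patch and date values are constructed, and the "monitoring job" that would collect the observed snapshot is assumed to exist.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Baseline:
    """One R1.1 baseline record for an asset (or group of assets)."""
    asset: str
    os_firmware: str
    commercial_software: frozenset  # commercial and open source packages
    custom_software: frozenset
    open_ports: frozenset           # logical network accessible ports, e.g. "tcp/22"
    patches: frozenset              # security patches applied to the software above
    last_updated: date              # date this baseline record was last revised


@dataclass(frozen=True)
class ChangeRecord:
    """An R1.2 authorization record for one deviation, plus the R1.4/R1.5 test evidence."""
    asset: str
    element: str            # which baseline element changed
    action: str             # "added" or "removed"
    item: str
    authorized_by: str
    change_date: date
    tested_controls: tuple  # CIP-005-5 / CIP-007-5 controls verified for this change


SET_ELEMENTS = ("commercial_software", "custom_software", "open_ports", "patches")


def diff_baseline(approved: Baseline, observed: Baseline) -> dict:
    """Compare an observed snapshot with the approved baseline, element by element."""
    deviations = {}
    if approved.os_firmware != observed.os_firmware:
        deviations["os_firmware"] = {"added": [observed.os_firmware],
                                     "removed": [approved.os_firmware]}
    for element in SET_ELEMENTS:
        added = getattr(observed, element) - getattr(approved, element)
        removed = getattr(approved, element) - getattr(observed, element)
        if added or removed:
            deviations[element] = {"added": sorted(added), "removed": sorted(removed)}
    return deviations


def unauthorized_deviations(asset: str, deviations: dict, records: list) -> list:
    """Deviations with no authorized change record: the R2 investigation queue."""
    covered = {(r.element, r.action, r.item)
               for r in records if r.asset == asset and r.authorized_by}
    return [(element, action, item)
            for element, delta in deviations.items()
            for action in ("added", "removed")
            for item in delta[action]
            if (element, action, item) not in covered]


def baseline_update_overdue(record: ChangeRecord, baseline: Baseline, today: date) -> bool:
    """R1.3: the baseline must be revised within 30 days of an authorized change."""
    revised_since_change = baseline.last_updated >= record.change_date
    return not revised_since_change and today > record.change_date + timedelta(days=30)


def monitoring_overdue(last_check: date, today: date) -> bool:
    """R2: High Impact systems must be checked against their baseline at least every 35 days."""
    return today - last_check > timedelta(days=35)


# Constructed sample data: the asset, packages, ports, patches and dates are made up.
APPROVED = Baseline(
    asset="EMS-APP-01", os_firmware="ExampleOS 7.2",
    commercial_software=frozenset({"ems-server 4.1", "java-runtime 8"}),
    custom_software=frozenset({"scada-poller 1.0"}),
    open_ports=frozenset({"tcp/22", "tcp/443"}),
    patches=frozenset({"PATCH-2014-001"}),
    last_updated=date(2014, 4, 1),
)
OBSERVED = Baseline(  # snapshot as a hypothetical monitoring job would report it
    asset="EMS-APP-01", os_firmware="ExampleOS 7.2",
    commercial_software=frozenset({"ems-server 4.1", "java-runtime 8", "remote-tool 2.3"}),
    custom_software=frozenset({"scada-poller 1.0"}),
    open_ports=frozenset({"tcp/22", "tcp/443", "tcp/3389"}),
    patches=frozenset({"PATCH-2014-001", "PATCH-2014-002"}),
    last_updated=date(2014, 6, 3),
)
RECORDS = [ChangeRecord(
    asset="EMS-APP-01", element="patches", action="added", item="PATCH-2014-002",
    authorized_by="J. Doe (CIP change board)", change_date=date(2014, 5, 1),
    tested_controls=("CIP-007-5 ports and services", "CIP-005-5 electronic access"),
)]
AS_OF = date(2014, 6, 3)


def example_findings() -> list:
    """Deviations on EMS-APP-01 that nobody authorized; each needs an R2 investigation."""
    return unauthorized_deviations("EMS-APP-01", diff_baseline(APPROVED, OBSERVED), RECORDS)


def example_deadlines() -> dict:
    """R1.3 and R2 timing checks for the sample asset as of AS_OF."""
    return {
        "baseline_update_overdue": baseline_update_overdue(RECORDS[0], APPROVED, AS_OF),
        "monitoring_overdue": monitoring_overdue(date(2014, 4, 20), AS_OF),
    }


if __name__ == "__main__":
    for element, action, item in example_findings():
        print(f"INVESTIGATE {element}: {action} {item}")
    print(example_deadlines())
```

On the sample data the authorized patch drops out of the queue, while the unexplained package and the new listening port remain as findings. Both timing checks come back overdue: the patch was authorized on May 1 but the baseline record still carries its April 1 revision date, and the last monitoring pass was more than 35 days before June 3. The tuple of tested controls on the change record is what an auditor would ask to see alongside the authorization, so it is kept on the same record rather than in a separate spreadsheet.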
Summary
- Baseline configurations are now required for all assets within your BES Cyber System
- Know what's on your system!
- Test your changes fully and deeply to ensure application functionality
- Changes that aren't fully vetted can have major adverse impacts, such as to EMS systems
Steven Keller
Lead Compliance Specialist - CIP
501-688-1633