CLARITY ASSURANCE RESULTS
MIDWEST RELIABILITY ORGANIZATION
Critical Infrastructure Protection 101: An Introduction to CIP Version 5
Richard Burt, MRO Principal Risk Assessment and Mitigation Engineer
MRO CIP Version 5 Workshop, February 11 and 17, 2015
Improving RELIABILITY and mitigating RISKS to the Bulk Power System

Introduction
- Purpose and history of the NERC Critical Infrastructure Protection (CIP) Standards
- Applicability of CIP Version 5 (V5)
- Key definitions
- Useful CIP V5 materials

Purpose of the NERC CIP Standards
- Address the security of cyber assets essential to the reliable operation of the bulk power system
- NERC CIP is the only set of mandatory cybersecurity standards in place across the critical infrastructures (water, gas, etc.) of the United States

History of the CIP Standards
- UA1200 (2003): High-level; prior to mandatory compliance
- CIP V1 (2008): First enforceable cybersecurity standards for the bulk power system, use of RBAM (Risk-Based Assessment Methodology) to determine Critical Assets
- CIP V2 (2009): Minor changes to CIP V1 (annual review of additional processes, removed ability to accept risk in lieu of requirements, etc.)
- CIP V3 (2010): Minor changes to CIP V2 (escort of visitors, etc.)
- CIP V4 (2012): Use of a Bright-Line Criteria (BLC) instead of RBAM; never became enforceable, due to timing of CIP V5
- CIP V5+ (2013): Impact Rating Criteria (IRC) instead of BLC or RBAM, changes in technical requirements, concept of Cyber Systems instead of Critical Cyber Assets (CCAs)

History of the CIP Standards: CIP Version 5
- CIP V5 increased the number of CIP Standards from eight (CIP-002 through CIP-009) to ten (CIP-002 through CIP-011)
  - CIP-002-5 through CIP-009-5
  - CIP-010-1
  - CIP-011-1

History of the CIP Standards: CIP Version 5
- When FERC approved CIP V5, it directed NERC to make changes
- So, CIP V5 will be the following Standards:
  - CIP-002-5.1
  - CIP-003-7
  - CIP-004-7
  - CIP-005-5
  - CIP-006-5
  - CIP-007-7
  - CIP-008-5
  - CIP-009-6
  - CIP-010-3
  - CIP-011-3

Applicability of CIP V5
- Like the rest of the NERC Standards, start with the definition of Bulk Electric System (BES)
- In general, the BES includes:
  - Transmission elements connected at 100kV or higher
  - Generation unit greater than 20MVA
  - Generation facility greater than 75 MVA
  - Blackstart Resources
- For more information, see NERC's BES Definition page
  - www.nerc.com -> Initiatives -> BES Definition
  - http://www.nerc.com/pa/rapa/pages/bes.aspx

BES Definition Resources

Applicability of CIP V5
- See MRO CIP Subject Matter Expert (SME) Team CIP-002-5.1 Standard Application Guide (SAG)
  - https://www.midwestreliability.org/mrodocuments/cip-002-5.1%20standard%20application%20guide.pdf

Applicability of CIP V5: Registration
- Functional Registration First
  - BA (Balancing Authority)
  - GO (Generator Owner)
  - GOP (Generator Operator)
  - IA (Interchange Authority)
  - TO (Transmission Owner)
  - TOP (Transmission Operator)
  - RC (Reliability Coordinator)

Applicability of CIP V5: Registration
- Functional Registration First (continued)
  - DP (Distribution Provider) with any of the following:
    - Underfrequency Load Shedding (UFLS) or Undervoltage Load Shedding (UVLS) that
      - Is part of a load shedding program, subject to NERC Standards; AND
      - Performs automatic load shedding under a common control system, without human operator initiation, of 300 MW or more
    - Special Protection Systems (SPS)/Remedial Action Scheme (RAS) subject to NERC Standards
    - Transmission Protection System subject to NERC Standards
    - Cranking Path

UFLS/UVLS CIP V5 Applicability
- Each UFLS or UVLS System that
  - Is part of a load shedding program that is subject to NERC Standards; AND
  - Performs automatic load shedding under a common control system owned by the entity, without human operator initiation, of 300 MW or more
- In other words, the standards are meant to apply security controls to prevent an attacker from compromising a single cyber asset/system and shedding 300MW or more

UFLS/UVLS Applicability Example
- Entity has 400MW of UFLS
  - 20 relays on separate feeders, with 20MW of load each
  - Each relay typically senses the local frequency and makes the determination to trip, independent of the other relays
- In this case, the most load that can be shed under a common control system is 20MW
- None of the UFLS relays in this example would be subject to CIP V5

Applicability of CIP V5
- If you are not a TO, TOP, GO, GOP, BA, RC, IA, or a DP with one of these types of systems, then CIP V5 does NOT apply
  - No need to go any further with determination of which Facilities are impacted
  - CIP V5 does not apply, not even Low Impact
- For everyone else, the focus is on the Impact Rating Criteria (Attachment 1 of CIP-002-5)

Impact Rating Criteria
- Attachment 1 is used to categorize all BES Cyber Systems as low, medium, or high impact
  - Only Control Centers can be high
  - Largest impact BES Facilities are medium
  - Everything not high or medium is low
- Number of applicable Requirements is related to the level of impact
  - With increasing numbers of Requirements applicable to higher-risk configurations and systems, such as those that can be accessed remotely through a routable connection such as TCP/IP
- Requirements for Low Impact BCS are in CIP-003

CIP Requirements Applicability, Color-Coded by System Type
Source: http://www.nerc.com/docs/standards/dt/table_of_cip_v5_applicable_systems.pdf

Requirements and Parts
- CIP V5 does not use sub-requirements
  - Requirements point to Parts
  - Parts are applicable to different types of BCSs
- Example, CIP-005 R1
  - Implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1

Guidelines and Technical Basis
- CIP-002-5.1 is 34 pages long
  - CIP-002-3 was 3 pages long
- CIP V5 Standards contain notes from the Standard Drafting Team (SDT) giving further guidance on the language of the Requirements, and why certain decisions were made in the drafting process
- There are some inconsistencies, which will be discussed later in this workshop
  - When in doubt, use the language of the Requirement

Guidelines and Technical Basis
- Example: CIP-002-5
  - Why was 300MW chosen as the threshold of UFLS/UVLS?
  - From Guidelines and Technical Basis section of CIP-002-5: "The SDT believes that the threshold should be lower than the 1500MW generation requirement since it is specifically addressing UFLS and UVLS, which are last ditch efforts to save the BES. A review of UFLS tolerances defined in UFLS program requirements to date indicates that the historical value of 300MW represents an adequate and reasonable threshold value."

NERC Glossary of Terms
- A number of new defined terms for CIP V5
  - http://www.nerc.com/files/glossary_of_terms.pdf
- These definitions are crucial to understanding and applying the CIP V5 requirements
- Retirement of:
  - Critical Asset (CA)
  - Critical Cyber Asset (CCA)

CIP V5 Key Definitions: Cyber Asset
- Cyber Asset
  - Programmable electronic devices, including the hardware, software, and data in those devices
- Examples
  - Computers
  - Intelligent Electronic Devices (IEDs)

CIP V5 Key Definitions: BES Cyber Asset
- BES Cyber Asset (BCA)
  - A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.
  - (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

BES Cyber Asset (BCA) Examples
- Microprocessor-based protective relay
- Data Concentrator
- Energy Management System (EMS) server
- System Operator Console

CIP V5 Key Definitions: BES Cyber System
- BES Cyber System (BCS)
  - One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
- Examples of BCS:
  - All protective relays at a substation
  - EMS
  - Generation Control System (GCS)
  - Windows servers in an EMS or GCS

BCA versus BCS
- A BCS is a group of BCAs
- Substation example:
  - Substation has three relays
  - Two are BCAs
  - BCS grouping is up to you (more on that later)
[Figure labels: BCS Option 1; BCS Option 2; Not a BCA since it's not a Cyber Asset]

CIP V5 Key Definitions: Dial-Up Connectivity (DUC)
- Dial-up Connectivity
  - A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link
- Just because a modem is being used, does not mean it is using DUC

CIP V5 Key Definitions: Physical Security Perimeter
- Physical Security Perimeter
  - The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled
- Examples include server rooms, substation control houses, etc.

CIP V5 Key Definitions: Electronic Security Perimeter
- Electronic Security Perimeter (ESP)
  - The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol
- Think of an ESP as a network boundary

CIP V5 Key Definitions: Electronic Access Point
- Electronic Access Point (EAP)
  - A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter
- Example of PSP, ESP, EAP:

CIP V5 Key Definitions: Physical Access Control Systems
- Physical Access Control Systems (PACS)
  - Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers

CIP V5 Key Definitions: Electronic Access Control or Monitoring Systems
- Electronic Access Control or Monitoring Systems (EACMS)
  - Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber System(s)
  - Includes Intermediate Systems

CIP V5 Key Definitions: Protected Cyber Asset
- Protected Cyber Asset (PCA)
  - One or more Cyber Assets connected using a routable protocol within or on an ESP that is not part of the highest impact BCS within the same ESP
  - The impact rating of a PCA is equal to the highest rated BCS in the same ESP
  - A Cyber Asset is not a PCA if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes

Protected Cyber Assets: High Watermark
- PCAs are used to implement a High Watermark concept
- Even though they are not a BCA, they must be protected if they are in the ESP with a BCS that is not Low Impact
[Figure label: PCA]

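The high-watermark rule and the PCA definition from the two slides above, worked through on an asset inventory. This is an added example, not part of the original presentation; the `Asset` fields, the role labels and the sample inventory are constructed assumptions.

```python
from collections import namedtuple

# Hypothetical inventory record; field names are assumptions for this example:
#   esp       - ESP the asset is routably connected to, or None
#   bcs       - impact rating of the BCS the asset belongs to, or None
#   temp_days - consecutive days connected for data transfer, vulnerability
#               assessment, maintenance or troubleshooting; None if permanent
Asset = namedtuple("Asset", "name esp bcs temp_days")
RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample inventory, not real data.
INVENTORY = [
    Asset("ems-server",      "ESP-CC",  "high",   None),
    Asset("historian",       "ESP-CC",  None,     None),
    Asset("vendor-laptop",   "ESP-CC",  None,     12),
    Asset("test-bench-pc",   "ESP-CC",  None,     45),
    Asset("relay-gateway",   "ESP-SUB", "medium", None),
    Asset("network-printer", "ESP-SUB", None,     None),
    Asset("corp-desktop",    None,      None,     None),
]

def high_watermarks(assets):
    """Highest BCS impact rating present in each ESP."""
    marks = {}
    for a in assets:
        if a.esp and a.bcs and RANK[a.bcs] > RANK.get(marks.get(a.esp), 0):
            marks[a.esp] = a.bcs
    return marks

def classify(assets):
    """Return {name: (role, rating)} following the PCA definition above."""
    marks = high_watermarks(assets)
    result = {}
    for a in assets:
        mark = marks.get(a.esp)
        if a.bcs:
            # A member of a lower-rated BCS is "not part of the highest
            # impact BCS" in its ESP, so it inherits the ESP's mark as well.
            result[a.name] = ("BCA", mark or a.bcs)
        elif mark is None:
            result[a.name] = ("no BCS in ESP", None)
        elif a.temp_days is not None and a.temp_days <= 30:
            result[a.name] = ("transient, not a PCA", None)
        else:
            result[a.name] = ("PCA", mark)
    return result

if __name__ == "__main__":
    for name, verdict in classify(INVENTORY).items():
        print(name, verdict)
```

The 45-day test bench exceeds the 30-day exclusion and is rated with the EMS server's ESP, while the 12-day vendor laptop is not a PCA.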
Other Definitions
- BES Cyber System Information
- CIP Exceptional Circumstance
- CIP Senior Manager
- Cyber Security Incident
- External Routable Connectivity
- Interactive Remote Access
- Intermediate System
- Reportable Cyber Security Incident

Useful CIP V5 Materials
- Already Mentioned
  - MRO CIP SME Team CIP-002-5.1 SAG
  - NERC BES Definition
  - NERC Glossary of Terms
  - Table of CIP V5 Applicable Systems
  - Guidelines and Technical Basis section of Standards
- NERC CIP V5 Transition Program Page
  - www.nerc.com -> Initiatives -> CIP V5 Transition
  - http://www.nerc.com/pa/ci/pages/transition-program.aspx

NERC CIP V5 Transition Page

Questions?