Cover Your Assets in Version 5. August Webinar #CIPv5

Transcription

1 Hosted By: Sponsored By: Cover Your Assets in Version 5 August Webinar

2 Welcome! Why are we doing this webinar? The transition from CIP v3 to v5 is a big deal Bright line criteria require new attention to detail Terminology and methodologies changes abound! Today s agenda: Tom Alrich will walk us through CIP Steve Parker will address the Implement, Assess and Correct Twitter Accounts: Steve Parker EnergySec Honeywell 2

3 Your Presenters Tom Alrich is part of the Honeywell Process Solutions industrial cyber security team, focusing on the energy sector and especially electric power. He has been involved with industrial cyber security and especially NERC CIP compliance since Tom has spent most of his career in the IT industry, primarily in services for networking and cyber security. Tom has a BA in Economics from the University of Chicago. He lives in Evanston, Illinois. Steven Parker is President of Energy Sector Security Consortium (EnergySec). He was part of the grassroots effort that led to the formation of EnergySec, and has served on its board of directors since Steven holds the CISA and CISSP certificates. Steve was formerly a Senior CIP Compliance Auditor at WECC and has implemented the CIP standards as an employee of a large utility in the Western US. Your host: Stacy Bresler. Currently, the co-principal investigator for the National Electric Sector Cybersecurity Organization and the Vice-President of Outreach and Operations at EnergySec. 3

4 Disclaimer Any opinions expressed by Tom Alrich are not necessarily those of Honeywell International, Inc. For that matter, Steve Parker s opinions aren t Honeywell s, either. 4

5 Timetable for CIP Version 5 V5 will very likely be approved by 4/1/2014, perhaps even in At the same time, FERC will likely order changes, to be made in 6-9 months (?) in a new filing This will probably be called CIP V6, and will be what you have to comply with. V6 will be approved by FERC late 2014 or 1H2015? Compliance date for Highs/Mediums may be just one year from V6 approval (early-mid 2016?) Compliance date for Lows 2017 or 2018? 5

6 CIP-002-6? FERC s NOPR didn t raise direct questions about CIP-002. However, my own examination makes me believe the standard is impossible to follow as written. I have proposed a rewritten version to make clear what I believe was the intent of the SDT all along (I m not saying the intent was bad, but that it wasn t expressed well in the standard). I m not assuming in this webinar that my version will see the light of day. I will simply do my best to describe what needs to be done to follow CIP as it now stands. 6

7 The Basic Steps These are the 3 steps we believe you need to take to comply with CIP-002-5: 1. Decide if you re in or out for Version 5 (Sections 4.1 and 4.2). 2. Go through Attachment 1 to decide what Facilities/ Assets are in scope and whether they re High, Medium or Low impact. 3. Identify BES Cyber Assets, PACS, EAMCS at each High/Medium facility. Group BES Cyber Assets into BES Cyber Systems as desired. 4. Mix well and add sugar (you ll need it!). 7

8 The Details: Step 1 Section 4.1 lists NERC entity types that are in scope for CIP Version 5. DP s are in there (LSE s aren t). However, DP s only have to comply if they have four specific types of Facilities. Section 4.2 says all Facilities at covered entities are in scope as High, Medium or Low impact. Except for pure DP s for them, only the four Facilities shown are in scope for Version 5. 8

9 The Details: Step 2 For each Facility in scope, run down Attachment 1 and decide if it s High, Medium or Low impact. Everything not High or Medium is Low. Substations: You can slice and dice them if they contain both Transmission and Distribution elements. Only the former will be the BES Facility. However, the networks will need to be separated! We could easily do another webinar just on the bright line criteria. 9

10 The Details: Step 3 (slide 1) (now comes the really fun part ) Read the definition of BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. 10

11 The Details: Step 3 (slide 2) Now re-read the definition; and re-reread it. In some ways, it s like the definition of Critical Cyber Asset ( essential to the operation of the facility). Note: unavailable, degraded or misused the cyber asset doesn t have to be completely lost. Maybe it s just doing half of what it should; it s still a BCA. Don t take 15 minutes too seriously now FERC didn t like it in their NOPR and may order it removed. 11

12 The Details: Step 3 (slide 3) Ignore the sentence in parentheses about 30 days or less. FERC really doesn t like that. It likely won t survive in V6. Now group BES Cyber Assets into BES Cyber Systems. You have complete discretion in doing that. Really. You can: a) make every BCA its own BCS; b) group some BCA s into BCS s; or c) group all BCA s into BCS s. A BCS just has to be a single system (historian, DCS, EMS, etc). But you can t group differently in different standards. Now classify by Facility ranking. In general, all BES Cyber Systems at a High or Medium facility will be High or Medium (mileage may vary). Same for Lows. 12

13 Other Cyber Asset Types Besides BES Cyber Systems, there are three other types of cyber assets you need to identify: Physical Access Control Systems (PACS), Electronic Access Control or Monitoring Systems (EACMS), and Protected Cyber Assets (PCA). Each of these types has particular requirements that apply to it. You need to read the Definitions document and decide which cyber assets fall into these categories. In the PCA definition, you should ignore the last sentence like in the definition of BES Cyber Asset. 13

14 What about Lows? I m glad you asked that question. Version 5 says multiple times that no inventory of cyber assets at Low impact assets is needed. FERC says in their NOPR that it is needed. There were many comments to FERC saying no inventory should be required for Lows. What will happen? We don t know, but we will when FERC approves Version 5. Be prepared to have to inventory all your Lows. Start now if it will be a huge job. 14

15 On Routable Protocols You probably know this already: no more exemption of facilities without external routable protocol. However, facilities without ERP don t have as many requirements as those with ERP. You probably don t know: There s a big change regarding networks within Facilities in V5. In CIP V1-4: you should group CCA s in one network (the ESP) and put other assets in separate networks. In V5, all networked cyber assets at the Facility have to be within an ESP (CIP R1.1). It doesn t matter what network they re on. At H/M facilities, cyber assets not networked with BES Cyber Systems may be classified as Low impact. 15

16 The BROS BES Reliability Operating Services are described in the CIP Guidelines and Technical Basis section (pp. 17ff). They list services performed by BES Facilities and the types of systems that may support them. E.g. Controlling Voltage is a BROS; Automatic Generation Control supports it. BROS are no longer part of the standard, but can help identify BES Cyber Systems at a Facility. Expect the auditors will use BROS Go thou and do likewise. 16

17 Questions? Coming soon: three white papers on preparing for CIP Version 5 (link will be sent to all attendees) 17

18 Identify, Assess, and Correct Discussion of the IAC language in version 5 of the CIP standards. Review FERC s concerns regarding this language Review NERC s comments on FERC s concerns Provide my assessment (best guess) of what this all means 18

19 Background 17 requirements in version 5 of the CIP standards require entities to implement procedures, in a manner that identifies, assesses, and corrects deficiencies,... Relates to High Frequency Security Obligations This language is an attempt by the drafting team to address requirements which require perfection (zero defect approach) 19

20 Requirements with IAC language CIP R2,4 Security Policies, Delegations CIP R2,3,4,5 Training, PRAs, Access Management, Access Revocation CIP R1,2 Physical Security Plan, Visitor Control Program CIP R1,2,3,4,5 Ports and Services, Patch Management, Malicious Code Prevention, Security Event Monitoring, System Access Control CIP R2 Recovery Plan Testing and Implementation CIP R1,2 Configuration Change Management, Configuration Monitoring CIP R1 Information Protection 20

21 FERC Concerns IAC language is too vague to be audited It is not clear to what extent [the IAC language] permits [evaluation of] the adequacy of an entity s processes or against what criteria they would be evaluated One requirement or two? Does the IAC language excuse violations that are corrected? 21

22 Steve s Questions What is a deficiency? Is a deficiency a violation? Is 100% compliance still required? What is a high vs. low risk deficiency? Does this approach increase the subjectivity of audits? 22

23 What is a deficiency? The term deficiency is not defined. The standard drafting team did not create a specific definition for the terms identify, assess, correct, or deficiency. Not clear whether it is a violation, or some other weakness, or areas for improvement. Discussion in background section of standards suggests deficiency == violation. Discussion in NERC NOPR comments suggest deficiency may!= violation. 23

24 Is a deficiency a violation? Background notes from V5 standards docs not focus on individual instances of failure as a sole basis for violating the standard. The intent is to change the basis of a violation in those requirements so that they are not focused on whether there is a deficiency, but on identifying, assessing, and correcting deficiencies. NERC comments on FERC NOPR The self-correcting language does not affect the enforceability of the underlying obligations in the applicable requirements. In requirements where the self-correcting language is used, the selfcorrecting language does not affect the underlying obligation in the requirement to achieve the Technical Parts. And more 24

25 Is 100% compliance still required? Example from NERC comments on FERC NOPR: Version 4: logs be collected twenty-four hours per day, seven days a week, essentially mandating a 100% up-time for the central logging server that is collecting and managing the logs. Version 5: focus on the act of collecting the logs. i.e. the documented process meets the Technical Part Depending on the facts and circumstances of the deficiency, there may be a potential violation if actual performance does not meet the Technical Parts. 25

26 What is a high vs. low risk deficiency? This distinction is not made in the standards documents. In the sample RSAW, deficiencies referred to potential noncompliance however, not all deficiencies would be treated as possible However, while the correction of lesser risk deficiencies would be documented for review [by the CEA], entities would be expected to continue to self- report higher risk deficiencies. Not requiring the individual reporting and processing of corrected lesser risk deficiencies will result in resource savings NERC will address what constitutes a higher and lesser risk deficiency in the compliance filing. 26

27 Audit Subjectivity [Compliance with IAC] would be reviewed by an auditor. This review will require a heightened level of discretion and use of professional judgment by auditors. NERC and the Regional Entities will train auditors and develop guidance to provide for consistent and effective auditing practices across the ERO. Additionally, the self-correcting language was intended to work in concert with a compliance approach The compliance approach will be defined sometime in the future 27

28 Contact Us Tom Alrich Steve Parker Website: Website: Blog: @es_shp LinkedIn: All of us 28

29 Thank you! Upcoming Events Sept Denver, CO EnergySec 9 th Annual Security Summit Register hqp://grids.ec/summit9 October 9 Dallas, Tx NERC CIP- 005/CIP- 007 Deep Dive Training Register - hqp://grids.ec/dallasciptraining For more informayon about Honeywell s Vendor- Independent Cyber Security and NERC CIP services: Tom Alrich tom.alrich@honeywell.com December 4 Sacramento, CA NERC CIP- 005/ CIP- 007 Deep Dive Training Register - hqp://grids.ec/sacciptraining 29