Josh Reber Associate Compliance Auditor, Cyber Security. CIP Personnel & Training September 9, 2015 CIP Advanced Workshop Salt Lake City, UT

Size: px

Start display at page:

Download "Josh Reber Associate Compliance Auditor, Cyber Security. CIP Personnel & Training September 9, 2015 CIP Advanced Workshop Salt Lake City, UT"

Julian Nash
6 years ago
Views:

1 Josh Reber Associate Compliance Auditor, Cyber Security CIP Personnel & Training September 9, 2015 CIP Advanced Workshop Salt Lake City, UT

2 Agenda Applicability Implementation CIP R1-R5 Overview Audit Approach Tips *This presentation will be on the WECC website for future reference. 2

Compliance is like an onion Positives: Important

an organization Improves overall health of the BES

Makes people cry Known to aggravate certain medical

3 Compliance is like an onion Positives: Important ingredient in the stew of reliability Adds flavor to an organization Improves overall health of the BES Peel back layers of evidence Negatives: It stinks Makes people cry Known to aggravate certain medical conditions Causes indigestion Can be dry Carr, Compliance Auditor

4 Goal Communicate WECC s audit approach for each Requirement of CIP

5 CIP Purpose To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems. 5

6 Policy, Program, Process, Procedure Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure. 6

7 CIP Acronym Soup HIBESCS MIBESCS HIBESCSATAEACMSAPACS HIBESCSATAEACMS MIBESCSWERCATAEACMSAPACS 7

8 CIP Applicability HIBESCS High Impact BES Cyber Systems (R1) MIBESCS Medium Impact BES Cyber Systems (R1) HIBESCSATAEACMSAPACS High Impact BES Cyber Systems and their associated EACMS and PACS (R2-R5 except 5.5) HIBESCSATAEACMS High Impact BES Cyber Systems and their associated EACMS (Part 5.5 only) MIBESCSWERCATAEACMSAPACS Medium Impact BES Cyber Systems with external routable connectivity and their associated EACMS and PACS (R2-R5 except 5.5) 8

9 CIP Implementation By April 1, 2016 CIP R1-R5 except as noted below On or before July 1, 2016: CIP-004-6, R4, Part 4.2 On or before April 1, 2017: CIP-004-6, R2, Part 2.3 CIP-004-6, R4, Part 4.3, Part 4.4 Within 7 years after last PRA performed: CIP-004-6, Requirement R3, Part 3.5 9

10 CIP R1 Overview Security Awareness Program Reinforce cyber (and physical) security practices Once each calendar quarter High & Medium BESCS 10

11 CIP R1 Audit Approach Documented process covering all of R1 Quarterly reinforcement Evidence demonstrating: Content Delivery method 11

12 CIP R1 Tips Informational program reinforcing logical and physical security practices Strong awareness programs leverage various content and content delivery methods R1 applies to High and Medium BES Cyber Systems 12

13 CIP R2 Overview Cyber security training specific to roles, functions, responsibilities Training content specified in Train PRIOR to granting access Refresh annually (at least 1x/15 months) High & Medium (w/erc) BESCS + EACM + PACS 13

14 14 Training

15 CIP R2 Audit Approach Documented role-based training programs e.g. Sys Admin vs. Operator vs. Security Guard Does training cover ? Validate training prior to access Compare dates Validate annual refresh Review controls in place to ensure timely delivery of training and annual refreshers 15

16 CIP R2 Tips You have flexibility to develop customized/personalized training program(s) Don t get too granular with role-based training Not intended to be technical training CIP Exceptional Circumstances consider how it applies to your organization 16

17 Quiz Time!! All programs and policies specified throughout CIP require CIP Senior Manager approval. False 17

18 CIP R3 Overview Personnel risk assessment Confirm identity 7-year criminal history check Process & criteria to evaluate results PRAs for contractors & vendors Renewal process 18

19 19 Personnel Risk Assessment

20 CIP R3 Audit Approach Documented PRA process does it include: Identity validation 7-year criminal history Supporting documentation if 7 years cannot be completed Evaluation of results Tracking PRA dates - initial & renewal Evaluate controls in place to ensure timely completion, renewal, and tracking of PRAs 20

21 CIP R3 Tips Criteria or process to evaluate criminal history (3.3) is NEW clearly identify criteria or evaluation process & associated outputs Check that PRA dates are PRIOR to access granted dates Be prepared to request PRA evidence from vendors & contractors PRAs performed for v3 don t need to be redone for v5 21

22 CIP R4 Overview Access Management Program Access authorization process covering: Cyber Physical BES Cyber System Information Quarterly verification of authorization Annual verification of: Privileges to BES Cyber Systems Access to BCSI 22

23 23 Access Management

24 CIP R4 Audit Approach Documented access management program does it address all aspects of , including deliverables? Validate quarterly & annual reviews Validate access grants against system records Evaluate controls related to access list maintenance, and quarterly & annual reviews 24

25 CIP R4 Tips Work towards evolving beyond spreadsheets and paper forms Continue tracking individuals and their role-based access rights Consider separation of duties: provisioner vs. reviewer 25

26 CIP R5 Overview Documented access revocation process Terminations Initiate removal of ability for physical and interactive remote access immediately and complete w/in 24 hours Revoke logical/physical access to designated storage locations by end of next calendar day Revoke non-shared user accounts w/in 30 days Change shared account passwords w/in 30 days Transfers/Reassignments: Revoke logical & physical access by end of next business day Change shared account passwords w/in 30 days 26

27 27 Access Revocation

28 CIP R5 Audit Approach Processes for terminations and transfers/reassignments Do the processes cover everything in 5.1 through 5.5? Do your processes point to procedures detailing how each action is carried out? Proof of performance: records, lists, screenshots, tickets, s, system reports, forms, etc. 28

29 CIP R5 Tips NEW designated storage locations, whether physical or electronic, for BES Cyber System Information identify and document NEW extenuating operating circumstances (changing shared account passwords 5.5) define, document, and track Part 5.5 only applies to High Impact BES CA and associated EACMS Workflow diagrams are an auditors best friend 29

30 Resources, References, & Light Reading NERC v3 to v5 mapping document (pp. 8-11) FERC Order 791 (pp ) 2011 v5 SDT Presentation (pp ) 30

31 Questions? Josh Reber Associate Compliance Auditor, Cyber Security O: M:

Cover Your Assets in Version 5. August Webinar #CIPv5

Hosted By: Sponsored By: Cover Your Assets in Version 5 August 21 2013 Webinar Welcome! Why are we doing this webinar? The transition from CIP v3 to v5 is a big deal Bright line criteria require new attention