Update on Supply Chain Risk Management [SCRM] Standard


Update on Supply Chain Risk Management [SCRM] Standard
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC Compliance Workshop, Portland OR, November 14, 2017

Speaker Credentials
Electrical Utility Experience (45 years):
- Senior Compliance Auditor, Cyber Security
- IT Manager & Power Trading/Scheduling Manager
- IT Program Manager & Project Manager
- NERC Certified System Operator
- Barehand Qualified Transmission Lineman
Educational Experience:
- Degrees earned: Ph.D., MBA, BS-Computer Science
- Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM
Academic & Technical Course Teaching Experience (20+ years):
- Business Strategy, Leadership, and Management
- Information Technology, IT Security, and Project Management
- PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
- CIP Compliance workshops and other outreach sessions

Impact to Reliability
Ensure entities are aware of new CIP Compliance Requirements and identify WECC's potential audit approach to guide and inform the implementation period for CIP-013-1.

Agenda
- CIP-013-1 SCRM Standard: Where have we been? Where are we now? Where are we going?
- SCRM related changes for other Standards: CIP-005-6 (Part 2.4 - vendor remote access); CIP-010-3 (Part 1.6 - software integrity & authenticity)
- SCRM Implementation Plan
- SCRM Preliminary Audit Approach
- Questions

What is SCRM?
Project 2016-03 Cyber Security Supply Chain Risk Management (NERC, 2017, Project Website)
FERC (2016) directed NERC to develop a forward-looking, objective-based Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations (Order 829, P. 2, p. 49879).

What is SCRM?
Order 829 described four key security objectives [SO] for SCRM:
1. Software integrity and authenticity;
2. Vendor remote access;
3. Information system planning; and
4. Vendor risk management and procurement controls.
A Standard Drafting Team (SDT) was set up to develop CIP-013-1.
Footnote: See FERC Order 829 (PP. 48-62, pp. 49885-49887) for Security Objective details.

Where Have We Been? First Posting
- R1: Procurement plans, processes, controls, and methodologies [SO-1; SO-2; SO-3; SO-4]
- R2: Plan reviews at least every 15 months, with updates as necessary [Order 829, P. 47]
- R3: Process(es) for verifying integrity and authenticity of software and firmware for High and Medium BCS [SO-1]
- R4: Process(es) for controlling vendor remote access to High and Medium BCS [SO-2]
- R5: Cybersecurity policies for Low impact BES Assets [SO-1; SO-2]

What Happened? The First Ballot
A record-setting first ballot rejection by industry, with major objections to or concerns about:
- Inclusion of Low impact BES Assets did not align with the other CIP Standards, which focus on High and Medium BCS
- Unclear vendor cooperation expectations
- Combination of plan development and implementation
- Ensure CIP-013-1 does not require entities to renegotiate or abrogate existing contracts (i.e., forward-looking as of the effective date)

What Happened? After the Ballot
The SDT changed direction to:
- Focus on High and Medium BCS only,
- Retain SCRM procurement planning, reviews/approvals, and implementation in CIP-013-1, and
- Work with other SDTs to incorporate SCRM security objective language into other Standards, where applicable: CIP-005-6 (added Parts 2.4 & 2.5); CIP-010-3 (added Part 1.6)

Where Are We Now? CIP-013-1: R1.1
R1. Focuses on SCRM procurement plans for High and Medium BCS
R1.1. Develop processes used in planning procurement to identify and assess cyber security risks to the BES from vendor products or services resulting from:
i. Procuring and installing vendor equipment and software; and
ii. Transitions from one vendor to another vendor

Where Are We Now? CIP-013-1: R1.2
R1.2. One or more processes used in procuring High and Medium BCS to address, as applicable, for products or services supplied to the entity that pose cyber security risk to the entity:
R1.2.1. Notification by vendor of vendor-initiated incidents;
R1.2.2. Coordination of responses to vendor-initiated incidents;
R1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor representative(s);
R1.2.4. Disclosure by vendors of known vulnerabilities;
R1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES;
R1.2.6. Coordination of controls for: i. Vendor-initiated Interactive Remote Access, and ii. System-to-system remote access with a vendor.

Where Are We Now? CIP-013-1: R2
R2. Each entity shall implement its SCRM plan specified in R1.
- Implementation does not require entities to renegotiate or abrogate existing contracts, including amendments to master agreements and purchase orders.
- These issues are beyond the scope of R2: 1) the actual terms and conditions of a procurement contract, and 2) vendor performance and adherence to a contract.

Where Are We Now? CIP-013-1: R3
R3. Each entity shall review and obtain CIP Senior Manager or delegate approval of its SCRM plan specified in R1 at least once every 15 calendar months.
The implementation plan calls for the R3 initial review and CIP Senior Manager or delegate's approval of the R1 SCRM plan to occur on or before the effective date of CIP-013-1 (NERC, 2017 July, Implementation Plan, p. 3).

Where Are We Going? Second Ballot
- Final Ballot closed on July 20, 2017
- Gained approval for changes to all three Standards
- NERC Board of Trustees approved CIP-013-1 on August 10, 2017
- All three Standards are pending FERC approval

SCRM Related Changes: Other Standards
High impact BCS & Medium impact BCS: CIP-005-6; CIP-010-3
Low impact BES Assets: removed from the industry-approved draft; SCRM for Low impact BES Assets to be determined; may be covered in CIP-003-x; may instigate another FERC directive

CIP-005-6 R2 Scope Change
The scope of Requirement R2 in CIP-005-6 is expanded from approved CIP-005-5 to address all remote access management, not just Interactive Remote Access. If a Responsible Entity does not allow remote access (system-to-system or Interactive Remote Access) then the Responsible Entity need not develop a process for each of the subparts in Requirement R2. The entity could document that it does not allow remote access to meet the reliability objective.
Source: NERC, 2017 July, CIP-005-6, Rationale for R2 section, p. 24.

CIP-005-6 Parts 2.4 & 2.5 - Objectives
The objective of Requirement R2 Part 2.4 is for entities to have visibility of active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access) that are taking place on their system. This scope covers all remote access sessions with vendors. The obligation in Part 2.4 requires entities to have a method to determine active vendor remote access sessions. While not required, a solution that identifies all active remote access sessions, regardless of whether they originate from a vendor, would meet the intent of this requirement.
The objective of Requirement R2 Part 2.5 is for entities to have the ability to disable active remote access sessions in the event of a system breach as specified in Order No. 829 (P. 52).
Source: CIP-005-6 (p. 24).

SCRM Provisions CIP-005-6: Part 2.4

CIP-005-6: Part 2.4
- Indicates monitoring and control of active vendor remote access sessions is appropriate
- Vendor remote access sessions include Interactive Remote Access and system-to-system access for vendor sessions
- A vendor, as used in the standard, is NOT a defined term, but may include: i. developers or manufacturers of information systems, system components, or information system services; ii. product resellers; or iii. system integrators (CIP-005-6, p. 24).

SCRM Provisions CIP-005-6: Part 2.5

CIP-005-6: Part 2.5
- Requires one or more documented methods to disable active vendor remote access, including Interactive Remote Access and system-to-system remote access.
- May have separate methods to disable each category of vendor remote access, as applicable.

CIP-005-6: Parts 2.4 & 2.5 Evidence
- The Part 2.4 Measures section provides some methods that may be used to identify, monitor, and control vendor remote access sessions
- Part 2.5 evidence may include:
  - Documented methods for disabling the two types of vendor remote access
  - Evidence that vendor remote access was disabled, when and as applicable
  - Internal controls to ensure vendor remote access is disabled when no longer required, or when the entity is notified by the vendor of a cyber security event
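Added example, not part of the presentation or of any NERC material: one way an entity could implement the Part 2.4 visibility method and the Part 2.5 disable method over a constructed jump-host session log, in Go. The log format, the "vnd-"/"svc-vnd-" account prefixes used to recognise vendor accounts, and the terminate callback are all assumptions; a real deployment would read sessions from its VPN concentrator or jump host and call that product's own termination API.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed jump-host session log for this example (key=value fields per line); not a product's real format.
const sampleLog = `ts=2017-11-14T09:12:03Z sess=4711 user=vnd-acme-jsmith kind=interactive target=EMS-HMI-01 state=active
ts=2017-11-14T09:15:40Z sess=4712 user=ops-mlee kind=interactive target=EMS-HMI-02 state=active
ts=2017-11-14T08:00:00Z sess=4690 user=svc-vnd-acme-historian kind=system target=PI-SRV-01 state=active
ts=2017-11-14T07:30:11Z sess=4655 user=vnd-acme-jsmith kind=interactive target=EMS-HMI-01 state=closed`

type Session struct{ ID, Account, Kind, Target, State string }

// ParseSessions turns the log into records; a line missing sess= or user= is an error, not silently dropped.
func ParseSessions(log string) ([]Session, error) {
	var out []Session
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		kv := map[string]string{}
		for _, f := range strings.Fields(line) {
			k, v, ok := strings.Cut(f, "=")
			if !ok {
				return nil, fmt.Errorf("malformed field %q in %q", f, line)
			}
			kv[k] = v
		}
		if kv["sess"] == "" || kv["user"] == "" {
			return nil, fmt.Errorf("line lacks sess/user: %q", line)
		}
		out = append(out, Session{kv["sess"], kv["user"], kv["kind"], kv["target"], kv["state"]})
	}
	return out, nil
}

// ActiveVendorSessions is the Part 2.4 view: live vendor sessions, split into the two categories the
// standard names. Vendor accounts are assumed (entity convention) to carry a "vnd-" or "svc-vnd-" prefix.
func ActiveVendorSessions(all []Session) (interactive, system []Session) {
	for _, s := range all {
		vendor := strings.HasPrefix(strings.ToLower(s.Account), "vnd-") || strings.HasPrefix(strings.ToLower(s.Account), "svc-vnd-")
		switch {
		case s.State != "active" || !vendor:
		case s.Kind == "interactive":
			interactive = append(interactive, s)
		default:
			system = append(system, s)
		}
	}
	return interactive, system
}

// DisableVendorAccess is the Part 2.5 action: terminate each live vendor session through the supplied
// product-specific call and report what was cut and what refused to close (the evidence record needs both).
func DisableVendorAccess(all []Session, terminate func(Session) error) (cut []string, errs []error) {
	interactive, system := ActiveVendorSessions(all)
	for _, s := range append(interactive, system...) {
		if err := terminate(s); err != nil {
			errs = append(errs, fmt.Errorf("session %s (%s -> %s): %w", s.ID, s.Account, s.Target, err))
		} else {
			cut = append(cut, s.ID)
		}
	}
	return cut, errs
}

func main() {
	sessions, _ := ParseSessions(sampleLog)
	fmt.Println(DisableVendorAccess(sessions, func(Session) error { return nil })) // [4711 4690] []
}
```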

SCRM Provisions CIP-010-3: Part 1.6

CIP-010-3: Part 1.6 - Objective
The concept of software verification (verifying the identity of the software source and the integrity of the software obtained from the software source) is a key control in preventing the introduction of malware or counterfeit software. This objective is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System. The intent of the SDT is for Responsible Entities to provide controls for verifying the baseline elements that are updated by vendors. It is important to note that this is not limited to only security patches.
Source: NERC, 2017 July, CIP-010-3, Software Verification section, p. 24.

CIP-010-3: Part 1.6
Requires entities to:
- Verify the identity of the software source
- Verify the integrity of the software obtained from the software source
- The methodology used for such verifications is left to the entity to define
- Part 1.6 is not limited to security patches

CIP-010-3: Part 1.6 Evidence
- Evidence may include change request records to confirm the entity's documented process(es) for such identity and integrity verifications occurred as described
- Leverage existing documented CIP cyber security policies and controls
- Document new processes and controls to manage verifications for identity of software sources and integrity of software obtained from those sources (e.g., Guidelines and Technical Basis section, p. 39)
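Added example (not from the presentation or from NERC): a Part 1.6 verification, in Go, that checks identity of the software source (an Ed25519 signature over a hash manifest, verified under a pinned vendor key) separately from integrity of the software obtained (SHA-256 of each delivered file against that manifest). The manifest format, the file names and the deterministic key derivation from a label are constructed for the example; in practice the vendor's real public key is pinned out of band, never taken from the download itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Verdict keeps the two Part 1.6 checks apart: source identity (the manifest verifies under the
// pinned vendor key) and integrity (each delivered file matches the hash the vendor published).
type Verdict struct{ SourceAuthentic bool; Integrity map[string]bool }

// NewVendorKey derives a deterministic Ed25519 key pair from a label; constructed for this example only.
func NewVendorKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// MakeManifest renders "<sha256 hex>  <filename>" lines, sorted so the bytes being signed are stable.
func MakeManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return []byte(b.String())
}

// SignManifest is the vendor side: a detached Ed25519 signature over the manifest bytes.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyDelivery is the entity side. Signature first: an unauthentic manifest proves nothing, so every
// file then stays unverified. A delivered file that the manifest does not list fails integrity too.
func VerifyDelivery(pinned ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) (Verdict, error) {
	v := Verdict{Integrity: map[string]bool{}}
	if !ed25519.Verify(pinned, manifest, sig) {
		return v, fmt.Errorf("manifest signature does not verify against the pinned vendor key")
	}
	v.SourceAuthentic = true
	want := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return v, fmt.Errorf("malformed manifest line %q", line)
		}
		want[f[1]] = strings.ToLower(f[0])
	}
	for name, data := range files {
		expected, listed := want[name]
		v.Integrity[name] = listed && fmt.Sprintf("%x", sha256.Sum256(data)) == expected
	}
	return v, nil
}

func main() {
	pub, priv := NewVendorKey("example-vendor") // constructed key pair
	files := map[string][]byte{"rtu-fw-2.1.bin": []byte("firmware image"), "hmi-patch.msi": []byte("patch")}
	manifest := MakeManifest(files)
	files["rtu-fw-2.1.bin"] = []byte("altered in transit") // simulated tampering after the vendor signed
	fmt.Println(VerifyDelivery(pub, manifest, SignManifest(priv, manifest), files)) // rtu-fw-2.1.bin:false
}
```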

SCRM Implementation Plan - Timeline
- Three Standards currently pending FERC approval
- Effective the 1st day of the 1st quarter that is 18 months after the applicable approval order
- If FERC approves at the November or December meeting, SCRM may be effective as early as July 1, 2019
[Timeline chart: months Nov 2017 through Jul 2019 (Q4 2017 to Q3 2019), counting 0 to 18 months from approval, with the Effective Date marked at July 1, 2019]
- What if FERC issues a NOPR for CIP-013-1 and provides a typical stakeholder comment period? We could easily add another six to twelve months.

SCRM Implementation Plan R1
R1.1. Develop documented processes to provide a risk-based approach to identify potential cyber security risks resulting from: i. procuring and installing vendor equipment and software, and ii. transitions from one vendor to another vendor
R1.2. Document procurement plans and processes to manage identified risks
See NERC (2017 April, Implementation Guidance: R1.2.1 - R1.2.6, pp. 2-7) for more details

SCRM Implementation Plan R2
Implement SCRM plans specified in R1:
- Does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders), consistent with Order No. 829 (P. 36).
- Contracts entering the Responsible Entity's procurement process (e.g., through Request for Proposals) on or after the effective date are within scope of CIP-013-1.
- Contract effective date, commencement date, or other activation dates specified in the contract do not determine whether the contract is within scope of CIP-013-1.
Source: NERC, 2017 April, Implementation Guidance, p. 8.

SCRM Implementation Plan R3
Review SCRM plans and processes identified in R1 by Entity SMEs using:
- Requirements and guidelines
- Industry best practices
- Mitigating controls
- Internal entity continuous improvement feedback
Obtain CIP Senior Manager or delegate approval:
- Initially, on or before the effective date (this implies R1 documented plans and processes must be developed on or before the effective date as well)
- At least once every 15 calendar months thereafter

SCRM Audit Approach
- The CIP team is still evaluating its audit approach
- This process will continue until FERC approves CIP-013-1 and the effective date is established
- The CIP Team will present updated information on the audit approach in a future outreach event
- For now, consider how vendor products and services impact your High and Medium BCS
- Evaluate and document cyber security risks associated with each applicable BCS
- Consider preliminary procurement planning and RFP template development to address cyber security risks

Questions & Contact Information
Joseph B. Baugh
(360)600-6631 Office
(520)331-6351 Cell
jbaugh@wecc.biz

References
FERC. (2016 July 29). Order No. 829: Revised Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 156 FERC 61,050; Docket No. RM15-14-002. Published in Federal Register, 81(146), pp. 49879-49894. Retrieved from https://www.gpo.gov/fdsys/pkg/fr-2016-07-29/pdf/2016-17842.pdf
NERC. (2017). Project 2016-03 Cyber Security Supply Chain Risk Management [Project Website]. Retrieved from http://www.nerc.com/pa/stand/pages/project201603cybersecuritysupplychainmanagement.aspx
NERC. (2017 April). Cyber Security Supply Chain Risk Management Plans: Implementation Guidance for CIP-013-1. Retrieved from http://www.nerc.com/pa/stand/project%20201603%20cyber%20Security%20Supply%20Chain%20Managem/Implementation_guidance_071117.pdf
NERC. (2017 July). CIP-005-6 Cyber Security Electronic Security Perimeter(s). Retrieved from http://www.nerc.com/pa/stand/project%20201603%20cyber%20security%20Supply%20Chain%20Managem/CIP-005-6_Clean_071117.pdf
NERC. (2017 July). CIP-010-3 Cyber Security Configuration Change Management and Vulnerability Assessments. Retrieved from http://www.nerc.com/pa/stand/project%20201603%20cyber%20security%20Supply%20Chain%20Managem/CIP-010-3_Clean_071117.pdf
NERC. (2017 July). CIP-013-1 Cyber Security - Supply Chain Risk Management. Retrieved from http://www.nerc.com/pa/stand/project%20201603%20cyber%20security%20Supply%20Chain%20Managem/CIP-013-1_Clean_071117.pdf
NERC. (2017 July). Implementation Plan: Project 2016-03 Cyber Security Supply Chain Risk Management Reliability Standard. Retrieved from http://www.nerc.com/pa/stand/project%20201603%20cyber%20security%20Supply%20Chain%20Managem/Implementation_Plan_Clean_071117.pdf