2015 04 16_WECC Open Mic Webinar Slide Deck

Transcript of 2015 04 16_WECC Open Mic Webinar Slide Deck

Page 1: 2015 04 16_WECC Open Mic Webinar Slide Deck

Compliance Open Webinar

Thursday, April 16, 2015

Page 2: 2015 04 16_WECC Open Mic Webinar Slide Deck

Agenda

• CIP-014 Third Party Assessments – Bryan Carr
• Registration Update – Brittany Power

• Presentation on CIP Basics – Brent Castagnetto

WESTERN ELECTRICITY COORDINATING COUNCIL

Page 3: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1: Updates Open Webinar April 16, 2015

Bryan Carr, PMP, CISA, PSP, CBRM, CBRA
Nick Weber, CPP, PSP, CBRM, CBRA

Compliance Auditors, Physical and Cyber Security


Page 4: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 Process Overview

R1: Risk Assessment (identifies the applicable Transmission stations and Transmission substations)

R2: Unaffiliated Third Party Verification of the R1 assessment

R3: Notify the Transmission Operator of the primary control center

R4: Conduct Threat and Vulnerability Evaluation

R5: Develop and Implement a Physical Security Plan

R6: Unaffiliated Third Party Review of R4 and R5

Page 5: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 Implementation
Less than nine months from the effective date to Security Plan completion

CIP-014-1 Implementation Timeline (effective date 10/1/2015; "R2 + N" counts from completion of R2, including resolution of discrepancies under Part 2.3)

Activity                                 Implementation    Not Later Than   Total
R1 Assessment                            Effective Date    10/1/2015          0 days
R2 Verification                          Effective + 90    12/30/2015        90 days
R2.3 Address Discrepancies               R2.2 + 60         2/28/2016        150 days
R3 Notify Control Center                 R2 + 7            3/6/2016         157 days
R4 Threat and Vulnerability Evaluation   R2 + 120          6/27/2016        270 days
R5 Security Plan                         R2 + 120          6/27/2016        270 days
R6 Review                                R5 + 90           9/25/2016        360 days
R6.3 Address Discrepancies               R6.2 + 60         11/24/2016       420 days

Page 6: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 R1 Risk Assessment

R1: Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.

Page 7: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 R1 Risk Assessment

Three methodologies have been shared with the WECC CIP Audit Team to date:

• PAC/APS Proposed Methodology
• BPA Methodology
• Peak Reliability Methodology

Page 8: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 R1 Risk Assessment


Page 9: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 R1 Risk Assessment

Page 10: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 R1 Risk Assessment

Audit Approach Questions:

• Does the methodology define cascading, uncontrolled separation, and instability, with criteria for each?
• Does the methodology effectively determine whether or not loss of the station/substation will result in cascading, uncontrolled separation, or instability?

The methodologies shared with the WECC CIP Team meet both criteria, but they are not an all-inclusive list of methodologies. Entities are free to develop their own methodology.

Page 11: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-1 R2/R6 Third Party Reviews

Audit Approach Questions:

• Is the third party unaffiliated and qualified to conduct the review?
• Was the review conducted and documented?
• Did the entity address all reviewer recommendations in accordance with Part 2.3/Part 6.3?
• Did the entity implement procedures for protecting sensitive or confidential information?

Entities should focus on the reviewer's ability to strengthen their program by providing a unique perspective. The language of the standard sets no parameters on the depth, rigor, or focal points of the review.

Page 12: 2015 04 16_WECC Open Mic Webinar Slide Deck

At Your Service

• PSWG: get plugged in! http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• A phone call or email away
• We want to help
• Always willing to provide our audit approach

Page 13: 2015 04 16_WECC Open Mic Webinar Slide Deck

Contacts

Bryan Carr, PMP, CISA, PSP, CBRM, CBRA
Compliance Auditor, Physical and Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 819-7691
[email protected]

Nick Weber, CPP, PSP, CBRM, CBRA
Compliance Auditor, Physical and Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 386-6288
[email protected]

Page 14: 2015 04 16_WECC Open Mic Webinar Slide Deck

Registration Update

Brittany Power, Data Coordinator

Page 15: 2015 04 16_WECC Open Mic Webinar Slide Deck

Current Status

• FERC RBR Order
• Interchange Authority & Purchasing-Selling Entity Functions
• Distribution Provider Function
• UFLS Only Distribution Providers
• Next Steps – Load-Serving Entity Registration
• Next Steps – Changes to Appendix

Page 16: 2015 04 16_WECC Open Mic Webinar Slide Deck

FERC RBR Order

On March 19, 2015, the Federal Energy Regulatory Commission (FERC) issued its order on the Electric Reliability Organization Risk-Based Registration Initiative and Requiring Compliance Filing, 150 FERC ¶ 61,213 (the RBR Order).

Page 17: 2015 04 16_WECC Open Mic Webinar Slide Deck

FERC RBR Order

Under the RBR Order, FERC approved the following:

• Modification of the Compliance Registry Criteria by removing Purchasing-Selling Entities (PSEs) and Interchange Authorities (IAs) as registered functions
• Raising the threshold for registering entities as Distribution Providers (DPs)
• Aligning five functional registration categories to the definition of Bulk Electric System

Page 18: 2015 04 16_WECC Open Mic Webinar Slide Deck

IA & PSE Functions

Removal of the IA & PSE Functions will require no action from entities that are registered under one of the eliminated functional categories.


Page 19: 2015 04 16_WECC Open Mic Webinar Slide Deck

Distribution Provider Function

FERC approved raising the peak load threshold for Distribution Providers from 25 MW to 75 MW; the entity's system must also be directly connected to the BES. DPs below 75 MW remain eligible for registration if they own or operate protection systems such as:

• Under Voltage Load Shedding
• Special Protection Systems
• Remedial Action Schemes
• Other Transmission Protection Systems

Page 20: 2015 04 16_WECC Open Mic Webinar Slide Deck

UFLS Only Distribution Providers

FERC also approved the possibility of a Distribution Provider registered only for the reliability functions related to Underfrequency Load Shedding protection. FERC directed NERC to apply PRC-005 to this new class of UFLS Only Distribution Providers.

Page 21: 2015 04 16_WECC Open Mic Webinar Slide Deck

Next Steps - LSE

In the RBR Order, FERC gave NERC 60 days to provide a proposal for removing Load-Serving Entities (LSEs) from the registry criteria with no reliability gaps.


Page 22: 2015 04 16_WECC Open Mic Webinar Slide Deck

Next Steps - Changes to Appendix

In order to carry out the FERC order, NERC must introduce changes to its Rules of Procedure Section 302.1 and Appendices 5A & 5B. Comments on the proposed revisions to the NERC Rules of Procedure are being requested from industry. The 45-day comment period began on Monday April 13, 2015 and ends on Thursday, May 28, 2015.


Page 23: 2015 04 16_WECC Open Mic Webinar Slide Deck

WECC Support

[email protected]

801-883-6879 or 877-937-9722


Page 24: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP Basics Open Webinar April 16 2015

Brent Castagnetto, Manager, Cyber Security Audits & Investigations

Page 25: 2015 04 16_WECC Open Mic Webinar Slide Deck

Agenda

• Introduction
• Acronym Soup
• CIP Standards Overview
• Questions & Answers

Page 26: 2015 04 16_WECC Open Mic Webinar Slide Deck

Introduction

• Critical Infrastructure Protection (CIP)
  – Urgent Action 1200 (2003)
    • Voluntary suite of standards and requirements affording protections to Cyber Assets essential to the operation of the Bulk Electric System (BES)
  – Energy Policy Act of 2005 / Section 215 of the Federal Power Act
    • Moved daylight saving time up
    • Set Federal reliability standards regulating our industry

Page 27: 2015 04 16_WECC Open Mic Webinar Slide Deck

Why CIP?

• Section 215 of the Federal Power Act
  – FERC certified NERC as the Electric Reliability Organization (ERO) in 2006
  – NERC has delegation agreements with 8 Regional Entities
  – FERC Order 706 (January 2008) approved the first CIP standards, CIP-002-1 through CIP-009-1, and directed changes to them
  – NERC develops CIP versions 1, 2, 3, 4, 5, and so on

Page 28: 2015 04 16_WECC Open Mic Webinar Slide Deck

8 Regional Entities

Page 29: 2015 04 16_WECC Open Mic Webinar Slide Deck

Acronym Soup

• BCA – BES Cyber Asset
• BCS – BES Cyber System
• BCSI – BES Cyber System Information
• BROS – BES Reliability Operating Services
• EAP – Electronic Access Point
• EACMS – Electronic Access Control or Monitoring Systems
• ESP – Electronic Security Perimeter
• ERC – External Routable Connectivity
• IRA – Interactive Remote Access
• PACS – Physical Access Control Systems
• PSP – Physical Security Perimeter
• PCA – Protected Cyber Asset

*Not a comprehensive list

Page 30: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP v5 Standards

• Most recent set of approved CIP Standards
• Mandatory and Enforceable 4/1/2016
• NERC CIP v5 Transition Guidance provides entities an opportunity to move to v5 now

Page 31: 2015 04 16_WECC Open Mic Webinar Slide Deck

Decrypting CIP v5

Page 32: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-002-5.1

• BES Cyber System Categorization
  – BES Cyber System (BCS)
    • One or more BES Cyber Assets logically grouped together that perform one or more reliability tasks
    • Examples: EMS, SCADA

Page 33: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-002-5.1

• BES Reliability Operating Services (BROS)
  – Support defining BES Cyber Systems
  – See the CIP-002-5.1 Guidelines and Technical Basis
    • Monitoring & Control
    • Restoration of BES
    • Situational Awareness

*Not a comprehensive list

Page 34: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-003-6

• Security Management Controls
  – Policies that support the CIP-004 through CIP-011 objectives
    • Examples: Personnel & Training, Electronic Security Controls, Physical Security Controls
  – Low Impact Controls (Mandatory & Enforceable 2017)
  – Identification of the CIP Senior Manager responsible for the entity's CIP Compliance Program

Page 35: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-004-6

• Personnel & Training
  – Quarterly Security Awareness
  – Training
  – Personnel Risk Assessment (PRA)
  – Access Management
    • Logical and physical

Page 36: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-005-5

• Electronic Security Perimeter(s)
  – Establishing a logical border around BES Cyber Assets with routable connectivity
  – Access control and authentication mechanisms
  – Detection of possible malicious communication at the logical border
  – Interactive Remote Access
    • Encryption
    • Multifactor authentication

Page 37: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-005-5 Interactive Remote Access

Diagram: a remote user with a thumb reader enters an IPsec VPN tunnel, reaches a corporate host or the jump host, and only the jump host reaches the BCA/PCA. Recovered hop labels:

• IPsec VPN tunnel: access control via ACS, AD, biometric
• RDP from remote host to corporate host or jump host: access control via AD and biometric
• RDP from corporate host to jump host: access control via AD and biometric
• Jump host to BCA/PCA: access control via AD or local authentication
• BCA/PCA to jump host (return path)
• Remote user with thumb reader (shown at each entry point)
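The remote-access chain on this slide (VPN tunnel, corporate host or jump host, then the BES Cyber Asset) is what CIP-005-5 R2 is about: Part 2.1 requires an Intermediate System so that the Cyber Asset initiating the session never reaches the BCA/PCA directly, Part 2.2 requires encryption that terminates at the Intermediate System, and Part 2.3 requires multi-factor authentication for all Interactive Remote Access sessions. The Python below is an added example, not code from WECC or from this deck: it models a set of permitted hops like the ones in the diagram and flags any that would violate those three Parts. The host names, zone labels and rule format are assumptions for illustration.

```python
from collections import deque

# Constructed inventory (assumption: names and zones are illustrative).
# zone "remote":       outside the corporate network
# zone "corp":         corporate network, outside the ESP
# zone "intermediate": the jump host, i.e. the CIP-005-5 R2 Intermediate System
# zone "esp":          BES Cyber Assets and Protected Cyber Assets inside the ESP
HOSTS = {
    "remote-laptop": {"zone": "remote"},
    "vpn-gw":        {"zone": "corp"},
    "corp-host":     {"zone": "corp"},
    "jump-host":     {"zone": "intermediate", "mfa": True},
    "bca-ems-01":    {"zone": "esp"},
    "pca-hmi-02":    {"zone": "esp"},
}

# Permitted hops as (source, destination, protocol, encrypted), mirroring the diagram.
RULES = [
    ("remote-laptop", "vpn-gw",     "ipsec", True),
    ("vpn-gw",        "corp-host",  "rdp",   True),
    ("vpn-gw",        "jump-host",  "rdp",   True),
    ("corp-host",     "jump-host",  "rdp",   True),
    ("jump-host",     "bca-ems-01", "rdp",   True),
    ("jump-host",     "pca-hmi-02", "ssh",   True),
]


def esp_reachable_bypassing_intermediate(hosts, rules):
    """Breadth-first search from every remote host over the permitted hops,
    refusing to step onto an Intermediate System. Any ESP host reached this
    way is reachable without passing through the jump host (Part 2.1)."""
    adjacency = {}
    for src, dst, _proto, _enc in rules:
        adjacency.setdefault(src, []).append(dst)
    reached = set()
    for start, attrs in hosts.items():
        if attrs["zone"] != "remote":
            continue
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in adjacency.get(node, []):
                if nxt in seen or hosts[nxt]["zone"] == "intermediate":
                    continue
                seen.add(nxt)
                if hosts[nxt]["zone"] == "esp":
                    reached.add(nxt)
                else:
                    queue.append(nxt)
    return reached


def find_violations(hosts, rules):
    """Return a list of CIP-005-5 R2 findings, empty when the design is clean."""
    findings = []
    for host in sorted(esp_reachable_bypassing_intermediate(hosts, rules)):
        findings.append(f"R2.1: {host} reachable from a remote host without an Intermediate System")
    for src, dst, proto, encrypted in rules:
        # Part 2.2: the session into the Intermediate System must be encrypted.
        if hosts[dst]["zone"] == "intermediate" and not encrypted:
            findings.append(f"R2.2: unencrypted {proto} session {src} -> {dst}")
    for name, attrs in hosts.items():
        # Part 2.3: multi-factor authentication at the Intermediate System.
        if attrs["zone"] == "intermediate" and not attrs.get("mfa", False):
            findings.append(f"R2.3: no multi-factor authentication on {name}")
    return findings


if __name__ == "__main__":
    for finding in find_violations(HOSTS, RULES) or ["no CIP-005-5 R2 findings"]:
        print(finding)
    # A rule that lets a corporate host reach the EMS directly is caught under R2.1.
    for finding in find_violations(HOSTS, RULES + [("corp-host", "bca-ems-01", "rdp", True)]):
        print(finding)
```

The path search is deliberately separate from the per-rule checks: a single rule that lands inside the ESP from the wrong zone is easy to spot by eye, but a chain of individually reasonable hops that ends up bypassing the jump host is not, and that is what auditors look for when they walk the ESP access rules.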

Page 38: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-006-6

• Physical Security
  – Operational and procedural controls to restrict physical access
  – Physical access controls, monitoring of physical access, alert & alarm
  – Pay close attention to the Applicable Systems column
  – Physical access logging
  – Visitor escort procedures

Page 39: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-007-6

• System Security Management
  – Ports & Services
    • Includes physical ports
  – Security Patch Management
    • Tracking & evaluation
  – Malicious Code Prevention
    • Deter, detect, or prevent (BES Cyber System level)
  – Security Event Monitoring
    • Log and generate alerts for security events
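As an added example (not WECC's code and not part of the deck), here is the shape of the CIP-007-6 R4 logic in Python: Part 4.1 asks that successful logins, failed access or login attempts and detected malicious code be logged, and Part 4.2 asks for alerts on detected malicious code and on a failure of that logging. The log format, host names, thresholds and the sample lines are constructed assumptions; the silence-based check for logging failure is a heuristic of this example, not something the standard prescribes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: format is "timestamp host event key=value ...").
SAMPLE_LOG = """\
2015-04-16T08:00:05 bca-ems-01 login_ok user=operator1 src=10.10.1.20
2015-04-16T08:01:10 bca-ems-01 login_failed user=admin src=10.10.5.7
2015-04-16T08:01:12 bca-ems-01 login_failed user=admin src=10.10.5.7
2015-04-16T08:01:15 bca-ems-01 login_failed user=admin src=10.10.5.7
2015-04-16T08:01:20 bca-ems-01 login_failed user=admin src=10.10.5.7
2015-04-16T08:01:25 bca-ems-01 login_failed user=admin src=10.10.5.7
2015-04-16T08:02:00 bca-ems-01 malicious_code_detected path=C:/temp/x.exe
2015-04-16T09:30:00 bca-ems-01 login_ok user=operator2 src=10.10.1.21
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
        for field in m["rest"].split():
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (user, source) when `threshold` failed logins fall inside `window`."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["event"] != "login_failed":
            continue
        key = (ev.get("user", "?"), ev.get("src", "?"))
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((key[0], key[1], len(q)))
            q.clear()                     # one alert per burst
    return alerts


def malicious_code_alerts(events):
    """Part 4.2.1: every detected-malicious-code event is an alert."""
    return [(ev["host"], ev.get("path", "?"))
            for ev in events if ev["event"] == "malicious_code_detected"]


def logging_gap_alerts(events, max_silence=timedelta(hours=1)):
    """Heuristic for Part 4.2.2 (failure of event logging): a host that has been
    silent longer than `max_silence` is reported as (host, last_seen, next_seen)."""
    last_seen, gaps = {}, []
    for ev in events:
        host = ev["host"]
        if host in last_seen and ev["ts"] - last_seen[host] > max_silence:
            gaps.append((host, last_seen[host], ev["ts"]))
        last_seen[host] = ev["ts"]
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(failed_login_alerts(evs))
    print(malicious_code_alerts(evs))
    print(logging_gap_alerts(evs))
```

The sliding window is cleared after each alert so a sustained password-guessing run produces one alert per burst rather than one per attempt; the silence check only fires once a later event arrives, so on a real collector it would be paired with a timer that fires when the expected interval elapses.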


Page 40: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-007-6

• System Security Management
  – System Access Control
    • Interactive user access authentication
    • Account management
      – Default, generic, shared accounts
      – Password management

Page 41: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-008-5

• Cyber Security Incident Response
  – Incident identification / classification
  – Reporting to the Electricity Sector Information Sharing & Analysis Center (ES-ISAC)
  – Testing of the Cyber Security Incident Response Plan at least every 15 calendar months
  – Document lessons learned, communication plan

Page 42: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-009-5

• Recovery Plans for BES Cyber Systems
  – Develop a recovery plan
  – Backup and storage of information used for recovery
  – Testing every 15 months
    • Recovery from an incident
    • Paper drill or tabletop
    • Operational exercise
  – Testing every 36 months
    • Operational exercise
    • Pay close attention to the Applicable Systems column
    • High Impact BES Cyber Systems only
  – Document lessons learned, update, communicate

Page 43: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-010-2

• Change Management / Vulnerability Assessment
  – Baseline configuration for BES Cyber Systems
  – Authorize and document changes that deviate from the baseline; update the baseline within 30 days of completing the change
  – Pay close attention to the Applicable Systems column
  – Configuration Monitoring (High Impact BES Cyber Systems)
  – Vulnerability Assessment every 15 months
  – Active Vulnerability Assessment every 36 months
• Transient Cyber Assets
  – CIP-010-2 Attachments 1 & 2
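The baseline and change-authorization bullets above, together with the CIP-007-6 ports and services bullet on the earlier slide, describe a comparison a practitioner can automate. The Python below is an added example, not from the deck or from WECC: it diffs a stored CIP-010-2 R1 baseline (the five Part 1.1 elements: OS or firmware, commercially available software, custom software, logical network-accessible ports, applied security patches) against a fresh snapshot of the same Cyber Asset, then checks each change against change-management records, separating unauthorized changes (Part 1.2) from authorized ones whose baseline update is past the 30-day limit in Part 1.3. The host name, version strings, patch identifiers, review date and record format are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed baseline for one BES Cyber Asset (all values are illustrative).
BASELINE = {
    "host": "bca-ems-01",
    "os": "Windows Server 2012 R2 6.3.9600",
    "software": {"EMS-Client": "4.2.1", "AV-Agent": "12.0"},
    "custom_software": {"alarm-forwarder": "1.0"},
    "ports": {"tcp/102", "tcp/445", "tcp/3389"},
    "patches": {"patch-2015-01", "patch-2015-02"},
}

# Constructed snapshot taken later from the same host: one new listening port,
# one new patch, one upgraded commercial package.
SNAPSHOT = {
    "host": "bca-ems-01",
    "os": "Windows Server 2012 R2 6.3.9600",
    "software": {"EMS-Client": "4.2.1", "AV-Agent": "12.1"},
    "custom_software": {"alarm-forwarder": "1.0"},
    "ports": {"tcp/102", "tcp/445", "tcp/3389", "tcp/5900"},
    "patches": {"patch-2015-01", "patch-2015-02", "patch-2015-03"},
}

# Constructed change-management records: changes that were authorized and
# documented, keyed by baseline element and the item that changed.
CHANGE_RECORDS = [
    {"element": "software", "item": "AV-Agent 12.0 -> 12.1", "completed": date(2015, 4, 10)},
    {"element": "patches", "item": "patch-2015-03", "completed": date(2015, 2, 1)},
]

# Constructed date of the review run (the webinar date).
REVIEW_DATE = date(2015, 4, 16)


def diff_baseline(baseline, snapshot):
    """Return sorted (element, change, item) tuples for every deviation between
    the five CIP-010 baseline elements of `baseline` and `snapshot`."""
    changes = []
    if baseline["os"] != snapshot["os"]:
        changes.append(("os", "changed", f'{baseline["os"]} -> {snapshot["os"]}'))
    for element in ("software", "custom_software"):
        old, new = baseline[element], snapshot[element]
        for name in sorted(set(old) | set(new)):
            if name not in new:
                changes.append((element, "removed", f"{name} {old[name]}"))
            elif name not in old:
                changes.append((element, "added", f"{name} {new[name]}"))
            elif old[name] != new[name]:
                changes.append((element, "changed", f"{name} {old[name]} -> {new[name]}"))
    for element in ("ports", "patches"):
        old, new = baseline[element], snapshot[element]
        changes += [(element, "added", item) for item in sorted(new - old)]
        changes += [(element, "removed", item) for item in sorted(old - new)]
    return sorted(changes)


def review_changes(changes, change_records, today, max_age=timedelta(days=30)):
    """Classify detected changes: no record means unauthorized (Part 1.2); a record
    older than `max_age` whose change is still absent from the baseline means the
    baseline update required by Part 1.3 is overdue; otherwise authorized."""
    by_key = {(r["element"], r["item"]): r for r in change_records}
    result = {"authorized": [], "unauthorized": [], "baseline_update_overdue": []}
    for element, change, item in changes:
        record = by_key.get((element, item))
        if record is None:
            result["unauthorized"].append((element, change, item))
        elif today - record["completed"] > max_age:
            result["baseline_update_overdue"].append((element, change, item))
        else:
            result["authorized"].append((element, change, item))
    return result


if __name__ == "__main__":
    found = diff_baseline(BASELINE, SNAPSHOT)
    for bucket, items in review_changes(found, CHANGE_RECORDS, REVIEW_DATE).items():
        for element, change, item in items:
            print(f"{bucket:24} {element:16} {change:8} {item}")
```

On the constructed data the new listener on tcp/5900 has no change record and is reported as unauthorized, the anti-virus upgrade is authorized and recent, and the patch applied in February is authorized but its baseline update is past the 30-day window. Ports are compared as "proto/port" strings so the same diff serves the CIP-007-6 R1 ports-and-services review.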


Page 44: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-011-2

• Cyber Security – Information Protection
  – Identification of BES Cyber System Information
  – Secure procedures
    • Storage, handling, transit, use
  – Reuse & Disposal

Page 45: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP-014-2

• Physical Security of Transmission stations, Transmission substations, and their primary control centers
  – Identification of facilities via transmission analysis
  – Threat and Vulnerability Assessment
  – Tactical Security Plan
  – Required third party reviews

Page 46: 2015 04 16_WECC Open Mic Webinar Slide Deck

Upcoming CIP Events

• CIP Low Impact Event – July 7–8, San Ramon, CA
• Registration information

Page 47: 2015 04 16_WECC Open Mic Webinar Slide Deck

Helpful Links

• http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
• http://www.ferc.gov/whats-new/comm-meet/2013/112113/E-2.pdf
• http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx
• https://www.wecc.biz/TrainingAndEducation/Pages/Compliance.aspx

Page 48: 2015 04 16_WECC Open Mic Webinar Slide Deck

CIP Subject Matter Experts

Page 49: 2015 04 16_WECC Open Mic Webinar Slide Deck

Questions

Brent Castagnetto
Manager, Cyber Security Audits and Investigations
[email protected]

Page 50: 2015 04 16_WECC Open Mic Webinar Slide Deck

Upcoming Events

• WECC Compliance 101 Webinar – May 21, 2015
• WECC CUG/CIPUG Conference – Portland, OR – June 2–4, 2015
• CIP Low Impact Training – San Ramon, CA – July 7–8, 2015