2015 04 16_WECC Open Mic Webinar Slide Deck
Compliance Open Webinar
Thursday, April 16, 2015
Agenda
• CIP-014 Third Party Assessments – Bryan Carr
• Registration Update – Brittany Power
• Presentation on CIP Basics – Brent Castagnetto
W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L
CIP-014-1: Updates Open Webinar April 16, 2015
Bryan Carr, PMP, CISA, PSP, CBRM, CBRA
Nick Weber, CPP, PSP, CBRM, CBRA
Compliance Auditors Physical and Cyber Security
CIP-014-1 Process Overview
R1: Applicability
R2: Unaffiliated Review
R3: Notify Control Centers
R4: Conduct Threat and Vulnerability Assessment
R5: Develop a Security Plan
R6: Unaffiliated Review
CIP-014-1 Implementation
Less than nine months from effective date to Security Plan completion
CIP-014-1 Implementation Timeline
Activity                                  Implementation    Not Later Than   Total
R1 Assessment                             Effective Date    10/1/2015        0 Days
R2 Verification                           Effective + 90    12/30/2015       90 Days
R2.3 Address Discrepancies                R2.2 + 60         2/28/2016        150 Days
R3 Notify Control Center                  R2 + 7            1/6/2016         157 Days
R4 Threat and Vulnerability Evaluation    R2 + 120          6/27/2016        270 Days
R5 Security Plan                          R2 + 120          6/27/2016        270 Days
R6 Review                                 R5 + 90           9/25/2016        360 Days
R6.3 Address Discrepancies                R6.2 + 60         11/24/2016       420 Days
CIP-014-1 R1 Risk Assessment
R1: Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.
CIP-014-1 R1 Risk Assessment
Three methodologies have been shared with the WECC CIP Audit Team to date:
• PAC/APS Proposed Methodology
• BPA Methodology
• Peak Reliability Methodology
CIP-014-1 R1 Risk Assessment
Audit Approach Questions:
• Does the methodology define cascading, uncontrolled separation, and instability with criteria for each?
• Does the methodology effectively determine whether or not loss of the Station/Substation will result in cascading, uncontrolled separation, or instability?
The methodologies shared with the WECC CIP Team meet both criteria, but are not an all-inclusive list of methodologies. Entities are free to develop their own methodology.
CIP-014-1 R2/R6 Third Party Reviews
Audit Approach Questions:
• Is the third party unaffiliated and qualified to conduct the review?
• Was the review conducted and documented?
• Did the entity address all reviewer recommendations in accordance with Part 2.3/Part 6.3?
• Did the entity implement procedures for protecting sensitive or confidential information?
Entities should focus on the reviewer’s ability to strengthen their program by providing a unique perspective. The language of the standard sets no parameters on the depth, rigor, or focal points of the review.
At Your Service
• PSWG – Get plugged in! http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• Phone call or email away
• We want to help
• Always willing to provide our audit approach
Contacts
Bryan Carr, PMP, CISA, PSP, CBRM, CBRA
Compliance Auditor, Physical and Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200, Salt Lake City, UT 84103
(801) 819-7691
[email protected]

Nick Weber, CPP, PSP, CBRM, CBRA
Compliance Auditor, Physical and Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200, Salt Lake City, UT 84103
(801) 386-6288
[email protected]
Registration Update
Brittany Power, Data Coordinator
Current Status
• FERC RBR Order
• Interchange Authority & Purchase-Selling Entity Functions
• Distribution Provider Function
• UFLS Only Distribution Providers
• Next Steps – Load-Serving Entity Registration
• Next Steps – Changes to Appendix
FERC RBR Order
On March 19, 2015, the Federal Energy Regulatory Commission (FERC) released Order 150 FERC ¶ 61,213 on Electric Reliability Organization Risk Based Registration Initiative and Requiring Compliance Filing (RBR Order).
FERC RBR Order
Under the RBR Order, FERC has approved the following:
• Modification of the Compliance Registry Criteria by removing Purchasing-Selling Entities (PSEs) and Interchange Authorities (IAs) as registered functions
• Raising the threshold for registering entities as Distribution Providers (DPs)
• Aligning five functional registration categories to the definition of Bulk Electric System
IA & PSE Functions
Removal of the IA & PSE Functions will require no action from entities that are registered under one of the eliminated functional categories.
Distribution Provider Function
FERC approved raising the peak load threshold for Distribution Providers from 25 MW to 75 MW, and the entity’s system must be directly connected to the BES. DPs below 75 MW remain eligible for registration if they own or operate protection systems such as:
• Under Voltage Load Shedding
• Special Protection Systems
• Remedial Action Schemes
• Other Transmission Protection Systems
UFLS Only Distribution Providers
FERC also approved the possibility of a Distribution Provider registered only for the reliability functions related to Underfrequency Load Shedding Protection. FERC directed NERC to apply PRC-005 to this new class of UFLS Only Distribution Providers.
Next Steps - LSE
In the RBR Order, FERC gave NERC 60 days to provide a proposal for removing Load-Serving Entities (LSEs) from the registry criteria with no reliability gaps.
Next Steps - Changes to Appendix
In order to carry out the FERC order, NERC must introduce changes to its Rules of Procedure Section 302.1 and Appendices 5A & 5B. Comments on the proposed revisions to the NERC Rules of Procedure are being requested from industry. The 45-day comment period began on Monday April 13, 2015 and ends on Thursday, May 28, 2015.
WECC Support
801-883-6879 or 877-937-9722
CIP Basics Open Webinar, April 16, 2015
Brent Castagnetto, Manager Cyber Security Audits & Investigations
Agenda
• Introduction
• Acronym Soup
• CIP Standards Overview
• Questions & Answers
Introduction
• Critical Infrastructure Protection (CIP)
  – Urgent Action 1200 (2003)
    • Voluntary suite of standards and requirements affording protections to Cyber Assets essential to the operation of the Bulk Electric System (BES)
  – Energy Policy Act of 2005 / Section 215 Federal Power Act
    • Moved daylight savings time up
    • Set Federal reliability standards regulating our industry
Why CIP?
• Federal Energy Regulatory Commission (FERC) Order 706
  – FERC designated NERC as the Electric Reliability Organization (ERO)
  – NERC has a delegation agreement with 8 regional entities
  – NERC develops CIP version 1, 2, 3, 4, 5… and so on.
8 Regional Entities
Acronym Soup
• BCA – BES Cyber Asset
• BCS – BES Cyber System
• BES CSI – BES Cyber Security Information
• BROS – BES Reliability Operating Services
• EAP – Electronic Access Point
• EACMS – Electronic Access Control and Monitoring Systems
• ESP – Electronic Security Perimeter
• ERC – External Routable Connectivity
• IRA – Interactive Remote Access
• PACS – Physical Access Control Systems
• PSP – Physical Security Perimeter
• PCA – Protected Cyber Asset
*Not a comprehensive list
CIP v5 Standards
• Most recent set of approved CIP Standards
• Mandatory and Enforceable 4/1/2016
• NERC CIP v5 Transition Guidance provides entities an opportunity to move to v5 now
Decrypting CIP v5
CIP-002-5.1
• BES Cyber System Categorization
  – BES Cyber System (BCS)
    • One or more BES Cyber Assets logically grouped together that perform one or more reliability tasks
    • Example: EMS, SCADA
CIP-002-5.1
• BES Reliability Operating Services (BROS)
  – Support defining BES Cyber Systems
  – See CIP-002-5.1 Attachment 1
    • Monitoring & Control
    • Restoration of BES
    • Situational Awareness
*Not a comprehensive list
CIP-003-6
• Security Management Controls
  – Policies that support CIP-004 – CIP-011 Objectives
    • Example: Personnel & Training, Electronic Security Controls, Physical Security Controls
  – Low Impact Controls (Mandatory & Enforceable 2017)
  – Identification of CIP Senior Manager responsible for entity CIP Compliance Program
CIP-004-6
• Personnel & Training
  – Quarterly Security Awareness
  – Training
  – Personnel Risk Assessment (PRA)
  – Access Management
    • Logical and physical
CIP-005-5
• Electronic Security Perimeter(s)
  – Establishing a logical border around BES Cyber Assets with routable connectivity
  – Access Control, Authentication mechanisms
  – Detection of possible malicious communication at the logical border
  – Interactive Remote Access
    • Encryption
    • Multifactor authentication
CIP-005-5 Interactive Remote Access
[Diagram: Interactive Remote Access path, labels recovered from the slide]
• Remote User w/ Thumb Reader
• IPsec VPN Tunnel: Access Control via ACS, AD, Biometric
• RDP From Remote Host to Corp Host or Jump Host: Access Control via AD & Biometric
• RDP From Corp Host to Jump Host: Access Control via AD & Biometric
• Jump Host to BCA/PCA: Access Control via AD/local auth
• BCA/PCA to Jump Host
CIP-006-6
• Physical Security
  – Operational and procedural controls to restrict physical access
  – Physical access controls, monitoring of physical access, alert & alarm
  – Pay close attention to the applicable systems column
  – Physical access logging
  – Visitor escort procedures
CIP-007-6
• System Security Management
  – Ports & Services
    • Includes physical ports
  – Security Patch Management
    • Tracking & evaluation
  – Malicious Code Prevention
    • Deter, detect or prevent (BES Cyber System Level)
  – Security Event Monitoring
    • Log and generate alerts for security events
CIP-007-6
• System Security Management
  – System Access Control
    • Interactive user access authentication
    • Account management
      – Default, generic, shared accounts
      – Password management
CIP-008-5
• Cyber Security Incident Response
  – Incident identification / classification
  – Reporting to Electricity Sector Information Sharing & Analysis Center (ES-ISAC)
  – Annual testing of the Cyber Security Incident Response Plan
  – Document lessons learned, communication plan
CIP-009-5
• Recovery Plans for BES Cyber Systems
  – Develop a recovery plan
  – Backup and storage of information used for recovery
  – Testing every 15 months
    • Recovery from an incident
    • Paper drill or table top
    • Operational exercise
  – Testing every 36 months
    • Operational Exercise
    • Pay close attention to Applicable Systems column
    • High Impact BES Cyber Systems only
  – Document lessons learned, update, communicate
CIP-010-2
• Change Management / Vulnerability Assessment
  – Baseline Configuration for BES Cyber Systems
  – Authorize & document changes within 30 days of completing the change
  – Pay close attention to applicable systems column
  – Configuration Monitoring (High Impact BES Cyber Systems)
  – Vulnerability Assessment every 15 months
  – Active Vulnerability Assessment every 36 months
• Transient Cyber Assets
  – CIP-010-2 Attachments 1 & 2
CIP-011-2
• Cyber Security – Information Protection
  – Identification of BES Cyber System Information
  – Secure procedures
    • Storage, handling, transit, use
  – Reuse & Disposal
CIP-014-2
• Physical Security Substations and Transmission Control Centers
  – Identification of facilities via transmission analysis
  – Threat and Vulnerability Assessment
  – Tactical Security Plan
  – Required 3rd party reviews
Upcoming CIP Events
• CIP Low Impact Event – July 7-8 San Ramon, CA.
• Registration information
Helpful Links
• http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
• http://www.ferc.gov/whats-new/comm-meet/2013/112113/E-2.pdf
• http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx
• https://www.wecc.biz/TrainingAndEducation/Pages/Compliance.aspx
CIP Subject Matter Experts
Questions
Brent Castagnetto, Manager, Cyber Security Audits and Investigations
[email protected]
Upcoming Events
• WECC Compliance 101 Webinar - May 21, 2015
• WECC CUG/CIPUG Conference – Portland, OR - June 2 – 4, 2015
• CIP Low Impact Training – San Ramon, CA – July 7 – 8, 2015