CIP-006 V3 to CIP-006 V5 Transition Overview 5/14/2014 V5 Outreach Salt Lake City, UT
Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Salt Lake City, UT Office

Revision History of Road Show
• Lessons Learned updates to slide deck
CIP-006 Change History Date
R1 Added R1.10 5/8/2014 NERC SDT addition per FERC Order

Speaker Intro: Darren T. Nielsen, CISA, CPP, PCI, PSP,
• 24 years Physical Security Experience
o Marine Corps Veteran (PRP)
o Retired Law Enforcement Officer
o 7 years Critical Infrastructure Protection Program
o ASIS Utilities Security Council – Chairman
o ASIS Physical Security Council
o Education: M.Ad. (Leadership Emphasis) w/Distinction - Northern Arizona University
o BA - Police Science - Ottawa University (Summa Cum Laude)

Purpose of V5 transition Presentation
• Provide a basic overview of the changes
• Share WECC audit approach
• Provide examples of Best Practices
• Answer questions to assist your compliance efforts

Summary of CIP-006-5 Changes
Physical Security Program
o Must define the operational or procedural controls to restrict physical access
o Removed current “6 wall” wording to instead require a Physical Border - PSP
o For High Impact, added the need to utilize two or more different and complementary physical access controls to restrict physical access
o Testing changed to a 24-month cycle
http://www.nerc.com/pa/Stand/Project20086CyberSecurityOrder706Version5CIPStanda/Mapping_Document_for_CIP_V5_Clean_(2012-0911).pdf

CIP-006-5 - Physical Security of BES Cyber Systems
• A new Purpose… and some new language
• To manage physical access to “BES Cyber Systems” by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

New language to assist going forward
• High Impact BES Cyber Systems –
• Medium Impact BES Cyber Systems –
• Medium Impact BES Cyber Systems without External Routable Connectivity –
• Medium Impact BES Cyber Systems with External Routable Connectivity –
o This also excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity.

New language (Continued)
• Physical Access Control Systems (PACS) – Applies to each Physical Access Control System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.

New language (Continued)
• Locally mounted hardware or devices at the Physical Security Perimeter – Applies to the locally mounted hardware or devices (e.g. such as motion sensors, electronic lock control mechanisms, and badge readers) at a Physical Security Perimeter associated with a referenced high impact BES Cyber System or medium impact BES Cyber System with External Routable Connectivity, and that does not contain or store access control information or independently perform access authentication. These hardware and devices are excluded in the definition of Physical Access Control Systems.

You're now bilingual CIP personnel (end of new language)
• Protected Cyber Assets (PCA) – Applies to each Protected Cyber Asset associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.
• Electronic Access Control or Monitoring Systems (EACMS) – Applies to each Electronic Access Control or Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems.

CIP-006-5 — R1
A new look - Requirements and Measures
• A substantive change to your Plan.. now becomes a program. No Annual Approval.

CIP-006-5 — R1.2
A new look - Requirements and Measures
• Methods to control, log and monitor access remain the same as CIP-006-3 R4, R5, and R6

CIP-006-5 — R1.2
A new look - Requirements and Measures
o Aligns to old V3 for CCAs and protecting PACS assets.

CIP-006-5 — R1.3
A new look - Requirements and Measures
• Major Change - Physical Access control to High Impact BES Cyber Systems assets
For physically layered protection, a locked gate in combination with a locked control-building could be acceptable, provided no single authenticator (e.g., key or card key) would provide access through both.

CIP-006-5 — R1.3 – Audit Approach
• Two forms of access control means access needs to require two of the following:
1. Something you know (PIN, password, etc.)
2. Something you are (biometrics, security guard identity verification, etc.)
3. Something you have (Hard key, token, card key, etc.)

CIP-006-5 — R1.3 – Audit Approach
Methods of physical access control include:
• Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
• Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.
• Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station.
• Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access into the Physical Security Perimeter.

CIP-006-5 — R1.4
A new look - Requirements and Measures
This is the old CIP-006-3 R5 Monitoring Requirement

CIP-006-5 — R1.5
A new look - Requirements and Measures
More of the old R5 for High Impact and Medium with ERC within 15 minutes

CIP-006-5 — R1.6
A new look - Requirements and Measures
• Specific to PACS associated with… this is the old CIP-006 R2.1 with a twist. PACS must now be monitored in addition to the Physical Security Perimeter.

CIP-006-5 — R1.7
A new look - Requirements and Measures
NOTE: within 15 minutes for “detected” UA access to a PACS. Added notification emphasis to contact identified in CSIRP.

CIP-006-5 — R1.8
A new look - Requirements and Measures
• Logs requirement (old CIP-006-3 R6)

CIP-006-5 — R1.9
A new look - Requirements and Measures
• Log retention stays the same (Old V3 - R7)

CIP-006-5 — R1.10 (in work SDT)

CIP-006-5 — R2
A new look - Requirements and Measures
• Visitor Control Program Old (V3 R1.6)
• Added CIP Exceptional Circumstances

CIP-006-5 — R2.2 & 2.3
A new look - Requirements and Measures
• Major change: log visitor only once per day. (Initial entry and exit) - Point of Contact req.
• Maintain logs for 90 days (R2.3)

CIP-006-5 — R3
A new look - Requirements and Measures
• Testing & Maintenance (CIP-006-3 R8) changed from 3 year to 2 year cycle

Physical Access Controls
• Key Control Program
o Who has them?
o How do you log the use of a hard key?
o Is an alarm triggered when the door is opened?
o Do they have a PRA?
o Training

Logging
• Visitor/escort forgets to log out.
• Are you in a Possible Violation situation?
o Can you retrieve data via Cameras?
o Other Logs?
o Ask and update to ensure completeness of logs.

At Your Service
• PSWG - Get plugged in!
• http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• Phone call away - We want to help.
• Always willing to provide our “audit approach”

Questions?
Darren T. Nielsen, M.Ad, CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 857-9134