RELIABILITY | RESILIENCE | SECURITY
Maintaining CMEP Evidence and Workflow Documentation Stakeholder Webinar
January 27, 2020
Jim Robb, President and CEO, NERC
Why?
1. Drive alignment and consistency in Regional Entity CMEP practices to ensure more equity in outcomes for Registered Entities
2. Improve the security of handling highly sensitive information
3. Capture productivity gains
Harmonization Activities
• Critical component of the Align implementation.
• Primary goal is to address the inconsistencies in processes, approach, and engagement with the Registered Entities.
• Harmonized 53 processes, including the approach to maintaining Registered Entity evidence and CMEP workflow documentation.
• Harmonization activities will continue with Align and locker deployment, and ongoing as needed.
Sara Patrick, President and CEO, MRO; Align Executive Sponsor
Webinar Objectives
• Update on Align, including demo
• Introduce locker concept
• Provide high level information on Align and locker security
• Provide examples of workflow and work papers in Align
• Request input and feedback on webinar content
• This webinar will be posted to the NERC website
• Questions? Send them to [email protected]
Webinar Agenda Topics
• Benefits
• Recap the Journey
• Maintaining and Securing Evidence and Information Guiding Principles
• Align Application Security
• Evidence Lockers Introduction and Security
• Align Demo
• ERO Enterprise Documentation in Align
• Workflow and Work Paper Examples and Scenarios
• Next Steps and Webinar Close
Align Project Update – How does this benefit you?
Moving to a common platform will provide:
• Alignment of common CMEP business processes, ensuring consistent practices and data gathering
• A standardized interface for Registered Entities to interact with the ERO Enterprise
• Real-time access to information, eliminating delays and manual communications
• Consistent application of the CMEP
• More secure method of managing and storing CMEP data
Recap – Align Milestones
• December 2016 – Steering Committee selects partner (Deloitte)
• November 2017 – NERC Board Approves Align Business Case
• March 2018 – Steering Committee selects solution (BWise)
• June 2018 – Release 1 development begins
• March 2019 – Regional SMEs review R1 initial prototype
• December 2019 – R1 development and testing complete
Recap – Stakeholder Outreach
• Stakeholder formal outreach conducted:
  o March 21, 2019
  o July 31, 2019
  o October 15, 2019
  o January 27, 2020 – Today’s webinar
• Other outreach with Compliance and Certification Committee (CCC), trades and informal touchpoints.
Guiding Principles
• All Registered Entity provided evidence* will go into the Registered Entity or ERO Enterprise locker (any Registered Entity locker must meet certain criteria the ERO Enterprise develops for functionality, access, etc.).
• ERO Enterprise workflow and work products will be in the ERO Enterprise Align tool.
• The ERO Enterprise will enhance ERO Enterprise work products (e.g., working papers) to support conclusions without the need to store data for extended periods, minimizing a data protection risk.
*Unless prohibited by a standard
NOTE: Achieving this will occur via training, guidance, oversight activities and other outreach
Justin Lofquist, NERC IT
Align Application Security
Align – Application Security
• Consistent with industry-recognized cybersecurity standards frameworks
• Principles
  o Data identification, classification, management, and destruction
  o Aggressive management of role-based credentials
  o Evidence and data separation and isolation
  o Control processes and auditing
Align – Application Security
• Application, patch release and network cyber testing
• Multi-factor authentication for user access
• Activity logging and 24x7 system monitoring
• Geo-blocking
• CRISP monitoring for CRISP participants and NERC
• Encryption at-rest and in-transit
  o Virtualization and database layer
  o NERC (customer) controlled encryption key management
• File integrity monitoring
• Anti-virus appliances
Align – Application Security
• Boundary Controls
  o Isolated Virtual Network
  o Intrusion Detection and Prevention devices
  o Web Application Proxies
  o Next-Gen Firewall
  o Network Traffic Analytics and Log collector
• Enterprise Vulnerability Scanning
Evidence Locker
Evidence Locker Topics
• What it is
• How it will work
• User scenarios
• How we will keep the information secure
• Can entities set up their own locker? And what are the requirements?
Evidence Locker Overview
• A highly secure, isolated on-premise environment
  o Purpose-built to collect and protect evidence
  o Enables submission by authorized and authenticated entity users
  o Provides compartmentalized analysis of evidence in temporary, isolated, disposable environments
  o No interfaces with any other systems
• Evidence
  o Is encrypted immediately upon submission
  o Is securely isolated per entity
  o Is never extracted
  o Is never backed up
  o Is subject to proactive and disciplined destruction policies
Systems Communications
(Diagram: Evidence Locker; Align; CORES Registration System (Contacts and Business Roles); Registered Entities*; Standards & Requirements*. Connections to Align are labelled "Secured information exchange"; the Evidence Locker is labelled "No information exchange".)
*Publicly available
Entity Locker – How will it work? Conceptual Overview
(Diagram: Lobby, Evidence Room containing the LOCKER, and Offices; the following slides walk through the sequence.)
1. Registered Entity goes to Lobby
2. Registered Entity provides evidence to Custodian
3. Custodian moves evidence to Locker
4. ERO Monitoring and Enforcement Staff (Authorized CMEP Personnel) reviews evidence
5. Custodian destroys evidence when work is complete
Evidence Locker - How will it work? Technical Implementation
(Diagram: ERO Enterprise Evidence Analysis Locker; components as labelled on the slide)
• Registered Entity User – MFA authentication – Secure File Transfer
• Enterprise Content Management – Encryption; Regionally Specific Routing Rules; Management Utilities – Locker(s)
• Authorized CMEP Personnel – MFA authentication – Analysis Environment – Auditor Session (auditor tools, disposable) – Locker
• System Administrator – MFA – Privileged Session Server
Use Cases, Key Examples and Scenarios
• Entity User – On-boarding and Submission
  o Obtain an ERO Portal Account (https://EROPortal.nerc.net)
  o Request access to the evidence locker for your entity through the ERO Portal and be vetted by your Entity Administrator
  o Navigate to the ERO Evidence Locker URL (TBD) and supply your username / password
  o Redirect to MFA and receive and approve a push to your mobile phone
  o Land on the home page of the ERO Evidence Locker
  o Choose certain meta-data (e.g. type of evidence, violation ID) and upload evidence
  o Receive an email confirmation of submission, which includes date of submission and a hash of the evidence submitted. This hash can be used to confirm integrity of the evidence file(s).
  o In the case of evidence locker failure, all evidence will require resubmission
Use Cases, Key Examples and Scenarios
• CMEP staff – Analysis
  o CMEP staff will access through an internal-facing, non-public URL
  o Access will only be provided through Regional offices; access from the field will require a VPN connection into the regional network
  o CMEP staff will authenticate with credentials and also MFA
  o CMEP staff will launch a web browser within a virtual desktop environment to access a specific locker of evidence
  o No other network access will be permitted in the virtual environment, including outbound communications
  o Once complete, virtual desktops are logged out and recycled.
Use Cases, Key Examples and Scenarios
• NERC System and Security Administrator – Access and Operations
  o Administrators will access a secure URL of a privileged session server, and authenticate with MFA
  o All devices and applications within the environment are accessed through remote desktop (RDP) with secure shell (SSH) and HTTPS
  o Read-only access to a managed file transfer server (SFTP) via RDP for external documentation and system patches – no external network access permitted
  o No access to evidence files
Evidence Locker - Security
• Adherence to NIST 800-171(b) security framework
• Encryption
  o File-level encryption at point of entry
  o All traffic encrypted (inbound and within walls)
• Outbound communications limited to e-mail (SMTP) and security information and event (SIEM) logs
  o No ability to extract evidence
• Analysis environment destruction upon log out
• No direct access to the evidence
  o Secure File Transfer -> Locker
  o Analysis Environment -> Locker
• File level permissions applied to evidence
Evidence Locker - Security
• Boundary Protections
  o Web-application Next-Gen firewall – inspection of all HTTPS traffic
  o Application Proxies
  o Geo-blocking
• Intrusion detection and prevention
  o Endpoint Detection and Response Management Server – forensic endpoint monitoring and logging
  o Enterprise Vulnerability Scanning appliance
  o ICAP Server: virus / malware protection
Evidence Locker - Security
• Internal Controls
  o Integrated, key-based authentication (PKI)
  o Micro-segmentation Firewall
  o Auditing of all activities and file actions
  o Network Traffic Analytics and Log collector
  o Privileged Access Management Service
  o Patch Management Server
Evidence Locker - Security
• Entity Access
  o Multi-factor authentication (MFA)
  o Distributed Authorization
• CEA access
  o Multi-factor authentication
  o IP-restricted, VPN connections only
• System Administrators
  o Multi-factor authentication
  o Privileged Session Server (Jump Box) on NERC premises – no internet access
  o No access to evidence
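Added example, not part of the deck or of the locker implementation: the slides say every activity and file action is audited and forwarded to a SIEM, so the natural detection content is a check that each record respects the access rules stated across the security slides (administrators have no access to evidence, every role authenticates with MFA, CEA access is IP-restricted to VPN or regional-office connections, the analysis environment's outbound traffic is limited to SMTP and SIEM logs, and evidence is isolated per entity). The JSON-lines record format, field names, source labels and user names below are assumptions constructed for the example; the real locker's log format is not described on the slides.

```python
import json

# Constructed audit records in the shape this example assumes (one JSON object
# per line). Sources, users and entity names are placeholders.
SAMPLE_AUDIT_LOG = """\
{"ts":"2020-01-27T14:00:01Z","user":"entity-user-1","role":"entity","entity":"ENTITY-A","mfa":true,"source":"internet","action":"upload","target":"locker/ENTITY-A/file1.pdf"}
{"ts":"2020-01-27T14:05:12Z","user":"auditor-7","role":"cmep","entity":"ENTITY-A","mfa":true,"source":"regional_vpn","action":"read","target":"locker/ENTITY-A/file1.pdf"}
{"ts":"2020-01-27T14:06:40Z","user":"auditor-7","role":"cmep","entity":"ENTITY-A","mfa":true,"source":"regional_vpn","action":"egress","target":"siem:514"}
{"ts":"2020-01-27T14:07:03Z","user":"auditor-7","role":"cmep","entity":"ENTITY-A","mfa":true,"source":"regional_vpn","action":"egress","target":"https:443"}
{"ts":"2020-01-27T14:09:30Z","user":"sysadmin-2","role":"admin","entity":null,"mfa":true,"source":"jump_box","action":"read","target":"locker/ENTITY-A/file1.pdf"}
{"ts":"2020-01-27T14:11:15Z","user":"auditor-9","role":"cmep","entity":"ENTITY-B","mfa":false,"source":"regional_office","action":"read","target":"locker/ENTITY-B/file2.xlsx"}
{"ts":"2020-01-27T14:12:50Z","user":"auditor-9","role":"cmep","entity":"ENTITY-B","mfa":true,"source":"hotel_wifi","action":"read","target":"locker/ENTITY-B/file2.xlsx"}
{"ts":"2020-01-27T14:15:00Z","user":"entity-user-1","role":"entity","entity":"ENTITY-A","mfa":true,"source":"internet","action":"read","target":"locker/ENTITY-B/file2.xlsx"}
"""

# CEA (CMEP) access is IP-restricted to regional offices and VPN connections.
CEA_SOURCES = {"regional_office", "regional_vpn"}
# Outbound communications are limited to e-mail (SMTP) and SIEM logs.
ALLOWED_EGRESS = {"smtp", "siem"}
# Actions that touch an evidence file.
FILE_ACTIONS = {"read", "upload", "download", "delete"}


def evidence_entity(target: str):
    """Return the owning entity for a target like locker/<ENTITY>/<file>, else None."""
    parts = target.split("/")
    return parts[1] if len(parts) >= 3 and parts[0] == "locker" else None


def check_record(rec: dict) -> list:
    """Return the names of the rules this single audit record violates."""
    findings = []
    if not rec["mfa"]:                      # every role authenticates with MFA
        findings.append("no-mfa")
    owner = evidence_entity(rec["target"])
    if rec["action"] in FILE_ACTIONS and owner:
        if rec["role"] == "admin":          # administrators have no access to evidence
            findings.append("admin-touched-evidence")
        if rec["role"] == "cmep" and rec["source"] not in CEA_SOURCES:
            findings.append("cmep-outside-vpn")
        if rec["role"] == "entity" and owner != rec["entity"]:
            findings.append("cross-entity-access")   # evidence is isolated per entity
    if rec["action"] == "egress":
        proto = rec["target"].split(":")[0]
        if proto not in ALLOWED_EGRESS:
            findings.append("unexpected-egress:" + proto)
    return findings


def detect(log_text: str) -> list:
    """Scan JSON-lines audit text; return (line_no, user, rule) for each violation."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        for rule in check_record(rec):
            alerts.append((line_no, rec["user"], rule))
    return alerts


if __name__ == "__main__":
    for line_no, user, rule in detect(SAMPLE_AUDIT_LOG):
        print(f"line {line_no}: {user}: {rule}")
```

Each rule maps to one control the slides name, so a hit is a control that did not hold (or a logging gap worth chasing) rather than a generic anomaly; the admin rule in particular is the separation the deck relies on between people who run the locker and people who may see what is in it.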
Can I set up my own locker?
• Yes… it must be available and validated before it is authorized for use for CMEP activities
  o Data Availability
    o initial timeliness
    o 24 x 7 availability with advanced notification of scheduled maintenance
  o Analysis tools availability (e.g. NP-View, RAT-STATS, MS Office, Adobe Acrobat)
  o Assurance of data integrity (e.g. hash, digital certificates)
  o CEA login through NERC’s federated authentication services (SAML-based CBA)
• No change in retention obligation (e.g. if the locker is retired, the requirement still exists for CEA access to evidence)
Andy Rodriquez, NERC IT; Align Release 1 Functionality and Activities
Align Demonstration
Align Release 1: What to expect as a registered entity?
Stakeholder Group: Registered Entities
Release 1 Functionality:
• Create and submit Self-Reports and Self-Logs
• Create and manage mitigating activities (informal) and Mitigation Plans (formal)
• View and track Open Enforcement Actions (EAs) resulting from all monitoring methods
• Receive and respond to Requests for Information (RFIs)
• Receive notifications and view dashboards on new/open action items
• Generate report of Standards and Requirements applicable to your entity
• Manage user access for your specific entity
Next Steps – What to Expect
• Complete final quality assurance activities, testing, and remediation
• Finalize design and technology selections for ERO Enterprise Evidence Locker and build
• Perform final Standards data export from existing systems and import into Align
• Perform load of Functional Registrations into Align
• Develop and deliver training for Align Release 1 and use of ERO Enterprise Evidence Locker
• Continue with stakeholder communications, engagement, and organizational change management initiatives
Align Demonstration
ERO Enterprise Information and Documentation Examples to be Stored and Protected
Curtis Crews, Texas RE CMEP
Ed Kichline, NERC Enforcement
Jeff Norman, MRO CMEP
Lonnie Ratliff, NERC CIP Compliance
Workflow Documentation and Work Paper Enhancements
• ERO Enterprise CMEP Business Practice Enhancements
  o Re-evaluate access/possession/retention of entity documents and data
  o Separating CMEP planning, business workflow and work papers versus evidence location
  o Proactive and disciplined destruction policy
  o Clarify workflow and work paper documentation expectations
Align Content – Compliance Monitoring
Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.
Align Content – Enforcement
Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.
Example slides (slide content not captured in this transcript):
• Example: IRA Questionnaires / IRA Questionnaire (2 slides)
• Example: IRA and COP Work Papers (2 slides)
• Example: IRA and COP Summary
• Example: Request for Information
• Example: RSAW with Auditor Notes (2 slides)
• Example: Preliminary Finding and Risk Harm Assessment
• Example: Compliance Audit Report (2 slides)
• Example: Self-Certification
• Example: Periodic Data Submittal
Enforcement Considerations
• Almost 80% of noncompliance is identified by registered entities
• Registered entities will produce much of the content within Align
  o Self-Reports and Self-Logs
  o Mitigation activities, including Mitigation Plans
• Outreach and training for registered entities on what should go into Align and what should go into a locker
  o Content of narratives in Self-Reports and Mitigation Plans
• Training for ERO Enterprise personnel on how to document the assessment of materials provided by registered entities
  o Align should not replicate information included in a locker
Example slides (slide content not captured in this transcript):
• Self-Report Example (2 slides)
• Mitigation Plan Examples
• Mitigation Verification Example
• Evidence resides in a stand-alone tool• Additional involvement for access, authentication Learning curve Security-focused destruction and none-backup policies may require limited
resubmittal of evidence
• Expectations and obligations for retention responsibilities• Additional training and outreach opportunities
What this means to Registered Entities
What this means to ERO Enterprise
• Enhanced and harmonized work flow and documentation
• Additional infrastructure development and maintenance costs
• Expectations and obligations for retention
  o Possible ROP changes to support
  o Implications of entity responsibility to retain copy
• Complexity and resource considerations for engagement or processing activities
• Overall, there may be some pain points as with any implementation, but we are in this together.
Jim Albright, Vice President and COO, Texas RE; Align Steering Committee Chair
Summary
• Align and locker are secure and functional solutions to maintaining CMEP evidence and work flow documentation
• Implementation will require coordination and collaboration
• Training will be provided.
• Harmonization efforts and tool implementation result in improved CMEP.
• Continued input and feedback are crucial for success.
Next Steps
• Timing of Align Phase 1 Roll-out and locker criteria: 2nd Half of 2020
• Align and locker training: In coordination with Align and locker deployment dates
• Training: Ongoing and in coordination with Align and locker deployment dates
• Continued formal and informal outreach: Ongoing.
Questions
• All questions welcomed.
• Submit questions to the [email protected] email address with your name and company.
• We will review questions received today (January 27) and post an initial consolidated FAQ to the Align project page this Friday, January 31, 2020.
• We will update the FAQ as necessary on a rolling basis every Friday in February and twice a month through Q2 2020.