Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security

CIP-008-5, 009-5, & TFEs

May 14, 2014

CIP v5 Roadshow – Salt Lake City, UT


Agenda

  • Applicability

  • Implementation

  • CIP-008-5 & 009-5

    • Overview

    • Audit Approach

    • Tips

  • TFEs and CIP v5


Goal

Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5


CIP-008-5 Purpose

“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”


CIP-008-5 Applicability

  • High Impact BES Cyber Systems (R1-R3)

  • Medium Impact BES Cyber Systems (R1-R3)


CIP-008-5 Implementation

  • By April 1, 2016

    • All of CIP-008-5, except as noted below

  • On or before April 1, 2017:

    • CIP-008-5, Requirement R2, Part 2.1

    • CIP-008-5, Requirement R3, Part 3.1


CIP-008-5 R1 Overview

  • Ingredients of the Cyber Security Incident Response Plan

    • Identify, classify, and respond to Cyber Security Incident (CSI)

    • Process to determine if CSI is a Reportable CSI (RCSI)

    • Notify ES-ISAC within 1 hour of determination of RCSI

    • Roles and responsibilities

    • Incident handling procedures


CIP-008-5 R1 Audit Approach

  • Documentation requirement

    • Does the CSIRP address each Part of R1?

    • Does the CSIRP tie all the necessary resources together?

    • Revision history with sufficient details


CIP-008-5 R1 Tips

  • Man on the street(ish) test

    • Can someone else in your organization pick up the CSIRP and have everything they need to respond?

  • Roles and responsibilities may include contact lists with names/numbers/emails

  • The assumption is that you will have Cyber Security Incidents; the emphasis is on RCSIs and the criteria used to determine elevation of a CSI to an RCSI

  • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends


CIP-008-5 R2 Overview

  • Annual test of CSIRP

    • Actual Incident

    • Paper

    • Operational

  • Use the plan during annual test & document any deviations from the plan

  • Retain records of Incidents


CIP-008-5 R2 Audit Approach

  • Performance Requirement:

    • How has the plan been implemented?

    • How do you test/exercise the plan?

    • Did you document deviations from the plan during exercise/test?

    • How are records kept and where?


CIP-008-5 R2 Tips

  • Any time the words “test” or “exercise” are used, lessons learned should follow. If you have no lessons learned, you may not be doing it right

  • It’s ok to get a little creative with test and exercise scenarios


CIP-008-5 R3 Overview

  • Complete within 90 days of a test/exercise or actual Incident response:

    • Document lessons learned

    • Update the Plan

    • Notify responsible parties of updates

  • Complete within 60 days of a change in roles/responsibilities/technology:

    • Update the Plan

    • Notify responsible parties


CIP-008-5 R3 Audit Approach

  • Performance Requirement:

    • Updates tracked through revision history or other means of sufficient detail

    • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed

    • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.


CIP-008-5 R3 Tips

  • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.

  • Suggest outlining in the actual plan how this is supposed to happen


CIP-008-5

Questions?



CIP-009-5 Purpose

“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”


CIP-009-5 Applicability

  • High Impact BES Cyber Systems (2.3)

  • Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)

  • High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)

  • Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)


CIP-009-5 Implementation

  • By April 1, 2016

    • All of CIP-009-5, except as noted below

  • On or before April 1, 2017:

    • CIP-009-5, Requirement R2, Parts 2.1, 2.2

    • CIP-009-5, Requirement R3, Part 3.1

  • On or before April 1, 2018:

    • CIP-009-5, Requirement R2, Part 2.3


CIP-009-5 R1 Overview

  • Ingredients of the recovery plan

    • Conditions for activation of the plan

    • Roles and responsibilities

    • Process for backup and storage

    • Process to verify successful completion of backups

    • Process to preserve data



CIP-009-5 R1 Audit Approach

  • Documentation requirement

    • Does the plan (or plans) address all processes required?

    • Review associated procedures, flowcharts, etc.

    • Revision history with sufficient details


CIP-009-5 R1 Tips

  • Two new Requirement Parts (1.4 & 1.5): read carefully, plan accordingly

  • Regurgitating the Requirement language does not constitute developing a program/process

  • Man on the street(ish) test

    • Can someone else in your organization pick up the CSIRP and have everything they need to respond?

  • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends


CIP-009-5 R2 Overview

  • Annual test of recovery plan

    • Actual Incident

    • Paper

    • Operational

  • Test a representative sample of backups to ensure validity and compatibility

  • Operational exercise required at least once every 36 months for High Impact BES Cyber Systems



CIP-009-5 R2 Audit Approach

  • Performance Requirement:

    • How has the plan been implemented?

    • How do you test/exercise the plan?

    • Representative sample: how did you determine the sample set?

    • Documentation of test/exercise, outcomes & lessons learned


CIP-009-5 R2 Tips

  • R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate documents

  • Focus on the outputs of R2: what are the deliverables?

    • Part 2.3: the first full operational exercise must occur by 4/1/2017, then at least once every 36 months


CIP-009-5 R3 Overview

  • Complete within 90 days of a test/exercise or actual recovery:

    • Document lessons learned

    • Update the plan

    • Notify responsible parties of updates

  • Complete within 60 days of a change in roles/responsibilities/technology:

    • Update the plan

    • Notify responsible parties


CIP-009-5 R3 Audit Approach

  • Performance Requirement:

    • Updates tracked through revision history or other means of sufficient detail

    • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed

    • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.


CIP-009-5 R3 Tips

  • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.

  • Good idea to outline in the actual plan how this is supposed to happen


CIP v5 and TFEs

  • TFEs will be necessary in v5

  • Definitive list of Requirements/Parts to be determined; 9 contain the phrase “where technically feasible”

  • Appendix 4D will be updated to accommodate v5

  • webCDMS will be updated as necessary

  • Streamlined process will remain in place


Resources, References, & Light Reading

  • NERC v3 to v5 mapping document

  • FERC Order 791

  • 2011 v5 SDT Presentation

  • DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability

  • NIST Computer Security Incident Handling Guide


Bryan J. Carr, PMP, CISA

Compliance Auditor, Cyber Security

O: 801.819.7691

M: 801.837.8425

[email protected]

Questions?

