1 / 74

CIP - Cyber Security Training

CIP - Cyber Security Training. Purpose and Objectives. 2. Purpose To train personnel on the procedures and program controls that implement the mandatory NERC Standard requirements for BES Cyber Security and to ensure that

helenpotter
Download Presentation

CIP - Cyber Security Training

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIP - Cyber Security Training

  2. Purpose and Objectives 2 • Purpose • To train personnel on the procedures and program controls that implement the mandatory NERC Standard requirements for BES Cyber Security and to ensure that • personnel understand the importance of and responsibilities for compliance with the Cyber Security policies and practices. • Objectives • Cyber Security • NERC Standard CIP-002 • NERC Standard CIP-003 • Cyber Security Awareness • Physical Security Controls • Electronic Access Controls • Cyber Security Incident Response

  3. Cyber Security

  4. What is Cyber Security? 4 • In general, cyber security is the use of technologies, processes, and practices to protect networks, computers, programs and data from attack, damage or unauthorized access. • Think of protecting your personal computer. • Protect from malicious electronic access: • Anti-virus Software • Internet Firewall • Encryption Software • Anti-malware • Protect from physical access: • Locked access - ID and Password • Locked car/home/office • The electric industry uses cyber systems in its operations. If not secure, the Bulk Electric System (BES) is more vulnerable to attacks and loss of service.

  5. What is the BES? 5 The Bulk Electric System (BES) is: …all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher… The BES generally includes (some exclusions apply – see NERC definition): • Transformers • Generating resources • Blackstart resources • Dispersed power producing resources that aggregate to a total capacity greater than 75 MVA. • Static or dynamic devices dedicated to supplying or absorbing Reactive Power

  6. National BES Cyber Security Initiatives 6 NERC’s Mission: Ensure that the Bulk Electric System (BES) in North America is reliable. Dept. of Homeland Security - Office of Infrastructure Protection Mission: To lead the national effort to secure critical infrastructure from all hazards by managing risk and enhancing resilience… Dept. of Energy (DOE): Addressing cybersecurity is critical to enhancing the security and reliability of the nation’s electric grid. Ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure that other sectors depend upon to deliver essential services.

  7. NERC Requirements 7 NERC is addressing improvements in BES Cyber Security through changes to Critical Infrastructure Protection (CIP) Reliability Standards. The level of Cyber Security Controls are based upon the impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation. CIP-002 – BES Cyber System Categorization Requires an impact evaluation that categorizes the BES Cyber System to determine what level of cyber security controls are required. CIP-003 – Security Management Controls Specifies the security management controls required to protect BES Cyber Systems based upon the BES Cyber System Categorization.

  8. CIP-002 - BES Cyber System Categorization

  9. CIP-002 9 Definitions BES Cyber Asset (BCA) – A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non‐operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. BES Cyber System (BCS) – One or more BES Cyber Asset logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. Control Center – One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data center, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.

  10. CIP-002 10 Definitions Cyber Asset – Programmable electronic devices, including the hardware, software, and data in those devices.

  11. CIP-002 11 R1:Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: I. Control Centers and backup Control Centers; II. Transmission stations and substations; III. Generation resources; IV. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching operation of the Bulk Electric System; and V. Special Protection Systems that support the reliable operation of the Bulk Electric System; and VI. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above. R1.1: Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset; R1.2: Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; R1.3: Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

  12. CIP-002 12 R2: The Responsible Entity shall: R2.1: Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and R2.2: Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

  13. CIP-002 13 CIP-002 Procedure Provides the process for Impact Evaluations to determine what level of cyber security requirements apply: • High Impact • Medium Impact • Low Impact Responsibilities The CIP Senior Manager shall review, update, and approve CIP Impact Evaluations and Cyber Asset Categorizations annually (not to exceed 15 months).

  14. CIP-002 14 Details • Use Attachment 1 of the procedure (Impact Rating Criteria) to evaluate all BES Cyber Systems annually (not to exceed 15 months). • Categorize the BES Cyber Systems. • High Impact – Control Centers and backup Control Centers that perform specified reliability functions. • Medium Impact – Generation Facilities, Reactive Resources, Transmission Facilities, Special Protection Systems, Control Centers and backup Control Centers that meet specified criteria. • Low Impact – Not High or Medium Impact • CIP Senior Manager reviews and approves annual evaluations and categorizations. • If the Impact Rating has changed, re-evaluate CIP Standards to ensure compliance.

  15. CIP-002 – Attachment 1 15

  16. CIP-002 – Attachment 1 16

  17. CIP-002 – Attachment 1 17

  18. CIP-002 – Attachment 1 18

  19. CIP-002 – Attachment 1 19

  20. CIP-002 – Attachment 1 20

  21. CIP-002 21 Review this Procedure for additional specific details: PRO-CIP-002 – BES Cyber System Categorization

  22. CIP-003 – Security Management Controls

  23. CIP-003 • R1: Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: • R1.1 For its high impact and medium impact BES Cyber Systems, if any: R1.1.1 Personnel and training (CIP-004); R1.1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; R1.1.3 Physical security of BES Cyber Systems (CIP-006); R1.1.4 System security management (CIP-007); R1.1.5Incident reporting and response planning (CIP-008); R1.1.6 Recovery plans for BES Cyber Systems (CIP-009); R1.1.7 Configuration change management and vulnerability assessments (CIP-010); R1.1.8 Information protection (CIP-011); and R1.1.9 Declaring and responding to CIP Exceptional Circumstances.

  24. CIP-003 • R1.2: For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any: • R1.2.1 Cyber security awareness; • R1.2.2 Physical security controls; • R1.2.3 Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and • R1.2.4 Cyber Security Incident response • R2: Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.

  25. CIP-003 • R3:Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. • R4: The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.

  26. CIP-003 • CIP-003 Procedure • Provides controls for assignment of a CIP Senior Manager and prescribes the Cyber Security Policies that must be implemented for Low Impact BES Cyber Systems. • The Cyber Security Policy details are implemented in the following procedures: • Cyber Security Awareness • Physical Security Controls • Electronic Access Controls • Cyber Security Incident Response

  27. CIP-003 27 • Definitions • Appropriate Level of Management – A member of the organization's senior management team that is organizationally superior to the designated CIP Senior Manager. • Responsibilities • Ensure documentation of the CIP Senior Manager and CIP Delegates are accurate and up-to-date. • CIP Senior Manager shall ensure that documented Cyber Security Policies are effectively implemented for • Cyber Security Awareness, • Physical Security Controls, • Electronic Access Controls • Cyber Security Incident Response. • CIP Senior Manager shall ensure that the Cyber Security Policies are reviewed and approved annually.

  28. CIP-003 28 • Cyber Security Policies • CIP Senior Manager shall ensure that Cyber Security Policies are maintained and implemented for the following: • Cyber Security Awareness • Physical Security Controls • Electronic Access Controls • Cyber Security Incident Response • Cyber Security Policies shall contain the elements described in Attachment 1 – Required Sections for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems • CIP Senior Manager shall review and approve the Cyber Security Policies annually (not to exceed 15 months).

  29. CIP-003 29 • CIP Senior Manager • Appropriate Level of Management shall assign a CIP Senior Manager with overall responsibility and authority for leading and managing the implementation of, and adherence to the CIP Standards. • The CIP Senior Manager shall be identified by name and date of designation. • Changes to the CIP Senior Manager must be documented within 30 calendar days of the change. • The CIP Senior Manager may delegate authority for specific actions to a named delegate (where allowed by the CIP Standards). Delegations shall include: • Name and Title of the delegate • Specific actions delegated • Date of the designation • Signed approval from the CIP Senior Manager • Any change to the delegation shall be updated within 30 days of the change.

  30. CIP-003 30 Review this Procedure for additional specific details: PRO-CIP-003 – Security Management Controls

  31. 31 Cyber Security Awareness

  32. Cyber Security Awareness 32 CIP-003 – Attachment 1 (Section 1) Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices). Cyber Security Awareness Procedure Establishes requirements for personnel training and an ongoing Cyber Security awareness program. Responsibilities CIP Senior Manager or designee shall ensure that personnel are aware of Cyber Security Procedures and practices.

  33. Cyber Security Awareness 33 Details • The CIP Senior Manager shall ensure that personnel are trained on Cyber Security procedures and subsequent practices. Cyber Security Training shall include: • Physical Security Controls • Electronic Access Controls • Cyber Security Incident Response • Employ ongoing Cyber Security Awareness methods at the CIP Senior Manager’s discretion: • Emails / Memos • Presentation / Meetings • Posters / Brochures • Company website / Intranet / Newsletter

  34. Cyber Security Awareness 34 Review this Procedure for additional specific details: ICP-PRO-06 – Cyber Security Awareness

  35. 35 Physical Security Controls

  36. Physical Security Controls 36 Definitions BCA Authorized Personnel – Personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems / BES Cyber Assets. CIP Exceptional Circumstance – A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest’ an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability. Low Impact BES Cyber System Electronic Access Point (LEAP) – A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.

  37. Physical Security Controls 37 Definitions Physical Security Perimeter (PSP) – The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Assess Control or Monitoring Systems reside, and for which access is controlled. Physical Access Control Systems (PACS) – Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.

  38. Physical Security Controls 38 • CIP-003 – Attachment 1 (Section 2) - Physical Security Controls: • Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any. • Physical Security Controls Procedure • Establishes controls for managing physical access to BES Cyber Systems. • Facility Physical Security Perimeter (PSP) • BES Cyber Asset (BCA) Locations PSPs

  39. Physical Security Controls 39 • Responsibilities • CIP Senior Manager shall ensure that appropriate methods are used to control physical access to the BES Cyber Assets, BES Cyber Systems, and their associated Physical Security Perimeters (PSP) • Details • Plant personnel shall notify appropriate Management of any violation or suspected violation of the Physical Security Control Plan. • Plant shall maintain documentation of all personnel’s Authorization Levels.

  40. Physical Security Controls - examples 40 • Details • BCA Locations PSPs • Controls • Identification –The identity of personnel of all Authorization Levels must be confirmed prior to granting access to a BCA PSPs. • Security Door Access – When not in use, the Security Doors to the BCA PSPs shall remain closed and locked. • Vulnerability Review – All alternate access points to the BCA PSP must be secured (windows, ducts, etc.). • Authorization • Access Authorization is provided by the CIP Senior Manager or designee. • Visitors are restricted from entering the BCA PSP unless continuously escorted. (Unescorted Access permissions may be permitted only during CIP Exceptional Circumstances) • BCA Authorized personnel are pre-authorization to enter the BCA PSP. BCA Authorized personnel are authorized to serve as visitor escorts.

  41. Physical Security Controls 41 Review this Procedure for additional specific details: ICP-PRO-07 – Physical Security Controls

  42. 42 Electronic Access Controls

  43. Electronic Access Controls 43 Definitions Dial-Up Connectivity – A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link. Electronic Access Control or Monitoring Systems (EACMS) – Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems. Electronic Access Point (EAP) – A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter. Electronic Security Perimeter (ESP) – The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol. External Routable Connectivity (ERC) – The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

  44. Electronic Access Controls 44 Definitions Interactive Remote Access – User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications. Low Impact BES Cyber System Electronic Access Points (LEAPs) - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems. (See procedure for additional guidance.)

  45. Electronic Access Controls 45 Definitions Low Impact External Routable Connectivity (LERC) - Direct user‐initiated interactive access or a direct device‐to‐device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi‐directional routable protocol connection. (See procedure for additional guidance). Multi-Factor Authentication – Authenticators may include, but are not limited to: • Something the individual knows such as passwords or PINs. (This does not include User ID) • Something the individual has such as tokens, digital certificates, or smart cards • Something the individual is such as fingerprints, iris scans, or other biometric characteristics.

  46. Electronic Access Controls 46 Definitions Protected Cyber Asset (PCA) – One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

  47. Electronic Access Controls 47 CIP-003 – Attachment 1 (Section 3) Electronic Access Controls: Each Responsible Entity shall: 3.1 For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access; and 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability. Electronic Access Controls Procedure Establishes controls to manage electronic access to BES Cyber Systems.

  48. Electronic Access Controls 48 Interactive Remote Access Electronic Security Perimeter (ESP) Electronic Access Point (EAP) Protected Cyber Assets (PCAs) Electronic Access Control or Monitoring Systems (EACMS)

  49. Electronic Access Controls 49 • Responsibilities • CIP Senior Manager shall ensure that Electronic Access Control processes for External Routable Connectivity, Interactive Remote Access sessions, and Dial-up Connectivity are implemented. • CIP Senior Manager shall ensure that Electronic Security Perimeters and Electronic Access Points are defined and protected.

  50. Electronic Access Controls 50 • Details • External Routable Connectivity (if any) • The Electronic Security Perimeter (ESP) shall be protected via an Electronic Access Control or Monitoring System (EACMS) that does not allow Interactive Remote Access to have direct access to BCAs. • The EACMS shall be configured to: • Only allow inbound and outbound access by permissions / rules. • Deny ALL other access by default. • Interactive Remote Access Sessions (if any) shall • Use encryption between the EACMS and the Cyber Asset initiating communication when feasible. • Use Multi-Factor Authentication when feasible.

More Related