  1. Bryan J. Carr, PMP, CISA – Compliance Auditor, Cyber Security • CIP-008-5, CIP-009-5, & TFEs • May 14, 2014 • CIP v5 Roadshow – Salt Lake City, UT

  2. Agenda • Applicability • Implementation • CIP-008-5 & 009-5 • Overview • Audit Approach • Tips • TFEs and CIP v5

  3. Goal Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5

  4. CIP-008-5 Purpose “To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”

  5. CIP-008-5 Applicability • High Impact BES Cyber Systems (R1-R3) • Medium Impact BES Cyber Systems (R1-R3)

  6. CIP-008-5 Implementation • By April 1, 2016 • All of CIP-008-5, except as noted below • On or before April 1, 2017: • CIP-008-5, Requirement R2, Part 2.1 • CIP-008-5, Requirement R3, Part 3.1

  7. CIP-008-5 R1 Overview • Ingredients of the Cyber Security Incident Response Plan • Identify, classify, and respond to Cyber Security Incident (CSI) • Process to determine if CSI is a Reportable CSI (RCSI) • Notify ES-ISAC w/in 1hr of determination of RCSI • Roles and responsibilities • Incident handling procedures

  8. CIP-008-5 R1 Audit Approach • Documentation requirement • Does the CSIRP address each Part of R1? • Does the CSIRP tie all the necessary resources together? • Revision history with sufficient details

  9. CIP-008-5 R1 Tips • Man on the street(ish) test • Can someone else in your organization pick up the CSIRP and have everything they need to respond? • Roles and responsibilities may include contact lists with names/numbers/emails • Assumption is you’ll have Cyber Security Incidents, emphasis on RCSI and criteria used to determine elevation of CSI to RCSI • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends

  10. CIP-008-5 R2 Overview • Annual test of CSIRP • Actual Incident • Paper • Operational • Use the plan during annual test & document any deviations from the plan • Retain records of Incidents

  11. CIP-008-5 R2 Audit Approach • Performance Requirement: • How has the plan been implemented? • How do you test/exercise the plan? • Did you document deviations from the plan during exercise/test? • How are records kept and where?

  12. CIP-008-5 R2 Tips • Anytime the words “test” or “exercise” are used – lessons learned should follow. If you have no lessons learned, you may not be doing it right • It’s ok to get a little creative with test and exercise scenarios

  13. CIP-008-5 R3 Overview • Complete w/in 90 days of test/exercise or actual Incident response: • Document lessons learned • Update the Plan • Notify responsible parties of updates • Complete w/in 60 days of change in roles/responsibilities/technology • Update the Plan • Notify responsible parties

  14. CIP-008-5 R3 Audit Approach • Performance Requirement: • Updates tracked through revision history or other means of sufficient detail • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

  15. CIP-008-5 R3 Tips • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates. • Suggest outlining how this is supposed to happen in the actual plan

  16. CIP-008-5 Questions?

  17. Everyone awake?

  18. CIP-009-5 Purpose “To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”

  19. CIP-009-5 Applicability • High Impact BES Cyber Systems (Part 2.3) • Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (Parts 1.4, 2.1, 2.2, 3.1, 3.2) • High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except Part 2.3) • Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except Part 1.4)

  20. CIP-009-5 Implementation • By April 1, 2016 • All of CIP-009-5, except as noted below • On or before April 1, 2017: • CIP-009-5, Requirement R2, Parts 2.1, 2.2 • CIP-009-5, Requirement R3, Part 3.1 • On or before April 1, 2018: • CIP-009-5, Requirement R2, Part 2.3

  21. CIP-009-5 R1 Overview • Ingredients of the recovery plan • Conditions for activation of the plan • Roles and responsibilities • Process for backup and storage • Process to verify successful completion of backups • Process to preserve data

  22. Backup and Recovery

  23. CIP-009-5 R1 Audit Approach • Documentation requirement • Does the plan (or plans) address all processes required? • Review associated procedures, flowcharts, etc. • Revision history with sufficient details

  24. CIP-009-5 R1 Tips • Two new Parts (1.4 & 1.5) – read carefully, plan accordingly • Regurgitating the Requirement language does not constitute developing a program/process • Man on the street(ish) test • Can someone else in your organization pick up the recovery plan and have everything they need to recover? • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends

  25. CIP-009-5 R2 Overview • Annual test of recovery plan • Actual Incident • Paper • Operational • Test representative sample of backups to ensure validity and compatibility • Operational exercise req’d 1x/36 months for High BES Cyber Systems

  26. Test the Plan

  27. CIP-009-5 R2 Audit Approach • Performance Requirement: • How has the plan been implemented? • How do you test/exercise the plan? • Representative sample – how did you determine the sample set? • Documentation of test/exercise, outcomes & lessons learned

  28. CIP-009-5 R2 Tips • R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate docs • Focus on outputs of R2, what are the deliverables? • Part 2.3 – First full operational exercise must occur by 4/1/2017, then at least once every 36 months
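The R1 "process to verify successful completion of backups" (Part 1.4) and the R2 "test a representative sample of backups" item both come down to the same mechanics: a record of what the backup job captured, a reproducible way to pick the sample, and a restore-and-compare check whose result can be filed as exercise evidence. The following is an added example written for this page, not code from the presentation or from any WECC entity's plan. The asset names, file contents, "asset class" strata and the failure cases are constructed for illustration; the sampling policy (at least N backups per asset class, fixed seed) is one answer to the auditor's "how did you determine the sample set?" question, not a WECC requirement.

```python
"""Added example (not from the WECC presentation): backup manifest, stratified sample
and restore-and-verify check of the kind a CIP-009-5 R1 Part 1.4 process and an R2
representative-sample test could be built on. All data below is constructed."""
from __future__ import annotations

import hashlib
import io
import random
import tarfile
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupRecord:
    asset: str             # hypothetical BES Cyber Asset identifier (constructed)
    asset_class: str       # constructed stratum used for sampling, e.g. "EMS server"
    archive: bytes         # tar archive written by the backup job
    manifest: dict[str, str]  # path -> sha256 recorded when the backup was taken


def make_backup(asset: str, asset_class: str, files: dict[str, bytes]) -> BackupRecord:
    """Simulates a backup job: writes the files to a tar archive and records a hash manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return BackupRecord(asset, asset_class, buf.getvalue(), {p: sha256(c) for p, c in files.items()})


def verify_backup(rec: BackupRecord) -> tuple[bool, list[str]]:
    """Part 1.4 style check: restore the archive in memory and compare every file in the
    manifest against what was restored. Returns (ok, findings); findings is empty when good."""
    findings: list[str] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(rec.archive), mode="r") as tar:
            restored = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    except tarfile.TarError as exc:
        return False, [f"{rec.asset}: archive unreadable ({exc})"]
    for path, expected in rec.manifest.items():
        if path not in restored:
            findings.append(f"{rec.asset}: {path} missing from archive")
        elif sha256(restored[path]) != expected:
            findings.append(f"{rec.asset}: {path} hash mismatch (corrupted in storage?)")
    return not findings, findings


def representative_sample(records: list[BackupRecord], per_class: int = 1, seed: int = 0) -> list[BackupRecord]:
    """Stratified sample: up to `per_class` backups from every asset class, drawn with a
    fixed seed so the sample set can be reproduced and explained to an auditor."""
    rng = random.Random(seed)
    by_class: dict[str, list[BackupRecord]] = {}
    for rec in records:
        by_class.setdefault(rec.asset_class, []).append(rec)
    sample: list[BackupRecord] = []
    for cls in sorted(by_class):           # sorted so class order is stable across runs
        sample.extend(rng.sample(by_class[cls], min(per_class, len(by_class[cls]))))
    return sample


def run_sample_test(records: list[BackupRecord], per_class: int = 1, seed: int = 0) -> dict[str, dict]:
    """R2-style exercise record: verify each sampled backup, return a report keyed by asset."""
    report: dict[str, dict] = {}
    for rec in representative_sample(records, per_class, seed):
        ok, findings = verify_backup(rec)
        report[rec.asset] = {"class": rec.asset_class, "ok": ok, "findings": findings}
    return report


# Constructed backup set: two good EMS backups, one good RTU backup, and two failure modes.
GOOD_EMS = make_backup("ems-01", "EMS server", {"etc/scada.conf": b"poll_interval=2\n", "bin/hmi": b"\x7fELF-stub"})
GOOD_EMS_2 = make_backup("ems-02", "EMS server", {"etc/scada.conf": b"poll_interval=4\n"})
GOOD_RTU = make_backup("rtu-07", "RTU config", {"rtu7.cfg": b"protocol=dnp3\n"})

# Failure mode 1 (constructed): bit rot in storage. Byte 512 is the first data byte of the
# first member (right after its 512-byte tar header), so flipping it changes the file
# content without breaking the header; only the hash comparison catches it.
ROTTED_RTU = make_backup("rtu-08", "RTU config", {"rtu8.cfg": b"protocol=dnp3\n"})
_damaged = bytearray(ROTTED_RTU.archive)
_damaged[512] ^= 0xFF
ROTTED_RTU.archive = bytes(_damaged)

# Failure mode 2 (constructed): the job's inventory listed a file that never made it
# into the archive, i.e. an incomplete backup that still "completed" without error.
PARTIAL_RTU = make_backup("rtu-09", "RTU config", {"rtu9.cfg": b"protocol=dnp3\n"})
PARTIAL_RTU.manifest["rtu9.pts"] = sha256(b"point list")

CONSTRUCTED_BACKUPS = [GOOD_EMS, GOOD_EMS_2, GOOD_RTU, ROTTED_RTU, PARTIAL_RTU]

if __name__ == "__main__":
    for asset, row in run_sample_test(CONSTRUCTED_BACKUPS, per_class=5).items():
        print(asset, row["class"], "OK" if row["ok"] else "FAIL", *row["findings"])
```

The report that `run_sample_test` returns (which records were sampled, the seed, and each finding) is the kind of artifact that satisfies both the R1 "address any backup failures" expectation and the R2 "documentation of test/exercise, outcomes & lessons learned" evidence request above; a real implementation would restore to a scratch host and exercise the application, not just compare hashes, because a bit-exact backup of a config that no longer matches the current firmware is still a compatibility failure.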

  29. CIP-009-5 R3 Overview • Complete w/in 90 days of test/exercise or actual recovery: • Document lessons learned • Update the plan • Notify responsible parties of updates • Complete w/in 60 days of change in roles/responsibilities/technology • Update the plan • Notify responsible parties

  30. CIP-009-5 R3 Audit Approach • Performance Requirement: • Updates tracked through revision history or other means of sufficient detail • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

  31. CIP-009-5 R3 Tips • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates. • Good idea to outline how this is supposed to happen in the actual plan

  32. CIP v5 and TFEs • TFEs will be necessary in v5 • Definitive list of Requirements/Parts to be determined – 9 have “where technically feasible” • Appendix 4D will be updated to accommodate v5 • webCDMS will be updated as necessary • Streamlined process will remain in place

  33. Resources, References, & Light Reading • NERC v3 to v5 mapping document • FERC Order 791 • 2011 v5 SDT Presentation • DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability • NIST Computer Security Incident Handling Guide

  34. Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security O: 801.819.7691 M: 801.837.8425 bcarr@wecc.biz Questions?