
Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security



Presentation Transcript


  1. Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security
     CIP-008-5, 009-5, & TFEs
     May 14, 2014 CIP v5 Roadshow – Salt Lake City, UT

  2. Agenda
     • Applicability
     • Implementation
     • CIP-008-5 & 009-5
       • Overview
       • Audit Approach
       • Tips
     • TFEs and CIP v5

  3. Goal Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5

  4. CIP-008-5 Purpose “To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”

  5. CIP-008-5 Applicability
     • High Impact BES Cyber Systems (HIBESCS): R1-R3
     • Medium Impact BES Cyber Systems (MIBESCS): R1-R3

  6. CIP-008-5 Implementation
     • By April 1, 2016: all of CIP-008-5, except as noted below
     • On or before April 1, 2017:
       • CIP-008-5, Requirement R2, Part 2.1
       • CIP-008-5, Requirement R3, Part 3.1

  7. CIP-008-5 R1 Overview
     • Ingredients of the Cyber Security Incident Response Plan (CSIRP)
       • Identify, classify, and respond to a Cyber Security Incident (CSI)
       • Process to determine if a CSI is a Reportable CSI (RCSI)
       • Notify ES-ISAC within 1 hour of determination of an RCSI
       • Roles and responsibilities
       • Incident handling procedures

  8. CIP-008-5 R1 Audit Approach
     • Documentation requirement
       • Does the CSIRP address each Part of R1?
       • Does the CSIRP tie all the necessary resources together?
       • Revision history with sufficient detail

  9. CIP-008-5 R1 Tips
     • Man-on-the-street(ish) test: can someone else in your organization pick up the CSIRP and have everything they need to respond?
     • Roles and responsibilities may include contact lists with names/numbers/emails
     • Assumption is that you will have Cyber Security Incidents; emphasis is on RCSI and the criteria used to determine elevation of a CSI to an RCSI
     • Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends

  10. CIP-008-5 R2 Overview
     • Annual test of the CSIRP, by one of:
       • Actual Incident
       • Paper
       • Operational
     • Use the plan during the annual test and document any deviations from the plan
     • Retain records of Incidents

  11. CIP-008-5 R2 Audit Approach
     • Performance Requirement:
       • How has the plan been implemented?
       • How do you test/exercise the plan?
       • Did you document deviations from the plan during the exercise/test?
       • How are records kept, and where?

  12. CIP-008-5 R2 Tips
     • Any time the words “test” or “exercise” are used, lessons learned should follow. If you have no lessons learned, you may not be doing it right
     • It’s OK to get a little creative with test and exercise scenarios

  13. CIP-008-5 R3 Overview
     • Complete within 90 days of a test/exercise or actual Incident response:
       • Document lessons learned
       • Update the Plan
       • Notify responsible parties of updates
     • Complete within 60 days of a change in roles/responsibilities/technology:
       • Update the Plan
       • Notify responsible parties

  14. CIP-008-5 R3 Audit Approach
     • Performance Requirement:
       • Updates tracked through revision history or other means of sufficient detail
       • Track dates of “triggering” events, such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
       • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

  15. CIP-008-5 R3 Tips
     • Make sure you (and the auditors) can connect the dots between plan exercise, lessons learned, plan updates, and notification of updates
     • Suggest outlining how this is supposed to happen in the actual plan

  16. CIP-008-5 Questions?

  17. Everyone awake?

  18. CIP-009-5 Purpose “To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”

  19. CIP-009-5 Applicability
     • High Impact BES Cyber Systems: Part 2.3
     • Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS: Parts 1.4, 2.1, 2.2, 3.1, 3.2
     • High Impact BES Cyber Systems and their associated EACMS and PACS: R1-R3 except Part 2.3
     • Medium Impact BES Cyber Systems and their associated EACMS and PACS: R1 except Part 1.4

  20. CIP-009-5 Implementation
     • By April 1, 2016: all of CIP-009-5, except as noted below
     • On or before April 1, 2017:
       • CIP-009-5, Requirement R2, Parts 2.1, 2.2
       • CIP-009-5, Requirement R3, Part 3.1
     • On or before April 1, 2018:
       • CIP-009-5, Requirement R2, Part 2.3

  21. CIP-009-5 R1 Overview
     • Ingredients of the recovery plan
       • Conditions for activation of the plan
       • Roles and responsibilities
       • Process for backup and storage
       • Process to verify successful completion of backups
       • Process to preserve data

  22. Backup and Recovery

  23. CIP-009-5 R1 Audit Approach
     • Documentation requirement
       • Does the plan (or plans) address all required processes?
       • Review associated procedures, flowcharts, etc.
       • Revision history with sufficient detail

  24. CIP-009-5 R1 Tips
     • Two new Requirements (1.4 & 1.5): read carefully, plan accordingly
     • Regurgitating the Requirement language does not constitute developing a program/process
     • Man-on-the-street(ish) test: can someone else in your organization pick up the CSIRP and have everything they need to respond?
     • Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends

  25. CIP-009-5 R2 Overview
     • Annual test of the recovery plan, by one of:
       • Actual Incident
       • Paper
       • Operational
     • Test a representative sample of backups to ensure validity and compatibility
     • Operational exercise required once every 36 months for High Impact BES Cyber Systems

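Slides 21 and 25 ask for a process that verifies successful completion of backups, an annual test of a representative sample of those backups for validity and compatibility, and (slide 27) a defensible answer to "how did you determine the sample set?". The following Python script is an added example and is not code from the presentation or from WECC. It checks a constructed, in-memory backup manifest: validity is a recomputed SHA-256 against the hash recorded when the backup completed, compatibility is a format tag checked against an assumed set of formats the restore tooling can read, and the sampling rule (most recent backup per asset class) is deterministic so it can be written into the plan and repeated at the next test. Asset identifiers, asset classes, format tags, payloads and the `SUPPORTED_FORMATS` set are all constructed assumptions.

```python
"""Added example (not from the WECC slides): toy backup verification and
representative sampling in the spirit of CIP-009-5 R1 Parts 1.4/1.5 and R2.

All records, asset classes, format tags and payloads are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class BackupRecord:
    asset_id: str          # constructed identifier of the backed-up Cyber Asset
    asset_class: str       # constructed: "BES Cyber System", "EACMS" or "PACS"
    taken_on: date         # date the backup completed
    content: bytes         # backup payload, embedded inline so the example runs offline
    recorded_sha256: str   # hash written to the manifest when the backup completed
    format_version: str    # constructed backup-format tag used for the compatibility check


# Assumption: formats the current restore tooling can consume
SUPPORTED_FORMATS = {"v2", "v3"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(asset_id, asset_class, taken_on, content, fmt, tamper=False):
    """Build a manifest entry; tamper=True simulates a backup altered after it was hashed."""
    recorded = sha256_hex(content)
    if tamper:
        content = content + b"\x00"   # payload no longer matches the manifest hash
    return BackupRecord(asset_id, asset_class, taken_on, content, recorded, fmt)


def verify_backup(rec: BackupRecord) -> dict:
    """Validity (hash still matches) and compatibility (format still restorable)."""
    valid = sha256_hex(rec.content) == rec.recorded_sha256
    compatible = rec.format_version in SUPPORTED_FORMATS
    return {"asset_id": rec.asset_id, "valid": valid,
            "compatible": compatible, "passed": valid and compatible}


def select_representative_sample(records):
    """Sampling rule: the most recent backup of each asset class, sorted by class."""
    latest = {}
    for rec in records:
        current = latest.get(rec.asset_class)
        if current is None or rec.taken_on > current.taken_on:
            latest[rec.asset_class] = rec
    return sorted(latest.values(), key=lambda r: r.asset_class)


def run_sample_test(records) -> dict:
    """The R2 deliverable: which backups were sampled, each result, and the failures."""
    sample = select_representative_sample(records)
    results = [verify_backup(r) for r in sample]
    failures = [r["asset_id"] for r in results if not r["passed"]]
    return {"sampled": [r.asset_id for r in sample],
            "results": results, "failures": failures}


# Constructed manifest: three asset classes, one altered backup, one legacy format
SAMPLE_MANIFEST = [
    make_record("ems-srv-01", "BES Cyber System", date(2014, 4, 30), b"ems-config-A", "v3"),
    make_record("ems-srv-01", "BES Cyber System", date(2014, 3, 31), b"ems-config-old", "v2"),
    make_record("fw-eacms-02", "EACMS", date(2014, 4, 28), b"fw-rules-B", "v3", tamper=True),
    make_record("badge-pacs-01", "PACS", date(2014, 4, 29), b"pacs-db-C", "v1"),
]

if __name__ == "__main__":
    report = run_sample_test(SAMPLE_MANIFEST)
    for result in report["results"]:
        print(result)
    print("failures:", report["failures"])
```

Running the script exercises both failure modes the slides care about: the EACMS backup fails validity because its payload no longer matches the recorded hash, and the PACS backup is intact but fails compatibility because its format is no longer restorable. Keeping the sample list and per-backup results as the script's output gives the auditor the "documentation of test/exercise, outcomes & lessons learned" in one record.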
  26. Test the Plan

  27. CIP-009-5 R2 Audit Approach
     • Performance Requirement:
       • How has the plan been implemented?
       • How do you test/exercise the plan?
       • Representative sample: how did you determine the sample set?
       • Documentation of test/exercise, outcomes, and lessons learned

  28. CIP-009-5 R2 Tips
     • R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate documents
     • Focus on the outputs of R2: what are the deliverables?
     • Part 2.3: the first full operational exercise must occur by 4/1/2017, then at least once every 36 months

  29. CIP-009-5 R3 Overview
     • Complete within 90 days of a test/exercise or actual recovery:
       • Document lessons learned
       • Update the plan
       • Notify responsible parties of updates
     • Complete within 60 days of a change in roles/responsibilities/technology:
       • Update the plan
       • Notify responsible parties

  30. CIP-009-5 R3 Audit Approach
     • Performance Requirement:
       • Updates tracked through revision history or other means of sufficient detail
       • Track dates of “triggering” events, such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
       • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

  31. CIP-009-5 R3 Tips
     • Make sure you (and the auditors) can connect the dots between plan exercise, lessons learned, plan updates, and notification of updates
     • Good idea to outline how this is supposed to happen in the actual plan

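The R3 slides for CIP-008-5 (slides 13 to 15) and CIP-009-5 (slides 29 to 31) describe the same chain: a triggering event (test, exercise, actual Incident or recovery, or a change in roles, responsibilities or technology), a plan update with lessons learned inside 90 or 60 days, and evidence that responsible parties were notified. The Python script below is an added example, not code from the presentation or from WECC, that connects those dots for a constructed set of records: for each triggering event it finds the first plan revision after the event, checks it against the window the slides state, checks that exercise and incident-driven revisions document lessons learned, and looks for notification evidence tied to that revision. The event kinds, record fields and all dates are constructed assumptions; real evidence would come from your revision history and notification records.

```python
"""Added example (not from the WECC slides): a toy R3 timeline and evidence
tracker for CIP-008-5 / CIP-009-5 triggering events.

Event kinds, field names and every date below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Windows as stated on the slides: 90 days after a test/exercise or actual
# Incident/recovery, 60 days after a change in roles, responsibilities or technology.
WINDOW_DAYS = {"exercise": 90, "incident": 90, "change": 60}


@dataclass
class Event:
    event_id: str       # constructed identifier for the triggering event
    kind: str           # one of the WINDOW_DAYS keys
    completed_on: date  # date the exercise/incident completed or the change took effect


@dataclass
class PlanRevision:
    version: str
    revised_on: date
    lessons_learned: bool   # revision record documents lessons learned


@dataclass
class Notification:
    version: str            # plan version the responsible parties were told about
    sent_on: date
    evidence: str           # e.g. "email", "meeting minutes"


def deadline_for(event: Event) -> date:
    return event.completed_on + timedelta(days=WINDOW_DAYS[event.kind])


def first_revision_after(event: Event, revisions):
    later = [r for r in revisions if r.revised_on >= event.completed_on]
    return min(later, key=lambda r: r.revised_on) if later else None


def assess_event(event: Event, revisions, notifications) -> dict:
    """Connect event -> revision -> notification and list what an auditor would flag."""
    due = deadline_for(event)
    rev = first_revision_after(event, revisions)
    findings = []
    if rev is None:
        findings.append("no plan update recorded after the event")
        return {"event_id": event.event_id, "due": due, "revision": None, "findings": findings}
    if rev.revised_on > due:
        findings.append(f"plan update {rev.version} on {rev.revised_on} is after the {due} deadline")
    if event.kind in ("exercise", "incident") and not rev.lessons_learned:
        findings.append(f"revision {rev.version} has no documented lessons learned")
    notes = [n for n in notifications if n.version == rev.version and n.sent_on >= rev.revised_on]
    if not notes:
        findings.append(f"no notification evidence for revision {rev.version}")
    elif min(n.sent_on for n in notes) > due:
        findings.append(f"notification for {rev.version} was sent after the {due} deadline")
    return {"event_id": event.event_id, "due": due, "revision": rev.version, "findings": findings}


def assess_all(events, revisions, notifications) -> dict:
    return {e.event_id: assess_event(e, revisions, notifications) for e in events}


# Constructed sample records
EVENTS = [
    Event("EX-2014-1", "exercise", date(2014, 1, 15)),   # tabletop exercise completed
    Event("CHG-2014-2", "change", date(2014, 3, 25)),    # new incident commander named
    Event("INC-2014-3", "incident", date(2014, 5, 1)),   # actual Incident response completed
]
REVISIONS = [
    PlanRevision("v2.1", date(2014, 3, 20), lessons_learned=True),
    PlanRevision("v2.2", date(2014, 5, 9), lessons_learned=False),
]
NOTIFICATIONS = [
    Notification("v2.1", date(2014, 3, 21), "email"),
]

if __name__ == "__main__":
    for event_id, result in assess_all(EVENTS, REVISIONS, NOTIFICATIONS).items():
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{event_id} (due {result['due']}, revision {result['revision']}): {status}")
```

In the constructed data the January exercise is fully traceable (revision v2.1 inside 90 days, lessons learned recorded, e-mail notification the next day), while the March change and the May Incident both map to revision v2.2, which has no notification evidence, and the Incident additionally lacks documented lessons learned. Those are exactly the gaps the "connect the dots" tip warns about, surfaced before an auditor asks.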
  32. CIP v5 and TFEs
     • TFEs will be necessary in v5
     • Definitive list of Requirements/Parts to be determined; 9 have “where technically feasible”
     • Appendix 4D will be updated to accommodate v5
     • webCDMS will be updated as necessary
     • Streamlined process will remain in place

  33. Resources, References, & Light Reading
     • NERC v3 to v5 mapping document
     • FERC Order 791
     • 2011 v5 SDT Presentation
     • DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability
     • NIST Computer Security Incident Handling Guide

  34. Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security
     O: 801.819.7691  M: 801.837.8425  bcarr@wecc.biz
     Questions?
