Presentation Transcript
Bryan J. Carr, PMP, CISA, Compliance Auditor, Cyber Security

CIP-008-5, 009-5, & TFEs

May 14, 2014

CIP v5 Roadshow – Salt Lake City, UT


Agenda

  • Applicability

  • Implementation

  • CIP-008-5 & 009-5

    • Overview

    • Audit Approach

    • Tips

  • TFEs and CIP v5


Goal

Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5


CIP-008-5 Purpose

“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”


CIP-008-5 Applicability

  • High Impact BES Cyber Systems (R1-R3)

  • Medium Impact BES Cyber Systems (R1-R3)


CIP-008-5 Implementation

  • By April 1, 2016

    • All of CIP-008-5, except as noted below

  • On or before April 1, 2017:

    • CIP-008-5, Requirement R2, Part 2.1

    • CIP-008-5, Requirement R3, Part 3.1


CIP-008-5 R1 Overview

  • Ingredients of the Cyber Security Incident Response Plan

    • Identify, classify, and respond to Cyber Security Incident (CSI)

    • Process to determine if CSI is a Reportable CSI (RCSI)

    • Notify ES-ISAC w/in 1hr of determination of RCSI

    • Roles and responsibilities

    • Incident handling procedures


CIP-008-5 R1 Audit Approach

  • Documentation requirement

    • Does the CSIRP address each Part of R1?

    • Does the CSIRP tie all the necessary resources together?

    • Revision history with sufficient details


CIP-008-5 R1 Tips

  • Man on the street(ish) test

    • Can someone else in your organization pick up the CSIRP and have everything they need to respond?

  • Roles and responsibilities may include contact lists with names/numbers/emails

  • Assumption is you’ll have Cyber Security Incidents, emphasis on RCSI and criteria used to determine elevation of CSI to RCSI

  • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends


CIP-008-5 R2 Overview

  • Annual test of CSIRP

    • Actual Incident

    • Paper

    • Operational

  • Use the plan during annual test & document any deviations from the plan

  • Retain records of Incidents


CIP-008-5 R2 Audit Approach

  • Performance Requirement:

    • How has the plan been implemented?

    • How do you test/exercise the plan?

    • Did you document deviations from the plan during exercise/test?

    • How are records kept and where?


CIP-008-5 R2 Tips

  • Anytime the words “test” or “exercise” are used – lessons learned should follow. If you have no lessons learned, you may not be doing it right

  • It’s ok to get a little creative with test and exercise scenarios


CIP-008-5 R3 Overview

  • Complete w/in 90 days of test/exercise or actual Incident response:

    • Document lessons learned

    • Update the Plan

    • Notify responsible parties of updates

  • Complete w/in 60 days of change in roles/responsibilities/technology

    • Update the Plan

    • Notify responsible parties


CIP-008-5 R3 Audit Approach

  • Performance Requirement:

    • Updates tracked through revision history or other means of sufficient detail

    • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed

    • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.


CIP-008-5 R3 Tips

  • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.

  • Suggest outlining how this is supposed to happen in the actual plan



CIP-008-5

Questions?



CIP-009-5 Purpose

“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”


CIP-009-5 Applicability

  • High Impact BES Cyber Systems (2.3)

  • Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)

  • High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)

  • Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)


CIP-009-5 Implementation

  • By April 1, 2016

    • All of CIP-009-5, except as noted below

  • On or before April 1, 2017:

    • CIP-009-5, Requirement R2, Parts 2.1, 2.2

    • CIP-009-5, Requirement R3, Part 3.1

  • On or before April 1, 2018:

    • CIP-009-5, Requirement R2, Part 2.3


CIP-009-5 R1 Overview

  • Ingredients of the recovery plan

    • Conditions for activation of the plan

    • Roles and responsibilities

    • Process for backup and storage

    • Process to verify successful completion of backups

    • Process to preserve data



CIP-009-5 R1 Audit Approach

  • Documentation requirement

    • Does the plan (or plans) address all processes required?

    • Review associated procedures, flowcharts, etc.

    • Revision history with sufficient details


CIP-009-5 R1 Tips

  • Two new Requirements (1.4 & 1.5) – read carefully, plan accordingly

  • Regurgitating the Requirement language does not constitute developing a program/process

  • Man on the street(ish) test

    • Can someone else in your organization pick up the CSIRP and have everything they need to respond?

  • Flowcharts, process diagrams, decision trees, etc. are auditor’s friends


CIP-009-5 R2 Overview

  • Annual test of recovery plan

    • Actual Incident

    • Paper

    • Operational

  • Test representative sample of backups to ensure validity and compatibility

  • Operational exercise req’d 1x/36 months for High BES Cyber Systems



CIP-009-5 R2 Audit Approach

  • Performance Requirement:

    • How has the plan been implemented?

    • How do you test/exercise the plan?

    • Representative sample – how did you determine the sample set?

    • Documentation of test/exercise, outcomes & lessons learned


CIP-009-5 R2 Tips

  • R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate docs

  • Focus on outputs of R2, what are the deliverables?

    • Part 2.3 – First full operational exercise must occur by 4/1/2017, then at least once every 36 months
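The CIP-009-5 R1 and R2 slides above ask for a process to verify that backups completed, a test of a representative sample of backups, and an answer to "how did you determine the sample set?". The script below is an added illustration of one way to produce that evidence; it is not code from the presentation or from WECC. The backup images, their impact categories and the manifest digests are all constructed inline, so it runs offline; the asset names are placeholders.

```python
"""Backup validity check against a documented representative sample.

Added illustration for the CIP-009-5 R1 ("verify successful completion of
backups") and R2 ("test a representative sample of backups") slides; not
code from the presentation or from WECC. Backup images, impact categories
and the manifest are constructed inline so the script runs offline.
"""
import hashlib
import random

# Constructed: the content the backup job captured, keyed by (placeholder) asset name.
BACKUP_IMAGES = {
    "ems-app-01": b"EMS application server image v1",
    "ems-db-01": b"EMS historian database dump",
    "rtu-gateway-02": b"substation gateway configuration",
    "pacs-ctl-01": b"PACS controller configuration",
    "eacms-fw-01": b"EACMS firewall ruleset",
    "hmi-03": b"HMI workstation image",
}

# Constructed: impact category of each asset, used to stratify the sample.
IMPACT = {
    "ems-app-01": "High", "ems-db-01": "High",
    "rtu-gateway-02": "Medium", "pacs-ctl-01": "Medium",
    "eacms-fw-01": "Medium", "hmi-03": "Medium",
}


def build_manifest(images):
    """Record a SHA-256 digest per image at backup time: the 'completion' evidence."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in images.items()}


def select_sample(manifest, impact, seed, per_category=1):
    """Stratified sample: up to `per_category` assets from every impact category.
    The seed is stored with the evidence so an auditor can reproduce the selection."""
    rng = random.Random(seed)
    by_category = {}
    for name in sorted(manifest):          # sorted so the draw is deterministic
        by_category.setdefault(impact[name], []).append(name)
    sample = []
    for category in sorted(by_category):
        pool = by_category[category]
        sample.extend(rng.sample(pool, min(per_category, len(pool))))
    return sample


def verify_sample(manifest, restored, sample):
    """Restore each sampled image and compare its digest with the manifest.
    Returns {asset: 'PASS' | 'FAIL: missing' | 'FAIL: hash mismatch'}."""
    results = {}
    for name in sample:
        data = restored.get(name)
        if data is None:
            results[name] = "FAIL: missing"
        elif hashlib.sha256(data).hexdigest() != manifest[name]:
            results[name] = "FAIL: hash mismatch"
        else:
            results[name] = "PASS"
    return results


def evidence_record(images, restored, impact, seed, per_category=2):
    """One record an auditor can read: how the sample was chosen and what happened."""
    manifest = build_manifest(images)
    sample = select_sample(manifest, impact, seed, per_category)
    results = verify_sample(manifest, restored, sample)
    return {
        "method": f"stratified by impact, {per_category} per category, seed={seed}",
        "sample": sample,
        "results": results,
        "passed": all(r == "PASS" for r in results.values()),
    }


if __name__ == "__main__":
    # Constructed restore run: one image corrupted, one missing.
    restored = dict(BACKUP_IMAGES)
    restored["ems-db-01"] = b"EMS historian database dump (truncated)"
    del restored["hmi-03"]
    record = evidence_record(BACKUP_IMAGES, restored, IMPACT, seed=2014)
    print(record["method"])
    for asset in record["sample"]:
        print(f"  {asset:15} {record['results'][asset]}")
    print("overall:", "PASS" if record["passed"] else "FAIL")
```

The seed and the stratification rule are part of the record on purpose: "representative" is only defensible if the auditor can see why those assets were drawn and could draw the same set again. A real run would replace the inline byte strings with restores from the backup media, which is also where "compatibility" (the restored image actually loads on the target system) gets exercised.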


CIP-009-5 R3 Overview

  • Complete w/in 90 days of test/exercise or actual recovery:

    • Document lessons learned

    • Update the plan

    • Notify responsible parties of updates

  • Complete w/in 60 days of change in roles/responsibilities/technology

    • Update the plan

    • Notify responsible parties


CIP-009-5 R3 Audit Approach

  • Performance Requirement:

    • Updates tracked through revision history or other means of sufficient detail

    • Track dates of “triggering” events such as completion of exercise/Incident, or when roles/responsibilities/technology changed

    • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.


CIP-009-5 R3 Tips

  • Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.

  • Good idea to outline how this is supposed to happen in the actual plan
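The R3 slides for CIP-008-5 and CIP-009-5 describe the same chain: a triggering event (exercise, actual incident/recovery, or a change in roles, responsibilities or technology), a plan update, and a notification to responsible parties, with 90 or 60 days to close the loop. The script below is an added illustration of how an entity could connect those dots from its own records, so the gaps show up before an audit does; it is not code from the presentation or from WECC. The record types, field names and all dates are constructed for the example.

```python
"""Connect-the-dots check for CIP-008-5 / CIP-009-5 R3 triggering events.

Added illustration for the R3 overview, audit-approach and tips slides of
both standards; not code from the presentation or from WECC. It links the
three kinds of evidence the audit approach asks for (dated triggering
events, plan revision history, notifications to responsible parties) and
reports whether each chain closed inside the 90-day / 60-day window.
All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed after each kind of triggering event (from the R3 slides).
DEADLINE_DAYS = {"exercise": 90, "incident": 90, "change": 60}


@dataclass
class Trigger:
    id: str
    kind: str        # "exercise", "incident" (actual response/recovery) or "change"
    occurred: date   # completion of the exercise/incident, or date of the change


@dataclass
class Revision:
    id: str
    trigger_id: str  # which triggering event this plan update responds to
    approved: date
    summary: str


@dataclass
class Notification:
    revision_id: str
    sent: date
    evidence: str    # where the auditor can find it: archived email, minutes, ...


def check_trigger(trigger, revisions, notifications, today):
    """Status of one triggering event's update-and-notify chain as of `today`."""
    due = trigger.occurred + timedelta(days=DEADLINE_DAYS[trigger.kind])
    linked = sorted((r for r in revisions if r.trigger_id == trigger.id),
                    key=lambda r: r.approved)
    updated = linked[0].approved if linked else None
    linked_ids = {r.id for r in linked}
    sent = sorted(n.sent for n in notifications if n.revision_id in linked_ids)
    notified = sent[0] if sent else None
    if updated is None or notified is None:
        status = "overdue" if today > due else "pending"   # chain not closed
    elif updated > due or notified > due:
        status = "late"                                     # closed, but after due date
    else:
        status = "complete"
    return {
        "trigger": trigger.id,
        "due": due.isoformat(),
        "updated": updated.isoformat() if updated else None,
        "notified": notified.isoformat() if notified else None,
        "status": status,
    }


# Constructed evidence set (placeholder ids and dates).
TRIGGERS = [
    Trigger("EX-2016-1", "exercise", date(2016, 5, 10)),
    Trigger("CHG-2016-1", "change", date(2016, 9, 1)),      # new incident response lead named
    Trigger("INC-2017-1", "incident", date(2017, 1, 20)),
]
REVISIONS = [
    Revision("CSIRP-v5.1", "EX-2016-1", date(2016, 7, 1), "lessons learned from tabletop"),
    Revision("CSIRP-v5.2", "CHG-2016-1", date(2016, 11, 15), "updated contact list"),
]
NOTIFICATIONS = [
    Notification("CSIRP-v5.1", date(2016, 7, 5), "email to IR team, archived"),
    Notification("CSIRP-v5.2", date(2016, 11, 16), "ops meeting minutes"),
]


def r3_report(today_iso, triggers=TRIGGERS, revisions=REVISIONS, notifications=NOTIFICATIONS):
    """Status of every triggering event as of `today_iso` (YYYY-MM-DD), keyed by trigger id."""
    today = date.fromisoformat(today_iso)
    return {t.id: check_trigger(t, revisions, notifications, today) for t in triggers}


if __name__ == "__main__":
    for row in r3_report("2017-03-01").values():
        print(row)
```

Run as of 2017-03-01 the constructed data gives one complete chain (the exercise), one late chain (the role change was updated 15 days past its 60-day window) and one pending chain (the January incident, still inside its 90 days). The point of keeping `trigger_id` on every revision and `revision_id` on every notification is exactly the "connect the dots" tip on the slide: a revision history alone cannot show which event an update answered.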


CIP v5 and TFEs

  • TFEs will be necessary in v5

  • Definitive list of Requirements/Parts to be determined – 9 have “where technically feasible”

  • Appendix 4D will be updated to accommodate v5

  • webCDMS will be updated as necessary

  • Streamlined process will remain in place


Resources, References, & Light Reading

  • NERC v3 to v5 mapping document

  • FERC Order 791

  • 2011 v5 SDT Presentation

  • DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability

  • NIST Computer Security Incident Handling Guide



Bryan J. Carr, PMP, CISA

Compliance Auditor, Cyber Security

O: 801.819.7691

M: 801.837.8425

bcarr@wecc.biz

Questions?