CIP-003-5 Security Management Controls
CIP v5 Roadshow, May 14-15, 2014
Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security

Agenda
• Differences and relations to current requirements
• Audit approach
• Possible pitfalls to look for while transitioning to version 5
• Implementation tips
CIP-003-5 R1 Differences
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
• 1.1 Personnel & training (CIP-004);
• 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
• 1.3 Physical security of BES Cyber Systems (CIP-006);
• 1.4 System security management (CIP-007);
• 1.5 Incident reporting and response planning (CIP-008);
• 1.6 Recovery plans for BES Cyber Systems (CIP-009);
• 1.7 Configuration change management and vulnerability assessments (CIP-010);
• 1.8 Information protection (CIP-011); and
• 1.9 Declaring and responding to CIP Exceptional Circumstances
Note: Implementation of these policies is addressed in standards CIP-004-5 through CIP-011-1; therefore it is not part of this requirement.
Cross-reference: CIP-003-3 R1 corresponds to CIP-003-5 R1.
What is a CIP Exceptional Circumstance?
• “A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.” (NERC, 2014, Glossary of Terms, p. 19)
CIP-003-5 R1 Audit Approach
• Is there a documented policy or policies that address the nine (9) topics?
• There can either be a single policy that covers all topics or an individual policy for each
• Do the policies specifically state High and Medium Impact BES Cyber Systems?
CIP-003-5 R1 Audit Approach (cont.)
• Cyber Security Policy:
• Was it reviewed by the CIP Senior Manager once every 15 calendar months?
• Evidence of review/approval, including wet ink or electronic signature and version control/revision history with action and date
• If the document is in a document management system, provide a screen shot of what the CIP Senior Manager reviewed, and include an approval signature page associated with the reviewed document
CIP-003-5 R1 – Possible Pitfalls
• Policy doesn’t address all identified topics in the requirement
• Not consistently reviewing every 15 months
• Current annual schedule may not meet the requirement
• Notifications and alerts may not get updated
CIP-003-5 R1 Implementation Tips
• Set up or update annual review notifications and alerts to meet the 15 calendar month criteria
• Address High and Medium impact in policies
• Review Best Practices: Managing Evidence Presentation http://www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx
CIP-003-5 R2 New Requirement
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
• 2.1 Cyber security awareness;
• 2.2 Physical security controls;
• 2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and
• 2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. (NERC, 2012, CIP-003-5, p. 5)
CIP-002-5, R1, Part R1.3 = Low Impact BES Cyber Systems
• P 106: “[W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.” (FERC, 2013, Order 791, p. 72769)
CIP-003-5 R2 Progress
• The Standard Drafting Team (SDT) has been hard at work
• The SDT is still working on the requirements, measures, and rationale
• Nothing is definitive as of yet
• The draft has changed to a table format
CIP-003-5 R2 Current Draft
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing low impact BES Cyber Systems), shall:

CIP-003 R2 Draft (continued)
• R2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity

CIP-003 R2 Draft (continued)
• 2.4 Incident Response to Cyber Incidents

CIP-003 R2 Draft (continued)
• 2.5 Cyber Security Awareness
CIP-003-5 R2 Firm Dates
• The Standard Drafting Team (SDT) must complete its work by February 3, 2015
• The draft goes to industry for comment June 2, 2014
• If you’d like to get involved, contact Ryan Stewart with NERC at: email@example.com
CIP-003-5 R2 – Possible Pitfalls
• Entity may not know what its Low Impact BES Cyber Systems are
• Not consistently reviewing every 15 months
• Current annual schedule may not meet the requirement
• Notifications and alerts may not get updated
• Policies may not address all parts of the requirement
CIP-003-5 R2 Implementation Tips
• Stay on top of WECC’s outreach for more direction on Low Impact BES Cyber Systems
• Update annual review notifications and alerts to meet the version 5 timeline
CIP-003-5 R3 No Change
• Each Responsible Entity shall:
• Identify a CIP Senior Manager by name
• Document any change within 30 calendar days of the change
Cross-reference: CIP-003-3 R2.1 and R2.2 correspond to CIP-003-5 R3.
CIP-003-5 R3 Audit Approach
• CIP Senior Manager’s name
• Include the date identified
• Version control and revision history
• Include the action specific to the change, with dates
Note: If you are not retaining the original document designating the CIP Senior Manager, entities still need to demonstrate compliance with the standard on or before April 1, 2016. We recommend reaffirming the CIP Senior Manager on or before April 1, 2016 and providing that document as evidence.
CIP-003-5 R3 – Possible Pitfalls
• Entity did not identify the CIP Senior Manager by name and did not include the date identified
• Changes to the CIP Senior Manager were not documented within 30 calendar days
CIP-003-5 R3 Implementation Tips
• Update processes to ensure there are steps for documenting changes within 30 calendar days
CIP-003-5 R4 Minor Clarifications
• The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used
• The CIP Senior Manager may delegate authority for specific actions
• Include the delegate’s name or title, the specific actions delegated, and the date of the delegation;
• Approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation
• Delegation changes do not need to be reinstated with a change to the delegator
Cross-reference: CIP-003-3 R2.3 corresponds to CIP-003-5 R4.
CIP-003-5 R4 Audit Approach
• Were there any delegations?
• Who was delegated, and what were they delegated to do?
• Was the delegation approved by the CIP Senior Manager?
CIP-003-5 R4 – Possible Pitfalls
• Entity did not document a process to delegate authority
• Entity did not identify delegates by name and did not include the date identified or the specific actions delegated
• The CIP Senior Manager did not approve the delegation
CIP-003-5 R4 Implementation Tips
• Document a process for delegating authority, and ensure the process addresses the specific requirements
• Follow the documented process
CIP-003-5 Modifications
• Reorganized to only include elements of policy and cyber security program governance.
Cross-reference (requirements moved to other standards): CIP-003-3 R3 (CIP-011-1); CIP-003-3 R4 (CIP-004-5); CIP-003-3 R5 (CIP-010-1); CIP-003-3 R6
Wrap-up
• Know what is required for each BES Cyber System
• Attend future WECC outreach events to get further clarity on Low Impact BES Cyber Systems
References
• FERC. (2013, November 22). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC ¶ 61,160; Docket No. RM13-5-000. In Federal Register, Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2014, March 12). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
• NERC. (2012, November 26). CIP-003-5 – Cyber Security – Security Management Controls. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-003-5&title=Cyber%20Security%20-%20Security%20Management%20Controls&jurisdiction=null
Questions?
Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security
firstname.lastname@example.org
Desk: 801-819-7601
Cell: 801-300-0225