(77767007) (1) spina scce presentation · 2014. 9. 3. · 10 version 5 example 19 version 5...
TRANSCRIPT
1
www.morganlewis.com
NERC Cybersecurity ComplianceSociety of Corporate Compliance and Ethics
Utilities & Energy Compliance Conference
Stephen M. SpinaFebruary 24, 2014
DISCLAIMER
• This material is provided as a general informational service to clients and friends of Morgan, Lewis & Bockius LLP. It does not constitute, and should not be construed as, legal advice on any specific matter, nor does it create an attorney-client relationship. You should not act or refrain from acting on the basis of this information. This material may be considered Attorney Advertising in some states. Any prior results discussed in the material do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change. © 2013 Morgan, Lewis & Bockius LLP. All Rights Reserved.
• IRS Circular 230 DisclosureTo ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein. For information about why we are required to include this legend, please see http://www.morganlewis.com/circular230.
2
Overview
• NERC CIP Overview
• CIP Version 5 Final Rule and Implementation Plan
• NERC’s Transition Guidance
• Comparing Options Under Transition Guidance
• Selecting Your Transition Path
• NIST Framework
• FERC’s Office of Energy Infrastructure Security
3
CIP Compliance and Why It Is Important
• Importance to utilities:• Easy to violate, perfect compliance very difficult
• A significant human element, regardless of automation
• Many specific operational and documentation requirements
• Violations carry heavy penalties: up to $1M per violation, per day as a violation of Part II of the Federal Power Act
• Provides important security protections for valuable and hard-to-replace assets
• Importance to regulators:• Major source of concern for FERC (OER and OEIS)
• Significant Congressional scrutiny, possibility of legislation
• Executive concern, as evident in executive order
4
3
CIP Standards Violation History
5
CIP Standards Violation History
6
4
CIP Compliance Strategies from the Field
• Establish a stand-alone security organization• Separate from compliance, but working with compliance
• Security expertise; not simply IT expertise
• Often part of the corporate security organization
• Make the investments that are necessary to achieve compliance• In most cases, if you are not CIP compliant you likely have a security
gap that could jeopardize costly assets.• Mitigation, compliance, and legal costs can also be significant if a violation
occurs.
• Decision-makers need to recognize risks to their assets and operations.
• State regulators need to understand the risk and the prudence of expenditures to mitigate that risk (NARUC is leading in this area).
• Replacing an access control and authorization system is cheaper than replacing a turbine destroyed through an Aurora-style attack.
7
CIP Compliance Strategy: Strong Process Controls
• The Problem: CIP Standards are highly detailed and require the careful implementation of complex procedures. You are held to your procedures. • There is always a human component, which leads to human
error.
• There are many individuals who have a role in CIP compliance; an error by a single one can create a compliance violation.
• The Solution: Implement strict process controls to reduce the likelihood of noncompliance. • Increase reliance on automation and technical controls, where
possible, and reduce reliance on procedural controls.
• Automated controls fail, but not as often as procedural (i.e. human) controls.
8
5
CIP Compliance Strategy: Understanding Compliance vs. Security
• Distinguish between cybersecurity compliance and cybersecurity.• Cybersecurity compliance: What is necessary to meet your legal
obligations under the CIP Reliability Standards.
• Cybersecurity: What is necessary to protect your utility assets.
• The regulatory requirements and business interests have the same objective, but are not equivalent.
• Implement those measures necessary to achieve CIP compliance and define these in your CIP program.=The floor for your cybersecurity efforts.
• Implement those measures necessary to achieve security, but not as part of your CIP program.=The ceiling for your cybersecurity efforts.
9
Compliant Is Not Secure
• The intent to go “above and beyond” in setting compliance goals is laudable, because the intent is to improve the security of critical assets.• However, from a legal perspective, making these efforts part of the CIP
program can create unnecessary risk.
• Need to draw a critical distinction between CIP compliance and the security of your critical assets.• CIP compliance should be what you must do to avoid regulatory fines,
but often includes what you voluntarily do as well.
• Security is what you choose to do to protect your assets.
10
What you must do
What you choose to make
CIP
CIP Risk
6
Avoid Repeat Violations
• FERC is increasingly scrutinizing repeated violations by the same or affiliated Registered Entities.
• Under the Commission’s guidance order, a violation should be considered repetitive if it is:• the result of conduct similar to the conduct underlying the previous
violation of the same, or a closely-related, Reliability Standard Requirement,
• the result of conduct addressed in a company’s mitigation plan for a prior violation of the same, or a closely-related, Reliability Standard Requirement, or
• an additional violation of the same Reliability Standard Requirement • An affiliate’s violation can be grounds for a finding of a repeat
violation if the prior violation involved:• an affiliate operated by the same corporate entity or • an affiliate whose reliability compliance activities are conducted by the
same corporate entity • Whether the violations happened in different Regions is irrelevant.• Violations that are considered “repetitive” are subject to heightened
sanctions. 11
How To Demonstrate a Culture of Compliance for CIP Standards
• When your utility experiences a cyber incident, consider reporting it to DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). • Can respond to and analyze control system related incidents
• Can conduct vulnerability and malware analysis
• Can support forensic investigations onsite
• In response to one of the recent attacks on generators, ICS-CERT:• Conducted on-site interviews with relevant personnel, imaged the
affected machines, analyzed those images, and identified the malware
• Issued specific recommendations to the affected utility on antivirus, USB best practices, and the importance of “hot spares” for critical systems
12
7
History of CIP Reliability Standards
• All CIP Standard Versions begin with identification of covered assets and then the application of specific cybersecurity controls.
• CIP Versions 1-3: Identify “Critical Cyber Assets” and protect them.• Version 1 Standards approved by FERC in Order No. 706 in January 2008.• Versions 2 and 3 made minor corrections and improvements to address
concerns identified by FERC, Version 3 now in effect.• Version 4 introduces “bright-line” criteria for identifying protected assets.
[Note: Version 4 is skipped and will not become effective.]
• CIP Version 5: Approved by FERC in Order No. 791 in November 2013. • Requires the identification of BES Cyber Systems. • Significantly revises the scope of the CIP Standards and the protections
applied to protected assets.
13
CIP Version 3—The Standards Today
• Scope of compliance responsibilities stem from identification of Critical Assets: “Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.”• Responsible Entity develops its own risk-based assessment
methodology for identifying Critical Assets.• E.g., control centers, substations, generators, etc.
• Highly discretionary; FERC/NERC concerned that this leads to under-identification of Critical Assets.
• Based on that list of Critical Assets, the Responsible Entity then identifies its Cyber Assets that are “essential to the operation” of its Critical Assets and are therefore “Critical Cyber Assets.”
• Cyber Assets are “Programmable electronic devices and communication networks including hardware, software, and data.” 14
8
Version 5: The Key Changes
• Categorization of “BES Cyber Systems” that could affect BES reliability and protection of those systems.• No more Critical Cyber Assets.
• BES Cyber Systems are essentially groups of Critical Cyber Assets.
• Allows entities to achieve compliance at the group level, rather than the device level.
• Could meet malware requirements for the BES Cyber System as a whole without the need to install malware prevention on each individual asset.
• Provides significant entity discretion: generator plant control system could be considered a BES Cyber System or individual components in plan control system could be considered BES Cyber Systems.
15
Version 5: The Key Changes
• Identifying BES Cyber System compliance requirements is a two-step process:1. Identify BES Cyber Systems for controls centers, substations,
generation resources, system restoration facilities, SPSs.• By definition, a BES Cyber System must, if misused, adversely affect the
reliable operation of the BES within 15 minutes.
• NERC provides extensive guidance on making this assessment.
– Look to effects of asset loss on dynamic response, balancing, frequency control, voltage control, constraint management, system monitoring and control, system restoration, situational awareness, and inter-entity coordination.
2. Classify those BES Cyber Systems as “High Impact,” “Medium Impact,” or “Low Impact.”
• Note: Every BES Cyber System will have a classification and must therefore receive some level of CIP protection; may capture many assets that would not have been covered under CIP Versions 1 through 4.
16
9
Version 5: The Key Changes
• “High Impact Rating” BES Cyber Systems are BES Cyber Systems used by and located at:• Reliability Coordinator Control Centers
• Balancing Authority Control Centers for certain 3000 MW Balancing Authorities and certain special categories
• Control Centers for Transmission Operators
• Control Centers for Generator Operators with control of certain critical generation (e.g. 1500 MW in an interconnection)
17
Version 5: The Key Changes
• “Medium Impact Rating” BES Cyber Systems are BES Cyber Systems used by and located at:• 1500 MW generating stations (but only for shared BES Cyber
Systems that would affect at least 1500 MW in 15 minutes)
• 500 kV and above transmission facilities
• 200 kV to 499 kV transmission facilities at a substation interconnected with at least three other 200 kV+ substations that meet certain criticality requirements
• “Low Impact Rating” BES Cyber Systems are BES Cyber Systems used by and located at other facilities not captured in the High and Medium Impact Rating lists. • Note: Would still need to be shown to adversely affect the
reliable operation of the BES within 15 minutes.18
10
Version 5 Example
19
Version 5 Implementation Plan
• April 1, 2016: effective date for all but CIP-003-5 R2.
• April 1, 2017: effective date for CIP-003-5 R2 (addressing Low Impact BES Cyber Systems)
• Certain actions must be performed prior to effective date.
• Certain actions must be performed shortly after effective date (see implementation plan for full list).
• Planned changes: compliant at next annual assessment.
• Unplanned changes: separate compliance implementation.
20
11
Cyber Security Standards Transition Guidance (Revised)
• Responsible Entities must continue to comply with Version 3 during the transition.
• BUT, the scope of the Standards depends on the choice made by the Responsible Entity.
21
Version 3 RBAM
• Use existing Risk-Based Assessment Methodology
Version 4 Bright Line
• Use the Version 4 Bright Line Criteria
• (option 1)
Version 5 High/Medium
• Use Version 5 High and Medium Impact Ratings
• (option 2)
Implementing the Cyber Security Standards Transition Guidance
• The three choices only affect the scope of the assets covered by the CIP Standards, not the technical cybersecurity protections.
= CIP Version 3 continues to be enforced for the protective measures required.
• Options can bring additional assets into scope or can remove existing assets previously identified in RBAM.
• Responsible Entities will be required to notify auditors prior to audits.
22
12
Transition Guidance: Third-Party Designated Assets
• If choosing alternative option 1 or 2, consider notifying relevant third-parties who can designate an asset as critical under Version 4 or Version 5.• Third-parties “highly encouraged” to proactively designate
necessary assets.
• CIP Version 4 examples:• (Criteria 1.3) Each generation Facility that the Planning Coordinator
or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid Bulk Electric System Adverse Reliability Impacts in the long-term planning horizon.
• (Criteria 1.8) Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of [IROLs] and their associated contingencies.
23
Transition Guidance: Third-Party Designated Assets
• CIP Version 5 examples:• (Impact Rating 2.3) Each generation Facility that its Planning
Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year.
• (Impact Rating 2.6) Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.
24
13
Transition Implementation Study
• Intended to help generate lessons learned for transition.
• Diverse mix of Responsible Entities selected to participate (6 to 8 total entities).• Will implement Version 5
• Not subject to CMEP enforcement for Version 3
• Expected to end in first quarter 2014; will result in new transition guidance based on:1. Effective methods noted for new technical controls.
2. Effective training and policies to guide employees.
3. Hurdles experienced and resulting outcomes.
4. Requirements posing particular difficulties.
25
Deciding on an Implementation Strategy: Key Factors
• Conduct the analysis to determine how the option you choose will affect the scope of CIP requirements.• Stability reduces compliance risk.
• Little change in scope = earlier transition has less create risk.
• Large change in scope = earlier transition has more risk.
• Scope also determines compliance risk.• Shrinking scope = less risk.
• Expanding scope = more risk.
• All utilities will need to transition to Version 5 at some point; there can be advantages to transitioning the scope of CIP compliance earlier, on your own schedule.• Breaks Version 5 transition into two steps: (1) scope change and
then (2) technical protections change.26
14
Executive Order 13636: Improving Critical Infrastructure Cybersecurity
1. Identification of Critical Infrastructure• DHS process and identification; notification;
reconsideration
2. Voluntary Cybersecurity Framework• NIST consultative, notice & comment process
• determine, analyze, and manage cyber risks
3. Methods to Encourage Adoption• Voluntary compliance; sector-specific agencies
• Annual DHS reporting; other incentives
4. Threat Information Sharing (classified and unclassified)
27
NIST’s Role in Developing CybersecurityFramework
• Developing a voluntary framework for reducing cyber risks to critical infrastructure
• Rulemaking-type process• Very public, consultative
• Workshops
• Formal notice & comment process
• Process to date
28
RFI and responses Workshops Identify
ThemesOutline
FrameworkPreliminary Framework
15
Presidential Policy Directive 21: Sector-Specific Agencies
29
DHS DOD
DHS EPA
DHS DOE
DHS Treasury
DHS DOA/HHS
HHS DHS
DHS DHS/DOT
Purpose of the NIST Framework
1. Describe current cybersecurity posture
2. Describe target status for cybersecurity posture
3. Identify and prioritize improvements
4. Assess progress towards target posture status
5. Better communication among stakeholders
30
16
Discussion Draft of Preliminary Cybersecurity Framework
Three key areas:
1. Framework Core Functions• Five Core Functions; Categories; Sub-Categories; References
2. Implementation Tiers• How Framework is implemented and risk managed
3. Framework Profile• Organization-specific status and target roadmap
Also provides:
1. Guidance on implementing the Framework
2. Examples of using the Framework to address risks
3. Profile example based on the electricity subsector31
Five Core Functions
• Identify: Understand the systems, assets, data, and capabilities that need to be protected; prioritize risk; plan to meet risk management goals
• Protect: Implement the safeguards, prioritized through risk management, to ensure delivery of critical infrastructure services
• Detect: Implement activities to identify cybersecurityevents (intrusions, etc.)
• Respond: Implement activities, prioritized through risk management, to take action if cybersecurity events occur
• Recover: Implement activities, prioritized through risk management, to restore capabilities impaired by an event 32
17
Framework Core Functions: Structure
Function
Category
Subcategory References
Subcategory References
Category
Subcategory References
Subcategory References
33
Selection from NIST Framework
34
18
Framework Core Functions: Example
Protect
Access Control
PR.AC-1 ISA 99 . . .
PR.AC-2 COBIT DSS01 . . .
Awareness and Training
PR.AT-1 ISO/IEC 27001 . . .
PR-AT-2 NIST SP 800-53 . . .
35
Categories/Subcategories
• Asset Management has six subcategories1. ID.AM-1: Inventory and track physical devices and systems
within the organization
2. ID.AM-2: Inventory software platforms and applications within the organization
3. ID.AM-3: Identify organizational network components and connections
4. ID.AM-4: Identify external information systems including processing, storage, and service location
5. ID.AM-5: Identify classification/criticality/business value of hardware, devices, and software
6. ID.AM-6: Identify business value of workforce functions by role
Each subcategory has multiple information references.
36
19
NIST Example: Framework for Electricity Subsector
37
Implementation Tiers
• Used to reflect how an organization implements the Framework Core functions and manages risk
• Appropriate “Tier” defined at organizational level and then applied to Framework Core to determine how a category is implemented
38
Tier 0=Partial
Tier 1: Risk Informed
Tier 2: Repeatable
Tier 3: Adaptive
20
Tier Range in Implementing Framework
Tier 0 = Partial (Lowest) Tier 3 = Adaptive (Highest)
Has not yet implemented a formal, threat-aware risk management process to determine a prioritized list of cybersecurityactivities
Updates its Profile based on predictive indicators derived from previous and anticipated cybersecurity activities
May implement some portions of the Framework on an irregular, case-by-case basis due to varied experience or information gained from outside sources
Has risk-informed policies, processes, and procedures are part of the organizational culture and evolve from previous activities (and from information shared by other sources) to predict and address potential cybersecurity events
May not have the processes in place to share cybersecurity information internally between its organizational layers and may not have the processes in place to participate in coordination or collaboration with other entities.
Manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs
39
An Organization’s Framework Profile
• Each organization identifies a current Tier for each Function as well as a target Tier for each Function
40
Identify Risk Assess Risk
Select Categories and Tiers based
on risk management
Implement selected
subcategories
21
NIST’s Guidelines for Profile Implementation
41
NIST Implementation Example
Make Organization Wide Decisions
Establish Target Profile
Establish Current Profile
Compare Profiles
Implement Target Profile
42
22
Takeaways for Industry
• Broad framework without specific required actions
• Organizational flexibility
• Scalability/implementation tied to risk
• Technology neutral
• Incorporates privacy and civil liberty methodology for Functions and most categories
• Methodology for assessing current status and developing roadmap for improvements
• Relies on existing standards, best practices, and guidelines
43
Implications for Critical Infrastructure Owners
• Most major industries covered by Executive Order/NISTFramework but many organizations may not have “Critical Infrastructure” identified by DHS• DHS will make determinations in consultation with sector-specific
agencies
• Private notification
• Possibility for reconsideration
• You will be notified if you are a Critical Infrastructure Owner• You will be expected (but not required) to implement the
Framework, but . . . .
44
23
Office of Energy Infrastructure Security
• Established in September 2012 to focus on physical and cyber risks to energy facilities subject to FERC jurisdiction.
• Intended to assist the Commission in identifying security risks, communicating those risks to other federal and state agencies and regulated utilities, and developing solutions to mitigate those risks.
• Four areas of focus:1. Developing recommendations to mitigate security risks to FERC-
jurisdictional facilities.2. Advising Congress, other agencies, and utilities regarding these risks .3. Participating in intelligence-related collaborative efforts to address
these risks alongside other agencies and utilities .4. Conducting outreach to address these threats with private-sector
owners and operators of critical infrastructure .
• Interaction with utilities through security assessments and collaboration to improve information and threat sharing.
45
Office of Energy Infrastructure Security
46
