CIP-003-6 for Low Impact BES Cyber Systems

Post on 11-Feb-2017

  • CIP-003-6 for Low Impact BES Cyber Systems

    Dave Cerasoli, Senior CIP Auditor

    dcerasoli@npcc.org

    Marie Kozub, Senior Compliance Analyst

    mkozub@npcc.org

    May 11, 2016

  • CIP-003-6 Applicability

    BA, DP, GO, GOP, IA, RC, TO, TOP

    See the Implementation Plan for the Enforceable Dates of the Requirements and Attachment 1 Sections

    5/4/2016 2

  • CIP-003-6 PURPOSE

    To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems (BCS) against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).


  • CIP-003-6 R1

    R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:


  • CIP-003-6 R1.2

    1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:

    1.2.1. Cyber security awareness;

    1.2.2. Physical security controls;

    1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and

    1.2.4. Cyber Security Incident Response.


  • CIP-003-6 R1.2

    NOTE: Use of common programs and procedures is permitted for High, Medium and Low Impact BES Cyber Systems and should be noted when explaining to auditors.


  • CIP-003-6 R1.2 Considerations for Audit

    Policy documents' Revision History that reflects review and approval of each cyber security policy at least once every 15 calendar months

    Records of Review, e.g., emails, meeting minutes

    Workflow evidence from a document management system


  • CIP-003-6 R2

    R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.


  • CIP-003-6 R2

    Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.


  • Low Impact BES Cyber Systems HEADS UP!!!

    Although an inventory, list, or discrete identification of low impact BCS or their BES Cyber Assets is not required, a list containing the name of each asset that contains a low impact BES Cyber System is required, such as a list of:

    Generating plants

    Transmission stations

    Certain distribution stations

    Certain small control centers that contain low impact BCS

    Blackstart resources and cranking paths


  • CIP-003-6 R2 Attachment 1: 4 Focus Areas for Lows

    Section 1. Cyber Security Awareness

    Reinforce, at least every 15 calendar months, cyber security practices

    Section 2. Physical Security Controls

    Control of physical access based on need

    Section 3. Electronic Access Controls

    Permit only necessary inbound and outbound bi-directional routable protocol access

    Authentication for all Dial-up Connectivity

    Section 4. Cyber Security Incident Response

    Requires 6 elements (of the 9 required for Medium) from CIP-008-5


  • Attachment 1 Section 1

    Section 1 Cyber Security Awareness

    Shall reinforce cyber security practices at least every 15 months

    May include physical security practices


  • Attachment 1 Section 2

    Section 2 Physical Security Controls

    Shall control physical access, based on need, to:

    The low impact BES Cyber Systems within the asset

    The Low Impact BES Cyber Systems Electronic Access Points (LEAPs), if any.


  • Attachment 1 Section 3

    Section 3 Electronic Access Controls

    3.1 For Low Impact External Routable Connectivity (LERC), if any, implement a LEAP (Low Impact Electronic Access Point) to permit only necessary inbound and outbound bi-directional routable protocol access

    3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Asset capability


  • Attachment 1 Section 4

    Section 4 Cyber Security Incident Response Plan(s)

    4.1 Identification, Classification and Response to a Cyber Security Incident;

    4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;

    4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

    4.4 Incident handling for Cyber Security Incidents;


  • Attachment 1 Section 4

    Section 4 Cyber Security Incident Response Plan(s)

    4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident.


  • Attachment 1 Section 4

    Section 4 Cyber Security Incident Response Plan(s)

    4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.


  • CIP-003-6 R2 Considerations for Audit

    Provide copies of a documented cyber security plan(s) that collectively addresses each of the four Sections in Attachment 1.

    Have available for review dated electronic or physical records accurately demonstrating that the cyber security plans were reviewed, implemented and followed.


  • CIP-003-6 R2 Considerations for Audit

    Lists of personnel with access to low impact BES Cyber Systems are not required; however, the Responsible Entity's plan should identify and demonstrate:

    The process for determining which personnel have a need to access the low impact BES Cyber Systems.

    How the electronic security protections and physical protections are implemented to ensure that access is restricted only to those personnel that have a need.

    That personnel have completed required training and had access to the security awareness materials.


  • CIP-003-6 R2 Considerations for Audit

    Entities must demonstrate that low impact BCS locations have been afforded electronic and physical protections, and are included in recovery plans. The following may be beneficial towards demonstrating compliance:

    Maintaining lists of BES Cyber Assets / BES Cyber Systems (while not required) may assist in ensuring that all low impact BES Cyber Systems are afforded proper protections.

    Station, plant, or Control Center drawings showing all Cyber Assets at the location,

    Drawings showing computer network paths through identified LEAPs, and

    Drawings of physical locations showing required physical access controls.


  • A Final Note for R2

    CIP-002-5: Requires a list containing the name of each asset that contains a low impact BES Cyber System, such as:

    Generating plants

    Transmission stations

    Certain distribution stations

    Blackstart resources and cranking paths


  • CIP-003-6 R3

    R3. Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.


  • CIP-003-6 R3 Considerations for Audit

    Must provide documentation that specifically designates someone by name: email, memo, letter, company bulletin, etc.

    Documentation for changes should reflect the date when the current person is stepping down and when the replacement becomes effective.

  • CIP-003-6 R4

    R4. The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.


  • CIP-003-6 R4 Considerations for Audit

    Must provide a documented process for delegation of responsibility or actions.

    Must include:

    The delegate identified by name

    The specific actions for which they are responsible

    Approval by the CIP Senior Manager, and the date

    Changes must be documented within 30 days.


  • Suggestions

    Insist on early participation from SMEs, plant, and field personnel from both the IT and the Operations areas to promote a better understanding of the assets and their functions, resulting in a more collaborative and effective program of protection.

    Schedule weekly team meetings to maintain focus and keep
