cip-003-7 r2 section 2 physical security controls - cip-003... · pdf file...

Post on 21-Jul-2020

  • CIP-003-7 R2 Section 2 Physical Security Controls

    August 7, 2019

    Joshua Rowe, PSP Compliance Auditor, Physical and Cyber Security

  • About the Presenter

    Joshua Rowe, PSP

    • WECC Auditor, Physical and Cyber Security

    • SME CIP-006, CIP-008, CIP-014

    • 15+ years Law Enforcement, Physical Security, and Critical Infrastructure Experience

    • United States Marine Corps (Retired)

      • Military Police Officer

      • Criminal Investigator

      • Physical Security Program Senior Advisor

      • Installation Physical Security Senior Advisor

      • Physical Security Inspector, USMC Inspector General’s Office

  • Agenda

    • Rationale

    • Implementation Dates

    • Site visits

    • Physical Security Controls

    • Audit approach

    • Common Questions

    • Summary

  • Objective

    To review CIP-003-7 Attachment 1 Section 2 pursuant to Physical Security Controls for low impact BES Cyber Systems.

  • CIP-003-7 R2 Rationale

    In response to FERC Order No. 791, Requirement R2 requires entities to develop and implement cyber security plans to meet specific security control objectives for assets containing low impact BES Cyber Systems. The cyber security plan(s) covers four subject matter areas: (1) cyber security awareness; (2) physical security controls; (3) electronic access controls; and (4) Cyber Security Incident response. This plan(s), along with the cyber security policies required under Requirement R1, Part 1.2, provides a framework for operational, procedural, and technical safeguards for low impact BES Cyber Systems.

  • Implementation Plan Dates

    | Standard/Requirement | Subject | Implementation Dates (CIP-003-7 Compared to CIP-003-6) |
    |---|---|---|
    | CIP-002-5.1 R1 & R2 | BES Cyber System Categorization | 7/1/2016 |
    | CIP-003-7 | Security Management Controls | 1/1/2020 7/1/2016 |
    | CIP-003-7 R1.1 | Policies for high & medium impact BCS | 7/1/2016 7/1/2016 |
    | CIP-003-7 R1.2 | Policies for assets containing low impact BCS | 1/1/2020 4/1/2017 |
    | CIP-003-7 R2 | Implement Sections 1–5 | |
    | CIP-003-7, Att 1, Section 1 | Cyber Security Awareness | 4/1/2017 4/1/2017 |
    | CIP-003-7, Att 1, Section 2 | Physical Security Controls | 1/1/2020 9/1/2018 |
    | CIP-003-7, Att 1, Section 3 | Electronic Access Controls | 1/1/2020 9/1/2018 |
    | CIP-003-7, Att 1, Section 4 | Cyber Security Incident Response | 4/1/2017 4/1/2017 |
    | CIP-003-7, Att 1, Section 5 | Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation | 1/1/2020 n/a |
    | CIP-003-7 R3 | Identify a CIP Senior Manager | 7/1/2016 7/1/2016 |
    | CIP-003-7 R4 | Delegate CIP Senior Manager authority | 7/1/2016 7/1/2016 |

  • Low Impact Site Visits

    If an audit has an on-site portion, site visits may be scheduled.

    ▪ Random or statistical sampling is not appropriate when sampling for low impact BES asset site visits

    ▪ Expect the audit team to use non-statistical sampling in accordance with NERC guidelines based on the audit team's perception of risk and impact to the BES:

      • More attention at low impact Transmission stations with larger impacts (multiple 230kV/345kV lines)

      • Larger Generation plants (e.g., those that are near that 1500 MW net Real Power capability but have been segmented)

      • BES assets with mixed impact levels

  • Language of the Standard

    CIP-003-7 Attachment 1 Section 2

    Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1 if any.

  • Control Physical Access

    “Each Responsible Entity shall control physical access,…”

    Example controls may include:

    • Mechanical

    • Electronic

    • Monitoring

    • Operational/procedural

    • Technical controls

    “Documentation must reflect implementation”

  • Mechanical Access Controls

    • Physical hard keys

    • Requires strict key management plan

    • Perimeter barriers

    • Chain-link, mini mesh, anti-cut/climb fence

    • Pedestrian barriers

    • Turnstiles

    • Vehicle barriers

    • Entry control point

  • Access Controls

    Physical Access Control Systems (PACS)

    • Genetec

    • CCure

    • Lenel

    • Prowatch

    Best if used with:

    • Door position sensors

    • Motion detectors

    • Video surveillance

  • Monitoring Controls

    • Monitoring Controls

      • Alarm system

      • Human Observation

    Factors for consideration when employing monitoring controls include:

    • Personnel

    • Training

    • 24/7 operations

  • The power of “and”

    • Access Control – or – Monitoring

      • A single point of failure

      • Inherently weak control scheme

      • No margin of error

    • Access Control – and – Monitoring

      • Built-in redundancy for enhanced security and compliance

      • Complementary controls offer resiliency to failures and unforeseen events

  • Based on need

    “…based on need as determined by the Responsible Entity,...”

    Entities must define the need for access

    • Can be documented at the policy level

    • Must be specific to low impact BES Cyber Systems

    • Includes methods to grant or revoke access

  • Asset or Location

    “…to (1) the asset or the locations of the low impact BES Cyber Systems within the asset,...”

    • Asset

      • Protect the low impact BES Cyber System itself

    • Location

      • Protect the entire site

    “Layered physical security is recommended”

  • Layered Physical Security

    • CIP-003-7 requires one or more controls… However:

      • Multiple concentric layers of protection are better

      • Multiple differing and complementary controls are optimal

    “It is okay to go above and beyond”

  • Electronic access controls

    “…and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.”

    Guidelines and Technical Basis

    “If these Cyber Assets implementing the electronic access controls are located within the same asset as the low impact BES Cyber Asset(s) and inherit the same physical access controls and the same need as outlined in Section 2, this may be noted by the Responsible Entity in either its policies or cyber security plan(s) to avoid duplicate documentation of the same controls.”

  • Elements of success

    • Use differing and complementary controls if possible

      • Locks with new lock cylinders

      • Door position sensors

      • Motion detectors

      • Video surveillance

    • Strong key management plans include

      • Complete baseline of new lock cylinders

      • Use highest security locks possible

      • Minimal distribution

      • Key issuance and retrieval

      • Requirements and procedures for rekey

      • Key inventory

    • Implement best practices

    • Detailed documentation

  • Acceptable Evidence

    • Cyber security policy or policies

    • Physical security plans

    • Physical security procedures

    • Physical security control diagrams

    “Aim for sound physical security practices, and be mindful of compliance obligations.”

  • Common Questions

    Q: How many keys must be lost before rekeying is necessary?

    A: A single lost key is a compromised lock. The key management program should identify incidents that require a rekey.

    Q: If a broken lock is discovered, do we have a violation?

    A: Maybe. Does the entity have additional means of verifying no physical access occurred?

  • Common Questions

    Q: After 1/1/2020, would an entity be expected to file a Self-Report if someone breaches their physical security control (i.e., fence line)?

    A: Maybe. Is this the only control?

    Q: What is a reasonable timeline to repair a fence?

    A: Resource dependent; however, if this is the only control, supplemental controls must be employed in the interim to “control physical access.”

  • Review

    • Entities must implement physical security controls on or before January 1, 2020

    • Entities must document physical security controls in one or more physical security plan(s)

    • One or more physical access control(s) are required to protect low impact BES Cyber Systems

    • Site visits may be required during an audit

  • For CIP Questions

    Contact:

    Joshua Rowe, PSP Compliance Auditor, Physical and Cyber Security

    JRowe@wecc.org