Page 1: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 Audit Approach

CIP Version 5 Workshop

October 1-2, 2015

Bob Yates, CISSP, MBA - Principal Technical Auditor

Rhonda Bramer, CISSP, CISA, CISM, CRISC, GSEC - Senior CIP Auditor

Page 2: CIP-005-5 Electronic Security Perimeter(s)

Forward Together • ReliabilityFirst 2

Audit to the requirements and Applicability

Use the following for guidance

• Guidelines and Technical Basis

• V5 Transition Advisory Group Lessons Learned

• V5 Transition Advisory Group Frequently Asked Questions

CIP-005-5 R1 General Audit Approach

Page 3: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R1 Part 1.1

Page 4: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• For each sampled BES Cyber System, verify each associated BES Cyber Asset and Cyber Asset that is connected to a network via a routable protocol resides within a defined Electronic Security Perimeter (ESP).

• For each ESP associated with a sampled BES Cyber System, verify all devices residing within the ESP are identified.

• For each ESP associated with a sampled BES Cyber System, verify each device residing within the ESP is properly classified as:

‒ A component of the highest-rated BES Cyber System within the ESP, or

‒ A Protected Cyber Asset (PCA) associated with the highest-rated BES Cyber System within the ESP.

CIP-005-5 R1 Part 1.1

Page 5: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• Lists of BES Cyber Assets (BCAs) and PCAs within each ESP

• Detailed ESP Diagrams showing BCAs and PCAs

• Site visits to verify ESPs

CIP-005-5 R1 Part 1.1
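As an added illustration (not part of the workshop slides and not a ReliabilityFirst tool), the Part 1.1 checks above can be run mechanically against an entity's asset inventory before the sampled BES Cyber Systems are walked down on site. The script below is example code over a constructed inventory; the field names, asset identifiers and ESP names are assumptions for illustration. It applies the two checks from the slide: every routable BES Cyber Asset of a High or Medium impact BES Cyber System must reside in a defined ESP (Low impact BES Cyber Systems are outside the applicability of CIP-005-5 R1, so a Low asset outside an ESP is not a finding here), and every device inside an ESP must be identified and classified as a BCA or PCA at the highest impact rating present in that ESP.

```python
"""CIP-005-5 R1 Part 1.1 inventory reconciliation (added example, constructed data)."""
from collections import defaultdict

# Impact ratings in increasing order. A PCA inherits the rating of the ESP's
# highest-rated BES Cyber System; it never sets that rating itself.
IMPACT_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed inventory with assumed field names (not a real entity's data).
#   kind:     "BCA" = BES Cyber Asset, "PCA" = Protected Cyber Asset, "other" = not classified
#   impact:   rating of the BES Cyber System the device belongs to or is associated with
#   routable: connected to a network via a routable protocol
#   esp:      ESP the device resides in, or None if it is outside every ESP
INVENTORY = [
    {"id": "rtu-01",    "kind": "BCA",   "impact": "Medium", "routable": True,  "esp": "ESP-SubA"},
    {"id": "hmi-01",    "kind": "BCA",   "impact": "Medium", "routable": True,  "esp": "ESP-SubA"},
    {"id": "hist-01",   "kind": "PCA",   "impact": "Medium", "routable": True,  "esp": "ESP-SubA"},
    {"id": "relay-07",  "kind": "BCA",   "impact": "Medium", "routable": False, "esp": None},       # serial only: allowed
    {"id": "rtu-02",    "kind": "BCA",   "impact": "Medium", "routable": True,  "esp": None},       # finding: routable, no ESP
    {"id": "rtu-09",    "kind": "BCA",   "impact": "Low",    "routable": True,  "esp": None},       # Low impact: not in R1 scope
    {"id": "ems-01",    "kind": "BCA",   "impact": "High",   "routable": True,  "esp": "ESP-CC"},
    {"id": "ptp-01",    "kind": "PCA",   "impact": "Low",    "routable": True,  "esp": "ESP-CC"},   # finding: below high-water mark
    {"id": "printer-3", "kind": "other", "impact": None,     "routable": True,  "esp": "ESP-CC"},   # finding: unclassified
]


def highest_rating(devices):
    """Highest impact rating among the BES Cyber Assets in one ESP (None if it holds no BCA)."""
    ratings = [d["impact"] for d in devices if d["kind"] == "BCA" and d["impact"] in IMPACT_RANK]
    return max(ratings, key=IMPACT_RANK.__getitem__) if ratings else None


def audit_part_1_1(inventory):
    """Return (asset id, finding) pairs for the two Part 1.1 checks, in inventory order."""
    findings = []

    # Check 1: every routable BCA of a High or Medium BES Cyber System sits inside a defined ESP.
    for d in inventory:
        if (d["kind"] == "BCA" and d["impact"] in ("High", "Medium")
                and d["routable"] and d["esp"] is None):
            findings.append((d["id"], "routable BES Cyber Asset outside any ESP"))

    # Check 2: every device inside an ESP is identified and classified as a BCA or PCA
    # at the ESP's high-water mark (the highest-rated BES Cyber System in that ESP).
    by_esp = defaultdict(list)
    for d in inventory:
        if d["esp"] is not None:
            by_esp[d["esp"]].append(d)
    for esp, devices in sorted(by_esp.items()):
        top = highest_rating(devices)
        for d in devices:
            if d["kind"] not in ("BCA", "PCA"):
                findings.append((d["id"], f"unclassified device inside {esp}"))
            elif d["impact"] != top:
                findings.append((d["id"], f"classified {d['impact']} but {esp} high-water mark is {top}"))
    return findings


if __name__ == "__main__":
    for asset, finding in audit_part_1_1(INVENTORY):
        print(f"{asset:10} {finding}")
```

Run against the constructed inventory, the script flags rtu-02 (routable Medium BCA outside any ESP), ptp-01 (a PCA carried at Low inside an ESP whose highest-rated BES Cyber System is High) and printer-3 (a device in the ESP that is neither BCA nor PCA); relay-07 and rtu-09 are not findings. The output is a worklist for the site visit, not a substitute for it: the diagrams and the physical walkdown still have to confirm that the inventory is complete.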

Page 6: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R1 Part 1.2

Page 7: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• For each ESP associated with a sampled BES Cyber System, verify that all Electronic Access Points (EAPs) have been identified.

CIP-005-5 R1 Part 1.2

Page 8: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• Lists of EAPs and associated ESP

• Detailed ESP Diagrams showing all EAPs

• Site visits to verify EAPs

CIP-005-5 R1 Part 1.2

Page 9: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R1 Part 1.3

Page 10: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• Verify inbound and outbound access permissions are implemented.

• Verify each inbound and each outbound permission includes the reason for granting access.

• Verify inbound and outbound access is denied by default.

CIP-005-5 R1 Part 1.3

Page 11: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• Lists of access permissions (firewall rules, access control lists, etc.)

• Screen shots of access permissions

• Documented reason for each rule

CIP-005-5 R1 Part 1.3

Page 12: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R1 Part 1.4

Page 13: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• For each Cyber Asset accessible via Dial-up Connectivity, verify authentication is performed when establishing a connection, or that an approved Technical Feasibility Exception (TFE) covers the device.

• If a TFE is applicable to a device, verify the compensating measures identified by the TFE are in place.

CIP-005-5 R1 Part 1.4

Page 14: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• List of Cyber Assets with dial-up capability

• Description and screenshots of authentication method

• TFEs

• Evidence of compensating and mitigating measures

• Site visits

CIP-005-5 R1 Part 1.4

Page 15: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R1 Part 1.5

Page 16: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• For each EAP, verify the entity has implemented at least one method for detecting known or suspected malicious communications for both inbound and outbound communications.

CIP-005-5 R1 Part 1.5

Page 17: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• List of IDS/IPS Devices

• IDS/IPS Device Configurations

• Distinct security measure (Dual protection architecture)

• Site Visits

CIP-005-5 R1 Part 1.5

Page 18: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R2 Part 2.1

Page 19: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• Verify Interactive Remote Access is configured to utilize an Intermediate System, or that an approved TFE covers this circumstance.

• Verify no applicable Cyber Assets are directly accessible from assets outside an ESP, other than through an Intermediate System, or that an approved TFE covers this circumstance.

• If a TFE covers one or more of these issues, verify the compensating measures identified by the TFE are in place.

CIP-005-5 R2 Part 2.1

Page 20: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• Network Diagrams

• Architecture Documents

• Screenshots of configurations

• Lists of access permissions (firewall rules, access control lists, etc.)

• TFEs

• Evidence of compensating and mitigating measures

• Site Visits

CIP-005-5 R2 Part 2.1
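Part 1.3 (a documented reason for every permission, access denied by default) and Part 2.1 (no direct Interactive Remote Access into the ESP other than through an Intermediate System) are both verified from the same EAP rule list, so the following added example reviews one constructed ruleset for both. It is example code, not from the slides and not a vendor tool. The CSV export layout, the addresses, the rule numbers and the Intermediate System address are assumptions; the list of interactive protocols (SSH, Telnet, RDP, VNC) is a starting point, not a definition of Interactive Remote Access, and has to be extended for the entity's environment.

```python
"""EAP rule review for CIP-005-5 R1 Part 1.3 and R2 Part 2.1 (added example, constructed data)."""
import csv
import io
import ipaddress

# Constructed rule export in an assumed vendor-neutral CSV layout.
# One row per rule; rules are evaluated top-down within each direction.
RULESET = """\
seq,direction,action,src,dst,proto,port,reason
10,inbound,permit,10.20.0.5/32,192.168.50.0/24,tcp,22,Intermediate System jump host to ESP (Interactive Remote Access)
20,inbound,permit,10.20.0.5/32,192.168.50.0/24,tcp,3389,Intermediate System jump host to ESP (Interactive Remote Access)
30,inbound,permit,10.30.1.0/24,192.168.50.10/32,tcp,502,Modbus polling by corporate historian collector
40,inbound,permit,10.30.7.12/32,192.168.50.20/32,tcp,3389,
50,inbound,deny,any,any,any,any,Default deny inbound
60,outbound,permit,192.168.50.0/24,10.40.0.2/32,udp,123,NTP to time source
70,outbound,permit,192.168.50.0/24,10.40.0.3/32,udp,514,Syslog to SIEM collector
80,outbound,permit,192.168.50.0/24,any,tcp,80,
"""

# Assumed: the only Intermediate System allowed to originate Interactive Remote Access into the ESP.
INTERMEDIATE_SYSTEMS = [ipaddress.ip_network("10.20.0.5/32")]

# Starting list of interactive protocols (SSH, Telnet, RDP, VNC); extend for the environment under audit.
INTERACTIVE_PORTS = {("tcp", 22), ("tcp", 23), ("tcp", 3389), ("tcp", 5900)}


def parse_rules(text):
    """Parse the CSV export into a list of rule dicts, preserving rule order."""
    return list(csv.DictReader(io.StringIO(text)))


def is_intermediate_system(src):
    """True when the rule's source lies wholly inside an Intermediate System address."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERMEDIATE_SYSTEMS)


def is_deny_all(rule):
    return (rule["action"] == "deny" and rule["src"] == "any"
            and rule["dst"] == "any" and rule["proto"] == "any")


def audit_rules(rules):
    """Return (seq, part, finding) triples for Part 1.3 and Part 2.1, in rule order."""
    findings = []
    for r in rules:
        # Part 1.3: every permission carries the reason it was granted.
        if r["action"] == "permit" and not r["reason"].strip():
            findings.append((r["seq"], "1.3", "permit rule without a documented reason"))
        # Part 2.1: interactive protocols may enter the ESP only from an Intermediate System.
        if (r["direction"] == "inbound" and r["action"] == "permit" and r["port"].isdigit()
                and (r["proto"], int(r["port"])) in INTERACTIVE_PORTS
                and not is_intermediate_system(r["src"])):
            findings.append((r["seq"], "2.1",
                             f"{r['proto']}/{r['port']} permitted directly from {r['src']}, "
                             "which is not an Intermediate System"))
    # Part 1.3: each direction ends in an explicit deny-all, with nothing shadowed behind it.
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r["direction"] == direction]
        deny_idx = next((i for i, r in enumerate(chain) if is_deny_all(r)), None)
        if deny_idx is None:
            findings.append(("-", "1.3", f"{direction} chain has no explicit deny-all; access is not denied by default"))
        else:
            for r in chain[deny_idx + 1:]:
                findings.append((r["seq"], "1.3", f"rule is unreachable behind the {direction} deny-all"))
    return findings


if __name__ == "__main__":
    for seq, part, finding in audit_rules(parse_rules(RULESET)):
        print(f"rule {seq:>3}  Part {part}  {finding}")
```

On the constructed ruleset this reports rule 40 twice (no reason, and RDP into the ESP from a host that is not the Intermediate System), rule 80 for its missing reason, and the outbound chain for lacking a deny-all. A platform whose implicit default is deny would still be asked for evidence of that default; an explicit final deny rule is the easiest evidence to produce. The review only sees what the export shows: screenshots of the live configuration and the site visit remain necessary to confirm the export matches the device.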

Page 21: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R2 Part 2.2

Page 22: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes.

• Verify all Interactive Remote Access utilizes encryption that terminates at an Intermediate System, or that an approved TFE covers this circumstance.

• If a TFE covers one or more of these issues, verify the compensating measures identified by the TFE are in place.

CIP-005-5 R2 Part 2.2

Page 23: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• Network Diagrams

• Architecture Documents

• Screenshots of configurations

• TFEs

• Evidence of compensating and mitigating measures

• Site Visits

CIP-005-5 R2 Part 2.2

Page 24: CIP-005-5 Electronic Security Perimeter(s)

CIP-005-5 R2 Part 2.3

Page 25: CIP-005-5 Electronic Security Perimeter(s)

Audit Approach

• Verify the entity has documented one or more processes which address this Part.

• Verify all Interactive Remote Access sessions require multi-factor authentication, or that an approved TFE covers this circumstance.

• If a TFE covers one or more of these issues, verify the compensating measures identified by the TFE are in place.

CIP-005-5 R2 Part 2.3

Page 26: CIP-005-5 Electronic Security Perimeter(s)

Types of Evidence

• Network Diagrams

• Architecture Documents

• Screenshots of multi-factor authentication

• TFEs

• Evidence of compensating and mitigating measures

• Site Visits

CIP-005-5 R2 Part 2.3

Page 27: CIP-005-5 Electronic Security Perimeter(s)

Questions & Answers