CIP-101: CIP-005-5 Audit Approach, ESP Diagrams, and Industry Best Practices Overview. September 24 – 25, 2014, Henderson, NV. Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, Sr. Compliance Auditor – Cyber Security, Western Electricity Coordinating Council

Posted on 15-Aug-2020

TRANSCRIPT

Page 1

CIP-101: CIP-005-5 Audit Approach, ESP Diagrams, and Industry Best Practices Overview

September 24 – 25, 2014, Henderson, NV

Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security

Western Electricity Coordinating Council

Page 2

Speaker Introduction

• Joseph A. Andrews
  o 4 years Critical Infrastructure - Cyber Security
  o 21 years DoD Cyber Security / Network Security Engineering (Federal Civilian)
    § Senior Information Systems Security Engineer
    § Information Assurance Program Manager
    § Network Security Engineer
    § Information Systems Security Officer
    § Etc.
  o Academic
    § Master of Science in Information Security & Assurance
    § Bachelor of Science in IT/Information Security
    § Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, CSSA, GCIH, C|CISO, C|EH, CNDA, CBRM, CGEIT, CompTIA Security+

Page 3

PRESENTATION DIAGRAMS DISCLAIMER

• The network diagrams depicted within this presentation are only provided as examples to illustrate topics of discussion and are not meant to be prescriptive regarding any specific applications to compliance.

• WECC does not promote any particular brand of network appliance or computer. Various vendor models are used only for demonstration purposes.

Page 4

CIP Version 5 - Foundation

• Borrows from the NIST Risk Management Framework
  o System-centric (e.g., BCS) approach to security assessment, security control identification and implementation
    - Establishing Cyber System boundaries based on security categorization (e.g., criticality – High, Medium or Low), then applying risk management strategy and processes
    - Common security control inheritance
  o Continuous monitoring

Page 5

Terminology

• BES Cyber Asset (BCA)
• BES Cyber System (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Electronic Access Point (EAP)
• Interactive Remote Access (IRA)
• Dial-up Connectivity

Page 6

Requirement Count

• 5 Requirements (Version 3) – 26 Sub-requirements
• 2 Requirements (Version 5) – 8 Parts

Page 7

CIP-005-5 R1 Requirements Overview

• R1. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.
  o R1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
  o R1.2 All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
  o R1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
  o R1.4 Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
  o R1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

Page 8

CIP-005-5 R2 Requirements Overview

• R2. Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.
  o R2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
  o R2.2 For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
  o R2.3 Require multi-factor authentication for all Interactive Remote Access sessions.

Page 9: (diagram slide, no text)

Page 10

Electronic Security Perimeter (ESP)

• Provides network segmentation and restricted access to Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources (e.g., unauthorized mobile sources/systems).

• It is the Electronic Access Point that establishes the Electronic Security Perimeter.

Page 11

Electronic Access Point (EAP)

• An interface of a Cyber System, device or appliance that provides access to and/or through (i.e., ingress and egress traffic) an ESP (e.g., firewall, gateway, or control device with modem; TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[S]). The Cyber Assets with routable connectivity must reside within the ESP.

• May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP
  o may require intermediary device(s) for some of this functionality: Electronic Access Control or Monitoring (EACM) devices

Page 12

BES Cyber Asset (BCA) Definition - FERC Approved Date: 11/22/2013; Effective Date: 4/1/2016

• A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

Page 13

Non-Routable BCA/BCS

• Cyber Assets are subject to the CIP standards based on their functionality and resultant potential impact to BES reliability.
• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions).
• A BES Cyber System may include non-routable (serial) devices.
• End point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets, even if no routable communications exist.
• There are v5 requirements to be addressed (e.g., CIP-007-5).

Page 14

BCA and BCS CIP-005-5 Applicability

• All applicable Cyber Assets meeting the BES Cyber Asset definition criteria connected to a network via a routable protocol

Page 15: (diagram slide, no text)

Page 16

BES Cyber System (BCS) Definition - FERC Approved Date: 11/22/2013; Effective Date: 4/1/2016

• One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

Page 17

Protected Cyber Asset (PCA)

• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Page 18: (diagram slide, no text)

Page 19

EACM – Electronic Access Control or Monitoring

• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems.
• This includes but is not limited to EAPs, Intermediate Devices, authentication servers (RADIUS/TACACS), Active Directory servers, Certificate Authorities, Security Event Monitoring systems, IDS/IPS, etc.

Page 20: (diagram slide, no text)

Page 21: (diagram slide, no text)

Page 22

BCS (HIGH WATERMARK)

• An example of high-watermark application would be a Protected Cyber Asset (PCA) that is physically and logically connected (e.g., same subnet) to the same ESP as an interconnected BES Cyber Asset (BCA) or BES Cyber System (BCS). The lower-category PCA then inherits the security category of the BCA or BCS, and with it the NERC CIP security control requirements that apply to that category.

Pages 23–26: (diagram slides, no text)

Page 27

Discrete Electronic Security Perimeter

• An Electronic Security Perimeter that is typically located in a single geographical location and may be protected by a single Physical Security Perimeter (PSP), which may or may not span multiple rooms, provided that the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP-006.

Page 28: (diagram slide, no text)

Page 29

Extended Electronic Security Perimeter

• A single Electronic Security Perimeter that may be located in multiple geographical locations, or in multiple rooms at the same facility, protected by one or more Physical Security Perimeters (PSP); the cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP.

Page 30: (diagram slide, no text)

Page 31

CIP-006 REMAND

• NERC contends wiring is not included within the definition of Cyber Asset, so it should be excluded from CIP compliance measures.
• FERC states: "15. …We do not agree that the network cabling (i.e., wires) that gives a communication network its networking capability would be exempt from the CIP Reliability Standards…"
• CIP-006-6 language now includes protection for Cyber Asset cabling

Page 32

CIP-006-6 R1 Part 1.10 Alternative Controls

• End-to-end encryption examples:
  - Layer-2 IEEE 802.1AE MACsec GCM-AES-256 (e.g., switches)
  - Layer-2 intermediate encryption devices/appliances
  - Layer-3 IPsec
  - Not required, but recommended for encryption validation: e.g., FIPS 140-2 compliant; Common Criteria EAL4, EAL5
• Physical security control examples:
  - Special locks
  - Key control – authorized personnel
• Circuit monitoring with supplemental controls

Pages 33–37: (diagram slides, no text)

Page 38: (diagram slide, no text)

Page 39

YERSINIA (VLAN Exploit Tool)

Contrary to popular belief, VLANs were originally created as a network performance and organization feature, not a security feature.

• Dynamic Trunking Protocol (DTP) abuse
  o Cisco proprietary, no authentication; switches default to auto-negotiate, so an attacker can negotiate a trunk and sniff all VLAN traffic
• Trunking protocol (802.1Q and ISL) abuse
  o PVLAN hopping, double 802.1Q VLAN tagging
• VLAN Trunking Protocol (VTP) abuse
• Common Spanning Tree (CST) abuse
• Multiple other attacks
• Broadcast storm traffic has been known to disrupt layer-2 switches and misconfigure VLANs

http://www.yersinia.net/index.htm
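The double 802.1Q tagging attack listed above depends on the outer tag matching the trunk's native VLAN: the first switch strips that tag as ordinary native-VLAN traffic and forwards the frame with the inner tag still attached, so the next trunk delivers it into a VLAN the attacker was never a member of. The Python below is an added example, not part of the WECC slides and not Yersinia code. It builds two constructed frames (arbitrary MACs and payload) and shows how to pick the double-tagged one out of raw Ethernet bytes; the native VLAN value is an assumed trunk setting.

```python
"""Detect double 802.1Q tagging in raw Ethernet frames.

Added example; it is not part of the WECC slides and is not Yersinia code.
The two frames below are constructed by hand, and NATIVE_VLAN is an assumed
trunk setting.
"""
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (QinQ); walked the same way
NATIVE_VLAN = 1       # assumed native VLAN of the trunk under review


def parse_vlan_tags(frame: bytes):
    """Return (dst, src, vlan_ids outer->inner, ethertype, payload).

    Every consecutive 802.1Q/802.1ad tag after the MAC addresses is consumed,
    so a double-tagged frame yields two VLAN IDs.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vids, ethertype, frame[offset:]


def is_double_tag_attack(frame: bytes, native_vlan: int = NATIVE_VLAN) -> bool:
    """Classic VLAN-hopping shape: the outer tag equals the trunk's native VLAN
    (which the first switch strips) and a second tag remains underneath, so the
    inner VLAN ID decides where the next switch delivers the frame."""
    _, _, vids, _, _ = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with zero or more 802.1Q tags (PCP and DEI = 0)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# constructed sample frames (MACs and payload are arbitrary)
MAC_RTU = bytes.fromhex("001122334455")
MAC_ATTACKER = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19
SINGLE_TAGGED = build_frame(MAC_RTU, MAC_ATTACKER, [10], 0x0800, IPV4_STUB)
DOUBLE_TAGGED = build_frame(MAC_RTU, MAC_ATTACKER, [NATIVE_VLAN, 20], 0x0800, IPV4_STUB)


def audit(frames, native_vlan: int = NATIVE_VLAN):
    """Findings for frames that carry the double-tagging pattern."""
    findings = []
    for i, frame in enumerate(frames):
        _, src, vids, _, _ = parse_vlan_tags(frame)
        if is_double_tag_attack(frame, native_vlan):
            findings.append(
                f"frame {i}: src {src.hex(':')} carries tags {vids}; "
                f"outer tag is native VLAN {native_vlan}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit([SINGLE_TAGGED, DOUBLE_TAGGED]):
        print(finding)
```

On a real network the same check runs over frames read from a capture on the trunk. The preventive fix is to put the trunk's native VLAN on an unused ID and tag it (on Cisco IOS, `vlan dot1q tag native`), which removes the untagged path the attack relies on.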

Page 40

Trend: Legacy Networks to IP VPN

• Legacy SCADA networks
  o Radio and leased-line communication
  o RTUs serially connected to a radio modem or leased-line modem
  o Radio modem or leased-line modem connected to a Front End Processor (FEP) at the control station
• Secure IP VPN (vendors are pushing)
  o IP network communications
  o RTU connected to multi-homed and multi-protocol devices (MPLS/Frame/IP; fiber, Ethernet, VSAT)
  o Front End Processors are multi-homed, multi-protocol capable and scalable devices

Page 41: (diagram slide, no text)

Page 42: (diagram slide, no text)

Page 43

Legacy Networks to IP VPN - WHY?

• It's cheaper
  o One-to-one hardware solutions are more expensive
• It's scalable & reliable (redundancy)
  o Multi-homed, multi-protocol and network-agnostic systems are scalable, while eliminating single points of failure
• It's safer
  o VPN-IPsec, AES-256 versus unencrypted legacy serial communications
• It's still IP!
  o Susceptible to the same vulnerabilities plaguing traditional network architectures
  o We're not against it, we just need to check it

Page 44

Hacking Satellite

• Spanish cyber security researcher Leonardo Nve demonstrated at Black Hat the exploitation of satellite internet connections (i.e., gaining access to and impersonating legitimate users) using less than $75 worth of tools, which can be purchased on eBay:
  - (1) SkyStar 2 PCI satellite receiver card, an open source Linux DVB software application, and the free network data analysis tool Wireshark.

Page 45

EXTRA! EXTRA! Read all about it!

• US satellites hacked by Chinese military!
• The hacktivist group Anonymous hacks NASA satellite!
• Anonymous hacks Turkish satellite provider!
• Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China

Page 46

NERC Industry Advisories

• Remote Access Guidance
  o Use encrypted access controls for remote access
  o Use multi-factor authentication
  o Consider a proxy device as the VPN termination point
  o Implement logging and monitoring
  o etc.

Page 47

NERC Guidance

• Guidance for Secure Remote Access
  o Secure interactive remote access concepts
  o Security practices and proposed solutions for secure interactive remote access
  o Assessing the implementation of interactive remote access controls
  o Network architecture decisions

Page 48

CIP-005-5 R1 Part 1.1

• All Cyber Assets with routable connectivity shall reside within a defined ESP

Page 49

Measures (Part 1.1)

• List of BES Cyber Systems
• List of BES Cyber Assets within each BCS
• List of Protected Cyber Assets (associated assets)
• ESP network topology including subnets
• Cyber Asset IP addresses
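Part 1.1 and the high-watermark rule from page 22 both reduce to a question an auditor can answer from the Part 1.1 measures above: for each routable Cyber Asset, which defined ESP subnet does it sit in, and what is the highest-rated BCS in that ESP? The Python below is an added example, not WECC's audit tooling; the ESP names, subnets, asset records and impact ratings are constructed for illustration. It flags routable assets that fall outside every defined ESP and derives the impact rating each PCA inherits from the highest-rated BCS sharing its ESP.

```python
"""Part 1.1 residency check and high-watermark inheritance over a constructed inventory.

Added example; not WECC audit tooling. ESP names, subnets, asset records and
ratings are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IMPACT_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class CyberAsset:
    name: str
    ip: str
    kind: str                     # "BCA" or "PCA"
    bcs: Optional[str] = None     # BCS a BCA belongs to
    impact: Optional[str] = None  # declared impact rating of that BCS


# constructed ESP definitions: ESP name -> routable subnets inside the perimeter
ESPS = {
    "ESP-CC-1": [ipaddress.ip_network("10.10.1.0/24")],
    "ESP-SUB-7": [ipaddress.ip_network("192.168.7.0/27")],
}

# constructed inventory (the BCS / BCA / PCA lists an entity hands over for Part 1.1)
INVENTORY = [
    CyberAsset("EMS-SCADA-01", "10.10.1.10", "BCA", "BCS-EMS", "High"),
    CyberAsset("EMS-HIST-01", "10.10.1.20", "PCA"),
    CyberAsset("RTU-SUB7-A", "192.168.7.5", "BCA", "BCS-SUB7", "Medium"),
    CyberAsset("SUB7-JUMP", "192.168.7.9", "PCA"),
    CyberAsset("TEST-LAPTOP", "172.16.99.4", "BCA", "BCS-SUB7", "Medium"),
]


def esp_for(ip: str) -> Optional[str]:
    """Name of the ESP whose subnets contain ip, or None if it is outside every ESP."""
    addr = ipaddress.ip_address(ip)
    for esp, nets in ESPS.items():
        if any(addr in net for net in nets):
            return esp
    return None


def check_part_1_1(inventory):
    """Part 1.1 finding: routable Cyber Assets that do not reside within a defined ESP."""
    return [a.name for a in inventory if esp_for(a.ip) is None]


def esp_high_watermark(inventory):
    """Highest declared impact rating among the BCAs inside each ESP."""
    marks = {}
    for a in inventory:
        esp = esp_for(a.ip)
        if esp is None or a.kind != "BCA":
            continue
        if IMPACT_RANK[a.impact] > IMPACT_RANK.get(marks.get(esp), 0):
            marks[esp] = a.impact
    return marks


def pca_inherited_ratings(inventory):
    """Each PCA inherits the high-watermark rating of the ESP it sits in (None if outside every ESP)."""
    marks = esp_high_watermark(inventory)
    return {a.name: marks.get(esp_for(a.ip)) for a in inventory if a.kind == "PCA"}


if __name__ == "__main__":
    print("outside every ESP:", check_part_1_1(INVENTORY))
    print("ESP high watermarks:", esp_high_watermark(INVENTORY))
    print("PCA inherited ratings:", pca_inherited_ratings(INVENTORY))
```

The residency check is the one most entities can automate from their own asset lists; the inherited-rating output is what tells you which CIP-007 and CIP-010 obligations a historian or jump host picked up simply by being plugged into a High-rated ESP.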

Page 50

CIP-005-5 R1 Part 1.2

• External Routable Connectivity must be through an identified EAP

Page 51

External Routable Connectivity

• The definition of 'External Routable Connectivity' includes the term 'bi-directional': a 'bi-directional routable protocol connection'
• Systems behind a data diode do not have External Routable Connectivity

Page 52: (diagram slide, no text)

Page 53

Measures (Part 1.2)

• Network diagrams
• External routable communication paths
• List of all identified EAPs

Page 54

CIP-005-5 R1 Part 1.3

• Inbound and outbound access permissions must be applied, including a documented reason for access, and all other access denied

Page 55

Audit Approach (Part 1.3)

• Inbound and outbound access permissions must be configured for all EAPs
• Not required to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path
• EAP must incorporate an access control model that denies access by default

Page 56: CIP$101:(CIP$005$5(AuditApproach,(ESP(Diagrams,( …...2014/09/24  · CIP$005$5(R1(Requirements(Overview(• R1.(Each(Responsible(En@ty(shall(implementone(or(more(documented(processes(thatcollec@vely(include(each(of(the(applicable(requirement

Measures (Part 1.3)

• Established baseline
• Electronic Access Point(s) configuration(s)
• Utilize 'remark' type command



CIP-005-5 R1 Part 1.4

• Authentication is required for all Dial-up connectivity access, where technically feasible


Change Rationale (Part 1.4)

• Added clarification that dial-up connectivity should perform authentication so that the BES Cyber System is not directly accessible with a phone number only.



Audit Approach (Part 1.4)

• Authentication required for all dial-up accessible Cyber Assets
  o Secure modem with authentication feature (e.g., username, password)
  o Documented process describing how authentication is accomplished (e.g., dial-back, user challenge authentication, temporary modem plugin)

• Authentication – does not require multi-factor authentication as in Interactive Remote Access



CIP-005-5 R1 Part 1.5

• Having one or more methods for detecting malicious communications for inbound and outbound ESP traffic


CIP-005-5 R1.5 Change Rationale

• Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs.



Audit Approach (Part 1.5)

• Direction of the traffic monitored – both inbound and outbound traffic subject to the application of a malicious code detection mechanism

• Placement of malicious communications inspection – specific architecture and placement is not prescribed

• Number of malicious code detection mechanisms (e.g. IDS) – applicability is set at the EAP level

• Alerting is addressed through CIP-007-5 R4



CIP-005-5 R2.1

• Intermediate system(s) are required for Interactive Remote Access (IRA), to ensure direct access to Cyber Asset(s) is prohibited


R2.1 Audit Approach

• All Interactive Remote Access requires an Intermediate System that "proxies" all traffic into the ESP
  – No direct external access from client to internal BES Cyber Asset
  – Source IP address is the IP address of the intermediate system
  – NERC Remote Access guidance documentation

• System-to-system process communications are not considered IRA – can this communication be accessed for Interactive Remote Access?



CIP-005-5 R2.2

• Interactive Remote Access sessions must be encrypted and terminated at the intermediate system.


R2.2 Audit Approach

• Interactive Remote Access requires encryption from the remote client all the way to the intermediate system

• Interactive Remote Access is only allowed into the ESP from the source IP address of the intermediate system

• All intermediate system communications into the ESP must traverse an EAP prior to entry into the ESP

• Restrictive access controls must be defined for all traffic from the intermediate system into the ESP, and traffic must be unencrypted before entry into the ESP, to ensure data can be inspected
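An added example (not from the presentation or WECC) of how an auditor might script the checks from the Part 1.3 Measures and the R2.1/R2.2 Audit Approach against a captured EAP access list: every permit must carry a 'remark' documenting its reason, the list must end in an explicit deny-all, and interactive protocols may enter the ESP only from the Intermediate System's own source address. The ACL, addresses, and jump-host IP are constructed, and the set of "interactive" ports is an assumption.

```python
import re

# Constructed sample of a Cisco-style extended ACL as it might be captured from an EAP
# (hypothetical names and addresses; not from any real entity).
SAMPLE_ACL = """\
ip access-list extended ESP-INBOUND
 remark CR-1042 SCADA telemetry from historian (Modbus/TCP)
 permit tcp host 10.20.0.15 host 10.10.1.5 eq 502
 remark CR-1050 Interactive Remote Access from the jump host only
 permit tcp host 10.20.0.9 10.10.1.0 0.0.0.255 eq 3389
 permit tcp host 10.20.0.31 10.10.1.0 0.0.0.255 eq 22
 deny ip any any log
"""

INTERMEDIATE_SYSTEM = "10.20.0.9"   # hypothetical Intermediate System (jump host), R2.1
IRA_PORTS = {"22", "3389", "5900"}   # ports treated as interactive access (assumption)

PERMIT_RE = re.compile(r"permit tcp host (\S+) .* eq (\d+)(?: log)?$")

def audit_acl(text, intermediate_system=INTERMEDIATE_SYSTEM, ira_ports=IRA_PORTS):
    """Return a list of findings; an empty list means the ACL passed all three checks."""
    findings = []
    last_remark = None   # reason documented for the statement that follows
    last_rule = None     # final permit/deny statement seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list"):
            continue
        if line.startswith("remark"):
            last_remark = line[len("remark"):].strip()
            continue
        last_rule = line
        if line.startswith("permit"):
            # Part 1.3: each inbound/outbound permission needs a documented reason.
            if not last_remark:
                findings.append(f"no reason documented for: {line}")
            # R2.1/R2.2: interactive protocols may enter the ESP only from the
            # Intermediate System's own source address.
            m = PERMIT_RE.match(line)
            if m and m.group(2) in ira_ports and m.group(1) != intermediate_system:
                findings.append(f"IRA port {m.group(2)} permitted from {m.group(1)}, "
                                f"not the Intermediate System: {line}")
        last_remark = None   # a remark covers only the statement directly after it
    # Part 1.3: the access control model must deny everything not explicitly permitted.
    if last_rule is None or not last_rule.startswith("deny ip any any"):
        findings.append("ACL does not end with an explicit deny-all")
    return findings

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print(finding)
```

Run against the sample it reports the undocumented SSH permit from 10.20.0.31, which also fails the Intermediate System source check; a return-path rule for a stateful firewall need not appear in the list, consistent with the Part 1.3 audit approach.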



CIP-005-5 R2.3

• IRA requires multi-factor authentication


R2.3 Audit Approach

• Multi-factor authentication is required for all Interactive Remote Access

• Multi-factor authentication requires at least two of the following:
  – Something you have (tokens)
  – Something you know (passwords)
  – Something you are (biometrics)

• Multi-factor authentication is required at the intermediate system – this is in addition to external corporate VPN access authentication



References

• NERC Industry Advisory: Remote Access Guidance (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf

• NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf


Contact

Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683