
CIP-003-7 R2 Section 2 Physical Security Controls
August 7, 2019
Joshua Rowe, PSP
Compliance Auditor, Physical and Cyber Security

About the Presenter
Joshua Rowe, PSP
• WECC Auditor, Physical and Cyber Security
• SME CIP-006, CIP-008, CIP-014
• 15+ years Law Enforcement, Physical Security, and Critical Infrastructure Experience
• United States Marine Corps (Retired)
  • Military Police Officer
  • Criminal Investigator
  • Physical Security Program Senior Advisor
  • Installation Physical Security Senior Advisor
  • Physical Security Inspector, USMC Inspector General’s Office

Agenda
• Rationale
• Implementation Dates
• Site visits
• Physical Security Controls
• Audit approach
• Common Questions
• Summary

Objective
To review CIP-003-7 Attachment 1 Section 2 pursuant to Physical Security Controls for low impact BES Cyber Systems.

CIP-003-7 R2 Rationale
In response to FERC Order No. 791, Requirement R2 requires entities to develop and implement cyber security plans to meet specific security control objectives for assets containing low impact BES Cyber Systems. The cyber security plan(s) covers four subject matter areas: (1) cyber security awareness; (2) physical security controls; (3) electronic access controls; and (4) Cyber Security Incident response. This plan(s), along with the cyber security policies required under Requirement R1, Part 1.2, provides a framework for operational, procedural, and technical safeguards for low impact BES Cyber Systems.

Implementation Plan Dates
Standard/Requirement | Implementation Dates: CIP-003-7 | Compared to CIP-003-6
CIP-002-5.1 R1 & R2 BES Cyber System Categorization | 7/1/2016 |
CIP-003-7 Security Management Controls | 1/1/2020 | 7/1/2016
CIP-003-7 R1.1 Policies for high & medium impact BCS | 7/1/2016 | 7/1/2016
CIP-003-7 R1.2 Policies for assets containing low impact BCS | 1/1/2020 | 4/1/2017
CIP-003-7 R2 Implement Sections 1–5 | |
CIP-003-7, Att 1, Section 1 Cyber Security Awareness | 4/1/2017 | 4/1/2017
CIP-003-7, Att 1, Section 2 Physical Security Controls | 1/1/2020 | 9/1/2018
CIP-003-7, Att 1, Section 3 Electronic Access Controls | 1/1/2020 | 9/1/2018
CIP-003-7, Att 1, Section 4 Cyber Security Incident Response | 4/1/2017 | 4/1/2017
CIP-003-7, Att 1, Section 5 Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation | 1/1/2020 | n/a
CIP-003-7 R3 Identify a CIP Senior Manager | 7/1/2016 | 7/1/2016
CIP-003-7 R4 Delegate CIP Senior Manager authority | 7/1/2016 | 7/1/2016

Low Impact Site Visits
If an audit has an on-site portion, site visits may be scheduled.
▪ Random or statistical sampling is not appropriate when sampling for low impact BES asset site visits
▪ Expect the audit team to use non-statistical sampling in accordance with NERC guidelines based on the audit team's perception of risk and impact to the BES:
  • More attention at low impact Transmission stations with larger impacts (multiple 230kV/345kV lines)
  • Larger Generation plants (e.g., those that are near that 1500 MW net Real Power capability but have been segmented)
  • BES assets with mixed impact levels

Language of the Standard
CIP-003-7 Attachment 1 Section 2
Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Control Physical Access
“Each Responsible Entity shall control physical access,…”
Example controls may include:
• Mechanical
• Electronic
• Monitoring
• Operational/procedural
• Technical controls
“Documentation must reflect implementation”

Mechanical Access Controls
• Physical hard keys
• Requires strict key management plan
• Perimeter barriers
• Chain-link, mini mesh, anti-cut/climb fence
• Pedestrian barriers
• Turnstiles
• Vehicle barriers
• Entry control point

Access Controls
Physical Access Control Systems (PACS)
• Genetec
• CCure
• Lenel
• Prowatch
Best if used with:
• Door position sensors
• Motion detectors
• Video surveillance

Monitoring Controls
• Monitoring Controls
  • Alarm system
  • Human Observation
Factors for consideration when employing monitoring controls include:
• Personnel
• Training
• 24/7 operations

The power of “and”
• Access Control – or – Monitoring
  • A single point of failure
  • Inherently weak control scheme
  • No margin of error
• Access Control – and – Monitoring
  • Built-in redundancy for enhanced security and compliance
  • Complementary controls offer resiliency to failures and unforeseen events

Based on need
“…based on need as determined by the Responsible Entity,...”
Entities must define the need for access
• Can be documented at the policy level
• Must be specific to low impact BES Cyber Systems
• Includes methods to grant or revoke access

Asset or Location
“…to (1) the asset or the locations of the low impact BES Cyber Systems within the asset,...”
• Asset
• Protect the low impact BES Cyber System itself
• Location
• Protect the entire site
“Layered physical security is recommended”

Layered Physical Security
• CIP-003-7 requires one or more controls… However:
  • Multiple concentric layers of protection are better
  • Multiple differing and complementary controls are optimal
“It is okay to go above and beyond”

Electronic access controls
“…and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.”
Guidelines and Technical Basis
“If these Cyber Assets implementing the electronic access controls are located within the same asset as the low impact BES Cyber Asset(s) and inherit the same physical access controls and the same need as outlined in Section 2, this may be noted by the Responsible Entity in either its policies or cyber security plan(s) to avoid duplicate documentation of the same controls.”

Elements of success
• Use differing and complementary controls if possible
  • Locks with new lock cylinders
  • Door position sensors
  • Motion detectors
  • Video surveillance
• Strong key management plans include
  • Complete baseline of new lock cylinders
  • Use highest security locks possible
  • Minimal distribution
  • Key issuance and retrieval
  • Requirements and procedures for rekey
  • Key inventory
• Implement best practices
• Detailed documentation

Acceptable Evidence
• Cyber security policy or policies
• Physical security plans
• Physical security procedures
• Physical security control diagrams
“Aim for sound physical security practices, and be mindful of compliance obligations.”

Common Questions
Q: How many keys must be lost before rekeying is necessary?
A: A single lost key is a compromised lock. The key management program should identify incidents that require a rekey.
Q: If a broken lock is discovered, do we have a violation?
A: Maybe. Does the entity have additional means of verifying no physical access occurred?

Common Questions
Q: After 1/1/2020, would an entity be expected to file a Self-Report if someone breaches their physical security control (i.e., fence line)?
A: Maybe. Is this the only control?
Q: What is a reasonable timeline to repair a fence?
A: Resource dependent; however, if this is the only control, supplemental controls must be employed in the interim to “control physical access.”

Review
• Entities must implement physical security controls on or before January 1, 2020
• Entities must document physical security controls in one or more physical security plan(s)
• One or more physical access control(s) are required to protect low impact BES Cyber Systems
• Site visits may be required during an audit

For CIP Questions