Transcript
Page 1: WECC BCUC Session2 CIP-002-5.1 MockAudit SLC

Identifying & Auditing Low Impact BES Assets: A Mock Audit
BC Outreach Webinar: Session 2
Salt Lake City UT – January 9, 2018

Joseph B. Baugh, PhD, Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council

 

Page 2

Speaker Intro: Dr. Joseph Baugh
• Electrical Utility Experience (44+ years)
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM
  – Academic & Technical Course Teaching Experience (20+ years)
• Business Strategy, Leadership, and Management
• Information Technology, IT Security, and Project Management
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• CIP Compliance workshops and other outreach sessions

Western Electricity Coordinating Council

Page 3

Agenda      

• Review CIP-002-5.1 Requirements
• Review CIP-002-5.1 Team audit approach
• Defining the Inventory of BES Assets
• CIP-002-5.1 Mock Audit
  – Focus on Low Impact BES Assets
• Questions

Page 4

CIP-002-5.1 Overview
• CIP-002-5.1 is the first step on the CIP Compliance trail
• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1
• CIP-002-5.1 adds the DP function; the TSP function drops out
• Some entities may find they are only required to be compliant with CIP-002-5.1 (R1 & R2) and with CIP-003-5 (R1.2, R2, R3, & R4)
  – True, if the IRC application on the entity's inventory of BES Assets (see Part R1.i – R1.vi) generates null R1.1 & R1.2 lists
  – Must still provide a valid R1.3 list of Low Impact BES Assets
  – Typically requires a reduced scope audit that may be conducted on-site, at WECC offices, or other locations, as necessary

Page 5

CIP-002-5.1: Part R1.i – R1.vi
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
  – i. Control Centers and backup Control Centers;
  – ii. Transmission stations and substations;
  – iii. Generation resources;
  – iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  – v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  – vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
• May generate Low impact BES Assets for the R1.3 list under IRC 3.6

Page 6

CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets (see Part R1.i-R1.vi) for purposes of parts 1.1 through 1.3:

[Figure: R1 process flow]
  – R1 Process: Inputs: Inventory of BES Assets → Outputs: List of High, Medium, & Low Assets
  – R1.1–R1.2 Process (Identify BCS): Inputs: List of High & Medium Assets → Outputs: R1.1, R1.2 Lists
  – R1.3: Input: List of Low Impact Assets → Output: R1.3 List

Page 7

CIP-002-5.1 Requirements: R2
• Entity must review identifications made in R1 (and update them, if necessary) at least once every 15 calendar months [R2.1]
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3 & R4) must approve the initial lists [R2.2] and at least once every 15 calendar months thereafter:
  – The R1.1, R1.2, and R1.3 lists
  – Include signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above
  – Electronic or physical approvals accepted

[Figure: R2 Review & Approval Process: Inputs: R1.1, R1.2, R1.3 Lists → Outputs: Signed and Dated Records]

Page 8

WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all entities
• Start with the RSAW supplied by the entity as initial working papers to document the audit and findings
• Review the evidence to develop findings
• Submit data requests for more information, as needed

Page 9

WECC Evidence Review
• Review Initial Evidence package supplied by the entity in response to the Pre-Audit Request for Information [RFI]:
  – One-line diagrams
  – Specific CIP-002-5.1 evidentiary documents
• Documented process to identify and categorize the entity's BCS and BES Assets
• Implementation of the process (i.e., application of the IRC to the inventory of BES Assets to develop the lists)
• Reviewed and approved R1.1 – R1.3 lists
• Entity responses to data requests, as applicable

Page 10

CIP-002-5.1 Audit Team Approach
• Audit to the Standard
• Review the evidence:
  – Entity's documented process
  – Inventory of BES Assets
  – One-line diagrams
  – Application of the IRC
  – R1.1, R1.2, R1.3 lists
  – R2 records of current and prior approved versions of R1 & R2 documents (the bookends)
• DR for additional information, as needed
• Determine findings
• Complete the RSAW
• Develop the Audit Report

[Figure: CIP-002-5.1 R1/R2 audit flow]
1. Review entity's documented R1 process
2. Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi]
3. Are any BES assets rated for High or Medium BCS?
   – No: Place all Low BES assets on the R1.3 List
   – Yes: Evaluate High & Medium BES assets for all applicable BCS
4. Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset
5. Validate List of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the BES asset
6. Add BCS to the appropriate list: R1.1: High Impact BCS; R1.2: Medium Impact BCS
7. Are there more High or Medium BES assets?
   – Yes: Continue BCS evaluations (back to step 4)
   – No: Continue to R2
8. R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter
9. R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter
10. Entity applies CIP-003-5 through CIP-011-1 protections to the components of the three lists, as applicable

Page 11

Sample  One-­‐Line  Diagram  

Page 12

WECC Audit Team Approach
• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low impact BES Assets [R1.3], even if one or more of these lists are null
• Compare the lists against the one-lines and BES Asset inventory
• Hold interviews with the entity's CIP SMEs, if necessary
• If audit is on-site, perform site visits (Trust, but Verify)
• Validate annual approval documentation [R2]
• Submit DRs, as needed, to clarify compliance
• Determine findings (NF, PV, or OA)
• Discuss findings with entire Cyber Security Team
• Complete RSAW
• Prepare CIP audit report (ATL & CPC)

Page 13

Pre-Audit CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
  – [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
  – [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
  – [R1.3]: A list of identified Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the list reviews and CIP Senior Manager or delegate approvals of the identifications required by R1, even if such lists are null.

Page 14

CIP-101 Mock Audit Overview
• Compare inventory of BES Assets against current definition of Bulk Electric System as adopted by the BCUC (BCUC, 2015 July 24, Order RM-38-15, p. 15; see also NERC, 2016 May 17, Glossary of Terms, pp. 23-26; NERC, 2014 April, BES Definition Guidance Document, v2)
• Did the entity identify and document lists of High impact BCS [R1.1], Medium impact BCS [R1.2] and a list of Low impact BES Assets [R1.3] through an application of the Impact Rating Criteria [IRC] (BCUC, 2018 October 1, CIP-002-5.1: Attachment 1, pp. 14-16)?

Page 15

The Entity's BES Asset Identification
• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC
  – Starts with an overall Inventory of entity BES assets
  – Inventory is validated against the one-line diagram(s)
  – Apply the IRC to validate the R1.x lists

Page 16

Definition of Control Center
• One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of:
  – 1) a Reliability Coordinator,
  – 2) a Balancing Authority,
  – 3) a Transmission Operator for transmission Facilities at two or more locations, or
  – 4) a Generator Operator for generation Facilities at two or more locations. (NERC, 2016 May 17, Glossary of Terms, p. 33)

Page 17

Low IRC (Control Centers)

Page 18

IRC 2.5 - Medium or Low Impact

Page 19

IRC 2.5 and Generation Interconnections
• NERC Lessons Learned document (2015 Oct 1) discusses how Entities should consider generation lead lines or interconnection lines as they apply IRC 2.5
• A radial generator lead line with no network flows (i.e., no power would flow through the line if the generator is off-line) and with the sole purpose of connecting generator output to a networked Transmission system would not qualify as a Transmission Line to be included in the IRC AWV calculation
• May apply to standalone generation units and distributed generation Facilities
• Identify interconnection points in the analysis

Page 20

Low IRC (Transmission not in Section 2)

Page 21

Low IRC (Generation not in Section 2)

Page 22

Low IRC (Protection Systems)

Page 23

Low IRC (DP Systems)

Page 24

Audit Lists of High & Medium BCS
• Review the R1.1 list of High impact BCS
• Review the R1.2 list of Medium impact BCS
• For most entities in this session, both the R1.1 and the R1.2 lists will be null, but must be explicitly:
  – Reviewed by technical SMEs [R2.1], and
  – Approved by the CIP Senior Manager or delegate at least once every 15 calendar months [R2.2]

Page 25

Audit List of Low Impact BES Assets
• Review the R1.3 list of Low impact BES Assets
• Correlate this list against:
  – The entity's inventory of BES Assets
  – The entity's one-line diagram
• The entity must provide CIP-003-5 protections, as applicable, to its Low impact BES Assets

Page 26

Validate BES Asset Lists
• Review and compare the entity's one-line diagram to the current lists of BES Assets
• Did the results seem reasonable?
• Do the Transmission BES Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?

Page 27

Low impact BCS Security Controls
• Provide physical security protections at Low impact BES Assets, in accordance with R2.2 (BCUC, 2018 October 1, CIP-003-5, p. 5)
• Electronic Protections
  – If a Low impact BCS [LIBCS] is contained within a Medium BCS ESP, protect the LIBCS as PCA to the Medium BCS, as applicable
  – If a Low impact BCS has electronic access or dial-up connectivity, protect it with controls described in accordance with R2.3 (Ibid, p. 5)
• Future alert: Review NERC CIP-003-7 for physical and electronic access controls that may be implemented in the BCUC footprint (more on this in Session 3)

Page 28

R1.3 List of Low impact BES Assets
• R1.3 does not require discrete lists of Low impact BES Cyber Systems.
• However, R1.3 does require a list containing the name of "each asset that contains a low impact BES Cyber System."
  – This list should contain all generating plants, transmission stations, certain distribution stations, and certain "small" control centers that meet one or more of the Section 3 IRC and contain low impact BES Cyber Systems.

Page 29

R1.3 List of Low impact BES Assets
  – The entity should be prepared to demonstrate that all BES assets (locations) are accounted for on either the list of high impact, medium impact or low impact locations
  – The entity should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protections (per CIP-003-5 R2.2-R2.3)

Page 30

Comparing Low impact BES Assets
• Not all Low impact BES Assets are created equal
  – "Low impact" covers a wide range of BES locations and Facilities
  – Within "Low impact" there are potentially vastly different risks and impacts to the reliability of the BES.
  – The CIP Standards don't make a distinction between a "big" (i.e., more impactful) Low impact BES Asset and a "small" (i.e., less impactful) Low impact BES Asset
• Consider the following examples of IRC 2.1 (w/ net Real Power capability [NRPC] calculations and Aggregated Weighted Value [AWV]) and IRC 2.5 (w/ AWV calculations):

Page 31

IRC 2.1 Low-impact GO/GOP Examples

[Figure: three example Low-impact generation plants: NRPC = 30 MW, AWV = 0; NRPC = 1400 MW, AWV = 1400; NRPC = 2800 MW, AWV = 3900]

Page 32

IRC 2.5 Low-impact TO/TOP Examples

[Figure: three example Low-impact Transmission substations: AWV = 0; AWV = 2600; AWV = 5200 (line label: To SUB C)]

Page 33

Compliance & Audit Implications
• Random or statistical sampling of low impact assets for CIPv5 audit purposes is not appropriate when sampling for Low impact BES Asset site visits
• Expect the audit team to apply judgmental or non-statistical sampling based on the audit team's perception of risk and impact to the BES
  – Expect more audit attention at Low impact Transmission Facilities with larger impacts
  – Expect more audit attention at larger Low impact Generation plants than at smaller plants, particularly those that equal or exceed 1500 MW net Real Power capability, but which have been segmented to reduce the BCS impact rating under IRC 2.1

Page 34

Compliance & Audit Implications
• Expect more attention at any generation plant with >= 1500 MW NRPC, regardless of control system segmentation. The entity should be prepared to:
  – Demonstrate how the unit controls are segmented, including computer network diagrams, firewall configurations, data flow analysis, etc.,
  – Demonstrate the analysis of any common systems at the plant,
  – Explain the analysis and include both time-based and impact-based components, and
  – Facilitate site visits to any Generation plants with >= 1500 MW net Real Power capability.

Page 35

Compliance & Audit Implications
• Expect more attention at any Low impact Transmission substation with a significant number of 230kV and/or 345kV lines. The entity should be prepared to:
  – Demonstrate how IRC 2.5 was applied
  – Discuss all Transmission lines that were not calculated into the total AWV, e.g.:
    • Excluded as Radial lines serving only load, or
    • Classified as Generation Interconnection Facilities.
  – Facilitate potential site visits to any Transmission substations that have mixed BCS impact levels
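The IRC 2.5 aggregate weighted value (AWV) calculation discussed on pages 19, 30, 32 and 35, and the IRC 2.1 net Real Power capability (NRPC) test behind the "segmented plant" warning on pages 31, 33 and 34, are small enough to write down as working code. The block below is an added example prepared for this page; it is not WECC, BCUC or NERC material. It encodes the Criterion 2.5 weight table from CIP-002-5.1 Attachment 1 (200-299 kV: 700; 300-499 kV: 1300; 500 kV and above: 0, because those Facilities are already Medium under Criterion 2.4; below 200 kV: not counted), the "exceeding 3000" threshold, the "three or more other Transmission stations or substations" connectivity test, and the two exclusions the audit team asks about (radial lines serving only load, and generator lead lines classified as Generation Interconnection Facilities). For 2.1 it aggregates units per shared BCS group so that a >= 1500 MW plant whose BCS have been segmented below 1500 MW is flagged. All station and plant data are constructed, and treating an excluded line as not counting toward the three-station connectivity test is an assumption made here for illustration.

```python
"""IRC 2.5 (AWV) and IRC 2.1 (NRPC) worked calculations.

Added example for this page, not WECC, BCUC or NERC code. Weights and thresholds
are those printed in CIP-002-5.1 Attachment 1, Criteria 2.1 and 2.5; every station
and plant below is constructed for illustration.
"""
from dataclasses import dataclass

AWV_THRESHOLD = 3000       # Criterion 2.5: aggregate weighted value "exceeding 3000"
MIN_REMOTE_STATIONS = 3    # Criterion 2.5: tied at >= 200 kV to three or more other stations
NRPC_THRESHOLD_MW = 1500   # Criterion 2.1: "equal to or exceeding 1500 MW"


def line_weight(kv: float) -> int:
    """Per-line weight from the Criterion 2.5 table."""
    if kv < 200:
        return 0        # below 200 kV: not applicable
    if kv < 300:
        return 700      # 200 kV to 299 kV
    if kv < 500:
        return 1300     # 300 kV to 499 kV
    return 0            # 500 kV and above: already Medium under Criterion 2.4


@dataclass(frozen=True)
class Line:
    kv: float
    remote_station: str
    radial_load_only: bool = False   # radial line serving only load: excluded from the AWV
    generation_lead: bool = False    # radial generator lead, no network flow: excluded from the AWV

    def counts(self) -> bool:
        return self.kv >= 200 and not (self.radial_load_only or self.generation_lead)


def aggregate_weighted_value(lines) -> int:
    return sum(line_weight(ln.kv) for ln in lines if ln.counts())


def classify_irc_2_5(lines) -> dict:
    """Medium under 2.5 only if AWV > 3000 and the station ties to >= 3 other stations.

    Assumption made here: an excluded line does not count toward the three-station
    test either. Other Section 1 and 2 criteria are out of scope for this check.
    """
    counted = [ln for ln in lines if ln.counts()]
    awv = aggregate_weighted_value(lines)
    remotes = {ln.remote_station for ln in counted}
    is_medium = awv > AWV_THRESHOLD and len(remotes) >= MIN_REMOTE_STATIONS
    return {
        "rating": "Medium" if is_medium else "Low",
        "awv": awv,
        "remote_stations": len(remotes),
        "excluded_lines": len(lines) - len(counted),
        # The auditor's follow-up question: what would the AWV be if the exclusions were wrong?
        "awv_if_nothing_excluded": sum(line_weight(ln.kv) for ln in lines),
    }


@dataclass(frozen=True)
class BcsGroup:
    """Units whose shared BCS could, within 15 minutes, adversely impact all of them."""
    name: str
    unit_nrpc_mw: tuple


def classify_irc_2_1(groups) -> dict:
    """Plant-level 1500 MW test, then the per-shared-BCS 1500 MW test from Criterion 2.1."""
    plant_mw = sum(sum(g.unit_nrpc_mw) for g in groups)
    medium = [g.name for g in groups
              if plant_mw >= NRPC_THRESHOLD_MW and sum(g.unit_nrpc_mw) >= NRPC_THRESHOLD_MW]
    return {
        "rating": "Medium" if medium else "Low",
        "plant_mw": plant_mw,
        "medium_bcs_groups": medium,
        # >= 1500 MW plant with no shared BCS over the line: the segmentation the audit team will probe
        "segmented_plant": plant_mw >= NRPC_THRESHOLD_MW and not medium,
    }


# Constructed samples (hypothetical stations and plants, not the ones on the slides).
SUB_A = [Line(345, "SUB B"), Line(345, "SUB C")]
SUB_B = [Line(345, "SUB C"), Line(345, "SUB D"), Line(345, "SUB E"), Line(345, "SUB F")]
SUB_C = [Line(345, "SUB D"), Line(345, "SUB D"), Line(345, "SUB E"), Line(345, "SUB E")]
SUB_D = [Line(230, "SUB X"), Line(230, "SUB Y"), Line(230, "SUB Z"),
         Line(345, "PLANT 1 switchyard", generation_lead=True),
         Line(230, "LOAD TAP 7", radial_load_only=True)]
PLANT_SEGMENTED = [BcsGroup(f"Unit {n} DCS", (700,)) for n in range(1, 5)]
PLANT_SHARED = [BcsGroup("Common plant DCS", (700, 700, 700, 700))]
PLANT_SMALL = [BcsGroup("Unit 1 DCS", (30,))]

if __name__ == "__main__":
    for name, lines in [("SUB A", SUB_A), ("SUB B", SUB_B), ("SUB C", SUB_C), ("SUB D", SUB_D)]:
        print(name, classify_irc_2_5(lines))
    for name, plant in [("segmented", PLANT_SEGMENTED), ("shared", PLANT_SHARED), ("small", PLANT_SMALL)]:
        print(name, classify_irc_2_1(plant))
```

Run it as a script to print each sample's result. SUB_B and SUB_C carry the same 5200 AWV, but only SUB_B ties to three or more other stations, so only SUB_B lands on the R1.2 list; SUB_D stays Low at 2100 only because two lines were excluded, and the `awv_if_nothing_excluded` figure (4100) is the number to have ready when the audit team asks why those lines were left out. On the generation side, `segmented_plant` is True for the 2800 MW plant whose four unit DCSs are independent, which is exactly the case pages 33 and 34 say will draw a site visit.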

Page 36

R1: BES Asset List Review Questions
• Did the Entity apply the IRC appropriately?
• Did the Entity confer with its RC, PA, and/or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8 before moving them to the Low BES Asset list?
• Application Questions:
  – Did the Entity consider all BES asset types in R1.i through R1.vi?
  – Did the Entity review & evaluate all BES Assets through the IRC?
  – Did the Entity clearly identify and document all BES assets in the appropriate impact rating?
• Is any additional information necessary?

Page 37

The Entity's Review & Approval Process
• The next step in a CIP-002-5.1 audit is to determine if the entity reviewed the identifications of the lists created in R1, even if such lists are null.
  – R1.1 list of High BCS
  – R1.2 list of Medium BCS
  – R1.3 list of Low impact BES assets
• Review the signed and dated records of the CIP Senior Manager's or delegate's approval of the lists
  – Either electronic or "wet-ink" signatures are acceptable

[Figure: R2 Review & Approval Process: Inputs: R1.1, R1.2, R1.3 Lists → Outputs: Signed and Dated Records]

Page 38

R2: Annual Approval Review Questions
• Did the Entity review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?
• Did the Entity update the lists, as necessary?
• Did the Entity CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?
• Application Questions
  – Did the Entity provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DRs necessary?
  – If so, what additional information is required?

Page 39

A Word to the Wise
• The WECC CIP-002 team has noted several issues with R2 during transition period audits that generated either Recommendations or an Area of Concern [AoC]
• A Recommendation is a suggestion for improvement, but does not indicate a failure to comply
• An AoC related to CIP-002-5.1 R1 or R2 during a transition audit will likely be a Possible Violation [PV] after October 1, 2018
• Several Entities have prepared nicely defined signature blocks, but failed to cite or include the actual R1.1, R1.2, and R1.3 lists

Page 40

Key Issues from the Transition
• An Entity that only has Low-impact BES Assets [R1.3] should still evaluate its inventory of BES Assets against the IRC, and prepare, review, and approve:
  – A null list of High BCS [R1.1]
  – A null list of Medium BCS [R1.2]
• Be sure to implement your documented R1 process, review the resulting three lists, and have the CIP Senior Manager or delegate approve them at least once every 15 calendar months

Page 41

Lower-BCS Connection to Higher BCS
• Facilities may be owned by the same entity or different entities.
• If multiple entities are involved, identify the:
  – Point(s) of connection between the entities,
  – Entity responsible for compliance at/around the demarcation point, and
  – Entity responsible for CIP-006-5 physical security compliance.
• May involve EACMS or LEAP depending on impact ratings and connectivity characteristics.
• Protect all BCS, as applicable.

Page 42

Substation BCS Segmentation
• Reference Model – 7 (NERC, CIP-003-6, Guidelines and Technical Basis, p. 37) provides an illustration of mixed-impact BCS within a single BES Asset boundary.

Page 43

Connecting Low-impact BES Assets
• No "Backcasting" impact levels.
• Similar to the Far-end Relay Lesson Learned.
• Consider all communications paths.
• BCA/BCS Owners are obligated to comply with the applicable CIP Standards
  – Performance may be delegated via an operating agreement or other clearly defined binding agreement

Page 44

Value-Added Activity: Feedback
• WECC Audit Teams never prescribe solutions, but we do:
  – Brief entities on findings
  – Encourage good security practices
  – Discuss examples of industry best practices
  – Provide Recommendations and suggestions for improvement, when appropriate
  – Identify any AoC, which may not currently be violations, but may become a Possible Violation [PV] in a future audit, if not addressed
• Support development of a sustainable compliance culture


Page 45:

Additional Audit Team Member Activities

• Available to address and respond to Entity questions/comments

• Participate in WECC Entity outreach activities:
– Semi-annual Compliance Workshops (next one in Boise ID),
– Monthly Open Webinars, and
– Special events such as this event.

• Work at National level:
– CCTF,
– Standard Drafting Team,
– Comment on new Standards and guidance documents,
– Run CIP pilot studies, and
– Attend and present at Cyber Security Conferences, Regional, National, and International Outreach events.


Page 46:

Summary

• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid report
• Be available to CIP personnel at the entities
• Work at National level


Page 47:

Remember the Auditor’s Mission


Just the facts, Ma’am,

Just the facts!


Page 48:

References

• BCUC. (2015 July 24). Order R-38-15. Retrieved from http://www.bcuc.com/Documents/Orders/2015/DOC_44244_R-38-15_BCH_MRS_RPT_8.pdf

• BCUC. (2018 October 1). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from https://www.wecc.biz/Reliability/CIP-002-5.1.pdf

• BCUC. (2018 October 1). CIP-003-5 – Cyber Security — Security Management Controls. Retrieved from https://www.wecc.biz/Reliability/CIP-003-5.pdf


Page 49:

References

• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/RAPA/BES%20DL/bes_phase2_reference_document_20140325_final_clean.pdf

• NERC. (2016 May 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf


Page 50:

Speaker Contact Information

Joseph B. Baugh, Ph.D., MBA
PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
jbaugh (at) wecc (dot) biz
(C) 520.331.6351
(O) 360.600.6631
