Explore the Implicit Requirements of the NERC CIP RSAWs

Karl Perman, VP Member Services, EnergySec
Shreyank Shrinath Kamat, Product Manager, MetricStream

© 2015 MetricStream, Inc. All Rights Reserved.

Uploaded by energysec, posted 07-Apr-2017

TRANSCRIPT

Page 1: Explore the Implicit Requirements of the NERC CIP RSAWs

Karl Perman, VP Member Services, EnergySec

Shreyank Shrinath Kamat, Product Manager, MetricStream

Page 2: Agenda

• RSAW format
• Implicit requirements of CIP RSAWs
• Leveraging technology for RSAW management
• Q&A

Page 3: BACKGROUND

© 2015 Energy Sector Security Consortium, Inc.

Page 4: RSAW Template

• Identifying Information
 – Standard, Entity, Names of Auditors, etc.
• Applicability of Requirements by Functional Model
• Color-coded – Fixed text, Entity-supplied information, Auditor-supplied information
• Findings
 – Areas of Concern, Recommendations, Positive Observations

Page 5: RSAW Template (continued)

• Entity’s Subject Matter Experts
• Requirement and Measures
• Questions
 – Space for entity response, may reference other documents
• Compliance Narrative
• Evidence
 – Documents and descriptions
• Guidance & Questions for Auditors

Page 6: (image only; no text on slide)

Page 7: Standard Drafting Team

• CIP V5 Transition FAQ, Response to Comments
• “It is inappropriate to suggest that there is an implicit requirement or an inherent requirement that must be complied with as requirements can only be explicit.”

Page 8: Actual Auditors

• Lew Folkerth, Reliability First
 – SPP RE CIP Workshop, June 2, 2015
  • http://www.spp.org/documents/28852/2015%20cip%20workshop%20materials.pdf
 – RF Newsletter, Issue 3
  • https://www.serc1.org/docs/default-source/outreach/communications/resource-documents/serc-transmission-reference/201507---st/cip-v5-rsaw---rf-newsletter-article.pdf?sfvrsn=2
• Kevin Perry, SPP
 – CIP Compliance Workshop, June 3, 2015
• Wayne Lewis, NPCC
 – CIP Compliance Seminar, 3/24/15
  • https://www.npcc.org/Compliance/CIP%20Seminars/Spring%202015%20CIP-010-2.pdf

Page 9: IMPLICIT REQUIREMENTS

Page 10: Update Policies

• CIP-003-6
• Review and obtain CIP Senior Manager approval for policies
• “The SDT received comments that Requirements R1 and R2 require annual review of the policy, but never explicitly require the policy to receive updates as a result of that review. The SDT believes this is implicit in the Requirement, and updates would occur as part of an entity’s ongoing compliance with the Requirement.”
 – http://www.nerc.com/pa/Stand/Project%20200806%20Cyber%20Security%20Order%20706%20DL/Consideration_of_Comments_to_draft_3_102612_final.pdf

Page 11: Shared Compliance Responsibility

• Asset name or designation
• Formal agreement describing shared compliance responsibility

Page 12: Classify assets

• CIP-002-5 requires entities to classify BES Cyber Systems
• A BES Cyber Asset will “adversely impact one or more Facilities, systems, or equipment”
• Classify assets as High, Medium, or Low; BES Cyber Assets are then the Cyber Assets that affect those assets, and they take their rating from the asset they affect

Page 13: Cyber Assets

• CIP-002 never explicitly says to identify (list) Cyber Assets
 – Need a list of Cyber Assets to show that all that should be BES Cyber Assets were identified as such

Page 14: Identify PCA

• CIP-005-5 R1 Part 1.1
• Cyber Assets connected to a network via routable protocol shall reside within a defined ESP
 – Applicable Systems
  • PCA Associated with High or Medium Impact BCS
• Need to identify PCA
 – Auditors will likely want to audit a sample of PCA, so you need a list of PCA

Page 15: Verify PCA

• “After the ESP is defined, verify the “implied” requirement of identifying any PCA within the ESP has been completed”
• Have a process
• Use that process

Page 16: ESP Process

• “Verify the Responsible Entity has documented one or more process(es) which require all applicable Cyber Assets connected to a network via a routable protocol to reside within a defined ESP.”
 – RSAW CIP-005-5
• “In order to verify that each Cyber Asset residing within a defined ESP has been identified as either a BES Cyber Asset or as a PCA, it may be necessary to examine the ESP and conduct an inventory of network connections within the ESP.”
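Slides 12 through 16 add up to three lists the entity must be able to produce on demand: the Cyber Asset inventory, the BES Cyber Asset classification, and the PCA list for each ESP, with every PCA carrying the impact rating of the BCS it is associated with. An auditor who walks the ESP will compare what is actually plugged in against those lists. The Python below is an added example, not the presenters’ or MetricStream’s code: it reconciles a constructed switch MAC/ARP export for one ESP against a constructed declared asset list, reports any connected device that is neither BCA nor PCA (the gap the RSAW language is aimed at), reports declared assets that are no longer seen (stale inventory), and derives the inherited impact rating for each PCA. All names, addresses, ESP and BCS identifiers are made up.

```python
"""Reconcile what is connected inside an ESP against the declared
CIP-002 / CIP-005 asset lists. Added example with constructed data;
not the presenters' or MetricStream's code."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed "network inventory" of an ESP, as exported from the ESP
# switch's MAC/ARP tables or a passive capture (hypothetical data).
ESP_NETWORK_INVENTORY = """\
esp_id,ip,mac
ESP-SUB1,10.10.1.10,00:11:22:33:44:10
ESP-SUB1,10.10.1.11,00:11:22:33:44:11
ESP-SUB1,10.10.1.20,00:11:22:33:44:20
ESP-SUB1,10.10.1.99,00:11:22:33:44:99
"""

# Constructed declared asset list: what the entity says is in the ESP.
# kind is BCA (BES Cyber Asset) or PCA (Protected Cyber Asset).
# A PCA has no impact rating of its own; it is associated with a BCS.
DECLARED_ASSETS = """\
name,ip,mac,kind,bcs,impact
RTU-01,10.10.1.10,00:11:22:33:44:10,BCA,BCS-SUB1,Medium
HMI-01,10.10.1.11,00:11:22:33:44:11,BCA,BCS-SUB1,Medium
PRINTER-01,10.10.1.20,00:11:22:33:44:20,PCA,BCS-SUB1,
OLD-HMI,10.10.1.30,00:11:22:33:44:30,BCA,BCS-SUB1,Medium
"""


@dataclass
class Finding:
    severity: str   # "gap" = an auditor would flag it; "stale" = housekeeping
    message: str


def parse_csv(text: str) -> List[Dict[str, str]]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, row.split(","))) for row in lines[1:]]


def reconcile(network_csv: str, declared_csv: str) -> List[Finding]:
    """Compare observed devices against the declared list, in both directions."""
    observed = parse_csv(network_csv)
    declared = parse_csv(declared_csv)
    by_mac = {a["mac"].lower(): a for a in declared}
    bcs_impact = {a["bcs"]: a["impact"] for a in declared if a["kind"] == "BCA"}
    findings: List[Finding] = []
    seen = set()
    for dev in observed:
        mac = dev["mac"].lower()
        seen.add(mac)
        asset = by_mac.get(mac)
        if asset is None:
            # The implied CIP-005 R1.1 requirement: everything inside the
            # ESP must be identified as a BCA or a PCA. This one is neither.
            findings.append(Finding("gap", f"{dev['esp_id']}: {dev['ip']} ({mac}) "
                                    "connected but not declared as BCA or PCA"))
            continue
        if asset["ip"] != dev["ip"]:
            findings.append(Finding("gap", f"{asset['name']}: declared IP {asset['ip']} "
                                    f"but observed {dev['ip']}"))
        if asset["kind"] == "PCA" and asset["bcs"] not in bcs_impact:
            # A PCA inherits its rating from its BCS; an unknown BCS means no rating.
            findings.append(Finding("gap", f"{asset['name']}: PCA associated with "
                                    f"unknown BCS {asset['bcs']}"))
    for asset in declared:
        if asset["mac"].lower() not in seen:
            findings.append(Finding("stale", f"{asset['name']} ({asset['kind']}) declared "
                                    "but not observed on the ESP network"))
    return findings


def pca_with_inherited_impact(declared_csv: str) -> Dict[str, str]:
    """Return {PCA name: inherited impact rating}, the list an auditor samples from."""
    declared = parse_csv(declared_csv)
    bcs_impact = {a["bcs"]: a["impact"] for a in declared if a["kind"] == "BCA"}
    return {a["name"]: bcs_impact.get(a["bcs"], "UNKNOWN")
            for a in declared if a["kind"] == "PCA"}


if __name__ == "__main__":
    for f in reconcile(ESP_NETWORK_INVENTORY, DECLARED_ASSETS):
        print(f"[{f.severity}] {f.message}")
    print(pca_with_inherited_impact(DECLARED_ASSETS))
```

Run against the constructed data, the check reports 10.10.1.99 as connected but undeclared (the finding an auditor would write up as an unidentified Cyber Asset inside the ESP) and OLD-HMI as declared but absent, and lists PRINTER-01 as a Medium Impact PCA because its BCS is Medium. Matching on MAC rather than IP is a deliberate choice: it is the identifier a switch export actually gives you, and an IP mismatch then becomes its own finding instead of hiding the device.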

Page 17: Transient Cyber Assets and Removable Media

• Evidence that Transient Cyber Assets and Removable Media have been connected for 30 calendar days or less
 – Record of connection and disconnection
• Evidence they have been utilized as authorized
 – Record who used them
 – Record where used
 – Record purpose
• Record of review of Transient Cyber Assets managed by third parties
• Record of Transient Cyber Asset patching if used to mitigate vulnerabilities
• Record of anti-malware signature file updates if used to mitigate introduction of malware
• Record of scans or other methods to detect and remove malicious code before introducing Removable Media into the Electronic Security Perimeter
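The evidence items on this slide amount to a connection log with a few mandatory fields, and the 30-day limit is something you can test mechanically before the auditor does. The Python below is an added example, not the presenters’ or MetricStream’s code: over constructed connection records it flags any Transient Cyber Asset connected for more than 30 calendar days (a still-open connection is measured up to an “as of” date), records missing the who/where/purpose fields needed to show use as authorized, and third-party-managed devices with no review record. The `managed_by` field and the review table are assumptions about how the entity keeps its records, and the day count treats the connection date as day 1; confirm that counting convention with your Regional Entity.

```python
"""Check Transient Cyber Asset (TCA) connection records against the
evidence items an auditor will ask for. Added example with constructed
records; not the presenters' or MetricStream's code."""
from datetime import date
from typing import Dict, List

MAX_CALENDAR_DAYS = 30

# Constructed connection log. An empty 'disconnected' means still attached.
CONNECTION_LOG = [
    {"tca": "LAPTOP-ENG-07", "managed_by": "entity", "connected": "2015-05-01",
     "disconnected": "2015-05-03", "user": "j.doe", "location": "SUB1 ESP",
     "purpose": "relay settings download"},
    {"tca": "LAPTOP-VENDOR-02", "managed_by": "third_party", "connected": "2015-04-01",
     "disconnected": "2015-05-15", "user": "vendor-tech", "location": "SUB1 ESP",
     "purpose": "firmware upgrade"},                      # 45 days: over the limit
    {"tca": "LAPTOP-ENG-09", "managed_by": "entity", "connected": "2015-06-10",
     "disconnected": "", "user": "", "location": "CC ESP",
     "purpose": "HMI troubleshooting"},                   # still open, no user recorded
]
# Constructed review records for third-party-managed TCAs (assumed format).
THIRD_PARTY_REVIEWS = {"LAPTOP-VENDOR-02": "2015-03-30"}


def calendar_days(connected: str, disconnected: str, as_of: str) -> int:
    """Inclusive calendar-day span; an open connection runs up to `as_of`.
    Assumption: the day of connection counts as day 1."""
    start = date.fromisoformat(connected)
    end = date.fromisoformat(disconnected) if disconnected else date.fromisoformat(as_of)
    return (end - start).days + 1


def check_tca_records(log: List[Dict[str, str]], reviews: Dict[str, str],
                      as_of: str) -> List[str]:
    """Return one issue string per evidence gap found in the log."""
    issues: List[str] = []
    for rec in log:
        days = calendar_days(rec["connected"], rec["disconnected"], as_of)
        if days > MAX_CALENDAR_DAYS:
            state = "still connected" if not rec["disconnected"] else "connected"
            issues.append(f"{rec['tca']}: {state} {days} calendar days "
                          f"(> {MAX_CALENDAR_DAYS}); exceeds the TCA window")
        for field in ("user", "location", "purpose"):
            if not rec[field]:
                issues.append(f"{rec['tca']}: missing '{field}' "
                              "(cannot show use as authorized)")
        if rec["managed_by"] == "third_party" and rec["tca"] not in reviews:
            issues.append(f"{rec['tca']}: third-party managed, no review record")
    return issues


if __name__ == "__main__":
    for line in check_tca_records(CONNECTION_LOG, THIRD_PARTY_REVIEWS, "2015-07-20"):
        print(line)
```

The open-connection case is the one worth keeping: a device that is still plugged in on the audit date has no disconnection record, so a check that only looks at closed records never sees the overrun.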

Page 18: Configuration Change Management

• CIP-010-2 R1.4
 – 1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
 – 1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
 – 1.4.3. Document the results of the verification.
• Should have test procedures documented

Page 19: Test Configuration Changes

• CIP-010-2 R1.5
• Identify configuration of test environment
• Identify how test environment differs from production environment
 – High Impact BCS

Page 20: CIP-010-2 R1.5 (continued)

Where technically feasible, for each change that deviates from the existing baseline configuration:

1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.

• Document which identifies devices and configurations in a test environment

CIP-010-2
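R1.4 on slide 18 is a three-step loop: pick the CIP-005/CIP-007 controls the change could touch, verify them after the change, and write the result down. The most repeatable way to do 1.4.2 is to snapshot the CIP-010 R1.1 baseline elements those controls depend on (OS, installed software, applied patches, logically accessible ports) before and after the change and diff them, then compare the diff against what the change was authorized to do. The Python below is an added example, not from the presentation or any product: with constructed before/after baselines for one host and a constructed change record, it derives the 1.4.1 control list from the change’s declared scope, diffs the baselines, tags each deviation with the control it bears on, and emits a 1.4.3 record that fails both when something changed that was not authorized and when an authorized change did not actually land. The element-to-control mapping is a simplification and an assumption; use the entity’s own control matrix.

```python
"""CIP-010 R1.4-style verification: diff pre/post baselines and map each
deviation to the CIP-005/CIP-007 control it could affect. Added example
with constructed baselines; not the presenters' or MetricStream's code."""
from typing import Dict, List, Set

# Simplified mapping from CIP-010 R1.1 baseline element to the controls whose
# verification it feeds. Assumption for illustration; use the entity's matrix.
ELEMENT_TO_CONTROLS = {
    "os":       ["CIP-007 R2 (security patch management)"],
    "software": ["CIP-007 R3 (malicious code prevention)"],
    "patches":  ["CIP-007 R2 (security patch management)"],
    "ports":    ["CIP-007 R1 (ports and services)",
                 "CIP-005 R1.3 (EAP access permissions)"],
}

# Constructed baselines for one Medium Impact BCS host, before and after a change.
BEFORE = {
    "os": "Windows Server 2012 R2",
    "software": {"ScadaHMI 4.2", "McAfee VSE 8.8"},
    "patches": {"KB3000061", "KB3011780"},
    "ports": {"tcp/102", "tcp/502", "tcp/3389"},
}
AFTER = {
    "os": "Windows Server 2012 R2",
    "software": {"ScadaHMI 4.3", "McAfee VSE 8.8"},
    "patches": {"KB3000061", "KB3011780", "KB3045999"},
    "ports": {"tcp/102", "tcp/502", "tcp/3389", "tcp/8080"},   # nobody authorized this
}
# Constructed change record: the (element, deviation) pairs the change was approved to produce.
CHANGE = {
    "id": "CHG-0421",
    "expected": {
        ("software", "removed ScadaHMI 4.2"),
        ("software", "added ScadaHMI 4.3"),
        ("patches", "added KB3045999"),
    },
}


def controls_in_scope(change: Dict) -> Set[str]:
    """R1.4.1: controls that could be impacted, derived from the declared change scope."""
    return {c for element, _ in change["expected"] for c in ELEMENT_TO_CONTROLS[element]}


def diff_baselines(before: Dict, after: Dict) -> List[Dict]:
    """Every deviation between two baselines, tagged with the controls it bears on."""
    deviations = []
    for element in ("os", "software", "patches", "ports"):
        b, a = before[element], after[element]
        if isinstance(b, str):                      # single-valued element
            if b != a:
                deviations.append({"element": element, "change": f"{b} -> {a}",
                                   "controls": ELEMENT_TO_CONTROLS[element]})
            continue
        for item in sorted(a - b):
            deviations.append({"element": element, "change": f"added {item}",
                               "controls": ELEMENT_TO_CONTROLS[element]})
        for item in sorted(b - a):
            deviations.append({"element": element, "change": f"removed {item}",
                               "controls": ELEMENT_TO_CONTROLS[element]})
    return deviations


def verify_change(before: Dict, after: Dict, change: Dict) -> Dict:
    """R1.4.2 and R1.4.3: compare observed deviations to the authorized ones and record it."""
    observed = {(d["element"], d["change"]): d for d in diff_baselines(before, after)}
    unexpected = [d for key, d in observed.items() if key not in change["expected"]]
    missing = sorted(key for key in change["expected"] if key not in observed)
    return {
        "change_id": change["id"],
        "controls_assessed": sorted(controls_in_scope(change)),
        "unexpected_deviations": unexpected,
        "expected_but_absent": missing,
        "result": "PASS" if not unexpected and not missing else "FAIL",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(verify_change(BEFORE, AFTER, CHANGE), indent=2))
```

On the constructed data the record fails because tcp/8080 opened without authorization, which is exactly the kind of CIP-007 R1 deviation a software upgrade can introduce without anyone noticing; the same function run with an unchanged "after" baseline also fails, on the expected-but-absent side, so "the change did not apply" is recorded rather than silently passing. Keep the raw before/after snapshots with the record, since they are the evidence for 1.4.3.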

Page 21: Leveraging Technology for RSAW management

Shreyank Shrinath Kamat, Product Manager, MetricStream

Page 22: Key Components: NERC Compliance Management

Page 23: A Robust & Flexible Information Model

Page 24: Setup Content (CIP standards, requirements, controls etc.)

Structure a logical compliance hierarchy, including Areas of Compliance, Standards, Requirements, Controls and Assets.

Configure workflows for managing both internal and external standards, mapping regulations, developing controls, performing compliance audits, preparing and implementing action plans, and identifying and remedying issues.

(Diagram labels: GRC Library; Areas of Compliance; Standards; Requirements; Controls; Assets; Questions and Procedures)

Page 25: Update Content (Regulatory Changes)

Regulatory Alert Interpretation workflow:
• Create Channel
• Subscribe Channel
• Filter Alerts
• Act on Alerts
• Track Issues

Page 26: Test Cyber Security Management Controls

• Define and Manage Controls to protect Cyber Assets
• Manage Password Changes to CCAs
• Perform Control Assessments on a regular basis
• Control Tests to identify strength of controls
• Notifications to appropriate officers
• Logs and audit trail maintenance
• Equivalent to Self Correcting Process Improvement mentioned in Version 5

Page 27: Issue Remediation

Workflow: Review & Approve Issues; Create Remediation Plans; Implement Planned Actions; Monitor & Approve Actions; Close Issue

• Review and approve issues that arise from tests, self-assessments and certifications.
• Define one or more Action/Remediation plans to
• Document the work done and results and send the implemented Actions for review and approval.
• Monitor the status and progress of issues and implementation of remediation plans.
• Close issues after all the action plans are implemented and approved.

Page 28: Surveys and Certifications

Workflow: Create Questionnaire; Initiate Surveys or Certifications; File Responses; Certify & Sign-Off; Log Findings & Issues

• Create sections and add questions manually or from the GRC library under every questionnaire.
• Initiate a Survey or a Certification by choosing a questionnaire and selecting respondents and approvers.
• File responses or collaborate with other respondents on responses.
• Collate the Survey responses, approve and sign off the assessments and key compliance program data.
• Add Findings/Issues to capture non-conformance.

Page 29: RSAW Management

Workflow: Initiate Survey using in-built CIP questionnaires; Record Responses; Attach Evidence; Populate Survey Response into RSAW template; Generate RSAW

• Select a CIP questionnaire and initiate a survey to one or more users.
• File responses or collaborate with other respondents on responses.
• Attach evidence to the survey from the GRC library, from a previous survey, or from the local system.
• Select the survey response and populate it into the in-built RSAW template.
• Generate and download the completed RSAW in Word format for editing.

Page 30: Enforce Policies to Effectively Manage Compliance

• Creation, Storage, Organization, Search
• Creation, Review, Approval
• Mapping to Risks and Controls
• Alerts and Notifications
• Awareness and Training
• Tracking and Visibility
• Policies & Procedures for implementing a physical security program
• Setting prerequisites for granting approvals, assigning work, etc.
• Define methods, processes, and procedures for securing Cyber Assets & BES

Page 31: Real-time Monitoring and Reporting

• Risk Intelligence by Regulations & Critical Assets
• Track NERC version and Migration check
• Monitor NERC Compliance Audit Readiness
• Regulatory Filings, Certifications

Page 32: Data Browser

Page 33: MetricStream Advantage – NERC CIP Solution

• Best-in-class Governance, Risk and Compliance solutions provider
• Platform-based solution with integrated risk, compliance, policy, issue and change management systems
• Experience in working with numerous electric utilities in the US, ranging from co-ops to investor-owned
• Built-in content with controls and industry best practices
• One-click automated RSAW generation: reduction in RSAW production time from weeks to a few minutes or hours
• Real-time visibility into the business to avoid compliance concerns

Page 34: About MetricStream

Vision: Integrated Governance, Risk and Compliance for Better Business Performance

Solutions:
• NERC CIP Compliance
• Risk Management
• Business Continuity Management
• IT GRC
• Audit Management
• Supplier Governance
• Quality Management
• EHS & Sustainability
• Governance & Ethics
• Content and Training

Organization:
• Over 1,800 employees
• Headquarters in Palo Alto, California, with offices worldwide
• Over 350 enterprise customers
• Privately held; backed by global leading VCs, Sage View Capital, Goldman Sachs

Differentiators:
• Technology: GRC Platform, 9 patents
• Breadth of Solutions: single vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com: largest compliance portal on the Web

Partners

Page 35: Q&A

Please submit your questions to the host by typing into the chat box on the lower right-hand portion of your screen.

Thank you for participating!

A copy of this presentation will be made available to all participants within the next 48 working hours.

For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars

Karl Perman, VP Member Services, EnergySec. Email: [email protected]

Shreyank S. Kamat, Product Manager, MetricStream. Email: [email protected]

Page 36: THANK YOU

Contact Us:

Website: www.metricstream.com | Email: [email protected]

Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554