
  • Slide 1
  • CIP-003-5 Security Management Controls
    Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security
    CIP v5 Roadshow, May 14-15, 2014
  • Slide 2
  • Agenda
    Differences and relations to current requirements
    Audit approach
    Possible pitfalls to look for while transitioning to version 5
    Implementation tips
  • Slide 3
  • CIP-003-5 R1 Differences (CIP-003-3 R1 vs. CIP-003-5 R1)
    Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
    1.1 Personnel & training (CIP-004);
    1.2 Electronic Security Perimeters (CIP-005), including Interactive Remote Access;
    1.3 Physical security of BES Cyber Systems (CIP-006);
    1.4 System security management (CIP-007);
    1.5 Incident reporting and response planning (CIP-008);
    1.6 Recovery plans for BES Cyber Systems (CIP-009);
    1.7 Configuration change management and vulnerability assessments (CIP-010);
    1.8 Information protection (CIP-011); and
    1.9 Declaring and responding to CIP Exceptional Circumstances.
    Note: Implementation of these policies is addressed in standards CIP-004-5 through CIP-011-1; therefore it is not part of this requirement.
  • Slide 4
  • What is a CIP Exceptional Circumstance?
    A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability. (NERC, 2014, Glossary of Terms, p. 19)
  • Slide 5
  • CIP-003-5 R1 Audit Approach
    Is there a documented policy or policies that address the nine (9) topics?
    o There can be either a single policy that covers all topics or an individual policy for each.
    Do the policies specifically state that they apply to high and medium impact BES Cyber Systems?
  • Slide 6
  • CIP-003-5 R1 Audit Approach (cont.)
    Cyber Security Policy:
    o Was it reviewed and approved by the CIP Senior Manager at least once every 15 calendar months?
    o Evidence of review/approval, including a wet-ink or electronic signature and version control/revision history with the action and date.
    o If the document is in a document management system, provide a screenshot of what the CIP Senior Manager reviewed, and include the approval signature page associated with the reviewed document.
  • Slide 7
  • CIP-003-5 R1 Possible Pitfalls
    Policy doesn't address all of the topics identified in the requirement.
    Not consistently reviewing every 15 calendar months:
    o The current annual schedule may not meet the requirement (a "once per calendar year" review can leave more than 15 months between two reviews).
    o Notifications and alerts may not get updated.
  • Slide 8
  • CIP-003-5 R1 Implementation Tips
    Set up or update annual review notifications and alerts to meet the 15-calendar-month criterion.
    Address high and medium impact BES Cyber Systems in the policies.
    Review Best Practices: Managing Evidence Presentation, http://www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx
  • Slide 9
  • CIP-003-5 R2 New Requirement
    R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
    2.1 Cyber security awareness;
    2.2 Physical security controls;
    2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and
    2.4 Incident response to a Cyber Security Incident.
    An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. (NERC, 2012, CIP-003-5, p. 5)
  • Slide 10
  • CIP-002-5, R1, Part R1.3 = Low Impact BES Cyber Systems
    o P 106: "[W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity's protections for Low Impact assets." (FERC, 2013, Order 791, p. 72769)
  • Slide 11
  • CIP-003-5 R2 Progress
    The Standard Drafting Team (SDT) has been hard at work.
    o The SDT is still working on the requirements, measures, and rationale.
    o Nothing is definitive as of yet.
    o The requirement has been changed to table format.
  • Slide 12
  • CIP-003-5 R2 Current Draft
    R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing low impact BES Cyber Systems), shall:
  • Slide 13
  • CIP-003 R2 Draft (continued)
    R2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity
  • Slide 14
  • CIP-003 R2 Draft (continued)
    2.4 Incident Response to Cyber Incidents
  • Slide 15
  • CIP-003 R2 Draft (continued)
    2.5 Cyber Security Awareness
  • Slide 16
  • CIP-003-5 R2 Firm Dates
    The Standard Drafting Team (SDT) must complete its work by February 3, 2015.
    The draft goes to industry for comment on June 2, 2014.
    If you'd like to get involved, contact Ryan Stewart with NERC at ryan.stewart@nerc.net
  • Slide 17
  • CIP-003-5 R2 Comment Form
  • Slide 18
  • CIP-003-5 R2 Possible Pitfalls
    Entity may not know what its low impact BES Cyber Systems are.
    Not consistently reviewing every 15 calendar months:
    o The current annual schedule may not meet the requirement.
    o Notifications and alerts may not get updated.
    Policies may not address all parts of the requirement.
  • Slide 19
  • CIP-003-5 R2 Implementation Tips
    Stay on top of WECC's outreach for more direction on low impact BES Cyber Systems.
    Update annual review notifications and alerts to meet the version 5 timeline.
  • Slide 20
  • CIP-003-5 R3 No Change (CIP-003-3 R2.1, R2.2 vs. CIP-003-5 R3)
    Each Responsible Entity shall:
    o Identify a CIP Senior Manager by name.
    o Document any change within 30 calendar days of the change.
  • Slide 21
  • CIP-003-5 R3 Audit Approach
    CIP Senior Manager's name
    o Include the date identified.
    Version control and revision history
    o Include the action specific to the change, and include dates.
    Note: If you are not retaining the original document designating the CIP Senior Manager, entities still need to demonstrate compliance with the standard on or before April 1, 2016. We recommend reaffirming the CIP Senior Manager on or before April 1, 2016 and providing that document as evidence.
  • Slide 22
  • CIP-003-5 R3 Possible Pitfalls
    Entity did not identify the CIP Senior Manager by name and did not include the date identified.
    Changes to the CIP Senior Manager were not documented within 30 calendar days.
  • Slide 23
  • CIP-003-5 R3 Implementation Tips
    Update processes to ensure there are steps for documenting changes within 30 calendar days.
  • Slide 24
  • CIP-003-5 R4 Minor Clarifications (CIP-003-3 R2.3 vs. CIP-003-5 R4)
    The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used.
    The CIP Senior Manager may delegate authority for specific actions:
    o Include the delegate's name or title, the specific actions delegated, and the date of the delegation;
    o Approved by the CIP Senior Manager; and
    o Updated within 30 calendar days of any change to the delegation.
    Delegation changes do not need to be reinstated with a change to the delegator.
  • Slide 25
  • CIP-003-5 R4 Audit Approach
    Were there any delegations?
    Who was delegated, and what were they delegated to do?
    Was the delegation approved by the CIP Senior Manager?
  • Slide 26
  • CIP-003-5 R4 Possible Pitfalls
    Entity did not document a process to delegate authority.
    Entity did not identify delegates by name and did not include the date identified or the specific actions delegated.
    The CIP Senior Manager did not approve the delegation.
  • Slide 27
  • CIP-003-5 R4 Implementation Tips
    Document a process for delegating authority, and ensure the process addresses the specific requirements.
    Follow the documented process.
  • Slide 28
  • CIP-003-5 Modifications
    Reorganized to include only elements of policy and cyber security program governance. The slide's diagram maps the requirements that left CIP-003 to their new homes:
    o CIP-003-3 R6 (change control and configuration management) → CIP-010-1
    o CIP-003-3 R4 (information protection) → CIP-011-1
    o CIP-003-3 R5 (access control) → CIP-004-5
    o CIP-003-3 R3 (exceptions) is not carried into CIP-003-5.
  • Slide 29
  • Wrap-up
    Know what is required for each of your BES Cyber Systems.
    Attend future WECC outreach events to get further clarity on low impact BES Cyber Systems.
  • Slide 30
  • References
    FERC. (2013, November 22). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC 61,160; Docket No. RM13-5-000. Federal Register, Vol. 78, No. 232, pp. 72756-72787. Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
    NERC. (2014, March 12). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
