Low Impact Physical Security CIP v5 Outreach for BC

Webinar, January 9, 2018

Mark Lemery, CPP, PSP

Cyber & Physical Security Auditor

Western Electricity Coordinating Council




Introduction

Mark Lemery, CPP, PSP

• Compliance Auditor, Physical and Cyber Security

• SME CIP-006, CIP-014

– US Air Force Intelligence Officer (21 years)

  • Multi-discipline Focus & Background (Signals & Geospatial Intelligence; All-source Analysis; Targeting)

  • Deployments: Somalia/Kenya, Germany, Turkey, Iraq, Kosovo, Afghanistan

– Utah SIAC (State Law Enforcement Intelligence Fusion Center; 2.5 years)

  • Critical Infrastructure Protection (CIP) Program Manager

  • State Lead for Private Sector Outreach/Education/Training

  • Partnered w/DHS Protective Security Advisor (PSA) for Utah


Disclaimer

• The information contained in this presentation is drawn from our current understanding of this Standard and its Requirements as of the presentation date.

• The WECC audit approach and information contained within this presentation is subject to change based on future guidance.


Agenda


• Introduction

• CIP-003-5 Requirements Overview

• CIP-003-5 Considerations: Documentation

• Physical Security Control Methods

• CIP-003-5 Audit Approach

• Procedural & Operational Control Tips

• Looking Ahead

• Key Takeaways


CIP-003-5 – Security Management Controls


Low Impact Physical Security:

• “R2. Each Responsible Entity…shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics…:

2.2 Physical security controls;”

• “An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.”


CIP-003-5 – Considerations


Compliance Documentation:

• Documentation set including Low Impact-specific controls

• Typically, this will include:

  ✓ Cyber Security Policy or Policies

  ✓ Physical Security Plan(s)

  ✓ Physical Security Procedure(s)

  ✓ Physical Security Control Diagram(s)

    ➢ Not required and does not need to be site specific

• Implementation of the selected physical access control(s)

• Cyber Security awareness material concerning electronic or physical protection of Low Impact BES Cyber Systems


Physical Security Controls: Methods to Control, Monitor & Log Physical Access


Controlling Physical Access

• Card Key

• Special Locks

• Security Personnel

• Other Authentication Devices

Monitoring Physical Access

• Alarm Systems

• Human Observation of Access Points

Logging Physical Access

• Computerized Logging

• Video Recording

• Manual Logging


Methods to Control, Monitor & Log Physical Access (cont’d)


The Responsible Entity has flexibility in selecting methods for controlling, monitoring and/or logging physical access:

• May use one or a combination of controls

– Perimeter controls (fences with locked gates, guards or site access policies)

• Or may use more granular areas of physical access control in areas where Low Impact BES Cyber Systems are located

– Control rooms, control houses

• Monitoring as a physical access control can be used as a complement or an alternative to access control


CIP-003-5: WECC Audit Approach


• Verify documentation includes Cyber Security Policy, Plan or sections of the plan specifically for Low Impact BES Cyber Systems or Assets

• Verify documentation of selected Low Impact-specific controls

• Verify selected form of physical access control is implemented to restrict access to authorized personnel (e.g., electronic, mechanical or human)

• Verify selected method of monitoring is implemented (e.g., alarms, human observation)

• In those instances when the Entity's compliance measure(s) exceed the requirements of the standard(s), the audit team will audit to the language of the standard


Procedural Control Tips


Leverage existing documentation (Policy, Procedure, Process):

• Specific asset inventory or lists of BES Cyber Systems, BES Cyber Assets or personnel are not required

• Site-specific physical security diagrams are not required

✓ If available, specific lists and site security control diagrams will help tell the compliance story but will not be assessed for completeness


Operational Control Tips


Leverage existing access control and monitoring measures:

• Established controls used to meet High or Medium Impact BES security and compliance can be expanded to include Low Impact assets or systems

• Existing controls used to deter vandalism and copper theft can be utilized to demonstrate compliance

• For legacy lock systems, it is important to demonstrate effective access control via a rekey baseline and rigorous key management


Looking Ahead


• Access controls such as ID badge systems or hard keys should have corresponding access granting/revocation, management and tracking program documentation (e.g., key/lock management program for use with hard keys)

• Specific asset/personnel lists, physical access control site diagrams and work instructions are a logical evolution

• Future guidelines for Assets containing Low Impact BCS may take an approach similar to that currently applied to Medium Impact BES with ERC


FAQs


• “If we already have a locked gate with a fence, is there anything more we need to do?”

– To the letter of the Standard, this is all you need to do. Understand that this is the bare minimum; we can see FERC going in the direction of additional controls for Low Impact BES Assets, rather than fewer. Additionally, the audit team will request and review key management programs when hard key systems are utilized.


FAQs


• “Do we need to rekey legacy locks?”

– To the letter of the Standard, no. However, legacy locks with previously poor or unmanaged key programs present a suspect physical access control methodology. As such, it is highly recommended to establish a baseline lockset at program implementation.

• “Is a rekey required for lost, misplaced or unaccounted keys?”

– Your key management program should provide triggers to rekey compromised locks when keys are unaccounted for.


FAQs


• “Are access and monitoring controls required?”

– The Standard only calls for ‘physical security controls.’ As a result, the WECC audit approach would seek to provide reasonable assurance that an entity documented and implemented at least one method to Control or Monitor physical access. However, a program that uses different and complementary physical security controls (e.g., locks and cameras) as well as multiple layers of security (e.g., perimeter, building, room, cabinet) provides a more robust and effective means of restricting physical access.


Key Takeaways


• Flexibility & Responsibility

– Do what you say you are going to do: follow-through is important

• Access & Monitoring Controls

– Emphasis on quality, not quantity

– One effectively executed control is preferable to three poorly executed ones


CIP Compliance Audit Team [email protected]

WECC – Western Electricity Coordinating Council

155 North 400 West, Suite 200

Salt Lake City, UT 84103

Questions?

Gary King, CPP, PSP
CIP Sr. Compliance Auditor
(801) [email protected]

Mark Lemery, CPP, PSP
CIP Compliance Auditor
(801) [email protected]