CLARITY ▪ ASSURANCE ▪ RESULTS
MIDWEST RELIABILITY ORGANIZATION
Improving RELIABILITY and mitigating RISKS to the Bulk Power System
CIP 101 for Low Impact BES Cyber Systems
Bill Steiner, MRO Risk Assessment and Mitigation Principal
MRO CIP Low Impact Workshop
March 1, 2017
Topics
• Purpose and history of the NERC Critical Infrastructure Protection (CIP) Standards
• Applicability of CIP V5 Low Impact
• Key definitions
• Useful CIP V5 materials
Purpose of NERC CIP Standards
Address security of cyber assets essential to the reliable operation of the electric grid
• CIP standards are controls for Cyber Security
• CIP standards are not software functionality controls
NERC CIP is the only set of mandatory cybersecurity standards in place across the critical infrastructures (water, gas, etc.) of the United States
In the Beginning
(UA1200)
History of the CIP Standards
UA1200 (2003)
• High-level, and prior to mandatory compliance
• Approved one day before the August 14, 2003 blackout (unrelated)
CIP V1 (2008)
• First enforceable Cybersecurity standards for Bulk Power System, use of RBAM (Risk-Based Assessment Methodology) to determine Critical Assets
CIP V2 (2009)
• Minor changes to CIP V1 - Annual review of additional processes, removed ability to “accept risk” in lieu of requirements
CIP V3 (2010)
• Minor changes to CIP V2 – escort of visitors
• In effect from October 1, 2010 until June 30, 2016 (almost 6 years)
CIP V4 (2012)
• Use of a Bright-Line Criteria (BLC) instead of RBAM
• Never became enforceable, due to timing of CIP V5
CIP V5+ (2013)
• Impact Rating Criteria (IRC) instead of BLC or RBAM, changes in technical requirements, concept of BES Cyber Systems instead of CCAs
History of the CIP Standards: CIP V5+
CIP V5 increased the number of CIP Standards from 8 (CIP-002 through CIP-009) to 10 (CIP-002 through CIP-011)
• CIP-002-5 through CIP-009-5
• CIP-010-1
• CIP-011-1
History of the CIP Standards: CIP V5+
When FERC approved CIP V5, it directed NERC to make changes
So... CIP V5 (currently enforceable) is now:
• CIP-002-5.1a
• CIP-003-6
• CIP-004-6
• CIP-005-5
• CIP-006-6
• CIP-007-6
• CIP-008-5
• CIP-009-6
• CIP-010-2
• CIP-011-2
History of the CIP Standards: CIP V5+
Upcoming CIP-related Standards in the balloting/approval process:
• CIP-013-1 Supply Chain Risk Management
• CIP-003-7 Low Impact LEAP/LERC and TCA changes
Applicability of CIP V5
Like the rest of the NERC Standards, start with the definition of Bulk Electric System (BES)
In general, BES includes:
• Transmission elements connected at 100 kV or higher
• Generation unit greater than 20 MVA
• Generation facility greater than 75 MVA
• Blackstart Resources
For more information, see NERC’s BES Definition page
• www.nerc.com -> Initiatives -> BES Definition
• http://www.nerc.com/pa/RAPA/Pages/BES.aspx
• http://www.nerc.com/pa/RAPA/BES%20DL/bes_phase2_reference_document_20140325_final_clean.pdf
BES Definition Resources
Applicability of CIP V5
MRO Standards Committee CIP Subject Matter Expert Team (SMET) CIP-002-5.1 Standard Application Guide (SAG)
• https://www.midwestreliability.org/MRODocuments/CIP-002-5.1%20Standard%20Application%20Guide.pdf
MRO Standards Committee CIP Subject Matter Expert Team (SMET) CIP-003-6 R2 Standard Application Guide (SAG)
• https://www.midwestreliability.org/MRODocuments/CIP%20003-6%20R2%20Standard%20Application%20Guide.pdf
Applicability of CIP V5
Functional Registration
• BA (Balancing Authority)
• GO (Generator Owner)
• GOP (Generator Operator)
• IA (Interchange Authority)
• RC (Reliability Coordinator)
• TO (Transmission Owner)
• TOP (Transmission Operator)
Applicability of CIP V5
Functional Registration (continued)
• DP (Distribution Provider) with any of the following
—Underfrequency Load Shedding (UFLS) or Undervoltage Load Shedding (UVLS) that:
  • Is part of a load shedding program, subject to NERC Standards; AND
  • Performs automatic load shedding under a common control system, without human operator initiation, of 300 MW or more
—Remedial Action Scheme (RAS) subject to NERC Standards
—Transmission Protection System subject to NERC Standards
—Cranking Path
UFLS/UVLS CIP V5 Applicability
Each UFLS or UVLS System that:
• Is part of a Load shedding program that is subject to NERC Standards; AND
• Performs automatic Load shedding under a common control system owned by the entity, without human operator initiation, of 300 MW or more
In other words, the Standards are meant to apply security controls to prevent an attacker from compromising a single cyber asset/system and shedding 300 MW or more
UFLS/UVLS Applicability Example
Entity has 400 MW of UFLS
• 20 relays on separate feeders, with 20 MW of load each
• Each relay typically senses the local frequency and makes the determination to trip, independent of the other relays
In this case, the most load that can be shed under a common control system is 20 MW
None of the UFLS relays in this example would be subject to CIP V5
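The applicability test above, worked as an added example that is not part of the original presentation: load is summed per common control system and compared against the 300 MW criterion. The class, field and control-system names are hypothetical, all relays are assumed to be owned by the entity, and the centralized case is constructed for contrast.

```python
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD_MW = 300  # "300 MW or more" from the applicability criterion


@dataclass(frozen=True)
class LoadShedRelay:
    name: str
    load_mw: float
    control_system: str        # hypothetical ID of the system that decides to trip
    automatic: bool = True     # sheds without human operator initiation
    nerc_program: bool = True  # part of a load shedding program subject to NERC Standards


def shed_by_control_system(relays):
    """Sum the automatically sheddable load behind each common control system."""
    totals = defaultdict(float)
    for r in relays:
        if r.automatic and r.nerc_program:
            totals[r.control_system] += r.load_mw
    return dict(totals)


def in_scope_control_systems(relays, threshold_mw=THRESHOLD_MW):
    """Control systems that can shed threshold_mw or more on their own."""
    totals = shed_by_control_system(relays)
    return sorted(cs for cs, mw in totals.items() if mw >= threshold_mw)


# Slide example: 20 relays, 20 MW each (400 MW total). Every relay decides
# locally, so each relay is modelled as its own control system.
independent = [LoadShedRelay(f"relay-{i:02d}", 20, f"relay-{i:02d}") for i in range(20)]

# Constructed contrast: the same feeders tripped by one central controller.
centralized = [LoadShedRelay(f"relay-{i:02d}", 20, "central-ufls") for i in range(20)]

if __name__ == "__main__":
    print("independent:", in_scope_control_systems(independent))
    print("centralized:", in_scope_control_systems(centralized))
```

The total UFLS load is 400 MW in both cases; only the grouping by control system changes the outcome.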
Applicability of CIP V5
If you are not registered as a TO, TOP, GO, GOP, BA, RC, IA, or a DP with one of these types of systems, then CIP V5 does NOT apply
• No need to go any further with determination of which Facilities are impacted
• CIP V5 does not apply, not even Low Impact
For everyone else, the focus is on the Impact Rating Criteria (Attachment 1 of CIP-002-5.1)
Impact Rating Criteria
Attachment 1 is used to categorize all BES Cyber Systems as Low, Medium, or High Impact
• Only Control Centers can be High
• Largest Impact BES Facilities are Medium
• Everything not High or Medium is Low
—“All BES Cyber Systems for Facilities not included in Attachment 1 – Impact Rating Criteria, Criteria 1.1 to 1.4 and Criteria 2.1 to 2.11 default to be low impact.” (CIP-002-5.1a p.5)
Guidelines and Technical Basis
CIP-002-5.1 is 34 pages long
• CIP-002-3 was 3 pages long
CIP V5 Standards contain “notes” from the Standard Drafting Team (SDT) giving further guidance on the language of the Requirements, and why certain decisions were made in the drafting process
There are some inconsistencies
When in doubt, use the language of the Requirement
NERC Glossary of Terms
A number of new defined terms for CIP V5
• http://www.nerc.com/files/glossary_of_terms.pdf
• These definitions are crucial to understanding and applying the CIP V5 requirements
Retirement of:
• Critical Asset (CA)
• Critical Cyber Asset (CCA)
• LEAP/LERC – Low Impact definitions expected to be retired upon approval of CIP-003-7
CIP V5 Key Definitions: Cyber Asset
Cyber Asset
• Programmable electronic devices, including the hardware, software, and data in those devices
Programmable Electronic Device
Programmable Electronic Device: Not a Glossary Term
• Consider:
—Has an HMI
—Software or firmware settings that are user configurable
—Remote connection capability
—Updateable software or firmware
• Workstations
• Intelligent Electronic Devices (IEDs)
CIP V5 Key Definitions: BES Cyber Asset
BES Cyber Asset (BCA)
• A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.
• Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact.
• Each BES Cyber Asset is included in one or more BES Cyber System(s).
• A BES Cyber Asset cannot be a Transient Cyber Asset.
BES Cyber Asset (BCA) Examples
• Microprocessor-based protective relay
• Data Concentrator
• Energy Management System (EMS) server
• System Operator Console
• Data Historian
• Remote Terminal Unit (RTU)
CIP V5 Key Definitions: Transient Cyber Asset
Transient Cyber Asset:
• A Cyber Asset that
—(i) is capable of transmitting or transferring executable code,
—(ii) is not included in a BES Cyber System,
—(iii) is not a Protected Cyber Asset (PCA),
—(iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA, and
—Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes
CIP V5 Key Definitions: BES Cyber System
BES Cyber System (BCS)
• One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
Examples of BCS:
• All protective relays at a substation
• EMS
• Generation Control System (GCS)
• Windows servers in an EMS or GCS
BCA vs. BCS
A BCS is a group of BCAs
Substation example:
• Substation has three relays
• Two are BCAs
• BCS grouping is up to you (more on that later)
[Figure labels: “Not a BCA since it’s not a Cyber Asset”; “BCS Option 1”; “BCS Option 2”]
CIP V5 Key Definitions: Dial-Up Connectivity
Dial-up Connectivity
• A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link
Just because a modem is being used does not mean it is using Dial-up Connectivity
CIP V5 Key Definitions: Physical Security Perimeter
Physical Security Perimeter
• The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled
• Not a Low Impact concept, but a LIBCS could reside within a PSP
Examples include server rooms, substation control houses, etc.
CIP V5 Key Definitions: Electronic Security Perimeter
Electronic Security Perimeter (ESP)
• The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol
• Not a Low Impact concept, but a LIBCS could reside within an ESP
—If so, the LIBCS would become a PCA
Think of an ESP as a network boundary
CIP V5 Key Definitions: Electronic Access Point
Electronic Access Point (EAP)
• A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter
Example of PSP, ESP, EAP:
[Figure labels: “Routable Protocol to Control Center EMS”; “Substation A”]
CIP V5 Key Definitions: Physical Access Control Systems
Physical Access Control Systems (PACS)
• Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers
CIP V5 Key Definitions: Electronic Access Control or Monitoring Systems
Electronic Access Control or Monitoring Systems (EACMS)
• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems
—Includes Intermediate Systems
[Figure labels: “Routable Protocol to Control Center EMS”; “Substation A”]
CIP V5 Key Definitions: Protected Cyber Assets
Protected Cyber Asset (PCA)
• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter
• The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP
• A Protected Cyber Asset is not a Transient Cyber Asset
Protected Cyber Assets: “High Watermark”
PCAs are used to implement a “High Watermark” concept
Even though they are not a BCA, they must be protected if they are in the ESP with a BCS that is not Low Impact
[Figure labels: “PCA”; “Routable Protocol to Control Center EMS”; “Substation A”]
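The high-watermark rule, applied to an asset inventory as an added example that is not part of the original presentation. The class, field and asset names are hypothetical, the inventory is constructed, and whether an asset is transient is assumed to be decided beforehand by the caller.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class CyberAsset:
    name: str
    esp: Optional[str]         # ESP the asset is routably connected in, if any
    bcs_impact: Optional[str]  # impact rating of its BES Cyber System, None if not in one
    transient: bool = False    # meets the Transient Cyber Asset definition


def classify(assets):
    """Return {name: (role, impact)} using the per-ESP high watermark."""
    high_water = {}  # highest BCS impact rating present in each ESP
    for a in assets:
        if a.esp and a.bcs_impact:
            cur = high_water.get(a.esp)
            if cur is None or RANK[a.bcs_impact] > RANK[cur]:
                high_water[a.esp] = a.bcs_impact
    result = {}
    for a in assets:
        top = high_water.get(a.esp) if a.esp else None
        if a.transient:
            result[a.name] = ("TCA", None)  # a PCA is not a Transient Cyber Asset
        elif a.bcs_impact and (top is None or a.bcs_impact == top):
            result[a.name] = ("BCA", a.bcs_impact)
        elif top is not None and RANK[top] > RANK["low"]:
            # Not part of the highest impact BCS in this ESP: inherits its rating.
            result[a.name] = ("PCA", top)
        else:
            result[a.name] = ("out of scope", None)
    return result


# Constructed inventory for a substation with one ESP.
INVENTORY = [
    CyberAsset("relay-1", "esp-sub-a", "medium"),
    CyberAsset("relay-2", "esp-sub-a", "medium"),
    CyberAsset("hmi", "esp-sub-a", None),             # not a BCA, but inside the ESP
    CyberAsset("low-rtu", "esp-sub-a", "low"),        # low impact BCS inside the ESP
    CyberAsset("test-laptop", "esp-sub-a", None, transient=True),
    CyberAsset("serial-relay", None, "low"),          # low impact, no ESP
    CyberAsset("office-printer", None, None),
]

if __name__ == "__main__":
    for name, role in classify(INVENTORY).items():
        print(name, role)
```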
Assets (assets)
Assets (assets) - facilities
• Control Centers and Backup Control Centers
• Transmission stations and substations
• Generation resources
• System restoration facilities (Blackstart, Cranking Paths, and initial switching requirements)
• Protection Systems
Control Center
Control Center:
• One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including associated data centers, of:
— a Reliability Coordinator,
— a Balancing Authority,
— a Transmission Operator for transmission Facilities at two or more locations, or
— a Generator Operator for generation Facilities at two or more locations
Other Definitions
BES Cyber System Information (BES CSI)
CIP Exceptional Circumstance
CIP Senior Manager
Cyber Security Incident
External Routable Connectivity
Interactive Remote Access
Intermediate System
Useful CIP V5 Materials
Useful Materials:
• MRO Standards Committee CIP SME Team CIP-002-5.1 SAG
• MRO Standards Committee CIP SME Team CIP-003-6 SAG (presented today!)
• NERC BES Definition
• NERC Glossary of Terms
• “Guidelines and Technical Basis” section of Standards
Questions?