Antitrust Admonition
Texas RE strictly prohibits persons participating in Texas RE activities from using their participation as a forum for engaging in practices or communications that violate antitrust laws. Texas RE has approved antitrust guidelines available on its website. If you believe that antitrust laws have been violated at a Texas RE meeting, or if you have any questions about the antitrust guidelines, please contact the Texas RE General Counsel.
Talk with Texas RE
March 19, 2020
Coronavirus Response Page
Kenath Carver
Manager, CIP Compliance Monitoring
Supply Chain Risk Management
Top 16 Commonly Asked Questions
Supply Chain Risk Management Effective Date
July 1, 2020
(also Canada Day, Creative Ice Cream Flavors Day, International Chicken Wing Day, International Joke Day, and National Postal Worker Day)
● CIP-013-1
● CIP-005-6
● CIP-010-3
CIP-013-1 R1 Part 1.1
Question 1
Should a registered entity consider applying the Supply Chain Risk Management Standards to low impact BES Cyber Systems, Protected Cyber Assets (PCAs), Electronic Access Control or Monitoring Systems (EACMS), or Physical Access Control Systems (PACS)?
Answer 1
● Project 2019-03 Cyber Security Supply Chain Risks (PACS and EACMS)
  • CIP-005-7 Parts 2.4 and 2.5
  • CIP-010-4 Part 1.6
  • CIP-013-2 R1 Parts 1.1 and 1.2
● NERC Supply Chain Risk Assessment Recommendation
  • “Include low impact BES Cyber Systems with remote electronic access connectivity in future modification of Supply Chain Standards.”
Questions 2, 3, & 4
What does the term “vendor” mean?
Is a reseller applicable to Part 1.1?
Could a registered entity be considered a “vendor” if they are providing non-reliability services?
Answers 2, 3, & 4
Supplemental Material
The term vendor(s) as used in the standard is limited to those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. It does not include other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.
Question 5
Is it necessary to implement CIP-013-1 R1 Part 1.1 for resellers if the contract is directly with the vendor?
Answer 5
● Part 1.1 requires identification and assessment of cyber security risks. A registered entity should identify and assess any cyber security risks that may be involved in purchasing such applicable hardware or software from the vendor that it is contracted with.
● Although the primary focus should be on the vendor you are contracted with, cyber security risks associated with the reseller should not be ignored as part of your cyber security risk identification and assessment.
Question 6
Should a registered entity identify and assess cyber security risks related to the vendor and/or product or service?
Answer 6
Both should be done to conduct an accurate cybersecurity risk identification and assessment.
● Vendor questionnaire
● Product or service questionnaire
Question 7
Does a registered entity need to mitigate identified and assessed cyber security risks?
Answer 7
FERC Order No. 829
The security objective is to ensure entities consider cyber security risks to the BES from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s); and options for mitigating these risks when planning for BES Cyber Systems.
Question 8
Prior to July 1, 2020, what if a registered entity has Cyber Assets that were purchased in bulk and stored as inventory, then after July 1, 2020, some or all are commissioned as a BCA? Does the registered entity have to implement CIP-013-1 R2?
Answer 8
● Any procurement on and after July 1, 2020, of BES Cyber Systems from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s) are subject to CIP-013-1.
Question 9
Should a registered entity include a provision for an after-the-fact cyber security risk identification and assessment under emergency situations?
Answer 9
● CIP-013-1 is applicable to any procurement regardless of the scenario, including an emergency.
● The registered entity should consider including language in its plan to address the potential for the use of purchasing cards in emergency situations.
● The registered entity should consider conducting an after-the-fact cybersecurity risk identification and assessment and implementing any mitigations for the procurement.
Question 10
How often should a registered entity re-assess a vendor?
Answer 10
Based on a given registered entity’s plan, for example:
● With every procurement
● Existing assessments could be leveraged
● When certain “triggers” are met, such as the vendor being bought or sold
● Annually, bi-annually, etc.
Question 11
Can a registered entity use a third-party service to conduct a vendor cyber security risk identification and assessment?
Answer 11
Third-party services could be used to complement a registered entity’s own cyber security identification and risk assessment.
CIP-013-1 R1 Part 1.2
Question 12
What if the registered entity’s vendor cannot adhere to one or more sub-parts (1.2.1-1.2.6)?
Answer 12
● Registered entities should document and implement controls for Part 1.2 in the absence of vendor adherence.
● For example, if the registered entity’s vendor is not notifying it of vendor-identified incidents, then a control that monitors US-CERT, ICS-CERT, E-ISAC, and NERC Alerts could be implemented.
Question 13
Could a registered entity provide a redacted (due to confidentiality issues relating to the contract and associated communications) executed contract, attestation(s) from vendor and internal supply chain personnel, and internal processes/procedures as evidence of implementation for CIP-013-1 R2?
Answer 13
● An executed contract demonstrating Part 1.2 was addressed could be sufficient to demonstrate compliance if the registered entity also provides additional supporting evidence such as processes/procedures, email communications, and attestations.
● The registered entity should not reveal any sensitive or proprietary information that would cause a breach of contract.
CIP-005-6 R2 Part 2.4
CIP-005-6 R2 Part 2.5
Question 14
Does a registered entity have to demonstrate evidence that method(s) are implemented?
Answer 14
● Evidence of the capability
● Level 2 Sample Sets
  • Logs
  • Configurations
  • Screenshots
● Live Demonstrations
CIP-010-3 R1 Part 1.6
Question 15
If the registered entity’s “method to do so” is not available, does the registered entity need to demonstrate evidence?
Answer 15
● Evidence must be provided to demonstrate the “method to do so” was not available.
  • Change Request Tickets
  • Dated evidence
  • Logs
Question 16
Is open-source software in scope for CIP-013-1 and CIP-010-3?
Answer 16
● A registered entity should implement its cyber security risk identification and assessment for all procurements of open-source software on all applicable systems.
● A registered entity should implement a method to verify the identity of the source and the integrity of the open-source software on all applicable systems.
● Document controls implemented that minimize the risks associated with open-source software.
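An added example (not Texas RE or NERC material) of how the Part 1.6 integrity check and its dated evidence could be implemented in Python: the obtained artifact is hashed and compared against the publisher's SHA256SUMS-style list, and every outcome, including "no reference digest available", is returned as a dated record. It assumes the checksum list was already obtained over an authenticated channel; verifying the publisher's signature on that list (the "identity of the source" half) is outside this block, and the package bytes and checksum list are constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue  # blank line or comment
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name, data, checksum_list, checked_by):
    """Compare the obtained artifact against its published digest and return a
    dated evidence record. A missing reference digest is recorded, not treated
    as a pass: that record is the dated evidence that the verification method
    was not available for this procurement (the Question 15 situation)."""
    expected = parse_checksum_list(checksum_list).get(name)
    observed = sha256_hex(data)
    record = {
        "artifact": name,
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "checked_by": checked_by,
        "expected_sha256": expected,
        "observed_sha256": observed,
    }
    if expected is None:
        record["result"] = "NO_REFERENCE_DIGEST"
    elif hmac.compare_digest(expected, observed):  # constant-time comparison
        record["result"] = "VERIFIED"
    else:
        record["result"] = "MISMATCH"
    record["install_permitted"] = record["result"] == "VERIFIED"
    return record


# Constructed sample inputs (not a real package or a real published digest).
GOOD_PACKAGE = b"#!/bin/sh\necho 'constructed sample package'\n"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"echo 'line the publisher never shipped'\n"
CHECKSUM_LIST = (
    "# constructed SHA256SUMS, assumed obtained from the publisher's authenticated release page\n"
    f"{sha256_hex(GOOD_PACKAGE)}  sample-tool-1.0.tar.gz\n"
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        rec = verify_artifact("sample-tool-1.0.tar.gz", blob, CHECKSUM_LIST, "constructed-reviewer")
        print(label, json.dumps(rec, indent=2))
    # No digest published for this file: the record itself is the dated evidence.
    print(json.dumps(verify_artifact("sample-plugin.zip", GOOD_PACKAGE, CHECKSUM_LIST, "constructed-reviewer")))
```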
Questions?