wecc bcuc session2 cip-002-5.1 mockaudit slc ... validate list of bes cyber assets to account for...


Post on 12-Jul-2020


TRANSCRIPT

• Identifying & Auditing Low Impact BES Assets: A Mock Audit
BC Outreach Webinar: Session 2
Salt Lake City UT – January 9, 2018

Joseph B. Baugh, PhD
Senior Compliance Auditor – Cyber Security
Western Electricity Coordinating Council

• Speaker Intro: Dr. Joseph Baugh
• Electrical Utility Experience (44+ years)
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM
  – Academic & Technical Course Teaching Experience (20+ years)
• Business Strategy, Leadership, and Management
• Information Technology, IT Security, and Project Management
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• CIP Compliance workshops and other outreach sessions

WESTERN ELECTRICITY COORDINATING COUNCIL

    2  

• Agenda
• Review CIP-002-5.1 Requirements
• Review CIP-002-5.1 Team audit approach
• Defining the Inventory of BES Assets
• CIP-002-5.1 Mock Audit
  – Focus on Low Impact BES Assets
• Questions


• CIP-002-5.1 Overview
• CIP-002-5.1 is the first step on the CIP Compliance trail
• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1
• CIP-002-5.1 adds the DP function; the TSP function drops out
• Some entities may find they are only required to be compliant with CIP-002-5.1 (R1 & R2) and with CIP-003-5 (R1.2, R2, R3, & R4)
  – True, if the IRC application on the entity's inventory of BES Assets (see Part R1.i – R1.vi) generates Null R1.1 & R1.2 lists
  – Must provide a valid R1.3 list of Low Impact BES Assets
  – Typically requires a reduced scope audit that may be conducted on-site, at WECC offices, or other locations, as necessary


• CIP-002-5.1: Part R1.i – R1.vi
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
  – i. Control Centers and backup Control Centers;
  – ii. Transmission stations and substations;
  – iii. Generation resources;
  – iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  – v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  – vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
• May generate Low impact BES Assets for R1.3 list under IRC 3.6


• CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets (see Part R1.i-R1.vi) for purposes of parts 1.1 through 1.3:

[Process diagram] Inputs: List of High & Medium Assets -> R1.1 - R1.2 Process: Identify BCS -> Outputs: R1.1, R1.2 Lists
[Process diagram] Input: List of Low Impact Assets -> R1.3 List


[Process diagram] Inputs: Inventory of BES Assets -> R1 Process -> Outputs: List of High, Medium, & Low Assets


• CIP-002-5.1 Requirements: R2
• Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1]
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3 & R4) must approve the initial lists [R2.2] and at least once every 15 months thereafter:
  – The R1.1, R1.2, and R1.3 lists
  – Include signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above
  – Electronic or physical approvals accepted


[Process diagram] Inputs: R1.1, R1.2, R1.3 Lists -> R2 Review & Approval Process -> Outputs: Signed and Dated Records

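As an added illustration (not from the webinar), the R2 review-and-approval checks on this slide expressed as a small evidence validator: each R1.1, R1.2 and R1.3 list, null lists included, needs a signed and dated approval, successive approvals (the prior and current "bookends") must be no more than 15 calendar months apart, the current approval must still be within that interval at audit time, and an R1.3 list must be present. The sample lists, signer names, AUDIT_DATE and the whole-calendar-month counting rule are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Approval:
    signer: str      # CIP Senior Manager or delegate; empty string = unsigned
    signed_on: date

@dataclass
class ImpactList:
    name: str                  # "R1.1" (High), "R1.2" (Medium) or "R1.3" (Low)
    assets: list[str]          # empty = null list, which still needs a signed, dated approval
    approvals: list[Approval]  # prior and current R2 approvals ("the bookends")

def calendar_months_between(earlier: date, later: date) -> int:
    # Assumption: "15 calendar months" counts whole calendar months, so any day in the
    # 15th month after the prior approval still satisfies the review interval.
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)

def check_r2(lists: list[ImpactList], audit_date: date, max_months: int = 15) -> list[str]:
    """Return audit findings; an empty list means the R2 evidence is consistent."""
    findings = []
    for lst in lists:
        if not lst.approvals:
            findings.append(f"{lst.name}: no signed and dated approval on record")
            continue
        approvals = sorted(lst.approvals, key=lambda a: a.signed_on)
        for a in approvals:
            if not a.signer.strip():
                findings.append(f"{lst.name}: approval dated {a.signed_on} has no signer")
        # prior -> current approvals must be at most 15 calendar months apart ...
        for prev, cur in zip(approvals, approvals[1:]):
            if calendar_months_between(prev.signed_on, cur.signed_on) > max_months:
                findings.append(f"{lst.name}: {prev.signed_on} to {cur.signed_on} exceeds {max_months} calendar months")
        # ... and the current approval must still be within the interval at audit time
        if calendar_months_between(approvals[-1].signed_on, audit_date) > max_months:
            findings.append(f"{lst.name}: last approval {approvals[-1].signed_on} is stale as of {audit_date}")
    if not any(lst.name == "R1.3" for lst in lists):
        findings.append("R1.3 list of Low Impact BES Assets is missing")
    return findings

# Constructed sample evidence (not from the webinar): R1.1 and R1.2 are null lists.
AUDIT_DATE = date(2018, 1, 9)
SAMPLE_LISTS = [
    ImpactList("R1.1", [], [Approval("CIP Senior Manager", date(2016, 10, 3)),
                            Approval("CIP Senior Manager", date(2018, 1, 2))]),
    ImpactList("R1.2", [], [Approval("CIP Senior Manager", date(2016, 6, 1))]),
    ImpactList("R1.3", ["Substation A", "Plant B"],
               [Approval("CIP Senior Manager", date(2016, 10, 3)), Approval("", date(2018, 1, 2))]),
]
```

Running `check_r2(SAMPLE_LISTS, AUDIT_DATE)` flags the stale R1.2 approval and the unsigned R1.3 approval, while the R1.1 null list passes because its two approvals sit exactly 15 calendar months apart.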

• WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all entities
• Start with the RSAW supplied by the entity as initial working papers to document the audit and findings
• Review the evidence to develop findings
• Submit data requests for more information, as needed


• WECC Evidence Review
• Review the Initial Evidence package supplied by the entity in response to the Pre-Audit Request for Information [RFI]:
  – One-line diagrams
  – Specific CIP-002-5.1 evidentiary documents
    • Documented process to identify and categorize the entity's BCS and BES Assets
    • Implementation of the process (i.e., application of the IRC to the inventory of BES Assets to develop the lists)
    • Reviewed and approved R1.1 – R1.3 lists
• Entity responses to data requests, as applicable


• CIP-002-5.1 Audit Team Approach
• Audit to the Standard
• Review the evidence:
  – Entity's documented process
  – Inventory of BES Assets
  – One line diagrams
  – Application of the IRC
  – R1.1, R1.2, R1.3 lists
  – R2 records of current and prior approved versions of R1 & R2 documents (the bookends)
• DR for additional information, as needed
• Determine findings
• Complete the RSAW
• Develop the Audit Report

[Flowchart] Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi] -> Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset -> Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/a
[Flowchart decision] Are there more High or Medium BES assets?