wecc bcuc session3 libcs bestpractices slc jbaugh 01092018 · 2018. 1. 15. · low impact...
TRANSCRIPT
-
Low Impact BES Assets: Best Practices
BC Outreach Webinar: Session 3
Salt Lake City UT – January 9, 2018
Joseph B. Baugh, PhD
Senior Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
W ESTERN E LECTRICITY C OORDINATING C OUNCIL
-
Speaker Intro: Dr. Joseph B. Baugh
• Electrical Utility Experience (44+ years)
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM
  – Academic & Technical Course Teaching Experience (20+ years)
    • Business Strategy, Leadership, and Management
    • Information Technology, IT Security, and Project Management
    • PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
    • CIP Compliance workshops and other outreach sessions
-
Agenda
• CIP-003-5 R2
• WECC Low Impact Case Study [LICS] – Challenges
  • Administrative
  • Technical
• Protecting Low impact BES Assets
  – Frequently Asked Questions
  – Lessons Learned
  – Best Practices
• Differences between CIP-003-5 and CIP-003-7
  – LERC/LEAP vs. electronic access controls
  – Additional protections and controls
-
CIP-003-5 R2
• Since BCUC may replace CIP-003-5 with CIP-003-7, entities may ignore the IAC language in R2 for CIP-003-5 compliance
• No adverse impact on R2 compliance is incurred by this action
-
LICS Participation Details
• The WECC LICS pilot study ran from October 2015 through May 2016 (Wood, 2016 March 24)
• Four (4) participants from the WECC region:
  – One (1) mixed impact municipal entity
    • This entity had prior CIP-002-3 Critical Cyber Assets [CCA]
    • Some v3 Critical Assets contained higher impact BCS under v5
    • Entity identified multiple Low impact BES Assets
  – Three (3) Low impact only entities
    • These entities had prior null lists of CCA
    • All three identified only Low impact BES Assets
• CIP compliance experience levels were also mixed
-
Low Impact Case Study Goals
[Figure: the four LICS goals]
• Ensure an Efficient and Effective Transition
• Understand and address challenges
• Foster Communication and knowledge sharing
• Identify Guidance Topics
-
Administrative Challenges
• Programs, Policies, Procedures, and Plans
  – Reconciling internal definitions with NERC definitions
  – Updating documentation to match
• Small, but critical staff
  – Staffing the project: if a team member was sick, project progress came to a grinding halt
• Finding a place to start
  – Picked one or two prototype BES Assets to develop and fine-tune the processes and procedures before rolling them out across the gamut of BES Assets
-
Technical Challenges
• Small Technical Staff
  – Finding time to review and create the required documentation
• Meeting Compliance AND Security Needs
  – Ensuring requirements are met while also focusing on physical and electronic access controls, securing the network and facilities, at a reasonable cost
• Learning Curve
  – Translating compliance language from the Standards to IT and layman language
  – Documenting technical issues in an easy-to-grasp manner
  – Bringing field and other personnel into the compliance fold
-
LICS FAQ – Policies
• Do we need to have the policies in one document, or can they be separated and tied to the associated plan (e.g., awareness, physical access controls, electronic access controls, incident response)?
  – From an audit perspective it doesn't matter how the information is laid out or put together, so long as you have it and can demonstrate it for audit
  – You may choose to have one document with all the policies, or you may choose to have each policy within the plan documentation
  – If you do keep the policies together in a separate document, provide pointers to the associated section(s) of the attachment
-
LICS FAQ – Policies
• What is the difference between program, policy, plan and procedure?
  – A program is the overarching name for the documentation (or the "why") that provides both strategic and tactical elements that create compliance
  – A policy is the documentation that provides the strategic overview of "what" you will do to become compliant
  – The plans, practices, processes and procedures describe "how" you will perform policy requirements and are part of the tactical elements of the program
    • Plans and processes are the overview of how you will be compliant
    • Practices and procedures are the step-by-step details of how you perform compliance tasks
-
Low impact Strategic & Tactical Elements
[Figure: flowchart of the CIP Compliance Program. The High & Medium BCS branch is marked "Not in Scope for Low impact BES Assets". The Low-Impact BES Assets branch has Strategic Elements (Policies): "Develop and document Low impact cybersecurity policies", then Tactical Elements (Plans): "Develop and document cybersecurity plans w/ procedures, practices, &/or processes" and "Implement cybersecurity plans and controls".]
-
Auditing Low-impact Compliance
• At audit, the CIP-003 team will review and validate each strategic and tactical step down through the flowchart
• A prudent entity will develop and maintain auditable artifacts that demonstrate the entity documented and implemented a sound CIP-003 cyber security compliance program with associated policies, plans, processes, and/or procedures that cover all of its applicable Low impact BES Assets
-
LICS FAQ – R2.1 Awareness
• What is awareness and what should be included?
  – Webster defines "aware" as knowing that something exists. Awareness is the state of such knowledge
  – In terms of the CIP-003-5 Guidelines and Technical Basis, awareness would then mean each employee is aware or cognizant of specific cyber security measures
  – These measures may include any or all of the following (CIP-003-7, Attachment 2: Section 1, p. 24):
    • Direct communications (for example, e-mails, memos, or computer-based training);
    • Indirect communications (for example, posters, intranet, or brochures); or
    • Management support and reinforcement (for example, presentations or meetings).
-
LICS FAQ – R2.1 Awareness
• What are examples of reinforcement?
  – In terms of the CIP-003-5 R2.1 low-impact cyber security awareness policy, the entity should present cybersecurity awareness measures to its personnel at least once every 15 calendar months
  – This is the bare minimum to demonstrate compliance and may be part of an ongoing cybersecurity awareness effort that includes signage, training, case studies, and any other means of raising cybersecurity awareness
-
LICS FAQ – R2.2 Physical Security Controls
• Mark Lemery will cover these topics in his presentation this afternoon
-
LICS FAQ – R2.3 Electronic Access Controls
• What do I need to implement electronic access controls for external routable connections and/or dial-up connectivity?
  – Until such time as additional guidance is provided by BCUC relative to CIP-003-7, a prudent entity would ensure that any protocol conversion device provides an actual authentication break between the IP and attached serial devices
  – In the absence of such demonstrated evidence, the audit team may determine that unprotected electronic access is present in the serial devices and take further compliance action
-
LICS FAQ – R2.3 Electronic Access Controls
• Do we need to provide a diagram and the configuration files associated with electronic access controls?
  – While such diagrams and files are not specifically required by CIP-003-5, an entity should be able to demonstrate that the required controls (as defined in the R2.3 policy) are afforded where external routable access or dial-up connectivity exists into an asset containing Low impact BES Cyber Systems
  – The audit team may check a sampling of Low impact Cyber Assets with electronic access to validate that such devices are protected, as required by the entity's electronic access control policy
-
LICS FAQ – R2.4 Incident Response
• Is monitoring or intrusion detection required? If not, how do I know to respond to an incident if I'm not monitoring for one?
  – No, monitoring is not specifically required. The Standard Drafting Team left R2.4 as a policy to respond to an incident that somehow created its own awareness
  – Although monitoring is not required by the Standard, as a best cyber security practice, a prudent entity would monitor all electronic access points to ensure it becomes aware of any cyber incident in a timely manner
  – This issue has been addressed much more extensively in CIP-003-7, as well as a recent FERC NOPR (2017 December 21) on incident response and malware
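The "authentication break" called for in the R2.3 answer two slides above, and the access-point monitoring the R2.4 answer recommends, as an added Python illustration that is not part of the original slides or any vendor's product: a model protocol converter that relays frames to the serial side only after the IP-side session has authenticated, next to its transparent configuration, plus a monitoring rule over the gateway's own log. The gateway class, peer addresses, password and Modbus frame are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample traffic: a Modbus RTU "read 2 holding registers from unit 1" request.
SAMPLE_FRAME = bytes.fromhex("010300000002c40b")

class SerialGateway:
    """Model of a serial-to-IP protocol converter fronting a Low impact BCS (constructed illustration,
    not a vendor product). With require_auth=False it is a transparent converter: bytes pass straight to serial."""
    def __init__(self, password, require_auth=True):
        self.require_auth = require_auth
        self._pw_hash = hashlib.sha256(password.encode()).digest()  # demo credential store only
        self.sessions = {}    # peer address -> {"authed": bool}
        self.serial_out = []  # frames that actually reached the serial device
        self.audit_log = []   # events an R2.4-style monitor would review

    def _log(self, peer, event):
        self.audit_log.append(f"{peer} {event}")

    def connect(self, peer):
        # Without an authentication break, a new session is usable immediately.
        self.sessions[peer] = {"authed": not self.require_auth}
        self._log(peer, "CONNECT")

    def authenticate(self, peer, password):
        # Constant-time comparison so the check itself does not leak the credential.
        ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash)
        self.sessions[peer]["authed"] = self.sessions[peer]["authed"] or ok
        self._log(peer, "AUTH_OK" if ok else "AUTH_FAIL")
        return ok

    def send(self, peer, frame):
        # The authentication break: nothing crosses to the serial side from an unauthenticated session.
        if not self.sessions[peer]["authed"]:
            self._log(peer, "DROP_UNAUTH " + frame.hex())
            return False
        self.serial_out.append(frame)
        self._log(peer, "FORWARD " + frame.hex())
        return True

def peers_to_alert(audit_log, threshold=3):
    """Monitoring rule over the gateway log: peers with >= threshold failed or unauthenticated attempts."""
    counts = {}
    for line in audit_log:
        peer, event = line.split(" ", 1)
        if event.startswith(("AUTH_FAIL", "DROP_UNAUTH")):
            counts[peer] = counts.get(peer, 0) + 1
    return sorted(p for p, n in counts.items() if n >= threshold)

def run_scenario(require_auth):
    """Replay the same traffic through a transparent converter and one with an authentication break."""
    gw = SerialGateway("correct horse", require_auth=require_auth)
    gw.connect("10.0.0.9")                      # unknown peer that never authenticates
    for _ in range(3):
        gw.send("10.0.0.9", SAMPLE_FRAME)
    gw.connect("10.0.0.5")                      # operator host: one typo, then the right password
    gw.authenticate("10.0.0.5", "wrong")
    gw.authenticate("10.0.0.5", "correct horse")
    gw.send("10.0.0.5", SAMPLE_FRAME)
    return len(gw.serial_out), peers_to_alert(gw.audit_log)
```

With the transparent converter all four frames reach the serial device and the log gives nothing to alert on; with the authentication break only the operator's frame is forwarded and the unknown peer's three dropped attempts surface as an alert.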
-
LICS FAQ – R3 CIP Senior Manager
• Can a CIP Senior Manager be a contractor?
  – No, the CIP Senior Manager is a defined term in the NERC Glossary and specifically states this person must be a "single senior management official with overall authority and responsibility" (NERC, 2018 January 2, Glossary of Terms, p. 9) for an entity's CIP compliance program
  – The BCUC adopted the NERC Glossary dated October 1, 2014 via BCUC Order R-38-15 (2015 July 15, Article H, p. 2), including the CIP Senior Manager term (Ibid, p. 16), so this response is equally valid in the BCUC footprint
-
LICS FAQ – R3 CIP Senior Manager
• What kind of documentation would you expect to see for CIP-003-5 R3?
  – A document on company letterhead that includes the name and title of the CIP Senior Manager, with the date of his or her assignment, is sufficient
-
LICS FAQ – R4 Delegations
• Can the CIP Senior Manager information and delegate information reside in the same document, or do they need to be in separate documents?
  – For audit purposes, R3 and R4 simply must be documented. It doesn't matter if these assignments are in one document or multiple documents
  – However, the CIP Senior Manager is generally assigned by the CEO, General Manager, or some other high-level executive. Delegates may be assigned for specific CIP duties on shorter timeframes by the CIP Senior Manager, so the audit team generally sees multiple documents
-
LICS FAQ – General Questions
• If an entity opts to combine their low impact policy and plan documentation with their High and/or Medium impact documents, how could this information be shared with low impact personnel, since there are additional requirements for High and Medium BCS pertaining to BESCSI (CIP-004 R2 and R4)?
  – Entities are allowed to combine their documents for Highs, Mediums, and Lows, but if the combined documentation contains BES Cyber System Information (BCSI), an entity would need to include everyone with access to the BCSI within the associated programs (e.g., access management) when the entity implemented the applicable requirements. This would include individuals who are only associated with Low Impact BCS
  – With that in mind, it may be more feasible to use the High and/or Medium BCS documentation as a starting point and develop a specific set of documentation for Low-impact BES Assets for use by a wider set of personnel
-
LICS FAQ – General Questions
• Can we use our existing system inventory as a Low Impact Cyber Assets List, knowing it is not required?
  – Even though discrete lists of Low-impact BCS are not required by CIP-002-5.1 R1.3, LICS participants found it almost impossible to ensure all required controls were afforded without such lists of applicable Cyber Assets for each LIBCS at each identified and documented Low-impact BES Asset
-
LICS Lessons Learned
• LICS participants were asked these questions during the panel discussion at the WECC Compliance Workshop in La Jolla (Wood, 2016):
  – What are your perspectives on necessary resources?
  – What are some of the key conclusions, lessons learned, and recommendations for transitioning to CIP Version 5 for entities with assets containing low impact BCS?
  – Did you find any ambiguity in the Requirements? If so, how did you clarify these issues?
• The responses are captured in the following slides
-
LICS Lessons Learned
• Review the standards and clarify all of the documentation requirements for each standard early on
  – Kept each documentation requirement as a highlighted action item in all of their drafts
• Create an internal cascading project timeline w/ deliverables
  – Develop Gantt charts to track tasks, and update them as applicable each week
• Research, Research, Research
  – Tap unlikely sources such as your commercial insurance carrier/broker
  – One entity used a "great template" from its insurance carrier for its cyber incident response plan
-
LICS Lessons Learned
• Don't be fooled by the generic and oversimplified requirements for policies
  – They are simplistic by design to allow you the flexibility to build your own workable policies and plans, but they are going to take more time to develop and implement than you think, so build some extra time into your project timeline for testing & feedback, budget cycles, and unplanned contingencies
• Engage Subject Matter Experts [SMEs] and plant/field personnel who are going to have to live with the results of your transition project early on
  – "No use flying 8000 RPMs down the road to a technically unattainable or cost-prohibitive goal"
-
LICS Lessons Learned
• Have weekly team meetings
  – Even if there's not much to discuss, this practice keeps the project on everyone's radar
• Make sure all documents at minimum undergo a basic technical and legal review and then a final formatting review
  – Copy & paste is both a blessing and a curse!
• Avoid business silos
  – If you are coming from the IT side of the house, go shake hands with and learn about the OT environment, as it will allow you to better understand the assets you're trying to protect
  – The OT side of the house will also gain a better understanding of why you're doing the things you do to achieve compliance
-
Best Practices and Next Steps
• Approach the Low impact compliance implementation as an approved & funded project
• Develop a sound project plan including tasks, schedules, and anticipated costs
• Begin with one or two nearby Low impact BES Assets as part of a prototype program to test and implement electronic and physical security controls
• Roll out the cyber security training and awareness programs early on to minimize resistance to change from field personnel
-
Best Practices and Next Steps
• Vet documents as they are implemented and make any necessary changes to reflect actual field conditions
• Continue to develop and improve electronic and physical security measures and controls during the implementation
• Integrate additional BES Assets on your project timeline based on the knowledge gained and lessons learned during the prototype phase
• Develop lists of Cyber Assets during the implementation phase; this practice will help greatly during the implementation of CIP-003-7
-
CIP-003-x Standard Versions
• CIP-003-5 only requires an entity to implement four cyber security policies (R2.1-R2.4)
• CIP-003-5 becomes effective October 1, 2018 (BCUC Order R-38-15, 2015 July 24)
• Subsequent versions moved the cyber security policies to R1.2, while R2 now requires more extensive plans, processes, and procedures for Low impact BES Assets
• CIP-003-6 was held in abeyance for British Columbia due to the pending CIP-003-7 revision (adopted by NERC Board of Trustees February 9, 2017), which is awaiting FERC approval in the US
• FERC proposed approval of CIP-003-7 on October 26, 2017 in a Notice of Public Rulemaking [NOPR] published in the Federal Register (2017 October 29), with a comment period ending December 26, 2017
-
CIP-003-7 Items of Interest
• Since FERC approval of CIP-003-7 is expected in the first quarter of 2018, a prudent entity would review CIP-003-7 (NERC, 2017 February 9) and prepare for possible BCUC adoption of that Standard
• CIP-003-7 clarifies the elements to which electronic access protections need to be applied, as directed by FERC to NERC as a condition of adopting CIP-003-6
• BCUC may not adopt the LERC and LEAP terms, which will be retired from the NERC Glossary upon FERC approval of CIP-003-7 and addressed as electronic access controls (see NERC, 2017 Feb 9, CIP-003-7: Attachment 1 Section 3, p. 22)
• CIP-003-7 may be in the next BC Hydro Standard assessment report filed with the BCUC this year
-
Key Changes in CIP-003-7
• CIP-003-7 moved Low impact cyber security policies from R2 to R1.2 (p. 5) and added policies for malicious code mitigation for Transient Cyber Assets [TCA] and Removable Media [RM] (R1.2.5) as well as CIP Exceptional Circumstances (R1.2.6)
• R2 references Attachment 1 (pp. 22-24), which includes specific provisions for cyber security plans:
  – Section 1: Cyber Security Awareness,
  – Section 2: Physical Security Controls,
  – Section 3: Electronic Access Controls,
  – Section 4: Cyber Security Incident Response, and
  – Section 5: TCA and RM Malicious Code Risk Mitigation.
• Attachment 2 (pp. 25-27) provides examples of evidence for the five section plans cited above
-
Speaker Contact Information
Joseph B. Baugh, Ph.D., MBA
PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security
Western Electricity Coordinating Council (WECC)
jbaugh (at) wecc (dot) biz
(C) 520.331.6351
(O) 360.600.6631
-
References
• BCUC. (2015 July 24). Order R-38-15. Retrieved from http://www.bcuc.com/Documents/Orders/2015/DOC_44244_R-38-15_BCH_MRS_RPT_8.pdf
• FERC. (2017 October 29). Revised Critical Infrastructure Protection Reliability Standard CIP–003–7—Cyber Security—Security Management Controls [Notice of Public Rulemaking], 18 CFR Part 40, Docket No. RM17-11-000. In Federal Register, 82(206), (pp. 49541-49549). Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2017-10-26/pdf/2017-23287.pdf
• FERC. (2017 December 21). Cyber Security Incident Reporting Reliability Standards [Notice of Public Rulemaking], 161 FERC ¶ 61,291, 18 CFR Part 40, Docket Nos. RM18-2-000 and AD17-9-000. Retrieved from https://www.ferc.gov/whats-new/comm-meet/2017/122117/E-1.pdf
-
References
• NERC. (2018 January 2). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/files/glossary_of_terms.pdf
• NERC. (2017 February 9). CIP-003-7 – Cyber Security – Security Management Controls [Adopted by NERC Board of Trustees]. Retrieved from http://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-7.pdf
• Wood, L. (2016 March 24). Low Impact Case Study (LICS) Presentation/Panel. Presentation at WECC Compliance Workshop in La Jolla CA. Retrieved from https://www.wecc.biz/_layouts/15/WopiFrame.aspx?sourcedoc=/Administrative/13a%20Low%20Impact%20Case%20Study%20March%202016%20Wood.pdf&action=default&DefaultItemOpen=1