WECC CIP-101 CIP-002 Mock Audit 09242014 FINAL




CIP-101: Making the Transition CIP-002-3 to CIP-002-5.1 Mock Audit

Henderson, NV, September 24-25, 2014

Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM

Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council

Speaker Intro: Dr. Joseph Baugh

• 40+ years Electrical Utility Experience
– Senior Compliance Auditor, Cyber Security
– IT Manager & Power Trading/Scheduling Manager
– IT Program Manager & Project Manager
– PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs
– NERC Certified System Operator
– Barehand Qualified Transmission Lineman

• 20 years of Educational Experience
– Degrees earned: Ph.D., MBA, BS-Computer Science
– Academic & Technical Course Teaching Experience

• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• Business Strategy, Leadership, and Management
• Information Technology and IT Security
• Project Management

September 24-25, 2014 Western Electricity Coordinating Council

Slide 2

WECC CIP-101 Disclaimer

• The WECC Cyber Security team has created a mythical Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the CIP audit processes.

• Any resemblance of BILL to any actual Registered Entity is purely coincidental.

• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual CIP Compliance audit.

Slide 3


Agenda

• Class Introductions – Name, Title, Organization, Interest in CIP-002
• Review CIP-002-5.1 Requirements
• Review CIPv5 Transition Guidance
• Review CIP-002-5.1 Team audit approach
• CIP-002-5.1 Mock Audit Overview
• The BILL Mock Audit
• Questions

Slide 4

CIP-002-5.1 Overview

• CIP-002-5.1 is the first step on the CIP Compliance trail.
• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1.
• CIP-002-5.1 replaces LSE with the DP function; the TSP function drops out.
• Some entities may find they are only required to be compliant with CIP-002-5.1 R1-R2 & CIP-003-5 R2-R4.
– Typically requires a reduced scope audit that will be conducted at WECC offices or other locations, as necessary.
– True if IRC application generates null R1.1 & R1.2 lists.
– Must also provide a valid R1.3 list of Low Impact BES Assets.
– Pending Low Impact BCS Requirements discussed in CIP-003-6 R2.

Slide 5

Diagram: R1.1 - R1.2 Process (Identify BCS). Input: List of High & Medium Assets. Outputs: R1.1, R1.2 Lists. The List of Low Impact Assets passes through as the R1.3 List.

CIP-002-5.1: R1

• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:

Slide 6

Diagram: R1 Process. Input: Inventory of BES Assets. Outputs: List of High, Medium, & Low Assets.


CIP-002-5.1: R1

• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
– i. Control Centers and backup Control Centers;
– ii. Transmission stations and substations;
– iii. Generation resources;
– iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
– v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
– vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

• Generates Low impact BES assets for R1.3 list

Slide 7

CIP-002-5.1: R1.1 - R1.3

• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
– 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

Slide 8

CIP-002-5.1 Requirements: R2

• Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1]

• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3, R4) must approve the initial lists [R2.2] and at least once every 15 months thereafter:
– The R1.1, R1.2, and R1.3 lists
– Include signed and dated null lists, if applicable

• The entity must maintain signed and dated records of the approvals listed above.
– Electronic or physical approvals accepted

Slide 9

Diagram: R2 Review & Approval Process. Inputs: R1.1, R1.2, R1.3 Lists. Outputs: Signed and Dated Records.


CIP-002-5.1: Direction

• CIP-002-5 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).

• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Option 3).

• Compliance date for Low impact BES Assets is April 1, 2017.
– Specific Low impact control modifications are under review by industry and oversight groups [See CIP-003-6 R2]
– Currently, four programmatic controls from CIP-003-5 R2
– Don't ignore, but don't prioritize for now.

Slide 10

CIPv5 Transition Guidance

• "As a practical matter, NERC understands that Responsible Entities cannot complete transition to the CIP V5 Standards in a single instance; rather, transition to full implementation will occur over a period of time as Responsible Entities develop the necessary procedures, software, facilities, or other relevant capabilities necessary for effective compliance with the CIP V5 Standards." (NERC, 2014 Aug 12, Transition Guidance, p. 2)

Slide 11

CIPv5 Transition Guidance

• "To help ensure that they are fully compliant with the CIP V5 Standards upon the effective date, Responsible Entities may need or prefer to transition from compliance with the requirements of the CIP V3 Standards to implementation of the requirements of the CIP V5 Standards during the Transition Period. As such, there may be a period of time prior to the effective date of the CIP V5 Standards date when Responsible Entities begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are still mandatory and enforceable." (NERC, 2014 Aug 12, Transition Guidance, p. 2)

Slide 12


CIP v5 Transition Guidance

• WECC recommends entities with sound CIPv3 compliance programs immediately start transitioning to CIPv5 compliance
– Freeze your CIPv3 program
– Roll forward the compatible parts of CIPv3
– Integrate the remaining elements of CIPv5

• Not a huge burden for CIP-002-5.1 compliance, but may present challenges for other Standards.

Slide 13

CIP v5 Transition Options*

*see Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)

Slide 14

BILL Documents Option 3

Slide 15


WECC Audit Team Approach

• Use a methodical approach to deliver consistent results across all entities.

• Use the RSAW supplied by the entity as initial working papers to document the audit and findings.

• Review Initial Evidence package supplied by the entity in response to Attachment G:
– One-line diagrams (we'll see the BILL one-line later)
– Specific CIP-002-5.1 evidentiary documents

Slide 16

CIP-002-5.1 Audit Team Approach

• Audit to the Standard.
• Review the Evidence:
– Inventory of BES Assets
– One line diagrams
– Application of the IRC
– R1.1, R1.2, R1.3 lists
– R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)

• DR for additional information, as needed.
• Complete the RSAW
• Develop the Audit Report

Slide 17

Flowchart: CIP-002-5.1 Process

• Optional: Apply BES Definition to inventory of BES assets. Begin CIP-002-5.1 Process with inventory of BES Assets.
• Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi].
• Are any BES assets rated as High or Medium?
– No: Place all Low BES assets on R1.3 List
– Yes: Evaluate High & Medium BES assets for all applicable BCS
• Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset.
• Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset.
• Add BCS to the appropriate list: R1.1: High Impact BCS, R1.2: Medium Impact BCS.
• Are there more High or Medium BES assets?
– Yes: Continue BCS evaluations
– No: Continue to R2
• R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter.
• R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter.
• Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable.

WECC Audit Team Approach

• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low Impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-lines and BES Asset inventory
• If full Compliance audit:
– Hold interviews with the entity's CIP SMEs
– Perform site visits (Trust, but Verify)
• Validate annual approval documentation [R2]
• Submit DR's, as needed, to clarify compliance
• Determine findings (NF, PV, or OEA)
• Discuss findings with entire Cyber Security Team
• Complete RSAW
• Prepare CIP audit report (ATL & CPC)

Slide 18


Attachment G*: CIP-002-5.1 Evidence

• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
– [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
– [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
– [R1.3]: A list of Low impact BES Assets identified by application of Attachment 1, Section 3.

• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.

* The 2015 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.

Slide 19

WECC Audit Team Approach

• Submit Data Requests [DRs] for any additional information that will support the entity's compliance efforts, e.g.:
– Prior documentation to provide bookends
– Address any questions or concerns

Slide 20

CIP-101 Mock Audit Overview

• BILL declared Option 3 of the recent NERC CIPv5 Transition Guidance (NERC, 2014 Sept 17, p. ).

• BILL compared inventory of BES Assets against current definition of Bulk Electric System (NERC, 2014 Sept 17, Glossary of Terms, pp. 18-21; NERC, 2014 April, BES Definition Guidance Document, v2)

• BILL identified and documented lists of High and Medium Impact BCS and a list of Low Impact BES Assets through an application of the Impact Rating Criteria [IRC] (NERC, 2013 Nov 22, CIP-002-5.1: Attachment 1, pp. 14-16).

• BILL requires a full Compliance audit on CIP-002-5.1 through CIP-011-1
– First week: Discovery phase at WECC offices
– Second week: Compliance audit at BILL office

Slide 21


CIP-101 Mock Audit Overview

• This session covers a mock audit of CIP-002-5.1 only

• The mock audit squeezes 2 weeks of audit activities into a few hours.
– Sample DR's
– Mock Interview
– Site Visits
– Use the RSAW as the guiding document
– Present and review evidence for each requirement
– What do YOU think is the appropriate finding for each requirement?

Slide 22

CIP-101 Mock Audit

• Walk through audit process in more detail
• Explain the differences between a reduced scope off-site audit and a full Compliance audit

• The Mock Audit simulates a Compliance audit of Billiam Power Company [BILL]

• BILL is registered with NERC as a BA, DP, GO, GOP, LSE, TO, TOP, TP, and TSP.

• For the CIP audit, the BA, DP, GO, GOP, TO, and TOP functions are in scope.

Slide 23

Review Initial Evidence

• Received from the entity in the initial evidence package

• Responses to data requests in Attachment G
• Information contained in entity response to the RSAWs

• Sets the stage for the initial audit review
– Discovery phase at the WECC offices

• Followed up by additional Data Requests as needed

Slide 24


The BILL System*

• Billiam Power Company's (hereafter referred to by its NERC acronym, BILL) Balancing Authority (BA) area is effectively within the boundaries of the three counties on the western edge of Some State, bordered by Another State on the north and the Almost Mountains on the East and South. These three counties occupy about 15% of the land area of the state and contain about 20% of the state's population.

• BILL is registered as a BA, DP, GO, GOP, LSE, TO, TOP, TP, TSP

Slide 25

The BILL System (Generation)

• BILL's primary generation station is located in eastern Whatchamacallit County. The BILL generation station has two 1,000 MW fossil fuel generating units. The output of these units supports BILL's native load and any available excess energy is marketed throughout the WECC Interconnection.

• BILL owns and operates nine Combustion Turbines (averaging 30 MWs each) located near various consumer load centers throughout the service territory. These CT's are primarily used as peaking units and for voltage and frequency support during the summer months.

Slide 26

The BILL System (Generation)

• BILL also owns and operates the BILL-3 Hydroelectric plant on the Sweet William River. BILL-3 has a nameplate rating of 100 MW. This hydro unit is Blackstart capable and is connected to the BILL Generation Station through a dedicated 115 kV line that runs 87 miles from Sub3 to Sub1.

• Total BILL generation capacity is 2,380 MWs.

Slide 27


The BILL System (Transmission)

• There are two synchronous 345 kV interties with adjacent BA's that define the BILL BA area. These ties are with XXXX Electrical Utility and YYYY Federal Power District at Sub1, which is adjacent to the BILL Generation Station.

• The BES portion of BILL's BA area, its 345 kV, 230 kV, and 115 kV facilities, include 190 miles of 345 kV transmission lines, 450 miles of 230 kV lines, and 973 miles of 115 kV lines.

• BILL owns and operates two 345 kV substations, 25 230 kV substations, and 52 115 kV substations throughout its service territory. BILL serves its native residential and commercial load through its 115 kV and 230 kV transmission facilities.

Slide 28

The BILL System (Control Centers)

• BILL's Generation and Transmission Facilities are monitored and operated from the Primary Control Center (PCC) located at the corporate headquarters in Big Bill City. BILL also maintains a hot stand-by Back-up Control Center (BUCC) located in its operations center in Little Bill City, which is approximately 50 miles from the PCC.

• BILL is a summer peaking BA and BILL's BA all-time area peak load was recorded on July 20, 2010 at 2,482 MWs.

Slide 29

BILL One-Line Diagram

Slide 30


BILL's BES Asset Identification

• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC
– Starts with an overall Inventory of entity BES assets.
– Did the entity use the new BES Definition to exclude any BES Assets?

• If so, review and validate those exclusions
– Use the IRC to identify and document the R1.x lists

Slide 31

High IRC (Control Centers)

Medium IRC (Control Centers)


Low IRC (Control Centers)

R1.i: Example of Auditable Process

BILL's BES Asset Identification

• Were applicable BES assets evaluated relative to IRC criteria 2.3, 2.6, or 2.8?

• Did BILL demonstrate coordination with the applicable registered function(s)?
– If not, should we submit a data request?

Slide 36


Medium IRC (Transmission)

Medium IRC (Transmission)

Medium IRC (Transmission)


Medium / Low IRC (Transmission)

R1.ii: Example of Auditable Process

Medium IRC (Generation)


Medium / Low IRC (Generation)

R1.iii-iv: Example of Auditable Process

Medium IRC (Protection Systems)


Low IRC (Protection Systems)

R1.v-vi: Example of Auditable Process

List of High & Medium BES assets

• Review the list of High BES assets
• Review the list of Medium BES assets
• Compare both lists to the lists developed for:
– R1.1: High impact BCS
– R1.2: Medium impact BCS

Slide 48


Compare 2013 List of Critical Assets

• For the next several years, CIP Auditors will be comparing the results of the application of the IRC to identify High and Medium BCS (primarily the BES assets containing such BCS) to the prior CIP-002-3 lists of Critical Assets and lists of Critical Cyber Assets and evaluate any significant differences

• This may not generate a PV, but it is guaranteed to generate discussions.

Slide 49

List of Low Impact BES Assets

• Review the list of Low Impact BES Assets
• Correlate this list against the entity's inventory of BES Assets and the list of High and Medium BCS locations.

Slide 50

BILL BES Assets: 2013 Control Centers

Slide 51


BILL BES Assets: 2014 Control Centers

Slide 52

BILL BES Assets: 2013 Substations

Slide 53

BILL BES Assets: 2014 Substations

Slide 54


BILL BES Assets: 2013 Generation

Slide 55

BILL BES Assets: 2014 Generation

Slide 56

BILL BES Assets: 2013 Special Systems

Slide 57


BILL BES Assets: 2014 Special Systems

Slide 58

Validate BES Asset Lists

• Review and compare the prior lists of CIP-002-3 R2 Critical Assets to the current lists of High and Medium BES Assets
• Did the results seem reasonable?
• Did the entity opt to reduce its number of Transmission Assets through the application of the BES Definition?
• If so, did the entity provide valid rationale for all exclusions?
• Do the Transmission BES Medium Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?

Slide 59

BILL BES Assets: 2013 Critical Assets

Slide 60


BILL BES Assets: 2014 High & Medium BES Assets

Slide 61

2013 Critical Assets vs. 2014 High & Medium BES Assets – Net Changes

• Control Centers (High BCS)
– Both Control Centers move from CA list to High BES asset list

• Substations (Medium BCS)
– Subs 1 and 2 move from CA list to Medium BES asset list
– Add 4 (Subs 4, 7, 8, 11) to Medium BES asset list
– 1 (Sub 3, Blackstart Cranking Path) moves to Low BES asset
– Other Transmission subs become Low BES Assets

• Generation Units (Medium and/or Low BCS)
– Big Bill Station is a Medium BES asset
– Blackstart unit becomes Low BES asset
– Combustion turbines become Low BES assets

• Special Protection Systems (BCS Not Applicable)
– No change

Slide 62
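The R2 "bookends" check (slide 9) and the 2013 Critical Asset vs. 2014 High/Medium comparison (slides 49 and 62), modelled as an added Python example that is not part of the WECC deck or BILL's evidence. Asset names follow the BILL slides; the 2013 Critical Asset membership, the approval records and their dates are constructed for the example.

```python
"""Two CIP-002-5.1 auditor checks from the deck, modelled in code.

Added example (not WECC or BILL material): check_r2 applies the R2 "bookends"
test (signed, dated approvals of the R1.1, R1.2 and R1.3 lists, null lists
included, no more than 15 calendar months apart), and net_changes compares
the CIP-002-3 Critical Asset list with the 2014 High/Medium/Low lists.
Asset names follow the BILL slides; the approval records are constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Approval:
    """One R2.2 approval record for one R1.x list."""
    list_id: str             # "R1.1", "R1.2" or "R1.3"
    approved_on: date
    approver: str            # CIP Senior Manager or named delegate
    signed: bool
    null_list: bool = False  # a null list still needs a signed, dated approval


def add_calendar_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to that month's last day.

    The Standard counts calendar months, not days: 2013-01-31 plus 15
    months is 2014-04-30, not 2014-05-01 or "about 456 days".
    """
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def check_r2(approvals: list[Approval], audit_period_end: date) -> list[str]:
    """Return audit observations for R2; an empty list means no finding."""
    findings: list[str] = []
    for list_id in ("R1.1", "R1.2", "R1.3"):
        recs = sorted((a for a in approvals if a.list_id == list_id),
                      key=lambda a: a.approved_on)
        if not recs:
            findings.append(f"{list_id}: no approval record at all")
            continue
        for a in recs:
            if not (a.signed and a.approver):
                findings.append(f"{list_id}: record dated {a.approved_on} is unsigned")
        # Bookends: each approval within 15 calendar months of the prior one ...
        for prev, cur in zip(recs, recs[1:]):
            deadline = add_calendar_months(prev.approved_on, 15)
            if cur.approved_on > deadline:
                findings.append(f"{list_id}: {cur.approved_on} is past deadline {deadline}")
        # ... and the latest approval still current at the end of the audit period.
        deadline = add_calendar_months(recs[-1].approved_on, 15)
        if audit_period_end > deadline:
            findings.append(f"{list_id}: latest approval {recs[-1].approved_on} is stale")
    return findings


def net_changes(ca_2013: set[str], high: set[str], medium: set[str],
                low: set[str]) -> dict[str, set[str]]:
    """Classify how each asset moved between the 2013 CA list and the 2014 lists."""
    return {
        "ca_to_high": ca_2013 & high,
        "ca_to_medium": ca_2013 & medium,
        "added_to_medium": medium - ca_2013,
        "ca_to_low": ca_2013 & low,                    # e.g. a Cranking Path substation
        "ca_dropped": ca_2013 - high - medium - low,   # would need a DR to explain
    }


# Constructed BILL evidence. Asset names come from the slides; the 2013 CA
# membership and every approval date are invented for the example.
CA_2013 = {"PCC", "BUCC", "Sub1", "Sub2", "Sub3", "Big Bill Station", "BILL-3 Hydro"}
HIGH_2014 = {"PCC", "BUCC"}
MEDIUM_2014 = {"Sub1", "Sub2", "Sub4", "Sub7", "Sub8", "Sub11", "Big Bill Station"}
LOW_2014 = {"Sub3", "BILL-3 Hydro"} | {f"CT{i}" for i in range(1, 10)}
BILL_APPROVALS = [
    Approval("R1.1", date(2013, 1, 31), "CIP Senior Manager", signed=True),
    Approval("R1.1", date(2014, 4, 30), "CIP Senior Manager", signed=True),  # exactly 15 months
    Approval("R1.2", date(2013, 1, 31), "CIP Senior Manager", signed=True),
    Approval("R1.2", date(2014, 5, 1), "Delegate", signed=True),              # one day late
    Approval("R1.3", date(2013, 6, 15), "", signed=False, null_list=True),   # unsigned null list
]
AUDIT_PERIOD_END = date(2014, 9, 24)

if __name__ == "__main__":
    for f in check_r2(BILL_APPROVALS, AUDIT_PERIOD_END):
        print("R2 observation:", f)
    for k, v in net_changes(CA_2013, HIGH_2014, MEDIUM_2014, LOW_2014).items():
        print(f"{k}: {sorted(v)}")
```

On the constructed records the R1.2 approval lands one day past the 15-calendar-month deadline and the R1.3 null list is both unsigned and stale by the audit period end, while every 2013 Critical Asset is accounted for on a 2014 list.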

R1: BES Asset Lists Review Questions

• Did BILL apply the IRC appropriately?
• Does BILL need to confer with its RC, PA, or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8?

• Application Questions
– Did BILL consider all BES asset types in R1.i through R1.vi?
– Did BILL review and evaluate all BES Assets through the IRC?
– Did BILL clearly identify and document all BES assets in the appropriate impact rating?

• Is any additional information necessary before we look at the BCS groupings?
– If so, do we submit a DR?

Slide 63


Identifying High and Medium BCS

• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
  – 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  – 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  – 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).


R1: Identify and Document BCS

• Use the lists of High- & Medium-impact BES assets.
• Identify the BCA associated with each BES Asset.
• Logically group BCA into BCS.
• Document each BCS on the R1.1 or R1.2 list, as appropriate.
• Add Low-impact BES assets to the R1.3 list.


[Diagram: Inputs (List of High & Medium Assets) → R1.1-R1.2 Process: Identify BCS → Outputs (R1.1, R1.2 Lists); Input (List of Low Impact Assets) → R1.3 List]

R1.1-R1.2: Identifying BCS

• Develop an auditable process to examine each High and Medium impact Facility
• Examine the inventory of BCA at each Facility
• Consider reliability functions
• Group BCA into logical BCS
• Identify PCA, EACMS, and PACS


Process to Identify BCS

CIP-002-5 requires the identification of High & Medium impact BCS, but it may be a good idea to consider & identify the different types of BCS (CIP-005-5, pp. 4-5) and associated Cyber Assets (CIP-002-5, p. 6) at this point to facilitate later determinations in the Applicability Matrices of other CIP standards:

• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS with External Routable Connectivity
• PCA
• EACMS
• PACS

[Flowchart: For each High- or Medium-impact Facility, use the inventory of BES Cyber Assets at the Facility to identify and list the R1.1 and R1.2 BES Cyber Systems (BCS); validate the list of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the Facility; then ask "Are there more High or Medium Facilities?" (Yes: repeat for the next Facility; No: done).]

Consider Reliable Operation of the BES

• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).
• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).


Consider Real-Time Operations

• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).
• The 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791, P. 123, p. 72771).


Consider Ancillary BES Cyber Assets

• Protected Cyber Assets [PCA]
  – Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
  – May also be lower impact BCA or BCS by virtue of the high-water mark (CIP-005-5, p. 14)
• Electronic Access Control or Monitoring Systems [EACMS]
  – Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)
• Physical Access Control Systems [PACS]
  – Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6).


BILL’s BCS Identification

• The next step in a CIP-002-5.1 audit is to review the entity’s development of the R1.1 through R1.3 lists.
• Starts with the identified lists of High and Medium impact BES assets.
• Uses the inventory of BES Cyber Assets at each such BES asset to identify and document a list of High and Medium BCS, even if such lists are null.
• Good idea to start with any existing lists of CCAs at applicable CIPv3 Critical Assets.


2014  BCS:  Primary  Control  Center  


2013  CCAs:  Backup  Control  Center  


2013  CCAs:  SUB1  


2012 Null Lists CCAs: Generation & Subs


2013 Null Lists CCAs: Generation & Subs


Identifying BES Cyber Assets

• Identify if the Cyber Asset meets the definition of BCA
• Check the length of installation
  – If < 30 days, determine if the Cyber Asset is a transient device.
• Group into logical BCS with associated PCA


Grouping BCA into BCS

• Entity determines the level of granularity of a BCS
  – There may be one or more BCA within a given BCS
  – Consider the BROS for your registrations
• "In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the 'BES Cyber System' term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term 'BES Cyber System' is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts" (CIP-002-5.1, 2013, p. 4)


Examples of BCS

[Figure: example BCS groupings labelled EMS BCS, Generation BCS (three), and Transmission BCS (two)]

Examples of BCA Groupings: BA/TOP

• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)


Examples of BCA Groupings: BA/TOP
Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg

[Figure: control-center network diagram drawn inside an ESP, with components labelled High BCS, PCA, and Low or No BCS]


Examples of BCA Groupings: BA/TOP

• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems


Examples of BCA Groupings: TO/TOP
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from http://publicintelligence.net/scada-a-deeper-look/

[Figure: SCADA architecture diagram with components labelled SCADA Component BCS, EMS BCS (two), RTU BCS, and Protective Relay BCS]

Examples of BCA Groupings: GO/GOP

• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)


Examples of BCA Groupings: GO/GOP
Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf

[Figure: generating-plant control system diagram with components labelled Medium BCS (four), PCA (three), and Low BCS]

Consider BCS Types

• High Impact BCS,
• High Impact BCS w/ Dial-up Connectivity,
• High Impact BCS w/ External Routable Connectivity,
• Medium Impact BCS,
• Medium Impact BCS at Control Centers,
• Medium Impact BCS w/ Dial-up Connectivity,
• Medium Impact BCS w/ External Routable Connectivity,
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)

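The R1 walk-through described above (BCA test, transient check, BCS grouping, R1.1/R1.2/R1.3 lists, BCS connectivity types, and the associated PCA, EACMS and PACS), carried out in code as an added example. This is not WECC code and not BILL evidence: every facility, device and ESP name below is constructed. Three simplifications are this example's assumptions, not the standard's text: a BCS takes the Attachment 1 rating of the BES asset it sits at (an actual process applies the Attachment 1 criteria to each BCS), PCA carry the high-water mark of the ESP they sit in, and EACMS/PACS are flagged by a role tag rather than by inspecting the device.

```python
"""Added example (not WECC code, not BILL evidence): CIP-002-5.1 R1 walk-through
on a constructed inventory. Assumptions: a BCS takes its BES asset's Attachment 1
rating; PCA take the ESP high-water mark; EACMS/PACS are flagged by a role tag."""
from dataclasses import dataclass
from typing import Optional

IMPACT_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Facility:
    name: str
    kind: str     # "Control Center", "Substation" or "Generation"
    impact: str   # Attachment 1 rating of the BES asset


@dataclass(frozen=True)
class CyberAsset:
    name: str
    facility: str
    impacts_bes_within_15_min: bool   # the BCA test; redundancy is NOT considered
    bcs_group: Optional[str] = None   # entity-chosen grouping, e.g. "EMS", "RTU"
    esp: Optional[str] = None         # tentative ESP the asset sits in, if any
    days_installed: int = 365         # < 30 days: evaluate as a transient device
    roles: frozenset = frozenset()    # "eap", "intermediate", "auth", "monitoring", "pacs"
    dial_up: bool = False             # Dial-up Connectivity
    external_routable: bool = False   # External Routable Connectivity


def classify_asset(a: CyberAsset) -> str:
    """Category of one Cyber Asset, in the order of 'Identifying BES Cyber Assets'."""
    if a.days_installed < 30:
        return "Transient"
    if a.impacts_bes_within_15_min:
        return "BCA"
    if a.roles & {"eap", "intermediate", "auth", "monitoring"}:
        return "EACMS"
    if "pacs" in a.roles:
        return "PACS"
    return "PCA" if a.esp else "Not applicable"   # in an ESP but not a BCA: PCA


def bcs_type(impact, kind, dial_up, erc):
    """Applicability-matrix label from the 'Consider BCS Types' list."""
    label = f"{impact} Impact BCS"
    if impact == "Medium" and kind == "Control Center":
        label += " at Control Centers"
    if dial_up:
        label += " w/ Dial-up Connectivity"
    if erc:
        label += " w/ External Routable Connectivity"
    return label


def build_r1_lists(facilities, assets):
    fac = {f.name: f for f in facilities}
    cat = {a.name: classify_asset(a) for a in assets}

    # 1. Group BCA into BCS; each BCS inherits its BES asset's impact rating (assumption).
    bcs = {}
    for a in assets:
        if cat[a.name] != "BCA":
            continue
        e = bcs.setdefault((a.facility, a.bcs_group or a.name),
                           {"impact": fac[a.facility].impact, "members": [],
                            "dial_up": False, "erc": False, "esps": set()})
        e["members"].append(a.name)
        e["dial_up"] = e["dial_up"] or a.dial_up
        e["erc"] = e["erc"] or a.external_routable
        if a.esp:
            e["esps"].add(a.esp)

    # 2. High-water mark of each ESP: the highest-impact BCS inside it.
    esp_mark = {}
    for e in bcs.values():
        for esp in e["esps"]:
            if IMPACT_RANK[e["impact"]] > IMPACT_RANK.get(esp_mark.get(esp), -1):
                esp_mark[esp] = e["impact"]

    out = {"R1.1": [], "R1.2": [], "PCA": {}}
    for (facility, name), e in sorted(bcs.items()):
        label = bcs_type(e["impact"], fac[facility].kind, e["dial_up"], e["erc"])
        if e["impact"] in ("High", "Medium"):
            out["R1.1" if e["impact"] == "High" else "R1.2"].append((name, facility, label))
        # Low BCS are not enumerated; only their BES asset goes on the R1.3 list.

    # 3. R1.3: every BES asset not rated High or Medium defaults to Low.
    out["R1.3"] = sorted(f.name for f in facilities if f.impact == "Low")

    # 4. Associated Cyber Assets; a PCA carries its ESP's high-water mark.
    for a in assets:
        if cat[a.name] == "PCA":
            out["PCA"][a.name] = esp_mark.get(a.esp, "Low")
    for c in ("EACMS", "PACS", "Transient"):
        out[c] = sorted(a.name for a in assets if cat[a.name] == c)
    return out


FACILITIES = [  # constructed sample, not BILL's evidence
    Facility("Primary Control Center", "Control Center", "High"),
    Facility("SUB1", "Substation", "Medium"),
    Facility("SUB26", "Substation", "Low"),
    Facility("CT Plant", "Generation", "Low"),
]
INVENTORY = [  # constructed sample, not BILL's evidence
    CyberAsset("EMS-SRV1", "Primary Control Center", True, "EMS", "CC-ESP", external_routable=True),
    CyberAsset("EMS-SRV2", "Primary Control Center", True, "EMS", "CC-ESP"),  # redundant pair: still BCA
    CyberAsset("HIST-1", "Primary Control Center", False, None, "CC-ESP"),    # historian in the ESP: PCA
    CyberAsset("CC-FW", "Primary Control Center", False, roles=frozenset({"eap"})),
    CyberAsset("CC-AD", "Primary Control Center", False, roles=frozenset({"auth"})),
    CyberAsset("CC-BADGE", "Primary Control Center", False, roles=frozenset({"pacs"})),
    CyberAsset("SUB1-RTU", "SUB1", True, "RTU", "SUB1-ESP", external_routable=True),
    CyberAsset("SUB1-RELAY-1", "SUB1", True, "Protective Relays", "SUB1-ESP", dial_up=True),
    CyberAsset("SUB1-TESTSET", "SUB1", False, None, "SUB1-ESP", days_installed=5),
    CyberAsset("SUB26-RTU", "SUB26", True, "RTU"),
    CyberAsset("CT-DCS", "CT Plant", True, "DCS"),
]


def sample_lists():
    return build_r1_lists(FACILITIES, INVENTORY)


if __name__ == "__main__":
    for section, items in sample_lists().items():
        print(section, items)
```

Two things worth noticing in the output: the redundant EMS server is still a BCA, because redundancy is not considered in the 15-minute test; and the relay with an engineering modem turns the substation's relay BCS into "Medium Impact BCS w/ Dial-up Connectivity", which is the distinction an auditor checks when undocumented modems show up at a site. The Low-rated sites appear only on the R1.3 list, with no BCS enumerated.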

R1.1: Example of Auditable Process


R1.1: Example of Auditable Process (continued)

R1.3: Example of Auditable Process

• Any BES Asset (i.e., Facility) not rated as High or Medium defaults to a Low Impact rating and should be placed on the R1.3 list
• BCS associated with a Low impact BES Asset also become Low impact BCS.
• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3.
• Comply with CIP-003-6 R2 for specific technical controls


BILL’s Review & Approval Process

• The next step in a CIP-002-5.1 audit is to review the identifications of the lists created in R1, even if such lists are null.
  – R1.1 list of High BCS
  – R1.2 list of Medium BCS
  – R1.3 list of Low-impact BES assets
• Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists.


[Diagram: Inputs (R1.1, R1.2, R1.3 Lists) → R2 Review & Approval Process → Outputs (Signed and Dated Records)]


R2: Annual Approval Review Questions

• Did BILL review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?
• Did BILL update the lists, as necessary?
• Did the BILL CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?
• Application Questions
  – Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DRs necessary?
  – If so, what additional information is required?

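The R2 cadence questions above, turned into a check an auditor can run over the approval evidence. This is an added example, not part of the WECC deck, and the approval history it runs on is constructed (dates, approvers and list coverage are invented). It flags any interval longer than 15 calendar months between consecutive approvals, an approval that is overdue as of the audit date, an approval record that does not cover all three lists (null lists still need approval), and a record with no signer. The reading of "15 calendar months" as running to the last day of the fifteenth month after the previous approval's month is this example's assumption; confirm it against the ERO's current guidance before relying on it.

```python
"""Added example (not WECC code): cadence check for the R2 evidence, run over a
constructed approval history. Assumption: "at least once every 15 calendar
months" is read as "no later than the last day of the 15th calendar month after
the month of the previous approval"; confirm that reading against ERO guidance."""
import calendar
from datetime import date

REQUIRED_LISTS = {"R1.1", "R1.2", "R1.3"}   # approval is required even for null lists


def deadline_after(prev: date, months: int = 15) -> date:
    """Last day of the calendar month `months` months after prev's month."""
    years, month0 = divmod(prev.month - 1 + months, 12)
    year, month = prev.year + years, month0 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def check_r2_cadence(records, as_of: date):
    """records: (approval_date, approver, lists_covered) tuples, any order.
    Returns the issues an auditor would raise; an empty list means the evidence
    shows no cadence gap, no uncovered list and no missing signer."""
    issues = []
    recs = sorted(records, key=lambda r: r[0])
    for prev, cur in zip(recs, recs[1:]):
        due = deadline_after(prev[0])
        if cur[0] > due:
            issues.append(f"gap: {prev[0]} -> {cur[0]} (due by {due})")
    if recs and as_of > deadline_after(recs[-1][0]):
        issues.append(f"overdue: last approval {recs[-1][0]}, "
                      f"due by {deadline_after(recs[-1][0])}, as of {as_of}")
    for d, approver, lists in recs:
        missing = REQUIRED_LISTS - set(lists)
        if missing:
            issues.append(f"{d}: approval does not cover {sorted(missing)}")
        if not approver:
            issues.append(f"{d}: no signer recorded")
    return issues


SAMPLE_RECORDS = [  # constructed evidence, not BILL's
    (date(2014, 1, 15), "CIP Senior Manager", ["R1.1", "R1.2", "R1.3"]),
    (date(2015, 4, 30), "CIP Senior Manager", ["R1.1", "R1.2", "R1.3"]),  # last day of month 15: on time
    (date(2016, 8, 1), "Delegate", ["R1.1", "R1.2"]),                    # one day late; R1.3 not approved
]


def sample_issues():
    return check_r2_cadence(SAMPLE_RECORDS, as_of=date(2017, 10, 1))


if __name__ == "__main__":
    for issue in sample_issues():
        print(issue)
```

The second record shows why the calendar-month reading matters: an approval on 30 April 2015 after one on 15 January 2014 is on time under the end-of-month reading but would be a gap under a 15-months-to-the-day reading. The third record is the kind of evidence that prompts a DR: it is both one day past the deadline and silent on the R1.3 list.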

On-Site Activities: The Interview

• Set up through an interview DR the prior week
• Typically held on Monday of the on-site week immediately after the opening presentation
• Examines the entity’s understanding of and approach to R1-R4
• Cover any areas of concern raised through the initial evidence review
• Schedule follow-up interview(s), if needed, after the site visits


On-site Activities: Mock Interview

• Need four volunteers
  – You are BILL SMEs
  – No, you don’t get to practice
• We will ask a series of questions that we generally ask all CIP-002 SMEs
• Also ask questions of concern, if indicated by the initial review of the evidence
• The Interview Question Set


On-site Activities: Mock Interview

• What did we learn from the interview?
• What was the key issue from an audit perspective?
• Should we find a PV for this issue?
• Why or why not?


On-Site Activities: Site Visit

• Set up through a site visit DR the prior week
• Itinerary determined through review of the initial evidence
• Trust, but verify. Why?
• Depending on entity size, this may involve 100% validation or a statistical sampling:
• Where?
  – Control Centers
  – Generation Facilities
  – Transmission Facilities
• What?
  – High and Medium BCS
  – A sampling of Low Impact BES Assets


On-Site Activities: Site Visit

• Who?
  – CIP-002-5.1 Sub-Team
    • Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL
    • Works in conjunction with the CIP-005 sub-team
  – CIP-005-5 Sub-Team
    • Validates Electronic Access Points [EAPs] and Electronic Access Control or Monitoring Systems [EACMS]
    • Confirms ESP boundaries
  – CIP-006-5 Sub-Team
    • Validates PSPs and Physical Access Controls, such as PACS, cameras, logs, etc.
• My colleague provided an overview on CIP-006 audit activities earlier.


On-Site Activities: CIP-002-5.1 Site Visit

• What?
  – Validate lists of BCS
  – Validate null lists of BCS (if applicable)
  – Look for aberrations from the lists
  – Hold informal interviews with entity SMEs
• When?
  – Visit remote sites during the off-site audit week.
  – Most Control Centers on Tuesday of the on-site audit week
  – May extend to Wednesday depending on number of sites visited, distances traveled, resource constraints, etc.


On-Site Activities: BILL Site Visits

• Visit the Primary and Backup Control Centers
  – 100% validation of High BCS, PCA, etc. in both locations
  – Talk to Operators & SMEs
• Visit the BILL Generation Station, the Hydro Blackstart Facility, and a sampling of the CT units.
• Visit SUB1, SUB2, SUB3, SUB11
  – Validate the Medium BCS, PCA, etc.
  – Talk with entity SMEs
• Visit a sampling of Low-impact BES assets (SUB26, SUB53)
  – Validate the presence of Low BCS
  – Review CIP-003-6 R2 controls
• Site Visit Questions
  – Why validate the BCS at a given site?
  – Why ask questions of entity SMEs?
  – What do the auditors expect to find?


BILL Site Visits: Control Centers

• Visited the Primary Control Center
  – 100% validation of High BCS
  – Found nothing out of the ordinary.
• Visited the Backup Control Center
  – 100% validation of High BCS
  – Found nothing out of the ordinary.

 


Site Visits: Generation Units

• Visited BILL Generation Station
  – Validated Medium BCS and Low BCS
  – Found nothing out of the ordinary.

 


Site Visits: Substations

• Visited Sub 1
  – 100% validation of Medium BCS
  – Found nothing out of the ordinary.
• Visited Subs 2, 4, 7, 8, & 11
  – Validated Medium BCS.
  – Noticed something strange here.

 


Site Visits: What Did We See?

What is this device and what is it doing here in the subs?


On-Site Activities: Site Visit

• What did we learn from the site visit?
• Tour Notes DR
• Why do we validate Null lists of CCAs?
• What was the main concern with the unexpected devices?
• Should we DR for additional information?
• Would another interview be more effective?
• Does this situation call for an R3 PV finding?
• Why or why not?


Discussing the Findings

• Discuss with the whole Cyber Security Team
• Is there a PV for the undocumented devices?
  – R1.2: Undeclared Medium BCS?
    • BCA at the Combustion Turbines
    • Does the entity have documentation from its TP or PA/PC that exempts the CTs from Criterion 2.3?
  – R1.2: Incorrect identification of Medium BCS w/ Dial-up Connectivity?
    • The Substation Modems
• Determine the scope of a potential PV
  – How do we do this?
• Complete the CIP-002-5.1 Findings Table in the RSAW
• Submit to the ATL and CPC for the Closeout Presentation


Value-Added Activity: Feedback

• WECC audit teams never prescribe solutions, but we do:
  – Brief entities on findings
  – Encourage good security practices
  – Discuss examples of industry best practices
  – Identify areas of concern, which may not be violations, but which could stand improvement
  – Provide suggestions, when appropriate
• Support development of a sustainable compliance culture


Audit Documentation: The RSAW

• An auditor is judged by the quality of his or her working papers.
  – Complete the RSAW
  – Review evidence and notes for final determinations
  – DR for any final needed information
  – Document Findings


Audit Documentation

• Auditors review evidence, find facts, and report findings
  – Turn PVs over to the Enforcement team
  – Enforcement team depends heavily on the quality of auditor documentation
• Be Literate, be Concise, but above all else, Be Accurate.
• If it’s not written down, it didn’t happen.


Post-Audit Auditor Activities

• The Audit Report
  – Work with ATL & CPC
  – Verify findings and other information related to audited standard(s)
• Document findings in webCDMS
  – PV & OEA findings only
• Work with WECC Enforcement personnel to support Investigations as SME for audit processes and findings


Post-Audit Auditor Activities

• Participate in entity Outreach activities, such as this event and CIPUG meetings
• Be available and responsive to address entity questions/comments
• Work at National level
  – CCWG
  – Drafting teams
  – Comment on new Standards, CANs, etc.
  – Attend and present at Conferences
  – CIPv5 Pilot Study

   


Summary

• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid report
• Be available to CIP personnel at the entities
• Work at National level


Remember the Auditor’s Mission

Just the facts, Ma’am, just the facts!


References

• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf


References    

• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf


Speaker Contact Information

Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320, Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351 (O) 801.734.8357
