Post on 07-Apr-2017
CIP v5 Workshop CIP-002-5.1 Medley
Salt Lake City, UT September 9, 2015
Bryan Carr PMP, CISA, PSP
Compliance Auditor, Cyber Security Western Electricity Coordinating Council
Speaker Intro: Bryan Carr
• Joined WECC in August 2012
• Dr. TFE (Emeritus)
• Past compliance Program Manager at PacifiCorp
• Prior experience in project and program management
September 10, 2015 Western Electricity Coordinating Council
Agenda
• CIP-002-5.1 Requirements
• CIPv5 Transition Guidance
• Pre-Audit Data Request
• Lessons Learned & FAQs
• Site Visits
• Questions
Daily Dose of Dilbert
CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning]
  – i. Control Centers and backup Control Centers;
  – ii. Transmission stations and substations;
  – iii. Generation resources;
  – iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  – v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  – vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
CIP-002-5.1: R1.1 - R1.3
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
  – 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  – 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  – 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
CIP-002-5.1: Direction
• CIP-002-5.1 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Option 3).
• Compliance date for Low impact BES Assets is April 1, 2017.
  – Be sure to use CIP-003-6 when developing program and controls for Lows
  – Four programmatic controls specified in CIP-003-6 Attachment 1
  – Don’t ignore, but don’t prioritize for now.
CIPv5 Transition Guidance
• As a practical matter, NERC understands that Responsible Entities cannot complete transition to the CIP V5 Standards in a single instance; rather, transition to full implementation will occur over a period of time as Responsible Entities develop the necessary procedures, software, facilities, or other relevant capabilities necessary for effective compliance with the CIP V5 Standards. (NERC, 2014 Aug 12, Transition Guidance, p. 2)
CIPv5 Transition Guidance
• To help ensure that they are fully compliant with the CIP V5 Standards upon the effective date, Responsible Entities may need or prefer to transition from compliance with the requirements of the CIP V3 Standards to implementation of the requirements of the CIP V5 Standards during the Transition Period. As such, there may be a period of time prior to the effective date of the CIP V5 Standards date when Responsible Entities begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are still mandatory and enforceable. (NERC, 2014 Aug 12, Transition Guidance, p. 2).
CIP v5 Transition Options*
*see Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)
CIP v5 Transition Guidance
• WECC recommends entities choose Option 3 and immediately start transitioning to CIPv5 compliance
  – Freeze your CIPv3 program
  – Roll forward the “mostly compatible” parts of CIPv3
  – Integrate the remaining elements of CIPv5
• Not a huge burden for CIP-002-5.1 compliance, but may present challenges for other Standards.
• A feasible sequence of Standards for transition efforts
An Entity Documents Option 3
Quiz Time
• In 1916, how much did the U.S. pay for the Danish West Indies (Virgin Islands)?
$25,000,000 in gold
Attachment G*: CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
  – [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
  – [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
  – [R1.3]: A list of identified Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.
* 2016 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.
Lessons Learned
What is a Lesson-Learned?
• “Throughout the Implementation Study, study participants identified potential issues and asked NERC and Regional Entity staff to clarify certain aspects of the CIP Version 5 standards, or confirm that their approach was consistent with good security practices and compliance expectations.” (NERC, 2014 Aug 12, Transition Guidance, p. 23).
• One of the key goals of the pilot study was to develop Lessons-Learned by the study participants to:
  – Inform and support entity transition activities
  – Identify obstacles
  – Develop commonly understood solutions
• This portion of the presentation will cover WECC’s current understanding of the Lessons-Learned and FAQs [LL/FAQ] relative to CIP-002-5.1
What is a Lesson-Learned?
• To date, there are currently 23 LL/FAQ in various stages of development (NERC, 2014 Oct, Implementation Study Final Report: Table 7, pp. 24-26).
• Most Lesson-Learned documents were developed under this preamble:
  – This document is designed to convey lessons learned from NERC’s various activities. It is not intended to establish new requirements under NERC’s Reliability Standards or to modify the requirements in any existing reliability standards. Compliance will continue to be determined based on language in the NERC Reliability Standards as they may be amended from time to time. Implementation of this lesson learned is not a substitute for compliance with requirements in NERC’s Reliability Standards.
Caveats
• WECC does not provide prescriptive solutions, but bases its audit approach on the CIPv5 Standards and makes recommendations based on Best Practices.
• As of this presentation, most of the LL/FAQ documents are still fluid and may change before their final versions.
  – If significant changes are introduced, WECC’s audit approach relative to the LL/FAQ may also change.
  – While WECC does not expect major changes in direction, if they do occur, the WECC CIP Team will publicize any impacts on its CIPv5 audit approach as soon as possible.
Lessons Learned Summary
1. CIP‐002‐5 R1: Impact rating of generation resources (generation segmentation)
   Description: What options are available to categorize the impact rating of BES Cyber Assets at plants greater than 1500 MW?
   Type: LL
2. CIP‐002‐5 R1: Relay protection in substations with different impact ratings (i.e., far‐end relay/transfer trip)
   Description: How should the impact rating of line protection relays at each end of a transmission line connecting two substations be determined?
   Type: LL
3. CIP‐002‐5 R1: Programmable electronic devices
   Description: What are some practical examples for what is or is not a programmable electronic device?
   Type: LL
Lessons Learned Summary
4. CIP‐002‐5 R1: BES impact of transmission scheduling systems
   Description: Should transmission scheduling systems be considered medium- or high-impact rating BES Cyber Systems?
   Type: LL
5. CIP‐002‐5 R1: Identifying BES Cyber Systems and BES Cyber Assets
   Description: What are some practical approaches to identify BES Cyber Systems and BES Cyber Assets?
   Type: LL
6. CIP‐002‐5 R1: Distributed BES Cyber Assets at generating plants and substations
   Description: Are instrumentation devices such as sensors, actuators, and controllers considered to be programmable electronic devices? If so, what methods would be appropriate to secure them from a compliance perspective?
   Type: LL
Lessons-Learned / FAQ Summary
7. CIP‐002‐5 R1: Grouping BES Cyber Assets
   Description: What are the advantages of grouping BES Cyber Assets into BES Cyber Systems, and how can this help demonstrate compliance?
   Type: LL
8. CIP‐002‐5 R1: Shared equipment at a substation
   Description: What issues need to be addressed related to substations that are shared by different entities (e.g., identifying ownership, compliance responsibilities, emergency management, physical access controls)?
   Type: LL
9. CIP‐002‐5 R1: Applicability of Control Centers to Transmission Operators (TOP) and Transmission Owners (TO)
   Description: How would CIP‐002‐5 Attachment 1 criterion 2.12 apply to medium‐impact Control Centers if the functional obligations are performed by the TO on behalf of the TOP?
   Type: LL
Lessons Learned Summary
10. CIP‐002‐5 R1: Generation interconnection points
    Description: Clarify the terms “generation interconnection point,” “generation interconnection Facility,” and “collector bus” for the purposes of applying CIP‐002‐5 Attachment 1 impact rating criteria 2.1 and 2.2.
    Type: LL
11. CIP‐003‐5 R2: Medium‐impact rating, non‐routable, no dial‐up access Cyber Assets
    Description: What is the complete set of CIP Version 5 Requirements that apply to BES Cyber Systems without routable or dial‐up access?
    Type: LL
17. CIP‐006‐5 R1: Multiple physical access controls
    Description: Discuss options for using two or more physical access controls for high‐impact BES Cyber System Physical Security Perimeters.
    Type: LL
Lessons Learned
• Two published/final related to CIP-002-5.1
  – Generation Segmentation
  – Far-End Relay
1a. Generation Segmentation
Requirement: Title: CIP‐002‐5 R1: Impact rating of generation resources (generation segmentation)
Description: What options are available to categorize the impact rating of BES Cyber Assets at plants greater than 1500 MW?
Impact of the Lesson‐Learned on WECC Audit Approach
This LL describes the options used by pilot study participants for identifying BCS located at generation plant sites with a net Real Power capability >= 1500 MW. The LL provides two options for protecting BCS at such generation sites:
A. Protect the BCS as Medium-impact at a single location, in which all the CIP standards are applicable
B. Segment the Generating Units and their Associated BCS to ensure no BCS could have an adverse impact on any combination of units >= 1500 MW within 15 minutes. If this option is chosen, the entity must provide sufficient evidence that all BCS have been segmented effectively, such that there are no common-mode vulnerabilities that could cause the loss of 1500 MW or more at the plant site.
1b. Generation Segmentation
Acceptable Evidence of Generation Segmentation
This evidence could include engineering analyses that demonstrate effective segmentation of, for example:
• Systems protected by the segmented unit network.
• Components shared by multiple generating units or group of units, and analysis of the impact that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable operation of the BES within 15 minutes.
• BES Cyber Systems shared by multiple generating units or group of units, and analysis of the impact that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable operation of the BES within 15 minutes.
• Network interfaces between each generating unit or group of units and external networks (e.g., firewall rules).
1c. Generation Segmentation
Impact of the Lesson‐Learned on WECC Audit Approach
When reviewing entity BCS evaluations relative to IRC 2.1, WECC will expect evidence that indicates the entity evaluated the aggregate highest net rated Real Power capability of the preceding 12 calendar months to establish the generation plant’s net output relative to the 1500 MW threshold. If the plant net output equals or exceeds the 1500 MW threshold, WECC will expect documentation demonstrating all BCS, including, but not limited to, DCS, fuel, air, and water support systems at the plant were examined to test the second condition in IRC 2.1 of an adverse impact within 15 minutes for any combination of units that equal or exceed 1500 MW. BCS that meet both conditions should be classified as Medium-impact BCS, while BCS that fail one or both conditions should be classified as Low-impact BCS (the dual conditions are also true for IRC 2.2).
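The two-condition IRC 2.1 test described above, as an added worked example (not WECC or NERC code). Unit names, MW values and BCS names are constructed; summing each unit's 12-month peak is this example's assumption about how the aggregate is formed, and each BCS's set of impacted units stands in for the conclusion of the entity's own engineering analysis.

```python
from dataclasses import dataclass

THRESHOLD_MW = 1500  # IRC 2.1 threshold quoted on the slide


@dataclass(frozen=True)
class BCS:
    name: str
    # Units this BCS could adversely impact within 15 minutes, taken from the
    # entity's engineering analysis (constructed input in this example).
    units_impacted_15min: frozenset


def plant_aggregate_mw(unit_peak_mw):
    """Sum each unit's highest net rated Real Power capability (MW) over the
    preceding 12 calendar months (assumed reading of 'aggregate')."""
    return sum(unit_peak_mw.values())


def classify(unit_peak_mw, systems):
    """Return {BCS name: (rating, reason)} for one generation plant site."""
    aggregate = plant_aggregate_mw(unit_peak_mw)
    results = {}
    for bcs in systems:
        unknown = set(bcs.units_impacted_15min) - set(unit_peak_mw)
        if unknown:
            raise ValueError(f"{bcs.name}: unknown units {sorted(unknown)}")
        impacted = sum(unit_peak_mw[u] for u in bcs.units_impacted_15min)
        if aggregate < THRESHOLD_MW:
            # First condition fails: plant is below the threshold.
            results[bcs.name] = ("Low", f"plant aggregate {aggregate} MW < {THRESHOLD_MW} MW")
        elif impacted < THRESHOLD_MW:
            # Second condition fails: 15-minute impact stays below the threshold.
            results[bcs.name] = ("Low", f"15-minute impact limited to {impacted} MW")
        else:
            results[bcs.name] = ("Medium", f"15-minute impact reaches {impacted} MW")
    return results


def segmentation_holds(results):
    """Option B evidence check: no BCS may remain a common-mode path to >= 1500 MW."""
    return all(rating != "Medium" for rating, _ in results.values())


# Constructed sample plant: three units, 1900 MW aggregate.
UNIT_PEAK_MW = {"U1": 800, "U2": 800, "U3": 300}
SYSTEMS = [
    BCS("Unit 1 DCS", frozenset({"U1"})),
    BCS("Shared fuel handling", frozenset({"U1", "U2"})),
    BCS("Water treatment", frozenset({"U1", "U3"})),
]

if __name__ == "__main__":
    outcome = classify(UNIT_PEAK_MW, SYSTEMS)
    for name, (rating, reason) in outcome.items():
        print(f"{name}: {rating} ({reason})")
    print("Segmentation effective:", segmentation_holds(outcome))
```
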
2. Far End Relays
Requirement: Title: CIP‐002‐5 R1: Relay protection in substations with different impact ratings (i.e., far‐end relay/transfer trip)
Description: How should the impact rating of line protection relays at each end of a transmission line connecting two substations be determined?
Impact of the Lesson‐Learned on WECC Audit Approach
This LL clarifies that line protection relays at each end of a transmission line connecting two substations may have different BCS impact ratings. The rating of each relay is dependent on whether the Transmission Facilities at the station or substation at which the relay is located meet the rating criteria for Medium- or Low-impact. Although the term “SPS” is being replaced by the more generic term “RAS,” this same LL concept may apply to all SPS and RAS that do NOT meet IRC 2.9.
WECC will review the entity’s R1.1, R1.2, & R1.3 lists and ask questions, as necessary, to determine the effectiveness of the process implemented to create these lists.
Quiz Time
Name of electric utility serving the U.S. Virgin Islands?
WAPA Virgin Islands Water and Power Authority
FAQ 45
FAQ 49
FAQ 52
Quiz Time
• What is the primary generation fuel source on the U.S. Virgin Islands?
Fuel Oil
CIP Site Visits
• Purpose
• What to expect
• Rules of engagement
• Tips
Site Visit Purpose
• “… auditors obtain reasonable assurance that evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives.” (GAGAS, p. 124)
• Visual Verification
• Direct Observation
What to Expect…
• Data Requests
  – Site Visit Analysis
    • Typically for large numbers of assets/facilities or complex systems
    • Seeking clarification and additional information to make informed decisions
  – Site Visit Data Request
    • List sites selected, propose schedule
Site Visit DR Example
The WECC Audit Team requests: Please schedule tours on Wednesday (September 9, 2015) of the following BILL BES Assets, including all areas with BES Cyber Systems located at:
Day One (September 9, 2015)
– Primary Control Center
– Backup Control Center
– Substation1
– Substation2
BILL shall propose a meeting location, route, and schedule that optimizes the time the WECC audit team will have available at each BES Asset and minimizes the impact the audit team will have on BILL operations. If possible, the WECC audit team would like to end the tour at the facility nearest the audit team location, but the team is flexible and understands any operational requirements for BILL scheduling. The WECC audit team recognizes that BILL has BES operational responsibilities at the BES Asset(s) and will make an effort to minimize interference with the duties of BILL personnel once on site.
Site Visit DR Example
During the tour, BILL will provide Subject Matter Experts in the three standards (CIP-002, CIP-005, & CIP-006) and the following hard copy lists and/or diagrams for use by the WECC Audit team during the site visits:
• For each Asset identified as a BILL Asset containing High BCS or Medium BCS, BILL shall provide hard copies (filtered by location) of its inventory of BCS at each site. This inventory should contain sufficient information to support validation of the entity’s compliance efforts at each location. For each Asset identified as a Low-impact BES Asset, please be prepared to discuss planned CIP protections including any expected LERC and LEAP implementations.
• For each site with one or more ESPs, BILL shall provide a hard copy diagram of each such ESP. If there is no ESP, please provide a network diagram to support the validation of the BCS perimeter(s).
• For each site with one or more PSPs, BILL shall provide a hard copy diagram of each such PSP. If there is no PSP, please provide a physical diagram to allow the CIP-006 audit team to note current physical protections for the BES Asset.
The WECC audit team will use these documents to validate BCS, ESPs, and PSPs and will annotate the documents while on site. The WECC audit team will return these documents to BILL prior to leaving each site. A separate DR – subsequent to the site visits – will request scanned PDF copies of the annotated lists and/or diagrams for review and inclusion into the audit records.
Rules of Engagement
• WECC Audit Team WILL:
  – Work to make everyone feel at ease and comfortable through open and candid dialogue
  – Verify lists and drawings against actual deployment
  – Typically split into two groups: CIP-002 and 005 together, with CIP-006 on its own
  – Ask SMEs to perform ALL tasks & testing (login, open cabinet doors, generate failed login attempts, hold door open, etc.)
  – Notify you of concerns/issues identified
Rules of Engagement
• WECC Audit Team WILL NOT:
  – Attempt to ditch their escorts
  – Touch any equipment, keyboards, buttons, switches, levers, dials, etc.
  – Attempt to ditch their escorts
  – Ask the SMEs to do anything that poses a risk to reliable operation of the BES
  – Play the gotcha game
CIP Site Tours – Helpful Tips
• The cast of Ben Hur isn’t necessary to ensure a successful site visit
• Tailboards and other site-specific safety meetings are great
• Be sure the right SMEs are there, and prepared
References
• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf
• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf
Speaker Contact Information
Bryan Carr bcarr@wecc.biz 801-819-7691