Bryan J. Carr, PMP, CISA, Compliance Auditor, Cyber Security
CIP-008-5, 009-5, & TFEs
CIP v5 Roadshow – Salt Lake City, UT, May 14, 2014

Transcript of the PowerPoint presentation (34 slides)

Page 1: Title

Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-008-5, 009-5, & TFEs
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT

Page 2: Agenda

• Applicability
• Implementation
• CIP-008-5 & 009-5
  o Overview
  o Audit Approach
  o Tips
• TFEs and CIP v5

Page 3: Goal

Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5

Page 4: CIP-008-5 Purpose

“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”

Page 5: CIP-008-5 Applicability

• High Impact BES Cyber Systems (R1-R3)
• Medium Impact BES Cyber Systems (R1-R3)

Page 6: CIP-008-5 Implementation

• By April 1, 2016
  o All of CIP-008-5, except as noted below
• On or before April 1, 2017:
  o CIP-008-5, Requirement R2, Part 2.1
  o CIP-008-5, Requirement R3, Part 3.1

Page 7: CIP-008-5 R1 Overview

• Ingredients of the Cyber Security Incident Response Plan (CSIRP)
  o Identify, classify, and respond to a Cyber Security Incident (CSI)
  o Process to determine if a CSI is a Reportable CSI (RCSI)
  o Notify ES-ISAC within 1 hour of determination of an RCSI
  o Roles and responsibilities
  o Incident handling procedures

Page 8: CIP-008-5 R1 Audit Approach

• Documentation requirement
  o Does the CSIRP address each Part of R1?
  o Does the CSIRP tie all the necessary resources together?
  o Revision history with sufficient detail

Page 9: CIP-008-5 R1 Tips

• Man on the street(ish) test
  o Can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Roles and responsibilities may include contact lists with names/numbers/emails
• Assumption is you’ll have Cyber Security Incidents; emphasis on RCSI and the criteria used to determine elevation of a CSI to an RCSI
• Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends

Page 10: CIP-008-5 R2 Overview

• Annual test of CSIRP
  o Actual Incident
  o Paper
  o Operational
• Use the plan during the annual test & document any deviations from the plan
• Retain records of Incidents

Page 11: CIP-008-5 R2 Audit Approach

• Performance Requirement:
  o How has the plan been implemented?
  o How do you test/exercise the plan?
  o Did you document deviations from the plan during the exercise/test?
  o How are records kept and where?

Page 12: CIP-008-5 R2 Tips

• Anytime the words “test” or “exercise” are used, lessons learned should follow. If you have no lessons learned, you may not be doing it right
• It’s ok to get a little creative with test and exercise scenarios

Page 13: CIP-008-5 R3 Overview

• Complete within 90 days of a test/exercise or actual Incident response:
  o Document lessons learned
  o Update the Plan
  o Notify responsible parties of updates
• Complete within 60 days of a change in roles/responsibilities/technology:
  o Update the Plan
  o Notify responsible parties

Page 14: CIP-008-5 R3 Audit Approach

• Performance Requirement:
  o Updates tracked through revision history or other means of sufficient detail
  o Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  o Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

Page 15: CIP-008-5 R3 Tips

• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Suggest outlining how this is supposed to happen in the actual plan

Page 16: CIP-008-5

Questions?

Page 17:

Everyone awake?

Page 18: CIP-009-5 Purpose

“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”

Page 19: CIP-009-5 Applicability

• High Impact BES Cyber Systems (2.3)
• Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)
• High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)
• Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)

Page 20: CIP-009-5 Implementation

• By April 1, 2016
  o All of CIP-009-5, except as noted below
• On or before April 1, 2017:
  o CIP-009-5, Requirement R2, Parts 2.1, 2.2
  o CIP-009-5, Requirement R3, Part 3.1
• On or before April 1, 2018:
  o CIP-009-5, Requirement R2, Part 2.3

Page 21: CIP-009-5 R1 Overview

• Ingredients of the recovery plan
  o Conditions for activation of the plan
  o Roles and responsibilities
  o Process for backup and storage
  o Process to verify successful completion of backups
  o Process to preserve data

Page 22: Backup and Recovery

Page 23: CIP-009-5 R1 Audit Approach

• Documentation requirement
  o Does the plan (or plans) address all processes required?
  o Review associated procedures, flowcharts, etc.
  o Revision history with sufficient detail

Page 24: CIP-009-5 R1 Tips

• Two new Requirements (Parts 1.4 & 1.5): read carefully, plan accordingly
• Regurgitating the Requirement language does not constitute developing a program/process
• Man on the street(ish) test
  o Can someone else in your organization pick up the recovery plan and have everything they need to recover?
• Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends

Page 25: CIP-009-5 R2 Overview

• Annual test of recovery plan
  o Actual Incident
  o Paper
  o Operational
• Test a representative sample of backups to ensure validity and compatibility
• Operational exercise required once every 36 months for High Impact BES Cyber Systems
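Two of the items above are where a script earns its keep: the R1 ingredient "process to verify successful completion of backups" and the R2 test of a representative sample of backups for validity and compatibility. What follows is an added example, not from the presentation or from WECC, showing one way to build both in Python. At backup time it records a SHA-256 digest of every file and of the finished archive in a manifest; at test time it draws a reproducible sample of archives, restores each into a scratch directory and compares every restored file against the manifest, returning a record per archive that can be kept as evidence. The tar.gz format, the manifest layout, the sample configuration files and the archive names are all assumptions made for the example.

```python
import hashlib
import json
import os
import random
import tarfile
import tempfile
from datetime import datetime, timezone

# Constructed sample data (not from the presentation): a small configuration tree
# standing in for the recoverable state of a hypothetical BES Cyber System.
SAMPLE_FILES = {
    "rtu01/config.xml": b"<rtu id='1'><poll>2s</poll></rtu>\n",
    "hmi/screens.db": bytes(range(256)) * 4,
    "ems/app.cfg": b"mode=prod\nlog=/var/log/ems\n",
}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_sample_tree(root):
    for rel, data in SAMPLE_FILES.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

def create_backup(source_dir, backup_dir, name):
    """Archive source_dir and write a manifest of per-file digests plus the digest of
    the closed archive; that last digest is the record that the backup completed."""
    archive = os.path.join(backup_dir, name + ".tar.gz")
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for dirpath, _, filenames in os.walk(source_dir):
            for fn in sorted(filenames):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, source_dir)
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    manifest = {"archive": os.path.basename(archive), "files": files,
                "archive_sha256": sha256_file(archive),
                "created": datetime.now(timezone.utc).isoformat()}
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return archive

def verify_backup(archive):
    """Check one backup three ways: the stored archive still matches the digest taken
    at completion (intact); it restores with the current tooling (compatibility); every
    restored file hashes to its recorded value and none is missing (validity)."""
    with open(archive + ".manifest.json") as f:
        manifest = json.load(f)
    result = {"archive": manifest["archive"], "restorable": False, "missing": [],
              "mismatched": [], "ok": False, "checked": datetime.now(timezone.utc).isoformat(),
              "archive_hash_ok": sha256_file(archive) == manifest["archive_sha256"]}
    if not result["archive_hash_ok"]:
        return result  # corrupted or truncated on storage; no point restoring it
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python version provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **kwargs)
            result["restorable"] = True
        except (tarfile.TarError, OSError, EOFError) as exc:
            result["error"] = str(exc)
            return result
        for rel, expected in manifest["files"].items():
            path = os.path.join(restore_dir, rel)
            if not os.path.isfile(path):
                result["missing"].append(rel)
            elif sha256_file(path) != expected:
                result["mismatched"].append(rel)
    result["ok"] = not result["missing"] and not result["mismatched"]
    return result

def select_sample(archives, fraction=0.25, minimum=1, seed=None):
    """Representative sample as a seeded random draw, so the selection is reproducible
    and the seed can be kept with the results as evidence of how it was chosen."""
    k = min(len(archives), max(minimum, round(len(archives) * fraction)))
    return sorted(random.Random(seed).sample(sorted(archives), k))

def verify_sample(backup_dir, fraction=0.25, seed=None):
    archives = [os.path.join(backup_dir, f) for f in os.listdir(backup_dir)
                if f.endswith(".tar.gz")]
    return [verify_backup(a) for a in select_sample(archives, fraction, seed=seed)]

def demo():
    """Back up the constructed tree twice, damage one copy on 'storage', verify both;
    returns (good_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as work:
        src, bdir = os.path.join(work, "src"), os.path.join(work, "backups")
        os.makedirs(bdir)
        write_sample_tree(src)
        create_backup(src, bdir, "ems-2014-05-14")
        bad = create_backup(src, bdir, "ems-2014-05-07")
        with open(bad, "r+b") as f:  # simulate media damage after the backup completed
            f.truncate(os.path.getsize(bad) // 2)
        results = {r["archive"]: r for r in verify_sample(bdir, fraction=1.0, seed=1)}
        return results["ems-2014-05-14.tar.gz"], results["ems-2014-05-07.tar.gz"]
```

Keep the returned records together with the sampling seed; they are the documentation of the test, the outcome and how the sample set was determined that the R2 audit approach asks about. A digest comparison shows the backup is intact and restores correctly, but the compatibility half also needs evidence that the restore target matched the production platform, which this check cannot supply on its own.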

Page 26: Test the Plan

Page 27: CIP-009-5 R2 Audit Approach

• Performance Requirement:
  o How has the plan been implemented?
  o How do you test/exercise the plan?
  o Representative sample: how did you determine the sample set?
  o Documentation of test/exercise, outcomes & lessons learned

Page 28: CIP-009-5 R2 Tips

• R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate documents
• Focus on the outputs of R2: what are the deliverables?
• Part 2.3: first full operational exercise must occur by 4/1/2017, then at least once every 36 months

Page 29: CIP-009-5 R3 Overview

• Complete within 90 days of a test/exercise or actual recovery:
  o Document lessons learned
  o Update the plan
  o Notify responsible parties of updates
• Complete within 60 days of a change in roles/responsibilities/technology:
  o Update the plan
  o Notify responsible parties

Page 30: CIP-009-5 R3 Audit Approach

• Performance Requirement:
  o Updates tracked through revision history or other means of sufficient detail
  o Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  o Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

Page 31: CIP-009-5 R3 Tips

• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Good idea to outline how this is supposed to happen in the actual plan

Page 32: CIP v5 and TFEs

• TFEs will be necessary in v5
• Definitive list of Requirements/Parts to be determined; 9 have “where technically feasible”
• Appendix 4D will be updated to accommodate v5
• webCDMS will be updated as necessary
• Streamlined process will remain in place

Page 34: Questions?

Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
[email protected]