Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-008-5, 009-5, & TFEs
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT
2
Agenda
• Applicability
• Implementation
• CIP-008-5 & 009-5
  o Overview
  o Audit Approach
  o Tips
• TFEs and CIP v5
3
Goal
Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5
4
CIP-008-5 Purpose
“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”
5
CIP-008-5 Applicability
• HIBESCS
  o High Impact BES Cyber Systems (R1-R3)
• MIBESCS
  o Medium Impact BES Cyber Systems (R1-R3)
6
CIP-008-5 Implementation
• By April 1, 2016
  o All of CIP-008-5, except as noted below
• On or before April 1, 2017:
  o CIP-008-5, Requirement R2, Part 2.1
  o CIP-008-5, Requirement R3, Part 3.1
7
CIP-008-5 R1 Overview
• Ingredients of the Cyber Security Incident Response Plan
  o Identify, classify, and respond to Cyber Security Incidents (CSI)
  o Process to determine if a CSI is a Reportable CSI (RCSI)
  o Notify ES-ISAC within 1 hour of determination of an RCSI
  o Roles and responsibilities
  o Incident handling procedures
8
CIP-008-5 R1 Audit Approach
• Documentation requirement
  o Does the CSIRP address each Part of R1?
  o Does the CSIRP tie all the necessary resources together?
  o Revision history with sufficient detail
9
CIP-008-5 R1 Tips
• Man on the street(ish) test
  o Can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Roles and responsibilities may include contact lists with names/numbers/emails
• Assumption is you’ll have Cyber Security Incidents; emphasis on RCSI and the criteria used to determine elevation of a CSI to an RCSI
• Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends
10
CIP-008-5 R2 Overview
• Annual test of CSIRP
  o Actual Incident
  o Paper
  o Operational
• Use the plan during the annual test & document any deviations from the plan
• Retain records of Incidents
11
CIP-008-5 R2 Audit Approach
• Performance Requirement:
  o How has the plan been implemented?
  o How do you test/exercise the plan?
  o Did you document deviations from the plan during the exercise/test?
  o How are records kept and where?
12
CIP-008-5 R2 Tips
• Anytime the words “test” or “exercise” are used – lessons learned should follow. If you have no lessons learned, you may not be doing it right
• It’s ok to get a little creative with test and exercise scenarios
13
CIP-008-5 R3 Overview
• Complete within 90 days of test/exercise or actual Incident response:
  o Document lessons learned
  o Update the Plan
  o Notify responsible parties of updates
• Complete within 60 days of change in roles/responsibilities/technology:
  o Update the Plan
  o Notify responsible parties
14
CIP-008-5 R3 Audit Approach
• Performance Requirement:
  o Updates tracked through revision history or other means of sufficient detail
  o Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  o Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.
15
CIP-008-5 R3 Tips
• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Suggest outlining how this is supposed to happen in the actual plan
16
CIP-008-5
Questions?
17
Everyone awake?
18
CIP-009-5 Purpose
“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”
19
CIP-009-5 Applicability
• HIBESCS
  o High Impact BES Cyber Systems (2.3)
• MIBESCS at Control Centers, with associated EACMS and PACS
  o Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)
• HIBESCS with associated EACMS and PACS
  o High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)
• MIBESCS with associated EACMS and PACS
  o Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)
20
CIP-009-5 Implementation
• By April 1, 2016
  o All of CIP-009-5, except as noted below
• On or before April 1, 2017:
  o CIP-009-5, Requirement R2, Parts 2.1, 2.2
  o CIP-009-5, Requirement R3, Part 3.1
• On or before April 1, 2018:
  o CIP-009-5, Requirement R2, Part 2.3
21
CIP-009-5 R1 Overview
• Ingredients of the recovery plan
  o Conditions for activation of the plan
  o Roles and responsibilities
  o Process for backup and storage
  o Process to verify successful completion of backups
  o Process to preserve data
22
Backup and Recovery
23
CIP-009-5 R1 Audit Approach
• Documentation requirement
  o Does the plan (or plans) address all processes required?
  o Review associated procedures, flowcharts, etc.
  o Revision history with sufficient detail
24
CIP-009-5 R1 Tips
• Two new Requirements (1.4 & 1.5) – read carefully, plan accordingly
• Regurgitating the Requirement language does not constitute developing a program/process
• Man on the street(ish) test
  o Can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends
25
CIP-009-5 R2 Overview
• Annual test of recovery plan
  o Actual Incident
  o Paper
  o Operational
• Test a representative sample of backups to ensure validity and compatibility
• Operational exercise required once every 36 months for High Impact BES Cyber Systems
26
Test the Plan
27
CIP-009-5 R2 Audit Approach
• Performance Requirement:
  o How has the plan been implemented?
  o How do you test/exercise the plan?
  o Representative sample – how did you determine the sample set?
  o Documentation of test/exercise, outcomes & lessons learned
28
CIP-009-5 R2 Tips
• R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate docs
• Focus on the outputs of R2: what are the deliverables?
• Part 2.3 – First full operational exercise must occur by 4/1/2017, then at least once every 36 months
29
CIP-009-5 R3 Overview
• Complete within 90 days of test/exercise or actual recovery:
  o Document lessons learned
  o Update the plan
  o Notify responsible parties of updates
• Complete within 60 days of change in roles/responsibilities/technology:
  o Update the plan
  o Notify responsible parties
30
CIP-009-5 R3 Audit Approach
• Performance Requirement:
  o Updates tracked through revision history or other means of sufficient detail
  o Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  o Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.
31
CIP-009-5 R3 Tips
• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Good idea to outline how this is supposed to happen in the actual plan
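The R3 slides for both standards ask the entity to show an unbroken, dated chain from the triggering event (exercise, actual response, or a roles/technology change) through lessons learned, plan update and notification, inside the 90-day or 60-day window, and CIP-008-5 R1 adds the 1-hour ES-ISAC notification after an RCSI determination. The script below is an added example, not part of the presentation and not a WECC tool: it runs those window and ordering checks over a constructed set of evidence records and returns the findings an auditor would raise. The trigger names, record fields and sample dates are assumptions made for the illustration; only the windows come from the slides.

```python
"""Evidence-chain checker for the CIP-008-5 / CIP-009-5 R3 timelines.

Added example (not from the presentation or WECC). Trigger kinds, field names
and the sample records are constructed for illustration; the windows are the
ones stated on the slides.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Windows stated on the slides.
WINDOW_EXERCISE_OR_RESPONSE = timedelta(days=90)   # R3: after test/exercise/actual response
WINDOW_ROLE_OR_TECH_CHANGE = timedelta(days=60)    # R3: after roles/responsibilities/technology change
WINDOW_ESISAC_NOTIFICATION = timedelta(hours=1)    # CIP-008-5 R1: after RCSI determination

# Constructed trigger kinds -> (window, evidence steps that must follow, in order).
CHAINS = {
    "exercise": (WINDOW_EXERCISE_OR_RESPONSE, ["lessons_learned", "plan_updated", "parties_notified"]),
    "actual_response": (WINDOW_EXERCISE_OR_RESPONSE, ["lessons_learned", "plan_updated", "parties_notified"]),
    "role_or_tech_change": (WINDOW_ROLE_OR_TECH_CHANGE, ["plan_updated", "parties_notified"]),
}


@dataclass
class Trigger:
    plan: str                  # constructed label, e.g. "CIP-008-5" or "CIP-009-5"
    kind: str                  # key of CHAINS
    occurred: datetime         # date the triggering event completed
    evidence: dict = field(default_factory=dict)  # step -> date the evidence record is dated


def check_trigger(t: Trigger) -> list[str]:
    """Return audit findings for one trigger; an empty list means the chain closed in order and in window."""
    window, steps = CHAINS[t.kind]
    due = t.occurred + window
    label = f"{t.plan} {t.kind} on {t.occurred:%Y-%m-%d}"
    findings = []
    previous = t.occurred  # each step must be dated no earlier than the step before it
    for step in steps:
        when = t.evidence.get(step)
        if when is None:
            findings.append(f"{label}: no evidence of '{step}' (due {due:%Y-%m-%d})")
            continue
        if when < previous:
            findings.append(f"{label}: '{step}' dated {when:%Y-%m-%d} precedes the prior step in the chain")
        if when > due:
            findings.append(f"{label}: '{step}' dated {when:%Y-%m-%d} is outside the {window.days}-day window (due {due:%Y-%m-%d})")
        previous = max(previous, when)
    return findings


def check_rcsi_notification(determined: datetime, notified: Optional[datetime]) -> Optional[str]:
    """CIP-008-5 R1: ES-ISAC must be notified within 1 hour of determining an RCSI."""
    if notified is None:
        return "RCSI determined but no ES-ISAC notification recorded"
    elapsed = notified - determined
    if elapsed > WINDOW_ESISAC_NOTIFICATION:
        return f"ES-ISAC notified {elapsed} after determination (limit 1 hour)"
    return None


# Constructed sample records: one clean chain, one late/incomplete chain, one out-of-order chain.
SAMPLE_TRIGGERS = {
    "cip008_exercise": Trigger("CIP-008-5", "exercise", datetime(2014, 3, 1), {
        "lessons_learned": datetime(2014, 3, 10),
        "plan_updated": datetime(2014, 4, 15),
        "parties_notified": datetime(2014, 4, 20),
    }),
    "cip009_role_change": Trigger("CIP-009-5", "role_or_tech_change", datetime(2014, 1, 15), {
        "plan_updated": datetime(2014, 4, 1),   # due 2014-03-16, so late; no notification at all
    }),
    "cip008_actual_response": Trigger("CIP-008-5", "actual_response", datetime(2014, 2, 1), {
        "lessons_learned": datetime(2014, 1, 28),  # dated before the response it claims to follow
        "plan_updated": datetime(2014, 3, 1),
        "parties_notified": datetime(2014, 3, 5),
    }),
}


def audit_sample() -> dict[str, list[str]]:
    """Run the chain check over the constructed records; returns findings keyed by record name."""
    return {name: check_trigger(t) for name, t in SAMPLE_TRIGGERS.items()}


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, "->", "OK" if not findings else "")
        for f in findings:
            print("   ", f)
    late = check_rcsi_notification(datetime(2014, 2, 1, 10, 0), datetime(2014, 2, 1, 11, 30))
    print("RCSI notification ->", late or "OK")
```

In practice the evidence dates would be pulled from the plan's revision history and the ticketing or email system rather than typed in; the point of the check is that every trigger has all of its steps, in chain order, dated inside the window, which is exactly what the auditor will try to reconstruct by hand.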
32
CIP v5 and TFEs
• TFEs will be necessary in v5
• Definitive list of Requirements/Parts to be determined – 9 have “where technically feasible”
• Appendix 4D will be updated to accommodate v5
• webCDMS will be updated as necessary
• Streamlined process will remain in place
33
Resources, References, & Light Reading
• NERC v3 to v5 mapping document
• FERC Order 791
• 2011 v5 SDT Presentation
• DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability
• NIST Computer Security Incident Handling Guide
Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
Questions?