IdenBfying Low Impact BES Assets
Transcript of IdenBfying Low Impact BES Assets
Iden%fying Low Impact BES Assets San Ramon, California
July 7-‐8, 2015
Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security Western Electricity Coordina%ng Council
Speaker Intro: Dr. Joseph Baugh • Electrical U%lity Experience (40+ years)
– Senior Compliance Auditor, Cyber Security – IT Manager & Power Trading/Scheduling Manager – IT Program Manager & Project Manager – PMP, CISSP, CISA, CRISC, CISM, NSA-‐IAM/IEM certs – NERC Cer%fied System Operator – Barehand Qualified Transmission Lineman
• Educa%onal Experience – Degrees earned: Ph.D., MBA, BS-‐Computer Science – Academic & Technical Course Teaching Experience (20 years)
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam prepara%on • Business Strategy, Leadership, and Management • Informa%on Technology and IT Security • Project Management
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
2
WECC Low Impact Disclaimer • The WECC Cyber Security team has
created a mythical Registered En%ty, Billiam Power Company (BILL) and fabricated evidence to illustrate key points in the CIP audit processes.
• Any resemblance of BILL to any actual Registered En%ty is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presenta%on are fic%%ous, but are representa%ve of audit team ac%vi%es during an actual CIP Compliance audit.
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
3
Agenda
• Review CIP-‐002-‐5.1 Requirements • Review CIPv5 Transi%on Guidance • Review CIP-‐002-‐5.1 Team audit approach • CIP-‐002-‐5.1 Mock Audit Overview
– Focusing on Low Impact BES Assets
• Ques%ons
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
4
CIP-‐002-‐5.1 Overview • CIP-‐002-‐5.1 is the first step on CIP Compliance trail • All Registered En%%es who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered func%ons are required to be compliant with CIP-‐002-‐5.1.
• CIP-‐002-‐5.1 replaces LSE with the DP func%on, TSP func%on drops out.
• Some en%%es may find they are only required to be compliant with CIP-‐002-‐5.1 (R1 & R2) and with CIP-‐003-‐6 (R1.2, R2, R3, & R4). – True, if the IRC applica%on generates Null R1.1 & R1.2 lists. – Must provide a valid R1.3 list of Low Impact BES Assets. – Typically requires a reduced scope audit that may be conducted on-‐site, at WECC offices, or other loca%ons, as necessary.
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
5
Mapping V3 CA & CCA to V5 BCS Slide 6
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
• High Impact BCS (IRC 1.1 − 1.4) – Large Control Centers
• Medium Impact BCS (IRC 2.1 − 2.13) – Control Centers – Genera%on Facili%es – Transmission Facili%es
• Low Impact BCS (IRC 3.1 − 3.6) – All other BES Assets – Applicable DP Assets (Sect. 4.2.1) – Must implement one or more CIP-‐003-‐6 policies to address:
• Cyber Security Awareness • Physical Security Controls • Electronic Access Controls • Cyber Security Incident Response
V3 BES Assets & Cyber Assets > BES Assets > V5 BCS
Cri3cal Assets & Cri3cal
Cyber Assets
Non-‐Cri3cal Assets & Non-‐Cri3cal Cyber
Assets
Inputs
R1.1 - R1-2 Process:Identify
BCS
Outputs
List of High & Medium Assets
R1.1,R1.2,Lists
List of Low Impact
Assets
Input
R1.3List
CIP-‐002-‐5.1: R1 • Each Responsible En%ty shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
7
Inputs
R1Process
Outputs
Inventory of
BES Assets
List of High, Medium,
& Low Assets
CIP-‐002-‐5.1: R1 • Each Responsible En%ty shall implement a process that
considers each of the following assets for purposes of parts 1.1 through 1.3: [Viola'on Risk Factor: High][Time Horizon: Opera'ons Planning] – i. Control Centers and backup Control Centers; – ii. Transmission sta%ons and substa%ons; – iii. Genera%on resources; – iv. Systems and facili%es cri%cal to system restora%on, including Blackstart Resources and Cranking Paths and ini%al switching requirements;
– v. Special Protec%on Systems that support the reliable opera%on of the Bulk Electric System; and
– vi. For Distribu%on Providers, Protec%on Systems specified in Applicability sec%on 4.2.1 above.
• Generates Low impact BES Assets for R1.3 list
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
8
CIP-‐002-‐5.1: R1.1 -‐ R1.3 • Each Responsible En%ty shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: – 1.1. Iden%fy each of the high impact BES Cyber Systems according to Ajachment 1, Sec%on 1, if any, at each asset;
– 1.2. Iden%fy each of the medium impact BES Cyber Systems according to Ajachment 1, Sec%on 2, if any, at each asset; and
– 1.3. Iden%fy each asset that contains a low impact BES Cyber System according to Ajachment 1, Sec%on 3, if any (a discrete list of low impact BES Cyber Systems is not required).
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
9
CIP-‐002-‐5.1 Requirements: R2 • En%ty must review iden%fica%ons made in R1 (and update them, if necessary) at least every 15 months [R2.1]
• The CIP Senior Manager or delegate (as defined in CIP-‐003-‐3 R2 or CIP-‐003-‐6 R3 & R4) must approve the ini%al lists [R2.2] and at least once every 15 months, thereaner: – The R1.1, R1.2, and R1.3 lists – Include signed and dated null lists, if applicable
• The en%ty must maintain signed and dated records of the approvals listed above. – Electronic or physical approvals accepted
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
10
Inputs
R2 Review & Approval
Process
R1.1,R1.2,R1.3Lists
Outputs
Signed and Dated
Records
CIP-‐002-‐5.1: Direc%on • CIP-‐002-‐5 R1.1 -‐ R1.3 are applicable for the transi%on period in lieu of the CIP-‐002-‐3 R2 list of Cri%cal Assets (Op%on 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Op%on 3).
• Ini%al compliance date for Low impact BES Assets on April 1, 2017. – Specific Low impact controls and evalua%on criteria are under review by oversight groups [See CIP-‐003-‐6 R2]
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
11
CIPv5 Transi%on Guidance • As a prac'cal ma>er, NERC understands that Responsible En''es cannot complete transi'on to the CIP V5 Standards in a single instance; rather, transi'on to full implementa'on will occur over a period of 'me as Responsible En''es develop the necessary procedures, soNware, facili'es, or other relevant capabili'es necessary for effec've compliance with the CIP V5 Standards. (NERC, 2014 Aug 12, Transi'on Guidance, p. 2)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
12
CIPv5 Transi%on Guidance • To help ensure that they are fully compliant with the CIP V5 Standards upon the effec've date, Responsible En''es may need or prefer to transi'on from compliance with the requirements of the CIP V3 Standards to implementa'on of the requirements of the CIP V5 Standards during the Transi'on Period. As such, there may be a period of 'me prior to the effec've date of the CIP V5 Standards date when Responsible En''es begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are s'll mandatory and enforceable. (NERC, 2014 Aug 12, Transi'on Guidance, p. 2).
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
13
CIP v5 Transi%on Op%ons*
*see Op%ons Table (NERC, 2014 Aug 12, Transi'on Guidance, p. 5)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
14
BILL Documents Op%on 3 Slide 15
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all en%%es.
• Use the RSAW supplied by the en%ty as ini%al working papers to document the audit and findings.
• Review Ini%al Evidence package supplied by the en%ty in response to Ajachment G: – One-‐line diagrams (we’ll see the BILL one-‐line later) – Specific CIP-‐002-‐5.1 eviden%ary documents
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
16
CIP-‐002-‐5.1 Audit Team Approach
• Audit to the Standard. • Review the Evidence:
– Inventory of BES Assets – One line diagrams – Applica%on of the IRC – R1.1, R1.2, R1.3 lists. – R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)
• DR for addi%onal informa%on, as needed.
• Complete the RSAW • Develop the Audit Report
17
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Are there more High or Medium BES
assets?
Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi]
Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset
Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset
Yes (Continue BCS evaluations)
No (Continue to R2)
Optional: Apply BES Definition to inventory of BES assets, Begin CIP-002-5.1 Process w/ inventory of BES Assets
Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable
R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter.
R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter.
Are any BES assets rated as High or Medium?
Yes (Evaluate High & Medium BES assets for all applicable BCS)
No (Place all Low BES assets on R1.3 List)
Add BCS to the appropriate list:R1.1: High Impact BCS,
R1.2: Medium Impact BCS
BILL’s One-‐Line Diagram Slide 18
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
BESNET Process • En%ty must ini%ate a BESNET request • Two BESNET Request Types Available:
– Defini%on Request – Excep%on Request
• A Defini%on Request does not need to be submijed through the BESNET process.
• An Excep%on Request must be completed and approved or rejected through the BESNET process
• Excep%on Requests cannot be declared and will not be reviewed or approved at audit
• En%ty should provide BESNET no%fica%on of NERC approval of the Excep%on Request in evidence package (see Ajachment G).
Slide 19
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
BESNET Defini%on Request • Self-‐Determined No%fica%on [SDN] • Applied for change in status as provided by the BES Defini%on
(NERC, 2014 April, BES Reference Document). • Iden%fies specific BES Element(s) under considera%on for: – Inclusion (SDN-‐I: Add BES Element), or – Exclusion (SDN-‐E: Remove BES Element)
• May cover con%guous BES Elements (e.g., include Mul%ple Generators [I2], or exclude Radial Elements [E1])
• The audit team may request documenta%on of the SDN at audit
Slide 20
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
BESNET Excep%on Request • Based on Appendix 5C (NERC, 2014 July 1) to the NERC Rules of
Procedure • Allows (a) Exclusion of BES Elements that would normally be
included, and (b) Inclusion of BES Elements that would normally be excluded by the BES Defini%on (NERC, 2014 July 1, Sec%on 3.1)
• Request must be specific rela%ve to desired changes (Sec%on 4.5) • Must undergo ini%al screening and substan%ve review by WECC, if
ini%ally disapproved, must be sent to technical review panel prior to Recommenda%on to NERC (Sec%on 5.0)
• Final approval or rejec%on rests with NERC (Sec%ons 8.0 -‐ 9.0) • Requires a mandatory cer%fica%on by the en%ty sta%ng the
Approved Excep%on Basis is unchanged every three years, otherwise the Excep%on will automa%cally expire (Sec%on 11.3)
Slide 21
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
WECC Audit Team Approach • Review the applica%on of the IRC [R1], list of High BCS [R1.1], list
of Medium BCS [R1.2], list of Low impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-‐lines and BES Asset inventory • If full Compliance audit:
– Hold interviews with the en%ty’s CIP SMEs – Perform site visits (Trust, but Verify)
• Validate annual approval documenta%on [R2] • Submit DR’s, as needed, to clarify compliance • Determine findings (NF, PV, or OEA) • Discuss findings with en%re Cyber Security Team • Complete RSAW • Prepare CIP audit report (ATL & CPC) July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
22
Ajachment G*: CIP-‐002-‐5.1 Evidence • [R1]: Provide documenta%on of the process and its
implementa%on to consider each BES asset included in the asset types listed in R1.i -‐ R1.vi to iden%fy the following lists: – [R1.1]: A list of High impact BCS at each asset iden%fied by applica%on of Ajachment 1, Sec%on 1.
– [R1.2]: A list of Medium impact BCS at each asset iden%fied by applica%on of Ajachment 1, Sec%on 2.
– [R1.3]: A list of iden%fied Low impact BES Assets iden%fied by applica%on of Ajachment 1, Sec%on 3].
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the iden%fica%ons required by R1, even if such lists are null.
* 2015 Ajachment G document is s%ll in progress and may change to some degree, but these basic sets of evidence will expected in the ini%al evidence package.
Slide 23
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
CIP-‐101 Mock Audit Overview • BILL declared Op%on 3 of the NERC CIPv5 Transi'on Guidance (NERC, 2014 August 12, p. 5).
• Bill compared inventory of BES Assets against current defini%on of Bulk Electric System (NERC, 2014 Dec 31, Glossary of Terms, pp. 18-‐21; NERC, 2014 April, BES Defini%on Guidance Document, v2)
• BILL iden%fied and documented lists of High and Medium Impact BCS, even if such lists are null, and a list of Low Impact BES Assets through an applica%on of the Impact Ra%ng Criteria [IRC] (NERC, 2013 Nov 22, CIP-‐002-‐5.1: A>achment 1, pp. 14-‐16)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
24
BILL’s BES Asset Iden%fica%on • The first step in a normal CIP-‐002-‐5.1 audit is to review the applica%on of the IRC – Starts with an overall Inventory of en%ty BES assets. – Did the en%ty use the BES Defini%on Request process to include new BES Assets or exclude extant BES Assets?
• Does the en%ty have documenta%on and approval for all Exclusions and/or Excep%ons?
• Review and validate the documenta%on
– Apply the IRC to validate the R1.x lists
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
25
High IRC (Control Centers)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 26
Medium IRC (Control Centers)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 27
Low IRC (Control Centers)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 28
R1.i: Example of Auditable Process
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 29
BILL’s BES Asset Iden%fica%on • Were applicable BES assets evaluated rela%ve to IRC criteria 2.3. 2.6. or 2.8?
• Did BILL demonstrate coordina%on with the applicable registered func%on(s)? – If not, should we submit a data request?
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
30
Medium IRC (Transmission)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 31
Medium IRC (Transmission)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 32
Medium IRC (Transmission)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 33
Medium / Low IRC (Transmission)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 34
R1.ii: Example of Auditable Process
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 35
Medium IRC (Genera%on)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 36
Medium / Low IRC (Genera%on)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 37
R1.iii-‐iv: Example of Auditable Process
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 38
Medium IRC (Protec%on Systems)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 39
Low IRC (Protec%on Systems)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 40
Low IRC (DP Systems)
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 41
R1.v-‐vi: Example of Auditable Process
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 42
List of High & Medium BES assets
• Review the list of High BES assets • Review the list of Medium BES assets
– For some en%%es in this session, both lists may be null
• Iden%fy BCA at each such BES Asset and group into High-‐ or Medium-‐impact BCS
• Provide the full protec%ons of CIP-‐003-‐6 through CIP-‐011-‐2 to these BCS, as applicable.
Slide 43
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
List of Low Impact BES Assets
• Review the list of Low impact BES Assets • Correlate this list against the en%ty’s inventory of BES Assets
Slide 44
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Validate BES Asset Lists • Review and compare the prior lists of CIP-‐002-‐3 R2 Cri%cal
Assets to the current lists of High and Medium BES Assets • Did the results seem reasonable? • Did the en%ty opt to reduce its number of Transmission
Assets through an appropriate applica%on of the BESNET? • If so, does the en%ty have documented approval for all
claimed exclusions ? • Do the Transmission BES Medium Assets align with the
one-‐line diagram? • Did the en%ty provide evidence of net Real Power
capability to support Genera%on Facility ra%ngs? • Does the audit team have any other ques%ons before
moving on to the R1.1, R1.2, and R1.3 lists?
Slide 45
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
List all Low impact BES Assets • BILL must provide CIP-‐003-‐6 R1.2 & R2 protec%ons, as applicable, to its Low impact BES Assets
• Zero (0) Low impact Control Centers – Both Control Centers have High-‐impact BCS
• Sixty-‐Five (65) Low impact Transmission Substa%ons, including Cranking Paths and assuming no substa%ons were removed via the BESNET process – Six substa%ons w/ Medium-‐impact BCS
• Ten (10) Low impact Genera%on Sites, including the 100 MW Blackstart Resource at Bill-‐3 substa%on – The 2000 MW BILL Genera%on Sta%on loca%on > 1500 MW net Real Power capability threshold in IRC 2.1
Slide 46
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
IRC 2.1: Segmen%ng Genera%on BCS • Can BILL segment the BCS at the Genera%on loca%on to reduce the BCS impact levels to Low?
• Document the segmenta%on efforts carefully
• Heed Lesson-‐Learned from pilot study
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Slide 47
Genera%on BCS Segmenta%on Requirement: Title Descrip3on CIP-‐002-‐5 R1: Impact ra%ng of genera%on resources (genera%on segmenta%on)
What op%ons are available to categorize the impact ra%ng of BES Cyber Assets at plants greater than 1500 MW?
Impact of the Lesson Learned on WECC Audit Approach
This LL describes the op%ons used by pilot study par%cipants for iden%fying BCS located at genera%on plant sites with a net Real Power capability => 1500 MWs. The LL provides two op%ons for protec%ng BCS at such genera%on sites: A. Protect the BCS as Medium-‐impact at a single loca%on, in which the all CIP
standards are applicable B. Segment the Genera%ng Units and their Associated BCS to ensure no BCS could
have an adverse impact on any combina%on of units =>1500 MWs within 15 minutes. If this op%on is chosen, the en%ty must provide sufficient evidence that all BCS have been segmented effec%vely, such that no common-‐mode vulnerabili%es exist that could cause the loss >= 1500 MW at the plant site.
48
Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA July 7, 2015
Genera%on BCS Segmenta%on Acceptable Evidence of Genera3on Segmenta3on
This evidence could include engineering analyses that demonstrate effec%ve segmenta%on of, for example:
• Systems protected by the segmented unit network. • Components shared by mul%ple genera%ng units or group of units, and
analysis that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable opera%on of the BES within 15 minutes.
• BES Cyber Systems shared by mul%ple genera%ng units or group of units, and analysis that loss, compromise, or misuse of the BES Cyber Systems could have on the reliable opera%on of the BES within 15 minutes.
• Network interfaces between each genera%ng unit or group of units and external networks (e.g., firewall rules).
49
Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA July 7, 2015
Genera%on BCS Segmenta%on Impact of the Lesson Learned on WECC Audit Approach
When reviewing en%ty BCS evalua%ons rela%ve to IRC 2.1, WECC will expect evidence that indicates the en%ty evaluated the aggregate highest net rated Real Power capability of the preceding 12 calendar months to establish the genera%on plant’s net output rela%ve to the 1500 MW threshold. If the plant net output equals or exceeds the 1500 MW threshold, WECC will expect documenta%on demonstra%ng all BCS, including, but not limited to, DCS, fuel, air, and water support systems at the plant were examined to test the second condi%on in IRC 2.1 of an adverse impact within 15 minutes for any combina%on of units that equal or exceed 1500 MW. BCS that meet both condi%ons should be classified as Medium-‐impact BCS, while BCS that fail one or both condi%ons should be classified as Low impact BCS (the dual condi%ons are also true for IRC 2.2).
50
Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA July 7, 2015
IRC 2.5: Segmen%ng Substa%on BCS
• Can BILL have mixed impact BCS at its substa%ons?
Slide 51
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Substa%on BCS Segmenta%on • Up to this point, WECC has been recommending that en%%es segregate their substa%on Facili%es by control buildings based on the language in IRC 2.5, "rela%ve to "Transmission Facili'es that are opera'ng between 200kV and 499kV at a single sta*on or substa*on [Emphasis added], …" (CIP-‐002-‐5.1, A>achment 1, p. 15)
• On further review, the prac%ce of segrega%ng Transmission Facili%es by voltage levels appears to be supported by language in the Overall Applica'on sec%on, "Responsible En''es have flexibility in how they group Facili'es, systems, and equipment at a loca'on" (CIP-‐002-‐5.1, p. 23), as well as graphically in Reference Model – 7 (CIP-‐003-‐6, Guidelines and Technical Basis, p. 37).
Slide 52
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Iden%fying Substa%on BCS • Aner discussions with other regions and NERC, although the overall impact ra%ng for a single Transmission sta%on or substa%on is determined by its connec%on to other sta%ons or substa%ons and the calcula%on of the aggregated weighted value, there is some la%tude for segrega%ng mixed-‐impact levels at substa%ons (i.e., Medium BCS and Low BCS).
• IRC 2.4 describes Medium BCS at 500kV and above. • IRC 2.5 describes Medium BCS grouped from BCA associated with Transmission Facili%es operated between 200kV and 499kv in a qualifying substa%on that meets the three-‐substa%on connec%vity and Aggregated Weighted Value [AWV] threshold criteria.
• En%%es may have lower voltage levels, at a single loca%on, that do not qualify as Medium-‐impact under IRC 2.5
Slide 53
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Substa%on BCS Segmenta%on Slide 54
Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA July 7, 2015
• Reference Model – 7 (CIP-‐003-‐6, Guidelines and Technical Basis, p. 37) provides an illustra%on of mixed-‐impact BCS within a single BES Asset boundary.
Substa%on BCS Protec%ons • Provide Physical Security protec%ons at substa%on control building with mixed-‐impact BCS at the Medium BCS level, as applicable.
• Electronic Protec%ons – If a Low impact BCS is contained within a Medium BCS ESP, protect the LIBCS as PCA to the Medium BCS, as applicable.
– If a Low impact BCS has LERC and is segregated electronically from Medium BCS, protect it in accordance with CIP-‐003-‐6 R1.2.3 (p. 5) and R2 (A>achment 1, Sec'on 3, p. 20).
Slide 55
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Substa%on BCS Caveats • For BES Cyber Assets associated with a transformer that spans the boundary between Medium-‐impact and Low impact Transmission Facili%es (e.g., transformer differen%al relays), WECC recommends such BCA be grouped with the higher impact BCS, even if located on the low-‐side of the transformer.
• If IRC 2.6 and/or 2.8 apply to a specific substa%on, treat all BCS at that substa%on as Medium-‐impact, regardless of voltage levels, and protect as applicable.
• Consider and apply high-‐water marks, as applicable. • Document all segmenta%on evalua%ons carefully and completely for future audits.
Slide 56
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
R1.3 List of Low impact BES Assets
• R1.3 does not require discrete lists of Low impact BES Cyber Systems.
• However, R1.3 does require a list containing the name of “each asset that contains a low impact BES Cyber System.” – This list should contain all genera%ng plants, transmission sta%ons, certain distribu%on sta%ons, and certain “small” control centers, that contain low impact BES Cyber Systems.
Slide 57
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
R1.3 List of Low impact BES Assets – The en%ty should be prepared to demonstrate that all BES assets (loca%ons) are accounted for on either the list of high impact, medium impact or low impact loca%ons (note: a list of high or medium impact loca%ons is not specifically required, but can be surmised by looking at lists of high impact and medium impact BES Cyber Systems, if they exist)
– The en%ty should be prepared to demonstrate that all the low impact BES Cyber Systems at the assets on the lists have been afforded electronic and physical protec%ons, and are included in recovery plans
Slide 58
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Comparing Low impact BES Assets • Not all Low impact BES Assets are created equal
– “Low impact” covers a wide range of BES loca%ons and Facili%es
– Within “Low impact” there are poten%ally vastly different risks and impacts to the reliability of the BES.
– The CIP Standards don’t make a dis%nc%on between a “big” (i.e., more impac{ul) Low impact BES Asset and a “small” (i.e., less impac{ul) Low impact BES Asset
• Consider the following examples of IRC 2.1 (w/ net Real Power capability [NRPC] calcula%ons) and IRC 2.5 (w/ Aggregated Weighted Value [AWV] calcula%ons):
Slide 59
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
IRC 2.1 & IRC 2.5 Low-‐impact Examples Slide 60
Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA July 7, 2015
AWV = 0 AWV = 2600 AWV = 5200
NRPC = 30 MWs AWV = 0
NRPC = 1400 MWs AWV = 1400
NRPC = 2800 MWs AWV = 3900
2.1
2.5
Compliance & Audit Implica%ons • Random or sta*s*cal sampling of low impact assets for CIPv5 audit purposes is not appropriate when sampling for Low impact BES Asset site visits.
• Expect the audit team to apply judgmental or non-‐sta*s*cal sampling based on the audit team’s percep%on of risk and impact to the BES. – Expect more audit ajen%on at Low impact Transmission Facili%es with larger impacts.
– Expect more audit ajen%on at larger Low impact Genera%on plants than at smaller plants, par%cularly those that equal or exceed 1500 MWs net Real Power capability
Slide 61
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Compliance & Audit Implica%ons • Expect more ajen%on at any genera%on plant > 1500 MW NPRC, regardless of control system segmenta%on. The en%ty should be prepare to: – Demonstrate how the unit controls are segmented, including computer network diagrams, firewall configura%ons, data flow analysis, etc.
– Demonstrate the analysis of any common systems at the plant.
– Explain the analysis and include both %me-‐based and impact-‐based components.
– Facilitate site visits to any Genera%on plants that contain >= 1500 MW net Real Power capability.
Slide 62
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
Compliance & Audit Implica%ons • Expect more ajen%on at any Low impact Transmission substa%on with a significant number of 230kV and 345kV lines. The en%ty should be prepared to: – Demonstrate how IRC 2.5 was applied – Discuss all Transmission lines that were not calculated into the total AWV, e.g.:
• Removed under the BESNET process as radial feeds serving only Load or other legi%mate exclusions, or
• Classified as Genera%on Interconnec%on Facili%es. – Facilitate site visits to any Transmission substa%ons that have mixed BCS impact levels
Slide 63
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
R1: BES Asset Lists Review Ques%ons • Did BILL apply the IRC appropriately? • Does BILL need to confer with its RC, PA, or TP to consider any Cri%cal Assets rela%ve to Criteria 2.3, 2.6, or 2.8 before moving them to the Low BES Asset list?
• Applica%on Ques%ons: – Did BILL consider all BES asset types in R1.i through R1.vi? – Did BILL review & evaluate all BES Assets through the IRC? – Did BILL clearly iden%fy and document all BES assets in the appropriate impact ra%ng?
• Is any addi%onal informa%on necessary?
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
64
BILL’s Review & Approval Process
• The next step in a CIP-‐002-‐5.1 audit is to determine if the en%ty reviewed the iden%fica%ons of the lists created in R1, even if such lists are null. – R1.1 list of High BCS – R1.2 list of Medium BCS – R1.3 list of Low impact BES assets
• Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists.
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
65
Inputs
R2 Review & Approval
Process
R1.1,R1.2,R1.3Lists
Outputs
Signed and Dated
Records
R2: Annual Approval Review Ques%ons
• Did BILL review its R1.1-‐R1.3 lists at least every 15 calendar months aner the ini%al iden%fica%ons?
• Did BILL update the lists, as necessary? • Did the BILL CIP Senior Manager or delegate approve the R1.1-‐R1.3 lists at least every 15 calendar months aner the ini%al iden%fica%on, even if such lists are null?
• Applica%on Ques%ons – Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DR’s necessary? – If so, what addi%onal informa%on is required?
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
66
Audit Ac%vi%es: The Interview
• Set up through an interview DR the prior week • Typically held on Monday of the on-‐site week immediately aner the opening presenta%on
• Examines the en%ty’s understanding of and approach to R1-‐R2
• Cover any areas of concern raised through the ini%al evidence review
• Schedule follow-‐up interview(s), if needed, aner the site visits
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
67
Audit Ac%vi%es: Site Visits • Set up through a site visit DR • I%nerary determined through review of the ini%al evidence • Trust, but verify. Why? • Depending on en%ty size and number of BES Assets, this may
involve 100% valida%on or valida%on of a sampling of BES Assets (as previously discussed):
• Where? – Control Centers (both PCC and BCC) – Genera%on Facili%es – Transmission Facili%es
• What? – In BILL’s case, site visits will include High and Medium BCS, as well as a judgmental sampling of Low Impact BES Assets
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
68
Audit Ac%vi%es: General Site Visits • Who?
– CIP-‐002-‐5.1 Audit Team • Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL • Works in conjunc%on with CIP-‐005 & CIP-‐006 sub-‐teams
– CIP-‐005-‐5 Audit Team • Iden%fies sites with Electronic Remote Access [ERC] and/or Low impact Electronic Remote Connec%vity [LERC]
• Validates Electronic Access Points [EAP] and/or Low Impact Electronic Access Points [LEAPs].
– CIP-‐006-‐6 Audit Team • Validates Physical Access Controls, rela%ve to CIP-‐006-‐6 and CIP-‐003-‐6, R2 (for Low impact BES Assets).
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
69
Audit Ac%vi%es: Low-‐impact Site Visits
• CIP-‐002-‐5.1 Audit Team – Validates R1.3 lists, schedules visits to a non-‐sta%s%cal sampling of Low-‐impact BES Assets.
– Works in conjunc%on with CIP-‐005 & CIP-‐006 sub-‐teams
• CIP-‐005-‐5 Audit Team [CIP-‐003-‐6 R2, Aj. 1, Sec%on 3] – Iden%fies sites with LERC and validates LEAP controls – Validates authen%ca%on for LIBCS w/ Dial-‐up Connec%vity
• CIP-‐006-‐6 Audit Team [CIP-‐003-‐6 R2, Aj. 1, Sec%on 2] – Validates Low-‐impact Physical Security controls
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
70
Audit Ac%vi%es: Site Visits • What?
– Validate High and Medium impact BCS (if applicable) – Discuss CIP-‐003-‐6 R2 protec%ons at Low impact BES Assets – Look for aberra%ons from the lists – Hold informal interviews with en%ty SMEs
• When? – Typically during the audit week – May occur before the audit week, depending on number of sites visited, distances traveled, resource constraints, etc.
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
71
Value-‐Added Ac%vity: Feedback
• WECC Audit Teams never prescribe solu%ons, but we do describe: – Brief en%%es on findings – Encourage good security prac%ces – Discuss examples of industry best prac%ces – Iden%fy areas of concern, which may not be viola%ons, but which could stand improvements
– Provide sugges%ons, when appropriate • Support development of a sustainable compliance culture.
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
72
Post-‐Audit Auditor Ac%vi%es • Par%cipate in en%ty outreach ac%vi%es, such as this event and CIPUG mee%ngs
• Be available and responsive to address en%ty ques%ons/comments
• Work at Na%onal level – CCWG – Draning teams – Comment on new Standards, CANs, etc. – Ajend and present at Conferences – CIPv5 Pilot Study and Outreach
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
73
Summary
• Audit to the Standard • Provide useful feedback to the en%ty • Prepare a valid report • Be available to CIP personnel at the en%%es • Work at Na%onal level
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
74
Remember the Auditor’s Mission
Just the facts, Ma’am,
Just the facts!
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
75
References • FERC. (2013 December 3). Order No. 791: Version 5 Cri'cal Infrastructure
Protec'on Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-‐5-‐000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-‐72787). Retrieved from hjp://www.gpo.gov/fdsys/pkg/FR-‐2013-‐12-‐03/pdf/2013-‐28628.pdf
• NERC. (2013 November 22). CIP-‐002-‐5.1 – Cyber Security Standard – BES Cyber System Categoriza'on. Retrieved from hjp://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-‐002-‐5.1&%tle=Cyber%20Security%20—%20BES%20Cyber%20System%20Categoriza%on&jurisdic%on=null
• NERC. (2014 April). Bulk Electric System Defini'on Reference Document (Version 2). Retrieved from hjp://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Defini%on%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
76
References • NERC. (2014 July 1). Appendix 5C: Procedure for Reques'ng and Receiving an
Excep'on from the Applica'on of the the NERC Defini'on of Bulk Electric System. Retrieved from hjp://www.nerc.com/FilingsOrders/us/RuleOfProcedureDL/Appendix_5C_ProcForReqAndRecExFromAppOfNERCDefBES_20140701.pdf
• NERC. (2014 August 12). Cyber Security Standards Transi'on Guidance: ERO Compliance and Enforcement Ac'vi'es during the Transi'on to the CIP Version 5 Reliability Standards. Retrieved from hjp://www.nerc.com/pa/CI/Documents/V3-‐V5%20Transi%on%20Guidance%20FINAL.pdf
• NERC. (2014 December 31). Glossary of Terms used in NERC Reliability Standards. Retrieved from hjp://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf
• NERC. (2015 February 12). CIP-‐003-‐6 – Cyber Security — Security Management Controls. Retrieved from hjp://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-‐003-‐6&%tle=Cyber%20Security%20-‐%20Security%20Management%20Controls&jurisdic%on=null
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA
77
Speaker Contact Informa%on
Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor -‐ Cyber Security Western Electricity Coordina%ng Council (WECC) jbaugh (at) wecc (dot) biz (C) 520.331.6351 (O) 360.600.6631
Slide 78
July 7, 2015 Dr. Joseph Baugh | Low impact BES Assets: San Ramon CA