Texas RE strictly prohibits persons participating in Texas RE … with... · 2020. 7. 23. ·...
Antitrust Admonition
Texas RE strictly prohibits persons participating in Texas RE
activities from using their participation as a forum for engaging in
practices or communications that violate antitrust laws. Texas
RE has approved antitrust guidelines available on its website. If
you believe that antitrust laws have been violated at a Texas RE
meeting, or if you have any questions about the antitrust
guidelines, please contact the Texas RE General Counsel.
Talk with Texas RE
March 19, 2020
Coronavirus Response Page
Kenath Carver
Manager, CIP Compliance Monitoring
Supply Chain Risk Management
Top 16 Commonly Asked Questions
Supply Chain Risk Management Effective Date
July 1, 2020 (also Canada Day, Creative Ice Cream Flavors Day, International Chicken Wing Day, International Joke Day, and National Postal Worker Day)
Standards effective on that date:
● CIP-013-1
● CIP-005-6
● CIP-010-3
CIP-013-1 R1 Part 1.1
Question 1
Should a registered entity consider applying the Supply Chain Risk Management Standards to low impact BES Cyber Systems, Protected Cyber Assets (PCAs), Electronic Access Control or Monitoring Systems (EACMS), or Physical Access Control Systems (PACS)?
Answer 1
● Project 2019-03 Cyber Security Supply Chain Risks extends the supply chain requirements to PACS and EACMS:
• CIP-005-7 Parts 2.4 and 2.5
• CIP-010-4 Part 1.6
• CIP-013-2 R1 Parts 1.1 and 1.2
● NERC Supply Chain Risk Assessment recommendation:
• “Include low impact BES Cyber Systems with remote electronic access connectivity in future modification of Supply Chain Standards.”
Questions 2, 3, & 4
What does the term “vendor” mean?
Is a reseller applicable to Part 1.1?
Could a registered entity be considered a “vendor” if they are providing non-reliability services?
Answers 2, 3, & 4
From the CIP-013-1 Supplemental Material:
The term vendor(s) as used in the standard is limited to those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. It does not include other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.
So a reseller is a vendor for the purposes of Part 1.1, and a NERC registered entity is excluded only when it provides reliability services; one that supplies non-reliability products or services can be a vendor.
Question 5
Is it necessary to implement CIP-013-1 R1 Part 1.1 for resellers if the contract is directly with the vendor?
Answer 5
● Part 1.1 requires identification and assessment of cyber security risks. A registered entity should identify and assess any cyber security risks that may be involved in purchasing the applicable hardware or software from the vendor it is contracted with.
● Although the primary focus should be on the vendor you are
contracted with, cyber security risks associated with the
reseller should not be ignored as part of your cyber security
risk identification and assessment.
Question 6
Should a registered entity identify and assess cyber security risks related to the vendor and/or product or service?
Answer 6
Both should be done to conduct an accurate cyber security risk identification and assessment, for example using:
● Vendor questionnaire
● Product or service questionnaire
Question 7
Does a registered entity need to mitigate identified and assessed cyber security risks?
Answer 7
FERC Order No. 829
The security objective is to ensure entities consider cyber security risks
to the BES from vendor products or services resulting from: (i)
procuring and installing vendor equipment and software; and (ii)
transitions from one vendor(s) to another vendor(s); and options for
mitigating these risks when planning for BES Cyber Systems.
Question 8
Prior to July 1, 2020, what if a registered entity has Cyber Assets that were purchased in bulk and stored as inventory, then after July 1, 2020, some or all are commissioned as a BCA? Does the registered entity have to implement CIP-013-1 R2?
Answer 8
● Any procurement of BES Cyber Systems on or after July 1, 2020, including vendor products or services resulting from (i) procuring and installing vendor equipment and software and (ii) transitions from one vendor(s) to another vendor(s), is subject to CIP-013-1.
Question 9
Should a registered entity include a provision for an after-the-fact cyber security risk identification and assessment under emergency situations?
Answer 9
● CIP-013-1 is applicable to any procurement regardless of the
scenario, including an emergency.
● The registered entity should consider including language in its
plan to address the potential for the use of purchasing cards in
emergency situations.
● The registered entity should consider conducting an after-the-fact cyber security risk identification and assessment and implementing any mitigations for the procurement.
Question 10
How often should a registered entity re-assess a vendor?
Answer 10
Based on the registered entity's plan, for example:
● With every procurement (existing assessments could be leveraged)
● When certain “triggers” are met, such as the vendor being bought or sold
● Annually, bi-annually, etc.
Question 11
Can a registered entity use a third-party service to conduct a vendor cyber security risk identification and assessment?
Answer 11
Third-party services could be used to complement a registered
entity’s own cyber security identification and risk assessment.
CIP-013-1 R1 Part 1.2
Question 12
What if the registered entity’s vendor cannot adhere to one or more sub-parts (1.2.1-1.2.6)?
Answer 12
● Registered entities should document and implement controls
for Part 1.2 in the absence of vendor adherence.
● For example, if the registered entity’s vendor is not notifying it
of vendor-identified incidents, then a control that monitors US-
CERT, ICS-CERT, E-ISAC, and NERC Alerts could be
implemented.
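The compensating control in the second bullet, watching public advisory sources when the vendor does not notify you itself, can be partly automated. The Go program below is an added example and is not from the Texas RE deck or from NERC: it correlates a constructed JSON advisory feed against a constructed software inventory for applicable BES Cyber Systems and reports which hosts run an affected version. The feed layout, field names, the matching rule (same vendor and product, installed version below the first fixed version, or any version when no fix exists yet), and all vendor, product and advisory identifiers are assumptions of the example; a real source such as ICS-CERT advisories or E-ISAC postings would need its own parser in place of the JSON one here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Asset is one entry of the entity's own software inventory; Advisory is the record this
// example reads from a JSON feed (keys match case-insensitively; empty FixedIn means no fix yet).
type Asset struct{ Host, Vendor, Product, Version string }
type Advisory struct{ ID, Vendor, Product, FixedIn string }

// parseVersion turns "4.2.0" into [4 2 0]; a non-numeric part is reported, not skipped.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimSpace(v), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// VersionLess reports a < b component-wise; missing trailing components count as zero.
func VersionLess(a, b []int) bool {
	at := func(v []int, i int) int {
		if i < len(v) {
			return v[i]
		}
		return 0
	}
	for i := 0; i < len(a) || i < len(b); i++ {
		if x, y := at(a, i), at(b, i); x != y {
			return x < y
		}
	}
	return false
}

// Affected: same vendor and product (case-insensitive) and installed below the fix, or no fix at all.
func Affected(a Asset, adv Advisory) (bool, error) {
	if !strings.EqualFold(a.Vendor, adv.Vendor) || !strings.EqualFold(a.Product, adv.Product) {
		return false, nil
	}
	if adv.FixedIn == "" {
		return true, nil
	}
	installed, err := parseVersion(a.Version)
	if err != nil {
		return false, err
	}
	fixed, err := parseVersion(adv.FixedIn)
	if err != nil {
		return false, err
	}
	return VersionLess(installed, fixed), nil
}

// MatchAdvisories parses the feed and maps each affected host to the advisory IDs that apply.
// A version that will not parse aborts the run instead of silently hiding a possible match.
func MatchAdvisories(feed []byte, inventory []Asset) (map[string][]string, error) {
	var advisories []Advisory
	if err := json.Unmarshal(feed, &advisories); err != nil {
		return nil, err
	}
	hits := map[string][]string{}
	for _, adv := range advisories {
		for _, a := range inventory {
			if affected, err := Affected(a, adv); err != nil {
				return nil, err
			} else if affected {
				hits[a.Host] = append(hits[a.Host], adv.ID)
			}
		}
	}
	return hits, nil
}

// SampleFeed and SampleInventory are constructed; vendors, products and IDs are fictitious.
const SampleFeed = `[
 {"id":"ADV-0001","vendor":"ExampleRTU","product":"RTU Firmware","fixedin":"4.2.0"},
 {"id":"ADV-0002","vendor":"ExampleHMI","product":"HMI Server","fixedin":""},
 {"id":"ADV-0003","vendor":"ExampleRTU","product":"RTU Firmware","fixedin":"3.9.1"}
]`

var SampleInventory = []Asset{
	{"rtu-01", "ExampleRTU", "RTU Firmware", "4.1.7"},
	{"rtu-02", "ExampleRTU", "RTU Firmware", "4.2.0"},
	{"hmi-01", "ExampleHMI", "HMI Server", "2.0"},
	{"relay-01", "OtherVendor", "Relay", "1.0"},
}

func main() {
	fmt.Println(MatchAdvisories([]byte(SampleFeed), SampleInventory))
}
```

On the constructed data only rtu-01 (4.1.7, below the 4.2.0 fix) and hmi-01 (an advisory with no fix yet) are reported; rtu-02 sits exactly at the fixed version and is not. Note the two deliberate choices: version parsing failures are errors rather than "no match", because a badly recorded inventory entry should not make a vulnerable host disappear from the report, and comparison pads missing components with zeros so 3.2 and 3.2.0 are treated as the same release.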
Question 13
Could a registered entity provide a redacted (due to confidentiality issues relating to the contract and associated communications) executed contract, attestation(s) from vendor and internal supply chain personnel, and internal processes/procedures as evidence of implementation for CIP-013-1 R2?
Answer 13
● An executed contract demonstrating Part 1.2 was addressed
could be sufficient to demonstrate compliance if the registered
entity also provides additional supporting evidence such as
processes/procedures, email communications, and
attestations.
● The registered entity should not reveal any sensitive or
proprietary information that would cause a breach of contract.
CIP-005-6 R2 Part 2.4
CIP-005-6 R2 Part 2.5
Question 14
Does a registered entity have to demonstrate evidence that method(s) are implemented?
Answer 14
● Evidence of the capability
● Level 2 sample sets:
• Logs
• Configurations
• Screenshots
● Live demonstrations
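CIP-005-6 Parts 2.4 and 2.5 require one or more methods for determining active vendor remote access sessions (both Interactive Remote Access and system-to-system) and for disabling them. The Go program below is an added example, not part of the Texas RE deck, and shows the “determine” half over a constructed session log: it parses key=value lines, keeps only sessions still marked active, and attributes them to vendors using the entity's own list of vendor-issued accounts rather than guessing from a username prefix. The log format, account names, vendor names and addresses are all assumptions of the example; the disable step depends on the VPN concentrator or jump host in use and is not shown.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Session is one remote-access session parsed from the constructed key=value
// session log below; the log format is an assumption of this example.
type Session struct{ ID, User, Src, Dst, Kind, State string }

// VendorAccounts lists the accounts the entity issued to vendor personnel and
// vendor systems, keyed by account name. Matching on this list rather than on a
// username prefix means an oddly named vendor account is still caught. Constructed.
var VendorAccounts = map[string]string{
	"vend-acme-jsmith":   "ACME Automation",
	"svc-acme-telemetry": "ACME Automation",
	"vend-rtuco-support": "RTUCo",
}

// ParseSession reads one log line; tokens without "=" (such as the leading
// timestamp) are ignored. A line missing sid or user is rejected.
func ParseSession(line string) (Session, bool) {
	var s Session
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "sid":
			s.ID = v
		case "user":
			s.User = v
		case "src":
			s.Src = v
		case "dst":
			s.Dst = v
		case "kind":
			s.Kind = v
		case "state":
			s.State = v
		}
	}
	return s, s.ID != "" && s.User != ""
}

// ActiveVendorSessions returns the sessions that are still active and belong
// to a vendor account, grouped by vendor. Both interactive and system-to-system
// sessions are included, since Part 2.4 covers both.
func ActiveVendorSessions(log string) map[string][]Session {
	out := map[string][]Session{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		s, ok := ParseSession(sc.Text())
		if !ok || s.State != "active" {
			continue
		}
		if vendor, isVendor := VendorAccounts[s.User]; isVendor {
			out[vendor] = append(out[vendor], s)
		}
	}
	return out
}

// SampleLog is constructed for this example; addresses are from documentation ranges.
const SampleLog = `2020-03-19T14:02:11Z sid=1001 user=vend-acme-jsmith src=203.0.113.5 dst=10.10.1.20 kind=interactive state=active
2020-03-19T14:05:43Z sid=1002 user=svc-acme-telemetry src=198.51.100.7 dst=10.10.1.30 kind=system state=active
2020-03-19T13:40:02Z sid=1003 user=vend-rtuco-support src=203.0.113.9 dst=10.10.1.21 kind=interactive state=closed
2020-03-19T14:06:10Z sid=1004 user=ops-jdoe src=10.20.0.5 dst=10.10.1.20 kind=interactive state=active
malformed line without fields`

func main() {
	for vendor, sessions := range ActiveVendorSessions(SampleLog) {
		for _, s := range sessions {
			fmt.Printf("%s: session %s %s %s -> %s (%s)\n", vendor, s.ID, s.User, s.Src, s.Dst, s.Kind)
		}
	}
}
```

On the constructed log only the two ACME sessions are reported: the RTUCo session is already closed and ops-jdoe is an internal account. Run on a schedule or on demand, the timestamped output is the kind of log-derived artifact a Level 2 sample set would draw on, and keeping the vendor-account list in one place makes it easy to show which accounts the method covers.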
CIP-010-3 R1 Part 1.6
Question 15
If the registered entity’s “method to do so” is not available, does the registered entity need to demonstrate evidence?
Answer 15
● Evidence must be provided to demonstrate the “method to do so” was not available, for example:
• Change request tickets (dated evidence)
• Logs
Question 16
Is open-source software in scope for CIP-013-1 and CIP-010-3?
Answer 16
● A registered entity should implement its cyber security risk
identification and assessment for all procurements of open-
source software on all applicable systems.
● A registered entity should implement a method to verify the
identity of the source and the integrity of the open-source
software on all applicable systems.
● Document the controls implemented that minimize the risks associated with open-source software.
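CIP-010-3 Part 1.6 asks for a method to verify the identity of the software source and the integrity of the software obtained, and that applies to open-source software as much as to vendor software. The Go program below is an added example, not part of the Texas RE deck, and shows one way to do both checks at once: the release ships a manifest of SHA-256 digests plus an Ed25519 signature over that manifest, the entity pins the publisher's public key obtained through a separate channel, and a release is accepted only if the signature verifies under the pinned key (identity of the source) and every file's digest matches the signed manifest (integrity). The key seeds, file names, file contents and manifest layout are constructed for the example; a real project would typically publish a detached GPG or Sigstore signature instead, but the two checks are the same.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned publisher key")
	ErrNotListed    = errors.New("file is not listed in the signed manifest")
	ErrDigest       = errors.New("file digest does not match the signed manifest")
)

// VerifyRelease accepts a release only if the manifest is signed by the pinned key
// (identity of the source) and every file's SHA-256 matches the manifest (integrity).
// Manifest lines have the form "<hex sha256>  <file name>", as sha256sum prints them.
func VerifyRelease(pinned ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pinned, manifest, sig) {
		return ErrBadSignature
	}
	expected := map[string]string{}
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", sc.Text())
		}
		expected[fields[1]] = strings.ToLower(fields[0])
	}
	for name, data := range files {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("%w: %s", ErrNotListed, name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s", ErrDigest, name)
		}
	}
	return nil
}

// Demo builds a constructed release (publisher key from a fixed seed, a manifest over
// two files, and a second key playing an impostor) and returns the outcome of verifying
// the genuine release, a release with one tampered file, and an impostor-signed manifest.
func Demo() (genuine, tampered, impostor error) {
	publisher := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	pinned := publisher.Public().(ed25519.PublicKey) // in practice obtained out of band

	files := map[string][]byte{
		"rtu-firmware-4.2.0.bin": []byte("constructed firmware image"),
		"release-notes.txt":      []byte("constructed release notes"),
	}
	var mb strings.Builder
	for _, name := range []string{"rtu-firmware-4.2.0.bin", "release-notes.txt"} {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(&mb, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	manifest := []byte(mb.String())
	sig := ed25519.Sign(publisher, manifest)

	genuine = VerifyRelease(pinned, manifest, sig, files)

	altered := map[string][]byte{
		"rtu-firmware-4.2.0.bin": []byte("constructed firmware image, one byte added!"),
		"release-notes.txt":      files["release-notes.txt"],
	}
	tampered = VerifyRelease(pinned, manifest, sig, altered)

	impostor = VerifyRelease(pinned, manifest, ed25519.Sign(attacker, manifest), files)
	return genuine, tampered, impostor
}

func main() {
	g, t, i := Demo()
	fmt.Println("genuine release:   ", g)
	fmt.Println("tampered file:     ", t)
	fmt.Println("impostor signature:", i)
}
```

The two failure paths matter as much as the success path. A digest that merely sits next to the download on the same web page proves nothing about the source, since whoever can swap the file can swap the digest; only the signature under a key pinned through a separate channel ties the manifest to the publisher, and only the digests in that signed manifest tie the files to the release. Keep the pinned key and the verification log together with the change request ticket, since that is the evidence Part 1.6 asks for.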
Questions?