
Page 1: 2017 Spring Workshop - rfirst.org · Follow us on LinkedIn and Twitter 2017 Spring Workshop . 2016 CIP Violation & Themes Update Deandra Williams -Lewis, Director of Enforcement Kristen

Forward Together • ReliabilityFirst 1


2017 Spring Workshop


2016 CIP Violation & Themes Update

Deandra Williams-Lewis, Director of Enforcement
Kristen Senk, Senior Counsel

Baltimore, MD
April __, 2017


2016 CIP / Operations & Planning Violations

[Pie chart, 2016 CIP / Operations & Planning violations: CIP 65%, Operations & Planning 35%]


Violation Volume Decreasing

2010: Mandatory Compliance for all CIP Standards Begins; RF commences full scope audits; Entities at beginning stages of CIP implementation

2015: Maturation of CIP programs; Increased use of automated tools; increased outreach

2016: V5 Preparation and Transition

CIP Violations by Deemed Date
2010: 261
2011: 163
2012: 156
2013: 91
2014: 111
2015: 110
2016: 104


Majority of Violations are Self-Reported

Larger Entities Drive Volume of Self-Reports

Two audit outliers in 2014 responsible for 92 of 117 audit violations, otherwise steady downward trend

[Bar chart: CIP violations by identification date, 2012-2016, split by source: Self-Reports/Self-Logging, Self-Certifications/Self-Logging, Audit]


Volume Driven by High-Frequency Conduct

Requirements concerning “high-frequency conduct” drive volume
• CIP-004, R4 (access: lists for cyber access and physical access; revoking privileges)
• CIP-006, R1 (physical security of critical cyber assets: physical access logging)
• CIP-007, R5 (account management: passwords and access lists)

These violations tend to be self-reported and pose a lesser risk
• However, can be indicative of systemic issues

[Charts: Most Reported CIP Standards, 2008-2016: CIP-006 / CIP-007 / CIP-004 versus remaining CIP, and CIP-004/CIP-006/CIP-007 combined versus remaining CIP]


Decrease between Deemed and Reporting Dates

Detection and Reporting Duration Improvement

Average Days from Violation Start Date to Report Date, by Deemed Date
2012: 437.46
2013: 241.31
2014: 277.19
2015: 220.57
2016: 103.67


Improved Risk Posture

Year-over-year decrease in severity

75% of CIP violations are Minimal to Moderate risk 9% of CIP violations are serious risk

• Implementation issues• Culture and programmatic issues

2009-2016 CIP Violations by risk level

Risk       2009  2010  2011  2012  2013  2014  2015  2016
Minimal      28   144    84   100    59    77    50     7
Moderate     27    75    44    28    12     8     3     0
Serious      15    14    16    19     9     1     3     0


Observations

Possible Drivers of Positive Trending
• Maturation (both RF and Entities)
• Active Monitoring and Enforcement
• Trending, Analytics, and Sharing
  – Assist Visits and Outreach
  – CIP Themes Report
  – Case Study Outreach

Remain Vigilant – Moving Target

Dynamic Regulatory Approach
• Focus on continuous improvement
• Violations not always indicative of security state
  – Volume can indicate strong detective controls or weak preventative/corrective controls
  – Paper compliance does not equal security
• Proactively identify themes and management practices


2015 CIP Themes Report


2015 Report identified 5 themes:


Complacency


Entities must stay vigilant in ensuring security and compliance.


Business Unit Silos


Lack of coordination between departments, business units, and different levels of management


Disassociation

[Diagram: SECURITY and COMPLIANCE shown as separate boxes]


Lack of Awareness


Lack of awareness of entity’s capabilities, deficiencies, systems, and processes


Inadequate Tools


Inadequate tools, ineffective use of tools, and overreliance on automation


Questions & Answers


Break



Low Impact Effective Dates, Standard Revisions and RSAW Updates

Felek Abbas, NERC, Senior CIP Compliance Advisor
Lew Folkerth, RF, Principal Reliability Consultant


RELIABILITY | ACCOUNTABILITY

Agenda

• Low Impact Effective Dates
• Recent CIP Standard Revisions
  o CIP-002-5.1a (In Effect)
  o CIP-003-7 (Pending FERC Approval)
• Recent RSAW Revisions
  o CIP-002-5.1a (In Effect)
  o CIP-003-7 (Pending)


Low Impact Effective Dates


Low Impact Effective Dates
• July 1, 2016
  o Identify each asset that contains a low impact BES Cyber System [CIP-002-5.1 R1 Part 1.3]
  o Review the identification of assets [CIP-002-5.1 R2 Part 2.1]
  o CIP Senior Manager (or delegate) approval of identification of assets [CIP-002-5.1 R2 Part 2.2]
  o Designate a CIP Senior Manager [CIP-003-6 R3]
• On or after July 1, 2016, but before a delegate exercises approval authority
  o Designate CIP Senior Manager delegates, as applicable [CIP-003-6 R4]


Low Impact Effective Dates
• April 1, 2017
  o Documented cyber security policies for low impact BES Cyber Systems [CIP-003-6 R1 Part 1.2]
  o CIP Senior Manager approval of policies for low impact BES Cyber Systems [CIP-003-6 R1 Part 1.2]


Low Impact Effective Dates
• April 1, 2017
  o Document cyber security plan for low impact BES Cyber Systems [CIP-003-6 R2]
    – Cyber security awareness [CIP-003-6 Attachment 1 Section 1]
    – Cyber Security Incident response [CIP-003-6 Attachment 1 Section 4]
  o Implement the plan for cyber security awareness [CIP-003-6 Attachment 1 Section 1]


Low Impact Effective Dates
• April 1, 2017
  o Implement the plan for Cyber Security Incident response
    – Develop Cyber Security Incident response plan [CIP-003-6 Attachment 1 Sections 4, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6]
    – Initial test of Cyber Security Incident response plan [CIP-003-6 Attachment 1 Section 4.5]

Per the Implementation Plan for Version 5 CIP Cyber Security Standards, dated October 26, 2012, and incorporated by reference into the Implementation Plan for CIP Version 5 Revisions, dated January 23, 2015.


Low Impact Effective Dates
• September 1, 2017 (within 180 calendar days of initial test)
  o Implement the plan for Cyber Security Incident response
    – Update of Cyber Security Incident response plan based on initial test, if needed [CIP-003-6 Attachment 1 Section 4.6]


Low Impact Effective Dates
• From “Implementation Plan for Version 5 CIP Cyber Security Standards,” October 26, 2012
• Initial Performance of Certain Periodic Requirements
  Specific Version 5 CIP Cyber Security Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to, “. . . at least once every 15 calendar months . . .”, and responsible entities shall comply initially with those periodic requirements as follows:
  o On or before the Effective Date of CIP-003-5, Requirement R2 for the following requirement:
    – CIP-003-5, Requirement R2


Low Impact Effective Dates
• From “Implementation Plan, Project 2014-02 CIP Version 5 Revisions”, January 23, 2015
• Initial Performance of Certain Periodic Requirements
  For those requirements with recurring periodic obligations, refer to the Version 5 Plan for compliance dates. These compliance dates are not extended by the effective date of CIP Version 5 Revisions.


Low Impact Effective Dates
• September 1, 2018
  o Physical Security Controls [CIP-003-6 R2 Attachment 1 Section 2]
  o Electronic Access Controls [CIP-003-6 R2 Attachment 1 Section 3]
  o CIP-003-7 was filed with FERC on March 3, 2017. However, CIP-003-7 is very unlikely to come into effect before September 1, 2018. You will need to comply with the CIP-003-6 version of these requirements beginning September 1, 2018, until the effective date of CIP-003-7.


Standard Revisions: CIP-002-5.1a


Standard Revisions – In Effect
• CIP-002-5.1a – Interpretation of CIP-002-5.1
  o Effective as of December 27, 2016
  o Interpretation requested by EnergySec
  o Interpretations do not change the language of the Standard
  o Interpretations tell us what the Standard means, and has meant since it became effective


• CIP-002-5.1a Question 1
  o Whether the phrase “shared BES Cyber Systems” means that the evaluation for Criterion 2.1 shall be performed individually for each discrete BES Cyber System at a single plant location, or collectively for groups of BES Cyber Systems?
• Answer 1 Summary
  o The evaluation as to whether a BES Cyber System is shared should be performed individually for each discrete BES Cyber System.


• CIP-002-5.1a Question 2
  o Whether the phrase “shared BES Cyber Systems” refers to discrete BES Cyber Systems that are shared by multiple units, or groups of BES Cyber Systems that could collectively impact multiple units?
• Answer 2 Summary
  o The phrase “shared BES Cyber Systems” refers to discrete BES Cyber Systems that are shared by multiple generation units.


• CIP-002-5.1a Question 3
  o If the phrase applies collectively to groups of BES Cyber Systems, what criteria should be used to determine which BES Cyber Systems should be grouped for collective evaluation?
• Answer 3
  o The phrase applies to each discrete BES Cyber System.


Standard Revisions: CIP-003-7


• Low Impact External Routable Connectivity (LERC) and Low Impact Bulk Electric System (BES) Cyber System Electronic Access Point (LEAP) changes approved by industry in 2016 (CIP-003-7)

• Transient Cyber Assets (TCA) for low impact approved by industry in February, 2017 (CIP-003-7(i))

• NERC Board of Trustees approval in February, 2017 for both sets of changes – as “CIP-003-7”

• Filed with Federal Energy Regulatory Commission (FERC) on March 3, 2017 (prior to the LERC/LEAP deadline of March 31, 2017)

Low Impact Revisions


Low Impact Revisions

Table 1 – Effective Date of CIP-003-7 Based on Date of Publication of FERC Order in the Federal Register

Date of Publication in Federal Register      Effective Date of CIP-003-7
January 31, 2017 – May 1, 2017               January 1, 2019
May 2, 2017 – August 1, 2017                 April 1, 2019
August 2, 2017 – November 1, 2017            July 1, 2019
November 2, 2017 – January 30, 2018          October 1, 2019
January 31, 2018 – May 1, 2018               January 1, 2020
May 2, 2018 – August 1, 2018                 April 1, 2020
August 2, 2018 – November 1, 2018            July 1, 2020
November 2, 2018 – January 30, 2019          October 1, 2020

This table assumes an order will become effective 60 days after publication in the Federal Register.


Low Impact Revisions
• Revisions completed in response to directives in FERC Order
• Eliminated “LERC” and “LEAP” definitions
  o Embedded concepts directly into requirement language
  o Updated reference diagrams
• Added Transient Cyber Asset (TCA) for low impact BES Cyber Systems

(Note – additional tasks are underway by the same SDT)


Low Impact Revisions
• All (cyber security protection) requirements for low impact BES Cyber Systems continue to reside in CIP-003
  o “Low Only Entities” only need to comply with CIP-002 and CIP-003 (including documentation that there are no high or medium impact BES Cyber Systems - CIP-002, and Policy and Senior Manager actions - CIP-003)


LERC/LEAP Revisions
• Removed the terms Low Impact External Routable Connectivity (LERC) and Low Impact BES Cyber System Electronic Access Point (LEAP)
  o Sections 2 and 3 of Attachments 1 and 2
• The modifications incorporate concepts and select language from the LERC definition into Attachment 1, Section 3 and focus the requirement on implementing electronic access controls for asset(s) containing Low Impact BES Cyber System(s).


Low Impact Revisions
• Uses the phrase “asset containing Low Impact BES Cyber Systems”
  o This means the station, plant, or Control Center that contains the BES Cyber Systems
  o Physical and cyber security requirements apply to the group of BES Cyber Systems as a whole, generally implemented as border protections around them
  o Does not require a discrete list of BES Cyber Systems (but does require a list of “assets containing low impact BES Cyber Systems”)
• Continues to focus protections on “routable communications”


Revised Language



Reference Diagrams
• Ten reference diagrams
• Modified in response to FERC’s concerns dealing with “direct” communications (as compared to indirect communications)
  o Eliminated references to “direct” communications
• All show routable communications crossing the “asset boundary”
  o Not all show routable communication to low impact BES Cyber Systems
• No reference diagrams for serial-only communications

Reference Models 1 through 10 (diagram slides)


TCA for Low Revisions
• Modified definitions to include low impact environment concepts
• Added new “Section 5” to Attachments 1 and 2
  o Consistent with keeping all (cyber security protection) requirements for low impact BES Cyber Systems in CIP-003
• TCA language is modeled after and consistent with TCA language in CIP-010
  o Allows consistent programs for all TCAs, if desired
  o Eliminated sections which imply “inventory”


Transient Cyber Asset Revised Definition

Transient Cyber Asset (TCA): A Cyber Asset that is:
1. capable of transmitting or transferring executable code,
2. not included in a BES Cyber System,
3. not a Protected Cyber Asset (PCA) associated with high or medium impact BES Cyber Systems, and
4. directly connected (e.g., using Ethernet, serial, Universal Serial Bus (USB), or wireless including near field or Bluetooth communication) for 30 consecutive calendar days or less to a:
   • BES Cyber Asset,
   • network within an Electronic Security Perimeter (ESP) containing high or medium impact BES Cyber Systems, or
   • PCA associated with high or medium impact BES Cyber Systems.

Examples of TCAs include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.


Removable Media Revised Definition

Removable Media: Storage media that:
1. are not Cyber Assets,
2. are capable of transferring executable code,
3. can be used to store, copy, move, or access data, and
4. are directly connected for 30 consecutive calendar days or less to a:
   • BES Cyber Asset,
   • network within an Electronic Security Perimeter (ESP) containing high or medium impact BES Cyber Systems, or
   • Protected Cyber Asset associated with high or medium impact BES Cyber Systems.

Examples of Removable Media include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.

[TCA for Low Revisions: three diagram slides]


Recent RSAW Revisions


RSAWs

• RSAW Background
  – Auditors’ tool
  – Initial interface with entity
• Posting with new or revised Standard
  – Comments, not votes
  – Subject to change based on current audit practice


• CIP-002-5.1a
  – Updated revision to 5.1a
  – Included fixes for minor errata
  – No substantial changes


• CIP-003-7 R1
  – Added provisions for the additional policy topics


• CIP-003-7 R2
  – Major changes to Section 3
  – New Section 5
  – The applicable Sections are now identified in the Compliance Assessment Approach


Attachment 1
For each asset or group of assets containing low impact BES Cyber Systems, verify that the Responsible Entity has documented one or more cyber security plan(s), as specified in Attachment 1, for its low impact BES Cyber Systems that include:
1. Cyber security awareness;
2. Physical security controls;
3. Electronic access controls;
4. Cyber Security Incident response; and
5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation.


Attachment 1, Section 3
For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, verify that the Responsible Entity:
1. Has determined the necessary inbound and outbound electronic access for any communications that are:
   a. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
   b. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
   c. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR-61850-90-5 R-GOOSE).
2. Has implemented electronic access control for any determinations made in (1), above.
3. Has authenticated all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.
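A worked version of items 1 and 2, added here as an example and not taken from the slides or from any NERC or RF tool: it classifies candidate communications against the three criteria in item 1 (touches a low impact BES Cyber System and crosses the asset boundary, routable, not time-sensitive protection traffic between IEDs) and then tests an access list against both the documented flows and some undocumented probe traffic, the way an auditor would walk a firewall rule set against the entity's determination. The asset network, the BES Cyber System addresses, the protocol tags, the flows and both rule sets are constructed sample data; the time-sensitive exclusion is recognised by a protocol tag rather than by inspecting packets, and serial-only links are simply absent from a routable flow table. The example goes past the slide by placing an overly broad rule set next to a corrected one.

```python
"""Classify communications per CIP-003-7 Attachment 1 Section 3 and audit an
access list against them. Added example with constructed data; not from the
RF/NERC slides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed asset boundary: the substation LAN holding low impact BES Cyber Systems.
ASSET_NETWORKS = [ip_network("10.20.0.0/24")]
# Assumed low impact BES Cyber Systems inside that asset (an RTU and a gateway).
LOW_IMPACT_BCS = {ip_address("10.20.0.11"), ip_address("10.20.0.12")}
# Protocol tags treated as time-sensitive protection/control traffic between
# IEDs (the item 1.c exclusion). A tag is an assumption standing in for
# packet-level identification.
TIME_SENSITIVE = {"r-goose"}


@dataclass(frozen=True)
class Flow:
    src: str      # IP address
    dst: str      # IP address
    proto: str    # "tcp/502", "udp/514", "r-goose", ...
    purpose: str  # the entity's documented reason for the flow


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # exact proto tag or "any"


def in_asset(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in ASSET_NETWORKS)


def needs_access_control(f: Flow) -> bool:
    """Item 1: (a) between a low impact BCS and a Cyber Asset outside the
    asset, (b) routable when entering or leaving the asset, and (c) not
    time-sensitive protection/control traffic between IEDs."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    touches_bcs = src in LOW_IMPACT_BCS or dst in LOW_IMPACT_BCS   # (a)
    crosses_boundary = in_asset(f.src) != in_asset(f.dst)          # (a)/(b)
    time_sensitive = f.proto.lower() in TIME_SENSITIVE             # (c)
    return touches_bcs and crosses_boundary and not time_sensitive


def evaluate(rules, f: Flow) -> str:
    """First-match evaluation with an implicit deny at the end, as on most
    firewalls and router ACLs."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and r.proto in ("any", f.proto)):
            return r.action
    return "deny"


def audit(rules, documented, probes) -> dict:
    """Item 2 check: every documented flow that needs control must be
    permitted, and traffic outside the determination that needs control must
    be denied. Out-of-scope flows (internal, or excluded by item 1.c) are
    listed so the reviewer can confirm each exclusion is deliberate."""
    findings = {"needed_blocked": [], "undocumented_permitted": [], "out_of_scope": []}
    for f in documented:
        if not needs_access_control(f):
            findings["out_of_scope"].append(f.purpose)
        elif evaluate(rules, f) != "permit":
            findings["needed_blocked"].append(f.purpose)
    for f in probes:
        if needs_access_control(f) and evaluate(rules, f) == "permit":
            findings["undocumented_permitted"].append(f.purpose)
    return findings


# Constructed: the entity's documented determination of necessary access.
DOCUMENTED = [
    Flow("10.99.0.5", "10.20.0.11", "tcp/502", "control center Modbus polling of RTU"),
    Flow("10.20.0.12", "10.99.0.20", "udp/514", "syslog to central collector"),
    Flow("10.20.0.11", "10.20.0.50", "tcp/502", "local HMI"),          # stays inside the asset
    Flow("10.20.0.12", "10.30.0.7", "r-goose", "protection scheme"),   # excluded by item 1.c
]
# Constructed: traffic not in the determination, used to probe the rule set.
PROBES = [
    Flow("203.0.113.9", "10.20.0.11", "tcp/22", "SSH from the Internet"),
    Flow("10.99.0.5", "10.20.0.12", "tcp/23", "telnet from control center"),
]
# Weak: trusts the whole control center subnet for any protocol, both ways.
WEAK_RULES = [
    Rule("permit", "10.99.0.0/24", "10.20.0.0/24", "any"),
    Rule("permit", "10.20.0.0/24", "10.99.0.0/24", "any"),
]
# Corrected: one host-to-host, single-protocol rule per determined flow.
TIGHT_RULES = [
    Rule("permit", "10.99.0.5/32", "10.20.0.11/32", "tcp/502"),
    Rule("permit", "10.20.0.12/32", "10.99.0.20/32", "udp/514"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("tight", TIGHT_RULES)):
        print(name, audit(rules, DOCUMENTED, PROBES))
```

With the weak rule set the audit passes every documented flow but also reports the undocumented telnet session as permitted; the corrected set permits exactly the two determined flows and falls through to the implicit deny for everything else, which is the evidence an auditor looks for under item 2.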


Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity, if any, verify the Responsible Entity has a Transient Cyber Asset risk mitigation plan that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems. The plan should specify whether the Transient Cyber Assets are managed in an ongoing manner, an on-demand manner, or a combination of these.

Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity in an ongoing manner, verify that the Transient Cyber Assets have an effective means of mitigating the risk of the introduction of malicious code onto the Transient Cyber Asset.

Attachment 1, Section 5
For Transient Cyber Assets managed by the Responsible Entity in an on-demand manner, verify that the Responsible Entity has an effective means of assessing a Transient Cyber Asset such that the risk of introducing malicious code onto a low impact BES Cyber System is mitigated.

Page 68

RSAWs

Attachment 1, Section 5

For Transient Cyber Assets managed by the Responsible Entity, verify the Responsible Entity has implemented its plan.

Attachment 1, Section 5

For Transient Cyber Assets managed by a party other than the Responsible Entity, if any, verify the Responsible Entity has a Transient Cyber Asset risk mitigation plan that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems.

Attachment 1, Section 5

For Transient Cyber Assets managed by a party other than the Responsible Entity, verify that the Responsible Entity has an effective means of assessing these Transient Cyber Assets such that the risk of introducing malicious code onto a low impact BES Cyber System is mitigated.

Attachment 1, Section 5

For Transient Cyber Assets managed by a party other than the Responsible Entity, verify the Responsible Entity has implemented its plan.

Page 69

RSAWs

Attachment 1, Section 5

For Removable Media, verify the Responsible Entity has a plan to:
1. Detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and
2. mitigate the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.

Attachment 1, Section 5

For Removable Media, verify the Responsible Entity has an effective means to:
1. Detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and
2. mitigate the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.

For Removable Media, verify the Responsible Entity has implemented its plan.

Page 70

RSAWs

Note to Auditor: Attachment 1, Section 3

1. For each asset identified as containing a low impact BES Cyber System(s) per CIP-002, the list of assets should identify those assets that have routable protocol communications between low impact BES Cyber System(s) and Cyber Asset(s) outside the asset containing the low impact BES Cyber System(s) when entering or leaving the asset and not used for time-sensitive protection or time-sensitive control functions.
   a. For these identified assets, obtain as evidence the devices used to control electronic access and the low impact BES Cyber Systems for which they control access.
2. For each asset identified as containing a low impact BES Cyber System(s) per CIP-002, the Responsible Entity has an obligation to determine the necessary inbound and outbound routable protocol communications between low impact BES Cyber System(s) and Cyber Asset(s) outside the asset containing the low impact BES Cyber System(s) when entering or leaving the asset and not used for time-sensitive protection or time-sensitive control functions. Once this determination has been made and documented, the audit team’s professional judgement cannot override the determination made by the Responsible Entity.

Page 71

RSAWs

Note to Auditor: Attachment 1, Section 3

3. For the inbound and outbound communications that the Responsible Entity has determined to be necessary, the Responsible Entity must identify the electronic access controls used to effectively control access to and from the low impact BES Cyber System(s).
4. The ten reference models included in the Guidelines and Technical Basis section of the standard outline methods that Responsible Entities may reference for their electronic access controls. Reference models 9 and 10 outline approaches for segmenting network traffic such that there are no routable protocol communications to the low impact BES Cyber System(s).
   a. Model 9 uses layer-2 network segmentation (VLANs) to control access. The configuration of the devices used to accomplish this must be documented by the Responsible Entity and assessed for its effectiveness in meeting the standard’s objective of controlling access to the low impact BES Cyber System(s).
   b. In Model 10, a single device receives both serial traffic destined for low impact BES Cyber System(s) and routable traffic destined for non-BES Cyber Asset(s). The device, as depicted in the model, logically isolates the serial traffic from the routable traffic. The configurations for the device must be documented by the Responsible Entity and assessed to determine whether or not the electronic access controls effectively meet the objective of controlling access to the low impact BES Cyber System(s).
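Item 3 above pairs the entity's documented Section 3 determination with the access controls that implement it. The following is an added example, not the RSAW's or any entity's method, of a self-check an entity can run before an audit: it compares the documented list of necessary routable communications with the permit rules exported from the access control device and reports determined flows with no rule, rules with no determination, and rules wider than what was determined. The record layouts and sample data are constructed.

```python
"""Reconcile a documented CIP-003 Attachment 1 Section 3 determination of
necessary routable communications with the permit rules configured on the
electronic access control device for the same asset.

Added example, not the RSAW's or any entity's method: the record layouts and
the sample data below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One communication the entity has determined to be necessary."""
    direction: str          # "inbound" into the asset, or "outbound"
    remote: str             # network of the Cyber Asset(s) outside the asset
    protocol: str           # "tcp" or "udp"
    port: int
    time_sensitive: bool = False  # R-GOOSE and similar IED traffic is out of scope


@dataclass(frozen=True)
class Rule:
    """One permit rule exported from the access control device."""
    direction: str
    remote: str
    protocol: str
    port: int


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _matches(rule, flow):
    """A rule implements a flow when it permits the same direction, protocol
    and port and its remote network contains the flow's remote network."""
    return (rule.direction == flow.direction and rule.protocol == flow.protocol
            and rule.port == flow.port
            and _net(flow.remote).version == _net(rule.remote).version
            and _net(flow.remote).subnet_of(_net(rule.remote)))


def reconcile(determination, rules):
    """Return (unimplemented, unjustified, broader):

    unimplemented: in-scope determined flows that no permit rule covers,
                   so Section 3 item 2 is not met for that flow;
    unjustified:   permit rules matching no determined flow, i.e. access the
                   entity never documented as necessary;
    broader:       rules that cover a determined flow but permit a wider
                   remote network than was determined.
    """
    scoped = [f for f in determination if not f.time_sensitive]
    unimplemented = [f for f in scoped if not any(_matches(r, f) for r in rules)]
    unjustified, broader = [], []
    for r in rules:
        covered = [f for f in scoped if _matches(r, f)]
        if not covered:
            unjustified.append(r)
        elif all(_net(f.remote) != _net(r.remote) for f in covered):
            broader.append(r)
    return unimplemented, unjustified, broader


# Constructed sample: the entity's documented determination for one asset.
DETERMINATION = [
    Flow("inbound", "10.20.5.0/24", "tcp", 20000),      # SCADA polling from the control center
    Flow("outbound", "10.20.5.10/32", "udp", 123),      # NTP to the control center time server
    Flow("inbound", "10.20.5.0/24", "tcp", 22),         # engineering access
    Flow("outbound", "10.30.0.0/16", "udp", 102, time_sensitive=True),  # R-GOOSE between IEDs
]

# Constructed sample: permit rules exported from the access control device.
RULES = [
    Rule("inbound", "10.20.5.0/24", "tcp", 20000),
    Rule("outbound", "10.20.0.0/16", "udp", 123),       # wider than the determined /32
    Rule("inbound", "0.0.0.0/0", "tcp", 23),            # never determined as necessary
]

if __name__ == "__main__":
    unimplemented, unjustified, broader = reconcile(DETERMINATION, RULES)
    for label, items in (("unimplemented", unimplemented),
                         ("unjustified", unjustified), ("broader", broader)):
        print(label, *items, sep="\n  ")
```

The time-sensitive R-GOOSE flow is excluded from the comparison because Section 3 item 1(c) keeps it out of scope; everything else is compared rule by rule.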

Page 72

RSAWs

Note to Auditor: Attachment 1, Section 5

1. The phrase “per Transient Cyber Asset capability” grants the Responsible Entity flexibility to determine the method that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems.
2. The means of verifying the mitigation of the introduction of malicious code to a low impact BES Cyber System differs depending on whether a Transient Cyber Asset is managed by the Responsible Entity in an ongoing or an on-demand manner. The verification for a Transient Cyber Asset managed in an ongoing manner focuses on the process of preventing malware from being introduced to the Transient Cyber Asset. The verification for a Transient Cyber Asset managed in an on-demand manner focuses on the process used to ensure the Transient Cyber Asset may be safely used in a low impact BES Cyber System environment prior to such use. If the Transient Cyber Asset is managed in both an ongoing and an on-demand manner, then both verification techniques should be employed.

Page 73

References

• Project 2016-02 Development History:
  • Modifications to CIP Standards page: http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx


Page 75

Modifications to Attachment C

Bob Yates, Principal Technical Auditor

Page 76

Modifications to Attachment C

Started using new Attachment C in 2017

Based on NERC CIP Version 5 Evidence Request
• Made some revisions
• Modifications have been shared with NERC and the other Regions
• Plans for NERC and the Regions to get together and discuss revisions

Page 77

Modifications to Attachment C

Level 1 Tab
Green Tabs (populations)
Sample Sets L2 Tab
Level 2 Tab
Level 3 Tab (not currently used)


Page 79

Level 1 Tab

Rows with requested date of Fifty-five (55) business days prior to on-site audit
• These requests are for populations that are placed in Green Tabs
• Example:

Request ID | Standard | Requirement | Initial Evidence Request Required in RSAW and NERC Evidence Request Spreadsheet
CIP-002-R1-L1-02 | CIP-002-5.1 | R1 | Provide a listing of all BES assets, of a type listed in the Asset Type field, in service during the audit period for which you have or share compliance responsibility by using the BES Assets tab of this spreadsheet.
CIP-002-R1-L1-04 | CIP-002-5.1 | R1 | Provide a listing of all Cyber Assets that are included in or associated with a high or medium impact BES Cyber System on the CA tab of this spreadsheet.

Page 80

Level 1 Tab

Rows with requested date of Thirty (30) business days prior to on-site audit
• These requests are for Policies, Programs, Processes, Procedures and non-population Evidence
• Continue to package the PDF evidence your entity submits by Standard
• Example:

Request ID | Standard | Requirement | Initial Evidence Request Required in RSAW and NERC Evidence Request Spreadsheet
CIP-004-R1-L1-01 | CIP-004-6 | R1 | Provide each documented process that addresses the applicable requirement parts in CIP-004-6 R1.
CIP-004-R1-L1-02 | CIP-004-6 | R1 Part 1.1 | Provide evidence of the quarterly reinforcement materials provided to personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
CIP-004-R2-L1-02 | CIP-004-6 | R2 | Provide each documented program that addresses the applicable requirement parts in CIP-004-6 R2.

Page 81

Level 1 Tab

Rows with requested date of “NOTE: Do not send this evidence ahead of time. Audit team will review on-site”
• CIP-014-2 Evidence
• Example:

Request ID | Standard | Requirement | Initial Evidence Request Required in RSAW and NERC Evidence Request Spreadsheet
CIP-014-R1-L1-01 | CIP-014-2 | R1 | Provide results of assessment of substations for applicability under CIP-014-2.
CIP-014-R2-L1-01 | CIP-014-2 | R2 | Provide results of the third party review of the results of the assessment of substations in R1 for applicability under CIP-014-2.

Page 82

Green Tabs (Populations)

• BES Assets
• CA
• Low CA
• ESP
• EAP
• PSP
• TCA
• TCA Non-RE
• RM
• BCSI
• Personnel
• Reuse
• Disposal
• Incident Response

Page 83

Green Tabs (Populations)

Bulk Electric System (BES) Assets
• Asset ID
• Asset Type
• Description
• Commission Date
• Decommission Date
• Location
• Contains BES Cyber System - High Impact
• Contains BES Cyber System - Medium Impact
• Contains BES Cyber System - Low Impact
• Does any BES Cyber System have LERC?
• Is dial-up connectivity present at this asset?

Page 84

Green Tabs (Populations)

CA (Cyber Asset)
• Cyber Asset ID
• Cyber Asset Classification
• BES Cyber System ID
• Impact Rating
• Asset ID
• Connected to a Network Via a Routable Protocol?
• IP Address
• ESP Identifier [If Any]
• Accessible via Dial-up Connectivity
• Subject to CIP-005-5 R1.4
• Is IRA Enabled to this CA?
• PSP Identifier [If Any]
• Is logging performed at the CA or BCS Level?
• If logging is performed at the BCS level, identify the BCS that this CA is a member of where logging occurs

Page 85

Green Tabs (Populations)

CA (cont.)
• Identify the log collector for the CA or BCS
• Date of Activation in a Production Environment, if Activated During the Audit Period
• Date of Deactivation from a Production Environment, if Deactivated During the Audit Period
• Cyber Asset Function
• If Cyber Asset Function is Other or needs further explanation, specify
• Cyber Asset Vendor
• Cyber Asset Model
• Operating System or Firmware Type
• If Operating System or Firmware Type is Other, please specify
• External Routable Connectivity?
• System logging capable?
• Alerting capable?
• Responsible Registered Entity
• Function (TO, TOP, GO, GOP, etc.)

Page 86

Green Tabs (Populations)

ESP (Electronic Security Perimeter)
• ESP ID
• ESP Description
• Network Address
• Is External Routable Connectivity Permitted into the ESP?
• Is Interactive Remote Access Permitted into this ESP?

EAP (Electronic Access Point)
• EAP ID or Interface Name
• Cyber Asset ID of EACMS
• ESP ID

PSP (Physical Security Perimeter)
• PSP ID
• PSP Description
• Location

Page 87

Green Tabs (Populations)

TCA (Transient Cyber Asset)
• Transient Cyber Asset ID
• TCA Management Type
• TCA Description

TCA Non-RE (Transient Cyber Asset - Managed by Third Party)
• Transient Cyber Asset ID
• Managed by
• BES Asset ID Where Used
• Cyber Asset ID of BCA/PCA Accessed
• Date and Time of Access

RM (Removable Media)
• BES Asset ID Where Removable Media is Authorized for Use

Page 88

Green Tabs (Populations)

BCSI (BES Cyber System Information)
• Designated Storage Location
• Storage Type

Reuse (Cyber Asset Released for Reuse)
• Cyber Asset ID
• Date of Release for Reuse
• Date of Prevention of Unauthorized BCSI Retrieval

Disposal (Cyber Asset Disposed)
• Cyber Asset ID
• Date of Disposal
• Date of Prevention of Unauthorized BCSI Retrieval

Page 89

Green Tabs (Populations)

Personnel
• Unique Identifier (Employee Number, Badge Number, etc.)
• Individual's Full Name
• Personnel Type
• Individual's Company
• Position/Job Title
• Did Access Permissions Change During the Audit Period?
• If Individual Was Terminated During the Audit Period, Date of Termination Action
• Was Individual Transferred or Reassigned During the Audit Period?
• Terminated Individual had Access to High Impact BES Cyber Systems or Associated EACMS?
• Electronic Access
• Unescorted Physical Access
• Access to storage locations for BES Cyber System Information

Page 90

Green Tabs (Populations)

Incident Response (Cyber Security Incident Response)
• CSIRP Designator
• Date of Activation
• Was the Incident a Test?
• Was the Incident Reportable?

Page 91

Green Tabs (Populations)

Please fill out all fields on all population tabs where populations exist.

If there are no populations for a tab, enter “no data exists” on the first line.

For more information on all the population tabs please see the CIP Version 5 Evidence Request (Attachment C) User Guide on the RF website at Compliance\Guidance on CIP Standards
• CIP Version 5 Evidence Request (Attachment C) User Guide
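The population tabs cross-reference each other (a CA row names its BES asset, ESP and PSP; an EAP row names its ESP and its EACMS), and the slides ask for every field to be filled or the tab to carry the “no data exists” marker. As an added example, not RF's spreadsheet or User Guide, the following check models each Green Tab as a list of row dicts keyed by the column names listed on the preceding slides and reports blank required fields, unresolved references and a routable Cyber Asset with no IP Address; the sample rows are constructed.

```python
"""Consistency checks on the Green (population) tabs of Attachment C before
submission. Added example, not RF's spreadsheet or User Guide: each tab is
modelled as a list of row dicts keyed by the column names shown on the slides,
and the sample rows are constructed.
"""
NO_DATA = "no data exists"   # marker the slides ask for on the first line of an empty tab

# Columns that must be filled on every row; "[If Any]" columns are optional.
REQUIRED = {
    "BES Assets": ["Asset ID", "Asset Type", "Location",
                   "Contains BES Cyber System - High Impact",
                   "Contains BES Cyber System - Medium Impact",
                   "Contains BES Cyber System - Low Impact"],
    "CA": ["Cyber Asset ID", "Cyber Asset Classification", "Impact Rating",
           "Asset ID", "Connected to a Network Via a Routable Protocol?"],
    "ESP": ["ESP ID", "ESP Description", "Network Address"],
    "EAP": ["EAP ID or Interface Name", "Cyber Asset ID of EACMS", "ESP ID"],
    "PSP": ["PSP ID", "PSP Description", "Location"],
}


def rows_of(tabs, name):
    """Rows of a tab; a first line holding the 'no data exists' marker means empty."""
    rows = tabs.get(name, [])
    if rows and any(str(v).strip().lower() == NO_DATA for v in rows[0].values()):
        return []
    return rows


def validate(tabs):
    """Return a list of findings; an empty list means the tabs are consistent."""
    findings = []
    for tab, cols in REQUIRED.items():
        if not tabs.get(tab):
            findings.append(f"{tab}: tab is empty; enter '{NO_DATA}' on the first line if no population exists")
            continue
        for i, row in enumerate(rows_of(tabs, tab), start=1):
            for col in cols:
                if not str(row.get(col, "")).strip():
                    findings.append(f"{tab} row {i}: '{col}' is blank")

    asset_ids = {r.get("Asset ID") for r in rows_of(tabs, "BES Assets")}
    esp_ids = {r.get("ESP ID") for r in rows_of(tabs, "ESP")}
    psp_ids = {r.get("PSP ID") for r in rows_of(tabs, "PSP")}
    classification = {r.get("Cyber Asset ID"): r.get("Cyber Asset Classification")
                      for r in rows_of(tabs, "CA")}

    # Every Cyber Asset must sit in a listed BES asset, and its ESP/PSP references must resolve.
    for i, r in enumerate(rows_of(tabs, "CA"), start=1):
        if r.get("Asset ID") not in asset_ids:
            findings.append(f"CA row {i}: Asset ID '{r.get('Asset ID')}' is not on the BES Assets tab")
        esp, psp = r.get("ESP Identifier [If Any]", ""), r.get("PSP Identifier [If Any]", "")
        if esp and esp not in esp_ids:
            findings.append(f"CA row {i}: ESP Identifier '{esp}' is not on the ESP tab")
        if psp and psp not in psp_ids:
            findings.append(f"CA row {i}: PSP Identifier '{psp}' is not on the PSP tab")
        routable = str(r.get("Connected to a Network Via a Routable Protocol?", "")).strip().lower()
        if routable == "yes" and not str(r.get("IP Address", "")).strip():
            findings.append(f"CA row {i}: routable Cyber Asset has no IP Address")

    # Each EAP must belong to a listed ESP and be an interface of a Cyber Asset classified as EACMS.
    for i, r in enumerate(rows_of(tabs, "EAP"), start=1):
        if r.get("ESP ID") not in esp_ids:
            findings.append(f"EAP row {i}: ESP ID '{r.get('ESP ID')}' is not on the ESP tab")
        eacms = r.get("Cyber Asset ID of EACMS")
        if classification.get(eacms) != "EACMS":
            findings.append(f"EAP row {i}: '{eacms}' is not a Cyber Asset classified as EACMS on the CA tab")
    return findings


# Constructed sample population with deliberate inconsistencies.
SAMPLE_TABS = {
    "BES Assets": [{"Asset ID": "SUB-01", "Asset Type": "Substation", "Location": "Site A",
                    "Contains BES Cyber System - High Impact": "No",
                    "Contains BES Cyber System - Medium Impact": "Yes",
                    "Contains BES Cyber System - Low Impact": "No"}],
    "CA": [
        {"Cyber Asset ID": "RTU-01", "Cyber Asset Classification": "BCA", "Impact Rating": "Medium",
         "Asset ID": "SUB-01", "Connected to a Network Via a Routable Protocol?": "Yes",
         "IP Address": "10.1.1.5", "ESP Identifier [If Any]": "ESP-01", "PSP Identifier [If Any]": "PSP-01"},
        {"Cyber Asset ID": "FW-01", "Cyber Asset Classification": "EACMS", "Impact Rating": "Medium",
         "Asset ID": "SUB-01", "Connected to a Network Via a Routable Protocol?": "Yes",
         "IP Address": "10.1.1.1", "ESP Identifier [If Any]": "ESP-01"},
        {"Cyber Asset ID": "HMI-02", "Cyber Asset Classification": "BCA", "Impact Rating": "Medium",
         "Asset ID": "SUB-02", "Connected to a Network Via a Routable Protocol?": "Yes",
         "IP Address": "", "ESP Identifier [If Any]": "ESP-09"},
    ],
    "ESP": [{"ESP ID": "ESP-01", "ESP Description": "Substation LAN", "Network Address": "10.1.1.0/24"}],
    "EAP": [{"EAP ID or Interface Name": "FW-01 eth1", "Cyber Asset ID of EACMS": "FW-01", "ESP ID": "ESP-01"}],
    "PSP": [{"PSP ID": NO_DATA}],   # marked empty, yet RTU-01 references PSP-01
}

if __name__ == "__main__":
    for finding in validate(SAMPLE_TABS):
        print(finding)
```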

Page 92

Sample Sets L2 Tab

Samples selected by RF for use with Level 2 requests

Sample Set | Request ID | Source Tab | Population | Possible Grouping | Sample Type | Insert Sample Set
SS-007-R4-L2-01 | CIP-007-R4-L2-04, CIP-007-R5-L2-05 | CA | Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers | | Judgmental | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers
SS-007-R4-L2-02 | CIP-007-R4-L2-05, CIP-007-R4-L2-06 | CA | Cyber Assets that are members of or associated with high impact BES Cyber Systems | | Judgmental | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems
SS-007-R5-L2-01 | CIP-007-R5-L2-01, CIP-007-R5-L2-02 | CA | Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers or medium impact BES Cyber Systems with External Routable Connectivity | | Judgmental | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers or medium impact BES Cyber Systems with External Routable Connectivity

Page 93

Sample Sets L2 Tab

You will receive a spreadsheet for each Standard

The spreadsheets contain tabs for each Sample Set

You will use these Sample Sets as you complete the Level 2 requests

Page 94

Level 2 Tab

Requests for evidence based on the Sample Sets

When submitting the Level 2 requests, create a separate PDF for each request ID

Request ID | Standard | Requirement | Sample Set | Sample Set Description | Sample Set Evidence Request
NOTE TO AUDIT TEAM - Replace <insert date one week prior to Thirty (30) business days prior to on-site audit> with applicable date in rows below
CIP-007-R5-L2-02 | CIP-007-6 | R5 Part 5.1 | SS-007-R5-L2-01 | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems at Control Centers or medium impact BES Cyber Systems with External Routable Connectivity | For each Cyber Asset selected in Sample Set SS-007-R5-L2-01 not covered by an approved TFE, provide evidence that the method(s) provided in response to CIP-007-R5-L2-01 are enforced.
CIP-007-R5-L2-03 | CIP-007-6 | R5 Part 5.2 | SS-007-R2-L2-01 | Sample of all Cyber Assets on the CA tab | For each Cyber Asset selected in Sample Set SS-007-R2-L2-01, provide the inventory of enabled default or other generic accounts.
CIP-007-R5-L2-04 | CIP-007-6 | R5 Part 5.2 | SS-007-R2-L2-01 | Sample of all Cyber Assets on the CA tab | For each Cyber Asset selected in Sample Set SS-007-R2-L2-01, provide the method used to identify enabled default or other generic accounts.
CIP-007-R5-L2-05 | CIP-007-6 | R5 Part 5.3 | SS-007-R1-L2-01 | Sample of Cyber Assets that are members of or associated with high impact BES Cyber Systems or medium impact BES Cyber Systems with External Routable Connectivity | For all shared accounts that exist on each Cyber Asset in Sample Set SS-007-R1-L2-01, provide evidence that individuals with authorized access to those accounts are identified.

Page 95

Level 3 Tab

We are not currently using the Level 3 tab

Request ID | Standard | Requirement | Sample Set | Sample Set Description | Sample Set Evidence Request
CIP-007-R4-L3-01 | CIP-007-6 | R4 Part 4.3 | SS-007-R4-L3-01 | List of specific dates for specific Cyber Assets | Provide evidence of actual logs for each Cyber Asset and each date in SS-007-R4-L3-01
CIP-010-R3-L3-01 | CIP-010-2 | R3 Part 3.4 | N/A | Sample of action plans to remediate vulnerabilities | For the sampled action plans to remediate or mitigate vulnerabilities identified by a vulnerability assessment, provide for each action plan: 1. The planned or actual completion date of the action plan. 2. The execution status of the action plan. 3. Evidence of the execution of the action plan.

Page 96

Summary

Complete Green Tab Populations
• Fifty-five (55) business days prior to on-site audit

RF selects Sample Sets and returns Attachment C
• Within ten (10) business days

Complete Level 1 Requests for Policies, Programs, Processes, Procedures and non-population evidence
• Thirty (30) business days prior to on-site audit
• Package as one PDF per Standard
• CIP-014-2 evidence is reviewed on-site – DO NOT SEND

Complete Level 2 requests for evidence based on the Sample Sets
• Thirty (30) business days prior to on-site audit
• Package as one PDF per Request

Page 97

Links to Attachment C

Attachment C and the Users Guide are located on the RF website at Compliance\Guidance on CIP Standards
• CIP Version 5 Evidence Request (Attachment C) User Guide
• CIP Version 5 Evidence Request_RF5 (Attachment C)

Page 98

Questions & Answers

Page 99

LUNCH

Page 100

Send questions using webinar chat

Page 101

Cyber Security Supply Chain Risk Management

Corey Sellers, SDT Chair, Southern Company
ReliabilityFirst Spring Workshop
April 20, 2017


Page 103

Administrative Items

• NERC Antitrust Guidelines
  It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.

• Notice of Open Meeting
  Participants are reminded that this webinar is public. The access number was widely distributed. Speakers on the call should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

Page 104

FERC Order No. 829

[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.

- Order No. 829, July 2016

• Standard(s) must be filed by September 2017

Page 105

Draft CIP-013-1 as Posted in January

Link to draft CIP-013-1

# | Requirement Summary
R1 | Requires entities to implement one or more documented supply chain risk management plan(s) for mitigating risks to BES Cyber Systems and associated cyber systems
R2 | Requires entities to review the plan every 15 calendar months and address new risks or mitigation measures, if any
R3 | Requires entities to implement a process for verifying the integrity and authenticity of software and firmware and any upgrades to software and firmware before being placed in operation on high and medium impact BES Cyber Systems
R4 | Requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems
R5 | Requires entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems

Page 106

Proposed Changes to CIP Standards

FERC Order 829 Objective | Version 1 of CIP-013 | Version 2 of CIP-013 | … plus modifications to other existing CIP Standards
1 – 4 | R1 Implement the supply chain cyber security risk management plan for BES Cyber Systems (incl. EACMS, PACS, PCAs) | R1 – Develop the supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems, including specific procurement processes; R2 – execute plan(s) from R1 | CIP-003-8 (low impact BES Cyber Systems): R2 Attachment 1 Section 6 added
1 – 4 | R2 Review plan(s) every 15 months | Now R3 but remained essentially the same – Review plan(s) every 15 months | * Review part of CIP-003 R2 changes above
1 | R3 (software authenticity) | R3 removed and moved to >> | CIP-010-3 (“software integrity and authenticity”): Table R1 Part 1.6 added
2 | R4 (vendor remote access) | R4 removed and moved to >> | CIP-005-6 (“visibility and disabling”): Table R2 Part 2.4/2.5 added
1 – 4 | R5 (Low impact BES Cyber Systems) | Removed | No changes

Page 107

Requirement R1 Key Changes

• Focus R1 on High and Medium Impact BES Cyber Systems
• Move R1 related (i.e., “procurement” related) Low Impact BES Cyber System Requirements to CIP-003
• Split into two requirements: R1 now “develop one or more… plan(s)”; R2 now “implement… plan(s)”
• Specifically note (1) renegotiation or abrogation of existing contracts is not required, (2) actual contract T’s & C’s are out of scope, and (3) vendor performance and adherence to a contract are out of scope

Page 108

Requirement R2 Key Changes

Requires entities to review the plan every 15 calendar months and address new risks or mitigation measures, if any

• Change to mirror other 15 month review language
• No explicit “address new risks or mitigation measures” requirement

Page 109: 2017 Spring Workshop - rfirst.org · Follow us on LinkedIn and Twitter 2017 Spring Workshop . 2016 CIP Violation & Themes Update Deandra Williams -Lewis, Director of Enforcement Kristen

RELIABILITY | ACCOUNTABILITY109

Requirement R3 Key Changes

Original language: requires entities to implement a process for verifying the integrity and authenticity of software and firmware, and any upgrades to software and firmware, before being placed in operation on high and medium impact BES Cyber Systems

• Move this operational requirement into the existing CIP standards; received assistance from the "CIP Modifications" Standard Drafting Team; proposed change to CIP-010 (Table R1 Part 1.6 added); will be posted along with CIP-013 and other CIP changes as a single package

• Adding the phrase "when the method to do so is available to the Responsible Entity from the software source" to account for situations in which a vendor cannot or will not provide the needed functionality
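What the Part 1.6 check looks like in practice, as an added example (not NERC, RF or drafting-team material): the package digest is computed and compared against a vendor manifest, and the "method not available from the software source" case is recorded as its own outcome rather than treated as a pass. Assumptions not on the slides: the vendor publishes a sha256sum-style manifest ("<hex digest>  <filename>") that was obtained over the vendor's authenticated channel; verifying the vendor's signature on that manifest (the authenticity half) is done by the vendor's own mechanism and is not shown. The sample bytes and manifest are constructed.

```python
"""Integrity check for vendor software before it is placed in operation.

Added example, not NERC or RF material. Assumes a sha256sum-style vendor
manifest obtained over the vendor's authenticated channel (signature
verification of the manifest itself is out of scope here). Samples are constructed.
"""
import hashlib
import hmac
from typing import Dict, NamedTuple, Optional


class Verdict(NamedTuple):
    filename: str
    status: str   # "verified" | "rejected" | "method_unavailable"
    detail: str


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex digest}."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*").strip()        # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(filename: str, data: bytes, manifest: Optional[Dict[str, str]]) -> Verdict:
    """Decide whether `data` may be installed as `filename`.

    manifest=None models the case the standard carves out: the software source
    offers no method to verify, so the outcome is recorded, not treated as a pass.
    """
    if manifest is None:
        return Verdict(filename, "method_unavailable",
                       "no integrity data from the software source; document and apply compensating controls")
    if filename not in manifest:
        return Verdict(filename, "rejected", "file not listed in the vendor manifest")
    actual = sha256_hex(data)
    if hmac.compare_digest(actual, manifest[filename]):   # constant-time compare
        return Verdict(filename, "verified", actual)
    return Verdict(filename, "rejected", f"digest mismatch, got {actual}")


# Constructed sample: the empty file (its SHA-256 is the well-known constant below)
# plus a firmware image whose digest is placed in the manifest for the demo.
FIRMWARE = b"RTU firmware 4.2.1 image (constructed sample)"
SAMPLE_MANIFEST = (
    "# vendor release manifest (constructed)\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.bin\n"
    f"{sha256_hex(FIRMWARE)}  *rtu-4.2.1.bin\n"
)


def demo() -> Dict[str, str]:
    """Run the five cases a reviewer should expect: good, tampered, unlisted, empty, no method."""
    m = parse_manifest(SAMPLE_MANIFEST)
    return {
        "good": verify_package("rtu-4.2.1.bin", FIRMWARE, m).status,
        "tampered": verify_package("rtu-4.2.1.bin", FIRMWARE + b"\x00", m).status,
        "unlisted": verify_package("patch-9.9.bin", b"x", m).status,
        "empty": verify_package("empty.bin", b"", m).status,
        "no_method": verify_package("legacy.bin", b"x", None).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} {status}")
```

The three-way verdict is the point: a mismatch or an unlisted file blocks installation, while "method_unavailable" is evidence that the Part 1.6 carve-out applied, which the entity still has to document.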


Requirement R4 Key Changes

Original language: requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems

• Move this operational requirement into the existing CIP standards; received assistance from the "CIP Modifications" Standard Drafting Team; proposed change to CIP-005 (Table R2 Part 2.4/2.5 added); will be posted along with CIP-013 and other CIP changes as a single package

• Focus on visibility and the ability to disable remote access:

  2.4 – Have "one or more methods for determining active vendor remote access sessions" (including IRA and system-to-system)

  2.5 – Have "one or more methods to disable active vendor remote access" (including IRA and system-to-system)
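Parts 2.4 and 2.5 as detection logic, added here as an example and not taken from NERC, RF or any entity's implementation. It replays constructed LOGIN/LOGOUT events from a jump host or VPN concentrator, keeps only sessions that are still open, and filters them against a registry of vendor accounts; both the log format and the `VENDOR_ACCOUNTS` registry are assumptions for this example. "Disabling" is returned as a list of operator actions because the real mechanism depends on the access path (jump host for IRA, EAP firewall for system-to-system).

```python
"""Active vendor remote access sessions: determine (Part 2.4) and disable (Part 2.5).

Added example, not NERC or RF material. Log format and vendor registry are assumed.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed registry of accounts issued to vendors (not employees).
VENDOR_ACCOUNTS: Set[str] = {"acme-support", "relayco-svc"}

# Constructed log lines. IRA = Interactive Remote Access, S2S = system-to-system.
SAMPLE_LOG = """\
2017-04-10T13:55:02Z LOGIN user=jsmith src=10.20.30.40 type=IRA session=a1
2017-04-10T14:02:11Z LOGIN user=acme-support src=198.51.100.20 type=IRA session=a2
2017-04-10T14:05:40Z LOGIN user=relayco-svc src=198.51.100.44 type=S2S session=a3
2017-04-10T14:10:09Z LOGIN user=acme-support src=198.51.100.21 type=IRA session=a4
2017-04-10T14:31:57Z LOGOUT user=acme-support src=198.51.100.21 type=IRA session=a4
2017-04-10T14:32:00Z noise line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN|LOGOUT)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"\s+type=(?P<kind>IRA|S2S)\s+session=(?P<sid>\S+)$"
)


class Session(NamedTuple):
    sid: str
    user: str
    src: str
    kind: str
    started: str


def active_sessions(lines: Iterable[str]) -> Dict[str, Session]:
    """Replay events in order; a session stays active until its LOGOUT is seen."""
    active: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # unrelated line; a production parser should count these
        if m["event"] == "LOGIN":
            active[m["sid"]] = Session(m["sid"], m["user"], m["src"], m["kind"], m["ts"])
        else:
            active.pop(m["sid"], None)
    return active


def active_vendor_sessions(lines: Iterable[str], vendor_accounts: Set[str] = VENDOR_ACCOUNTS) -> List[Session]:
    """Part 2.4: active vendor sessions, both IRA and system-to-system."""
    found = [s for s in active_sessions(lines).values() if s.user in vendor_accounts]
    return sorted(found, key=lambda s: s.sid)


def disable_actions(sessions: Iterable[Session]) -> List[str]:
    """Part 2.5: one concrete action per session. IRA is torn down at the jump host;
    system-to-system is blocked at the EAP (assumed access model)."""
    actions = []
    for s in sessions:
        if s.kind == "IRA":
            actions.append(f"terminate jump-host session {s.sid} for {s.user} from {s.src}")
        else:
            actions.append(f"block {s.src} at the EAP and stop session {s.sid} for {s.user}")
    return actions


if __name__ == "__main__":
    live = active_vendor_sessions(SAMPLE_LOG.splitlines())
    for s in live:
        print(f"{s.sid} {s.user} {s.kind} from {s.src} since {s.started}")
    print("\n".join(disable_actions(live)))
```

Note what the employee session `a1` and the already-closed vendor session `a4` demonstrate: the method has to distinguish vendor from staff accounts and has to pair logouts with logins, or the "active" list is wrong in both directions.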


Requirement R5 Key Changes

Original language: require entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems

• Remove R5 – no new operational requirements on Low Impact BES Cyber Systems


Standards Development Process

• 1st formal comment period: January 20 – March 6, 2017

• Next formal comment period will begin in early May

• SDT is working to develop Implementation Guidance for the CIP-013 and CIP-003 modifications based on the posted Technical Guidance and Examples document

Timeline:

Oct 2016 – Jan 2017: Technical Conference; 1st Formal Comment and Balloting

May 2017: 2nd Formal Comment and Balloting

August 2017: NERC Board Adoption

September 2017: Deadline for filing


Contact Information

• Refer to the Project 2016-03 page for more information

• Email [email protected] to join the email list

• Corey Sellers, Southern Company, SDT Chair: [email protected]

• JoAnn Murphy, PJM Interconnection, SDT Vice Chair: [email protected]


NIPSCO: Agenda

• NIPSCO Overview: Company Overview and Compliance Culture

• Introduction of NIPSCO Speakers: Mike Melvin, Mark Kelly, Steve Sumichrast


NIPSCO's Presentation Expectations

• We want you to walk away with a clear view of our culture of compliance.

• We want to learn from discussions and outcomes

• We embrace continuous improvement

• We welcome peer feedback


NiSource Profile

• Fortune 500 Energy Company – one of five headquartered in Indiana

• Publicly traded – NYSE: NI

• Serving 3.8 million customers – electricity and natural gas

• Presence in more than 20 states – Gulf Coast to the Midwest to New England


NIPSCO Electric Profile

• 468,000 Electric Customers in 20 Counties

• 3,291 MW Generating Capacity

• Operates 6 Electric Generating Facilities (3 Coal, 1 Natural Gas, 2 Hydro)

• 2,800 Miles of Electric Transmission (69kV +)

• Interconnects with 5 Major Utilities (3 in MISO; 2 in PJM)


NIPSCO Program Focus

• Key Focus – Reliability of the Bulk Electric System

• Meet All Compliance Requirements

• Good Compliance Governance

• Industry Awareness

• Effective Management Systems – keep us on task; capture our compliance policies and evidence

NIPSCO Compliance Culture

• Engaged & Focused Senior Leadership

• Dedicated & Robust NERC Compliance Department

• Separate Compliance Governance Function, CEO Direct Report

• Open Communication Channels to CEO & Other Senior Leaders

• Employee Education – Duty to Report Risks & Possible Violations


NERC Compliance Department Charter

The NERC Compliance Department provides NIPSCO executives with an independent and objective evaluation of adherence to the standards required for the reliable operation of the Bulk Electric System.


NIPSCO NERC Compliance Organization (org chart)

Chief Executive Officer: Joseph Hamrock

Executive VP & President of NIPSCO: Violet Sistovaris

Chief Operating Officer: Jim Stanley

Senior VP Capital Execution: Mike Finissi

VP Engineering Electric: Russ Atkins

Managing Director Transmission: Matt Holtz

Director NERC Compliance Programs: Mike Melvin

Manager CIP Compliance; Manager NERC Compliance; Manager Compliance Training

Director Compliance Oversight: Noreta Davis


NIPSCO CIP Compliance (org chart)

VP Engineering Electric: Russ Atkins – CIP Senior Manager

Managing Director Transmission: Matt Holtz

Director NERC Compliance Programs: Mike Melvin

Manager CIP Compliance; Manager NERC Compliance; Manager Compliance Training

CIP Compliance Engineer: Alan Janik

CIP Compliance Engineer: Christie Krsek

CIP Compliance Engineer: Julaine Dyke

CIP Compliance Specialist: Sharon Carnes


NIPSCO Operations Technology (OT) (org chart)

VP Engineering Electric: Russ Atkins

Managing Director Transmission: Matt Holtz

Manager Ops Technology Security: Frank Dessuit

Leader CIP Applications: Paul Huseman

Leader CIP Systems, Communication and Control: Steve Sumichrast

Leader CIP Security: Matt York

NIPSCO Electric Profile (service territory map; labels not recoverable from the slide text)


NIPSCO Electric Profile

NIPSCO Generation Facts

Generation Capacity of 3,291 MW

◦ 3 coal-fired generating stations (2,540 MW)

◦ 1 combined cycle generating station (535 MW)

◦ 4 combustion turbines (206 MW)

◦ 2 hydroelectric dams (10 MW)

NIPSCO Transmission Facts

Transmission system

◦ 353 circuit miles of 345 kV lines

◦ 755 circuit miles of 138 kV lines

◦ 1,687 circuit miles of 69 kV lines

Substations

◦ 56 transmission substations with voltage levels of 345kV, 138kV, 69kV, and 34kV


NIPSCO Electric Profile: BA/TOP Control Centers

Primary Control Center: Hammond, IN

Backup Control Center: Merrillville, IN


NIPSCO Electric Profile: Midcontinent Independent System Operator (MISO)

• NIPSCO has been an active member of MISO since 10/01/2003

• MISO performs scheduling and Reliability Coordinator functions for NIPSCO

• MISO also performs numerous Balancing Authority functions for NIPSCO (JRO00001)

• MISO administers the energy market in which NIPSCO is a participant

• MISO performs a limited set of TOP functions for NIPSCO (CFR00132)


NIPSCO Electric Profile: NERC & RF Registrations

Balancing Authority (CFR), Load Serving Entity (CFR), Transmission Owner, Transmission Operator (CFR), Transmission Planner (CFR), Purchasing Selling Entity, Generator Owner, Generator Operator, Resource Planner (CFR), Distribution Provider


Tripwire Enterprise

• Tripwire Enterprise is a configuration monitoring tool

• Allows for tracking, alerting, and reporting on detected changes

• This is typically done through Command Output Capture Rules (COCRs):

– Stores the results of a command in the application database

– Compares the previous results with the most recent version returned from the COCR

– Creates a notification or other type of alert, depending on configuration, when a change is detected


Tripwire Whitelist Profiler

• Tripwire Whitelist Profiler is an app that is added to Tripwire Enterprise

– Allows a desired or authorized configuration to be set (a whitelist)

– Added to Tripwire Enterprise through specific Whitelist Profiler COCRs available for download from the Tripwire Customer Center

– Specific NERC CIP rules, policies, and reports are available for download

– Tripwire Enterprise monitors the Whitelist Profiler COCRs to detect and notify on changes to those states

• Works as a complement to Tripwire Enterprise, not as a stand-alone product

http://www.tripwire.com/register/tripwire-whitelist-profiler/


NIPSCO's Use of Tripwire Whitelist Profiler

NIPSCO uses Tripwire Whitelist Profiler to:

1. Efficiently monitor approved configurations

2. Reduce the excess noise of detected changes to already approved configurations

3. Quickly and easily report on information related to the approved configurations


Monitoring Approved Configurations

• NIPSCO has imported the NERC CIP rules for Whitelist Profiler available from Tripwire

• Rules include items necessary for a CIP-010 baseline, such as:

– Logical network accessible ports

– Installed software

• Whitelist Profiler settings are configured in CSV files

• Configuration files are analyzed when the rules are run on the node

Monitoring Approved Configurations (screenshot slide; no text recoverable)


Monitoring Approved Configurations

• Prior to using Tripwire, NIPSCO relied on configuration dump scripts and performed comparisons on the results of those scripts

• Whitelist Profiler allows configuration monitoring to be done automatically and specifically checks for the authorized settings

• Key benefits:

– Increased efficiency in configuration monitoring

– Reduced chance of human error in manual comparisons


Reducing Excess Noise of Detected Changes

• A potential pitfall of automatic configuration monitoring is the excess noise produced by monitoring too much too often

• NIPSCO has tuned the Whitelist Profiler rules to reduce this noise using:

– Whitelist Profiler configuration settings

– Regex filters in both the Whitelist Profiler configuration files and the rules

– Adjusted severity levels, to monitor but not report on information deemed to be less important

– Whitelist Profiler Policy rules

Reducing Excess Noise of Detected Changes (screenshot slide; no text recoverable)


Reducing Excess Noise of Detected Changes

• Whitelist Profiler tags any settings outside the desired configuration as "Unauthorized Items"

• Policy rules store only information that is tagged as "Unauthorized"

– A notification is raised only if a detected change is outside the approved settings

– Allows for cases such as ignoring changes to dynamic network port numbers

Reducing Excess Noise of Detected Changes (screenshot slide; no text recoverable)


Reporting on Approved Configurations

• Tripwire Whitelist Profiler allows additional information to be appended to the configuration items

• NIPSCO has included fields for items such as:

– Network port business justification

– Network port documentation

– Software type (Commercial, Open-Source, or Custom)

– Comments related to the item

– Change ticket number for the authorization of that item


Reporting on Approved Configurations

• Additional information in the Whitelist Profiler configuration files is appended to the output stored in Tripwire

• Storing the information in the application allows Tripwire Enterprise reports to contain all the documentation needed for specific items on specific assets

• NIPSCO has built "CIP-010 R1 Baseline Reports" which pull all the information necessary for a CIP-010 R1 baseline
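The whitelist approach described across these slides (approved configuration in a CSV carrying justification and change-ticket fields, live state captured from a command, regex or other filters so dynamic ports never alert, and a report that appends the evidence fields to each item) in about seventy lines of stand-alone Python. This is an added example and not NIPSCO's or Tripwire's code; the CSV column names, the `ss -ltn` capture, the installed-software list and the ephemeral-port filter are all constructed for the example.

```python
"""Whitelist-style baseline check for CIP-010 R1 items (listening ports, installed software).

Added example, not NIPSCO's or Tripwire's code. CSV layout, command output and
software list are constructed.
"""
import csv
import io
import re
from typing import Callable, Dict, List

# Constructed whitelist: each approved item carries its CIP-010 evidence fields.
WHITELIST_CSV = """item_type,value,justification,documentation,change_ticket
port,tcp/22,Interactive remote access via SSH,SOP-NET-004,CHG0041122
port,tcp/502,Modbus/TCP polling from EMS front end,SOP-SCADA-012,CHG0040981
port,tcp/20000,DNP3 outstation,SOP-SCADA-013,CHG0040981
software,openssh-server 7.4p1,OS remote administration,SW-CAT-017,CHG0041122
software,modbus-gateway 3.1.0,Protocol gateway application,SW-CAT-022,CHG0040981
"""

# Constructed output of `ss -ltn` captured on the monitored node.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:502         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:51234       0.0.0.0:*
"""

# Constructed installed-software capture (e.g. from the package manager).
INSTALLED_SOFTWARE = ["openssh-server 7.4p1", "modbus-gateway 3.1.0", "netcat 1.10"]

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s")


def is_ephemeral_port(value: str) -> bool:
    """IANA dynamic range 49152-65535: monitored, but never reported as unauthorized."""
    return value.startswith("tcp/") and 49152 <= int(value[4:]) <= 65535


IGNORE_FILTERS: List[Callable[[str], bool]] = [is_ephemeral_port]


def load_whitelist(text: str) -> Dict[str, Dict[str, str]]:
    """Map "item_type:value" -> CSV row so the evidence fields travel with the item."""
    return {f"{r['item_type']}:{r['value']}": r for r in csv.DictReader(io.StringIO(text))}


def parse_listening_ports(ss_text: str) -> List[str]:
    ports = {f"tcp/{m.group(1)}" for m in map(LISTEN_RE.match, ss_text.splitlines()) if m}
    return sorted(ports)


def evaluate_baseline(whitelist_csv: str, ss_text: str, installed: List[str]) -> Dict[str, List[str]]:
    """Classify every observed item as authorized, unauthorized or ignored; list approved items not seen."""
    approved = load_whitelist(whitelist_csv)
    observed = [f"port:{p}" for p in parse_listening_ports(ss_text)] + [f"software:{s}" for s in installed]
    result: Dict[str, List[str]] = {"authorized": [], "unauthorized": [], "ignored": [], "missing": []}
    for item in observed:
        _, value = item.split(":", 1)
        if item in approved:
            result["authorized"].append(item)
        elif any(f(value) for f in IGNORE_FILTERS):
            result["ignored"].append(item)          # stored, not alerted on
        else:
            result["unauthorized"].append(item)     # the only class that raises a notification
    result["missing"] = [i for i in approved if i not in observed]
    return {k: sorted(v) for k, v in result.items()}


def baseline_report(whitelist_csv: str, ss_text: str, installed: List[str]) -> List[Dict[str, str]]:
    """One row per item with its status and the approval evidence appended (the R1 report view)."""
    approved = load_whitelist(whitelist_csv)
    rows = []
    for status, items in evaluate_baseline(whitelist_csv, ss_text, installed).items():
        for item in items:
            row = {"item": item, "status": status}
            row.update({k: approved.get(item, {}).get(k, "") for k in ("justification", "documentation", "change_ticket")})
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in baseline_report(WHITELIST_CSV, SS_OUTPUT, INSTALLED_SOFTWARE):
        print(row)
```

Two outcomes deserve a second look in the report: "missing" (an approved item that is no longer present, such as the DNP3 port above) is a baseline deviation just as much as an unauthorized item, and "ignored" items should still be stored so that an ephemeral port that later turns out to be a persistent listener can be traced.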


NERC CIP v5 Journey

Partnering with RF to achieve top decile NERC CIP performance


Presenters

Chris Plensdorf, Manager NERC Compliance: [email protected]

George Becker, IT Senior Security Architect: [email protected]

NERC Security and Compliance, DTE Electric Company


Agenda

• DTE Energy – About Us

• Our NERC Security and Compliance Journey

• The Road Ahead – Top Decile Performance


DTE Energy, a Michigan based utility

Utility (75%-80%):

• DTE Electric – electric generation and distribution; 2.2 million customers; 11,700 MW capacity; fully regulated

• DTE Gas – natural gas transmission, storage and distribution; 1.2 million customers; fully regulated

Non-Utility (20%-25%):

• Gas Storage & Pipelines – transport and store natural gas; 5 pipelines, 91 Bcf of storage

• Power & Industrial Projects – own and operate energy related assets; 66 sites, 17 states

• Energy Trading – active physical and financial gas and power marketing company

NERC CIP Regulated Sites (map slide): high impact, medium impact, and low impact asset locations


Continuous Improvement (CI) is one of our corporate priorities

Our system of corporate priorities drives our aspiration to be the "best operated energy company in North America and a force for growth in the communities where we live and serve"


We regularly use CI tools in achieving top decile NERC CIP performance

DTE Energy Priority:

• Root Cause Analysis

• Systematic Problem Solving

• Process Innovation/Mapping

• Standard Work Instructions

Strategic NERC CI Work:

• Embedded Tests

• Huddles/PRT

• Shared Lessons Learned

• Metrics / Scorecard


Agenda

• DTE Energy – About Us

• Our NERC Security and Compliance Journey

• The Road Ahead – Top Decile Performance


Security vulnerabilities identified in RF's 2014 audit stemmed from four root causes

Root Causes:

• Lack of senior management engagement

• Confusing and ineffective organizational structure

• Lack of the necessary dedicated resources

• Lack of defined processes, metrics, and controls


We've taken tangible steps to address these root causes

• Executive Leadership

• New Leadership and Organizational Structure

• Dedicated Business Unit Resources

• Targeted Communications Outreach

• Process Controls

• Collaborative Partnership with RF


Executive commitment and NCO restructuring enhance compliance posture

New Leadership and Organizational Structure:

• Director level leadership added to the NERC Compliance Organization (NCO)

• NCO transferred to a more central organization within DTE Electric (no longer housed within Electric Distribution)

Executive Leadership – Senior Executive NERC Committee, weekly:

• Leadership transcends business unit "silos"

• Clear, top-down message of NERC Security and Compliance


Resource allocation and clear program ownership key to improvement

Dedicated Business Unit Resources:

• Dedicated resources embedded with Business Units

• Assigned Business Unit CIP standard program owners

• Weekly Business Unit Liaison meetings

• Individual employee goals cascaded to the work plans of 65 business unit liaisons and subject matter experts


CIP standards divided into 16 programs and assigned to a Business Unit, director, manager, SME and NCO partner (individual names are not shown on the slide)

 #   CIP v5 Program                                 Business Unit   CIP Standards and Requirements
 1   Bulk Electric System Asset Management          NCO             CIP-002
 2   Management Controls Program                    NCO             CIP-003
 3   Security Awareness Program                     IT              CIP-004 R1
 4   CIP Role Based Training                        NCO             CIP-004 R2.1, R2.3
 5   Personnel Risk Assessment Program              HR              CIP-004 R3
 6   Access Management and Revocation               IT              CIP-004 R2.2, R3.5, R4, R5; CIP-007 R5.3
 7   Electronic Security Perimeter Management       IT              CIP-005
 8   Physical Security Program                      Corp Sec        CIP-006
 9   Systems Security Program                       IT              CIP-007 R1, R3, R5
10   Patch Management Program                       IT              CIP-007 R2
11   Cyber Systems Monitoring Program               IT              CIP-007 R4
12   Incident Response Program                      IT              CIP-008
13   System Recovery Program                        IT              CIP-009
14   Change and Configuration Management            IT              CIP-010 R1, R2
15   Vulnerability Management Program               IT              CIP-010 R3
16   Information Protection Program                 IT              CIP-011


Awareness and culture of compliance fostered through multiple communication touchpoints

Targeted Communications Outreach:

• Tone at the Top: level-setting WebEx by executive leadership

• Leadership Engagement: NERC CIP presentation at the November 2016 DTE Electric Leadership Forum

• Departmental Stand-downs: IT and Corporate Security

• Town halls at NERC CIP v5/v6 locations: building engagement and awareness

• Enhanced NERC CIP training content

• Improved PSP door signage


Sustainment process provides oversight and structure for complying with NERC CIP requirements

Strong process controls through the Sustain Project:

• Commended by RF during the 2016 Spot Check

• Labor intensive manual process

• Excel based

• Managed and tracked on a weekly cadence

(Slide shows an example of a weekly report out: the Sustain Project schedule metric)


Collaborative partnership with RF is a key component of DTE's journey

Thank you to Lew Folkerth and Dave Sopata for the assistance visits!

Leadership Engagement:

• Frequent open conversation between DTE and RF leadership driving transparency, collaboration and common purpose

• DTE VP Matt Paul now serving a three-year term on the RF board

RF Technical Assistance:

• Assist Visits – Assist Visits were an underutilized service offered by RF; DTE and RF embarked on a year-long commitment to monthly assist visits in 2016

• Active involvement in our Potential Violation Process

Benchmark Coordination:

• RF recommended and helped coordinate benchmarking opportunities enabling DTE to learn from high performing NERC programs and companies facing similar challenges


We've seen significant improvement as a result of these steps

• Improved Culture of Compliance

• Strong Potential Violation (PV) Process

• Early Implementation of CIP v5/v6


An improved culture of compliance is evidenced by a willingness to raise your hand and identify defects

(Chart, 2016: NERC CIP defects identified by Business Units versus the Central NERC Organization)

• Defect identification largely occurring at the point of activity: BUs identified 85% of NERC CIP defects

• Surfacing of defects is an integral part of our commitment to continuous improvement (CI)

• This process ultimately drives reduction of security risks

"Celebrate the Gap"


Potential violation process rapidly surfaces and resolves NERC compliance and security issues

(Chart, 2016 data: average business days from issue identification to report submittal, for Self Report, Mitigation Plan, and Mitigation Plan Evidence Package; the values are not recoverable from the slide text)


NERC program improvements enabled an April 2016 go-live, affording a valuable learning period for the v5/v6 standards

Early Implementation 2016:

• Three month grace period afforded by the postponed enactment date

• Mock audit successfully completed during the early implementation phase

• Sustainment process piloted April-June 2016


Agenda

• DTE Energy – About Us

• Our NERC Security and Compliance Journey

• The Road Ahead – Top Decile Performance


We have improvements underway as part of our journey to top decile performance

• RF continues key role

• Internal Controls Program

• Maximo for BES Asset List

• Cyber Asset Baseline Monitoring

• Shared Account Management

• Early Implementation of NERC CIP v6


RF will continue to play a key role moving forward

• Collaboration on the potential violation process

• Benchmarking recommendations and connections

• Assistance with security and NERC CIP implementation

• Transition to Internal Controls Evaluation (ICE)


Risk-based internal controls program to provide a framework for systemic compliance

Completion of Phase 1 – Fall 2017


NERC BES Asset List on Maximo

Automated tools reduce compliance risk

• Transitioning our Bulk Electric System Cyber Systems (BCS) asset list from an Excel spreadsheet to the asset and work management tool Maximo

• Supports CIP-002 compliance

Maximo BES Implementation Timeline: Plan/Design (Q2 2016) → Build List/Transition (Q3/Q4 2016) → Train/Verify (Q1 2017) → Use/Expand (Present – 2018)


Cyber Asset Baseline Monitoring

Automated tools reduce compliance risk

• Tripwire will increase automation of the monthly baseline configuration management from 25% to 90% for our High & Medium NERC CIP assets

• Supports CIP-010 compliance and helps the configuration change management process become more efficient for asset owners

Tripwire Implementation Timeline: Plan/Design (12/29/2016) → Build/Install (2/3/2017) → Deploy/Optimize (7/21/2017) → Complete/Operate (4/18/2018)


Shared Account Management

Automated tools reduce compliance risk

• System level controls to effectively monitor and control the usage of shared and privileged accounts on High/Medium Bulk Electric System (BES) Cyber Assets

• Supports CIP-007 R5 Parts 5.2, 5.3, 5.4 and CIP-004 R5 Part 5.5 compliance

CyberArk Implementation Timeline: Plan/Design → Data Capture/Connectors → Build → Test → Complete/Operate; milestones April 2016, April 2017, May 2017, September 2017


Early Implementation for NERC CIP v6 low impact assets

171

• Implementation scheduled March 31st, 2018 (5 months early)• 12,982 FTEs estimated to complete LI physical and electronic

infrastructure upgrades

Early implementation

Low Impact Timeline

3/31/2018 9/1/2018LI Gap

Evaluation

v6Plans & Policies

Infra-structure Upgrades

5 Month Compliance

Pilot4/1/20171/20/2017

Page 172:

Design approach for low impact asset physical and electronic infrastructure upgrades

Electronic Protections

• Where feasible, leverage existing NERC CIP High- and Medium-impact approaches
• Use a standardized approach at all facilities
• Place all Low-impact routable cyber assets behind a Low-impact Electronic Access Point (LEAP)
• LEAP placement localized at each site

Physical Protections

Primary Controls:
• Physical protection requirements for Non-Routable & Routable LI BES Assets
• Site Perimeter Fencing, Facility Doors

Secondary Controls:
• Physical protection for Routable LI BES Assets
• Locked Cabinets, Locked Cages, Cyber Locks on Control Panels, etc.

Page 173:

Summary

• We have moved the dial on NERC CIP security and compliance and dramatically changed our culture

• RF played a significant role in driving this improvement and will be a key partner moving forward

• With many of the resources and tools coming into place, we now must prove ourselves in the RF 2017 CIP audit and beyond

• We are committed to top decile industry performance by the end of 2018

Page 175:

CIP-014-2 Physical Security: What to Expect

April 20, 2017

Page 176:

CIP-014-2

• Purpose: To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

Page 177:

How did we get here?

• April 16, 2013: PG&E's Metcalf Substation Attack
  – 52,000 gallons of oil
  – 16 transformers
  – $15M in damages

• March 7, 2014: FERC directs NERC to submit a physical security reliability standard within 90 days

• May 13, 2014: NERC Board approves CIP-014

• CIP-014-2 effective 10/2/2015

Page 178:

Metcalf Site - Then

Page 179:

Metcalf Site - Now

Page 180:

Changes Made

• Vegetation in close proximity to the substation fence has been removed

• Chain link fence has been replaced with a solid material (e.g. concrete) that restricts exterior line of sight into the substation

• Additional lighting to ensure better camera visibility of the site

• Additional cameras were installed, including PTZ, to further enhance security monitoring

Page 181:

RF Audit Approach

• What the auditor needs to assess compliance

– R1 – Asset Applicability
  • List of Transmission stations/substations that meet the Applicability Section 4.1.1 criteria and therefore require further analysis
  • List of Transmission stations/substations that require risk analysis
  • Dated written or electronic documentation of the risk assessment for stations/substations that meet the Applicability Section 4.1.1 criteria; stations and substations in scope; system one-line diagram(s); risk assessment methodology
  – Original documents showing how the risk assessment was performed and by whom (e.g., power flow analysis, system flow analysis, contingency loadings, cascading, etc.)

Page 182:

RF Audit Approach

– R2 – Third party verification of risk analysis
  • Evidence of review of the risk assessment
    – Dated original documents of the review of the assessment criteria used in R1 and the results of that review
    – PJM and MISO may provide this review if requested
  • The third party verification may occur concurrent with or after the risk assessment performed under Requirement R1.

– R3 – Notification to Transmission Operator – if applicable
  • Document indicating the date and to whom notification was made

Page 183:

RF Audit Approach

– R4 – Evaluation of potential threats and vulnerabilities
  • One assessment PLAN per identified transmission station/substation
    – Dated documents showing the Threats and Vulnerabilities assessment methodology and who performed the assessment
      » Often current and former local police, FBI, and TSA agents may be willing to assist in this assessment
    – Examples of characteristics that should be considered in the assessment include:
      » Terrain/elevation of surrounding ground or structures providing line of sight
      » Line-of-sight distance from approach avenues (distance and direction from which armament can be utilized)
      » Proximity to and speed of adjacent vehicular traffic for vehicle-induced damage
      » Proximity to traffic for easy vehicular access and egress (e.g., "drive-by" access)
      » Proximity to other targets of interest or critical load (e.g., number of customers affected, densely populated area)

Page 184:

RF Audit Approach (cont'd)

– R4 – Evaluation of potential threats and vulnerabilities
  – Be careful:
    » Assets in different locations may face different threats
    » Threats and vulnerabilities may vary at night

Page 185:

RF Audit Approach

– R5 – Develop physical security plan(s)
  • Physical security plan(s) to deter, detect, delay, assess, communicate and respond to the threats and vulnerabilities identified in R4
    – Resiliency may be considered as an element of the physical security plan
      » If resiliency is an element of your physical security plan(s), be sure to DEFINE what you determine to be resiliency
      » If you do not define what you determine to be resiliency, the auditor will do it for you

Page 186:

RF Audit Approach

– R6 – Review of Plans
  • Third party to verify plans in R4 and security measures in R5
    – Document identifying who reviewed your plans and the qualifications of the reviewer
    – Dated and signed statement by the reviewer indicating the date the review was completed
    – Dated and signed document indicating changes to your plan(s) recommended by the reviewer
      » NOTE: If changes are recommended by the reviewer, you can:
        • Accept the recommended changes and modify your TVA in R4 or your physical security plan(s) identified in R5, OR
        • Provide a dated and signed document giving the reason(s) for not modifying the evaluation or security plan(s)

* Review the list of qualifying credentials for the third party reviewer noted in the CIP-014-2 Standard, R6.1

Page 187:

RF Audit Approach

• R6 Information protection
  – Documentation of procedures to protect sensitive or confidential information
    • Use of Non-Disclosure Agreements (NDA) for vendors, contractors, and unaffiliated third party reviewers
    • Site layout drawings or depictions (think PSP)
    • Physical security plans and elements being used (like in a PSP)
    • Risk assessments and results
    • Threat and Vulnerability assessments
    • Any other information you deem sensitive or confidential

Page 188:

CIP-014-2 Implementation Schedule

– Flow chart below tracks the various steps required to comply with CIP-014-2

Page 189:

Implementing Physical Security Plan(s)

• Implementing the physical security plan(s) for designated assets
  – Implementation schedule(s) must be developed for the physical security plan(s) identified in R5 and verified in R6
  – The standard is silent as to when the plan(s) are implemented
    • Reasonable time lines with accompanying rationale are expected
  – Reasonable is defined by Merriam-Webster as:
    » being in accordance with reason
    » not extreme or excessive
  – Understanding the term reasonable relies on a myriad of factors, so be prepared to explain your reasoning to the auditor.

Page 190:

Auditing Implemented Physical Security Plan(s)

• Once implemented, the auditor will have to verify that the implemented plan(s):
  – Addressed the characteristics of the Threat and Vulnerability Assessment identified in R4
  – Have in place the physical security measures identified in R5 and verified in R6
  – The verification process can be accomplished by:
    • Reviewing photographs and other documentation of each site before and after plan implementation
    • Site visit(s) by the auditor
    • A combination of the two approaches

Page 191:

Questions & Answers