
Page 1: CIP-013-1: SCRM Is Getting Closer - WECC · CIP-013-1: SCRM Is Getting Closer Presented by: Holly Eddy, Compliance Auditor, Cyber Security Author: Dr. Joseph B. Baugh, Senior Compliance

CIP-013-1: SCRM Is Getting Closer

Presented by: Holly Eddy, Compliance Auditor, Cyber Security

Author: Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security

Compliance Workshop – March 29, 2018

Boise, Idaho

WESTERN ELECTRICITY COORDINATING COUNCIL


Impact to Reliability

Ensure entities are aware of new CIP Compliance Requirements to guide and inform the implementation period for CIP-013-1 and associated Standard revisions, support future compliance efforts, and facilitate the development of effective documentation for audit.


Agenda

• CIP-013-1 SCRM Standard

• SCRM related changes for other Standards

– CIP-005-6 (Parts 2.4, 2.5 - vendor remote access)

– CIP-010-3 (Part 1.6 - software integrity & authenticity)

• NERC Small Group Advisory Sessions [SGAS]

• Example of R2 implementation

• As always, your questions are welcome at any time during the presentation


What is SCRM?

• Project 2016-03 Cyber Security Supply Chain Risk Management (NERC, 2017, Project Website)

• FERC (2016) directed “NERC to develop a forward-looking, objective-based Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations” (Order 829, P. 2, p. 49879)


The FERC NOPR

• All three revisions were approved by industry on the second ballot

• NERC Board of Trustees approval on August 10, 2017

• FERC (2018 Jan 25, SCRM: NOPR) issued a NOPR recommending approval of CIP-013-1, CIP-005-6, and CIP-010-3


CIP-005-6: Part 2.4

• Indicates monitoring and control of active vendor remote access sessions is appropriate

• Vendor remote access sessions include Interactive Remote Access and system-to-system access for vendor sessions

• A vendor, as used in the standard, is NOT a defined term, but may include:

i. Developers or manufacturers of information systems, system components, or information system services;

ii. Product resellers; or

iii. System integrators (CIP-005-6, p. 24)


CIP-005-6: Part 2.5

• Requires one or more documented methods to disable active vendor remote access, including

– Interactive Remote Access, and

– System-to-system remote access

• May have separate methods to disable each category of vendor remote access, as applicable


CIP-010-3: Part 1.6

• Requires entities to:

– Verify the identity of the software source

– Verify the integrity of the software obtained from the software source

• The methodology used for such verifications is left to the entity to define

• Part 1.6 is not limited to security patches


FERC Concerns Over Residual SCRM Risks

• LIBCS were removed from the final industry-approved draft

– NERC Board of Trustees approved this change with CIP-013-1

• SCRM for Low impact BES Assets is yet to be determined as FERC expressed some concern over the absence of LIBCS from CIP-013-1 (FERC, 2018 Jan 25, SCRM: NOPR, P. 13, p. 3435; P. 15, p. 3436)

• NERC will perform a study on risks associated with LIBCS not being included in CIP-013-1 (Ibid, P. 27, p. 3437)

• FERC will “await the outcome of that study’s final report before considering whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards” (Ibid, P. 33, p. 3438)

• Along with LIBCS, FERC may include Cyber Assets associated with BCS under CIP-013-1 due to concerns over significant cyber security risk from unprotected EACMS, PACS, and PCA (Ibid, P. 4, p. 3434)

• NERC responded to the NOPR in its comments with a request to include EACMS, PACS, and PCAs as part of the proposed study to examine the impact of supply chain risk to Low impact BES Assets (NERC, 2018 March 26, p. 2)


Linking CIP-013-1 with other CIPv5 Standards

• R1 & R3 – Develop and approve the SCRM Procurement Plan

• R2 – Implement the SCRM Procurement Plan

• Identify and document BCS (CIP-002-6)

• Protect and manage BCS, as applicable, during the BCS Life Cycle (CIP-003-7 – CIP-011-2)

Notional BES Cyber System Life Cycle graphic (CIP-013-1, p. 6)

Page 11: CIP-013-1: SCRM Is Getting Closer - WECC · CIP-013-1: SCRM Is Getting Closer Presented by: Holly Eddy, Compliance Auditor, Cyber Security Author: Dr. Joseph B. Baugh, Senior Compliance

SCRM Implementation Plan – Timeline

• Three Standards currently pending FERC Approval

• FERC has moved closer to that point (see 2018 Jan 25, SCRM: NOPR)

• Implementation plan reduced from the usual 18 months to 12 months

– NERC requested the implementation plan remain at 18 months (NERC, 2018 March 26, p. 2)

• Effective 1st day of the 1st calendar quarter that is 12 months after the effective date of FERC order approving CIP-013-1 (Ibid, P. 3, p. 3434)

• Assuming FERC approval in Q2 2018, we could see SCRM in action as early as July 1, 2019


SCRM Implementation Plan – R1

• R1.1. Develop documented processes to provide a risk-based approach to identify potential cyber security risks resulting from:

i. Procuring and installing vendor equipment and software, and

ii. Transitions from one vendor to another vendor

• R1.2. Document procurement plans and processes to manage identified risks

• See NERC (2017 April, Implementation Guidance: R1.2.1 – R1.2.6, pp. 2-7) for more details


SCRM Implementation Plan – R2

• Implement SCRM plans specified in R1:

– Does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders), consistent with Order No. 829 (P. 36)

– Contracts entering the Responsible Entity's procurement process (e.g. through Request for Proposals) on or after the effective date are within scope of CIP-013-1

– Contract effective date, commencement date, or other activation dates specified in the contract do not determine whether the contract is within scope of CIP-013-1

Source: NERC, 2017 April, Implementation Guidance, p. 8.


SCRM Implementation Plan – R3

• Review SCRM plans and processes identified in R1 by Entity SMEs using:

– Requirements and guidelines

– Industry best practices

– Mitigating controls

– Internal entity continuous improvement feedback

• Obtain CIP Senior Manager or delegate approval:

– Initially, on or before the effective date

• Implies R1 documented plans and processes must be developed on or before the effective date, as well

– At least once every 15 calendar months, thereafter


NERC SCRM SGAS (March 13-15, 2018)

• NERC Small Group Advisory Sessions [SGAS] were held in Atlanta

• A general SCRM webinar was presented on March 14, 2018

• One WECC entity participated in the Atlanta sessions

• NERC plans to develop a Lessons Learned document from the March SGAS

• NERC may hold additional SGAS in Q4 2018

• Consider registering for and attending one near you


Common SGAS Questions

• Should I develop one procurement plan for High & Medium BCS and a separate plan for other Cyber Assets?

– WECC concurred with NERC’s statement, “by requiring that entities implement supply chain cybersecurity risk management plans for high and medium impact BES Cyber Systems, those plans would likely also cover their low impact BES Cyber Systems” (FERC, 2018 Jan 25, SCRM: NOPR, P. 15, p. 3436)

– Based on my experiences as an IT Program Manager who has developed and evaluated many RFPs related to Cyber Asset projects, I think it highly unlikely procurement personnel will establish two separate plans for High/Medium and Low/no BCS levels

– As mentioned above, FERC has already demonstrated significant interest in extending SCRM to LIBCS and other Cyber Assets, so a prudent entity will start thinking in that direction, as well


Common SGAS Questions

• Another common question revolved around what type of evidence auditors will seek to demonstrate my entity complied with R1 and R2

– During the SGAS with the WECC entity, WECC recommended developing a good RFP template module that directly addresses the cybersecurity risks associated with R1.2.1 – R1.2.6 and including it with the R1 procurement plan

– Let’s look at an example with audience participation of how this procurement and evaluation process might be implemented


R1.2.1 Procurement Plan Example

• As part of its development for an SCRM procurement plan to meet Requirement R1, Entity A opted to develop a generic RFP template to address the cybersecurity risks associated with R1.2.1 through R1.2.6 and other relevant criteria

• Let’s walk through a set of fictitious vendor responses for Line item 1.2.1


R1.2.1 Example

R1.2.1: Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity; (CIP-013-1, p. 7)

• RFP Line Item: Please provide a description of your processes to notify your clients of vendor-identified incidents that pose cyber security risk related to your products or services and include any internal controls that ensure the process(es) work as intended

• Evaluate the vendor responses in your RFP Evaluation Matrix with the appropriate scoring and weighting for the line item


Scoring the Responses

• I generally apply a five-point Likert scale (1-5) for my RFPs:

1 – No response

2 – Minimal response, does not address all aspects of the RFP line item

3 – Response meets minimum vendor expectations

4 – Response adequately addresses all aspects of the RFP line item

5 – Excellent response that exceeds vendor expectations

• You can (and should) use a scale that aligns with your entity’s existing procurement process

• Establish a feasible RFP evaluation process with the evaluation team and Procurement Department personnel


Vendor C Response

• Managing supply chain risk is a key priority for our organization. Our cybersecurity team has set up a specific process to monitor for vulnerabilities or threats and evaluate any cybersecurity risks that may occur with our products or services. Our management team reviews this process monthly to ensure it is operational and effective. We commit to notifying our clients within 24 hours of the identification of any cybersecurity risk, as well as keeping our clients apprised on an ongoing basis of new fixes and/or patches that will mitigate or eliminate the problem.


Evaluating Vendor Responses

• Spreadsheets are ideal for evaluating and analyzing quantitative values, such as Likert Scale responses

• Develop an evaluation matrix that has space for each vendor and the RFP criteria, in this case, R1.2.1 – R1.2.6 and a couple of other items

• Provide a copy of the evaluation matrix to each member of the RFP evaluation team

• Develop an overall evaluation matrix that aggregates the individual evaluation ratings to facilitate choosing a vendor that meets the needs of the project and provides sound SCRM practices

• Retain the RFP and the evaluation matrices as R2 evidence at audit
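The scoring and aggregation described on the last few slides (the 1-5 Likert scale per line item, one matrix per evaluator, an overall matrix that aggregates them), written out as an added example that is not from the presentation; the weights, evaluator names, vendors and scores are constructed. It averages each line item across evaluators, weights the items, ranks vendors, and flags any item where an evaluator recorded a 1 (no response) so it can be resolved before award.

```go
package main

import (
	"fmt"
	"sort"
)

// RFP line items with constructed weights: the CIP-013-1 R1.2.1-R1.2.6 items count for more than two constructed commercial items.
var Criteria = []struct {
	Name   string
	Weight float64
}{{"R1.2.1", 3}, {"R1.2.2", 3}, {"R1.2.3", 2}, {"R1.2.4", 2}, {"R1.2.5", 3}, {"R1.2.6", 3}, {"Cost", 2}, {"Support", 1}}

// Sheet is one evaluator's matrix row for one vendor: Likert scores (1-5) in Criteria order.
type Sheet struct {
	Evaluator, Vendor string
	Scores            []int
}

type VendorResult struct {
	Vendor   string
	Weighted float64  // weighted mean of the evaluator-averaged scores, 1.0-5.0
	Gaps     []string // items any evaluator scored 1 (no response): resolve before award
}

// Aggregate averages evaluators per item, weights across items, flags gaps and sorts vendors best first; malformed sheets are rejected, not skipped.
func Aggregate(sheets []Sheet) ([]VendorResult, error) {
	byVendor := map[string][]Sheet{}
	for _, s := range sheets {
		if len(s.Scores) != len(Criteria) {
			return nil, fmt.Errorf("%s/%s: expected %d scores", s.Evaluator, s.Vendor, len(Criteria))
		}
		byVendor[s.Vendor] = append(byVendor[s.Vendor], s)
	}
	var out []VendorResult
	for vendor, rows := range byVendor {
		res := VendorResult{Vendor: vendor}
		var num, den float64
		for i, c := range Criteria {
			total, gap := 0, false
			for _, row := range rows {
				v := row.Scores[i]
				if v < 1 || v > 5 {
					return nil, fmt.Errorf("%s/%s: %d is off the 1-5 scale", row.Evaluator, row.Vendor, v)
				}
				total += v
				gap = gap || v == 1
			}
			if gap {
				res.Gaps = append(res.Gaps, c.Name)
			}
			num += c.Weight * float64(total) / float64(len(rows))
			den += c.Weight
		}
		res.Weighted = num / den
		out = append(out, res)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Weighted > out[j].Weighted })
	return out, nil
}

// SampleSheets is constructed data: two evaluators scoring three fictitious vendors.
var SampleSheets = []Sheet{
	{"eval1", "Vendor A", []int{2, 3, 3, 4, 3, 2, 5, 4}},
	{"eval2", "Vendor A", []int{1, 3, 4, 4, 3, 2, 5, 3}},
	{"eval1", "Vendor B", []int{4, 4, 3, 3, 4, 4, 3, 4}},
	{"eval2", "Vendor B", []int{4, 5, 3, 4, 4, 3, 3, 4}},
	{"eval1", "Vendor C", []int{5, 4, 4, 3, 5, 4, 2, 3}},
	{"eval2", "Vendor C", []int{4, 4, 4, 4, 5, 4, 2, 3}},
}
```

On the sample data Vendor A scores lowest overall and is the only vendor with a gap (one evaluator found no R1.2.1 response), which is exactly the kind of finding the retained matrices should show an auditor.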


WECC SCRM Audit Approach

• The CIP team is still evaluating its audit approach

– This process will continue until FERC approves CIP-013-1 and the effective date of the new Standard arrives

– The CIP Team will present updated information on the CIP-013-1 audit approach at future outreach events as it develops

• For now, consider how vendor products and services impact your High and Medium BCS

• Evaluate and document cyber security risks associated with each applicable BCS

• Consider preliminary procurement planning and RFP template development to address cyber security risks throughout the Notional BCS Life Cycle

• Develop a feasible RFP evaluation process

• Document, document, document…


Closing Thoughts on SCRM

• CIP-013-1 supply chain cyber security risk management plan(s) may need to consider and effectively address supply chain risks beyond just the six items in R1.2

– Certainly there are more risks to be considered than just the six in R1.2.1 – R1.2.6

– While there is flexibility as to how to reach the security objectives of CIP-013, entities should ensure they fully do so with a risk-based approach

• Risk beyond the planning, acquisition, and deployment phases [remember the Notional BES Cyber System Life Cycle graphic above] should be thoroughly contemplated with the consideration of today’s ever evolving threat landscape (M. King, 2018, Personal Communication)


Speaker Contact Information

Holly Eddy, CISA, CRISC

Compliance Auditor - Cyber Security

Western Electricity Coordinating Council (WECC)

heddy (at) wecc (dot) biz

(C) 719.660.3457 (O) 385.228.2442

Joseph B. Baugh, Ph.D., MBA, PMP, CISA, CISSP, CRISC, CISM, PSP

Senior Compliance Auditor - Cyber Security

Western Electricity Coordinating Council (WECC)

jbaugh (at) wecc (dot) biz

(C) 520.331.6351 (O) 360.600.6631


References

• FERC. (2016 July 29). Order No. 829: Revised Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40, 156 FERC ¶ 61,050 [Docket No. RM15-14-002]. Published in Federal Register, 81(146) [pp. 49879-49894]. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2016-07-29/pdf/2016-17842.pdf

• FERC. (2018 January 25). Supply Chain Risk Management Reliability Standards: Notice of Proposed Rulemaking [SCRM: NOPR]. 18 CFR Part 40, 162 FERC ¶ 61,044 [Docket No. RM17-13-00]. In Federal Register, 83(17), 3433-3442. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-01-25/pdf/2018-01247.pdf

• NERC. (2017). Project 2016-03 Cyber Security Supply Chain Risk Management [Project Website]. Retrieved from http://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx

• NERC. (2017 April). Cyber Security Supply Chain Risk Management Plans: Implementation Guidance for CIP-013-1. Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/Implementation_Guidance_071117.pdf


• NERC. (2017 July). CIP-005-6 – Cyber Security – Electronic Security Perimeter(s). Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-005-6_Clean_071117.pdf

• NERC. (2017 July). CIP-010-3 – Cyber Security — Configuration Change Management and Vulnerability Assessments. Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-010-3_Clean_071117.pdf

• NERC. (2017 July). CIP-013-1 – Cyber Security - Supply Chain Risk Management. Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-013-1_Clean_071117.pdf

• NERC. (2017 July). Implementation Plan: Project 2016-03 Cyber Security Supply Chain Risk Management Reliability Standard. Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/Implementation_Plan_Clean_071117.pdf

• NERC. (2018 March 26). Comments of the North American Electric Reliability Organization in response to Notice of Public Rulemaking [Docket No. RM17-13-000]. Retrieved from https://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/NOPR%20Comments%20-%20Supply%20Chain%20Reliability%20Standards.pdf
