RELIABILITY | RESILIENCE | SECURITY Maintaining CMEP Evidence and Workflow Documentation Stakeholder Webinar January 27, 2020

Post on 19-Aug-2020

RELIABILITY | RESILIENCE | SECURITY

Maintaining CMEP Evidence and Workflow Documentation Stakeholder Webinar

January 27, 2020

Jim Robb, President and CEO, NERC

Why?

1. Drive alignment and consistency in Regional Entity CMEP practices to ensure more equity in outcomes for Registered Entities

2. Improve the security of handling highly sensitive information

3. Capture productivity gains

Harmonization Activities

• Critical component of the Align implementation.
• Primary goal is to address the inconsistencies in processes and approach and engagement with the Registered Entities.
• Harmonized 53 processes, including the approach to maintaining Registered Entity evidence and CMEP workflow documentation.
• Harmonization activities will continue with Align and locker deployment and ongoing as needed.

Sara Patrick, President and CEO, MRO

Align Executive Sponsor

Webinar Objectives

• Update on Align, including demo
• Introduce locker concept
• Provide high level information on Align and locker security
• Provide examples of workflow and work papers in Align
• Request input and feedback on webinar content
• This webinar will be posted to the NERC website
• Questions? Send them to [email protected]

Webinar Agenda Topics

• Benefits
• Recap the Journey
• Maintaining and Securing Evidence and Information Guiding Principles
• Align Application Security
• Evidence Lockers Introduction and Security
• Align Demo
• ERO Enterprise Documentation in Align
• Workflow and Work paper Examples and Scenarios
• Next Steps and Webinar Close

Align Project Update: How does this benefit you?

Moving to a common platform will provide:
• Alignment of common CMEP business processes, ensuring consistent practices and data gathering
• A standardized interface for Registered Entities to interact with the ERO Enterprise
• Real-time access to information, eliminating delays and manual communications
• Consistent application of the CMEP
• More secure method of managing and storing CMEP data

Recap – Align Milestones

• December 2016 – Steering Committee selects partner (Deloitte)
• November 2017 – NERC Board Approves Align Business Case
• March 2018 – Steering Committee selects solution (BWise)
• June 2018 – Release 1 development begins
• March 2019 – Regional SMEs review R1 initial prototype
• December 2019 – R1 development and testing complete

Recap - Stakeholder Outreach

• Stakeholder formal outreach conducted:
  • March 21, 2019
  • July 31, 2019
  • October 15, 2019
  • January 27, 2020 – Today’s webinar
• Other outreach with Compliance and Certification Committee (CCC), trades and informal touchpoints.

Guiding Principles

• All Registered Entity provided evidence* will go into the Registered Entity or ERO Enterprise locker (any Registered Entity locker must meet certain criteria the ERO Enterprise develops for functionality, access, etc.).

• ERO Enterprise workflow and work products will be in the ERO Enterprise Align tool.

• The ERO Enterprise will enhance ERO Enterprise work products (e.g., working papers) to support conclusions without the need to store data for extended periods, minimizing a data protection risk.

*Unless prohibited by a standard

NOTE: Achieving this will occur via training, guidance, oversight activities and other outreach

Justin Lofquist, NERC IT

Align Application Security

Align – Application Security

• Consistent with industry-recognized cybersecurity standards frameworks

• Principles
  • Data identification, classification, management, and destruction
  • Aggressive management of role-based credentials
  • Evidence and data separation and isolation
  • Control processes and auditing

Align – Application Security

• Application, patch release and network cyber testing
• Multi-factor authentication for user access
• Activity logging and 24x7 system monitoring
• Geo-blocking
• CRISP monitoring for CRISP participants and NERC
• Encryption at-rest and in-transit
• Virtualization and database layer
• NERC (customer) controlled encryption key management
• File integrity monitoring
• Anti-virus appliances

Align – Application Security

• Boundary Controls
  • Isolated Virtual Network
  • Intrusion Detection and Prevention devices
  • Web Application Proxies
  • Next-Gen Firewall
  • Network Traffic Analytics and Log collector

• Enterprise Vulnerability Scanning

Evidence Locker

Evidence Locker Topics

• What it is
• How it will work
• User scenarios
• How we will keep the information secure
• Can entities set up their own locker? And what are the requirements?

Evidence Locker Overview

• A highly secure, isolated on-premise environment
  • Purpose-built to collect and protect evidence
  • Enables submission by authorized and authenticated entity users
  • Provides compartmentalized analysis of evidence in temporary, isolated, disposable environments
  • No interfaces with any other systems
• Evidence
  • Is encrypted immediately upon submission
  • Is securely isolated per entity
  • Is never extracted
  • Is never backed up
  • Is subject to proactive and disciplined destruction policies

Systems Communications

[Diagram. Systems shown: Evidence Locker, Align, CORES Registration System. Labels: Registered Entities*, Standards & Requirements*, Contacts and Business Roles, "No information exchange", "Secured information exchange".]

*Publicly available

Entity Locker – How will it work? Conceptual Overview

[Diagram: Evidence Room, Lobby, Offices, Locker]

Registered Entity Goes to Lobby

[Diagram: Registered Entity; Evidence Room, Lobby, Offices, Locker]

Registered Entity Provides Evidence to Custodian

[Diagram: Registered Entity; Evidence Room, Lobby, Offices, Locker]

Custodian Moves Evidence to Locker

[Diagram: Registered Entity; Evidence Room, Lobby, Offices, Locker]

ERO Monitoring and Enforcement Staff Reviews Evidence

[Diagram: Authorized CMEP Personnel; Evidence Room, Lobby, Offices, Locker]

Custodian Destroys Evidence When Work is Complete

[Diagram: Authorized CMEP Personnel; Evidence Room, Lobby, Offices, Locker]

Evidence Locker - How will it work? Technical Implementation

[Diagram: ERO Enterprise Evidence Analysis Locker. Labels: Secure File Transfer; Enterprise Content Management; Encryption; Regionally Specific; Routing Rules; Management Utilities; Locker (two); Analysis Environment; Auditor Session (auditor tools, disposable) (two); MFA Authentication (two); Registered Entity User; Authorized CMEP Personnel; Privileged Session Server; MFA; System Administrator.]

Use Cases, Key Examples and Scenarios

• Entity User – On-boarding and Submission
  • Obtain an ERO Portal Account (https://EROPortal.nerc.net)
  • Request access to the evidence locker for your entity through the ERO Portal and be vetted by your Entity Administrator
  • Navigate to the ERO Evidence Locker URL (TBD) and supply your username / password
  • Redirect to MFA and receive and approve a push to your mobile phone
  • Land on the home page of the ERO Evidence Locker
  • Choose certain meta-data (e.g. type of evidence, violation ID) and upload evidence.
  • Receive an email confirmation of submission, which includes date of submission and a hash of the evidence submitted. This hash can be used to confirm integrity of the evidence file(s).
  • In the case of evidence locker failure, all evidence will require re-submission
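
The hash in the confirmation email lets a submitter check that the copy they retain is still the file that went into the locker. The following is an added example of that check, not NERC or Align project code; the slide names neither the hash algorithm nor the email layout, so the `<hex digest>  <file name>` line format, the length-based algorithm guess, and all file names are assumptions.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumption: the confirmation carries hex digests; the algorithm is inferred
# from the digest length because the slide does not name one.
ALGORITHM_BY_HEX_LENGTH = {64: "sha256", 96: "sha384", 128: "sha512"}
# Assumed line format (constructed for this example): "<hex digest>  <file name>"
CONFIRMATION_LINE = re.compile(r"^\s*([0-9A-Fa-f]{32,128})\s+\*?(.+?)\s*$")


def file_digest(path, algorithm, chunk_size=1024 * 1024):
    """Hash a file in chunks so large evidence files are not loaded into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_confirmation(text):
    """Return {file name: lowercase hex digest}; non-digest lines are skipped."""
    expected = {}
    for line in text.splitlines():
        match = CONFIRMATION_LINE.match(line)
        if match:
            expected[match.group(2)] = match.group(1).lower()
    return expected


def verify_submission(confirmation_text, evidence_dir):
    """Compare retained local copies against the digests in the confirmation.

    Status per file: match, mismatch, missing, unsupported-hash.
    """
    results = {}
    root = Path(evidence_dir).resolve()
    for name, expected in parse_confirmation(confirmation_text).items():
        algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(expected))
        candidate = (root / name).resolve()
        if algorithm is None:
            # e.g. a 32-character digest: refuse rather than trust a weak hash.
            results[name] = "unsupported-hash"
        elif root not in candidate.parents or not candidate.is_file():
            # Names that resolve outside the evidence directory count as missing.
            results[name] = "missing"
        elif hmac.compare_digest(file_digest(candidate, algorithm), expected):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: two retained files, one altered after submission,
    and one file listed in the confirmation but no longer held locally."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firewall_rules.csv").write_bytes(b"rule,action\n1,deny\n")
        (root / "access_list.txt").write_bytes(b"user-a\nuser-b\n")
        confirmation = "\n".join([
            "Submission date: 2020-01-27 (constructed sample)",
            hashlib.sha256(b"rule,action\n1,deny\n").hexdigest() + "  firewall_rules.csv",
            hashlib.sha256(b"user-a\nuser-b\n").hexdigest() + "  access_list.txt",
            hashlib.sha512(b"diagram").hexdigest() + "  network_diagram.pdf",
        ])
        # Simulate the local copy changing after it was submitted.
        (root / "access_list.txt").write_bytes(b"user-a\nuser-b\nuser-c\n")
        return verify_submission(confirmation, root)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```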

Use Cases, Key Examples and Scenarios

• CMEP staff – Analysis
  • CMEP staff will access through an internal-facing, non-public URL
  • Access will only be provided through Regional offices; access from the field will require a VPN connection into the regional network
  • CMEP staff will authenticate with credentials and also MFA
  • CMEP staff will launch a web browser within a virtual desktop environment to access a specific locker of evidence
  • No other network access will be permitted in the virtual environment, including outbound communications
  • Once complete, virtual desktops are logged out and recycled.

Use Cases, Key Examples and Scenarios

• NERC System and Security Administrator – Access and Operations
  • Administrators will access a secure URL of a privileged session server, and authenticate with MFA
  • All devices and applications within the environment are accessed through remote desktop (RDP) with secure shell (SSH) and HTTPS
  • Read-only access to a managed file transfer server (SFTP) via RDP for external documentation and system patches – no external network access permitted
  • No access to evidence files

Evidence Locker - Security

• Adherence to NIST 800-171(b) security framework
• Encryption
  • File-level encryption at point of entry
  • All traffic encrypted (inbound and within walls)
• Outbound communications limited to e-mail (SMTP) and security information and event (SIEM) logs
  • No ability to extract evidence
• Analysis environment destruction upon log out
• No direct access to the evidence
  • Secure File Transfer -> Locker
  • Analysis Environment -> Locker
• File level permissions applied to evidence

Evidence Locker - Security

• Boundary Protections
  • Web-application Next-Gen firewall – inspection of all HTTPS traffic
  • Application Proxies
  • Geo-blocking
• Intrusion detection and prevention
  • Endpoint Detection and Response Management Server – forensic endpoint monitoring and logging
  • Enterprise Vulnerability Scanning appliance
  • ICAP Server: virus / malware protection

Evidence Locker - Security

• Internal Controls
  • Integrated, key-based authentication (PKI)
  • Micro-segmentation Firewall
  • Auditing of all activities and file actions
  • Network Traffic Analytics and Log collector
  • Privileged Access Management Service
  • Patch Management Server

Evidence Locker - Security

• Entity Access
  • Multi-factor authentication (MFA)
  • Distributed Authorization
• CEA access
  • Multi-factor authentication
  • IP-restricted, VPN connections only
• System Administrators
  • Multi-factor authentication
  • Privileged Session Server (Jump Box) on NERC premises – no internet access
  • No access to evidence

Can I set up my own locker?

• Yes… it must be available and validated before it is authorized for use for CMEP activities
  • Data Availability
    o initial timeliness
    o 24 x 7 availability with advance notification of scheduled maintenance
  • Analysis tools availability (e.g. NP-View, RAT-STATS, MS Office, Adobe Acrobat)
  • Assurance of data integrity (e.g. hash, digital certificates)
  • CEA login through NERC’s federated authentication services (SAML-based CBA)
• No change in retention obligation (e.g. if the locker is retired, the requirement still exists for CEA access to evidence)

Andy Rodriquez, NERC IT

Align Release 1 Functionality and Activities

Align Demonstration

Align Release 1: What to expect as a registered entity?

Stakeholder Group: Registered Entities

Release 1 Functionality
• Create and submit Self-Reports and Self-Logs
• Create and manage mitigating activities (informal) and Mitigation Plans (formal)
• View and track Open Enforcement Actions (EAs) resulting from all monitoring methods
• Receive and respond to Requests for Information (RFIs)
• Receive notifications and view dashboards on new/open action items
• Generate report of Standards and Requirements applicable to your entity
• Manage user access for your specific entity

Next Steps – What to Expect

• Complete final quality assurance activities, testing, and remediation
• Finalize design and technology selections for ERO Enterprise Evidence Locker and build
• Perform final Standards data export from existing systems and import into Align
• Perform load of Functional Registrations into Align
• Develop and deliver training for Align Release 1 and use of ERO Enterprise Evidence Locker
• Continue with stakeholder communications, engagement, and organizational change management initiatives

Align Demonstration

ERO Enterprise Information and Documentation Examples to be Stored and Protected

Curtis Crews, Texas RE CMEP
Ed Kichline, NERC Enforcement
Jeff Norman, MRO CMEP
Lonnie Ratliff, NERC CIP Compliance

Workflow Documentation and Work Paper Enhancements

• ERO Enterprise CMEP Business Practice Enhancements
  • Re-evaluate access/possession/retention of entity documents and data
  • Separating CMEP planning, business workflow and work papers versus evidence location
  • Proactive and disciplined destruction policy
  • Clarify workflow and work paper documentation expectations

Align Content – Compliance Monitoring

Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.

Align Content - Enforcement

Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.

Example: IRA Questionnaires

Example: IRA Questionnaire

Example: IRA and COP Work Papers

Example: IRA and COP Work Papers

Example: IRA and COP Summary

Example: Request for Information

Example: RSAW with Auditor Notes

Example: RSAW with Auditor Notes

Example: Preliminary Finding and Risk Harm Assessment

Example: Compliance Audit Report

Example: Compliance Audit Report

Example: Self-Certification

Example: Periodic Data Submittal

Enforcement Considerations

• Almost 80% of noncompliance is identified by registered entities
• Registered entities will produce much of the content within Align
  • Self-Reports and Self-Logs
  • Mitigation activities, including Mitigation Plans
• Outreach and training for registered entities on what should go into Align and what should go into a locker
  • Content of narratives in Self-Reports and Mitigation Plans
• Training for ERO Enterprise personnel on how to document the assessment of materials provided by registered entities
  • Align should not replicate information included in a locker

Self-Report Example

Self-Report Example

Mitigation Plan Examples

Mitigation Verification Example

What this means to Registered Entities

• Evidence resides in a stand-alone tool
• Additional involvement for access, authentication
  • Learning curve
  • Security-focused destruction and non-backup policies may require limited resubmittal of evidence
• Expectations and obligations for retention responsibilities
• Additional training and outreach opportunities

What this means to ERO Enterprise

• Enhanced and harmonized work flow and documentation
• Additional infrastructure development and maintenance costs
• Expectations and obligations for retention
  • Possible ROP changes to support
  • Implications of entity responsibility to retain copy
• Complexity and resource considerations for engagement or processing activities
• Overall, there may be some pain points as with any implementation, but we are in this together.

Jim Albright, Vice President and COO, Texas RE

Align Steering Committee Chair

Summary

• Align and locker are secure and functional solutions to maintaining CMEP evidence and work flow documentation
• Implementation will require coordination and collaboration
• Training will be provided.
• Harmonization efforts and tool implementation result in improved CMEP.
• Continued input and feedback are crucial for success.

Next Steps

• Timing of Align Phase 1 Roll-out and locker criteria. 2nd Half of 2020
• Align and locker training. In coordination with Align and locker deployment dates
• Training. Ongoing and in coordination with Align and locker deployment dates
• Continued formal and informal outreach. Ongoing.

Questions

• All questions welcomed.
• Submit questions to the [email protected] email address with your name and company.
• We will review questions received today (January 27) and post an initial consolidated FAQ to the Align project page this Friday, January 31, 2020.
• We will update the FAQ as necessary on a rolling basis every Friday in February and twice a month through Q2 2020.
