NPCC Compliance Webinar Welcome Scott Nied Assistant Vice-President, Compliance July 14, 2020 7/14/2020 1


Page 2: NPCC Compliance Webinar Welcome

The ERO Golden Circle: Why, How, What

Page 3: NPCC Compliance Webinar Welcome

Example of ERO CMEP Aspirations
• Staff initiatives and behavior are centered around our “why.”
• Monitoring engagements are not just about compliance. It is more holistic. Is security and reliability sustainable?
• Stakeholders identify with our transformational activities and see value in their monitoring engagement with us.

Page 4: NPCC Compliance Webinar Welcome

Note: Audit Preparation
• Successful audits take effort and need project management
• Understand the Requirements
• Know what the auditor is looking for. There are measures in the Requirement and auditor approaches in the RSAW.
• Acquire, track, and log your evidence.
• The CIP ERT, PRC-005 components, list of BES facilities; all need to be accurate. That affects the sampling process.
• Analyze your evidence
• Annotate the evidence. (Or a data request is needed.)
• Develop relevant compliance narratives that accurately and succinctly speak to the evidence that you provide and how it supports your compliance.
  – User Guide: A recommendation is to give the same evidence to someone within your organization who is less familiar with it to determine if you have provided sufficient context or explanation.
• Package your evidence: use naming conventions as per the ERT user guide, and review the folder structure of evidence submittals so NPCC can find it.
• Perform a Mock Audit
• Uniform effort: Sys Ops, Prot Eng, Substations, Trans Eng, Trans Plan, Line Clearance, EMS Support, IT, Network Security
• Ensure SMEs understand how the evidence that you are presenting makes you compliant

Page 5: NPCC Compliance Webinar Welcome

COVID-19 Noncompliance Logging
Damase Hebert
July 14, 2020, NPCC Workshop

Page 6: NPCC Compliance Webinar Welcome

ERO Enterprise Guidance addressing Noncompliance Related to Coronavirus Impacts

Issued May 28, 2020


Page 7: NPCC Compliance Webinar Welcome

May 28 Guidance
• Maintaining safety of workforce and communities
• Assure reliability of the bulk power system during the public health emergency.
• Self-log noncompliance.

Page 8: NPCC Compliance Webinar Welcome

May 28 Guidance
• Applies to minimal and moderate risk noncompliance
• Applies to periodic and non-periodic actions.
• Expires September 30, 2020

Page 9: NPCC Compliance Webinar Welcome


Page 10: NPCC Compliance Webinar Welcome

NPCC COVID-19 Notification Spreadsheet
• Standard, Requirement, Functions
• Start and Possible End Dates
• Compliance impact details and mitigating controls
• Justification for Exception

Page 11: NPCC Compliance Webinar Welcome

NPCC On-site Activity
• Suspended through 2020
• Off-site activity continues

Page 12: NPCC Compliance Webinar Welcome

Questions
• Questions? Email: [email protected]

Page 14: NPCC Compliance Webinar Welcome

Agenda
• CIP ERT Version 4.5 User Guide
• Using the ERT
• Submitting the ERT and Responses
• General Recommendations
• Tips for Evidence
• ERT and RSAW

Page 15: NPCC Compliance Webinar Welcome

CIP ERT 4.5 User Guide
CIP ERT Version 4.5
– Key resource when completing the ERT
– Sent with audit notification package
– Available on NERC website: CIP v5 Transition Program

Page 16: NPCC Compliance Webinar Welcome

Using the ERT
ERT Level 1 – Initial Evidence Request
– 90 requests depending upon scope
– Also requested in RSAW
– Documentation focused:
  • Policies
  • Programs
  • Procedures
  • Processes
  • Diagrams
  • Configurations
  • Etc.
– Populations of Cyber Assets, etc., that will be used for generating the Sample Sets in the Level 2 Evidence Request. Bright green rows indicate that there is a tab to be completed.

Page 17: NPCC Compliance Webinar Welcome

Using the ERT
ERT Level 1 – Sampling Population Tabs
• 13 Sampling Populations depending upon audit scope.
• Each population has a tab that must be completed. All fields on the tab should be completed or blank as appropriate. For requests anywhere in the ERT on standards or requirements that are not in scope for the audit, simply state “Not in scope”.
• The CIP Evidence Request Tool User Guide v4.5 has detailed instructions for completing each tab and each column in the ERT.
• Pay attention to true/blank drop-downs, pick lists and date of activation/deactivation.
• When in doubt, contact your Audit Team Lead.

Page 18: NPCC Compliance Webinar Welcome

Using the ERT
NPCC Tab
Used by the audit team to ask questions and request evidence that may not be covered by the ERT or RSAW. This tab is also used to document onsite questions.
• Initial questions may be available with the L1 requests.
• Each request is assigned a unique number
• Multiple rounds of questions will be separated by a yellow bar

Page 19: NPCC Compliance Webinar Welcome

Using the ERT
Sample Sets Example – CA Tab – CIP-005-6 R2

Page 20: NPCC Compliance Webinar Welcome

Using the ERT
Sample Sets Example – CA Tab – CIP-005-6 R2 (cont.)
* Sampling performed in alignment with the ERO Sampling Handbook

Page 21: NPCC Compliance Webinar Welcome

Using the ERT
Sample Sets Example – CA Tab – CIP-005-6 R2 (cont.)
Level 2 Evidence Requests
Request IDs CIP-005-R2-L2-01 to CIP-005-R2-L2-03 apply to the cyber assets selected in SS-005-R2-L2-01

Page 22: NPCC Compliance Webinar Welcome

Using the ERT
Sample Sets Example – Sampling Dates
These can be a range or ranges of dates throughout the audit period.
SS-Date-XX will be documented on the NPCC Tab of the ERT and sent with the Level 2 requests.

Page 23: NPCC Compliance Webinar Welcome

Submitting the ERT and Responses
Naming Conventions
– Each line of the Level 1 and Level 2 tabs contains a “Request ID,” which uniquely identifies each request.

  CIP-sss-Rr-Lm-nn
  – sss is the three-digit CIP Reliability Standard number;
  – r is the Requirement number within the Standard;
  – m is the level of the evidence request (either “1” for Level 1 or “2” for Level 2);
  – nn is a two-digit request number within the Standard, Requirement, and Level.

(Figure: Level 1 Tab, Level 2 Tab)
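The Request ID convention can be checked mechanically before a submittal goes out. The Python below is an added example, not NPCC or NERC tooling: it parses a Request ID into its Standard, Requirement, Level and request number, expands a range such as the "CIP-005-R2-L2-01 to CIP-005-R2-L2-03" set quoted on the sample-set slide, checks that a request and a sample set share the same Standard/Requirement/Level scope, and flags evidence folder names that do not follow the convention. Two assumptions are labelled in the code: the SS-sss-Rr-Lm-nn layout for Sample Set IDs is generalised from the single example SS-005-R2-L2-01 on the slides, and the folder-name check assumes folders are named by ERT Request ID as the folder-structure slide suggests.

```python
"""Parse and validate ERT Request IDs of the form CIP-sss-Rr-Lm-nn.

Added example, not NPCC's or NERC's own tooling. The Request ID layout is the
naming convention from the slide. The Sample Set ID layout (SS-sss-Rr-Lm-nn) is
an ASSUMPTION generalised from the one example SS-005-R2-L2-01 on the slides;
the ERT user guide is the authority if it differs.
"""
import re
from dataclasses import dataclass

# CIP-sss-Rr-Lm-nn: sss = three-digit Standard number, r = Requirement number,
# m = evidence request level (1 or 2), nn = two-digit request number.
REQUEST_ID_RE = re.compile(
    r"^CIP-(?P<sss>\d{3})-R(?P<r>\d+)-L(?P<m>[12])-(?P<nn>\d{2})$"
)
# Assumed Sample Set layout: the same fields behind an "SS" prefix.
SAMPLE_SET_ID_RE = re.compile(
    r"^SS-(?P<sss>\d{3})-R(?P<r>\d+)-L(?P<m>[12])-(?P<nn>\d{2})$"
)


@dataclass(frozen=True)
class ErtId:
    kind: str         # "request" or "sample_set"
    standard: int     # sss, e.g. 5 for CIP-005
    requirement: int  # r
    level: int        # m: 1 = Level 1, 2 = Level 2
    number: int       # nn

    def scope(self) -> tuple:
        """Standard, Requirement and Level: the part shared by related IDs."""
        return (self.standard, self.requirement, self.level)

    def __str__(self) -> str:
        prefix = "CIP" if self.kind == "request" else "SS"
        return (f"{prefix}-{self.standard:03d}-R{self.requirement}"
                f"-L{self.level}-{self.number:02d}")


def parse_ert_id(text: str) -> ErtId:
    """Parse a Request ID or (assumed layout) Sample Set ID; raise on anything else."""
    text = text.strip()
    for kind, pattern in (("request", REQUEST_ID_RE), ("sample_set", SAMPLE_SET_ID_RE)):
        m = pattern.match(text)
        if m:
            return ErtId(kind, int(m["sss"]), int(m["r"]), int(m["m"]), int(m["nn"]))
    raise ValueError(f"not a valid ERT identifier: {text!r}")


def is_valid_request_id(text: str) -> bool:
    """True only for a well-formed CIP-sss-Rr-Lm-nn Request ID."""
    try:
        return parse_ert_id(text).kind == "request"
    except ValueError:
        return False


def same_scope(id_a: str, id_b: str) -> bool:
    """True when two IDs refer to the same Standard, Requirement and Level."""
    return parse_ert_id(id_a).scope() == parse_ert_id(id_b).scope()


def expand_request_range(first: str, last: str) -> list:
    """Expand 'CIP-005-R2-L2-01 to CIP-005-R2-L2-03' into every Request ID in between."""
    lo, hi = parse_ert_id(first), parse_ert_id(last)
    if lo.kind != "request" or hi.kind != "request":
        raise ValueError("range endpoints must be Request IDs")
    if lo.scope() != hi.scope() or hi.number < lo.number:
        raise ValueError(f"{first} to {last} is not a range within one Standard, Requirement and Level")
    return [str(ErtId("request", lo.standard, lo.requirement, lo.level, n))
            for n in range(lo.number, hi.number + 1)]


def unrecognised_folders(names) -> list:
    """Evidence folder names that are not valid Request IDs.

    Assumes (per the folder-structure slide) that evidence folders are named by
    ERT Request ID; a name that does not parse is a packaging mistake to fix
    before submission, since the audit team will look for it by Request ID.
    """
    return [n for n in names if not is_valid_request_id(n)]


if __name__ == "__main__":
    # Constructed sample: three Level 2 requests that share one Sample Set, plus
    # two folder names that would not be found by the audit team.
    for rid in expand_request_range("CIP-005-R2-L2-01", "CIP-005-R2-L2-03"):
        print(rid, "shares scope with SS-005-R2-L2-01:", same_scope(rid, "SS-005-R2-L2-01"))
    print(unrecognised_folders(["CIP-005-R2-L2-01", "CIP-5-R2-L2-01", "CIP-005-R2-L3-01"]))
```

Run it before packaging an evidence submittal: the second print lists the folder names to rename. Note that the check is purely syntactic; whether a Request ID is actually in scope for the audit still comes from the ERT itself.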

Page 24: NPCC Compliance Webinar Welcome

Submitting the ERT and Responses
Folder Structure
• Response Level
• ERT Request ID
• NPCC Data Request #

Page 25: NPCC Compliance Webinar Welcome

General Recommendations
• Review the audit package instructions when submitting evidence artifacts (e.g. filling out the ERT and usage of evidence narratives)
  – Review accuracy of assets on the ERT
  – Provide narratives with evidence artifacts
  – Use naming conventions as per the user guide
  – Review folder structure of evidence submittals

Page 26: NPCC Compliance Webinar Welcome

Tips for Evidence
• Submit supporting documents with brief explanations of evidence files (i.e. README files or narratives).
• Screen Shot Evidence
  – Annotate if possible
  – Cyber Asset Name/Identifier
  – Date & Time
• Photographic Evidence
  – Annotate if possible
  – Front and back of device
  – Cyber Asset Name/Identifier Tag

Page 27: NPCC Compliance Webinar Welcome

ERT and RSAW
• ERT, ERT responses and RSAWs must be submitted.
• Cite ERT responses in the RSAW if the same evidence is being used to demonstrate compliance.
• Additional evidence may be required to support RSAW responses

Page 28: NPCC Compliance Webinar Welcome

Questions?

Please send all questions to [email protected]


Page 29: NPCC Compliance Webinar Welcome

Data Validation
Kimberly Griffith, Senior Compliance Engineer
5/20/2020

Page 30: NPCC Compliance Webinar Welcome

• New Registration Requests
• Changes to Existing Registrations
• Registration Information

Page 31: NPCC Compliance Webinar Welcome

CORES Functionality: Accessing CORES

Page 32: NPCC Compliance Webinar Welcome

CORES – My Entity Validation Summary

Form Section: Instructions
Basic Information: Ensure all fields are filled out correctly and add information if applicable.
Upstream Holding Companies: Add the top-tier Holding Company and, if applicable, all NERC registered affiliates.
Contacts (Roles - PCC, ACC, PCO, etc.): Temporary Contact Role Change Process
  • Until further notice, any changes made to Compliance Contact Roles (PCC, ACC, PCO, etc.) will be made in CDAA - NOT in CORES.
  • Please let me know if you make changes in CDAA so I can make them in CORES.
Entity Scopes: Ensure all fields are filled out correctly (effective date of the NERC reliability function(s) per region).
Functional Mapping: Functional Relationships. Please add, if available. Required for new registrations in CORES.
Coordinated Oversight: If applicable, review the Coordinated Oversight entity list.
CFR: If a Coordinated Functional Registration (CFR) record exists, review the information for accuracy.
JRO: If a Joint Registration Organization (JRO) record exists, review the information for accuracy.
Comments & Attachments: Upload supporting documents, etc.

Page 33: NPCC Compliance Webinar Welcome

Resources - Help Desk
• Select the Help Desk option
• This opens a page where you can submit a ticket to the NERC Help Desk – https://support.nerc.net/

Page 34: NPCC Compliance Webinar Welcome

CORES Resources

Resource: Link
ERO Portal Access: https://eroportal.nerc.net/
ERO Enterprise Help Desk: https://support.nerc.net/
ERO Portal User Guide: https://www.nerc.com/pa/comp/RegistrationReferenceDocsDL/User Guide_ERO Portal.pdf
NERC CORES Training: https://training.nerc.net/
NERC Project Page: https://www.nerc.com/pa/comp/Pages/CORESTechnologyProject.aspx
NERC Registration Page: https://www.nerc.com/pa/comp/Pages/Registration.aspx
NPCC Registration Page: https://www.npcc.org/Compliance/Compliance Registration1/Forms/Public List.aspx

Page 35: NPCC Compliance Webinar Welcome

Contact
Kimberly Griffith, Senior Compliance Engineer
646-276-5332 (cell)
212-205-7051 (office)
[email protected]

Page 36: NPCC Compliance Webinar Welcome

NPCC FAC-008 Focused Outreach and Compliance Bulletins
NPCC Webinar, July 14, 2020
Ben Eng, Mgr. ERA

Page 37: NPCC Compliance Webinar Welcome

Objectives
• Why the Focus on FAC-008-3?
• NPCC Survey results
• Suggested Actions from NPCC
• What is NPCC doing to address these concerns?

Page 38: NPCC Compliance Webinar Welcome

Origin of Focus
• Recent NERC Board of Trustees and FERC interest
• ERO CMEP Implementation Plan
• SERC started field visits in 2018
  o Discrepancies were found
• ERO noncompliance trends

Page 39: NPCC Compliance Webinar Welcome

Why are Facility Ratings important?
They are the main component in the determination of accurate System Operating Limits (SOL).
Without accurate Facility Ratings, accurate real-time situational awareness is not accomplished and planning models are inaccurate.
– Interface MW Flow
– Transient Stability
– Voltage Stability
– System Voltage Limits
– Interconnection Reliability Operating Limits (IROL)

Page 40: NPCC Compliance Webinar Welcome

An example issue - Series Components


Page 41: NPCC Compliance Webinar Welcome

How Does This All Fit Together?
The FAC-008-3 requirements deal with
• Equipment Ratings, which help develop
• Facility Ratings for
  • Various configurations
  • Various conditions
  • Identifying most limiting elements
• Change Management for the above:
  • As-built (field) info
  • Drawing info
  • Database/spreadsheet info
  • Triggers for information change
• Equipment replacement
  • Planned
  • Emergency
  • Identical?
  • Most Limiting Element(s) same?
  • Database, drawing, ratings updates
  • Communicate changes to others

Page 42: NPCC Compliance Webinar Welcome

March 2020 FAC-008 Survey Results
Confirms the challenges encountered by entities having Violations
• Biggest challenge regarding accuracy of Facility Ratings?
  – Change Mgmt for Planned and Emergency work (7)
  – Databases that are not synched (4)
  – Mergers/Consolidation (1)
• How are Ratings changes and updates tracked or managed?
  – Software (7)
  – Spreadsheet (3)
  – Access Database (2) (without a template)
  – Changes are peer checked (9)
• How often is Facility Rating Methodology vs. equipment field data vs. database verified by substation visits and ROW walkdown?
  – Rarely (12) [As needed, for new equipment]
• Facility Ratings Database Access Controls
  – Key people make changes w/o review (6)
  – Key people make changes with review (4)
  – Anyone can change (2)

Page 43: NPCC Compliance Webinar Welcome

From Entities: Best Way for NPCC to Help Its Region?

• Keep a constant platform in place for best practices and internal controls

• Offer a voluntary outreach program to discuss processes w/o visiting stations

• Surveys like this (FAC-008) have succeeded in raising awareness already at my company

• Outreach at workshops, scheduled engagements and bulletins


Page 44: NPCC Compliance Webinar Welcome

What is NPCC doing for this outreach? (FAC-008)
• Canvassed the ERO knowledgebase to find ERO Tools specific to FAC-008-3:
  • Standards Application Guide FAC-008-3, dated March 21, 2017
    https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/FAC-008-3%20Standard%20Application%20Guide.pdf
  • CMEP Practice Guide, Evaluation of Facility Ratings and System Operating Limits, dated June 17, 2020
    https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide_%20Evaluation%20of%20Facility%20Ratings%20and%20System%20Operating%20Limits.pdf
• NPCC FAC-008 EIC team has taken the above, enhanced it with our past EIC experience, and is developing a “do-it-yourself” EIC kit for FAC-008 R3, R6 and R8.

Page 45: NPCC Compliance Webinar Welcome

If you volunteer for EIC of FAC-008, NPCC will:
• Conduct a customized presentation for your company including
  • Tutorial on controls, types, modality, control silos, testing, documentation
  • Explanation of what EIC is and is not
  • Comparison of EIC to Compliance Audit
  • Explanation of approach, tools, logistics, milestones, and deliverables
• Provide FAC-008 Process Flow Diagram template and guidance.
• Provide FAC-008 Controls/Testing Questions and guidance.
• Coordinate data submittal dates, initial questions from NPCC, answers from volunteer entity, EIC “walkthrough” review
• Develop deliverables (FAC-008 EIC Report and Table of Suggestions to Enhance/Improve Controls)

Page 46: NPCC Compliance Webinar Welcome

Current Status of NPCC FAC-008 EIC
• Two of the NPCC survey TOs have volunteered for FAC-008 EIC
• Conducted the NPCC FAC-008 EIC presentations for them with proposed milestones
• NPCC generic FAC-008 Process Flow Diagram will be provided to volunteer entities.
• NPCC’s list of FAC-008 Controls Questions and Testing Questions will be provided.
• 3rd volunteer waiting in the wings for NPCC to proceed with the above.
• Addressing some scheduling and logistics issues.

If interested in volunteering, or any questions, contact [email protected]

Page 47: NPCC Compliance Webinar Welcome

FINI

THANK YOU FOR YOUR ATTENTION

Page 48: NPCC Compliance Webinar Welcome

Appendix: Process Flow Diagram for FAC-008 (excerpt of draft)

Page 49: NPCC Compliance Webinar Welcome

Appendix: Process Flow Diagram for FAC-008 (excerpt of draft - continued)

Page 50: NPCC Compliance Webinar Welcome

Appendix: NPCC List of Controls Questions for FAC-008

The NPCC EIC Team is developing a comprehensive list of controls questions and related testing questions for the entity to consider and answer.

Page 51: NPCC Compliance Webinar Welcome

Appendix: EIC Tools Target the Controls Listed Below

NPCC Compliance Bulletin Noncompliance Trends.pdf

Page 52: NPCC Compliance Webinar Welcome

Additional 2020 Outreach
Scott Nied, Assistant Vice-President, Compliance
July 14, 2020

Page 53: NPCC Compliance Webinar Welcome


Page 54: NPCC Compliance Webinar Welcome

Recap
• GO/GOP on 2020 schedule
• Compliance Bulletins
• FAC-008 Survey
• CIP-013
• Internal Compliance Program review of Self-Logging entities and Self-Reporters

Page 55: NPCC Compliance Webinar Welcome

Compliance Bulletin July 2020

NPCC publishes compliance bulletins as a means to engage and inform NPCC entities on aspects of Bulk Power System security, reliability, and compliance.

CIP-013 – Supply Chain Risk Management Resources and FAQ

This Compliance Bulletin is a summary of the various documentation surrounding CIP-013 and gives a quick answer guide while also providing justifications. Each answer is summarized, but the topic header will provide the source information. Additionally, this document includes above-and-beyond practices that were demonstrated by NPCC entities. Although CIP-013 also has impacts on CIP-005 and CIP-010, questions related to CIP-005 and CIP-010 are not addressed in this bulletin.

Background and Helpful Resources

FAQs: Implementation of these responses to the frequently asked questions is not a substitute for compliance with NERC’s Reliability Standards requirements.
  Supply Chain – Small Group Advisory Session (SGAS)
  2018 FAQ
  2019 FAQ

Implementation Guidance and Guidelines: Provides considerations for implementing the requirements in CIP-013-1 and examples of approaches that responsible entities could use to meet the requirements. The examples do not constitute the only approach to complying with CIP-013-1. Responsible Entities may choose alternative approaches that better fit their situation.
  North American Transmission Forum (NATF) Cyber Security Supply Chain Risk Management Guidance
  ERO Endorsed Guidance
  Edison Electric Institute (EEI) Procurement Contract Language

NERC Resources
  Cyber Security Supply Chain Risk Management Plan
  CIP-013 RSAW
  Critical Infrastructure Protection Committee (CIPC) Risk Management – An overview of topics such as identifying, assessing, and mitigating threats and procurements, installations and updating the risk management plan.

Page 56: NPCC Compliance Webinar Welcome


Secure Equipment Delivery – Highlights some of the aspects to consider regarding secure transportation and delivery of systems and components, from component manufacturers to integrators, to vendors, and ultimately to the Bulk Electric System (BES).

Risk Considerations for Open Source Software – An overview defining open source software and risks to consider if your entity has open source software

Best Practices for Small Entities – Although CIP-013-1 is not applicable to low-impact BES Cyber Systems, this white paper identifies a catalog of supply chain risk management practices for consideration by small registered entities with low-impact BES Cyber Systems.

Page 57: NPCC Compliance Webinar Welcome

NPCC Questions from Outreach

Reminder: All ERO responses are identified in GREEN and referenced in the footnotes. All NPCC stances are identified in RED.

1. Is an entity a “vendor” only if you have a contract with that entity? Is a procurement in scope of CIP-013-1 if you purchase a BES Cyber Asset from a supplier without a contract (e.g. credit card purchase made during an emergency)? What is considered a service?

- Under the Rationale Section, the term vendor(s) as used in the standard is limited to those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. It does not include other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.[1]

- Although the term “vendor” is not defined in the NERC Glossary of Terms, the drafting team did provide guidance in the CIP-013-1 Guidelines and Technical Basis section. As discussed therein, the standard drafting team (SDT) intended the term vendor to include those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. The SDT did not intend it to include, for instance, other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services) pursuant to NERC Reliability Standards.[2]

- NPCC considers credit card procurements of High & Medium BCS and related services to be in scope of R1.

- NPCC recommended that the documented supply chain cyber security risk management plan(s) include provisions documenting emergency procurements; this should include one or more process(es) that address the 1.2 requirement parts.

- NPCC recommended some alternate risk identification and assessment means, because it may not be practical to have the reseller complete a questionnaire.

- NPCC recommends the following potential approach to address credit card procurements:
  o Verify that the reseller (Staples, for example) does not tamper with any products (we could probably do this with an attestation from the reseller)
  o Only buy whitelisted products from the reseller whose manufacturer(s) we have already assessed (Cisco, Microsoft, etc.)

[1] CIP-013-1_Standard_Page12
[2] SGAS2018_Page2

Page 58: NPCC Compliance Webinar Welcome

2. If an entity contracts with a reseller (Company A) that sells Original Equipment Manufacturer (OEM) products of another company (Company B), is the entity required to identify and assess the risks associated with Company B’s products and services?

- Product resellers are cited in the CIP-013-1 Supplemental Material section as potential vendors, “A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers [emphasis added]; or (iii) system integrators” (p. 12). Depending on the specific reseller and the item(s) procured through the reseller, there may be additional cybersecurity risks associated with such procurements beyond those identified and assessed for the product manufacturer(s) or the product type(s) in the Part 1.1 cybersecurity risk identification and assessment (i.e., hardware and/or software obtained through a reseller). A registered entity would identify and assess any cybersecurity risks that may be involved in purchasing such applicable hardware or software from resellers.[3]

- NPCC will review the risk assessment and will review the documented supply chain cyber security risk management plan. NPCC would expect the risk management plan to have a process for evaluating the risk associated with hardware and/or software obtained through a reseller. NPCC would expect the risk assessment of such procurements to identify risks (e.g., if the reseller alters the product), and would expect the plan to address the identified risks.

3. Do all procurements made after October 1, 2020 need to comply with CIP-013-1 even if the procurement was made under a contract that was in place before October 1, 2020? What is NPCC’s opinion on renegotiating terms and conditions with vendors for existing contracts?

- Under the “Supplemental Information” section of the standard, Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan.[4]

- NPCC considers procurements against contracts in place before 10/1/2020 out of scope.

4. If the entity were to procure a BES Cyber Asset or related service, and subsequently find out (before that BCA or service was deployed in a BES Cyber System) that the risk identification and assessment was not done, can the risk identification and assessment be performed at that point? Would performance at that point be a compliance violation, even if the identification and assessment of risk was performed before that BCA could affect the BES?

- CIP-013-1 is applicable to any procurement regardless of the scenario, including an emergency. CIP-013-1 is silent to any special provisions such as emergency procurements. A registered entity may identify certain hardware, software or services that may be used during emergencies and perform risk assessments in planning for these situations to

[3] SGAS2019_Page7
[4] CIP-013-1_Standard_Page14

Page 59: NPCC Compliance Webinar Welcome

mitigate the supply chain risk. Although the CIP-013-1 Standard does not directly address emergency procurements, the registered entity could consider including language in its R1 SCRM procurement plan that addresses the potential for the use of purchasing cards in emergency situations. The registered entity should document the emergency procurement process in the R1 SCRM procurement plan, along with documentation that registered entity personnel or approved contractors verified after-the-fact risks and mitigations of the procurement.[5]

- NPCC will review the documented supply chain cyber security risk management plan and will confirm the entity followed its process. NPCC may identify a potential noncompliance if the entity fails to follow its plan.

5. Are procurements of Transient Cyber Assets (TCAs) and Removable Media (RM) subject to CIP-013-1?

- CIP-013-1 R1 states, “Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.” Transient Cyber Assets are currently not included in the CIP-013-1 requirement language. The NAGF Cyber Security Supply Chain Management White Paper identifies examples to consider when developing and implementing a cyber security risk management plan that includes Transient Cyber Asset considerations.[6]

6. CIP-013-1 requires identification and assessment of risk to the supply chain during planning for procurement. The requirement does not mention mitigation of that risk. Does a failure to perform risk mitigation constitute a violation? Are entities allowed to accept the risk or are entities required to mitigate all risks?

- A vendor’s intentional or unintentional ability to adhere to the conditions of an agreement as it relates to CIP-013-1 should be identified and assessed as a risk. As with all of the risks, it is the responsibility of the registered entity to mitigate them accordingly. As an example, the registered entity may address this risk by the implementation of internal controls and processes such as using reputable shippers, tracking shipments, and requiring signatures on delivery.[7]

- Paragraph 17 of the FERC Order approving the Standard states that entities are required to mitigate. Mitigation is mentioned in the purpose of the standard and not mentioned in the Requirement. NPCC auditors will ask about mitigation in an audit. Failure to perform mitigation could result in an Area of Concern (AOC). Failure to implement the documented supply chain cyber security risk management plan will result in a Potential Noncompliance (PNC). The assessment, acceptance, mitigation, and transfer of risk is part of what the

[5] SGAS2019_Page4
[6] NAGF, Cyber Security Supply Chain Management White Paper (2018)
[7] SGAS2019_Page5

Page 60: NPCC Compliance Webinar Welcome

entity will work through in developing the supply chain cyber security risk management plan(s). NPCC recommends categorizing risk (e.g. high, medium, low) and then performing the risk management processes.

7. How should auto renewals be handled? Sometimes products and services are auto renewed and entities just get an invoice that the maintenance has been renewed.

- Under the “Supplemental Information” section of the standard, Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan.[8]

- NPCC recommends entities identify products or services that are set for auto renewal and perform a risk assessment on that product or service prior to the next auto renewal to identify risks and determine if continuing to auto renew that product or service is in the best interest for the entity, reliability, and security.

8. The CIP-013-1 R1 requirement includes language associated with “transitions from one vendor(s) to another vendor(s).” Does this language apply to the product, parts and services vendors may procure to create the product prior to delivery to the Entity or does the language refer to contractual or master agreement transfers?

- If a vendor is purchased by another vendor, the entity’s plan may include controls to maintain awareness of vendor acquisitions and a process to re-evaluate or reassess the vendor.[9]

- NPCC considers the language to apply for both scenarios. A stronger SCRM may include sections to address the vendor’s inherent risk if they utilize other manufacturers to create their product. The SCRM should address the risk posed by the vendor. When transitioning from an old vendor to a new vendor, apply your CIP-011-2 Information Protection Program and CIP-004-6 access revocation program. The registered entity should treat the new vendor as such, with a complete Part 1.1 risk identification and assessment process of the vendor and applicable products or services.

9. Does a new Scope of Work (SOW) post October 1, 2020 under a master agreement established prior to the October 1, 2020 effective date trigger the need to negotiate new terms and conditions to account for CIP-013-1?

- Under the “Supplemental Information” section of the standard, Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan.[10]

- Entities are required to follow their SCRM process on the new SOW.

[8] CIP-013-1_Standard_Page14
[9] SGAS2019_Page3
[10] CIP-013-1_Standard_Page13

Page 61: NPCC Compliance Webinar Welcome

7

10. Does a new SOW post October 1, 2020 under a master agreement established prior to the

October 1, 2020 effective date trigger the need to perform a supply chain cyber security risk assessment?

- A SOW post October 1, 2020 with an established master agreement prior to the effective

date triggers the need to perform a supply chain cyber security risk assessment.

11. If an Entity chooses to address CIP-013-1 R1.2.1 – R1.2.6 with the terms and conditions of a procurement contract and existing contracts do not need to be renegotiated, does an Entity need to supply evidence of R1.2.1-R1.2.6 in R2 for existing vendors? If so, what evidence is expected?

- The entity is expected to provide evidence of compliance related to 1.2.1 – 1.2.6 for all

contracts in scope of CIP-013-1. Although existing contracts do not need to be renegotiated, products or services procured after October 1, 2020 are required to follow the entity’s SCRM. For a list of specific examples, please refer to the M2 within the standard.

12. What are the qualities of a successful supply chain cyber security risk management plan?

- NPCC will be presenting a CIP-013-1 webinar that includes recommended practices.

Additionally, please see the resources section of this FAQ for more information or review the NERC website page dedicated to CIP-013-1. Again, the guidance and implementation plans do not constitute the only approach to complying with CIP-013-1. Responsible Entities may choose alternative approaches that better fit their situation.

13. Is it acceptable for an entity to leverage the CIP standards and requirements in their process for assessing risk, determining mitigation, and implementing mitigation actions? For example, if the entity can determine and disable remote or onsite access, can this be used to assess risk and mitigate the risk?

- It is the entity’s responsibility to determine risk and implement mitigation actions to address the risk. In NPCC’s opinion, the provided example is a control to mitigate a risk posed by an outside threat but may not be a way to mitigate a different threat.

14. Is it acceptable for contract language to be less stringent than the EEI model if the effect is to increase the likelihood of acceptance, so long as the language is still robust? Where time periods are blank in the EEI model language, does NERC expect a baseline time period for minimal compliance, or are these time periods expected to be negotiated on a case-by-case basis? Example: under R1.2.2, the number of days the vendor has to develop a prevention-of-recurrence plan is blank.


- NPCC considers the EEI model as a guidance tool. NPCC will be monitoring for compliance to the Standard and requirement language. Currently, CIP-013-1 does not provide specific timeframes; for example, the EEI model states “Within [insert number of] days of notifying company of the security incident…” or “Contractor shall provide summary documentation of vulnerabilities and material defects in the procured product or services within thirty (30) calendar days after such vulnerabilities and material defects become known to Contractor.” A stronger SCRM will consider the risk associated with a longer duration to disclose a vulnerability.

15. What evidence will be required to show the process of negotiating CIP-013-1 language with vendors, particularly if security terms are less stringent than the EEI model and a vendor is still selected for commercial reasons?

- The procurement documents (e.g., RFP and vendor response evaluation matrices) used for a specific applicable procurement, along with any contract language connected to the procurement, can serve as primary evidence that the registered entity pursued its due diligence for the R1 Part 1.2 Requirement Parts when the vendor failed or refused to comply. As stated in R2, vendor performance and adherence to a contract is beyond the scope of R2, so the responsibility for compliance rests on the registered entity to demonstrate that it implemented its Part 1.2 processes as far as it could reasonably go without negating the procurement. Since the registered entity identified risk, it is incumbent on the registered entity to enact mitigating measures that would address the vendor’s refusal to meet the Requirement Parts. [11]

- NPCC considers the EEI model as a guidance tool. In the event that contract negotiations fall short of adhering to the subparts of CIP-013-1 R1, NPCC will review the entity’s correspondence, policy documents, or working documents that demonstrate use of the SCRM.

11 SGAS2019_Page5-6


Practices Demonstrated by NPCC Entities

NPCC has compiled a list of recommended and above-and-beyond practices demonstrated during the course of assisting our registered entities. Please also refer to the resources section to supplement your compliance program regarding CIP-013.

CIP-013 Supply Chain Risk Management Webinar: recommended practice(s) and above-and-beyond practices, listed per Requirement.

R1. Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.
Recommended practice(s):
1. Consider including Emergency Procurements within the SCRM or whitelisting vendors.
Above and beyond practices:
1. Apply the documented supply chain cyber security risk management plan for all procurements.
2. Consider a Risk Score process to evaluate vendors.
3. Consider identifying and developing supply chain risk strategies for creating an overarching cyber supply chain risk management plan.
4. Consider identifying and assessing interdependent processes.

R1.1. One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
Recommended practice(s):
1. Consider including a form/questionnaire for procurements to identify if the purchase will be used in High/Medium BCS.
2. Consider developing a process which includes updating, communicating, and documenting vendor relationships.
Above and beyond practices:
1. Allocate dedicated resources familiar with the standard to review procurements specific to CIP-013. Utilize any NERC compliance groups to review procurements and vendor transitions.

R1.2. One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Recommended practice(s):
1. Consider EEI's procurement language when negotiating contracts (EEI Procurement Guidance).
Above and beyond practices:
1. Pre-authorize all vendors, whether or not they are “grandfathered”.

1.2.1. Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
Recommended practice(s):
1. Consider defining methods of notification and qualifying vendor incidents.
Above and beyond practices:
Subscription to Threat Intelligence services.

1.2.2. Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
Recommended practice(s):
1. Consider defining incident coordination methods.

1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
Recommended practice(s):
1. Consider a method to track and manage vendor remote or on-site access.
Above and beyond practices:
Remote vendor access is disabled by default and only enabled for assigned / scheduled work.

1.2.4. Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
Recommended practice(s):
1. Consider establishing vendor reporting obligations and define “known vulnerabilities”.
Above and beyond practices:
Subscription to Threat Intelligence services.

1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
Recommended practice(s):
1. Consider classifying software (custom / open source / commercially available).
2. Consider managing and recording exceptions to this process when there is not a method to verify the identity of the software source or the integrity of the software obtained from the source.
3. Consider managing and tracking software source changes.
Above and beyond practices:
After software integrity and authenticity verification is performed, the entity places approved software in an internal repository. IT staff use the approved internal repository for installation of software.

1.2.6. Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
Recommended practice(s):
1. Consider defining or applying vendor access protocols.
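The 1.2.5 practices above (classify software, record an exception where no verification method exists, track software source changes) and the above-and-beyond practice of staging only verified software into an internal repository, combined into one intake gate. This is an added example written for this page, not code from NPCC or any registered entity. The package names, digests, download sources and the manifest layout are constructed for illustration, and the verification method assumed is a vendor-published SHA-256 digest; where a vendor supplies signed releases, a signature check would take the place of the digest comparison.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample payloads standing in for files downloaded from vendors.
SAMPLE_FILES: Dict[str, bytes] = {
    "rtu-firmware-3.2.bin": b"constructed firmware image bytes",
    "libparse-1.4.tar.gz": b"constructed open-source archive bytes",
    "custom-report-tool.py": b"constructed custom script bytes",
}

# Constructed vendor manifest: classification (practice 1), the source recorded
# for this procurement (practice 3) and the vendor-published SHA-256 where the
# vendor offers one. The matching digest is computed here only so the example
# runs offline; in practice it comes from the vendor's release documentation.
VENDOR_MANIFEST: Dict[str, dict] = {
    "rtu-firmware-3.2.bin": {
        "classification": "commercial",
        "source": "vendor-a-portal.example",
        "sha256": hashlib.sha256(SAMPLE_FILES["rtu-firmware-3.2.bin"]).hexdigest(),
    },
    "libparse-1.4.tar.gz": {
        "classification": "open source",
        "source": "mirror.example",
        "sha256": "00" * 32,  # deliberately wrong: shows a failed integrity check
    },
    "custom-report-tool.py": {
        "classification": "custom",
        "source": "vendor-b-email",
        "sha256": None,  # vendor publishes no digest or signature at all
    },
}

# Constructed record of where each package was obtained last time, so a change
# of source between procurements is flagged for review (practice 3).
KNOWN_SOURCES: Dict[str, str] = {
    "rtu-firmware-3.2.bin": "vendor-a-portal.example",
    "libparse-1.4.tar.gz": "project-site.example",
}


@dataclass
class IntakeRecord:
    name: str
    classification: str
    status: str          # "approved", "rejected" or "exception"
    reason: str
    source_changed: bool


def verify_sha256(payload: bytes, expected: Optional[str]) -> str:
    """Return 'verified', 'mismatch' or 'no-method' for one payload."""
    if not expected:
        return "no-method"
    actual = hashlib.sha256(payload).hexdigest()
    # compare_digest is the idiomatic constant-time comparison for digests.
    return "verified" if hmac.compare_digest(actual, expected.lower()) else "mismatch"


def intake(files: Dict[str, bytes], manifest: Dict[str, dict],
           known_sources: Dict[str, str]) -> Tuple[Dict[str, bytes], List[IntakeRecord]]:
    """Gate every file: only verified software reaches the internal repository,
    a digest mismatch is rejected, and a file with no verification method is
    logged as an exception for the exception process rather than approved."""
    repo: Dict[str, bytes] = {}
    records: List[IntakeRecord] = []
    for name, payload in files.items():
        meta = manifest[name]
        changed = name in known_sources and known_sources[name] != meta["source"]
        result = verify_sha256(payload, meta["sha256"])
        if result == "verified":
            repo[name] = payload  # staged into the approved internal repository
            status, reason = "approved", "SHA-256 matches the vendor manifest"
        elif result == "mismatch":
            status, reason = "rejected", "SHA-256 does not match the vendor manifest"
        else:
            status, reason = "exception", ("no vendor-provided integrity or authenticity "
                                           "method; recorded for exception review")
        records.append(IntakeRecord(name, meta["classification"], status, reason, changed))
    return repo, records


if __name__ == "__main__":
    approved, log = intake(SAMPLE_FILES, VENDOR_MANIFEST, KNOWN_SOURCES)
    for rec in log:
        flag = " (source changed since last procurement)" if rec.source_changed else ""
        print(f"{rec.name} [{rec.classification}]: {rec.status} - {rec.reason}{flag}")
    print("internal repository now holds:", sorted(approved))
```

The point of the three outcomes is that a missing verification method is neither a pass nor a silent fail: it produces an exception record that the SCRM exception process has to close before the software can be installed, which is the evidence an auditor will look for under 1.2.5.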
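The 1.2.3 and 1.2.6 practices above (track and manage vendor remote or on-site access; remote vendor access disabled by default and enabled only for assigned or scheduled work), shown as a small default-deny access ledger with an audit trail. This is an added example, not NPCC's or any entity's code; the vendor name, account, work-order numbers and dates are constructed placeholders, and a real deployment would drive the actual account enable/disable actions from the same decisions this ledger returns.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass
class AccessWindow:
    vendor: str
    account: str
    start: datetime
    end: datetime
    work_order: str  # the assigned / scheduled work the window is tied to


@dataclass
class VendorAccessLedger:
    """Default-deny register of vendor remote access. An account is enabled only
    while a scheduled window for assigned work is open; a vendor's 1.2.3
    notification that a representative should no longer have access cancels
    every window immediately and blocks new ones for that account."""
    windows: List[AccessWindow] = field(default_factory=list)
    revoked: Set[Tuple[str, str]] = field(default_factory=set)
    events: List[Tuple[str, str, str, str]] = field(default_factory=list)  # audit trail

    def schedule(self, vendor: str, account: str, start: datetime,
                 hours: int, work_order: str) -> bool:
        """Open a window for assigned work; refused if the vendor revoked the account."""
        if (vendor, account) in self.revoked:
            self.events.append(("schedule-denied", vendor, account, work_order))
            return False
        self.windows.append(AccessWindow(vendor, account, start,
                                         start + timedelta(hours=hours), work_order))
        self.events.append(("scheduled", vendor, account, work_order))
        return True

    def revoke(self, vendor: str, account: str, reason: str) -> int:
        """Vendor notification per 1.2.3: cancel all windows for the account.
        Returns how many windows were cancelled."""
        before = len(self.windows)
        self.windows = [w for w in self.windows if (w.vendor, w.account) != (vendor, account)]
        self.revoked.add((vendor, account))
        self.events.append(("revoked", vendor, account, reason))
        return before - len(self.windows)

    def is_enabled(self, vendor: str, account: str, at: datetime) -> bool:
        """Default deny: True only inside an open window for a non-revoked account."""
        if (vendor, account) in self.revoked:
            return False
        return any(w.vendor == vendor and w.account == account and w.start <= at < w.end
                   for w in self.windows)

    def active_windows(self, at: datetime) -> List[AccessWindow]:
        """Windows open at a given moment, e.g. for a daily review of who is enabled."""
        return [w for w in self.windows if w.start <= at < w.end]


def demo() -> dict:
    """Constructed scenario: one scheduled maintenance window, then a vendor
    notification that the representative has left the vendor."""
    ledger = VendorAccessLedger()
    start = datetime(2020, 10, 5, 9, 0)  # constructed date
    # Constructed vendor, account and work-order identifiers.
    ledger.schedule("Vendor A", "va-tech-01", start, 4, "WO-1234")
    results = {
        "before_window": ledger.is_enabled("Vendor A", "va-tech-01", start - timedelta(minutes=1)),
        "during_window": ledger.is_enabled("Vendor A", "va-tech-01", start + timedelta(hours=1)),
        "after_window": ledger.is_enabled("Vendor A", "va-tech-01", start + timedelta(hours=4)),
        "unknown_account": ledger.is_enabled("Vendor A", "va-tech-99", start + timedelta(hours=1)),
        "open_at_10": len(ledger.active_windows(start + timedelta(hours=1))),
    }
    results["cancelled"] = ledger.revoke("Vendor A", "va-tech-01",
                                         "vendor notified: representative departed")
    results["after_revoke"] = ledger.is_enabled("Vendor A", "va-tech-01", start + timedelta(hours=1))
    results["reschedule_allowed"] = ledger.schedule("Vendor A", "va-tech-01",
                                                    start + timedelta(days=1), 2, "WO-1299")
    results["event_count"] = len(ledger.events)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the ledger answers "is this account enabled right now?" rather than storing a standing enabled flag, the expiry of a window needs no separate clean-up job, and the events list gives the timestamped record of scheduling, revocation and refused requests that supports the 1.2.3 evidence.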


ERO Will Evaluate Effectiveness of CIP-013-1

NERC plans to measure the effectiveness of the Supply Chain Standards by performing the following actions during the first two years of implementation:

ERO staff will conduct surveys on supply chain awareness, compiling statistics on identified key risk indicators. These indicators include software validation discrepancies, information on vendors that support supply chain frameworks, entities who performed vendor risk assessments in the prior 24 months, and analysis of vendor vulnerability and cyber security incident notifications. Information compiled will be examined for trends and reported periodically to the Reliability and Security Technical Committee and posted on the website.

ERO staff will solicit comparative contractual language (pre and post Supply Chain Standards implementation) voluntarily from entities to determine whether entities have been able to successfully negotiate contracts that include required supply chain controls, or whether other controls have been required to manage the risk. This will include entities not subject to the Supply Chain Standards, to determine whether there have been any incidental benefits derived from the implementation of the Supply Chain Standards.

ERO staff will compile audit and compliance information on the Supply Chain Standards to determine whether the language is clear, whether entities understand what is expected, and whether there are any reliability gaps in the standards.

Finally, ERO staff will analyze supply chain communications, education, outreach, and training to determine whether vulnerabilities have been identified and successfully communicated. This will include inquiries to the E-ISAC on supply chain issues and requests for training and outreach.

Periodically during the two years of analysis and at the conclusion of the two years, NERC staff will report to the Board on its analysis of the effectiveness and provide any recommended actions that may be determined to be necessary. [12]

12 NERC Evaluation of CIP-013-1


Future plans for CIP-013-2

FERC Order 850 (October 18, 2018)
• FERC directs NERC to modify CIP-013 to include EACMS associated with medium and high impact BES Cyber Systems.
• FERC accepted NERC’s commitment to evaluate the risks of PACSs and PCAs (in addition to low impact BES Cyber Systems).

NERC Cyber Security Supply Chain Risks Report (May 17, 2019)
• NERC recommends that CIP-013 address Physical Access Control Systems (PACSs) for high and medium impact BES Cyber Systems.
• NERC recommends additional studies for low impact BES Cyber Systems and PCAs.
• NERC recommends that the CIPC Supply Chain Working Group develop a guideline to assist entities in applying supply chain risk management plans to low impact BES Cyber Systems and PCAs.

Standards drafting team (September 2019)
• Creation of CIP-013-2 to include EACMS and PACS.
• Final ballot approval estimated November 2020.

2020 Current Events and Predicted Future
• Send to BOT for approval
• Send to FERC for filing
• FERC approval estimated 2021
• Estimated effective date in 2022


Work at Home Remote Security

Michael Bilheimer July 14, 2020, NPCC WebEx



Remote Workforce Risks
• Remote access is becoming more prevalent in the current environment, and there is a high likelihood that remote working will remain for a large portion of the workforce in the future.
• This distributed workforce opens up attack vectors, which may include access to sensitive data (CIP, CII, Financial, etc.) and critical systems (EMS); communication paths are more distributed and have greater exposure to vulnerabilities:
  – Misuse or mishandling of sensitive data
  – Unsecure connections or circumventing security controls
  – Unpatched systems
  – Inability to support the remote workforce due to technical constraints
  – Phishing attacks


Key Elements of Success
• Educate users in new remote workforce risks.
• Confirm VPN and other remote access methods have the capacity to meet increased demand, with 2FA and encryption enabled.
• Confirm remote access methods have rapid detection and response capabilities for attacks.
• Improve and define remote device management of personally owned devices, if allowed.
• Monitor cyber security threats that are on the rise due to the remote workforce (Phishing, Big Game Hunting, Ransomware, Zero-day vulnerabilities).


Education of Remote Workforce
– Identifying phishing and security threats
  • Training (short training messages of 700 words or less)
  • Phishing tests
  • Reporting of cyber incidents or data leaks
– Proper handling of sensitive documents
  • Printing
  • Locking computers
  • Storage of sensitive documents
– How to secure your systems, including the home network
  • Change the default home network password.
  • Minimum home network security requirements.
– Use and security of video conferencing
  • Obscuring, or making sure that personnel or sensitive information is not visible, unless the video chat participants are verified.
  • Put yourself on mute unless talking.
– Personal device use (if allowed)
  • Laptops
  • Smartphones and tablets


Remote Access and Patching
• Patch corporate-managed devices.
  – Laptop(s), smartphones, tablets, servers, appliances, firewalls, etc.
• Required for personally owned devices (BYOD), if allowed:
  – Personally owned device patching
  – Create a separate profile
  – Don’t store sensitive information on the personal device.
• Use strong passphrases and password managers.
  – Don’t reuse passwords or share passwords.
• Use/require 2FA.


Corporate Monitoring
• Deploy or enhance Endpoint Detection.
• Enable or acquire Machine Learning (ML) and Artificial Intelligence (AI) monitoring within corporate network security monitoring.
• Institute a Zero Trust model: all assets operating in the environment are untrusted until validated and approved.


Resources
• SANS Security Awareness Work-From-Home Deployment Kit
  – https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit
  – https://www.sans.org/webcasts/
• CISA TIC 3.0 Interim Telework Guidance
  – https://www.cisa.gov/publication/tic-30-interim-telework-guidance
  – https://www.cisa.gov/publications-library/Cybersecurity


RELIABILITY | RESILIENCE | SECURITY

Align/SEL Update

Presented at NPCC Webinar, July 14, 2020


Align Adoption Stages


Aspects of Sensitive Information
• Accessibility
• Availability
• Readability / Manipulation
• Retention
• Repositories

Current and Future


Guiding Principles

• All registered entity-provided evidence, unless prohibited by a standard, will go into the registered entity SEL or ERO Enterprise SEL

• All registered entity developed lockers must meet ERO Enterprise-developed criteria for functionality, access, etc.

• ERO Enterprise CMEP workflow and CMEP work products will be in the ERO Enterprise Align tool.

• The ERO Enterprise will enhance CMEP work processes/products/practices to support compliance conclusions in Align without the need to store sensitive information for extended periods, minimizing data protection risk.

Current Events

• Regional subject matter experts (SMEs) are validating Release 1 and data elements
• Training materials (i.e., videos, user guide, and quick reference cards) are under construction
• ERO Enterprise SEL final design complete
• Stakeholder engagement (via CCC and other entities) for user acceptance testing is taking place (week of 7/13 in NPCC)
• Planning for go live in Q4 2020 with two pilot Regions (i.e., MRO and Texas RE) with select registered entities

Timeline Overview

The following is a timeline of upcoming key activities (the slide's audience impact key distinguishes items affecting ERO Enterprise staff from those affecting registered entities):

• R1 SME Data Validation (April – May): Regional SMEs validate standards and entity data
• Evidence Locker Process Harmonization (April – June): Process harmonization exercise focused on the evidence locker
• Development of R2 Functional Design (April – June): Development of R2 design documentation
• R1 Registered Entity Testing (June – July): Select registered entities test entity functionality
• R1 Regional Adoption Workshops (July – September): Workshops focused on preparing the regions for R1
• R1 Train the Trainer (TTT) (September – October): Training SMEs are prepared to conduct training for staff and registered entities
• R1 Regional Training (October – December): Regions conduct training for staff and registered entities
• R1 Go/No-Go Process (December – January): Series of checkpoints to validate production readiness

Align Release Overview

Align and Evidence Locker(s):
• Release 1: Q1 2021
• Release 2: Est. Q2 2021
• Release 3: Est. Q4 2021

Align Release 1: What to expect as a registered entity?

Stakeholder group: Registered Entities

Release 1 functionality:
• Create and submit Self-Reports and Self-Logs
• Create and manage mitigating activities (informal) and Mitigation Plans (formal)
• View and track open Enforcement Actions (EAs) resulting from all monitoring methods
• Receive and respond to Requests for Information (RFIs)
• Receive notifications and view dashboards on new/open action items
• Generate a report of standards and requirements applicable to your entity
• Manage user access for your specific entity
• Manage evidence supporting R1 functionality securely via separate Evidence Locker(s)

Align Release 1: What to expect as a Regional Entity?

Stakeholder group: Regional Entities

Release 1 functionality:
• Receive Self-Reports and Self-Logs from entities
• Manually create findings that result from any monitoring method (i.e., audits, spot checks, investigations, periodic data submittals, self-certifications, complaints)
• Perform preliminary screens, PNC reviews, and disposition determinations for each PNC/EA
• Send and receive responses to RFIs
• Trigger notifications such as NAVAPS, NOCV, CE Letter, FFT Letter, and Settlement Agreements
• Receive, review, and approve mitigating activities (informal) and Mitigation Plans (formal)
• Receive notifications and view dashboards on new/open action items
• Generate a report of standards and requirements applicable to a registered entity
• View/analyze evidence supporting R1 functionality securely via separate Evidence Locker(s)

Align Future Releases: What to expect?

Release 2 Functionality (Est. Q2 2021):
• Compliance Planning (i.e., Risk, CMEP Implementation Plan, Inherent Risk Assessment, Internal Controls Evaluation, Compliance Oversight Plan)
• Compliance Audit
• Spot Check
• Compliance Investigations
• Complaints
• Expand use of evidence lockers to include evidence submitted for these activities

Release 3 Functionality (Est. Q4 2021):
• Technical Feasibility Exceptions (TFEs)
• Periodic Data Submittals
• Self-Certifications
• Additional enhancements identified from R1 as needed
• Expand use of Evidence Lockers to include evidence submitted for these activities

Note: The monitoring methods above will be managed in existing systems during the gap between R1 and R2.

Secure Evidence Locker (SEL)

• Highly secure, isolated, on-premises environments that:
  – Collect and protect evidence
  – Enable submission by authorized and authenticated entity users
  – Provide compartmentalized analysis of evidence in temporary, isolated, disposable environments
  – Do not interface with any other systems
• Evidence in these environments is:
  – Encrypted immediately upon submission
  – Securely isolated per entity
  – Never extracted
  – Never backed up
  – Subject to a proactive and disciplined destruction policy

Evidence Lockers: How will they work?

[Diagram: ERO Enterprise Evidence Analysis Locker. The figure is not reproduced; the labels recoverable from the slide are listed in the order they appear.]
• Secure File Transfer
• Enterprise Content Management
• Encryption
• Regionally Specific Routing Rules
• Management Utilities
• Locker (shown twice, one per entity)
• Analysis Environment
• Auditor Session (auditor tools, disposable), shown twice
• MFA Authentication (shown for each user path)
• Registered Entity User
• Authorized CMEP Personnel
• Privileged Session Server
• System Administrator (MFA)

Evidence Lockers: Can registered entities build them?

• Yes; however, they must be available and validated before they are authorized for use for CMEP activities.
  – Analysis tool availability (e.g., NP-View, RAT-STATS, MS Office, Adobe Acrobat)
  – Assurance of data integrity, and CEA login through NERC’s federated authentication services
• The retention obligation does not change (e.g., the requirement still exists for future Regional access to evidence if the locker is retired).

Additional Business Objectives

• ERO uniformity and consistency: provide a common portal for Regions and registered entities, enabling consistency of experience
• Offer real-time access to information, eliminating delays and manual communications
• Improve capability to support the risk-based compliance oversight framework
• Enhance quality assurance and oversight, enabling consistent application of the CMEP
• Improve analytics and report development, including visibility into compliance and reliability risks
• Increase capability to implement audit best practices and processes (planning, fieldwork, reporting, and quality assurance)
• Standardize the implementation of common business processes and workflows, enabling increased productivity
• Reduce application costs across the ERO Enterprise


FAQs

• For technical questions about evidence locker, review the webinar from the Align Project Page.

• There are answers to more than 50 questions posted on the Align Project FAQ page.

• Submit questions to [email protected].

Align Content: Compliance Monitoring

Align Content: Risk Assessment/Mitigation/Enforcement

Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.