TRANSCRIPT
NPCC Compliance Webinar
Welcome
Scott Nied, Assistant Vice-President, Compliance
July 14, 2020
7/14/2020 1
The ERO Golden Circle: Why, How, What
Example of ERO CMEP Aspirations
• The Staff initiatives and behavior are centered around our “why.”
• Monitoring engagements are not just about compliance. It is more holistic. Is security and reliability sustainable?
• Stakeholders identify with our transformational activities and see value in their monitoring engagement with us.
Note: Audit Preparation
• Successful audits take effort and need project management
• Understand the Requirements
• Know what the auditor is looking for. There are measures in the Requirement and auditor approaches in the RSAW.
• Acquire, track, and log your evidence.
• The CIP ERT, PRC-005 components, list of BES facilities; all need to be accurate. That affects the sampling process.
• Analyze your evidence
• Annotate the evidence. (Or a data request is needed.)
• Develop relevant compliance narratives that accurately and succinctly speak to the evidence that you provide and how it supports your compliance.
– User Guide: A recommendation is to give the same evidence to someone within your organization who is less familiar with it to determine if you have provided sufficient context or explanation.
• Package your evidence. Use naming conventions as per the ERT user guide. Review the folder structure of evidence submittals so NPCC can find it.
• Perform a Mock Audit
• Uniform effort: Sys Ops, Prot Eng, Substations, Trans Eng, Trans Plan, Line Clearance, EMS Support, IT, Network Security
• Ensure SMEs understand how the evidence that you are presenting makes you compliant
COVID-19 Noncompliance Logging
Damase Hebert, July 14, 2020, NPCC Workshop
ERO Enterprise Guidance addressing Noncompliance Related to Coronavirus Impacts
Issued May 28, 2020
May 28 Guidance
• Maintaining Safety of workforce and communities
• Assure Reliability of bulk power system during public health emergency.
• Self-log noncompliance.
May 28 Guidance
• Applies to minimal and moderate risk noncompliance
• Applies to periodic and non-periodic actions.
• Expires September 30, 2020
NPCC COVID-19 Notification Spreadsheet
• Standard, Requirement, Functions
• Start and Possible End Dates.
• Compliance impact details and mitigating controls
• Justification for Exception.
NPCC On-site Activity
• Suspended through 2020
• Off-site activity continues
CIP Evidence Request Tool v4.5
v4.0 to v4.5 Change List
July 14, 2020
Agenda
• CIP ERT Version 4.5 User Guide
• Using the ERT
• Submitting the ERT and Responses
• General Recommendations
• Tips for Evidence
• ERT and RSAW
CIP ERT Version 4.5
CIP ERT 4.5 User Guide
– Key resource when completing the ERT
– Sent with audit notification package
– Available on NERC website: CIP v5 Transition Program
Using the ERT
ERT Level 1 – Initial Evidence Request
– 90 requests depending upon scope
– Also requested in RSAW
– Documentation focused:
• Policies
• Programs
• Procedures
• Processes
• Diagrams
• Configurations
• Etc.
– Populations of Cyber Assets, etc., that will be used for generating the Sample Sets in the Level 2 Evidence Request. Bright Green rows indicate that there is a tab to be completed.
ERT Level 1 - Sampling Population Tabs
• 13 Sampling Populations depending upon audit scope.
• Each population has a tab that must be completed. All fields on the tab should be completed or blank as appropriate. For requests anywhere in the ERT on standards or requirements that are not in scope for the audit simply state “Not in scope”.
• The CIP Evidence Request Tool User Guide v4.5 has detailed instructions for completing each tab and each column in the ERT.
• Pay attention to true/blank drop downs, pick lists and date of activation/deactivation.
• When in doubt, contact your Audit Team Lead.
Using the ERT
• Initial questions may be available with the L1 requests.
NPCC Tab: Used by the audit team to ask questions and request evidence that may not be covered by the ERT or RSAW. This tab is also used to document onsite questions.
• Each request is assigned a unique number
• Multiple rounds of questions will be separated by a yellow bar
Using the ERT
Sample Sets Example – CA Tab – CIP-005-6 R2
Using the ERT
Sample Sets Example – CA Tab – CIP-005-6 R2 (cont.)
* Sampling performed in alignment with the ERO Sampling Handbook
Using the ERT
Sample Sets Example – CA Tab – CIP-005-6 R2 (cont.)
Request IDs CIP-005-R2-L2-01 to CIP-005-R2-L2-03 apply to the cyber assets selected in SS-005-R2-L2-01
Level 2 Evidence Requests
Using the ERT
Sample Sets Example – Sampling Dates
These can be a range or ranges of dates throughout the audit period.
SS-Date-XX will be documented on the NPCC Tab of the ERT and sent with the Level 2 requests.
Using the ERT
Naming Conventions
– Each line of the Level 1 and Level 2 tabs contains a “Request ID,” which uniquely identifies each request.
CIP-sss-Rr-Lm-nn
– sss is the three-digit CIP Reliability Standard number;
– r is the Requirement number within the Standard;
– m is the level of the evidence request (either “1” for Level 1 or “2” for Level 2);
– nn is a two-digit request number within the Standard, Requirement, and Level.
(Screenshots: Level 1 Tab and Level 2 Tab)
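As an added example (not part of the NPCC deck or of the CIP ERT tool itself), a small Python checker for this naming convention: it parses Request IDs, lists the Level 2 requests that belong to a Sample Set, and flags evidence folders whose Request ID does not match the Response Level folder they are filed under. The Sample Set form SS-sss-Rr-Lm-nn is inferred from the one example above (SS-005-R2-L2-01), and the folder names "Level 1" and "Level 2" are assumed.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# CIP-sss-Rr-Lm-nn (the convention described above): sss = three-digit CIP
# Standard number, r = Requirement number, m = evidence level ("1" or "2"),
# nn = two-digit request number within that Standard, Requirement and Level.
# The SS- prefix for Sample Set IDs is an assumption inferred from SS-005-R2-L2-01.
_ERT_ID = re.compile(
    r"^(?P<kind>CIP|SS)-(?P<std>\d{3})-R(?P<req>\d+)-L(?P<level>[12])-(?P<num>\d{2})$"
)


@dataclass(frozen=True)
class ErtId:
    kind: str          # "CIP" = evidence request, "SS" = sample set (assumed form)
    standard: str      # kept as a string so "005" keeps its leading zeros
    requirement: int
    level: int
    number: int

    @property
    def scope(self) -> Tuple[str, int, int]:
        """(Standard, Requirement, Level): the scope within which nn is numbered."""
        return (self.standard, self.requirement, self.level)


def parse_ert_id(text: str) -> ErtId:
    """Parse a Request ID (CIP-...) or Sample Set ID (SS-...); ValueError otherwise."""
    m = _ERT_ID.match(text.strip())
    if m is None:
        raise ValueError(f"not a valid ERT identifier: {text!r}")
    return ErtId(m["kind"], m["std"], int(m["req"]), int(m["level"]), int(m["num"]))


def is_valid_ert_id(text: str) -> bool:
    try:
        parse_ert_id(text)
        return True
    except ValueError:
        return False


def requests_for_sample_set(sample_set_id: str, request_ids: List[str]) -> List[str]:
    """Return the Level 2 Request IDs that apply to a Sample Set: those sharing its
    Standard, Requirement and Level (the relation the deck states between
    SS-005-R2-L2-01 and CIP-005-R2-L2-01..03)."""
    ss = parse_ert_id(sample_set_id)
    if ss.kind != "SS":
        raise ValueError(f"expected a Sample Set ID, got {sample_set_id!r}")
    matches = [rid for rid in request_ids
               if (r := parse_ert_id(rid)).kind == "CIP" and r.scope == ss.scope]
    return sorted(matches)


# Assumed folder names for the "Response Level" tier of the submittal structure.
_LEVEL_FOLDERS = {"Level 1": 1, "Level 2": 2}


def check_submittal(folders: List[str]) -> Dict[str, List[str]]:
    """Check '<Response Level>/<Request ID>' folder names: the Request ID must parse
    and its L-value must agree with the Response Level folder it sits under."""
    report: Dict[str, List[str]] = {"ok": [], "problems": []}
    for folder in folders:
        parts = PurePosixPath(folder).parts
        if len(parts) != 2 or parts[0] not in _LEVEL_FOLDERS:
            report["problems"].append(f"{folder}: expected '<Response Level>/<Request ID>'")
            continue
        level_dir, rid = parts
        try:
            parsed = parse_ert_id(rid)
        except ValueError as exc:
            report["problems"].append(f"{folder}: {exc}")
            continue
        if parsed.kind != "CIP":
            report["problems"].append(f"{folder}: a Sample Set ID is not a request folder")
        elif parsed.level != _LEVEL_FOLDERS[level_dir]:
            report["problems"].append(f"{folder}: L{parsed.level} request filed under {level_dir}")
        else:
            report["ok"].append(folder)
    return report


if __name__ == "__main__":
    # Constructed sample submittal, not a real entity's evidence package.
    sample = ["Level 2/CIP-005-R2-L2-01", "Level 1/CIP-005-R2-L2-02", "Level 1/CIP-5-R2-L1-1"]
    for line in check_submittal(sample)["problems"]:
        print(line)
```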
Submitting the ERT and Responses
Folder Structure
• Response Level
• ERT Request ID
• NPCC Data Request #
Submitting the ERT and Responses
General Recommendations
• Review the Audit package instructions when submitting evidence artifacts (ex. filling out the ERT and usage of evidence narratives)
– Review accuracy of assets on the ERT
– Provide narratives with evidence artifacts
– Use naming conventions as per the user guide
– Review folder structure of evidence submittals
Tips for Evidence
• Submit supporting documents with brief explanations of evidence files (i.e. README files or narratives).
• Screen Shot Evidence
– Annotate if possible
– Cyber Asset Name/Identifier
– Date & Time
• Photographic Evidence
– Annotate if possible
– Front and back of device
– Cyber Asset Name/Identifier Tag
ERT and RSAW
• ERT, ERT responses and RSAWs must be submitted.
• Cite ERT responses in the RSAW if the same evidence is being used to demonstrate compliance.
• Additional evidence may be required to support RSAW responses
Data Validation
Kimberly Griffith, Senior Compliance Engineer
5/20/2020 1
• New Registration Requests
• Changes to Existing Registrations
• Registration Information
CORES Functionality: Accessing CORES
CORES – My Entity Validation Summary
Form Section – Instructions
Basic Information – Ensure all fields are filled out correctly and add information if applicable.
Upstream Holding Companies – Add the top tier Holding Company and, if applicable, all NERC registered affiliates.
Contacts (Roles - PCC, ACC, PCO, etc.) – Temporary Contact Role Change Process:
• Until further notice, any changes made to Compliance Contact Roles (PCC, ACC, PCO, etc.) will be made in CDAA - NOT in CORES.
• Please let me know if you make changes in CDAA so I can make them in CORES.
Entity Scopes – Ensure all fields are filled out correctly (effective date of the NERC reliability function(s) per region).
Functional Mapping – Functional Relationships. Please add, if available. Required for new registrations in CORES.
Coordinated Oversight – If applicable, review the Coordinated Oversight entity list.
CFR – If a Coordinated Functional Registration (CFR) record exists, review the information for accuracy.
JRO – If a Joint Registration Organization (JRO) record exists, review the information for accuracy.
Comments & Attachments – Upload supporting documents, etc.
Resources - Help Desk
• Select the Help Desk option
• This opens a page where you can submit a ticket to the NERC Help Desk – https://support.nerc.net/
CORES Resources
Resource – Link
ERO Portal Access – https://eroportal.nerc.net/
ERO Enterprise Help Desk – https://support.nerc.net/
ERO Portal User Guide – https://www.nerc.com/pa/comp/RegistrationReferenceDocsDL/User Guide_ERO Portal.pdf
NERC CORES Training – https://training.nerc.net/
NERC Project Page – https://www.nerc.com/pa/comp/Pages/CORESTechnologyProject.aspx
NERC Registration Page – https://www.nerc.com/pa/comp/Pages/Registration.aspx
NPCC Registration Page – https://www.npcc.org/Compliance/Compliance Registration1/Forms/Public List.aspx
Contact
Kimberly Griffith, Senior Compliance Engineer
646-276-5332 (cell), 212-205-7051 (office)
NPCC FAC-008 Focused Outreach and Compliance Bulletins
NPCC Webinar, July 14, 2020
Ben Eng, Mgr. ERA
Objectives
• Why the Focus on FAC-008-3?
• NPCC Survey results
• Suggested Actions from NPCC
• What is NPCC doing to address these concerns?
Origin of Focus
• Recent NERC Board of Trustees and FERC interest
• ERO CMEP Implementation Plan
• SERC started field visits in 2018
o Discrepancies were found
• ERO noncompliance trends
Why are Facility Ratings important?
They are the main component in the determination of accurate System Operating Limits (SOL)
Without accurate Facility Ratings, accurate real-time situational awareness is not accomplished and planning models are inaccurate.
– Interface MW Flow
– Transient Stability
– Voltage Stability
– System Voltage Limits
– Interconnection Reliability Operating Limits (IROL)
An example issue - Series Components
How Does This All Fit Together?
The FAC-008-3 requirements deal with
• Equipment Ratings, which help develop
• Facility Ratings for
– Various configurations
– Various conditions
– Identifying most limiting elements
• Change Management for the above:
– As-Built (field) info
– Drawing info
– Database/Spreadsheet info
– Triggers for information change
• Equipment replacement
– Planned
– Emergency
– Identical?
– Most Limiting Element(s) same?
– Database, drawing, ratings updates
– Communicate changes to others
March 2020 FAC-008 Survey Results
Confirms the challenges encountered by entities having Violations
• Biggest challenge regarding accuracy of Facility Ratings?
‒ Change Mgmt for Planned and Emergency work (7)
‒ Databases that are not synched (4)
‒ Mergers/Consolidation (1)
• How are Ratings changes and updates tracked or managed?
– Software (7)
– Spreadsheet (3)
– Access Database (2) (without a template)
– Changes are peer checked (9)
• How often is Facility Rating Methodology vs. equipment field data vs. database verified by substation visits and ROW walkdown?
‒ Rarely (12) [As needed, for new equipment]
• Facility Ratings Database Access Controls
‒ Key people make changes w/o review (6)
‒ Key people make changes with review (4)
‒ Anyone can change (2)
From Entities: Best Way for NPCC to Help Its Region?
• Keep a constant platform in place for best practices and internal controls
• Offer a voluntary outreach program to discuss processes w/o visiting stations
• Surveys like this (FAC-008) have succeeded in raising awareness already at my company
• Outreach at workshops, scheduled engagements and bulletins
What is NPCC doing for this outreach? (FAC-008)
• Canvassed the ERO knowledgebase to find ERO Tools specific to FAC-008-3:
– Standards Application Guide FAC-008-3, dated March 21, 2017
https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/FAC-008-3%20Standard%20Application%20Guide.pdf
– CMEP Practice Guide, Evaluation of Facility Ratings and System Operating Limits, dated June 17, 2020
https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide_%20Evaluation%20of%20Facility%20Ratings%20and%20System%20Operating%20Limits.pdf
• NPCC FAC-008 EIC team has taken the above, enhanced it with our past EIC experience, and is developing a “do-it-yourself” EIC kit for FAC-008 R3, R6 and R8.
If you volunteer for EIC of FAC-008, NPCC will:
• Conduct a customized presentation for your company including
– Tutorial on controls, types, modality, control silos, testing, documentation
– Explanation of what EIC is and is not
– Comparison of EIC to Compliance Audit
– Explanation of approach, tools, logistics, milestones, and deliverables
• Provide FAC-008 Process Flow Diagram template and guidance.
• Provide FAC-008 Controls/Testing Questions and guidance.
• Coordinate data submittal dates, initial questions from NPCC, answers from volunteer entity, EIC “walkthrough” review
• Develop deliverables (FAC-008 EIC Report and Table of Suggestions to Enhance/Improve Controls)
Current Status of NPCC FAC-008 EIC
• Two of the NPCC survey TO’s have volunteered for FAC-008 EIC
• Conducted the NPCC FAC-008 EIC presentations for them with proposed milestones
• NPCC generic FAC-008 Process Flow Diagram will be provided to volunteer entities.
• NPCC’s list of FAC-008 Controls Questions and Testing Questions will be provided.
• 3rd volunteer waiting in the wings for NPCC to proceed with the above.
• Addressing some scheduling and logistics issues.
If interested in volunteering, or any questions, contact [email protected]
FINI
THANK YOU FOR YOUR ATTENTION
Appendix: Process Flow Diagram for FAC-008 (excerpt of draft)
Appendix: Process Flow Diagram for FAC-008 (excerpt of draft - continued)
Appendix: NPCC List of Controls Questions for FAC-008
The NPCC EIC Team is developing a comprehensive list of controls questions and related testing questions for the entity to consider and answer.
Appendix: EIC Tools Target the Controls Listed Below
NPCC Compliance Bulletin Noncompliance Trends.pdf
Additional 2020 Outreach
Scott Nied, Assistant Vice-President, Compliance
July 14, 2020
Recap
• GO/GOP on 2020 schedule
• Compliance Bulletins
• FAC-008 Survey
• CIP-013
• Internal Compliance Program review of Self-Logging entities and Self-Reporters
Compliance Bulletin July 2020
NPCC publishes compliance bulletins as a means to engage and inform NPCC entities on aspects of Bulk Power System security, reliability, and compliance.
CIP-013 – Supply Chain Risk Management Resources and FAQ
This Compliance Bulletin is a summary of the various documentation surrounding CIP-013 and gives a quick answer guide while also providing justifications. Each answer is summarized, but the topic header will provide the source information. Additionally, this document includes above and beyond practices that were demonstrated by NPCC entities. Although CIP-013 also has impacts on CIP-005 and CIP-010, questions related to CIP-005 and CIP-010 are not addressed in this bulletin.
Background and Helpful Resources
FAQs: Implementation of these responses to the frequently asked questions are not a substitute for compliance with NERC’s Reliability Standards requirements.
Supply Chain – Small Group Advisory Session (SGAS): 2018 FAQ, 2019 FAQ
Implementation Guidance and Guidelines: Provides considerations for implementing the requirements in CIP-013-1 and examples of approaches that responsible entities could use to meet the requirements. The examples do not constitute the only approach to complying with CIP-013-1. Responsible Entities may choose alternative approaches that better fit their situation.
North American Transmission Forum (NATF) Cyber Security Supply Chain Risk Management Guidance (ERO Endorsed Guidance)
Edison Electric Institute (EEI) Procurement Contract Language
NERC Resources
Cyber Security Supply Chain Risk Management Plan
CIP-013 RSAW
Critical Infrastructure Protection Committee (CIPC) Risk Management – An overview of topics such as identifying, assessing, and mitigating threats and procurements, installations and updating the risk management plan.
Secure Equipment Delivery – Highlights some of the aspects to consider regarding secure transportation and delivery of systems and components, from component manufacturers to integrators, to vendors, and ultimately to the Bulk Electric System (BES).
Risk Considerations for Open Source Software – An overview defining open source software and risks to consider if your entity has open source software
Best Practices for Small Entities – Although CIP-013-1 is not applicable to low-impact BES Cyber Systems, this white paper identifies a catalog of supply chain risk management practices for consideration by small registered entities with low-impact BES Cyber Systems.
NPCC Questions from Outreach
Reminder: All ERO responses are identified in GREEN and referenced in the footnotes. All NPCC stances are identified in RED.
1. Is an entity a “vendor” only if you have a contract with that entity? Is a procurement in scope of CIP-013-1 if you purchase a BES Cyber Asset from a supplier without a contract (e.g. credit card purchase made during an emergency)? What is considered a service?
- Under the Rationale Section, the term vendor(s) as used in the standard is limited to those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. It does not include other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.[1]
- Although the term “vendor” is not defined in the NERC Glossary of Terms, the drafting team did provide guidance in the CIP-013-1 Guidelines and Technical Basis section. As discussed therein, the standard drafting team (SDT) intended the term vendor to include those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. The SDT did not intend it to include, for instance, other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services) pursuant to NERC Reliability Standards.[2]
- NPCC considers credit card procurements of High & Medium BCS and related services to be in scope of R1.
- NPCC recommended that the documented supply chain cyber security risk management plan(s) include provisions documenting emergency procurements; this should include one or more process(es) that address the 1.2 requirement parts.
- NPCC recommended some alternate risk identification and assessment means, because it may not be practical to have the reseller complete a questionnaire.
- NPCC recommends the following Potential Approach to address Credit Card Procurements:
o Verify that the reseller (Staples, for example) does not tamper with any products (we could probably do this with an attestation from the reseller)
o Only buy whitelisted products from the reseller whose manufacturer(s) we have already assessed (Cisco, Microsoft, etc.)
[1] CIP-013-1_Standard_Page12
[2] SGAS2018_Page2
2. If an entity contracts with a reseller (Company A) that sells Original Equipment Manufacturer (OEM) products of another company (Company B), is the entity required to identify and assess the risks associated with Company B’s products and services?
- Product resellers are cited in the CIP-013-1 Supplemental Material section as potential vendors, “A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers [emphasis added]; or (iii) system integrators” (p. 12). Depending on the specific reseller and the item(s) procured through the reseller, there may be additional cybersecurity risks associated with such procurements beyond those identified and assessed for the product manufacturer(s) or the product type(s) in the Part 1.1 cybersecurity risk identification and assessment (i.e., hardware and/or software obtained through a reseller). A registered entity would identify and assess any cybersecurity risks that may be involved in purchasing such applicable hardware or software from resellers.[3]
- NPCC will review the risk assessment and will review the documented supply chain cyber security risk management plan. NPCC would expect the risk management plan to have a process for evaluating the risk associated with hardware and/or software obtained through a reseller. NPCC would expect the risk assessment of such procurements to identify risks (e.g., if the reseller alters the product), and would expect the plan to address the identified risks.
3. Do all procurements made after October 1, 2020 need to comply with CIP-013-1 even if the procurement was made under a contract that was in place before October 1, 2020? What is NPCC’s opinion on renegotiating terms and conditions with vendors for existing contracts?
- Under the “Supplemental Information” section of the standard, Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan.[4]
- NPCC considers procurements against contracts in place before 10/1/2020 out of scope.
4. If the entity were to procure a BES Cyber Asset or related service, and subsequently find out (before that BCA or service was deployed in a BES Cyber System) that the risk identification and assessment was not done, can the risk identification and assessment be performed at that point? Would performance at that point be a compliance violation, even if the identification and assessment of risk was performed before that BCA could affect the BES?
- CIP-013-1 is applicable to any procurement regardless of the scenario, including an emergency. CIP-013-1 is silent to any special provisions such as emergency procurements. A registered entity may identify certain hardware, software or services that may be used during emergencies and perform risk assessments in planning for these situations to mitigate the supply chain risk. Although the CIP-013-1 Standard does not directly address emergency procurements, the registered entity could consider including language in its R1 SCRM procurement plan that addresses the potential for the use of purchasing cards in emergency situations. The registered entity should document the emergency procurement process in the R1 SCRM procurement plan, along with documentation that registered entity personnel or approved contractors verified after-the-fact risks and mitigations of the procurement.[5]
- NPCC will review the documented supply chain cyber security risk management plan and will confirm the entity followed its process. NPCC may identify a potential noncompliance if the entity fails to follow its plan.
[3] SGAS2019_Page7
[4] CIP-013-1_Standard_Page14
5. Are procurements of Transient Cyber Assets (TCAs) and Removable Media (RM) subject to CIP-013-1?
- CIP-013-1 R1 states, “Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.” Transient Cyber Assets are currently not included in the CIP-013-1 requirement language. The NAGF Cyber Security Supply Chain Management White Paper identifies examples to consider when developing and implementing a cyber security risk management plan that includes Transient Cyber Asset considerations.[6]
6. CIP-013-1 requires identification and assessment of risk to the supply chain during planning for procurement. The requirement does not mention mitigation of that risk. Does a failure to perform risk mitigation constitute a violation? Are entities allowed to accept the risk or are entities required to mitigate all risks?
- A vendor’s intentional or unintentional ability to adhere to the conditions of an agreement as it relates to CIP-013-1 should be identified and assessed as a risk. As with all of the risks, it is the responsibility of the registered entity to mitigate them accordingly. As an example, the registered entity may address this risk by the implementation of internal controls and processes such as using reputable shippers, tracking shipments, and requiring signatures on delivery.[7]
- Paragraph 17 of the FERC Order approving the Standard states that entities are required to mitigate. Mitigation is mentioned in the purpose of the standard and not mentioned in the Requirement. NPCC auditors will ask about mitigation in an audit. Failure to perform mitigation could result in an Area of Concern (AOC). Failure to implement the documented supply chain cyber security risk management plan will result in a Potential Noncompliance (PNC). The assessment, acceptance, mitigation, and transfer of risk is part of what the entity will work through in developing the supply chain cyber security risk management plan(s). NPCC recommends categorizing risk (e.g. high, medium, low) and then performing the risk management processes.
[5] SGAS2019_Page4
[6] NAGF, Cyber Security Supply Chain Management White Paper (2018)
[7] SGAS2019_Page5
7. How should auto renewals be handled? Sometimes products and services are auto renewed and entities just get an invoice that the maintenance has been renewed.
- Under the “Supplemental Information” section of the standard, Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan.[8]
- NPCC recommends entities identify products or services that are set for auto renewal and perform a risk assessment on that product or service prior to the next auto renewal to identify risks and determine if continuing to auto renew that product or service is in the best interest for the entity, reliability, and security.
8. The CIP-013-1 R1 requirement includes language associated with “transitions from one vendor(s) to another vendor(s).” Does this language apply to the product, parts and services vendors may procure to create the product prior to delivery to the Entity, or does the language refer to contractual or master agreement transfers?
- If a vendor is purchased by another vendor, the entity’s plan may include controls to maintain awareness of vendor acquisitions and a process to re-evaluate or reassess the vendor.[9]
- NPCC considers the language to apply for both scenarios. A stronger SCRM may include sections to address the vendor’s inherent risk if they utilize other manufacturers to create their product. The SCRM should address the risk posed by the vendor. When transitioning from an old vendor to a new vendor, apply your CIP-011-2 Information Protection Program and CIP-004-6 access revocation program. The registered entity should treat the new vendor as such, with a complete Part 1.1 risk identification and assessment process of the vendor and applicable products or services.
9. Does a new Scope of Work (SOW) post October 1, 2020 under a master agreement established prior to the October 1, 2020 effective date trigger the need to negotiate new terms and conditions to account for CIP-013-1?
- Under the “Supplemental Information” section of the standard, Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan.[10]
- Entities are required to follow their SCRM process on the new SOW.
[8] CIP-013-1_Standard_Page14
[9] SGAS2019_Page3
[10] CIP-013-1_Standard_Page13
10. Does a new SOW post October 1, 2020 under a master agreement established prior to the October 1, 2020 effective date trigger the need to perform a supply chain cyber security risk assessment?
- A SOW post October 1, 2020 with an established master agreement prior to the effective date triggers the need to perform a supply chain cyber security risk assessment.
11. If an Entity chooses to address CIP-013-1 R1.2.1 – R1.2.6 with the terms and conditions of a procurement contract and existing contracts do not need to be renegotiated, does an Entity need to supply evidence of R1.2.1-R1.2.6 in R2 for existing vendors? If so, what evidence is expected?
- The entity is expected to provide evidence of compliance related to 1.2.1 – 1.2.6 for all contracts in scope of CIP-013-1. Although existing contracts do not need to be renegotiated, products or services procured after October 1, 2020 are required to follow the entity’s SCRM. For a list of specific examples, please refer to the M2 within the standard.
12. What are the qualities of a successful supply chain cyber security risk management plan?
- NPCC will be presenting a CIP-013-1 webinar that includes recommended practices. Additionally, please see the resources section of this FAQ for more information or review the NERC website page dedicated to CIP-013-1. Again, the guidance and implementation plans do not constitute the only approach to complying with CIP-013-1. Responsible Entities may choose alternative approaches that better fit their situation.
13. Is it acceptable for an entity to leverage the CIP standards and requirements in their process for assessing risk, determining mitigation, and implementing mitigation actions? For example, if the entity can determine and disable remote or onsite access, can this be used to assess risk and mitigate the risk?
- It is the entity’s responsibility to determine risk and implement mitigation actions to address the risk. In NPCC’s opinion, the provided example is a control to mitigate a risk posed by an outside threat but may not be a way to mitigate a different threat.
14. Is it acceptable for contract language to be less stringent than the EEI model if the effect is to increase likelihood of acceptance, so long as the language is still robust? Where time periods are blank in the EEI model language, does NERC expect a baseline time period for minimal compliance, or are these time periods expected to be negotiated on a case-by-case basis? Ex: Under R1.2.2, the number of days the vendor has to develop a prevention of recurrence plan is blank.
- NPCC considers the EEI model as a guidance tool. NPCC will be monitoring for compliance to the Standard and requirement language. Currently, CIP-013-1 does not provide specific timeframes; for example, the EEI model states “Within [insert number of] days of notifying company of the security incident…” or “Contractor shall provide summary documentation of vulnerabilities and material defects in the procured product or services within thirty (30) calendar days after such vulnerabilities and material defects become known to Contractor.” A stronger SCRM will consider the risk associated from a longer duration to disclose a vulnerability.
15. What evidence will be required to show the process of negotiating CIP-013-1 language with vendors, particularly if security terms are less stringent than the EEI model and a vendor is still selected for commercial reasons?
- The procurement documents (e.g., RFP and vendor response evaluation matrices) used for a specific applicable procurement, along with any contract language connected to the procurement, can serve as primary evidence the registered entity pursued its due diligence for the R1 Part 1.2 Requirement Parts, when the vendor failed or refused to comply. As stated in R2, vendor performance and adherence to a contract is beyond the scope of R2, so the responsibility of compliance rests on the registered entity to demonstrate it implemented its Part 1.2 processes as far as it could reasonably go without negating the procurement. Since the registered entity identified risk, it is incumbent on the registered entity to enact mitigating measures that would address the vendor’s refusal to meet the Requirement Parts.[11]
- NPCC considers the EEI model as a guidance tool. In the event that contract negotiations fall short of adhering to the subparts of CIP-013-1 R1, NPCC will review the entity’s correspondence, policy documents, or working documents that demonstrate use of the SCRM.
[11] SGAS2019_Page5-6
Practices Demonstrated by NPCC Entities
NPCC has compiled a list of recommended and above and beyond practices demonstrated during the course of assisting our registered entities. Please also refer to the resources section to supplement your compliance program regarding CIP-013.

CIP-013 Supply Chain Risk Management Webinar: Recommended Practice(s) and Above and Beyond Practices, by Requirement

R1. Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.
  Recommended practice(s):
  1. Consider including Emergency Procurements within the SCRM or whitelisting vendors.
  Above and beyond practice(s):
  1. Apply the documented supply chain cyber security risk management plan for all procurements.
  2. Consider a Risk Score process to evaluate vendors.
  3. Consider identifying and developing supply chain risk strategies for creating an overarching cyber supply chain risk management plan.
  4. Consider identifying and assessing interdependent processes.

R1.1. One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
  Recommended practice(s):
  1. Consider including a form/questionnaire for procurements to identify if the purchase will be used in High/Medium BCS.
  2. Consider developing a process which includes updating, communicating, and documenting vendor relationships.
  Above and beyond practice(s):
  1. Allocate dedicated resources familiar with the standard to review procurements specific to CIP-013. Utilize any NERC compliance groups to review procurements and vendor transitions.

R1.2. One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
  Recommended practice(s):
  1. Consider EEI's procurement language when negotiating contracts (EEI Procurement Guidance).
  Above and beyond practice(s):
  1. Pre-authorize all vendors, no matter if they are “grandfathered”.

1.2.1. Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  Recommended practice(s):
  1. Consider defining methods of notification and qualifying vendor incidents.
  Above and beyond practice(s):
  1. Subscription to Threat Intelligence services.

1.2.2. Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  Recommended practice(s):
  1. Consider defining incident coordination methods.

1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  Recommended practice(s):
  1. Consider a method to track and manage vendor remote or on-site access.
  Above and beyond practice(s):
  1. Remote vendor access is disabled by default and only enabled for assigned / scheduled work.

1.2.4. Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  Recommended practice(s):
  1. Consider establishing vendor reporting obligations and define “known vulnerabilities”.
  Above and beyond practice(s):
  1. Subscription to Threat Intelligence services.

1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
  Recommended practice(s):
  1. Consider classifying software (custom / open source / commercially available).
  2. Consider managing and recording exceptions to this process when there is not a method to verify the identity of the software source or the integrity of the software obtained from the source.
  3. Consider managing and tracking software source changes.
  Above and beyond practice(s):
  1. After software integrity and authenticity verification is performed, the entity places approved software in an internal repository. IT staff use the approved internal repository for installation of software.

1.2.6. Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
  Recommended practice(s):
  1. Consider defining or applying vendor access protocols.
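The 1.2.5 practices above (classify the software, verify integrity and authenticity, record exceptions where no verification method exists, track source changes, and install only from an approved internal repository) can be turned into a small, auditable gate. The following is an added example written for this webinar summary; it is not NPCC's code or any vendor's tool. It assumes the vendor publishes SHA-256 hashes through a separate trusted channel (modelled here by a constructed manifest); the vendor name, file names, file contents and approver are all constructed for the example.

```python
"""Software integrity and authenticity gate for an internal software repository.

Added example, not NPCC's or any vendor's code. It models the CIP-013 R1 Part 1.2.5
practices: classify the software, verify a downloaded artifact against a hash the
vendor published through a separate trusted channel, record a documented exception
when no verification method exists, track changes of the download source, and admit
only verified artifacts to the internal repository that IT installs from.
Vendor names, file names and file contents are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Artifact:
    name: str            # file name as delivered by the vendor
    vendor: str
    classification: str  # "commercial", "open_source" or "custom"
    source: str          # where it was obtained (URL, portal, removable media)
    content: bytes


@dataclass
class InternalRepository:
    approved: dict = field(default_factory=dict)        # name -> sha256 of the approved copy
    exceptions: list = field(default_factory=list)      # documented cases with no verification method
    source_history: dict = field(default_factory=dict)  # name -> list of sources seen
    source_changes: list = field(default_factory=list)  # (name, previous source, new source)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def track_source(repo: InternalRepository, artifact: Artifact) -> bool:
    """Record the download source; return True if it differs from the last one seen."""
    seen = repo.source_history.setdefault(artifact.name, [])
    changed = bool(seen) and seen[-1] != artifact.source
    if changed:
        repo.source_changes.append((artifact.name, seen[-1], artifact.source))
    if not seen or seen[-1] != artifact.source:
        seen.append(artifact.source)
    return changed


def verify_and_stage(repo, artifact, manifest, exception_approver=None):
    """Verify integrity against the vendor-published hash, then stage the artifact.

    Returns (status, detail); status is "approved", "approved_by_exception" or "rejected".
    """
    if artifact.classification not in ("commercial", "open_source", "custom"):
        return ("rejected", "unclassified software")
    track_source(repo, artifact)
    digest = sha256_hex(artifact.content)
    expected = manifest.get(artifact.vendor, {}).get(artifact.name)
    if expected is None:
        # No published hash: cannot verify. Only a documented, approved exception lets it in.
        if exception_approver is None:
            return ("rejected", "no verification method and no documented exception")
        repo.exceptions.append({"name": artifact.name, "vendor": artifact.vendor,
                                "source": artifact.source, "sha256": digest,
                                "approved_by": exception_approver})
        repo.approved[artifact.name] = digest
        return ("approved_by_exception", digest)
    if not hmac.compare_digest(digest, expected.lower()):
        return ("rejected", "hash mismatch: vendor published %s, got %s" % (expected, digest))
    repo.approved[artifact.name] = digest
    return ("approved", digest)


def install_from_repository(repo, name, content) -> bool:
    """IT installs only what the repository approved: the hash is re-checked at install time."""
    expected = repo.approved.get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(content), expected)


# Constructed sample data. The manifest stands in for hashes the vendor published
# out-of-band; it is built from the good file here so the example is self-contained.
GOOD_FIRMWARE = b"constructed relay firmware image v2.1.0"
TAMPERED_FIRMWARE = GOOD_FIRMWARE + b"\x00"
VENDOR_MANIFEST = {"Example Relay Co": {"relay-fw-2.1.0.bin": sha256_hex(GOOD_FIRMWARE)}}


def demo():
    """Run the gate over constructed artifacts; returns the repository and the statuses."""
    repo = InternalRepository()
    good = Artifact("relay-fw-2.1.0.bin", "Example Relay Co", "commercial",
                    "https://vendor.example/downloads", GOOD_FIRMWARE)
    bad = Artifact("relay-fw-2.1.0.bin", "Example Relay Co", "commercial",
                   "https://mirror.example/downloads", TAMPERED_FIRMWARE)
    tool = Artifact("config-tool.zip", "Example Relay Co", "commercial",
                    "USB media from field engineer", b"constructed tool bundle")
    s_good = verify_and_stage(repo, good, VENDOR_MANIFEST)[0]
    s_bad = verify_and_stage(repo, bad, VENDOR_MANIFEST)[0]   # mismatch; source change is logged
    s_tool = verify_and_stage(repo, tool, VENDOR_MANIFEST)[0]  # no hash, no exception
    s_tool_exc = verify_and_stage(repo, tool, VENDOR_MANIFEST,
                                  exception_approver="CIP Senior Manager")[0]
    return repo, s_good, s_bad, s_tool, s_tool_exc
```

The exception path is deliberately the only way in for software without a published hash, and it leaves a record (who approved, which source, which digest) that can be handed to an auditor as the evidence of the recommended practice 2; the source-change log serves recommended practice 3.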
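The 1.2.3 and 1.2.6 rows above describe vendor remote access that is disabled by default and enabled only for assigned or scheduled work, with revocation when the vendor says a representative should no longer have access. The following is an added example of that control, not NPCC's code or any vendor's product: a small registry that decides access from approved work-order windows, honours vendor-initiated removals immediately, requires MFA, and logs every decision as audit evidence. The vendor, representative, work-order number and times are constructed.

```python
"""Default-deny vendor remote access tied to scheduled work orders.

Added example, not NPCC's or any vendor's code. A vendor representative's access is
disabled by default, is enabled only while an approved work order for that person is
in progress, and is disabled again when the window closes or when the vendor notifies
the entity that the representative should no longer have access (CIP-013 R1 Part 1.2.3).
Vendors, names, work orders and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class WorkOrder:
    order_id: str
    vendor: str
    representative: str
    start: datetime
    end: datetime
    approved_by: str  # entity employee who authorized the window


@dataclass
class VendorAccessRegistry:
    orders: dict = field(default_factory=dict)  # order_id -> WorkOrder
    revoked: set = field(default_factory=set)   # (vendor, representative) pairs the vendor withdrew
    audit_log: list = field(default_factory=list)

    def schedule(self, order: WorkOrder) -> None:
        if order.end <= order.start:
            raise ValueError("work order window must end after it starts")
        if (order.vendor, order.representative) in self.revoked:
            raise ValueError("representative was withdrawn by the vendor; re-vet before scheduling")
        self.orders[order.order_id] = order
        self.audit_log.append(("scheduled", order.order_id, order.representative, order.approved_by))

    def vendor_notified_removal(self, vendor: str, representative: str, reason: str) -> None:
        """1.2.3: the vendor says access should no longer be granted; revoke immediately."""
        self.revoked.add((vendor, representative))
        self.audit_log.append(("revoked", vendor, representative, reason))

    def access_allowed(self, vendor, representative, at: datetime, mfa_verified: bool) -> bool:
        """Connection-time decision: MFA passed, not revoked, and inside an approved window."""
        if not mfa_verified:
            self.audit_log.append(("denied_no_mfa", vendor, representative, at.isoformat()))
            return False
        if (vendor, representative) in self.revoked:
            self.audit_log.append(("denied_revoked", vendor, representative, at.isoformat()))
            return False
        for order in self.orders.values():
            if (order.vendor, order.representative) == (vendor, representative) \
                    and order.start <= at < order.end:
                self.audit_log.append(("allowed", order.order_id, representative, at.isoformat()))
                return True
        self.audit_log.append(("denied_no_window", vendor, representative, at.isoformat()))
        return False

    def desired_account_states(self, at: datetime) -> dict:
        """What the remote-access system should have enabled right now (default: disabled)."""
        states = {}
        for order in self.orders.values():
            key = (order.vendor, order.representative)
            active = order.start <= at < order.end and key not in self.revoked
            states[key] = "enabled" if active else states.get(key, "disabled")
        return states


def demo() -> dict:
    """Walk one constructed work order through the registry and return the decisions."""
    reg = VendorAccessRegistry()
    t0 = datetime(2020, 7, 14, 9, 0)
    vendor, rep = "Example Relay Co", "j.doe"
    reg.schedule(WorkOrder("WO-1001", vendor, rep, t0, t0 + timedelta(hours=4), "Substation Eng Lead"))
    results = {
        "before_window": reg.access_allowed(vendor, rep, t0 - timedelta(minutes=1), True),
        "in_window": reg.access_allowed(vendor, rep, t0 + timedelta(hours=1), True),
        "in_window_no_mfa": reg.access_allowed(vendor, rep, t0 + timedelta(hours=1), False),
        "after_window": reg.access_allowed(vendor, rep, t0 + timedelta(hours=4), True),
        "state_in_window": reg.desired_account_states(t0 + timedelta(hours=1))[(vendor, rep)],
    }
    reg.vendor_notified_removal(vendor, rep, "vendor reported representative no longer assigned")
    results["after_revocation"] = reg.access_allowed(vendor, rep, t0 + timedelta(hours=1), True)
    results["state_after_revocation"] = reg.desired_account_states(t0 + timedelta(hours=1))[(vendor, rep)]
    results["log_entries"] = len(reg.audit_log)
    return results
```

`desired_account_states` is the reconciliation view: a scheduled job can call it and disable any vendor account the remote-access system still has enabled outside a window, so the default-deny state does not depend on someone remembering to turn access off.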
ERO Will Evaluate Effectiveness of CIP-013-1
NERC plans to measure the effectiveness of the Supply Chain Standards by performing the following actions during the first two years of implementation:
ERO staff will conduct surveys on supply chain awareness, compiling statistics on identified key risk indicators. These indicators include software validation discrepancies, information on vendors that support supply chain frameworks, entities that performed vendor risk assessments in the prior 24 months, and analysis of vendor vulnerability and cyber security incident notifications. Information compiled will be examined for trends and reported periodically to the Reliability and Security Technical Committee and posted on the website.
ERO staff will solicit comparative contractual language (pre and post Supply Chain Standards implementation) voluntarily from entities to determine whether entities have been able to successfully negotiate contracts that include required supply chain controls, or whether other controls have been required to manage the risk. This will include entities not subject to the Supply Chain Standards, to determine whether there have been any incidental benefits derived from the implementation of the Supply Chain Standards.
ERO staff will compile audit and compliance information on the Supply Chain Standards to determine whether the language is clear, whether entities understand what is expected, and whether there are any reliability gaps in the standards.
Finally, ERO staff will analyze supply chain communications, education, outreach, and training to determine whether vulnerabilities have been identified and successfully communicated. This will include inquiries to the E-ISAC on supply chain issues and requests for training and outreach.
Periodically during the two years of analysis and at the conclusion of the two years, NERC staff will report to the Board on its analysis of the effectiveness and provide any recommended actions that may be determined to be necessary.[12]
[12] NERC Evaluation of CIP-013-1
Future plans for CIP-013-2
FERC Order 850 (October 18, 2018)
• FERC directs NERC to modify CIP-013 to include EACMS associated with medium and high impact BES Cyber Systems.
• FERC accepted NERC’s commitment to evaluate the risks of PACSs and PCAs (in addition to low impact BES Cyber Systems).
NERC Cyber Security Supply Chain Risks Report (May 17, 2019)
• NERC recommends CIP-013 address Physical Access Control Systems (PACSs) to high and medium-impact BES Cyber Systems.
• NERC recommends additional studies for low-impact BES Cyber Systems and PCAs.
• NERC recommends the CIPC Supply Chain Working Group develop a guideline to assist entities in applying supply chain risk management plans to low impact BES Cyber Systems and PCAs.
Standards drafting team (September 2019)
• Creation of CIP-013-2 to include EACMS and PACS.
• Final ballot approval estimated November 2020.
2020 Current Events and Predicted Future
• Send to BOT for Approval
• Send to FERC for Filing
• FERC approval estimated 2021
• Estimated Effective date in 2022
Work at Home Remote Security
Michael Bilheimer July 14, 2020, NPCC WebEx
Remote Workforce Risks
• Remote access is becoming more prevalent in the current environment and there is a high likelihood that remote access working will remain for a large portion of the workforce in the future.
• This distributed workforce opens up attack vectors, which may include access to sensitive data (CIP, CII, Financial, etc.) and critical systems (EMS); communication paths are more distributed and have greater exposure to vulnerabilities:
  – Misuse or mishandling of sensitive data
  – Unsecure connections or circumventing security controls
  – Unpatched systems
  – Unable to support remote workforce due to technical constraints
  – Phishing attacks
Key Elements of Success
• Educate users in new remote workforce risks.
• Confirm VPN and other remote access methods have capacity to meet increased demand, with 2FA and encryption enabled.
• Confirm remote access methods have rapid detection and response capabilities for attacks.
• Improve and define remote device management of personally owned devices, if allowed.
• Monitor cyber security threats that are on the rise due to the remote workforce (phishing, big game hunting, ransomware, zero-day vulnerabilities).
Education of Remote Workforce
– Identifying phishing and security threats
  • Training (short training messages of 700 words or less)
  • Phishing tests
  • Reporting of cyber incidents or data leaks
– Proper handling of sensitive documents
  • Printing
  • Locking computers
  • Storage of sensitive documents
– How to secure your systems, including the home network
  • Change the default home network password.
  • Minimum home network security requirements.
– Use and security of video conferencing
  • Obscuring or making sure personnel or sensitive information is not visible unless the video chat participants are verified.
  • Put yourself on mute unless talking.
– Personal Device Use (if allowed)
  • Laptops
  • Smartphones and Tablets
Remote Access and Patching
• Patch corporate managed devices.
  – Laptop(s), Smartphones, Tablets, Servers, Appliances, Firewalls, etc.
• Required for personally owned devices (BYOD), if allowed:
  – Personally owned device patching
  – Create a separate profile
  – Don’t store sensitive information on the personal device.
• Use strong passphrases and password managers.
  – Don’t reuse passwords or share passwords.
• Use/Require 2FA
Corporate Monitoring
• Deploy or enhance Endpoint Detection.
• Enable or acquire Machine Learning (ML) and Artificial Intelligence (AI) monitoring in corporate network security monitoring.
• Institute a Zero Trust Model: all assets operating in the environment are untrusted until validated and approved.
Resources
• SANS Security Awareness Work-From-Home Deployment Kit
  – https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit
  – https://www.sans.org/webcasts/
• CISA TIC 3.0 Interim Telework Guidance
  – https://www.cisa.gov/publication/tic-30-interim-telework-guidance
  – https://www.cisa.gov/publications-library/Cybersecurity
RELIABILITY | RESILIENCE | SECURITY
Align/SEL Update
Presented at NPCC Webinar, July 14, 2020
Align Adoption Stages
Aspects of Sensitive Information: Current and Future
• Accessibility
• Availability
• Readability / Manipulation
• Retention
• Repositories
Guiding Principles
• All registered entity-provided evidence, unless prohibited by a standard, will go into the registered entity SEL or ERO Enterprise SEL
• All registered entity developed lockers must meet ERO Enterprise-developed criteria for functionality, access, etc.
• ERO Enterprise CMEP workflow and CMEP work products will be in the ERO Enterprise Align tool.
• The ERO Enterprise will enhance CMEP work processes/products/practices to support compliance conclusions in Align without the need to store sensitive information for extended periods, minimizing data protection risk.
Current Events
• Regional subject matter experts (SMEs) are validating Release 1 and data elements
• Training materials (i.e., videos, user guide, and quick reference cards) are under construction
• ERO Enterprise SEL final design complete
• Stakeholder engagement (via CCC and other entities) for user acceptance testing is taking place (week of 7/13 in NPCC)
• Planning for go live in Q4 2020 with two pilot Regions (i.e., MRO and Texas RE) with select registered entities
Timeline Overview
The following is a timeline of upcoming key activities (audience impact key: ERO Enterprise Staff, Registered Entities):
• Evidence Locker Process Harmonization (April – June): process harmonization exercise focused on the evidence locker
• R1 SME Data Validation (April – May): Regional SMEs validate standards and entity data
• Development of R2 Functional Design (April – June): development of R2 design documentation
• R1 Registered Entity Testing (June – July): select registered entities test entity functionality
• R1 Regional Adoption Workshops (July – September): workshops focused on preparing the regions for R1
• R1 Train the Trainer (TTT) (September – October): training SMEs are prepared to conduct training for staff and registered entities
• R1 Regional Training (October – December): Regions conduct training for staff and registered entities
• R1 Go/No-Go Process (December – January): series of checkpoints to validate production readiness
Align Release Overview: Align and Evidence Locker(s)
• Release 1: Q1 2021
• Release 2: Est. Q2 2021
• Release 3: Est. Q4 2021
Align Release 1: What to expect as a registered entity?
Stakeholder Group: Registered Entities
Release 1 Functionality
• Create and submit Self-Reports and Self-Logs
• Create and manage mitigating activities (informal) and Mitigation Plans (formal)
• View and track open Enforcement Actions (EAs) resulting from all monitoring methods
• Receive and respond to Requests for Information (RFIs)
• Receive notifications and view dashboards on new/open action items
• Generate report of standards and requirements applicable to your entity
• Manage user access for your specific entity
• Manage evidence supporting R1 functionality securely via separate Evidence Locker(s)
Align Release 1: What to expect as a Regional Entity?
Stakeholder Group: Regional Entities
Release 1 Functionality
• Receive Self-Reports and Self-Logs from entities
• Manually create findings that result from any monitoring method (i.e., audits, spot checks, investigations, periodic data submittals, self-certifications, complaints)
• Perform preliminary screens, PNC reviews, and disposition determinations for each PNC/EA
• Send and receive responses to RFIs
• Trigger notifications such as NAVAPS, NOCV, CE Letter, FFT Letter, and Settlement Agreements
• Receive, review, and approve mitigating activities (informal) and Mitigation Plans (formal)
• Receive notifications and view dashboards on new/open action items
• Generate report of standards and requirements applicable to a registered entity
• View/analyze evidence supporting R1 functionality securely via separate Evidence Locker(s)
Align Future Releases: What to expect?
Release 2 Functionality (Est. Q2 2021)
• Compliance Planning (i.e., Risk, CMEP Implementation Plan, Inherent Risk Assessment, Internal Controls Evaluation, Compliance Oversight Plan)
• Compliance Audit
• Spot Check
• Compliance Investigations
• Complaints
• Expand use of evidence lockers to include evidence submitted for these activities
Release 3 Functionality (Est. Q4 2021)
• Technical Feasibility Exceptions (TFEs)
• Periodic Data Submittals
• Self-Certifications
• Additional enhancements identified from R1 as needed
• Expand use of Evidence Lockers to include evidence submitted for these activities
Note: The monitoring methods above will be managed in existing systems during the gap between R1 and R2.
Secure Evidence Locker (SEL)
• Highly secure, isolated, on-premises environments
  – Collect and protect evidence
  – Enable submission by authorized and authenticated entity users
  – Provide compartmentalized analysis of evidence in temporary, isolated, disposable environments
  – Do not interface with any other systems
• Evidence in these environments is:
  – Encrypted immediately upon submission
  – Securely isolated per entity
  – Never extracted
  – Never backed up
  – Subject to a proactive and disciplined destruction policy
Evidence Lockers: How will they work?
Diagram: ERO Enterprise Evidence Analysis Locker. Components shown: Secure File Transfer; Enterprise Content Management; Encryption; Regionally Specific Routing Rules; Management Utilities; Locker(s); Analysis Environment with disposable Auditor Sessions (auditor tools); Privileged Session Server. Actors shown: Registered Entity User (MFA authentication); Authorized CMEP Personnel (MFA authentication); System Administrator (MFA).
Evidence Lockers: Can registered entities build them?
• Yes; however, they must be available and validated before they are authorized for use for CMEP activities.
  – Analysis tools availability (e.g., NP-View, RAT-STATS, MS Office, Adobe Acrobat)
  – Assurance of data integrity; CEA login through NERC’s federated authentication services
• The retention obligation does not change (e.g., the requirement still exists for future Regional access to evidence if the locker is retired).
Additional Business Objectives
• ERO Uniformity and Consistency: provide a common portal for Regions and registered entities, enabling consistency of experience
• Offer real-time access to information, eliminating delays and manual communications
• Improve capability to support the risk-based compliance oversight framework
• Enhance quality assurance and oversight, enabling consistent application of the CMEP
• Improve analytics and report development, including visibility into compliance and reliability risks
• Increase capability to implement audit best practices and processes (planning, fieldwork, reporting, and quality assurance)
• Standardize the implementation of common business processes and workflows, enabling increased productivity
• Reduce application costs across the ERO Enterprise
FAQs
• For technical questions about evidence locker, review the webinar from the Align Project Page.
• There are answers to more than 50 questions posted on the Align Project FAQ page.
• Submit questions to [email protected].
Align Content: Compliance Monitoring
Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.
Align Content: Risk Assessment/Mitigation/Enforcement