Stop Chasing the Version: Compliance with CIPv5 through CIPv99
TRANSCRIPT
![Page 1: Stop Chasing the Version: Compliance with CIPv5 through CIPv99](https://reader031.vdocuments.us/reader031/viewer/2022032022/55a5ad9c1a28abbc238b4686/html5/thumbnails/1.jpg)
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Dealing with the ever-changing landscape of CIP compliance
Sid Shaffer (MBA, CISA)
Energy Sector Lead, Commercial Cybersecurity & Compliance
Jason Iler (ITIL, CISA)
Principal Services Architect
Trey Kirkpatrick
Vice President, Energy & Utility Compliance Services
Thank You!
Cybersecurity & Compliance Advisory and Implementation Services
NERC Compliance Management Software Solutions
Security and compliance assessment, monitoring automation and threat intelligence technology for IT/OT environments
Agenda and Key Takeaways
About ICF
• 70+ offices worldwide
• 5,000 employees, 1,500+ IT professionals
• 2014 revenue of $1.3 billion
• Assisting clients with NERC and CIP compliance since 2006
• End-to-end technology, advisory, implementation, and assessment services
Overview of Shifting Landscape
Key Changes
• CIP v5
  – New terms, changed terms, organization, groupings
  – Cyber Asset Classification (High, Medium, Low)
• CIP v6 / v7
  – More new terms, clarifications
  – Changes for Low Impact, Transient Devices, Removable Media
• Beyond
  – More uncertainty (Virtualization, NIST Cyber, ES-C2M2, DHS C³)
  – Increased awareness = increased likelihood of change
Commonly Seen Compliance Program
Compliance Program Goal
What We Are Seeing
• Companies are re-aligning / upgrading existing programs with:
  – Letter of the Law approaches
  – Increased use of RAI and risk-based approaches
  – Holistic approaches
• Compliance
  – Know relevant regulations
  – Understand specifics
  – Represents the base
• Cyber
  – Beyond the scope of specific compliance
  – Cyber risks to reliable delivery of energy
  – Cyber risks to the organization
• Controls
  – Identify
  – Rationalize
  – Ownership
  – Map to risk
• Resiliency
  – Not all risk will be addressed
  – Organization incident & event response
Advantages of the Holistic Approach
• More compelling “Compliance Story”
• Greater consistency through regulatory changes
• Reduces risk
• Increases efficiency
• Closer alignment with regulatory direction
  – Potentially decreases regulatory burden
How the Holistic Approach Supports RAI (and more)
• Both based on internal control approaches
  – Preventative, Detective, Corrective
• Ties directly to “Internal Controls Evaluation” (ICE)
• Generates audit-ready evidence
• Supports zero-fine paths:
  – Find Fix Track (FFT) / Compliance Exception / Self Logging
Implementing the Strategy
• Prepare for change
• Create a cross-functional team
• Determine a solid baseline
  – “Knowing yourself is the beginning of all wisdom.” - Aristotle
• Analyze risk
• Set your goals
• Implement controls & a controls-based program
  – “Regurgitating the Requirement language does not constitute developing a program, process, or procedure.” - WECC
Example – Critical Data
• COMPLIANCE – CIP-011-1, HIPAA, DHS, etc.
• CYBER – Impact of sensitive information being exposed
• CONTROLS – Data Classification & Credentials (P), Access Alerting Mechanism (D), Event Driven SLA (C); P/D/C mark preventative, detective and corrective controls
• RESILIENCY – Execution of what’s been stated in the SLA
Example – CIP-004-5 R4.1 (Access Management)
• COMPLIANCE – [A “need based” authorization process for Electronic Access, Physical Access, and Critical Information]*
• CYBER – Not just BES Cyber System components
• CONTROLS – Onboarding / offboarding process (P), log review of unauthorized access attempts (D), access revocation & password change protocols (C); P/D/C mark preventative, detective and corrective controls
• RESILIENCY – What happens when unauthorized use is detected?
* Paraphrased
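The detective control on this slide, log review for unauthorized access attempts, can be exercised against data. The following Python script is an added example written for this page; it is not part of the deck and not any vendor's product. It reviews constructed sshd-style log lines against a constructed authorization roster and flags successful logins by accounts that are not on the roster, successful logins on or after an account's revocation date (the offboarding control failing, which the revocation and password-change protocol then corrects), and repeated failed attempts for one account from one source. The roster layout, the log format, the LOG_YEAR value and the failure threshold are all assumptions.

```python
"""Detective control for CIP-004 R4.1 style access management: review an
authentication log against the authorization roster.

Added example, not from the deck. The roster shape, the sshd-style log
format, the year and the failure threshold are assumptions."""
import re
from collections import Counter
from datetime import date, datetime

LOG_YEAR = 2015  # syslog lines carry no year; assumed for timestamp parsing

# Constructed authorization roster: who holds access and, for offboarded
# staff, the date their access was revoked.
ROSTER = {
    "jdoe": {"role": "EMS Operator", "revoked": None},
    "asmith": {"role": "Relay Technician", "revoked": date(2015, 3, 2)},
}

# Constructed sshd-style log lines from one BES Cyber Asset.
LOG_LINES = """Mar  3 08:01:12 ems-app-01 sshd[2210]: Accepted publickey for jdoe from 10.10.5.21 port 50122 ssh2
Mar  3 08:04:40 ems-app-01 sshd[2254]: Failed password for invalid user admin from 10.10.9.77 port 41002 ssh2
Mar  3 08:04:42 ems-app-01 sshd[2256]: Failed password for invalid user admin from 10.10.9.77 port 41004 ssh2
Mar  3 08:04:45 ems-app-01 sshd[2258]: Failed password for invalid user admin from 10.10.9.77 port 41006 ssh2
Mar  3 09:15:03 ems-app-01 sshd[2301]: Accepted password for asmith from 10.10.5.30 port 50200 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=LOG_YEAR):
    """Parse one sshd authentication line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def review_access_log(text, roster, fail_threshold=3):
    """Return findings as (kind, user, host, source) tuples.

    UNAUTHORIZED_LOGIN: a successful login by an account not on the roster
    REVOKED_USER_LOGIN: a successful login on or after the revocation date
                        (offboarding failed: revoke access and rotate credentials)
    REPEATED_FAILURES:  fail_threshold failed attempts for one user from one source
    """
    findings = []
    failures = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["host"], ev["src"])
        entry = roster.get(ev["user"])
        if ev["result"] == "Accepted":
            if entry is None:
                findings.append(("UNAUTHORIZED_LOGIN",) + key)
            elif entry["revoked"] is not None and ev["ts"].date() >= entry["revoked"]:
                findings.append(("REVOKED_USER_LOGIN",) + key)
        else:
            failures[key] += 1
            if failures[key] == fail_threshold:  # report once, when the threshold is hit
                findings.append(("REPEATED_FAILURES",) + key)
    return findings


if __name__ == "__main__":
    for finding in review_access_log(LOG_LINES, ROSTER):
        print(" ".join(finding))
```

Run against the constructed lines it reports the revoked user's login and the repeated failures for the unknown account; the jdoe login produces nothing because the roster authorizes it. The roster is the preventative control's record, so every finding points at a specific owner action named on the slide: revoke the account, change the password, or confirm the authorization exists.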
Program Upgrade Considerations
• Upgrading the program is an opportunity to:
  – Implement controls
  – Automate
  – Utilize tools
    • to manage & report compliance
    • to monitor & automate responses
NERC CIP v5 and Beyond Standards
• Establish CIP Policies & Procedures
  – With periodic review & approval
• Periodic/Scheduled Activities
  – Collect log files, review security patches, access review, etc.
• Asset & Change Management
  – BES Cyber Systems, Cyber Assets, Security Perimeters, Asset Groups
• Access Management
  – Users, Access Roles
• Mitigation Plans
  – EUEM Corrective Action Process
AssurX CIP Solution
[Data-model diagram: entities User, Access Role, Cyber Asset, Asset Group, Security Perimeter and System, linked by a “Has Access To” relationship]
AssurX CIP Change Request
AssurX CIP Baseline
AssurX CIP Access Change Request
Tripwire has been providing NERC CIP security and compliance since the first CIP requirements in 2007
The Goal: Identify secure configurations of all High and Medium Cyber Assets (“80% benchmarks”)
• Continuous security configuration management
• Understands changes – controls “drift”, continuously
• Monitors your attack surface
• Detects threats in real time and enables fast response
• Lower costs, greater efficiency
Example of Tripwire Solution Extensions
“The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.”
• Document every port and active service on every BCA, with justification, confirm regularly, and be able to prove it
• Tripwire customized solution: “Whitelist Profiler” approach
  – Capture the port/services list once in a .csv file, including asset tags and discrete names
  – The Tripwire agent downloads the file and applies it to its local system
  – Use an element content report to document port/service state on every monitored host
  – Use a custom policy test to monitor continuously, display on a dashboard and provide alerts
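To make the Whitelist Profiler idea concrete, here is an added Python example written for this page; it is not Tripwire's code, file format or policy test. It reads an allowlist CSV keyed by asset tag and discrete host name, compares it with a listener snapshot from one host, and reports ports that are listening without an approved justification, approved ports owned by an unexpected process, and approved ports that are not listening. The column names, the `*` wildcard for tag-wide rows, the snapshot format and all host data are constructed assumptions.

```python
"""Port/service allowlist check in the spirit of the "Whitelist Profiler" slide.

Added example, not Tripwire's code. Column names, the '*' wildcard for
tag-wide rows, and the listener snapshot format are all assumptions."""
import csv
import io

# Constructed allowlist standing in for the .csv captured once and pushed to
# every agent. A row with hostname '*' applies to every host carrying the
# asset tag; a row naming a host applies to that discrete host only.
ALLOWLIST_CSV = """asset_tag,hostname,proto,port,service,justification
HIGH-EMS,*,tcp,22,sshd,"Remote admin through the EAP"
HIGH-EMS,*,udp,123,ntpd,"Time synchronisation"
HIGH-EMS,ems-app-01,tcp,443,httpd,"Operator HMI web front end"
MED-SUB,*,tcp,22,sshd,"Remote admin through the EAP"
MED-SUB,sub-rtu-07,tcp,102,iec61850,"IEC 61850 MMS to protection relays"
"""

# Constructed listener snapshots ("proto local_address process"), the kind of
# thing an agent would collect locally from ss/netstat on each monitored host.
SNAPSHOT_EMS_APP_01 = """tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:8080 python3
udp 0.0.0.0:123 ntpd
"""
SNAPSHOT_EMS_APP_02 = """tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:443 httpd
udp 0.0.0.0:123 ntpd
"""


def parse_allowlist(csv_text):
    """Return the allowlist rows with proto normalised and port as an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["proto"] = row["proto"].strip().lower()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def approved_for(rows, asset_tag, hostname):
    """Rows that apply to one host: tag-wide rows plus rows naming this host."""
    return {
        (r["proto"], r["port"]): r
        for r in rows
        if r["asset_tag"] == asset_tag and r["hostname"] in ("*", hostname)
    }


def parse_snapshot(text):
    """Return {(proto, port): process} from a listener snapshot."""
    listeners = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, addr, process = line.split()
        listeners[(proto.lower(), int(addr.rsplit(":", 1)[1]))] = process
    return listeners


def evaluate_host(rows, asset_tag, hostname, snapshot_text):
    """Compare what is listening with what is approved for this host.

    unauthorized: listening but not approved (the ports-and-services finding)
    mismatch:     approved port, but a different process owns it
    missing:      approved but not listening (a justification to revisit)
    """
    approved = approved_for(rows, asset_tag, hostname)
    listening = parse_snapshot(snapshot_text)
    unauthorized = sorted(k for k in listening if k not in approved)
    mismatch = sorted(k for k in listening
                      if k in approved and listening[k] != approved[k]["service"])
    missing = sorted(k for k in approved if k not in listening)
    return {
        "host": hostname,
        "unauthorized": [(p, port, listening[(p, port)]) for p, port in unauthorized],
        "mismatch": [(p, port, listening[(p, port)], approved[(p, port)]["service"])
                     for p, port in mismatch],
        "missing": [(p, port, approved[(p, port)]["service"]) for p, port in missing],
        "compliant": not unauthorized and not mismatch,
    }


def render(result):
    """One dashboard-style line per finding, ready for a report or an alert."""
    lines = [f"{result['host']}: {'PASS' if result['compliant'] else 'FAIL'}"]
    for proto, port, proc in result["unauthorized"]:
        lines.append(f"  UNAUTHORIZED {proto}/{port} ({proc}) - no approved justification")
    for proto, port, proc, expected in result["mismatch"]:
        lines.append(f"  MISMATCH {proto}/{port} owned by {proc}, expected {expected}")
    for proto, port, service in result["missing"]:
        lines.append(f"  MISSING {proto}/{port} ({service}) approved but not listening")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_allowlist(ALLOWLIST_CSV)
    print(render(evaluate_host(rows, "HIGH-EMS", "ems-app-01", SNAPSHOT_EMS_APP_01)))
    print(render(evaluate_host(rows, "HIGH-EMS", "ems-app-02", SNAPSHOT_EMS_APP_02)))
```

The two constructed hosts show why the discrete-name column matters: tcp/443 is approved only on ems-app-01, so the same httpd listening on ems-app-02 is reported as unauthorized, while ems-app-01 gets a finding for tcp/8080 and an informational note that its approved tcp/443 is not listening. The `missing` and `mismatch` lists are what keep the justifications honest between reviews; the `unauthorized` list is the one that belongs on the alerting policy test.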
NERC Solution – Whitelist Profiling
• Used for CIP 007 (Ports & Services), CIP 007 (Patch Levels) and CIP 003 (Access Privileges)
[Architecture diagram: Tripwire Enterprise Server, File Systems]
Tripwire NERC Solution Suite – Key Benefits
• – collect current status & changes on all critical cyber assets
• – analyze security data and alert on suspicious events
• – generate reports and dashboards that document compliance
wide range of device and software inventory, and can be asset tagged for High/Medium/Low Impact Cyber Assets
Tips for Holistic Cyber Program Implementation
• Remember: not a “Silver Bullet” to solve compliance
• Start with and document what you have
• Leverage a recognized framework (COSO, NIST, ISO27k)
• Institutionalize a corrective action process
• Identify accountable parties / communication paths
• Prevent atrophy with regular evaluation of the program
Pitfalls to Avoid
• Don’t try to ELIMINATE risk – diminishing returns
  – A company can spend a lot and never reach a 100% level of risk assurance
  – The objective is to lower risk
• Don’t add controls for the sake of adding controls – more controls is not always better
  – Tailor the controls to the risks and address the higher-risk items
• Don’t identify controls without control owners & performers identified
Questions to Ask
• What are our greatest areas of risk?
• Does our company already have an internal controls program?
• Are our controls defined & documented anywhere?
• What basis / framework did we use for our controls?
• How often are our controls reviewed / tested?
• How much is enough? How much is too much?
• Do we consider resiliency?
Example of an End State
• Manage – A holistic corporate controls framework covers multiple areas of business risk (including NERC)
• Maintain – Ongoing operation of internal controls will ensure that compliance is maintained
• Improve – Reviewing & revising steps to ensure internal controls are effective will continuously improve the compliance efforts
  – Corrective actions taken as a result of ongoing monitoring of the control environment will improve the overall risk profile
Join Us in Houston March 25-26 for a Free 1.5 Day Workshop
• FBI cybersecurity experts will brief us on the current attack landscape on energy Critical Infrastructure, and what you can do about it.
• Sam Visner, ICF’s Senior Vice President and General Manager, Cybersecurity, is former Chief of Signals Intelligence Programs at the NSA and adjunct professor at Georgetown University. Sam will discuss how “the sky is falling” thinking can give way to reasoned, useful, and appropriate investments in cybersecurity as a national imperative.
• You’ll receive in-depth practical “How Tos” to shorten your audit preparation, save time and costs and build a “business as usual” culture for security
• Compliance Workshop (limit 40 attendees), CE credit available
• URL: https://tripwirenercworkshop.eventbrite.com
Thank You!
Cybersecurity & Compliance Advisory and Implementation Services
NERC Compliance Management Software Solutions
Security and compliance assessment, monitoring and automation technology for IT/OT environments