WECC CIP-101 CIP-002 MockAudit 09252014 FINAL · 2014-10-09

CIP-101: Making the Transition CIP-002-3 to CIP-002-5.1 Mock Audit

Henderson, NV, September 24-25, 2014

Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM

Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council

Speaker Intro: Dr. Joseph Baugh
• 40+ years Electrical Utility Experience
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• 20 years of Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Academic & Technical Course Teaching Experience
    • PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
    • Business Strategy, Leadership, and Management
    • Information Technology and IT Security
    • Project Management

September 24-25, 2014 · Western Electricity Coordinating Council

WECC CIP-101 Disclaimer
• The WECC Cyber Security team has created a mythical Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the CIP audit processes.
• Any resemblance of BILL to any actual Registered Entity is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual CIP Compliance audit.

Agenda
• Class Introductions – Name, Title, Organization, Interest in CIP-002
• Review CIP-002-5.1 Requirements
• Review CIPv5 Transition Guidance
• Review CIP-002-5.1 Team audit approach
• CIP-002-5.1 Mock Audit Overview
• The BILL Mock Audit
• Questions

CIP-002-5.1 Overview
• CIP-002-5.1 is the first step on the CIP Compliance trail.
• All Registered Entities who perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1.
• CIP-002-5.1 replaces LSE with the DP function; the TSP function drops out.
• Some entities may find they are only required to be compliant with CIP-002-5.1 R1-R2 & CIP-003-5 R2-R4.
  – Typically requires a reduced scope audit that will be conducted at WECC offices or other locations, as necessary.
  – True if IRC application generates null R1.1 & R1.2 lists.
  – Must also provide a valid R1.3 list of Low Impact BES Assets.
  – Pending Low Impact BCS Requirements discussed in CIP-003-6 R2.

CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:

[Diagram: R1 process flow]
  Inputs: Inventory of BES Assets → R1 Process → Outputs: List of High, Medium, & Low Assets
  Inputs: List of High & Medium Assets → R1.1 - R1.2 Process: Identify BCS → Outputs: R1.1, R1.2 Lists
  Input: List of Low Impact Assets → Output: R1.3 List

CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
  – i. Control Centers and backup Control Centers;
  – ii. Transmission stations and substations;
  – iii. Generation resources;
  – iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
  – v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
  – vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
• Generates Low impact BES assets for R1.3 list

CIP-002-5.1: R1.1 - R1.3
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
  – 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  – 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  – 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

CIP-002-5.1 Requirements: R2
• Entity must review identifications made in R1 (and update them, if necessary) at least every 15 months [R2.1]
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3, R4) must approve the initial lists [R2.2] and at least once every 15 months thereafter:
  – The R1.1, R1.2, and R1.3 lists
  – Include signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above.
  – Electronic or physical approvals accepted

[Diagram: Inputs: R1.1, R1.2, R1.3 Lists → R2 Review & Approval Process → Outputs: Signed and Dated Records]

CIP-002-5.1: Direction
• CIP-002-5 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Option 3).
• Compliance date for Low impact BES Assets is April 1, 2017.
  – Specific Low impact control modifications are under review by industry and oversight groups [See CIP-003-6 R2]
  – Currently, four programmatic controls from CIP-003-5 R2
  – Don't ignore, but don't prioritize for now.

CIPv5 Transition Guidance
• "As a practical matter, NERC understands that Responsible Entities cannot complete transition to the CIP V5 Standards in a single instance; rather, transition to full implementation will occur over a period of time as Responsible Entities develop the necessary procedures, software, facilities, or other relevant capabilities necessary for effective compliance with the CIP V5 Standards." (NERC, 2014 Aug 12, Transition Guidance, p. 2)

CIPv5 Transition Guidance
• "To help ensure that they are fully compliant with the CIP V5 Standards upon the effective date, Responsible Entities may need or prefer to transition from compliance with the requirements of the CIP V3 Standards to implementation of the requirements of the CIP V5 Standards during the Transition Period. As such, there may be a period of time prior to the effective date of the CIP V5 Standards when Responsible Entities begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are still mandatory and enforceable." (NERC, 2014 Aug 12, Transition Guidance, p. 2)

CIP v5 Transition Options*

* See Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)

CIP v5 Transition Guidance
• WECC recommends entities choose Option 3 and immediately start transitioning to CIPv5 compliance
  – Freeze your CIPv3 program
  – Roll forward the "mostly compatible" parts of CIPv3
  – Integrate the remaining elements of CIPv5
• Not a huge burden for CIP-002-5.1 compliance, but may present challenges for other Standards.
• A suggested sequence of Standards for transition efforts?

[Diagram: suggested transition sequence, Standards as extracted] CIP-002-5.1; CIP-003-6 R3, R4; CIP-005-5; CIP-006-6; CIP-007-6; CIP-014-1; CIP-010-2; CIP-011-2; CIP-004-6; CIP-008-5; CIP-009-6; CIP-003-6 R1, R2

BILL Documents Option 3

WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all entities.
• Use the RSAW supplied by the entity as initial working papers to document the audit and findings.
• Review Initial Evidence package supplied by the entity in response to Attachment G:
  – One-line diagrams (we'll see the BILL one-line later)
  – Specific CIP-002-5.1 evidentiary documents

CIP-002-5.1 Audit Team Approach
• Audit to the Standard.
• Review the Evidence:
  – Inventory of BES Assets
  – One line diagrams
  – Application of the IRC
  – R1.1, R1.2, R1.3 lists.
  – R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)
• DR for additional information, as needed.
• Complete the RSAW
• Develop the Audit Report

[Flowchart: CIP-002-5.1 R1/R2 process, steps in flow order]
• Optional: Apply BES Definition to inventory of BES assets. Begin CIP-002-5.1 Process with inventory of BES Assets.
• Apply IRC to inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi].
• Are any BES assets rated as High or Medium?
  – No: Place all Low BES assets on R1.3 List.
  – Yes: Evaluate High & Medium BES assets for all applicable BCS.
• Use inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset.
• Validate List of BES Cyber Assets to account for all BCS, PCA, EACM & PACS within/around each tentative ESP at the BES asset.
• Add BCS to the appropriate list: R1.1: High Impact BCS; R1.2: Medium Impact BCS.
• Are there more High or Medium BES assets?
  – Yes: Continue BCS evaluations.
  – No: Continue to R2.
• R2.1: Review the R1.1, R1.2, & R1.3 Lists after the initial identification and at least once every 15 calendar months thereafter.
• R2.2: CIP Senior Manager or delegate approves lists after the initial identification and at least once every 15 calendar months thereafter.
• Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable.
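The R1/R2 flow above rendered as a small checker, an added example that is not WECC or BILL material: it builds the R1.1/R1.2/R1.3 lists from a constructed BES asset inventory, keeps null lists explicit, flags the reduced-scope case from the CIP-002-5.1 Overview slide, and tests the R2 approval cadence against the bookends. The sample assets, their impact ratings, the approval dates, and the reading of "15 calendar months" as "due by the end of the 15th month" are all assumptions.

```python
"""Model of the CIP-002-5.1 R1/R2 process shown in the flowchart: build the R1.1/R1.2/R1.3
lists from a BES asset inventory and check the R2 review/approval cadence (15 calendar months).
Added example; not WECC or BILL material. All sample data below is constructed."""
import calendar
from dataclasses import dataclass
from datetime import date

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


@dataclass(frozen=True)
class BesAsset:
    name: str
    asset_type: str                 # one of the R1.i - R1.vi asset types
    impact: str                     # IRC result: High, Medium or Low
    bes_cyber_systems: tuple = ()   # BCS identified at the asset (evaluated only for High/Medium)


def build_r1_lists(inventory):
    """R1 flow: High/Medium assets are evaluated for BCS and each BCS lands on R1.1 or R1.2;
    Low assets go on R1.3 by asset name only (no discrete BCS list is required).
    Null lists come back as empty lists because they must still be produced and approved.
    An asset with no IRC rating is an error: R1 requires every inventory asset to be considered."""
    lists = {"R1.1": [], "R1.2": [], "R1.3": []}
    for asset in inventory:
        if asset.impact == HIGH:
            lists["R1.1"].extend((asset.name, bcs) for bcs in asset.bes_cyber_systems)
        elif asset.impact == MEDIUM:
            lists["R1.2"].extend((asset.name, bcs) for bcs in asset.bes_cyber_systems)
        elif asset.impact == LOW:
            lists["R1.3"].append(asset.name)
        else:
            raise ValueError(f"{asset.name}: no valid IRC rating ({asset.impact!r})")
    return lists


def reduced_scope_candidate(lists):
    """Overview-slide rule: null R1.1 and R1.2 lists plus a valid R1.3 list typically means a
    reduced scope audit (CIP-002-5.1 R1-R2 and the CIP-003 low-impact requirements only)."""
    return not lists["R1.1"] and not lists["R1.2"] and bool(lists["R1.3"])


def end_of_month_plus(iso_day, months):
    """Last day of the calendar month `months` after the month of `iso_day` (ISO string).
    Assumption: "once every 15 calendar months" is read as due by the end of the 15th month."""
    d = date.fromisoformat(iso_day)
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, calendar.monthrange(year, month)[1]).isoformat()


def check_r2_cadence(approvals, as_of, months=15):
    """R2.1/R2.2 check over approval records (the 'bookends'): each record must be signed and
    dated by an identified approver, consecutive approvals must not be more than `months`
    calendar months apart, and the latest one must still be current at the audit date.
    Each record is a dict: {"date": "YYYY-MM-DD", "approver": str, "signed": bool}.
    Returns a list of findings; an empty list means no gap was found."""
    findings = []
    ordered = sorted(approvals, key=lambda r: r["date"])   # ISO dates sort lexicographically
    if not ordered:
        return ["no signed and dated R2 approval records provided"]
    for rec in ordered:
        if not (rec["signed"] and rec["approver"]):
            findings.append(f"{rec['date']}: record not signed and dated by an identified approver")
    for prev, curr in zip(ordered, ordered[1:]):
        due = end_of_month_plus(prev["date"], months)
        if curr["date"] > due:
            findings.append(f"{curr['date']}: late; approval of {prev['date']} required the next by {due}")
    due = end_of_month_plus(ordered[-1]["date"], months)
    if as_of > due:
        findings.append(f"latest approval {ordered[-1]['date']} expired {due}; no approval as of {as_of}")
    return findings


# Constructed sample inventory with hypothetical IRC ratings; not BILL's mock-audit results.
SAMPLE_INVENTORY = [
    BesAsset("PCC", "Control Center", HIGH, ("EMS/SCADA",)),
    BesAsset("BUCC", "Control Center", MEDIUM, ("Backup EMS",)),
    BesAsset("Gen Station", "Generation resource", MEDIUM, ("Unit 1 DCS", "Unit 2 DCS")),
    BesAsset("Sub7", "Transmission substation", LOW),
    BesAsset("Hydro-3", "Blackstart Resource", LOW),
]

# Constructed R2 records: initial approval plus one within 15 calendar months, audited 2014-09-24.
SAMPLE_APPROVALS = [
    {"date": "2013-06-14", "approver": "CIP Senior Manager", "signed": True},
    {"date": "2014-08-29", "approver": "CIP Senior Manager", "signed": True},
]

if __name__ == "__main__":
    r1 = build_r1_lists(SAMPLE_INVENTORY)
    for name, entries in r1.items():
        print(name, entries if entries else "(null list - still requires signed approval)")
    print("reduced scope candidate:", reduced_scope_candidate(r1))
    print("R2 findings:", check_r2_cadence(SAMPLE_APPROVALS, as_of="2014-09-24") or "none")
```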

WECC Audit Team Approach
• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low Impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-lines and BES Asset inventory
• If full Compliance audit:
  – Hold interviews with the entity's CIP SMEs
  – Perform site visits (Trust, but Verify)
• Validate annual approval documentation [R2]
• Submit DRs, as needed, to clarify compliance
• Determine findings (NF, PV, or OEA)
• Discuss findings with entire Cyber Security Team
• Complete RSAW
• Prepare CIP audit report (ATL & CPC)

Attachment G*: CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
  – [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
  – [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
  – [R1.3]: A list of Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.

* The 2015 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.

WECC Audit Team Approach
• Submit Data Requests [DRs] for any additional information that will support the entity's compliance efforts, e.g.:
  – Prior documentation to provide bookends
  – Address any questions or concerns

CIP-101 Mock Audit Overview
• BILL declared Option 3 of the recent NERC CIPv5 Transition Guidance (NERC, 2014 Sept 17, p. ).
• BILL compared inventory of BES Assets against current definition of Bulk Electric System (NERC, 2014 Sept 17, Glossary of Terms, pp. 18-21; NERC, 2014 April, BES Definition Guidance Document, v2)
• BILL identified and documented lists of High and Medium Impact BCS and a list of Low Impact BES Assets through an application of the Impact Rating Criteria [IRC] (NERC, 2013 Nov 22, CIP-002-5.1: Attachment 1, pp. 14-16).
• BILL requires a full Compliance audit on CIP-002-5.1 through CIP-011-1
  – First week: Discovery phase at WECC offices
  – Second week: Compliance audit at BILL office

CIP-101 Mock Audit Overview
• This session covers a mock audit of CIP-002-5.1 only
• The mock audit squeezes 2 weeks of audit activities into a few hours.
  – Sample DRs
  – Mock Interview
  – Site Visits
  – Use the RSAW as the guiding document
  – Present and review evidence for each requirement
  – What do YOU think is the appropriate finding for each requirement?

CIP-101 Mock Audit
• Walk through audit process in more detail
• Explain the differences between a reduced scope off-site audit and a full Compliance audit
• The Mock Audit simulates a Compliance audit of Billiam Power Company [BILL]
• BILL is registered with NERC as a BA, DP, GO, GOP, LSE, TO, TOP, TP, and TSP.
• For the CIP audit, the BA, DP, GO, GOP, TO, and TOP functions are in scope.

Review Initial Evidence
• Received from the entity in the initial evidence package
• Responses to data requests in Attachment G
• Information contained in entity response to the RSAWs
• Sets the stage for the initial audit review
  – Discovery phase at the WECC offices
• Followed up by additional Data Requests as needed

The BILL System*
• Billiam Power Company's (hereafter referred to by its NERC acronym, BILL) Balancing Authority (BA) area is effectively within the boundaries of the three counties on the western edge of Some State, bordered by Another State on the north and the Almost Mountains on the East and South. These three counties occupy about 15% of the land area of the state and contain about 20% of the state's population.
• BILL is registered as a BA, DP, GO, GOP, LSE, TO, TOP, TP, TSP

The BILL System (Generation)
• BILL's primary generation station is located in eastern Whatchamacallit County. The BILL generation station has two 1,000 MW fossil fuel generating units. The output of these units supports BILL's native load, and any available excess energy is marketed throughout the WECC Interconnection.
• BILL owns and operates nine Combustion Turbines (averaging 30 MW each) located near various consumer load centers throughout the service territory. These CTs are primarily used as peaking units and for voltage and frequency support during the summer months.

The BILL System (Generation)
• BILL also owns and operates the BILL-3 Hydroelectric plant on the Sweet William River. BILL-3 has a nameplate rating of 100 MW. This hydro unit is Blackstart capable and is connected to the BILL Generation Station through a dedicated 115 kV line that runs 87 miles from Sub3 to Sub1.
• Total BILL generation capacity is 2,380 MW.

The BILL System (Transmission)
• There are two synchronous 345 kV interties with adjacent BAs that define the BILL BA area. These ties are with XXXX Electrical Utility and YYYY Federal Power District at Sub1, which is adjacent to the BILL Generation Station.
• The BES portion of BILL's BA area, its 345 kV, 230 kV, and 115 kV facilities, includes 190 miles of 345 kV transmission lines, 450 miles of 230 kV lines, and 973 miles of 115 kV lines.
• BILL owns and operates two 345 kV substations, 25 230 kV substations, and 52 115 kV substations throughout its service territory. BILL serves its native residential and commercial load through its 115 kV and 230 kV transmission facilities.

The BILL System (Control Centers)
• BILL's Generation and Transmission Facilities are monitored and operated from the Primary Control Center (PCC) located at the corporate headquarters in Big Bill City. BILL also maintains a hot stand-by Back-up Control Center (BUCC) located in its operations center in Little Bill City, which is approximately 50 miles from the PCC.
• BILL is a summer peaking BA, and BILL's BA all-time area peak load was recorded on July 20, 2010 at 2,482 MW.

BILL One-Line Diagram

BILL's BES Asset Identification
• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC
  – Starts with an overall Inventory of entity BES assets.
  – Did the entity use the new BES Definition to exclude any BES Assets?
    • If so, review and validate those exclusions
  – Use the IRC to identify and document the R1.x lists

High IRC (Control Centers)

Medium IRC (Control Centers)

Low IRC (Control Centers)

R1.i: Example of Auditable Process

BILL's BES Asset Identification
• Were applicable BES assets evaluated relative to IRC criteria 2.3, 2.6, or 2.8?
• Did BILL demonstrate coordination with the applicable registered function(s)?
  – If not, should we submit a data request?

Medium IRC (Transmission)

Medium IRC (Transmission)

Medium IRC (Transmission)

Medium / Low IRC (Transmission)

R1.ii: Example of Auditable Process

Medium IRC (Generation)

Medium / Low IRC (Generation)

R1.iii-iv: Example of Auditable Process

Medium IRC (Protection Systems)

Low IRC (Protection Systems)

Slide 46

R1.v-­‐vi:  Example  of  Auditable  Process  

Slide 47

List  of  High  &  Medium  BES  assets  

• Review the list of High BES assets
• Review the list of Medium BES assets
• Compare both lists to the lists developed for:
  – R1.1: High impact BCS
  – R1.2: Medium impact BCS

Slide 48

Compare 2013 List of Critical Assets

• For the next several years, CIP Auditors will be comparing the results of applying the IRC to identify High and Medium BCS (primarily the BES assets containing such BCS) against the prior CIP-002-3 lists of Critical Assets and lists of Critical Cyber Assets, and evaluating any significant differences.

• This may not generate a PV (Possible Violation), but it is guaranteed to generate discussions.

Slide 49

List  of  Low  Impact  BES  Assets  

• Review the list of Low Impact BES Assets
• Correlate this list against the entity’s inventory of BES Assets and the list of High and Medium BCS locations.

Slide 50

BILL  BES  Assets:  2013  Control  Centers  

Slide 51

BILL  BES  Assets:  2014  Control  Centers  

Slide 52

BILL BES Assets: 2013 Substations

Slide 53

BILL BES Assets: 2014 Substations

Slide 54

BILL BES Assets: 2013 Generation

Slide 55

BILL BES Assets: 2014 Generation

Slide 56

BILL  BES  Assets:  2013  Special  Systems  

Slide 57

BILL  BES  Assets:  2014  Special  Systems  

Slide 58

Validate BES Asset Lists

• Review and compare the prior lists of CIP-002-3 R2 Critical Assets to the current lists of High and Medium BES Assets
• Did the results seem reasonable?
• Did the entity opt to reduce its number of Transmission Assets through the application of the BES Definition?
• If so, did the entity provide valid rationale for all exclusions?
• Do the Transmission BES Medium Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?

Slide 59

BILL BES Assets: 2013 Critical Assets

Slide 60

BILL  BES  Assets:    2014  High  &  Medium  BES  Assets  

Slide 61

2013 Critical Assets vs. 2014 High & Medium BES Assets – Net Changes

• Control Centers (High BCS)
  – Both Control Centers move from the CA list to the High BES asset list
• Substations (Medium BCS)
  – Subs 1 and 2 move from the CA list to the Medium BES asset list
  – Add 4 (Subs 4, 7, 8, 11) to the Medium BES asset list
  – 1 (Sub 3, Blackstart Cranking Path) moves to the Low BES asset list
  – Other Transmission subs become Low BES Assets
• Generation Units (Medium and/or Low BCS)
  – Big Bill Station is a Medium BES asset
  – Blackstart unit becomes a Low BES asset
  – Combustion turbines become Low BES assets
• Special Protection Systems (BCS Not Applicable)
  – No change

Slide 62

R1: BES Asset Lists Review Questions

• Did BILL apply the IRC appropriately?
• Does BILL need to confer with its RC, PA, or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8?
• Application Questions
  – Did BILL consider all BES asset types in R1.i through R1.vi?
  – Did BILL review and evaluate all BES Assets through the IRC?
  – Did BILL clearly identify and document all BES assets in the appropriate impact rating?
• Is any additional information necessary before we look at the BCS groupings?
  – If so, do we submit a DR?
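The list-level checks the preceding slides describe (compare the 2013 Critical Asset list with the 2014 High and Medium lists, confirm every BES asset carries exactly one impact rating, confirm nothing in the entity's inventory is missing from all three lists, and confirm a rationale exists for every former Critical Asset now rated Low) can be scripted so the audit team arrives with the discrepancies already in hand. The following Python is an added example, not WECC or NERC tooling and not part of the original slides; the BILL data is reconstructed from the "Net Changes" slide, and the inventory entry CT3, the Blackstart Unit, the exclusion rationale text and the treatment of SUB3 as a 2013 Critical Asset are assumptions made for the example.

```python
"""Reconcile a CIP-002-3 Critical Asset list with the CIP-002-5.1
High / Medium / Low BES asset lists and run the R1 list checks the
audit team asks about. Added example, not WECC tooling; the BILL data
is reconstructed from the "Net Changes" slide and partly constructed."""
from collections import Counter

# 2013 CIP-002-3 R2 Critical Asset list (constructed; SUB3 is included
# because the slide says it "moves" from the CA list to Low).
CRITICAL_ASSETS_2013 = {"Primary CC", "Backup CC", "SUB1", "SUB2", "SUB3"}

# 2014 CIP-002-5.1 impact ratings after applying the IRC (constructed).
BES_ASSETS_2014 = {
    "High":   {"Primary CC", "Backup CC"},
    "Medium": {"SUB1", "SUB2", "SUB4", "SUB7", "SUB8", "SUB11", "Big Bill Station"},
    "Low":    {"SUB3", "SUB26", "SUB53", "BILL Hydro", "CT1", "CT8", "Blackstart Unit"},
}

# The entity's full BES asset inventory; CT3 was left off every list (constructed).
BES_ASSET_INVENTORY = set().union(*BES_ASSETS_2014.values()) | {"CT3"}

# Rationale documented for each asset rated lower than its 2013 status (constructed).
EXCLUSION_RATIONALE = {"SUB3": "exclusion rationale on file (constructed placeholder)"}


def multiply_rated(lists):
    """Assets carrying more than one impact rating (each must have exactly one)."""
    counts = Counter(a for rated in lists.values() for a in rated)
    return {a for a, n in counts.items() if n > 1}


def unlisted(inventory, lists):
    """Inventory assets on no list: they default to Low and belong on the R1.3 list."""
    return inventory - set().union(*lists.values())


def net_changes(prior_ca, lists):
    """Movement between the 2013 CA list and the 2014 High/Medium lists."""
    high_medium = lists["High"] | lists["Medium"]
    return {
        "carried_over": prior_ca & high_medium,
        "added": high_medium - prior_ca,
        "dropped_to_low": prior_ca & lists["Low"],
        # A former Critical Asset that is on no 2014 list at all needs a DR.
        "unaccounted": prior_ca - high_medium - lists["Low"],
    }


def missing_rationale(changes, rationale):
    """Former Critical Assets now Low that have no documented exclusion rationale."""
    return {a for a in changes["dropped_to_low"] if a not in rationale}


def review(prior_ca=CRITICAL_ASSETS_2013, lists=BES_ASSETS_2014,
           inventory=BES_ASSET_INVENTORY, rationale=EXCLUSION_RATIONALE):
    """Run every check and return the findings an auditor would raise as DR items."""
    changes = net_changes(prior_ca, lists)
    return {
        "changes": changes,
        "multiply_rated": multiply_rated(lists),
        "unlisted": unlisted(inventory, lists),
        "missing_rationale": missing_rationale(changes, rationale),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")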

Slide 63

Identifying High and Medium BCS

• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
  – 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
  – 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
  – 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

Slide 64

R1: Identify and Document BCS

• Use lists of High- & Medium-impact BES assets
• Identify BCA associated with each BES Asset.
• Logically group BCA into BCS.
• Document BCS on the R1.1 or R1.2 list, as appropriate.
• Add Low-impact BES assets to the R1.3 list

Process diagram (text rendering of the slide graphic):
  Inputs: List of High & Medium Assets -> R1.1 - R1.2 Process: Identify BCS -> Outputs: R1.1, R1.2 Lists
  Input: List of Low Impact Assets -> R1.3 List

Slide 65

R1.1-R1.2: Identifying BCS

• Develop an auditable process to examine each High and Medium impact Facility
• Examine the inventory of BCA at each Facility
• Consider reliability functions
• Group BCA into logical BCS
• Identify PCA, EACMS, and PACS

Slide 66

Process to Identify BCS

CIP-002-5 requires the identification of High & Medium impact BCS, but it may be a good idea to consider & identify the different types of BCS (CIP-005-5, pp. 4-5) and associated Cyber Assets (CIP-002-5, p. 6) at this point to facilitate later determinations in the Applicability Matrices of other CIP standards:

• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS with External Routable Connectivity
• PCA
• EACMS
• PACS

Flowchart (text rendering of the slide graphic):
  1. Use the inventory of BES Cyber Assets at the High- or Medium-impact Facility to identify and list R1.1 and R1.2 BES Cyber Systems (BCS) at each such facility.
  2. Validate the list of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the Facility.
  3. Are there more High or Medium Facilities? Yes: return to step 1 for the next Facility. No: done.

Slide 67

Consider Reliable Operation of the BES

• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).

• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).

Slide 68

Consider Real-Time Operations

• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).

• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).

• The 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791, P. 123, p. 72771).

Slide 69

Consider Ancillary BES Cyber Assets

• Protected Cyber Assets [PCA]
  – Examples may include, to the extent they are within the ESP: file servers, FTP servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
  – May also be lower impact BCA or BCS by virtue of the high-water mark (CIP-005-5, p. 14)

• Electronic Access Control or Monitoring Systems [EACMS]
  – Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)

• Physical Access Control Systems [PACS]
  – Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6).

Slide 70

BILL’s BCS Identification

• The next step in a CIP-002-5.1 audit is to review the entity’s development of the R1.1 through R1.3 lists.
• Starts with the identified lists of High and Medium impact BES assets.
• Uses the inventory of BES Cyber Assets at each such BES asset to identify and document a list of High and Medium BCS, even if such lists are null.
• Good idea to start with any existing lists of CCAs at applicable CIPv3 Critical Assets.

Slide 71

2014  BCS:  Primary  Control  Center  

Slide 72

2013  CCAs:  Backup  Control  Center  

Slide 73

2013  CCAs:  SUB1  

Slide 74

2012 Null Lists CCAs: Generation & Subs

Slide 75

2013 Null Lists CCAs: Generation & Subs

Slide 76

Identifying BES Cyber Assets

• Identify whether the Cyber Asset meets the definition of BCA
• Check the length of installation
  – If connected for 30 consecutive calendar days or less, determine whether the Cyber Asset is a transient device (excluded from the BCA definition)
• Group into logical BCS with associated PCA

Slide 77

Grouping BCA into BCS

• Entity determines the level of granularity of a BCS
  – There may be one or more BCA within a given BCS
  – Consider the BROS for your registrations

• In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the “BES Cyber System” term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term “BES Cyber System” is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts (CIP-002-5.1, 2013, p. 4)

Slide 78

Examples of BCS

Figure (slide graphic): example BCS groupings labeled EMS BCS, Generation BCS (three), and Transmission BCS (two).

Slide 79

Examples  of  BCA  Groupings:  BA/TOP  

• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)

Slide 80

Examples of BCA Groupings: BA/TOP

Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg

Figure (slide graphic): a control-center network diagram annotated with two ESPs; systems inside the ESPs are labeled High BCS (five) and PCA (six), and systems outside them are labeled Low or No BCS (two).

Slide 81

Examples  of  BCA  Groupings:  BA/TOP  

• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems

Slide 82

Examples of BCA Groupings: TO/TOP

Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from http://publicintelligence.net/scada-a-deeper-look/

Figure (slide graphic): a transmission SCADA diagram annotated with SCADA Component BCS, EMS BCS (two), RTU BCS, and Protective Relay BCS.

Slide 83

Examples  of  BCA  Groupings:  GO/GOP  

• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)

Slide 84

Examples of BCA Groupings: GO/GOP

Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf

Figure (slide graphic): a generating-plant control diagram annotated with Medium BCS (four), PCA (three), and Low BCS (one).

Slide 85

Consider BCS Types

• High Impact BCS,
• High Impact BCS w/ Dial-up Connectivity,
• High Impact BCS w/ External Routable Connectivity,
• Medium Impact BCS,
• Medium Impact BCS at Control Centers,
• Medium Impact BCS w/ Dial-up Connectivity,
• Medium Impact BCS w/ External Routable Connectivity,
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)

Slide 86

R1.1:  Example  of  Auditable  Process  

Slide 87

R1.1:  Example  of  Auditable  Process  

Slide 88

R1.3:  Example  of  Auditable  Process  

• Any BES Asset (i.e., Facility) not rated as High or Medium defaults to a Low Impact rating and should be placed on the R1.3 list
• BCS associated with a Low impact BES Asset also become Low impact BCS.
• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3.
• Comply with CIP-003-6 R2 for specific technical controls
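The R1 procedure laid out across the preceding slides (apply the 15-minute test to each Cyber Asset at a High or Medium BES asset, ignore redundancy, set aside transient devices, sort the remainder into BCA, PCA, EACMS and PACS, group BCA into BCS at the granularity the entity chooses, apply the high-water mark to PCA, and document the R1.1, R1.2 and R1.3 lists even when null) is shown below as an added Python example. It is not WECC or NERC tooling and not part of the original slides. The inventory rows, the BES asset ratings, the `system` grouping labels and the role vocabulary used to recognise EACMS and PACS are assumptions made for the example; the 30-day transient test follows the BES Cyber Asset definition (30 consecutive calendar days or less, used for data transfer, vulnerability assessment, maintenance or troubleshooting).

```python
"""Classify a Cyber Asset inventory for CIP-002-5.1 R1 and build the
R1.1 / R1.2 / R1.3 lists. Added example, not WECC or NERC tooling; the
inventory rows below are constructed for the mythical BILL entity."""
from collections import defaultdict
from dataclasses import dataclass

# Impact rating of each BES asset, as produced by the earlier R1 step
# (Attachment 1 criteria). Constructed for this example.
BES_ASSET_RATING = {"Primary CC": "High", "SUB1": "Medium", "BGS": "Medium", "SUB3": "Low"}

# Assumed role vocabulary for access-control devices (not from the standard).
EACMS_ROLES = {"eap", "intermediate", "auth", "monitor", "ids"}
PACS_ROLES = {"badge", "door"}


@dataclass(frozen=True)
class CyberAsset:
    name: str
    bes_asset: str        # BES asset (facility) where the device is installed
    system: str           # entity-chosen logical grouping: EMS, RTU, Relay, ...
    adverse_15_min: bool  # unavailable/degraded/misused -> BES impact within 15 min
    days_connected: int   # consecutive calendar days connected to the ESP network/BCA
    transient_use: bool   # data transfer, vulnerability assessment, maintenance, ...
    in_esp: bool          # inside the tentative ESP of the facility
    role: str = ""        # access-control role, e.g. "eap", "auth", "badge"
    # Deliberately no "has_redundant_peer" field: redundancy must not be
    # considered when applying the 15-minute test.


def is_transient(ca):
    """BCA definition carve-out: 30 consecutive days or less AND a transient purpose."""
    return ca.days_connected <= 30 and ca.transient_use


def classify(inventory):
    """Return the R1.1/R1.2 BCS groupings, the R1.3 asset list, the associated
    PCA (with high-water-mark rating), EACMS and PACS, and excluded transients."""
    out = {"R1.1": {}, "R1.2": {}, "R1.3": set(),
           "PCA": {}, "EACMS": [], "PACS": [], "transient": []}
    bcs = defaultdict(list)           # (bes_asset, system) -> member BCA names
    for ca in inventory:
        rating = BES_ASSET_RATING[ca.bes_asset]
        if is_transient(ca):
            out["transient"].append(ca.name)
        elif ca.adverse_15_min:       # meets the BCA definition: list it as a BCA first
            bcs[(ca.bes_asset, ca.system)].append(ca.name)
        elif ca.role in EACMS_ROLES:
            out["EACMS"].append(ca.name)
        elif ca.role in PACS_ROLES:
            out["PACS"].append(ca.name)
        elif ca.in_esp:
            # High-water mark: a PCA takes the rating of the ESP it sits in.
            out["PCA"][ca.name] = rating
    for (bes_asset, system), members in bcs.items():
        rating = BES_ASSET_RATING[bes_asset]
        name = f"{bes_asset}/{system}"
        if rating == "High":
            out["R1.1"][name] = sorted(members)
        elif rating == "Medium":
            out["R1.2"][name] = sorted(members)
        else:
            # R1.3 lists the asset that contains Low BCS, not the BCS themselves.
            out["R1.3"].add(bes_asset)
    return out                         # lists are returned even when empty (null)


# Constructed sample inventory. EMS-B is a redundant peer of EMS-A and is still a
# BCA; the vendor laptop passes the 15-minute test but is transient.
INVENTORY = [
    CyberAsset("EMS-A", "Primary CC", "EMS", True, 900, False, True),
    CyberAsset("EMS-B", "Primary CC", "EMS", True, 900, False, True),
    CyberAsset("ICCP-GW", "Primary CC", "ICCP", True, 900, False, True),
    CyberAsset("PI-Historian", "Primary CC", "Historian", False, 900, False, True),
    CyberAsset("CC-Firewall", "Primary CC", "Network", False, 900, False, False, role="eap"),
    CyberAsset("Badge-Server", "Primary CC", "Physical", False, 900, False, False, role="badge"),
    CyberAsset("Vendor-Laptop", "Primary CC", "EMS", True, 5, True, True),
    CyberAsset("SUB1-RTU", "SUB1", "RTU", True, 2000, False, True),
    CyberAsset("SUB1-Relay-1", "SUB1", "Relay", True, 2000, False, True),
    CyberAsset("SUB1-Relay-2", "SUB1", "Relay", True, 2000, False, True),
    CyberAsset("SUB1-DFR", "SUB1", "Recorder", False, 2000, False, True),
    CyberAsset("BGS-DCS", "BGS", "DCS", True, 1500, False, True),
    CyberAsset("SUB3-RTU", "SUB3", "RTU", True, 2000, False, True),
]


def build_r1_lists():
    return classify(INVENTORY)


if __name__ == "__main__":
    for key, value in build_r1_lists().items():
        print(f"{key}: {value}")
```

The ordering of the tests matters: a device that meets the BCA definition is recorded as a BCA before any access-control role is considered, and the transient carve-out is applied before the 15-minute result is used, so a maintenance laptop that could affect the BES within 15 minutes still drops out of the BCA list. Changing the `system` label on a row is the entity's granularity decision from the "Grouping BCA into BCS" slide: the two relays at SUB1 become one Relay BCS because they share a label, and would become two BCS if they did not.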

Slide 89

BILL’s  Review  &  Approval  Process  

• The next step in a CIP-002-5.1 audit is to review the identifications of the lists created in R1, even if such lists are null.
  – R1.1 list of High BCS
  – R1.2 list of Medium BCS
  – R1.3 list of Low-impact BES assets

• Review the signed and dated records of the CIP Senior Manager’s or delegate’s approval of the lists.

Process diagram (text rendering of the slide graphic):
  Inputs: R1.1, R1.2, R1.3 Lists -> R2 Review & Approval Process -> Outputs: Signed and Dated Records

Slide 90

R2: Annual Approval Review Questions

• Did BILL review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?
• Did BILL update the lists, as necessary?
• Did the BILL CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?
• Application Questions
  – Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DRs necessary?
  – If so, what additional information is required?

Slide 91

On-Site Activities: The Interview

• Set up through an interview DR the prior week
• Typically held on Monday of the on-site week immediately after the opening presentation
• Examines the entity’s understanding of and approach to R1-R4
• Cover any areas of concern raised through the initial evidence review
• Schedule follow-up interview(s), if needed, after the site visits

Slide 92

On-site activities: Mock Interview

• Need four volunteers
  – You are BILL SMEs
  – No, you don’t get to practice
• We will ask a series of questions that we generally ask all CIP-002 SMEs
• Also ask questions of concern, if indicated by the initial review of the evidence
• The Interview Question Set

Slide 93

On-site activities: Mock Interview

• What did we learn from the interview?
• What was the key issue from an audit perspective?
• Should we find a PV for this issue?
• Why or why not?

Slide 94

On-Site Activities: Site Visit

• Set up through a site visit DR the prior week
• Itinerary determined through review of the initial evidence
• Trust, but verify. Why?
• Depending on entity size, this may involve 100% validation or a statistical sampling:
• Where?
  – Control Centers
  – Generation Facilities
  – Transmission Facilities
• What?
  – High and Medium BCS
  – A non-statistical sampling of Low Impact BES Assets

Slide 95

On-Site Activities: Site Visit

• Who?
  – CIP-002-5.1 Sub-Team
    • Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL
    • Works in conjunction with the CIP-005 sub-team
  – CIP-005-5 Sub-Team
    • Validates Electronic Access Points [EAPs] and Electronic Access Control and Monitoring devices [EACMS]
    • Confirms ESP boundaries
  – CIP-006-5 Sub-Team
    • Validates PSPs and Physical Access Controls, such as PACS, cameras, logs, etc.
    • My colleague provided an overview on CIP-006 audit activities earlier.

Slide 96

On-Site Activities: CIP-002-5.1 Site Visit

• What?
  – Validate lists of BCS
  – Validate null lists of BCS (if applicable)
  – Look for aberrations from the lists
  – Hold informal interviews with entity SMEs
• When?
  – Visit remote sites during the off-site audit week.
  – Most Control Centers on Tuesday of the on-site audit week
  – May extend to Wednesday depending on the number of sites visited, distances traveled, resource constraints, etc.

Slide 97

On-­‐Site  Ac5vi5es:  BILL  Site  Visits  •  Visit  the  Primary  and  Backup  Control  Centers    

–  100%  valida5on  of  High  BCS,  PCA,  etc.  in  both  loca5ons  –  Talk  to  Operators  &  SMEs  

•  Visit  the  BILL  Genera5on  Sta5on  (BGS)  –  Validate  Medium  and  Low  BCS  at  BGS,    –  Discuss  CIPv5  progress  at  BGS.  

•  Visit  SUB1,  SUB2,  SUB11  –  Validate  the  Medium  BCS,  PCA,  etc.,  –  Discuss  CIPv5  progress  on  Medium  BCS  at  Transmission  Facili5es.  

•  Visit  Low-­‐impact  BES  asset  sampling  (SUB3,  SUB26,  SUB53,  BILL  Hydro,  CT1,  CT8)  –  Validate  presence  of  Low  BCS,    –  Review  CIP-­‐003-­‐6  R2  controls.  

•  Site  Visit  Ques5ons  –  Why  validate  the  BCS  at  a  given  site?  –  Why  ask  ques5ons  of  en5ty  SMEs?  –  What  do  the  auditors  expect  to  find?  


Page 99:

BILL Site Visits: Control Centers

• Visited the Primary Control Center
  – 100% validation of High BCS
  – Identified nothing out of the ordinary.
• Visited the Backup Control Center
  – 100% validation of High BCS
  – Identified nothing out of the ordinary.


Page 100:

Site Visits: Generation Units

• Visited BILL Generation Station
  – Validated Medium BCS and Low BCS
  – Identified nothing out of the ordinary.
• Visited BILL Hydro Facility, CT1, CT8
  – Validated presence of Low BCS
  – Reviewed compliance efforts with CIP-003-6 R2
  – Identified nothing out of the ordinary.


Page 101:

Site Visits: Substations

• Visited Sub 1, Sub 2, Sub 11
  – 100% validation of Medium BCS
  – Noticed something strange here.
• Visited Sub 3, Sub 26, Sub 53
  – Validated presence of Low BCS.
  – Discussed CIP-003-6 R2 controls with CIP SMEs
  – Also noticed something strange here.


Page 102:

Site Visits: What Did We See?

What is this device and what is it doing here in the subs?


Page 103:

On-Site Activities: Site Visit

• What did we learn from the site visit?
• Tour Notes DR
• Why do we validate Null lists and review Low BCS?
• What was the main concern with the unexpected devices?
  – Should we DR for additional information?
  – Would another interview be more effective?
  – Does this situation call for an R3 PV finding?
    • Why or why not?


Page 104:

Discussing the Findings

• Discuss the Findings with the whole Cyber Security Team.
• Is there a PV for the undocumented devices?
  – R1.2: Undeclared Medium BCS on the R1.2 list?
    • Review BCA at the Combustion Turbines.
    • Does the entity have documentation from its TP or PA/PC that exempts the CTs from Criterion 2.3? (See previous audit OEA.)
  – R1.2: Incorrect identification of Medium BCS with Dial-up Connectivity?
    • The Substation Modems.
• Gain team consensus on any PV.
• Determine the scope of a potential PV.
  – How do we do this?
    • Complete the CIP-002-5.1 Findings Table in the RSAW.
    • Submit to the ATL and CPC for the Closeout Presentation.

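The reconciliation the team is reasoning through here (an unexpected device on site that is on no R1 list, a Medium BCS whose Dial-up Connectivity attribute may be wrong because a modem sits at the substation, and a null list that still has to be confirmed by the visit, as on the Page 97 slide) can be written down as a small check over the declared lists and the tour notes. The following is an added example for this deck, not WECC audit tooling and not part of the original slides; the record layout, the asset and device names, the `dial_up` and `reaches_bcs` attributes and the finding codes are all constructed assumptions for illustration.

```python
"""Reconcile declared CIP-002-5.1 BES Cyber System (BCS) lists against what an
audit team observed during a site visit.

Added example for this deck; it is not WECC audit tooling and not part of the
original slides. The record layout, the asset and device names, and the
'dial_up' / 'reaches_bcs' attributes are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeclaredBCS:
    asset: str             # BES asset (control center, substation, plant)
    name: str              # BES Cyber System identifier on the R1 list
    impact: str            # "High" (R1.1), "Medium" (R1.2) or "Low" (R1.3)
    components: frozenset  # BES Cyber Asset names that make up the system
    dial_up: bool = False  # entity declared Dial-up Connectivity for it


@dataclass(frozen=True)
class ObservedDevice:
    asset: str
    device: str
    kind: str              # e.g. "relay", "RTU", "modem" (from the tour notes)
    reaches_bcs: bool      # connects to a BCS at this asset, per entity SMEs


def reconcile(declared, observed, visited_assets):
    """Return (code, asset, detail) tuples for the audit team to discuss.

    Codes are assumed labels for this example, not NERC terms:
      UNDECLARED_DEVICE    device touching a BCS but on no R1 list -> DR/interview
      DIALUP_MISMATCH      Medium BCS declared without Dial-up Connectivity
                           although a modem is present at the asset
      NULL_LIST_VALIDATED  asset with no declared BCS where nothing observed
                           contradicts the null list
    """
    by_asset = {}
    for d in declared:
        by_asset.setdefault(d.asset, []).append(d)

    findings = []
    for asset in sorted(visited_assets):
        systems = by_asset.get(asset, [])
        seen = [o for o in observed if o.asset == asset]
        declared_components = {c for s in systems for c in s.components}

        # Anything on site that reaches a BCS must appear on a declared list.
        for o in seen:
            if o.reaches_bcs and o.device not in declared_components:
                findings.append(("UNDECLARED_DEVICE", asset,
                                 f"{o.device} ({o.kind}) is on no R1.1/R1.2/R1.3 list"))

        # A modem at the asset is treated as a flag to verify the Dial-up
        # Connectivity attribute of every Medium BCS declared there.
        if any(o.kind == "modem" for o in seen):
            for s in systems:
                if s.impact == "Medium" and not s.dial_up:
                    findings.append(("DIALUP_MISMATCH", asset,
                                     f"{s.name} declared without Dial-up Connectivity"))

        # Null lists are validated, not skipped: the visit must confirm them.
        if not systems and not any(o.reaches_bcs for o in seen):
            findings.append(("NULL_LIST_VALIDATED", asset,
                             "no BCS declared and no BCS-connected device observed"))
    return findings


# Constructed sample data for a mock site visit (not BILL's real inventory).
SAMPLE_DECLARED = [
    DeclaredBCS("CC-PRIMARY", "EMS", "High", frozenset({"ems-srv1", "ems-srv2"})),
    DeclaredBCS("SUB1", "SUB1 Protection System", "Medium", frozenset({"relay-a", "relay-b"})),
    DeclaredBCS("SUB3", "SUB3 RTU", "Low", frozenset({"rtu-1"})),
    # SUB26 intentionally has no entry: a null R1 list for that asset.
]

SAMPLE_OBSERVED = [
    ObservedDevice("CC-PRIMARY", "ems-srv1", "server", True),
    ObservedDevice("CC-PRIMARY", "ems-srv2", "server", True),
    ObservedDevice("SUB1", "relay-a", "relay", True),
    ObservedDevice("SUB1", "modem-1", "modem", True),   # the unexpected device
    ObservedDevice("SUB3", "rtu-1", "RTU", True),
    ObservedDevice("SUB26", "meter-x", "meter", False),
]

VISITED = {"CC-PRIMARY", "SUB1", "SUB3", "SUB26"}


def run_sample():
    return reconcile(SAMPLE_DECLARED, SAMPLE_OBSERVED, VISITED)


if __name__ == "__main__":
    for code, asset, detail in run_sample():
        print(f"{code:20} {asset:12} {detail}")
```

On the constructed data the check raises two items for SUB1 (the modem is on no list, and the Medium BCS there is declared without Dial-up Connectivity) and records SUB26 as a validated null list; the control center and SUB3 produce nothing. The output is a list of questions for the team discussion, not a PV determination: whether a flagged modem actually provides Dial-up Connectivity to the BCS is exactly what the follow-up DR or interview on the slide has to establish.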

Page 105:

Value-Added Activity: Feedback

• WECC Audit Teams never prescribe solutions, but we always brief entities on Findings and:
  – Encourage good security practices,
  – Discuss examples of industry best practices we've seen on other audits (without identifying the entities),
  – Identify Areas of Concern, which may not be violations, but which could stand improvement,
  – Provide suggestions and/or Recommendations, when appropriate, and
  – Support development of a sustainable compliance culture.


Page 106:

Audit Documentation: The RSAW

• An auditor is judged by the quality of his or her working papers.
  – Complete the RSAW
  – Review evidence and notes for final determinations
  – DR for any final needed information
  – Document Findings


Page 107:

Audit Documentation

• Auditors review evidence, find facts, and report findings
  – Turn PVs over to the Enforcement team
  – The Enforcement team depends heavily on the quality of auditor documentation
• Be Literate, be Concise, but above all else, Be Accurate.
• If it's not written down, it didn't happen.


Page 108:

Post-Audit Auditor Activities

• The Audit Report
  – Work with ATL & CPC
  – Verify findings and other information related to audited standard(s)
• Document findings in webCDMS
  – PV & OEA findings only
• Work with WECC Enforcement personnel to support Investigations as SME for audit processes and findings


Page 109:

Post-Audit Auditor Activities

• Participate in entity Outreach activities, such as this event and CIPUG meetings.
• Be available and responsive to entity questions & comments.
• Work with NERC and other regions at the National level:
  – Compliance working groups
  – Follow Drafting team progress
  – Comment on new Standards, guidance documents, etc.
  – Attend and present at compliance conferences & workshops
  – Pilot studies like the recent CIPv5 Pilot Study


Page 110:

Summary

• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid audit report
• Be available to CIP personnel at the entities
• Work at the National level


Page 111:

Remember the Auditor's Mission

Just the facts, Ma'am, just the facts!


Page 112:

References

• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf

• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null

• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf


Page 113:

References

• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf


Page 114:

Speaker Contact Information

Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351 (O) 801.734.8357
