WECC CIP-101 CIP-002 Mock Audit (09252014 final), posted 2014-10-09
TRANSCRIPT
CIP-101: Making the Transition CIP-002-3 to CIP-002-5.1 Mock Audit
Henderson, NV, September 24-25, 2014
Joseph B. Baugh, PhD, PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security, Western Electricity Coordinating Council

Speaker Intro: Dr. Joseph Baugh
• 40+ years Electrical Utility Experience
– Senior Compliance Auditor, Cyber Security
– IT Manager & Power Trading/Scheduling Manager
– IT Program Manager & Project Manager
– PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM certs
– NERC Certified System Operator
– Barehand Qualified Transmission Lineman
• 20 years of Educational Experience
– Degrees earned: Ph.D., MBA, BS-Computer Science
– Academic & Technical Course Teaching Experience
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• Business Strategy, Leadership, and Management
• Information Technology and IT Security
• Project Management
September 24-25, 2014, Western Electricity Coordinating Council
Slide 2
WECC CIP-101 Disclaimer
• The WECC Cyber Security team has created a mythical Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the CIP audit processes.
• Any resemblance of BILL to any actual Registered Entity is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual CIP Compliance audit.
Slide 3
Agenda
• Class Introductions – Name, Title, Organization, Interest in CIP-002
• Review CIP-002-5.1 Requirements
• Review CIPv5 Transition Guidance
• Review CIP-002-5.1 Team audit approach
• CIP-002-5.1 Mock Audit Overview
• The BILL Mock Audit
• Questions
Slide 4
CIP-002-5.1 Overview
• CIP-002-5.1 is the first step on the CIP Compliance trail.
• All Registered Entities that perform the BA, DP, GO, GOP, IA, RC, TO, and/or TOP registered functions are required to be compliant with CIP-002-5.1.
• CIP-002-5.1 replaces LSE with the DP function; the TSP function drops out.
• Some entities may find they are only required to be compliant with CIP-002-5.1 R1-R2 & CIP-003-5 R2-R4.
– Typically requires a reduced scope audit that will be conducted at WECC offices or other locations, as necessary.
– True if IRC application generates null R1.1 & R1.2 lists.
– Must also provide a valid R1.3 list of Low Impact BES Assets.
– Pending Low Impact BCS Requirements discussed in CIP-003-6 R2.
Slide 5
CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
[Diagram: R1 Process. Inputs: Inventory of BES Assets. Outputs: List of High, Medium, & Low Assets.]
[Diagram: R1.1-R1.2 Process: Identify BCS. Inputs: List of High & Medium Assets. Outputs: R1.1, R1.2 Lists. The List of Low Impact Assets feeds the R1.3 List directly.]
Slide 6
CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High] [Time Horizon: Operations Planning]
– i. Control Centers and backup Control Centers;
– ii. Transmission stations and substations;
– iii. Generation resources;
– iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
– v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
– vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
• Generates Low impact BES assets for the R1.3 list.
Slide 7
CIP-002-5.1: R1.1 - R1.3
• Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
– 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
Slide 8
CIP-002-5.1 Requirements: R2
• The entity must review the identifications made in R1 (and update them, if necessary) at least once every 15 calendar months [R2.1].
• The CIP Senior Manager or delegate (as defined in CIP-003-3 R2 or CIP-003-6 R3, R4) must approve the initial lists [R2.2] and at least once every 15 calendar months thereafter:
– The R1.1, R1.2, and R1.3 lists
– Include signed and dated null lists, if applicable
• The entity must maintain signed and dated records of the approvals listed above.
– Electronic or physical approvals accepted
[Diagram: R2 Review & Approval Process. Inputs: R1.1, R1.2, R1.3 Lists. Outputs: Signed and Dated Records.]
Slide 9
CIP-002-5.1: Direction
• CIP-002-5 R1.1 - R1.3 are applicable for the transition period in lieu of the CIP-002-3 R2 list of Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) for immediate CIPv5 compliance efforts (Option 3).
• Compliance date for Low impact BES Assets is April 1, 2017.
– Specific Low impact control modifications are under review by industry and oversight groups [See CIP-003-6 R2].
– Currently, four programmatic controls from CIP-003-5 R2.
– Don’t ignore, but don’t prioritize for now.
Slide 10
CIPv5 Transition Guidance
• As a practical matter, NERC understands that Responsible Entities cannot complete transition to the CIP V5 Standards in a single instance; rather, transition to full implementation will occur over a period of time as Responsible Entities develop the necessary procedures, software, facilities, or other relevant capabilities necessary for effective compliance with the CIP V5 Standards. (NERC, 2014 Aug 12, Transition Guidance, p. 2)
Slide 11
CIPv5 Transition Guidance
• To help ensure that they are fully compliant with the CIP V5 Standards upon the effective date, Responsible Entities may need or prefer to transition from compliance with the requirements of the CIP V3 Standards to implementation of the requirements of the CIP V5 Standards during the Transition Period. As such, there may be a period of time prior to the effective date of the CIP V5 Standards date when Responsible Entities begin to operate in accordance with the CIP V5 Standards while the CIP V3 Standards are still mandatory and enforceable. (NERC, 2014 Aug 12, Transition Guidance, p. 2)
Slide 12
CIP v5 Transition Options*
*see Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)
Slide 13
CIP v5 Transition Guidance
• WECC recommends entities choose Option 3 and immediately start transitioning to CIPv5 compliance
– Freeze your CIPv3 program
– Roll forward the “mostly compatible” parts of CIPv3
– Integrate the remaining elements of CIPv5
• Not a huge burden for CIP-002-5.1 compliance, but may present challenges for other Standards.
• A suggested sequence of Standards for transition efforts?
[Diagram: suggested sequence, in the order shown on the slide]
– CIP-002-5.1; CIP-003-6 R3, R4
– CIP-005-5; CIP-006-6
– CIP-007-6; CIP-014-1
– CIP-010-2
– CIP-011-2
– CIP-004-6
– CIP-008-5
– CIP-009-6
– CIP-003-6 R1, R2
Slide 14
BILL Documents Option 3
Slide 15
WECC Audit Team Approach
• Use a methodical approach to deliver consistent results across all entities.
• Use the RSAW supplied by the entity as initial working papers to document the audit and findings.
• Review the Initial Evidence package supplied by the entity in response to Attachment G:
– One-line diagrams (we’ll see the BILL one-line later)
– Specific CIP-002-5.1 evidentiary documents
Slide 16
CIP-002-5.1 Audit Team Approach
• Audit to the Standard.
• Review the Evidence:
– Inventory of BES Assets
– One-line diagrams
– Application of the IRC
– R1.1, R1.2, R1.3 lists
– R2 records of current and prior approved versions of R1 & R2 documents (the Bookends)
• DR for additional information, as needed.
• Complete the RSAW
• Develop the Audit Report
Slide 17
WECC Audit Team Approach
[Flowchart: the CIP-002-5.1 process as the audit team walks it]
• Optional: apply the BES Definition to the inventory of BES assets. Begin the CIP-002-5.1 process with the inventory of BES Assets.
• Apply the IRC to the inventory of BES assets to identify & list High-, Medium-, & Low-impact rated BES assets [from R1.i - R1.vi].
• Are any BES assets rated as High or Medium?
– No: place all Low BES assets on the R1.3 list and continue to R2.
– Yes: evaluate the High & Medium BES assets for all applicable BCS:
– Use the inventory of BES Cyber Assets at the High or Medium BES asset to identify BCS at each such asset.
– Validate the list of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the BES asset.
– Add BCS to the appropriate list: R1.1 High Impact BCS, R1.2 Medium Impact BCS.
– Are there more High or Medium BES assets? Yes: continue BCS evaluations. No: continue to R2.
• R2.1: Review the R1.1, R1.2, & R1.3 lists after the initial identification and at least once every 15 calendar months thereafter.
• R2.2: CIP Senior Manager or delegate approves the lists after the initial identification and at least once every 15 calendar months thereafter.
• Apply CIP-003-6 through CIP-011-2 protections to the three lists, as applicable.
• Review the application of the IRC [R1], list of High BCS [R1.1], list of Medium BCS [R1.2], list of Low Impact BES Assets [R1.3], even if such lists are null.
• Compare the lists against the one-lines and BES Asset inventory.
• If full Compliance audit:
– Hold interviews with the entity’s CIP SMEs
– Perform site visits (Trust, but Verify)
• Validate annual approval documentation [R2]
• Submit DRs, as needed, to clarify compliance
• Determine findings (NF, PV, or OEA)
• Discuss findings with the entire Cyber Security Team
• Complete RSAW
• Prepare CIP audit report (ATL & CPC)
Slide 18
Attachment G*: CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its implementation to consider each BES asset included in the asset types listed in R1.i - R1.vi to identify the following lists:
– [R1.1]: A list of High impact BCS at each asset identified by application of Attachment 1, Section 1.
– [R1.2]: A list of Medium impact BCS at each asset identified by application of Attachment 1, Section 2.
– [R1.3]: A list of Low impact BES Assets identified by application of Attachment 1, Section 3.
• [R2]: Signed and dated records of the CIP Senior Manager or delegate reviews and approvals of the identifications required by R1, even if such lists are null.
* The 2015 Attachment G document is still in progress and may change to some degree, but these basic sets of evidence will be expected in the initial evidence package.
Slide 19
WECC Audit Team Approach
• Submit Data Requests [DRs] for any additional information that will support the entity’s compliance efforts, e.g.:
– Prior documentation to provide bookends
– Address any questions or concerns
Slide 20
CIP-101 Mock Audit Overview
• BILL declared Option 3 of the recent NERC CIPv5 Transition Guidance (NERC, 2014 Sept 17, p. ).
• BILL compared its inventory of BES Assets against the current definition of Bulk Electric System (NERC, 2014 Sept 17, Glossary of Terms, pp. 18-21; NERC, 2014 April, BES Definition Guidance Document, v2).
• BILL identified and documented lists of High and Medium Impact BCS and a list of Low Impact BES Assets through an application of the Impact Rating Criteria [IRC] (NERC, 2013 Nov 22, CIP-002-5.1: Attachment 1, pp. 14-16).
• BILL requires a full Compliance audit on CIP-002-5.1 through CIP-011-1
– First week: Discovery phase at WECC offices
– Second week: Compliance audit at BILL office
Slide 21
CIP-101 Mock Audit Overview
• This session covers a mock audit of CIP-002-5.1 only.
• The mock audit squeezes 2 weeks of audit activities into a few hours.
– Sample DRs
– Mock Interview
– Site Visits
– Use the RSAW as the guiding document
– Present and review evidence for each requirement
– What do YOU think is the appropriate finding for each requirement?
Slide 22
CIP-101 Mock Audit
• Walk through the audit process in more detail
• Explain the differences between a reduced scope off-site audit and a full Compliance audit
• The Mock Audit simulates a Compliance audit of Billiam Power Company [BILL]
• BILL is registered with NERC as a BA, DP, GO, GOP, LSE, TO, TOP, TP, and TSP.
• For the CIP audit, the BA, DP, GO, GOP, TO, and TOP functions are in scope.
Slide 23
Review Initial Evidence
• Received from the entity in the initial evidence package
• Responses to data requests in Attachment G
• Information contained in the entity response to the RSAWs
• Sets the stage for the initial audit review
– Discovery phase at the WECC offices
• Followed up by additional Data Requests as needed
Slide 24
The BILL System*
• Billiam Power Company’s (hereafter referred to by its NERC acronym, BILL) Balancing Authority (BA) area is effectively within the boundaries of the three counties on the western edge of Some State, bordered by Another State on the north and the Almost Mountains on the east and south. These three counties occupy about 15% of the land area of the state and contain about 20% of the state’s population.
• BILL is registered as a BA, DP, GO, GOP, LSE, TO, TOP, TP, TSP
Slide 25
The BILL System (Generation)
• BILL’s primary generation station is located in eastern Whatchamacallit County. The BILL generation station has two 1,000 MW fossil fuel generating units. The output of these units supports BILL’s native load and any available excess energy is marketed throughout the WECC Interconnection.
• BILL owns and operates nine Combustion Turbines (averaging 30 MW each) located near various consumer load centers throughout the service territory. These CTs are primarily used as peaking units and for voltage and frequency support during the summer months.
Slide 26
The BILL System (Generation)
• BILL also owns and operates the BILL-3 Hydroelectric plant on the Sweet William River. BILL-3 has a nameplate rating of 100 MW. This hydro unit is Blackstart capable and is connected to the BILL Generation Station through a dedicated 115 kV line that runs 87 miles from Sub3 to Sub1.
• Total BILL generation capacity is 2,380 MW.
Slide 27
The BILL System (Transmission)
• There are two synchronous 345 kV interties with adjacent BAs that define the BILL BA area. These ties are with XXXX Electrical Utility and YYYY Federal Power District at Sub1, which is adjacent to the BILL Generation Station.
• The BES portion of BILL’s BA area, its 345 kV, 230 kV, and 115 kV facilities, includes 190 miles of 345 kV transmission lines, 450 miles of 230 kV lines, and 973 miles of 115 kV lines.
• BILL owns and operates two 345 kV substations, 25 230 kV substations, and 52 115 kV substations throughout its service territory. BILL serves its native residential and commercial load through its 115 kV and 230 kV transmission facilities.
Slide 28
The BILL System (Control Centers)
• BILL’s Generation and Transmission Facilities are monitored and operated from the Primary Control Center (PCC) located at the corporate headquarters in Big Bill City. BILL also maintains a hot stand-by Back-up Control Center (BUCC) located in its operations center in Little Bill City, which is approximately 50 miles from the PCC.
• BILL is a summer peaking BA and BILL’s BA all-time area peak load was recorded on July 20, 2010 at 2,482 MW.
Slide 29
BILL One-Line Diagram
Slide 30
BILL’s BES Asset Identification
• The first step in a normal CIP-002-5.1 audit is to review the application of the IRC
– Starts with an overall Inventory of entity BES assets.
– Did the entity use the new BES Definition to exclude any BES Assets?
• If so, review and validate those exclusions
– Use the IRC to identify and document the R1.x lists
Slide 31
High IRC (Control Centers)
Slide 32
Medium IRC (Control Centers)
Slide 33
Low IRC (Control Centers)
Slide 34
R1.i: Example of Auditable Process
Slide 35
BILL’s BES Asset Identification
• Were applicable BES assets evaluated relative to IRC criteria 2.3, 2.6, or 2.8?
• Did BILL demonstrate coordination with the applicable registered function(s)?
– If not, should we submit a data request?
Slide 36
Medium IRC (Transmission)
Slide 37
Medium IRC (Transmission)
Slide 38
Medium IRC (Transmission)
Slide 39
Medium / Low IRC (Transmission)
Slide 40
R1.ii: Example of Auditable Process
Slide 41
Medium IRC (Generation)
Slide 42
Medium / Low IRC (Generation)
Slide 43
R1.iii-iv: Example of Auditable Process
Slide 44
Medium IRC (Protection Systems)
Slide 45
Low IRC (Protection Systems)
Slide 46
R1.v-vi: Example of Auditable Process
Slide 47
List of High & Medium BES assets
• Review the list of High BES assets
• Review the list of Medium BES assets
• Compare both lists to the lists developed for:
– R1.1: High impact BCS
– R1.2: Medium impact BCS
Slide 48
Compare 2013 List of Critical Assets
• For the next several years, CIP Auditors will be comparing the results of the application of the IRC to identify High and Medium BCS (primarily the BES assets containing such BCS) to the prior CIP-002-3 lists of Critical Assets and lists of Critical Cyber Assets and evaluating any significant differences.
• This may not generate a PV, but it is guaranteed to generate discussions.
Slide 49
List of Low Impact BES Assets
• Review the list of Low Impact BES Assets
• Correlate this list against the entity’s inventory of BES Assets and the list of High and Medium BCS locations.
Slide 50
BILL BES Assets: 2013 Control Centers
Slide 51
BILL BES Assets: 2014 Control Centers
Slide 52
BILL BES Assets: 2013 Substations
Slide 53
BILL BES Assets: 2014 Substations
Slide 54
BILL BES Assets: 2013 Generation
Slide 55
BILL BES Assets: 2014 Generation
Slide 56
BILL BES Assets: 2013 Special Systems
Slide 57
BILL BES Assets: 2014 Special Systems
Slide 58
Validate BES Asset Lists
• Review and compare the prior lists of CIP-002-3 R2 Critical Assets to the current lists of High and Medium BES Assets.
• Do the results seem reasonable?
• Did the entity opt to reduce its number of Transmission Assets through the application of the BES Definition?
• If so, did the entity provide valid rationale for all exclusions?
• Do the Transmission BES Medium Assets align with the one-line diagram?
• Did the entity provide evidence of net Real Power capability to support Generation Facility ratings?
• Does the audit team have any other questions before moving on to the R1.1, R1.2, and R1.3 lists?
Slide 59
BILL BES Assets: 2013 Critical Assets
Slide 60
BILL BES Assets: 2014 High & Medium BES Assets
Slide 61
2013 Critical Assets vs. 2014 High & Medium BES Assets – Net Changes
• Control Centers (High BCS)
– Both Control Centers move from the CA list to the High BES asset list
• Substations (Medium BCS)
– Subs 1 and 2 move from the CA list to the Medium BES asset list
– Add 4 (Subs 4, 7, 8, 11) to the Medium BES asset list
– 1 (Sub 3, Blackstart Cranking Path) moves to Low BES asset
– Other Transmission subs become Low BES Assets
• Generation Units (Medium and/or Low BCS)
– Big Bill Station is a Medium BES asset
– Blackstart unit becomes a Low BES asset
– Combustion turbines become Low BES assets
• Special Protection Systems (BCS Not Applicable)
– No change
Slide 62
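The rating step that the slide 18 flowchart and the net-changes summary above describe can be made mechanical for the criteria that depend only on an asset’s own attributes. The block below is an added example written by the editor, not WECC audit tooling and not BILL’s evidence: a small Python model that applies a subset of the Attachment 1 Impact Rating Criteria to a constructed inventory modelled loosely on BILL and reproduces the High/Medium/Low split above. The thresholds it encodes are the editor’s reading of criteria 1.2, 1.3, 2.1, 2.4, 2.5, 2.11-2.13 and Section 3; verify them against the standard text before relying on them. Designation-based criteria (2.3, 2.6, 2.8, 2.9) cannot be computed from an inventory and are taken as a flag the entity supplies, which is exactly why the audit asks whether BILL conferred with its RC, PA, or TP.

```python
"""Impact rating of a BES asset inventory under CIP-002-5.1 Attachment 1.

Added example (editor's code, not WECC's or BILL's process). Thresholds are
the editor's reading of criteria 1.2, 1.3, 2.1, 2.4, 2.5, 2.11-2.13 and
Section 3; check them against the standard. Designation-based criteria
(2.3, 2.6, 2.8, 2.9) are a supplied flag, not computed. The inventory at the
bottom is constructed to resemble BILL; it is not BILL's evidence.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BESAsset:
    name: str
    kind: str                                   # control_center | substation | generation | sps
    net_mw: float = 0.0                         # generation: highest rated net Real Power capability
    blackstart: bool = False                    # informational; does not raise the rating by itself
    lines_kv: List[int] = field(default_factory=list)  # substation: operating kV of each line
    stations_200kv: int = 0                     # substation: other stations connected at >= 200 kV
    functions: Tuple[str, ...] = ()             # control center: obligations performed (BA, TOP, GOP)
    designated_critical: bool = False           # RC/PC/TP designation under 2.3 / 2.6 / 2.9


def weighted_value(lines_kv: List[int]) -> int:
    """Criterion 2.5 aggregate weighted value: each 200-299 kV line counts 700,
    each 300-499 kV line counts 1300; lines below 200 kV do not count."""
    return sum(700 if 200 <= kv <= 299 else 1300 if 300 <= kv <= 499 else 0
               for kv in lines_kv)


def rate_field_asset(a: BESAsset) -> str:
    """Medium or Low for anything that is not a Control Center."""
    if a.designated_critical:
        return "medium"                                     # 2.3 / 2.6 / 2.9 (designated)
    if a.kind == "generation" and a.net_mw >= 1500:
        return "medium"                                     # 2.1
    if a.kind == "substation":
        if any(kv >= 500 for kv in a.lines_kv):
            return "medium"                                 # 2.4
        if a.stations_200kv >= 3 and weighted_value(a.lines_kv) > 3000:
            return "medium"                                 # 2.5
    return "low"                                            # Section 3: every other R1 asset


def rate_control_center(cc: BESAsset, medium_assets: List[BESAsset],
                        total_gen_mw: float) -> str:
    """High, Medium or Low for a Control Center, derived from what it operates."""
    if "BA" in cc.functions and total_gen_mw >= 3000:
        return "high"                                       # 1.2
    if "TOP" in cc.functions and any(m.kind == "substation" for m in medium_assets):
        return "high"                                       # 1.3 (approximated as: any Medium substation)
    if "TOP" in cc.functions:
        return "medium"                                     # 2.12
    if ("BA" in cc.functions or "GOP" in cc.functions) and total_gen_mw >= 1500:
        return "medium"                                     # 2.11 / 2.13
    return "low"


def rate_inventory(assets: List[BESAsset]) -> Dict[str, List[str]]:
    """Asset names grouped by rating, in inventory order. 'high' and 'medium'
    are the assets at which R1.1 / R1.2 BCS must then be identified; 'low' is
    the R1.3 list itself."""
    field_assets = [a for a in assets if a.kind != "control_center"]
    rating = {a.name: rate_field_asset(a) for a in field_assets}
    medium_assets = [a for a in field_assets if rating[a.name] == "medium"]
    total_gen_mw = sum(a.net_mw for a in assets if a.kind == "generation")
    for cc in assets:
        if cc.kind == "control_center":            # rated last: depends on the field assets
            rating[cc.name] = rate_control_center(cc, medium_assets, total_gen_mw)
    out: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for a in assets:
        out[rating[a.name]].append(a.name)
    return out


# Constructed inventory loosely modelled on the BILL description (not BILL's evidence).
BILL_INVENTORY = [
    BESAsset("PCC", "control_center", functions=("BA", "TOP", "GOP")),
    BESAsset("BUCC", "control_center", functions=("BA", "TOP", "GOP")),
    BESAsset("Sub1", "substation", lines_kv=[345, 345, 345, 230, 230], stations_200kv=5),  # weight 5300
    BESAsset("Sub2", "substation", lines_kv=[345, 345, 230, 230, 230], stations_200kv=5),  # weight 4700
    BESAsset("Sub4", "substation", lines_kv=[230] * 5, stations_200kv=5),                  # weight 3500
    BESAsset("Sub9", "substation", lines_kv=[230] * 4, stations_200kv=4),                  # weight 2800: Low
    BESAsset("Sub3", "substation", lines_kv=[115, 115]),                                   # cranking path, 115 kV: Low
    BESAsset("Big Bill Station", "generation", net_mw=2000),
    BESAsset("BILL-3 Hydro", "generation", net_mw=100, blackstart=True),
    BESAsset("CT-1", "generation", net_mw=30),
    BESAsset("BILL SPS", "sps"),
]

if __name__ == "__main__":
    for level, names in rate_inventory(BILL_INVENTORY).items():
        print(level, names)
```

Control Centers are rated last because criterion 1.3 depends on the Medium transmission assets they operate; a BA area of 2,130 MW in this inventory falls short of the 3,000 MW in criterion 1.2, so the PCC and BUCC reach High only through the TOP obligation. Sub9 shows the criterion 2.5 boundary (four 230 kV lines weigh 2,800, under 3,000), and a 345 kV station does not meet criterion 2.4 on voltage alone.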
R1: BES Asset Lists Review Questions
• Did BILL apply the IRC appropriately?
• Does BILL need to confer with its RC, PA, or TP to consider any Critical Assets relative to Criteria 2.3, 2.6, or 2.8?
• Application Questions
– Did BILL consider all BES asset types in R1.i through R1.vi?
– Did BILL review and evaluate all BES Assets through the IRC?
– Did BILL clearly identify and document all BES assets in the appropriate impact rating?
• Is any additional information necessary before we look at the BCS groupings?
– If so, do we submit a DR?
Slide 63
Identifying High and Medium BCS
• R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
– 1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
– 1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
– 1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
Slide 64
R1: Identify and Document BCS
• Add Low-impact BES assets to the R1.3 list.
• Use the lists of High- & Medium-impact BES assets.
• Identify BCA associated with each BES Asset.
• Logically group BCA into BCS.
• Document BCS on the R1.1 or R1.2 list, as appropriate.
[Diagram: R1.1-R1.2 Process: Identify BCS. Inputs: List of High & Medium Assets. Outputs: R1.1, R1.2 Lists. The List of Low Impact Assets feeds the R1.3 List directly.]
Slide 65
R1.1-R1.2: Identifying BCS
• Develop an auditable process to examine each High and Medium impact Facility
• Examine the inventory of BCA at each Facility
• Consider reliability functions
• Group BCA into logical BCS
• Identify PCA, EACMS, and PACS
Slide 66
Process to Identify BCS
CIP-002-5 requires the identification of High & Medium impact BCS, but it may be a good idea to consider & identify the different types of BCS (CIP-005-5, pp. 4-5) and associated Cyber Assets (CIP-002-5, p. 6) at this point to facilitate later determinations in the Applicability Matrices of other CIP standards:
• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS with External Routable Connectivity
• PCA
• EACMS
• PACS
[Flowchart: for each High or Medium Facility, use the inventory of BES Cyber Assets at the Facility to identify and list the R1.1 and R1.2 BES Cyber Systems (BCS); validate the list of BES Cyber Assets to account for all BCS, PCA, EACMS & PACS within/around each tentative ESP at the Facility; "Are there more High or Medium Facilities?" Yes: repeat for the next Facility. No: done.]
Slide 67
Consider Reliable Operation of the BES
• Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP-002-5.1, p. 5).
• Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP-002-5.1, p. 5).
Slide 68
Consider Real-Time Operations
• BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of the 15-minute time threshold (CIP-002-5.1, p. 5).
• The 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791, P. 123, p. 72771).
Slide 69
Consider Ancillary BES Cyber Assets
• Protected Cyber Assets [PCA]
– Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP-002-5.1, p. 6)
– May also be lower impact BCA or BCS by virtue of the high-water mark (CIP-005-5, p. 14)
• Electronic Access Control or Monitoring Systems [EACMS]
– Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP-002-5.1, p. 6)
• Physical Access Control Systems [PACS]
– Examples include: authentication servers, card systems, and badge control systems (CIP-002-5.1, p. 6)
Slide 70
BILL’s BCS Identification
• The next step in a CIP-002-5.1 audit is to review the entity’s development of the R1.1 through R1.3 lists.
• Starts with the identified lists of High and Medium impact BES assets.
• Uses the inventory of BES Cyber Assets at each such BES asset to identify and document a list of High and Medium BCS, even if such lists are null.
• Good idea to start with any existing lists of CCAs at applicable CIPv3 Critical Assets.
Slide 71
2014 BCS: Primary Control Center
Slide 72
2013 CCAs: Backup Control Center
Slide 73
2013 CCAs: SUB1
Slide 74
2012 Null Lists CCAs: Generation & Subs
Slide 75
2013 Null Lists CCAs: Generation & Subs
Slide 76
Identifying BES Cyber Assets
• Identify whether the Cyber Asset meets the definition of BCA
• Check the length of installation
• If connected for 30 consecutive calendar days or less, determine whether the Cyber Asset is a transient device (transient devices are excluded from the BCA definition)
• Group into logical BCS with associated PCA
Slide 77
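Slides 68 through 70 and the checklist just above give the rules for sorting a site’s Cyber Assets: the 15-minute test with redundancy not considered, the transient exclusion, and the PCA / EACMS / PACS buckets with the ESP high-water mark. The block below is an added example by the editor, not WECC’s or BILL’s evidence, that encodes those rules over a constructed control-center inventory and reports the two conditions an auditor would raise in a DR: a Cyber Asset that meets the BCA definition but sits in no listed BCS, and a tentative ESP that contains no BCS at all. The 30-consecutive-day transient rule and its permitted uses are the editor’s reading of the BES Cyber Asset definition; the BCS names and impact ratings are assumed inputs taken from an R1.1/R1.2 list.

```python
"""Sort a site's Cyber Assets into BCA / PCA / EACMS / PACS / transient and
check that everything inside each tentative ESP is accounted for.

Added example (editor's code, not WECC's or BILL's evidence). Rules encoded:
- the 15-minute adverse-impact test is an engineering determination supplied
  as a flag (redundancy not considered);
- a Cyber Asset connected for 30 consecutive days or less for data transfer,
  vulnerability assessment, maintenance or troubleshooting is transient and
  not a BCA (editor's reading of the BES Cyber Asset definition);
- Cyber Assets inside an ESP that are not BCA, EACMS or PACS are PCA at the
  ESP's high-water mark.
The sample inventory is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class CyberAsset:
    name: str
    esp: Optional[str]                      # tentative ESP it sits inside; None if outside every ESP
    affects_bes_within_15_min: bool         # entity's determination under the BCA definition
    bcs: Optional[str] = None               # BCS it is grouped into, if it is a BCA
    role: Optional[str] = None              # "EACMS" or "PACS" for access control / monitoring assets
    days_connected: Optional[int] = None    # None = permanently installed
    transient_use: bool = False             # data transfer / VA / maintenance / troubleshooting


def is_transient(ca: CyberAsset) -> bool:
    return ca.days_connected is not None and ca.days_connected <= 30 and ca.transient_use


def esp_high_water_marks(inventory: List[CyberAsset], bcs_impact: Dict[str, str]) -> Dict[str, str]:
    """Highest impact rating of any listed BCS with a BCA inside each ESP."""
    marks: Dict[str, str] = {}
    for ca in inventory:
        if ca.esp and ca.bcs in bcs_impact and not is_transient(ca):
            level = bcs_impact[ca.bcs]
            if ca.esp not in marks or IMPACT_RANK[level] > IMPACT_RANK[marks[ca.esp]]:
                marks[ca.esp] = level
    return marks


def classify(inventory: List[CyberAsset], bcs_impact: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """bcs_impact maps BCS name -> high/medium/low from the R1.1 / R1.2 lists.
    Returns (category per Cyber Asset, issues to raise as a Data Request)."""
    marks = esp_high_water_marks(inventory, bcs_impact)
    result: Dict[str, str] = {}
    issues: List[str] = []
    for ca in inventory:
        if is_transient(ca):
            cat = "transient"                                 # excluded before the 15-minute test
        elif ca.affects_bes_within_15_min:
            if ca.bcs not in bcs_impact:
                issues.append(f"{ca.name}: meets the BCA definition but is not in any listed BCS")
                cat = "BCA/ungrouped"
            else:
                cat = "BCA/" + bcs_impact[ca.bcs]
                mark = marks.get(ca.esp)
                if mark and IMPACT_RANK[mark] > IMPACT_RANK[bcs_impact[ca.bcs]]:
                    cat += f" (PCA/{mark} by high-water mark)"  # lower BCS inside a higher ESP
        elif ca.role in ("EACMS", "PACS"):
            cat = ca.role
        elif ca.esp is None:
            cat = "out of scope"
        elif ca.esp in marks:
            cat = "PCA/" + marks[ca.esp]                      # inside an ESP, not a BCA: PCA at the mark
        else:
            issues.append(f"{ca.name}: inside ESP {ca.esp}, which contains no BCS")
            cat = "unresolved"
        result[ca.name] = cat
    return result, issues


# Constructed sample for a Primary Control Center and two substations; not BILL's inventory.
BCS_IMPACT = {"PCC-EMS": "high", "PCC-ICCP": "high", "Sub3-RTU": "low"}
SAMPLE_INVENTORY = [
    CyberAsset("ems-app1", "PCC-ESP", True, bcs="PCC-EMS"),
    CyberAsset("scada-fep1", "PCC-ESP", True, bcs="PCC-EMS"),
    CyberAsset("iccp1", "PCC-ESP", True, bcs="PCC-ICCP"),
    CyberAsset("historian1", "PCC-ESP", False),                       # PCA: in the ESP, not 15-minute
    CyberAsset("ntp1", "PCC-ESP", False),                             # PCA
    CyberAsset("agc1", "PCC-ESP", True),                              # issue: BCA grouped into no BCS
    CyberAsset("eap-fw1", None, False, role="EACMS"),                 # EAP on the ESP boundary
    CyberAsset("radius1", None, False, role="EACMS"),
    CyberAsset("badge-srv1", None, False, role="PACS"),
    CyberAsset("vendor-laptop", "PCC-ESP", True, days_connected=5, transient_use=True),
    CyberAsset("corp-mail", None, False),                             # outside every ESP
    CyberAsset("sub3-rtu", "Sub3-ESP", True, bcs="Sub3-RTU"),
    CyberAsset("sub3-hmi", "Sub3-ESP", False),                        # PCA at the Low mark
    CyberAsset("sub9-meter", "Sub9-ESP", False),                      # issue: ESP with no BCS
]

if __name__ == "__main__":
    cats, problems = classify(SAMPLE_INVENTORY, BCS_IMPACT)
    for n, c in cats.items():
        print(f"{n:14s} {c}")
    print("issues:", problems)
```

The two issues the sample raises are the ones the validation step on slide 67 exists to catch: an ungrouped BCA means the R1.1 list is incomplete, and an ESP with no BCS usually means either a mis-drawn perimeter or a BCS that was never identified at that asset.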
Grouping BCA into BCS
• The entity determines the level of granularity of a BCS
– There may be one or more BCA within a given BCS
– Consider the BROS for your registrations
• In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the “BES Cyber System” term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term “BES Cyber System” is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts (CIP-002-5.1, 2013, p. 4)
Slide 78
Examples of BCS
[Diagram: example BCS groupings labelled EMS BCS, Generation BCS (three), Transmission BCS (two).]
Slide 79
Examples of BCA Groupings: BA/TOP
• Energy Management Systems (EMS)
• Automatic Generation Control (AGC)
• SCADA systems
• Network Management Systems (NMS)
• PI systems (Historians)
• ICCP systems (Communications)
Slide 80
Examples of BCA Groupings: BA/TOP
Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/control-center/control_center_details.jpg
[Diagram: control center network annotated with ESP boundaries, High BCS, PCA, and "Low or No BCS" labels.]
Slide 81
Examples of BCA Groupings: BA/TOP
• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems
Slide 82
Examples of BCA Groupings: TO/TOP
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from http://publicintelligence.net/scada-a-deeper-look/
[Diagram: SCADA architecture annotated SCADA Component BCS, EMS BCS (two), RTU BCS, Protective Relay BCS.]
Slide 83
Examples of BCA Groupings: GO/GOP
• Digital Control System (DCS)
• Control Air System (CAS)
• Water Demineralization System
• Coal Handling System
• Gas Control System
• Environmental Monitoring System
• RTU (Communications)
• Generator Protection Systems (Relays)
Slide 84
Examples of BCA Groupings: GO/GOP
Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf
[Diagram: plant control architecture annotated Medium BCS (four), PCA (three), Low BCS.]
Slide 85
Consider BCS Types
• High Impact BCS
• High Impact BCS w/ Dial-up Connectivity
• High Impact BCS w/ External Routable Connectivity
• Medium Impact BCS
• Medium Impact BCS at Control Centers
• Medium Impact BCS w/ Dial-up Connectivity
• Medium Impact BCS w/ External Routable Connectivity
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)
Slide 86
R1.1: Example of Auditable Process
Slide 87
R1.1: Example of Auditable Process
Slide 88
R1.3: Example of Auditable Process
• Any BES Asset (i.e., Facility) not rated as High or Medium defaults to a Low Impact rating and should be placed on the R1.3 list.
• BCS associated with a Low impact BES Asset also become Low impact BCS.
• At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3.
• Comply with CIP-003-6 R2 for specific technical controls.
Slide 89
BILL's Review & Approval Process
• The next step in a CIP-002-5.1 audit is to review the identifications in the lists created in R1, even if such lists are null.
– R1.1 list of High BCS
– R1.2 list of Medium BCS
– R1.3 list of Low-impact BES assets
• Review the signed and dated records of the CIP Senior Manager's or delegate's approval of the lists.
[Flow diagram: Inputs (R1.1, R1.2, R1.3 lists) → Process (R2 Review & Approval) → Outputs (Signed and Dated Records)]
Slide 90
R2: Annual Approval Review Questions
• Did BILL review its R1.1-R1.3 lists at least every 15 calendar months after the initial identifications?
• Did BILL update the lists, as necessary?
• Did the BILL CIP Senior Manager or delegate approve the R1.1-R1.3 lists at least every 15 calendar months after the initial identification, even if such lists are null?
• Application Questions
– Did BILL provide evidence of periodic list reviews [R2.1] and signed and dated approvals [R2.2]?
• Are any DRs necessary?
– If so, what additional information is required?
Slide 91
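The cadence questions above are mechanical enough to run over the approval evidence before the interview. The Python below is an added example written for this page, not WECC's or BILL's code: the approval records, approver names, audit-period end date, and the rule for rolling a month-end date forward are all constructed assumptions. It flags a required list (null lists included) with no approval record, an unsigned record, a gap of more than 15 calendar months between consecutive approvals, and a latest approval that had already lapsed when the audit period ended.

```python
from datetime import date
import calendar

# Constructed sample evidence (hypothetical, not BILL's actual records): the
# signed/dated approval log an entity might return for an R2 data request.
APPROVALS = [
    {"list": "R1.1", "approved_on": date(2013, 1, 31), "approver": "CIP Senior Manager", "signed": True},
    {"list": "R1.1", "approved_on": date(2014, 4, 30), "approver": "CIP Senior Manager", "signed": True},
    {"list": "R1.2", "approved_on": date(2013, 1, 31), "approver": "Delegate", "signed": True},
    {"list": "R1.2", "approved_on": date(2014, 5, 1), "approver": "Delegate", "signed": True},
    # R1.3 is a null list in this scenario, and no approval record was produced for it.
]
REQUIRED_LISTS = ("R1.1", "R1.2", "R1.3")   # every list needs approval, null or not
AUDIT_PERIOD_END = date(2014, 9, 24)        # hypothetical end of the audit period


def add_calendar_months(d, months):
    """Shift d forward by whole calendar months. The day is clamped to the
    length of the target month (Jan 31 + 1 month -> Feb 28 or 29); that
    clamping rule is this example's assumption, not language from the standard."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def check_r2_cadence(approvals, audit_period_end, max_months=15):
    """Return finding strings for: a required list with no approval at all
    (null lists included), an approval record that is not signed, a gap of
    more than max_months calendar months between consecutive approvals, and a
    latest approval that had already lapsed by the end of the audit period.
    An empty result means the evidence shows no R2 cadence concern."""
    findings = []
    for name in REQUIRED_LISTS:
        recs = sorted((r for r in approvals if r["list"] == name),
                      key=lambda r: r["approved_on"])
        if not recs:
            findings.append(f"{name}: no signed and dated approval in evidence "
                            "(null lists still require approval)")
            continue
        for r in recs:
            if not r["signed"]:
                findings.append(f"{name}: approval dated {r['approved_on']} is not signed")
        # Each approval must land no later than max_months after the previous one.
        prev = recs[0]["approved_on"]
        for r in recs[1:]:
            deadline = add_calendar_months(prev, max_months)
            if r["approved_on"] > deadline:
                findings.append(f"{name}: approval on {r['approved_on']} came after the "
                                f"{deadline} deadline set by the {prev} approval")
            prev = r["approved_on"]
        # The most recent approval must still be current at the end of the audit period.
        deadline = add_calendar_months(prev, max_months)
        if audit_period_end > deadline:
            findings.append(f"{name}: last approval on {prev} lapsed on {deadline}, "
                            f"before the audit period ended on {audit_period_end}")
    return findings


def run_sample():
    """Run the check over the constructed evidence; used by the demo below."""
    return check_r2_cadence(APPROVALS, AUDIT_PERIOD_END)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the file produces one finding for R1.2 (the second approval is one day past the 15-calendar-month window opened by the first) and one for the R1.3 null list, which has no approval record at all; the R1.1 approvals, spaced exactly 15 calendar months apart, produce nothing. Whether a month-end date rolls to the last day of the target month is the example's own choice and is exactly the kind of edge case worth settling with the entity during the interview rather than in the findings table.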
On-Site Activities: The Interview
• Set up through an interview DR the prior week
• Typically held on Monday of the on-site week, immediately after the opening presentation
• Examines the entity's understanding of and approach to R1-R4
• Covers any areas of concern raised through the initial evidence review
• Schedule follow-up interview(s), if needed, after the site visits
Slide 92
On-site activities: Mock Interview
• Need four volunteers
– You are BILL SMEs
– No, you don't get to practice
• We will ask a series of questions that we generally ask all CIP-002 SMEs
• Also ask questions of concern, if indicated by the initial review of the evidence
• The Interview Question Set
Slide 93
On-site activities: Mock Interview
• What did we learn from the interview?
• What was the key issue from an audit perspective?
• Should we find a PV for this issue?
• Why or why not?
Slide 94
On-Site Activities: Site Visit
• Set up through a site visit DR the prior week
• Itinerary determined through review of the initial evidence
• Trust, but verify. Why?
• Depending on entity size, this may involve 100% validation or a statistical sampling:
• Where?
– Control Centers
– Generation Facilities
– Transmission Facilities
• What?
– High and Medium BCS
– A non-statistical sampling of Low Impact BES Assets
Slide 95
On-Site Activities: Site Visit
• Who?
– CIP-002-5.1 Sub-Team
• Validates R1.1, R1.2, and R1.3 lists, even if such lists are NULL
• Works in conjunction with the CIP-005 sub-team
– CIP-005-5 Sub-Team
• Validates Electronic Access Points [EAPs] and Electronic Access Control and Monitoring devices [EACMs]
• Confirms ESP boundaries
– CIP-006-5 Sub-Team
• Validates PSPs and Physical Access Controls, such as PACS, cameras, logs, etc.
• My colleague provided an overview of CIP-006 audit activities earlier.
Slide 96
On-Site Activities: CIP-002-5.1 Site Visit
• What?
– Validate lists of BCS
– Validate null lists of BCS (if applicable)
– Look for aberrations from the lists
– Hold informal interviews with entity SMEs
• When?
– Visit remote sites during the off-site audit week.
– Most Control Centers on Tuesday of the on-site audit week
– May extend to Wednesday depending on number of sites visited, distances traveled, resource constraints, etc.
Slide 97
On-Site Activities: BILL Site Visits
• Visit the Primary and Backup Control Centers
– 100% validation of High BCS, PCA, etc. in both locations
– Talk to Operators & SMEs
• Visit the BILL Generation Station (BGS)
– Validate Medium and Low BCS at BGS
– Discuss CIPv5 progress at BGS
• Visit SUB1, SUB2, SUB11
– Validate the Medium BCS, PCA, etc.
– Discuss CIPv5 progress on Medium BCS at Transmission Facilities
• Visit Low-impact BES asset sampling (SUB3, SUB26, SUB53, BILL Hydro, CT1, CT8)
– Validate presence of Low BCS
– Review CIP-003-6 R2 controls
• Site Visit Questions
– Why validate the BCS at a given site?
– Why ask questions of entity SMEs?
– What do the auditors expect to find?
Slide 98
BILL Site Visits: Control Centers
• Visited the Primary Control Center
– 100% validation of High BCS
– Identified nothing out of the ordinary.
• Visited the Backup Control Center
– 100% validation of High BCS
– Identified nothing out of the ordinary.
Slide 99
Site Visits: Generation Units
• Visited BILL Generation Station
– Validated Medium BCS and Low BCS
– Identified nothing out of the ordinary.
• Visited BILL Hydro Facility, CT1, CT8
– Validated presence of Low BCS
– Reviewed compliance efforts with CIP-003-6 R2
– Identified nothing out of the ordinary.
Slide 100
Site Visits: Substations
• Visited Sub 1, Sub 2, Sub 11
– 100% validation of Medium BCS
– Noticed something strange here.
• Visited Sub 3, Sub 26, Sub 53
– Validated presence of Low BCS.
– Discussed CIP-003-6 R2 controls with CIP SMEs
– Also noticed something strange here.
Slide 101
Site Visits: What Did We See?
What is this device and what is it doing here in the subs?
Slide 102
On-Site Activities: Site Visit
• What did we learn from the site visit?
• Tour Notes DR
• Why do we validate null lists and review Low BCS?
• What was the main concern with the unexpected devices?
– Should we DR for additional information?
• Would another interview be more effective?
– Does this situation call for an R3 PV finding?
• Why or why not?
Slide 103
Discussing the Findings
• Discuss the Findings with the whole Cyber Security Team.
• Is there a PV for the undocumented devices?
– R1.2: Undeclared Medium BCS on R1.2 list?
• Review BCA at the Combustion Turbines.
• Does the entity have documentation from its TP or PA/PC that exempts the CTs from Criterion 2.3? (See previous audit OEA.)
– R1.2: Incorrect identification of Medium BCS w/ Dial-up Connectivity?
• The Substation Modems.
• Gain team consensus on any PV.
• Determine the scope of a potential PV.
– How do we do this?
• Complete the CIP-002-5.1 Findings Table in the RSAW.
• Submit to the ATL and CPC for the Closeout Presentation.
Slide 104
Value-Added Activity: Feedback
• WECC Audit Teams never prescribe solutions, but we always brief entities on Findings and:
– Encourage good security practices,
– Discuss examples of industry best practices we've seen on other audits (without identifying the entities),
– Identify Areas of Concern, which may not be violations, but which could stand improvement,
– Provide suggestions and/or Recommendations, when appropriate, and
– Support development of a sustainable compliance culture.
Slide 105
Audit Documentation: The RSAW
• An auditor is judged by the quality of his or her working papers.
– Complete the RSAW
– Review evidence and notes for final determinations
– DR for any final needed information
– Document Findings
Slide 106
Audit Documentation
• Auditors review evidence, find facts, and report findings
– Turn PVs over to the Enforcement team
– Enforcement team depends heavily on the quality of auditor documentation
• Be Literate, be Concise, but above all else, Be Accurate.
• If it's not written down, it didn't happen.
Slide 107
Post-Audit Auditor Activities
• The Audit Report
– Work with ATL & CPC
– Verify findings and other information related to audited standard(s)
• Document findings in webCDMS
– PV & OEA findings only
• Work with WECC Enforcement personnel to support Investigations as SME for audit processes and findings
Slide 108
Post-Audit Auditor Activities
• Participate in entity Outreach activities, such as this event and CIPUG meetings.
• Be available and responsive to entity questions & comments.
• Work with NERC and other regions at the National level:
– Compliance working groups
– Follow Drafting team progress
– Comment on new Standards, guidance documents, etc.
– Attend and present at compliance conferences & workshops
– Pilot studies like the recent CIPv5 Pilot Study
Slide 109
Summary
• Audit to the Standard
• Provide useful feedback to the entity
• Prepare a valid audit report
• Be available to CIP personnel at the entities
• Work at the National level
Slide 110
Remember the Auditor's Mission
Just the facts, Ma'am, just the facts!
Slide 111
References
• FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard – BES Cyber System Categorization. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-002-5.1&title=Cyber%20Security%20—%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014 April). Bulk Electric System Definition Reference Document (Version 2). Retrieved from http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%20Definition%20of%20Bulk%20Electri/bes_phase2_reference_document_20140325_final_clean.pdf
Slide 112
References
• NERC. (2014 August 12). Cyber Security Standards Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards. Retrieved from http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
• NERC. (2014 September 17). Glossary of Terms used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_of_terms.pdf
Slide 113
Speaker Contact Information
Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320, Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351 (O) 801.734.8357
Slide 114