Q1 Q – The data retention period for Standards CIP-002 to CIP-009 versions 2 and 3 states: “The Responsible Entity shall keep all documentation and records from the previous full calendar year unless directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.” Can I presume that documents and evidence not relevant (outdated) during that time frame will not be subject to review during a three year or six year audit or spot-check?
A – ReliabilityFirst will conduct CIP audits for the compliance period of the previous full calendar year to the date of the audit. This means that any document that was in effect on January 1, 2010, or later may be examined in an audit occurring in 2011. As it is possible the rules may change, ReliabilityFirst suggests that entities keep documents beginning with the most recent audit unless otherwise indicated by the language of the requirement.
Q2 Q – If a CCA is identified today as not being able to have malware installed in compliance with CIP-007 R4, but the CCA was not included in a TFE previously, is that a violation of CIP-007 R4? This could be generalized to any CCA found to not meet a requirement which should have been included in a TFE but was missed when the TFEs were prepared.
A – The Entity should file a Self-Report, and the Mitigation Plan should include submitting a TFE.
Q3 Q – For those TFEs where the "compensating measures and/or mitigating measures are complete", can you provide direction on the expectation for submitting a Quarterly Report?
A – Quarterly Reports are required for all “Approved” TFEs regardless of the status of their Compensating/Mitigating Measures.
Q4 Q – Could you please comment on the use of VLANs? Is this an acceptable means for separating networks and ESPs sharing a common firewall?
A – VLANs are not prohibited by the language of the standard. However, care is needed in the configuration of VLANs and the associated compliance documentation. If VLANs residing within an ESP and VLANs not within an ESP are mixed on the same switch, then that switch will meet the definition of an access point to the ESP and must be documented and protected accordingly.
Q5 Q – Per CIP-005 R1.2, "For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device." What should be on the ESP diagram/within the ESP? Just the access modem per R1.2? Do CCAs go outside or inside the ESP since these are connected via a non-routable protocol?
A – The CIP-005-1 FAQ Q3 gives us the guidance, “If a dialup modem on a critical bulk electric asset is used for configuration or polling it must be in an Electronic Security Perimeter that is just around the dialup access point (e.g., SCADA-controlled, dial-back, or other technologies that give proper access controls and logging).” So in this case the ESP would be drawn only around the modem. In addition, CIP-006-3, D.1.5.2 gives the guidance, “For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall not be required to comply with Standard CIP-006-3 for that single access point at the dial-up device.”
Q6 Q – Please describe what is done on a tour of substations as part of a compliance audit. Will the number of substations visited be based on the sampling criteria?
A – a) ReliabilityFirst is currently reviewing the necessity of on-site visits to generation plants and/or transmission substations. The ATL may determine that such visits are necessary in order to complete an audit. If site visits are required, auditors, using the entity’s policy and procedures related to physical security perimeters as a guide as well as the wording of the CIP-006 requirements, will concentrate on the physical security perimeter defined by the entity, aspects of the six-wall border such as entrance and exit points, and monitoring and alarm responses such as logs, card key systems, security, etc.
b) The number of substations to be visited will be determined through statistical sampling or non-statistical sampling, depending on the number of substations eligible for a site visit. Location of substations is not a factor in determining the number of sites to be visited.
Q7 Q – Please describe what is done on a tour of control centers as part of a compliance audit.
A – From a physical security perspective, control center tours will concentrate on the physical security requirements as identified in the entity’s policy, procedures, and the wording of CIP-006. In addition to the physical security assessment, tours of control rooms may include conversation with one or more controllers in order to assess their knowledge of CIP requirements applicable to a control center environment. There is no official “checklist” for what to look for or assess during a control room tour, so each site visited may vary in content and focus.
Q8 Q – Please describe the CIP compliance audit timeline starting at the 90 day notice and audit logistics (e.g., number of teams, room requirements). Is CIP-001 included?
A – The CIP compliance audit timeline, following the entity’s receipt of the 90 day notification package, includes the following milestones:
- Audit Team Lead (ATL) contacts the entity to discuss the audit process approximately 85 calendar days before the scheduled audit.
- Entity submits the evidence package to ReliabilityFirst 40 calendar days before the scheduled audit.
- Audit team conducts pre-audit reviews during the weeks just prior to the scheduled audit.
- Audit team conducts the scheduled onsite audit, including Opening and Exit Briefings. One week onsite is typical but can be extended as needed.
- Audit team develops the audit report following the scheduled audit. This activity can take up to 70 business days, from draft to final version, based on the comment and review cycles with the audit team and entity.
The audit logistics are explained within the 90 day audit notification letter and the following documents within the 90 day notification package: General Instructions and Audit Preparation Guidelines. Any specific logistics or needs are addressed between the ATL and the Entity’s Primary Compliance Contact prior to conducting the scheduled audit. Until otherwise notified, CIP-001 will continue being audited in the scope of the Operations and Planning (e.g. 693) Standards.
Q9 Q – Do you anticipate the January 2011 self certification to cover both version 2 and version 3 or just version 2 CIP standards?
A – Currently, NERC has communicated, within the ERO, that the January 2011 CIP Self Certifications will be collected covering the CIP V2 standards for the period of 4/1/2010 to 9/30/2010. NERC is in the process of finalizing a NERC Compliance Public Bulletin for posting in the near future.
Q10 Q – How are web-based pre-audit reviews between audit teams or with entity SMEs secured?
A – Web-based meetings are secured using common best practices which include, but are not limited to, passwords and SSL communication. ReliabilityFirst holds all audit related materials in the strictest confidence and maintains Physical and Electronic Cyber Security. ReliabilityFirst ensures all CIP information is handled in accordance with CIP guidelines.
Q11 Q – When evaluating the PSP during an audit, does the entity need to provide any equipment (e.g. ladders)?
A – ReliabilityFirst is currently reviewing the necessity of on-site visits to generation plants and/or transmission substations. The ATL may determine that such visits are necessary in order to complete an audit. If site visits are required, the entity will be requested to provide hard hats, goggles, and any equipment necessary to perform the team assessment of the site. Generally, auditors will not need to use a ladder; however, the immediate availability of one would maximize time for completion of a site visit.
Q12 Q – When defining “annual”, as in testing, some testing must be done when appropriate and done earlier than every 12 months. If testing is done early, but not in consecutive years, is that deemed non-compliant? For instance, testing on 2/28/10 for 2010 compliance and then testing on 12/31/10 for 2011 compliance. If our definition of “annual” is stated in writing as such, if not defined in the standard by NERC or RFC, is this sufficient for compliance? This applies to both CIP and 693 standards.
A – Until such time as NERC provides additional guidance, ReliabilityFirst will consider a reasonable definition of the term annual, as long as that definition is defined within an entity’s compliance program or applicable procedures. If the definition of annual is not included in the entity’s documentation, ReliabilityFirst auditors will use the pending NERC definition of annual as at least once per calendar year, but not exceeding 15 months between occurrences. A definition of annual that is not “within reason” might be one that defines annual as “every 18 months.” In your specific example, if your compliance documentation states that testing for a calendar year may be done before that calendar year starts, and provides a limit to how much before the calendar year is acceptable, then a ReliabilityFirst audit may find that acceptable. Without an understanding of your exact compliance situation, it is not possible to give 100% assurance on this topic. This approach is used by both CIP and 693 auditors.
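As an added illustration (not part of the original Q&A), the following Python checks a series of test dates against the two definitions of “annual” discussed above: the pending NERC definition (at least one occurrence per calendar year, no more than 15 months between occurrences) and an entity-written definition that credits a test to a later calendar year if it was performed within a stated number of days before that year starts. The lead-day limit and the reading of “15 months” as whole months with partial months rounded up are assumptions, not language from the standard.

```python
from datetime import date, timedelta


def months_between(earlier: date, later: date) -> int:
    """Whole months from earlier to later; a partial month counts as a full
    month (assumption about how '15 months between occurrences' is read)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day > earlier.day:
        months += 1
    return months


def check_nerc_annual(test_dates, years):
    """Pending NERC definition quoted by ReliabilityFirst: at least once per
    calendar year AND not exceeding 15 months between occurrences.
    Returns a list of findings (empty list means compliant)."""
    findings = []
    dates = sorted(test_dates)
    for year in years:
        if not any(d.year == year for d in dates):
            findings.append(f"no test in calendar year {year}")
    for earlier, later in zip(dates, dates[1:]):
        gap = months_between(earlier, later)
        if gap > 15:
            findings.append(f"{gap} months between {earlier} and {later} exceeds 15")
    return findings


def check_entity_annual(tests, years, max_lead_days):
    """Assumed entity-written definition: a test dated up to max_lead_days before
    January 1 of the year it is credited to counts for that year.
    tests is a list of (test_date, credited_year) pairs."""
    findings = []
    credited = {}
    for test_date, year in tests:
        earliest = date(year, 1, 1) - timedelta(days=max_lead_days)
        latest = date(year, 12, 31)
        if earliest <= test_date <= latest:
            credited.setdefault(year, []).append(test_date)
        else:
            findings.append(f"test on {test_date} cannot be credited to {year}")
    for year in years:
        if year not in credited:
            findings.append(f"no test credited to calendar year {year}")
    return findings


if __name__ == "__main__":
    # Constructed input: the dates from the question above.
    print(check_nerc_annual([date(2010, 2, 28), date(2010, 12, 31)], [2010, 2011]))
    print(check_entity_annual([(date(2010, 2, 28), 2010), (date(2010, 12, 31), 2011)], [2010, 2011], 31))
```

Under the NERC fallback the 12/31/10 test falls in 2010, leaving 2011 uncovered; under a written definition that allows a 31-day lead, the same test is credited to 2011.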
Q13 Q – Have FERC and/or NERC been on any CIP 43 audits with RFC? If yes, did NERC and FERC participate in the pre-audit reviews?
A – Yes, a NERC observer has attended a ReliabilityFirst CIP 43 audit. Both FERC and NERC have observed CIP 13 Spot Checks. In all cases, FERC and NERC observers participate in the pre-audit reviews.
Q14 Q – When Steve Garn says we need to submit the annual report “after acceptance of your TFE”, is that Part A Acceptance or Part B Acceptance?
A – The Annual Report is required for those TFEs whose Part A has been “Accepted.” It is “due on the last business day of the month immediately following the end of the fourth calendar quarter after acceptance of the TFE Request.”
Q15 Q – Are entities required to submit TFEs related to CIP-007 R5.3 if their cyber assets cannot technically enforce the password complexity requirements in CIP-007 R5.3 and its minors (R5.3.1–R5.3.3)? Is it acceptable to not file a TFE if the entity has both technical and procedural controls as CIP-007 R5 indicates: R5. Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
A – TFEs are required. The technical and procedural controls are part of the compensating and mitigating measures.
Q16 Q – For TFE annual reports, are these due 1 year after both Part A and Part B of a TFE were approved by RFC, or 1 year after just Part A was approved by RFC?
A – The Annual Report is required for those TFEs whose Part A has been “Accepted.” It is “due on the last business day of the month immediately following the end of the fourth calendar quarter after acceptance of the TFE Request.”
Q17 Q – When will the quarterly and annual TFE report templates be available?
A – The TFE Quarterly Report Template was e-mailed on October 5, 2010 to Entities who had “Approved” TFEs. The Annual Report Template will hopefully be issued by the end of this year.
Q18 Q – Does the Senior Manager signature need to be a wet signature, or can it be electronic for the TFE Quarterly Reports?
A – An electronic signature is acceptable.
Q19 Q – I thought Steve said that the quarterly reports for TFE(s) are required when Part A is Accepted.
A – Steve did say “Accepted,” which was incorrect. The slide did say “Approved,” which is correct.
Q20 Q – Steve addressed the fact that multiple TFEs may be needed for devices that cannot meet multiple sub-requirements of R5.3. However, I thought perhaps the questioner wanted to know (as I do) whether or not procedural as well as technical controls are acceptable for eliminating the need for a password TFE. I understand the case where a device simply cannot meet one or more of the R5.3 requirements. A TFE (or TFEs) is clearly required in that case. However, my question is for devices where suitable passwords are possible, but the user cannot be technically forced to choose such a suitable password. For example, Microsoft Windows passwords can in fact meet all of the R5.3 sub-requirements (length, complexity, change frequency). However, Microsoft has made it so the complexity portion cannot be ENFORCED to fully meet R5.3.2. If the entity has a policy requiring employees to choose a password meeting the complexity requirements of R5.3.2 (even if Windows does not force them to do so), is this considered an adequate procedural control, such that a TFE is not required?
A – TFEs are required. The technical and procedural controls are part of the compensating and mitigating measures.
Q21 Q – Will RFC auditors comply with any entity safety training prior to working onsite? Some internal requirements for safety require training for all personnel and visitors, depending on the asset and the required access.
A – ReliabilityFirst is currently reviewing the necessity of on-site visits to generation plants and/or transmission substations. As part of this evaluation, ReliabilityFirst is reviewing any additional training that may be needed to visit the sites and will be informing the entities of our decision.
Q22 Q – CIP-004 R4: for terminations, what type of documentation supports evidence that the access was revoked within the 24 hour or 7 day criteria?
A – The type of documentation provided to an audit team in order to demonstrate compliance with CIP-004 R4.2 is determined by each Responsible Entity. There are no set rules for what is “good enough.” If you think your evidence may be weak, you should consider supplementing it with additional relevant evidence so that you have sufficient evidence to demonstrate compliance.
Q23 Q – On TFEs, which TFEs require quarterly or annual reporting? Are all TFEs included on both?
A – Quarterly Reports are required for all “Approved” TFEs. Annual Reports are required for all “Accepted” TFEs.
Q24 Q – If there is such a high percentage of TFEs that don't have changes (mentioned 90%+), wouldn't it make more sense to have quarterly reports by exception?
A – The Excel version of the Quarterly Report Template (which has been adopted) will minimize data entry. All “Approved” TFEs must be included in the Quarterly Report.