Ben Christensen, Senior CIP Enforcement Analyst. May 15, 2014, SLC, UT

Pop quiz: Who invented the electric motor? (William Sturgeon, Thomas Davenport, Michael Faraday)
Answer: Michael Faraday

Agenda
- Help entities understand and prepare for the upcoming CIP-010-1
- Differences from, and relations to, the current requirements
- Possible pitfalls to look for while implementing CIP-010-1
- WECC's audit approach
- Best practices
Purpose of CIP-010-1
- Prevent and detect unauthorized changes to BES Cyber Systems.
- Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise.
- Document and maintain device baselines and periodically verify that they are accurate.

CIP-010-1 similarities with V3
- CIP R6: Change control and configuration management
- CIP R1: Test procedures
- CIP R4 and CIP R8: Cyber Vulnerability Assessment(s)
- CIP R9 and CIP R5: Documentation review and maintenance
Pop quiz: Who invented the modern automobile? (Henry Ford, Karl Benz, Ransom Olds)
Answer: Karl Benz
CIP-010-1 R1.1
- Applicable to Protected Cyber Assets (PCA) and specifies the information required in device baselines.
- Maps to V3 CIP R6.

CIP-010-1 R1.1 - Possible pitfall #1
- V3 CIP R6 was previously not applicable to non-CCAs residing within an ESP, so the entity never created baselines for these devices or updated its procedures to ensure baselines were maintained for them.

CIP-010-1 R1.1 - Possible pitfall #2
- The entity does not ensure that the documented baselines for all devices contain the operating system, commercial/open-source software, custom software, logical ports, and security patches applied.

CIP-010-1 R1.1 - Approach
- Ensure the entity has documented baselines for all devices (or groups of devices) in applicable BES Cyber Systems.
- Verify that baselines include operating system/firmware, commercial software, custom software, logical network-accessible ports, and security patches applied.
CIP-010-1 R1.1 - Best practice
- Use a combination of automated tools and manual walkthroughs/verifications to ensure device lists and baselines are accurate.
- Minimize the applications on devices to only what is necessary.
- Include a step to periodically verify the accuracy of applicable device lists and baselines.

CIP-010-1 R1.1 - Best practice
- Discuss and carefully plan the method for maintaining device baselines.
- Review the CIP-007 R3 presentation from the October 2013 CIPUG for common methods of maintaining this information.
- Decide which method is best for your organization: commercial software, custom software, or a spreadsheet.

CIP-010-1 R1.1 - Best practice
- Consider moving away from spreadsheets and other manual methods; look into more advanced methods for retaining the information.
- See Joe B's presentation from the October 2011 CIPUG on the advantages of moving from a spreadsheet to a relational database; it includes labeling-schema tips for implementing a database for device management.
CIP-010-1 R1.2
- Applicable to PCA and requires that changes be authorized.

CIP-010-1 R1.2 - Possible pitfall
- The entity cannot demonstrate that all changes made to the baseline(s) were authorized.

CIP-010-1 R1.2 - Approach
- Ensure all changes made to baselines have been authorized.

CIP-010-1 R1.2 - Best practice
- Update procedural documentation to include, at minimum: who can authorize changes, and to what; when authorization needs to occur; how the authorization will be documented, stored, and tracked.
- Segregation of duties: the implementer should be different from the authorizer.
CIP-010-1 R1.3
- Baselines must be updated within 30 days of a change.

CIP-010-1 R1.3 - Possible pitfall
- The entity cannot demonstrate that baselines are updated within 30 days of the changes made.

CIP-010-1 R1.3 - Approach
- Ensure the entity is updating baselines within 30 days of when the change was made.
- The start date will be determined by reviewing work orders, tracking sheets, or other documentation that details when the change actually occurred.

CIP-010-1 R1.3 - Best practices
- Procedures for updating baselines should address: who will communicate the changes made to the baselines; how the changes will be communicated; who the changes are communicated to; when the changes will be made.

CIP-010-1 R1.3 - Best practices
- Maintain a version history when updating documentation: version number; who performed the update to the documentation; who made the change to the device; who authorized the change; what was changed.
Pop quiz: Who invented the printing press?
Answer: Johannes Gutenberg

CIP-010-1 R1.4
- The impact of a change must consider the security controls in CIP-005 and CIP-007.
- Maps to V3 CIP R1.

CIP-010-1 R1.4 - Possible pitfall
- The entity verifies the same controls for all changes made to any baseline, and so does not account for different environments, devices, or changes when determining which controls could be impacted.
- This may be acceptable if all controls are verified every time.

CIP-010-1 R1.4 - Approach
- Verify that all changes made to device baselines are documented.
- Ensure the controls that may be impacted were identified and documented prior to the change; why were some controls not included?
- Review evidence supporting that the identified controls were not adversely impacted.

CIP-010-1 R1.4 - Best practices
- Procedures should include: documenting the date on which all steps taken to support cyber security controls were identified, prior to the change taking place; how potentially impacted cyber security controls are identified, and who does this; how adverse impacts will be detected, and who does this and when.

CIP-010-1 R1.4 - Best practices
- Include a peer-review step both when reviewing which controls may be impacted and when verifying that controls were not adversely impacted.
- Coordinate testing processes between departments, business units, etc. to ensure consistency.
CIP-010-1 R1.5 (cont.)
- Only applicable to high-impact systems.
- Specific to the security controls that must be tested: the security controls in CIP-005 and CIP-007.
- New test-environment requirements: document whether a test environment was used; document the differences between the test and production environments; document the measures taken to account for these differences.

CIP-010-1 R1.5 - Possible pitfall
- The entity does not document the differences between the production and testing environments.
- The entity does not take measures to account for the differences between the production and testing environments.

CIP-010-1 R1.5 - Approach
- For each change that deviates from the existing baseline: the list of cyber security controls tested; the test results; the list of differences between the production and test environments; descriptions of how any differences were accounted for; when the testing occurred.

CIP-010-1 R1.5 - Best practices
- Use a checklist or other task-management tool to reduce the likelihood of not testing all controls.
- Document specific test procedures for each cyber asset or group of assets: describe the test procedures; describe the test environment and how it reflects the production environment.
Pop quiz: When was the atomic bomb first invented?
Answer: July 1945

CIP-010-1 R2.1
- Must actively search for unauthorized changes to the baseline; automated is preferred, but it can be manual.
- Must document and investigate unauthorized changes.
- Maps to V3 CIP R6.

CIP-010-1 R2.1 - Possible pitfall
- Not consistently monitoring for changes every 35 days: the entity begins the process at the end of the month and so continuously misses the 35-day deadline, because it does not leave enough time to complete the review.
- Documentation is inconsistent, and SMEs cannot keep track of whether specific devices have an automated or a manual process for tracking configuration changes.

CIP-010-1 R2.1 - Approach (evidence)
- Logs from a system that is monitoring configurations.
- Work orders, tracking sheets, or raw-data evidence of manual investigations.
- Records of investigations into detected unauthorized changes.

CIP-010-1 R2 - Best practice
- Consider using commercial or open-source file-integrity-monitoring software for continuous monitoring.
- Start the monitoring process early enough to complete the review.
- Consider using an automated task-management tool.

CIP-010-1 R2 - Best practice: what if you find an unauthorized change?
- What change(s) have been made without authorization?
- Who made the change(s)?
- When were the change(s) made?
- How can a similar issue be prevented?
Review: CIP-010-1 R1 and R2
- True or false: Entities are required to test all changes in a test environment that reflects the production environment. False.
- True or false: Entity baselines are required to include operating system/firmware, commercial/open-source software, custom software, logical ports, and all security patches applied. True. But what about devices where some of these do not apply?
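The R1 and R2 material above describes a process (a five-element baseline, authorized changes, a 30-day update window and a 35-day monitoring cycle) without showing what the records look like. The following Python is an added example written for this page, not code from the presentation or from WECC: it holds one device baseline in the R1.1 structure, diffs it against the observed state, subtracts the changes that an authorization record covers (rejecting records where approver and implementer are the same person, per the R1.2 segregation-of-duties practice), and computes how far past the 30- and 35-day windows the entity is. The asset name, software and patch identifiers, people and dates are all constructed for illustration.

```python
"""Added example (not from the WECC presentation): CIP-010-1 R1.1 baseline
record, R2.1 change detection, R1.2 authorization check, and the R1.3 (30-day)
and R2.1 (35-day) window checks, over constructed sample data."""
from dataclasses import dataclass
from datetime import date

# The five R1.1 baseline elements, in the order the slides list them.
ELEMENTS = ("os_firmware", "commercial_software", "custom_software",
            "logical_ports", "security_patches")


@dataclass(frozen=True)
class Baseline:
    asset: str
    os_firmware: str
    commercial_software: frozenset
    custom_software: frozenset
    logical_ports: frozenset        # e.g. "tcp/502"
    security_patches: frozenset


@dataclass(frozen=True)
class Authorization:
    """Record that a change was approved before it was made (R1.2)."""
    asset: str
    element: str
    added: frozenset
    removed: frozenset
    approved_by: str
    implemented_by: str
    implemented_on: date


def diff_baselines(authorized: Baseline, observed: Baseline) -> dict:
    """Return {element: (added, removed)} for every element that differs."""
    changes = {}
    for element in ELEMENTS:
        before, after = getattr(authorized, element), getattr(observed, element)
        if isinstance(before, str):          # os_firmware is a single value
            before, after = frozenset([before]), frozenset([after])
        added, removed = after - before, before - after
        if added or removed:
            changes[element] = (added, removed)
    return changes


def unauthorized_changes(changes: dict, authorizations: list, asset: str) -> dict:
    """Drop every (added, removed) item that an authorization record covers.
    A record whose approver is also the implementer is ignored, so that
    change stays unauthorized (segregation of duties)."""
    remaining = {}
    for element, (added, removed) in changes.items():
        added, removed = set(added), set(removed)
        for auth in authorizations:
            if auth.asset != asset or auth.element != element:
                continue
            if auth.approved_by == auth.implemented_by:
                continue
            added -= auth.added
            removed -= auth.removed
        if added or removed:
            remaining[element] = (frozenset(added), frozenset(removed))
    return remaining


def days_overdue(event: date, window_days: int, today: date) -> int:
    """Days by which `today` exceeds event + window (0 while still inside it).
    window_days=30 for the R1.3 baseline update, 35 for R2.1 monitoring."""
    return max(0, (today - event).days - window_days)


# Constructed sample data for one hypothetical RTU.
AUTHORIZED = Baseline(
    "RTU-01", "VendorOS 4.2",
    commercial_software=frozenset({"HMI Viewer 7.1"}),
    custom_software=frozenset({"poll_script 1.0"}),
    logical_ports=frozenset({"tcp/22", "tcp/502"}),
    security_patches=frozenset({"VendorOS-2014-01"}),
)
OBSERVED = Baseline(
    "RTU-01", "VendorOS 4.2",
    commercial_software=frozenset({"HMI Viewer 7.1"}),
    custom_software=frozenset({"poll_script 1.0"}),
    logical_ports=frozenset({"tcp/22", "tcp/502", "tcp/23"}),   # telnet appeared
    security_patches=frozenset({"VendorOS-2014-01", "VendorOS-2014-03"}),
)
AUTHORIZATIONS = [   # only the patch was approved; the new port was not
    Authorization("RTU-01", "security_patches", frozenset({"VendorOS-2014-03"}),
                  frozenset(), approved_by="j.smith", implemented_by="a.jones",
                  implemented_on=date(2014, 4, 1)),
]


def review(today: date = date(2014, 5, 15), baseline_updated_on: date = date(2014, 4, 5),
           last_monitored_on: date = date(2014, 4, 2)) -> dict:
    """One monitoring pass: what changed, what lacks authorization, and
    whether the baseline update or the monitoring cycle has slipped."""
    changes = diff_baselines(AUTHORIZED, OBSERVED)
    return {
        "changes": changes,
        "unauthorized": unauthorized_changes(changes, AUTHORIZATIONS, "RTU-01"),
        "baseline_update_overdue_days": max(
            days_overdue(a.implemented_on, 30, baseline_updated_on) for a in AUTHORIZATIONS),
        "monitoring_overdue_days": days_overdue(last_monitored_on, 35, today),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

With the sample dates the patch is authorized and its baseline update landed inside 30 days, the telnet port is flagged as unauthorized, and the monitoring pass is 8 days past the 35-day window, which is exactly the end-of-month scheduling pitfall the R2.1 slide describes.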
CIP-010-1 R3.1
- No more annual requirement, and the CVA can be active or paper-based.
- Maps to V3 CIP R4 and CIP R8.

CIP-010-1 R3.1 - Possible pitfall
- The entity conducts its initial vulnerability assessment in January and then not again until April of the next year (16 months).
- Remember the CIP-003 pitfalls.

CIP-010-1 R3.1 - Approach
- Verify when the last CVA was conducted.
- Verify the current CVA was conducted within 15 calendar months of the previous CVA.
- Evidence could include a document listing the date of the assessment and the output of any tools used to perform the assessment.
CIP-010-1 R3.1 - Best practice
- Consider keeping vulnerability assessments for devices or groups of devices on the same cycle.
- Implement a task-management tool to help track needed tasks and deadlines.
- Review NIST SP 800-115 for guidance on conducting a vulnerability assessment.

Pop quiz: What was the first home video game console? (Atari 2600, Magnavox Odyssey, VES, RCA Studio II)
Answer: Magnavox Odyssey, developed in 1972
CIP-010-1 R3.2 (cont.)
- Only applicable to high-impact BES Cyber Systems.
- Required to be performed at least every 36 months.
- The CVA must be active and can be performed in the production or a test environment.
- A test environment must reflect production: document the differences between the test and production environments, and take and document measures to address those differences.

CIP-010-1 R3.2 - Possible pitfall
- The entity does not conduct active vulnerability assessments at least every 36 months.
- The entity performs a paper review on devices for which an active assessment is technically feasible.

CIP-010-1 R3.2 - Approach
- Verify active vulnerability assessments are conducted at least every 36 months.
- Description of the test environment and how the differences were accounted for (if a test environment was used for the assessment).
- Raw data outputs of the assessment for the applicable devices.

CIP-010-1 R3.2 - Best practices
- The vulnerability assessment should include, at minimum: network and access-point discovery; port and service identification; review of default accounts, passwords, and network-management community strings; wireless access-point review.

CIP-010-1 R3.2 - Best practice
- Where possible, conduct the vulnerability assessment on the production environment.
- Implement a task-management tool to help track needed tasks and deadlines.
- Document which SMEs are responsible for conducting the vulnerability assessment, and for which cyber assets.
CIP-010-1 R3.3
- New devices need an active vulnerability assessment prior to deployment.
- Maps to V3 CIP R1.

CIP-010-1 R3.3 - Possible pitfall
- The entity adds a new asset to production without first conducting an active vulnerability assessment.

CIP-010-1 R3.3 - Approach
- Ensure all newly added assets had an active vulnerability scan conducted prior to the device being added to production.
- Verify all necessary controls were verified as part of the assessment.
- Verify the raw data output of the vulnerability assessment can be provided.

CIP-010-1 R3.3 - Best practice
- Document specific procedures that include: the personnel responsible for conducting the test; when testing needs to occur; where testing should occur; how the testing should be conducted for each cyber asset or group of cyber assets.
- Use a checklist and/or peer reviews to reduce the chance of human error.

CIP-010-1 R3.4
- Document the planned completion date for each remediation action.
- Maps to V3 CIP R4 and CIP R8.

CIP-010-1 R3.4 - Possible pitfall
- The entity is not actively maintaining an action plan to remediate vulnerabilities found in the CVA.
- The entity is not documenting or updating the planned completion date for remediation actions.

CIP-010-1 R3.4 - Approach
- Documented results of the review or assessment.
- List of action items to remediate issues.
- Status of the action items.
- Documented proposed completion dates for the action plan.

CIP-010-1 R3.4 - Best practice
- Tie the actions outlined in the plan to specific SMEs.
- Use an automated task-management tool to track all required tasks and ensure they are being completed.
- Have steps to ensure the action plan is updated and reflects the actual proposed completion date of each action.
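The R3 slides list what an assessment must contain (port and service identification, a review of default credentials and SNMP community strings) and what the R3.4 action plan must record (each finding, its status, and a planned completion date), but they do not connect the two. The Python below is an added example written for this page, not tooling from the presentation or from WECC: it parses constructed nmap grepable-format (-oG) scan lines, compares the open ports against each asset's baseline logical ports, checks SNMP-enabled hosts for default community strings, and emits one R3.4 action item per finding. The hosts, ports, baseline, community strings and dates are all constructed; the 30-day remediation window is an assumed planning default, not a CIP requirement.

```python
"""Added example (not from the WECC presentation): port/service identification
and default-community-string review over constructed nmap -oG output, turned
into CIP-010-1 R3.4 action items with planned completion dates."""
import re
from datetime import date, timedelta

# Constructed sample: what `nmap -oG` might report for two hypothetical assets.
# Fields are tab-separated; service names come from nmap's port table.
SCAN_OUTPUT = """\
Host: 10.10.1.5 (rtu-01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 23/open/tcp//telnet///, 502/open/tcp//mbap///\tIgnored State: closed (997)
Host: 10.10.1.6 (hmi-01)\tPorts: 3389/open/tcp//ms-wbt-server///, 161/open/udp//snmp///\tIgnored State: closed (998)
"""

# Constructed: the authorized logical-port baseline per asset (R1.1 element).
BASELINE_PORTS = {
    "rtu-01": {"tcp/22", "tcp/502"},
    "hmi-01": {"tcp/3389"},
}

# Constructed: community strings pulled from device configs during the review.
CONFIGURED_COMMUNITIES = {"hmi-01": {"public", "n3rc-r0-xyz"}}
DEFAULT_COMMUNITIES = {"public", "private"}

_HOST_RE = re.compile(r"Host: \S+ \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")
_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_open_ports(grepable: str) -> dict:
    """Return {hostname: {"tcp/22": "ssh", ...}} from nmap -oG lines."""
    found = {}
    for line in grepable.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        found[host] = {f"{proto}/{num}": svc for num, proto, svc in _PORT_RE.findall(ports)}
    return found


def port_findings(scan: dict, baseline: dict) -> list:
    """Open ports missing from the baseline, and baseline ports not observed."""
    findings = []
    for host, open_ports in scan.items():
        expected = baseline.get(host, set())
        for port in sorted(set(open_ports) - expected):
            findings.append((host, f"unexpected open port {port} ({open_ports[port] or 'unknown'})"))
        for port in sorted(expected - set(open_ports)):
            findings.append((host, f"baseline port {port} not observed; verify baseline accuracy"))
    return findings


def snmp_findings(scan: dict, communities: dict) -> list:
    """Hosts answering SNMP that still use a default community string."""
    findings = []
    for host, open_ports in scan.items():
        if "udp/161" in open_ports:
            for name in sorted(DEFAULT_COMMUNITIES & communities.get(host, set())):
                findings.append((host, f"SNMP default community string '{name}' in use"))
    return findings


def action_plan(findings: list, assessed_on: date, days_to_remediate: int = 30) -> list:
    """R3.4: one action item per finding, with status and planned completion date."""
    return [{"asset": host, "finding": text, "status": "open",
             "planned_completion": assessed_on + timedelta(days=days_to_remediate)}
            for host, text in findings]


def assess(assessed_on: date = date(2014, 5, 15)) -> list:
    scan = parse_open_ports(SCAN_OUTPUT)
    findings = port_findings(scan, BASELINE_PORTS) + snmp_findings(scan, CONFIGURED_COMMUNITIES)
    return action_plan(findings, assessed_on)


if __name__ == "__main__":
    for item in assess():
        print(item)
```

On the sample data this yields three open items: telnet on rtu-01 and SNMP on hmi-01 are outside their baselines, and hmi-01 still answers to "public". The "baseline port not observed" branch matters as much as the unexpected-port branch: a service that the baseline lists but the scan no longer sees usually means the baseline itself is stale, which is an R1.1 accuracy problem rather than a vulnerability.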
Review: CIP-010-1 R3
- True or false: Entities are required to test all changes in a test environment that reflects the production environment. False.
- An active CVA is not required for medium-impact facilities, or for like devices with similar baseline configurations.

Review: CIP-010-1 R3
- True or false: Entities will be required to meet the expected completion date of action plans to remediate issues found during the vulnerability assessment. True. However, the entity can update the expected date if more time is needed, provided the update is reasonable, justified, and made prior to the due date.

Additional resources
- CIP-010-1
- NERC version 4 to version 5 mapping
- Glossary of Terms Used in NERC Reliability Standards
- NIST SP 800-115 (security testing)

Summary
- Know what is required for each BES Cyber System.
- Create and maintain device baselines.
- Track and manage deadlines.
- Review the referenced NIST documents for added guidance.
Ben Christensen, Senior CIP Enforcement Analyst. May 15, 2014, SLC, UT

Agenda
- Help entities understand and prepare for the upcoming CIP standard
- Differences from, and relations to, the current requirements
- Possible pitfalls to look for while implementing CIP-011-1
- Implementation tips

CIP-011-1 general pitfalls
- Identify, Assess, and Correct (IAC): FERC has conditionally approved CIP on the basis that NERC's Standard Drafting Team make clarifications to, or remove, the IAC language.
- BES Cyber System: pay special attention to the applicable BES Cyber Systems in each requirement.
Purpose
- Prevent unauthorized access to BES Cyber System Information.

BES Cyber System Information
- "Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System" (NERC glossary).

BES Cyber System Information includes:
- Security procedures/information about BES Cyber Systems, PACS, and EACMS
- Lists of devices with IP addresses
- Network diagrams

BES Cyber System Information does NOT include individual pieces of information that by themselves do not pose a threat and could not be used to allow unauthorized access, such as:
- Device names
- Individual IP addresses
- ESP names
- Policy statements

CIP-011-1 similarities with V3
- CIP R4: Information protection
- CIP R7: Disposal or redeployment
CIP-011-1 R1.1 language
- No longer a requirement to classify BES Cyber System Information.
- Maps to V3 CIP R4.

CIP-011-1 R1.2
- Procedures for protecting information must now address storage, transit, and use.
- Maps to V3 CIP R4.

CIP-011-1 R1.1 - Evidence
- Documented BES Cyber System Information method: how do you identify BES Cyber System Information (labels, classification)?
- Repository, or electronic and physical locations, used to house BES Cyber System Information.

CIP-011-1 R1.2 - Evidence
- Procedure for protecting BES Cyber System Information in storage, in transit, and in use.
- Records that information was handled per your procedures (e.g., a change-control ticket).

CIP-011-1 R1 - Possible pitfall
- The information protection plan does not address storage, transit, and use of BES Cyber System Information.

CIP-011-1 R1 - Implementation tips
- Consider the different variables when determining how to properly protect information during transit, storage, and use: digital information stored locally; physical information stored inside a PSP or not; information held by vendors or accessed by vendors.
CIP-011-1 R2.1
- Focus is now on preventing unauthorized retrieval instead of data destruction.
- Maps to V3 CIP R7.

CIP-011-1 R2.2
- Focus is now on preventing unauthorized retrieval instead of data destruction.
- Maps to V3 CIP R7.

CIP-011-1 R2.1 - Evidence
- Records of sanitization actions: clearing, purging, destroying.
- Records tracking: encryption; media held in a PSP.

CIP-011-1 R2.2 - Evidence
- Records showing media was destroyed prior to disposal.
- Other records of actions taken to prevent unauthorized retrieval of BES Cyber System Information.

CIP-011-1 R2 - Possible pitfall
- The entity secures cyber assets that are no longer used but still contain BES Cyber System Information in a location that is not restricted to only those individuals with access to BES Cyber System Information.

CIP-011-1 R2 - Implementation tips
- Review the NIST SP guidance on developing media sanitization processes.
- Where possible, erase, destroy, degauss, or encrypt data as soon as possible after a device is no longer needed, to reduce mishandling of devices or BES Cyber System Information.
CIP-011-1 - Scenario 1
- What if I have a third party host my email? Do I need to protect this information under CIP-011-1?

CIP-011-1 - Scenario 2
- I have hard copies of my network diagrams located in a secure facility. Do I need to include these in my CIP program?
CIP-011-1 - Scenario 1: It depends
- What if I have a third party host my email? Do I need to protect this information under CIP-011-1? It depends.
- What type of information is stored on the Exchange server? If it is BES Cyber System Information, how do your procedures account for emails containing this information?
CIP-011-1 - Scenario 2: Yes
- I have hard copies of my network diagrams located in a secure facility. Do I need to include these in my CIP program? Yes.
- What type of information is on the diagrams? BES Cyber System Information: a list of all IP addresses and a list of all network access points.
- What do your procedures state about securing hard copies? What facilities might contain this information?

Additional resources
- CIP-011-1
- NERC version 4 to version 5 mapping
- Glossary of Terms Used in NERC Reliability Standards
- NIST SP guidance on media sanitization and disposal