Slide 2: Agenda
Differences and relations to current requirements
Audit approach
Possible pitfalls to look for while transitioning to version 5
Implementation tips
Slide 3: CIP 003-5 R1 Differences
CIP 003-3 R1 | CIP 003-5 R1
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
1.1 Personnel & training (CIP-004);
1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
1.3 Physical security of BES Cyber Systems (CIP-006);
1.4 System security management (CIP-007);
1.5 Incident reporting and response planning (CIP-008);
1.6 Recovery plans for BES Cyber Systems (CIP-009);
1.7 Configuration change management and vulnerability assessments (CIP-010);
1.8 Information protection (CIP-011); and
1.9 Declaring and responding to CIP Exceptional Circumstances.
Note: Implementation of these policies is addressed in standards CIP through CIP-011-1; therefore it is not part of this requirement.
CIP R1 | CIP R1
Slide 4: What is a CIP Exceptional Circumstance?
“A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.” (NERC, 2014, Glossary of Terms, p. 19)
Slide 5: CIP R1 Audit Approach
Is there a documented policy or policies that address the nine (9) topics?
There can either be a single policy that covers all topics or an individual policy for each.
Do the policies specifically state High and Medium Impact BES Cyber Systems?
Slide 6: CIP-003-5 R1 Audit Approach (cont.)
Cyber Security Policy:
Was it reviewed by the CIP Senior Manager once every 15 calendar months?
Evidence of review/approval, including wet-ink or electronic signature and version control/revision history with action and date.
If the document is in a document management system, provide a screenshot of what the CIP Senior Manager reviewed, and include the approval signature page associated with the reviewed document.
Slide 7: CIP-003-5 R1 – Possible Pitfall
Policy doesn’t address all identified topics in the requirement
Not consistently reviewing every 15 months
Current annual schedule may not meet the requirement
Notifications and alerts may not get updated
Slide 8: CIP-003-5 R1 Implementation Tips
Set up or update annual review notifications and alerts to meet the 15 calendar month criteria
Address High and Medium Impact in policies
Review Best Practices: Managing Evidence Presentation
Slide 9: CIP-003-5 R2 New Requirement
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
2.1 Cyber security awareness;
2.2 Physical security controls;
2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and
2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. (NERC, 2012, CIP-003-5, p. 5)
Slide 10: CIP-002-5, R1, Part R1.3 = Low Impact BES Cyber Systems
P 106: “[W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.” (FERC, 2013, Order 791)
Slide 11: CIP R2 Progress
The Standard Drafting Team (SDT) has been hard at work.
The SDT is still working on the requirements, measures, and rationale.
Nothing is definitive as of yet.
The draft has changed to a table format.
Slide 12: CIP R2 Current Draft
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing low impact BES Cyber Systems), shall:
Slide 13: CIP-003 R2 Draft (continued)
R2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity
Slide 18: CIP-003-5 R2 – Possible Pitfall
Entity may not know what its Low Impact BES Cyber Systems are
Not consistently reviewing every 15 months
Current annual schedule may not meet the requirement
Notifications and alerts may not get updated
Policies may not address all parts of the requirement
Slide 19: CIP-003-5 R2 Implementation Tips
Stay on top of WECC’s outreach for more direction on Low Impact BES Cyber Systems
Update annual review notifications and alerts to meet the version 5 timeline
Slide 20: CIP-003-5 R3 No Change
Each Responsible Entity shall:
Identify a CIP Senior Manager by name
Document any change within 30 calendar days of the change
CIP R2.1, R2.2 | CIP R3
Slide 21: CIP-003-5 R3 Audit Approach
CIP Senior Manager’s name: include the date identified
Version control and revision history: include the action specific to the change and include dates.
Note: If you are not retaining the original document designating the CIP Senior Manager, entities still need to demonstrate compliance with the standard on or before April 1. We recommend reaffirming the CIP Senior Manager on or before April 1, 2016, and providing that document as evidence.
Slide 22: CIP-003-5 R3 – Possible Pitfall
Entity did not identify the CIP Senior Manager by name and did not include the date identified
Changes to the CIP Senior Manager were not documented within 30 calendar days
Slide 23: CIP-003-5 R3 Implementation Tips
Update processes to ensure there are steps for documenting changes within 30 calendar days
Slide 24: CIP-003-5 R4 Minor Clarifications
The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used.
The CIP Senior Manager may delegate authority for specific actions.
Include the delegate’s name or title, the specific actions delegated, and the date of the delegation;
Approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation.
Delegation changes do not need to be reinstated with a change to the delegator.
CIP R2.3 | CIP R4
Slide 25: CIP-003-5 R4 Audit Approach
Were there any delegations?
Who was delegated and what were they delegated to do?
Was the delegation approved by the CIP Senior Manager?
Slide 26: CIP-003-5 R4 – Possible Pitfall
Entity did not document a process to delegate authority
Entity did not identify delegates by name and did not include the date identified or the specific actions delegated
The CIP Senior Manager did not approve the delegation
Slide 27: CIP 003-5 R4 Implementation Tips
Document a process for delegating authority, and ensure the process addresses the specific requirements
Follow the documented process
Slide 28: CIP Modifications
Reorganized to only include elements of policy and cyber security program governance.
CIP R3 | CIP R4 | CIP 011-1 | CIP R5 | CIP 004-5 | CIP R6 | CIP 010-1
Slide 29: Wrap-up
Know what is required for each BES Cyber System
Attend future WECC outreach events to get further clarity on Low Impact BES Cyber Systems.
Slide 30: References
FERC. (2013, November 22). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC ¶ 61,160; Docket No. RM. In Federal Register, Vol. 78, No. 232 (pp. ). Retrieved from
NERC. (2014, March 12). Glossary of Terms Used in NERC Reliability Standards. Retrieved from
NERC. (2012, November 26). CIP – Cyber Security – Security Management Controls. Retrieved from