Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Presentation transcript:

1 CIP Security Management Controls
CIP v5 Roadshow, May 14-15, 2014
Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security

2 Agenda
- Differences and relations to current requirements
- Audit approach
- Possible pitfalls to look for while transitioning to version 5
- Implementation tips

3 CIP-003-5 R1 Differences (CIP-003-3 R1 compared with CIP-003-5 R1)
CIP-003-5 R1: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
- 1.1 Personnel & training (CIP‐004);
- 1.2 Electronic Security Perimeters (CIP‐005) including Interactive Remote Access;
- 1.3 Physical security of BES Cyber Systems (CIP‐006);
- 1.4 System security management (CIP‐007);
- 1.5 Incident reporting and response planning (CIP‐008);
- 1.6 Recovery plans for BES Cyber Systems (CIP‐009);
- 1.7 Configuration change management and vulnerability assessments (CIP‐010);
- 1.8 Information protection (CIP‐011); and
- 1.9 Declaring and responding to CIP Exceptional Circumstances
Note: Implementation of these policies is addressed in standards CIP through CIP-011-1; therefore it is not part of this requirement.

4 What is a CIP Exceptional Circumstance?
“A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.” (NERC, 2014, Glossary of Terms, p. 19)

5 CIP-003-5 R1 Audit Approach
- Is there a documented policy or policies that address the nine (9) topics? There can either be a single policy that covers all topics or an individual policy for each.
- Do the policies specifically state High and Medium Impact BES Cyber Systems?

6 CIP-003-5 R1 Audit Approach (cont.)
Cyber Security Policy:
- Was it reviewed by the CIP Senior Manager once every 15 calendar months?
- Evidence of review/approval, including wet-ink or electronic signature and version control/revision history with action and date
- If the document is in a document management system, provide a screenshot of what the CIP Senior Manager reviewed, and include an approval signature page associated with the reviewed document

7 CIP-003-5 R1 – Possible Pitfall
- Policy doesn’t address all topics identified in the requirement
- Not consistently reviewing every 15 months
- Current annual schedule may not meet the requirement
- Notifications and alerts may not get updated

8 CIP-003-5 R1 Implementation tips
- Set up or update annual review notifications and alerts to meet the 15-calendar-month criterion
- Address High and Medium Impact in policies
- Review the Best Practices: Managing Evidence presentation

9 CIP-003-5 R2 New Requirement
R2. Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
- 2.1 Cyber security awareness;
- 2.2 Physical security controls;
- 2.3 Electronic access controls for external routable protocol connections and Dial‐up Connectivity; and
- 2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. (NERC, 2012, CIP-003-5, p. 5)

10 CIP‐002‐5, R1, Part R1.3 = Low Impact BES Cyber Systems
P 106: “[W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.” (FERC, 2013, Order 791, p )

11 CIP-003 R2 Progress
- The Standard Drafting Team (SDT) has been hard at work
- The SDT is still working on the requirements, measures, and rationale. Nothing is definitive as of yet
- Have changed to table format

12 CIP-003 R2 Current Draft
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing low impact BES Cyber Systems), shall:

13 CIP-003 R2 Draft (continued)
R2.3 Electronic access controls for external routable protocol connections and Dial‐up Connectivity

14 CIP-003 R2 Draft (continued)
2.4 Incident Response to Cyber Incidents

15 CIP-003 R2 Draft (continued)
2.5 Cyber Security Awareness

16 CIP-003 R2 Firm Dates
- Standard Drafting Team (SDT) must complete work by February 3, 2015
- Draft goes to industry for comment June 2, 2014
- If you’d like to get involved, contact Ryan Stewart with NERC at:

17 CIP-003 R2 Comment Form

18 CIP-003-5 R2 – Possible Pitfall
- Entity may not know what Low Impact BES Cyber Systems are
- Not consistently reviewing every 15 months
- Current annual schedule may not meet the requirement
- Notifications and alerts may not get updated
- Policies may not address all parts of the requirement

19 CIP-003-5 R2 Implementation tips
- Stay on top of WECC’s outreach for more direction on Low Impact BES Cyber Systems
- Update annual review notifications and alerts to meet the version 5 timeline

20 CIP-003-5 R3 No Change
Each Responsible Entity shall:
- Identify a CIP Senior Manager by name
- Document any change within 30 calendar days of the change
(Maps from CIP-003-3 R2.1 and R2.2 to CIP-003-5 R3)

21 CIP-003-5 R3 Audit Approach
- CIP Senior Manager’s name, including the date identified
- Version control and revision history, including the action specific to the change and its dates
Note: If you are not retaining the original document designating the CIP Senior Manager, entities still need to demonstrate compliance with the standard on or before April 1. We recommend reaffirming the CIP Senior Manager on or before April 1, 2016 and providing that document as evidence.

22 CIP-003-5 R3 – Possible Pitfall
- Entity did not identify the CIP Senior Manager by name and did not include the date identified
- Changes to the CIP Senior Manager were not documented within 30 calendar days

23 CIP-003-5 R3 Implementation tips
Update processes to ensure there are steps for documenting changes within 30 calendar days

24 CIP-003-5 R4 Minor Clarifications
- The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used
- The CIP Senior Manager may delegate authority for specific actions
- Include the delegate’s name or title, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation
- Delegation changes do not need to be reinstated with a change to the delegator
(Maps from CIP-003-3 R2.3 to CIP-003-5 R4)

25 CIP-003-5 R4 Audit Approach
- Were there any delegations?
- Who was delegated and what were they delegated to do?
- Was the delegation approved by the CIP Senior Manager?

26 CIP-003-5 R4 – Possible Pitfall
- Entity did not document a process to delegate authority
- Entity did not identify delegates by name and did not include the date identified or the specific actions delegated
- The CIP Senior Manager did not approve the delegation

27 CIP-003-5 R4 Implementation tips
- Document a process for delegating authority, and ensure the process addresses the specific requirements
- Follow the documented process
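The two date-driven criteria that run through slides 8, 23 and 27 (CIP Senior Manager approval at least once every 15 calendar months, and changes to the CIP Senior Manager or a delegation documented within 30 calendar days) are easy to get wrong when an entity relies on an annual calendar reminder. The Python below is an added example, not code from the presentation, NERC or WECC: it walks a constructed approval history and a constructed delegation-change log and reports which entries would fail an audit. The function names, the sample dates and the clamping rule for month-end dates are this example's own assumptions.

```python
from __future__ import annotations

import calendar
from datetime import date

# Criteria as stated on the slides: review/approval at least once every
# 15 calendar months (R1, R2); changes documented within 30 calendar days (R3, R4).
REVIEW_MONTHS = 15
CHANGE_WINDOW_DAYS = 30


def add_calendar_months(d: date, months: int) -> date:
    """Add whole calendar months to d. If the target month is shorter, the day is
    clamped to that month's last day (31 Jan + 15 months -> 30 Apr). Counting
    calendar months, not 15 * 30 days, matches the wording of the requirement."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def find_missed_reviews(approvals: list[date]) -> list[tuple[date, date, date]]:
    """Walk the CIP Senior Manager approval history in date order and return
    (previous_approval, deadline, late_approval) for every gap longer than
    REVIEW_MONTHS. An approval dated exactly on the deadline counts as on time."""
    ordered = sorted(approvals)
    misses = []
    for previous, current in zip(ordered, ordered[1:]):
        deadline = add_calendar_months(previous, REVIEW_MONTHS)
        if current > deadline:
            misses.append((previous, deadline, current))
    return misses


def next_review_due(approvals: list[date]) -> date:
    """Date by which the next approval must be obtained; this is the date an
    entity would load into its notification/alert system (slide 8 tip)."""
    return add_calendar_months(max(approvals), REVIEW_MONTHS)


def change_documented_in_time(change_date: date, documented_date: date) -> bool:
    """R3/R4: a change to the CIP Senior Manager or to a delegation must be
    documented within CHANGE_WINDOW_DAYS calendar days of the change."""
    elapsed = (documented_date - change_date).days
    return 0 <= elapsed <= CHANGE_WINDOW_DAYS


# Constructed sample evidence for the example; not real entity data.
POLICY_APPROVALS = [date(2013, 1, 31), date(2014, 4, 30), date(2015, 9, 1)]
DELEGATION_CHANGES = [
    # (date of the change, date the delegation document was updated and approved)
    (date(2015, 3, 1), date(2015, 3, 31)),  # 30 days after the change: in time
    (date(2015, 3, 1), date(2015, 4, 1)),   # 31 days after the change: late
]

if __name__ == "__main__":
    for previous, deadline, late in find_missed_reviews(POLICY_APPROVALS):
        print(f"Approval {late} is late: {previous} + {REVIEW_MONTHS} months = {deadline}")
    print("Next review due:", next_review_due(POLICY_APPROVALS))
    for changed, documented in DELEGATION_CHANGES:
        status = "OK" if change_documented_in_time(changed, documented) else "LATE"
        print(f"Change {changed} documented {documented}: {status}")
```

Run against the sample history, the second approval (30 April 2014) lands exactly on the deadline derived from 31 January 2013 and passes, while the third (1 September 2015) misses the 30 July 2015 deadline; the same day-clamping rule is what keeps a month-end approval date from silently drifting the deadline later each cycle.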

28 CIP-003 Modifications
Reorganized to only include elements of policy and cyber security program governance. Requirements moved to other standards, as shown on the slide:
- CIP-003 R3
- CIP-003 R4 → CIP-011-1
- CIP-003 R5 → CIP-004-5
- CIP-003 R6 → CIP-010-1

29 Wrap-up
- Know what is required for each BES Cyber System
- Attend future WECC outreach events to get further clarity on Low Impact BES Cyber Systems

30 References
- FERC. (2013, November 22). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC ¶ 61,160; Docket No. RM. Federal Register, Vol. 78, No. 232 (pp. ). Retrieved from
- NERC. (2014, March 12). Glossary of Terms Used in NERC Reliability Standards. Retrieved from
- NERC. (2012, November 26). CIP – Cyber Security – Security Management Controls. Retrieved from

31 Questions?
Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security