1 CIP-002-1 Critical Cyber Asset Identification A Compliance Perspective Lew Folkerth CIP Compliance Workshop Baltimore, MD August 19-20, 2009 © ReliabilityFirst.


1 CIP-002-1 Critical Cyber Asset Identification
A Compliance Perspective
Lew Folkerth
CIP Compliance Workshop, Baltimore, MD, August 19-20, 2009
© ReliabilityFirst Corporation

2 Governance
Annotated Text of the Standard
- Annotations are NOT authoritative, they are commentary only
Pre-audit questions
- Are intended to streamline the audit process
- Some go beyond what is required by the standard for informational purposes
- Are intended to help organize information used for compliance
- Are intended as a starting point for review of the compliance documentation
The “plain language” of the standard will govern
- The only authoritative text in this presentation is that of the language of the standard. All else is opinion and intended practice and is subject to change.
This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation.

3 Time-based Terminology
The CIP standards call for an “annual review” or similar words in many places. But NERC has not yet defined the term “annual.” At present, the audit team must look to the entity to define “annual” in its own cyber security policy. However, some limits must be placed on how time-based terminology is defined.
A typical dictionary definition of “annual” might be “occurring each year at about the same time of year” such as an annual festival. The following are possible definitions of the term annual as applied to these standards:
1. Occurring within 365 (366 in a leap year) days of the previous occurrence;
2. Once per year, at about the same time each year (plus or minus one month);
3. An event that occurs on a 12-month cycle, occurring in the same month each consecutive year. For example, an event occurring in July, 2009 would next occur in July, 2010;
4. Occurring in the same quarter each year, such as in the third quarter each year.
5. Occurring once per calendar year.

4 Time-based Terminology (cont’d)
Of these examples, the first four might be acceptable to an audit team. The fifth example would probably not be acceptable since as much as 24 months may pass between occurrences of the event. Had the drafters of the standard intended this meaning, they would have used different terminology.
The final resolution of this issue will not occur until an official definition takes effect. Entities responsible for compliance to these standards should be aware that if an Interpretation is passed that is more restrictive than their own practice, they may be placed in violation of the standard. An Interpretation is retroactive, as it clarifies what the standard has meant all along.

5 CIP-002-1 R1 Annotated Text
R1. Critical Asset Identification Method — The Responsible Entity shall identify and document a risk-based assessment methodology [1] to use to identify its Critical Assets.
[1] There has been much discussion over what constitutes a risk-based assessment methodology. The traditional risk equation, Risk = Threat x Vulnerability, has been expanded in recent years to become Risk = Threat x Vulnerability x Impact. The NERC CIP Workshops gave instruction that since the identification and protection of Critical Assets in the electric industry is a long-term process, threats and vulnerabilities cannot be known in advance. The Workshop recommended that the Threat and Vulnerability portions of the risk equation be set to 1.0. If such is the case the risk equation becomes Risk = 1.0 x 1.0 x Impact, or Risk = Impact. Therefore, the risk-based assessment becomes an impact analysis.
Critical Assets: Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.

6 CIP-002-1 R1 Annotated Text (cont’d)
R1.1. The Responsible Entity shall maintain documentation [2] describing its risk-based assessment methodology that includes procedures [3] and evaluation criteria [4].
R1.2. The risk-based assessment shall consider the following assets:
[2] The entity is required to maintain documentation regarding its methodology. Note that management approval of the methodology is not specifically required.
[3] The documentation must contain procedures, that is, explicit instructions for applying the methodology.
[4] The documentation must include evaluation criteria. The evaluation criteria may not be randomly chosen; they must meet certain minimum considerations as discussed below.

7 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.1. Control centers and backup control centers [5] performing the functions of the entities [6] listed in the Applicability section of this standard.
[5] Control centers have been defined as having a broad geographic reach, as opposed to control rooms such as used at generating facilities. Using this definition, generation control rooms would fall under R1.2.3 rather than this requirement. Also note that it is the control center as a whole that is considered the asset, not just its computer systems.
[6] Note that impact to the BES is not mentioned in this requirement. For example, if a control center is used to perform the function of an LSE, then it is subject to this requirement.

8 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.2. Transmission substations [7] that support the reliable operation of the Bulk Electric System.
[7] Normal planning work is done at the transformer, line or breaker level. This requirement explicitly states that loss or compromise of an entire substation must be considered. Note that transmission lines are not included as candidates for critical assets, although they could be considered as additional assets under R1.2.7 at the entity’s discretion. Note further that substations that support the reliable operation of the BES are to be considered. This may mean a substation operating at less than 100 kV might be under consideration if its loss or compromise could affect the BES.

9 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.3. Generation resources [8] that support the reliable operation of the Bulk Electric System.
[8] The use of the term “Generation resources” rather than “Generation plants” or “Generation units” indicates that neither the plant nor the unit is to be the deciding factor in consideration. Rather, the facility must be considered by commonality of systems. For example, if a plant consists of two units, and these units share no common systems such as control rooms or computer networks, then these units would be considered as separate resources by the methodology. If, on the other hand, these units share a common system such as a control room, then the methodology must consider these units as one resource.
Bulk Electric System: As defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition.

10 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.4. Systems and facilities critical to system restoration [9], including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration.
[9] Systems and facilities critical to system restoration are considered to be any generator or substation, regardless of capacity or voltage level, required to be in service for the primary and secondary cranking paths as determined by the authority responsible for blackstart in the area in which the asset under consideration is located.

11 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.5. Systems and facilities critical to automatic load shedding [10] under a common control system capable of shedding 300 MW or more.
[10] Note the restrictive limits in this requirement. Automatic load shedding, not manual; under a common control system, not separate control systems; total load controlled by the common system greater than 300 MW. Also note that the BES is not mentioned in this requirement, so there is no minimum voltage consideration.

12 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.6. Special Protection Systems that support the reliable operation of the Bulk Electric System.
Special Protection System: An automatic protection system designed to detect abnormal or predetermined system conditions, and take corrective actions other than and/or in addition to the isolation of faulted components to maintain system reliability. Such action may include changes in demand, generation (MW and Mvar), or system configuration to maintain system stability, acceptable voltage, or power flows. An SPS does not include (a) underfrequency or undervoltage load shedding or (b) fault conditions that must be isolated or (c) out-of-step relaying (not designed as an integral part of an SPS). Also called Remedial Action Scheme.

13 CIP-002-1 R1 Annotated Text (cont’d)
R1.2.7. Any additional assets [11] that support the reliable operation of the Bulk Electric System that the Responsible Entity deems appropriate to include in its assessment.
[11] Additional assets may include capacitor banks, transmission lines, or any other assets the entity wishes to consider as a critical asset. Note that to impact the reliability of the BES it is not necessary for an asset to operate at a voltage greater than 100 kV. A capacitor bank is seldom operated at more than 100 kV, but the loss or misoperation of a capacitor bank could seriously impact the reliability of the BES.

14 CIP-002-1 R1 Items for Consideration – Pre-audit
1. In compliance with CIP-002, Requirement R1, Registered Entities may define a single Risk-Based Assessment Methodology that applies to all registered functions, or the entity may define multiple methodologies applicable to subsets of their registered functions. For each defined Risk-Based Assessment Methodology, please answer the following questions:
  a. What registered functions are applicable to the Risk-Based Assessment Methodology?
  b. Describe the approach to defining and conducting the Risk-Based Assessment Methodology.

15 CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)
  c. Does the Risk-Based Assessment Methodology consider assets at the level of granularity specified in the Standard? Examples include control centers, substations and generation resources.

16 CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)
  d. If the approach relies upon engineering or other criteria thresholds to distinguish between Critical Assets and other Bulk Electric System assets, what is the basis for selecting the threshold values?
  e. To what extent does the Risk-Based Assessment Methodology rely upon N-1 contingencies as criteria for eliminating Bulk Electric System assets from the Critical Asset list?

17 CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)
  f. If the Risk-Based Assessment Methodology relies upon N-1 contingencies as criteria, at what granularity is the contingency applied? Examples of granularity include element, facility, and system, as defined in the NERC Glossary.
  g. To what extent does the Risk-Based Assessment Methodology rely upon redundancy as criteria for eliminating Bulk Electric System assets from the Critical Asset list?

18 CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)
  h. To what extent do the entity’s assets utilize common control systems? Examples would include generating units with a common control room and breakers or substations with a common control system.
  i. To what extent does the Risk-Based Assessment Methodology rely upon assistance from neighboring Registered Entities as criteria for eliminating Bulk Electric System assets from the Critical Asset list?

19 CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)
  j. If an element, facility, or system as defined in the NERC Glossary is deemed to be operationally significant per other NERC or regional standards, how does this determination factor into the Risk-Based Assessment Methodology?
  k. To what extent does the Risk-Based Assessment Methodology consider the misuse of the asset when evaluating Bulk Electric System assets for inclusion on the Critical Asset list?

20 CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)
  l. To what extent does the Risk-Based Assessment Methodology request a review and concurrence by the Registered Entity’s Balancing Authority (if applicable), neighboring Registered Entities, and/or Reliability Coordinator?
  m. If multiple Risk-Based Assessment Methodologies are used to identify Critical Assets, what measures are taken to ensure all Bulk Electric System assets are considered by at least one methodology?

21 CIP-002-1 R1 Notes on the Methodology
Risk-based assessment methodology (RBAM)
- Strong preference (supported by the language of the standard) is for no more than one RBAM per registered function.
- Each asset identified by the BES asset list must be assessed by at least one RBAM.
- The RBAM must be sufficient to explain the determination of an asset as critical or not critical. (Order 706 P 288)
- Each entity is responsible for identifying and maintaining its own RBAM.
- Possible approaches (per NERC Workshop):
  - Calculation based evaluation
  - Experience based evaluation
  - Combination of calculation and experience based evaluation

22 CIP-002-1 R1 Notes on the Methodology (cont’d)
Risk-based assessment methodology (RBAM) (cont’d)
Calculation based evaluation
- Uses the Risk = Threat x Vulnerability x Impact equation.
- An entity may choose to set Threat and Vulnerability to 1.0, thereby making the equation Risk = Impact. While this approach is not required, it is the approach recommended by NERC.
- If numbers are assigned to various threat and vulnerability configurations, expect the source of those numbers to be examined.
- A calculation based RBAM may be based on megawatt (MW) values determined by an impact study. If so, be prepared to demonstrate how and when the MW values are measured. If a loadflow was used, explain what case was used and the reason that case was chosen.

23 CIP-002-1 R1 Notes on the Methodology (cont’d)
Risk-based assessment methodology (RBAM) (cont’d)
Experience based evaluation
- Also known as a “Red Team” evaluation
- Document the scenarios that were considered. How and why were these scenarios chosen?
- Ensure the number and variety of scenarios considered is appropriate and sufficient to provide valid results.
- Ensure the scenarios consider loss of functionality at the level required by the standard (substation, etc.).
- If actual past experiences are used as all or part of the evaluation, the experiences must be documented and not anecdotal. The experiences need to be recent enough to be valid.

24 CIP-002-1 R1 Notes on the Methodology (cont’d)
Risk-based assessment methodology (RBAM) (cont’d)
Combination of calculation and experience based evaluation
- Calculations may be used to fill gaps in the experience based assessment.
- As two approaches are being used, particular care should be taken to ensure no gaps in the assessment remain.

25 CIP-002-1 R1 Notes on the Methodology (cont’d)
Risk-based assessment methodology (RBAM) (cont’d)
Explicitly required elements of the documentation
- Procedures (How is the RBAM applied?)
- Evaluation criteria (What parameters are used by the RBAM?)

26 CIP-002-1 R2 Annotated Text
R2. Critical Asset Identification — The Responsible Entity shall develop a list [1] of its identified Critical Assets determined through an annual [2] application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually [3], and update it as necessary [4].
[1] While a single list of Critical Assets is called for by the language of the standard, if an entity chooses to keep one list per registered function this should be considered acceptable. If CIP-003-1 R4 is enforceable then the Critical Asset list must have been identified, classified and protected per that requirement. Note that approval of this list is not explicitly required by R2. See R4 for required approvals.
[2] See the discussion of time-based terminology for issues related to the term “annual.”

27 CIP-002-1 R2 Annotated Text
R2. Critical Asset Identification — The Responsible Entity shall develop a list [1] of its identified Critical Assets determined through an annual [2] application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually [3], and update it as necessary [4].
[3] It is not acceptable for an entity to declare that the words “annual application” and “review this list at least annually” mean that the initial review may be performed up to a year after the “Compliant” date for this requirement. The plain language of the standard means that Critical Assets must be identified prior to the “Compliant” date in the appropriate table in the Implementation Plan.
[4] The issue of adding new assets which are then identified as critical is addressed in CIP-002-2.

28 CIP-002-1 R2 Items for Consideration – Pre-audit
1. How are Bulk Electric System assets identified for inclusion in the list of assets to be considered for Critical Asset designation by application of the Risk-Based Assessment Methodology?
2. Has the “reasonable business judgment” clause been used to exclude any assets from consideration as Critical Assets?

29 CIP-002-1 R3 Annotated Text
R3. Critical Cyber Asset Identification — Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list [1] of associated Critical Cyber Assets essential to the operation [2] of the Critical Asset. Examples [3] at control centers [4] and backup control centers [5] include systems and facilities at master and remote sites that provide monitoring and control [6], automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.

30 CIP-002-1 R3 Annotated Text (cont’d)
[1] In this case the language of the standard makes it clear that each Critical Cyber Asset (CCA) may have its own list.
[2] The key words in this requirement: “essential to the operation.”
Critical Cyber Assets: Cyber Assets essential to the reliable operation of Critical Assets.
Cyber Asset: Programmable electronic devices and communication networks including hardware, software, and data.
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.

31 CIP-002-1 R3 Items for Consideration – Pre-audit
1. For identified Critical Assets, how are Cyber Assets identified for inclusion in the list of Cyber Assets to be considered for Critical Cyber Asset designation?
2. What processes and/or criteria are used to determine which Cyber Assets are designated as Critical Cyber Assets?
  a. To what extent does the process or criteria rely upon redundancy as criteria for eliminating Cyber Assets from the Critical Cyber Asset list?
  b. To what extent does the process or criteria consider the misuse of the Cyber Asset as criteria for evaluating Cyber Assets for inclusion on the Critical Cyber Asset list?
3. Has the “reasonable business judgment” clause been used to exclude any Cyber Assets from consideration as Critical Cyber Assets?

32 CIP-002-1 R4 Annotated Text
R4. Annual Approval — A senior manager or delegate(s) [1] shall approve annually [2] the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record [3] of the senior manager or delegate(s)’s approval of the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null [4].)
[1] Note that the senior manager or delegate per CIP-003-1 R2 is not explicitly required. This changes in version 2.
[2] See discussion of “annual” below.
[3] This is one place where a “wet ink” signature is required.
[4] If the list of CAs and/or CCAs is null, these must still be approved.

33 CIP-002-1 R4 Items for Consideration – Pre-audit
1. How is the senior manager referred to in R4 designated?
2. If the senior manager has delegated authority to approve the list of Critical Assets and/or the list of Critical Cyber Assets, how is that delegation documented?
3. Is a signed and dated list of Critical Assets and a signed and dated list of Critical Cyber Assets available for the entire audit period?

