Cyber System-Centric Approach To Cyber Security and CIP

Cyber System-Centric Approach To Cyber Security and CIP
Morgan King Senior Compliance Auditor – Cyber Security WECC Reliability and Security Workshop San Diego CA – October 23 – 24, 2018 Western Electricity Coordinating Council

Western Electricity Coordinating Council
Did We Get CIP v5 Right? We got CIP v5 so right System-centric approach never fully realized Need all perspectives in identifying and resolving the issues Making CIP more manageable, auditable, secure, and resilient Western Electricity Coordinating Council

By the Numbers Western Electricity Coordinating Council

By The Risk Western Electricity Coordinating Council

By The Events Western Electricity Coordinating Council

Two Aspects in CIP CIP is a PROGRAM and its elements. CIP-002, CIP-003, CIP-004, CIP-006, CIP-008, CIP-009, CIP-011, CIP-014 CIP has TECHNICAL architecture requirements. CIP-005, CIP-007, CIP-010 Western Electricity Coordinating Council

Paradigm Shift Western Electricity Coordinating Council

Device-Centric CIP v3 Critical Cyber Assets CIP v5 original concept was to be a paradigm shift from device-centric to a system-centric approach. Cyber Asset Programmable electronic device BES Cyber Asset BES Cyber System Per BES Cyber System / Cyber Asset Capability Western Electricity Coordinating Council

Device-Centric Approach
BES Cyber System BES Cyber System BES Cyber System Baseline Baseline Baseline Cyber Asset Cyber Asset Cyber Asset Western Electricity Coordinating Council

System-Centric Consider that cyber technology in support of reliability is not just a piece of hardware or software, or a communication circuit, but a system intimately associated with the reliability functions it supports. One of the fundamental differences between Versions 4 and 5 of the CIP Cyber Security Standards is the shift from identifying Critical Cyber Assets to identifying BES Cyber Systems. Western Electricity Coordinating Council

System-Centric Approach
Baselines For Like Device Types BES Cyber System BES Cyber System BES Cyber System Western Electricity Coordinating Council

What If…? We retire some definitions We modify existing or create new definitions concerning devices and networking to include virtualization concepts We create additional technical requirements for securing today’s version of virtualization technology? We change requirements to security-objective-based Technology agnositic Nonprescriptive Backward compatible Future Proof technology agnostic Western Electricity Coordinating Council

CIP Modifications Drafting Team
SDT has worked for over a year on designing virtualization-specific language and requirements Electronic Security Zone – to logically isolate systems on shared infrastructure Centralized Management System – to address the risk of virtualization management systems; “fewer, bigger buttons” Issues Very complex Today’s technology and products Continues to evolve Western Electricity Coordinating Council

CIP SDT White Paper Western Electricity Coordinating Council

Definitions Proposed for Retirement BES Cyber Asset Protected Cyber Asset Electronic Security Perimeter Electronic Access Point Electronic Access Control or Monitoring Systems Western Electricity Coordinating Council

More Change Upon Us Cyber Asset only applicable to (TCA, Removable Media) BES Cyber System Protected Cyber System Electronic Access Control System Electronic Access Monitoring Systems External Routable Connectivity with new objective-based isolation model Interactive Remote Access to address IP-serial conversion scenarios Western Electricity Coordinating Council

Nonprescriptive CIP R3 Part 3.1 “Deploy method(s) to deter, detect, or prevent malicious code.” CIP R3 Guidance “Due to the wide range of equipment comprising the BES Cyber Systems and the wide variety of vulnerability and capability of that equipment to malware as well as the constantly evolving threat and resultant tools and controls, it is not practical within the standard to prescribe how malware is to be addressed on each Cyber Asset. Rather, the Responsible Entity determines on a BES Cyber System basis which Cyber Assets have susceptibility to malware intrusions and documents their plans and processes for addressing those risks and provides evidence that they follow those plans and processes.” Western Electricity Coordinating Council

Virtualized Architecture
Western Electricity Coordinating Council

Electronic Security Zone

Is a containerized application a BCA? Or is it just an application? An entities Electronic Access Point is now a policy-based “firewall,” dynamically placed in front of workloads. Access control is now beyond a layer 3 routable protocol level. How does an entity demonstrate compliance with CIP-005? Is SAN part of the same BES Cyber Asset as the virtual machine, is a SAN its own BES Cyber Asset, or is it just a BES Cyber System Information repository since it alone does not perform any BES functions? Western Electricity Coordinating Council

System-Centric Approach
Make “BES Cyber System” the foundational object. Requirements apply at the system level. Implement on system as a whole Implement on components that make sense Allows for dynamic components Western Electricity Coordinating Council

Current CIP R1, R2 Western Electricity Coordinating Council

Logical Isolation Zone / External Routable Connectivity
One or more cyber systems isolated by logical controls that only allow known and controlled communications to or from those systems. External Routable Connectivity Inbound and outbound communication to a logically isolated BES Cyber system initiated from a system that is outside of the Logical Isolation Zone. Western Electricity Coordinating Council

Proposed CIP R1 ` Western Electricity Coordinating Council

Logical Isolation Western Electricity Coordinating Council

Sufficient Logical Isolation

Logical Isolation Compared

NERC CIPC/CIWG Cloud Project
Implications of Cloud Services for CIP Assets Underlay / Overlay Certifications Meeting security objectives for applicable systems Western Electricity Coordinating Council

CIWG Cloud Project Tabletop Participants
Tri-State SMUD APS MISO AES Ameren? KCP&L? Western Electricity Coordinating Council

Service Provider Participants
CoalFire AWS IBM ServiceNow Microsoft FedRAMP PMO? Western Electricity Coordinating Council

Overlay / Underlay Western Electricity Coordinating Council

CIP Obligations / Certifications

CIP Obligations Western Electricity Coordinating Council

Potential Gaps Should there be a notification to utilities when CIP standard are violated? Service provider audit report not shared with others Ensuring the security plan and actual implementation are adequate Western Electricity Coordinating Council

Concerns Compliance risks for utilities when vendors don’t perform How to address changes to CIP standards with service providers? Mapping to the CMEP How will this be audited and PNCs addressed? Mitigating violations that impact CIP Compliance Western Electricity Coordinating Council

Review CIP v5 continues to evolve System-centric approach closer to being fully developed Need all perspectives in identifying and resolving the issues Ensuring CIP is more manageable, auditable, secure, and resilient Western Electricity Coordinating Council

Next Steps Post for informal comment period October 29, 2018. Seeking Standards Committee (SC) authorization to post March 2019. Initial posting March 2019 (if authorized to post by SC). November 1, 2018 Virtualization Webinar. Western Electricity Coordinating Council

Cyber System-Centric Approach To Cyber Security and CIP

Similar presentations

Presentation on theme: "Cyber System-Centric Approach To Cyber Security and CIP"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Cyber System-Centric Approach To Cyber Security and CIP

Similar presentations

Presentation on theme: "Cyber System-Centric Approach To Cyber Security and CIP"— Presentation transcript:

Similar presentations

About project

Feedback