
CIP-002-5 Outreach Session Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM Senior Compliance Auditor – Cyber Security WECC: Vancouver WA Office.


1 CIP-002-5 Outreach Session
Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security, WECC: Vancouver WA Office
CIP Outreach Session, CIP v5 Roadshow, Salt Lake City, May 14-15, 2014

2 Speaker Intro: Dr. Joseph Baugh
Over 40 years of Electrical Utility Experience: Transmission Lineman; NERC Certified System Operator; IT Manager & Power Operations Manager
20 years Information Technology & IT Security Experience: Project Manager & IT Program Manager; PMP, CISA, CISSP, CRISC, CISM, NSA-IAM/IEM certs
20 years of Educational Experience: Degrees earned: Ph.D., MBA, BS-Computer Science; Academic & Technical Course Teaching Experience in Information Technology and IT Security, Business Strategy, Leadership, and Management, Project Management, and PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation

3 WECC Disclaimer The contents of this presentation represent sound practices based on WECC’s understanding of CIP , however: WECC neither provides prescriptive solutions nor endorses specific vendors, tools, or products for compliance with CIP Standards. The processes and applications discussed in this presentation represent one approach toward compliance efforts for CIP , but this is not the only possible method. WECC will not provide the actual spreadsheets used to explicate the processes described in this presentation to entities or other interested parties. Blind adherence to any process does not guarantee compliance. Each Registered Entity is responsible for demonstrating its compliance with CIP in a manner befitting the entity’s registered functions and operational requirements relative to the reliability of the BES.

4 Agenda
Definition of Terms; Mapping CIP-002-x Compliance Evolution; Review CIP ; CIP Process Overview; Breaking Down the Process Steps; Demonstrating Compliance through Auditable Processes; Questions

5 Definition of Terms - BES
Current Bulk Electric System [BES] Definition – Expires June 30, 2014 As defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition (NERC, 2013 Nov, Glossary of Terms, p. 12). Read and discuss the current definition, particularly the expiration date and its impact on CIP R1.

6 Definition of Terms - BES
New Bulk Electric System [BES] Definition – Effective July 1, 2014 Unless modified by the lists shown below [Emphasis Added], all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy (NERC, 2013 Nov, Glossary of Terms, pp ). The new definition maps to an extensive list of Inclusions and Exclusions (NERC, 2014 April, BES Definition Reference Document, pp. 1-66).
Point to the lists in the Glossary and the full lists of Inclusions and Exclusions in the BES Guidance document. Explain that the BES definition discussion is outside the scope of this presentation, but it is important to understand and apply the Inclusions and Exclusions accurately going forward, prior to applying the IRC to the entity's inventory of BES Assets.

7 Definition of Terms - IRC
Impact Rating Criteria (CIP – Attachment 1, pp )
1. High Impact Rating (H): Each BES Cyber System used by and located at any of the following: (See IRC 1.1 – 1.4)
2. Medium Impact Rating (M): Each BES Cyber System, not included in Section 1 above, associated with any of the following: (See IRC 2.1 – 2.13)
3. Low Impact Rating (L): BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 ‐ Applicability, part 4.2 – Facilities, of this standard: (See IRC 3.1 – 3.6)
4.2 Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.
Note especially 4.2.2: Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.

8 Definition of Terms - BCA
BES Cyber Asset (BCA) – Effective April 1, 2016
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.) (NERC, 2013 Nov, Glossary of Terms, p. 9).
As explained by NERC, the 15-minute parameter will typically result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets. Further, according to NERC, ‘‘[t]ypical systems that might be excluded by the 15-minute parameter are systems that collect data for engineering analysis and support, and maintenance rather than providing input to the operator for real-time operations or triggering automated real-time operations. Such excluded systems would include those used to collect data for the purpose of determining maintenance schedules for assets such as transformers or for engineering analysis.’’ (FERC, 2013, Order 791, P.123, p )

9 Definition of Terms - BCS
BES Cyber System (BCS) – Effective April 1, 2016 One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity (NERC, 2013 Nov, Glossary of Terms, p. 10).

10 Definition of Terms - Reliability Tasks
Identified in the NERC Functional Model as listed under the various Functions, “the Model provides the framework on which the NERC Reliability Standards are developed and applied. To ensure that this framework remains viable, the Model itself is governed by a set of “guiding principles” that define a Function's Tasks and establish the relationships between the functional entities which are responsible for meeting the requirements in the NERC Reliability Standards that correspond to these Tasks” (NERC, 2009 Nov, Functional Model v5, p. 11).

11 Definition of Terms - Reliability Tasks
FERC also commented on reliability tasks in the CIP v5 Final Rule (Order 791): “we believe that the NERC Functional Model is the basis for the phrase “reliability task” while the Guidelines and Technical Basis section provides clarity on how the term applies to the CIP version 5 Standards” (FERC, 2013, Order 791: P. 156, p )

12 Definition of Terms - Reliability Tasks
In order to identify BES Cyber Systems, Responsible Entities determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (NERC, 2013 Nov, CIP , p. 5).

13 Definition of Terms - BROS
BES Reliability Operating Services (BROS) The concept of BES reliability operating service is useful in providing Responsible Entities with the option of a defined process for scoping those Systems that would be subject to CIP‐002‐5.1 (NERC, 2013 Nov, CIP , pp ). WECC recommends a good review of BROS details (NERC, 2013 Nov, CIP , pp ) relative to your specific Registered Functions prior to application of the IRC and subsequent BCS identification.

14 Definition of Terms - BROS
The BROS “includes a number of named BES reliability operating services. These named services include” (NERC, 2013 Nov, CIP , p. 18):
Dynamic Response to BES conditions
Balancing Load and Generation
Controlling Frequency (Real Power)
Controlling Voltage (Reactive Power)
Managing Constraints
Monitoring & Control
Restoration of BES
Situational Awareness
Inter‐Entity Real‐Time Coordination and Communication

15 Definition of Terms - BROS
The BROS may provide guidance to determine which BCS are applicable to a specific Registered Function (NERC, 2013 Nov, CIP , p. 18). Responsibility for the reliable operation of the BES is spread across all Entity Registrations. Each entity registration has its own special contribution to reliable operations and the following discussion helps identify which entity registration, in the context of those functional entities to which these CIP standards apply, performs which reliability operating service, as a process to identify BES Cyber Systems that would be in scope. The following provides guidance for Responsible Entities to determine applicable reliability operations services according to their Function Registration type (NERC, 2013 Nov, Table, p. 18). When setting up your CIP Identification process, be sure to consider all of the applicable BROS that relate to your Registered Functions.

16 CIP-002-x Compliance Evolution
I realize this chart is a bit of an eye test, but it examines the evolution of CIP-002 requirements from CIP R1-R4 through CIP R1-R3 and finally to CIP R1 and R2.

17 The CIP-002-5.1 Compliance Model
CIP BES Cyber System Categorization
R1: Instead of identifying Critical Assets as in previous versions, the Responsible Entity must identify the Facilities, systems, or equipment (see R1.i-R1.vi, p. 6, for the assets that must be considered) that meet the Impact Rating Criteria [IRC] (CIP Attachment 1, pp ) as high impact (R1.1), medium impact (R1.2), or low impact (R1.3) assets. Using the lists of Facilities, systems, or equipment identified through the application of the IRC, the Responsible Entity must identify and categorize its BES Cyber Systems as high impact or medium impact. BES Cyber Systems not identified as high impact or medium impact default to low impact. The new standard treats a BES Cyber System as a grouping of BES Cyber Assets because this allows entities to apply some requirements at the system level rather than to each individual asset.
R2: Review (R2.1) and approval (R2.2) of the High and Medium BES Cyber System lists (R1.1, R1.2) and the list of low impact BES Assets (R1.3). The initial review and approval pursuant to R2 must occur on or before April 1, 2016, and must recur at least once every 15 calendar months after the initial review and approval.
This figure is a bit easier to read and is pertinent to today's discussion. As you know, the functionality of CIP R1-R3 and CIP R1-R2 has been combined in CIP R1. We will talk extensively about R1 in the ensuing slides, while CIP R4, CIP R3 and CIP R2 are relatively similar in the required reviews and approvals. The key change in CIP R2 is the timeframe: CIP abandons the annual requirement in favor of a fixed maximum interval of 15 calendar months.

18 CIP Compliance Date
Specific Version 5 CIP Cyber Security Standards have periodic requirements that contain time parameters for subsequent and recurring iterations of the requirement, such as, but not limited to, “. . . at least once every 15 calendar months . . .”, and responsible entities shall comply initially with those periodic requirements as follows (Implementation Plan, p. 2): 1. On or before the Effective Date of the Version 5 CIP Cyber Security Standards for the following requirements: CIP-002-5, Requirement R2 – April 1, 2016.
This is where that phrase that is near and dear to every CIP Auditor's heart may first arise: “Show me in the standard where I have to …” In this case, comply with CIP R1, if only R2 is effective on April 1, 2016. The answer is quite simple: in order to comply with R2, the entity must implement its R1 process to develop the R1.1-R1.3 lists that will be reviewed and approved under R2.

19 CIP : R1
R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

20 R1: …shall implement a process…
Process: “a series of actions or operations conducing to an end.”
Two schools of thought on the R1 process flow: a top-down process first evaluates the inventory of BES Assets against the IRC; a bottom-up process evaluates the inventory of BES Cyber Assets against the IRC.
The process that Brent presented at CIPUG is ONE way of approaching CIP , but it is certainly not the only way. WECC does not prescribe solutions. We expect entities to develop and implement an R1 process that works for them, but it must be clearly documented and address all of the BES Assets listed under R1.i through R1.v, as well as any applicable distribution Protection Systems under R1.vi.
By objectively applying the IRC to the inventory of BES Assets, you effectively eliminate much of the subjectivity formerly associated with identifying a list of Critical Assets through the application of the RBAM under CIP , and should end up with a manageable list of High and Medium impact BES Assets, from which you can then evaluate and identify the applicable BCS at each such facility. Anything left over from your inventory of BES Assets after the application of the IRC becomes, by default, the candidate list that can be used to develop the list required by R1.3.
Please keep in mind the CIP standards are performance-based standards. If you do not document the evaluation (or consideration) of your BES Assets under the R1 parent statement, how will you demonstrate that you considered "each of the following assets for purposes of parts 1.1 through 1.3" (CIP : R1, p. 6)? In addition, R1.1 and R1.2 require entities to identify High and Medium impact BCS "at each asset" (CIP : R1.1 & R1.2, p. 6). The WECC audit team will be reviewing documentation that clearly demonstrates an entity complied with all parts of R1 and R2.
There is another clear advantage to taking a top-down approach to CIP R1. By evaluating and clearly identifying each of your BES Assets as High, Medium, or Low impact, you reduce the effort associated with evaluating all BCS, which under a bottom-up approach could include identifying and then discarding low impact BCS. A top-down approach initially focuses only on High and Medium Assets and their applicable BCS, and creates the R1.3 list by default.
Process definition: “a series of actions or operations conducing to an end” (Merriam-Webster Online Dictionary). Conduce definition: “leading or tending to a particular and often desirable result” (Merriam-Webster Online Dictionary).

21 Top-Down Process Flow Chart Groups
This figure shows the flow of the remainder of this presentation. We will walk through each of these process groups in turn to examine one logical process flow to identify and compile the lists required by CIP R1 and the reviews and approvals required by R2.
Routable protocol exemption – A complete exemption of Cyber Assets based on communication characteristics no longer applies. This is because the vulnerability that some security requirements address (e.g., training, response, recovery) is not mitigated by the lack of routable protocols. Where the lack of routable protocols itself meets the requirement objective, the exemption is applied at the requirement level.

22 Beginning the Process Start with inventory of BES Assets
Which BES Definition? Apply the IRC to identify High- and Medium-Impact Facilities. All other BES Assets and applicable Distribution Assets (IRC 3.6) default to Low Impact.
Recall our discussion of the application of the BES Definition. Evaluate your inventory of BES Assets against the new BES definition prior to beginning this top-down process. A best practice would be to document the evaluation process, as prior audit evidence is typically compared to new audit evidence to identify differences.

23 Deriving the R1.1-R1.3 Lists
Start with your BES Assets as defined in R1.i-R1.v, plus Distribution Assets, if any, from R1.vi. Apply a logical process to identify your High, Medium, and Low impact rated Facilities. Applicable Distribution Protection Systems default to Low impact (IRC 3.6); add their host facilities to the Low Impact list (R1.3).
Whichever methodology you ultimately use is up to each entity; however, be sure to document and review your considerations to ensure you have not let any BCA or BCS slip through the cracks. Once you have a valid inventory of BES Assets (R1.i-R1.v) and applicable DP Assets that meet the R1.vi criteria, apply the IRC to identify a list of High impact (for R1.1) and a list of Medium impact (for R1.2) Facilities, systems, or equipment (i.e., Assets). All other BES Assets on your initial list default to a Low impact rating. Document these BES Assets in the list required by R1.3.
Note: The following example of an auditable process follows the top-down methodology.

24 High IRC (Control Centers)

25 Medium IRC (Control Centers)

26 What is Net Real Power Capability?
Criterion 2.11 contains the term “aggregate highest rated net Real Power capability of the preceding 12 calendar months.” The same term applies to criterion 2.1 for generation resources. A best practice would be to use the calculation material found in the new MOD standard (see NERC, 2014 March 20, MOD-025-2: Attachment 2, pp ), including this specific formula: “Net Real Power Capability (*MW) equals Gross Real Power Capability (*MW) minus Aux Real Power connected at the same bus (*MW) minus tertiary Real Power connected at the same bus (*MW)” (p. 19). The highest calculated value(s) for the preceding 12 calendar month period is/are acceptable as valid audit evidence for Criteria 2.1 and 2.11.
An entity asked, “How do we calculate this value?” Although the MOD standard does not become effective until July 1, 2016, it represents a FERC approved calculation methodology. As such, it is also acceptable to the WECC CIP team as supporting evidence to demonstrate compliance in the application of IRC 2.1 and 2.11. Obviously for criterion 2.1, I would calculate and aggregate the Net Real Power capability for each unit or group of units at a single location to determine whether or not this location met or exceeded the 1500 MW threshold. For 2.11, I would perform the same calculations for all BES generation units controlled by my Control Center(s) within a single Interconnection to determine if my Control Center(s) met the Medium impact criterion or became Low impact.

27 Low IRC (Control Centers)

28 R1.i: Example of Auditable Process
This is an example of a simple binary selection model. It uses Boolean values to determine the status of a given BES Asset. The model defaults to a Low Impact rating by virtue of the preloaded FALSE, such that if a given BES Asset does not meet any of the applicable IRC, it will default to a Low rating and can be added to the R1.3 list of Low Impact Facilities. At that point, it will not be necessary to further evaluate the BCS associated with that facility (at least for now).
The model includes the following IRC:
High Ratings
1.1: RC Control Centers or backup Control Centers
1.2: BA Control Centers or backup Control Centers for (a) generation >= an aggregate of 3000 MW in a single Interconnection, or (b) assets meeting IRC 2.3, 2.6, or 2.9
1.3: TO Control Centers or backup Control Centers for one or more assets that meet IRC 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10
1.4: GO Control Centers or backup Control Centers for one or more assets that meet IRC 2.1, 2.3, 2.6, or 2.9
Medium Ratings
2.11: GO Control Centers or backup Control Centers, not already included as a High rated Facility, for generation >= 1500 MW in a single Interconnection
2.12: TO Control Centers or backup Control Centers, not already included as a High rated Facility
2.13: BA Control Centers or backup Control Centers, not already included as a High rated Facility, for generation >= an aggregate of 1500 MW in a single Interconnection
Low Ratings
3.1: Any Control Center or backup Control Center not already included as a High or Medium rated Facility.
Enter a 1 (TRUE) in the applicable cells to identify the status of the entity's Control Centers as meeting one or more of the applicable IRC. This model assigns the highest applicable rating, but it is a good idea to identify all applicable criteria in the event that the Facility is later changed to an extent that may impact its IRC rating.
In this example, the entity only has two Control Centers, both of which meet Criteria 1.3 and 1.4, so both are rated at the High impact level.

29 Medium IRC (Transmission)

30 Medium IRC (Transmission)

31 Medium IRC (Transmission)

32 Medium / Low IRC (Transmission)

33 R1.ii: Example of Auditable Process
This is an example of a simple binary selection model. It uses Boolean values to determine the status of a given BES Asset. The model defaults to a Low Impact rating by virtue of the preloaded FALSE, such that if a given BES Asset does not meet any of the applicable IRC, it will default to a Low rating and can be added to the R1.3 list of Low Impact Facilities. At that point, it will not be necessary to further evaluate the BCS associated with that facility (at least for now).
Identifying the rating of Substations and Switchyards is a bit more complex due to the number of applicable Criteria and the specific nature of Criterion 2.5, which incorporates the weighted value of lines into/out of the Facility and the number of connected substations or switchyards. For the purpose of this model, Substations and Switchyards are synonymous with Station.
The model includes the following IRC:
Medium Ratings
2.2: Each BES Reactive resource (or group of resources) at a single location, excluding generation Facilities, with an aggregate maximum nameplate Reactive Power rating >= 1000 MVAR. The 15-minute threshold is applicable to this criterion.
2.4: Transmission Facilities operated at 500 kV or higher, excluding generation plant collector buses.
2.5: Transmission Facilities operating between 200 kV and 499 kV within a single station, which is (a) connected at 200 kV or higher to three or more other Transmission stations, and (b) has an aggregate weighted value > 3000 as determined by the summation of the value assigned to each incoming and each outgoing BES Transmission line: < 200 kV = 0, 200 kV to 299 kV = 700, 300 kV to 499 kV = 1300, >= 500 kV = 0 (covered by IRC 2.4)
2.6: Transmission Facilities at a single station identified by the RC, PC/PA, or TP as critical to the derivation of IROLs and associated contingencies.
2.7: Transmission Facilities identified as essential to meet Nuclear Plant Interface Requirements
2.8: Transmission Facilities, including generation interconnection Facilities, that connect generation output to the Transmission System identified by the GO for units meeting IRC 2.1 or 2.3
2.9: Each SPS, RAS or automated switching system that would cause one or more IROL violations for failure to operate as designed, or cause a reduction in one or more IROLs if destroyed, degraded, misused, or otherwise rendered unavailable
2.10: Each system or group of Elements, under a common control system, that performs UVLS or UFLS automatic load shedding >= 300 MW under a load shedding program that is subject to a NERC or regional reliability standard (e.g.,
Low Ratings
3.2: Transmission stations and substations not included as a Medium impact rated Facility
3.4: Systems and facilities critical to system restoration, including Cranking Paths and initial switching requirements.
3.5: Special Protection Systems that support the reliable operation of the BES
Enter a 1 (TRUE) in the applicable cells to identify the status of the entity's stations as meeting one or more of the applicable IRC. This model assigns the highest applicable rating, but it is a good idea to identify all applicable criteria in the event that the Facility is later changed to an extent that may impact its IRC rating. In this example, the entity has many substations at four voltage levels, but only a representative set were included for brevity.
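The screening logic described on the Net Real Power slide (26) and in the Control Center (28) and station (33) binary selection models, written out as a runnable Python model. This is an added example; it is not WECC's spreadsheet, NERC text, or any entity's process. Thresholds are the Attachment 1 values quoted on these slides. The facility inventory, the Facility fields, and the criterion flags are constructed for illustration; designation-type criteria (1.x, 2.3, 2.6 through 2.13) are taken as entity-supplied True/False inputs because they depend on RC/PC/TP designations that no formula can derive. One assumption is flagged in the code: "aggregate highest rated net Real Power capability" is read as the sum of each unit's highest monthly net value over the window, with net computed by the MOD-025-2 formula quoted above.

```python
"""Top-down IRC screen for CIP-002-5.1 R1 as code (added example, not WECC/NERC material).

Every facility starts as Low (preloaded FALSE for every criterion), the criteria it
meets are recorded, and the highest applicable rating wins. Criteria 2.1, 2.2, 2.4
and 2.5 are derived from facility data; designation-type criteria are entity-supplied.
ASSUMPTION: "aggregate highest rated net Real Power capability" = sum over units of
each unit's highest monthly net value, net = Gross - Aux - Tertiary at the same bus
(MOD-025-2 Attachment 2). All facility data below is constructed.
"""
from dataclasses import dataclass, field

GEN_MEDIUM_MW = 1500          # Criteria 2.1 / 2.11 / 2.13 threshold (MW)
REACTIVE_MEDIUM_MVAR = 1000   # Criterion 2.2 threshold (aggregate nameplate MVAR)
WEIGHT_2_5_LIMIT = 3000       # Criterion 2.5(b): aggregate weighted value must exceed this
MIN_CONNECTED_STATIONS = 3    # Criterion 2.5(a): connected at 200 kV+ to >= 3 other stations


def line_weight(kv: float) -> int:
    """Criterion 2.5 weight for one BES line: <200 kV and >=500 kV count 0 (500 kV+ is 2.4)."""
    if kv < 200 or kv >= 500:
        return 0
    return 700 if kv < 300 else 1300


def net_real_power(gross_mw: float, aux_mw: float, tertiary_mw: float) -> float:
    """MOD-025-2 Attachment 2: Net = Gross - Aux - Tertiary (all connected at the same bus)."""
    return gross_mw - aux_mw - tertiary_mw


def aggregate_highest_net(unit_months: dict) -> float:
    """Sum of each unit's highest net value over the monthly readings supplied (see ASSUMPTION)."""
    return sum(max(net_real_power(*reading) for reading in readings)
               for readings in unit_months.values())


@dataclass
class Facility:
    name: str
    flags: dict = field(default_factory=dict)        # {criterion: bool}, entity-supplied designations
    lines_kv: list = field(default_factory=list)     # kV of each BES line in/out of the station (2.4, 2.5)
    connected_stations_200kv: int = 0                # other stations connected at 200 kV or higher (2.5a)
    unit_months: dict = field(default_factory=dict)  # {unit: [(gross, aux, tertiary), ...]} (2.1)
    nameplate_mvar: float = 0.0                      # non-generation Reactive resources at the site (2.2)


def derived_flags(f: Facility) -> dict:
    """Criteria that can be computed from the facility's own data."""
    d = {}
    if f.unit_months:
        d["2.1"] = aggregate_highest_net(f.unit_months) >= GEN_MEDIUM_MW
    if f.lines_kv:
        d["2.4"] = any(kv >= 500 for kv in f.lines_kv)
        in_band = any(200 <= kv < 500 for kv in f.lines_kv)
        weight = sum(line_weight(kv) for kv in f.lines_kv)
        d["2.5"] = (in_band and f.connected_stations_200kv >= MIN_CONNECTED_STATIONS
                    and weight > WEIGHT_2_5_LIMIT)
    if f.nameplate_mvar:
        d["2.2"] = f.nameplate_mvar >= REACTIVE_MEDIUM_MVAR
    return d


def rate(f: Facility):
    """Return (rating, sorted list of every criterion met). No criterion met means Low."""
    met = sorted(c for c, v in {**derived_flags(f), **f.flags}.items() if v)
    if any(c.startswith("1.") for c in met):
        return "High", met
    if any(c.startswith("2.") for c in met):
        return "Medium", met
    return "Low", met


def r1_lists(facilities) -> dict:
    """R1.1 and R1.2 candidate facilities, plus the R1.3 list that falls out by default."""
    key = {"High": "R1.1 High", "Medium": "R1.2 Medium", "Low": "R1.3 Low"}
    lists = {"R1.1 High": [], "R1.2 Medium": [], "R1.3 Low": []}
    for f in facilities:
        rating, _ = rate(f)
        lists[key[rating]].append(f.name)
    return lists


# Constructed inventory: two Control Centers, three stations, one plant (not real data).
SAMPLE = [
    Facility("CC-Primary", flags={"1.3": True, "1.4": True}),
    Facility("CC-Backup", flags={"1.3": True, "1.4": True}),
    Facility("Station-A", lines_kv=[345, 345, 230, 230], connected_stations_200kv=4),  # weight 4000
    Facility("Station-B", lines_kv=[230, 230, 230], connected_stations_200kv=3),       # weight 2100
    Facility("Station-C", lines_kv=[500, 500, 230], connected_stations_200kv=2),       # 2.4 only
    Facility("Plant-X", unit_months={"U1": [(600, 25, 0), (610, 25, 0)],               # 585 MW
                                     "U2": [(950, 40, 10), (970, 40, 10)]}),           # 920 MW
]

if __name__ == "__main__":
    for fac in SAMPLE:
        print(f"{fac.name:12} {rate(fac)}")
    print(r1_lists(SAMPLE))
```

The output is the R1.1/R1.2/R1.3 facility lists only; identifying BCA and grouping them into BCS "at each asset" on the High and Medium lists is the next step and is not modelled here. Keeping every criterion met, not just the highest, is what lets the entity re-rate a facility when a later change (a new 345 kV line, say) moves it across the 2.5 weighted-value limit, which is the same reason the slides recommend marking all applicable criteria in the matrix.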

34 Medium IRC (Generation)

35 Medium / Low IRC (Generation)

36 R1.iii-iv: Example of Auditable Process
This is an example of a simple binary selection model. It uses Boolean values to determine the status of a given BES Asset. The model defaults to a Low Impact rating by virtue of the preloaded FALSE, such that if a given BES Asset does not meet any of the applicable IRC, it will default to a Low rating and can be added to the R1.3 list of Low Impact Facilities. At that point, it will not be necessary to further evaluate the BCS associated with that facility (at least for now).
The model includes the following IRC:
Medium Ratings
2.1: Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability >= 1500 MW in a single Interconnection. The 15-minute threshold applies to this criterion for identifying shared BCS associated with these facilities.
2.3: Each generation Facility that the PC/PA or TP designates, and informs the GO or GOP, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year.
2.6: Generation at a single plant location identified by the RC, PC/PA, or TP as critical to the derivation of IROLs and associated contingencies.
Low Ratings
3.3: Generation resources not already included as a Medium rated Facility
3.4: Systems and facilities critical to system restoration, including Blackstart Resources and initial switching requirements
Enter a 1 (TRUE) in the applicable cells to identify the status of the entity's generation stations as meeting one or more of the applicable IRC. This model assigns the highest applicable rating, but it is a good idea to identify all applicable criteria in the event that the Facility is later changed to an extent that may impact its IRC rating.

37 Medium IRC (Protection Systems)

38 Low IRC (Protection Systems)

39 R1.v-vi: Example of Auditable Process
This is an example of a simple binary selection model. It uses Boolean values to determine the status of a given BES Asset. The model defaults to a Low Impact rating by virtue of the preloaded FALSE, such that if a given BES Asset does not meet any of the applicable IRC, it will default to a Low rating and can be added to the R1.3 list of Low Impact Facilities. At that point, it will not be necessary to further evaluate the BCS associated with that facility (at least for now).
The model includes the following IRC:
Medium Ratings
2.9: Each SPS, RAS or automated switching system that would cause one or more IROL violations for failure to operate as designed, or cause a reduction in one or more IROLs if destroyed, degraded, misused, or otherwise rendered unavailable
2.10: Each system or group of Elements, under a common control system, that performs UVLS or UFLS automatic load shedding >= 300 MW under a load shedding program that is subject to a NERC or regional reliability standard
Low Ratings
3.4: Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements.
3.5: Special Protection Systems that support the reliable operation of the BES
3.6: For DPs, Protection Systems specified in Applicability section 4.2.1:
Each UFLS or UVLS system that is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard, and performs automatic load shedding under a common control system >= 300 MW.
Each SPS or RAS subject to one or more requirements in a NERC or Regional Reliability Standard.
Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
Enter a 1 (TRUE) in the applicable cells to identify the status of the entity's restoration facilities, SPS/RAS, and applicable DP Protection Systems as meeting one or more of the applicable IRC. This model assigns the highest applicable rating, but it is a good idea to identify all applicable criteria in the event that the Facility is later changed to an extent that may impact its IRC rating.

40 CIP : R1.1-R1.3
R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: …
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

41 R1: Identify and Document BCS
Use the list of High- & Medium-impact BES Assets; identify the BCA associated with each BES Asset; logically group BCA into BCS; document BCS on the R1.1 or R1.2 list, as appropriate.
This is a good example of where a top-down approach simplifies the whole process. By first applying the IRC to your inventory of BES Assets, you have created the R1.3 list by default.

42 R1.1-R1.2: Identifying BCS
Develop an auditable process to examine each High and Medium impact Facility; examine the inventory of BCA at each Facility; consider reliability functions; group BCA into logical BCS; identify PCA, EACMS, and PACS.
Although this graphic depicts Version 4 Cyber Assets, for all intents and purposes these are the same classes of Cyber Assets currently considered under CIP R3. Begin this process with the list of High and Medium impact facilities. For each Facility:
Examine the inventory of BES Cyber Assets.
Consider the BES Reliability Operating Services used by the Registered Function(s) at that Facility.
Identify BCA that support a BROS and the reliable operation of the BES; consider Real-Time operational characteristics.
Group those BCA into logical BES Cyber Systems at an appropriate level of granularity. The level of granularity should take into consideration the operational environment and scope of management when defining the BCS boundary.
Consider the PCA, EACMS, and PACS that support and protect the BCS.

43 Process to Identify BCS
It is left up to the Responsible Entity to determine the level of granularity at which to identify a BES Cyber System within the qualifications in the definition of BES Cyber System. For example, the Responsible Entity might choose to view an entire plant control system as a single BES Cyber System, or it might choose to view certain components of the plant control system as distinct BES Cyber Systems. The Responsible Entity should take into consideration the operational environment and scope of management when defining the BES Cyber System boundary in order to maximize efficiency in secure operations. Defining the boundary too tightly may result in redundant paperwork and authorizations, while defining the boundary too broadly could make the secure operation of the BES Cyber System difficult to monitor and assess (CIP , pp. 4-5).

44 Consider Reliable Operation of the BES
Determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model (CIP , p. 5).
Ensures the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES (CIP , p. 5).
In order to identify BES Cyber Systems, Responsible Entities determine whether the BES Cyber Systems perform or support any BES reliability function according to those reliability tasks identified for their reliability function and the corresponding functional entity’s responsibilities as defined in its relationships with other functional entities in the NERC Functional Model. This ensures that the initial scope for consideration includes only those BES Cyber Systems and their associated BES Cyber Assets that perform or support the reliable operation of the BES. The definition of BES Cyber Asset provides the basis for this scoping. (CIP , Section 6: Background - Reliable Operation of the BES, p. 5).

45 Consider Real-Time Operations
BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes (CIP , p. 5).
Do not consider redundancy in the application of the 15-minute time threshold (CIP , p. 5).
The 15-minute limitation will typically "result in the identification of SCADA, Energy Management Systems, transmission protection systems, and generation control systems as BES Cyber Assets" (FERC, 2013, Order 791: P. 123, p ).
One characteristic of the BES Cyber Asset is a real‐time scoping characteristic. The time horizon that is significant for BES Cyber Systems and BES Cyber Assets subject to the application of these Version 5 CIP Cyber Security Standards is defined as that which is material to real‐time operations for the reliable operation of the BES. To provide a better defined time horizon than “Real‐time,” BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise. This time window must not include in its consideration the activation of redundant BES Cyber Assets or BES Cyber Systems: from the cyber security standpoint, redundancy does not mitigate cyber security vulnerabilities. (CIP , Section 6: Background - Real-time Operations, p. 5).
Group BCA into logical BES Cyber Systems at an appropriate level of granularity. The level of granularity should take into consideration the operational environment and scope of management when defining the BCS boundary.

46 Consider Ancillary BES Cyber Assets
Protected Cyber Assets (“PCA”)
Examples may include, to the extent they are within the ESP: file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems (CIP , p. 6)
May also be lower impact BCA or BCS by virtue of the high-water mark (CIP-005-5, p. 14)
Electronic Access Control or Monitoring Systems (“EACMS”)
Examples include: Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems (CIP , p. 6)
Physical Access Control Systems (“PACS”)
Examples include: authentication servers, card systems, and badge control systems (CIP , p. 6).
While this step is not required by CIP R1, it makes sense to identify and document these BCA to support compliance efforts under CIP through CIP-011-1: consider the PCA, EACMS, and PACS that support and protect the BCS (CIP , Section 6: Background, p. 6).

47 Identifying BES Cyber Assets
Identify if the Cyber Asset meets the definition of BCA
Check for length of installation
If < 30 days, determine if the Cyber Asset is a transient device
Group into logical BCS with associated PCA

48 Grouping BCA into BCS
Entity determines level of granularity of a BCS
There may be one or more BCA within a given BCS
Consider the BROS for your registrations
In transitioning from version 4 [and version 3] to version 5, a BES Cyber System can be viewed simply as a grouping of Critical Cyber Assets (as that term is used in version 4 [and version 3]). The CIP Cyber Security Standards use the “BES Cyber System” term primarily to provide a higher level for referencing the object of a requirement… Another reason for using the term “BES Cyber System” is to provide a convenient level at which an entity can organize their documented implementation of the requirements and compliance efforts (CIP , 2013, p. 4)

49 Graphic Source: http://www. sas
Examples of BCS

50 Examples of BCA Groupings: BA/TOP
Energy Management Systems (EMS)
Automatic Generation Control (AGC)
SCADA systems
Network Management Systems (NMS)
PI systems (Historians)
ICCP systems (Communications)

51 Examples of BCA Groupings: BA/TOP
Graphic Source: Examples of BCA Groupings: BA/TOP

52 Examples of BCA Groupings: TO/TOP
SCADA Component Systems
RTU Systems (Telecommunications)
Protective Relay Systems

53 Examples of BCA Groupings: TO/TOP
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan). Retrieved from
Examples of BCA Groupings: TO/TOP

54 Pilot Study Lesson-Learned: TO/TOP

55 Pilot Study Lesson-Learned: TO/TOP
Programmable Electronic Devices [PEDs], aka Intelligent Electronic Devices [IEDs]
Found as data aggregators for CTs/PTs
May be located in breaker cabinets
Evaluate to determine if the PED/IED meets BCA criteria
If so, consider inclusion in Protective Relay BCS

56 Examples of BCA Groupings: GO/GOP
Digital Control System (DCS)
Control Air System (CAS)
Water Demineralization System
Coal Handling System
Gas Control System
Environmental Monitoring System
RTU (Communications)
Generator Protection Systems (Relays)

57 Examples of BCA Groupings: GO/GOP
Graphic Source: Examples of BCA Groupings: GO/GOP

58 Pilot Study Lesson-Learned: GO/GOP
How is the 1,500 MW threshold defined?
What about segregated systems?
What is a segregated system?
What is a common-mode vulnerability?

59 Consider BCS Types
High Impact BCS,
High Impact BCS w/ Dial-up Connectivity,
High Impact BCS w/ External Routable Connectivity,
Medium Impact BCS,
Medium Impact BCS at Control Centers,
Medium Impact BCS w/ Dial-up Connectivity,
Medium Impact BCS w/ External Routable Connectivity,
Protected Cyber Assets [PCA], and
Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)
One important thing to note here is the expiration of the serial exemption. Under CIP-002-5, the complete exemption of Cyber Assets based on communication characteristics no longer applies. This is because the vulnerability some security requirements address (e.g., training, response, recovery, etc.) is not mitigated by the lack of routable protocols. Where the lack of routable protocols itself meets the requirement objective, the exemption is applied at the requirement level.
Mick is going to talk about the various types of BCS and associated Cyber Assets in his CIP presentation, so I won't expand on that to any great extent in this presentation. Let it suffice to mention that understanding the different types of High and Medium Impact BCS during the initial identification and grouping of BCS may pay dividends later on in the Compliance process:
High Impact BES Cyber Systems – Applies to BES Cyber Systems categorized as high impact according to the CIP‐002‐5 identification and categorization processes.
High Impact BES Cyber Systems with Dial‐up Connectivity – Only applies to high impact BES Cyber Systems with Dial‐up Connectivity.
High Impact BES Cyber Systems with External Routable Connectivity – Only applies to high impact BES Cyber Systems with External Routable Connectivity. This also excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity.
Medium Impact BES Cyber Systems – Applies to each BES Cyber System categorized as medium impact according to the CIP‐002‐5 identification and categorization processes.
Medium Impact BES Cyber Systems at Control Centers – Only applies to medium impact BES Cyber Systems located at a Control Center.
Medium Impact BES Cyber Systems with Dial‐up Connectivity – Only applies to medium impact BES Cyber Systems with Dial‐up Connectivity.
Medium Impact BES Cyber Systems with External Routable Connectivity – Only applies to medium impact BES Cyber Systems with External Routable Connectivity. This also excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity.
Protected Cyber Assets (PCA) – Applies to each Protected Cyber Asset associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.
Electronic Access Points (EAP) – Applies at Electronic Access Points associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.

60 R1.1: Example of Auditable Process

61 R1.1: Example of Auditable Process

62 R1.3: Example of Auditable Process
Any BES Asset (i.e., Facility) not rated as High or Medium defaults to a Low Impact rating
BCS associated with a Low impact BES Asset also become Low impact BCS
At this time, all you need to do is list the Low Impact BES Assets to satisfy R1.3
Comply with CIP R2
When using a top-down evaluation process, any BES Asset not rated as High or Medium automatically defaults to a Low Impact rating, and any associated BCS also become Low impact. At this time, all you need to do is list the Low Impact BES Assets and begin compliance efforts with CIP R2.
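As an added illustration that is not part of the presentation, the top-down R1 process from slides 41, 47 and 62 as a small Python model: facility impact ratings drive the R1.1/R1.2 lists, the 15-minute test (ignoring redundancy) picks out BCA, and Low impact assets are only listed. Facility and asset names are constructed, and a Cyber Asset installed for fewer than 30 days is simply treated as transient here (the slide says to evaluate it).

```python
from dataclasses import dataclass

# Constructed sample data: hypothetical facilities and Cyber Assets, not from the presentation.
@dataclass
class CyberAsset:
    name: str
    facility: str
    bes_impact_within_15_min: bool  # BCA test; redundant peers do NOT change this answer
    days_installed: int             # < 30 days: treated as a transient device (simplification)
    system: str                     # logical grouping chosen by the entity (BCS granularity)

def identify_bca(assets):
    """Slide 47: a Cyber Asset is a BCA if it meets the 15-minute impact test
    and is not a transient device."""
    return [a for a in assets if a.bes_impact_within_15_min and a.days_installed >= 30]

def group_into_bcs(bca):
    """Group BCA into logical BCS keyed by (facility, system); the entity picks the granularity."""
    bcs = {}
    for a in bca:
        bcs.setdefault((a.facility, a.system), []).append(a.name)
    return bcs

def build_r1_lists(facility_impact, assets):
    """Top-down process: the IRC rating of the BES Asset drives the R1.1 (High) and
    R1.2 (Medium) BCS lists; any other facility defaults to Low and goes on R1.3."""
    lists = {"R1.1": [], "R1.2": [], "R1.3": []}
    for (facility, system), members in group_into_bcs(identify_bca(assets)).items():
        impact = facility_impact.get(facility, "Low")  # not rated High/Medium -> Low by default
        if impact == "High":
            lists["R1.1"].append((facility, system, members))
        elif impact == "Medium":
            lists["R1.2"].append((facility, system, members))
    # R1.3 lists the Low impact BES Assets themselves; no discrete list of Low BCS is required
    lists["R1.3"] = sorted(f for f, imp in facility_impact.items() if imp not in ("High", "Medium"))
    return lists

FACILITY_IMPACT = {"Control Center A": "High", "Substation B": "Medium", "Substation C": "Low"}
SAMPLE_ASSETS = [
    CyberAsset("ems-srv-01", "Control Center A", True, 400, "EMS"),
    CyberAsset("ems-srv-02", "Control Center A", True, 400, "EMS"),   # redundant peer is still a BCA
    CyberAsset("print-01", "Control Center A", False, 400, "EMS"),    # no 15-minute impact: not a BCA
    CyberAsset("relay-b1", "Substation B", True, 900, "Protective Relays"),
    CyberAsset("test-laptop", "Substation B", True, 5, "Protective Relays"),  # transient: excluded
    CyberAsset("relay-c1", "Substation C", True, 900, "Protective Relays"),   # Low facility: asset listed only
]

if __name__ == "__main__":
    for part, entries in build_r1_lists(FACILITY_IMPACT, SAMPLE_ASSETS).items():
        print(part, entries)
```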

63 R2: Review and Approve the Lists
R2. The Responsible Entity shall
2.1 Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

64 R1.3 Lists: What to Do? CIP-003-5 R2
Stay tuned for future developments

65 Review and Approve Lists

66 R2: Example of Auditable Process
Review and document initial R1.1 - R1.3 lists (R2.1)
Document CIP Senior Manager approval of the R1.1-R1.3 lists (R2.2)
Ensure review and approval cycle does not exceed the 15-month limitation (R2.2)
Review (and update) lists, as necessary, and approve subsequent R1.1-R1.3 lists (R2.1-R2.2)
Maintain documentation of reviews and approvals for the audit period to demonstrate compliance to the audit team
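As an added example that is not from the presentation, a Python check over a constructed review-and-approval log for the R2 cycle on slides 63 and 66. It assumes the common reading of "once every 15 calendar months" (the next review is due by the end of the 15th calendar month after the previous one) and that approvals must come from the CIP Senior Manager or a delegate.

```python
from datetime import date

def calendar_months_between(earlier: date, later: date) -> int:
    """Whole calendar months from the month of `earlier` to the month of `later`;
    the day of month is ignored on purpose (calendar-month reading of R2)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)

def check_review_cycle(reviews, max_months=15):
    """`reviews` is a chronological list of (review_date, approver_role) tuples.
    Returns a list of findings; an empty list means the R2.1/R2.2 cycle held."""
    findings = []
    for (prev_date, _), (cur_date, _) in zip(reviews, reviews[1:]):
        gap = calendar_months_between(prev_date, cur_date)
        if gap > max_months:
            findings.append(f"{gap} calendar months between {prev_date} and {cur_date} exceeds {max_months}")
    for review_date, role in reviews:
        if role not in ("CIP Senior Manager", "delegate"):
            findings.append(f"{review_date}: approval by '{role}' is not the CIP Senior Manager or delegate")
    return findings

# Constructed sample log (hypothetical dates), not an actual entity's records
SAMPLE_REVIEWS = [
    (date(2014, 1, 15), "CIP Senior Manager"),
    (date(2015, 4, 30), "delegate"),           # 15 calendar months: still inside the window
    (date(2016, 8, 1), "CIP Senior Manager"),  # 16 calendar months: a gap the auditor would flag
    (date(2017, 6, 1), "IT Manager"),          # wrong approver for R2.2
]

if __name__ == "__main__":
    for finding in check_review_cycle(SAMPLE_REVIEWS):
        print(finding)
```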

67 References
FERC. (2013 December 3). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM . Published in Federal Register: Vol. 78, No. 232 (pp ). Retrieved from
NERC. (2009 November 30). Reliability Functional Model (v5, pp. 1-55). Retrieved from
NERC. (2012 October 26). Implementation Plan for Version 5 CIP Cyber Security Standards. Retrieved from

68 References
NERC. (2013 November 21). Glossary of Terms Used in NERC Reliability Standards. Retrieved from
NERC. (2013 November 22). CIP – Cyber Security – BES Cyber System Categorization. Retrieved from
NERC. (2014 April). Bulk Electric System Definition Reference Document. Retrieved from

69 CIP-002-5.1 Presentation Revision History
Version  Change History                                                                                                               Date      By
v1       Developed initial presentation for SLC Outreach                                                                              01/21/14  J. Baugh
v2       Minor changes for SLC Outreach                                                                                               02/01/14
v3       Added IRC slides for SMUD presentation                                                                                       02/16/14
v4       Added examples of BCS Groupings for MDR Outreach                                                                             03/13/14
v5       Minor changes for SMUD Outreach                                                                                              05/03/14
v6       Added slides to discuss Pilot Study lessons learned proposals; Included discussion on Net Real Power Capability; Added revision history for SLC Outreach  05/09/14

70 Questions? Joseph B. Baugh, Ph.D., PMP CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320, Vancouver, WA 98662
jbaugh (at) wecc (dot) biz

