Cyber Security Standards:
Low Impact Requirements
Scott R. Mix, CISSP, NERC Senior CIP Technical Manager
FRCC Compliance Fall Workshop
November 10, 11, 12, 2015
2 RELIABILITY | ACCOUNTABILITY
Goals of Low Impact
• High Impact
– Large Control Centers
– CIP-003 to 009 V3 “plus”
• Medium Impact
– Generation and Transmission
– Control Centers
– Similar to CIP-003 to 009 V3
• All other BES Cyber Systems (Low Impact) must implement a policy to address:
– Cybersecurity Awareness
– Physical Security Controls
– Electronic Access Controls
– Incident Response
[Figure: V3/V4 categories (Critical; Non-Critical; Non-Impactful: Distribution, Marketing, Business) shown against V5 categories (High, Medium, Low). Labels: Large Control Centers; Control Centers; Small Control Centers; Generation and Transmission]
FERC Final Rule
• Issued November 3, 2013
– Effective February 3, 2014
• Four directives:
– Identify Assess and Correct language
– Communication Networks
– Low Impact BES Cyber Systems
– Transient Devices
• First two had one-year deadline
– Filing deadline February 3, 2015
Low Impact BES Cyber Systems
• FERC concerned with lack of objective criteria for evaluating Low Impact protections
– “Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process”
– Open to alternative approaches
– “… the criteria NERC proposes for evaluating a responsible entities’ protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.”
• No detailed inventory required … list of locations / Facilities OK
What are Low Impact BES Cyber Systems?
• Low Impact Rating (L) BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard:
3.1. Control Centers and backup Control Centers.
3.2. Transmission stations and substations.
3.3. Generation resources.
3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements.
3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System.
3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
Low Impact BES Cyber Systems
• SDT maintained all low impact requirements in CIP-003
– “Low-only entities” only need to comply with CIP-002 and CIP-003
• Added CIP-003 Part 1.2 dealing with security policy for low impact BES Cyber Systems
• Added Attachments dealing with the technical requirement and measures
– Kept four original “areas”
Low Impact BES Cyber Systems
Security Awareness
• Security Awareness
– “Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).”
– Essentially the same language as CIP-004 Requirement 1 Part 1.1 for high / medium except for timing
– Can be the same program as high/medium
Low Impact BES Cyber Systems
Physical Security
• Physical Security
– “Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.”
– Key Concepts:
o “… control access …”
o “… based on need as determined by the Responsible Entity …”
– Includes locations containing LEAP devices
Low Impact BES Cyber Systems
Incident Response
• Incident Response
– Modeled from medium impact
– 6 elements (of 9: collapsed process requirements and update requirements together; no documentation of deviations or specific record retention – but still need to demonstrate compliance)
Low Impact BES Cyber Systems
Electronic Security
• Electronic Security
– Two new definitions – LERC and LEAP
– Similar to but different from ERC and EAP concepts at medium & high
• Electronic Access Controls: Each Responsible Entity shall:
• 3.1 For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access; and
• 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.
• Seven “reference model” drawings showing LERC & LEAP in Guidelines and Technical Basis section
• Models are suggestions and guidance – not binding requirements
Low Impact BES Cyber Systems
Electronic Security
• ERC - External Routable Connectivity - The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
• LERC – Low Impact External Routable Connectivity - Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).
Low Impact BES Cyber Systems
Electronic Security
• EAP - Electronic Access Point - A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
• LEAP – Low Impact BES Cyber System Electronic Access Point - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.
Implementation Plan
• Phased implementation plan:
– IAC – no change (4/1/16)
– Communication Networks – 9 months after the effective date of the standard
– Transient Devices – 9 months after the effective date of the standard
– Low Impact
o Later of 4/1/17 or 9 months after the effective date of the standard for policy, plan, security awareness, and response
o Later of 9/1/18 or 9 months after the effective date of the standard for physical and electronic security
Implementation Plan
Standard/Requirement | Revision | 3Q15 | 4Q15 | 1Q16
CIP-002-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16
CIP-003-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
CIP-003-6, R1, part 1.1 | H/M - Policy | 1-Apr-16 | 1-Apr-16 | 1-Apr-16
CIP-003-6, R1, part 1.2 | LI - Policy | 1-Apr-17 | 1-Apr-17 | 1-Apr-17
CIP-003-6, R2 | LI - Plan | 1-Apr-17 | 1-Apr-17 | 1-Apr-17
CIP-003-6, Att 1, Sect. 1 | LI - Sec Awareness | 1-Apr-17 | 1-Apr-17 | 1-Apr-17
CIP-003-6, Att 1, Sect. 2 | LI - Phys Security | 1-Sep-18 | 1-Sep-18 | 1-Sep-18
CIP-003-6, Att 1, Sect. 3 | LI - Elec. Access | 1-Sep-18 | 1-Sep-18 | 1-Sep-18
CIP-003-6, Att 1, Sect. 4 | LI - Incident Resp | 1-Apr-17 | 1-Apr-17 | 1-Apr-17
CIP-004-6 | TCA & RM added to Training | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
CIP-005-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16
CIP-006-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
CIP-006-6, R1, part 1.10* | CN | 1-Jan-17 | 1-Jan-17 | 1-Apr-17
CIP-007-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
CIP-007-6, R1, part 1.2* | CN, RM capitalized | 1-Jan-17 | 1-Jan-17 | 1-Apr-17
CIP-008-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16
CIP-009-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
CIP-010-2 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
CIP-010-2, R4 | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17
CIP-011-2 | TCA & RM added to Guidelines | 1-Apr-16 | 1-Apr-16 | 1-Jul-16
TCA, RM Glossary Terms | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17
BCA, PCA Glossary Terms | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17
LERC, LEAP Glossary Terms | LIA | 1-Apr-17 | 1-Apr-17 | 1-Apr-17
[Table labels: NERC Board Adoption; If FERC approves CIPV5R in:; V5 E-Date; IAC, CN revisions - November 13, 2014; LI, TD revisions - February 12, 2015; April 1, 2016 - CIP V5 Approved Effective Date]
CIP Version What?
[Diagram: ballot and filing timeline. Labels: CIP-003-6/CIP-010-2, July Initial Ballot; Version X (IAC/CN Only), CIP-003-X/CIP-010-X; CIP-003-7/CIP-010-3 (4 directives); CIP-003-6/CIP-010-2 (Lows/Transients); October Additional Ballot; October Final Ballot; November Board Adoption; January Additional Ballot; January Final Ballot; CIP-003-6/CIP-004-6/CIP-006-6/CIP-007-6/CIP-009-6/CIP-010-2/CIP-011-2; February Board Adoption; FERC Filing – 2/13/2015]
NOPR
• NOPR for approval issued July 16, 2015
– Publication in Federal Register July 22, 2015
– Comments due back September 21, 2015
– Docket RM15-14
– 57 pages long
– Proposes to approve standards, VRF, VSL, and Implementation Plan
– Possible directed modifications
– Proposes to direct development of requirements relating to supply chain
NOPR
• Proposes to approve requirements (p.15-20)
– The proposed revisions address the 4 directives from Order No. 791
– Revisions “improve the base-line cybersecurity posture” compared to the currently approved standards
– Propose to approve new definitions (with possible directed changes)
– Propose to accept VRF and VSL
– Propose to approve the submitted implementation plan
NOPR
• Proposed directives for change
– Propose to modify CIP-006 to require protections for “communication links and sensitive bulk electric system data communicated between all bulk electric system Control Centers.” (p.59)
o This includes “communication between two (or more) Control Centers, but not between a Control Center and non-Control Center facilities such as substations.” (p.59)
o If “latency concerns mitigate against the use of encryption … our understanding is that other logical protections are available, and we seek comment on this point.” (p.59)
NOPR
• Proposed directives for change
– Propose to direct development of requirements “to provide security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.” (p.66)
o It “should not impose obligations on suppliers, vendors or other entities that provide services”
o It “should not dictate the abrogation or re-negotiation of effective contracts”
o It should set goals for achieving the outcome while allowing flexibility in how to achieve the outcome
o It “may need to allow exceptions, e.g., to meet safety requirements and fill operational requirements if no secure products are available”
o It should “provide enough specificity so that compliance obligations are clear and enforceable”; requiring “a plan” would not suffice
o References DOE Procurement Guide and NIST SP800-161
NOPR
• Seeks comment (and may direct modifications)
– On the general proposal for a supply chain requirement, including: features and requirements that should be included; and a reasonable timeframe to develop the standard.
– On the purpose of the meaning of the term “direct” in the definition of LERC (i.e., “direct user-initiated interactive access” and “direct device-to-device connection”), and the implementation of the “layer 7 application protocol break” contained in reference model 6
NOPR
• Concerns
– The Commission is concerned about the lack of transient device controls at Low Impact BES Cyber Systems, including Low Impact Control Centers (p.42)
o NERC has not provided adequate justification to limit the applicability for transient devices to high and medium impact only based on information in the record, and directs NERC to provide additional information supporting limiting transient device requirements to high and medium impact only (p.43)
o May direct NERC to address potential reliability gap (e.g., extend transient device applicability to low impact)
NOPR
• Next Steps
– Industry (including NERC) will provide comments and responses to the NOPR
– FERC must read and summarize all the comments
– Based on comments received, FERC will issue the final order, and may alter or accept proposed directed modifications
– Possible timeframe for final order by the end of 2015 or early 2016
NOPR Responses
• Due to FERC September 21, 2015
• 38 sets of comments filed
– Many comments on Supply Chain
NERC Response
• Supply Chain
– Supports Commission's attention to the issue
– Request two year development time to include possible technical conferences and development
– Need to consider existing industry practices to mitigate supply chain risks
– Should focus on procedures that responsible entities can reasonably be expected to implement during procurement
– Existing standards already contain requirements to help mitigate risks associated with supply chain
NERC Response
• Control Center communication
– Not opposed to further evaluation and standards development
– Requirements should not introduce reliability problems (e.g., latency)
– Should account for various risk levels of BES Control Centers
– Should be results-based and allow flexibility in how to achieve the desired outcome.
NERC Response
• Transient Devices at Low Impact BES Cyber Systems
– Existing standards take a risk-based approach, and requiring protection of transient devices at Low Impact may be counter to that approach
– Documenting how Low Impact devices are protected may divert from protecting high and medium BES Cyber Assets
– Transient Devices used at both High/Medium and Low will be protected by the proposed revised requirements
– The Commission's assertion about unfettered propagation of malware is incorrect; the mandated implementation of LEAP will help block such propagation
– If a directive is determined, it should account for the large number and significant diversity of Low Impact BES Cyber Systems
NERC Response
• Definition of LERC
– Approved definition requires access controls, and the definition covers situations where a Low Impact BES Cyber System is directly accessed from outside the asset containing the Low Impact BES Cyber System
– LEAP is used to control communication directly to the Low Impact BES Cyber System; if the communication does not go directly to the Low Impact BES Cyber System, no LEAP is required
– If NOPR responses indicate confusion, NERC can issue additional guidance or modify the definition to address the confusion.
Other Responses
• Concerns with clarity of the communications discussion
• Concepts of LERC and LEAP should be rejected; use existing ERC, EAP and ESP definitions at low
• Need clarification as to what a Control Center is in order to know what communications to protect
• Suggest guidance rather than a standard for Supply Chain; standard not required
• Request 36-month implementation timeframe for communications
• Apply Control Center communications directive to High / Medium only
Other Responses
• Move Version 5 implementation timeframe to April 1, 2017, and CIP-003-5 R2 to April 1, 2018
• Commission should require a cost/benefit analysis as part of a supply chain standards petition
• Does communication between control centers include voice? Email?
• Extend low implementation date by 3 years
• Questions about TCAs (timing, connections, use)
• Transient Device controls not needed for low
• Questions about non-programmable communications components (i.e., what are they? list of them?)
• Communications requirements belong in EOP-008
Other Responses
• Field communications should be protected as well (and synchrophasor data)
• Convene a technical conference on supply chain issues
• Timing issues with communication standards implementation
• Transient Device requirements for low would inherently require an inventory of Low Impact BES Cyber Systems
• Transient device requirements should be applied to low
• Control Center communications should be encrypted
References
• Project 2014-02 Development History:
• CIP Version 5 Revisions page:
http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-Critical-Infrastructure-Protection-Version-5-Revisions.aspx
• CIP Version 5 Transition page:
http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx