Date post: 11-Mar-2018
Cyber Security Standards: Low Impact Requirements Scott R. Mix, CISSP, NERC Senior CIP Technical Manager FRCC Compliance Fall Workshop November 10, 11, 12, 2015

Cyber Security Standards:

Low Impact Requirements

Scott R. Mix, CISSP, NERC Senior CIP Technical Manager

FRCC Compliance Fall Workshop

November 10, 11, 12, 2015

2 RELIABILITY | ACCOUNTABILITY

Goals of Low Impact

• High Impact

– Large Control Centers

– CIP-003 to 009 V3 “plus”

• Medium Impact

– Generation and Transmission

– Control Centers

– Similar to CIP-003 to 009 V3

• All other BES Cyber Systems (Low Impact) must implement a policy to address:

– Cybersecurity Awareness

– Physical Security Controls

– Electronic Access Controls

– Incident Response

[Figure: V3/V4 categories (Critical, Non-Critical, Non-Impactful: Distribution, Marketing, Business) compared with V5 impact ratings (High, Medium, Low) for Large Control Centers, Control Centers, Small Control Centers, and Generation and Transmission]


FERC Final Rule

• Issued November 3, 2013

Effective February 3, 2014

• Four directives:

Identify Assess and Correct language

Communication Networks

Low Impact BES Cyber Systems

Transient Devices

• First two had one-year deadline

Filing deadline February 3, 2015


Low Impact BES Cyber Systems

• FERC concerned with lack of objective criteria for evaluating Low Impact protections

“Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process”

Open to alternative approaches

“… the criteria NERC proposes for evaluating a responsible entities’ protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.”

• No detailed inventory required … list of locations / Facilities OK


What are Low Impact BES Cyber Systems?

• Low Impact Rating (L): BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard:

3.1. Control Centers and backup Control Centers.

3.2. Transmission stations and substations.

3.3. Generation resources.

3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements.

3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System.

3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.


Low Impact BES Cyber Systems

• SDT maintained all low impact requirements in CIP-003

“Low-only entities” only need to comply with CIP-002 and CIP-003

• Added CIP-003 Part 1.2 dealing with security policy for low impact BES Cyber Systems

• Added Attachments dealing with the technical requirement and measures

Kept four original “areas”

Low Impact BES Cyber Systems: Security Awareness

• Security Awareness

“Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).”

Essentially the same language as CIP-004 Requirement 1 Part 1.1 for high / medium except for timing

Can be the same program as high/medium

Low Impact BES Cyber Systems: Physical Security

• Physical Security

“Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.”

Key Concepts:

o “… control access …”

o “… based on need as determined by the Responsible Entity …”

Includes locations containing LEAP devices

Low Impact BES Cyber Systems: Incident Response

• Incident Response

Modeled from medium impact

6 elements (of 9: collapsed process requirements and update requirements together; no documentation of deviations or specific record retention – but still need to demonstrate compliance)


Low Impact BES Cyber Systems: Electronic Security

• Electronic Security

Two new definitions – LERC and LEAP

Similar to but different from ERC and EAP concepts at medium & high

• Electronic Access Controls: Each Responsible Entity shall:

• 3.1 For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access; and

• 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.

• Seven “reference model” drawings showing LERC & LEAP in Guidelines and Technical Basis section

• Models are suggestions and guidance – not binding requirements

Low Impact BES Cyber Systems: Electronic Security

• ERC - External Routable Connectivity - The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

• LERC – Low Impact External Routable Connectivity - Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).

Low Impact BES Cyber Systems: Electronic Security

• EAP - Electronic Access Point - A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

• LEAP – Low Impact BES Cyber System Electronic Access Point - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.


Implementation Plan

• Phased implementation plan:

IAC – no change (4/1/16)

Communication Networks – 9 months after the effective date of the standard

Transient Devices – 9 months after the effective date of the standard

Low Impact

o Later of 4/1/17 or 9 months after the effective date of the standard for policy, plan, security awareness, and response

o Later of 9/1/18 or 9 months after the effective date of the standard for physical and electronic security


Implementation Plan

If FERC approves CIPV5R in:

| Standard/Requirement | Revision | 3Q15 | 4Q15 | 1Q16 |
|---|---|---|---|---|
| CIP-002-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-003-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-003-6, R1, part 1.1 | H/M - Policy | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-003-6, R1, part 1.2 | LI - Policy | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-003-6, R2 | LI - Plan | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-003-6, Att 1, Sect. 1 | LI - Sec Awareness | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-003-6, Att 1, Sect. 2 | LI - Phys Security | 1-Sep-18 | 1-Sep-18 | 1-Sep-18 |
| CIP-003-6, Att 1, Sect. 3 | LI - Elec. Access | 1-Sep-18 | 1-Sep-18 | 1-Sep-18 |
| CIP-003-6, Att 1, Sect. 4 | LI - Incident Resp | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |
| CIP-004-6 | TCA & RM added to Training | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-005-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-006-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-006-6, R1, part 1.10* | CN | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| CIP-007-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-007-6, R1, part 1.2* | CN, RM capitalized | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| CIP-008-5 | not up for revision | 1-Apr-16 | 1-Apr-16 | 1-Apr-16 |
| CIP-009-6 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-010-2 | | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| CIP-010-2, R4 | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| CIP-011-2 | TCA & RM added to Guidelines | 1-Apr-16 | 1-Apr-16 | 1-Jul-16 |
| TCA, RM Glossary Terms | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| BCA, PCA Glossary Terms | TD | 1-Jan-17 | 1-Jan-17 | 1-Apr-17 |
| LERC, LEAP Glossary Terms | LIA | 1-Apr-17 | 1-Apr-17 | 1-Apr-17 |

NERC Board Adoption

V5 E-Date

IAC, CN revisions - November 13, 2014

LI, TD revisions - February 12, 2015

April 1, 2016 - CIP V5 Approved Effective Date

CIP Version What?

[Figure: diagram with the following labels: CIP-003-6/CIP-010-2, July Initial Ballot; CIP-003-6/CIP-010-2; Version X, IAC/CN Only, CIP-003-X/CIP-010-X; CIP-003-7/CIP-010-3, 4 directives; CIP-003-6/CIP-010-2, Lows/Transients; October Additional Ballot; October Final Ballot; November Board Adoption; January Additional Ballot; January Final Ballot; CIP-003-6/CIP-004-6/CIP-006-6/CIP-007-6/CIP-009-6/CIP-010-2/CIP-011-2; February Board Adoption; FERC Filing – 2/13/2015]


NOPR

• NOPR for approval issued July 16, 2015

Publication in Federal Register July 22, 2015

Comments due back September 21, 2015

Docket RM15-14

57 pages long

Proposes to approve standards, VRF, VSL, and Implementation Plan

Possible directed modifications

Proposes to direct development of requirements relating to supply chain


NOPR

• Proposes to approve requirements (p.15-20)

The proposed revisions address the 4 directives from Order No. 791

Revisions “improve the base-line cybersecurity posture” compared to the currently approved standards

Propose to approve new definitions (with possible directed changes)

Propose to accept VRF and VSL

Propose to approve the submitted implementation plan


NOPR

• Proposed directives for change

Propose to modify CIP-006 to require protections for “communication links and sensitive bulk electric system data communicated between all bulk electric system Control Centers.” (p.59)

o This includes “communication between two (or more) Control Centers, but not between a Control Center and non-Control Center facilities such as substations.” (p.59)

o If “latency concerns mitigate against the use of encryption … our understanding is that other logical protections are available, and we seek comment on this point.” (p.59)

NOPR

• Proposed directives for change

Propose to direct development of requirements “to provide security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.” (p.66)

o It “should not impose obligations on suppliers, vendors or other entities that provide services”

o It “should not dictate the abrogation or re-negotiation of effective contracts”

o It should set goals for achieving the outcome while allowing flexibility in how to achieve the outcome

o It “may need to allow exceptions, e.g., to meet safety requirements and fill operational requirements if no secure products are available”

o It should “provide enough specificity so that compliance obligations are clear and enforceable”; requiring “a plan” would not suffice

o References DOE Procurement Guide and NIST SP800-161

NOPR

• Seeks comment (and may direct modifications)

On the general proposal for a supply chain requirement, including: features and requirements that should be included; and a reasonable timeframe to develop the standard.

On the purpose of the meaning of the term “direct” in the definition of LERC (i.e., “direct user-initiated interactive access” and “direct device-to-device connection”), and the implementation of the “layer 7 application protocol break” contained in reference model 6


NOPR

• Concerns

The commission is concerned about the lack of transient device controls at Low Impact BES Cyber Systems, including Low Impact Control Centers (p.42)

o NERC has not provided adequate justification to limit the applicability for transient devices to high and medium impact only based on information in the record, and directs NERC to provide additional information supporting limiting transient device requirements to high and medium impact only (p.43)

o May direct NERC to address potential reliability gap (e.g., extend transient device applicability to low impact)


NOPR

• Next Steps

Industry (including NERC) will provide comments and responses to the NOPR

FERC must read and summarize all the comments

Based on comments received, FERC will issue the final order, and may alter or accept proposed directed modifications

Possible timeframe for final order by the end of 2015 or early 2016


NOPR Responses

• Due to FERC September 21, 2015

• 38 sets of comments filed

Many comments on Supply Chain


NERC Response

• Supply Chain

Supports Commission's attention to the issue

Request two-year development time to include possible technical conferences and development

Need to consider existing industry practices to mitigate supply chain risks

Should focus on procedures that responsible entities can reasonably be expected to implement during procurement

Existing standards already contain requirements to help mitigate risks associated with supply chain


NERC Response

• Control Center communication

Not opposed to further evaluation and standards development

Requirements should not introduce reliability problems (e.g., latency)

Should account for various risk levels of BES Control Centers

Should be results-based and allow flexibility in how to achieve the desired outcome.

NERC Response

• Transient Devices at Low Impact BES Cyber Systems

Existing standards take a risk-based approach, and requiring protection of transient devices at Low Impact may be counter to that approach

Documenting how Low Impact devices are protected may divert from protecting high and medium BES Cyber Assets

Transient Devices used at both High/Medium and Low will be protected by the proposed revised requirements

The Commission's assertion about unfettered propagation of malware is incorrect; the mandated implementation of LEAP will help block such propagation

If a directive is determined, it should account for the large number and significant diversity of Low Impact BES Cyber Systems


NERC Response

• Definition of LERC

Approved definition requires access controls, and the definition covers situations where a Low Impact BES Cyber System is directly accessed from outside the asset containing the Low Impact BES Cyber System

LEAP is used to control communication directly to the Low Impact BES Cyber System; if the communication does not go directly to the Low Impact BES Cyber System, no LEAP is required

If NOPR responses indicate confusion, NERC can issue additional guidance or modify the definition to address the confusion.


Other Responses

• Concerns with clarity of the communications discussion

• Concepts of LERC and LEAP should be rejected; use existing ERC, EAP and ESP definitions at low

• Need clarification as to what a Control Center is in order to know what communications to protect

• Suggest guidance rather than a standard for Supply Chain; standard not required

• Request 36-month implementation timeframe for communications

• Apply Control Center communications directive to High / Medium only


Other Responses

• Move Version 5 implementation timeframe to April 1, 2017, and CIP-003-5 R2 to April 1, 2018

• Commission should require a cost/benefit analysis as part of a supply chain standards petition

• Does communication between control centers include voice? Email?

• Extend low implementation date by 3 years

• Questions about TCAs (timing, connections, use)

• Transient Device controls not needed for low

• Questions about non-programmable communications components (i.e., what are they? list of them?)

• Communications requirements belong in EOP-008


Other Responses

• Field communications should be protected as well (and synchrophasor data)

• Convene a technical conference on supply chain issues

• Timing issues with communication standards implementation

• Transient Device requirements for low would inherently require an inventory of Low Impact BES Cyber Systems

• Transient device requirements should be applied to low

• Control Center communications should be encrypted


References

• Project 2014-02 Development History:

• CIP Version 5 Revisions page:

http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-Critical-Infrastructure-Protection-Version-5-Revisions.aspx

• CIP Version 5 Transition page:

http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

Questions

Scott Mix, CISSP

Senior CIP Technical Manager

[email protected]

