Low Impact BES Assets: Best Practices BC Outreach Webinar: Session 3 Salt Lake City UT – January 9, 2018 Joseph B. Baugh, PhD Senior Compliance Auditor – Cyber Security Western Electricity Coordinating Council W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L
Page 1

Low Impact BES Assets: Best Practices
BC Outreach Webinar: Session 3

Salt Lake City UT – January 9, 2018

Joseph B. Baugh, PhD

Senior Compliance Auditor – Cyber Security

Western Electricity Coordinating Council

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Page 2

Speaker Intro: Dr. Joseph B. Baugh

• Electrical Utility Experience (44+ years)

– Senior Compliance Auditor, Cyber Security

– IT Manager & Power Trading/Scheduling Manager

– IT Program Manager & Project Manager

– NERC Certified System Operator

– Barehand Qualified Transmission Lineman

• Educational Experience

– Degrees earned: Ph.D., MBA, BS-Computer Science

– Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM

– Academic & Technical Course Teaching Experience (20+ years)

• Business Strategy, Leadership, and Management

• Information Technology, IT Security, and Project Management

• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation

• CIP Compliance workshops and other outreach sessions


Page 3

Agenda

• CIP-003-5 R2

• WECC Low Impact Case Study [LICS]

– Challenges

• Administrative

• Technical

• Protecting Low impact BES Assets

– Frequently Asked Questions

– Lessons Learned

– Best Practices

• Differences between CIP-003-5 and CIP-003-7

– LERC/LEAP vs. electronic access controls

– Additional protections and controls


Page 4

CIP-003-5 R2

• Since BCUC may replace CIP-003-5 with CIP-003-7, entities may ignore the IAC language in R2 for CIP-003-5 compliance

• No adverse impact on R2 compliance is incurred by this action


Page 5

LICS Participation Details

• The WECC LICS pilot study ran from October 2015 through May 2016 (Wood, 2016 March 24)

• Four (4) participants from the WECC region:

– One (1) mixed impact municipal entity

• This entity had prior CIP-002-3 Critical Cyber Assets [CCA]

• Some v3 Critical Assets contained higher impact BCS under v5

• Entity identified multiple Low impact BES Assets

– Three (3) Low impact only entities

• These entities had prior null lists of CCA

• All three identified only Low impact BES Assets

• CIP compliance experience levels were also mixed


Page 6

Low Impact Case Study Goals

• Ensure an Efficient and Effective Transition

• Understand and address challenges

• Foster Communication and knowledge sharing

• Identify Guidance Topics

Page 7

Administrative Challenges

• Programs, Policies, Procedures, and Plans

– Reconciling internal definitions with NERC definitions

– Updating documentation to match

• Small, but critical staff

– Staffing the project: if a team member was sick, project progress came to a grinding halt

• Finding a place to start

– Picked one or two prototype BES Assets to develop and fine-tune the processes and procedures before rolling them out across the full set of BES Assets


Page 8

Technical Challenges

• Small Technical Staff

– Finding time to review and create the required documentation

• Meeting Compliance AND Security Needs

– Ensuring requirements are met while also focusing on physical and electronic access controls and securing the network and facilities, at a reasonable cost

• Learning Curve

– Translating compliance language from the Standards into IT and layman language

– Documenting technical issues in an easy-to-grasp manner

– Bringing field and other personnel into the compliance fold


Page 9

LICS FAQ - Policies

• Do we need to have the policies in one document, or can they be separated and tied to the associated plan (e.g., awareness, physical access controls, electronic access controls, incident response)?

– From an audit perspective it doesn't matter how the information is laid out or put together, so long as you have it and can demonstrate it for audit

– You may choose to have one document with all the policies, or you may choose to have each policy within the plan documentation

– If you do keep the policies together in a separate document, provide pointers to the associated section(s) of the attachment


Page 10

LICS FAQ - Policies

• What is the difference between program, policy, plan and procedure?

– A program is the overarching name for the documentation (or the "why") that provides both strategic and tactical elements that create compliance

– A policy is the documentation that provides the strategic overview of "what" you will do to become compliant

– The plans, practices, processes and procedures describe "how" you will perform policy requirements and are part of the tactical elements of the program

• Plans and processes are the overview of how you will be compliant

• Practices and procedures are the step-by-step details of how you perform compliance tasks


Page 11

Low impact Strategic & Tactical Elements

(Flowchart slide: the strategic and tactical elements diagram is not reproduced in this transcript)

Page 12

Auditing Low-impact Compliance

• At audit, the CIP-003 team will review and validate each strategic and tactical step down through the flowchart

• A prudent entity will develop and maintain auditable artifacts that demonstrate the entity documented and implemented a sound CIP-003 cyber security compliance program with associated policies, plans, processes, and/or procedures that cover all of its applicable Low impact BES Assets


Page 13

LICS FAQ – R2.1 Awareness

• What is awareness and what should be included?

– Webster defines "aware" as knowing that something exists. Awareness is the state of such knowledge

– In terms of the CIP-003-5 Guidelines and Technical Basis, awareness would then mean each employee is aware or cognizant of specific cyber security measures

– These measures may include any or all of the following (CIP-003-7, Attachment 2: Section 1, p. 24):

• Direct communications (for example, e-mails, memos, or computer-based training);

• Indirect communications (for example, posters, intranet, or brochures); or

• Management support and reinforcement (for example, presentations or meetings).


Page 14

LICS FAQ – R2.1 Awareness

• What are examples of reinforcement?

– In terms of the CIP-003-5 R2.1 low-impact cyber security awareness policy, the entity should present cybersecurity awareness measures to its personnel at least once every 15 calendar months

– This is the bare minimum to demonstrate compliance and may be part of an ongoing cybersecurity awareness effort that includes signage, training, case studies, and any other means of raising cybersecurity awareness


Page 15

LICS FAQ – R2.2 Physical Security Controls

• Mark Lemery will cover these topics in his presentation this afternoon


Page 16

LICS FAQ – R2.3 Electronic Access Controls

• What do I need to implement electronic access controls for external routable connections and/or dial-up connectivity?

– Until such time that additional guidance is provided by BCUC relative to CIP-003-7, a prudent entity would ensure that any protocol conversion device provides an actual authentication break between the IP and attached serial devices

– In the absence of such demonstrated evidence, the audit team may determine that unprotected electronic access is present in the serial devices and take further compliance action


Page 17

LICS FAQ – R2.3 Electronic Access Controls

• Do we need to provide a diagram and the configuration files associated with electronic access controls?

– While such diagrams and files are not specifically required by CIP-003-5, an entity should be able to demonstrate that the required controls (as defined in the R2.3 policy) are afforded where external routable access or dial-up connectivity exists into an asset containing Low impact BES Cyber Systems

– The audit team may check a sampling of Low impact Cyber Assets with electronic access to validate that such devices are protected, as required by the entity’s electronic access control policy


Page 18

LICS FAQ – R2.4 Incident Response

• Is monitoring or intrusion detection required? If not, how do I know to respond to an incident if I'm not monitoring for one?

– No, monitoring is not specifically required. The Standard Drafting Team left R2.4 as a policy to respond to an incident that somehow created its own awareness

– Although monitoring is not required by the Standard, as a best cyber security practice, a prudent entity would monitor all electronic access points to ensure it becomes aware of any cyber incident in a timely manner

– This issue has been addressed much more extensively in CIP-003-7, as well as a recent FERC NOPR (2017 December 21) on incident response and malware
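The two preceding FAQ slides (R2.3 on the authentication break at protocol conversion devices, and R2.4 on monitoring electronic access points) describe controls an entity can self-check before an audit. The script below is an added example written for this page; it is not code from the WECC presentation or from Dr. Baugh. The access-point inventory, device names, IP addresses and log lines are all constructed, and the log format is a hypothetical syslog-like layout chosen for the example. It flags inventory entries where an external routable or dial-up path reaches serial devices without any authentication break, and scans access-point authentication logs for repeated failures from one source so that an incident can create the awareness R2.4 expects the entity to have.

```python
"""Added example (not from the WECC presentation): a small self-check for
electronic access points at Low impact BES Assets.

Check 1 (R2.3 style): every external routable or dial-up path into an asset
must terminate on a device that authenticates the remote party before the
attached serial / BES Cyber Assets are reachable (the "authentication break").

Check 2 (R2.4 style): monitoring is not required by CIP-003-5, but scanning
access-point logs for bursts of failed logins is one way an entity becomes
aware of an incident in a timely manner.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class AccessPoint:
    asset: str                # Low impact BES Asset (constructed name)
    device: str               # device terminating the external connection
    path: str                 # "routable" or "dial-up"
    converts_to_serial: bool  # IP/dial-up to serial protocol converter?
    auth_required: bool       # does the device authenticate remote users?


# Constructed inventory; every name here is hypothetical.
INVENTORY = [
    AccessPoint("Substation A", "term-srv-a1", "routable", True, True),
    AccessPoint("Substation B", "serial-gw-b1", "routable", True, False),
    AccessPoint("Plant C", "dialup-modem-c1", "dial-up", True, False),
    AccessPoint("Plant C", "vpn-fw-c1", "routable", False, True),
]


def find_unprotected_access(inventory):
    """Return the access points that provide no authentication break."""
    return [ap for ap in inventory if not ap.auth_required]


# Constructed log lines in a hypothetical syslog-like format.
LOG_LINES = """\
Jan 09 08:01:02 term-srv-a1 auth: login ok user=tech01 src=10.20.30.5
Jan 09 08:02:10 term-srv-a1 auth: login failed user=admin src=198.51.100.7
Jan 09 08:02:12 term-srv-a1 auth: login failed user=admin src=198.51.100.7
Jan 09 08:02:15 term-srv-a1 auth: login failed user=root src=198.51.100.7
Jan 09 08:02:19 term-srv-a1 auth: login failed user=operator src=198.51.100.7
Jan 09 08:05:44 vpn-fw-c1 auth: login failed user=tech02 src=10.20.30.9
Jan 09 08:06:01 vpn-fw-c1 auth: login ok user=tech02 src=10.20.30.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) auth: "
    r"login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_login_bursts(events, threshold=3):
    """Return {(device, src): failures} for sources at or above the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "failed":
            counts[(e["device"], e["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for ap in find_unprotected_access(INVENTORY):
        exposure = "serial devices behind it" if ap.converts_to_serial else "the asset"
        print(f"GAP: {ap.asset} / {ap.device} ({ap.path}) has no "
              f"authentication break; {exposure} are reachable unauthenticated")
    for (dev, src), n in failed_login_bursts(parse_log(LOG_LINES)).items():
        print(f"ALERT: {n} failed logins on {dev} from {src}")
```

The inventory check produces exactly the kind of auditable artifact the R2.3 slide asks for: a list, per access point, of whether an authentication break exists, which can be refreshed each time the Cyber Asset list changes. The log check is deliberately simple (a count per device and source); the point is that the entity, not the auditor, decides the threshold and reviews the output as part of its incident response plan.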


Page 19

LICS FAQ – R3 CIP Senior Manager

• Can a CIP Senior Manager be a contractor?

– No, the CIP Senior Manager is a defined term in the NERC Glossary and specifically states this person must be a “single senior management official with overall authority and responsibility” (NERC, 2018 January 2, Glossary of Terms, p. 9) for an entity’s CIP compliance program

– The BCUC adopted the NERC Glossary dated October 1, 2014 via BCUC Order R-38-15 (2015 July 15, Article H, p. 2), including the CIP Senior Manager term (Ibid, p. 16), so this response is equally valid in the BCUC footprint


Page 20

LICS FAQ – R3 CIP Senior Manager

• What kind of documentation would you expect to see for CIP-003-5 R3?

– A document on company letterhead that includes the name and title of the CIP Senior Manager, with the date of his or her assignment, is sufficient


Page 21

LICS FAQ – R4 Delegations

• Can the CIP Senior Manager information and delegate information reside in the same document, or do they need to be in separate documents?

– For audit purposes, R3 and R4 simply must be documented. It doesn't matter if these assignments are in one document or multiple documents

– However, the CIP Senior Manager is generally assigned by the CEO, General Manager, or some other high-level executive. Delegates may be assigned for specific CIP duties on shorter timeframes by the CIP Senior Manager, so the audit team generally sees multiple documents


Page 22

LICS FAQ – General Questions

• If an entity opts to combine their low impact policy and plan documentation with their High and/or Medium impact documents, how could this information be shared with low impact personnel, since there are additional requirements for High and Medium BCS pertaining to BCSI (CIP-004 R2 and R4)?

– Entities are allowed to combine their documents for Highs, Mediums, and Lows, but if the combined documentation contains BES Cyber System Information (BCSI), an entity would need to include everyone with access to the BCSI within the associated programs (e.g., access management) when the entity implemented the applicable requirements. This would include individuals who are only associated with Low Impact BCS

– With that in mind, it may be more feasible to use the High and/or Medium BCS documentation as a starting point and develop a specific set of documentation for Low-impact BES Assets for use by a wider set of personnel


Page 23

LICS FAQ – General Questions

• Can we use our existing system inventory as Low Impact Cyber Assets List knowing it is not required?

– Even though discrete lists of Low-impact BCS are not required by CIP-002-5.1 R1.3, LICS participants found it almost impossible to ensure all required controls were afforded without such lists of applicable Cyber Assets for each LIBCS at each identified and documented Low-impact BES Asset


Page 24

LICS Lessons Learned

• LICS participants were asked these questions during the panel discussion at the WECC Compliance Workshop in La Jolla (Wood, 2016):

– What are your perspectives on necessary resources?

– What are some of the key conclusions, lessons learned, and recommendations for transitioning to CIP Version 5 for entities with assets containing low impact BCS?

– Did you find any ambiguity in the Requirements? If so, how did you clarify these issues?

• The responses are captured in the following slides


Page 25

LICS Lessons Learned

• Review the standards and clarify all of the documentation requirements for each standard early on

– Kept each documentation requirement as a highlighted action item in all of their drafts

• Create an internal cascading project timeline w/deliverables

– Develop Gantt charts to track tasks and update them, as applicable, each week

• Research, Research, Research

– Tap unlikely sources such as your commercial insurance carrier/broker

– One entity used a “great template” from its insurance carrier for its cyber incident response plan


Page 26

LICS Lessons Learned

• Don’t be fooled by the generic and oversimplified requirements for policies

– They are simplistic by design to allow you the flexibility to build your own workable policies and plans, but they are going to take more time to develop and implement than you think, so build some extra time into your project timeline for testing & feedback, budget cycles, and unplanned contingencies

• Engage Subject Matter Experts [SMEs] and plant/field personnel who are going to have to live with the results of your transition project early on

– “No use flying 8000 RPMs down the road to a technically unattainable or cost-prohibitive goal”


Page 27

LICS Lessons Learned

• Have weekly team meetings

– Even if there’s not much to discuss, this practice keeps the project on everyone’s radar

• Make sure all documents at minimum undergo a basic technical and legal review and then a final formatting review

– Copy & paste is both a blessing and a curse!

• Avoid business silos

– If you are coming from the IT side of the house, go shake hands with and learn about the OT environment, as it will allow you to better understand the assets you’re trying to protect

– The OT side of the house will also gain a better understanding of why you’re doing the things you do to achieve compliance


Page 28

Best Practices and Next Steps

• Approach the Low impact compliance implementation as an approved & funded project

• Develop a sound project plan including tasks, schedules, and anticipated costs

• Begin with one or two nearby Low impact BES Assets as part of a prototype program to test and implement electronic and physical security controls

• Roll out the cyber security training and awareness programs early on to minimize resistance to change from field personnel


Page 29

Best Practices and Next Steps

• Vet documents as they are implemented and make any necessary changes to reflect actual field conditions

• Continue to develop and improve electronic and physical security measures and controls during the implementation

• Integrate additional BES Assets on your project timeline based on the knowledge gained and lessons learned during the prototype phase

• Develop lists of Cyber Assets during the implementation phase; this practice will help greatly during the implementation of CIP-003-7


Page 30

CIP-003-x Standard Versions

• CIP-003-5 only requires an entity to implement four cyber security policies (R2.1-R2.4)

• CIP-003-5 becomes effective October 1, 2018 (BCUC Order R-38-15, 2015 July 24)

• Subsequent versions moved the cyber security policies to R1.2, while R2 now requires more extensive plans, processes, and procedures for Low impact BES Assets

• CIP-003-6 was held in abeyance for British Columbia due to the pending CIP-003-7 revision (adopted by NERC Board of Trustees February 9, 2017), which is awaiting FERC approval in the US

• FERC proposed approval of CIP-003-7 on October 26, 2017 in a Notice of Public Rulemaking [NOPR] published in the Federal Register (2017 October 29), with a comment period ending December 26, 2017


Page 31

CIP-003-7 Items of Interest

• Since FERC approval of CIP-003-7 is expected in the first quarter of 2018, a prudent entity would review CIP-003-7 (NERC, 2017 February 9) and prepare for possible BCUC adoption of that Standard

• CIP-003-7 clarifies elements for which electronic access protections need to be applied as directed by FERC to NERC as a condition of adopting CIP-003-6

• BCUC may not adopt LERC and LEAP terms, which will be retired from the NERC Glossary upon FERC approval of CIP-003-7 and addressed as electronic access controls (see NERC, 2017 Feb 9, CIP-003-7: Attachment 1 Section 3, p. 22)

• CIP-003-7 may be in the next BC Hydro Standard assessment report filed with the BCUC this year


Page 32

Key Changes in CIP-003-7

• CIP-003-7 moved Low impact cyber security policies from R2 to R1.2 (p. 5) and added policies for malicious code mitigation for Transient Cyber Assets [TCA] and Removable Media [RM] (R1.2.5) as well as CIP Exceptional Circumstances (R1.2.6)

• R2 references Attachment 1 (pp. 22-24), which includes specific provisions for cyber security plans:

– Section 1: Cyber Security Awareness,

– Section 2: Physical Security Controls,

– Section 3: Electronic Access Controls,

– Section 4: Cyber Security Incident Response, and

– Section 5: TCA and RM Malicious Code Risk Mitigation.

• Attachment 2 (pp. 25-27) provides examples of evidence for the five section plans cited above


Page 33

Speaker Contact Information

Joseph B. Baugh, Ph.D., MBA
PMP, CISA, CISSP, CRISC, CISM

Senior Compliance Auditor - Cyber Security

Western Electricity Coordinating Council (WECC)

jbaugh (at) wecc (dot) biz

(C) 520.331.6351

(O) 360.600.6631

Page 34

References

• BCUC. (2015 July 24). Order R-38-15. Retrieved from http://www.bcuc.com/Documents/Orders/2015/DOC_44244_R-38-15_BCH_MRS_RPT_8.pdf

• FERC. (2017 October 29). Revised Critical Infrastructure Protection Reliability Standard CIP-003-7 – Cyber Security – Security Management Controls [Notice of Public Rulemaking], 18 CFR Part 40, Docket No. RM17-11-000. In Federal Register, 82(206), pp. 49541-49549. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2017-10-26/pdf/2017-23287.pdf

• FERC. (2017 December 21). Cyber Security Incident Reporting Reliability Standards [Notice of Public Rulemaking], 161 FERC ¶ 61,291, 18 CFR Part 40, Docket Nos. RM18-2-000 and AD17-9-000. Retrieved from https://www.ferc.gov/whats-new/comm-meet/2017/122117/E-1.pdf


Page 35

References

• NERC. (2018 January 2). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/files/glossary_of_terms.pdf

• NERC. (2017 February 9). CIP-003-7 – Cyber Security – Security Management Controls [Adopted by NERC Board of Trustees]. Retrieved from http://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-7.pdf

• Wood, L. (2016 March 24). Low Impact Case Study (LICS) Presentation/Panel. Presentation at WECC Compliance Workshop in La Jolla CA. Retrieved from https://www.wecc.biz/_layouts/15/WopiFrame.aspx?sourcedoc=/Administrative/13a%20Low%20Impact%20Case%20Study%20March%202016%20Wood.pdf&action=default&DefaultItemOpen=1
