Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM Senior Compliance Auditor, Cyber Security Salt Lake City, UT Office CIP-006 V3 to CIP-006 V5.

Presentation transcript:

CIP-006 V3 to CIP-006 V5 Transition Overview. Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM, Senior Compliance Auditor, Cyber Security, Salt Lake City, UT Office. V5 Outreach, Salt Lake City, UT, 5/14/2014

2 Revision History of Road Show (Lessons Learned updates to slide deck)
CIP-006    Change History    Date
R1         Added R1.10       5/8/2014    (NERC SDT addition per FERC Order)

3 Speaker Intro: Darren T. Nielsen, CISA, CPP, PCI, PSP
24 years Physical Security Experience
o Marine Corps Veteran (PRP)
o Retired Law Enforcement Officer
o 7 years Critical Infrastructure Protection Program
o ASIS Utilities Security Council – Chairman
o ASIS Physical Security Council
o Education: M.Ad. (Leadership Emphasis) w/Distinction - Northern Arizona University
o BA - Police Science - Ottawa University (Summa Cum Laude)

4 Purpose of V5 Transition Presentation
o Provide a basic overview of the changes
o Share WECC audit approach
o Provide examples of Best Practices
o Answer questions to assist your compliance efforts

5 Summary of CIP Changes
Physical Security Program
o Must define the operational or procedural controls to restrict physical access
o Removed current “6 wall” wording to instead require a Physical Border (PSP)
o For High Impact, added the need to utilize two or more different and complementary physical access controls to restrict physical access
o Testing changed to a 24-month cycle
ocument_for_CIP_V5_Clean_( ).pdf

6 CIP-006 Physical Security of BES Cyber Systems: a new Purpose, and some new language
To manage physical access to “BES Cyber Systems” by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

7 New language to assist going forward
High Impact BES Cyber Systems –
Medium Impact BES Cyber Systems –
Medium Impact BES Cyber Systems without External Routable Connectivity –
Medium Impact BES Cyber Systems with External Routable Connectivity –
o This also excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity.

8 New language (continued)
Physical Access Control Systems (PACS) – Applies to each Physical Access Control System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.

9 New language (continued)
Locally mounted hardware or devices at the Physical Security Perimeter – Applies to the locally mounted hardware or devices (e.g., motion sensors, electronic lock control mechanisms, and badge readers) at a Physical Security Perimeter associated with a referenced high impact BES Cyber System or medium impact BES Cyber System with External Routable Connectivity, and that do not contain or store access control information or independently perform access authentication. These hardware and devices are excluded from the definition of Physical Access Control Systems.

10 New language (continued; end of new language)
Protected Cyber Assets (PCA) – Applies to each Protected Cyber Asset associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.
Electronic Access Control or Monitoring Systems (EACMS) – Applies to each Electronic Access Control or Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems.
You're now bilingual CIP personnel.

11 CIP-006 R1: A new look – Requirements and Measures
A substantive change: your Plan now becomes a Program. No Annual Approval.

12 CIP-006 R1.2: A new look – Requirements and Measures
Methods to control, log and monitor access remain the same as CIP-006 (V3) R4, R5, and R6.

13 CIP-006 R1.2: A new look – Requirements and Measures
o Aligns to old V3 for CCAs and protecting PACS assets.

14 CIP-006 R1.3: A new look – Requirements and Measures
Major change: physical access control to High Impact BES Cyber System assets.
For physically layered protection, a locked gate in combination with a locked control building could be acceptable, provided no single authenticator (e.g., key or card key) would provide access through both.

15 CIP-006 R1.3 – Audit Approach
Two forms of access control means access needs to require two of the following:
1. Something you know (PIN, password, etc.)
2. Something you are (biometrics, security guard identity verification, etc.)
3. Something you have (hard key, token, card key, etc.)

16 CIP-006 R1.3 – Audit Approach
Methods of physical access control include:
Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “man-trap” systems.
Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station.
Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access into the Physical Security Perimeter.
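The R1.3 audit approach on slides 14 to 16 can be checked mechanically for a given entry path. The following is an added example, not code from the WECC deck; it assumes a simple model in which each layer of a PSP entry path lists the alternatives that open it, each alternative is the set of authenticators presented together, and every authenticator is tagged with one of the three factor categories from slide 15. The sample paths are constructed from the locked gate plus control building scenario on slide 14.

```python
# Added example (not from the WECC deck): a model check for the CIP-006-5 R1.3
# audit approach. Assumed model: an entry path is a list of layers; each layer
# lists the alternatives that open it, and each alternative is the set of
# authenticators presented together (card + PIN at one reader is one
# alternative). Every authenticator carries one factor category.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Authenticator:
    name: str    # e.g. "badge", "PIN"
    factor: str  # "know" (PIN), "have" (key, card, token) or "are" (biometric, guard check)

Layer = list[frozenset[Authenticator]]  # any one alternative opens the layer

def r13_findings(path: list[Layer]) -> list[str]:
    """Return audit findings for one entry path; an empty list means acceptable.

    Each combination of one alternative per layer is a way in, so every
    combination must (a) use two or more different factor categories and
    (b) not rely on a single authenticator for every layer (slide 14 caveat).
    """
    if not path:
        return ["no physical access control on this path"]
    findings = []
    for combo in product(*path):
        used = frozenset().union(*combo)
        names = " + ".join(sorted(a.name for a in used))
        if len(used) == 1:
            findings.append(f"single authenticator opens every layer: {names}")
        elif len({a.factor for a in used}) < 2:
            findings.append(f"only one factor category on path: {names}")
    return findings

# Constructed sample paths modelled on slide 14: a locked gate in front of a control building.
GATE_KEY = Authenticator("gate key", "have")
BLDG_KEY = Authenticator("building key", "have")
BADGE = Authenticator("badge", "have")
PIN = Authenticator("PIN", "know")

def shared_key_path() -> list[Layer]:
    return [[frozenset({GATE_KEY})], [frozenset({GATE_KEY})]]  # one key opens both locks

def two_keys_path() -> list[Layer]:
    return [[frozenset({GATE_KEY})], [frozenset({BLDG_KEY})]]  # two locks, both "something you have"

def badge_pin_path() -> list[Layer]:
    return [[frozenset({BADGE})], [frozenset({BADGE, PIN})]]  # badge at gate, badge + PIN at door
```

Two different keys pass the slide 14 caveat (no single authenticator) but fail the slide 15 test, because both are "something you have"; the badge plus PIN path passes both.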

17 CIP-006 R1.4: A new look – Requirements and Measures
This is the old CIP-006 R5 Monitoring Requirement.

18 CIP-006 R1.5: A new look – Requirements and Measures
More of the old R5, for High Impact and Medium with ERC, within 15 minutes.

19 CIP-006 R1.6: A new look – Requirements and Measures
Specific to PACS associated with… this is the old CIP-006 R2.1 with a twist: PACS must now be monitored in addition to the Physical Security Perimeter.

20 CIP-006 R1.7: A new look – Requirements and Measures
NOTE: within 15 minutes for “detected” unauthorized (UA) access to a PACS. Added notification emphasis: the contact identified in the CSIRP.

21 CIP-006 R1.8: A new look – Requirements and Measures
Logs requirement (old CIP-006 R6).

22 CIP-006 R1.9: A new look – Requirements and Measures
Log retention stays the same (old V3 R7).

23 CIP-006 R1.10 (in work by the SDT)

24 CIP-006 R2: A new look – Requirements and Measures
Visitor Control Program (old V3 R1.6). Added CIP Exceptional Circumstances.

25 CIP-006 R2.2 & R2.3: A new look – Requirements and Measures
Major change: log a visitor only once per day (initial entry and exit). Point of Contact required. Maintain logs for 90 days (R2.3).

26 CIP-006 R3: A new look – Requirements and Measures
Testing & Maintenance (old CIP-006 R8) changed from a 3-year to a 2-year cycle.

27 Physical Access Controls: Key Control Program
o Who has them?
o How do you log the use of a hard key?
o Is an alarm triggered when the door is opened?
o Do they have a PRA?
o Training

28 Logging
Visitor/escort forgets to log out. Are you in a Possible Violation situation?
o Can you retrieve data via Cameras?
o Other Logs?
o Ask and update to ensure completeness of logs.
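The once-per-day visitor logging and 90-day retention on slide 25, and the forgotten log-out on slide 28, can be checked with a small completeness pass over the visitor log. The following is an added example, not code from the WECC deck; the log format (one "timestamp,visitor,point of contact,IN|OUT" line per event) and the sample entries are constructed for illustration, and the audit date is passed in as an ISO string.

```python
# Added example (not from the WECC deck): a completeness check over a constructed
# visitor log, following slides 25 and 28. Assumed line format:
# "YYYY-MM-DD HH:MM,visitor,point_of_contact,IN|OUT". A visitor is logged once per
# day (initial entry and last exit); a day with an entry but no exit is the
# "escort forgot to log out" case and must be reconstructed from other evidence.
from collections import defaultdict
from datetime import date, datetime, timedelta

RETENTION_DAYS = 90  # CIP-006-5 R2.3 as stated on slide 25

SAMPLE_LOG = """\
2014-05-12 08:02,J. Smith,D. Jones,IN
2014-05-12 11:40,J. Smith,D. Jones,OUT
2014-05-12 13:15,J. Smith,D. Jones,IN
2014-05-12 16:05,J. Smith,D. Jones,OUT
2014-05-13 09:30,A. Lee,,IN
2014-05-13 09:31,A. Lee,,OUT
2014-05-13 10:00,R. Patel,D. Jones,IN
"""

def parse_log(text: str):
    """Yield (timestamp, visitor, point_of_contact, IN|OUT) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, visitor, poc, kind = (f.strip() for f in line.split(","))
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M"), visitor, poc, kind

def visitor_log_findings(text: str, audit_date: str):
    """Return (findings, days_to_retain) for an audit performed on audit_date."""
    per_day = defaultdict(lambda: {"in": None, "out": None, "poc": set()})
    for ts, visitor, poc, kind in parse_log(text):
        rec = per_day[(ts.date(), visitor)]
        rec["poc"].add(poc)
        if kind == "IN" and rec["in"] is None:
            rec["in"] = ts     # only the initial entry of the day is required
        elif kind == "OUT":
            rec["out"] = ts    # the last exit of the day closes the visit
    findings = []
    for (day, visitor), rec in sorted(per_day.items()):
        if rec["in"] is None:
            findings.append(f"{day} {visitor}: exit logged without an entry")
        if rec["out"] is None:
            findings.append(f"{day} {visitor}: no exit logged; check cameras/other logs")
        if "" in rec["poc"]:
            findings.append(f"{day} {visitor}: no point of contact recorded")
    # Days inside the 90-day window must still be on file at audit time.
    cutoff = date.fromisoformat(audit_date) - timedelta(days=RETENTION_DAYS)
    retain = sorted({d.isoformat() for d, _ in per_day if d >= cutoff})
    return findings, retain
```

J. Smith's second entry the same day is absorbed into the single daily record, while R. Patel's open visit and A. Lee's missing point of contact are reported for follow-up before the auditor sees them.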

29 At Your Service
PSWG - Get plugged in! CIIMS/PSWG/default.aspx
A phone call away - we want to help. Always willing to provide our “audit approach”.

Questions? Darren T. Nielsen, M.Ad, CISA, CPP, PCI, PSP, CBRA, CBRM, Senior Compliance Auditor, Cyber Security, Western Electricity Coordinating Council, 155 North 400 West, Suite 200, Salt Lake City, UT, (801)