Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Presentation transcript:

Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security
CIP v5 Roadshow, May 14-15, 2014
CIP-003-5 Security Management Controls

Agenda
- Differences and relations to current requirements
- Audit approach
- Possible pitfalls to look for while transitioning to version 5
- Implementation tips

CIP 003-5 R1 Differences (CIP 003-3 R1 → CIP 003-5 R1)
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
- 1.1 Personnel & training (CIP-004);
- 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
- 1.3 Physical security of BES Cyber Systems (CIP-006);
- 1.4 System security management (CIP-007);
- 1.5 Incident reporting and response planning (CIP-008);
- 1.6 Recovery plans for BES Cyber Systems (CIP-009);
- 1.7 Configuration change management and vulnerability assessments (CIP-010);
- 1.8 Information protection (CIP-011); and
- 1.9 Declaring and responding to CIP Exceptional Circumstances
Note: Implementation of these policies is addressed in standards CIP-004-5 through CIP-011-1; therefore it is not part of this requirement.

What is a CIP Exceptional Circumstance?
“A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.” (NERC, 2014, Glossary of Terms, p. 19)

CIP-003-5 R1 Audit Approach
- Is there a documented policy or policies that address the nine (9) topics? There can be either a single policy that covers all topics or an individual policy for each.
- Do the policies specifically state High and Medium Impact BES Cyber Systems?

CIP-003-5 R1 Audit Approach (cont.)
Cyber Security Policy:
- Was it reviewed by the CIP Senior Manager once every 15 calendar months?
- Evidence of review/approval, including wet ink or electronic signature and version control/revision history with action and date
- If the document is in a document management system, provide a screen shot of what the CIP Senior Manager reviewed, and include an approval signature page associated with the reviewed document

CIP-003-5 R1 – Possible Pitfalls
- Policy doesn’t address all identified topics in the requirement
- Not consistently reviewing every 15 months
- Current annual schedule may not meet the requirement
- Notifications and alerts may not get updated

CIP-003-5 R1 Implementation Tips
- Set up or update annual review notifications and alerts to meet the 15 calendar month criteria
- Address High and Medium in policies
- Review Best Practices: Managing Evidence Presentation, http://www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx

CIP-003-5 R2 New Requirement
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
- 2.1 Cyber security awareness;
- 2.2 Physical security controls;
- 2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and
- 2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. (NERC, 2012, CIP-003-5, p. 5)

CIP-002-5, R1, Part R1.3 = Low Impact BES Cyber Systems
Paragraph 106: “[W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.” (FERC, 2013, Order 791, p. 72769)

CIP-003-5 R2 Progress
- The Standard Drafting Team (SDT) has been hard at work
- The SDT is still working on the requirements, measures, and rationale. Nothing is definitive as of yet
- Have changed to table format

CIP-003-5 R2 Current Draft
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing low impact BES Cyber Systems), shall:

CIP-003 R2 Draft (continued)
2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity

CIP-003 R2 Draft (continued)
2.4 Incident Response to Cyber Incidents

CIP-003 R2 Draft (continued)
2.5 Cyber Security Awareness

CIP-003-5 R2 Firm Dates
- Standard Drafting Team (SDT) must complete work by February 3, 2015
- Draft goes to industry for comment June 2, 2014
- If you’d like to get involved, contact Ryan Stewart with NERC at: ryan.stewart@nerc.net

CIP-003-5 R2 Comment Form

CIP-003-5 R2 – Possible Pitfalls
- Entity may not know what Low Impact BES Cyber Systems are
- Not consistently reviewing every 15 months
- Current annual schedule may not meet the requirement
- Notifications and alerts may not get updated
- Policies may not address all parts of the requirement

CIP-003-5 R2 Implementation Tips
- Stay on top of WECC’s outreach for more direction on Low Impact BES Cyber Systems
- Update annual review notifications and alerts to meet the version 5 timeline

CIP-003-5 R3 No Change (CIP 003-3 R2.1, R2.2 → CIP 003-5 R3)
Each Responsible Entity shall:
- Identify a CIP Senior Manager by name
- Document any change within 30 calendar days of the change

CIP-003-5 R3 Audit Approach
- CIP Senior Manager’s name, including the date identified
- Version control and revision history, including the action specific to the change and the dates
Note: If you are not retaining the original document designating the CIP Senior Manager, entities still need to demonstrate compliance with the standard on or before April 1, 2016. We recommend reaffirming the CIP Senior Manager on or before April 1, 2016 and providing that document as evidence.

CIP-003-5 R3 – Possible Pitfalls
- Entity did not identify the CIP Senior Manager by name and did not include the date identified
- Changes to the CIP Senior Manager were not documented within 30 calendar days

CIP-003-5 R3 Implementation Tips
- Update processes to ensure there are steps for documenting changes within 30 calendar days

CIP-003-5 R4 Minor Clarifications (CIP 003-3 R2.3 → CIP 003-5 R4)
- The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used
- The CIP Senior Manager may delegate authority for specific actions
- Include the delegate’s name or title, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation
- Delegation changes do not need to be reinstated with a change to the delegator

CIP-003-5 R4 Audit Approach
- Were there any delegations?
- Who was delegated and what were they delegated to do?
- Was the delegation approved by the CIP Senior Manager?

CIP-003-5 R4 – Possible Pitfalls
- Entity did not document a process to delegate authority
- Entity did not identify delegates by name and did not include the date identified or the specific actions delegated
- The CIP Senior Manager did not approve the delegation

CIP 003-5 R4 Implementation Tips
- Document a process for delegating authority, and ensure the process addresses the specific requirements
- Follow the documented process

CIP-003-5 Modifications
Reorganized to only include elements of policy and cyber security program governance.
- CIP 003-3 R3
- CIP 003-3 R4 → CIP 011-1
- CIP 003-3 R5 → CIP 004-5
- CIP 003-3 R6 → CIP 010-1

Wrap-up
- Know what is required for each BES Cyber System
- Attend future WECC outreach events to get further clarity on Low Impact BES Cyber Systems

References
- FERC. (2013, November 22). Order No. 791: Version 5 Critical Infrastructure Protection Reliability Standards. 18 CFR Part 40; 145 FERC ¶ 61,160; Docket No. RM13-5-000. In Federal Register, Vol. 78, No. 232 (pp. 72756-72787). Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
- NERC. (2014, March 12). Glossary of Terms Used in NERC Reliability Standards. Retrieved from http://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
- NERC. (2012, November 26). CIP-003-5 – Cyber Security – Security Management Controls. Retrieved from http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-003-5&title=Cyber%20Security%20-%20Security%20Management%20Controls&jurisdiction=null

Questions?
Lisa Wood, CISA, CBRM, CBRA, Compliance Auditor, Cyber Security
lwood@wecc.biz
Desk: 801-819-7601
Cell: 801-300-0225