Implementing the New Reliability Standards Status of Draft Cyber Security Standards CIP-002-1 through CIP-009-1 Larry Bugh ECAR Standard Drafting Team.

Slides:

Advertisements

Similar presentations

NERC Cyber Security Standards Pre-Ballot Review. Background Presidents Commission on Critical Infrastructure Protection PDD-63 SMD NOPR NERC Urgent Action.

Advertisements

2004 NERC, NPCC & New England Compliance Programs John Norden Manager, Operations Training, Documentation & Compliance August 31, 2003 RC Meeting.

Federal Energy Regulatory Commission July Cyber Security and Reliability Standards Regis F. Binder Director, Division of Logistics & Security Federal.

CIP Cyber Security – Security Management Controls

Q1 Q – The data retention period for Standards CIP-002 to CIP-009 versions 2 and 3 state: “The Responsible Entity shall keep all documentation and records.

Allan Wick, CFE, CPP, PSP, PCI, CBCP Chief Security Officer WECC Joint Meeting October 8, 2014.

Update in NERC CIP Activities September 4, Update on CIP Update on Revisions to CIP Version 5  -x Posting  v6 Posting Questions Agenda.

Recent NERC Standards Activities RSC – Jan. 5, 2011 NSRS Update Date Meeting Title (optional)

State of Standards and Standards in Development Sean Cavote, Manager of Standards Development WECC Operating Committee Meeting March 26, 2015.

1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.

Gcpud1 CRITICAL INFRASTRUCTURE PROTECTION NERC 1200 CIP CRITICAL INFRASTRUCTURE PROTECTION NERC 1200 CIP

WebCast 5 May 2003 NERC Cyber Security Standard Overview of Proposed Cyber Security Standard.

Cyber Security 2005 ERCOT COMPLIANCE ROLLOUT Lane Robinson Reliability Analyst.

Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20,

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

Project Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.

Information Security Policies and Standards

Stephen S. Yau CSE , Fall Security Strategies.

Physical Security CIP NERC Standing Committees December 9-10, 2014.

Cyber Security Standard Workshop Status of Draft Cyber Security Standards Larry Bugh ECAR Standard Drafting Team Chair January 2005.

Critical Infrastructure Protection Update Christine Hasha CIP Compliance Lead Advisor, ERCOT TAC March 27, 2014.

Update in NERC CIP Activities June 5, Update on CIP Update on Revisions to CIP Version 5 –BES Cyber Asset Survey –Implementation Plan Questions.

GOP and QSE Relationship Jeff Whitmer Manager, Compliance Assessments Talk with Texas RE June 25, 2012.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

CIP 43 ReliabilityFirst Audit Observations ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Tony Purgar, Sr. Consultant - Compliance.

Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

1 Texas Regional Entity Report December Performance Highlights ERCOT’s Control Performance Standard (NERC CPS1) score for October – Initial.

Federal Energy Regulatory Commission June Cyber Security and Reliability Standards Regis F. Binder Director, Division of Logistics & Security Federal.

Nuclear Power Plant/Electric Grid Regulatory Coordination and Cooperation - ERO Perspective David R. Nevius and Michael J. Assante 2009 NRC Regulatory.

1 Remote Access Update ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Lew Folkerth, Senior Engineer - Compliance.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Texas Regional Entity Update Sam Jones Interim CEO and President Board of Directors July 18, 2006.

K E M A, I N C. Ten Steps To Secure Control Systems APPA 2005 Conference Session: Securing SCADA Networks from Cyber Attacks Memphis, TN April 18, 2005.

Status Report for Critical Infrastructure Protection Advisory Group

SPS policy – Information Presentation Presentation to ROS June 16, 2004.

Project System Protection Coordination Requirement revisions to PRC (ii) Texas Reliability Entity NERC Standards Reliability Subcommittee.

Project (COM-001-3) Interpersonal Communications Capabilities Michael Cruz-Montes, CenterPoint Energy Senior Consultant, Policy & Compliance, SDT.

Item 5d Texas RE 2011 Budget Assumptions April 19, Texas RE Preliminary Budget Assumptions Board of Directors and Advisory Committee April 19,

WebCast 5 May 2003 Proposed NERC Cyber Security Standard Presentation to IT Standing Committee Stuart Brindley, IMO May 26, 2003.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Bill Lewis, Compliance Team Lead NERC Reliability Working Group May 16, 2013 Texas RE Update Talk with Texas RE April 25, 2013.

Problem Areas Updates Penalties FRCC Compliance Workshop September / October

Date CIP Standards Update Chris Humphreys Texas RE CIP Compliance.

NERC Project S ystem Protection Coordination - PRC-027 Presentation to the NSRS Conference Call August 17, 2015 Sam Francis Oncor Electric Delivery.

NERC Project S ystem Protection Coordination - PRC-027 Presentation to the NSRS Conference Call April 20, 2015 Sam Francis Oncor Electric Delivery.

Page 1 of 13 Texas Regional Entity ROS Presentation April 16, 2009 T EXAS RE ROS P RESENTATION A PRIL 2009.

Information Security Standards 2015 Update IIPS Security Standards Committee Roderick Brower - Chair.

Texas Regional Entity Report Mark Henry June 6, 2008.

Compliance Update September Control Performance Highlights  NERC CPS1 Performance ERCOT’s August score was ERCOT’s CPS1 scores show significant.

IT Summit November 4th, 2009 Presented by: IT Internal Audit Team Leroy Amos Sue Ann Lipinski Suzanne Lopez Janice Shelton.

Grid Operations Report To ERCOT Board Of Directors December 16, 2003 Sam Jones, COO.

Projects System Protection Coordination Draft 2 of TOP Texas Reliability Entity NERC Standards Reliability Subcommittee November 2, 2015.

October 29, 2012 RARF Workshop 2 Introduction to ERCOT Modeling Process Jay Teixeira Manager, Model Administration.

Reliability Standards Development Plan David Taylor Manager Standards Development Standards Committee Meeting June 12-13, 2008.

Page 1 Portfolio Committee on Water and Environmental Affairs 14 July 2009.

MOPC Meeting Oct , 2016 Little Rock, AR

ERCOT Technical Advisory Committee June 2, 2005

NERC CIP Implementation – Lessons Learned and Path Forward

NERC Cyber Security Standards Pre-Ballot Review

Understanding Existing Standards:

Larry Bugh ECAR Standard Drafting Team Chair January 2005

Larry Bugh ECAR Standard Drafting Team Chair January 2005

NERC Cyber Security Standard

Reliability Standards Development Plan

NERC Reliability Standards Development Plan

Larry Bugh ECAR Standard Drafting Team Chair June 1, 2005

NERC Reliability Standards Development Plan

WebCast on Draft Cyber Security Standard 1300 October 18, 2004

Presentation transcript:

Implementing the New Reliability Standards Status of Draft Cyber Security Standards CIP through CIP Larry Bugh ECAR Standard Drafting Team Chair June 1, 2005

2 Status Update ● Draft 3 of the standards, updated FAQ, Development Highlights, Draft 2 of the Implementation Plan, and the comment form posted May 9, 2005 for 45 day comment period.  Permanent.html ● Drafting team responses to Draft 2 comments to be posted soon.

3 Significant Changes ● Overall  Definitions revised.  Major review for consistency across the standards.  Two Tech Editors helped with review  Matching Requirements with Measures  Reviewing Levels of Non-Compliance  Consistency with Measures  Consistency across all eight standards

4 Significant Changes ● Cyber Security – Critical Cyber Assets – CIP  The purpose statement has been revised.  Critical Assets in Requirement 1 have been split into Required Critical Assets and Additional Critical Assets.  Requirement for updating Critical Asset/Critical Cyber Asset list has been changed to 90 days from 30 days.  Requirement to list non-critical assets on the same network as critical assets has been removed and the Requirements to protect non-critical assets within the Electronic Security Perimeter have been moved to CIP  Requirements for Critical Cyber Assets with dial-up access and not using a routable protocol have been moved to CIP

5 Significant Changes ● Cyber Security – Critical Cyber Assets – CIP  Cyber Assets at a substation or generating station using a routable protocol that does not extend through the electronic security perimeter, and without direct dial-up access, will not be identified as Critical Cyber Assets.  The review and approval of the Critical Asset and Critical Cyber Asset lists by a senior manager has been revised to be done annually.  The standard recognizes that a Responsible Entity may determine it has no Critical Assets or Critical Cyber Assets. If such a determination is made, the Responsible Entity must document that determination to show compliance with this standard.

6 Significant Changes ● Cyber Security – Security Management Controls – CIP  Draft 2 incorrectly introduced new Requirements in the Measures section. Draft 3 corrects this error and matches Requirements to Measures.  In response to several comments, titles have been added to all top-level requirements for clarity. The Levels of Non-compliance section has been revised. ● Cyber Security – Personnel and Training – CIP  Levels of Non-compliance were modified to address issues raised in public comments.

7 Significant Changes ● Cyber Security – Electronic Security – CIP  Requirement R1 been broken into sub-requirements for clarity.  Requirement R1 now also includes a sub-requirement to provide the same Electronic Security Perimeter protections to Cyber Assets used to implement access controls and monitoring of the Electronic Security Perimeter(s).  Requirement R2 from Draft 2 (network ports and services) has been moved as a sub-requirement (R2.1) of an overall Access Control requirements section R2 in Draft 3.  Requirement R3 from Draft 2 (access control for modems) has been moved as a sub-requirement (R2.3) of an overall Access Control requirements section R2 in Draft 3.  The Requirement for strong access controls for external interactive access to the Electronic Security Perimeter has been clarified. References to specific technologies have been removed and are more appropriately addressed in the FAQ.

8 Significant Changes ● Cyber Security – Electronic Security – CIP  For clarity, Requirement R3 includes sub-requirements for reviewing authorized access on a periodic basis where monitoring cannot be implemented or can only be partially implemented.  The requirements for vulnerability assessment of the access points to the Electronic Security Perimeters, originally included in CIP-007-1, have been moved to this standard for consistency.  Corresponding changes to the Measures and Levels of Non- compliance were made.

9 Significant Changes ● Cyber Security – Physical Security – CIP  The Requirement for defining physical access controls of a security cage has been removed.  The access controls for a security cage should be addressed in the physical security plan as a perimeter. ● Cyber Security – Systems Security Management – CIP  References to attended and unattended facilities have been removed.  Titles for the following Requirements have changed; Account and Password Management changed to Account Management, Operating Status Monitoring Tools changed to Security Status Monitoring, Integrity Software changed to Anti-Virus Software, and Identification of Vulnerabilities and Responses changed to Cyber Vulnerability Assessment.  Requirements for non-critical assets within the Electronic Security Perimeter have been added to this standard.

10 Significant Changes ● Cyber Security – Systems Security Management – CIP  Test Procedures and Account Management Requirements have been broken out into separate sub-requirements.  What constitutes “significant changes” for Test Procedures has been clarified.  The Requirements for Patch Management and Anti-Virus Software have been updated for clarity.  The Requirement for Cyber Vulnerability Assessment was updated to clarify the intent.  The Requirement for Ports and Services was clarified to apply to devices inside the Electronic Security Perimeter (those devices on the Perimeter are addressed in CIP-005.)  A Requirement was added specifying that field devices without electronic access controls shall have physical access controls.  A Requirement for protection of Critical Cyber Assets disposed or redeployed was added.

11 Significant Changes ● Cyber Security – Systems Security Management – CIP  Requirements for Documentation Review and Maintenance were added.  The Measures and Levels of Non-compliance were updated to reflect the updated Requirements.  The stand-alone Requirement for Retention of System Logs was removed and the retention requirement added as a sub- requirement in the appropriate Requirements.  Requirements for Configuration Management were removed from CIP-007 as they are addressed in CIP-003.  The Backup and Recovery requirement was moved to CIP-009.

12 Significant Changes ● Cyber Security – Incident Reporting and Response Planning – CIP  The definition of Cyber Security Incident has been updated to clearly include the Electronic Security Perimeter.  References to “incident” were changed to “Cyber Security Incident” as appropriate.  Testing the Incident Response Plan has been added as a requirement. ● Cyber Security – Recovery Plans – CIP  Language has been added to address backup of information critical to successful restoration of Critical Cyber Assets.

13 Proposed Development Schedule ● Tentative posting/review schedule for CIP — CIP-009-1:  May 9 – June 23Post draft 3 for a 45-day comment period  June 1WebEx on Draft 3  June 24 – July 21Resolve comments on Draft 3 and prepare final draft  July 22 – August 21Post final draft for 30-day review prior to ballot  August 22 – Sep. 26Hold two rounds of balloting (includes time to respond to first ballots cast with negative comments.)  Sept 27 – October 26Post for 30 days prior to BOT adoption into the compliance program (assuming a positive vote by the ballot pool)

14 Proposed Implementation Plan ● Draft 2 modified to recognize the time necessary to fully implement standards. ● Includes a new phase of implementation referred to as “Begin Work.” ● The Implementation Plan has been divided into three separate tables to recognize three separate groups of Responsible Entities:  Balancing Authorities and Transmission Operators that were required to self- certify compliance to NERC’s Urgent Action Cyber Security Standard 1200 (UA 1200), and Reliability Coordinators;  Transmission Operators and Balancing Authorities that were not required to self- certify compliance to UA Standard 1200, Transmission Providers, and the offices of NERC and the Regional Reliability Organizations.  Interchange Authorities, Transmission Owners, Generator Owners, Generator Operators, and Load-Serving Entities. ● For Responsible Entities in the first two groups, the implementation plan requires Auditable Compliance to all Requirements by second quarter ● For Responsible Entities in the third group, the implementation plan requires Auditable Compliance to all Requirements within 36 months of the registration to a Functional Model function.

15 Proposed Implementation Plan Table 1 Compliance Schedule for Standards CIP through CIP Balancing Authorities and Transmission Operators Required to Self-certify to UA Standard 1200, and Reliability Coordinators 2ndQtr 20062ndQtr 20072ndQtr 20082ndQtr 2009 Requirement System Control Center Other Facilities System Control Center Other Facilities System Control Center Other Facilities System Control Center Other Facilities Standard CIP — Critical Cyber Assets R1SCBWACSCACSCAC R2SCBWACSCACSCAC R3SCBWACSCACSCAC

16 Contact info: Larry Bugh – ECAR