Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ben Christensen Senior CIP Enforcement Analyst

Published byLacey Hueston Modified over 9 years ago

Similar presentations

Presentation on theme: "Ben Christensen Senior CIP Enforcement Analyst"— Presentation transcript:

1 Ben Christensen Senior CIP Enforcement Analyst
May 15, 2014 SLC, UT

2 Pop Quiz!! Who invented the electric motor? William Sturgeon
Thomas Davenport Michael Faraday

3 Pop Quiz!! Who invented the electric motor? Michael Faraday

4 Agenda Help entities understand and prepare for the upcoming CIP 010-1
Differences and relations to current requirements Possible pitfalls to look for while implementing CIP 010-1 WECC’s audit approach Best practices

5 CIP 010-1

6 Purpose of CIP 010-1 Prevent and detect unauthorized changes to BES Cyber Systems. Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise. Document and maintain device baselines and periodically verify they are accurate.

7 Applicable Systems

8 CIP 010-1 Similarities with V.3
CIP R6: Change Control and Configuration Management CIP R1: Test procedures CIP R4 and CIP R8: Cyber Vulnerability Assessment(s) CIP R9 and CIP R5: Documentation review and maintenance

9 POP Quiz!! Who invented the modern automobile? Henry Ford Karl Benz
Ransom Olds

10 Pop Quiz!! Who invented the modern automobile? Karl Benz

11 CIP R1

12 CIP R1.1 Applicable to Protected Cyber Assets (PCA) and specifies information required in device baselines CIP R1.1 CIP R6

13 CIP-010-1 R1.1 - Possible Pitfall #1
CIP R6 was previously not applicable to Non-CCAs that resided within an ESP. Thus entity did not create baselines or update procedures to ensure baselines were maintained for these devices.

14 CIP-010-1 R1.1 - Possible Pitfall #2
Entity does not ensure documented baselines for all devices contain operating system, commercial/open source software, custom software, logical ports, and security patches applied.

15 CIP R1.1 Approach Ensure entity has documented baselines for all devices (or group of devices) in applicable BES Cyber Systems Verify Baselines include operating system/firmware, commercial software, custom software, logical network accessible ports, and security patches applied

16 CIP R1.1 Best Practice Use combination of automated tools and manual walkthroughs/verifications to ensure lists and baselines are accurate Minimize applications on devices to only what is necessary Include step to periodically verify accuracy of applicable device lists and baselines

17 CIP R1.1 Best Practice Discussions and careful planning should be conducted on the method for maintaining device baselines Review CIP 007 R3 presentation from Oct 2013 CIPUG for common methods to maintain information What method is best for your organization: Commercial Software Custom Software Spreadsheet

18 CIP R1.1 Best Practice Consider Moving away from spreadsheets and other manual methods, look into more advanced methods for retaining information. See Joe B presentation from October 2011 CIPUG on advantages of moving from spreadsheet to relational database Includes some labeling schema tips as well for when implementing a database for device management

19

20 CIP 010-1 R1.2 Applicable to PCA and requires changes to be authorized

21 CIP-010-1 R1.2 - Possible Pitfall
Entity cannot demonstrate all changes made to baseline(s) were authorized

22 CIP R1.2 - Approach Ensure all changes made to baselines have been authorized.

23 CIP R1.2 – Best Practice Update procedural documentation to include at minimum: Who can authorize changes, and to what When authorization needs to occur How the authorization will be documented, stored, and tracked Segregation of duties The implementer should be different from the authorizer

24 CIP 010-1 R1.3 Baselines must be updated within 30 days of change

25 CIP 010-1 R1.3 – Possible Pitfall
Entity cannot demonstrate baselines are updated within 30 days of changes made

26 CIP R1.3 - Approach Ensure entity is updating baselines within 30 days of when change was made. Start date will be determined by reviewing work orders, tracking sheet, or other documentation that details when the change actually occurred.

27 CIP R1.3 – Best Practices Procedures for updating baselines should address: Who will communicate the changes made to the baselines How changes will be communicated Who the changes are communicated to When the changes will be made

28 CIP R1.3 – Best Practices Maintain a version history when updating documentation. Version number Who performed the update to the documentation Who made the change to the device Who authorized the change What was changed

29 POP Quiz!! Who invented the printing press?

30 POP Quiz!! Who invented the printing press? Johannes Gutenberg

31 CIP R1.4 Impact due to a change must consider security controls in CIP 005 and CIP 007 CIP R1.4 CIP R1

32 CIP 010-1 R1.4 – Possible Pitfall
Entity verifies same controls for all changes made to any baseline. Thus entity does not account for different environments, devices, or changes when determining what controls could be impacted May be ok if all controls are verified every time

33 CIP R1.4 - Approach Verify all changes made to device baselines are documented Ensure controls that may be impacted were identified and documented prior to the change Why were some controls not included? Review evidence supporting identified controls were not adversely impacted

34 CIP 010-1 R1.4 – Best Practices Procedures should include:
Documenting date all steps taken to support cyber security controls were identified prior to change taking place How are potential impacted cyber security controls identified? Who does this? How will adverse impacts will be detected Who does this and when?

35 CIP R1.4 – Best Practices Include a peer review step for reviewing what controls may be impacted and when verifying controls weren’t adversely impacted Coordinate testing processes between departments, business units, etc. to ensure consistency

36 CIP R1.5 CIP R1.5 CIP R1

37 CIP 010-1 R1.5 cont.. Only applicable to High Impact systems
Specific to security controls that must be tested Security Controls in CIP 005 and CIP 007 New test environment requirements Document if test environment was used Document differences between test and production environment Measures taken to account for these differences

38 CIP 010-1 R1.5 Possible Pitfall
Entity does not document differences between production and testing environment Entity does not take measures to account for differences in the production and testing environment.

39 CIP R1.5 - Approach For each change that deviates from existing baseline: List of cyber security controls tested Test results List of differences between the production and test environments Descriptions of how any differences were accounted for When testing occurred.

40 CIP R1.5 – Best Practices Use checklist or other task managing tool to reduce likelihood of not testing all controls Document specific test procedures for all cyber assets or group of assets? Describe the test procedures Describe the test environment and how It reflects the production environment

41 CIP R2

42 POP Quiz!! When was the atomic bomb first invented?

43 POP Quiz!! When was the atomic bomb first invented? July 1945

44 CIP R2.1 Must actively search for unauthorized changes to baseline Automated preferred but can be manual Must document and investigate unauthorized changes CIP R2.1 CIP R6

45 CIP-010-1 R2.1 – Possible Pitfall
Not consistently monitoring for changes every 35 days Entity begins process at end of month Thus entity continuously misses 35 day deadline as it does not have enough time to complete review Documentation is inconsistent and SMEs can’t keep track if specific devices have automated or manual process for tracking configuration changes

46 CIP R2.1 - Approach logs from a system that is monitoring configurations Work orders, tracking sheets, raw data evidence of manual investigations Records investigating detected unauthorized changes

47 CIP R2 – Best Practice Consider using a commercial or open source File Integrity Monitoring software for continuous monitoring Start monitoring process with enough advance to complete review Consider using an automated task managing tool

48 CIP 010-1 R2 – Best Practice What if you find an unauthorized change?
What change(s) have been made without authorization Who made the change(s)? When were the change(s) made? How can a similar issue be prevented?

49 CIP R1 and R2 QUIZ Time

50 CIP R1 and R2 Entities are required to test all changes in a test environment that reflects the production environment. False

51 CIP 010-1 R1 and R2 Entity baselines are required to include: TRUE
Operating system/Firmware Commercial/open source software Custom software Logical ports All security patches applied TRUE But what about devices where some of these don’t apply?

52 CIP R3

53 CIP R3.1 No more annual requirement, and CVA can be active or paper CIP R4 CIP R3.1 CIP R8

54 CIP-010-1 R3.1 – Possible Pitfall
Entity conducts initial Vulnerability Assessment in January then not again until April the next year (16 months) Remember the CIP 003 pitfalls

55 CIP-010-1 R3.1 – Approach Verify when last CVA was conducted
Verify current CVA was conducted within 15 calendar months of previous CVA Evidence could include: A document listing the date of the assessment and the output of any tools used to perform the assessment.

56 CIP R3.2 – Best Practices Vulnerability assessment should include at minimum: Network and access point discovery Port and service Identification Review of default accounts, passwords, and network management community strings Wireless access point review

57 CIP R3.1 – Best Practice Consider keeping Vulnerability Assessments for devices or groups of devices on the same cycle Implement a task managing tool to help track needed tasks and deadlines Review NIST SP800‐115 for guidance on conducting a vulnerability assessment

58 POP Quiz!! What was the first home video game console? Atari 2600
Magnavox Odyssey VES RCA Studio II

59 Magnavox Odyssey POP Quiz!!
What was the first home video game console? Developed in 1972 Magnavox Odyssey

60 CIP R3.2 CIP R4 CIP R3.2 CIP R8

61 CIP 010-1 R3.2 cont.. Only applicable to High Impact BES systems
Required to be performed at least every 36 months CVA must be active and can be performed in production or test environment Test environment must reflect production Document differences between test and production environment Take and document measures to address the differences between test and production environment

62 CIP 010-1 R3.2 – Possible Pitfall
Entity does not conduct active Vulnerability Assessments at least every 36 months Entity does manual review on devices that are technically feasible to have active review

63 CIP R3.2 – Approach Verify active Vulnerability Assessments conducted at least every 36 months Description of test environment and how differences were account for (if test environment used for assessment) Raw data outputs of assessment for applicable devices

64 CIP R3.2 – Best Practices Vulnerability assessment should include at minimum: Network and access point discovery Port and service Identification Review of default accounts, passwords, and network management community strings Wireless access point review

65 CIP R3.2 – Best Practice Where possible conduct the Vulnerability Assessment on the production environment Implement a task managing tool to help track needed tasks and deadlines Document SMEs responsible for conducting the Vulnerability Assessment and for what cyber assets

66 CIP R3.3 New devices need an active Vulnerability Assessment prior to deployment CIP R3.3 CIP R1

67 CIP-010-1 R3.3 – Possible Pitfall
Entity adds new asset to production without first conducting active Vulnerability Assessment

68 CIP R3.3 – Approach Ensure all newly added assets have had active vulnerability scan conducted prior to device being added to production Verify all necessary controls were verified as part of assessment Verify raw data output of vulnerability assessment can be provided

69 CIP R3.3 – Best Practice Document specific procedures that include: Responsible personnel for conducting the test When testing needs to occur Where testing should occur How the testing should be conducted for each cyber asset or group of cyber assets Use a checklist and/or peer reviews to reduce chance of human error

70

71 CIP R3.4 Document planned completion date for each remediation action CIP R4 CIP R3.4 CIP R8

72 CIP-010-1 R3.4 – Possible Pitfall
Entity is not actively maintaining an action plan to remediate vulnerabilities found in the CVA. Entity is not documenting or updating planned date of completion for remediation actions

73 CIP-010-1 R3.4 – Approach Document results or the review or assessment
List of action items to remediate issues Status of the action items Documented proposed dates of completion for the action plan

74 CIP R3.4 – Best Practice Tie actions outlined in the plan to specific SMEs Use an automated task managing tool to track all required tasks and ensure they are being completed Have steps to ensure action plan is updated and reflects actual proposed completion date of actions

75 CIP R3 QUIZ Time

76 CIP R3 Entities are required to test all changes in a test environment that reflects the production environment. False Active CVA not required for Medium impact facilities or for like devices with similar baseline configurations

77 CIP R3 Entity’s will be required to meet expected completion date of action plans to remediate issues found during Vulnerability Assessment However, entity can update the expected date if more time is needed. If the update is reasonable, justified, and done prior to the due date TRUE

78 Additional Resources CIP-010-1 NERC version 4 to version 5 mapping
Glossary of Terms Used in NERC Reliability Standards NIST SP800‐115 – Security testing

79 Summary Know what is required for each BES cyber system(s)
Create and Maintain device baselines Track and manage deadlines Review referenced NIST documents for added guidance

80 Ben Christensen Senior CIP Enforcement Analyst
May 15, 2014 SLC, UT

81 Agenda Help entities understand and prepare for the upcoming CIP standard Differences and relations to current requirements Possible pitfalls to look for while implementing CIP 011-1 Implementation tips

82 CIP 011-1 General Pitfalls Identify, Assess, and Correct (IAC)
FERC has conditionally approved CIP on the basis that NERC’s Standard Drafting Team make clarifications or remove the IAC language BES Cyber System Pay special attention to the applicable BES cyber systems in each requirement

83 Purpose Prevent unauthorized access to BES Cyber System Information

84 BES Cyber System Information
Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System – NERC glossary

85 BES Cyber System Information
Includes: Security procedures/information BES Cyber Systems PACS EACMS List of devices with IP addresses Network diagrams

86 BES Cyber System Information
Does NOT include: Individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access Devices names Individual IP addresses ESP names Policy statements

87 CIP 011-1 Similarities with V.3
CIP R4: Information Protection CIP R7: Disposal or Redeployment

88 CIP 011-1 similarities to V.3 CIP 011-1 R1.1 CIP 011-1 R1.2

89 CIP R1 - Intro

90 CIP R1 CIP R1.1 CIP R1.2 CIP R4

91 CIP R1.1 Language No longer a requirement to classify BES cyber system information CIP R1.1 CIP R4

92 CIP R1.2 Procedures for protecting information must now address storage, transit, and use CIP R1.1 CIP R4

93 CIP R1.1 - Evidence Documented BES Cyber System Information method How you identify BES Cyber System Information (labels, classification)? Repository or electronic and physical locations to house BES Cyber System Information

94 CIP 011-1 R1.2 - Evidence Procedure for protecting BES Cyber System
Storage Transit Use Records information was handled per your procedures Change control ticket

95 CIP 011-1 R1 Possible Pitfall
Information Protection plan does not address storage, transit, and use of BES Cyber System Information

96 CIP 011-1 R1 - Implementation tips
Consider different variables when determining how to properly protect information during transit, storage, and use Digital information stored locally Physical information stored in a PSP or not Information being held by vendors or accessed by vendors

97 CIP R1 QUIZ

98 CIP R1 Which of the following would be considered BES Cyber System Information? Device host name ESP diagram PSP name Inventory list with network addresses

99 CIP R1 Which of the following would be considered BES Cyber System Information? Device host name ESP diagram PSP name Inventory list with network addresses

100 CIP R2

101 CIP R2.1 Focus is now on preventing unauthorized retrieval instead of data destruction CIP R2.1 CIP R7

102 CIP R2.2 Focus is now on preventing unauthorized retrieval instead of data destruction CIP R2.2 CIP R7

103 CIP 011-1 R2.1 – Evidence Records of sanitization actions
Clearing Purging Destroying Records tracking Encryption Held in PSP

104 CIP R2.2 – Evidence Records showing media was destroyed prior to disposal Other records of actions taken to prevent unauthorized retrieval of BES Cyber System Information

105 CIP 011-1 R2 – Possible Pitfall
Entity secures cyber assets no longer used that contain BES cyber system information in a location that is not restricted to only those individuals with access to the BES cyber system information

106 CIP 011-1 R2 – Implementation tips
Review NIST SP for guidance on developing media sanitation processes Where possible erase, destroy, degauss, or encrypt data as soon as possible after a device is no longer needed to reduce mishandling of devices or BES cyber system information

107 CIP 011-1 – Scenario 1 What if I have a 3rd party host my email?
Do I need to protect this information under CIP-011-1?

108 CIP – Scenario 2 I have hard copies of my network diagrams located in a secure facility. Do I need to include these in my CIP program?

109 Purpose Prevent unauthorized access to BES Cyber System information

110 It Depends CIP 011-1 – Scenario 1
What if I have a 3rd party host my ? Do I need to protect this information under CIP-011-1? It Depends

111 CIP – Scenario 1 What type of information is stored on the exchange server? BES Cyber System Information How do your procedures account for s containing this information?

112 CIP – Scenario 2 I have hard copies of my network diagrams located in a secure facility. Do I need to include these in my CIP program? YES

113 CIP 011-1 – Scenario 2 What type of information is on the diagrams?
BES Cyber System Information List of all IP addresses List of all network access points What do your procedures state about securing hard copies? What facilities might contain this information?

114 Additional Resources CIP-011-1 NERC version 4 to version 5 mapping
Glossary of Terms Used in NERC Reliability Standards NIST SP – Disposal guidance

115 Summary Purpose Differences Pitfalls Implementation tips

116 Questions? Ben Christensen

Download ppt "Ben Christensen Senior CIP Enforcement Analyst"

Similar presentations

Configuration Management

Configuration Management
Software Quality Assurance Plan

Software Quality Assurance Plan
Keshav Sarin Manager, Compliance Risk Analysis

Keshav Sarin Manager, Compliance Risk Analysis
Configuration Management

Configuration Management
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Key Reliability Standard Spot Check Frank Vick Compliance Team Lead.

Key Reliability Standard Spot Check Frank Vick Compliance Team Lead.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Software Quality Assurance Plan

Software Quality Assurance Plan
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.

1 Compliance Guidance for Initial Compliance Review Dates Lew Folkerth 2Q2010 Webinar June 22, 2010.
Auditing Computer Systems

Auditing Computer Systems
Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM Senior Compliance Auditor, Cyber Security Salt Lake City, UT Office CIP-006 V3 to CIP-006 V5.

Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM Senior Compliance Auditor, Cyber Security Salt Lake City, UT Office CIP-006 V3 to CIP-006 V5.
Project 2008-06 Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.

Project Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.
1 Ports and Services An Audit Approach ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Lew Folkerth, Senior Engineer - Compliance.

1 Ports and Services An Audit Approach ReliabilityFirst CIP Webinar Thursday, September 30, 2010 Lew Folkerth, Senior Engineer - Compliance.
Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security

Bryan J. Carr, PMP, CISA Compliance Auditor, Cyber Security
SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance

SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Chapter 10: Auditing the Expenditure Cycle

Chapter 10: Auditing the Expenditure Cycle

Similar presentations

Ads by Google