NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role

Posted on 07-Apr-2017


NERC-CIP V5 and Beyond

Compliance and the Vendor’s Role

Joe Loomis, Group Leader

Embedded Systems Security Group, Intelligent Systems Department

05/02/2023

Outline

• Changes in V5

• Vendors, Asset Owners, and Compliance

• The Vendor’s Role

• Case Study
o Background
o Compliance Roadmap Development Approach
o Test Plan

• Beyond Version 5

• Conclusion


Audience Survey

• Asset Owners?

• Vendors?

• Compliance and Auditing?


Changes in Version 5

• Bright-line criteria for identifying Critical Cyber Assets (CCA)

• Risk Assessment Process

• Terminology

• Guidance and Technical Basis (GTB)


Vendors, Asset Owners and Compliance

• Standards apply to entity Facilities that are part of the Bulk Electric System (BES)

• Compliance is the sole responsibility of the Asset Owner of the Facility

• Vendor’s product deployed in a Facility may be considered part of a BES Cyber System

• The Asset Owner is responsible for demonstrating compliance of the product…


The Vendor’s Role

• Asset Owners often rely on technical data from the Vendor to demonstrate compliance

• As a Vendor, you may want to provide technical data to the Asset Owner to support a compliance audit

• Question: Which requirements may the Vendor’s product be subject to, so that the Vendor knows what technical data to furnish?


Case Study: Vendor of a BES Cyber System (BCS) Technology


Background

• Vendor currently has a product which may be used within a BCS.

• Asset Owners request that the Vendor furnish technical data to prove that the product can meet NERC-CIP V5 requirements

• Vendor approached SwRI to help understand requirements and develop technical data

• Product Details: Provides protocol-level translation (e.g., DNP3, Modbus), analytics, and edge processing


Outline of Approach

• Compliance Roadmap
o Determine requirements applicability
o Assess current state of compliance
o Develop guidance on what technical information may need to be generated, or what product updates may be needed

• Test Plan
o Based on the requirements, develop test cases to verify compliance in-house and also through a third party


Compliance Roadmap Development

• Categorize System
o Impact Criteria of the BES Cyber System: Low, Medium, or High
o Determine what Cyber Asset category or categories the product fits in

• Map to Requirements
o Based directly on Impact and Cyber Asset category

• Assess State of Compliance
o Review product documentation, development documentation, and software, and conduct interviews with developers

• Develop Guidance
o Based on the Requirement’s Guidance and Technical Basis (GTB) and professional experience


Categorization

• The categorization of requirements affecting the Product is based on the Facility where the Product is deployed (CIP-002-5.1) and the type of system the Product is part of:
o Impact Criteria: High, Medium, and (Low)
o Cyber Asset Category: “EACMS” (Electronic Access Control or Monitoring Systems), “PACS” (Physical Access Control Systems), “PCA” (Protected Cyber Assets)

• Since the Vendor does not know where their Product will be deployed, conservatively assume High Impact criteria

• Cyber Asset Category is based on actual product function and usage. In this case the Product is a Protected Cyber Asset (“PCA”)


Mapping

• Each Requirement in the standard specifies the Impact Criteria and associated system to which it applies


Mapping Criteria

• Based on the Vendor’s product, create a Matrix which maps to the Requirements

• Determine applicability criteria and later assess state of compliance


Mapping Matrix

• Vendor solution column indicates which requirements apply.

• Product column indicates state of compliance (redacted)


Developing Guidance

• Based on professional experience performing security assessments and on the Requirement Guidance and Technical Basis (GTB) sections
o Note that GTB sections are not legally binding and are only one way of interpreting the standards


Test Plan

• Provides tests for the Product to determine if it meets the requirements

• Based on SwRI’s risk-based assessment methodology

• May include tests for vulnerabilities that go beyond CIP requirements

• Can be executed by the Vendor during development or by a trusted third party


Beyond Version 5

• Version 6 – Filed and Pending Approval

• Version 7 – Final Draft 02/02/15 – Not Yet Filed


Version 6 Major Changes

• “Identify, Assess, and Correct” language removed

• (New) CIP-006-6 – R1.10 – Physical Security for Cabling …. Or


Version 7 Changes (1 of 3)

• New Terms: LERC (Low Impact External Routable Connectivity) and LEAP (Low Impact BES Cyber System Electronic Access Point)


Version 7 Changes (2 of 3)

• Definition for Transient Cyber Asset

• Definition for Removable Media


Version 7 Changes (3 of 3)

• CIP-010-3 – R4 – Transient Cyber Asset and Removable Media Plan
o 1.1 – Transient Cyber Asset Management ...
o 1.3 – Software Vulnerability Mitigation
o 1.4 – Introduction of Malicious Code Mitigation
o (Similar to Section 2)
o 2.1 – Software Vulnerabilities Mitigation
o 2.2 – Introduction of Malicious Code Mitigation


Final Thoughts

Conclusion

• For more information please contact
o Joe Loomis
o jloomis@swri.org
o (210) 522-3367

Custom solutions that immediately improve security
