Additional Considerations Morgan King CISSP-ISSAP, CISA Senior Compliance Auditor – Cyber Security

06a Additional Considerations

Jan 29, 2017

Transcript
Page 1: 06a Additional Considerations

Additional Considerations

Morgan King CISSP-ISSAP, CISA

Senior Compliance Auditor – Cyber Security

Page 2: 06a Additonal Considerations

Transition Program

• Why is the Version 5 Transition Program needed?
– There are major changes between the current Version 3 and new Version 5 of the CIP standards, which were approved by the Federal Energy Regulatory Commission (FERC) on November 22, 2013. The Transition Program should help entities implement the Version 5 standards in a timely and efficient manner.

Slide 2

Western Electricity Coordinating Council

http://www.nerc.com/pa/CI/Pages/Transition-Program-FAQs.aspx

Page 3

Transition Program

• How will entities not participating in the Implementation Study learn from the experiences of those involved in the Study?
– Throughout the Implementation Study, NERC will help participating entities address implementation challenges and develop lessons learned documentation. These lessons learned will be posted on this NERC web page. Webinars and workshops will also be held throughout the entire Transition Program.

http://www.nerc.com/pa/CI/Pages/Transition-Program-FAQs.aspx

Page 4

Audits During the Transition Period

• August 12, 2014 – March 30, 2016
• CIP v3 controls that map to CIP v5
• Leverage IRA and ICE
• Verify progress and approach to CIP v5
– Area of concern
– Recommendation

• Provide outreach, not free consulting

Page 5

Compliance and Enforcement Approach for the Transition Period

• NERC will therefore allow Responsible Entities to transition to the CIP V5 Standards, in whole or in part, during the Transition Period. In short, Responsible Entities may:
– (1) continue to comply with all of the CIP V3 Standards during the Transition Period, or
– (2) begin transitioning to compliance with some or all of the CIP V5 Standards

http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

Page 6

Compliance and Enforcement Approach for the Transition Period

The goal is to support Responsible Entities’ implementation of the CIP V5 Standards as early as necessary to ensure that they may become fully compliant with the CIP V5 Standards by their effective date. (Section 2, pp. 2-3)

http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf

Page 7

Breaking LERC/ERC

• FERC NOPR
– Supply Chain
– Protecting communication links between control centers
– Adequacy of existing remote access controls in CIP Version 5
– Protections for Transient Devices at Low Impact
– Clearer descriptions and definitions of LERC

Page 8

Breaking LERC/ERC

• CIP-003-6 Reference Model 6 (Example)
– Layer 7 application layer break
– The Cyber Asset requires authentication and then establishes a new connection
• Protocol Break
• The expectation is that the non-BES Cyber Asset has provided a “protocol break” so that access to the low impact BES Cyber System is only from the non-BES Cyber Asset that is located within the asset containing the low impact BES Cyber System

Page 9

FERC NOPR

• Seeks comments (and may direct modifications) on:
– the meaning of the term “direct” in relation to the phrases “direct user-initiated interactive access” and “direct device-to-device connection”
– implementation of the “layer 7 application layer break” contained in certain reference diagrams in the Guidelines and Technical Basis section of proposed Reliability Standard CIP-003-6

Page 10

FERC NOPR

• Concern:
– It appears that guidance provided in the Guidelines and Technical Basis section of the proposed standard may conflict with the plain reading of the term “direct.”
– A conflict in the reading of the term “direct” could lead to complications in the implementation of the proposed CIP Reliability Standards, hindering the adoption of effective security controls for Low Impact BES Cyber Assets. Depending upon the responses received, we may direct NERC to develop a modification to the definition of Low Impact External Routable Connectivity.

Page 11

NERC’s Response to NOPR

• As explained in the Technical Guideline and Basis section of proposed Reliability Standard CIP-003-6, the definition covers situations where a user or device could directly access a low impact BES Cyber Asset from outside the asset containing the low impact BES Cyber System absent a security break (e.g., without having to go through a firewall or another Cyber Asset).

Page 12

NERC’s Response to NOPR

• Should comments to the NOPR indicate that there is confusion as to the meaning and application of LERC, NERC will take the necessary steps, such as issuing additional guidance or modifying the definition, to ensure entities can effectively and efficiently implement the proposed Reliability Standards.

Page 13

External Routable Connectivity

• September 9th External Routable Connectivity Lesson Learned Posting

• Comment period closed October 9th

Page 14

NERC Lesson Learned

Communications to BES Cyber Systems and BES Cyber Assets

Page 15

Breaking ERC

Page 16

Breaking ERC

Page 17

Associated EACMS

• Scenario 1
– The EACMS (Digi Server) is within an ESP and would be subject to the high water mark within that ESP
• Scenario 2
– The EACMS (Digi Server) is not within an ESP and would be associated with the impact rating of the RTU BCS for which it is performing the EACMS function

Page 18

ERC Question

Can External Routable Connectivity be removed from a Cyber Asset by blocking all access to that Cyber Asset at the Electronic Access Point (EAP)?

Page 19

Blocking ERC at EAP

Page 20

ERC Defined

The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

Page 21

Access

• The use of the phrase “ability to access” in the definition implies that any communication path, whether direct or indirect, from outside the ESP to “PLC” would constitute External Routable Connectivity.

Page 22

Approach

• If any Cyber Asset within an ESP has External Routable Connectivity, then all Cyber Assets within that ESP should be considered to have External Routable Connectivity.
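The three ERC slides above (definition, “ability to access”, and this ESP-wide approach) and the earlier “Associated EACMS” slide each state a classification rule that an entity ends up applying to an asset inventory. The following is an added example, not code from the slides or from WECC, that encodes both rules over a constructed inventory: ERC is propagated to every Cyber Asset in an ESP as soon as one asset in that ESP is reachable over a bi-directional routable connection, and an EACMS takes either the high water mark of its ESP (scenario 1) or the rating of the BCS it serves (scenario 2). The asset names, ESP names and the `routable_from_outside` flag are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class CyberAsset:
    name: str
    role: str                      # "BCA", "PCA" or "EACMS"
    esp: Optional[str]             # ESP the asset sits inside, or None if outside every ESP
    impact: Optional[str] = None   # BCS impact rating for BCAs; None for PCAs and EACMS
    routable_from_outside: bool = False  # a bi-directional routable connection reaches it from outside its ESP
    serves: List[str] = field(default_factory=list)  # EACMS only: BCAs it performs the EACMS function for


# Constructed inventory with hypothetical asset and ESP names (not from the slides)
INVENTORY = [
    CyberAsset("RTU-1", "BCA", "ESP-SUB1", "medium", routable_from_outside=True),
    CyberAsset("PLC-1", "BCA", "ESP-SUB1", "medium"),   # no path of its own, but shares the ESP with RTU-1
    CyberAsset("HMI-1", "PCA", "ESP-SUB1"),
    CyberAsset("DCS-1", "BCA", "ESP-PLANT", "high"),     # isolated ESP: nothing routable reaches it
    CyberAsset("DCS-2", "BCA", "ESP-PLANT", "high"),
    CyberAsset("EMS-1", "BCA", "ESP-CC", "high"),
    CyberAsset("ICCP-1", "BCA", "ESP-CC", "medium"),
    CyberAsset("DIGI-A", "EACMS", "ESP-CC", serves=["EMS-1"]),   # scenario 1: EACMS inside an ESP
    CyberAsset("DIGI-B", "EACMS", None, serves=["RTU-1"]),       # scenario 2: EACMS outside every ESP
]


def propagate_erc(assets: List[CyberAsset]) -> Dict[str, bool]:
    """Rule from the 'Approach' slide: if any Cyber Asset inside an ESP has External Routable
    Connectivity, every Cyber Asset inside that ESP is treated as having it ('ability to access'
    covers direct and indirect paths). Assets outside every ESP are omitted, since ERC is defined
    relative to the associated ESP."""
    esps_with_erc = {a.esp for a in assets if a.esp is not None and a.routable_from_outside}
    return {a.name: a.esp in esps_with_erc for a in assets if a.esp is not None}


def eacms_impact(eacms_name: str, assets: List[CyberAsset]) -> Optional[str]:
    """Rule from the 'Associated EACMS' slide. Scenario 1: an EACMS inside an ESP takes the high
    water mark of that ESP. Scenario 2: an EACMS outside any ESP takes the impact rating of the
    BCS it performs the EACMS function for."""
    by_name = {a.name: a for a in assets}
    eacms = by_name[eacms_name]
    if eacms.role != "EACMS":
        raise ValueError(f"{eacms_name} is not an EACMS")
    if eacms.esp is not None:
        ratings = [a.impact for a in assets if a.esp == eacms.esp and a.impact]
    else:
        ratings = [by_name[n].impact for n in eacms.serves if by_name[n].impact]
    return max(ratings, key=IMPACT_RANK.__getitem__) if ratings else None


if __name__ == "__main__":
    for name, has_erc in propagate_erc(INVENTORY).items():
        print(f"{name:8} ERC={'yes' if has_erc else 'no'}")
    for eacms in ("DIGI-A", "DIGI-B"):
        print(f"{eacms:8} associated impact={eacms_impact(eacms, INVENTORY)}")
```

PLC-1 has no routable path of its own yet is still flagged, because RTU-1 in the same ESP has one; that is the situation the “ERC Question” slide asks about, and under the approach stated here blocking a single Cyber Asset at the EAP does not change the ESP-wide answer. DIGI-A lands at “high” (the high water mark of ESP-CC, even though the BCS it serves could be rated lower), while DIGI-B, outside any ESP, inherits the medium rating of RTU-1.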

Page 23

CIP-007-6 R2, Part 2.4 Mitigation Plan

What constitutes a “revision to the plan” in the mitigation plan? For CIP Senior Manager or delegate approval, is it simply the end date, or is approval also needed if a task is added or removed?

Page 24

Approach

• It is specifically the WHEN (timeframe) and the HOW (planned actions) in the mitigation plan. If either of those changes, consider it a “change of plan”

• Senior manager or delegate approval is required if the HOW or the WHEN of the mitigation plan changes

• Newly identified patch could be added to an existing mitigation plan

Page 25

CIP-007-6 R3

• If utilizing application whitelisting in addition to utilizing AV for defense-in-depth, is testing of AV signatures still expected?

Page 26

Approach

• Implementing the additional method (Application Whitelisting) to deter, detect or prevent malicious code under CIP-007-6 R3 does not negate Part 3.3, because both are methods identified in Part 3.1; the AV uses ‘signatures or patterns’ and therefore would still be required to address ‘testing and installing the signatures or patterns.’

Page 27

Mixed Impacts and Shared Storage

• Can we have Medium and High Impact BCS with virtual Cyber Assets on the same SAN Storage?

Page 28

Mixed Impacts and Shared Storage

http://bit.ly/1uKsrAS

Page 29

Mixed Impacts and Shared Storage

http://bit.ly/1uKsrAS

Page 30

Approach

• An entity can consider implementing a mixed trust SAN environment for virtual systems in Medium and High Impact BCSs.

• Hypervisor should be a BCA within an ESP and all associated guest workloads would be classified as associated Protected Cyber Assets to the High Impact BCS

• Consider SAN and virtual environment management taking place from within an ESP.

Page 31

CIP-007-6 R2 Patch Management

Page 32

April 1, 2016 and Patching

• If you haven’t already, assess security patches on newly identified CIP v5 BCA for applicability

• On or before April 1st 2016 develop a security patch management process

• Develop a baseline configuration of any security patches applied pursuant to CIP-010-2 R1, Part 1.1.4

• On or before May 5th 2016 assess security patches for applicability and either:
– Apply the patch on or before June 9th 2016, or
– Create a mitigation plan on or before June 9th 2016

Page 33

April 1, 2016 and 90 Days of Logs

• For the requirements requiring 90 consecutive calendar days of logs, do the 90 days of logs start from April 1, 2016, or is it required to have 90 consecutive days of logs prior to the CIP Version 5 compliance date of April 1, 2016?

Page 34

April 1, 2016 and 90 Days of Logs

• On or before April 1, 2016
– Verify an entity had one or more documented processes addressing 90 days of logs for all Applicable Systems
• On April 1, 2016 and after
– Verify the required control has been implemented for all Applicable Systems
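The second bullet is the one an auditor has to turn into evidence: for each Applicable System, is there an unbroken run of retained logs? The following is an added example, not from the slides or from WECC, of such a check. It constructs sample syslog-style lines for two hypothetical hosts (hmi-01 and rtu-02, with a two-day collector outage for rtu-02), finds every calendar day since April 1, 2016 with no retained entry, and then decides whether the 90-consecutive-day window ending on the audit date is fully covered. The rolling-window reading of the control, the line format and the host names are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Set, Tuple

CIP_V5_EFFECTIVE = date(2016, 4, 1)   # compliance date named on the slides
REQUIRED_DAYS = 90                    # consecutive calendar days of logs the requirements call for


def build_sample_log_lines() -> List[str]:
    """Constructed sample: one syslog-style line per system per day from April 1 through
    August 10, 2016, with a two-day collector outage for rtu-02 (hypothetical hosts)."""
    lines = []
    day = CIP_V5_EFFECTIVE
    while day <= date(2016, 8, 10):
        stamp = day.strftime("%Y-%m-%dT08:00:00Z")
        lines.append(f"{stamp} hmi-01 login: session opened for user ops")
        if day not in (date(2016, 5, 10), date(2016, 5, 11)):
            lines.append(f"{stamp} rtu-02 access: configuration read by user ops")
        day += timedelta(days=1)
    return lines


def days_with_logs(lines: List[str]) -> Dict[str, Set[date]]:
    """Map each system to the calendar days on which at least one entry was retained."""
    per_system: Dict[str, Set[date]] = defaultdict(set)
    for line in lines:
        stamp, system, _message = line.split(" ", 2)
        per_system[system].add(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date())
    return per_system


def coverage_gaps(days: Set[date], start: date, end: date) -> List[Tuple[date, date]]:
    """Return (first_missing_day, last_missing_day) ranges with no retained logs in [start, end]."""
    gaps, gap_start, day = [], None, start
    while day <= end:
        if day in days:
            if gap_start is not None:
                gaps.append((gap_start, day - timedelta(days=1)))
                gap_start = None
        elif gap_start is None:
            gap_start = day
        day += timedelta(days=1)
    if gap_start is not None:
        gaps.append((gap_start, end))
    return gaps


def meets_90_days(days: Set[date], as_of: date, start: date = CIP_V5_EFFECTIVE) -> bool:
    """Assumed reading of the second bullet: as of the audit date, every calendar day in the
    90-day window ending on that date must have logs. Before 90 days have elapsed since the
    compliance date, the window is clipped to start at the compliance date."""
    window_start = max(start, as_of - timedelta(days=REQUIRED_DAYS - 1))
    return not coverage_gaps(days, window_start, as_of)


def report(lines: List[str], as_of_iso: str, start: date = CIP_V5_EFFECTIVE) -> Dict[str, dict]:
    """Per-system evidence summary: every gap since the compliance date, plus the pass/fail result."""
    as_of = date.fromisoformat(as_of_iso)
    result = {}
    for system, days in sorted(days_with_logs(lines).items()):
        result[system] = {
            "gaps": [(g0.isoformat(), g1.isoformat()) for g0, g1 in coverage_gaps(days, start, as_of)],
            "meets_90_days": meets_90_days(days, as_of, start),
        }
    return result


if __name__ == "__main__":
    for audit_date in ("2016-06-29", "2016-08-10"):
        print(audit_date, report(build_sample_log_lines(), audit_date))
```

On 2016-06-29, the 90th day counting from the compliance date, hmi-01 passes while rtu-02 fails because of the May 10 and May 11 gap. By 2016-08-10 that gap has rolled out of the 90-day window and rtu-02 passes, but the gap still appears in the evidence list, which is the distinction an auditor wants to see recorded rather than hidden behind a single pass/fail flag.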

Page 35

Per Cyber Asset Capability

• Cyber Assets that meet the definition of a BES Cyber Asset but have limitations in their ability to protect the BES Cyber Assets with the entire suite of the CIP Version 5 Standards

• FERC also approved a new set of terms, “per (device/system) capability”

Page 36

Per Cyber Asset Capability

• The SDT has also determined that there are some requirement parts that should not require a TFE, as certain parameters are not essential themselves, but should apply if a device is capable of the parameter

• Building upon this concept, NERC will extend the “per (device/system) capability” available in some of the CIP Version 5 Standards to all of CIP-007-6, CIP-009-6, and CIP-010-2 standards for rudimentary BES Cyber Assets found in substations and generating facilities

Page 37

Example

• Pressure sensor that is microprocessor based, but lacks many of the features that the standards seek to protect:
– lacks network accessible ports and services;
– does not authenticate users; and
– lacks the ability to log events.

• For these rudimentary BES Cyber Assets, NERC expects Responsible Entities to document the capabilities of the Cyber Assets and provide CIP Version 5 Standards protection commensurate with the Cyber Asset’s capabilities

Page 38

CIP-007-6 R2 and CIP-007-6 R5

• If a Cyber Asset only supports a 6 character password length ‘per device capability’

• An available patch for that Cyber Asset would make it capable of an 8 character password

• Is the patch a security patch or a security “enhancement”?

Page 39

Network Gear a BCA or PCA

• BES Cyber Asset definition – Availability ‘when needed’

• Demarcation is network gear inside an ESP and not the communication gear outside of the ESP

• For an entity’s one or more documented processes for BCA identification, consider an exclusion for network gear for BROS functionality

Page 40

Communications and Networking Cyber Assets

Page 41

Communications and Networking Cyber Assets

Page 42

Interactive Remote Access

Is it permissible to directly log in to an Intermediate System and then use the Intermediate System to access a BES Cyber System within an ESP?

Page 43

Intermediate System Resides in a DMZ

Page 44

Intermediate System Resides in a DMZ

Page 45

Interactive Remote Access

User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.

February 5, 2015

Page 46

Interactive Remote Access

• Direct login to an Intermediate System is not prohibited

• Use of an Intermediate System to access Cyber Assets within an Electronic Security Perimeter is not prohibited

• Such access does not meet the definition of Interactive Remote Access; therefore CIP-005-5 R2 does not apply in this case

Page 47

Control Consoles Designated as Intermediate Systems

Page 48

Interactive Remote Access

• Intermediate System is required to be identified as an EACMS and protected accordingly

• Carefully review the capabilities of the Intermediate System to ensure it does not meet the definition of a BES Cyber Asset

Page 49

Questions

Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
[email protected]
Cell: 801-608-6652