Forward Together • ReliabilityFirst
Follow us on LinkedIn and @RFirst_Corp on Twitter
#RFWorkshop
2017 CIP Monitoring Plan
Ray Sefchik- Manager, CIP Compliance Monitoring, RF
CISA, CISM, CISSP
2017 ERO Enterprise CIP V5 and CIP-014
For 2017, the ERO Enterprise will continue a focused approach to monitoring initial compliance with CIP Version 5 and CIP-014.
The goals of the 2017 monitoring approach include understanding program effectiveness, supporting CIP Version 5 transition and CIP-014 implementation, identifying successes and challenges, and tailoring monitoring to appropriate risks.
CIP V5 and CIP-014 Areas of Focus
On July 1, 2016, the high and medium impact requirements for CIP Version 5 went into effect. The results of the 2016 CIP-002-5.1 Self-Certification have revealed that the scope of the CIP standards has greatly increased the number of substations and generation facilities with BES Cyber Assets.
Entity Inherent Risk Assessments (IRAs) and Compliance Monitoring Plans have helped to identify key risks for a given entity; however, the ERO Enterprise will continue to focus on certain elements of cybersecurity for higher risk entities. The 2017 priorities will continue to address the Areas of Focus (as described on slide 4) that were introduced in 2016. The 2017 priorities are further described below:
• Generation facilities greater than 1500 MW
• Medium Impact BES Cyber Assets at Substations
• Network Architecture
2017 ERO IP - Areas of Focus
Columns: Standard (Requirements), Entities for Attention, Asset Types
CIP-002-5.1 (R1, R2)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-005-5 (R1, R2)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-006-6 (R1, R2, R3)
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations
CIP-007-6 (R1, R2, R3, R5)
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers
CIP-014-2 (R1, R2, R3)
  Entities for Attention: Transmission Owner
  Asset Types: Transmission Stations and Substations
CIPV5 & CIP-014 ERO Other Considerations
Oversight of the CIP V5 and CIP-014 Standards and Requirements will also involve direct oversight of the Responsible Entities’ CIP programs by NERC and, in some cases, with staff from Applicable Governmental Agencies (AGA).
• For example, Federal Energy Regulatory Commission (FERC) staff and NERC staff have been coordinating in support of joint compliance monitoring of registered entities in 2016. While specific entities and the scope of 2017 activities have not been fully determined, NERC anticipates continued coordination with FERC staff to minimize any duplication of effort, with emphasis given to ensure that Responsible Entity resources are not unnecessarily impacted.
2017 RF CIP Compliance Monitoring
ReliabilityFirst performs IRAs for each Registered Entity based upon the audit schedule.
This schedule and the IRAs themselves may be revised based on emerging risks, a Registered Entity’s performance that requires Regional attention, or any other changes to a Registered Entity or otherwise that may impact a Registered Entity’s risk to the Bulk Power System.
The Entity specific IRAs are performed using both the ERO and Regional Risk Elements and the unique Bulk Power System characteristics of each entity.
2017 RF IP – Areas of Focus
Columns: Standard (Requirements), Entities for Attention, Asset Types
CIP-002-5.1 (R1, R2)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-003-6 (R1, Part 1.1)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-004-6 (R1, R2, R3, R4, R5)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-005-5 (R1, R2)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-006-6 (R1, R2, R3)
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations
CIP-007-6 (R1, R2, R3, R4, R5)
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers
2017 RF IP – Areas of Focus (cont.)
Columns: Standard (Requirements), Entities for Attention, Asset Types
CIP-008-5 (R1, R2, R3)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-009-6 (R1, R2, R3)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-010-2 (R1, R2)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-011-2 (R1, R2, R3, R4)
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-014-2 (R1, R2, R3, R4, R5, R6)
  Entities for Attention: Transmission Owner
  Asset Types: Transmission Stations and Substations
RF CIP Monitoring Audit Plan
CIP Compliance Monitoring Audit Plan
• ReliabilityFirst will conduct eleven (11) on-site CIP Audits in 2017, and may conduct additional audits as necessary
• Five of the eleven audits are Multi-Region Registered Entity (MRRE) engagements, and ReliabilityFirst is the Lead Regional Entity for four of these audits
• ReliabilityFirst is developing the scope for these audits through its IRA process
• ReliabilityFirst has already contacted the Registered Entities being audited in 2017 to arrange schedules and confirm the audit engagements
RF CIP Monitoring Guided Self-Certification Plan
CIP Compliance Monitoring Audit Plan
• ReliabilityFirst will perform a guided self-certification of CIP Low Impact only Registered Entities in 2017.
‒ The guided self-certification will be based upon the results of the 2016 CIP Self-Certification, which identified Registered Entities with only Low Impact BES Assets determined through assessment using the CIP V5 Impact Rating Criteria
‒ This guided self-certification will be focused on all CIP V5 Low Impact Standards and Requirements in effect as of April 1, 2017
‒ Each Registered Entity will be required to submit substantiating evidence to support its determination of compliance for those applicable requirements
RF CIP “Other” Monitoring Methods and Schedule
RF reserves the right to add monitoring efforts to our 2017 schedule based on:
• Emerging Cyber and Physical Risks
• A Registered Entity’s performance that requires Regional attention
• Other changes to a Registered Entity or otherwise that may impact a Registered Entity’s risk to the Bulk Power System
• Changes to the ERO and/or Regional Risk Elements
Monitoring will be conducted by any of the following CMEP methods:
‒ Audit
‒ Spot Check
‒ Guided Self-Certification
‒ Data Submittal
Questions & Answers
Keep Calm and CIP On
EDP Renewables North America’s Experience with NERC CIP Medium and Low Impact Requirements
Andy Schiefelbein, IT NERC Security Manager
Agenda
• EDPR NA Overview
• Transition Timeline
• CIP 3
• CIP 4
• CIP 5
• CIP Program Overview
• Implementation – Successes and Challenges
• Recommendations and Lessons Learned
• Questions
Who is EDPR NA?
EDP Renewables North America LLC developed, constructed, owns and operates 39 wind and two solar power plants throughout North America with installed capability exceeding 4,600 MW
Employs over 380 people
Ranked fourth in the U.S. in terms of total installed wind capacity
Headquartered in Houston with regional and development offices across the country
Remote Operations Control Center located in Houston, TX
Generator Owner and Generator Operator located in 7 of the 8 NERC Regional Entities with RF as Lead Regional Entity (LRE)
Owned by EDP Renewables, a leading renewable energy company that is present in the United States, Spain, Belgium, Brazil, Canada, France, Italy, Mexico, Poland, Portugal, Romania and the United Kingdom
EDP Renewables North America – Geographical Presence (map)
Offices: Houston, TX (U.S. Headquarters); Toronto, ON (Canada Headquarters); Portland, OR (Western Region Office)
Map labels: California, Arizona, Texas, Minnesota, Wisconsin, Illinois, Ohio, Ontario, Maine
Operational plants:
• Elkhorn Valley – 101 MW
• Wheat Field – 97 MW
• Rattlesnake Road – 103 MW
• Lone Star I & II – 400 MW
• Blue Canyon I & II – 225 MW
• Blue Canyon V – 99 MW
• Meridian Way I & II – 201 MW
• Lost Lakes – 101 MW
• Prairie Star – 101 MW
• Headwaters – 200 MW
• Rail Splitter – 101 MW
• Twin Groves I & II – 396 MW
• Top Crop I – 102 MW
• Meadow Lake I – 200 MW
• Madison – 12 MW
• Maple Ridge I & II – 322 MW
• Kittitas Valley – 101 MW
• Top Crop II – 198 MW
• Meadow Lake II – 99 MW
• Meadow Lake III & IV – 202 MW
• Marble River – 215 MW
• South Branch – 30 MW
• Rising Tree I, II & III – 198 MW
• Lone Valley I & II Solar – 30 MW
• Blue Canyon VI – 100 MW
• Timber Road II – 99 MW
• Arbuckle Mountain – 100 MW
• Ad Astra – 200 MW
• Pioneer Prairie I and II – 300 MW
EDPR NA Under CIP v3 Requirements
CIP-002 Critical Cyber Asset Identification
• R1. Critical Asset Identification Method: RBAM
• R2. Critical Asset Identification: Critical Assets = No
• R3. Critical Cyber Asset Identification: Critical Cyber Assets = No
• R4. Annual Approval: Reviewed & approved annually
CIP-003 Security Management Controls
• R2. Leadership: Designation of CIP Senior Manager; Delegated Authority by CIP Senior Manager; Document changes within 30 calendar days
NERC CIP Transition Timeline v3 to v4 to v5
CIP Version 4 – Due April 1, 2014
Why start here?
• As stated earlier, EDPRNA had no Assets defined as critical under version 3 requirements.
• So, the genesis of our Version 5 program started with the need to adopt CIP version 4
• First Action – Gather the Steering Committee for a New Full CIP Program.
• Members – EVP Asset Operations, General Counsel, Director of IT, Director of Control Center Ops, Director of Remote Operations
NERC CIP Transition Timeline v3 to v4 to v5
CIP Version 4 – Due April 1, 2014
First Actions – Q4 2012 and Q1 2013
• Steering Committee Creates the CIP Working Group
• Members – Sr. Manager Regulatory Compliance, SCADA Manager, Sr. Manager ROCC operations, Manager Operations Compliance, IT Consultants
• First Project of the Program – GAP Analysis v3 to v4
• Findings – CIP-002 v4 Attachment 1 – 1.15 “Each Control Center used to Control Generation at Multiple Locations that exceeds 1500MW in a single interconnection…..
EDP Renewables North America – Geographical Presence (map, as shown on the overview slide)
NERC CIP Transition Timeline v3 to v4 to v5
CIP Version 4 – Due April 1, 2014
…. EDPRNA now operates Critical Assets
• Next step – CIP Working Group defines objectives
• Full CIP Program CIP-002 to CIP-009 by 12/31/13
• Divide program into four major project groups
‒ Policy and Procedures
‒ Infrastructure
‒ Security – Cyber and Physical
‒ Training
NERC CIP Transition Timeline v3 to v4 to v5
Project Breakdowns
Who is responsible for what?
• Steering Committee – CIP-002
• Policy and Procedure Project – CIP-003, CIP-008
• Infrastructure – CIP-005, CIP-006, CIP-007, CIP-009
• Security – CIP-005, CIP-006, CIP-008
• Training – CIP-004 primarily, but all CIP Standards require training
NERC CIP Transition Timeline v3 to v4 to v5
Ready, Set, Go!
Begin Program Build Out Q2 2013
• Team consisted of nearly 30 members between FTEs (partial time requirements) and Consultants – 11 tasked only to CIP with others as needed
• 4 Projects working at the same time with joint meetings to define workflows, documentation needs, architecture, and compliance requirements
• Program management is key: with many moving parts, this is not a task that can be given to a current employee who has a few extra minutes every week.
NERC CIP Transition Timeline v3 to v4 to v5
Advantages
No Prior CIP v3 Environment to Adapt
• With no Critical Assets in version 3, EDPRNA had no systems to adapt to the new version
• Instead, on the recommendation of IT, a new Protected CIP environment was built from the ground up, with the requirements in hand
• Once the infrastructure was built, tested, and approved, the identified CCAs were migrated into the new environment
NERC CIP Transition Timeline v3 to v4 to v5
Disadvantages
No Prior CIP v3 Experience to Lean on
• No “real” CIP audit experience: EDPRNA had no experience with the system and no past results to review
• Internal resources were far more familiar with the Reliability Standards (693), and CIP was a new world – from a remain online and ready mindset to a remain safe and secure mindset
• Led to a few disagreements on some backup systems
• Everything is new; training is not only needed but mandatory
NERC CIP Transition Timeline v3 to v4 to v5
A Hard Decision
Interactive Remote Access
EDPRNA found that the language for CIP v4 concerning interactive remote access was not defined well enough to be comfortable with providing remote access in a method that would ensure compliance. Our needs for interactive access were off-hours support only. The team decision was to allow only READ access for non-working-hours support.
This did place more burden on our operators, as they would have to function as our remote hands for both IT and SCADA support. This determination was not made lightly, and we understood the amount of cross training required. Ultimately, it was determined that this represented less compliance and operational risk than poorly implementing interactive access.
NERC CIP Transition Timeline v3 to v4 to v5
A short interlude – Q4 2013
Version 4 is dead, Long live Version 5!
• Before we leave Version 4 to the recycle bin of history, a few takeaways
• Engage NERC and your EROs early and often: Compliance Conferences, Forums, and Small Group Advisory Sessions
• Training! I cannot stress enough, work with your Corporate training group as soon as you have material to train on.
• Give yourself time; do not shortchange how long you think this will take. If you are becoming a CIP auditable entity, plan some extra time in, because changes will occur
• Train some more!
NERC CIP Transition Timeline v3 to v4 to v5
CIP Version 5 – Due July 1, 2016
Here we go again.
• Where to begin? GAP analysis!
• This time it was quick (relatively) and involved the whole project team
• What did we find?
• Clarified Language
• Impact levels
• New Standards – CIP-010, CIP-011 – The requirements were there, just buried in other standards
EDPR NA Transitions to CIP v5
CIP-002 BES Cyber System Categorization
• R1. Identify High, Medium and Low Impact BCS: High Impact BCS = No; Medium Impact BCS = Yes; Assets containing Low Impact BCS = Yes
• R2. Annual Approval: Reviewed & approved annually
CIP-003 Security Management Controls
• R1. Cyber Security Policies Reviewed/Approved Annually by CIP Senior Manager: for High and Medium Impact BCS; for Assets Containing Low Impact BCS
• R2. Cyber Security Plans for Low Impact BCS (Attachment 1): Cyber Security Awareness; Physical Security Controls; Electronic Access Controls for LERC & Dial-up Connectivity; Cyber Security Incident Response
• R3. Designation of CIP Senior Manager: No process change
• R4. Delegated Authority by CIP Senior Manager: No process change
CIP-002
EDPRNA under CIP-002-5.1
• CIP-002-5.1 Attachment 1, 2.11: Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection.
• EDPRNA exceeds the 1500 MW of generation in the Eastern Interconnect
• 1 Medium Impact Location with its supporting infrastructure
‒ Remote Operations Control Center in Houston
‒ Back Up Control Center
‒ CIP Protected environment in Data Center
‒ IT Support Office
• 30 Low Impact locations nationwide in all three interconnects and 7 of the 8 Regional Entities, sorry FRCC
EDP Renewables North America – Geographical Presence (map, as shown on the overview slide)
CIP-003 Security Management Controls
• Policies – Review v4 policies and update for the language change
• Low Impact – Add to the Medium Impact policies statements pertaining to low impact sites in the areas of Cyber Security Awareness, Physical Security, Electronic Security, Cyber Security Incident Response
• Process to delegate authority
New Full Time Employee #1
• CIP program has grown large enough that it requires a number of new FTE positions
• First identified need – NERC CIP Sr. Manager – Has the Delegated authority from EDPRNA’s named CIP Senior Manager to run the program on a day to day basis.
CIP-004 Personnel and Training
• One program for both Medium and Low Impact sites
‒ SME training is targeted to those employees in Operations, HR, SCADA, Regulatory Compliance, and IT.
‒ Cyber Security Awareness is company wide for all employees
• Annual Cyber Security Awareness Course
‒ Develop training that keys to real world events – Ukraine 2015
‒ Cyber Security Awareness Month - October
• Engaging with HR early is critical to ensure that workflows are adjusted to meet Compliance Requirements
‒ Complete Training before granting electronic or unescorted physical access
‒ Ensure Corporate Personal Risk Assessments meet NERC requirements
‒ Add dates for completion of the PRAs and confirm annually that all employees and contractors are current
‒ Notifications from HR to IT when employment separation events occur to ensure the 24 hour requirement is met
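Two of the HR workflow points above are easy to check mechanically once HR and IT records are available: access removal within 24 hours of a separation event, and training completed before electronic or unescorted physical access is granted. The script below is an added example written for this page, not EDPR's process; the people, timestamps and record layouts are constructed, and the function names are mine. It flags separations with no revocation record at all as well as late revocations, since a missing record is the more dangerous of the two.

```python
"""Access-management evidence checks for the CIP-004 workflow on the slide.

Added example, not EDPR's tooling; every name and timestamp is constructed.
Two checks the HR-to-IT workflow has to satisfy: (1) after a separation
event, electronic and unescorted physical access is removed within 24
hours, and (2) required training is completed before access is granted.
"""
from datetime import datetime, timedelta

# Constructed HR separation events: person -> time HR recorded the separation.
SEPARATIONS = {
    "jdoe": datetime(2016, 3, 1, 17, 0),
    "asmith": datetime(2016, 3, 4, 9, 30),
    "bwong": datetime(2016, 3, 7, 12, 0),
}

# Constructed access-removal records from IT / badge system: person -> time revoked.
REVOCATIONS = {
    "jdoe": datetime(2016, 3, 2, 19, 30),   # 26.5 h after separation: too slow
    "asmith": datetime(2016, 3, 4, 11, 0),  # 1.5 h: fine
    # bwong: no revocation record at all, which is the worst case
}

# Constructed training-completion and access-grant dates for new hires/contractors.
TRAINING_COMPLETED = {"cnew": datetime(2016, 2, 10), "dtemp": datetime(2016, 2, 20)}
ACCESS_GRANTED = {
    "cnew": datetime(2016, 2, 12),   # trained before access: fine
    "dtemp": datetime(2016, 2, 15),  # trained five days after access was granted
    "evend": datetime(2016, 2, 18),  # no training record at all
}


def revocation_findings(separations, revocations, window=timedelta(hours=24)):
    """Return [(person, hours_to_revoke or None)] for separations outside the window.

    None means no revocation record exists, i.e. as far as the evidence shows
    the person still has access.
    """
    out = []
    for person, sep_at in sorted(separations.items()):
        rev_at = revocations.get(person)
        if rev_at is None:
            out.append((person, None))
        elif rev_at - sep_at > window:
            out.append((person, (rev_at - sep_at).total_seconds() / 3600))
    return out


def training_findings(training, access):
    """People granted access with no training record, or trained only after the grant."""
    return sorted(p for p, granted in access.items()
                  if training.get(p) is None or training[p] > granted)


if __name__ == "__main__":
    print("revocation findings:", revocation_findings(SEPARATIONS, REVOCATIONS))
    print("training findings:", training_findings(TRAINING_COMPLETED, ACCESS_GRANTED))
```

Run it periodically against exports from the HR system and the access-control system; the output is the list of records an auditor would ask about, and an empty list is the evidence that the workflow held for that period.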
Cyber Security Awareness
Monthly “Security Bulletin” Emails
• Sent to all EDPR NA employees & IT contractors
• Covers both cyber and physical security topics
Quarterly Posters
• Posters are placed throughout the Houston office
• Site Admins display posters at the sites
National Cyber Security Awareness Month – October
• Designated month to raise awareness
• Various activities facilitated by members of the CIP Working Group
Annual Training
• Cyber Security Training for all employees & IT contractors
• SME Workshops for specific individuals based on job role/responsibility
Same material and delivery as our Medium Impact BCS
CIP-005 Electronic Security Perimeter
• Internal CIP only authentication
• Heavily segmented network – divide systems by need and use – IT support, Remote desktop, SCADA control, and device management
• Separate domain and network systems – mixed mode is accepted, but it is difficult to easily provide audit evidence. There is cost associated with implementation and maintenance of separate systems, but EDPR deemed the cost manageable to provide a smooth audit
• Documentation is key – by building a new CIP only network segment, discovery was limited, and build out documents became ongoing evergreen documentation
• Each system, as it was stood up or migrated in, was heavily tested to narrow the needed network traffic to known ports and services
• Interactive Remote Access
‒ With the v5 revision, interactive access was deemed to be manageable
‒ CIP only VPN hardware, two factor system, and remote desktop environment
New Full Time Employee #2
• NERC IT Security Manager
• There is a lot of audit evidence to generate and maintain
• Second identified need – NERC IT Security Manager – Primary Technical SME for architecture, implementation, and CIP audits
Low Impact Site
Segmentation:
Adapt and adjust current site topology to meet new LEAP requirements. EDPRNA was in a good position when the Low Impact requirements were released. The Wind Power Plants were already designed and delivered with separation of duties in mind: one segment for corporate systems and one segment for SCADA systems. We had two tasks to complete: rework vendor access for warranty and system maintenance, and narrow down the access lists to meet the “necessary inbound and outbound bi-directional routable protocol access” requirement.
Diagram: Low-impact Electronic Access Point (LEAP) Implementation, showing the User SCADA/Control Terminal, Low Impact BES Asset, Offsite Office, BES Asset Location, and Other Corporate Device.
CIP-006 Physical Security of BES Cyber Systems
• EDPRNA had a badge system in place to manage physical access to the office space at the corporate headquarters
• The CIP critical areas were decoupled from the now ‘Corporate’ badge system and migrated to a ‘CIP’ badge system that resides within the ESP.
• The data center racks with the CIP systems had mag locks deployed, and were modified to pass wires between them without exposing them to the outside world
• All physical control devices reside within the space they are protecting
• The ROCC had a visitor control procedure in place for escorting guests without approved access. This was modified to meet CIP requirements and rolled out to all PSPs
• Train all employees with unescorted access privileges on visitor access procedures.
• Tie into the maintenance schedule of the corporate badge system; this meets both State/Local and CIP requirements
CIP-007 System Security Management
• Linear migration of applications into the new CIP protected environment allowed for a ports and services review
• Start with the end in mind – Deny all traffic and open only what is needed for operation
• EDPRNA built the Test CIP segment first; this allowed the project team to break applications in a sandbox without risking operational assets
• Patch Management
‒ Engage Vendors early to work out patch procedures – They are the experts for their solutions; cyber security must work with operational reliability, not against it. Ensure that all information for interaction with AV, IDS/IPS, and anti-malware solutions is gathered.
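The "deny all traffic and open only what is needed" approach on this slide, and the CIP-005 point above about testing each migrated system to narrow its traffic to known ports and services, both come down to a per-system ports-and-services baseline that is periodically compared against what is actually listening. The script below is an added example written for this page, not EDPR's tooling: the host names, ports, justifications and the ss-style listener output are constructed, and the BaselineEntry, parse_ss and review names are mine. It reports listeners that are not in the baseline, baseline entries that are no longer listening (a stale baseline is also an audit finding), approved ports with no written justification, and systems nobody baselined at all.

```python
"""Ports-and-services baseline review for a CIP-protected network segment.

Added example, not EDPR's tooling. The host names, ports, justifications
and the ss-style listener output below are constructed sample data.
Idea: every network-accessible listener on a system is either in the
approved baseline with a documented need, or it is a deviation to
investigate; the baseline itself is also checked for stale or undocumented
entries.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineEntry:
    port: int
    proto: str           # "tcp" or "udp"
    service: str
    justification: str   # why the port is needed; "" means nobody wrote it down


# Constructed baseline: what each system is approved to expose.
BASELINE = {
    "scada-hist-01": {
        BaselineEntry(443, "tcp", "https", "historian web client from ROCC VLAN"),
        BaselineEntry(1433, "tcp", "mssql", "historian DB for SCADA front end"),
    },
    "jump-host-01": {
        BaselineEntry(3389, "tcp", "rdp", "Intermediate System remote desktop"),
        BaselineEntry(22, "tcp", "ssh", ""),   # approved, but no justification recorded
    },
}

# Constructed `ss -lntu`-style output captured on scada-hist-01.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1433       0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return the set of (port, proto) listeners reachable from the network.

    Loopback-only listeners are skipped: they are not network accessible and
    so are not part of the exposed ports-and-services surface under review.
    """
    listeners = set()
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m and m.group(2) not in LOOPBACK:
            listeners.add((int(m.group(3)), m.group(1)))
    return listeners


def review(baseline, observed):
    """Compare the approved baseline with observed listeners; return findings per host."""
    findings = {}
    for host in sorted(set(baseline) | set(observed)):
        approved = {(e.port, e.proto): e for e in baseline.get(host, ())}
        seen = observed.get(host, set())
        findings[host] = {
            "unexpected": sorted(p for p in seen if p not in approved),   # listening, not approved
            "missing": sorted(p for p in approved if p not in seen),      # approved, not listening
            "undocumented": sorted(p for p, e in approved.items() if not e.justification),
            "not_in_baseline": host not in baseline,                      # system nobody baselined
        }
    return findings


def has_deviations(findings):
    """True if any host has something an auditor would ask about."""
    return any(f["unexpected"] or f["missing"] or f["undocumented"] or f["not_in_baseline"]
               for f in findings.values())


if __name__ == "__main__":
    observed = {
        "scada-hist-01": parse_ss(SAMPLE_SS),
        "jump-host-01": {(3389, "tcp")},   # constructed: the ssh daemon is not running
        "eng-ws-07": {(445, "tcp")},       # constructed: a host nobody put in the baseline
    }
    for host, f in review(BASELINE, observed).items():
        print(host, f)
```

Feeding it real `ss` or `netstat` output from each system in the CIP segment turns the slide's "narrow to known ports and services" into a repeatable check; the justification field is what makes the baseline useful as audit evidence rather than just a port list.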
CIP-008 Incident Reporting and Response
• Leverage same procedures for all impact levels
• Conduct SME training with cross-functional teams of personnel at our Medium and Low Impact Sites
Event Evaluation Board (EOP-004-2)
• Team Members – Operations & Regulatory Compliance Personnel
• Responsible for initial evaluation and determines if it is a cyber related event.
• Determines whether or not an event is reportable.
Cyber Security Incident Response Team (CIP-008-5)
• Team Members – IT NERC Security Mgr, NERC IT Team, Operations & Regulatory Compliance Personnel
• Responsible for identifying, classifying, and responding to Cyber Security Incidents.
• Determines whether or not an incident is reportable.
CIP-009 Recovery Plans for BES Cyber Assets
• Straightforward
‒ Adapted Corporate Recovery plans already present in the IT group
‒ Flesh out the who, what, and why
‒ Train SMEs
‒ Practice…but only in Test
• Build Redundancy to prevent outages
‒ All network devices, servers and storage were built in redundant pairs
‒ Utilize Virtual Technology to build further tenacity into the environment
‒ Additionally, to comply with other requirements we built a nearly exact replica of the environment for testing purposes – Gives IT, SCADA, and Operations groups a sandbox to test and stress the environment
• Redundancy does not replace the need for recovery but considerably reduces the possibility of a loss of function
CIP-010 Configuration Change Management
• Utilize existing ticket management system, deploy Operational Change Control module – work with vendor to adapt workflows – add audit step
• Build System Baseline document as environment is developed
• Begin Change Control process well before compliance date
• Drill scenarios
New Full Time Employee #3
• IT Configuration Manager
• This is the most paperwork intensive of the requirements
• Third identified need – Someone to maintain all EDPRNA configurations, not just CIP
CIP-011 Information Protection
• Identify all documentation, architecture, and configuration documents that meet the information protection requirement
• Leverage existing document management
• Create new security groups – tie to electronic access workflow
• Train all employees that handle CIP restricted documents
• Ensure that all electronic copies reside in the secure repository
• If physical copies are required, keep them with you, lock them up, leave them in a PSP
• Provide all employees access to the CIP related policies; restrict access to procedures to only those roles identified within them.
Challenges
Change is Hard
• Moving from a non-critical status to a critical status, and then to multiple Impact ratings, is a huge culture shift.
• Asset Operations and SCADA teams are concerned primarily with the reliable operation of power plants; it is the job of IT and Compliance to stress the need for Security
• EDPRNA had time, which was a good thing; it allowed for measured changes in:
‒ Process
‒ Training
‒ Practice and drills of the new procedures
‒ Vendor Contracts
Lessons Learned
• Leverage your existing programs and procedures
• Engage remote sites early on in the process
• Train!
• Prepare Management for a realistic timetable
• Prepare Management for realistic cost projections
• Engage with NERC and your Regional Entities early and often… They can help, lots!
• Train some more!
Break
The 2016 Fall Workshop Survey link will be sent via email upon completion of the workshop.
©2016 NAVIGANT CONSULTING, INC. ALL RIGHTS RESERVED
CIP-014 PHYSICAL SECURITY TRENDS AND BEST PRACTICES
RELIABILITYFIRST FALL CIP WORKSHOP
BRIAN HARRELL, CPP
DIRECTOR - RISK MANAGEMENT, COMPLIANCE, AND SECURITY
IT’S AN ISSUE OF MAGNITUDE
Over 55,000 substations over 100 kV in size!
SECURING A REMOTE OR URBAN ASSET!
The Real Challenge…
CRITICAL TRANSFORMERS
NERC CIP-014 PHYSICAL SECURITY
CIP-014 PHYSICAL SECURITY STANDARD
• Purpose:
- To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection.
• Applicability:
- Transmission Owners (TO)
- Transmission Operators (TOP)
KEY DATES
CIP-014-2 Implementation Timeline
Activity                               Implementation   Not Later Than   Days after 10/1/15
R1 Assessment                          Effective Date   10/1/2015        0 days
R2 Verification                        Effective + 90   12/30/2015       90 days
R2.3 Address Discrepancies             R2.2 + 60        2/28/2016        150 days
R3 Notify Control Center               R2 + 7           1/6/2016         97 days
R4 Threat & Vulnerability Evaluation   R2 + 120         6/27/2016        270 days
R5 Security Plan                       R2 + 120         6/27/2016        270 days
IMPLEMENTATION
• Critical facility identification (R1) complete before the effective date (six months following publication in the Federal Register)
- Standard approved November 20, 2014
- Mandatory and Enforceable October 1, 2015
• Third party verification (R2) complete within 90 days of completion of R1.
• Notification of other parties (R3) complete within 7 days of completion of R2.
• Evaluate threats and vulnerabilities (R4) and develop security plans (R5) within 120 days of completion of Requirement R2.
• Third party review of threats and vulnerabilities and security plans (R6) within 90 days of completion of R4/R5.
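The Key Dates table gives the "not later than" dates for an R1 completion on 10/1/2015. The script below, an added example and not from the slides or any NERC tool, derives those dates from the dependency rules in the implementation bullets, so the same chain can be recomputed from an entity's own completion dates rather than the standard's effective date. Two points about how the table is read: its 270-day figure for R4/R5 is 120 days counted from the end of the R2.3 discrepancy window (150 days), so R2.3 is used as the predecessor for R4/R5; and the R6 row is computed from the last bullet (90 days after R4/R5), which the table itself does not list. The RULES, schedule, days_after and late names are mine.

```python
"""CIP-014-2 implementation deadline chain.

Added example, not from the slides and not NERC tooling. Each "not later
than" date is derived from the dependency rules the slide lists. Because
every window runs from the *completion* of its predecessor, actual
completion dates can be supplied and the successor deadlines move with them.
"""
from datetime import date, timedelta

# (activity, predecessor activity, days allowed after the predecessor completes)
RULES = [
    ("R1 Assessment", None, 0),
    ("R2 Verification", "R1 Assessment", 90),
    ("R2.3 Address Discrepancies", "R2 Verification", 60),
    ("R3 Notify Control Center", "R2 Verification", 7),
    # The slide's 270 days for R4/R5 = 150 (end of R2.3 window) + 120.
    ("R4 Threat & Vulnerability Evaluation", "R2.3 Address Discrepancies", 120),
    ("R5 Security Plan", "R2.3 Address Discrepancies", 120),
    # From the implementation bullets, not in the slide table.
    ("R6 Third Party Review", "R5 Security Plan", 90),
]


def schedule(r1_complete, actual=None, rules=RULES):
    """Return {activity: deadline}.

    `actual` maps activity -> real completion date. Where an activity has no
    actual date yet, its deadline is assumed as the latest possible
    completion for computing everything that depends on it.
    """
    actual = actual or {}
    deadline, completed = {}, {}
    for activity, pred, days in rules:
        base = r1_complete if pred is None else completed[pred]
        deadline[activity] = base + timedelta(days=days)
        completed[activity] = actual.get(activity, deadline[activity])
    return deadline


def days_after(r1_complete, deadlines):
    """Reproduce the slide's 'days after 10/1/15' column for any R1 date."""
    return {a: (d - r1_complete).days for a, d in deadlines.items()}


def late(deadlines, actual):
    """Activities whose actual completion fell after their deadline."""
    return sorted(a for a, done in actual.items() if done > deadlines[a])


if __name__ == "__main__":
    r1 = date(2015, 10, 1)            # the standard's effective date, from the slide
    dl = schedule(r1)
    counts = days_after(r1, dl)
    for activity, d in dl.items():
        print(f"{activity:38} {d:%m/%d/%Y} {counts[activity]:4} days")
```

With no actual dates supplied the output reproduces the table's Not Later Than column (12/30/2015, 2/28/2016, 1/6/2016, 6/27/2016) plus 9/25/2016 for R6; passing an early R2 completion pulls the R3, R2.3 and R4/R5 deadlines forward, which is the point most often missed when a schedule is planned from the effective date alone.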
REQUIREMENT 4
• Advising utilities without a robust security department to use the NATF CIP-014 R4 Guideline
• Provide all documentation of prior attacks, break-ins, sabotage incidents
- OE-417, RCIS, E-ISAC reports, LEO Reports
• Seek outside threat information:
- E-ISAC
- Fusion Center
- Local, State, and Federal Law Enforcement
- Has DHS identified you as “critical”?
• Design Basis Threat (DBT)
- Accurate scenarios for potential attack
- Outside firearms attack
- “Suspicious” device left behind or thrown over perimeter fence
- Vehicle-borne Improvised Explosive Device
- Breached control/station house
REQUIREMENT 5
• Physical Security Plan (R5) should map directly to T&V Assessment (R4)
• Are you hardening the entire facility or specific critical assets and infrastructure within the facility?
• Discuss security measures designed to deter, detect, delay, assess, communicate, and respond to potential physical threats
- What is the response time of security staff? Local Law Enforcement?
• If you commit to paper, you are now obligated
• Highlight mitigation measures that have been put in place as a result of the attack scenarios
- Remove line of sight to critical transformers
- Suspicious package procedures and response plan
• How are you slowing, checking, screening, and controlling access to your facility?
• How are you monitoring the station house? Patrols? Procedures for reporting a breach? Cyber!!
PHYSICAL-TECHNOLOGY INTEGRATION
Site Specific Layered Approaches To:
• Deter potential adversaries from considering the facilities in their pre-operational planning
• Detect adversaries in their planning, surveillance, or approach stages
• Delay adversaries from gaining access to critical facilities and equipment
• Minimize the impact of any intrusions or attacks on BPS reliability
• Rapidly respond to any attacks or intrusions
• Preserve and assist law enforcement in evidence recovery for potential apprehension
INDUSTRY BEST PRACTICES
DETERRENCE
Current systems and technologies used by industry security professionals:
• Motion activated video surveillance with intrusion deterrence technologies
• Limited access smart locks and access card systems/readers
• Employee screening (insider threat)
• Security fencing to include solutions with blast and ballistic resistance
• Environmental and physical vehicle barriers
• Security lighting to include motion activated strobe illumination
• Security signage
• Prohibit non-critical storage and staging to reduce criminal draw
• Annual security program and vulnerability assessment reviews
• Security guards
• Neighbor awareness security program
DETECTION
• External/internal video analytic systems
• External/internal motion sensing systems
• External seismic detection systems
• External/internal gunshot detection systems
• UAV detection systems
DELAY
• Environmental barriers
• Access barriers
• Perimeter fencing
REQUIREMENT 6
• Consultant? DHS? Law Enforcement?
• Many government agencies do not want to sign off on “compliance”
• Avoid overnight firms that have recently boarded the “CIP-014 train”
• Use a firm with proven experience in the electricity sector AND doing physical security
• Client expectations:
  • Proposal response
  • Initial kick-off meeting to discuss timeline (R2, R4/R5 Dates?) and milestones
  • Time to review R4 and R5 documentation ahead of site visits
  • On-site review of all CIP-014 sites to verify identified vulnerabilities and mitigation measures
  • Informal exit presentation
  • Compliance documentation
REQUIREMENT 6 CONTINUED…
• Final document:
  • Identified facility
  • Unaffiliated 3rd Party statement
  • Statement suggesting that security measures “mitigate the threats identified in the R4 threat assessment”
  • A determination that “the physical security plan is achievable”
  • Provide security suggestions, if applicable
  • Provide evidence of consultant’s expertise and certification(s)
    ▫ Do not tell me, show me
  • Official company letterhead with full contact details
CONTACT
Brian Harrell, CPP – Director of Security and Risk Management
703.965.7474
navigant.com
Overview of NP-View
Scott Pelfrey – Senior Technical Auditor, RF
Objectives
• Answer the following questions
  • What is NP-View?
  • Why is RF using NP-View?
What is NP-View?
• Software from Network Perception (University of Illinois)
• Performs automated network path analysis from raw configs
• Works offline (no online or real-time analysis)
• Tool used ERO-wide – All regions
NP-View – Supported Manufacturers
NP-View – Getting Started
NP-View – Establishing Perimeters
NP-View – Path Overview
NP-View – Baseline Analysis
Why is RF Using NP-View?
Facts
• Used to help Audit Team “visualize” entity Network
• Helps Audit Team learn network topology (both logical & physical)
• Helps Audit Team locate EAPs
• Reduces questions concerning firewall rulesets
• Helps entity identify data flows and look for issues
Myths
‒ RF is NOT looking for PVs with NP-View
‒ RF is NOT looking for holes, issues, or poor firewall configurations
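The kind of path analysis the slides describe, as an added example that is not NP-View's code or part of the RF deck: a first-match evaluator over a constructed, vendor-neutral ruleset syntax that lists the permit rules opening a path from outside an assumed ESP (10.20.1.0/24 here) into it, and flags rules that are shadowed by an earlier rule and therefore never reached. The rule syntax, addresses, and ESP range are all constructed for the example.

```python
"""Access-path analysis over a constructed EAP ruleset (added illustration)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    index: int              # 1-based position; evaluation is first match wins
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]     # destination port, None = any port


def parse_ruleset(text):
    """Parse lines of '<action> <proto> <src-cidr> <dst-cidr> [dst-port]'.

    The syntax is constructed for this example; '#' starts a comment.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) not in (4, 5) or parts[0] not in ("permit", "deny")
                or parts[1] not in ("tcp", "udp", "any")):
            raise ValueError(f"unparseable rule: {raw!r}")
        port = int(parts[4]) if len(parts) == 5 else None
        rules.append(Rule(len(rules) + 1, parts[0], parts[1],
                          ip_network(parts[2], strict=False),
                          ip_network(parts[3], strict=False), port))
    return rules


def _matches(rule, proto, src, dst, port):
    return (rule.proto in ("any", proto)
            and src in rule.src and dst in rule.dst
            and rule.port in (None, port))


def decide(rules, proto, src, dst, port):
    """First-match evaluation with an implicit final deny.

    Returns (action, index of the deciding rule or None for the implicit deny).
    """
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule, proto, src, dst, port):
            return rule.action, rule.index
    return "deny", None


def _covers(earlier, later):
    """True when `earlier` matches every packet `later` could match."""
    return (earlier.proto in ("any", later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.port in (None, later.port))


def shadowed_rules(rules):
    """(rule, shadowing rule) pairs for rules that can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.index, earlier.index))
                break
    return found


def inbound_paths(rules, esp):
    """Reachable permit rules that open a path from outside the ESP into it."""
    esp = ip_network(esp)
    dead = {later for later, _ in shadowed_rules(rules)}
    return [(r.index, str(r.src), str(r.dst), r.proto, r.port)
            for r in rules
            if r.action == "permit" and r.index not in dead
            and r.dst.overlaps(esp) and not r.src.subnet_of(esp)]


# Constructed sample ruleset; the ESP in this example is 10.20.1.0/24.
SAMPLE_RULESET = """\
permit tcp 10.10.5.0/24  10.20.1.10/32 22    # jump-host subnet -> EMS server, SSH
permit tcp 10.10.5.0/24  10.20.1.0/24  443   # jump-host subnet -> ESP web consoles
permit udp 10.20.1.0/24  10.10.7.5/32  514   # ESP -> syslog collector (outbound)
permit tcp 10.10.5.12/32 10.20.1.10/32 22    # redundant: already covered by rule 1
deny   any 0.0.0.0/0     10.20.1.0/24        # block everything else into the ESP
permit tcp 0.0.0.0/0     10.20.1.0/24  3389  # never reached: rule 5 denies first
"""

if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    print("inbound paths:", inbound_paths(rules, "10.20.1.0/24"))
    print("shadowed rules:", shadowed_rules(rules))
    print(decide(rules, "tcp", "10.10.5.12", "10.20.1.10", 22))
```

The shadow check is what answers "why does rule 6 not matter?" during an audit without anyone having to argue from memory: a rule is dead when an earlier rule matches a superset of its protocol, source, destination and port, so the inbound-path list only reports rules that can actually fire.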
NP-View Tutorials
Questions & Answers
Exelon NERC CIP Program
September 29, 2016
Lois Buwalda
Agenda
• About Me, Exelon, and our V5 Implementation Program
• Exelon’s NERC CIP Program Mission & Vision
– People
– Tools
– Governance
• Deeper Dive in 3 Areas
– Culture
– Controls Framework & Automation
– Access Control Automation System
82 Exelon Proprietary and Confidential
My Background
B.S., M.S. Computer Science
B.A. English
Non-profit healthcare research agency
6+ years as application developer / PM
Exelon IT – 18+ years
Utilities: PECO, ComEd, Energy Delivery
Generation: Trading, Retail, Power
Enterprise: Architecture & Planning; IT Management Model, Compliance
NERC CIP since ~2009
About Exelon
We are a FORTUNE 100 company that works in every stage of the energy
business: power generation, competitive energy sales, transmission and
delivery. As the nation's leading competitive energy provider, Exelon does
business in 48 states, D.C., and Canada and had 2015 revenues of $34.5
billion. We employ approximately 34,000 people nationwide.
• Six utilities deliver electricity and natural gas to approximately 10 million
customers in Delaware, the District of Columbia, Illinois, Maryland, New
Jersey and Pennsylvania through its Atlantic City Electric, BGE, ComEd,
Delmarva Power, PECO and Pepco subsidiaries.
• More than 32,000 megawatts of owned capacity comprising one of the
nation’s cleanest and lowest-cost power generation fleets.
• The company’s Constellation business unit provides energy products and
services to approximately 2 million residential, public sector and business
customers, including more than two-thirds of the Fortune 100.
This presentation focuses on Exelon’s V5 implementation which preceded the
merger with Pepco Holdings.
Challenges Circa 2014
• V5 represented a big increase in scope for Exelon
• We did not have the Program or the Technology to scale for this size scope
NERC CIP 2014 (V3) vs. NERC CIP 2016 (V5)
Scope
– 2014 (V3): ~300 Critical Cyber Assets; IT supported mainly at Control Centers and Data Centers
– 2016 (V5): >3,900 Medium or High Impact BES Cyber Assets; ~270 CIP-002 Assets that contain Low impact BES Cyber Systems; includes assets at Substations and Generating Plants
Impacted Population
– 2014 (V3): Performers primarily IT
– 2016 (V5): Performers both IT and OT; ~2,500 users with Physical, Electronic, or Information access
Exelon’s NERC CIP V5 Implementation Program (VIP)
• Comprised of 14 projects plus program-wide teams under a single leader
• Reorganized later in December 2015 to combine some functions and add a
Readiness tower
NERC CIP Version 5 Co-Sponsors: CIP Senior Manager + IT VP
NERC CIP VIP Executive Council
NERC CIP VIP Steering Committee
NERC CIP Program Leader: Lois Buwalda
Program-wide teams: PMO; Finance; Architecture; Communications & Change Management; Program Integration; CIP QA
Project towers (14 projects):
• Foundation
– Cyber Asset Identification & Tracking
– Controls Framework & Automation
– Policy, Processes, Procedures
• Access
– Information Protection Program
– Physical Security
– Electronic Security Perimeter
– Personnel Risk Assessment
– Access Controls and Automation
• People
– Training
– Culture of Compliance
– Org Design
• Systems
– Systems Management
– Cyber Security Monitoring and Reporting
– Patching and Malicious Code Prevention
Exelon’s NERC CIP Mission
• Focused not only on achieving the 4/1 date, but on ensuring we could sustain that compliance moving forward. We aligned to a mission and vision for sustained compliance success.
• Our Mission is the Security and Reliability of the BES. Compliance is an enabler of this mission. It sets a bar for performance, and provides a mechanism to measure yourself and drive improvements.
Slogan contest – 86 participants submitted 190 slogans. Additional winners:
• It starts with me
• You’re the most critical asset in compliance
Vision: Ensuring a Sustainable Compliance Program
A sustainable compliance program enables our mission of the reliability and security of the BES. Sustainability requires three critical components: People, Tools, and Governance. We keep it strong via benchmarking, best practices, and continuous improvement.
• People: Communications & Change Management; Training; Culture; Organization Design
• Tools: Controls Framework; Automation & Workflows; Documented Positions; Policies, Processes, & Procedures
• Governance: Program Strategy & Architecture; Relationship Management; Structured Management Processes; Quality Assurance, Metrics, & Investigation
Sustainability: People Component
• Communications & Change Management ensures personnel are informed and prepared as changes occur, and facilitates enterprise-wide collaboration and information sharing
• Training addresses mandated compliance training and instills employees with the skillsets to perform their daily compliance roles and responsibilities
• Culture drives and reinforces desired employee behaviors in order to achieve compliance goals
• Organization Design provides clear accountability and authority, enables consistency, and avoids single points of failure
Sustainability: Tools Component
• Controls Framework defines controls, evidence quality standards, and testing procedures for each requirement and implements controls using an automated solution to support compliance monitoring and reporting
• Automation & Workflows reduces manual efforts through technology, driving efficiency and decreasing potential for errors
• Documented Positions documents, researches, and defends Exelon’s positions on standards and effectively disseminates this information across the enterprise
• Policies, Processes, & Procedures, tailored for CIP, define what work is performed, how, and by whom, and provide consistency at enterprise level while equipping performers via job aids
Sustainability: Governance Component
• Program Strategy & Architecture drives strategy and a common Integrated Model supported by a robust Technical Architecture to achieve compliance in an integrated, cost effective, reliable, and scalable manner
• Relationship Management develops new and enhances existing relationships with vendors, regulators, and industry peers
• Structured Management Processes ensure successful program outcomes through disciplined decision making and management of projects, risks and issues, resources, and information
• Quality Assurance, Metrics & Investigation performs quality assurance and monitoring to proactively identify potential risk areas and ensure program compliance
Deep Dive
How We Approached Culture
Sustainable culture change involves the alignment of strategic objectives, a culture vision and desired behaviors that are reinforced through culture-strengthening activities, referred to as a culture roadmap.
• Strategic Objectives: Established Exelon’s compliance strategic objectives/priorities
• Culture Vision: Defined Exelon’s ideal NERC compliance culture
• Desired Behaviors: Identified desired behaviors to support the culture vision
• Culture Reinforcement Activities (Culture Roadmap): Adjust levers that drive and reinforce desired compliance behaviors
NERC Culture of Compliance Vision
1. We prioritize reliability, security and compliance, from leadership to staff,
and embed them into our everyday business operations to protect the
Bulk Electric System
2. We act with integrity and take individual and collective accountability for
establishing, maintaining and demonstrating compliance with NERC
standards
3. We enable clear understanding of our compliance responsibilities through
open communication, and pursuing learning opportunities
4. We pursue excellence, monitor performance and drive continuous
improvement of our compliance program
5. We collaborate, share best practices and seek diverse perspectives, both
externally (with industry and regulators) and internally (across business
units and functions)
6. We recognize compliance efforts and celebrate outstanding compliance
achievements
Culture of Compliance Prioritization
Compared Exelon’s current NERC CIP compliance culture to its desired future state, uncovering strengths and areas of improvement. Based on the analysis, the following three areas were identified as high priority focus areas for the VIP Culture of Compliance Roadmap.
1. CIP Awareness & Understanding – Need to drive better understanding of standards & linkage to BES security & reliability
2. Accountability & Empowerment – Need to cultivate critical thinking, questioning attitudes and continuous improvement among personnel
3. Compliance Reinforcement – Need for visible leadership support, recognition of accomplishments, stronger measures & reinforcement of compliance in performance management structure
The VIP Culture of Compliance Roadmap activities have been designed to align with and help address the prioritized focus areas.
VIP Culture of Compliance Roadmap Timeline
As illustrated below, we implemented a number of culture building activities during Project and turned over to the Sustain organization.
[Gantt chart: activities from July 2015 to February 2016 across Build / Deliver / Operate phases, each tagged to a focus area (CIP Awareness/Understanding, Compliance Reinforcement, Accountability/Empowerment, Multi Area, Culture of Compliance Gaps). The per-activity phase bars (Develop, Submission / Selection, Nomination, Select / Announce, Rollout, Phase 1 Launch, Phase 2, Update, Transition Period, Deliver) are not recoverable from the extracted text.]
Activities:
• NERC CIP Overview Telestration*
• NERC CIP Slogan Contest*
• VIP Roadshows
• NERC CIP Portal / Resource Consolidation
• Virtual Scavenger Hunt
• NERC CIP Compliance Achievement Award*
• NERC CIP Leadership Toolkit
• Leadership Video
• Thank You App
• NERC CIP Performer Summit
• Manager Webinar
• Print/Digital Awareness Campaign
• VIP Change Agent Network*
• VIP OT Weekly Communications
• NERC CIP Compliance Outlook Mailbox*
NERC Leadership Toolkit Overview
Created a toolkit to promote Exelon’s desired NERC compliance behaviors and reinforce NERC compliance expectations. The toolkit’s four folders and the materials in each are outlined below:
Leadership Toolkit
• Compliance Fundamentals
– NERC CoC Vision
– Desired NERC Compliance Behaviors
– NERC Behavior Demonstration & Reinforcement
– Leadership Reference Materials
• Team Tools
– NERC CIP Overview Telestration Video
– NERC CIP Leadership Video(s)
– NERC Compliance Culture Assessment Exercise
– NERC Moment Samples & Template
– NERC Compliance Pledge
• Recognition Resources
– NERC CIP Compliance Achievement Award Overview
– Thank You App Overview
– Recognition Moments & Appreciation Ideas
• Additional Resources
– CIP Portal Overview
– NERC Compliance Graphics
– Key NERC Compliance Contacts
Toolkit Deep Dive: Compliance Fundamentals
Toolkit Deep Dive: Recognition Resources
Recognition: NERC CIP Compliance Achievement Award
Award Purpose
The NERC CIP Compliance Achievement Award was established to recognize and celebrate individuals and teams that have made outstanding contributions to the CIP compliance program across the enterprise
• Celebrate the achievements of those who have gone above and beyond to safeguard the integrity of our business and position it for continued growth and success
• Encourage innovations that support the seamless incorporation of CIP compliance into everyday work and that reduce costs, enhance security or decrease risk of compliance failures
• Align with Exelon core values: integrity, accountability and continuous improvement
Award Details
Three award cycles completed to date. Averaging 22 nominations per cycle. Winners personally recognized by Exelon Utilities CEO / Chief NERC Compliance Officer
• All NERC CIP program participants are eligible
• Awarded every six months.
• Up to three NERC CIP individuals or small teams will be selected
• Award recipients will be publicly recognized as well as receive a trophy and monetary gift to thank them for their contributions
Toolkit Deep Dive: Team Tools
Team Tools: Pledge Poster from a BGE Location
Team Tools: The NERC CIP Overview Telestration
The NERC CIP Overview Telestration is a short animated video that reinforces the importance of NERC CIP compliance and each individual’s contribution to protecting the Bulk Electric System by adhering to processes and procedures, seeking help when unsure of CIP responsibilities, delivering quality evidence and raising security concerns.
Team Tools: NERC CIP Leadership Videos
In two short NERC CIP Leadership Videos, Denis O’Brien and Sue Ivey discuss the importance of NERC CIP compliance and their compliance expectations. These videos cascade leadership’s message that NERC compliance is a key priority for Exelon.
Video 1: Everyone’s Role in NERC CIP Compliance
Video 2: Striving for Compliance Excellence
Deep Dive
Two of Exelon’s Major Technology Investments
• AssurX
– Controls framework, assessments, formal evidence
– Master Asset list and drives assessment / categorization
– Patch Management (software list, discovery, applicability, installation / mitigation)
– IT Production Change Control
– Interfaces with our asset management systems, configuration control systems, and a patch discovery service
• Access Control & Automation System (ACAS)
– Oracle’s IAM Solution
– Enforces authorization process for all access (electronic, physical, information, shared accounts), including business need, validation of PRA and training, and approvals
– Includes a mixture of role-based access with individual entitlements
– Automates provisioning and de-provisioning for connected systems. Uses workflows for disconnected systems.
– Automates access certification process, identifying discrepancies between actual and authorized lists, and on a quarterly basis confirming business need
  • Near real time discrepancies for connected systems. Monthly process target for disconnected systems
AssurX Compliance Automation Solution
While the Controls Framework is the foundation upon which the Compliance Automation Solution functions, Exelon will rely on automation technology to bring the Controls Framework to life.
Exelon implemented AssurX, a Compliance Automation Solution that provides monitoring, controls and safety nets to ensure sustained NERC CIP compliance at Exelon.
AssurX
• Leverages native workflow capabilities, dashboards, and metrics to improve compliance monitoring capability
• Co-locates data with the controls framework and master asset list
• Enables full traceability to the solution implementing the controls for each specific asset or asset type
• Links data directly to the assets they affect (e.g., patches or change tickets linked to assets)
• Automatically evidences data in a central repository
• Reduces number of enterprise systems
WHY are we using Controls Framework?
Control definitions are established to provide traceability to authoritative requirements so that proper context of the requirement is retained, and to provide common control definitions that can be recognized by an organization’s various risk and compliance functions.
Control Definitions
• Control Objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process
• Control Activities: A practice, procedure, process or mechanism that treats risk and addresses management directives
• Control Assessment Procedures: A process or procedure that is used to determine that a control is in place and functioning properly
Example
NERC Requirement: Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have authorization records.
Control Objective: Verify authorization records at least once every calendar quarter.
Control Activity: 1. Implement alert notifications in ACAS that enable the Compliance Group to initiate quarterly review.
Control Assessment Procedures:
1. Generate a sample of quarterly reviews.
2. Verify if an alert notification is initiated every quarter by the compliance group.
3. Document results of the Control Assessment.
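One way to implement the reconciliation that the ACAS bullets and the control example above describe (actual rights compared against the authorized list, PRA validity and training checked as prerequisites, and a quarterly evidence record showing every active access holder has an authorization record), written here as an added illustration in Python. It is not Exelon's ACAS or Oracle IAM code; the users, systems, dates and the "connected"/"disconnected" source labels are constructed for the example.

```python
"""Access-certification reconciliation (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One entry on the authorized-access list (what the approval workflow granted)."""
    user: str
    access_type: str        # "electronic", "physical", "information" or "shared"
    target: str             # BES Cyber System, PSP or information repository
    business_need: str
    pra_valid_until: date   # personnel risk assessment (PRA) expiry
    training_current: bool  # CIP training completed and not lapsed


@dataclass(frozen=True)
class ActualRight:
    """One right as observed on a system (AD connector pull or attested list)."""
    user: str
    access_type: str
    target: str
    source: str             # "connected" (near real time) or "disconnected" (monthly)


def _key(entry):
    return (entry.user, entry.access_type, entry.target)


def reconcile(actual, authorized, as_of):
    """Compare actual rights against the authorized list as of a given date.

    Returns three lists:
      unauthorized - rights present on a system with no authorization record
      dormant      - authorizations with no matching actual right (clean-up candidates)
      ineligible   - exercised authorizations whose PRA has expired or training lapsed
    """
    auth_index = {_key(a): a for a in authorized}
    actual_keys = {_key(r) for r in actual}
    unauthorized = [r for r in actual if _key(r) not in auth_index]
    dormant = [a for a in authorized if _key(a) not in actual_keys]
    ineligible = [a for a in authorized
                  if _key(a) in actual_keys
                  and (a.pra_valid_until < as_of or not a.training_current)]
    return {"unauthorized": unauthorized, "dormant": dormant, "ineligible": ineligible}


def quarterly_review(actual, authorized, as_of, sources=("connected", "disconnected")):
    """Evidence record for the control 'every individual with active access has an
    authorization record', restricted to rights pulled from the given sources.

    Returns one row per in-scope right plus whether the review passed (no unauthorized rights).
    """
    in_scope = [r for r in actual if r.source in sources]
    findings = reconcile(in_scope, authorized, as_of)
    unauthorized_keys = {_key(r) for r in findings["unauthorized"]}
    rows = [{"user": r.user, "access_type": r.access_type, "target": r.target,
             "source": r.source, "authorized": _key(r) not in unauthorized_keys}
            for r in in_scope]
    return {"as_of": as_of.isoformat(), "rows": rows,
            "passed": not unauthorized_keys,
            "ineligible": [a.user for a in findings["ineligible"]],
            "dormant": [a.user for a in findings["dormant"]]}


# Constructed sample data (not real users, systems or dates).
AS_OF = date(2016, 9, 29)
AUTHORIZED = [
    Authorization("alice", "electronic", "ems-scada-01", "EMS operator", date(2017, 3, 1), True),
    Authorization("bob", "physical", "PSP-control-center", "shift supervisor", date(2016, 6, 30), True),
    Authorization("dave", "shared", "ops-shared-account", "console login", date(2017, 1, 15), True),
    Authorization("erin", "physical", "PSP-substation-7", "relay technician", date(2017, 5, 20), False),
]
ACTUAL = [
    ActualRight("alice", "electronic", "ems-scada-01", "connected"),
    ActualRight("bob", "physical", "PSP-control-center", "connected"),
    ActualRight("carol", "electronic", "ems-historian", "connected"),     # no authorization record
    ActualRight("erin", "physical", "PSP-substation-7", "disconnected"),  # from an attested site list
]

if __name__ == "__main__":
    review = quarterly_review(ACTUAL, AUTHORIZED, AS_OF)
    print("passed:", review["passed"])
    for row in review["rows"]:
        print(row)
    print("ineligible:", review["ineligible"], "dormant:", review["dormant"])
```

Splitting the findings into unauthorized, ineligible and dormant matters for the evidence: only the first is a failure of the quarterly control; an expired PRA or lapsed training on an exercised right is a revocation trigger, and a dormant authorization is a clean-up item that keeps the authorized list from drifting away from reality. Restricting `sources` to "connected" mirrors the near-real-time path; rights that only exist on disconnected systems then appear dormant until the monthly attested list is loaded.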
Control Assessment
Information flow: a Control is tested by a Schedule, which creates an instance of an Assessment, which generates and assigns Tasks, which collect evidence of compliance for Assessable Units.
• Control
– One or many controls are defined for each NERC Requirement
– Defines control activities, assessment procedures, evidence to be collected, location of the evidence
• Schedule
– For each control, one schedule is created per business unit.
– Schedule defines when the assessment needs to be performed and how frequently it should be conducted
• Assessment
– Instance of an assessment is generated as defined in the schedule
– Assessment Owner has the ability to modify the scope of assessment by identifying the evidence owners and approvers
• Tasks
– Tasks are assigned to individuals to provide evidence of compliance
– Uploaded evidence and narratives undergo an approval cycle
• Assessable Unit
– Facility, Devices, Systems, Process, People under the scope of CIP compliance
– Evidence is produced to show the assessable units are in compliance
Controls Assessment Example
Information flow from control to evidence folders (diagram, extracted labels only):
• Control: SSM-PASP-02 [CIP-007_Part1.1]
• Schedule: Schedule Owner? Assessment Owner? Schedule Type? Frequency? Due Date? Business Unit(s)?
• Assessments: Q1, Q2, Q3, Q4
• Tasks (per assessment): Assignee? Approver?
• Evidence Folders: T1, T2, T3 per assessment, each holding Evidence and Narratives
ACAS Conceptual Design
Corporate Network
• Learning Management System – Training Data
• Human Resources System – User Data
• Corporate Active Directory – Authenticates
• ACAS – Provisions CIRs; Actual Rights; Provision / De-Provision Electronic & Physical
• RPN – RPN Assets / Services, e.g. Antivirus, Backup
Protected Zones (each BU)
• BU ACAS Connector Server
• BU Network AD
• AD Connected Assets – Connected BU NERC CIP Assets, e.g. SCADA servers, apps, database
• Disconnected BU Assets, e.g. RTUs
Key Takeaways
• The mission is the Reliability and Security of the BES. Compliance is an
enabler of this mission.
• Individuals have the best of intentions to comply, but need the structures
and tools to equip them to be successful and effective.
• A compliance program itself can have vulnerabilities, and applying layers of
protections to strengthen it and the people who execute it is key.
Thank You!
Appendix
CIP Road Shows
• Interactive sessions in Exelon’s major cities to engage CIP stakeholders in sharing information and best practices.
• Culture building with stakeholders who walked the red carpet and hung their star in the hall of fame.
Innovation Expo Culture Dialog
• Expanded the program’s dialog on culture to an Exelon-wide event called the Innovation Expo.
• Included a free-standing wall that asks each attendee to add one thought or idea to the dialog on driving culture.
Strong Focus on Communications and Change Management
• Regular communications vehicles:
– Weekly Spotlight Newsletter (250+ audience)
– Weekly CIP of Compliance focused on the OT Community (2,500+ audience)
– Weekly Execution Digest (4,500+ audience) during the final 5 weeks
• Change Agent Network with 30+ participants
• Change Impact Summaries and Responsibility Guides for change impacts
Internal Controls: A Case Study
Erik Johnson – Manager Entity Development, RF
What Are We Talking About?
• Internal Controls: Processes that provide assurance that objectives are achieved
‒ Enables Issue Spotting for Individual Standards
• Management Practices: Groupings of common functional activities
‒ Enables Issue Spotting Across Multiple Standards
‒ Facilitates Continuous Improvement
‒ Sustainability
• Maturity Models: Tools that assess process and implementation effectiveness
‒ Sustainability
‒ Forward-Looking and Big Picture (“Journey not a destination”)
‒ Enables Issue Spotting
‒ Facilitates Continuous Improvement
RF Did Not Invent the Wheel
RF Utilizes a Maturity Model Approach to Its Evaluations
• Common Groupings of commonly recognized Management Practices
• Facilitates transparency and repeatability
• Pragmatic and simple
• Indoctrinate organizational practices for continuous improvement, efficiency and sustained success
RF’s Approach is Nothing New – Maturity Models regularly utilized to help drive Operational Excellence
• ES-C2M2: Cybersecurity Capability Maturity Model utilized by the DoE
• CERT-RMM: CERT Resilience Management Model utilized by the Software Engineering Institute and Carnegie Mellon University
• CMMI: Capability Maturity Model Integration used across various industries within organizations (NASA, Lockheed Martin, Microsoft, Motorola, etc.)
RF’s Approach
Types of Evaluations
Image from: http://www.raps.org/Regulatory-Focus/News/2015/03/23/21786/The-Tip-of-the-Iceberg-What-Lurks-Beneath-the-483/
• Compliance Focus – NERC ICE guide – short time horizon (audit-to-audit focus)
• Identified Risk Focus – ERO identified or Entity identified – medium time horizon
• Continuous Improvement + Operational Excellence Focus – long time horizon
EVALUATION OF ARTIFACTS PROVIDED BY AN ENTITY AGAINST MANAGEMENT PRACTICES AND THERMOMETERS
ICE Principles
The acceptance and adoption of the ICE process in organizations making up the BES is highly dependent upon each Registered Entity’s perception of the value and importance of the ICE program. To accomplish this goal, Internal Control Evaluations need to be conducted with integrity and consistency, and produce high-value results for the evaluated RE. For this reason, ICE Evaluation teams incorporate and uphold these evaluation principles:
1. Focus on the RE’s business objectives
2. ICE Evaluation environment
3. Collaborative learning environment
4. Evaluation team decisions
5. Evaluations are a “snap-shot” of the current state
6. Artifact-based objectivity
Interview Process
Transparent Process
• Instant feedback
‒ Genuine interest
• No private notes
• No secret caucuses
Interview
• Sub Team
• Full Team (as necessary)
Sharing Results for Consideration
The Evaluation team reviews artifacts, practices, and procedures to estimate the implementation level (%) of identified internal controls.
Implementation Levels
Maturity levels are based on predetermined levels in C2M2 and CERT-RMM
It’s your turn
Management Practice Information
IMPLEMENTATION BREAKOUT SESSION – 20 MINUTES
Examples of Risks not covered in Standards
Catastrophic Weather Response
• Outside of existing black start standards
Patch Risk implications to implementation schedule
• No determination of vulnerability severity in implementation plan
Value Statement
The Engagement will identify preventive, detective, and corrective controls around standards, risks, or operations (as elected)
All Engagements will answer:
• How well are those controls documented, trained, and implemented? (Implementation Level)
• Are you only successful because of individual high-performers?
• Is your success sustainable?
Engagements around risks and operations will facilitate:
• Roadmap on opportunities for improvement (what processes to mature; controls to further develop or add)
• Effective management of workforce and work across business units
• Motivated workforce and operational efficiencies
• Elevate focus from compliance to Operational Excellence
Not rate making, or market development excellence… it is ensuring a secure, reliable, resilient BES !!!
What Drives You?
Questions & Answers
Technology Roundtable, Low Impact & V5 Compliance Metrics
Tobias Whitney, Manager of CIP Compliance
Reliability First Fall V5 Workshop
RELIABILITY | ACCOUNTABILITY
Purpose
• Industry opportunities exist to research and deploy new technologies that could improve the reliable operations of the Grid.
• The mystique of the CIP standards may have discouraged the investment and innovation of BES technologies for fear of compliance risk and cyber exposure.
• NERC’s Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.
Emerging Technologies
• Cloud Computing
‒ Big Data analysis for preventive solutions
• Renewables + New Registration Paradigms
‒ New Generation Owner/Operators’ diffuse operations could impact the BES
• IEC 61850
‒ Substation network solutions
• Remote Access (FERC mandated)
‒ Due July 2017
• Virtualization (Standards Development)
‒ Servers, networks and storage
Emerging Technologies
• Microgrids
‒ Risk-based analysis of load centers
• Industrial Wireless Network Communications Technologies
‒ Point-to-point, local area wireless and unlicensed radio
• Distribution Management Systems
‒ GIS, outage management and increased operational intelligence for smart-metered load centers
• End of Life Systems
‒ Assess the vulnerability of unsupported production cyber assets
• Support Systems
‒ Understanding VOIP, UPS and building automation systems
Approach the Topic
Tech Seminar
• Invite vendors and industry stakeholders for a one-day discussion on the solutions
• Identify volunteers for whitepaper development
Coordinated White Paper
• Coordinate white paper with CIPC (primarily) with support from OC and PC
• Publish draft paper for comments as part of the Section 11 Process
• Industry webinar to spotlight results
Call for Pilots
• Link interested stakeholders with research agencies
• Publish lessons learned for industry comments
NERC Team
• Technology Risk Assessment
• Security
• Operations
• Regulatory
Each Topic’s SWOT
• Strengths (reliability benefits)
• Weaknesses (current drawbacks)
• Opportunities (external factors)
• Threats (Security & Regulatory)
Technology Risk
• First Technology Roundtable will be held in Atlanta on November 14th & 15th
• Cloud Computing
‒ Operational and reliability improvement case
‒ Common Architecture
‒ Security and Regulatory Considerations
• IEC 61850
‒ Operational and reliability improvement case
‒ Architecture
‒ Security and Regulatory Considerations
• Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.
What is the Implementation Timeframe for Low Impact?
NERC Small Group Advisory Sessions Low Impact Webinar
September 14, 2016
Agenda
• Implementation Plan Language
• Already required as of 7/1/2016
• Required on 4/1/2017
• Required on 9/1/2018
Implementation Plan Language – V5
Proposed Effective Date for Version 5 CIP Cyber Security Standards
Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 as follows:
1. 24 Months Minimum – The Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.
2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees’ approval, and CIP-003-5 R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees’ approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
Implementation Plan Language – V6
Effective Dates (for CIP Version 6)
The effective dates for each of the proposed Reliability Standards and NERC Glossary terms are provided below. Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The compliance date for those particular sections represents the date that entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date.
1. CIP-003-6 — Cyber Security — Security Management Controls
Reliability Standard CIP-003-6 shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Where approval by an applicable governmental authority is not required, the standard shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date the standard is adopted by the NERC Board of Trustees, or as otherwise provided for in that jurisdiction.
Compliance Date for CIP-003-6, Requirement R1, Part 1.2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R1, Part 1.2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Requirement R2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 1
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 1 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 2 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 3
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 3 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 4
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 4 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
• FERC approved CIP V5 on November 22, 2013, with an effective date of the order of February 3, 2014 (based on publication in the Federal Register), making CIP V5 effective April 1, 2016
• FERC approved the CIP V6 changes on January 21, 2016, with an effective date of the order of March 31, 2016 (based on publication in the Federal Register), making the V6 changes effective July 1, 2016
• FERC action on February 25, 2016 aligned all CIP V5 & V6 compliance dates to July 1, 2016
FERC Effective Dates
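The quarter and month arithmetic in the V5 and V6 implementation-plan language above, applied to the FERC order dates on this slide, as an added Python example that is not part of the NERC or ReliabilityFirst material. Counting "calendar quarters after" from the quarter that contains the order date, and the day-clamping in add_months, are this example's reading of the plan text; the V5 result (April 1, 2016) is the plan date before the February 25, 2016 FERC alignment to July 1, 2016.

```python
from datetime import date

# Added example, not from the NERC/ReliabilityFirst slides. It applies the
# implementation-plan wording ("first calendar day of the ninth calendar
# quarter after ...", "nine calendar months after ...") to the FERC order
# effective dates the slides state. Counting quarters from the quarter that
# contains the order date is this example's reading of the plan language.

def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to the month's last day."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))

def quarter_start(d: date) -> date:
    """First calendar day of the calendar quarter containing d."""
    return date(d.year, 3 * ((d.month - 1) // 3) + 1, 1)

def nth_quarter_after(d: date, n: int) -> date:
    """First calendar day of the n-th calendar quarter after the one containing d."""
    return add_months(quarter_start(d), 3 * n)

def quarter_start_on_or_after(d: date) -> date:
    """First day of the first calendar quarter that begins on or after d."""
    qs = quarter_start(d)
    return qs if qs == d else add_months(qs, 3)

# V5 plan (slide "Implementation Plan Language – V5")
def cip_v5_effective(order_effective: date) -> date:
    return max(date(2015, 7, 1), nth_quarter_after(order_effective, 9))

def cip_003_5_r2_effective(order_effective: date) -> date:
    return max(date(2016, 7, 1), nth_quarter_after(order_effective, 13))

# V6 plan (slide "Implementation Plan Language – V6")
def cip_003_6_effective(order_effective: date) -> date:
    three_months_on = add_months(order_effective, 3)
    return max(date(2016, 4, 1), quarter_start_on_or_after(three_months_on))

def cip_003_6_section_date(standard_effective: date, floor: date) -> date:
    """Section compliance date: later of the stated floor or nine calendar
    months after the standard's effective date."""
    return max(floor, add_months(standard_effective, 9))

# FERC order effective dates from the "FERC Effective Dates" slide.
V5_ORDER_EFFECTIVE = date(2014, 2, 3)
V6_ORDER_EFFECTIVE = date(2016, 3, 31)

if __name__ == "__main__":
    v5 = cip_v5_effective(V5_ORDER_EFFECTIVE)      # 2016-04-01 under the plan
    v6 = cip_003_6_effective(V6_ORDER_EFFECTIVE)    # 2016-07-01 under the plan
    print("CIP V5 effective (before FERC alignment to 7/1/2016):", v5)
    print("CIP-003-5 R2 effective:", cip_003_5_r2_effective(V5_ORDER_EFFECTIVE))
    print("CIP-003-6 effective:", v6)
    print("CIP-003-6 R2 compliance:", cip_003_6_section_date(v6, date(2017, 4, 1)))
    print("CIP-003-6 Att. 1 Sec. 2 compliance:", cip_003_6_section_date(v6, date(2018, 9, 1)))
```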
Already Required as of 7/1/2016
• CIP-002-5.1
• CIP-003-6 Requirement R3
• CIP-003-6 Requirement R4
• There were no changes to CIP-002-5.1 done as part of the CIP V6 SDT effort
The approved CIP V5 Implementation Plan therefore remained unchanged for CIP-002-5.1
• CIP-002-5.1:
CIP-002-5.1 Requirement R1 requires identification of all high impact BES Cyber Systems, medium impact BES Cyber Systems, and identifying “each asset that contains a low impact BES Cyber System”
CIP-002-5.1 Requirement R2 requires that the process be repeated at least every 15 calendar months, and that the CIP Senior Manager approve the identifications made under Requirement R1
• CIP-003-6 Requirement R3
Requirement R3 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)
Requires the identification of a CIP Senior Manager
CIP Senior Manager must approve the identifications made in CIP-002-5.1, Requirement R2
• CIP-003-6 Requirement R4
Requirement R4 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)
Requires the creation of a documented process to delegate the approvals of the CIP Senior Manager, unless no delegations are used.
CIP-002-5.1 approvals may be delegated
Required on 4/1/2017
• CIP-003-6 Requirement R1, Part 1.2
• CIP-003-6 Requirement R2, Attachment 1, Section 1
• CIP-003-6 Requirement R2, Attachment 1, Section 4
• CIP-003-6 Requirement R1, Part 1.2
Requires the creation of cyber security policies for:
1. Cyber security awareness
2. Physical security controls
3. Electronic access controls for Low Impact External Routable Connectivity [Communications] (LERC) and Dial-up Connectivity
4. Cyber Security Incident Response
Must be approved by the CIP Senior Manager (no delegation allowed)
• CIP-003-6 Requirement R2, Attachment 1, Section 1
Requires that each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).
• CIP-003-6 Requirement R2, Attachment 1, Section 4
Requires that each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.
• Note:
In order to properly develop policy (Section 1) and incident response (Section 4), physical (Section 2) and electronic (Section 3) access control procedures (i.e., the controls to be implemented) need to be initially developed, but they will not themselves be subject to audit
Required on 9/1/2018
• CIP-003-6 Requirement R2, Attachment 1, Section 2
• CIP-003-6 Requirement R2, Attachment 1, Section 3
• CIP-003-6 Requirement R2, Attachment 1, Section 2 (draft language)
Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.
• CIP-003-6 Requirement R2, Attachment 1, Section 3 (draft language)
Electronic Access Controls: Each Responsible Entity shall:
3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s).
3.2 Implement authentication for all Dial‐up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.
• All physical and electronic access control protections must be in place at all assets containing low impact BES Cyber Assets or BES Cyber Systems by 9/1/2018
CIP Violations (as of July 1, 2016)