NERC CIP Compliance Program Design, Implementation


NERC CIP Compliance Program Design, Implementation & Controls, and Metrics & Measurements
Tuesday, February 25, 2014, 1:15PM - 2:45PM
Jerome Farquharson
Email: jfarquharson@burnsmcd.com
Phone: 314.737.2744
Compliance & Infrastructure Protection, Burns & McDonnell Engineering Company Inc.

Agenda
- Presenters
- Purpose
- NERC CIP Program Design
- NERC CIP Program Implementation & Controls
- NERC CIP Program Metrics & Measurements
- Final Q&A

www.burnsmcd.com
Engineering, Architecture, Construction, Environmental and Consulting Solutions
2014 Burns & McDonnell

Presenters
Jerome Farquharson – Leader of Burns & McDonnell’s Saint Louis Security Practice, CISSP, CRISC
Leader of Burns & McDonnell’s Saint Louis security practice. He leads with a multi-disciplined background of cyber and physical security, information systems and business advisory consulting in all areas of NERC CIP Compliance. Mr. Farquharson is an experienced Security Network Engineer with 21 years IT experience that includes experience in Network Design Implementation, Support and Troubleshooting of CISCO Routers, Switches, Firewalls, VPN Devices, Intrusion Detection Systems and network management systems.

Presenters
Ingrid Rayo – Sr. Compliance Analyst
Ms. Rayo is a NERC CIP Compliance Program Consultant assisting clients in developing a solid, sustainable NERC CIP Program, which included a Sabotage Reporting Procedure, Cyber Security Policy, Internal Compliance Program, and other required policies, procedures, and processes associated with CIP-003 through CIP-009 for versions 2 and 3. She has developed a CIP organizational structure conducive to the entity’s size and registration; conducted audit and spot check preparation activities, such as SME workshops, Mock Audits, pre-audit assessments and evidence staging; and drafted Technical Feasibility Exceptions for cyber assets that could not comply with CIP-005 and CIP-007 requirements.

Purpose
Understanding the operational environment, depth of CIP knowledge of operations staff and availability of compliance tools is critical for designing an implementable NERC CIP Compliance Program.
As such, an engineering operations centric design that focuses on key “pillars” of compliance: Processes, People, Systems and Documents can lead to a successful implementation of a compliance program in Substations and Power Plants. We will discuss actual implementation of meeting CIP compliance.

NERC CIP Program Design

NERC CIP Program Design
Pillars of Compliance
- Compliant Process
- Compliant People
- Compliant System
- Compliant Documentation

Pillars of Compliance
[Diagram: GOVERNANCE AND ENFORCEMENT over NERC CIP Compliance, pillars resting on DOCUMENTS; pillar labels not recovered]

Compliant Process
- Ensure NERC CIP Requirements are integrated into all business activities
- Collect evidence at each logical break or transition in a business process
Example: Prior to commissioning cyber asset
- Disable Factory Accounts
- Disable Unneeded Ports and Services
- Configure Log Collection
- Document Security Test Procedures (for new devices)

Compliant Process
[Diagram: business process flow with Evidence Collection Stops and Configuration Management Checks]

Compliant People
Define and Periodically Reinforce
[Diagram]

Compliant People
- Develop compliance program w/ SMEs
- Training
  - Keep it simple
  - Make it relevant
  - Show benefits and consequences
- Hire CIP Staff with at least two subject areas:
  - Utilities Operations
  - Cyber Security
  - Audit and Compliance

Compliant Systems
Ensure systems support compliance
- Asset Management System: CIP-002, CIP-005, CIP-007, and CIP-009 compatible
- Change and Configuration Management System: CIP-010
- Learning Management System: CIP-004 compatible
- Document Management Systems: CIP Hierarchy compatible

Compliant Documents
[Diagram]

Compliant Documents
Documentation Responsibilities:
[Diagram]

NERC CIP Program Implementation & Controls
- Implementation
- Collaboration
- Cohesiveness
- Transparency
- Controls – Business Operations
- Controls – Evaluate
- Controls – Internal Audits
- Risk Management

Implementation
- Create and improve compliance knowledge and understanding
- Integrate compliance “as part of the job”
- Promote a culture committed to “Excellence”. Do not focus on the minimum.
- Establish an education and outreach program
- Lead by example

Implementation
- Develop a culture of accepting change
- Use effective communication opportunities
  - Employee (Staff) Meetings
  - Lessons Learned
  - On the Job (role) Training (OJT)
  - Lunch and Learn
- Take the show on the road
  - Plant Engineers / Operators / Technicians
  - Substation Engineers / Operators / Technicians
  - Control Room Supervisors and Operators
  - Corporate and Office support personnel

Implementation
[Diagram: Cyber Assets – NERC Compliance; Compliance Audit Ready; Critical Infrastructure Protection; Functional Business Operations; Cohesiveness, Collaboration and Transparency]

Collaboration
- Create CIP Board with representation from each affected Business Unit
- Identify SMEs for each Business Unit/Dept.
  - Control Systems
  - Plant/Substation Assets
  - Corporate Security
  - Information Technology
- Relieve compliance burden from SMEs by providing compliance support staff for:
  - Interpretation, guidance, and administration
  - Evidence collection and RSAW preparation
  - Education and training

Cohesiveness
- Educate and empower identified SMEs
- Establish common methodologies with SMEs and each department’s:
  - Processes
  - Systems
  - People
  - Documentation
  - Methodology
- Define and establish CIP specific job roles and responsibilities
- Create compliance and cyber security glossary (Ex: Ports & Services, Account Management, Access Request)

Transparency
- Educate on compliance activities
  - Equipment
  - Personnel
- Build upon integrity and openness - “nothing to hide”
- Clearly determine what evidence is necessary for compliance
- Speak and communicate using conforming Utility Operations Language
- Ownership and accountability

Business Operations
- Bring technical experts along, interview SMEs
- Assess Business Operations vs. CIP Policies, Processes and Procedures
- Evidence collection (Work Forms, Work Tasks, Asset Inventory Details, etc.)
- Establish compliance enhancement or corrective action plans for integration; then execute

Evaluate
Use real scenarios to evaluate compliance
Assets
- Change and Configuration Management
- Commissioning and Decommissioning
- Recovery and Incident Response
- Access Management (Physical and Electronic)
- Information Management
Personnel
- PRAs
- Access Requests
- Role Specific Training and Security Awareness
- Access Removal

Internal Audit
- Involve internal auditors (Compliance Expertise)
- Identify and foster levels of authority thru CIP Board
- Perform random and unannounced spot checks

Internal Audit
- Highlight Business Unit’s “Best Practices”
- Reward by recognition
- Establish and publish internal compliance dashboard
- Seek and accept relevant feedback

NERC CIP Program Metrics & Measurements
- Understand the Purpose of Metrics
- What are Metrics and Measures
- Building Metrics
- Developing Metrics
- Metric Attributes
- Metric Examples (Process, People, System, Documents)

Tried and True Adage
Adversaries attack the weakest link.
Where is your weakest link?
- People
- Processes
- Systems
- Documents
Metrics will help you identify your weaknesses!

Purpose of Metrics
- Measure the effectiveness of CIP Program
- Monitor progress toward goals
- Expose non-conformance to processes
- Catalyst for improvement to and enhancement of the CIP Program
- Valuable insight which can impart a level of comfort with regard to compliance

Why
A metric is a standard of measurement.
Various types of metrics:
- Strategic
- Performance
- Operational
- Compliance
- Cyber security technical
Blended use of these different metrics depicts the effectiveness of a compliance program.

Building Metrics
[Diagram; slide content not recovered]

Developing Metrics
1. Define metrics based on goals and objectives
2. Implement metrics in a manner that encourages the utilization of appropriate tools
3. Monitor established metrics frequently
4. Assess goals and objectives based on monitoring activity
5. Constantly communicate and educate all stakeholders

Metric Attributes
[Diagram of metric attribute fields; only the labels Strength and Protocol were recovered]

Process Metric Example: ESP Accessibility Count
Pillar: Processes
Domain: Access
Purpose: Determine & minimize the number of Access Points to an ESP
Protocol: CIP-005 Electronic Access Point policy requires business units to minimize the number of communication channels into an Electronic Security Perimeter.
Risk: Minimizing the number of access points reduces accessibility risks.
Unit: Device Count (Total number of Access Points)
Strength & Weakness: Strength: Identify potential attack paths. Weakness: Necessity of numerous ESP access points isn’t consistent.
Data: Network scan results, network configuration, and ESP diagram
Collection Process: Utilize approved network scanning tools, only if operations will NOT be impacted, to identify electronic access points. Review current version of the ESP diagram(s).
Tool(s): Approved Network Scanner (Nmap)
Frequency: Monthly
Goal: Less than 5 Electronic Access Points to a single ESP

People Metric Example: Tailgating Count
Pillar: People
Purpose: Determine and minimize the number of tailgating incidents
Domain: Physical Security
Protocol: CIP-006 Control Center Physical Security policy requires each Control Center Employee, including Contractors, to present appropriate credentials at each physical entry portal to the Control Center floor before entering. Employees are prohibited from allowing other individuals to enter the Control Center without appropriate authorization.
Risk: Eliminating tailgating activities reduces physical accessibility risks.
Unit: Incident Count (Total number of tailgating incidents from Corporate Security)
Strength & Weakness: Measurable by review of video feed and self-reports. All incidents may not be properly captured, lending to the metric weakness.
Data: Video Recordings and physical security door logs depicting open portals greater than 15 seconds.
Collection Process: Request video feed & portal logs for 30 day span from previous review. Using the portal logs, extract the entry attempts that exceed 15 seconds. Review the coinciding video feed for the identified access attempts longer than 15 seconds to ensure that only ONE authorized BMcD Employee/Contractor entered the Control Center.
Tool(s): Video Player
Frequency: Monthly
Goal: Zero Tailgating Incidents

System Metric Example: Unapproved Completed Changes
Pillar: System
Domain: Change Control
Purpose: Determine the number of changes made to cyber assets without the appropriate approvals in the Change and Configuration Management System.
Protocol: CIP-003 Change and Configuration Management System Policy; Cyber Asset Change Management Process; Change and Configuration Management System Workflow
Risk: Reducing the number of unauthorized changes reduces reliability risks.
Unit: Incident Count (Total number of unauthorized changes completed)
Data: Change Request records from the Change Management System
Collection Process: Audit the completed and closed change request tickets and ensure the proper approvals were obtained before the change was implemented.
Tool(s): Change Management System
Frequency: Monthly
Goal: Zero unauthorized changes
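As an added illustration (not code from the presentation or from Burns & McDonnell), the collection steps of the two monthly metrics above reduced to a script: pulling the portal-log entries held open longer than 15 seconds for video review, and flagging closed change tickets with no approval dated before implementation. The portal-log CSV layout and the ticket fields are assumptions, and the records are constructed samples.

```python
"""Metric extraction for the tailgating and unapproved-change examples.
Added illustration, not Burns & McDonnell code; the portal-log CSV layout and
the ticket fields are assumptions, and all records below are constructed."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
TAILGATE_THRESHOLD = timedelta(seconds=15)  # "open portals greater than 15 seconds"

# Constructed portal log: one open/close cycle per line, "portal,opened,closed,badge".
PORTAL_LOG = """\
CC-DOOR-1,2014-02-03 07:58:02,2014-02-03 07:58:06,B1042
CC-DOOR-1,2014-02-03 08:01:10,2014-02-03 08:01:33,B2211
CC-DOOR-2,2014-02-03 12:15:40,2014-02-03 12:15:55,B1042
CC-DOOR-2,2014-02-03 16:40:00,2014-02-03 16:40:21,B3090
"""

def portal_review_candidates(log_text, threshold=TAILGATE_THRESHOLD):
    """Return (portal, badge, seconds_open) for each entry held open longer than
    the threshold. These are the attempts whose video must be reviewed; the
    tailgating count comes from that review, not from this list. An entry held
    open for exactly the threshold is not a candidate ("greater than")."""
    candidates = []
    for line in log_text.splitlines():
        portal, opened, closed, badge = line.split(",")
        held = datetime.strptime(closed, FMT) - datetime.strptime(opened, FMT)
        if held > threshold:
            candidates.append((portal, badge, int(held.total_seconds())))
    return candidates

# Constructed closed change tickets; approved_at is None when no approval was recorded.
CHANGE_TICKETS = [
    {"id": "CHG-1001", "asset": "RTU-07", "approved_at": "2014-02-03 09:00:00",
     "implemented_at": "2014-02-04 10:30:00"},
    {"id": "CHG-1002", "asset": "HMI-02", "approved_at": None,
     "implemented_at": "2014-02-05 14:12:00"},
    {"id": "CHG-1003", "asset": "FW-EAP-1", "approved_at": "2014-02-07 11:05:00",
     "implemented_at": "2014-02-06 22:40:00"},  # approved only after the change
]

def unapproved_completed_changes(tickets):
    """Return ids of tickets implemented without a prior approval: no approval
    record at all, or an approval timestamped after the implementation."""
    unapproved = []
    for t in tickets:
        if t["approved_at"] is None:
            unapproved.append(t["id"])
            continue
        approved = datetime.strptime(t["approved_at"], FMT)
        implemented = datetime.strptime(t["implemented_at"], FMT)
        if approved > implemented:
            unapproved.append(t["id"])
    return unapproved
```

The portal function yields the review list only; the metric value is the count of confirmed incidents after the video review, while the change function's list length is the unapproved-change count directly.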

Document Metric Example: Approved Revisions
Pillar: Documents
Domain: Administrative Control
Purpose: To determine if the current process has been documented and approved.
Protocol: Corporate Document Maintenance Program
Unit: Occurrence Count (Number of documents posted but not approved)
Data: Document Repository Items
Collection Process: Review the compliance documents in the document repository and ensure they have been approved.
Frequency: Quarterly
Goal: Zero Occurrences

Discussions
Send Questions and Comments to Cybersercurity@burnsmcd.com
Thank You!

