NERC CIP - United States Energy Association


NERC CIP Cybersecurity Standards and Best Practices: Part 1 - US Standards (NERC CIP)
Speakers:
- Tim Conway – SANS Institute – Instructor
- Dean Parsons – Herjavec Group – SANS Certified Instructor
SANS ICS sans.org/ics

Agenda
- Critical Infrastructure Protection
- NERC CIP Basics
- CIP Best Of
- CIP Lessons Learned and Fails

NERC CIP: CIP Basics

Goals of this session
- Capture a dialog across individuals who have designed, implemented, managed and maintained various Standards programs
- Educate on challenges
- Capture lessons learned
- Provide guidance on how to move forward
- Attempt to stop Standards explosion for each implementation

What Is NERC CIP?
Requirements designed to ensure physical and electronic security of Cyber Assets required for operating North America's BES.

Current CIP Standards in Effect *
Standard - Version   Standard Name
CIP-002-5.1          BES Cyber System Categorization
CIP-003-8            Security Management Controls
CIP-004-6            Personnel & Training
CIP-005-6            Electronic Security Perimeter(s)
CIP-006-6            Physical Security of BES Cyber Systems
CIP-007-6            System Security Management
CIP-008-5            Incident Reporting and Response Planning
CIP-009-6            Recovery Plans for BES Cyber Systems
CIP-010-3            Configuration Change Management and Vulnerability Assessments
CIP-011-2            Information Protection
CIP-012-1            Communications Between Control Centers
CIP-013-1            Supply Chain Risk Management
CIP-014-2            Physical Security

CIP-002 Scoping Standard
- Identify in-scope sites:
  - Control Centers and Backup Control Centers
  - Transmission substations
  - Generation resources
  - Systems and facilities critical for grid restoration, including blackstart generation and cranking paths
  - Remedial Action Schemes
- Determine in-scope BES Cyber Assets

CIP-003 Policy and Governance
- Establishes CIP Senior Manager requirements and identifies required policies for High and Medium:
  - 1.1 Personnel & training (CIP-004)
  - 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access
  - 1.3 Physical security of BES Cyber Systems (CIP-006)
  - 1.4 System security management (CIP-007)
  - 1.5 Incident reporting and response planning (CIP-008)
  - 1.6 Recovery plans for BES Cyber Systems (CIP-009)
  - 1.7 Configuration change management and vulnerability assessments (CIP-010)
  - 1.8 Information protection (CIP-011)
  - 1.9 Declaring and responding to CIP Exceptional Circumstances
- Low Requirements: also identifies four / six required policies and plans for Lows:
  - Cyber security awareness
  - Physical security controls
  - Electronic access controls
  - Cyber Security Incident response
  - Malicious code risk mitigation for Transient Cyber Assets & Removable Media
  - Declaring & responding to CIP Exceptional Circumstances

CIP-004 Personnel Management
- Establishes required personnel quarterly security awareness training and annual training requirements for those with access
- Requirements for entities to perform Personnel Risk Assessments and background checks
- Electronic and Physical access control reviews and authorization verification, as well as timely revocation when necessary

CIP-005 Electronic Security Perimeter
- Establishes electronic perimeters around BES Cyber Systems
- Defines requirements around External Routable Connectivity and allowed communications
- Also addresses requirements around remote access to BES Cyber Systems

CIP-006 Physical Security Perimeter
- Establishes physical perimeter around BES Cyber Systems
- Provide monitoring and alerting of unauthorized access
- Establish visitor escort and control program

CIP-007 System Security Management
- Harden and manage in-scope BES Cyber Assets:
  - Ports and Services – logical and physical
  - Security Patch Management – identify, apply, or mitigate
  - Malicious Code Prevention – mitigate threat of malicious code
  - Security Event Monitoring – log, alert, and review
  - System Access Control – account and password management

CIP-008 Incident Response
- Requires an incident response plan
  - Identify, classify, and respond to Cyber Security incidents
  - Reporting requirements for RCSI
- Test and update the incident response plan

Change is Coming
- Report compromise, or attempt to compromise, the ESP or associated EACMS
- Require minimum reporting detail
- Reporting timeline
- Reporting to DHS as well as E-ISAC
- NERC to develop summary reports to FERC

CIP-009 Recovery Plans for BES Cyber Systems
- Requires BES Cyber System recovery plans
  - Backup capability of information necessary to restore BES Cyber Assets
  - Verification that backups performed are valid
- Test and update the recovery plans

CIP-010 Change Management
- Develop baselines for BES Cyber Systems
  - Operating system or firmware
  - Commercial and open source software intentionally installed
  - Logical network accessible ports
  - Security patch level
- Test and verify changes do not affect security controls
- Monitor for unauthorized changes to baseline
- Perform vulnerability assessments
- Transient Cyber Asset and Removable Media requirements
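As an added example (not part of the slides or any NERC tooling), a small Python check that models the four CIP-010 baseline elements listed above, plus the CIP-007 ports-and-services view of the same asset, and reports deviations from the approved baseline that are not explained by an authorized change record. The asset values, software names and change ticket are constructed.

```python
"""Baseline deviation check over the CIP-010 R1 baseline elements (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    os_firmware: str       # operating system or firmware
    software: frozenset    # intentionally installed software as (name, version)
    ports: frozenset       # logical network accessible ports as (proto, port)
    patch_level: str       # security patch level


@dataclass
class Deviation:
    element: str
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)


def diff_baseline(approved, observed, authorized_changes=()):
    """Return deviations of observed from approved, skipping any value that an
    authorized change record (element, value) covers."""
    allowed = set(authorized_changes)
    out = []
    for element in ("os_firmware", "patch_level"):        # scalar elements
        a, o = getattr(approved, element), getattr(observed, element)
        if a != o and (element, o) not in allowed:
            out.append(Deviation(element, added={o}, removed={a}))
    for element in ("software", "ports"):                 # set-valued elements
        a, o = getattr(approved, element), getattr(observed, element)
        added = {v for v in o - a if (element, v) not in allowed}
        removed = {v for v in a - o if (element, v) not in allowed}
        if added or removed:
            out.append(Deviation(element, added, removed))
    return out


# Constructed sample: an HMI baseline from the last review, then a later observation.
APPROVED = Baseline("Windows Server 2016",
                    frozenset({("HMI Runtime", "7.2"), ("AV Agent", "12.1")}),
                    frozenset({("tcp", 3389), ("tcp", 443)}), "KB-2020-06")
OBSERVED = Baseline("Windows Server 2016",
                    frozenset({("HMI Runtime", "7.2"), ("AV Agent", "12.3"), ("RemoteTool", "1.0")}),
                    frozenset({("tcp", 3389), ("tcp", 443), ("tcp", 5900)}), "KB-2020-06")
# Constructed change ticket: only the AV Agent upgrade was authorized.
CHANGE_TICKET = [("software", ("AV Agent", "12.3")), ("software", ("AV Agent", "12.1"))]

if __name__ == "__main__":
    for d in diff_baseline(APPROVED, OBSERVED, CHANGE_TICKET):
        print(f"{d.element}: added={sorted(d.added)} removed={sorted(d.removed)}")
```

The unauthorized items that surface (a new tool and a new listening port) are exactly what the "monitor for unauthorized changes to baseline" bullet asks a program to catch between the 35-day baseline reviews.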

CIP-011 Information Protection
- Process to identify BES Cyber System Information and protect it from unauthorized access
  - During data storage
  - Data transit
  - Data use
- Process for disposal or sanitization

CIP-012 Communications between Control Centers
- Response to FERC directive in Order 822 to protect sensitive BES data and communications links between Control Centers
- Currently NERC BOT approved, pending FERC approval
- Intended focus could be confusing with the use of capital "C" Control Centers

CIP-013 Supply Chain (* 7/1/2020)
- Develop supply chain risk management plans
- Addressing identifying and assessing risk when procuring / transitioning
- Vendor incident / breach / vulnerability notification
- Software integrity and authenticity requirements
- Vendor remote access

CIP-014 Physical Security
- Perform Substation Risk Assessments
- Required Third-Party Verification of BES Reliability assessments
- Perform a physical security threat evaluation
- Required Third-Party Verification of physical security assessments

Asset Owner Perspective

NERC CIP: CIP Best Of

Defined Authority (diagram)
- US Executive Branch
- Department of Energy
- FERC – Independent Commission; quasi-judicial branch; supported by DOE; appointed the ERO under the Energy Policy Act of 2005
- NERC – ERO
- NERC Regions

Enforcement

Penalty Matrix
* Limits are per day, per violation

Standards Development Process (flow diagram)
- Authorize Posting SAR
- Appoint SDT
- Draft Standard
- Collect Informal Feedback
- Consider, Respond, Revise
- Post for Comment & Ballot
- Consider, Respond, Revise
- Post for Final Ballot
- Board Adopts
- Regulatory Agencies Approve
- Implement

Standards Balloting
- Open participation
- Balance of interest: by segment
- Notification of standards development
- Transparency
- Consideration of views and objections
- Consensus vote: registered entities only
  - quorum 75% of participating ballot pool
  - 2/3 majority to affirm
- Timeliness
(Ballot tally figure: Yes / No / Abstain counts against the # in Ballot Pool)

Focus on BES Reliability Operating Services (BROS)
BES Reliability Operating Services: those services contributing to the real-time reliable operation of the Bulk Electric System (BES)
- Dynamic Response
- Balancing Load & Generation
- Controlling Frequency (Real Power)
- Controlling Voltage (Reactive Power)
- Managing Constraints
- Monitoring & Controlling
- Restoration of BES
- Situational Awareness
- Inter-Entity Real-Time Coordination and Communication

Standards Coverage
- Assets
  - Physical Protection
  - Electronic Protection
  - Lists of individual access
- Information
  - Physical Protection
  - Electronic Protection
  - Lists of individuals who control access
- People
  - Qualifications for access (PRA / Training)
  - Approval for access
  - Removal of access

IT & OT Inclusion (diagram: OT, IT)

OT Learnings / IT Learnings / Team Learnings (three columns; items as transcribed)
- Admit you need IT
- Do not say air gap
- Consider misuse
- Provide a seat at the table
- Explain hardware restrictions, and device limitations, with patience
- Improve communications
- Deliver actionable info
- Do you need it
- Most everything has a reason
- Measure the right thing
- Balance compliance, security, and reliability
- Focus on the mission
- Manage a complex system, safely and reliably
- Work together on projects from specification to implementation and define ongoing roles and responsibilities

Security and Compliance Math
Truths:
① Security Compliance
② Compliance Security
New Math:
③ Security Magic Compliance
(the relation symbols between the terms did not survive transcription)

Managed Operational Assets
- Examples of routine CIP maintenance tasks assigned to CIP performers
- Pulled from CIP-002 through CIP-011 and TFE-related tasks, as well as compliance process tasks

Recurring Activities (1)
- 15 Calendar Days
  - CIP-007: Sample Log Review
- 35 Calendar Days
  - CIP-007: Patch Evaluation
  - CIP-010: Baseline Review
- Calendar Quarter
  - Security Awareness Reinforcement
  - Verify Individuals with Active Electronic Access or Unescorted Physical Access

Recurring Activities (2)
- 15 Calendar Months
  - CIP-002: BES Cyber System Identification
  - CIP-003: CIP Senior Manager Approval of Policies
  - CIP-004: Verify Access to BES Cyber System Information
  - CIP-004: Verify Access Privileges
  - CIP-004: Cyber Security Training
  - CIP-004: Cyber Security Awareness Reinforcement
  - CIP-007: Password Change
  - CIP-008: Incident Response Plan Test
  - CIP-009: Test Sample of Recovery Information
  - CIP-009: Recovery Plan Test for High & Medium
  - CIP-010: Paper or Active VA

Recurring Activities (3)
- 24 Calendar Months
  - CIP-006: Maintenance and Testing of PACS
- 36 Calendar Months
  - CIP-003: Incident Response Plan Test for Low Impact
  - CIP-009: Recovery Plan Test for High Impact
  - CIP-010: Active VA for High Impact
- 7 Years
  - CIP-004: Personnel Risk Assessment

Recurring Activities (4)
- As needed / Ongoing
  - CIP-003: Update to CIP Senior Manager and Delegations
  - CIP-004: Granting/Removal of Physical and/or Cyber Access
  - CIP-006: Visitor Escort and Logging into PSP
  - CIP-007: Patch Install or Mitigation Plan Development/Update
  - CIP-007: Malicious Code Signature Update
  - CIP-008: Incident Response and Update to Incident Response Plan
  - CIP-009: Lessons Learned & Plan Updates
  - CIP-010: Baseline updates and documentation
  - CIP-006: Monitor and Response to Unauthorized access into PSP
  - CIP-006: Monitoring and Alarming of Unauthorized Access to PACS
  - CIP-006: PSP Activity Logging and Log Retention
  - CIP-007: System Logging, Alerting, and Log Retention

Infographic: https://securingthehuman.sans.org/

NERC CIP Best Of
- Staggered Implementation with focus on wide area impact
- Asset owner standards development
- Peer evaluations during safe harbor period
- Financial enforcement capability
- Criteria based facility determination
- Systematic approach
- Non prescriptive
- Focus on Real Time operational impacts
- Inclusive of IT/OT assets
- Scope includes Cyber, Physical, Operations, and Personnel

Asset Owner Perspective

NERC CIP: CIP Lessons Learned and Fails

Implementation?

The CIP Versions
- 2003 – 2005: Urgent Action Standard 1200 and 1300 draft
- 2006 – 2009: CIP-002 – CIP-009 Version 1
- 2010 April: CIP-002 – CIP-009 Version 2
- 2010 October: CIP-002 – CIP-009 Version 3
- 2011 Approved – Implementation N/A: CIP-002 – CIP-009 Version 4
- 2013 Approved – Implementation 2016 – 2017: CIP-002 – CIP-011 Version 5
- 2016 Approved – Implementation 2016 – 2018: CIP-002 – CIP-011 Version 6

Culture of Compliance
Commitment to Compliance:
- Management culture that encourages compliance
- Organizational chain allowing access to CEO/board
- Established, formal program for internal compliance
- Sufficient resources dedicated to the program
- Tools and training sufficient to enable employees to comply
- Systems and protocols for monitoring, identifying, and correcting possible violations
- Compliance tied to performance objectives
- Consequences for infractions

NERC CIP Lessons Learned
- Interpretation inconsistencies
- The stronger the internal controls program, the more violations
- Regulatory lag
- Potential innovation impacts
- TFE Process
- Fear of auditor greater than fear of attacker
- Programs can lean toward document driven compliance
- Predictive targets for adversaries
- Compliance / Audit economies demand funding and resources
- Need for funding and incentives

Asset Owner Perspective

Questions
