Recap Of FERC Order 822


Recap of FERC Order 822 and CIP V5 Implementation Plan Update
Ray Sefchik – Manager, CIP Compliance Monitoring
April 14, 2016

FERC Order No. 822 (Final Rule)
- Docket No. RM15-14-000
- 61-page order
- Issued January 21, 2016
- Published in the Federal Register January 26, 2016
- Effective Date: March 31, 2016
Forward Together ReliabilityFirst

FERC Order No. 822
- Approves submitted standards, definitions, VRF, VSL, and implementation plan
- Directs changes to some definitions
- Directs development of controls for transient devices at low impact
- Directs development of requirements for communications between all Control Centers
- Directs NERC to conduct a survey of the “strength” of remote access controls and associated vulnerabilities and mitigations

FERC Order No. 822 – Transient Devices at Low Impact
- “adoption of controls for transient devices at Low Impact BES Cyber Systems, including Low Impact Control Centers, will provide an important enhancement of the security posture by reinforcing the defense-in-depth nature at all impact levels.” (p.32)
- NERC directed to provide mandatory protections based on the risk posed to the BES (p.32)
- Commission not persuaded that existing CIP-003-6 electronic security controls address the issue (p.33)
- “responsible entities may not foresee and configure devices to limit all unwanted traffic” (p.33)

FERC Order No. 822 – Transient Devices at Low Impact (cont’d)
- “entities have discretion which does not provide enough certainty that all protocols or ports targeted by future, as-yet-unknown malware would result in the firewall rules dropping malicious traffic.” (p.33)
- Firewall monitoring not required for low (as it is by CIP-007-6 for medium and high), and malicious traffic could spread to other Low Impact BES Cyber Systems without “swift action” to prevent it (p.34)
- “[C]ontrols for low impact transient cyber assets could be adopted at the asset level (i.e., facility or site-level)” (p.36)

FERC Order No. 822 – Communication Networks
- Alternative approach (definition) adequately addresses concerns set forth in Order No. 791 (p.52)
- Directs NERC to “require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers tailored to address the risks posed by the assets being protected” (p.53)
- Includes high, medium and low impact (p.53)
- “[A]dditional measures to protect both the integrity and availability of sensitive bulk electric system data are warranted” (p.54)

FERC Order No. 822 – Communication Networks (cont’d)
- Rule doesn’t define “sensitive bulk electric system data”, but references IRO and TOP standards, specifically TOP-003-3 Requirements R1, R3 and R5 (p.54, fn 61)
- Notes some “data will be sensitive to data manipulation type attacks”, while other data will be “sensitive to eavesdropping type attacks aimed at collecting operational information” (p.54)
- Allows NERC flexibility to respond to directive (p.55)
- Agrees with issues raised by NERC – 1) no adverse effect on reliability; 2) account for various risk levels; 3) results-based (p.55)

FERC Order No. 822 – Communication Networks (cont’d)
- NERC’s response should “identify the scope of sensitive bulk electric system data that must be protected, and specify how the confidentiality, integrity, and availability of each type of bulk electric system data should be protected while it is being transmitted or at rest” (p.56)
- The “record” does not support including additional communications (i.e., substation telemetry and control) in the directive, but may revisit (p.57)
- Clarifies facilities at all impact levels regardless of ownership (p.58)
- Entities may be held individually accountable depending on arrangements with neighbors; recognizes “joint and coordinated functional registration” (p.59)

FERC Order No. 822 – Communication Networks (cont’d)
- Notes that “responsible Entities are required to exchange real-time operational planning data necessary to operate the [BES] using mutually agreeable security principles”, but there are no technical specifications for how this is to be accomplished (p.60)
- Declines to clarify the meaning and scope of “Control Center”, but notes that the directive applies to Control Centers at all levels (p.61)
- Notes there may be technical difficulties in certain implementations, and suggests using the TFE process (p.62)

FERC Order No. 822 – Remote Access
- Persuaded to assess current controls before directing changes (p.64)
- Directs NERC to conduct a study to assess the effectiveness of the CIP V5 remote access controls, risks posed by remote access-related threats and vulnerabilities, and appropriate mitigating controls for any identified risks (p.64)
- Focuses on remote access to High and Medium impact BES Cyber Systems (p.64)
- NERC should consult with Commission staff to determine general contents of the report (p.64)
- Report due within one year (i.e., by June 30, 2017)

FERC Order No. 822 – Definitions
- “[M]odifications to the Low Impact External Routable Connectivity definitions to reflect the commentary in the Guidelines and Technical Bases section of CIP-003-6 is necessary to provide needed clarity to the definition and eliminate ambiguity surrounding the term ‘direct’ as it is used in the proposed definition.” (p.73)
- Modification due within one year (i.e., by March 31, 2017) (p.73)

FERC Order No. 822 – Definitions (cont’d)
- Notes the difference between a connection “without a security break” and a connection “with a security break”, noting that the “security break must be ‘complete’”, and may “require the assets to maintain a ‘separate conversation’” (p.74)
- Declines to require using ESP/EAP (from medium) at low, but may revisit (p.75)

FERC Order No. 822 – Implementation Plan
- “The Commission approves NERC’s proposed implementation plan.” (p.80)
- Standards become effective on the 1st day of the calendar quarter three months after the effective date of the order for high and medium (p.80)
  ‒ Order effective March 31, 2016; next calendar quarter begins April 1, 2016; plus 3 months gives July 1, 2016
- Low impact beginning April 1, 2017, “consistent with NERC’s proposed implementation plan.” (p.80)
- Commission “willing to consider a request to align implementation dates or another reasonable approach to addressing potential implementation issues” (p.81)

FERC Order No. 822 (Next Steps)
- NERC staff is working on a communication that clarifies all implementation dates
- Dependent upon FERC action responding to petition requesting alignment of dates per p.81 of the order
- Regardless, it is the ERO’s intention to not audit or enforce the “identify, assess, and correct” language
- Remote Access survey will be conducted by NERC and Regional Entity staff (exact process to be determined)

Drafting Activity Next Steps
- A number of issues were identified during the transition study for SDT activity:
  ‒ Cyber Asset and BES Cyber Asset definition
  ‒ Network and external access
  ‒ Transmission Owner (TO) Control Centers
  ‒ Virtualization
- A SAR (Project 2016-02 Modifications to CIP Standards) for the proposed directives will be developed and the NERC Standards Committee will process it
- It is reasonable to assume that a single SDT will be tasked with updating the standards for both the transition issues and these directives
- NERC is holding a Technical Conference on Tuesday, April 19, 2016 to address these issues.

References
- Project 2014-02 Development History: CIP Version 5 Revisions page:
  ‒ ions.aspx
- CIP Version 5 Transition
  ‒ m.aspx

Questions & Answers

CIP Violation Data Trends 2012-2015
Deandra Williams-Lewis

Violation Volume Decreasing
[Chart: “CIP Violations by Deemed”; axis ticks not recoverable]
- 2010: Mandatory Compliance for all CIP Standards Begins; RF commences full scope audits; Entities at beginning stages of CIP implementation
- 2015: Maturation of CIP programs; Increased use of automated tools; increased outreach

Majority of Violations are Self-Reported
- Larger Entities Drive Volume of Self-Reports
- Two audit outliers in 2014 responsible for 92 of 117 audit violations, otherwise steady downward trend

Volume Driven by High-Frequency Conduct
- Requirements concerning “high-frequency conduct” drive volume:
  ‒ CIP-004, R4 (access: lists for cyber access and physical access; revoking privileges)
  ‒ CIP-006, R1 (physical security of critical cyber assets: physical access logging)
  ‒ CIP-007, R5 (account management: passwords and access lists)
- These violations tend to be self-reported and pose a lesser risk
- However, they can be indicative of systemic issues

Detection and Reporting Duration Improvement
- Decrease between Deemed and Reporting Dates
- Average 317 decrease in days (trending downward)*
* Includes noncompliance start date, time to identify, assess, correct, and then report

Improved Risk Posture
- Year-over-year decrease in severity
- 75% of CIP violations are Minimal to Moderate risk
- 9% of CIP violations are serious risk
  ‒ implementation issues
  ‒ culture and programmatic issues

Volume Driven by Larger Entities
- Larger entities have experienced initial implementation challenges
- More assets, business units, and people mean more challenges
- 100% of serious risk issues concern larger entities
- 93.3% of audit findings concern larger entities
- 79.8% of all violations driven by large entities
- CIP Themes Report: identified and shared common themes

Observations
- Possible Drivers of Positive Trending
  ‒ Maturation (both RF and Entities)
  ‒ Active Monitoring and Enforcement
  ‒ Trending, Analytics, and Sharing
    ‒ Assist Visits and Outreach
    ‒ CIP Themes Report
    ‒ Case Study Outreach
- Remain Vigilant – Moving Target
  ‒ Dynamic Regulatory Approach
  ‒ Focus on continuous improvement
  ‒ Violations not always indicative of security state
  ‒ Volume can indicate strong detective controls or weak preventative/corrective controls
  ‒ Paper compliance does not equal security

Common CIP Themes
Patrick O’Connor

Purpose of CIP Themes Report
- IDENTIFY
  ‒ Common themes underlying systemic CIP violations.
  ‒ Possible resolutions – Not directive because “one size does not fit all”
  ‒ Based on RF’s observations through years of compliance monitoring and enforcement activities
    ‒ Collaborated with entities that dealt with higher risk CIP Violations
    ‒ In coordination with NERC
- COMMUNICATE
  ‒ Raise awareness and prevent recurrence
  ‒ Report available on RF’s website

The Identified CIP Themes

Scenario #1
- Entity implemented tools to monitor its account usage.
  ‒ Entity did not configure these properly, causing voluminous logs that could not be meaningfully digested.
- Entity implemented tool to automatically generate revocation notices.
  ‒ Responsible employee did not review notifications and thus did not perform necessary revocations.

Scenario #2
- Entity utilized a vendor’s asset management system.
  ‒ Protecting Critical Cyber Asset Information was not considered nor mentioned in the vendor contract.
- Entity contracted with vendor to provide security patch management.
  ‒ Vendor did not provide entity with timely assessments of patch releases.

Scenario #3
- Entity used its mirrored back-up data center constituted as its disaster recovery data center.
  ‒ Entity did not understand that corruption of the main data center would promptly result in a corrupted back-up data center.
- Entity permitted compromised assets to communicate freely with command and control server.
  ‒ Entity did not understand firewall commands (“permit any any” on outbound traffic).

Questions & Answers

Vectren NERC CIP Version 5/6 Transition
April 14, 2016

Topics
- Vectren at a Glance
- Transition Timeline
- Transition – What went well, Approach, Challenges
- March 2016 Audit

Vectren at a Glance
- Headquartered in Evansville, Indiana
- 5,400 total employees
  ‒ 1,800 utility employees
  ‒ 3,600 nonutility employees
- Customers
  ‒ 1M natural gas customers
  ‒ 140K electric customers

Vectren at a Glance – Electric
- Vectren Energy Delivery of Indiana – “Vectren South” (SIGECO)
  ‒ 1,828 MW total peak load
  ‒ 1,288 MW total generating capacity
- NERC Registered Functions
  ‒ Balancing Authority
  ‒ Transmission Operator
  ‒ Transmission Owner
  ‒ Transmission Planner
  ‒ Generator Operator
  ‒ Generator Owner
  ‒ Resource Planner
  ‒ Distribution Provider
- Transmission infrastructure
  ‒ 345kV – 64 miles
  ‒ 138kV – 374 miles
  ‒ 69kV – 565 miles
  ‒ 25 transmission substations

Vectren Transition Timeline
- 2014 – Analyze and Draft
  ‒ Researching guidance from NERC, RF, and other regions
  ‒ Revising procedures
  ‒ Implementing technical solutions (application layer firewalls)
- 2015 – Q1 2016 – Implementation and Audit
  ‒ Implementing technical solutions (upgraded SCADA, TripWire, Avamar)
  ‒ Finalizing and Reviewing processes
  ‒ Implementing Processes and Gathering Evidence
  ‒ Audit Preparation (Collecting samples, RFIs)
- 2016 – Check and Adjust
  ‒ Revising processes to incorporate audit recommendations
  ‒ Continuously improving processes as we use them
  ‒ Low Impact Assets

Transition
What went well:
- Consistent and dedicated subject matter experts, compliance personnel, and management
- Fresh faces, fresh look at processes
- New technical solutions and tools
- Re-thinking our current processes (automation, reconciliations)
- Director level reviews – similar to audit sessions
- Third party review
Key Challenges:
- New terminology within the standards
- Greater volume of guidance
- Learning curve associated with new technical solutions
- Multiple moving parts of the project with a relatively small group

CIP-002
Overall outcome – similar to Version 3
Challenges:
- New approach with much debate
- Understanding the standard
- New Terms
- Where do the components list, EACMS/PACS fit in?
- Developing the template to communicate our process
- Low Impact Assets
Approach:
- Outlined the process and template to use based on guidance and model templates
- Documented the decisions we made
- Collaborated with key subject matter experts from all groups involved (Transmission, Power Supply, Engineering)

CIP-004
Re-examined and revised existing process for key changes:
- 24 hour revocation – Walked through multiple scenarios. Key controls in place:
  ‒ Identified triggers – HR notification (employees), Contractor notification to Cyber System Owner
  ‒ Contract language was revised to require contractors to notify us immediately of a termination.
  ‒ All employees with access to a BES Cyber System or BES Cyber System Information are flagged in the HR System
  ‒ HR calls Compliance in addition to sending the termination notice via email when an individual is flagged.
  ‒ Compliance follows up with all parties involved in access revocation to verify and document access was revoked.
- Training requirements – Review of training by role, revised internal training material

CIP-004 (continued)
- BES Cyber System Information (BCSI) requirements – BCSI repositories were identified, and a process was determined to secure them
- Personnel Risk Assessments (PRA) for contractors – Required contractors to complete a form to verify a PRA was performed according to our process, in addition to contract requirements.

CIP-007 – Physical Ports
New Requirement: Protect against use of unnecessary physical input/output ports
Multi-Layered Approach:
- Disable physical ports in BIOS and through Group Policy
- USB and Network Port Blockers
- Signage

CIP-007 – Security Patching
Key Challenge: Documenting that all evaluated patches were applied within 35 days.
Items to watch for:
- New patches (that supersede the original evaluated patch) can come out between the time of evaluation and the time that they are applied.
- Application of new patches that have not been evaluated.
Approach:
- Utilizing Security Patching Software for a majority of assets.
- Documented meeting each month to review patches released since last evaluation meeting, patches applied since last evaluation meeting, mitigation plans (if applicable).
- Reconciliation of evaluated patches to applied patches to verify and document all evaluated patches were applied.
- Check and adjust of processes and reports during implementation.
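The reconciliation step above is the one auditors ask to see. The following is an added example, not Vectren's or ReliabilityFirst's code, of how that reconciliation can be automated so that both "items to watch for" (superseding patches and patches applied without evaluation) fall out of the same comparison. It assumes two plain lists: the monthly evaluation record and the patching software's export of installed patches; the 35-day window runs from the evaluation date. Patch IDs, asset names and dates are constructed.

```python
"""Reconcile evaluated security patches against applied patches.

Added example, not Vectren's or RF's code. Assumptions (not from the
presentation): the monthly evaluation record and the patching software's
applied-patch export are plain lists of dicts; a patch evaluated as "apply"
must be installed within 35 calendar days of its evaluation date; a
supersession is recorded as the ID of the patch that replaces the one
evaluated. Patch IDs, asset names and dates below are constructed.
"""
from datetime import date, timedelta

APPLY_WINDOW = timedelta(days=35)

# Constructed: what the monthly evaluation meeting recorded.
EVALUATIONS = [
    {"patch": "KB-1001", "asset": "hmi-01", "evaluated": date(2016, 1, 5),
     "decision": "apply", "superseded_by": None},
    {"patch": "KB-1002", "asset": "hmi-01", "evaluated": date(2016, 1, 5),
     "decision": "apply", "superseded_by": "KB-1007"},  # vendor re-released it
    {"patch": "KB-1003", "asset": "scada-srv", "evaluated": date(2016, 1, 5),
     "decision": "mitigate", "superseded_by": None},  # mitigation plan, no install
    {"patch": "KB-1004", "asset": "scada-srv", "evaluated": date(2016, 1, 5),
     "decision": "apply", "superseded_by": None},
]

# Constructed: what the patching software reports as installed.
APPLIED = [
    {"patch": "KB-1001", "asset": "hmi-01", "applied": date(2016, 1, 20)},
    {"patch": "KB-1007", "asset": "hmi-01", "applied": date(2016, 2, 1)},
    {"patch": "KB-1004", "asset": "scada-srv", "applied": date(2016, 2, 15)},
    {"patch": "KB-1009", "asset": "scada-srv", "applied": date(2016, 2, 10)},
]


def reconcile(evaluations, applied):
    """Return findings by category, each a sorted list of tuples.

    late        (patch, asset, days past the 35-day deadline)
    missing     (patch, asset) evaluated as "apply" but never installed
    superseded  (patch, replacement, asset) where the replacement was installed instead
    unevaluated (patch, asset, is_known_replacement) installed without its own evaluation
    """
    applied_on = {(a["patch"], a["asset"]): a["applied"] for a in applied}
    evaluated = {(e["patch"], e["asset"]) for e in evaluations}
    replacements = set()
    findings = {"late": [], "missing": [], "superseded": [], "unevaluated": []}

    for e in evaluations:
        key = (e["patch"], e["asset"])
        if e["superseded_by"]:
            replacements.add((e["superseded_by"], e["asset"]))
        if e["decision"] != "apply":
            continue  # mitigation plans are tracked in a separate record
        deadline = e["evaluated"] + APPLY_WINDOW
        when = applied_on.get(key)
        if when is None and e["superseded_by"]:
            # The original was replaced before install; the deadline still
            # runs from the original evaluation date.
            when = applied_on.get((e["superseded_by"], e["asset"]))
            findings["superseded"].append((e["patch"], e["superseded_by"], e["asset"]))
        if when is None:
            findings["missing"].append(key)
        elif when > deadline:
            findings["late"].append((e["patch"], e["asset"], (when - deadline).days))

    for key in applied_on:
        if key not in evaluated:
            # Installed without an evaluation entry: a known replacement that
            # still needs its own evaluation, or an undocumented install.
            findings["unevaluated"].append((key[0], key[1], key in replacements))

    for bucket in findings.values():
        bucket.sort()
    return findings


if __name__ == "__main__":
    for category, items in reconcile(EVALUATIONS, APPLIED).items():
        print(category, items)
```

On the constructed data this reports KB-1004 as six days late, KB-1002 as satisfied by its replacement KB-1007, and two installs without an evaluation record (the replacement, which still needs its own entry, and KB-1009, which has none). Running the same comparison each month and keeping the output is the "show your work" evidence the audit slides later recommend.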

CIP-009 – Recovery Plan Testing
Key Challenges:
- New equipment installed for the backup and storage of information (learning curve)
- Determining a representative sample of information for testing
Approach:
- Used system inventory list to show coverage by asset type and backup strategy.
- Large sample size.

CIP-010 – Configuration Change Management
Key Challenges:
- Developing and documenting baselines and changes to baselines.
- Cyber Security Testing – changes to the requirement language.
Approach:
- Tripwire Enterprise for configuration management – provides an automated method to gather baseline configurations and changes.
- Test cyber security controls using Tripwire. Test all controls, even if it is determined that the control will not be impacted by the change.
Items to watch for:
- Linux does not identify what is a security patch after it is installed.

CIP-011 – Information Protection
Challenges:
- BES Cyber System Information definition
- New language in the standard
Approach:
- Created a robust program, streamlining the version 3 program.
- Incorporated version 5 concepts into program.
- Considered multiple scenarios

Audit – March 2016
General Observations and Approach:
- RF Attachment C was easy to fill out and understand
- Multiple population lists
- Numbered evidence list that helped us arrange our evidence.
- Prepare for in-depth sampling
- All evidence is reviewed prior to the on-site review
- Data requests (RFIs) prior to the on-site visit helped answer many of the Audit Team’s questions.

Audit – March 2016
Key Takeaways:
- Provide the evidence that is requested, not everything they could dream of requesting
- Utilize tools to prepare evidence as much as possible
- Work with the auditors to determine evidence to provide
- Prepare your process and evidence with the audit in mind; can someone else understand what was performed?
- Reconciliations are a good way to “show your work”

Questions?

CIP-005-5 R1.5
Spring CIP Audit Workshop
April 14, 2016
Scott Pelfrey, CISA, CISSP, GISP, MBA
Senior Technical Auditor

CIP-005-5 Part 1.5 – Learning Objectives
- Terminology
- Discussion of IPS/IDS & firewall
- Questions Answered
- Overview of Requirement
- Audit Approach by RF

CIP-005-5 Part 1.5 – Terminology
- BES Cyber Asset (BCA)
- High Impact BES Cyber Systems (BCS)
- Protected Cyber Asset (PCA)
- Electronic Security Perimeter (ESP)
- Electronic Access Point (EAP)
- Intrusion Prevention System (IPS)
- Intrusion Detection System (IDS)
- Firewall

CIP-005-5 Part 1.5 – Discussion
Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS)

CIP-005-5 Part 1.5 – Firewall
- Firewall – Analyzes packet headers, enforces policy
  ‒ Policy based on: Protocol Type, Source Address, Destination Address, Source Port, Destination Port
  ‒ Transparent and Fast

CIP-005-5 Part 1.5 – Firewall Details (1)
Capabilities
- Single point for monitoring, exclusion of attacks, unauthorized users, malware, viruses, etc.
- Convenient platform for Internet functions not security related
- Can log or audit ingress / egress activities
- Stateful Inspection
  ‒ Keeps “directory” of TCP connections
  ‒ Only allows incoming traffic for “known” connections
  ‒ May also keep track of TCP sequence numbers as well

CIP-005-5 Part 1.5 – Firewall Details (2)
Limitations
- Cannot protect against attacks bypassing the device (Transient devices)
- May not fully protect against threats
  ‒ May be vulnerable to IP address spoofing, source route attacks & tiny fragment attacks
  ‒ Vulnerable to TCP/IP protocol bugs
- Improper configuration may lead to breaches
- Wireless connections may circumvent firewall

CIP-005-5 Part 1.5 – Firewall Example
[Diagram]

CIP-005-5 Part 1.5 – IDS
- Intrusion Detection System (IDS) analyzes packets – both header and payload – and looks for known events
  ‒ When a known event is detected, a log message is generated detailing the event

CIP-005-5 Part 1.5 – IDS Details (1)
Two Physical Types
- Host-Based
  ‒ Resident on one system
  ‒ Monitors only that system’s activity
  ‒ Can detect both Internal / External intrusions
- Network-Based
  ‒ Monitors particular network segments or devices
  ‒ May be inline (as part of another net device) or passive (copy of traffic through tap or mirrored port)

CIP-005-5 Part 1.5 – IDS Details (2)
Two Detection Types
- Signature or Rules Detection
  ‒ Analyze records for match with current rules or signatures
  ‒ Requires constant updates for protection
  ‒ Issue: only knows known intrusions; new intrusions may not be found
- Anomaly Detection
  ‒ Builds profile or keeps thresholds
  ‒ Matches incoming packets to profiles or thresholds
  ‒ Issue: May have false positives during “extreme” events
- Events generated from deviations of either
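The two detection types and their stated weaknesses are easier to see side by side on the same traffic. The following is an added example, not from the slides or any real IDS product, that runs a signature check and a volume-based anomaly check over a handful of constructed connection records. It assumes a simplified flow log (time, source, destination, protocol, port, bytes, payload snippet), a constructed signature list, and an anomaly profile learned per source host from a quiet window; the Modbus function-code snippet and all addresses are constructed.

```python
"""Signature vs anomaly detection over constructed connection records.

Added example, not from the slides or any real IDS. Assumptions: records are a
constructed, simplified flow log (time, src, dst, proto, dport, bytes,
payload snippet); signatures are a constructed rule list; the anomaly profile
is per-source-host byte volume learned from a quiet window. The Modbus
function-code snippet and the addresses are constructed.
"""
import statistics

# Constructed learning window: (source host, bytes per connection).
LEARNING_WINDOW = [
    ("10.20.1.5", 1100), ("10.20.1.5", 1250), ("10.20.1.5", 1180),
    ("10.20.1.5", 1300), ("10.20.1.5", 1220),
    ("10.20.1.7", 400), ("10.20.1.7", 420), ("10.20.1.7", 390),
    ("10.20.1.7", 410), ("10.20.1.7", 380),
]

# Constructed records to inspect: (time, src, dst, proto, dport, bytes, payload snippet).
CURRENT = [
    ("02:00:01", "10.20.1.5", "10.10.5.6", "udp", 514, 1230, ""),        # routine syslog
    ("02:05:00", "10.20.1.5", "10.10.9.9", "tcp", 445, 850000, ""),      # scheduled backup
    ("02:07:13", "10.20.1.7", "10.20.1.50", "tcp", 502, 410, "FC=08"),  # diagnostics from a non-master
    ("02:07:20", "10.10.1.10", "10.20.1.50", "tcp", 502, 400, "FC=03"), # authorised master read
    ("02:09:41", "10.20.1.7", "10.20.1.60", "tcp", 4840, 395, ""),      # new peer, normal volume
]

# Constructed signature: a Modbus diagnostic function code sent by anyone but the master.
SIGNATURES = [
    {"name": "modbus-diagnostic-from-non-master", "proto": "tcp", "dport": 502,
     "payload": "FC=08", "allowed_src": {"10.10.1.10"}},
]


def signature_hits(record, signatures):
    """Rules detection: header fields plus a payload substring must all match."""
    _, src, _, proto, dport, _, payload = record
    return [s["name"] for s in signatures
            if s["proto"] == proto and s["dport"] == dport
            and s["payload"] in payload and src not in s["allowed_src"]]


def build_profile(window, k=3.0):
    """Anomaly profile: per-host threshold of mean + k standard deviations."""
    samples = {}
    for host, nbytes in window:
        samples.setdefault(host, []).append(nbytes)
    return {host: statistics.mean(v) + k * statistics.stdev(v) for host, v in samples.items()}


def anomaly_hit(record, profile):
    """True when the host exceeds its learned volume; hosts without a profile are skipped."""
    src, nbytes = record[1], record[5]
    return src in profile and nbytes > profile[src]


def detect(records, signatures, profile):
    """Return (record index, detector, name) for every alert, in record order."""
    alerts = []
    for i, rec in enumerate(records):
        for name in signature_hits(rec, signatures):
            alerts.append((i, "signature", name))
        if anomaly_hit(rec, profile):
            alerts.append((i, "anomaly", "byte-volume"))
    return alerts


if __name__ == "__main__":
    for alert in detect(CURRENT, SIGNATURES, build_profile(LEARNING_WINDOW)):
        print(alert)
```

Record 1 is the slide's "extreme event": a scheduled backup trips the volume profile although nothing is wrong, so the process for false positives that the audit approach asks about applies. Record 2 is caught only because a signature for it exists. Record 4, a new peer at normal volume, matches no signature and is not a volume outlier, so neither detector fires, which is exactly the "only knows known intrusions" limitation.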

CIP-005-5 Part 1.5 – IDS Example
[Diagram; label: Corporate Network]

CIP-005-5 Part 1.5 – IPS
- Intrusion Prevention System (IPS) analyzes packets – both header and payload – and looks for known events
  ‒ When a known event is detected, the packet is rejected

CIP-005-5 Part 1.5 – IPS Details (1)
Host Based
- Resident on one system
- Monitors only that system’s activity
- Can detect both Internal / External intrusions
- Uses both Signature/Rules & Anomaly Detection
- Can be tailored for specific purpose
  ‒ Web, Database, General
- May use sandbox to monitor behavior
- May give file, registry, or I/O protection

CIP-005-5 Part 1.5 – IPS Details (2)
Network Based
- Inline IPS can discard packets or terminate TCP connections
- Uses both Signature/Rules & Anomaly Detection
- May provide content flow protection
- Identifies malicious packets using multiple methods

CIP-005-5 Part 1.5 – IPS Example
[Diagram: Host-Based IPS]

CIP-005-5 Part 1.5 – Differences (1)
- Firewall – use of rules to “pass” traffic through (looking for a rule to allow packets through)
- IPS – use of rules to “block” traffic through (looking for a rule to drop packets)
- Firewall/IPS – “control” devices, sitting inline and controlling packets
- IDS – “visibility” tool

CIP-005-5 Part 1.5 – Differences (2)
- IPS/IDS – Functional difference very subtle between the two
- IPS/IDS – Sometimes only a configuration setting
- IPS/IDS – May or may not be physical modules
- IPS/IDS – Often functionally indistinguishable (even if they are two separate devices or modules)

CIP-005-5 Part 1.5 – IDS/IPS Management
[Diagram]

CIP-005-5 Part 1.5 – NGFW (1)
- Next Generation Firewall (NGFW)
- Newer concept
- Single device converges FW and IDS/IPS
- Deep packet inspection of both Header and Payload in one action
- Decision-making capabilities for policy enforcement

CIP-005-5 Part 1.5 – NGFW (2)
- Supports typical FW capabilities (NAT, VPN, QoS, packet filtering)
- Adds:
  ‒ Intrusion Prevention
  ‒ SSL / SSH inspection
  ‒ Reputation-based Malware detection
  ‒ Application Awareness
  ‒ Signature-based antivirus

CIP-005-5 Part 1.5 – NGFW (3)
[Diagram]

CIP-005-5 Part 1.5 – NGFW Single Pass Architecture
[Diagram]

CIP-005-5 Part 1.5 – Overview (1)
[Requirement text, not recoverable from the transcription]

CIP-005-5 Part 1.5 – Overview (2)
- Applies to only Electronic Access Points (EAPs)
- Applies only to High/Medium Control Centers, specifically RC, BA, TO, GO
- Best Practice – apply to all EAPs

CIP-005-5 Part 1.5 – Questions
A couple of questions answered first

CIP-005-5 Part 1.5 – Question 1
Why include outbound communications?

CIP-005-5 Part 1.5 – Answer
- Compromised BCA – outside communication (Command and Control)
- First level of defense to stop Command & Control (C&C) exploit
- Know what you connect to and limit traffic to those communications; needs to include:
  ‒ Normal Operations
  ‒ Emergency Operations
  ‒ Support
  ‒ Maintenance
  ‒ Troubleshooting

CIP-005-5 Part 1.5 – Question 2
- Do we need two separate devices?
- Part 1.5 direct result of FERC Order 706, Paragraphs 496-503
- ESPs required to have two DISTINCT security measures
- Further explanation in FERC Order 706-A, paragraph 66 – requirement for two separate and distinct electronic devices (but that doesn’t necessarily mean two physical devices) for defense-in-depth

CIP-005-5 Part 1.5 – Answer
- Short Answer: No.
- CIP Version 5 FAQs – Need one or more METHODS, not physical devices; modules CAN reside on the same appliance

CIP-005-5 Part 1.5 – Guidelines
Guidelines and Technical Basis Overview

CIP-005-5 Part 1.5 – Guidelines (1)
- Large ranges of internal addresses allowed (ephemeral ports)
- You know what ranges are required – (Document)
- Suggest communication through EAP to the Entity’s address space ONLY – no internet
- Know what you talk to – both inside and outside of ESP – (Document)
- Need to detect rogue connections and block

CIP-005-5 Part 1.5 – Guidelines (2)
- “Deny by default” – need to see explicit (or implicit) “deny all” in ruleset
- Direct serial or non-routable connections not included
- Use common sense and due diligence
- Fail “open” but maintain perimeter protection
- Show malicious traffic inspection – (Document)
- Require “deep packet inspection”
- Redundancy of firewalls does NOT count

CIP-005-5 Part 1.5 – Audit Approach
ReliabilityFirst’s Audit Approach

CIP-005-5 Part 1.5 – Audit Approach (1)
- Most entities – EAP is a firewall (Juniper, Cisco, Microsoft, Check Point, Palo Alto, Sophos, WatchGuard, Barracuda, many others) – first line of defense
- May add modules, separate systems, taps to monitor ingress – egress traffic on EAP
- May be host-based or network-based for malicious communications – Entity decision – (Document)
- Updates – Software / Firmware
- Change control for updates

CIP-005-5 Part 1.5 – Audit Approach (2)
- Testing signatures and rules prior to deployment
- Testing of recovery from failure
- Process updates from new or unknown alarms or alerts
- Process for false positives?
- Tell us your story – help audit team understand your environment

CIP-005-5 Part 1.5 – Review
- Need to show separation of method
- Failure of IPS/IDS must be “open”
- Deny by default rules
- Justification for rules
- Outgoing rules required
- Testing of signatures and rules updates
- Unrestricted rules (any any) heavily scrutinized
- Tell your story – know your connections
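Several of the review points above (deny by default, justification for every rule, outgoing rules present, "any any" rules scrutinized) and the "permit any any on outbound traffic" of Scenario #3 in the CIP Themes section can be checked mechanically before the auditor does. The following is an added example, not ReliabilityFirst's code and not any vendor's syntax: it audits a constructed, vendor-neutral ruleset (direction, action, protocol, source, destination, destination port, quoted justification; one rule per line, first match wins) and reports the findings an entity would want to clear first. Addresses, ports and justifications are constructed.

```python
"""Audit a simplified EAP ruleset for the review points above.

Added example, not ReliabilityFirst's code or any vendor's syntax. Assumptions:
rules are in a constructed, vendor-neutral text format
(direction action proto src dst dport "justification"), one per line,
evaluated top-down with first match winning. The sample ruleset is constructed.
"""
import ipaddress
import shlex

RULESET = """\
# dir  action proto src            dst           dport justification
in     permit tcp   10.10.0.0/16   10.20.1.5     502   "SCADA polling from control-center LAN"
in     permit tcp   10.10.7.0/24   10.20.1.0/24  any   ""
out    permit tcp   10.20.0.0/16   10.10.5.5     443   "WSUS patch repository"
out    permit any   any            any           any   "temporary, vendor support"
out    deny   any   any            any           any   "deny by default"
out    permit udp   10.20.1.5      10.10.5.6     514   "syslog to SIEM"
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _net(token):
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse the constructed format into dicts; line numbers are kept for reporting."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        direction, action, proto, src, dst, dport, why = fields
        rules.append({"line": lineno, "dir": direction, "action": action, "proto": proto,
                      "src": _net(src), "dst": _net(dst), "dport": dport, "why": why})
    return rules


def is_any_any(rule):
    return (rule["src"] == ANY_NET and rule["dst"] == ANY_NET
            and rule["proto"] == "any" and rule["dport"] == "any")


def audit(rules):
    """Return (direction, line or None, finding) tuples, sorted for stable output."""
    findings = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r["dir"] == direction]
        if not chain:
            findings.append((direction, None, "no rules for this direction"))
            continue
        # "Deny by default": the chain must end in an explicit deny-all, and
        # anything after it can never match.
        deny_all = next((i for i, r in enumerate(chain)
                         if r["action"] == "deny" and is_any_any(r)), None)
        if deny_all is None:
            findings.append((direction, None, "no explicit deny-all"))
        else:
            for r in chain[deny_all + 1:]:
                findings.append((direction, r["line"], "unreachable: after deny-all"))
        for r in chain:
            if r["action"] != "permit":
                continue
            if is_any_any(r):
                findings.append((direction, r["line"], "permit any any"))
            elif r["dport"] == "any":
                findings.append((direction, r["line"], "permit to all destination ports"))
            if not r["why"].strip():
                findings.append((direction, r["line"], "no justification"))
    return sorted(findings, key=lambda f: (f[0], f[1] or 0, f[2]))


if __name__ == "__main__":
    for finding in audit(parse_rules(RULESET)):
        print(finding)
```

On the sample the inbound chain has no deny-all at all, line 3 permits every destination port without a documented reason, the outbound "temporary" any-any on line 5 is exactly the rule the review slide says is heavily scrutinized, and the syslog rule on line 7 is dead because it sits below the deny-all. A real deployment would feed the script the exported rule table in the vendor's format; the checks themselves do not change.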

Questions & Answers

Logical Ports and Services
David Sopata
4/14/2016

Agenda
High level methodology and tips from a recovering CIP Auditor on how to:
- Identify Ports and Services for BES Cyber Systems and/or Assets – CIP-007-6
- Justify the use of Ports and Services – CIP-007-6
- Incorporate the information into a baseline – CIP-010-2
- Monitor the Baseline – CIP-010-2, CIP-008-5

A little bit about me
- I am a recovering CIP Auditor
- I love technology
- I enjoy helping others
- I’m not afraid of a terminal
- I enjoy learning from others
- I consider myself a process improvement hacker
- I also enjoy memes!

WARNING!!!!
I might just get silly and talk about things outside of the standards. However, these would be the next maturity step towards good practice.
Also

CIP-007-6 Part 1.1
Asset Level Requirement, High and Medium Impact

CIP-007-6 R1.1
- CIP-007-6 R1.1: Protecting Logical Ports
- This is similar to CIP-007-3 R2
- This includes:
  ‒ All enabled logical ports that are generally associated with “layer 4” of the OSI Network model on BES Cyber Assets/other cyber assets.
  ‒ “windows services” for Windows environments or PID for the “*nix” type environments.
- Other appliances/devices may call this something different.
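The agenda for this section chains three steps: identify the enabled logical ports and the service or PID behind each, justify each one, and fold the result into the CIP-010 baseline so drift can be monitored. The following is an added example, not the presenter's or ReliabilityFirst's code, that does the comparison step for a Linux host. It assumes a listener snapshot constructed in the column layout of `ss -tulnp` and a baseline kept as a dict of (protocol, port) to expected process and documented need; every port, process and address in it is constructed.

```python
"""Compare a host's enabled logical ports against a documented ports-and-services baseline.

Added example, not the presenter's or RF's code. Assumptions: the listener
snapshot is constructed in the column layout of Linux `ss -tulnp`; the baseline
is a constructed dict keyed by (proto, port) holding the expected process and
the documented need. Ports, processes and addresses are constructed.
"""
import re

SNAPSHOT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=990,fd=7))
tcp   LISTEN 0      50     0.0.0.0:502         0.0.0.0:*         users:(("python3",pid=1203,fd=4))
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("ntpd",pid=501,fd=16))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=640,fd=8))
"""

# Constructed baseline: the justified ports and the service expected behind each.
BASELINE = {
    ("tcp", 22):  {"process": "sshd",     "need": "administrative access from jump host"},
    ("tcp", 502): {"process": "modbusd",  "need": "Modbus/TCP polling by SCADA master"},
    ("udp", 123): {"process": "ntpd",     "need": "time sync for log correlation"},
    ("udp", 514): {"process": "rsyslogd", "need": "syslog relay from field devices"},
}

# One `ss` row: protocol, state, queues, local addr:port, peer, owning process name.
ROW = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return {(proto, port): {"process": name, "bind": address}} for each listener row."""
    listeners = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            listeners[(proto, int(port))] = {"process": proc, "bind": addr}
    return listeners


def compare(listeners, baseline):
    """Three buckets: enabled without a documented need (R1.1 gap), documented but
    not running (baseline stale or service down), and a documented port now served
    by a different process (baseline deviation under CIP-010)."""
    result = {"unjustified": [], "absent": [], "process_changed": []}
    for key, seen in listeners.items():
        if key not in baseline:
            result["unjustified"].append((key[0], key[1], seen["process"], seen["bind"]))
        elif seen["process"] != baseline[key]["process"]:
            result["process_changed"].append((key[0], key[1], baseline[key]["process"], seen["process"]))
    for key in baseline:
        if key not in listeners:
            result["absent"].append(key)
    for bucket in result.values():
        bucket.sort()
    return result


if __name__ == "__main__":
    for bucket, items in compare(parse_listeners(SNAPSHOT), BASELINE).items():
        print(bucket, items)
```

On the constructed snapshot, the print spooler on 631 and SNMP on 161 are enabled with no documented need, the documented syslog relay on udp/514 is not running, and tcp/502 is being served by `python3` instead of the baselined `modbusd`, the kind of leftover test listener a baseline comparison is meant to catch. Each finding either gets a justification added to the baseline or the port gets disabled; either way the baseline record changes and that change is what CIP-010 asks you to track.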

CIP-007-6 R1.2
- CIP-007-6 R1.2: Protecting Physical Ports
- Add
