Change and Configuration Management


(1)

Change and Configuration Management for CIP Compliance

(2)

Presenters

- Bart Thielbar, CISA
  Senior Research Analyst
  Sierra Energy Group, a Division of Energy Central
  - CIP-003, R6 Primer and Related Requirements
- Kim Morris
  Director, Architecture and Information Security
  Public Service of New Mexico (PNM)

(3)

Change and Configuration Management: CIP-003, R6 Primer and Related Requirements

Bart Thielbar, CISA
Senior Research Analyst

(4)

Disclaimer

The information from this webcast is provided for informational purposes only. An entity's adherence to the examples contained within this presentation does not constitute compliance with the NERC Compliance Monitoring and Enforcement Program ("CMEP") requirements, NERC Critical Infrastructure Protection ("CIP") Reliability Standards, or any other NERC Reliability Standards or rules. While the information included in this material may provide some of the methodology that NERC has elected to use to assess compliance with the requirements of the Reliability Standard, this material should not be treated as a substitute for the Reliability Standard or viewed as additional Reliability Standard requirements. In all cases, the entity should rely on the language contained in the Reliability Standard itself, and not on the language contained in this presentation, to determine compliance with the CIP Reliability Standards.

(5)

Agenda

- Purpose, Applicable CIP Standards
- Change and Configuration Management
- New Developments related to V2 and TFE's

(6)

Why Good Change and Configuration Management?

- Differing practices and policies among departments and/or units within departments
- Differing documentation practices
- Managerial visibility and organizational control
- Risk Management

(7)

Applicable CIP Standards and Rules

- CIP 003, R6: Change Control and Configuration Management
- CIP 007: Within Context of Change and Configuration Management
  - Test Procedures
  - Ports and Services
  - Security Patch Management
  - Malicious Software Prevention
  - Security Status Monitoring
  - Disposal or Redeployment

(8)

Schedule for Table 3 Entities

Requirement | Begin Work | Substantially Compliant | Compliant | Auditably Compliant
CIP 003, R6 | 12/31/06   | 12/31/08                | 12/31/09  | 12/31/10

(9)

Change Management

- Documented process of change control
  - Adding, modifying, replacing, or removing Critical Cyber Assets
- Applies to hardware and software
  - Easy to develop tunnel vision and focus only on software

(10)

Configuration Management

- Documented process of change control
  - Identify, control, and document
- All entity or vendor related changes to Critical Cyber Assets

(11)

Overview/Explanation

- Documentation that tracks changes to Critical Cyber Asset hardware or software, to include:
  - Adding: adding hardware/software to existing system
  - Modifying: making a change to existing hardware/software
  - Replacing: adding new hardware/software
  - Removing: retire/redeploy hardware/software
- Configuration management activities to:
  - Identify: when a change needs to be made or has been made
  - Control: approval for changes

(12)

Process Summary

- Items requiring documentation when changed:
  - Process documentation (use good version control)
  - Critical Asset & Critical Cyber Asset List
  - Test environment
  - Patch management
  - Changes to Electronic Security Perimeter (ESP)
  - Changes to Physical Security Perimeter (PSP)
  - Process for identifying and changing ports and services settings
- Criteria in the change process:
  - Types of changes
  - Who initiates the changes
  - Who approves the changes
  - Approvals and dates for all auditable items

(13)

Change Management vs. Configuration Management (One View)

- Change Management – Process and activities undertaken to make changes to CCA's
  - Ex: Applying a software upgrade or adding additional memory to a laptop
- Configuration Management – Process and activities undertaken to establish and/or make changes to the configuration of CCA's
  - Ex: Setting up a new CCA and/or changing the configuration of an existing CCA, such as port activation

(14)

Testing

- Why: Ensure that new cyber assets and/or changes to cyber assets (not just CCA) do not compromise CCA serving the Bulk Electric System
  - Significant Change: Security patches, service packs, vendor releases/upgrades (including operating systems, applications, databases, etc.)
- Environment: Test Environment is very important -> must "reflect" the production environment
- Documentation: Test results must be documented (good, bad or neutral)

All consistent with generally accepted "best practices" for change management

(15)

Speaking of that…

- Good change and configuration management practices are just good business
- Should be viewed as a part of the overall control and governance framework
- CIP Standards have specific requirements, but individual policy and practice may go beyond

(16)

A Simplified View

[Diagram: "Change Control and Configuration Management (CIP 003, R6)" at the center, linked to: Test Procedures; Asset Management; Documentation Review and Maintenance; Security Issues and Impacts (e.g., patch management, virus protection, etc.); Access Review and Maintenance.]

(17)

The Audit Trail

- Recall -> Once again, all associated measures, "measure" documentation
- Documentation emphasizing:
  - Process for change control and configuration management
  - Test procedures, test environment, test results
  - Security & Access issues (Ports & Services, Patch Mgmt, Malicious Software Protection, Security Status Monitoring, Cyber Vulnerability Assessment & Account Management)
  - Disposal or Redeployment
- Annual review & update of CIP 007 Documentation

(18)

New Developments

- 9/30/09 FERC Order changes the documentation requirement from 90 days to 30 days for CIP 007, R9. This is effective in April, 2010.
  - Also applicable to CIP 006, R1.7; CIP 008, R1.4; and CIP 009, R3
- 10/12/09 NERC Compliance Bulletin #2009-007 addresses the interim approach to Technical Feasibility Exceptions (TFE's)

(19)

Possible Penalties and Sanctions

- Up to $1 M per day, per violation
  - Violation Severity (level of non-compliance)
  - Violation Risk Factors
- Mitigating factors may reduce penalties and sanctions
  - Quality of compliance program, self-reporting, voluntary corrective actions, etc.
- Aggravating factors may increase penalties and sanctions
  - Repeat violations, evasion, inaction, unwarranted intentional violations based on economic choice, etc.

(20)

Final Thoughts

- Always remember the importance of tone at the top and how it influences a culture of compliance
- Change and Configuration Management Practices are about Risk Management and impact many areas of CIP compliance efforts
- Compliance is a process, not an event
- Documentation, documentation, documentation

(21)

Change and Configuration Management: Strategies for CIP

Kim Morris
Director, Architecture and Information Security

(22)

Agenda

- NERC Guidance
- CIP Interdependencies with Change Control and Configuration Management

(23)

Based in Albuquerque, N.M., PNM Resources is an energy holding company with 2008 consolidated operating revenues from continuing and discontinued operations of $2.5 billion. Through its utilities (PNM and TNMP) and energy subsidiary (First Choice Power), PNM Resources serves electricity to 859,000 homes and businesses in New Mexico and Texas.

Current Capacity: 2717 MW

(24)

(25)

CIP Component Breakdown

[Diagram of the components: Critical Asset Inventory; Selection Criteria; Security Perimeter Definition; Cyber Assets; Asset Selection; Access Controls; Change Control & Configuration.]

(26)

CC & CM in a Nutshell

- Applies to Hardware and Software in the Security Perimeter
  - Industrial control systems
    - Example: Control Center SCADA
  - Physical Security Management Systems
    - Example: CCTV, Badge reader systems
  - Communications within ESP
  - IT Management Services

(27)

Change Control: Definition Summary

- Establish and Document a process for managing Change for Critical Cyber Assets (Applicability)
- Change Management Process
  - Requestors
  - Approval Authority
  - Testers
  - Implementers

(28)

Configuration Management: Definition Summary

- Establish and Document a configuration management process for adding, modifying, replacing or removing critical cyber asset hardware or software (Applicability)
- Document Management – 90 Day window (changes to 30 days in V2)
  - Version Control
  - Classification and Protection
- Testing
- Training
- Asset Inventory
- Ports and Services

(29)

Interdependencies

[Matrix of CIP-related functions (rows) against organizational units (columns); only the row and column labels and the fully marked rows could be recovered from the slide.]

Organizational units: Industrial Control Systems; Control Center Operations; IT Management Services; Physical Security; General Counsel; Human Resources; Communications; Generation; Substations

Functions: Access Control; Change Management; Document Control; Testing and Quality Assurance; Network Management; Incident Response; Systems Management; Training; Recovery Operations; Governance

Document Control, Training, and Governance are marked against all nine units.

(30)

Documentation, Documentation

- Governance Documents:
  - Policy
  - Procedures
  - Controls
  - Asset Configuration
- Examples:
  - Cyber Security Policy
  - Test Plans
  - Recovery Plans

(31)

Document Maintenance

- Change Management
- Ensure ongoing document review via the change management process
  - Asset Configuration
    - Ports and Services
    - Hardware/Software Release & Patch Level
  - Recovery Plans
  - Training Plans
  - Testing and Q/A Procedures and Testing Results
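The asset-configuration items kept under change management here (ports and services, hardware/software release and patch level) and the documentation window from slides 18 and 28 (90 days, dropping to 30 days) can be checked mechanically. The following script is an added example, not material from the webcast or from PNM's process; the host baseline, snapshot and change log are constructed sample data, and the `diff_config` and `overdue_documentation` names are this example's own.

```python
"""Added example (not from the webcast): drift and documentation-window check
for one Critical Cyber Asset. All data below is constructed sample data."""
from datetime import date, timedelta

DOC_WINDOW_DAYS = 30  # 90 days under CIP V1; 30 days after the 9/30/09 FERC Order

# Constructed documented baseline for a control-center host: ports and services
# plus software release/patch level, the items kept under change management.
DOCUMENTED = {
    "ports": {22: "ssh", 443: "https", 502: "modbus"},
    "software": {"scada-hmi": "4.2.1", "os-kernel": "2.6.18-164"},
}
# Constructed snapshot collected from the host (port scan plus installed-package list).
OBSERVED = {
    "ports": {22: "ssh", 443: "https", 502: "modbus", 5900: "vnc"},
    "software": {"scada-hmi": "4.2.2", "os-kernel": "2.6.18-164"},
}
# Constructed change log: (change id, date implemented, date documentation updated).
CHANGE_LOG = [
    ("CHG-101", date(2010, 4, 5), date(2010, 4, 20)),  # documented in 15 days
    ("CHG-102", date(2010, 4, 5), date(2010, 5, 20)),  # documented after 45 days
    ("CHG-103", date(2010, 5, 1), None),               # not yet documented
]


def diff_config(documented, observed):
    """Return (category, change_type, item, old, new) for each difference between
    the documented baseline and the snapshot, using the deck's change types."""
    changes = []
    for category, doc in documented.items():
        obs = observed.get(category, {})
        for key in sorted(set(doc) | set(obs), key=str):
            old, new = doc.get(key), obs.get(key)
            if old is None:
                changes.append((category, "adding", key, None, new))
            elif new is None:
                changes.append((category, "removing", key, old, None))
            elif old != new:
                changes.append((category, "modifying", key, old, new))
    return changes


def overdue_documentation(change_log, today, window_days=DOC_WINDOW_DAYS):
    """Return ids whose documentation update is missing after the window has
    elapsed, or was made more than window_days after implementation."""
    overdue = []
    for change_id, implemented, documented in change_log:
        deadline = implemented + timedelta(days=window_days)
        if documented is None and today > deadline:
            overdue.append(change_id)
        elif documented is not None and documented > deadline:
            overdue.append(change_id)
    return overdue
```

Every tuple returned by `diff_config` is a change that should have a change record and a documentation update; running `overdue_documentation` with `window_days=90` shows how the same log fares under the V1 window.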

(32)

Document Governance: Scheduled Periodic Reviews

- Annual Review
  - Internal Governance Team
- Vulnerability Assessment

(33)

Leverage Existing Processes

- Governance Methodologies
  - Incident Management
  - Vulnerability Management
  - Risk Management
  - Change Management
  - Configuration Management
- Corporate IT Security
- Existing Policies and Procedures

(34)

(35)

Organization Roles for Compliance

[Diagram of roles; labels recovered from the slide: Senior Manager; Compliance Manager; 3rd Party; Systems Engineer; Security Engineer; Network Engineer; Training; Corporate IT Security Manager.]

(36)

Leverage Existing Programs and Standards Organizations

- Financial – Sarbanes Oxley (SOX)
- Reliability – NERC
- Information Technology Infrastructure Library – ITIL
- National Institute of Standards – NIST

(37)

Test Procedures

- Change Management Applicability
  - Security Patches
  - Application and OS Updates
  - Database Updates
  - Firmware/Hardware
- Documentation Considerations
  - Testing and Q/A
  - Back out Plans
  - Contingency Operations
    - i.e. Illness, weather, disaster
  - Recovery Operations
  - Ports and Services
  - Training
  - TFE's

(38)

Training, Training, Training

- Change and Configuration Management Training
- Asset Additions, Changes, Disposals
- Incident Response
- Governance

(39)

Change and Configuration Guidance for Malicious Software Prevention

- Change Control and Configuration Management
- Antivirus and Malware
  - Engines and Management Software
  - DAT and Signature files
- Intrusion Prevention
  - Host-Based versus Appliance-Based
  - Signature updates

(40)

Technical Feasibility Exceptions (TFE's)

Recommendations per current NERC guidance:

- Establish a standardized policy and process for TFE's
- Capture forms for TFE's in the Security Policy
- Utilize the standard exception process for TFE's

(41)

A Look into the Future…

AMI and Smart Grid Impacts

- IP enabled networks
- Integrated Utility
  - Electronic Security Perimeter
- "Smart" Controls

(42)

Final Thoughts

- Additional Cyber Risks will continue to be identified
  - Ensure the compliance program can adapt to meet the changing demands of the organization and reliability
- Streamline Processes and Controls
  - Six Sigma
  - Tools and automated processes
- Find opportunities to use existing processes and controls

(43)

Questions & Answers

9/30/09 FERC Order:
http://www.ferc.gov/EventCalendar/Files/20090930165448-RD09-7-000.pdf

NERC Compliance Bulletin:
http://www.nerc.com/files/2009-007_Public_Notice-V1.pdf

Contact Information:
webcastquestions@energycentral.com

The magazine for building a smart grid and delivering information-enabled energy. FREE subscriptions available at www.intelligentutility.com.


(49)

CIP Compliance Series Webcasts

For comprehensive preparation for the implementation, compliance, and auditing phases of the CIP standards program, attend all six. Upgrade and save 10%. Apply your single event purchase to the cost of the entire series. Call 800-459-2233 or e-mail orders@energycentral.com for information.

Date     | Topic
9/23/09  | Identifying Critical Assets (On Demand)
10/6/09  | Program Governance Issues (On Demand)
10/21/09 | Change Management Systems (On Demand)
11/11/09 | Personnel Issues & Training
12/2/09  | Physical & Electronic Access Controls
12/16/09 | Testing Procedures & Recovery Plans

(50)

Thank You for Joining Us

For the latest news, articles and blogs, please visit . . .
