Change and Configuration Management for CIP Compliance
Presenters
• Bart Thielbar, CISA, Senior Research Analyst, Sierra Energy Group, a Division of Energy Central
  CIP-003, R6 Primer and Related Requirements
• Kim Morris, Director, Architecture and Information Security, Public Service of New Mexico (PNM)
Change and Configuration Management
CIP-003, R6 Primer and Related Requirements
BART THIELBAR, CISA
SENIOR RESEARCH ANALYST
Disclaimer
The information from this webcast is provided for informational purposes only. An entity's adherence to the examples contained within this presentation does not constitute compliance with the NERC Compliance Monitoring and Enforcement Program ("CMEP") requirements, NERC Critical Infrastructure Protection ("CIP") Reliability Standards, or any other NERC Reliability Standards or rules. While the information included in this material may provide some of the methodology that NERC has elected to use to assess compliance with the requirements of the Reliability Standard, this material should not be treated as a substitute for the Reliability Standard or viewed as additional Reliability Standard requirements. In all cases, the entity should rely on the language contained in the Reliability Standard itself, and not on the language contained in this presentation, to determine compliance with the CIP Reliability Standards.
Agenda
• Purpose, Applicable CIP Standards
• Change and Configuration Management
• New Developments related to V2 and TFEs
Why Good Change and Configuration Management?
• Differing practices and policies among departments and/or units within departments
• Differing documentation practices
• Managerial visibility and organizational control
• Risk Management
Applicable CIP Standards and Rules
• CIP-003, R6: Change Control and Configuration Management
• CIP-007: Within the context of Change and Configuration Management
  - Test Procedures
  - Ports and Services
  - Security Patch Management
  - Malicious Software Prevention
  - Security Status Monitoring
  - Disposal or Redeployment
Schedule for Table 3 Entities
Requirement  | Begin Work | Substantially Compliant | Compliant | Auditably Compliant
CIP-003, R6  | 12/31/06   | 12/31/08                | 12/31/09  | 12/31/10
Change Management
• Documented process of change control
  - Adding, modifying, replacing, or removing Critical Cyber Assets
• Applies to hardware and software
  - Easy to develop tunnel vision and focus only on software
Configuration Management
• Documented process of change control
  - Identify, control, and document
• All entity- or vendor-related changes to Critical Cyber Assets
Overview/Explanation
• Documentation that tracks changes to Critical Cyber Asset hardware or software, to include:
  - Adding: adding hardware/software to an existing system
  - Modifying: making a change to existing hardware/software
  - Replacing: substituting new hardware/software for existing hardware/software
  - Removing: retiring/redeploying hardware/software
• Configuration management activities to:
  - Identify: when a change needs to be made or has been made
  - Control: approval for changes
Process Summary
• Items requiring documentation when changed:
  - Process documentation (use good version control)
  - Critical Asset & Critical Cyber Asset List
  - Test environment
  - Patch management
  - Changes to the Electronic Security Perimeter (ESP)
  - Changes to the Physical Security Perimeter (PSP)
  - Process for identifying and changing ports and services settings
• Criteria in the change process:
  - Types of changes
  - Who initiates the changes
  - Who approves the changes
  - Approvals and dates for all auditable items
Change Management vs. Configuration Management (One View)
• Change Management: process and activities undertaken to make changes to CCAs
  - Ex: Applying a software upgrade or adding additional memory to a laptop
• Configuration Management: process and activities undertaken to establish and/or make changes to the configuration of CCAs
  - Ex: Setting up a new CCA and/or changing the configuration of an existing CCA, such as port activation
Testing
• Why: Ensure that new cyber assets and/or changes to cyber assets (not just CCAs) do not compromise CCAs serving the Bulk Electric System
  - Significant Change: security patches, service packs, vendor releases/upgrades (including operating systems, applications, databases, etc.)
• Environment: the test environment is very important; it must "reflect" the production environment
• Documentation: test results must be documented (good, bad or neutral)
All consistent with generally accepted "best practices" for change management
Speaking of that…
• Good change and configuration management practices are just good business
• Should be viewed as part of the overall control and governance framework
• CIP Standards have specific requirements, but individual policy and practice may go beyond them
A Simplified View
[Diagram: Change Control and Configuration Management (CIP-003, R6) at the center, linked to Test Procedures; Asset Management; Documentation Review and Maintenance; Security Issues and Impacts (e.g., patch management, virus protection, etc.); and Access Review and Maintenance]
The Audit Trail
• Recall: once again, all associated measures and "measure" documentation
• Documentation emphasizing:
  - Process for change control and configuration management
  - Test procedures, test environment, test results
  - Security & Access issues (Ports & Services, Patch Mgmt, Malicious Software Protection, Security Status Monitoring, Cyber Vulnerability Assessment & Account Management)
  - Disposal or Redeployment
• Annual review & update of CIP-007 documentation
New Developments
• 9/30/09 FERC Order changes the documentation requirement from 90 days to 30 days for CIP-007, R9. This is effective in April 2010.
  - Also applicable to CIP-006, R1.7; CIP-008, R1.4; and CIP-009, R3
• 10/12/09 NERC Compliance Bulletin #2009-007 addresses the interim approach to Technical Feasibility Exceptions (TFEs)
Possible Penalties and Sanctions
• Up to $1M per day, per violation
  - Violation Severity Level (level of non-compliance)
  - Violation Risk Factors
• Mitigating factors may reduce penalties and sanctions
  - Quality of compliance program, self-reporting, voluntary corrective actions, etc.
• Aggravating factors may increase penalties and sanctions
  - Repeat violations, evasion, inaction, unwarranted intentional violations based on economic choice, etc.
Final Thoughts
• Always remember the importance of tone at the top and how it influences a culture of compliance
• Change and Configuration Management practices are about Risk Management and impact many areas of CIP compliance efforts
• Compliance is a process, not an event
• Documentation, documentation, documentation
Change and Configuration Management Strategies for CIP
KIM MORRIS
DIRECTOR, ARCHITECTURE AND INFORMATION SECURITY
Agenda
• NERC Guidance
• CIP Interdependencies with Change Control and Configuration Management
Based in Albuquerque, N.M., PNM Resources is an energy holding company with 2008 consolidated operating revenues from continuing and discontinued operations of $2.5 billion. Through its utilities, PNM and TNMP, and its energy subsidiary, First Choice Power, PNM Resources serves electricity to 859,000 homes and businesses in New Mexico and Texas.
Current Capacity: 2717 MW
CIP Component Breakdown
[Diagram: Critical Asset Inventory (Selection Criteria); Security Perimeter (Perimeter Definition); Cyber Assets (Asset Selection); Access Controls; Change Control and Configuration Management]
CC & CM in a Nutshell
• Applies to hardware and software in the Security Perimeter
  - Industrial control systems
    - Example: Control Center SCADA
  - Physical Security Management Systems
    - Example: CCTV, badge reader systems
  - Communications within the ESP
  - IT Management Services
Change Control: Definition Summary
• Establish and document a process for managing change for Critical Cyber Assets
Applicability
• Change Management Process
  - Requestors
  - Approval Authority
  - Testers
  - Implementers
Configuration Management: Definition Summary
• Establish and document a configuration management process for adding, modifying, replacing or removing Critical Cyber Asset hardware or software
Applicability
• Document Management: 90-day window (changes to 30 days in V2)
  - Version Control
  - Classification and Protection
• Testing
• Training
• Asset Inventory
• Ports and Services
Interdependencies
[Matrix of CIP functions against organizations. Organizations (columns): Industrial Control Systems, Control Center Operations, IT Management Services, Physical Security, General Counsel, Human Resources, Communications, Generation, Substations. Functions (rows): Access Control, Change Management, Document Control, Testing and Quality Assurance, Network Management, Incident Response, Systems Management, Training, Recovery Operations, Governance. An X marks each organization a function depends on; Document Control, Training and Governance are marked for all nine organizations.]
Documentation, Documentation
• Governance Documents: Policy, Procedures, Controls, Asset Configuration
  - Examples: Cyber Security Policy, Test Plans, Recovery Plans
Document Maintenance
• Change Management
• Ensure ongoing document review via the change management process
  - Asset Configuration
    - Ports and Services
    - Hardware/Software Release & Patch Level
  - Recovery Plans
  - Training Plans
  - Testing and Q/A Procedures and Testing Results
Document Governance
Scheduled Periodic Reviews
• Annual Review
  - Internal Governance Team
• Vulnerability Assessment
Leverage Existing Processes
• Governance Methodologies
  - Incident Management
  - Vulnerability Management
  - Risk Management
  - Change Management
  - Configuration Management
• Corporate IT Security
• Existing Policies and Procedures
Organization Roles for Compliance
[Org chart: Senior Manager; Compliance Manager; 3rd Party; Systems Engineer; Security Engineer; Network Engineer; Training; Corporate IT Security Manager]
Leverage Existing Programs and Standards Organizations
• Financial: Sarbanes-Oxley (SOX)
• Reliability: NERC
• Information Technology Infrastructure Library: ITIL
• National Institute of Standards and Technology: NIST
Test Procedures
• Change Management Applicability
  - Security Patches
  - Application and OS Updates
  - Database Updates
  - Firmware/Hardware
• Documentation Considerations
  - Testing and Q/A
  - Back-out Plans
  - Contingency Operations
    - e.g., illness, weather, disaster
  - Recovery Operations
  - Ports and Services
  - Training
  - TFEs
Training, Training, Training
• Change and Configuration Management Training
• Asset Additions, Changes, Disposals
• Incident Response
• Governance
Change and Configuration Guidance for Malicious Software Prevention
• Change Control and Configuration Management
• Antivirus and Anti-malware
  - Engines and Management Software
  - DAT and Signature Files
• Intrusion Prevention
  - Host-Based versus Appliance-Based
  - Signature Updates
Technical Feasibility Exceptions (TFEs)
Recommendations per current NERC guidance:
• Establish a standardized policy and process for TFEs
• Capture forms for TFEs in the Security Policy
• Utilize a standard exception process for TFEs
A Look into the Future…
AMI and Smart Grid Impacts
• IP-enabled networks
• Integrated Utility Electronic Security Perimeter
• "Smart" Controls
  - Network visibility
Final Thoughts
• Additional cyber risks will continue to be identified
  - Ensure the compliance program can adapt to meet the changing demands of the organization and of reliability
• Streamline Processes and Controls
  - Six Sigma
  - Tools and automated processes
• Find opportunities to use existing processes and controls
Questions & Answers
9/30/09 FERC Order: http://www.ferc.gov/EventCalendar/Files/20090930165448-RD09-7-000.pdf
NERC Compliance Bulletin: http://www.nerc.com/files/2009-007_Public_Notice-V1.pdf
Contact Information: webcastquestions@energycentral.com
CIP Compliance Series Webcasts
For comprehensive preparation for the implementation, compliance, and auditing phases of the CIP standards program, attend all six. Upgrade and save 10%. Apply your single event purchase to the cost of the entire series. Call 800-459-2233 or e-mail orders@energycentral.com for information.
Date      | Topic
9/23/09   | Identifying Critical Assets (On Demand)
10/6/09   | Program Governance Issues (On Demand)
10/21/09  | Change Management Systems (On Demand)
11/11/09  | Personnel Issues & Training
12/2/09   | Physical & Electronic Access Controls
12/16/09  | Testing Procedures & Recovery Plans