
Cyber Security Standards Update: Version 5 with Revisions


2 RELIABILITY | ACCOUNTABILITY

Agenda

CIP Standards History

CIP Standards History

Pre-Version 1

• FERC Request for Standard Market Design
  o Request from FERC Staff to develop language May 8, 2002
  o Modeled after ISO17799
  o Transmitted to FERC on July 25, 2002
  o Included in Standard Market Design NOPR as “Appendix G”
• Urgent Action 1200
  o Follow-on to SMD Appendix G work

Version 1

• SAR Effort started August 2003
• Requirements drafting started June 8, 2004
• Filed with FERC August 28, 2006
• Approved by FERC January 18, 2008

Version 2

• SAR started February 2008
• Requirements development started October 6, 2008
• Low-hanging fruit
• Filed with FERC May 22, 2009
• Approved by FERC September 30, 2009
• Effective April 1, 2010

Version 3 (current effective version)

• Compliance filing to Version 2

Version 4

• Critical Asset bright-lines
• Approved by Industry on December 30, 2010
• Filed with FERC on February 10, 2011
• Approved by FERC on April 19, 2012

CIP Standards – Version 5 D1

• Post for 60-day comment and concurrent ballot period – November 7, 2011 to January 6, 2012
• 20-day ballot period (December 17, 2011 – January 6, 2012)
• Multiple separate ballots
  o One for each standard (10 standards)
  o One for Implementation Plan

CIP Standards – Version 5 D2

• Post for 40-day comment and concurrent ballot period – April 12, 2012 to May 21, 2012
• 10-day ballot period (May 11, 2012 – May 21, 2012)
• Multiple separate ballots
  o Single ballot pool

CIP Standards – Version 5 D3

• Post for 30-day comment and concurrent ballot period – September 11, 2012 to October 10, 2012
• 10-day ballot period (October 1, 2012 – October 10, 2012)
• Multiple separate ballots
  o Single ballot pool

CIP Standards – Version 5 D4

• Post for 10-day recirculation ballot period – October 26, 2012 to November 5, 2012
• No “substantial” changes made to standards
  o Clarifications and corrections based on comments received from Draft 3
• Changes to existing votes from last successive ballot
  o No action – maintain Draft 3 vote
• Multiple separate ballots
  o Single ballot pool


Version 5 Ballot Results

FERC Approval Process

• Filed with FERC February 1, 2013 (after 5:00 PM on 1/31)
  o FERC Docket RM13-5
  o 10,483 page filing (yes, ten thousand pages)
  o Available on NERC Website at:
    - http://www.nerc.com/news/Headlines%20DL/Final_Petition_CIP_V5_01-31-13%20and%20Exhibits%20A-E.pdf
    - http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Exhibit%20F%20(Part%201%20of%202).pdf
    - http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Exhibit%20F%20(Part%202%20of%202).pdf
    - http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Exhibits%20G-H.pdf
  o FERC version at http://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=13167892 (76MB file)

CIP Standards – Version 5

• CIP-002-5: BES Cyber Asset and BES Cyber System Categorization
• CIP-003-5: Security Management Controls
• CIP-004-5: Personnel and Training
• CIP-005-5: Electronic Security Perimeter(s)
• CIP-006-5: Physical Security of BES Cyber Systems
• CIP-007-5: Systems Security Management
• CIP-008-5: Incident Reporting and Response Planning
• CIP-009-5: Recovery Plans for BES Cyber Assets and Systems
• CIP-010-1: Configuration Management and Vulnerability Assessments

SDT’s Development Goals

Goal 1: To address the remaining requirements-related directives from all CIP related FERC orders, all approved interpretations, and CAN topics within applicable existing requirements.

Goal 2: To develop consistent identification criteria of BES Cyber Systems and application of cyber security requirements that are appropriate for the risk presented to the BES.

Goal 3: To provide guidance and context for each Standard Requirement.

Goal 4: To leverage current stakeholder

Goal 5: To minimize technical feasibility exceptions.

Goal 6: To develop requirements that foster a “culture of security” and due diligence in the industry to complement a “culture of compliance”.

Goal 7: To develop a realistic and comprehensible implementation plan for the industry.

CIP Standards – Version 5

New / Modified Terms:

• BES Cyber Asset
• BES Cyber System
• BES Cyber System Information
• CIP Exceptional Circumstance
• CIP Senior Manager
• Control Center
• Cyber Assets
• Cyber Security Incident
• Dial-up Connectivity
• Electronic Access Control and Monitoring Systems (EACMS)
• Electronic Access Point (EAP)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity
• Interactive Remote Access
• Intermediate System
• Physical Access Control Systems (PACS)
• Physical Security Perimeter (PSP)
• Protected Cyber Asset (PCA)

BES Cyber Systems

Cyber Assets: Programmable electronic devices, and communication networks including the hardware,

BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and

BES Cyber System: One or more BES Cyber Assets

Electronic Perimeters

External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

Dial-up Connectivity: A data communication link that

Electronic Security Perimeter (“ESP”): The logical border surrounding a network to which Critical Cyber Assets BES Cyber Systems are connected using a routable protocol and for which access is controlled.

Electronic Access Point (“EAP”): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber

Electronic Access Control or Monitoring Systems (“EACMS”): Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.

Protected Cyber Assets (“PCA”): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer,

Interactive Remote Access

Interactive Remote Access: User-initiated access by a

Intermediate System: A Cyber Asset or collection of

Physical Perimeters

Physical Security Perimeter (“PSP”): The physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled. The physical border surrounding locations in which BES Cyber Assets, BES Cyber

Physical Access Control Systems (“PACS”): Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control

Control Centers

Control Center: One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more

CIP Standards – Version 5

Retired Terms

• Critical Assets

CIP-002

• Eliminates the “Critical Asset” step of the identification process
• Builds on “bright line” concepts introduced in CIP-002-4
• “Version 3/4” Critical Asset control centers – High
• Other “Version 3/4” Critical Assets – Medium
• Some “Version 3/4” non-critical assets – Medium
• Transmission now looking at a “capacity calculation” rather than number of lines at a voltage level
  o See http://www.nerc.com/docs/pc/rmwg/pas/index_team/SRI_Equation_Refinement_May6_2011.pdf
• Catch-all category for non-specifically categorized – Low
  o “Something everywhere” – within the BES

CIP Standards – Version 5

• High Impact
  – Large Control Centers
  – CIP-003 to 009 V3/V4 “plus”
• Medium Impact
  – Generation and Transmission
  – Control Centers
  – Similar to CIP-003 to 009 V3/V4
• All other BES Cyber Systems (Low Impact) must implement a policy to address:
  – Cybersecurity Awareness
  – Physical Security Controls
  – Electronic Access Controls
  – Incident Response

[Figure: V3/V4 categories (Critical, Non-Critical, Non-Impactful (Distribution, Marketing, Business)) mapped to V5 impact levels (High, Medium, Low) for Large Control Centers, Control Centers, Small Control Centers, and Generation and Transmission]

CIP-002-5

Notes when reading NERC Standards:

• Capitalization is very important.
  o Capitalized words refer to terms in the NERC Glossary of Terms Used in Reliability Standards (http://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf)
  o Non-capitalized terms do not refer to NERC glossary terms
    - i.e., “Real-time” is not the same as “real-time”
    - “Facilities” is not the same as “facilities”
• Terms with well known and authoritative definitions defer to those authoritative sources (e.g., “FACTS”)

Version 5 Impact Rating Criteria

High Impact Rating (H):

Each BES Cyber System used by and located at any of the following:

1.1. Each Control Center or backup Control Center used to perform the functional obligations of the Reliability Coordinator. (V4 1.14)

1.2. Each Control Center or backup Control Center used to perform the functional obligations of the Balancing Authority: 1) for generation equal to or greater than an aggregate of 3000 MW in a single Interconnection, or 2) for one or more of the assets that meet criterion 2.3, 2.6, or 2.9. (V4 1.15)

1.3. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10. (V4 1.16)

1.4. Each Control Center or backup Control Center used to perform the

Medium Impact Rating (M):

Each BES Cyber System, not included in Section 1 above, associated with any of the following:

2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection. (V4 1.1)

2.3. Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year. (V4 1.3)

2.4. Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion, the collector bus for a generation plant is not

2.5. Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the table below. The "aggregate weighted value" for a single station or substation is determined by summing the "weight value per line" shown in the table below for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility. (V4 1.7)

Voltage Value of a Line              Weight Value per Line
less than 200 kV (not applicable)    (not applicable)
200 kV to 299 kV                     700
300 kV to 499 kV                     1300
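The criterion 2.5 test above, worked through for four stations as an added example (not part of the original slides or of NERC's material). Station names, line names and voltages are constructed; giving no weight to lines at 500 kV or higher is an assumption, since the table as shown stops at 499 kV and those Facilities are rated under criterion 2.4.

```python
from dataclasses import dataclass

# "Weight value per line" rows from the criterion 2.5 table: [low, high) kV -> weight.
LINE_WEIGHTS = ((200, 300, 700), (300, 500, 1300))
AGGREGATE_THRESHOLD = 3000   # the aggregate weighted value must EXCEED this
MIN_OTHER_STATIONS = 3       # "three or more other Transmission stations or substations"


@dataclass(frozen=True)
class Line:
    """One BES Transmission Line terminating at the station under review."""
    name: str
    kv: float                    # nominal operating voltage
    remote_station: str          # station at the other end of the line
    collector_bus: bool = False  # generation collector bus, not a Transmission Facility


def weight_per_line(kv):
    """Weight from the slide's table; voltages outside the table add nothing."""
    for low, high, weight in LINE_WEIGHTS:
        if low <= kv < high:
            return weight
    # Below 200 kV is "not applicable". Assumption: 500 kV and higher adds no
    # weight here because criterion 2.4 already rates those Facilities.
    return 0


def assess_criterion_2_5(lines):
    """Return the two inputs and the outcome of the criterion 2.5 test."""
    counted = [ln for ln in lines if not ln.collector_bus]
    aggregate = sum(weight_per_line(ln.kv) for ln in counted)
    # Connectivity test: distinct other stations reached at 200 kV or higher.
    # Two circuits to the same neighbour add weight twice but count once here.
    neighbours = {ln.remote_station for ln in counted if ln.kv >= 200}
    return {
        "aggregate_weighted_value": aggregate,
        "other_stations": len(neighbours),
        "meets_2_5": (len(neighbours) >= MIN_OTHER_STATIONS
                      and aggregate > AGGREGATE_THRESHOLD),
    }


def medium_impact_stations(stations):
    """Names of stations whose Transmission Facilities meet criterion 2.5."""
    return [name for name, lines in stations.items()
            if assess_criterion_2_5(lines)["meets_2_5"]]


# Constructed sample data, one station per interesting case.
STATIONS = {
    # 1300 + 1300 + 700 = 3300 with three neighbours: meets the criterion.
    "Alder": [Line("A1", 345, "Birch"), Line("A2", 345, "Cedar"),
              Line("A3", 230, "Dogwood")],
    # 3900 exceeds 3000, but a double circuit leaves only two neighbours.
    "Elm": [Line("E1", 345, "Fir"), Line("E2", 345, "Fir"),
            Line("E3", 345, "Ginkgo")],
    # Four neighbours, but 4 x 700 = 2800 does not exceed 3000.
    "Hazel": [Line("H1", 230, "Iris"), Line("H2", 230, "Ivy"),
              Line("H3", 230, "Jade"), Line("H4", 230, "Kale")],
    # Collector bus and 138 kV line are excluded, leaving 2000 and two neighbours.
    "Juniper": [Line("J1", 345, "Kestrel"), Line("J2", 230, "Larch"),
                Line("J3", 345, "Juniper Plant", collector_bus=True),
                Line("J4", 138, "Maple")],
}

if __name__ == "__main__":
    for station, station_lines in STATIONS.items():
        print(station, assess_criterion_2_5(station_lines))
```

Both conditions have to hold together: Elm passes on weight and fails on connectivity, Hazel the reverse.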

2.6. Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies. (V4 1.8 & 1.9)

2.7. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements. (V4 1.11)

2.8. Transmission Facilities, including generation interconnection Facilities, providing the generation interconnection required to connect generator output to the Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered

2.9. Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated switching System that operates BES Elements, that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limits (IROLs) violations for failure to operate as designed or cause a reduction in one or more IROLs if destroyed, degraded, misused, or otherwise rendered unavailable. (V4 1.12)

2.10. Each system or group of Elements that performs automatic Load shedding under a common control system, without human operator initiation, of 300 MW or more implementing

2.11. Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. (V4 1.15)

2.12. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above. (V4 1.16)

Low Impact Rating (L)

BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard:

3.1. Control Centers and backup Control Centers.

3.2. Transmission stations and substations.

3.3. Generation resources.

3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements. (V4 1.4 & 1.5)

3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System. (V4 1.12)

CIP Standards – Version 5

Non-CCA assets in Version 3 are also covered

• “Non-Critical Cyber Assets within an ESP” are now named Protected Cyber Assets, are associated with a BES Cyber System, and called out in the Applicable Systems column
• EACMS and PACS are associated with a BES Cyber System, and are

CIP Standards – Version 5

High Water Marking

• Within an ESP, all systems are treated as if they are at the highest impact level of any system in the same ESP
• Includes non-impactful Cyber Assets (e.g., market systems, distribution systems, corporate systems)
• (See definition of PCA)

[Figure: ESPs containing Market Systems together with High, Medium and Low Impact BES Cyber Systems; one ESP is labeled “All treated as High Impact BES Cyber Systems”]
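High water marking applied to a small asset inventory, as an added example that is not part of the original slides. The asset names, ESP names and the "None" label for non-impactful Cyber Assets are constructed, and every asset listed in an ESP is assumed to be connected there by a routable protocol.

```python
from collections import defaultdict

# Ordering of impact ratings; "None" marks a non-impactful Cyber Asset
# (market, distribution or corporate system) in this example.
RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed inventory: (Cyber Asset, ESP it sits in or None, own impact rating).
INVENTORY = [
    ("ems-server",    "ESP-CC",  "High"),
    ("gen-dispatch",  "ESP-CC",  "Medium"),
    ("market-system", "ESP-CC",  "None"),
    ("sub-rtu",       "ESP-SUB", "Medium"),
    ("sub-historian", "ESP-SUB", "None"),
    ("corp-mail",     None,      "None"),
]


def high_water_mark(inventory):
    """Map each asset to the rating it is treated as inside its ESP.

    Following the PCA definition on the slides, an asset that is not part of
    the highest impact BES Cyber System in its ESP is flagged as a Protected
    Cyber Asset and takes that highest rating.
    """
    top = defaultdict(lambda: "None")   # highest rating seen per ESP
    for _, esp, rating in inventory:
        if esp is not None and RANK[rating] > RANK[top[esp]]:
            top[esp] = rating

    result = {}
    for name, esp, rating in inventory:
        if esp is None or top[esp] == "None":
            # Outside any ESP (or no BES Cyber System present): nothing to inherit.
            result[name] = {"treated_as": rating, "protected_cyber_asset": False}
        else:
            result[name] = {"treated_as": top[esp],
                            "protected_cyber_asset": rating != top[esp]}
    return result


def uplifted(inventory):
    """Assets whose treated-as rating is higher than their own rating."""
    marks = high_water_mark(inventory)
    return [name for name, _, rating in inventory
            if RANK[marks[name]["treated_as"]] > RANK[rating]]


if __name__ == "__main__":
    for asset, outcome in high_water_mark(INVENTORY).items():
        print(f"{asset:14} {outcome}")
    print("uplifted:", uplifted(INVENTORY))
```

The `uplifted` list is the set of assets whose obligations are set by their network placement rather than by their own function.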

CIP Standards – Version 5

[Figure: annotated layout of a Version 5 standard, with labels: Rationale, Guidance & Changes; Main Requirement and Measure; Applicable Systems for requirement part; Requirement part text; Requirement part Measure text]

CIP Standards – Version 5

Format

• Following Results-based Standards format
• Background section before requirements
• Requirement and Measurement next to each other
• Rationale and guidance developed in parallel with requirements
• Two posting formats – one with guidance/rationale text boxes inline; other with guidance and rationale text grouped at end
• Still must audit only to the requirement

CIP Standards – Version 5

Applicable Systems column in tables

• What systems the row in the table applies to
• Listed in each standard
• Specific phrases – consistent across all standards
• A requirement part (row) may have multiple applicability statements
• Examples:
  o High Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems
  o Medium Impact BES Cyber Systems at Control Centers
  o Medium Impact BES Cyber Systems with External Routable Connectivity
  o Protected Cyber Assets

CIP Standards – Version 5

Connectivity

• No longer a blanket exemption
• Now listed in applicability section – Routable Connectivity or Dial-up Connectivity
• “Routable protocol” applicability now applies where large volume, real-time communications requirements are listed – e.g., logging

Low Impact

• CIP-003-5 Requirement R2
• “Programmatic” controls (i.e., have a program for …)
• Requires physical and cyber security protections for “locations” containing low

CIP Standards – Version 5

TFEs

• Attempting to minimize required TFEs (e.g., anti-malware on switches)
• Reduced from 14 requirements/subs to 8 requirements (13 parts)
• But … still have TFEs (including new ones where existing V1 – V4 problems exist)
• Have added “per Cyber Asset capability” language to allow strict compliance with the language of the requirement, without requiring a TFE (~5 requirements)

Measures

• Guidance to auditors as well as entities
• “An example of evidence may include, but is not limited to, …”

CIP Standards – Version 5

Bulleted lists vs. numbered lists

• Bulleted lists are separated by “or”
  o Bulleted lists imply that not all of the items in the list are required
• Numbered lists are separated by “and”
  o Numbered lists imply that all of the items in the lists are required

Features of Version 5

• Closes out directives in FERC Order No. 706 (also, FERC Order No. 761 imposed March 31, 2013, filing deadline)
• Results-based standards
  o Focus on reliability and security-related result
  o Non-technology specific
  o Smarter use of Technical Feasibility Exception (TFE) process
  o “Plain language of the requirement”, i.e., “per device capability”
• Risk-informed systems approach
  o Adopt solutions and tailor security based on function and risk
  o No longer a harsh “in or out” demarcation for applicability
• Systems approach illustration
  o Cyber Assets function together as a complex system
  o Identify the system and apply requirements to the whole rather than the part
• Paradigm shift that builds on experience
  o Informed by and responsive to implementation and audit lessons from Versions 1 through 3
  o Framework for establishing a culture of security
• Balanced flexibility
  o Demonstrates clear accountability for Critical Infrastructure Protection, yet . . .
  o Allows adaptation of requirements to individual operations

CIP Standards – Version 5

Proposed Effective Date (from CIP-002-5; all standards use the same language):

1. 24 Months Minimum – CIP-002-5 shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required CIP-002-5 shall become effective on the first day of the ninth calendar quarter following Board of Trustees’ approval, or as otherwise made effective pursuant to the laws applicable to such ERO

CIP Standards – Version 5

Implementation issues:

• Specified initial performance of all periodic requirements in implementation plan
• 24 months following regulatory approval for all requirements
• Identity Verification does not need to be repeated
• Discussion of unplanned re-categorization to a higher impact level
• Discussion of disaster recovery actions

CIP Standards – Version 5

Applicability Section:

• Section 4.1 Functional Entities
  o Describes which asset owners, based on their functional model designation, and specific ownership of assets, must comply with the standards
  o May have no qualifications – applies to all entities registered for that function
• Section 4.2 Facilities
  o Describes which assets must comply with the standards
  o May have no qualifications – applies to all BES assets

Applicability Example:

• For Distribution Providers – only those registered DPs that own specifically called out pieces of equipment, such as UFLS systems, must comply with the standards
• For those DPs, only the specifically called out pieces of equipment must comply with the standards
• If a DP does not own any called out equipment, it does not need to comply with the standards

CIP Standards – Version 5

CIP-002-5 through CIP-009-5, CIP-010-1, CIP-011-1

“Results-based Standard” format

• Requirements and measures together
• Guidance and rationale in text boxes

“Looks” bigger

• ~1” printout for Version 5 compared to ~¼” printout for Version 3/4

CIP Standards – Version 5

CIP-002: 2 Requirements; 5 Parts; Attachment with bright lines for High and Medium
CIP-003: 4 Requirements; 13 Parts
CIP-004: 5 Requirements; 18 Parts
CIP-005: 2 Requirements; 8 Parts
CIP-006: 3 Requirements; 13 Parts
CIP-007: 5 Requirements; 20 Parts
CIP-008: 3 Requirements; 9 Parts
CIP-009: 3 Requirements; 10 Parts
CIP-010: 3 Requirements; 10 Parts
CIP-011: 2 Requirements; 4 Parts


Version 3 Requirement Counts

CIP Standards – Version 5

Sub-Requirements

• Each Requirement / Sub-Requirement is a compliance touch-point
• Non-compliance with a sub-requirement stands on its own
• Sub-requirements have independent VSLs (unless rolled-up)

Requirement Parts

• Only the Requirement is a compliance touch-point
• Cannot be independently in non-compliance with a Part
• VSLs written only at the Requirement level (making very long and complicated VSL language)

Version 5 Technical Webinar

• Draft 1 Technical Webinar on format and CIP-002
  o Industry lead
  o November 15, 2011
• Draft 1 Technical webinar on CIP-003 through CIP-011
  o Industry lead
  o November 29, 2011

Version 5 Webinars

• Draft 2 Technical Webinar
  o SDT Lead
  o April 10, 2012
• Draft 3 Technical Webinar
  o SDT Lead
  o September 21, 2012

CIP Standards – Version 5

• “Annual” – interaction with CAN-0010 – now “15 months”
• Monthly requirements – changed to 35 days
• Measures are examples with bulleted lists; format, wording
• Compliance artifacts in requirements (e.g., “documentation of …”)
• LSE (removed), replaced with DP
  o LSE functions changed since original standards development timeframe
• 300 MW threshold on UFLS/UVLS
  o No justification for a different value
• Definition / threshold of Control Center
  o Includes “data centers”
• Connectivity (routable, dial-up)
• Low Impact (policy only)
  o List not required
• Date tracking (PRA, training, access, etc.)
• Access revocation (reassignments, timing, immediate)
• Removed 99.9% availability phrasing
  o Difficult to track and audit
• Interactive Remote Access
  o Clarify encryption and multi-factor authentication points
• Ports & Services –
  o Physical ports - FERC Directive
• No remediation plan if install patches within 35 days
  o Allow updates to existing plans rather than new plans all the time
• Periodic review of patch sources – not individual patches
• Anti-malware – clarify system level
• “Per device capability” clauses added
• Password changing / pseudorandom passwords (RuggedCom vulnerability impacts)
• Take back reporting requirement from EOP-004 into CIP-008
• Guidance on “active” vs. “passive” vulnerability assessment

Version 5 NOPR

Issued April 18, 2013

• Posted at http://www.ferc.gov/whats-new/comm-meet/2013/041813/E-7.pdf
• 75 pages
• Comments due June 24, 2013 (60 days after publication in Federal Register)
• Contains 48 specific requests for comment (may be overlap)
• Proposes 11 directives for change

Major Themes:

• “Identify, Assess and Correct” language
• Impact Categorization
  o No reference to studies supporting bright-line thresholds
  o No consideration of coordinated attack on multiple low impact systems
  o Only based on BES impact (i.e., no assessment of “confidentiality, integrity or availability”)
• Low Impact BES Cyber Systems
• Definitions:
  o 15 minute impact in BES Cyber Asset
  o Generation Control Centers (vs. control rooms)
  o Removal of “communication networks” from Cyber Asset
  o Use of “reliability tasks” phrase
• Implementation Plan
  o Proposes to accept the “Version 4 bypass” language
  o Are 24/36 months necessary?
• Violation Risk Factors
  o Inconsistent with prior versions
• Violation Severity Levels
  o Inconsistent with Commission guidelines

New Topics (post Order No. 706)

• Communications Security
  o Including encryption, protections for serial communications
• Remote Access (more than proposed Version 5 language?)
  o May already be covered by Version 5 language
• NIST topics
  o Maintenance devices
  o Separation of duties
  o Threat / risk based categorization
  o May include other areas

Version 5 NOPR

NERC Response:

• 60 page response (largest response)
  o (http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/NERC%20Comments%20to%20CIPV5%20NOPR%20_%20FINAL.pdf)
• Supports standards as filed:
  o IAC:
    - Discusses meaning of IAC language
    - Reliability Benefit of IAC Language
    - Compliance obligations of IAC language
    - Consistency with NIST Framework
  o BES Cyber Asset Categorization and Protection
    - Supports Facility rating approach
    - Protections of low impact BES Cyber Assets
  o Definitions: BES Cyber Asset
    - 15-minute parameter
    - 30-day exclusion
  o Definitions: Control Center
    - Geographically disperse generating plants
  o Definitions: Cyber Assets
    - Removal of “communications networks”
  o Definitions: Reliability Tasks
    - Well-understood term
  o Definitions: Intermediate Devices
  o Implementation Plan:
    - 24- and 36-month timeframes appropriate and necessary
    - Transition guidance and pilot program
  o VRF & VSL
    - Severity of violation as expressed in duration of violation
    - Not two separate violations
  o Other Technical Concerns
    - Technical conferences to discuss issues
    - Use Reliability Standards Development Process
  o Remote Access

NOPR Comments:

• 65 files submitted from 62 parties
• 782 pages
• Generally supportive of NERC positions
  o Issues with IAC language
  o Issues with RFA analysis and estimates (cost & time)

Next Steps:

Final Rule Issued November 22, 2013

• Docket RM13-5
• Order No. 791
• 146 page rule
• Published in Federal Register December 3, 2013

• Effective Date of Final Rule: February 3, 2014
• Effective Date for Compliance with all non-periodic requirements:
  o April 1, 2016 for High and Medium Impact
  o April 1, 2017 for Low Impact
• Compliance with initial performance of periodic requirements as discussed in the Implementation Plan, using an Effective Date of April 1, 2016

• Approved technical requirements
• Approved 19 definitions
• Approved implementation plan
• Approved bypass of Version 4
• Approve, with modifications, VRF / VSL

• Submit modified VRF / VSL within 90 days
• Submit two directed changes and one informational filing within one year
  o IAC
  o Communications Networks
  o Survey: 15-minute clause
• Two other directed changes do not have specified time frame
  o Low Impact BES Cyber Systems
  o Transient Devices

• Address concerns with IAC Language
• Prefer to have compliance language removed from requirements
• Allow for flexibility for addressing concerns
• Supports move away from “zero tolerance” compliance approach for the 17 requirements
• IAC language ambiguous, concerns about inconsistent application, unclear expectations placed on industry
• Submit within one year

(82)

83 RELIABILITY | ACCOUNTABILITY

Allow impact-based categorization

May revisit in future

Not persuaded to move blackstart from Low to

Medium, but may revisit

Does not consider connectivity, but may revisit

Confirm that Low will not include non-BES assets

(83)

Lack of objective criteria for evaluating

Low Impact protections

“Introduces unacceptable level of ambiguity and

potential inconsistency into the compliance process”

Open to alternative approaches

“… the criteria NERC proposes for evaluating a

responsible entities’ protections for Low impact facilities

should be clear, objective and commensurate with their

impact on the system, and technically justified.”

No detailed inventory required … list of locations /

Facilities OK

(84)

Survey industry about impacts of 15-minute parameter, during transition period

What Cyber Assets are included / excluded by the 15-minute parameter

Informational filing to FERC in one year

Commission may revisit issue following informational filing

(85)

Do not direct change to definition

Directed modifications to address transient devices issues

(86)

Devices connected for less than 30 days (USB, laptop, etc.)

Direct modifications to address the following concerns:

Device authorization

Software authorization

Security patch management

Malware prevention

Unauthorized physical access

Procedures for connecting to different impact level systems

(87)

Accept definition without change

(88)

Approve definition of Cyber Asset without change

Direct creation of definition of “communication networks” and requirements to address issues:

Locked wiring closets

Disconnected or locked spare jacks

Protection of cabling by conduit or cable trays

Submit within one year

Include discussion in FERC Staff-led conference

(89)

No need to define phrase

Refers to Functional Model tasks

(90)

Accept errata filing (Intermediate Devices -> Intermediate Systems)

(91)

Approve Implementation Plan as filed

24-month for High & Medium

36-month for Low

Bypass Version 4

Support NERC proposal to develop transition guidance and pilot program

Declined to extend implementation plan

Not persuaded to allow early shift to V5

However, “issues of early compliance can be addressed by NERC and Registered Entities as appropriate.”

(92)

Approve 30 (of 32) VRFs

Move two VRFs from Lower to Medium

Modify VSLs:

IAC Language

Address typographical errors

Clarify unexplained elements

Submit within 90 days

Additional VSL changes will be required for any changed requirement

IAC

(93)

FERC Staff-led conference within 180 days

NIST Framework for categorizations (C-I-A)

Communications security

Remote access

Differences between CIP & NIST

May produce new or modified directives

(94)

Errata Notice

Issued Dec 13, 2013

Corrects P 16 of order to confirm effective date of standard:

 This errata notice serves to correct P 16. Specifically, the reference to “eighth” in the seventh line of P 16 is changed to “[ninth].” The sentence as revised would thus read,

(95)

VRF/VSL Compliance Filing

Updated VRFs & VSLs filed with FERC on May 15, 2014

 Response to Order No. 791

VRF modifications filed for:

 CIP-006-5, Requirement R3

 CIP-004-5.1, Requirement R4

VSL modifications filed for

 CIP-003-5, Requirements R1 and R2

 CIP-004-5.1, Requirement R4

 CIP-008-5, Requirement R2

 CIP-009-5, Requirement R3

(96)

Steps Forward

Any change to the requirements language must be made pursuant to the NERC Standards Process Manual

Standards Drafting Team will need to be involved

Opportunity for industry comment and ballot

Two directives with timeframes

Must file in prescribed timeframe

Desire to address all directives as soon as possible

VRF/VSL changes and Survey will happen outside of

(97)

References

Project 2008-06 Development History:

Version 4 page:

 http://www.nerc.com/pa/Stand/Pages/Project_2008-06_Cyber_Security_PhaseII_Standards.aspx

Version 4 Guidance Document

 http://www.nerc.com/pa/Stand/Pages/Project_2008-06_CIP-002-4_Guidance_clean_20101220.pdf

Version 5 page:

 http://www.nerc.com/pa/Stand/Pages/Project_2008-06_Cyber_Security_Version_5_CIP_Standards.aspx

Version 5 Transition Guidance

(98)

Questions

Scott Mix, CISSP
