Cyber Security Standards: Version 5 Revisions. Security Reliability Program 2015

• Standard Drafting Team (SDT) appointed to address these revisions in Project 2014-02:
  – Maggy Powell, Exelon
  – Philip Huff, AECC
  – David Revill, GTC
  – Jay Cribb, Southern Company
  – Forrest Krigbaum, BPA
  – David Dockery, AECI
  – Greg Goodrich, NYISO

CIP Standards – “Version 5”
• CIP-002-5.1*: BES Cyber Asset and BES Cyber System Categorization
• CIP-003-6**: Security Management Controls
• CIP-004-6**: Personnel and Training
• CIP-005-5: Electronic Security Perimeter(s)
• CIP-006-6: Physical Security of BES Cyber Systems

CIP Standards – “Version 5” (continued)
• CIP-008-5: Incident Reporting and Response Planning
• CIP-009-6: Recovery Plans for BES Cyber Assets and Systems
• CIP-010-2***: Configuration Management and Vulnerability Assessments

• Four directive areas
• One-year filing deadline
• Outreach during development and comment period

FERC Final Rule
• Issued November 3, 2013
  – Effective February 3, 2014
• Four directives:
  – Identify, Assess, and Correct language
  – Communication Networks
  – Low Impact BES Cyber Systems
  – Transient Devices

Identify, Assess, and Correct
• FERC preferred not to have “compliance language” included within the technical requirements
• SDT responded by deleting the language from 17 requirements

Communication Networks
• FERC directed creation of a definition of “communication networks” and requirements to address issues such as:
  – Locked wiring closets
  – Disconnected or locked spare jacks

Communication Networks (continued)
• SDT responded by adding CIP-006 Part 1.10 to address protection of “non-programmable” components of communication networks that are inside an ESP but outside of a PSP
• SDT also modified CIP-007 Part 1.2 to address unused physical ports on non-programmable communication components and devices at high and medium impact Control Centers

Transient Devices
• Described in the Final Rule as devices connected for less than 30 days (USB, laptop, etc.)
• FERC directed modifications to address the following concerns:
  – Device authorization
  – Software authorization
  – Security patch management
  – Malware prevention
  – Unauthorized physical access

Transient Devices (continued)
• SDT developed two additional definitions:
  – Removable Media
  – Transient Cyber Assets
• Added CIP-010 Requirement R4 dealing with the issue
  – Detailed requirements in an attachment and measures in a separate attachment
  – Separated into three areas:
    o Transient Cyber Assets managed by the Responsible Entity
    o Transient Cyber Assets managed by other parties
    o Removable Media

Transient Cyber Assets

Transient Cyber Asset: A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or

Transient Cyber Assets (continued)

Removable Media: Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly

Low Impact BES Cyber Systems
• FERC concerned with the lack of objective criteria for evaluating Low Impact protections
  – “Introduces unacceptable level of ambiguity and potential inconsistency into the compliance process”
  – Open to alternative approaches
  – “… the criteria NERC proposes for evaluating a responsible entities’ protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.”

Low Impact BES Cyber Systems (continued)
• SDT maintained all low impact requirements in CIP-003
  – “Low-only entities” only need to comply with CIP-002 and CIP-003
• Added CIP-003 Part 1.2 dealing with the security policy for low impact BES Cyber Systems
• Added Attachments dealing with the technical requirements and measures

Low Impact BES Cyber Systems (continued)
• Security Awareness
  – “… reinforce, at least every 15 calendar months, cyber security practices…”
• Incident Response
  – Modeled on the medium impact requirements
  – 6 elements (of 9): the process requirements and the update requirements were collapsed together; no documentation of deviations or specific record retention is required, but the entity still needs to demonstrate compliance
• Physical Security

Low Impact BES Cyber Systems (continued)
• Electronic Security
  – Two new definitions: LERC and LEAP
  – Similar to, but different from, the ERC and EAP concepts at medium and high impact
  – “…permit only necessary inbound and outbound bi-directional routable protocol access…”
  – “…authentication for all Dial-up Connectivity…”

ERC – External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

LERC – Low Impact External Routable Connectivity: Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC

EAP – Electronic Access Point: A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

LEAP – Low Impact BES Cyber System Electronic Access Point: A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location

Implementation Plan

Phased implementation plan:
  – IAC – no change (4/1/16)
  – Communication Networks – 9 months after the effective date of the standard
  – Transient Devices – 9 months after the effective date of the standard
  – Low Impact
    o Later of 4/1/17 or 9 months after the effective date of the standard for policy, plan, security awareness, and response
    o Later of 9/1/18 or 9 months after the effective date of the standard for physical

Implementation Plan (continued)

Effective dates following NERC Board Adoption, if FERC approves CIPV5R in 3Q15, 4Q15 or 1Q16:

Standard/Requirement        Revision                       3Q15       4Q15       1Q16
CIP-002-5                   not up for revision            1-Apr-16   1-Apr-16   1-Apr-16
CIP-003-6                                                  1-Apr-16   1-Apr-16   1-Jul-16
CIP-003-6, R1, part 1.1     H/M - Policy                   1-Apr-16   1-Apr-16   1-Apr-16
CIP-003-6, R1, part 1.2     LI - Policy                    1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-6, R2               LI - Plan                      1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-6, Att 1, Sect. 1   LI - Sec Awareness             1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-6, Att 1, Sect. 2   LI - Phys Security             1-Sep-18   1-Sep-18   1-Sep-18
CIP-003-6, Att 1, Sect. 3   LI - Elec. Access              1-Sep-18   1-Sep-18   1-Sep-18
CIP-003-6, Att 1, Sect. 4   LI - Incident Resp             1-Apr-17   1-Apr-17   1-Apr-17
CIP-004-6                   TCA & RM added to Training     1-Apr-16   1-Apr-16   1-Jul-16
CIP-005-5                   not up for revision            1-Apr-16   1-Apr-16   1-Apr-16
CIP-006-6                                                  1-Apr-16   1-Apr-16   1-Jul-16
CIP-006-6, R1, part 1.10*   CN                             1-Jan-17   1-Jan-17   1-Apr-17
CIP-007-6                                                  1-Apr-16   1-Apr-16   1-Jul-16
CIP-007-6, R1, part 1.2*    CN, RM capitalized             1-Jan-17   1-Jan-17   1-Apr-17
CIP-008-5                   not up for revision            1-Apr-16   1-Apr-16   1-Apr-16
CIP-009-6                                                  1-Apr-16   1-Apr-16   1-Jul-16
CIP-010-2                                                  1-Apr-16   1-Apr-16   1-Jul-16
CIP-010-2, R4               TD                             1-Jan-17   1-Jan-17   1-Apr-17
CIP-011-2                   TCA & RM added to Guidelines   1-Apr-16   1-Apr-16   1-Jul-16

Abbreviations: H/M = high/medium impact; LI = low impact; CN = Communication Networks; TD = Transient Devices; TCA & RM = Transient Cyber Assets and Removable Media.

Current Status
• NERC Board approved responses to the IAC and Communication Networks directives on November 13, 2014
• NERC Board approved responses to the Low Impact and Transient Device directives on February 12, 2015
  – Board action adjusted version numbers to -6 and -2
• All four directive areas filed with FERC on February 13, 2015 (10-day extension granted due to the scheduled NERC Board meeting)

CIP Version What?

[Figure: version-numbering diagram. Labels recoverable from the slide: July Initial Ballot (CIP-003-6/CIP-010-2); October Additional Ballot; October Final Ballot; November Board Adoption; January Additional Ballot; January Final Ballot. Version labels shown: “Version X” for IAC/CN only (CIP-003-X/CIP-010-X); CIP-003-7/CIP-010-3 for all 4 directives; CIP-003-6/CIP-010-2 for Lows/Transients. Resulting standards: CIP-003-6/CIP-004-6/CIP-006-6/CIP-007-6/CIP-009-6/CIP-010-2/CIP-011-2.]

References

Project 2014-02 Development History:
• CIP Version 5 Revisions page:
  http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-Critical-Infrastructure-Protection-Version-5-Revisions.aspx
• CIP Version 5 Transition page:

Questions

Scott Mix, CISSP
