Breakfast 7:00 a.m. 8:00 a.m. Opening Announcements NERC 2015 - - PowerPoint PPT Presentation

Breakfast

7:00 a.m. – 8:00 a.m.

Opening Announcements

NERC 2015 Standards and Compliance Spring Workshop

April 3, 2015

RELI ABI LI TY | ACCOUNTABI LI TY 2

NERC Antitrust Compliance Guidelines It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.

RELI ABI LI TY | ACCOUNTABI LI TY 3

Public Announcement Participants are reminded that this meeting is public. Notice of the meeting was posted on the NERC website and widely

• distributed. The notice included the number for dial-in
• participation. Participants should keep in mind that the

audience may include members of the press and representatives of various governmental authorities.

RELI ABI LI TY | ACCOUNTABI LI TY 4

• Westin-Meeting
• Wi-Fi Code: NERCWB

General Announcements

RELI ABI LI TY | ACCOUNTABI LI TY 5

• 8:15–9:15 a.m.: Overview of Stakeholder Guidance on

Standards Associated with Risk Elements

• 9:15–9:30 a.m.: Legal and Regulatory Update
• 9:30–10:45 a.m.: CIP Cyber Security Standards
• 10:45–11:00 a.m.: Break
• 11:00–11:30 a.m.: 2015 and Beyond
• 11:30–Noon: Miscellaneous Q&A and Closing Remarks

Today’s Agenda

RELI ABI LI TY | ACCOUNTABI LI TY 6

Guidance on Standards Associated with Risk Elements

Marisa Hecht, Senior Advisor, Compliance Assurance Ed Kichline, Senior Counsel, Associate Director of Enforcement 2015 Standards & Compliance Spring Workshop April 3, 2015

RELI ABI LI TY | ACCOUNTABI LI TY 2

• Purpose
• Background
• What are Risk Elements?
• Risk Elements Development Process
• Compliance Monitoring and Enforcement Program (CMEP)

Implementation Plan

• 2015 Risk Elements
• Webinar Series
• Focus on COM-002-2, Requirement R2

Overview

RELI ABI LI TY | ACCOUNTABI LI TY 3

• Educate stakeholders on role of Risk Elements in compliance

monitoring

• Introduce webinar series that will provide helpful best practices

regarding standards and requirements associated with Risk Elements Purpose

RELI ABI LI TY | ACCOUNTABI LI TY 4

• Annual Implementation Plan tailored to risk-based approach to

CMEP

• Replacement of a static, one-size-fits-all list of Reliability

Standards, Actively Monitored List (AML)

• Risk focus areas ≠ AML ≠ Audit Scope
• Monitoring plan reflects risk focus areas and Inherent Risk Assessment

(IRA) and Internal Controls Evaluation (ICE) processes

• Removal of six-year audit cycles
• Three-year cycles remain for BA, RC, and TOP
• Regional Entities (REs) will determine compliance oversight plan for other

registered entities

• Use existing CMEP tools

Background

RELI ABI LI TY | ACCOUNTABI LI TY 5

• First step in Risk-based Compliance Oversight Framework
• Identification and prioritization of enterprise-wide risks
• Potential impact to the reliability of the Bulk Power System (BPS)
• Risk Elements map to Reliability Standards
• Replace prior actively monitored lists
• REs also consider Region-specific risks

What are Risk Elements?

RELI ABI LI TY | ACCOUNTABI LI TY 6

What are Risk Elements?

Risk-based Compliance Oversight Framework (Framework)

RELI ABI LI TY | ACCOUNTABI LI TY 7

• Assessment of Risk Elements occurs at least annually
• Revised as needed
• Supports Regional assessment of risks
• Input into the annual ERO CMEP Implementation Plan

What are Risk Elements?

RELI ABI LI TY | ACCOUNTABI LI TY 8

• Steps to identify risks outlined in the Risk Elements Guide
• Includes areas of focus and associated Reliability Standards

Risk Elements Development Process

RELI ABI LI TY | ACCOUNTABI LI TY 9

Risk Elements Development Process

Post Implementation Plan in September each year. Consider Requirements and functional entities remaining and determine if any additional guidance should be provided to CEAs Review functional entities to determine their importance to the remaining Requirements Consider additional factors and remove Requirements not appropriate for additional focus Identify the specific Requirements related to their management of risk. Select a sub-set of risks for additional focus based on significance and existence of Reliability Standards for that risk Identify an effective body of Reliability Standards related to the risks. Develop a matrix and prioritize reliability risks. Collect the ERO Enterprise data.

RELI ABI LI TY | ACCOUNTABI LI TY 10

• Purpose
• Annual operating plan for NERC and the REs
• Implementation of risk-based approach for CMEP activities
• NERC release on or about September 1 of preceding year
• REs submit Regional IPs on or about October 1
• NERC reviews and posts revised IP in November to include RE IPs
• RE IPs subject to review and approval by NERC
• Updates occur throughout implementation year, as needed

CMEP I mplementation Plan

RELI ABI LI TY | ACCOUNTABI LI TY 11

• CMEP IP provides details on:
• ERO Enterprise’s Risk-based Compliance Oversight Framework
• Prioritized list of Enterprise-wide risk focus areas
• Map to associated Reliability Standards
• Do not include all potential risks to BPS
• REs consider local risks and circumstances within regional footprint
• Guidance on Regional Risk Assessments
• Enforcement activities
• Compliance exceptions
• Self-logging program

CMEP I mplementation Plan

RELI ABI LI TY | ACCOUNTABI LI TY 12

• Consider ERO Enterprise risk focus areas
• Risks identified in the ERO CMEP IP
• Regional risks
• Explain how regional risks were identified
• Including why risk elements in the ERO CMEP IP are not included

Regional CMEP I mplementation Plans

RELI ABI LI TY | ACCOUNTABI LI TY 13

• Regional IPs provide further detail on risk focus areas and

compliance oversight plans

• REs tailor compliance oversight plans for registered entities
• REs are at varying stages of implementing IRA and ICE processes
• NERC oversight and continued training will help ensure

consistency Key Takeaways

RELI ABI LI TY | ACCOUNTABI LI TY 14

• Nine areas of focus for 2015 consideration

1.Infrastructure maintenance 2.Uncoordinated protection systems 3.Protection systems misoperations 4.Workforce capability 5.Monitoring and situational awareness 6.Long term planning and system analysis 7.Threats to cyber systems 8.Human error 9.Extreme physical events

2015 Risk Elements

RELI ABI LI TY | ACCOUNTABI LI TY 15

• Highlights one Risk Element
• Provides training on associated standards
• Third Thursday of every month starting in April
• Starts at 1 pm Eastern

Webinar Series

RELI ABI LI TY | ACCOUNTABI LI TY 16

Subject Date Uncoordinated Protection Systems April 16, 2015 Monitoring and Situational Awareness May 21, 2015 Infrastructure Maintenance June 18, 2015 Protection System Misoperation July 16, 2015 Workforce Capability August 20, 2015 Long Term Planning and System Analysis September 17, 2015 Extreme Physical Events October 15, 2015 Threats to Cyber Systems November 19, 2015

Webinar Series

RELI ABI LI TY | ACCOUNTABI LI TY 17

Webinar Series

RELI ABI LI TY | ACCOUNTABI LI TY 18

• 2015 ERO CMEP IP located on NERC website at:

http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initia tive/Final_2015%20CMEP%20IP_V7_090814.pdf

• Risk Elements Guide for Development of the 2015 CMEP IP

located at: http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initia tive/Final_RiskElementsGuide_090814.pdf

• RAI website for activities and updates:

http://www.nerc.com/pa/comp/Pages/Reliability-Assurance- Initiative.asp Resources

2015 Risk Element: Human Error

Marisa Hecht, Senior Advisor, Compliance Assurance Ed Kichline, Senior Counsel, Associate Director of Enforcement Spring 2015 Standards & Compliance Workshop April 3, 2015

RELI ABI LI TY | ACCOUNTABI LI TY 20

2015 Risk Element: Human Error

RELI ABI LI TY | ACCOUNTABI LI TY 21

• ERO Priorities: RISC Updates and Recommendations
• Organizational or management challenges contribute to operational error
• Communication errors
• ERO Top Priority Reliability Risks 2014-2017 report
• Human error appropriately addressed
• Need for continued attention

2015 Risk Element: Human Error I nputs

RELI ABI LI TY | ACCOUNTABI LI TY 22

• Effective communication reduces errors
• Clear communications enable effective operations
• COM standards developed to address communications
• Operating Committee developed best practices for communications

2015 Risk Element: Human Error Communications

RELI ABI LI TY | ACCOUNTABI LI TY 23

• Top Violated Serious Risk Standards (by date of filing)

2015 Risk Element: Human Error COM-002-2

RELI ABI LI TY | ACCOUNTABI LI TY 24

2015 Risk Element: Human Error COM-002-2, Requirement R2

RELI ABI LI TY | ACCOUNTABI LI TY 25

2015 Risk Element: Human Error Three-part Communication

• Emergency vs. Routine Operations
• When reliability matters, ensure effective communication
• Routine Operating Instructions Considerations
• Expected use
• Introductory phrase
• Script
• Internal Procedures or Policies
• Who
• When
• How

RELI ABI LI TY | ACCOUNTABI LI TY 26

2015 Risk Element: Human Error Common Challenges

• Sender/receiver identification
• Distracted receiver
• Too much information or multiple actions
• Not enough information
• No explicit verification of receiver’s understanding
• Clarification not requested
• Receiver acting before communication is complete
• Receiver not using tools (e.g. writing down) to remember
• Too quiet or poor enunciation

RELI ABI LI TY | ACCOUNTABI LI TY 27

2015 Risk Element: Human Error Best Practices

• Clear policies and procedures
• Elements of effective communication
• Etiquette
• Opening phrase
• Acknowledgement
• Content
• Training
• Performance Assessment
• Aids to Communication

RELI ABI LI TY | ACCOUNTABI LI TY 28 3 part communication process is clearly established Operators trained regularly on 3 part communication Operators use 3 part communication for all information exchange and not just directives Operator consoles have a visual reminder to use 3 part communication All directives recorded on tapes Shift supervisor regularly listens to the tapes to verify 3 part communication Feedback to operators on improving 3 part communication

2015 Risk Element: Human Error Controls Example

RELI ABI LI TY | ACCOUNTABI LI TY 29

2015 Risk Element: Human Error Examples of Documentation Related to R2

• Processes, procedures, or job description that direct need for

three-part communication

• Evidence of implementation (e.g., training curriculum, training records)
• Summary of incidents where directives were issued
• Evidence of internal controls
• E.g., periodic monitoring of voice communications and feedback to

personnel)

• Sample audio recordings
• Sample system operator logs
• Verify three-part communications

RELI ABI LI TY | ACCOUNTABI LI TY 30

2015 Risk Element: Human Error COM-002-4 Update

• Requires the following:
• Documented communications protocols
• Training
• Assessment of adherence to protocols and effectiveness
• Three-part communication for Operating Instruction during Emergency
• Adopted by NERC Board of Trustees May 7, 2014
• Filed at FERC May 14, 2014
• Effective date 12 months after regulatory approval or after

Board adoption, as applicable

RELI ABI LI TY | ACCOUNTABI LI TY 31

• Registration for Risk Elements Webinar Series:

http://www.nerc.com/pa/comp/Pages/Webinars.aspx

• Operating Committee - Verbal Communications Industry

Practices: http://www.nerc.com/comm/OC/Related%20Files%20DL/OC%20 Approved_COM-002-2%20Guideline_6-24- 2012_For%20Posting_w%20line%20numbers_Clean_Version%202 .pdf Resources

RELI ABI LI TY | ACCOUNTABI LI TY 32

Legal & Regulatory Update

Andrew Wills, NERC Associate Counsel 2015 Standards and Compliance Spring Workshop April 3, 2015

Cyber Security Standards: Version 5 Revisions

Scott Mix, CISSP Spring 2015 Standards and Compliance Workshop April 3, 2015

2 RELIABILITY | ACCOUNTABILITY

• Standard Drafting Team (SDT) appointed to address these

revisions in Project 2014-02.

• Maggy Powell, Exelon
• Philip Huff, AECC
• David Revill, GTC
• Jay Cribb, Southern Company
• Forrest Krigbaum, BPA
• David Dockery, AECI
• Greg Goodrich, NYISO
• Christine Hasha, ERCOT
• Steve Brain, Dominion
• Scott Saunders, SMUD

Overview of Development Activities The Team

3 RELIABILITY | ACCOUNTABILITY

CI P Standards – “Version 5”

• CIP-002-5.1*: BES Cyber Asset and BES Cyber System

Categorization

• CIP-003-6**: Security Management Controls
• CIP-004-6**: Personnel and Training
• CIP-005-5: Electronic Security Perimeter(s)
• CIP-006-6: Physical Security of BES Cyber Systems
• CIP-007-6**: Systems Security Management

* - Changed “Devices” to “Systems” in background section ** - Developed as version 7

4 RELIABILITY | ACCOUNTABILITY

CI P Standards – “Version 5”

• CIP-008-5: Incident Reporting and Response Planning
• CIP-009-6: Recovery Plans for BES Cyber Assets and Systems
• CIP-010-2***: Configuration Management and Vulnerability

Assessments

• CIP-011-2***: Information Protection

*** - Developed as version 3

5 RELIABILITY | ACCOUNTABILITY

• Four directive areas
• One year filing deadline
• Outreach during development and comment period

Overview of Development Activities Key Objectives

6 RELIABILITY | ACCOUNTABILITY

FERC Final Rule

• Issued November 3, 2013
• Effective February 3, 2014
• Four directives:
• Identify Assess and Correct language
• Communication Networks
• Low Impact BES Cyber Systems
• Transient Devices
• First two had one-year deadline
• Filing deadline February 3, 2015

7 RELIABILITY | ACCOUNTABILITY

I dentify, Assess, and Correct

• FERC preferred to not have “compliance language” included

within technical requirement

• SDT responded by deleting language from 17 requirements
• RAI (Risk-based Compliance Monitoring and Enforcement)

concepts replaced need for IAC language

8 RELIABILITY | ACCOUNTABILITY

Communication Networks

• FERC Directed creation of definition of “communication

networks” and requirements to address issues:

• Locked wiring closets
• Disconnected or locked spare jacks
• Protection of cabling by conduit or cable trays

9 RELIABILITY | ACCOUNTABILITY

Communication Networks

• SDT responded by adding CIP-006 Part 1.10 to address

protections of “non programmable” components of communication networks that are inside an ESP, but outside of a PSP

• SDT also modified CIP-007 Part 1.2 to address unused physical

ports on nonprogrammable communication components and devices at high and medium impact Control Centers

• Formal definition determined by SDT to be unnecessary at this

time

10 RELIABILITY | ACCOUNTABILITY

Transient Devices

• Described in Final Rule as devices connected

for less than 30-days (USB, laptop, etc)

• FERC directed modifications to address the following concerns:
• Device authorization
• Software authorization
• Security patch management
• Malware prevention
• Unauthorized physical access
• Procedures for connecting to different impact level systems

11 RELIABILITY | ACCOUNTABILITY

Transient Devices

• SDT developed two additional definitions
• Removable Media
• Transient Cyber Assets
• Added CIP-010 Requirement R4 dealing with issue
• Detailed requirements in attachment and measures in a separate

attachment

• Separated into three areas:
• Transient Cyber Assets managed by Responsible Entity
• Transient Cyber Assets managed by other parties
• Removable Media
• Modified CIP-004 Part 2.1 to address training on risks associated

with Transient Cyber Assets and Removable Media

12 RELIABILITY | ACCOUNTABILITY

Transient Cyber Assets

• Transient Cyber Asset: A Cyber Asset that (i) is capable of

transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

13 RELIABILITY | ACCOUNTABILITY

Transient Cyber Assets (continued)

• Removable Media: Storage media that (i) are not Cyber Assets,

(ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber

• Asset. Examples include, but are not limited to, floppy disks,

compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.

14 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems

• FERC concerned with lack of objective criteria

for evaluating Low Impact protections

• “Introduces unacceptable level of ambiguity and potential inconsistency

into the compliance process”

• Open to alternative approaches
• “… the criteria NERC proposes for evaluating a responsible entities’

protections for Low impact facilities should be clear, objective and commensurate with their impact on the system, and technically justified.”

• No detailed inventory required … list of locations / Facilities OK

15 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

• SDT maintained all low impact requirements in

CIP-003

• “Low-only entities” only need to comply with CIP-002 and CIP-

003

• Added CIP-003 Part 1.2 dealing with security policy for low

impact BES Cyber Systems

• Added Attachments dealing with the technical requirement and

measures

• Kept four original “areas”

16 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

• Security Awareness
• “… reinforce, at least every 15 calendar months, cyber security practices…”
• Incident Response
• Modeled from medium impact
• 5 elements (of 9: collapsed process requirements and update

requirements together; no documentation of deviations or specific record retention – but still need to demonstrate compliance)

• Physical Security
• “…control physical access based on need…”

17 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

• Electronic Security
• Two new definitions – LERC and LEAP
• Similar to but different from ERC and EAP concepts at medium & high
• “…permit only necessary inbound and outbound bi-directional

routable protocol access…”

• “…authentication for all Dial-up Connectivity…”
• Seven “reference model” drawings showing LERC & LEAP in

Guidelines and Technical Basis section

18 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

• Low Impact External Routable Connectivity (LERC):

Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point- to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).

19 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

• Low Impact BES Cyber System Electronic Access Point (LEAP): A

Cyber Asset interface that controls Low Impact External Routable

• Connectivity. The Cyber Asset containing the LEAP may reside at a

location external to the asset or assets containing low impact BES Cyber Systems.

20 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

21 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

22 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

23 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

24 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

25 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

26 RELIABILITY | ACCOUNTABILITY

Low I mpact BES Cyber Systems (continued)

27 RELIABILITY | ACCOUNTABILITY

I mplementation Plan

• Phased implementation plan:
• IAC – no change (4/1/16)
• Communication Networks – 9 months after the effective date of the

standard

• Transient Devices – 9 months after the effective date of the standard
• Low Impact
• Latter of 4/1/17 or 9 months after the effective date of the standard for policy,

plan, security awareness, and response

• Latter of 9/1/18 or 9 months after the effective date of the standard for physical

and electronic security

28 RELIABILITY | ACCOUNTABILITY

Current Status

• NERC Board approved responses to IAC and Communication

Networks directives on November 13, 2014

• NERC Board approved responses to Low Impact and Transient

Device directives on February 12, 2015

• Board action adjusted version numbers to -6 and -3
• All four directive areas filed with FERC on February 13, 2015 (10-

day extension granted due to scheduled NERC board meeting)

• FERC must go through its approval process

29 RELIABILITY | ACCOUNTABILITY

References

• Project 2014-02 Development History:
• CIP Version 5 Revisions page:
• http://www.nerc.com/pa/Stand/Pages/Project-2014-XX-

Critical-Infrastructure-Protection-Version-5-Revisions.aspx

• CIP Version 5 Transition page:
• http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

Questions

Scott Mix, CISSP scott.mix@nerc.net 215-853-8204

Break

10:45 a.m. – 11:00 a.m.

2015 & Beyond

Valerie Agnew, NERC Senior Director of Standards Ryan Stewart, NERC Manager of Standards Development Marisa Hecht, NERC Senior Advisor of Compliance Assurance 2015 Standards and Compliance Spring Workshop April 3, 2015

Closing Remarks Q&A