CIP Cyber Security Update - John Lim - PowerPoint PPT Presentation



SLIDE 1

CIP Cyber Security Update

John Lim, Consolidated Edison Co. of New York, Inc.

December 1, 2010

SLIDE 2

Disclaimer

Materials presented or discussed here are the presenter's own and do not necessarily represent those of Con Edison or NPCC.

SLIDE 3

Agenda

  • Development Process Changes
  • CIP-002-4 and Version 4
  • CIP-005-4 – Remote Access
  • CIP-010 and CIP-011

SLIDE 4

CIP Standard Development Process

 Approved by NERC Standards Committee
 Informal Comments
  • Forms
  • Webinars
  • Workshops
  • Other venues (regional meetings, etc.)
  • Formal response to each comment not required

SLIDE 5

CIP Standard Development Process (2)

 Formal Comments (45 days)
 Concurrent Ballot Pool formation/Pre-Ballot Review (1st 30 days)
 Ballot (Last 15 days)
  • All comments must be responded to.
 Re-ballot
  • Can make changes to standard between ballots
  • As many as required for consensus

SLIDE 6

What Has Been Completed

 Version 2 (CIP-002-2 – CIP-009-2)
  • Phase 1
  • Low Hanging Fruits for FERC 706 Directives
  • Became Effective 4/2010
 Version 3 (CIP-002-3 – CIP-009-3)
  • 90 day FERC directed changes to Version 2
  • Effective 10/2010

SLIDE 7

What's In Progress

 CIP-002-4
  • 1st formal posting/concurrent ballot: September 2010
  • Closed November 3
  • 2nd Ballot – In Progress
  • Target: Complete by 12/2010
 CIP-005-4
  • Urgent Action: Response to Remote Access Vulnerability
  • Separate Drafting Team
  • Intent to File to FERC with CIP-002-4 package
 CIP-010 & CIP-011
  • Concept Paper: July 2009
  • Informal Posting: CIP-002-4 12/2009 (not the same as the current CIP-002-4)
  • Informal Posting: CIP-010 and CIP-011 07/2010
  • Target: 2011

SLIDE 8

CIP-002-4

 CIP-002-4 – Narrow Scope
 Non-uniform application of methodologies for identifying Critical Assets, resulting in wide variation in the types and number of critical assets across regions.
 Replace the Entity defined Risk-Based Methodology requirement with a bright-line based criteria requirement for identifying Critical Assets.
 FERC Order 706 comments and directives regarding
  • oversight of the lists of identified Critical Assets in CIP-002 (Para. 329). Requirement for oversight is significantly mitigated.
 External perceptions of insufficiency of the Entity defined methodologies in identification of Critical Assets.

SLIDE 9

CIP-002-4

 Replace Risk-Based Methodology with Bright-line Criteria (R1 & Attachment 1)
  • Generation
  • Transmission
  • Control Centers
 Minor changes to R2 – Identification of Critical Cyber Assets
 No changes to CIP-003 – CIP-009 except conforming changes
 Reference Document and Implementation Plan

SLIDE 10

CIP-005-4

 In "expedited revision" Process
 Addresses Remote Access vulnerability
 Follows Urgent Action
  • Formal comments and Pre-ballot Review: 8/18/2010 to 9/17/2010
  • 1st Ballot: 9/18
 Currently in 30 day review (November 12 – December 11)
  • Ballot in last 10 days

SLIDE 11

CIP-010

 Categorized list of BES Cyber Systems
  • Based on Impact on Functions
  • High
  • Medium
  • Low
 Basis for Application of Appropriate Controls (CIP-011)
 Formal Comment: 7/2011

SLIDE 12

CIP-011

 Posted for informal comment May 2010
 SDT reviewed comments and feedback received at the May 2010 workshop in Dallas.
 SDT determined it was infeasible to address all of the concerns and achieve industry consensus on CIP-011 by the initial target date of December 2010.
 Efforts on updating CIP-011 have been substantially deferred, with plans to resume in December. Efforts to review and respond to comments have continued.

SLIDE 13

CIP-011 Scope and Objectives

 Address remaining FERC Order 706 Directives:
  • 2 or more diverse security measures for defense in depth at the security boundaries
  • Active vulnerability assessments every 3 years
  • Incorporate forensic data collection and procedures
 Consideration of adapting the NIST Security Risk Management Framework

SLIDE 14

CIP-011 Guiding Principles

 Policy focuses on high-level subject areas.
 To draft standards at a higher level to minimize the need for TFEs (Technical Feasibility Exceptions).
 SDT will attempt to preserve the effort invested by Responsible Entities by developing a mapping from the existing standards 003-009 to 011.

SLIDE 15

Q&A

Questions or Comments?