CIP Violation Data Trends 2012-2015 Deandra Williams-Lewis - - PowerPoint PPT Presentation

SLIDE 1

CIP Violation Data Trends 2012-2015

Deandra Williams-Lewis

SLIDE 2

Forward Together • ReliabilityFirst

Violation Volume Decreasing

  • 2010: Mandatory Compliance for all CIP Standards Begins; RF commences full scope audits; Entities at beginning stages of CIP implementation
  • 2015: Maturation of CIP programs; Increased use of automated tools; increased outreach

CIP Violations by Deemed Date (chart data)
  2010: 259
  2011: 165
  2012: 153
  2013: 91
  2014: 92
  2015: 53

SLIDE 3

Majority of Violations are Self-Reported

  • Larger Entities Drive Volume of Self-Reports
  • Two audit outliers in 2014 responsible for 92 of 117 audit violations; otherwise steady downward trend
SLIDE 4

Volume Driven by High-Frequency Conduct

  • Requirements concerning “high-frequency conduct” drive volume
    ‒ CIP-004, R4 (access: lists for cyber access and physical access; revoking privileges)
    ‒ CIP-006, R1 (physical security of critical cyber assets: physical access logging)
    ‒ CIP-007, R5 (account management: passwords and access lists)
  • These violations tend to be self-reported and pose a lesser risk
    ‒ However, can be indicative of systemic issues
SLIDE 5

Detection and Reporting Duration Improvement

  • Decrease between Deemed and Reporting Dates
    ‒ Average decrease of 317 days (trending downward)

*Includes noncompliance start date, time to identify, assess, correct, and then report

SLIDE 6

Improved Risk Posture

  • Year-over-year decrease in severity
  • 75% of CIP violations are Minimal to Moderate risk
  • 9% of CIP violations are serious risk
    ‒ implementation issues
    ‒ culture and programmatic issues
SLIDE 7

Volume Driven by Larger Entities

  • Larger entities have experienced initial implementation challenges
    ‒ More assets, business units, and people = more challenges
    ‒ 100% of serious risk issues concern larger entities
    ‒ 93.3% of audit findings concern larger entities
    ‒ 79.8% of all violations driven by large entities
  • CIP Themes Report: identified and shared common themes

SLIDE 8

Observations

  • Possible Drivers of Positive Trending
    ‒ Maturation (both RF and Entities)
    ‒ Active Monitoring and Enforcement
    ‒ Trending, Analytics, and Sharing
      ‒ Assist Visits and Outreach
      ‒ CIP Themes Report
      ‒ Case Study Outreach
  • Remain Vigilant – Moving Target
    ‒ Dynamic Regulatory Approach
      ‒ Focus on continuous improvement
      ‒ Violations not always indicative of security state
        ‒ Volume can indicate strong detective controls or weak preventative/corrective controls
        ‒ Paper compliance does not equal security

SLIDE 9

Common CIP Themes

Patrick O’Connor

SLIDE 10

Purpose of CIP Themes Report

  • IDENTIFY
    ‒ Common themes underlying systemic CIP violations
    ‒ Possible resolutions: not directive because “one size does not fit all”
    ‒ Based on RF’s observations through years of compliance monitoring and enforcement activities
      ‒ Collaborated with entities that dealt with higher risk CIP Violations
      ‒ In coordination with NERC
  • COMMUNICATE
    ‒ Raise awareness and prevent recurrence
    ‒ Report available on RF’s website

SLIDE 11

The Identified CIP Themes


SLIDE 12

Scenario #1

  • Entity implemented tools to monitor its account usage.
  • Entity did not configure these properly, causing voluminous logs that could not be meaningfully digested.
  • Entity implemented tool to automatically generate revocation notices.
  • Responsible employee did not review notifications and thus did not perform necessary revocations.
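The Scenario 1 gap (revocation notices generated but never acted on) is the kind of thing a second, detective check catches. The script below is an added example, not from the ReliabilityFirst deck; the notice format, the access-list contents and the 24-hour revocation window are constructed assumptions.

```python
"""Reconcile automated revocation notices against live access lists.
Added example, not from the ReliabilityFirst deck. Scenario 1 describes a
tool whose revocation notices nobody acted on; this detective check reports
every notice past its deadline whose account still appears on a cyber or
physical access list. Notice format, list contents and the 24-hour
deadline are constructed assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DEADLINE = timedelta(hours=24)  # assumed revocation window

# Constructed notices emitted by the revocation tool: (account, event time).
NOTICES: List[Tuple[str, str]] = [
    ("jdoe", "2015-03-02T09:00:00"),
    ("asmith", "2015-03-03T16:30:00"),
    ("bkim", "2015-03-04T08:00:00"),
]
# Constructed access lists pulled from the EMS and the badge system.
ACCESS_LISTS: Dict[str, List[str]] = {
    "ems_accounts": ["jdoe", "bkim", "ops_admin"],
    "badge_system": ["asmith", "bkim", "ops_admin"],
}


def overdue_revocations(notices, access_lists, now: datetime) -> List[dict]:
    """Notices older than DEADLINE whose account still holds access,
    with the lists that still grant it and how many days late it is."""
    findings = []
    for account, issued in notices:
        issued_at = datetime.fromisoformat(issued)
        if now - issued_at < DEADLINE:
            continue  # still inside the window, not yet a violation
        still_in = [name for name, members in access_lists.items()
                    if account in members]
        if still_in:
            findings.append({
                "account": account,
                "days_overdue": (now - issued_at - DEADLINE).days,
                "lists": still_in,
            })
    return findings


def run_check(now_iso: str = "2015-03-04T12:00:00") -> List[dict]:
    """Run the reconciliation against the constructed sample data."""
    return overdue_revocations(NOTICES, ACCESS_LISTS,
                               datetime.fromisoformat(now_iso))
```

Run on a schedule, the output is the reviewer's to-do list rather than a notification that can be ignored.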

SLIDE 13

Scenario #2


  • Entity utilized a vendor’s asset management system.
  • Protecting Critical Cyber Asset Information was not considered nor mentioned in the vendor contract.
  • Entity contracted with vendor to provide security patch management.
  • Vendor did not provide entity with timely assessments of patch releases.
SLIDE 14

Scenario #3

  • Entity used its mirrored back-up data center as its disaster recovery data center.
  • Entity did not understand that corruption of the main data center would promptly result in a corrupted back-up data center.
  • Entity permitted compromised assets to communicate freely with command and control server.
  • Entity did not understand firewall commands (“permit any any” on outbound traffic).
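The “permit any any” outbound rule from Scenario 3 is easy to catch mechanically. The checker below is an added example, not from the ReliabilityFirst deck; it parses a constructed, simplified Cisco-style extended ACL (the syntax and addresses are assumptions) and shows the weak egress list beside a hardened one that ends in a logged deny.

```python
"""Flag "permit any any" egress rules in a simplified Cisco-style ACL.
Added example, not from the ReliabilityFirst deck; the ACL syntax and
addresses below are constructed assumptions. Reports rules that let any
internal host reach any destination, the Scenario 3 mistake that let
compromised assets talk freely to their command and control server."""
import re
from typing import List

# Constructed samples: the weak outbound ACL beside a hardened one.
WEAK_EGRESS = "permit ip any any"
HARDENED_EGRESS = """
permit tcp 10.1.0.0 0.0.255.255 host 10.9.0.5 eq 443
permit udp 10.1.0.0 0.0.255.255 host 10.9.0.53 eq 53
deny ip any any log
"""
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?P<log>\s+log)?$")


def parse_acl(text: str) -> List[dict]:
    """One rule per line; blank lines and '!' comment lines are skipped."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"unparsed rule: {line}")
        rules.append(match.groupdict())
    return rules


def find_open_egress(text: str) -> List[str]:
    """Permits with an unrestricted destination and no port: these let
    beaconing from a compromised asset leave the network unimpeded."""
    return [f"{r['action']} {r['proto']} {r['src']} {r['dst']}"
            for r in parse_acl(text)
            if r["action"] == "permit" and r["dst"] == "any" and not r["port"]]


def ends_with_logged_deny(text: str) -> bool:
    """A hardened list closes with a logged deny, so blocked outbound
    attempts become detectable events instead of silent drops."""
    rules = parse_acl(text)
    last = rules[-1] if rules else {}
    return last.get("action") == "deny" and last.get("dst") == "any" \
        and last.get("log") is not None
```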
SLIDE 15

Questions & Answers
