Dec-2018 Meeting: Jodi A. Jensen, Senior SCADA Advisor, WECC SASMS

SLIDE 1

NERC CIP-C Highlights Dec-2018 Meeting

Jodi A. Jensen Senior SCADA Advisor WECC SASMS, February 7, 2019

SLIDE 2

New CIP-C Initiatives for 2019

  • Utility Essential Security Practices Whitepaper
  • Cyber-Physical Resiliency Task Force
  • Supply Chain Risk Mitigation guidelines

SLIDE 3

NERC Board Meeting Highlights

  • Jim Robb’s Top 4
  • Reliability Coordination in the West
  • Inverter-based resources
  • Changing resource mix
  • Cyber security
  • Possible Reorganization of Committees:
  • Task-based teams

SLIDE 4

FERC and NERC Updates

  • FERC
  • CIP-012 - Commission is Deliberating
  • Supply Chain – Approved
  • NERC
  • Looking for Input on the following:
  • Virtualization - RSAWs
  • Cyber Security Incident Reporting – CIP-008
  • CIP Evidence Tool, Version 2
  • Writing Implementation Guidance
  • Encrypting BCSI

SLIDE 5

Supply Chain Update

  • FERC Order 850
  • Supply Chain Standards Approved with a directive to address EACMS, PACS, and PCAs

  • NERC Activities:
  • CIPC Advisory Task Force
  • EPRI supply chain risk study – Final report due Feb 2019
  • Communication of supply chain risks:
  • NERC Alerts
  • E-ISAC - Incorporate into GridEx IV
  • Include in Workshops
  • CIPC development of guidelines
  • Supply Chain Webpage - Forum and Association whitepapers
  • Presentations of whitepapers to industry

SLIDE 6

National Labs Updates

  • Argonne
  • RC and ISO – Restoration Training Activity Scenarios
  • Idaho Labs – Andrew Bochman
  • DOE is going to bring back the National SCADA Test Bed
  • CyTRICS – Cyber Testing for Resilience of Industrial Control Systems
  • Reverse Engineering of OT devices – different brands may be more alike than they seem
  • Collections of common subcomponents for similar functions could introduce common vulnerability vectors

SLIDE 7

Legislative Update

  • Sept 20 – Trump signed national Cyber Strategy
  • DOE Cybersecurity, Energy Security and Emergency Response (CESER)

  • DHS Cybersecurity and Infrastructure Security Agency (CISA)
  • Infrastructure Bill
  • Background Investigation
  • Data Breach Notification
  • Resiliency
  • Securing the supply chain
  • Cyber Mutual Assistance
  • Liberty Eclipse Exercise – Oct 11
  • Focus on coordinated cyber security incident response.

Electricity Subsector Coordinating Council Update

SLIDE 8

EPRI Update

  • DER – Distributed Energy Resources
  • Smart Inverters – Risk
  • Two way communication to inverters.
  • 3rd party aggregator example: over 1 million inverters connected to solar resources. Directly control energy. Impact could be greater than many utilities.

  • GPS Time Clock Impacts – Relay Misoperation
  • Cloud Security
  • Whitepaper in February
  • Risk Analysis
  • Data Storage of BES Cyber System Information
  • EACMS
  • Managed Security Services

SLIDE 9

North American Transmission Forum - Update

  • Compliance Implementation Guidance:
  • Endorsed:
  • CIP-010 R1.6 (Software Integrity and Authenticity)
  • CIP-014 R4 Practices Document (Threat and Vulnerability Evaluations)
  • CIP-014 R5 Practices Document (Physical Security Plans)
  • Not Endorsed:
  • CIP-010 R4 Transient Cyber Assets
  • CIP-005 R2.4 and R2.5 Vendor Remote Access
  • Being Revised. Target posting in January 2019.
  • Pending Compliance Implementation Guidance
  • CIP-013 (Supply Chain)
  • Publicly available CIP-Related documents
  • BES Operations absent EMS and SCADA Capabilities – a Spare Tire Approach
  • Cyber Security Supply Chain Risk Management Guidance
  • Guidance for CIP-005 Vendor Remote Access
  • Transmission System Resiliency – An Overview

SLIDE 10

CIP Standards Development Update

  • Modifications to CIP-008:
  • Two New Definitions
  • Cyber Security Incident
  • Reportable Cyber Security Incident
  • EACMS added
  • Reporting timeframe is 1 hour
  • Attempts to compromise – report by end of next calendar day
  • Allows entity to define “attempts”
  • Reporting to E-ISAC and NCCIC
  • Virtualization:
  • ESP transition to Logical Isolation Zone
  • Accommodate advances in network security
  • Retaining backward compatibility
  • Management plane isolation
  • BES cyber systems with a 15 minute impact share infrastructure with systems that do not share that time constraint (e.g. a control system and its historian)

SLIDE 11

Subcommittee Updates

  • Security Metrics Working Group
  • CRISP data not yet suitable as a source for BPS-impactive cyber metrics
  • CIP-008 will provide opportunities to enhance Metric #1
  • Compliance Input Working Group
  • Cloud Computing Pilot Plan
  • Microsoft presentation on complying with CIP and FedRAMP
  • Encryption Team Formed – Alice Ireland – How does encryption of BCSI in the cloud impact compliance
  • Reliability Issues Steering Committee
  • Resilience Framework
  • Robustness, Resourcefulness, Rapid Recovery, Adaptability
  • Physical Security Subcommittee
  • Physical Security Guideline for the Electricity Sector: Extreme Events
  • Physical Security Guideline for the Electricity Sector: Security Considerations, High Impact Control Centers (this is for new control centers)

SLIDE 12

Other Items of Interest

  • University of Arkansas Survey
  • Vulnerability and Patch Management
  • Objectives
  • Workforce Management Problem
  • How to reduce workload – Optimize to focus on the few patches when vulnerabilities have a true significant impact
  • Initial results
  • 2 Annual FTE savings in small Control Center through machine learning and risk-based work optimization

  • Mostly by reducing patching frequency
  • Future Research
  • Decision support tool implementation for two utilities next month.
  • Develop automated mitigation plan support
  • Publish survey results in Q1 of 2019
  • Contact them if we have interest in the decision support tool
