Low Impact Focus Group Monthly Meeting January 23, 2018


SLIDE 1

Low Impact Focus Group

Monthly Meeting January 23, 2018

SLIDE 2

Forward Together • ReliabilityFirst

Opening Comments

  • This meeting is being recorded.
  • All lines will be muted.
  • In order to comment, you may:
    • Use the WebEx “Raise Hand” feature.
    • Send a message to the presenter via WebEx chat.
  • When commenting, be mindful that this is an open call. RF cannot fully pre-screen the attendees.

SLIDE 3

Announcements

  • NERC’s Antitrust Guidelines are available at:
    • http://www.nerc.com/pa/Stand/Resources/Documents/NERC_Antitrust_Compliances_Guidelines.pdf
  • This is a public call. RF cannot fully pre-screen the attendees.

SLIDE 4

Mailing List

  • ciplifg@lists.rfirst.org
  • This list is intended as a discussion forum.
  • List changes, such as additions or removals, should be sent to: lew.folkerth@rfirst.org

SLIDE 5

Standards Update – Incident Reporting NOPR

  • Background
    • On January 13, 2017, the Foundation for Resilient Societies submitted a petition (https://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=14475801) requesting changes to the CIP Standards regarding enhanced:
      ‒ Malware detection,
      ‒ Malware reporting,
      ‒ Malware mitigation, and
      ‒ Malware removal.
    • In response, on December 21, 2017, FERC issued a Notice of Proposed Rulemaking (NOPR) proposing to enhance the reporting of Cyber Security Incidents.

SLIDE 6

Standards Update – Incident Reporting NOPR

  • CIP-008-5
    • R1: Document one or more Cyber Security Incident response plans
    • R2: Periodically test the plans from R1 by responding to or simulating a Reportable Cyber Security Incident
    • R2: Implement the plans from R1 for an occurrence of a Reportable Cyber Security Incident
    • R2: Retain records of each Reportable Cyber Security Incident
    • R3: Maintain the plans from R1

SLIDE 7

Standards Update – Incident Reporting NOPR

  • CIP-003-6/7 R2 Attachment 1 Section 4
    • Have one or more Cyber Security Incident response plans
    • Implement the plans from R1 for an occurrence of a Cyber Security Incident
    • Periodically test the plans from R1 by responding to or simulating a Reportable Cyber Security Incident
    • Maintain the plans from R1

SLIDE 8

Standards Update – Incident Reporting NOPR

  • Definitions
    • Cyber Security Incident
      ‒ “A malicious act or suspicious event that:
        • Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter or,
        • Disrupts, or was an attempt to disrupt, the operation of a BES Cyber System.”
    • Reportable Cyber Security Incident
      ‒ “A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.”

SLIDE 9

Standards Update – Incident Reporting NOPR

  • Three elements of the proposed directive:
    • Cyber Security Incident Reporting Threshold
    • Content of Cyber Security Incident Reports
    • Timing of Cyber Security Incident Reports

SLIDE 10

Standards Update – Incident Reporting NOPR

  • Cyber Security Incident Reporting Threshold
    • Expand the scope of Cyber Security Incident reporting by:
      ‒ Including compromises or attempts to compromise
      ‒ Including ESP and EACMS

SLIDE 11

Standards Update – Incident Reporting NOPR

  • Content of Cyber Security Incident Reports
    • The functional impact achieved or that was attempted
      ‒ Functional impact is a measure of the actual, ongoing impact to:
        • The organization,
        • The affected BES Cyber Systems, and
        • The ability to protect or operate those BES Cyber Systems.
    • The attack vector used
      ‒ The attack vector is the method used to exploit a vulnerability
    • The level of intrusion that was achieved or attempted
      ‒ The level of intrusion is the extent of the penetration into protected systems

SLIDE 12

Standards Update – Incident Reporting NOPR

  • Timing of Cyber Security Incident Reports
    • Create deadline for filing report with information specified above
      ‒ Take into consideration the severity of the incident
    • Submission of detailed report to both E-ISAC and ICS-CERT

SLIDE 13

Standards Update – Incident Reporting NOPR

  • Observations
    • Use of the terms “ESP,” “EACMS,” and “BES Cyber Systems within the ESP” may mean that the proposed revisions will be intended for high and medium impact BES Cyber Systems only, although this is not yet clear.
    • CIP-008-5 will need to be modified to require activation of the incident response plans for any Cyber Security Incident, not just Reportable Cyber Security Incidents.

SLIDE 14

Standards Update – Supply Chain NOPR

  • Background
    • FERC Order 829 required NERC to develop Supply Chain Cyber Security Standards
    • NERC, through the Standards Development Process, produced and filed the new Standard CIP-013-1 and revised Standards CIP-005-6 and CIP-010-3
    • In approving these Standards for submission to FERC, the NERC Board of Trustees (BoT) approved six resolutions to further study supply chain risks, including the risks to low impact BES Cyber Systems
    • On January 18, 2018, FERC issued a Notice of Proposed Rulemaking (NOPR) proposing to approve these Standards and to order further revisions

SLIDE 15

Standards Update – Supply Chain NOPR

  • Key Points – The NOPR proposes to:
    • Approve CIP-013-1, CIP-005-6, and CIP-010-3
    • Order inclusion of EACMS in the scope of these Standards
    • Order NERC to include PACS and PCA in the BoT-requested study
    • Wait for the BoT-requested study of cyber security supply chain risks associated with low impact assets before taking action on low impact
    • Change the implementation period from 18 months to 12 months

SLIDE 16

Future Meetings

  • Next conference call (WebEx):
    • Tuesday, February 20, 2017 at 11:00AM EST

SLIDE 17

Questions & Answers