CIP Update - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CIP Update
  • Compliance User Group
  • Marriott City Center, Denver, CO
  • September 17, 2009
  • Patrick Miller, CISA, CISSP-ISSAP
  • Manager, CIP Audits and Investigations

2
Disclaimer
  • The Western Electricity Coordinating Council
    (WECC) makes no representation as to the accuracy
    or completeness of the information contained
    herein or otherwise provided by WECC, their
    affiliates or third parties, and accept no
    responsibility or liability, in contract, in
    tort, in negligence, or otherwise, should the
    information be found to be inaccurate or
    incomplete in any respect. WECC is not acting as
    an advisor to the recipient of this information,
    and the ultimate decision to proceed with any
    action rests solely with the recipient of this
    information. Therefore, prior to entering into
    any action, the recipient of this information
    should determine, without reliance upon WECC, the
    economic risks and merits, as well as the legal,
    and accounting characterizations and
    consequences, of the transaction and that it is
    able to assume these risks.

3
CIP Audits & Investigations Staff
  • Josh Axelrod, Compliance Engineer, Cyber Security
    360.567.4067, jaxelrod_at_wecc.biz
  • Bill Fletcher, Compliance Engineer, Cyber Security
    360.567.4061, wfletcher_at_wecc.biz
  • Stacy Bresler, Sr. Compliance Engineer, Cyber Security
    360.567.4058, sbresler_at_wecc.biz
  • Steven Parker, Sr. Compliance Engineer, Cyber Security
    360.567.4055, sparker_at_wecc.biz
  • Patrick Miller, Manager, CIP Audits & Investigations
    360.567.4056, pmiller_at_wecc.biz

4
CIP Compliance Organization
5
CIP Statistics (since 7/1/2008)
  • Recorded Violations: 94
  • Violations Fully Mitigated: 60
  • Entities with Critical Assets: 81
  • Entities with Critical Cyber Assets: 63
  • CIP-applicable entities: 360
  • Most Violated Standard: CIP-004
  • Most Violated Requirement: CIP-004.R3
6
CIP Backlog
As of 9/11/2009 Under review
7
CIP Self Certifications
  • Reviewing 7/1/2009 results 360 entities
  • Will contact you for Not Applicable explanations
  • Tracking and processing violations reported
    through self certifications
  • Reviewing supplemental questionnaire results with
    other Regions and NERC

Under review
8
CIP Spot Checks
  • Feedback has been very positive so far from
    registered entities, NERC and FERC on:
    • WECC's spot check process
    • Breadth and depth of review
    • Adherence to the CMEP
    • Expertise and professionalism of WECC team
  • Receiving regular attendance from FERC and NERC

9
CIP Approach - Security Policy
  • Must address the requirements of CIP-002 through
    CIP-009
  • WECC does a crosswalk to validate that the policy
    addresses the requirements, per R1.1
  • "Company shall adhere to all Federal, State and
    Local regulations" is too generic
  • Not a procedure but a policy
  • Does not need to be a single policy document

10
CIP Approach - Security Policy
11
CIP Approach - Security Policy
  • "Readily available" can be challenging to prove
    • Intranet?
    • Binders?
    • When was it originally posted?

12
CIP Approach - Personnel
  • CIP-004 is the most violated CIP standard
  • CCWG whitepaper may be coming soon
    • Similar to the PRC whitepaper
  • Evidence of specific access rights, training and
    personnel risk assessments will be requested for
    employees, contractors and vendors
  • Do not provide the actual results of background
    checks, only verification and type

13
CIP Approach - Personnel
  • CIP-004 summary table can really help (supporting
    data is still required):
    • Employee ID and name
    • Date electronic access granted
    • Date physical access granted
    • Date electronic access removed
    • Date physical access removed
    • Date of original training
    • Date of annual training
    • Date PRA completed

14
CIP Approach - Security Testing
  • CIP-007.R1
  • Functional testing vs. security testing
    • See the FAQ, CIP-007 Q4, page 23
    • Basic port scans
    • File integrity checking
    • User account review
    • Access controls, audit functions, etc.
  • Test results vs. performance results

15
CIP Approach - Annual
  • 12 months plus or minus one month
    • AOT/CMPWG consensus approach
    • CCWG consensus approach
    • No official/public NERC position - yet
  • Be mindful of the bookend issue
    • When does "annual" begin?
    • Must happen at or before the Compliance date within
      the CIP Implementation Plan
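As an added worked example (editor-supplied, not WECC's tooling and not an official NERC rule), the Python below applies the consensus "12 months plus or minus one month" reading above, together with the at-or-before-Compliance-date point, to rows shaped like the CIP-004 summary table from the Personnel slide. The table rows, the Compliant date, the audit date and the reading of "bookend" as the first and the most recent occurrence are all assumptions.

```python
from datetime import date

# Rules as this example reads the slide (consensus interpretation, not an official NERC
# position): "annual" = 12 months plus or minus one month, i.e. 11 to 13 months between
# occurrences; the first occurrence must fall at or before the entity's Compliant date;
# "bookend" is taken to mean the first and the most recent occurrence are both tested.
# Column names follow the CIP-004 summary table on the Personnel slide.


def add_months(d, months):
    """Same day-of-month `months` later, clamped to the last day of the target month."""
    years, idx = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, idx + 1
    leap = y % 4 == 0 and (y % 100 != 0 or y % 400 == 0)
    last = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][m - 1]
    return date(y, m, min(d.day, last))


def annual_findings(row, compliant_date, as_of):
    """row: dict with employee_id, electronic_access_removed (date or None) and
    training_dates (list of dates: original training plus each annual refresher).
    Returns a list of finding strings; an empty list means the row passes."""
    who = row["employee_id"]
    removed = row.get("electronic_access_removed")
    if removed is not None and removed <= as_of:
        return []  # access already removed: no annual obligation left to test
    dates = sorted(row.get("training_dates", []))
    if not dates:
        return [f"{who}: has access but no training on record"]
    findings = []
    if dates[0] > compliant_date:  # first bookend
        findings.append(f"{who}: first training {dates[0]} is after Compliant date {compliant_date}")
    for prev, nxt in zip(dates, dates[1:]):
        if not (add_months(prev, 11) <= nxt <= add_months(prev, 13)):
            findings.append(f"{who}: gap {prev} -> {nxt} is outside 12 months +/- 1")
    if add_months(dates[-1], 13) < as_of:  # second bookend
        findings.append(f"{who}: last training {dates[-1]} is stale as of {as_of}")
    return findings


def demo():
    """Constructed summary-table rows (not real personnel data) checked against a
    constructed Compliant date of 2009-07-01 and a constructed audit date of 2010-09-17."""
    compliant, as_of = date(2009, 7, 1), date(2010, 9, 17)
    table = [
        {"employee_id": "1001", "training_dates": [date(2009, 6, 1), date(2010, 6, 15)]},
        {"employee_id": "1002", "training_dates": [date(2009, 6, 1), date(2010, 8, 15)]},
        {"employee_id": "1003", "training_dates": [date(2009, 8, 1)]},
        {"employee_id": "1004", "training_dates": [], "electronic_access_removed": date(2010, 1, 5)},
        {"employee_id": "1005", "training_dates": []},
    ]
    return {row["employee_id"]: annual_findings(row, compliant, as_of) for row in table}
```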

16
Documentation
  • Be prepared to provide all evidence and
    documentation for the entire audit period
    • CIP Implementation Plan "C" (Compliant) date, or
    • Accepted Completed Mitigation Plan date
  • Include revision histories within documentation
    with specific changes
  • Document owners, dates, versions, classification,
    etc. - formalize

17
Show and Tell
  • Tell the auditor how you meet the requirement
    (protocol)
    • Often policy, process, procedure, etc.
  • Show the auditor that you are actually meeting
    the requirement (proof)
    • Supporting evidence: logs, spreadsheets,
      documents, database extracts, captures, etc.
  • Covering both angles is necessary

18
CIP Evidence Handling
  • At some point in the near future, WECC will be
    taking all CIP evidence provided before/at/during
    the CIP Spot Check or Compliance Audit
  • This will be a shift from previous practice of
    leaving all sensitive information with the entity
  • All Regions are moving to this model

19
CIP Evidence Handling
  • What gives WECC the authority to do this?
    • Energy Policy Act of 2005
    • Section 215 of the Federal Power Act
    • Implementing Rule 18 CFR 39 (Order 672)
    • Responsibility and Oversight assigned to FERC
    • FERC designated NERC as Electric Reliability Org.
    • NERC has a delegation agreement with WECC
  • Authority to Request Evidence
    • Mandatory Reliability Standards
    • Implementing Rule 18 CFR 40 (Order 706)
      • Issued January 18th, 2008
    • NERC CPB 2009-004v2.0

20
CIP Evidence Handling
  • Best practice security measures will be used to
    protect the Region's CIP data
  • Will not remove/receive CIP sensitive information
    until appropriate security measures are in place
  • Will keep the Registered Entities informed of all
    changes in advance
  • Expected date of process change is not yet known

21
CIP Spot Check Schedule
  • CIP Spot Checks will be conducted through
    December 2010
  • Previous schedule had all CIP Spot Checks
    completed by 6/30/2010, with only the first 13
    requirements as initial scope
  • CIP Spot Checks conducted after 7/1/2010 will
    cover all 41 CIP requirements
  • The new schedule is posted on the Compliance
    website

http://compliance.wecc.biz/Application/ContentPageView.aspx?ContentId=195
22
CIP Spot Check Schedule
  • CIP Spot Checks were bundled into pre-existing
    Order 693 Compliance Audit cycles
  • Entities with no Order 693 Compliance Audit
    scheduled for this cycle will have a standalone
    CIP Spot Check
  • 60-day notice will still be given for both
    (combo or standalone)

23
CIP Spot Check Timetable
  • Monday
    • Onsite arrival and team meeting
    • 1 PM - Introductory Presentations
    • 3 PM - Start the auditing process
  • Tuesday, Wednesday and Thursday
    • 8 AM to 5 PM - Auditing
    • Final call for evidence is 2 PM Thursday
  • Friday
    • Spot check team determines findings
    • Develop closing presentation
    • 1 PM (no later than) - Closing Presentation

24
Spot Check (Audit) Logistics
  • Spot Check (Audit) Room
    • One conference room large enough to comfortably
      hold the WECC spot check team with room for laptops
      and working documents
    • One USB printer is needed
  • Interview Rooms
    • At least one, preferably two, smaller conference
      rooms or closed enclaves to perform interviews.
      Need to be able to hold at least four persons.
  • Lunches and Refreshments (WECC Spot Check Team)
    • Onsite coffee, lunches and afternoon snack need to
      be provided
    • Please provide bill/receipt to WECC Spot Check
      Team Lead for reimbursement

25
Opening Presentations
  • WECC Presentation
    • WECC Spot Check Team Lead will need about 15
      minutes to set up
    • 15-20 minute opening presentation
    • Overview of Spot Check process
  • Entity Presentation
    • Brief (30 min max) presentation describing
      company history, organizational structure,
      computer systems, compliance culture, etc.

26
CIP Spot Check Scope - Required
  • Currently monitored and enforceable CIP standards
    (first 13):
    • CIP-002, Requirements 1, 2 and 3
    • CIP-003, Requirements 1, 2 and 3
    • CIP-004, Requirements 2, 3 and 4
    • CIP-007, Requirement 1
    • CIP-008, Requirement 1
    • CIP-009, Requirements 1 and 2

27
CIP Spot Check Scope - Expanded
  • Though the default required set is only the 13
    actively monitored standards and requirements,
    the WECC Spot Check Team has authority to expand
    the Spot Check scope to any CIP requirement in
    the Compliant phase of the CIP Implementation
    Plan for all applicable functions during the spot
    check if there is reason to believe violations
    exist.

28
CIP Spot Check Scope - Expanded
  • Will only expand scope for cause
    • Not an arbitrary decision
    • Based on evidence
  • Will communicate reasoning and extent of scope
    expansion to entity as early as possible during
    the spot check
  • Will document scope expansion within spot check
    report and respective QRSAW

29
CIP Spot Check Process
  • Entity will be required to submit information in
    advance via portal
  • Entity will list all documents to be offered as
    evidence in the Supporting Evidence and
    Documentation section of the RSAW for each
    Standard/Requirement
  • Do not enter statements of compliance or embed
    documents in the RSAWs
  • No binders

30
CIP Spot Check Evidence
  • Shall be provided on CD/DVD ROM
    • We've had problems with USB
  • Folder structure: one folder per standard, one
    folder per requirement
  • A SHA-256 hash shall be provided for every document
    submitted as evidence; may come as a table,
    spreadsheet, etc. covering all evidence

31
CIP Spot Check Process
  • RSAWs are used to document evidence reviewed and
    determinations of compliance
  • All audit information is stored in RSAWs,
    including hashes and locations or pointers to
    evidence (document title, revision, dates,
    approving authority, page, section, etc.),
    interview notes and auditor observations
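As an added illustration of the evidence format on the two slides above (editor-supplied example code, not WECC's or NERC's own tooling), the Python below builds a SHA-256 manifest over an evidence tree laid out one folder per standard and one folder per requirement, renders it as the table/spreadsheet the slide asks for, and re-verifies it so a document that changed after submission is caught. The folder layout, file names and file contents are constructed assumptions.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Assumed layout (constructed for this example): <root>/<standard>/<requirement>/<file>,
# e.g. evidence/CIP-003/R1/cyber-security-policy.pdf
CHUNK = 1 << 20  # hash in 1 MiB pieces so large captures and extracts are not read into RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk the evidence tree; one row per file: standard, requirement, path, bytes, sha256."""
    root = Path(root)
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if len(rel.parts) < 3:  # not under <standard>/<requirement>/, so it cannot map to an RSAW line
            raise ValueError(f"{rel} is not filed under a standard/requirement folder")
        rows.append({"standard": rel.parts[0], "requirement": rel.parts[1],
                     "path": rel.as_posix(), "bytes": path.stat().st_size,
                     "sha256": sha256_file(path)})
    return rows


def manifest_csv(rows):
    """Render the manifest as CSV text, the table/spreadsheet the slide asks for."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["standard", "requirement", "path", "bytes", "sha256"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def verify_manifest(root, rows):
    """Re-hash every listed file. Returns {path: 'missing' | 'modified'}; empty dict = all good."""
    root = Path(root)
    problems = {}
    for row in rows:
        path = root / row["path"]
        if not path.is_file():
            problems[row["path"]] = "missing"
        elif sha256_file(path) != row["sha256"]:
            problems[row["path"]] = "modified"
    return problems


def demo():
    """Constructed sample tree (not real evidence), hashed, then one file altered in place
    to show the re-verification catching a document that changed after submission."""
    tmp = Path(tempfile.mkdtemp())
    files = {"CIP-003/R1/cyber-security-policy.txt": b"Policy v3, approved 2009-06-30\n",
             "CIP-004/R3/pra-summary.csv": b"employee_id,pra_completed\n1001,2009-03-02\n"}
    for rel, data in files.items():
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_bytes(data)
    rows = build_manifest(tmp)
    clean = verify_manifest(tmp, rows)  # {} because every hash still matches
    (tmp / "CIP-004/R3/pra-summary.csv").write_bytes(b"employee_id,pra_completed\n1001,2009-09-02\n")
    return rows, clean, verify_manifest(tmp, rows)  # third value flags the altered file
```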

32
CIP Spot Check Exit Presentation
  • The exit presentation will:
    • Summarize all spot check findings
    • Present any areas of concern or suggestions
      • Concerns do not result in a possible violation
      • Suggestions help future compliance position
    • Explain all next steps (spot check report
      completion, comments, review, approval, etc.)
  • Spot check reports are not sent to NERC
    • Only violations are forwarded, per CMEP

33
Lessons Learned
  • At least one daily check in with the entity
    contact is highly beneficial to both parties
  • Monitor all data and interview requests closely
    to allow appropriate time for delivery and review;
    escalate if needed

34
Lessons Learned
  • Electronic evidence is good and bad
    • Some things are just easier to read in print
    • Please provide a shred bin
  • PDFs are not always the best option
    • Often come as image scans, no OCR
    • Often come locked with no ability to copy, print,
      etc.
  • CD/DVD ROM is best
  • Some documents change just by being opened
  • Hashing is less difficult than originally thought

35
Lessons Learned
  • Label classified media such as CD/DVD ROMs and
    all appropriate evidence, per CIP-003.R4
  • Provide attestations of no event
    • E.g. "No exceptions to policy" per CIP-003.R3

36
Break
37
TFE Background
  • Not a CIP-003.R3 exception
  • Interim guidance originally issued by NERC on
    7/1/2009
  • Process posted for comment on 8/25/2009
  • New process and forms are being developed and
    should be available in the very near future
  • Significant/substantive industry comments

38
WECC Position on TFEs
  • Not adopted yet, much is still in question
  • WECC does not currently consent to the process as
    proposed on 8/25/2009
  • WECC wants 90 days for all Regions to begin
    processing TFEs, assess workload and develop
    appropriate work plan without deadlines
  • Lesson learned from prior experience

39
Current TFE Process Status
  • NERC is reviewing this week (one week window),
    may or may not change proposal
  • NERC expects to issue additional interim guidance
    at the end of the week or early next week
  • NERC plans to open doors for TFE processing by
    9/21/09
  • NERC will release the final instructions with the
    Interim Bulletin

40
TFE Next Steps, Upon Approval
  • File the ROP change to FERC (if adopted by NERC
    BOT)
  • Develop a final educational package and program
    for Industry
  • Stand up TFE program(s) and staff/develop
    implementation for all Regions and NERC
  • Technical implementation projects to develop
    information exchange tools between NERC and
    Regions

41
Potential TFE Scope
  • Requirements most likely eligible for TFE
    Request, but there may be more:
    • CIP-005-1/R2.4
    • CIP-005-1/R2.6
    • CIP-005-1/R3.1
    • CIP-005-1/R3.2
    • CIP-006-1/R1.1
    • CIP-007-1/R2.3
    • CIP-007-1/R3.2
    • CIP-007-1/R4
    • CIP-007-1/R4.1
    • CIP-007-1/R5.3
    • CIP-007-1/R5.3.1
    • CIP-007-1/R5.3.2
    • CIP-007-1/R5.3.3
    • CIP-007-1/R6
    • CIP-007-1/R6.3

42
Possible TFE Areas
  • The following slides provide supplemental
    awareness with respect to use of the proposed
    Technical Feasibility Exception (TFE) Process,
    prepared by the CCWG
  • The slides list potential factors that might
    trigger a TFE.
  • The proposed Technical Feasibility Exception
    Process is located at
    http://www.nerc.com/files/Final_TFE_Posting_08-25-09.pdf
  • This presentation is not authoritative and should
    not be used to supersede information in the above
    referenced document

43
CIP-005-1/R2.4
  • R2.4. Where external interactive access into the
    Electronic Security Perimeter has been enabled,
    the Responsible Entity shall implement strong
    procedural or technical controls at the access
    points to ensure authenticity of the accessing
    party, where technically feasible.
  • Legacy system
  • No feasible upgrade path

44
CIP-005-1/R2.6
  • R2.6. Appropriate Use Banner: Where technically
    feasible, electronic access control devices shall
    display an appropriate use banner on the user
    screen upon all interactive access attempts. The
    Responsible Entity shall maintain a document
    identifying the content of the banner.
  • Access control point that does not support a
    login banner
  • External dial-up modem that cannot support a
    banner
  • ILO and other out-of-band interfaces that do not
    support banners

45
CIP-005-1/R3.1
  • R3.1. For dial-up accessible Critical Cyber
    Assets that use non-routable protocols, the
    Responsible Entity shall implement and document
    monitoring process(es) at each access point to
    the dial-up device, where technically feasible.
  • Dial-up device cannot be front-ended with an
    access control device

46
CIP-005-1/R3.2
  • R3.2. Where technically feasible, the security
    monitoring process(es) shall detect and alert for
    attempts at or actual unauthorized accesses.
    These alerts shall provide for appropriate
    notification to designated response personnel.
    Where alerting is not technically feasible, the
    Responsible Entity shall review or otherwise
    assess access logs for attempts at or actual
    unauthorized accesses at least every ninety
    calendar days.
  • Systems implemented do not support alerting
  • Systems cannot connect to an external
    communication system to communicate alerts

47
CIP-006-1/R1.1
  • R1.1. Processes to ensure and document that all
    Cyber Assets within an Electronic Security
    Perimeter also reside within an identified
    Physical Security Perimeter. Where a completely
    enclosed (six-wall) border cannot be
    established, the Responsible Entity shall deploy
    and document alternative measures to control
    physical access to the Critical Cyber Assets.
  • Entity has implemented alternative measures in
    lieu of a six-wall boundary

48
CIP-007-1/R2.3
  • R2.3. In the case where unused ports and services
    cannot be disabled due to technical limitations,
    the Responsible Entity shall document
    compensating measure(s) applied to mitigate risk
    exposure or an acceptance of risk.
  • Permitted where ports and services cannot be
    configured

49
CIP-007-1/R3.2
  • R3.2. The Responsible Entity shall document the
    implementation of security patches. In any case
    where the patch is not installed, the Responsible
    Entity shall document compensating measure(s)
    applied to mitigate risk exposure or an
    acceptance of risk.
  • Decision has been made that the patch cannot be
    installed at this time
    • Vendor directive
    • Testing proves incompatibility
    • Insufficient information to make determination
      for installation

50
CIP-007-1/R4
  • R4. Malicious Software Prevention: The
    Responsible Entity shall use anti-virus software
    and other malicious software (malware)
    prevention tools, where technically feasible, to
    detect, prevent, deter, and mitigate the
    introduction, exposure, and propagation of
    malware on all Cyber Assets within the Electronic
    Security Perimeter(s).
  • Device with embedded processor, such as:
    • Relay, PLC, network switch, hub, printer, remote
      KVM, serial server, VOIP phone, stand-alone
      firewall, router, RTU, storage devices (SAN/NAS),
      alarm panel, badge reader, GPS receiver
  • Product maintained by vendor which does not
    permit anti-malware installation (black box)

51
CIP-007-1/R4.1
  • R4.1. The Responsible Entity shall document and
    implement anti-virus and malware prevention
    tools. In the case where anti-virus software and
    malware prevention tools are not installed, the
    Responsible Entity shall document compensating
    measure(s) applied to mitigate risk exposure or
    an acceptance of risk.
  • See R4

52
CIP-007-1/R5.3
  • R5.3. At a minimum, the Responsible Entity shall
    require and use passwords, subject to the
    following, as technically feasible:
  • Legacy systems that do not support passwords

53
CIP-007-1/R5.3.1
  • R5.3.1. Each password shall be a minimum of six
    characters.
  • Legacy and other devices that do not support a
    restriction of six character or greater passwords
  • Legacy devices that do not permit passwords as
    long as six characters

54
CIP-007-1/R5.3.2
  • R5.3.2. Each password shall consist of a
    combination of alpha, numeric, and special
    characters.
  • Legacy and other devices that do not support a
    restriction to complex passwords with all 3
    elements
  • Systems and devices that cannot be configured to
    restrict the complexity of passwords to that
    specified
  • Note that, in most cases, it is feasible to apply
    appropriate complexity rules within the Microsoft
    Active Directory (Windows) environment

55
CIP-007-1/R5.3.3
  • R5.3.3. Each password shall be changed at least
    annually, or more frequently based on risk.
  • Legacy devices that do not permit password
    changes
  • Devices that cannot be changed without an outage
    of the device (may need to wait for a planned
    outage of sufficient duration)

56
CIP-007-1/R6
  • R6. Security Status Monitoring: The Responsible
    Entity shall ensure that all Cyber Assets within
    the Electronic Security Perimeter, as technically
    feasible, implement automated tools or
    organizational process controls to monitor system
    events that are related to cyber security.
  • Systems and devices that do not support
    monitoring and that cannot be effectively
    monitored by an external device

57
CIP-007-1/R6.3
  • R6.3. The Responsible Entity shall maintain logs
    of system events related to cyber security, where
    technically feasible, to support incident
    response as required in Standard CIP-008.
  • Legacy and other systems that do not support a
    log of sufficient size to comply
  • Systems that cannot configure log retention to at
    least the required time

58
Proposed TFE Forms
  • Part A
    • Brief overview of the request for TFE and
      mitigating measures (and/or plan)
    • Must be complete to be processed
    • See instructions included with TFE proposal from
      NERC (five pages)
    • Will likely be submitted through the Portal
  • Part B
    • Specific and detailed portion of the request

59
Informal TFE Survey
  • How many will your organization be submitting?
  • Rough numbers are fine
  • Use this presentation as a guide
  • Use the proposed public process, forms and
    instructions as a guide even though the process
    is not formally adopted yet
  • Please provide your TFE forecast numbers to
    lmilanes_at_wecc.biz by 9/30/2009 or sooner

60
Getting Help
  • CUG
  • CIPUG
  • EnergySec
  • WICF
  • NERC (training webinars starting soon)
  • Choose your vendors carefully

61
Upcoming CIPUG/EnergySec
  • September 22nd: CIPUG Meeting
  • September 23rd and 24th: EnergySec
  • Joint meeting, but separate events
    • Same hotel, Seattle WA
    • Different registrations
    • CIPUG is $100
    • EnergySec Summit is free

62
9/22 Seattle CIPUG Agenda
63
Questions?
Patrick Miller, CISA, CISSP-ISSAP
Manager, CIP Audits and Investigations
Western Electricity Coordinating Council
360.567.4056
pmiller_at_wecc.biz
7600 NE 41st Street, Suite 160, Vancouver, WA 98662