Mick Neshem, CISA, CISSP, CSSA
Senior Compliance Auditor – Cyber Security
CIP-005-5 Compliance Outreach
CIP v5 Roadshow, May 14-15, 2014, Salt Lake City, UT
V5 Open Actions [SAR 1-4]
• Modify or remove the IAC in the 17 impacted requirements [February 3, 2015]
• Develop modifications to the CIP standards to address security controls for Low impact assets
• Develop requirements to protect transient electronic devices (thumb drives, laptops) that do not meet the BES Cyber Asset definition
• Create a definition of “communication networks” and develop new or modified standards that address the protection of communication networks [February 3, 2015]
• Study the application of the 15-minute parameter for identification of BES Cyber Assets and the impact of this time constraint on the overall security and reliability of the BES
Source: SDT Industry Webinar.pdf, April 22, 2014
FERC Staff Technical Conference (4/29/14)
• Whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access
• Adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks
• Functional differences between the respective methods used for identification, categorization, and specification of appropriate levels of protection for cyber assets under the CIP version 5 Standards, as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework
http://ferc.gov/CalendarFiles/20140227165846-RM13-5-000TC.pdf
FERC Technical Conference Update
• Significant discussion regarding Communications Networks
• Cyber Systems’ use of non-routable communication
• Cyber Security Procurement Processes
• NIST Risk Management Framework and Cyber Security Framework
Terminology
• Cyber Asset
• BES Cyber Asset (BCA)
• BES Cyber Systems (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Electronic Access Point (EAP)
• Dial-up Connectivity
V3 vs. V5 Requirement Count
• CIP v3 (Version 3): 5 Requirements, 26 Sub-requirements
• CIP v5 (Version 5): 2 Requirements, 8 Parts
IAC
• 17 CIP Requirements include IAC (Identify, Assess and Correct) language (2/3/2015)
• CIP-005-5 contains no Identify, Assess and Correct language in its requirements
CIP-002-5 & CIP-005-5
• CIP-002-5 is the initial identification of the BES Cyber System
• It is important for the CIP-002-5 and CIP-005-5 teams in your organization to work closely together in the identification of BES Cyber Systems and Impact Rating Criteria (IRC)
• ESP boundaries and High Water Mark impacts may affect CIP-005-5 architecture
High Level Relationships [CIP-002-5]
[Diagram, three slides: BES Assets are divided into High Impact Facilities (R1.1: Control Centers and Backup Control Centers of an RC, BA, TOP or GOP that meet the CIP-002-5 Attachment 1 Section 1 criteria) and Medium Impact Facilities (R1.2: meet the CIP-002-5 Attachment 1 Section 2 criteria). Each contains BES Cyber Systems (BCS), which are made up of BES Cyber Assets; Protected Cyber Assets (PCA) are associated with each BCS.]
• BES Cyber System: one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
• Cyber Asset: programmable electronic devices, including the hardware, software, and data in those devices
• BES Cyber Asset: a Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)
CIP-005-5 R1.1 [ESP]
[Decision diagram: High Impact BCS or Medium Impact BCS (each with associated PCAs) → Internal Routable Connectivity? YES → R1.1 requires an ESP.]
• Electronic Security Perimeter: the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol
• Protected Cyber Asset: one or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
Electronic Security Perimeter
• Version 3 (1/18/2008): The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
• Version 5 (4/1/2016): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Electronic Security Perimeter(s) ‘defined’
• The ESP defines a zone of protection around the BES Cyber System
• It helps determine which systems or Cyber Assets are in scope and what Impact Rating the Cyber Systems meet, which ultimately determines which requirements are applicable
ESPs
• Isolated
• Discrete
• Extended
Isolated ESP
• An ESP network with no external connectivity
• An ESP (a logical border) is required around every routable-protocol network that contains a BES Cyber System, even if it is an isolated network with no external connectivity
Isolated ESP – No External Communications
[Diagram: an EMS Electronic Security Perimeter with no external connection. EMS servers and workstations are BCAs grouped as a BCS (CIP-002); non-BCS workstations, a file server and a printer on the same routable network are PCAs; the switch and router are labelled BCA/PCA. CIP-002, CIP-005 and CIP-007 labels mark the applicable standards.]
High Water Mark
• The CIP Cyber Security Standards do not require network segmentation of BES Cyber Systems by impact classification
• A new concept arising from the tiered impact model
• Many different impact classifications can be identified within an ESP; however, the highest-level BCS within the ESP sets the High Water Mark for all associated assets within that ESP
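The High Water Mark rule, the PCA definition and the 30-consecutive-day exclusion are easy to apply inconsistently across a multi-BCS ESP. The following Python model is an added example, not part of the presentation or of any NERC material: it walks one constructed EMS ESP through the rules. The record layout (`CyberAsset`), the role labels (BCA, PCA, EXCLUDED, NOT_PCA) and the asset names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordering used to pick the High Water Mark of an ESP (CIP-002-5 impact ratings
# that can sit inside an ESP; Low impact assets are outside this model).
IMPACT_RANK = {"MEDIUM": 1, "HIGH": 2}

# Purposes named in the 30-consecutive-day exclusion of the BCA and PCA definitions.
TRANSIENT_PURPOSES = {"data transfer", "vulnerability assessment",
                      "maintenance", "troubleshooting"}


@dataclass
class CyberAsset:
    """One Cyber Asset attached to the ESP network (constructed model, not a NERC format)."""
    name: str
    routable: bool                        # connected using a routable protocol
    bcs_impact: Optional[str] = None      # rating of the BCS this BCA belongs to; None if not a BCA
    days_connected: Optional[int] = None  # consecutive days connected (temporarily attached devices)
    purpose: Optional[str] = None         # why a temporarily attached device is connected


def is_transient(asset: CyberAsset) -> bool:
    """30-day exclusion: 30 consecutive days or less AND used for one of the listed purposes."""
    return (asset.days_connected is not None
            and asset.days_connected <= 30
            and asset.purpose in TRANSIENT_PURPOSES)


def high_water_mark(assets: List[CyberAsset]) -> Optional[str]:
    """Highest BCS impact rating present in the ESP; None when the ESP holds no BCS."""
    ratings = [a.bcs_impact for a in assets if a.bcs_impact in IMPACT_RANK]
    if not ratings:
        return None
    return max(ratings, key=IMPACT_RANK.__getitem__)


def classify_esp(assets: List[CyberAsset]) -> Tuple[Optional[str], Dict[str, Tuple[str, Optional[str]]]]:
    """Return (high water mark, {asset name: (role, impact level it must be protected at)})."""
    hwm = high_water_mark(assets)
    roles: Dict[str, Tuple[str, Optional[str]]] = {}
    for a in assets:
        if a.bcs_impact:
            # A BCA keeps its own BCS membership, but every asset in the ESP is
            # protected at the ESP's High Water Mark, not at its own BCS rating.
            roles[a.name] = ("BCA", hwm)
        elif is_transient(a):
            roles[a.name] = ("EXCLUDED", None)   # not a PCA under the 30-day exclusion
        elif a.routable:
            roles[a.name] = ("PCA", hwm)         # routable, inside the ESP, not part of a BCS
        else:
            roles[a.name] = ("NOT_PCA", None)    # the PCA definition requires a routable connection
    return hwm, roles


# Constructed sample: one EMS ESP holding a HIGH BCS and a MEDIUM BCS (a multi-BCS ESP).
EMS_ESP = [
    CyberAsset("ems-server-01", routable=True, bcs_impact="HIGH"),
    CyberAsset("rtu-gateway-01", routable=True, bcs_impact="MEDIUM"),
    CyberAsset("file-server-01", routable=True),
    CyberAsset("vendor-laptop-10d", routable=True, days_connected=10, purpose="troubleshooting"),
    CyberAsset("vendor-laptop-45d", routable=True, days_connected=45, purpose="troubleshooting"),
    CyberAsset("serial-printer-01", routable=False),
]

if __name__ == "__main__":
    hwm, roles = classify_esp(EMS_ESP)
    print("High Water Mark:", hwm)
    for name, (role, level) in roles.items():
        print(f"{name:18} {role:9} protect at: {level}")
```

The point the sample makes is that the MEDIUM gateway and the file server both end up protected at HIGH once they share an ESP with a HIGH BCS, while the vendor laptop changes role purely on how long it stays connected.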
Extended ESP
[Diagram: one Extended ESP spanning multiple sites, each holding a BES Cyber System.]
[Diagram: the same Extended ESP with a connection to the corporate (CORP) network.]
Extended ESP
• “If an entity wishes to state that a wide area network of sites are within one ESP, regardless of encryption, then all Cyber Assets (which includes, e.g., all communication or networking equipment) within that very large ESP become associated PCAs and must meet the Requirements of the highest level BES Cyber System in the ESP. The standards do not preclude doing this, but there are implications that Responsible Entities should take into account.” Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 45)
CIP-005-5 Communication Equipment
• Communications equipment between sites
• If using routable communication, the communications equipment connecting discrete ESPs is not in scope (CIP-005-5 exemption 4.2.3.2)
• Extended ESPs will need to include the communications equipment; “discrete” ESPs do not
• Serial communications equipment will be included, as no exclusion exists
• This is TBD by the communication networks standard work in progress: wait and see, and GET INVOLVED
• Contact Ryan Stewart at NERC to be added to the SDT Plus list: Ryan.Stewart@nerc.net
BCS Boundaries
• Can a BCS span multiple facilities, crossing discrete ESPs?
Example EMS ESP [Routable]
[Diagram: an EMS Electronic Security Perimeter containing workstations, a printer, a file server, an access control server, a switch and the EMS servers; a firewall EAP toward CorpNet with a DMZ holding access control and intermediate servers (EACM), and a router/firewall EAP toward the EMS WAN. CIP-005 and CIP-007 labels mark the applicable standards; the assets still carry legacy v3 CCA labels.]
Example EMS ESP [Routable]
[Diagram: the same ESP labelled with v5 roles: the EMS servers and workstations are BCAs forming a BCS; the non-BCS workstations, file server, printer, switch and router are PCAs; the DMZ servers are EACMs. Callout: all PCA devices take on the impact level of the BCS.]
Example EMS ESP [Multi-BCS ESP]
[Diagram: the same ESP holding two BCS, one MEDIUM and one HIGH, within a single ESP.]
Example EMS ESP [High Water Mark Impact]
[Diagram: the same ESP after the High Water Mark is applied. Callout: all PCA devices take on the impact level of the BCS.]
Non-Routable BCS
• Cyber Assets are subject to the CIP standards based on their functionality and the resultant potential impact to BES reliability
• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions)
• A BES Cyber System may include non-routable (serial) devices. End-point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets even if no routable communications exist. Therefore, there are v5 requirements to be addressed (e.g. CIP-007-5)
BCS and ESPs
• Does a BCS require an ESP?
• A BCS may not require an ESP
• A BCA with no routable connectivity cannot be part of an ESP
• The level of protection required depends on the classification (IRC) of the asset
• The entity is still required to apply the CIP-007 protections that apply to a BCA/PCA
[Diagram: mixed-connectivity BCS containing routable BCAs and a non-routable BCA.]
[Diagram: non-routable BCS.]
Measures (Part 1.1)
• List of BES Cyber Systems
• List of BES Cyber Assets within each BCS (a BCA may be included in more than one BCS)
• List of Protected Cyber Assets (associated assets)
• ESP network topology, including subnets
• Cyber Asset IP addresses
CIP-005-5 R1.2 [Electronic Access Point]
[Decision diagram: High Impact BCS or Medium Impact BCS (each with associated PCAs) → Internal Routable Connectivity? YES → R1.1 requires an ESP → External Routable Connectivity? YES → R1.2 requires an Electronic Access Point.]
• External Routable Connectivity: the ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection
• Electronic Access Point: a Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter
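The R1.1/R1.2 decision above, the non-routable BCS case from the earlier slides (no ESP is possible, but CIP-007 still applies) and the evidence items under Measures (Part 1.1) fit together as one small check. This Python example is added here and is not from the presentation or from NERC; its data model (the `Asset` and `EspCandidate` records, the `external_routable` flag, and the sample device names and addresses) is constructed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    """Cyber Asset record (constructed model; the field names are this example's, not NERC's)."""
    name: str
    role: str                       # "BCA" or "PCA"
    bcs: Tuple[str, ...] = ()       # BCS names; a BCA may be included in more than one BCS
    ip: Optional[str] = None        # "addr/prefix" of its routable interface; None if serial only


@dataclass
class EspCandidate:
    """A network holding BES Cyber Systems that is being evaluated under R1.1 and R1.2."""
    name: str
    assets: List[Asset]
    external_routable: bool         # bi-directional routable access to a BCS from outside the border


def has_internal_routable_connectivity(esp: EspCandidate) -> bool:
    return any(a.ip is not None for a in esp.assets)


def cip005_applicability(esp: EspCandidate) -> Dict[str, bool]:
    """Decide R1.1 (ESP) and R1.2 (EAP); CIP-007 protections apply to BCAs/PCAs either way."""
    routable = has_internal_routable_connectivity(esp)
    if esp.external_routable and not routable:
        # ERC is defined as a bi-directional *routable* connection, so this input is inconsistent.
        raise ValueError(f"{esp.name}: External Routable Connectivity claimed for a non-routable BCS")
    return {
        "R1.1 ESP required": routable,
        "R1.2 EAP required": routable and esp.external_routable,
        "CIP-007 applies": True,
    }


def part_1_1_measures(esp: EspCandidate) -> Dict[str, object]:
    """Assemble the evidence items listed under Measures (Part 1.1) from the asset records."""
    bcs_members: Dict[str, List[str]] = {}
    for a in esp.assets:
        if a.role == "BCA":
            for b in a.bcs:
                bcs_members.setdefault(b, []).append(a.name)
    addresses = {a.name: a.ip for a in esp.assets if a.ip}
    # Subnets are derived from the interface prefixes, giving the topology evidence item.
    subnets = sorted({str(ip_interface(ip).network) for ip in addresses.values()})
    return {
        "BES Cyber Systems": sorted(bcs_members),
        "BCAs per BCS": bcs_members,
        "Protected Cyber Assets": [a.name for a in esp.assets if a.role == "PCA"],
        "ESP subnets": subnets,
        "Cyber Asset IP addresses": addresses,
    }


# Constructed samples: a routable EMS network with ERC, and serial-only substation relays.
EMS_CANDIDATE = EspCandidate("EMS ESP", [
    Asset("ems-server-01", "BCA", bcs=("EMS", "SCADA"), ip="10.10.1.5/24"),
    Asset("ems-hmi-01", "BCA", bcs=("EMS",), ip="10.10.2.7/24"),
    Asset("file-server-01", "PCA", ip="10.10.1.20/24"),
], external_routable=True)

SERIAL_CANDIDATE = EspCandidate("Substation relays (serial)", [
    Asset("relay-01", "BCA", bcs=("Substation-A",)),   # serial only: cannot be part of an ESP
    Asset("relay-02", "BCA", bcs=("Substation-A",)),
], external_routable=False)

if __name__ == "__main__":
    for candidate in (EMS_CANDIDATE, SERIAL_CANDIDATE):
        print(candidate.name, cip005_applicability(candidate))
    print(part_1_1_measures(EMS_CANDIDATE))
```

The inconsistency check is deliberate: a record that claims External Routable Connectivity for a BCS with no routable interface points at a data-collection error, and surfacing it early is cheaper than explaining it in an audit.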
Change Rationale (Part 1.2)
• Changed to refer to the defined terms Electronic Access Point (EAP, versus “ESP access point”) and BES Cyber System
• External routable connectivity and the ESP logical border are defined by the implementation of Electronic Access Points (EAPs)
Electronic Access Point ‘identified’
• Firewalls
• Modems
• VPN concentrators
• Dual-homed systems
• Protocol converters (communications controllers, FEP, etc.)
• Etc.