150 likes | 164 Vues
This report analyzes CIP violation data trends from 2012 to 2015, highlighting the decrease in violation volume, increased use of automated tools, and self-reporting by larger entities. It also discusses the drivers behind positive trends and observations, emphasizing the importance of continuous improvement in ensuring compliance and security.
E N D
CIP Violation Data Trends2012-2015 Deandra Williams-Lewis
Violation Volume Decreasing • 2010: Mandatory Compliance for all CIP Standards Begins; RF commences full scope audits; Entities at beginning stages of CIP implementation • 2015: Maturation of CIP programs; Increased use of automated tools; increased outreach
Majority of Violations are Self-Reported • Larger Entities Drive Volume of Self-Reports • Two audit outliers in 2014 responsible for 92 of 117 audit violations, otherwise steady downward trend
Volume Driven by High-Frequency Conduct • Requirements concerning “high-frequency conduct” drive volume • CIP-004, R4(access: lists for cyber access and physical access; revoking privileges) • CIP-006, R1 (physical security of critical cyber assets: physical access logging) • CIP-007, R5 (account management: passwords and access lists) • These violations tend to be self-reported and pose a lesser risk • However, can be indicative of systemic issues
Detection and Reporting Duration Impovement • Decrease between Deemed and Reporting Dates • Average 317 decrease in days (trending downward) *Includes noncompliance start date, time to identify, assess, correct, and then report
Improved Risk Posture • Year-over-year decrease in severity • 75% of CIP violations are Minimal to Moderate risk • 9% of CIP violations are serious risk • implementation issues • culture and programmatic issues
Volume Driven by Larger Entities • Larger entities have experienced initial implementation challenges • More assets, business units, and people = more challenges • 100% of serious risk issues concern larger entities • 93.3% of audit findings concern larger entities • 79.8% of all violations driven by large entities • CIP Themes Report: identified and shared common themes
Observations • Possible Drivers of Positive Trending • Maturation (both RF and Entities) • Active Monitoring and Enforcement • Trending, Analytics, and Sharing • Assist Visits and Outreach • CIP Themes Report • Case Study Outreach • Remain Vigilant – Moving Target • Dynamic Regulatory Approach • Focus on continuous improvement • Violations not always indicative of security state • Volume can indicate strong detective controls or weak preventative/corrective controls • Paper compliance does not equal security
Common CIP Themes Patrick O’Connor
Purpose of CIP Themes Report • IDENTIFY • Common themes underlying systemic CIP violations. • Possible resolutions • Not directive because “one size does notfit all” • Based on RF’s observations through years of compliance monitoring and enforcement activities • Collaborated with entities that dealt with higher risk CIP Violations • In coordination with NERC • COMMUNICATE • Raise awareness and prevent recurrence • Report available on RF’s website
Scenario #1 • Entity implemented tools to monitor its account usage. • Entity did not configure these properly, causing voluminous logs that could not be meaningfully digested. • Entity implemented tool to automatically generate revocation notices. • Responsible employee did not review notifications and thus did not perform necessary revocations.
Scenario #2 • Entity utilized a vendor’s asset management system. • Protecting Critical Cyber Asset Information was not considered nor mentioned in the vendor contract. • Entity contracted with vendor to provide security patch management. • Vendor did not provide entity with timely assessments of patch releases.
Scenario # 3 • Entity permitted compromised assets to communicate freely with command and control server. • Entity did not understand firewall commands (“permit any any” on outbound traffic). • Entity used its mirrored-back-up data center constituted as its disaster recovery data center. • Entity did not understand that corruption of the main data center would promptly result in a corrupted back-up data center.