Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-008-5, 009-5, & TFEs
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT

Agenda
• Applicability
• Implementation
• CIP-008-5 & 009-5
  • Overview
  • Audit Approach
  • Tips
• TFEs and CIP v5

Goal
Communicate WECC’s audit approach for each Requirement in CIP-008-5 & 009-5
CIP-008-5 Purpose
“To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.”

CIP-008-5 Applicability
• HIBESCS: High Impact BES Cyber Systems (R1-R3)
• MIBESCS: Medium Impact BES Cyber Systems (R1-R3)

CIP-008-5 Implementation
• By April 1, 2016: all of CIP-008-5, except as noted below
• On or before April 1, 2017:
  • CIP-008-5, Requirement R2, Part 2.1
  • CIP-008-5, Requirement R3, Part 3.1

CIP-008-5 R1 Overview
• Ingredients of the Cyber Security Incident Response Plan:
  • Identify, classify, and respond to Cyber Security Incidents (CSI)
  • Process to determine if a CSI is a Reportable CSI (RCSI)
  • Notify ES-ISAC within 1 hour of determination of an RCSI
  • Roles and responsibilities
  • Incident handling procedures
CIP-008-5 R1 Audit Approach
• Documentation requirement
• Does the CSIRP address each Part of R1?
• Does the CSIRP tie all the necessary resources together?
• Revision history with sufficient details

CIP-008-5 R1 Tips
• Man on the street(ish) test: can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Roles and responsibilities may include contact lists with names/numbers/emails
• Assumption is you’ll have Cyber Security Incidents; emphasis on RCSI and the criteria used to determine elevation of a CSI to an RCSI
• Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends
CIP-008-5 R2 Overview
• Annual test of the CSIRP, by one of:
  • Actual Incident
  • Paper
  • Operational
• Use the plan during the annual test & document any deviations from the plan
• Retain records of Incidents

CIP-008-5 R2 Audit Approach
• Performance Requirement:
  • How has the plan been implemented?
  • How do you test/exercise the plan?
  • Did you document deviations from the plan during the exercise/test?
  • How are records kept and where?

CIP-008-5 R2 Tips
• Anytime the words “test” or “exercise” are used, lessons learned should follow. If you have no lessons learned, you may not be doing it right
• It’s ok to get a little creative with test and exercise scenarios

CIP-008-5 R3 Overview
• Complete within 90 days of a test/exercise or actual Incident response:
  • Document lessons learned
  • Update the Plan
  • Notify responsible parties of updates
• Complete within 60 days of a change in roles/responsibilities/technology:
  • Update the Plan
  • Notify responsible parties

CIP-008-5 R3 Audit Approach
• Performance Requirement:
  • Updates tracked through revision history or other means of sufficient detail
  • Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

CIP-008-5 R3 Tips
• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Suggest outlining how this is supposed to happen in the actual plan
CIP-008-5 Questions?
CIP-009-5 Purpose
“To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.”

CIP-009-5 Applicability
• HIBESCS: High Impact BES Cyber Systems (2.3)
• MIBESCS at Control Centers and their associated EACMS and PACS: Medium Impact BES Cyber Systems at Control Centers and their associated EACMS and PACS (1.4, 2.1, 2.2, 3.1, 3.2)
• HIBESCS and their associated EACMS and PACS: High Impact BES Cyber Systems and their associated EACMS and PACS (R1-R3 except 2.3)
• MIBESCS and their associated EACMS and PACS: Medium Impact BES Cyber Systems and their associated EACMS and PACS (R1 except 1.4)

CIP-009-5 Implementation
• By April 1, 2016: all of CIP-009-5, except as noted below
• On or before April 1, 2017:
  • CIP-009-5, Requirement R2, Parts 2.1, 2.2
  • CIP-009-5, Requirement R3, Part 3.1
• On or before April 1, 2018:
  • CIP-009-5, Requirement R2, Part 2.3

CIP-009-5 R1 Overview
• Ingredients of the recovery plan:
  • Conditions for activation of the plan
  • Roles and responsibilities
  • Process for backup and storage
  • Process to verify successful completion of backups
  • Process to preserve data

CIP-009-5 R1 Audit Approach
• Documentation requirement
• Does the plan (or plans) address all processes required?
• Review associated procedures, flowcharts, etc.
• Revision history with sufficient details

CIP-009-5 R1 Tips
• Two new Requirements (1.4 & 1.5): read carefully, plan accordingly
• Regurgitating the Requirement language does not constitute developing a program/process
• Man on the street(ish) test: can someone else in your organization pick up the CSIRP and have everything they need to respond?
• Flowcharts, process diagrams, decision trees, etc. are the auditor’s friends

CIP-009-5 R2 Overview
• Annual test of the recovery plan, by one of:
  • Actual Incident
  • Paper
  • Operational
• Test a representative sample of backups to ensure validity and compatibility
• Operational exercise required once every 36 months for High Impact BES Cyber Systems

CIP-009-5 R2 Audit Approach
• Performance Requirement:
  • How has the plan been implemented?
  • How do you test/exercise the plan?
  • Representative sample: how did you determine the sample set?
  • Documentation of test/exercise, outcomes & lessons learned
CIP-009-5 R2 Tips
• R2-related testing and exercise processes can be integrated into the R1 plan, bolted on as attachments, or kept as separate docs
• Focus on the outputs of R2: what are the deliverables?
• Part 2.3: first full operational exercise must occur by 4/1/2017, then at least once every 36 months
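The R1 ingredient “process to verify successful completion of backups” and the R2 “representative sample of backups” test both need an artifact an auditor can inspect. The script below is an added example, not WECC’s, NERC’s, or any Registered Entity’s code: it records a hash manifest when backups are taken, later re-hashes what is actually on backup storage, flags corrupted, missing or stale backups per system, and picks one intact, most recent artifact per system as the restore-test sample. The backup contents, system names, the 30-day freshness window and the one-per-system sampling rule are all constructed assumptions, not Standard language.

```python
"""Backup verification and representative-sample selection (added example).

Supports the CIP-009-5 R1 "verify successful completion of backups" step and
the R2 "representative sample" test. Backup artifacts are in-memory byte
strings constructed here; the freshness window and sampling rule are assumed
local policy, not requirements taken from CIP-009-5.
"""
import hashlib
from datetime import date, timedelta

# Constructed artifacts as captured by the backup job:
# file name -> (system name, impact rating, date taken, content bytes)
CAPTURED = {
    "ems-app-01_2014-05-01.tar": ("EMS application server", "High", date(2014, 5, 1), b"ems app image v1"),
    "ems-app-01_2014-05-10.tar": ("EMS application server", "High", date(2014, 5, 10), b"ems app image v2"),
    "rtu-cfg-07_2014-05-09.bin": ("Substation RTU config", "Medium", date(2014, 5, 9), b"rtu config block"),
    "hist-db_2014-02-01.dmp": ("Historian database", "Medium", date(2014, 2, 1), b"historian dump"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_manifest(captured):
    """Backup-time step: hash each artifact as it is written, so the later
    verification compares against a value recorded independently of storage."""
    return [
        {"file": name, "system": system, "impact": impact,
         "taken": taken.isoformat(), "sha256": sha256_hex(content)}
        for name, (system, impact, taken, content) in captured.items()
    ]


def verify_backups(manifest, stored, today, max_age_days=30):
    """Verification step: re-hash what is on backup storage now.

    Returns a report with per-file 'verified' / 'corrupted' / 'missing' lists
    and a 'stale_systems' list of systems with no intact backup newer than
    max_age_days (an assumed policy value)."""
    report = {"verified": [], "corrupted": [], "missing": [], "stale_systems": []}
    newest_good = {}  # system -> date of its most recent intact backup
    for entry in manifest:
        name = entry["file"]
        if name not in stored:
            report["missing"].append(name)
            continue
        if sha256_hex(stored[name]) != entry["sha256"]:
            report["corrupted"].append(name)
            continue
        report["verified"].append(name)
        taken = date.fromisoformat(entry["taken"])
        if taken > newest_good.get(entry["system"], date.min):
            newest_good[entry["system"]] = taken
    for system in sorted({e["system"] for e in manifest}):
        newest = newest_good.get(system)
        if newest is None or today - newest > timedelta(days=max_age_days):
            report["stale_systems"].append(system)
    return report


def select_sample(manifest, stored):
    """Sampling step (assumed rule): the most recent intact artifact for each
    system, so every system is represented in the restore test; High Impact
    systems are listed first. Corrupted or missing artifacts are never sampled."""
    chosen = {}
    for entry in manifest:
        name = entry["file"]
        if name not in stored or sha256_hex(stored[name]) != entry["sha256"]:
            continue
        current = chosen.get(entry["system"])
        if current is None or entry["taken"] > current["taken"]:
            chosen[entry["system"]] = entry
    return sorted(chosen.values(), key=lambda e: (e["impact"] != "High", e["system"]))


def demo():
    """Run the check against a constructed storage state in which one artifact
    was silently corrupted and one is missing."""
    manifest = record_manifest(CAPTURED)
    stored = {name: content for name, (_, _, _, content) in CAPTURED.items()}
    stored["rtu-cfg-07_2014-05-09.bin"] = b"rtu config blocK"  # single-byte change
    del stored["hist-db_2014-02-01.dmp"]
    report = verify_backups(manifest, stored, today=date(2014, 5, 14))
    sample = select_sample(manifest, stored)
    return report, sample


if __name__ == "__main__":
    rep, smp = demo()
    print(rep)
    print([e["file"] for e in smp])
```

Kept as a dated report next to the revision history, the output gives an auditor the two things the R2 questions ask for: how the sample set was determined, and whether the backups in it were valid when tested.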
CIP-009-5 R3 Overview
• Complete within 90 days of a test/exercise or actual recovery:
  • Document lessons learned
  • Update the plan
  • Notify responsible parties of updates
• Complete within 60 days of a change in roles/responsibilities/technology:
  • Update the plan
  • Notify responsible parties

CIP-009-5 R3 Audit Approach
• Performance Requirement:
  • Updates tracked through revision history or other means of sufficient detail
  • Track dates of “triggering” events such as completion of an exercise/Incident, or when roles/responsibilities/technology changed
  • Evidence of notification to responsible parties, e.g. email, meeting minutes, etc.

CIP-009-5 R3 Tips
• Make sure you (and the auditors) can connect the dots between plan exercise…lessons learned…plan updates…notifications of updates.
• Good idea to outline how this is supposed to happen in the actual plan

CIP v5 and TFEs
• TFEs will be necessary in v5
• Definitive list of Requirements/Parts to be determined; 9 have “where technically feasible”
• Appendix 4D will be updated to accommodate v5
• webCDMS will be updated as necessary
• Streamlined process will remain in place

Resources, References, & Light Reading
• NERC v3 to v5 mapping document
• FERC Order 791
• 2011 v5 SDT Presentation
• DHS: Developing an Industrial Control Systems Cybersecurity Incident Response Capability
• NIST Computer Security Incident Handling Guide

Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
bcarr@wecc.biz
Questions?