1. CIP v5 Workshop
CIP-002-5.1 Medley
Salt Lake City, UT
September 9, 2015
Bryan Carr PMP, CISA, PSP
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
2. Speaker Intro: Bryan Carr
• Joined WECC in August 2012
• Dr. TFE (Emeritus)
• Past compliance Program Manager at PacifiCorp
• Prior experience in project and program
management
September 10, 2015 Western Electricity Coordinating Council
2
3. Agenda
• CIP-002-5.1 Requirements
• CIPv5 Transition Guidance
• Pre-Audit Data Request
• Lessons Learned & FAQs
• Site Visits
• Questions
Western Electricity Coordinating Council
3
4. Daily Dose of Dilbert
Slide 4
Western Electricity Coordinating Council
5. CIP-002-5.1: R1
• Each Responsible Entity shall implement a process that
considers each of the following assets for purposes of
parts 1.1 through 1.3: [Violation Risk Factor: High][Time
Horizon: Operations Planning]
– i. Control Centers and backup Control Centers;
– ii. Transmission stations and substations;
– iii. Generation resources;
– iv. Systems and facilities critical to system restoration,
including Blackstart Resources and Cranking Paths and initial
switching requirements;
– v. Special Protection Systems that support the reliable
operation of the Bulk Electric System; and
– vi. For Distribution Providers, Protection Systems specified in
Applicability section 4.2.1 above.
Western Electricity Coordinating Council
5
6. CIP-002-5.1: R1.1 - R1.3
• Each Responsible Entity shall implement a process
that considers each of the following assets for
purposes of parts 1.1 through 1.3:
– 1.1. Identify each of the high impact BES Cyber Systems
according to Attachment 1, Section 1, if any, at each
asset;
– 1.2. Identify each of the medium impact BES Cyber
Systems according to Attachment 1, Section 2, if any, at
each asset; and
– 1.3. Identify each asset that contains a low impact BES
Cyber System according to Attachment 1, Section 3, if any
(a discrete list of low impact BES Cyber Systems is not
required).
Western Electricity Coordinating Council
6
7. CIP-002-5.1: Direction
• CIP-002-5.1 R1.1 - R1.3 are applicable for the
transition period in lieu of the CIP-002-3 R2 list of
Critical Assets (Option 3).
• Focus on High BCS (R1.1) and Medium BCS (R1.2) for
immediate CIPv5 compliance efforts (Option 3).
• Compliance date for Low impact BES Assets on April
1, 2017.
– Be sure to use CIP-003-6 when developing program and
controls for Lows
– Four programmatic controls specified in CIP-003-6
Attachment 1
– Don’t ignore, but don’t prioritize for now.
Western Electricity Coordinating Council
7
8. CIPv5 Transition Guidance
• As a practical matter, NERC understands that
Responsible Entities cannot complete transition to
the CIP V5 Standards in a single instance; rather,
transition to full implementation will occur over a
period of time as Responsible Entities develop the
necessary procedures, software, facilities, or other
relevant capabilities necessary for effective
compliance with the CIP V5 Standards. (NERC,
2014 Aug 12, Transition Guidance, p. 2)
Western Electricity Coordinating Council
8
9. CIPv5 Transition Guidance
• To help ensure that they are fully compliant with the CIP
V5 Standards upon the effective date, Responsible
Entities may need or prefer to transition from
compliance with the requirements of the CIP V3
Standards to implementation of the requirements of the
CIP V5 Standards during the Transition Period. As such,
there may be a period of time prior to the effective date
of the CIP V5 Standards date when Responsible Entities
begin to operate in accordance with the CIP V5
Standards while the CIP V3 Standards are still
mandatory and enforceable. (NERC, 2014 Aug 12,
Transition Guidance, p. 2).
Western Electricity Coordinating Council
9
10. CIP v5 Transition Options*
*see Options Table (NERC, 2014 Aug 12, Transition Guidance, p. 5)
Western Electricity Coordinating Council
10
11. CIP v5 Transition
Guidance
• WECC recommends entities
choose Option 3 and immediately
start transitioning to CIPv5
compliance
– Freeze your CIPv3 program
– Roll forward the “mostly
compatible” parts of CIPv3
– Integrate the remaining elements of
CIPv5
• Not a huge burden for CIP-002-5.1
compliance, but may present
challenges for other Standards.
• A feasible sequence of Standards
for transition efforts
September 10, 2015 Western Electricity Coordinating Council
11
12. An Entity Documents Option 3
Slide 12
Western Electricity Coordinating Council
13. Quiz Time
• In 1916, how much did the U.S. pay for the
Danish West Indies (Virgin Islands)?
$25,000,000 in gold
Slide 13
September 10, 2015 Western Electricity Coordinating Council
14. Attachment G*: CIP-002-5.1 Evidence
• [R1]: Provide documentation of the process and its
implementation to consider each BES asset included in the asset
types listed in R1.i - R1.vi to identify the following lists:
– [R1.1]: A list of High impact BCS at each asset identified by application
of Attachment 1, Section 1.
– [R1.2]: A list of Medium impact BCS at each asset identified by
application of Attachment 1, Section 2.
– [R1.3]: A list of identified Low impact BES Assets identified by
application of Attachment 1, Section 3].
• [R2]: Signed and dated records of the CIP Senior Manager or
delegate reviews and approvals of the identifications required by
R1, even if such lists are null.
* 2016 Attachment G document is still in progress and may change to some degree, but these
basic sets of evidence will expected in the initial evidence package.
Slide 14
Western Electricity Coordinating Council
15. Lessons Learned
Western Electricity Coordinating Council
15
• “Throughout the Implementation Study, study
participants identified potential issues and
asked NERC and Regional Entity staff to clarify
certain aspects of the CIP Version 5 standards,
or confirm that their approach was consistent
with good security practices and compliance
expectations.” (NERC, 2014 Aug 12, Transition
Guidance, p. 23).
16. What is a Lesson-Learned?
• One of the key goals of the pilot study was to
develop Lessons-Learned by the study
participants to:
– Inform and support entity transition activities
– Identify obstacles
– Develop commonly understood solutions
• This portion of the presentation will cover WECC’s
current understanding of the Lessons-Learned
and FAQs [LL/FAQ] relative to CIP-002-5.1
16
Western Electricity Coordinating Council
17. What is a Lesson-Learned?
• To date, there are currently 23 LL/FAQ in various stages
of development (NERC, 2014 Oct, Implementation
Study Final Report: Table 7, pp. 24-26).
• Most Lesson-Learned documents were developed
under this preamble:
– This document is designed to convey lessons learned from
NERC’s various activities. It is not intended to establish new
requirements under NERC’s Reliability Standards or to modify
the requirements in any existing reliability standards.
Compliance will continue to be determined based on
language in the NERC Reliability Standards as they may be
amended from time to time. Implementation of this lesson
learned is not a substitute for compliance with requirements
in NERC’s Reliability Standards.
17
Western Electricity Coordinating Council
18. Caveats
• WECC does not provide prescriptive solutions, but
bases its audit approach on the CIPv5 Standards and
makes recommendations based on Best Practices.
• As of this presentation, most of the LL/FAQ documents
are still fluid and may change before their final
versions.
– If significant changes are introduced, WECC’s audit approach
relative to the LL/FAQ may also change.
– While WECC does not expect major changes in direction, if
they do occur, the WECC CIP Team will publicize any impacts
on its CIPv5 audit approach as soon as possible.
18
Western Electricity Coordinating Council
19. Lessons Learned Summary
Requirement: Title Description Type
1. CIP‐002‐5 R1: Impact rating of
generation resources
(generation segmentation)
What options are available to
categorize the impact rating of BES
Cyber Assets at plants greater than
1500 MW?
LL
2. CIP‐002‐5 R1: Relay protection
in substations with different
impact ratings (i.e., far‐end
relay/transfer trip)
How should the impact rating of line
protection relays at each end of a
transmission line connecting two
substations be determined?
LL
3. CIP‐002‐5 R1: Programmable
electronic devices
What are some practical examples for
what is or is not a programmable
electronic device?
LL
19
Western Electricity Coordinating Council
20. Lessons Learned Summary
Requirement: Title Description Type
4. CIP‐002‐5 R1: BES impact of
transmission scheduling
systems
Should transmission scheduling systems
be considered medium‐ or high‐impact
rating BES Cyber Systems?
LL
5. CIP‐002‐5 R1: Identifying BES
Cyber Systems and BES Cyber
Assets
What are some practical approaches to
identify BES Cyber Systems and BES
Cyber Assets?
LL
6. CIP‐002‐5 R1: Distributed BES
Cyber Assets at generating
plants and substations
Are instrumentation devices such as
sensors, actuators, and controllers
considered to be programmable
electronic devices? If so, what methods
would be appropriate to secure them
from a compliance perspective?
LL
20
Western Electricity Coordinating Council
21. Lessons-Learned / FAQ Summary
Requirement: Title Description Type
7. CIP‐002‐5 R1: Grouping
BES Cyber Assets
What are the advantages of grouping BES
Cyber Assets into BES Cyber Systems, and
how can this help demonstrate compliance?
LL
8. CIP‐002‐5 R1: Shared
equipment at a substation
What issues need to be addressed related to
substations that are shared by different
entities (e.g., identifying ownership,
compliance responsibilities, emergency
management, physical access controls)?
LL
9. CIP‐002‐5 R1: Applicability
of Control Centers to
Transmission Operators
(TOP) and Transmission
Owners (TO)
How would CIP‐002‐5 Attachment 1 criterion
2.12 apply to medium‐impact Control Centers
if the functional obligations are performed by
the TO on behalf of the TOP?
LL
21
Western Electricity Coordinating Council
22. Lessons Learned Summary
Requirement: Title Description Type
10. CIP‐002‐5 R1:
Generation
interconnection points
Clarify the terms “generation interconnection
point,” “generation interconnection Facility,”
and “collector bus” for the purposes of
applying CIP‐002‐5 Attachment 1 impact
rating criteria 2.1 and 2.2.
LL
11. CIP‐003‐5 R2:
Medium‐impact rating,
non‐routable, no
dial‐up access Cyber
Assets
What is the complete set of CIP Version 5
Requirements that apply to BES Cyber
Systems without routable or dial‐up access?
LL
17. CIP‐006‐5 R1: Multiple
physical access controls
Discuss options for using two or more physical
access controls for high‐impact BES Cyber
System Physical Security Perimeters.
LL
22
Western Electricity Coordinating Council
23. Lessons Learned
• Two published/final related to CIP-002-5.1
– Generation Segmentation
– Far-End Relay
September 10, 2015 Western Electricity Coordinating Council
23
24. 1a. Generation Segmentation
Requirement: Title Description
CIP‐002‐5 R1: Impact rating of
generation resources (generation
segmentation)
What options are available to categorize the impact
rating of BES Cyber Assets at plants greater than 1500
MW?
Impact of the Lesson-Learned on WECC Audit Approach
This LL describes the options used by pilot study participants for identifying BCS
located at generation plant sites with a net Real Power capability => 1500 MWs. The LL
provides two options for protecting BCS at such generation sites:
A. Protect the BCS as Medium-impact at a single location, in which the all CIP
standards are applicable
B. Segment the Generating Units and their Associated BCS to ensure no BCS could
have an adverse impact on any combination of units =>1500 MWs within 15
minutes. If this option is chosen, the entity must provide sufficient evidence that
all BCS have been segmented effectively, such that there are no common-mode
vulnerabilities that could cause the loss of 1500 MW or more at the plant site.
24
Western Electricity Coordinating Council
25. 1b. Generation Segmentation
Acceptable Evidence of Generation Segmentation
This evidence could include engineering analyses that demonstrate effective
segmentation of, for example:
• Systems protected by the segmented unit network.
• Components shared by multiple generating units or group of units, and
analysis that loss, compromise, or misuse of the BES Cyber Systems could have
on the reliable operation of the BES within 15 minutes.
• BES Cyber Systems shared by multiple generating units or group of units, and
analysis that loss, compromise, or misuse of the BES Cyber Systems could have
on the reliable operation of the BES within 15 minutes.
• Network interfaces between each generating unit or group of units and
external networks (e.g., firewall rules).
25
Western Electricity Coordinating Council
26. 1c. Generation Segmentation
Impact of the Lesson-Learned on WECC Audit Approach
When reviewing entity BCS evaluations relative to IRC 2.1, WECC will expect
evidence that indicates the entity evaluated the aggregate highest net rated
Real Power capability of the preceding 12 calendar months to establish the
generation plant’s net output relative to the 1500 MW threshold.
If the plant net output equals or exceeds the 1500 MW threshold, WECC will
expect documentation demonstrating all BCS, including, but not limited to,
DCS, fuel, air, and water support systems at the plant were examined to test
the second condition in IRC 2.1 of an adverse impact within 15 minutes for
any combination of units that equal or exceed 1500 MW. BCS that meet
both conditions should be classified as Medium-impact BCS, while BCS that
fail one or both conditions should be classified as Low-impact BCS (the dual
conditions are also true for IRC 2.2).
26
Western Electricity Coordinating Council
27. 2. Far End Relays
Requirement: Title Description
CIP‐002‐5 R1: Relay protection in
substations with different impact ratings
(i.e., far‐end relay/transfer trip)
How should the impact rating of line protection
relays at each end of a transmission line
connecting two substations be determined?
Impact of the Lesson-Learned on WECC Audit Approach
This LL clarifies that line protection relays at each end of a transmission line
connecting two substations may have different BCS impact ratings. The rating of
each relay is dependent on whether the Transmission Facilities at the station or
substation at which the relay is located meets the rating criteria for Medium- or
Low-impact. Although the term “SPS” is being replaced by the more generic term
“RAS,” this same LL concept may apply to all SPS and RAS that do NOT meet IRC 2.9.
WECC will review the entity’s R1.1, R1.2, & R1.3 lists and ask questions, as
necessary, to determine the effectiveness of the process implemented to create
these lists.
27
Western Electricity Coordinating Council
28. Quiz Time
Name of electric utility serving the U.S. Virgin
Islands?
WAPA
Virgin Islands Water and Power Authority
Slide 28
Western Electricity Coordinating Council
32. Quiz Time
• What is the primary generation fuel source on
the U.S. Virgin Islands?
Fuel Oil
Slide 32
Western Electricity Coordinating Council
33. CIP Site Visits
• Purpose
• What to expect
• Rules of engagement
• Tips
Western Electricity Coordinating Council
33
34. Site Visit Purpose
• “… auditors obtain reasonable assurance that
evidence is sufficient and appropriate to
support the auditors’ findings and conclusions
in relation to the audit objectives.” (GAGAS, p.
124)
• Visual Verification
• Direct Observation
Western Electricity Coordinating Council
34
35. What to Expect…
• Data Requests
– Site Visit Analysis
• Typically for large numbers of assets/facilities or
complex systems
• Seeking clarification and additional information to
make informed decisions
– Site Visit Data Request
• List sites selected, propose schedule
Western Electricity Coordinating Council
35
36. Site Visit DR Example
The WECC Audit Team requests:
Please schedule tours on Wednesday (September 9, 2015) of the following BILL BES Assets, including all
areas with BES Cyber Systems located at:
Day One (September 9, 2015)
– Primary Control Center
– Backup Control Center
– Substation1
– Substation2
BILL shall propose a meeting location, route, and schedule that optimizes the time the WECC audit team
will have available at each BES Asset and minimizes the impact the audit team will have on BILL
operations. If possible, the WECC audit team would like to end the tour at the facility nearest the audit
team location, but the team is flexible and understands any operational requirements for BILL
scheduling.
The WECC audit team recognizes that BILL has BES operational responsibilities at the BES Asset(s) and
will make an effort to minimize interference with the duties of BILL personnel once on site.
Western Electricity Coordinating Council
36
37. Site Visit DR Example
During the tour, BILL will provide Subject Matter Experts in the three standards (CIP-002, CIP-005, & CIP-
006) and the following hard copy lists and/or diagrams for use by the WECC Audit team during the site
visits:
• For each Asset identified as a BILL Asset containing High BCS or Medium BCS, BILL shall provide
hard copies (filtered by location) of its inventory of BCS at each site. This inventory should contain
sufficient information to support validation of the entity’s compliance efforts at each location. For
each Asset identified as a Low-impact BES Asset, please be prepared to discuss planned CIP
protections including any expected LERC and LEAP implementations.
• For each site with one or more ESPs, BILL shall provide a hard copy diagram of each such ESP. If
there is no ESP, please provide a network diagram to support the validation of the BCS perimeter(s).
• For each site with one or more PSPs, BILL shall provide a hard copy diagram of each such PSP. If
there is no PSP, please provide a physical diagram to allow the CIP-006 audit team to note current
physical protections for the BES Asset.
The WECC audit team will use these documents to validate BCS, ESPs, and PSPs and will annotate the
documents while on site. The WECC audit team will return these documents to BILL prior to leaving
each site. A separate DR – subsequent to the site visits – will request scanned PDF copies of the
annotated lists and/or diagrams for review and inclusion into the audit records.
Western Electricity Coordinating Council
37
38. Rules of Engagement
• WECC Audit Team WILL:
– Work to make everyone feel at ease and comfortable
through open and candid dialogue
– Verify lists and drawings against actual deployment
– Typically split into two groups – CIP-002 and 005
together, with CIP-006 on its own
– Ask SMEs to perform ALL tasks & testing (login, open
cabinet doors, generate failed login attempts, hold
door open, etc.)
– Notify you of concerns/issues identified
Western Electricity Coordinating Council
38
39. Rules of Engagement
• WECC Audit Team WILL NOT:
– Attempt to ditch their escorts
– Touch any equipment, keyboards, buttons,
switches, levers, dials, etc.
– Attempt to ditch their escorts
– Ask the SMEs to do anything that poses a risk to
reliable operation of the BES
– Play the gotchya game
Western Electricity Coordinating Council
39
40. CIP Site Tours – Helpful Tips
• The cast of Ben Hur isn’t necessary to ensure a
successful site visit
• Tailboards and other site-specific safety
meetings are great
• Be sure the right SMEs are there, and
prepared
Western Electricity Coordinating Council
40
41. References
• FERC. (2013 December 3). Order No. 791: Version 5 Critical
Infrastructure Protection Reliability Standards. 18 CFR Part 40: 145
FERC ¶ 61,160: Docket No. RM13-5-000. Published in Federal
Register: Vol. 78, No. 232 (pp. 72756-72787). Retrieved from
http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/2013-28628.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security Standard –
BES Cyber System Categorization. Retrieved from
http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumbe
r=CIP-002-5.1&title=Cyber%20Security%20—
%20BES%20Cyber%20System%20Categorization&jurisdiction=null
• NERC. (2014 April). Bulk Electric System Definition Reference
Document (Version 2). Retrieved from
http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%
20Definition%20of%20Bulk%20Electri/bes_phase2_reference_docu
ment_20140325_final_clean.pdf
Western Electricity Coordinating Council
41
42. References
• NERC. (2014 August 12). Cyber Security Standards
Transition Guidance: ERO Compliance and Enforcement
Activities during the Transition to the CIP Version 5
Reliability Standards. Retrieved from
http://www.nerc.com/pa/CI/Documents/V3-
V5%20Transition%20Guidance%20FINAL.pdf
• NERC. (2014 September 17). Glossary of Terms used in
NERC Reliability Standards. Retrieved from
http://www.nerc.com/pa/stand/glossary%20of%20ter
ms/glossary_of_terms.pdf
Slide 42
Western Electricity Coordinating Council