CIP Version 5 Immersion Workshop
1. CIP Version 5 Immersion
EnergySec Summit
August 19, 2014
Steven Parker
Stacy Bresler
2. Welcome
Logistics
Workshop format
Introductions
Agenda
– Overview of major changes in V5
– Discussion of key definitions
– Discussion of key transition issues
– Q&A
3. Major Changes
19 new or revised definitions
Bright Line Criteria
BES Cyber Assets/Systems
High/Medium/Low
Requirement Applicability Tables
Guidelines and Technical Basis
New and relocated requirements
26. Bright Line Criteria
Assigns impact levels to BES Cyber Systems associated with Facilities based on specific criteria
Provides three levels of impact
May depend on 3rd party designations
In practice, not so bright.
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy
5. Impact Levels
High – Primarily large control centers
Medium – Primarily large generation, critical generation, major substations, and remaining control centers
Low – Everything else that meets the definition of BES
6. Applicability Tables
New approach to requirements
Each requirement lists in-scope asset types
Requirements vary by impact level and type of asset
EACMS and PACS are directly listed instead of included by reference.
7. Guidelines and Technical Basis
Provides substantial narrative discussion on the requirements
Provides the SDT’s intent for certain requirements
Discusses the technical basis for certain requirements
Contains some conflicting or unsupported statements
Legal status is uncertain
8. Definitions
CIP version 5 adds 19 new or revised definitions to the NERC Glossary.
We will review the most pertinent ones here today.
9. Cyber Assets
Programmable electronic devices, including the hardware, software, and data in those devices.
• Communication networks have been removed from the definition of Cyber Asset
10. BES Cyber Assets
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)
11. BES Cyber Assets
Steve’s Translation:
A Cyber Asset that, if pwned, would allow a bad guy to disrupt the operation of a facility that meets the Bright Line criteria.
12. BES Cyber Systems
One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity
13. BES Cyber System Information
Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.
14. Electronic Access Control or Monitoring Systems
Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.
15. Electronic Access Point
A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
Routable communications only
Refers to interface, not a device
Direction not specified (See External Routable Connectivity)
16. Electronic Security Perimeter
[OLD] The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
[NEW] The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Now limited to routable protocols
17. External Routable Connectivity
The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
18. Interactive Remote Access
User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate Device and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP).
Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants.
Interactive remote access does not include system-to-system process communications.
19. Interactive Remote Access
IRA must be controlled pursuant to CIP-005 R2
ESP to ESP access is not covered by this definition
By definition, does not include non-routable protocol access
Encryption and intermediate devices are required
20. Intermediate System
A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.
22. Top 10 Issues
1. Asset Identification
2. BES Cyber System grouping
3. Impact level assessment
4. New ESP Definitions
5. Detection of Malicious Communications
6. Interactive Remote Access
7. Patch Management
8. Handling of BES Cyber System Information
23. Top 10 Issues
9. Protection of Physical I/O Ports
A. Low Impact Assets
B. New Definitions
C. Data Preservation During Recovery
D. Baseline Configurations
E. Vulnerability Assessments
F. Security Event Monitoring
10. Documentation Updates
24. Asset Identification
15 minute criteria
BROS
Inventory
Not your father’s RBAM
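As an added illustration of the asset identification step (slides 10 and 24), not code from the workshop or from NERC: the BES Cyber Asset test encoded as a function over a constructed inventory, applying the 15-minute criterion, ignoring redundancy as the definition requires, and handling the 30-day transient-connection exception. The CyberAsset fields and sample asset names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Purposes that qualify for the transient exception in the BES Cyber Asset
# definition (directly connected 30 consecutive calendar days or less).
TRANSIENT_PURPOSES = {"data transfer", "vulnerability assessment",
                      "maintenance", "troubleshooting"}

@dataclass
class CyberAsset:  # hypothetical inventory record for this example
    name: str
    # True if loss, degradation or misuse would adversely impact a BES Facility,
    # system or equipment within 15 minutes of required operation.
    impact_within_15_min: bool
    # Whether a redundant Facility could mask the impact; kept only to show that
    # the definition says redundancy must NOT be considered.
    has_redundancy: bool = False
    # Transient connection details; None means a permanent connection.
    connected_days: Optional[int] = None
    purpose: Optional[str] = None

def is_transient(asset: CyberAsset) -> bool:
    """Exception clause: 30 consecutive days or less, for one of the listed
    purposes only.  A longer stay or another purpose does not qualify."""
    return (asset.connected_days is not None and asset.connected_days <= 30
            and asset.purpose is not None
            and asset.purpose.lower() in TRANSIENT_PURPOSES)

def is_bes_cyber_asset(asset: CyberAsset) -> bool:
    """Apply the V5 BES Cyber Asset test.  has_redundancy is deliberately never
    consulted; the transient exception removes otherwise-qualifying assets."""
    return asset.impact_within_15_min and not is_transient(asset)

def identify(assets) -> list:
    """Names of assets that must be included in one or more BES Cyber Systems."""
    return [a.name for a in assets if is_bes_cyber_asset(a)]

# Constructed sample inventory, not from any real entity.
SAMPLE = [
    CyberAsset("rtu-01", impact_within_15_min=True, has_redundancy=True),
    CyberAsset("hmi-02", impact_within_15_min=True),
    CyberAsset("badge-db", impact_within_15_min=False),
    CyberAsset("vendor-laptop", True, connected_days=5, purpose="maintenance"),
    CyberAsset("contractor-laptop", True, connected_days=45, purpose="maintenance"),
    CyberAsset("test-laptop", True, connected_days=3, purpose="testing"),
]
```

Note that "test-laptop" stays in scope: a short connection alone is not enough, the purpose must also be one of the four listed in the definition.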
25. BES Cyber System Grouping
Definition
Logical or not?
Considerations
– Location
– Connectivity
– Impact Ratings
26. Impact Level Assessment
Bright Lines
Impact ratings are applied to BES Cyber Systems, NOT assets or Facilities
Not based on connectivity
High includes location consideration
Medium does NOT include location
Associated with
Low Impact
27. New ESP Definitions
Routable protocols only
External Routable Connectivity
– ESP?
– Cyber System?
– Cyber Asset?
Non-programmable network elements
Non-routable connections
28. Detection of Malicious Communications
New requirement
Many ways to skin the cat
Functional requirement
Plausibly effective
29. Interactive Remote Access
New Requirements
Intermediate Systems
Technical Architecture
– Placement of IS
– Multi-factor auth
– Encryption
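As an added example covering the Interactive Remote Access and Intermediate System definitions (slides 18 to 20) and the technical architecture points above, not code from the workshop or from NERC: a check that first decides whether a constructed access path meets the IRA definition (user-initiated, routable, source outside every ESP and not an Intermediate System) and then lists which of the CIP-005 R2 controls named on the slides (Intermediate System placed outside the ESP, encryption, multi-factor authentication) are missing. The AccessPath fields and path names are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class AccessPath:  # hypothetical record describing one remote access path
    name: str
    user_initiated: bool          # False = system-to-system process traffic
    routable: bool                # non-routable (serial) paths are not IRA
    source_in_esp: bool           # source sits inside an entity ESP or at an EAP
    source_is_intermediate: bool  # source is itself an Intermediate System
    via_intermediate: bool = False     # path passes through an Intermediate System
    intermediate_in_esp: bool = False  # and that system sits inside the ESP
    encrypted: bool = False
    multi_factor: bool = False

def is_interactive_remote_access(p: AccessPath) -> bool:
    """CIP v5 definition: user-initiated, routable, from a Cyber Asset that is
    neither an Intermediate System nor inside any of the entity's ESPs."""
    return (p.user_initiated and p.routable
            and not p.source_in_esp and not p.source_is_intermediate)

def r2_findings(p: AccessPath) -> list:
    """Missing CIP-005 R2 controls for an IRA path; empty when the path is not
    IRA (definition does not apply) or every control is present."""
    if not is_interactive_remote_access(p):
        return []
    findings = []
    if not p.via_intermediate:
        findings.append("no Intermediate System in path")
    elif p.intermediate_in_esp:
        findings.append("Intermediate System located inside the ESP")
    if not p.encrypted:
        findings.append("session not encrypted")
    if not p.multi_factor:
        findings.append("no multi-factor authentication")
    return findings

def review(paths) -> dict:
    """Findings per IRA path; paths outside the definition are left out."""
    return {p.name: r2_findings(p) for p in paths if is_interactive_remote_access(p)}

SAMPLE_PATHS = [  # constructed sample paths, not from any real entity
    AccessPath("vendor-vpn", True, True, False, False, via_intermediate=True, encrypted=True, multi_factor=True),
    AccessPath("admin-rdp-direct", True, True, False, False, encrypted=True),
    AccessPath("jump-host-in-esp", True, True, False, False, via_intermediate=True, intermediate_in_esp=True, encrypted=True, multi_factor=True),
    AccessPath("esp-to-esp", True, True, True, False),       # source inside an ESP
    AccessPath("icsp-poll", False, True, False, False),      # system-to-system
    AccessPath("serial-dialup", True, False, False, False),  # non-routable
]
```

The last three sample paths fall outside the definition, which is exactly the point made on slide 19: ESP-to-ESP, system-to-system and non-routable access are not Interactive Remote Access, so CIP-005 R2 does not reach them (other requirements may).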
30. Patch Management
Source identification
Must implement or mitigate
New timelines
Windows XP
TFEs
31. Handling of BES Cyber System Information
New Definition
Storage
Use
Transit
BCSI Repositories
Disposal and redeployment
32. Low Impact Assets
Implementation of policies
Uncertainty on V6
External routable protocol paths
Lists vs. inventory
33. Baseline Configurations
New requirements
Specific attributes to be collected
Broad applicability
Change management of configurations
34. Vulnerability Assessments
Not well defined
Paper vs. active
Not a pen test
Documentation and follow up requirements
35. Security Event Monitoring
Functional requirements
Plausibly effective
Guidance and technical basis comments
36. Data Preservation During Recovery
Recovery plans need to address preservation of forensics evidence
Timelines
37. Protection of Physical I/O Ports
Control centers only
Does not need to be preventative
Device configuration can suffice
38. Documentation Updates
New terminology
Renumbered and relocated requirements
Cybersecurity policy requirements expanded
Nearly all requirements require documented processes
39. New Definitions and Terminology
Time to relearn the language
READ THE GLOSSARY!