The document discusses the implementation of CIP-014 from an auditor's perspective, including an overview of the requirements for conducting risk assessments of transmission stations and developing security plans, and tips for entities in complying with the standard within the required timeframe of less than one year. It also summarizes the FERC's proposed modifications to CIP-014 and requests for additional filings on physical security.
CIP-014-1: Next Steps from an Auditor’s Perspective
1. Darren T. Nielsen, M.Ad., CISA,
CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Salt Lake City, UT Office
CIP-014-1: Next Steps from an Auditor's Perspective
August 21, 2014
Austin, Texas
2. 2
• Where are you heading?
• Is it the right direction?
• Do you have help in charting the course?
Set your Compass!
3. 3
• What it is:
o Physical security of Transmission stations and Transmission
substations, and their associated primary control centers, that if
rendered inoperable or damaged as a result of a physical attack
could result in “widespread” instability, uncontrolled separation, or
Cascading within an Interconnection.
*FERC directed "widespread" to be removed on July 17, 2014.
• What it is not:
o An extension of, or related to CIP-006
o Critical Cyber Asset/Protected Cyber Asset based
o A limit to physical security measures
o A one-size-fits-all approach to physical security
CIP-014-1 Introduction
4. 4
• It may be helpful to view and manage CIP-014-1 as two
major components.
CIP-014-1 Introduction
R1: Applicability and Risk
Assessment
R2: Unaffiliated Review
R3: Control Center Notification
R4: Threat and Vulnerability
Assessment
R5: Security Plan
R6: Unaffiliated Review
5. 5
• Must be completed by the effective date of CIP-014-1
• Subsequent applications must be completed:
o 30 months for entities who identified applicable
Stations/Substations on the previous assessment
o 60 months for entities who identified null lists on the previous
assessment
CIP-014-1 R1: Applicability and Risk
Assessment
6. 6
• Create a Candidate List
o Substations/Stations operating at or above 200 kV
o Substations/Stations identified in an IROL
o Substations/Stations critical to operation of nuclear facilities
• Apply criteria listed in 4.1.1 of CIP-014-1
o Operating at or above 500kV
-or-
o Identified by its Reliability Coordinator, Planning Coordinator, or
Transmission Planner as critical to the derivation of Interconnection
Reliability Operating Limits (IROLs) and their associated contingencies.
-or-
o Essential to meeting Nuclear Plant Interface Requirements
-or-
CIP-014-1 R1: Applicability and Risk
Assessment
7. 7
• Apply criteria listed in 4.1.1 of CIP-014-1 (continued)
o Operating between 200 kV and 499 kV at a single station or
substation, where the station or substation is connected at 200 kV
or higher voltages to three or more other Transmission stations or
substations and has an "aggregate weighted value" exceeding
3000 according to the table below.
CIP-014-1 R1: Applicability and Risk
Assessment
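The applicability test on slides 6 and 7, worked as an added example (not the presenter's or WECC's code): the four 4.1.1 criteria are applied to a station in order, and the 200-499 kV criterion counts the distinct stations connected at 200 kV or higher and sums a per-line weight. The slide's weight table is not reproduced on this page, so the weights used here are an assumption to be checked against the standard; the sample stations are constructed.

```python
from dataclasses import dataclass, field

# Weight per connected line by its operating voltage, used for the 200-499 kV
# "aggregate weighted value" criterion. The slide refers to a table that is not
# reproduced on this page; these are the weights the author of this example
# recalls from the standard and they must be checked against CIP-014-1 itself.
ASSUMED_LINE_WEIGHTS = (
    (200, 299, 700),
    (300, 499, 1300),
    (500, 9999, 0),   # 500 kV and above counts as a connection but weighs 0
)


def line_weight(kv: int) -> int:
    """Weight of one line; lines below 200 kV are not counted at all."""
    for low, high, weight in ASSUMED_LINE_WEIGHTS:
        if low <= kv <= high:
            return weight
    return 0


@dataclass
class Station:
    name: str
    max_kv: int                      # highest voltage operated at the station
    irol_critical: bool = False      # flagged by RC/PC/TP as critical to IROL derivation
    nuclear_interface: bool = False  # essential to Nuclear Plant Interface Requirements
    # one (other_station, line_kv) entry per line to another Transmission station
    lines: list[tuple[str, int]] = field(default_factory=list)


def aggregate_weighted_value(station: Station) -> int:
    return sum(line_weight(kv) for _, kv in station.lines)


def stations_connected_at_200kv(station: Station) -> int:
    return len({other for other, kv in station.lines if kv >= 200})


def applicability(station: Station):
    """Return which 4.1.1 criterion makes the station subject to CIP-014-1,
    or None if it falls outside the applicability section."""
    if station.max_kv >= 500:
        return "4.1.1: operating at or above 500 kV"
    if station.irol_critical:
        return "4.1.1: critical to IROL derivation"
    if station.nuclear_interface:
        return "4.1.1: Nuclear Plant Interface Requirements"
    if (200 <= station.max_kv <= 499
            and stations_connected_at_200kv(station) >= 3
            and aggregate_weighted_value(station) > 3000):
        return "4.1.1: 200-499 kV, 3+ stations at 200 kV+, weighted value > 3000"
    return None


# Constructed sample stations (not real facilities)
SUB_A = Station("Sub A", 345, lines=[("B", 345), ("C", 345), ("D", 230), ("E", 115)])
SUB_F = Station("Sub F", 230, lines=[("G", 230), ("H", 230), ("I", 230), ("J", 230)])
SUB_K = Station("Sub K", 500)
```

Sub A qualifies on three connections at 200 kV or higher with a weighted value of 3300; Sub F has four connections but a weighted value of 2800 and so does not.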
8. 8
• Must be completed within 90 days of R1 Assessment and
may be conducted concurrently
• Unaffiliated third party must be:
o A registered Planning Coordinator, Transmission Planner, or
Reliability Coordinator
-or-
o An entity that has transmission planning or analysis experience
• The SDT interprets “unaffiliated” as external to the
corporate structure
• The credentials of the third party will be assessed and
may impact the audit risk and subsequent rigor for R1
CIP-014-1 R2: Unaffiliated Review of R1
Assessment
9. 9
• Unaffiliated reviewer recommendations must be
addressed within 60 days of review
o Modify its identification under Requirement R1 consistent with the
recommendation
-or-
o Document the technical basis for not modifying the identification in
accordance with the recommendation
This language is NOT intended to trigger TFEs
• Implement procedures to protect sensitive information
throughout the review process
CIP-014-1 R2: Unaffiliated Review of R1
Assessment
10. 10
• The entity has 7 days to notify control center operators for
primary control centers associated with
Stations/Substations identified in R1 assessment
• The entity has 7 days to notify control center operators for
primary control centers associated with
Stations/Substations removed in subsequent R1
assessments
• Compliance tips:
o Use email read receipts
o Implement three part communications
o Receive and document confirmation of notification from control
center operators
CIP-014-1 R3: Notify Control Center Owners
11. 11
• Conduct a threat and vulnerability assessment that
considers:
o Unique characteristics
o Attack history, attacks on similar facilities
Frequency
Geographic Proximity
Severity
o Intelligence or threat warnings
CIP-014-1 R4: Threat and Vulnerability
Assessment
12. 12
• Unique Characteristics may include:
o Terrain
Rural
Urban
o Equipment/Facility Array
Are critical vulnerable assets on the perimeter or are they shielded from view or
attack by less critical components of the facility?
o Existing Protections
o Facility size and shape
A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple
corners, alcoves, and salient points.
o Crime statistics
o Weather
CIP-014-1 R4: Threat and Vulnerability
Assessment
13. 13
• Assessment Tips
o Identify what components of the facility are critical to the mission
o Evaluate your facility from an adversary’s perspective
o Extend the assessment beyond the fence line
o Understand the advantages and disadvantages afforded by surrounding terrain
o Understand your threat environment
Evaluate attacks on similar facilities globally
Evaluate attacks in your geographic area even if the target facility is unlike yours
• Some Existing Assessment Methodologies
o CARVER
o DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool
(ECIP/IST)
o Attack Tree Modeling
CIP-014-1 R4: Threat and Vulnerability
Assessment
14. 14
• Suggested threat vectors to consider
o Direct Fire
Can an adversary fire a line-of-sight weapon and damage a critical component?
o Indirect Fire
Can an adversary fire a weapon on an arc trajectory and damage a critical
component?
o Explosive
Can an adversary place an explosive device such that it will damage a critical
component?
o Vehicular Attack
Can an adversary drive a vehicle into my facility to damage a critical
component?
o Forced Entry
Can an adversary force his way into my facility to damage a critical component?
o Surreptitious Entry
Can an adversary sneak into the facility to damage a critical component?
o Arson
Can an adversary damage critical components with fire?
CIP-014-1 R4: Threat and Vulnerability
Assessment
15. 15
• Resources
o Physical Security Personnel
o Local Law Enforcement
o Federal Agencies
o State Emergency Management
• Methodologies
o ECIP/SAV
o CARVER
Assessment Resources
16. 16
• Observation
• Avenues of Approach
• Key Terrain
• Obstacles
• Cover and Concealment
Terrain Analysis
17. 17
• Where can bad guys see me?
• What can I see?
• More importantly, what can’t I see?
Observation
21. 21
• What do I really need to keep bad guys
away from?
• What areas can bad guys conduct
surveillance from?
• What areas can bad guys launch an attack
from?
Key Terrain
23. 23
• What do I have available to block bad guys from
getting to or seeing me?
o Natural
Cliffs
Ravines
Trees
BFRs
o Man-made
Fences
Gates
Bollards
Obstacles
27. 27
• What is vulnerable?
o Ballistics paths
o Susceptible to blast
o Susceptible to sabotage
• How could I be attacked?
o Beware a “failure of imagination”
o Do not think about the likelihood of an attack
vector at this point
Self Assessment
28. 28
• The following few slides are a very small
slice of a free three-day course that DHS
provides*
• If interested in the full course contact your
DHS Protective Security Advisor
Surveillance Detection
*The presenter is not responsible for curriculum
changes over the past four years or the effects of
time on memory.
29. 29
Attack Planning Cycle
When can the attacker best be
defeated?
Planning Cycle
Target
Identification
Surveillance
Target Selection
Pre-attack
surveillance and
planning
Rehearsal
Attack
Escape
30. 30
Types of Surveillance
• Fixed
• Mobile
• Technical
• Photographic
• Combination
Surveillance Detection
31. 31
Where can an adversary effectively conduct
surveillance on your facility?
Hostile Surveillance Points
34. 34
Q: We’ve mitigated all the hostile
surveillance points, what's next?
A: It depends
• Delay
• Detect
• Deter
• Defend
Now What?
35. 35
Q: Why didn’t your last picture have any deter or defend
mitigations?
A: There are a number of deterrents available at little or no
cost
• Random security measures
• Every visible security control*
• Police patrols
Now What?
*Double-edged sword, showing all controls makes
your controls easy to recon.
36. 36
Q: What do you mean by random security measures?
A: Random security measures allow you to implement
security controls that wouldn’t be fiscally possible if they
were implemented across your facilities 24/7. The key to
successful random security measures is to avoid any
discernible pattern and to ensure the measures are enough
of a departure from your standard security posture that they
throw off an adversary. Random security measures are the
bane of a recon scout’s existence!
Deterrents
37. 37
Q: What are some examples of random security
measures?
A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers
Deterrents
38. 38
Q: How do I get the police to patrol my remote sites?
A: Information sharing!
• Teach your first responders what’s critical
• Invite first responders out for tours/site familiarity
• Where possible offer some desk space and/or a pot of
coffee
Deterrents
39. 39
Q: How can I defend my site without hiring a small army?
A: Do you have armed drones available? If not, you’re likely limited to
your response plan.
Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
o Guard force
o LLE
o Operations personnel
• How long can you delay vs how long will your response take to get
on site?
o 15 minute delay + 30 minute response = problem
Delay
40. 40
• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic
CPTED Concepts
41. 41
• Put yourself in the attacker’s position, which
location would you prefer to attack?
Shape Your Environment
42. 42
• Put yourself in the attacker’s position, which
location would you prefer to attack?
Lighting
46. 46
• Chain link fence with barbed wire topper
Average Current Substation Defense
47. 47
• Cameras
• Intrusion Detection
• System redundancy
• Defense in depth for cyber assets
Average Current Substation Defense
48. 48
• Develop a security plan including
o Resilience or security measures
Ensure the measures address vulnerabilities identified in R4
o Law enforcement contact and coordination may include:
Simply a name and phone number
Meetings to discuss security concerns, site-specific hazards, etc
Site-specific training for law enforcement
Hosting law enforcement exercises
o Timeline for implementing physical security projects
No specific dates or time frames required in this timeline, but it must pass the
common sense test
o Provision to evaluate evolving threats
Should include a process or mechanism to receive threat information
Should include a process to evaluate threat information as it is received
CIP-014-1 R5: Security Plan
49. 49
• Security Plan Tips
o Conduct a second assessment including the new measures
Provides valuable metrics to stakeholders and regulators
If conducted in the planning phase, may prevent costly but minimally effective
security enhancements
o Ensure the plan makes sense
A reasonably-informed person should be able to follow and implement the plan
without extensive knowledge of the site or entity
o Law enforcement is your friend
Coordinate early and often to ensure all parties understand facility nuances and
specific hazards/concerns
Law enforcement training on site = free security
Ensure mutual understanding of law enforcement response procedures and
capabilities
o Consider developing a threat/risk assessment function
May require additional human capital
Can be achieved through vendor solutions
CIP-014-1 R5: Security Plan
50. 50
• R6: Unaffiliated Review of R4 Assessment and R5 Plan
o An organization with industry physical security experience AND a
Certified Protection Professional (CPP) or Physical Security
Professional (PSP) on staff.*
-or-
o An organization approved by the ERO.*
-or-
o A government agency with physical security expertise.
-or-
o An organization with demonstrated law enforcement or military
physical security expertise.*
*WECC staff meet these criteria
CIP-014-1 R6: Unaffiliated Review of
Assessment and Plan
51. 51
• R1 Risk Assessment must be completed on or before
the effective date
• R2
o 2.1, 2.2, and 2.4 must be completed within 90 calendar days of
R1 assessment
o 2.3 must be completed within 60 calendar days of 2.2
verification
• R3 must be completed within 7 calendar days of R2
completion
• R4 must be completed within 120 calendar days of R2
completion
CIP-014-1 Implementation
52. 52
• R5 must be completed within 120 days of R2
completion
• R6
o 6.1, 6.2, and 6.4 must be completed within 90 days of R5
completion
o 6.3 must be completed within 60 days of 6.2 review
CIP-014-1 Implementation
53. 53
CIP-014-1 Implementation
CIP-014-1 Implementation Timeline
Step                                      Due                Cumulative
R1   Assessment                           Effective Date     0 Days
R2   Verification                         Effective + 90     90 Days
R2.3 Address Discrepancies                R2.2 + 60          150 Days
R3   Notify Control Center                R2 + 7             157 Days
R4   Threat and Vulnerability Evaluation  R2 + 120           270 Days
R5   Security Plan                        R2 + 120           270 Days
R6   Review                               R5 + 90            360 Days
R6.3 Address Discrepancies                R6.2 + 60          420 Days
Less than nine months from effective date to Security Plan completion
54. 54
• R2 – R6 must be completed within 420 calendar days after
completing the risk assessment process in R1.
Maximum Timeline
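The chained deadlines on slides 51 through 54, turned into a small scheduler as an added example (not the presenter's or WECC's code): each requirement is due a fixed number of calendar days after the step it depends on, and the result is checked against the 420-day maximum. The effective date used is constructed for illustration.

```python
from datetime import date, timedelta

# Each step is due a fixed number of calendar days after the step it depends
# on; the offsets are the ones given on the implementation slides.
STEPS = (
    # (step, depends on, calendar days after that step, description)
    ("R1",   None,   0,   "Risk assessment (due on the effective date)"),
    ("R2",   "R1",   90,  "Unaffiliated verification, parts 2.1, 2.2 and 2.4"),
    ("R2.3", "R2",   60,  "Address reviewer recommendations"),
    ("R3",   "R2.3", 7,   "Notify control center operators"),
    ("R4",   "R2.3", 120, "Threat and vulnerability assessment"),
    ("R5",   "R2.3", 120, "Security plan"),
    ("R6",   "R5",   90,  "Unaffiliated review, parts 6.1, 6.2 and 6.4"),
    ("R6.3", "R6",   60,  "Address reviewer recommendations"),
)
MAX_DAYS_AFTER_R1 = 420   # R2 through R6 within 420 calendar days of R1


def schedule(effective: date) -> dict:
    """Return {step: (cumulative days, due date)} for a given effective date."""
    due = {}
    for step, dep, days, _ in STEPS:
        cumulative = (due[dep][0] if dep else 0) + days
        due[step] = (cumulative, effective + timedelta(days=cumulative))
    return due


def latest_day(effective: date) -> int:
    return max(days for days, _ in schedule(effective).values())


def within_maximum(effective: date) -> bool:
    """Check the chained deadlines against the 420-day ceiling."""
    return latest_day(effective) <= MAX_DAYS_AFTER_R1


def print_timeline(effective: date) -> None:
    due = schedule(effective)
    for step, _, _, text in STEPS:
        days, when = due[step]
        print(f"{step:<5} {text:<50} day {days:>3}  {when.isoformat()}")


if __name__ == "__main__":
    # Constructed effective date for illustration; the real date is set by
    # FERC's final rule.
    print_timeline(date(2015, 10, 1))
```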
55. 55
• Notice of Proposed Rulemaking (NOPR) issued by FERC
July 17, 2014.
o Proposes to approve CIP-014-1, implementation plan,
and VRF/VSL
o Proposes modifications
o Proposes informational filing
o Seeks comments
• Comments due 45 days after NOPR published in the
Federal Register. Reply comments due 60 days after
NOPR published in the Federal Register.
CIP-014 (Physical Security) NOPR
56. 56
• Proposed Modifications:
o Allow Governmental Authorities (i.e., FERC and
any other appropriate federal or provincial
authorities) to add or subtract facilities from an
applicable entity’s list of critical facilities under
Requirement R1.
o Remove the term “widespread” as it appears in
the proposed Reliability Standard in the phrase
“widespread instability.”
CIP-014 (Physical Security) NOPR
57. 57
• Proposed Informational Filings:
o Within six months of the effective date of a final rule
addressing the possibility that CIP-014-1 may not
provide physical security for all “High Impact” control
centers as defined in CIP-002-5.1.
o Within one year of the effective date of a final rule
addressing possible resiliency measures that can be
taken to maintain reliable operation of the Bulk Electric
System following the loss of critical facilities.
CIP-014 (Physical Security) NOPR
58. 58
• Comments desired on:
o Providing for applicable governmental authorities to add or
subtract facilities from an entity’s list of critical facilities
o The standard for identifying critical facilities
o Control centers
o Exclusion of generators from the applicability section of the
proposed Reliability Standard
o Third-party recommendations
o Resiliency
o Violation risk factors and violation severity levels
o Implementation plan and effective date
CIP-014 (Physical Security) NOPR
59. 59
• PSWG- Get plugged in!
• http://www.wecc.biz/committees/StandingCommittees/OC/
CIIMS/PSWG/default.aspx
• Phone call away
We want to help.
• Always willing to provide our audit approach
At Your Service
60. Darren T. Nielsen, M.Ad, CISA,
CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 857-9134
dnielsen@wecc.biz
Questions?
Editor's Notes
Don’t waste valuable resources by designing ineffective physical security programs that offer unnecessary protections or worse, fail to provide adequate security for critical sites.
Smartly planning and implementing effective physical protection systems involves a lock, stock, and barrel approach that strategically harmonizes your people, procedures, and equipment. Make this holistic scenario an everyday reality for your security program while maintaining realistic budget goals.
In the second proposed modification, the Commission would direct NERC to revise wording that it believes could narrow the scope and number of identified critical facilities. Specifically, the NOPR seeks comment on the Commission’s concern that NERC’s use of the phrase “widespread instability” rather than “instability,” as stated in the March order, could create ambiguity since the term “widespread” is not defined.
You have a number of resources available to conduct assessments, both in-house and external.
DISCUSS VALUE OF EXTERNAL (new set of eyes) vs INTERNAL (little/no cost, information control, minimal coordination) ASSESSMENT RESOURCES
There are countless methodologies available, but I’m going to focus on two that I’ve personally conducted, ECIP/SAV and CARVER
You must understand the terrain around your facility for an effective, efficient defense.
Know how to use the terrain to your advantage
Understand how the terrain can be used against you
Like CPTED, we want to maximize our observable space
Additionally, we want to know where the adversary can observe us
There are a few barriers to our observation here:
Hills
Ravine
Trees
Bushes
Cliff
An adversary can observe us from:
Hills
Trees
Bushes
Open Space
Again, like CPTED we must understand how an adversary can reach us and work to control those avenues through barriers and/or observation
Without mitigation, the adversaries can approach us from just about everywhere.
Notice there are no water-borne Ewoks, while it’s possible that an adversary could scale the 300’ cliff, it’s unlikely with so many other easy approaches.
We tend to look at design of utilities only through a functional lens with minimal concern for aesthetics or design.
Adversaries notice that.
Let’s talk about a few high-level crime prevention through environmental design concepts worth considering.
An adversary is far less likely to attack a facility that appears well-maintained and attended than one that shows signs of disrepair
Good lighting reduces an adversary’s concealment, making them easier to detect and making the facility less enticing.
Like lighting, we want to remove potential hiding spots and improve our ability to see to and beyond our perimeter
More details to come from NERC on what Unaffiliated Review is. Bottom line is an entity does not need to spend a lot or any money to complete this task. However, note WECC Audit staff will conduct an arduous audit and request documentation on the training and experience of whomever an entity chooses to use as a reviewer. A CPP or PSP security professional will likely receive less rigor based on the auditor's professional judgment.
Note: just because the reviewers are government (FBI, DHS, etc.), law enforcement or military does not mean WECC staff will accept them based on title. Be prepared to show and deliver documents to support experience in industry, training, etc. More is better; a resume is not enough for an auditor to obtain reasonable assurance.
Cannot provide directives or prescribe compliance; will provide our audit approach and answer "what ifs".