
Explore the Implicit Requirements of the NERC CIP RSAWs


Regulated entities should consider the RSAW templates when preparing evidence of compliance with the NERC CIP Standards. There are a number of implicit requirements in CIP v5 which an entity needs to fulfill to be compliant, which are not specifically identified in the actual requirements.

In this webinar, our experts will discuss such implicit requirements. Key learnings from this session:

RSAW format
Implicit requirements of CIP RSAWs
Leveraging technology for RSAW management

Published in: Technology


  1. Explore the Implicit Requirements of the NERC CIP RSAWs
     © 2015 MetricStream, Inc. All Rights Reserved.
     Karl Perman, VP Member Services, EnergySec
     Shreyank Shrinath Kamat, Product Manager, MetricStream
  2. Agenda
     • RSAW format
     • Implicit requirements of CIP RSAWs
     • Leveraging technology for RSAW management
     • Q&A
  3. BACKGROUND
     © 2015 Energy Sector Security Consortium, Inc.
  4. RSAW Template
     • Identifying Information – Standard, Entity, Names of Auditors, etc.
     • Applicability of Requirements by Functional Model
     • Color-coded – Fixed text, Entity-supplied information, Auditor-supplied information
     • Findings – Areas of Concern, Recommendations, Positive Observations
  5. RSAW Template
     • Entity’s Subject Matter Experts
     • Requirement and Measures
     • Questions – Space for entity response, may reference other documents
     • Compliance Narrative
     • Evidence – Documents and descriptions
     • Guidance & Questions for Auditors
  6. (image-only slide)
  7. Standard Drafting Team
     • CIP V5 Transition FAQ, Response to Comments
     • “It is inappropriate to suggest that there is an implicit requirement or an inherent requirement that must be complied with as requirements can only be explicit.”
  8. Actual Auditors
     • Lew Folkerth, Reliability First
       – SPP RE CIP Workshop, June 2, 2015
         http://www.spp.org/documents/28852/2015%20cip%20workshop%20materials.pdf
       – RF Newsletter, Issue 3
         https://www.serc1.org/docs/default-source/outreach/communications/resource-documents/serc-transmission-reference/201507---st/cip-v5-rsaw---rf-newsletter-article.pdf?sfvrsn=2
     • Kevin Perry, SPP – CIP Compliance Workshop, June 3, 2015
     • Wayne Lewis, NPCC – CIP Compliance Seminar, 3/24/15
       https://www.npcc.org/Compliance/CIP%20Seminars/Spring%202015%20CIP-010-2.pdf
  9. IMPLICIT REQUIREMENTS
  10. Update Policies
      • CIP-003-6
      • Review and obtain CIP Senior Manager approval for policies
      • “The SDT received comments that Requirements R1 and R2 require annual review of the policy, but never explicitly require the policy to receive updates as a result of that review. The SDT believes this is implicit in the Requirement, and updates would occur as part of an entity’s ongoing compliance with the Requirement.”
        – http://www.nerc.com/pa/Stand/Project%20200806%20Cyber%20Security%20Order%20706%20DL/Consideration_of_Comments_to_draft_3_102612_final.pdf
  11. Shared Compliance Responsibility
      • Asset name or designation
      • Formal agreement describing shared compliance responsibility
  12. Classify assets
      • CIP-002-5 requires entities to classify BES Cyber Systems
      • A BES Cyber Asset will “adversely impact one or more Facilities, systems, or equipment”
      • Classify assets as High, Medium, or Low; BCA are then those Cyber Assets which affect those assets, and take their rating from the asset they affect
  13. Cyber Assets
      • CIP-002 never explicitly says to identify (list) Cyber Assets
        – Need a list of Cyber Assets to show that all that should be BES Cyber Assets were identified as such
  14. Identify PCA
      • CIP-005-5 R1 Part 1.1
      • Cyber Assets connected to a network via routable protocol shall reside within a defined ESP
        – Applicable Systems
      • PCA associated with High or Medium Impact BCS
      • Need to identify PCA
        – Auditors will likely want to audit a sample of PCA, so you need a list of PCA
  15. Verify PCA
      • “After the ESP is defined, verify the ‘implied’ requirement of identifying any PCA within the ESP has been completed”
      • Have a process
      • Use that process
  16. ESP Process
      • “Verify the Responsible Entity has documented one or more process(es) which require all applicable Cyber Assets connected to a network via a routable protocol to reside within a defined ESP.” – RSAW CIP-005-5
      • “In order to verify that each Cyber Asset residing within a defined ESP has been identified as either a BES Cyber Asset or as a PCA, it may be necessary to examine the ESP and conduct an inventory of network connections within the ESP.”
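The inventory-and-reconciliation check that slides 13 through 16 describe, as an added example in Python; it is not part of the presentation or either presenter's material. The ESP subnets, asset register and observed-address list are constructed sample data, and the classification labels and field names are assumptions about how an entity might keep its own records. It reports the three gaps a sampling auditor would look for: a routable device inside an ESP that is neither a BCA nor a PCA, a BCA with routable connectivity that sits outside every defined ESP, and an address seen on ESP network gear that has no entry in the Cyber Asset list at all.

```python
"""Reconcile a Cyber Asset register against defined ESPs and an ESP network inventory.

All data below is constructed for illustration: asset names, addresses and ESP
ranges are invented, and the record layout is an assumed one.
"""
from ipaddress import ip_address, ip_network

# Hypothetical ESP definitions: ESP name -> routable subnets inside that perimeter.
ESPS = {
    "ESP-Substation-A": ["10.10.1.0/24"],
    "ESP-ControlCenter": ["10.20.0.0/22"],
}

# Hypothetical Cyber Asset register. 'classification' is "BCA", "PCA" or None
# (None = identified as a Cyber Asset but not classified as either).
CYBER_ASSETS = [
    {"name": "RTU-01",       "ip": "10.10.1.10",   "routable": True,  "classification": "BCA"},
    {"name": "HMI-01",       "ip": "10.10.1.20",   "routable": True,  "classification": "PCA"},
    {"name": "PRINTER-01",   "ip": "10.10.1.30",   "routable": True,  "classification": None},
    {"name": "SCADA-SRV-01", "ip": "10.20.1.5",    "routable": True,  "classification": "BCA"},
    {"name": "RELAY-07",     "ip": "192.168.50.7", "routable": True,  "classification": "BCA"},
    {"name": "RELAY-08",     "ip": None,           "routable": False, "classification": "BCA"},
]

# Hypothetical inventory of addresses observed on each ESP network (for example
# from switch ARP/MAC tables), the "inventory of network connections" the RSAW mentions.
OBSERVED_IN_ESP = {
    "ESP-Substation-A": ["10.10.1.10", "10.10.1.20", "10.10.1.30", "10.10.1.99"],
    "ESP-ControlCenter": ["10.20.1.5"],
}

# Per the RSAW quote, everything inside an ESP must be identified as a BCA or a PCA.
IN_ESP_CLASSES = {"BCA", "PCA"}


def esp_for(ip):
    """Return the name of the ESP whose subnet contains ip, or None if outside all ESPs."""
    addr = ip_address(ip)
    for esp, nets in ESPS.items():
        if any(addr in ip_network(net) for net in nets):
            return esp
    return None


def reconcile(assets=CYBER_ASSETS, observed=OBSERVED_IN_ESP):
    """Return the three kinds of gap as lists keyed by finding type."""
    findings = {"unclassified_in_esp": [], "bca_outside_esp": [], "unknown_in_esp": []}
    known_ips = {a["ip"] for a in assets if a["ip"]}

    for a in assets:
        if not a["routable"] or not a["ip"]:
            continue  # non-routable devices are not in scope of CIP-005-5 R1 Part 1.1
        esp = esp_for(a["ip"])
        if esp and a["classification"] not in IN_ESP_CLASSES:
            findings["unclassified_in_esp"].append(a["name"])  # inside ESP, neither BCA nor PCA
        if esp is None and a["classification"] == "BCA":
            findings["bca_outside_esp"].append(a["name"])      # routable BCA not within any ESP

    for esp, ips in observed.items():
        for ip in ips:
            if ip not in known_ips:
                findings["unknown_in_esp"].append((esp, ip))   # on the ESP network, not in the register
    return findings


if __name__ == "__main__":
    for kind, items in reconcile().items():
        print(f"{kind}: {items}")
```

The "unknown_in_esp" list is the one the RSAW language is really driving at: the Cyber Asset list only proves completeness if something independent of that list (the network itself) is compared against it.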
  17. Transient Cyber Assets and Removable Media
      • Evidence that Transient Cyber Assets and Removable Media have been connected for 30 calendar days or less
        – Record of connection and disconnection
      • Evidence they have been utilized as authorized
        – Record who used them
        – Record where used
        – Record purpose
      • Record of review of Transient Cyber Assets managed by third parties
      • Record of Transient Cyber Asset patching if used to mitigate vulnerabilities
      • Record of anti-malware signature file updates if used to mitigate introduction of malware
      • Record of scans or other methods to detect and remove malicious code before introducing Removable Media into the Electronic Security Perimeter
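A review of the connection records slide 17 calls for, as an added Python example that is not the presentation's own material. The records are constructed and the field names are an assumption about an entity's log layout. It applies the 30-calendar-day limit, treats a missing disconnection record as a still-open connection measured up to the review date, and reports any record that lacks the who, where and purpose evidence.

```python
"""Review Transient Cyber Asset / Removable Media connection records for RSAW evidence.

Records below are constructed; asset ids, users and sites are invented.
"""
from datetime import date

MAX_CONNECTED_DAYS = 30  # "connected for 30 calendar days or less"

# Hypothetical connection log. 'disconnected' is None when no disconnection was recorded.
TCA_RECORDS = [
    {"asset": "LAPTOP-FIELD-01", "connected": "2015-06-01", "disconnected": "2015-06-03",
     "user": "j.doe", "location": "Substation A", "purpose": "Relay firmware upload",
     "authorized": True},
    {"asset": "USB-RM-04", "connected": "2015-05-01", "disconnected": "2015-06-15",
     "user": "a.smith", "location": "Control Center", "purpose": "Log export",
     "authorized": True},
    {"asset": "LAPTOP-VENDOR-02", "connected": "2015-06-10", "disconnected": None,
     "user": "vendor-tech", "location": "Substation B", "purpose": "",
     "authorized": True},
]


def days_connected(rec, as_of):
    """Calendar days between connection and disconnection; an open record runs to as_of."""
    start = date.fromisoformat(rec["connected"])
    end = date.fromisoformat(rec["disconnected"]) if rec["disconnected"] else as_of
    return (end - start).days


def review_records(records=TCA_RECORDS, as_of=date(2015, 7, 1)):
    """Return (asset, issue) pairs for every evidence gap found in the records."""
    issues = []
    for rec in records:
        if days_connected(rec, as_of) > MAX_CONNECTED_DAYS:
            issues.append((rec["asset"], "connected longer than 30 calendar days"))
        if rec["disconnected"] is None:
            issues.append((rec["asset"], "no disconnection record"))
        for field in ("user", "location", "purpose"):   # "utilized as authorized" evidence
            if not rec[field]:
                issues.append((rec["asset"], f"missing {field}"))
        if not rec["authorized"]:
            issues.append((rec["asset"], "use not authorized"))
    return issues


if __name__ == "__main__":
    for asset, issue in review_records():
        print(f"{asset}: {issue}")
```

Counting an open record up to the review date is deliberate: a device with a connection entry and no disconnection entry is exactly the case where the 30-day evidence cannot be produced, so it should surface before an auditor asks for it.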
  18. Configuration Change Management
      • CIP-010-2 R1.4
        – 1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
        – 1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
        – 1.4.3. Document the results of the verification.
      • Should have test procedures documented
  19. Test Configuration Changes
      • CIP-010-2 R1.5
      • Identify configuration of test environment
      • Identify how test environment differs from production environment
        – High Impact BCS
  20. CIP-010-2
      • Where technically feasible, for each change that deviates from the existing baseline configuration:
        – 1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
      • Document which identifies devices and configurations in a test environment
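The three R1.4 steps from slides 18 to 20 carried through on one change record, as an added Python example that is not from the presentation. The baselines are constructed; the mapping from a baseline element to the CIP-005/CIP-007 controls that might be impacted is an assumed illustration of what an entity's own documented test procedure would define, and the verification shown covers only the ports-and-services control.

```python
"""CIP-010-2 R1.4 worked through: determine (1.4.1), verify (1.4.2), document (1.4.3).

The control mapping and the change record are constructed for illustration; an
entity's test procedures would define its own.
"""
from dataclasses import dataclass, field

# Assumed mapping: baseline element -> controls an entity might decide could be
# impacted when that element changes. Illustrative, not text from the standard.
CONTROLS_BY_ELEMENT = {
    "os":       ["CIP-007 R2 patch management", "CIP-007 R4 security event monitoring"],
    "software": ["CIP-007 R2 patch management", "CIP-007 R3 malicious code prevention"],
    "ports":    ["CIP-007 R1 ports and services", "CIP-005 R1 ESP access permissions"],
}
PORTS_CONTROL = "CIP-007 R1 ports and services"


@dataclass
class ChangeRecord:
    change_id: str
    asset: str
    baseline_before: dict                 # baseline elements before the change
    baseline_after: dict                  # the same elements after the change
    approved_new_ports: list              # ports the change request authorised
    impacted_controls: list = field(default_factory=list)   # step 1.4.1 result
    verification: dict = field(default_factory=dict)        # step 1.4.2 results


def determine_impacted_controls(before, after):
    """Step 1.4.1: controls that could be impacted, derived from the elements that differ."""
    impacted = []
    for element, old_value in before.items():
        if old_value != after.get(element):
            for ctrl in CONTROLS_BY_ELEMENT.get(element, []):
                if ctrl not in impacted:
                    impacted.append(ctrl)
    return impacted


def verify_ports(before_ports, after_ports, approved_new_ports):
    """Step 1.4.2 for ports and services: a port listening after the change that was
    neither listening before nor approved by the change request is an adverse effect."""
    unexpected = sorted(set(after_ports) - set(before_ports) - set(approved_new_ports))
    return {"control": PORTS_CONTROL, "passed": not unexpected, "unexpected_ports": unexpected}


def document_change(record):
    """Step 1.4.3: write the determination and each verification result onto the record."""
    record.impacted_controls = determine_impacted_controls(record.baseline_before,
                                                           record.baseline_after)
    if PORTS_CONTROL in record.impacted_controls:
        record.verification["ports"] = verify_ports(record.baseline_before["ports"],
                                                    record.baseline_after["ports"],
                                                    record.approved_new_ports)
    return record


# Constructed sample change: OS unchanged, agent upgraded, port 8080 approved,
# port 23 opened without approval (the failure mode the verification must catch).
SAMPLE_CHANGE = ChangeRecord(
    change_id="CHG-0001",
    asset="SCADA-SRV-01",
    baseline_before={"os": "Vendor OS 3.1", "software": ["scada-agent 2.0"], "ports": [22, 502]},
    baseline_after={"os": "Vendor OS 3.1", "software": ["scada-agent 2.1"], "ports": [22, 502, 8080, 23]},
    approved_new_ports=[8080],
)


def run_sample():
    """Apply all three steps to the constructed change and return the documented record."""
    return document_change(SAMPLE_CHANGE)


if __name__ == "__main__":
    rec = run_sample()
    print(rec.change_id, rec.impacted_controls, rec.verification)
```

The point of keeping the 1.4.1 determination separate from the 1.4.2 verification is that the auditor reads them in that order: the list of controls to re-check has to exist before the change, and the documented result has to refer back to that list.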
  21. Leveraging Technology for RSAW management
      Shreyank Shrinath Kamat, Product Manager, MetricStream
  22. Key Components: NERC Compliance Management
  23. A Robust & Flexible Information Model
  24. Setup Content (CIP standards, requirements, controls etc.)
      • Structure a logical compliance hierarchy, including Areas of Compliance, Standards, Requirements, Controls and Assets.
      • Configure workflows for managing both internal and external standards, mapping regulations, developing controls, performing compliance audits, preparing and implementing action plans, and identifying and remedying issues.
      • Diagram labels: GRC Library, Standards, Areas of Compliance, Controls, Assets, Questions and Procedures, Requirements
  25. Update Content (Regulatory Changes)
      • Workflow steps: Regulatory Alert, Interpretation, Create Channel, Subscribe Channel, Filter Alerts, Act on Alerts, Track Issues
  26. Test Cyber Security Management Controls
      • Define and Manage Controls to protect Cyber Assets
      • Manage Password Changes to CCAs
      • Perform Control Assessments on a regular basis
      • Control Tests to identify strength of controls
      • Notifications to appropriate officers
      • Logs and audit trail maintenance
      • Equivalent to Self Correcting Process Improvement mentioned in Version 5
  27. Issue Remediation
      • Review & Approve Issues – Review and approve issues that arise from tests, self-assessments and certifications.
      • Create Remediation Plans – Define one or more Action/Remediation plans.
      • Implement Planned Actions – Document the work done and results and send the implemented Actions for review and approval.
      • Monitor & Approve Actions – Monitor the status and progress of issues and implementation of remediation plans.
      • Close Issue – Close issues after the whole action plan is implemented and approved.
  28. Surveys and Certifications
      • Create Questionnaire – Create sections and add questions manually or from the GRC library under every questionnaire.
      • Initiate Surveys or Certifications – Initiate a Survey or a Certification by choosing a questionnaire and selecting respondents and approvers.
      • File Responses – File responses or collaborate with other respondents for responses.
      • Certify & Sign-Off – Collate the Survey responses, approve and sign off the assessments and key compliance program data.
      • Log Findings & Issues – Add Findings/Issues to capture non-conformance.
  29. RSAW Management
      • Initiate Survey using in-built CIP questionnaires – Select a CIP questionnaire and initiate a survey to one or more users.
      • Record Responses – File responses or collaborate with other respondents for responses.
      • Attach Evidence – Attach evidence to the survey from the GRC library, from a previous survey, or from the local system.
      • Populate Survey Response into RSAW template – Select the survey response and populate it into the in-built RSAW template.
      • Generate RSAW – Generate and download the completed RSAW in Word format for editing.
  30. Enforce Policies to Effectively Manage Compliance
      • Creation, Storage, Organization, Search
      • Creation, Review, Approval
      • Mapping to Risks and Controls
      • Alerts and Notifications
      • Awareness and Training
      • Tracking and Visibility
      • Policies & Procedures for implementing a physical security program
      • Setting prerequisites for granting approvals, assigning work etc.
      • Define methods, processes, and procedures for securing Cyber Assets & BES
  31. Real time Monitoring and Reporting
      • Risk Intelligence by Regulations & Critical Assets
      • Track NERC version and Migration check
      • Monitor NERC Compliance Audit Readiness
      • Regulatory Filings, Certifications
  32. Data Browser
  33. MetricStream Advantage – NERC CIP Solution
      • Best in class Governance, Risk and Compliance solutions provider
      • Platform based solution – with integrated risk, compliance, policy, issue and change management systems
      • Experience in working with numerous electric utilities in the US ranging from co-ops to investor owned
      • Built in content with controls and industry best practices
      • One-Click Automated RSAW generation – reduction in RSAW production times from weeks to just a few minutes/hours.
      • Have real-time visibility into business to avoid compliance concerns
  34. About MetricStream
      • Vision: Integrated Governance, Risk and Compliance for Better Business Performance
      • Solutions: NERC CIP Compliance • Risk Management • Business Continuity Management • IT GRC • Audit Management • Supplier Governance • Quality Management • EHS & Sustainability • Governance & Ethics • Content and Training
      • Organization: Over 1,800 employees • Headquarters in Palo Alto, California with offices worldwide • Over 350 enterprise customers • Privately held – backed by global leading VCs, Sage View Capital, Goldman Sachs
      • Differentiators: Technology – GRC Platform, 9 Patents • Breadth of Solutions – Single Vendor for all GRC needs • Cross-industry Best Practices and Domain Knowledge • ComplianceOnline.com – Largest Compliance Portal on the Web
      • Partners
  35. Q&A
      Please submit your questions to the host by typing into the chat box on the lower right-hand portion of your screen. Thank you for participating! A copy of this presentation will be made available to all participants in the next 48 working hours. For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars
      Karl Perman, VP Member Services, EnergySec – Email: karl@energysec.org
      Shreyank S. Kamat, Product Manager, MetricStream – Email: shreyank.kamat@metricstream.com
  36. THANK YOU
      Contact Us: Website: www.metricstream.com | Email: webinar@metricstream.com
      Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554
