WECC Compliance User Group Meeting<br />Top 10 Most Violated Standards in WECC<br />Approaches to Compliance <br />Februar...
Agenda<br />Speaker Intro<br />Sources of Information<br />Top 10 Most Violated Standards NERC and WECC<br />Common Violat...
Introduction<br />Bill Addington – Intellibind, LLC <br />Over 20 years Cyber Security expertise<br /><ul><li>Involved in ...
Sources of Information<br />NERC published research and reviews<br />WECC documents<br />Research into Violation Reports f...
NERC and WECC Top 10 Most Violated Standards<br />May 1, 2009 to April 30, 2010 – Summary Table<br />
Top Ten Most Violated WECC Standards<br /><ul><li>PRC-005 	Transmission Protection System Maintenance and Testing
EOP-005	System Restoration Plans
CIP-001	Sabotage Reporting
TOP-002	Normal Operations Planning
CIP-004	Cyber Security – Personnel and training
CIP-007	Cyber Security – System Security Management
PER-002	Operating Personnel Training
EOP-001	Emergency Operations Planning
CIP-003	Cyber Security – Security Management Controls
COM-001	Telecommunications</li></li></ul><li>Common Violation Findings<br />Poorly written or non-existent procedures and ...
Common Violation Findings<br />Poorly written RSAWs<br />RSAWS do not clearly describe processes<br />RSAWS do not describ...
Evidence – Proof of Compliance	<br />Procedures and Processes <br />Output of Procedures and Processes<br />Proof of Compl...
Top Most Violated Operational Standards (693)<br />
Top Most Violated WECC Operational Standards<br /><ul><li>CIP-001		Sabotage Reporting
COM-001	Telecommunications
EOP-001		Emergency Operations Planning
EOP-005		System Restoration Plans
PER-002		Operating Personnel Training
PRC-005 		Transmission Protection System 			Maintenance and Testing
TOP-002		Normal Operations Planning</li></li></ul><li>CIP-001 Sabotage Reporting <br />
CIP-001 – Sabotage Reporting<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-complian...
CIP-001 – Sabotage Reporting<br />CIP-001 Primary Non-Compliance Factors<br />Lack of required records demonstrating compl...
CIP-001 – Sabotage Reporting<br />CIP-001 Primary Non-Compliance Factors (cont.)<br />Deficiencies were found in procedure...
CIP-001 – Sabotage Reporting<br />Recommendations<br />Have a thoroughly documented and tested procedure in place for deal...
CIP-001 – Sabotage Reporting<br />Recommendations (cont.)<br />Verify that procedures are clearly identified and current i...
COM-001 Telecommunications<br />
COM-001 – Telecommunications<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-complian...
COM-001 – Telecommunications<br />COM-001 Primary Non-Compliance Factors<br />Lack of required documentation demonstrating...
COM-001 – Telecommunications<br />COM-001 Primary Non-Compliance Factors (cont.)<br />Entity unable to provide evidence th...
COM-001 – Telecommunications<br />Recommendations<br />Design, develop, implement and maintain procedures addressing the p...
COM-001 – Telecommunications<br />Recommendations (cont.)<br />Design, develop, implement and maintain written operating i...
EOP-001 Emergency Operations Planning <br />
EOP-001 – Emergency Operations Planning<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for n...
EOP-001 – Emergency Operations Planning<br />EOP-001 Primary Non-Compliance Factors<br />Failed to have in place an operat...
EOP-001 – Emergency Operations Planning<br />EOP-001 Primary Non-Compliance Factors<br />Failure to provide evidence that ...
EOP-001 – Emergency Operations Planning<br />Recommendations<br />Obtain an operating agreement with provisions to obtain ...
EOP-001 – Emergency Operations Planning<br />Recommendations (cont.)<br />Design, develop, implement and maintain a proced...
EOP-005 System Restoration Plans <br />
EOP-005 – System Restoration Plans<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-co...
EOP-005 – System Restoration Plans<br />EOP-005 Primary Non-Compliance Factors<br />Failure to provide a Restoration Plan ...
EOP-005 – System Restoration Plans<br />EOP-005 Primary Non-Compliance Factors (cont.)<br />Failure to coordinate restorat...
EOP-005 – System Restoration Plans<br />EOP-005 Primary Non-Compliance Factors (cont.)<br />Failure to properly train oper...
EOP-005 – System Restoration Plans<br />Recommendations<br />Design, develop, implement and maintain a Restoration Plan th...
EOP-005 – System Restoration Plans<br />Recommendations (cont.)<br />Design, develop, implement and maintain a Restoration...
PER-002 Operating Personnel Training <br />
PER-002 – Operating Personnel Training<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for no...
PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors<br />Failure to staff operating personn...
PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors (cont.)<br />Training program did not e...
PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors (cont.)<br />Failure to include trainin...
PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors (cont.)<br />Failure to prove the compe...
PER-002 – Operating Personnel Training<br />Recommendations<br />Provide required training to staff operating personnel th...
PER-002 – Operating Personnel Training<br />Recommendations (cont.)<br />Program objectives should:<br />Be based on NERC ...
PER-002 – Operating Personnel Training<br />Recommendations (cont.)<br />Training programs must cover and allot time for t...
PER-002 – Operating Personnel Training<br />Recommendations (cont.)<br />Provide training staff with training programs for...
PRC-005  Transmission Protection System Maintenance and Testing<br />
PRC-005 - Transmission Protection System Maintenance and Testing<br />Overall Non-Compliance Analysis Statement<br />Probl...
PRC-005 - Transmission Protection System Maintenance and Testing<br />PRC-005 Primary Non-Compliance Factors<br />Document...
PRC-005 - Transmission Protection System Maintenance and Testing<br />PRC-005 Primary Non-Compliance Factors (cont.)<br />...
PRC-005 - Transmission Protection System Maintenance and Testing<br />Recommendations<br />Entities subject to standard PR...
PRC-005 - Transmission Protection System Maintenance and Testing<br />Recommendations (cont.)<br />Verify that testing pro...
TOP-002 Normal Operations Planning <br />
TOP-002 – Normal Operations Planning<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-...
TOP-002 – Normal Operations Planning<br />TOP-002 Primary Non-Compliance Factors<br />Failure to coordinate current-day, n...
TOP-002 – Normal Operations Planning<br />TOP-002 Primary Non-Compliance Factors (cont.)<br />Failure to notify appropriat...
TOP-002 – Normal Operations Planning<br />Recommendations<br />Design, develop, implement and maintain procedures to coord...
TOP-002 – Normal Operations Planning<br />Recommendations (cont.)<br />Confirm all line identifiers are consistent with th...
TOP-002 – Normal Operations Planning<br />Recommendations (cont.)<br />Design, develop, implement and maintain procedures ...
Top Violated Cyber Security CIP Standards (706)<br />
Top Most Violated WECC Cyber Security Standards<br /><ul><li>CIP-003	Cyber Security - Security Management 			Controls
CIP-004 	Cyber Security - Personnel and Training
CIP-007	Cyber Security - Systems Security 				Management</li></li></ul><li>CIP-003 Cyber Security - Security Management Co...
CIP-003  Cyber Security – Security Management Controls<br />Overall Non-Compliance Analysis Statement<br />Problem areas i...
CIP-003  Cyber Security – Security Management Controls<br />CIP-003 Primary Non-Compliance Factors<br />Failure to documen...
CIP-003  Cyber Security – Security Management Controls<br />CIP-003 Primary Non-Compliance Factors (cont.)<br />Failure to...
CIP-003  Cyber Security – Security Management Controls<br />Recommendations<br />Document a procedure that ensures a CIP S...
CIP-003  Cyber Security – Security Management Controls<br />Recommendations (cont.)<br />Procedures should exist to manage...
CIP-004 Cyber Security - Personnel and Training <br />
CIP-004  Cyber Security – Personnel & Training<br />Overall Non-Compliance Analysis Statement<br />Problem areas identifie...
CIP-004  Cyber Security – Personnel & Training<br />CIP-004 Primary Non-Compliance Factors<br />Lack of required records d...
CIP-004  Cyber Security – Personnel & Training<br />CIP-004 Primary Non-Compliance Factors (cont.)<br />Unable to prove tr...
CIP-004  Cyber Security – Personnel & Training<br />Recommendations<br />Ensure and verify that all employees with access ...
CIP-004  Cyber Security – Personnel & Training<br />Recommendations (cont.)<br />Entities need to ensure and verify that r...
CIP-004  Cyber Security – Personnel & Training<br />Recommendations (cont.)<br />Entities need to ensure that appropriate ...
CIP-007 System Security Management <br />
CIP-007 Cyber Security – System Security Management<br />Overall Non-Compliance Analysis Statement<br />Problem areas iden...
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors<br />Failure to demonstrat...
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to do...
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to pr...
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to de...
Upcoming SlideShare
Loading in …5
×

Intellibind Top Ten Most Violated Standards Presentation 2011 01 27 (F)

1,590 views

Published on

This is the presentation made at the WECC CUG meeting in Feburuary 2011 and sponsored by LADWP. This presentation can also be found on the WECC website.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,590
On SlideShare
0
From Embeds
0
Number of Embeds
14
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Intellibind Top Ten Most Violated Standards Presentation 2011 01 27 (F)

  1. 1. WECC Compliance User Group Meeting<br />Top 10 Most Violated Standards in WECC<br />Approaches to Compliance <br />February 9, 2011<br />Thanks to Los Angeles Department of Water and Power for sponsoring this session<br />
  2. 2. Agenda<br />Speaker Intro<br />Sources of Information<br />Top 10 Most Violated Standards NERC and WECC<br />Common Violation Findings<br />Evidence and Proof of Compliance<br />Details for 693 (Reliability) Standards<br />Primary Non-Compliance Factors<br />Recommendations<br />Details for 706 (CIP) Standards<br />Primary Non-Compliance Factors<br />Recommendations<br />
  3. 3. Introduction<br />Bill Addington – Intellibind, LLC <br />Over 20 years Cyber Security expertise<br /><ul><li>Involved in creation of original cyber security standard BS7799</li></ul>Over 10 years with Electric Power Utilities<br />Principle author and speaker, NERC Cyber Security Workshop<br />Author of EPRI papers on Cyber Security<br />Former Interim Security Manager at ERCOT<br />Kevin Conway – Intellibind, LLC <br />26 Years in the Industry<br />NERC Reliability Program<br />NERC OC Representative<br />NERC Functional Model Workgroup<br />NERC Standards Drafting Team<br />System Reliability Manager<br />Marketing and Trading<br />NERC Certified System Operator<br />
  4. 4. Sources of Information<br />NERC published research and reviews<br />WECC documents<br />Research into Violation Reports for details and common causes<br />Field Experience<br />Audit and readiness team experience across U.S.<br />Experience as SME’s in audit in various utilities in WECC<br />Interviews with utilities<br />
  5. 5. NERC and WECC Top 10 Most Violated Standards<br />May 1, 2009 to April 30, 2010 – Summary Table<br />
  6. 6. Top Ten Most Violated WECC Standards<br /><ul><li>PRC-005 Transmission Protection System Maintenance and Testing
  7. 7. EOP-005 System Restoration Plans
  8. 8. CIP-001 Sabotage Reporting
  9. 9. TOP-002 Normal Operations Planning
  10. 10. CIP-004 Cyber Security – Personnel and training
  11. 11. CIP-007 Cyber Security – System Security Management
  12. 12. PER-002 Operating Personnel Training
  13. 13. EOP-001 Emergency Operations Planning
  14. 14. CIP-003 Cyber Security – Security Management Controls
  15. 15. COM-001 Telecommunications</li></li></ul><li>Common Violation Findings<br />Poorly written or non-existent procedures and processes.<br />No evidence of testing procedures.<br />Documentation – inability to prove that processes where in place to prove compliance with the standard. <br />
  16. 16. Common Violation Findings<br />Poorly written RSAWs<br />RSAWS do not clearly describe processes<br />RSAWS do not describe the relevance of evidence<br />SME interviews do not match RSAW statements<br />Under or over documented evidence <br />
  17. 17. Evidence – Proof of Compliance <br />Procedures and Processes <br />Output of Procedures and Processes<br />Proof of Compliance (Evidence) <br />
  18. 18. Top Most Violated Operational Standards (693)<br />
  19. 19. Top Most Violated WECC Operational Standards<br /><ul><li>CIP-001 Sabotage Reporting
  20. 20. COM-001 Telecommunications
  21. 21. EOP-001 Emergency Operations Planning
  22. 22. EOP-005 System Restoration Plans
  23. 23. PER-002 Operating Personnel Training
  24. 24. PRC-005 Transmission Protection System Maintenance and Testing
  25. 25. TOP-002 Normal Operations Planning</li></li></ul><li>CIP-001 Sabotage Reporting <br />
  26. 26. CIP-001 – Sabotage Reporting<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Procedures<br />Reporting<br />Communication<br />Documentation<br />
  27. 27. CIP-001 – Sabotage Reporting<br />CIP-001 Primary Non-Compliance Factors<br />Lack of required records demonstrating compliance.<br />Procedures were missing or deficient for reporting events of sabotage.<br />
  28. 28. CIP-001 – Sabotage Reporting<br />CIP-001 Primary Non-Compliance Factors (cont.)<br />Deficiencies were found in procedures to communicate information regarding sabotage events to other appropriate personnel.<br />Contact list was too incomplete to report sabotage events to the local FBI and appropriate personnel.<br />
  29. 29. CIP-001 – Sabotage Reporting<br />Recommendations<br />Have a thoroughly documented and tested procedure in place for dealing with sabotage events. This includes steps for recognizing and making sure relevant personnel and entities are informed of a sabotage event.<br />Perform periodic review of the communication reporting procedure and confirm that contact lists are complete and current. This includes making sure all “operating personnel” and local government contacts are correctly identified and included.<br />
  30. 30. CIP-001 – Sabotage Reporting<br />Recommendations (cont.)<br />Verify that procedures are clearly identified and current in all Operator Procedure manuals.<br />
  31. 31. COM-001 Telecommunications<br />
  32. 32. COM-001 – Telecommunications<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Procedures<br />Testing<br />Coordination<br />Documentation<br />
  33. 33. COM-001 – Telecommunications<br />COM-001 Primary Non-Compliance Factors<br />Lack of required documentation demonstrating that entity was managing, alarming, testing, and monitoring its vital telecommunications facilities.<br />Failure to test its vital telecommunications facilities was evident with its documented testing procedures.<br />
  34. 34. COM-001 – Telecommunications<br />COM-001 Primary Non-Compliance Factors (cont.)<br />Entity unable to provide evidence that it had the ability to investigate and recommend solutions to telecommunications problems within its own area and other areas, nor that it had procedures in place that confirm it would be able to continue operation of the system during a loss of telecommunications facilities.<br />
  35. 35. COM-001 – Telecommunications<br />Recommendations<br />Design, develop, implement and maintain procedures addressing the process of managing, alarming, testing, and monitoring vital telecommunications facilities and methods of documentation for recording this process.<br />Supply evidence that you test vital telecommunications facilities consistent with the testing procedures and document test records at the time testing occurred.<br />
  36. 36. COM-001 – Telecommunications<br />Recommendations (cont.)<br />Design, develop, implement and maintain written operating instructions and procedures to provide a means to coordinate telecommunications among respective areas. <br />This coordination shall include the ability to investigate and recommend solutions to telecommunications problems within the area and with other areas.<br />
  37. 37. EOP-001 Emergency Operations Planning <br />
  38. 38. EOP-001 – Emergency Operations Planning<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Procedures<br />Documentation<br />Incomplete Emergency Operations Plans<br />
  39. 39. EOP-001 – Emergency Operations Planning<br />EOP-001 Primary Non-Compliance Factors<br />Failed to have in place an operating agreement with provisions to obtain emergency assistance from remote and adjacent Balancing Authorities.<br />Emergency Plan did not directly address all of the necessary elements, such as, system restoration plans, communication protocol, mitigate operating emergencies, tasks to be coordinated and staffing levels during emergencies.<br />
  40. 40. EOP-001 – Emergency Operations Planning<br />EOP-001 Primary Non-Compliance Factors<br />Failure to provide evidence that it reviews and annually updates its emergency plans.<br />Failure to provide updated emergency plans to all of the required entities at the time the plans were updated.<br />
  41. 41. EOP-001 – Emergency Operations Planning<br />Recommendations<br />Obtain an operating agreement with provisions to obtain emergency assistance from remote and adjacent Balancing Authorities.<br />Design, develop, implement and maintain an Emergency Plan and procedures that directly address all of the necessary elements, such as, system restoration plans, communication protocol, mitigate operating emergencies, tasks to be coordinated and staffing levels during emergencies.<br />
  42. 42. EOP-001 – Emergency Operations Planning<br />Recommendations (cont.)<br />Design, develop, implement and maintain a procedure that requires review and annually update to emergency plans.<br />Design, develop, implement and maintain a procedure to provide updated emergency plans to all of the required entities at the time the plans were updated.<br />
  43. 43. EOP-005 System Restoration Plans <br />
  44. 44. EOP-005 – System Restoration Plans<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Procedures<br />Annual Review<br />Testing<br />Documentation<br />Coordination <br />Training <br />
  45. 45. EOP-005 – System Restoration Plans<br />EOP-005 Primary Non-Compliance Factors<br />Failure to provide a Restoration Plan that would re-establish its electric system in a stable and orderly manner in cases where there is a partial or total shutdown of its system.<br />Restoration Plan was not reviewed and updated at the least annually.<br />
  46. 46. EOP-005 – System Restoration Plans<br />EOP-005 Primary Non-Compliance Factors (cont.)<br />Failure to coordinate restoration plan with the Generator Owners and Balancing Authorities within its area, its Reliability Coordinator, and neighboring Transmission Operators and Balancing Authorities.<br />Restoration Plan did not contain procedures for the loss of vital telecommunication channels and had not periodically tested its telecommunication facilities that are required to implement the restoration plan.<br />
  47. 47. EOP-005 – System Restoration Plans<br />EOP-005 Primary Non-Compliance Factors (cont.)<br />Failure to properly train operating personnel on how to implement the restoration plan.<br />Restoration plan was not verified by actual testing or simulation.<br />
  48. 48. EOP-005 – System Restoration Plans<br />Recommendations<br />Design, develop, implement and maintain a Restoration Plan that will re-establish its electric system in a stable and orderly manner in cases where there is a partial or total shutdown of its system.<br />Review and update the Restoration Plan at least annually and document this process.<br />Coordinate the Restoration Plan with the Generator Owners and Balancing Authorities within its area, its Reliability Coordinator, and neighboring Transmission Operators and Balancing Authorities.<br />
  49. 49. EOP-005 – System Restoration Plans<br />Recommendations (cont.)<br />Design, develop, implement and maintain a Restoration Plan that contains operating instructions and procedures for the loss of vital telecommunication channels and periodically test its telecommunication facilities that are required to implement the restoration plan.<br />Properly train operating personnel on how to implement the restoration plan.<br />Verify restoration procedure by actual testing or by simulation. <br />
  50. 50. PER-002 Operating Personnel Training <br />
  51. 51. PER-002 – Operating Personnel Training<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Documentation<br />Training <br />Competency<br />
  52. 52. PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors<br />Failure to staff operating personnel that have direct impact on the real-time operation of the BES with adequately trained and qualified people.<br />Training program lacked specificity with respect to the training of operating personnel.<br />
  53. 53. PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors (cont.)<br />Training program did not effectively identify objectives, but merely provided a list of skills.<br />Failure to identify in the training plans the necessary knowledge, skills, or competencies for system operators to conduct reliable operations.<br />Failure to include a plan for initial and continuing training of operating personnel.<br />
  54. 54. PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors (cont.)<br />Failure to include training time for operating personnel.<br />Lack of organized records for the completion of training.<br />
  55. 55. PER-002 – Operating Personnel Training<br />PER-002 Primary Non-Compliance Factors (cont.)<br />Failure to prove the competencies of training staff in both knowledge of system operations and/or formal training or other evidence of instructional skill competencies.<br />Failure to conduct annual training and drills using realistic simulations of system emergencies at least five days per year.<br />
  56. 56. PER-002 – Operating Personnel Training<br />Recommendations<br />Provide required training to staff operating personnel that have direct impact on the real-time operation of the BES.<br />A well-designed training program must start with the identification of job tasks. From this identification of the tasks required, learning objectives can be developed to give operators the abilities to perform the tasks. The knowledge, skills, and abilities are identified as required to meet the objectives, Training is then designed to the objectives and the related knowledge, skills, and abilities that are associated with them.<br />
  57. 57. PER-002 – Operating Personnel Training<br />Recommendations (cont.)<br />Program objectives should:<br />Be based on NERC and regional Reliability Standards, entity operating procedures, and applicable regulatory requirements.<br />Reference the knowledge and competencies needed to apply these standards, procedures and requirement.<br />Consider normal, emergency, and restoration conditions.<br />
  58. 58. PER-002 – Operating Personnel Training<br />Recommendations (cont.)<br />Training programs must cover and allot time for the operating personnel who have primary responsibility for real-time operations, or who are directly responsible for complying with NERC and regional Reliability Standards.<br />It is essential to carry out training according to plans for all operators to whom this reliability standard is applicable. <br />Document the records of all trained operators.<br />
  59. 59. PER-002 – Operating Personnel Training<br />Recommendations (cont.)<br />Provide training staff with training programs for instructional methods. <br />Annual practice sessions should use practice simulations of real emergency conditions, and records should be logged with date, participants, and events.<br />Overall training program should be based on a systemic approach to training, and address all aspects of the requirements, execute them and provide evidence. <br />
  60. 60. PRC-005 Transmission Protection System Maintenance and Testing<br />
  61. 61. PRC-005 - Transmission Protection System Maintenance and Testing<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Understanding <br />Documentation <br />Organization<br />MOST FREQUENTLY VIOLATED STANDARD<br />
  62. 62. PRC-005 - Transmission Protection System Maintenance and Testing<br />PRC-005 Primary Non-Compliance Factors<br />Documentation of testing and maintenance results missing or inadequate.<br />Not all components of the protection systems were identified or tested.<br />Inventory lists of applicable devices are incomplete and therefore, devices were not scheduled appropriately. <br />
  63. 63. PRC-005 - Transmission Protection System Maintenance and Testing<br />PRC-005 Primary Non-Compliance Factors (cont.)<br />Lacking basis to determine the appropriate testing intervals.<br />Failure to complete maintenance and testing activities on time.<br />Lack of complete and thorough monitoring of testing and maintenance programs.<br />  <br />
  64. 64. PRC-005 - Transmission Protection System Maintenance and Testing<br />Recommendations<br />Entities subject to standard PRC-005 need to have a thorough and rigorous documented maintenance and testing plan in place for devices that qualify as protection systems.<br />Perform periodic physical inventories, including walkthroughs where needed, to ensure the active device inventory list is complete and accurate, and all pertinent devices appear on maintenance and testing schedules. CHANGE MANAGEMENT.<br />
  65. 65. PRC-005 - Transmission Protection System Maintenance and Testing<br />Recommendations (cont.)<br />Verify that testing programs include the appropriate basis of testing to ensure the reliability of the Bulk Electric System.<br />Complete maintenance and testing programs on schedule and within defined intervals.<br />Emphasis on the urgency to meet the specified time intervals must be made explicitly clear regardless of what situations the company may encounter that interfere with planned maintenance.<br />
  66. 66. TOP-002 Normal Operations Planning <br />
  67. 67. TOP-002 – Normal Operations Planning<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Coordination<br />Notification<br />Documentation<br />
  68. 68. TOP-002 – Normal Operations Planning<br />TOP-002 Primary Non-Compliance Factors<br />Failure to coordinate current-day, next-day, and seasonal operations with appropriate entities.<br />Failure to provide documentation showing that it was providing forecasts to appropriate entities.<br />Failure to coordinate planning and operations with neighboring entities<br />
  69. 69. TOP-002 – Normal Operations Planning<br />TOP-002 Primary Non-Compliance Factors (cont.)<br />Failure to notify appropriate entities of changes in capabilities and characteristics, such as changes in real output capabilities.<br />Failure to provide documentation demonstrating that it used uniform line identifiers when discussing transmission facilities among a shared interconnect.<br />
  70. 70. TOP-002 – Normal Operations Planning<br />Recommendations<br />Design, develop, implement and maintain procedures to coordinate current-day, next-day, and seasonal operations with appropriate entities.<br />Create a standardized document to be utilized for providing forecasts with a mutually agreed upon format when providing forecasts to appropriate entities. Create an electronic file system for storage of these documents.<br />Design, develop, implement and maintain procedures to coordinate planning and operations with neighboring entities.<br />
  71. 71. TOP-002 – Normal Operations Planning<br />Recommendations (cont.)<br />Confirm all line identifiers are consistent with the identifiers used when discussing transmission facilities among a shared interconnect. Obtain a letter of agreement between entities on identifiers used when discussing transmission facilities among a shared interconnect or obtain an agreed upon one-line diagram demonstrating uniform line identifiers.<br />
  72. 72. TOP-002 – Normal Operations Planning<br />Recommendations (cont.)<br />Design, develop, implement and maintain procedures to utilize uniform line identifiers when discussing transmission facilities among a shared interconnect.<br />Design, develop, implement and maintain procedures to notify appropriate entities of changes in capabilities and characteristics, such as changes in real output capabilities.<br />
  73. 73. Top Violated Cyber Security CIP Standards (706)<br />
  74. 74. Top Most Violated WECC Cyber Security Standards<br /><ul><li>CIP-003 Cyber Security - Security Management Controls
  75. 75. CIP-004 Cyber Security - Personnel and Training
  76. 76. CIP-007 Cyber Security - Systems Security Management</li></li></ul><li>CIP-003 Cyber Security - Security Management Controls<br />
  77. 77. CIP-003 Cyber Security – Security Management Controls<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Documentation<br />Review<br />
  78. 78. CIP-003 Cyber Security – Security Management Controls<br />CIP-003 Primary Non-Compliance Factors<br />Failure to document or incomplete documentation of designated CIP Sr. Manager or failure to update documentation upon changes to designated CIP Sr. Manager.<br />Failure to properly document exceptions to the Cyber Security Policy.<br />
  79. 79. CIP-003 Cyber Security – Security Management Controls<br />CIP-003 Primary Non-Compliance Factors (cont.)<br />Failure to properly review and approve exceptions annually or failure to properly document the review.<br />Failure to perform or properly document annual review of Cyber Security Policy.<br />
  80. 80. CIP-003 Cyber Security – Security Management Controls<br />Recommendations<br />Document a procedure that ensures a CIP Sr. Manager is designated by Name, Title, and Date of Designation. Ensure procedure requires an update to the documentation upon any changes. <br />Implementation of Cyber Security Policy review of procedures and develop methods such as a compliance calendar to ensure the review occurs annually.<br />
  81. 81. CIP-003 Cyber Security – Security Management Controls<br />Recommendations (cont.)<br />Procedures should exist to manage so they are properly documented and reported. <br />Personnel should be trained on exception management procedures that ensure all responsible parties follow through with their obligations to identify, document and mitigate instances where exceptions to the Cyber Security Policy must be made.<br />
CIP-004 Cyber Security - Personnel and Training <br />
CIP-004 Cyber Security – Personnel & Training<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Access<br />Training<br />Documentation<br />Risk Assessment<br />
CIP-004 Cyber Security – Personnel & Training<br />CIP-004 Primary Non-Compliance Factors<br />Lack of required records demonstrating compliance.<br />Employees or contractors were granted access to Critical Cyber Assets without documented proof of clearance or escorted access.<br />
CIP-004 Cyber Security – Personnel & Training<br />CIP-004 Primary Non-Compliance Factors (cont.)<br />Unable to prove training was offered and/or completed in a timely manner by personnel.<br />Background checks for employees or contractors with access to Critical Cyber Assets were missing or incomplete.<br />
CIP-004 Cyber Security – Personnel & Training<br />Recommendations<br />Ensure and verify that all employees with access to Critical Cyber Assets, including contractors and service vendors, have the appropriate training prior to access. Train annually thereafter. <br />Entity procedures should have control points designed to prevent granting access to untrained individuals or individuals who have not passed the Personnel Risk Assessment, as well as methods to ensure annual re-training requirements are met.<br />
CIP-004 Cyber Security – Personnel & Training<br />Recommendations (cont.)<br />Entities need to ensure and verify that risk assessments on employees, contractors, and service vendors with access to Critical Cyber Assets are not only completed prior to access, but that the assessment focuses on relevant information.<br />Entities need to ensure and verify that the training provided to employees, contractors, and service vendors being granted access to Critical Cyber Assets focuses on the relevant information.<br />
CIP-004 Cyber Security – Personnel & Training<br />Recommendations (cont.)<br />Entities need to ensure that appropriate changes are made to access lists upon termination, or upon transfer of employees from or to areas that contain Critical Cyber Assets, and that access lists are frequently updated to include contractors and service vendors. <br />Procedures should exist to ensure all access lists are current and properly maintained within the timeframe required by the standard.<br />
CIP-007 System Security Management <br />
CIP-007 Cyber Security – System Security Management<br />Overall Non-Compliance Analysis Statement<br />Problem areas identified for non-compliance: <br />Procedures<br />Documentation<br />Testing<br />Logical Account Management<br />
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors<br />Failure to demonstrate that testing is conducted to ensure new Cyber Assets, and significant changes to existing Cyber Assets within an ESP, do not adversely affect ALL existing cyber security controls. <br />Documented procedures insufficient to prove that only the ports and services required for normal and emergency operations are enabled.<br />
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to document the assessment of security patches and upgrades within thirty calendar days of the availability of the patches or updates.<br />Failure to document and implement a process for the update of anti-virus and malware prevention tools (including “signatures”).<br />
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to properly document and control access to shared and system accounts.<br />Failure to enable logging on cyber assets located within the ESP, and/or lack of operational processes to manually monitor system events related to cyber security.<br />
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to destroy or erase data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.<br />Failure to document disposal/redeployment activities.<br />
CIP-007 Cyber Security – System Security Management<br />CIP-007 Primary Non-Compliance Factors (cont.)<br />Failure to perform a cyber vulnerability assessment of all Cyber Assets at least annually.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations<br />Require that testing documentation be retained to prove testing was performed in accordance with the test plans.<br />Testing should focus on the impact to cyber security controls rather than functionality. The standard does not require functionality testing, but it does require testing of ALL security controls.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />If tools are used for implementing changes, these tools also need to be tested to ensure they will not adversely affect the systems. <br />Work with all vendors of systems and applications on applicable cyber assets to identify and document which ports and services are required for normal and emergency operations. Consider running manual or automated ports and services scans as part of normally scheduled maintenance on cyber assets (as part of the test plan, for example).<br />
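A ports-and-services baseline check of the kind the recommendation above describes, written here as an added example rather than code from the presentation: it parses listening sockets in the shape of `ss -ltnup` output (the sample text is constructed), compares them with the ports and services the entity has documented as required for the asset (a hypothetical baseline), and reports every deviation for remediation or documented exception.

```python
"""Ports-and-services baseline check for one cyber asset inside an ESP (added example)."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto port process")

# Hypothetical documented baseline: ports and services required for normal
# and emergency operations on asset "hmi-01" (constructed for this example).
REQUIRED_BASELINE = {
    "hmi-01": {("tcp", 22, "sshd"), ("tcp", 502, "modbusd"), ("udp", 123, "ntpd")},
}

# Constructed sample in the shape of `ss -ltnup` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*   users:(("modbusd",pid=990,fd=5))
tcp   LISTEN 0      50     0.0.0.0:23         0.0.0.0:*   users:(("telnetd",pid=1203,fd=4))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*   users:(("ntpd",pid=640,fd=16))
"""

# protocol, state, recv-q, send-q, local addr:port, peer, first process name
LINE_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return the set of (proto, port, process) tuples found in ss-style output."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return found


def check_baseline(asset, observed, baseline=REQUIRED_BASELINE):
    """Compare observed listeners with the documented baseline for an asset.

    Returns (unauthorized, missing): sockets enabled without a documented
    justification, and documented services that are not currently listening.
    """
    required = {Listener(*t) for t in baseline[asset]}
    return sorted(observed - required), sorted(required - observed)


if __name__ == "__main__":
    unauthorized, missing = check_baseline("hmi-01", parse_listeners(SAMPLE_SS_OUTPUT))
    for l in unauthorized:
        print(f"DEVIATION {l.proto}/{l.port} ({l.process}) enabled but not in documented baseline")
    for l in missing:
        print(f"MISSING   {l.proto}/{l.port} ({l.process}) documented but not listening")
```

Running the scan output through the check on each maintenance cycle, and retaining the deviation report with the test plan, gives the evidence the standard asks for that only required ports and services are enabled.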
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Entities should consider leveraging a corporate level patch management program for tracking, evaluating, testing, and installing the applicable cyber security patches required for all Cyber Assets within the ESP. <br />Entities should understand the scope of their patch management programs and ensure that security patches for all applications, operating systems, databases and firmware are being actively tracked.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />For patches that cannot be tracked automatically, develop a tracking form listing the URL where patches and updates are posted, to help streamline the identification of new patches.<br />Develop procedures designed to identify and evaluate patches and updates.<br />
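A tracking form of the kind the two slides above describe, as an added example that is not part of the presentation: each record carries the vendor URL where patches are posted, and the check flags any patch whose assessment was not documented within thirty calendar days of availability. Asset names, URLs, patch identifiers and dates are all constructed.

```python
"""Patch-assessment deadline tracker for the thirty-calendar-day requirement (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_WINDOW = timedelta(days=30)  # thirty calendar days from patch availability


@dataclass
class PatchRecord:
    asset: str
    source_url: str            # where the vendor posts patches (tracking-form column)
    patch_id: str
    available: date            # date the vendor made the patch or update available
    assessed: Optional[date]   # date the documented assessment was completed, if any


def assessment_status(rec, today):
    """Classify one record: 'ok', 'late' (assessed after the window closed),
    'overdue' (not assessed and the window has closed) or 'pending'."""
    deadline = rec.available + ASSESSMENT_WINDOW
    if rec.assessed is not None:
        return "ok" if rec.assessed <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def find_noncompliant(records, today):
    """Return (patch_id, status, deadline) for every record that would appear
    as a finding: assessed late, or not assessed within the window."""
    findings = []
    for rec in records:
        status = assessment_status(rec, today)
        if status in ("late", "overdue"):
            findings.append((rec.patch_id, status, rec.available + ASSESSMENT_WINDOW))
    return findings


# Constructed tracking-form entries (hypothetical assets, vendor URLs and patch ids).
SAMPLE_RECORDS = [
    PatchRecord("hmi-01", "https://vendor.example/security", "HMI-2010-03", date(2010, 1, 5), date(2010, 1, 20)),
    PatchRecord("hmi-01", "https://vendor.example/security", "HMI-2010-04", date(2010, 2, 1), date(2010, 3, 10)),
    PatchRecord("rtu-07", "https://rtu-vendor.example/updates", "RTU-FW-2.3.1", date(2010, 1, 15), None),
    PatchRecord("rtu-07", "https://rtu-vendor.example/updates", "RTU-FW-2.3.2", date(2010, 3, 1), None),
]

if __name__ == "__main__":
    for patch_id, status, deadline in find_noncompliant(SAMPLE_RECORDS, date(2010, 3, 15)):
        print(f"{patch_id}: {status} (assessment was due by {deadline})")
```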
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Ensure testing of anti-virus and malware signatures is part of the process. Consider leveraging a corporate level anti-virus and malware update program if a dedicated one does not exist. Successful installation of signatures on corporate systems can be leveraged to satisfy the testing requirements of the standard.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Ensure technical and procedural controls exist to minimize the risk of unauthorized system access through shared and system accounts, and that these procedures are followed when specified events occur. <br />Employee training and accountability are critical to ensuring adherence to security practices.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Test cyber asset logging capabilities in a pre-production environment prior to moving to production, to ensure the assets are properly configured to send automated events to a centralized logging server and/or generate event logs for manual review. <br />Implement automated review systems to reduce manual log reviews.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Implement and document procedures that ensure all cyber assets within the ESP are properly configured to log to a centralized location, or are identified as systems requiring manual review. <br />File a TFE if logging capabilities do not exist. <br />Documented, repeatable methods help ensure consistency in your compliance program.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Implement documented procedures for disposal or redeployment of sensitive electronic media, including the records proving erasure or destruction occurred. <br />Tracking electronic media (acquisition, deployment, destruction) is necessary to prove compliance.<br />Refer to NIST Special Publication 800-88, Guidelines for Media Sanitization, for methods for destroying or erasing electronic media.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Consider leveraging corporate level vulnerability assessment programs where they exist, so long as they meet the requirements of CIP-007 R8.<br />Vulnerability assessments can be included in the test plans to help minimize the scope of the annual assessment. As systems are changed and tested, vulnerability assessments are performed to satisfy the annual assessment requirement.<br />
CIP-007 Cyber Security – System Security Management<br />Recommendations (cont.)<br />Ensure the documented vulnerability assessments explicitly cover the specific items required in the Standard.<br />Create comprehensive document review procedures to ensure review of all CIP-007 documentation is performed, and implement methods to ensure the review occurs annually.<br />
Summary<br />Need to have an overall approach to compliance.<br />There is no substitute for documented procedures.<br />Procedures must show implementation.<br />Notable rise in Violations of CIP-006 Physical Security in 2010, heading for the Top 10 List.<br />
QUESTIONS? <br />