Version 5 of the CIP cybersecurity standards was approved in 2012 and filed with FERC in 2013. It features a risk-based, results-focused approach and addresses directives from FERC Order 706. Version 5 improves upon previous versions by focusing on identifying, assessing, and correcting deficiencies. It also takes a systems approach to applicability and tailors security based on impact and connectivity. The effective date for Version 5 is July 1, 2015 or later, allowing entities a minimum of 24 months for implementation.
3. CIP Standards – Version 5
• CIP Version 5 ‐ Draft 4 – Final Version
Approved by industry on Nov 5, 2012
Approved by NERC Board of Trustees on Nov 26.
2012
Filed with FERC on February 1 2013 Filed with FERC on February 1, 2013
oFERC Docket RM13‐5
o10,483 page filing, p g g
3 RELIABILITY | ACCOUNTABILITY
4. CIP Standards – Version 5
• CIP‐002‐5: BES Cyber Asset and BES Cyber System
Categorization
i l• CIP‐003‐5: Security Management Controls
• CIP‐004‐5: Personnel and Training
• CIP‐005‐5: Electronic Security Perimeter(s)• CIP 005 5: Electronic Security Perimeter(s)
• CIP‐006‐5: Physical Security of BES Cyber Systems
• CIP‐007‐5: Systems Security Management
• CIP‐008‐5: Incident Reporting and Response Planning
• CIP‐009‐5: Recovery Plans for BES Cyber Assets and
S tSystems
• CIP‐010‐1: Configuration Management and Vulnerability
Assessments
4 RELIABILITY | ACCOUNTABILITY
Assessments
• CIP‐011‐1: Information Protection
5. CIP Standards – Version 5
• New / Modified Terms:
BES Cyber Asset
BES Cyber System
Electronic Access Point (EAP)
Electronic Security Perimeter BES Cyber System
BES Cyber System
Information
CIP Exceptional
y
(ESP)
External Routable Connectivity
Interactive Remote Access CIP Exceptional
Circumstance
CIP Senior Manager
C t l C t
Interactive Remote Access
Intermediate Device
Physical Access Control Systems
(PACS) Control Center
Cyber Assets
Cyber Security Incident
(PACS)
Physical Security Perimeter
(PSP)
Protected Cyber Asset (PCA)
Dial‐up Connectivity
Electronic Access Control
and Monitoring Systems
Protected Cyber Asset (PCA)
Reportable Cyber Security
Incident
5 RELIABILITY | ACCOUNTABILITY
g y
(EACMS)
6. CIP Standards – Version 5
• Retired Terms
Critical Assets
C iti l C b A t Critical Cyber Assets
6 RELIABILITY | ACCOUNTABILITY
7. CIP Standards – Version 5
• CIP‐002
Builds on “bright lines” in CIP‐002‐4g
“Version 4” Critical Asset control centers – High
Other “Version 4” Critical Assets – Medium
Some “Version 4” non‐critical asset control centers –
Medium
Transmission now looking at “capacity” rather than
number of lines at a voltage level
C t h ll t f ifi ll t i d L Catch‐all category for non‐specifically categorized – Low
o“Something everywhere” – within the BES
oProgrammatic requirement: CIP 003 5 Requirement R2
7 RELIABILITY | ACCOUNTABILITY
oProgrammatic requirement: CIP‐003‐5 Requirement R2
8. CIP Standards – Version 5
• High Impact
– Large Control Centers
– CIP‐003 through 009 “plus”CIP 003 through 009 plus
• Medium Impact
– Generation and Transmission
C l C– Control Centers
– Similar to CIP‐003 to 009 V4
• All other BES Cyber Systems
(Low Impact) must implement a
policy to address:
– Cybersecurity Awareness
– Physical Security Controls
– Electronic Access Controls
– Incident Response
8 RELIABILITY | ACCOUNTABILITY
Incident Response
• High Watermarking
9. CIP Standards – Version 5
Rationale,
Guidance &
Changes,
Main
Requirement
and Measure
Applicable Systems for
requirement part
Requirement part text Requirement part
Measure text
9 RELIABILITY | ACCOUNTABILITY
Requirement part Reference Requirement part change rationale
10. CIP Standards – Version 5
• Format
Following Results‐based Standards format
Background section before requirements
Requirement and Measurement next to each other
Rationale and guidance developed in parallel with
requirements – still being developed and augmented
T i f i h id / i l Two posting formats – one with guidance/rationale text
boxes inline; other with guidance and rational text
grouped at endg p
Still must audit only to the requirement
Guidelines and Technical Basis section at end
10 RELIABILITY | ACCOUNTABILITY
11. CIP Standards – Version 5
• Applicable Systems column in tables
What systems or entities the row in the table apply to
Listed in each standard
Specific phrases – consistent across all standards
A requirement part (row) may have multiple applicability A requirement part (row) may have multiple applicability
statements
Examples:
o High Impact BES Cyber Systems
o Medium Impact BES Cyber Systems
o Medium Impact BES Cyber Systems at Control Centers
o Medium Impact BES Cyber Systems with External Routable
Connectivity
o Protected Cyber Assets
11 RELIABILITY | ACCOUNTABILITY
y
o Electronic Access Control Systems
12. CIP Standards – Version 5
• Connectivity
No longer a blanket exemption
Now listed in applicability section – Routable Connectivity or
Dial‐up Connectivity
“Routable protocol” applicability now applies where large Routable protocol applicability now applies where large
volume, real‐time communications requirements are listed –
e.g., logging
• Low Impact
CIP‐003‐5 Requirement R2
“Programmatic” controls (i.e., have a program for …)
Requires physical and cyber security protections for
“locations” containing low
12 RELIABILITY | ACCOUNTABILITY
locations containing low
Does not require lists of every low impact BES Cyber System
13. CIP Standards – Version 5
• TFEs
Attempting to minimize required TFEs (e.g., anti‐malware on
switches)
Reduced from 14 requirements to 10
But still have TFEs (including new ones where existing V1 V4 But … still have TFEs (including new ones where existing V1 – V4
problems exist)
Have added “per Cyber Asset capability” language to allow strict
compliance with the language of the requirement, without
requiring a TFE (~5 requirements)
• Measures• Measures
Guidance to auditors as well as entities
“An example of evidence may include, but is not limited to, …”
13 RELIABILITY | ACCOUNTABILITY
An example of evidence may include, but is not limited to, …
No longer a “meaningless restatement of the requirement”
14. CIP-002-4
• Notes when reading NERC Standards:
Capitalization is very important.
Capitalized words refer to terms in the NERC Glossary of
Terms Used in Reliability Standards
(http://www.nerc.com/pa/Stand/Glossary%20of%20Terms(http://www.nerc.com/pa/Stand/Glossary%20of%20Terms
/Glossary_of_Terms.pdf)
Non‐capitalized terms do not refer to NERC glossary terms
i “R l i ” i h “ l i ”o i.e., “Real‐time” is not the same as “real‐time”
o “Facilities” is not the same as “facilities”
Terms with well known and authoritative definitions defer
to those authoritative sources (e.g., “FACTS”)
Not all terms used have either NERC Glossary definitions or
authoritative definitions (e g “control center”)
14 RELIABILITY | ACCOUNTABILITY
authoritative definitions (e.g., control center )
15. CIP Standards – Version 5
• Bulleted lists vs. numbered lists
Bulleted lists are separated by “or”p y
Bulleted lists imply that not all of the items in the list
are required
Numbered lists are separated by “and”
Numbered lists imply that all of the items in the lists
dare required
• Both bulleted and numbered lists are used in
both requirements and measures
15 RELIABILITY | ACCOUNTABILITY
16. Features of Version 5
• Closes out directives in FERC Order No. 706 (also, FERC
Order No. 761 imposes March 31, 2013, filing deadline)
• Results‐based standards
Focus on reliability and security‐related result
Non‐technology specificNon technology specific
Smarter use of Technical Feasibility Exception (TFE) process
“Plain language of the requirement”, i.e., “per device
bili ”capability”
• Risk‐informed systems approach
Adopt solutions and tailor security based on function andAdopt solutions and tailor security based on function and
risk
No longer a harsh “in or out” demarcation for applicability
Impact and connecti it informs applicabilit
16 RELIABILITY | ACCOUNTABILITY
Impact and connectivity informs applicability
17. Features of Version 5
• Systems approach illustration
Cyber Assets function together as a complex system
Identify the system and apply requirements to the whole
rather than the part
17 RELIABILITY | ACCOUNTABILITY
“High Watermarking” inside boundary
18. CIP V5 Approach to
Correcting Deficiencies
• Empowers industry
Shifts focus from whether deficiencies occur to correcting
d fi i ideficiencies
Continuous Improvement
o From: backward‐looking, individual violationso From: backward looking, individual violations
o To: forward‐looking, holistic focus
• Reliability and security emphasis that promotes the
identification and correction of deficiencies
• Consistent with NERC “Internal Controls” approach to
licompliance
• Version 5 triggering language: “… implement, in a manner
that identifies assesses and corrects deficiencies ”
18 RELIABILITY | ACCOUNTABILITY
that identifies, assesses, and corrects deficiencies, …
19. CIP V5 Approach to
Correcting Deficiencies (Continued)
• Corrected deficiency is a component of satisfying the
requirement
• Does not require “internal controls” or additional
process
d d h f d f• Standards approach of correcting deficiencies
complements the compliance concept of internal controls
• Reliability Standard Authorization Worksheets (RSAWs)• Reliability Standard Authorization Worksheets (RSAWs)
and Violation Severity Levels (VSLs) must support
approachapproach
Does not expand obligations
Clarifies that method of identifying, assessing, and correcting
19 RELIABILITY | ACCOUNTABILITY
deficiencies is not evaluated
20. Draft RSAW
• Deficiencies refer to possible non‐compliances with
the standard; not all deficiencies would become
issues of non‐compliance
• Entities are not required to self‐report deficiencies if
h id if i i d i hthey are identifying, assessing and correcting them
• CEA samples identified, assessed and corrected
d fi i ideficiencies
CEA considers impact of correction in determining the
sample sizesample size
20 RELIABILITY | ACCOUNTABILITY
21. When to Self-Report
• Plan does not exist
• Plan has not been implemented
• Did not assess or correct identified deficiencies
• Deficiencies that create high risk to the Bulk Electric g
System
21 RELIABILITY | ACCOUNTABILITY
22. Implementation Plan
• Proposed Effective Date (from CIP‐002‐5;
all standards use the same language):
1. 24 Months Minimum – CIP‐002‐5 shall become effective
on the later of July 1, 2015, or the first calendar day of
the ninth calendar quarter after the effective date of thethe ninth calendar quarter after the effective date of the
order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is j g y pp
required CIP‐002‐5 shall become effective on the first
day of the ninth calendar quarter following Board of
Trustees’ approval or as otherwise made effectiveTrustees approval, or as otherwise made effective
pursuant to the laws applicable to such ERO
governmental authorities.
22 RELIABILITY | ACCOUNTABILITY
23. Implementation Plan
• Implementation issues:
Specified initial performance of all periodic requirements in
implementation plan
24 months following regulatory approval for all
requirementsrequirements
Identity Verification does not need to be repeated
Discussion of unplanned re‐categorization to a higher p g g
impact level
Discussion of disaster recovery actions
Discussion of requirements applied to access control
systems (physical and electronic), and Protected Cyber
Assets
23 RELIABILITY | ACCOUNTABILITY
25. Applicability
• Applicability Example:
For Distribution Providers – only those registered DPs that
own specifically called out pieces of equipment, such as
UFLS systems, must comply with the standards
For those DPs only the specifically called out pieces ofFor those DPs, only the specifically called out pieces of
equipment must comply with the standards
• If a DP does not own any called out equipment, it y q p
does not need to comply with the standards
• If a DP owns a piece of called out equipment, only
that called out equipment must comply with the
standards
25 RELIABILITY | ACCOUNTABILITY
29. CIP Standards – Version 5
• CIP‐002‐5 through CIP‐009‐5, CIP‐010‐1, CIP‐011‐1
• “Results‐based Standard” format
Requirements and measures together
Guidance and rational in text boxes
• “Looks” bigger
~1” printout for Version 5 (includes VSLs) compared to
¼” i t t f V i 4~¼” printout for Version 4
Includes much more guidance and rationale for each
requirementequ e e t
29 RELIABILITY | ACCOUNTABILITY
30. Version 5 Requirement Counts
• CIP‐002
2 Requirements; 5 Parts; Attachment with bright lines for High and Medium
• CIP‐003
4 Requirements; 13 Partsq ;
• CIP‐004
5 Requirements; 18 Parts
• CIP‐005
2 Requirements; 8 Parts
• CIP‐006
3 Requirements; 13 Parts
• CIP‐007
5 Requirements; 20 Partsq ;
• CIP‐008
3 Requirements; 9 Parts
• CIP‐009
3 Requirements; 10 Parts 3 Requirements; 10 Parts
• CIP‐010
3 Requirements; 10 Parts
• CIP‐011
2 R i 4 P
30 RELIABILITY | ACCOUNTABILITY
2 Requirements; 4 Parts
• Total: 32 Requirements; 110 Parts
32. CIP Standards – Version 5
• Sub‐Requirements
Each Requirement / Sub‐Requirement is a compliance
touch‐point
Non‐compliance with a sub‐requirement stands on its own
Sub requirements have independent VSLs (unless rolled up) Sub‐requirements have independent VSLs (unless rolled‐up)
• Requirement Parts
Only the Requirement is a compliance touch point Only the Requirement is a compliance touch‐point
Cannot be independently in non‐compliance with a Part
VSLs written only at the Requirement level (making very S s tte o y at t e equ e e t e e ( a g e y
long and complicated VSL language)
Parts allow flexibility in development and implementation
f h i
32 RELIABILITY | ACCOUNTABILITY
of the requirement
33. CIP Standards – Version 5
• “Annual” – interaction with CAN – now “15 months”
• Monthly requirements – changed to 35 days
l h b ll d l f• Measures are examples with bulleted lists; format,
wording
• Compliance artifacts in requirements (e gCompliance artifacts in requirements (e.g.,
“documentation of …”)
• LSE (removed), replaced with DP
LSE functions changed since original standards development
timeframe
• 300 MW threshold on UFLS/UVLS• 300 MW threshold on UFLS/UVLS
No justification for a different value
• Notifications: IROL, “must run” (resolving as part of V4)
33 RELIABILITY | ACCOUNTABILITY
• IROL’s in WECC
34. CIP Standards – Version 5
• Definition / threshold of Control Center
Includes “data centers”
C ti it ( t bl di l )• Connectivity (routable, dial‐up)
• Low Impact (policy only)
List not requiredq
• Date tracking (PRA, training, access, etc)
• Access revocation (reassignments, timing, immediate)
d l b l h• Removed 99.9% availability phrasing
Difficult to track and audit
Replaced with “IAC” languagep g g
• Interactive Remote Access
Clarify encryption and multi‐factor authentication points
R l f i t / f ti
34 RELIABILITY | ACCOUNTABILITY
Remove examples from requirements / purpose of encryption
35. CIP Standards – Version 5
• Ports & Services –
Physical ports ‐ FERC Directive
N di ti l if i t ll t h ithi 35 d• No remediation plan if install patches within 35 days
Allow updates to existing plans rather than new plans all the
time
• Periodic review of patch sources – not individual patches
• Anti‐malware – clarify system level
• “Per device capability” clauses added
• Password changing / pseudorandom passwords
(RuggedCom vulnerability impacts)(RuggedCom vulnerability impacts)
• Evidence Retention (compliance vs. security monitoring)
35 RELIABILITY | ACCOUNTABILITY
36. CIP Standards – Version 5
• Take back reporting requirement from
EOP‐004 into CIP‐008
• Guidance on “active” vs. “passive” vulnerability
assessment
• V4 bypass language still in implementation plan• V4 bypass language still in implementation plan
36 RELIABILITY | ACCOUNTABILITY
37. Version 5 NOPR
• Issued April 18, 2013
Posted at http://www.ferc.gov/whats‐new/comm‐
meet/2013/041813/E‐7.pdf
75 pages
Comments due June 24 2013 (60 days after publication in Comments due June 24, 2013 (60 days after publication in
Federal Register)
Contains 48 specific requests for comment (may be overlap)p q ( y p)
Proposes 11 directives for change
Proposes 16 areas where FERC “may” direct changes
37 RELIABILITY | ACCOUNTABILITY
38. Version 5 NOPR
• Major Themes:
“Identify, Assess and Correct” language
Impact Categorization
o No reference to studies supporting bright‐line thresholds
o No consideration of coordinated attack on multiple low impacto No consideration of coordinated attack on multiple low impact
systems
o Only based on BES impact (i.e., no assessment of “confidentiality,
integrity or availability”)integrity or availability )
Low Impact BES cyber Systems
o Specificity of requirements
o Lack of inventory
38 RELIABILITY | ACCOUNTABILITY
39. Version 5 NOPR
Definitions:
o 15 minute impact in BES Cyber Asset
Generation Control Centers (vs control rooms)o Generation Control Centers (vs. control rooms)
o Removal of “communication networks” from Cyber Asset
o Use of “reliability tasks” phrase
o “Intermediate System” vs. “intermediate device”
39 RELIABILITY | ACCOUNTABILITY
40. Version 5 NOPR
Implementation Plan
o Proposes to accept the “Version 4 bypass” language
Are 24 /36 months necessary?o Are 24 /36 months necessary?
Violation Risk Factors
o Inconsistent with prior versions
Violation Severity Levels
o Inconsistent with Commission guidelines
M d t b difi d b d t f “IAC” di io May need to be modified based on outcome of “IAC” discussion
40 RELIABILITY | ACCOUNTABILITY
41. Version 5 NOPR
• New Topics (post Order No. 706)
Communications Security
o Including encryption, protections for serial communications
Remote Access (more than proposed Version 5 language?)
o May already be covered by Version 5 languageo May already be covered by Version 5 language
NIST topics
o Maintenance devices
o Separation of duties
o Threat / risk based categorization
o May include other areaso May include other areas
May be others
41 RELIABILITY | ACCOUNTABILITY
42. Version 5 NOPR
• NERC Response:
60 page response (largest response)
Supports standards as filed:
o IAC:
- Discusses meaning of IAC languageDiscusses meaning of IAC language
- Reliability Benefit of IAC Language
- Compliance obligations of IAC language
- Consistency with NIST FrameworkConsistency with NIST Framework
oBES Cyber Asset Categorization and Protection
- Supports Facility rating approach
P i f l i BES C b A- Protections of low impact BES Cyber Assets
- Supports not requiring inventory of low impact BES Cyber Assets
42 RELIABILITY | ACCOUNTABILITY
43. Version 5 NOPR
• NERC Response (continued):
o Definitions: BES Cyber Asset
15 i- 15‐minute parameter
- 30‐day exclusion
o Definitions: Control Center
- Geographically disperse generating plants
o Definitions: Cyber Assets
- Removal of “communications networks”
o Definitions: Reliability Tasks
- Well‐understood term
o Definitions: Intermediate Deviceso Definitions: Intermediate Devices
- Filing oversight
43 RELIABILITY | ACCOUNTABILITY
44. Version 5 NOPR
• NERC Response (continued):
o Implementation Plan:
24 d 36 h i f i d- 24‐ and 36‐month timeframes appropriate and necessary
- Transition guidance and pilot program
o VRF & VSL
- Severity of violation as expressed in duration of violation
- Not two separate violations
o Other Technical Concerns
- Technical conferences to discuss issues
- Use Reliability Standards Development Process
o Remote Accesso Remote Access
- Concerns addressed in CIP‐004
44 RELIABILITY | ACCOUNTABILITY
45. Version 5 NOPR
• NOPR Comments:
65 files submitted from 62 parties
782 pages
Generally supportive of NERC positions
I i h IAC lo Issues with IAC language
o Issues with RFA analysis and estimates (cost & time)
• Next Steps:Next Steps:
FERC must read, summarize and react to all comments while
writing final rule
45 RELIABILITY | ACCOUNTABILITY
46. References
• Standard project 2008‐06 page:
http://www.nerc.com/filez/standards/Project_2008‐
06_Cyber_Security.html
• Version 4 page:
// / / / http://www.nerc.com/filez/standards/Project_2008‐
06_Cyber_Security_PhaseII_Standards.html
• Version 4 Guidance Document• Version 4 Guidance Document
http://www.nerc.com/docs/standards/sar/Project_2008‐
06_CIP‐002‐4_Guidance_clean_20101220.pdf
• Version 5 page:
http://www.nerc.com/filez/standards/Project_2008‐
46 RELIABILITY | ACCOUNTABILITY
06_Cyber_Security_Version_5_CIP_Standards_.html