For many energy companies, readying for compliance with the latest version of NERC Critical Infrastructure Protection (CIP) standards, whether they be v5, v6, v7 or beyond is not the first priority – delivering reliable energy to the BES is. So, how does a company deal not only with the impending changes of CIP v5, but do so in a manner that best positions them for compliance with future versions and secures their cyber environment? Join our live webcast on Thursday February 5 to hear from ICF, Tripwire, and AssurX industry experts who are helping organizations already grappling with the new and upcoming CIP requirements, implementing a risk based approach, the steps they are taking to get ahead of the curve, and addressing the uncertainty. Key Takeaways - Regarding Readiness for NERC CIPv5 (and beyond): •Best approaches for achieving compliance in a changing environment. (i.e. v5, v6, v7). •How to save time, resources, and achieve automation with practical guidance on compliance efforts for current and future CIP requirements. •Practical highlights and key controls from those already working on the most pressing issues.

1. Stop Chasing the Version:
Compliance with CIPv5 through CIPv99
Dealing with the ever-changing landscape of CIP compliance

2. Sid Shaffer (MBA, CISA)
Energy Sector Lead,
Commercial Cybersecurity &
Compliance
Jason Iler (ITIL, CISA)
Principal Services Architect
Trey Kirkpatrick
Vice President, Energy &
Utility Compliance Services

3. Thank You!
Cybersecurity &
Compliance Advisory
and Implementation
Services
NERC Compliance
Management
Software Solutions
Security and compliance
assessment, monitoring
automation and threat
intelligence technology for
IT/OT environments

4. Agenda and Key Takeaways
3
2
1

5. About ICF
• 70+ offices worldwide
• 5,000 employees, 1,500+ IT professionals
• 2014 revenue of $1.3 billion
• Assisting clients with NERC and CIP
compliance since 2006
• End-to-end technology, advisory,
implementation, and assessment services

6. Overview of Shifting Landscape

7. • CIP v5
• New terms, Changed terms, Organization, Groupings
• Cyber Asset Classification (High, Medium, Low)
Key Changes

8. • CIP v5
• New terms, Changed terms, Organization, Groupings
• Cyber Asset Classification (High, Medium, Low)
• CIP v6 / v7
• More new terms, clarifications
• Changes for Low Impact, Transient Devices, Removable Media
Key Changes

9. • CIP v5
• New terms, Changed terms, Organization, Groupings
• Cyber Asset Classification (High, Medium, Low)
• CIP v6 / v7
• More new terms, clarifications
• Changes for Low Impact, Transient Devices, Removable Media
• Beyond
• More uncertainty (Virtualization, NIST Cyber, ES-C2M2, DHS C³)
• Increased awareness = Increased Likelihood of Change
Key Changes

10. Commonly Seen Compliance Program

11. Compliance Program Goal

12. • Companies are re-aligning / upgrading existing programs with:
• Letter of the Law Approaches
• Increased use of RAI and Risk Based Approaches
• Holistic Approaches
What We Are Seeing

13. • Compliance
• Know relevant
regulations
• Understand
specifics
• Represents the base
• Cyber
• Beyond Scope of
specific compliance
• Cyber Risks to
reliable delivery of
energy
• Cyber Risks to the
organization
• Controls
• Identify
• Rationalize
• Ownership
• Map to Risk
• Resiliency
• Not all risk will be
addressed
• Organization
incident & event
response

14. • More compelling “Compliance Story”
• Greater Consistency Through Regulatory Changes
• Reduces Risk
• Increase Efficiency
• Closer Alignment with Regulatory Direction
– Potentially Decreases Regulatory Burden
Advantages of the Holistic Approach

15. • Both Based on Internal Control Approaches
– Preventative, Detective, Corrective
• Ties directly to “Internal Controls Evaluation” (ICE)
• Generates audit ready evidence
• Supports zero fine paths:
– Find Fix Track (FFT) / Compliance Exception / Self Logging
How Holistic Approach Supports RAI (and more)

16. • Prepare for Change
• Create a Cross Functional Team
• Determine a solid baseline
• “Knowing yourself is the beginning of all wisdom.” - Aristotle
• Analyze Risk
• Set your goals
• Implement Controls & Controls Based Program
• “Regurgitating the Requirement language does not constitute developing
a program, process, or procedure.” - WECC
Implementing the Strategy

17. Example – Critical Data
• COMPLIANCE
– CIP-011-1, HIPAA, DHS, Etc.
• CYBER
– Impact of sensitive information being exposed
• CONTROLS
– Data Classification & Credentials (P) , Access Alerting Mechanism (D),
Event Driven SLA (C)
• RESILIENCY
– Execution of what’s been stated in SLA

18. Example – CIP-004-5 R4.1 (Access Management)
• COMPLIANCE
– [A “need based” authorization process for Electronic Access, Physical
Access, and Critical Information]*
• CYBER
– Not just BES Cyber System components
• CONTROLS
– Onboarding / Offboarding process (P), Log review of unauthorized access
attempts (D), Access revocation & password change protocols (C)
• RESILIENCY
– What happens when unauthorized use is detected?
* Paraphrased

19. • Upgrading Program is an opportunity to:
• Implement Controls
• Automate
• Utilize tools
• to manage & report compliance
• to monitor & automate responses
Program Upgrade Considerations

21. • Establish CIP Policies & Procedures
– With Periodic Review & Approval
• Periodic/Scheduled Activities
– Collect Log files, Review Security Patches, Access Review, etc…
• Asset & Change Management
– BES Cyber Systems, Cyber Assets, Security Perimeters, Asset Groups
• Access Management
– Users, Access Roles
• Mitigation Plans
– EUEM Corrective Action Process
NERC CIP v5 and Beyond Standards

22. AssurX CIP Solution
User
Access
Role
Cyber Asset
Asset
Group
Has Access To
Security
Perimeter
System

23. AssurX CIP Change Request

24. AssurX CIP Baseline

25. AssurX CIP Access Change Request

26. Tripwire Has Been Providing NERC CIP Security and
Compliance since the first CIP Requirements in 2007

27. The Goal:
-Identify secure
configurations of all
High and Medium
Cyber Assets
(“80% benchmarks”)
Continuous security configuration
management
 Understands changes – controls “drift”,
continuously
 Monitors your attack surface
 Detects threats in real-time and enables fast
response
 Lower costs, greater efficiency

30. “The Responsible Entity shall establish, document and implement a process to
ensure that only those ports and services required for normal and emergency
operations are enabled.”
• Document every port and active service on every BCA, with justification,
confirm regularly, and be able to prove it
• Tripwire customized solution: “Whitelist Profiler” approach
– Capture port/services list once in .csv file, including asset tags and discrete names
– Tripwire agent downloads file and applies to its local system
– Use element content report to documents port/service state on every monitored host
– Use custom policy test to monitor continuously, display on dashboard and provide
alerts
Example of Tripwire Solution Extensions

31. • Used for CIP 007 (Ports & Services), CIP 007 (Patch Levels) and
CIP 003 (Access Privileges)
NERC Solution – Whitelist Profiling
Tripwire Enterprise Server
File Systems

32. • – collect current
status & changes on all critical cyber
assets
• – analyze
security data and alert on suspicious
events
• – generate
reports and dashboards that document
compliance
Tripwire NERC Solution Suite – Key Benefits
wide range of device
and software inventory, and can be asset tagged for
High/Medium/Low Impact Cyber Assets

33. • Remember - Not a “Silver Bullet” to solve compliance
• Start with and document what you have
• Leverage a recognized framework (COSO, NIST, ISO27k)
• Institutionalize a corrective action process
• Identify accountable parties / communication paths
• Prevent atrophy with regular evaluation of program
Tips for Holistic Cyber Program Implementation

34. • Don’t try to ELIMINATE risk
– Diminishing returns
– A company can spend a lot and never reach
a 100% level of risk assurance
– Objective is to lower risk
• Don’t add controls for the sake of adding controls
– More controls is not always better
– Tailor the controls to the risks and address the higher risk items
• Don’t identify controls without control owners & performers
identified
Pitfalls to Avoid

35. • What are our greatest areas of Risk?
• Does our company already have an internal controls program?
• Are our controls defined & documented anywhere?
• What basis / framework did we use for our controls?
• How often are our controls reviewed / tested?
• How much is enough? How much is too much?
• Do we consider resiliency?
Questions to ask

36. • Manage
– Holistic corporate controls framework covers multiple areas of
business risk (including NERC)
• Maintain
– Ongoing operation of internal controls will ensure that compliance is
maintained
• Improve
– Reviewing & Revising steps to ensure internal controls are effective
will continuously improve the compliance efforts
– Corrective actions taken as a result of ongoing monitoring of the
control environment will improve overall risk profile
Example of an End State

37. • FBI cybersecurity experts will brief us on the current attack landscape on
energy Critical Infrastructure, and what you can do about it.
• Sam Visner, ICF’s Senior Vice President and General Manager, Cybersecurity
is former Chief of Signals Intelligence Programs at the NSA and adjunct
professor at Georgetown University. Sam will discuss how “the sky is falling”
thinking can give way to reasoned, useful, and appropriate investments in
cybersecurity as a national imperative.
• You’ll receive in-depth practical “How Tos” to shorten your audit preparation,
save time and costs and build a “business as usual” culture for security
• Compliance Workshop (Limit 40 attendees), CE credit available
• URL: https://tripwirenercworkshop.eventbrite.com
Join Us in Houston March 25-26 for a Free 1.5 Day Workshop

38. Thank You!
Cybersecurity &
Compliance Advisory
and Implementation
Services
NERC Compliance
Management
Software Solutions
Security and
compliance
assessment, monitoring
and automation
technology for IT/OT
environments