Joseph B. Baugh, Ph.D., PMP,
CISA, CISSP, CRISC, CISM
Senior Compliance Auditor – Cyber Security
WECC: Vancouver WA Office
CIP-002-5 Outreach Session
CIP v5 Roadshow
Salt Lake City
May 14-15, 2014
Speaker Intro: Dr. Joseph Baugh
• Over 40 years of Electrical Utility Experience
o
o
o
o
o
o
Transmission Lineman
NERC Certified System Operator
IT Manager & Power Operations Manager
20 years Information Technology & IT Security Experience
Project Manager & IT Program Manager
PMP, CISA, CISSP, CRISC, CISM, NSA-IAM/IEM certs
• 20 years of Educational Experience
o Degrees earned: Ph.D., MBA, BS-Computer Science
o Academic & Technical Course Teaching Experience




2
Information Technology and IT Security
Business Strategy, Leadership, and Management
Project Management
PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
WECC Disclaimer
• The contents of this presentation represent sound practices based
on WECC’s understanding of CIP-002-5.1, however:
o WECC neither provides prescriptive solutions nor endorses
specific vendors, tools, or products for compliance with CIP
Standards.
o The processes and applications discussed in this presentation
represent one approach toward compliance efforts for CIP-0025.1, but this is not the only possible method.
o WECC will not provide the actual spreadsheets used to
explicate the processes described in this presentation to
entities or other interested parties.
o Blind adherence to any process does not guarantee
compliance.
o Each Registered Entity is responsible for demonstrating its
compliance with CIP-002-5.1 in a manner befitting the entity’s
registered functions and operational requirements relative to
the reliability of the BES.
3
Agenda
•
•
•
•
•
Definition of Terms
Mapping CIP-002-x Compliance Evolution
Review CIP-002-5.1
CIP-002-5.1 Process Overview
Breaking Down the Process Steps
o Demonstrating Compliance through Auditable
Processes
• Questions
4
Definition of Terms - BES
• Current Bulk Electric System [BES] Definition –
o Expires June 30, 2014
o As defined by the Regional Reliability
Organization, the electrical generation resources,
transmission lines, interconnections with
neighboring systems, and associated equipment,
generally operated at voltages of 100 kV or
higher. Radial transmission facilities serving only
load with one transmission source are generally
not included in this definition (NERC, 2013 Nov,
Glossary of Terms, p. 12).
5
Definition of Terms - BES
• New Bulk Electric System [BES] Definition
o Effective July 1, 2014
o Unless modified by the lists shown below
[Emphasis Added], all Transmission Elements
operated at 100 kV or higher and Real Power and
Reactive Power resources connected at 100 kV or
higher. This does not include facilities used in the
local distribution of electric energy (NERC, 2013
Nov, Glossary of Terms, pp. 13-20).
o New definition maps to an extensive list of Inclusions
and Exclusions (NERC, 2014 April, BES Definition
Reference Document, pp. 1-66).
6
Definition of Terms - IRC
• Impact Rating Criteria (CIP-002-5.1 – Attachment 1, pp.
14-16)
o 1. High Impact Rating (H)
Each BES Cyber System used by and located at
any of the following: (See IRC 1.1 – 1.4)
o 2. Medium Impact Rating (M)
Each BES Cyber System, not included in Section 1
above, associated with any of the following: (See
IRC 2.1 – 2.13)
o 3. Low Impact Rating (L)
BES Cyber Systems not included in Sections 1 or 2
above that are associated with any of the following
assets and that meet the applicability qualifications
in Section 4 ‐ Applicability, part 4.2 – Facilities, of
this standard: (See IRC 3.1 – 3.6)
7
Definition of Terms - BCA
• BES Cyber Asset (BCA) – Effective April 1, 2016
o A Cyber Asset that if rendered unavailable, degraded, or misused
would, within 15 minutes of its required operation, misoperation, or
non-operation, adversely impact one or more Facilities, systems, or
equipment, which, if destroyed, degraded, or otherwise rendered
unavailable when needed, would affect the reliable operation of the
Bulk Electric System.
o Redundancy of affected Facilities, systems, and equipment shall not
be considered when determining adverse impact.
o Each BES Cyber Asset is included in one or more BES Cyber
Systems.
o (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive
calendar days or less, it is directly connected to a network within an
ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is
used for data transfer, vulnerability assessment, maintenance, or
troubleshooting purposes.) (NERC, 2013 Nov, Glossary of Terms, p.
9).
8
Definition of Terms - BCS
• BES Cyber System (BCS) – Effective April 1,
2016
o One or more BES Cyber Assets logically
grouped by a responsible entity to perform one
or more reliability tasks for a functional entity
(NERC, 2013 Nov, Glossary of Terms, p. 10).
9
Definition of Terms - Reliability Tasks
• Reliability Tasks
o Identified in the NERC Functional Model as listed
under the various Functions, “the Model provides the
framework on which the NERC Reliability Standards
are developed and applied. To ensure that this
framework remains viable, the Model itself is
governed by a set of “guiding principles” that define a
Function's Tasks and establish the relationships
between the functional entities which are responsible
for meeting the requirements in the NERC Reliability
Standards that correspond to these Tasks” (NERC,
2009 Nov, Functional Model v5, p. 11).
10
Definition of Terms - Reliability Tasks
• Reliability Tasks
o FERC also commented on reliability tasks in the
CIPv5 Final Ruling, “we believe that the NERC
Functional Model is the basis for the phrase
“reliability task” while the Guidelines and
Technical Basis section provides clarity on how
the term applies to the CIP version 5 Standards”
(FERC, 2013, Order 791: P. 156, p. 72774)
11
Definition of Terms - Reliability Tasks
• Reliability Tasks
o In order to identify BES Cyber Systems,
Responsible Entities determine whether the BES
Cyber Systems perform or support any BES
reliability function according to those reliability
tasks identified for their reliability function and
the corresponding functional entity’s
responsibilities as defined in its relationships
with other functional entities in the NERC
Functional Model (NERC, 2013 Nov, CIP-0025.1, p. 5).
12
Definition of Terms - BROS
• BES Reliability Operating Services (BROS)
o The concept of BES reliability operating service
is useful in providing Responsible Entities with
the option of a defined process for scoping those
Systems that would be subject to CIP‐002‐5.1
(NERC, 2013 Nov, CIP-002-5.1, pp. 17-18).
o WECC recommends a good review of BROS
details (NERC, 2013 Nov, CIP-002-5.1, pp. 1822) relative to your specific Registered
Functions prior to application of the IRC and
subsequent BCS identification.
13
Definition of Terms - BROS
• The BROS “includes a number of named BES
reliability operating services. These named services
include” (NERC, 2013 Nov, CIP-002-5.1, p. 18):
o
o
o
o
o
o
o
o
o
14
Dynamic Response to BES conditions
Balancing Load and Generation
Controlling Frequency (Real Power)
Controlling Voltage (Reactive Power)
Managing Constraints
Monitoring & Control
Restoration of BES
Situational Awareness
Inter‐Entity Real‐Time Coordination and Communication
Definition of Terms - BROS
• The BROS may provide guidance to determine which BCS
are applicable to a specific Registered Function (NERC,
2013 Nov, CIP-002-5.1, p. 18).
15
CIP-002-x Compliance Evolution
Mapping the Compliance Flow from CIP-002-3 to CIP-002-5
CIP-002-3
CIP-002-4a 1
CIP-002-5.1 2
Critical Cyber Asset Identification
Critical Cyber Asset Identification
BES Cyber System Categorization
R1: Instead of identifying Critical Assets as in previous versions, the Responsible
Entity must Identify Facilities, systems, or equipment (see R1.i-R1.vi, p. 6 for
assets that must be considered) that meet the Impact Rating Criteria [IRC] (CIP002-5.1 Attachment 1, pp. 14-16) as high impact BCS (R1.1), medium impact BCS
(R1.2), or low impact (R1.3) assets.
R1. Apply the Bright-Line Criteria (CIP-002-4a
R1: Identify and document a Risk-Based Assessment
Attachment 1, pp. 6-7) to entity's inventory of BES
Methodology [RBAM] to use to develop a list of
Assets to identify and document a list of Critical
Critical Assets.
Assets.
Using the lists of Facilities, systems, or equipment identified through the
application of the IRC, the Responsible Entity must identify and categorize its
BES Cyber Systems as high impact or medium impact. BES Cyber Systems not
identified as high impact or medium impact default to lLow impact.
New standard identifies BES Cyber Systems as a grouping of BES Cyber Assets
because it allows entities to apply some requirements at a system level rather
than an individual asset level.
R4: The CIP Senior Manager or delegate shall
approve annualy the RBAM, list of Critical Assets,
and list of Critical Cyber Assets. Keep signed and
dated records of these approvals, even if such lists
are null.
1
2
R3: The CIP Senior Manager or delegate shall
approve annually the RBAM, list of Critical Assets,
and list of Critical Cyber Assets. Keep signed and
dated records of these approvals, even if such lists
are null.
CIP-00x-4 Standards were retired under FERC Order approving CIP v5 standards (2013 November 22)
CIP-002-5.1 approved by FERC order (became effective 2014 February 3, enforceable on 2016 April 1)
16
R2: Annual review (R2.1) and approval (R2.2) of the High and Medium BES Cyber
System Lists (R1.1, R1.2) and the list of Low Impact BES Assets (R1.3).
The first reviews and approval must occur on or before April 1, 2016 and must
occur at least once every 15 calendar months thereafter.
The CIP-002-5.1 Compliance Model
CIP-002-5.1
BES Cyber System Categorization
R1: Instead of identifying Critical Assets as in previous versions, the Responsible Entity must Identify
Facilities, systems, or equipment (see R1.i-R1.vi, p. 6 for assets that must be considered) that meet the
Impact Rating Criteria [IRC] (CIP-002-5.1 Attachment 1, pp. 14-16) as high impact BCS (R1.1), medium
impact BCS (R1.2), or low impact (R1.3) assets.
Using the lists of Facilities, systems, or equipment identified through the application of the IRC, the
Responsible Entity must identify and categorize its BES Cyber Systems as high impact or medium
impact. BES Cyber Systems not identified as high impact or medium impact default to Low impact.
New standard identifies BES Cyber Systems as a grouping of BES Cyber Assets because it allows
entities to apply some requirements at a system level rather than an individual asset level.
R2: Annual review (R2.1) and approval (R2.2) of the High and Medium BES Cyber System Lists (R1.1,
R1.2) and the list of Low Impact BES Assets (R1.3).
The initial reviews and approval pursuant to R2 must occur on or before April 1, 2016 and must occur
at least once every 15 calendar months after the initial review and approval.
17
CIP-002-5.1 Compliance Date
• Specific Version 5 CIP Cyber Security Standards have
periodic requirements that contain time parameters for
subsequent and recurring iterations of the
requirement, such as, but not limited to, “. . . at least
once every 15 calendar months . . .”, and responsible
entities shall comply initially with those periodic
requirements as follows (Implementation Plan, p. 2):
1. On or before the Effective Date of the Version 5
CIP Cyber Security Standards for the following
requirements:
• CIP-002-5, Requirement R2
• April 1, 2016
18
CIP-002-5.1: R1
• R1. Each Responsible Entity shall implement a
process that considers each of the following
assets for purposes of parts 1.1 through 1.3:
i.
ii.
iii.
iv.
Control Centers and backup Control Centers;
Transmission stations and substations;
Generation resources;
Systems and facilities critical to system restoration,
including Blackstart Resources and Cranking Paths and
initial switching requirements;
v. Special Protection Systems that support the reliable
operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in
Applicability section 4.2.1 above.
19
R1: …shall implement a process…
Outputs
20
R1.1,
R1.2,
R1.3
Lists
Outputs
Inputs
R1
Process
• Process: “a series of
actions or operations
conducing to an end.”
• Two schools of thought
on the R1 process flow
• Top-down process first
evaluates the inventory
of BES Assets against
the IRC
• Bottom-up process
evaluates the inventory
of BES Cyber Assets
against the IRC
R1.1,
R1.2,
R1.3
Lists
R1
Process
Inputs
Inventory
of
BES
Assets
Inventory
of
Cyber
Assets
Top-Down Process Flow Chart Groups
Begin CIP-002-5 Process
with Inventory of BES
Assets
R1.i - R1.vi: Apply IRC to Inventory
of BES Assets to Identify & List
High- Medium-, & Low-Impact
Rated Facilities
Use the inventory of BES Cyber
Assets at the High (R1.1) or
Medium (R1.2) Facility to identify
and list BES Cyber Systems
(BCS) at each such facility
Validate List of BES Cyber Assets
to account for all BCS, PCA, EACM
& PACS within/around each
tentative ESP at the Facility
Yes
Are there
More High or
Medium
Facilities?
No
R2.1: Compile (or Update) &
Review Three Lists:
R1.1: High Impact BCS,
R1.2: Medium Impact BCS, &
R1.3: Low Impact Facilities
R2.2: CIP Senior Manager or
Delegate Reviews and Approves
Lists
Apply CIP-003-5 through
CIP-011-1 protections to
the three lists, as
applicable
Beginning the Process
• Start with inventory of
BES Assets
• Which BES Definition?
• Apply the IRC to
identify High- &
Medium-Impact
Facilities
• All other BES Assets
and applicable
Distribution Assets
(IRC 3.6) default to
Low-Impact
22
Begin CIP-002-5 Process with
Inventory of BES Assets
R1.i - R1.vi: Apply IRC to Inventory of BES
Assets to Identify & List High- Medium-, &
Low-Impact Rated Facilities
Deriving the R1.1-R1.3 Lists
• Start with your BES Assets as defined in R1.iR1.v, plus Distribution Assets, if any, from R1.vi
o Apply a logical process to identify your High,
Medium, and Low impact rated Facilities
o Applicable Distribution Protection Systems default to
Low impact (IRC 3.6), add their host facilities to Low
Impact List (R1.3)
• Whichever methodology you ultimately use is up
to each entity, however, be sure to document
and review your considerations to ensure you
have not let any BCA or BCS slip through the
cracks.
23
High IRC (Control Centers)
24
Medium IRC (Control Centers)
25
What is Net Real Power Capability?
• Criterion 2.11 contains the term “aggregate highest rated
net Real Power capability of the preceding 12 calendar
months.”
• Also applicable to criterion 2.1 for generation resources.
• A best practice would be to use the calculation material
found in the new MOD-025-2 standard (see NERC, 2014
March 20, MOD-025-2: Attachment 2, pp. 17-20), including
this specific formula:
o “Net Real Power Capability (*MW) equals Gross Real Power
Capability (*MW) minus Aux Real Power connected at the same
bus (*MW) minus tertiary Real Power connected at the same
bus(*MW)” (p. 19).
• The highest calculated value(s) for the preceding 12
calendar month period is/are acceptable as valid audit
evidence for Criteria 2.1 and 2.11.
26
Low IRC (Control Centers)
27
R1.i: Example of Auditable Process
28
Medium IRC (Transmission)
29
Medium IRC (Transmission)
30
Medium IRC (Transmission)
31
Medium / Low IRC (Transmission)
32
R1.ii: Example of Auditable Process
33
Medium IRC (Generation)
34
Medium / Low IRC (Generation)
35
R1.iii-iv: Example of Auditable Process
36
Medium IRC (Protection Systems)
37
Low IRC (Protection Systems)
38
R1.v-vi: Example of Auditable Process
39
CIP-002-5.1: R1.1-R1.3
• R1. Each Responsible Entity shall implement a
process that considers each of the following
assets for purposes of parts 1.1 through 1.3: …
1.1. Identify each of the high impact BES Cyber
Systems according to Attachment 1, Section 1, if
any, at each asset;
1.2. Identify each of the medium impact BES Cyber
Systems according to Attachment 1, Section 2, if
any, at each asset; and
1.3. Identify each asset that contains a low
impact BES Cyber System according to
Attachment 1, Section 3, if any (a discrete list of
low impact BES Cyber Systems is not required).
40
R1: Identify and Document BCS
List of
High &
Medium
Assets
List of
Low Impact
Assets
Inputs
Input
Identify
BCS
Outputs
R1.1,
R1.2,
Lists
41
R1.3
List
• Use list of High- &
Medium-impact BES
Assets
• Identify BCA associated
with each BES Asset
• Logically group BCA into
BCS
• Document BCS on R1.1
or R1.2 list, as
appropriate
R1.1-R1.2: Identifying BCS
• Develop an auditable
process to examine
each High and Medium
impact Facility
o Examine inventory of
BCA at each Facility
o Consider reliability
functions
o Group BCA into logical
BCS
o Identify PCA, EACMS,
and PACS
42
Process to Identify BCS
Use the inventory of BES Cyber Assets at
the High (R1.1) or Medium (R1.2) Facility to
identify and list BES Cyber Systems (BCS)
at each such facility
Validate List of BES Cyber Assets to account
for all BCS, PCA, EACM & PACS within/
around each tentative ESP at the Facility
CIP-002-5 requires the identification
of High & Medium impact BCS, but it
may be a good idea to consider &
identify the different types of BCS
(CIP-005-5, pp. 4-5) and associated
Cyber Assets (CIP-002-5, p. 6) at this
point to facilitate later determinations in
the Applicability Matrices of other CIP
standards:
•
•
•
•
•
Yes
Are there
More High or
Medium
Facilities?
No
43
•
•
•
•
•
High Impact BCS
High Impact BCS w/ Dial-up
Connectivity
High Impact BCS w/ External
Routable Connectivity
Medium Impact BCS
Medium Impact BCS at Control
Centers
Medium Impact BCS w/ Dial-up
Connectivity
Medium Impact BCS with
External Routable Connectivity
PCA
EACM
PACS
Consider Reliable Operation of the BES
• Determine whether the BES Cyber Systems
perform or support any BES reliability function
according to those reliability tasks identified for
their reliability function and the corresponding
functional entity’s responsibilities as defined in
its relationships with other functional entities in
the NERC Functional Model (CIP-002-5.1, p. 5).
• Ensures the initial scope for consideration
includes only those BES Cyber Systems and
their associated BES Cyber Assets that perform
or support the reliable operation of the BES.
(CIP-002-5.1, p. 5).
44
Consider Real-Time Operations
• BES Cyber Assets are those Cyber Assets that,
if rendered unavailable, degraded, or misused,
would adversely impact the reliable operation of
the BES within 15 minutes (CIP-002-5.1, p. 5).
• Do not consider redundancy in the application of
the 15-minute time threshold (CIP-002-5.1, p. 5).
• 15-minute limitation will typically "result in the
identification of SCADA, Energy Management
Systems, transmission protection systems, and
generation control systems as BES Cyber
Assets” (FERC, 2013, Order 791: P. 123, p.
72771).
45
Consider Ancillary BES Cyber Assets
• Protected Cyber Assets
o Examples may include, to the extent they are within the ESP:
file servers, ftp servers, time servers, LAN switches, networked
printers, digital fault recorders, and emission monitoring
systems (CIP-002-5.1, p. 6)
o May also be lower impact BCA or BCS by virtue of the highwater mark (CIP-005-5, p. 14)
• Electronic Access Control or Monitoring Systems
o Examples include: Electronic Access Points, Intermediate
Systems, authentication servers (e.g., RADIUS servers, Active
Directory servers, Certificate Authorities), security event
monitoring systems, and intrusion detection systems (CIP-0025.1, p. 6)
• Physical Access Control Systems
o Examples include: authentication servers, card systems, and
badge control systems (CIP-002-5.1, p. 6).
46
Identifying BES Cyber Assets
• Identify if the
Cyber Asset
meets the
definition of BCA
• Check for length
of installation
o If < 30 days,
determine if the
Cyber Asset is a
transient device.
• Group into logical
BCS with
associated PCA
47
Grouping BCA into BCS
• Entity determines level of granularity of a BCS
o There may be one or more BCA within a given BCS
o Consider the BROS for your registrations
• In transitioning from version 4 [and version 3] to
version 5, a BES Cyber System can be viewed simply
as a grouping of Critical Cyber Assets (as that term is
used in version 4 [and version 3]). The CIP Cyber
Security Standards use the “BES Cyber System” term
primarily to provide a higher level for referencing the
object of a requirement… Another reason for using the
term “BES Cyber System is to provide a convenient
level at which an entity can organize their documented
implementation of the requirements and compliance
efforts (CIP-002-5.1, 2013, p. 4)
48
Graphic Source: http://www.sas.com/news/preleases/energy-visual-analytics.html
Examples of BCS
49
Examples of BCA Groupings: BA/TOP
•
•
•
•
•
•
50
Energy Management Systems (EMS)
Automatic Generation Control (AGC)
SCADA systems
Network Management Systems (NMS)
PI systems (Historians)
ICCP systems (Communications)
Graphic Source: http://www.energy.siemens.com/us/pool/hq/automation/controlcenter/control_center_details.jpg
Examples of BCA Groupings:
BA/TOP
51
Examples of BCA Groupings: TO/TOP
• SCADA Component Systems
• RTU Systems (Telecommunications)
• Protective Relay Systems
52
Graphic Source: Pacific Northwest National Laboratory (Dagle, J., 2010 Jan)
Retrieved from http://publicintelligence.net/scada-a-deeper-look/
Examples of BCA Groupings: TO/TOP
53
Pilot Study Lesson-Learned: TO/TOP
54
Pilot Study Lesson-Learned: TO/TOP
• Programmable Electronic Devices [PEDs]
o aka Intelligent Electronic Devices [IEDs]
• Found as data aggregators for CTs/PTs
• May be located in breaker cabinets
• Evaluate to determine if the PED/IED meets
BCA criteria
• If so, consider inclusion in Protective Relay
BCS
55
Examples of BCA Groupings: GO/GOP
•
•
•
•
•
•
•
•
56
Digital Control System (DCS)
Control Air System (CAS)
Water Demineralization System
Coal Handling System
Gas Control System
Environmental Monitoring System
RTU (Communications)
Generator Protection Systems (Relays)
Graphic Source: https://www.fujielectric.com/company/tech/pdf/r51-3/06.pdf
Examples of BCA Groupings: GO/GOP
57
Pilot Study Lesson-Learned: GO/GOP
•
•
•
•
58
How is the 1,500 MW threshold defined?
What about segregated systems?
What is a segregated system?
What is a common-mode vulnerability?
Consider BCS Types
•
•
•
•
•
•
•
High Impact BCS,
High Impact BCS w/ Dial-up Connectivity,
High Impact BCS w/ External Routable Connectivity,
Medium Impact BCS,
Medium Impact BCS at Control Centers,
Medium Impact BCS w/ Dial-up Connectivity,
Medium Impact BCS w/ External Routable
Connectivity,
• Protected Cyber Assets [PCA], and
• Electronic Access Points [EAP] (CIP-005-5, pp. 4-5)
59
R1.1: Example of Auditable Process
60
R1.1: Example of Auditable Process
61
R1.3: Example of Auditable Process
• Any BES Asset (i.e. Facility) not rated as High
or Medium defaults to a Low Impact rating
• BCS associated with a Low impact BES Asset
also become Low impact BCS.
• At this time, all you need to do is list the Low
Impact BES Assets to satisfy R1.3.
• Comply with CIP-003-5 R2
62
R2: Review and Approve the Lists
• R2. The Responsible Entity shall
2.1 Review the identifications in Requirement
R1 and its parts (and update them if there
are changes identified) at least once every
15 calendar months, even if it has no
identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate
approve the identifications required by
Requirement R1 at least once every 15
calendar months, even if it has no identified
items in Requirement R1.
63
R1.3 Lists: What to Do? CIP-003-5 R2
64
Stay tuned for future developments
Review and Approve Lists
Yes
Are there
More High or
Medium
Facilities?
No
R2.1: Compile (or Update) &
Review Three Lists:
R1.1: High Impact BCS,
R1.2: Medium Impact BCS, &
R1.3: Low Impact Facilities
R2.2: CIP Senior Manager or
Delegate Reviews and Approves
Lists
65
Apply CIP-003-5 through
CIP-011-1 protections to
the three lists, as
applicable
R2: Observe 15 calendar
month time limits
R2: Example of Auditable Process
R1.1,
R1.2,
R1.3
Lists
Inputs
R2
Process
Outputs
Review &
Approval
Documents
66
• Review and document initial R1.1 - R1.3
lists (R2.1)
o Document CIP Senior Manager approval of
the R1.1-R1.3 lists (R2.2)
o Ensure review & approval cycle does not
exceed the 15-month limitation (R2.2)
• Review (and update) lists, as necessary,
and approve subsequent R1.1-R1.3 lists
(R2.1-R2.2)
o Maintain documentation of reviews and
approvals for audit period to demonstrate
compliance to audit team
References
• FERC. (2013 December 3). Order No. 791: Version 5
Critical Infrastructure Protection Reliability Standards. 18
CFR Part 40: 145 FERC ¶ 61,160: Docket No. RM13-5000. Published in Federal Register: Vol. 78, No. 232 (pp.
72756-72787). Retrieved from
http://www.gpo.gov/fdsys/pkg/FR-2013-12-03/pdf/201328628.pdf
• NERC. (2009 November 30). Reliability Functional Model
(v5, pp. 1-55). Retrieved from
http://www.nerc.com/files/Functional_Model_V5_Final_200
9Dec1.pdf
• NERC. (2012 October 26). Implementation Plan for
Version 5 CIP Cyber Security Standards. Retrieved from
http://www.nerc.com/pa/Stand/CIP00251RD/Implementatio
n_Plan_clean_4_(2012-1024-1352).pdf
67
References
• NERC. (2013 November 21). Glossary of Terms Used in NERC
Reliability Standards. Retrieved from
http://www.nerc.com/pa/stand/glossary%20of%20terms/glossary_o
f_terms.pdf
• NERC. (2013 November 22). CIP-002-5.1 – Cyber Security – BES
Cyber System Categorization. Retrieved from
http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber
=CIP-002-5.1&title=Cyber%20Security%20—
%20BES%20Cyber%20System%20Categorization&jurisdiction=nu
ll
• NERC. (2014 April). Bulk Electric System Definition Reference
Document. Retrieved from
http://www.nerc.com/pa/Stand/Project%20201017%20Proposed%
20Definition%20of%20Bulk%20Electri/bes_phase2_reference_doc
ument_20140325_final_clean.pdf
68
CIP-002-5.1 Presentation Revision History
Version
69
Change History
Date
By
v1
Developed initial presentation for SLC
Outreach
01/21/14
J. Baugh
v2
Minor changes for SLC Outreach
02/01/14
J. Baugh
v3
Added IRC slides for SMUD presentation
02/16/14
J. Baugh
v4
Added examples of BCS Groupings for
MDR Outreach
03/13/14
J. Baugh
v5
Minor changes for SMUD Outreach
05/03/14
J. Baugh
v6
Added slides to discuss Pilot Study
lessons learned proposals; Included
discussion on Net Real Power Capability;
Added revision history for SLC Outreach
05/09/14
J. Baugh
Questions?
Joseph B. Baugh, Ph.D., PMP
CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
jbaugh (at) wecc (dot) biz
(C) 520.331.6351 (O) 801.734.8357