CIP-010_CIP-011

Ben Christensen
Senior CIP Enforcement Analyst
CIP-010-1
May 15, 2014
SLC, UT
Pop Quiz!!
• Who invented the electric motor?
A. William Sturgeon
B. Thomas Davenport
C. Michael Faraday
Pop Quiz!!
• Who invented the electric motor?
Michael Faraday
Agenda
• Help entities understand and prepare for
the upcoming CIP 010-1
o Differences and relations to current
requirements
o Possible pitfalls to look for while implementing
CIP 010-1
o WECC’s audit approach
o Best practices
CIP 010-1
Purpose of CIP 010-1
• Prevent and detect unauthorized changes
to BES Cyber Systems.
• Specify vulnerability assessment
requirements in support of protecting BES
Cyber Systems from compromise.
• Document and maintain device baselines
and periodically verify they are accurate.
Applicable Systems
CIP 010-1 Similarities with V.3
• CIP 003-3 R6: Change Control and
Configuration Management
• CIP 007-3 R1: Test procedures
• CIP 005-3 R4 and CIP 007-3 R8: Cyber
Vulnerability Assessment(s)
• CIP 007-3 R9 and CIP 005-3 R5:
Documentation review and maintenance
Pop Quiz!!
• Who invented the modern automobile?
A. Henry Ford
B. Karl Benz
C. Ransom Olds
Pop Quiz!!
• Who invented the modern automobile?
Karl Benz
CIP 010-1 R1
CIP 010-1 R1.1
• Applicable to Protected Cyber Assets (PCA) and
specifies information required in device baselines
CIP 010-1 R1.1
CIP 003-3 R6
CIP-010-1 R1.1 - Possible Pitfall #1
• CIP 003-3 R6 was previously not applicable to Non-CCAs that resided within an ESP. Thus the entity did not create baselines or update procedures to ensure baselines were maintained for these devices.
CIP-010-1 R1.1 - Possible Pitfall #2
• Entity does not ensure documented
baselines for all devices contain operating
system, commercial/open source software,
custom software, logical ports, and security
patches applied.
CIP-010-1 R1.1 Approach
• Ensure entity has documented baselines for
all devices (or group of devices) in
applicable BES Cyber Systems
o Verify Baselines include operating
system/firmware, commercial software, custom
software, logical network accessible ports, and
security patches applied
CIP 010-1 R1.1 Best Practice
• Use combination of automated tools and manual
walkthroughs/verifications to ensure lists and
baselines are accurate
• Minimize applications on devices to only what is
necessary
• Include step to periodically verify accuracy of
applicable device lists and baselines
CIP 010-1 R1.1 Best Practice
• Discussions and careful planning should be
conducted on the method for maintaining
device baselines
o Review CIP 007 R3 presentation from Oct 2013
CIPUG for common methods to maintain
information
o What method is best for your organization:
 Commercial Software
 Custom Software
 Spreadsheet
CIP 010-1 R1.1 Best Practice
• Consider moving away from spreadsheets and other manual methods and look into more advanced methods for retaining information.
o See Joe B presentation from October 2011 CIPUG on the advantages of moving from a spreadsheet to a relational database
 Includes some labeling schema tips as well for when implementing a database for device management
CIP 010-1 R1.2
• Applicable to PCA and requires changes to
be authorized
CIP 010-1 R1.2
CIP 003-3 R6
CIP-010-1 R1.2 - Possible Pitfall
• Entity cannot demonstrate all changes
made to baseline(s) were authorized
CIP 010-1 R1.2 - Approach
• Ensure all changes made to baselines have
been authorized.
CIP 010-1 R1.2 – Best Practice
• Update procedural documentation to
include at minimum:
o Who can authorize changes, and to what
o When authorization needs to occur
o How the authorization will be documented,
stored, and tracked
• Segregation of duties
o The implementer should be different from the
authorizer
CIP 010-1 R1.3
• Baselines must be updated within 30 days
of change
CIP 005-3 R5
CIP 010-1 R1.3
CIP 007-3 R9
CIP 010-1 R1.3 – Possible Pitfall
• Entity cannot demonstrate baselines are
updated within 30 days of changes made
CIP 010-1 R1.3 - Approach
• Ensure entity is updating baselines within
30 days of when change was made.
o Start date will be determined by reviewing work
orders, tracking sheet, or other documentation
that details when the change actually occurred.
CIP 010-1 R1.3 – Best Practices
• Procedures for updating baselines should
address:
o Who will communicate the changes made to
the baselines
o How changes will be communicated
o Who the changes are communicated to
o When the changes will be made
CIP 010-1 R1.3 – Best Practices
• Maintain a version history when updating
documentation.
o Version number
o Who performed the update to the
documentation
o Who made the change to the device
o Who authorized the change
o What was changed
POP Quiz!!
• Who invented the printing press?
POP Quiz!!
• Who invented the printing press?
Johannes Gutenberg
CIP 010-1 R1.4
• Impact due to a change must consider
security controls in CIP 005 and CIP 007
CIP 010-1 R1.4
CIP 007-3 R1
CIP 010-1 R1.4 – Possible Pitfall
• Entity verifies same controls for all changes
made to any baseline.
o Thus entity does not account for different
environments, devices, or changes when
determining what controls could be impacted
 May be ok if all controls are verified every time
CIP 010-1 R1.4 - Approach
• Verify all changes made to device baselines
are documented
• Ensure controls that may be impacted were
identified and documented prior to the
change
o Why were some controls not included?
• Review evidence supporting identified
controls were not adversely impacted
CIP 010-1 R1.4 – Best Practices
• Procedures should include:
o Documenting the date that all steps taken to support cyber security controls were identified, prior to the change taking place
o How potentially impacted cyber security controls are identified
 Who does this?
o How adverse impacts will be detected
 Who does this and when?
CIP 010-1 R1.4 – Best Practices
• Include a peer review step for reviewing
what controls may be impacted and when
verifying controls weren’t adversely
impacted
• Coordinate testing processes between
departments, business units, etc. to ensure
consistency
CIP 010-1 R1.5
CIP 010-1 R1.5
CIP 007-3 R1
CIP 010-1 R1.5 cont.
• Only applicable to High Impact systems
• Specific to security controls that must be tested
o Security controls in CIP 005 and CIP 007
• New test environment requirements
o Document if a test environment was used
o Document differences between test and production environment
 Measures taken to account for these differences
CIP 010-1 R1.5 Possible Pitfall
• Entity does not document differences
between production and testing
environment
• Entity does not take measures to account
for differences in the production and testing
environment.
CIP 010-1 R1.5 - Approach
• For each change that deviates from existing
baseline:
o List of cyber security controls tested
 Test results
 List of differences between the production and test
environments
 Descriptions of how any differences were accounted
for
 When testing occurred.
CIP 010-1 R1.5 – Best Practices
• Use a checklist or other task managing tool to reduce the likelihood of not testing all controls
• Document specific test procedures for all cyber assets or groups of assets
o Describe the test procedures
• Describe the test environment and how it reflects the production environment
CIP 010-1 R2
POP Quiz!!
• When was the atomic bomb first invented?
POP Quiz!!
• When was the atomic bomb first invented?
July 1945
CIP 010-1 R2.1
• Must actively search for unauthorized
changes to baseline
– Automated preferred but can be manual
• Must document and investigate
unauthorized changes
CIP 010-1 R2.1
CIP 003-3 R6
CIP-010-1 R2.1 – Possible Pitfall
• Not consistently monitoring for changes every 35 days
o Entity begins the process at the end of the month
 Thus the entity continuously misses the 35 day deadline as it does not have enough time to complete the review
o Documentation is inconsistent and SMEs can’t keep track of whether specific devices have an automated or manual process for tracking configuration changes
CIP 010-1 R2.1 - Approach
• Logs from a system that is monitoring configurations
• Work orders, tracking sheets, raw data evidence of manual investigations
• Records investigating detected unauthorized changes
CIP 010-1 R2 – Best Practice
• Consider using commercial or open source File Integrity Monitoring software for continuous monitoring
• Start the monitoring process with enough lead time to complete the review
o Consider using an automated task managing tool
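As an added illustration (not part of the deck or of any WECC tool) of the R1.1 baseline elements, the R1.2 authorization check and the R2.1 search for unauthorized changes, the Python below diffs a documented baseline against a fresh snapshot and splits the result into authorized and unauthorized items. The host, software, port and work-order values are constructed, and the dictionary layout and field names are assumptions.

```python
"""Detect drift from a documented device baseline and separate authorized from
unauthorized changes (CIP-010-1 R1.1 elements, R1.2 authorization, R2.1 detection).
All host, software and work-order data below is constructed sample data."""

# The five baseline elements named in CIP-010-1 R1.1; the key names are an assumption.
BASELINE_ELEMENTS = ("os", "commercial_software", "custom_software", "ports", "patches")

def diff_baseline(baseline, current):
    """Return {element: {"added": set, "removed": set}} for each element that drifted."""
    changes = {}
    for elem in BASELINE_ELEMENTS:
        before, after = set(baseline.get(elem, ())), set(current.get(elem, ()))
        if before != after:
            changes[elem] = {"added": after - before, "removed": before - after}
    return changes

def classify_changes(changes, authorizations):
    """Split drift into (authorized, unauthorized) lists of (element, kind, item).

    An item counts as authorized only when a work order names that element and
    item AND the authorizer is not the implementer (segregation of duties, the
    R1.2 best practice). Anything else must be documented and investigated (R2.1).
    """
    authorized, unauthorized = [], []
    for elem, delta in changes.items():
        for kind in ("added", "removed"):
            for item in sorted(delta[kind], key=str):
                rec = next((a for a in authorizations
                            if a["element"] == elem and item in a.get(kind, ())), None)
                ok = rec is not None and rec["authorized_by"] != rec["implemented_by"]
                (authorized if ok else unauthorized).append((elem, kind, item))
    return authorized, unauthorized

# Constructed sample: the documented baseline and a fresh snapshot of the same host.
BASELINE = {"os": ["Windows Server 2008 R2"], "commercial_software": ["Acme HMI 4.1"],
            "custom_software": ["alarm_export.py v2"], "ports": [22, 443, 3389],
            "patches": ["KB2000001"]}
SNAPSHOT = {"os": ["Windows Server 2008 R2"],
            "commercial_software": ["Acme HMI 4.1", "RemoteShell 1.0"],
            "custom_software": ["alarm_export.py v2"], "ports": [22, 443],
            "patches": ["KB2000001", "KB2000002"]}
# Constructed work orders: the port removal is properly authorized; the patch was
# authorized and installed by the same person, so it fails the segregation check.
AUTHORIZATIONS = [
    {"element": "ports", "removed": [3389], "authorized_by": "ops_mgr", "implemented_by": "tech1"},
    {"element": "patches", "added": ["KB2000002"], "authorized_by": "tech2", "implemented_by": "tech2"},
]

def review_host(baseline=BASELINE, snapshot=SNAPSHOT, auths=AUTHORIZATIONS):
    """Run the full check for one host; the unauthorized list is the R2.1 investigation queue."""
    return classify_changes(diff_baseline(baseline, snapshot), auths)

if __name__ == "__main__":
    ok, bad = review_host()
    print("authorized changes:", ok)
    print("UNAUTHORIZED - investigate and document:", bad)
```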
CIP 010-1 R2 – Best Practice
• What if you find an unauthorized change?
o What change(s) have been made without
authorization
o Who made the change(s)?
o When were the change(s) made?
o How can a similar issue be prevented?
CIP 010-1 R1 and R2
QUIZ Time
CIP 010-1 R1 and R2
• Entities are required to test all changes in a
test environment that reflects the production
environment.
False
CIP 010-1 R1 and R2
• Entity baselines are required to include:
1. Operating system/Firmware
2. Commercial/open source software
3. Custom software
4. Logical ports
5. All security patches applied
TRUE
But what about devices where some of these don’t apply?
CIP 010-1 R3
CIP 010-1 R3.1
• No more annual requirement, and CVA can
be active or paper
CIP 005-3 R4
CIP 010-1 R3.1
CIP 007-3 R8
CIP-010-1 R3.1 – Possible Pitfall
• Entity conducts initial Vulnerability
Assessment in January then not again until
April the next year (16 months)
• Remember the CIP 003 pitfalls
CIP-010-1 R3.1 – Approach
• Verify when last CVA was conducted
• Verify current CVA was conducted within 15
calendar months of previous CVA
• Evidence could include:
o A document listing the date of the assessment
and the output of any tools used to perform the
assessment.
CIP 010-1 R3.2 – Best Practices
• Vulnerability assessment should include at minimum:
o Network and access point discovery
o Port and service identification
o Review of default accounts, passwords, and network management community strings
o Wireless access point review
CIP-010-1 R3.1 – Best Practice
• Consider keeping Vulnerability Assessments for devices or groups of devices on the same cycle
• Implement a task managing tool to help track needed tasks and deadlines
• Review NIST SP 800-115 for guidance on conducting a vulnerability assessment
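Added example, not from the deck: a small Python due-date tracker for the intervals the deck cites (30 and 35 days, 15 and 36 calendar months), including the "start early enough to finish the review" check from the R2.1 pitfall. It counts calendar months the way the deck does (January to April of the next year is 16 months), which is the stricter reading; the obligation names, interval kinds and sample dates are assumptions.

```python
"""Due-date tracking for the recurring CIP-010-1 activities named in the deck:
R1.3 baseline update (30 days), R2.1 change monitoring (35 days), R3.1
vulnerability assessment (15 calendar months), R3.2 active assessment (36 months).
Dates below are constructed sample data. Calendar months are counted the way the
deck does: the month of the last activity is month 1, so January to April of the
following year spans 16 months and misses a 15-calendar-month deadline."""
import calendar
from datetime import date, timedelta

# Interval kinds are an assumption about how each requirement is tracked.
OBLIGATIONS = {
    "R1.3 baseline update": ("days", 30),
    "R2.1 change monitoring": ("days", 35),
    "R3.1 vulnerability assessment": ("calendar_months", 15),
    "R3.2 active assessment (High impact)": ("calendar_months", 36),
}

def calendar_month_deadline(last, months):
    """Last day of the Nth calendar month, counting the month of `last` as month 1."""
    idx = last.year * 12 + (last.month - 1) + (months - 1)
    year, month0 = divmod(idx, 12)
    return date(year, month0 + 1, calendar.monthrange(year, month0 + 1)[1])

def due_date(obligation, last):
    """Deadline for the next occurrence, given the date the activity was last done."""
    kind, n = OBLIGATIONS[obligation]
    if kind == "days":
        return last + timedelta(days=n)
    return calendar_month_deadline(last, n)

def start_by(obligation, last, review_days):
    """Latest start date that still leaves `review_days` before the deadline. This is
    the R2.1 pitfall: starting at month end leaves no time to finish the review."""
    return due_date(obligation, last) - timedelta(days=review_days)

def check(obligation, last, performed):
    """Return (compliant, deadline) for an activity performed on `performed`."""
    deadline = due_date(obligation, last)
    return performed <= deadline, deadline

if __name__ == "__main__":
    # The deck's R3.1 pitfall: assessed in January, then not again until April next year.
    ok, deadline = check("R3.1 vulnerability assessment", date(2013, 1, 20), date(2014, 4, 10))
    print(f"R3.1 deadline {deadline}, compliant={ok}")  # 2014-03-31, False
    print("start monitoring by", start_by("R2.1 change monitoring", date(2014, 3, 1), 10))
```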
POP Quiz!!
• What was the first home video game console?
A. Atari 2600
B. Magnavox Odyssey
C. VES
D. RCA Studio II
POP Quiz!!
• What was the first home video game console?
Magnavox Odyssey
• Developed in 1972
CIP 010-1 R3.2
CIP 005-3 R4
CIP 010-1 R3.2
CIP 007-3 R8
CIP 010-1 R3.2 cont.
• Only applicable to High Impact BES systems
• Required to be performed at least every 36 months
• CVA must be active and can be performed in the production or test environment
o Test environment must reflect production
o Document differences between test and production environment
o Take and document measures to address the differences between test and production environment
CIP 010-1 R3.2 – Possible Pitfall
• Entity does not conduct active Vulnerability Assessments at least every 36 months
• Entity does a manual review on devices for which an active review is technically feasible
CIP 010-1 R3.2 – Approach
• Verify active Vulnerability Assessments conducted at least every 36 months
• Description of test environment and how differences were accounted for (if test environment used for assessment)
• Raw data outputs of assessment for applicable devices
CIP 010-1 R3.2 – Best Practices
• Vulnerability assessment should include at minimum:
o Network and access point discovery
o Port and service identification
o Review of default accounts, passwords, and network management community strings
o Wireless access point review
CIP 010-1 R3.2 – Best Practice
• Where possible conduct the Vulnerability
Assessment on the production environment
• Implement a task managing tool to help
track needed tasks and deadlines
• Document SMEs responsible for conducting
the Vulnerability Assessment and for what
cyber assets
CIP 010-1 R3.3
• New devices need an active Vulnerability
Assessment prior to deployment
CIP 010-1 R3.3
CIP 007-3 R1
CIP-010-1 R3.3 – Possible Pitfall
• Entity adds new asset to production without
first conducting active Vulnerability
Assessment
CIP 010-1 R3.3 – Approach
• Ensure all newly added assets have had
active vulnerability scan conducted prior to
device being added to production
• Verify all necessary controls were verified
as part of assessment
• Verify raw data output of vulnerability
assessment can be provided
CIP 010-1 R3.3 – Best Practice
• Document specific procedures that include:
o Responsible personnel for conducting the test
o When testing needs to occur
o Where testing should occur
o How the testing should be conducted for each cyber asset or group of cyber assets
• Use a checklist and/or peer reviews to reduce chance of human error
CIP 010-1 R3.4
• Document planned completion date for
each remediation action
CIP 005-3 R4
CIP 010-1 R3.4
CIP 007-3 R8
CIP-010-1 R3.4 – Possible Pitfall
• Entity is not actively maintaining
an action plan to remediate
vulnerabilities found in the CVA.
o Entity is not documenting or
updating planned date of completion
for remediation actions
CIP-010-1 R3.4 – Approach
• Document results of the review or assessment
• List of action items to remediate issues
• Status of the action items
o Documented proposed dates of completion for the action plan
CIP-010-1 R3.4 – Best Practice
• Tie actions outlined in the plan to specific
SMEs
• Use an automated task managing tool to
track all required tasks and ensure they are
being completed
• Have steps to ensure action plan is updated
and reflects actual proposed completion
date of actions
CIP 010-1 R3
QUIZ Time
CIP 010-1 R3
• Entities are required to test all changes in a test environment that reflects the production environment.
False
Active CVA not required for Medium impact facilities or for like devices with similar baseline configurations
CIP 010-1 R3
• Entities will be required to meet the expected completion date of action plans to remediate issues found during the Vulnerability Assessment.
TRUE
However, the entity can update the expected date if more time is needed, provided the update is reasonable, justified, and done prior to the due date.
Additional Resources
• CIP-010-1
• NERC version 4 to version 5 mapping
• Glossary of Terms Used in NERC Reliability Standards
• NIST SP 800-115 – Security testing
Summary
• Know what is required for each BES Cyber System
• Create and maintain device baselines
• Track and manage deadlines
• Review referenced NIST documents for added guidance
Ben Christensen
Senior CIP Enforcement Analyst
CIP-011-1
May 15, 2014
SLC, UT
Agenda
• Help entities understand and prepare for
the upcoming CIP 011-1 standard
o Differences and relations to current
requirements
o Possible pitfalls to look for while implementing
CIP 011-1
o Implementation tips
CIP 011-1 General Pitfalls
• Identify, Assess, and Correct (IAC)
o FERC has conditionally approved CIP 011-1 on
the basis that NERC’s Standard Drafting Team
make clarifications or remove the IAC language
• BES Cyber System
o Pay special attention to the applicable BES
cyber systems in each requirement
Purpose
• Prevent unauthorized access to BES Cyber
System Information
BES Cyber System Information
• Information about the BES Cyber System
that could be used to gain unauthorized
access or pose a security threat to the BES
Cyber System – NERC glossary
BES Cyber System Information
• Includes:
o Security procedures/information
 BES Cyber Systems
 PACS
 EACMS
o List of devices with IP addresses
o Network diagrams
BES Cyber System Information
• Does NOT include:
o Individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access
 Device names
 Individual IP addresses
 ESP names
 Policy statements
CIP 011-1 Similarities with V.3
• CIP 003-3 R4: Information Protection
• CIP 007-3 R7: Disposal or Redeployment
CIP 011-1 similarities to V.3
CIP 011-1 R1.1
CIP 011-1 R1.2
CIP 003-3 R4
CIP 011-1 R2.1
CIP 007-3 R7
CIP 011-1 R2.2
CIP 011-1 R1 - Intro
CIP 011-1 R1
CIP 011-1 R1.1
CIP 011-1 R1.2
CIP 003-3 R4
CIP-011-1 R1.1 Language
• No longer a requirement to classify BES
cyber system information
CIP 011-1 R1.1
CIP 003-3 R4
CIP 011-1 R1.2
• Procedures for protecting information must
now address storage, transit, and use
CIP 011-1 R1.1
CIP 003-3 R4
CIP 011-1 R1.1 - Evidence
• Documented BES Cyber System Information method
• How you identify BES Cyber System Information (labels, classification)
• Repository or electronic and physical locations to house BES Cyber System Information
CIP 011-1 R1.2 - Evidence
• Procedure for protecting BES Cyber System Information
o Storage
o Transit
o Use
• Records that information was handled per your procedures
o Change control ticket
CIP 011-1 R1 Possible Pitfall
• Information Protection plan does not
address storage, transit, and use of BES
Cyber System Information
CIP 011-1 R1 - Implementation tips
• Consider different variables when
determining how to properly protect
information during transit, storage, and use
o Digital information stored locally
o Physical information stored in a PSP or not
o Information being held by vendors or accessed
by vendors
CIP 011-1 R1
QUIZ
CIP 011-1 R1
Which of the following would be considered
BES Cyber System Information?
A. Device host name
B. ESP diagram
C. PSP name
D. Inventory list with network addresses
CIP 011-1 R1
Which of the following would be considered
BES Cyber System Information?
A. Device host name
B. ESP diagram
C. PSP name
D. Inventory list with network addresses
CIP 011-1 R2
CIP 011-1 R2.1
• Focus is now on preventing unauthorized
retrieval instead of data destruction
CIP 011-1 R2.1
CIP 007-3 R7
CIP 011-1 R2.2
• Focus is now on preventing unauthorized
retrieval instead of data destruction
CIP 011-1 R2.2
CIP 007-3 R7
CIP 011-1 R2.1 – Evidence
• Records of sanitization actions
o Clearing
o Purging
o Destroying
• Records tracking
o Encryption
o Held in PSP
CIP 011-1 R2.2 – Evidence
• Records showing media was destroyed
prior to disposal
• Other records of actions taken to prevent
unauthorized retrieval of BES Cyber
System Information
CIP 011-1 R2 – Possible Pitfall
• Entity secures cyber assets no longer used
that contain BES cyber system information
in a location that is not restricted to only
those individuals with access to the BES
cyber system information
CIP 011-1 R2 – Implementation tips
• Review NIST SP 800-88 for guidance on developing media sanitization processes
• Where possible, erase, destroy, degauss, or encrypt data as soon as a device is no longer needed, to reduce mishandling of devices or BES Cyber System Information
CIP 011-1 – Scenario 1
• What if I have a 3rd party host my email?
• Do I need to protect this information under
CIP-011-1?
CIP 011-1 – Scenario 2
• I have hard copies of my network diagrams
located in a secure facility. Do I need to
include these in my CIP-011-1 program?
Purpose
• Prevent unauthorized access to BES Cyber
System information
CIP 011-1 – Scenario 1
• What if I have a 3rd party host my email?
• Do I need to protect this information under
CIP-011-1?
It Depends
CIP 011-1 – Scenario 1
• What type of information is stored on the
exchange server?
o BES Cyber System Information
• How do your procedures account for emails
containing this information?
CIP 011-1 – Scenario 2
• I have hard copies of my network diagrams
located in a secure facility. Do I need to
include these in my CIP-011-1 program?
YES
CIP 011-1 – Scenario 2
• What type of information is on the
diagrams?
o BES Cyber System Information
o List of all IP addresses
o List of all network access points
• What do your procedures state about
securing hard copies?
• What facilities might contain this
information?
Additional Resources
• CIP-011-1
• NERC version 4 to version 5 mapping
• Glossary of Terms Used in NERC Reliability Standards
• NIST SP 800-88 – Disposal guidance
Summary
• Purpose
• Differences
• Pitfalls
• Implementation tips
Questions?
Ben Christensen
801.819.7666
bchristensen@wecc.biz