Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
CIP-004-5 Personnel & Training
May 14 , 2014
CIP v5 Roadshow – Salt Lake City, UT
Agenda
• Applicability
• Implementation
• CIP-004-5 R1-R5
o Overview
o Audit Approach
o Tips
2
Compliance is like an onion…
3
Positives:
Negatives:
o Important ingredient in the
stew of reliability
o Adds flavor to an
organization
o Improves overall health of
the BES
o Peel back layers of
evidence
o It stinks
o Makes people cry
o Known to aggravate certain
medical conditions
o Causes indigestion
o Can be dry
o Known to cause shock
Goal
Communicate WECC’s audit approach for
each Requirement of CIP-004-5
4
CIP-004-5 Purpose
“To minimize the risk against compromise that
could lead to misoperation or instability in the
BES from individuals accessing BES Cyber
Systems by requiring an appropriate level of
personnel risk assessment, training, and
security awareness in support of protecting BES
Cyber Systems.”
5
Policy, Program, Process, Procedure…
Regurgitating the Requirement
language does not constitute
developing a policy, program,
process, or procedure.
6
CIP-004-5 Extreme Acronyms
•
•
•
•
•
7
HIBESCS
MIBESCS
HIBESCSATAEACMSAPACS
HIBESCSATAEACMS
MIBESCSWERCATAEACMSAPACS
CIP-004-5 Applicability
• HIBESCS
o High Impact BES Cyber Systems (R1)
• MIBESCS
o Medium Impact BES Cyber Systems (R1)
• HIBESCSATAEACMSAPACS
o High Impact BES Cyber Systems and their associated
EACMS and PACS (R2-R5 except 5.5)
• HIBESCSATAEACMS
o High Impact BES Cyber Systems and their associated
EACMS (Part 5.5 only)
• MIBESCSWERCATAEACMSAPACS
o Medium Impact BES Cyber Systems with external routable
connectivity and their associated EACMS and PACS (R2-R5
except 5.5)
8
CIP-004-5 Implementation
• By April 1, 2016
o CIP-004-5 R1-R5 except as noted below…
• On or before July 1, 2016:
o CIP-004-5, R4, Part 4.2
• On or before April 1, 2017:
o CIP-004-5, R2, Part 2.3
o CIP-004-5, R4, Part 4.3, Part 4.4
• Within 7 years after last PRA performed:
o CIP-004-5, Requirement R3, Part 3.5
9
CIP-004-5 R1 Overview
• Security Awareness Program
o Reinforce cyber (and physical) security
practices
o Once each calendar quarter
• High & Medium BESCS
10
CIP-004-5 R1 Audit Approach
• Documented process covering all of R1
• Quarterly reinforcement
• Evidence demonstrating:
o Content
o Delivery method
11
CIP-004-5 R1 Tips
• Informational program reinforcing logical
and physical security practices
• Strong awareness programs leverage
various content and content delivery
methods
• R1 applies to High and Medium BES Cyber
Systems
12
CIP-004-5 R2 Overview
• Cyber security training specific to roles,
functions, responsibilities
o Training content specified in 2.1.1 – 2.1.9
o Train PRIOR to granting access
o Refresh annually (at least 1x/15 months)
• High & Medium (w/ERC) BESCS + EACM +
PACS
13
Training
14
CIP-004-5 R2 Audit Approach
• Documented role-based training programs
o e.g. Sys Admin vs. Operator vs. Security Guard
• Does training cover 2.1.1 – 2.1.9?
• Validate training prior to access
o Compare dates
• Validate annual refresh
• Review controls in place to ensure timely
delivery of training and annual refreshers
15
CIP-004-5 R2 Tips
• You have flexibility to develop
customized/personalized training program(s)
• Don’t get too granular with role-based
training
• Not intended to be technical training
• CIP Exceptional Circumstances – consider
how it applies to your organization
16
Quiz Time!!
• All programs and policies specified
throughout CIP-004-5 require CIP Senior
Manager approval.
False
17
CIP-004-5 R3 Overview
• Personnel risk assessment
o
o
o
o
o
18
Confirm identity
7-year criminal history check
Process & criteria to evaluate results
PRAs for contractors & vendors
Renewal process
Personnel Risk Assessment
19
CIP-004-5 R3 Audit Approach
• Documented PRA process – does it include:
o Identity validation
o 7-year criminal history
o Supporting documentation if 7 years cannot be
completed
o Evaluation of results
• Tracking PRA dates - initial & renewal
• Evaluate controls in place to ensure timely
completion, renewal, and tracking of PRAs
20
CIP-004-5 R3 Tips
• Criteria or process to evaluate criminal
history (3.3) is NEW – clearly identify criteria
or evaluation process & associated outputs
• Check that PRA dates are PRIOR to access
granted dates
• Be prepared to request PRA evidence from
vendors & contractors
• PRAs performed for v3 don’t need to be redone for v5
21
CIP-004-5 R4 Overview
• Access Management Program
o Access authorization process covering:
 Cyber
 Physical
 BES Cyber System Information
o Quarterly verification of authorization
o Annual verification of:
 Privileges to BES Cyber Systems
 Access to BES Cyber System Information
22
Access Management
23
CIP-004-5 R4 Audit Approach
• Documented access management program
– does it address all aspects of 4.1 – 4.4,
including deliverables?
• Validate quarterly & annual reviews
• Validate access grants against system
records
• Evaluate controls related to access list
maintenance, and quarterly & annual
reviews
24
CIP-004-5 R4 Tips
• Quarterly reviews = compare individuals actually
provisioned against authorization records
• Annual review = more detailed to ensure least
privilege is enabled
• Work towards evolving beyond spreadsheets and
paper forms
• Continue tracking individuals and their role-based
access rights
• Consider separation of duties: provisioner vs.
reviewer
25
CIP-004-5 R5 Overview
• Documented access revocation process
o Terminations
 Initiate removal of ability for physical and interactive
remote access immediately and complete w/in 24 hours
 Revoke logical/physical access to designated storage
locations by end of next calendar day
 Revoke non-shared user accounts w/in 30 days
 Change shared account passwords w/in 30 days
o Transfers/Reassignments:
 Revoke logical & physical access by end of next business
day
 Change shared account passwords w/in 30 days
26
Access Revocation
27
CIP-004-5 R5 Audit Approach
• Processes for terminations and
transfers/reassignments
• Does the processes cover everything in 5.1
through 5.5?
• Do your processes point to procedures
detailing how each action is carried out?
• Proof of performance: records, lists,
screenshots, tickets, emails, system reports,
forms, etc.
28
CIP-004-5 R5 Tips
• Define start trigger for termination/transfer process
• Read Part 5.1 carefully – deliberate wording.
Document how you define ability to access
• NEW – designated storage locations, whether physical
or electronic, for BES Cyber System Information –
identify and document
• NEW – extenuating operating circumstances
(changing shared account passwords 5.5) – define,
document, and track
• Part 5.5 only applies to High Impact BES CA and
associated EACMS
• Workflow diagrams are an auditors best friend
29
Resources, References, & Light Reading
• NERC v3 to v5 mapping document (pp. 8-11)
• FERC Order 791 (pp. 15-16)
• 2011 v5 SDT Presentation (pp. 36-46)
30
Questions?
Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
bcarr@wecc.biz