Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security

CIP-004-5 Personnel & Training
May 14, 2014
CIP v5 Roadshow – Salt Lake City, UT

Agenda
• Applicability
• Implementation
• CIP-004-5 R1-R5
  o Overview
  o Audit Approach
  o Tips

Compliance is like an onion…
Positives:
  o Important ingredient in the stew of reliability
  o Adds flavor to an organization
  o Improves overall health of the BES
  o Peel back layers of evidence
Negatives:
  o It stinks
  o Makes people cry
  o Known to aggravate certain medical conditions
  o Causes indigestion
  o Can be dry
  o Known to cause shock

Goal
Communicate WECC’s audit approach for each Requirement of CIP-004-5

CIP-004-5 Purpose
“To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.”

Policy, Program, Process, Procedure…
Regurgitating the Requirement language does not constitute developing a policy, program, process, or procedure.
CIP-004-5 Extreme Acronyms
• HIBESCS
• MIBESCS
• HIBESCSATAEACMSAPACS
• HIBESCSATAEACMS
• MIBESCSWERCATAEACMSAPACS

CIP-004-5 Applicability
• HIBESCS
  o High Impact BES Cyber Systems (R1)
• MIBESCS
  o Medium Impact BES Cyber Systems (R1)
• HIBESCSATAEACMSAPACS
  o High Impact BES Cyber Systems and their associated EACMS and PACS (R2-R5 except 5.5)
• HIBESCSATAEACMS
  o High Impact BES Cyber Systems and their associated EACMS (Part 5.5 only)
• MIBESCSWERCATAEACMSAPACS
  o Medium Impact BES Cyber Systems with external routable connectivity and their associated EACMS and PACS (R2-R5 except 5.5)

CIP-004-5 Implementation
• By April 1, 2016
  o CIP-004-5 R1-R5 except as noted below…
• On or before July 1, 2016:
  o CIP-004-5, R4, Part 4.2
• On or before April 1, 2017:
  o CIP-004-5, R2, Part 2.3
  o CIP-004-5, R4, Part 4.3, Part 4.4
• Within 7 years after last PRA performed:
  o CIP-004-5, Requirement R3, Part 3.5

CIP-004-5 R1 Overview
• Security Awareness Program
  o Reinforce cyber (and physical) security practices
  o Once each calendar quarter
• High & Medium BESCS

CIP-004-5 R1 Audit Approach
• Documented process covering all of R1
• Quarterly reinforcement
• Evidence demonstrating:
  o Content
  o Delivery method

CIP-004-5 R1 Tips
• Informational program reinforcing logical and physical security practices
• Strong awareness programs leverage various content and content delivery methods
• R1 applies to High and Medium BES Cyber Systems

CIP-004-5 R2 Overview
• Cyber security training specific to roles, functions, responsibilities
  o Training content specified in 2.1.1 – 2.1.9
  o Train PRIOR to granting access
  o Refresh annually (at least 1x/15 months)
• High & Medium (w/ERC) BESCS + EACMS + PACS

Training

CIP-004-5 R2 Audit Approach
• Documented role-based training programs
  o e.g. Sys Admin vs. Operator vs. Security Guard
• Does training cover 2.1.1 – 2.1.9?
• Validate training prior to access
  o Compare dates
• Validate annual refresh
• Review controls in place to ensure timely delivery of training and annual refreshers

CIP-004-5 R2 Tips
• You have flexibility to develop customized/personalized training program(s)
• Don’t get too granular with role-based training
• Not intended to be technical training
• CIP Exceptional Circumstances – consider how it applies to your organization

Quiz Time!!
• All programs and policies specified throughout CIP-004-5 require CIP Senior Manager approval.
False

CIP-004-5 R3 Overview
• Personnel risk assessment
  o Confirm identity
  o 7-year criminal history check
  o Process & criteria to evaluate results
  o PRAs for contractors & vendors
  o Renewal process

Personnel Risk Assessment

CIP-004-5 R3 Audit Approach
• Documented PRA process – does it include:
  o Identity validation
  o 7-year criminal history
  o Supporting documentation if 7 years cannot be completed
  o Evaluation of results
• Tracking PRA dates - initial & renewal
• Evaluate controls in place to ensure timely completion, renewal, and tracking of PRAs

CIP-004-5 R3 Tips
• Criteria or process to evaluate criminal history (3.3) is NEW – clearly identify criteria or evaluation process & associated outputs
• Check that PRA dates are PRIOR to access granted dates
• Be prepared to request PRA evidence from vendors & contractors
• PRAs performed for v3 don’t need to be redone for v5

CIP-004-5 R4 Overview
• Access Management Program
  o Access authorization process covering:
    - Cyber
    - Physical
    - BES Cyber System Information
  o Quarterly verification of authorization
  o Annual verification of:
    - Privileges to BES Cyber Systems
    - Access to BES Cyber System Information

Access Management

CIP-004-5 R4 Audit Approach
• Documented access management program – does it address all aspects of 4.1 – 4.4, including deliverables?
• Validate quarterly & annual reviews
• Validate access grants against system records
• Evaluate controls related to access list maintenance, and quarterly & annual reviews

CIP-004-5 R4 Tips
• Quarterly reviews = compare individuals actually provisioned against authorization records
• Annual review = more detailed to ensure least privilege is enabled
• Work towards evolving beyond spreadsheets and paper forms
• Continue tracking individuals and their role-based access rights
• Consider separation of duties: provisioner vs. reviewer

CIP-004-5 R5 Overview
• Documented access revocation process
  o Terminations:
    - Initiate removal of ability for physical and interactive remote access immediately and complete w/in 24 hours
    - Revoke logical/physical access to designated storage locations by end of next calendar day
    - Revoke non-shared user accounts w/in 30 days
    - Change shared account passwords w/in 30 days
  o Transfers/Reassignments:
    - Revoke logical & physical access by end of next business day
    - Change shared account passwords w/in 30 days

Access Revocation

CIP-004-5 R5 Audit Approach
• Processes for terminations and transfers/reassignments
• Do the processes cover everything in 5.1 through 5.5?
• Do your processes point to procedures detailing how each action is carried out?
• Proof of performance: records, lists, screenshots, tickets, emails, system reports, forms, etc.

CIP-004-5 R5 Tips
• Define start trigger for termination/transfer process
• Read Part 5.1 carefully – deliberate wording. Document how you define ability to access
• NEW – designated storage locations, whether physical or electronic, for BES Cyber System Information – identify and document
• NEW – extenuating operating circumstances (changing shared account passwords 5.5) – define, document, and track
• Part 5.5 only applies to High Impact BES CA and associated EACMS
• Workflow diagrams are an auditor’s best friend

Resources, References, & Light Reading
• NERC v3 to v5 mapping document (pp. 8-11)
• FERC Order 791 (pp. 15-16)
• 2011 v5 SDT Presentation (pp. 36-46)

Questions?
Bryan J. Carr, PMP, CISA
Compliance Auditor, Cyber Security
O: 801.819.7691
M: 801.837.8425
bcarr@wecc.biz
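The date comparisons and reconciliations that the R2 through R5 Audit Approach and Tips slides describe (training and PRA dated before access, 15-month refresh, 7-year PRA renewal, provisioned-vs-authorized quarterly review, and the R5 termination clocks), as an added example that is not part of the presentation. The record layout, names and sample dates are constructed assumptions, and the transfer/reassignment clock (end of next business day) is not modelled.

```python
from calendar import monthrange
from datetime import date, datetime, timedelta

def add_months(d, n):
    """Shift a date by n calendar months, clamping the day to the target month."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, monthrange(y, m)[1]))

def training_pra_findings(rec, as_of):
    """R2/R3 date checks on one individual's evidence: training and PRA dated before
    the access grant, refresh within 15 months, PRA renewed within 7 years (Part 3.5)."""
    findings = []
    if rec["trained"] > rec["access_granted"]:
        findings.append("training dated after access granted (R2)")
    if rec["pra"] > rec["access_granted"]:
        findings.append("PRA dated after access granted (R3)")
    if add_months(rec["last_refresh"], 15) < as_of:
        findings.append("refresher training overdue (R2)")
    if add_months(rec["pra"], 84) < as_of:
        findings.append("PRA renewal overdue (R3 Part 3.5)")
    return findings

def quarterly_reconciliation(provisioned, authorized):
    """R4 quarterly review: individuals actually provisioned on the system versus
    the authorization records. 'unauthorized' is the audit finding."""
    return {"unauthorized": sorted(set(provisioned) - set(authorized)),
            "authorized_not_provisioned": sorted(set(authorized) - set(provisioned))}

def revocation_deadlines(termination):
    """R5 termination clocks: 24 hours for physical/interactive remote access, end of
    next calendar day for designated BCSI storage, 30 days for accounts and passwords."""
    next_day = termination.date() + timedelta(days=1)
    return {"access_removal": termination + timedelta(hours=24),
            "bcsi_storage": datetime.combine(next_day, datetime.max.time()),
            "accounts_and_shared_passwords": termination + timedelta(days=30)}

def late_revocations(termination, completed):
    """Return the R5 actions whose recorded completion time missed its deadline."""
    deadlines = revocation_deadlines(termination)
    return sorted(a for a, t in completed.items() if t > deadlines[a])

# Constructed sample evidence (assumed layout, not from the presentation).
AS_OF = date(2018, 1, 15)
SAMPLE_RECORD = {"name": "B. SysAdmin", "trained": date(2016, 2, 20),
                 "pra": date(2016, 3, 1), "access_granted": date(2016, 2, 25),
                 "last_refresh": date(2016, 2, 20)}
SAMPLE_TERMINATION = datetime(2016, 6, 1, 14, 0)
SAMPLE_COMPLETED = {"access_removal": datetime(2016, 6, 2, 15, 30),
                    "bcsi_storage": datetime(2016, 6, 2, 18, 0),
                    "accounts_and_shared_passwords": datetime(2016, 6, 20, 9, 0)}
```

Run `training_pra_findings(SAMPLE_RECORD, AS_OF)` and `late_revocations(SAMPLE_TERMINATION, SAMPLE_COMPLETED)` over real exported records to produce the same finding lists an auditor would build by hand from dates and access lists.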