20140514 - Presenation - 6 - CIP-006_May_V5_SLC

advertisement

Darren T. Nielsen, M.Ad., CISA,

CPP, PCI, PSP, CBRA, CBRM

Senior Compliance Auditor, Cyber Security

Salt Lake City, UT Office

CIP-006 V3 to CIP-006 V5 Transition Overview

5/14/2014

V5 Outreach

Salt Lake City, UT

2

Revision History of Road Show

• Lessons Learned updates to slide deck

CIP-006

R1

Change History

Added R1.10

Date

5/8/2014 NERC SDT addition per FERC Order

3

Speaker Intro:

Darren T. Nielsen, CISA, CPP, PCI, PSP,

• 24 years Physical Security Experience o Marine Corps Veteran (PRP) o Retired Law Enforcement Officer o 7 years Critical Infrastructure Protection Program o ASIS Utilities Security Council – Chairman o ASIS Physical Security Council o Education: M.Ad. (Leadership Emphasis) w/Distinction

- Northern Arizona University o BA- Police Science- Ottawa University

(Summa Cum Laude)

4

Purpose of V5 transition Presentation

Provide a basic overview of the changes

• Share WECC audit approach

• Provide examples of Best Practices

• Answer questions to assist your compliance efforts

5

Summary of CIP-006-5 Changes

Physical Security Program o Must define the operational or procedural controls to restrict physical access o Removed current “6 wall” wording to instead require a Physical Border- PSP o For High Impact, added the need to utilize two or more different and complementary physical access controls to restrict physical access o Testing changed to a 24-month cycle http://www.nerc.com/pa/Stand/Project20086CyberSecurityOrder706Version5CIPStanda/Mapping_D ocument_for_CIP_V5_Clean_(2012-0911).pdf

6

CIP-006-5 -Physical Security of BES

Cyber Systems

• A new Purpose….and some new language

• To manage physical access to “BES Cyber

Systems” by specifying a physical security plan in support of protecting BES Cyber

Systems against compromise that could lead to misoperation or instability in the

BES.

7

New language to assist going forward

• High Impact BES Cyber Systems –

• Medium Impact BES Cyber Systems–

• Medium Impact BES Cyber Systems without

External Routable Connectivity –

• Medium Impact BES Cyber Systems with External

Routable Connectivity – o This also excludes Cyber Assets in the BES Cyber System that cannot be directly accessed through External Routable Connectivity

.

8

New language (Continued)

• Physical Access Control Systems (PACS) –

Applies to each Physical Access Control

System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System.

9

New language (Continued)

• Locally mounted hardware or devices at the

Physical Security Perimeter – Applies to the locally mounted hardware or devices (e.g. such as motion sensors, electronic lock control mechanisms, and badge readers) at a Physical Security Perimeter associated with a referenced high impact BES Cyber System or medium impact BES Cyber System with External Routable

Connectivity, and that does not contain or store access control information or independently perform access authentication. These hardware and devices are excluded in the definition of Physical Access Control Systems.

10

You're now bilingual CIP personnel (end of new language)

• Protected Cyber Assets (PCA) – Applies to each Protected

Cyber Asset associated with a referenced high impact

BES Cyber System or medium impact BES Cyber System.

• Electronic Access Control or Monitoring Systems

(EACMS) – Applies to each Electronic Access Control or

Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber

System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems

.

11

CIP-006-5 —R1

A new look- Requirements and Measures

• A substantive change to your Plan.. now becomes a program. No Annual Approval.

12

CIP-006-5 —R1.2

A new look- Requirements and Measures

• Methods to control, log and monitor access remain the same as CIP-006-3 R4, R5, and R6

13

CIP-006-5 —R1.2

A new look- Requirements and Measures o Aligns to old V3 for CCA’s and protecting PACS assets

.

CIP-006-5 —R1.3

A new look- Requirements and Measures

• Major Change- Physical Access control to

High Impact BES Cyber Systems assets

14

For physically layered protection, a locked gate in combination with a locked controlbuilding could be acceptable, provided no single authenticator (e.g., key or card key) would provide access through both.

15

CIP-006-5 —R1.3 – Audit Approach

• Two forms of access control means access needs to require two of the following:

1. Something you know (PIN, password, etc.)

2. Something you are (biometrics, security guard identity verification, etc.)

3. Something you have (Hard key, token, card key, etc.)

CIP-006-5 —R1.3 – Audit Approach

Methods of physical access control include:

• Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database.

Access rights may differ from one perimeter to another.

• Special Locks: These include, but are not limited to, locks with

“restricted key” systems, magnetic locks that can be operated remotely, and “man ‐ trap” systems.

• Security Personnel: Personnel responsible for controlling physical access who may reside on ‐ site or at a monitoring station.

• Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access into the Physical

Security Perimeter.

16

17

CIP-006-5 —R1.4

A new look- Requirements and Measures

 This is the old CIP-006-3 R5 Monitoring

Requirement

18

CIP-006-5 —R1.5

A new look- Requirements and Measures

More of the old R5 for High Impact and

Medium with ERC within 15 minutes

19

CIP-006-5 —R1.6

A new look- Requirements and Measures

• Specific to PACS associated with….this is the old CIP-006 R2.1 with a twist. PACS must now be monitored in addition to the

Physical Security Perimeter.

20

CIP-006-5 —R1.7

A new look- Requirements and Measures

NOTE: within 15 minutes for “detected” UA access to a PACS.

Added notification emphasis to contact identified in CSIRP.

21

CIP-006-5 —R1.8

A new look- Requirements and Measures

• Logs requirement (old CIP-006-3 R6)

22

CIP-006-5 —R1.9

A new look- Requirements and Measures

• Log retention stays the same (Old V3- R7)

23

CIP-006-5 —R1.10 (in work SDT)

24

CIP-006-5 —R2

A new look- Requirements and Measures

• Visitor Control Program Old (V3 R1.6)

• Added CIP Exceptional Circumstances

25

CIP-006-5 —R2.2 & 2.3

A new look- Requirements and Measures

Major change: log visitor only once per day.

(Initial entry and exit)- Point of Contact req.

• maintain logs for 90 days (R2.3)

26

CIP-006-5 —R3

A new look- Requirements and Measures

• Testing & Maintenance (CIP-006-3 R8) changed from 3 year to 2 year cycle

27

Physical Access Controls

• Key Control Program o Who has them?

o How do you log the use of a hard key?

o Is an alarm triggered when the door is opened? o Do they have a PRA?

o Training

28

Logging

• Visitor/escort forgets to log out.

• Are you in a Possible Violation situation?

o Can you retrieve data via Cameras?

o Other Logs?

o Ask and update to ensure completeness of logs.

At Your Service

• PSWG- Get plugged in!

• http://www.wecc.biz/committees/StandingCommittees/OC/

CIIMS/PSWG/default.aspx

• Phone call away-

 We want to help.

29

• Always willing to provide our “audit approach”

Questions?

Darren T. Nielsen, M.Ad, CISA,

CPP, PCI, PSP, CBRA, CBRM

Senior Compliance Auditor, Cyber Security

Western Electricity Coordinating Council

155 North 400 West, Suite 200

Salt Lake City, UT 84103

(801) 857-9134 dnielsen@wecc.biz

Download