1. © 2015 MetricStream, Inc. All Rights Reserved.
Explore the Implicit Requirements of the
NERC CIP RSAWs
Karl Perman
VP Member Services
EnergySec
Shreyank Shrinath Kamat
Product Manager
MetricStream
2. Agenda
RSAW format
Implicit requirements of CIP RSAWs
Leveraging technology for RSAW management
Q&A
4. RSAW Template
• Identifying Information
– Standard, Entity, Names of Auditors, etc.
• Applicability of Requirements by
Functional Model
• Color-coded
– Fixed text, Entity-supplied information,
Auditor-supplied information
• Findings
– Areas of Concern, Recommendations,
Positive Observations
© 2015 Energy Sector Security Consortium, Inc. 4
5. RSAW Template
• Entity’s Subject Matter Experts
• Requirement and Measures
• Questions
– Space for entity response, may reference
other documents
• Compliance Narrative
• Evidence
– Documents and descriptions
• Guidance & Questions for Auditors
7. Standard Drafting Team
• CIP V5 Transition FAQ, Response to
Comments
• “It is inappropriate to suggest that there is
an implicit requirement or an inherent
requirement that must be complied with as
requirements can only be explicit.”
8. Actual Auditors
• Lew Folkerth, Reliability First
– SPP RE CIP Workshop, June 2, 2015
• http://www.spp.org/documents/28852/2015%20cip%20workshop%20materials.pdf
– RF Newsletter, Issue 3
• https://www.serc1.org/docs/default-source/outreach/communications/resource-documents/serc-transmission-reference/201507---st/cip-v5-rsaw---rf-newsletter-article.pdf?sfvrsn=2
• Kevin Perry, SPP
– CIP Compliance Workshop, June 3, 2015
• Wayne Lewis, NPCC
– CIP Compliance Seminar, 3/24/15
• https://www.npcc.org/Compliance/CIP%20Seminars/Spring%202015%20CIP-010-2.pdf
10. Update Policies
• CIP-003-6
• Review and obtain CIP Senior Manager approval
for policies
• “The SDT received comments that Requirements
R1 and R2 require annual review of the policy, but
never explicitly require the policy to receive
updates as a result of that review. The SDT
believes this is implicit in the Requirement, and
updates would occur as part of an entity’s ongoing
compliance with the Requirement.”
– http://www.nerc.com/pa/Stand/Project%20200806%20Cyber%20Security%20Order%20706%20DL/Consideration_of_Comments_to_draft_3_102612_final.pdf
12. Classify assets
• CIP-002-5 requires entities to classify BES
Cyber Systems
• BES Cyber Asset will “adversely impact
one or more Facilities, systems, or
equipment”
• Classify assets as High, Medium, or Low;
BCA are then those Cyber Assets which affect
those assets, and they take their rating from
the asset they affect
13. Cyber Assets
• CIP-002 never explicitly says to identify
(list) Cyber Assets
– Need list of Cyber Assets to show that all that
should be BES Cyber Assets were identified
as such
14. Identify PCA
• CIP-005-5 R1 Part 1.1
• Cyber Assets connected to network via routable
protocol shall reside within a defined ESP
– Applicable Systems
• PCA Associated with High or Medium Impact BCS
• Need to identify PCA
– Auditors will likely want to audit a sample of
PCA, so you need a list of PCA
15. Verify PCA
• “After the ESP is defined, verify the
“implied” requirement of identifying any
PCA within the ESP has been completed”
• Have a process
• Use that process
16. ESP Process
• “Verify the Responsible Entity has
documented one or more process(es) which
require all applicable Cyber Assets connected
to a network via a routable protocol to reside
within a defined ESP.”
– RSAW CIP-005-5
• “In order to verify that each Cyber Asset
residing within a defined ESP has been
identified as either a BES Cyber Asset or as a
PCA, it may be necessary to examine the
ESP and conduct an inventory of network
connections within the ESP.”
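The two checks slides 14 to 16 describe (routable Cyber Assets must sit inside a defined ESP, and every Cyber Asset inside the ESP must be identified as a BES Cyber Asset or a PCA) can be run as a reconciliation of the ESP network inventory against the entity's identification list. This is an added example, not code from the presentation, EnergySec or MetricStream; the asset names, ESP name and classifications are constructed sample data.

```python
"""Reconcile an ESP network-connection inventory against the BCA/PCA list.

Added example (not from the presentation or its authors). It exercises the
implied checks behind CIP-005-5 R1 Part 1.1:
  1. every Cyber Asset connected via a routable protocol resides in a defined ESP;
  2. every Cyber Asset residing inside an ESP is identified as a BCA or a PCA.
All asset and ESP names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetworkConnection:
    asset: str              # Cyber Asset name from the ESP network inventory
    routable: bool          # connected via a routable protocol (e.g. IP)
    esp: Optional[str]      # defined ESP the asset sits in, None if outside any ESP


# Constructed inventory: what a walk of the ESP network connections would return.
ESP_INVENTORY = [
    NetworkConnection("hmi-01", routable=True, esp="ESP-Control-Center"),
    NetworkConnection("historian-01", routable=True, esp="ESP-Control-Center"),
    NetworkConnection("printer-01", routable=True, esp="ESP-Control-Center"),
    NetworkConnection("rtu-serial-07", routable=False, esp=None),
    NetworkConnection("eng-workstation-03", routable=True, esp=None),
]

# Constructed identification list: what the entity documented under CIP-002 / CIP-005.
IDENTIFIED = {
    "hmi-01": "BCA",
    "historian-01": "PCA",
}


def find_gaps(inventory, identified):
    """Return (outside_esp, unidentified): routable assets that sit in no ESP,
    and in-ESP assets that the entity has not identified as BCA or PCA."""
    outside_esp = sorted(c.asset for c in inventory if c.routable and c.esp is None)
    unidentified = sorted(
        c.asset for c in inventory
        if c.esp is not None and identified.get(c.asset) not in ("BCA", "PCA")
    )
    return outside_esp, unidentified


if __name__ == "__main__":
    outside, missing = find_gaps(ESP_INVENTORY, IDENTIFIED)
    print("routable but outside any ESP:", outside)            # ['eng-workstation-03']
    print("inside ESP but not identified as BCA/PCA:", missing)  # ['printer-01']
```

Either list being non-empty is the gap an auditor sampling PCA would find: the first is a CIP-005 R1.1 gap, the second is the implicit PCA identification gap the slides describe.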
17. Transient Cyber Assets and
Removable Media
• Evidence that Transient Cyber Assets and Removable Media
have been connected for 30 calendar days or less
– Record of connection and disconnection
• Evidence they have been utilized as authorized
– Record who used them
– Record where used
– Record purpose
• Record of review of Transient Cyber Assets managed by third
parties
• Record of Transient Cyber Asset patching if used to mitigate
vulnerabilities
• Record of anti-malware signature file updates if used to
mitigate introduction of malware
• Record of scans or other methods to detect and remove
malicious code before introducing Removable Media into the
Electronic Security Perimeter
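The evidence points on this slide amount to a record per connection that an auditor can test. The check below, an added example that is not part of the presentation or its authors' material, reviews a constructed connection log for the three things the slide calls out: a recorded disconnection, a connection of 30 calendar days or less, and who/where/purpose captured for each use.

```python
"""Review Transient Cyber Asset / Removable Media connection records against the
evidence listed for the RSAW. Added example, not code from the presentation or
its authors; the record fields, the log and the review date are constructed.
"""
from datetime import date

MAX_CONNECTED_DAYS = 30            # "connected for 30 calendar days or less"
AS_OF = date(2015, 6, 20)          # constructed review date for still-open records

# Constructed connection log: one row per connection of a TCA or Removable Media.
CONNECTION_LOG = [
    {"device": "tca-laptop-01", "connected": date(2015, 6, 1),
     "disconnected": date(2015, 6, 5), "user": "j.doe",
     "location": "Substation A", "purpose": "relay firmware update"},
    {"device": "usb-media-07", "connected": date(2015, 5, 1),
     "disconnected": date(2015, 6, 15), "user": "a.smith",
     "location": "Control Center", "purpose": "configuration backup"},
    {"device": "tca-laptop-02", "connected": date(2015, 6, 10),
     "disconnected": None, "user": "", "location": "Substation B",
     "purpose": "diagnostics"},
]


def review_connections(log, as_of):
    """Return a list of (device, finding) for records that would not satisfy the
    evidence the slide lists. A still-connected device is measured up to as_of."""
    findings = []
    for rec in log:
        end = rec["disconnected"]
        if end is None:
            findings.append((rec["device"], "no disconnection recorded"))
            end = as_of
        days = (end - rec["connected"]).days   # calendar days connected
        if days > MAX_CONNECTED_DAYS:
            findings.append((rec["device"],
                             f"connected {days} calendar days (> {MAX_CONNECTED_DAYS})"))
        for field in ("user", "location", "purpose"):   # "used as authorized" evidence
            if not rec[field]:
                findings.append((rec["device"], f"missing {field}"))
    return findings


if __name__ == "__main__":
    for device, finding in review_connections(CONNECTION_LOG, AS_OF):
        print(f"{device}: {finding}")
```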
18. Configuration Change
Management
• CIP-010-2 R1.4
– 1.4.1. Prior to the change, determine required
cyber security controls in CIP‐005 and
CIP‐007 that could be impacted by the
change;
– 1.4.2. Following the change, verify that
required cyber security controls determined in
1.4.1 are not adversely affected; and
– 1.4.3. Document the results of the verification.
• Should have test procedures documented
19. Test Configuration
Changes
• CIP-010-2 R1.5
• Identify configuration of test environment
• Identify how the test environment differs from
the production environment
– High Impact BCS
20. CIP-010-2
• 1.5 “Where technically feasible, for each change that
deviates from the existing baseline configuration:
1.5.2. Document the results of the testing and, if a test
environment was used, the differences between the test
environment and the production environment, including a
description of the measures used to account for any
differences in operation between the test and production
environments.”
• Document which identifies devices and
configurations in a test environment
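Slides 18 to 20 together describe one procedure for a baseline change: determine the CIP-005/CIP-007 controls the change could impact (1.4.1), verify them afterwards (1.4.2) and document the result (1.4.3). The following added example, not code from the presentation or its authors, works that procedure through for one constructed change against an explicit in-scope control list of the kind the speaker notes recommend; the control ids and the mapping of controls to baseline items are illustrative assumptions.

```python
"""Work through CIP-010-2 R1.4 for one change to a baseline configuration.
Added example; not code from the presentation. The in-scope control list, its
mapping to baseline items and the change below are constructed.
"""

# Constructed in-scope control list: control id -> (requirement reference,
# baseline configuration items the control depends on).
IN_SCOPE_CONTROLS = {
    "ESP-ACCESS-PERMISSIONS": ("CIP-005 R1.3", {"firewall-ruleset"}),
    "PORTS-AND-SERVICES": ("CIP-007 R1.1", {"listening-ports", "os-version"}),
    "PATCH-MANAGEMENT": ("CIP-007 R2", {"os-version", "installed-software"}),
    "MALICIOUS-CODE-PREVENTION": ("CIP-007 R3", {"installed-software"}),
    "SECURITY-EVENT-LOGGING": ("CIP-007 R4", {"logging-config"}),
}


def impacted_controls(changed_items, controls=IN_SCOPE_CONTROLS):
    """1.4.1: controls whose baseline dependencies intersect the change."""
    return sorted(cid for cid, (_, deps) in controls.items() if deps & changed_items)


def verify_change(changed_items, post_change_results, controls=IN_SCOPE_CONTROLS):
    """1.4.2 / 1.4.3: build the record to retain. 'unverified' lists impacted
    controls with no post-change test result, 'failed' those whose test did not pass."""
    impacted = impacted_controls(changed_items, controls)
    record = {"changed_items": sorted(changed_items), "impacted": impacted,
              "results": {}, "unverified": [], "failed": []}
    for cid in impacted:
        outcome = post_change_results.get(cid)
        record["results"][cid] = (controls[cid][0], outcome)
        if outcome is None:
            record["unverified"].append(cid)
        elif outcome != "pass":
            record["failed"].append(cid)
    record["complete"] = not record["unverified"] and not record["failed"]
    return record


# Constructed change: an OS upgrade that also altered the installed-software baseline.
CHANGE = {"os-version", "installed-software"}
# Constructed post-change test results; the malware control was never re-tested.
POST_CHANGE_RESULTS = {"PORTS-AND-SERVICES": "pass", "PATCH-MANAGEMENT": "pass"}

if __name__ == "__main__":
    rec = verify_change(CHANGE, POST_CHANGE_RESULTS)
    print("impacted:", rec["impacted"])
    print("unverified:", rec["unverified"], "complete:", rec["complete"])
```

An incomplete record is exactly what an auditor reading 1.4.3 would flag: a control was determined to be impacted but no verification result was documented.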
21. Leveraging Technology for RSAW Management
Shreyank Shrinath Kamat
Product Manager
MetricStream
24. Setup Content (CIP standards, requirements, controls etc.)
Structure a logical compliance
hierarchy, including Areas of
Compliance, Standards,
Requirements, Controls and
Assets.
Configure workflows for
managing both internal and
external standards, mapping
regulations, developing
controls, performing
compliance audits, preparing
and implementing action
plans, and identifying and
remedying issues.
[Diagram: GRC Library containing Areas of Compliance, Standards, Requirements, Controls, Assets, and Questions and Procedures]
25. Update Content (Regulatory Changes)
Regulatory Alert
Interpretation
Create Channel
Subscribe Channel
Filter Alerts
Act on Alerts
Track Issues
26. Test Cyber Security Management Controls
Define and Manage Controls to protect
Cyber Assets
Manage Password Changes to CCAs
Perform Control Assessments on regular
basis
Control Tests to identify strength of
controls
Notifications to appropriate officers
Logs and audit trail maintenance
Equivalent to Self Correcting Process
Improvement mentioned in Version 5
27. Issue Remediation
Review & Approve Issues
Create
Remediation Plans
Implement
Planned Actions
Monitor & Approve Actions
Close Issue
Review and Approve issues that arise from tests, self-assessments and certifications.
Define one or more Action/Remediation plans to
Document the work done and results and send the
implemented Actions for review and approval.
Monitor the status and progress of issues and
implementation of remediation plans.
Close issues after all the action plan is implemented
and approved.
28. Surveys and Certifications
Create Questionnaire
Initiate
Surveys or Certifications
File Responses
Certify & Sign-Off
Log Findings & Issues
Create sections and add questions manually or from
the GRC library under every questionnaire.
Initiate a Survey or a Certification by choosing a
questionnaire and selecting respondents and
approvers.
File responses or collaborate with other respondents
for responses.
Collate the Survey responses, Approve and sign-off the
assessments and key compliance program data.
Add Findings/Issues to capture non-conformance.
29. RSAW Management
Initiate Survey using in-built
CIP questionnaires
Record Responses
Attach Evidence
Populate Survey Response
into RSAW template
Select a CIP questionnaire and initiate a survey to one
or more users.
File responses or collaborate with other respondents
for responses.
Attach Evidence to the survey from the GRC library or
from a previous survey or from the local system.
Select the survey response and populate the same in
the in-built RSAW template.
Generate RSAW
Generate and download the completed RSAW in word
format for editing.
30. Enforce Policies to Effectively Manage Compliance
Creation, Storage,
Organization, Search
Creation, Review,
Approval
Mapping to Risks and
Controls
Alerts and Notifications
Awareness and Training
Tracking and Visibility
Policies & Procedures for Implementing a physical security program
Setting prerequisites for granting approvals, assigning work etc.
Define methods, processes, and procedures for securing Cyber Assets & BES
31. Real-time Monitoring and Reporting
Risk Intelligence by Regulations &
Critical Assets
Track NERC version and Migration
check
Monitor NERC Compliance Audit
Readiness
Regulatory Filings, Certifications
33. MetricStream Advantage – NERC CIP Solution
Best in class Governance, Risk and Compliance solutions provider
Platform based solution – with integrated risk, compliance, policy, issue and change management systems
Experience in working with numerous electric utilities in the US ranging from co-ops to investor owned
Built in content with controls and industry best practices
One-Click Automated RSAW generation – reduction in RSAW production times from weeks to just a few minutes/hours.
Have real-time visibility into business to avoid compliance concerns
34. About MetricStream
Vision Integrated Governance, Risk and Compliance for Better Business Performance
Solutions
• NERC CIP Compliance
• Risk Management
• Business Continuity Management
• IT GRC
• Audit Management
• Supplier Governance
• Quality Management
• EHS & Sustainability
• Governance & Ethics
• Content and Training
• Over 1,800 employees
• Headquarters in Palo Alto, California with offices worldwide
• Over 350 enterprise customers
• Privately held – Backed by leading global VCs, Sage View Capital, Goldman Sachs
Differentiators
• Technology - GRC Platform – 9 Patents
• Breadth of Solutions – Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com - Largest Compliance Portal on the Web
Organization
Partners
35. Q&A
Please submit your questions to the host by typing into the chat box on the
lower right-hand portion of your screen.
Thank you for participating!
A copy of this presentation will be made available to all participants within the next 48 working hours.
For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars
Karl Perman
VP Member Services
EnergySec
Email: karl@energysec.org
Shreyank S. Kamat
Product Manager
MetricStream
Email: shreyank.kamat@metricstream.com
36. THANK YOU
Contact Us:
Website: www.metricstream.com | Email: webinar@metricstream.com
Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554
Speaker notes
Might as well end the webinar, NERC said there’s no such thing.
Example of a quote from Lew Folkerth at the CIP Workshop, June 2, 2015: No definition for security control has been offered. It is highly recommended that entities establish a list of security controls that they consider in-scope for testing. This list of controls should be considered when determining which controls could be adversely impacted by any proposed change. This can be used to more easily document the differences between the test environment and the production environment.