
Protecting Cyber System stability through management of user privileges

Mitigate risks by implementing personnel risk assessment, training, and awareness programs to protect BES Cyber Systems.


Presentation Transcript


  1. Protecting Cyber System stability through management of user privileges
  April 9, 2019
  Domenic Darling, Associate Compliance Auditor

  2. Opening Statement
  To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

  3. Agenda
  • Cyber Security Awareness
  • Cyber Security Training
  • Personnel Risk Assessment
  • Access Management
  • Access Revocation
  • CIP Exceptional Circumstances
  • Extenuating Operating Circumstances
  • CIP Data Set – Personnel Tab

  4. R1 - Security Awareness
  • Reinforced each calendar quarter
  • Evidence
  • For personnel with authorized electronic access and unescorted physical access

  5. R2 - Cyber Security Training
  • Cyber security training specific to roles, functions, and responsibilities
  • Training content specified in 2.1.1 – 2.1.9

  6. R2 - Cyber Security Training
  • 2.1.1. Cyber security policies;
  • 2.1.2. Physical access controls;
  • 2.1.3. Electronic access controls;
  • 2.1.4. The visitor control program;
  • 2.1.5. Handling of BES Cyber System Information and its storage;
  • 2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity’s incident response plan;
  • 2.1.7. Recovery plans for BES Cyber Systems;
  • 2.1.8. Response to Cyber Security Incidents; and
  • 2.1.9. Cyber security risks associated with a BES Cyber System’s electronic interconnectivity and interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media.

  7. R2 - Cyber Security Training
  • Train PRIOR to granting access
  • Complete annually (at least once every 15 months)

  8. R2 - Security Objectives
  • Documented role-based training programs
  • Needs to cover 2.1.1 – 2.1.9
  • Verify training dates prior to access
  • Verify annual completion

  9. Observations
  • Lack of detail in documented processes
  • Processes and procedures should include more than the language of the standard
  • Lack of detail in training content
  • Individuals receiving incorrect role-based training
  • Best practice is to make it one for all, all for one

  10. R3 - Personnel Risk Assessment
  • Confirm identity
  • Seven-year criminal history check
  • Process and criteria to evaluate results
  • PRAs for contractors and vendors
  • Renewal process

  11. Security Objectives
  • Documented PRA process that includes:
    • Identity validation
    • Seven-year criminal history
    • Supporting documentation if seven years cannot be completed
    • Evaluation of results
  • Verification of PRA dates:
    • Initial and renewal

  12. Observations
  • Lack of detail in documented processes
  • Processes and procedures should include more than the language of the standard
  • Personally identifiable information (PII) contained in PRAs
  • Contractor/vendor inconsistencies
  • Expired renewals

  13. Exercise
  What is NOT required in a personnel risk assessment?
  A – Seven years of criminal history
  B – Identity check
  C – How many friends they have on Facebook
  D – Current residence

  14. R4 – Access Management
  • Access Management Program
  • Access authorization process covering:
    • Electronic access
    • Unescorted physical access
    • Designated BES Cyber System Information (BCSI) storage locations
  • Quarterly verification of authorization records
  • Annual verification of:
    • Electronic access privileges to applicable BES Cyber Systems
    • Access to designated BCSI storage locations

  15. Security Objectives
  • Documented access management program
  • Must address all aspects of 4.1 – 4.4
  • Verify that quarterly and annual reviews are conducted

  16. Observations
  • Lack of detail in documented processes
  • Processes and procedures should include more than the language of the standard
  • Not capturing the business need
  • Missing review segments
  • Silos
  • Separation of duties

  17. R5 – Access Revocation
  • Documented access revocation process
  • Terminations:
    • Initiate removal of the ability for unescorted physical access and Interactive Remote Access immediately, and complete it within 24 hours
    • Revoke electronic/physical access to designated BCSI storage locations by the end of the next calendar day
    • Revoke non-shared user accounts within 30 days
    • Change shared account passwords within 30 days
  • Transfers/Reassignments:
    • Revoke electronic and physical access by the end of the next business day once the entity determines it is no longer needed
    • Change shared account passwords within 30 days

  18. Security Objective
  • Processes for terminations and transfers/reassignments, which must include everything in 5.1 through 5.5
  • Evidence of implementation

  19. Observations
  • Lack of detail in documented processes
  • Processes and procedures should include more than the language of the standard
  • Evidence to demonstrate revocations
  • Silos

  20. Exercise
  What types of access need to be removed within 24 hours of the termination action?
  A – Physical Access to BCSI Storage Locations
  B – Interactive Remote Access
  C – Unescorted Physical Access
  D – Electronic Access to BCSI Storage Locations
  E – All of the above
  F – B & C

  21. CIP Exceptional Circumstances
  A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large-scale workforce availability.
  Applies to CIP-004-6 R2 (Training) and R4 (Authorization)
  • Verify with the entity whether CECs have been invoked
  • If so, documentation in accordance with CIP-003-6 R1 1.1.9
  • Data request, RSAW narrative, evidence, or interview

  22. Extenuating Operating Circumstances
  • A longer time period is needed to change a shared password (5.5)
  • The password must be changed and the change documented within 10 days after the end date of the extenuating operating circumstances
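To make the R5 termination timelines and the extenuating-operating-circumstance extension above concrete, here is an added Python example (not from the presentation or the auditor) that checks termination records for revocation evidence and compares each completion time against its deadline. The access-type labels, record layout and sample records are constructed for illustration; transfer/reassignment timelines are not modelled.

```python
from datetime import datetime, timedelta


def deadline(access_type, terminated_at, eoc_end=None):
    """Latest compliant completion time for one access type following a
    termination action. eoc_end is the end date of an extenuating operating
    circumstance and only affects shared account passwords (5.5)."""
    if access_type in ("unescorted_physical", "interactive_remote"):
        return terminated_at + timedelta(hours=24)       # complete within 24 hours
    if access_type in ("bcsi_storage_physical", "bcsi_storage_electronic"):
        next_day = terminated_at.date() + timedelta(days=1)
        return datetime.combine(next_day, datetime.max.time())  # end of next calendar day
    if access_type == "nonshared_account":
        return terminated_at + timedelta(days=30)        # revoke within 30 days
    if access_type == "shared_password":
        if eoc_end is not None:                          # extenuating operating circumstance
            return eoc_end + timedelta(days=10)          # change within 10 days of its end
        return terminated_at + timedelta(days=30)        # otherwise within 30 days
    raise ValueError(f"unknown access type: {access_type}")


def check_revocations(records):
    """Return (person, access_type, finding) for each record lacking evidence or completed late."""
    findings = []
    for rec in records:
        due = deadline(rec["type"], rec["terminated_at"], rec.get("eoc_end"))
        done = rec.get("revoked_at")
        if done is None:
            findings.append((rec["person"], rec["type"], "no revocation evidence"))
        elif done > due:
            findings.append((rec["person"], rec["type"], f"late by {done - due}"))
    return findings


# Constructed sample records (hypothetical person and access-type labels).
T = datetime(2019, 4, 9, 15, 30)  # time of the termination action
SAMPLE = [
    {"person": "user01", "type": "unescorted_physical", "terminated_at": T,
     "revoked_at": T + timedelta(hours=2)},                   # within 24 hours
    {"person": "user01", "type": "interactive_remote", "terminated_at": T,
     "revoked_at": T + timedelta(hours=26)},                  # 2 hours late
    {"person": "user01", "type": "bcsi_storage_electronic", "terminated_at": T,
     "revoked_at": datetime(2019, 4, 10, 23, 0)},             # before end of next calendar day
    {"person": "user01", "type": "nonshared_account", "terminated_at": T,
     "revoked_at": None},                                     # no evidence on file
    {"person": "user01", "type": "shared_password", "terminated_at": T,
     "eoc_end": datetime(2019, 5, 20), "revoked_at": datetime(2019, 5, 29)},  # EOC path
]

if __name__ == "__main__":
    for finding in check_revocations(SAMPLE):
        print(*finding)
```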

  23. Automation
  • Centralized Access Management
  • Evidence
  • Configurations
  • Queries
  • Workflow

  24. Personnel Tab – CIP Data Set

  25. Personnel Tab – CIP Data Set
  • Personnel information

  26. Personnel Tab – CIP Data Set
  • Initial access
  • Transfers or reassignments, and terminations

  27. Personnel Tab – CIP Data Set
  • Types of access

  28. Personnel Tab – CIP Data Set

  29. Summary
  • Cyber Security Awareness
  • Cyber Security Training
  • Personnel Risk Assessment
  • Access Management
  • Access Revocation
  • CIP Exceptional Circumstances
  • Extenuating Operating Circumstances
  • CIP Data Set – Personnel Tab

  30. For CIP Questions

  31. Domenic Darling, Associate Compliance Auditor, ddarling@wecc.org
