Protecting Cyber System stability through management of user privileges April 9, 2019 Domenic Darling Associate Compliance Auditor
Opening Statement To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
Agenda • Cyber Security Awareness • Cyber Security Training • Personnel Risk Assessment • Access Management • Access Revocation • CIP Exceptional Circumstances • Extenuating Operating Circumstances • CIP Data Set – Personnel Tab
R1 - Security Awareness • Reinforced at least once each calendar quarter (Part 1.1) • Evidence that each quarterly reinforcement took place • Applies to personnel with authorized electronic access or authorized unescorted physical access
R2 - Cyber Security Training • Cyber security training specific to roles, functions, responsibilities • Training content specified in 2.1.1 – 2.1.9
R2 - Cyber Security Training
• 2.1.1. Cyber security policies;
• 2.1.2. Physical access controls;
• 2.1.3. Electronic access controls;
• 2.1.4. The visitor control program;
• 2.1.5. Handling of BES Cyber System Information and its storage;
• 2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity’s incident response plan;
• 2.1.7. Recovery plans for BES Cyber Systems;
• 2.1.8. Response to Cyber Security Incidents; and
• 2.1.9. Cyber security risks associated with a BES Cyber System’s electronic interconnectivity and interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media.
R2 - Cyber Security Training • Train PRIOR to granting authorized electronic access or authorized unescorted physical access (Part 2.2), except during CIP Exceptional Circumstances • Complete at least once every 15 calendar months (Part 2.3), not merely "annually"
R2 - Security Objectives • Documented role-based training programs • Needs to cover 2.1.1 – 2.1.9 • Verify training completion dates precede the access grant date • Verify recurring completion within each 15-calendar-month window
Observations • Lack of details in documented processes • Processes and procedures should include more than the language of the standard • Lack of details in training content • Individuals receiving training for the wrong role • Best practice is "one for all, all for one": a single program covering 2.1.1 – 2.1.9 for everyone removes the risk of assigning the wrong role-based module
R3 - Personnel Risk Assessment • Confirm identity (3.1) • Seven-year criminal history records check covering the current residence and any location where the individual lived for six consecutive months or more (3.2) • Process and criteria to evaluate results (3.3) • PRAs for contractors and vendors (3.4) • Renewal process: PRA within the last seven years before access, renewed at least every seven years (3.5)
Security Objectives • Documented PRA process, that includes: • Identity validation • Seven-year criminal history records check • Supporting documentation of the reasons if the full seven years cannot be completed • Evaluation of results • Verification of PRA dates • Initial (before access) and renewal (at least every seven years)
Observations • Lack of details in documented processes • Processes and procedures should include more than the language of the standard • Personally identifiable information (PII) included in PRA evidence • Contractor/vendor inconsistencies • Expired renewals
Exercise What is NOT required in a personnel risk assessment? A – Seven years of criminal history B – Identity check C – How many friends they have on Facebook D – Current residence
R4 – Access Management
• Access Management Program
• Access authorization process, based on need as determined by the entity (4.1), covering:
  • Electronic access
  • Unescorted physical access into a Physical Security Perimeter
  • Designated BES Cyber System Information (BCSI) storage locations
• Quarterly verification (at least once each calendar quarter) that individuals with active electronic or unescorted physical access have an authorization record (4.2)
• Verification at least once every 15 calendar months of:
  • User accounts, account groups or role categories and their privileges on applicable BES Cyber Systems, confirming they are correct and necessary (4.3)
  • Access to designated BCSI storage locations, confirming it is correct and necessary (4.4)
Security Objectives • Documented access management program • Must address all aspects of 4.1 – 4.4 • Verify that the quarterly (4.2) and 15-calendar-month (4.3, 4.4) reviews are conducted
Observations • Lack of details in documented processes • Processes and procedures should include more than the language of the standard • Not capturing the business need • Missing review segments • Silos • Separation of duties
R5 – Access Revocation
• Documented access revocation process
• Terminations:
  • Initiate removal of the ability for unescorted physical access and Interactive Remote Access immediately and complete it within 24 hours of the termination action (5.1)
  • Revoke access to designated BCSI storage locations by the end of the next calendar day (5.3)
  • Revoke non-shared user accounts within 30 calendar days (5.4)
  • Change passwords for shared accounts known to the individual within 30 calendar days (5.5)
• Transfers/Reassignments:
  • Revoke electronic access to individual accounts and unescorted physical access that the entity determines are no longer needed by the end of the next calendar day following that determination (5.2)
  • Change shared account passwords within 30 calendar days of that determination (5.5)
Security Objective • Processes for terminations and transfers/reassignments, which must include everything in 5.1 through 5.5 • Evidence of implementation
Observations • Lack of details in documented processes • Processes and procedures should include more than the language of the standard • Evidence to demonstrate revocations • Silos
Exercise What types of access need to be removed within 24 hours of the termination action? A – Physical Access to BCSI Storage Locations B – Interactive Remote Access C – Unescorted Physical Access D – Electronic Access to BCSI Storage Locations E – All of the above F – B & C
CIP Exceptional Circumstances
• Definition: a situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability
• CIP-004-6 allows the exception in Part 2.2 (training prior to access) and Part 4.1 (access authorization)
• Verify with the entity whether CECs have been invoked
• If so, expect documentation in accordance with CIP-003-6 R1 Part 1.1.9 (declaring and responding to CIP Exceptional Circumstances)
• Sources: data request, RSAW narrative, evidence, or interview
Extenuating Operating Circumstances • Part 5.5 allows a longer period to change a shared account password when the entity determines and documents that extenuating operating circumstances require it • The password must then be changed, and the change documented, within 10 calendar days following the end of those circumstances
Automation • Centralized Access Management • Evidence • Configurations • Queries • Workflow
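The checks an auditor asks for under R2 through R5 (training and PRA dates that precede and remain current for each access grant, the quarterly 4.2 reconciliation of active access against authorization records, and the R5 revocation clocks) are the kind of "queries" evidence the Automation slide has in mind. The following Python is an added example, not WECC's or the presenter's tooling, that reconciles a constructed access export against constructed personnel records as of a review date. The person IDs, dates and access kinds are made up, and the way the 15-calendar-month, seven-year and 30-calendar-day windows are bounded is an assumption about how an entity might read the standard's wording; substitute the entity's documented interpretation before relying on it.

```python
"""
Added example (not WECC's or the presenter's code): reconcile an access export
against personnel records for CIP-004-6 R2/R3/R4/R5.  All records are constructed.
"""
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional


def end_of_calendar_month(d: date, months_ahead: int) -> date:
    """Last day of the calendar month `months_ahead` after d's month."""
    y, m0 = divmod(d.month - 1 + months_ahead, 12)
    y += d.year
    return date(y, m0 + 1, calendar.monthrange(y, m0 + 1)[1])


def training_due(last_completed: date) -> date:
    # Part 2.3: "at least once every 15 calendar months".  Assumption: the last
    # compliant day is the last day of the 15th calendar month after completion.
    return end_of_calendar_month(last_completed, 15)


def pra_due(last_pra: date) -> date:
    # Part 3.5: PRA "within the last seven years".  Assumption: last compliant day
    # is the day before the seventh anniversary; 29 Feb rolls back to 28 Feb.
    try:
        anniversary = last_pra.replace(year=last_pra.year + 7)
    except ValueError:
        anniversary = last_pra.replace(year=last_pra.year + 7, day=28)
    return anniversary - timedelta(days=1)


def revocation_deadlines(terminated_at: datetime) -> dict[str, datetime]:
    """Exclusive deadlines (revocation must be complete strictly before) for a
    termination action at `terminated_at` (timezone-aware), per CIP-004-6 R5."""
    tz = terminated_at.tzinfo
    day0 = terminated_at.date()
    start_of = lambda d: datetime.combine(d, time.min, tzinfo=tz)
    return {
        # 5.1: unescorted physical access and Interactive Remote Access, 24 hours
        "unescorted_physical": terminated_at + timedelta(hours=24),
        "ira": terminated_at + timedelta(hours=24),
        # 5.3: BCSI storage locations, by end of the next calendar day
        "bcsi_storage": start_of(day0 + timedelta(days=2)),
        # 5.4 / 5.5: non-shared accounts and shared passwords, 30 calendar days
        # (assumption: day 30 counts from the day after the termination action)
        "user_account": start_of(day0 + timedelta(days=31)),
        "shared_password": start_of(day0 + timedelta(days=31)),
    }


@dataclass
class Person:
    pid: str
    authorized: bool                         # authorization record exists (4.1)
    training: Optional[date]                 # last training completion (2.2, 2.3)
    pra: Optional[date]                      # last PRA completion (3.5)
    terminated_at: Optional[datetime] = None  # termination action timestamp (R5)


def reconcile(active: list[tuple[str, str]], people: dict[str, Person],
              as_of: datetime) -> list[str]:
    """One finding per (person, access kind) that fails a check at `as_of`."""
    findings: list[str] = []
    today = as_of.date()
    for pid, kind in active:
        p = people.get(pid)
        if p is None or not p.authorized:
            findings.append(f"{pid}/{kind}: active access without authorization record (4.2)")
            continue
        if p.terminated_at is not None:
            deadline = revocation_deadlines(p.terminated_at).get(kind)
            if deadline is not None and as_of >= deadline:
                findings.append(f"{pid}/{kind}: revocation overdue since {deadline.isoformat()} (R5)")
            continue  # training/PRA currency is moot for a departed individual
        if p.training is None or today > training_due(p.training):
            findings.append(f"{pid}/{kind}: training missing or older than 15 calendar months (2.3)")
        if p.pra is None or today > pra_due(p.pra):
            findings.append(f"{pid}/{kind}: PRA missing or older than seven years (3.5)")
    return findings


UTC = timezone.utc
REVIEW = datetime(2019, 4, 9, 9, 0, tzinfo=UTC)  # constructed review timestamp

PEOPLE = {  # constructed personnel records
    "u1001": Person("u1001", True, date(2018, 3, 12), date(2013, 6, 1)),   # all current
    "u1002": Person("u1002", True, date(2017, 12, 20), date(2015, 9, 9)),  # training lapsed
    "u1003": Person("u1003", True, date(2018, 8, 1), date(2012, 2, 29)),   # PRA lapsed
    "u1004": Person("u1004", True, date(2018, 8, 1), date(2016, 1, 5),
                    terminated_at=datetime(2019, 4, 7, 16, 30, tzinfo=UTC)),
}
ACTIVE = [  # constructed export of access still active at REVIEW
    ("u1001", "user_account"), ("u1002", "user_account"),
    ("u1003", "unescorted_physical"),
    ("u1004", "ira"), ("u1004", "bcsi_storage"), ("u1004", "user_account"),
    ("u1005", "user_account"),  # no personnel record at all
]


def review_findings() -> list[str]:
    return reconcile(ACTIVE, PEOPLE, REVIEW)


if __name__ == "__main__":
    for line in review_findings():
        print(line)
```

Running it as of the constructed review date flags u1002 (training window closed 31 March 2019), u1003 (PRA expired), u1004's IRA and BCSI storage access (past the 24-hour and next-calendar-day clocks, while the 30-day account clock is still running) and u1005 (no authorization record); u1001 produces nothing. The same loop, pointed at a real AD, badge-system and BCSI-repository export, is the quarterly 4.2 evidence the slides ask for, with the script and its input exports retained as the configuration and query evidence.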
Personnel Tab – CIP Data Set • Personnel information • Initial access • Transfers or reassignments, and terminations • Types of access
Summary • Cyber Security Awareness • Cyber Security Training • Personnel Risk Assessment • Access Management • Access Revocation • CIP Exceptional Circumstances • Extenuating operating circumstances • CIP Data Set – Personnel Tab
Domenic Darling Associate Compliance Auditor ddarling@wecc.org