310 likes | 499 Views
Lisa Wood CISA, CBRM, CBRA Associate Compliance Auditor, Cyber Security. CIP Version 5 Low Impact Update Open Webinar Thursday, March 20, 2014. Agenda. CIP-003-5 R2 SDT Meeting (3/19/2014) original and proposed language Action Items Upcoming Events. CIP-003-5 R2 Original Language .
E N D
Lisa Wood CISA, CBRM, CBRAAssociate Compliance Auditor, Cyber Security CIP Version 5 Low Impact Update Open Webinar Thursday, March 20, 2014
Agenda • CIP-003-5 R2 SDT Meeting (3/19/2014) • original and proposed language • Action Items • Upcoming Events
CIP-003-5 R2 Original Language Original Language • R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning] • 2.1 Cyber security awareness; • 2.2 Physical security controls; • 2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and • 2.4 Incident response to a Cyber Security Incident. • An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.
Original Measure Original Measure M2. Examples of evidence may include, but are not limited to, one or more documented cyber security policies and evidence of processes, procedures, or plans that demonstrate the implementation of the required topics; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.
CIP-003-5 R2 Proposed Language Proposed Language • R2 – Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 (assets containing one or more low impact BES Cyber Systems), shall implement one or more documented processes that collectively address the following topics: and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months • 2.1 Operational or procedural controls that restrict physical access to low impact BES Cyber Systems. • 2.2 Access controls to restrict access to low impact BES Cyber Systems via the assets external routable protocol connections and Dial-up Connectivity, if any. • 2.3 Cyber security incident response, including conditions for activation of the response plan(s) in a timely manner, roles and responsibilities of responders • 2.4 Security awareness for the responsible entity’s personnel that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) and at least every 15 calendar months reinforces 2.1, 2.2, and 2.3 above. An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Note: This is a draft and is subject to change.
Proposed Requirement Measures • Not discussed, more to come • Need to pin down the requirement and associated topics (R2.1, R2.2, R2.3, and R2.4)
SDT Action Items 3/19/2014 • Address suggestions for draft language • Complete the sentence (R2.3) • Develop guidance (e.g. R2.1 and R2.2 on controls) • Address individuals that may not have electronic access • Review “timely” verbiage (R2.3) • Consider those entities with joint ownership/access • Change wording to make it flow better
Upcoming Events • Next Standard Drafting Team meeting • April 22-24, 2014, NERC (Atlanta, GA) – Register • CIP v5 Roadshow • May 14-15, 2014, WECC (Salt Lake City) • WECC CIPUG • June 5, 2014, WECC (Salt Lake City)
Lisa Wood, CISA, CBRM, CBRA Associate Compliance Auditor, Cyber Security lwood@wecc.biz Desk: 801-819-7601 Cell: 801-300-0225 Questions?
Bryan Carr, PMP, CISACompliance Auditor, Cyber Security CIP Version 5 Standards Update and Question & Answer
Phil O’DonnellManager Operations and Planning Audits Compliance Open Webinar March 20, 2014
Automatic Time Error Correction • BAL-001-1 • BAL-004-WECC-2 • Implementation Times • Method of Calculation • Maximum Inadvertent
ATEC Implementation Times • Standard is effective at midnight 4/1/2014 • Algebraic change. Should not alter operating ACE. • Biggest risk of implementation are technical issues with EMS changes • Should perform at time when most appropriate for your company • 4/1 is weekday • Sometime on 3/31 to Sometime on 4/1 • Does not have to be at midnight.
ATEC Method of Calculation • Can be manual Warning • Calculation is not intuitive or simple • Several terms change each hour • Time stamp required (prove by H + 50 min)
ATEC Maximum Inadvertent • R1.Following the conclusion of each month each Balancing Authority shall verify that the absolute value of its Accumulated Primary Inadvertent Interchange (PIIaccum) for both the monthly On-Peak period and the monthly Off-Peak period are each individuallyless than or equal to: • 1.1. For load-serving Balancing Authorities, 150% of the previous calendar year’s integrated hourly Peak Demand • 1.2. For generation-only Balancing Authorities, 150% of the previous calendar year’s integrated hourly peak generation.
EOP-004-2 Requirement 1 • R1. Each Responsible Entity shall have an event reporting Operating Plan in accordance with EOP-004-2 Attachment 1 that includes the protocol(s) for reporting to the Electric Reliability Organization and other organizations (e.g., the Regional Entity, company personnel, the Responsible Entity’s Reliability Coordinator, law enforcement, or governmental authority).
EOP-004-2 Perodic Data Submittal • Will be required for 1st quarter • Form available • Reportable event occurred • Time/Date of Start/Date of Report/Method • Did you comply
PER-005 Reliability Related Tasks R1.1. Each Reliability Coordinator, Balancing Authority and Transmission Operator shall create a list of BES company-specific reliability-related tasks performed by its System Operators. What is an acceptable “task list”
PER-005 Purpose • To ensure that System Operators performing real-time, reliability-related tasks on the North American Bulk Electric System (BES) are competent to perform those reliability-related tasks. The competency of System Operators is critical to the reliability of the North American Bulk Electric System.
PER-005 Tasks Includes tasks that are: Real-Time BES Company Specific Reliability Related* *Emergency Tasks – YES *Abnormal Operations – YES *Normal Operations -YES
PER-005 Areas • Monitoring of normal conditions • Routine operations that if done incorrectly can have adverse impact. • Coordination and Communications • Response to abnormal conditions • Response to emergencies
PER-005 Thresholds & Audit Approach…Evolving… Audit Team Options • No identifiable ommissions - no comments • Some areas for the entity to consider during it’s next review of the task list - Make verbal suggestions • List is missing some significant operating areas or topics - Issue a “Recommendation” • List is missing so many tasks that a different audit team may not find it sufficient or could contribute to an event - Issue an “Area of Concern” • List is missing so many tasks or task areas that it is not credible to call it a “list” developed under the requirements of PER-005-1 – Possible Violation
Phil O’Donnell Manager, Operations & Planning Audits (801) 734-8274 podonnell@wecc.biz
Keshav SarinManager, Enforcement O&P and CIP Best Practices Web Page March 2014, 2014
Best Practices Web Page • One location for best practices related to NERC Reliability Standards • These recommendations are industry practices provided by WECC staff during: • Outreach Events such as CUG and CIPUG • Self Report/Self Cert Review • Mitigation Plan and CMP Reviews • Requested by Registered Entities
Best Practices Web Page – How to get there? • http://www.wecc.biz/compliance/Pages/Best-Practices.aspx
Best Practices Web Page - Future • Could include any applicable • Audit Recommendations • Reliability Recommendations • Will be updated to include any best practices/recommendations presentations after future CUG and CIPUG • Your feedback is always important!
KeshavSarin Manager, Enforcement O&P and CIP (801) 819-7648 ksarin@wecc.biz Questions?
2014 Generation • April 15th and 16th at PG&E’s San Ramon, California facility. • • There is no cost for attending • • The event will be limited, so please sign up early! • • WICF has posted link for registration: • https://www.surveymonkey.com/s/QHG3NLH • Contact Leland McMillan(LMcmillan@pplweb.com)
Laura Scholl Director of Stakeholder Relations and Outreach lscholl@wecc.biz