Ben Christensen, Senior CIP Enforcement Analyst. CIP-010-1. May 15, 2014, SLC, UT
Pop Quiz!! • Who invented the electric motor? • William Sturgeon • Thomas Davenport • Michael Faraday
Pop Quiz!! • Who invented the electric motor? Michael Faraday
Agenda • Help entities understand and prepare for the upcoming CIP 010-1 • Differences and relations to current requirements • Possible pitfalls to look for while implementing CIP 010-1 • WECC’s audit approach • Best practices
Purpose of CIP 010-1 • Prevent and detect unauthorized changes to BES Cyber Systems. • Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise. • Document and maintain device baselines and periodically verify they are accurate.
CIP 010-1 Similarities with V.3 • CIP 003-3 R6: Change Control and Configuration Management • CIP 007-3 R1: Test procedures • CIP 005-3 R4 and CIP 007-3 R8: Cyber Vulnerability Assessment(s) • CIP 007-3 R9 and CIP 005-3 R5: Documentation review and maintenance
POP Quiz!! • Who invented the modern automobile? • Henry Ford • Karl Benz • Ransom Olds
Pop Quiz!! • Who invented the modern automobile? Karl Benz
CIP 010-1 R1.1 • Applicable to Protected Cyber Assets (PCA) and specifies information required in device baselines • V.3 counterpart: CIP 003-3 R6
CIP-010-1 R1.1 - Possible Pitfall #1 • CIP 003-3 R6 was previously not applicable to Non-CCAs that resided within an ESP. Thus the entity did not create baselines, or update procedures to ensure baselines were maintained, for these devices.
CIP-010-1 R1.1 - Possible Pitfall #2 • Entity does not ensure documented baselines for all devices contain operating system, commercial/open source software, custom software, logical ports, and security patches applied.
CIP-010-1 R1.1 Approach • Ensure entity has documented baselines for all devices (or group of devices) in applicable BES Cyber Systems • Verify Baselines include operating system/firmware, commercial software, custom software, logical network accessible ports, and security patches applied
CIP 010-1 R1.1 Best Practice • Use combination of automated tools and manual walkthroughs/verifications to ensure lists and baselines are accurate • Minimize applications on devices to only what is necessary • Include step to periodically verify accuracy of applicable device lists and baselines
CIP 010-1 R1.1 Best Practice • Discussions and careful planning should be conducted on the method for maintaining device baselines • Review CIP 007 R3 presentation from Oct 2013 CIPUG for common methods to maintain information • What method is best for your organization: • Commercial Software • Custom Software • Spreadsheet
CIP 010-1 R1.1 Best Practice • Consider moving away from spreadsheets and other manual methods; look into more advanced methods for retaining information. • See Joe B presentation from October 2011 CIPUG on advantages of moving from spreadsheet to relational database • Includes some labeling schema tips as well for when implementing a database for device management
CIP 010-1 R1.2 • Applicable to PCA and requires changes to be authorized • V.3 counterpart: CIP 003-3 R6
CIP-010-1 R1.2 - Possible Pitfall • Entity cannot demonstrate all changes made to baseline(s) were authorized
CIP 010-1 R1.2 - Approach • Ensure all changes made to baselines have been authorized.
CIP 010-1 R1.2 – Best Practice • Update procedural documentation to include at minimum: • Who can authorize changes, and to what • When authorization needs to occur • How the authorization will be documented, stored, and tracked • Segregation of duties • The implementer should be different from the authorizer
CIP 010-1 R1.3 • Baselines must be updated within 30 days of change • V.3 counterparts: CIP 005-3 R5, CIP 007-3 R9
CIP 010-1 R1.3 – Possible Pitfall • Entity cannot demonstrate baselines are updated within 30 days of changes made
CIP 010-1 R1.3 - Approach • Ensure entity is updating baselines within 30 days of when change was made. • Start date will be determined by reviewing work orders, tracking sheet, or other documentation that details when the change actually occurred.
CIP 010-1 R1.3 – Best Practices • Procedures for updating baselines should address: • Who will communicate the changes made to the baselines • How changes will be communicated • Who the changes are communicated to • When the changes will be made
CIP 010-1 R1.3 – Best Practices • Maintain a version history when updating documentation. • Version number • Who performed the update to the documentation • Who made the change to the device • Who authorized the change • What was changed
POP Quiz!! • Who invented the printing press?
POP Quiz!! • Who invented the printing press? Johannes Gutenberg
CIP 010-1 R1.4 • Impact due to a change must consider security controls in CIP 005 and CIP 007 • V.3 counterpart: CIP 007-3 R1
CIP 010-1 R1.4 – Possible Pitfall • Entity verifies the same controls for all changes made to any baseline. • Thus the entity does not account for different environments, devices, or changes when determining what controls could be impacted • May be OK if all controls are verified every time
CIP 010-1 R1.4 - Approach • Verify all changes made to device baselines are documented • Ensure controls that may be impacted were identified and documented prior to the change • Why were some controls not included? • Review evidence supporting identified controls were not adversely impacted
CIP 010-1 R1.4 – Best Practices • Procedures should include: • Documenting the date and all steps taken to ensure cyber security controls were identified prior to the change taking place • How are potentially impacted cyber security controls identified? • Who does this? • How will adverse impacts be detected? • Who does this and when?
CIP 010-1 R1.4 – Best Practices • Include a peer review step for reviewing what controls may be impacted and when verifying controls weren’t adversely impacted • Coordinate testing processes between departments, business units, etc. to ensure consistency
CIP 010-1 R1.5 • V.3 counterpart: CIP 007-3 R1
CIP 010-1 R1.5 cont. • Only applicable to High Impact systems • Specific to security controls that must be tested • Security Controls in CIP 005 and CIP 007 • New test environment requirements • Document if test environment was used • Document differences between test and production environment • Measures taken to account for these differences
CIP 010-1 R1.5 Possible Pitfall • Entity does not document differences between production and testing environment • Entity does not take measures to account for differences in the production and testing environment.
CIP 010-1 R1.5 - Approach • For each change that deviates from existing baseline: • List of cyber security controls tested • Test results • List of differences between the production and test environments • Descriptions of how any differences were accounted for • When testing occurred.
CIP 010-1 R1.5 – Best Practices • Use a checklist or other task managing tool to reduce the likelihood of not testing all controls • Document specific test procedures for all cyber assets or groups of assets • Describe the test procedures • Describe the test environment and how it reflects the production environment
POP Quiz!! • When was the atomic bomb first invented?
POP Quiz!! • When was the atomic bomb first invented? July 1945
CIP 010-1 R2.1 • Must actively search for unauthorized changes to baseline • Automated preferred but can be manual • Must document and investigate unauthorized changes • V.3 counterpart: CIP 003-3 R6
CIP-010-1 R2.1 – Possible Pitfall • Not consistently monitoring for changes every 35 days • Entity begins process at end of month • Thus entity continuously misses 35 day deadline as it does not have enough time to complete review • Documentation is inconsistent and SMEs can’t keep track if specific devices have automated or manual process for tracking configuration changes
CIP 010-1 R2.1 - Approach • Logs from a system that is monitoring configurations • Work orders, tracking sheets, raw data evidence of manual investigations • Records investigating detected unauthorized changes
CIP 010-1 R2 – Best Practice • Consider using a commercial or open source File Integrity Monitoring software for continuous monitoring • Start monitoring process with enough advance to complete review • Consider using an automated task managing tool
CIP 010-1 R2 – Best Practice • What if you find an unauthorized change? • What change(s) have been made without authorization? • Who made the change(s)? • When were the change(s) made? • How can a similar issue be prevented?
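Added example, not part of the WECC presentation: a minimal baseline comparison that ties R1.1, R1.2 and R2.1 together. A documented baseline (OS/firmware, commercial software, custom software, logical ports, security patches) is diffed against a freshly collected snapshot, each deviation is matched against authorization records, and the 35-day monitoring cadence is checked. Device names, versions and patch identifiers are constructed sample values.

```python
from datetime import date

# Constructed R1.1 baseline for one hypothetical device; each category is a set of items.
BASELINE = {
    "os/firmware": {"Windows Server 2008 R2 SP1"},
    "commercial": {"Acme SCADA Client 4.2", "Antivirus X 11.0"},
    "custom": {"alarm-forwarder 1.3"},
    "ports": {"22/tcp", "443/tcp", "3389/tcp"},
    "patches": {"KB-SAMPLE-001", "KB-SAMPLE-002"},
}

# Constructed snapshot collected from the device during the R2.1 review.
SNAPSHOT = {
    "os/firmware": {"Windows Server 2008 R2 SP1"},
    "commercial": {"Acme SCADA Client 4.2", "Antivirus X 11.0"},
    "custom": {"alarm-forwarder 1.4"},                          # custom app upgraded
    "ports": {"22/tcp", "443/tcp", "3389/tcp", "8080/tcp"},     # new listening port
    "patches": {"KB-SAMPLE-001", "KB-SAMPLE-002", "KB-SAMPLE-003"},
}

# Constructed R1.2 authorization records: (category, action, item).
AUTHORIZED = {
    ("patches", "added", "KB-SAMPLE-003"),
    ("custom", "removed", "alarm-forwarder 1.3"),
    ("custom", "added", "alarm-forwarder 1.4"),
}


def diff_baseline(baseline, snapshot):
    """Return every deviation from the baseline as (category, action, item), sorted."""
    changes = []
    for category, expected in baseline.items():
        actual = snapshot.get(category, set())
        changes += [(category, "added", item) for item in actual - expected]
        changes += [(category, "removed", item) for item in expected - actual]
    return sorted(changes)


def unauthorized_changes(baseline, snapshot, authorized):
    """Deviations with no matching authorization record: the R2.1 investigation list."""
    return [c for c in diff_baseline(baseline, snapshot) if c not in authorized]


def monitoring_overdue(last_check_iso, today_iso, window_days=35):
    """True when more than the R2.1 window (35 days) has passed since the last check."""
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_check_iso)
    return elapsed.days > window_days


if __name__ == "__main__":
    for change in unauthorized_changes(BASELINE, SNAPSHOT, AUTHORIZED):
        print("UNAUTHORIZED:", change)          # the 8080/tcp listener has no record
    print("overdue:", monitoring_overdue("2014-04-01", "2014-05-15"))
```

The authorized upgrade and patch are filtered out, leaving only the new port to document and investigate; the port-level diff is what a file integrity monitoring tool or manual walkthrough would feed into the same review.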
CIP 010-1 R1 and R2 QUIZ Time
CIP 010-1 R1 and R2 • Entities are required to test all changes in a test environment that reflects the production environment. False