William Fletcher, ICF International


Presentation Transcript


    1. Vulnerabilities with Protective Relays Serially-Connected to BES Substation Networks. William Fletcher, ICF International

    2. Agenda: Presenter Overview; CIP-002 v1 – v3 R1 – R3 Refresher; Problem Setup – “Notes from the field”; Shortcomings To Protection: CIP v1-v4 R3; Discussion: Solutions, Questions?

    3. Present: Technical Director, ICF Cybersecurity; 2009-2010: Senior Compliance Engineer with WECC1, extensive work with CIP-002 in CEA space; 2001-2009: Telecommunications – Oregon COU; 1989 – 2001: “Ex a lot of things” in IT and Telecom

    4. CIP-002 R1 v1-v3 Refresher: Identify Critical Assets / Critical Cyber Assets

    5. NERC Guideline CCA Identification: Serial Connectivity – Page 28. “Essential or nonessential serially-connected Cyber Assets that do not communicate with systems outside the preliminary ESP using a routable protocol are not required to be located within an ESP.” (p3) “Essential serially-connected Cyber Assets, such as RTUs, which communicate outside the preliminary ESP using a routable protocol, for example to an Energy Management System (EMS), meet the qualifying connectivity requirement of R3.1, regardless of whether they communicate using a data concentrator or through a local control system.” (p5)

    6. NERC Guideline CCA Identification: Accessibility via Routable Protocol – Page 28. “... Requirement 3.1 requires that the Cyber Asset “use a routable protocol to communicate outside the Electronic Security Perimeter” to be considered as having qualifying connectivity. The requirement does not state that the Cyber Asset itself must be directly connected by a routable protocol. Thus serially connected Cyber Assets can meet the qualifying connectivity criterion in Requirement 3.1, if a routable connection is used to communicate outside the preliminary ESP….” (p4)

    7. NERC Guideline CCA Identification: Issue Condition: Preliminary ESP

    8. “… CIP-002 Doesn’t require you to define preliminary ESPs …”; “… If the relays are serially connected I don’t have to identify them as CCAs per CIP-002, regardless of what they are connected to and regardless of their PRC-005 status because I have no ESP…”; “… Our rules don’t allow us to remotely access relays, even though, yes, our system permits it. But with our rules, this issue is out of scope….”; “... Sovereign Immunity makes it so I don’t have to comply…”

    9. NERC Guideline CCA Identification: Kudos to SGWG – Page 37

    10. NERC Guideline CCA Identification: Page 35, “a perilous CIP-002 R3 null”

    11. NERC Guideline CCA Identification: Problem Statement - Shortcomings

    12. NERC Guideline CCA Identification: WECC CIP Auditor Presentation - Feb 2011

    13. Obstacles: What about Status Quo? CIP-002 v5? Compliance Application Notice? New CMEP paradigm? Revised Sufficiency Review? Compliance vs. Security…..

    14. Thank you! Email: wfletcher@icfi.com
