1 / 116

Ben Christensen Senior CIP Enforcement Analyst

Ben Christensen Senior CIP Enforcement Analyst. CIP-010-1 May 15, 2014 SLC, UT. Pop Quiz!!. Who invented the electric motor? William Sturgeon Thomas Davenport Michael Faraday. Pop Quiz!!. Who invented the electric motor?. Michael Faraday. Agenda.

zaynah
Download Presentation

Ben Christensen Senior CIP Enforcement Analyst

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ben ChristensenSenior CIP Enforcement Analyst CIP-010-1 May 15, 2014 SLC, UT

  2. Pop Quiz!! • Who invented the electric motor? • William Sturgeon • Thomas Davenport • Michael Faraday

  3. Pop Quiz!! • Who invented the electric motor? Michael Faraday

  4. Agenda • Help entities understand and prepare for the upcoming CIP 010-1 • Differences and relations to current requirements • Possible pitfalls to look for while implementing CIP 010-1 • WECC’s audit approach • Best practices

  5. CIP 010-1

  6. Purpose of CIP 010-1 • Prevent and detect unauthorized changes to BES Cyber Systems. • Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise. • Document and maintain device baselines and periodically verify they are accurate.

  7. Applicable Systems

  8. CIP 010-1 Similarities with V.3 • CIP 003-3 R6: Change Control and Configuration Management • CIP 007-3 R1: Test procedures • CIP 005-3 R4 and CIP 007-3 R8: Cyber Vulnerability Assessment(s) • CIP 007-3 R9 andCIP 005-3 R5: Documentation review and maintenance

  9. POP Quiz!! • Who invented the modern automobile? • Henry Ford • Karl Benz • Ransom Olds

  10. Pop Quiz!! • Who invented the modern automobile? Karl Benz

  11. CIP 010-1 R1

  12. CIP 010-1 R1.1 • Applicable to Protected Cyber Assets (PCA) and specifies information required in device baselines CIP 003-3 R6 CIP 010-1 R1.1

  13. CIP-010-1 R1.1 - Possible Pitfall #1 • CIP 003-3 R6 was previously not applicable to Non-CCAs that resided within an ESP. Thus entity did not create baselines or update procedures to ensure baselines were maintained for these devices.

  14. CIP-010-1 R1.1 - Possible Pitfall #2 • Entity does not ensure documented baselines for all devices contain operating system, commercial/open source software, custom software, logical ports, and security patches applied.

  15. CIP-010-1 R1.1 Approach • Ensure entity has documented baselines for all devices (or group of devices) in applicable BES Cyber Systems • Verify Baselines include operating system/firmware, commercial software, custom software, logical network accessible ports, and security patches applied

  16. CIP 010-1 R1.1 Best Practice • Use combination of automated tools and manual walkthroughs/verifications to ensure lists and baselines are accurate • Minimize applications on devices to only what is necessary • Include step to periodically verify accuracy of applicable device lists and baselines

  17. CIP 010-1 R1.1 Best Practice • Discussions and careful planning should be conducted on the method for maintaining device baselines • Review CIP 007 R3 presentation from Oct 2013 CIPUG for common methods to maintain information • What method is best for your organization: • Commercial Software • Custom Software • Spreadsheet

  18. CIP 010-1 R1.1 Best Practice • Consider Moving away from spreadsheets and other manual methods, look into more advanced methods for retaining information. • See Joe B presentation from October 2011 CIPUG on advantages of moving from spreadsheet to relational database • Includes some labeling schema tips as well for when implementing a database for device management

  19. CIP 010-1 R1.2 • Applicable to PCA and requires changes to be authorized CIP 003-3 R6 CIP 010-1 R1.2

  20. CIP-010-1 R1.2 - Possible Pitfall • Entity cannot demonstrate all changes made to baseline(s) were authorized

  21. CIP 010-1 R1.2 - Approach • Ensure all changes made to baselines have been authorized.

  22. CIP 010-1 R1.2 – Best Practice • Update procedural documentation to include at minimum: • Who can authorize changes, and to what • When authorization needs to occur • How the authorization will be documented, stored, and tracked • Segregation of duties • The implementer should be different from the authorizer

  23. CIP 010-1 R1.3 • Baselines must be updated within 30 days of change CIP 005-3 R5 CIP 010-1 R1.3 CIP 007-3 R9

  24. CIP 010-1 R1.3 – Possible Pitfall • Entity cannot demonstrate baselines are updated within 30 days of changes made

  25. CIP 010-1 R1.3 - Approach • Ensure entity is updating baselines within 30 days of when change was made. • Start date will be determined by reviewing work orders, tracking sheet, or other documentation that details when the change actually occurred.

  26. CIP 010-1 R1.3 – Best Practices • Procedures for updating baselines should address: • Who will communicate the changes made to the baselines • How changes will be communicated • Who the changes are communicated to • When the changes will be made

  27. CIP 010-1 R1.3 – Best Practices • Maintain a version history when updating documentation. • Version number • Who performed the update to the documentation • Who made the change to the device • Who authorized the change • What was changed

  28. POP Quiz!! • Who invented the printing press?

  29. POP Quiz!! • Who invented the printing press? Johannes Gutenberg

  30. CIP 010-1 R1.4 • Impact due to a change must consider security controls in CIP 005 and CIP 007 CIP 010-1 R1.4 CIP 007-3 R1

  31. CIP 010-1 R1.4 – Possible Pitfall • Entity verifies same controls for all changes made to any baseline. • Thus entity does not account for different environments, devices, or changes when determining what controls could be impacted • May be ok if all controls are verified every time

  32. CIP 010-1 R1.4 - Approach • Verify all changes made to device baselines are documented • Ensure controls that may be impacted were identified and documented prior to the change • Why were some controls not included? • Review evidence supporting identified controls were not adversely impacted

  33. CIP 010-1 R1.4 – Best Practices • Procedures should include: • Documenting date all steps taken to support cyber security controls were identified prior to change taking place • How are potential impacted cyber security controls identified? • Who does this? • How will adverse impacts will be detected • Who does this and when?

  34. CIP 010-1 R1.4 – Best Practices • Include a peer review step for reviewing what controls may be impacted and when verifying controls weren’t adversely impacted • Coordinate testing processes between departments, business units, etc. to ensure consistency

  35. CIP 010-1 R1.5 CIP 010-1 R1.5 CIP 007-3 R1

  36. CIP 010-1 R1.5 cont.. • Only applicable to High Impact systems • Specific to security controls that must be tested • Security Controls in CIP 005 and CIP 007 • New test environment requirements • Document if test environment was used • Document differences between test and production environment • Measures taken to account for these differences

  37. CIP 010-1 R1.5 Possible Pitfall • Entity does not document differences between production and testing environment • Entity does not take measures to account for differences in the production and testing environment.

  38. CIP 010-1 R1.5 - Approach • For each change that deviates from existing baseline: • List of cyber security controls tested • Test results • List of differences between the production and test environments • Descriptions of how any differences were accounted for • When testing occurred.

  39. CIP 010-1 R1.5 – Best Practices • Use checklist or other task managing tool to reduce likelihood of not testing all controls • Document specific test procedures for all cyber assets or group of assets? • Describe the test procedures • Describe the test environment and how It reflects the production environment

  40. CIP 010-1 R2

  41. POP Quiz!! • When was the atomic bomb first invented?

  42. POP Quiz!! • When was the atomic bomb first invented? July 1945

  43. CIP 010-1 R2.1 • Must actively search for unauthorized changes to baseline • Automated preferred but can be manual • Must document and investigate unauthorized changes CIP 003-3 R6 CIP 010-1 R2.1

  44. CIP-010-1 R2.1 – Possible Pitfall • Not consistently monitoring for changes every 35 days • Entity begins process at end of month • Thus entity continuously misses 35 day deadline as it does not have enough time to complete review • Documentation is inconsistent and SMEs can’t keep track if specific devices have automated or manual process for tracking configuration changes

  45. CIP 010-1 R2.1 - Approach • logs from a system that is monitoring configurations • Work orders, tracking sheets, raw data evidence of manual investigations • Records investigating detected unauthorized changes

  46. CIP 010-1 R2 – Best Practice • Consider using a commercial or open source File Integrity Monitoring software for continuous monitoring • Start monitoring process with enough advance to complete review • Consider using an automated task managing tool

  47. CIP 010-1 R2 – Best Practice • What if you find an unauthorized change? • What change(s) have been madewithout authorization • Who made the change(s)? • When were the change(s) made? • How can a similar issue be prevented?

  48. CIP 010-1 R1 and R2 QUIZ Time

  49. CIP 010-1 R1 and R2 • Entities are required to test all changes in a test environment that reflects the production environment. False

More Related