CIP Violation Data Trends 2012-2015
Deandra Williams-Lewis
Violation Volume Decreasing
CIP Violations by Deemed Date (chart): 2010: 259; 2011: 165; 2012: 153; 2013: 91; 2014: 92; 2015: 53
2010: Mandatory compliance for all CIP Standards begins; RF commences full-scope audits; entities at beginning stages of CIP implementation
2015: Maturation of CIP programs; increased use of automated tools; increased outreach
Forward Together • ReliabilityFirst
Majority of Violations are Self-Reported
• Larger entities drive the volume of self-reports
• Two audit outliers in 2014 were responsible for 92 of 117 audit violations; otherwise a steady downward trend
Volume Driven by High-Frequency Conduct
Requirements concerning “high-frequency conduct” drive volume:
• CIP-004, R4 (access: lists for cyber access and physical access; revoking privileges)
• CIP-006, R1 (physical security of critical cyber assets: physical access logging)
• CIP-007, R5 (account management: passwords and access lists)
These violations tend to be self-reported and pose a lesser risk; however, they can be indicative of systemic issues.
Detection and Reporting Duration Improvement
Decrease between deemed and reporting dates*: average decrease of 317 days (trending downward)
* Includes noncompliance start date, time to identify, assess, correct, and then report
Improved Risk Posture
Year-over-year decrease in severity
• 75% of CIP violations are minimal to moderate risk
• 9% of CIP violations are serious risk
  ‒ implementation issues
  ‒ culture and programmatic issues
Volume Driven by Larger Entities
Larger entities have experienced initial implementation challenges
More assets, business units, and people = more challenges
• 100% of serious risk issues concern larger entities
• 93.3% of audit findings concern larger entities
• 79.8% of all violations driven by large entities
CIP Themes Report: identified and shared common themes
Observations
Possible Drivers of Positive Trending
• Maturation (both RF and Entities)
• Active Monitoring and Enforcement
• Trending, Analytics, and Sharing
  ‒ Assist Visits and Outreach
  ‒ CIP Themes Report
  ‒ Case Study Outreach
Remain Vigilant – Moving Target
Dynamic Regulatory Approach
  ‒ Focus on continuous improvement
  ‒ Violations not always indicative of security state
    • Volume can indicate strong detective controls or weak preventative/corrective controls
    • Paper compliance does not equal security
Common CIP Themes
Patrick O’Connor
Purpose of CIP Themes Report
IDENTIFY
• Common themes underlying systemic CIP violations.
• Possible resolutions
  ‒ Not directive because “one size does not fit all”
• Based on RF’s observations through years of compliance monitoring and enforcement activities
  ‒ Collaborated with entities that dealt with higher risk CIP violations
  ‒ In coordination with NERC
COMMUNICATE
• Raise awareness and prevent recurrence
  ‒ Report available on RF’s website
The Identified CIP Themes
Scenario #1
Entity implemented tools to monitor its account usage.
• Entity did not configure these properly, causing voluminous logs that could not be meaningfully digested.
Entity implemented a tool to automatically generate revocation notices.
• The responsible employee did not review the notifications and thus did not perform the necessary revocations.
Scenario #2
Entity utilized a vendor’s asset management system.
• Protecting Critical Cyber Asset Information was not considered nor mentioned in the vendor contract.
Entity contracted with a vendor to provide security patch management.
• Vendor did not provide the entity with timely assessments of patch releases.
Scenario #3
Entity used its mirrored back-up data center as its disaster recovery data center.
• Entity did not understand that corruption of the main data center would promptly result in a corrupted back-up data center.
Entity permitted compromised assets to communicate freely with a command and control server.
• Entity did not understand firewall commands (“permit any any” on outbound traffic).
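As an added illustration of the firewall mistake in Scenario #3 (example code, not part of the ReliabilityFirst report), the following Python script parses a constructed Cisco-style extended ACL applied to outbound traffic and flags every rule that permits any source to any destination with no port restriction; the sample ACL contents and the line format it parses are assumptions.

```python
# Added example (not from the ReliabilityFirst report): flag "permit any any"
# rules in an outbound ACL. The sample ACL and its Cisco-style line format
# are constructed assumptions for illustration.
from collections import namedtuple

Rule = namedtuple("Rule", "line_no action proto src dst port")

# Constructed sample: an extended ACL applied outbound on a data-center edge.
SAMPLE_OUTBOUND_ACL = """
permit tcp host 10.1.5.20 host 198.51.100.7 eq 443
permit udp 10.1.0.0 0.0.255.255 host 10.2.0.53 eq 53
permit ip any any
deny ip any any
"""

def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return tokens.pop(0)
    wildcard = tokens.pop(0)
    # A wildcard of all ones matches every address, so treat it as 'any'.
    return "any" if wildcard == "255.255.255.255" else f"{head}/{wildcard}"

def parse_acl(text):
    """Parse ACL lines into Rule tuples, skipping blanks and '!' comments."""
    rules = []
    for line_no, raw in enumerate(text.strip().splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_address(rest)
        dst = _take_address(rest)
        # Port is "any" unless an 'eq PORT' qualifier follows the destination.
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
        rules.append(Rule(line_no, action, proto, src, dst, port))
    return rules

def find_open_outbound(rules):
    """Return permits from any source to any destination on any port."""
    return [r for r in rules if r.action == "permit"
            and r.src == "any" and r.dst == "any" and r.port == "any"]

if __name__ == "__main__":
    for r in find_open_outbound(parse_acl(SAMPLE_OUTBOUND_ACL)):
        print(f"line {r.line_no}: '{r.action} {r.proto} any any' is unrestricted outbound")
```

Such a rule lets any compromised internal host reach arbitrary external addresses; the expected finding is the single `permit ip any any` line, which a restrictive outbound policy would replace with explicit destination and port permits.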
Questions & Answers