
CIP Violation Data Trends 2012-2015, Deandra Williams-Lewis (ReliabilityFirst slide presentation)



  1. CIP Violation Data Trends 2012-2015 Deandra Williams-Lewis

  2. Violation Volume Decreasing
  CIP Violations by Deemed Date (count per year):
    2010: 259
    2011: 165
    2012: 153
    2013: 91
    2014: 92
    2015: 53
  - 2010: Mandatory compliance for all CIP Standards begins; RF commences full-scope audits; entities at beginning stages of CIP implementation
  - 2015: Maturation of CIP programs; increased use of automated tools; increased outreach
  Forward Together • ReliabilityFirst

  3. Majority of Violations are Self-Reported
  - Larger entities drive the volume of self-reports
  - Two audit outliers in 2014 were responsible for 92 of 117 audit violations; otherwise a steady downward trend

  4. Volume Driven by High-Frequency Conduct
  - Requirements concerning “high-frequency conduct” drive volume:
    • CIP-004 R4 (access: lists for cyber access and physical access; revoking privileges)
    • CIP-006 R1 (physical security of critical cyber assets: physical access logging)
    • CIP-007 R5 (account management: passwords and access lists)
  - These violations tend to be self-reported and pose a lesser risk
  - However, they can be indicative of systemic issues

  5. Detection and Reporting Duration Improvement
  - Decrease between Deemed and Reporting Dates*
  - Average decrease of 317 days (trending downward)
  * Includes noncompliance start date, time to identify, assess, correct, and then report

  6. Improved Risk Posture
  - Year-over-year decrease in severity
  - 75% of CIP violations are Minimal to Moderate risk
  - 9% of CIP violations are Serious risk
    • implementation issues
    • culture and programmatic issues

  7. Volume Driven by Larger Entities
  - Larger entities have experienced initial implementation challenges
  - More assets, business units, and people = more challenges
    • 100% of serious risk issues concern larger entities
    • 93.3% of audit findings concern larger entities
    • 79.8% of all violations driven by large entities
  - CIP Themes Report: identified and shared common themes

  8. Observations
  - Possible drivers of positive trending
    • Maturation (both RF and entities)
    • Active monitoring and enforcement
    • Trending, analytics, and sharing
      ‒ Assist visits and outreach
      ‒ CIP Themes Report
      ‒ Case study outreach
  - Remain vigilant – moving target
  - Dynamic regulatory approach
    ‒ Focus on continuous improvement
    ‒ Violations not always indicative of security state
      • Volume can indicate strong detective controls or weak preventative/corrective controls
      • Paper compliance does not equal security

  9. Common CIP Themes Patrick O’Connor

  10. Purpose of CIP Themes Report
  - IDENTIFY
    • Common themes underlying systemic CIP violations
    • Possible resolutions
      ‒ Not directive, because “one size does not fit all”
    • Based on RF’s observations through years of compliance monitoring and enforcement activities
      ‒ Collaborated with entities that dealt with higher-risk CIP violations
      ‒ In coordination with NERC
  - COMMUNICATE
    • Raise awareness and prevent recurrence
      ‒ Report available on RF’s website

  11. The Identified CIP Themes

  12. Scenario #1
  - Entity implemented tools to monitor its account usage.
    • Entity did not configure these properly, causing voluminous logs that could not be meaningfully digested.
  - Entity implemented a tool to automatically generate revocation notices.
    • The responsible employee did not review the notifications and thus did not perform the necessary revocations.

  13. Scenario #2
  - Entity utilized a vendor’s asset management system.
    • Protecting Critical Cyber Asset Information was not considered nor mentioned in the vendor contract.
  - Entity contracted with a vendor to provide security patch management.
    • Vendor did not provide the entity with timely assessments of patch releases.

  14. Scenario #3
  - Entity used its mirrored back-up data center as its disaster recovery data center.
    • Entity did not understand that corruption of the main data center would promptly result in a corrupted back-up data center.
  - Entity permitted compromised assets to communicate freely with a command and control server.
    • Entity did not understand firewall commands (“permit any any” on outbound traffic).
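The second half of Scenario #3 comes down to one egress rule that nobody read carefully. The following is an added example (not from the ReliabilityFirst deck or its CIP Themes Report) showing how a defender can lint an outbound rule list for exactly that mistake. It assumes a simplified, Cisco-like extended-ACL syntax with first-match semantics; the two rule sets and all addresses in them are constructed for illustration, with the "weak" set reproducing the deck's "permit any any" on outbound traffic beside a hardened set that only permits known services and ends in an explicit deny.

```python
"""Lint an outbound (egress) firewall rule list for catch-all permits.

Added example, not from the ReliabilityFirst presentation. The rule syntax
below is a simplified Cisco-like extended ACL (an assumption): every line is
'permit|deny <proto> <src> <dst> [eq <port>]', evaluated first-match.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule sets for illustration (addresses are documentation ranges).
WEAK_OUTBOUND = [
    "permit ip any any",                 # the scenario's mistake: unrestricted egress
    "deny tcp 10.1.0.0/16 any eq 6667",  # never evaluated: shadowed by the line above
]

HARDENED_OUTBOUND = [
    "permit tcp 10.1.0.0/16 203.0.113.10 eq 443",  # patch mirror (constructed address)
    "permit udp 10.1.0.0/16 198.51.100.53 eq 53",  # DMZ resolver (constructed address)
    "deny ip any any",                             # explicit default so it is visible and loggable
]


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (all), "tcp", "udp", ...
    src: str               # "any" or an address/prefix
    dst: str               # "any" or an address/prefix
    port: Optional[str]    # destination port, or None when unrestricted


def parse_rule(line: str) -> Rule:
    """Parse one ACL line such as 'permit tcp 10.1.0.0/16 203.0.113.10 eq 443'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    port = tokens[5] if len(tokens) >= 6 and tokens[4] == "eq" else None
    return Rule(tokens[0], tokens[1], tokens[2], tokens[3], port)


def _is_catch_all_permit(r: Rule) -> bool:
    """A permit that matches every host, protocol and port."""
    return r.action == "permit" and r.proto == "ip" and r.src == "any" \
        and r.dst == "any" and r.port is None


def lint_outbound(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (severity, rule_index, message) findings for an egress rule list.

    high:   'permit <proto> any any' with no port restriction
    medium: a permit to any destination on any port, or a rule shadowed by an
            earlier catch-all permit (first-match means it can never fire)
    low:    no explicit final 'deny ip any any'
    """
    rules = [parse_rule(line) for line in lines]
    findings: List[Tuple[str, int, str]] = []
    catch_all_at: Optional[int] = None

    for i, r in enumerate(rules):
        if catch_all_at is not None:
            findings.append(("medium", i,
                             f"rule {i} is shadowed by the catch-all permit at rule "
                             f"{catch_all_at} and never matches"))
            continue
        if r.action == "permit" and r.src == "any" and r.dst == "any" and r.port is None:
            findings.append(("high", i,
                             "permit any any: every internal host may reach every "
                             "external host on every port"))
            if _is_catch_all_permit(r):
                catch_all_at = i
        elif r.action == "permit" and r.dst == "any" and r.port is None:
            findings.append(("medium", i,
                             f"permit from {r.src} to any destination on any port: "
                             "egress is not limited to known services"))

    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append(("low", len(rules),
                         "no explicit final 'deny ip any any'; add one so the default "
                         "is visible in the policy and can be logged"))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_OUTBOUND), ("hardened", HARDENED_OUTBOUND)):
        print(f"[{name}] {len(lint_outbound(ruleset))} finding(s)")
        for severity, idx, msg in lint_outbound(ruleset):
            print(f"  {severity.upper():6} rule {idx}: {msg}")
```

Run against the weak set the linter reports the catch-all permit, the shadowed rule behind it, and the missing explicit deny; the hardened set produces no findings. The same idea scales to a real export of the egress policy: the high-severity check is the one that would have caught the Scenario #3 misconfiguration before the compromised assets were allowed to talk out.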

  15. Questions & Answers
