Low Impact Focus Group August 16, 2018
Opening Comments
This meeting is being recorded. All lines will be muted. In order to comment, you may:
• Use the WebEx “Raise Hand” feature.
• Send a message to the presenter via WebEx chat.
When commenting, be mindful that this is an open call. RF cannot fully pre-screen the attendees.
Forward Together • ReliabilityFirst

Announcements
NERC’s Antitrust Guidelines are available at:
• http://www.nerc.com/pa/Stand/Resources/Documents/NERC_Antitrust_Compliances_Guidelines.pdf
This is a public call. RF cannot fully pre-screen the attendees.

Mailing List
ciplifg@lists.rfirst.org
This list is intended as a discussion forum. List changes, such as additions or removals, should be sent to: lew.folkerth@rfirst.org

Low Impact-related Questions
RF received a set of questions assembled by multiple entities with respect to low impact BES Cyber Systems (LIBCS). The questions posed and RF’s answers follow. The questions have been edited to adapt to this slide deck and to reflect the approval of CIP-003-7.
As is normal practice, RF cannot pre-validate a compliance program. Each compliance program must be subjected to audit to determine its effectiveness in establishing compliance with the applicable Standards.
LIBCS Question 1
Would the following addition to a corporate Security Plan be the MINIMUM operational or procedural control/evidence needed to demonstrate compliance with CIP-003-7 Attachment 1 Section 2?

LIBCS Question 1
Provisions of the Proposed Cyber Security Plan
Physical Security Boundaries
Low Impact Physical Security Boundaries (LIPSBs) are defined as access-restricted physical boundaries surrounding locations containing:
1. Low impact BES Cyber Systems, and/or
2. The Cyber Asset(s) that provide electronic access control(s) implemented for CIP-003 Attachment 1 Section 3.1.
The LIPSB is established by a physical barrier consisting of one or more of the following: fences, gates, walls, enclosures or other physical barriers. Each LIPSB will have at least one controlled access point protected by Physical Security Controls.

LIBCS Question 1
Physical Security Controls
Physical Security Controls consist of the following:
• Physical locks or locking mechanisms that allow access using a physical key.
• Electronic locks or locking mechanisms that allow access by scanning a keycard on a reader.

LIBCS Question 1
Access Authorization
Physical access to all entity-identified LIPSBs will be restricted to personnel with a need based on job function. Personnel with the following job functions are authorized based on need by this Security Plan to access all entity LIPSBs. A documented list of authorized personnel will not be created:
• Generation, Transmission, Distribution and IT Operations
• Physical/Cyber Security
• Building/Property Maintenance or Infrastructure Support

LIBCS Question 1
Revocation of Access
Personnel authorized for physical access to LIPSBs will be provided physical keys, passwords and/or keycards that allow access via the Physical Security Controls. The following steps will be taken for individuals who no longer perform any of the job functions listed due to job transfers or terminations:
• Physical keys issued to personnel will be collected
• Keycard access credentials will be removed

LIBCS Question 1
Visitor Management
Personnel who are not authorized for access to LIPSBs will be considered visitors who must be escorted within the LIPSB by personnel who have been authorized by this Security Plan. The degree of escorting required will depend on the personnel involved and the job function being performed and will be based on the professional judgment of the authorized individual who provided the access. Documentation of LIPSB visitors will not be created.

LIBCS Question 1
RF Response
As noted above, RF cannot pre-validate a compliance program. Each compliance program must be subjected to audit to determine its effectiveness in establishing compliance with the applicable Standards. The Entity Cyber Security Plan as described appears to meet the compliance requirements for low impact BES Cyber Systems. Comments regarding the individual sections of the Entity Cyber Security Plan follow.

LIBCS Question 1
Physical Security Boundaries
The concept of a low impact physical security boundary (LIPSB), kept distinct from the definition of a Physical Security Perimeter, should prove useful. A LIPSB can serve as the basis for physical access controls to a given facility.

LIBCS Question 1
Physical Security Controls
The use of physical keys implies a key management program that will control the reproduction and distribution of physical keys. Without such a program, it may be difficult to establish that access to low impact BES Cyber Systems is controlled. Similarly, the use of card-based access systems implies some form of control over how the cards are created, authorized, activated, and distributed. A structure for such controls should be included in the Entity Cyber Security Plan.

LIBCS Question 1
Access Authorization
CIP-003-7 R2 specifically states, “Lists of authorized users are not required.” However, authorization of access is an essential part of controlling access. The described plan to authorize access based on job function appears to provide an acceptable balance between individual authorizations and uncontrolled authorizations.
LIBCS Question 1
Revocation of Access
Revocation of access is also a necessary part of access control. The proposed provisions appear to meet that need. RF suggests that, in addition to the provisions stated, target timeframes be associated with access revocations in the Entity Cyber Security Plan, and that provisions be made for the case in which physical or electronic keys cannot be recovered.
LIBCS Question 1
Visitor Management
Visitor management for low impact BES Cyber Systems is not an explicit requirement of CIP-003-7. Visitors could gain access to low impact BES Cyber Systems either by accompanying someone who has a key or by the facility being left unlocked. The latter would be a violation, as access is not controlled. But if the visitor is permitted access by someone with implicit authorization (possesses a key), then that access has been controlled. In the interest of ensuring that the entity is able to “control physical access,” the method of handling visitors to low impact facilities should be established in the Entity Cyber Security Plan.
LIBCS Question 2
As it specifically relates to an entity being able to demonstrate compliance during an audit, which of the following types of evidence will an entity be expected/required to provide (please note this is not a question concerning best security or reliability practices, but strictly in terms of demonstrating compliance with the language of the CIP-003 Standard)?

LIBCS Question 2
1. List of Assets containing Low Impact BES Cyber Systems
RF: A list of BES assets containing low impact BES Cyber Systems is required by CIP-002, and will be required as evidence in any compliance engagement.

LIBCS Question 2
2. List of low impact BES Cyber Systems
3. List of BES Cyber Assets contained within each low impact BES Cyber System
4. List of Cyber Assets providing electronic access control for low impact BES Cyber Systems
5. Firewall rules, access control lists (ACLs), etc. for Cyber Assets providing electronic access control for low impact BES Cyber Systems
6. Information showing the relationship of firewall rules and ACLs to individual low impact BES Cyber Systems
7. Connectivity diagrams (e.g. network diagrams) showing low impact BES Cyber System connections to each other, Cyber Assets providing electronic access control for low impact BES Cyber Systems, and external communication circuits

LIBCS Question 2
RF: Items 2-7 may be needed to demonstrate compliance, depending on how the entity has designed its networks. If the entity’s networks are designed such that all Cyber Assets within the applicable asset are protected, such as shown in CIP-003-7 Guidelines and Technical Basis, Reference Models 1 and 2, then network diagrams, specific lists of low impact BES Cyber Systems and specific information about those systems may not be required to demonstrate compliance. However, if there is a mix of low impact BES Cyber Systems and cyber assets not part of a BES Cyber System, such as in Reference Models 6 through 10, then detailed information may need to be provided to demonstrate compliance with CIP-003-7 R2. In most cases, sampling and evidence review will be based on a list of assets, not a list of BES Cyber Systems.