Low Impact Focus Group Monthly Meeting January 23, 2018
Opening Comments
This meeting is being recorded.
All lines will be muted. In order to comment, you may:
• Use the WebEx “Raise Hand” feature.
• Send a message to the presenter via WebEx chat.
When commenting, be mindful that this is an open call. RF cannot fully pre-screen the attendees.
Forward Together • ReliabilityFirst

Announcements
NERC’s Antitrust Guidelines are available at:
• http://www.nerc.com/pa/Stand/Resources/Documents/NERC_Antitrust_Compliances_Guidelines.pdf
This is a public call. RF cannot fully pre-screen the attendees.

Mailing List
ciplifg@lists.rfirst.org
This list is intended as a discussion forum.
List changes, such as additions or removals, should be sent to: lew.folkerth@rfirst.org

Standards Update – Incident Reporting NOPR
Background
• On January 13, 2017, the Foundation for Resilient Societies submitted a petition (https://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=14475801) requesting changes to the CIP Standards regarding enhanced:
  ‒ Malware detection,
  ‒ Malware reporting,
  ‒ Malware mitigation, and
  ‒ Malware removal.
• In response, on December 21, 2017, FERC issued a Notice of Proposed Rulemaking (NOPR) proposing to enhance the reporting of Cyber Security Incidents.

Standards Update – Incident Reporting NOPR
CIP-008-5
• R1: Document one or more Cyber Security Incident response plans
• R2: Periodically test the plans from R1 by responding to or simulating a Reportable Cyber Security Incident
• R2: Implement the plans from R1 for an occurrence of a Reportable Cyber Security Incident
• R2: Retain records of each Reportable Cyber Security Incident
• R3: Maintain the plans from R1

Standards Update – Incident Reporting NOPR
CIP-003-6/7 R2 Attachment 1 Section 4
• Have one or more Cyber Security Incident response plans
• Implement the plans from R1 for an occurrence of a Cyber Security Incident
• Periodically test the plans from R1 by responding to or simulating a Reportable Cyber Security Incident
• Maintain the plans from R1

Standards Update – Incident Reporting NOPR
Definitions
• Cyber Security Incident
  ‒ “A malicious act or suspicious event that:
    • Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter or,
    • Disrupts, or was an attempt to disrupt, the operation of a BES Cyber System.”
• Reportable Cyber Security Incident
  ‒ “A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.”

Standards Update – Incident Reporting NOPR
Three elements of the proposed directive:
• Cyber Security Incident Reporting Threshold
• Content of Cyber Security Incident Reports
• Timing of Cyber Security Incident Reports

Standards Update – Incident Reporting NOPR
Cyber Security Incident Reporting Threshold
• Expand the scope of Cyber Security Incident reporting by:
  ‒ Including compromises or attempts to compromise
  ‒ Including ESP and EACMS

Standards Update – Incident Reporting NOPR
Content of Cyber Security Incident Reports
• The functional impact achieved or that was attempted
  ‒ Functional impact is a measure of the actual, ongoing impact to:
    • The organization,
    • The affected BES Cyber Systems, and
    • The ability to protect or operate those BES Cyber Systems.
• The attack vector used
  ‒ The attack vector is the method used to exploit a vulnerability
• The level of intrusion that was achieved or attempted
  ‒ The level of intrusion is the extent of the penetration into protected systems

Standards Update – Incident Reporting NOPR
Timing of Cyber Security Incident Reports
• Create deadline for filing report with information specified above
  ‒ Take into consideration the severity of the incident
• Submission of detailed report to both E-ISAC and ICS-CERT

Standards Update – Incident Reporting NOPR
Observations
• Use of the terms “ESP,” “EACMS,” and “BES Cyber Systems within the ESP” may mean that the proposed revisions will be intended for high and medium impact BES Cyber Systems only, although this is not yet clear.
• CIP-008-5 will need to be modified to require activation of the incident response plans for any Cyber Security Incident, not just Reportable Cyber Security Incidents.

Standards Update – Supply Chain NOPR
Background
• FERC Order 829 required NERC to develop Supply Chain Cyber Security Standards
• NERC, through the Standards Development Process, produced and filed the new Standard CIP-013-1 and revised Standards CIP-005-6 and CIP-010-3
• In approving these Standards for submission to FERC, the NERC Board of Trustees (BoT) approved six resolutions to further study supply chain risks, including the risks to low impact BES Cyber Systems
• On January 18, 2018, FERC issued a Notice of Proposed Rulemaking (NOPR) proposing to approve these Standards and to order further revisions

Standards Update – Supply Chain NOPR
Key Points – The NOPR proposes to:
• Approve CIP-013-1, CIP-005-6, and CIP-010-3
• Order inclusion of EACMS in the scope of these Standards
• Order NERC to include PACS and PCA in the BoT-requested study
• Wait for the BoT-requested study of cyber security supply chain risks associated with low impact assets before taking action on low impact
• Change the implementation period from 18 months to 12 months

Future Meetings
Next conference call (WebEx):
• Tuesday, February 20, 2017 at 11:00 AM EST

Questions & Answers