Developing SCRM Plans & Internal Controls

What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes
  ◦ Part R1.1
  ◦ Part 1.2 (Parts R1.2.1 – R1.2.6)
  ◦ CIP-005-6 (Parts 2.4, 2.5)
  ◦ CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes

Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes

Specific Vendor Risks

The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents,
2. Coordination of responses to such incidents,
3. Notification of termination of remote or onsite access to BCS for vendor representatives,
4. Disclosure by vendors of known vulnerabilities,
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access.
CIP-013-1 R1

CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to: “develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include” [see Parts R1.1 and R1.2]:

How can I comply with R1?
• “Responsible entities should consider how to leverage the various components and phases of their processes (e.g. defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports*, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks.” (NERC, 2017 April, SCRM Implementation Guidance: General Considerations, p. 1)

* Bold font indicates [emphasis added], where applicable, to draw attention to specific items

CIP-013-1 Part R1.1

One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from:
i. procuring and installing vendor equipment and software; and
ii. transitions from one vendor(s) to another vendor(s).

What does “identify and assess” mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes, remember the CIP-013-1 Security Objective, “To mitigate cyber security risks…” (p. 1), which is reinforced by the note in the Requirement 1: Rationale section, “The security objective is to ensure entities consider … options for mitigating these risks” (Part 1.1, p. 11)
CIP-013-1 Part R1.2

One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:

Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does “as applicable” mean in terms of my R1 plan and R2 implementation?

CIP-013-1 Part R1.2.1

Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?

CIP-013-1 Part R1.2.2

Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified, SCRM-related incidents?

CIP-013-1 Part R1.2.3

Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;

How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?

CIP-013-1 Part R1.2.4

Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;

How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5

Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and

How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
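As an added example (not from the presentation or from NERC guidance), the following Python intake check shows one way an entity could perform the Part 1.2.5 verification before a vendor patch is staged for a BES Cyber System, and records the outcome as the kind of artifact an R2 evidence archive needs. The file name, the sample patch bytes, and the shared-secret HMAC standing in for the vendor's code-signing signature are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample input: the patch bytes as downloaded, and the vendor's
# manifest (file name plus SHA-256) obtained over a separate, authenticated
# channel rather than from the same location as the file itself.
PATCH_BYTES = b"constructed sample: RTU firmware 2.4.1 payload\n"
VENDOR_MANIFEST = {
    "file": "rtu-firmware-2.4.1.bin",  # hypothetical file name
    "sha256": hashlib.sha256(PATCH_BYTES).hexdigest(),
}
# Assumption: the Python stdlib cannot verify PGP/Authenticode signatures, so
# manifest authenticity is modelled with an HMAC over a key assumed to have
# been exchanged with the vendor out of band. A production intake would verify
# the vendor's detached signature against a pinned signing key instead.
VENDOR_MANIFEST_KEY = b"constructed-shared-secret-not-a-real-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest over a canonical JSON encoding."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class IntakeResult:
    accepted: bool
    reasons: list = field(default_factory=list)   # why the item was rejected
    evidence: dict = field(default_factory=dict)  # artifact for the R2 record


def verify_vendor_software(data: bytes, manifest: dict, manifest_sig: str,
                           key: bytes) -> IntakeResult:
    """Part 1.2.5 check: authenticity first (is the manifest really the
    vendor's?), then integrity (do the received bytes match the manifest?).
    Both comparisons use constant-time equality."""
    reasons = []
    manifest_ok = hmac.compare_digest(sign_manifest(manifest, key), manifest_sig)
    if not manifest_ok:
        reasons.append("authenticity: manifest signature did not verify")
    computed = sha256_hex(data)
    integrity_ok = hmac.compare_digest(computed, manifest.get("sha256", ""))
    if not integrity_ok:
        reasons.append("integrity: SHA-256 of received file does not match manifest")
    # Evidence record: enough for an auditor to see what was checked and when.
    evidence = {
        "file": manifest.get("file"),
        "expected_sha256": manifest.get("sha256"),
        "computed_sha256": computed,
        "manifest_authenticated": manifest_ok,
        "decision": "accepted" if not reasons else "rejected",
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }
    return IntakeResult(accepted=not reasons, reasons=reasons, evidence=evidence)


if __name__ == "__main__":
    sig = sign_manifest(VENDOR_MANIFEST, VENDOR_MANIFEST_KEY)
    print(verify_vendor_software(PATCH_BYTES, VENDOR_MANIFEST, sig, VENDOR_MANIFEST_KEY))
    # A file altered in transit fails integrity even when the manifest is genuine.
    print(verify_vendor_software(PATCH_BYTES + b"x", VENDOR_MANIFEST, sig, VENDOR_MANIFEST_KEY))
```

The evidence dictionary is what would be archived per procurement; the decision itself should gate the change-management step that moves the patch toward a BES Cyber System.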
CIP-013-1 Part R1.2.6

Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).

How would a prudent entity establish coordination of controls for remote access?

Documenting Parts 1.2.1-1.2.6

How can an entity document compliance with Parts 1.2.1 through 1.2.6:
• In its R1 procurement plan?
• For each applicable R2 implementation?

Don’t Forget CIP-005 & CIP-010

A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable

Auditing CIP-013-1 R1

What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?

Implementing the SCRM Plan (R2)

Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.

What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis
What R2 internal controls would a prudent entity develop?

Approving the SCRM Plan (R3)

Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.

Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan: Initial Performance section, p. 3)
No more than 15 calendar months apart thereafter
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?

Looking Ahead to CIP-013-2

Review the 2019 NERC Staff Report on SCRM
• Addresses FERC’s directive to “develop modifications to include EACMS associated with medium and high BES Cyber Systems” (FERC, Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC, Supply Chain Risk Mitigation Program)

Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
ERO References

FERC. (2018 October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83 (208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf

NERC. (2019 February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf

NERC. (2018 October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf

NERC. (n. d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References

Executive Order 13873. (2019 May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84 (96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf

Executive Order 13636. (2013 February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78 (33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity

NATF. (2017 November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References

Department of Homeland Security [DHS-CISA]. (2019 May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure

Network Security. (2018 August). Russian Hackers Breach US Electricity Network. Elsevier Press. ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub

Smith, R. (2018 July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110

Smith, R., & Barry, R. (2019 January 10). America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary

Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter

Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures
Be proactive and monitor for future changes in CIP-013-2

Time permitting, are there any other questions?

Contact:
Dr. Joseph B. Baugh
Senior Compliance Auditor—Cyber Security
jbaugh@wecc.org

Facility Rating Internal Controls

Keith Smith
Manager, O&P Compliance Monitoring
Objectives

● Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  ◦ Consideration of all applicable equipment
  ◦ Accurate Equipment Ratings
● Ensure established Facility Ratings are consistently utilized
  ◦ Protection
  ◦ Analysis
  ◦ Monitoring

Internal Controls

Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations are dependent on the inherent risk of the entity

Internal Controls

● Methodology
● Inventory
● Verification
● Change Management

Facility Rating Methodology

FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings

Facility Rating Methodology Example #1

● Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.

Facility Rating Methodology Example #2

● Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
  ◦ Annual reviews
  ◦ Roles and responsibilities
  ◦ Identification of tools
  ◦ Step-by-step work instructions

Inventory

Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings

Inventory Example #1

● Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities

Inventory Example #2

● Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities, and includes:
  ◦ Equipment Rating documentation
  ◦ Flagging when Equipment Rating changes impact Facility Ratings
  ◦ Identification of Facilities with unique characteristics
  ◦ Required fields dependent on characteristics of Facilities
  ◦ Automated notification for Facility Rating changes

Verification

Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.

Verification Example #1

● Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings

Verification Example #2

● Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
  ◦ Anomalies evaluated for applicability to other Facilities
  ◦ Identified Facilities prioritized for future field inspections

Change Management

Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example

[Diagram: Facility Ratings at the center, linked to TOP-003-3, PRC-023-4, TOP-001-4, TOP-002-4, MOD-032-1, IRO-010-2, and TPL-001-4]
Change Management Example #1

● Low Bar Power Company has no documented change management processes but states:
  ◦ Its personnel will know to review Facility Ratings if equipment changes occur
  ◦ Appropriate personnel should receive an email when Facility Ratings change

Change Management Example #2

● Max Reliability Power Company has robust documented change management processes for equipment changes that include:
  ◦ Evaluation of changes by subject matter experts
  ◦ Required change approvals prior to changes being implemented
  ◦ Notification to update inventory after changes implemented
  ◦ Confirmation that changes implemented as planned

Change Management Example #2

● Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
  ◦ Automated notification of Facility Rating changes
    • Protection Engineering
    • System Planning
    • System Operations
    • Operations Support
  ◦ Checklist to verify appropriate follow-up action(s) taken
  ◦ Periodic comparisons with internal and external models

Questions?

Break

Webinar participants: We will return at 3:45 p.m. Central
NERC 2019 Compliance & Standards Workshop

Eversource Energy Service Company
July 23 – 24th, 2019
Minneapolis, MN 55402

Paolo D’Alessandro, JD
Senior Specialist, Reliability Compliance

Safety First and Always

Eversource Energy: Service Territories

Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire with 528,000 electric customers

Eversource Energy Service Company provides certain functions, such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.

Eversource Energy: One Registered Entity

• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  – Connecticut Light and Power (NCR07044)
  – NSTAR Electric Company (NCR7180)
  – Public Service of New Hampshire (NCR07203)
  – Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  – Supports efforts for consistency and best practice across 3 states
  – Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units, therefore Eversource is no longer a GO or GOP
• As of January 2018, Eversource Energy’s functional registration is now:

Registered Entity                            | DP | TO | TOP | TP | TSP
Eversource Energy Service Company NCR07176   | X  | X  | X   | X  | X

(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
A Strong Compliance Culture

• Continued efforts to consolidate three state organizations for consistency and identification of best practices, tools and controls.
• Strong senior management commitment. Executives are regularly engaged in supporting compliance related activities.
• Dedicated departments to focus on compliance (Reliability Compliance, Operational Compliance and Internal Audit).
• Work activities foster a systematic approach to operational excellence and compliance:
  – Reportability Determinations / Root Cause Analysis
  – Self Assessments > Lessons Learned > Roadshow Presentations
  – Internal Audits
  – Events Analysis
  – Training (i.e. CIP annual training)
• Eversource SMEs lead on embedding compliance within their respective functional teams. SME responsibilities primarily affect the following enterprise level groups:
Organization: Dedicated Committees & Departments to Ensure Compliance

Committees
– Compliance and Ethics Committee
– Reliability Steering Committee - Quarterly
– Compliance Work Plan (CWP) - Monthly

Departments
– Reliability Compliance / Operational Compliance
– Internal Audit
– Enterprise Risk Management

Eversource - Enterprise-Wide Controls

Examples of internal controls that support NERC compliance at an enterprise-wide level consist of the following:

Reliability Compliance Department: Oversee and assist the business in ensuring compliance with all applicable Reliability Standards & Requirements
Compliance and Ethics Committee: Executive level committee that oversees all compliance activity within the organization
Internal Audit: Independently conducts periodic audits of compliance activities, including NERC Reliability Standards
Enterprise Risk Management: Framework and process that enables enterprise wide view of business risks and how they are appropriately managed and mitigated
Compliance Work Plan: Monthly meetings to brief leadership on compliance activity including (1) KPI’s (2) standards development & implementation (3) review of compliance activity (4) emerging issues
CATSWeb: Database system used to track and ensure completion of gap analysis and action plans for applicable NERC Standards and NPCC Directories

Eversource Cyber Strategy

Risk Based, Defense In Depth strategy that evolves based on the business and industry trends

Focus areas:
– Ensure OT/SCADA Systems are Secure
– Ensure Cloud Technologies are Secure
– Ensure New Technologies are Secure (IT & OT)

Measures listed across these focus areas:
• 3rd party reviews
• Device authentication
• Privilege Access Mgmt.
• Device and network monitoring
• Identity & Access Mgmt.
• Application testing
• End Point Security
• Penetration testing
• Strict external/remote access protocols
• Application isolation
• Mobile device security

Secure Legacy Systems: Technologies that isolate or protect vulnerable systems from being exploited
Ensure Strong Cyber Hygiene: Policies, Vulnerability Management, Anti-malware technology, Security Monitoring, Security Awareness, Incident Response, Encryption, Secure Architecture

Eversource O&P/CIP ICE Lessons Learned

In 2018, Eversource participated in both an O&P and CIP ICE exercise. Positive feedback was received from SMEs and Senior Management on the following:
– While resource intensive, the benefit of having a full review of internal controls, enhancement to existing controls and the reduction in audit scope outweighed the impact to the line.
– Flowcharts were useful to demonstrate internal controls (detective, preventative) that support ongoing compliance.
– If an entity decides to participate, don’t underestimate the time needed to work with SMEs to review controls, complete the ICE Template and create flowcharts.
FAC-003-4 Flowchart

TOP-002-4 Flowchart

MOD-032-1 Flowchart

CIP-011-2 Flowchart

Questions?

Control Development

Kristen Long, Sr. Analyst
Creating sustainable value for all
DRAFT NERC CONTROLS DEVELOPMENT OVERVIEW

Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial, and/or operational risks, and document the updated controls in Archer

1. Gather existing information
   • NERC standard
   • Current RSAW
   • Policies and procedures
   • Enforcement history
   • Existing controls
   • Etc.
2. Kickoff meeting with BU
   • Outline the process
   • Create schedule
   • Define deliverables
3. Development meetings
   • Review the standard
   • Determine the need for a process map
   • Review and update existing controls
   • Develop new controls and tests to address risks
4. Approval
   • Control owners
   • NERC Compliance SMEs
   • NERC Compliance management
5. Upload to GRC Tool

HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE
Archer – NERC Compliance Control Development

End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority – start with CMEP standards, focus on CMEP requirements with Med/High VRF (2019)
Approach – tailored to the individual standard:
• CMEP med/high requirements vs entire standard
• Complete process mapping where applicable
• Consider all risks – compliance, reliability, security, etc.
• Control & Testing rigor based on violation risk factor (VRF) and enforcement history
• Partner with Projects SME and BU SMEs
• RSAW updates – where applicable

Risk Drives Robustness of Internal Controls

All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational.

Items that could affect risk:
• Monitoring objectives
• Inherent risk (CMEP)
• Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.), and
• Previous enforcement history

Control & Test Balancing

Approach to Control & Test Deployment
• Requires a balancing of considerations

Lower Risk (established process, no violations): less persuasive evidence/documentation, fewer controls & tests
Higher Risk: more persuasive evidence/documentation, increased controls & tests

How do I start?

• Create Process Map – a process map is a visual depiction of the high level process. It should include the following information:
  • Flowchart style picture of process(es)
  • Implementing Procedures/Policies
  • Critical steps
  • Area responsibilities
  • Known Risks
  • Procedure steps
  • Link to requirements
[Example process map: FOR ILLUSTRATIVE PURPOSES ONLY]
Additional Considerations

• Is the control, to the largest extent possible, automated?
• Are compensating and supporting internal controls needed?
• Is the level of documentation available for the control sufficient?
• Are any controls necessary to meet the objective missing?
• Even if the control operates as designed, will it fail to meet the objective? (if so = improperly designed)