Transcription
Transitioning from Version 3 toVersion 5 of the NERC CriticalInfrastructure ProtectionReliability StandardsAndrew GalloDirector, Reliability ComplianceAustin Energy1SpeakerEducation/Training J.D (1985)Certified Compliance & Ethics Professional (CCEP since 2009)Career Most Recently:– Austin Energy: Director, Reliability Compliance, June 2010 ‐ Present– Calpine: VP Regulatory Compliance, 2010– Seattle City Light: Chief Compliance Officer, 2008 ‐2010– ERCOT: Asst. General Counsel, 2002 – 2008Roles Member of NERC Standards CommitteeNERC Quality ReviewerChair, Texas RE Regional Standards CommitteePast Chair – Texas RE NERC Standards Review Subcommittee (NSRS)Past Chair – ERCOT NERC Reliability Working Group (NRWG)21
Background3How We Got Here CIP Version 1– Approved 1/18/2008 (Order 706)– Effective 7/1/2008 (18 CFR Part 40)– FERC Order with directives: Remove “Reasonable Business Judgment” and “Acceptance ofRisk” Address Technical Feasibility Exceptions CIP Version 2– Effective 4/1/2010 to 9/30/2010– Minor changes (Low‐hanging fruit) CIP Version 3– Approved 3/31/2010– Effective 10/1/2010 to 4/1/201642
Why New Version(s) News Reports– Congress Concerns– White House (Cybersecurity Framework) Concerns5Why New Version(s) (cont’d) Versions 1, 2 & 3 ‐ Disorganized– Change Control / Information Protection / Governance– Vulnerability Assessments in two Standards Too much discretion to industry– Risk‐Based Assessment Methodology (RBAM) Too few in‐scopeassets Perceived “loopholes” NERC Action before FERC or Congress– FERC: “Progress Being Made on Cybersecurity Guidelines, but KeyChallenges Remain to be Addressed” – Feb. 14, 201263
NERC CIP Version 4 Approved 4/19/2012 (Order 761)Replaced RBAM with “bright line”Effective 4/1/14, postponed to 10/1/2014, except .Switch from Risk‐Based Assessment Methodology (RBAM)to “Bright‐line”– But kept “Critical Assets” and “Critical Cyber Assets” (CCAs) Bright‐line (CIP‐002‐4)– 17 criteria– Tied to operational Standards (IROL, Black Start, ContingencyReserves) No technical changes in other Standards Never became effective– Skipped to V57Version 4 Bright‐Line CriteriaIgnore (sort of) 1.1 – Gen Plants 1500 MWs 1.2 – Reactive resources 1000 MVAR 1.3 – “RMR” resources 1.4 – Black Start resources 1.5 – Cracking Paths 1.6 – Transmission facilities 500 kV 1.7 ‐ Transmission facilities 300 kV and connected to 3other facilities 300 kV 1.8 – Transmission facilities deemed “critical” by RC, PA orTP84
Version 4 Bright‐Line Criteria 1.9 – Flexible AC Transmission Systems (FACTS) deemed“critical” by RC, PA or TP 1.10 – Transmission facilities which, if lost or compromised,would cause the loss of gen from criteria 1.1 or 1.3 1.11 – Transmission facilities necessary for NPIRs 1.12 – SPS/RAS which, if lost, would affect anInterconnection Reliability Operating Limit (IROL) 1.13 – Load shedding systems 300 MW w/o humanintervention 1.14 – RC Control Centers (and back‐ups)9Version 4 Bright‐Line Criteria 1.15 – Control Centers (and back‐ups) used to control gen atmultiple plant locations and identified in 1.1, 1.3 or 1.4.Each control center (and back‐up) used to control gen 1500 MW 1.16 – Control Center (and back‐up) used by a TOP whichincludes control of at least one asset identified in 1.2, 1.5 –1.12 1.17 – BA Control Center (and back‐up) which includes atleast one asset from 1.1, 1.3, 1.4, 1.13105
NERC CIP Version 5 Approved 11/22/2013 (Order 791) Effective 4/1/2016 (mostly) Still not entirely finished .––––“Identify, Assess & Correct”Transient Devices (thumb drives; laptops)“Communication Network” definitionSecurity Controls for Low Impact assets Final Ballot closed 2/2/1511New Versions CIP Version 5 Effective Dates126
CIP Version 5 ‐ Approach CIP V5 priorities shift– Primarily focuses on improving security instead of “compliance”– A turning point for the CIP Standards– Compliance is important but can leave security gaps compliant secure– Version 5 tries to combine compliance and security by achievingcompliance through security Structure Corrections– Versions 1 – 4 Change Control and Information Protection embedded in Governancestandard– Change Control: CIP‐003‐3, R6– Info Protection: CIP‐003‐3, R4– Version 5 CIP‐010‐5: Change Control / Vulnerability Assessments CIP‐011‐5: Information Protection13CIP Version 5 – Approach (cont’d) New Format– Background section– Requirements/Measures (usually w/ table) Suggested evidence– Guidelines and Technical Basis Transition Period – 11/22/13 to 4/1/16 (Now)– Entities may maintain V3 RBAM– May adopt bright‐line criteria (compliance will notaddress black start units and cranking paths)– Entities must identify when requested147
Version 5 ‐ Major Changes Move from “Critical Assets” and “Critical Cyber Assets” toBES Cyber Assets and BES Cyber Systems High/Medium/Low Impact BES Cyber Systems External Routable Connectivity (ERC)15Version 5 – New DefinitionsNot verbatim Annual – Once every 15 months (or less) BES Cyber Asset –Cyber Asset if rendered unavailable/degraded/misused would, w/n 15 minutes, adversely impact Facilitie(s), system(s)or equipment, which, if destroyed/degraded/rendered unavailable (asneeded) would affect reliable operation of Bulk Electric System (BES) BES Cyber System – 1 BES Cyber Asset logically grouped to performreliability task(s) (aka BROS) BES Reliability Operating Service – BES Cyber Systems in‐scope underV5 (b/c of impact on BES reliability)–––––––––Dynamic Response to BES conditionsBalancing Load and GenerationControlling Frequency (Real Power)Controlling Voltage (Reactive Power)Managing ConstraintsMonitoring & ControlBES RestorationSituational AwarenessInter‐Entity Real‐Time Coordination and Communication168
Version 5 – New Definitions (cont’d) BROS by Registration17Version 5 – New Definitions Electronic Access Control or Monitoring System (EACMS) ‐ CyberAssets performing electronic access control or monitoring of ElectronicSecurity Perimeter (ESP) or BES Cyber Systems (includes IntermediateSystems) (previously ACM) Physical Access Control System (PACS) ‐ Cyber Assets which control,alert or log access to the Physical Security Perimeter (PSP) (exc. locallymounted hardware or devices) at PSP (e.g. motion sensors, electroniclock control mechanisms and badge readers) Protected Cyber Asset (PCA) ‐ 1 Cyber Asset connected using aroutable protocol w/n or on an ESP which is not part of the highestimpact BES Cyber System w/n the same ESP (previously NCCA)– Impact rating of PCA the highest rated BES Cyber System in same ESP– Cyber Asset is not a PCA if connected to either a Cyber Asset within the ESPor the network within the ESP for 30 consecutive days and used for datatransfer, vulnerability assessment, maintenance or troubleshootingpurposes (aka “transient device” ‐ e.g. troubleshooter laptop)189
Version 5 – New Definitions (cont’d) Low Impact BES Cyber System Electronic Access Point (LEAP) ‐ CyberAsset interface which allows Low Impact External Routable Connectivity– Cyber Asset may reside at a location external to the asset(s)containing low impact BES Cyber System– LEAP is not an Electronic Access Control or Monitoring System Low Impact External Routable Connectivity (LERC) ‐ Bi‐directionalroutable communications between low impact BES Cyber System(s) andCyber Assets outside the asset containing the low impact BES CyberSystem(s)– Communication protocols created for Intelligent Electronic Device(IED) to IED communication for protection and/or control functionsfrom assets containing low impact BES Cyber Systems are excluded(e.g. IEC 61850 GOOSE or vendor proprietary protocols)19Version 5 – New Definitions (cont’d) BES Cyber System Information (BCSI) ‐ Information about BES CyberSystem which could be used to gain unauthorized access or pose asecurity threat to BES Cyber System– Does not include individual pieces of information which, bythemselves, do not pose a threat or could not be used to allowunauthorized access to BES Cyber Systems (e.g. device names,individual IP addresses w/o context, ESP name or policystatements).– Examples of BCSI: security procedures or security information aboutBES Cyber Systems, PACS and EACMS not publicly available andwhich could be used to allow unauthorized access or unauthorizeddistribution; collections of network addresses; and networktopology of BES Cyber System2010
V5 Problems/Issues (FERC Order 791) FERC ordered NERC to:– Revise or remove “Identify, Assess and Correct” language– Define communication networks and create new/modified Standards toprotect nonprogrammable components of communication networks(e.g. cables and wires)– Add objective criteria re: sufficiency of controls for Low Impact assets– Develop new or modified Standards for Transient Devices (e.g. thumbdrives and laptops) NERC Project 2014‐02––––Removed “identify, assess, and correct” languageAddress security controls for Low Impact assetsDevelop requirements to protect transient electronic devicesDefine “communication networks” and develop new/modifiedstandards to address protection of communication networks– (More later .maybe)21Transition from Version 3toVersion 52211
Disclaimer This presentation contains general information about legal matters. The information isnot advice and you should not treat it as such. I am not your lawyer.Limitation of warranties– The information in this presentation is provided “as is” without any representationsor warranties, express or implied. I make no representations or warranties inrelation to the legal information in this presentation.Without limiting the generality of the foregoing paragraph, I do not warrant that:– the information in this presentation will be constantly available, or available at all; or– the information in this presentation is complete, true, accurate, up‐to‐date or non‐misleading.You should not rely on the information in this presentation as an alternative to legaladvice from your attorney or other professional legal services provider. If you have anyspecific questions about any legal matter, you should consult your attorney or otherprofessional legal services provider. You should never delay seeking legal advice, disregardlegal advice or commence or discontinue any legal action because of information in thispresentation.Nothing in this disclaimer will limit any liabilities in any way not permitted underapplicable law or exclude any liabilities which may not be excluded under applicable law.I’m just doing the best I can like the rest of you . 23Asset Identification Options Option 1 – Continue to comply with all CIP V3Standards during Transition Period Option 2 – Begin transitioning to compliance w/some or all CIP V5 Standards Option 3 ‐ Adopt V5 “High” and “Medium” ImpactRating Criteria (CIP‐002‐5.1, Attachment 1) in lieuof RBAM2412
Critical Asset Identification – Option 125Critical Asset Identification – Option 2 Responsible Entities which adopted CIP V4 CriticalAsset Criteria may continue in lieu of RBAM Adoption of V4 Criteria must have occurred before 8/12/14 Critical Assets identified per criteria 1.4 and 1.5 (BlackStart Resources and Cranking Paths) not subject to CIPV3 but TOP Control Centers controlling Cranking Pathassets will be treated as Critical Assets Annually approve adoption of V4 Critical Asset Criteria2613
Critical Asset Identification – Option 3 May adopt V5 “High” and “Medium” Impact RatingCriteria (CIP-002-5.1, Attachment 1) in lieu of RBAM Do so at any time May immediately adopt V5 criteria to derive “CriticalAsset” list May remove Critical Assets and CCAs if they do notsatisfy V5 “High” or “Medium” impact criteria Annually approve adoption of V5 Impact RatingCriteria27Critical Asset Identification2814
High Impact BES Cyber Systems Control Center (or backup) used to perform obligations of: Reliability Coordinator (C1.1) Balancing Authority (C1.2) For generation aggregate of 3000 MW in a singleInterconnection, or For 1 assets meeting criterion 2.3 (RMR), 2.6 (IROL) or2.9 (SPS/RAS) Transmission Operator for 1 assets meeting criterion 2.2, 2.4,2.5, 2.7, 2.8, 2.9 or 2.10 (C1.3) Generator Operator for 1 assets meeting criterion 2.1, 2.3,2.6 or 2.9 (C1.4)29Medium Impact BES Cyber Systems Generation at a single plant with aggregate highest rated net RealPower capability (preceding 12 months) 1500 MW in a singleInterconnection (C2.1) Only BES Cyber Systems which could, w/n 15 minutes, adverselyimpact reliable operation of units which aggregate 1500 MW inone Interconnection BES reactive resource(s) at one location (excl. gen Facilities) w/aggregate max. Reactive Power rating 1000 MVAR (C2.2) Only BES Cyber Systems which could, w/n 15 minutes, adverselyimpact reliable operation of resources which aggregate 1000MVAR Gen Facility designated by Planning Coordinator or TransmissionPlanner as necessary to avoid Adverse Reliability Impact in theplanning horizon 1 year (RMR) (C2.3)3015
Medium Impact BES Cyber Systems (cont’d) Transmission Facilities operated at 500 kV (C2.4) Collector bus for gen plant “Transmission Facility” Generation at one plant or Transmission Facilities at one stationidentified by Reliability Coordinator, Planning Coordinator orTransmission Planner as critical to derive Interconnection ReliabilityOperating Limit (IROL) and associated contingencies (C2.6) Transmission Facilities identified as essential to meet Nuclear PlantInterface Requirements (C2.7) Transmission Facilities (incl. gen interconnection) to connect generatoroutput to the Transmission Systems which, ifdestroyed/degraded/misused/rendered unavailable, would result inloss of gen Facilities from criterion 2.1 ( 1500MW) or 2.3 (RMR) (C2.8) System/group of Elements performing under-voltage load shedding(UVLS) or under-frequency load shedding (UFLS), w/o humaninitiation, of 300 MW under a load shedding program subject to 1NERC or regional standards (C2.10)31Medium Impact BES Cyber Systems (cont’d) Transmission Facilities operating between 200 kV and 499 kV at asingle station if that station is connected at 200 kV to 3 or moreother Transmission stations and w/ "aggregate weighted value" 3000 according to table below (C2.5) “Aggregate weighted value" sum of the "weight value perline" in table for each incoming and outgoing BESTransmission Line connected to another Transmission station Collector bus for gen plant “Transmission Facility”3216
Medium Impact BES Cyber Systems (cont’d) Each Special Protection System (SPS), Remedial Action Scheme(RAS) or automated switching System which, if destroyed/degraded/misused/rendered unavailable, would cause 1 IROL violation forfailure to operate or cause a reduction in 1 IROL if destroyed/degraded/misused/rendered unavailable (C2.9) Control Center (or backup) not deemed “High Impact” used toperform obligations of: Generator Operator for aggregate highest rated net Real Powercapability 1500 MW in one Interconnection (C2.11) Transmission Operator (C2.12) Balancing Authority for gen 1500 MW in one Interconnection(C2.13)33Low Impact BES Cyber Systems BES Cyber Systems not “High” or “Medium” impact and associatedw/ assets meeting the applicability qualifications in Section 4: Control Centers (and backup) (C3.1) Transmission stations and substations (C3.2) Generation resources (C3.3) Systems and facilities critical to system restoration, includingBlack Start Resources and Cranking Paths/initial switchingrequirements (C3.4) SPS supporting reliable operation of BES (C3.5) For Distribution Providers, Protection Systems specified inApplicability Section 4.2.1 (C3.6)3417
Critical Asset Identification Apply CIP V5 High, Medium and Low criteria: Read each criterion as “Critical Asset” evaluationcriterion Do not consider BES Cyber Systems at the assets Any asset matching “High” or “Medium” criteria is a“Critical Asset”35Updated Critical Cyber Asset List After updating Critical Asset list, apply CIP-002-3, R3 to create CCAlist Any newly-identified CCAs associated w/ newly-identified CriticalAssets need not comply w/ V3 Flag newly-identified CCAs in your CCA list Those CCAs must comply w/ V5 per the V5 ImplementationPlan Immediately remove from CCA list all CCAs associated w/ removedCritical Assets Will most likely be “low” impact under V5 Resumed compliance (CIP V5) will be per CIP V5 00251RD/Implementation Plan clean 4 (2012-1024-1352).pdf3618
Updated Critical Cyber Asset List Original CCAs still on CCA list after applying V4 or V5 criteria:– No lapse of CIP compliance permitted– Must maintain CIP V3 compliance (subject to CIP V5 TransitionGuidance)– Replacement Cyber Assets must comply w/ CIP V3 or V5 uponcommissioning New or upgraded/replaced CCAs resulting from plannedchange must comply upon commissioning (e.g. SCADA systemreplacement or upgrade; change from non‐routable protocolto routable protocol) May comply with V3 or V5 during Transition Period37Updated Critical Cyber Asset List Planned change which elevates a BES Cyber System to highercategory (e.g. medium to high) during Transition Period mustcomply with higher impact V5 requirements by the effectivedate of the requirement– e.g. Planned increase in gen resulting in higher categorization of BESCyber Systems at Control Center Unplanned changes must comply by later of V5 effective dateor date in V5 Implementation Plan e.g. Criteria 2.3 and 2.6 notifications3819
Compliance Monitoring during Transition Period39Compliance Monitoring during Transition PeriodRegional Entity willissuean RFI with sectionoptions in advance.4020
Compliance Monitoring during Transition Period41Compliance Monitoring during Transition Period Mitigation of Open Enforcement Action (OEA) should focuson full compliance w/ “Mostly Compatible” V5 Requirement– Includes violations before 8/12/14 CIP V5 Transition Guidance*– Full compliance w/ V5 by V5 effective date– Unmitigated OEA cannot extend the CIP V5 compliance date* sition%20Guidance%20FINAL.pdf4221
Technical Feasibility Exceptions (TFEs) Don’t go away Existing TFEs carried forward to equivalent V5Requirements: New TFEs for V5 (no V3 equivalent):43Technical Feasibility Exceptions (TFEs) Existing V3 TFEs w/ no equivalent V5 Requirement terminated on V5 effective date:4422
CIP V5 Transition in Practice45Two‐Step Transition ApproachSTEP 1: “Top‐Down”1.Apply CIP‐002‐5.1 Bright Line criteriaa) Review one‐line drawings to find facilities meeting “High” and“Medium” Impact criteriab) Verify findings w/ SMEs2. High and Medium facilities “Critical Assets”a) Flag newly‐identified Critical Assets3. Apply CIP‐002‐3, R3 to create CCA lista) Newly‐identified CCAs associated w/ newly‐identified CriticalAssets need not comply w/ V3b) Flag newly‐identified CCAs in CCA listc) Newly‐identified CCAs must comply w/ V5 per the V5Implementation Plan4623
Two‐Step Transition Approach4.To prepare for V5 compliance, identify BES Cyber Assets/Systemsa) Identify BES Reliability Operating Services (BROS) at High andMedium facilities1) Part of Guidance2) SCADA/EMS, etc.b) Identify BES Cyber Systems used by and located at each Highand Medium facilityc) Inventory supporting Cyber Assetsd) Apply “15 minute” criteria to identify BES Cyber Assets47Two‐Step Transition ApproachSTEP 2: “Bottom‐Up”(To minimize possibility of missing in‐scope BES Cyber Assets)1. Apply “15 minute criteria” to current CCA list toidentify potential BES Cyber Assets Cyber assets currently in‐scope under CIP‐002‐32. Determine if identified BES Cyber Assets are “used by”and “located at” identified High or Medium impactlocations4824
V5 Compliance Need not look at all BROS across entire footprint and searchfor systems part of those BROS at this time– Doing s
CIP Version 5 ‐Approach 13 New Format – Background section – Requirements/Measures (usually w/ table) Suggested evidence – Guidelines and Technical Basis Transition Period – 11/22/13 to 4/1/16 (Now) – Entities may maintain V3 RBAM
