Transitioning To NERC CIP Version 5: What Does It Mean For .

Transcription

EnergySec Partnered Webinar with MetricStream
Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities
JANUARY 28, 2015

Housekeeping Items
§ Submit questions using control panel
§ Contact information at the end for additional questions

Panelists
Karl Perman is a skilled business executive with 30 years of business protection, compliance, risk management, human resources and law enforcement experience. He has created, evaluated and implemented NERC reliability and critical infrastructure protection compliance programs for electric generation and transmission entities.
Steven Parker's experience includes more than a decade of full-time security work at critical infrastructure organizations including the Western Electricity Coordinating Council, PacifiCorp, and US Bank. He has contributed to a broad range of security projects covering areas such as e-commerce, identity management, intrusion detection, forensics, and security event monitoring.
Mr. Schmutzler is a Regional VP for GRC solutions with a broad background including governance, risk and compliance (GRC), IT audit, risk and controls assessment, information systems design and implementation. Prior to joining MetricStream he was a Partner with KPMG LLP in the Risk Advisory Practice focused on GRC, risk assessment and systems implementation.

Agenda
§ Effective Dates
§ Cyber Assets/BES Cyber Assets
§ Structural Changes
§ Bright Lines and Asset Categorization
§ Evidence
§ Automation
§ Compliance Management Framework

Effective Dates
§ April 1, 2016 for high and medium impact systems
§ April 1, 2017 for low impact systems
§ Areas of Concern
– Do not wait/Start now
– Changing requirements (V6, V7)
– Develop a plan including people/process/technology

CYBER ASSETS / BES CYBER ASSETS / BES CYBER SYSTEMS

Cyber Assets
Programmable electronic devices, including the hardware, software, and data in those devices. Communication networks have been removed from the definition of Cyber Asset.

BES Cyber Assets
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

BES Cyber Systems
One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
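The three definitions above reduce to a decision rule an entity applies across its whole inventory. The following is an added example (not from the presentation or from MetricStream) that encodes that rule: the 15-minute adverse-impact test, the instruction to ignore redundancy, the 30-day transient-connection exception, and the logical grouping of BES Cyber Assets into BES Cyber Systems by reliability task. The record layout, field names and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class CyberAsset:
    """Constructed inventory record; attributes mirror the facts CIP-002 hinges on."""
    name: str
    impact_within_15_min: bool          # loss/misuse adversely impacts the BES within 15 minutes
    has_redundant_peer: bool = False    # recorded, but deliberately never consulted
    connected_to_esp: bool = False      # connected to an ESP network, a Cyber Asset in an ESP, or a BES Cyber Asset
    consecutive_days_connected: int = 0
    purpose: str = ""                   # why the connection exists
    reliability_tasks: List[str] = field(default_factory=list)

# The four purposes the definition names for the 30-day exception.
TRANSIENT_PURPOSES = {"data transfer", "vulnerability assessment", "maintenance", "troubleshooting"}

def is_transient(asset: CyberAsset) -> bool:
    """30-day exception: connected for 30 consecutive calendar days or less for a listed purpose."""
    return (asset.connected_to_esp
            and asset.consecutive_days_connected <= 30
            and asset.purpose in TRANSIENT_PURPOSES)

def is_bes_cyber_asset(asset: CyberAsset) -> bool:
    """Apply the definition; has_redundant_peer is intentionally ignored."""
    if not asset.impact_within_15_min:
        return False
    return not is_transient(asset)

def group_into_bes_cyber_systems(inventory: List[CyberAsset]) -> Dict[str, List[str]]:
    """Group BES Cyber Assets by reliability task; an asset may belong to several systems."""
    systems: Dict[str, List[str]] = {}
    for asset in inventory:
        if not is_bes_cyber_asset(asset):
            continue
        for task in asset.reliability_tasks or ["unassigned"]:
            systems.setdefault(task, []).append(asset.name)
    return systems

# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = [
    CyberAsset("rtu-01", True, has_redundant_peer=True, reliability_tasks=["SCADA telemetry"]),
    CyberAsset("ems-server", True, reliability_tasks=["SCADA telemetry", "state estimation"]),
    CyberAsset("vendor-laptop", True, connected_to_esp=True, consecutive_days_connected=3, purpose="maintenance"),
    CyberAsset("vendor-laptop-long", True, connected_to_esp=True, consecutive_days_connected=45, purpose="maintenance"),
    CyberAsset("lobby-kiosk", False),
]
```

Note that a device like "vendor-laptop-long" stops qualifying for the exception once it has been connected for more than 30 consecutive days, which is why the inventory must track connection duration, not just purpose.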

Retired Terms
§ Critical Asset
§ Critical Cyber Asset

STRUCTURAL CHANGES

Table Based Requirements
§ Applicable Systems
– Lists device categories in-scope for the requirement
§ Requirements
– Lists what must be done or accomplished
§ Measures
– Lists examples of compliance evidence
§ Tables exist for requirements in CIP-004 through CIP-011

Guideline and Technical Basis
§ Provides substantial narrative discussion on the requirements
§ Provides the SDT's intent for certain requirements
§ Provides the technical basis for certain requirements
§ Contains some conflicting or unsupported statements
§ Legal status is uncertain

BRIGHT LINES AND ASSET CATEGORIZATION

Asset Categorization
§ Bright Lines vs. RBAM
– CIP-002 Attachment 1
– Facilities and BES Cyber Systems
§ Impact levels vs. CCA
– High
– Medium (ERC)
– Low

Asset Categorization
§ All BES Facilities should be included in the application of the Impact Rating Criteria.
§ All Cyber Assets located at or associated with any BES Facility should be evaluated for possible identification as a BES Cyber Asset.
§ BES Cyber Assets need to be logically grouped into BES Cyber Systems.

Areas of Concern
§ Identification of all Cyber Assets
– Asset management system
– Physical walk downs
§ Categorization of BES Cyber Assets
– Stakeholder engagement
§ Logical grouping of BES Cyber Assets into BES Cyber Systems
– Approach should align with environment

EVIDENCE

Evidence
§ Evidence is a collection of artifacts that demonstrate your compliance with the underlying requirements
– program documentation,
– system logs,
– email records,
– interviews,
– database records, and
– many other items.
§ Consider items listed in the Measures section of the Standards

Approaches
Manual
§ Cumbersome & countless spreadsheets
§ Time consuming
§ Prone to errors
§ Drain on resources
§ Inconsistent quality
§ Difficulty in reporting
Automated
§ One system – control point
§ Saves time
§ Reduces errors
§ Reduces resource requirements
§ Consistent and repeatable
§ Real time reports

Automation
§ Automation aligns with several of the standards
– CIP-002: Asset Management (Inventory)
– CIP-004: Tying different systems into an integrated portal (HRIS, Learning, Logical Access, Physical Access)
– CIP-007: Ports and Services and Patch Management
– CIP-010: Change Configuration Management and Vulnerability Assessments

Compliance Management Framework
§ Does your framework:
– Support a uniform methodology (PM)?
– Embrace collaboration?
– Integrate methodologies and processes?
– Facilitate continuous monitoring and assessment?
– Establish clear accountability/leadership?
– Foster a culture of compliance?

Thank You!

The Role of Automation in Complying with New Standards
MetricStream
2015 MetricStream, Inc. All Rights Reserved.

Agenda
§ Best approaches to implement transition programs for NERC CIP version 5 compliance
§ Advantages of having a NERC CIP Compliance Management Framework
§ The role of automation in complying with new standards
§ Q&A

NERC CIP Compliance Management
(Diagram: "Ensuring NERC CIP Compliance" at the center, surrounded by Issue/Tasks, Training & Resources, and Threat & Vulnerability.)

Comparing Approaches for NERC CIP Compliance
Traditional Approaches | Automated System
Manual or spreadsheets | Automated system
Time consuming; RSAW production up to 2000 hrs | Click of a button; RSAW generation is automated
Error prone | Reduction in errors
More resources used | Reduced resource needs
Difficult to track changes | Change controls in place
Tough to manage records | Audit trail convenience
Limited reports & generation takes time | Real time reporting with slice and dice capability

Effective NERC CIP Compliance Program
§ Collaborative: flexible and allows for inclusions or changes as required
§ Integrated: Compliance, Risk, Policy, Control, Audit, Personnel, Training, Threat & Vulnerability etc.
§ Enforces methodology, rigor and discipline
§ Facilitates continuous assessments and captures all necessary NERC compliance data & artifacts
§ Integration with third party systems: Patch & Surveillance, SCADA, ICS, Security, HR Systems etc.
(Diagram: NERC CIP Standards at the center, linked to Compliance, Risk, Audit, Policy, Threat & Vulnerability, Issue/Task Management, and Continuous Monitoring & Improvement.)

Automate Compliance Assessment & Management
(Flow diagram: Start; Regulatory Alerts, Map Standards & Requirements; Regulatory Documentation; Compliance Assessment/Audits; Issues and Remediation; Reports Review & Approval; Self-Certification, Reporting and Filing; Executive Program Management.)

Keep up with Regulatory Changes
(Diagram: Regulatory Alert; Interpretation.)

Centralize Information Repository
§ Compliance Requirements
§ Risks & Controls
§ BES Cyber Assets
§ Threats & Vulnerabilities
§ Policies & Procedures
§ Personnel & Training
§ Access rights and privileges
§ Manage multiple versions
§ Validity dates
§ ESPs, PSPs, TFEs
§ Logs & Audit Trail
(Diagram: Library of Compliance Standards mapped to Org Structure.)

A Robust & Flexible Information Model
(Diagram of the model. Layers: Area of Compliance; Functions, Standards, Frameworks (NERC, COBIT); Processes, Guidelines (CIP, BAL, ...); References (IT Applications, Intranet links, Records, ...); Policies/Documents (NERC Reliability Standards, Corp. Policies, Corp. Procedures, Training Records); GRC Core (DMS, CMP, ERM). Worked example in the diagram: CIP-002 Cyber Asset Identification; Requirements CIP-002-R01 and BAL-001-0.1a R1; Risk Assessments; Controls and Control Tests (CIP-002-R01 Methodology); Tests & Self Assessments; Area Control Error (ACE) Threshold; Issue Mgmt; Tasks & Actions. Action plan views: Risk-Based, Requirement-Based, Business Unit-Based; Implement; Monitor.)

Collaborative Risk and Compliance Management
(Diagram. Risk Scoping: Location/Division, Statutory Group, Product Line, Commodity Group. Risk Assessment: Library of Risks (e.g., Financial; External, e.g., Political; Operational), Risk Factors, Risk Analytics, Force-Ranking of Risks, Inherent Risks. Risk Mitigation: develop strategies for lowering risk, Residual Risk, Management Consensus (gain management consensus for risk assessment). Compliance Strategy: Internal Audit, Controls, Self Audit, 3rd Party Testing.)

Facilitate BES Cyber Asset Identification
§ Create or import asset information
§ Risk based assessments to identify Cyber Assets
§ Bright line criteria
§ Threat & vulnerability assessments on assets
§ Impact analysis on assets
§ Assigning assets to specific Electronic Security Perimeters (ESPs)
§ Automate annual review approval
(Diagram: Identify and Manage Assets and Asset Ratings.)

Implement Cyber Security Management Controls
§ Define and manage controls to protect Cyber Assets
§ Manage password changes
§ Perform control assessments on a regular basis
§ Control tests to identify strength of controls
§ Notifications to appropriate officers
§ Logs and audit trail maintenance
§ Equivalent to the Self Correcting Process Improvement mentioned in Version 5
(Diagram: Implement and Assess Controls.)

Integrate Personnel & Training Management into Compliance
§ Personnel risk assessment, training, and security awareness
§ Understanding compliance regulations
§ Accepting and understanding organization policies
§ Creating and assigning competency
§ Selecting & assigning appropriate courses to employees
§ Initiate training
§ Administering tests
§ Report course completion
§ Reports: Training Gap; Training Medium, Gaps, Trained-Untrained Employee Breakup

Enforce Policies to Effectively Manage Compliance
§ Policies & procedures for implementing a physical security program
§ Setting prerequisites for granting approvals, assigning work etc.
§ Define methods, processes, and procedures for securing Cyber Assets & BES
(Diagram: Creation, Storage, Organization, Search; Creation, Review, Approval; Awareness and Training; Tracking and Visibility; Mapping to Risks and Controls; Alerts and Notifications.)

Real time Monitoring and Reporting
§ Risk intelligence by regulations & assets
§ Track NERC version and migration status
§ Monitor NERC compliance audit readiness
§ Regulatory filings, certifications

MetricStream Advantage – NERC CIP Solution
§ Best in class Governance, Risk and Compliance solutions provider
§ Platform based solution, with integrated risk, compliance, policy, issue and change management systems
§ Experience in working with numerous electric utilities in the US ranging from co-ops to investor owned
§ Built in content with controls and industry best practices
§ One-click automated RSAW generation: reduction in RSAW production times from weeks to just a few hours/days
§ Real-time visibility into the business to avoid compliance concerns

About MetricStream
Vision: Integrated Governance, Risk & Compliance (GRC) for Risk-Driven Intelligence and Better Business Performance
Solutions: NERC CIP Compliance; Risk Management; Compliance Management; Audit Management; Legal GRC; Supplier Governance; Quality Management; EHS & Sustainability; IT-GRC; Governance & Ethics
Organization: Over 1,800 employees; Headquarters in Palo Alto, California with offices worldwide; Over 335 enterprise customers; Privately held, backed by leading global VCs
Differentiators: Technology – GRC Platform, 9 patents; Breadth of solutions, single vendor for all GRC needs; Cross-industry best practices and domain knowledge; ComplianceOnline.com, largest compliance portal on the Web

MetricStream Solution Areas – ENU
(Diagram. Electric Utilities: NERC Compliance, Risk Management, Risk Based Audit Management, Issue & Incident Management, Policy Management, EH&S Incident & CAPA. Oil & Gas: Asset Integrity Management, Operational Audit Management, Audit Management. Generic Solutions: Supplier Governance, Policy & Documents, Compliance Management. MetricStream GRC Platform: GRC Foundation (Risk libraries, Control libraries, Policies, Processes, Asset mappings, Organizations, Regulations); Infrastructure (Web portal, Security, Notification engine, Reporting and Dashboards, Infolets – Integration, Offline Briefcase, Mobility – mobile API); Application Studio (Forms, Data, Workflow engine, Data Import Templates).)

…rgysec.org
Email: …er@energysec.org
Please submit your questions to the host by typing into the chat box on the lower right-hand portion of your screen.
Thank you for participating!
A copy of this presentation will be made available to all participants within the next 48 working hours.
For more details on upcoming MetricStream webinars: http://www.metricstream.com/webinars/index.htm

Thank You
Contact Us:
Website: www.metricstream.com
Email: webinar@metricstream.com
Phone: USA 1-650-620-2955; UAE 971-5072-17139; UK 44-203-318-8554
Join us on RACE Group; Follow us on Twitter; Like us on Facebook