Supply Chain Risk Management - texasre.org Chain Risk... · SUPPLY CHAIN RISK MANAGEMENT PLAN(S)...

Kenath Carver — Manager, CIP Compliance Monitoring

Supply Chain Risk Management

Effective July 1, 2020

Meeting Title

SUPPLY CHAIN RISK MANAGEMENT

PLAN(S)

CIP-013-1

Spring Standards and Compliance Workshop

April 25, 2019

CIP-013-1 Applicability

April 25, 2019

BES Cyber Systems

High Medium

Contracts

No renegotiation or abrogation

Beyond the scope of R2

Actual terms and conditions

Vendor performance

and adherence

CIP-013-1 R1 Discussion

April 25, 2019

NERC Supply Chain Report

Excluding monitoring and logging

Excluding alarming and

logging

No modification

needed

Low impact BES Cyber Systems

Voluntary

CIP-013-1 R1 1.1

April 25, 2019

Identify and Assess Cyber Security Risk(s)

Planning Procurement of BES Cyber Systems

Vendor products or services

• (i) Procuring and installing vendor equipment and software

• (ii)Transitions from one vendor(s) to another vendor(s)

CIP-013-1 R1 1.1 Discussion

April 25, 2019

Existing Inventory

Restocking Inventory

Emergency Purchases

Upgrades

• Software

• Hardware

CIP-013-1 R1 1.1 Audit Approach

Does the Entity Have Process(es)?

Does the Process(es) Address How the Entity Will Identify and Assess Cyber Security Risk(s)?

• Framework

Does the Process(es) Address How the Entity Will Mitigate These Risks when Planning for BES Cyber Systems?

April 25, 2019

CIP-013-1 R1 1.1 and R2 Audit Approach

Is the Entity Planning to Procure BES Cyber Systems?

What Cyber Security Risk(s) Were Identified and Assessed?

Were the Cyber Security Risk(s) Mitigated?

Is the Entity Monitoring Cyber Security Risk(s)?

Contracts

April 25, 2019

Is There a Project Plan and/or Change Request?

• Detailed description

• Equipment

• Software

• Vendor(s) transitions

• Essential dates

• Start

• End

Sample Sets

April 25, 2019

CIP-013-1 R1 1.2

April 25, 2019

Notification

Vendor-identified incidents

Remote or onsite access should no longer be granted

Coordination

Vendor-identified incidents

Disclosure

Known vulnerabilities

Verification

Integrity and authenticity of all

software and patches

When is Procurement Completed?

• Bidding process complete and terms agreed

• Contract(s) approved

• Project plan/change request completed

Applicable after Procurement?

• Yes

• Electronic or physical

Contracts

April 25, 2019

Does the Process(es) Address How the Entity Will Implement 1.2.1-1.2.6?

April 25, 2019

Is the Entity Procuring BES Cyber Systems?

Has the Entity Procured BES Cyber Systems?

Does the Entity Have Evidence that 1.2 (1.2.1-1.2.6) Was Implemented?

• Correspondence

• Emails

• Notification

• Alerts

• Call logs

• Voicemail

• Contracts

April 25, 2019

Is There a Project Plan and/or Change Request?

• Detailed description

• Equipment

• Software

• Vendor(s) transitions

• Essential dates (procuring/procured)

• Start

• End

Sample Sets

April 25, 2019

CIP-013-1 R3

April 25, 2019

CIP Senior Manager or Delegate Approval

15 calendar months

CIP-013-1 R3 Audit Approach

April 25, 2019

Did a CIP Senior Manager or delegate approve the supply chain cyber security risk management plan(s) on or before July 1, 2020?

Did a CIP Senior Manager or delegate approve the supply chain cyber security risk management plan(s) at least once every 15 calendar months?

VENDOR REMOTE ACCESS

CIP-005-6

April 25, 2019

CIP-005-6 Applicability

April 25, 2019

BES Cyber Systems

HighMedium w/ERC

CIP-005-6 R2 2.4-2.5

April 25, 2019

CIP-005-6 R2 2.4-2.5

April 25, 2019

CIP-005-6 R2 2.4-2.5 Discussion

Parts 2.1-2.3

• Intermediate System

• Encryption that terminates at Intermediate System

• Multi-factor authentication

All Vendor Remote Access Sessions

• User-initiated

• Machine-to-machine

Vendors, Consultants, and Contractors

You Do Not Have to Allow (Interactive Remote Access or System-to-System)

April 25, 2019

System-to-System Remote Access

• Not defined

• Could be non-routable protocol

• Scripts, batch jobs, cron jobs (Linux), executables, custom software

• Encryption

• Multi-factor authenticationSpring Standards and Compliance Workshop

April 25, 2019

Disable?

•No longer needed

•System breach

•Compromise

•DisruptionSpring Standards and Compliance Workshop

April 25, 2019

CIP-005-6 R2 2.4-2.5 Audit Approach

Does the Process(es) Address How the Entity Will Implement 2.4 and 2.5?

Sample Sets

Does the Entity Have Evidence the Methods are Enabled or Implemented?

• Configurations

• Firewall, switch, router, Intermediate System, etc.

• Software

• Remote access tools

• ACLs, rules

• IDS/IPS

• Ports and services

• Multi-factor authentication

• Permissions

• Network Access Control (NAC)

April 25, 2019

• Logs

• Alerts

• Screenshots

• Video

• Audio

• Change request tickets

SOFTWARE AND PATCH INTEGRITY

AND AUTHENTICITY

CIP-010-3

April 25, 2019

CIP-010-3 R1 Applicability

April 25, 2019

BES Cyber Systems

High Medium

CIP-010-3 R1 1.6

April 25, 2019

!ABC123# !ABC123#

April 25, 2019

1.1.1. Operating system(s)

(including version) or firmware where

no independent operating system

exists;

1.1.2. Any commercially

available or open-source application software (including

version) intentionally

installed;

1.1.5. Any security patches applied.

Change Requests

• Essential dates

• Screenshots

• Completed forms

• Reports

• Approvals

Third-Party Accreditation

Open-Source May Be Difficult to Verify

April 25, 2019

Part 1.1

Baseline configuration

Part 1.2

Authorized and documented change

Part 1.4

Prior to the change

Determine cyber security controls

Part 1.5

Prior to the change

Test in test environment or

production

Document the results and any

differences between test and production

Part 1.6

Prior to the change

Verify identity of source and integrity

of software

Part 1.4

Following the change

Verify cyber security controls are not

adversely affected

Document the results

Part 1.3

Baseline configuration

updated within 30 days of change

High and medium BCS,

EACMS, PACS, PCA

High BCS High and medium

BCSHigh and medium BCS,

EACMS, PACS, PCA

Does the Process(es) Address How the Entity Will Implement 1.6?

Sample Sets

Does the Entity Have Evidence That 1.6 Was Implemented?

• Vendor Chain of Custody forms

• Vendor documentation

• Digital Certificates

• Encrypted transmission

• Hash/Checksum value verification

April 25, 2019

• Signed Code

• Vulnerability management tools

• Whitelisting tools

• Baseline tools

If the Method to Do So Is Unavailable, Does the Entity Have Evidence?

• Logs

• Reports

• Screenshots

• Change request details

April 25, 2019

SUPPLY CHAIN MANAGEMENT

POTENTIAL RELATIONSHIPS

April 25, 2019

Verification of Software and Patches

CIP-013-1 R1

• 1.2.5

CIP-007-6 R2

• 2.1-2.4

CIP-010-3 R1

• 1.1-1.6

April 25, 2019

Vendor Remote Access

April 25, 2019

CIP-013-1 R1 1.2.6

CIP-004-6 R1-R5

CIP-005-6 R2 2.1-2.5

CIP-007-6 R4

CIP-007-6 R5

CIP-010-3 R4 Sections 1, 2,

and 3 (TCA and RM)

CIP Senior Manager or Delegate

April 25, 2019

CIP-013-1 R3

CIP-003-7 R3 and

Replacement or Upgrade of SCADA

April 25, 2019

CIP-013-1

Certification

Questions?

April 25, 2019

Supply Chain Risk Management - texasre.org Chain Risk... · SUPPLY CHAIN RISK MANAGEMENT PLAN(S)...

Documents

Supply Chain Risk Management - riskmethods.net BME Supply Chain Risk... · SUPPLY CHAIN RISK MANAGEMENT HERAUSFORDERUNGEN UND STATUS QUO Ergebnisse einer gemeinsamen Umfrage von riskmethods

Managing supply chain risk for reward: How businesses are responding to supply-chain risk

Supply Chain Risk Solutions - clresearch.com Chain Risk Solutions...Supply Chain Risk Solutions: A Market Overview. By Bill McBeath . As critical as supply chain risk management has

Risk Mangment in Supply Chain

A Review of Supply Chain Risk Management: Definition ......sustainable supply chain management, supply chain risk & resilience, supply chain flexibility, and production planning &

Supply Chain Risk Mitigation

Mitigating Supply Chain Risk

Why eat low on the food chain from 2010 cip talk

Supply Chain Risk Management in the Swedish Armed … · Master Degree Project in Logistics and Transport Management . Supply Chain Risk Management in the . ... Supply Chain Risk

Risk management in supply chain

SUPPLY CHAIN NETWORK DESIGN: RISK-AVERSE VS. RISK …

Managing supply chain risk - A HCL perspective · MANAGING RISK ACROSS THE SUPPLY CHAIN 4 SUPPLY CHAIN RISK MANAGEMENT (SCRM) 7 THE FOUNDATION—SUPPLY CHAIN VISIBILITY 8 HOW HCL

insights - The Atlanticcdn.theatlantic.com/.../zurich-risk/SupplyChainRiskInsights_Zurich.pdf · Supply Chain Risk Insights Protecting your value chain insights SUPPLY CHAIN RISK

the cip report · the cip report ... 3 In keeping with the two-person risk-pooling example discussed above, ... Size on Risk Diversification. The CIP Report September 2014 4

Supply Chain Risk Assessments

Supply Chain Risk Assessment - CNNadvertisementfeature.cnn.com/zurich/ir/pdf/Supply Chain Risk Asses… · management, relationships, IP issues, skills, experience. See Supply Chain

Lecture 3: Supply Chain Risk Management 3: Supply Chain Risk Management ... Supply Chain Risk Management Such supply chain risks are directly ... Supply Chain Professor Anna Nagurney

Software Supply Chain Risks and Mitigations for NERC CIP

Supply Chain Risk Mitigation - NUS - TLIAP … · III. Supply Chain Risk Management with Demand Uncertainty: Bilevel Multi-criteria Game ... supply chain risk mitigation strategies

Supply Chain Risk