Supply Chain Risk Management - texasre.org Chain Risk... · SUPPLY CHAIN RISK MANAGEMENT PLAN(S) CIP-013-1 Spring Standards and Compliance Workshop April 25, 2019 . 3 CIP-013-1 Applicability

Kenath Carver — Manager, CIP Compliance Monitoring

Supply Chain Risk Management

Effective July 1, 2020

Meeting Title

Date

2

SUPPLY CHAIN RISK MANAGEMENT

PLAN(S)

CIP-013-1

Spring Standards and Compliance Workshop

April 25, 2019

3

CIP-013-1 Applicability


April 25, 2019

BES Cyber Systems

High Medium

Contracts

No renegotiation or abrogation

Beyond the scope of R2

Actual terms and conditions

Vendor performance

and adherence

4

CIP-013-1 R1 Discussion


April 25, 2019

NERC Supply Chain Report

EACMS

Excluding monitoring and logging

PACS

Excluding alarming and

logging

PCA

No modification

needed

Low impact BES Cyber Systems

Voluntary

5

CIP-013-1 R1 1.1


April 25, 2019

Identify and Assess Cyber Security Risk(s)

Planning Procurement of BES Cyber Systems

Vendor products or services

• (i) Procuring and installing vendor equipment and software

• (ii)Transitions from one vendor(s) to another vendor(s)

6

CIP-013-1 R1 1.1 Discussion


April 25, 2019

Existing Inventory

Restocking Inventory

Emergency Purchases

Upgrades

• Software

• Hardware

7

CIP-013-1 R1 1.1 Audit Approach

Does the Entity Have Process(es)?

Does the Process(es) Address How the Entity Will Identify and Assess Cyber Security Risk(s)?

• Framework

Does the Process(es) Address How the Entity Will Mitigate These Risks when Planning for BES Cyber Systems?


April 25, 2019

8

CIP-013-1 R1 1.1 and R2 Audit Approach

Is the Entity Planning to Procure BES Cyber Systems?

What Cyber Security Risk(s) Were Identified and Assessed?

Were the Cyber Security Risk(s) Mitigated?

Is the Entity Monitoring Cyber Security Risk(s)?

Contracts


April 25, 2019

9


Is There a Project Plan and/or Change Request?

• Detailed description

• Equipment

• Software

• Vendor(s) transitions

• Essential dates

• Start

• End

Sample Sets


April 25, 2019

10

CIP-013-1 R1 1.2


April 25, 2019

Notification

Vendor-identified incidents

Remote or onsite access should no longer be granted

Coordination

Vendor-identified incidents

Disclosure

Known vulnerabilities

Verification

Integrity and authenticity of all

software and patches

11


When is Procurement Completed?

• Bidding process complete and terms agreed

• Contract(s) approved

• Project plan/change request completed

Applicable after Procurement?

• Yes

1.2.3

• Electronic or physical

Contracts


April 25, 2019

12



Does the Process(es) Address How the Entity Will Implement 1.2.1-1.2.6?


April 25, 2019

13


Is the Entity Procuring BES Cyber Systems?

Has the Entity Procured BES Cyber Systems?

Does the Entity Have Evidence that 1.2 (1.2.1-1.2.6) Was Implemented?

• Correspondence

• Emails

• Notification

• Alerts

• Call logs

• Voicemail

• Contracts


April 25, 2019

14


Is There a Project Plan and/or Change Request?

• Detailed description

• Equipment

• Software

• Vendor(s) transitions

• Essential dates (procuring/procured)

• Start

• End

Sample Sets


April 25, 2019

15

CIP-013-1 R3


April 25, 2019

CIP Senior Manager or Delegate Approval

15 calendar months

16

CIP-013-1 R3 Audit Approach


April 25, 2019

Did a CIP Senior Manager or delegate approve the supply chain cyber security risk management plan(s) on or before July 1, 2020?

Did a CIP Senior Manager or delegate approve the supply chain cyber security risk management plan(s) at least once every 15 calendar months?

17

VENDOR REMOTE ACCESS

CIP-005-6


April 25, 2019

18

CIP-005-6 Applicability


April 25, 2019

BES Cyber Systems

HighMedium w/ERC

PCA

19

CIP-005-6 R2 2.4-2.5


April 25, 2019

20

CIP-005-6 R2 2.4-2.5


April 25, 2019

21

CIP-005-6 R2 2.4-2.5 Discussion

Parts 2.1-2.3

• Intermediate System

• Encryption that terminates at Intermediate System

• Multi-factor authentication

All Vendor Remote Access Sessions

• User-initiated

• Machine-to-machine

Vendors, Consultants, and Contractors

You Do Not Have to Allow (Interactive Remote Access or System-to-System)


April 25, 2019

22


System-to-System Remote Access

• Not defined

• Could be non-routable protocol

• Scripts, batch jobs, cron jobs (Linux), executables, custom software

• Encryption

• Multi-factor authenticationSpring Standards and Compliance Workshop

April 25, 2019

23


Disable?

•No longer needed

•System breach

•Compromise

•DisruptionSpring Standards and Compliance Workshop

April 25, 2019

24

CIP-005-6 R2 2.4-2.5 Audit Approach


Does the Process(es) Address How the Entity Will Implement 2.4 and 2.5?

Sample Sets

Does the Entity Have Evidence the Methods are Enabled or Implemented?

• Configurations

• Firewall, switch, router, Intermediate System, etc.

• Software

• Remote access tools

• ACLs, rules

• IDS/IPS

• Ports and services

• Multi-factor authentication

• Permissions

• Network Access Control (NAC)


April 25, 2019

• Logs

• Alerts

• Screenshots

• Video

• Audio

• Change request tickets

25

SOFTWARE AND PATCH INTEGRITY

AND AUTHENTICITY

CIP-010-3


April 25, 2019

26

CIP-010-3 R1 Applicability


April 25, 2019

BES Cyber Systems

High Medium

27

CIP-010-3 R1 1.6


April 25, 2019

!ABC123# !ABC123#

28



April 25, 2019

1.1.1. Operating system(s)

(including version) or firmware where

no independent operating system

exists;

1.1.2. Any commercially

available or open-source application software (including

version) intentionally

installed;

1.1.5. Any security patches applied.

29


Change Requests

• Essential dates

• Screenshots

• Completed forms

• Reports

• Approvals

Third-Party Accreditation

Open-Source May Be Difficult to Verify


April 25, 2019

30



April 25, 2019

Part 1.1

Baseline configuration

Part 1.2

Authorized and documented change

Part 1.4

Prior to the change

Determine cyber security controls

Part 1.5

Prior to the change

Test in test environment or

production

Document the results and any

differences between test and production

Part 1.6

Prior to the change

Verify identity of source and integrity

of software

Part 1.4

Following the change

Verify cyber security controls are not

adversely affected

Document the results

Part 1.3

Baseline configuration

updated within 30 days of change

High and medium BCS,

EACMS, PACS, PCA

High BCS High and medium

BCSHigh and medium BCS,

EACMS, PACS, PCA

31



Does the Process(es) Address How the Entity Will Implement 1.6?

Sample Sets

Does the Entity Have Evidence That 1.6 Was Implemented?

• Vendor Chain of Custody forms

• Vendor documentation

• Digital Certificates

• Encrypted transmission

• Hash/Checksum value verification


April 25, 2019

• Signed Code

• Vulnerability management tools

• Whitelisting tools

• Baseline tools

32


If the Method to Do So Is Unavailable, Does the Entity Have Evidence?

• Logs

• Reports

• Screenshots

• Change request details


April 25, 2019

33

SUPPLY CHAIN MANAGEMENT

POTENTIAL RELATIONSHIPS


April 25, 2019

34

Verification of Software and Patches

CIP-013-1 R1

• 1.2.5

CIP-007-6 R2

• 2.1-2.4

CIP-010-3 R1

• 1.1-1.6


April 25, 2019

35

Vendor Remote Access


April 25, 2019

CIP-013-1 R1 1.2.6

CIP-004-6 R1-R5

CIP-005-6 R2 2.1-2.5

CIP-007-6 R4

CIP-007-6 R5

CIP-010-3 R4 Sections 1, 2,

and 3 (TCA and RM)

36

CIP Senior Manager or Delegate


April 25, 2019

CIP-013-1 R3

CIP-003-7 R3 and

R4

37

Replacement or Upgrade of SCADA


April 25, 2019

TOP

CIP-013-1

Certification

38

Questions?


April 25, 2019

Documents

Supply Chain Risk Management - texasre.org Chain Risk... · SUPPLY CHAIN RISK MANAGEMENT PLAN(S) CIP-013-1 Spring Standards and Compliance Workshop April 25, 2019 . 3 CIP-013-1 Applicability