Kenath Carver — Manager, CIP Compliance Monitoring
Supply Chain Risk Management
Effective July 1, 2020
2
SUPPLY CHAIN RISK MANAGEMENT PLAN(S)
CIP-013-1
Spring Standards and Compliance Workshop
April 25, 2019
3
CIP-013-1 Applicability
BES Cyber Systems
• High and Medium
Contracts
• No renegotiation or abrogation
Beyond the scope of R2
• Actual terms and conditions
• Vendor performance and adherence
4
CIP-013-1 R1 Discussion
NERC Supply Chain Report
• EACMS: excluding monitoring and logging
• PACS: excluding alarming and logging
• PCA: no modification needed
• Low impact BES Cyber Systems: voluntary
5
CIP-013-1 R1 1.1
Identify and Assess Cyber Security Risk(s)
Planning Procurement of BES Cyber Systems
Vendor products or services
• (i) Procuring and installing vendor equipment and software
• (ii) Transitions from one vendor(s) to another vendor(s)
6
CIP-013-1 R1 1.1 Discussion
Existing Inventory
Restocking Inventory
Emergency Purchases
Upgrades
• Software
• Hardware
7
CIP-013-1 R1 1.1 Audit Approach
Does the Entity Have Process(es)?
Does the Process(es) Address How the Entity Will Identify and Assess Cyber Security Risk(s)?
• Framework
Does the Process(es) Address How the Entity Will Mitigate These Risks when Planning for BES Cyber Systems?
8
CIP-013-1 R1 1.1 and R2 Audit Approach
Is the Entity Planning to Procure BES Cyber Systems?
What Cyber Security Risk(s) Were Identified and Assessed?
Were the Cyber Security Risk(s) Mitigated?
Is the Entity Monitoring Cyber Security Risk(s)?
Contracts
9
CIP-013-1 R1 1.1 and R2 Audit Approach
Is There a Project Plan and/or Change Request?
• Detailed description
  • Equipment
  • Software
  • Vendor(s) transitions
• Essential dates
  • Start
  • End
Sample Sets
10
CIP-013-1 R1 1.2
Notification
• Vendor-identified incidents
• Remote or onsite access should no longer be granted
Coordination
• Vendor-identified incidents
Disclosure
• Known vulnerabilities
Verification
• Integrity and authenticity of all software and patches
11
CIP-013-1 R1 1.2 Discussion
When is Procurement Completed?
• Bidding process complete and terms agreed
• Contract(s) approved
• Project plan/change request completed
Applicable after Procurement?
• Yes
1.2.3
• Electronic or physical
Contracts
12
CIP-013-1 R1 1.2 Audit Approach
Does the Entity Have Process(es)?
Does the Process(es) Address How the Entity Will Implement 1.2.1-1.2.6?
13
CIP-013-1 R1 1.2 and R2 Audit Approach
Is the Entity Procuring BES Cyber Systems?
Has the Entity Procured BES Cyber Systems?
Does the Entity Have Evidence that 1.2 (1.2.1-1.2.6) Was Implemented?
• Correspondence
• Emails
• Notification
• Alerts
• Call logs
• Voicemail
• Contracts
14
CIP-013-1 R1 1.2 and R2 Audit Approach
Is There a Project Plan and/or Change Request?
• Detailed description
  • Equipment
  • Software
  • Vendor(s) transitions
• Essential dates (procuring/procured)
  • Start
  • End
Sample Sets
15
CIP-013-1 R3
CIP Senior Manager or Delegate Approval
15 calendar months
16
CIP-013-1 R3 Audit Approach
Did a CIP Senior Manager or delegate approve the supply chain cyber security risk management plan(s) on or before July 1, 2020?
Did a CIP Senior Manager or delegate approve the supply chain cyber security risk management plan(s) at least once every 15 calendar months?
17
VENDOR REMOTE ACCESS
CIP-005-6
18
CIP-005-6 Applicability
BES Cyber Systems
• High
• Medium w/ERC
PCA
19
CIP-005-6 R2 2.4-2.5
20
CIP-005-6 R2 2.4-2.5
21
CIP-005-6 R2 2.4-2.5 Discussion
Parts 2.1-2.3
• Intermediate System
• Encryption that terminates at Intermediate System
• Multi-factor authentication
All Vendor Remote Access Sessions
• User-initiated
• Machine-to-machine
Vendors, Consultants, and Contractors
You Do Not Have to Allow (Interactive Remote Access or System-to-System)
22
CIP-005-6 R2 2.4-2.5 Discussion
System-to-System Remote Access
• Not defined
• Could be non-routable protocol
• Scripts, batch jobs, cron jobs (Linux), executables, custom software
• Encryption
• Multi-factor authentication
23
CIP-005-6 R2 2.4-2.5 Discussion
Disable?
• No longer needed
• System breach
• Compromise
• Disruption
24
CIP-005-6 R2 2.4-2.5 Audit Approach
Does the Entity Have Process(es)?
Does the Process(es) Address How the Entity Will Implement 2.4 and 2.5?
Sample Sets
Does the Entity Have Evidence the Methods are Enabled or Implemented?
• Configurations
  • Firewall, switch, router, Intermediate System, etc.
• Software
  • Remote access tools
• ACLs, rules
• IDS/IPS
• Ports and services
• Multi-factor authentication
• Permissions
• Network Access Control (NAC)
• Logs
• Alerts
• Screenshots
• Video
• Audio
• Change request tickets
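One way an entity could evidence a method for determining active vendor remote access sessions (Part 2.4) and selecting sessions to disable (Part 2.5), as an added example that is not from the presentation. The Intermediate System log format, the account names and the vendor account list are all constructed assumptions.

```python
# Added example (not from the presentation): replay a constructed Intermediate
# System session log to determine which vendor remote access sessions are
# active (CIP-005-6 R2 Part 2.4) and which to terminate (Part 2.5).
# The log format, account naming and vendor list are assumptions.

# Constructed: vendor accounts known from the entity's access authorization records.
VENDOR_ACCOUNTS = {
    "vend_acme_jsmith": "ACME (user-initiated)",
    "svc_acme_sync": "ACME (machine-to-machine)",
}

# Constructed log lines: <ISO time> <session-id> <OPEN|CLOSE> <account> <src> -> <dst>
SESSION_LOG = """\
2019-04-25T13:00:10Z s1 OPEN  vend_acme_jsmith 203.0.113.7 -> relay01
2019-04-25T13:02:00Z s2 OPEN  ops_operator1    10.1.1.5    -> hmi02
2019-04-25T13:05:30Z s3 OPEN  svc_acme_sync    203.0.113.9 -> historian
2019-04-25T13:40:00Z s1 CLOSE vend_acme_jsmith 203.0.113.7 -> relay01
2019-04-25T13:45:00Z s4 OPEN  vend_acme_jsmith 203.0.113.7 -> relay02
"""

def active_sessions(log: str) -> dict:
    """Replay OPEN/CLOSE events in order; return the sessions still open, keyed by id."""
    open_sessions = {}
    for line in log.splitlines():
        ts, sid, event, account, src, _, dst = line.split()
        if event == "OPEN":
            open_sessions[sid] = {"since": ts, "account": account, "src": src, "dst": dst}
        elif event == "CLOSE":
            open_sessions.pop(sid, None)
    return open_sessions

def active_vendor_sessions(log: str) -> dict:
    """Part 2.4: the subset of active sessions (user-initiated or machine-to-machine)
    that belong to vendor accounts, annotated with the vendor they map to."""
    return {sid: dict(s, vendor=VENDOR_ACCOUNTS[s["account"]])
            for sid, s in active_sessions(log).items()
            if s["account"] in VENDOR_ACCOUNTS}

def sessions_to_disable(log: str, reason: str, accounts=None) -> list:
    """Part 2.5: active vendor sessions selected for termination, with the reason
    recorded for the audit trail. With no account filter (e.g. reason 'system
    breach'), every active vendor session is selected."""
    return [{"session": sid, "account": s["account"], "reason": reason}
            for sid, s in active_vendor_sessions(log).items()
            if accounts is None or s["account"] in accounts]

if __name__ == "__main__":
    print(active_vendor_sessions(SESSION_LOG))
    print(sessions_to_disable(SESSION_LOG, "no longer needed", {"svc_acme_sync"}))
```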
25
SOFTWARE AND PATCH INTEGRITY AND AUTHENTICITY
CIP-010-3
26
CIP-010-3 R1 Applicability
BES Cyber Systems
• High and Medium
27
CIP-010-3 R1 1.6
[Figure: two values shown side by side for comparison: !ABC123# !ABC123#]
28
CIP-010-3 R1 1.6 Discussion
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.5. Any security patches applied.
29
CIP-010-3 R1 1.6 Discussion
Change Requests
• Essential dates
• Screenshots
• Completed forms
• Reports
• Approvals
Third-Party Accreditation
Open-Source May Be Difficult to Verify
30
CIP-010-3 R1 1.6 Discussion
Part 1.1: Baseline configuration
Part 1.2: Authorized and documented change
Part 1.4 (prior to the change): Determine cyber security controls
Applicable systems (Parts 1.1, 1.2, 1.4): High and medium BCS, EACMS, PACS, PCA
Part 1.5 (prior to the change): Test in test environment or production; document the results and any differences between test and production
Applicable systems (Part 1.5): High BCS
Part 1.6 (prior to the change): Verify identity of source and integrity of software
Applicable systems (Part 1.6): High and medium BCS
Part 1.4 (following the change): Verify cyber security controls are not adversely affected; document the results
Part 1.3: Baseline configuration updated within 30 days of change
Applicable systems (Parts 1.4, 1.3): High and medium BCS, EACMS, PACS, PCA
31
CIP-010-3 R1 1.6 Audit Approach
Does the Entity Have Process(es)?
Does the Process(es) Address How the Entity Will Implement 1.6?
Sample Sets
Does the Entity Have Evidence That 1.6 Was Implemented?
• Vendor Chain of Custody forms
• Vendor documentation
• Digital Certificates
• Encrypted transmission
• Hash/Checksum value verification
• Signed Code
• Vulnerability management tools
• Whitelisting tools
• Baseline tools
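One way to generate the hash/checksum verification evidence listed above, and to record the case where the vendor supplies no checksum so the method is unavailable, as an added example that is not from the presentation. The patch bytes, the vendor checksum file and the change request identifier are constructed placeholders.

```python
# Added example (not from the presentation): evidence that a vendor patch's
# integrity was verified prior to the change, per CIP-010-3 R1 Part 1.6.
# All inputs are constructed; "CR-2019-0425" and the checksum file are placeholders.
import hashlib
import hmac
from datetime import datetime, timezone

def parse_sha256sums(text: str) -> dict:
    """Parse lines in the common `sha256sum` output format: '<hex>  <filename>'.
    Blank lines, comments and malformed lines are ignored."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) == 64 and name:
            published[name.strip()] = digest.lower()
    return published

def verify_patch(name: str, data: bytes, published: dict, change_request: str) -> dict:
    """Return an evidence record for the change request. result 'match' means the
    change may proceed; 'MISMATCH' blocks it; 'method unavailable' (no vendor
    checksum) is the case where other evidence must be kept instead."""
    computed = hashlib.sha256(data).hexdigest()
    record = {
        "change_request": change_request,
        "artifact": name,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "computed_sha256": computed,
    }
    expected = published.get(name)
    if expected is None:
        record.update(method=None, result="method unavailable", proceed=False)
        return record
    match = hmac.compare_digest(computed, expected)
    record.update(method="sha256 checksum", published_sha256=expected,
                  result="match" if match else "MISMATCH", proceed=match)
    return record

# Constructed sample: a "patch" payload and the vendor's published checksum file.
PATCH_GOOD = b"relay-firmware-2.3.1\n"
VENDOR_SUMS = ("# published by vendor (constructed)\n"
               f"{hashlib.sha256(PATCH_GOOD).hexdigest()}  relay-fw-2.3.1.bin\n")

if __name__ == "__main__":
    sums = parse_sha256sums(VENDOR_SUMS)
    print(verify_patch("relay-fw-2.3.1.bin", PATCH_GOOD, sums, "CR-2019-0425"))
    print(verify_patch("relay-fw-2.3.1.bin", PATCH_GOOD + b"x", sums, "CR-2019-0425"))
    print(verify_patch("hmi-2.0.exe", b"no checksum published", sums, "CR-2019-0426"))
```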
32
CIP-010-3 R1 1.6 Audit Approach
If the Method to Do So Is Unavailable, Does the Entity Have Evidence?
• Logs
• Reports
• Screenshots
• Change request details
33
SUPPLY CHAIN MANAGEMENT POTENTIAL RELATIONSHIPS
34
Verification of Software and Patches
CIP-013-1 R1
• 1.2.5
CIP-007-6 R2
• 2.1-2.4
CIP-010-3 R1
• 1.1-1.6
35
Vendor Remote Access
CIP-013-1 R1 1.2.6
CIP-004-6 R1-R5
CIP-005-6 R2 2.1-2.5
CIP-007-6 R4
CIP-007-6 R5
CIP-010-3 R4 Sections 1, 2, and 3 (TCA and RM)
36
CIP Senior Manager or Delegate
CIP-013-1 R3
CIP-003-7 R3 and R4
37
Replacement or Upgrade of SCADA
TOP
CIP-013-1
Certification
38
Questions?