NERC-CIP V5 and Beyond
Compliance and the Vendor’s Role
Joe Loomis, Group Leader
Embedded Systems Security Group, Intelligent Systems Department
05/02/2023 1
Outline
• Changes in V5
• Vendors, Asset Owners, and Compliance
• The Vendor’s Role
• Case Study
  o Background
  o Compliance Roadmap Development Approach
  o Test Plan
• Beyond Version 5
• Conclusion
Audience Survey
• Asset Owners?
• Vendors?
• Compliance and Auditing?
Changes in Version 5
• Bright-line criteria for identifying Critical Cyber Assets (CCA)
• Risk Assessment Process
• Terminology
• Guidance and Technical Basis (GTB)
Vendors, Asset Owners and Compliance
• Standards apply to entity Facilities that are part of the Bulk Electric System (BES)
• Compliance is the sole responsibility of the Asset Owner of the Facility
• Vendor’s product deployed in a Facility may be considered part of a BES Cyber System
• Asset Owner responsible for demonstrating compliance of product…
The Vendor’s Role
• Asset Owners often rely on technical data from the Vendor to demonstrate compliance
• As a Vendor, you may want to provide technical data to the Asset Owner to support a compliance audit
• Question: What requirements may the Vendor’s product be subject to? (to furnish technical data)
Case Study
Vendor of a Bulk Cyber System Technology
Background
• Vendor currently has a product which may be used within a BCS
• Asset Owners request that Vendor furnish technical data to prove that product can meet NERC-CIP V5 requirements
• Vendor approached SwRI to help understand requirements and develop technical data
• Product Details: Provides protocol level translation (e.g., DNP3, MODBus), analytics, and edge processing
Outline of Approach
• Compliance Roadmap
  o Determine requirements applicability
  o Assess current state of compliance
  o Develop guidance on what technical information may need to be generated, or what product updates may be needed
• Test Plan
  o Based on requirements, develop test cases to verify compliance in-house and also through a third party
Compliance Roadmap Development
• Categorize System
  o Impact Criteria of BES Cyber System? Low, Medium, High
  o Determine what Cyber Asset category or categories the product fits in
• Map to Requirements
  o Based directly on Impact and Cyber Asset category
• Assess State of Compliance
  o Review product documentation, development documentation, and software, and conduct interviews with developers
• Develop Guidance
  o Based on the Requirement’s Guidance and Technical Basis (GTB) and professional experience
Categorization
• Categorization of the requirements affecting the Product is based on the Facility where the Product is deployed (CIP-002-5.1) and the type of system the Product is a part of:
  o Impact Criteria: High, Medium, and (Low)
  o Cyber Asset Category: “EACMS”, “PACS”, “PCA”
• Since the Vendor does not know where their Product will be deployed, conservatively assume High Impact criteria
• Cyber Asset Category is based on actual product function and usage. In this case the Product is a Protected Cyber Asset (“PCA”)
Mapping
• Each Requirement in the standard specifies the Impact Criteria and associated system
Mapping Criteria
• Based on the Vendor’s product, create a Matrix which maps to the Requirements
• Determine applicability criteria and later assess state of compliance
Mapping Matrix
• Vendor solution column indicates which requirements apply
• Product column indicates state of compliance (redacted)
Developing Guidance
• Based on professional experience performing security assessments and the Requirement Guidance and Technical Basis (GTB) sections
  o Note that GTB sections are not legally binding and are only one way of interpreting the standards
Test Plan
• Provides tests for the Product to determine if it meets requirements
• Based on SwRI’s risk-based assessment methodology
• May include tests for vulnerabilities that go beyond CIP requirements
• Can be executed by the vendor during development or by a trusted Third Party
Beyond Version 5
• Version 6 Filed and Pending Approval
• Version 7 – Final Draft 02/02/15 – Not Yet Filed
Version 6 Major Changes
• Identifies, Assesses, and Corrects Removed
• (New) CIP-006-6 – R1.10 – Physical Security for Cabling …. Or
Version 7 Changes (1 of 3)
• New Terms: LERC and LEAP
Version 7 Changes (2 of 3)
• Definition for Transient Cyber Asset
• Definition for Removable Media
Version 7 Changes (3 of 3)
• CIP-010-3 – R4 – Transient Cyber Asset and Removable Media Plan
  o 1.1 – Transient Cyber Asset Management ...
  o 1.3 – Software Vulnerability Mitigation
  o 1.4 – Introduction of Malicious Code Mitigation
  o -- Similar to Section 2
  o 2.1 – Software Vulnerabilities Mitigation
  o 2.2 – Introduction of Malicious Code Mitigation
Final Thoughts
Conclusion
• For more information please contact
  o Joe Loomis
  o [email protected]
  o (210)-522-3367
Custom solutions that immediately improve security