CIP-014-1: An Overview Nick Weber, CPP, PSP Compliance Auditor, Physical and Cyber Security

Transcription

CIP-014-1: An Overview Nick Weber, CPP, PSP Compliance Auditor, Physical and Cyber Security
CIP-014-1: An Overview
Nick Weber, CPP, PSP
Compliance Auditor,
Physical and Cyber Security
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
Speaker Intro:
Nick Weber, CPP, PSP
• 17 Years first responder, military, and security experience
– US Army Reserve Information Operations (Cyber)
• Network Defense Team Leader
• Dynamic Defense Deputy Team Leader
– US Department of Homeland Security
• Energy Sector Specialist
• Site Assistance Visit Team Leader
– US Army Cavalry Officer
• OIF veteran
• Bronze Star Medal
• National Training Center (NTC) Opposing Force (OPFOR)
– Account Manager at a security guard provider
– Wildland firefighter
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
Physical Security: Who Cares?
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 Introduction
What it is:
– Physical security of transmission stations and transmission substations,
and their associated primary control centers, that if rendered inoperable
or damaged as a result of a physical attack could result in widespread
instability, uncontrolled separation or cascading within an
Interconnection.
What it is not:
An extension of or related to CIP-006
Critical Cyber Asset/Protected Cyber Asset based
A limit to physical security measures
A one-size-fits all approach to physical security
–
–
–
–
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 Introduction
It may be helpful to view and manage CIP-014-1 as two major
components.
W
E
R1: Applicability and Risk
Assessment
R4: Threat and Vulnerability
Assessment
R2: Unaffiliated Review
R5: Security Plan
R3: Control Center
Notification
R6: Unaffiliated Review
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 Process Overview
R2:
Unaffiliated
Review
R1:
Applicability
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
R5: Develop
a Security
Plan
R4: Conduct
Threat and
Vulnerability
Assessment
R3: Notify
Control
Centers
C
O
O
R
D
I
R6:
Unaffiliated
Review
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 Identification
R1: Does
Station/Substation
meet 4.1.1 criteria?
(R1)
Could
Station/Substation
cause instability,
uncontrolled
separation, or
cascading? (R1)
Yes
No
Does the
unaffiliated 3rd
party reviewer
concur? (R2)
Does the
unaffiliated 3rd
party reviewer
concur? (R2)
Yes
In Scope
Yes
No
No
No
Yes
No
Concur with 3rd party
recommendations?
Not in Scope
Document the
technical basis for
non-concurrence
Yes
Adjust List
List of
Stations/Substations
in Scope for R3-R6
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 Assessment and Plan
Conduct Threat and
Vulnerability
Assessment (R4)
Develop security plan to
address threats and
vulnerabilities identified
in assessment (R5)
Does the unaffiliated 3rd
party reviewer concur
with assessment? (R6)
Does the unaffiliated 3rd
party reviewer concur
with security plan? (R6)
Yes
No
Yes
Yes
Concur with 3rd
party?
No
Adjust plan
No
Yes
Concur with 3rd
party?
Document reasons
for nonconcurrence
Adjust
assessment
No
Completed
Security Plan
Document reasons
for nonconcurrence
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R1: Applicability and Risk Assessment
• Must be completed by the effective date of CIP-014-1*
• Subsequent applications must be completed:
– 30 months for entities who identified applicable Stations/Substations on
the previous assessment
– 60 months for entities who identified null lists on the previous
assessment
*Effective date TBD pending FERC ruling
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R1: Applicability and Risk Assessment
• Create a Candidate List
– Substations/Stations operating at or above 200kV
– Substations/Stations identified in an IROL
– Substations/Stations critical to operation of nuclear facilities
• Apply criteria listed in 4.1.1 of CIP-014-1
– Operating at or above 500kV
-or-
– Identified by its Reliability Coordinator, Planning Coordinator, or Transmission
Planner as critical to the derivation of Interconnection Reliability Operating
Limits (IROLs) and their associated contingencies.
-or-
– Essential to meeting Nuclear Plant Interface Requirements
-or-
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R1: Applicability and Risk Assessment
• Apply criteria listed in 4.1.1 of CIP-014-1 (continued)
– Operating between 200 kV and 499 kV at a single station or
substation, where the station or substation is connected at 200 kV or
higher voltages to three or more other Transmission stations or
substations and has an "aggregate weighted value" exceeding 3000
according to the table below.
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R1: Applicability and Risk Assessment
• List developed after application of Applicability Section 4.1.1
• Conduct transmission analysis of stations/substations
identified 4.1.1 application, identify stations/substations that
if rendered inoperable or damaged could result in:
– Widespread Instability*
– Uncontrolled Separation
– Cascading within the Interconnection
*FERC NOPR indicated concern with the term “widespread”.
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R2: Unaffiliated Review of R1
Assessment
• Must be completed within 90 days of R1 Assessment and may
be conducted concurrently
• Unaffiliated third party must be:
– A registered Planning Coordinator, Transmission Planner, or Reliability
Coordinator
-or– An entity that has transmission planning or analysis experience
• The Standards Drafting Team (SDT) interprets “unaffiliated” as
external to the corporate structure
• The credentials of the third party will be assessed and may
impact the audit risk and subsequent rigor for R1
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R2: Unaffiliated Review of R1
Assessment
• Unaffiliated reviewer recommendations must be addressed
within 60 days of review
– Modify its identification under Requirement R1 consistent with the
recommendation
-or– Document the technical basis for not modifying the identification in
accordance with the recommendation
• This language is NOT intended to trigger TFEs
• Implement procedures to protect sensitive information
throughout the review process
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R3: Notify Control Center Owners
• The entity has 7 days to notify control center operators for
primary control centers associated with Stations/Substations
identified in R1 assessment
• The entity has 7 days to notify control center operators for
primary control centers associated with Stations/Substations
removed in subsequent in R1 assessments
• Compliance tips:
– Use email read receipts
– Implement three part communications
– Receive and document confirmation of notification from control
center operators
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R4: Threat and Vulnerability
Assessment
Conduct a threat and vulnerability assessment that considers:
– Unique characteristics
– Attack history, attacks on similar facilities
• Frequency
• Geographic Proximity
• Severity
– Intelligence or threat warnings
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R4: Threat and Vulnerability
Assessment
Unique Characteristics may include:
– Terrain
• Rural
• Urban
– Equipment/Facility Array
• Are critical vulnerable assets on the perimeter or are they shielded from view or
attack by less critical components of the facility?
– Existing Protections
– Facility size and shape
• A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple
corners, alcoves, and salient points.
– Crime statistics
– Weather
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R4: Threat and Vulnerability
Assessment
Assessment Tips
–
–
–
–
–
Identify what components of the facility are critical to the mission
Evaluate your facility from an adversary’s perspective
Extend the assessment beyond the fence line
Understand the advantages and disadvantages afforded by surrounding terrain
Understand your threat environment
• Evaluate attacks on similar facilities globally
• Evaluate attacks in your geographic area even if the target facility is unlike
yours
Some Existing Assessment Methodologies
– CARVER
– DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool (ECIP/IST)
– Attack Tree Modeling
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R4: Threat and Vulnerability
Assessment
Suggested threat vectors to consider
– Direct Fire
• Can an adversary fire a line-of-sight weapon and damage a critical component?
– Indirect Fire
• Can an adversary to fire a weapon on an arc trajectory and damage a critical component?
– Explosive
• Can an adversary place an explosive device such that it will damage a critical component?
– Vehicular Attack
• Can an adversary drive a vehicle into my facility to damage a critical component?
– Arson
• Can an adversary damage critical components with fire?
– Forced Entry*
• Can an adversary force his way into my facility to damage a critical component?
– Surreptitious Entry*
• Can an adversary sneak into the facility to damage a critical component?
– Insider Threat*
*Enabling Attacks
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R4 DHS IST
• Infrastructure Survey Tool
– Conducted by a DHS Protective Security Advisor
– Somewhat checklist-driven
– Finished product is a dashboard
• Compares posture to like facilities
• Allows for temporary adjustments to show security posture
impact from proposed changes
• Does not meet CIP-014 R4 Part 4.3 by itself
– To use the IST for R4 compliance a threat assessment
must also be conducted
– Vulnerabilities identified in the IST must be compared
against the threat assessment
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R4 CARVER
• Approach combines metrics and “subjectives”
• Scalable
• Evaluates:
Criticality – importance of the target
Accessibility – ease of access to the target
Recuperability – ability to recover
Vulnerability – ease of successful attack
Effect –direct loss from attack
Recognizability – ease of target recognition
–
–
–
–
–
–
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CARVER: High Voltage Transformer
Application
Value
Criticality
Accessibility
Recuperability
Vulnerability
Effect
Recognizability
9-10
Loss would
stop
operations
Easily accessible,
not secured
Replacement lead
time 1 year or more
Attack vector
requires no
training or special
tools
Extreme
socioeconomic
impact
Easily recognized
with no training and
no confusion
7-8
Loss would
significantly
reduce
operations
Easily accessible,
limited security
Replacement lead
time 6-12 months
Attack vector
requires little
training or special
tools
Significant
socioeconomic
impact
Easily recognized by
most with minimal
confusion
5-6
Loss would
reduce
operations
Accessible, but
secured
Replacement lead
time 2-6 months
Attack vector
requires training
and special tools
Noticeable
socioeconomic
impact
Recognized with
some training
3-4
Loss may
reduce
operations
Difficult to access
Replacement lead
time 2-8 weeks
Attack vector
requires intensive
training and
special tools
Minimal
socioeconomic
impact
Difficult to recognize
without extensive
training
1-2
Loss would
not affect
operations
Very difficult to
access
Replacement lead
time less than 2
weeks
Attack vector
requires welltrained team with
numerous special
tools
No noticeable
impact
Extremely difficult to
recognize without
training and
surveillance
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CARVER
Asset
C
A
R
V
E
R
Total
Transformer
8
8
10
8
9
5
48
Control House
6
5
5
5
6
7
34
Transmission Tower
5
10
1
9
1
9
35
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5 Security Plan
• We all understand it’s not realistic to make
every substation a mini Fort Knox
• Leverage terrain
• Low/no-cost
• Randomization
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5: Security Plan
Develop a security plan including:
– Resilience or security measures
• Ensure the measures address vulnerabilities identified in R4
– Law enforcement contact and coordination may include:
Simply a name and phone number
Meetings to discuss security concerns, site-specific hazards, etc
Site-specific training for law enforcement
Hosting law enforcement exercises
•
•
•
•
– Timeline for implementing physical security projects
• No specific dates or time frames required in this timeline, but it must pass
the common sense test
– Provision to evaluate evolving threats
• Should include a process or mechanism to receive threat information
• Should include a process to evaluate threat information as it is received
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5: Security Plan
Security Plan Tips
– Conduct a second assessment including the new measures
• Provides valuable metrics to stakeholders and regulators
• If conducted in the planning phase, may prevent costly but minimally effective security
enhancements
– Ensure the plan makes sense
• A reasonably-informed person should be able to follow and implement the plan without
extensive knowledge of the site or entity
– Law enforcement is your friend
• Coordinate early and often to ensure all parties understand facility nuances and specific
hazards/concerns
• Law enforcement training on site = free security
• Ensure mutual understanding of law enforcement response procedures and capabilities
– Consider developing a threat/risk assessment function
• May require additional human capital
• Can be achieved through vendor solutions
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5 Acceptable Risk
CIP-014 is ambiguous about which
vulnerabilities and threats rise to the level of
mitigation
– It is fiscally impractical to mitigate every
vulnerability
• Plane flying into a substation
• Substation sitting in the bottom of a valley
– Include a defensible threshold for vulnerabilities
that will be mitigated
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5 Security Measures
• Every vulnerability identified in R4 at or above
your threshold must be addressed
• One security measure may mitigate multiple
vulnerabilities
• One security measure may meet multiple
aspects of detect, delay, deter, assess,
communicate, and respond
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5 Additional Security Measures
• Security measures aren’t limited to installing
new/more technology
• Random Security Measures
• Crime Prevention Through Environmental Design
(CPTED)
• Law Enforcement Coordination
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R5 CPTED Concepts
Define your space
Shape your environment
Improve lighting
Observation
Direct foot and vehicle traffic
•
•
•
•
•
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 R6: Unaffiliated Review of
Assessment and Plan
• R6: Unaffiliated Review of R4 Assessment and R5 Plan
– An organization with industry physical security experience AND a
Certified Protection Professional (CPP) or Physical Security
Professional (PSP) on staff.*
-or– An organization approved by the ERO.*
-or– A government agency with physical security expertise.
-or– An organization with demonstrated law enforcement or military
physical security expertise.*
*WECC staff meet these criteria
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
WECC CIP-014 SME Team
Darren Nielsen, M.AD, CISA, CPP, PCI, PSP, CBRM, CBRA
Senior Compliance Auditor
Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, CEH, PSP
Senior Compliance Auditor
Bryan Carr, PMP, CISA, PSP
Compliance Auditor
Nick Weber, CPP, PSP
Compliance Auditor
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
CIP-014-1 Implementation
Less than nine months from effective date to Security Plan completion
CIP-014-1 Implementation Timeline
W
R1 Assessment
Effective Date
0 Days
R2 Verification
Effective + 90
90 Days
R2.3 Address Discrepancies
R2.2 + 60
150 Days
R3 Notify Control Center
R2 + 7
157 Days
R4 Threat and Vulnerability Evaluation
R2 + 120
270 Days
R5 Security Plan
R2 + 120
270 Days
R6 Review
R5 + 90
360 Days
R6.3 Address Discrepancies
R6.2 + 60
420 Days
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L
At Your Service
• PSWG- Get plugged in!
http://www.wecc.biz/committees/StandingCommittees/OC/CIIM
S/PSWG/default.aspx
• Phone call or email away
• We want to help
• cip@wecc.biz
• Always willing to provide our audit approach
W
E
S
T
E
R
N
E
L
E
C
T
R
I
C
I
T
Y
C
O
O
R
D
I
N
A
T
I
N
G
C
O
U
N
C
I
L