CIP-014-1: An Overview Nick Weber, CPP, PSP Compliance Auditor, Physical and Cyber Security
Transcription
CIP-014-1: An Overview Nick Weber, CPP, PSP Compliance Auditor, Physical and Cyber Security
CIP-014-1: An Overview Nick Weber, CPP, PSP Compliance Auditor, Physical and Cyber Security W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L Speaker Intro: Nick Weber, CPP, PSP • 17 Years first responder, military, and security experience – US Army Reserve Information Operations (Cyber) • Network Defense Team Leader • Dynamic Defense Deputy Team Leader – US Department of Homeland Security • Energy Sector Specialist • Site Assistance Visit Team Leader – US Army Cavalry Officer • OIF veteran • Bronze Star Medal • National Training Center (NTC) Opposing Force (OPFOR) – Account Manager at a security guard provider – Wildland firefighter W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L Physical Security: Who Cares? W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 Introduction What it is: – Physical security of transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation or cascading within an Interconnection. What it is not: An extension of or related to CIP-006 Critical Cyber Asset/Protected Cyber Asset based A limit to physical security measures A one-size-fits all approach to physical security – – – – W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 Introduction It may be helpful to view and manage CIP-014-1 as two major components. W E R1: Applicability and Risk Assessment R4: Threat and Vulnerability Assessment R2: Unaffiliated Review R5: Security Plan R3: Control Center Notification R6: Unaffiliated Review S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 Process Overview R2: Unaffiliated Review R1: Applicability W E S T E R N E L E C T R I C I T Y R5: Develop a Security Plan R4: Conduct Threat and Vulnerability Assessment R3: Notify Control Centers C O O R D I R6: Unaffiliated Review N A T I N G C O U N C I L CIP-014-1 Identification R1: Does Station/Substation meet 4.1.1 criteria? (R1) Could Station/Substation cause instability, uncontrolled separation, or cascading? (R1) Yes No Does the unaffiliated 3rd party reviewer concur? (R2) Does the unaffiliated 3rd party reviewer concur? (R2) Yes In Scope Yes No No No Yes No Concur with 3rd party recommendations? Not in Scope Document the technical basis for non-concurrence Yes Adjust List List of Stations/Substations in Scope for R3-R6 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 Assessment and Plan Conduct Threat and Vulnerability Assessment (R4) Develop security plan to address threats and vulnerabilities identified in assessment (R5) Does the unaffiliated 3rd party reviewer concur with assessment? (R6) Does the unaffiliated 3rd party reviewer concur with security plan? (R6) Yes No Yes Yes Concur with 3rd party? No Adjust plan No Yes Concur with 3rd party? Document reasons for nonconcurrence Adjust assessment No Completed Security Plan Document reasons for nonconcurrence W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R1: Applicability and Risk Assessment • Must be completed by the effective date of CIP-014-1* • Subsequent applications must be completed: – 30 months for entities who identified applicable Stations/Substations on the previous assessment – 60 months for entities who identified null lists on the previous assessment *Effective date TBD pending FERC ruling W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R1: Applicability and Risk Assessment • Create a Candidate List – Substations/Stations operating at or above 200kV – Substations/Stations identified in an IROL – Substations/Stations critical to operation of nuclear facilities • Apply criteria listed in 4.1.1 of CIP-014-1 – Operating at or above 500kV -or- – Identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies. -or- – Essential to meeting Nuclear Plant Interface Requirements -or- W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R1: Applicability and Risk Assessment • Apply criteria listed in 4.1.1 of CIP-014-1 (continued) – Operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the table below. W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R1: Applicability and Risk Assessment • List developed after application of Applicability Section 4.1.1 • Conduct transmission analysis of stations/substations identified 4.1.1 application, identify stations/substations that if rendered inoperable or damaged could result in: – Widespread Instability* – Uncontrolled Separation – Cascading within the Interconnection *FERC NOPR indicated concern with the term “widespread”. W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R2: Unaffiliated Review of R1 Assessment • Must be completed within 90 days of R1 Assessment and may be conducted concurrently • Unaffiliated third party must be: – A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator -or– An entity that has transmission planning or analysis experience • The Standards Drafting Team (SDT) interprets “unaffiliated” as external to the corporate structure • The credentials of the third party will be assessed and may impact the audit risk and subsequent rigor for R1 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R2: Unaffiliated Review of R1 Assessment • Unaffiliated reviewer recommendations must be addressed within 60 days of review – Modify its identification under Requirement R1 consistent with the recommendation -or– Document the technical basis for not modifying the identification in accordance with the recommendation • This language is NOT intended to trigger TFEs • Implement procedures to protect sensitive information throughout the review process W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R3: Notify Control Center Owners • The entity has 7 days to notify control center operators for primary control centers associated with Stations/Substations identified in R1 assessment • The entity has 7 days to notify control center operators for primary control centers associated with Stations/Substations removed in subsequent in R1 assessments • Compliance tips: – Use email read receipts – Implement three part communications – Receive and document confirmation of notification from control center operators W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R4: Threat and Vulnerability Assessment Conduct a threat and vulnerability assessment that considers: – Unique characteristics – Attack history, attacks on similar facilities • Frequency • Geographic Proximity • Severity – Intelligence or threat warnings W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R4: Threat and Vulnerability Assessment Unique Characteristics may include: – Terrain • Rural • Urban – Equipment/Facility Array • Are critical vulnerable assets on the perimeter or are they shielded from view or attack by less critical components of the facility? – Existing Protections – Facility size and shape • A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple corners, alcoves, and salient points. – Crime statistics – Weather W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R4: Threat and Vulnerability Assessment Assessment Tips – – – – – Identify what components of the facility are critical to the mission Evaluate your facility from an adversary’s perspective Extend the assessment beyond the fence line Understand the advantages and disadvantages afforded by surrounding terrain Understand your threat environment • Evaluate attacks on similar facilities globally • Evaluate attacks in your geographic area even if the target facility is unlike yours Some Existing Assessment Methodologies – CARVER – DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool (ECIP/IST) – Attack Tree Modeling W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R4: Threat and Vulnerability Assessment Suggested threat vectors to consider – Direct Fire • Can an adversary fire a line-of-sight weapon and damage a critical component? – Indirect Fire • Can an adversary to fire a weapon on an arc trajectory and damage a critical component? – Explosive • Can an adversary place an explosive device such that it will damage a critical component? – Vehicular Attack • Can an adversary drive a vehicle into my facility to damage a critical component? – Arson • Can an adversary damage critical components with fire? – Forced Entry* • Can an adversary force his way into my facility to damage a critical component? – Surreptitious Entry* • Can an adversary sneak into the facility to damage a critical component? – Insider Threat* *Enabling Attacks W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R4 DHS IST • Infrastructure Survey Tool – Conducted by a DHS Protective Security Advisor – Somewhat checklist-driven – Finished product is a dashboard • Compares posture to like facilities • Allows for temporary adjustments to show security posture impact from proposed changes • Does not meet CIP-014 R4 Part 4.3 by itself – To use the IST for R4 compliance a threat assessment must also be conducted – Vulnerabilities identified in the IST must be compared against the threat assessment W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R4 CARVER • Approach combines metrics and “subjectives” • Scalable • Evaluates: Criticality – importance of the target Accessibility – ease of access to the target Recuperability – ability to recover Vulnerability – ease of successful attack Effect –direct loss from attack Recognizability – ease of target recognition – – – – – – W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CARVER: High Voltage Transformer Application Value Criticality Accessibility Recuperability Vulnerability Effect Recognizability 9-10 Loss would stop operations Easily accessible, not secured Replacement lead time 1 year or more Attack vector requires no training or special tools Extreme socioeconomic impact Easily recognized with no training and no confusion 7-8 Loss would significantly reduce operations Easily accessible, limited security Replacement lead time 6-12 months Attack vector requires little training or special tools Significant socioeconomic impact Easily recognized by most with minimal confusion 5-6 Loss would reduce operations Accessible, but secured Replacement lead time 2-6 months Attack vector requires training and special tools Noticeable socioeconomic impact Recognized with some training 3-4 Loss may reduce operations Difficult to access Replacement lead time 2-8 weeks Attack vector requires intensive training and special tools Minimal socioeconomic impact Difficult to recognize without extensive training 1-2 Loss would not affect operations Very difficult to access Replacement lead time less than 2 weeks Attack vector requires welltrained team with numerous special tools No noticeable impact Extremely difficult to recognize without training and surveillance W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CARVER Asset C A R V E R Total Transformer 8 8 10 8 9 5 48 Control House 6 5 5 5 6 7 34 Transmission Tower 5 10 1 9 1 9 35 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5 Security Plan • We all understand it’s not realistic to make every substation a mini Fort Knox • Leverage terrain • Low/no-cost • Randomization W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5: Security Plan Develop a security plan including: – Resilience or security measures • Ensure the measures address vulnerabilities identified in R4 – Law enforcement contact and coordination may include: Simply a name and phone number Meetings to discuss security concerns, site-specific hazards, etc Site-specific training for law enforcement Hosting law enforcement exercises • • • • – Timeline for implementing physical security projects • No specific dates or time frames required in this timeline, but it must pass the common sense test – Provision to evaluate evolving threats • Should include a process or mechanism to receive threat information • Should include a process to evaluate threat information as it is received W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5: Security Plan Security Plan Tips – Conduct a second assessment including the new measures • Provides valuable metrics to stakeholders and regulators • If conducted in the planning phase, may prevent costly but minimally effective security enhancements – Ensure the plan makes sense • A reasonably-informed person should be able to follow and implement the plan without extensive knowledge of the site or entity – Law enforcement is your friend • Coordinate early and often to ensure all parties understand facility nuances and specific hazards/concerns • Law enforcement training on site = free security • Ensure mutual understanding of law enforcement response procedures and capabilities – Consider developing a threat/risk assessment function • May require additional human capital • Can be achieved through vendor solutions W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5 Acceptable Risk CIP-014 is ambiguous about which vulnerabilities and threats rise to the level of mitigation – It is fiscally impractical to mitigate every vulnerability • Plane flying into a substation • Substation sitting in the bottom of a valley – Include a defensible threshold for vulnerabilities that will be mitigated W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5 Security Measures • Every vulnerability identified in R4 at or above your threshold must be addressed • One security measure may mitigate multiple vulnerabilities • One security measure may meet multiple aspects of detect, delay, deter, assess, communicate, and respond W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5 Additional Security Measures • Security measures aren’t limited to installing new/more technology • Random Security Measures • Crime Prevention Through Environmental Design (CPTED) • Law Enforcement Coordination W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R5 CPTED Concepts Define your space Shape your environment Improve lighting Observation Direct foot and vehicle traffic • • • • • W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 R6: Unaffiliated Review of Assessment and Plan • R6: Unaffiliated Review of R4 Assessment and R5 Plan – An organization with industry physical security experience AND a Certified Protection Professional (CPP) or Physical Security Professional (PSP) on staff.* -or– An organization approved by the ERO.* -or– A government agency with physical security expertise. -or– An organization with demonstrated law enforcement or military physical security expertise.* *WECC staff meet these criteria W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L WECC CIP-014 SME Team Darren Nielsen, M.AD, CISA, CPP, PCI, PSP, CBRM, CBRA Senior Compliance Auditor Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, CEH, PSP Senior Compliance Auditor Bryan Carr, PMP, CISA, PSP Compliance Auditor Nick Weber, CPP, PSP Compliance Auditor W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L CIP-014-1 Implementation Less than nine months from effective date to Security Plan completion CIP-014-1 Implementation Timeline W R1 Assessment Effective Date 0 Days R2 Verification Effective + 90 90 Days R2.3 Address Discrepancies R2.2 + 60 150 Days R3 Notify Control Center R2 + 7 157 Days R4 Threat and Vulnerability Evaluation R2 + 120 270 Days R5 Security Plan R2 + 120 270 Days R6 Review R5 + 90 360 Days R6.3 Address Discrepancies R6.2 + 60 420 Days E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L At Your Service • PSWG- Get plugged in! http://www.wecc.biz/committees/StandingCommittees/OC/CIIM S/PSWG/default.aspx • Phone call or email away • We want to help • cip@wecc.biz • Always willing to provide our audit approach W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L