Notable Changes to NERC Reliability Standard CIP-010-3

CLARITY ▪ ASSURANCE ▪ RESULTS
MIDWEST RELIABILITY ORGANIZATION
Notable Changes to NERC
Reliability Standard CIP-010-3
Cyber Security – Configuration Change
Management and Vulnerability Assessments
Bill Steiner
MRO Principal Risk Assessment and Mitigation Engineer
MRO CIP Version 5 Workshop
February 12 and 18, 2015
Improving RELIABILITY and mitigating RISKS to the Bulk Power System
Agenda
Applicable Systems
Baseline Configuration Concept
Vulnerability Assessment
Transient Cyber Assets and Removable Media
Plan(s) for Transient Cyber Assets
Plan(s) for Removable Media
Applicable Systems
Notable Changes in CIP-010-3
This Standard includes the configuration change management and vulnerability assessment requirements for:
• High Impact BES Cyber Systems
• Medium Impact BES Cyber Systems
• Electronic Access Control or Monitoring Systems (EACMS)
• Physical Access Control Systems (PACS)
• Protected Cyber Assets (PCA)
Baseline Configuration Concept
• The baseline concept is designed to provide clarity on the ambiguous requirement language (“significant” change) found in previous CIP Standard versions
• The baseline provides the triggering mechanism: any deviation from the documented baseline is the point at which entities must apply their change management processes
• Five required items in the baseline:
—Operating system(s) (including version), or firmware where no OS exists
—Any commercially available or open-source application software (including version) intentionally installed
—Any custom software installed
—Any logical network accessible ports
—Any security patches applied
Baseline Configuration Concept (continued)
• Authorize and document any change that deviates from the existing baseline (change management system)
• The baseline document must be updated within 30 days of the change
• Prior to the change – determine which security controls (CIP-005 and CIP-007) could be impacted
• Following the change – verify that those controls have not been adversely impacted
Baseline Configuration Concept (continued)
• Document the results
—Evidence must provide reasonable assurance that the verification was completed
• This is typically done with screen shots or the electronic results of testing
• STRONG procedural controls can also meet this requirement: signed, dated, detailed test results, together with clear expectations and instructions for the work to be completed
Baseline Configuration Concept (continued)
High Impact Control Centers have additional requirements:
• Changes which impact the baseline configuration must be tested in an environment which minimizes adverse effects to the production environment
—The environment must be sufficient to ensure that the CIP-005 and CIP-007 tests are meaningful
• Along with the test results, the test environment itself must also be documented
—Include the measures used to account for differences between the test and production environments
• Must monitor at least every 35 days for changes to the baseline
—The intent is automated monitoring where possible, and manual procedural controls where not
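As an added example (not part of the MRO presentation or any NERC material), the following Python script shows one way to hold the five baseline elements for a Cyber Asset, assemble the current state from host command output, and report every deviation from the documented baseline; this is the comparison a periodic (at most 35-day) monitoring job would run and a change request would be checked against. The `ss` and `dpkg-query` output layouts, the host name, package versions and patch identifiers are constructed assumptions for illustration.

```python
"""Baseline capture and drift check for the five CIP-010 baseline elements.

Added example; not MRO or NERC material. Command output layouts, host name,
versions and patch identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number), e.g. ("tcp", 502)


@dataclass
class Baseline:
    """Documented baseline of one Cyber Asset: the five required elements."""
    asset: str
    os: str                  # operating system (with version) or firmware
    app_sw: Dict[str, str]   # commercial/open-source software: name -> version
    custom_sw: Set[str]      # custom software installed
    ports: Set[Port]         # logical network accessible ports
    patches: Set[str]        # security patches applied


def parse_listening(ss_output: str) -> Set[Port]:
    """Parse `ss -Hltnu`-style lines (assumed layout: netid state ... local:port)."""
    ports: Set[Port] = set()
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]          # e.g. "tcp", "0.0.0.0:22"
        ports.add((proto, int(local.rsplit(":", 1)[1])))
    return ports


def parse_packages(pkg_output: str) -> Dict[str, str]:
    """Parse 'name version' lines, as from `dpkg-query -W` (assumed layout)."""
    pkgs: Dict[str, str] = {}
    for line in pkg_output.strip().splitlines():
        name, version = line.split(None, 1)
        pkgs[name] = version
    return pkgs


def diff_baselines(documented: Baseline, observed: Baseline) -> List[str]:
    """List every deviation of the observed state from the documented baseline.

    An empty list means nothing triggered change management; anything else is
    a change that must have been authorized, documented and verified.
    """
    devs: List[str] = []
    if documented.os != observed.os:
        devs.append(f"os changed: {documented.os} -> {observed.os}")
    for name in sorted(documented.app_sw.keys() | observed.app_sw.keys()):
        old, new = documented.app_sw.get(name), observed.app_sw.get(name)
        if old is None:
            devs.append(f"software installed: {name} {new}")
        elif new is None:
            devs.append(f"software removed: {name} {old}")
        elif old != new:
            devs.append(f"software version changed: {name} {old} -> {new}")
    for name in sorted(observed.custom_sw - documented.custom_sw):
        devs.append(f"custom software installed: {name}")
    for name in sorted(documented.custom_sw - observed.custom_sw):
        devs.append(f"custom software removed: {name}")
    for proto, port in sorted(observed.ports - documented.ports):
        devs.append(f"port opened: {port}/{proto}")
    for proto, port in sorted(documented.ports - observed.ports):
        devs.append(f"port closed: {port}/{proto}")
    for patch in sorted(observed.patches - documented.patches):
        devs.append(f"patch applied: {patch}")
    for patch in sorted(documented.patches - observed.patches):
        devs.append(f"patch missing: {patch}")
    return devs


# Constructed sample: the documented baseline of a hypothetical HMI host.
DOCUMENTED = Baseline(
    asset="hmi-01",
    os="Ubuntu 14.04.1 LTS",
    app_sw={"openssh-server": "1:6.6p1-2ubuntu2", "apache2": "2.4.7-1ubuntu4"},
    custom_sw={"alarm-forwarder 1.2"},
    ports={("tcp", 22), ("tcp", 443), ("udp", 123)},
    patches={"USN-EXAMPLE-1"},
)
# Constructed sample: what the collection commands return on the next check.
SS_TODAY = """\
tcp   LISTEN   0   128   0.0.0.0:22     0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:443    0.0.0.0:*
tcp   LISTEN   0   50    0.0.0.0:3389   0.0.0.0:*
udp   UNCONN   0   0     0.0.0.0:123    0.0.0.0:*
"""
PKGS_TODAY = """\
openssh-server 1:6.6p1-2ubuntu2.1
apache2 2.4.7-1ubuntu4
xrdp 0.6.1-1
"""


def observed_today() -> Baseline:
    """Assemble the observed state from the (constructed) command output."""
    return Baseline(asset="hmi-01", os="Ubuntu 14.04.1 LTS",
                    app_sw=parse_packages(PKGS_TODAY),
                    custom_sw={"alarm-forwarder 1.2"},
                    ports=parse_listening(SS_TODAY),
                    patches={"USN-EXAMPLE-1", "USN-EXAMPLE-2"})


if __name__ == "__main__":
    for deviation in diff_baselines(DOCUMENTED, observed_today()):
        print(deviation)
```

In the sample run the script flags an SSH package upgrade, a newly installed `xrdp` package, the 3389/tcp port it opened, and a new patch: four deviations, each of which should map to an authorized change record (the patch and the upgrade) or be treated as an unauthorized change (the remote desktop service). Every element is compared as a set or version string, so the order in which commands list things does not produce false deviations.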
Vulnerability Assessment
Must conduct a paper or active vulnerability assessment at least every 15 calendar months
The initial assessment must be completed within 12 months after the effective date of CIP Version 5
Paper Vulnerability Assessment
• Intended to be a comprehensive review and verification of security controls without the impact of active network scanning tools
Active Vulnerability Assessment
• Use of active discovery tools (Nmap, etc.) to assess the network (including wireless), ports/services, and vulnerabilities of enabled services
• Required at least every 36 months (in a test environment) at High Impact Control Centers
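As an added example (not from the presentation or from NERC), the Python script below performs the reconciliation an active vulnerability assessment is meant to produce: it parses Nmap's grepable (`-oG`) output and compares the ports found open on each host with the logical network accessible ports documented in that host's baseline. The scan text, addresses, service banners and baseline ports are constructed for illustration. Ports reported as open|filtered (typical of UDP probes) are kept separate from confirmed-open ports rather than counted as findings, and a host that answers but has no baseline at all is reported as an inventory gap.

```python
"""Reconcile an active scan with the baseline's network accessible ports.

Added example; not MRO or NERC material. The scan text is a constructed sample
in Nmap's grepable (-oG) format; addresses, services and baseline ports are
made up for illustration.
"""
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed sample: `nmap -sS -sU -sV -oG -` run against a test-environment subnet.
SCAN = """\
# Nmap 6.47 scan initiated Tue Feb 10 09:00:01 2015 as: nmap -sS -sU -sV -oG - 10.10.1.5-6
Host: 10.10.1.5 (hmi-01)\tStatus: Up
Host: 10.10.1.5 (hmi-01)\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 443/open/tcp//https//Apache httpd 2.4.7/, 3389/open/tcp//ms-wbt-server//xrdp/, 123/open|filtered/udp//ntp///\tIgnored State: closed (1996)
Host: 10.10.1.6 (rtu-01)\tStatus: Up
Host: 10.10.1.6 (rtu-01)\tPorts: 502/open/tcp//mbap///, 161/open/udp//snmp//net-snmp/\tIgnored State: closed (1998)
# Nmap done at Tue Feb 10 09:07:44 2015 -- 2 IP addresses (2 hosts up) scanned in 463.12 seconds
"""

# Constructed sample: "logical network accessible ports" from each asset's baseline.
BASELINE_PORTS: Dict[str, Set[Port]] = {
    "10.10.1.5": {("tcp", 22), ("tcp", 443), ("udp", 123)},
    "10.10.1.6": {("tcp", 502)},
}


def parse_grepable(text: str) -> Dict[str, Dict[Port, str]]:
    """Return {host: {(proto, port): "state:service (version)"}} from -oG output.

    Records are tab-separated "Key: value" fields; each entry in the "Ports"
    field is port/state/protocol/owner/service/rpc/version/. Comment lines
    and "Status:" records carry no ports and are skipped.
    """
    hosts: Dict[str, Dict[Port, str]] = {}
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]               # drop the "(hostname)" part
        found = hosts.setdefault(host, {})
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version, _ = entry.split("/")
            label = service or "unknown"
            if version:
                label += f" ({version})"
            found[(proto, int(port))] = f"{state}:{label}"
    return hosts


def fmt(p: Port) -> str:
    return f"{p[1]}/{p[0]}"


def reconcile(scan: Dict[str, Dict[Port, str]],
              baseline: Dict[str, Set[Port]]) -> Dict[str, Dict[str, List[str]]]:
    """Compare scan results with the documented ports, host by host.

    undocumented: confirmed open but absent from the baseline (authorize it or close it)
    unconfirmed : open|filtered (usual for UDP); needs a follow-up check, not yet a finding
    not_observed: documented but not seen open; host firewall, service down, or scan gap
    unbaselined : host answered but has no baseline at all (asset inventory gap)
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for host, ports in scan.items():
        confirmed = {p for p, s in ports.items() if s.startswith("open:")}
        unconfirmed = {p for p, s in ports.items() if s.startswith("open|filtered:")}
        documented = baseline.get(host)
        if documented is None:
            report[host] = {"unbaselined": [fmt(p) for p in sorted(confirmed | unconfirmed)]}
            continue
        report[host] = {
            "undocumented": [f"{fmt(p)} {ports[p].split(':', 1)[1]}"
                             for p in sorted(confirmed - documented)],
            "unconfirmed": [fmt(p) for p in sorted(unconfirmed)],
            "not_observed": [fmt(p) for p in sorted(documented - confirmed - unconfirmed)],
        }
    return report


if __name__ == "__main__":
    for host, findings in reconcile(parse_grepable(SCAN), BASELINE_PORTS).items():
        print(host, findings)
```

On the sample the HMI shows an undocumented remote desktop listener (3389/tcp) and the RTU an undocumented SNMP agent (161/udp); the HMI's NTP port is documented but only open|filtered, so it is listed for follow-up rather than as a deviation. Because the active assessment at a High Impact Control Center is run in a test environment, any address or port that differs from production should be accounted for in the documented test environment measures before the results are compared with the production baseline.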
Transient Cyber Assets and Removable Media
Proposed Definition – Transient Cyber Asset
(NERC Glossary of Terms)
• A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii)
is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA),
and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or
wireless, including near field or Bluetooth communication) for 30 consecutive
calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA.
Examples include, but are not limited to, Cyber Assets used for data transfer,
vulnerability assessment, maintenance, or troubleshooting purposes.
Transient Cyber Assets and Removable Media (continued)
Proposed Definition – Removable Media (NERC Glossary of Terms)
• Storage media that (i) are not Cyber Assets, (ii) are capable of transferring
executable code, (iii) can be used to store, copy, move, or access data, and (iv)
are directly connected for 30 consecutive calendar days or less to a BES Cyber
Asset, a network within an ESP, or a Protected Cyber Asset. Examples include,
but are not limited to, floppy disks, compact disks, USB flash drives, external hard
drives, and other flash memory cards/drives that contain nonvolatile memory.
Because they carry executable code directly to BES Cyber Assets, ESP networks and PCAs, these devices represent the highest risk to the BES.
Attachment 1 of CIP-010-3
• Details the required sections in the plan which must be implemented for Transient
Cyber Assets and Removable Media
Plan Requirements for Transient Cyber Assets
Highlights - Transient Cyber Assets owned by Registered Entities
• Authorization (all apply)
—Users, either individually or by group or role
—Locations, either individually or by group
—Uses, which shall be limited to what is necessary to perform business functions
• Software Vulnerability Mitigation (use one or a combination)
—Security patching
—OS and software run from read-only media
—System hardening
—Other method(s)
Plan Requirements for Transient Cyber Assets (continued)
Highlights - Transient Cyber Assets owned by Registered Entities (continued)
• Mitigation of the introduction of malicious code (one or a combination)
—Antivirus software
—Application whitelisting
—Other method(s)
• Unauthorized Use Mitigation (one or a combination)
—Restrict physical access
—Full-disk encryption with authentication
—Multi-factor authentication
—Other method(s)
Plan Requirements for Transient Cyber Assets (continued)
Highlights - Transient Cyber Assets managed by a Third Party
• Software vulnerability mitigation (one or a combination)
—Review the installed security patch(es)
—Review the security patching process used by the party
—Review other mitigation performed by the party
—Other method(s)
Plan Requirements for Transient Cyber Assets (continued)
Highlights - Transient Cyber Assets managed by a Third Party (continued)
• Mitigation of the introduction of malicious code (one or a combination)
—Review the antivirus update level
—Review the antivirus update process used by the party
—Review the application whitelisting used by the party
—Review whether the OS and software are executed from read-only media
—Review the system hardening used by the party
—Other method(s)
• Determine whether the third party's policies are sufficient
Plan Requirements for Removable Media
Highlights - Removable Media
• Authorization
—Users, either individually or by group or role
—Locations, either individually or by group
• Malicious Code Mitigation
—Use method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System (BCS) or PCA
—Mitigate the threat of any detected malicious code on the Removable Media prior to connecting it to a BES Cyber Asset (BCA) or PCA
Plan Requirements - Transient Cyber Assets and Removable Media
Attachment 2 of CIP-010-3
• Provides detailed examples of expected evidence
Responsibilities can get complicated at jointly owned facilities
Questions?