Audit Preparation and Expectations – “The Low-Down”

June 27, 2017

Jeremy Withers, CISSP, Security+, Network+, CISA
Senior Compliance Specialist - CIP
SPP RE Staff

Overview

• Audit preparation tips

• Audit overview

• Cyber security plan

• CIP Version 5 Evidence Request

• RSAW completion

• Evidence Request Workbooks

• Summary


Compliance is an ongoing process

• Get support from the top-down

• Conduct continual review of documentation and procedures

• Documentation of evidence

⁻ Maintain version history

⁻ Maintain and review documentation yearly

⁻ Ensure process changes are addressed in documentation updates

⁻ Ensure evidence is relevant, valid, and reliable


Be organized

• Assign responsibility to specific people

• Use checklists for documentation reviews

⁻ Define/assign responsibilities

⁻ Timing (quarterly, annual, etc.)

⁻ Establish/document internal controls

⁻ Tools: Outlook calendars, Excel spreadsheets, SharePoint

• Know where documentation is stored

Self-assess compliance

• Self-Certifications

• Periodic Data Submittals

• Internal auditing

• Self-Report when non-compliance is found

⁻ Shows good culture of compliance

⁻ Strongly encouraged

• Third-party review


Consider using outside resources

• Define, improve technical processes

• Assist with regulatory approaches

• Provide pre-audit reviews and support for compliance programs and supplement available resources

• Vet outside resources before engaging them

⁻ Call references

• Mock audits

• Internal Audit department


Audit Overview

• Audited Standards/Requirements based on BES Cyber System Categorization

• Audit Period: July 1, 2016 until date of audit

• Audit Cycle: Nominally 3-year (BA, TOP, RC) and 6-year (IA, GO, GOP, DP, TO)

• Pre-Audit: Inherent Risk Assessment, Notification, Request for information, Review of evidence, Supplemental requests

• Audit: Opening presentations, Interviews, Review of Evidence, End-of-day briefing, Exit Presentation

• Post-Audit: Draft audit report, Registered Entity comments (10 days), Feedback forms, Final audit report (non-public)


CIP Audit Scope (Low Impact BES Cyber Systems)

• CIP-002-5.1a Requirement R1 & R2

• CIP-003-6 Requirement R1.2

⁻ Part 1.2.1

⁻ Part 1.2.2

⁻ Part 1.2.3

⁻ Part 1.2.4


CIP Audit Scope (Low Impact BES Cyber Systems)

• CIP-003-6 Requirement R2

⁻ Physical security controls (effective September 1, 2018)

⁻ Electronic access controls for Low Impact External Routable Connectivity and Dial-up Connectivity (effective September 1, 2018)

• CIP-003-6 Requirement R3

• CIP-003-6 Requirement R4


Low Impact BES Cyber Systems Overview

• An inventory, list, or discrete identification of Low Impact BCS or their BES Cyber Assets is not required

• BUT!!!!

⁻ A list containing the name of “each asset that contains a Low Impact BES Cyber System” is required, such as a list of:

Generating plants

Transmission stations

Certain distribution stations

Certain “small” control centers that contain Low Impact BCS

Blackstart resources and cranking paths


CIP-003-6 R1.2

• Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:

• R1.2 For its assets identified in CIP‐002 containing Low Impact BES Cyber Systems, if any:

⁻ 1.2.1. Cyber security awareness;

⁻ 1.2.2. Physical security controls;

⁻ 1.2.3. Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial‐up Connectivity; and

⁻ 1.2.4. Cyber Security Incident response


CIP-003-6 R2

• Each Responsible Entity with at least one asset identified in CIP‐002 containing Low Impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its Low Impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

⁻ Note: An inventory, list, or discrete identification of Low Impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.


CIP-003-6 R2 Attachment 1 Section 1

• Section 1 – Cyber Security Awareness

⁻ Shall reinforce cyber security practices at least once every 15 calendar months

⁻ May include physical security practices


CIP-003-6 R2 Attachment 1 Section 2

• Section 2 – Physical Security Controls (effective September 1, 2018)

⁻ Shall control physical access, based on need as determined by the Responsible Entity to:

Low Impact BCS within the asset

Low Impact BES Cyber System Electronic Access Points (LEAPs), if any

CIP-003-6 R2 Attachment 1 Section 3

• Section 3 – Electronic Access Controls (effective September 1, 2018)

⁻ 3.1 For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access

⁻ 3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to Low Impact BES Cyber Systems, per Cyber Asset capability

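Section 3.1 asks that a LEAP permit only the inbound and outbound routable-protocol access that is actually necessary, and the Level 2 artifact an audit team will want for that is the access control list itself. The Python script below is an added example, not part of this presentation or any SPP RE or NERC material: it reviews a constructed LEAP access list against a constructed list of documented necessary flows and reports permit rules that no documented need justifies, a missing closing deny-all, and documented flows the list would in fact block. The rule format, addresses, ports, asset descriptions and first-match-wins semantics are all assumptions made for illustration.

```python
"""Added example: review a LEAP access list against documented necessary access.

Everything here is constructed for illustration (hypothetical addresses, ports and
rule format); it is not SPP RE or NERC material. Assumes an ordered, first-match-wins
rule list on the LEAP, which is how most router and firewall ACLs behave.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str                # CIDR, or "any"
    dst: str                # CIDR, or "any"
    proto: str              # "tcp", "udp", or "ip" (any protocol)
    port: Optional[int]     # destination port; None means any port
    action: str = "permit"  # "permit" or "deny"; only meaningful for ACL rules
    note: str = ""          # business justification for a documented need


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _within(rule: Flow, need: Flow) -> bool:
    """True when everything `rule` covers lies inside the documented `need`."""
    return (_net(rule.src).subnet_of(_net(need.src))
            and _net(rule.dst).subnet_of(_net(need.dst))
            and (need.proto == "ip" or rule.proto == need.proto)
            and (need.port is None or rule.port == need.port))


def _matches(rule: Flow, need: Flow) -> bool:
    """True when traffic described by `need` would hit `rule` on a first-match lookup."""
    return (_net(need.src).subnet_of(_net(rule.src))
            and _net(need.dst).subnet_of(_net(rule.dst))
            and rule.proto in ("ip", need.proto)
            and rule.port in (None, need.port))


def audit_leap_acl(acl: List[Flow], needs: List[Flow]) -> List[str]:
    """Return findings; an empty list means the ACL permits only the documented need."""
    findings = []
    # 1. Every permit must be no broader than some documented necessary flow.
    for i, rule in enumerate(acl, 1):
        if rule.action == "permit" and not any(_within(rule, n) for n in needs):
            findings.append(f"rule {i} permits {rule.proto} {rule.src}->{rule.dst} "
                            f"port {rule.port if rule.port is not None else 'any'}: "
                            "not justified by documented need")
    # 2. The list must close with an explicit deny-all so unlisted traffic is blocked.
    deny_all = Flow("any", "any", "ip", None, "deny")
    if not acl or acl[-1].action != "deny" or not _within(deny_all, acl[-1]):
        findings.append("ACL does not end with an explicit 'deny ip any any'")
    # 3. Each documented need must actually reach a permit; a blocked need tends to
    #    get "fixed" with an undocumented rule later, which is what check 1 catches.
    for n in needs:
        hit = next((r for r in acl if _matches(r, n)), None)
        if hit is None or hit.action != "permit":
            findings.append(f"documented need '{n.note}' is not permitted by the ACL")
    return findings


# Constructed documented needs for a hypothetical substation LEAP (not real addresses).
NECESSARY_ACCESS = [
    Flow("10.20.0.0/24", "192.168.50.10/32", "tcp", 20000,
         note="inbound DNP3 polling from the control center SCADA masters"),
    Flow("192.168.50.0/24", "10.20.0.5/32", "udp", 514,
         note="outbound syslog from substation devices to the SIEM"),
]

# Constructed LEAP ACL: rule 3 is an undocumented "vendor convenience" SSH permit.
LEAP_ACL = [
    Flow("10.20.0.0/24", "192.168.50.10/32", "tcp", 20000, "permit"),
    Flow("192.168.50.0/24", "10.20.0.5/32", "udp", 514, "permit"),
    Flow("any", "192.168.50.0/24", "tcp", 22, "permit"),
    Flow("any", "any", "ip", None, "deny"),
]

# The same ACL with the unjustified rule removed: the version that matches the evidence.
HARDENED_ACL = [r for r in LEAP_ACL if not (r.action == "permit" and r.port == 22)]

if __name__ == "__main__":
    for finding in audit_leap_acl(LEAP_ACL, NECESSARY_ACCESS) or ["no findings"]:
        print(finding)
```

Run against the constructed ACL the script reports only rule 3; run against HARDENED_ACL it reports nothing. The same pattern works for a Level 1 review of the network diagram: every flow drawn crossing the LEAP should appear in the documented-need list, and every documented need should appear on the diagram.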

CIP-003-6 R2 Attachment 1 Section 4

• Section 4 – Cyber Security Incident Response plan(s)

⁻ 4.1 Identification, Classification and Response to a Cyber Security Incident

⁻ 4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E‐ISAC), unless prohibited by law;


CIP-003-6 R2 Attachment 1 Section 4 (cont.)

• Section 4 – Cyber Security Incident Response plan(s)

⁻ 4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

⁻ 4.4 Incident handling for Cyber Security Incidents;

⁻ 4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident


CIP-003-6 R2 Attachment 1 Section 4 (cont.)

• Section 4 – Cyber Security Incident Response plan(s)

⁻ 4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.


Example: Acme Power’s Low Impact BCS

• Acme has documented and implemented the following for its Low Impact BCS:

⁻ Electronic access controls

⁻ Physical security controls

⁻ Cyber security awareness (strong passwords, virus protection, etc.)

⁻ Inclusion in a Cyber Security Incident response plan

Acme’s assets that contain Low Impact BCS:

1. Substation Alpha

2. Substation Beta

3. Substation Charlie

4. Edison Coal Plant

5. Acme Primary Control Center

CIP Version 5 Evidence Request

• Level 1

⁻ High level documentation

⁻ Policies, procedures, processes, etc.

⁻ List of all BES assets

• Level 2

⁻ More granular documentation

⁻ Evidence of implementation

⁻ Selected sample of BES assets


(Screenshots of the CIP Version 5 Evidence Request tabs: BES Assets, Level 1, Sample Sets L2, Level 2)

Example: Acme’s R2 Evidence

• For Acme’s 5 assets that contain Low Impact BCS, evidence of:

⁻ Electronic access controls

Network diagram - Level 1

access control list - Level 2

⁻ Physical security controls

Documentation of card readers, key locks, etc. - Level 2

⁻ Cyber security awareness

Security policies - Level 1

Awareness training (posters, learning modules) – Level 2

⁻ Cyber Security Incident response plan

Copy of the plan – Level 1

Evidence of testing prior to April 1, 2017 – Level 2

Complete RSAW for each Standard

• RSAWs included in audit packet are pre-populated with audit team and entity information

• Provide detailed narrative of how you meet compliance for each requirement

• Best practice:

⁻ Complete all applicable RSAWs for every applicable requirement

⁻ Keep the RSAWs labeled “not required” in the initial audit notice on hand in case the audit team requests them as part of an audit scope expansion

⁻ Be prepared to provide evidence for all applicable requirements in case audit scope is expanded


(Screenshots: CIP-003-6 RSAW completion example)

Evidence Request Workbook Completion


Complete Evidence Request Workbook for each Standard

• Evidence Request Workbooks included in audit packet are pre-populated with entity information

• Provide a record of evidence artifact submissions

• Allows auditors to correlate evidence artifacts with Requirement Parts

• You may reference the Evidence Request Workbook in the RSAWs, but you may not reference the RSAWs in the Evidence Request Workbook


(Screenshots: Evidence Request Workbook example)

EFT Upload

• All audit documentation should be uploaded to the EFT server in the following format:


Questions


Summary

• Compliance is an ongoing process, not a one-time process

• Ensure you identify each asset that contains a Low Impact BES Cyber System

• Ensure you implement all sections of CIP-003-6 Attachment 1 for each asset that contains a Low Impact BES Cyber System

• Provide adequate evidence to support all requirements in scope

• Provide detailed narrative of how you meet compliance for each requirement in RSAWs


SPP RE CIP Team

• Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251

• Shon Austin, Lead Compliance Specialist - CIP, (501) 614-3273

• Ted Bell, Senior Compliance Specialist - CIP, (501) 614-3535

• Jeremy Withers, Senior Compliance Specialist - CIP, (501) 688-1676

• Robert Vaughn, Compliance Specialist II - CIP, (501) 482-2301

• Sushil Subedi, Compliance Specialist II - CIP, (501) 482-2332

• Leesa Oakes, Compliance Enforcement, (501) 614-3274