CIP-014-1: Next Steps from an Auditor’s Perspective
DESCRIPTION
A walk-through by an experienced security practitioner with years of industry experience in physical security, compliance, and NERC CIP auditing on how to identify and protect Transmission stations and Transmission substations in accordance with NERC CIP-014-1. This session will help you prepare for the assessment and evaluation of the potential threats and vulnerabilities of a physical attack. The course suits both professionals involved with NERC CIP physical security and compliance personnel seeking to understand the new physical security standard and how to avoid potential pitfalls.
TRANSCRIPT
Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Salt Lake City, UT Office
CIP-014-1: Next Steps from an Auditor’s Perspective
August 21, 2014, Austin, Texas
2
Set your Compass!
• Where are you heading?
• Is it the right direction?
• Do you have help in charting the course?
3
CIP-014-1 Introduction
• What it is:
  o Physical security of Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in “widespread”* instability, uncontrolled separation, or Cascading within an Interconnection.
  *FERC directed “widespread” to be removed on July 17, 2014.
• What it is not:
  o An extension of, or related to, CIP-006
  o Critical Cyber Asset/Protected Cyber Asset based
  o A limit to physical security measures
  o A one-size-fits-all approach to physical security
4
CIP-014-1 Introduction
• It may be helpful to view and manage CIP-014-1 as two major components.
  Applicability:
    R1: Applicability and Risk Assessment
    R2: Unaffiliated Review
    R3: Control Center Notification
  Security:
    R4: Threat and Vulnerability Assessment
    R5: Security Plan
    R6: Unaffiliated Review
5
CIP-014-1 R1: Applicability and Risk Assessment
• Must be completed by the effective date of CIP-014-1
• Subsequent assessments must be completed:
  o Within 30 months for entities who identified applicable Stations/Substations on the previous assessment
  o Within 60 months for entities who identified null lists on the previous assessment
6
CIP-014-1 R1: Applicability and Risk Assessment
• Create a Candidate List
  o Substations/Stations operating at or above 200 kV
  o Substations/Stations identified in an IROL
  o Substations/Stations critical to operation of nuclear facilities
• Apply criteria listed in 4.1.1 of CIP-014-1
  o Operating at or above 500 kV
  -or-
  o Identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.
  -or-
  o Essential to meeting Nuclear Plant Interface Requirements
  -or-
7
CIP-014-1 R1: Applicability and Risk Assessment
• Apply criteria listed in 4.1.1 of CIP-014-1 (continued)
  o Operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the table below.
8
CIP-014-1 R2: Unaffiliated Review of R1 Assessment
• Must be completed within 90 days of the R1 Assessment and may be conducted concurrently
• Unaffiliated third party must be:
  o A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator
  -or-
  o An entity that has transmission planning or analysis experience
• The SDT interprets “unaffiliated” as external to the corporate structure
• The credentials of the third party will be assessed and may impact the audit risk and subsequent rigor for R1
9
CIP-014-1 R2: Unaffiliated Review of R1 Assessment
• Unaffiliated reviewer recommendations must be addressed within 60 days of review:
  o Modify its identification under Requirement R1 consistent with the recommendation
  -or-
  o Document the technical basis for not modifying the identification in accordance with the recommendation
    - This language is NOT intended to trigger TFEs
• Implement procedures to protect sensitive information throughout the review process
10
CIP-014-1 R3: Notify Control Center Owners
• The entity has 7 days to notify control center operators for primary control centers associated with Stations/Substations identified in the R1 assessment
• The entity has 7 days to notify control center operators for primary control centers associated with Stations/Substations removed in subsequent R1 assessments
• Compliance tips:
  o Use email read receipts
  o Implement three-part communications
  o Receive and document confirmation of notification from control center operators
11
CIP-014-1 R4: Threat and Vulnerability Assessment
• Conduct a threat and vulnerability assessment that considers:
  o Unique characteristics
  o Attack history, attacks on similar facilities
    - Frequency
    - Geographic proximity
    - Severity
  o Intelligence or threat warnings
12
CIP-014-1 R4: Threat and Vulnerability Assessment
• Unique characteristics may include:
  o Terrain
    - Rural
    - Urban
  o Equipment/Facility array
    - Are critical vulnerable assets on the perimeter, or are they shielded from view or attack by less critical components of the facility?
  o Existing protections
  o Facility size and shape
    - A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple corners, alcoves, and salient points.
  o Crime statistics
  o Weather
13
CIP-014-1 R4: Threat and Vulnerability Assessment
• Assessment tips
  o Identify what components of the facility are critical to the mission
  o Evaluate your facility from an adversary’s perspective
  o Extend the assessment beyond the fence line
  o Understand the advantages and disadvantages afforded by surrounding terrain
  o Understand your threat environment
    - Evaluate attacks on similar facilities globally
    - Evaluate attacks in your geographic area even if the target facility is unlike yours
• Some existing assessment methodologies
  o CARVER
  o DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool (ECIP/IST)
  o Attack Tree Modeling
14
CIP-014-1 R4: Threat and Vulnerability Assessment
• Suggested threat vectors to consider
  o Direct fire
    - Can an adversary fire a line-of-sight weapon and damage a critical component?
  o Indirect fire
    - Can an adversary fire a weapon on an arc trajectory and damage a critical component?
  o Explosive
    - Can an adversary place an explosive device such that it will damage a critical component?
  o Vehicular attack
    - Can an adversary drive a vehicle into my facility to damage a critical component?
  o Forced entry
    - Can an adversary force his way into my facility to damage a critical component?
  o Surreptitious entry
    - Can an adversary sneak into the facility to damage a critical component?
  o Arson
    - Can an adversary damage critical components with fire?
15
Assessment Resources
• Resources
  o Physical security personnel
  o Local law enforcement
  o Federal agencies
  o State emergency management
• Methodologies
  o ECIP/SAV
  o CARVER
16
Terrain Analysis
• Observation
• Avenues of Approach
• Key Terrain
• Obstacles
• Cover and Concealment
17
Observation
• Where can bad guys see me?
• What can I see?
• More importantly, what can’t I see?
18
Observation
[Figure: terrain sketch of the example site, labelled Ravine, Hill, Hill, 300’, Cliff]
19
Avenues of Approach
• How can bad guys get to me?
  o Vehicle
  o Foot
20
Avenues of Approach
[Figure: the same terrain sketch, labelled Ravine, Hill, Hill, 300’, Cliff, with approach routes marked]
21
Key Terrain
• What do I really need to keep bad guys away from?
• What areas can bad guys conduct surveillance from?
• What areas can bad guys launch an attack from?
22
Key Terrain
[Figure: the same terrain sketch, labelled Ravine, Hill, Hill, 300’, Cliff, with key terrain marked]
23
Obstacles
• What do I have available to block bad guys from getting to or seeing me?
  o Natural
    - Cliffs
    - Ravines
    - Trees
    - BFRs
  o Man-made
    - Fences
    - Gates
    - Bollards
24
Obstacles
[Figure: the same terrain sketch, labelled Ravine, Hill, Hill, 300’, Cliff, with obstacles marked]
25
Cover and Concealment
• What is keeping me from seeing bad guys watching me or approaching me?
  o Vegetation
  o Structures
  o Terrain
26
Cover and Concealment
[Figure: the same terrain sketch, labelled Ravine, Hill, Hill, 300’, Cliff, with cover and concealment marked]
27
Self Assessment
• What is vulnerable?
  o Ballistics paths
  o Susceptible to blast
  o Susceptible to sabotage
• How could I be attacked?
  o Beware a “failure of imagination”
  o Do not think about the likelihood of an attack vector at this point
28
Surveillance Detection
• The following few slides are a very small slice of a free three-day course that DHS provides*
• If interested in the full course, contact your DHS Protective Security Advisor
*The presenter is not responsible for curriculum changes over the past four years or the effects of time on memory.
29
Attack Planning Cycle
When can the attacker best be defeated?
Planning cycle:
• Target identification
• Surveillance
• Target selection
• Pre-attack surveillance and planning
• Rehearsal
• Attack
• Escape
30
Surveillance Detection
Types of Surveillance
• Fixed
• Mobile
• Technical
• Photographic
• Combination
31
Hostile Surveillance Points
Where can an adversary effectively conduct surveillance on your facility?
32
Hostile Surveillance Points
[Figure: the same terrain sketch, labelled Ravine, Hill, Hill, 300’, Cliff, with hostile surveillance points marked]
33
Addressing Hostile Surveillance Points
[Figure: the same terrain sketch, labelled Ravine, Hill, Hill, 300’, Cliff, with mitigations for the surveillance points marked]
34
Now What?
Q: We’ve mitigated all the hostile surveillance points, what’s next?
A: It depends
• Delay
• Detect
• Deter
• Defend
35
Now What?
Q: Why didn’t your last picture have any deter or defend mitigations?
A: There are a number of deterrents available at little or no cost
• Random security measures
• Every visible security control*
• Police patrols
*Double-edged sword: showing all controls makes your controls easy to recon.
36
Deterrents
Q: What do you mean by random security measures?
A: Random security measures allow you to implement security controls that wouldn’t be fiscally possible if they were implemented across your facilities 24/7. The key to successful random security measures is to avoid any discernible pattern and to ensure the measures are enough of a departure from your standard security posture that they throw off an adversary. Random security measures are the bane of a recon scout’s existence!
37
Deterrents
Q: What are some examples of random security measures?
A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers
38
Deterrents
Q: How do I get the police to patrol my remote sites?
A: Information sharing!
• Teach your first responders what’s critical
• Invite first responders out for tours/site familiarity
• Where possible, offer some desk space and/or a pot of coffee
39
Delay
Q: How can I defend my site without hiring a small army?
A: Do you have armed drones available? If not, you’re likely limited to your response plan.
Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
  o Guard force
  o LLE
  o Operations personnel
• How long can you delay vs. how long will your response take to get on site?
  o 15 minute delay + 30 minute response = problem
40
CPTED Concepts
• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic
41
Shape Your Environment
• Put yourself in the attacker’s position: which location would you prefer to attack?
42
Lighting
• Put yourself in the attacker’s position: which location would you prefer to attack?
43
Observation
• Remove areas of concealment and visual barriers.
44
Average Current Substation Defense
• Security by obscurity
45
Average Current Substation Defense
• Single high-speed avenue of approach
46
Average Current Substation Defense
• Chain link fence with barbed wire topper
47
Average Current Substation Defense
• Cameras
• Intrusion detection
• System redundancy
• Defense in depth for cyber assets
48
CIP-014-1 R5: Security Plan
• Develop a security plan including:
  o Resilience or security measures
    - Ensure the measures address vulnerabilities identified in R4
  o Law enforcement contact and coordination, which may include:
    - Simply a name and phone number
    - Meetings to discuss security concerns, site-specific hazards, etc.
    - Site-specific training for law enforcement
    - Hosting law enforcement exercises
  o Timeline for implementing physical security projects
    - No specific dates or time frames are required in this timeline, but it must pass the common sense test
  o Provision to evaluate evolving threats
    - Should include a process or mechanism to receive threat information
    - Should include a process to evaluate threat information as it is received
49
CIP-014-1 R5: Security Plan
• Security plan tips
  o Conduct a second assessment including the new measures
    - Provides valuable metrics to stakeholders and regulators
    - If conducted in the planning phase, may prevent costly but minimally effective security enhancements
  o Ensure the plan makes sense
    - A reasonably informed person should be able to follow and implement the plan without extensive knowledge of the site or entity
  o Law enforcement is your friend
    - Coordinate early and often to ensure all parties understand facility nuances and specific hazards/concerns
    - Law enforcement training on site = free security
    - Ensure mutual understanding of law enforcement response procedures and capabilities
  o Consider developing a threat/risk assessment function
    - May require additional human capital
    - Can be achieved through vendor solutions
50
CIP-014-1 R6: Unaffiliated Review of Assessment and Plan
• R6: Unaffiliated Review of R4 Assessment and R5 Plan
  o An organization with industry physical security experience AND a Certified Protection Professional (CPP) or Physical Security Professional (PSP) on staff.*
  -or-
  o An organization approved by the ERO.*
  -or-
  o A government agency with physical security expertise.
  -or-
  o An organization with demonstrated law enforcement or military physical security expertise.*
*WECC staff meet these criteria
51
CIP-014-1 Implementation
• R1 Risk Assessment must be completed on or before the effective date
• R2
  o 2.1, 2.2, and 2.4 must be completed within 90 calendar days of the R1 assessment
  o 2.3 must be completed within 60 calendar days of the 2.2 verification
• R3 must be completed within 7 calendar days of R2 completion
• R4 must be completed within 120 calendar days of R2 completion
52
CIP-014-1 Implementation
• R5 must be completed within 120 days of R2 completion
• R6
  o 6.1, 6.2, and 6.4 must be completed within 90 days of R5 completion
  o 6.3 must be completed within 60 days of the 6.2 review
53
CIP-014-1 Implementation
CIP-014-1 Implementation Timeline
Milestone                                 Due                 Cumulative
R1 Assessment                             Effective Date      0 days
R2 Verification                           Effective + 90      90 days
R2.3 Address Discrepancies                R2.2 + 60           150 days
R3 Notify Control Center                  R2 + 7              157 days
R4 Threat and Vulnerability Evaluation    R2 + 120            270 days
R5 Security Plan                          R2 + 120            270 days
R6 Review                                 R5 + 90             360 days
R6.3 Address Discrepancies                R6.2 + 60           420 days
Less than nine months from effective date to Security Plan completion
54
Maximum Timeline
• R2 through R6 must be completed within 420 calendar days after completing the risk assessment process in R1.
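The milestone chain on the two implementation slides, together with the 420-day bound stated here, is a small dependency graph, and a compliance lead will want it as a date calculator rather than a table. The following Python is an added example, not from the presentation or from WECC/NERC. It encodes the slide offsets, treating "R2 completion" as the date R2.3 discrepancies are addressed (which is what makes the cumulative counts come out at 157, 270, 360 and 420 days), and uses a constructed placeholder effective date, since the real date is set by the FERC final rule and is not on the slides.

```python
from datetime import date, timedelta

# Milestone chain taken from the implementation slides:
# (milestone, predecessor, calendar days after the predecessor).
# "R2 completion" on the slides is the point at which R2.3 discrepancies
# have been addressed, so R3, R4 and R5 hang off that milestone.
MILESTONES = [
    ("R1 Assessment", None, 0),
    ("R2 Verification", "R1 Assessment", 90),
    ("R2.3 Address Discrepancies", "R2 Verification", 60),
    ("R3 Notify Control Center", "R2.3 Address Discrepancies", 7),
    ("R4 Threat and Vulnerability Evaluation", "R2.3 Address Discrepancies", 120),
    ("R5 Security Plan", "R2.3 Address Discrepancies", 120),
    ("R6 Review", "R5 Security Plan", 90),
    ("R6.3 Address Discrepancies", "R6 Review", 60),
]

# Outer bound from the "Maximum Timeline" slide: R2 through R6 must finish
# within 420 calendar days of completing R1.
MAX_DAYS_AFTER_R1 = 420


def _as_date(value):
    """Accept a date or an ISO-8601 string (as read from a config file)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def build_schedule(effective_date):
    """Return {milestone: (due_date, days_since_effective)} for every
    milestone, resolving each offset against its predecessor's due date."""
    effective = _as_date(effective_date)
    schedule = {}
    for name, predecessor, offset in MILESTONES:
        base = effective if predecessor is None else schedule[predecessor][0]
        due = base + timedelta(days=offset)
        schedule[name] = (due, (due - effective).days)
    return schedule


def within_maximum(schedule):
    """True when the last milestone lands on or before the 420-day bound."""
    return max(days for _, days in schedule.values()) <= MAX_DAYS_AFTER_R1


def upcoming(schedule, today, window_days):
    """Milestones not yet past due that fall inside the next window_days,
    ordered by due date: the list a compliance lead would review weekly."""
    start = _as_date(today)
    horizon = start + timedelta(days=window_days)
    return sorted(
        (name for name, (due, _) in schedule.items() if start <= due <= horizon),
        key=lambda name: schedule[name][0],
    )


if __name__ == "__main__":
    # Constructed placeholder effective date; the real one comes from the
    # FERC final rule and is not on the slides.
    sched = build_schedule("2015-01-01")
    for name, (due, days) in sched.items():
        print(f"{name:<40} {due.isoformat()}  (+{days} days)")
    print("Within 420-day maximum:", within_maximum(sched))
    print("Due within 30 days of 2015-05-20:", upcoming(sched, "2015-05-20", 30))
```

Because each offset is resolved against its predecessor rather than hard-coded as a cumulative count, a slipped R2 verification automatically pushes every downstream date, which is exactly the behaviour the auditor will expect to see reflected in the entity's evidence.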
55
CIP-014 (Physical Security) NOPR
• Notice of Proposed Rulemaking (NOPR) issued by FERC July 17, 2014.
  o Proposes to approve CIP-014-1, implementation plan, and VRF/VSL
  o Proposes modifications
  o Proposes informational filing
  o Seeks comments
• Comments due 45 days after NOPR published in the Federal Register. Reply comments due 60 days after NOPR published in the Federal Register.
56
CIP-014 (Physical Security) NOPR
• Proposed modifications:
  o Allow Governmental Authorities (i.e., FERC and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity’s list of critical facilities under Requirement R1.
  o Remove the term “widespread” as it appears in the proposed Reliability Standard in the phrase “widespread instability.”
57
CIP-014 (Physical Security) NOPR
• Proposed informational filings:
  o Within six months of the effective date of a final rule, addressing the possibility that CIP-014-1 may not provide physical security for all “High Impact” control centers as defined in CIP-002-5.1.
  o Within one year of the effective date of a final rule, addressing possible resiliency measures that can be taken to maintain reliable operation of the Bulk Electric System following the loss of critical facilities.
58
CIP-014 (Physical Security) NOPR
• Comments desired on:
  o Providing for applicable governmental authorities to add or subtract facilities from an entity’s list of critical facilities
  o The standard for identifying critical facilities
  o Control centers
  o Exclusion of generators from the applicability section of the proposed Reliability Standard
  o Third-party recommendations
  o Resiliency
  o Violation risk factors and violation severity levels
  o Implementation plan and effective date
59
At Your Service
• PSWG: get plugged in!
• http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• A phone call away: we want to help.
• Always willing to provide our audit approach
Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 857-9134
Questions?