May 2, 2023
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study
ROBERT LANDAVAZO, NERC SECURITY COMPLIANCE ADMIN
SLIDE 2 | May 2, 2023
ABOUT ME
ROBERT LANDAVAZO
SLIDE 3 | May 2, 2023
OVERVIEW OF OUR CASE STUDY
THE PNM JOURNEY TO NERC CIP V5
• PNM Background
• Organization & functional responsibility
• The state of compliance 2012
• Re-implementing forgotten solutions
• Compliance over time
• Current environment
• A look at the future, a transition
• Lessons Learned
SLIDE 4 | May 2, 2023
ABOUT PNM RESOURCES
PNM RESOURCES – PNM AND TNMP
• Functional Registrations
» PNM = BA, DP, GO, GOP, LSE, PA, PSE, RP, TO, TOP, TP, TSP
» TNMP = DP, LSE, TO, TOP, TP
• Subject to Regional Entity(s) = WECC for PNM & TRE for TNMP
• Generation Capability = 3000+ MW; 8 Plants (PNM only)
• Peak Load = 2600 MW (PNM Only)
• Miles of BES Transmission = 15000+ miles at various BES voltages (PNM and TNMP)
• Control Centers = 2 in PNM and 2 for TNMP
• Approximate Electric Customers Served = 750,000
SLIDE 5 | May 2, 2023
OBJECTIVE - FUNCTIONAL ALIGNMENT
Streamline support functions of key systems
• Operations systems strategy
• Control Systems design
• Security/Network Architecture
• Control System Security Standards
• Enterprise Security and Architecture Standards
• Evaluation of emerging technologies
• Project Support
• Energy Management Systems
• Generation Management Systems
• Plant Control Systems/Distributed Controls Systems Applications support
• Historian Systems
• DOC/OMS Systems Support
• Network/communication configuration maintenance
• Network Diagnostics/Performance Management
• CIP Compliance Process/ Procedure Development
• OT Security Operations (security event management/ incident response/forensics)
• Disaster Recovery/Business Continuity
• Security Configuration Management
SLIDE 6 | May 2, 2023
OT STRATEGIC BENEFITS
Support across PNMR “operations” business areas
• Mitigating cyber security risks consistently across the enterprise
• Aligning support, compliance, and cyber security skills
• Integrating cyber security risk and compliance decision making into 3rd party contracts and services procurement
• Better positioned to support/integrate emerging OT technology and Smart Grid initiatives
• Architecture and systems standardization
SLIDE 7 | May 2, 2023
THE STATE OF COMPLIANCE IN 2012
CIP V3 COMPLIANCE WASN’T EASY AND WASN’T SUSTAINABLE
• Inadequate state of compliance
• Support tools were shelfware
• Smart team working the hard way
• Manual controls
• Support system sprawl across Business Units and Companies
• Frequent identification of potential violations
• Looming WECC audit in 2014
SLIDE 8
The Fate of CIPv3 Compliance: A Model
[Figure: change in systems, processes, or operations (vertical axis) plotted against time (horizontal axis), with the CIPv3 audit marked]
• Business changes affect compliance
• Massive effort to achieve audit-readiness
• No reason to expect pattern to change
SLIDE 9
A Different Model for Maintaining Compliance
[Figure: change in systems, processes, or operations (vertical axis) plotted against time (horizontal axis); marked points: "Compliance Audit Deadline or Security Event" and "Quarterly Audit Review or Security Assessment"]
Continuous Security and Compliance
• Lowers Cost
• Increases Efficiency
• Increases Security
• Reduces Risk
SLIDE 10 | May 2, 2023
BRINGING THE TOOLS BACK TO LIFE
TRANSITIONING TO AUTOMATION
Our Systems’ State:
• Systems patched but content not updated and maintained – going through the motions but no care & feeding
• Multiple tools untouched for years
• Incorrectly configured or missing configs
• More failed jobs than successful ones
• Poor documentation
• Non-existent monitoring for health and uptime
• Newly discovered issues bring to light more PVs
SLIDE 11
SLIDE 12 | May 2, 2023
THE RESULTS ARE WHAT COUNTS
CURRENT STATE OF COMPLIANCE AT PNM
[Chart: 90 Day Aggregate NERC CIP Compliance]
[Chart: 1.5 Year Aggregate NERC CIP Compliance]
SLIDE 13 | May 2, 2023
COMPLIANCE TODAY
TRANSITION TO V5
V3
Achieved in 2 years
3,500 control points
CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3, CIP-009-3

V5
Working towards
5,000+ control points by Q1 2016
CIP-002-5, CIP-004-6, CIP-005-5, CIP-007-6, CIP-009-6, CIP-010-2
Use the NERC Transition Guidance!
SLIDE 14 | May 2, 2023
WHAT’S NEXT?
THE FUTURE STATE OF COMPLIANCE
• “No new people”
• Need more tools!
SLIDE 15 | May 2, 2023
STREAMLINING COMPLIANCE
“IT TAKES A VILLAGE”
Automated Workflow for Asset & Change Management (CIP-002, CIP-010)
• Delivers time savings
Automated Workflow for Identity Management (CIP-004, CIP-007)
• Ensures user account accuracy
VIM Software White List (Future) (CIP-007 R2)
• Minimizing risks
• Reducing workload
Substation IED Management (CIP-007, CIP-010)
• Ensures continuous monitor & control
SLIDE 16 | May 2, 2023
ARCHITECTURE
INTEGRATED MONITOR & CONTROL
Tripwire Enterprise
Tripwire Log Center
IP360
Secunia VIM
Eaton/Cooper Yukon IMS
Sigmaflow AlertEnterprise! IDM
HI & MI Control Centers
MI Substations
Passive Compliance Monitoring
Active Compliance Monitoring
SLIDE 17 | May 2, 2023
PATHWAY TO CIP V5
LEVERAGING TECHNOLOGY
Requirement | Key Ask | Technology Support
Patch Management | 35 days or viable mitigation plan | Secunia VIM, Tripwire cited within mitigation plan
Malicious Code Prevention | “deter, detect & prevent” | McAfee/Intel Security, Cisco NGFW, and Tripwire
Security Event Logging | Log events – identify & after the fact investigation | Tripwire Log Center & Yukon IMS
Ports & Services | Logical network access ports; adding physical in-out ports | Tripwire Enterprise, physical port locks, tamper tape and signage
System Access Control | Verify authentication methods | Tripwire Enterprise and IP360
SLIDE 18 | May 2, 2023
ICS-CERT RECENT INCIDENTS
ENERGY INDUSTRY CONTINUES TREND
SLIDE 19 | May 2, 2023
TAKE-AWAYS
BEST PRACTICES
• Get the right people working on the right things – OT Org
• Recognize shortcomings and identify tools to rectify
• Leverage technology to automate continuous monitoring
• Ensure that your tools integrate to some degree – single pane of glass
• The foundation of security is built on compliance – it isn’t enough on its own
SLIDE 20 | May 2, 2023
QUESTIONS & CONTACT INFO
Robert Landavazo
NERC Security Compliance Administrator
PNM [email protected]
SLIDE 21 | May 2, 2023
ENERGYSEC SESSION DESCRIPTION
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study

Presenters: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire

With countless hours of work to go, PNM was far from ready for its coming audit in just 18 months. Confidence levels in its existing manual, and incomplete security controls, were at an all-time low; and the visibility into control center environments for quantifying its status and progress towards compliance was immeasurable.

With Tripwire, PNM’s preparation of the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM’s now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP-009-3. In addition, enhanced visibility and better control gave PNM the ability to effectively communicate meaningful and measurable initiatives to executive teams – resulting in increased support for their funding needs.

In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.