
ERO CIP v5 Evidence Request

Felek Abbas, NERC, Senior CIP Compliance Advisor

FRCC Compliance CIP Workshop

May 10 - 12, 2016

RELIABILITY | ACCOUNTABILITY2

Purpose

• Provide a set of common evidence request documents to promote consistency within the ERO

• Establish a consistent set of evidence to complement the RSAWs

• Provide a guide to evidence that may be requested during an audit

• Provide a framework for organization and submission of detailed evidence

Guiding Principles

• Resulting documents and approach must not compromise auditor independence.

• It is up to the entity to show how it implements the security practices specified by each Requirement. The audit team should review these practices to verify that the entity is protecting its BES Cyber Systems at an appropriate level of security and in a manner that is in compliance with each applicable requirement.

• Requests for information beyond that which will actually be reviewed should be avoided.

• The earlier in the process that information can be requested, the better.

Development Approach

• Basic evidence request – 3 Levels

o Populate the detail tabs of a sample evidence request as an example and for training purposes.

o Create a back-end (auditor only) database from the population tabs for correlation and sampling.

o Provide guidance on processes for sampling, conveying sampled populations to the entity, and receiving evidence from those samples.

• Incorporate risk factors

o Eliminate selected requests.

o Provide guidance on sample size based on risk.

o Select specific BES assets to reduce sample populations.

Considerations

• Audit Approach

o Review processes and procedures to verify all required components are included.

o Verify the entity’s performance to the Requirement.

o Verify the completeness of the entity’s performance.

• Strategies

o Ask as much as possible up front (Level 1).

o Do not ask for more information than will be reviewed by the audit team.

o Level 2 and later requests will be directed requests, usually based on a sample of assets under review.

o Ask for TFE information in a separate Level 1 request.

o Ask for CIP Exceptional Circumstances in a separate Level 1 request.

Approach

[Figure: evidence request flow] Initial Evidence Request - Level 1 → Level 1 Evidence → Sampling Populations → Sample Sets – Level 2 → Sampled Evidence Request - Level 2 → Level 2 Evidence → Detail Populations → Sample Sets – Level 3 → Evidence Request – Level 3 → Level 3 Evidence

Approach

• Evidence Requests occur in “Levels”

Level 1

o Request for Information (RFI) delivered as part of the initial audit notification

o Requests applicable processes, procedures, policies, etc.

o Requests lists of various items to form populations for sampling

o Requests sufficient evidence to develop directed samples

Level 2

o Directed requests for specific evidence based on a sample of the applicable population

Level 3

o Tightly focused requests for specific evidence

Fundamentals

In general, CIP Version 5 Requirements consist of three types:

1. Periodic Requirements – Requirements that must be performed at certain intervals. Example: CIP-004-6 R2 Part 2.3 requires cyber security training to be completed at least every 15 calendar months.

2. Event-Driven Requirements – Requirements that are triggered by a specific event or occurrence. Example: CIP-004-6 R2 Part 2.2 requires cyber security training before access is granted. The triggering event would be the request for access.

3. Ongoing Requirements – Requirements that must be maintained continuously. Example: CIP-005-5 R1 Part 1.1 requires that all high or medium impact BES Cyber Systems be protected by a defined ESP. The ESP must be maintained in place at all times.
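The three requirement types above, as an added example that is not part of the deck: one check per type, of the kind an audit team or an entity's own compliance tooling could run over submitted dates. The month-to-month counting of "calendar months" (ignoring the day), the strict "before" for the access grant, and the day-by-day ESP status input are assumptions.

```python
from datetime import date

def _d(s: str) -> date:
    """Parse an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(s)

def months_between(earlier: str, later: str) -> int:
    """Whole calendar months from earlier to later; the day of month is ignored
    (assumption: 'calendar months' are counted month-to-month)."""
    a, b = _d(earlier), _d(later)
    return (b.year - a.year) * 12 + (b.month - a.month)

def check_periodic(completion_dates, audit_end, max_months=15):
    """Periodic requirement (CIP-004-6 R2 Part 2.3: training at least every
    15 calendar months). Every gap between consecutive completions, plus the
    gap from the last completion to the end of the audit period, must not
    exceed max_months. Returns the (start, end, months) gaps that exceed it."""
    dates = sorted(completion_dates, key=_d)
    findings = []
    for prev, nxt in zip(dates, dates[1:] + [audit_end]):
        gap = months_between(prev, nxt)
        if gap > max_months:
            findings.append((prev, nxt, gap))
    return findings

def check_event_driven(completion_dates, access_granted):
    """Event-driven requirement (CIP-004-6 R2 Part 2.2: training before access
    is granted). True when some completion strictly precedes the grant date."""
    return any(_d(c) < _d(access_granted) for c in completion_dates)

def check_ongoing(esp_in_place_by_day):
    """Ongoing requirement (CIP-005-5 R1 Part 1.1: the ESP is maintained at
    all times). Takes {'YYYY-MM-DD': bool} and returns the days with no ESP."""
    return sorted(day for day, ok in esp_in_place_by_day.items() if not ok)

# Constructed sample evidence (not from the deck) for one individual and one ESP.
TRAINING = ["2015-05-01", "2014-01-15"]

if __name__ == "__main__":
    print(check_periodic(TRAINING, "2016-05-12"))    # 2014-01 to 2015-05 is 16 months
    print(check_event_driven(TRAINING, "2014-01-20"))
    print(check_ongoing({"2016-01-01": True, "2016-01-02": False}))
```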

Fundamentals

Types of Review

• Documentation Review

o Does the required documentation exist?

o Does the required documentation look reasonable and complete?

• Process Evaluation

o Does the process include the required steps?

o Is the process adequate to ensure security?

o Is the process adequate to ensure compliance?

• Outcome Verification

o Has the entity performed the compliance tasks required by the Standard?

o Has the entity adequately secured its assets as intended by the Standard?

General

• Verify required processes, policies, programs, or plans are in place and contain the elements required by the Standard.

• Verify required reviews and approvals are documented and occur within the required timeframe.

• With the exception of CIP-004-6 R3, CIP-008-5 R1, and CIP-009-6 R1, documentation review of most Requirements should be supplemented by on-site verification.

• Most Requirements are written with BES Cyber Systems as the Applicable Systems, but the actions required by the Standard mostly apply at the Cyber Asset level. This is why most samples are taken at the Cyber Asset level.

CIP-002-5.1 R1

• Verify the entity’s process to identify its BES Cyber Systems will result in a comprehensive set of BES Cyber Systems.

• Verify the entity’s implementation of its process did not miss any BES Cyber Assets. To this end, CIP-002-R1-L1-04 requests BES asset information such as one-line transmission drawings.

• Verify that BES Cyber Assets are members of at least one BES Cyber System.

• Verify that the correct impact rating was assigned to BES Cyber Systems.

• Verify that assets containing low impact BES Cyber Systems were identified.

CIP-003-6 R1

• Verify the entity’s cybersecurity policies are in place and meet the minimum requirements of the Standard [see CIP-003-6 Background, second paragraph]. Verify the entity’s cybersecurity policies communicate management’s:

o Goals

o Objectives

o Expectations

Verify the entity’s policies also establish an overall governance foundation for creating a culture of security and compliance.

• Verify the reviews and approvals of each cybersecurity policy were performed within the specified timeframe.

CIP-003-6 R2

• Requirements for low impact BES Cyber Systems are addressed independently for each section of Attachment 1.

• Processes and procedures for low impact BES Cyber Systems are reviewed at a general level.

• Review of actual implementation will be addressed by site visits to judgmentally sampled low impact BES Cyber System sites.

• Separate samples are requested for assets with low impact BES Cyber Systems, low impact BES Cyber Systems with LERC, and low impact BES Cyber Systems with Dial-up Connectivity.

• In order to perform this sampling in an optimal manner, substantial information about the characteristics of each facility is requested as part of CIP-002-5.1.

CIP-004-6 R2

• Review the training content of each training program to verify the required elements are included (See Notes to Auditor for CIP-004-6, R2, Part 2.1 in the RSAWs).

• Verify personnel were trained as required using one of the submitted training programs.

CIP-004-6 R3

• Verify personnel risk assessments have been performed as required – evidence is requested at a non-detail level to avoid exposure of Personally Identifiable Information to the audit team.

CIP-004-6 R4

• Verifications of authorizations and quarterly reviews are performed on a sample of personnel, rather than on a sample of BES Cyber Systems. Sampling is used to control the amount of evidence submitted and reviewed.

• Verification of actual account privileges is performed on a sample of applicable Cyber Assets.

• Verification of access privileges to BES Cyber System Information (BCSI) is performed on a sample of BCSI storage locations.

• Diversity of sampling (personnel, Cyber Assets, BCSI storage locations) is used to provide a more rounded picture of an entity’s compliance.

CIP-004-6 R5

• The sample structure of personnel changes is designed to avoid requiring excessive information, while still obtaining sufficient information to determine compliance.

• The Level 1 population (“Personnel” tab) requests a list of all personnel with CIP access during the audit period, including a flag for personnel that had a permissions change; this information is used to select a directed sample of those individuals with changed access during the audit period.

CIP-005-5 R1

• Verify that required processes are not only implemented, but are also maintained in continuous effect.

• Gather populations, sample, ask directed questions against the sample:

o ESPs

o EAPs

o Dial-up

o Non-ESP Cyber Assets

• Request EAP configuration information in a format usable by automated network analysis tools.

CIP-005-5 R2

• Verify the entity uses “jump hosts,” encryption, and multi-factor authentication when implementing Interactive Remote Access.

• Verify all Cyber Assets involved in provisioning Interactive Remote Access are identified and protected as EACMS.

• Verify all Cyber Assets performing the function of an Intermediate System are identified and protected as EACMS.

• Verify the solution implemented for Interactive Remote Access encrypts the remote access session, authenticates the remote access user with multi-factor authentication, and uses a “jump host” to prevent direct external access of a BES Cyber System.

CIP-006-6 R1

• For sampled PSPs, verify that the PSP is documented, that access points have been identified, and that mechanisms are in place to control access.

• Verify that monitoring, alarming, and logging are in place for PSPs.

• Verify that physical access to PACS is restricted, monitored, and alarmed.

• Auditing of this Requirement should be a documentation review supplemented by on-site verification (“walk-downs”).

CIP-007-6 R1

• The most effective way to verify that unnecessary physical ports are protected from use is to physically examine the applicable devices.

• To make most effective use of audit resources, the sample sets used here are the same sample sets used for physical walk-downs in CIP-006-6.

CIP-007-6 R4

• In Part 4.3, the Level 2 request asks for the number of log entries for each day in a date range for each sampled Cyber Asset; the Level 3 request then asks for actual logs for selected dates.
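The two-step request for Part 4.3, as an added example that is not part of the deck: over constructed log lines, the Level 2 response tallies entries per day for each sampled Cyber Asset (with zero-count days made explicit, since a day with no entries is exactly what a Level 3 question would target), and the Level 3 response returns the actual entries for selected dates. The asset names, the log line format and the function names are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample log lines for two sampled Cyber Assets (not from the deck).
# Format assumed here: "<ISO timestamp> <asset> <message>".
SAMPLE_LOGS = """\
2016-03-01T08:12:01Z ems-hmi-01 sshd: Accepted publickey for opsuser
2016-03-01T09:40:33Z ems-hmi-01 sshd: Failed password for invalid user test
2016-03-02T02:15:09Z ems-hmi-01 su: session opened for user root
2016-03-01T07:00:00Z rtu-gw-07 login: user fieldtech logged in
2016-03-03T11:05:44Z rtu-gw-07 login: 3 failed login attempts for user admin
""".splitlines()

def parse_line(line):
    """Split '<timestamp> <asset> <message>' into (day, asset, message)."""
    ts, asset, message = line.split(" ", 2)
    return ts[:10], asset, message

def daily_counts(lines, assets, start, end):
    """Level 2 response: number of log entries per day for each sampled
    Cyber Asset across [start, end] inclusive. Days with no entries are
    reported as 0 so that gaps in logging are visible to the reviewer."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    days = [(first + timedelta(n)).isoformat() for n in range((last - first).days + 1)]
    counts = Counter((day, asset) for day, asset, _ in map(parse_line, lines)
                     if asset in assets and start <= day <= end)
    return {a: {d: counts[(d, a)] for d in days} for a in assets}

def logs_for_dates(lines, asset, selected_days):
    """Level 3 response: the actual entries for one asset on the selected dates,
    in their original order."""
    wanted = set(selected_days)
    out = []
    for line in lines:
        day, a, _ = parse_line(line)
        if a == asset and day in wanted:
            out.append(line)
    return out

def days_without_logs(counts_for_asset):
    """Reviewer check on a Level 2 table: days with a zero count, which are
    natural candidates for a directed Level 3 request."""
    return [d for d, n in counts_for_asset.items() if n == 0]

if __name__ == "__main__":
    table = daily_counts(SAMPLE_LOGS, ["ems-hmi-01", "rtu-gw-07"], "2016-03-01", "2016-03-03")
    print(table)
    print(days_without_logs(table["rtu-gw-07"]))
    print(logs_for_dates(SAMPLE_LOGS, "rtu-gw-07", ["2016-03-03"]))
```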

CIP-008-5 R1, CIP-009-6 R1

• As R1 only requires a plan to be created, this becomes a documentation review only.

CIP-010-2 R1

• A baseline contains extensive information about a Cyber Asset, but the baseline also changes over time; entities may have widely varying techniques for documenting these changes.

• The software identified as part of the baseline should feed the patch management process in CIP-007-6 R2.

CIP-010-2 R3

• Level 2 is used to select specific Cyber Assets for review; a Level 3 request is used to select a set of mitigation plans to assess.

CIP-010-2 R4

• The entity may elect to manage Transient Cyber Assets (TCAs) in an ongoing manner and/or an on-demand manner; this will affect the audit approach.

TFEs

• General information about approved Technical Feasibility Exceptions (TFEs) is requested at Level 1.

• Additional, device-specific evidence is requested for the selected samples at Level 2.

CIP Exceptional Circumstances

• Evidence regarding any declared CIP Exceptional Circumstances is requested at Level 1.

• This information can be referenced if anomalies are encountered during the review of Level 2 evidence.

Items of Possible Concern

• General: Plans, programs, processes, and procedures are not only implemented, but are also maintained in continuous effect for ongoing protection of BES Cyber Systems.

• General: Entities may not be aware that there are three types of Requirements:

o Periodic

o Event-driven

o Ongoing

Items of Possible Concern

• CIP-002-5.1 R1: Due to the wording of the Standard, detailed information about low impact BES Cyber Systems is not being requested.

• CIP-004-6 R3: Detailed personal information should not be reviewed by the audit teams due to confidentiality concerns.

Items of Possible Concern

• CIP-004-6 R5: Concerns were noted that previous evidence requests had asked for all dates of permissions changes for all personnel. This information can be voluminous and difficult to obtain for a sizeable entity. Therefore, the information requested is for personnel that had a change of permissions during the audit period, allowing a meaningful sample to be generated without placing an undue burden on the entity or the audit teams.

• CIP-011-2 R1: Note that CIP-004-6 R4 addresses access authorization to BCSI storage locations.
