
CIP-014-1: Next Steps from an Auditor’s Perspective

DESCRIPTION

A walk-through by an experienced security practitioner with years of relevant industry experience in physical security, compliance, and NERC CIP auditing on how to identify and protect Transmission stations and Transmission substations in accordance with NERC CIP-014-1. This session will aid you in preparing for the assessment and evaluation process for the potential threats and vulnerabilities of a physical attack. This course is suited both to professionals involved with NERC CIP physical security and to compliance personnel seeking to understand the new physical security standard and how to avoid potential pitfalls.


Page 1: CIP-014-1: Next Steps from an Auditor's Perspective

Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Salt Lake City, UT Office

August 21, 2014, Austin, Texas

Page 2: Set your Compass!

• Where are you heading?
• Is it the right direction?
• Do you have help in charting the course?

Page 3: CIP-014-1 Introduction

• What it is:
  o Physical security of Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in "widespread"* instability, uncontrolled separation, or Cascading within an Interconnection.
• What it is not:
  o An extension of, or related to, CIP-006
  o Critical Cyber Asset/Protected Cyber Asset based
  o A limit on physical security measures
  o A one-size-fits-all approach to physical security

*In its July 17, 2014 NOPR, FERC proposed that "widespread" be removed.

Page 4: CIP-014-1 Introduction

• It may be helpful to view and manage CIP-014-1 as two major components:

  Applicability
    R1: Applicability and Risk Assessment
    R2: Unaffiliated Review
    R3: Control Center Notification

  Security
    R4: Threat and Vulnerability Assessment
    R5: Security Plan
    R6: Unaffiliated Review

Page 5: CIP-014-1 R1: Applicability and Risk Assessment

• Must be completed by the effective date of CIP-014-1
• Subsequent risk assessments must be completed within:
  o 30 months for entities that identified applicable Stations/Substations on the previous assessment
  o 60 months for entities that identified a null list on the previous assessment

Page 6: CIP-014-1 R1: Applicability and Risk Assessment

• Create a Candidate List:
  o Substations/Stations operating at or above 200 kV
  o Substations/Stations identified in an IROL
  o Substations/Stations critical to the operation of nuclear facilities
• Apply the criteria listed in 4.1.1 of CIP-014-1:
  o Operating at or above 500 kV
  -or-
  o Identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies
  -or-
  o Essential to meeting Nuclear Plant Interface Requirements
  -or-

Page 7: CIP-014-1 R1: Applicability and Risk Assessment

• Apply the criteria listed in 4.1.1 of CIP-014-1 (continued):
  o Operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3000 according to the line-weighting table in the standard.
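As an added example (not from the presentation), the screening described on pages 6 and 7 applied to a constructed set of stations. The station names, voltages, and line lists are made up. The per-line weights (700 for 200 to 299 kV lines, 1300 for 300 to 499 kV lines, 0 for 500 kV and above) are assumed from the line-weighting table in the standard, which the slide references but which is not reproduced here; verify them against the current standard before relying on them. IROL and nuclear-interface status are modeled as flags supplied by the planner, and the criterion labels are descriptive rather than the standard's sub-section numbers.

```python
"""CIP-014-1 R1 applicability screen: candidate list, then 4.1.1 criteria.
Added example; station data and line weights are constructed/assumed."""
from dataclasses import dataclass

# Weight per Transmission Line by operating voltage.  Assumed from the
# line-weighting table in the standard (not on the slide); verify before use.
LINE_WEIGHTS = ((200, 299, 700), (300, 499, 1300), (500, 10**6, 0))
AGGREGATE_THRESHOLD = 3000     # "aggregate weighted value exceeding 3000"
MIN_OTHER_STATIONS = 3         # "three or more other Transmission stations"


@dataclass(frozen=True)
class Line:
    kv: int        # operating voltage of the line
    remote: str    # the other station/substation the line connects to


@dataclass
class Station:
    name: str
    kv: int                       # highest operating voltage at the station
    lines: tuple = ()
    irol_critical: bool = False   # RC/PC/TP identified it as critical to IROL derivation
    npir_essential: bool = False  # essential to Nuclear Plant Interface Requirements


def line_weight(kv):
    for low, high, weight in LINE_WEIGHTS:
        if low <= kv <= high:
            return weight
    return 0  # below 200 kV: not counted


def aggregate_weighted_value(station):
    return sum(line_weight(line.kv) for line in station.lines)


def other_stations_at_200kv(station):
    """Distinct remote stations reached by lines operated at 200 kV or above.
    Two lines to the same station count once here but twice in the weight."""
    return {line.remote for line in station.lines if line.kv >= 200}


def is_candidate(station):
    """Candidate list from page 6: >= 200 kV, in an IROL, or critical to nuclear ops."""
    return station.kv >= 200 or station.irol_critical or station.npir_essential


def applicable_criteria(station):
    """4.1.1 criteria the station meets; an empty list means not applicable."""
    met = []
    if station.kv >= 500:
        met.append("500kV+")
    if (200 <= station.kv <= 499
            and len(other_stations_at_200kv(station)) >= MIN_OTHER_STATIONS
            and aggregate_weighted_value(station) > AGGREGATE_THRESHOLD):
        met.append("200-499kV weighted")
    if station.irol_critical:
        met.append("IROL critical")
    if station.npir_essential:
        met.append("NPIR essential")
    return met


def r1_identification(stations):
    """Candidate station name -> criteria met.  Candidates meeting none are kept
    with an empty list so a 'null list' result stays auditable."""
    return {s.name: applicable_criteria(s) for s in stations if is_candidate(s)}


# Constructed sample inventory (not real stations).
SAMPLE_STATIONS = (
    Station("Alpha 500", 500, (Line(500, "Bravo 345"),)),
    Station("Bravo 345", 345, (Line(345, "Alpha 500"), Line(345, "Charlie 345"),
                               Line(230, "Delta 230"))),            # 3300, 3 stations
    Station("Charlie 345", 345, (Line(345, "Bravo 345"), Line(345, "Bravo 345"),
                                 Line(230, "Delta 230"))),          # 3300, but only 2 stations
    Station("Delta 230", 230, (Line(230, "Bravo 345"), Line(230, "Charlie 345"),
                               Line(230, "Echo 138"), Line(230, "Foxtrot 115"))),  # 2800
    Station("Echo 138", 138, (Line(138, "Delta 230"),), irol_critical=True),
    Station("Foxtrot 115", 115, ()),                                # not a candidate
)

if __name__ == "__main__":
    for name, criteria in r1_identification(SAMPLE_STATIONS).items():
        print(f"{name:12} -> {criteria or 'not applicable'}")
```

Charlie and Delta are the two traps an auditor checks for: Charlie clears the weight threshold with two parallel lines to one neighbor but is not connected to three distinct stations, and Delta is connected to four stations but its 230 kV lines sum to only 2800.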

Page 8: CIP-014-1 R2: Unaffiliated Review of R1 Assessment

• Must be completed within 90 days of the R1 assessment and may be conducted concurrently
• The unaffiliated third party must be:
  o A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator
  -or-
  o An entity that has transmission planning or analysis experience
• The SDT interprets "unaffiliated" as external to the corporate structure
• The credentials of the third party will be assessed and may affect the audit risk and subsequent rigor for R1

Page 9: CIP-014-1 R2: Unaffiliated Review of R1 Assessment

• Unaffiliated reviewer recommendations must be addressed within 60 days of the review:
  o Modify its identification under Requirement R1 consistent with the recommendation
  -or-
  o Document the technical basis for not modifying the identification in accordance with the recommendation
    - This language is NOT intended to trigger TFEs
• Implement procedures to protect sensitive information throughout the review process

Page 10: CIP-014-1 R3: Notify Control Center Owners

• The entity has 7 days to notify control center operators for primary control centers associated with Stations/Substations identified in the R1 assessment
• The entity has 7 days to notify control center operators for primary control centers associated with Stations/Substations removed in subsequent R1 assessments
• Compliance tips:
  o Use email read receipts
  o Implement three-part communications
  o Receive and document confirmation of notification from control center operators

Page 11: CIP-014-1 R4: Threat and Vulnerability Assessment

• Conduct a threat and vulnerability assessment that considers:
  o Unique characteristics
  o Attack history, attacks on similar facilities
    - Frequency
    - Geographic proximity
    - Severity
  o Intelligence or threat warnings

Page 12: CIP-014-1 R4: Threat and Vulnerability Assessment

• Unique characteristics may include:
  o Terrain
    - Rural
    - Urban
  o Equipment/facility array
    - Are critical vulnerable assets on the perimeter, or are they shielded from view or attack by less critical components of the facility?
  o Existing protections
  o Facility size and shape
    - A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple corners, alcoves, and salient points.
  o Crime statistics
  o Weather

Page 13: CIP-014-1 R4: Threat and Vulnerability Assessment

• Assessment tips:
  o Identify which components of the facility are critical to the mission
  o Evaluate your facility from an adversary's perspective
  o Extend the assessment beyond the fence line
  o Understand the advantages and disadvantages afforded by the surrounding terrain
  o Understand your threat environment
    - Evaluate attacks on similar facilities globally
    - Evaluate attacks in your geographic area even if the target facility is unlike yours
• Some existing assessment methodologies:
  o CARVER
  o DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool (ECIP/IST)
  o Attack tree modeling

Page 14: CIP-014-1 R4: Threat and Vulnerability Assessment

• Suggested threat vectors to consider:
  o Direct fire
    - Can an adversary fire a line-of-sight weapon and damage a critical component?
  o Indirect fire
    - Can an adversary fire a weapon on an arc trajectory and damage a critical component?
  o Explosive
    - Can an adversary place an explosive device such that it will damage a critical component?
  o Vehicular attack
    - Can an adversary drive a vehicle into my facility to damage a critical component?
  o Forced entry
    - Can an adversary force their way into my facility to damage a critical component?
  o Surreptitious entry
    - Can an adversary sneak into the facility to damage a critical component?
  o Arson
    - Can an adversary damage critical components with fire?

Page 15: Assessment Resources

• Resources
  o Physical security personnel
  o Local law enforcement
  o Federal agencies
  o State emergency management
• Methodologies
  o ECIP/SAV
  o CARVER

Page 16: Terrain Analysis

• Observation
• Avenues of Approach
• Key Terrain
• Obstacles
• Cover and Concealment

Page 17: Observation

• Where can bad guys see me?
• What can I see?
• More importantly, what can't I see?

Page 18: Observation

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated for observation]

Page 19: Avenues of Approach

• How can bad guys get to me?
  o Vehicle
  o Foot

Page 20: Avenues of Approach

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated with avenues of approach]

Page 21: Key Terrain

• What do I really need to keep bad guys away from?
• What areas can bad guys conduct surveillance from?
• What areas can bad guys launch an attack from?

Page 22: Key Terrain

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated with key terrain]

Page 23: Obstacles

• What do I have available to block bad guys from getting to or seeing me?
  o Natural
    - Cliffs
    - Ravines
    - Trees
    - BFRs
  o Man-made
    - Fences
    - Gates
    - Bollards

Page 24: Obstacles

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated with obstacles]

Page 25: Cover and Concealment

• What is keeping me from seeing bad guys watching me or approaching me?
  o Vegetation
  o Structures
  o Terrain

Page 26: Cover and Concealment

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated with cover and concealment]

Page 27: Self Assessment

• What is vulnerable?
  o Ballistics paths
  o Susceptible to blast
  o Susceptible to sabotage
• How could I be attacked?
  o Beware a "failure of imagination"
  o Do not think about the likelihood of an attack vector at this point

Page 28: Surveillance Detection

• The following few slides are a very small slice of a free three-day course that DHS provides*
• If interested in the full course, contact your DHS Protective Security Advisor

*The presenter is not responsible for curriculum changes over the past four years or the effects of time on memory.

Page 29: Attack Planning Cycle

When can the attacker best be defeated?

Planning cycle:
  Target identification → Surveillance → Target selection → Pre-attack surveillance and planning → Rehearsal → Attack → Escape

Page 30: Surveillance Detection

Types of surveillance:
• Fixed
• Mobile
• Technical
• Photographic
• Combination

Page 31: Hostile Surveillance Points

Where can an adversary effectively conduct surveillance on your facility?

Page 32: Hostile Surveillance Points

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated with hostile surveillance points]

Page 33: Addressing Hostile Surveillance Points

[Diagram: sample terrain map (ravine, two hills, cliff, 300' distance) annotated with mitigations for the hostile surveillance points]

Page 34: Now What?

Q: We've mitigated all the hostile surveillance points; what's next?

A: It depends.
• Delay
• Detect
• Deter
• Defend

Page 35: Now What?

Q: Why didn't your last picture have any deter or defend mitigations?

A: There are a number of deterrents available at little or no cost:
• Random security measures
• Every visible security control*
• Police patrols

*Double-edged sword: showing all controls makes your controls easy to recon.

Page 36: Deterrents

Q: What do you mean by random security measures?

A: Random security measures allow you to implement security controls that wouldn't be fiscally possible if they were implemented across your facilities 24/7. The key to successful random security measures is to avoid any discernible pattern and to ensure the measures are enough of a departure from your standard security posture that they throw off an adversary. Random security measures are the bane of a recon scout's existence!

Page 37: Deterrents

Q: What are some examples of random security measures?

A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers

Page 38: Deterrents

Q: How do I get the police to patrol my remote sites?

A: Information sharing!
• Teach your first responders what's critical
• Invite first responders out for tours/site familiarity
• Where possible, offer some desk space and/or a pot of coffee

Page 39: Delay

Q: How can I defend my site without hiring a small army?

A: Do you have armed drones available? If not, you're likely limited to your response plan.

Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
  o Guard force
  o LLE (local law enforcement)
  o Operations personnel
• How long can you delay vs. how long will your response take to get on site?
  o 15-minute delay + 30-minute response = problem

Page 40: CPTED Concepts

• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic

Page 41: Shape Your Environment

• Put yourself in the attacker's position: which location would you prefer to attack?

Page 42: Lighting

• Put yourself in the attacker's position: which location would you prefer to attack?

Page 43: Observation

• Remove areas of concealment and visual barriers.

Page 44: Average Current Substation Defense

• Security by obscurity

Page 45: Average Current Substation Defense

• Single high-speed avenue of approach

Page 46: Average Current Substation Defense

• Chain-link fence with barbed-wire topper

Page 47: Average Current Substation Defense

• Cameras
• Intrusion detection
• System redundancy
• Defense in depth for cyber assets

Page 48: CIP-014-1 R5: Security Plan

• Develop a security plan including:
  o Resilience or security measures
    - Ensure the measures address the vulnerabilities identified in R4
  o Law enforcement contact and coordination, which may include:
    - Simply a name and phone number
    - Meetings to discuss security concerns, site-specific hazards, etc.
    - Site-specific training for law enforcement
    - Hosting law enforcement exercises
  o Timeline for implementing physical security projects
    - No specific dates or time frames are required in this timeline, but it must pass the common-sense test
  o Provision to evaluate evolving threats
    - Should include a process or mechanism to receive threat information
    - Should include a process to evaluate threat information as it is received

Page 49: CIP-014-1 R5: Security Plan

• Security plan tips:
  o Conduct a second assessment including the new measures
    - Provides valuable metrics to stakeholders and regulators
    - If conducted in the planning phase, may prevent costly but minimally effective security enhancements
  o Ensure the plan makes sense
    - A reasonably informed person should be able to follow and implement the plan without extensive knowledge of the site or entity
  o Law enforcement is your friend
    - Coordinate early and often to ensure all parties understand facility nuances and specific hazards/concerns
    - Law enforcement training on site = free security
    - Ensure mutual understanding of law enforcement response procedures and capabilities
  o Consider developing a threat/risk assessment function
    - May require additional human capital
    - Can be achieved through vendor solutions

Page 50: CIP-014-1 R6: Unaffiliated Review of Assessment and Plan

• R6: Unaffiliated review of the R4 assessment and R5 plan by:
  o An organization with industry physical security experience AND a Certified Protection Professional (CPP) or Physical Security Professional (PSP) on staff*
  -or-
  o An organization approved by the ERO*
  -or-
  o A government agency with physical security expertise
  -or-
  o An organization with demonstrated law enforcement or military physical security expertise*

*WECC staff meet these criteria

Page 51: CIP-014-1 Implementation

• R1 risk assessment must be completed on or before the effective date
• R2
  o 2.1, 2.2, and 2.4 must be completed within 90 calendar days of the R1 assessment
  o 2.3 must be completed within 60 calendar days of the 2.2 verification
• R3 must be completed within 7 calendar days of R2 completion
• R4 must be completed within 120 calendar days of R2 completion

Page 52: CIP-014-1 Implementation

• R5 must be completed within 120 days of R2 completion
• R6
  o 6.1, 6.2, and 6.4 must be completed within 90 days of R5 completion
  o 6.3 must be completed within 60 days of the 6.2 review

Page 53: CIP-014-1 Implementation

CIP-014-1 Implementation Timeline

  Step                                      Deadline          Days from effective date
  R1   Assessment                           Effective date      0
  R2   Verification                         Effective + 90     90
  R2.3 Address discrepancies                R2.2 + 60         150
  R3   Notify control center                R2 + 7            157
  R4   Threat and vulnerability evaluation  R2 + 120          270
  R5   Security plan                        R2 + 120          270
  R6   Review                               R5 + 90           360
  R6.3 Address discrepancies                R6.2 + 60         420

Less than nine months from the effective date to security plan completion.

Page 54: Maximum Timeline

• R2 through R6 must be completed within 420 calendar days after completing the risk assessment process in R1.
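As an added example (not part of the presentation), a tracker for the deadline chain on pages 51 through 54. Each step's due date is computed from the actual completion date of the step that starts its clock; when that step is still open, the tracker falls back to that step's own deadline, which is the latest the clock could start, so the worst case reproduces the 420-day maximum. The effective date and completion dates in the block are constructed for illustration, not the standard's real dates.

```python
"""Deadline tracker for the CIP-014-1 implementation chain on the preceding
slides.  Added example; the dates below are constructed for illustration."""
from datetime import date, timedelta

# Each step: (step whose completion starts the clock, calendar days allowed).
# "effective" is the standard's effective date.  Offsets follow pages 51-53,
# where "R2 completion" means completion of 2.3 (150 days in the table).
CHAIN = {
    "R1":   ("effective", 0),   # risk assessment due on or before effective date
    "R2":   ("R1", 90),         # 2.1, 2.2, 2.4: third-party verification
    "R2.3": ("R2", 60),         # address reviewer recommendations
    "R3":   ("R2.3", 7),        # notify control center operators
    "R4":   ("R2.3", 120),      # threat and vulnerability evaluation
    "R5":   ("R2.3", 120),      # security plan
    "R6":   ("R5", 90),         # 6.1, 6.2, 6.4: unaffiliated review of R4/R5
    "R6.3": ("R6", 60),         # address reviewer recommendations
}


def deadline(step, effective, completed):
    """Calendar deadline for `step`.  If the predecessor is done, its actual
    completion date starts the clock; otherwise use the predecessor's own
    deadline, the latest the clock could legally start (worst case)."""
    anchor, days = CHAIN[step]
    if anchor == "effective":
        start = effective
    elif anchor in completed:
        start = completed[anchor]
    else:
        start = deadline(anchor, effective, completed)
    return start + timedelta(days=days)


def worst_case_days(step):
    """Days after the effective date if every step uses its full allowance."""
    anchor, days = CHAIN[step]
    return days if anchor == "effective" else days + worst_case_days(anchor)


def status(effective, completed, today):
    """Per-step report: (deadline, 'met' | 'late' | 'overdue' | 'pending')."""
    report = {}
    for step in CHAIN:
        due = deadline(step, effective, completed)
        if step in completed:
            state = "met" if completed[step] <= due else "late"
        else:
            state = "overdue" if today > due else "pending"
        report[step] = (due, state)
    return report


if __name__ == "__main__":
    effective = date(2015, 10, 1)                 # constructed, not the real date
    done = {                                      # constructed completion dates
        "R1": date(2015, 10, 1),
        "R2": date(2015, 12, 15),
        "R2.3": date(2016, 1, 20),
        "R3": date(2016, 2, 1),                   # 12 days after R2.3: late
    }
    for step, (due, state) in status(effective, done, date(2016, 3, 1)).items():
        print(f"{step:5} due {due}  {state}")
    print("worst case to R6.3:", worst_case_days("R6.3"), "days")
```

Because R3 is anchored on the completion of R2.3, the seven-day notification window opens the day the reviewer's recommendations are closed out, not the day the verification letter arrives; that is the date the sample flags as late.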

Page 55: CIP-014 (Physical Security) NOPR

• Notice of Proposed Rulemaking (NOPR) issued by FERC on July 17, 2014:
  o Proposes to approve CIP-014-1, the implementation plan, and the VRFs/VSLs
  o Proposes modifications
  o Proposes informational filings
  o Seeks comments
• Comments due 45 days after the NOPR is published in the Federal Register. Reply comments due 60 days after the NOPR is published in the Federal Register.

Page 56: CIP-014 (Physical Security) NOPR

• Proposed modifications:
  o Allow Governmental Authorities (i.e., FERC and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity's list of critical facilities under Requirement R1.
  o Remove the term "widespread" as it appears in the proposed Reliability Standard in the phrase "widespread instability."

Page 57: CIP-014 (Physical Security) NOPR

• Proposed informational filings:
  o Within six months of the effective date of a final rule, addressing the possibility that CIP-014-1 may not provide physical security for all "High Impact" control centers as defined in CIP-002-5.1.
  o Within one year of the effective date of a final rule, addressing possible resiliency measures that can be taken to maintain reliable operation of the Bulk Electric System following the loss of critical facilities.

Page 58: CIP-014 (Physical Security) NOPR

• Comments desired on:
  o Providing for applicable governmental authorities to add or subtract facilities from an entity's list of critical facilities
  o The standard for identifying critical facilities
  o Control centers
  o Exclusion of generators from the applicability section of the proposed Reliability Standard
  o Third-party recommendations
  o Resiliency
  o Violation risk factors and violation severity levels
  o Implementation plan and effective date

Page 59: At Your Service

• PSWG: get plugged in!
  http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• A phone call away. We want to help.
• Always willing to provide our audit approach

Page 60: Questions?

Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 857-9134
[email protected]