Explore the Implicit Requirements of the NERC CIP RSAWs

© 2015 MetricStream, Inc. All Rights Reserved.
Explore the Implicit Requirements of the
NERC CIP RSAWs
Karl Perman
VP Member Services
EnergySec
Shreyank Shrinath Kamat
Product Manager
MetricStream

Agenda
 RSAW format
 Implicit requirements of CIP RSAWs
 Leveraging technology for RSAW management
 Q&A

BACKGROUND
© 2015 Energy Sector Security Consortium, Inc. 3

RSAW Template
• Identifying Information
– Standard, Entity, Names of Auditors, etc.
• Applicability of Requirements by
Functional Model
• Color-coded
– Fixed text, Entity-supplied information,
Auditor-supplied information
• Findings
– Areas of Concern, Recommendations,
Positive Observations

RSAW Template
• Entity’s Subject Matter Experts
• Requirement and Measures
• Questions
– Space for entity response, may reference
other documents
• Compliance Narrative
• Evidence
– Documents and descriptions
• Guidance & Questions for Auditors

Standard Drafting Team
• CIP V5 Transition FAQ, Response to
Comments
• “It is inappropriate to suggest that there is
an implicit requirement or an inherent
requirement that must be complied with as
requirements can only be explicit.”

Actual Auditors
• Lew Folkerth, Reliability First
– SPP RE CIP Workshop, June 2, 2015
• http://www.spp.org/documents/28852/2015%20cip%20works
hop%20materials.pdf
– RF Newsletter, Issue 3
• https://www.serc1.org/docs/default-
source/outreach/communications/resource-documents/serc-
transmission-reference/201507---st/cip-v5-rsaw---rf-
newsletter-article.pdf?sfvrsn=2
• Kevin Perry, SPP
– CIP Compliance Workshop, June 3, 2015
• Wayne Lewis, NPCC
– CIP Compliance Seminar, 3/24/15
• https://www.npcc.org/Compliance/CIP%20Seminars/Spring%
202015%20CIP-010-2.pdf

IMPLICIT REQUIREMENTS

Update Policies
• CIP-003-6
• Review and obtain CIP Senior Manager approval
for policies
• “The SDT received comments that Requirements
R1 and R2 require annual review of the policy, but
never explicitly require the policy to receive
updates as a result of that review. The SDT
believes this is implicit in the Requirement, and
updates would occur as part of an entity’s ongoing
compliance with the Requirement.”
– http://www.nerc.com/pa/Stand/Project%20200806%2
0Cyber%20Security%20Order%20706%20DL/Consid
eration_of_Comments_to_draft_3_102612_final.pdf

Shared Compliance
Responsibility
• Asset name or designation
• Formal agreement describing shared
compliance responsibility

Classify assets
• CIP-002-5 requires entities to classify BES
Cyber Systems
• BES Cyber Asset will “adversely impact
one or more Facilities, systems, or
equipment”
• Classify assets as High, Medium, or Low,
and then BCA are those Cyber Assets
which affect those assets, and take rating
from the asset they effect

Cyber Assets
• CIP-002 never explicitly says to identify
(list) Cyber Assets
– Need list of Cyber Assets to show that all that
should be BES Cyber Assets were identified
as such

Identify PCA
• CIP-005-5 R1 Part 1.1
• Cyber Assets connected to network via routable
protocol shall reside within a defined ESP
– Applicable Systems
• PCA Associated with High or Medium Impact BCS
• Need to identify PCA
– Auditors will likely want to audit a sample of
PCA, so you need a list of PCA

Verify PCA
• “After the ESP is defined, verify the
“implied” requirement of identifying any
PCA within the ESP has been completed”
• Have a process
• Use that process

ESP Process
• “Verify the Responsible Entity has
documented one or more process(es) which
require all applicable Cyber Assets connected
to a network via a routable protocol to reside
within a defined ESP.”
– RSAW CIP-005-5
• “In order to verify that each Cyber Asset
residing within a defined ESP has been
identified as either a BES Cyber Asset or as a
PCA, it may be necessary to examine the
ESP and conduct an inventory of network
connections within the ESP.”

Transient Cyber Assets and
Removable Media
• Evidence that Transient Cyber Assets and Removable Media
have been connected for 30 calendar days or less
– Record of connection and disconnection
• Evidence they have been utilized as authorized
– Record who used them
– Record where used
– Record purpose
• Record of review of Transient Cyber Assets managed by third
parties
• Record of Transient Cyber Asset patching if used to mitigate
vulnerabilities
• Record of anti-malware signature file updates if used to
mitigate introduction of malware
• Record of scans or other methods to detect and remove
malicious code before introducing Removable Media into the
Electronic Security Perimeter

Configuration Change
Management
• CIP-010-2 R1.4
– 1.4.1. Prior to the change, determine required
cyber security controls in CIP‐005 and
CIP‐007 that could be impacted by the
change;
– 1.4.2. Following the change, verify that
required cyber security controls determined in
1.4.1 are not adversely affected; and
– 1.4.3. Document the results of the verification.
• Should have test procedures documented

Test Configuration
Changes
• CIP-010-2 R1.5
• Identify configuration of test environment
• Identify how test environment differs from
production environement
– High Impact BCS

© 2015 Energy Sector Security Consortium, Inc.
Where technically feasible, for each change that
deviates from the existing baseline configuration:
1.5.2. Document the results of the testing and, if a test
environment was used, the differences between the test
environment and the production environment, including a
description of the measures used to account for any
differences in operation between the test and production
environments.
• Document which identifies devices and
configurations in a test environment
20
CIP-010-2

Leveraging Technology for RSAW management
Shreyank Shrinath Kamat
Product Manager
MetricStream

Key Components: NERC Compliance Management

A Robust & Flexible Information Model

Setup Content (CIP standards, requirements, controls etc.)
Structure a logical compliance
hierarchy, including Areas of
Compliance, Standards,
Requirements, Controls and
Assets.
Configure workflows for
managing both internal and
external standards, mapping
regulations, developing
controls, performing
compliance audits, preparing
and implementing action
plans, and identifying and
remedying issues.
GRC
Library
Standards
Areas of
Compliance
ControlsAssets
Questions and
Procedures
Requirements

Update Content (Regulatory Changes)
Regulatory Alert
Interpretation
Create Channel
Subscribe Channel
Filter Alerts
Act on Alerts
Track Issues

Test Cyber Security Management Controls
 Define and Manage Controls to protect
Cyber Assets
 Manage Password Changes to CCAs
 Perform Control Assessments on regular
basis
 Control Tests to identify strength of
controls
 Notifications to appropriate officers
 Logs and audit trail maintenance
 Equivalent to Self Correcting Process
Improvement mentioned in Version 5

Issue Remediation
Review & Approve Issues
Create
Remediation Plans
Implement
Planned Actions
Monitor & Approve Actions
Close Issue
Review and Approve issues that arise from tests, self-
assessments and certifications.
Define one or more Action/Remediation plans to
Document the work done and results and send the
implemented Actions for review and approval.
Monitor the status and progress of issues and
implementation of remediation plans.
Close issues after all the action plan is implemented
and approved.

Surveys and Certifications
Create Questionnaire
Initiate
Surveys or Certifications
File Responses
Certify & Sign-Off
Log Findings & Issues
Create sections and add questions manually or from
the GRC library under every questionnaire.
Initiate a Survey or a Certification by choosing a
questionnaire and selecting respondents and
approvers.
File responses or collaborate with other respondents
for responses.
Collate the Survey responses, Approve and sign-off the
assessments and key compliance program data.
Add Findings/Issues to capture non-conformance.

RSAW Management
Initiate Survey using in-built
CIP questionnaires
Record Responses
Attach Evidences
Populate Survey Response
into RSAW template
Select a CIP questionnaires and initiate survey to one
or more users.
File responses or collaborate with other respondents
for responses.
Attach Evidence to the survey from the GRC library or
from a previous survey or from the local system.
Select the survey response and populate the same in
the in-built RSAW template.
Generate RSAW
Generate and download the completed RSAW in word
format for editing.

Enforce Policies to Effectively Manage Compliance
Creation, Storage,
Organization, Search
Creation, Review,
Approval
Mapping to Risks and
Controls
Alerts and Notifications
Awareness and Training
Tracking and Visibility
 Policies & Procedures for Implementing a physical security program
 Setting prerequisites for granting approvals, assigning work etc.
 Define methods, processes, and procedures for securing Cyber Assets & BES

Real time Monitoring and Reporting
 Risk Intelligence by Regulations &
Critical Assets
 Track NERC version and Migration
check
 Monitor NERC Compliance Audit
Readiness
 Regulatory Filings, Certifications

Data Browser

MetricStream Advantage – NERC CIP Solution
 Best in class Governance, Risk and Compliance solutions provider
 Platform based solution – with integrated risk, compliance, policy, issue and change management systems
 Experience in working with numerous electric utilities in the US ranging from co-ops to investor owned
 Built in content with controls and industry best practices
 One-Click Automated RSAW generation – reduction in RSAW production times from weeks to just few minutes/
hours.
 Have real-time visibility into business to avoid compliance concerns

About MetricStream
Vision Integrated Governance, Risk and Compliance for Better Business Performance
Solutions
• NERC CIP Compliance
• Risk Management
• Business Continuity Management
• IT GRC
• Audit Management
• Supplier Governance
• Quality Management
• EHS & Sustainability
• Governance & Ethics
• Content and Training
• Over 1,800+ employees
• Headquarters in Palo Alto, California with offices worldwide
• Over 350 enterprise customers
•Privately held – Backed by global leading VCs, Sage View Capital, Goldman
Sachs
Differentiators
• Technology - GRC Platform – 9 Patents
• Breadth of Solutions – Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com - Largest Compliance Portal on the Web
Organization
Partners

Q&A
Please submit your questions to the host by typing into the chat box on the
lower right-hand portion of your screen.
Thank you for participating!
A copy of this presentation will be made available to all participants in next 48 working hours.
For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars
Karl Perman
VP Member Services
EnergySec
Email: karl@energysec.org
Shreyank S. Kamat
Product Manager
MetricStream
Email: shreyank.kamat@metricstream.com

THANK YOU
Contact Us:
Website: www.metricstream.com | Email: webinar@metricstream.com
Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554

Explore the Implicit Requirements of the NERC CIP RSAWs

More Related Content

What's hot (20)

Viewers also liked (16)

Similar to Explore the Implicit Requirements of the NERC CIP RSAWs (20)

More from EnergySec (15)

Recently uploaded (20)

Explore the Implicit Requirements of the NERC CIP RSAWs

Editor's Notes