Information Document
Cyber Security-Critical Cyber Asset Identification
ID # 2012-007RS
Information documents are for information purposes only and are intended to provide guidance. In the
event of any discrepancy between the information document and the related authoritative document(s) in
effect, the authoritative document(s) governs. Please submit any questions or comments regarding this
information document to [email protected].
1. Purpose
This information document supports Alberta Reliability Standard CIP-002-AB-4a Cyber Security-Critical
Cyber Asset Identification (CIP-002-AB-4a). The purpose of this information document is to provide
guidance and procedural details giving context to requirements R1 through R9 and the application of the
critical asset criteria in Appendix 1. This information document may be of interest to legal owners and
operators of transmission facilities, generating units, aggregated generating facilities and electric
distribution systems.
2. Background
NERC has issued documentation with respect to the rationale and intent of the NERC CIP Standard
Drafting Team. The AESO has referenced certain of these documents below as they may provide
guidance to market participants in implementing CIP-002-AB. The AESO has also provided examples for
reference purposes only.
3. NERC Documentation
3.1 Critical Asset Identification
(a) CIP-002-4 – Cyber Security – Critical Cyber Asset Identification (December, 2010)
http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-0024_Guidance_clean_20101220.pdf
(b) Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets (June 17, 2010)
http://www.nerc.com/fileUploads/File/Standards/Critcal%20Cyber%20Asset_approved%20by%20CIPCl%20and%20SC%20for%20Posting%20with%20CIP-002-1,%20CIP-002-2,%20CIP-0023.pdf
3.2 Implementation Plan
(a) Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities
http://www.nerc.com/docs/standards/sar/Project_200806_Draft_v4_Imp_Plan_Newly_Id_CCA_and_RE_clean_20101130.pdf
This is provided for reference purposes only.
Also note that CIP-002-AB has implementation timelines that are significantly different from those
referenced in the document above.
3.3 Compliance Application Notices
NERC has issued the following Compliance Application Notices on various aspects of compliance
application which notices may provide guidance to market participants when implementing CIP-002-AB.
(a) Compliance Application Notice – 0005 (CAN – 0005) NERC CIP-002 R3 Critical Cyber Asset
Designation for System Operator Laptops
“…this CAN provides instruction for assessing whether system operator laptops with the
capability and purpose of controlling Critical Assets remotely (either in normal operations or in
emergencies) should be designated as CCAs.”
Information Document
Effective: xxxx-xx-xx
Page 1
Public Information
This guidance may be of assistance to market participants when applying requirement R4 in CIP-002-AB.
(b) Compliance Application Notice – 0024 (CAN-0024) NERC CIP-002 R3 Routable Protocols and Data
Diode Devices
“…this CAN provides instruction for assessing whether the communication characteristics of data
diode devices can be used to exclude Cyber Assets from consideration as Critical Cyber Assets
(CCA) when a routable protocol is used when not at a control center.”
This guidance may be of assistance to market participants when applying requirement R4 in CIP-002-AB.
4. Terminology
The following information is provided regarding certain terms used in CIP-002-AB-4a. These are provided
for reference purposes only.
(i) CIP Senior Manager
The term CIP Senior Manager is defined in the AESO Consolidated Authoritative Documents
Glossary (Glossary) as “meaning a single senior management official with overall authority and
responsibility for leading and managing implementation of and adherence to the requirements within
the CIP reliability standards.”
Given the importance of cyber security, the AESO encourages all relevant market participants to
ensure that the CIP Senior Manager is an individual of appropriate authority.
(ii) Control Centre
The term control centre is not defined in the AESO Glossary. NERC has provided guidance on this
term in the aforementioned Security Guideline for the Electricity Sector: Identifying Critical Cyber
Assets (June 17, 2010). An excerpt is provided below:
“A Control Centre is capable of performing one (1) or more of the functions listed below for
multiple (i.e. two or more) BPS assets, such as generation plants and transmission substations.
Functions that support Real-time operations of a Control Centre typically include one (1) or more
of the following:
(i) Supervisory control of BPS assets, including generation plants, transmission facilities,
substations, automatic generation control systems and automatic load-shedding systems;
(ii) Acquisition, aggregation, processing, inter-utility exchange or display of BPS reliability and/or
operability data, used for real-time operations;
(iii) BPS and system status monitoring and processing for reliability and asset management
purposes (e.g., providing information used by Responsible Entities to make operational
decisions regarding reliability and operability of the BPS);
(iv) Alarm monitoring and processing specific to operation and restoration functions; and
(v) Coordination of BPS restoration activities.”
(iii) Essential
The term essential is used in requirement R4 of CIP-002-AB-4a but is not defined in the AESO
Glossary.
The following excerpt from the Interpretation 2010-05 CIP-002-1 Requirement R3 for Duke Energy
(July 22, 2010) may be of assistance to market participants when applying requirement R4 in
CIP-002-AB.
“The word “essential” is not defined in the Glossary of Terms used in NERC Reliability Standards,
but the well-understood meaning and ordinary usage of the word “essential” implies “inherent to”
or “necessary.” The phrase “essential to the operation of the Critical Asset” means inherent to or
necessary for the operation of the Critical Asset.
A Cyber Asset that “may” be used, but is not “required” (i.e., a Critical Asset cannot function as
intended without the Cyber Asset), for the operation of a Critical Asset is not “essential to the
operation of the Critical Asset” for purposes of Requirement R3. Similarly, a Cyber Asset that is
merely “valuable to” the operation of a Critical Asset, but is not necessary for or inherent to the
operation of that Critical Asset, is not “essential to the operation” of the Critical Asset.”
(iv) Routable
The term routable is used in requirement R4 of CIP-002-AB-4a but is not defined in the AESO
Glossary.
NERC’s explanation of the term routable in the aforementioned Security Guideline for the Electricity
Sector: Identifying Critical Cyber Assets (July 17, 2010), may be of assistance to market participants
when applying requirement R4.
An excerpt is provided below:
“Routing takes place at Layer 3 (also called the routing layer) of the OSI model, thus using a
routing protocol, such as IP (“Internet protocol”), to route data from one local area network to
another.
In general, if the communications uses IP or IPX/SPX (“Internetwork Packet
Exchange/Sequenced Packet Exchange”), it is considered routable. If the communications does
not use IP or IPX/SPX, it is not routable. (Note that other routable protocols such as OSI exist, but
are not widely used in North America.) Thus, “DNP over IP” is routable, while “DNP” over a serial
connection is not routable.
Also, Layer 3 protocols such as IP are often encapsulated in Layer 2 protocols such as Frame
Relay, ATM (“Asynchronous Transfer Mode”), and MPLS (“Multiprotocol Label Switching”) for
delivery of packets to distant networks. When such mechanisms are employed, the IP routable
protocol is still in use,” and
“Examples of routable protocols used in the power industry include:
- DNP/IP
- ICCP (IEC 60870-6/TASE.2)/IP
- IEC 60870-5-104/IP
- IEC 61850/IP
- MODBUS/TCP
- Telegyr 8979/UDP
Examples of non-routable protocols used in the power industry include:
- CONITEL
- CDC Type 1 and Type 2
- DNP (serial)
- GETAC
- Harris 9000
- IEC 60870-5-101
- MODBUS / MODBUS RTU (serial)
- TRW 2000
- SCI RDACS”
5. AESO Examples
5.1 Updating of Critical Cyber Asset List (corresponds to CIP-002-AB-4a, requirement R5)
Requirement R5 requires a responsible entity to update the critical cyber asset list “as necessary in
requirement R4 when cyber assets change…” For example, if a new facility is identified as a critical asset
per requirement R2, and critical cyber assets are identified per requirement R4, then per requirement R5,
the responsible entity is required to update the critical cyber asset list.
5.2 Example 1 - Critical Cyber Assets for a Transmission Substation
This example was developed by the ARC Technical Work Group to provide general guidance regarding
which cyber assets in a typical substation would be considered critical. The following single line diagram
represents a typical 138/25kV substation with two (2) 138kV lines, a capacitor bank, a step down
transformer, and three (3) distribution feeders. This example is provided for information purposes only.
The following substation would need to be identified as a critical asset per requirement R1 and Appendix
1, criteria 1.5, 1.8, 1.11 or 1.12.
In addition, it is assumed the identified devices utilize a routable protocol and would affect the facility in
less than fifteen (15) minutes.
[Single line diagram (image not reproduced): L1 - 138 kV Line and L2 - 138 kV Line; 138 kV bus; breakers BK-1 through BK-10; T1 and T2, each 138/25kV, 37.5/50/63 MVA; Cap Bank; 25 kV bus with distribution feeders.]
Programmable Devices | Cyber Asset Essential to Operation?
Tap Changer Controls | Y
138kV Step Distance Relays | Y
Revenue Meters (PML) | Y (very dependent on how they are implemented)
Digital Fault Recorder | N
PMU | Y
Uninterruptable Power Supply | Y (very dependent on model and implementation)
Battery Monitoring Equipment | N
Building Security (Note: other ARSs deal with this topic separately) | N
VoIP Communication Equipment | Y (very dependent on implementation; review Applicability section as well)
Engineering LAN (router, switches) | Y
UVLS | Y
UFLS | Y
Programmable Logic Controller | Y
138kV Cap Bank Protection | Y
Transformer Monitoring (Hydran) | N
Breaker Monitoring | N
Feeder Overcurrent Relays | N
Remote Terminal Units | Y
Local Human Machine Interface | Y
Microwave Tower (not shown on diagram) | N
TeleProtection Equipment | Y
Fiber Optic Communications Link (not shown on diagram) | Y
Maintenance Laptop | N
Corporate Network Access | N
GPS Clock | Y (very dependent on usage)
WiFi System | Y (very dependent on usage)
Communication Leased Lines (watch Applicability section) | Y
Dial Up Access | Y
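The routability test from section 4(iv) and the essential test from section 4(iii), applied to a constructed substation inventory as an added example (not part of the AESO document or of CIP-002-AB). It reads requirement R4 the way the examples above do, as essential plus routable plus affecting the critical asset in less than fifteen minutes; the inventory, device attributes and impact times are constructed, and the protocol lists are the ones quoted from the NERC guideline.

```python
from dataclasses import dataclass

# Protocol lists taken from the NERC guideline excerpt in section 4(iv):
# Layer 3 / IP-based protocols are routable, serial protocols are not.
# IP carried over Frame Relay, ATM or MPLS is still IP and still routable.
ROUTABLE = {"DNP/IP", "ICCP (IEC 60870-6/TASE.2)/IP", "IEC 60870-5-104/IP",
            "IEC 61850/IP", "MODBUS/TCP", "Telegyr 8979/UDP"}
NON_ROUTABLE = {"CONITEL", "CDC Type 1", "CDC Type 2", "DNP (serial)", "GETAC",
                "Harris 9000", "IEC 60870-5-101", "MODBUS RTU (serial)",
                "TRW 2000", "SCI RDACS"}
IMPACT_WINDOW_MINUTES = 15  # assumption stated by the AESO examples

def is_routable(protocol: str) -> bool:
    """Classify a protocol using the guideline's lists; never guess."""
    if protocol in ROUTABLE:
        return True
    if protocol in NON_ROUTABLE:
        return False
    raise ValueError(f"unknown protocol {protocol!r}: classify it manually")

@dataclass(frozen=True)
class CyberAsset:
    name: str
    protocol: str
    essential: bool      # necessary for / inherent to the critical asset's operation
    impact_minutes: int  # how quickly the critical asset would be affected

def is_critical_cyber_asset(asset: CyberAsset) -> bool:
    """Simplified R4 reading used by the examples: all three tests must hold."""
    return (asset.essential
            and asset.impact_minutes < IMPACT_WINDOW_MINUTES
            and is_routable(asset.protocol))

def critical_cyber_asset_list(inventory: list[CyberAsset]) -> list[str]:
    """Names of the CCAs, i.e. the list that R5 requires to be kept current."""
    return sorted(a.name for a in inventory if is_critical_cyber_asset(a))

# Constructed inventory (hypothetical values, modelled loosely on Example 1).
SAMPLE_INVENTORY = [
    CyberAsset("Tap Changer Controls", "DNP/IP", True, 5),
    CyberAsset("Teleprotection Equipment", "IEC 61850/IP", True, 1),
    CyberAsset("Digital Fault Recorder", "DNP/IP", False, 5),        # not essential
    CyberAsset("Feeder Overcurrent Relay", "DNP (serial)", True, 1),  # not routable
    CyberAsset("Transformer Monitoring", "MODBUS/TCP", True, 60),     # outside window
]
```

Re-running critical_cyber_asset_list whenever an asset's protocol, role or impact changes is the mechanical part of the R5 update described in section 5.1; the "very dependent on implementation" rows in the table are exactly the cases where the essential flag must be set by hand.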
5.3 Example 2 - Cyber Asset Assessment for a Generating Facility
This example was developed by the Alberta Reliability Committee (“ARC”) Technical Work Group to
provide general guidance regarding which programmable devices provide operating services in a typical
power plant. This example is provided for information purposes only.
The following single line diagram represents a typical generating facility with two (2) generators, two (2)
generating unit transformers, site load, and two (2) 138 kV lines. In this example, legal owners would
have to review their specific facilities on an item-by-item basis to ensure correct classification, as the
implementation of the device can affect the assessment.
The following generators would be identified as critical assets; per requirement R1 and Appendix 1,
criteria 1.1, 1.3, 1.4, 1.5, 1.8, 1.10, 1.11 or 1.14.
In addition, it is assumed the identified devices utilize a routable protocol and would affect the facility in
less than fifteen (15) minutes.
[Single line diagram (image not reproduced): Generator 1 through AB-1, BK-1, B1, T1 and BK-3 to L1 - 138 kV Line; Generator 2 through AB-2, BK-2, T2 and BK-4 to L2 - 138 kV Line; Site Load.]
Programmable Devices | Cyber Asset Essential to Operation?
Coal Plant | No
Water Plant | No
Vibration Monitoring - Tripping | Yes
Process Control | Yes
Burner Control | Yes
Motor Control System | Yes
Alarm System (critical plant alarms, excluding fire alarm system) | Yes
Data Handling System | No
Inlet Heating System | Yes
Governor | Yes
Gas Compression | Yes
Turbine Control | Yes
Metering | No
Exciter (AVR/PSS) | Yes
SCADA / AGC | Yes
HRSG | Yes
CEMS | No
Protective Relaying | Yes
Teleprotection | Yes
RAS | Yes
Business LAN | No
Run Up System | No
Breaker Control | Yes
Emissions control | Yes
Cooling water control | Yes
Revision History
yyyy-mm-dd | Description of Changes