Information Document Cyber Security-Critical Cyber Asset Identification ID # 2012-007RS
Information Document Effective: xxxx-xx-xx Page 1 Public Information

Information documents are for information purposes only and are intended to provide guidance. In the event of any discrepancy between the information document and the related authoritative document(s) in effect, the authoritative document(s) governs. Please submit any questions or comments regarding this information document to [email protected].

1 Purpose

This information document supports Alberta Reliability Standard – CIP-002-AB-4A Cyber Security-Critical Cyber Asset Identification (CIP-002-AB-4a). The purpose of this information document is to provide guidance and procedural details giving context to requirements R1 through R9 and the application of the critical asset criteria in Appendix 1.

This information document may be of interest to legal owners and operators of transmission facilities, generating units, aggregated generating facilities and electric distribution systems.

2 Background

NERC has issued documentation with respect to the rationale and intent of the NERC CIP Standard Drafting Team. The AESO has referenced certain of these documents below as they may provide guidance to market participants in implementing CIP-002-AB. The AESO has also provided examples for reference purposes only.

3 NERC Documentation

3.1 Critical Asset Identification

(a) CIP-002-4 – Cyber Security – Critical Cyber Asset Identification (December, 2010)
http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-0024_Guidance_clean_20101220.pdf

(b) Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets (June 17, 2010)
http://www.nerc.com/fileUploads/File/Standards/Critcal%20Cyber%20Asset_approved%20by%20CIPCl%20and%20SC%20for%20Posting%20with%20CIP-002-1,%20CIP-002-2,%20CIP-0023.pdf

3.2 Implementation Plan

(a) Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities
http://www.nerc.com/docs/standards/sar/Project_200806_Draft_v4_Imp_Plan_Newly_Id_CCA_and_RE_clean_20101130.pdf

This is provided for reference purposes only. Also note that CIP-002-AB has implementation timelines that are significantly different from those referenced in the document above.

3.3 Compliance Application Notices

NERC has issued the following Compliance Application Notices on various aspects of compliance application. These notices may provide guidance to market participants when implementing CIP-002-AB.

(a) Compliance Application Notice 0005 (CAN-0005), NERC CIP-002 R3 Critical Cyber Asset Designation for System Operator Laptops

“…this CAN provides instruction for assessing whether system operator laptops with the capability and purpose of controlling Critical Assets remotely (either in normal operations or in emergencies) should be designated as CCAs.”

This guidance may be of assistance to market participants when applying requirement R4 in CIP-002-AB.

(b) Compliance Application Notice 0024 (CAN-0024), NERC CIP-002 R3 Routable Protocols and Data Diode Devices

“…this CAN provides instruction for assessing whether the communication characteristics of data diode devices can be used to exclude Cyber Assets from consideration as Critical Cyber Assets (CCA) when a routable protocol is used when not at a control center.”

This guidance may be of assistance to market participants when applying requirement R4 in CIP-002-AB.

4 Terminology

The following information is provided regarding certain terms used in CIP-002-AB-4a. These are provided for reference purposes only.

(i) CIP Senior Manager

The term CIP Senior Manager is defined in the AESO Consolidated Authoritative Documents Glossary (Glossary) as “meaning a single senior management official with overall authority and responsibility for leading and managing implementation of and adherence to the requirements within the CIP reliability standards.” Given the importance of cyber security, the AESO encourages all relevant market participants to ensure that the CIP Senior Manager is an individual of appropriate authority.

(ii) Control Centre

The term control centre is not defined in the AESO Glossary. NERC has provided guidance on this term in the aforementioned Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets (June 17, 2010). An excerpt is provided below:

“A Control Centre is capable of performing one (1) or more of the functions listed below for multiple (i.e. two or more) BPS assets, such as generation plants and transmission substations.
Functions that support Real-time operations of a Control Centre typically include one (1) or more of the following:
(i) Supervisory control of BPS assets, including generation plants, transmission facilities, substations, automatic generation control systems and automatic load-shedding systems;
(ii) Acquisition, aggregation, processing, inter-utility exchange or display of BPS reliability and/or operability data, used for real-time operations;
(iii) BPS and system status monitoring and processing for reliability and asset management purposes (e.g., providing information used by Responsible Entities to make operational decisions regarding reliability and operability of the BPS);
(iv) Alarm monitoring and processing specific to operation and restoration functions; and
(v) Coordination of BPS restoration activities.”

(iii) Essential

The term essential is used in requirement R4 of CIP-002-AB-4a; however, it is not defined in the AESO Glossary. The following excerpt from the Interpretation 2010-05 CIP-002-1 Requirement R3 for Duke Energy (July 22, 2010) may be of assistance to market participants when applying requirement R4 in CIP-002-AB.

“The word “essential” is not defined in the Glossary of Terms used in NERC Reliability Standards, but the well-understood meaning and ordinary usage of the word “essential” implies “inherent to” or “necessary.” The phrase “essential to the operation of the Critical Asset” means inherent to or necessary for the operation of the Critical Asset. A Cyber Asset that “may” be used, but is not “required” (i.e., a Critical Asset cannot function as intended without the Cyber Asset), for the operation of a Critical Asset is not “essential to the operation of the Critical Asset” for purposes of Requirement R3. Similarly, a Cyber Asset that is merely “valuable to” the operation of a Critical Asset, but is not necessary for or inherent to the operation of that Critical Asset, is not “essential to the operation” of the Critical Asset.”

(iv) Routable

The term routable is used in requirement R4 of CIP-002-AB-4a; however, it is not defined in the AESO Glossary. NERC’s explanation of the term routable in the aforementioned Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets (July 17, 2010) may be of assistance to market participants when applying requirement R4. An excerpt is provided below:

“Routing takes place at Layer 3 (also called the routing layer) of the OSI model, thus using a routing protocol, such as IP (“Internet protocol”), to route data from one local area network to another. In general, if the communications uses IP or IPX/SPX (“Internetwork Packet Exchange/Sequenced Packet Exchange”), it is considered routable. If the communications does not use IP or IPX/SPX, it is not routable. (Note that other routable protocols such as OSI exist, but are not widely used in North America.) Thus, “DNP over IP” is routable, while “DNP” over a serial connection is not routable. Also, Layer 3 protocols such as IP are often encapsulated in Layer 2 protocols such as Frame Relay, ATM (“Asynchronous Transfer Mode”), and MPLS (“Multiprotocol Label Switching”) for delivery of packets to distant networks. When such mechanisms are employed, the IP routable protocol is still in use,”

and

“Examples of routable protocols used in the power industry include:
DNP/IP
ICCP (IEC 60870-6/TASE.2)/IP
IEC 60870-5-104/IP
IEC 61850/IP
MODBUS/TCP
Telegyr 8979/UDP

Examples of non-routable protocols used in the power industry include:
CONITEL
CDC Type 1 and Type 2
DNP (serial)
GETAC
Harris 9000
IEC 60870-5-101
MODBUS / MODBUS RTU (serial)
TRW 2000
SCI
RDACS”

5 AESO Examples

5.1 Updating of Critical Cyber Asset List (corresponds to CIP-002-AB-4a, requirement R5)

Requirement R5 requires a responsible entity to update the critical cyber asset list “as necessary in requirement R4 when cyber assets change…” For example, if a new facility is identified as a critical asset per requirement R2, and critical cyber assets are identified per requirement R4, then per requirement R5, the responsible entity is required to update the critical cyber asset list.

5.2 Example 1 - Critical Cyber Assets for a Transmission Substation

This example was developed by the ARC Technical Work Group to provide general guidance regarding which cyber assets in a typical substation would be considered critical. The following single line diagram represents a typical 138/25kV substation with two (2) 138kV lines, a capacitor bank, a step down transformer, and three (3) distribution feeders. This example is provided for information purposes only.

The following substation would need to be identified as a critical asset per requirement R1 and Appendix 1, criteria 1.5, 1.8, 1.11 or 1.12. In addition, it is assumed the identified devices utilize a routable protocol and would affect the facility in less than fifteen (15) minutes.
[Single line diagram: 138 kV bus fed by L1 and L2 (138 kV lines) through breakers BK-1 and BK-2; breakers BK-3 to BK-10; capacitor bank; transformers T1 and T2 (138/25 kV, 37.5/50/63 MVA); 25 kV bus with distribution feeders]

Programmable Devices | Cyber Asset Essential to Operation?
Tap Changer Controls | Y
138kV Step Distance Relays | Y
Revenue Meters (PML) | Y (very dependent on how they are implemented)
Digital Fault Recorder | N
PMU | Y
Uninterruptible Power Supply | Y (very dependent on model and implementation)
Battery Monitoring Equipment | N
Building Security (Note – other ARSs deal with this topic separately) | N
VoIP Communication Equipment | Y (very dependent on implementation; review Applicability section as well)
Engineering LAN (router, switches) | Y
UVLS | Y
UFLS | Y
Programmable Logic Controller | Y
138kV Cap Bank Protection | Y
Transformer Monitoring (Hydran) | N
Breaker Monitoring | N
Feeder Overcurrent Relays | N
Remote Terminal Units | Y
Local Human Machine Interface | Y
Microwave Tower (not shown on diagram) | N
TeleProtection Equipment | Y
Fiber Optic Communications Link (not shown on diagram) | Y
Maintenance Laptop | N
Corporate Network Access | N
GPS Clock | Y (very dependent on usage)
WiFi System | Y (very dependent on usage)
Communication Leased Lines (watch Applicability section) | Y
Dial Up Access | Y

5.3 Example 2 - Cyber Asset Assessment for a Generating Facility

This example was developed by the Alberta Reliability Committee (“ARC”) Technical Work Group to provide general guidance regarding which programmable devices provide operating services in a typical power plant. This example is provided for information purposes only. The following single line diagram represents a typical generating facility with two generators, two (2) generating unit transformers, site load, and two (2) 138 kV lines. In this example, legal owners would have to review their specific facilities on an item-by-item basis to ensure correct classification, as the implementation of the device can affect the assessment.

The following generators would be identified as critical assets per requirement R1 and Appendix 1, criteria 1.1, 1.3, 1.4, 1.5, 1.8, 1.10, 1.11 or 1.14. In addition, it is assumed the identified devices utilize a routable protocol and would affect the facility in less than fifteen (15) minutes.

[Single line diagram: Generator 1 and Generator 2, each connected through a unit breaker (BK-1, BK-2), generating unit transformer (T1, T2) and line breaker (BK-3, BK-4) to lines L1 and L2 (138 kV); site load; auxiliary breakers AB-1 and AB-2]

Programmable Devices | Cyber Asset Essential to Operation?
Coal Plant | No
Water Plant | No
Vibration Monitoring - Tripping | Yes
Process Control | Yes
Burner Control | Yes
Motor Control System | Yes
Alarm System (critical plant alarms, excluding fire alarm system) | Yes
Data Handling System | No
Inlet Heating System | Yes
Governor | Yes
Gas Compression | Yes
Turbine Control | Yes
Metering | No
Exciter (AVR/PSS) | Yes
SCADA / AGC | Yes
HRSG | Yes
CEMS | No
Protective Relaying | Yes
Teleprotection | Yes
RAS | Yes
Business LAN | No
Run Up System | No
Breaker Control | Yes
Emissions control | Yes
Cooling water control | Yes

Revision History
yyyy-mm-dd | Description of Changes
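As an added example (not from the AESO document or the ARC work group), the following Python script applies the requirement R4 test as this document states it (essential to the operation of the critical asset, communicating over a routable protocol, and affecting the facility in less than fifteen minutes) to a constructed inventory modelled on the Example 1 substation table, and then computes the requirement R5 list update against a previously approved list, serving both section 4(iv) and section 5. The routable and non-routable protocol names are those quoted in section 4(iv); the CyberAsset fields, the function names, the sample inventory and the treatment of dial-up accessible assets as in scope (the CIP-002-4 R3.3 criterion, not stated on this page) are this example's own assumptions.

```python
from dataclasses import dataclass
# Protocol examples quoted in section 4(iv) of this document (NERC guideline excerpt).
ROUTABLE = {"DNP/IP", "ICCP (IEC 60870-6/TASE.2)/IP", "IEC 60870-5-104/IP",
            "IEC 61850/IP", "MODBUS/TCP", "Telegyr 8979/UDP"}
NON_ROUTABLE = {"CONITEL", "CDC Type 1", "CDC Type 2", "DNP (serial)", "GETAC",
                "Harris 9000", "IEC 60870-5-101", "MODBUS RTU (serial)", "TRW 2000",
                "SCI", "RDACS"}

def is_routable(protocol):
    """Guideline rule: traffic carried over IP or IPX/SPX is routable (Layer 3), even when
    encapsulated in Frame Relay/ATM/MPLS. Returns None when undecidable (manual review)."""
    if protocol in ROUTABLE:
        return True
    if protocol in NON_ROUTABLE:
        return False
    p = protocol.upper()
    if any(tag in p for tag in ("/IP", "/TCP", "/UDP", "IPX/SPX")):
        return True
    return None

@dataclass
class CyberAsset:                # field layout is this example's assumption
    name: str
    essential: bool              # "essential to the operation" per section 4(iii)
    protocol: str                # how the device communicates; "" if it does not
    impact_minutes: int          # how soon loss or misuse would affect the facility
    dial_up: bool = False        # dial-up accessible (CIP-002-4 R3.3, assumed in scope)

def is_critical_cyber_asset(asset):
    """R4 test as this document applies it: essential AND (routable or dial-up)
    AND would affect the facility in less than fifteen minutes."""
    reachable = asset.dial_up or is_routable(asset.protocol) is True
    return asset.essential and reachable and asset.impact_minutes < 15

def r5_update(approved, inventory):
    """Requirement R5: recompute the critical cyber asset list and report the changes."""
    new = {a.name for a in inventory if is_critical_cyber_asset(a)}
    return {"add": new - approved, "remove": approved - new, "list": new}

# Constructed substation inventory modelled on the Example 1 table (not the ARC data).
INVENTORY = [
    CyberAsset("Tap Changer Controls", True, "DNP/IP", 5),
    CyberAsset("138kV Step Distance Relays", True, "DNP (serial)", 1),   # essential, not routable
    CyberAsset("Digital Fault Recorder", False, "IEC 61850/IP", 5),      # routable, not essential
    CyberAsset("Remote Terminal Units", True, "IEC 60870-5-104/IP", 1),
    CyberAsset("Dial Up Access", True, "", 5, dial_up=True),
    CyberAsset("Transformer Monitoring (Hydran)", False, "MODBUS/TCP", 60),
]
APPROVED = {"Tap Changer Controls", "Maintenance Laptop"}  # constructed previously approved list
```

Running r5_update(APPROVED, INVENTORY) adds the RTUs and the dial-up access and removes the maintenance laptop, while the serial-only distance relays stay off the list despite being essential.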