CIP-014 JEA Compliance Approach FRCC Fall Compliance Workshop Presenter – Daniel Mishra

CIP-014 - Home - FRCC Home & CIP-006 Threat Vulnerability ... (reference NERC CIP-014, page 9) NERC Visit •NERC SRP and NERC Physical Security Group representative and FRCC team


Acronyms & Terminologies

• DHS – Department of Homeland Security

• JEA – It’s not an acronym

• JSO – Jacksonville Sheriff's Office

• PSSE – Power System Simulator for Engineering (Siemens)

• SRP – Security Review Program

• TO – Transmission Owner

• TOP – Transmission Operator

Risk – Net impact considering the probability that a particular threat will exploit an available vulnerability.

Threat – Potential for a person or thing to exploit a specific vulnerability

Vulnerability – Flaw or weakness in security process design, implementation, or internal control that could be exploited

JEA Security Mission Statement

• To protect the critical infrastructure that provides life sustaining services to more than a million of our friends, family and neighbors as well as the lives of more than two thousand members of the JEA family

• Compliance is a great tool that supports good security programs but never the primary driver for security.

Applicability

1. Applicability
   1. TO (Substation)
   2. TOP (Control Center – Primary)

2. Start with the results of CIP-002
   1. Identify the Applicable Assets (4 criteria in section 4.1.1)
   2. Include Assets, yet to be commissioned (24 Months)

CIP-014 Objectives

Identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

CIP-014 Overview

• To identify and protect JEA assets from physical attacks which would result in widespread or cascading instability/outages etc.

• CIP-006 manages physical access to CIP cyber assets whereas CIP-014 focuses on protecting the physical location of the selected CIP assets.

• Why it needs to be treated differently from CIP-006

– Event based timelines for compliance

– Risk (internal vs external situational awareness)

– Frequency of activities

CIP-014 & CIP-006

Vulnerability / Threat

Risk = Threat x Vulnerability x Cost

1. Perimeter Defense
   1. Physical barriers
   2. Natural surveillance
   3. Security lighting
   4. Projectile Protection

2. Intrusion detection and electronic Surveillance
   1. Alarm systems and sensors
   2. Video surveillance
   3. Motion Detection
   4. Doppler Radar

3. Access control
   1. Mechanical access control systems
   2. Electronic access control system
   3. Anti-Tailgating
   4. Identification systems and access policies
   5. Multi-Factor

4. Security personnel
   1. Station Guards
   2. Roving Observation posts
   3. Security Response Units

Asset Protection

CIP-014 CIP-006

1. PSP Protection
   1. Card Readers
   2. Door Sensors
   3. Logging Monitoring
   4. Cameras and Motion Detectors

2. Access control
   1. Mechanical access control systems
   2. Electronic access control system
   3. Anti-Tailgating
   4. Identification systems and access policies
   5. Multi-Factor

3. Electronic Security
   1. Patching
   2. Anti-Malware Protection
   3. Access Control
   4. Electronic Access Logging
   5. Business Continuity

1. PRA/Background Screening
2. Training
3. Awareness
4. Visitor Control Program
5. Incident Response
6. Workforce Management

TO Risk Assessment

• PSSE by Siemens

• 2014 FRCC Load Flow Data Bank - summer seasons, years 2016 and 2020

• The summer peak load case had firm power (2400 MW) from Southern

• Transient stability simulations - the local substation protection system schemes inoperable

• Third Party concurred with all our findings

CIP-014 Dates

[Figure: CIP-014 compliance timeline. Requirement markers: R1 through R6. Step labels: Day Zero; Initial Risk Assessment; 3rd Party Verification; Respond to 3rd Party Comments; Communicate Trans. Owners; Physical Threat Review and Physical Security Plan; 3rd Party Verification; Respond to 3rd Party Comments. Interval labels: 60 days, 7 days, 60 days, 90 days, 120 days, 120 days, 90 days. Dates shown on the figure: 1-Jan-15, 16-Oct-15, 1-Jan-16, 18-Feb-16, 18-Feb-16, 18-May-16, 19-May-16, 28-May-16, 28-Aug-16.]

Deadline Dates: 1-Oct-15, N/A, 23-Oct-15, 18-Jul-16

JEA Completed: 28-Aug-15, N/A, 21-Oct-15, 1-Jun-16

NERC: 1-Oct-15, 28-Jan-16, 4-Feb-16, 28-Oct-16

CIP-014 Roles

Keeping the trends of CIP – Multi group involvement

• R1-R2-R3

– Transmission Planning

• R4-R5-R6

– Physical Security

CIP-014 Activities

1. Risk Assessment – October 1, 2015, 30th or 60th Calendar month

2. 3rd party review of risk assessment – 90 Days

3. Respond to 3rd party – 60 Days (add or remove)

4. Communication to Transmission Operators – 7 Days

5. Physical Security Review of threats and vulnerabilities – 120 Days of completion of step two

6. Physical Security Plan – 120 Days of completion of step two

7. 3rd party review – 90 Days

8. JEA Response – 60 Days

9. NDA Agreements – Executed by 3rd parties

JEA Physical Security

• Key Driving Factors –

– Critical Infrastructure/ NERC CIP

– Customers Experience

– Reputation & Trust

• Security Management (Physical) –

– Scalable based on criticality (Threat & Vulnerability Data Driven*)

– Shared services Model (Various agencies from city combine to create a better resource and pricing model)

– Efficient use of technology (Doppler Radars, Fence Motion Sensors, Electronic Access Control, Effective Guard Force, 24X7 Camera monitoring etc.)

– Embedded Law Enforcement

Security Vulnerability Assessment

JEA Physical Security Team completed its vulnerability assessment and Physical Security Plan in May 2016

• DHS Survey

• Face-to-face interviews with business owners

• Field assessments

• Jacksonville Security Office-DHS branch performed Third-Party assessment.

Recurring assessment is expected to take place in early 2018 (February).

Sample Mitigation - Physical Access

• Many hundreds had access; the number is now reduced to 150

• Physical access of all substations will be covered by CIP including the Lows

• Multiple Physical Security design corrections

• Lighting

• Structural designs

• Access gates removed (were not needed)

Third Party Support

• Use an out-of-state third party for operation risk assessment.

• Used JSO DHS department

• NDA for all those who were contracted

• All parties were unaffiliated.

• The term “unaffiliated” means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying entity cannot be an entity that controls, is controlled by, or is under common control with, the Transmission owner).

• The term “unaffiliated” is not intended to prohibit a governmental entity from using another government entity to be a verifier under Requirement R2. (reference NERC CIP-014, page 9)

NERC Visit

• NERC SRP and NERC Physical Security Group representative and FRCC team members visited

• JEA has benefitted from NERC programs like SRP

JEA

• Onsite JSO Detective

• Access to DHS vulnerability and Threat data

• Small/Medium Footprint

• Limited external dependencies (very few shared facilities)

• Excellent JEA Support Teams

Questions?