Upload
vuonghuong
View
235
Download
4
Embed Size (px)
Citation preview
CIP-014JEA Compliance Approach
FRCC Fall Compliance WorkshopPresenter – Daniel Mishra
Acronyms & Terminologies
• DHS – Department of Homeland Security
• JEA – It’s not an acronym
• JSO – Jacksonville Sheriff's Office
• PSSE – Power System Simulator for Engineering (Siemens)
• SRP – Security Review Program
• TO – Transmission Owner
• TOP – Transmission Operator
Risk – Net Impact considering the probability that a particular threat will exploit a available vulnerability.
Threat – Potential for a person or thing to exploit a specific vulnerability
Vulnerability – Flaw or weakness in security process design, implementation, or internal control that could be exploited
JEA Security Mission Statement
• To protect the critical infrastructure that
provides life sustaining services to more
than a million of our friends, family and
neighbors as well as the lives of more than
two thousand members of the JEA family
• Compliance is great tool that supports good
security programs but never the primary
driver for security.
Applicability
1. Applicability –
1. TO (Substation)
2. TOP (Control Center – Primary)
2. Start with the results of CIP-002
1. Identify the Applicable Assets (4 criteria in
section 4.1.1)
2. Include Assets, yet to be commissioned (24
Months)
CIP-014 Objectives
Identify and protect Transmission stations and
Transmission substations, and their associated
primary control centers, that if rendered
inoperable or damaged as a result of a
physical attack could result in widespread
instability, uncontrolled separation, or
Cascading within an Interconnection.
CIP-014 Overview
• To identify and protect JEA assets from physical attacks which would result in widespread or cascading instability/outages etc.
• CIP-006 manages physical access to CIP cyber assets whereas CIP-014 focuses on protecting the physical location of the selected CIP assets.
• Why it needs to be treated different from CIP-006– Event based timelines for compliance
– Risk (internal vs external situational awareness)
– Frequency of activities
CIP-014 & CIP-006
VulnerabilityThreat
Risk = Threat x Vulnerability x Cost
1. Perimeter Defense1. Physical barriers2. Natural surveillance3. Security lighting4. Projectile Protection
2. Intrusion detection and electronic Surveillance 1. Alarm systems and sensors2. Video surveillance3. Motion Detection4. Doppler Radar
3. Access control 1. Mechanical access control systems2. Electronic access control system3. Anti-Tailgating4. Identification systems and access
policies5. Multi-Factor
4. Security personnel1. Station Guards2. Roving Observation posts3. Security Response Units
Asset Protection
CIP-014 CIP-006
1. PSP Protection1. Card Readers2. Door Sensors3. Logging Monitoring4. Cameras and Motion Detectors
2. Access control 1. Mechanical access control systems2. Electronic access control system3. Anti Tailgating4. Identification systems and access
policies5. Multi-Factor
3. Electronic Security 1. Patching2. Anti-Malware Protection3. Access Control4. Electronic Access Logging5. Business Continuity
1. PRA/Background Screening
2. Training3. Awareness4. Visitor Control
Program5. Incident Response6. Workforce
Management
TO Risk Assessment
• PSSE by Siemens
• 2014 FRCC Load Flow Data Bank - summer seasons, years 2016 and 2020
• The summer peak load case had firm power (2400 MW) from Southern
• Transient stability simulations - the local substation protection system schemes inoperable
• Third Party concurred with all our findings
CIP-014 Dates
R1DAY ZERO
60 DAYS
7 DAYS
60 DAYS
Deadline Dates 1-Oct-15 N/A 23-Oct-15 18-Jul-16
JEA Completed 28-Aug-15 N/A 21-Oct-15 1-Jun-16
NERC 1-Oct-15 28-Jan-16 4-Feb-16 28-Oct-16
19-May-16
R6
16-Oct-15
1-Jan-16 28-May-16 28-Aug-16
1-Jan-15
3RD PARTY
VERIFICATION
90 DAYS
120 DAYS
120 DAYS
90 DAYS
3RD PARTY
VERIFICATION
RESPOND TO
3RD PARTY
COMMENTS
18-Feb-16
R2 R3 & R4 & R5
INITIAL RISK
ASSESSMENT
18-May-16
RESPOND TO 3RD
PARTY COMMENTS
PHYSICAL THREAT REVIEW AND PHYSICAL
SECURITY PLAN
COMMUNICATE
TRANS. OWNERS
18-Feb-16
CIP-014 Roles
Keeping the trends of CIP – Multi group
involvement
• R1-R2-R3
– Transmission Planning
• R4-R5-R6
– Physical Security
CIP-014 Activities
1. Risk Assessment
2. 3rd party review of risk assessment
3. Respond to 3rd party
4. Communication to Transmission Operators
5. Physical Security Review of threats and vulnerabilities
6. Physical Security Plan
7. 3rd party review
8. JEA Response
9. NDA Agreements
1. October 1, 2015, 30th or 60th Calendar month
2. 90 Days
3. 60 Days (add or remove)
4. 7 Days
5. 120 Days of completion of step two
6. 120 Days of completion of step two
7. 90 Days
8. 60 Days
9. Executed by 3rd parties
JEA Physical Security
• Key Driving Factors –
– Critical Infrastructure/ NERC CIP
– Customers Experience
– Reputation & Trust
• Security Management (Physical) –
– Scalable based on criticality (Threat & Vulnerability Data Driven*)
– Shared services Model (Various agencies from city combine to create a better resource and pricing model)
– Efficient use of technology (Doppler Radars, Fence Motion Sensors, Electronic Access Control, Effective Guard Force, 24X7 Camera monitoring etc.)
– Embedded Law Enforcement
Security Vulnerability Assessment
JEA Physical Security Team completed its vulnerability
assessment and Physical Security Plan May 2016
• DHS Survey
• Face-to-face interviews with business owners
• Field assessments
• Jacksonville Security Office-DHS branch performed
Third-Party assessment.
Recurring assessment is expected to take place early
2018. (February)
Sample Mitigation - Physical Access
• Many Hundreds had access, now number reduced to 150
• Physical access of all substations will be covered by CIP including the Lows
• Multiple Physical Security design corrections
• Lighting
• Structural designs
• Access gates removed (were not needed)
Third Party Support
• Use out of state third party for operation risk assessment.
• Used JSO DHS department
• NDA for all those who were contracted
• All parties were unaffiliated.
• The term “unaffiliated” means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying entity cannot be an entity that controls, is controlled by, or is under common control with, the Transmission owner).
• The term “unaffiliated” is not intended to prohibit a governmental entity from using another government entity to be a verifier under Requirement R2. (reference NERC CIP-014, page 9)
NERC Visit
• NERC SRP and NERC Physical Security
Group representative and FRCC team
members visited
• JEA has benefitted from NERC program like
SRP
JEA
• Onsite JSO Detective
• Access to DHS vulnerability and Threat data
• Small/Medium Footprint
• Limited external dependencies (very few
shared facilities)
• Excellent JEA Support Teams
Questions?