E-ISAC Update - NERC Highlights and Minutes

Page 1

E-ISAC Update
Marcus Sachs, Senior VP & Chief Security Officer
CIPC Meeting, December 12, 2016

Page 2

Summary of Q3 2016

• Sharing and reporting
  198 E-ISAC staff posts to the portal
  33 member responses to the portal items
  17 additional posts to the portal from members
  42 calls to the E-ISAC hotline
  211 new portal accounts

• Engagement (monthly average during the quarter)
  263 webinar attendees
  414 downloads of the daily report

• Active portal membership on September 30, 2016
  1201 NERC registered entities (86% of 1389 registered entities)
  366 non-NERC registered entities (18% of an estimated 2000 eligible)
  114 partners (government, other ISACs, etc.)

Page 3

Advisories and Reports

• Mid-year Report (July)

• Engaging the E-ISAC (August)
  Second publication on how to use the E-ISAC's products and services
  Produced with input from the Member Executive Committee

• Security Management in the North American Electricity Sub-Sector (September)
  Framework for comprehensive physical security of electricity assets

• Recommendations to Oblenergoes (Ukrainian regional distribution companies) (September)
  Timeline of issues in 2015 that led to the December 2015 incident
  Assessment of the problem and detailed list of recommendations
  Checklist of actions that should be implemented immediately

Page 4

Internet of Things Issue

• Explosive growth of "smart devices" in the past two years
  Things that can communicate over the Internet
  Security cameras, digital video recorders, alarms, light switches, coffee pots, refrigerators

• Most are not designed to be secure against unauthorized access
  Can be hijacked by malicious actors
  Are being used to attack other systems

• Three attacks on October 21, 2016 against a DNS service provider (Dyn)
  Caused hundreds of popular web sites to be unavailable

• E-ISAC issued TLP-AMBER, TLP-GREEN, and TLP-WHITE advisories at the end of October

Page 5

E-ISAC Staffing and Support

• Staffing
  17 employees plus three contractors in the Washington, DC office
  Physical security manager transferred internally
  Member services manager (ESCC recommendation) hired in August
  Active search for a new Watch Operations Team director

• Technology
  Web portal upgrade project initiated in June; will finish in November
  New platform project RFP issued in late October
  STIX/TAXII pilot in final stages of vendor procurement
  CRISP unclassified data center initiative started

Page 6

Member Executive Committee

• 2016 work plan execution is on track
  Publish a "How-To" Guide ("Understanding Your E-ISAC")
  Develop E-ISAC Products and Services List
  Define E-ISAC Role in Classified Briefings
  Establish User Communities
  Develop Strawmen for E-ISAC Reports
  Pilot Automated Information Sharing (Platform)
  Initiate Improvements to the Portal
  Develop Plan to Evaluate 24/7 Watch and Notification Capability
  Conduct Site Pen Testing

• MEC face-to-face meeting in September
  Discussed the Board's request for a strategic plan

Page 7

Learn More About Us!

• Sign up online at https://www.eisac.com
• Download our "how to" guides
  Brochure
  Understanding Your E-ISAC
  Engaging the E-ISAC

Page 8

Page 9

GridSecCon Review and Update
Bill Lawrence, Director, Programs and Engagement, E-ISAC
CIPC Meeting, December 14, 2016

Page 10

GridSecCon 2016

• Great:
  Location!
  Attendance!
  Training!
  Summit sessions!
  Networking!
  Tours / threat briefs!

http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx

Page 11

GridSecCon 2017
October 17-20, 2017

Page 12

Page 13

E-ISAC Cyber Update
Steve Herrin, CRISP Manager
CIPC Meeting, December 13, 2016

Page 14

Summary of Q3 2016

• Overall trends
  Internet of Things (IoT) DDoS attacks – Mirai botnet
  Redirects to compromised websites
  Phishing
  Suspicious traffic reporting
  Trojanized software/hardware (supply chain issues)

• E-ISAC cyber security capabilities
  Increased reporting by E-ISAC partners
  Focus on obtaining, analyzing, and sharing indicators of compromise and actionable threat information
  Enabling electricity companies to identify sector-relevant threats and attacks

Page 15

Cyber Observations (chart)
  Reconnaissance only: 15%
  Attempts to compromise: 65%
  Compromised hosts: 20%

Page 16

Cyber Bulletin Topics (chart)
  Trojan: 24%
  Botnet: 24%
  Ransom/scam-ware: 14%
  VPN/SSH session: 14%
  Exploit Kit: 10%
  Browser Hijacker: 9%
  Unknown: 5%

Page 17

Internet of Things Scanning

• DDoS attack against an electric utility
  The utility's ISP recorded 30-35 Gbps against the utility's outside IP ranges
  The DDoS was sourced from millions of spoofed IP addresses and came in as an ACK flood rather than the more typical SYN flood

• Source code for the Mirai botnet released

• Threat actors continue to use internet-enabled devices to conduct small-scale DDoS attacks
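The ACK-versus-SYN distinction in the observation above is worth seeing in detection logic, because a SYN-oriented mitigation (SYN cookies, SYN rate limits) does not see bare ACKs at all. The Go program below is an added example written for this page, not part of the E-ISAC presentation: it classifies one window of inbound packets as a SYN flood, an ACK flood, or neither, using the rule that an ACK flood consists of bare ACKs from many sources that never started a handshake toward the target. The packet record shape, the thresholds, and the two sample windows (five legitimate clients plus 400 spoofed sources) are constructed for illustration.

```go
package main

import "fmt"

// Packet is the minimum a flow collector or packet capture gives us for this
// purpose: source, destination and the TCP SYN/ACK flag bits. Constructed
// record shape for the example.
type Packet struct {
	Src, Dst string
	SYN, ACK bool
}

// Verdict summarises one observation window.
type Verdict struct {
	SYNOnly, ACKOnly, OrphanACK int
	DistinctSources             int
	Kind                        string // "none", "syn-flood" or "ack-flood"
}

// Classify examines one window of inbound packets toward protected addresses.
// A SYN flood is many bare SYNs from many sources; an ACK flood is many bare
// ACKs for which no handshake (no SYN from that source to that destination)
// was ever seen. Legitimate established connections also carry many ACKs, so
// only the "orphan" ACKs count as evidence of stateless spoofed flooding.
func Classify(pkts []Packet, minPackets, minSources int) Verdict {
	synSeen := map[string]bool{} // "src>dst" pairs that began a handshake
	for _, p := range pkts {
		if p.SYN && !p.ACK {
			synSeen[p.Src+">"+p.Dst] = true
		}
	}
	v := Verdict{Kind: "none"}
	synSrc, orphanSrc := map[string]bool{}, map[string]bool{}
	for _, p := range pkts {
		switch {
		case p.SYN && !p.ACK:
			v.SYNOnly++
			synSrc[p.Src] = true
		case p.ACK && !p.SYN:
			v.ACKOnly++
			if !synSeen[p.Src+">"+p.Dst] {
				v.OrphanACK++
				orphanSrc[p.Src] = true
			}
		}
	}
	switch {
	case v.OrphanACK >= minPackets && len(orphanSrc) >= minSources:
		v.Kind, v.DistinctSources = "ack-flood", len(orphanSrc)
	case v.SYNOnly >= minPackets && len(synSrc) >= minSources:
		v.Kind, v.DistinctSources = "syn-flood", len(synSrc)
	}
	return v
}

// spoofed yields a deterministic, distinct "spoofed" source address per index
// (constructed; real floods draw from effectively the whole IPv4 space).
func spoofed(i int) string {
	return fmt.Sprintf("10.%d.%d.%d", (i>>16)&255, (i>>8)&255, i&255)
}

// ACKFloodWindow builds a sample window: five legitimate clients that complete
// a handshake and send data ACKs, plus 400 bare ACKs from 400 distinct sources.
func ACKFloodWindow() []Packet {
	const dst = "198.51.100.5"
	var pkts []Packet
	for i := 0; i < 5; i++ {
		src := fmt.Sprintf("192.0.2.%d", 10+i)
		pkts = append(pkts, Packet{src, dst, true, false}, Packet{src, dst, false, true}, Packet{src, dst, false, true})
	}
	for i := 0; i < 400; i++ {
		pkts = append(pkts, Packet{spoofed(i), dst, false, true})
	}
	return pkts
}

// SYNFloodWindow is the contrasting sample: the same legitimate clients plus
// 400 bare SYNs from 400 distinct sources with no follow-up ACKs.
func SYNFloodWindow() []Packet {
	const dst = "198.51.100.5"
	var pkts []Packet
	for i := 0; i < 5; i++ {
		src := fmt.Sprintf("192.0.2.%d", 10+i)
		pkts = append(pkts, Packet{src, dst, true, false}, Packet{src, dst, false, true})
	}
	for i := 0; i < 400; i++ {
		pkts = append(pkts, Packet{spoofed(i), dst, true, false})
	}
	return pkts
}

func main() {
	fmt.Printf("%+v\n", Classify(ACKFloodWindow(), 100, 50))
	fmt.Printf("%+v\n", Classify(SYNFloodWindow(), 100, 50))
}
```

Tracking orphan ACKs rather than raw ACK volume is the point: in the ACK-flood window the five real clients contribute ten legitimate ACKs, and only the 400 ACKs with no preceding SYN drive the verdict. The distinct-source count is what separates a spoofed flood from one misbehaving client, and it is the figure to hand the upstream provider when asking for filtering.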

Page 18

Phishing

• Attempts at social engineering
  Redirect to compromised websites that contain malware
  Dridex malware
  Typical indicators include email subjects related to "Purchase Orders"

• "Whaling"
  Catching a "big fish" – typically focused on C-suite employees
  Typically requesting a funds transfer to another employee

Page 19

Updates

• E-ISAC is implementing an Elasticsearch, Logstash and Kibana (ELK) platform for enhanced analytic capability
• CRISP is now attributed in portal postings
• The E-ISAC STIX/TAXII pilot with 7-10 companies is in progress
• Portal improvements continue to be implemented

Page 20

Page 21

STIX/TAXII and CRISP Projects
Status of information sharing projects
Marc Sachs, Senior VP & Chief Security Officer, NERC
CIPC Meeting, December 13, 2016

TLP GREEN

Page 22

STIX / TAXII Pilot

• The STIX/TAXII pilot is a technology proof-of-concept project
  Called for in the 2015 ESCC recommendations
  Results of the pilot will be integrated into the future platform
  7-10 pilot participants needed; more are welcome

• NERC pays for back-end services
  Participants pay for any hardware or software needed at their own sites

• RFP sent to selected vendors at the end of Q2; selection made in Q3

• Two complementary solutions chosen:
  ThreatConnect – front-end GUI for analysis and STIX package creation
  Soltra Edge – back-end machine-to-machine communications (TAXII server)
  (Soltra Edge was sold to NC4 in November)

STIX = Structured Threat Information eXpression
TAXII = Trusted Automated eXchange of Indicator Information

Page 23

STIX / TAXII Implementation Timeline

• 2016:
  October – Budget validation and contract negotiations
  November – Product installation and internal user acceptance testing
  Early December – Participant beta testing (3-4 participants)
  Mid-December – Participant pilot testing (remaining participants)

• 2017:
  Integrate STIX / TAXII technology into the Portal Platform Ecosystem
  Pilot and test STIX / TAXII technology with additional participants
  Continue to seek membership feedback and determine long-term viability

Page 24

CRISP Unclassified Data Center

• All CRISP data currently flows to PNNL
  CRISP participants use Information Sharing Devices (ISDs) to collect and send data
  PNNL provides the system to "write up" to classified networks for analysis
  E-ISAC currently relies on PNNL for analysis of CRISP data and reports

• New capability will give E-ISAC analysts the ability to store and analyze unclassified data locally
  Up to 200 TB storage array to be installed at the E-ISAC
  Three stand-alone analyst workstations in place now
  Currently evaluating equipment quotes and new analytical tools
  Plan to have the capability functional by December 2016

• Once complete, the E-ISAC will be able to query and analyze unclassified CRISP data with minimal PNNL involvement

Page 25

DoE and E-ISAC Initiatives

Program: CRISP
  Description: ISDs in front of corporate perimeters collect data for analysis
  Participants: 75% of US-based customers
  Start: Oct 2014   End: Ongoing

Program: Enhanced Analytics
  Description: Partnership with INL, ANL, ORNL, PNNL; enhance the classified enrichment process with new tools and analytic capabilities; augment services to CRISP industry participants
  Participants: Subset of CRISP participants
  Start: Oct 2016   End: Ongoing

Program: Operational Technology Pilot
  Description: INL led with ANL, ORNL support; industry participants; project in requirements development stage
  Participants: 4 industry participants
  Start: 2016   End: 2017

Program: Operational Technology Sensor Project
  Description: INL led with ANL, ORNL support; industry participants; project in requirements development stage
  Participants: 4 industry participants
  Start: 2017   End: 2018

Program: Improved Cyber and Physical Security Culture for APPA and NRECA
  Description: $15 million funding subject to appropriations ($5 million in 2016); develop security tools; educational resources; updated guidelines; training
  Participants: APPA and NRECA members
  Start: 2016   End: 2018

Page 26

DoE and E-ISAC Initiatives (continued)

Program: STIX/TAXII Pilot
  Description: E-ISAC led with support from DoE; limited deployment of an automated information sharing system
  Participants: 8-10 industry participants
  Start: 2016   End: 2018

Program: Portal Improvements
  Description: Three development sprints with incremental member capability improvements; also addressing issues with M&S; priority focus recognizing platform initiative delivery and migration
  Participants: ESCC MEC; all E-ISAC members
  Start: June 2016   End: December 2017

Program: Platform Initiative
  Description: Platform selection criteria and RFP development in progress
  Participants: All E-ISAC members
  Start: June 2016   End: 2017

Program: CRISP Data Repository
  Description: E-ISAC Elasticsearch, Logstash and Kibana (ELK) platform for unclassified CRISP analysis; future growth to allow participant access for further analysis
  Participants: All CRISP participants
  Start: November 2016   End: 2017

Program: Virtual Forensics (Malware Analysis Dropbox)
  Description: DOE-funded automated malware analysis facility; use case and requirements development in progress; to support portal platform integration for submissions and a results dashboard
  Participants: TBD industry participants
  Start: Oct 2016 (kickoff)   End: 2017

Page 27

Page 28

Supply Chain Risk Management Standards
Mark Olson, Senior Standards Developer
CIPC Meeting, December 13, 2016

Page 29

RELIABILITY | ACCOUNTABILITY

FERC Order No. 829

"[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations."
- July 2016

• Standards must be filed by September 2017

Page 30

Security Objectives

• Plans must address four objectives as they relate to security of BES Cyber Systems:
  Software integrity and authenticity
  Vendor remote access, including machine-to-machine
  Including security considerations during information system planning
  Vendor risk management and procurement controls

"Responsible entities should be required to achieve these four objectives but have the flexibility as to how to reach the objective..."

Page 31

Standards Development Process

• Drafting team appointed September 2016
• Standards Authorization Request (SAR) posted October 2016
• Technical conference November 2016
• September 2017 filing deadline will limit ballot opportunities

Timeline:
  October – December 2016: Initial drafting; Technical Conference
  From January 2017: Formal Comment and Balloting
  August 2017: NERC Board Adoption
  September 2017: Deadline for filing

Page 32

Issues

• New standard vs. revisions to approved standards
• Scope of cyber systems
  High, Medium, Low BES Cyber Systems
  BES Cyber Systems and associated Electronic Access Control or Monitoring Systems, Physical Access Control Systems, and Protected Cyber Assets
• Combination of procurement controls and technical controls needed to satisfy the directives
• Technical and compliance guidance to support understanding of results-based standards

Page 33

Notional BES Cyber System Life Cycle

Assess / Plan  ->  Procure / Acquire  ->  Deploy / Implement  ->  Operate / Maintain

R1 and R2 are meant to address "procurement" activities performed during the Assess / Plan, Procure / Acquire, and Deploy / Implement phases of the life cycle.

R3, R4, and R5 are meant to address "operational" activities performed during the Operate / Maintain phase of the life cycle.

*Note: Plans developed in R1 should "identify and assess risk(s) during the procurement and deployment of vendor products and services" (R1 1.1.1), thus addressing risks during those three life cycle phases.

Page 34

Draft CIP-013-1

• Title: Cyber Security – Supply Chain Risk Management
• Purpose: To mitigate risks of cyber security incidents affecting the reliable operation of the Bulk Electric System (BES) by implementing security controls in the supply chain for the protection of BES Cyber Systems.

Page 35

Requirement R1

• Requires entities to implement supply chain risk management plan(s) for mitigating risks to BES Cyber Systems and associated cyber systems

• Plans must include:
  Controls for BES Cyber System planning and development:
    o Assess risk(s) during the procurement and deployment of vendor products and services; and
    o Evaluate methods to address identified risk(s)
  Controls for procuring vendor products and services

Page 36

Requirement R1 (continued)

• Plans must include procurement controls for notifications or coordination:
  Vendor security events
  Vendor employee access termination
  Vulnerability disclosure
  Response to vendor-related cyber incidents
  Verification of software integrity and authenticity
  Vendor remote access coordination, including machine-to-machine

Page 37

Notes on Requirement R1

• Implementation of the cyber security risk management plan(s) does not require the Responsible Entity to renegotiate or abrogate existing contracts (Order No. 829, P 36)

• Plans should address all BES Cyber Systems (high, medium, and low) but can do so with a risk-based approach: "...flexibility as to how to reach the objective..." (see Order No. 829, P 13)

Page 38

Requirement R2

• Requires entities to review the plan every 15 calendar months and address new risks or mitigation measures, if any

Page 39

Requirement R3

• Requires entities to implement a process for verifying the integrity and authenticity of software and firmware, and of any upgrades to software and firmware, before they are placed in operation on high and medium impact BES Cyber Systems
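Both the R1 procurement-control item "verification of software integrity and authenticity" (page 36) and R3 call for a process the entity can actually run before a package goes onto a BES Cyber System. The Go program below is an added example written for this page, not NERC guidance or any vendor's code: it models a vendor-published manifest (product, version, SHA-256) signed with an Ed25519 release key, and a receiving-side check that refuses to proceed unless the signature validates under the trusted vendor key, the manifest names the product and version change control approved, and the package bytes hash to the listed value. The manifest format, the key seeds, the product names and the package bytes are all constructed for illustration; real vendors publish PGP-signed checksum files, code-signing certificates or similar, and the same three checks apply.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor-published description of one release:
// what it is and what its SHA-256 must be. The vendor signs Bytes() with its
// Ed25519 release key. (Format is an assumption for illustration.)
type Manifest struct {
	Product, Version, SHA256Hex string
}

// Bytes is the canonical encoding that is signed and verified; changing any
// field changes these bytes and therefore breaks the signature.
func (m Manifest) Bytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256Hex + "\n")
}

var (
	ErrBadSignature = errors.New("authenticity: manifest signature not valid under the trusted vendor key")
	ErrWrongPackage = errors.New("authenticity: signed manifest describes a different product or version")
	ErrHashMismatch = errors.New("integrity: package SHA-256 does not match the signed manifest")
)

// Verify returns nil only when the manifest is signed by the trusted vendor key,
// names the product and version change control approved, and the package bytes
// hash to the value in that signed manifest. The signature is checked first:
// a hash taken from an unsigned or mis-signed manifest proves nothing.
func Verify(vendorPub ed25519.PublicKey, m Manifest, sig, pkg []byte, wantProduct, wantVersion string) error {
	if !ed25519.Verify(vendorPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Product != wantProduct || m.Version != wantVersion {
		return ErrWrongPackage
	}
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || len(want) != sha256.Size {
		return ErrHashMismatch
	}
	got := sha256.Sum256(pkg)
	if !bytes.Equal(got[:], want) {
		return ErrHashMismatch
	}
	return nil
}

// SignManifest is the vendor side: hash the package, fill the manifest, sign it.
func SignManifest(priv ed25519.PrivateKey, product, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{product, version, hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Bytes())
}

// Demo walks four cases over constructed data: the genuine release, the same
// image altered in transit, a manifest re-signed by a non-vendor key, and a
// genuinely signed but older release offered where 4.2.1 was approved. Keys
// come from fixed seeds so the example is deterministic and runs offline.
func Demo() (genuine, tampered, forged, downgrade error) {
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	vendorPub := vendorPriv.Public().(ed25519.PublicKey)

	pkg := []byte("RTU-FW 4.2.1 firmware image (constructed sample bytes)")
	m, sig := SignManifest(vendorPriv, "RTU-FW", "4.2.1", pkg)
	genuine = Verify(vendorPub, m, sig, pkg, "RTU-FW", "4.2.1")

	bad := append([]byte{}, pkg...)
	bad[len(bad)-1] ^= 0x01 // one flipped bit in the image
	tampered = Verify(vendorPub, m, sig, bad, "RTU-FW", "4.2.1")

	fm, fsig := SignManifest(attackerPriv, "RTU-FW", "4.2.1", bad) // attacker signs the altered image
	forged = Verify(vendorPub, fm, fsig, bad, "RTU-FW", "4.2.1")

	old := []byte("RTU-FW 4.2.0 firmware image (constructed sample bytes)")
	om, osig := SignManifest(vendorPriv, "RTU-FW", "4.2.0", old) // real vendor signature, wrong release
	downgrade = Verify(vendorPub, om, osig, old, "RTU-FW", "4.2.1")
	return
}

func main() {
	g, t, f, d := Demo()
	fmt.Println("genuine  :", g)
	fmt.Println("tampered :", t)
	fmt.Println("forged   :", f)
	fmt.Println("downgrade:", d)
}
```

Checking the signature before the hash matters: a hash copied from an unsigned download page, or from a manifest signed with the wrong key, only proves that the file is the one the attacker wanted delivered. The downgrade case shows why the check must also be pinned to the intended release: an older image carrying a genuine vendor signature is authentic, but it is not what change control approved for that BES Cyber System.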

Page 40

Requirement R4

• Requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems:
  Authorization by the entity;
  Logging and monitoring of remote access; and
  Disabling or otherwise responding to unauthorized remote access.

• Applies to vendor-initiated Interactive Remote Access and machine-to-machine remote access
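The three elements of R4 (authorization, logging and monitoring, and response to unauthorized access) map directly onto a check that runs over the remote-access gateway log. The Go program below is an added example, not NERC guidance or any product's code: it parses constructed gateway log lines, matches each session against the entity's approved access grants (vendor, target system, interactive vs. machine-to-machine, and time window), and marks anything without a grant for disconnection and incident handling. The record formats, vendor and system names, IP addresses and ticket numbers are all assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Authorization is one entity-approved remote-access grant. Kind distinguishes
// the two access types R4 names: "interactive" (a vendor employee at a
// workstation) and "m2m" (a vendor system talking to ours). Hypothetical shape.
type Authorization struct {
	Vendor, Target, Kind string
	Start, End           time.Time // approved window, [Start, End)
	Ticket               string    // the entity's own change/approval record
}

// Session is one remote-access session as seen by the access gateway.
type Session struct {
	At                        time.Time
	Vendor, Target, Kind, Src string
}

// Decision is the recorded outcome of monitoring one session.
type Decision struct {
	Session Session
	Allowed bool
	Reason  string
}

// ParseGatewayLine parses one constructed access-gateway log line, e.g.
// "2016-11-03T02:14:00Z vendor=AcmeSCADA target=EMS-HIST-01 kind=interactive src=203.0.113.7".
func ParseGatewayLine(line string) (Session, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Session{}, fmt.Errorf("malformed gateway line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Session{}, err
	}
	kv := map[string]string{}
	for _, field := range f[1:] {
		parts := strings.SplitN(field, "=", 2)
		if len(parts) != 2 {
			return Session{}, fmt.Errorf("bad field %q", field)
		}
		kv[parts[0]] = parts[1]
	}
	return Session{At: at, Vendor: kv["vendor"], Target: kv["target"], Kind: kv["kind"], Src: kv["src"]}, nil
}

// Review applies the three R4 elements to every logged session: authorization
// (vendor, target, access type and time all match an approved grant),
// monitoring (each session gets a recorded decision), and response
// (sessions with no grant are marked for disconnection and incident handling).
func Review(auths []Authorization, sessions []Session) []Decision {
	out := make([]Decision, 0, len(sessions))
	for _, s := range sessions {
		d := Decision{Session: s, Reason: "no matching authorization: disconnect session and open incident"}
		for _, a := range auths {
			if a.Vendor == s.Vendor && a.Target == s.Target && a.Kind == s.Kind &&
				!s.At.Before(a.Start) && s.At.Before(a.End) {
				d.Allowed, d.Reason = true, "authorized under "+a.Ticket
				break
			}
		}
		out = append(out, d)
	}
	return out
}

// Demo runs Review over constructed grants and gateway lines (all sample data).
func Demo() ([]Decision, error) {
	ts := func(s string) time.Time { t, _ := time.Parse(time.RFC3339, s); return t }
	auths := []Authorization{
		{"AcmeSCADA", "EMS-HIST-01", "interactive", ts("2016-11-03T01:00:00Z"), ts("2016-11-03T04:00:00Z"), "CHG-1042"},
		{"AcmeSCADA", "EMS-HIST-01", "m2m", ts("2016-11-01T00:00:00Z"), ts("2016-12-01T00:00:00Z"), "CHG-0990"},
	}
	lines := []string{
		"2016-11-03T02:14:00Z vendor=AcmeSCADA target=EMS-HIST-01 kind=interactive src=203.0.113.7",  // inside window
		"2016-11-03T05:30:00Z vendor=AcmeSCADA target=EMS-HIST-01 kind=interactive src=203.0.113.7",  // window closed
		"2016-11-10T08:00:00Z vendor=AcmeSCADA target=EMS-HIST-01 kind=m2m src=203.0.113.20",         // approved m2m
		"2016-11-10T08:05:00Z vendor=AcmeSCADA target=RTU-NORTH-07 kind=m2m src=203.0.113.20",        // target not approved
		"2016-11-12T14:00:00Z vendor=BoltRelay target=EMS-HIST-01 kind=interactive src=198.51.100.9", // unknown vendor
	}
	var sessions []Session
	for _, l := range lines {
		s, err := ParseGatewayLine(l)
		if err != nil {
			return nil, err
		}
		sessions = append(sessions, s)
	}
	return Review(auths, sessions), nil
}

func main() {
	ds, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, d := range ds {
		fmt.Printf("%s %-10s %-13s %-11s allowed=%-5v %s\n",
			d.Session.At.Format(time.RFC3339), d.Session.Vendor, d.Session.Target, d.Session.Kind, d.Allowed, d.Reason)
	}
}
```

Keying the grant on access type as well as vendor and target reflects the R4 note that vendor-initiated Interactive Remote Access and machine-to-machine access are both in scope: an approved telemetry (m2m) grant does not authorize an engineer's interactive session to the same host, and a one-off interactive maintenance window does not authorize a standing m2m connection. Every session, allowed or not, produces a Decision, which is the logging-and-monitoring record an auditor will ask for.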

Page 41

Requirement R5

• Requires entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems
• Similar to approved CIP-003-6 Requirement R1 Part 1.2
• Consistent with approved standards in not requiring an inventory of low impact BES Cyber Systems or lists of authorized users

Page 42

Standards Development Process

• Preparing for the formal comment period in early 2017
• Development of technical guidance continues

Timeline:
  October – December 2016: Initial drafting; Technical Conference
  From January 2017: Formal Comment and Balloting
  August 2017: NERC Board Adoption
  September 2017: Deadline for filing

Page 43

Contact Information

• Refer to the Project 2016-03 page for more information
• Email [email protected] to join the email list
• Corey Sellers, Southern Company, SDT Chair: [email protected]
• JoAnn Murphy, PJM Interconnection, SDT Vice Chair: [email protected]

Page 44

Page 45

Project 2016-02 CIP Modifications
NERC CIPC Meeting, December 13-14, 2016

Page 46

2016-02 CIP Standards Drafting Team

Role      Name                    Entity
Co-Chair  Christine Hasha         Electric Reliability Council of Texas
Co-Chair  David Revill            Georgia Transmission Corporation
Member    Steven Brain            Dominion
Member    Jay Cribb               Southern Company
Member    Jennifer Flandermeyer   Kansas City Power and Light
Member    Tom Foster              PJM Interconnection
Member    Richard Kinas           Orlando Utilities Commission
Member    Forrest Krigbaum        Bonneville Power Administration
Member    Philippe Labrosse       Hydro-Quebec TransEnergie
Member    Mark Riley              Associated Electric Cooperative, Inc.

Page 47

Drafting Team Scope

• Revisions will cover eight issue areas:
  – FERC Order 822
    • LERC definition (deadline of March 31, 2017)
    • Transient devices used at low-impact BES Cyber Systems
    • Communication network components between BES Control Centers
  – NERC CIP V5 Transition Advisory Guidance Team
    • Cyber Asset and BES Cyber Asset definitions
    • Network and Externally Accessible Devices
    • Transmission Owner (TO) Control Centers performing Transmission Operator (TOP) obligations
    • Virtualization
  – New
    • CIP Exceptional Circumstances

• The SDT also served as an IDT
  – Considered the Request for Interpretation from EnergySec concerning the term "shared BES Cyber Systems" in CIP-002-5.1

Page 48

Low Impact Electronic Access Controls

• The latest ballot on LERC closed December 5, 2016. The ballot received strong support from stakeholders.
  CIP-003-7: 85.56%
  Implementation Plan for CIP-003-7: 75.54%

• While some stakeholders expressed support for retaining the definition of LERC, including aligning it with the language used for medium and high impact, the SDT decided to move forward with the retirement of the terms.
  There was strong stakeholder support for the retirement of LERC and LEAP.
  The SDT determined that the new criteria developed for CIP-003-7, Attachment 1, Section 3.1 provide the additional clarity needed for low impact over the language that exists at high or medium impact.

Page 49

Low Impact Electronic Access Controls (continued)

• Additionally, while there was stakeholder support for the implementation plan, stakeholders provided comments requesting 18 months following regulatory approval rather than the proposed 12 months. Examples of justifications for the 18-month implementation timeline included budget cycles, the additional effort required to demonstrate electronic access controls for indirect access, and the operational efficiencies created by implementing electronic access controls and TCA requirements together.

• The SDT approved modifying the implementation plan for low impact electronic access controls to 18 months.

• CIP-003-7 and the associated implementation plan have been posted for final ballot.

Page 50

Transient Cyber Assets & Removable Media at Low Impact

• CIP-003-TCA, with a new Section 5 in Attachment 1, was posted for informal comment

• Stakeholders provided generally positive feedback on the draft standard. Comments included the following themes:
  Request modifications to the specified security objective to address the "risk" of the introduction of malicious code
  Modify the Removable Media definition to be consistent with the changes to the Transient Cyber Asset definition
  Include the option for CIP Exceptional Circumstances, consistent with CIP-010
  Extend the implementation plan
  Request updates to the Guidelines & Technical Basis section

Page 51

Transient Cyber Assets at Lows – Definition of Removable Media

The modified definition of Removable Media is as follows:

Storage media that:
1. are not Cyber Assets,
2. are capable of transferring executable code,
3. can be used to store, copy, move, or access data, and
4. are directly connected for 30 consecutive calendar days or less to a:
   • BES Cyber Asset, a
   • network within an Electronic Security Perimeter (ESP) containing high or medium impact BES Cyber Systems, or a
   • Protected Cyber Asset associated with high or medium impact BES Cyber Systems.

Examples of Removable Media include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.

Page 52

CIP-003-7(i) Proposed Implementation Plan Milestones

Revised CIP-003-7(i) Implementation Plan (LERC and TCA at Lows) - Worksheet, as proposed December 2016
Order 822 effective date: March 31, 2016

All dates and deadlines remain active under the CIP V6 implementation plan (first date column). If the effective date of FERC approval falls in the quarter shown, the LERC (and TCA) revisions become effective on the date in that column.

Standard/Requirement            CIP V6 plan  2Q17       3Q17       4Q17       1Q18
CIP-002-5                       1-Jul-16
CIP-003-6                       1-Jul-16     1-Jul-16   1-Jul-16   1-Jul-16   1-Jul-16
CIP-003-6, R1, part 1.1*        1-Jul-16     1-Jul-16   1-Jul-16   1-Jul-16   1-Jul-16
CIP-003-6, R1, part 1.2         1-Apr-17     1-Apr-17   1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-6, R2                   1-Apr-17     1-Apr-17   1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-6, Att 1, Sect. 1       1-Apr-17     1-Apr-17   1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-7, Att 1, Sect. 2       1-Sep-18     1-Jan-19   1-Apr-19   1-Jul-19   1-Oct-19
CIP-003-7, Att 1, Sect. 3       1-Sep-18     1-Jan-19   1-Apr-19   1-Jul-19   1-Oct-19
CIP-003-6, Att 1, Sect. 4       1-Apr-17     1-Apr-17   1-Apr-17   1-Apr-17   1-Apr-17
CIP-003-7(i), Att 1, Sect. 5    NA           1-Jan-19   1-Apr-19   1-Jul-19   1-Oct-19
CIP-004-6                       1-Jul-16
CIP-005-5                       1-Jul-16
CIP-006-6                       1-Jul-16
CIP-006-6, R1, part 1.10**      1-Apr-17
CIP-007-6                       1-Jul-16
CIP-007-6, R1, part 1.2**       1-Apr-17
CIP-008-5                       1-Jul-16
CIP-009-6                       1-Jul-16
CIP-010-2                       1-Jul-16
CIP-010-2, R4                   1-Apr-17
CIP-011-2                       1-Jul-16
TCA, RM Glossary Terms          1-Apr-17
BCA, PCA Glossary Terms         1-Apr-17
LERC, LEAP Glossary Terms       1-Apr-17     (retirement of terms)

*** V5 enforcement date
NERC Board adoption: IAC, CN revisions - November 13, 2014; LI, TD revisions - February 12, 2015
July 1, 2016 - CIP V5 approved compliance date


The LERC only version of CIP-003-7 moved to final ballot concurrent with an additional ballot of CIP-003-7(i) containing modifications for both LERC and TCA. If the LERC and TCA revisions pass stakeholder ballot and final ballot, all revisions could be presented to the Board in February for adoption.

Potential Posting Schedule

LERC Comment/Ballot: Oct 21 – Dec 5
TCA Comment: Nov 1 – Nov 18
LERC Final Ballot: Dec 9 – Dec 18
TCA Comment/Ballot: Dec 12 – Jan 25
LERC+TCA Final Ballot: Jan 30 – Feb 8
NERC Board Meeting: Feb 8-9


• Implementation plan for LERC revised to make the effective date of CIP-003-7 18 months following regulatory approval.

• CIP-003-7 moved forward to final ballot on Friday, December 9th following the SDT’s meeting.

• The SDT also received positive feedback on the informal comment period for TCAs/RM @ Lows.

• Standards Committee authorized posting CIP-003-7(i) for comment and ballot, which contains the modifications for both LERC and TCA/RM.

• CIP-003-7(i) posted for formal comment and ballot on Monday, December 12th. The ballot closes on Wednesday, January 25th.

Key Messages


2017 Planned Dates:
• January 24-26 – New Orleans, LA – Entergy
• February 21-23 – St. Petersburg, FL – Duke Energy
• March 21-23 – Houston, TX – Occidental Energy Ventures
• April 18-20 – Tampa, FRCC
• May 23-25 – Columbus, OH – American Electric Power
• June 20-22
• July 18-20
• August 22-24
• September 19-21
• October 10-12
• November 14-16

SDT Meeting Schedule


• This slide deck and other information relative to the CIP Modifications SDT may be found on the Project 2016-02 Project Page under Related Files:

Project 2016-02 Modifications to CIP Standards

Resources


Emerging Technologies Roundtable Update
Tobias Whitney, Senior Manager of CIP Compliance, NERC Reliability Assurance
CIPC Meeting
December 13-14, 2016


• Opportunities exist to research and deploy new technologies that could improve the reliable operations of the Grid.

• The mystique of the CIP standards may have held back investment in, and innovation of, BES technologies on account of compliance risk and cyber exposure.

• Opportunities exist to foster coordinated technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.

Technology Risk


• Opening remarks – Gerry Cauley, President and CEO, NERC

• Overview of IEC 61850 – Deepak Maragal, Senior Protection & Control Engineer, New York Power Authority (NYPA); Herb Falk, Senior Solutions Architect, Systems Integration Specialists Company (SISCO)

• Building the business case for automation – Jeff Gooding, IT Principal Manager, Enterprise Architecture & Strategy, Southern California Edison (SCE)

IEC-61850: Day 1


• Describing the Architecture of IEC 61850 and Generic Object Oriented Substation Event (GOOSE) Messaging – Craig Preuss, Engineering Manager, Black and Veatch; Eric Stranz, Business Development Manager, Siemens

• Security and CIP compliance considerations during deployment – Scott Mix, CIP Technical Manager, NERC

• Roundtable discussion, Industry and Vendor Experiences

IEC-61850: Day 1


61850-90-4-2013 EXAMPLE LAN ARCHITECTURES

(Figure: example IEC 61850 substation LAN architectures. Drawing provided by: Craig Preuss, Black & Veatch.)


• Value-Add Paper
  – Describes operational and reliability benefits of IEC 61850
  – Industry examples of the use of the technology

• Implementation Guide: CIP V5 and IEC-61850 Deployments
  – Describes common methods to comply with standards
  – Addresses common substation network design concerns regarding layer-2, layer-3 networks and VLANs

Outcome and Next Steps


• Opening remarks – Mark Lauby, Senior Vice President and Chief Reliability Officer, NERC

• Overview of IEC 61850 – Jianhui Wang, Ph.D., Section Manager, Advanced Power Grid Modeling, Energy Systems Division, Argonne National Laboratory

• Building the business case for automation – Jeff Gooding, IT Principal Manager, Enterprise Architecture & Strategy, Southern California Edison (SCE); Xiaochuan Luo, Technical Manager, Business Architecture & Technology, ISO New England

Cloud Computing: Day 2


• Describing the Architecture of IEC 61850 and Generic Object Oriented Substation Event (GOOSE) Messaging – Stevan Vidich, Ph.D., Principal Program Manager, Azure Global Ecosystem engineering team, Microsoft

• Security and CIP compliance considerations during deployment – Tobias Whitney, Senior Manager of CIP Compliance, NERC

• Roundtable discussion, Industry and Vendor Experiences – Alan Boissy, Director of Security Assurance, Amazon Web Services (and panelists)

Cloud Computing


3rd Parties & CIP Applicability

Information Access
• Data classification
• Information Protection
Applicable: CIP-011 – Information Protection

Temporary Access
• Escorted Access
• Periodic On-site
Applicable: CIP-004 – Training and Awareness; CIP-005 – Interactive Remote Access; CIP-006 – Escorted Access

Operational Support
• Decision Support
• Data Analytics
• Remote Access to Cyber Assets
• Access to CEII
Applicable: CIP-004 – Training and Awareness; CIP-004 – Personnel Risk Assessment; CIP-005 – Interactive Remote Access; CIP-011 – Information Protection

Real-time Operations
• Dedicated Interface to BES Cyber Assets
• Operations & Maintenance of EACMS
• Cloud Control Center Operations
Applicable: All applicable standards and requirements associated with the Cyber Assets used to:
- perform the Registered Entity’s reliability tasks
- manage or operate the Registered Entity’s applicable systems.


Physical vs. Virtual

(Diagram: a physical deployment beside a virtual deployment on a Hypervisor, each within its own ESP; legend X = BCA, O = PCA.)


Physical vs. Virtual

(Diagram: a physical deployment beside a virtual deployment on a Hypervisor within a single ESP; legend X = BCA, O = PCA on the physical side and X = BCA, O = CAs on the virtual side.)

Can other Cyber Assets (O) be securely operated within one logically separated virtual environment? Is this concept supported by the standard? No it is not.


• Value-Add Paper
  – Describes operational and reliability benefits of Cloud
  – Industry examples of the use of the technology

• Implementation Guide: CIP V5 Cloud Deployments
  – Describes common methods to comply with standards
  – Addresses common concerns regarding 3rd party operations and how to obtain compliance evidence from cloud providers

Outcome and Next Steps


Emerging Technologies

• Cloud Computing – Big Data analysis for preventive solutions
• Renewables + New Registration Paradigms – New Generation Owner/Operators’ diffuse operations could impact the BES
• IEC 61850 – Substation network solutions
• Remote Access (FERC mandated) – Due July 2017
• Virtualization (Standards Development) – Server, networks and storage


Emerging Technologies

• Microgrids – Risk based analysis of load centers
• Industrial Network Communications Technologies – Point-to-point, local area wireless and unlicensed radio
• Distribution Management Systems – GIS, outage mgt and increased operational intelligence for smart metered load centers
• End of Life Systems – Assess the vulnerability of unsupported, production cyber assets
• Support Systems – Understanding VOIP, UPS and building automation systems


NERC Team

(Diagram: Technology Risk Assessment, spanning Security, Operations, and Regulatory.)


Approach the Topic

Tech Seminar

• Invite Vendors and industry stakeholders for a 1 day discussion on the solutions

• Identify volunteers for whitepaper development

Coordinated White Paper

• Coordinate white paper with CIPC (primarily) with support from OC and PC

• Publish draft paper for comments as part of guidance documents

• Industry webinar to spotlight results

Call for Pilots

• Link interested stakeholders with research agencies

• Publish lessons learned for industry comments


Each Topic’s SWOT

• Strengths (reliability benefits)
• Weaknesses (current drawbacks)
• Opportunities (external factors)
• Threats (Security & Regulatory)


• Which deliverables would best address the need?
  – Implementation guide
  – Whitepaper
  – Reliability Guideline

Questions


Annual Strategic Planning
Critical Infrastructure Protection Committee

Marc Child, CIPC Chair
CIPC Meeting
December 13-14, 2016


• Align CIPC efforts with NERC strategic plan
• Review workgroup & task force charters
• Retire workgroups & task forces as necessary
• Identify new work areas
• Modify CIPC work plan
• Review CIPC Charter
• Review quarterly meeting agenda (content)

Annual Planning Goals

EC Meeting – September – Albuquerque


• Changes
  – CIPC voting members are asked to chair or co-chair a working group or task force at least once within a two-year term
  – Clarifications on what level of expertise is requested for a cyber, physical, or operations voting member
  – Executive committee (EC) has responsibility for ensuring adequate technical representation and level of participation
  – Clarification on handling of committee and EC vacancies
  – Clarify that CIPC and EC meetings are open unless specifically declared as confidential
  – Removed option to vote via facsimile
  – Guideline approval process updated to reflect NERC’s new processes for implementation guidance

CIPC Charter


Workgroups & Task Forces


• Changes
  – Remains mapped to NERC Strategic Plan (strategic)
  – Workplan now mapped to RISC priorities (tactical)

• Risk profile #8: Physical Security
  – Seven Near-term recommendations (1-2 years)
  – Nine Mid-term recommendations (3-5 years)
  – Two Long-term recommendations (>5 years)

• Risk profile #9: Cybersecurity
  – Eleven Near-term recommendations
  – Four Mid-term recommendations
  – Three Long-term recommendations

CIPC Strategic Plan & Workplan


• Today
  – E-ISAC update
  – Presentations provided with the agenda packet

• Future?
  – More content heavy
  – Working Group and Task Force updates to be more interactive
  – Regional CIPC updates
  – Listen to feedback

What do YOU want for your investment in time/effort?

CIPC Meeting Agenda


Legislative Update

Critical Infrastructure Protection Committee
December 13, 2016

Nathan Mitchell, American Public Power Association


Fixing America's Surface Transportation (FAST) Act 2015

• The new Section 215A(a) defines, among other terms, a “grid security emergency”, and Section 215A(b) authorizes the Secretary of Energy to order emergency measures after the President declares a grid security emergency.

• Grid Security Emergency Orders: Procedures for Issuance was posted in the Federal Register (FR DOC# 2016-28974, Pages 88136-88143).

• https://www.federalregister.gov/documents/2016/12/07/2016-28974/grid-security-emergency-orders-procedures-for-issuance


Fixing America's Surface Transportation (FAST) Act 2015

• Application of emergency order: An order for emergency measures under FPA section 215A(b) may apply to the Electric Reliability Organization, a regional entity, or any owner, user, or operator of critical electric infrastructure or of defense critical electric infrastructure within the US.

• Outreach & consultation: To the extent practicable, prior to issuance of an emergency order DOE will alert stakeholders of the grid security emergency through existing alert mechanisms, such as the NERC alert system and ESCC communication coordination processes. All reasonable efforts will be made to consult with stakeholders and appropriate government authorities prior to the issuance of an emergency order.


National Defense Authorization Act

• The National Defense Authorization Act was sent to the President December 8, 2016.

• Sec. 1913 directs the Department of Homeland Security (DHS) to “…conduct an intelligence-based review and comparison of the risks and consequences of EMP [electromagnetic pulses] and GMD [geomagnetic disturbances] facing critical infrastructure…” and to prepare a “recommended strategy to protect and prepare the critical infrastructure of the homeland against the threats of EMP and GMD.”


Other Activity

• Senator Susan Collins (R-ME) was working to insert language into the Intelligence Authorization Bill to increase intelligence community assistance to the critical infrastructure community. The bill stalled in the Senate.

• Congressman Ami Bera (D-CA) is planning to re-introduce H.R. 6227, the "Grid Cybersecurity Research and Development Act," in the next Congress.


Enhanced Background Investigation Screening (EBIS)

Initial evaluation areas of concern:
• It is unclear whether the FBI will inform a utility if an applicant is on the Known or Suspected Terrorist (KST) list.
• Requests for FBI background checks must be submitted to a designated state or federal agency; utilities cannot make a direct request to the FBI. It is unclear whether state legislation is necessary or required to authorize a state-level agency in each state to perform this intermediary role.
• The utility industry must agree on and define what offenses would disqualify an individual from working in a position with access to critical infrastructure.
• With ESCC concurrence, the trade associations will proceed to develop legislative language to propose in the 115th Congress.


Questions?


How Industry & Government Work Together to Protect Critical Infrastructure

LOCATION, DATE


Approach to Grid Security

Standards
• Physical
• Cyber

Industry-Government Partnership
• Electricity Subsector Coordinating Council (ESCC)
• Electricity Information Sharing & Analysis Center (E-ISAC)
• Partnerships with federal, state, & local governments
• Incident Response

Grid Resiliency
• Mutual Assistance
• Spare Equipment Programs


Purpose & Scope


Purpose: The ESCC is the principal liaison between the electric sector and the federal government for coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.

Scope: The ESCC facilitates and supports policy and public affairs-related activities and initiatives designed to enhance the reliability and resilience of the electric grid. The ESCC is not operational.


Key Scenarios


ESCC Strategic Coordination Responsibilities

Industry
• Utilities
• Trade Associations
• ISOs & RTOs
• NERC
• E-ISAC
• Canadian Utilities

External Groups
• Other Critical Sectors
• Vendors
• Critical Customers
• Media

Government
• Federal Agencies
• Regulators
• PMAs
• Law Enforcement
• State, Local, Tribal, & Territorial
• Canadian Agencies & Provinces


ESCC Committee Structure

Leadership
• Threat Information Sharing & Processes
• Industry-Government Coordination
• Leveraging Infrastructure/Research & Development
• Cross-Sector Coordination
  – Communications
  – Transportation
  – Financial Services
  – Downstream Gas
  – Water


Committee Missions & Projects

Leveraging Infrastructure / Research & Development
Mission: Coordinate government and industry efforts on strategic infrastructure investments and R&D for resilience and national security-related products and processes.
Projects: Spare Equipment Strategy, EMP, National Lab & vendor outreach

Industry-Government Coordination
Mission: Establish unity of effort and unity of messaging between industry and government partners to support the missions of the ESCC both during crises and in steady state.
Projects: ESCC Playbook, Public Affairs, Supply Chain, Cyber Mutual Assistance, Exercises

Threat Information Sharing & Processes
Mission: Improve and institutionalize the flow of, and access to, information among public- and private-sector stakeholders.
Projects: Member Executive Committee, CRISP, Clearances

Cross-Sector Coordination
Mission: Develop partnerships between electricity and other critical sectors to prepare for major incidents, better understand and protect mutual dependencies, and share information effectively.
• Communications
• Transportation
• Financial Services
• Downstream Gas
• Water / Wastewater

ESCC Leadership


ESCC Support

Secretariat
• Administers enabling functions of the ESCC
• Preps executives
• Notifies members of crisis activation
• Provides coordination and support
• Manages Plus 1s and Senior Executive Working Group
• Leads education and socialization effort

Plus 1s
• Supports the work of their respective ESCC CEOs
• Informs ESCC priorities and strategic vision
• Leads or participates in ESCC committee deliverables

Senior Executive Working Group (SEWG)
• Consists of experts and executives representing both industry and government, who are called on to accomplish the goals and deliverables set by the ESCC committees
• 14 industry and government organizations
• 70+ electric power owners and operators


Senior Executive Working Group Engagement

Industry Organizations | Reliability Organizations | The Government

Electric Power Sector Owners & Operators (81):
AES, Alabama Power, Alliant Energy, American Electric Power, Ameren Corp., Arizona Public Service, Arkansas Electric Cooperative Corp., AVANGRID, Avista Corp., Basin Electric Power Corp., Berkshire Hathaway Energy, Bonneville Power Administration, CA Independent System Operator, CenterPoint Energy, City Utilities of Springfield Missouri, Colorado Springs Utilities, ComEd, Consolidated Edison, Consumers Energy (MI), Dominion,
DTE Energy, Duke Energy, Edison International, ELCON, Energy Future Holdings, Energy Reliability Council of Texas, Enmax, Entergy Corp., Eversource Energy, Exelon Corp., FirstEnergy Corp., Florida Power & Light, Garland Power & Light, Georgia Power, Georgia Transmission Corp., Great River Energy, Hawaiian Electric Company, Hydro One, IESO, InfraREIT,
ITC Transmission Co., Kansas City Power & Light, LG&E & KU, Lincoln Electric Power System, MidAmerican Energy, MISO, NextEra Energy, NiSource, Norwich Public Utilities, NY Independent System Operator, NY Power Authority, NV Energy, Oklahoma Gas & Electric, Old Dominion Electric Cooperative, Oncor, Pacific Gas & Electric, Pacificorp, Pepco, PJM Interconnection, PNGC Power,
PPL Electric Utilities, Public Service Electric & Gas Co., PECO Energy Company, PNM Resources, Sacramento Municipal Utility District, Salt River Project, Santee Cooper, Sempra Energy, Snohomish County Public Utility, Southern California Edison, Southern Company, Tacoma Power, TECO Energy, Tullahoma Utilities Board, TVA, TXU Energy, United Technologies Corp., Vectren, WEC Energy Group, Westar Energy, Xcel Energy


Recent Meeting

• November 29, 2016 – Washington DC
  – Threat Briefing
  – Morning meeting industry only
  – Afternoon session with Government Coordinating Council and one representative from the Trump transition team
  – ESCC will continue to function as before to show the value of the public/private partnership in the new administration.


R&D Committee

• ESCC R&D Committee priorities
  – EPRI EMP Project
  – Advanced Information Sharing Capabilities
  – Resilient Grid Operations Communications

• R&D Alignment Workshop:
  – DOE will convene the national labs, EPRI, trade associations, electric companies, and other R&D organizations to align priorities for the electricity sector and support commercialization of technologies.


Threat Information Sharing Committee

Incident Response & Exercises Discussion
• Cyber Mutual Assistance
• IoT Cyber Threat
• National Cyber Incident Response Plan
• GridEx IV

Future activities:
• CRISP analysis and recruitment
• DOE Comparative Risk and Hazard Analysis
• E-ISAC redistribute Ransomware Best Practices
• Enhanced Background Information Screening


Cross-Sector

• Procurement Best Practices: DOE and DHS will provide the ESCC an update on foreign and domestic procurement best practices, particularly as it relates to critical infrastructure equipment. The ESCC will organize industry, critical manufacturing, and the government to create a voluntary framework that addresses supply chain issues.

• Strategic Infrastructure Coordinating Council: Coordination between electricity, telecommunication and finance is to start.


Next ESCC Meetings

May 2017
July 2017
November 2017 – coordination with GridEx IV

Focus areas:
• Transition to new Administration
• Industry Government Coordination
• Leveraging Infrastructure/R&D
• Threat Information Sharing & Processes
• Cross Sector Coordination


Contact Information

Nathan Mitchell
Sr. Director of Electric Reliability Standards and Security
American Public Power Association
[email protected]

For more information: electricitysubsector.org


NERC RISC Update

Critical Infrastructure Protection Committee
December 13, 2016

Nathan Mitchell, American Public Power Association


RISC Report

ERO Reliability Risk Priorities
RISC Recommendations to the NERC Board of Trustees
http://www.nerc.com/comm/RISC/Related%20Files%20DL/ERO_Reliability_Risk_Priorities_RISC_Reccommendations_Board_Approved_Nov_2016.pdf


RISC Meetings

• Future Meeting Dates
  – RISC Committee Call: December 16, 2016 | 9:00 a.m. – 10:00 a.m. Eastern
    Dial-in: 1-866-740-1260 | Access Code: 5247071 | Security Code: 486651
  – March 21, 2017 – Reliability Leadership Summit
  – March 22, 2017 – RISC In-person meeting


Questions?


Grid Exercise

Working Group, CIPC

Bill Lawrence, Director, Programs and Engagement,

E-ISAC

December 14, 2016


Where we were

Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors

Develop a Narrative
• Backstory or ground truth: attacker profile
• The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions

MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player actions
• Dynamic inject development
• Custom injects within entities and RC areas


Where are we now

Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors

Develop a Narrative
• Backstory or ground truth: attacker profile
• The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions

MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player actions
• Dynamic inject development
• Custom injects within entities and RC areas


Calendar

• Wednesday, December 14, 2016 GEWG meeting: Ritz-Carlton Buckhead, Atlanta, GA, 1 – 5 p.m. Eastern
  https://decgewg.eventbrite.com
• Midterm Planning Meeting – Friday, February 10, 2017. Location: McLean, VA
• GEWG – Thursday, March 9, 2017. Location: Atlanta
• Final Planning Meeting – May 1, 2017. Location: McLean, VA
• Summer meetings and planner/player training presentations
• GridSecCon 2017 – October 17-20, 2017. Location: TBD (Minneapolis/St. Paul, MN)
  – Move Zero training, GridEx IV kickoff
• GridEx IV – November 14-17, 2017 (four days?!?)
  – Warmup ExCon day
  – Main days / Rapid Deployment day?


TTTL (Tim’s Top Ten List)

What should you be doing?

1. Log in to the GridEx Portal
2. Identify your internal team of planners that will help you throughout GridEx
3. Identify which parts of your organization will be playing
4. Download the draft Scenario Narrative with your team
5. Start thinking about and discussing schedules
   a) Player (IT, OT, Physical, Operators) schedules for GridEx dates
   b) Move 0 participation schedule / GridSecCon attendance 10/17/17
   c) Reserve necessary conference rooms and work areas with phones and appropriate computers / AV
   d) Planner participation in GEWG calls and in-person Planning meetings


TTTL (Tim’s Top Ten List)

What should you be getting ready to do?

6. Review and comment on the MSEL with your planners
7. Identify the injects that your organization will be subscribing to
8. Work with your RC during GridEx planning meetings to discuss system impacts and injects being selected by organizations within a region
9. Assist in the development of generic inject artifacts for the use by all organizations
10. Work with your internal planners and utilize your systems to develop and create high value custom inject artifacts for your players


Next Steps

• Register your organization for GridEx IV by identifying your Lead Planner to get GridEx IV Portal access ([email protected])
  – Look for updates on the GridEx Portal’s calendar or Lead Planner folders regularly (weekly)
  – Update notifications will be transmitted to Lead Planners only
• Begin Player identification and block off GridEx IV dates for their training (November 15-16, 2017)
• Download and review the exercise Scenario Narrative
• Attend Planning Meetings (on February 10 and May 1, 2017) and be aware of follow-on Planner and Player training opportunities


Security Training Working Group
David Godfrey, STWG Co-chair, City of Garland Power and Light
Critical Infrastructure Protection Committee
December 13-14, 2016


STWG Update

• Charter
  CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as educational outreach opportunities.
• Current Members
  Tobias Whitney, John Breckenridge, Ross Johnson, Tim Conway and David Godfrey


STWG Update

• Latest Activities
  – Working with NERC to re-establish monthly conference calls
  – Working with SANS for pre-CIPC meeting training opportunities
• 2017 Training Schedule and Opportunities
  – March 9 – 10, 2017 - Physical Security Training Course – This course has been designed with CIP-014 in mind and to assist in understanding and helping to prepare for the comprehensive ASIS International Physical Security Professional Certification Exam. Currently the course is open to ERO folks unless the class is not filled.
  – June 2017 – TBA
  – September 2017 – TBA
  – December 2017 – Annual Classified Electricity Sector Threat Briefing


STWG Update

• Next Steps
  – Continue to expand the list of free on demand training from reputable agencies and vendors
  – Secure volunteers to join the group
  – Schedule and prepare future Pre-CIPC training sessions and webinars
  – Work with vendors and/or individuals in the industry to provide specific training to industry.
• CIPC Actions
  – Concerns and/or suggestions for today’s discussion


BES Security Metrics WG CIPC Update

Larry Bugh, Chair
Atlanta, GA
December 13-14, 2016


Critical Infrastructure Protection Committee (April 2016)

Executive Committee
• Joe Garmon, Seminole
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC

Business Continuity Guideline TF (Darren Myers)

Subcommittees
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)

Working Groups
• Physical Security WG (Ross Johnson)
• Security Training WG (David Godfrey)
• Control Systems Security WG (VACANT)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Larry Bugh)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)


Security Metrics Development Roadmap: 2015 and Beyond (roadmap figure; the marker “We are here” shows the current position on the timeline)


BESSMWG Activities

Activities Since September 2016
• Conference call on November 6 to:
  – Review Q3 2016 metrics results
  – Discuss status of draft metrics under development
• Met on December 12 to:
  – Discuss status and next steps for metrics under development: Industrial Control System Vulnerabilities; NERC Alerts
  – Review timeline and activities to prepare the Security Metrics chapter of NERC’s 2017 State of Reliability report
  – Review the Roadmap document for longer-term next steps


CIPC Update

BES Security Metrics: Q3 2016 Results


Reportable Cyber Security Incidents


Reportable Physical Security Incidents


E-ISAC Membership


Industry-Sourced Information Sharing

Note: Physical Bulletins started in Q4 2014.


Global Cyber Vulnerabilities


Global Cyber Vulnerabilities and Incidents

Note: Only annual data available.


GridEx Exercise Participation

Electricity industry participating organizations (i.e., utilities, independent system operators, E-ISAC, NERC, regional entities)
• “Active” organizations participate similar to a real event
• “Observing” organizations participate in a more limited fashion (e.g., tabletop exercise)


Next Steps

• Continue supporting the E-ISAC to review and validate quarterly data
  – Define and implement sub-categories for cyber and physical incidents
• Complete development of detailed definitions for new metrics
  – Industrial control system vulnerabilities
  – Frequency of NERC Alerts (Industry Advisory, Recommendation to Industry, Essential Action)
• Begin drafting the Security Metrics chapter for the 2017 State of Reliability report
• Consider metrics for longer-term development


Compliance and Enforcement Input Working Group

Paul Crist, CEIWG Chair, Lincoln Electric System
CIPC Meeting
December 13-14, 2016


Agenda Items

• Follow-up from NERC Alert Review
• Update on CEIWG providing implementation guidance and industry concerns on CIP Standards – Tobias Whitney, NERC
  – NEI/NERC Unescorted Access Privileges
  – VoIP for BES Operations (BCS?)
  – TO/TOP Control Centers (waiting for SDT)
• CIP-002 Criteria 2.6 and the implementation schedule


Implementation Guidance?


Is CIPC in agreement with the CEIWG developing the proposed implementation guidance documents?


• Meetings – 2nd Thursday of the month at 1:00 CST (Please let me know if you need the call-in information)
• Next Conference Call: January 12th, 2017 at 1:00 CST


Leveraging Existing NRC Background Checks to Satisfy NERC CIP Cyber Security Personnel Risk Assessments

Nuclear GO/GOP Security Background Checks

Wendi Croft, Exelon Nuclear
NEI Nuclear Issues Task Force Member

December 14, 2016


The NEI NERC Issues Task Force

The Nuclear Energy Institute (NEI) – NERC Issues Task Force (NITF) is an NEI-sponsored Task Force established in 2012.

Purpose
• To represent licensees on NERC issues that have a unique impact on Nuclear GO/GOPs, specifically addressing those issues that conflict with or duplicate existing regulations or present a potential challenge to nuclear safety or security

Membership
• Represents 100 nuclear generating units in the United States (66 PWRs and 34 BWRs) which generate about 20% of our nation's electrical use.
• Affiliated with the North American Generator Forum (NAGF).

Products
• NEI-NITF White Papers
• NEI-NITF Interface with NERC, FERC and the Regions
• NEI Web Board for sharing information securely
• Benchmarking, Lessons Learned, and Audit Support


Issue, Recommendations, and Benefits

Issue: NERC Critical Infrastructure Protection (CIP) Standards require Transmission Owners (TOs) to perform cyber security Personnel Risk Assessments (PRAs) prior to providing personnel unescorted access to TO-owned assets. For Nuclear workers, the NERC CIP PRA duplicates the existing Nuclear Regulatory Commission (NRC) required security background checks performed by the licensee for unescorted access to the Nuclear Power Plant.

Recommendations: Gain approval from NERC for TOs to use the existing NRC security background checks and a GO/GOP attestation to satisfy NERC CIP PRAs.

Benefits:
• Eliminates the inefficiency of repeating equivalent background checks
• Maintains the privacy of the Nuclear workers’ information
• Provides an effective and timely alternate access solution to escorted access


Background: NERC Access Requirements

NERC Reliability Standard CIP-004 “Cyber Security - Personnel & Training” requires that:

R3. Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 – Personnel Risk Assessment Program.


Background: NRC Access Regulations

Background checks are required for ALL individuals at a Nuclear Power Plant with unescorted access
• 10CFR73.56 “Personnel access authorization requirements for nuclear power plants”
• 10CFR73.57 “Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information” also has background check requirements


Background: NRC Access Authorization

NRC Access Authorization (AA) Program and Inspection

The licensee (1) for each nuclear power plant licensed under 10 CFR Part 50 is required to develop, implement, and maintain a program to protect against an insider threat at the plant.

The requirements for an AA program apply to each nuclear power plant licensee, including their contractors, subcontractors and vendors.

These regulations require the licensee to:
• Perform reviews and screenings of each person granted unescorted access.
• Ensure that each person granted unescorted access is observed by a supervisor trained to detect, at a minimum, changes in behavior that could indicate degraded or impaired performance.
• Perform initial, follow-up and random drug testing of each person granted unescorted access.

The NRC conducts inspections of licensees' security programs on a continuing, regular basis and requires licensees to report quarterly on associated Performance Indicators.

(1) Licensee, as defined by the NRC, is “a company, organization, institution, or other entity to which the NRC or an Agreement State has granted a general license or specific license to construct or operate a nuclear facility, or to receive, possess, use, transfer, or dispose of source material, byproduct material, or special nuclear material.”


Background: Access for Nuclear Workers

1. Unescorted Access for Nuclear workers
   a) Perform both NERC and NRC required background checks independently
      PROs: No TO concerns related to audit evidence for background check/personnel information
      CONs: Duplicative background checks for both the TO and Nuclear workers costing time, money, and resources.
   b) Use of existing NRC required security background checks performed by the licensee to satisfy requirements for NERC CIP PRAs.
      PROs: One background check that satisfies both CIP Standards and NRC requirements for Nuclear workers
2. Escorted Access by TO personnel
   PROs: No background checks under the CIP Standards
   CONs: Time consuming and ineffective for both the TO and Nuclear workers.


Preferred Option and Barriers

Preferred Option
• TO granted unescorted access for nuclear workers by use of existing NRC required security background checks performed by the licensee to satisfy requirements for NERC CIP PRAs.

Barriers to Implementation
1. Validate the equivalency of NERC CIP PRA / NRC-required background checks
2. Verify the acceptability of a signed attestation letter stating the individual Nuclear worker has been granted and continues to maintain unescorted access to a nuclear power facility in accordance with the requirements set forth in 10CFR73.56 and 10CFR73.57


NERC / NRC Access Comparison

Requirement                               CIP-004 Required   10CFR73.56/57 Required
Positive Social Security Number ID        Yes                Yes
FBI Fingerprint Analysis                  No                 Yes
Criminal History Record Check             7 Years            Entire History (1)
Employment History Evaluation             No                 Yes
Credit History Evaluation                 No                 Yes
Character and Reputation Evaluation       No                 Yes
Psychological Assessment                  No                 Yes
Ongoing Behavioral Observation Program    No                 Yes
Criminal History Update                   7 Years            5 Years (max)
Self-Reporting of Legal Actions           No                 Yes

(1) As a matter of practice, Nuclear workers’ background checks go back to the 18th birthday when conducting the first criminal record check.


Precedent: 2010 “Bright Line” Discussions

Discussions between FERC, NERC, and NRC to identify NERC and NRC authority.

FERC requested and finalized a gap analysis between NERC and NRC requirements.


TO Documentation for Compliance

Nuclear GO/GOPs cannot provide detailed personnel information used for Access Authorization
• 10CFR73.56 (m), “Protection of information,” requires the personnel information used to determine access authorization at a Nuclear site be held confidential except in particular circumstances, which include “(m)(iv) A licensee’s, applicant’s, or contractor’s or vendor’s representatives who have a need to have access to the information in performing assigned duties, including determinations of trustworthiness and reliability and audits of access authorization programs.”

Nuclear GO/GOPs can provide TOs an attestation
• Attestation from the Nuclear GO/GOP would state the individuals requesting access to TO-owned switchyards and associated relay houses have been granted and continue to maintain unescorted access to a nuclear power facility in accordance with the requirements set forth in 10CFR73.56 and 10CFR73.57.


Precedent: NERC March 10, 2016 Letter

Letter from NERC Senior Director of Reliability Assurance (V. Agnew) to Director, Division of Engineering, NRC Office of Reactor Regulation (J. Lubinski), dated March 10, 2016:

“For purposes of a licensee’s compliance with Reliability Standard CIP-004, Requirement R3, the licensee shall not be required to perform a PRA for NRC employee(s) prior to granting unescorted access per CIP-004-6 Requirement R3, nor shall the licensee be required to maintain records of PRA details for those NRC employees, provided that the licensee has verified that the NRC employee for which unescorted access would be granted (i) holds valid, current NRC credentials, (ii) holds an “L” or “Q” level clearance, and (iii) has successfully undergone an NRC background check. Consistent with Federal Energy Regulatory Commission precedent, the NRC background checks for NRC inspectors are at least equal to those required by the CIP standards and, in turn, may be accepted in lieu of a separate PRA.”

Only Applies to NRC Employees NOT Nuclear Workers


Precedent: NRC RIS-2016-12

NRC RIS-2016-12, “NRC Employee Access to Switchyards at Licensee Facilities,” dated November 22, 2016. The RIS reiterated the March 10, 2016 NERC letter and was directed towards those Nuclear licensees that also own their switchyard and would potentially have CIP obligations.

“In 2015, several NRC resident inspectors informed NRC management that they were having issues with gaining unescorted access to the switchyard at their plants. NRC licensees cited NERC Reliability Standard CIP-004 as their basis to deny unescorted access to the switchyard.”

“The NRC staff communicated with NERC staff to clarify this matter.” “…NERC has stated that, consistent with FERC precedent, NRC background checks and security clearances for NRC inspectors are at least equal to those required by CIP standards and may, in turn, be accepted in lieu of a separate PRA.”


Going Forward

Request for NERC acknowledgement of the equivalency of the CIP-004 PRA / 10CFR73.56/57 Background Check Requirements and the Nuclear GO/GOP attestation as acceptable evidence to satisfy the TO CIP-004 Standard obligations.

Considerations:
• Revision to the CIP-004 Standard
• Issuance of a NERC Guideline
• Issuance of a letter to Nuclear GO/GOPs and affected TOs similar to the March 10, 2016 NERC letter regarding NRC Employees


References

• CIP-004-3, “Cyber Security - Personnel & Training,” retrieved from http://www.nerc.com/files/cip-004-3.pdf
• CIP-004-6, “Cyber Security - Personnel & Training,” retrieved from http://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-004-6.pdf
• 10CFR73.56, “Personnel access authorization requirements for nuclear power plants,” retrieved from http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0056.html
• 10CFR73.57, “Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information,” retrieved from http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0057.html
• Status Report of the North American Electric Reliability Corporation in Response to the Federal Energy Regulatory Commission’s March 19, 2009 Order No. 706-B, Docket No. RM06-22-000, October 15, 2010, retrieved from http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Final_Final_Oct_15_Bright-Line_Filing.pdf
• Letter from NERC Senior Director of Reliability Assurance (V. Agnew) to the Director, Division of Engineering, NRC Office of Reactor Regulation (J. Lubinski), dated March 10, 2016, retrieved from http://pbadupws.nrc.gov/docs/ML1608/ML16084A070.pdf
• NRC RIS-2016-12, “NRC Employee Access to Switchyards at Licensee Facilities,” dated November 22, 2016, retrieved from http://www.nrc.gov/docs/ML1615/ML16154A034.pdf

Questions?