Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Physical Security Reliability Standard ImplementationTobias Whitney, Manager of CIP Compliance (NERC)
Carl Herron, Physical Security Leader (NERC)
NERC Sub-Committee Meeting
New Orleans, Louisiana
RELIABILITY | ACCOUNTABILITY2
CIP-014 Implementation Program
Implementation Readiness
Clarify Compliance Expectations
Understanding scoping and 3rd
party reliance
Consistent Enforcement
Increased Industry Awareness
“Support all entities in the timely, effective, and
efficient implementation of CIP-014”
RELIABILITY | ACCOUNTABILITY3
Key Dates
CIP-014-2 Implementation Timeline
Activity Implementation Not Later Than Days after 10/1/15
R1 Assessment Effective Date 10/1/2015 0 days
R2 Verification Effective + 90 12/30/2015 90 days
R2.3 Address Discrepancies R2.2 + 60 2/28/2016 150 days
R3 Notify Control Center R2 +7 1/6/2016 97 days
R4 Threat & Vulnerability Evaluation R2 + 120 6/27/2016 270 days
R5 Security Plan R2 + 120 6/27/2016 270 days
RELIABILITY | ACCOUNTABILITY4
• Industry must assess the loss of certain substations (R1)
To start, entities must identify in-scope substations. Assess:
o Transmission Facilities at 500 kv or higher
o Substations exceeding the “aggregate weighted value” of 3000
o Substations identified by RCs, PCs or TP that are critical to IROL derivations
o Essential to meeting Nuclear Plant Interface Requirements
From there, various processes can be used to determine the list:
o Entities may reference the NATF R1 approach
o Entities may reference the method in the Guidelines and Technical Basis
o Entities may use the process described in TPL-001-4 R4 and R6
• To be compliant, the industry must demonstrate: A transparent process that can be validated by their CEA
The resulting list is commensurate with their process and BES risks
Risk Assessment Guidance
RELIABILITY | ACCOUNTABILITY5
• February guidance memo references the North American Transmission Forum Guidance as a means to perform R1:
1. Identify stations to analyzed based on 4.1.1
2. TO identifies cases/system conditions to be analyzed
o summer peak vs. winter peak load levels
o shoulder peak load levels with system transfers
o alternative generation dispatch assumptions
o alternative load models (i.e., different penetration of inductive load)
3. Define the nature of initiating event and how it will be modeled in assessment.
o Event over several minutes
o Instantaneous event (such as an explosion)
4. TO is responsible for documenting the criteria for instability, uncontrolled separation or Cascading, based on engineering knowledge or judgment.
5. TO performs steady-state power flow or stability analysis.
NATF Guidance
RELIABILITY | ACCOUNTABILITY6
• Requirement R2 mandates that an unaffiliated third-party verify the result of the risk assessment performed under Requirement R1. The third-party for Requirement R2 must be either:
A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or
An entity that has transmission planning or analysis experience.
• Pages 26-28 of the Guidelines and Technical Basis section (Section 4) of the standard provides additional guidance on selecting a third-party verifier, stating that entities should consider the following characteristics:
R2 – 3rd Party Verification
RELIABILITY | ACCOUNTABILITY7
• Registered entity with applicable planning and reliability functions.
• Experience in power system studies and planning.
• The third-party’s understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies.
• The third-party’s familiarity with the Interconnection within which the Transmission Owner is located.
R2 – 3rd Party Verifier Characteristics
RELIABILITY | ACCOUNTABILITY8
• TO’s must demonstrate the appropriate rigor and analysis when performing R1 and R2. Consider how the following questions can be answered:
Why certain stations or substations are identified to meet the criteria in Requirement R1
Similarly, why certain stations or substations were not identified by Requirement R1
What are defining characteristics of stations and substations identified by Requirement R1
How the third party verifying the risk assessment meets the qualifications in Requirement R2 and the means the third party used to ensure effective verification
Compliance Expectations
RELIABILITY | ACCOUNTABILITY9
• Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3.
Shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in R1 and verified according to R2.
Unique characteristics
History of security events
Intelligence or Threat Warnings
R4 Threat and Vulnerabilities Assessment
RELIABILITY | ACCOUNTABILITY10
• R4 – practices containing an approach, common practices and understanding evaluations of the potential vulnerabilities and threats of a physical attack of facilities.
• Site Specific vulnerability considerations
No protection of facility (fencing, locks, or monitoring)
Gaps in or lack of security mitigation(physical and human)
Gaps in or lack of physical security policies and procedures, failure to enforce controls for vehicle and security equipment testing.
Access control – how is it granted, what is the process.
NATF – R4 Guidance Memo June 2015
RELIABILITY | ACCOUNTABILITY11
• Physical Security evaluation checklist. (The physical security evaluation checklist is a format that can be used to provide self assessment of security program).
Facility Information: address, contact numbers Executive Management, Security Management, Maintenance and First Responders
Perimeter: Fence(type, height, anchored and enhancements)crash gate, lighting, surrounding area and landscape
Security Systems(CCTV, Intrusion detection, fire alarms and locks & doors) Information Technology Systems and Sensitive Information storage
Security and Response Plans
NATF - R4 Guidance memo June 2015
RELIABILITY | ACCOUNTABILITY12
• CIP-014 Questionnaire – Threat Assessment
List all of facility history of sabotage, vandalism, physical attack and Law Enforcement response
List all historical criminal incidents to similar sites within the U. S.
Threat Assessment, Intelligence Bulletins or Threat Warnings prepared by State Fusion Centers, Local Law Enforcement, DHS or FBI
NATF - R4 Guidance memo June 2015
RELIABILITY | ACCOUNTABILITY13
• Resiliency Measures – measures already existing to prevent a physical attack
Existing physical security measures to deter such as: Perimeter signage, fencing, gates, lighting, locks and security officers/roving patrols
Existing physical security measures to detect such as: CCTV, Intrusion Detection and alarms
Existing physical security measures to delay such as: Vehicle barriers, crash gates, fencing and security officers
Existing physical security measures to assess such as: Video surveillance, video analytics and security command centers
NATF - R4 Guidance memo June 2015
RELIABILITY | ACCOUNTABILITY14
• Resiliency Measures – continued
Existing physical security measures to communicate such as: Security Operations Center(SOC) initiates response, protection of communication transmission to the SOC, alarm systems and Intercom system.
Existing physical security measures to respond such as: Documented procedures, responses to alarms, State or local Law Enforcement and armed security officers deployment.
NATF - R4 Guidance memo June 2015
RELIABILITY | ACCOUNTABILITY15
• Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3.
Shall develop and implement a documented physical security plan(s) that cover their Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of R2 and executed according to the timeline specified in the physical security plans.
The security plan should address the mitigation and response to the threats and vulnerabilities identified.
A measureable timeline of executing the physical security enhancements and modifications should be included in the security plan.
The timeline should include a project plan on how security enhancements and modifications will be implemented.
R5 Security Plan
RELIABILITY | ACCOUNTABILITY16
• R5 – provides an approach for development and implementation of Physical Security Plans. Areas for consideration:
Deterrence Measures – Visible physical security measures installed to persuade individuals to seek other, less secure targets.
Detection Measures – Physical security measures installed to detect unauthorized intrusion and provide local and/ or remote intruder notification.
Delay Measures – Physical security measures installed to delay an intruder’s access to a physical asset and provide time for incident assessment and response.
NATF - R5 Guidance memo June 2015
RELIABILITY | ACCOUNTABILITY17
• Assessment Measures – The process of evaluating the legitimacy of an alarm and determining the procedural steps required to respond.
• Communicate – Systems used to send and receive alarm/video signals, audio, and data.
• Respond – The immediate measures taken to assess, deploy, interrupt, to an incident.
• Physical Security Plan Template.
NATF - R5 Guidance memo June 2015
RELIABILITY | ACCOUNTABILITY18
• R6 - Each Transmission Owner and Transmission Operator shall select an unaffiliated third party reviewer from the following:
An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional(CPP) or Physical Security Professional(PSP) certification.
An entity or organization approved by the ERO.
A government agency with physical security expertise.
An entity or organization with demonstrated law enforcement, government, or military physical security expertise.
R6
RELIABILITY | ACCOUNTABILITY19
• CIPC has developed guidance to support industry’s implementation of Requirement R6.
Provides examples of experience/documentation for third party reviewer with electric industry
o Proof of past or current employment as an employee(s) or contractor(s) in the electric industry;
o Proof of past or current employment as an employee(s) or contractor(s) as an ERO regional entity auditor; or
o Documented experience in threat vulnerability assessments or development of security plans in the electric industry.
Critical Infrastructure Protection Committee (CIPC) R6
RELIABILITY | ACCOUNTABILITY20
• Provides examples of government agencies that might be selected
• Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise.
CIPC – R6 Guidance
RELIABILITY | ACCOUNTABILITY21
• Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise.
Conducting and/or evaluating threat and vulnerability analysis of physical attack
Designing and/or evaluating physical security plans
Third party review of threat and vulnerability analyses or physical security plans
Designing, implementing, or evaluating asset protection plans, specifically those related to facilities with special emphasis on industrial complexes
CIPC – R6 Guidance
RELIABILITY | ACCOUNTABILITY22
ERO approval process guidance (September 2015)
• This process will be applied when registered entity has a third party that does not meet one of the other three criteria.
• Candidate 3rd parties shall work through their Registered Entity to obtain certification.
• The ERO will review the qualifications against industry-vetted criteria, which is included in the Appendix A.
• Appendix A - request third party reviewer must have at least one criteria from the physical security experience plus one from electric sector experience.
R6 Guidance
RELIABILITY | ACCOUNTABILITY23
• Physical Security experience(at least one):
Certified Critical Infrastructure Protection Specialist (CCIPS) and ten (10) years.
Certified Homeland Protection Professional (CHPP) and ten (10) years’
Professional in Critical Infrastructure Protection (PCIP) and ten (10) years’
Certified Security Consultant (CSC) and ten (10) years’ experience as a physical security professional.
Ten (10) years employment in a physical security department with responsibilities in facility protection.
Physical security subject matter expert.
Ten (10) years of experience in physical security program development, risk assessments, and threat assessment.
Twenty (20) engagements as a security consultant for facility physical security assessments or security program design.
ERO approval process guidance (September 2015) Appendix – A
RELIABILITY | ACCOUNTABILITY24
• Electric Sector Experience(at least one):
Ten (10) years employment with an electric utility transmission organization.
Three (3) years employment as an ERO regional entity auditor
Ten (10) assignments as a physical security consultant for a North American electric utility transmission organization
Five (5) years military service with training in critical infrastructure interdiction.
ERO approval process guidance (September 2015) Appendix – A
RELIABILITY | ACCOUNTABILITY25
• Number of assets critical under the standard
Per Region
Q4 2015 – Q1 2016
• Defining characteristics of the assets identified as critical Per Region
Q4 2015 – Q1 2016
• Scope of security plans By Q4 2016
Information obtained Guided Self-Certs, Off-site Audits, Audits
Consider compliance monitoring schedule
ERO to Monitor Implementation
RELIABILITY | ACCOUNTABILITY26
• Timelines for implementing security and resiliency measures
Regions: Periodic Guided Self-Certs, Off-site Audits, Audits to determine implementation schedule and progress
NERC will aggregate results
• Industry’s progress in implementing the standard Beginning in Q4, Quarterly NERC Board Updates
• Reliability Standard Audit Worksheet for CIP-014-2, will be sent to drafting team(September 2015).
ERO to Monitor Implementation