Physical Security Reliability Standard Implementation Workshops Library/… · R1 Assessment Effective Date 10/1/2015 0 days R2 Verification Effective + 90 12/30/2015 90 days R2.3

Physical Security Reliability Standard ImplementationTobias Whitney, Manager of CIP Compliance (NERC)

Carl Herron, Physical Security Leader (NERC)

NERC Sub-Committee Meeting

New Orleans, Louisiana

RELIABILITY | ACCOUNTABILITY2

CIP-014 Implementation Program

Implementation Readiness

Clarify Compliance Expectations

Understanding scoping and 3rd

party reliance

Consistent Enforcement

Increased Industry Awareness

“Support all entities in the timely, effective, and

efficient implementation of CIP-014”


Key Dates

CIP-014-2 Implementation Timeline

Activity Implementation Not Later Than Days after 10/1/15

R1 Assessment Effective Date 10/1/2015 0 days

R2 Verification Effective + 90 12/30/2015 90 days

R2.3 Address Discrepancies R2.2 + 60 2/28/2016 150 days

R3 Notify Control Center R2 +7 1/6/2016 97 days

R4 Threat & Vulnerability Evaluation R2 + 120 6/27/2016 270 days

R5 Security Plan R2 + 120 6/27/2016 270 days


• Industry must assess the loss of certain substations (R1)

To start, entities must identify in-scope substations. Assess:

o Transmission Facilities at 500 kv or higher

o Substations exceeding the “aggregate weighted value” of 3000

o Substations identified by RCs, PCs or TP that are critical to IROL derivations

o Essential to meeting Nuclear Plant Interface Requirements

From there, various processes can be used to determine the list:

o Entities may reference the NATF R1 approach

o Entities may reference the method in the Guidelines and Technical Basis

o Entities may use the process described in TPL-001-4 R4 and R6

• To be compliant, the industry must demonstrate: A transparent process that can be validated by their CEA

The resulting list is commensurate with their process and BES risks

Risk Assessment Guidance


• February guidance memo references the North American Transmission Forum Guidance as a means to perform R1:

1. Identify stations to analyzed based on 4.1.1

2. TO identifies cases/system conditions to be analyzed

o summer peak vs. winter peak load levels

o shoulder peak load levels with system transfers

o alternative generation dispatch assumptions

o alternative load models (i.e., different penetration of inductive load)

3. Define the nature of initiating event and how it will be modeled in assessment.

o Event over several minutes

o Instantaneous event (such as an explosion)

4. TO is responsible for documenting the criteria for instability, uncontrolled separation or Cascading, based on engineering knowledge or judgment.

5. TO performs steady-state power flow or stability analysis.

NATF Guidance


• Requirement R2 mandates that an unaffiliated third-party verify the result of the risk assessment performed under Requirement R1. The third-party for Requirement R2 must be either:

A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or

An entity that has transmission planning or analysis experience.

• Pages 26-28 of the Guidelines and Technical Basis section (Section 4) of the standard provides additional guidance on selecting a third-party verifier, stating that entities should consider the following characteristics:

R2 – 3rd Party Verification


• Registered entity with applicable planning and reliability functions.

• Experience in power system studies and planning.

• The third-party’s understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies.

• The third-party’s familiarity with the Interconnection within which the Transmission Owner is located.

R2 – 3rd Party Verifier Characteristics


• TO’s must demonstrate the appropriate rigor and analysis when performing R1 and R2. Consider how the following questions can be answered:

Why certain stations or substations are identified to meet the criteria in Requirement R1

Similarly, why certain stations or substations were not identified by Requirement R1

What are defining characteristics of stations and substations identified by Requirement R1

How the third party verifying the risk assessment meets the qualifications in Requirement R2 and the means the third party used to ensure effective verification

Compliance Expectations


• Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3.

Shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in R1 and verified according to R2.

Unique characteristics

History of security events

Intelligence or Threat Warnings

R4 Threat and Vulnerabilities Assessment


• R4 – practices containing an approach, common practices and understanding evaluations of the potential vulnerabilities and threats of a physical attack of facilities.

• Site Specific vulnerability considerations

No protection of facility (fencing, locks, or monitoring)

Gaps in or lack of security mitigation(physical and human)

Gaps in or lack of physical security policies and procedures, failure to enforce controls for vehicle and security equipment testing.

Access control – how is it granted, what is the process.

NATF – R4 Guidance Memo June 2015


• Physical Security evaluation checklist. (The physical security evaluation checklist is a format that can be used to provide self assessment of security program).

Facility Information: address, contact numbers Executive Management, Security Management, Maintenance and First Responders

Perimeter: Fence(type, height, anchored and enhancements)crash gate, lighting, surrounding area and landscape

Security Systems(CCTV, Intrusion detection, fire alarms and locks & doors) Information Technology Systems and Sensitive Information storage

Security and Response Plans

NATF - R4 Guidance memo June 2015


• CIP-014 Questionnaire – Threat Assessment

List all of facility history of sabotage, vandalism, physical attack and Law Enforcement response

List all historical criminal incidents to similar sites within the U. S.

Threat Assessment, Intelligence Bulletins or Threat Warnings prepared by State Fusion Centers, Local Law Enforcement, DHS or FBI



• Resiliency Measures – measures already existing to prevent a physical attack

Existing physical security measures to deter such as: Perimeter signage, fencing, gates, lighting, locks and security officers/roving patrols

Existing physical security measures to detect such as: CCTV, Intrusion Detection and alarms

Existing physical security measures to delay such as: Vehicle barriers, crash gates, fencing and security officers

Existing physical security measures to assess such as: Video surveillance, video analytics and security command centers



• Resiliency Measures – continued

Existing physical security measures to communicate such as: Security Operations Center(SOC) initiates response, protection of communication transmission to the SOC, alarm systems and Intercom system.

Existing physical security measures to respond such as: Documented procedures, responses to alarms, State or local Law Enforcement and armed security officers deployment.



• Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3.

Shall develop and implement a documented physical security plan(s) that cover their Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of R2 and executed according to the timeline specified in the physical security plans.

The security plan should address the mitigation and response to the threats and vulnerabilities identified.

A measureable timeline of executing the physical security enhancements and modifications should be included in the security plan.

The timeline should include a project plan on how security enhancements and modifications will be implemented.

R5 Security Plan


• R5 – provides an approach for development and implementation of Physical Security Plans. Areas for consideration:

Deterrence Measures – Visible physical security measures installed to persuade individuals to seek other, less secure targets.

Detection Measures – Physical security measures installed to detect unauthorized intrusion and provide local and/ or remote intruder notification.

Delay Measures – Physical security measures installed to delay an intruder’s access to a physical asset and provide time for incident assessment and response.



• Assessment Measures – The process of evaluating the legitimacy of an alarm and determining the procedural steps required to respond.

• Communicate – Systems used to send and receive alarm/video signals, audio, and data.

• Respond – The immediate measures taken to assess, deploy, interrupt, to an incident.

• Physical Security Plan Template.



• R6 - Each Transmission Owner and Transmission Operator shall select an unaffiliated third party reviewer from the following:

An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional(CPP) or Physical Security Professional(PSP) certification.

An entity or organization approved by the ERO.

A government agency with physical security expertise.

An entity or organization with demonstrated law enforcement, government, or military physical security expertise.

R6


• CIPC has developed guidance to support industry’s implementation of Requirement R6.

Provides examples of experience/documentation for third party reviewer with electric industry

o Proof of past or current employment as an employee(s) or contractor(s) in the electric industry;

o Proof of past or current employment as an employee(s) or contractor(s) as an ERO regional entity auditor; or

o Documented experience in threat vulnerability assessments or development of security plans in the electric industry.

Critical Infrastructure Protection Committee (CIPC) R6


• Provides examples of government agencies that might be selected

• Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise.

CIPC – R6 Guidance


• Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise.

Conducting and/or evaluating threat and vulnerability analysis of physical attack

Designing and/or evaluating physical security plans

Third party review of threat and vulnerability analyses or physical security plans

Designing, implementing, or evaluating asset protection plans, specifically those related to facilities with special emphasis on industrial complexes

CIPC – R6 Guidance


ERO approval process guidance (September 2015)

• This process will be applied when registered entity has a third party that does not meet one of the other three criteria.

• Candidate 3rd parties shall work through their Registered Entity to obtain certification.

• The ERO will review the qualifications against industry-vetted criteria, which is included in the Appendix A.

• Appendix A - request third party reviewer must have at least one criteria from the physical security experience plus one from electric sector experience.

R6 Guidance


• Physical Security experience(at least one):

Certified Critical Infrastructure Protection Specialist (CCIPS) and ten (10) years.

Certified Homeland Protection Professional (CHPP) and ten (10) years’

Professional in Critical Infrastructure Protection (PCIP) and ten (10) years’

Certified Security Consultant (CSC) and ten (10) years’ experience as a physical security professional.

Ten (10) years employment in a physical security department with responsibilities in facility protection.

Physical security subject matter expert.

Ten (10) years of experience in physical security program development, risk assessments, and threat assessment.

Twenty (20) engagements as a security consultant for facility physical security assessments or security program design.

ERO approval process guidance (September 2015) Appendix – A


• Electric Sector Experience(at least one):

Ten (10) years employment with an electric utility transmission organization.

Three (3) years employment as an ERO regional entity auditor

Ten (10) assignments as a physical security consultant for a North American electric utility transmission organization

Five (5) years military service with training in critical infrastructure interdiction.

ERO approval process guidance (September 2015) Appendix – A


• Number of assets critical under the standard

Per Region

Q4 2015 – Q1 2016

• Defining characteristics of the assets identified as critical Per Region

Q4 2015 – Q1 2016

• Scope of security plans By Q4 2016

Information obtained Guided Self-Certs, Off-site Audits, Audits

Consider compliance monitoring schedule

ERO to Monitor Implementation


• Timelines for implementing security and resiliency measures

Regions: Periodic Guided Self-Certs, Off-site Audits, Audits to determine implementation schedule and progress

NERC will aggregate results

• Industry’s progress in implementing the standard Beginning in Q4, Quarterly NERC Board Updates

• Reliability Standard Audit Worksheet for CIP-014-2, will be sent to drafting team(September 2015).

ERO to Monitor Implementation


mailto:[email protected]

mailto:[email protected]

Documents

Physical Security Reliability Standard Implementation Workshops Library/… · R1 Assessment Effective Date 10/1/2015 0 days R2 Verification Effective + 90 12/30/2015 90 days R2.3