Powering BC Highlights and...1. Application Control 2. IT/OT Security Reference Architecture 3. Improvements in Real Time Monitoring 8 Thank you and welcome to Vancouver!! 9 NERC CIPC

Powering BC

NERC Critical Infrastructure Protection CommitteeSeptember 16, 2014

Jim AttridgeManager, Cyber Security

About BC Hydro

700 kms

1300

km

s

944,700 km2

2

Technology Drivers for BC HydroOur business environment

•Need to deliver clean reliable electricity in safe manner

•Aging assets

•Capital constraints

•Pressure to keep rates low

•Human resource constraints – aging workforce + new skills needed

•Emergence of disruptive technologies

•Challenging energy policies

3

Key Technology Investments

Looking to the Future

Electric vehicle charging stations

Wide-area situational awareness Widely-deployed sensors

Microgrids

4

Cyber Security at BC Hydro - Overview

5

Segregation? That is so 2009!

Cyber Security Challenges at BC Hydro

6

Cyber Security at BC Hydro – Another Challenge

RIP Antivirus Table showing yearly unique malware instances

7

Cyber Security at BC Hydro – Challenge Accepted!

BC Hydro Initiatives Underway

1. Application Control

2. IT/OT Security Reference Architecture

3. Improvements in Real Time Monitoring

8

Thank you and welcome to Vancouver!!

9

NERC CIPC Chair ReportChuck Abell

September 16, 2014

2 RELIABILITY | ACCOUNTABILITY

2014 Efforts & Activities

• Security Technology Awareness Workshop

• Grid Security Conference – San Antonio, TX

• CIP-014-1 Physical Security Standard

• CIP V5 “791” Standards Drafting Team

• CIP V5 Transition Program

• CRISP Program Expansion/Funding

• GridEx III – Team forming / Planning beginning

• CIPC Strategic Plan Bi-annual Update


CIP Committee Structure

Physical Security Subcommittee(David Grubbs)

Cyber Security Subcommittee

(Marc Child)

Operating Security Subcommittee

(Jim Brenton)

Policy Subcommittee(Nathan Mitchell)

Physical Security WG

(Ross Johnson)

CIPC Executive CommitteeMarc Child Chuck Abell, Chair Melanie SeaderDavid Grubbs Nathan Mitchell, Vice Chair Jack CashinRoss Johnson Jim Brenton, Vice Chair Barry Lawson David Revill Bob Canada, Secretary

Security Training WG

(William Whitney)

Control System Security WG

(Mikhail Flakovich)

Cyber Security AnalysisWG

(Vacant)

ES Information Sharing TF

(Stephen Diebold)

Grid Exercise WG

(Tim Conway)

Cyber Attack Tree TF

(Mark Engels)

BES Security Metrics WG

(James Sample)

Personnel Security Clearance TF

(Nathan Mitchell)

Compliance & Enforcement Input WG

(Paul Crist)

Physical Security Guidelines

WG(John Breckenridge)

Business Continuity Guideline TF

(Darren Meyers)

Critical Infrastructure Protection

Matt Blizard, PEDirector, Critical Infrastructure ProtectionCIPC, VancouverSeptember 16th, 2014


CIP Updates and Activities

• NERC Updates: o CID/ESISAC Restoration and Recovery (training…)o ES-ISAC – update (CRISP, Cyber IQ, etc.)o CIP v5 transition – “effective and efficient implementation”o CIP v5 revisions, FERC Order 791 - updateo Security Reliability Program (SRP) advancementso Physical Security – CIP-014-1 Implementationo Manager, Physical Security and CIPCo GridEx II lessons learned actions – “address and act upon…”o GridEx III – moving forward…o CIPC – Work Groups and Task Forceso CIPC – Annual Planning

• Activities: GridSecCon 14-17 October 2014, Hyatt Regency, San Antonio, TX GridEx III 18-19 November 2015


ES-ISAC UpdateCIPCSeptember 16-17, 2014

RELIABILITY | ACCOUNTABILITY2

Portal Upgrades

Under Active Development Since June• Moved to new provider in May• Various platform (OS, etc) upgrades• Custom user provisioning and user authentication system

deployed in August• Impending Cyber Awareness Monitoring pilot


Remaining 2014 Upgrades

Q4 of 2014 Rollout of Industry Rolodex (ESCC asked)

o Emergency POCso IP Space identification

Rollout of Threat Collaborationo Consolidate and target threat information feeds for the user

STIX/TAXII services Piloto Uniform data format for sharing IOCs

Site look and feel will slowly improve as well

Presenter

Presentation Notes

Rolodex Industry Rolodex is an opt-in directory system to share emergency point of contact information. This functionality was asked by DHS to the ESCC. ESCC concluded ES-ISAC is ideal location. This is an opt-in system to allow lookup of contact information. This includes ops center numbers, individual contact information and also an opt-in to provide Member IP space. Why IP Space? If you have an egress point that is owned by AT&T and it’s found infected with, let’s say Havex, having this directory will allow either esisac or gov partner to easily identify it as you. No GOOD way to do this currently but with simple functionality we can address a major gap. Threat Collaboration Threat Collaboration is an umbrella term for a webapp we will be releasing soon and continually adding functionality to. It will collapse all the various documents and blogs we currently have into one platform to allow for easy searching and one-stop shopping. It will allow transparent information handling and routing functionaly, “variable” attribution, discussion, hydra groups, and filtering capability. What is filtering capability? If you are a physical security guy you can limit the information you see to solely physical. Same for cyber. What is ‘variable attribution”? Whatever you post, you can specifiy if the submittor is say “Matt from Acme”, “Acme Corporation”, “ESISAC Member” or simply “Anonymous”. And information handling: we are adding ability to have Originator Controls, Transparent Chain of Custody logs, and Information Handling rules to enforce who sees what and how. Our first release for this is later this month and slow migration of current data will continue throughout the year as we add additional functionality. STIZ/TAXII Services We are working with another vendor to offer a TAXII datafeed.. This is similar to Cyber Fed Model (Which we will also be publishing content to). ES-ISAC believes STIX will be the first true data format for sharing cyber indicators of compromise. We expect several tools to be released in 2014 and 2015 that will spur adoption and we are trying to get out in front of this adoption through this pilot. More will be announced in the next month or two.


Upcoming Events

• GridSecCon CRPA Workshop ES-ISAC Room

• SANS ICS Summit 2015 CRPA Workshop ES-ISAC Room Exposure 2 closure

Presenter

Presentation Notes

We have partnered with SANS to offer several ES-ISAC options at SANS ICS Summit in Orlando FL in the first quarter of 2015. This includes CRPA Workshops. We are also working on setting up an ES-ISAC room prior to the conference where you can learn about how ES-ISAC does threat intelligence, demo the new portal fetatures and meet the ES-ISAC staff. We will be doing this at both GSC and ICS Summit. We are nearly confirmed to also host exposure 2 closure again; this is ‘training’ in a dramatic play format to offer real life scenarios and lessons learned at both an asset owner and global level. We expect that we will also have a number of highly discounted tickets available to the sector.


CRISP Update

We are nearing the finish line….or the starting line!

• This is a very significant effort Huge cross section of industry Nearly $10M program

• Takes the public-private partnership to a new level • Positions this industry to address cybersecurity more

effectively• It’s not just about technology – its about building the

mechanisms for greater collaboration and coordination of effort


CRISP Update Cont’d

• Significant progress Master Services Agreement Complete Finalizing PNNL Contract Statement of Work and Budgets Developed

• Outreach 20 One-on-One Calls with Prospective Participants Targeting 28 Companies by Q1 2015 Good response from across the industry Will only succeed if we get sufficient participation


Continue the discussion by engaging the team:

[email protected]

CIP V3-V5 Transition

Strategic Plan and Tactical ExecutionSeptember 2014Tobias Whitney, Manager of CIP Assurance


Purpose of the Transition Program

Transitioning entities confident in implementation

Vision 2016: smooth transition to CIP Version 5

“Support all entities in the timely, effective, and efficient transition to CIP Version 5”


Responsibilities of the ERO (NERC & Regional Entities)• The purpose of the strategy is to supplement the overall transition program to

validate that communications and tools are delivered and to assure that:1. As of the effective date the registered entities have confidence that what they are doing

is actually compliant and there is confidence that the compliance auditors will perform oversight in a consistent manner.

2. Over 90% of all registered functions have been contacted and provided with tools and resources to assure a successful transition. Specifically focusing on the identification and classification of assets, understanding types and adequacy of evidence, clear understanding of testing methodology.

3. Requisite training is delivered to 100% of compliance auditors for assessing risk, scoping audits, gathering and evaluating evidence, and utilizing defined approved audit approaches.

4. Execute the vision and concepts of the Transition Guidance document.5. Proactively identify and resolve issues that may result in violations prior to formal

compliance monitoring activity.

Goal of the Transition Program


Transition Elements

Continuous Outreach

Compliance and Enforcement

Periodic Guidance

Training


CIP Market Segmentation

Type 1“New High and

Medium”

Large Substation

Mix

No V3 compliance

history

<100 Entities

Type 2“Legacy V3”

Large Substation

Mix

Significant V3 History

<200 Entities

Type 3“Large Entity

w/Low”

Large Substation &

Gen Mix


<200 Entities

Type 4“Small Entity

w/Low”

Small Substation &

Gen Mix

No V3 Compliance

History

>1000 Entities

2016 2017


Type 1: Outreach Approach

• NERC will work closely with Regions to identify specific entities impacted by V5 WECC has already identified 27 New V5 entities (for High

and Medium) Less than 100 of these entities ERO-wide

• Targeted SRPs – based on Regional target group Contact each entity individually Organize group specific training for the “newcomers”

• IRA and compliance monitoring planning for these entities will be critical

Type 1“New High and

Medium”

Small-Med Substation

Mix

No V3 compliance

history

<100 Entities



• Regions are the lead for outreach NERC staff shall support regional outreach activities May accompany V3 audits for discussion re: V5

• Execute Transition Guidance Evaluate entity’s V5 progress Proactively address V5 related questions 50% of time or more should be allocated to

assessing V5 readiness

• Continue Current Outreach Approach CIPC Auditor Training Workshops Regional Workshops

Type 2“Legacy V3”

Large Substation

Mix


<200 Entities



• Monitor SDT efforts closely to determine requirements for Low Impact

• Begin developing RAI-based audit Approach for Lows While lists may not be required, what are methods that could be

used to enable entities to demonstrate their compliance with Low remotely (off-site audit)

Consider guided self-certification forms for annual Low Impact certifications

• Continue Current Outreach Approach Regional Workshops NERC Standards and Compliance Workshops Webinars & SRPs

• Entity type may pose significant risk to BPS reliability due to sheer size and scale

Type 3“Large Entity

w/Low”

Large Substation &

Gen Mix


<200 Entities



• Monitor SDT efforts closely to determine requirements for Low Impact

• Most entities in this group are not well plugged into NERC communications engine thus will require partnering with APPA and NRECA to perform targeted outreach

• Review 693 compliance history to determine and develop RAI profile

• Overwhelming majority of Responsible Entities but individually do not pose a significant BPS risk, but a significant compliance risk.

• Outreach: “ERO Advisory Sessions” in coordination with Trades

• Develop a Compliance Reference guide (ERO Compliance and Enforcement)

Type 4“Small Entity

w/Low”

Small Substation &

Gen Mix

No V3 Compliance

History

>1000 Entities


Transition Guidance Highlights

• CIP Version 5 will be reviewed in the course of audits during the transition period Entities will be able to signal to their RE which Version applies to which

assets Recommendations and Areas of Concern will be used for V5 issues as

opposed to PVs

• Off-site Audits have been postponed until further notice Additional outreach Proactively identify Type 1 entity’s in your region

• Entities may elect to use a V3 RBAM, continue to use the V4 BLC or use the V5 IRC to identify in-scope assets during the transition.


Compliance Monitoring During the Transition Period


Reference Compatibility Tables

http://www.nerc.com/pa/CI/Documents/V3-V5%20Compatibility%20Tables.pdf


• Additional Guidance: Responsible Entities adopting either the CIP V4 Critical Asset Criteria or

the CIP V5 Impact Rating Criteria must adopt the Criteria in their entirety, subject to the caveats documented in the CIP V5 Transition Guidance.

Adoption of either the CIP V4 Critical Asset Criteria or the CIP V5 Impact Rating Criteria should be documented by a Memorandum of Record or other, similar memorialization. A documented RBAM is not required.

Responsible Entities must annually apply the CIP V3 RBAM or alternative CIP V4 or V5 Criteria to derive an updated Critical Asset list.

Critical Asset Identification


• Adoption and application of either the CIP V4 Critical Asset Criteria or the CIP V5 Impact Rating Criteria will result in an updated Critical Asset list. Most existing Critical Assets will continue to be Critical Assets. Some Critical Assets will not satisfy the Criteria and can be immediately

removed from the Critical Asset list. New Critical Assets may be identified as a result of adopting and

applying the Criteria.o Newly identified Critical Assets should be flagged on the updated Critical

Asset list as resulting from applying the CIP V4 Critical Asset Criteria or the CIP V5 Impact Rating Criteria.

Newly Identified Critical Assets


• After updating the Critical Asset list, the performance of CIP-002-3, Requirement R3, will result in an updated Critical Cyber Asset list.

• Any newly identified Critical Cyber Assets associated with a newly identified Critical Asset will not be expected to come into compliance with the CIP V3 Standards. Newly identified Critical Cyber Assets should be flagged on the updated

Critical Cyber Asset list Such Critical Cyber Assets will be taken straight to CIP V5 compliance

per the CIP V5 Implementation Plan.

Updated Critical Cyber Asset List


• After updating the Critical Asset list, the performance of CIP-002-3, Requirement R3, will result in an updated Critical Cyber Asset list.

• Any newly identified Critical Cyber Assets associated with a newly identified Critical Asset will not be expected to come into compliance with the CIP V3 Standards. Newly identified Critical Cyber Assets should be flagged on the updated

Critical Cyber Asset list Such Critical Cyber Assets will be taken straight to CIP V5 compliance

per the CIP V5 Implementation Plan.



• Critical Cyber Assets associated with removed Critical Assets may be immediately removed from the Critical Cyber Asset list. Removed Critical Cyber Assets will immediately come out of the CIP V3

compliance program. Such Cyber Assets will likely come back into the CIP compliance program

under CIP V5 as Low impacting BES Cyber Systems. Resumed compliance under CIP V5 will be pursuant to the CIP V5

Standards Implementation Plan.



• Existing Critical Cyber Assets that remained on the Critical Cyber Asset list after adoption and application of the CIP V4 or V5 Criteria and subsequent performance of CIP-002-3, Requirement R3, shall remain in the CIP V3 compliance program through the Transition Period. No lapse of CIP compliance is permitted. CIP V3 compliance must be maintained subject to the provisions of the

CIP V5 Transition Guidance. Replacement Cyber Assets must be CIP V3 or V5 compliant upon

commissioning.



• Consistent with the CIP V3 Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entitiesand the CIP V5 Implementation Plan, new and upgraded/replaced Critical Cyber Assets resulting from a planned change must be fully compliant upon commissioning. During the Transition Period, compliance may be with either the CIP V3

or CIP V5 standards. Examples include planned replacement of the SCADA/EMS and planned

conversion from a non-routable to a routable protocol in a Transmission substation or generating plant.

Changes to Existing CAs/CCAs


• A planned change that elevates BES Cyber Systems to a higher categorization during the Transition Period must be compliant with the higher impacting CIP V5 requirements by the effective date of the requirement. Example includes a planned increase in generation that results in a

higher categorization of BES Cyber Systems at the Control Center.

• Unplanned changes will need to be compliant by the later of the CIP V5 Standards effective date or the Compliance Implementation date shown in the CIP V5 Implementation Plan Examples include Criteria 2.3 and 2.6 notifications.

Changes to Existing CAs/CCAs


• On-site CIP compliance audits of Responsible Entities registered as Reliability Coordinators, Balancing Authorities, or Transmission Operators, and other Responsible Entities with Critical Cyber Assets will continue through the Transition Period.

• Off-site CIP compliance audits of Responsible Entities with no Critical Cyber Assets (other than Reliability Coordinators, Balancing Authorities, and Transmission Operators) are cancelled through the Transition Period. Self-reports, spot checks, and self-certifications still allowed. Audits of “off-site entities” may resume with CIP V5.



• Responsible Entities audited during the Transition Period may choose to be audited against the CIP V3 or CIP V5 Standards. Election made on requirement-by-requirement basis. Election may be made on a site-by-site basis.

• Request for Information will be issued 45 days prior to issuance of the 90-day audit notice (135 days prior to the audit). Regions will issue a spreadsheet with selection options. Entities will have 15 days to respond.





• At audit, in-scope requirements will be initially evaluated per the Responsible Entity’s selection. If CIP V5 selected and compliance with the V5 language is determined,

the V5 compliance will be viewed as CIP V3 compliant and a “No Finding” will be issued.

If CIP V5 is selected and non-compliance with the V5 language is determined, the audit team will revert back to the CIP V3 language. If V3 compliance is determined, a “No Finding” will be issued.

If neither CIP V3 nor V5 compliance is determined, a “Possible Violation” or “Area of Concern” will be issued.



• If a CIP V5 Requirement is selected by the entity, a “Possible Violation” will not be found for any part of the Requirement that is unique to CIP V5. The audit team will conduct outreach to help steer the Responsible

Entity back on course to CIP V5 compliance. An “Area of Concern” may be issued to document the future potential

non-compliance issue.

• Example includes aspects of the annual security training requirements of CIP-004-5, Requirement R2, such as Requirement R2.1.4 (the visitor control program).



• While not specified by the CIP V5 Transition Guidance, Responsible Entities selecting the CIP V3 audit option will not eliminate a CIP V5 evaluation opportunity. If the V3 option is selected and non-compliance is determined, the audit

team will determine if the issue of non-compliance would also be a CIP V5 violation.

If CIP V5 has eliminated the non-compliant aspect of the CIP V3 requirement, the audit team will issue an “Area of Concern” and not a “Possible Violation.”o Example includes lack of an Electronic Access Point for non-routable

communications as required by CIP-005-3, Requirement R1.



• Mitigation of any Open Enforcement Actions during the Transition Period should focus on achieving full compliance with the “Mostly Compatible” CIP V5 Requirement. This includes violations found prior to the August 12, 2014 release of

the CIP V5 Transition Guidance that have not completed mitigation. Full compliance with the CIP V5 Standards must be achieved by the CIP

V5 effective date. An unmitigated Open Enforcement Action cannot be used to extend the

CIP V5 compliance date.



• TFEs are still required for certain CIP V5 Requirements. Existing TFEs carried forward for equivalent CIP V5 Requirements. New TFEs required for CIP V5 Requirements with no equivalent V3

Requirement. TFEs for CIP V3 Requirements with no equivalent V5 Requirement will

be terminated upon the CIP V5 effective date.

• CIP V5 TFEs cannot be submitted before October 1, 2015 to allow time for required portal changes.

Technical Feasibility Exceptions


• TFEs under the CIP V3 Standards with equivalent CIP V5 Requirements (i.e., carry forward).



• New CIP V5 TFE-eligible Requirements with no equivalent CIP V3 Requirement (i.e., submit).



• CIP V3 TFEs no longer required under CIP V5 (i.e., will be terminated).



• What is the Stakeholder Advisory Group? A group that reflect Industry, Regions, SDT and NERC to help build consensus on

industry issues. Prioritizes the development of guidance document to aide the transition.

• How will issues be addressed that identify during the course of an Audit? The Regions are encouraged to send their questions to the CCWG listserv. All draft questions and answers will be tracked and vetted by the Stakeholder

Group.• Are guidance documents enforceable?

Guidance documents and lessons learned are written to support the Standards and can be used to clarify or reinforce the SDT’s intended language.

• Will more training be made available? Yes – NERC and Regions will have 2 CIP auditor seminars between each auditor

workshops.

General Q&A


Resources


CIP Version 5 RevisionsAdditional Comment Period and Ballot OutreachSeptember 2014

Scott Mix, NERC CIP Technical ManagerCIPCSeptember 16-17, 2014


• Development Steps• CIP-003-6 Revisions• CIP-010-2 Revisions• -X Posting• Next Steps

Discussion Topics

Presenter

Presentation Notes

Ryan/Marisa


• Initial comment period and ballot ended July 16, 2014

• SDT received over 200 pages of comments

• SDT met July 29-31 and August 19-21 to revise the standards based on stakeholder comments

• Latest revisions and consideration of comments posted for additional comment and ballot period Sept 3-Oct 17

Development Steps

Directive Area Standard

Weighted Segment

Vote

Communication Networks

CIP-006-6 76.20%

CIP-007-6 78.35%

Identify, Assess, Correct CIP-009-6 85.29%

Lows Impact Assets CIP-003-6 35.72%

Transient Devices

CIP-004-6 80.71%

CIP-010-2 49.48%

CIP-011-2 82.51%

Definitions 78.52%

Presenter

Presentation Notes

Maggy


• Define external routable protocol path• Security awareness timeframes• More guidance• Inventory implications• Requirement placement

CIP-003-6 Comment Themes

Presenter

Presentation Notes

Philip


CIP-003-6 New Definitions

• Low Impact BES Cyber System Electronic Access Point (LEAP) A Cyber Asset interface that allows Low Impact External Routable

Connectivity. The Cyber Asset may reside at a location external to the asset or assets containing low impact BES Cyber Systems. The Low Impact BES Cyber System Electronic Access Point is not an Electronic Access Control or Monitoring System.

• Low Impact External Routable Connectivity (LERC) Bi-directional routable communications between low impact BES Cyber

System(s) and Cyber Assets outside the asset containing those low impact BES Cyber System(s). Communication protocols created for Intelligent Electronic Device (IED) to IED communication for protection and/or control functions from assets containing low impact BES Cyber Systems are excluded (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).


Use Case 1


Use Case 2


Use Case 3


• Requirement R1 now contains a separate requirement part for inclusion of lows topics

• The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities’ management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems. The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.

CIP-003-6, Requirement R1


• Attachment 1 – Required Elements for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

• Attachment 2 – Examples of Evidence for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems



• Authorization• Inspection• Vendor-managed devices• “Prior to use”• More guidance

CIP-010-2 Comment Themes



• Attachment 1 – Required Elements for Plans for Transient Cyber Assets and Removable Media

• Attachment 2 – Examples of Evidence for Plans for Transient Cyber Assets and Removable Media


-X Posting

• Purpose of the posting is as a practical contingency• -X decouples the IAC and Communication Network revisions

from the Low Impact and Transient Device revisions• Single ballot for the –X package• Approval of the –X standards enables the SDT to meet the

FERC filing deadline of February 3, 2015 should the Lows or Transient Device revisions fail in the second ballot

• All proposed revisions will be subject to final ballot

Presenter

Presentation Notes

Maggy


Next Steps

• Additional comment period – September 3-October 17• Webinar September 19 – 11:30am-1:00pm ET• Ballot period – October 8-17• SDT meeting October 22-24 – ERCOT (Austin, TX)• Targeted final ballot – October 31 – November 10• Targeted NERC BOT meeting to approve revisions – November

13• The SDT appreciates your support


Update on RISC Activities

CIPC Meeting September 16/17, 2014

Jim Brenton CIPC RISC MemberPrincipal, Regional Security Coordinator ERCOT – Electric Reliability Council of Texas


RISC Mission & Purpose*

• Provides a framework for steering, developing, formalizing, and organizing recommendations to help NERC and the industry effectively focus their resources on the critical issues needed to best improve the reliability of the BPS

• Benefits of the RISC include improved efficiency of the NERC standards program. In some cases, that includes recommending reliability solutions other than the development of new or revised standards and offering high-level stakeholder leadership engagement and input on issues that enter the standards process.

* Per the RISC Charter


RISC Mission & Purpose*

• Triages and provides front-end, high-level leadership and accountability for nominated issues of strategic importance to bulk power system (BPS) reliability

• Assists the Board, NERC standing committees, NERC staff, regulators, Regional Entities, and industry stakeholders in establishing a common understanding of the scope, priority, and goals for the development of solutions to address these issues

* Per the RISC Charter


Recent RISC Activity – Jun - Sep

• June Reviewed 2015-2017 DRAFT Reliability Standards Development Plan Initiated Update to RISC Priority Recommendations

• July Reviewed ERO Risk Profiles to inform RISC Priorities

• Aug RISC met with Board of Trustees and Member Representatives

Committee to recap RISC activity. Reviewed work 2014 Risk Profile and Prioritization Review. Finalized RLS planning

• Sep RLS Summit Finalize work on RISC Priority Recommendations

Presenter

Presentation Notes

2014 Risk Prioritization RISC assessed the reliability risk areas for 2014. As input into the assessment, RISC reviewed a comparison of the 2013 Reliability Issues and Priorities to 2014-2017 ERO Top Priority Reliability Risks. Differences between these risks areas were highlighted. RISC provided feedback on clarification needed in each risk area and recommended additions as well. These risk areas will be used to further both the ERO Strategic planning and budgeting processes.


NERC RLS: Sep 11 in Washington

• Reliability Leadership Summit Focused on Key Strategies to Address BES Reliability Challenges Changing resource mix Integration of renewables and potential generation retirements

and low-cost natural gas and environmental regulations Electricity-gas interdependency Communications during and while recovering from bulk power

system emergencies, and Importance of ES-ISAC and new systems/processes (CRISP)

• Cyber and Physical Security issues were addressed but NOT the focus of discussions as in previous Summits Good/Bad: Too soon to tell, NERC has lot of activities focused on

CPS and there is perception by leadership that all is on track

6 RELIABILITY | ACCOUNTABILITYRELIABILITY | ACCOUNTABILITY

Risk Profiles & Priority Mapping


Risk Profiles & Priorities

1. Changing Resource Mix (Operational Risks)

2. Cyber Attacks

3. Extreme Physical Events – Acts of Nature

4. Extreme Physical Events – Man Made

5. Failure to Maintain and Manage Assets

6. Generator Unavailability

7. Loss of Situational Awareness

8. Pandemic


Risk Profiles & Priorities – Cont

9. Poor Human Performance

10. Protection System Failures

11. Regulatory Uncertainty

12. Uncoordinated Planning

13. Poor Event Response / Recovery

14. Poor Resource Planning


Cyber Attack - High Priority

• NERC CID monitoring current activities and reports to RISC on those efforts, and their support to address this highest priority item.

• NERC CIPC EC met with NERC RISC Staff to review lessons learned from GridEx-2013 into the RISC Priorities and ensure projects support CID activities.


Future RISC Meetings

• Oct 7 – Conference Call - 9-12 ET• Nov 13 – Atlanta - Post-BOT Meeting - 12:30-2:30 ET• December 2 – Phoenix - RISC Meeting – 8-5 MT


Questions ?

Electricity Sector Information Sharing Task ForceE

FS

TSIProgress Report

September 2014Stephen Diebold, ChairmanJoe Doetzl, Vice Chairman


Contents

Charter Task Force Members Mission Statement Timeline Outreach


Charter

• CIPC approved the ESISTF Charter on August 21, 2014

• ESISTF members recruited August 2014

• ESISTF has started work on its deliverables


Task Force Members

• Stephen Diebold Chair• Joe Doetzl Vice Chair

• Donald Roberts Core Team• Fred Hintermister Core Team• Orlando Stevenson Core Team• Bob Canada Core Team

• John Breckenridge Secondary Reviewer• Brian Harrell Secondary Reviewer

• Jim Brenton Final Reviewer


Mission Statement

• Develop a presentation to be used for communicating across industry, especially to cybersecurity and operations personnel, Hydra Team roles and functions.

• Develop a presentation to be used for outreach promoting the ES-ISAC portal use as a central coordination point and reporting tool in crisis.


TimelineBegin Outreach Program

June CIPC

Select Task Force Members

Approval of ES-ISAC and Hydra Presentation

March CIPC

December CIPC

Charter Approved

September CIPC

CIPC Status Report

September CIPC

Aug ------- 2014

CIPC Status Report

Finalize ES-ISAC Presentation

Finalize Hydra Presentation

Draft of Hydra Presentation

Draft of ES-ISAC Presentation

CIPC Status Report

Begin Work on ES-ISAC Presentation

CIPC Status Report

Begin Work on Hydra Presentation

--

Sep ------- 2015

--

--

Jun ------- 2015

--

--

Mar ------- 2015

--

--

Dec ------ 2014

--

--

Sep ------- 2014


Outreach

• The ESISTF will schedule a webinar for disseminating the information

• Would like to present at NERC Region meetings• Looking for other opportunities at relevant

electricity sector conferences

ESISTF

[email protected]

ESISTF

[email protected]

Personnel Security Clearance Task Force (PSCTF)Critical Infrastructure Protection CommitteeSeptember 16, 2014

Nathan Mitchell, Chair – Policy Subcommittee


Executive CommitteeDavid Revill, NRECA Chuck Abell, Chair, Ameren Melanie Seader, EEIDavid Grubbs, ERCOT Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSARoss Johnson, CEA Jim Brenton, Vice Chair, ERCOT Marc Child, Great River

Bob Canada, Secretary

Physical Security Subcommittee(David Grubbs)


(Marc Child)

Operating Security Subcommittee

(Jim Brenton)

Policy Subcommittee(Nathan Mitchell)

Physical SecurityWG

(Ross Johnson)


(William Whitney)

Control System Security WG

(Mikhail Falkovich)

Cyber Security AnalysisWG

(TBD)

ES Information Sharing TF

(Stephen Diebold)

Grid Exercise WG

(Tim Conway)

Cyber Attack Tree TF

(Mark Engels)

BES Security Metrics WG

(James Sample)

Personnel Security Clearance TF

(Nathan Mitchell)

Compliance & Enforcement Input WG

(Paul Crist)

Physical Security Guidelines

WG(John Breckenridge)

September 2014

Business Continuity Guideline TF

(Darren Meyers)

Critical Infrastructure Protection Committee


Current Activity

• ESCC is coordinating with DHS to develop a handbook on the security clearance process.

• Set to be adopted at the October 8, 2014 ESCC Meeting

• Key Changes: Initial and Annual Security Training Report of Foreign Travel ([email protected]) Termination of Need to Know Deactivation of a clearance

mailto:[email protected]


Current Activity

• Deactivation of a clearance• DHS will deactivate a clearance for any of the

following reasons: Failure to complete annual security refresher training Change in employment (a new DHS Form 9014 must be

submitted to reactivate) Change in Name Change in citizenship No access to classified information for more than one (1)

year

Questions?Nathan Mitchell

ESCC Clearance [email protected]

202-467-2925


BES Security Metrics WGProgress Report

James W. Sample, ChairRoland Miller, Vice-ChairSeptember 17, 2014

Presenter

Presentation Notes

Notes:


How we fit in!


Activities

Previous Update:

• Discussed the outcome of the February workshop and the introduction of macro/micro metrics

• Macro metrics focused primarily on what a Strong Security Posture looks like for the sector

• Micro metrics focused primarily on evidence supporting the macro metrics

• Discussed we were looking into how to leverage ALR by adding security attributes

Activity Since Previous Update:

• Conducted three day workshop at NERC (Aug 6-8)


Strong Security Posture: Macro Metrics


Micro Metric:ALR Framework (Lagging)


Next Steps

• Assimilate data out of workshop

• Determine if we can deliver any metrics to be included in the State of Reliability Report

NERC CIPC Update

Sept. 16-17th, 2014

John Galloway

• CEIWG Conference Calls- August 14th, 2014

Agenda Items1. Update on Virtualization Lessons Learned/Whitepaper

work

2. Draft Review of Lessons Learned for Interactive Remote Access (IRA)

• Participation in Lessons Learned Document Reviews

• Participation in the RAI Advisory Group

• Participation in the V3-V5 Transition Advisory Group

•Meetings• 2nd Thursday of the Month at 1:00 CST

Questions?

Cyber Security Sub-cmteProgress Report

Marc Child, Chair

2 RELIABILITY | ACCOUNTABILITYJune 2013


CAP – HILF TF Recommendations

1. Geomagnetic Disturbance Task Forcea. Work Product: Interim Report: Effects of Geomagnetic Disturbances in the Bulk Power Systemb. No CIPC Cyber Security Subcommittee items

2. Spare Equipment Database Task Forcea. Work Product: Spare Equipment Database report b. No CIPC Cyber Security Subcommittee items

3. Severe Impact Resilience Task Forcea. Work Product: Severe Impact Resilience: Considerations and Recommendationsb. No CIPC Cyber Security Subcommittee items

4. Cyber Attack Task Forcea. Work Product: Cyber Attack Task Force – Final Reportb. Item 15: Continue developing Attack Tree methodologyc. Item 16: Continue to develop security and operations staff skills to

address increasingly sophisticated cyber threats.d. Item 17: Augment operator training with cyber attack scenarios.

NERC Attack Tree Task Force

September 2014


CSSWG

• Upcoming Activities Continue working on the document to support the actual

attack trees. Will contain the assumptions and methods used by the team.

Augment the attack trees to incorporate more mitigations and reflect that in the findings to see what changed.

Migrate to next version of Amenaza SecurITree software Provide next update on additional findings in December. Determine when to turn attack trees over to ES-ISAC.

Chair: Mark Engels


Cyber Security Events Analysis WG

Chair: <open>


Cyber Security Events Analysis WG

1. Next Stepsa. Obtain a Chair for the working groupb. Continue to liaise with the ES-ISAC, EAS & STWGc. Begin scheduling quarterly calls, emails or portal postings with liaisons d. Continue to develop priorities and establish work plans:

i. Research and recommend activities to improve the security of Bulk Electric System facilities;ii. Develop expertise to liaise and coordinate with the Events Analysis WG;iii. Develop procedures for evaluating malicious events while maintaining entity security; andiv. Work with the CIP Training WG to assist in developing training products that are relevant to

current threat tactics and techniques.

e. Creation of, and approval for, the cyber events analysis process document

Chair: <open>


Control Systems Security WGChair: Mikhail Falkovich


CSSWG

Status Charter has been approved First assignment: Business Network

connectivity guidelineo Due Date: 12/31/2014

Solicitation of additional volunteers in progress

Kick-off call scheduled for 9/19/2014 Working with ESISAC to create a

collaboration space on the portal

GridEx II

Lesson Learned #4 Recommendations SummaryAssess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis.


CSSWG

NIST Mapping Project

Requested by the ESCC Map the NIST CSF to CIP v5 and CIP v3


CSSWG

Task Force Members

Mark Morgan (PNNL) Nadya Bartol (UTC)Cynthia Hill-Watson (TVA) Bill Noto (GE)Christine Hasha (ERCOT) Beth Lemke (WPS)Cliff Glantz (PNNL) Jarrid Hall (CSGI)

NERC Staff: Laura Brown


CSSWG

Remaining Tasks

Error-check and balance the CIP v5 mappings

Finalize guidance where mapping is not obvious

Convert to CIP v3 Determine final format and publish October completion date


Questions?

Physical Security WGProgress Report

Ross Johnson, CPP


How We Fit in



PSRGTwo calls held in previous quarter

• Discussed CIP 14-1 requirements related to ERO approval of third-party security contractors

• Brian Harrell discussed recent shooting attacks on electricity infrastructure



PortalMuch-improved portal available, but ability to upload

documents is crucial to the activities of the group



PSWGWe have been concentrating on the Physical Security

Roundtable Group, but with the portal almost ready it's time to get the Working Group reconstituted. I'm looking for volunteers


1. Security Management Program2. Security Risk Management3. Information Security Management4. Information Technology/Control Systems Security5. Personnel Security6. Physical Security Measures7. Security Incident Management8. Change Management Process9. Evaluation & Review10.Continuous Improvement

Security Management Program (proposed for discussion)

Based on the Canadian StandardAssociation’s Z246.1-09 Security Management for Petroleum and Natural Gas Industry Systems

6

[email protected]

or [email protected]

Security Training WGProgress Report

William Whitney III, ChairDavid Godfrey, Vice Chair



1. Chartera. CIPC will provide meeting attendees with an opportunity to participate in

physical, cyber, and operational security training, as well as, educational outreach opportunities.

2. Current MembersBob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, and William Whitney III


How We Fit in



3. Latest Activitiesa. Conference calls to discuss goals and actions – 2nd Friday each monthb. Working on HILF recommendation to raise operator awareness about cyber

attacks on the grid with SOS and SANS. SANS is currently developing the Operator training.

c. Provided a successful security training webinar to the industrya. 7/17 – Active Shooter Training Webinar (Open Forum) – 161 Registeredb. 9/16 – Cyber Incident Response Planning Workshop – Registered – 54 Registered

d. Working on tasks assigned to us from the GridEx II Lessons Learnede. Now recording webinars and CIPC training events. Working on making

content available online.f. Continuing to compile a list of free training resources available to entities



1. Webinar Schedule 2014a. April – Physical Security Programs Panel Webinarb. May – National Labs Physical Security – Risk vs Protection/Costs Webinarc. June – BC Hydro presentation on laser intrusion detectiond. July – Active Shooter webinar with Danny O. Coulsone. August – Skippedf. September – Cyber Incident Response Planning Workshopg. October- TBDh. November- Proposed ES-ISAC Portal Trainingi. December- TBD



1. Training Linksa. TEEX - http://www.teex.org/

b. DHS - http://www.dhs.gov/training-programs-infrastructure-partners

c. DOD - http://iase.disa.mil/eta/online-catalog.html

d. FEMA - https://training.fema.gov/IS/

e. DOE - https://ntc.doe.gov/

Have a link for free, quality, training? Please share with us to add to the list.

http://www.teex.org/

http://www.dhs.gov/training-programs-infrastructure-partners

http://iase.disa.mil/eta/online-catalog.html

https://training.fema.gov/IS/

https://ntc.doe.gov/



4. Next Stepsa. Continue to expand the list of free on demand training from reputable

agencies and vendorsb. Schedule and prepare future Pre-CIPC training sessions and webinarsc. Work with vendors and/or individuals in the industry to provide specific

training to industrya. This means you and/or your co-workers that have information to share

with the industryd. Continue work with SOS and SANS to compile operator training with cyber

attack scenarios per the HILF recommendations and plan a training date.e. Complete GridEx II Lessons Learned assignments from EC

5. CIPC Actionsa. Concerns and/or suggestions for today’s discussion

[email protected]

Or [email protected]

NATF Security Practices Group Activity Update

Wayne VanOsdol, NATF Program Manager - Practices

NERC CIPC MeetingSeptember 16-17, 2014

2

Discussion Topics

• Brief NATF Overview

• Cyber Security Project Update: CIP-002 V5 Guide

• Physical Security Project Update: CIP-014-1 R4 & R5

• Modeling / Planning Project Update: CIP-014-1 R1

NATF Membership

Organization types (75 Members)– Investor-owned– State/Municipal– Cooperative– Federal/Provincial– ISO/RTO

Expertise– 3600 subject-matter experts

Coverage (North America Wide)– 85% Peak Demand– 75% 100kV and higher circuits• Membership open to companies that

own/operate 50 circuit miles 100 kV transmission or, operate 24/7 control center

3

NATF Mission, Vision, Approach

Mission Promote excellence in the reliable operation of the electric transmission system

Vision Continuously improve the reliability of the electric transmission system

Approach Pursue reliability and security excellence via: Constructive peer challenge Effective, relevant information sharing

o lessons learned, superior practices, etc.

4

Guiding Principles

Community The complex, interconnected grid requires active collaboration to promote higher levels of reliability, security, and resiliency

Confidentiality Confidentiality promotes open, candid intra-membership dialogue

Candor Direct, objective performance feedback is delivered as a membership norm

Commitment Members’ senior leaders commit to the NATF’s mission of promoting excellence

5

Value Add and Strategic Goals

Value Proposition(s)• Improve transmission

reliability, security, and resilience

• Increase member compliance margin

• Promote efficient use of resources

Strategic Goals1. Increase Industry Impact2. Achieve Results3. Manage Knowledge

Effectively4. Continuously Improve5. Proactively identify and

address emerging issues

6

7

Cyber Security Project Update

CIP-002 V5 Practices Guide

8

CIP-002 V5 Project Update

Other Items To Note:• Tom Galloway (NATF President & CEO) will be

meeting with Gerry Cauley during 4th quarter of 2014 to discuss how the CIP-002 V5 Guide could be shared with a broader audience

• Tom Galloway is having discussions with EPRI, who has requested to receive a copy of the guide

• The CIP-002 V5 Guide Maintenance Oversight Team is responsible for obtaining Use Cases from NATF members throughout the second half of 2014, and for logging information pertaining to any Industry or Regulatory decisions, and adding attachments or addendums to the guide throughout the year

Purpose: • The purpose was to develop a NERC CIP-002

Version 5 Guide for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets.

Deliverables:• Security CIP-002 V5 Guide became an approved

practice document on July 1, 2014. • New product includes recommendations,

examples, and templates for documenting a program, such as diagrams / flow charts, that will assist in standardizing CIP-002 documentation across the NATF membership.

Physical Security Project Update

CIP-014-1 R4 & R5 Practices Guide

Physical Security Project UpdatePhysical Security Work Group “New Project”: CIP-014-1 R4 & R5 Practices Guide

Purpose & Deliverable: • The purpose of this project is to develop a NERC CIP-014-1 R4 and R5 Reliability Standard guide

that is defensible (but not prescriptive) for conducting evaluations as required in requirement 4, and for developing and implementing a physical security plan as required in requirement 5.

• Complete project by year-end 2014 or early 2015.NERC CIP-014-1:R4 - Conduct evaluation of potential threats and vulnerabilities of a physical attack to stations and primary control centers identified under R1 and verified under R2, and R5- Develop and implement a documented physical security plan.

– Step 1 (completed): Create project scope and timeline – Step 2 (completed): Discussed new project at the August Security Practices Group Core

Team and All-Group meetings– Step 3 (completed): Identify project team participants– Step 4: Schedule meetings and begin work

Modeling / Planning Project Update

CIP-014-1 R1 Assessment Guide

Modeling / Planning Project UpdateModeling / Planning Work Group “New Project”: CIP-014-1 Assessment Guide

Purpose & Deliverable: • The purpose of this project is to develop a general guideline to be used for the risk

assessment identified in R1 of CIP-014-1 “Physical Security”.• Complete project in the fall of 2014

– Step 1: Identify stations to be analyzed based on criteria 4.1.1. – Step 2: Identify cases/system conditions to be analyzed. – Step 3: Define nature of initiating event and how it will be modeled – Step 4: Develop criteria/proxies for widespread instability, uncontrolled separation or

Cascading, based on the engineering knowledge and judgment of the planner performing the actual studies

– Step 5: Perform steady-state power flow analysis– Step 6: Conduct stability simulations, if determined to be required

Thank you!

• Questions?

GridEx IIIGrid Security Exercise

NERC CIPCSeptember 16-17, 2014


What You Need to Know

GridEx III DatesIncreased RC focusRefresh of Working Group


Table Top Exercises

Fire Drill Scavenger Hunt

Simulation


Calendar and Entity Prep

November 18 – 19, 2015Leadership Buy InIdentify Level of Play CapabilityObtain Internal Player / Planer

CommitmentsIdentify Training Needs - CEHParticipate in GridEx Planner /

Player Calls

-


Distributed Play Participation

GridEx 2011 had 420 individual participants compared to GridEx II with 2,000

42

115

19

97

914

6 8

0

20

40

60

80

100

120

140

GridEx 2011 (76) GridEx II (234)

GridEx Participating Organizations Comparison

Utilities

Government/Academia/Other

Reliability Coordinator/Independent System Operator

NERC Regional Entity


Growth

173 % 410 % 376 %Utility Growth Government

GrowthPlayer Growth

Growth from GridEx 2011 to GridEx 2013

We need to mature the exercise model due to increasing participation.


GridEx II Distributed Play


Proposed GridEx III Distributed Play


Grid Reliability during GridEx II


GridEx III Scenario Escalation Timeline


• David London• James P. Miller• Susan Mueller• Cynthia M Peluso• Don Roberts• Edmond Rogers• Jim Rowan• Chris Sawall• Paul Skare• William O. Thompson• Robert D. Canada• Brian M Harrell• Bill Lawrence

GridEx II Working Group

• John Breckenridge• Jim Brenton• Stuart J. Brindley• Bobby Brown• Larry Bugh• Glen Clarkson• Tim Conway• Carl J. Eng• Mark Fabro• Mikhail Falkovich• Greg Goodrich• Scott King


GridEx III Working Group

• Operations

• Cybersecurity

• Physical Security


WorkingGroup

Initial Planning

Phase

Mid-term Planning

Phase

Final Planning

PhaseConduct After

Action

Establish Working Group Members

Establish Mail list

GridExTraining

Initiate outreach

Shape scenario themes

Confirm exercise mechanics

Craft scenario narrative

Develop materials

Confirm participation

Oversee distributed play

Facilitate senior TTX

Capture player actions and findings

Analyze findings and lessons learned

Draft After Action Report and Briefing

Finalize MSEL Conduct

training Distribute

player materials

Set up venue and logistics

CIPC Meeting(December)

IPC(March ?)

MPC(June ?)

FPC(October ?)

Execute GridEx II(November 18-19)

Deliver Final Report

(Q1 2016)

GridEx III Timeline

2014 - 2015

Kick-Off

Confirm goal & objectives

Finalize timeline

Discuss outreach goals/plan

C&O Meeting(February ?)

- 2016


-

Physical Security Implementation

September 16-17, 2014Stephen Crutchfield – NERC Standards


• Background on CIP-014-1, Physical Security Standard FERC Order Summary NOPR Concerns

• Applicability and Requirements• Implementation

Agenda


• On March 7, 2014 – FERC Order: Perform a risk assessment to identify facilities that, if rendered

inoperable or damaged, could result in instability, uncontrolled separation, or cascading failures on the BPS.

Evaluate the potential threats and vulnerabilities to those identified facilities.

Develop and implement a security plan designed to protect against physical attacks to those identified facilities based on the assessment of the potential threats and vulnerabilities to their physical security.

Background


• Additionally, FERC directed that the proposed Standard(s) should also Include confidentiality provisions for sensitive or confidential

information. Include a procedure for a third party to verify the list of identified

facilities and allow the verifying entity, as well as FERC, to add or remove facilities from the list of critical facilities.

Include a procedure for a third party to review the evaluation of threats and vulnerabilities and the security plan.

Require that the identification of the facilities, the assessment of the potential risks and vulnerabilities, and the security plans be periodically reevaluated and revised to ensure their continued effectiveness.

Background


• Overview of Physical Security NOPR July 17, 2014 Proposes to approve CIP-014-1 and NERC to modify the standard in two

respects:o Include a procedure to allow governmental authorities to add or subtract

facilities from an entity’s list of critical facilities.o Remove the term “widespread” from CIP-014-1.

In addition to comments on the proposed directives, FERC is seeking comments on:o Applicability to GOs and GOPs – FERC proposes to approve the applicability

of CIP-014-1 without the inclusion of GOs and GOPs.o Third-Party Recommendations – FERC proposes to approve CIP-014’s

approach to third-party review and verification. Proposes to direct NERC to submit two informational filings addressing

need to include all “High Impact” control centers and addressing resiliency measures that can be taken to maintain the reliable operation following loss of critical facilities.

NOPR


• CIP-014-1 Purpose: “To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.”

Overview


• The applicability of proposed CIP-014-1 starts with those Transmission Owners that own Transmission facilities that meet the bright line criteria in Reliability Standard CIP-002-5.1 for a “medium impact” rating.

• The SDT sought to ensure that entities could apply the same set of criteria to assist with identification of facilities under CIP Version 5 and proposed CIP-014-1.

• By application of the requirements, only certain Transmission Operators that are notified under the standard’s Requirement R3 have obligations under the standard.

Applicability


• The first three requirements of CIP-014-1 require Transmission Owners to: Perform risk assessments to identify those Transmission

stations/substations that meet the “medium impact” criteria from CIP-002-5.1, and their associated primary control centers

Arrange for a third party verification of the identifications; and Notify Transmission Operators of identified primary control centers. Periodically repeat the risk assessments Only an entity that owns or operates one or more of the identified

facilities has further obligations in Requirements R4 through R6. If an entity identifies a null set after applying Requirements R1 through

R2, the rest of the standard does not apply.

Requirements R1-R3


• The final three requirements of CIP-014-1 require: The evaluation of potential threats and vulnerabilities of a physical

attack to the facilities identified and verified according to the earlier requirements,

The development and implementation of a security plan(s) designed in response to the evaluation, and

A third party review of the evaluation and security plan(s) (as directed in the order).

Requirements R4-R6


• Critical facility identification must be verified by third party Directed by FERC order Verifier must be PC, TP, RC, or entity with transmission planning

experience Verification may recommend addition/subtraction

• Threat evaluation and security plan must be reviewed by third party Directed by FERC order Reviewer must meet certain experience criteria Review may recommend changes to security plan

Third-party verifications/reviews


• Physical Security Order, Paragraph 10: “…NERC should include in the Reliability Standards a procedure that

will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.”

Addressed in Requirement R2, Part 2.4 and Requirement R6, Part 6.4.

• CIP-014-1, Section 1.4. Additional Compliance Information Confidentiality: To protect the confidentiality and sensitive nature of

the evidence for demonstrating compliance with this standard, all evidence will be retained at the Transmission Owner’s and Transmission Operator’s facilities.

Confidentiality


• Transmission Owner to identify critical facilities on or before the effective date of CIP-014-1 (6 months following FERC approval)

• Tiered implementation timeline for balance of requirements (within15 months)

• Security Plan implementation may specify timelines for completion of security measures

• ERO to monitor implementation

CIP-014-1 Implementation


CIP-014-1 Implementation Timeline


Information

• NERC Standards Developer, Steve Crutchfield Email at [email protected] Telephone: 609-651-9455

Project Web Page is: http://www.nerc.com/pa/Stand/Pages/Project-2014-04-Physical-Security.aspx CIP-014-1 Standard may be found here:

http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-014-1&title=Physical%20Security&jurisdiction=United%20States

Presenter

Presentation Notes


http://www.nerc.com/pa/Stand/Pages/Project-2014-04-Physical-Security.aspx

http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-014-1&title=Physical%20Security&jurisdiction=United%20States


Presenter

Presentation Notes

Barb

Legislative Update

Critical Infrastructure Protection CommitteeSeptember 16, 2014

Nathan Mitchell, American Public Power Association


• Cyber Intelligence and Protection Act (CISPA)• To provide for the sharing of certain cyber threat

intelligence and cyber threat information between the intelligence community and cybersecurity entities.

• Passed House on 4/18/2013; Referred to Senate Select Committee on Intelligence

• Mike Rogers (R-MI), Dutch Ruppersberger (D-MD)

HR 624


• Cybersecurity Information Sharing Act of 2014• To improve cybersecurity in the United States

through enhanced sharing of information about cybersecurity threats.

• Introduced to Senate Select Committee on Intelligence 7/10/2014

• Diane Feinstein (D-CA)

S 2588


• National Cybersecurity and Critical Infrastructure Protection Act of 2014

• To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection.

• Passed House on 7/28/2014; Referred to Senate Committee on Homeland Security and Governmental Affairs

• Michael McCaul (R-TX), Bennie Thompson (D-MS)

HR 3696


• Cybersecurity Act of 2014• To provide for an ongoing, voluntary public-

private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.

• Introduced to Senate Committee on Commerce, Science, and Transportation 7/24/2014

• John Rockefeller (D-WV), John Thune (R-SD)

S 1353


• The Federal Information Modernization Act• To amend chapter 35 of title 44, United States

Code, to provide for reform to Federal information security.

• Referred to Senate Committee on Homeland Security and governmental Affairs 6/24/2014

• Thomas Carper (D-DE), Tom Coburn (R-OK)

S 2521


• National Cybersecurity and Communications Integration Act of 2014

• To codify an existing operations center for cybersecurity.

• Referred to Senate Committee on Homeland Security and Governmental Affairs 6/25/2014

• Thomas Carper (D-DE), Tom Coburn (R-OK)

S 2519


• Critical Infrastructure Research and Development Advancement Act of 2014 (CIRDA Act of 2014)

• To authorize the Secretary of Education to make grants for the establishment of State Networks on Science, Technology, Engineering, and Mathematics Education.

• Passed House 7/28/2014; Referred to Senate Committee on Homeland Security and Governmental Affairs

• Patrick Meehan (R-PA)

HR 2952


Questions?