Critical Infrastructure Protection Committee Draft Minutes March 4-5, 2014


Hyatt Regency at the Arch
315 Chestnut Street
St. Louis, MO

The Critical Infrastructure Protection Committee (CIPC) Chair Chuck Abell called the meeting to order and, being duly noticed, the regular meeting of CIPC on March 4, 2014 began at 1:00 p.m. (CST). Mr. Bob Canada, CIPC Secretary, declared a quorum to conduct business with 33 members present. The meeting announcement, agenda, and a list of attendees are attached as Exhibits A, B, and C respectively.

Note: Slide presentations from this meeting are available at: Meeting Presentations

Secretary Canada announced a quorum achieved with 33 of the 33 members present, which includes the following proxies:

1. CEA: Mr. Ron Gentle, proxy for Mr. David Dunn
2. MRO: Mr. Joe Mayfield, WAPA, filling the vacancy as an Alternate until NERC Board approval
3. FRCC: Mr. Carlos Maldonado, proxy for Mr. Paul McClay
4. NPCC: Mr. John Helme, proxy for NPCC
5. SERC: Ms. Cynthia Hill-Watson, proxy for Mr. Tommy Clark
6. SERC: Mr. Ed Goff, Duke, filling the vacancy as an Alternate until NERC Board approval
7. WECC: Mr. Jon Aust, proxy for Mr. James Sample

Opening Remarks from Ms. Maureen Borkowski, Ameren President and CEO

Meeting Safety Briefing: Hyatt Regency at the Arch
The security and safety staff briefed CIPC and attendees on safety and emergency evacuation procedures, including rally points outside the hotel.

NERC Antitrust Compliance Guidelines
Secretary Canada called attention to the NERC Antitrust Compliance Guidelines distributed with the agenda and read the statement concerning publicly announced meetings.

Introductions of Members, Proxies, Alternates, Associates, and Others
Chair Abell called for introductions of CIPC members and other attendees and also requested all present to sign the meeting attendance sheets being passed around the room.

Consent Agenda
Chair Abell moved to approve the Consent Agenda, including the posted CIPC Agenda for the December 10-11, 2013 meeting. The Consent Agenda was approved by CIPC without any corrections, edits, or modifications.

CIPC Chair's Report
Mr. Abell provided CIPC with a report covering CIPC's past, present, and future actions. Mr. Abell placed special emphasis upon the reports made on behalf of CIPC to the NERC Board of Trustees and the Electricity Sub-sector Coordinating Council (ESCC) meeting. (Presentation 1)

Nomination Subcommittee Report
Chair Robert McClanahan presented the recommendation of Mr. David Revill, Georgia Transmission, for the Operations Security Subject Matter Expert (SME), replacing Carl Eng, Dominion, on the CIPC Executive Committee. A motion was made by Mr. David Grubbs to close the nomination process and approve Mr. Revill by acclamation. CIPC voted unanimously to approve the motion. (Presentation 2)

Critical Infrastructure Protection Director's Remarks
Mr. Matt Blizard, Director of Critical Infrastructure Protection, briefed CIPC on the following topics: GridEx II, GridSecCon, Critical Infrastructure Protection Transition Guidance, and the Transition Implementation Study. (Presentation 3)

Cybersecurity Executive Order and Presidential Policy Directive Update
Ms. Laura Brown, NERC staff, briefed CIPC on the progress of the National Infrastructure Protection Plan (NIPP). Ms. Brown also briefed on the Presidential Policy Directive-21. DHS rolled out the new NIPP and established a new working group, the NIPP Implementation Working Group. This working group will:

- Set joint national priorities to facilitate joint planning
- Establish a process to annually validate priorities
- Develop guidance on updating the Sector-Specific Plans (SSP)
- Work to update the SSPs will begin around summertime
- Department of Homeland Security (DHS) will stand up a separate working group in early March (kickoff meeting TBD) focused on developing guidance for the SSPs
- The SSP guidance developed by that working group will be incorporated into the overall NIPP implementation guidance

The National Institute of Standards and Technology released the Cybersecurity Framework in February. The framework overlaps considerably with both NERC CIP standards and the Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2). DHS began initial implementation activities in November by establishing the Voluntary Program Development Working Group, now called the Critical Infrastructure Cyber Community Voluntary Program, or the C Cubed Voluntary Program. (Presentation 4)

Electricity Sector Information Sharing and Analysis Center (ES-ISAC) Update
Mr. Matt Light, ES-ISAC, briefed CIPC on the ES-ISAC portal support, information sharing, and various other ongoing activities including new personnel, operations, SANS event dates, DHS/DOE physical security campaign, Cyber Risk Preparedness Assessment (CRPA) status, and Cybersecurity Risk Information Sharing Program (CRISP). (Presentation 5)

Legislative Update
Mr. Nathan Mitchell, American Public Power Association, briefed CIPC on current legislation pending or contemplated, as well as the impact upon the industry through the U.S. House and Senate. (Presentation 6)

Critical Infrastructure Protection (CIP) Transition Program Update
Mr. Tobias Whitney, NERC staff, briefed CIPC on the purpose of the Transition Program, program elements, study approach, scope of study, key themes, and lessons learned. He also briefed on the purpose and goals of the Reliability Assurance Initiative (RAI) program and the year-end progress report. Also covered were the V3 V5 compatibility and a CIP Version 5 Revisions and RAI Timeline. (Presentation 7)

Version 5 Revisions Drafting Team Activities
Mr. Ryan Stewart and Ms. Marisa Hecht briefed on the Standards (SDT) kickoff, subgroup structure, key messages, and the project schedule. (Presentation 8)

Sufficiency Review Program (SRP)
Mr. Scott Mix, NERC staff, briefed CIPC on the 2013 SRP overview, program status, preliminary lessons learned, best practices, and other observations. (Presentation 9)

Reliability Issues Steering Committee (RISC) Update and the Reliability Risk Control Process
Mr. Jim Brenton briefed CIPC on the RISC status and progress, including a process overview, suggested RISC and Committee timeline for 2014, electricity reliability organization (ERO) top priority risks, and alignment with RISC priorities. (Presentation 10)

Operating Security Subcommittee
Chair Jim Brenton (No presentation)

Electricity Sector Information Sharing Task Force (ESISTF)
Chair Stephen Diebold briefed CIPC on the ESISTF status of work completed. The presentation covered the progress and accomplishments under the charter for the task forces. The ESISTF prepared an outreach campaign presentation to promote the use of the ES-ISAC as the central hub of information sharing by the industry and government partners. (Presentation 11)

Grid Exercise Working Group (GEWG)
Mr. Bill Lawrence, NERC staff, briefed CIPC on behalf of Chair Tim Conway on the success of the exercise, the number of entities participating, and his personal observations. He also advised the CIPC that the CIPC Executive Committee had convened and was mapping the recommendations for CIPC tasking of existing or new task forces and working groups for continued work. (Presentation 12)

Policy Subcommittee
Chair Nathan Mitchell (No Presentation)

Personnel Security Clearance Task Force (PSCTF)
Chair Nathan Mitchell mentioned that the report was approved by CIPC on June 11, 2013, accepted by the ESCC on July 11, 2013, and accepted by the NERC Board of Trustees on August 15, 2013. The PSCTF is awaiting ES-ISAC's collaboration to process and track industry clearance applications. He briefed on next steps, including ESCC coordinating with DHS to develop a series of playbooks on who should apply for clearances, expectations of holders, and a process for prioritizing and monitoring nominations. (Presentation 13)

Bulk Electric System Security Metrics Working Group (BESSMWG)
Mr. Matt Light, NERC staff support to the working group, briefed on behalf of Chair James Sample on the ongoing progress, including the ES-ISAC activities and a workshop held with Reliability Assessments and Performance Analysis (RAPA) to discuss their Adequate Level of Reliability framework. The outcomes included a better understanding of potential metrics and next steps. (Presentation 14)

Compliance and Enforcement Input Working Group (CEIWG)
Chair Paul Crist gave a progress report on the working group. Mr. Crist covered discussions on future work including: guidelines, process for Compliance Analysis Report (CAR) development, RAI support, and virtualization of the whitepaper review. (Presentation 15)

Cyber Security Subcommittee
Chair Mr. Marc Child
Mr. Child gave an overview of the subcommittee's activities including: recent activities, next steps, and requested CIPC actions. (Presentation 15)

Control Systems Security Working Group (CSSWG) Update and a RISC Technical Project
Mr. Child reported on the analysis of the RISC nomination for digital certificate management. (Presentation 16)

Cyber Attack Tree Task Force (CATTF)
Chair Mark Engels gave an update on the activities, which included: key assumptions, process of creating the attack trees, overview of the software, behavioral indicators, characteristics of an attacker, and characteristics of a victim. (Presentation 17)

The CIPC Meeting on March 4th was concluded for the day at 5:36 p.m. (CST) and was reconvened on March 5th at 8:00 a.m. (CST).

Cyber Security Analysis Working Group (CSAWG)
Mr. Marc Child, on behalf of Chair Eric Warakomski, gave an update on recent activities and existing liaisons with the ES-ISAC, Cyber Security Training Working Group, and Events Analysis Subcommittee. Mr. Warakomski submitted his resignation because his duties have changed and he could not continue to chair the working group. (Presentation 18; included in Cyber Subcommittee report)

Physical Security Subcommittee
Chair Mr. David Grubbs (No Presentation)

Physical Security Guideline Task Force (PSGTF)
(No Presentation)

Physical Security Working Group (PSWG)
Chair Ross Johnson briefed CIPC on activities contemplated. The PSWG, through the Physical Security Roundtable Group (PSRG), has conducted three conference calls. A total of 35 participants have been included in the current security practices and investigations of impact to the industry and their companies. The PSWG will evaluate the effectiveness of technology and develop a survey for determining the needs of physical security across the NERC Regions. Additionally, Mr. Johnson introduced Mr. Ben Langhorst of the Idaho National Laboratory (INL), who briefed CIPC on ballistic protection for critical electrical infrastructure. The INL conceptual solution was introduced, which included a prototype for ballistic panel shielding and cost feasibility. The working group has pushed ahead in several areas: physical security training sessions using webinars and CIPC workshops. (Presentation 19)

Security Training Working Group (STWG)
Chair William Whitney briefed CIPC on the latest activities, including the announcement of additional training opportunities using CIPC workshops and webinars. The June CIPC workshops will include a panel on physical security programs on April 16, 2014 from 1-3 p.m. (EST). (Presentation 20) Also listed were the following:

April 16: Physical Security Programs Panel Webinar
May: National Labs Physical Security: Risk vs. Protection/Costs Webinar
June: Orlando Pre-CIPC BC Hydro presentation on laser intrusion detection
July: Active Shooter Webinar with Danny O. Coulson
August: TBD
September: Vancouver Train the Trainer Preparation for a Cyber Event
October: TBD
November: TBD
December: TBD

Cybersecurity Procurement Language Update for Energy Delivery Systems
Mr. Ed Goff, Duke Energy, updated CIPC concerning the progress for establishing procurement language tailored to the specific needs of the energy sector, why it is necessary, phases for development, timeline, and meeting the Department of Energy Roadmap mission. (Presentation 21)

North American Transmission Forum (NATF) Security Practices Group Activity Update
Mr. Wayne VanOsdol, NATF staff, briefed CIPC on CIP V5 Implementation activities, Physical Security Work Group activities, and 2014 projects. (Presentation 22)

Agency Updates
Federal Energy Regulatory Commission (FERC): No one in attendance.
Department of Homeland Security (DHS): No one in attendance.
Department of Energy (DOE): No one in attendance.

Adjournment
There being no further business, Chair Abell moved to adjourn. The motion was approved by CIPC, with adjournment at 12:03 p.m. (CST).

Submitted by,
R.D. Canada
Bob Canada
CIPC Secretary

2014 Future Meetings
Dates Time Type Location Hotel
April 3, 2014 April 4, :00 a.m. 5:00 p.m. (EST) 8:00 a.m. Noon (EST) Energy Sector Classified Briefing DOE HQ 1000 Independence Ave Washington, DC Per your travel arrangements June 10, :30 a.m. Noon (EDT) CIPC Physical Security Workshop Orlando, FL June 10, :00 5:00 p.m. (EDT) CIPC Meeting Orlando, FL June 11, :00 a.m. Noon (EDT) CIPC Meeting Orlando, FL September 16, :30 a.m. Noon CIPC Cyber Security Workshop Vancouver BC, Canada September 16, :00 5:00 p.m. CIPC Meeting Vancouver BC, Canada September 17, :00 a.m. Noon CIPC Meeting Vancouver BC, Canada September 17, 2014 September 18, 2014 Noon 5:00 p.m. 8:00 a.m. Noon CIPC Executive Committee Annual Planning Meeting Vancouver BC, Canada October 14-16, :00 a.m. 5:00 p.m. GridSecCon 2014 San Antonio, Texas December 9, :00 a.m. Noon (EST) Energy Sector Classified Briefing (No CIPC Workshop) Atlanta, GA Hyatt Regency Orlando Int'l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Orlando Int'l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Orlando Int'l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency San Antonio Riverwalk 123 Losoya Street San Antonio, Texas Westin Buckhead December 9, :00 5:00 p.m. (EST) CIPC Meeting Atlanta, GA Westin Buckhead December 10, :00 a.m. Noon (EST) CIPC Meeting Atlanta, GA Westin Buckhead


Agenda
Critical Infrastructure Protection Committee
March 4, 2014, 1:00-5:00 p.m. (CST)
March 5, 2014, 8:00 a.m.-Noon (CST)
Hyatt Regency at the Arch
315 Chestnut Street
St. Louis, MO 63102
(314) 655-1234

CIP Technical Workshop
Hyatt Regency at the Arch
315 Chestnut Street
St. Louis, MO
March 4, :30 a.m. Noon (CST)
Room: Park View

Critical Infrastructure Protection Committee Meeting
Hyatt Regency at the Arch
CIPC Working Lunch: Regency AB
March 4, 2014, Noon-1:00 p.m. (CST)
March 4, 2014, 1:00-5:00 p.m. (CST)
March 5, 2014, 8:00 a.m.-Noon (CST)
Room: Regency EF

Welcome and Introductions: Chair Chuck Abell
NERC Antitrust Compliance Guidelines and Public Meeting Announcement

Agenda

1. Remarks by Ms. Maureen Borkowski, Chairman, President, and CEO, Ameren Transmission Co.
2. Administrative: CIPC Secretary Bob Canada
   a. Safety Briefing and Emergency Precautions: Hyatt at the Arch Staff
   b. Declaration of Quorum
   c. CIPC Roster
   d. Parliamentary Procedures: In the absence of specific provisions in the CIPC charter, the Committee shall conduct its meetings guided by the most recent edition of Robert's Rules of Order, Newly Revised.
   e. Introductions

3. Consent Agenda: Chair Chuck Abell
   a. December 10-11, 2013 Draft Minutes for CIPC Approval
   b. March CIPC Agenda
   c. Committee Membership Appointments and Changes:

      TRE David Grubbs City of Garland Operations
      TRE Jim Brenton ERCOT Cyber
      TRE Darrell Klimitcheck STEC Physical
      FRCC Paul McClay TECO Cyber
      FRCC Carter Manucy Fla Municipal Physical
      FRCC Joe Garmon Seminole Operations
      MRO Marc Child Great River Cyber
      MRO Paul Crist LES Physical
      MRO Vacant TBD Operations
      NPCC John Galloway ISO-NE Operations
      NPCC Greg Goodrich NYISO Cyber
      NPCC Vacant TBD Physical
      RFC Larry Bugh RFC Cyber
      RFC Kent Kujala Detroit Operations
      RFC Jeff Fuller DPL Physical
      SERC Chuck Abell Ameren Cyber
      SERC Vacant TBD Operations
      SERC Tommy Clark SMEPA Physical
      SPP John Breckenridge KCPL Physical
      SPP Allen Klassen Westar Operations
      SPP Robert McClanahan AECC Cyber
      WECC Allen Wick Tri-State Physical
      WECC Mike Mertz PNM Cyber
      WECC Jamey Sample PGE Operations
      APPA David Godfrey TMPA Physical
      APPA Nathan Mitchell APPA Policy
      CEA Chris McColm Manitoba Physical
      CEA Ross Johnson Capital Power Physical
      CEA David Dunn IESO Policy
      NRECA Robert Richhart Hoosier Policy
      NRECA David Revill Georgia Trans Policy

4. Chair's Remarks: Chair Chuck Abell
   a. NERC Meetings Update and Other Items of CIPC Interest
5. CIPC Nominations Subcommittee Report: Chair Robert McClanahan
   a. Recommendation for Subject Matter Expert (SME) member to replace Carl Eng on the CIPC Executive Committee
   b. Election of an SME to CIPC Executive Committee
6. CID Director Remarks: Matt Blizard, Director of Critical Infrastructure Protection

Critical Infrastructure Protection Committee Agenda March 4-5,

7. ES-ISAC Update and Cyber Risk Preparedness Assessment (CRPA) Program Update: Matt Light, NERC Staff
8. CIP Transition Update: Tobias Whitney, NERC Staff
9. Version 5 Revisions Drafting Team Activities: Ryan Stewart and Marisa Hecht, NERC Staff
10. Sufficiency Review Program and Directions: Scott Mix, NERC Staff
11. Executive Order and Presidential Policy Directive Update: Laura Brown, NERC Staff
12. RISC Update and Reliability Risk Control Process: Jim Brenton, CIPC Representative to RISC
13. Legislative Update: Nathan Mitchell, American Public Power Association
14. Subcommittee Chairs, Subgroups, Progress, and Remarks: Chair Chuck Abell
15. Operating Security Subcommittee: Subcommittee Chair Jim Brenton
   a. Electricity Sector Information Sharing Task Force (ESISTF): Chair Stephen Diebold will report on activities, second phase, and outreach efforts.
      ESISTF Charter
      ESISTF Report: Approved by CIPC June 11, 2013; Accepted by ESCC July 11, 2013; Accepted by NERC BOT August 15, 2013
   b. Grid Exercise Working Group (GEWG): Chair Tim Conway
      GEWG Charter
      Briefing on GridEx II Report: Bill Lawrence, NERC Staff
16. Policy Subcommittee: Subcommittee Chair Nathan Mitchell
   a. Personnel Security Clearance Task Force (PSCTF): Chair Nathan Mitchell will report on the progress of the work completed and contemplated.

      Recommendation #3: Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process. Next step includes ES-ISAC process development collaboration with the PSCTF.
      PSCTF Charter
      PSCTF Report: Approved by CIPC June 11, 2013; Accepted by ESCC July 11, 2013; Accepted by NERC BOT August 15, 2013
   b. Bulk Electric System Security Metrics Working Group (BESSMWG): Chair James Sample will report on the progress of work completed and contemplated.
      BESSMWG Charter
      BESSMWG Report was endorsed by CIPC June 11,
   c. Compliance Enforcement and Input Working Group (CEIWG): Chair Paul Crist will report on the progress of the work completed and contemplated.
      CEIWG Charter
17. Cyber Security Subcommittee: Subcommittee Chair Marc Child
   a. RISC Technical Project and CSSWG Update: Marc Child will report on the review for the RISC.
   b. Cyber Attack Tree Task Force (CATTF): Chair Mark Engels will report on the progress of the work completed and contemplated.
      CATTF Charter
   c. Cyber Security Analysis Working Group (CSAWG): Chair Eric Warakomski will report on the progress of the work completed and contemplated.
      CSAWG Charter
18. Physical Security Subcommittee: Subcommittee Chair David Grubbs
   a. Electricity Sector: Physical Response Guideline Task Force (PSGTF): Chair John Breckenridge
      PSGTF Charter
      Electricity Sector: Physical Security Response Guideline, CIPC approved by ballot on October 25,

   b. Physical Security Working Group (PSWG): Chair Ross Johnson will report on the progress of work completed and contemplated.
      PSWG Charter
   c. Security Training Working Group (STWG): Chair William Whitney III will report on progress of work completed and contemplated.
      STWG Charter
19. Cybersecurity Procurement Language Update for Energy Delivery Systems: Ed Goff, Duke
20. North American Transmission Forum (NATF)
   a. Security Practices Group Activity Update: Wayne VanOsdol, Program Manager
21. Agency Updates
   a. Federal Energy Regulatory Commission (FERC): Cathy Eade, Office of Energy Infrastructure Security
   b. Department of Homeland Security (DHS): Richard Alt, Sector Outreach and Programs
   c. Department of Energy (DOE): Ken Friedman, Senior Policy Advisor

Schedule of Important Dates:
Dates Time Type Location Hotel
April 3, 2014 April 4, :00 a.m. 5:00 p.m. (EST) 8:00 a.m. Noon (EST) Energy Sector Classified Briefing DOE HQ 1000 Independence Ave, SW Washington, DC Per your travel arrangements June 10, :30 a.m. Noon (EDT) CIPC Physical Security Workshop Orlando, FL Hyatt Regency Orlando Int'l Airport 9300 Jeff Fuqua Blvd Orlando, FL June 10, :00 5:00 p.m. (EDT) CIPC Meeting Orlando, FL June 11, :00 a.m. Noon (EDT) CIPC Meeting Orlando, FL Hyatt Regency Orlando Int'l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Orlando Int'l Airport 9300 Jeff Fuqua Blvd Orlando, FL September 16, :30 a.m. Noon CIPC Cyber Security Workshop September 16, :00 5:00 p.m. CIPC Meeting September 17, :00 a.m. Noon CIPC Meeting Vancouver BC, Canada Vancouver BC, Canada Vancouver BC, Canada TBD TBD TBD September 17, 2014 September 18, 2014 Noon 5:00 p.m. 8:00 a.m. Noon CIPC EC Annual Planning Meeting Vancouver BC, Canada TBD October 14-16, :00 a.m. 5:00 p.m. GridSecCon 2014 San Antonio, Texas Hyatt Regency San Antonio Riverwalk 123 Losoya Street San Antonio, Texas December 9, :00 a.m. Noon (EST) Energy Sector Classified Briefing (No CIPC Workshop) Atlanta, GA TBD December 9, :00 5:00 p.m. (EST) CIPC Meeting Atlanta, GA TBD December 10, :00 a.m. Noon (EST) CIPC Meeting Atlanta, GA TBD

23. Closing Remarks and Action Items
24. Adjournment

CIPC Report to the NERC Reliability Issues Steering Committee (RISC)
Analysis of the RISC nomination for digital certificate management (Venafi, Inc 7/29/2013)
February 1, 2014

Background

In July 2013, technology vendor Venafi, Inc submitted to the Reliability Issues Steering Committee a Reliability Issues Nomination Form related to the use of digital keys and digital certificates. These technologies are used by machines as a trust mechanism to ensure privacy and non-repudiation of data passed between them. The basis of their concerns (discussed in the Technical Details below) is that poorly managed or implemented digital keys introduce risk to the bulk electric system, and Venafi's recommendations are to make specific language changes in the CIP version 5 standards to include requirements for full life-cycle management of keys, and digital certificate security.

In its NOPR for CIP version 5, FERC sought comments as to whether the adoption of communications security protections, such as cryptography and protections for non-routable protocol, would improve the CIP Standards. (Ref: Docket No. RM , page 116). In response, the Commission received comments from vendors (including Venafi) and others that supported the inclusion of such cryptography requirements, while multiple other organizations such as trade groups and individual utilities disagreed, stating the deployment of cryptographic protocols may: (1) prohibitively increase latency in communications; (2) obfuscate data needed for testing and problem diagnosis; and (3) introduce communication errors from complex key management across organizations. (Ref: Docket No. RM , page 116).

Version 5 of the NERC CIP standards was approved by FERC in late November 2013, and, while the Final Rule (Order 791) included directives to strengthen the physical protection of communications networks, it did not include any specific instructions for NERC to introduce cryptography requirements into the CIP standards.

Recommendations

On behalf of the NERC Critical Infrastructure Protection Committee (CIPC), the Control Systems Security Working Group (CSSWG) reviewed the Venafi nomination form for technical accuracy and evaluated the merits of their recommendations.

Specifically, CSSWG reviewed the FERC NOPR and Final Rule for the CIP version 5 reliability standards, and examined the scope of the newly-formed Order 791 standards drafting team. Finally, the CSSWG contacted the Events Analysis team at NERC to study incidents related to Bulk Electric System outages where digital certificates may have been a contributing factor.

The CSSWG found:

- There have been no Energy Management System (EMS) outages reported to NERC where digital certificates or digital keys were deemed to be a causal or contributing factor.
- Venafi is correct in stating that entities may have a higher susceptibility to intrusions due to poorly managed keys and certificates. However, poor engineering or poor implementation of technology cannot (and, in the opinion of the CSSWG, should not) be mitigated through the NERC standards process by use of prescriptive controls. The CIP standards, in particular, focus on what should be protected and not how.
- The CIPC committee has long recognized the value in providing utilities best practice guidance in the form of technical guidelines published on the ES-ISAC website. Technical subjects such as Connectivity to Business Networks, Identity and Access Management, Intrusion Detection, and Firewalls (security topics categorically similar to digital certificate management) are areas where the committee has provided guidance and technical resources to help entities design effective solutions and avoid the risk of poorly designed or incomplete security implementations.

The CSSWG recommends:

- Short of any regulatory directives by FERC, no additional modifications to the CIP version 5 standards are planned that would include specific technical requirements for digital certificate management.
- The CIPC committee should direct the CSSWG to develop a guideline for digital certificate management and encryption to assist entities in choosing and implementing such technologies in a manner consistent with BES reliability.
- The RISC committee shall thank Venafi, Inc as the author of the RISC Nomination Form for volunteering their expert knowledge and bringing this issue to the attention of NERC.

Technical Details

In response to the four specific recommendations & comments made by Venafi, the CSSWG offers the following technical feedback.

Comment #1 CIP Version 5 & FERC NOPR:
The use of encryption alone is inadequate to provide secure and trusted data communications. Within the proposed CIP version 5 standards, there are multiple references to authenticated, secure, or encrypted data communications but fall short of clearly prescribing the adoption of communications security protections. FERC's suggestion for the use of cryptography for encryption should not only be mandatory but should also include provisions for the management of the encryption assets known as keys and certificates. Many organizations - both inside and outside of the bulk electric system - have adopted encryption to secure and trust data communications but are still susceptible to intrusions and attacks due to the theft of poorly managed keys and certificates. The threat posed by the theft of these trust assets is increasing exponentially; if the intruder is trusted, the security defenses in place will be ineffectual to attack or theft. We propose that encryption and the management of authentication/encryption assets to secure data communications be made a part of the CIP version 5 standards.

The CSSWG agrees with the statement in general, although we're not as convinced that encryption is adopted in the control systems world as much as was suggested. In our opinion there is still a great deal of misunderstanding about what an IPsec tunnel can and cannot do. There is a very great appeal to the use of digital certificates to manage machine-to-machine (and human-to-machine) connections. There is a general perception that rolling out a large certificate-based system is not for the faint of heart. For smaller entities especially, this is a very large technical step to take and requires a great deal of subject matter expertise to get it right. It would be advisable for entities wishing to embark on such a project to visit some companies who are using certificate-based encryption and see how well it was rolled out. It would also be equally helpful to visit a company that abandoned the effort as well.

Comment #2 CIP-002-5:
Certificate Authorities are incorrectly identified as an example of an authentication server under the definition of an Electronic Access Control or Monitoring Systems (EACMS). A Certificate Authority is not in itself an authentication server but is an integral part of a Public Key Infrastructure (PKI). A Certificate Authority (CA) does not provide active authentication, rather it relies on components of the PKI such as Certificate Revocation Lists (CRL), Online Certificate Status Protocol responders (OCSP) to validate/authenticate trust. CAs issue Root Certificates that are part of a trust store to ensure the validity of the trust chain provides authentication. As it serves as the basis to ensure the integrity of the authentication functions of keys and certificates, we propose that PKI be included as a separate category example of an EACMS. Our proposed language is more precise to what we interpret as the intent of the inclusion of Certificate Authorities in the EACMS examples: Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, LDAP Servers), Public Key Infrastructure technologies such as but not limited to (Certificate Authorities, OCSP Responders, CRLs, Registration Authorities, certificates, RSA and DSA keys, self signed certificates, CRLs and Trust Stores).

Agree with the knowledge that there is OCSP already and to our knowledge it is considered a best practice and should be encouraged, but this suggestion crosses over into the how.

Comment #3 CIP-002-5:
Without the expansion of the EACMS definition to include PKI, the BES lowers its availability/reliability and adds significant risk to the ability to prevent or respond to a key/certificate incident. An unavailable, degraded, or misused unmanaged key or certificate in the BES would not be remediated within 15 minutes of the compromise or outage. Venafi's extensive experience in this field indicates that in unmanaged environments with manual processes, the average recovery time to (a) diagnose the issue; (b) request a new certificate; and (c) approve and install is typically two to four hours. We believe that there is intent in the proposed CIP version 5 standards to prevent key and certificate incidents from having a negative impact on the availability/reliability of the BES. To prevent this from being overlooked, we again propose specific language be added to include PKI as an example of EACMS.

There are certainly safety and reliability concerns about keeping a process control or SCADA system up at all costs, and the entity choosing to use a PKI will need to determine what to do if and when a cert is untrusted or becomes untrusted. This must be accounted for in the functional design of the system.

Comment #4 CIP-007-5:
By limiting the focus to human interaction/authentication with cyber systems, the System Access Controls fail to account for, or place controls on, the majority of authentication credentials (machine-to-machine) used in the BES. In this context, authentication falls into user credentials (User ID/Password, One-Time Password (OTP), smartcards and tokens) and machine credentials (the most common form of which are keys and certificates). Within the bulk electric system, machine credentials are used far more often to authenticate than user credentials and the gulf between the two continues to grow wider. By focusing only on User ID/Password credentials for humans, the proposed CIP version 5 standards do not adequately protect the majority of the authentication credentials or the auditability of all access within the bulk electrical system. We propose that CIP Table R5 - System Access Control be expanded to include the active management of keys and certificate credentials in line with User ID/Password credentials.

Machine-to-machine credentials are important, but considering current intrusion/infection scenarios, are arguably not the most urgent problem to be addressed by NERC CIP controls. The current standard's concentration on human accounts, authentication, and remote access sets proper and realistic goals. The entity has the ultimate authority to design and implement the level and type of encryption and authorization levels to mitigate the risks identified in their own risk management programs.



More information

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 CIP Version 5 Transition Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 Purpose of the Transition Program Transitioning entities confident in

More information

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016 Supply Chain Cybersecurity Risk Management Standards Technical Conference November 10, 2016 Agenda Opening remarks Review conference objectives and ground rules Standards project overview Discuss draft

More information

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability

More information

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,

More information

Critical Infrastructure Protection Committee (CIPC)

Critical Infrastructure Protection Committee (CIPC) Critical Infrastructure Protection Committee (CIPC) Westin Buckhead Atlanta Atlanta, GA December 15-16, 2015 Safety and Security Westin Buckhead Atlanta Staff will inform the CIPC concerning Fire and Evacuation

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information