Critical Infrastructure Protection Committee Draft Minutes March 4-5, 2014
|
|
- Patrick Henderson
- 5 years ago
- Views:
Transcription
1 Critical Infrastructure Protection Committee Draft Minutes March 4-5, 2014 Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO The Critical Infrastructure Protection Committee (CIPC) Chair Chuck Abell called the meeting to order and being duly noticed, the regular meeting of CIPC on March 4, 2014 began at 1:00 p.m. (CST). Mr. Bob Canada, CIPC Secretary declared a quorum to conduct business with 33 members present. The meeting announcement, agenda, and a list of attendees are attached as Exhibits A, B, and C respectively. Note: Slides presentations from this meeting are available at: Meeting Presentations Secretary Canada announced a quorum achieved with 33 of the 33 members present which includes the following proxies: 1. CEA Mr. Ron Gentle proxy for Mr. David Dunn 2. MRO Mr. Joe Mayfield, WAPA filling the vacancy as an Alternate until NERC Board approval 3. FRCC Mr. Carlos Maldonado proxy for Mr. Paul McClay 4. NPCC Mr. John Helme proxy for NPCC 5. SERC Ms. Cynthia Hill-Watson proxy for Mr. Tommy Clark 6. SERC Mr. Ed Goff, Duke filling the vacancy as an Alternate until NERC Board approval 7. WECC Mr. Jon Aust proxy for Mr. James Sample Opening Remarks from Ms. Maureen Borkowski, Ameren President and CEO Meeting Safety Briefing Hyatt Regency at the Arch The security and safety staff briefed CIPC and attendees on safety and emergency evacuations procedures to include rally points outside the hotel. NERC Antitrust Compliance Guidelines Secretary Canada called attention to the NERC Antitrust Compliance Guidelines distributed with the agenda and read the statement concerning publicly announced meetings.
2 Introductions of Members, Proxies, Alternates, Associates, and Others Chair Abell called for introductions of CIPC members and other attendees and also requested all present to sign the meeting attendance sheets being passed around the room. Consent Agenda Upon motion by Chair Abell to approve the Consent Agenda including the posted CIPC Agenda for the December 10-11, 2013 meeting. The Consent Agenda was approved by CIPC without any corrections edits or modifications. CIPC Chair s Report Mr. Abell provided CIPC with a report, covering CIPC s past, present, and future actions. Mr. Abell placed special emphasis upon the reports made on behalf of CIPC to the NERC Board of Trustees and the Electricity Sub-sector Coordinating Council (ESCC) meeting. (Presentation 1) Nomination Subcommittee Report Chair Robert McClanahan presented the recommendation of Mr. David Revill, Georgia Transmission for the Operations Security Subject Matter Expert (SME) replacing Carl Eng, Dominion on the CIPC Executive Committee. Upon motion by Mr. David Grubbs was made to close the nomination process and approve Mr. Revill by acclamation. CIPC voted unanimously to approve the motion. (Presentation 2) Critical Infrastructure Protection Director s Remarks Mr. Matt Blizard, Director of Critical Infrastructure Protection briefed CIPC on the following topics: GridEx II, GridSecCon, Critical Infrastructure Protection Transition Guidance, and the Transition Implementation Study. (Presentations 3) Cybersecurity Executive Order and Presidential Policy Directive Update Ms. Laura Brown, NERC staff briefed CIPC on the progress of the National Infrastructure Protection Plan (NIPP). Ms. Brown also briefed on the Presidential Policy Directive-21. DHS rolled out the new NIPP and established a new working group, the NIPP Implementation Working Group. This working group will: Set joint national priorities to facilitate joint planning Establish a process to annually validate priorities Develop guidance on updating the Sector-Specific Plans (SSP) Work to update the SSPs will begin around summertime Department of Homeland Security (DHS) will stand up a separate working group in early- March (kickoff meeting TBD) focused on developing guidance for the SSPs The SSP guidance developed by that working group will be incorporated into the overall NIPP implementation guidance
3 The National Institute of Standards and Technology released the Cybersecurity Framework in February. The framework overlaps considerably with both NERC CIP standards and the Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2). DHS began initial implementation activities in November by establishing the Voluntary Program Development Working Group, now called the Critical Infrastructure Cyber Community Voluntary Program, or the C Cubed Voluntary Program. (Presentation 4) Electricity Sector Information Sharing and Analysis Center (ES-ISAC) Update Mr. Matt Light, ES-ISAC briefed CIPC on the ES-ISAC portal support, information sharing, and various other ongoing activities including new personnel, operations, SANS event dates, DHS/DOE physical security campaign, Cyber Risk Preparedness Assessment (CRPAs) status, and Cybersecurity Risk Information Sharing Program (CRISP). (Presentation 5) Legislative Update Mr. Nathan Mitchell, American Public Power Association briefed CIPC on current legislation pending or contemplated as well as the impact upon the industry through the U.S. House and Senate. (Presentation 6) Critical Infrastructure Protection (CIP) Transition Program Update Mr. Tobias Whitney, NERC staff briefed CIPC on the purpose of the Transition Program, program elements, study approach, scope of study, key themes, and lessons-learned. He also briefed on the purpose and goals of the Reliability Assurance Initiative (RAI) program, and year-end progress report. Also covered was the V3 V5 compatibility and a CIP Version 5 Revisions and RAI Timeline. (Presentation 7) Version 5 Revisions Drafting Team Activities Mr. Ryan Stewart and Ms. Marisa Hecht briefed on the Standards (SDT) kickoff, subgroup structure, key messages, and the project schedule. (Presentation 8) Sufficiency Review Program (SRP) Mr. Scott Mix, NERC staff briefed CIPC on the 2013 SRP overview, program status, preliminary lessons-learned, best practices, and other observations. (Presentation 9) Reliability Issues Steering Committee (RISC) Update and the Reliability Risk Control Process Mr. Jim Brenton briefed CIPC on the RISC status and progress to include a process overview, suggested RISC and Committee timeline for 2014, electricity reliability organization (ERO) top priority risks and alignment with RISC priorities. (Presentation 10) Operating Security Subcommittee Chair Jim Brenton (No presentation) Electricity Sector Information Sharing Task Force (ESISTF) Chair Stephen Diebold briefed CIPC on the ESISTF status of work completed. The presentation briefed on the progress and accomplishments under the charter for the task forces. The EISTF prepared an outreach campaign presentation to promote the use of the ES-ISAC as the central hub of information sharing by the industry and government partners. (Presentation 11)
4 Grid Exercise Working Group (GEWG) Mr. Bill Lawrence, NERC staff briefed CIPC on behalf of Chair Tim Conway, on the success of the exercise, the number of entities participating and his personal observations. He also advised the CIPC that the CIPC Executive Committee convened and were mapping the recommendations for CIPC tasking of existing or new task forces and working groups for continued work. (Presentation 12) Policy Subcommittee Chair Nathan Mitchell (No Presentation) Personnel Security Clearance Task Force (PSCTF) Chair Nathan Mitchell mentioned that the report was approved by CIPC on June 11, 2013, accepted by the ESCC on July 11, 2013, and accepted by the NERC Board of Trustees on August 15, The PSCTF is awaiting for ES-ISAC s collaboration to process and track industry clearance applications. He briefed on next steps including ESCC coordinating with DHS to develop a series of playbooks on who should apply for clearances, expectations of holders and a process for prioritizing, and monitoring nominations. (Presentation 13) Bulk Electric System Security Metrics Working Group (BESSMWG) Mr. Matt Light, NERC staff support to the working group briefed on behalf of Chair James Sample, on the ongoing progress to include the ES-ISAC activities, workshop held with Reliability Assessments and Performance Analysis (RAPA) to discuss their Adequate Level of Reliability framework. The outcomes included a better understanding of potential metrics and next steps. (Presentation 14) Compliance and Enforcement Input Working Group (CEIWG) Chair Paul Crist gave a progress report on the working group. Mr. Crist covered discussions on future work including: guidelines, process for Compliance Analysis Report (CAR) development, RAI support, and virtualization of the whitepaper review. (Presentation 15) Cyber Security Subcommittee Chair Mr. Marc Child Mr. Child gave an overview of the subcommittee s activities including: recent activities, next steps, and requested CIPC actions. (Presentation 15) Control Systems Security Working Group (CSSWG) Update and a RISC Technical Project Mr. Child reported on the analysis of the RISC nomination for digital certificate management. (Presentation 16) Cyber Attack Tree Task Force (CATTF) Chair Mark Engels gave an update on the activities which included: key assumptions, process of creating the attack trees, overview of the software, behavioral indicators, characteristics of an attacker, and characteristics of a victim. (Presentation 17) The CIPC Meeting on March 4 th was concluded for the day at 5:36 p.m. (CST) and was reconvened on March 5 th at 8:00 a.m. (CST)
5 Cyber Security Analysis Working Group (CSAWG) Mr. Marc Child, on behalf of Chair Eric Warakomski gave an update on recent activities and existing liaisons with the ES-ISAC, Cyber Security Training Working Group, and Events Analysis Subcommittee. Mr. Warakomski submitted his resignation since he could not continue as his duties have changed and could not continue to chair the working group. (Presentation 18; included in Cyber Subcommittee report) Physical Security Subcommittee Chair Mr. David Grubbs (No Presentation) Physical Security Guideline Task Force (PSGTF) (No Presentation) Physical Security Working Group (PSWG) Chair Ross Johnson briefed CIPC on activities contemplated. The PSWG through the Physical Security Roundtable Group (PSRG) has conducted three conference calls. A total of 35 participants have been included in the current security practices and investigations of impact to the industry and their companies. The PSWG will evaluate the effectiveness of technology and develop a survey for determining the needs of physical security across the NERC Regions. Additionally, Mr. Johnson introduced Mr. Ben Langhorst of the Idaho National Laboratory (INL) who briefed CIPC on ballistic protection for critical electrical infrastructure. The INL conceptual solution was introduced which included prototype for ballistic panel shielding and cost feasibility. The working group has pushed ahead in several areas physical security training sessions using webinars and CIPC workshops. (Presentation 19) Security Training Working Group (STWG) Chair William Whitney, on the latest activities, including the announcement of additional training opportunities using CIPC workshops and webinars. The June CIPC workshops will include a panel on physical security programs on April 16, 2014 from 1-3 p.m. (EST). (Presentation 20) Also listed were the following: April 16 Physical Security Programs Panel Webinar May National Labs Physical Security: Risk vs. Protection/Costs Webinar June Orlando Pre-CIPC BC Hydro presentation on laser intrusion detection July Active Shooter Webinar with Danny O. Coulson August TBD September Vancouver Train the Trainer Preparation for a Cyber Event October TBD November TBD December TBD Cybersecurity Procurement Language Update for Energy Delivery Systems Mr. Ed Goff, Duke Energy, updated CIPC concerning the progress for establishing procurement language tailored to the specific needs of the energy sector, why it is necessary, phases for development, timeline, and meeting the Department of Energy Roadmap mission. (Presentation 21)
6 North American Transmission Forum (NATF) Security Practices Group Activity Update Mr. Wayne VanOsdol, NATF staff briefed CIPC on CIP V5 Implementation activities, Physical Security Work Group activities and 2014 projects. (Presentation 22) Agency Updates Federal Energy Regulatory Commission (FERC) No one in attendance. Department of Homeland Security (DHS) No one in attendance. Department of Energy (DOE) No one in attendance. Adjournment There being no further business and upon motion to adjourn by Chair Abell. The motion approved by CIPC with adjournment at 12:03 p.m. (CST). Submitted by, R.D. Canada Bob Canada CIPC Secretary
7 2014 Future Meetings Dates Time Type Location Hotel April 3, 2014 April 4, :00 a.m. 5:00 p.m. (EST) 8:00 a.m. Noon (EST) Energy Sector Classified Briefing DOE HQ 1000 Independence Ave Washington, DC Per your travel arrangements June 10, :30 a.m. Noon (EDT) CIPC Physical Security Workshop Orlando, FL June 10, :00 5:00 p.m. (EDT) CIPC Meeting Orlando, FL June 11, :00 a.m. Noon (EDT) CIPC Meeting Orlando, FL September 16, :30 a.m. Noon CIPC Cyber Security Workshop Vancouver BC, Canada September 16, :00 5:00 p.m. CIPC Meeting Vancouver BC, Canada September 17, :00 a.m. Noon CIPC Meeting Vancouver BC, Canada September 17, 2014 September 18, 2014 Noon 5:00 p.m. 8:00 a.m. Noon CIPC Executive Committee Annual Planning Meeting Vancouver BC, Canada October 14-16, :00 a.m. 5:00 p.m. GridSecCon 2014 San Antonio, Texas December 9, :00 a.m. Noon (EST) Energy Sector Classified Briefing (No CIPC Workshop) Atlanta, GA Hyatt Regency Orlando Int l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Orlando Int l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Orlando Int l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada, V6C2R Hyatt Regency San Antonio Riverwalk 123 Losoya Street San Antonio, Texas Westin Buckhead December 9, :00 5:00 p.m. (EST) CIPC Meeting Atlanta, GA Westin Buckhead December 10, :00 a.m. Noon (EST) CIPC Meeting Atlanta, GA Westin Buckhead
8
9 Agenda Critical Infrastructure Protection Committee March 4, :00 5:00 p.m. (CST) March 5, :00 a.m. Noon (CST) Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO (314) CIP Technical Workshop Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO March 4, :30 a.m. Noon (CST) Room: Park View Critical Infrastructure Protection Committee Meeting Hyatt Regency at the Arch CIPC Working Lunch: Regency AB March 4, 2014 Noon 1:00 p.m. (CST) March 4, :00 5:00 p.m. (CST) March 5, :00 a.m. Noon (CST) Room: Regency EF Welcome and Introductions Chair Chuck Abell NERC Antitrust Compliance Guidelines and Public Meeting Announcement Agenda 1. Remarks by Ms. Maureen Borkowski Chairman, President, and CEO, Ameren Transmission Co. 2. Administrative CIPC Secretary Bob Canada a. Safety Briefing and Emergency Precautions Hyatt at the Arch Staff b. Declaration of Quorum c. CIPC Roster Page 13 d. Parliamentary Procedures In the absence of specific provisions in the CIPC charter, the Committee shall conduct its meetings guided by the most recent edition of Robert s Rules of Order, Newly Revised. e. Introductions
10 3. Consent Agenda Chair Chuck Abell a. December 10-11, 2013 Draft Minutes for CIPC Approval b. March CIPC Agenda c. Committee Membership Appointments and Changes: TRE David Grubbs City of Garland Operations TRE Jim Brenton ERCOT Cyber TRE Darrell Klimitcheck STEC Physical FRCC Paul McClay TECO Cyber FRCC Carter Manucy Fla Municipal Physical FRCC Joe Garmon Seminole Operations MRO Marc Child Great River Cyber MRO Paul Crist LES Physical MRO Vacant TBD Operations NPCC John Galloway ISO-NE Operations NPCC Greg Goodrich NYISO Cyber NPCC Vacant TBD Physical RFC Larry Bugh RFC Cyber RFC Kent Kujala Detroit Operations RFC Jeff Fuller DPL Physical SERC Chuck Abell Ameren Cyber SERC Vacant TBD Operations SERC Tommy Clark SMEPA Physical SPP John Breckenridge KCPL Physical SPP Allen Klassen Westar Operations SPP Robert McClanahan AECC Cyber WECC Allen Wick Tri-State Physical WECC Mike Mertz PNM Cyber WECC Jamey Sample PGE Operations APPA David Godfrey TMPA Physical APPA Nathan Mitchell APPA Policy CEA Chris McColm Manitoba Physical CEA Ross Johnson Capital Power Physical CEA David Dunn IESO Policy NRECA Robert Richhart Hoosier Policy NRECA David Revill Georgia Trans Policy 4. Chair s Remarks Chair Chuck Abell a. NERC Meetings Update and Other Items of CIPC Interest 5. CIPC Nominations Subcommittee Report Chair Robert McClanahan a. Recommendation for Subject Matter Expert (SME) member to replace Carl Eng on the CIPC Executive Committee b. Election of an SME to CIPC Executive Committee 6. CID Director Remarks Matt Blizard, Director of Critical Infrastructure Protection Critical Infrastructure Protection Committee Agenda March 4-5,
11 7. ES-ISAC Update and Cyber Risk Preparedness Assessment (CRPA) Program Update Matt Light, NERC Staff 8. CIP Transition Update Tobias Whitney, NERC Staff 9. Version 5 Revisions Drafting Team Activities Ryan Stewart and Marisa Hecht, NERC Staff Sufficiency Review Program and Directions Scott Mix, NERC Staff 11. Executive Order and Presidential Policy Directive Update Laura Brown, NERC Staff 12. RISC Update and Reliability Risk Control Process Jim Brenton, CIPC Representative to RISC 13. Legislative Update Nathan Mitchell, American Public Power Association 14. Subcommittee Chairs, Subgroups, Progress, and Remarks Chair Chuck Abell 15. Operating Security Subcommittee Subcommittee Chair Jim Brenton a. Electricity Sector Information Sharing Task Force (ESISTF) Chair Stephen Diebold will report on activities, second phase, and outreach efforts. ESISTF Charter ESISTF Report: Approved by CIPC June 11, 2013 Accepted by ESCC July 11, 2013 Accepted by NERC BOT August 15, 2013 b. Grid Exercise Working Group (GEWG) Chair Tim Conway GEWG Charter Briefing on GridEx II Report Bill Lawrence, NERC Staff 16. Policy Subcommittee Subcommittee Chair Nathan Mitchell a. Personnel Security Clearance Task Force (PSCTF) Chair Nathan Mitchell will report on the progress of the work completed and contemplated. Critical Infrastructure Protection Committee Agenda March 4-5,
12 Recommendation #3: Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process. Next step includes ES-ISAC process development collaboration with the PSCTF. PSCTF Charter PSCTF Report: Approved by CIPC June 11, 2013 Accepted by ESCC July 11, 2013 Accepted by NERC BOT August 15, 2013 b. Bulk Electric System Security Metrics Working Group (BESSMWG) Chair James Sample will report on the progress of work completed and contemplated. BESSMWG Charter BESSMWG Report was endorsed by CIPC June 11, c. Compliance Enforcement and Input Working Group (CEIWG) Chair Paul Crist will report on the progress of the work completed and contemplated. CEIWG Charter 17. Cyber Security Subcommittee Subcommittee Chair Marc Child a. RISC Technical Project and CSSWG Update Marc Child will report on the review for the RISC. b. Cyber Attack Tree Task Force (CATTF) Chair Mark Engels will report on the progress of the work completed and contemplated. CATTF Charter c. Cyber Security Analysis Working Group (CSAWG) Chair Eric Warakomski will report on the progress of the work completed and contemplated. CSAWG Charter 18. Physical Security Subcommittee Subcommittee Chair David Grubbs a. Electricity Sector: Physical Response Guideline Task Force (PSGTF) Chair John Breckenridge PSGTF Charter Electricity Sector: Physical Security Response Guideline CIPC approved by ballot on October 25, Critical Infrastructure Protection Committee Agenda March 4-5,
13 b. Physical Security Working Group (PSWG) Chair Ross Johnson will report on the progress of work completed and contemplated. PSWG Charter c. Security Training Working Group (STWG) Chair William Whitney III will report on progress of work completed and contemplated. STWG Charter 19. Cybersecurity Procurement Language Update for Energy Delivery Systems Ed Goff, Duke 20. North American Transmission Forum (NATF) a. Security Practices Group Activity Update Wayne VanOsdol, Program Manager 21. Agency Updates a. Federal Energy Regulatory Commission (FERC) Cathy Eade, Office of Energy Infrastructure Security b. Department of Homeland Security (DHS) Richard Alt, Sector Outreach and Programs c. Department of Energy (DOE) Ken Friedman, Senior Policy Advisor Critical Infrastructure Protection Committee Agenda March 4-5,
14 Schedule of Important Dates: Dates Time Type Location Hotel April 3, 2014 April 4, :00 a.m. 5:00 p.m. (EST) 8:00 a.m. Noon (EST) Energy Sector Classified Briefing DOE HQ 1000 Independence Ave, SW Washington, DC Per your travel arrangements June 10, :30 a.m. Noon (EDT) CIPC Physical Security Workshop Orlando, FL Hyatt Regency Orlando Int l Airport 9300 Jeff Fuqua Blvd Orlando, FL June 10, :00 5:00 p.m. (EDT) CIPC Meeting Orlando, FL June 11, :00 a.m. Noon (EDT) CIPC Meeting Orlando, FL Hyatt Regency Orlando Int l Airport 9300 Jeff Fuqua Blvd Orlando, FL Hyatt Regency Orlando Int l Airport 9300 Jeff Fuqua Blvd Orlando, FL September 16, :30 a.m. Noon CIPC Cyber Security Workshop September 16, :00 5:00 p.m. CIPC Meeting September 17, :00 a.m. Noon CIPC Meeting Vancouver BC, Canada Vancouver BC, Canada Vancouver BC, Canada TBD TBD TBD September 17, 2014 September 18, 2014 Noon 5:00 p.m. 8:00 a.m. Noon CIPC EC Annual Planning Meeting Vancouver BC, Canada TBD October 14-16, :00 a.m. 5:00 p.m. GridSecCon 2014 San Antonio, Texas Hyatt Regency San Antonio Riverwalk 123 Losoya Street San Antonio, Texas December 9, :00 a.m. Noon (EST) Energy Sector Classified Briefing (No CIPC Workshop) Atlanta, GA TBD December 9, :00 5:00 p.m. (EST) CIPC Meeting Atlanta, GA TBD December 10, :00 a.m. Noon (EST) CIPC Meeting Atlanta, GA TBD 23. Closing Remarks and Action Items 24. Adjournment Critical Infrastructure Protection Committee Agenda March 4-5,
15 CIPC Report to the NERC Reliability Issues Steering Committee (RISC) Analysis of the RISC nomination for digital certificate management (Venafi, Inc 7/29/2013) February 1, 2014 Background In July 2013, technology vendor Venafi, Inc submitted to the Reliability Issues Steering Committee a Reliablity Issues Nomination Form related to the use of digital keys and digital certificates. These technologies are used by machines as a trust mechanism to ensure privacy and non-repudiation of data passed between them. The basis of their concerns (discussed in the Technical Details below) is that poorly managed or implemented digital keys introduce risk to the bulk electric system, and Venafi s recommendations are to make specific language changes in the CIP version 5 standards to include requirements for full life-cycle management of keys, and digital certificate security. In its NOPR for CIP version 5, FERC sought comments as to whether the adoption of communications security protections, such as cryptography and protections for non-routable protocol, would improve the CIP Standards. (Ref: Docket No. RM , page 116). In response, the Commission received comments from vendors (including Venafi) and others that supported the inclusion of such cryptography requirements; while multiple other organizations such as trade groups and individual utilities disagreed, stating the deployment of cryptographic protocols may: (1) prohibitively increase latency in communications; (2) obfuscate data needed for testing and problem diagnosis; and (3) introduce communication errors from complex key management across organizations. (Ref: Docket No. RM , page 116). Version 5 of the NERC CIP standards was approved by FERC in late November 2013, and, while the Final Rule (Order 791) included directives to strengthen the physical protection of communications networks, it did not include any specific instructions for NERC to introduce cryptography requirements into the CIP standards. Recommendations On behalf of the NERC Critical Infrastructure Protection Committee (CIPC), the Control Systems Security Working Group (CSSWG) reviewed the Venafi nomination form for technical accuracy and evaluated the merits of their recommendations.
16 Specifically CSSWG reviewed the FERC NOPR and Final Rule for the CIP version 5 reliability standards, and examined the scope of the newly-formed Order 791 standards drafting team. Finally, the CSSWG contacted the Events Analysis team at NERC to study incidents related to Bulk Electric System outages where digital certificates may have been a contributing factor. The CSSWG found: There have been no Energy Management System (EMS) outages reported to NERC where digital certicates or digital keys were deemed to be a causal or contributing factor. Venafi is correct in stating that entities may have a higher susceptibility to intrusions due to poorly managed keys and certificates. However, poor engineering or poor implementation of technology cannot (and should not be in the opinion of the CSSWG) mitigated through the NERC standards process by use of prescriptive controls. The CIP standards, in particular, focus on what should be protected and not how. The CIPC committee has long recognized the value in providing utilities best practice guidance in the form of technical guidelines published on the ES-ISAC website. Technical subjects such as Connectivity to Business Networks, Identity and Access Management, Intrusion Detection, and Firewalls security topics categorically similar to digital certificate management are areas where the committee has provided guidance and technical resources to help entities design effective solutions and avoid the risk of poorly designed or incomplete security implementations. The CSSWG recommends: Short of any regulatory directives by FERC, no additional modifications to the CIP version 5 standards is planned that would include specific technical requirements for digital certicate management. The CIPC committee should direct the CSSWG to develop a guideline for digital certificate management and encryption to assist entities in choosing and implementing such technologies in a manner consistent with BES reliability. The RISC committee committee shall thank Venafi, Inc as the author of the RISC Nomination Form for volunteering their expert knowledge and bringing this issue to the attention of NERC. Technical Details In response to the four specific recommendations & comments made by Venafi, the CSSWG offers the following technical feedback. Comment #1 CIP Version 5 & FERC NOPR: The use of encryption alone is inadequate to provide secure and trusted data communications. Within the proposed CIP version 5 standards, there are multiple references to authenticated, secure, or encrypted data communications but fall short of clearly prescribing the adoption of communications security protections. FERC's suggestion for the use of cryptography for CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 2
17 encryption should not only be mandatory but should also include provisions for the management of the encryption assets known as keys and certificates. Many organizations - both inside and outside of the bulk electric system - have adopted encryption to secure and trust data communications but are still susceptible to intrusions and attacks due to the theft of poorly managed keys and certificates. The threat posed by the theft of these trust assets is increasing exponentially; if the intruder is trusted, the security defenses in place will be ineffectual to attack or theft. We propose that encryption and the management of authentication/encryption assets to secure data communications be made a part of the CIP version 5 standards. The CSSWG agrees with the statement in general, although we re not as convinced that encryption is adopted in the control systems world as much as was suggested. In our opinion there is still a great deal of misunderstanding about what an IPsec tunnel can and can not do. There is a very great appeal to the use of digital certificates to manage machine to machine (and human to machine) connections. There is general perception that rolling out a large certificate based system is not for the faint of heart. For smaller entities especially, this is a very large technical step to take and requires a great deal of subject matter expertise to get it right. It would be advisable for entities wishing to embark on such a project to visit some companies who are using certificates based encryption and see how well it was rolled out. It would also be equally helpful to visit a company that abandoned the effort as well. Comment #2 CIP-002-5: Certificate Authorities are incorrectly identified as an example of an authentication server under the definition of an Electronic Access Control or Monitoring Systems (EACMS). A Certificate Authority is not in itself an authentication server but is an integral part of a Public Key Infrastructure (PKI). A Certificate Authority (CA) does not provide active authentication, rather it relies on components of the PKI such as Certificate Revocation Lists (CRL), Online Certificate Status Protocol responders (OCSP) to validate/authenticate trust. CA's issue Root Certificates that are part of a trust store to ensure the validity of the trust chain provides authentication. As it serves as the basis to ensure the integrity of the authentication functions of keys and certificates, we propose that PKI be included as a separate category example of an EACMS. Our proposed language is more precise to what we interpret as the intent of the inclusion of Certificate Authorities in the EACMS examples: Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, LDAP Servers), Public Key Infrastructure technologies such as but not limited to (Certificate Authorities, OCSP Responders, CRLs, Registration Authorities, certificates, RSA and DSA keys, self signed certificates, CRLs and Trust Stores). Agree with the knowledge that there is OCSP already and to our knowledge it is considered a best practice and should be encouraged, but this suggestion crosses over into the how. Comment #3 CIP-002-5: Without the expansion of the EACMS definition to include PKI, the BES lowers its availability/reliability and adds significant risk to the ability to prevent or respond to a key/ certificate incident. An unavailable, degraded, or misused unmanaged key or certificate in the BES would not be remediated within 15 minutes of the compromise or outage. Venafi's extensive experience in this field indicates that in unmanaged environments with manual processes, the average recovery time to (a) diagnose the issue; (b) request a new certificate; and (c) approve and install is typically two to four hours. We believe that there is intent in the proposed CIP version 5 standards to prevent key and certificate CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 3
18 incidents from having a negative impact on the availability/reliability of the BES. To prevent this from being overlooked, we again propose specific language be added to include PKI as an example of EACMS. There are certainly safety and reliability concerns about keeping a process control or SCADA system up at all costs, and the entity choosing to use a PKI will need to determine what to do if and when a cert is untrusted or becomes untrusted. This must be accounted for in the functional design of the system. Comment #4 CIP-007-5: By limiting the focus to human interaction/authentication with cyber systems, the System Access Controls fail to account for, or place controls on, the majority authentication credentials (machine-tomachine) used in the BES. In this context, authentication falls into user credentials (User ID/Password, One- Time Password (OTP), smartcards and tokens) and machine credentials (the most common form of which are keys and certificates). Within the bulk electric system, machine credentials are used far more often to authenticate than user credentials and the gulf between the two continues to grow wider. By focusing only on User ID/Password credentials for humans, the proposed CIP version 5 standards do not adequately protect the majority of the authentication credentials or the auditability of all access within the bulk electrical system. We propose that CIP Table R5 - System Access Control be expanded to include the active management of keys and certificate credentials in line with User ID/Password credentials. Machine-to-machine credentials are important, but considering current intrusion/infection scenarios, are arguably not the most urgent problem to be addressed by NERC CIP controls. The current standard's concentration on human accounts, authentication, and remote access sets proper and realistic goals. The entity has the ultimate authority to design and implement the level and type of encryption and authorization levels to mitigate the risks identified in their own risk management programs. CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 4
19
20
21
22
23
24
25
26
27
28
Agenda Critical Infrastructure Protection Committee March 4, :00 5:00 p.m. (CST) March 5, :00 a.m. Noon (CST)
Agenda Critical Infrastructure Protection Committee March 4, 2014 1:00 5:00 p.m. (CST) March 5, 2014 8:00 a.m. Noon (CST) Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO 63102 (314) 655-1234
More informationCritical Infrastructure Protection Committee Draft Minutes September 16-17, 2014
Critical Infrastructure Protection Committee Draft Minutes September 16-17, 2014 Hyatt Regency Vancouver 655 Burrard Street Vancouver, BC, Canada V6C2R7 The Critical Infrastructure Protection Committee
More informationCritical Infrastructure Protection Committee Minutes June 11-12, 2013
Critical Infrastructure Protection Committee Minutes June 11-12, 2013 Westin Buckhead Atlanta, Georgia The Critical Infrastructure Protection Committee (CIPC) Chair Chuck Abell called the meeting to order
More informationNERC Critical Infrastructure Protection Committee (CIPC) Highlights
NERC Critical Infrastructure Protection Committee (CIPC) Highlights Mike Kraft, Basin Electric Power Cooperative MRO Board of Directors Meeting March 17, 2016 Midwest Reliability Organization Standards
More informationCritical Infrastructure Protection Committee Strategic Plan
Critical Infrastructure Protection Committee Strategic Plan 2018-2019 CIPC Executive Committee Updated:xxxxxxxx NERC Report Title Report Date I Table of Contents Preface... iii CIPC Organizational Structure...
More informationElectricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013
Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013 Purpose and Scope The purpose of the Electricity Sub-Sector Coordinating Council (ESCC) is to facilitate and support
More informationAgenda Critical Infrastructure Protection Committee March 8, :00 5:00 p.m. Eastern March 9, :00 a.m. Noon Eastern
Agenda Critical Infrastructure Protection Committee March 8, 2017 1:00 5:00 p.m. Eastern March 9, 2017 8:00 a.m. Noon Eastern Ritz-Carlton Buckhead 3434 Peachtree Road Atlanta, GA 30326 Room: Salon 2678
More informationGrid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016
Grid Security & NERC Council of State Governments The Future of American Electricity Policy Academy Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016 1965 Northeast blackout
More informationEfficiency and Effectiveness of Stakeholder Engagement
Efficiency and Effectiveness of Stakeholder Engagement Michael Walker, Senior Vice President and Chief Enterprise Risk and Strategic Development Officer Member Representatives Committee Meeting February
More informationCritical Infrastructure Protection Committee Strategic Plan
Critical Infrastructure Protection Committee Strategic Plan 2015-2018 CIPC Executive Committee Updated: December 13, 2016 NERC Report Title Report Date I Table of Contents Preface... iv Executive Summary...
More informationCritical Infrastructure Protection Committee Strategic Plan
Critical Infrastructure Protection Committee Strategic Plan 2013-2016 CIPC Executive Committee 5/14/2013 3353 Peachtree Road NE Suite 600, North Tower Atlanta, Georgia 30326 404-446-2560 www.nerc.com Table
More informationPhysical Security Reliability Standard Implementation
Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,
More informationGrid Security & NERC
Grid Security & NERC Janet Sena, Senior Vice President, Policy and External Affairs Southern States Energy Board 2017 Associate Members Winter Meeting February 27, 2017 Recent NERC History Energy Policy
More informationCyber Security Incident Report
Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New
More informationNORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NARUC Energy Regulatory Partnership Program The Public Services Regulatory Commission of Armenia and The Iowa Utilities Board Janet Amick Senior Utility
More informationNERC CIPC Chair Report
NERC CIPC Chair Report Chuck Abell March 4, 2014 Recent Happenings NERC Board of Trustees Activity Acceptance of the Physical Security Response Guideline Approved CIPC EC Membership Positions o Physical
More informationMeeting Minutes Critical Infrastructure Protection Committee
Meeting Minutes Critical Infrastructure Protection Committee Toronto Airport Marriott Hotel June 8-9, 2011 Toronto, Ontario, Canada Critical Infrastructure Protection Committee Vice-Chairman Bob Canada
More informationCritical Infrastructure Protection Version 5
Critical Infrastructure Protection Version 5 Tobias Whitney, Senior CIP Manager, Grid Assurance, NERC Compliance Committee Open Meeting August 9, 2017 Agenda Critical Infrastructure Protection (CIP) Standards
More informationMeeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016
Meeting Notes Project 2016-02 Modifications to CIP Standards Drafting Team June 28-30, 2016 Exelon Chicago, IL Administrative 1. Introductions / Chair s Remarks The meeting was brought to order by S. Crutchfield
More informationHistory of NERC December 2012
History of NERC December 2012 Timeline Date 1962-1963 November 9, 1965 1967 1967-1968 June 1, 1968 July 13-14, 1977 1979 1980 Description Industry creates an informal, voluntary organization of operating
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC
More informationERO Enterprise IT Projects Update
ERO Enterprise IT Projects Update Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology Technology and Security Committee Meeting November 6, 2018 Agenda ERO IT
More informationOPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith
OPUC Workshop March 13, 2015 Cyber Security Electric Utilities Portland General Electric Co. Travis Anderson Scott Smith 1 CIP Version 5 PGE Implementation Understanding the Regulations PGE Attended WECC
More informationStandards. Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016
Standards Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016 Balancing Authority Reliability-based Controls Reliability Benefits Data requirements for Balancing Authority (BA)
More informationAgenda Event Analysis Subcommittee Conference Call
Agenda Event Analysis Subcommittee Conference Call August 14, 2013 11:00 a.m. 1:00 p.m. Eastern Ready Talk Conference Call and Web Meeting Information: Dial-In: 1-866-740-1260 Access Code: 6517175 Security
More informationMember Representatives Committee. Pre-Meeting and Informational Webinar January 16, 2013
Member Representatives Committee Pre-Meeting and Informational Webinar January 16, 2013 Objectives Review preliminary agenda topics for February 6 Member Representatives Committee (MRC) meeting. Review
More informationLive Webinar: Best Practices in Substation Security November 17, 2014
Live Webinar: Best Practices in Substation Security November 17, 2014 1 Agenda & Panelists Welcome & Introduction - Allan Wick, CFE, CPP, PSP, PCI, CBCP Enterprise Security Manager-CSO Tri-State Generation
More informationBILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers
This document is scheduled to be published in the Federal Register on 07/28/2016 and available online at http://federalregister.gov/a/2016-17854, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY
More informationFERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC
: ERO Performance and Initiatives June 4, 2015 Chairman Bay, Commissioners, and fellow panelists, I appreciate the opportunity to address the topics identified for the third panel of today s important
More informationPrivate Sector Clearance Program (PSCP) Webinar
Private Sector Clearance Program (PSCP) Webinar Critical Infrastructure Protection Committee November 18, 2014 Nathan Mitchell, ESCC Clearance Liaison Agenda History NERC CIPC Private Sector Clearance
More informationMember Representatives Committee Meeting
Member Representatives Committee Meeting August 13, 2014 1:15 p.m. 5:15 p.m. Pacific The Westin Bayshore, Vancouver 1601 Bayshore Drive Vancouver, BC V6G 2V4 Canada Opening Remarks by MRC Chair Consent
More informationStandards Authorization Request Form
Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.
More informationAgenda Critical Infrastructure Protection Committee March 6, :00 p.m. 5:00 p.m. Eastern March 7, :00 a.m. Noon Eastern
Agenda Critical Infrastructure Protection Committee March 6, 2018 1:00 p.m. 5:00 p.m. Eastern March 7, 2018 8:00 a.m. Noon Eastern Hyatt Regency Jacksonville Riverfront 225East Coastline Drive Jacksonville,
More informationHistory of NERC January 2018
History of NERC January 2018 Date 1962 1963 The electricity industry created an informal, voluntary organization of operating personnel to facilitate coordination of the bulk power system in the United
More informationTechnical Conference on Critical Infrastructure Protection Supply Chain Risk Management
Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability
More informationCritical Infrastructure Protection Committee Meeting
Critical Infrastructure Protection Committee Meeting September 15-16, 2015 New Orleans, LA *All presentations are posted with the written consent of the presenters. Agenda Item 2 Critical Infrastructure
More informationEEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,
EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)
More informationAgenda Critical Infrastructure Protection Committee September 12, :00 5:00 p.m. Eastern September 13, :00 a.m.
Agenda Critical Infrastructure Protection Committee September 12, 2017 1:00 5:00 p.m. Eastern September 13, 2017 8:00 a.m. Noon Eastern The Hilton Quebec 1100, boul. René-Lévesque Est Quebec, QC, G1R 4P3
More informationChapter X Security Performance Metrics
Chapter X Security Performance Metrics Page 1 of 10 Chapter X Security Performance Metrics Background For many years now, NERC and the electricity industry have taken actions to address cyber and physical
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationCompliance Enforcement Initiative
Compliance Enforcement Initiative Filing and Status Update November 2, 2011 Rebecca Michael Status of the Filings NERC filed several components of the Compliance Enforcement Initiative on September 30,
More informationHistory of NERC August 2013
History of NERC August 2013 Timeline Date 1962 1963 November 9, 1965 1967 1967 1968 June 1, 1968 July 13 14, 1977 1979 Description The electricity industry creates an informal, voluntary organization of
More informationScope Cyber Attack Task Force (CATF)
Scope Cyber Attack Task Force (CATF) PART A: Required for Committee Approval Purpose This document defines the scope, objectives, organization, deliverables, and overall approach for the Cyber Attack Task
More informationCyber Security Standards Drafting Team Update
Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications
More informationChapter X Security Performance Metrics
Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No.
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Foundation for Resilient Societies ) Docket No. AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN OPPOSITION
More informationERO Enterprise Strategic Planning Redesign
ERO Enterprise Strategic Planning Redesign Mark Lauby, Senior Vice President and Chief Reliability Officer Member Representatives Committee Meeting February 10, 2016 Strategic Planning Redesign Current
More informationRELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO
RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO June 27, 2016 Training provided for Ontario market participants by the Market Assessment and Compliance Division of the IESO Module 1 A MACD training presentation
More informationMeeting Minutes Reliability Metrics Working Group
Meeting Minutes Reliability Metrics Working Group August 18, 2010 2 p.m. 3 p.m. Conference Call Convene Chair William Adams convened the Reliability Metrics Working Group (RMWG) conference call on Aug
More informationReliability Standards Development Plan
Reliability Standards Development Plan Steven Noess, Director of Standards Development Standards Oversight and Technology Committee Meeting November 1, 2016 2017-2019 Reliability Standards Development
More informationAnalysis of CIP-006 and CIP-007 Violations
Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December
More informationMeeting Minutes Reliability Metrics Working Group
Meeting Minutes Reliability Metrics Working Group May 18, 2010 8 a.m. 5 p.m. May 19, 2010 8 a.m. 1 p.m. Xcel Energy 414 Nicollet Mall Minneapolis, Minnesota 55401 Convene Chair Herbert Schrayshuen convened
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationStandards Development Update
Standards Development Update Steven Noess, Director of Standards Development FRCC Reliability Performance Industry Outreach Workshop September 20, 2017 Supply Chain Risk Management 1 Cyber Security Supply
More informationExecutive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI
Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity
More informationJim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas
Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I
More informationCyber Security Reliability Standards CIP V5 Transition Guidance:
Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible
More informationNERC Overview and Compliance Update
NERC Overview and Compliance Update Eric Ruskamp Manager, Regulatory Compliance August 17, 2018 1 Agenda NERC Overview History Regulatory Hierarchy Reliability Standards Compliance Enforcement Compliance
More informationIndustry role moving forward
Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationNERC-Led Technical Conferences
NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines
More informationJim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas
Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I
More informationAgenda Technology and Security Committee November 6, :15 a.m.-12:00 p.m. Eastern
Agenda Technology and Security Committee November 6, 2018 11:15 a.m.-12:00 p.m. Eastern Grand Hyatt Atlanta in Buckhead 3300 Peachtree Rd NE Atlanta, GA 30305 Conference Room: Grand Ballroom - Lower Lobby
More informationDRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1
DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...
More informationViews on the Framework for Improving Critical Infrastructure Cybersecurity
This document is scheduled to be published in the Federal Register on 12/11/2015 and available online at http://federalregister.gov/a/2015-31217, and on FDsys.gov Billing Code: 3510-13 DEPARTMENT OF COMMERCE
More informationStandard Authorization Request Form
Title of Proposed Standard Cyber Security Request Date May 2, 2003 SAR Requestor Information Name Charles Noble (on behalf of CIPAG) Company Telephone SAR Type (Check box for one of these selections.)
More informationMeeting Minutes Personnel Certification Governance Committee
Meeting Minutes Personnel Certification Governance Committee November 6-7, 2012 JW Marriott Hotel New Orleans 614 Canal Street New Orleans, LA 70130 Administrative A meeting of the Personnel Certification
More informationERO Reliability Risk Priorities Report. Peter Brandien, Reliability Issues Steering Committee Chair WECC Reliability Workshop March 21, 2018
ERO Reliability Risk Priorities Report Peter Brandien, Reliability Issues Steering Committee Chair WECC Reliability Workshop March 21, 2018 Reliability Issues Steering Committee (RISC) Background 2 RISC
More informationAgenda Event Analysis Subcommittee Conference Call
Agenda Event Analysis Subcommittee Conference Call September 11, 2013 11:00 a.m. 1:00 p.m. Eastern Ready Talk Conference Call and Web Meeting Information: Dial-In: 1-866-740-1260 Access Code: 6517175 Security
More informationPhilip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011
CIP Standards Version 5 Requirements & Status Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company David Revill Georgia Transmission Corporation CSO706 SDT Webinar
More informationIndustry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018
Industry Webinar Project 2018-02 Modifications to CIP-008 Cyber Security Incident Reporting November 16, 2018 Agenda Presenters Standard Drafting Team NERC Staff - Alison Oswald Administrative Items Project
More informationImplementing Cyber-Security Standards
Implementing Cyber-Security Standards Greg Goodrich TFIST Chair, CISSP New York Independent System Operator Northeast Power Coordinating Council General Meeting Montreal, QC November 28, 2012 Topics Critical
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationTestimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON
Testimony Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Defending Our Democracy: Building Partnerships to Protect America
More informationTexas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13
Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas
More informationJuly 5, Mr. John Twitty, Chair NERC Member Representatives Committee. Dear John:
July 5, 2017 Mr. John Twitty, Chair NERC Member Representatives Committee Dear John: I invite the Member Representatives Committee (MRC) to provide policy input on one issue of particular interest to the
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationStandard CIP-006-3c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security
More informationBlackout 2003 Reliability Recommendations
Blackout 2003 Reliability Recommendations 2005 NPCC General Meeting The Cranwell Resort Lenox, MA September 29, 2005 Philip A. Fedora Director, Market Reliability Interface Northeast Power Coordinating
More informationStatement for the Record
Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before
More informationStandard Authorization Request Form
Standard Authorization Request Form Title of Proposed Standard: Project 2009-02: Real-time Reliability Monitoring and Analysis Capabilities Original Request Date: June 4, 2009 Revised Date: January 15,
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationDecember 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development
December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationBoard of Trustees Compliance Committee
Board of Trustees Compliance Committee August 13, 2014 10:00 a.m. 11:00 a.m. Pacific The Westin Bayshore 1601 Bayshore Drive Vancouver, BC V6G 2V4 Reliability Assurance Initiative (RAI) Progress Report
More informationUnofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)
Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Do not use this form for submitting comments. Use the electronic form to submit
More informationUNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION ON NIST FRAMEWORK AND ROADMAP
More informationCompliance Monitoring and Enforcement Program Technology Project Update
Compliance Monitoring and Enforcement Program Technology Project Update Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology Technology and Security Committee
More informationAugust Meeting Minutes Personnel Certification Governance Committee
August Meeting Minutes Personnel Certification Governance Committee August 28-29, 2012 Catamaran Resort San Diego, CA Administrative A meeting of the Personnel Certification Governance Committee was held
More informationDHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017
DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.
More informationStandards Authorization Request Form
Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) ) COMMENTS OF THE LARGE PUBLIC POWER COUNCIL
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE LARGE PUBLIC POWER
More informationStandard CIP-006-4c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security
More informationCIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014
CIP Version 5 Transition Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 Purpose of the Transition Program Transitioning entities confident in
More informationSupply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016
Supply Chain Cybersecurity Risk Management Standards Technical Conference November 10, 2016 Agenda Opening remarks Review conference objectives and ground rules Standards project overview Discuss draft
More informationMarch 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices
March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability
More informationNATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium
NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,
More informationCritical Infrastructure Protection Committee (CIPC)
Critical Infrastructure Protection Committee (CIPC) Westin Buckhead Atlanta Atlanta, GA December 15-16, 2015 Safety and Security Westin Buckhead Atlanta Staff will inform the CIPC concerning Fire and Evacuation
More informationCYBER SECURITY POLICY REVISION: 12
1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred
More information