Critical Infrastructure Protection Committee (CIPC)

1 Critical Infrastructure Protection Committee (CIPC) Hyatt Regency Louisville Louisville, KY March 8-9, 2016

2 Safety and Security Hyatt Regency Louisville Staff will provide guidance concerning Fire and Evacuation Procedures for our safety 2 RELIABILITY ACCOUNTABILITY

3 CIPC Voting Members and Attendees Wireless access is available: Network: PSAV_Event_Solutions Password: NERC0001 Please sign and pass the Attendance Sheets

4 Securing Our Assets 16,000 Transmission Substations 7098 Transmission Lines 1057 GW of Generation 334 million customers

5 Antitrust Guidelines
I. General
It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.
It is the responsibility of every NERC participant and employee who may in any way affect NERC's compliance with the antitrust laws to carry out this commitment.
Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another. The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC's antitrust compliance policy is implicated in any situation should consult NERC's General Counsel immediately.
II. Prohibited Activities
Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):
- Discussions involving pricing information, especially margin (profit) and internal cost information and participants' expectations as to their future prices or internal costs.
- Discussions of a participant's marketing strategies.
- Discussions regarding how customers and geographical areas are to be divided among competitors.
- Discussions concerning the exclusion of competitors from markets.
- Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.
- Any other matters that do not clearly fall within these guidelines should be reviewed with NERC's General Counsel before being discussed.

6 Membership Expectations
Our CIPC Charter Section 3 states the following: Voting members of the CIPC are expected to:
1. Bring subject matter expertise to the CIPC
2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector
3. Attend and participate in all CIPC meetings
4. Express their own opinions at committee meetings but also represent the interests of their Regions
5. Discuss and debate interests rather than positions
6. Complete assigned Committee, Task Force, and Working Group assignments
7. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance

7 Conduct of the Meeting Parliamentary Procedures: In the absence of specific provisions in NERC's Rules of Procedure, all committee meetings shall be conducted in accordance with the most recent edition of Robert's Rules of Order, Newly Revised in all cases to which they are applicable.

8 Critical Infrastructure Protection Committee Executive Committee Joe Garmon, FMPA Marc Child, Chair, Great River Energy Melanie Seader, EEI David Grubbs, City of Garland Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSA Ross Johnson, CEA David Revill, Vice Chair, NRECA Chuck Abell, Ameren John Galloway, ISO-NE Sam Chanoski, Secretary, NERC Physical Security Subcommittee (David Grubbs) Cybersecurity Subcommittee (David Revill) Operating Security Subcommittee (Joe Garmon) Policy Subcommittee (John Galloway) Physical Security WG (Ross Johnson) Control Systems Security WG (Mikhail Falkovich) Grid Exercise WG (Tim Conway) BES Security Metrics WG (VACANT) Physical Security Guidelines WG (John Breckenridge) Security Training WG (William Whitney) Business Continuity Guideline TF (Darren Myers) Physical Security Standard WG (Allan Wick) Compliance and Enforcement Input WG (Paul Crist)

9 CIPC Primary Voting Members
Org | Name | Company | Discipline
TRE | David Grubbs, Executive Committee | City of Garland | Operations
TRE | (vacant) | | Cyber
TRE | Darrell Klimitchek | STEC | Physical
FRCC | Paul McClay | TECO | Cyber
FRCC | Carter Manucy | Fla Municipal | Physical
FRCC | Joe Garmon, Executive Committee | Seminole | Operations
MRO | Marc Child, Chair | Great River Energy | Cyber
MRO | Paul Crist | Lincoln Electric System | Physical
MRO | (vacant) | | Operations
NPCC | John Galloway, Executive Committee | ISO-NE | Operations
NPCC | Greg Goodrich | NYISO | Cyber
NPCC | David Cadregari | Iberdrola USA Networks | Physical
RFC | Larry Bugh | ReliabilityFirst | Cyber
RFC | (vacant) | | Operations
RFC | Jeff Fuller | DPL | Physical
SERC | Chuck Abell, Executive Committee | Ameren | Operations
SERC | Cynthia Hill-Watson | TVA | Cyber
SERC | Bruce Martin | Duke Energy | Physical
SPP | John Breckenridge | KCPL | Physical
SPP | Allen Klassen | Westar | Operations
SPP | Eric Ervin | Westar | Cyber
WECC | Allan Wick | Tri-State G&T | Physical
WECC | Mike Mertz | PNM | Cyber
WECC | Lisa Carrington | Arizona Public Service | Operations
APPA | Scott Smith | Bryan, TX Utilities | Physical
APPA | Nathan Mitchell, Vice Chair | APPA | Policy
CEA | Francis Bradley | CEA | Physical
CEA | Ross Johnson, Executive Committee | Capital Power | Physical
CEA | David Dunn | IESO | Policy
NRECA | Robert Richhart | Hoosier | Policy
NRECA | David Revill, Vice Chair | Georgia Transmission | Policy

10 Proxies Received and Quorum
Thanks to all proxies attending today and serving as a proxy for your primary voting member!
Proxies received for this meeting:
- FRCC: Rich Kinas representing Paul McClay
- MRO: Michael Kraft representing vacancy left by Joe Mayfield
- NPCC: John Helme representing Greg Goodrich
- NPCC: Yan Hugues Boily representing David Cadregari
- RF: Mikhail Falkovich representing vacancy left by Kent Kujala
- SERC: Guy Andrews representing Bruce Martin
- SPP: Robert H. McClanahan representing Allen Klassen
- TRE: Amelia Sawyer representing vacancy left by Jim Brenton

11 Proxies Received and Quorum Announcement of CIPC Quorum of Voting Members: Based on the voting members in attendance, including the proxies received, we have achieved quorum for conducting CIPC business.

12 CIPC Roster Changes
New Voting Members: None
Vacancies of Voting Members:
- MRO (Operations), vacancy due to departure of Joe Mayfield, WAPA
- RF (Operations), vacancy due to retirement of Kent Kujala, DTE Energy (Mikhail Falkovich, PSE&G, pending NERC Board approval)
- TRE (Cyber), vacancy due to retirement of Jim Brenton, ERCOT
Thank you for your service to CIPC!

13 Chair's Remarks by Marc Child

14 Welcome to Louisville NERC CIPC Meeting Paul W. Thompson Chief Operating Officer NERC CIPC Meeting Louisville, Kentucky - March 8, 2016

15 Welcome to Louisville LOO-a-vul Derby City/River City Gateway to the South Strategic Central US Location Key Transportation Hub River, Highway, Air Cargo 2

16 An Active River-Trading Town 3

17 A Vibrant City.... 4

18 Home to Great Companies, People, Places 5

19 Company Overview

20 The Evolution of Our Company 7

21 PPL Overview PPL Electric Utilities Customers: 1.4 million Electric Transmission & Distribution Utility Regulatory Entity: Pennsylvania PUC Western Power Distribution Customers: 7.8 million Electric Distribution Utility Regulatory Entity: Ofgem LG&E and KU Energy Customers: 0.9 million Electric; 0.3 million Natural Gas Vertically Integrated Utility Regulated Capacity: 8.1 GW Regulatory Entities: Kentucky PSC, Virginia SCC 8

22 Number of Customers: Over 10 Million LG&E and KU 1.2M PPL Electric Utilities 1.4M Western Power Distribution 7.8M 9

23 LG&E and KU: Broadening the Portfolio 800 MW Supercritical Coal (2010) 640MW Natural Gas Combined Cycle ( MW Solar Array (2016) 10

24 Addressing Industry Challenges and the Importance of Physical and Cyber Security

25 Industry Challenges EPA regulations driving retirements of coal-fired base load Fleet migration toward gas-fired assets Increased regional presence of intermittent and distributed generation resources Outcome of the litigation on the Clean Power Plan 12

26 Physical and Cyber Security Changes the way WE WORK Physical Attacks Ted Koppel, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath Ukraine outage Drones

27 Good luck with your important meetings! Enjoy your stay in LOO-a-vul

28 North American Electric Reliability Corporation Critical Infrastructure Protection Committee Meeting March 8, 2016, Louisville, Kentucky Resolution of Appreciation
WHEREAS, Mr. Robert Canada has professionally and skillfully served the needs of electric industry security as a NERC and Electricity Information Sharing and Analysis Center employee since October 2013, and has recently announced his retirement as of April 1, 2016; and
WHEREAS, He served as a voting member of the Critical Infrastructure Protection Committee during his tenure with Southern Company, rising to Vice Chair, and served on the SERC Critical Infrastructure Committee, and twice served as the Chairman of the Edison Electric Institute's Security Committee; and
WHEREAS, His superb leadership has fostered significant and continuing progress on a broad range of physical security issues, drawing the absolute best technical and organizational focus from the committee members and stakeholders, not allowing less impactful issues to obscure his vision; and
WHEREAS, He continued to progress and enhance security through the targeted development and publication of security guidelines and initiatives that demonstrated the collective experience, expertise and judgment of the industry;
And Now, Therefore, be it RESOLVED, That the members of the NERC Critical Infrastructure Protection Committee hereby express their sincere thanks, deep appreciation and gratitude to Mr. Canada, a respected colleague and distinguished electric industry security leader, and wish him the best in his future endeavors.
Be it Further RESOLVED, That a copy of this resolution become part of the official permanent record of the NERC Critical Infrastructure Protection Committee Minutes.

29 E-ISAC Update Marc Sachs, Senior VP & Chief Security Officer Critical Infrastructure Planning Committee Meeting March 8,

30 Summary of Q Sharing and reporting 129 typosquatting notifications 184 E-ISAC staff posts to the portal 47 member responses to the portal items 46 additional posts to the portal from members 70 calls to the E-ISAC hotline Products Weekly reports every Monday afternoon Monthly reports started in October 2015 Daily reports started in January 2016 Events GridSecCon GridEx III 2

31 Summary of Q Staffing Finished adding new staff 21 in Washington office, one in Atlanta Facility Renovations completed in summer 2015 New information technology equipment installation began in December Completion of separation project expected by March 2016 Member Executive Committee Established in July 2015 Met by phone each month in fourth quarter Two working groups actively working on strategic review recommendations 3

32 2016 Plans Technology Major portal improvements, including new look/feel, chat, ability to manipulate data, and increased private collaboration space New server separate from NERC Malware/device lab Personnel Formal technical training program for individuals and teams Full-time person on NCCIC floor Industry augmentation on the Watch floor Facility Redesign Watch floor TSCM (bug) sweep 4

33 CRISP Additional government analysis capability New types of sensors and data collection Products GridEx III Distributed Play lessons learned and Executive Tabletop recommendation reports New daily one-page summary, and new annual report Events Expand GridSecCon Local/regional one-day physical and cyber security seminars Cross-sector and external partners Vice-chair of US National Council of ISACs International partners, such as CCIRC, CERT Australia, CERT UK, etc Plans 5

34 Power engineers at Ukraine's Prykarpattyaoblenergo electric utility identified failures in the robot that provided control of the substation and power equipment. Over 225,000 customers throughout the region were without power for up to six hours. Once Prykarpattyaoblenergo discovered the effects of the malware, they shifted operations into manual mode to mitigate the outage. Investigation is ongoing. Ukraine Event December 23,

36 Enhanced Background Investigation Screening Travis Moran Critical Infrastructure Planning Committee Meeting March 8,

37 2 Enhanced

38 ESCC Priority November 16, 2015 From the Electricity Sub-Sector Coordinating Council (ESCC) Meeting Notes: Action Items and Summary of Conclusions Enhanced Background Investigation Screening (EBIS) Working Group: Convene a working group that will determine methods for improving background investigations into personnel holding sensitive industry positions, including legal, human resources, and process issues. The Department of Energy (DOE) (Jim McGlone) and the Electricity Information Sharing and Analysis Center (E-ISAC) (Bob Canada) will co-lead facilitation of this working group. Owners: DOE, FBI, ESCC, and the E-ISAC. DHS participates. Time Frame: The working group will be stood up before the end of January 2016, and a representative of the group will provide a report at the next ESCC meeting.

39 Current Background Investigations Industry Concerns Regarding Hiring Processes What industry background investigations are and what they are not: Not a true nationwide check Not comprehensive Not universally required Differ from company to company Often conducted by human resources contractors Often no or infrequent updates (contractor changes complicate updates) No updating if subsequent arrests in between investigation periods 4

40 What We Know
Through research and collaboration with FBI, DOE and NRC we know the following:
- There is currently no national background check system or requirement for private electric sector critical infrastructure workers
- NRC and the financial sector have requirements
FDIC 1000 Section 19 Prohibition For Unauthorized Participation by Convicted Individual - "Except with the written consent of the Corporation no person shall serve as a director, officer, or employee of an insured bank who has been convicted, or who is hereafter convicted of any criminal offense involving dishonesty or breach of trust."
SEC f-2 Fingerprinting of securities industry personnel. (a) Exemptions for the fingerprinting requirement. Except as otherwise provided in paragraph (a)(1) or (a)(2) of this section, every member of a national securities exchange, broker, dealer, registered transfer agent and registered clearing agency shall require that each of its partners, directors, officers and employees be fingerprinted and shall submit, or cause to be submitted, the fingerprints of such persons to the Attorney General of the United States or its designee for identification and appropriate processing.

41 What We Know - Continued
1. FBI has criminal history repository via CJIS/NCIC
2. NRC has established procedures and requirements (10 CFR 73.57)
3. Fingerprints required for NRC applicants for unescorted access to FBI/CJIS
4. NRC licensee (entity) receives results and makes employment and access/denial decisions
5. NRC Backgrounds are authorized by legislation
6. Electric sector may require separate authorizing legislation
7. Legislation needs to be crafted by industry and tailored to industry's needs
8. Will require a collaborative legislative effort (industry, FBI/CJIS, DoE)

42 Nuclear Sector vs. Electric Sector
Nuclear Sector Backgrounds:
- Initial hire background completed by entity or 3rd party provider then referred to nuclear process.
- Non-Critical Workers (Outside Protected Area): Credit; fingerprints for criminal history; initial drug test. Non-protected area updates every 5 years.
- Critical Workers (inside Protected Area): Fingerprints for criminal history; drug test; psychological exam. Updated every 3 Years.
Electricity Sector Backgrounds:
- Often performed by Human Resources via private contractors
- Credit and single source (state & surrounding states criminal history if any)
- Not a true nationwide check
- Some have further vetting; most do not

43 FBI Mission: To equip law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties. History: Established in 1992 to serve as the focal point and central repository for criminal justice information services in the FBI. Largest division in the FBI. National Crime Information Center (NCIC) Uniform Crime Reporting (UCR) Automated Fingerprint Identification System (IAFIS) National Incident-Based Reporting System (NIBRS).

44 FBI Databases: National Crime Information Center (NCIC) Database. An electronic clearinghouse of criminal history/crime data that can be tapped into by virtually every criminal justice agency nationwide, 24 hours a day, 365 days a year. Person (criminal history) and Property Files: Known or Appropriately Suspected Terrorist (KST) Sentinel Foreign Fugitive Violent Person National Sex Offender Registry Gang Wanted Person & Terrorist Wanted Persons Immigration Violator Missing Person Protection Order Unidentified Person Protective Interest Identity Theft Supervised Release National Instant Criminal Background Check System (NICS) Property: Consists of mostly entered stolen or suspected stolen property

45 Integrated Automated Fingerprint Identification System
What is included in IAFIS? Not only fingerprints:
- Corresponding criminal histories
- Mug shots
- Scars and tattoo photos
- Physical characteristics like height, weight, hair and eye color
- Aliases
- Linkage to Sentinel system
- Corresponding reciprocating countries

46 Integrated Automated Fingerprint Identification System Initial Application Recertification & Rap-Back Program IAFIS & NextGen is maintained by the FBI's Criminal Justice Information Services (CJIS) Division in Clarksburg, WV.

47 Breakout Groups Operations: NERC DOE Dominion CJIS FBI Exelon Entergy Southern Co. Legal: NERC DOE Southern Co. NRC Dominion CJIS Legislative/Policy: APPA NERC Southern Co. EEI DHS DOE CJIS 12

49 Physical Security Program Bob Canada Associate Director, Physical Security and Analysis

50 Topics Covered Beyond Mandatory Reporting! Physical Security & Analysis Team Activities & Projects Reporting Physical Security Advisory Group Design Basis Threat (DBT) Enhanced Background Investigation Screening 2

51 What is the Status of Physical Security for the BES? Over 55,000 substations over 100 kV!

52 Beyond Mandatory Reporting for Information Sharing 4

53 Impacts of Weak Information Sharing: Greater Risk to BES! Isolation of Informed Entities! Lack of Actionable Information! Redundancies of Information Gathering! Wasted Resources and Funding! Delay of Pre-Attack Prevention Opportunities! Potential loss of life and BES Reliability!

54 Sharing Partnerships

55 Can we agree? Dynamic sharing among members can mitigate the rise of threats to BES Electricity Sector is at forefront vulnerability of U.S. economic stability Reporting critical and timely information can help protect the BES Strengthens existing partnership between private and public sector Question? Have you shared information with the E-ISAC? 7

56 E-ISAC Projects and Initiatives: PS Bulletins 2015
- June: Unmanned Aircraft Systems - Posted
- July: Incident Reporting Guide - Posted
- Aug: Suspicious Activity and Surveillance Detection - Posted
- Aug: Update to June bulletin on Unmanned Aircraft Systems - Posted
- Sept: Suspicious Activity and Surveillance Detection Activity Reporting - Posted
- Oct: Tabletop Exercise Template for Industry to use for Law Enforcement training - Posted
- Nov: Terrorism Trends Overseas - Posted

57 E-ISAC Projects and Initiatives Design Basis Threat (DBT) Completed NERC Legal and External Communications reviews Received NERC CEO Gerry Cauley Review without changes Announcement & Web Portal Posting This week! Enhanced Background Investigation Screening Working Group breakout Meetings Jan 18th and Feb 18th Recommendations due by April 1st to ESCC Agenda ESCC Meeting on May 2nd 9

58 What we are seeing from your reports sources? 10

59 Reports to E-ISAC 11

60 What's getting reported?
Shooting Incidents:
- 230kV insulators
- 115kV gang switch
- Control building
- 69/12kV transformer regulator
Break Ins:
- Undisclosed facility type. Cut barbed wire, nothing stolen
- Substation, cut fences, grounds stolen
- Undisclosed facility type. Cut gate lock, tools stolen from pickup truck.
- Substation control house. Lock missing, copper stolen.
- Undisclosed facility type. Remote location, video confirmed there was unauthorized access.

61 What's getting reported?
Suspicious Activity:
- Photography of a substation
- Photography of a generating station (2 separate incidents)
- Photography of an LNG facility
- Threatening phone call

62 Reports from Entities

63 End of Year Report Stats:

64 Are you getting our Reports?? If not, have you set your Notifications? 16

65 International Terrorism Trends Being able to identify, detect, and respond to terrorism trends and tactics is a crucial piece of the Electricity Subsector security posture. To be able to provide asset owners and operators with a complete picture of current threat trends and tactics, the E-ISAC reviewed relevant international terrorism data and concluded that transmission and distribution towers overseas continue to be a significant attack vector for various governmental and political adversaries. Overall, the analysis revealed that: 158 attacks occurred against electricity infrastructure internationally in percent of these attacks were against transmission towers or lines The remaining attacks were against power stations, or administrative buildings The primary tool of attack was explosives 17

66 Physical Security Advisory Group (PSAG) 18

67 PSAG Members
1. Ross Johnson, Capital Power
2. Allan Wick, Tri-State G & T
3. John Breckenridge, KCP&L
4. David Godfrey, Garland P&L
5. William Whitney III, Garland P&L
6. Jim McGlone, DoE Liaison
7. Bob Canada, Associate Director, Physical Security & Analysis E-ISAC
8. Travis Moran, Sr. Security Specialist, E-ISAC
9. Max Spector, Security Specialist, E-ISAC
10. Brian Harrell (Navigant)
10. Dan Jenkins, Dominion
11. Ben Mayo, DHS (ES-Liaison)
12. John Large, FP&L (EEI Security Committee)
13. Mike Hagee, SERC
14. Michael Lynch, DTE
15. Bruce Martin, Duke
16. Jim Spracklen, PNNL
17. Norma Brown, Ameren
18. Barry Page, C4S2 Global
19. Louie Dabdoub, Entergy
20. Marc Sachs, Sr. VP and CSO, E-ISAC

68 PSAG Projects 1. Design Basis Threat (DBT) 2. Enhanced Background Investigation Screening 20

69 PROJECT # 1 Design Basis Threat (DBT) Another Tool for Industry Use! SAG 21

70 Project Progress 1. PSAG Initial meeting March Pushed as a top priority! 2. DBT Workshop Sept 1st-3rd 3. DBT final research completed with DoE Intelligence - Determine Explosive Amounts? - VBIED inclusion? - Type of Insider Threat? 4. DoE requested our DBT comparison completed 5. Final draft to be completed by PSAG this week 6. Received NERC CEO approval Feb 23rd 7. Publish on E-ISAC Portal for Members

71 What is a Design Basis Threat? The DBT is used to determine the level of appropriate and cost effective physical protection measures required to protect against malicious acts, i.e. theft / sabotage. It is based on conservative assumptions that establish the magnitude of adversary force that the site's protective systems should be designed to defeat, expressed in terms of numbers of adversaries and their capabilities

72 Answers the question: What are we protecting against? Development of potential adversary scenarios Analysis of physical protection system (PPS) to determine effectiveness Identifying vulnerabilities of the PPS Improving the system and prioritizing upgrades Assessing risk and the cost-benefit tradeoffs 24

73 The DBT uses a graded threat approach (protect pencils like pencils and gold like gold). This takes into account factors such as: Attractiveness & Consequence of loss of the asset. Are there redundancies or ways to work around the loss? Assets are identified and then prioritized into Asset Protection Levels Reach consensus on realistic and credible threats against US power grid (consistent approach) Critical HV transformers Other critical nodes / infrastructure 25

74 Project # 2 Enhanced Background Investigation Screening 26

75 Project Progress 1. Born from Initial Discussions with PSAG Members, FBI and E-ISAC's PSAT. 2. Nov 6th meeting (FBI, DHS, DoE, NRC, Dominion, Entergy, Kansas City Power & Light, and FP&L in attendance). 3. ESCC gave its approval to form a smaller group. 4. First meeting in January Charged to come back with recommendations and project planning strategy.

76 Possible Impact 1. FBI could conduct additional screening measures against additional terrorism databases 2. Incorporate the enhanced screening of new employees 3. Incorporate a refresher background every 3-5 years 4. Incorporating an Insider Threat Mitigation strategy across the industry. 5. Incorporating additional screening across other sectors (i.e. telecommunication, water & finance) 28

77 What Can YOU Do to Help the Security of the Industry? 29

78 It's Your Job too! 1. Inform your company of and acceptance of the NERC Code of Conduct. 2. Moving past corporate fear of regulatory avoidance strategies with regard to voluntary reporting. 3. Get beyond the mandatory reporting paradigm 4. Contribute to Bulk Power System situational awareness! 5. Understand that every little piece of intelligence helps! 6. Entrusting partners to share their resources Resource Strengths Knowledge Of Threats Best Information Sharing Practices

79 Do your company's Physical and Cyber SMEs have an E-ISAC Membership? If Not, Why Not? Register a user account on the portal today at: General Contact: eisac@nerc.com 24 hour hotline: (404)

81 33 34 Years!

82 CIP Compliance Update CIPC Update Tobias Whitney, CIP Compliance Manager March 2016

83 Topics Issues transferred to the CIP V5 Revisions Standard Drafting Team SDT Next Steps Industry issues FERC directives Oversight and Outreach Self-Certs V5 CIP-014 Next Steps and Q&A

84 NERC's Coordinated Approach SDT REs Standards Compliance Coordination and Oversight NERC aware, informed and engaged

85 CIP V5 Transition Advisory Group (V5TAG) On November 22, 2013, FERC approved CIP V5. In 2014, NERC initiated a program to help industry transition from CIP V3 standards to CIP V5. The goal of the transition program is to improve industry's understanding of the technical security requirements for CIP V5, as well as the expectations for compliance and enforcement. CIP V5 Transition Program website:

86 CIP V5 Transition Advisory Group (V5TAG) V5TAG's Role & Composition Regional Entity Participants Registered Entity Participation NERC and FERC Consensus building through collaboration Over 40 CIP V5 related topics addressed: Lessons Learned; Frequently Asked Questions; 4 topics transferred to the SDT

87 CIP V5 Transition Advisory Group (V5TAG) Recognition that standards development was needed for some issues that could not be resolved through compliance guidance Enhanced coordination with compliance and enforcement for topics being addressed via standards development Facts and specific circumstances will dictate if violations will be identified to address areas of noncompliance for the related topics Regional Entities will use Areas of Concerns and Recommendations to help identify risks associated with specific implementations Feedback from industry will be used to help guide standard development activities

88 Cyber Asset and BES Cyber Asset Definitions
The SDT should consider the definition of Cyber Asset and clarify the intent of "programmable"
The SDT should consider clarifying and focusing the definition of BES Cyber Asset including:
- Focusing the definition so that it does not subsume all other cyber asset types
- Considering if there is a lower bound to the term "adverse" in "adverse impact"
- Clarify the double impact criteria (cyber asset affects a facility and that facility affects the reliable operation of the BES) such that N-1 contingency is not a valid methodology that can eliminate an entire site and all of its Cyber Assets from scope

89 Network and Externally Accessible Devices
The SDT should consider the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA) including:
- Clarify the exemption phrase "between discrete Electronic Security Perimeters." When there is not an ESP at the location, consider clarity that the communication equipment considered out of scope is the same communication equipment that would be considered out of scope if it were between two ESPs
- The word "associated" in the ERC definition is unclear in that it alludes to some form of relationship but does not define the relationship between the items. Striking "associated" and defining the intended relationship would provide much needed clarity

90 Network and Externally Accessible Devices (cont.)
The SDT should consider the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA) including:
- Review of the applicability of ERC including the concept of the term "directly" used in the phrase "cannot be directly accessed through External Routable Connectivity" within the Applicability section. As well, consider the interplay between IRA and ERC
- Clarify the IRA definition to address the placement of the phrase "using a routable protocol" in the definition and clarity with respect to Dial-up Connectivity
- Address the Guidelines and Technical Basis sentence, "If dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies."

91 Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
CIP , Attachment 1 Control Center criteria for additional clarity and for possible revisions related to TOs' Control Centers performing the functional obligations of a TOP, in particular for small or lower-risk entities
- Clarify the applicability of requirements on a TO Control Center that perform the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES
- The definition of Control Center
- The language scope of "perform the functional obligations of" throughout the Attachment 1 criteria

92 Virtualization CIP V5 standards do not specifically address virtualization. The SDT should consider revisions to CIP-005 and the definitions of Cyber Asset and Electronic Access Point that make clear the permitted architecture and address the security risks of network, server and storage virtualization technologies

93 Related Parts Supply Chain Standards Revisions FERC Order No. 822 and New Directives Standards NERC Coordination Oversight and Consistency Outreach ERO Monitoring V5 ERO Monitoring CIP-014 FERC-led Audits V5 FERC-led Audits CIP-014 Compliance

94 FERC Order No. 822
- Approved revisions to seven CIP Reliability Standards
- Directed NERC to develop modifications to address:
  - Transient electronic devices
  - Communication network components between control centers
  - Low-impact external routable connectivity
  - The effectiveness of remote access controls
- Does not address supply chain management

95 Self-Cert (V5 and CIP-014)
- Looking for quantities of assets (not cyber assets)
- Information will support effective scoping of compliance monitoring
- Do not provide specific location of related sensitive information
- Use comment fields to provide additional clarity when needed
- CIP-014 Self-Certs are due on May 2nd
- V5 Self-Certs are due on July 15th

97 Cyber Security Program Overview March 7, 2016 Jason Christopher Sr. Technical Leader 2016 Electric Power Research Institute, Inc. All rights reserved.

98 Cyber Security Program Overview

99 Cyber Security Research Lab
- Evaluate security architectures
- Develop new situational awareness capabilities
- Test identity and access management technologies
- Improve threat management and incident response

100 Cyber Security Technology (P183B) Protective Measures Technology Security & System Monitoring with IEC DNP3 Secure Authentication v5 Threat Management Technology IDS/IPS for Power Delivery Systems Integrated Threat Analysis Framework

101 Information Assurance (P183D)
- Security Architecture Methodology
- Cyber Security Metric Methodology
- Cyber Security Compliance Tools and Techniques

102 P183D Risk Management Guidance

103 Security Metrics Methodology
- Strategic: Corporate risk and business alignment (one number, heat map, infographic, etc.)
- Tactical: Programmatic health and progress (scorecards and audits)
- Operational: Real-time, day-to-day measurements (logs, rules, signatures, etc.)

104 Together Shaping the Future of Electricity

105 Legislative Update Critical Infrastructure Protection Committee March 8, 2016 Nathan Mitchell, American Public Power Association

106 Fixing America's Surface Transportation FAST Act 2015
- Provides the Secretary of Energy with the authority to address grid security emergencies
- DOE should develop a plan to establish a Strategic Transformer Reserve
- The plan should address impacts from: physical attack; cyber-attack; electromagnetic pulse attack; geomagnetic disturbances; severe weather; or seismic events.
- The plan must also include cost estimates and funding options.

107 Cyber Information Sharing Act 2015
DHS must certify that the automated indicator sharing (AIS) program is in place and running by March 17
- Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
- Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
- Privacy and Civil Liberties Interim Guidelines

108 Energy Policy Act Revisited
- Stalled out last month due to Flint Michigan Water disagreement
- Restarted this week with moderate possibility for movement and possible approval this Congress.
- More to come

110 Electricity Sector Coordinating Council (ESCC) Critical Infrastructure Protection Committee March 8, 2015 Nathan Mitchell, American Public Power Association

111 ESCC
ESCC Strategic Committees and SEWG Sub-Team Updates
ESCC Leadership & Secretariat
- Ukraine: DHS and E-ISAC worked together to analyze the outage and provide mitigation strategy for the industry.
- ESCC was called in to provide unity of message across the industry.
- Raise this to the CEO level and make sure the electricity industry takes notice and takes action.
- In response to Ukraine, DHS NPPD has taken the initiative of drafting a unity of message document that highlights industry-government grid security efforts to inform media interviews, speaking engagements, and other public statements.

112 ESCC
Government-Industry Coordination Committee
- Cyber Mutual Assistance: New working group formed
- Playbook Working Group: Update after GridEx III report
- Clear Path IV Exercise: April exercise in Portland informs the Cascadia Rising exercise in June
- Supply Chain Security: Energy Sector and Critical Manufacturers Working Group (ESCMWG), a joint partnership between the energy sector and the critical manufacturing sector
- Enhanced Background Investigation Services Working Group: Policy paper to the ESCC by May
- DOE Transformer Reserve proposal analysis

113 ESCC
Threat Information Sharing & Processes Committee
- E-ISAC Member Executive Committee: On March 17, the MEC will hold its next in-person meeting to discuss key findings of E-ISAC products, services, and tools reviews, and outline ways for the E-ISAC to continue improving their value to members
Leveraging Infrastructure / Research & Development Committee
- Electromagnetic Pulse (EMP) Taskforce: The taskforce will develop or build upon existing efforts in the public and private sector to better understand the threat and existing mitigation strategies, identify additional measures that can be developed, tested, and deployed to address the EMP threat, and inform EMP messages to external stakeholders.

114 ESCC Confirmed Calendar of Events / Conference Calls
- SEWG Monthly Call: Monday, March 28, at 2-3pm EST.
- Enhanced Background Investigation Screening (EBIS) Working Group: Morning of Thursday, March 17. (NERC DC offices)
- E-ISAC Member Executive Committee: Afternoon Thursday, March 17. (NERC DC offices)
- Cybersecurity Mutual Assistance Task Force: Webinars (March 1, 7 & 23). In person Denver, CO from April 4-5.
- ESCC Plus 1 Meeting: Monday, April 11 from 9:30am-3:00pm. (EEI - DC)
- ESCC Playbook Working Group Meeting: Tuesday, April 12 from 9am-1pm. (EEI - DC)
- Clear Path IV and Cascadia Rising Exercises: Portland, OR on April Cascadia Rising exercise scheduled for June 7-10 in the Pacific Northwest.

116 GridEx III Update Tim Conway, GEWG Chair NERC CIPC Louisville, Kentucky March 8, 2016

117 Agenda Distributed Play and Executive Tabletop Participation Objectives Observations Recommendations

118 Distributed Play Participation

119 Communications NERC Crisis Action Team Electricity Sub-sector Coordinating Council (ESCC) Energy GCC Other SCCs Executive Coordination Regional Entities Trade Associations NERC Bulk Power System Awareness (BPSA) E-ISAC Electricity Information Sharing & Analysis Center DOE Department of Energy DHS NCCIC ICS-CERT US-CERT Other Federal Agencies US: FBI, FERC, DOD Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC Coordination with Government Other Critical Infrastructures Telecommunications Oil & Gas others Vendor Support IT, ICS, ISP, Anti-virus Bulk-Power System Entities Coordinated Operations Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc. Local, State/Provincial Government Emergency Management Organizations Emergency Operations Centers / Fusion Centers Local FBI, PSAs ExCon GridEx III Exercise Control NERC staff, GEWG, Booz Allen, Nat'l Labs, SMEs for Sim-cell, etc.

120 Communications

121 Objectives Achieved?
Exercise crisis response and recovery
- 133 organizations and 800+ individuals more than GridEx II
- More CEH hours for system operators and others
- Increase in exercise response "Well" and "Very Well": Cyber (84%), physical (92%), and operational response (98%)
Improve communications
- "Very Well" increased by at least 14% in all areas
- Opportunity to increase involvement of other critical infrastructure sectors for GridEx IV
Identify lessons learned
- Opportunity for improvement, about 22% of active organizations shared lessons learned with NERC
Engage senior leadership
- Many organizations involved their senior management and crisis teams
- Executive tabletop

122 Observations and Recommendations
1. Coordinated response and communication
- Enhance internal communications procedures documentation
- For future exercises, test alternate communications facilities
2. Reporting mechanisms (OE-417, EOP-004, CIP-008, etc.)
- Improve reporting efficiency and effectiveness, eliminate redundancies
3. Active participation of system operators
- For future exercises, continue to encourage the active participation of Reliability Coordinators with entities in their area
- For future exercises, continue to encourage integration of cyber and physical security impacts with power system operation

123 Observations and Recommendations
4. E-ISAC information sharing
- Continue to enhance E-ISAC portal (e.g., easier user search for urgent and important information)
- Continue to develop Watch Operations Team capabilities
- Design next GridEx to include a more credible, limited-scope scenario to demonstrate E-ISAC analysis capability
- Design next GridEx to include a more realistic Move 0 scenario to simulate emerging threat, detection, and analysis
5. Introduction of new exercise tools
- Improve scenario inject distribution mechanism
- Improve volume/capacity and test well in advance of next exercise
- Include notification feature to alert users of new postings to social media tool

124 Observations and Recommendations
6. Advance exercise planning timelines
- Begin planning earlier (e.g., September for an exercise in November the following year)
- Continue to encourage participants to customize scenario to meet local objectives, consistent with baseline scenario and Reliability Coordinator involvement
- Develop player training material earlier for lead planners to deliver to their own players (not NERC)
7. After action survey and lessons learned
- Use similar after action survey questions for next GridEx
- Determine and address reasons for apparent reluctance of participants to share lessons learned with NERC

125 Executive Tabletop Participants
Participants
- Facilitated by a member of the President's National Infrastructure Advisory Council
- 17 NERC and utility senior executives
- 15 senior government officials (from the White House, DOE, DHS, FEMA, DOD, NSA, FBI, National Guard)
Observers
- About 70 individuals from participating organizations observed and provided feedback

126 Executive Tabletop Recommendations
Three discussion themes in the context of a severe electricity emergency
- Unity of messaging: how the industry and government receives and shares information with each other and the public (7 recommendations)
- Unity of effort: how the industry and government could improve coordination and sharing of resources (6 recommendations)
- Extraordinary measures: how the industry and government could consider regulatory and legislative needs to support timely recovery (10 recommendations)
Executive Tabletop report by March 2016

127 A Long-Term View November 15-16

128 Tentative Timeline
Planner logistics and planning 3-4 month
Milestones: CIPC Meeting (March 2016); C&O Meeting (June 2016 CIPC); IPC (September 2016 CIPC); MPC (March 2017 CIPC); FPC (June 2017 CIPC); Execute GridEx IV (November 15-16); Deliver AAR (Q1 2018)
Phases: Working Group Kick-Off; Initial Planning Phase; Mid-term Planning Phase; Final Planning Phase; Conduct; After Action
Activities: Establish Working Group Members; Establish Mail list; GridEx Awareness; Confirm goals & objectives; Finalize timeline; Discuss outreach goals/plan; Initiate outreach; Shape scenario themes; Confirm exercise mechanics; Craft scenario narrative; Develop materials; Confirm participation; Finalize MSEL; Conduct training; Distribute player materials; Set up venue and logistics; Oversee distributed play; Facilitate senior TTX; Capture player actions and findings; Analyze findings and lessons learned; Draft After Action Report and Briefing

129 Nomination Form

131 Self-Nomination and Recommendation Form
CIPC Subgroup (TF or WG) Member
Name of the Subgroup: Grid Exercise IV Working Group
Information about you, serving as reference (Please skip this section and go to #7 if you are self-nominating)
1. Name: Your first and last name.
2. Address: Your address.
3. Phone Number: Your phone number.
4. Employer: Who you work for or represent.
5. OC/PC/CIPC Member: Are you an OC, PC or CIPC member? Yes / No
6. NERC Membership sector, if applicable: If your employer is a NERC member, select their NERC membership sector. If not, select Not a NERC member.
Information about you for self-nomination or the person you are recommending
7. Name: Nominee's name.
8. Address: Nominee's address.
9. Title: Nominee's business title.
10. Employer: Who the nominee works for or represents.
11. Mailing Address: Nominee's business address.
12. Phone: Nominee's business phone number.
13. GEWG Alumni: Did you participate in the GridEx Working Group for GridEx II or GridEx III?
14. GridEx Alumni: Were you a player / planner in the GridEx I, GridEx II, or GridEx III exercises?
15. OC/PC/CIPC Member: Is the nominee an OC, PC or CIPC member?
16. Willingness to Serve: The nominee is willing to:
   a. Bring subject matter expertise to the subgroup.
   b. Attend and participate in all subgroup meetings.
   c. Express their opinions as well as the opinions of the sector/subgroup meetings.
   d. Discuss and debate interest rather than positions.
   e. Complete subgroup assignments.

132 Self-Nomination and Recommendation Form (page 2)
17. Job Description: Explanation of the nominee's responsibilities and technical qualifications in sufficient detail.
18. Reason for joining the subgroup: Explanation of why the nominee wants to join the subgroup.
19. Additional Information: Additional information about the nominee that would help the committee chair(s) decide to appoint this person.
20. GridEx IV Specific Information: Participation level you anticipate your organization will have in GridEx III (None, Monitor / observer, Full Player)
How to Submit this Form
this form as an attachment to the following: to: Tim Conway Chair conwaytimothyj@gmail.com Copy to: Bill Lawrence (Bill.Lawrence@nerc.net) Joe Garmon (jgarmon@seminole-electric.com)

133 Business Continuity Guideline Task Force (BCGTF) Update
Assignment
- Guided by the recommendations from the GridEx II Distributed Play Report
- Tasked to estimate surge staffing requirements in the event of a nationwide crisis considering sources of support in a resource-constrained environment
Analysis
- Determining thresholds for surge resources are plan-level details
- The context of the existing guideline is intended as a framework for identifying steps associated with developing operational continuity plans
Proposed update
- Severe events have the potential to interrupt the reliable supply of electricity and cause consequential public safety and national security implications. Utilities should consider surge resource requirements prior to a crisis and consider potential sources of support in a resource-constrained environment.
Recommendations from CIPC on next steps?

134 Business Continuity Guideline Task Force (BCGTF) Team Members
Thanks to:
- Jim Brenton - ERCOT (Sponsor)
- Darren Myers - Duke Energy (Chair)
- Laura Brown - NERC
- Mike Elrod - Oglethorpe Power
- Dave Francis - MISO Energy
- Carter Manucy - Florida Municipal Power Association
- Trey Melcher - E.ON Climate & Renewables
- Anil Mistry - ERCOT
- David Norton - FERC
- Laura Ritter - Exelon

135 Physical Security WG Ross Johnson, CPP 1

136 Activities
- Design Basis Threat
- Security Management Guideline for the Electricity Sector

137 Design Basis Threat
A DBT is a comprehensive description of the motivation, intentions and capabilities of potential adversaries against which protection systems are designed and evaluated. Such definitions permit security planning on the basis of risk management. A DBT is derived from credible intelligence information and other data concerning threats, but is not intended to be a statement about actual, prevailing threats.

138 Security Management Guideline for the Electricity Sector
- Writing has commenced
- The writing team has been recruited from the membership of the PSRG
- The product is one that has been recognized by the PSAG as needed by industry, and will eventually be released through the E-ISAC
- Three sections left to populate, then detailed review will commence
- We are at 35 pages so far

139 Security Management Guideline for the Electricity Sector (Continued)
Sections include:
- Introduction
- Definitions
- External References
- Security Management Program
- Security Risk Management
- Design Basis Threat
- Physical Security
- Information Security

140 Security Management Guideline for the Electricity Sector (Continued)
Sections include (continued):
- Industrial Control Systems Security
- Security Information Sharing and Communications
- Security Incident Investigation
- Training and Awareness
- Regulatory Compliance
- Change Management
- Continuous Improvement

141 Questions?

142 Threat & Incident Reporting Guideline (TF) Update - March 2016 John Breckenridge, CPP

143 How we fit in! CIP Committee Structure CIPC Executive Committee Physical Security Subcommittee David Grubbs Cyber Security Subcommittee Mark Child Operating Security Subcommittee Carl Eng Policy Subcommittee Nathan Mitchell Protecting Sensitive Information TF Control System Security WG Information Sharing TF BES Security Metrics WG Physical Security Guideline TF Cyber Attack Tree TF HILF Implementation TF Personnel Security Clearance TF Physical Security Ev Analysis WG Joint w/ OC & PC Cyber Security Analysis WG Joint w/ OC & PC Grid Exercise WG Compliance & Enforcement WG Physical Security Training WG Cyber Security Training WG

144 Threat & Incident Reporting Guideline TF
Activity Highlights
- Changes made reference to E-ISAC
- Input from Orlando Stephenson (some quick fixes to update links)
- Sam Chanoski participating w/ comments
- Team/Task Force formed
- Lisa Carrington, APS, currently assisting with review and revision
- Conference Calls/ s to team. (Last call was Mar. 3rd.)
- Plan to have finished product (TBD)
- Ensure no conflicts w/ other reporting requirements (OE-417, RCIS, etc.)
- Any comments or willingness to participate: Contact Randy Duncan/

146 BES Security Metrics WG CIPC Progress Report Nathan Mitchell, Interim Chair March 8-9, 2016

147 Executive Committee Joe Garmon, FMPA Marc Child, Chair, Great River Energy Melanie Seader, EEI David Grubbs, City of Garland Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSA Ross Johnson, CEA David Revill, Vice Chair, NRECA Chuck Abell, Ameren John Galloway, ISO-NE Sam Chanoski, Secretary, NERC Physical Security Subcommittee (David Grubbs) Cybersecurity Subcommittee (David Revill) Operating Security Subcommittee (Joe Garmon) Policy Subcommittee (John Galloway) Physical Security WG (Ross Johnson) Control Systems Security WG (Mikhail Falkovich) Grid Exercise WG (Tim Conway) BES Security Metrics WG (Larry Bugh) Physical Security Guidelines WG (John Breckenridge) Security Training WG (William Whitney) Business Continuity Guideline TF (Darren Myers) Physical Security Standard WG (Allan Wick) Compliance and Enforcement Input WG (Paul Crist)

148 Security Metrics Development Roadmap 2015 and Beyond We are here


More information

PIPELINE SECURITY An Overview of TSA Programs

PIPELINE SECURITY An Overview of TSA Programs PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance

More information

NERC Overview and Compliance Update

NERC Overview and Compliance Update NERC Overview and Compliance Update Eric Ruskamp Manager, Regulatory Compliance August 17, 2018 1 Agenda NERC Overview History Regulatory Hierarchy Reliability Standards Compliance Enforcement Compliance

More information

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda Rise in Data Breaches Effects of Increase in Cybersecurity Threats Cybersecurity Framework

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

Analysis of CIP-006 and CIP-007 Violations

Analysis of CIP-006 and CIP-007 Violations Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December

More information

Industry role moving forward

Industry role moving forward Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC

More information

Critical Infrastructure Protection Version 5

Critical Infrastructure Protection Version 5 Critical Infrastructure Protection Version 5 Tobias Whitney, Senior CIP Manager, Grid Assurance, NERC Compliance Committee Open Meeting August 9, 2017 Agenda Critical Infrastructure Protection (CIP) Standards

More information

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

National Policy and Guiding Principles

National Policy and Guiding Principles National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework

More information

HPH SCC CYBERSECURITY WORKING GROUP

HPH SCC CYBERSECURITY WORKING GROUP HPH SCC A PRIMER 1 What Is It? The cross sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD 21) A trust community partnership

More information

Physical Security Reliability Standard Implementation

Physical Security Reliability Standard Implementation Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No.

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No. UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Foundation for Resilient Societies ) Docket No. AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN OPPOSITION

More information

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i) Do not use this form for submitting comments. Use the electronic form to submit

More information

Department of Homeland Security Updates

Department of Homeland Security Updates American Association of State Highway and Transportation Officials Special Committee on Transportation Security and Emergency Management 2016 Critical Infrastructure Committee Joint Annual Meeting Department

More information

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas

More information

Agenda Technology and Security Committee November 6, :15 a.m.-12:00 p.m. Eastern

Agenda Technology and Security Committee November 6, :15 a.m.-12:00 p.m. Eastern Agenda Technology and Security Committee November 6, 2018 11:15 a.m.-12:00 p.m. Eastern Grand Hyatt Atlanta in Buckhead 3300 Peachtree Rd NE Atlanta, GA 30305 Conference Room: Grand Ballroom - Lower Lobby

More information

Cyber Security Standards Drafting Team Update

Cyber Security Standards Drafting Team Update Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications

More information

Cybersecurity for the Electric Grid

Cybersecurity for the Electric Grid Cybersecurity for the Electric Grid Electric System Regulation, CIP and the Evolution of Transition to a Secure State A presentation for the National Association of Regulatory Utility Commissioners March

More information

History of NERC January 2018

History of NERC January 2018 History of NERC January 2018 Date 1962 1963 The electricity industry created an informal, voluntary organization of operating personnel to facilitate coordination of the bulk power system in the United

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity: Services for State and Local Officials. February 2017 DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 CIP Version 5 Transition Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 Purpose of the Transition Program Transitioning entities confident in

More information

History of NERC August 2013

History of NERC August 2013 History of NERC August 2013 Timeline Date 1962 1963 November 9, 1965 1967 1967 1968 June 1, 1968 July 13 14, 1977 1979 Description The electricity industry creates an informal, voluntary organization of

More information

Agenda Critical Infrastructure Protection Committee September 12, :00 5:00 p.m. Eastern September 13, :00 a.m.

Agenda Critical Infrastructure Protection Committee September 12, :00 5:00 p.m. Eastern September 13, :00 a.m. Agenda Critical Infrastructure Protection Committee September 12, 2017 1:00 5:00 p.m. Eastern September 13, 2017 8:00 a.m. Noon Eastern The Hilton Quebec 1100, boul. René-Lévesque Est Quebec, QC, G1R 4P3

More information

Compliance Exception and Self-Logging Report Q4 2014

Compliance Exception and Self-Logging Report Q4 2014 Agenda Item 5 Board of Trustees Compliance Committee Open Session February 11, 2015 Compliance Exception and Self-Logging Report Q4 2014 Action Information Introduction Beginning in November 2013, NERC

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

Critical Infrastructure Protection Committee (CIPC)

Critical Infrastructure Protection Committee (CIPC) Critical Infrastructure Protection Committee (CIPC) Westin Buckhead Atlanta Atlanta, GA December 15-16, 2015 Safety and Security Westin Buckhead Atlanta Staff will inform the CIPC concerning Fire and Evacuation

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Cyber Security Reliability Standards CIP V5 Transition Guidance: Cyber Security Reliability Standards CIP V5 Transition Guidance: ERO Compliance and Enforcement Activities during the Transition to the CIP Version 5 Reliability Standards To: Regional Entities and Responsible

More information

Industry Webinar. Project Single Points of Failure. August 23, 2018

Industry Webinar. Project Single Points of Failure. August 23, 2018 Industry Webinar Project 2015-10 Single Points of Failure August 23, 2018 Agenda Presenters Standard Drafting Team o Chair, Jonathan Hayes, SPP o Vice Chair, Delyn Kilpack, LGE-KU NERC Staff o Latrice

More information

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat 2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat Faye Francy Aviation ISAC February 2015 Company Organization Corporate Defense, Space & Security Boeing Capital Corporation

More information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017 DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.

More information

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for

More information

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016 Project 2016-02 CIP Modifications Webinar on Revisions in Response to LERC Directive August 16, 2016 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice to obey the antitrust

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

Compliance Enforcement Initiative

Compliance Enforcement Initiative Compliance Enforcement Initiative Filing and Status Update November 2, 2011 Rebecca Michael Status of the Filings NERC filed several components of the Compliance Enforcement Initiative on September 30,

More information

ISAO SO Product Outline

ISAO SO Product Outline Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing

More information

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies: Emergency Support Function #12 Energy Annex ESF Coordinator: Department of Energy Primary Agency: Department of Energy Support Agencies: Department of Agriculture Department of Commerce Department of Defense

More information

MNsure Privacy Program Strategic Plan FY

MNsure Privacy Program Strategic Plan FY MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term

More information

NERC History, Mission and Current Issues Southern States Energy Board. October 16, 2011

NERC History, Mission and Current Issues Southern States Energy Board. October 16, 2011 NERC History, Mission and Current Issues Southern States Energy Board October 16, 2011 Electricity Vital to America 2 RELIABILITY ACCOUNTABILITY Risk Curve with Actual Events Severity ( Log Base 10) 2003

More information

CIP Version 5 Evidence Request User Guide

CIP Version 5 Evidence Request User Guide CIP Version 5 Evidence Request User Guide Version 1.0 December 15, 2015 NERC Report Title Report Date I Table of Contents Preface... iv Introduction... v Purpose... v Evidence Request Flow... v Sampling...

More information

The Office of Infrastructure Protection

The Office of Infrastructure Protection The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Organisation for the Prohibition of Chemical Weapons September 13, 2011 Overall Landscape

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

CIP Cyber Security Incident Reporting and Response Planning

CIP Cyber Security Incident Reporting and Response Planning Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Agenda Technology and Security Committee February 7, :15 a.m.-12:15 p.m. Eastern

Agenda Technology and Security Committee February 7, :15 a.m.-12:15 p.m. Eastern Agenda Technology and Security Committee February 7, 2018 11:15 a.m.-12:15 p.m. Eastern Hilton Fort Lauderdale Marina 1881 SE 17 th Street Fort Lauderdale, FL 33316 Conference Room: Grand Ballroom (1st

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

Agenda Event Analysis Subcommittee Conference Call

Agenda Event Analysis Subcommittee Conference Call Agenda Event Analysis Subcommittee Conference Call August 14, 2013 11:00 a.m. 1:00 p.m. Eastern Ready Talk Conference Call and Web Meeting Information: Dial-In: 1-866-740-1260 Access Code: 6517175 Security

More information

EARTH Ex 2017 Middle Planning Conference

EARTH Ex 2017 Middle Planning Conference EARTH Ex 2017 Middle Planning Conference 20 April 2017 Emergency All-sector Response to Transnational Hazards Exercise 23 August 2017 1 EARTH Ex 2017 MPC Sector Objectives Review EARTH Ex Plan, Concepts

More information

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016 Meeting Notes Project 2016-02 Modifications to CIP Standards Drafting Team June 28-30, 2016 Exelon Chicago, IL Administrative 1. Introductions / Chair s Remarks The meeting was brought to order by S. Crutchfield

More information

GridEx IV Initial Lessons Learned and Resilience Initiatives

GridEx IV Initial Lessons Learned and Resilience Initiatives GridEx IV Initial Lessons Learned and Resilience Initiatives LeRoy T. Bunyon, MBA, CBCP Sr. Lead Analyst, Business Continuity 2017 GridEx IV GridEx is a NERC-sponsored, North American grid resilience exercise

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

Low Impact Generation CIP Compliance. Ryan Walter

Low Impact Generation CIP Compliance. Ryan Walter Low Impact Generation CIP Compliance Ryan Walter Agenda Entity Overview NERC CIP Introduction CIP-002-5.1, Asset Classification What Should Already be Done CIP-003-7, Low Impact Requirements Tri-State

More information