Cybersecurity for the Electric Grid

Size: px
Start display at page:

Download "Cybersecurity for the Electric Grid"

Transcription

1 Cybersecurity for the Electric Grid Electric System Regulation, CIP and the Evolution of Transition to a Secure State A presentation for the National Association of Regulatory Utility Commissioners March 7, 2016

2 Table of Contents Introduction Cyber Security and Critical Infrastructure Critical Infrastructure Who to Regulate? Bulk Electric System Cyber Regulation Governance Structure Bulk Electric System Cyber Regulation Critical Infrastructure Protection Standards Overview Power & Utility Legislation Cyber vs. Non-cyber Legislation

3 Shari Gribbin Senior Manager Deloitte & Touche LLP Office: / Mobile: Shari is a senior manager in the Regulatory & Compliance market offering based in Washington, D.C. She specializes in compliance, governance, oversight, regulatory analysis and operational risk; cyber security regulatory analysis and program development; as well as compliance audit and investigation. Shari has more than 15 years of experience as both a regulatory lawyer and compliance leader across energy generation, transmission and distribution as well as wholesale power marketing and retail commodity businesses. Prior to joining Deloitte, Shari worked at Exelon Corporation and held a dual role as the enterprise-wide FERC Compliance Manager and lead counsel for FERC/NERC enforcement issues. She has led more than 45 FERC, NERC and state- level enforcement actions as well as hundreds of internal investigations and audits. She was also responsible for the development and implementation of corporate and business unit level compliance programs

4 Importance of Cyber Security: Why do we care? Executive Order Improving Critical Infrastructure Cyber security Incapacity or destruction of critical infrastructural assets or systems would have a debilitating impact on national economic security, public health, and safety. Directed NIST to work with industry leaders to develop Version 1.0 of the NIST Cybersecurity Framework. It is the policy of the U.S. to enhance the security and resilience of the Nation s critical infrastructure...through a partnership with the owners and operators of critical infrastructure -Executive Order Historic Blackouts Blackout of 2003, northeast US and Central Canada 50 million affected Cost of >$4 billion Hacking Cyber attacks against Saudi and Qatari energy companies Shamoon virus 30,000 computers destroyed Source:

5 Importance of Cyber Security: Critical Infrastructure Based on Industrial Control Systems Cyber Emergency Response Team s (ICS-CERT) recent report on incidence response activity, the energy sector reported the highest percentage of incidents reported (53%). The image below graphically depicts the most targeted critical infrastructure sectors. You are here Source: ICS-CERT Incidents October 2012 to May

6 Importance of Cyber Security: Critical Infrastructure Complex interconnections between systems (SCADA, Industrial Control Systems (ICS), smart grid, intelligent substations, and new customer systems) are dramatically reshaping the cyber threat landscape for the Power and Utilities Sector. 82 Percent of Energy Sector IT Pros Say a Cyber Attack Could Cause Physical Damage esecurity Planet, February, 2016 Attackers hacked Department of Energy 159 times in 4 years Computerworld.com, September, 2015 Energy Sector Beware: Cybersecurity Now Top Security Threat thelegalintelligencer.com, October, 2015 Utilities rank highest for risk of data breaches SmartGridNews, April 2015 If not acted upon, threats to the security and stability of the Power and Utility grid are expected to grow

7 Importance of Cyber Security: Motivated Threat Actors The cyber threat landscape is continually evolving and the impact of successful attacks on the Electrical grid is heightened. Threat actors are amassing individual footprints to target their attacks. Target External threats Power Grid Cyber criminals Hacktivists Organized crime Social media/ underground chatter Nation states Critical Infrastructure & Resources Data Center Network Infrastructure Nuclear Facility Employee Data Now more than ever, we need to be Cyber Aware! - 7 -

8 Critical Infrastructure Cyber Security: Who to regulate? Cyber Security Frameworks: The Voluntary/Mandatory Solution National Institute of Standards and Technology (NIST) Version 1.0 NIST Cybersecurity Framework - Issued February 2014 Voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk Other Frameworks and Standards ETSI Cyber Security Technical Committee Standards to increase privacy and security for organizations and citizens across Europe ISO provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system ISO a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management. ISA/IEC is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS) - 8 -

9 Critical Infrastructure Cyber Security: Who to regulate? Bulk Electric System: NERC CIP Mandatory Regulatory scheme for Bulk Electric System (BES) or The Grid is full suite of operationalized cyber security requirements designed to assure the reliability of the electric grid BES defined - fundamental to compliance, complicated NERC (North American Electric Reliability Corporation) is a nonprofit corporation whose mission is to ensure reliability of the Bulk-Power System in North America, responsible for developing, promulgating and enforcing BES cyber regulations As the electric reliability organization (ERO), NERC is subject to oversight by the Federal Energy Regulatory Commission (FERC) Develops and enforces reliability standards for planning and operating the collective bulk-power system Cyber Security suite of regulations focus on the cyber assets that are critical to operation and capable of impacting Bulk Electric System reliability - 9 -

10 Critical Infrastructure Cyber Security: Who to regulate? Energy Industry Readiness State regulatory focus on distribution level regulation of smart grid and similar customer facing technologies. Replacement of aging infrastructure and dated systems will result in a technology transformation that requires a new approach to cyber security. P&U is the tip of the spear for other Industrial Control System (ICS) driven businesses (Natural Gas, Oil & Gas, Water Utilities, and manufacturing / processing). Coordination of agencies, regulators, industry, private sector is essential. Security + IT + Compliance = Cyber Security The CIP Transition - Lessons Learned Transition to CIP shows building formal compliance structures around NIST and other frameworks can mitigate risks and failures. Consider the IT organization and their role in cyber security and compliance programs. Assess how to integrate and formalize cyber frameworks for the implementation of programs applicable to regulated and non-regulated assets to improve cyber security posture

11 BES Cyber Regulation: NERC Critical Infrastructure Protection (CIP) Standards NERC CIP (the cyber rules) focuses on protecting BES Cyber Systems and support systems used in the Bulk Electric System (BES) Urgent Action Standard (2003) responsive to increasing concerns around physical and cyber security out of 9/11 Evolved from UA 1200 to formal suite of enforceable regulation in parallel with NERC s journey to certified ERO Currently effective version, NERC CIP Version 3, which was effective for most entities in January Version 5 will take effect in July 2016 first major overhaul and biggest impact since Version 3 initial implementation Industry in process of transitioning to Version 5 and now Version 6. Consists standards covering the security of electronic perimeters, physical security of BES Cyber Systems, personnel and training, security management, disaster recovery, and more Source:

12 BES Cyber Regulation: NERC CIP Updates to Version 5 from Version 3 The v3/v4 to v5 facilities comparison Significant NERC CIP V5/V6 Updates NERC CIP covered systems and assets have become more explicit in their classification such as classifying Operations Technology (OT) Cyber Assets and systems at Generation plants, Utility substations, and Transmission facilities. Changes in language and terminology: The terms Critical Assets and Critical Cyber Assets are no longer used. BES Cyber Systems and BES Cyber Assets are new definitions. V5 BES Cyber Systems are now classified by their impact to the Bulk Electric System as High, Medium, or Low. Source for diagram: Implementation Plan.pdf?Mobile=1

13 BES Cyber Regulation - Terminology: Commonly Used NERC CIP Terms See NERC s Glossary of Terms used in NERC Reliability Standards, for a complete listing. Terminology CIP Senior Manager Cyber Asset BES Cyber System Electronic Security Perimeter (ESP) Physical Security Perimeter (PSP) Definition A single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011. A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or nonoperation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol. The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled

14 BES Cyber Regulation: NERC CIPv5 Standards Overview CIP : BES Cyber System Categorization CIP-003-5: Security Management Controls CIP : Personnel & Training CIP-005-5: Electronic Security Perimeter CIP-006-5: Physical Security of BES Cyber Systems CIP-007-5: Systems Security Management CIP-008-5: Incident Reporting & Response Planning CIP-009-5: Recovery Plans for BES Cyber Systems CIP-010-1: Configuration Change Management & Vulnerability Assessments CIP-011-1: Information Protection Identifies all BES Cyber Systems as having a High, Medium, or Low Impact on the reliability of the Bulk Electric System. Establishes consistent and sustainable security management controls to protect the Bulk Electric System. Requires documented processes or programs for security awareness, cyber security training, personnel risk assessment, and access management. Ensures High Impact and Medium Impact with ERC BES Cyber Systems are maintained within an Electronic Security Perimeter (ESP). Requires implementation of one or more documented physical security plans, and one or more documented visitor control programs. Addresses system security by specifying technical, operational, and procedural requirements in support of BES Cyber Systems. Requires documentation of one or more Cyber Security Incident response plans for BES Cyber Systems. Specifies the controls needed to protect data and implement a plan to recover reliability functions of BES Cyber Systems. Ensures configurations are monitored, changes are approved, and adverse impact is avoided to BES Cyber Systems. Requires the implementation of one or more documented information protection programs for BES Cyber Systems

15 Power & Utility Legislation Challenges (Illustrative) 14 Energy Legislation Status Number of Energy Bills/Laws Failed to pass over veto Introduced Passed House Resolving Differences Coordination is critical to success Status of Energy Bills/Laws

16 Cyber vs. Non-cyber Legislation Challenges (Illustrative) 7 Cyber Legislation Status 6 5 Number of Energy Bills/Laws Introduced Passed House Coordination is critical to success Status of Energy Bills/Laws

17 Questions/Comments

18 Copyright 2016 Deloitte & Touche, LLC. All rights reserved. 36 USC Member of Deloitte Touche Tohmatsu Limited

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Purpose. ERO Enterprise-Endorsed Implementation Guidance Lesson Learned CIP Version 5 Transition Program CIP-002-5.1 Requirement R1: Impact Rating of Generation Resource Shared BES Cyber Systems Version: January 29, 2015 Authorized by the Standards Committee

More information

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NARUC Energy Regulatory Partnership Program The Public Services Regulatory Commission of Armenia and The Iowa Utilities Board Janet Amick Senior Utility

More information

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013 COMPASS FOR THE COMPLIANCE WORLD Asia Pacific ICS Security Summit 3 December 2013 THE JOURNEY Why are you going - Mission Where are you going - Goals How will you get there Reg. Stnd. Process How will

More information

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015 Lesson Learned CIP Version 5 Transition Program CIP-002-5.1: Communications and Networking Cyber Assets Version: October 6, 2015 Authorized by the Standards Committee on October 29, 2015 for posting as

More information

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)

More information

Grid Security & NERC

Grid Security & NERC Grid Security & NERC Janet Sena, Senior Vice President, Policy and External Affairs Southern States Energy Board 2017 Associate Members Winter Meeting February 27, 2017 Recent NERC History Energy Policy

More information

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016 Grid Security & NERC Council of State Governments The Future of American Electricity Policy Academy Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016 1965 Northeast blackout

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc. Cyber Security For Utilities Risks, Trends & Standards IEEE Toronto March 22, 2017 Doug Westlund Senior VP, AESI Inc. Agenda Cyber Security Risks for Utilities Trends & Recent Incidents in the Utility

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018. Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada

More information

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers This document is scheduled to be published in the Federal Register on 07/28/2016 and available online at http://federalregister.gov/a/2016-17854, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

Cyber Attacks on Energy Infrastructure Continue

Cyber Attacks on Energy Infrastructure Continue NERC Cybersecurity Compliance Stephen M. Spina February 26, 2013 www.morganlewis.com Cyber Attacks on Energy Infrastructure Continue According to DHS, the energy sector was the focus of 40% of the reported

More information

Summary of FERC Order No. 791

Summary of FERC Order No. 791 Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

Physical Security Reliability Standard Implementation

Physical Security Reliability Standard Implementation Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days,

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Statement for the Record

Statement for the Record Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS siemens.com/ruggedcom INTERACTIVE REMOTE ACCESS INTELLIGENT ELECTRONIC DEVICES Intelligent Electronic Devices (IEDs) Devices that can provide real-time

More information

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014 02 CIP Version 5 Revisions replaces

More information

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

History of NERC December 2012

History of NERC December 2012 History of NERC December 2012 Timeline Date 1962-1963 November 9, 1965 1967 1967-1968 June 1, 1968 July 13-14, 1977 1979 1980 Description Industry creates an informal, voluntary organization of operating

More information

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO June 27, 2016 Training provided for Ontario market participants by the Market Assessment and Compliance Division of the IESO Module 1 A MACD training presentation

More information

Regulatory Impacts on Research Topics. Jennifer T. Sterling Director, Exelon NERC Compliance Program

Regulatory Impacts on Research Topics. Jennifer T. Sterling Director, Exelon NERC Compliance Program Regulatory Impacts on Research Topics Jennifer T. Sterling Director, Exelon NERC Compliance Program The 2003 Blackout On August 14, 2003, an electric power blackout affected large portions of the Northeast

More information

Cyber Security Standards Drafting Team Update

Cyber Security Standards Drafting Team Update Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Securing Industrial Control Systems

Securing Industrial Control Systems L OCKHEED MARTIN Whitepaper Securing Industrial Control Systems The Basics Abstract Critical infrastructure industries such as electrical power, oil and gas, chemical, and transportation face a daunting

More information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017 DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive

More information

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith OPUC Workshop March 13, 2015 Cyber Security Electric Utilities Portland General Electric Co. Travis Anderson Scott Smith 1 CIP Version 5 PGE Implementation Understanding the Regulations PGE Attended WECC

More information

THE TRIPWIRE NERC SOLUTION SUITE

THE TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED BUSINESS INTELLIGENCE SOLUTION BRIEF THE TRIPWIRE NERC SOLUTION SUITE A TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

October 2, CIP-014 Report Physical Security Protection for High Impact Control Centers Docket No. RM15-14-

October 2, CIP-014 Report Physical Security Protection for High Impact Control Centers Docket No. RM15-14- October 2, 2017 Ms. Kimberly D. Bose Secretary Federal Energy Regulatory Commission 888 First Street, NE Washington, D.C. 20426 Re: CIP-014 Report Physical Security Protection for High Impact Control Centers

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC

More information

SECURING THE SUPPLY CHAIN

SECURING THE SUPPLY CHAIN SECURING THE SUPPLY CHAIN BY Jerome Farquharson, CISSP, Donald Dustin Williams, PE, AND Courtney Buser The advance of smart grids, smart devices and increasingly interconnected systems provides exceptional

More information

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION ON NIST FRAMEWORK AND ROADMAP

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Standard CIP Cyber Security Security Management Controls

Standard CIP Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-4 3. Purpose: Standard CIP-003-4 requires that Responsible Entities have minimum security management controls in

More information

CIP V5 Implementation Study SMUD s Experience

CIP V5 Implementation Study SMUD s Experience CIP V5 Implementation Study SMUD s Experience Tim Kelley October 16, 2014 Powering forward. Together. SMUD Fast Facts General Information SMUD employs approximately 2,000 individuals Service area of 900

More information

Cyber Security Internal Audit Approach. AGA-EEI 2016 Internal Audit Training. August 23, 2016

Cyber Security Internal Audit Approach. AGA-EEI 2016 Internal Audit Training. August 23, 2016 Cyber Security Internal Audit Approach AGA-EEI 2016 Internal Audit Training August 23, 2016 About Cyber Security and What Has Changed 2 About Cyber Security Cyber criminals are actively profiling organizations

More information

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity Security Guideline for the Electricity Sector: Business Processes and Operations Continuity Preamble: It is in the public interest for NERC to develop guidelines that are useful for improving the reliability

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

History of NERC August 2013

History of NERC August 2013 History of NERC August 2013 Timeline Date 1962 1963 November 9, 1965 1967 1967 1968 June 1, 1968 July 13 14, 1977 1979 Description The electricity industry creates an informal, voluntary organization of

More information

Critical Cyber Asset Identification Security Management Controls

Critical Cyber Asset Identification Security Management Controls Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No.

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No. UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Foundation for Resilient Societies ) Docket No. AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN OPPOSITION

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for

More information

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Cybersecurity Overview

Cybersecurity Overview Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

Implementing Cyber-Security Standards

Implementing Cyber-Security Standards Implementing Cyber-Security Standards Greg Goodrich TFIST Chair, CISSP New York Independent System Operator Northeast Power Coordinating Council General Meeting Montreal, QC November 28, 2012 Topics Critical

More information

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity: Services for State and Local Officials. February 2017 DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

Smart Grid Standards and Certification

Smart Grid Standards and Certification Smart Grid Standards and Certification June 27, 2012 Annabelle Lee Technical Executive Cyber Security alee@epri.com Current Environment 2 Current Grid Environment Legacy SCADA systems Limited cyber security

More information

Implementation Plan for Version 5 CIP Cyber Security Standards

Implementation Plan for Version 5 CIP Cyber Security Standards Implementation Plan for Version 5 CIP Cyber Security Standards April 10September 17, 2012 Note: On September 17, 2012, NERC was alerted that some references in the Initial Performance of Certain Periodic

More information

PROTECTING NATIONAL CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS BEST PRACTICES RELATED TO TECHNOLOGY AND STANDARDS FROM EUROPE BANGKOK

PROTECTING NATIONAL CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS BEST PRACTICES RELATED TO TECHNOLOGY AND STANDARDS FROM EUROPE BANGKOK PROTECTING NATIONAL CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS BEST PRACTICES RELATED TO TECHNOLOGY AND STANDARDS FROM EUROPE BANGKOK 23.11.2015 DEFINITION OF CRITICAL INFRASTRUCTURE US EU The nation's

More information

FERC's Revised Critical Infrastructure Protection Demands Active Vigilance

FERC's Revised Critical Infrastructure Protection Demands Active Vigilance RESEARCH North America Power and Utilities Smart Grid FERC's Revised Critical Infrastructure Protection Demands Active Vigilance New Designation Includes All Cyber Assets Connected to Bulk Electric System

More information

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems This appendix establishes modifications to the FERC approved NERC standard CIP-009-6 for its specific application in New Brunswick. This appendix must be read with CIP-009-6 to determine a full understanding

More information

History of NERC January 2018

History of NERC January 2018 History of NERC January 2018 Date 1962 1963 The electricity industry created an informal, voluntary organization of operating personnel to facilitate coordination of the bulk power system in the United

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager 2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager NIST Cybersecurity Framework (CSF) Executive Order 13636 Improving Critical Infrastructure Cybersecurity tasked the National

More information

Critical Information Infrastructure Protection Law

Critical Information Infrastructure Protection Law Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia.

More information

Standard CIP Cyber Security Incident Reporting and Response Planning

Standard CIP Cyber Security Incident Reporting and Response Planning A. Introduction 1. Title: Cyber Security Incident Reporting and Response Planning 2. Number: CIP-008-4 3. Purpose: Standard CIP-008-4 ensures the identification, classification, response, and reporting

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-002-5.1 Cyber Security BES Cyber System Categorization This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR

More information

Analysis of CIP-006 and CIP-007 Violations

Analysis of CIP-006 and CIP-007 Violations Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December

More information

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Physical Security Reliability : Standard : Docket No. RD14-15-000 COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION I. INTRODUCTION On

More information

Industrial Control System Cyber Security

Industrial Control System Cyber Security Industrial Control System Cyber Security Disaster Recovery Information Exchange Bruce Tyson June 28, 2017 Lunch and Learn Introduction Bruce Tyson is a certified engineering technologist (CET Telecommunications

More information

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA The African Internet Governance Forum - AfIGF2017 5 Dec 2017, Egypt Agenda Why? Threats Traditional security? What to secure?

More information

Low Impact Generation CIP Compliance. Ryan Walter

Low Impact Generation CIP Compliance. Ryan Walter Low Impact Generation CIP Compliance Ryan Walter Agenda Entity Overview NERC CIP Introduction CIP-002-5.1, Asset Classification What Should Already be Done CIP-003-7, Low Impact Requirements Tri-State

More information

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra CIP-014 JEA Compliance Approach FRCC Fall Compliance Workshop Presenter Daniel Mishra Acronyms & Terminologies DHS Department of Homeland Security JEA It s not an acronym JSO Jacksonville Sheriff's Office

More information

Standard CIP-006-4c Cyber Security Physical Security

Standard CIP-006-4c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-4c 3. Purpose: Standard CIP-006-4c is intended to ensure the implementation of a physical security

More information

Ad Hoc Smart Grid Executive Committee. February 10, 2011 New Orleans, LA

Ad Hoc Smart Grid Executive Committee. February 10, 2011 New Orleans, LA Ad Hoc Smart Grid Executive Committee February 10, 2011 New Orleans, LA Agenda Time Topic and Location Lead 3:00 3:10p Welcome & Introductions George Bjelovuk, AEP 3:10 3:40p Regulatory Trends for Cyber

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

NERC Overview and Compliance Update

NERC Overview and Compliance Update NERC Overview and Compliance Update Eric Ruskamp Manager, Regulatory Compliance August 17, 2018 1 Agenda NERC Overview History Regulatory Hierarchy Reliability Standards Compliance Enforcement Compliance

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014 Critical Infrastructure Protection (CIP) Version 5 Revisions Standard Drafting Team Update Industry Webinar September 19, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice

More information

Information Assurance 101

Information Assurance 101 BUILT FOR SECURITY Information Assurance 101 Barbara Wert, Regulatory Compliance Specialist FoxGuard Solutions, Inc. The value of an organization lies within its information its security is critical for

More information

Exercise of FERC Authority for Cybersecurity of the North American Electric Grid

Exercise of FERC Authority for Cybersecurity of the North American Electric Grid Exercise of FERC Authority for Cybersecurity of the North American Electric Grid Thomas S. Popik Joseph M. Weiss George R. Cotter FERC Docket RM15-14-000 www.resilientsocieties.org Agenda Overall Concerns

More information

Project Physical Security Directives Mapping Document

Project Physical Security Directives Mapping Document Document Background In Order No. 802 (final order on CIP-014-1 Physical Security), issued on November 20, 2014, FERC directed NERC to remove the term widespread from Reliability Standard CIP-014-1 or,

More information

Industry role moving forward

Industry role moving forward Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013

More information

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities NRECA TechAdvantage March 2014 Patti Metro Manager, Transmission & Reliability Standards NRECA

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

Standard CIP-006-3c Cyber Security Physical Security

Standard CIP-006-3c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security

More information