NERC CIPC Chair Report


1 NERC CIPC Chair Report Chuck Abell June 10, 2014

2 2014 Efforts & Activities
Security Technology Awareness Workshop
CIP Physical Security Standard
CIP V5 791 Standards Drafting Team
CIP V5 Transition Program
Scenario Planning for GridEx III
Continuation of CRISP Program
Heartbleed Vulnerability Response
2 RELIABILITY ACCOUNTABILITY

3 2014 Efforts & Activities Continued
EO/PPD Efforts
David Revill Approved by Board to CIPC EC
CIPC Executive Committee Annual Planning
Grid Security Conference 2014
Reactivation of the CSSWG
Business Continuity Guideline Task Force

4 GridEx II Assignments
Security Training Working Group (w/ ESISTF)
Develop a training module to help individual entities understand when, how, and what information should be shared or reported, and how it is used by the receiving organizations.

5 GridEx II Assignments
Control System Security Working Group (CSSWG)
Complete Business Networks Guideline work begun in 2011 by the CSSWG to specifically address separation of business networks and control networks during an emergency.

6 GridEx II Assignments
Electricity Subsector Information Sharing TF (ESISTF)
While the ES-ISAC has the responsibility for this item, the ESISTF will assist by providing early input regarding priorities & options, and help develop mechanisms to communicate these processes to stakeholders.

7 GridEx II Assignments
Business Continuity Guideline TF
Complete Business Continuity guideline work to specifically address preservation of forensic data following a physical or cyber attack.

8 CIP Committee Structure
CIPC Executive Committee: Chuck Abell, Chair; Nathan Mitchell, Vice Chair; Jim Brenton, Vice Chair; Bob Canada, Secretary; Marc Child; Melanie Seader; David Grubbs; Jack Cashin; Ross Johnson; Barry Lawson; David Revill
Subcommittees: Physical Security Subcommittee (David Grubbs); Cyber Security Subcommittee (Marc Child); Operating Security Subcommittee (Jim Brenton); Policy Subcommittee (Nathan Mitchell)
Working Groups and Task Forces:
Physical Security WG (Ross Johnson)
Control System Security WG (Mikhail Flakovich)
ES Information Sharing TF (Stephen Diebold)
BES Security Metrics WG (James Sample)
Physical Security Guidelines WG (John Breckenridge)
Cyber Attack Tree TF (Mark Engels)
Grid Exercise WG (Tim Conway)
Personnel Security Clearance TF (Nathan Mitchell)
Security Training WG (William Whitney)
Cyber Security Analysis WG (Vacant)
Business Continuity Guideline TF (Darren Meyers)
Compliance & Enforcement Input WG (Paul Crist)

9 Critical Infrastructure Protection Matt Blizard, PE Director, Critical Infrastructure Protection CIPC, Orlando June 10th, 2014

10 CIP Updates and Activities
NERC Updates:
o ESISAC (CRISP, CRAPA, Aurora, Threats & Vulnerabilities)
o CIP v5 transition: Effective and Efficient Roll Out
o CIP v5 revisions, FERC Order 791
o Physical Security CIP
o Physical Security Manager
o Security Reliability Program (SRP)
o GridEx II Lessons Learned: Distributed Play and Executive Table Top
o Executive Order, NIPP, NIST Cybersecurity Framework
o CIPC Work Groups and Task Forces
Activities:
GridSecCon October 2014, Hyatt Regency, San Antonio, TX
GridEx III November

12 CIP Version 5 Revisions Standard Drafting Team Update Ryan Stewart, NERC Standards Developer June 11, 2014 CIPC

13 Agenda
Overview of FERC Directives
Overview of Development Activities
Overview of Revisions:
Identify, Assess, and Correct struck from 17 Requirements
Low Impact Assets revised (CIP-003)
Communication Networks revised (CIP-006 & CIP-007)
Transient Devices revised (CIP-004 & CIP-010)
Implementation Plan
Next Steps

14 Overview of FERC Directives
FERC approved CIP standards in January. FERC directed NERC to modify certain aspects:
Identify, Assess, and Correct language
Communication Networks
Low Impact assets protections
Transient Devices
Identify, Assess, and Correct and Communication Networks modifications must be filed at FERC by February 3,

15 Overview of Development Activities
SDT and observers participated in an aggressive development schedule from February to May
Ten hours of conference calls per week, including subgroup calls focused on each directive area
Four face-to-face SDT meetings
Participation from a variety of stakeholders ensured that the SDT considered different perspectives from industry, government, and NERC

16 Key Objectives
Address all four directive areas by the filing deadline
Outreach crucial during development and during the comment period
Observer engagement critical to success

17 Identify, Assess, Correct
Identify, Assess, Correct language struck from all 17 requirements
SDT determined that the requirements should state the performance expectation and that compliance language should be removed
Substantive requirements remain the same
Violation Severity Levels revised accordingly

18 Identify, Assess, Correct
SDT continues coordination with NERC Compliance and Enforcement Staff on supporting documents
NERC presented draft RSAWs for CIP-002, CIP-007, and CIP-009 to the SDT at its last meeting
RSAW development team continuing to modify drafts to prepare for concurrent posting with standards
SDT suggested scenarios for NERC to address under RAI
FAQ document on IAC and RAI
NERC staff will offer a more comprehensive view of RAI beyond CIP standards in a June 19 webinar (following the SDT webinar)

19 Identify, Assess, Correct
SDT posed questions to NERC Enforcement and Compliance regarding the Reliability Assurance Initiative (RAI)
Questions are included in a Frequently Asked Questions document posted as a supplement to the revised standards
Document focuses on how the RAI will handle high-frequency, low-risk security obligations in the compliance and enforcement domains once IAC is removed

20 Low Impact Assets
CIP Requirement R2 now in table format
SDT kept all requirements applicable to low impact assets in this requirement
Technical areas same as CIP passed by industry but with more specificity to meet the FERC directive
Proposed requirement language borrowed from existing, FERC- and industry-approved V5 standards but tailored to low impact
Parent requirement above table parts is as follows:

21 Low Impact Assets
CIP Requirement R2 now in table format
Part 2.1 CIP Senior Manager review and approval
Part 2.2 Operational or procedural control(s) to restrict physical access
Part 2.3 Physical access controls at Control Centers
Part 2.4 Electronic access controls
Part 2.5 Cyber Security Incident response plan(s)
Part 2.6 Reinforcing of security awareness

22 Communication Networks
CIP Requirement R1, new Part 1.10
Restrict physical access to cabling and other nonprogrammable communication components used for connection between applicable Cyber Assets within the same ESP in those instances when such cabling and components are located outside of a PSP.
Where physical access restrictions are not implemented, the entity shall document and implement:
o Encryption of data
o Monitoring the status of the communication link and issuing an alarm
o Equally effective logical protection
Applicable to High Impact BES Cyber Systems and PCAs, and Medium BES Cyber Systems at Control Centers and PCAs

23 Communication Networks
CIP Requirement R1, Part 1.2: new applicability and incorporated new glossary term

24 Transient Devices
New and Modified Definitions
Transient Cyber Asset - A Cyber Asset directly connected for 30 consecutive calendar days or less, to: (1) a BES Cyber Asset, (2) a network within an ESP, or (3) a Protected Cyber Asset. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
Removable Media - Portable media, connected for 30 consecutive calendar days or less, that can be used to copy, move and/or access data. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. A Cyber Asset is not Removable Media.
30-day exemption removed from BES Cyber Asset and Protected Cyber Asset definitions

25 Transient Devices
CIP modified Requirement R2, Part
Adds Transient Cyber Assets and Removable Media to the cybersecurity training program requirement
CIP new Requirement R
authorize the usage of Transient Cyber Assets prior to initial use
4.2- use method(s) to deter, detect, or prevent malicious code on Transient Cyber Assets
4.3- use method(s) to detect malicious code on Removable Media
4.4- mitigate the threat of detected malicious code
4.5- update signatures or patterns for methods in 4.2 and evaluate Transient Cyber Assets for deviations
4.7- evaluate Transient Cyber Assets to ensure patches are up-to-date
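As an added worked example (not part of the CIPC slides or of any NERC tool), the Python script below applies the two definitions from the previous slide and the CIP-010 R4-style parts listed on this one to a constructed device inventory. It computes the longest run of consecutive calendar days a device was connected, merging back-to-back connection intervals so that an overnight disconnect does not reset the count; classifies the device as a Transient Cyber Asset, Removable Media, or neither (with the 30-day exemption gone, a longer-connected asset has to be evaluated as a BES Cyber Asset or Protected Cyber Asset); and then lists which of the enumerated controls lack evidence. The Device record and its field names, the 35-day signature-freshness window, the review date and the three sample devices are all assumptions made for this example; the standard itself sets no signature age.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Threshold from the proposed definitions: "30 consecutive calendar days or less".
TRANSIENT_MAX_DAYS = 30
# Assumed freshness window for malicious-code signatures; the standard sets no number.
SIGNATURE_MAX_AGE_DAYS = 35


@dataclass
class Connection:
    """One period a device was connected to a BES Cyber Asset, ESP network or PCA.
    'end' is the last calendar day connected, inclusive."""
    start: date
    end: date


@dataclass
class Device:
    """Constructed inventory record; the field names are this example's assumptions."""
    name: str
    is_cyber_asset: bool                  # True: candidate Transient Cyber Asset; False: candidate Removable Media
    connections: List[Connection]
    authorized_on: Optional[date] = None  # usage authorization (required prior to initial use of a TCA)
    malware_control: bool = False         # 4.2: method to deter, detect or prevent malicious code on a TCA
    scanned_before_use: bool = False      # 4.3: malicious code detection performed on Removable Media
    malware_detected: bool = False
    malware_mitigated: bool = False       # 4.4: threat of detected malicious code mitigated
    last_signature_update: Optional[date] = None  # 4.5: signatures/patterns updated
    patches_current: bool = False         # 4.7: patches evaluated as up to date on a TCA


def longest_consecutive_days(conns: List[Connection]) -> int:
    """Longest run of consecutive calendar days covered by the connection intervals.
    Overlapping and back-to-back intervals (one ends on day d, the next starts on
    d+1) are merged, so disconnecting overnight does not reset the count."""
    if not conns:
        return 0
    spans = sorted((c.start, c.end) for c in conns)
    longest = 0
    run_start, run_end = spans[0]
    for start, end in spans[1:]:
        if start <= run_end + timedelta(days=1):
            run_end = max(run_end, end)
        else:
            longest = max(longest, (run_end - run_start).days + 1)
            run_start, run_end = start, end
    return max(longest, (run_end - run_start).days + 1)


def classify(device: Device) -> str:
    """Apply the 30-consecutive-day test from the proposed definitions."""
    if longest_consecutive_days(device.connections) > TRANSIENT_MAX_DAYS:
        return "not transient"
    return "Transient Cyber Asset" if device.is_cyber_asset else "Removable Media"


def evaluate_device(device: Device, as_of: date) -> Tuple[str, List[str]]:
    """Return the classification and the list of controls lacking evidence."""
    kind = classify(device)
    findings: List[str] = []
    if kind == "not transient":
        findings.append(f"connected {longest_consecutive_days(device.connections)} consecutive days; "
                        "evaluate as BES Cyber Asset or Protected Cyber Asset (30-day exemption removed)")
        return kind, findings
    first_use = min(c.start for c in device.connections)
    if kind == "Transient Cyber Asset":
        if device.authorized_on is None or device.authorized_on > first_use:
            findings.append("usage not authorized prior to initial use")
        if not device.malware_control:
            findings.append("4.2: no method to deter, detect or prevent malicious code")
        if (device.last_signature_update is None
                or (as_of - device.last_signature_update).days > SIGNATURE_MAX_AGE_DAYS):
            findings.append("4.5: signatures/patterns older than the assumed freshness window")
        if not device.patches_current:
            findings.append("4.7: patches not evaluated as up to date")
    elif not device.scanned_before_use:
        findings.append("4.3: no malicious code detection performed on Removable Media")
    if device.malware_detected and not device.malware_mitigated:
        findings.append("4.4: detected malicious code not mitigated")
    return kind, findings


# Constructed sample data: a review date and three devices (none are real inventory).
AS_OF = date(2014, 6, 10)
SAMPLE_INVENTORY = [
    Device("eng-laptop-01", True, [Connection(date(2014, 5, 1), date(2014, 5, 10))],
           authorized_on=date(2014, 4, 28), malware_control=True,
           last_signature_update=date(2014, 6, 1), patches_current=True),
    Device("usb-drive-07", False, [Connection(date(2014, 6, 2), date(2014, 6, 2))],
           malware_detected=True),
    Device("vendor-laptop-03", True,
           [Connection(date(2014, 4, 1), date(2014, 4, 12)),
            Connection(date(2014, 4, 13), date(2014, 5, 2))],  # back-to-back: 32 consecutive days
           authorized_on=date(2014, 3, 30), malware_control=True,
           last_signature_update=date(2014, 4, 1), patches_current=True),
]


def run_report(inventory: List[Device] = SAMPLE_INVENTORY,
               as_of: date = AS_OF) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every device in the inventory as of the given review date."""
    return {d.name: evaluate_device(d, as_of) for d in inventory}


if __name__ == "__main__":
    for name, (kind, findings) in run_report().items():
        print(f"{name}: {kind}; " + ("; ".join(findings) if findings else "no findings"))
```

The interval merge is the part worth attention: the vendor laptop was never connected for more than 20 days in one sitting, yet its two sessions run back to back and add up to 32 consecutive calendar days, so it falls outside the transient definition entirely and the R4-style controls are not the right lens for it.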

26 Transient Device Protection
Modification to Other Standards
CIP Adds Transient Cyber Assets and Removable Media to the cybersecurity training program in Requirement R2, Part 2.1.
CIP Added clarifying language in guidance for Requirement R3 (malware protection) to remind entities of the Transient Device Protections in CIP-010-2, Requirement R4.
CIP Added qualifiers to guidance for entities to include Transient Cyber Assets and Removable Media in their information protection programs.

27 Implementation Plan
Builds from the April 1, 2016 effective date of V5
While the standard has an effective date, a compliance date may differ for Requirements
Do not expect IAC language from V5 to go into effect
The following from the V5 implementation remains the same:
Initial performance of certain periodic requirements
Previous identity verification
Planned or unplanned changes resulting in a higher categorization

28 Implementation Plan
For those requirements and parts not listed below, the compliance date would be the effective date of the standard, which is proposed to be the later of April 1, 2016 or 3 months following govt. approval.

29 Posting Schedule
NERC Standards Committee authorized posting for 45-day comment and ballot on May 30
Comment period open June 2-July 16
Join the ballot pool from June 2-July 2
Reliability Standards Audit Worksheets (RSAWs) will be posted by June 17 (not a part of the record for standards development)
Ballot period open July 7-16
Will use the current ballot and commenting system.

30 Next Steps
Industry SDT webinar June 19: 1-3pm ET, followed by RAI webinar from 3-5pm ET
SDT will consider all comments and make appropriate revisions
SDT meeting week of July 28 in St. Paul, MN
SDT meeting week of August 19 in San Francisco, CA

32 National Infrastructure Protection Plan (NIPP) Updates Laura Brown Critical Infrastructure Protection Committee Meeting June 10, 2014

33 NIPP Overview
The revised NIPP was completed in
Greater focus on integrating cybersecurity and physical security efforts.
More closely aligned with national preparedness efforts.
Increased focus on cross-sector and cross-jurisdictional coordination.
Integrates information sharing as an essential component of the risk management framework.
Drives action toward long-term improvement.

34 Joint National Priorities
Section 6 Call to Action includes setting national focus through jointly developed priorities.
The Department of Homeland Security (DHS) worked with government and industry to identify priorities and submitted the following:
Integrating Cyber and Physical Risk Management
Improving Resilience Decision Making
Strengthening Risk Management Partnerships to Enhance National Capacity
Executing Enhanced Incident Response and Recovery

35 Next Steps
The priorities are generally consistent with the Energy Sector-Specific Plan and Electricity Sub-sector Coordinating Council activities.
As the Sector-Specific Agency, the Department of Energy submitted comments to DHS on the joint national priorities.
DHS is holding a meeting Thursday to discuss the latest version of the joint national priorities.

37 Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order Improving Critical Infrastructure Cybersecurity May 2014

38 Role of the National Institute of Standards and Technology in Cybersecurity
The National Institute of Standards and Technology's mission is to stimulate innovation, foster industrial competitiveness, and improve the quality of life.
Role in cybersecurity began in 1972 with the development of the Data Encryption Standard, when the commercial sector also had a legitimate need for cryptography, including in ATMs.
Responsibilities were strengthened through the Computer Security Act of 1987 and reaffirmed through the Federal Information Security Management Act of

39 Improving Critical Infrastructure Cybersecurity Executive Order
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." - President Barack Obama, Executive Order 13636, Feb. 12, 2013
The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work

40 Based on the Executive Order, the Cybersecurity Framework Must...
Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
Incorporate international voluntary consensus standards and industry best practices to the fullest extent possible
Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations

41 Development of the Cybersecurity Framework
Engage the Framework Stakeholders: EO Issued February 12, 2013; NIST Issues RFI February 26,; 1st Framework Workshop April 03, 2013
Analyze RFI Responses: 2nd Framework Workshop at CMU May 29-31, 2013; Draft Outline of Preliminary Framework June 2013
Identify Framework Elements: 3rd Framework Workshop at UCSD July 10-12, 2013; Discussion Draft of the Preliminary Framework August 28, 2013
Prepare and Publish Preliminary Framework: 4th Framework Workshop at UT Dallas September 11-13, 2013; Publish Preliminary Framework October 29, 2013
Final Framework: 5th Framework Workshop at NCSU Nov 14-15, 2013; Publish Final Framework February 13,
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process

42 Framework Components
Framework Core: Cybersecurity activities common across critical infrastructure sectors and organized around particular outcomes. Enables communication of cyber risk across an organization.
Framework Profile: Aligns industry standards and best practices to a particular implementation scenario. Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation.
Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization. Describes the degree to which an organization's cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive).

43 Framework Core

44 Framework Core - Sample

45 How to Use the Cybersecurity Framework
The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
Understand security status
Establish / Improve a cybersecurity program
Communicate cybersecurity requirements with stakeholders, including partners and suppliers
Identify opportunities for new or revised standards
Identify tools and technologies to help organizations use the Framework
Integrate privacy and civil liberties considerations into a cybersecurity program

46 What's Next: Using the Cybersecurity Framework
Organizations led by their senior executives should use the framework now, and provide feedback to NIST
Industry groups, associations, and non-profits can play key roles in assisting their members to understand and use the framework by:
Building or mapping their organizations' specific standards, guidelines, and best practices to the framework
Developing and sharing examples of how organizations are using the framework
NIST is committed to helping organizations understand and use the framework
The Administration will also look at possible incentives and other policy drivers

47 What's Next: Areas for Development, Alignment, and Collaboration
The Executive Order calls for the framework to identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations
High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:
Authentication
Automated Indicator Sharing
Conformity Assessment
Cybersecurity Workforce
Data Analytics
Federal Agency Cybersecurity Alignment
International Aspects, Impacts, and Alignment
Supply Chain Risk Management
Technical Privacy Standards

48 Recapping Key Points about the Framework
It's a framework, not a prescription
It provides a common language and systematic methodology for managing cyber risk
It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity
Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone, and allow for interoperability
The framework is a living document
It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change
Practices, technology, and standards will change over time; principles will not

49 Where to Learn More and Stay Current
The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at:
Material on NIST's work in cybersecurity can be found at:

50 PROGRAM OVERVIEW
Welcome to the community.

51 "Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity." - The White House, Executive Order 13636

52 SOLUTION PROPOSED BY EO
o NIST to develop a Cybersecurity Framework
o A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
o A whole of community approach to risk management, security and resilience.
o Joint action by all levels of government and the owners and operators of critical infrastructure

53 ROLE OF THE CRITICAL INFRASTRUCTURE CYBER COMMUNITY VOLUNTARY PROGRAM
The C³ Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.

54 OUR ROLE
Framework implementation guidance
Focal point for resources and tools
Relationship management
Feedback collection
Administration Policies: EO highlights the need for improved cybersecurity among critical infrastructure. PPD-21 calls for efforts to strengthen the physical and cyber security and resilience of our Nation's critical infrastructure.
Critical Infrastructure: Ranging from emergency services and transportation systems to small and medium sized businesses, the U.S. critical infrastructure provides the essential services that underpin American society.
Cybersecurity Framework: One of the major components of the EO is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk as part of their approach to enterprise risk management.

55 GOALS
o Support increasing critical infrastructure cyber resilience
o Increase awareness and use of the Framework
o Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management

56 There are three key activities the program is supporting, which we emphasize as the Three C's:
CONVERGING
o Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
CONNECTING
o Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
COORDINATING
o Coordinating critical infrastructure cross sector efforts to maximize national cybersecurity resilience.

57 CONVERGING RESOURCES
C³ Voluntary Program website offers an overview of the program, downloadable tools, and outreach materials
Links to the US-CERT C³ Voluntary Program gateway
Existing programs/resources have been aligned with the Framework Core Function Areas (Identify, Protect, Detect, Respond, Recover)
Broken out by stakeholder type
Demonstrates offerings to support the Framework's principles
As they become available, cross sector, private sector, S/L resources will be referenced

58 CONVERGING RESOURCES, cont.
DHS will support use of the Cybersecurity Framework primarily through the Cyber Resiliency Review (CRR).
No-cost, voluntary, non-technical assessment to evaluate an organization's information technology resilience.
The CRR may be conducted as a self-assessment or in-person.
To date, DHS has conducted more than 330 CRRs at the request of critical infrastructure entities nationwide.
The inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework.
Analyzes current practices and how they compare to the principles of the Cybersecurity Framework.

59 CONNECTING STAKEHOLDERS
Business-to-Business / Government-to-Business:
Engage each of the sectors through the CIPAC Framework to establish sector-specific approaches and guidance, utilizing established partnership mechanisms, models, and approaches
Work directly with organizations interested in receiving information about the Framework, resources, and initiatives
Encourage organizations to develop use cases or to work with their industry peers and business partners to promote the Framework
Government-to-Government:
Federal: Work with Federal departments and agencies to understand use of the Framework
SLTT outreach: Work with state and local governments to promote government use of the Framework and to reach businesses in their localities

60 COORDINATING EFFORTS
Phase 1 Momentum Development: February 2014 - February 2015
Phase 2 Sector Strategy Rollout: February 2015 - February 2016
Phase 3 Ongoing Support for Framework Use based on Lessons Learned: February 2016 - Ongoing

61 NEXT STEPS
Get engaged: The C³ Voluntary Program will be supporting engagement during the coming year. The program will visit sector by sector events, potentially regional events/workshops utilizing our CSAs, and will potentially look into RFIs for broad public engagement
Visit us at or: Check out the website, download and use the messaging kit, and reach out to the different programs for support
Try out the CRR and reach out to CSEP if you have questions on the methodology or need assistance
Contact us at CCubedVP@hq.dhs.gov: Contact the C³ Voluntary Program to send feedback or for any questions about what resources DHS is offering or how to engage different programs

62 dhs.gov/ccubedvp #ccubedvp

63 Welcome to the community.

64 Update on RISC Activities CIPC Meeting June 10/11, 2014 Jim Brenton CIPC RISC Member Principal, Regional Security Coordinator ERCOT Electric Reliability Council of Texas

65 RISC Mission & Purpose*
Provides a framework for steering, developing, formalizing, and organizing recommendations to help NERC and the industry effectively focus their resources on the critical issues needed to best improve the reliability of the BPS
Benefits of the RISC include improved efficiency of the NERC standards program. In some cases, that includes recommending reliability solutions other than the development of new or revised standards and offering high-level stakeholder leadership engagement and input on issues that enter the standards process.
* Per the RISC Charter

66 RISC Mission & Purpose*
Triages and provides front-end, high-level leadership and accountability for nominated issues of strategic importance to bulk power system (BPS) reliability
Assists the Board, NERC standing committees, NERC staff, regulators, Regional Entities, and industry stakeholders in establishing a common understanding of the scope, priority, and goals for the development of solutions to address these issues
* Per the RISC Charter

67 Planned RISC Agenda - June
:2017 Reliability Standards Development Plan, RSDP
Integration of Variable Generation Task Force (IVGTF) report
State of Reliability 2014 Report
Emerging Trends in the Long Term Reliability Assessment, LTRA
Committee Reports: Planning, Operations, Critical Infrastructure Protection and Standards
Compliance and Certification Committee

68 Gap Analysis Prioritization Adjustments
Review/Analysis of different ERO activities
Assess risk focus areas as High/Medium/Low
RISC members to evaluate key areas: Impact and probability? Priority? Existing Controls? Gaps? How to address gaps?!!

69 High Priority Items Gap Analysis
Cyber Attack
Workforce Capability and Human Error
Protection Systems
Monitoring and Situational Awareness

70 Cyber Attack - High Priority
NERC CID monitoring current activities and reports to RISC on those efforts, and their support to address this highest priority item.
NERC CIPC EC met with NERC RISC Staff to review lessons learned from GridEx-2013, incorporate them into the RISC Priorities, and ensure projects support CID activities.

71 Other High Priority Gap Analysis
Analysis/Review to be presented at the June 17th RISC Meeting
Workforce Capability and Human Error
Protection Systems
Monitoring and Situational Awareness

72 Coordinated Attack - Multiple Facilities: Medium Priority Item
Coordinated Physical/Cyber Attack
NERC CID Staff monitors and reports to RISC on their efforts to address this Medium priority item, and what additional efforts (if any) are recommended.

73 Other Medium Priority Gap Analysis
Operational Modeling and Model Inputs
Equipment Maintenance and Management
Generator Availability
Increased dependence on Natural Gas Generation

74 Low Strategic Focus Areas
Generation Resource Adequacy
Transmission Right of Way
Geomagnetic Disturbance (GMD)
Long Term Planning and Modeling
Climate Change, Environmental Regs, Changing Resource Mix due to Environmental or Other Market Conditions, Integration of Variable Gen

75 Low Strategic Focus Areas
Integration of New Technologies
Extreme Weather/Acts of Nature
Demand Response
Localized Physical Attack
Smart Grid
Electro-Magnetic Pulse (EMP)
Post-Recession Demand Growth
Pandemic

76 Future RISC Meetings
June 17: Atlanta, GA
July 10: Conference Call
August 14: Post-BOT Meeting, Vancouver, BC
Sept 11/12: Leadership Summit, Washington, DC
October 7: Conference Call
November 13: Post-BOT Meeting, Atlanta, GA
December 2: RISC Meeting, Phoenix, AZ

77 Questions?

78 Legislative Update Critical Infrastructure Protection Committee June 10, 2014 Nathan Mitchell, American Public Power Association

79 Legislative Update
Senate Committee on Intelligence Chair Feinstein and Vice Chair Chambliss trying to restart a companion bill to the House-approved Cyber Intelligence Sharing and Protection Act (CISPA)
June 6, 2014 letter from trade associations highlighting the ES-ISAC and ESCC as models for information sharing.
Action needs to be taken by August. No action expected due to the November elections.

80 Legislative Update
American Public Power Association
Canadian Electricity Association
Edison Electric Institute
Electric Power Supply Association
GridWise Alliance
Large Public Power Council
National Association of Regulatory Utility Commissioners
National Rural Electric Cooperative Association
Nuclear Energy Institute
Transmission Access Policy Study Group

81 Legislative Update
2015 Defense Authorization Bill awaiting Senate floor action
Trade associations are having meetings with Senate staff on the impact of the bill on electric utilities.

82 CIP V3-V5 Transition Tobias Whitney, NERC Manager of CIP Compliance NERC CIPC June 2014

83 CIP V5 Transition Program Elements Periodic Guidance A new transition guidance will be provided in Q2 Implementation Study 6 entities with strong compliance cultures 6-8 month implementation of V5 for certain facilities Lessons learned throughout and after study phase Compliance and Enforcement Integration with RAI Identify means and method to address self-corrective processes and internal controls Outreach & Communications Off-site audits will be replace with outreach and training events June 19 CIP V5 and RAI Webinar Transition Guidance Webinar in July Training Quarterly training opportunities will be provided to industry 2 RELIABILITY ACCOUNTABILITY

84 CIP V3 V5 Transition Responsibilities of the ERO (NERC & Regional Entities) Monitor the cyber security measures used to protect the reliable operation of the Bulk Electric System (BES) Recognize the challenges facing Responsible Entities Establishing compliance with V5 will be an ongoing process No single point in time when they will move from compliance with V3 to compliance with V5 3 RELIABILITY ACCOUNTABILITY

85 CIP V3 V5 Transition Big Picture The Effective Date of V5 was April 1, 2014 Based on the date that V5 Standards were approved by FERC Beginning of the implementation stage/transition period The Compliance Enforcement Date of V5 is April 1, 2016 Applies to Responsible Entities with High and Medium Impact Cyber Systems Compliance with V3 remains mandatory and enforceable, and will be assessed until the V5 compliance enforcement date V4 is no longer in the picture (that includes use of V4 bright-line criteria for identifying Critical Cyber Assets) 4 RELIABILITY ACCOUNTABILITY

86 CIP V3 V5 Transition Mapping the path Responsible Entities with High and Medium Impact Cyber Assets need to prepare for April 1, 2016 ERO focus during transition period is not gotcha, but an effective and successful implementation of V5 5 RELIABILITY ACCOUNTABILITY

87 CIP V3 V5 Transition Transition Guidance Draft of next version is currently being vetted Supersedes previous versions Provides guidance and flexibility that will allow Responsible Entities to focus on implementing changes to achieve compliance with V5 During the transition period, there will be a flexible approach to the evaluation of V3 compliance 6 RELIABILITY ACCOUNTABILITY

88 CIP V3 to V5 Transition: Next Version of Transition Guidance
- Narrative similar to the content of the current version, with explanations, considerations, and recommendations
- Compatibility table: spreadsheet listing V5 requirements that are "Mostly Compatible" with V3 requirements

89 CIP V3 to V5 Transition: Mostly Compatible?
- Many V5 requirements are mostly compatible (MC) with Version 3
- In those cases, the processes and documents that demonstrate compliance are not significantly different from V3 to V5
- Requirement numbers may not always align, but the requirements themselves are considered MC
- Not necessarily a one-to-one mapping; e.g., CIP R4 and CIP R2 both address senior manager approval of the asset list

90 CIP V3 to V5 Transition: Mostly Compatible!
- As described in the guidance document, V5 compliance with designated requirements can be considered compliance with the MC Version 3 requirement
- For V5 requirements with no V3 counterpart, V5 compliance will not be a factor during the transition period

91 CIP V3 to V5 Transition: Similar V3/V5 Requirements
- CIP %
- CIP to 90%
- CIP %
- CIP % (Review required for new Assets)
- CIP %
- CIP %
- CIP % (Review required for new Assets)
- CIP % (new to V5)
- CIP % (new to V5)

92 CIP V3 to V5 Transition Guidance Narrative
1. Introduction
2. Background
3. Newly Identified BES Cyber Systems
4. Compliance during the Transition Period
5. Transition Period Audits
6. V5 Implementation Study
7. Technical Feasibility Exceptions (TFEs)

93 CIP V3 to V5 Transition Guidance Narrative: Section 1. Introduction
- Overarching philosophy: apply the appropriate cyber security measures to protect the reliable operation of the Bulk Electric System (BES)
- Applies to Regional Entities and Responsible Entities
- Provides guidance and flexibility for implementing changes to achieve compliance with V5 without undue concerns regarding compliance status with V3
- Supersedes previous Cyber Security Standards Transition Guidance

94 CIP V3 to V5 Transition Guidance Narrative: Section 2. Background
- FERC Order 791 was issued on November 22, 2013
- Some directives were referred to a specially formed Standards Drafting Team for resolution
- Version 4 CIP Reliability Standards (V4) will never be mandatory and enforceable

95 CIP V3 to V5 Transition Guidance Narrative: Section 3. Newly Identified BES Cyber Systems
- When guidance is issued, a Responsible Entity with newly identified systems and facilities shall begin implementing V5
- Applies to Responsible Entities that previously would have referred to the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities in CIP V3, or that used V5 Impact Ratings to identify new assets

96 CIP V3 to V5 Transition Guidance Narrative: Section 3. Newly Identified BES Cyber Systems (continued)
- Responsible Entities that have assets identified by an acquisition, or that receive a Registered Third-Party Designation (i.e., Impact Rating 2.3, 2.6, or 2.8), will be provided the later of:
  - a 12 calendar month implementation window from the time of notification (per the V5 Implementation Plan), or
  - the implementation date of April 1, 2016
  for any newly identified BES Cyber Systems

97 CIP V3 to V5 Transition Guidance Narrative: Section 4. Compliance during the Transition Period
- Responsible Entities are expected to take the appropriate actions to become compliant with the V5 Standards by the compliance enforcement date
- Those that previously identified CCAs according to the bright-line criteria in V4 no longer have that approach available
- Regional Entities will exercise discretion when assessing compliance with V3 requirements during the transition period

98 CIP V3 to V5 Transition Guidance Narrative: Section 5. Transition Period Audits
- The Compliance Monitoring and Enforcement Program (CMEP) will continue to be the guiding directive for the conduct of CIP audits
- A Regional Entity may use outreach and annual Self-Certifications in lieu of off-site audits for entities without V3 Critical Assets or Critical Cyber Assets
- Details regarding the scope and performance of audits during the transition period are described in the guidance document

99 CIP V3 to V5 Transition Guidance Narrative: Section 6. V5 Implementation Study
- Six Responsible Entities participated in a study to voluntarily implement the V5 Standards prior to the enforcement date of April 1, 2016
- Goals of the study include identification of processes, tools, and guidance for achieving V5 compliance
- V5 Implementation Study page at NERC's website ( Implementation-Study.aspx)

100 CIP V3 to V5 Transition Guidance Narrative: Section 7. Technical Feasibility Exceptions (TFEs)
- In general, TFEs will align with the overall transition process
- They will be considered in the context of the underlying requirement(s)
- V5 TFEs pertinent to V3 TFEs (V5 requirement / V3 requirement):
  - CIP R2.3 / CIP R2.4
  - CIP R1.1 / CIP R2.3
  - CIP R4.3 / CIP R6.4
  - CIP R5.6 / CIP R

101 CIP V3 to V5 Transition Guidance Narrative: Section 7. Technical Feasibility Exceptions (TFEs) (continued)
- TFE requests will be needed for systems or devices unable to meet strict compliance with a V5 requirement that has no associated TFE in V3
- V5 TFEs not associated with V3 TFEs: CIP CIP CIP CIP R1.4 R1.3 R5.1 R1.5 R2.1 R5.7 R3.2. R

102 CIP V3 to V5 Transition Guidance Narrative: Section 7. Technical Feasibility Exceptions (TFEs) (continued)
- Existing TFEs that are no longer applicable per V5 requirements will NOT remain in effect
- V3 TFEs superseded when V5 is implemented: CIP CIP CIP R3.1 R1.1 R3.2 R4 R5.3 R R R6

103 CIP V3 to V5 Transition Guidance: Compatibility Tables
- Show the requirements from V5 that have been deemed mostly compatible with a V3 counterpart
- The comparison is intended to help Responsible Entities maintain adequate protection of BES assets as they move from compliance with V3 to compliance with V5 of the CIP Reliability Standards

104 CIP V3 to V5 Transition Guidance: Compatibility Tables (table image)

105 CIP V3 to V5 Transition Guidance: Compatibility Tables (table image)

106 CIP V3 to V5 Transition Guidance: Underlying Philosophy
- Still a lot to do, but leveraging appropriate V3 policies, procedures, and processes will contribute to a successful transition to V5
- The ERO wants to facilitate the transition

107 CIP V5 Implementation Study
- Responsible Entity volunteers
  - Broad mix
  - Scope of assets is relevant to the industry
- Six to nine months study period
- Provide feedback to industry during the Study
  - FAQs
  - Training Sessions
  - Webinars
- Capture lessons learned
- Study.aspx
- Publish a report at the end of the Study

108 CIP V5 Implementation Study LL: Generation Disaggregation
CIP , Attachment 1, criterion 2.1:
"Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection."

109 CIP V5 Implementation Study LL: Generation Disaggregation
- How do you define 1500 MW?
- What is acceptable disaggregation?
- What is a shared BES Cyber System?
- What are common mode vulnerabilities?

110 CIP V5 Implementation Study LL: Transmission Facility Impact Rating
CIP , Attachment 1, criterion 2.5:
- Transmission Facilities operating between 200 and 499 kV at a single substation
- Connected to three or more other substations
- Aggregate weighted value of 3000 or more per the weight table
Facility: A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.). A Facility is a component of a substation, not the substation itself.

111 CIP V5 Implementation Study LL: Transmission Facility Impact Rating
- If the convergence of Transmission Facilities at a single substation meets criterion 2.5, then each BES Cyber System associated with the Transmission Facility is rated Medium Impact.
- NERC's current position: physical location IS a determinant factor for impact classification. Therefore the far-end relay is not in scope of Medium Impact.

112 CIP V5 Implementation Study LL: Transmission Facility Impact Rating (diagram)
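A worked application of the two impact-rating criteria from the preceding slides (generation disaggregation under criterion 2.1, and the substation-based criterion 2.5 including the far-end relay position). This is an added example, not NERC material: the plant and substation data are constructed, and the per-line weights are my recollection of the standard's weight table, which the slide references but does not reproduce.

```python
"""Added example (not from the NERC slides): apply CIP V5 Attachment 1
criteria 2.1 and 2.5, as quoted on the preceding slides, to constructed data.

ASSUMPTION: the weight table (700 for 200-299 kV, 1300 for 300-499 kV,
0 otherwise) is recalled from the standard and is not on the slide; verify
it against the current CIP-002 text before relying on it. The threshold is
taken as the slide states it (aggregate weighted value of 3000 or more).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

GEN_THRESHOLD_MW = 1500      # criterion 2.1 aggregate capability
TX_THRESHOLD = 3000          # criterion 2.5 aggregate weighted value
MIN_OTHER_SUBSTATIONS = 3    # criterion 2.5 connectivity test


@dataclass(frozen=True)
class Unit:
    name: str
    net_mw: float  # highest rated net Real Power capability, preceding 12 months


@dataclass(frozen=True)
class SharedCyberSystem:
    name: str
    affects: frozenset  # unit names it could adversely impact within 15 minutes


def plant_meets_2_1(units: Iterable[Unit]) -> bool:
    """Plant-level test: aggregate capability of the unit group >= 1500 MW."""
    return sum(u.net_mw for u in units) >= GEN_THRESHOLD_MW


def medium_impact_shared_systems(units: List[Unit],
                                 systems: List[SharedCyberSystem]) -> List[str]:
    """Disaggregation: only shared systems whose affected units sum to
    >= 1500 MW inherit the Medium rating; unit-dedicated controls do not."""
    if not plant_meets_2_1(units):
        return []
    mw = {u.name: u.net_mw for u in units}
    return sorted(s.name for s in systems
                  if sum(mw[n] for n in s.affects) >= GEN_THRESHOLD_MW)


def line_weight(kv: float) -> int:
    """ASSUMED weight table (see module docstring)."""
    if 200 <= kv <= 299:
        return 700
    if 300 <= kv <= 499:
        return 1300
    return 0


@dataclass(frozen=True)
class Line:
    kv: float
    remote_substation: str


def substation_meets_2_5(lines: Iterable[Line]) -> bool:
    """Facilities operating 200-499 kV at one substation, connected to three
    or more other substations, with aggregate weighted value >= 3000."""
    in_band = [ln for ln in lines if 200 <= ln.kv <= 499]
    others = {ln.remote_substation for ln in in_band}
    weighted = sum(line_weight(ln.kv) for ln in in_band)
    return len(others) >= MIN_OTHER_SUBSTATIONS and weighted >= TX_THRESHOLD


def rate_relays(substations: Dict[str, List[Line]],
                relay_locations: Dict[str, str]) -> Dict[str, str]:
    """Physical location decides: a relay is Medium Impact only if the
    substation it sits in meets 2.5, even when it protects a line whose
    other end is at a qualifying substation (the far-end relay case)."""
    qualifying = {name for name, lines in substations.items()
                  if substation_meets_2_5(lines)}
    return {relay: ("Medium" if sub in qualifying else "Low")
            for relay, sub in relay_locations.items()}


# --- constructed sample data (not a real plant or substation) -------------
PLANT_UNITS = [Unit("U1", 800), Unit("U2", 800), Unit("U3", 500)]  # 2100 MW
PLANT_SYSTEMS = [
    SharedCyberSystem("DCS-A", frozenset({"U1", "U2"})),   # 1600 MW -> Medium
    SharedCyberSystem("DCS-B", frozenset({"U2", "U3"})),   # 1300 MW -> not
    SharedCyberSystem("U3-governor", frozenset({"U3"})),   # 500 MW  -> not
]

SUBSTATIONS = {
    "Alpha": [Line(345, "Beta"), Line(345, "Gamma"), Line(230, "Delta")],  # 3300
    "Delta": [Line(230, "Alpha")],                                        # 700
}
RELAYS = {"REL-ALPHA-230": "Alpha", "REL-DELTA-230": "Delta"}  # Delta is far end

if __name__ == "__main__":
    print(medium_impact_shared_systems(PLANT_UNITS, PLANT_SYSTEMS))
    print(rate_relays(SUBSTATIONS, RELAYS))
```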

113 CIP V5 Implementation Study LL: Virtualization
- Virtualized servers may run multiple operating systems or application software within a single physical server, as opposed to conventional servers that may operate a single operating system and a dedicated suite of application software.
- VLANs are networks that operate multiple logically-separated networks by sharing common hardware devices such as switches and routers.

114 CIP V5 Implementation Study LL: Virtualization
- Definition of Cyber Assets: Programmable electronic devices, including the hardware, software, and data in those devices.
- CIP R1, Part 1.1: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.

115 CIP V5 Implementation Study LL: Virtualization
- Virtualization technologies present security challenges if different levels of protection are provided to different systems within the same virtual environment.
- Virtual Servers and VLANs cannot/may have mixed-trust usage.
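An inventory check for the two virtualization points above, written as an added example (not NERC's or any entity's code): it flags applicable, routably connected Cyber Assets that sit outside every ESP (the R1 Part 1.1 test quoted on the previous slide, CIP-005 in V5) and hypervisors or VLAN switches that carry both ESP and non-ESP workloads. The asset records are constructed sample data.

```python
"""Added example (not from the NERC slides): mixed-trust and ESP membership
checks over a constructed virtualization inventory.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

CORPORATE = "outside-ESP"  # trust zone label for assets not in any ESP


@dataclass(frozen=True)
class Asset:
    name: str
    hypervisor: Optional[str]      # physical host for a VM, None if bare metal
    switch: Optional[str]          # shared switch carrying its VLAN(s)
    routable: bool                 # connected to a network via a routable protocol
    applicable: bool               # in scope of the ESP requirement (BES Cyber System etc.)
    esp: Optional[str] = None      # ESP name, None if outside every ESP

    @property
    def zone(self) -> str:
        """Trust zone used for the mixed-trust test."""
        return self.esp or CORPORATE


def esp_findings(assets: List[Asset]) -> List[str]:
    """R1 Part 1.1 check: applicable + routable + no defined ESP is a finding."""
    return sorted(a.name for a in assets
                  if a.applicable and a.routable and a.esp is None)


def mixed_trust_devices(assets: List[Asset], attr: str) -> Dict[str, List[str]]:
    """Group assets by a shared device (attr is 'hypervisor' or 'switch') and
    report every device whose assets span more than one trust zone."""
    zones: Dict[str, set] = defaultdict(set)
    for a in assets:
        device = getattr(a, attr)
        if device is not None:
            zones[device].add(a.zone)
    return {d: sorted(z) for d, z in zones.items() if len(z) > 1}


# --- constructed inventory (hypothetical names) ---------------------------
INVENTORY = [
    Asset("EMS-APP-01",   "HV-1", "SW-1", True,  True,  esp="CC-ESP"),
    Asset("CORP-WEB-01",  "HV-1", "SW-1", True,  False, esp=None),   # shares HV-1/SW-1
    Asset("EMS-HIST-01",  "HV-2", "SW-2", True,  True,  esp="CC-ESP"),
    Asset("EMS-DB-01",    "HV-2", "SW-2", True,  True,  esp="CC-ESP"),
    Asset("RTU-LAB-07",   None,   "SW-3", True,  True,  esp=None),   # routable, no ESP
    Asset("SERIAL-IED-3", None,   None,   False, True,  esp=None),   # serial only
]

if __name__ == "__main__":
    print("R1.1 findings:", esp_findings(INVENTORY))
    print("mixed-trust hypervisors:", mixed_trust_devices(INVENTORY, "hypervisor"))
    print("mixed-trust switches:", mixed_trust_devices(INVENTORY, "switch"))
```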

116 CIP V5 Implementation Study LL: Programmable Electronic Devices
- BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.
- Cyber Assets: Programmable electronic devices, including the hardware, software, and data in those devices.

117 CIP V5 Implementation Study LL: Programmable Electronic Devices
- What makes something programmable?
  - Contains firmware
  - Firmware is modifiable via a device interface (Ethernet, serial, parallel, USB, etc.)
- Configurable is not programmable?
  - Electro-mechanical relays
  - Dip switches
  - If physical removal of a chip is required to program the device (EPROM, etc.)
- The NERC Survey or 15-minute Impact will ask questions to address this issue


119 BES Security Metrics WG Progress Report James W. Sample, Chair Roland Miller, Vice-Chair June 11-12, 2014

120 How we fit in! Existing CIP Committee Structure
CIPC Executive Committee
- Physical Security Subcommittee (David Grubbs): Protecting Sensitive Information TF; Physical Security Guideline TF; Physical Security Event Analysis WG (Joint w/ OC & PC); Physical Security Training WG
- Cyber Security Subcommittee (Marc Child): Control System Security WG; Cyber Attack Tree TF; Cyber Security Analysis WG (Joint w/ OC & PC); Cyber Security Training WG
- Operating Security Subcommittee (Carl Eng): Information Sharing TF; HILF Implementation TF; Grid Exercise WG
- Policy Subcommittee (Nathan Mitchell): BES Security Metrics WG (Jamey Sample); Personnel Security Clearance TF; Compliance & Enforcement WG

121 Previous Update
- Security Metrics Workshop was held at NERC
- Determine what a Strong Security Posture looks like for the sector
- Define those attributes (Potential Metrics):
  - Information Sharing
  - Program Maturity
  - Situational Awareness
  - Compliance Program
- Evaluate existing ALRs for incorporation of security measures
- Develop new security ALRs where needed

122 Strong Security Posture: Macro Metrics (diagram)

123 Micro Metric: ALR Framework (Lagging) (diagram)

124 Micro Metric: ES-ISAC (Leading)
[Chart: number of shares per month, Aug through May]
[Chart: top 4 types of threats per month, Aug through May: Phishing, SSL, DDOS, Waterhole]

125 Challenges (viewed across three columns: Industry Driven, ISAC Internal Ops, NERC Support)
WG Challenge Areas:
- Expertise on WG
- Cause Coding Lacks Security Issue Identification
- EST and ISAC Info Shares is still Low
- ISAC Lacks Formal Tracking Process
Recommended Actions:
- Recruit Additional CIO/SMEs
- Engage Event Analysis on Cause Coding
- Develop Reporting Dashboard
- Work with ISAC to Develop Process for Logging Engagements
- Support from Event Analysis and Risk Performance Groups Needed
- Evaluate Existing Cause Codes [Change Mgmt LTA]
- Provide sample Dashboard at CIPC
- Develop Technologies to Support Uniform Cataloging
- More Engagement from Industry needed; work through CIPC
- Develop Proposed Cause Codes
- Explore Additional ways to Ensure Separation from Compliance
- Sustained Resourcing needed to Support Capturing and Measuring Metrics

126 Workshop
- August 6-8, 2014, Atlanta, GA
- Purpose: identify Macro Metrics and ALR criteria
- Show of hands on who would be interested in attending or sending someone
- Logistics to be distributed June 13

127 Next Steps
- Continue to build out Macro and Micro Metrics (ALRs, ES-ISAC, etc.)
- Increase sharing
  - Develop guidance on what/how to submit info to the ISAC
  - More industry info shared with ISAC
- Continue to work with Events Analysis to develop cause codes
- Industry Workshop in August (Date TBD)

128 NERC CIPC Compliance and Enforcement Input Working Group NERC CIPC Update June 10-11, 2014 Paul Crist

129 Member List
Amelia Sawyer, Andrew Jurbergs, Ben Miller, Brenda Davis, Brian Evans-Mongeon, Charles F. Abell, Daniel Shaffer, David Gordon, David Thorne, Eric Ervin, James Boone, Jeff Mantong, Joe Bucciero, John Galloway, Karen Demos, Ken Burruss, Kent Kujala, Marc A. Child, Martin Collin, Matt Stryker, Michael Nickels, Mike Mertz, Mike Welch, Nathan Mitchell, Nick Santora, Paul Crist, Paul F. McClay, Robert D. Canada, Ron Harrod, Ryan Carlson, Scott Harris, Steen Fjalstad, Steve J Knaebel, Summer C. Esquerre, Tim Johnson, Tobias Whitney, Travis Borrini, Trey Cross, Wes Davis

130 NERC CIPC Compliance and Enforcement Input Working Group Update: Conference Calls
- March 13, 2014
- April 11, 2014

131 NERC CIPC Compliance and Enforcement Input Working Group Update: March 13 Conference Call
- Follow-up from CIPC Meeting
- Transition Guidance Review
- Physical Security FERC Order
- Virtualization Whitepaper Update
- CIP Version 5 Revisions Standard Drafting Team Update

132 NERC CIPC Compliance and Enforcement Input Working Group Update: April 11 Conference Call
- Transition Guidance Review
  - Study ends on June 30, 2014
- Physical Security FERC Order
- Virtualization Whitepaper Update
- CIP Version 5 Revisions Standard Drafting Team Update
  - CIP Version 5 webinar April
  - CIP Version 5 revisions calendar

133 NERC CIPC Compliance and Enforcement Input Working Group Update: NERC Virtualization Lessons Learned Conference Calls (John Galloway, ISO-NE)
- May 5
- May 7
- May 16
- Future Virtualization Whitepaper

134 NERC CIPC Compliance and Enforcement Input Working Group Update: Future Work
- Transition Guidance Review
- Virtualization Whitepaper

135 NERC CIPC Compliance and Enforcement Input Working Group Update: Meetings
- 2nd Thursday of the month, 1:00 p.m. CST
Questions?

136 ES-ISAC Update NERC CIPC Matt Light, ES-ISAC June 10-11, 2014

137 DNP3 Hydra
Objective: Determine the DNP3 vulnerability status of DNP3 Masters used in Energy Management Systems
1) List all of the DNP3 Masters used in North American EMSs, with their DNP3 vulnerability status
2) Fuzz test any equipment which hasn't been tested
   - May need to develop a standard testing script/process
   - We will originally focus on Project Robus free tools, but are open to other suggestions
3) Inform ICS-CERT of any vulnerable masters
   - ICS-CERT is proficient in vulnerability disclosures
4) Post our results on the ES-ISAC Asset Owner Portal
   - Do we post all results, or only non-vulnerable/ones with patches?

138 Portal Project: Lookingglass Pilot
- Platform Migration and Upgrade Completed (Jan-April 2014)
  - Task Force / Workgroup areas issues remain, resolution in progress
  - Developing pipeline of continuing enhancements
- Value focus near-term: improving user access, threat collaboration, and Lookingglass Lite cyber awareness monitoring widget
- Our Ask: Lookingglass-Lite Pilot Volunteers (5-10, July-Sep)
  - Goal centers on providing a useful reputation cyber-hygiene check
  - Enter your AOO Internet-facing profile information (IP ranges, etc.)
  - Each organization has its own view of profile and status
  - Pilot: provide feedback, help ensure value, prepare for broader rollout
- Please let us know if your organization would like to assist!

139 CRPA
- CRPA is a customized GridEx for your organization
- Use LoftyPerch to support scenario development
- Min 6 weeks planning needed
- Completely voluntary with no attribution to participants
- A subset of practices from ES-C2M2 have been incorporated into the After Action Report to frame lessons learned
- Status:
  - 6 CRPAs performed last year
  - 1 occurring in a few weeks
  - Looking for more participants [Spring/Fall]

140 CRISP
Cybersecurity Risk Information Sharing Program (CRISP)
- Operating under direction of the ESCC
- About 20 companies identified for companies deployed CRISP in Jan companies deploying in the next month
- NERC/ES-ISAC will be managing CRISP
  - Determined an LLC was not the best way for the companies to implement CRISP
  - NERC/ES-ISAC is working with PNNL and the first set of sites to establish contracts
- Outreach and communication to the sector
  - Expect outreach in the near future
  - Comprehensive program plan is under development

141 Cyber Security Sub-cmte Progress Report Marc Child, Chair

142 June

143 CAP HILF TF Recommendations
1. Geomagnetic Disturbance Task Force
   a. Work Product: Interim Report: Effects of Geomagnetic Disturbances in the Bulk Power System
   b. No CIPC Cyber Security Subcommittee items
2. Spare Equipment Database Task Force
   a. Work Product: Spare Equipment Database report
   b. No CIPC Cyber Security Subcommittee items
3. Severe Impact Resilience Task Force
   a. Work Product: Severe Impact Resilience: Considerations and Recommendations
   b. No CIPC Cyber Security Subcommittee items
4. Cyber Attack Task Force
   a. Work Product: Cyber Attack Task Force Final Report
   b. Item 15: Continue developing Attack Tree methodology
   c. Item 16: Continue to develop security and operations staff skills to address increasingly sophisticated cyber threats.
   d. Item 17: Augment operator training with cyber attack scenarios.

144 NERC Attack Tree Task Force June 2014

145 Attack Tree Task Force (ATTF) Upcoming Activities
Chair: Mark Engels
- Solicit more SMEs to review what has been done so far.
- Continue working on the document to support the actual attack trees. It will contain the assumptions and methods used by the team.
- Augment the attack trees to incorporate more mitigations and reflect that in the findings to see what changed.

146 Cyber Security Subcommittee Cyber Security Events Analysis WG Chair: <open>

147 Cyber Security Events Analysis WG (Chair: <open>)
1. Next Steps
   a. Obtain a Chair for the working group
   b. Continue to liaise with the ES-ISAC, EAS & STWG
   c. Begin scheduling quarterly calls, emails or portal postings with liaisons
   d. Continue to develop priorities and establish work plans:
      i. Research and recommend activities to improve the security of Bulk Electric System facilities;
      ii. Develop expertise to liaise and coordinate with the Events Analysis WG;
      iii. Develop procedures for evaluating malicious events while maintaining entity security; and
      iv. Work with the CIP Training WG to assist in developing training products that are relevant to current threat tactics and techniques.
   e. Creation of, and approval for, the cyber events analysis process document

148 Cyber Security Subcommittee Control Systems Security WG Chair: Mikhail Falkovich

149 CSSWG Status
- New Chair
- Charter under review and development
- Solicitation of additional volunteers
- First assignment: Business Network connectivity guideline
  - Due Date: 12/31/2014
  - GridEx II Lesson Learned #4 Recommendations Summary: Assess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis.

150 CSSWG NIST Mapping Project
- Requested by the ESCC
- Map the NIST CSF to CIP v5 and CIP v3
- Asked of CSSWG: Complete by August

151 CSSWG Task Force Members
- Mark Morgan (PNNL)
- Nadya Bartol (UTC)
- Cynthia Hill-Watson (TVA)
- Bill Noto (GE)
- Christine Hasha (ERCOT)
- Beth Lemke (WPS)
- Cliff Glantz (PNNL)
- Jarrid Hall (CSGI)
- NERC Staff: Laura Brown

152 CSSWG (mapping table image)

153 CSSWG (mapping table image)

154 CSSWG Remaining Tasks
- Complete CIP v5 mapping
- Write guidance where the mapping is not obvious
- Write guidance where no mapping exists
- Convert to CIP v3

155 Cyber Security Subcommittee Questions?

156 Physical Security WG Progress Report Ross Johnson, CPP June 11-12, 2014

157 How we fit in! (organization chart)

158 CIP Physical Security
- FERC Order issued 7 March with a 90-day completion window
- SDT included four physical security professionals: myself, John Breckenridge, Alan Wick, and Kathleen Judge
- Additional input from Bob Canada and Brian Harrell
- One technical conference, two face-to-face meetings, one teleconference, two webinars, and two ballots
- Proposed Standard approved by NERC BOT, and filed with FERC on 23 May

159 CIP Physical Security
- The first three requirements deal with a risk assessment to identify in-scope assets, a review of the risk assessment by an unaffiliated third-party reviewer, and sharing of information with affected entities
- Three subsequent requirements deal specifically with physical security issues:
  - R4: evaluate potential threats and vulnerabilities
  - R5: develop and implement a documented physical security plan
  - R6: unaffiliated third-party review of the evaluation of threats and vulnerabilities, and the corresponding security plan

160 CIP Physical Security R4
The evaluation shall consider the following:
4.1. Unique characteristics of the identified and verified Transmission station(s), Transmission substation(s), and primary control center(s);
4.2. Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and
4.3. Intelligence or threat warnings received from sources such as law enforcement, the Electric Reliability Organization (ERO), the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), U.S. federal and/or Canadian governmental agencies, or their successors.

161 CIP Physical Security R5
The physical security plan(s) shall include the following attributes:
- Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4
- Law enforcement contact and coordination information
- A timeline for executing the physical security enhancements and modifications specified in the physical security plan
- Provisions to evaluate evolving physical threats, and their corresponding security measures, to the Transmission station(s), Transmission substation(s), or primary control center(s).

162 CIP Physical Security R6
- Shall have an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5
- Each Transmission Owner and Transmission Operator shall select an unaffiliated third party reviewer from the following:
  - An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification
  - An entity or organization approved by the ERO
  - A governmental agency with physical security expertise
  - An entity or organization with demonstrated law enforcement, government, or military physical security expertise.

163 CIP Physical Security 6.2
- The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5.
- The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under Requirement R4 or the security plan(s) developed under Requirement R5

164 CIP Physical Security 6.3
If the unaffiliated third party reviewer recommends changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5, the Transmission Owner or Transmission Operator shall, within 60 calendar days of the completion of the unaffiliated third party review, for each recommendation:
- Modify its evaluation or security plan(s) consistent with the recommendation; or
- Document the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation

165 CIP Physical Security 6.4
Each Transmission Owner and Transmission Operator shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party reviewer and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure

166 PSRG
- Physical Security Roundtable Group now has 122 members
- Held several calls in preceding months:
  - March and April calls cancelled because of CIPC travel (March) and the Physical Security Standard drafting team meeting
  - May meeting on CIP-014 Physical Security Standard
- Would appreciate more input from members on issues they would like to discuss

167 STWG
PSWG contributed to training on:
- April: physical security program management
- May: physical security design (Lawrence Livermore National Labs)
- June: Advanced Laser Detection System
- July: active shooter

168 Fun Fact
Canada/US Border Crossing (between North Dakota and Manitoba)
As of 1 June 2014 there were still hundreds of homes in Winnipeg, Manitoba whose water pipes were still frozen. (CTV News)

169 Security Training WG Progress Report William Whitney III, Chair David Godfrey, Vice Chair

170 Security Training WG
1. Charter
   a. CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as educational outreach opportunities.
2. Current Members
   a. Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, and William Whitney III

171 How We Fit in (organization chart)

172 Security Training WG
3. Latest Activities
   a. Conference calls to discuss goals and actions, 2nd Friday each month
   b. Working on HILF recommendation to raise operator awareness about cyber attacks on the grid with SOS and SANS. We are in the final stages and should have news shortly after SOS and SANS work out their contracts.
   c. Provided 2 successful security training webinars to the industry:
      a. 4/16 Physical Security Management and Programs: 174 registered, 104 attended
      b. 5/14 Physical Security Assessments, Design, and Protection Strategies: 277 registered, 135 attended
   d. Working on tasks assigned to us from the GridEx II Lessons Learned
   e. Continuing to compile a list of free training resources available to entities

173 Security Training WG
1. Webinar Schedule 2014
   a. April 16: Physical Security Programs Panel Webinar
   b. May: National Labs Physical Security Risk vs Protection/Costs Webinar
   c. June, Orlando: Pre-CIPC BC Hydro presentation on laser intrusion detection
   d. July: Active Shooter webinar with Danny O. Coulson
   e. August: TBD
   f. September, Vancouver: Train the Trainer Preparation for a Cyber Event
   g. October: TBD
   h. November: TBD
   i. December: TBD

174 Security Training WG: July 17th Active Shooter Webinar (flyer image)

175 Security Training WG
1. Training Links
   a. TEEX -
   b. DHS -
   c. DOD -
   d. FEMA -
   e. DOE -
Have a link for free, quality training? Please share it with us to add to the list.

176 Security Training WG
4. Next Steps
   a. Continue to expand the list of free on-demand training from reputable agencies and vendors
   b. Schedule and prepare future Pre-CIPC training sessions and webinars
   c. Work with vendors and/or individuals in the industry to provide specific training to industry
      a. This means you and/or your co-workers that have information to share with the industry
   d. Continue work with SOS and SANS to compile operator training with cyber attack scenarios per the HILF recommendations
   e. Work on GridEx II Lessons Learned assignments
5. CIPC Actions
   a. Concerns and/or suggestions for today's discussion

177 Questions? Or

178 Cybersecurity Procurement Language for Energy Delivery Systems Ed Goff, CISSP Duke Energy, Energy Sector Control Systems Working Group June 11, 2014

179 Agenda
- Background
- Managing the Cyber Supply Chain Risks
- Approach
- Behind the scenes
- The Differences: the update
- ESCSWG Roadmap
- Next Steps

180 Background on Procurement Language
- In 2009, DHS worked with control system security experts, asset owners and operators, suppliers, state and federal governments, and international stakeholders
- Covers control systems across several sectors, including electricity, oil and natural gas, water, transportation, and chemical
- Summarizes security principles and controls
- Provides example language

181 Why Update Procurement Language for the Energy Sector?
- Since 2009, the energy sector continues to evolve:
  - New cybersecurity threats
  - Changes in security practices and requirements
  - Advancing technologies
- Asset owners, operators, and suppliers are experiencing increased pressure to meet stringent regulatory requirements
- Procurement can help manage risks resulting from extended and geographically dispersed supply chains
- Need to build cybersecurity into solutions from the beginning
- Acquirers, integrators, and suppliers need to communicate expectations and requirements in a clear and repeatable manner

182 Managing Cyber Supply Chain Risks
- Procurement is part of the overall supply chain program
- Dialogue before contract to communicate expectations
- Embedding cybersecurity in the procurement process helps manage supply chain risks and reduce the risk of compromise:
  - Request cybersecurity from the beginning
  - Request transparent security practices from the beginning
  - Encourage transparency on where sub-suppliers are located (and any changes)
  - Agreement on appropriate time for notification of breaches/mitigating measures
- Transparency can help improve supply chain risk management practices
- Preserves system integrity; trust that only intended functions are performed and control is not lost

183 What Is the Cybersecurity Procurement Language for Energy Delivery Systems?
- This document seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector
- Provides baseline cybersecurity procurement language for the acquisition of:
  - Individual components of energy delivery systems (e.g., PLCs, relays, RTUs)
  - Individual energy delivery systems (SCADA, EMS, DCS)
  - Networks of energy delivery systems (e.g., a substation)
- Helps to address some of the energy sector's evolving challenges
- Ensures cybersecurity is considered starting with the design phase (and continuing through testing, manufacturing, delivery, installation, and support)
- Focused on what to do, not how to do it

184 Behind the Scenes
- ESCSWG: Leading this effort, spearheaded by Ed Goff (Duke Energy)
- Pacific Northwest National Laboratory (PNNL): Facilitation and writing
- Energetics Incorporated: Facilitation, coordination, and outreach
- U.S. Department of Energy Office of Electricity Delivery and Energy Reliability: Leadership, guidance, funding, and support
- Core Team of Technical Advisors: Volunteered significant time and expertise in advising the development of this document. The core team includes representatives from: U.S. Department of Homeland Security, Edison Electric Institute, Electric Power Research Institute, Independent Electricity System Operator Ontario, Utilities Telecom Council, American Public Power Association, and American Gas Association

185 Development Approach
- Developed over the last year by a core team of experts and stakeholders
- Built on DHS (2009) to tailor guidance to the specific needs of the energy sector
- Reviewed other documents and approaches
- Talked with other energy sector stakeholders to understand their needs
- Held open, transparent, public review cycles to guide the direction of the document

186 Public Review Cycles
- Two open, transparent, and formal public review cycles (November 2013 and February 2014)
- Engaged energy sector stakeholders from the acquirer, integrator, and supplier communities
- 308 specific comments from 23 entities during the comment periods
- (Chart of commenting entity types: Utility, Vendor, Consultant/Other, Government, Standards Body, Public/Private WG)
- Lots of support for this effort, demonstrating the need in this sector
- Some feedback was beyond scope and is tracked for future revisions

187 Procurement Aligns with Energy Sector Cybersecurity Initiatives
- Cybersecurity Capability Maturity Model (C2M2): Consideration of supply chain issues and cybersecurity procurement are elements of the maturity model, which procurement language helps to address.
- Electricity Subsector Cybersecurity Risk Management Process (RMP): Procurement language can help asset owners with their risk management process by requesting cybersecurity features prior to acquisition.
- NIST's Framework for Improving Critical Infrastructure Cybersecurity: Procurement language can help to identify the different categories of users and their roles in the procurement process, which is one element of this NIST framework.

188 How Can This Be Used in the Procurement Process?
Intended to:
- Help all energy sector stakeholders more clearly communicate expectations and requirements
- Inform acquirers in the RFP/RFI process
- Provide a starting point for the procurement process; users can select the areas most applicable to their procurements (a menu of options)
Not intended to:
- Be inserted verbatim into procurement contracts
- Replace or specify applicable IT or OT standards; the document suggests some standards to consider, but not all

189 Key Sections: General Cybersecurity Procurement Language
Language that is more generally applicable across energy delivery systems and components:
- 2.1 Software and Services
- 2.2 Access Control
- 2.3 Account Management
- 2.4 Session Management
- 2.5 Authentication/Password Policy and Management
- 2.6 Logging and Auditing
- 2.7 Communication Restrictions
- 2.8 Malware Detection and Protection
- 2.9 Heartbeat Signals
- 2.10 Reliability and Adherence to Standards

190 Key Sections: The Supplier's Life Cycle Program
Covers product design, development, manufacturing, storage, delivery, implementation, maintenance, and disposal:
- 3.1 Secure Development Practices
- 3.2 Documentation and Tracking of Vulnerabilities
- 3.3 Problem Reporting
- 3.4 Patch Management and Updates
- 3.5 Supplier Personnel Management
- 3.6 Secure Hardware and Software Delivery

191 Technology-Specific Sections
Other technology-specific sections in the document include:
- Intrusion detection systems (IDS)
- Physical security
- Wireless technologies
- Cryptographic system management
The "How to Use this Document" section provides:
- Examples for adding, modifying, or negotiating procurement language between Acquirers and Suppliers (or Integrators)
- Examples of procurements with multiple Suppliers/Integrators

192 What Is Different?
- The new document is 30% the size of the DHS (2009) document, with a specific focus on the energy sector
- Easier to navigate and read
- Accounts for the differences between acquiring entire energy delivery systems and acquiring individual system components
How?
- Minimized redundancies: near-identical requirements that were presented in multiple sections are reduced
- Reduced explanation of technologies
- More general, for future applicability

193 Differences (cont.)
- Laser focused on procurement language
- Removed detailed Factory and Site Acceptance Testing and Maintenance Guidance
- Updated for new approaches and technologies
- Similar concepts are grouped together in only a few sections
DHS (2009):
- System Hardening (6 sections)
- Perimeter Protection (3 sections)
- Account Management (7 sections)
- Coding Practices (1 section)
- Flaw Remediation (2 sections)
- Malware Detection and Protection (1 section)
- Host Name Resolution (1 section)
- End Devices (4 sections)
- Remote Access (6 sections)
- Physical Security (4 sections)
- Network Partitioning (2 sections)
- Wireless Technologies (11 sections)
ESCSWG (2014):
- General Procurement Language (10 sections)
- Supplier's Lifecycle Security Program (6 sections)
- Intrusion Detection (2 sections)
- Physical Security (3 sections)
- Wireless Security (1 section)
- Cryptographic System Management (2 sections)

194 Sample Update: Wireless Technologies
- DHS (2009) has 27 pages devoted to this topic and 105 procurement language items
- EDS PL has one page and only 8 procurement language items
DHS (2009) Wireless Technologies:
1. Bluetooth
2. Wireless Closed Circuit TV
3. Radio Frequency Identification
ZigBee
6. WirelessHART
7. Mobile Radios
8. Wireless Mesh Networks
9. Cellular
10. WiMAX
11. Microwave
12. Satellite
EDS PL Wireless Technologies:
1. General Wireless

195 Cryptographic System Management
- Cryptographic-based security systems are more widely used today
- New section to address basic cryptographic system documentation and management capabilities
- Does not prescribe which type of cryptographic-based security system is appropriate for any particular environment
- Does provide sample procurement language for:
  - Cryptographic system documentation (e.g., crypto methods used, phases of key management)
  - Variable cryptoperiods, so crypto keys don't stay the same forever
  - Remote crypto key update capability (to avoid truck rolls)

196 The Supplier's Life Cycle Program
- Encourage robust products with fewer weaknesses and vulnerabilities
- Secure development practices include:
  - Quality assurance, quality control, testing, code reviews, timely communication
  - Specifying country of origin
  - Timely notification of vulnerabilities or breaches, with accompanying mitigating measures (testing/validation of patches and updates)
  - Managing access to sensitive information
  - Ensuring that the product is implemented as specified
- (Figure: Development Life Cycle, a cycle of Design, Develop, Produce, Store, Deliver, Implement, Maintain/Retire)

197 Sample Language Example
(Table columns: Sample Language, Documentation/Verification, Period of Applicability, Not Applicable)
- 2.73 The Supplier shall provide a method to restrict communication traffic between different network security zones. The Supplier shall provide documentation on any method or equipment used to restrict communication traffic.
- The Supplier shall identify heartbeat signals or protocols and recommend which should be included in network monitoring. At a minimum, a "last gasp" report from a dying component, or equivalent, shall be included in network monitoring.
- Upon the Acquirer submitting a problem report to the Supplier, the Supplier shall review the report, develop an initial action plan within [a negotiated time period], and provide status reports of the problem resolution to the Acquirer within [a negotiated time period].
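The heartbeat requirement in the sample language above only pays off if the Acquirer's network monitoring actually uses the Supplier-identified signals. The following is an added example, not code from the ESCSWG document, showing the minimum such a monitor has to distinguish: a component that sent a last gasp, one that went silent without one, and a heartbeat source the Supplier never documented. Component names, intervals and log lines are constructed for illustration.

```python
"""Heartbeat / last-gasp monitoring check for energy delivery system components.

Added example, not part of the ESCSWG procurement language document. It uses the
Supplier-identified heartbeat inventory (interval per component) to separate
three failure signals: a component that announced its own failure (last gasp),
a component that went silent without one (possible link loss or crash), and a
heartbeat source the Supplier never documented. All component names, intervals
and log lines are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HeartbeatSpec:
    """Supplier-documented heartbeat: nominal interval plus tolerated jitter."""
    interval_s: float
    grace_s: float


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed values)
    component: str
    kind: str        # "heartbeat" or "last_gasp"


# Constructed inventory of the heartbeats the Supplier identified for monitoring.
HEARTBEAT_SPECS = {
    "rtu-01": HeartbeatSpec(interval_s=10.0, grace_s=2.0),
    "relay-07": HeartbeatSpec(interval_s=30.0, grace_s=5.0),
    "plc-03": HeartbeatSpec(interval_s=5.0, grace_s=1.0),
}

# Constructed network-monitoring log: "<epoch> <component> <HEARTBEAT|LAST_GASP>"
SAMPLE_LOG = [
    "70.0 rtu-01 HEARTBEAT",
    "30.0 relay-07 HEARTBEAT",
    "80.0 rtu-01 HEARTBEAT",
    "60.0 relay-07 HEARTBEAT",
    "90.0 plc-03 HEARTBEAT",
    "90.0 rtu-01 HEARTBEAT",
    "95.0 plc-03 HEARTBEAT",
    "97.0 plc-03 LAST_GASP",
    "99.0 hmi-09 HEARTBEAT",   # source not in the Supplier's inventory
]


def parse_line(line: str) -> Event:
    """Parse one constructed log line; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 3 or parts[2] not in ("HEARTBEAT", "LAST_GASP"):
        raise ValueError(f"malformed monitoring line: {line!r}")
    return Event(ts=float(parts[0]), component=parts[1], kind=parts[2].lower())


def evaluate(lines, specs, now: float) -> dict:
    """Return a status per component as of time `now`.

    Statuses: "ok"; "last_gasp" (component reported it is dying and has not
    been heard from since); "overdue" (silent past interval + grace with no
    last gasp); "never_seen" (documented but no heartbeat observed);
    "undocumented" (heartbeat from a source the Supplier did not identify).
    """
    last_heartbeat: dict = {}
    last_gasp: dict = {}
    for line in lines:
        ev = parse_line(line)                     # log lines may arrive out of order
        if ev.kind == "last_gasp":
            last_gasp[ev.component] = max(ev.ts, last_gasp.get(ev.component, ev.ts))
        else:
            last_heartbeat[ev.component] = max(ev.ts, last_heartbeat.get(ev.component, ev.ts))

    status = {}
    for comp, spec in specs.items():
        hb = last_heartbeat.get(comp)
        gasp = last_gasp.get(comp)
        if gasp is not None and (hb is None or gasp >= hb):
            # Component announced its own failure and has not recovered since.
            status[comp] = "last_gasp"
        elif hb is None:
            status[comp] = "never_seen"
        elif now - hb > spec.interval_s + spec.grace_s:
            # Silent failure: no last gasp, so suspect link loss or a crash.
            status[comp] = "overdue"
        else:
            status[comp] = "ok"
    # A heartbeat from a source the Supplier did not identify is a documentation gap.
    for comp in set(last_heartbeat) | set(last_gasp):
        if comp not in specs:
            status[comp] = "undocumented"
    return status


if __name__ == "__main__":
    for comp, state in sorted(evaluate(SAMPLE_LOG, HEARTBEAT_SPECS, now=100.0).items()):
        print(f"{comp:10s} {state}")
```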

198 Meeting the Vision of the Roadmap to Achieve Energy Delivery Systems Cybersecurity
Roadmap Vision: By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.
- Developed by the Energy Sector Control Systems Working Group (ESCSWG) for asset owners, operators, government, regulators, standards bodies, researchers, academia, vendors, and other solution providers
- Synthesis of energy delivery systems security challenges, R&D needs, and implementation milestones
- Provides a strategic framework to align activities to sector needs, coordinate public and private programs, and stimulate investments in energy delivery systems security
For more information visit:

199 Alignment with Roadmap Strategies
Strategies:
1. Build a Culture of Security
2. Assess and Monitor Risk
3. Develop and Implement New Protective Measures
4. Manage Incidents
5. Sustain Security Improvements
Near-term (0-3 years):
- Executive engagement and support of cyber resilience efforts
- Industry-driven safe code development and software assurance awareness workforce training campaign launched
- 2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings
- 3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes commercially available
- Tools to identify cyber events across all levels of energy delivery system networks commercially available
- Tools to support and implement cyber attack response decision making for the human operator commercially available
- Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholders
- Federal and state incentives available to accelerate investment in resilient energy delivery systems
Mid-term (4-7 years):
- Vendor systems and components using sophisticated secure coding and software assurance practices widely available
- Field-proven best practices for energy delivery systems security widely employed
- Compelling business case developed for investment in energy delivery systems security
- 2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics
- Scalable access control for all energy delivery system devices available
- Next-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented
- Incident reporting guidelines accepted and implemented by each energy subsector
- Real-time forensics capabilities commercially available
- Cyber event detection tools that evolve with the dynamic threat landscape commercially available
- Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners
- Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining
Long-term (8-10 years):
- 1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry
- 2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains commercially available
- Self-configuring energy delivery system network architectures widely available
- Capabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutions
- Next-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented
- Lessons learned from cyber incidents shared and implemented throughout the energy sector
- Capabilities for automated response to cyber incidents, including best practices for implementing these capabilities, available
- Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systems
- Mature, proactive processes to rapidly share threats, vulnerabilities, and mitigation strategies are implemented throughout the energy sector

200 Building a Culture of Security
Strategy 1 (Build a Culture of Security) milestones highlighted from the roadmap table:
Near-term (0-3 years):
- 1.1 Executive engagement and support of cyber resilience efforts
- 1.2 Industry-driven safe code development and software assurance awareness workforce training campaign launched
Mid-term (4-7 years):
- 1.3 Vendor systems and components using sophisticated secure coding and software assurance practices widely available
- 1.4 Field-proven best practices for energy delivery systems security widely employed
- 1.5 Compelling business case developed for investment in energy delivery systems security
Long-term (8-10 years):
- 1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry

201 Next Steps
- Communication and rollout: spread the word
- Solicit endorsement from different trade organizations
Recommended Future Activities:
- Expand on implementation guidance
- Continue coordination and communication with stakeholder groups
- Account for feedback not addressed in this version

202 We need your help!
- Tell your friends and colleagues
- Use the document to mature your procurement process
- Provide feedback: what works well, what doesn't work, what is missing
- Email comments to: es-pl@energetics.com

203 Questions?
For more information visit: Pages/es-pl.aspx
Email questions to:

204 References
- Roadmap to Achieve Energy Delivery Systems Cybersecurity: dmap.pdf
- Cybersecurity Capability Maturity Model (C2M2) program
- Electricity Subsector Cybersecurity Risk Management Process (RMP): t%20process%20guideline%20-%20final%20-%20may% pdf
- NIST's Framework for Improving Critical Infrastructure Cybersecurity: final.pdf

205 NATF Security Practices Group Activity Update
Ken Keels, NATF Program Manager - Practices
NERC CIPC Meeting, June 10-11, 2014

206 Discussion Topics
- Brief NATF Overview
- Security Practices Group CIP-002 V5 Guide Update
- Physical Security Work Group Update

207 NATF Membership
- Membership open to companies that own/operate 50 circuit miles of 100 kV transmission or operate a 24/7 control center
- Organization types (75 Members): Investor-owned, State/Municipal, Cooperative, Federal/Provincial, ISO/RTO
- Expertise: 3600 subject-matter experts
- Coverage (North America wide): 85% of peak demand; 75% of 100 kV and higher circuits

208 NATF Mission, Vision, Approach
- Mission: Promote excellence in the reliable operation of the electric transmission system
- Vision: Continuously improve the reliability of the electric transmission system
- Approach: Pursue reliability and security excellence via constructive peer challenge and effective, relevant information sharing (lessons learned, superior practices, etc.)

209 Guiding Principles
- Community: The complex, interconnected grid requires active collaboration to promote higher levels of reliability, security, and resiliency
- Confidentiality: Confidentiality promotes open, candid intra-membership dialogue
- Candor: Direct, objective performance feedback is delivered as a membership norm
- Commitment: Members' senior leaders commit to the NATF's mission of promoting excellence

210 Value Add and Strategic Goals
Value Proposition(s):
- Improve transmission reliability, security, and resilience
- Increase member compliance margin
- Promote efficient use of resources
Strategic Goals:
1. Increase Industry Impact
2. Achieve Results
3. Manage Knowledge Effectively
4. Continuously Improve
5. Proactively identify and address emerging issues

211 Security Practices Group CIP-002 V5 Guide Update

212 CIP-002 V5 Project Purpose and Deliverables
Purpose: The purpose is to develop a NERC CIP-002 Version 5 Guide containing agreed-upon approaches and/or descriptions of common understanding used for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets.
Other Items Noted:
- Scope currently limited to transmission control centers and substations
- The project team recognizes the changing environment and pending decisions on the CIP standards
Deliverables:
- CIP-002 V5 Guide containing descriptions of approaches and/or common understanding used for identifying Cyber Assets and defining corresponding BES Cyber Systems. In addition, the subject matter expert team is to develop a recommended format for documenting a program, such as diagrams or flow charts, that will assist with standardizing CIP-002 documentation across the NATF membership.
- The product will be updated throughout the year by adding attachments and/or addendums as Industry and Regulator determinations are made

213 Recent / Current Activities and Next Steps
- Draft CIP-002 V5 Guide presented to the Security Practices Group at its May Workshop for discussion and initial feedback, with the understanding that the Guide will be a living document
- Currently collecting feedback from NATF Members
- Control Center Pilots currently underway at three Member Companies; feedback from the pilots will be incorporated into the document
- Project team to continue to meet through June to refine the document
- Release to the Security Practices Group as an approved practices guide in July 2014
- Plan is to maintain the project team through

214 Security Practices Group Physical Security Update

215 Physical Security Initiatives
CIP Standard:
- Held weekly joint Security / Compliance Practice Group web meetings during the 90-day Standard development period
- Weekly calls included members of the Standard Drafting Team
- NATF plans to conduct a second series of calls for members to discuss how they plan to implement the Standard (probably starting in July)
NATF Physical Security Work Group:
- Monthly web meetings initiated earlier this year
- Monthly meetings include members reporting out on practices they use and issues they're confronting
- Initiating a project associated with the development of a library of physical security monitoring systems used by NATF members

216 Physical Security Initiatives (Cont'd)
NATF 2014 Peer Review Process:
- Added a separate physical security component to augment the cyber security review
- Peer Review Security Team includes cyber and physical security subject matter experts
NATF / EPRI Memorandum of Understanding initiated in 2013:
- Held joint physical security summit in August 2013
- The two organizations collaborate on a continuous basis
- EPRI Guest Speaker at the May Security Practices Group Workshop
- EPRI R&D department interested in a joint project pertaining to physical security

217 Thank you! Questions?


CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller CIP Standards Update SANS Process Control & SCADA Security Summit March 29, 2010 Michael Assante Patrick C Miller Background FERC s Cyber Security Order 706 directed extensive modifications of CIP-002

More information

Critical Infrastructure Protection Committee Strategic Plan

Critical Infrastructure Protection Committee Strategic Plan Critical Infrastructure Protection Committee Strategic Plan 2015-2018 CIPC Executive Committee Updated: December 13, 2016 NERC Report Title Report Date I Table of Contents Preface... iv Executive Summary...

More information

ERO Enterprise Strategic Planning Redesign

ERO Enterprise Strategic Planning Redesign ERO Enterprise Strategic Planning Redesign Mark Lauby, Senior Vice President and Chief Reliability Officer Member Representatives Committee Meeting February 10, 2016 Strategic Planning Redesign Current

More information

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013 Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013 Purpose and Scope The purpose of the Electricity Sub-Sector Coordinating Council (ESCC) is to facilitate and support

More information

Grid Security & NERC

Grid Security & NERC Grid Security & NERC Janet Sena, Senior Vice President, Policy and External Affairs Southern States Energy Board 2017 Associate Members Winter Meeting February 27, 2017 Recent NERC History Energy Policy

More information

Summary of FERC Order No. 791

Summary of FERC Order No. 791 Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure

More information

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA Project 2016-02 Modifications to CIP Standards Technical Conference April 19, 2016 Atlanta, GA Agenda Welcome Steven Noess NERC Antitrust Compliance Guidelines and Public Announcement* - Al McMeekin Logistics

More information

ERO Enterprise IT Projects Update

ERO Enterprise IT Projects Update ERO Enterprise IT Projects Update Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology Technology and Security Committee Meeting November 6, 2018 Agenda ERO IT

More information

CIP Standards Development Overview

CIP Standards Development Overview CIP Standards Development Overview CSSDTO706 Meeting with FERC Technical Staff July 28, 2011 Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 2 Project 2008-06 Overview FERC Order 706 SDT

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 10 Chapter X Security Performance Metrics Background For many years now, NERC and the electricity industry have taken actions to address cyber and physical

More information

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014 02 CIP Version 5 Revisions replaces

More information

Analysis of CIP-006 and CIP-007 Violations

Analysis of CIP-006 and CIP-007 Violations Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December

More information

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015 Implementation Plan Project 2014-02 CIP Version 5 Revisions January 23, 2015 This Implementation Plan for the Reliability Standards developed as part of Project 2014-02 CIP Version 5 Revisions replaces

More information

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 CIP Version 5 Transition Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014 Purpose of the Transition Program Transitioning entities confident in

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

Critical Cyber Asset Identification Security Management Controls

Critical Cyber Asset Identification Security Management Controls Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.

More information

Cybersecurity for the Electric Grid

Cybersecurity for the Electric Grid Cybersecurity for the Electric Grid Electric System Regulation, CIP and the Evolution of Transition to a Secure State A presentation for the National Association of Regulatory Utility Commissioners March

More information

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 and Risk Approach June 9, 2016 cyberframework@nist.gov Executive Order: Improving Critical Infrastructure

More information

Live Webinar: Best Practices in Substation Security November 17, 2014

Live Webinar: Best Practices in Substation Security November 17, 2014 Live Webinar: Best Practices in Substation Security November 17, 2014 1 Agenda & Panelists Welcome & Introduction - Allan Wick, CFE, CPP, PSP, PCI, CBCP Enterprise Security Manager-CSO Tri-State Generation

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No.

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No. UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Foundation for Resilient Societies ) Docket No. AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN OPPOSITION

More information

Statement for the Record

Statement for the Record Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before

More information

Compliance Enforcement Initiative

Compliance Enforcement Initiative Compliance Enforcement Initiative Filing and Status Update November 2, 2011 Rebecca Michael Status of the Filings NERC filed several components of the Compliance Enforcement Initiative on September 30,

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

CIP Cyber Security Standards. Development Update

CIP Cyber Security Standards. Development Update CIP Cyber Security Standards Development Update John Lim Consolidated Edison Co. of New York Rob Antonishen Ontario Power Generation September 21-22, 2010 1 Disclaimer This NPCC TFIST workshop provides

More information

Standards Development Update

Standards Development Update Standards Development Update Steven Noess, Director of Standards Development FRCC Reliability Performance Industry Outreach Workshop September 20, 2017 Supply Chain Risk Management 1 Cyber Security Supply

More information

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1 DRAFT Cyber Security Communications between Control Centers Technical Rationale and Justification for Reliability Standard CIP-012-1 March May 2018 NERC Report Title Report Date I Table of Contents Preface...

More information

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability

More information

Implementing Executive Order and Presidential Policy Directive 21

Implementing Executive Order and Presidential Policy Directive 21 March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy

More information

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016 Supply Chain Cybersecurity Risk Management Standards Technical Conference November 10, 2016 Agenda Opening remarks Review conference objectives and ground rules Standards project overview Discuss draft

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

ISAO SO Product Outline

ISAO SO Product Outline Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) ) UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards ) ) Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC

More information

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability

More information

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT

More information

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013 COMPASS FOR THE COMPLIANCE WORLD Asia Pacific ICS Security Summit 3 December 2013 THE JOURNEY Why are you going - Mission Where are you going - Goals How will you get there Reg. Stnd. Process How will

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance

More information

Updates to the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity

More information

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber As s et Identification A. Introduction 1. Title: Cyber Security Critical Cyber Asset Identification 2. Number: CIP-002-4 3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification

More information

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Executive Order on Coordinating National Resilience to Electromagnetic Pulses Executive Order on Coordinating National Resilience to Electromagnetic Pulses The Wh... Page 1 of 11 EXECUTIVE ORDERS Executive Order on Coordinating National Resilience to Electromagnetic Pulses INFRASTRUCTURE

More information

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018. Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,

More information

Cyber Attacks on Energy Infrastructure Continue

Cyber Attacks on Energy Infrastructure Continue NERC Cybersecurity Compliance Stephen M. Spina February 26, 2013 www.morganlewis.com Cyber Attacks on Energy Infrastructure Continue According to DHS, the energy sector was the focus of 40% of the reported

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission... CIP-002-4 Cyber Security Critical Cyber Asset Identification Rationale and Implementation Reference Document September, 2010 Table of Contents TABLE OF CONTENts Disclaimer... 3 Executive Summary... 4 Introduction...

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

History of NERC December 2012

History of NERC December 2012 History of NERC December 2012 Timeline Date 1962-1963 November 9, 1965 1967 1967-1968 June 1, 1968 July 13-14, 1977 1979 1980 Description Industry creates an informal, voluntary organization of operating

More information

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity May 2017 cyberframework@nist.gov Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies

More information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby

More information

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity: Services for State and Local Officials. February 2017 DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated

More information

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016 Standards Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016 Balancing Authority Reliability-based Controls Reliability Benefits Data requirements for Balancing Authority (BA)

More information

Scope Cyber Attack Task Force (CATF)

Scope Cyber Attack Task Force (CATF) Scope Cyber Attack Task Force (CATF) PART A: Required for Committee Approval Purpose This document defines the scope, objectives, organization, deliverables, and overall approach for the Cyber Attack Task

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Cybersecurity Risk Management:

Cybersecurity Risk Management: Cybersecurity Risk Management: Building a Culture of Responsibility G7 ICT and Industry Multistakeholder Conference September 25 2017 Adam Sedgewick asedgewick@doc.gov Cybersecurity in the Department of

More information

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government ATIONAL STRATEGY National Strategy for Critical Infrastructure Government Her Majesty the Queen in Right of Canada, 2009 Cat. No.: PS4-65/2009E-PDF ISBN: 978-1-100-11248-0 Printed in Canada Table of contents

More information

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities NRECA TechAdvantage March 2014 Patti Metro Manager, Transmission & Reliability Standards NRECA

More information

Reliability Standards Development Plan

Reliability Standards Development Plan Reliability Standards Development Plan Steven Noess, Director of Standards Development Standards Oversight and Technology Committee Meeting November 1, 2016 2017-2019 Reliability Standards Development

More information

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016 Meeting Notes Project 2016-02 Modifications to CIP Standards Drafting Team June 28-30, 2016 Exelon Chicago, IL Administrative 1. Introductions / Chair s Remarks The meeting was brought to order by S. Crutchfield

More information

Cybersecurity and Data Protection Developments

Cybersecurity and Data Protection Developments Cybersecurity and Data Protection Developments Nathan Taylor March 8, 2017 NY2 786488 MORRISON & FOERSTER LLP 2017 mofo.com Regulatory Themes 2 A Developing Regulatory Environment 2016 2017 March CFPB

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information