NERC CIPC Chair Report


NERC CIPC Chair Report
Chuck Abell
March 4, 2014

Recent Happenings
- NERC Board of Trustees Activity
  o Acceptance of the Physical Security Response Guideline
  o Approved CIPC EC Membership Positions:
    Physical Security: David Grubbs (City of Garland)
    Cyber Security: Marc A. Child (GRE)
    Operations Security: Carl J. Eng (Dominion VP)*
    Policy: Ross Johnson (Capital Power)
- Looking Forward
RELIABILITY ACCOUNTABILITY

2013 Key Deliverables
- Coordinated Charter Update between CIPC/OC/PC
- Personnel Security Clearances Task Force Report
- Electricity Sub-sector Information Sharing Task Force Report
- Physical Security Response Guideline

Looking Forward
- Recommendations from GridEx II
- Cyber Attack Tree Task Force
- BES Security Metrics Working Group
- Scenario Planning for GridEx III
- Continued Collaboration with ES-ISAC
- Coordination with the Reliability Issues Steering Committee (RISC)

CIP Committee Structure
CIPC Executive Committee:
- Chuck Abell, Chair
- Nathan Mitchell, Vice Chair
- Jim Brenton, Vice Chair
- Bob Canada, Secretary
- Marc Child
- Melanie Seader
- David Grubbs
- Jack Cashin
- Ross Johnson
- Barry Lawson
Subcommittees:
- Physical Security Subcommittee (David Grubbs)
- Cyber Security Subcommittee (Marc Child)
- Operating Security Subcommittee (Jim Brenton)
- Policy Subcommittee (Nathan Mitchell)
Working Groups and Task Forces:
- Physical Security WG (Ross Johnson)
- Control System Security WG (Vacant)
- ES Information Sharing TF (Stephen Diebold)
- BES Security Metrics WG (James Sample)
- Physical Security Guidelines WG (John Breckenridge)
- Cyber Attack Tree TF (Mark Engels)
- Grid Exercise WG (Tim Conway)
- Personnel Security Clearance TF (Nathan Mitchell)
- Security Training WG (William Whitney)
- Cyber Security Analysis WG (Eric Warakomski)
- Compliance & Enforcement Input WG (Paul Crist)

Executive Committee Elections
March 2014 CIPC Meeting
St. Louis, MO

Background
- One at-large position on the CIPC Executive Committee is vacant, due to the resignation of Carl Eng
- As per CIPC Charter, an election is required to fill the vacancy

Nominating Subcommittee
- As per CIPC Charter, the Chair appointed Robert McClanahan as Chair of the Nominating Subcommittee
- A Subcommittee of five (5) members was assembled
- The assignment to the Subcommittee was to nominate a single candidate to fill the vacancy

Subcommittee Membership
Membership of the Nominating Subcommittee:
- Robert McClanahan, AECC, Chair
- Chris McColm, Manitoba Hydro
- Paul McClay, TECO Energy
- Jeffrey Fuller, DP&L
- Allen Klassen, Westar Energy
The group represents a balance of area of expertise, NERC Region, organizational structure, etc.

Selection Process
- A request was made to CIPC Membership for recommendations
- A total of four (4) recommendations were received from CIPC Membership
- In addition, the Subcommittee reviewed the roster of CIPC Voting Members for possible candidates
- Factors considered: Expertise, Sector, Region, US/Canada, Current EC

Proposed Candidate
The Subcommittee unanimously approved and recommends the following individual to fill the vacancy: David Revill, GA Transmission

Election Process
The following election process is defined in the CIPC Charter:
- Slate presented to Committee
- Nominations accepted from floor
- Vote on slate first
- Supermajority (2/3) vote required to approve
- If slate fails, ballots prepared with candidates listed in order of nomination
- Successive ballots until individuals receive supermajority vote

Election

Critical Infrastructure Protection
Matt Blizard, PE, Director, Critical Infrastructure Protection
CIPC, St. Louis
March 4, 2014

CIP Updates
- NERC Landscape
  o Strategic Actions, Core Values, BP&B
  o NERC Reorganization: ESISAC, CID and Compliance Operations
- Activities:
  o GridEx II Next Steps (Bill Lawrence)
  o GridEx III, November 2015
  o GridSecCon, October 2014, Hyatt Regency, San Antonio, TX
- NERC Updates:
  o ESISAC
  o CIP v5 Transition Implementation Study: Lessons Learned, Guidance
  o CIP v5 revisions, FERC Order 791
  o Security and Reliability Program (SRP)
  o Executive Order Update: NIPP, NIST Cybersecurity Framework

NERC Core Values
- People: We value our people
- Teamwork: We work as a team
- Integrity: We act with integrity
- Leadership: We lead by example
- Trust: We trust each other
- Stewardship: We are stewards of the responsibilities entrusted to the ERO


Executive Order/Presidential Policy Directive Update
Critical Infrastructure Protection Committee, March 4, 2014

National Infrastructure Protection Plan (NIPP) Implementation Activities
The Department of Homeland Security (DHS) released the final version of the NIPP on December 20, 2013. The new NIPP maintains the partnership model developed in the earlier versions; one major change is that the new NIPP includes greater emphasis on risk management. Following the release, DHS rolled out the new NIPP and established a new working group, the NIPP Implementation Working Group. This working group will:
- Set joint national priorities to facilitate joint planning
- Establish a process to annually validate priorities
- Develop guidance on updating the Sector-Specific Plans (SSP)
Work to update the SSPs will begin around summertime. DHS will stand up a separate working group in early March (kickoff meeting TBD) focused on developing guidance for the SSPs; the SSP guidance developed by that working group will be incorporated into the overall NIPP implementation guidance. The NIPP Implementation Working Group will consist of: Cross-Sector Councils (CI Cross-Sector Council, Federal Senior Leadership Council, SLTT GCC, Regional Consortium CC), private sector subject matter experts, National Council of ISACs, and other Federal Departments and Agencies. The next meeting is March 18; DHS plans to finalize working group consensus on national priorities by early May.

Cybersecurity Framework Implementation Activities
The National Institute of Standards and Technology released the Cybersecurity Framework in February. The framework overlaps considerably with both NERC CIP standards and the Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2). Before the framework was finalized, DHS began initial implementation activities in November by establishing the Voluntary Program Development Working Group, now called the Critical Infrastructure Cyber Community Voluntary Program, or the C Cubed Voluntary Program. This program will allow the Federal Government to coordinate with critical infrastructure owners and operators interested in improving their cyber risk management processes. The C Cubed Voluntary Program aims to:
- Support industry in increasing its cyber resilience;
- Increase awareness and use of the Framework; and
- Encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management
For the Electricity Sub-sector, industry will be working with our sector-specific agency, the Department of Energy (DOE), to develop the implementation strategy for the sub-sector. DOE has indicated its intent to use the ES-C2M2 as our sector-specific implementation of the Framework.

ES-ISAC Update
NERC CIPC
Matt Light, ES-ISAC
March 4-5, 2014

New Personnel
- Carlo Castaneda joined the ES-ISAC in February
  o Six years in U.S. Marine Reconnaissance Unit
  o Program Analyst at DOJ
- ES-ISAC Team Growing: More Capability, More Capacity
  o Tim Roxey, CSO & Senior Director
  o Fred Hintermister
  o Ben Miller
  o Andrew Bonser
  o Orlando Stevenson
  o Carlo Castaneda
  o Matt Light

Operations
- Weekly Reports
  o Since September 2013, the ISAC has been publishing a weekly report on the portal
  o Every Monday: summary of the past week's activities, events, reports
- Monthly Calls
  o Attendance is increasing, with 350+ on the last call
  o Always looking for recommendations on speakers and topics
- Portal Migration
  o Contract established, SOW complete
  o Migration of content to the new platform is underway [March]
  o Anticipate a few months before new features are added [April/May]

SANS
- The ES-ISAC is offering several free events associated with the summit on Sunday, March 16th:
  o Exposure to Closure dramatic play
  o Attack Tree Analysis and Control Systems
  o Advanced CRPA/C2M2 Workshop
- SANS Schedule
  o March 12-16: SANS Pre-Summit Courses
  o March 16: Free ES-ISAC Provided Courses
  o March 17-18: SANS ICS Security Summit (Use discount code NERC10 to save 10%)

Physical Security Campaign
- ES-ISAC is supporting a joint DOE, DHS, and ESCC physical security outreach campaign
  o Highlight recent events
  o Develop and discuss lessons learned and best practices
  o Bring together utilities and state/local law enforcement
- Locations
  o Completed: Washington, Chicago, Denver, Tampa, Houston, San Jose, Albuquerque, Seattle
  o Scheduled: Boston 3/18, New York 3/21, Ottawa 3/24, Toronto 3/26, Calgary 3/28

CRPA
- CRPA is a customized GridEx for your organization
  o Use LoftyPerch to support scenario development
  o Min 6 weeks planning needed
  o Completely voluntary with no attribution to participants
  o A subset of practices from ES-C2M2 have been incorporated into the After Action Report to frame lessons learned
- Status:
  o 6 CRPAs performed last year
  o 2 confirmed for this year [Summer]
  o Looking for more participants [Spring/Fall]

CRISP
- Cybersecurity Risk Information Sharing Program (CRISP)
  o Operating under direction of the ESCC
  o About 20 companies identified for companies deployed CRISP in Jan 2014
  o Working to establish an LLC and contract to support the program
- CRISP Report
  o Provided in the Portal
  o Information based on CRISP pilot effort
  o Good industry feedback on the report content
- Outreach and communication to the sector
  o Expect outreach in the near future
  o Program is still developing
  o Beginning to plan for industry webinar, CRISP Overview
  o Will be continuing to reach out to companies identified by the ESCC

Legislative Update
Critical Infrastructure Protection Committee, March 4, 2014
Nathan Mitchell, American Public Power Association

Legislative Update
- HR 3696, National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act update
- Senate Physical Security Briefing Update
- Letter from Senate Leadership: Ron Wyden, Harry Reid, Dianne Feinstein, Al Franken, Feb 7, FERC/NERC
- House grid security briefing, March 26
- Letter from Jim Bridenstine (D-OK), Feb 12, FERC
- Letter from Charles Schumer (D-NY), Feb 17, FERC/DHS
- EMP/GMD

Transition to Version 5
March 4, 2014, St. Louis CIPC
Tobias Whitney, Manager of CIP Compliance

Summary
- FERC approved CIP Version 5 on Nov. 7, 2013
- Directed changes to the standards in the following areas:
  o Modification of language to identify, assess, and correct deficiencies (February 3, 2015 deadline)
  o Additional criteria for Low Impact classification category
  o Define communications network and add protections (February 3, 2015 deadline)
  o Add additional security for transient devices
- FERC Staff to conduct Technical Conference within 180 days on communications security, remote access, and the NIST Risk Management Framework

Purpose of the Transition Program
- Address V3 to V5 Transition issues.
- Provide a clear roadmap for V5 steady-state.
- Justify budget for V5 implementation and compliance.
- Foster communication and knowledge sharing.
- Support all entities in the timely, effective, and efficient transition to CIP Version 5

CIP V5 Transition Program Elements
- Periodic Guidance
  o New transition guidance will be provided after the V5 Order
- Implementation Study
  o 6 entities with strong compliance cultures
  o 6-8 month implementation of V5 for certain facilities
  o Lessons learned throughout and after study phase
- Compliance and Enforcement
  o Integration with RAI
  o Identify means and method to address self-corrective processes and internal controls
- Outreach & Communications
  o New website created for all Transition Program activity
- Training
  o Quarterly training opportunities will be provided to industry

Purpose of RAI
An ERO strategic initiative to transform the current compliance monitoring and enforcement program that:
- Focuses on high reliability risk areas
- Reduces unnecessary administrative burdens
Three main goals:
- Building on the success of Find, Fix, Track and Report (FFT)
- Design a compliance program that:
  o Recognizes an entity's risk to reliability
  o Appropriately scopes audits and applies proper audit techniques and approaches
  o Evaluates and uses management controls to gain reasonable assurance of compliance, which promotes reliability
- Reduce unnecessary administrative burdens of the compliance monitoring and enforcement program on all stakeholders.

2013 Year End Progress Report
- Auditor Handbook
  o The first version of the auditor handbook was completed.
  o Training and rollout efforts to occur in
- Prototypes and Pilot Programs
  o The results to date of pilot programs are being compiled.
  o Evaluation criteria have been finalized.
  o The assessment timeline and 2014 deliverables are set.
- Improvements to Self-Reporting
  o User guide to support improved self-reporting process completed in December
  o Request for broader industry review in January
- FFT Enhancements
  o Triage process implemented across the ERO by January 1, 2014 to expedite disposition of minimal-risk issues.
  o Enforcement pilots to test aggregation and exercise of enforcement discretion under way.

V5 Compliance and Enforcement Steady State
V5/RAI Key Program Elements (based on Evaluation Criteria):
- Risk Assessment
  o The Regional Entity will develop a transparent but customized compliance profile based on the Registered Entity's impact to the Grid.
  o The Risk Assessment will be shared with the Registered Entity so that it understands how it will be monitored as a unit of the compliance profile.
- Internal Controls Reliance
  o The Registered Entity will develop internal control practices that will be provided to and reviewed by the Regional Entity.
  o The Regional Entity will evaluate the level of the entity's internal control program to tailor compliance activities in conjunction with the Risk Assessment.
- Aggregation of Non-Compliance
  o Based on the level of controls reliance and the Risk Assessment, Registered Entities may be able to participate in the aggregation of non-compliance processes.
  o Aggregation is allowed, in the pilot phase, for noncompliance that poses minimal risk to the reliability of the BPS.


Main Concepts Post FERC Order
- Now that FERC has approved V5, the industry should be progressing toward compliance with the assumption that IAC language will be removed or replaced.
- Version 3 compliance is required until the effective date of V5; however, the ERO will consider V5 implementation compliant to V3 based on the compatibility tables.
- CEAs' monitoring personnel will be trained on determining what evidence is acceptable during the transition and the nuanced differences between Version 3 and Version 5.

V3 to V5 Compatibility
Based on the results of the Transition Study, the ERO has learned that many entities' CIP programs are already mostly compatible with Version 5.
Percentage of Version 3 Procedures Used in Version 5:
CIP % CIP to 90% CIP % CIP % (Review required for new Assets) CIP % CIP % CIP % (Review required for new Assets) CIP % (new to V5) CIP % (new to V5)

V3 to V5 Compatibility Table
For the Version 5 standards below, an entity can elect to implement the requirements that are mostly compatible (MC) with V3. Compliance to those standards will be considered valid Version 3 compliance actions. Requirements listed as N/A are not applicable to Version 3 compliance obligations.
- CIP-002: R1-MC, R2-MC
- CIP-003: R1-N/A, R2-MC, R3-MC, R4-MC
- CIP-004: R1-MC, R2-MC, R3-MC, R4-MC

V3 to V5 Compatibility Table
For the Version 5 standards below, an entity can elect to implement the requirements that are mostly compatible (MC) with V3. Compliance to those standards will be considered valid Version 3 compliance actions. Requirements listed as N/A are not applicable to Version 3 compliance obligations.
- CIP-005: R1-MC (except 1.3-N/A, 1.4-N/A), R2-MC
- CIP-006: R1 (R1.1-MC, R1.2-MC, R1.3-MC, R1.4-MC, R1.5-MC, R1.6-N/A, R1.7-N/A, R1.8-MC, R1.9-MC), R2-MC, R3-MC
- CIP-007: R1-MC, R2-MC, R3-MC, R4-MC, R5 (R5.1-MC, R5.2-MC, R5.3-MC, R5.4-N/A, R5.5-MC, R5.6-MC, R5.7-MC)

V3 to V5 Compatibility Table
For the Version 5 standards below, an entity can elect to implement the requirements that are mostly compatible (MC) with V3. Compliance to those standards will be considered valid Version 3 compliance actions. Requirements listed as N/A are not applicable to Version 3 compliance obligations.
- CIP-008: R1-MC, R2-MC, R3-MC
- CIP-009: R1 (R1.1-MC, R1.2-MC, R1.3-N/A, R1.4-N/A, R1.5-MC), R2-MC, R3-MC
- CIP-010: R1-N/A, R2-N/A, R3 (R3.1-MC, R3.2-N/A, R3.3-N/A, R3.4-MC)
- CIP-011: R1-MC, R2-N/A

V3 to V5 Compatibility
- Physical Security Perimeters (six-walled enclosures) will be required throughout the transition period for impacted Version 3 Critical Cyber Assets.
- Electronic Security Perimeter drawings will still be required throughout the transition period. The drawing must indicate V3 or V5 elected controls.
- Newly identified BES Cyber Systems will not be considered in scope during the transition period. They must follow the Implementation Plan set of milestones.

V5 Compliance Dates
CIP Version 5 Effective Dates (Requirement: Effective Date)
- Effective Date of Standard: April 1, 2016
Requirement-Specific Effective Dates:
- CIP R2: April 1, 2016
- CIP R1: April 1, 2016
- CIP R2 for medium and high impact BES Cyber Systems: April 1, 2016
- CIP R2 for low impact BES Cyber Systems: April 1, 2017
- CIP Part 4.4: April 15, 2016
- CIP Part 2.1: May 6, 2016
- CIP Part 4.2: July 1, 2016
- CIP Part 2.3: April 1, 2017
- CIP Part 4.3: April 1, 2017
- CIP Part 4.4: April 1, 2017
- CIP Part 3.1: April 1, 2017
- CIP Part 2.1: April 1, 2017
- CIP Part 2.1: April 1, 2017
- CIP Part 2.2: April 1, 2017
- CIP Part 3.1: April 1, 2017
- CIP Part 2.3: April 1, 2018
- CIP Part 3.2: April 1, 2018
- CIP Part 3.5: Within 7 years after previous Personnel Risk Assessment

Newly Identified Cyber Assets
- During the remainder of the transition period, newly identified assets applicable to Version 3 based on the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities may migrate directly to Version 5 applicable standards and requirements.
- The Registered Entity must follow the timeline established for V3 for assets coming into compliance before V5 effective dates.
- In the event of newly acquired companies or mergers, the Registered Entity shall coordinate with their Region to clarify anticipated compliance dates and expectations during the transition.
- Entities notified by Registered 3rd parties (such as TP, RC, PA) resulting in High or Medium BES Cyber Assets during the transition period have months from the time of notification to bring the assets into compliance. The V5 Implementation Plan's Scenario for Unplanned Changes should be referenced to determine if the notified entity will be on the 12-month or 24-month implementation window.

Website Updates

CIP V5 Revisions and RAI Timeline


Project CIP Version 5 Revisions: SDT Update
Marisa Hecht & Ryan Stewart, NERC Standards Developers
Critical Infrastructure Protection Committee, March 4, 2014

Discussion Topics
- SDT Kickoff Meeting
- Subgroup Structure
- Key Messages
- Project Schedule

SDT Kickoff Meeting
- February 19-21, 2014 in DC
- Great participation and interest
- Set up subgroup structure for calls
- Scheduled meetings through May 2014
- Drafted scope statements for each of the directive areas
- Created discussion items for the subgroups

Subgroup Structure
- Two SDT members assigned as leads for each subgroup
- Each has a two-hour conference call once a week
- Will work in between SDT face-to-face meetings for efficiencies
- Focus is on dialogue, drafting, and proposal development
- All calls will be on the NERC calendar

Subgroup Structure

Subgroup SDT Leads
- IAC: Greg Goodrich (NYISO) & Scott Saunders (SMUD)
- Communication Networks: David Revill (GTC) & David Dockery (AECI)
- Low Impact Assets: Jay Cribb (Southern) & Forrest Krigbaum (BPA)
- Transient Devices: Steven Brain (Dominion) & Christine Hasha (ERCOT)

Key Messages
- Address all four directive areas by the filing deadline
- Outreach is crucial for building industry consensus
- Engagement by observers critical to success
- Stay up to date with progress through the Project project page
  o Calendar of events
  o Meeting and conference call agendas and notes
- Importance of quality during development

Identify, Assess, and Correct (IAC)
- Team and observer straw poll at SDT meeting to remove the language
- Considering additional guidance language
- Coordination with NERC Compliance and Enforcement departments

Communication Networks (CN)
- Definitions and Requirements to be developed
- Close gap identified by FERC when communications network clause was removed from definition of Cyber Asset
- Use NIST SP and ISO language (referenced in FERC Order 791)

Low Impact (LI)
- Requirements need to contain objective criteria and be auditable and enforceable
- Considering impact on implementation schedule
- Coordination with IAC language work

Transient Devices (TD)
- Looking at maintenance device work done by previous SDT
- Six specific issues discussed in FERC Order 791
- Considering impact on implementation schedule

Project Schedule
- Post for 45-day first comment and ballot: June 2-July 17
- Additional 45-day comment and ballot: August 29-October 13 (if necessary)
- Final ballot: October 31-November 10
- Presentation to the NERC Board of Trustees: November 13
- File with applicable government authorities: December


Security and Reliability Program: 2014 Program Status
Scott R. Mix, CISSP, NERC CIP Technical Manager
March CIPC, March 4-5, 2014

2013 Program Recap
- 14 SRP visits complete for 2014
- Draft report in progress

2014 Program
- Program re-named Security and Reliability Program
  o Kept SRP nomenclature
- Focus moved away from RBAM sufficiency review
  o Still perform RBAM review if desired
- Program now focused on holistic security review
- Continue to include CIP V5 education and outreach
- Continue to have flexibility in content and visit length
- Added physical security component

2014 Program
- Added Elective option
  o Entities can pick from a list of pre-supplied subjects
  o Or, entities can suggest topics of interest
  o Selection occurs during initial setup discussions

2014 Program
Initial partial list of Electives:
- Cloud Computing
- Virtual Computing Environments
- RAI update
- Issues within Compliance Operations at NERC
- Evidence Management: how to show a third party the story of your environment
- Test Environments
- Events Analysis Process and industry trends
  o Cause Coding
- Enterprise vs. Operations team CVAs, NERC CVA and everything in between

2014 Program
- Password policies: corporate vs. personal
- Firewall Tools: rule set review process/procedures, NetAPT, etc.
- Patch management and availability issues: how do you get your patches?
- Internal auditing and risk management development
- Sampling Methodologies
- GAGAS
- ES-C2M2


The Reliability Risk Management Process in 2014
Jim Brenton, ERCOT Regional Security Coordinator
NERC CIPC, March 4/5, 2014

Process Overview
Phases: Strategic Planning, Analysis, Solution Design, Business Planning and Budgeting, Prep, Execution, Maintenance, Beyond
- Strategic Planning: Full RISC, with input from industry, committees, and others
- Analysis: Technical Committee RISC Members (OC, PC, CIPC)
- Solution Design: Technical and Process Committee RISC Members (OC, PC, CIPC, CCC, SC), Staff
- Business Planning and Budgeting: NERC Staff, Industry
- Preparation: NERC Staff, Standing Committees, 3rd Parties
- Execution: NERC Staff, Standing Committees, 3rd Parties
- Maintenance: NERC Staff, Standing Committees, 3rd Parties

Ongoing and Cyclical
Phase-by-year overlap (chart):
- Strategic Planning: for 2017, 2018, 2019, 2020, 2021 (and beyond)
- Analysis: for 2016, 2017, 2018, 2019, 2020
- Solution Design: for 2016, 2017, 2018, 2019
- Business Planning and Budgeting (BP&B): for 2015, 2016, 2017, 2018, 2019
- Prep: for 2015, 2016, 2017, 2018
- Execution: for 2014, 2015, 2016, 2017, 2018
- Maintenance: ongoing
Notes:
- Overlapping tasks each year
- Structured, but not rigid: overlap will allow for influence across years, e.g., if the 2017 Strategic Planning effort uncovers a major problem, it could be addressed in the 2016 Analysis and Solution Design, the 2015 BP&B and Preparation, or even in the 2014 execution if urgent.

Suggested RISC and Committee Timeline (chart, Jan through following Feb)
- STRATEGIC PLANNING: RISC Develops New 2015 RISC Recommendations; BOT Reviews and Approves RISC Report
- ANALYSIS AND SOLUTION DESIGN: Sanity Check RISC Report 2013; Committee RISC Members use Previous Year RISC Recommendations to develop Risk Profiles (i.e., Gap Analysis and Suggestions to address); Staff assembles, edits, and updates ERO Top Priority Reliability Risks
- RISC Priorities: Cyber Attack; Workforce Capability and Human Error; Protection Systems; Monitoring and Situational Awareness; Adaptation and Planning for Change
- Top Priority: Business Planning and Budgeting

ERO Top Priority Reliability Risks and Alignment with RISC Priorities
Blue shading indicates alignment between an ERO Top Priority and a RISC High Priority Area.
ERO Top Priority Reliability Risks:
- Changing Resource Mix
- Resource Planning
- Protection System Reliability
- Uncoordinated Protection Systems
- Extreme Physical Events (SEE NOTE 2)
- Availability of Real-Time Tools and Monitoring
- Protection System Misoperations
- Cold Weather Preparedness (SEE NOTE 3)
- Right of Way Clearances (SEE NOTE)
- kV Breaker Failures (SEE NOTE 3)
High Priority Areas from the July 26, 2013 RISC Report "ERO Priorities: RISC Updates and Recommendations":
- Cyber Attack (SEE NOTE 1)
- Workforce Capability and Human Error (SEE NOTE 1)
- Protection Systems
- Monitoring and Situational Awareness
- Adaptation and Planning for Change
  o Long Term Planning and System Analysis
  o Resource and Transmission Adequacy
  o Integration of New Technologies and Operations
6 of the 10 ERO Top Priority Reliability Risks align with 5 of the 7 RISC Recommended Priorities; 2 of the RISC Recommended Priorities are already being addressed sufficiently (See note 1).
Note 1: These areas already have significant work underway and do not need additional focus.
Note 2: Based on discussions at the 2013 Reliability Leadership Summit, NERC believes this issue deserves attention.
Note 3: NERC management has concluded these risks should be given priority monitoring to ensure past risk management activities have been effective.

Suggested Committee Member Deliverables (chart, Jan through Oct)
Tracks: Top Priority; Primarily Technical Work, Supported by Committees; Primarily Tools and Process Work
- RISC Report 2013: ANALYSIS AND SOLUTION DESIGN
- Scoping, Team Formation
- Prioritized List of Top Risks for each High Priority Risk Area*
- Draft Problem Statement, Gaps, and Measures for each Top Risk*
- Final Problem Statement, Gaps, and Measures for each Top Risk*
- Draft Risk Mgmt Strategy for each Top Risk*
- Rough Timelines, Target Measures*
- Proposed Risk Profile Completed*
- Staff activities / Input: Staff assembles completed profiles with other information and develops the ERO Top Priority Reliability Risks document
* Worksheets, templates, and facilitation aids developed to assist in producing these deliverables consistently across all Committees

Top Risk Areas (from the RISC Report)
- Cyber Attack (Lead: Jim Brenton)
- Workforce Capability and Human Error (Lead: Jim Case)
- Protection Systems (Lead: Ben Crisp)
- Monitoring and Situational Awareness (Lead: Jim Case)
- Adaptation and Planning for Change
  o Long-Term Planning and System Analysis (Lead: Ben Crisp)
  o Resource and Transmission Adequacy (Lead: Ben Crisp)
  o Integration of New Technologies and Operations (Lead: Ben Crisp)

Additional Requests from NERC (TIME PERMITTING)
- Coordinated Attack on Multiple Facilities (Lead: Jim Brenton)
- Localized Physical Attack (Lead: Jim Brenton)
- Extreme Weather/Acts of Nature (Lead: Ben Crisp)


Electricity Sector Information Sharing Task Force
NERC CIPC update
Stephen Diebold, Chairman
St Louis, March 4th & 5th, 2014

Contents
- ESISTF Charter
- Status of Deliverables
- Status of ES-ISTF
- Future Work

ESISTF Charter
The ESISTF will develop two deliverables:
- A final report meeting the goals set forth in the charter
- A PowerPoint presentation to be used for outreach and socialization.

Status of Deliverables: Report
- ESISTF task force report approved by CIPC on June 11, 2013
- ESISTF task force report accepted by Electric Sub-Sector Coordinating Council (ESCC) on July 11, 2013
- ESISTF task force report accepted by NERC BOT on August 15

Status of Deliverables: Presentation
- Finalized presentation given at GridSecCon II on October 16, 2013
- The presentation was given a total of 10 times.
- Tim Roxey, the Executive sponsor, accepted the packaged presentation on December 16

Status of ES-ISTF
- Time to mark this charter completed
- All deliverables have been completed and accepted.

Future Work
ESISTF recommends the following activities:
- Conduct case studies on how utilities are using the ES-ISAC as the Central Hub and evaluate benefits received.
- Evaluate the usage patterns. Are AOO participating daily? In particular: Unattributed Information provided, Compliance Required Information provided, number of users signed up for automated e-mails, etc.
- Determine why some companies are not using the ES-ISAC.
- Work with the government agencies and promote the receipt of data from the ES-ISAC. See if they have any issues or recommendations. Should there be any legal changes?
- Evaluate vendor participation in the ES-ISAC.

ESISTF


GridEx II Post Exercise Update
Bill Lawrence, NERC Senior Manager of CIP Awareness
CIPC Meeting, March 4, 2014

GridEx II Objectives
- GridEx II was a successful exercise based on the lessons learned from GridEx 2011
- The exercise focused on:
  o Exercising cyber and physical crisis response
  o Increasing information sharing
  o Gathering lessons learned
  o Discussing a more severe event scenario at an executive level

88 GridEx II Scenario Escalation Timeline 3 RELIABILITY ACCOUNTABILITY

89 Distributed Play Participation GridEx 2011 had 420 compared to GridEx II with 2,000 individual participants 140 GridEx Participating Organizations Comparison Utilities 80 Government/Academia/Other Reliability Coordinator/ Independent System Operator NERC Regional Entity GridEx 2011 (76) GridEx II (234) 4 RELIABILITY ACCOUNTABILITY

90 Industry-Wide Coordination ES-ISAC and NERC BPSA saw increased communication Still room for improvement on information sharing Both coordinated with Department of Energy, Department of Homeland Security, and Federal Energy Regulatory Commission to deliver response to industry Four joint sector conference calls Five NERC-internal Crisis Action Team calls 13 Watch List postings Three NERC Alerts released o One Advisory Alert (Level 1) o Two Recommendation Alerts (Level 2) 5 RELIABILITY ACCOUNTABILITY

91 Lessons Learned Distributed Play 1. Information sharing has increased 2. NERC has improved ES-ISAC and BPSA coordination functions 3. Simultaneous cyber and physical attacks pose significant challenges 4. Industry continues to refine and enhance its all-hazard incidence response plans and protocols 5. Industry and government information sharing stakeholders can better inform incident response through coordination and consolidation of content 6 RELIABILITY ACCOUNTABILITY

92 Recommendations Executive Tabletop There were 10 recommendations in four broad areas of interest: Information Sharing between the Electricity Industry and Government o Situation assessment scalability o Public communications Operational Decision Making o Unity of Effort o Cyber attacks create unique restoration challenges o Physical attacks create unique restoration challenges o Mutual aid and critical spares Legal and Regulatory Authorities o Regulatory relief o Implementing emergency legislation Next Steps o Acting on the recommendations o Planning future exercises of this nature 7 RELIABILITY ACCOUNTABILITY

93 Next Steps GridEx II Distributed Play Report Anticipated that individual entities, NERC Critical Infrastructure Protection Committee, and other industry forums will consider and act on the recommendations GridEx II Executive Tabletop Recommendations provide several opportunitiues to enhance industry and government coordination Discussed at January 30, 2014 Electricity Sub-sector Coordinating Council (ESCC) meeting Reports will be published Q1 of 2014o late-february 8 RELIABILITY ACCOUNTABILITY


95 Personnel Security Clearance Task Force (PSCTF) Critical Infrastructure Protection Committee September 17, 2013 Nathan Mitchell, Chair Policy Subcommittee

96 How we fit in: Existing CIP Committee Structure
[Organization chart. The CIPC Executive Committee sits over four subcommittees: Physical Security (David Grubbs), Cyber Security (Marc Child), Operating Security (Carl Eng), Policy (Nathan Mitchell). Groups shown: Protecting Sensitive Information TF, Control System Security WG, Information Sharing TF, BES Security Metrics WG, Physical Security Guideline TF, Cyber Attack Tree TF, HILF Implementation TF, Personnel Security Clearance TF (Nathan Mitchell), Physical Security Events Analysis WG (joint with OC & PC), Cyber Security Analysis WG (joint with OC & PC), Grid Exercise WG, Compliance & Enforcement WG, Physical Security Training WG, Cyber Security Training WG.]

97 Recommendations
Inform government of the value that industry SMEs bring to classified discussions.
Use the clearance model outlined in this report to identify and validate industry nominees on a functional basis.
Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process.
Encourage clearance nominees to use the guidance in this report during the PSCP application process.

98 Next Steps
ESCC is coordinating with DHS to develop a series of handbooks on the security clearance process; the CIPC PSCTF report is being used as the template.
Clearance playbooks:
Who should have clearances
Expectations of clearance holders
Process for prioritizing and monitoring clearance nominations

99 Next Steps
Modification of the self-nomination process: possibly add a senior management sign-off line to the DHS 9014 form
Company identification of key employees who need clearances
Tracking of clearance holders within the company
Document the process for revocation of a security clearance on:
Changes in employment status
Changes in criminal history
Changes in financial history

100 Thank you PSCTF members!

101 BES Security Metrics WG Progress Report James W. Sample, Chair March 4-5, 2014

102 How we fit in: Existing CIP Committee Structure
[Organization chart. The CIPC Executive Committee sits over four subcommittees: Physical Security (David Grubbs), Cyber Security (Marc Child), Operating Security (Carl Eng), Policy (Nathan Mitchell). The BES Security Metrics WG (Jamey Sample) is highlighted among the groups: Protecting Sensitive Information TF, Control System Security WG, Information Sharing TF, Physical Security Guideline TF, Cyber Attack Tree TF, HILF Implementation TF, Personnel Security Clearance TF, Physical Security Events Analysis WG (joint with OC & PC), Cyber Security Analysis WG (joint with OC & PC), Grid Exercise WG, Compliance & Enforcement WG, Physical Security Training WG, Cyber Security Training WG.]

103 Workshop
A Security Metrics Workshop was held at NERC in February.
Goal: evaluate the BESSMWG effort and better understand the existing Adequate Level of Reliability (ALR) framework.
Included representatives from Risk Assessment and Performance Analysis (RAPA).

104 Outcomes
Determine what a strong security posture looks like for the sector.
Define those attributes (potential metrics):
o Information sharing
o Program maturity
o Situational awareness
o Compliance program
Evaluate existing ALRs for incorporation of security measures.
Develop new security ALRs where needed.

105 Current ALR Framework
[Table 4.1: Adequate Level of Reliability Characteristics. Columns (standard objectives): Boundary, Contingencies, Integrity, Protection, Restoration, Adequacy. Rows: Reliability Planning and Operating Performance; Frequency and Voltage Performance; Reliability Information; Emergency Preparation; Communications and Control; Personnel; Wide-area View; Security. ALR metrics placed in the table: ALR1-3, ALR1-4, ALR1-5, ALR1-12, ALR2-3, ALR2-4, ALR2-5, ALR3-5, ALR4-1, ALR6-1, ALR6-2, ALR6-3, ALR6-11, ALR6-12, ALR6-13, ALR6-14, ALR6-15, ALR6-16. Cell positions are not recoverable from the transcription.]

106 ALR Integration
[Flowchart. Two parallel tracks, each fed by data sources and Reliability Performance Group input:
(1) Identify 4 or 5 outcomes that a strong security posture would exhibit; map the attributes to the existing ALR framework; evaluate existing ALRs for security attributes; evaluate whether a new ALR is needed.
(2) Develop new ALRs specific to security: develop proposed attributes, evaluate the proposal, identify the business case and challenges, and arrive at a proposed set of new security metrics.]

107 Challenges
Challenge areas (industry-driven, ISAC, internal operations, NERC support):
Expertise on the WG
Cause coding lacks security issue identification
EST and ISAC info-shares are still low
ISAC lacks a formal tracking process
Recommended actions:
Recruit additional CIOs/SMEs; more engagement from industry is needed, working through CIPC
Engage Event Analysis on cause coding; evaluate existing cause codes [Change Mgmt LTA] and develop proposed cause codes
Develop a reporting dashboard; provide a sample dashboard at CIPC
Work with the ISAC to develop a process for logging engagements; develop technologies to support uniform cataloging
Explore additional ways to ensure separation from compliance
Support from the Event Analysis and Risk Performance groups is needed, along with sustained resourcing to support capturing and measuring metrics

108 Industry Info-Shares
[Table of ES-ISAC industry info-share entries (entry number, date, time) from July 2013 into early 2014, each tagged with one category: Phishing, Waterhole, Spoof, SQL, Malware, Scan, DDoS, SSH or EST. Per-row category marks are not recoverable from the transcription.]

109 Next Steps
Re-invigorate the BESSMWG: SME and CIO engagement is needed.
Evaluate ALRs relative to security; identify metrics/measures for incorporation.
Increase sharing: develop guidance on what and how to submit information to the ISAC, so that more industry information is shared with the ISAC.
Work with Events Analysis to develop cause codes.

110 NERC CIPC Compliance and Enforcement Input Working Group
NERC CIPC Update, March 4-5, 2014
Paul Crist

111 Member List
Amelia Sawyer, James Boone, Michael Nickels, Scott Harris, Andrew Jurbergs, Jeff Mantong, Mike Mertz, Steen Fjalstad, Ben Miller, Joe Bucciero, Mike Welch, Steve J Knaebel, Brenda Davis, John Galloway, Nathan Mitchell, Summer C. Esquerre, Brian Evans-Mongeon, Karen Demos, Nick Santora, Tim Johnson, Charles F. Abell, Ken Burruss, Paul Crist, Tobias Whitney, Daniel Shaffer, Kent Kujala, Paul F. McClay, Travis Borrini, David Gordon, Marc A. Child, Robert D. Canada, Trey Cross, David Thorne, Martin Collin, Ron Harrod, Wes Davis, Eric Ervin, Matt Stryker, Ryan Carlson

112 Update
Three conference calls: December 12, 2013; January 9, 2014; February 13, 2014

113 Update: Agenda Items
1. Review of the CARs for Reliability Coordinator and Balancing Authority
2. Update on the Virtualization Whitepaper work (John Galloway taking the lead on this)
3. CIPC EC follow-up items for CEIWG
a. NERC Transition/Implementation Guidance review
b. NERC CIP V5 Standards Revision support (first meeting in February)

114 Update: Meetings
Second Thursday of the month at 1:00 CST
Questions?

115 CIPC Report to the NERC Reliability Issues Steering Committee (RISC)
Analysis of the RISC nomination for digital certificate management (Venafi, Inc., 7/29/2013)
February 1, 2014

Background
In July 2013, technology vendor Venafi, Inc. submitted to the Reliability Issues Steering Committee a Reliability Issues Nomination Form related to the use of digital keys and digital certificates. These technologies are used by machines as a trust mechanism to provide privacy and non-repudiation for data passed between them. The basis of Venafi's concern (discussed in the Technical Details below) is that poorly managed or implemented digital keys introduce risk to the bulk electric system; Venafi's recommendation is to make specific language changes in the CIP version 5 standards to include requirements for full life-cycle management of keys and for digital certificate security.

In its NOPR for CIP version 5, FERC sought comments on whether the adoption of communications security protections, such as cryptography and protections for non-routable protocols, would improve the CIP Standards (Ref: Docket No. RM, page 116). In response, the Commission received comments from vendors (including Venafi) and others that supported the inclusion of such cryptography requirements, while multiple other organizations such as trade groups and individual utilities disagreed, stating that the deployment of cryptographic protocols may: (1) prohibitively increase latency in communications; (2) obfuscate data needed for testing and problem diagnosis; and (3) introduce communication errors from complex key management across organizations (Ref: Docket No. RM, page 116). Version 5 of the NERC CIP standards was approved by FERC in late November 2013, and, while the Final Rule (Order 791) included directives to strengthen the physical protection of communications networks, it did not include any specific instructions for NERC to introduce cryptography requirements into the CIP standards.

Recommendations
On behalf of the NERC Critical Infrastructure Protection Committee (CIPC), the Control Systems Security Working Group (CSSWG) reviewed the Venafi nomination form for technical accuracy and evaluated the merits of its recommendations. Specifically, the CSSWG reviewed the FERC NOPR and Final Rule for the CIP version 5 reliability standards, and examined the scope of the newly formed Order 791 standards drafting team. Finally, the CSSWG contacted the Events Analysis team at NERC to study incidents related to Bulk Electric System outages where digital certificates may have been a contributing factor.

The CSSWG found:
There have been no Energy Management System (EMS) outages reported to NERC where digital certificates or digital keys were deemed to be a causal or contributing factor.
Venafi is correct in stating that entities may have a higher susceptibility to intrusions due to poorly managed keys and certificates. However, poor engineering or poor implementation of technology cannot (and, in the opinion of the CSSWG, should not) be mitigated through the NERC standards process by use of prescriptive controls. The CIP standards, in particular, focus on what should be protected and not how.
The CIPC has long recognized the value of providing utilities best-practice guidance in the form of technical guidelines published on the ES-ISAC website. Technical subjects such as Connectivity to Business Networks, Identity and Access Management, Intrusion Detection, and Firewalls (security topics categorically similar to digital certificate management) are areas where the committee has provided guidance and technical resources to help entities design effective solutions and avoid the risk of poorly designed or incomplete security implementations.

The CSSWG recommends:
Short of any regulatory directives by FERC, no additional modifications to the CIP version 5 standards are planned that would include specific technical requirements for digital certificate management.
The CIPC should direct the CSSWG to develop a guideline for digital certificate management and encryption to assist entities in choosing and implementing such technologies in a manner consistent with BES reliability.
The RISC should thank Venafi, Inc., as the author of the RISC Nomination Form, for volunteering its expert knowledge and bringing this issue to the attention of NERC.

Technical Details
In response to the four specific recommendations and comments made by Venafi, the CSSWG offers the following technical feedback.

Comment #1 (CIP Version 5 & FERC NOPR): "The use of encryption alone is inadequate to provide secure and trusted data communications. Within the proposed CIP version 5 standards, there are multiple references to authenticated, secure, or encrypted data communications, but they fall short of clearly prescribing the adoption of communications security protections. FERC's suggestion for the use of cryptography for encryption should not only be mandatory but should also include provisions for the management of the encryption assets known as keys and certificates. Many organizations, both inside and outside of the bulk electric system, have adopted encryption to secure and trust data communications but are still susceptible to intrusions and attacks due to the theft of poorly managed keys and certificates. The threat posed by the theft of these trust assets is increasing exponentially; if the intruder is trusted, the security defenses in place will be ineffectual against attack or theft. We propose that encryption and the management of authentication/encryption assets to secure data communications be made a part of the CIP version 5 standards."

CSSWG response: The CSSWG agrees with the statement in general, although we are not as convinced that encryption is adopted in the control systems world as much as was suggested. In our opinion there is still a great deal of misunderstanding about what an IPsec tunnel can and cannot do. There is a very great appeal to the use of digital certificates to manage machine-to-machine (and human-to-machine) connections. There is a general perception that rolling out a large certificate-based system is not for the faint of heart. For smaller entities especially, this is a very large technical step to take and requires a great deal of subject matter expertise to get it right. It would be advisable for entities wishing to embark on such a project to visit some companies that are using certificate-based encryption and see how well it was rolled out. It would be equally helpful to visit a company that abandoned the effort as well.

Comment #2 (CIP-002-5): "Certificate Authorities are incorrectly identified as an example of an authentication server under the definition of Electronic Access Control or Monitoring Systems (EACMS). A Certificate Authority is not in itself an authentication server but is an integral part of a Public Key Infrastructure (PKI). A Certificate Authority (CA) does not provide active authentication; rather, it relies on components of the PKI such as Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responders to validate/authenticate trust. CAs issue root certificates that are part of a trust store to ensure the validity of the trust chain that provides authentication. As it serves as the basis to ensure the integrity of the authentication functions of keys and certificates, we propose that PKI be included as a separate category example of an EACMS. Our proposed language is more precise to what we interpret as the intent of the inclusion of Certificate Authorities in the EACMS examples: Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, LDAP servers), Public Key Infrastructure technologies such as but not limited to Certificate Authorities, OCSP Responders, CRLs, Registration Authorities, certificates, RSA and DSA keys, self-signed certificates, CRLs and Trust Stores."

CSSWG response: Agree, with the knowledge that OCSP already exists and, to our knowledge, is considered a best practice and should be encouraged; but this suggestion crosses over into the "how".

Comment #3 (CIP-002-5): "Without the expansion of the EACMS definition to include PKI, the BES lowers its availability/reliability and adds significant risk to the ability to prevent or respond to a key/certificate incident. An unavailable, degraded, or misused unmanaged key or certificate in the BES would not be remediated within 15 minutes of the compromise or outage. Venafi's extensive experience in this field indicates that in unmanaged environments with manual processes, the average recovery time to (a) diagnose the issue, (b) request a new certificate, and (c) approve and install it is typically two to four hours. We believe that there is intent in the proposed CIP version 5 standards to prevent key and certificate incidents from having a negative impact on the availability/reliability of the BES. To prevent this from being overlooked, we again propose that specific language be added to include PKI as an example of EACMS."

CSSWG response: There are certainly safety and reliability concerns about keeping a process control or SCADA system up at all costs, and an entity choosing to use a PKI will need to determine what to do if and when a certificate is untrusted or becomes untrusted. This must be accounted for in the functional design of the system.

Comment #4 (CIP-007-5): "By limiting the focus to human interaction/authentication with cyber systems, the System Access Controls fail to account for, or place controls on, the majority of authentication credentials (machine-to-machine) used in the BES. In this context, authentication falls into user credentials (user ID/password, one-time password (OTP), smartcards and tokens) and machine credentials (the most common form of which are keys and certificates). Within the bulk electric system, machine credentials are used far more often to authenticate than user credentials, and the gulf between the two continues to grow wider. By focusing only on user ID/password credentials for humans, the proposed CIP version 5 standards do not adequately protect the majority of the authentication credentials or the auditability of all access within the bulk electric system. We propose that CIP Table R5 - System Access Control be expanded to include the active management of keys and certificate credentials in line with user ID/password credentials."

CSSWG response: Machine-to-machine credentials are important but, considering current intrusion/infection scenarios, are arguably not the most urgent problem to be addressed by NERC CIP controls. The current standard's concentration on human accounts, authentication, and remote access sets proper and realistic goals. The entity has the ultimate authority to design and implement the level and type of encryption and authorization levels to mitigate the risks identified in its own risk management programs.
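The lifecycle problem the report circles around (comment #3: an expired or compromised certificate that nobody tracks becomes a multi-hour outage, and the CSSWG's own point that an entity must decide in advance what happens when a certificate stops being trusted) is easier to see with a small certificate-inventory check. The following Go program is an added example, not part of the CSSWG report or of any NERC guideline. It builds a throwaway CA and four leaf certificates in memory for hypothetical control-centre hosts (the host names, validity dates and the revoked serial number are constructed for the example), verifies each chain at a fixed clock time, consults a revoked-serial set that stands in for a CRL or OCSP lookup, and flags certificates that fall inside a 30-day renewal window so they can be replaced on a schedule rather than on the day they expire.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the result of the lifecycle check for one certificate.
type Status struct {
	Subject      string
	Valid        bool   // chain verifies at the check time and the serial is not revoked
	NeedsRenewal bool   // valid, but NotAfter falls inside the renewal window
	Reason       string // "ok", "renew", "expired", "revoked" or the verifier's error text
	DaysLeft     int    // days until NotAfter (negative once expired)
}

// issue creates a P-256 certificate: a self-signed CA when parent == nil,
// otherwise a leaf signed by parent with parentKey.
func issue(cn string, notBefore, notAfter time.Time, serial int64,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// check does what an unmanaged environment does not: verify the chain at a known
// clock time, consult revocation status, and flag certificates that expire soon
// enough to need a replacement scheduled now.
func check(cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool,
	now time.Time, renewWithin time.Duration) Status {
	s := Status{Subject: cert.Subject.CommonName, DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24)}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		var inv x509.CertificateInvalidError
		if errors.As(err, &inv) && inv.Reason == x509.Expired {
			s.Reason = "expired"
		} else {
			s.Reason = err.Error()
		}
		return s
	}
	if revoked[cert.SerialNumber.String()] { // stand-in for a CRL or OCSP lookup
		s.Reason = "revoked"
		return s
	}
	s.Valid, s.Reason = true, "ok"
	if cert.NotAfter.Sub(now) < renewWithin {
		s.NeedsRenewal, s.Reason = true, "renew"
	}
	return s
}

// runInventory builds the constructed PKI (one CA, four leaf certificates for
// hypothetical control-centre hosts) and checks every leaf at the given time.
func runInventory(now time.Time) ([]Status, error) {
	day := 24 * time.Hour
	ca, caKey, err := issue("Constructed Control Center Root CA", now.Add(-365*day), now.Add(5*365*day), 1, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	specs := []struct {
		cn         string
		start, end time.Duration
		serial     int64
	}{
		{"ems-historian.ot.example", -30 * day, 365 * day, 2},    // healthy
		{"rtu-gateway-07.ot.example", -300 * day, 10 * day, 3},   // expires in 10 days
		{"scada-fep.ot.example", -400 * day, -1 * day, 4},        // expired yesterday
		{"vpn-concentrator.ot.example", -30 * day, 365 * day, 5}, // revoked after a (constructed) key compromise
	}
	revoked := map[string]bool{"5": true} // serials the CA has revoked (constructed)
	var out []Status
	for _, sp := range specs {
		leaf, _, err := issue(sp.cn, now.Add(sp.start), now.Add(sp.end), sp.serial, ca, caKey)
		if err != nil {
			return nil, err
		}
		out = append(out, check(leaf, roots, revoked, now, 30*day))
	}
	return out, nil
}

func main() {
	statuses, err := runInventory(time.Now())
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-30s valid=%-5t renew=%-5t days_left=%-5d %s\n", s.Subject, s.Valid, s.NeedsRenewal, s.DaysLeft, s.Reason)
	}
}
```

In a real deployment the `revoked` map would be replaced by the CA's CRL or an OCSP query, and the inventory would be fed from the actual certificate stores on the hosts; the design point the report makes still holds: the decision about what an EMS or SCADA component does when its peer's certificate shows up as "expired" or "revoked" has to be made in the functional design, not left to whatever the TLS library does by default.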

119 NERC Attack Tree Task Force
March 4, 2014

120 Agenda
Brief review of attack trees
Process for creating attack trees
Next steps

122 Generic Model
Each BA/company has different configurations: operational, IT and physical.

123 Goals and Modeling Software
Attack Tree Task Force (ATTF) goals:
a. A fully populated set of attack trees, with meaningful data (classified and unclassified), informing key stakeholders in offsetting vulnerabilities in the North American bulk electric system.
b. Establish ownership and location of the attack trees, and document the roles and responsibilities of the data custodians.

124 Attacker Goal: Situational Awareness
[Diagram of a Balancing Authority: a collection of generation, transmission, and loads within metered boundaries maintaining load-resource balance (source: PJM NERC Primer, June 10, 2013).]

125 Attack Scenarios
Each minimal combination of leaf-level events is known as an attack scenario. [Diagram: an example tree yielding 9 attack scenarios.]

126 Behavioral Indicators
Definition: behavioral indicators describe the resources an attacker needs to expend in order to reach a particular state or node in the tree.
Behavioral indicators:
Breach of trust
Cost of attack (what, not who):
o Technical training
o Special equipment, hardware or software
o Insider knowledge
o Other
Defender error
Noticeability
Physical presence
Technical ability (who, not what)

127 Overall Process
[Flowchart.] Starting from the attacker goal: define the nodes in the tree; define the behavioral indicators (BI); define the attacker profiles (Level 1, Level 2, Level 3) and the victim profile. Analysis produces the total population of attack scenarios; reduction selects a subset of attack scenarios; pruning against each attacker profile yields the Level 1, Level 2 and Level 3 successful attack scenarios.
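The Attack Scenarios, Behavioral Indicators and Overall Process slides describe a procedure (enumerate the minimal leaf combinations, attach indicators to the leaves, prune against attacker profiles) without showing it. The Go program below is an added illustration of that procedure; it is not the task force's trees, data or modeling software. The tree, the leaf steps, the indicator values and the three profile capability levels are all constructed for the example, and only three indicators are modelled (cost of attack, technical ability and physical presence), not noticeability, defender error or breach of trust.

```go
package main

import "fmt"

// Indicators are a leaf event's behavioral indicators: attacker cost and technical
// ability, each on a 1 (low) to 3 (high) scale, and whether the step needs physical presence.
type Indicators struct {
	Cost, Tech int
	Physical   bool
}

// Node is an attack-tree node: a leaf event (no children) carrying Ind, or an "AND"/"OR" of children.
type Node struct {
	Name, Op string
	Children []*Node
	Ind      Indicators
}

func (n *Node) String() string { return "<" + n.Name + ">" }

// Scenario is one minimal combination of leaf events that achieves the root goal.
type Scenario []*Node

// scenarios enumerates attack scenarios: an OR node yields the union of its children's
// scenarios, an AND node their cross product. No leaf is shared between branches, so
// every combination produced is minimal.
func scenarios(n *Node) []Scenario {
	if len(n.Children) == 0 {
		return []Scenario{{n}}
	}
	if n.Op == "OR" {
		var out []Scenario
		for _, c := range n.Children {
			out = append(out, scenarios(c)...)
		}
		return out
	}
	out := []Scenario{{}} // AND: start from the empty prefix and extend it per child
	for _, c := range n.Children {
		var next []Scenario
		for _, prefix := range out {
			for _, s := range scenarios(c) {
				next = append(next, append(append(Scenario{}, prefix...), s...))
			}
		}
		out = next
	}
	return out
}

// Profile is an attacker profile used for pruning: the hardest step the attacker can
// perform, the total cost they will bear, and whether they can put someone on site.
type Profile struct {
	Name            string
	MaxTech, Budget int
	OnSite          bool
}

// prune keeps the scenarios profile p could carry out (its "successful" set): every leaf
// must be within reach technically and physically, and the summed cost within budget.
func prune(all []Scenario, p Profile) (kept []Scenario) {
scenario:
	for _, s := range all {
		cost := 0
		for _, l := range s {
			if l.Ind.Tech > p.MaxTech || (l.Ind.Physical && !p.OnSite) {
				continue scenario
			}
			cost += l.Ind.Cost
		}
		if cost <= p.Budget {
			kept = append(kept, s)
		}
	}
	return kept
}

func leaf(name string, ind Indicators) *Node { return &Node{Name: name, Ind: ind} }

// buildTree is a small constructed tree for the goal "degrade a Balancing Authority's
// situational awareness"; the steps and indicator values are illustrative only.
func buildTree() *Node {
	return &Node{Name: "Degrade BA situational awareness", Op: "OR", Children: []*Node{
		{Name: "Disrupt telemetry into the EMS", Op: "AND", Children: []*Node{
			{Name: "Reach the control network", Op: "OR", Children: []*Node{
				leaf("Phish an operator workstation", Indicators{Cost: 1, Tech: 2}),
				leaf("Abuse a vendor remote-access account", Indicators{Cost: 1, Tech: 1}),
				leaf("Tap a substation LAN on site", Indicators{Cost: 2, Tech: 2, Physical: true}),
			}},
			leaf("Spoof or block ICCP/DNP3 traffic", Indicators{Cost: 2, Tech: 3}),
		}},
	}}
}

// profiles are the three attacker levels of the task force process (constructed capability values).
var profiles = []Profile{
	{"Level 1: opportunistic outsider", 1, 2, false},
	{"Level 2: organised criminal group", 3, 3, false},
	{"Level 3: state-sponsored team", 3, 10, true},
}

func main() {
	all := scenarios(buildTree())
	fmt.Printf("%d attack scenarios in total\n", len(all))
	for _, p := range profiles {
		fmt.Printf("%s: %v\n", p.Name, prune(all, p))
	}
}
```

With these values the tree has three scenarios; the Level 1 profile can execute none of them (every path needs the Tech 3 protocol step), Level 2 keeps the two remote paths, and Level 3 keeps all three including the on-site tap. That is the shape of the "Level N successful attack scenarios" output in the process diagram, and it also shows the slide's caveat about the scores: which steps appear in the surviving scenarios matters more than the numbers attached to them.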

128 Next Steps
Incorporate mitigations to reflect the protections required by regulations (e.g. CIP, EOP, PRC, etc.) and re-evaluate the findings.
Use the trees for educational purposes:
Demonstrate the link between OT, IT and security
The scores are not as important as understanding the content of the trees; place less emphasis on the attacker profiles
Demonstrate interdependencies between systems
Wider review of the trees:
The team was purposely kept small to create the trees
o Difficulty in grasping the breadth of the assignment and in seeing all of the trees via WebEx / conference call
More involvement is needed to expand

129 Questions

130 Cyber Security Sub-cmte Progress Report Marc Child, Chair

131 CIPC Committee Structure
CIPC Executive Committee
Subcommittees: Physical Security (David Grubbs), Cyber Security (Marc Child), Operating Security (Carl Eng), Policy (Nathan Mitchell)
Working groups and task forces: Physical Security WG (Ross Johnson), Control System Security WG (vacant), ES Information Sharing TF (Stephen Diebold), BES Security Metrics WG (James Sample), Physical Security Guidelines WG (John Breckenridge), Cyber Attack Tree TF (Mark Engels), Grid Exercise WG (Tim Conway), Personnel Security Clearance TF (Nathan Mitchell), Security Training WG (William Whitney), Cyber Security Analysis WG (Eric Warakomski), Compliance & Enforcement Input WG (Paul Crist)

132 CAP HILF TF Recommendations
1. Geomagnetic Disturbance Task Force
a. Work product: Interim Report: Effects of Geomagnetic Disturbances on the Bulk Power System
b. No CIPC Cyber Security Subcommittee items
2. Spare Equipment Database Task Force
a. Work product: Spare Equipment Database report
b. No CIPC Cyber Security Subcommittee items
3. Severe Impact Resilience Task Force
a. Work product: Severe Impact Resilience: Considerations and Recommendations
b. No CIPC Cyber Security Subcommittee items
4. Cyber Attack Task Force
a. Work product: Cyber Attack Task Force Final Report
b. Item 15: Continue developing the attack tree methodology
c. Item 16: Continue to develop security and operations staff skills to address increasingly sophisticated cyber threats
d. Item 17: Augment operator training with cyber attack scenarios

133 NERC Attack Tree Task Force March 2014

134 Cyber Security Subcommittee Cyber Security Events Analysis WG Chair: Eric Warakomski

135 Cyber Security Events Analysis WG (Chair: Eric Warakomski)
1. Latest activities
a. Requested volunteers for the Chair position (Vice Chair & Co-Chair)
b. Continued work with the CSAWG section of the ES-ISAC portal
c. Continued to encourage members to pursue DHS/DOE clearance
d. Continued assessment for the creation of the events analysis process document, drawing on:
EAS - Events Analysis Process
NIST - Computer Security Incident Handling Guide
DOE - Cybersecurity Risk Management Process Guideline
DOE/DHS - Electricity Subsector Cybersecurity Capability Maturity Model

136 Cyber Security Events Analysis WG
2. Next steps
a. Obtain a Chair for the working group
b. Continue to liaise with the ES-ISAC, EAS & CSTWG
c. Begin scheduling quarterly calls, e-mails or portal postings with liaisons
d. Continue to develop priorities and establish work plans:
i. Research and recommend activities to improve the security of Bulk Electric System facilities;
ii. Develop expertise to liaise and coordinate with the Events Analysis WG;
iii. Develop procedures for evaluating malicious events while maintaining entity security; and
iv. Work with the CIP Training WG to assist in developing training products that are relevant to current threat tactics and techniques.
e. Creation of, and approval for, the cyber events analysis process document

137 Cyber Security Subcommittee: Control Systems Security WG, RISC Report & Discussion
Chair: <vacant>

138 CSSWG Status
Completed activities in March 2013
Looking for next formal assignments
Chair & Vice-Chair positions are open

139 CSSWG: NERC RISC Committee Project
Cyber nomination received by RISC
Vendor suggesting changes to CIP v5: encryption and digital key management
Asked of CSSWG: vet and report

140 CSSWG Basis
Encryption is good
Grid is at risk if keys aren't managed properly
CIP version 5 does not prescribe encryption

141 CSSWG Findings
FERC NOPR asked for feedback on encryption
Vendor comments were supportive
Industry comments were not supportive
Order 791 did not include prescriptive requirements

142 CSSWG Findings
EAWG: there have been no EMS outages
Vendor is correct in that poor implementations introduce reliability risk
CIPC provides useful technical guidance outside the CIP regulations

143 CSSWG Recommendations
CIPC EC should consider a guideline for Encryption & Digital Key Management for ICS

144 Cyber Security Subcommittee Questions?

145 PSWG Update

146 Progress
Still no portal to store and share documents. We have pushed ahead in several areas:
Physical Security Roundtable Group
Physical security training requirements survey
Physical security training sessions
Contribution to DHS/NRCan Substation Security sessions (Canada/US)
Idaho National Lab substation armor requirements
Related CEA initiatives

147 Physical Security Roundtable Group
93 members from all over the US and Canada
One-hour telecon on the first Thursday of every month
E-mail list for dissemination of information
Increasing engagement and discussion
Three monthly teleconferences so far:
Copper theft prevention
Insider threat programs; use of armed guards at critical substations
Use of high-security fencing and fence-line intrusion detection systems

148 Physical Security Training Requirements Survey
Includes a comprehensive list of the security issues we typically run into in the electricity sector
Will be used to determine priorities for training sessions and PSRG agenda items
Was released two weeks ago; if you haven't filled it out yet, please do so

149 Training
Webinar on physical security management scheduled for April
Arranging a presentation on an advanced laser detection system for the CIPC training session in Orlando in June
Webinar on an active shooter scenario scheduled for July

150 DHS/NR Canada Substation Security Sessions
Providing briefings on security measures to protect substations
Promoting use of the NERC Physical Security Guideline and Physical Security Response Guideline

151 Idaho National Lab Armor Requirements
Consider an informal stakeholder/advisory role for the Physical Security WG to INL on criteria and design considerations

152 CEA Initiatives
Copper Theft Policy Paper (changing the laws)
CANUS Cross-Border Mutual Aid Protocol
CSO & Security Director's Skills & Experience Sheet
Security Skills & Experience Matrix
Common IT/Physical Security Incident Reporting System

153 Security Training WG Progress Report William Whitney III, Chair David Godfrey, Vice Chair

154 Security Training WG 1. Charter a. CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as, educational outreach opportunities. 2. Latest Activities a. Conference calls to discuss goals and actions 2 nd Friday each month b. Working on HILF recommendation to raise operator awareness about cyber attacks on the grid. c. Preparing list for monthly webinars provided to the industry d. Continuing to compile a list of free training resources available to entities e. Current members Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, and William Whitney III. 2 RELIABILITY ACCOUNTABILITY

155 Security Training WG 1. STWG & PSWG Team Up for Physical Security Success a. Physical Security Program Panel Webinar b. Ross Johnson (Capital Power), David Godfrey (TMPA), John Breckenridge (KCPL), Stan Partlow, and Mike Peterson (PG&E) c. The panelist will give the participants a brief overview of their physical security program, experiences, successes, and failures. Then the panel will open up for questions from the participants and will give either their direct experience responses or maybe something from their friend who has had the experience you are inquiring about. d. April 16, PM EST 3 RELIABILITY ACCOUNTABILITY

156 Security Training WG
1. STWG & PSWG Team Up for Success in April
   a. April 16 - Physical Security Programs Panel Webinar
   b. May - National Labs Physical Security Risk vs Protection/Costs Webinar
   c. June - Orlando Pre-CIPC BC Hydro presentation on laser intrusion detection
   d. July - Active Shooter webinar with Danny O. Coulson
   e. August - TBD
   f. September - Vancouver Train the Trainer: Preparation for a Cyber Event
   g. October - TBD
   h. November - TBD
   i. December - TBD

157 Security Training WG
July Active Shooter Webinar

158 Security Training WG
1. Training Links
   a. TEEX -
   b. DHS -
   c. DOD -
Have a link for free, quality training? Please share it with us to add to the list.

159 Security Training WG
4. Next Steps
   a. Continue to expand the list of free on-demand training from reputable agencies and vendors
   b. Schedule and prepare future Pre-CIPC training sessions and webinars
   c. Work with vendors and/or individuals in the industry to provide specific training to the industry
      a. This means you and/or your co-workers who have information to share with the industry
   d. Continue work with SOS to compile operator training with cyber attack scenarios per the HILF recommendations
5. CIPC Actions
   a. Concerns and/or suggestions for today's discussion

160 Questions?

161 Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems
Energy Sector Control Systems Working Group
Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas Sector Coordinating Council, and Government Coordinating Council for Energy
Ed Goff, CISSP, Duke Energy
March 5, 2014

162 Development Approach
Provided open, transparent, and formal public review cycles
Engaged energy sector stakeholders from the acquirer, integrator, and supplier communities
Built on the Department of Homeland Security Cyber Security Procurement Language for Control Systems (DHS, 2009) to tailor guidance to the specific needs of the energy sector
Addressed baseline cybersecurity requirements (not all-inclusive)
Updated language to address technological advancements
Laser-focused on procurement language
Focused on what to do, not how to do it
Minimized redundancies
Reviewed other existing documents and approaches to understand how they complement each other, as well as to identify gaps or opportunities to address unique energy sector challenges

163 What Is Different?
The new draft document is 20% the size of the original DHS (2009) document
Redundancy is minimized
Near-identical requirements that were presented in multiple sections are reduced
Technical approaches are modernized
Explanations of specific technologies have been removed
Accounts for the differences in acquiring components and energy delivery systems vs.

164 Status
308 specific comments from 23 entities during two public comment periods
Commenter categories (chart): Utility, Vendor, Consultant/Other, Government, Standards Body, Public/Private WG
Some feedback will be tracked for future revisions
Final review and edit will be performed in March
Final product will be released March 28th

165 Project Timeline (Gantt chart with a month axis running Feb through the following Mar), with phases: Gap Analysis; Data Collection & Synthesis; Draft PL Document & Internal Review; Stakeholder Outreach; Collect and Review Stakeholder Comments; Prepare Final PL Doc

166 Next Steps
Planning communication and rollout
Context-based: supplier, acquirer, & integrator
Point of contact for questions
Long-term maintenance plan for this product
Future Phase:
Expand on implementation guidance
Coordinate with stakeholder groups to align with other existing methodologies, standards, and practices

167 Questions?
Ed Goff
For more information visit: bersecurity-procurement-language-for-energy-delivery- Systems.aspx

168 NATF Security Practices Group Activity Update
Wayne VanOsdol, NATF Program Manager - Practices
NERC CIPC Meeting, March 4-5, 2014

169 Discussion Topics
CIP V5 Implementation Activities
Physical Security Work Group Activities

170 CIP-002 V5 Implementation Guide Project

171 CIP-002 V5 Implementation Guidance Project
Purpose: CIP-002 V5 Practices Guide - develop a CIP-002 V5.1 Practices Guide that will provide a common understanding of terminology and approaches for defining and classifying BES Cyber Assets and the corresponding BES Cyber Systems for transmission facilities / assets.
Deliverable: CIP-002 V5.1 guide containing methodology(ies) for conducting an assessment (a framework) for identifying Cyber Assets and defining the corresponding BES Cyber Systems, including a recommended format for documenting the assessment results.
Project Status: Groundswell of support from the Security Practices Group (SPG) with numerous volunteers. Work performed via WebEx and face-to-face meetings. Two sub-teams are focusing on the standard from two perspectives: 1) Control Center combined with Back-up Control Center / Data Center / Telecom, and 2) Transmission Substations / Telecom. Currently, the SPG (the larger group) is reviewing the draft CIP-002 V5 Control Center Methodology (decision tree / flowchart) by conducting a self-assessment and providing feedback. The Substation team is also developing a draft methodology (running a bit behind the other team).

172 CIP-002 V5 Project Timeline Summary
Produce a draft Control Center and Substation Methodology (decision tree / flowchart) by March 31, improve the product(s) in April, and present a proposed final draft to the SPG at the May Workshop
May and moving forward: the project team will work with the leadership of the SPG and NATF to determine next steps
The team is fully aware of the changing environment regarding the CIP Standards and recognizes the product will need to be updated later in 2014 due to decisions identified at NERC, results from the NERC Implementation Studies, various Technical Conferences (FERC), etc.
At some point the team is interested in reviewing the product with NERC; we just need to work out the details on how to make this happen

173 CIP V5 Risk and Controls Project

174 CIP V5 Risk and Controls Project Scope
Purpose (Draft): Just getting started. Develop a guide for conducting risk assessments and for applying internal controls to the cyber and physical security reliability objectives contained in the CIP Version 5 standards.
Deliverables (Draft):
A risk assessment framework for addressing reliability risks associated with cyber and physical security in each of the following functional areas: Governance; Information Protection; Access Management; Configuration Management; Incident Response; Vulnerability Management; Logging & Monitoring
Provide sufficient guidance for Forum members of all levels of maturity with respect to security, to establish effective risk assessment methods and processes.
Guidelines for determining and implementing strong, scalable internal controls to address reliability-related security risks identified through the risk assessment process, aligned to the seven functional areas set forth above

175 Status Update
This is a joint (Compliance Practices Group and Security Practices Group) project
The draft Purpose and Deliverables are currently under review by the Security Practices and Compliance Practices Group Core Teams
Next steps:
Identify potential team members from the Compliance Practices Group and liaisons from the Security Practices Group
Establish a detailed work plan and timetable for work products

176 Physical Security Work Group
Physical Security has always been part of the Security Practices Group
Physical Security experiences (events) are discussed during the monthly WebEx meetings
However, we stood up a Physical Security Work Group with a more direct focus on physical security, in response to the attacks that occurred in 2013
The Physical Security Work Group is all about developing Superior Practices and implementing them across the NATF membership
NATF / EPRI MOU initiated in 2013
Held a joint physical security summit in August 2013
The two organizations collaborate on a continuous basis
EPRI Guest Speaker at the May Security Practices Group Workshop
EPRI R&D department is interested in a joint project pertaining to physical security
NATF 2014 Peer Review Process
Includes separate cyber and physical security components
Team includes cyber and physical security SMEs

177 Thank you! Questions?


More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018 Industry Webinar Project 2018-02 Modifications to CIP-008 Cyber Security Incident Reporting November 16, 2018 Agenda Presenters Standard Drafting Team NERC Staff - Alison Oswald Administrative Items Project

More information

Client Services Procedure Manual

Client Services Procedure Manual Procedure: 85.00 Subject: Administration and Promotion of the Health and Safety Learning Series The Health and Safety Learning Series is a program designed and delivered by staff at WorkplaceNL to increase

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics DRAFT February 19, 15 BES Security s Working Group Page 1 of 7 Chapter X Security Performance s 1 3 3 3 3 0 Background The State of Reliability 1 report noted that the NERC PAS was collaborating with the

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Testimony Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Defending Our Democracy: Building Partnerships to Protect America

More information

CIP Cyber Security Security Management Controls. Standard Development Timeline

CIP Cyber Security Security Management Controls. Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers This document is scheduled to be published in the Federal Register on 07/28/2016 and available online at http://federalregister.gov/a/2016-17854, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014 Critical Infrastructure Protection (CIP) Version 5 Revisions Standard Drafting Team Update Industry Webinar September 19, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice

More information

Implementing Cyber-Security Standards

Implementing Cyber-Security Standards Implementing Cyber-Security Standards Greg Goodrich TFIST Chair, CISSP New York Independent System Operator Northeast Power Coordinating Council General Meeting Montreal, QC November 28, 2012 Topics Critical

More information

Proposed Clean and Redline for Version 2 Implementation Plan

Proposed Clean and Redline for Version 2 Implementation Plan Exhibit A Implementation Plans for CIP-002-2 through CIP-009-2 and CIP-002-3 and CIP-009-3 For Generator Owners and Generator Operators of U.S. Nuclear Power Plants Proposed Clean and Redline for Version

More information

Critical Cyber Asset Identification Security Management Controls

Critical Cyber Asset Identification Security Management Controls Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.

More information

Cybersecurity and the Board of Directors

Cybersecurity and the Board of Directors Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education

More information

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Security Management Controls. A. Introduction CIP-003-7 - Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-7 3. Purpose: To specify consistent and sustainable security

More information

Updates to the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity

More information

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity: Services for State and Local Officials. February 2017 DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

DHS Election Task Force Updates. Geoff Hale, Elections Task Force 1 DHS Election Task Force Updates Geoff Hale, Elections Task Force Geoffrey.Hale@hq.dhs.gov ETF Updates Where we ve made progress Services EI-ISAC/ National Cyber Situational Awareness Room What we ve

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO June 27, 2016 Training provided for Ontario market participants by the Market Assessment and Compliance Division of the IESO Module 1 A MACD training presentation

More information

History of NERC January 2018

History of NERC January 2018 History of NERC January 2018 Date 1962 1963 The electricity industry created an informal, voluntary organization of operating personnel to facilitate coordination of the bulk power system in the United

More information

September 2010 Version 0.9

September 2010 Version 0.9 TERMS OF REFERENCE September 2010 Version 0.9 Table of Contents Section 1. Purpose... 1 Section 2. Background... 1 Section 3. Scope... 2 Goals and Objectives... 2 Project Deliverables... 3 Deliverables

More information

ISAO SO Product Outline

ISAO SO Product Outline Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing

More information

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems A. Introduction 1. Title: Cyber Security Recovery Plans for BES Cyber Systems 2. Number: CIP-009-6 3. Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

REPORT 2015/149 INTERNAL AUDIT DIVISION

REPORT 2015/149 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results

More information