Cyber and Physical Security: An Integrated Approach Tim Rigg Managing Director, Enterprise Protective Services

Size: px
Start display at page:

Download "Cyber and Physical Security: An Integrated Approach Tim Rigg Managing Director, Enterprise Protective Services"

Transcription

1 A Cultural Petri Dish Cyber and Physical Security: An Integrated Approach Tim Rigg Managing Director, Enterprise Protective Services 2012 NERC Grid Security Conference San Diego, CA October 16-18, 2012

2 Overview Introduction to New Duke EPS Scope and High level Organization EPS Regulatory Compliance Organization Organizational Skills and Controls Integration CIP Standards The Game Changer Cyber Controls Mandate Cyber Security Incident Response Past NERC CIP Cyber/Physical Integration What s Next? Q&A 2

3 The New Duke The New Duke Number of employees = 29,000+ Generating Capacity = 49,600 MW Transmission Lines = 32,000 Miles Distribution Lines = 250,200 miles Size of Service Territory = 104,000 sq miles Total Customers: 7.1 million 3

4 Enterprise Protective Services (EPS) Scope Reports to Vice President of Administrative Services and HR Executive VP Enterprise responsibilities include: Non-Nuclear Physical Security Field Operations/Investigations Executive Protection Emergency Preparedness and Business Continuity Regulatory Compliance (Physical/Cyber) Infrastructure Support (Technical Systems) Field Operations organized by Region Midwest, Carolinas West, Carolinas East, Florida 4

5 EPS Compliance Organization Managing Director EPS Director Security Ops Security Analyst Director Preparedness Director Security Risk & Compliance Director Infrastructure Protection Exec Protection Managers Midwest Manager BC/CM Manager Midwest NERC/FERC Compliance Program Mgr Mgr PACS/Security Sys & Console Ops Duke Carolina s Manager PE Carolina s Manager BC/CM Manager Charlotte BC/CM Manager St. Pete NERC/FERC Compliance Analysts NERC Project Manager System Admins (6) PSIM Technology Program Mgr 24/7 Contract Security (25) Florida Manager Security Coordinators MARSEC Compliance Spec FERC Dam Coordinator Contract Security BC/CM Planners (2) Matrixed BU Planners (130) DHS Compliance Program Mgr DHS Compliance Analysts PACS System Design & Security Tech Projects (2) Pre-employment BI s/nerc CIP PRA s -2 5

6 Organizational Skills and Cyber/Physical Controls Integration Director of Security Risk and Compliance has IT and Audit background, NERC CIP background back to pre-cip Compliance Program Manager has strong industry compliance program development for CIP, CFATS, etc. Compliance Analysts include former IT Auditors Speak the same language, understand cyber controls, can be taught physical controls by seasoned security personnel Mix of skills to tackle any NERC CIP issue, no misunderstandings with IT gurus Dedicated PACS Regulatory System Admin has strong CIP compliance experience 6

7 The Game Changer Critical Infrastructure Protection (CIP) Standards 002 through 009 is a game changer for most physical security centric organizations CIP Standards focused primarily on cyber security with key physical security ties such as: Establishing physical security perimeters to protect critical cyber assets Cyber security controls targeted at Physical Access Control Systems Physical security systems maintenance and testing programs Responsibilities associated with cyber security incident response 7

8 Cyber Controls Mandate CIP R2 (specifically R2.2) require EPS organizations to get in the cyber security game for automated Physical Access Control Systems (PACS) they support and use Methodology for classification of PACS cyber assets Application of cyber security controls around these asset types Ports & Services Security Patch Management Malicious Software Prevention Account Management Security Status Monitoring Cyber Vulnerability Assessments These are foreign concepts to most Physical Security practitioners! 8

9 Cyber Security Incident Response CIP requires Entities to maintain a Cyber Security Incident Response Plan IT Security owns the plan EPS has shared responsibility along with other business units for notification of potential reportable cyber security incidents to the Computer Incident Reponses Team (CIRT) Commander NERC-CIP Reportable Cyber Security Incident Guidelines provide details on reportable cyber security incidents Current plan includes EPS notification to CIRT Commander in the event a PSP was breached or believed to be breached IT Security works with ECCs for reporting requirements to ES-ISAC 9

10 Past NERC CIP Cyber/Physical Integration Issues Historically physical security had not focused on cyber security controls around physical access control systems Dependent on immature NERC CIP compliance programs in Corporate IT Failures due to communication and involvement How should standards be applied to PACS cyber assets? Confusion around the spaghetti requirements Poor assumptions were made as to who was responsible (IT or EPS) for what requirement which resulted in Self Reports (SFs) Physical Security professionals do not normally speak computer language with IT, and especially not the NERC CIP dialect EACMS in our ESPs were not located in our PSPs and it was a SF that turned into a PV and OEA. (Translation There was a screw-up! ) 10

11 So when considering your options. Don t think of this Think of this: 11

12 What s Next? Continue staffing EPS organization with appropriate skills sets needed to navigate through existing standards and future versions of the standards Stand up an EPS Compliance Program that is best in class and sustainable through a dynamic changing regulatory landscape Continue educating the industry on the importance of integrating physical and cyber security CIP is a game changer for physical security organizations 12

13 Questions? 13

NERC Staff Organization Chart

NERC Staff Organization Chart NERC Staff Organization Chart President and CEO Administrative Associate Director to the Office of the CEO Associate Director, Member Relations and MRC Secretary Senior Vice President and Chief Reliability

More information

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security. Interactive Remote Access Compliance Workshop October 27, 2016 Eric Weston Compliance Auditor Cyber Security 2 Agenda Interactive Remote Access Overview Review of Use Cases and Strategy 1 Interactive Remote

More information

NERC Staff Organization Chart Budget

NERC Staff Organization Chart Budget NERC Staff Organization Chart 2013 2014 President and CEO (Dept. 2100) Executive Assistant (Dept. 2100) Senior Vice President and Chief Operating Officer (Dept. 2100) Senior Vice President General Counsel

More information

NERC Staff Organization Chart 2015 Budget

NERC Staff Organization Chart 2015 Budget NERC Staff Organization Chart President and CEO (Dept. 2100) Executive Assistant (Dept. 2100) Associate Director, Member Relations and MRC Secretary (Dept. 2100) Senior Vice President and Chief Reliability

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment Unofficial Comment Form Project 2016-02 Modifications to CIP Standards Virtualization in the CIP Environment Do not use this form for submitting comments. Use the electronic form to submit comments on

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

NERC Staff Organization Chart Budget 2017

NERC Staff Organization Chart Budget 2017 NERC Staff Organization Chart Budget 2017 President and CEO Administrative Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel

More information

CIP Version 5 Evidence Request User Guide

CIP Version 5 Evidence Request User Guide CIP Version 5 Evidence Request User Guide Version 1.0 December 15, 2015 NERC Report Title Report Date I Table of Contents Preface... iv Introduction... v Purpose... v Evidence Request Flow... v Sampling...

More information

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP V5 Updates Midwest Energy Association Electrical Operations Conference CIP V5 Updates Midwest Energy Association Electrical Operations Conference May 2015 Bob Yates, CISSP, MBA Principal Technical Auditor ReliabilityFirst Corporation Agenda Cyber Security Standards Version

More information

Grid Security & NERC

Grid Security & NERC Grid Security & NERC Janet Sena, Senior Vice President, Policy and External Affairs Southern States Energy Board 2017 Associate Members Winter Meeting February 27, 2017 Recent NERC History Energy Policy

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

CIP V5 Implementation Study SMUD s Experience

CIP V5 Implementation Study SMUD s Experience CIP V5 Implementation Study SMUD s Experience Tim Kelley October 16, 2014 Powering forward. Together. SMUD Fast Facts General Information SMUD employs approximately 2,000 individuals Service area of 900

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

Low Impact Generation CIP Compliance. Ryan Walter

Low Impact Generation CIP Compliance. Ryan Walter Low Impact Generation CIP Compliance Ryan Walter Agenda Entity Overview NERC CIP Introduction CIP-002-5.1, Asset Classification What Should Already be Done CIP-003-7, Low Impact Requirements Tri-State

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-4a 3. Purpose: Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for

More information

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks NERC Standard Requirement Requirement Text Measures ConsoleWorks

More information

Welcome to the webinar! We will start within a few minutes

Welcome to the webinar! We will start within a few minutes Welcome to the webinar! We will start within a few minutes Agenda Introduction Solarplaza Presentations Threat assessment - Tom Tansy SunSpec Alliance Cyber Security & Solar A consultant s view - John

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-1 3. Purpose: Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

NERC Staff Organization Chart Budget 2018

NERC Staff Organization Chart Budget 2018 NERC Staff Organization Chart Budget 2018 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel and Corporate

More information

Disaster Recovery and Business Continuity Planning (Mile2)

Disaster Recovery and Business Continuity Planning (Mile2) Disaster Recovery and Business Continuity Planning (Mile2) Course Number: DRBCP Length: 4 Day(s) Certification Exam This course will help you prepare for the following exams: ABCP: Associate Business Continuity

More information

NERC Staff Organization Chart Budget 2017

NERC Staff Organization Chart Budget 2017 NERC Staff Organization Chart Budget 2017 President and CEO Administrative Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Summary of FERC Order No. 791

Summary of FERC Order No. 791 Summary of FERC Order No. 791 On November 22, 2013, the Federal Energy Regulatory Commission ( FERC or Commission ) issued Order No. 791 adopting a rule that approved Version 5 of the Critical Infrastructure

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Access Control and CIP 10/20/2011

Access Control and CIP 10/20/2011 Access Control and CIP 10/20/2011 Agenda Access Control Requirements Impact on Entities Risk Discussion Response Discussion Future pursuit 2 RELIABILITY ACCOUNTABILITY Let s Talk CIP 3 RELIABILITY ACCOUNTABILITY

More information

Critical Infrastructure Protection Version 5

Critical Infrastructure Protection Version 5 Critical Infrastructure Protection Version 5 Tobias Whitney, Senior CIP Manager, Grid Assurance, NERC Compliance Committee Open Meeting August 9, 2017 Agenda Critical Infrastructure Protection (CIP) Standards

More information

Peter J. Buerling Director, Records & Information Compliance. ReliabilityFirst Workshop April 15, 2016

Peter J. Buerling Director, Records & Information Compliance. ReliabilityFirst Workshop April 15, 2016 Peter J. Buerling Director, Records & Information Compliance April 15, 2016 Opening Comments Presentation Topic Disclaimer Presentation Support Introductions Mark Koziel Consultant, CIP Compliance Don

More information

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NARUC Energy Regulatory Partnership Program The Public Services Regulatory Commission of Armenia and The Iowa Utilities Board Janet Amick Senior Utility

More information

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-4a 3. Purpose: Standard CIP-005-4a requires the identification and protection of the Electronic Security Perimeter(s)

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-1 3. Purpose: Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s)

More information

NERC Staff Organization Chart Budget 2019

NERC Staff Organization Chart Budget 2019 NERC Staff Organization Chart Budget 2019 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel and Corporate

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Security Management Controls. A. Introduction CIP-003-7 - Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-7 3. Purpose: To specify consistent and sustainable security

More information

Standard CIP Cyber Security Incident Reporting and Response Planning

Standard CIP Cyber Security Incident Reporting and Response Planning A. Introduction 1. Title: Cyber Security Incident Reporting and Response Planning 2. Number: CIP-008-4 3. Purpose: Standard CIP-008-4 ensures the identification, classification, response, and reporting

More information

NERC Staff Organization Chart Budget 2019

NERC Staff Organization Chart Budget 2019 NERC Staff Organization Chart Budget 2019 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Officer Senior Vice President, General Counsel and Corporate

More information

Threat and Vulnerability Assessment Tool

Threat and Vulnerability Assessment Tool TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...

More information

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012 Cyber Security Update Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012 Agenda Timeline Regulatory / Compliance Environment Smart Grid Threats

More information

IT Vulnerabilities: What an IT Auditor Should be Thinking About

IT Vulnerabilities: What an IT Auditor Should be Thinking About IT Vulnerabilities: What an IT Auditor Should be Thinking About Evolving in a Changing Landscape OCTOBER 23-25 HOTEL NIKKO - SF Agenda 1. About the Speaker 2. IT Vulnerability: The Term Defined 3. Identification

More information

Rich Powell Director, CIP Compliance JEA

Rich Powell Director, CIP Compliance JEA Rich Powell Director, CIP Compliance JEA Review access control requirements CIP-003 and CIP-007 Discuss compliance considerations Implementation Strategies Hints/Tips for audit presentation Account Control

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

CIP Cyber Security Information Protection

CIP Cyber Security Information Protection A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-2 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements

More information

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016 Grid Security & NERC Council of State Governments The Future of American Electricity Policy Academy Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016 1965 Northeast blackout

More information

Securing the Grid and Your Critical Utility Functions. April 24, 2017

Securing the Grid and Your Critical Utility Functions. April 24, 2017 Securing the Grid and Your Critical Utility Functions April 24, 2017 1 Securing the Grid Effectively and Efficiently Recent threats to the Electric Grid and the importance of security Standards and Requirements

More information

Implementing Cyber-Security Standards

Implementing Cyber-Security Standards Implementing Cyber-Security Standards Greg Goodrich TFIST Chair, CISSP New York Independent System Operator Northeast Power Coordinating Council General Meeting Montreal, QC November 28, 2012 Topics Critical

More information

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Cyber Security and Inside Threats: Turning Policies into Practices Presented by Ingrid Fredeen and Pamela Passman Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Presented By Ingrid Fredeen, J.D.

More information

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities Critical Asset Identification Methodology William E. McEvoy Northeast Utilities Disclaimer This NPCC TFIST workshop provides a forum for the presentation and discussion of member experience in the implementation

More information

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018 Industry Webinar Project 2018-02 Modifications to CIP-008 Cyber Security Incident Reporting November 16, 2018 Agenda Presenters Standard Drafting Team NERC Staff - Alison Oswald Administrative Items Project

More information

Standard Development Timeline

Standard Development Timeline CIP-003-67(i) - Cyber Security Security Management Controls Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards Violation Risk Factor and Violation Severity Level Justifications Project 2016-02 Modifications to CIP Standards This document provides the standard drafting team s (SDT s) justification for assignment

More information

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables

More information

Analysis of CIP-006 and CIP-007 Violations

Analysis of CIP-006 and CIP-007 Violations Electric Reliability Organization (ERO) Compliance Analysis Report Reliability Standard CIP-006 Physical Security of Critical Cyber Assets Reliability Standard CIP-007 Systems Security Management December

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

Cyber Security Standards Drafting Team Update

Cyber Security Standards Drafting Team Update Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-5.1 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals

More information

Critical Cyber Asset Identification Security Management Controls

Critical Cyber Asset Identification Security Management Controls Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Cybersecurity for the Electric Grid

Cybersecurity for the Electric Grid Cybersecurity for the Electric Grid Electric System Regulation, CIP and the Evolution of Transition to a Secure State A presentation for the National Association of Regulatory Utility Commissioners March

More information

FDIC InTREx What Documentation Are You Expected to Have?

FDIC InTREx What Documentation Are You Expected to Have? FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the

More information

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra CIP-014 JEA Compliance Approach FRCC Fall Compliance Workshop Presenter Daniel Mishra Acronyms & Terminologies DHS Department of Homeland Security JEA It s not an acronym JSO Jacksonville Sheriff's Office

More information

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014

Technical Questions and Answers CIP Version 5 Standards Version: June 13, 2014 Technical s and s CIP Version 5 Standards Version: June 13, 2014 This document is designed to convey lessons learned from NERC s various activities. It is not intended to establish new requirements under

More information

FERC Hydroproject Cyber Security [FERC 3A Section 9 versus CIP v5]

FERC Hydroproject Cyber Security [FERC 3A Section 9 versus CIP v5] FERC Hydroproject Cyber Security [FERC 3A Section 9 versus CIP v5] Presentation Goals Provide a clear distinction between the intent of FERC cyber security and NERC CIP cyber security Discuss opportunities

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Cyber Security Incident Reporting Reliability Standards Docket Nos. RM18-2-000 AD17-9-000 COMMENTS OF THE AMERICAN PUBLIC POWER

More information

REQUEST FOR EXPRESSIONS OF INTEREST

REQUEST FOR EXPRESSIONS OF INTEREST REQUEST FOR EXPRESSIONS OF INTEREST (CONSULTING SERVICES FIRMS SELECTION) Country : INDIA Project : FINANCING PUBLIC PRIVATE PARTNERSHIP THROUGH SUPPORT TO THE INDIA INFRASTRUCTURE FINANCE COMPANY LIMITED

More information

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018. Critical Infrastructure Protection Getting Low with a Touch of Medium Title CanWEA Operations and Maintenance Summit 2018 January 30, 2018 George E. Brown Compliance Manager Acciona Wind Energy Canada

More information

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance

More information

Scope Cyber Attack Task Force (CATF)

Scope Cyber Attack Task Force (CATF) Scope Cyber Attack Task Force (CATF) PART A: Required for Committee Approval Purpose This document defines the scope, objectives, organization, deliverables, and overall approach for the Cyber Attack Task

More information

Comprehensive Mitigation

Comprehensive Mitigation Comprehensive Mitigation Jenny Anderson Compliance Engineer - CIP janderson.re@spp.org 501.614.3299 July 25, 2013 Goals and Benefits of Mitigation Mitigation should lessen the risk of unintended consequences

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

COURSE BROCHURE CISA TRAINING

COURSE BROCHURE CISA TRAINING COURSE BROCHURE CISA TRAINING What is CISA? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual within

More information

EHS Steering Team Meting, 2008

EHS Steering Team Meting, 2008 EHS Steering Team Meting t, 2008 Duke Energy Fast Facts Duke Energy Corporation is an energy company headquartered in Charlotte, N.C. Its Regulated Utilities business unit serves 7.3 million retail electric

More information

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure

More information

Cyber Security Supply Chain Risk Management

Cyber Security Supply Chain Risk Management Cyber Security Supply Chain Risk Management JoAnn Murphy, SDT Vice Chair, PJM Interconnection May 31, 2017 FERC Order No. 829 [the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA,

More information

THE TRIPWIRE NERC SOLUTION SUITE

THE TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED BUSINESS INTELLIGENCE SOLUTION BRIEF THE TRIPWIRE NERC SOLUTION SUITE A TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 CIP-006-6 Cyber Security Physical Security of BES Cyber Systems This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity:

More information

NERC-Led Technical Conferences

NERC-Led Technical Conferences NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines

More information

Certified Information Security Manager (CISM) Course Overview

Certified Information Security Manager (CISM) Course Overview Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

How to get the Enterprise to Understand the Value of Security

How to get the Enterprise to Understand the Value of Security PART 1 of 2 Insight into Security Leader Success How to get the Enterprise to Understand the Value of Security A SEC Research Finding Intended Audience This presentation is intended for security leaders

More information

DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017

DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017 DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017 1 Introduction The Critical Infrastructure Protection Committee (CIPC)

More information

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security LTI Security Intelligent & integrated Approach to Cyber & Digital Security Overview As businesses are expanding globally into new territories, propelled and steered by digital disruption and technological

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Reliability Standards Development Plan

Reliability Standards Development Plan Reliability Standards Development Plan Steven Noess, Director of Standards Development Standards Oversight and Technology Committee Meeting November 1, 2016 2017-2019 Reliability Standards Development

More information

2015 General Rate Case

2015 General Rate Case Application No.: Exhibit No.: Witness: A.13-11-003 SCE-07, Vol. 04 D. Daigler C. Miller (U 338-E) 2015 General Rate Case ERRATA Safety, Security, & Compliance (SS&C) Volume 4 Corporate Security and Business

More information

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Physical Security of BES Cyber Systems A. Introduction 1. Title: Cyber Security Physical Security of BES Cyber Systems 2. Number: CIP-006-5 3. Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

Position Description IT Auditor

Position Description IT Auditor Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership

More information

FUNDAMENTALS OF CYBER SECURITY FOR UTILITIES

FUNDAMENTALS OF CYBER SECURITY FOR UTILITIES COURSE FUNDAMENTALS OF CYBER SECURITY FOR UTILITIES November 13-14, 2018 EUCI Conference Center Denver, CO Furthered my learning regarding cyber security initiatives. Director, CPS Energy RELATED EVENT:

More information