Critical Infrastructure Protection Committee Meeting

Transcription

1 Critical Infrastructure Protection Committee Meeting September 15-16, 2015 New Orleans, LA *All presentations are posted with the written consent of the presenters.

2 Agenda Item 2 Critical Infrastructure Protection Committee JW Marriott New Orleans September 15-16, 2015

3 Safety and Security JW Marriott New Orleans Staff will inform the CIPC concerning Fire and Evacuation Procedures for your safety 2

4 CIPC Voting Members and Attendees Wireless Access Network: JWMarriott_CONF Password: NERC Please sign and pass the Attendance Sheets 3

5 Securing our Assets Over 55,000 Substations over 100Kv 4

6 Antitrust Guidelines 5

7 Membership Expectations Our CIPC Charter Section 3 states the following "Voting members of the CIPC are expected to: Bring subject matter expertise to the CIPC; Be knowledgeable about physical and cyber security practices and challenges in the electricity sector; Attend and participate in all CIPC meetings; Express their own opinions at committee meetings but also represent the interests of their Regions; Discuss and debate interests rather than positions; Complete assigned Committee, Task Force, and Working Group assignments; Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance. 6

8 Conduct of the Meeting Parliamentary Procedures: In the absence of specific provisions in NERC s Rules of Procedure, all committee meetings shall be conducted in accordance with the most recent edition of Robert s Rules of Order, Newly Revised in all cases to which they are applicable. 7

9 Critical Infrastructure Protection Committee Executive Committee David Revill, NRECA Chuck Abell, Chair, Ameren Melanie Seader, EEI David Grubbs, ERCOT Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSA Ross Johnson, CEA Jim Brenton, Vice Chair, ERCOT Marc Child, Great River Laura Brown, Secretary Physical Security Subcommittee (David Grubbs) Cybersecurity Subcommittee (Marc Child) Operating Security Subcommittee (Jim Brenton) Policy Subcommittee (Nathan Mitchell) Physical Security WG (Ross Johnson) Control Systems Security WG (Mikhail Falkovich) Grid Exercise WG (Tim Conway) BES Security Metrics WG (Roland Miller) Physical Security Guidelines WG (John Breckenridge) Security Training WG (William Whitney) Business Continuity Guideline TF (Darren Myers) Physical Security Standard WG (Allan Wick) Compliance and Enforcement Input WG (Paul Crist) September

10 CIPC Primary Voting Members 9 Org Name Company Discipline TRE David Grubbs Executive Committee City of Garland Operations TRE Jim Brenton, Vice Chair ERCOT Cyber TRE Darrell Klimitchek STEC Physical FRCC Paul McClay TECO Cyber FRCC Carter Manucy Fla Municipal Physical FRCC Joe Garmon Seminole Operations MRO Marc Child Executive Committee Great River Cyber MRO Paul Crist LES Physical MRO Joe Mayfield WAPA Operations NPCC John Galloway ISO-NE Operations NPCC Greg Goodrich NYISO Cyber NPCC David Cadregari Iberdrola USA Networks Physical RFC Larry Bugh RFC Cyber RFC Kent Kujala Detroit Operations RFC Jeff Fuller DPL Physical SERC Chuck Abell, Chair Ameren Operations SERC Cynthia Hill-Watson TVA Cyber SERC Bruce Martin Duke Energy Physical SPP John Breckenridge KCPL Physical SPP Allen Klassen Westar Operations SPP Eric Ervin Westar Cyber WECC Allan Wick Tri-State Physical WECC Mike Mertz PNM Cyber WECC Vacant Vacant Operations APPA Scott Smith Bryan TX Utilities Physical APPA Nathan Mitchell, Vice Chair APPA Policy CEA Francis Bradley CEA Physical CEA Ross Johnson Executive Committee Capital Power Physical CEA David Dunn IESO Policy NRECA Robert Richhart Hoosier Policy NRECA David Revill Executive Committee Georgia Trans Policy

11 Proxies Received and Quorum Thanks to all proxies attending today and serving as a proxy for your primary voting member! Proxies received for this meeting: SPP Doug Alexander representing John Breckenridge WECC Lisa Carrington representing vacancy left by Jamey Sample CEA Ron Gentle representing Francis Bradley Announcement of CIPC Quorum of Voting Members: Based on the voting members in attendance, including the proxies received, we have achieved quorum for conducting CIPC business. 10

12 CIPC Roster Changes New Voting Members NPCC David Cadregari Iberdrola USA Networks o Nomination was approved by NERC Board of Trustees CEA Francis Bradley CEA o Nomination was approved by NERC Board of Trustees Vacancies of Voting Members: WECC vacancy is due to Jamey Sample s departure from PG&E Thank you for your service to CIPC! 11

13 Schedule of Future Meetings Dates Time Type Location Hotel October 13-16, :00 a.m. 5:00 p.m. GridSecCon 2015 Philadelphia, PA Hyatt Regency Philadelphia at Penn s Landing 201 South Columbus Boulevard Philadelphia, PA (215) November 18-19, :00 a.m. 5:00 p.m. GridEx III Remote Play NA December 15, 2015 December 15, 2015 December 16, :00 a.m. Noon Noon 5:00 p.m. 8:00 a.m. - Noon DHS/DOE Energy Sector Classified Briefing (No CIPC Workshop) CIPC Meeting TBD Atlanta, GA FBI Training Room, 3 rd floor FBI Atlanta 2635 Century Parkway, N.E. Atlanta, GA Westin Buckhead Hotel 3391 Peachtree Rd N.E. Atlanta, GA (404) March 8, :00 a.m. Noon CIPC Workshop Louisville, KY TBD March 8, 2016 March 9, 2016 Noon 5:00 p.m. 8:00 a.m. - Noon CIPC Meeting Louisville, KY TBD June 7, :00 a.m. Noon CIPC Workshop Atlanta, GA June 7, 2016 June 8, 2016 Noon 5:00 p.m. 8:00 a.m. - Noon CIPC Meeting Atlanta, GA Westin Buckhead Hotel 3391 Peachtree Rd N.E. Atlanta, GA (404) Westin Buckhead Hotel 3391 Peachtree Rd N.E. Atlanta, GA (404)

14 Chair Chuck Abell s Remarks

15 14

16 Nominating Subcommittee Report Mike Mertz, Chair NERC Critical Infrastructure Protection Committee

17 Subcommittee Assignment As per the CIPC Charter (Section 8-2), the Nominating Subcommittee Chair was appointed at the June 2015 CIPC to form a subcommittee of five members to prepare a slate of candidates for election as follows: September 2015 CIPC Meeting: Chair Vice Chairs (2) December 2015 CIPC Meeting: Physical Security SME Cyber Security SME Operations SME Policy SME 2

18 Subcommittee Members The Nominating Subcommittee Members are: Mike Mertz, Chair o PNM Resources / WECC / Cyber Paul Crist o Lincoln Electric System / MRO / Physical Larry Bugh o ReliabilityFirst / RFC / Cyber Joe Mayfield o Western Area Power Administration / MRO / Operations John Breckenridge o Kansas City Power & Light / SPP / Physical 3

19 Subcommittee Meetings The Nominating Subcommittee held multiple conference calls to develop a list of candidates The nominating subcommittee members contacted all candidates to validate interest and availability to fulfill the role Nominating subcommittee finalized the ballot via 4

20 Election Process The Nominating Subcommittee presents its slate of candidates. The Secretary will open the floor for additional nominations. Upon the close of nominations, elections will be held as follows: The first ballot will be composed of the Nominating Subcommittee s slate of candidates. If the slate is approved with a 2/3 majority, the slate is elected and the election is closed. If the slate fails, subsequent paper ballots will be distributed with the names of all candidates listed in the order in which they were nominated. Each ballot will be tallied and any candidate receiving a 2/3 majority shall be deemed elected. 5

21 CIPC Nominee Slate For the Vice Chair positions, the Subcommittee nominates: David Revill o Georgia Transmission / NRECA Nathan Mitchell o American Public Power Association / APPA For the Chair position, the Subcommittee nominates: Marc Child o Great River Energy / MRO 6

22 7

23 Agenda Item 7 CIP NOPR Supply Chain Management Shamai Elstein, NERC Senior Counsel

24 FERC CIP V5 Revisions NOPR Supply Chain Management Issued July 16, 2015 Proposed directive on Supply Chain Management Develop a new or modified Reliability Standard to provide security controls for supply chain management for industrial control system hardware and software, and computing and networking services associated with [BES] operations. Cited recent malware campaigns targeting supply chain vendors. Stated NERC CIP Standards do not address supply chain risks (as opposed to NIST and DOE Guidelines). Looking for forward-looking, objective-driven standard addressing activities throughout the system development life cycle. 2

25 FERC CIP V5 Revisions NOPR Supply Chain Management continued Standard to accommodate variety in entities procurement processes, vendor relations, system requirements, IT implementation, privileged and commercial information. Stated that supply chain management standard would: o Address only the obligations of entities registered under FERC reliability rules (i.e., would not apply to vendors/suppliers). o Be forward-looking - no abrogation or renegotiation of contracts. o Set goals about what to do while allowing flexibility for how an entity achieves those goals. o Allow for exceptions given the diversity of acquisition processes. o Be specific enough so that compliance obligations are clear and enforceable. 3

26 FERC CIP V5 Revisions NOPR Supply Chain Management continued Next Steps NOPR Comments due September 21, FERC committed in NOPR to engage in outreach efforts after receipt and consideration of comments. FERC to issue Final Rule after considering comments no set timeline. If FERC Final Rule includes supply chain management directive, NERC to work with stakeholder to develop a standard within timeframe established in Final Rule, if any. 4

27 5

28 Agenda Item 8 Physical Security Reliability Standard Implementation Tobias Whitney, Manager of CIP Compliance (NERC) Carl Herron, Physical Security Leader (NERC) NERC Sub-Committee Meeting New Orleans, Louisiana

29 CIP-014 Implementation Program Implementation Readiness Clarify Compliance Expectations Increased Industry Awareness Understanding scoping and 3 rd party reliance Consistent Enforcement Support all entities in the timely, effective, and efficient implementation of CIP-014 2

30 Key Dates CIP Implementation Timeline Activity Implementation Not Later Than Days after 10/1/15 R1 Assessment Effective Date 10/1/ days R2 Verification Effective /30/ days R2.3 Address Discrepancies R /28/ days R3 Notify Control Center R2 +7 1/6/ days R4 Threat & Vulnerability Evaluation R /27/ days R5 Security Plan R /27/ days 3

31 Risk Assessment Guidance Industry must assess the loss of certain substations (R1) To start, entities must identify in-scope substations. Assess: o Transmission Facilities at 500 kv or higher o Substations exceeding the aggregate weighted value of 3000 o Substations identified by RCs, PCs or TP that are critical to IROL derivations o Essential to meeting Nuclear Plant Interface Requirements From there, various processes can be used to determine the list: o Entities may reference the NATF R1 approach o Entities may reference the method in the Guidelines and Technical Basis o Entities may use the process described in TPL R4 and R6 To be compliant, the industry must demonstrate: A transparent process that can be validated by their CEA The resulting list is commensurate with their process and BES risks 4

32 NATF Guidance February guidance memo references the North American Transmission Forum Guidance as a means to perform R1: 1. Identify stations to analyzed based on TO identifies cases/system conditions to be analyzed o summer peak vs. winter peak load levels o shoulder peak load levels with system transfers o alternative generation dispatch assumptions o alternative load models (i.e., different penetration of inductive load) 3. Define the nature of initiating event and how it will be modeled in assessment. o Event over several minutes o Instantaneous event (such as an explosion) 4. TO is responsible for documenting the criteria for instability, uncontrolled separation or Cascading, based on engineering knowledge or judgment. 5. TO performs steady-state power flow or stability analysis. 5

33 R2 3 rd Party Verification Requirement R2 mandates that an unaffiliated third-party verify the result of the risk assessment performed under Requirement R1. The third-party for Requirement R2 must be either: A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or An entity that has transmission planning or analysis experience. Pages of the Guidelines and Technical Basis section (Section 4) of the standard provides additional guidance on selecting a third-party verifier, stating that entities should consider the following characteristics: 6

34 R2 3 rd Party Verifier Characteristics Registered entity with applicable planning and reliability functions. Experience in power system studies and planning. The third-party s understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies. The third-party s familiarity with the Interconnection within which the Transmission Owner is located. 7

35 Compliance Expectations TOs must demonstrate the appropriate rigor and analysis when performing R1 and R2. Consider how the following questions can be answered: Why certain stations or substations are identified to meet the criteria in Requirement R1 Similarly, why certain stations or substations were not identified by Requirement R1 What are defining characteristics of stations and substations identified by Requirement R1 How the third party verifying the risk assessment meets the qualifications in Requirement R2 and the means the third party used to ensure effective verification 8

36 R4 Threat and Vulnerabilities Assessment Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3. Shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in R1 and verified according to R2. Unique characteristics History of security events Intelligence or Threat Warnings 9

37 NATF R4 Guidance Memo June 2015 R4 practices containing an approach, common practices and understanding evaluations of the potential vulnerabilities and threats of a physical attack of facilities. Site Specific vulnerability considerations No protection of facility (fencing, locks, or monitoring) Gaps in or lack of security mitigation(physical and human) Gaps in or lack of physical security policies and procedures, failure to enforce controls for vehicle and security equipment testing. Access control how is it granted, what is the process. 10

38 NATF - R4 Guidance memo June 2015 Physical Security evaluation checklist. (The physical security evaluation checklist is a format that can be used to provide self assessment of security program). Facility Information: address, contact numbers Executive Management, Security Management, Maintenance and First Responders Perimeter: Fence(type, height, anchored and enhancements)crash gate, lighting, surrounding area and landscape Security Systems(CCTV, Intrusion detection, fire alarms and locks & doors) Information Technology Systems and Sensitive Information storage Security and Response Plans 11

39 NATF - R4 Guidance memo June 2015 CIP-014 Questionnaire Threat Assessment List all of facility history of sabotage, vandalism, physical attack and Law Enforcement response List all historical criminal incidents to similar sites within the U. S. Threat Assessment, Intelligence Bulletins or Threat Warnings prepared by State Fusion Centers, Local Law Enforcement, DHS or FBI 12

40 NATF - R4 Guidance memo June 2015 Resiliency Measures measures already existing to prevent a physical attack Existing physical security measures to deter such as: Perimeter signage, fencing, gates, lighting, locks and security officers/roving patrols Existing physical security measures to detect such as: CCTV, Intrusion Detection and alarms Existing physical security measures to delay such as: Vehicle barriers, crash gates, fencing and security officers Existing physical security measures to assess such as: Video surveillance, video analytics and security command centers 13

41 NATF - R4 Guidance memo June 2015 Resiliency Measures continued Existing physical security measures to communicate such as: Security Operations Center(SOC) initiates response, protection of communication transmission to the SOC, alarm systems and Intercom system. Existing physical security measures to respond such as: Documented procedures, responses to alarms, State or local Law Enforcement and armed security officers deployment. 14

42 R5 Security Plan Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3. Shall develop and implement a documented physical security plan(s) that cover their Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of R2 and executed according to the timeline specified in the physical security plans. The security plan should address the mitigation and response to the threats and vulnerabilities identified. A measureable timeline of executing the physical security enhancements and modifications should be included in the security plan. The timeline should include a project plan on how security enhancements and modifications will be implemented. 15

43 NATF - R5 Guidance memo June 2015 R5 provides an approach for development and implementation of Physical Security Plans. Areas for consideration: Deterrence Measures Visible physical security measures installed to persuade individuals to seek other, less secure targets. Detection Measures Physical security measures installed to detect unauthorized intrusion and provide local and/ or remote intruder notification. Delay Measures Physical security measures installed to delay an intruder s access to a physical asset and provide time for incident assessment and response. 16

44 NATF - R5 Guidance memo June 2015 Assessment Measures The process of evaluating the legitimacy of an alarm and determining the procedural steps required to respond. Communicate Systems used to send and receive alarm/video signals, audio, and data. Respond The immediate measures taken to assess, deploy, interrupt, to an incident. Physical Security Plan Template. 17

45 R6 R6 - Each Transmission Owner and Transmission Operator shall select an unaffiliated third party reviewer from the following: An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional(CPP) or Physical Security Professional(PSP) certification. An entity or organization approved by the ERO. A government agency with physical security expertise. An entity or organization with demonstrated law enforcement, government, or military physical security expertise. 18

46 Critical Infrastructure Protection Committee (CIPC) R6 CIPC has developed guidance to support industry s implementation of Requirement R6. Provides examples of experience/documentation for third party reviewer with electric industry o Proof of past or current employment as an employee(s) or contractor(s) in the electric industry; o Proof of past or current employment as an employee(s) or contractor(s) as an ERO regional entity auditor; or o Documented experience in threat vulnerability assessments or development of security plans in the electric industry. 19

47 CIPC R6 Guidance Provides examples of government agencies that might be selected Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise. 20

48 CIPC R6 Guidance Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise. Conducting and/or evaluating threat and vulnerability analysis of physical attack Designing and/or evaluating physical security plans Third party review of threat and vulnerability analyses or physical security plans Designing, implementing, or evaluating asset protection plans, specifically those related to facilities with special emphasis on industrial complexes 21

49 R6 Guidance ERO approval process guidance (September 2015) This process will be applied when registered entity has a third party that does not meet one of the other three criteria. Candidate 3 rd parties shall work through their Registered Entity to obtain certification. The ERO will review the qualifications against industry-vetted criteria, which is included in the Appendix A. Appendix A - request third party reviewer must have at least one criteria from the physical security experience plus one from electric sector experience. 22

50 ERO approval process guidance (September 2015) Appendix A Physical Security experience(at least one): Certified Critical Infrastructure Protection Specialist (CCIPS) and ten (10) years. Certified Homeland Protection Professional (CHPP) and ten (10) years Professional in Critical Infrastructure Protection (PCIP) and ten (10) years Certified Security Consultant (CSC) and ten (10) years experience as a physical security professional. Ten (10) years employment in a physical security department with responsibilities in facility protection. Physical security subject matter expert. Ten (10) years of experience in physical security program development, risk assessments, and threat assessment. Twenty (20) engagements as a security consultant for facility physical security assessments or security program design. 23

51 ERO approval process guidance (September 2015) Appendix A Electric Sector Experience(at least one): Ten (10) years employment with an electric utility transmission organization. Three (3) years employment as an ERO regional entity auditor Ten (10) assignments as a physical security consultant for a North American electric utility transmission organization Five (5) years military service with training in critical infrastructure interdiction. 24

52 ERO to Monitor Implementation Number of assets critical under the standard Per Region Q Q Defining characteristics of the assets identified as critical Per Region Q Q Scope of security plans By Q Information obtained Guided Self-Certs, Off-site Audits, Audits Consider compliance monitoring schedule 25

53 ERO to Monitor Implementation Timelines for implementing security and resiliency measures Regions: Periodic Guided Self-Certs, Off-site Audits, Audits to determine implementation schedule and progress NERC will aggregate results Industry s progress in implementing the standard Beginning in Q4, Quarterly NERC Board Updates Reliability Standard Audit Worksheet for CIP-014-2, will be sent to drafting team(september 2015). 26

54 27

55 Agenda Item 9 Cyber Security Standards Program Update Tobias Whitney, NERC - Manager of CIP Compliance Critical Infrastructure Protection Committee September 2015

56 Status of CIP V5 Transition V5 Transition Advisory Group Is active, meets often to complete final guidance documents Engages Standards Committee to finalize guidance and to ensure industry input has been incorporated Over 40 FAQs and lessons learned from all sources have been finalized via the Section 11 process Industry webinars scheduled when new guidance is posted July 1 Way Forward Meeting was held to address key issues. As a result, several actions have been taken: April Memoranda have been removed Guidance will continue to use the Section 11 process 2

57 Guidance: Effective Approaches Section 11 Guidance Development Process 3

58 Where to Access the New Postings 4

59 Key Posting IRC 2.3 and 2.6 Compliance Dates The Implementation Plan is silent on how to treat changes that occur prior to April 1, The ERO Enterprise, consistent with the timelines in the Scenario of Unplanned Changes After the Effective Date table of the Implementation Plan, will provide affected Responsible Entities 12 or 24 months from the Responsible Entity s performance of their CIP , Requirement R1 assessment that follows a notification from a Reliability Coordinator, Planning Coordinator, or Transmission Planner. 5

60 Key Posting Generation Interconnection (IRC 2.5) Reliability Standard CIP Requirement R1, Attachment 1, criterion 2.5 requires responsible entities to assess Transmission Facilities by determining the weighted value per line for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation. Consistent with the language of criterion 2.5 and the Guidelines and Technical Basis section of CIP , a radial generator lead line with no network flows (i.e., no power would flow through the line if the generator is off-line) and with the sole purpose of connecting generator output to a networked Transmission system would not qualify as a Transmission Line to be included in the criterion 2.5 calculation. 6

61 Communications and Networking 7

62 Background The following exemption exists in Version 3 and Version 5 of the CIP Standards Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters (ESP). Version 5 of the CIP Standards doesn t always require an ESP for BES Cyber Systems Need to establish an approach for identifying Cyber Assets associated with communication networks and data communication links for non-routable communications 8

63 Guidance The guidance outlines the following considerations: Evaluate the reliability tasks performed locally at the asset without external communications Identify any network and communication devices that should be categorized as BES Cyber Assets (BCA) based on the reliability tasks Identify any network and communication devices that would meet the definition of a Protected Cyber Asset (PCA) Keep the focus on the reliability tasks performed locally at the asset 9

64 Examples One approach was to establish a demarcation point between BES Cyber Systems at the asset and devices used for external communication Demarcation point is not a requirement of the standards The approach using a demarcation point is shown in the examples for: ESP to ESP ESP to No ESP No ESP to No ESP Allows identification of equipment that is considered out of scope/exempted from CIP applicability. 10

65 Example: ESP to ESP 11

66 Example: ESP to No ESP 12

67 Example: No ESP to No ESP 13

68 External Routable Connectivity 14

69 ERC The CIP version 5 requirements do not specifically address access to serial devices from networks that use a routable protocol. Intermediate System or Similar BES Cyber Asset #1 Routable communications Serial communications BES Cyber Asset #2 Port Server The BES Cyber Assets connected using serial communications were not considered BES Cyber Assets with External Routable Connectivity. The port server was evaluated to determine if it had a 15 minute impact on the Bulk Electric System. 15

70 BES Cyber Assets 16

71 BES Cyber Assets Function Impact Timeframe Security Function Communication Function Connection Duration Capability 17

72 Posting Schedule Guidance Posting Date Closing Date Webinar Communications and Networking August 19, 2015 September 18, 2015 August 20, 2015 IRC 2.3 & 2.6 August 19, 2015 September 18, 2015 August 20, 2015 Generation Interconnection August 19, 2015 September 18, 2015 August 20, 2015 BCAs/PEDs September 9, 2015 October 9, 2015 September 10, 2015 External Routable Connectivity September 9, 2015 October 9, 2015 September 10, 2015 Vendor Management September 23, 2015 TBD September 24, 2015 Patch Management September 23, 2015 TBD September 24, 2015 TO Control Centers September 23, 2015 TBD September 24,

73 Major Initiatives Related to CIP CIP NOPR highlighted the following topics for comment: Supply Chain Protecting communication links between control centers Adequacy of existing remote access controls in CIP Version 5 Protections for Transient Devices at Low Impact Clearer descriptions and definitions of LERC Interpretations Patch Management Shared BES Cyber Assets & common mode vulnerability Compliance Dates for Unplanned changes Standards Revisions V5 Transition Issues 19

74 Contact Information Manager of CIP Compliance, Tobias Whitney at Telephone: Transition Program web pages: Implementation-Study.aspx 20

75 21

76 Agenda Item 15a GridEx III CIPC Update New Orleans, LA September 15, 2015

77 GridEx III Objectives 1 GridEx III Exercise crisis response and recovery 2 3 Improve communication Identify lessons learned Local Objectives Each Organization may choose to create and work towards local objectives through the exercise 4 Engage senior leadership 2

78 GridEx III Map *As of 12:00 EDT on 09/01/2015 3

79 SimulationDeck Metrics: Number of registered participants: 1173 Number of registered organizations: 226 Utilities Participation Status Breakdown Active: 93 Observing: 47 Unmarked: 5 GridEx III Metrics Utilities Government/Academia/Other RCs NERC Regional Entity 4

80 Exercise Control Preparation GridEx III by Calendar Date November 2015 Tuesday Wednesday Thursday Eastern 4 hrs Move 1 Move Move 3 3 Pause Pause Move 2 Move Move 4 4 Pause Pause 5

81 Remember 1, 2, 3 6 Access: Exercise: Additional Information: SimulationDeck All Registered GridEx III Participants (Lead Planners, Planners, Players, Observers) SimulationDeck will host social and traditional media material as well as inject releases Treat SimulationDeck like your public-facing websites. No sensitive information should be posted here. This will be the only tool available for Observing organizations and Observers. Exercise Directory Access: All Exercise Participants Exercise: Exercise, Exercise, Exericse Access: Planning: ES-ISAC Portal Only participants who would normally have access as a part of their real job Complete refresh coming soon! The ES-ISAC Portal will be used to post alerts and Exercise: information as it would in the real world

82 Future Deliverables Player Handbook Pause guidance for C/Es Additional communications guidance OE-417, EOP-004, ES-ISAC Portal Quick-start guide Communications tests (up to November 10) Inject artifact upgrades 7

83 8

84 Agenda Item 16 Cyber Security Subcommittee Progress Report Marc Child, Chair

85 Control Systems Security Working Group Mikhail Falkovich, Chair

86 CSSWG Status Team Reviewed 119 industry submitted comments on the draft guideline. Minor edits were made to the document to fix errata and provide clarity. Language provided to GEWG for consideration in development of GRID Ex III. Final document has been provided to NERC and the CIPC EC for posting. 3

87 CSSWG Core Contributors Nadya Bartol Mikhail Falkovich Larry Bugh Cynthia Hill-Watson Marc Child Michael Johnson Frances Cleveland Carter Manucy Tim Conway Paul Skare Dustin Cornelius NERC Staff: Laura Brown 4

88 5

89 Security Training Working Group Progress Report William Whitney III, Chair David Godfrey, Vice Chair Bob Canada, NERC Rep.

90 Security Training Working Group Charter CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as, educational outreach opportunities. Current Members Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Rick Carter, James McQuiggan, Jason Phillips, David Scott, Ronald Keen, Tim Conway, Steen Fjalstad, Daniel Moore, Jason Phillips, Nick Rasey, and William Whitney III 7

91 Security Training Working Group Latest Activities Monthly conference calls to discuss long term goals and short term actions Coordinate and provide platform for presentations (webinars and in-person) 8

92 Security Training Working Group 2015 Training Schedule April SHODAN Conversations with Your Control System May Insider Protection June ES-ISAC Portal Training Aug Insider Threat Program Development Sept Cyber Track - CIPv5 Vulnerability Assessment Physical Track - Surveillance Detection and Countermeasures Oct 8th UAS Update Webinar Nov TBA Dec - Briefings Please let us know what training you and/or your fellow colleagues would like to see so we can secure the speakers for that topic. If you or someone you know would like to present on a topic let us know because we would enjoy the information sharing. Remember, what you may think is common knowledge others might not know! 9

93 Security Training Working Group Recorded Training, Slides, and Documents Go to nerc.com Hover over Program Areas & Departments Click Critical Infrastructure Click CIP Training on the left of the page 10

94 Security Training Working Group Training Links TEEX - DHS - DOD - FEMA - DOE - MS-ISAC - Have a link for free, quality, training? Please share with us to add to the list. 11

95 Security Training Working Group Next Steps Continue to expand the list of free on demand training from reputable agencies and vendors Secure volunteers to join the group Schedule and prepare future Pre-CIPC training sessions and webinars Work with vendors and/or individuals in the industry to provide specific training to industry This means you and/or your co-workers that have information to share with the industry CIPC Actions Concerns and/or suggestions for today s discussion 12

96 13

97 Agenda Item 17b Threat & Incident Reporting Guideline (TF) Update - September 2015 Doug Alexander, KCP&L (proxy) John Breckenridge, Chair

98 How we fit in! CIP Committee Structure CIPC Executive Committee Physical Security Subcommittee David Grubbs Cyber Security Subcommittee Mark Child Operating Security Subcommittee Carl Eng Policy Subcommittee Nathan Mitchell Protecting Sensitive Information TF Control System Security WG Information Sharing TF BES Security Metrics WG Physical Security Guideline TF Cyber Attack Tree TF HILF Implementation TF Personnel Security Clearance TF Physical Security Ev Analysis WG Joint w/ OC & PC Cyber Security Analysis WG Joint w/ OC & PC Grid Exercise WG Compliance & Enforcement WG Physical Security Training WG Cyber Security Training WG 2

99 Changes made reference to ES-ISAC Physical Security Response Guideline TF Activity Highlights Input from Orlando Stephenson (some quick fixes to update links) Team/Task Force starting to be formed Need to get a new Charter o Review and Revise Conference Calls/ s to team Plan to have finished product (TBD) RCIS Sam Chanoski participating w/ comments OE-417 Ensure no conflicts w/ other reporting requirements Any comments or willingness to participate Contact Randy Duncan/ or Randy.duncan@kcpl.com 3

100 4

101 Agenda Item 18a BES Security Metrics WG CIPC Progress Report Roland Miller, Chair September 15-16, 2015

102 Executive Committee David Revill, NRECA Chuck Abell, Chair, Ameren Melanie Seader, EEI David Grubbs, ERCOT Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSA Ross Johnson, CEA Jim Brenton, Vice Chair, ERCOT Marc Child, Great River Laura Brown, Secretary Physical Security Subcommittee (David Grubbs) Cyber Security Subcommittee (Marc Child) Operating Security Subcommittee (Jim Brenton) Policy Subcommittee (Nathan Mitchell) Physical Security WG (Ross Johnson) Control System Security WG (Mikhail Falkovich) ES Information Sharing TF (Stephen Diebold) BES Security Metrics WG (Roland Miller) Physical Security Guidelines WG (John Breckenridge) Cybersecurity Analysis WG (TBD) Grid Exercise WG (Tim Conway) Physical Security Standard WG (Alan Wick) Security Training WG (William Whitney) Business Continuity Guideline TF (Darren Meyers) Compliance and Enforcement Input WG (Paul Crist) June

103 June 2015 CIPC Update BESSMWG Activities NERC State of Reliability Report including new Security Metrics chapter approved by NERC Board of Trustees on May 14, 2015 Drafted strawman Security Metrics Development Roadmap to plan future BESSMWG activities June 9, 2015, BESSMWG met to review Roadmap and define future direction Activities Since June 2015 Conducted 2 conference calls to accept the Roadmap and to review/assess the relative value of over 150 metrics from the universe of security metrics Met F2F Sept 15, 2015, to further define the proposed next set of security metrics and potentially enhance the existing metrics 3

104 Security Metrics Development Roadmap 2015 and Beyond We are here 4

105 Assessment of Additional Metrics Reviewed and assessed over 150 metrics from the universe of security metrics and answered the following questions: Relevant to the BES? Data available at NERC? Data available at individual entities? Classified each metric according to the following criteria: Suitable, for near-term development (during 2015) Suitable, for mid-term development (by end-2016) Suitable, for long-term development (2017 and later) Unsuitable, does not meet SMART criteria Unsuitable, as the data is already available through NERC s compliance monitoring and enforcement program (no need to duplicate) 5

106 Results of BESSMWG Assessment BESSMWG Assessment Number of Metrics Suitable for near-term development (during 2015) 0 Suitable for mid-term development (by end-2016) 4 Suitable for long-term development (2017 and later) 27 Unsuitable 26 Unsuitable as the data is already available through NERC s compliance monitoring and enforcement program 97 Total considered 154 6

107 Potential Enhancements to Existing Metrics Metric Reportable Cyber Security Incidents Reportable Physical Security Incidents ES-ISAC Membership Industry-Sourced Information Sharing Global Cyber Vulnerabilities Potential Enhancement Further breakdown of the reported data as a sub-metric Further breakdown of the reported data as a sub-metric Develop a more meaningful sub-metric based on demographic data Develop a measure of the value of information shared as a sub-metric Replace with a sector-based future threat trending metric 7

108 Timeline Establish Roadmap direction and timeline (completed) Present Roadmap to CIPC (completed) Consider and prioritize proposed new metrics from the universe of security metrics (completed) Draft definitions for development during 2016 (December 2015) Enhance the approved metrics (February 2016) Finalize detailed definitions for new metrics, including data sources (February 2016) Consider pilot program to field test new metrics If necessary, prepare NERC data request to collect data for new metrics Obtain approval and roll-out new/updated metrics and security chapter for 2016 State of Reliability Report (March 2016) 8

109 9

110 Agenda Item 18C Physical Security Standard WG Progress Report Allan Wick, Chair Toni Linenberger, Vice-Chair Brian Harrell, Vice Chair September16, 2015

111 Objectives/Duties The PSSWG will develop a roster of technical experts from the CIPC voting members, alternate members, and other willing observers and conduct the following activities: Develop a process for handling requests from NERC staff. Provide guidance to NERC on prioritizing CIP-014 products under development. Develop guidance documents for CIP-014 for NERC. Specifically, draft guidance documents for R4, R5, and R6. Provide timely technical reports, if requested by NERC, on technical matters related to physical security. Collaborate with other CIPC Working Groups and Task Forces regarding the implementation of the PSSWG deliverables. Provide CIPC updates on progress at the CIPC face-to-face meetings. 2

112 Our Team Chair Vice-Chair EC Sponsor NERC Staff Team Members Allan Wick Toni Linenberger Brian Harrell Nathan Mitchell Laura Brown Kurt Aikman Bruce W. Barnes Tim Basch Richard Bouchey John Breckenridge Bob Canada Mark L. Comer Steen J. Fjalstad Mike Hagee Ross Johnson Mike Ketchens Craig P. Lawrence Chris McColm Leslie (Les) Morton Barry Page Bobby Parker Peter Scalici Matt Stryker Douglas G. Williams 3

113 Progress Past quarter R6 Guide 45 day comment period ended August 10, 2015 o Posted under the PSSWG webpage g%20group%20psswg/final%20cip-014%20r6%20guide_ pdf Current two projects CIP-014 R5.1 survey Mike Hagee team lead o October delivery Roadmap project John Breckenridge team lead 4

114 5