CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

Transcription

1 CIP-014 JEA Compliance Approach FRCC Fall Compliance Workshop Presenter Daniel Mishra

2 Acronyms & Terminologies DHS Department of Homeland Security JEA It s not an acronym JSO Jacksonville Sheriff's Office PSSE Power System Simulator for Engineering (Siemens) SRP Security Review Program TO Transmission Owner TOP Transmission Operator Risk Net Impact considering the probability that a particular threat will exploit a available vulnerability. Threat Potential for a person or thing to exploit a specific vulnerability Vulnerability Flaw or weakness in security process design, implementation, or internal control that could be exploited

3 JEA Security Mission Statement To protect the critical infrastructure that provides life sustaining services to more than a million of our friends, family and neighbors as well as the lives of more than two thousand members of the JEA family Compliance is great tool that supports good security programs but never the primary driver for security.

4 Applicability 1. Applicability 1. TO (Substation) 2. TOP (Control Center Primary) 2. Start with the results of CIP Identify the Applicable Assets (4 criteria in section 4.1.1) 2. Include Assets, yet to be commissioned (24 Months)

5 CIP-014 Objectives Identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

6 CIP-014 Overview To identify and protect JEA assets from physical attacks which would result in widespread or cascading instability/outages etc. CIP-006 manages physical access to CIP cyber assets whereas CIP-014 focuses on protecting the physical location of the selected CIP assets. Why it needs to be treated different from CIP- 006 Event based timelines for compliance Risk (internal vs external situational awareness) Frequency of activities

7 CIP-014 & CIP-006 Risk = Threat x Vulnerability x Cost Threat Vulnerability 1. Perimeter Defense 1. Physical barriers 2. Natural surveillance 3. Security lighting 4. Projectile Protection 2. Intrusion detection and electronic Surveillance 1. Alarm systems and sensors 2. Video surveillance 3. Motion Detection 4. Doppler Radar 3. Access control 1. Mechanical access control systems 2. Electronic access control system 3. Anti-Tailgating 4. Identification systems and access policies 5. Multi-Factor 4. Security personnel 1. Station Guards 2. Roving Observation posts 3. Security Response Units CIP PRA/Background Screening 2. Training 3. Awareness 4. Visitor Control Program 5. Incident Response 6. Workforce Management Asset Protection 1. PSP Protection 1. Card Readers 2. Door Sensors 3. Logging Monitoring 4. Cameras and Motion Detectors 2. Access control 1. Mechanical access control systems 2. Electronic access control system 3. Anti Tailgating 4. Identification systems and access policies 5. Multi-Factor 3. Electronic Security 1. Patching 2. Anti-Malware Protection 3. Access Control 4. Electronic Access Logging 5. Business Continuity CIP-006

8 TO Risk Assessment PSSE by Siemens 2014 FRCC Load Flow Data Bank - summer seasons, years 2016 and 2020 The summer peak load case had firm power (2400 MW) from Southern Transient stability simulations - the local substation protection system schemes inoperable Third Party concurred with all our findings

9 CIP-014 Dates R1 DAY ZERO INITIAL RISK ASSESSMENT 90 DAYS 3RD PARTY VERIFICATION R2 60 DAYS RESPOND TO 3RD PARTY COMMENTS R3 & R4 & R5 COMMUNICATE TRANS. OWNERS 7 DAYS 120 DAYS 120 DAYS PHYSICAL THREAT REVIEW AND PHYSICAL SECURITY PLAN 90 DAYS 3RD PARTY VERIFICATION 60 DAYS RESPOND TO 3RD PARTY COMMENTS Deadline Dates 1-Oct-15 1-Jan-15 N/A 23-Oct Feb May Jul-16 JEA Completed 28-Aug Oct-15 N/A 21-Oct Feb May-16 1-Jun-16 NERC 1-Oct-15 1-Jan Jan-16 4-Feb May Aug Oct-16 R6

10 Keeping the trends of CIP Multi group involvement CIP-014 Roles R1-R2-R3 Transmission Planning R4-R5-R6 Physical Security

11 CIP-014 Activities 1. Risk Assessment 2. 3 rd party review of risk assessment 3. Respond to 3 rd party 4. Communication to Transmission Operators 5. Physical Security Review of threats and vulnerabilities 6. Physical Security Plan 7. 3 rd party review 8. JEA Response 9. NDA Agreements 1. October 1, 2015, 30th or 60th Calendar month Days Days (add or remove) 4. 7 Days Days of completion of step two Days of completion of step two Days Days 9. Executed by 3rd parties

12 JEA Physical Security Key Driving Factors Critical Infrastructure/ NERC CIP Customers Experience Reputation & Trust Security Management (Physical) Scalable based on criticality (Threat & Vulnerability Data Driven*) Shared services Model (Various agencies from city combine to create a better resource and pricing model) Efficient use of technology (Doppler Radars, Fence Motion Sensors, Electronic Access Control, Effective Guard Force, 24X7 Camera monitoring etc.) Embedded Law Enforcement

13 Security Vulnerability Assessment JEA Physical Security Team completed its vulnerability assessment and Physical Security Plan May 2016 DHS Survey Face-to-face interviews with business owners Field assessments Jacksonville Security Office-DHS branch performed Third-Party assessment. Recurring assessment is expected to take place early (February)

14 Sample Mitigation - Physical Access Many Hundreds had access, now number reduced to 150 Physical access of all substations will be covered by CIP including the Lows Multiple Physical Security design corrections Lighting Structural designs Access gates removed (were not needed)

15 Third Party Support Use out of state third party for operation risk assessment. Used JSO DHS department NDA for all those who were contracted All parties were unaffiliated. The term unaffiliated means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying entity cannot be an entity that controls, is controlled by, or is under common control with, the Transmission owner). The term unaffiliated is not intended to prohibit a governmental entity from using another government entity to be a verifier under Requirement R2. (reference NERC CIP-014, page 9)

16 NERC Visit NERC SRP and NERC Physical Security Group representative and FRCC team members visited JEA has benefitted from NERC program like SRP

17 JEA Onsite JSO Detective Access to DHS vulnerability and Threat data Small/Medium Footprint Limited external dependencies (very few shared facilities) Excellent JEA Support Teams

18 Questions?