Critical Infrastructure Protection Committee Strategic Plan

Transcription

1 Critical Infrastructure Protection Committee Strategic Plan CIPC Executive Committee 5/14/ Peachtree Road NE Suite 600, North Tower Atlanta, Georgia

2 Table of Contents Introduction... 3 Missions, Vision, and Guiding Principles... 4 Areas of Strategic Focus in Support of ERO Goals... 5 Appendix 1: ERO Strategic Plan

3 Introduction This is a living document, meant to provide a plan to address the current and future Critical Infrastructure Protection Committee (CIPC) strategic issues. The landscape in which the entire electric industry operates within is dynamic and rapidly changing. Therefore, a bi-annual review by the CIPC Executive Committee will take place to update the strategic plan to ensure that it remains current, and that the CIPC is focused on the most important and topical areas. This document is created to identify strategic activities as well as highlight the alignment of CIPC activities from several perspectives, including: Supporting priorities of the NERC ERO enterprise, Federal, state/provincial regulators, and the Electricity Sub Sector Coordinating Council (ESCC); Providing technical expertise to help address physical and cyber security threats and vulnerabilities; Matching CIPC and industry resources with priorities; and Efficiently using CIPC and industry resources. Furthermore, if there are any needed changes to the CIPC Strategic Plan , CIPC will revisit the plan to ensure alignment with the NERC Electric Reliability Organization (ERO) Enterprise Strategic Plan This plan addresses all activities, interests, and concerns of the NERC ERO Enterprise related to the physical and cyber security of the North American bulk power system. Regular Strategic Plan updates from the CIPC Chair will be provided to the CIPC members at their meetings and progress reports will be presented to the NERC Board of Trustees. 3

4 Missions, Vision, and Guiding Principles NERC Mission Statement: The North American Electric Reliability Corporation s (NERC) mission is to ensure the reliability of the North American bulk power system. NERC is the electric reliability organization (ERO) certified by the Federal Energy Regulatory Commission to establish and enforce reliability standards for the bulk-power system. NERC develops and enforces reliability standards; assesses adequacy annually via a 10-year forecast, and summer and winter forecasts; monitors the bulk power system; and educates, trains and certifies industry personnel. ERO activities in Canada related to the reliability of the bulk-power system are recognized and overseen by the appropriate governmental authorities in that country. CIPC Mission: The mission of the Critical Infrastructure Protection Committee (CIPC) is to advance the physical and cyber security of the of the North American bulk power system. Vision: Foster information sharing, engage industry security expertise and a forum for exchanging ideas and promote dialogue on key issues around the important risks to reliability of the North American bulk power system. Guiding Principles: Continue to strive for excellence in: Maintain relationship with and promote information sharing with other committees Maintain high level of security expertise Align priorities with ERO and across the other standing committees Ensure CIPC resources are efficiently used 4

5 Areas of CIPC s Strategic Focus in Support of ERO Goals Continue support of the ERO Strategic Goals The purpose of CIPC s Strategic Plan is to establish a high level direction for the CIPC and create a foundational strategy that balances long term objectives, operational priorities, and efficient use of industry resources in support of NERC s ERO Strategic Goals. This plan seeks to focus the CIPC expertise upon physical and cyber security threats to support the reliability of the bulk power system. It also establishes the committee s goals for that time period. Ensure proper focus and resources are dedicated to current critical infrastructure protection issues. CIPC will continue to monitor threats to the security of the bulk power system through liaison with the ES-ISAC and event assessment, as well as information supplied through various government agencies. Based upon those inputs, the CIPC will engage the cyber and physical expertise of the CIPC with a tactical response in the form of guidelines, standards input, communications (reports and whitepapers), training and an operational interface with industry to apply the proper response. Achieve a balanced focus on cyber and physical security CIPC will maintain a balance us on physical and cyber security issues by seeking a balance in these areas in membership expertise, agenda topics and workshop content. This balance will be complimented by operations and policy expertise to ensure CIPC has a proper understanding of the operational and reliability implications of security issues facing the North American bulk power system. Continue to leverage the expertise of the CIPC CIPC will create and maintain appropriate Task Forces and Working Groups to develop, periodically review, revise and issue security guidelines in accordance with the CIPC Charter, and to perform other work as requested by the stakeholders. 5

6 CIPC Work Plan The Critical Infrastructure Protection Committee will deliver on this strategy by undertaking the following work plan activities: BES Security Metrics CIPC Strategic Goal # 1 and ERO Strategic Plan Goal 3 CIPC will utilize the expertise of its members, NERC staff and others to provide direction, technical oversight, feedback on the collection of industry metrics, and reporting of BES security performance metrics. The BES Security Metrics Working Group (BESSMWG) has been created to develop measureable security metrics to monitor leading indicators of cyber and physical security threats to the BES. The BESSMWG will also collaborate with the ES-ISAC to produce an annual security assessment of the BES. The CIPC will continue to deliver recommendations with the following actions: CIPC will support the BES Security Metrics WG to develop benchmark recommendations to the ESCC for BES Security metrics to include cyber and physical controls. CIPC, ES-ISAC and NERC Staff will contribute to the development of an Annual Security Assessment report based upon security metrics reported by entities. Electric Sector Security Clearances CIPC Strategic Goal # 2 and NERC ERO Strategic Plan Goal - Goal 5 and CIPC Charter Section 3 CIPC will determine and recommend appropriate U.S. Government Security clearances be available to members of the Electricity Sub-sector. The CIPC will deliver by the following actions: Identify industry needs and rationale for clearances. CIPC will continue to support the Personnel Security Clearance TF (PSCTF) by identifying subject matter experts from industry and government to serve on the task force. The PSCTF will report and make recommendations to CIPC, BOT and ESCC on security clearances. The PSCTF will examine protocols in place for granting private sector clearances as well as the government s legal and policy requirements of the industry. 6

7 Public-Private Partnership for Information Sharing CIPC Strategic Goal 2 and NERC ERO Strategic Plan Goal 5 and CIPC Section 3a The protection of the Bulk Electric System requires the prompt dissemination of securityrelated information between public and private stakeholders and across international boundaries. Common information-sharing protocols will enhance passage of this information, ensuring that vital actionable information is disseminated quickly and accurately. The CIPC will deliver recommendations by the following actions: CIPC will continue to support the Electric Sub-sector Information Sharing TF to study present protocols existing between industry and government The TF will finalize and document information-sharing requirements The TF will continue to identify and research the information sharing structures, methods and requirements, and search for efficiencies and alternatives to improve or recommend changes in protocols. Propose recommendations that will build on practices and tools already in place. Propose a process for secure information sharing with other entities and government partners through leveraging the ES-ISAC Portal Cyber and Physical Security Guidelines CIPC Strategic Goal # 3 and ERO Strategic Plan Goal 3 and CIPC Charter Section 2.5 CIPC will continue to support the reliability and resilience of the bulk power system with the following activities: CIPC will create and maintain appropriate Task Forces and Working Groups to develop, periodically review, and revise CIPC security guidelines. Issue guidelines in accordance with the process described in Appendix 1 of the CIPC Charter. CIP Training and Educational Outreach CIPC Strategic Goal # 4 and NERC ERO Strategic Goal 5, CIPC Charter Section 2.7 The CIPC will deliver with the following actions: CIPC will support Security Training WG and the GridEx WG CIPC will continue to contribute to exercises (i.e. GridEx), forums and workshops (i.e. CIPC cyber and physical) related to the scope of CIPC and in cooperation with NERC. The WGs will identify and prioritize current topics related to the scope of CIPC. The WGs will coordinate with by requesting NERC resources, if necessary, to support their activities for the forums and workshops. The WGs will report their recommendations at the CIPC meetings. 7

8 Activities Required by CIPC Charter Advisory Panel to Board of Trustees CIPC Charter Section 2.1 CIPC will fulfill this commitment with the following activities: Provide reports of CIPC activities at the BOT meeting. Chair will serve as an active member of the ESCC contributing expertise on CIP matters. Chair will serve on the Standing Committee Coordination Group (SCCG) Chair will serve as a CIPC point of contact to the ES-ISAC requests for input and assistance. Coordinate across all NERC committees and working groups to assure the highest degree of collaboration possible. Encourage and solicit CIPC engagement and assist ESCC as appropriate NERC Industry Alerts ERO Strategic Goal Plan Goal 5b, CIPC Strategic Goal # 2 and CIPC Charter Sections 2.2 and 2.4 CIPC will continue to support the coordinated action of NERC s technical committees (OC, CIPC, and PC) for pending NERC Alerts with the following actions: CIPC EC, if called upon by ES-ISAC, will review pending NERC Alerts and coordinate with the NERC staff and other NERC technical committees. NERC Standards Development Support ERO Strategic Plan Goal 1, CIPC Strategic Goal # 4 and CIPC Charter Section 2.6 CIPC will continue to support the NERC reliability standards with the following activities: Assist the standards process by providing expert resources in support of the development of critical infrastructure protection standards authorization requests and standards. Review draft critical infrastructure protection standards authorization requests and standards and provide comments. Provide requested support to SDTs upon direction by NERC or the Standards Committee 8

9 Compliance and Enforcement Input ERO Strategic Plan Goal 3 and CIPC Strategic Goal #1 CIPC will continue to support the NERC Compliance Monitoring and Enforcement with the following activities: Assist the Compliance Operations and Enforcement initiatives at NERC by providing timely topical expertise on matters related to cyber and physical security. CIPC Member and Industry Involvement CIPC Strategic Goal # 4and CIPC Charter Section 4.2 The Critical Infrastructure Protection Committee will deliver on this strategy by: Encouraging and engaging CIPC Voting member active participation. Encouraging and engaging CIPC Alternate members as active participants. Encouraging and engaging industry experts as active participants even though they may not be members. CIPC EC will identify potential leadership candidates for subgroups. CIPC subcommittees will review TFs and WG rosters to identify gaps in expertise. CIPC subcommittees will review Task Force and Work Group deliverables CIPC EC will encourage, recognize and reward excellence. 9

10 Appendix 1: CIPC Work Plan Matrix BES Security Metrics ERO Strategic Plan Goal 4, 5, & 6 Year Task Next Step Status CIPC will support the BES Security Metrics WG to develop benchmark recommendations to the ESCC for BES Security metrics to include cyber and physical controls. Draft report to be presented to CIPC June 2013 for endorse ment of direction CIPC, ES-ISAC and NERC Staff will contribute to the development of an Annual Security Assessment report based upon security metrics reported by entities. Not begun Electric Sector Security Clearances NERC ERO Strategic Plan Goal - Goal 5 and CIPC Charter Year Task Next Step Status CIPC will continue to support the Personnel Security Clearance TF (PSCTF) by identifying subject matter experts from industry and government to serve on the task force The PSCTF will examine protocols in place for granting private sector clearances as well as the government s legal and policy requirements of the industry The PSCTF will report and make recommendations to CIPC BOT and ESCC on security clearances. ESCC approval with changes June agenda for CIPC approval The PSCTF will examine the use of a model for industry use to determine which for personnel should seek a security clearance from government Identify industry needs and rationale for clearances. 10

11 Public-Private Partnership for Information Sharing NERC ERO Strategic Plan Goal 5 and CIPC Section 3a Year Task Next Step Status The ES-Information Sharing TF will present recommendations to CIPC, ESCC and NERC Board of Trustees for approval & endorsement for improvement of the Public-Private Partnership, streamlining of the event reporting process for the industry with the ES-ISAC and the sharing of actionable information between government and industry CIPC will continue to support the Electric Sub-sector Information Sharing TF to study present protocols existing between industry and government CIPC Agenda June 2013 for approval The TF will finalize and document information-sharing requirements 2013 The TF will continue to identify and research the information sharing structures, methods and requirements, and search for efficiencies and alternatives to improve or recommend changes in protocols Propose recommendations that will build on practices and tools already in place Propose a process for secure information sharing with other entities and government partners through leveraging the ES-ISAC Portal Cyber and Physical Security Guidelines ERO Strategic Plan Goal 3 and CIPC Charter Section 2.5 Year Task Next Step Status Identify and develop needed guidelines and technical reports on CIP matters. NA 2012 Protecting Sensitive Information Guideline Completed 6/20/ Security Guideline for the Electricity Sector: Physical Security Response Completed 6/20/ The PSGTF will revise the Physical Response Guideline to reflect changes by the Department of Homeland Security (NTAS) National Threat Advisory System. CIPC Sept agenda for approval 11

12 CIP Training and Educational Outreach NERC ERO Strategic Goal 5, CIPC Charter Section 2.7 Year Task Next Step Status The Security Training WG and the GridEx WG CIPC will contribute to exercises (i.e. GridEx), forums and workshops (i.e. CIPC cyber and physical) related to the scope of CIPC and in cooperation with NERC The WGs will identify and prioritize current topics related to the scope of CIPC The WGs will coordinate with by requesting NERC resources, if necessary, to support their activities for the forums and workshops The WGs will report their recommendations at the CIPC meetings. 12

13 Appendix 1: ERO Strategic Plan ERO Strategic Goals The ERO Enterprise has identified seven goals in the strategic areas of standards; compliance, registration and certification; risks to reliability; and coordination and collaboration. Standards Goal 1. Develop clear, reasonable and technically sound mandatory reliability standards in a timely and efficient manner. These standards establish threshold requirements for ensuring the bulk power system is planned, operated, and maintained in a manner that minimizes risks of cascading failures, avoids damage to major equipment, or limits interruptions of bulk power supply. Objectives and valued outcomes include: a. Standards are timely, clear and responsive to reliability and security risks. Complete standards development governance and process reforms as identified in 2012 resolutions by the NERC Board of Trustees. Ensure all existing and new standards meet quality and results-based criteria1within five years with subsequent review every five years thereafter Evaluate significant bulk power system events (Category 3 and above) to identify gaps in standards and address any gaps Develop a bulk power system risk profile and assess standards compared to the profile, address the most important risk gaps Address all high-risks designated for control by a standard within one year or two years if technical study is required Address all new FERC directives within one year or two years if technical study is required; close existing directives by 2015 (by filing or negotiated resolution) b. Standards are practical to implement and cost effective. Facilitate smooth transition of new standards (e.g., CIP Version 5) Consolidate to a common set of application guides or RSAWs for all standards Identify and file requirements to be retired (Paragraph 81 Phase 2) Explore options for assessing the cost effectiveness of appropriate reliability standards 1 Quality criteria are the attributes of excellent reliability standards as stated in Section 300 of NERC s Rules of Procedure. Results based criteria mean each requirement defines a performance outcome, risk mitigation, or essential competency necessary for a reliable bulk power system. 13

14 Compliance, Registration and Certification Goal 2. Be a strong enforcement authority that is independent, without conflict of interest, objective and fair. The ERO retains and refines its ability to use standards enforcement when warranted and impose penalties and sanctions commensurate with risk. Objectives and valued outcomes include: a. The ERO registers entities commensurate with risk to the bulk power system and ensures all key reliability entities are certified to have essential capabilities. Develop and implement BES exception process Evaluate certification program for sufficiency and effectiveness, modify as needed Develop framework and criteria for registration based on risk to the bulk power system Develop common and consistent registration processes, information systems and methods among regions b. The ERO holds industry accountable for violations that create serious risk to the bulk power system; resulting actions are timely and transparent to industry. Develop and implement Reliability Assurance Initiative (compliance reform) Develop and implement new caseload and mitigation aging curves and monitor caseload and mitigation performance Develop and implement enforcement strategies based on Reliability Assurance Initiative Goal 3. Promote a culture of compliance that addresses reliability risks across the industry. The ERO works with industry to identify standards, procedures, practices and controls to address reliability risks. Objectives and valued outcomes include: a. Industry has effective procedures and programs to monitor, detect, correct, report, and prevent compliance, reliability, and security issues. Develop and implement Reliability Assurance Initiative (compliance reform) (same as 2b) Make effective internal controls models and information available to industry Initiate compliance phase-in learning periods for new standards 14

15 b. The ERO uses efficient processes and proportional exercise of discretion to verify that compliance objectives are met by industry. Continue to expand use of discretion through Find, Fix, and Track (FFT) Develop and implement Reliability Assurance Initiative (compliance reform) (same as 2b) Risks to Reliability Goal 4. Identify the most significant risks to reliability. The ERO identifies and prioritizes reliability risks, facilitates effective solutions and interventions, and monitors results. Objectives and valued outcomes include: a. Risks are identified and prioritized based on reliability impacts, cost/practicality assessments, projected resources, and emerging issues. Continue to mature RISC and develop risk profile to include HILF issues Prepare an annual state of reliability report Develop project plans and business case assessments for high priority risks; implement or facilitate initiatives to address high priority risks (see 5a first bullet) b. Events and system performance are consistently analyzed for sequence, cause, and remediation to identify reliability risks and trends, and to inform standards, compliance, and other programs. Industry is well informed of system events, emerging trends, risk analysis, lessons learned and expected actions. Analyze significant events to identify gaps in standards, compliance effectiveness, registration, and risk controls effectiveness Make all bulk power system event reports available to industry through secure portal Provide lessons learned and recommendations from events and identified risks Merge event driven databases and cause codes into one (e.g., event analysis, TADS, GADS, relay mis-operations) 15

16 Goal 5. Be accountable for mitigating reliability risks. The ERO works with industry stakeholders and experts to ensure the mitigation of known risks to reliability. Objectives and valued outcomes include: a. The ERO is tracking industry accountability for critical reliability and security recommendations. Manage risk control initiatives to be completed by ERO and coordinate other initiatives with industry (e.g., relay misoperations, situational awareness, human error, cyber attack) Develop and deploy a recommendations tracking system b. Industry is aware of and is effectively addressing security vulnerabilities and threats. Industry security posture is being evaluated and continuously improved. During crisis situations, ERO facilitates sharing of information among industry, Regions, and government. Expand security maturity model assessments to be widely accessible across industry Issue and track security recommendations to protect the bulk power system (related to 5a second bullet) Expand the use and value of security threat and vulnerability information sharing, analytics, and analysis Implement periodic wide area security exercises (e.g., GridEx)) Increase security clearances available to industry and facilitate access to secured briefings through local fusion centers Goal 6. Promote a culture of reliability excellence. The ERO facilitates a learning environment throughout the industry through event causal analysis, communication of lessons learned, tracking of recommendations, and implementation of best practices. Objectives and valued outcomes include: a. ERO is a leading resource to industry and policy makers for reliability information. Publish quality reliability assessment reports (LTRA, seasonal and special reports) Promote effective actions as needed to address identified gaps in future reliability 16

17 b. Reliability models and data accurately represent system behavior and are shared among reliability entities. Assess data and modeling needs and develop recommendations to ensure quality planning and operating data/models are available to registered entities across each interconnection Evaluate event disturbances using phasor measurements and other methods to assess sufficiency of data and models ERO Enterprise Strategic Plan February 13, Coordination and Collaboration Goal 7. Improve transparency, consistency, quality and timeliness of results; operate as a collaborative enterprise; and improve efficiencies and cost effectiveness. The ERO accomplishes this through effective coordination, collaboration and process improvements. The ERO communicates expectations clearly and fosters collaboration to deliver important results in advancing system reliability. The ERO engages the support and expertise of stakeholders, is an efficient steward of resources, and leverages information systems to create efficiencies and process controls. Objectives and valued outcomes include: a. The ERO acquires, engages, and retains highly qualified talent suited to the mission. Implement employee climate surveys and succession planning and promote favorable hiring and retention of ERO staffs Develop ERO qualifications requirements for auditors and other key positions across the ERO and implement training as needed b. The ERO internal risks are understood and managed; ERO processes are effective, efficient, and continuously improved. Develop test and deploy ERO enterprise applications, platform and database Develop five-year ERO self-assessment and close all recommendations from threeyear assessment and FERC audit Implement an ERO-wide internal risk management program 17