EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Similar documents
Physical Security Reliability Standard Implementation

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Standard CIP Cyber Security Critical Cyber Asset Identification

Cyber Security Standards Drafting Team Update

Standard CIP Cyber Security Critical Cyber Asset Identification

Critical Cyber Asset Identification Security Management Controls

Standard CIP 007 3a Cyber Security Systems Security Management

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Cyber Security Reliability Standards CIP V5 Transition Guidance:

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP Cyber Security Security Management Controls

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Critical Cyber As s et Identification

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Standard CIP Cyber Security Critical Cyber As s et Identification

Implementing Cyber-Security Standards

CIP Cyber Security Configuration Management and Vulnerability Assessments

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

CYBER SECURITY POLICY REVISION: 12

Cyber Threats? How to Stop?

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Standard Development Timeline

Standard CIP Cyber Security Systems Security Management

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Standard Development Timeline

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

Standard CIP Cyber Security Electronic Security Perimeter(s)

Cyber Attacks on Energy Infrastructure Continue

Standard CIP-006-3c Cyber Security Physical Security

Cyber Security Supply Chain Risk Management

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

History of NERC December 2012

Compliance: Evidence Requests for Low Impact Requirements

History of NERC August 2013

Standard CIP Cyber Security Systems Security Management

Analysis of CIP-006 and CIP-007 Violations

Standard CIP-006-4c Cyber Security Physical Security

CIP Cyber Security Systems Security Management

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Critical Infrastructure Protection Version 5

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Implementation Plan for Version 5 CIP Cyber Security Standards

CIP Standards Development Overview

Standard CIP Cyber Security Physical Security

CIP Cyber Security Security Management Controls. Standard Development Timeline

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Summary of FERC Order No. 791

Standard CIP Cyber Security Incident Reporting and Response Planning

Smart Grid Standards and Certification

CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

CIP Cyber Security Security Management Controls. A. Introduction

Cybersecurity for the Electric Grid

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training

Standard Development Timeline

Standard Development Timeline

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Grid Security & NERC

History of NERC January 2018

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

New Brunswick 2018 Annual Implementation Plan Version 1

CIP Cyber Security Recovery Plans for BES Cyber Systems

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities

Project Physical Security Directives Mapping Document

Standard EOP Disturbance Reporting

CIP Cyber Security Recovery Plans for BES Cyber Systems

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

A. Introduction. Page 1 of 22

Proposed Clean and Redline for Version 2 Implementation Plan

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

5. Effective Date: The first day of the first calendar quarter after applicable regulatory approval.

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Standard CIP 004 3a Cyber Security Personnel and Training

Project Retirement of Reliability Standard Requirements

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Incident Reporting and Response Planning

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

CIP Substation Security Project Update

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

CIP Cyber Security Recovery Plans for BES Cyber Systems

Regulatory Impacts on Research Topics. Jennifer T. Sterling Director, Exelon NERC Compliance Program

Re: North American Electric Reliability Corporation Docket No. RM

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Standard CIP-006-1a Cyber Security Physical Security

Standard CIP Cyber Security Physical Security

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Transcription:

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com

Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP) Standards NERC Response to FERC Directives Current Trends in CIP Violations Emerging Issues Federal Legislation 2

Reliability Enforcement Framework Section 215 of the Federal Power Act requires NERC to develop mandatory and enforceable Reliability Standards, subject to FERC review and approval. Once approved, the Reliability Standards may be enforced by NERC, subject to FERC oversight. FERC may independently enforce Reliability Standards. 3

Reliability Enforcement Framework NERC delegates compliance and enforcement of Reliability Standards to Regional Entities. Reliability Standards became mandatory and enforceable in June, 2007. The original Reliability Standards submitted to FERC did not include CIP Reliability Standards (except for CIP-001 Sabotage Reporting). CIP-002 through CIP-009 approved by FERC in Order No. 706 (effective April 7, 2008). 4

CIP Reliability Standards CIP Reliability Standards require users, owners and operators of the Bulk Power System to safeguard critical cyber assets. Process: Develop methodology to identify critical assets (e.g. generators, substations, and control centers). Apply the methodology to create list of critical assets. Use the list of critical assets to determine associated critical cyber assets. 5

CIP Reliability Standards CIP Reliability Standards: CIP-001 Sabotage Reporting CIP-002 Critical Cyber Asset Identification CIP-003 Security Management Controls CIP-004 Personnel & Training (Background Checks) CIP-005 Electronic Security Perimeters CIP-006 Physical Security of Critical Cyber Assets CIP-007 Systems Security Management CIP-008 Incident Reporting and Response Planning CIP-009 Recovery Plans for Critical Cyber Assets 6

CIP Reliability Standards Order No. 706 approved the CIP Reliability Standards but required modifications. FERC directed NERC to remove references to reasonable business judgment and acceptable risk from the standards. NERC also directed to develop specific conditions necessary to invoke technical feasibility exception. 7

CIP Reliability Standards Technical Feasibility Exception: Recognizes the difficulty with replacement of legacy equipment before the end of its useful life. FERC states, however, that replacement equipment should meet the CIP Reliability Standard requirements. The technical feasibility exception may include technically safe and operationally reasonable. The exception does not release entity from requirements but rather requires alternative obligation. 8

CIP Reliability Standards Technical Feasibility Exception Framework: Develop, document and implement a mitigation plan that achieves comparable level of security. Include a remediation plan and timeline for eliminating the use of the exception. Exception requires the approval of a senior manager. Provide notice to Regional Entity of any technical feasibility exception as part of self-certification with review by Regional Entity during audit process. 9

NERC Response FERC, among other things, required NERC to: Submit a work plan for modifications required by FERC and prepare modifications to CIP Reliability Standards. Prepare a technical feasibility exceptions report. Prepare a critical asset methodology guidance document. 10

NERC Response NERC s efforts on this are on-going. NERC appointed Mike Assante as Chief Security Officer. NERC held a Cyber Security Summit in September. NERC guidance document on critical asset identification methodology due in December. NERC team formed to revise standards; scheduled to submit revised standards to FERC by the end of March, 2009. 11

CIP Standards Violations CIP-001 was mandatory and enforceable in June 2007. Only CIP-001 was enforceable at the time the original Notices of Penalty were filed with the Commission. Of the 37 Notices of Penalty filed to date, 17 (46%) contained violations of CIP-001 (Sabotage Reporting). 12

CIP Standards Violations Of the 17 violations of CIP-001: 11 were for violations of all 4 Requirements in CIP-001. 1 was for a violation of Requirement R1 (recognition and awareness procedures). 2 were for violations of Requirement R2 (interconnection communication procedures). 3 were for violations of Requirement R4 (FBI communication contacts and procedures). 13

CIP Standards Violations Self-Certifications regarding CIP compliance were submitted in July. Entities must continue to self-certify every six months. Regions have begun to identify possible violations in the self-certifications: CIP-004 R2 Training CIP-004 R3 Background Checks CIP-004 R4 Access CIP-008 R1 Cyber Security Incident Response Plan CIP-009 R2 Recovery Plans 14

Emerging Issues Development of Critical Asset Identification Methodology no clear guidance at this point. Sabotage Reporting several reported violations of CIP- 001 in the initial notice of penalties filed with FERC by NERC. Why? Vendor Issues: Background checks Requirement to maintain lists of those with access to critical cyber assets Document retention issues. Replacement of legacy equipment. 15

Legislation Chairman Kelliher: FERC authority over cybersecurity is insufficient to deal with emerging threats. The timeline for developing Reliability Standards through the NERC process takes too long. House held hearings, but legislation did not emerge. Congress may address issue early in 111 th Congress. 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback