NERC CIP Information Protection

Similar documents
NERC Overview and Compliance Update

Proposed Convention for Numbering of NERC Reliability Standards Draft September 9, 2004

New Brunswick 2018 Annual Implementation Plan Version 1

British Columbia Utilities Commission Reliability Standards with Effective Dates adopted in British Columbia

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan

Regulatory Impacts on Research Topics. Jennifer T. Sterling Director, Exelon NERC Compliance Program

CIP Cyber Security Information Protection

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Meeting- Overview of. Development

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

NERC and Regional Coordination Update

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Critical Cyber As s et Identification

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Standard CIP Cyber Security Critical Cyber As s et Identification

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

requirements in a NERC or Regional Reliability Standard.

CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard Development Timeline

Standard CIP Cyber Security Security Management Controls

Standard CIP Cyber Security Systems Security Management

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Electric Transmission Reliability

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP Cyber Security Incident Reporting and Response Planning

Standards Development Update

CIP Cyber Security Personnel & Training

Standard CIP Cyber Security Physical Security

Standard CIP 007 4a Cyber Security Systems Security Management

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Standard Development Timeline

A. Introduction. Page 1 of 22

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Critical Cyber Asset Identification

CIP Cyber Security Configuration Management and Vulnerability Assessments

Standard CIP Cyber Security Critical Cyber Asset Identification

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Blackout 2003 Reliability Recommendations

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Standard CIP-006-3c Cyber Security Physical Security

A. Introduction. B. Requirements and Measures

CIP Cyber Security Security Management Controls. A. Introduction

CIP Cyber Security Personnel & Training

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Recovery Plans for BES Cyber Systems

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

Reliability Standards Development Plan

Standard CIP-006-4c Cyber Security Physical Security

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

Cyber Threats? How to Stop?

5. Effective Date: The first day of the first calendar quarter after applicable regulatory approval.

Standard EOP Disturbance Reporting

Reliability Standard Audit Worksheet 1

Standard and Project Cross References

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

CIP Cyber Security Recovery Plans for BES Cyber Systems

requirements in a NERC or Regional Reliability Standard.

Project Retirement of Reliability Standard Requirements

Standard CIP-006-1a Cyber Security Physical Security

CIP Cyber Security Systems Security Management

History of NERC December 2012

Standards Authorization Request Justification

Implementing Cyber-Security Standards

Standard INT Dynamic Transfers

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

State of Reliability Report 2013

primary Control Center, for the exchange of Real-time data with its Balancing

History of NERC August 2013

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

NERC Management Response to the Questions of the NERC Board of Trustees on Reliability Standard COM September 6, 2013

Standard CIP 004 3a Cyber Security Personnel and Training

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Standard INT Dynamic Transfers

Standard COM-002-2a Communications and Coordination

CIP Cyber Security Electronic Security Perimeter(s)

Standard Development Timeline

Standard CIP Cyber Security Physical Security

NB Appendix CIP NB-0 - Cyber Security Personnel & Training

Critical Cyber Asset Identification Security Management Controls

NERC and Regional Coordination Update. Operating Committee Preston Walker January 9, 2018

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Implementation Plan for Version 5 CIP Cyber Security Standards

2014 Annual Compliance Assessment

History of NERC January 2018

Appendix A3 - Northeast Power Coordinating Council (NPCC) 2015 CMEP Implementation Plan for Entities within the U.S.

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

The Common Controls Framework BY ADOBE

Security Standards for Electric Market Participants

Analysis of CIP-006 and CIP-007 Violations

Cyber Security Standards Drafting Team Update

Transcription:

NERC CIP Information Protection Eric Ruskamp Manager, Regulatory Compliance September 13, 2017 1

Agenda NERC History NERC Compliance Overview of Reliability Standards Compliance with Reliability Standards Penalty for noncompliance CIP Reliability Standards CIP Information Protection 2

NERC History Nov 9, 1965 Blackout A single wrongly set relay in Ontario caused a key transmission line to trip Escalating line overloads... more trips 25 Million people were without electricity for 12 hours Reason: varying operating standards 3

NERC History The Result North American Electric Reliability Council (NERC) formed on June 1, 1968 under the Electric Power Reliability Act of 1967 Began developing Operating Policies Adopted Planning Standards in 1997 4

NERC History August 14, 2003 Blackout Largest Blackout in North American history Affected 50 million people Financial loses estimated at $6 Billion 5

NERC History 1965 2003 7

NERC History Enforcement Needed EPACT 2005 signed by President Bush June 18, 2007 Mandatory Enforcement began 8

NERC Reliability Standards generation-load balance contingency reserves communication protocols cyber security physical security system restoration emergency operations interconnection requirements vegetation management facility ratings operating limits transmission loading relief outage coordination real-time assessments model development system operator training system protection underfrequency load shedding generator capability coordination operations planning transmission planning voltage control 9

NERC Reliability Standards 99 enforceable NERC Reliability Standards 69 applicable to LES 549 Requirements 281 applicable to LES An additional 1,100 sub Requirements within the standards (not counting bullet points and attachments) 10

NERC Enforcement Mechanisms to monitor, assess, and enforce compliance with Reliability Standards: 1. Compliance Audits 2. Self-Certifications 3. Self-Reporting 4. Spot Checking 5. Compliance Violation Investigations 6. Periodic Data Submittals 7. Exception Reporting 8. Complaints 11

NERC Enforcement 12

NERC Reliability Standards BAL Resource and Demand Balancing COM Communications CIP Critical Infrastructure Protection EOP Emergency Preparedness and Operations FAC Facilities Design, Connections and Maintenance INT Interchange Scheduling and Coordination IRO Interconnection Reliability Operations and Coordination MOD Modeling, Data, and Analysis NUC Nuclear PER Personnel Performance, Training and Qualifications PRC Protection and Control TOP Transmission Operations TPL Transmission Planning VAR Voltage and Reactive 13

CIP Critical Infrastructure Protection 1. Identify the cyber assets critical to operating the BES 2. Harden against physical and cyber threats o o o o o o o physical access electronic access incident response recovery plans change management security patching information protection 14

CIP Information Protection BES Cyber System Information (BCSI) 1. Identification of BCSI 2. Protecting and Handling BCSI 3. Reuse or Disposal of cyber assets containing BCSI 15

CIP Information Protection 1. Identification of BCSI Criteria: Usernames and passwords Known vulnerabilities Network diagrams with IP addresses Ports and services Firewall access rules Classification Internal Restricted: CIP BCSI Electronic Labeling header/footer, watermark Physical Labeling stamp, handwritten Filename Login banner 16

CIP Information Protection 2. Protecting and Handling BCSI BCSI in Storage Electronic storage permitted cyber assets Physical location of electronic storage Hardcopy storage designated file cabinets BCSI in Use LES owned device Lock device when not in use Return to Storage at end of day BCSI in Transit Signed confidentiality agreement Approval from CIP Senior Manager Secure share or tamper evident packaging May result in creation of another Storage location 17

CIP Information Protection 3. Reuse or Disposal of cyber assets containing BCSI Proper storage Sanitize or destroy per: - NIST SP 800-88, - Degaussing, or - Secure Erase Cyber Security department validation Record keeping of actions taken 18

19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback