OPUC Workshop, March 13, 2015
Cyber Security: Electric Utilities
Portland General Electric Co.
Travis Anderson, Scott Smith
CIP Version 5: PGE Implementation

Understanding the Regulations
- PGE attended WECC Road Shows, March 18-19, 2014, and May 14, 2014
- PGE attended EEI CIP Version 5 Workshop
- PGE attended WECC CIP 101 devoted to Version 5, September 24-25, 2014

Managing the Project
- Project manager started in early 2014
- Kickoff meetings March 20, 2014, and April 2, 2014
- Key Stakeholders:
  - Information Technology (for Balancing Authority/EMS assets)
  - Substation Operations (for Transmission Owner/Operator)
  - Power Supply Engineering Services (for Generation Owner/Operator)
  - Corporate Security (for Physical Security at all sites)
  - Human Resources (for Training Program and for Personnel Risk Assessments)
CIP Version 5: PGE Implementation

Process of Version 5 Implementation
- BROS (Bulk Electric System Reliability Operating Services)
- BES Cyber System Site Identification
- BES Cyber System Identification
- Gap Analysis
- Project List
- Project Charters
CIP Version 5: PGE Implementation

Capital Projects for Version 5 Compliance
- Corporate: CIP Tracking Tool for Physical/Logical Access
- Corporate Security: Two-Factor Authentication Hardware
- Corporate Security: Physical Protection of Physical Access Control System
- Corporate Security: Radar Surveillance
- Corporate Security: DC Backup for Physical Security Devices
- Corporate Security: Physical Hardening of Medium Impact Substations
- IT: Test Environment for Energy Network
- Substation Operations: Test Environment for Medium Impact Substations

PGE Next Steps
- Execute capital projects by year-end
- Update Version 3 controls to align with Version 5
- Identify all procedural gaps
- Strengthen current Version 3 procedures to bring them into compliance with Version 5
- Begin to retain evidence of compliance
- Fully compliant for High Impact and Medium Impact Systems by April 1, 2016
CIP Version 5: New Version Submitted to FERC
- NERC Request for FERC Approval of New CIP Standards: Feb. 13, 2015

Modifications to Respond to FERC Order
- Initial changes effective April 1, 2016
- More significant changes have longer implementation periods
- Remove Identify, Assess, Correct language
- Strengthen controls for Low Impact Cyber Systems
- Protect Transient Devices and Removable Media (thumb drives, laptops, etc.)
- Protect Communications Networks

Proposed Implementation Dates
- Removal of Identify, Assess, and Correct: 4/1/16 (original High/Medium implementation date)
- Cyber Security Plan for Low Impact Cyber Systems: 4/1/17 (original Low implementation date)
  - Physical Security Controls and Electronic Access Controls get another year: 4/1/18
- Other changes to Low: 4/1/17 (original Low implementation date)
- Transient Devices and Communications Networks: 1/1/17 (gives nine additional months)
CIP-014-1: Physical Security Standard

Unprecedented Speed of Development
- April 16, 2013: Metcalf Substation is attacked
- March 7, 2014: FERC orders NERC to develop a physical security standard within 90 days
- May 23, 2014: NERC files CIP-014-1 with FERC
- July 17, 2014: FERC issues Notice of Proposed Rulemaking to approve CIP-014-1
- November 20, 2014: FERC approves CIP-014-1

Milestones and Effective Dates
- 10/1/15: Entity completes Risk Assessment and Asset Identification
- 12/30/15: Third-Party Reviewer verifies identified assets
- 6/27/16: Entity drafts Threat and Vulnerability Evaluation and Security Plan (if necessary)
- 9/25/16: Third party reviews Security Plan
- Ongoing: Assets protected under Physical Security Plan
Information Sharing

Current Information Resources
- InfraGard
- Vendors
- ES-ISAC
- Industry Experts
- US-CERT
- NERC
- Blogs
- Security Researchers
- Other Utilities

Cyber-security summit information sharing summary
- Public-Private information sharing was the focal point
  - 90% of critical infrastructure is in private industry
  - Government has more information gathering capabilities
  - The ability to gain access to actionable intelligence could result in security benefits
  - Mechanism has yet to be fully developed
- DHS encouraged critical infrastructure sectors to create information sharing and analysis organizations (ISAOs)
- DHS intends to serve as the central information flow (regional hub), and the ISAOs will provide the local interface
Information Sharing
- PGE management has expressed an interest in sharing information on a national level
- Many benefits to be gained
- Requires ongoing coordination and collaboration between those who can identify the threat (government officials) and those who can engineer solutions (the private-sector owners, users, and operators of the electric grid)
- The current lack of liability protections is slowing the process
- PGE will continue to monitor the development of this effort at the regional and national level
2014 Audits / Security Assessments

PGE blends internal and external resources in its testing and auditing to provide the greatest coverage and assurance.

External
- WECC audit for CIP in 2014
- 3rd-party testing of Generation plant facilities

Internal
- Enterprise-wide assessment against NIST 800-53 standards (32 systems / 9 locations)
- Certification testing on new capital investments (21)
- Annual vulnerability testing of all CIP assets
2015 Audits / Security Assessments

External
- 3rd-party assessment of PGE Security Program
- 3rd-party testing of Real Time Dispatch tool

Internal
- Calibration against Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2)
- Certification testing of 2 new plants
- Enterprise-wide assessment against NIST 800-53 standards (19 systems / 13 locations)
- Certification testing on all new capital investments (37)
- Annual vulnerability testing of all CIP assets
- Breach Response Assessment