OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith


CIP Version 5 PGE Implementation

Understanding the Regulations
- PGE Attended WECC Road Shows, March 18-19, 2014, and May 14, 2014
- PGE Attended EEI CIP Version 5 Workshop,
- PGE Attended WECC CIP 101 devoted to Version 5, September 24-25, 2014

Managing the Project
- Project manager started in early 2014
- Kickoff meetings March 20, 2014, and April 2, 2014
- Key Stakeholders:
  - Information Technology (for Balancing Authority/EMS assets)
  - Substation Operations (for Transmission Owner/Operator)
  - Power Supply Engineering Services (for Generation Owner/Operator)
  - Corporate Security (for Physical Security at all sites)
  - Human Resources (for Training Program and for Personnel Risk Assessments)

CIP Version 5 PGE Implementation

Process of Version 5 Implementation
- BROS (Bulk Electric System Reliability Operating Services)
- BES Cyber System Site Identification
- BES Cyber System Identification
- Gap Analysis
- Project List
- Project Charters

CIP Version 5 PGE Implementation

Capital Projects for Version 5 Compliance
- Corporate: CIP Tracking Tool for Physical/Logical Access
- Corporate Security: Two-Factor Authentication Hardware
- Corporate Security: Physical Protection of Physical Access Control System
- Corporate Security: Radar Surveillance
- Corporate Security: DC Backup for Physical Security Devices
- Corporate Security: Physical Hardening of Medium Impact Substations
- IT: Test Environment for Energy Network
- Substation Operations: Test Environment for Medium Impact Substations

PGE Next Steps
- Execute capital projects by year-end
- Update Version 3 controls to align with Version 5
- Identify all procedural gaps
- Strengthen current Version 3 procedures to bring into compliance with Version 5
- Begin to retain evidence of compliance
- Fully compliant for High Impact and Medium Impact Systems by April 1, 2016

CIP Version 5 New Version Submitted to FERC

- NERC Request for FERC Approval of New CIP Standards - Feb. 13, 2015
- Modifications to Respond to FERC Order
- Initial changes effective April 1, 2016
- More significant changes have longer implementation periods
- Remove Identify, Assess, Correct Language
- Strengthen Controls for Low Impact Cyber Systems
- Protect Transient Devices & Removable Media (thumb drives, laptops, etc.)
- Protect Communications Networks

Proposed Implementation Dates:
- Removal of Identify, Assess, and Correct: 4/1/16 - original High/Med. implementation date
- Cyber Security Plan for Low Impact Cyber Systems: 4/1/17 - original Low implementation date
- Physical Security Controls and Electronic Access Controls get another year: 4/1/18
- Other changes to Low: 4/1/17 - original Low implementation date
- Transient Devices and Communications Networks: 1/1/17 (gives nine additional months)

CIP-014-1: Physical Security Standard

Unprecedented Speed of Development
- April 16, 2013: Metcalf Substation is Attacked
- March 7, 2014: FERC Orders NERC to develop physical security standard within 90 days
- May 23, 2014: NERC files CIP-014-1 with FERC
- July 17, 2014: FERC Issues Notice of Proposed Rulemaking to Approve CIP-014-1
- November 20, 2014: FERC Approves CIP-014-1

Milestones and Effective Dates
- 10/1/15: Entity Completes Risk Assessment and Asset Identification
- 12/30/15: Third-Party Reviewer Verifies Identified Assets
- 6/27/16: Entity Drafts Threat and Vulnerability Evaluation and Security Plan (if necessary)
- 9/25/16: Third Party Reviews Security Plan
- Ongoing: Assets Protected Under Physical Security Plan

Information Sharing

Current Information Resources:
- InfraGard
- Vendors
- ES-ISAC
- Industry Experts
- US-CERT
- NERC
- Blogs
- Security Researchers
- Other Utilities

Cyber-security summit information sharing summary
- Public-Private information sharing was the focal point
- 90% of critical infrastructure is in the Private Industry
- Government has more information gathering capabilities
- The ability to gain access to actionable intelligence could result in security benefits
- Mechanism has yet to be fully developed
- DHS encouraged critical infrastructure sectors to create information sharing and analysis organizations (ISAO)
- DHS intends to serve as the central information flow (regional hub) and the ISAOs will provide the local interface

Information Sharing

- PGE management has expressed an interest in sharing information on a national level
- Many benefits to be gained
- Requires ongoing coordination and collaboration with those who can identify the threat (government officials) and those who can engineer solutions (the private-sector owners, users, and operators of the electric grid)
- Current lack of liability protections is slowing the process
- Will continue to monitor the development of this effort at the regional and national level

2014 Audits / Security Assessments

PGE tries to blend internal / external resources in its testing and auditing to provide greatest coverage and assurance

External
- WECC audit for CIP in 2014
- 3rd Party testing of Generation plant facilities

Internal
- Enterprise wide Assessment against NIST 800-53 standards (32 systems / 9 locations)
- Certification testing on new capital investments (21)
- Annual Vulnerability testing of all CIP assets

2015 Audits / Security Assessments

External
- 3rd Party Assessment of PGE Security Program
- 3rd party testing of Real Time Dispatch tool

Internal
- Calibration against Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2)
- Certification testing of 2 new plants
- Enterprise wide Assessment against NIST 800-53 standards (19 systems / 13 locations)
- Certification testing on all new capital investments (37)
- Annual Vulnerability testing of all CIP assets
- Breach Response Assessment