Cybersecurity for the Electric Grid


Cybersecurity for the Electric Grid
Electric System Regulation, CIP and the Evolution of Transition to a Secure State
A presentation for the National Association of Regulatory Utility Commissioners, March 7, 2016

Table of Contents
- Introduction
- Cyber Security and Critical Infrastructure
- Critical Infrastructure: Who to Regulate?
- Bulk Electric System Cyber Regulation: Governance Structure
- Bulk Electric System Cyber Regulation: Critical Infrastructure Protection Standards Overview
- Power & Utility Legislation
- Cyber vs. Non-cyber Legislation

Shari Gribbin, Senior Manager, Deloitte & Touche LLP
Email: sgribbin@deloitte.com, Office: 571.766.7708 / Mobile: 202.207.6465

Shari is a senior manager in the Regulatory & Compliance market offering based in Washington, D.C. She specializes in compliance, governance, oversight, regulatory analysis and operational risk; cyber security regulatory analysis and program development; as well as compliance audit and investigation. Shari has more than 15 years of experience as both a regulatory lawyer and compliance leader across energy generation, transmission and distribution as well as wholesale power marketing and retail commodity businesses. Prior to joining Deloitte, Shari worked at Exelon Corporation and held a dual role as the enterprise-wide FERC Compliance Manager and lead counsel for FERC/NERC enforcement issues. She has led more than 45 FERC, NERC and state-level enforcement actions as well as hundreds of internal investigations and audits. She was also responsible for the development and implementation of corporate and business unit level compliance programs.

Importance of Cyber Security: Why do we care?

Executive Order, Improving Critical Infrastructure Cybersecurity
- Incapacity or destruction of critical infrastructure assets or systems would have a debilitating impact on national economic security, public health, and safety.
- Directed NIST to work with industry leaders to develop Version 1.0 of the NIST Cybersecurity Framework.
- "It is the policy of the U.S. to enhance the security and resilience of the Nation's critical infrastructure ... through a partnership with the owners and operators of critical infrastructure." (Executive Order)

Historic Blackouts
- Blackout of 2003, northeast US and central Canada: 50 million affected, cost of >$4 billion

Hacking
- Cyber attacks against Saudi and Qatari energy companies: Shamoon virus, 30,000 computers destroyed

Source: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

Importance of Cyber Security: Critical Infrastructure

Based on the Industrial Control Systems Cyber Emergency Response Team's (ICS-CERT) recent report on incident response activity, the energy sector reported the highest percentage of incidents (53%). The chart below graphically depicts the most targeted critical infrastructure sectors.

[Chart: most targeted critical infrastructure sectors, with the energy sector marked "You are here". Source: ICS-CERT Incidents, October 2012 to May 2013]

Importance of Cyber Security: Critical Infrastructure

Complex interconnections between systems (SCADA, Industrial Control Systems (ICS), smart grid, intelligent substations, and new customer systems) are dramatically reshaping the cyber threat landscape for the Power and Utilities Sector.

- "82 Percent of Energy Sector IT Pros Say a Cyber Attack Could Cause Physical Damage" (eSecurity Planet, February 2016)
- "Attackers hacked Department of Energy 159 times in 4 years" (Computerworld.com, September 2015)
- "Energy Sector Beware: Cybersecurity Now Top Security Threat" (thelegalintelligencer.com, October 2015)
- "Utilities rank highest for risk of data breaches" (SmartGridNews, April 2015)

If not acted upon, threats to the security and stability of the Power and Utility grid are expected to grow.

Importance of Cyber Security: Motivated Threat Actors

The cyber threat landscape is continually evolving and the impact of successful attacks on the electrical grid is heightened. Threat actors are amassing individual footprints to target their attacks.

[Diagram: external threats targeting the power grid]
External threats: cyber criminals, hacktivists, organized crime, social media/underground chatter, nation states
Targets: power grid, critical infrastructure & resources, data center, network infrastructure, nuclear facility, employee data

Now more than ever, we need to be Cyber Aware!

Critical Infrastructure Cyber Security: Who to regulate?

Cyber Security Frameworks: The Voluntary/Mandatory Solution

National Institute of Standards and Technology (NIST)
- Version 1.0 NIST Cybersecurity Framework, issued February 2014
- Voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk

Other Frameworks and Standards
- ETSI Cyber Security Technical Committee: standards to increase privacy and security for organizations and citizens across Europe
- ISO 27001: provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system
- ISO 27002: a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management
- ISA/IEC-62443: a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS)

Critical Infrastructure Cyber Security: Who to regulate?

Bulk Electric System: NERC CIP
- The mandatory regulatory scheme for the Bulk Electric System (BES), or "The Grid", is a full suite of operationalized cyber security requirements designed to assure the reliability of the electric grid
- The BES definition is fundamental to compliance, and complicated
- NERC (North American Electric Reliability Corporation) is a nonprofit corporation whose mission is to ensure reliability of the Bulk-Power System in North America; it is responsible for developing, promulgating and enforcing BES cyber regulations
- As the electric reliability organization (ERO), NERC is subject to oversight by the Federal Energy Regulatory Commission (FERC)
- NERC develops and enforces reliability standards for planning and operating the collective bulk-power system
- The cyber security suite of regulations focuses on the cyber assets that are critical to operation and capable of impacting Bulk Electric System reliability

Critical Infrastructure Cyber Security: Who to regulate?

Energy Industry Readiness
- State regulatory focus on distribution level regulation of smart grid and similar customer facing technologies.
- Replacement of aging infrastructure and dated systems will result in a technology transformation that requires a new approach to cyber security.
- P&U is the tip of the spear for other Industrial Control System (ICS) driven businesses (Natural Gas, Oil & Gas, Water Utilities, and manufacturing / processing).
- Coordination of agencies, regulators, industry, and the private sector is essential.
- Security + IT + Compliance = Cyber Security

The CIP Transition: Lessons Learned
- Transition to CIP shows that building formal compliance structures around NIST and other frameworks can mitigate risks and failures.
- Consider the IT organization and their role in cyber security and compliance programs.
- Assess how to integrate and formalize cyber frameworks for the implementation of programs applicable to regulated and non-regulated assets to improve cyber security posture.

BES Cyber Regulation: NERC Critical Infrastructure Protection (CIP) Standards

- NERC CIP (the cyber rules) focuses on protecting BES Cyber Systems and support systems used in the Bulk Electric System (BES)
- Urgent Action Standard (2003) was responsive to increasing concerns around physical and cyber security after 9/11
- Evolved from UA 1200 to a formal suite of enforceable regulation in parallel with NERC's journey to certified ERO
- Currently effective version: NERC CIP Version 3, which was effective for most entities in January 2010
- Version 5 will take effect in July 2016, the first major overhaul and biggest impact since the initial Version 3 implementation
- Industry is in the process of transitioning to Version 5 and now Version 6
- Consists of standards covering the security of electronic perimeters, physical security of BES Cyber Systems, personnel and training, security management, disaster recovery, and more

Source: http://www.nerc.com/aboutnerc/pages/default.aspx

BES Cyber Regulation: NERC CIP Updates to Version 5 from Version 3

[Diagram: the v3/v4 to v5 facilities comparison]

Significant NERC CIP V5/V6 Updates
- NERC CIP covered systems and assets have become more explicit in their classification, such as classifying Operations Technology (OT) Cyber Assets and systems at generation plants, utility substations, and transmission facilities.
- Changes in language and terminology: the terms Critical Assets and Critical Cyber Assets are no longer used. BES Cyber Systems and BES Cyber Assets are new definitions.
- V5 BES Cyber Systems are now classified by their impact to the Bulk Electric System as High, Medium, or Low.

Source for diagram: https://rfirst.org/compliance/documents/rf%20cipv5%20workshop%20cip%20v5v6 Implementation Plan.pdf?Mobile=1

BES Cyber Regulation - Terminology: Commonly Used NERC CIP Terms

See NERC's Glossary of Terms used in NERC Reliability Standards for a complete listing.

CIP Senior Manager: A single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011.

Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or nonoperation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.

BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.

Physical Security Perimeter (PSP): The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.

BES Cyber Regulation: NERC CIPv5 Standards Overview

- CIP-002-5.1, BES Cyber System Categorization: Identifies all BES Cyber Systems as having a High, Medium, or Low Impact on the reliability of the Bulk Electric System.
- CIP-003-5, Security Management Controls: Establishes consistent and sustainable security management controls to protect the Bulk Electric System.
- CIP-004-5.1, Personnel & Training: Requires documented processes or programs for security awareness, cyber security training, personnel risk assessment, and access management.
- CIP-005-5, Electronic Security Perimeter: Ensures High Impact and Medium Impact with ERC BES Cyber Systems are maintained within an Electronic Security Perimeter (ESP).
- CIP-006-5, Physical Security of BES Cyber Systems: Requires implementation of one or more documented physical security plans, and one or more documented visitor control programs.
- CIP-007-5, Systems Security Management: Addresses system security by specifying technical, operational, and procedural requirements in support of BES Cyber Systems.
- CIP-008-5, Incident Reporting & Response Planning: Requires documentation of one or more Cyber Security Incident response plans for BES Cyber Systems.
- CIP-009-5, Recovery Plans for BES Cyber Systems: Specifies the controls needed to protect data and implement a plan to recover reliability functions of BES Cyber Systems.
- CIP-010-1, Configuration Change Management & Vulnerability Assessments: Ensures configurations are monitored, changes are approved, and adverse impact to BES Cyber Systems is avoided.
- CIP-011-1, Information Protection: Requires the implementation of one or more documented information protection programs for BES Cyber Systems.
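The terminology slide and the CIP-005 summary above together describe a check a compliance team can run against its own asset inventory: every device grouped into a BES Cyber System should meet the 15-minute BES Cyber Asset criterion, and every routable BES Cyber Asset of a High Impact system, or a Medium Impact system with External Routable Connectivity (ERC), should sit inside an ESP. The following Python script is an added example, not code from the presentation or from NERC; the inventory, the system and asset names, and the impact ratings are constructed and hypothetical, and the CIP-002 thresholds that produce an impact rating are taken as input rather than modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CyberAsset:
    """One device in the inventory (constructed sample data below)."""
    name: str
    # True when unavailability, degradation or misuse would adversely impact
    # BES facilities within 15 minutes of its required operation (the BES
    # Cyber Asset criterion from the terminology slide).
    impacts_bes_within_15_min: bool
    # True when the asset is connected to a network using a routable protocol.
    routable: bool
    # Name of the Electronic Security Perimeter whose network the asset sits
    # in, or None if it is outside any ESP.
    esp: Optional[str] = None


@dataclass
class BESCyberSystem:
    """A responsible entity's logical grouping of BES Cyber Assets."""
    name: str
    # CIP-002 impact rating, supplied as input: "High", "Medium" or "Low".
    # The rating thresholds themselves are not modelled here (assumption).
    impact: str
    # External Routable Connectivity (ERC) flag, supplied as input.
    erc: bool
    assets: List[CyberAsset] = field(default_factory=list)


def is_bes_cyber_asset(asset: CyberAsset) -> bool:
    """Apply the 15-minute impact criterion from the terminology slide."""
    return asset.impacts_bes_within_15_min


def requires_esp(system: BESCyberSystem) -> bool:
    """CIP-005 as summarised on the slide: High Impact systems, and Medium
    Impact systems with ERC, must be maintained within an ESP."""
    return system.impact == "High" or (system.impact == "Medium" and system.erc)


def find_gaps(systems: List[BESCyberSystem]) -> List[str]:
    """Return one finding per asset that breaks a rule stated on the slides."""
    findings = []
    for system in systems:
        for asset in system.assets:
            if not is_bes_cyber_asset(asset):
                findings.append(
                    f"{system.name}/{asset.name}: grouped into a BES Cyber System "
                    f"but does not meet the 15-minute BES Cyber Asset criterion"
                )
            elif requires_esp(system) and asset.routable and asset.esp is None:
                findings.append(
                    f"{system.name}/{asset.name}: routable BES Cyber Asset of a "
                    f"{system.impact} Impact system is outside any ESP"
                )
    return findings


# Constructed sample inventory; all names, ratings and flags are hypothetical.
SAMPLE_INVENTORY = [
    BESCyberSystem("EMS-CONTROL-CENTER", "High", True, [
        CyberAsset("ems-server-01", True, True, esp="ESP-CC"),
        CyberAsset("ems-hmi-02", True, True, esp=None),       # gap: outside ESP
    ]),
    BESCyberSystem("SUBSTATION-A", "Medium", False, [
        CyberAsset("relay-a1", True, True, esp=None),         # Medium without ERC: no ESP required
    ]),
    BESCyberSystem("SUBSTATION-B", "Medium", True, [
        CyberAsset("rtu-b1", True, True, esp=None),           # gap: outside ESP
        CyberAsset("office-printer", False, True, esp=None),  # gap: not a BES Cyber Asset
    ]),
]


if __name__ == "__main__":
    for line in find_gaps(SAMPLE_INVENTORY):
        print(line)
```

Running the script against the sample inventory reports three findings: the control-center HMI and the substation B RTU are routable BES Cyber Assets outside any ESP, and the office printer has been grouped into a BES Cyber System without meeting the 15-minute criterion. The Medium Impact relay at substation A produces no finding because, as the slide states, the ESP requirement applies to Medium Impact systems only when they have ERC.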

Power & Utility Legislation Challenges (Illustrative)

[Chart: Energy Legislation Status. Y axis: Number of Energy Bills/Laws (0 to 14). X axis: Status of Energy Bills/Laws (Failed to pass over veto, Introduced, Passed House, Resolving Differences)]

Coordination is critical to success

Cyber vs. Non-cyber Legislation Challenges (Illustrative)

[Chart: Cyber Legislation Status. Y axis: Number of Energy Bills/Laws (0 to 7). X axis: Status of Energy Bills/Laws (Introduced, Passed House)]

Coordination is critical to success

Questions/Comments

Copyright 2016 Deloitte & Touche, LLC. All rights reserved. 36 USC 220506 Member of Deloitte Touche Tohmatsu Limited