Cyber Threats? How to Stop?
North American Grid Security Standards
Jessica Bian, Director of Performance Analysis
North American Electric Reliability Corporation
AORC CIGRE Technical Meeting, September 4-5, 2013
Agenda
Overview of Critical Infrastructure Protection Version 5
Focus on Correcting Deficiencies
Examples
CIP V5 Implementation Timeline
Question and Answer
2 RELIABILITY ACCOUNTABILITY
What is NERC?
NERC was certified as ERO by the U.S. Federal Energy Regulatory Commission (FERC) in 2006
Partnership with eight (8) regional entities to manage reliability in North America
FERC provides oversight, approves standards and ERO budgets (NERC/regions)
About NERC: Mission
To ensure the reliability of the North American bulk power system
Develop and enforce reliability standards
Assess, measure, and investigate historic trends and future projections to improve bulk power system reliability
Develop solid technical understanding of the reliability risks
Solutions, strategies, and initiatives to enhance bulk reliability
Analyze system events and recommend improved practices
CIP Version 5
CIP-002-5 Cyber Security - BES Cyber System Categorization
CIP-003-5 Cyber Security - Security Management Controls
CIP-004-5 Cyber Security - Personnel and Training
CIP-005-5 Cyber Security - Electronic Security Perimeter(s)
CIP-006-5 Cyber Security - Physical Security of BES Cyber Systems
CIP-007-5 Cyber Security - Systems Security Management
CIP-008-5 Cyber Security - Incident Reporting and Response Planning
CIP-009-5 Cyber Security - Recovery Plans for BES Cyber Systems
CIP-010-1 Cyber Security - Configuration Change Management and Vulnerability Assessments
CIP-011-1 Cyber Security - Information Protection
CIP Standards Version History
Urgent Action 1200: BOT Approved 07/2003, Renewed 2005
CIP Version 1: BOT Approval 5/2006, FERC Approval 1/2008
CIP Version 2: BOT Approval 5/2009, FERC Approval 9/2009
CIP Version 3 (Currently Effective): BOT Approval 12/2009, FERC Approval 3/2010
CIP Version 4 (Effective 10/1/2014): BOT Approval 1/2011, FERC Approval 4/2012 (effective 10/2014)
CIP Version 5 (Effective in 2015/2016): BOT Approval 11/2012, FERC Notice for Approval 4/2013
Comparative Table
Version 4 | Version 5
42 requirements; 113 parts | 32 requirements; 110 parts
No contextual information | Includes background, rationale, and guidelines and technical basis
Many documentary compliance requirements | Many requirements include consideration for self-correcting process improvement
Measures on high-level requirement only | Measures for each requirement, including parts
14 requirements with TFE triggering language | 10 requirements with TFE triggering language
Undefined periodic terms | Clear periodic requirements: initial requirements in Implementation Plan
Many binary VSLs | More gradated VSLs
CIP V5 Approach to Correcting Deficiencies
Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable items.
Empowers industry
Shifts focus from whether deficiencies occur to correcting deficiencies
Continuous Improvement
  o From: backward looking, individual violations
  o To: forward looking, holistic focus
Reliability and security emphasis that promotes the identification and correction of deficiencies
Incorporation into V5
Instances of Identify, Assess, and Correct Deficiencies Language in CIP Version 5
Standard | Requirement
CIP-003-5 | R2, R4
CIP-004-5 | R2, R3, R4, R5
CIP-006-5 | R1, R2
CIP-007-5 | R1, R2, R3, R4, R5
CIP-009-5 | R2
CIP-010-1 | R1, R2
CIP-011-1 | R1
BES Cyber Asset Definitions
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the BES reliable operation.
Control Center
One or more facilities hosting operating personnel that monitor and control the BES in real time to perform the reliability tasks, including their associated data centers, of:
  1) a Reliability Coordinator,
  2) a Balancing Authority,
  3) a Transmission Operator for transmission Facilities at two or more locations, or
  4) a Generation Operator for generation Facilities at two or more locations.
ESPs and PCAs
Electronic Security Perimeters
  o Network security, not compliance boundary focus
  o Only required on routable protocol networks
Protected Cyber Assets
  o Historically known as non-critical Cyber Assets
High Water Marking
A new concept from our tiered impact model
Highest impact BES Cyber System in a network determines impact level of all Cyber Assets in the ESP
Asset-based approach
List of types of assets to be considered
  o 3000 MW threshold for High BA Control Center
  o 1500 MW threshold for Medium BA Control Center
  o 1500 MW threshold for Medium GOP Control Center
CIP-002-5
Identify and categorize High and Medium Impact BES Cyber Systems, if any, at each asset
Identify assets that contain Low Impact BES Cyber Systems
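The control center thresholds and the high water marking rule from the two slides above, as an added Python example that is not part of the original presentation or of the NERC standards. The asset names, ESP labels and MW figures are constructed, and the `>=` comparison and the treatment of anything below the Medium threshold as Low are assumptions.

```python
from enum import IntEnum

class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# MW thresholds as listed on the slide, highest first. Assumptions: the
# comparison is ">=" and a control center below every threshold is LOW.
THRESHOLDS = {
    "BA": [(3000, Impact.HIGH), (1500, Impact.MEDIUM)],
    "GOP": [(1500, Impact.MEDIUM)],
}

def control_center_impact(kind, mw):
    """Impact rating for a "BA" or "GOP" control center of the given MW."""
    for floor, level in THRESHOLDS[kind]:
        if mw >= floor:
            return level
    return Impact.LOW

def high_water_mark(assets):
    """Map each asset name to its effective impact level.

    assets: dicts with "name", "esp" and "impact" (None for a Protected
    Cyber Asset that has no rating of its own). The highest rated BES Cyber
    System in an ESP sets the level for every Cyber Asset in that ESP.
    """
    peak = {}
    for a in assets:
        if a["impact"] is not None:
            peak[a["esp"]] = max(peak.get(a["esp"], a["impact"]), a["impact"])
    return {a["name"]: peak.get(a["esp"]) for a in assets}

# Constructed inventory (hypothetical names, ESPs and MW values).
INVENTORY = [
    {"name": "ba-ems", "esp": "ESP-A", "impact": control_center_impact("BA", 3200)},
    {"name": "gop-scada", "esp": "ESP-A", "impact": control_center_impact("GOP", 1600)},
    {"name": "print-server", "esp": "ESP-A", "impact": None},
    {"name": "plant-hmi", "esp": "ESP-B", "impact": control_center_impact("GOP", 900)},
    {"name": "ntp-relay", "esp": "ESP-B", "impact": None},
]

if __name__ == "__main__":
    for name, level in high_water_mark(INVENTORY).items():
        print(f"{name:13} {level.name if level else 'unrated'}")
```

The Medium-rated system and the Protected Cyber Asset in ESP-A both inherit High from the one High-rated system that shares their perimeter, which is why network segmentation decisions drive the scope of the stricter requirements.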
CIP-007-5
Patch Management
  o Changed to a monthly process instead of per patch process
  o No mitigation plans needed if patch installed
  o Existing mitigation plans may be modified with approval
Malware
  o 35 day signature update requirement replaced
  o Have a process for updating that includes testing and installing
CIP-006-5 R1
Each Responsible Entity shall implement one or more documented physical security plans that includes:
CIP-006-5 R1 (continued)
Each Responsible Entity shall implement, in a manner that identifies, assesses and corrects deficiencies, one or more documented physical security plans that includes:
Violation Severity Level VSLs
Old Language
The Responsible Entity does not have a process to monitor the Physical Security Perimeter twenty-four hours a day, seven days a week for unauthorized circumvention of a physical access control into a Physical Security Perimeter.
New Language
The Responsible Entity has a process to monitor for unauthorized access through a physical access point into a Physical Security Perimeter and identified deficiencies but did not assess or correct the deficiencies.
CIP Implementation
When to Self-Report
Plan does not exist
Plan has not been implemented
Did not assess or correct identified deficiencies
Deficiencies that create high risk to the Bulk Electric System
Questions and Answers
Background Materials
All CIP Standards
View at: http://www.nerc.com/pa/stand/reliability%20standards%20complete%20set/rscompleteset.pdf
1. Title: Sabotage Reporting
   Number: CIP-001-2a
   Purpose: Disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.
2. Title: Cyber Security - BES Cyber System Categorization
   Number: CIP-002-5
   Purpose: To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
3. Title: Cyber Security - Security Management Controls
   Number: CIP-003-5
   Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
4. Title: Cyber Security - Personnel & Training
   Number: CIP-004-5
   Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
5. Title: Cyber Security - Electronic Security Perimeter(s)
   Number: CIP-005-5
   Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
6. Title: Cyber Security - Physical Security of BES Cyber Systems
   Number: CIP-006-5
   Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
7. Title: Cyber Security - System Security Management
   Number: CIP-007-5
   Purpose: To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
8. Title: Cyber Security - Incident Reporting and Response Planning
   Number: CIP-008-3
   Purpose: Standard CIP-008-3 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
9. Title: Cyber Security - Recovery Plans for BES Cyber Systems
   Number: CIP-009-5
   Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.
10. Title: Cyber Security - Configuration Change Management and Vulnerability Assessments
    Number: CIP-010-1
    Purpose: To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
11. Title: Cyber Security - Information Protection
    Number: CIP-011-1
    Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.