NERC-Led Technical Conferences

Similar documents
Summary of FERC Order No. 791

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Physical Security Reliability Standard Implementation

CIP Technical Workshop

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

February 25, 2015 VIA ELECTRONIC FILING

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Modifications to TOP and IRO Standards

Standards Authorization Request Form

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Project CIP Modifications

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016

Breakfast. 7:00 a.m. 8:00 a.m.

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Standard Development Timeline

Standard Development Timeline

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

NB Appendix CIP NB-0 - Cyber Security Personnel & Training

Project Modifications to CIP Standards

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Critical Cyber Asset Identification

Project CIP Modifications

Cyber Threats? How to Stop?

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Critical Cyber Asset Identification

CIP Standards Development Overview

NB Appendix CIP NB-0 - Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Critical Infrastructure Protection Version 5

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

BILLING CODE P DEPARTMENT OF ENERGY FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ]

CYBER SECURITY POLICY REVISION: 12

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Draft Version: August 18, 2015

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training

Critical Cyber Asset Identification Security Management Controls

CIP Cyber Security Systems Security Management

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

CIP Cyber Security Security Management Controls. A. Introduction

Standard Development Timeline

CIP Cyber Security Configuration Management and Vulnerability Assessments

Industry Webinar. Project Single Points of Failure. August 23, 2018

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

Standard CIP 007 4a Cyber Security Systems Security Management

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Cyber Security Incident Report

CIP Cyber Security Recovery Plans for BES Cyber Systems

Standard CIP-006-4c Cyber Security Physical Security

Project CIP Modifications

Standard Development Timeline

Standard Development Timeline

Frequently Asked Questions November 25, 2014 CIP Version 5 Standards

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

Draft CIP Standards Version 5

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

Standard Development Timeline

Standard Development Timeline

Lesson Learned CIP Version 5 Transition Program

Project Retirement of Reliability Standard Requirements

Lesson Learned CIP Version 5 Transition Program CIP R1: Grouping BES Cyber Assets Version: March 2, 2014

Cyber Security Standards Drafting Team Update

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

Cyber Attacks on Energy Infrastructure Continue

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Cyber Security Supply Chain Risk Management

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

Standard CIP-006-3c Cyber Security Physical Security

CIP Cyber Security Security Management Controls

Standard Development Timeline

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

Reliability Standard Audit Worksheet 1

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Implementing Cyber-Security Standards

Project Physical Security Directives Mapping Document

CIP Cyber Security Recovery Plans for BES Cyber Systems

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Compliance Exception and Self-Logging Report Q4 2014

Project Modifications to BAL Frequency Response and Frequency Bias Setting. Industry Webinar December 18, 2018

Project Modifications to CIP Standards. Consideration of Comments Initial Comment Period

Standard CIP 007 3a Cyber Security Systems Security Management

Please contact the undersigned if you have any questions concerning this filing.

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Transcription:

NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014

Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. Notice of Open Meeting Participants are reminded that this webinar is public. The access number was widely distributed. Speakers on the call should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders. 2

Agenda for Today Welcome & Safety Information Opening Remarks Standards Development Update Identify, Assess, and Correct Transition Study Communication Networks Low Impact Assets Protection Transient Devices Survey Closing 3

Opening Remarks Mark Lauby, Vice President and Director, Standards 4

Technical Conference Goals Engagement and discussion on considerations regarding the FERC Order No. 791 directives for the standard drafting team that is now being formed. Focus not on solution today but on industry input for the standard drafting team to use in finding a solution. 5

Standards Development Update

Standards Update January 15, 2014 Standards Committee authorized Standard Authorization Request (SAR) for posting. Scope of SAR January 17, 2014 SAR posted for 30-day informal comment period. End of January Standards Drafting Team appointed. 7

Project 2014-02 CIP V5 Revisions http://www.nerc.com/pa/stand/pages/project-2014-xx- Critical-Infrastructure-Protection-Version-5-Revisions.aspx Components: Standard Authorization Request 8

Project Timeline January 21, 2014 East Coast Technical Conference January 23, 2014 West Coast Technical Conference Mid-February Standard Drafting Team Kickoff May 5, 2014 VRF Filing due August 4, 2014 VSL Filing due February 3, 2015 Modifications to IAC and physical protection of communication networks due February 3, 2015 Informational Filing based on Survey due 9

Identify, Assess, and Correct

Overview Enforcement and RAI Update Purpose of IAC Language FERC Support for Principles Underlying IAC FERC s Response FERC Order No. 791 Directive Changing Context Objective: Discuss removal or modification of IAC and integration of RAI 11

RAI Enforcement Activities Information and process flow improvements Pilots Aggregation of minimal risk issues Alternative path to enforcement (discretion) Timing First cycle October 2013 to April 2014 12

Aggregation Pilot Parameters Minimal risk issues only. Record maintained by registered entity during aggregation cycle. Format and content of record is similar to FFT spreadsheet. Periodic review of aggregated issues by Regional Entity. First cycle began in October 2013; First evaluation of results will be in April 2014. Issues eligible for disposition through discretion. 13

Alternative Path to Enforcement (Discretion) Parameters Minimal risk issues only. Notifications to NERC and FERC at the time of intake and disposition. Format and content of record is similar to FFT spreadsheet. Records available for review by NERC and FERC. 14

Purpose of IAC Language Address zero tolerance compliance concerns regarding high frequency security obligations inherent to cybersecurity. Reduce administrative burden of compliance process. Incorporate lessons learned over the past four years. Promote development of strong internal controls. 15

FERC Support for Principles Underlying IAC P 70: FERC stated that it supports: NERC s move away from a zero tolerance approach to compliance. The development of strong internal controls. NERC s development of standards that focus on the activities that have the greatest impact to BPS reliability. 16

FERC s Response PP 71-72: IAC language was unclear regarding: Obligations imposed on responsible entities Implementation by responsible entities; and Enforcement. P 75: Concerned about compliance language included in standard. 17

FERC Order No. 791 Directive FERC directed NERC to remove or modify the identify, assess, and correct language. P 67: Preferably, NERC should remove the identify, assess, and correct language. P 67: Alternatively, NERC may propose equally efficient and effective modifications. P 75: FERC would prefer approaches that would not involve the placement of compliance language within the text of Reliability Standards. P 76: NERC may develop a proposal to enhance the enforcement discretion afforded to itself and the Regional Entities. February 3, 2015 deadline for modifications. 18

Changing Context Removal of IAC language does not impact NERC s commitment to address zero tolerance concerns. However, RAI had not formally begun when the IAC language was initially introduced. P 73: The Reliability Assurance Initiative (RAI) process when fully developed may afford a consistent, informed approach that provides incentives for entities to develop robust internal control programs. Swift removal of IAC supports focus on transition activities while still addressing zero tolerance concerns. 19

Transition Study

Overview Purpose of V5 Transition Program CIP V5 Transition Program Elements Scope of Study Study Approach Key Themes & Lessons Learned 21

Purpose of the V5 Transition Program Address V3 to V5 Transition issues. Provide a clear roadmap for V5 steady-state. Justifies budget for V5 implementation and compliance. Foster communication and knowledge sharing. Support all entities in the timely, effective, and efficient transition to CIP Version 5 22

CIP V5 Transition Program Elements Periodic Guidance A new transition guidance will be provided after V5 Order Implementation Study 6 entities with strong compliance cultures 6-8 month implementation of V5 for certain facilities Lessons learned throughout and after study phase Compliance and Enforcement Integration with RAI Identify approaches to address IAC alternative processes Outreach & Communications New website created for all Transition Program activity http://www.nerc.com/pa/ci/pages/transition-program.aspx Training Quarterly training opportunities will be provided to industry V5 Technical Training will be provided at the March 4th CIPC Meeting in St. Louis 23

Scope of Study BES Cyber System Type High Medium Control Centers X X Backup Control Centers X X Generation Dispatch Control Centers X Non-Routable Substations X Routable Substations X Generation facilities greater 1500 MW X Remote Access (Temporary) X X Dedicated Remote Access X X Data Centers X X 24

Study Approach Determine Scope Determine the scope of the Transition Study by selecting the Responsible Entities and their assets needed to provide a reasonable and sufficient sample of all entities who must comply with the NERC CIP Standards. Conduct Studies Conduct detailed studies with selected Responsible Entities to identify the challenges and issues associated with complying with NERC CIP Version 5. Communicate Results Communicate progress. Report conclusions and lessonslearned. Primary stakeholder audience is all Responsible Entities, not just Study Participants. 25

Key Themes & Lesson Learned Grouping BES Cyber Assets in Cyber Systems. 15 minute impact to operations. Approaches to defining PSP security controls around nonroutable BES Cyber Systems. Remote access approaches. Approaches to address substation controls. Approaches to address generation controls. Configuration management of new BES Cyber Assets. What are the TFEable requirements? Approaches to minimize risk and administrative overhead. Alternatives to the IAC approach. 26

27

Communication Networks

Overview Definition of Cyber Asset and Communication Networks FERC s Response FERC Order No. 791 Directive Communication Networks definition New or Modified Reliability Standard Objective: Gather industry input on the potential scope covered in communication networks definition and requirements 29

Definition of Cyber Asset and Communication Networks Inclusion of communication networks in the Cyber Asset definition was removed in version 5. Cyber Asset Definition: Programmable electronic devices and communication networks, including the hardware, software, and data in those devices. Many components of communication networks cannot strictly comply with the version 5 standards. 30

FERC s Response P 148: FERC was persuaded that communication networks are not necessary in the Cyber Asset definition. P 149: However, [W]e remain concerned that a gap in protection may exist, as the CIP version 5 Standards do not address security controls needed to protect the nonprogrammable components of communications networks. 31

FERC Order No. 791 Directive P 150: FERC directed NERC to: create a definition of communication networks; and develop new or modified Reliability Standards that address the protection of communication networks to be filed for approval by February 3, 2015. P 150: FERC directed FERC staff to include the issue of protecting nonprogrammable components of communication networks in the FERC staff-led technical conference. 32

FERC Order No. 791 Directive P 150: FERC Statements on Responding to Directives: The definition of communication networks should include what equipment and components should be protected. The new or modified Reliability Standards should require appropriate and reasonable controls to protect the nonprogrammable aspects of communication networks. 33

Communication Networks Definition Recognizing that the definition of communication networks needs a defined scope, what are some considerations for identifying the scope of a communication network? Examples: Current ESP networks and communications between ESPs; vendor connections; point-to-point networks, etc. 34

New or Modified Reliability Standard What considerations should the standard drafting team address when weighing the following options: Modify CIP V5 standards to address communication networks; or Develop a new standard for communication networks? 35

Lunch Resume at 1:00 p.m. MT

Low Impact Assets Protection

Overview CIP-003-5 Requirement R2 FERC s Response FERC Order No. 791 Directive FERC Order No. 791 Alternatives Examples of Approaches Objective: Discussion on considerations of options to meet the directive 38

CIP-003-5 Requirement R2 R2. Each Responsible Entity for its assets identified in CIP 002 5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon: Operations Planning] 2.1 Cyber security awareness; 2.2 Physical security controls; 2.3 Electronic access controls for external routable protocol connections and Dial up Connectivity; and 2.4 Incident response to a Cyber Security Incident. An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. 39

FERC s Response P 107: Standards do not: Require specific controls for Low Impact assets; nor Contain clear, objective criteria from which to judge sufficiency of the controls ultimately adopted by responsible entities for Low Impact assets. P 108: Absence of objective criteria to evaluate controls chosen by responsible entities: Introduces an unacceptable level of ambiguity, Brings potential inconsistency into compliance process, and Creates unnecessary gap in reliability. 40

FERC Order No. 791 Directive P 108: FERC directed NERC to develop modifications that address its concerns for Low Impact assets. P 106: [W]hile we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity s protections for Low Impact assets. 41

FERC Order No. 791 Alternatives P 108: FERC suggested the following alternatives to address the directive: 1. Require specific controls for Low Impact assets, including subdividing the assets into different categories with different defined controls applicable to each subcategory; or 2. Develop objective criteria against which the controls adopted by responsible entities can be compared and measured in order to evaluate their adequacy, including subdividing the assets into different categories with different defined control objectives applicable to each subcategory; or 3. Define with greater specificity the processes that responsible entities must have for Low Impact facilities under CIP-003-5, Requirement R2; or 4. Develop another equally efficient and effective solution. 42

Examples of Modifications Include Low Impact assets in the matrices of other CIP standards that address cyber security awareness, physical security controls, etc. Include requirement parts from the matrices in CIP-003, Requirement R2 scaled to protect Low Impact assets. Include policy objectives in CIP-003, Requirement R2 that ensure intent is clear. 43

Examples Example of Low Impact Assets subcategories: Low Impact Assets Generation Transmission Control Centers Requirements/ Criteria Requirements/ Criteria Requirements/ Criteria 44

Objective What are important issues for the standard drafting team to consider in finding a solution? We will keep within these four technical areas: Cyber security awareness; Physical security controls; Electronic access controls for external routable protocol connections and Dial up Connectivity; and Incident response to a Cyber Security Incident. 45

Transient Devices

Overview Definition of BES Cyber Asset FERC s Response FERC Order No. 791 Directive Objective: Discussion on considerations of options to meet the directive 47

Definition of BES Cyber Asset NERC s proposed definition of BES Cyber Asset, in part, stated a Cyber Asset is not a BES Cyber Asset if: For 30 consecutive calendar days or less: o It is directly connected to: - A network within an ESP; or - A Cyber Asset within an ESP; or - A BES Cyber Asset. o AND it is used for: - Data transfer; or - Vulnerability assessment; or - Maintenance; or - Troubleshooting purposes. 48

FERC s Response P 132: Although recognizing treating all transient devices as BES Cyber Assets is unduly burdensome, FERC is concerned that CIP Version 5 Standards do not provide adequately robust protection from the risks posed by transient devices. 49

FERC Order No. 791 Directive P 132: FERC directed NERC to develop either new or modified standards to address the reliability risks posed by connecting transient electronic devices (e.g., thumb drives and laptop computers) to BES Cyber Assets and Systems. 50

FERC Order No. 791 Directive P 136: FERC expects NERC to consider the following: Device authorization as it relates to users and locations Software authorization Security patch management Malware protection Detection controls for unauthorized physical access Processes and procedures for connecting transient devices to systems at different security classification levels. 51

Objective Objective: What are considerations regarding options to address the reliability risks posed by connecting transient electronic devices to BES Cyber Assets and Systems? Example approaches: separate standard, separate requirements, applicable systems column 52

Survey

Overview Definition of BES Cyber Asset FERC s Response FERC Order No. 791 Directive Objective: Discuss appropriate questions for survey 54

Definition of BES Cyber Asset BES Cyber Asset definition Includes Cyber Assets that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment. The 15-minute parameter 55

FERC s Response P 123: BES Cyber Asset identification is critical in applying CIP Version 5 Standards. P 123: Better understanding of the scope of assets included as a result of the 15-minute parameter is key. 56

FERC Order No. 791 Directive P 124: FERC directed NERC to conduct a survey of Responsible Entities during the CIP Version 5 Standards implementation periods to determine the number of assets, by type, that fall outside the definition of BES Cyber Asset because the assets do not satisfy the 15-minute parameter specified in the definition. 57

FERC Order No. 791 Directive PP 124-25: By February 3, 2015, NERC must submit an informational filing that explains: Specific ways in which entities determine which Cyber Assets meet the 15-minute parameter. Types or functions of Cyber Assets that are excluded and why. Common problem areas of improperly designating BES Cyber Assets. Feedback from each Regional Entity participating in the CIP Implementation Study. 58

Objective How would you phrase the survey questions in order to meet FERC s directive? 59

Closing Remarks Thank you! Next Steps Getting added to the Plus List Outreach activities 60

61

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback