Physical Security Reliability Standard Implementation

Similar documents
Project Physical Security Directives Mapping Document

Cyber Security Reliability Standards CIP V5 Transition Guidance:

151 FERC 61,066 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION ORDER DENYING REHEARING. (Issued April 23, 2015)

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

FERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC

Critical Infrastructure Protection Version 5

June 4, 2014 VIA ELECTRONIC FILING. Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION

Project Retirement of Reliability Standard Requirements

Compliance Enforcement Initiative

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

ERO Enterprise Strategic Planning Redesign

Grid Security & NERC

Standards Authorization Request Form

NERC-Led Technical Conferences

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Board of Trustees Compliance Committee

Proposed Clean and Redline for Version 2 Implementation Plan

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

Summary of FERC Order No. 791

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Standard Development Timeline

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Standard CIP Cyber Security Critical Cyber As s et Identification

History of NERC December 2012

Standards Development Update

Standard Development Timeline

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Standard CIP Cyber Security Critical Cyber As s et Identification

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Chapter X Security Performance Metrics

New Brunswick 2018 Annual Implementation Plan Version 1

Live Webinar: Best Practices in Substation Security November 17, 2014

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

Unofficial Comment Form Project Operating Personnel Communications Protocols COM-002-4

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Cyber Security Standards Drafting Team Update

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP-006-4c Cyber Security Physical Security

ERO Compliance Enforcement Authority Staff Training

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Standard CIP Cyber Security Critical Cyber Asset Identification

CIP Cyber Security Configuration Management and Vulnerability Assessments

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Implementation Plan for Version 5 CIP Cyber Security Standards

Standard CIP-006-3c Cyber Security Physical Security

Critical Cyber Asset Identification Security Management Controls

The North American Electric Reliability Corporation ( NERC ) hereby submits

Cyber Threats? How to Stop?

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standards Authorization Request Form

History of NERC August 2013

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

Unofficial Comment Form

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Cyber Security Supply Chain Risk Management

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Scope Cyber Attack Task Force (CATF)

Cyber Security Incident Report

Reliability Standards Development Plan

October 2, CIP-014 Report Physical Security Protection for High Impact Control Centers Docket No. RM15-14-

NERC Transmission Availability Data System (TADS): Element Identifier Data Submission Addendum

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Standard CIP 007 4a Cyber Security Systems Security Management

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

Project Posting 8 Frequently Asked Questions Guide

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

Analysis of CIP-006 and CIP-007 Violations

Critical Infrastructure Protection Committee Strategic Plan

Unofficial Comment Form Project Operating Personnel Communications Protocols COM Operating Personnel Communications Protocols

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Reliability Standard Audit Worksheet 1

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities

Re: North American Electric Reliability Corporation Docket No. RM

Southeast Florida Regional Climate Change Compact Update. Broward Climate Change Task Force February 16, 2017

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

CIP Cyber Security Incident Reporting and Response Planning

Standard CIP 007 3a Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management

CIP Cyber Security Recovery Plans for BES Cyber Systems

Critical Infrastructure Protection Committee Strategic Plan

CYBER SECURITY POLICY REVISION: 12

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

Client Services Procedure Manual

CIP Standards Development Overview

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

Standard Development Timeline

Standard CIP Cyber Security Incident Reporting and Response Planning

Unofficial Comment Form 1st Draft of PRC-005-3: Protection System and Automatic Reclosing Maintenance (Project )

Transcription:

Physical Security Reliability Standard Implementation Attachment 4b Action Information Background On March 7, 2014, the Commission issued an order directing NERC to submit for approval, within 90 days, one or more Reliability Standards addressing physical security risks and vulnerabilities of critical facilities on the Bulk-Power System. On May 23, 2014, NERC filed a petition for approval of proposed Reliability Standard CIP-014-1. As proposed, CIP-014-1 requires Transmission Owners and Transmission Operators to protect those critical Transmission stations and Transmission substations, and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection. On July 17, 2014, the Commission issued a NOPR proposing to: (1) approve the CIP-014-1 Reliability Standard, and (2) direct NERC to modify the standard in two respects and submit certain informational filings. On September 8, 2014, NERC filed comments in response to the NOPR. On November 20, 2014, FERC issued Order No. 802 approving Reliability Standard CIP-014-1 Physical Security. In approving the standard, he Commission also adopted its proposal to direct NERC to develop and submit modifications to the Reliability Standard, within six months of the effective date of the order, concerning the use of the term widespread in Requirement R1. In contrast, the Commission did not adopt the proposal to direct NERC to include a procedure that would allow applicable governmental authorities to add or subtract facilities from an applicable entity s list of critical facilities under Requirement R1. With respect to the proposed informational filing, the Commission adopted the proposal to direct NERC to make an informational filing addressing whether it is necessary to develop a Reliability Standard that provides physical security for all High Impact control centers. The Commission directed NERC to submit this filing within two years of the effective date of the standard. The Commission, however, did not adopt the NOPR proposal to direct NERC to make an informational filing addressing resiliency. In response to the Order No. 802 directive related to the term widespread, on December 9, 2014, NERC submitted a revised Standards Authorization Request (SAR) to the Standards Committee (SC) for authorization to post for informal comment. The SC authorized posting the SAR for a 30-day informal comment period. The revised SAR was posted for comment on December 15, 2014. Comments are due on January 13, 2015. The original standard drafting team will review the comments received on the SAR and address the directive at their January 27, 2015 meeting in Atlanta. Overview of Key Elements of CIP-014-1 and Relevant Dates Under CIP-014-1, applicable entities are required to identify their critical facilities, evaluate the security risks and vulnerabilities to those identified facilities, and implement measures to mitigate the risk of physical attack. More specifically, the proposed Reliability Standard contains the following six requirements designed to protect against and mitigate the impact of physical attacks on certain Transmission stations and Transmission substations, and their associated primary control centers: 1

Requirement R1 requires applicable Transmission Owners to perform risk assessments on a periodic basis to identify their Transmission stations and Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection. The Transmission Owner must then identify the primary control center that operationally controls each of the identified Transmission stations or Transmission substations. Requirement R2 provides that each applicable Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirement R1. The unaffiliated third party verifier may recommend additions or removals from the list of transmission stations or transmission substations under Part 2.3. The resolution of this activity could take up to 60 days. Requirement R3 requires the Transmission Owner to notify a Transmission Operator that operationally controls a primary control center identified under Requirement R1 of such identification. Requirement R4 requires each applicable Transmission Owner and Transmission Operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of its critical facilities identified in Requirement R1, as verified under Requirement R2. Requirement R5 requires each Transmission Owner and Transmission Operator to develop and implement documented physical security plan that covers each of its respective critical facilities identified in Requirement R1, as verified under Requirement R2. Requirement R6 provides that each Transmission Owner and Transmission Operator subject to Requirements R4 and R5 have an unaffiliated third party review its Requirement R4 evaluation and Requirement R5 security plan. The unaffiliated third party reviewer may recommend changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5. The resolution of this activity could take up to 60 days. The manner in which entities implement these requirements is necessarily dependent upon the facts and circumstances of each facility. The standard s approach provides entities the necessary flexibility to identify and protect their critical facilities in a manner that best suits their needs. The following are relevant dates related to CIP-014-1. 1 November 20, 2014 FERC issued Order No. 802 approving CIP-014-1. November 25, 2014 Order No. 802 published in the Federal Register. January 26, 2015 Effective date of Order No. 802. 1 Note that as described in the implementation plan associated with CIP-014-1, the timing to complete performance of certain requirements (or part thereof) in CIP-014-1 is dependent upon completion of certain prior requirements (or parts thereof). Registered entities should review their own implementation activities to ensure that they meet the timing obligations under CIP-014-1, as certain requirements may need to be completed earlier than a latest date indicated here depending upon the time in which the entity completed a preceding requirement. 2

July 27, 2015 Due date for petition for approval of revisions to CIP-014-1 to address widespread directive. October 1, 2015 Effective Date of CIP-014-1 (in the U.S.) U.S. entities must comply with Requirement R1 by this date. December 30, 2015 U.S. entities must have completed Parts 2.1, 2.2, and 2.4 of Requirement R2. February 28, 2016 Latest date by which U.S. entities must have completed Part 2.3 of Requirement R2. March 6, 2016 Latest date by which U.S. entities must have completed Requirement R3. June 27, 2016 Latest date by which U.S. entities must have completed Requirements R4 and R5. September 25, 2016 Latest date by which U.S. entities must have completed Parts 6.1, 6.2 and 6.4 of Requirement R6. November 24, 2016 Latest date by which U.S. entities must have completed Part 6.3 of Requirement R6. October 1, 2017 Due date for informational filing addressing control center issue. Efforts to Support Understanding and Implementation of CIP-014-1 Based on its prior experiences, NERC understands that issues, questions, or requests for additional guidance can arise as entities implement new or revised versions of Reliability Standards. Although CIP- 014-1 represents one standard with six requirements, the implementation of the standard presents a number of considerations related to risk management and compliance expectations due to the flexibility provided in the standard. To that end, NERC is conducting several activities to support increased understanding of the various requirements in CIP-014-1 and to promote transparency and confidence in industry s implementation of the standard. During the implementation period for CIP-014-1, with the support and engagement of industry stakeholders and the Regional Entities, NERC is planning to issue guidance documents, provide training to industry and ERO compliance and enforcement staff, and conduct other outreach efforts to improve industry s understanding of the requirements of CIP-014-1 and help ensure that industry is technically ready to implement the various requirements in the standard according to the time frame provided in the implementation plan. These activities are also designed to ensure the ERO Enterprise enforces CIP-014-1 consistently, reasonably, and transparently. The following outlines NERC s key activities for supporting effective and efficient implementation of CIP- 014-1. Guidance. While CIP-014-1 contains a Guidelines and Technical Basis section to assist registered entities in implementing the requirements, NERC understands that the industry would benefit from additional guidance, especially related to the performance of the risk assessment to identify critical facilities. Accordingly, NERC is collaborating with industry participants and Regional Entities to develop additional guidance on CIP-014-1. More specifically, NERC is 3

developing a package of guidance documents for the Regional Entities, which will be publicly available, outlining the ERO s compliance and enforcement expectations for CIP-014-1. Additionally, NERC is collaborating with certain reliability-focused industry groups in developing guidance for successful implementation of specific requirements in CIP-014-1, some of whom are already developing guidance for their members. NERC may reference guidance of this type in its forthcoming guidance to Regional Entities. For example, the North American Transmission Forum (NATF) is in the process of developing guidance for certain requirements in the standard (Requirements R1, R4 and R5). In addition, NERC will interface with Reliability Coordinators for their expertise in performing reliability studies as a consideration for Requirements R1 and R2. NERC staff also expects to coordinate with representatives of the NERC Planning Committee and Critical Infrastructure Protection Committee as it develops additional guidance documents. These groups will be of particular value to help address how NERC may view the threat evaluation and security plan in Requirements R4 and R5, along with the unaffiliated third party reviews as contemplated in Requirement R6. Importantly, NERC recognizes that there may be more than one approach to achieving compliance with CIP-014-1 s requirements, so it is not planning to adopt or endorse a specific approach as the only way to comply with the standard. The timeline below summarizes the schedule for additional guidance: Requirement Guidance Posting R1 & R2 Risk assessment approach and third party January 2015 assessment considerations R4 & R5 Examples of threat & vulnerability April 2015 assessment and security plans R6 NERC third-party assessment program July 2015 Monitor and Assess Implementation. NERC management, per the Board s instruction, will monitor and assess implementation of CIP-014-1. Specifically, NERC management intends to monitor the general number and characteristics of assets identified as critical and the scope of security plans developed to meet the requirements in CIP-014-1, including the timelines provided for implementation of the various security and resiliency measures included in the plan. Following the effective date of CIP-014-1, NERC intends to report quarterly to the Board in response to the Board s request. Outreach and Communications. As FERC has issued a final order approving CIP-014-1 and Registered Entities have begun steps toward implementation, NERC will continue providing regular communications and outreach on key information to support industry s implementation of the standard. NERC presented a webinar to industry on December 18, 2014, where it provided information related to implementation support as discussed in these materials. NERC will conduct additional webinars, workshops, or technical conferences going forward based on feedback from industry and in conjunction with Regional Entity outreach activities. Training. Throughout 2015, NERC will provide training to Regional Entity staff to support consistency of approach in compliance monitoring and enforcement expectations around CIP- 014-1. Initial coordination to ensure auditor training and consistent application of CIP-014-1 began in Atlanta, Georgia, during the week of September 15, 2014. Additional training and coordination continues as part of NERC s regular CIP compliance monitoring and enforcement 4

staff training to help ensure a consistent, reasonable, and transparent approach to monitoring CIP-014-1 under the risk-based Compliance Monitoring and Enforcement Program. Collectively, these elements will help ensure a more common understanding of implementation expectations for CIP-014-1 throughout 2015. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback