CIP Standards Development Overview

Similar documents
Standard CIP Cyber Security Security Management Controls

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP Cyber Security Incident Reporting and Response Planning

CIP Standards Development Overview

Standard CIP Cyber Security Critical Cyber As s et Identification

Standard CIP-006-4c Cyber Security Physical Security

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standard CIP Cyber Security Systems Security Management

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 007 4a Cyber Security Systems Security Management

Standard CIP Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Security Management Controls. Standard Development Timeline

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Standard CIP 007 3a Cyber Security Systems Security Management

CIP Cyber Security Configuration Management and Vulnerability Assessments

Standard CIP-006-3c Cyber Security Physical Security

Standard CIP Cyber Security Critical Cyber Asset Identification

Critical Cyber Asset Identification Security Management Controls

Standard CIP Cyber Security Electronic Security Perimeter(s)

Standard Development Timeline

Standard CIP Cyber Security Critical Cyber Asset Identification

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Standard CIP Cyber Security Physical Security

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

Standard CIP 004 3a Cyber Security Personnel and Training

Standard CIP Cyber Security Systems Security Management

CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

Standard Development Timeline

Implementation Plan for Version 5 CIP Cyber Security Standards

Proposed Clean and Redline for Version 2 Implementation Plan

CIP Cyber Security Systems Security Management

Cyber Security Supply Chain Risk Management

CIP Cyber Security Personnel & Training

Cyber Security Standards Drafting Team Update

Implementing Cyber-Security Standards

Standard Development Timeline

Standard CIP-006-1a Cyber Security Physical Security

CIP Cyber Security Incident Reporting and Response Planning

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Purpose. ERO Enterprise-Endorsed Implementation Guidance

CIP Cyber Security Personnel & Training

Cyber Security Reliability Standards CIP V5 Transition Guidance:

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

CIP Cyber Security Physical Security of BES Cyber Systems

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Additional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014

CIP Cyber Security Standards. Development Update

Standard CIP Cyber Security Physical Security

Standard Development Timeline

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

Standard Development Timeline

CIP Cyber Security Recovery Plans for BES Cyber Systems

NERC Relay Loadability Standard Reliability Standards Webinar November 23, 2010

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Draft CIP Standards Version 5

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Standard Development Timeline

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

CIP Cyber Security Recovery Plans for BES Cyber Systems

Standard Development Timeline

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Standards Authorization Request Form

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Standard Development Timeline

CIP Cyber Security Recovery Plans for BES Cyber Systems

CIP Cyber Security Electronic Security Perimeter(s)

Re: North American Electric Reliability Corporation Docket No. RM

Standard Development Timeline

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Project Retirement of Reliability Standard Requirements

Additional 45-Day Comment Period and Ballot November Final Ballot is Conducted January Board of Trustees (Board) Adoption February 2015

CIP Cyber Security Physical Security of BES Cyber Systems

Unofficial Comment Form

1. SAR posted for comment on January 15, Standard Drafting Team appointed on January 29, 2014

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

CIP Cyber Security Security Management Controls. A. Introduction

The North American Electric Reliability Corporation ( NERC ) hereby submits

Please contact the undersigned if you have any questions concerning this filing.

requirements in a NERC or Regional Reliability Standard.

Physical Security Reliability Standard Implementation

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Summary of FERC Order No. 791

requirements in a NERC or Regional Reliability Standard.

NERC-Led Technical Conferences

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Cyber Security Incident Report

Draft CIP Standards Version 5

Standard Development Timeline

Standard Development Timeline

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Exhibit G. Order No. 672 Criteria for Approving Proposed Reliability Standards

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

Transcription:

CIP Standards Development Overview CSSDTO706 Meeting with FERC Technical Staff July 28, 2011

Objectives Historical Timeline CIP-002-4 CIP-005-4 CIP Version 5 2

Project 2008-06 Overview FERC Order 706 SDT appointed August 2008 CIP Version 2 September 2009 CIP Version 3 March 2010 CIP Version 4 Ongoing Effort 3

CSO706 SDT Members 17 members almost all asset owners Representation from IOUs, US and Canadian Government, Cooperatives, Municipals, Independent Power Producers, and ISO/RTO Worked together for 3 years Monthly face-to-face meetings, several interim conference calls and multiple webinars/workshops Worked through 3 successful ballots 4

CIP-002-4 Overview Version 4 of the CIP Standards Approved by Industry December 30, 2010 Submitted to FERC February 10, 2011 2,232 page filing http://www.nerc.com/files/final_final_cip_v4_petition_2011021 0.pdf Filing included CIP-002-4 through CIP-009-4, but only changes in CIP-002-4 5

CIP-002-4 Overview (cont.) Replaces risk-based assessment methodology with bright-line criteria Still maintains the concept of Critical Asset and Critical Cyber Asset Uniform application across all entities and regions Eliminates subjectivity by entities over what is critical 17 defined criteria To the greatest extent possible, bright line criteria tied to operational standards 6

CIP-002-4 Applicability 4.2. The following are exempt from Standard CIP-002-4: 4.2.1 Facilities regulated by the Canadian Nuclear Safety Commission. 4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. 4.2.3 Cyber Assets associated with Cyber Security Plans submitted to and verified by the U. S. Nuclear Regulatory Commission pursuant to 10 C.F.R. Section 73.54. 7

CIP-002-4 Effective Date Effective Date: The first day of the eighth calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required) 8

CIP-002-4 Requirement R1 R1. Critical Asset Identification The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 Critical Asset Criteria. The Responsible Entity shall update this list as necessary, and review it at least annually. 9

CIP-002-4 Requirement R2 R2. Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The Responsible Entity shall update this list as necessary, and review it at least annually. For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed Attachment 1, criterion 1.1 10

CIP-002-4 Requirement R3 R3. Annual Approval The senior manager or delegate(s) shall approve annually the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1 and R2 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s) s approval of the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null.) 11

Remote Access UA Implements requirements on Cyber Assets used for monitoring or support of Critical Cyber Assets when communication is initiated from outside an Electronic Security Perimeter i.e., remote laptop or desktop systems accessing Critical Cyber Assets, but not for the purpose of control Remote access for the purpose of control is the subject of CAN-0005 Development now integrated into CIP Version 5 12

CIP V5 The Drafting Team continues to work to address the remaining issues in Order 706 Using the CIP-002 to CIP-009 + organization Monthly meetings and many conference calls Initial ballot by December 2011 The Drafting Team developed a set of development goals 13

Development Goals Goal 1: To address the remaining Requirements-related directives from all CIP related FERC orders, all approved interpretations, and CAN topics within applicable existing requirements. Goal 2: To develop consistent identification criteria of BES Cyber Systems and application of cyber security requirements that are appropriate for the risk presented to the BES. Goal 3: To provide guidance and context for each Standard Requirement Goal 4: To leverage current stakeholder investments used for complying with existing CIP requirements. Goal 5: To minimize technical feasibility exceptions. Goal 6: To develop requirements that foster a culture of security and due diligence in the industry to complement a culture of compliance. Goal 7: To develop a realistic and comprehensible implementation plan for the industry. 14

Levels of impact High Impact Large Control Centers CIP-003 through 009+ Medium Impact Generation and Transmission Other Control Centers Similar to CIP-003 to 009 v4 All other BES Cyber Systems Security Policy Security Awareness Incident Response Boundary Protection 15

Example Format 16

Requirement Filters Why are we doing this? What do we hope to accomplish? What security concept are we trying to implement? If these questions cannot be answered, is the requirement necessary? Is it absolutely necessary to be done only this way to protect the BES? Are there other ways of accomplishing this requirement? If so, the requirement may be too specific. Is the timeframe arbitrary? Is the desired outcome clear and unambiguous? Can the measure clarify the desired outcome? 17

Questions?

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback