Agenda Critical Infrastructure Protection Committee March 4, 2014 | 1:00–5:00 p.m. (CST) March 5, 2014 | 8:00 a.m.–Noon (CST)

Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO 63102 (314) 655-1234

CIP Technical Workshop Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO 63102 March 4, 2014 | 7:30 a.m.–Noon (CST) Room: Park View

Critical Infrastructure Protection Committee Meeting Hyatt Regency at the Arch CIPC Working Lunch: Regency AB | March 4, 2014 | Noon–1:00 p.m. (CST) March 4, 2014 | 1:00–5:00 p.m. (CST) March 5, 2014 | 8:00 a.m.–Noon (CST) Room: Regency EF

Welcome and Introductions – Chair Chuck Abell

NERC Antitrust Compliance Guidelines and Public Meeting Announcement

Agenda

1. Remarks by Ms. Maureen Borkowski – Chairman, President, and CEO, Ameren Transmission Co.

2. Administrative – CIPC Secretary Bob Canada

a. Safety Briefing and Emergency Precautions – Hyatt at the Arch Staff

b. Declaration of Quorum

c. CIPC Roster – Page 13

d. Parliamentary Procedures – In the absence of specific provisions in the CIPC charter, the Committee shall conduct its meetings guided by the most recent edition of Robert’s Rules of Order, Newly Revised.

e. Introductions

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 2

3. Consent Agenda – Chair Chuck Abell

a. December 10-11, 2013 Draft Minutes for CIPC Approval

b. March CIPC Agenda

c. Committee Membership Appointments and Changes: TRE David Grubbs City of Garland Operations TRE Jim Brenton ERCOT Cyber TRE Darrell Klimitcheck STEC Physical FRCC Paul McClay TECO Cyber FRCC Carter Manucy Fla Municipal Physical FRCC Joe Garmon Seminole Operations MRO Marc Child Great River Cyber MRO Paul Crist LES Physical MRO Vacant TBD Operations NPCC John Galloway ISO-NE Operations NPCC Greg Goodrich NYISO Cyber NPCC Vacant TBD Physical RFC Larry Bugh RFC Cyber RFC Kent Kujala Detroit Operations RFC Jeff Fuller DPL Physical SERC Chuck Abell Ameren Cyber SERC Vacant TBD Operations SERC Tommy Clark SMEPA Physical SPP John Breckenridge KCPL Physical SPP Allen Klassen Westar Operations SPP Robert McClanahan AECC Cyber WECC Allen Wick Tri-State Physical WECC Mike Mertz PNM Cyber WECC Jamey Sample PGE Operations APPA David Godfrey TMPA Physical APPA Nathan Mitchell APPA Policy CEA Chris McColm Manitoba Physical CEA Ross Johnson Capital Power Physical CEA David Dunn IESO Policy NRECA Robert Richhart Hoosier Policy NRECA David Revill Georgia Trans Policy

4. Chair’s Remarks – Chair Chuck Abell

a. NERC Meetings Update and Other Items of CIPC Interest

5. CIPC Nominations Subcommittee Report – Chair Robert McClanahan

a. Recommendation for Subject Matter Expert (SME) member to replace Carl Eng on the CIPC Executive Committee

b. Election of an SME to CIPC Executive Committee

6. CID Director Remarks – Matt Blizard, Director of Critical Infrastructure Protection

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 3

7. ES-ISAC Update and Cyber Risk Preparedness Assessment (CRPA) Program Update – Matt Light, NERC Staff

8. CIP Transition Update – Tobias Whitney, NERC Staff

9. Version 5 Revisions Drafting Team Activities – Ryan Stewart and Marisa Hecht, NERC Staff

10. 2014 Sufficiency Review Program and Directions – Scott Mix, NERC Staff

11. Executive Order and Presidential Policy Directive Update – Laura Brown, NERC Staff

12. RISC Update and Reliability Risk Control Process – Jim Brenton, CIPC Representative to RISC

13. Legislative Update – Nathan Mitchell, American Public Power Association

14. Subcommittee Chairs, Subgroups, Progress, and Remarks – Chair Chuck Abell

15. Operating Security Subcommittee – Subcommittee Chair Jim Brenton

a. Electricity Sector Information Sharing Task Force (ESISTF) – Chair Stephen Diebold will report on activities, second phase, and outreach efforts.

ESISTF Charter

ESISTF Report: Approved by CIPC – June 11, 2013 Accepted by ESCC – July 11, 2013 Accepted by NERC BOT – August 15, 2013

b. Grid Exercise Working Group (GEWG) – Chair Tim Conway

GEWG Charter

Briefing on GridEx II Report – Bill Lawrence, NERC Staff

16. Policy Subcommittee – Subcommittee Chair Nathan Mitchell

a. Personnel Security Clearance Task Force (PSCTF) – Chair Nathan Mitchell will report on the

progress of the work completed and contemplated.

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 4

Recommendation #3: Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process. Next step includes ES-ISAC process development collaboration with the PSCTF.

PSCTF Charter

PSCTF Report: Approved by CIPC – June 11, 2013 Accepted by ESCC – July 11, 2013 Accepted by NERC BOT – August 15, 2013

b. Bulk Electric System Security Metrics Working Group (BESSMWG) – Chair James Sample will report on the progress of work completed and contemplated.

BESSMWG Charter

BESSMWG Report – was endorsed by CIPC June 11, 2013.

c. Compliance Enforcement and Input Working Group (CEIWG) – Chair Paul Crist will report on the progress of the work completed and contemplated.

CEIWG Charter

17. Cyber Security Subcommittee – Subcommittee Chair Marc Child

a. RISC Technical Project and CSSWG Update – Marc Child will report on the review for the RISC.

b. Cyber Attack Tree Task Force (CATTF) – Chair Mark Engels will report on the progress of the work

completed and contemplated.

CATTF Charter

c. Cyber Security Analysis Working Group (CSAWG) – Chair Eric Warakomski will report on the progress of the work completed and contemplated.

CSAWG Charter

18. Physical Security Subcommittee – Subcommittee Chair David Grubbs

a. Electricity Sector: Physical Response Guideline Task Force (PSGTF) – Chair John Breckenridge

PSGTF Charter

Electricity Sector: Physical Security Response Guideline – CIPC approved by email ballot on October 25, 2013.

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 5

b. Physical Security Working Group (PSWG) – Chair Ross Johnson will report on the progress of work completed and contemplated.

PSWG Charter

c. Security Training Working Group (STWG) – Chair William Whitney III will report on progress of work completed and contemplated.

STWG Charter

19. Cybersecurity Procurement Language Update for Energy Delivery Systems – Ed Goff, Duke

20. North American Transmission Forum (NATF)

a. Security Practices Group Activity Update – Wayne VanOsdol, Program Manager

21. Agency Updates

a. Federal Energy Regulatory Commission (FERC) – Cathy Eade, Office of Energy Infrastructure Security

b. Department of Homeland Security (DHS) – Richard Alt, Sector Outreach and Programs

c. Department of Energy (DOE) – Ken Friedman, Senior Policy Advisor

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 6

22. 2014 Schedule of Important Dates:

23. Closing Remarks and Action Items

24. Adjournment

Dates Time Type Location Hotel

April 3, 2014 April 4, 2014

8:00 a.m.–5:00 p.m. (EST)

8:00 a.m.–Noon (EST)

Energy Sector Classified Briefing

DOE HQ 1000 Independence

Ave, SW Washington, DC

Per your travel arrangements

June 10, 2014 7:30 a.m.–Noon (EDT) CIPC Physical Security

Workshop

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

June 10, 2014 1:00–5:00 p.m. (EDT) CIPC Meeting

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

June 11, 2014 8:00 a.m.–Noon (EDT) CIPC Meeting

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

September 16, 2014 7:30 a.m.–Noon CIPC Cyber Security

Workshop

Vancouver BC, Canada TBD

September 16, 2014 1:00–5:00 p.m. CIPC Meeting Vancouver BC,

Canada TBD

September 17, 2014 8:00 a.m.–Noon CIPC Meeting Vancouver BC,

Canada TBD

September 17, 2014 September 18, 2014

Noon – 5:00 p.m. 8:00 a.m. – Noon

CIPC EC Annual Planning Meeting

Vancouver BC, Canada

TBD

October 14-16, 2014 8:00 a.m.–5:00 p.m. GridSecCon 2014 San Antonio, Texas

Hyatt Regency San Antonio Riverwalk 123 Losoya Street

San Antonio, Texas 78205

December 9, 2014 8:00 a.m.–Noon (EST)

Energy Sector Classified Briefing

(No CIPC Workshop)

Atlanta, GA TBD

December 9, 2014 1:00–5:00 p.m. (EST) CIPC Meeting Atlanta, GA TBD

December 10, 2014 8:00 a.m.–Noon (EST) CIPC Meeting Atlanta, GA TBD

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) Analysis of the RISC nomination for digital certificate management (Venafi, Inc – 7/29/2013) February 1, 2014 Background In July 2013, technology vendor Venafi, Inc submitted to the Reliability Issues Steering Committee a Reliablity Issues Nomination Form related to the use of digital keys and digital certificates. These technologies are used by machines as a trust mechanism to ensure privacy and non-repudiation of data passed between them. The basis of their concerns (discussed in the Technical Details below) is that poorly managed or implemented digital keys introduce risk to the bulk electric system, and Venafi’s recommendations are to make specific language changes in the CIP version 5 standards to include requirements for full life-cycle management of keys, and digital certificate security. In its NOPR for CIP version 5, FERC sought comments as to whether “…the adoption of communications security protections, such as cryptography and protections for non-routable protocol, would improve the CIP Standards…”. (Ref: Docket No. RM13-5-000, page 116). In response, the Commission received comments from vendors (including Venafi) and others that supported the inclusion of such cryptography requirements; while multiple other organizations such as trade groups and individual utilities disagreed, stating “…the deployment of cryptographic protocols may: (1) prohibitively increase latency in communications; (2) obfuscate data needed for testing and problem diagnosis; and (3) introduce communication errors from complex key management across organizations.” (Ref: Docket No. RM13-5-000, page 116). Version 5 of the NERC CIP standards was approved by FERC in late November 2013, and, while the Final Rule (Order 791) included directives to strengthen the physical protection of communications networks, it did not include any specific instructions for NERC to introduce cryptography requirements into the CIP standards.

Recommendations On behalf of the NERC Critical Infrastructure Protection Committee (CIPC), the Control Systems Security Working Group (CSSWG) reviewed the Venafi nomination form for technical accuracy and evaluated the merits of their recommendations.

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 2

Specifically CSSWG reviewed the FERC NOPR and Final Rule for the CIP version 5 reliability standards, and examined the scope of the newly-formed Order 791 standards drafting team. Finally, the CSSWG contacted the Events Analysis team at NERC to study incidents related to Bulk Electric System outages where digital certificates may have been a contributing factor. The CSSWG found:

There have been no Energy Management System (EMS) outages reported to NERC where digital certicates or digital keys were deemed to be a causal or contributing factor.

Venafi is correct in stating that entities may have a higher susceptibility to intrusions due to poorly managed keys and certificates. However, poor engineering or poor implementation of technology cannot (and should not be in the opinion of the CSSWG) mitigated through the NERC standards process by use of prescriptive controls. The CIP standards, in particular, focus on ‘what’ should be protected and not ‘how’.

The CIPC committee has long recognized the value in providing utilities best practice guidance in the form of technical guidelines published on the ES-ISAC website. Technical subjects such as ‘Connectivity to Business Networks’, ‘Identity and Access Management’, ‘Intrusion Detection’, and ‘Firewalls’ – security topics categorically similar to digital certificate management – are areas where the committee has provided guidance and technical resources to help entities design effective solutions and avoid the risk of poorly designed or incomplete security implementations.

The CSSWG recommends:

Short of any regulatory directives by FERC, no additional modifications to the CIP version 5 standards is planned that would include specific technical requirements for digital certicate management.

The CIPC committee should direct the CSSWG to develop a guideline for digital certificate management and encryption to assist entities in choosing and implementing such technologies in a manner consistent with BES reliability.

The RISC committee committee shall thank Venafi, Inc as the author of the RISC Nomination Form for volunteering their expert knowledge and bringing this issue to the attention of NERC.

Technical Details

In response to the four specific recommendations & comments made by Venafi, the CSSWG offers the following technical feedback. Comment #1 CIP Version 5 & FERC NOPR: The use of encryption alone is inadequate to provide secure and trusted data communications. Within the proposed CIP version 5 standards, there are multiple references to authenticated, secure, or encrypted data communications but fall short of clearly prescribing the adoption of communications security protections. FERC's suggestion for the use of cryptography for

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 3

encryption should not only be mandatory but should also include provisions for the management of the encryption assets known as keys and certificates. Many organizations - both inside and outside of the bulk electric system - have adopted encryption to secure and trust data communications but are still susceptible to intrusions and attacks due to the theft of poorly managed keys and certificates. The threat posed by the theft of these trust assets is increasing exponentially; if the intruder is trusted, the security defenses in place will be ineffectual to attack or theft. We propose that encryption and the management of authentication/encryption assets to secure data communications be made a part of the CIP version 5 standards.

The CSSWG agrees with the statement in general, although we’re not as convinced that encryption is adopted in the control systems world as much as was suggested. In our opinion there is still a great deal of misunderstanding about what an IPsec tunnel can and can not do. There is a very great appeal to the use of digital certificates to manage machine to machine (and human to machine) connections. There is general perception that rolling out a large certificate based system is not for the faint of heart. For smaller entities especially, this is a very large technical step to take and requires a great deal of subject matter expertise to get it right. It would be advisable for entities wishing to embark on such a project to visit some companies who are using certificates based encryption and see how well it was rolled out. It would also be equally helpful to visit a company that abandoned the effort as well.

Comment #2 CIP-002-5: Certificate Authorities are incorrectly identified as an example of an authentication server under the definition of an Electronic Access Control or Monitoring Systems (EACMS). A Certificate Authority is not in itself an authentication server but is an integral part of a Public Key Infrastructure (PKI). A Certificate Authority (CA) does not provide active authentication, rather it relies on components of the PKI such as Certificate Revocation Lists (CRL), Online Certificate Status Protocol responders (OCSP) to validate/authenticate trust. CA's issue Root Certificates that are part of a “trust store” to ensure the validity of the trust chain provides authentication. As it serves as the basis to ensure the integrity of the authentication functions of keys and certificates, we propose that PKI be included as a separate category example of an EACMS. Our proposed language is more precise to what we interpret as the intent of the inclusion of Certificate Authorities in the EACMS examples: “Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, LDAP Servers), Public Key Infrastructure technologies such as but not limited to (Certificate Authorities, OCSP Responders, CRLs, Registration Authorities, certificates, RSA and DSA keys, self signed certificates, CRLs and Trust Stores)”.

Agree with the knowledge that there is OCSP already and to our knowledge it is considered a best practice and should be encouraged, but this suggestion crosses over into the ‘how’.

Comment #3 CIP-002-5: Without the expansion of the EACMS definition to include PKI, the BES lowers its availability/reliability and adds significant risk to the ability to prevent or respond to a key/ certificate incident. An unavailable, degraded, or misused unmanaged key or certificate in the BES would not be remediated within 15 minutes of the compromise or outage. Venafi's extensive experience in this field indicates that in unmanaged environments with manual processes, the average recovery time to (a) diagnose the issue; (b) request a new certificate; and (c) approve and install is typically two to four hours. We believe that there is intent in the proposed CIP version 5 standards to prevent key and certificate

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 4

incidents from having a negative impact on the availability/reliability of the BES. To prevent this from being overlooked, we again propose specific language be added to include PKI as an example of EACMS.

There are certainly safety and reliability concerns about keeping a process control or SCADA system up at all costs, and the entity choosing to use a PKI will need to determine what to do if and when a cert is untrusted or becomes untrusted. This must be accounted for in the functional design of the system.

Comment #4 CIP-007-5: By limiting the focus to human interaction/authentication with cyber systems, the System Access Controls fail to account for, or place controls on, the majority authentication credentials (machine-to-machine) used in the BES. In this context, authentication falls into user credentials (User ID/Password, One-Time Password (OTP), smartcards and tokens) and machine credentials (the most common form of which are keys and certificates). Within the bulk electric system, machine credentials are used far more often to authenticate than user credentials and the gulf between the two continues to grow wider. By focusing only on User ID/Password credentials for humans, the proposed CIP version 5 standards do not adequately protect the majority of the authentication credentials or the auditability of all access within the bulk electrical system. We propose that “CIP-007-5 Table R5 - System Access Control” be expanded to include the active management of keys and certificate credentials in line with User ID/Password credentials. Machine-to-machine credentials are important, but considering current intrusion/infection scenarios, are arguably not the most urgent problem to be addressed by NERC CIP controls. The current standard's concentration on human accounts, authentication, and remote access sets proper and realistic goals. The entity has the ultimate authority to design and implement the level and type of encryption and authorization levels to mitigate the risks identified in their own risk management programs.