PowerPoint presentation by Michael Espinoza (SDG&E) on the NERC CIP Cyber Security Standards

Posted 31-Dec-2015 (upload: chiquita-lane)

TRANSCRIPT

Michael Espinoza

• BS Information Systems – University of Redlands

• AS Electronic Technology

• Project Management Certification Program – UCSD

• 22 Years SDG&E

• Sr EMS Hardware Analyst

• EMS Hardware Supervisor

• Infra Project Technical Lead

Agenda

• Purpose

• NERC CIP Standards

• Standards

• Goals/Challenges

• Establishing Project Direction

• Project Roadmap

• Communication is Essential

• Feedback

• Disclaimer – This presentation represents my own personal interpretation.

Purpose of CIP Cyber Security Standards

• Ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.

North American Electric Systems Overview

NERC is made up of eight regions that oversee the reliability and operation of the Bulk Electric System.

> All electric generation and transmission agencies report to one of these regions.

SDG&E reports to WECC (the Western Electricity Coordinating Council), the regional entity for the Western Interconnection.

> All registered entities in each region must comply with the NERC CIP-002 through CIP-009 Standards.

NERC CIP Cyber Security Standards (8 standards)

CIP-002  Critical Cyber Asset Identification
CIP-003  Security Management Controls
CIP-004  Personnel & Training
CIP-005  Electronic Security Perimeters
CIP-006  Physical Security of Critical Cyber Assets
CIP-007  Systems Security Management
CIP-008  Incident Reporting and Response Planning
CIP-009  Recovery Plans for Critical Cyber Assets

NERC CIP Cyber Security Requirements

[Chart: number of requirements per standard, CIP-002 through CIP-009; 41 requirements in total]

Audit Preparation - Compliance Levels

Compliant (C) - means the entity meets the full intent of the requirements and is beginning to maintain required "data," "documents," "documentation," "logs," and "records"

Auditably Compliant (AC) - means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12 calendar months of auditable "data," "documents," "documentation," "logs," and "records"

[Timeline on slide: 2009, 2010; the 12 months of auditable records separate the C and AC milestones]

Penalty Matrix* (rows: Violation Risk Factor; columns: Violation Severity Level, each with Low/High range limits)

VRF      Lower               Moderate             High                  Severe
         Low      High       Low      High        Low       High        Low       High
Lower    $1,000   $3,000     $2,000   $7,500      $3,000    $15,000     $5,000    $25,000
Medium   $2,000   $30,000    $4,000   $100,000    $6,000    $200,000    $10,000   $335,000
High     $4,000   $125,000   $8,000   $300,000    $12,000   $625,000    $20,000   $1,000,000

FERC statutory limit: $1,000,000 per day, per violation

Other limits may apply in Canada

*Matrix undergoing revision

GOAL

• Comply with the new NERC CIP-002 through CIP-009 Cyber Security Standards in advance of the required deadlines

• Obstacles notwithstanding:
  - Significant effort is required
  - Additional funding and/or personnel may be needed

CIP Standards Applicability to the following Functions

• Generator Owner

• Generator Operator

• Transmission Owner

• Transmission Operator

• Load Serving Entity

Project Links - "The Challenge"

[Diagram: each standard, CIP-001 through CIP-009, is linked to the internal organizations that must deliver it (Corporate Security, Information Technology, Grid/Electric Operations, Human Resources, Regulatory, Facilities, Internal Auditing) and to the external bodies the program reports to (WECC, NERC & FERC).]

*The key for success -> Ensure all organizations have the same goal.

Acquire Project Team (PMBOK Guide)

Inputs
1. Enterprise Environmental Factors
2. Organizational Process Assets
3. Roles and Responsibilities
4. Project Organization Charts
5. Staffing Management Plan

Tools & Techniques
1. Pre-assignment
2. Negotiation
3. Acquisition
4. Virtual Teams

Outputs
1. Project Staff Assignments
2. Resource Availability
3. Staffing Management Plan (updates)

NERC CIP Project Pyramid

1. Build Processes - processes supporting NERC CIP-002 through CIP-009 reporting/certification: data, documents, documentation, logs, records
2. Management Approvals - management sign-off
3. Audit Sign Off - audit, attest & report

Conceptual Data Flow Diagram - CIP-004-1 R2, R3, R4
(Concept process example: Grid Operations, Human Resources, Corporate Security, IT)

Employee system(s)
  Process #1 - Employee Training
  Process #3 - Employee Background checks

Non-employee system(s)
  Process #2 - Non-employee Training
  Process #4 - Non-employee Background checks

CCA system
  Process #5 - Hardware cyber access: Cyber Access Specifics, keyed by Employee ID or Name

CXxxx System
  Process #6 - Physical security access: Physical Access Specifics, keyed by Employee ID or Name

Database - master CCA access list, populated from existing worksheets
  FIELDS: Employee ID, Name, Email, Background Check Date, Training Completion Date, Cyber Access Specifics, Physical Access Specifics

QUERIES
  1. Authorized Cyber Accessor
  2. Authorized Unescorted Physical Access
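The data-flow slide above describes a master CCA access list fed by the training, background-check, cyber-access and physical-access processes, plus two queries over it. The following is an added example, not code from the presentation or from SDG&E: a SQLite sketch of that list with the two named queries and the gap check an auditor would ask for under CIP-004-1 R4 (people holding access whose training or background check is missing or stale). The currency windows are my assumptions, parameterized at the top: annual training (as CIP-004-1 R2.2 required) and a background check, the personnel risk assessment, within seven years (as R3.3 required). Table and column names follow the slide's FIELDS box; every row is constructed sample data.

```python
"""Added example (not from the presentation): master CCA access list in SQLite
with the slide's two queries and an access-gap audit check.

Assumptions (mine, not the slide's): TRAINING_WINDOW_DAYS and PRA_WINDOW_DAYS
are the currency windows; all rows below are constructed sample data.
"""
import sqlite3
from datetime import date, timedelta

TRAINING_WINDOW_DAYS = 365      # assumed: annual training (CIP-004-1 R2.2)
PRA_WINDOW_DAYS = 7 * 365       # assumed: background check every seven years (R3.3)
TODAY = date(2009, 6, 30)       # constructed reference date for the sample

SCHEMA = """
CREATE TABLE person          (employee_id TEXT PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE training        (employee_id TEXT, completion_date TEXT);   -- Process #1/#2
CREATE TABLE background_check(employee_id TEXT, check_date TEXT);        -- Process #3/#4
CREATE TABLE cyber_access    (employee_id TEXT, cca_system TEXT, specifics TEXT);  -- Process #5
CREATE TABLE physical_access (employee_id TEXT, area TEXT, specifics TEXT);        -- Process #6
"""

# Constructed sample rows, as if populated "from existing worksheets".
SAMPLE = {
    "person": [("E100", "A. Alvarez", "e100@example.com"),
               ("E101", "B. Brown", "e101@example.com"),
               ("C200", "C. Chen", "c200@example.com"),      # non-employee (contractor)
               ("E102", "D. Diaz", "e102@example.com"),
               ("E103", "E. Evans", "e103@example.com")],
    "training": [("E100", "2009-02-01"),                     # current
                 ("E101", "2008-03-15"),                     # older than one year
                 ("C200", "2009-05-10"),
                 ("E103", "2009-01-05")],                    # E102 has no record at all
    "background_check": [("E100", "2005-01-10"), ("E101", "2007-09-01"),
                         ("C200", "2001-06-01"),             # older than seven years
                         ("E102", "2008-11-20"), ("E103", "2004-03-03")],
    "cyber_access": [("E100", "EMS", "operator console"), ("E101", "EMS", "admin"),
                     ("C200", "EMS", "vendor remote"), ("E102", "EMS", "read-only")],
    "physical_access": [("E100", "Control Center", "24x7"), ("E101", "Control Center", "24x7"),
                        ("E102", "Control Center", "business hours"),
                        ("E103", "Control Center", "24x7")],
}

# Latest training and background-check date per person (NULL when no record).
STATUS_CTE = """
WITH status AS (
  SELECT p.employee_id, p.name,
         MAX(t.completion_date) AS last_training,
         MAX(b.check_date)      AS last_pra
  FROM person p
  LEFT JOIN training t         ON t.employee_id = p.employee_id
  LEFT JOIN background_check b ON b.employee_id = p.employee_id
  GROUP BY p.employee_id, p.name
)
"""


def build_db(sample=SAMPLE):
    """Create an in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in sample.items():          # table names come from our own dict
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def _cutoffs(today):
    """ISO-8601 date strings sort lexicographically, so string comparison is safe."""
    return ((today - timedelta(days=TRAINING_WINDOW_DAYS)).isoformat(),
            (today - timedelta(days=PRA_WINDOW_DAYS)).isoformat())


def authorized(conn, access_table, today=TODAY):
    """Query 1 (cyber_access) / Query 2 (physical_access): people who hold that
    access AND have current training AND a current background check."""
    if access_table not in ("cyber_access", "physical_access"):
        raise ValueError(access_table)
    t_cut, p_cut = _cutoffs(today)
    sql = STATUS_CTE + f"""
    SELECT DISTINCT s.employee_id, s.name
    FROM status s JOIN {access_table} a ON a.employee_id = s.employee_id
    WHERE s.last_training >= ? AND s.last_pra >= ?
    ORDER BY s.employee_id"""
    return conn.execute(sql, (t_cut, p_cut)).fetchall()


def access_gaps(conn, today=TODAY):
    """Audit check: anyone holding cyber or physical access whose training or
    background check is missing or outside its window, with the reasons."""
    t_cut, p_cut = _cutoffs(today)
    sql = STATUS_CTE + """
    SELECT s.employee_id, s.name, s.last_training, s.last_pra
    FROM status s
    WHERE s.employee_id IN (SELECT employee_id FROM cyber_access
                            UNION SELECT employee_id FROM physical_access)
    ORDER BY s.employee_id"""
    gaps = {}
    for emp, _name, last_t, last_p in conn.execute(sql):
        reasons = []
        if last_t is None:
            reasons.append("no training record")
        elif last_t < t_cut:
            reasons.append("training expired")
        if last_p is None:
            reasons.append("no background check record")
        elif last_p < p_cut:
            reasons.append("background check expired")
        if reasons:
            gaps[emp] = reasons
    return gaps


if __name__ == "__main__":
    db = build_db()
    print("Authorized cyber accessors:", authorized(db, "cyber_access"))
    print("Authorized unescorted physical access:", authorized(db, "physical_access"))
    print("Access gaps:", access_gaps(db))
```

The gap query is the one worth running on a schedule: the two "authorized" lists only tell you who passes, while the gap list tells you whose access must be revoked or whose record must be chased before the next quarterly access-list review. Keeping the windows as named constants lets the same queries be re-run when the standard's intervals change.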

Establishing Project Direction

• Develop a master project plan

• Assign qualified members to each internal NERC team

• Use standardized templates for documentation

• Run an ongoing gap analysis to identify redundant and missed processes

Communications - Updates/Feedback

• Executive Updates - Monthly
  - CEO/VP
  - Directors
  - Managers

• Team Feedback
  - Monitor teams for resource requirements
  - Establish monthly goals for Levels of Compliance
  - Review team suggestions

• Utilize Tools/Resources
  - Consultants, WICF (Western Interconnection Compliance Forum), Common Data site (SharePoint), Ticklers

Review

• Purpose

• NERC CIP Standards

• Standards

• Goals/Challenges

• Establishing Project Direction

• Project Roadmap

• Communication is Essential

• Feedback

Feedback