“Approach To Compliance”

NERC CIP-014 Physical Security
Richard Hyatt, Corporate Security Professional
“Similar slide-deck presented at WECC and NERC’s CIPC”

Contains No Proprietary or Sensitive Information

Posted on 15-Aug-2015

Disclaimer

Due to unfortunate acts of sabotage in our industry on unmanned EHV substations, we are no longer just concerned with breaches into our substations for copper theft.

The purpose of this presentation is to discuss my mindset and approach to achieving compliance with this new developing standard.

Disclaimer: Conducting a TVA and the subsequent Physical Security Implementation Plan in this fashion is an ongoing process, and I understand there are many other methodologies to consider.

This presentation reflects industry best practices, input from various security professionals, and my own personal interpretation of the NERC CIP 014 standard.

Opportunity

What is CIP 014?

•  A new 36-page standard for Physical Security that addresses mitigating or eliminating the effects of a physical attack on:
   –  Transmission Stations
   –  Transmission Substations
   –  Primary Control Centers

•  Created as a result of intense public scrutiny and negative media exposure of the Metcalf incident (WSJ & Senate)

•  (6) Requirements and (18) Sub-Requirements
   –  R1 = Applicability and Risk Assessment
   –  R2 = Unaffiliated Review
   –  R3 = Control Center Notification
   –  R4 = Threat & Vulnerability Assessment
   –  R5 = Security Plan
   –  R6 = Unaffiliated Review

[Diagram: Security and Transmission Planner]

My Initial Approach – Get Ahead!

•  Concentrate and focus on the portion of the standard that applies to Physical Security (R4, R5, & R6)

•  Reach out to numerous internal departments to discuss substation hardening, garner cooperation, and increase awareness (assemble a task force)

•  Research various TVA methodologies
   –  CARVER method was my first choice (military-centric)
   –  Found available training via Security Management International
   –  Arranged a training date for an SME to do in-house training for 3 days

•  Research the Metcalf Substation Incident
   –  Attended DOE and DHS briefings
   –  Attended WECC-sponsored events (PSWG)
   –  Formed professional work relationships with PG&E
   –  Regional collaboration among security professionals – feedback

Selling Security – Objectives

•  Demonstrate Value to the Organization
   –  Utilize strengths and expertise of the current team
   –  Opportunity to learn more about substations
   –  Build relationships with various business units
   –  Save $$$ on outside consultants to do TVAs
   –  ROI using in-house staff (savings $35k/site)
   –  Physical Security is just as important as Cyber……
   –  Professional pride in developing a needed skill

•  Physical Security & Substation Hardening Goals
   –  Increase security awareness among all employees
   –  Direct future design changes for new construction
   –  Opportunity for SMEs to work closely with Security
   –  Elevate Security’s image with Senior Management
   –  Budget justification for a possible rate case

Develop a TVA Team

•  The TVA Team needs to be composed of diversified Security Professionals with extensive experience and backgrounds in law enforcement, military, facilities, physical security, and security management.

•  If the team has no formal experience conducting a Threat Vulnerability Assessment, use all of their acquired skills in investigation, report writing, case preparation, intelligence gathering, tactical knowledge, surveillance, and physical security as a starting point.

•  The team can become students by working hard to develop a knowledge base through formal training. Practice and going through the process will make the team better on every TVA.

Now The Fun……

•  Schedule Training
   –  Allocate approximately $1500/head
   –  Clear the calendar for 3-4 days for security team members

•  Formal Training on CARVER
   –  2 days of classroom, videos & report components
   –  1-2 days in the field doing a mock TVA
   –  Pressure test: put together a presentation from A to Z
   –  Great & knowledgeable instructor: Leo Labaj
   –  Useful template
   –  Fantastic charts that have built-in formulas
   –  Numerous examples of TVA report-writing formats
   –  Give the team assignments to complete numerous TVAs

Why CARVER?

•  Criticality – Single points of failure and degree of importance to the system operations.

•  Accessibility – Ease of access to critical assets

•  Recoverability – The time and effort to recover system operations after loss.

•  Vulnerability – The level of exposure to attack based on adversary capability.

•  Effect – Magnitude of adverse consequences resulting from the loss of the asset.

•  Recognizability – Likelihood that an adversary would recognize an asset as critical.

CARVER can be used from an offensive (what to attack) or defensive (what to protect) perspective.
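As an added example (not from the deck or its CARVER training materials), the following scores a few constructed substation assets on the six CARVER factors and ranks them defensively, highest total first, so the top of the list is what to protect first. The 1-to-10 scale per factor and the plain summation are assumptions of this example; the deck's own charts and formulas are not reproduced.

```python
from dataclasses import dataclass

# The six CARVER factors from the slide, each scored 1 (low) to 10 (high).
# Assumption of this example: a 1-10 scale with a simple sum as the total.
FACTORS = ("criticality", "accessibility", "recoverability",
           "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class CarverScore:
    asset: str
    criticality: int
    accessibility: int
    recoverability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self) -> None:
        # Reject out-of-range scores so a typo cannot silently skew the ranking.
        for name in FACTORS:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.asset}: {name}={value} outside 1-10")

    def total(self) -> int:
        return sum(getattr(self, name) for name in FACTORS)

    def dominant_factor(self) -> str:
        # The factor driving the score; ties resolve in CARVER order.
        return max(FACTORS, key=lambda name: getattr(self, name))


def rank_for_protection(scores):
    """Defensive use of CARVER: highest total first, asset name breaks ties."""
    return sorted(scores, key=lambda s: (-s.total(), s.asset))


# Constructed sample assets for an EHV substation (illustrative numbers only).
SAMPLE_ASSETS = [
    CarverScore("500kV transformer", 10, 6, 9, 7, 9, 8),
    CarverScore("control house", 8, 5, 4, 6, 7, 5),
    CarverScore("perimeter fence", 3, 9, 2, 8, 3, 9),
]

if __name__ == "__main__":
    for s in rank_for_protection(SAMPLE_ASSETS):
        print(f"{s.asset:18} total={s.total():2} driver={s.dominant_factor()}")
```

The dominant factor points at which kind of measure to consider first; for instance, a high Accessibility score argues for delay measures before anything else.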

Now the Reality….

•  Compile all of the data
   –  Edit your report – ongoing process
   –  Constant refinement when getting feedback
   –  Multiple field visits to verify information

•  Verify Information
   –  Different SMEs will contradict the same information
   –  Obtain consensus on costs and downtime

•  Get in Front of Senior Executives
   –  Opportunity to sell security
   –  Opportunity to show value
   –  Opportunity to lead a company initiative (Task Force)
   –  Opportunity to improve, enhance, and elevate our profile
   –  Justification for budget funding to “Harden Subs”

Covering Requirement R4 - TVA

•  R4.1 – Unique Characteristics
   –  Define Security Profile & Site Overview
   –  Identify Critical Assets as Potential Targets

•  R4.2 – Security History & Past Events
   –  Document incidents including regional events
   –  Design Based Threats & Analysis
   –  Threat Spectrum and Adversary Paths & Profiles

•  R4.3 – Threats & Intelligence
   –  Proactive monitoring – antenna up
   –  Strong local LE networking
   –  Industry & regional contacts
   –  ES-ISAC briefings & notifications
   –  DHS Tripwire portal
   –  FBI InfraGard & Fusion Centers

TVA Process – Starting Point

•  Field Visits……Go into “Bad Guy” mode
   –  Compile information & photographs
   –  Identify areas outside of substations
   –  Red Cell the current security measures in place
   –  Assessment of current security systems (CCTV & Alarms)

•  Team & SME discussions…Numerous What-Ifs
   –  Methods of Attack
   –  Paths & Line of Sight
   –  Adversary Profiles
   –  What’s critical in the substation?
   –  How would we damage the substation?
   –  How much does this equipment cost?
   –  What happens if the substation goes down?
   –  How long will it take to get back online?
   –  How much $$$$ Lost Revenue/Costs/Expenses/Repairs?

Four Phases of the TVA

Design Based Threats – The How

Crime Overview & Incident Profile

Threat Spectrum – Types

R5.1 – Resiliency & Measures

•  Concentrate on a balance of resiliency and upgraded Physical Security measures:
   –  Inventory & Spare Parts – reduce downtime & quick restoral
   –  Update ALL Emergency Response Plans
   –  Build Stronger Mutual Aid Agreements

•  Request Substation Engineering to develop:
   –  Ballistic Shielding around transformers
   –  Use of enhanced fencing – anti-climb/anti-cut
   –  Lighting – remote and motion activated

•  Holistic Security Systems Approach:
   –  Deter: CCTV & extended perimeter signage
   –  Detect: CCTV Video Analytics & IDS
   –  Delay: Barriers, Fences, Supermaze, Ultra Barrier
   –  Assess: HD Day/Night CCTV, Patrols, Video Management
   –  Response: Security, Armed Operators, & LE

R5.2 - Law Enforcement

•  Recommend:
   –  Conduct tours of substations for every agency and numerous LEOs
   –  Distribute sabotage & substation information and consider awareness flyers to issue to all agencies
   –  Outreach: deliver a presentation at various LE agencies about your EHV substations to discuss the Metcalf incident
   –  Provide addresses & GPS coordinates to the 911 CAD system to identify your substations as “Critical Infrastructure”

•  Develop and enhance a working relationship with DHS and local FBI for incident response
   –  Previous incidents you may have had…….
   –  Frequent communication & interaction
   –  Information exchange & be proactive
   –  Host meetings & sponsor lunch/learn tours

R5.3 – Physical Security Plan

•  System priorities – What Do You Upgrade First?
   –  Video Management System – increase & manage bandwidth
   –  Thermal CCTV capabilities tied to IDS
   –  Surveillance detection capabilities beyond our fence line

•  Product Selection & Review
   –  Budget conscious $$
   –  Field test before purchasing
   –  Integrate with the existing platform??

•  SOWs and RFPs:
   –  Vendor Selection – procurement process
   –  Project documentation – including Red Cell pen tests afterwards
   –  Target projects with budgetary considerations
   –  Project Management to stay on schedule

R5.4 – Evaluation of Threats & Measures

•  Work closely within the security industry and other departments to monitor all threats that occur in the region as well as within the organization.

•  Respond to incidents at all facilities, and identify potential insider threats due to terminations or social engineering.

•  System Tests and Site Visits (Red Cell/Pen Tests)

Deliverables – Detailed Report

1.  Critical Assets Identified
2.  Threats Identified
3.  Vulnerabilities Addressed
4.  Compliant Implementation Plan

R6 – Unaffiliated Third Party

•  NERC’s Physical Security Standards Working Group has created formal guidelines for entities seeking assistance on meeting compliance for R4, R5, & R6

•  Compliance Tips:
   –  Work closely with your Transmission Planner
   –  Stay on top of the timeline for compliance due dates
   –  Anticipate sites and start the TVA process early
   –  Be active in the industry (work hard to network)
   –  Join various working groups for Physical Security
   –  Get involved with NERC’s CIPC and ES-ISAC
   –  Network and join the Coordinating Councils in your region
   –  Get to know your DHS Protective Security Advisor
   –  Become active in ASIS International

Questions?

Richard G. Hyatt, PCI Corporate Security Professional

[email protected] 520-906-5341