nerc cipc chair report highlights... · nerc presented draft rsaws for cip -002, cip -007, and cip...
TRANSCRIPT
2 RELIABILITY | ACCOUNTABILITY
2014 Efforts & Activities
• Security Technology Awareness Workshop
• CIP-014-1 Physical Security Standard
• CIP V5 “791” Standards Drafting Team
• CIP V5 Transition Program
• Scenario Planning for GridEx III
• Continuation of CRISP Program
• Heartbleed Vulnerability Response
3 RELIABILITY | ACCOUNTABILITY
2014 Efforts & Activities
• Continued EO/PPD Efforts
• David Revill Approved by Board to CIPC EC
• CIPC Executive Committee Annual Planning
• Grid Security Conference 2014
• Reactivation of the CSSWG
• Business Continuity Guideline Task Force
4 RELIABILITY | ACCOUNTABILITY
GridEx II Assignments
Security Training Working Group (w/ ESISTF)
Develop a training module to help individual entities
understand when, how, and what information should
be shared or reported, and how it is used by the
receiving organizations.
5 RELIABILITY | ACCOUNTABILITY
GridEx II Assignments
Control System Security Working Group (CSSWG)
Complete Business Networks Guideline work begun in
2011 by the CSSWG to specifically address separation
of business networks and control networks during an
emergency.
6 RELIABILITY | ACCOUNTABILITY
GridEx II Assignments
Electricity Subsector Information Sharing TF (ESISTF)
While the ES-ISAC has the responsibility for this item,
the ESISTF will assist by providing early input
regarding priorities & options, and help develop
mechanisms to communicate these processes to
stakeholders.
7 RELIABILITY | ACCOUNTABILITY
GridEx II Assignments
Business Continuity Guideline TF
Complete Business Continuity guideline work to
specifically address preservation of forensic data
following a physical or cyber attack.
8 RELIABILITY | ACCOUNTABILITY
CIP Committee Structure
Physical Security Subcommittee(David Grubbs)
Cyber Security Subcommittee
(Marc Child)
Operating Security Subcommittee
(Jim Brenton)
Policy Subcommittee(Nathan Mitchell)
Physical Security WG
(Ross Johnson)
CIPC Executive CommitteeMarc Child Chuck Abell, Chair Melanie SeaderDavid Grubbs Nathan Mitchell, Vice Chair Jack CashinRoss Johnson Jim Brenton, Vice Chair Barry Lawson David Revill Bob Canada, Secretary
Security Training WG
(William Whitney)
Control System Security WG
(Mikhail Flakovich)
Cyber Security AnalysisWG
(Vacant)
ES Information Sharing TF
(Stephen Diebold)
Grid Exercise WG
(Tim Conway)
Cyber Attack Tree TF
(Mark Engels)
BES Security Metrics WG
(James Sample)
Personnel Security Clearance TF
(Nathan Mitchell)
Compliance & Enforcement Input WG
(Paul Crist)
Physical Security Guidelines
WG(John Breckenridge)
Business Continuity Guideline TF
(Darren Meyers)
Critical Infrastructure Protection
Matt Blizard, PEDirector, Critical Infrastructure ProtectionCIPC, OrlandoJune 10th, 2014
2 RELIABILITY | ACCOUNTABILITY
CIP Updates and Activities
• NERC Updates: o ESISAC – (CRISP, CRAPA, Aurora, Threats & Vulnerabilities…)o CIP v5 transition – Effective and Efficient Roll Outo CIP v5 revisions, FERC Order 791o Physical Security – CIP-014-1o Physical Security Managero Security Reliability Program (SRP)o GridEx II Lessons Learned – Distributed Play and Executive Table Topo Executive Order – NIPP, NIST Cybersecurity Frameworko CIPC – Work Groups and Task Forces
• Activities: GridSecCon 14-16 October 2014, Hyatt Regency, San Antonio, Tx GridEx III 18-19 November 2015
CIP Version 5 RevisionsStandard Drafting Team Update
Ryan Stewart, NERC Standards DeveloperJune 11, 2014CIPC
RELIABILITY | ACCOUNTABILITY2
• Overview of FERC Directives• Overview of Development Activities• Overview of Revisions• Identify, Assess, and Correct – struck from 17 Requirements• Low Impact Assets – revised CIP-003• Communication Networks – revised CIP-006 & CIP-007• Transient Devices – revised CIP-004 & CIP-010• Implementation Plan• Next Steps
Agenda
RELIABILITY | ACCOUNTABILITY3
• FERC approved CIP standards in January 2013.• FERC directed NERC to modify certain aspects.
Identify, Assess, and Correct language. Communication Networks. Low Impact assets protections Transient Devices.
• Identify, Assess, and Correct and Communication Networks modifications must be filed at FERC by February 3, 2015.
Overview of FERC Directives
RELIABILITY | ACCOUNTABILITY4
• SDT and observers participated in aggressive development schedule from February to May Ten hours of conference calls per week, including subgroup calls
focused on each directive area Four face-to-face SDT meetings
• Participation from variety of stakeholders ensured that the SDT considered different perspectives from industry, government, and NERC
Overview of Development Activities
RELIABILITY | ACCOUNTABILITY5
• Address all four directive areas by the filing deadline• Outreach crucial during development and during comment
period• Observer engagement critical to success
Key Objectives
RELIABILITY | ACCOUNTABILITY6
• Identify, Assess, Correct language struck from all 17 requirements SDT determined that the requirements should state the performance
expectation and compliance language should be removed
• Substantive requirements remain the same• Violation Severity Levels revised accordingly
Identify, Assess, Correct
RELIABILITY | ACCOUNTABILITY7
• SDT continues coordination with NERC Compliance and Enforcement Staff on supporting documents NERC presented draft RSAWs for CIP-002, CIP-007, and CIP-009 to the
SDT at its last meeting RSAW development team continuing to modify drafts to prepare for
concurrent posting with standards SDT suggested scenarios for NERC to address under RAI FAQ document on IAC and RAI
• NERC staff will offer a more comprehensive view of RAI beyond CIP standards in a June 19 webinar (following SDT webinar)
Identify, Assess, Correct
RELIABILITY | ACCOUNTABILITY8
• SDT posed questions to NERC Enforcement and Compliance regarding Reliability Assurance Initiative (RAI)
• Questions are included in a Frequently Asked Questions document posted as a supplement to the revised standards
• Document focuses on how the RAI will handle high frequency low risk security obligations in the compliance and enforcement domains once IAC is removed
Identify, Assess, Correct
RELIABILITY | ACCOUNTABILITY9
• CIP-003-6 Requirement R2 now in table format SDT kept all requirements applicable to low impact assets in this
requirement Technical areas same as CIP-003-5 passed by industry but with more
specificity to meet FERC directive Proposed requirement language borrowed from existing, FERC- and
industry-approved V5 standards but tailored to low impact
• Parent requirement above table parts is as follows:
Low Impact Assets
RELIABILITY | ACCOUNTABILITY10
• CIP-003-6 Requirement R2 now in table format Part 2.1 – CIP Senior Manager review and approval Part 2.2 – Operational or procedural control(s) to restrict physical access Part 2.3 – Physical access controls at Control Centers Part 2.4 – Electronic access controls Part 2.5 – Cyber Security Incident response plan(s) Part 2.6 – Reinforcing of security awareness
Low Impact Assets
RELIABILITY | ACCOUNTABILITY11
• CIP-006-6 Requirement R1, new Part 1.10 Restrict physical access to cabling and other nonprogrammable
communication components used for connection between applicable Cyber Assets within the same ESP in those instances when such cabling and components are located outside of a PSP.
Where physical access restrictions are not implemented, entity shall document and implement:o Encryption of datao Monitoring the status of the communication link and issuing an alarmo Equally effective logical protection
Applicable to High Impact BES Cyber Systems and PCAs and Medium BES Cyber Systems at Control Centers and PCAs
Communication Networks
RELIABILITY | ACCOUNTABILITY12
• CIP-007-6 Requirement R1, Part 1.2: new applicability and incorporated new glossary term
Communication Networks
RELIABILITY | ACCOUNTABILITY13
• Transient Cyber Asset - A Cyber Asset directly connected for 30 consecutive calendar days or less, to: (1) a BES Cyber Asset, (2) a network within an ESP, or (3) a Protected Cyber Asset. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
• Removable Media - Portable media, connected for 30 consecutive calendar days or less, that can be used to copy, move and/or access data. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. A Cyber Asset is not Removable Media.
• 30-day exemption removed from BES Cyber Asset and Protected Cyber Asset definitions
Transient Devices –New and Modified Definitions
RELIABILITY | ACCOUNTABILITY14
• CIP-004-6 modified Requirement R2, Part 2.1.9 Adds Transient Cyber Assets and Removable Media to cybersecurity
training program requirement
• CIP-010-2 new Requirement R4 4.1- authorize the usage of Transient Cyber Assets prior to initial use 4.2- use method(s) to deter, detect, or prevent malicious code on
Transient Cyber Assets 4.3- use method(s) to detect malicious code on Removable Media 4.4- mitigate the threat of detected malicious code 4.5- update signatures or patterns for methods in 4.2 and 4.3 4.6- evaluate Transient Cyber Assets for deviations 4.7- evaluate Transient Cyber Assets to ensure patches are up-to-date
Transient Devices
RELIABILITY | ACCOUNTABILITY15
• CIP-004-6 – Adds Transient Cyber Assets and Removable Media to cybersecurity training program in Requirement R2, Part 2.1.
• CIP-007-6 – Added clarifying language in guidance for Requirement R3 (malware protection) to remind entities of the Transient Device Protections in CIP-010-2, Requirement R4.
• CIP-011-2 – Added qualifiers to guidance for entities to include Transient Cyber Assets and Removable Media in their information protection programs.
Transient Device Protection –Modification to Other Standards
RELIABILITY | ACCOUNTABILITY16
• Builds from April 1, 2016 effective date of V5• While the standard has an effective date, a compliance date
may differ for Requirements• Do not expect IAC language from V5 to go into effect• The following from V5 implementation remains the same:
Initial performance of certain periodic requirements Previous identity verification Planned or unplanned changes resulting in a higher categorization
Implementation Plan
RELIABILITY | ACCOUNTABILITY17
• For those requirements and parts not listed below, compliance date would be effective date of standard, which is proposed to be later of April 1, 2016 or 3 months following govt. approval.
Implementation Plan
RELIABILITY | ACCOUNTABILITY18
• NERC Standards Committee authorized posting for 45-day comment and ballot on May 30
• Comment period open June 2-July 16• Join the ballot pool from June 2-July 2• Reliability Standards Audit Worksheets (RSAWs) will be posted
by June 17 Not a part of the record for standards development.
• Ballot period open July 7-16 Will use the current ballot and commenting system.
Posting Schedule
RELIABILITY | ACCOUNTABILITY19
• Industry SDT webinar June 19: 1-3pm ET Followed by RAI webinar from 3-5 pm ET
• SDT will consider all comments and make appropriate revisions• SDT meeting week of July 28 in St. Paul, MN• SDT meeting week of August 19 in San Francisco, CA
Next Steps
National Infrastructure Protection Plan (NIPP) UpdatesLaura BrownCritical Infrastructure Protection Committee MeetingJune 10, 2014
RELIABILITY | ACCOUNTABILITY2
NIPP Overview
• The revised NIPP was completed in 2013.• Greater focus on integrating cybersecurity
and physical security efforts.• More closely aligned with national
preparedness efforts.• Increased focus on cross-sector and cross-jurisdictional
coordination.• Integrates information sharing as an essential
component of the risk management framework.• Drives action toward long-term improvement.
RELIABILITY | ACCOUNTABILITY3
Joint National Priorities
• Section 6 “Call to Action” includes setting national focus through jointly developed priorities.
• The Department of Homeland Security (DHS) worked with government and industry to identify priorities and submitted the following: Integrating Cyber and Physical Risk Management Improving Resilience Decision Making Strengthening Risk Management Partnerships to Enhance
National Capacity Executing Enhanced Incident Response and Recovery
RELIABILITY | ACCOUNTABILITY4
Next Steps
• The priorities are generally consistent with the Energy Sector-Specific Plan and Electricity Sub-sector Coordinating Council activities.
• As the Sector-Specific Agency, the Department of Energy submitted comments to DHS on the joint national priorities.
• DHS is holding a meeting Thursday to discuss the latest version of the joint national priorities.
Framework for Improving Critical Infrastructure Cybersecurity
Overview and StatusExecutive Order 13636
“Improving Critical Infrastructure Cybersecurity”
May 2014
• The National Institute of Standards and Technology’s mission is to stimulate innovation, foster industrial competitiveness, and improve the quality of life.
• Role in Cyber security began in 1972 with the development of the Data Encryption Standard – began when commercial sector also has a legitimate need for cryptography, including in ATMs.
• Responsibilities were strengthened through the Computer Security Act of 1987 and reaffirmed through the Federal Information Security Management Act of 2002.
Role of the National Institute of Standards and Technology in Cybersecurity
2
Improving Critical Infrastructure CybersecurityExecutive Order
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber
environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality,
privacy, and civil liberties”
President Barack Obama Executive Order 13636, Feb. 12, 2013
• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work
3
Based on the Executive Order, the Cybersecurity Framework Must...
• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
• Incorporate international voluntary consensus standards and industry best practices to the fullest extent possible
• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
• Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
4
Development of the Cybersecurity Framework
Engage the Framework
Stakeholders
Analyze RFI Responses
Identify Framework Elements
Prepare and Publish
Preliminary Framework
Final Framework
EO 13636 Issued – February 12, 2013NIST Issues RFI – February 26, 20131st Framework Workshop – April 03, 2013
2nd Framework Workshop at CMU – May 29-31, 2013Draft Outline of Preliminary Framework – June 2013
3rd Framework Workshop at UCSD – July 10-12, 2013Discussion Draft of the Preliminary Framework - August 28, 2013
5th Framework Workshop at NCSU –Nov 14-15, 2013Publish Final Framework – February 13, 2014
Ongoing Engagement:
Open public comment and review
encouraged and promoted throughout
the process
4th Framework Workshop at UT Dallas – September 11-13, 2013Publish Preliminary Framework – October 29, 2013
5
Framework ComponentsFramework Core
• Cybersecurity activities common across critical infrastructure sectors and organized around particular outcomes
• Enables communication of cyber risk across an organization
Framework Profile• Aligns industry standards and best practices to a particular
implementation scenario • Supports prioritization and measurement of progress toward the
Target Profile, while factoring in other business needs— including cost-effectiveness and innovation
Framework Implementation Tiers• Describes how cybersecurity risk is managed by an organization• Describes degree to which an organization’s cybersecurity risk
management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)
6
How to Use the Cybersecurity FrameworkThe Framework is designed to complement existing business and cybersecurity operations, and can be used to:
• Understand security status• Establish / Improve a cybersecurity program• Communicate cybersecurity requirements with stakeholders,
including partners and suppliers• Identify opportunities for new or revised standards• Identify tools and technologies to help organizations use the
Framework• Integrate privacy and civil liberties considerations into a
cybersecurity program
What’s Next: Using the Cybersecurity Framework
• Organizations—led by their senior executives—should use the framework now, and provide feedback to NIST
• Industry groups, associations, and non-profits can play key roles in assisting their members to understand and use the framework by:• Building or mapping their organizations’s specific standards,
guidelines, and best practices to the framework• Developing and sharing examples of how organizations are
using the framework
• NIST is committed to helping organizations understand and use the framework
• The Administration will also look at possible incentives and other policy drivers
10
What’s Next: Areas for Development, Alignment, and Collaboration
• The Executive Order calls for the framework to “identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations”
• High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:• Authentication • Automated Indicator Sharing• Conformity Assessment • Cybersecurity Workforce• Data Analytics• Federal Agency Cybersecurity Alignment• International Aspects, Impacts, and Alignment• Supply Chain Risk Management• Technical Privacy Standards
11
Recapping Key Points about the Framework
• It’s a framework, not a prescription• It provides a common language and systematic methodology for
managing cyber risk • It does not tell a company how much cyber risk is tolerable, nor
does it claim to provide “the one and only” formula for cybersecurity
• Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone, and allow for interoperability
• The framework is a living document• It is intended to be updated over time as stakeholders learn from
implementation, and as technology and risks change• Practices, technology, and standards will change over time—
principals will not
12
Where to Learn More and Stay Current
The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at:
http://www.nist.gov/cyberframework
Material on NIST’s work in cybersecurity can be found at: http://csrc.nist.gov
13
“Repeated cyber intrusions into critical infrastructure demonstrate the need for
improved cybersecurity.”
- The White House, Executive Order 13636
o NIST to develop a Cybersecurity Framework
o A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
o A whole of community approach to risk management, security and resilience.
o Joint action by all levels of government and the owners and operators of critical infrastructure
SOLUTION PROPOSED BY EO 13636
The C3 Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.
R O L E O F T H E C R I T I C A L I N F R A S T R U C T U R E C Y B E R C O M M U N I T Y V O L U N T A R Y P R O G R A M
Administration Policies
Cybersecurity Framework
Critical InfrastructureEO 13636 highlights the need for improved cybersecurity among critical infrastructure. PPD-21 calls for efforts to strengthen the physical and cyber security and resilience of our Nation’s critical infrastructure.
Ranging from emergency services and transportation systems to small and medium sized businesses, the U.S. critical infrastructure provides the essential services that underpin American society.
One of the major components of the EO is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk as part of their approach to enterprise risk management.
• Framework implementation guidance
• Focal point for resources and tools
• Relationship management• Feedback collection
OUR ROLE
o Support increasing critical infrastructure cyber resilience
o Increase awareness and use of the Framework
o Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management
GOALS
o Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
o Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
o Coordinating critical infrastructure cross sector efforts to maximize national cybersecurity resilience.
CONVERGING
CONVERGINGC O N V E R G I N G
C O N N E C T I N G
C O O R D I N A T I N G
There are three key activities the program is supporting, which we emphasize as the Three C’s:
• C3 Voluntary Program website offers an overview of the program, downloadable tools, and outreach materials
• Links to the US-CERT C3 Voluntary Program gateway• Existing programs/resources have been aligned with the Framework
Core Function Areas (Identify, Protect, Detect, Respond, Recover)• Broken out by stakeholder type• Demonstrates offerings to support the Framework’s principles
• As they become available, cross sector, private sector, S/L resources will be referenced
CONVERGING RESOURCES
• DHS will support use of the Cybersecurity Framework primarily through the Cyber Resiliency Review (CRR).
• No-cost, voluntary, non-technical assessment to evaluate an organization’s information technology resilience.
• The CRR may be conducted as a self-assessment or in-person. • To date, DHS has conducted more than 330 CRRs at the request of
critical infrastructure entities nationwide. • The inherent principles and recommended practices within the CRR
align closely with the central tenets of the Cybersecurity Framework.
• Analyzes current practices and how they compare to the principles of the Cybersecurity Framework.
CONVERGING RESOURCES, cont.
Government-to-Business▶ Engage each of the sectors
through the CIPAC Framework to establish sector-specific approaches and guidance, utilizing established partnership mechanisms, models, and approaches
▶ Work directly with organizations interested in receiving information about the Framework, resources, and initiatives
Business-to-Business▶ Encourage organizations to
develop use cases or to work with their industry peers and business partners to promote the Framework (the Framework)
Government-to-Government
▶ Federal – Work with Federal departments and agencies to understand use of the Framework
▶ SLTT outreach – Work with state and local governments to promote government use of the Framework and to reach businesses in their localities
CONNECTING STAKEHOLDERS
Phase 1Momentum DevelopmentFebruary 2014 – February 2015
Phase 2Sector Strategy RolloutFebruary 2015 – February 2016
Phase 3
Ongoing Support for Framework Use based on Lessons LearnedFebruary 2016 – Ongoing
COORDINATING EFFORTS
•Contact us at [email protected]•Contact the C3 Voluntary Program to send feedback or for any questions about what resources DHS is offering or how to engage different programs
NEXT STEPS•Get engaged
•The C3 Voluntary Program will be supporting engagement during the coming year•The program will visit sector by sector events, potentially regional events/workshops utilizing our CSAs, and will potentially look into RFIs for broad public engagement
•Visit us at www.dhs.gov/ccubedvp, or www.us-cert.gov/ccubedvp
•Check out the website, download and use the messaging kit, and reach out to the different programs for support•Try out the CRR and reach out to CSEP if you have questions on the methodology or need assistance
Update on RISC Activities
CIPC Meeting June 10/11, 2014
Jim Brenton CIPC RISC MemberPrincipal, Regional Security Coordinator ERCOT – Electric Reliability Council of Texas
2 RELIABILITY | ACCOUNTABILITY
RISC Mission & Purpose*
• Provides a framework for steering, developing, formalizing, and organizing recommendations to help NERC and the industry effectively focus their resources on the critical issues needed to best improve the reliability of the BPS
• Benefits of the RISC include improved efficiency of the NERC standards program. In some cases, that includes recommending reliability solutions other than the development of new or revised standards and offering high-level stakeholder leadership engagement and input on issues that enter the standards process.
* Per the RISC Charter
3 RELIABILITY | ACCOUNTABILITY
RISC Mission & Purpose*
• Triages and provides front-end, high-level leadership and accountability for nominated issues of strategic importance to bulk power system (BPS) reliability
• Assists the Board, NERC standing committees, NERC staff, regulators, Regional Entities, and industry stakeholders in establishing a common understanding of the scope, priority, and goals for the development of solutions to address these issues
* Per the RISC Charter
4 RELIABILITY | ACCOUNTABILITY
Planned RISC Agenda - June 17
• 2015:2017 Reliability Standards Development Plan, RSDP
• Integration of Variable Generation Task Force (IVGTF) report
• State of Reliability 2014 Report• Emerging Trends in the Long Term Reliability
Assessment, LTRA• Committee Reports: Planning, Operations, Critical Infrastructure Protection and
Standards Compliance and Certification Committee
5 RELIABILITY | ACCOUNTABILITY
Gap Analysis – Prioritization Adjustments
• Review/Analysis of different ERO activities
• Assess risk focus areas as HIGH/Medium/Low
• RISC members to evaluate key areas Impact and probability? Priority? Existing Controls? Gaps? How to address gaps?
!
!
6 RELIABILITY | ACCOUNTABILITYRELIABILITY | ACCOUNTABILITY
High Priority Items – Gap Analysis
• Cyber Attack• Workforce Capability and Human Error• Protection Systems• Monitoring and Situational Awareness
7 RELIABILITY | ACCOUNTABILITY
Cyber Attack - High Priority
• NERC CID monitoring current activities and reports to RISC on those efforts, and their support to address this highest priority item.
• NERC CIPC EC met with NERC RISC Staff to review lessons learned from GridEx-2013 into the RISC Priorities and ensure projects support CID activities.
8 RELIABILITY | ACCOUNTABILITY
Other High Priority Gap Analysis
• Analysis/Review to be presented at June 17th RISC Meeting
Workforce Capability and Human Error
Protection Systems
Monitoring and Situational Awareness
9 RELIABILITY | ACCOUNTABILITY
Coordinated Attack - Multiple Facilities
• Medium Priority Item – Coordinated Physical/Cyber Attack
• NERC CID Staff monitors and reports to RISC on their efforts to address this Medium priority item, and what additional efforts (if any) are recommended.
10 RELIABILITY | ACCOUNTABILITY
Other Medium Priority Gap Analysis
• Operational Modeling and Model Inputs• Equipment Maintenance and Management• Generator Availability• Increased dependence on Natural Gas
Generation
11 RELIABILITY | ACCOUNTABILITYRELIABILITY | ACCOUNTABILITY
Low Strategic Focus Areas
• Generation Resource Adequacy• Transmission Right of Way• Geomagnetic Disturbance (GMD)• Long Term Planning and Modeling• Climate Change, Environmental Regs, Changing
Resource Mix due to Environmental or Other Market Conditions, Integration of Variable Gen
12 RELIABILITY | ACCOUNTABILITYRELIABILITY | ACCOUNTABILITY
• Integration of New Technologies• Extreme Weather/Acts of Nature• Demand Response• Localized Physical Attack• Smart Grid• Electro-Magnetic Pulse (EMP)• Post-Recession Demand Growth• Pandemic
Low Strategic Focus Areas
13 RELIABILITY | ACCOUNTABILITY
Future RISC Meetings
• June 17 – Atlanta, GA• July 10 – Conference Call• August 14 – Post-BOT Meeting, Vancouver, BC• Sept 11/12 – Leadership Summit, Washington, DC• October 7 – Conference Call• November 13 – Post-BOT Meeting, Atlanta GA• December 2 – RISC Meeting, Phoenix, AZ
Legislative Update
Critical Infrastructure Protection CommitteeJune 10, 2014
Nathan Mitchell, American Public Power Association
2 RELIABILITY | ACCOUNTABILITY
• Senate Committee on Intelligence Chair Feinstein and vice chair Chambliss trying to restart
companion bill to House approved Cyber Intelligence Sharing and Protection Act (CISPA)
June 6, 2014 letter from trade associations highlighting the ES-ISAC and ESCC as models for information sharing.
Action needs to be taken by August
• No action expected due to the November elections.
Legislative Update
3 RELIABILITY | ACCOUNTABILITY
• American Public Power Association • Canadian Electricity Association • Edison Electric Institute • Electric Power Supply Association • GridWise Alliance • Large Public Power Council • National Association of Regulatory Utility
Commissioners • National Rural Electric Cooperative Association • Nuclear Energy Institute • Transmission Access Policy Study Group
Legislative Update
4 RELIABILITY | ACCOUNTABILITY
• 2015 Defense Authorization Bill awaiting Senate floor action
• Trade associations are having meetings with Senate staff on impact of the bill on electric utilities.
Legislative Update
RELIABILITY | ACCOUNTABILITY2
CIP V5 Transition Program Elements
• A new transition guidance will be provided in Q2
Periodic Guidance
• 6 entities with strong compliance cultures• 6-8 month implementation of V5 for certain facilities• Lessons learned throughout and after study phase
Implementation Study
• Integration with RAI• Identify means and method to address self-corrective processes and internal
controls
Compliance and Enforcement
• Off-site audits will be replace with outreach and training events• June 19 CIP V5 and RAI Webinar• Transition Guidance Webinar in July
Outreach & Communications
• Quarterly training opportunities will be provided to industry
Training
RELIABILITY | ACCOUNTABILITY3
Responsibilities of the ERO (NERC & Regional Entities)• Monitor the cyber security measures used to protect the
reliable operation of the Bulk Electric System (BES)• Recognize the challenges facing Responsible Entities
Establishing compliance with V5 will be an ongoing process No single point in time when they will move from compliance with V3 to
compliance with V5
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY4
Big Picture• The “Effective Date” of V5 was April 1, 2014
Based on the date that V5 Standards were approved by FERC Beginning of the implementation stage/transition period
• The “Compliance Enforcement Date” of V5 is April 1, 2016 Applies to Responsible Entities with High and Medium Impact Cyber
Systems
• Compliance with V3 remains mandatory and enforceable, and will be assessed until the V5 compliance enforcement date V4 is no longer in the picture (that includes use of V4 “bright-line”
criteria for identifying Critical Cyber Assets)
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY5
Mapping the path• Responsible Entities with High and Medium Impact
Cyber Assets need to prepare for April 1, 2016• ERO focus during transition period is not “gotcha”,
but an effective and successful implementation of V5
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY6
Transition Guidance• Draft of next version is currently being vetted• Supersedes previous versions• Provides guidance and flexibility that will allow
Responsible Entities to focus on implementing changes to achieve compliance with V5
• During the transition period, there will be a flexible approach to the evaluation of V3 compliance
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY7
Next version of Transition Guidance• Narrative – similar to content of current version with
explanations, considerations, and recommendations.• Compatibility table – spreadsheet listing V5
requirements that are “Mostly Compatible” with V3 requirements
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY8
Mostly Compatible?• Many V5 requirements are mostly compatible (MC)
with Version 3• In those cases, processes and documents that
demonstrate compliance are not significantly different from V3 to V5
• Requirement numbers may not always align, but the requirements themselves are considered “MC”
• Not necessarily one to one mapping; e.g., CIP-002-3 R4 and CIP-002-5 R2 both address senior manager approval of the asset list
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY9
Mostly Compatible!• As described in the guidance document, V5
compliance to designated requirements can be considered compliance with the “MC” Version 3 requirement
• For V5 requirements with no V3 counterpart, V5 compliance will not be a factor during the transition period
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY10
Similar V3/V5 requirements• CIP-003 – 90%• CIP-004 – 80 to 90%• CIP-005 – 85%• CIP-006 – 85% (Review required for new Assets)• CIP-007 – 80%• CIP-008 – 95%• CIP-009 – 90% (Review required for new Assets)• CIP-010 – 50% (new to V5)• CIP-011 – 50% (new to V5)
CIP V3 – V5 Transition
RELIABILITY | ACCOUNTABILITY11
CIP V3 – V5 Transition Guidance
Narrative1. Introduction2. Background3. Newly Identified BES Cyber Systems4. Compliance during the Transition Period 5. Transition Period Audits6. V5 Implementation Study7. Technical Feasibility Exceptions (TFEs)
RELIABILITY | ACCOUNTABILITY12
CIP V3 – V5 Transition Guidance
Narrative – Section 1. Introduction• Overarching philosophy: apply the appropriate cyber
security measures to protect the reliable operation of the Bulk Electric System (BES).
• Applies to Regional Entities and Responsible Entities• Provides guidance and flexibility for implementing
changes to achieve compliance with V5 without undue concerns regarding compliance status with V3
• Supersedes previous Cyber Security Standards Transition Guidance
RELIABILITY | ACCOUNTABILITY13
CIP V3 – V5 Transition Guidance
Narrative – Section 2. Background• FERC Order 791 was issued on November 22, 2013• Some directives referred to a specially formed
Standards Drafting Team for resolution• Version 4 CIP Reliability Standards (V4) will never be
mandatory and enforceable
RELIABILITY | ACCOUNTABILITY14
CIP V3 – V5 Transition Guidance
Narrative – Section 3. Newly Identified BES Cyber Systems• When guidance is issued, a Responsible Entity with
newly identified systems and facilities shall begin implementing V5
• Applies to Responsible Entities that previously would have referred to Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities in CIP V3 or used V5 Impact Ratings to identify new assets
RELIABILITY | ACCOUNTABILITY15
CIP V3 – V5 Transition Guidance
Narrative – Section 3. Newly Identified BES Cyber Systems• Responsible Entities that have assets identified by an
acquisition or that receive a Registered Third-Party Designation (i.e., Impact Rating 2.3, 2.6, or 2.8) will be provided the latter of 12 calendar month implementation window from the time
of notification (per the V5 Implementation Plan) or Implementation date of April 1, 2016 for any newly
identified BES Cyber Systems
RELIABILITY | ACCOUNTABILITY16
CIP V3 – V5 Transition Guidance
Narrative – Section 4. Compliance during the Transition Period • Responsible Entities are expected to take the
appropriate actions to become compliant with the V5 Standards by the compliance enforcement date
• Those that previously identified CCAs according to the bright-line criteria in V4 no longer have that approach available
• Regional Entities will exercise discretion when assessing compliance to V3 requirements during the transition period
RELIABILITY | ACCOUNTABILITY17
CIP V3 – V5 Transition Guidance
Narrative – Section 5. Transition Period Audits• Compliance Monitoring and Enforcement Program
(CMEP) will continue to be the guiding directive for the conduct of CIP audits
• Regional Entity may use outreach and annual Self-Certifications in lieu of off-site audits for entities without V3 Critical Assets or Critical Cyber Assets
• Details regarding the scope and performance of audits during the transition period described in the guidance document
RELIABILITY | ACCOUNTABILITY18
CIP V3 – V5 Transition Guidance
Narrative – Section 6. V5 Implementation Study• Six Responsible Entities participated in a study to
voluntarily implement the V5 Standards prior to the enforcement date of April 1, 2016
• Goals of the study include identification of processes, tools, and guidance for achieving V5 compliance
• V5 Implementation Study page at NERC’s website(http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx)
RELIABILITY | ACCOUNTABILITY19
CIP V3 – V5 Transition Guidance
Narrative – Section 7. Technical Feasibility Exceptions (TFEs)• In general, TFEs will align with the overall transition process• They will be considered in context of underlying requirement(s)
V5 TFEs pertinent to V3 TFEsV5 V3
CIP-005-5 R2.3 CIP-005-3 R2.4CIP-007-5 R1.1 CIP-007-3 R2.3CIP-007-5 R4.3 CIP-007-3 R6.4CIP-007-5 R5.6 CIP-007-3 R5.3.3
RELIABILITY | ACCOUNTABILITY20
CIP V3 – V5 Transition Guidance
Narrative – Section 7. Technical Feasibility Exceptions (TFEs)• TFE requests will be needed for systems or devices unable to
meet strict compliance with a V5 requirement that has no associated TFE in V3
V5 TFEs not associated with V3 TFEsCIP-005-5 CIP-006-5 CIP-007-5 CIP-010-1
R1.4 R1.3 R5.1 R1.5R2.1 R5.7 R3.2.R2.2
RELIABILITY | ACCOUNTABILITY21
CIP V3 – V5 Transition Guidance
Narrative – Section 7. Technical Feasibility Exceptions (TFEs)• Existing TFEs that are no longer applicable per V5 requirements
will NOT remain in effect
V3 TFEs superseded when V5 is Implemented CIP-005-3 CIP-006-3 CIP-007-3
R3.1 R1.1 R3.2R4
R5.3R 5.3.1R 5.3.2
R6
RELIABILITY | ACCOUNTABILITY22
Compatibility Tables• Show the requirements from V5 that have been
deemed as “mostly compatible” with a V3 counterpart• Comparison is intended to help Responsible Entities
maintain adequate protection of BES assets as they move from compliance with V3 to compliance with V5 of the CIP Reliability Standards
CIP V3 – V5 Transition Guidance
RELIABILITY | ACCOUNTABILITY25
Underlying philosophy• Still a lot to do, but leveraging appropriate V3 policies,
procedures, and processes will contribute to successful transition to V5
• ERO wants to facilitate the transition
CIP V3 – V5 Transition Guidance
RELIABILITY | ACCOUNTABILITY26
CIP V5 Implementation Study
• Responsible Entity Volunteers Broad Mix Scope of assets is relevant to the industry
• Six to nine months Study period• Provide feedback to industry during the Study
FAQs: http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx
Training Sessions Webinars
• Capture lessons learned http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-
Study.aspx
• Publish a report at the end of the Study
RELIABILITY | ACCOUNTABILITY27
CIP V5 Implementation StudyLL: Generation Disaggregation
• CIP-002-5.1, Attachment 1, criterion 2.1 “Commissioned generation, by each group of generating units at a
single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.”
RELIABILITY | ACCOUNTABILITY28
CIP V5 Implementation StudyLL: Generation Disaggregation
• How do you define 1500 MW?• What is acceptable disaggregation?• What is a “shared” BES Cyber System?• What are “common mode vulnerabilities?”
RELIABILITY | ACCOUNTABILITY29
CIP V5 Implementation StudyLL: Transmission Facility Impact Rating
• CIP-002-5.1, Attachment 1, criterion 2.5 Transmission Facilities operating between 200 and 499 kV at a single
substation Connected to three or more other substations Aggregate weighted value of 3000 or more per weight table
• Facility: “A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.).”
• A “Facility” is a component of a substation not the substation itself.
RELIABILITY | ACCOUNTABILITY30
CIP V5 Implementation StudyLL: Transmission Facility Impact Rating
• If the convergence of Transmission Facilities at a single substation meets criterion 2.5, then each BES Cyber System associated with the Transmission Facility is rated Medium Impact.
• NERC’s Current Position: Physical location IS a determinant factor for impact classification. Therefore the far-end relay is not in scope of Medium Impact.
RELIABILITY | ACCOUNTABILITY32
CIP V5 Implementation StudyLL: Virtualization
• Virtualized servers may run multiple operating systems or application software within a single physical server, as opposed to conventional servers that may operate a single operating system and a dedicated suite of application software.
• VLANs are networks that operate multiple logically-separated networks by sharing common hardware devices such as switches and routers.
RELIABILITY | ACCOUNTABILITY33
CIP V5 Implementation StudyLL: Virtualization
• Definition of Cyber Assets: “Programmable electronic devices, including the hardware, software, and data in those devices.”
• CIP-005-5 R1, Part 1.1: “All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.”
RELIABILITY | ACCOUNTABILITY34
CIP V5 Implementation StudyLL: Virtualization
• Virtualization technologies present security challenges if different levels of protection are provided to different systems within the same virtual environment.
• Virtual Servers and VLANs cannot/may have mixed-trust usage.
RELIABILITY | ACCOUNTABILITY35
CIP V5 Implementation StudyLL: Programmable Electronic Devices
• BES Cyber Asset: “A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.”
• Cyber Assets: “Programmable electronic devices, including the hardware, software, and data in those devices.”
RELIABILITY | ACCOUNTABILITY36
CIP V5 Implementation StudyLL: Programmable Electronic Devices
• What makes something “programmable”? Contains firmware Firmware is modifiable via device interface (Ethernet, serial, parallel,
USB, etc.)
• Configurable is not programmable? Electro-mechanical relays Dip switches If physical removal of chip is required to program device (EPROM etc.)
• The NERC Survey or 15-minute Impact will ask questions to address this issue
BES Security Metrics WGProgress Report
James W. Sample, ChairRoland Miller, Vice-ChairJune 11-12, 2014
2 RELIABILITY | ACCOUNTABILITY
CIP Committee StructureCIPC Executive
Committee
Physical Security SubcommitteeDavid Grubbs
Cyber Security Subcommittee
Mark Child
Operating Security Subcommittee
Carl Eng
Policy SubcommitteeNathan Mitchell
Protecting Sensitive Information TF
Physical Security EvAnalysis WGJoint w/ OC & PC
Physical Security Training WG
Control System Security WG
Cyber Security Analysis WGJoint w/ OC & PC
Cyber Security Training WG
Information Sharing TF
HILF Implementation TF
Grid Exercise WG
Cyber Attack TreeTF
BES Security Metrics WG
Jamey Sample
Personnel Security Clearance TF
Compliance & Enforcement WG
Physical Security Guideline TF
2012
2013
Existing
How we fit in!
3 RELIABILITY | ACCOUNTABILITY
Previous Update
• Security Metrics Workshop was held at NERC
• Determine what a Strong Security Posture looks like for the sector
Define those attributes (Potential Metrics)o Information Sharingo Program Maturityo Situational Awarenesso Compliance Program
Evaluate existing ALRs for incorporation of security measures
Develop new security ALRs where needed
6 RELIABILITY | ACCOUNTABILITY
Micro Metric:ES-ISAC (Leading)
02468
101214
Aug Sep Oct Nov Dec Jan Feb Mar Apr May
2013 2013 2013 2013 2013 2014 2014 2014 2014 2014
# Shares
02468
10121416
Aug Sep Oct Nov Dec Jan Feb Mar Apr May
2013 2013 2013 2013 2013 2014 2014 2014 2014 2014
Top 4 Types of Threats
Phishing SSL DDOS Waterhole
7 RELIABILITY | ACCOUNTABILITY
Challenges
WG Challenge Areas
Expertise on WG
Recruit Additional CIO/SMEs
Cause Coding Lacks Security Issue Identification
Engage Event Analysis on Cause Coding
Develop Proposed Cause Codes
Evaluate Existing Cause Codes
[Change Mgmt LTA]
EST and ISAC Info Shares is still Low
Develop Reporting Dashboard
Provide sample Dashboard at CIPC
ISAC Lacks Formal Tracking Process
Work with ISAC to Develop Process for Logging
Engagments
Develop Technologies to Support Uniform Cataloging
Explore Additional ways to Ensure Separation from
Compliance
Sustained Resourcing needed to Support Capturing
and Measuring Metrics
Support from Event Analysis and Risk Performance
Groups Needed
Recommended Actions
More Engagement from Industry needed – work
through CIPC
NERC SupportISAC Internal OpsIndustry Driven
8 RELIABILITY | ACCOUNTABILITY
Workshop
• August 6-8, 2014
• Atlanta, GA
• Purpose: identify Macro Metrics and ALR criteria
• Show of hands on who would be interested in attending or sending someone
• Logistics to be distributed June 13, 2014
9 RELIABILITY | ACCOUNTABILITY
Next Steps
• Continue to build out Macro and Micro Metrics ALR’s, ES-ISAC, etc.
• Increase sharing Develop guidance on what/how to submit info to the ISAC More industry info shared with ISAC
• Continue to work with Events Analysis to develop cause codes
• Industry Workshop in August (Date TBD)
NERC CIPC Compliance and Enforcement Input Working Group
NERC CIPC Update
June 10-11, 2014
Paul Crist
Member List
Amelia Sawyer James Boone Michael Nickels Scott Harris
Andrew Jurbergs Jeff Mantong Mike Mertz Steen Fjalstad
Ben Miller Joe Bucciero Mike Welch Steve J Knaebel
Brenda Davis John Galloway Nathan Mitchell Summer C. Esquerre
Brian Evans-Mongeon Karen Demos Nick Santora Tim Johnson
Charles F. Abell Ken Burruss Paul Crist Tobias Whitney
Daniel Shaffer Kent Kujala Paul F. McClay Travis Borrini
David Gordon Marc A. Child Robert D. Canada Trey Cross
David Thorne Martin Collin Ron Harrod Wes Davis
Eric Ervin Matt Stryker Ryan Carlson
NERC CIPC Compliance and Enforcement Input Working Group Update
• Conference Calls
March 13, 2014
April 11, 2014
NERC CIPC Compliance and Enforcement Input Working Group Update
• March 13 Conference Call− Follow-up from CIPC Meeting− Transition Guidance Review− Physical Security FERC Order− Virtualization Whitepaper Update− CIP Version 5 Revisions Standard
Drafting Team Update
NERC CIPC Compliance and Enforcement Input Working Group Update
• April 11 Conference Call– Transition Guidance Review
Study ends on June 30, 2014– Physical Security FERC Order– Virtualization Whitepaper Update– CIP Version 5 Revisions Standard Drafting Team Update
CIP Version 5 webinar April 22 2014 CIP Version 5 revisions calendar
NERC CIPC Compliance and Enforcement Input Working Group Update• NERC “Virtualization Lessons
Learned” Conference Calls (John Galloway, ISO-NE)
– May 5 – May 7 – May 16
Future Virtualization Whitepaper
NERC CIPC Compliance and Enforcement Input Working Group Update
• Future Work• Transition Guidance Review• Virtualization Whitepaper
NERC CIPC Compliance and Enforcement Input Working Group Update
Meetings• 2nd Thursday of the month• 1:00 p.m. CST
Questions?
2 RELIABILITY | ACCOUNTABILITY
Objective: Determine the DNP3 vulnerability status of DNP3 Masters used in Energy Management Systems
1) List all of the DNP3 Masters used in North American EMSs, with their DNP3 vulnerability status
2) Fuzz test any equipment which hasn’t been tested• May need to develop standard testing script/process• We will originally focus on Project Robus’ free tools, but are open to other suggestions
3) Inform ICS-CERT of any vulnerable mastersICS-CERT is proficient in vulnerability disclosures
4) Post our results on the ES-ISAC Asset Owner PortalDo we post all results, or only non-vulnerable/ones with patches?
DNP3 Hydra
3 RELIABILITY | ACCOUNTABILITY
Portal Project- Lookingglass Pilot
• Platform Migration and Upgrade Completed (Jan-April 2014)– Task Force / Workgroup areas issues remain, resolution in progress
• Developing pipeline of continuing enhancements – Value focus near-term: improving user access, threat collaboration,
and Lookingglass “Lite” cyber awareness monitoring “widget”
• Our Ask: Lookingglass-Lite Pilot Volunteers (5-10, July-Sep)– Goal centers on providing useful reputation cyber-hygiene check– Enter your AOO Internet facing profile information (IP ranges, etc.) – Each organization has it’s own view of profile and status.– Pilot provide feedback, help ensure value, prepare for broader rollout– Please let us know if your organization would like to assist !
4 RELIABILITY | ACCOUNTABILITY
CRPA
• CRPA is a customized GridEx for your organization Use LoftyPerch to support scenario development Min 6 weeks planning needed
• Completely voluntary with no attribution to participants• A subset of practices from ES-C2M2 have been incorporated into the
After Action Report to frame lessons learned
• Status: 6 CRPAs performed last year 1 occurring in a few weeks Looking for more participants [Spring/Fall]
5 RELIABILITY | ACCOUNTABILITY
CRISP
Cybersecurity Risk Information Sharing Program (CRISP)• Operating under direction of the ESCC About 20 companies identified for 2014 2 companies deployed CRISP in Jan 2014 3 companies deploying in the next month
• NERC/ES-ISAC will be managing CRISP Determined an LLC was not the best way for the companies to implement CRISP NERC/ES-ISAC is working with PNNL and first set of sites to establish contracts
• Outreach and communication to the sector Expect outreach in the near future Comprehensive program plan is under development
3 RELIABILITY | ACCOUNTABILITY
CAP – HILF TF Recommendations
1. Geomagnetic Disturbance Task Forcea. Work Product: Interim Report: Effects of Geomagnetic Disturbances in the Bulk Power Systemb. No CIPC Cyber Security Subcommittee items
2. Spare Equipment Database Task Forcea. Work Product: Spare Equipment Database report b. No CIPC Cyber Security Subcommittee items
3. Severe Impact Resilience Task Forcea. Work Product: Severe Impact Resilience: Considerations and Recommendationsb. No CIPC Cyber Security Subcommittee items
4. Cyber Attack Task Forcea. Work Product: Cyber Attack Task Force – Final Reportb. Item 15: Continue developing Attack Tree methodologyc. Item 16: Continue to develop security and operations staff skills to
address increasingly sophisticated cyber threats.d. Item 17: Augment operator training with cyber attack scenarios.
5 RELIABILITY | ACCOUNTABILITY
Attack Tree Task Force (ATTF)
Upcoming Activities
• Solicit more SMEs to review what has been done so far.• Continue working on the document to support the actual attack
trees. Will contain the assumptions and methods used by the team
• Augment the attack trees to incorporate more mitigations and reflect that in the findings to see what changed.
Chair: Mark Engels
7 RELIABILITY | ACCOUNTABILITY
Cyber Security Events Analysis WG
1. Next Stepsa. Obtain a Chair for the working groupb. Continue to liaise with the ES-ISAC, EAS & STWGc. Begin scheduling quarterly calls, emails or portal postings with liaisons d. Continue to develop priorities and establish work plans:
i. Research and recommend activities to improve the security of Bulk Electric System facilities;ii. Develop expertise to liaise and coordinate with the Events Analysis WG;iii. Develop procedures for evaluating malicious events while maintaining entity security; andiv. Work with the CIP Training WG to assist in developing training products that are relevant to
current threat tactics and techniques.
e. Creation of, and approval for, the cyber events analysis process document
Chair: <open>
9 RELIABILITY | ACCOUNTABILITY
CSSWG
Status
New Chair Charter under review and
development Solicitation of additional volunteers First assignment: Business Network
connectivity guidelineo Due Date: 12/31/2014
GridEx II
Lesson Learned #4 Recommendations SummaryAssess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis.
10 RELIABILITY | ACCOUNTABILITY
CSSWG
NIST Mapping Project
Requested by the ESCC Map the NIST CSF to CIP v5 and CIP v3
Asked of CSSWG: Complete by August
11 RELIABILITY | ACCOUNTABILITY
CSSWG
Task Force Members
Mark Morgan (PNNL) Nadya Bartol (UTC)Cynthia Hill-Watson (TVA) Bill Noto (GE)Christine Hasha (ERCOT) Beth Lemke (WPS)Cliff Glantz (PNNL) Jarrid Hall (CSGI)
NERC Staff: Laura Brown
14 RELIABILITY | ACCOUNTABILITY
CSSWG
Remaining Tasks
Complete CIP v5 mapping Write guidance where mapping is not
obvious Write guidance where no mapping exists Convert to CIP v3
3 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
FERC Order issued 7 March with 90-day completion window SDT included four physical security professionals: myself, John
Breckenridge, Alan Wick, and Kathleen Judge Additional input from Bob Canada and Brian Harrell
One technical conference, two face-to-face meetings, one teleconference, two webinars, and two ballots
Proposed Standard approved by NERC BOT, and filed with FERC on 23 May
4 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• First three requirements deal with a risk assessment to identify in-scope assets, a review of the risk assessment by an unaffiliated third-party reviewer, and sharing of information with affected entities
• Three subsequent requirements dealing specifically with physical security issues: R4 - … evaluate potential threats and vulnerabilities… R5 - … develop and implement a documented physical
security plan… R6 – … unaffiliated third-party review the evaluation of
threats and vulnerabilities, and the corresponding security plan…
5 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• R4… The evaluation shall consider the following: 4.1. Unique characteristics of the identified and verified
Transmission station(s), Transmission substation(s), and primary control center(s);
4.2. Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and
4.3. Intelligence or threat warnings received from sources such as law enforcement, the Electric Reliability Organization (ERO), the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), U.S. federal and/or Canadian governmental agencies, or their successors.
6 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• R5 … The physical security plan(s) shall include the following attributes: Resiliency or security measures designed collectively to deter, detect,
delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4
Law enforcement contact and coordination information A timeline for executing the physical security enhancements and
modifications specified in the physical security plan Provisions to evaluate evolving physical threats, and their corresponding
security measures, to the Transmission station(s), Transmission substation(s), or
primary control center(s).
7 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• R6 … shall have an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5 Each Transmission Owner and Transmission Operator shall
select an unaffiliated third party reviewer from the following: o An entity or organization with electric industry physical security
experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification
o An entity or organization approved by the EROo A governmental agency with physical security expertiseo An entity or organization with demonstrated law enforcement,
government, or military physical security expertise.
8 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• 6.2 The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5. The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under Requirement R4 or the security plan(s) developed under Requirement R5
9 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• 6.3 If the unaffiliated third party reviewer recommends changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5, the Transmission Owner or Transmission Operator shall, within 60 calendar days of the completion of the unaffiliated third party review, for each recommendation: Modify its evaluation or security plan(s) consistent with the
recommendation; or Document the reason(s) for not modifying the evaluation or
security plan(s) consistent with the recommendation
10 RELIABILITY | ACCOUNTABILITY
CIP-014-1 Physical Security
• 6.4 Each Transmission Owner and Transmission Operator shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party reviewer and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure
11 RELIABILITY | ACCOUNTABILITY
PSRG
• Physical Security Roundtable Group now has 122 members
• Held several calls in preceding months on: March and April calls cancelled because of CIPC travel
(March) and Physical Security Standard drafting team meeting
May meeting on CIP-014 Physical Security Standard
• Would appreciate more input from members on issues they would like to discuss
12 RELIABILITY | ACCOUNTABILITY
STWG
• PSWG contributed to training on: April - physical security program management May - physical security design (Lawrence Livermore National
Labs) June – Advanced Laser Detection System July – active shooter
13 RELIABILITY | ACCOUNTABILITY
Fun Fact
As of 1 June 2014 there were still hundreds of homes in Winnipeg, Manitoba whose water pipes are still frozen. (CTV News)
Canada/US Border Crossing (between North Dakota and Manitoba)
2 RELIABILITY | ACCOUNTABILITY
Security Training WG
1. Chartera. CIPC will provide meeting attendees with an opportunity to participate in
physical, cyber, and operational security training, as well as, educational outreach opportunities.
2. Current Members1. Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross
Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, and William Whitney III
4 RELIABILITY | ACCOUNTABILITY
Security Training WG
3. Latest Activitiesa. Conference calls to discuss goals and actions – 2nd Friday each monthb. Working on HILF recommendation to raise operator awareness about cyber
attacks on the grid with SOS and SANS. We are in the final stages and should have news shortly after SOS and SANS work out their contracts.
c. Provided 2 successful security training webinars to the industrya. 4/16 – Physical Security Management and Programs – 174 Registered, 104 Attendedb. 5/14 – Physical Security Assessments, Design, and Protection Strategies – 277 registered,
135 attended
d. Working on tasks assigned to us from the GridEx II Lessons Learnede. Continuing to compile a list of free training resources available to entities
5 RELIABILITY | ACCOUNTABILITY
Security Training WG
1. Webinar Schedule 2014a. April 16 – Physical Security Programs Panel Webinarb. May – National Labs Physical Security – Risk vs Protection/Costs Webinarc. June – Orlando Pre-CIPC BC Hydro presentation on laser intrusion
detectiond. July – Active Shooter webinar with Danny O. Coulsone. August – TBDf. September – Vancouver “Train the Trainer – Preparation for a Cyber Event” g. October- TBDh. November- TBDi. December- TBD
7 RELIABILITY | ACCOUNTABILITY
Security Training WG
1. Training Linksa. TEEX - http://www.teex.org/
b. DHS - http://www.dhs.gov/training-programs-infrastructure-partners
c. DOD - http://iase.disa.mil/eta/online-catalog.html
d. FEMA - https://training.fema.gov/IS/
e. DOE - https://ntc.doe.gov/
Have a link for free, quality, training? Please share with us to add to the list.
8 RELIABILITY | ACCOUNTABILITY
Security Training WG
4. Next Stepsa. Continue to expand the list of free on demand training from reputable
agencies and vendorsb. Schedule and prepare future Pre-CIPC training sessions and webinarsc. Work with vendors and/or individuals in the industry to provide specific
training to industrya. This means you and/or your co-workers that have information to share
with the industryd. Continue work with SOS and SANS to compile operator training with cyber
attack scenarios per the HILF recommendationse. Work on GridEx II Lessons Learned assignments
5. CIPC Actionsa. Concerns and/or suggestions for today’s discussion
Ed Goff, CISSPDuke Energy, Energy Sector Control Systems Working Group
Cybersecurity Procurement Language for Energy Delivery Systems
June 11, 2014
Agenda
• Background• Managing the Cyber Supply
Chain Risks• Approach• Behind the scenes• The Differences – the update• ESCSWG Roadmap• Next Steps
2
Background on Procurement Language• In 2009, DHS worked with control
system security experts, asset owners and operators, suppliers, state and federal governments, international stakeholders
• Covers control systems across several sectors, including electricity, oil and natural gas, water, transportation, chemical
• Summarizes security principles and controls
• Provides example language
3
→ Since 2009, the energy sector continues to evolve:– New cybersecurity threats– Changes in security practices and requirements– Advancing technologies
→ Asset owners, operators, and suppliers are experiencing increased pressure for meeting stringent regulatory requirements
→ Procurement can help manage risks resulting from extended and geographically dispersed supply chains– Need to build cybersecurity into solutions from the
beginning→ Acquirers, integrators, and suppliers need to communicate
expectations and requirements in a clear and repeatable manner
Why Update Procurement Language for the Energy Sector?
4
• Procurement is part of the overall supply chain program– Dialogue before contract to communicate
expectations
• Embedding cybersecurity in procurement process helps manage supply chain risks and reduce risk of compromise:– Request cybersecurity from the beginning
Managing Cyber Supply Chain Risks
– Request transparent security practices from the beginning– Encourage transparency on where sub-suppliers are located (and any changes)– Agreement on appropriate time for notification of breaches/mitigating measures
• Transparency can help improve supply chain risk management practices• Preserves system integrity; trust that only intended functions are performed
and control is not lost
5
• Provides baseline cybersecurity procurement language for the acquisition of:
What is the Cybersecurity Procurement Language for Energy Delivery Systems?
This document seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector
— Individual components of energy delivery systems (e.g., PLCs, relays, RTUs)
— Individual energy delivery systems (SCADA, EMS, DCS)— Network of energy delivery systems (e.g., substation)
• Helps to address some of the energy sectors evolving challenges
• Ensures cybersecurity is considered starting with design phase (continuing through testing, manufacturing, delivery, installation, and support)
• Focused on “what to do ”, not “how to do it”
6
• ESCSWG: Leading this effort, spearheaded by Ed Goff (Duke Energy)• Pacific Northwest National Laboratory (PNNL): Facilitation and writing• Energetics Incorporated: Facilitation, coordination, and outreach• U.S. Department of Energy Office of Electricity Delivery and Energy Reliability:
Leadership, guidance, funding, and support• Core Team of Technical Advisors: Volunteered significant time and expertise in
advising the development of this document. Core team includes representatives from:
Behind the Scenes
– U.S. Department of Homeland Security, Edison Electric Institute, Electric Power Research Institute, Independent Electricity System Operator Ontario, Utilities Telecom Council, American Public Power Association, American Gas Association
7
• Developed over the last year by core team of experts and stakeholders
• Built on DHS (2009) to tailor guidance to the specific needs of the energy sector
Development Approach
• Reviewed other documents and approaches• Talked with other energy sector stakeholders to understand
their needs• Held open, transparent, public review cycles to guide
direction of document
8
• Two open, transparent, and formal public review cycles (November 2013 & February 2014)
— Engaged energy sector stakeholders from acquirer, integrator, and supplier communities
• 308 specific comments from 23 entities during comment periods — Utility— Vendor— Consultant/Other
• Lots of support for this effort, demonstrating the need in this sector• Some feedback beyond scope and tracked for future revisions
Public Review Cycles
— Government— Standards Body— Public/Private WG
9
Procurement Aligns with Energy Sector Cybersecurity Initiatives
• Cybersecurity Capability Maturity Model (C2M2):Consideration of supply chain issues and cybersecurity procurement are elements of the maturity model, which procurement language helps to address.
• Electricity Subsector Cybersecurity Risk Management Process (RMP): Procurement language can help asset owners with their risk management process by requesting cybersecurity features prior to acquisition.
• NIST’s Framework for Improving Critical Infrastructure Cybersecurity: Procurement language can help to identify the different categories of users and their roles in the procurement process, which is one element of this NIST framework.
10
• Intended to:— Help all energy sector stakeholders more clearly
communicate expectations and requirements
How Can This Be Used in the Procurement Process?
— Can help inform acquirers in RFP/RFI process— Provide a starting point for the procurement process— Users can select areas that are most applicable to their procurements Menu of options
• Not intended to:— Be inserted verbatim into procurement contracts— Replace or specify applicable IT or OT standards Document suggests some standards to consider, but not all
11
Key Sections: General Cybersecurity Procurement Language
Language that is more generally applicable across energy delivery systems and components:
2.1 Software and Services2.2 Access Control2.3 Account Management2.4 Session Management2.5 Authentication/Password Policy and Management2.6 Logging and Auditing2.7 Communication Restrictions2.8 Malware Detection and Protection2.9 Heartbeat Signals2.10 Reliability and Adherence to Standards
12
Key Sections: The Supplier’s Life Cycle Program
Covers the product design, development, manufacturing, storage, delivery, implementation, maintenance, and disposal:
3.1 Secure Development Practices3.2 Documentation and Tracking of Vulnerabilities3.3 Problem Reporting3.4 Patch Management and Updates3.5 Supplier Personnel Management3.6 Secure Hardware and Software Delivery
13
Technology Specific Sections• Other technology specific sections in the document, include:
— Intrusion detections systems (IDS)— Physical security— Wireless technologies— Cryptographic system management
• “How to Use this Document” section provides:— Examples for adding, modifying, or negotiating
procurement language between Acquirers and Suppliers (or Integrators)
— Examples of procurements with multiple Suppliers/Integrators
14
What Is Different? • The new document is 30% the size of the DHS
(2009) document, with a specific focus on the energy sector– Easier to navigate and read
• Accounts for the differences in acquiring entire energy delivery systems and system components
How?• Minimized redundancies
– Near identical requirements that were presented in multiple sections are reduced
• Reduced explanation of technologies– More general for future applicability
vs.
15
Differences (cont.)• Laser focused on procurement language
– Removed detailed Factory and Site Acceptance Testing and Maintenance Guidance
• Updated for new approaches and technologies• Similar concepts are grouped together in only a few sections
DHS (2009)• System Hardening (with 6 sections)• Perimeter Protection (3 sections)• Account Management (7 sections)• Coding Practices (1 section)• Flaw Remediation (2 sections)• Malware Detection and Protection (1 section)• Host Name Resolution (1 section)• End Devices (4 sections)• Remote Access (6 sections)• Physical Security (4 sections)• Network Partitioning (2 sections)• Wireless Technologies (11 sections)
ESCSWG (2014)• General Procurement Language (10 sections)• Supplier’s Lifecycle Security Program (6 sections)• Intrusion Detection (2 sections)• Physical Security (3 sections)• Wireless Security (1 section)• Cryptographic System Management (2 sections)
16
Sample Update: Wireless Technologies• DHS (2009) has 27 pages devoted to this
topic and 105 procurement language items
• EDS PL has one page and only 8 procurement language items
DHS (2009) WIRELESS TECHNOLOGIES1. Bluetooth 2. Wireless Closed Circuit TV3. Radio Frequency Identification4. 802.115. ZigBee6. WirelessHART7. Mobile Radios8. Wireless Mesh Networks9. Cellular10. WiMAX11. Microwave12. Satellite
EDS PLWIRELESS TECHNOLOGIES1. General Wireless
17
– Does provide sample procurement language for » Cryptographic system documentation (e.g., crypto methods used,
phases of key management)» Variable “Cryptoperiods” so crypto keys don’t stay the same forever» Remote crypto key update capability (to avoid truck rolls)
• Cryptographic-based security systems more widely used today
• New section to address basic cryptographic system documentation and management capabilities– Does not prescribe which type of
cryptographic-based security systems are appropriate for any particular environment
Cryptographic System Management
18
• Encourage robust products with fewer weaknesses and vulnerabilities• Secure development practices include:
– Quality assurance, quality control, testing, code reviews, timely communication– Specifying country of origin
The Supplier’s Life Cycle Program
Design
Develop
Produce
StoreDeliver
Implement
Maintain/ Retire
Development Life Cycle
• Timely notification of vulnerabilities or breaches, with accompanying mitigating measures (testing/validation of patches and updates)
• Managing access to sensitive information• Ensuring that the product is implemented as
specified
19
Sample LanguageExample Sample Language
Documentation/ Verification
2.73 The Supplier shall provide a method to restrict communication traffic between different network security zones. The Supplier shall provide documentation on any method or equipment used to restrict communication traffic.
Not Applicable Language
2.9.1 The Supplier shall identify heartbeat signals or protocols and recommend which should be included in network monitoring. At a minimum, a last gasp report from a dying component or equivalent shall be included in network monitoring.
Period of Applicability
3.3.2 Upon the Acquirer submitting a problem report to the Supplier, the Supplier shall review the report, develop an initial action plan within [a negotiated time period], and provide status reports of the problem resolution to the Acquirer within [a negotiated time period].
• Developed by the Energy Sector Control Systems Working Group (ESCSWG) for asset owners, operators, government, regulators, standards bodies, researchers, academia, vendors and other solution providers
• Synthesis of energy delivery systems security challenges, R&D needs, and implementation milestones
• Provides strategic framework to– align activities to sector needs– coordinate public and private programs– stimulate investments in energy delivery systems
security
Roadmap VisionBy 2020, resilient energy delivery systems are designed, installed, operated, and
maintained to survive a cyber incident while sustaining critical functions.
For more information visit: www.controlsystemsroadmap.net
Meeting the Vision of the Roadmap to Achieve Energy Delivery Systems Cybersecurity
2121
1. Build a Culture of Security 2. Assess and Monitor Risk 3. Develop and Implement
New Protective Measures 4. Manage Incidents 5. Sustain Security Improvements
Nea
r-te
rm(0
–3 y
rs)
1.1
1.2
Executive engagement and support of cyber resilience effortsIndustry-driven safe code development and software assurance awareness workforce training campaign launched
2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings
3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes commercially available
4.1
4.2
Tools to identify cyber events across all levels of energy delivery system networks commercially availableTools to support and implement cyber attack response decision making for the human operator commercially available
5.1
5.2
Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholdersFederal and state incentives available to accelerate investment in resilient energy delivery systems
Mid
-ter
m(4
-7 y
ears
)
1.3
1.4
1.5
Vendor systems and components using sophisticated secure coding and software assurance practices widely availableField-proven best practices for energy delivery systems security widely employed Compelling business case developed for investment in energy delivery systems security
2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics
3.2
3.3
Scalable access control for all energy delivery system devices availableNext-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented
4.3
4.4
4.5
Incident reporting guidelines accepted and implemented by each energy subsectorReal-time forensics capabilities commercially availableCyber event detection tools that evolve with the dynamic threat landscape commercially available
5.3
5.4
Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining
Long
-ter
m
(8-1
0 ye
ars)
1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry
2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains commercially available
3.4
3.5
3.6
Self-configuring energy delivery system network architectures widely availableCapabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutionsNext-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented
4.6
4.7
Lessons learned from cyber incidents shared and implemented throughout the energy sectorCapabilities for automated response to cyber incidents, including best practices for implementing these capabilities available
5.5
5.6
Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systemsMature, proactive processes to rapidly share threat, vulnerabilities, and mitigation strategies are implemented throughout the energy sector
Alignment with Roadmap Strategies
1. Build a Culture of Security 2. Assess and Monitor Risk 3. Develop and Implement
New Protective Measures 4. Manage Incidents 5. Sustain Security Improvements
Nea
r-te
rm(0
–3 y
rs)
1.1
1.2
Executive engagement and support of cyber resilience effortsIndustry-driven safe code development and software assurance awareness workforce training campaign launched
2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings
3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes commercially available
4.1
4.2
Tools to identify cyber events across all levels of energy delivery system networks commercially availableTools to support and implement cyber attack response decision making for the human operator commercially available
5.1
5.2
Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholdersFederal and state incentives available to accelerate investment in resilient energy delivery systems
Mid
-ter
m(4
-7 y
ears
)
1.3
1.4
1.5
Vendor systems and components using sophisticated secure coding and software assurance practices widely availableField-proven best practices for energy delivery systems security widely employed Compelling business case developed for investment in energy delivery systems security
2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics
3.2
3.3
Scalable access control for all energy delivery system devices availableNext-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented
4.3
4.4
4.5
Incident reporting guidelines accepted and implemented by each energy subsectorReal-time forensics capabilities commercially availableCyber event detection tools that evolve with the dynamic threat landscape commercially available
5.3
5.4
Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining
Long
-ter
m
(8-1
0 ye
ars)
1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry
2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains commercially available
3.4
3.5
3.6
Self-configuring energy delivery system network architectures widely availableCapabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutionsNext-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented
4.6
4.7
Lessons learned from cyber incidents shared and implemented throughout the energy sectorCapabilities for automated response to cyber incidents, including best practices for implementing these capabilities available
5.5
5.6
Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systemsMature, proactive processes to rapidly share threat, vulnerabilities, and mitigation strategies are implemented throughout the energy sector
Building a Culture of Security1. Build a Culture of Security
Nea
r-te
rm(0
–3 y
rs) 1.1
1.2
Executive engagement and support of cyber resilience effortsIndustry-driven safe code development and software assurance awareness workforce training campaign launched
Mid
-ter
m(4
-7 y
ears
)
1.3
1.4
1.5
Vendor systems and components using sophisticated secure coding and software assurance practices widely availableField-proven best practices for energy delivery systems security widely employed Compelling business case developed for investment in energy delivery systems security
Long
-ter
m
(8-1
0 ye
ars)
1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry
• Communication and rollout– Spread the word– Solicit endorsement from
different trade organizations
• Recommended Future Activities:– Expand on implementation guidance– Continue coordination and communication with
stakeholder groups– Account for feedback not addressed in this version
Next Steps
24
We need your help!• Tell your friends and colleagues• Use the document to mature your
procurement process • Provide feedback:
– What works well– What doesn’t work– What is missing
Email comments to: [email protected]
25
Questions?For more information visit: https://www.controlsystemsroadmap.net/Efforts/Pages/es-pl.aspx
Email questions to: [email protected]
26
ReferencesRoadmap to Achieve Energy Delivery Systems Cybersecurity: https://www.controlsystemsroadmap.net/ieRoadmap%20Documents/roadmap.pdf
Cybersecurity Capability Maturity Model (C2M2)http://energy.gov/oe/cybersecurity-capability-maturity-modelc2m2-program
Electricity Subsector Cybersecurity Risk Management Process (RMP)http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf
NIST’s Framework for Improving Critical Infrastructure Cybersecurity:www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
27
NATF Security Practices Group Activity Update
Ken Keels, NATF Program Manager - Practices
NERC CIPC MeetingJune 10-11, 2014
2
Discussion Topics
• Brief NATF Overview• Security Practices Group CIP-002 V5 Guide
Update• Physical Security Work Group Update
NATF Membership
Organization types (75 Members)– Investor-owned– State/Municipal– Cooperative– Federal/Provincial– ISO/RTO
Expertise– 3600 subject-matter experts
Coverage (North America Wide)– 85% Peak Demand– 75% 100kV and higher circuits• Membership open to companies that
own/operate 50 circuit miles 100 kV transmission or, operate 24/7 control center
3
NATF Mission, Vision, Approach
Mission Promote excellence in the reliable operation of the electric transmission system
Vision Continuously improve the reliability of the electric transmission system
Approach Pursue reliability and security excellence via: Constructive peer challenge Effective, relevant information sharing
o lessons learned, superior practices, etc.
4
Guiding Principles
Community The complex, interconnected grid requires active collaboration to promote higher levels of reliability, security, and resiliency
Confidentiality Confidentiality promotes open, candid intra-membership dialogue
Candor Direct, objective performance feedback is delivered as a membership norm
Commitment Members’ senior leaders commit to the NATF’s mission of promoting excellence
5
Value Add and Strategic Goals
Value Proposition(s)• Improve transmission
reliability, security, and resilience
• Increase member compliance margin
• Promote efficient use of resources
Strategic Goals1. Increase Industry Impact2. Achieve Results3. Manage Knowledge
Effectively4. Continuously Improve5. Proactively identify and
address emerging issues
6
8
CIP-002 V5 Project Purpose and Deliverables
Other Items Noted:• Scope currently limited to transmission
control centers and substations
• The project team recognizes the changing environment / pending decisions on the CIP standards
• The product will be updated throughout the year by adding attachments and / or addendums as Industry and Regulator determinations are made
Purpose: • The purpose is to develop a NERC CIP-002 Version 5
Guide containing agreed upon approaches and / or descriptions of common understanding used for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets.
Deliverables:• CIP-002 V5 Guide containing descriptions of approaches
and / or common understanding used for identifying Cyber Assets and defining corresponding BES Cyber Systems.
• In addition, the subject matter expert team is to develop a recommended format for documenting a program, such as diagrams / flow charts, that will assist with standardizing CIP-002 documentation across the NATF membership.
9
Recent / Current Activities and Next Steps
• Draft CIP-002 V5 Guide presented to Security Practices Group at its May 15-16 Workshop – discussion and initial feedback– understanding that the Guide will be a “living document”
• Currently collecting feedback from NATF Members
• Control Center Pilots Currently Underway at three Member Companies– feedback from pilots will be incorporated into the document
• Project team to continue to meet through June to refine document
• Release to Security Practices Group as an “approved practices guide” in July 2014
• Plan is to maintain the project team through 2014
11
Physical Security Initiatives
• CIP-014-1 Standard– Held weekly joint Security / Compliance Practice Group web meetings during
the 90-day Standard development period– Weekly calls included members of the Standard Drafting Team – NATF plans to conduct a second series of calls for members to discuss how they
plan to implement the Standard (probably starting in July)
• NATF Physical Security Work Group – Monthly web meetings initiated earlier this year– Monthly meeting includes members reporting-out on practices they use and
issues they’re confronting– Initiating a project associated with the development of a library of “physical
security monitoring systems” used by NATF members
12
Physical Security Initiatives (Cont'd)
• NATF 2014 Peer Review Process– Added a separate physical security component to augment the cyber security
review– Peer Review Security Team includes cyber and physical security subject matter
experts
• NATF / EPRI Memorandum of Understanding initiated in 2013– Held joint physical security summit in August 2013– The two organizations collaborate on continuous basis– EPRI Guest Speaker at the May Security Practices Group Workshop– EPRI R&D department interested in joint project pertaining to physical security