nerc cipc chair report highlights... · nerc presented draft rsaws for cip -002, cip -007, and cip...

NERC CIPC Chair ReportChuck Abell

June 10, 2014

2 RELIABILITY | ACCOUNTABILITY

2014 Efforts & Activities

• Security Technology Awareness Workshop

• CIP-014-1 Physical Security Standard

• CIP V5 “791” Standards Drafting Team

• CIP V5 Transition Program

• Scenario Planning for GridEx III

• Continuation of CRISP Program

• Heartbleed Vulnerability Response


2014 Efforts & Activities

• Continued EO/PPD Efforts

• David Revill Approved by Board to CIPC EC

• CIPC Executive Committee Annual Planning

• Grid Security Conference 2014

• Reactivation of the CSSWG

• Business Continuity Guideline Task Force


GridEx II Assignments

Security Training Working Group (w/ ESISTF)

Develop a training module to help individual entities

understand when, how, and what information should

be shared or reported, and how it is used by the

receiving organizations.



Control System Security Working Group (CSSWG)

Complete Business Networks Guideline work begun in

2011 by the CSSWG to specifically address separation

of business networks and control networks during an

emergency.



Electricity Subsector Information Sharing TF (ESISTF)

While the ES-ISAC has the responsibility for this item,

the ESISTF will assist by providing early input

regarding priorities & options, and help develop

mechanisms to communicate these processes to

stakeholders.



Business Continuity Guideline TF

Complete Business Continuity guideline work to

specifically address preservation of forensic data

following a physical or cyber attack.


CIP Committee Structure

Physical Security Subcommittee(David Grubbs)

Cyber Security Subcommittee

(Marc Child)

Operating Security Subcommittee

(Jim Brenton)

Policy Subcommittee(Nathan Mitchell)

Physical Security WG

(Ross Johnson)

CIPC Executive CommitteeMarc Child Chuck Abell, Chair Melanie SeaderDavid Grubbs Nathan Mitchell, Vice Chair Jack CashinRoss Johnson Jim Brenton, Vice Chair Barry Lawson David Revill Bob Canada, Secretary

Security Training WG

(William Whitney)

Control System Security WG

(Mikhail Flakovich)

Cyber Security AnalysisWG

(Vacant)

ES Information Sharing TF

(Stephen Diebold)

Grid Exercise WG

(Tim Conway)

Cyber Attack Tree TF

(Mark Engels)

BES Security Metrics WG

(James Sample)

Personnel Security Clearance TF

(Nathan Mitchell)

Compliance & Enforcement Input WG

(Paul Crist)

Physical Security Guidelines

WG(John Breckenridge)

Business Continuity Guideline TF

(Darren Meyers)

Critical Infrastructure Protection

Matt Blizard, PEDirector, Critical Infrastructure ProtectionCIPC, OrlandoJune 10th, 2014


CIP Updates and Activities

• NERC Updates: o ESISAC – (CRISP, CRAPA, Aurora, Threats & Vulnerabilities…)o CIP v5 transition – Effective and Efficient Roll Outo CIP v5 revisions, FERC Order 791o Physical Security – CIP-014-1o Physical Security Managero Security Reliability Program (SRP)o GridEx II Lessons Learned – Distributed Play and Executive Table Topo Executive Order – NIPP, NIST Cybersecurity Frameworko CIPC – Work Groups and Task Forces

• Activities: GridSecCon 14-16 October 2014, Hyatt Regency, San Antonio, Tx GridEx III 18-19 November 2015

CIP Version 5 RevisionsStandard Drafting Team Update

Ryan Stewart, NERC Standards DeveloperJune 11, 2014CIPC

RELIABILITY | ACCOUNTABILITY2

• Overview of FERC Directives• Overview of Development Activities• Overview of Revisions• Identify, Assess, and Correct – struck from 17 Requirements• Low Impact Assets – revised CIP-003• Communication Networks – revised CIP-006 & CIP-007• Transient Devices – revised CIP-004 & CIP-010• Implementation Plan• Next Steps

Agenda


• FERC approved CIP standards in January 2013.• FERC directed NERC to modify certain aspects.

Identify, Assess, and Correct language. Communication Networks. Low Impact assets protections Transient Devices.

• Identify, Assess, and Correct and Communication Networks modifications must be filed at FERC by February 3, 2015.

Overview of FERC Directives


• SDT and observers participated in aggressive development schedule from February to May Ten hours of conference calls per week, including subgroup calls

focused on each directive area Four face-to-face SDT meetings

• Participation from variety of stakeholders ensured that the SDT considered different perspectives from industry, government, and NERC

Overview of Development Activities


• Address all four directive areas by the filing deadline• Outreach crucial during development and during comment

period• Observer engagement critical to success

Key Objectives


• Identify, Assess, Correct language struck from all 17 requirements SDT determined that the requirements should state the performance

expectation and compliance language should be removed

• Substantive requirements remain the same• Violation Severity Levels revised accordingly

Identify, Assess, Correct


• SDT continues coordination with NERC Compliance and Enforcement Staff on supporting documents NERC presented draft RSAWs for CIP-002, CIP-007, and CIP-009 to the

SDT at its last meeting RSAW development team continuing to modify drafts to prepare for

concurrent posting with standards SDT suggested scenarios for NERC to address under RAI FAQ document on IAC and RAI

• NERC staff will offer a more comprehensive view of RAI beyond CIP standards in a June 19 webinar (following SDT webinar)



• SDT posed questions to NERC Enforcement and Compliance regarding Reliability Assurance Initiative (RAI)

• Questions are included in a Frequently Asked Questions document posted as a supplement to the revised standards

• Document focuses on how the RAI will handle high frequency low risk security obligations in the compliance and enforcement domains once IAC is removed



• CIP-003-6 Requirement R2 now in table format SDT kept all requirements applicable to low impact assets in this

requirement Technical areas same as CIP-003-5 passed by industry but with more

specificity to meet FERC directive Proposed requirement language borrowed from existing, FERC- and

industry-approved V5 standards but tailored to low impact

• Parent requirement above table parts is as follows:

Low Impact Assets


• CIP-003-6 Requirement R2 now in table format Part 2.1 – CIP Senior Manager review and approval Part 2.2 – Operational or procedural control(s) to restrict physical access Part 2.3 – Physical access controls at Control Centers Part 2.4 – Electronic access controls Part 2.5 – Cyber Security Incident response plan(s) Part 2.6 – Reinforcing of security awareness

Low Impact Assets


• CIP-006-6 Requirement R1, new Part 1.10 Restrict physical access to cabling and other nonprogrammable

communication components used for connection between applicable Cyber Assets within the same ESP in those instances when such cabling and components are located outside of a PSP.

Where physical access restrictions are not implemented, entity shall document and implement:o Encryption of datao Monitoring the status of the communication link and issuing an alarmo Equally effective logical protection

Applicable to High Impact BES Cyber Systems and PCAs and Medium BES Cyber Systems at Control Centers and PCAs

Communication Networks


• CIP-007-6 Requirement R1, Part 1.2: new applicability and incorporated new glossary term

Communication Networks


• Transient Cyber Asset - A Cyber Asset directly connected for 30 consecutive calendar days or less, to: (1) a BES Cyber Asset, (2) a network within an ESP, or (3) a Protected Cyber Asset. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

• Removable Media - Portable media, connected for 30 consecutive calendar days or less, that can be used to copy, move and/or access data. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. A Cyber Asset is not Removable Media.

• 30-day exemption removed from BES Cyber Asset and Protected Cyber Asset definitions

Transient Devices –New and Modified Definitions


• CIP-004-6 modified Requirement R2, Part 2.1.9 Adds Transient Cyber Assets and Removable Media to cybersecurity

training program requirement

• CIP-010-2 new Requirement R4 4.1- authorize the usage of Transient Cyber Assets prior to initial use 4.2- use method(s) to deter, detect, or prevent malicious code on

Transient Cyber Assets 4.3- use method(s) to detect malicious code on Removable Media 4.4- mitigate the threat of detected malicious code 4.5- update signatures or patterns for methods in 4.2 and 4.3 4.6- evaluate Transient Cyber Assets for deviations 4.7- evaluate Transient Cyber Assets to ensure patches are up-to-date

Transient Devices


• CIP-004-6 – Adds Transient Cyber Assets and Removable Media to cybersecurity training program in Requirement R2, Part 2.1.

• CIP-007-6 – Added clarifying language in guidance for Requirement R3 (malware protection) to remind entities of the Transient Device Protections in CIP-010-2, Requirement R4.

• CIP-011-2 – Added qualifiers to guidance for entities to include Transient Cyber Assets and Removable Media in their information protection programs.

Transient Device Protection –Modification to Other Standards


• Builds from April 1, 2016 effective date of V5• While the standard has an effective date, a compliance date

may differ for Requirements• Do not expect IAC language from V5 to go into effect• The following from V5 implementation remains the same:

Initial performance of certain periodic requirements Previous identity verification Planned or unplanned changes resulting in a higher categorization

Implementation Plan


• For those requirements and parts not listed below, compliance date would be effective date of standard, which is proposed to be later of April 1, 2016 or 3 months following govt. approval.

Implementation Plan


• NERC Standards Committee authorized posting for 45-day comment and ballot on May 30

• Comment period open June 2-July 16• Join the ballot pool from June 2-July 2• Reliability Standards Audit Worksheets (RSAWs) will be posted

by June 17 Not a part of the record for standards development.

• Ballot period open July 7-16 Will use the current ballot and commenting system.

Posting Schedule


• Industry SDT webinar June 19: 1-3pm ET Followed by RAI webinar from 3-5 pm ET

• SDT will consider all comments and make appropriate revisions• SDT meeting week of July 28 in St. Paul, MN• SDT meeting week of August 19 in San Francisco, CA

Next Steps


[email protected]

mailto:[email protected]

National Infrastructure Protection Plan (NIPP) UpdatesLaura BrownCritical Infrastructure Protection Committee MeetingJune 10, 2014


NIPP Overview

• The revised NIPP was completed in 2013.• Greater focus on integrating cybersecurity

and physical security efforts.• More closely aligned with national

preparedness efforts.• Increased focus on cross-sector and cross-jurisdictional

coordination.• Integrates information sharing as an essential

component of the risk management framework.• Drives action toward long-term improvement.


Joint National Priorities

• Section 6 “Call to Action” includes setting national focus through jointly developed priorities.

• The Department of Homeland Security (DHS) worked with government and industry to identify priorities and submitted the following: Integrating Cyber and Physical Risk Management Improving Resilience Decision Making Strengthening Risk Management Partnerships to Enhance

National Capacity Executing Enhanced Incident Response and Recovery


Next Steps

• The priorities are generally consistent with the Energy Sector-Specific Plan and Electricity Sub-sector Coordinating Council activities.

• As the Sector-Specific Agency, the Department of Energy submitted comments to DHS on the joint national priorities.

• DHS is holding a meeting Thursday to discuss the latest version of the joint national priorities.

Framework for Improving Critical Infrastructure Cybersecurity

Overview and StatusExecutive Order 13636

“Improving Critical Infrastructure Cybersecurity”

May 2014

• The National Institute of Standards and Technology’s mission is to stimulate innovation, foster industrial competitiveness, and improve the quality of life.

• Role in Cyber security began in 1972 with the development of the Data Encryption Standard – began when commercial sector also has a legitimate need for cryptography, including in ATMs.

• Responsibilities were strengthened through the Computer Security Act of 1987 and reaffirmed through the Federal Information Security Management Act of 2002.

Role of the National Institute of Standards and Technology in Cybersecurity

2

Improving Critical Infrastructure CybersecurityExecutive Order

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber

environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality,

privacy, and civil liberties”

President Barack Obama Executive Order 13636, Feb. 12, 2013

• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure

• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work

3

Based on the Executive Order, the Cybersecurity Framework Must...

• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks

• Incorporate international voluntary consensus standards and industry best practices to the fullest extent possible

• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk

• Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations

4

Development of the Cybersecurity Framework

Engage the Framework

Stakeholders

Analyze RFI Responses

Identify Framework Elements

Prepare and Publish

Preliminary Framework

Final Framework

EO 13636 Issued – February 12, 2013NIST Issues RFI – February 26, 20131st Framework Workshop – April 03, 2013

2nd Framework Workshop at CMU – May 29-31, 2013Draft Outline of Preliminary Framework – June 2013

3rd Framework Workshop at UCSD – July 10-12, 2013Discussion Draft of the Preliminary Framework - August 28, 2013

5th Framework Workshop at NCSU –Nov 14-15, 2013Publish Final Framework – February 13, 2014

Ongoing Engagement:

Open public comment and review

encouraged and promoted throughout

the process

4th Framework Workshop at UT Dallas – September 11-13, 2013Publish Preliminary Framework – October 29, 2013

5

Framework ComponentsFramework Core

• Cybersecurity activities common across critical infrastructure sectors and organized around particular outcomes

• Enables communication of cyber risk across an organization

Framework Profile• Aligns industry standards and best practices to a particular

implementation scenario • Supports prioritization and measurement of progress toward the

Target Profile, while factoring in other business needs— including cost-effectiveness and innovation

Framework Implementation Tiers• Describes how cybersecurity risk is managed by an organization• Describes degree to which an organization’s cybersecurity risk

management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)

6

Framework Core

7

Framework Core - Sample

8

How to Use the Cybersecurity FrameworkThe Framework is designed to complement existing business and cybersecurity operations, and can be used to:

• Understand security status• Establish / Improve a cybersecurity program• Communicate cybersecurity requirements with stakeholders,

including partners and suppliers• Identify opportunities for new or revised standards• Identify tools and technologies to help organizations use the

Framework• Integrate privacy and civil liberties considerations into a

cybersecurity program

What’s Next: Using the Cybersecurity Framework

• Organizations—led by their senior executives—should use the framework now, and provide feedback to NIST

• Industry groups, associations, and non-profits can play key roles in assisting their members to understand and use the framework by:• Building or mapping their organizations’s specific standards,

guidelines, and best practices to the framework• Developing and sharing examples of how organizations are

using the framework

• NIST is committed to helping organizations understand and use the framework

• The Administration will also look at possible incentives and other policy drivers

10

What’s Next: Areas for Development, Alignment, and Collaboration

• The Executive Order calls for the framework to “identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations”

• High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:• Authentication • Automated Indicator Sharing• Conformity Assessment • Cybersecurity Workforce• Data Analytics• Federal Agency Cybersecurity Alignment• International Aspects, Impacts, and Alignment• Supply Chain Risk Management• Technical Privacy Standards

11

Recapping Key Points about the Framework

• It’s a framework, not a prescription• It provides a common language and systematic methodology for

managing cyber risk • It does not tell a company how much cyber risk is tolerable, nor

does it claim to provide “the one and only” formula for cybersecurity

• Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone, and allow for interoperability

• The framework is a living document• It is intended to be updated over time as stakeholders learn from

implementation, and as technology and risks change• Practices, technology, and standards will change over time—

principals will not

12

Where to Learn More and Stay Current

The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at:

http://www.nist.gov/cyberframework

Material on NIST’s work in cybersecurity can be found at: http://csrc.nist.gov

13

http://www.nist.gov/itl/cyberframework.cfm

http://csrc.nist.gov

P R O G R A M O V E R V I E W Welcome to the community.

“Repeated cyber intrusions into critical infrastructure demonstrate the need for

improved cybersecurity.”

- The White House, Executive Order 13636

o NIST to develop a Cybersecurity Framework

o A voluntary program for critical infrastructure cybersecurity to promote use of the Framework

o A whole of community approach to risk management, security and resilience.

o Joint action by all levels of government and the owners and operators of critical infrastructure

SOLUTION PROPOSED BY EO 13636

The C3 Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.

R O L E O F T H E C R I T I C A L I N F R A S T R U C T U R E C Y B E R C O M M U N I T Y V O L U N T A R Y P R O G R A M

Administration Policies

Cybersecurity Framework

Critical InfrastructureEO 13636 highlights the need for improved cybersecurity among critical infrastructure. PPD-21 calls for efforts to strengthen the physical and cyber security and resilience of our Nation’s critical infrastructure.

Ranging from emergency services and transportation systems to small and medium sized businesses, the U.S. critical infrastructure provides the essential services that underpin American society.

One of the major components of the EO is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk as part of their approach to enterprise risk management.

• Framework implementation guidance

• Focal point for resources and tools

• Relationship management• Feedback collection

OUR ROLE

o Support increasing critical infrastructure cyber resilience

o Increase awareness and use of the Framework

o Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management

GOALS

o Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;

o Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and

o Coordinating critical infrastructure cross sector efforts to maximize national cybersecurity resilience.

CONVERGING

CONVERGINGC O N V E R G I N G

C O N N E C T I N G

C O O R D I N A T I N G

There are three key activities the program is supporting, which we emphasize as the Three C’s:

• C3 Voluntary Program website offers an overview of the program, downloadable tools, and outreach materials

• Links to the US-CERT C3 Voluntary Program gateway• Existing programs/resources have been aligned with the Framework

Core Function Areas (Identify, Protect, Detect, Respond, Recover)• Broken out by stakeholder type• Demonstrates offerings to support the Framework’s principles

• As they become available, cross sector, private sector, S/L resources will be referenced

CONVERGING RESOURCES

• DHS will support use of the Cybersecurity Framework primarily through the Cyber Resiliency Review (CRR).

• No-cost, voluntary, non-technical assessment to evaluate an organization’s information technology resilience.

• The CRR may be conducted as a self-assessment or in-person. • To date, DHS has conducted more than 330 CRRs at the request of

critical infrastructure entities nationwide. • The inherent principles and recommended practices within the CRR

align closely with the central tenets of the Cybersecurity Framework.

• Analyzes current practices and how they compare to the principles of the Cybersecurity Framework.

CONVERGING RESOURCES, cont.

Government-to-Business▶ Engage each of the sectors

through the CIPAC Framework to establish sector-specific approaches and guidance, utilizing established partnership mechanisms, models, and approaches

▶ Work directly with organizations interested in receiving information about the Framework, resources, and initiatives

Business-to-Business▶ Encourage organizations to

develop use cases or to work with their industry peers and business partners to promote the Framework (the Framework)

Government-to-Government

▶ Federal – Work with Federal departments and agencies to understand use of the Framework

▶ SLTT outreach – Work with state and local governments to promote government use of the Framework and to reach businesses in their localities

CONNECTING STAKEHOLDERS

Phase 1Momentum DevelopmentFebruary 2014 – February 2015

Phase 2Sector Strategy RolloutFebruary 2015 – February 2016

Phase 3

Ongoing Support for Framework Use based on Lessons LearnedFebruary 2016 – Ongoing

COORDINATING EFFORTS

•Contact us at [email protected]•Contact the C3 Voluntary Program to send feedback or for any questions about what resources DHS is offering or how to engage different programs

NEXT STEPS•Get engaged

•The C3 Voluntary Program will be supporting engagement during the coming year•The program will visit sector by sector events, potentially regional events/workshops utilizing our CSAs, and will potentially look into RFIs for broad public engagement

•Visit us at www.dhs.gov/ccubedvp, or www.us-cert.gov/ccubedvp

•Check out the website, download and use the messaging kit, and reach out to the different programs for support•Try out the CRR and reach out to CSEP if you have questions on the methodology or need assistance


http://www.dhs.gov/ccubedvp

http://www.us-cert.gov/ccubedvp

#ccubedvpdhs.gov/ccubedvp

Welcome to the community.

Update on RISC Activities

CIPC Meeting June 10/11, 2014

Jim Brenton CIPC RISC MemberPrincipal, Regional Security Coordinator ERCOT – Electric Reliability Council of Texas


RISC Mission & Purpose*

• Provides a framework for steering, developing, formalizing, and organizing recommendations to help NERC and the industry effectively focus their resources on the critical issues needed to best improve the reliability of the BPS

• Benefits of the RISC include improved efficiency of the NERC standards program. In some cases, that includes recommending reliability solutions other than the development of new or revised standards and offering high-level stakeholder leadership engagement and input on issues that enter the standards process.

* Per the RISC Charter


RISC Mission & Purpose*

• Triages and provides front-end, high-level leadership and accountability for nominated issues of strategic importance to bulk power system (BPS) reliability

• Assists the Board, NERC standing committees, NERC staff, regulators, Regional Entities, and industry stakeholders in establishing a common understanding of the scope, priority, and goals for the development of solutions to address these issues

* Per the RISC Charter


Planned RISC Agenda - June 17

• 2015:2017 Reliability Standards Development Plan, RSDP

• Integration of Variable Generation Task Force (IVGTF) report

• State of Reliability 2014 Report• Emerging Trends in the Long Term Reliability

Assessment, LTRA• Committee Reports: Planning, Operations, Critical Infrastructure Protection and

Standards Compliance and Certification Committee


Gap Analysis – Prioritization Adjustments

• Review/Analysis of different ERO activities

• Assess risk focus areas as HIGH/Medium/Low

• RISC members to evaluate key areas Impact and probability? Priority? Existing Controls? Gaps? How to address gaps?

!

!

6 RELIABILITY | ACCOUNTABILITYRELIABILITY | ACCOUNTABILITY

High Priority Items – Gap Analysis

• Cyber Attack• Workforce Capability and Human Error• Protection Systems• Monitoring and Situational Awareness


Cyber Attack - High Priority

• NERC CID monitoring current activities and reports to RISC on those efforts, and their support to address this highest priority item.

• NERC CIPC EC met with NERC RISC Staff to review lessons learned from GridEx-2013 into the RISC Priorities and ensure projects support CID activities.


Other High Priority Gap Analysis

• Analysis/Review to be presented at June 17th RISC Meeting

Workforce Capability and Human Error

Protection Systems

Monitoring and Situational Awareness


Coordinated Attack - Multiple Facilities

• Medium Priority Item – Coordinated Physical/Cyber Attack

• NERC CID Staff monitors and reports to RISC on their efforts to address this Medium priority item, and what additional efforts (if any) are recommended.


Other Medium Priority Gap Analysis

• Operational Modeling and Model Inputs• Equipment Maintenance and Management• Generator Availability• Increased dependence on Natural Gas

Generation


Low Strategic Focus Areas

• Generation Resource Adequacy• Transmission Right of Way• Geomagnetic Disturbance (GMD)• Long Term Planning and Modeling• Climate Change, Environmental Regs, Changing

Resource Mix due to Environmental or Other Market Conditions, Integration of Variable Gen


• Integration of New Technologies• Extreme Weather/Acts of Nature• Demand Response• Localized Physical Attack• Smart Grid• Electro-Magnetic Pulse (EMP)• Post-Recession Demand Growth• Pandemic

Low Strategic Focus Areas


Future RISC Meetings

• June 17 – Atlanta, GA• July 10 – Conference Call• August 14 – Post-BOT Meeting, Vancouver, BC• Sept 11/12 – Leadership Summit, Washington, DC• October 7 – Conference Call• November 13 – Post-BOT Meeting, Atlanta GA• December 2 – RISC Meeting, Phoenix, AZ


Questions ?

Legislative Update

Critical Infrastructure Protection CommitteeJune 10, 2014

Nathan Mitchell, American Public Power Association


• Senate Committee on Intelligence Chair Feinstein and vice chair Chambliss trying to restart

companion bill to House approved Cyber Intelligence Sharing and Protection Act (CISPA)

June 6, 2014 letter from trade associations highlighting the ES-ISAC and ESCC as models for information sharing.

Action needs to be taken by August

• No action expected due to the November elections.

Legislative Update


• American Public Power Association • Canadian Electricity Association • Edison Electric Institute • Electric Power Supply Association • GridWise Alliance • Large Public Power Council • National Association of Regulatory Utility

Commissioners • National Rural Electric Cooperative Association • Nuclear Energy Institute • Transmission Access Policy Study Group

Legislative Update


• 2015 Defense Authorization Bill awaiting Senate floor action

• Trade associations are having meetings with Senate staff on impact of the bill on electric utilities.

Legislative Update

CIP V3-V5 Transition

Tobias Whitney, NERC – Manager of CIP ComplianceNERC CIPCJune 2014


CIP V5 Transition Program Elements

• A new transition guidance will be provided in Q2

Periodic Guidance

• 6 entities with strong compliance cultures• 6-8 month implementation of V5 for certain facilities• Lessons learned throughout and after study phase

Implementation Study

• Integration with RAI• Identify means and method to address self-corrective processes and internal

controls

Compliance and Enforcement

• Off-site audits will be replace with outreach and training events• June 19 CIP V5 and RAI Webinar• Transition Guidance Webinar in July

Outreach & Communications

• Quarterly training opportunities will be provided to industry

Training


Responsibilities of the ERO (NERC & Regional Entities)• Monitor the cyber security measures used to protect the

reliable operation of the Bulk Electric System (BES)• Recognize the challenges facing Responsible Entities

Establishing compliance with V5 will be an ongoing process No single point in time when they will move from compliance with V3 to

compliance with V5

CIP V3 – V5 Transition


Big Picture• The “Effective Date” of V5 was April 1, 2014

Based on the date that V5 Standards were approved by FERC Beginning of the implementation stage/transition period

• The “Compliance Enforcement Date” of V5 is April 1, 2016 Applies to Responsible Entities with High and Medium Impact Cyber

Systems

• Compliance with V3 remains mandatory and enforceable, and will be assessed until the V5 compliance enforcement date V4 is no longer in the picture (that includes use of V4 “bright-line”

criteria for identifying Critical Cyber Assets)



Mapping the path• Responsible Entities with High and Medium Impact

Cyber Assets need to prepare for April 1, 2016• ERO focus during transition period is not “gotcha”,

but an effective and successful implementation of V5



Transition Guidance• Draft of next version is currently being vetted• Supersedes previous versions• Provides guidance and flexibility that will allow

Responsible Entities to focus on implementing changes to achieve compliance with V5

• During the transition period, there will be a flexible approach to the evaluation of V3 compliance



Next version of Transition Guidance• Narrative – similar to content of current version with

explanations, considerations, and recommendations.• Compatibility table – spreadsheet listing V5

requirements that are “Mostly Compatible” with V3 requirements



Mostly Compatible?• Many V5 requirements are mostly compatible (MC)

with Version 3• In those cases, processes and documents that

demonstrate compliance are not significantly different from V3 to V5

• Requirement numbers may not always align, but the requirements themselves are considered “MC”

• Not necessarily one to one mapping; e.g., CIP-002-3 R4 and CIP-002-5 R2 both address senior manager approval of the asset list



Mostly Compatible!• As described in the guidance document, V5

compliance to designated requirements can be considered compliance with the “MC” Version 3 requirement

• For V5 requirements with no V3 counterpart, V5 compliance will not be a factor during the transition period



Similar V3/V5 requirements• CIP-003 – 90%• CIP-004 – 80 to 90%• CIP-005 – 85%• CIP-006 – 85% (Review required for new Assets)• CIP-007 – 80%• CIP-008 – 95%• CIP-009 – 90% (Review required for new Assets)• CIP-010 – 50% (new to V5)• CIP-011 – 50% (new to V5)



CIP V3 – V5 Transition Guidance

Narrative1. Introduction2. Background3. Newly Identified BES Cyber Systems4. Compliance during the Transition Period 5. Transition Period Audits6. V5 Implementation Study7. Technical Feasibility Exceptions (TFEs)



Narrative – Section 1. Introduction• Overarching philosophy: apply the appropriate cyber

security measures to protect the reliable operation of the Bulk Electric System (BES).

• Applies to Regional Entities and Responsible Entities• Provides guidance and flexibility for implementing

changes to achieve compliance with V5 without undue concerns regarding compliance status with V3

• Supersedes previous Cyber Security Standards Transition Guidance



Narrative – Section 2. Background• FERC Order 791 was issued on November 22, 2013• Some directives referred to a specially formed

Standards Drafting Team for resolution• Version 4 CIP Reliability Standards (V4) will never be

mandatory and enforceable



Narrative – Section 3. Newly Identified BES Cyber Systems• When guidance is issued, a Responsible Entity with

newly identified systems and facilities shall begin implementing V5

• Applies to Responsible Entities that previously would have referred to Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities in CIP V3 or used V5 Impact Ratings to identify new assets



Narrative – Section 3. Newly Identified BES Cyber Systems• Responsible Entities that have assets identified by an

acquisition or that receive a Registered Third-Party Designation (i.e., Impact Rating 2.3, 2.6, or 2.8) will be provided the latter of 12 calendar month implementation window from the time

of notification (per the V5 Implementation Plan) or Implementation date of April 1, 2016 for any newly

identified BES Cyber Systems



Narrative – Section 4. Compliance during the Transition Period • Responsible Entities are expected to take the

appropriate actions to become compliant with the V5 Standards by the compliance enforcement date

• Those that previously identified CCAs according to the bright-line criteria in V4 no longer have that approach available

• Regional Entities will exercise discretion when assessing compliance to V3 requirements during the transition period



Narrative – Section 5. Transition Period Audits• Compliance Monitoring and Enforcement Program

(CMEP) will continue to be the guiding directive for the conduct of CIP audits

• Regional Entity may use outreach and annual Self-Certifications in lieu of off-site audits for entities without V3 Critical Assets or Critical Cyber Assets

• Details regarding the scope and performance of audits during the transition period described in the guidance document



Narrative – Section 6. V5 Implementation Study• Six Responsible Entities participated in a study to

voluntarily implement the V5 Standards prior to the enforcement date of April 1, 2016

• Goals of the study include identification of processes, tools, and guidance for achieving V5 compliance

• V5 Implementation Study page at NERC’s website(http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx)

http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx



Narrative – Section 7. Technical Feasibility Exceptions (TFEs)• In general, TFEs will align with the overall transition process• They will be considered in context of underlying requirement(s)

V5 TFEs pertinent to V3 TFEsV5 V3

CIP-005-5 R2.3 CIP-005-3 R2.4CIP-007-5 R1.1 CIP-007-3 R2.3CIP-007-5 R4.3 CIP-007-3 R6.4CIP-007-5 R5.6 CIP-007-3 R5.3.3



Narrative – Section 7. Technical Feasibility Exceptions (TFEs)• TFE requests will be needed for systems or devices unable to

meet strict compliance with a V5 requirement that has no associated TFE in V3

V5 TFEs not associated with V3 TFEsCIP-005-5 CIP-006-5 CIP-007-5 CIP-010-1

R1.4 R1.3 R5.1 R1.5R2.1 R5.7 R3.2.R2.2



Narrative – Section 7. Technical Feasibility Exceptions (TFEs)• Existing TFEs that are no longer applicable per V5 requirements

will NOT remain in effect

V3 TFEs superseded when V5 is Implemented CIP-005-3 CIP-006-3 CIP-007-3

R3.1 R1.1 R3.2R4

R5.3R 5.3.1R 5.3.2

R6


Compatibility Tables• Show the requirements from V5 that have been

deemed as “mostly compatible” with a V3 counterpart• Comparison is intended to help Responsible Entities

maintain adequate protection of BES assets as they move from compliance with V3 to compliance with V5 of the CIP Reliability Standards




Compatibility Tables


Underlying philosophy• Still a lot to do, but leveraging appropriate V3 policies,

procedures, and processes will contribute to successful transition to V5

• ERO wants to facilitate the transition



CIP V5 Implementation Study

• Responsible Entity Volunteers Broad Mix Scope of assets is relevant to the industry

• Six to nine months Study period• Provide feedback to industry during the Study

FAQs: http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

Training Sessions Webinars

• Capture lessons learned http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-

Study.aspx

• Publish a report at the end of the Study

http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

http://www.nerc.com/pa/CI/Pages/Transition-Program-V5-Implementation-Study.aspx


CIP V5 Implementation StudyLL: Generation Disaggregation

• CIP-002-5.1, Attachment 1, criterion 2.1 “Commissioned generation, by each group of generating units at a

single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.”


CIP V5 Implementation StudyLL: Generation Disaggregation

• How do you define 1500 MW?• What is acceptable disaggregation?• What is a “shared” BES Cyber System?• What are “common mode vulnerabilities?”


CIP V5 Implementation StudyLL: Transmission Facility Impact Rating

• CIP-002-5.1, Attachment 1, criterion 2.5 Transmission Facilities operating between 200 and 499 kV at a single

substation Connected to three or more other substations Aggregate weighted value of 3000 or more per weight table

• Facility: “A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.).”

• A “Facility” is a component of a substation not the substation itself.



• If the convergence of Transmission Facilities at a single substation meets criterion 2.5, then each BES Cyber System associated with the Transmission Facility is rated Medium Impact.

• NERC’s Current Position: Physical location IS a determinant factor for impact classification. Therefore the far-end relay is not in scope of Medium Impact.


CIP V5 Implementation StudyLL: Virtualization

• Virtualized servers may run multiple operating systems or application software within a single physical server, as opposed to conventional servers that may operate a single operating system and a dedicated suite of application software.

• VLANs are networks that operate multiple logically-separated networks by sharing common hardware devices such as switches and routers.



• Definition of Cyber Assets: “Programmable electronic devices, including the hardware, software, and data in those devices.”

• CIP-005-5 R1, Part 1.1: “All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.”



• Virtualization technologies present security challenges if different levels of protection are provided to different systems within the same virtual environment.

• Virtual Servers and VLANs cannot/may have mixed-trust usage.


CIP V5 Implementation StudyLL: Programmable Electronic Devices

• BES Cyber Asset: “A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.”

• Cyber Assets: “Programmable electronic devices, including the hardware, software, and data in those devices.”


CIP V5 Implementation StudyLL: Programmable Electronic Devices

• What makes something “programmable”? Contains firmware Firmware is modifiable via device interface (Ethernet, serial, parallel,

USB, etc.)

• Configurable is not programmable? Electro-mechanical relays Dip switches If physical removal of chip is required to program device (EPROM etc.)

• The NERC Survey or 15-minute Impact will ask questions to address this issue

BES Security Metrics WGProgress Report

James W. Sample, ChairRoland Miller, Vice-ChairJune 11-12, 2014


CIP Committee StructureCIPC Executive

Committee

Physical Security SubcommitteeDavid Grubbs


Mark Child

Operating Security Subcommittee

Carl Eng

Policy SubcommitteeNathan Mitchell

Protecting Sensitive Information TF

Physical Security EvAnalysis WGJoint w/ OC & PC

Physical Security Training WG

Control System Security WG

Cyber Security Analysis WGJoint w/ OC & PC

Cyber Security Training WG

Information Sharing TF

HILF Implementation TF

Grid Exercise WG

Cyber Attack TreeTF

BES Security Metrics WG

Jamey Sample

Personnel Security Clearance TF

Compliance & Enforcement WG

Physical Security Guideline TF

2012

2013

Existing

How we fit in!


Previous Update

• Security Metrics Workshop was held at NERC

• Determine what a Strong Security Posture looks like for the sector

Define those attributes (Potential Metrics)o Information Sharingo Program Maturityo Situational Awarenesso Compliance Program

Evaluate existing ALRs for incorporation of security measures

Develop new security ALRs where needed


Strong Security Posture: Macro Metrics


Micro Metric:ALR Framework (Lagging)


Micro Metric:ES-ISAC (Leading)

02468

101214

Aug Sep Oct Nov Dec Jan Feb Mar Apr May

2013 2013 2013 2013 2013 2014 2014 2014 2014 2014

# Shares

02468

10121416

Aug Sep Oct Nov Dec Jan Feb Mar Apr May

2013 2013 2013 2013 2013 2014 2014 2014 2014 2014

Top 4 Types of Threats

Phishing SSL DDOS Waterhole


Challenges

WG Challenge Areas

Expertise on WG

Recruit Additional CIO/SMEs

Cause Coding Lacks Security Issue Identification

Engage Event Analysis on Cause Coding

Develop Proposed Cause Codes

Evaluate Existing Cause Codes

[Change Mgmt LTA]

EST and ISAC Info Shares is still Low

Develop Reporting Dashboard

Provide sample Dashboard at CIPC

ISAC Lacks Formal Tracking Process

Work with ISAC to Develop Process for Logging

Engagments

Develop Technologies to Support Uniform Cataloging

Explore Additional ways to Ensure Separation from

Compliance

Sustained Resourcing needed to Support Capturing

and Measuring Metrics

Support from Event Analysis and Risk Performance

Groups Needed

Recommended Actions

More Engagement from Industry needed – work

through CIPC

NERC SupportISAC Internal OpsIndustry Driven


Workshop

• August 6-8, 2014

• Atlanta, GA

• Purpose: identify Macro Metrics and ALR criteria

• Show of hands on who would be interested in attending or sending someone

• Logistics to be distributed June 13, 2014


Next Steps

• Continue to build out Macro and Micro Metrics ALR’s, ES-ISAC, etc.

• Increase sharing Develop guidance on what/how to submit info to the ISAC More industry info shared with ISAC

• Continue to work with Events Analysis to develop cause codes

• Industry Workshop in August (Date TBD)

NERC CIPC Compliance and Enforcement Input Working Group

NERC CIPC Update

June 10-11, 2014

Paul Crist

Member List

Amelia Sawyer James Boone Michael Nickels Scott Harris

Andrew Jurbergs Jeff Mantong Mike Mertz Steen Fjalstad

Ben Miller Joe Bucciero Mike Welch Steve J Knaebel

Brenda Davis John Galloway Nathan Mitchell Summer C. Esquerre

Brian Evans-Mongeon Karen Demos Nick Santora Tim Johnson

Charles F. Abell Ken Burruss Paul Crist Tobias Whitney

Daniel Shaffer Kent Kujala Paul F. McClay Travis Borrini

David Gordon Marc A. Child Robert D. Canada Trey Cross

David Thorne Martin Collin Ron Harrod Wes Davis

Eric Ervin Matt Stryker Ryan Carlson

NERC CIPC Compliance and Enforcement Input Working Group Update

• Conference Calls

March 13, 2014

April 11, 2014


• March 13 Conference Call− Follow-up from CIPC Meeting− Transition Guidance Review− Physical Security FERC Order− Virtualization Whitepaper Update− CIP Version 5 Revisions Standard

Drafting Team Update


• April 11 Conference Call– Transition Guidance Review

Study ends on June 30, 2014– Physical Security FERC Order– Virtualization Whitepaper Update– CIP Version 5 Revisions Standard Drafting Team Update

CIP Version 5 webinar April 22 2014 CIP Version 5 revisions calendar

NERC CIPC Compliance and Enforcement Input Working Group Update• NERC “Virtualization Lessons

Learned” Conference Calls (John Galloway, ISO-NE)

– May 5 – May 7 – May 16

Future Virtualization Whitepaper


• Future Work• Transition Guidance Review• Virtualization Whitepaper


Meetings• 2nd Thursday of the month• 1:00 p.m. CST

Questions?

ES-ISAC UpdateNERC CIPC

Matt Light, ES-ISACJune 10-11, 2014


Objective: Determine the DNP3 vulnerability status of DNP3 Masters used in Energy Management Systems

1) List all of the DNP3 Masters used in North American EMSs, with their DNP3 vulnerability status

2) Fuzz test any equipment which hasn’t been tested• May need to develop standard testing script/process• We will originally focus on Project Robus’ free tools, but are open to other suggestions

3) Inform ICS-CERT of any vulnerable mastersICS-CERT is proficient in vulnerability disclosures

4) Post our results on the ES-ISAC Asset Owner PortalDo we post all results, or only non-vulnerable/ones with patches?

DNP3 Hydra


Portal Project- Lookingglass Pilot

• Platform Migration and Upgrade Completed (Jan-April 2014)– Task Force / Workgroup areas issues remain, resolution in progress

• Developing pipeline of continuing enhancements – Value focus near-term: improving user access, threat collaboration,

and Lookingglass “Lite” cyber awareness monitoring “widget”

• Our Ask: Lookingglass-Lite Pilot Volunteers (5-10, July-Sep)– Goal centers on providing useful reputation cyber-hygiene check– Enter your AOO Internet facing profile information (IP ranges, etc.) – Each organization has it’s own view of profile and status.– Pilot provide feedback, help ensure value, prepare for broader rollout– Please let us know if your organization would like to assist !


CRPA

• CRPA is a customized GridEx for your organization Use LoftyPerch to support scenario development Min 6 weeks planning needed

• Completely voluntary with no attribution to participants• A subset of practices from ES-C2M2 have been incorporated into the

After Action Report to frame lessons learned

• Status: 6 CRPAs performed last year 1 occurring in a few weeks Looking for more participants [Spring/Fall]


CRISP

Cybersecurity Risk Information Sharing Program (CRISP)• Operating under direction of the ESCC About 20 companies identified for 2014 2 companies deployed CRISP in Jan 2014 3 companies deploying in the next month

• NERC/ES-ISAC will be managing CRISP Determined an LLC was not the best way for the companies to implement CRISP NERC/ES-ISAC is working with PNNL and first set of sites to establish contracts

• Outreach and communication to the sector Expect outreach in the near future Comprehensive program plan is under development

Cyber Security Sub-cmteProgress Report

Marc Child, Chair

2 RELIABILITY | ACCOUNTABILITYJune 2013


CAP – HILF TF Recommendations

1. Geomagnetic Disturbance Task Forcea. Work Product: Interim Report: Effects of Geomagnetic Disturbances in the Bulk Power Systemb. No CIPC Cyber Security Subcommittee items

2. Spare Equipment Database Task Forcea. Work Product: Spare Equipment Database report b. No CIPC Cyber Security Subcommittee items

3. Severe Impact Resilience Task Forcea. Work Product: Severe Impact Resilience: Considerations and Recommendationsb. No CIPC Cyber Security Subcommittee items

4. Cyber Attack Task Forcea. Work Product: Cyber Attack Task Force – Final Reportb. Item 15: Continue developing Attack Tree methodologyc. Item 16: Continue to develop security and operations staff skills to

address increasingly sophisticated cyber threats.d. Item 17: Augment operator training with cyber attack scenarios.

NERC Attack Tree Task Force

June 2014


Attack Tree Task Force (ATTF)

Upcoming Activities

• Solicit more SMEs to review what has been done so far.• Continue working on the document to support the actual attack

trees. Will contain the assumptions and methods used by the team

• Augment the attack trees to incorporate more mitigations and reflect that in the findings to see what changed.

Chair: Mark Engels


Cyber Security Events Analysis WG

Chair: <open>


Cyber Security Events Analysis WG

1. Next Stepsa. Obtain a Chair for the working groupb. Continue to liaise with the ES-ISAC, EAS & STWGc. Begin scheduling quarterly calls, emails or portal postings with liaisons d. Continue to develop priorities and establish work plans:

i. Research and recommend activities to improve the security of Bulk Electric System facilities;ii. Develop expertise to liaise and coordinate with the Events Analysis WG;iii. Develop procedures for evaluating malicious events while maintaining entity security; andiv. Work with the CIP Training WG to assist in developing training products that are relevant to

current threat tactics and techniques.

e. Creation of, and approval for, the cyber events analysis process document

Chair: <open>


Control Systems Security WGChair: Mikhail Falkovich


CSSWG

Status

New Chair Charter under review and

development Solicitation of additional volunteers First assignment: Business Network

connectivity guidelineo Due Date: 12/31/2014

GridEx II

Lesson Learned #4 Recommendations SummaryAssess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis.


CSSWG

NIST Mapping Project

Requested by the ESCC Map the NIST CSF to CIP v5 and CIP v3

Asked of CSSWG: Complete by August


CSSWG

Task Force Members

Mark Morgan (PNNL) Nadya Bartol (UTC)Cynthia Hill-Watson (TVA) Bill Noto (GE)Christine Hasha (ERCOT) Beth Lemke (WPS)Cliff Glantz (PNNL) Jarrid Hall (CSGI)

NERC Staff: Laura Brown


CSSWG


CSSWG

Remaining Tasks

Complete CIP v5 mapping Write guidance where mapping is not

obvious Write guidance where no mapping exists Convert to CIP v3


Questions?

Physical Security WGProgress Report

Ross Johnson, CPPJune 11-12, 2014


How we fit in!


CIP-014-1 Physical Security

FERC Order issued 7 March with 90-day completion window SDT included four physical security professionals: myself, John

Breckenridge, Alan Wick, and Kathleen Judge Additional input from Bob Canada and Brian Harrell

One technical conference, two face-to-face meetings, one teleconference, two webinars, and two ballots

Proposed Standard approved by NERC BOT, and filed with FERC on 23 May



• First three requirements deal with a risk assessment to identify in-scope assets, a review of the risk assessment by an unaffiliated third-party reviewer, and sharing of information with affected entities

• Three subsequent requirements dealing specifically with physical security issues: R4 - … evaluate potential threats and vulnerabilities… R5 - … develop and implement a documented physical

security plan… R6 – … unaffiliated third-party review the evaluation of

threats and vulnerabilities, and the corresponding security plan…



• R4… The evaluation shall consider the following: 4.1. Unique characteristics of the identified and verified

Transmission station(s), Transmission substation(s), and primary control center(s);

4.2. Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and

4.3. Intelligence or threat warnings received from sources such as law enforcement, the Electric Reliability Organization (ERO), the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), U.S. federal and/or Canadian governmental agencies, or their successors.



• R5 … The physical security plan(s) shall include the following attributes: Resiliency or security measures designed collectively to deter, detect,

delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4

Law enforcement contact and coordination information A timeline for executing the physical security enhancements and

modifications specified in the physical security plan Provisions to evaluate evolving physical threats, and their corresponding

security measures, to the Transmission station(s), Transmission substation(s), or

primary control center(s).



• R6 … shall have an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5 Each Transmission Owner and Transmission Operator shall

select an unaffiliated third party reviewer from the following: o An entity or organization with electric industry physical security

experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification

o An entity or organization approved by the EROo A governmental agency with physical security expertiseo An entity or organization with demonstrated law enforcement,

government, or military physical security expertise.



• 6.2 The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5. The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under Requirement R4 or the security plan(s) developed under Requirement R5



• 6.3 If the unaffiliated third party reviewer recommends changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5, the Transmission Owner or Transmission Operator shall, within 60 calendar days of the completion of the unaffiliated third party review, for each recommendation: Modify its evaluation or security plan(s) consistent with the

recommendation; or Document the reason(s) for not modifying the evaluation or

security plan(s) consistent with the recommendation



• 6.4 Each Transmission Owner and Transmission Operator shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party reviewer and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure


PSRG

• Physical Security Roundtable Group now has 122 members

• Held several calls in preceding months on: March and April calls cancelled because of CIPC travel

(March) and Physical Security Standard drafting team meeting

May meeting on CIP-014 Physical Security Standard

• Would appreciate more input from members on issues they would like to discuss


STWG

• PSWG contributed to training on: April - physical security program management May - physical security design (Lawrence Livermore National

Labs) June – Advanced Laser Detection System July – active shooter


Fun Fact

As of 1 June 2014 there were still hundreds of homes in Winnipeg, Manitoba whose water pipes are still frozen. (CTV News)

Canada/US Border Crossing (between North Dakota and Manitoba)

Security Training WGProgress Report

William Whitney III, ChairDavid Godfrey, Vice Chair



1. Chartera. CIPC will provide meeting attendees with an opportunity to participate in

physical, cyber, and operational security training, as well as, educational outreach opportunities.

2. Current Members1. Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross

Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, and William Whitney III


How We Fit in



3. Latest Activitiesa. Conference calls to discuss goals and actions – 2nd Friday each monthb. Working on HILF recommendation to raise operator awareness about cyber

attacks on the grid with SOS and SANS. We are in the final stages and should have news shortly after SOS and SANS work out their contracts.

c. Provided 2 successful security training webinars to the industrya. 4/16 – Physical Security Management and Programs – 174 Registered, 104 Attendedb. 5/14 – Physical Security Assessments, Design, and Protection Strategies – 277 registered,

135 attended

d. Working on tasks assigned to us from the GridEx II Lessons Learnede. Continuing to compile a list of free training resources available to entities



1. Webinar Schedule 2014a. April 16 – Physical Security Programs Panel Webinarb. May – National Labs Physical Security – Risk vs Protection/Costs Webinarc. June – Orlando Pre-CIPC BC Hydro presentation on laser intrusion

detectiond. July – Active Shooter webinar with Danny O. Coulsone. August – TBDf. September – Vancouver “Train the Trainer – Preparation for a Cyber Event” g. October- TBDh. November- TBDi. December- TBD



July 17th Active Shooter Webinar



1. Training Linksa. TEEX - http://www.teex.org/

b. DHS - http://www.dhs.gov/training-programs-infrastructure-partners

c. DOD - http://iase.disa.mil/eta/online-catalog.html

d. FEMA - https://training.fema.gov/IS/

e. DOE - https://ntc.doe.gov/

Have a link for free, quality, training? Please share with us to add to the list.

http://www.teex.org/

http://www.dhs.gov/training-programs-infrastructure-partners

http://iase.disa.mil/eta/online-catalog.html

https://training.fema.gov/IS/

https://ntc.doe.gov/



4. Next Stepsa. Continue to expand the list of free on demand training from reputable

agencies and vendorsb. Schedule and prepare future Pre-CIPC training sessions and webinarsc. Work with vendors and/or individuals in the industry to provide specific

training to industrya. This means you and/or your co-workers that have information to share

with the industryd. Continue work with SOS and SANS to compile operator training with cyber

attack scenarios per the HILF recommendationse. Work on GridEx II Lessons Learned assignments

5. CIPC Actionsa. Concerns and/or suggestions for today’s discussion

[email protected]

Or [email protected]

Ed Goff, CISSPDuke Energy, Energy Sector Control Systems Working Group

Cybersecurity Procurement Language for Energy Delivery Systems

June 11, 2014

Agenda

• Background• Managing the Cyber Supply

Chain Risks• Approach• Behind the scenes• The Differences – the update• ESCSWG Roadmap• Next Steps

2

Background on Procurement Language• In 2009, DHS worked with control

system security experts, asset owners and operators, suppliers, state and federal governments, international stakeholders

• Covers control systems across several sectors, including electricity, oil and natural gas, water, transportation, chemical

• Summarizes security principles and controls

• Provides example language

3

→ Since 2009, the energy sector continues to evolve:– New cybersecurity threats– Changes in security practices and requirements– Advancing technologies

→ Asset owners, operators, and suppliers are experiencing increased pressure for meeting stringent regulatory requirements

→ Procurement can help manage risks resulting from extended and geographically dispersed supply chains– Need to build cybersecurity into solutions from the

beginning→ Acquirers, integrators, and suppliers need to communicate

expectations and requirements in a clear and repeatable manner

Why Update Procurement Language for the Energy Sector?

4

• Procurement is part of the overall supply chain program– Dialogue before contract to communicate

expectations

• Embedding cybersecurity in procurement process helps manage supply chain risks and reduce risk of compromise:– Request cybersecurity from the beginning

Managing Cyber Supply Chain Risks

– Request transparent security practices from the beginning– Encourage transparency on where sub-suppliers are located (and any changes)– Agreement on appropriate time for notification of breaches/mitigating measures

• Transparency can help improve supply chain risk management practices• Preserves system integrity; trust that only intended functions are performed

and control is not lost

5

• Provides baseline cybersecurity procurement language for the acquisition of:

What is the Cybersecurity Procurement Language for Energy Delivery Systems?

This document seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector

— Individual components of energy delivery systems (e.g., PLCs, relays, RTUs)

— Individual energy delivery systems (SCADA, EMS, DCS)— Network of energy delivery systems (e.g., substation)

• Helps to address some of the energy sectors evolving challenges

• Ensures cybersecurity is considered starting with design phase (continuing through testing, manufacturing, delivery, installation, and support)

• Focused on “what to do ”, not “how to do it”

6

• ESCSWG: Leading this effort, spearheaded by Ed Goff (Duke Energy)• Pacific Northwest National Laboratory (PNNL): Facilitation and writing• Energetics Incorporated: Facilitation, coordination, and outreach• U.S. Department of Energy Office of Electricity Delivery and Energy Reliability:

Leadership, guidance, funding, and support• Core Team of Technical Advisors: Volunteered significant time and expertise in

advising the development of this document. Core team includes representatives from:

Behind the Scenes

– U.S. Department of Homeland Security, Edison Electric Institute, Electric Power Research Institute, Independent Electricity System Operator Ontario, Utilities Telecom Council, American Public Power Association, American Gas Association

7

• Developed over the last year by core team of experts and stakeholders

• Built on DHS (2009) to tailor guidance to the specific needs of the energy sector

Development Approach

• Reviewed other documents and approaches• Talked with other energy sector stakeholders to understand

their needs• Held open, transparent, public review cycles to guide

direction of document

8

• Two open, transparent, and formal public review cycles (November 2013 & February 2014)

— Engaged energy sector stakeholders from acquirer, integrator, and supplier communities

• 308 specific comments from 23 entities during comment periods — Utility— Vendor— Consultant/Other

• Lots of support for this effort, demonstrating the need in this sector• Some feedback beyond scope and tracked for future revisions

Public Review Cycles

— Government— Standards Body— Public/Private WG

9

Procurement Aligns with Energy Sector Cybersecurity Initiatives

• Cybersecurity Capability Maturity Model (C2M2):Consideration of supply chain issues and cybersecurity procurement are elements of the maturity model, which procurement language helps to address.

• Electricity Subsector Cybersecurity Risk Management Process (RMP): Procurement language can help asset owners with their risk management process by requesting cybersecurity features prior to acquisition.

• NIST’s Framework for Improving Critical Infrastructure Cybersecurity: Procurement language can help to identify the different categories of users and their roles in the procurement process, which is one element of this NIST framework.

10

• Intended to:— Help all energy sector stakeholders more clearly

communicate expectations and requirements

How Can This Be Used in the Procurement Process?

— Can help inform acquirers in RFP/RFI process— Provide a starting point for the procurement process— Users can select areas that are most applicable to their procurements Menu of options

• Not intended to:— Be inserted verbatim into procurement contracts— Replace or specify applicable IT or OT standards Document suggests some standards to consider, but not all

11

Key Sections: General Cybersecurity Procurement Language

Language that is more generally applicable across energy delivery systems and components:

2.1 Software and Services2.2 Access Control2.3 Account Management2.4 Session Management2.5 Authentication/Password Policy and Management2.6 Logging and Auditing2.7 Communication Restrictions2.8 Malware Detection and Protection2.9 Heartbeat Signals2.10 Reliability and Adherence to Standards

12

Key Sections: The Supplier’s Life Cycle Program

Covers the product design, development, manufacturing, storage, delivery, implementation, maintenance, and disposal:

3.1 Secure Development Practices3.2 Documentation and Tracking of Vulnerabilities3.3 Problem Reporting3.4 Patch Management and Updates3.5 Supplier Personnel Management3.6 Secure Hardware and Software Delivery

13

Technology Specific Sections• Other technology specific sections in the document, include:

— Intrusion detections systems (IDS)— Physical security— Wireless technologies— Cryptographic system management

• “How to Use this Document” section provides:— Examples for adding, modifying, or negotiating

procurement language between Acquirers and Suppliers (or Integrators)

— Examples of procurements with multiple Suppliers/Integrators

14

What Is Different? • The new document is 30% the size of the DHS

(2009) document, with a specific focus on the energy sector– Easier to navigate and read

• Accounts for the differences in acquiring entire energy delivery systems and system components

How?• Minimized redundancies

– Near identical requirements that were presented in multiple sections are reduced

• Reduced explanation of technologies– More general for future applicability

vs.

15

Differences (cont.)• Laser focused on procurement language

– Removed detailed Factory and Site Acceptance Testing and Maintenance Guidance

• Updated for new approaches and technologies• Similar concepts are grouped together in only a few sections

DHS (2009)• System Hardening (with 6 sections)• Perimeter Protection (3 sections)• Account Management (7 sections)• Coding Practices (1 section)• Flaw Remediation (2 sections)• Malware Detection and Protection (1 section)• Host Name Resolution (1 section)• End Devices (4 sections)• Remote Access (6 sections)• Physical Security (4 sections)• Network Partitioning (2 sections)• Wireless Technologies (11 sections)

ESCSWG (2014)• General Procurement Language (10 sections)• Supplier’s Lifecycle Security Program (6 sections)• Intrusion Detection (2 sections)• Physical Security (3 sections)• Wireless Security (1 section)• Cryptographic System Management (2 sections)

16

Sample Update: Wireless Technologies• DHS (2009) has 27 pages devoted to this

topic and 105 procurement language items

• EDS PL has one page and only 8 procurement language items

DHS (2009) WIRELESS TECHNOLOGIES1. Bluetooth 2. Wireless Closed Circuit TV3. Radio Frequency Identification4. 802.115. ZigBee6. WirelessHART7. Mobile Radios8. Wireless Mesh Networks9. Cellular10. WiMAX11. Microwave12. Satellite

EDS PLWIRELESS TECHNOLOGIES1. General Wireless

17

– Does provide sample procurement language for » Cryptographic system documentation (e.g., crypto methods used,

phases of key management)» Variable “Cryptoperiods” so crypto keys don’t stay the same forever» Remote crypto key update capability (to avoid truck rolls)

• Cryptographic-based security systems more widely used today

• New section to address basic cryptographic system documentation and management capabilities– Does not prescribe which type of

cryptographic-based security systems are appropriate for any particular environment

Cryptographic System Management

18

• Encourage robust products with fewer weaknesses and vulnerabilities• Secure development practices include:

– Quality assurance, quality control, testing, code reviews, timely communication– Specifying country of origin

The Supplier’s Life Cycle Program

Design

Develop

Produce

StoreDeliver

Implement

Maintain/ Retire

Development Life Cycle

• Timely notification of vulnerabilities or breaches, with accompanying mitigating measures (testing/validation of patches and updates)

• Managing access to sensitive information• Ensuring that the product is implemented as

specified

19

Sample LanguageExample Sample Language

Documentation/ Verification

2.73 The Supplier shall provide a method to restrict communication traffic between different network security zones. The Supplier shall provide documentation on any method or equipment used to restrict communication traffic.

Not Applicable Language

2.9.1 The Supplier shall identify heartbeat signals or protocols and recommend which should be included in network monitoring. At a minimum, a last gasp report from a dying component or equivalent shall be included in network monitoring.

Period of Applicability

3.3.2 Upon the Acquirer submitting a problem report to the Supplier, the Supplier shall review the report, develop an initial action plan within [a negotiated time period], and provide status reports of the problem resolution to the Acquirer within [a negotiated time period].

• Developed by the Energy Sector Control Systems Working Group (ESCSWG) for asset owners, operators, government, regulators, standards bodies, researchers, academia, vendors and other solution providers

• Synthesis of energy delivery systems security challenges, R&D needs, and implementation milestones

• Provides strategic framework to– align activities to sector needs– coordinate public and private programs– stimulate investments in energy delivery systems

security

Roadmap VisionBy 2020, resilient energy delivery systems are designed, installed, operated, and

maintained to survive a cyber incident while sustaining critical functions.

For more information visit: www.controlsystemsroadmap.net

Meeting the Vision of the Roadmap to Achieve Energy Delivery Systems Cybersecurity

2121

1. Build a Culture of Security 2. Assess and Monitor Risk 3. Develop and Implement

New Protective Measures 4. Manage Incidents 5. Sustain Security Improvements

Nea

r-te

rm(0

–3 y

rs)

1.1

1.2

Executive engagement and support of cyber resilience effortsIndustry-driven safe code development and software assurance awareness workforce training campaign launched

2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings

3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes commercially available

4.1

4.2

Tools to identify cyber events across all levels of energy delivery system networks commercially availableTools to support and implement cyber attack response decision making for the human operator commercially available

5.1

5.2

Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholdersFederal and state incentives available to accelerate investment in resilient energy delivery systems

Mid

-ter

m(4

-7 y

ears

)

1.3

1.4

1.5

Vendor systems and components using sophisticated secure coding and software assurance practices widely availableField-proven best practices for energy delivery systems security widely employed Compelling business case developed for investment in energy delivery systems security

2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics

3.2

3.3

Scalable access control for all energy delivery system devices availableNext-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented

4.3

4.4

4.5

Incident reporting guidelines accepted and implemented by each energy subsectorReal-time forensics capabilities commercially availableCyber event detection tools that evolve with the dynamic threat landscape commercially available

5.3

5.4

Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining

Long

-ter

m

(8-1

0 ye

ars)

1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry

2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains commercially available

3.4

3.5

3.6

Self-configuring energy delivery system network architectures widely availableCapabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutionsNext-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented

4.6

4.7

Lessons learned from cyber incidents shared and implemented throughout the energy sectorCapabilities for automated response to cyber incidents, including best practices for implementing these capabilities available

5.5

5.6

Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systemsMature, proactive processes to rapidly share threat, vulnerabilities, and mitigation strategies are implemented throughout the energy sector

Alignment with Roadmap Strategies

1. Build a Culture of Security 2. Assess and Monitor Risk 3. Develop and Implement

New Protective Measures 4. Manage Incidents 5. Sustain Security Improvements

Nea

r-te

rm(0

–3 y

rs)

1.1

1.2


2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings

3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes commercially available

4.1

4.2

Tools to identify cyber events across all levels of energy delivery system networks commercially availableTools to support and implement cyber attack response decision making for the human operator commercially available

5.1

5.2

Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholdersFederal and state incentives available to accelerate investment in resilient energy delivery systems

Mid

-ter

m(4

-7 y

ears

)

1.3

1.4

1.5


2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics

3.2

3.3

Scalable access control for all energy delivery system devices availableNext-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented

4.3

4.4

4.5

Incident reporting guidelines accepted and implemented by each energy subsectorReal-time forensics capabilities commercially availableCyber event detection tools that evolve with the dynamic threat landscape commercially available

5.3

5.4

Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining

Long

-ter

m

(8-1

0 ye

ars)


2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains commercially available

3.4

3.5

3.6

Self-configuring energy delivery system network architectures widely availableCapabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutionsNext-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented

4.6

4.7

Lessons learned from cyber incidents shared and implemented throughout the energy sectorCapabilities for automated response to cyber incidents, including best practices for implementing these capabilities available

5.5

5.6

Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systemsMature, proactive processes to rapidly share threat, vulnerabilities, and mitigation strategies are implemented throughout the energy sector

Building a Culture of Security1. Build a Culture of Security

Nea

r-te

rm(0

–3 y

rs) 1.1

1.2


Mid

-ter

m(4

-7 y

ears

)

1.3

1.4

1.5


Long

-ter

m

(8-1

0 ye

ars)


• Communication and rollout– Spread the word– Solicit endorsement from

different trade organizations

• Recommended Future Activities:– Expand on implementation guidance– Continue coordination and communication with

stakeholder groups– Account for feedback not addressed in this version

Next Steps

24

We need your help!• Tell your friends and colleagues• Use the document to mature your

procurement process • Provide feedback:

– What works well– What doesn’t work– What is missing

Email comments to: [email protected]

25


Questions?For more information visit: https://www.controlsystemsroadmap.net/Efforts/Pages/es-pl.aspx

Email questions to: [email protected]

26

https://www.controlsystemsroadmap.net/Efforts/Pages/es-pl.aspx


ReferencesRoadmap to Achieve Energy Delivery Systems Cybersecurity: https://www.controlsystemsroadmap.net/ieRoadmap%20Documents/roadmap.pdf

Cybersecurity Capability Maturity Model (C2M2)http://energy.gov/oe/cybersecurity-capability-maturity-modelc2m2-program

Electricity Subsector Cybersecurity Risk Management Process (RMP)http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf

NIST’s Framework for Improving Critical Infrastructure Cybersecurity:www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

27

https://www.controlsystemsroadmap.net/ieRoadmap%20Documents/roadmap.pdf

http://energy.gov/oe/cybersecurity-capability-maturity-modelc2m2-program

http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

NATF Security Practices Group Activity Update

Ken Keels, NATF Program Manager - Practices

NERC CIPC MeetingJune 10-11, 2014

2

Discussion Topics

• Brief NATF Overview• Security Practices Group CIP-002 V5 Guide

Update• Physical Security Work Group Update

NATF Membership

Organization types (75 Members)– Investor-owned– State/Municipal– Cooperative– Federal/Provincial– ISO/RTO

Expertise– 3600 subject-matter experts

Coverage (North America Wide)– 85% Peak Demand– 75% 100kV and higher circuits• Membership open to companies that

own/operate 50 circuit miles 100 kV transmission or, operate 24/7 control center

3

NATF Mission, Vision, Approach

Mission Promote excellence in the reliable operation of the electric transmission system

Vision Continuously improve the reliability of the electric transmission system

Approach Pursue reliability and security excellence via: Constructive peer challenge Effective, relevant information sharing

o lessons learned, superior practices, etc.

4

Guiding Principles

Community The complex, interconnected grid requires active collaboration to promote higher levels of reliability, security, and resiliency

Confidentiality Confidentiality promotes open, candid intra-membership dialogue

Candor Direct, objective performance feedback is delivered as a membership norm

Commitment Members’ senior leaders commit to the NATF’s mission of promoting excellence

5

Value Add and Strategic Goals

Value Proposition(s)• Improve transmission

reliability, security, and resilience

• Increase member compliance margin

• Promote efficient use of resources

Strategic Goals1. Increase Industry Impact2. Achieve Results3. Manage Knowledge

Effectively4. Continuously Improve5. Proactively identify and

address emerging issues

6

7

Security Practices Group

CIP-002 V5 Guide Update

8

CIP-002 V5 Project Purpose and Deliverables

Other Items Noted:• Scope currently limited to transmission

control centers and substations

• The project team recognizes the changing environment / pending decisions on the CIP standards

• The product will be updated throughout the year by adding attachments and / or addendums as Industry and Regulator determinations are made

Purpose: • The purpose is to develop a NERC CIP-002 Version 5

Guide containing agreed upon approaches and / or descriptions of common understanding used for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets.

Deliverables:• CIP-002 V5 Guide containing descriptions of approaches

and / or common understanding used for identifying Cyber Assets and defining corresponding BES Cyber Systems.

• In addition, the subject matter expert team is to develop a recommended format for documenting a program, such as diagrams / flow charts, that will assist with standardizing CIP-002 documentation across the NATF membership.

9

Recent / Current Activities and Next Steps

• Draft CIP-002 V5 Guide presented to Security Practices Group at its May 15-16 Workshop – discussion and initial feedback– understanding that the Guide will be a “living document”

• Currently collecting feedback from NATF Members

• Control Center Pilots Currently Underway at three Member Companies– feedback from pilots will be incorporated into the document

• Project team to continue to meet through June to refine document

• Release to Security Practices Group as an “approved practices guide” in July 2014

• Plan is to maintain the project team through 2014

Security Practices Group

Physical Security Update

11

Physical Security Initiatives

• CIP-014-1 Standard– Held weekly joint Security / Compliance Practice Group web meetings during

the 90-day Standard development period– Weekly calls included members of the Standard Drafting Team – NATF plans to conduct a second series of calls for members to discuss how they

plan to implement the Standard (probably starting in July)

• NATF Physical Security Work Group – Monthly web meetings initiated earlier this year– Monthly meeting includes members reporting-out on practices they use and

issues they’re confronting– Initiating a project associated with the development of a library of “physical

security monitoring systems” used by NATF members

12

Physical Security Initiatives (Cont'd)

• NATF 2014 Peer Review Process– Added a separate physical security component to augment the cyber security

review– Peer Review Security Team includes cyber and physical security subject matter

experts

• NATF / EPRI Memorandum of Understanding initiated in 2013– Held joint physical security summit in August 2013– The two organizations collaborate on continuous basis– EPRI Guest Speaker at the May Security Practices Group Workshop– EPRI R&D department interested in joint project pertaining to physical security

Thank you!

• Questions?