NERC Critical Infrastructure Protection Advisory Group (CIP AG) Electric Industry Initiatives Reducing Vulnerability To Terrorism

Transcript of NERC Critical Infrastructure Protection Advisory Group (CIP AG) Electric Industry Initiatives...

Page 1: NERC Critical Infrastructure Protection Advisory Group (CIP AG) Electric Industry Initiatives Reducing Vulnerability To Terrorism.

NERC Critical Infrastructure Protection Advisory Group (CIP AG)

Electric Industry Initiatives Reducing Vulnerability To Terrorism

Page 2:

September 11, 2001 Industry Implications

Significant change to the Security Environment

Increased Security focus and costs

Threat of imposed Federal and State legislation

Company over-reaction

Company under-reaction

Page 3:

Post 9/11 Reactions

Page 4:

CIP AG Overview

Page 5:

Security Guidelines

Guiding Principles

Each company defines and identifies its own critical facilities and functions.

Each company assesses the usefulness of the Guidelines individually and adapts them as needed.

The Guidelines are living documents, expected to change.

Implemented and supported by workshops for industry

Page 6:

Initiatives

CIPAG

Security Guidelines

Threat Conditions and Response

FERC Assist

Spare Parts Database

PKI

Page 7:

Security Guidelines

Executive Summary

The Guidelines describe general approaches, considerations, practices, and planning philosophies.

The Guidelines are NOT a “cookbook” for protection.

Page 8:

Security Guidelines

Definitions

Critical Facility

Any facility or combination of facilities, if severely damaged or destroyed, would:

have a significant impact on the ability to serve large quantities of customers for an extended period of time,

have a detrimental impact to the reliability or operability of the energy grid, or

cause significant risk to National security, National economic security, or public health and safety.

Page 9:

Security Guidelines

Guideline Topics

Vulnerability and Risk Assessment

Threat Response

Emergency Management

Continuity of Business Processes

Communications

Physical Security

IT/Cyber Security

Employment Screening

Protecting Sensitive Information

Page 10:

Security Guidelines

Guideline Topics

Vulnerability and Risk Assessment: Helps identify critical facilities, their vulnerabilities, and countermeasures.

Threat Response: Helps in developing plans for enhanced security.

Page 11:

Security Guidelines

Guideline Topics

Emergency Management: Better prepares companies to respond to a spectrum of threats, both physical and cyber.

Continuity of Business Practices: Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations after interruptions occur.

Page 12:

Security Guidelines

Guideline Topics

Communications: Enhances the effectiveness of threat response, emergency management, and business continuity plans.

Physical/Cyber Security: Mitigates the impact of threats through deterrence, prevention, detection, limitation, and corrective action.

Page 13:

Security Guidelines

Guideline Topics

Employment Screening: Provides strategies to mitigate “insider” threats.

Protecting Sensitive Information: Production, storage, transmission, and disposal of both physical and electronic information

Page 14:

Security Guidelines

Reference Documents

An Approach to Action for the Electricity Sector (NERC, June 2001)

Threat Alert Levels and Physical Response Guidelines (NERC, November 2001)

Threat Alert Levels and Cyber Response Guidelines (NERC, March 2002)

Page 15:

ThreatCon and Response Guidelines

The Guidelines

Define Threat Alert Levels for Alerts issued by:

ES-ISAC

NIPC

Other government agencies

(Excludes facilities regulated by the NRC)

Ensure that electric Threat Alert Levels are consistent with information from other sources

Provide examples of security measures

Supported with workshops

Page 16:

ThreatCon and Response Guidelines

Threat Alerts / Threat Conditions

Can be issued:

for a specific geographic area

for a specific facility

by category, such as a specific type of facility

Page 17:

Threat Alert Level Definitions

THREATCON-NORMAL

Applies when no known threat exists.

Is equivalent to normal daily conditions.

Security measures should be maintainable indefinitely.

THREATCON-LOW

Applies when a general threat exists with no specific threat directed against the electric industry.

Additional security measures are recommended.

Added security should be maintainable for an indefinite period with minimum impact on the organization.

Page 18:

Threat Alert Level Definitions

THREATCON-MEDIUM

Applies with increased or more predictable threat to the electric industry.

Implementation of additional security measures is expected.

Increased measures are anticipated to last for a defined time.

Significant increases in corporate resources will be required.

THREATCON-HIGH

Applies when an incident occurs or a credible threat is imminent.

Maximum security measures are necessary and are expected to:

cause hardships on personnel,

seriously impact normal operations, and

may be economically unsustainable for more than a short time.

Page 19:

FERC Request

FERC requested NERC to develop security standards for inclusion in the Standard Market Design NOPR

CIPAG picked up the gauntlet

NERC BoT approved CIPAG participation on June 14, 2002

Page 20:

FERC Request

“Minimum Daily Requirements”

Achievable

Granular

Cyber focused

Inter-connection focused

Page 21:

FERC Request

Final draft to FERC July 26

SMD NOPR released July 31 for general public review, comment

Final SMD ruling late October or early November

Effective date of compliance 2004

Annual signed self certification

Page 22:

FERC Request

All future standards to be developed and maintained by NERC

All future FERC rule making on standards will refer to NERC standards

Page 23:

Spare Equipment Database

Expanding database created in 1989

Spare EHV transformers in case of national emergencies

Web based on a secure server

Other equipment to be included

Page 24:

PKI

Needed because of the reliance on computer based systems and applications

Evaluate potential Certificate Authorities

Develop an integrated PKI architecture and deployment strategy

Resolve technical issues

Create web based training materials

Page 25:

ES ISAC

PDD #63 identified electricity as one of the eight critical infrastructures

NERC sector coordinator for electricity

IAW Program Website

CIPAG oversight body for ISAC

Collect, Analyze and Disseminate information

Page 26:

Pulling Together

Page 27:

Available on the Web

www.nerc.com

Committees

CIPAG

Related Files

Page 28:

One Last Thought!

“Security is always excessive until it’s not enough”