NERC Physical Security Standard CIP-014-1

NERC Physical Security Standard CIP-014-1. Allan Wick, CFE, CPP, PSP, PCI, CBCP, Chief Security Officer. WECC Joint Meeting, October 8, 2014.


Post on 30-Dec-2015


Page 1: NERC Physical Security Standard CIP-014-1

NERC Physical Security Standard CIP-014-1

Allan Wick, CFE, CPP, PSP, PCI, CBCP

Chief Security Officer

WECC Joint Meeting October 8, 2014


Agenda

• Project Overview

• Drafting Team members

• Standard Highlights

• Implementation Plan

• Timeline


Project Overview

The FERC directed NERC to submit proposed physical security reliability standards to the Commission within 90 days of the date of the March 7, 2014 order.

Only a relatively small number of Transmission Owners and Transmission Operators will need to comply with the entire Standard (25).

Includes confidentiality requirements. Three step process.


Standard Highlights

Background

• The Reliability Standard addresses the directives from the FERC order issued March 7, 2014, Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014), which required NERC to develop a physical security reliability standard(s) to identify and protect facilities that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

• Drafted as Critical Infrastructure Protection (CIP) family of standards.


Standard Highlights

Requirements R1-R3

• Perform risk assessments to identify Transmission stations and Transmission substations that meet the “medium impact” criteria from CIP-002-5.1, and their associated primary control centers, then

• Arrange for a third party verification of the identifications; and

• Notify Transmission Operators of identified primary control centers that operationally control the verified Transmission stations and Transmission substations.

• The requirements provide the periodicity for satisfying these obligations. Only an entity that owns or operates one or more of the identified facilities has further obligations in Requirements R4 through R6. If an entity identifies a null set after applying Requirements R1 through R2, the rest of the standard does not apply.

• Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.


Standard Highlights

Requirements R4-R6

• The evaluation of potential threats and vulnerabilities of a physical attack to the facilities identified and verified according to the earlier requirements,

• The development and implementation of a security plan(s) designed in response to the evaluation, and

• A third party review of the evaluation and security plan(s).

• Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.


Key Dates

Final Ballot Closed May 5 – Passed 85%

NERC BOT Adopted May 13, 2014

FERC BOD Proposed Approved July 17, 2014

Two directives, FERC add/delete & instability vs. widespread instability

45 day comment period, September 8, 2014

Effective the first day of the first calendar quarter that is six months beyond the date that the standard is approved by applicable regulatory authorities, ….

Implementation Plan

The initial performance of CIP-014-1, Requirements R2 through R6, must be completed according to the timelines specified in those requirements after the effective date of the proposed Reliability Standard, as follows:

Requirement R2 shall be completed as follows:

Parts 2.1, 2.2, and 2.4 shall be completed within 90 calendar days of the effective date of the proposed Reliability Standard.

Part 2.3 shall be completed within 60 calendar days of the completion of performance under Requirement R2 part 2.2.


Implementation Plan

Requirement R3 shall be completed within 7 calendar days of completion of performance under Requirement R2.

Requirements R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2.

Requirement R6 shall be completed as follows:

Parts 6.1, 6.2, and 6.4 shall be completed within 90 calendar days of completion of performance under Requirement R5.

Part 6.3 shall be completed within 60 calendar days of Requirement R6 part 6.


Timeline


VP Western Division of G4S Secure Solutions regional conference