security management seminar - nerc training/1 security management... · information...

Ross Johnson, CPP Capital Power Edmonton, Alberta Security Management Seminar SSID PSAV_Event_Solutions Passcode NERC0001

Upload: phungtu

Post on 05-Jun-2018



Agenda

• Security Management Programs

• Security Risk Management

• Design Basis Threat

• Security Measures Selection

• Threat Response Planning

Security Management Programs


Security Management Program

• Sets organization-wide policies and procedures that define how the program integrates into the company’s overall management system

• Includes management commitment and accountability

• Includes:

• Accountability

• Implementation

• Competence

• External Practices

• Internal Practices

Advantages

• Ensures that all aspects of security are considered

• Provides 'best practice' guidance

• Developed by a large group of security practitioners, ensuring that it is based on a broad base of experience

• Provides guidance on requirements, objectives, and metrics

• Demonstrates professionalism to senior management and external stakeholders

• Tells you what to do, not how to do it

Security Management Program Elements

Based on the Canadian Standards Association’s Z246.1-09 Security Management for Petroleum and Natural Gas Industry Systems

1. Security Management Program

2. Security Risk Management

3. Information Security Management

4. Information Technology/Control Systems Security

5. Personnel Security

6. Physical Security Measures

7. Security Incident Management

8. Contingency Planning

9. Threat Response Planning

10. Change Management Process

11. Evaluation & Review

12. Continuous Improvement

Security Risk Management

• Identify and classify security risks

• Develop and implement strategies and security controls to eliminate or mitigate risks

• Security risk management activities must consider asset:

• Type

• Size

• Location

• Criticality

• Risk should be continually assessed across the organization by determining the likelihood and impact of potential threats

Information Security Management

• Policies and procedures for protecting both hard-copy and digital information from the time of conception through to its final disposition

• Should include documented policies and procedures

• Areas to consider include classification and labelling, handling, destruction, training, incident reporting and investigation, and audit, compliance, and disaster recovery

• Determination of what to protect is done by risk assessment: what information could hurt the company if it got into the wrong hands, either accidentally or on purpose?

Information Technology Security

• Information technology is protected by a combination of controls, processes, procedures, organizational structures, software, and hardware

• The aim is to protect data confidentiality, integrity, and availability

• ISO 27002 provides best practice recommendations on information security management

Industrial Control Systems Security

• Control systems run industrial production equipment, and are heavily used in the energy industry

• Often targeted by hackers or other threat actors

• NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security is an excellent resource on this subject

• NERC CIP standards might have a thing or two to say on this


Personnel Security

• Protection of personnel

• Workplace Violence Assessment & Prevention

• Security Training and Awareness

• Personnel Screening

• Personnel Termination

• Employee Travel

Physical Security Measures

• Minimum physical security guidelines

• Vehicle searches

• Signage standards

• Chain-link fencing standards

• CCTV cameras

• Copper/metal theft prevention

• Guard force management

Facility Type

Access Control

Fence with Top Guard

Fenceline Intrusion Detection

CCTV/Lighting

Electronic Card Access

Interior Intrusion Detection

Locked Fence Gates with CCTV

Locked Exterior Access Doors

Visitor Management

Background Checks for all Unescorted Personnel

Signage

Critical Asset

Manned Power Plant ● ● ● ● ● During Silent Hours ● ● ●

Unmanned Power Plant ● ● ● ● ● ● ● ● ● ●

Control Room ● ● ● ● ● ●

PEECC ● ● ● ● ● ● ●

Switchyard ● ● ● ● ● ● ● ● ●

Non-Critical Asset

Thermal Power Plant ● ● See Note 1. ● During Silent Hours ● ● ●

Wind Facility ● ● ● ● ●

Solar Facility ● ● ● ● ●

Control Room ● ● ● ● ●

PEECC Optional ● ● ●

Switchyard ● ● ● ● ●

Office Building/Data Centre ● ● ● ● ● ●

Construction Site ● ● ● ● ●

Facility Type

Guards

Fixed Post

Mobile Patrols

Safe Walk Program

Security Shuttle

Regulatory Requirements

NERC EOP-004/ARS CIP-001

NERC/ARS CIP-002 to CIP-014

Critical Asset

Manned Power Plant ● ● ● ●

Unmanned Power Plant ● ● ●

Control Room ● ● ● ●

PEECC ● ● ●

Switchyard ● ● ●

Non-Critical Asset

Control Room ● ●

PEECC ●

Thermal Power Plant ● ●

Switchyard ● ●

Wind Facility ● ●

Solar Facility ● ●

Office Building/Data Centre: Guards may be used if deemed necessary because of local security conditions

Construction Site ●

Security Incident Management

• Incident reporting

• Investigations

• Workplace violence incident management

• Lessons Learned

• Security Management Program upgrades

5 Oct 2014 23:27

Investigations

Investigations

6 Oct 2014 05:27

7 Oct 2014 23:28

Investigations

Contingency Planning

• Business Continuity Management

• Emergency Response Program

• Crisis Management Planning

Contingency Planning

• Business Continuity Management

• Emergency Response Program

• Crisis Management Planning

▪ Includes loss of:

  ▪ People

  ▪ Office space

  ▪ Critical IT systems

Contingency Planning

• Business Continuity Management

• Emergency Response Program

• Crisis Management Planning

o Used at the production facility level

o Includes communications, equipment, and tactical response plans for all the scenarios deemed of concern during a Hazard Risk Vulnerability Assessment

Contingency Planning

• Business Continuity Management

• Emergency Response Program

➢ Crisis Management Planning

o Used at the corporate level to marshal resources and senior executive leadership to solve problems that threaten the company's people, assets, or reputation

o Part of the emergency response program

Threat Response Planning

TRPs bring together a number of elements of the security management program: they are not part of the CSA standard

• Threat and vulnerability assessment

• Security measures

• Observation plan

• Random security measures

• Response plan

• Communications

• Training and review

Conclusion

• Use of a standardized security management program template can help you to ensure that all elements of security are considered in your security plan

• They add dignity to what would otherwise be a vulgar brawl

• We are trying to develop a security management program template in the electricity sector, and we could use your help


Questions?