NERC Steering Committee
Critical Infrastructure Protection
CIP Version 5 and Beyond
September 12, 2014
Welcome
NERC Critical Infrastructure Protection Committee
Sept 20th 2016
Mike Mertz – Director, NERC Reliability Governance & Operations Technology
Welcome to New Mexico
PNM Resources Snapshot
New Mexico and Texas Service Territories
TNMP Background
• ~243,000 homes and businesses in more than 70 communities in Texas
• 9,000+ miles of transmission and distribution lines
• Power provider for critical international petroleum customers along the Texas Gulf Coast.
PNM Background
• 516,658 customers
• 15,025 miles of transmission and distribution lines
• 2,787 megawatt generation capacity
• 276 Substations
PNM Energy Portfolio (Capacity)
• Coal 40.3%
• Nuclear 11.0%
• Gas 38.2%
• Wind 8.4%
• Solar 1.8%
• Other 0.4%
Industry Challenges
Industry Challenges
• Beyond NERC CIP
• Compliance vs. Security
• Threat evolution
• Ukraine - Distribution system security
Medium Impact
High Impact
Low Impact
Industry Challenges
“At least one user will click on anything…”
Every Security Professional
E-ISAC Update
Marcus Sachs, Senior VP & Chief Security Officer
CIPC Meeting
September 20, 2016
Summary of Q2 2016
• Sharing and reporting
  - 193 E-ISAC staff posts to the portal
  - 70 member responses to the portal items
  - 71 additional posts to the portal from members
  - 107 calls to the E-ISAC hotline
  - 371 new portal accounts
• Engagement (monthly average during the quarter)
  - 250 webinar attendees
  - 511 downloads of the daily report
• Active portal membership on June 30, 2016
  - 828 NERC registered entities (60% of 1389 registered entities)
  - 335 non-NERC registered entities (17% of estimated 2000 eligible)
  - 58 partners (government, other ISACs, etc.)
Advisories and Reports
• NERC Advisory Issued in May in response to rise in ransomware attacks
  - Summarized a detailed technical report issued earlier in May
  - Extortion via software that encrypts files may surpass credential harvesting of financial information
All About The E-ISAC
• Engaging the E-ISAC and …
• Understanding Your E-ISAC
  - Joint effort between the E-ISAC and the Member Executive Committee
  - Explains how the E-ISAC works and what to share
  - Outlines products and services
  - Explains the NERC – E-ISAC separation protocol
• E-ISAC Brochure
  - Designed as a “take-away” document
  - Summarized products and services
  - Explains how to join and what to share
  - Provides contact information
E-ISAC Staffing and Support
• Staffing
  - Twenty employees plus two contractors in the Washington, DC office
  - Training and exercises manager opening – currently recruiting
  - Member services manager (ESCC recommendation) hired in August
  - Initiative to integrate DNG-ISAC analyst underway
• Technology
  - Network and email migration nearing completion
  - STIX/TAXII pilot initiated
  - Portal-to-platform project initiated
  - Funding for the portal improvements approved by the Board of Trustees
    o Initial improvements now underway
    o Major changes coming in 2017
Member Executive Committee
• 2016 Work Plan approved at the March MEC meeting
  - Publish a “How-To” Guide (“Understanding Your E-ISAC”)
  - Develop E-ISAC Products and Services List
  - Define E-ISAC Role in Classified Briefings
  - Establish User Communities
  - Develop Strawmen for E-ISAC Reports
  - Pilot Automated Information Sharing (Platform)
  - Initiate Improvements to the Portal
  - Develop Plan to Evaluate 24/7 Watch and Notification Capability
  - Conduct Site Pen Testing
• All items on track at end of Q2
  - Some have been completed
E-ISAC Update
Joseph Januszewski, Senior Watch Officer
CIPC Meeting
September 20, 2016
Summary of Q2 2016
• Overall Trends
  - Ransomware
  - Phishing
  - Suspicious Traffic Reporting
• E-ISAC Cyber Security Capabilities
  - Increased reporting by E-ISAC partners
  - Focus on obtaining, analyzing, and sharing indicators of compromise and actionable threat information
  - Enabling electricity companies to identify sector-relevant threats and attacks
CyberBulletin Topics
Ransomware
• Various Forms of Ransomware Reported by Members
  - Teslacrypt
  - Locky
  - Nymaim Trojan
  - Angler EK
• Other Critical Infrastructure Sectors Affected
  - Financial
  - Healthcare
  - Retail
Phishing
• Attempts at Social Engineering
  - Dridex malware
  - Typical indicators include email subjects related to “Purchase Orders”
• “Whaling”
  - Catching a “big fish” – typically focused on C-suite employees
  - Typically requesting funds transfer to another employee
Updates
• A DVD of malware for analysis submitted to E-ISAC
  - An increase in sharing to broaden our dataset further
• CRISP is now attributed in portal postings
• The E-ISAC STIX/TAXII service is coming prior to end of the year
• Portal improvements will be starting in October/November
Physical Security Analysis Team Update
Charlotte de Sibert
CIPC Meeting
September 20, 2016
CIPC Brief Topics
• “Suspicious Activity” – What is it and why does it matter?
• Topic: Insider Threat
• Best Practices
• Physical Security Advisory Group Update
Suspicious Activity
• What is “suspicious activity”? and why do I see so many bulletins about it?
  - E-ISAC analysis team is here to assist in connecting the dots
• Examples
  - Social engineering: information elicitation
  - Break-ins with nothing stolen
  - Surveillance
Best Practices
Incident Overview
On September 6, a member in Arkansas reported that, beginning at approximately 04:56 CDT, three breakers at a substation were tripped. The two 115 kV line trips were restored within minutes, but the distribution load loss caused 1900 customers to lose power for approximately 100 minutes. Customer power was restored at 06:33 CDT. Upon initial investigation at the substation yard, corporate personnel found 4 breaker box cabinets open. Three breakers appeared to have been manually tripped. Local law enforcement investigated and classified the event as a crime and stated they would notify the FBI. There were no signs of theft or damage to any breakers or equipment. Corporate security has initially identified a potential insider threat suspect, due to a recent employee termination, which is currently under investigation. High security locks were added to each cabinet and any external trip devices were disabled or removed. There were no major impacts to operations or the Bulk Electric System as a result of this event.
Information Sharing Process
So I filled out the form…
• E-ISAC OPS received reporting (EOP-004)
• Follow up with utility security dept.
• Portal posting
• Follow up questions from another utility
• Internal AAR
Insider Threat
Definition:
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
Insider Threat
• Different types of insider threats
  - Passive: Inadvertently passes on sensitive information or is a victim of social engineering.
  - Active Non-Violent: Someone with access to operationally sensitive materials who willingly leaks confidential information with intent to harm or impact the company and its reputation.
  - Active Violent: Willing to use force, weapons, and kill or be killed to inflict damage or injury to Company employees or assets.
• Statistics (FEMA):
  - 44% of respondents attributed some loss at their organizations to insiders.
  - 46% said that damage caused by insider attacks was more harmful than that caused by outsiders.
Insider Threat Takeaways
• Insider Threat is a human issue.
• Not a new threat, but there are continually evolving TTPs.
• A few best practices …
  - Timing employee termination
  - Top-down and lateral “buy-in” for Insider Threat program
  - Liaise with law enforcement prior to an incident
PSAG
• What is the Physical Security Advisory Group?
  - The PSAG provides seasoned expertise to advise the industry on the threat mitigation strategy to enhance BES physical security and reliability.
  - The industry benefits from advice on security operational plans, policy and procedures, evolving security technology, training, incident response and management.
  - The PSAG consists of 20-25 members of senior industry security leaders, DOE, and informed industry observers.
• Current Efforts
  - DBT (includes updates and applications)
  - Enhanced Background Investigation Screening Effort
  - Whitepapers
GridSecCon 2016
NERC’s Sixth Annual Grid Security Conference
October 18 – 21, 2016
Hilton Quebec, Canada
“Northern Lights”
For security professionals interested in threats and policy issues related to the physical and cyber security of the bulk power system
GridSecCon 2016 Agenda
Tuesday, October 18, 2016 – Free training in physical or cyber security
Wednesday, October 19, 2016 – “Strategy and threat day” - Keynotes and presentations by Senior executives
Thursday, October 20, 2016 – “Solutions day” – Keynotes and panels
Friday, October 21, 2016 – Host utility tours and threat briefings at classified and FOUO levels
http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx
Quebec City - Martin St-Amant - Wikipedia - CC-BY-SA-3.0
Project 2016-02
CIP Modifications
David S. Revill, Georgia Transmission Corporation
CIPC Meeting
September 20-21, 2016
RELIABILITY | ACCOUNTABILITY
The CIP Standard Drafting Team
| Role | Name | Entity |
|---|---|---|
| Chair | Margaret Powell | Exelon |
| Vice Chair | Christine Hasha | Electric Reliability Council of Texas |
| Vice Chair | David Revill | Georgia Transmission Corporation |
| Members | Steven Brain | Dominion |
| | Jay Cribb | Southern Company |
| | Jennifer Flandermeyer | Kansas City Power and Light |
| | Tom Foster | PJM Interconnection |
| | Richard Kinas | Orlando Utilities Commission |
| | Forrest Krigbaum | Bonneville Power Administration |
| | Philippe Labrosse | Hydro-Quebec TransEnergie |
| | Mark Riley | Associated Electric Cooperative, Inc. |
| | Zach Trublood * | Sacramento Municipal Utility District |
Drafting Team Scope
• Revisions will cover eight issue areas:
  - LERC definition (Order 822) – deadline of March 31, 2017
  - Transient devices used at low-impact BES Cyber Systems (Order 822)
  - Communication network components between BES Control Centers (Order 822)
  - Cyber Asset and BES Cyber Asset Definitions (V5TAG)
  - Network and Externally Accessible Devices (V5TAG)
  - Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations (V5TAG)
  - Virtualization (V5TAG)
  - CIP Exceptional Circumstances
• In addition, the SDT will consider one Request for Interpretation concerning shared BES Cyber Systems.
LERC Definition
• Changed Low Impact External Routable Connectivity to Low Impact External Routable Communication (LERC) to focus on the communication that occurs crossing the boundary of the asset containing the low impact BES Cyber Systems to more cleanly align with the output of CIP-002-5.1 R1, Part 1.3.
• Removed from the definition the word ‘direct’ thus expanding the LERC definition to be inclusive of both direct and indirect connections.
• Simplified LERC as an attribute of a BES asset concerning whether there is routable protocol communications across the asset boundary.
• Removed the dependency between the electronic access controls that may be in place and having those controls determine whether LERC exists or not.
Retirement of LEAP
• The changes to LERC changed the focus of the CIP-003 requirements, and no longer emphasized the “interface” that controlled the connectivity.
  - Current Term: “Low Impact BES Cyber System Electronic Access Point” (LEAP): A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.
• As a result, the SDT removed use of the term “LEAP” and proposed its retirement.
CIP-003-7 Requirements
• For those BES assets that have LERC, the SDT changed the requirement to require electronic access controls to “permit only necessary electronic access to low impact BES Cyber Systems.”
• The SDT also revised CIP-003-6, Attachment 1, Section 2 to accommodate the retirement of LEAP in the physical security section and to provide for the physical security of the Cyber Assets performing the electronic access controls required in Section 3.
CIP-003-7 Requirements
Section 2. Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity to: (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Cyber Asset(s), as specified by the Responsible Entity that provides electronic access control(s) implemented for Section 3.1, if any.
Section 3. Electronic Access Controls: Each Responsible Entity shall:
3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s).
3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.
LERC Revisions Status
• Ballot period closed September 6, 2016
  - LERC Definition: 30.63% approval
  - CIP-003-7 Changes: 41.54% approval
  - Implementation Plan: 41.77% approval
• SDT meeting next week (September 27-29, 2016) to discuss comments
  - Response to comments
  - Revisions to definition, requirements language, and implementation plan
  - Post for another 45-day period following that
Transient Devices at Lows
Discussion Items
• Proposed adding Section 5 to CIP-003, attachment 1 to address TCAs at assets containing low impact BES Cyber Systems in keeping with the stakeholder request to keep requirements on lows in one place.
• Kept the requirement language consistent with that of CIP-010 to minimize inconsistency between lows and highs/mediums.
• Approved requirement language and measures in response to the FERC directive to post for stakeholder comment/ballot.
• Action Items:
  - Draft and propose Guidelines and Technical Basis
  - Discuss Implementation Plan timing
  - Develop associated documents to post for formal stakeholder comment and ballot (Consideration of Directives; Implementation Plan, VRF/VSL and justification, Comment Form)
Control Center Communication Networks
Discussion Items
• Reviewed the Order 822 Directive language.
• Discussed IRO-010 and TOP-003 as a basis for the scope of sensitive bulk electric system data that needs protection.
• Presented three options for discussion:
  - Option 1: Allow the future enforceable IRO-010 R3 and TOP-003 R5 standards to handle the protections of communication links between Control Centers.
  - Option 2: Develop a CIP requirement, potentially in CIP-005, to set a security objective for protecting sensitive bulk electric system data between Control Centers.
  - Option 3: Develop a CIP requirement with parts based on impact level outlining security objectives and potential security controls for data in transit and data at rest.
• Discussed the pros/cons of including these requirements in a new standard.
• Identified that coordination is needed between the CIP SDT and the IRO/TOP SDT.
Control Center Communication Networks
Discussion Items
• Action Items
  - Keep developing requirement language.
  - Consider and refine scope.
  - Determine role of data at rest and risk.
  - Clarify what qualifies as Sensitive BES Data.
  - Take the SDT input to flesh out a proposal that:
    o Uses risk-based impact on asset classification not on the data itself and assigns risk levels to different impact levels.
    o Defines scope (that can draw from IRO-010 and TOP-003).
    o Articulates the security objective.
    o Sets implementation expectations.
    o Is written as a separate standard (though can revisit if adjustments for lows-only is appropriate).
Definitions and Concepts
Discussion Items
• Discussed the problem statements on the following definitions:
  - BES Cyber Asset and the concept of “adverse impact”
  - External Routable Connectivity (ERC)
  - Interactive Remote Access (IRA)
• Considered whether changes to the definition or another approach are appropriate to respond to the problem statement.
• Action Item
  - Continue to assess the issues raised in the Transfer Document and develop proposed revisions in response to the issues.
• Presented four options considered by the sub-team: Option 1: Revise CIP-002-5 Attachment 1: Criteria 2.1.2. Option 2: Add Exemption process. Option 3: Define Cybersecurity Program for TO with capability to operate
Transmission Facilities. Option 4: No further action by the SDT and refer recommendations for
ERO consideration (recommended).
• Discussed the recommendation of no further action by SDT.• Action Item Sub-team will prepare a discussion document on the research findings, the
recommendation, the reasoning, and the implications. The SDT will review and will consider posting for stakeholder input.
Transmission Owner (TO) Control Centers Discussion Items
• Robust discussion of virtualization issues
• Discussed the defined term “Cyber Asset;” use of the term “device” within the definition implies a physical system.
• NERC shared a presentation outlining its view on currently permitted virtualization architectures.
  - Introduced terms:
    o Mixed-trust - including CIP and non-CIP systems within a virtual environment
    o Mixed-impact - including multiple high, medium, and low impact level BES Cyber Systems within a virtual environment
• Identified the need for a framework to discuss the additional risks introduced by the use of virtualization technologies.
Virtualization Discussion Items
• Action Items
  - Take the SDT input and organize the virtual types, risks of the virtual environment, and assessment of existing requirement language (including measures, GTB) to provide mitigating controls.
  - Compare the scenarios for mixed trust and homogenous environments.
  - Be mindful of TCAs impact on virtual system.
  - Review CIP-011 controls for useful language and context.
Virtualization Discussion Items
• Reviewed a draft risk matrix template identifying risks specific to virtualization as a framework for determining where controls need to be added or modified to address virtualization implementations.
• Discussed expanding CIP-010 R1 to include configuration elements associated with logical separation as part of the baseline.
• Action Items
  - Continue work refining the virtualization risk matrix with the goal of identifying requirements to revise any gaps that need requirements.
  - Continue work on definitional aspects of virtualization.
  - Work to formalize a proposal for full team review on mixed trust.
Virtualization Discussion Items
• Presented a list of requirements under consideration.
• Discussed options related to CEC.
  - Option 1: Add CEC to appropriate requirements or parts throughout standards.
  - Option 2: Add requirement in CIP-003 to develop a program for CEC and remove from requirements or parts throughout standards.
    o Clearly cover event start and end.
    o Ensure back out plans are included.
• More analysis and discussion are necessary to review appropriate use of CEC in a program manner.
• Action Item
  - Develop language to describe programmatic language and map the proposed requirement revisions.
CIP Exceptional Circumstances (CEC) Discussion Items
• Reviewed proposed programmatic requirement language to add to CIP-003:
  - Revised CIP-003, R1.1.9 to remove ‘declaring and responding’ to a CEC.
  - Reviewed and refined a draft new Requirement R5.
• Action Items
  - Confirm with NERC Legal:
    o Can one requirement suffice to give compliance relief for another standard?
    o Can it stand-alone and be in the introduction section of each CIP standard?
    o Can reporting be performed as part of compliance monitoring efforts?
  - Revise CIP-003-6 to address:
    o Proposed language in standard format;
    o Draft and propose Guidelines and Technical Basis;
    o Address question of reporting or notification obligations (outside of compliance monitoring efforts).
CIP Exceptional Circumstances (CEC) Discussion Items
• Reviewed the Request:
  - …does the phrase “shared BES Cyber Systems” refer to discrete BES Cyber Systems that are shared by multiple units, or groups of BES Cyber Systems that could collectively impact multiple units?
• Response (abridged):
  - The Responsible Entity should take into consideration the operational environment and scope of management when defining the BES Cyber System boundary in order to maximize efficiency in secure operations.
  - Shared BES Cyber Systems are those that are associated with any combination of units in a single Interconnection, as referenced in CIP-002-5.1, Attachment 1, impact rating criteria 2.1 and 2.2.
  - The phrase applies to each discrete BES Cyber System.
EnergySec Interpretation Approval and Posting
• Information relative to the CIP Modifications SDT may be found on the Project 2016-02 Project Page under Related Files:
  http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx
• The Project 2015-INT-01 Interpretation of CIP-002-5.1 for Energy Sector Security Consortium (EnergySec) may be found:
  http://www.nerc.com/pa/Stand/Pages/Project-2015-INT-01-Interpretation-of-CIP-002-5-1-for-EnergySec.aspx
Resources
• Notice of Inquiry
  - In response to the Ukraine incident, FERC is seeking comment on modifications to the CIP standards for cyber systems in Control Centers.
  - FERC is seeking feedback in the following areas:
    o Isolation from the internet
    o Application whitelisting
  - Comments are due September 26th.
FERC NOI – Cyber Systems in Control Centers
• Order 829
  - Directed the development of a Supply Chain Security Standard.
  - Must be submitted to FERC by September 27, 2017 (Order 829 Effective September 27, 2016)
• The new standard must address the following security objectives: software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls.
• Cyber Supply Chain SDT Seated at the 9/14/2016 Standards Committee Meeting
FERC Order 829 - Supply Chain Security Requirements
| | Name | Company |
|---|---|---|
| Chair | Corey Sellers | Southern Company |
| Vice Chair | JoAnn Murphy | PJM Interconnection, L.L.C. |
| Members | Christina Alston | Georgia Transmission Corp. |
| | James W. Chuber | Duke Energy |
| | Norm Dang | IESO of Ontario |
| | Chris Evans | Southwest Power Pool |
| | Brian Gatus | Southern California Edison Company |
| | David Bryan Gayle | Dominion Resources Services, Inc. |
| | Thruston J. Griffin | CPS Energy |
| | Skip Peeples | Salt River Project |
| | Jason Witt | East Kentucky Power Cooperative |
NERC CIPC Compliance and Enforcement Input Working Group
Paul Crist
CIPC Meeting
September 20-21, 2016
Critical Infrastructure Protection Committee
April 2016
Business Continuity Guideline TF (Darren Myers)

Executive Committee
Joe Garmon, Seminole
Marc Child, Chair, Great River Energy
Melanie Seader, EEI
David Grubbs, City of Garland
Nathan Mitchell, Vice Chair, APPA
Jack Cashin, EPSA
Ross Johnson, CEA
David Revill, Vice Chair, NRECA
Chuck Abell, Ameren
John Galloway, ISO-NE
Sam Chanoski, Secretary, NERC

Physical Security Subcommittee (David Grubbs)
Cybersecurity Subcommittee (David Revill)
Operating Security Subcommittee (Joe Garmon)
Policy Subcommittee (John Galloway)
Physical Security WG (Ross Johnson)
Security Training WG (David Godfrey)
Control Systems Security WG (VACANT)
Grid Exercise WG (Tim Conway)
BES Security Metrics WG (Larry Bugh)
Physical Security Standard WG (Allan Wick)
Compliance and Enforcement Input WG (Paul Crist)
Physical Security Guidelines WG (John Breckenridge)
Topics Discussed:
• CIP SDT SAR
• CEIWG Charter Changes
• CIP 003-7 Comments
• CIP 002-5.1 Interpretation
• CIP V5 Audits/Concerns
• April 1, 2017 deadline changes
Agenda
Charter Revisions
Drivers for Charter Revisions
• From the 2017 NERC Business Plan and Budget Compliance Assurance Department
    o Compliance monitoring of the CMEP
    o CIP Compliance and Transition
    o Regional Entity Oversight for Risk-Based Compliance Monitoring
• Compliance Enforcement Department
  - Oversees Enforcement Processes
  - Ensures Consistent and Effective Implementation of risk-based CMEP with the eight Regional Entities
  - Focus on matters that pose greatest risk to reliability
Mark Lauby
Valerie Agnew Ken McIntyre
Charles A. Berardesco
Sonia Mendonca
Charter Revisions
Compliance Assurance
• Background and Scope
  - Critical Infrastructure Protection (CIP) Version 5 activities related to education programs that support industry compliance and the integration of risk assessment and internal controls;
  - CIP-014-1 training and outreach activities related to effective implementation of the Physical Security Reliability Standard;
  - Oversight of the use of necessary compliance-related processes, procedures, IT platforms, tools, and templates;
• Stakeholder Engagement and Benefit
  - Compliance Assurance – Collaboration with industry and Standards department staff will occur early in the standard development process by providing draft compliance monitoring guidance, including information on how compliance with draft standards will be determined, as well as input to the drafting teams on the auditability and enforceability of the draft standards. This will ensure that ERO Enterprise tools used in the auditing process, such as the reliability standards auditing worksheet (RSAW), do not expand or modify standards requirements.
Compliance Enforcement
• Guiding Enforcement Principles
  - Enforcement program promotes culture of reliability excellence through a risk-based approach.
  - The ERO Enterprise applies a presumption of non-enforcement treatment of minimal risk noncompliance to entities with demonstrated internal controls who are permitted to self-log such minimal risk issues.
  - The ERO Enterprise maintains an elevated level of transparency regarding enforcement matters. NERC’s Rules of Procedure (including the CMEP and Sanction Guidelines) and program documents are available to the public.
  - Noncompliance information is used as an input to other processes.
  - Compliance Exceptions
  - Self-Logging
• 2017 Goals and Deliverables
  - Working closely with NERC’s Compliance Assurance and Information Technology departments, as well as staff in the Regional Entities, regarding the evaluation of improvements in the existing compliance, reporting, analysis tracking system, and other compliance tools to support risk-based activities.
Charter Revisions
Charter Revisions
• Meetings 2nd Thursday of the month at 1:00 CST
(Please let me know if you need the call-in information)
Next Conference Call: October 13th, 2016 at 1:00 CST
Critical Infrastructure Protection Cmte
Annual Strategic Planning
Marc Child, Chair
CIPC Meeting
September 20, 2016
Annual Planning Goals
• Align CIPC efforts with NERC strategic plan
• Review workgroup & task force charters
• Retire workgroups & task forces as necessary
• Identify new work areas
• Modify CIPC work plan
• Review CIPC charter
• Review quarterly meeting agenda (content)
CIPC Charter
• Advisory Panel to the NERC Board
• Coordinate and communicate
  - With trades, E-ISAC, other critical infrastructure sectors
  - With government agencies, other technical committees
• Facilitate information sharing
• Develop guidelines
• Assist in development efforts for CIP standards
  - Provide expert resources to drafting teams
  - Develop guidance
  - Provide a forum for debate
  - Provide workshops & educational opportunities
Source: http://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Charter%20BoT%20approved%205-05-2016.pdf
Workgroups & TF’s
New Work Ideas?
• BES Metrics
  - ERO performance indicators
  - Asset owner threat indicators
• Coordinate and communicate
  - State of security report (compliance + E-ISAC)
• Facilitate information sharing
  - Security clearances, transition to DOE
  - Regional briefings
• Develop guidelines
  - GridEx recommendation
  - Information sharing 101
New Work Ideas?
• Assist in development efforts for CIP standards
  - CIP-003-7
  - Supply Chain
  - Whitelisting control systems
• Provide workshops & educational opportunities
  - 2017 and beyond
Source: http://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Charter%20BoT%20approved%205-05-2016.pdf
CIPC Meeting Agenda
• Today
  - E-ISAC update
  - NERC compliance update
  - Legislative update
  - Agency updates
  - Subgroup updates
• Ideas?
  - The agenda package includes all slide decks
  - Briefings can be shortened (ex: “You’ve seen my slides, any questions?”)
  - Add more security content
    o Technical presentations – vendors, asset owners
    o Reports from regional CIPC’s
Legislative Update
Nathan Mitchell, American Public Power Association
CIPC Meeting
September 20-21, 2016
Fixing America's Surface Transportation
FAST Act 2015
• Provides the Secretary of Energy with the authority to address grid security emergencies
• DOE should develop a plan to establish a Strategic Transformer Reserve
• The plan should address impacts from: physical attack; cyber-attack; electromagnetic pulse attack; geomagnetic disturbances; severe weather; or seismic events.
• The plan must also include cost estimates and funding options.
Cyber Information Sharing Act 2015
• DHS initiated the automated indicator sharing (“AIS”) program
• Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
• Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Privacy and Civil Liberties Interim Guidelines
S.2012
S. 2012: North American Energy Security and Infrastructure Act of 2016 (In Conference)
• On Thursday, September 15, the House Energy & Commerce Committee’s Subcommittee on Energy & Power held a hearing entitled “The Department of Energy’s Role in Advancing the National, Economic, and Energy Security of the United States.”
• Department of Energy (DOE) Secretary Ernie Moniz testified about the role of DOE in implementing legislation designed to improve the nation’s energy policy and modernize energy infrastructure.
Secretary Moniz testimony
In his opening statement, Secretary Moniz discussed DOE’s role in establishing energy security
• accommodating rapidly changing energy technology,
• encouraging participation in international energy markets,
• improving energy efficiency, and
• hardening infrastructure to ensure resiliency in the face of weather threats, electromagnetic pulse (EMP) threats, cyber threats, outdated infrastructure, and others.
• addressing various threats pursuant to authority granted to DOE in the FAST Act,
• He recognized DOE’s critical role in national security through emergency preparedness.
Secretary Moniz testimony
• has successfully implemented a number of private sector cybersecurity tools to ensure grid security. Among these tools, the Cybersecurity Risk Information Sharing Program (CRISP)
• active collaboration with several key federal agencies in implementing security measures, including FEMA and DHS.
• research efforts to identify EMP threats, in collaboration with the Electric Power Research Institute (EPRI), are ongoing and remain classified.
• discussed options for improving the nation’s international position with respect to energy, encouraging innovation, and maintaining the integrity of our national supply of energy against cyber, physical, and economic threats.
Secretary Moniz testimony
“We know that adversaries and homegrown actors are interested in the vulnerabilities of our critical infrastructures. Challenges like these underscore the need to rethink energy security in light of modern domestic and global energy markets… The goal is to ensure that we are maximizing the prospects for rapid deployment of technologies that can contribute to securing our Nation’s energy infrastructure.”
NERC RISC Update
Nathan Mitchell, American Public Power Association
CIPC Meeting
September 20-21, 2016
RISC Report Objective
• Part of the RISC’s role is to identify trends and evolving issues that have the potential to degrade reliability so that actions based on sound technical judgment can be taken. As the character and reliability behavior of the BPS evolves, a wide range of the reliability or resilience tools should be identified to guide industry, regulators, and the ERO in effectively managing these risks. The industry must improve forward assessments of reliability and identify resilience activities that anticipate changes.
Key points on resiliency and recovery
• In 2015, the top 10 most severe events were related to weather. Industry should perform post-event reviews to capture lessons-learned and how to reduce the impact of future events.
• Identify single-points-of-vulnerability.
• Continue to leverage industry-practice-sharing forums to enhance resilience and recovery.
• Leverage data sources to identify patterns and risks.
• Highlight applicable metrics in the State of Reliability report as benchmarks for resilience and recovery.
• Continue to include resilience goals in the ERO Enterprise’s strategic plan.
RISC Priority Profiles
High Risk Profiles
• Cybersecurity Vulnerabilities
• Changing Resource Mix
• BPS Planning
• Resource Adequacy
Moderate Risk Profiles
• Loss of Situational Awareness
• Physical Security Vulnerabilities
• Extreme Natural Events
Low Risk Profiles
• Asset Management and Maintenance
• Human Performance and Skilled Workforce
Focus Areas and Recommendations
Cybersecurity Vulnerabilities (Risk Profile #9)
• The ERO Enterprise and the industry should adopt a nimble, multipronged approach to address the continually evolving cybersecurity threat. Examples of nimble tools include increased E-ISAC participation and products, peer reviews and assistance visits to move to a best practice model, guides and recommendations for new and less-defined threats.
• Enhance communications among the E-ISAC, the Telecommunications, and Natural Gas Information Sharing and Analysis Centers. Expand the use, availability, and value of cybersecurity threat and vulnerability information sharing, analytics, and analysis.
• Foster development of a security culture among employees at all utilities and across the ERO Enterprise.
Medium Priority
• Extreme Natural Events: Severe weather or other natural events (e.g., hurricanes, tornadoes, protracted extreme temperatures, geomagnetic disturbances, floods, earthquakes, etc.) are one of the leading causes of outages, and the industry must remain vigilant in improving preparation and coordination in order to minimize the effect of such events.
• Physical Security Vulnerabilities: Like cybersecurity, there is an increasing and evolving threat profile from physical attacks. The intentional damage, destruction, or disruption to facilities can cause localized to extensive Interconnection-wide BPS disruption potentially for an extended period.
Risk Mapping
Cyber Near term Recommendations
• Address FERC CIP directives on SDT efforts underway and supply chain risk management.
• In collaboration with the CIPC and industry stakeholders, develop a risk process to address the potential impacts of cyber security threats and vulnerabilities.
• Continue information sharing protocols among interdependent ISACs
• The E-ISAC should continue outreach to industry to increase registration and utilization of E-ISAC portal.
• The E-ISAC should mature CRISP and encourage expanded participation.
Cyber Near term Recommendations
• NERC and the CIPC should prioritize lessons learned from regional and national exercises (e.g., GridEx) and publish lessons learned and guidelines as needed.
• Facilitate planning considerations to reduce the number/exposure of critical facilities.
• The industry should encourage the development of a peer review process for emerging risks.
• The industry should create and foster an internal culture of cyber awareness and safety.
• NERC should develop effective metrics formulated to understand the trend of cyber-attacks and potential threats.
Physical Security Recommendations
• Oversee the implementation of CIP-014-1
• E-ISAC and industry should expand communications among the Telecommunications, Water, and Natural Gas ISACs.
• The ERO Enterprise should develop effective metrics formulated to understand the trend of physical attacks and potential threats.
• Assess the risks of physical attack scenarios on midstream or interstate natural gas pipelines
• Promote existing and new efforts to improve a spare equipment strategy and prioritization.
• Develop a catalog of regional/national exercises that incorporate extreme physical events
Physical Security Recommendations
• The forums and trades should perform the following activities:
  o Identify and promote specific resiliency and vulnerability assessment best practices with planning for extreme events, including good physical security assessment practices.
  o Develop an event guideline outlining prevention strategies and event response and recovery protocols for sabotage scenarios.
• In collaboration with the CIPC and industry stakeholders, develop a risk process to address the potential impacts of physical security threats and vulnerabilities.
GridEx IV Update
Tim Conway, SANS Institute
CIPC Meeting
September 20-21, 2016
Where Are We Now?
Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors
Develop a Narrative
• Backstory or ground truth:
• Attacker profile
• The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions
MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas
GridEx IV Portal
Process Flatlined
Preparation Identification Containment Eradication Recovery Lessons Learned
GridEx 2011, GridEx II, GridEx III
GridEx IV
Move 0
GridEx III Scenario Escalation Timeline
Figure axes: Scenario Time; Grid Reliability Level (Normal)
Distributed Play (scenario time):
• Move 1: T = 0 to 4 hours
• Move 2: T = 4 to 8 hours
• Move 3: T = 24 to 28 hours
• Move 4: T = 72 to 76 hours
Real time (Eastern):
• Nov 18, 9 am – 1 pm
• Nov 18, 1 pm – 5 pm
• Nov 19, 9 am – 1 pm
• Nov 19, 1 pm – 5 pm
Executive Tabletop: Nov 19, 11 am – 5 pm
ESCC Calls
GridEx IV Scenario Escalation Consideration
Figure axes: Scenario Time; Grid Reliability Level (Normal)
Move 0
Distributed Play (scenario time):
• Move 1: T = 0 to 4 hours
• Move 2: T = 4 to 8 hours
• Move 3: T = 24 to 28 hours
• Move 4: T = 72 to 76 hours
Real time (Eastern):
• Nov 15, 9 am – 1 pm
• Nov 15, 1 pm – 5 pm
• Nov 16, 9 am – 1 pm
• Nov 16, 1 pm – 5 pm
• Nov 16, 11 am – 5 pm
Executive TTX
Distributed Play
ESCC Calls
?
GE4 Conceptually Move 0
Move 0
Adversary Positioning
GE4 Conceptually Move 1
Move 1
Operational Effects
GE4 Conceptually Move 2
Move 2
Incident Identification & Reporting
GE4 Conceptually Move 3
Move 3
Incident Containment & Eradication
GE4 Conceptually Move 4
Move 4
Incident Recovery & After Action
Proposed Planning Schedule
Phases: Working Group, Initial Planning Phase, Mid-term Planning Phase, Final Planning Phase, Conduct, After Action
Activities:
• Establish Working Group members
• GridEx IV awareness
• Planner outreach
• Decide scenario themes
• Decide tools
• Coordinate with RCs
• Finalize scenario
• Develop supporting materials
• Confirm participation
• Distributed Play
• Executive Tabletop
• After-action survey and lessons learned
• Analyze survey results and lessons learned
• After Action Report and Briefing
• Distribute training materials
• Planners begin training
Milestones:
• GEWG Meeting: June 2016
• RC Meeting: Oct 5 2016
• Initial: Nov. 14 2016
• Midterm: February 2017
• Final: April 2017
• Execute GridEx IV: November 15-16, 2017
• Report: Q1 2018
Kick-Off:
• Confirm goals and objectives
• Finalize timeline
• Discuss outreach goals/plan
Notes:
• Planning will be about 3 - 4 months earlier for GridEx IV compared with GridEx III
• More training sessions available for Player prep on tools, GridSecCon 2017, Move Zero
Calendar
• Wednesday, September 21, 2016 GEWG Meeting: Sheraton Albuquerque Airport Hotel, Albuquerque, NM
  o Valle Grand II (1st Floor)
  o Lunch: 12 noon Mountain Time
  o Meeting / Call: 1-5 p.m. Mountain Time / 3-7 p.m. Eastern Time
• Wednesday, October 5, 2016 (not a GEWG meeting) ISO/RTO Council (IRC) Security Working Group (SWG) and IT Committee (ITC)
• Thursday, October 20, 2016 GridSecCon 2016 GridEx IV Panel – “preaching to the choir”
• Monday, November 14, 2016 GridEx IV Initial Planning Meeting
  o Booz Allen, McLean, VA
  o 10 a.m. – 4 p.m. Eastern Time
• Wednesday, December 14, 2016 GEWG meeting: Ritz-Carlton Buckhead, Atlanta, GA 1 – 5 p.m. Eastern Time
Other major dates
• Midterm Planning Meeting – February (Day TBD), 2017. Location: McLean, VA
• Grid Exercise Working Group - March 8, 2017. Location: TBD
• Final Planning Meeting – April (Day TBD), 2017. Location: McLean, VA
• Summer meetings and planner/player training presentations
• GridSecCon 2017 – October 17-20, 2017. Location: TBD (Minneapolis/St. Paul, MN)
  o Move Zero training, GridEx IV kickoff
• GridEx IV – November 14-17, 2017 (four days?!?)
  o Warmup ExCon day
  o Main days
  o Rapid Deployment day?
GEWG Big Picture
• Foundation
• Customization
• Execution
Move 0 Details
• Facilitated workshop model
  o Instructor-led, walk through of Move 0
  o Similar to CRPA approach
• Live hands-on environment model
  o Participants compete and score individually or as a team.
  o Objective is to work through all of the Move 0 injects.
  o Intersect with other GridEx tools and simulation technology.
  o Outcome is pre-determined and in line with Move 1 of distributed play.
  o Move 0 will test and prep tools and tech for Move 1.
• Distributed model
  o Remotely accessed
  o Available multiple weeks in prep for Move 1
  o Performance of some Move 0 tasks
BES Security Metrics WG
CIPC Update
Larry Bugh, Chair
Albuquerque NM
September 20-21, 2016
Critical Infrastructure Protection Committee
April 2016
Business Continuity Guideline TF (Darren Myers)
Executive Committee
• Joe Garmon, Seminole
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC
Subcommittees
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)
Working Groups
• Physical Security WG (Ross Johnson)
• Security Training WG (David Godfrey)
• Control Systems Security WG (VACANT)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Larry Bugh)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)
Security Metrics Development Roadmap
2015 and Beyond
We are here
BESSMWG Activities
Activities Since June 2016
• Met immediately following June CIPC meeting to:
  o Discuss status of draft metrics under development
  o Review and finalize charts for security metrics in NERC’s next State of Reliability report in 2017
• Met immediately prior to September CIPC meeting to:
  o Review Q2 2016 metrics results
  o Discuss status and next steps for metrics under development
  o Review Roadmap document for longer-term next steps
CIPC Update
BES Security Metrics
Q2 2016 Results
Reportable Cyber Security Incidents
Note: Under review to confirm if the incident met the reportable threshold
Reportable Physical Security Incidents
E-ISAC Membership
Industry-Sourced Information Sharing
Note: Physical Bulletins started in Q4 2014.
Global Cyber Vulnerabilities
Global Cyber Vulnerabilities and Incidents
Note: Only annual data available.
Next Steps
• Continue supporting the E-ISAC to review and validate quarterly data
  o Define and implement sub-categories for cyber and physical incidents
• Complete development of detailed definitions for any new metrics through 2016
  o Industrial control system vulnerabilities
• Begin drafting the Security Metrics chapter for the 2017 State of Reliability report
• Consider metrics for longer-term development
DOE Report to NERC CIPC
Jim McGlone
Infrastructure Security and Energy Restoration
September 21, 2016
DOE Report to CIPC
• Classified brief – December 13 (NOFORN)
• Classified VTC (ODNI document review)
• Successful SVTC pilot in July
• DBT refresh, December 2016
• PSAG + intel analysts + UAS expert
• Sector clearances transition to DOE
• EMP
• Strategic Transformer Reserve
• FAST ACT
• PPD-41
PPD-41
• The President issued Presidential Policy Directive 41, United States Cyber Incident Coordination, on July 26, 2016.
• In the event of a significant cyber incident, a national Cyber Unified Coordination Group (UCG) will be activated.
• DHS/National Cybersecurity Communications and Integration Center (NCCIC) is designated as the Asset Response Lead; and
• DOJ/FBI/National Cyber Investigative Joint Task Force (NCIJTF) is designated as the Threat Response Lead.
• The DOE, as the Sector-Specific Agency (SSA), through its representation in the UCG will be responsible for leading sector coordination.
PPD-41: DOE’s role in PPD as the SSA
• The Energy sector is one of the critical lifeline sectors as defined by DHS.
• Under PPD-21: Critical Infrastructure Security and Resilience and legislated in the 2015 FAST Act, DOE is the Sector-Specific Agency (SSA) for the energy sector.
• The SSA role enables us to work closely with electricity, oil, and natural gas partners through the coordinating councils and information sharing and analysis centers (ISACs)
  • ESCC
  • ONGSCC
  • E-ISAC
  • ONG-ISAC
  • DNG-ISAC
PPD-41: DOE’s role in Cyber UCG
• PPD-41 describes a national Cyber Unified Coordination Group, which includes the FBI, DHS, the Intelligence Community, and affected sectors.
• DOE is included in the Cyber Unified Coordination Group as the SSA for the Energy sector ensuring that particulars of the Energy sector are accounted for in a unified Federal response.
• Along with DHS and the FBI, DOE can use all of our resources and authorities to support response efforts.
Next Steps
• DOE held calls soon after the release of the PPD with energy sector owners and operators and SLTT community to help understand the document and describe its relevance to the sector.
• By October 22nd, DOE will develop enhanced cyber coordination procedures for the energy sector, which determine how the Department interacts with the National Unified Coordination group in a significant cyber-attack.
• By the end of January 2017, we will work with ESCC and ONGSCC to synchronize subsector response playbooks to reflect the tenets of PPD-41.
• DOE, along with energy industry participants, has been working to develop the National Cyber Incident Response Plan. The National Cyber Incident Response Plan will soon be finalized into a draft and released to the public for comment.
Contact info
Jim McGlone
Infrastructure Security and Energy Restoration
US Department of Energy
[email protected]
Technology Roundtable: Technology Impact Assessments
Tobias Whitney, Manager of CIP Compliance
CIPC Meeting
September 20-21, 2016
Purpose
• Industry opportunities exist to research and deploy new technologies that could improve the reliable operations of the Grid.
• The mystique of the CIP standards may have discouraged the investment and innovation of BES technologies for fear of compliance risk and cyber exposure.
• NERC’s Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.
Emerging Technologies
• Cloud Computing
  o Big Data analysis for preventive solutions
• Renewables + New Registration Paradigms
  o New Generation Owner/Operators diffuse operations could impact the BES
• IEC 61850
  o Substation network solutions
• Remote Access (FERC mandated)
  o Due July 2017
• Virtualization (Standards Development)
  o Server, networks and storage
Emerging Technologies
• Microgrids
  o Risk based analysis of load centers
• Industrial Wireless Network Communications Technologies
  o Point-to-point, local area wireless and unlicensed radio
• Distribution Management Systems
  o GIS, outage mgt and increased operational intelligence for smart metered load centers
• End of Life Systems
  o Assess the vulnerability of unsupported, production cyber assets
• Support Systems
  o Understanding VOIP, UPS and building automation systems
Approach the Topic
Tech Seminar
• Invite vendors and industry stakeholders for a 1 day discussion on the solutions
• Identify volunteers for whitepaper development
Coordinated White Paper
• Coordinate white paper with CIPC (primarily) with support from OC and PC
• Publish draft paper for comments as part of the Section 11 Process
• Industry webinar to spotlight results
Call for Pilots
• Link interested stakeholders with research agencies
• Publish lessons learned for industry comments
NERC Team
Technology Risk Assessment
• Security
• Operations
• Regulatory
Each Topic’s SWOT
• Strengths (reliability benefits)
• Weaknesses (current drawbacks)
• Opportunities (external factors)
• Threats (Security & Regulatory)
Technology Risk
• First Technology Roundtable will be held in Atlanta on November 14th & 15th
• Cloud Computing
  o Operational and reliability improvement case
  o Common Architecture
  o Security and Regulatory Considerations
• IEC 61850
  o Operational and reliability improvement case
  o Architecture
  o Security and Regulatory Considerations
• Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.
![Page 149: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/149.jpg)
What is the Implementation Timeframe for Low Impact?
NERC Small Group Advisory Sessions Low Impact Webinar
September 14, 2016
![Page 150: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/150.jpg)
• Implementation Plan Language
• Already required as of 7/1/2016
• Required on 4/1/17
• Required on 9/1/2018
Agenda
![Page 151: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/151.jpg)
Proposed Effective Date for Version 5 CIP Cyber Security Standards
Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 as follows:
1. 24 Months Minimum – The Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.
2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees’ approval, and CIP-003-5 R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees’ approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.
Implementation Plan Language – V5
![Page 152: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/152.jpg)
Effective Dates (for CIP Version 6)
The effective dates for each of the proposed Reliability Standards and NERC Glossary terms are provided below. Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The compliance date for those particular sections represents the date that entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date.
1. CIP-003-6 — Cyber Security — Security Management Controls
Reliability Standard CIP-003-6 shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Where approval by an applicable governmental authority is not required, the standard shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date the standard is adopted by the NERC Board of Trustees, or as otherwise provided for in that jurisdiction.
Implementation Plan Language – V6
![Page 153: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/153.jpg)
Compliance Date for CIP-003-6, Requirement R1, Part 1.2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R1, Part 1.2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Requirement R2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 1
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 1 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 2 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Implementation Plan Language – V6
![Page 154: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/154.jpg)
Compliance Date for CIP-003-6, Attachment 1, Section 3
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 3 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Compliance Date for CIP-003-6, Attachment 1, Section 4
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 4 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.
Implementation Plan Language – V6
![Page 155: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/155.jpg)
• FERC approved CIP V5 on November 22, 2013, with an effective date of the order of February 3, 2014 (based on publication in the Federal Register), making CIP V5 effective April 1, 2016
• FERC approved the CIP V6 changes on January 21, 2016, with an effective date of the order of March 31, 2016 (based on publication in the Federal Register), making the V6 changes effective July 1, 2016
• FERC action on February 25, 2016 aligned all CIP V5 & V6 compliance dates to July 1, 2016
FERC Effective Dates
![Page 156: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/156.jpg)
• CIP-002-5.1
• CIP-003-6 Requirement R3
• CIP-003-6 Requirement R4
Already Required as of 7/1/2016
![Page 157: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/157.jpg)
• There were no changes to CIP-002-5.1 done as part of the CIP V6 SDT effort
  - The approved CIP V5 Implementation Plan therefore remained unchanged for CIP-002-5.1
Already Required as of 7/1/2016
![Page 158: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/158.jpg)
• CIP-002-5.1:
  - CIP-002-5.1 Requirement R1 requires identification of all high impact BES Cyber Systems, medium impact BES Cyber Systems, and identifying “each asset that contains a low impact BES Cyber System”
  - CIP-002-5.1 Requirement R2 requires that the process be repeated at least every 15 calendar months and that the CIP Senior Manager approve the identifications in Requirement R1
Already Required as of 7/1/2016
![Page 159: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/159.jpg)
• CIP-003-6 Requirement R3
  - Requirement R3 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)
  - Requires the identification of a CIP Senior Manager
  - CIP Senior Manager must approve the identifications made in CIP-002-5.1, Requirement R2
Already Required as of 7/1/2016
![Page 160: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/160.jpg)
• CIP-003-6 Requirement R4
  - Requirement R4 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)
  - Requires the creation of a documented process to delegate the approvals of the CIP Senior Manager, unless no delegations are used.
  - CIP-002-5.1 approvals may be delegated
Already Required as of 7/1/2016
![Page 161: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/161.jpg)
• CIP-003-6 Requirement R1, Part 1.2
• CIP-003-6 Requirement R2, Attachment 1, Section 1
• CIP-003-6 Requirement R2, Attachment 1, Section 4
Required on 4/1/2017
![Page 162: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/162.jpg)
• CIP-003-6 Requirement R1, Part 1.2
  - Requires the creation of cyber security policies for:
    1. Cyber security awareness
    2. Physical security controls
    3. Electronic access controls for Low Impact External Routable Connectivity [Communications] (LERC) and Dial-up Connectivity
    4. Cyber Security Incident Response
  - Must be approved by the CIP Senior Manager (no delegation allowed)
Required on 4/1/2017
![Page 163: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/163.jpg)
• CIP-003-6 Requirement R2, Attachment 1, Section 1
  - Requires that each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).
Required on 4/1/2017
![Page 164: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/164.jpg)
• CIP-003-6 Requirement R2, Attachment 1, Section 4
  - Requires that each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;
Required on 4/1/2017
![Page 165: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/165.jpg)
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.
Required on 4/1/2017
![Page 166: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/166.jpg)
• Note: In order to properly develop policy (Section 1) and incident response (Section 4), physical (Section 2) and electronic (Section 3) access control procedures (i.e., the controls to be implemented) need to be initially developed, but they will not themselves be subject to audit
Required on 4/1/2017
![Page 167: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/167.jpg)
• CIP-003-6 Requirement R2, Attachment 1, Section 2
• CIP-003-6 Requirement R2, Attachment 1, Section 3
Required on 9/1/2018
![Page 168: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/168.jpg)
• CIP-003-6 Requirement R2, Attachment 1, Section 2 (draft language)
  - Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.
Required on 9/1/2018
![Page 169: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/169.jpg)
• CIP-003-6 Requirement R2, Attachment 1, Section 3 (draft language)
  - Electronic Access Controls: Each Responsible Entity shall:
3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s).
3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.
Required on 9/1/2018
![Page 170: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/170.jpg)
• All physical and electronic access control protections must be in place at all assets containing low impact BES Cyber Assets or BES Cyber Systems by 9/1/2018
Required on 9/1/2018
![Page 171: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/171.jpg)
CIP Violations (as of July 1, 2016)
![Page 172: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/172.jpg)
CIP Violations (as of July 1, 2016)
![Page 173: Welcome NERC Critical Infrastructure Protection Committee Highlights... · 9,000+ miles of transmission and distribution lines ... Bulk Electric System as a result of this event](https://reader034.vdocuments.mx/reader034/viewer/2022042107/5e86dba2f500d649ac2e2e18/html5/thumbnails/173.jpg)