welcome nerc critical infrastructure protection committee highlights... · 9,000+ miles of...


NERC Steering Committee
Critical Infrastructure Protection

CIP Version 5 and Beyond

September 12, 2014

Welcome
NERC Critical Infrastructure Protection Committee

Sept 20th 2016

Mike Mertz – Director, NERC Reliability Governance & Operations Technology


Welcome to New Mexico


PNM Resources Snapshot
New Mexico and Texas Service Territories


TNMP Background

• ~243,000 homes and businesses in more than 70 communities in Texas
• 9,000+ miles of transmission and distribution lines
• Power provider for critical international petroleum customers along the Texas Gulf Coast.


PNM Background

• 516,658 customers;
• 15,025 miles of transmission and distribution lines;
• 2,787 megawatt generation capacity.
• 276 Substations


PNM Energy Portfolio (Capacity)

Coal 40.3%
Nuclear 11.0%
Gas 38.2%
Wind 8.4%
Solar 1.8%
Other 0.4%


Industry Challenges

• Beyond NERC CIP
• Compliance vs. Security
• Threat evolution
• Ukraine - Distribution system security

(Figure labels: High Impact, Medium Impact, Low Impact)


Industry Challenges

“At least one user will click on anything…”

Every Security Professional


E-ISAC Update

Marcus Sachs, Senior VP & Chief Security Officer
CIPC Meeting
September 20, 2016


Summary of Q2 2016

• Sharing and reporting
  - 193 E-ISAC staff posts to the portal
  - 70 member responses to the portal items
  - 71 additional posts to the portal from members
  - 107 calls to the E-ISAC hotline
  - 371 new portal accounts
• Engagement (monthly average during the quarter)
  - 250 webinar attendees
  - 511 downloads of the daily report
• Active portal membership on June 30, 2016
  - 828 NERC registered entities (60% of 1389 registered entities)
  - 335 non-NERC registered entities (17% of estimated 2000 eligible)
  - 58 partners (government, other ISACs, etc.)


Advisories and Reports

• NERC Advisory Issued in May in response to rise in ransomware attacks
  - Summarized a detailed technical report issued earlier in May
  - Extortion via software that encrypts files may surpass credential harvesting of financial information


All About The E-ISAC

• Engaging the E-ISAC and …
• Understanding Your E-ISAC
  - Joint effort between the E-ISAC and the Member Executive Committee
  - Explains how the E-ISAC works and what to share
  - Outlines products and services
  - Explains the NERC – E-ISAC separation protocol
• E-ISAC Brochure
  - Designed as a “take-away” document
  - Summarized products and services
  - Explains how to join and what to share
  - Provides contact information


E-ISAC Staffing and Support

• Staffing
  - Twenty employees plus two contractors in the Washington, DC office
  - Training and exercises manager opening – currently recruiting
  - Member services manager (ESCC recommendation) hired in August
  - Initiative to integrate DNG-ISAC analyst underway
• Technology
  - Network and email migration nearing completion
  - STIX/TAXII pilot initiated
  - Portal-to-platform project initiated
  - Funding for the portal improvements approved by the Board of Trustees
    o Initial improvements now underway
    o Major changes coming in 2017


Member Executive Committee

• 2016 Work Plan approved at the March MEC meeting
  - Publish a “How-To” Guide (“Understanding Your E-ISAC”)
  - Develop E-ISAC Products and Services List
  - Define E-ISAC Role in Classified Briefings
  - Establish User Communities
  - Develop Strawmen for E-ISAC Reports
  - Pilot Automated Information Sharing (Platform)
  - Initiate Improvements to the Portal
  - Develop Plan to Evaluate 24/7 Watch and Notification Capability
  - Conduct Site Pen Testing
• All items on track at end of Q2
  - Some have been completed


E-ISAC Update

Joseph Januszewski, Senior Watch Officer
CIPC Meeting
September 20, 2016


Summary of Q2 2016

• Overall Trends
  - Ransomware
  - Phishing
  - Suspicious Traffic Reporting
• E-ISAC Cyber Security Capabilities
  - Increased reporting by E-ISAC partners
  - Focus on obtaining, analyzing, and sharing indicators of compromise and actionable threat information
  - Enabling electricity companies to identify sector-relevant threats and attacks


CyberBulletin Topics


Ransomware

• Various Forms of Ransomware Reported by Members
  - Teslacrypt
  - Locky
  - Nymaim Trojan
  - Angler EK
• Other Critical Infrastructure Sectors Affected
  - Financial
  - Healthcare
  - Retail


Phishing

• Attempts at Social Engineering
  - Dridex malware
  - Typical indicators include email subjects related to “Purchase Orders”
• “Whaling”
  - Catching a “big fish” – typically focused on C-suite employees
  - Typically requesting funds transfer to another employee


Updates

• A DVD of malware for analysis submitted to E-ISAC
  - An increase in sharing to broaden our dataset further
• CRISP is now attributed in portal postings
• The E-ISAC STIX/TAXII service is coming prior to end of the year
• Portal improvements will be starting in October/November


Physical Security Analysis Team Update

Charlotte de Sibert
CIPC Meeting
September 20, 2016


CIPC Brief Topics

• “Suspicious Activity” – What is it and why does it matter?
• Topic: Insider Threat
• Best Practices
• Physical Security Advisory Group Update


Suspicious Activity

• What is “suspicious activity”, and why do I see so many bulletins about it?
  - E-ISAC analysis team is here to assist in connecting the dots
• Examples
  - Social engineering: information elicitation
  - Break-ins with nothing stolen
  - Surveillance


Best Practices


Incident Overview

On September 6, a member in Arkansas reported that, beginning at approximately 04:56 CDT, three breakers at a substation were tripped. The two 115 kV line trips were restored within minutes, but the distribution load loss caused 1900 customers to lose power for approximately 100 minutes. Customer power was restored at 06:33 CDT. Upon initial investigation at the substation yard, corporate personnel found 4 breaker box cabinets open. Three breakers appeared to have been manually tripped. Local law enforcement investigated and classified the event as a crime and stated they would notify the FBI. There were no signs of theft or damage to any breakers or equipment. Corporate security has initially identified a potential insider threat suspect, due to a recent employee termination, which is currently under investigation. High security locks were added to each cabinet and any external trip devices were disabled or removed. There were no major impacts to operations or the Bulk Electric System as a result of this event.


Information Sharing Process

So I filled out the form…

• E-ISAC OPS received reporting (EOP-004)
• Follow up with utility security dept.
• Portal posting
• Follow up questions from another utility
• Internal AAR


Insider Threat

Definition:

An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.


Insider Threat

• Different types of insider threats
  - Passive: Inadvertently passes on sensitive information or is a victim of social engineering.
  - Active Non-Violent: Someone with access to operationally sensitive materials who willingly leaks confidential information with intent to harm or impact the company and its reputation.
  - Active Violent: Willing to use force, weapons, and kill or be killed to inflict damage or injury to Company employees or assets.
• Statistics (FEMA):
  - 44% of respondents attributed some loss at their organizations to insiders.
  - 46% said that damage caused by insider attacks was more harmful than that caused by outsiders.


Insider Threat Takeaways

• Insider Threat is a human issue.
• Not a new threat, but there are continually evolving TTPs.
• A few best practices …
  - Timing employee termination
  - Top-down and lateral “buy-in” for Insider Threat program
  - Liaise with law enforcement prior to an incident


PSAG

• What is the Physical Security Advisory Group?
  - The PSAG provides seasoned expertise to advise the industry on the threat mitigation strategy to enhance BES physical security and reliability.
  - The industry benefits from advice on security operational plans, policy and procedures, evolving security technology, training, incident response and management.
  - The PSAG consists of 20-25 members of senior industry security leaders, DOE, and informed industry observers.
• Current Efforts
  - DBT (includes updates and applications)
  - Enhanced Background Investigation Screening Effort
  - Whitepapers


GridSecCon 2016
NERC’s Sixth Annual Grid Security Conference
October 18 – 21, 2016
Hilton Quebec, Canada
“Northern Lights”

For security professionals interested in threats and policy issues related to the physical and cyber security of the bulk power system


GridSecCon 2016 Agenda

• Tuesday, October 18, 2016 – Free training in physical or cyber security
• Wednesday, October 19, 2016 – “Strategy and threat day” - Keynotes and presentations by Senior executives
• Thursday, October 20, 2016 – “Solutions day” – Keynotes and panels
• Friday, October 21, 2016 – Host utility tours and threat briefings at classified and FOUO levels

http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx

Quebec City - Martin St-Amant - Wikipedia - CC-BY-SA-3.0


Project 2016-02
CIP Modifications

David S. Revill, Georgia Transmission Corporation
CIPC Meeting
September 20-21, 2016


RELIABILITY | ACCOUNTABILITY2

The CIP Standard Drafting Team

Role        Name                     Entity
Chair       Margaret Powell          Exelon
Vice Chair  Christine Hasha          Electric Reliability Council of Texas
Vice Chair  David Revill             Georgia Transmission Corporation
Members     Steven Brain             Dominion
            Jay Cribb                Southern Company
            Jennifer Flandermeyer    Kansas City Power and Light
            Tom Foster               PJM Interconnection
            Richard Kinas            Orlando Utilities Commission
            Forrest Krigbaum         Bonneville Power Administration
            Philippe Labrosse        Hydro-Quebec TransEnergie
            Mark Riley               Associated Electric Cooperative, Inc.
            Zach Trublood *          Sacramento Municipal Utility District


Drafting Team Scope

• Revisions will cover eight issue areas:
  - LERC definition (Order 822) – deadline of March 31, 2017
  - Transient devices used at low-impact BES Cyber Systems (Order 822)
  - Communication network components between BES Control Centers (Order 822)
  - Cyber Asset and BES Cyber Asset Definitions (V5TAG)
  - Network and Externally Accessible Devices (V5TAG)
  - Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations (V5TAG)
  - Virtualization (V5TAG)
  - CIP Exceptional Circumstances
• In addition, the SDT will consider one Request for Interpretation concerning shared BES Cyber Systems.


LERC Definition

• Changed Low Impact External Routable Connectivity to Low Impact External Routable Communication (LERC) to focus on the communication that occurs crossing the boundary of the asset containing the low impact BES Cyber Systems to more cleanly align with the output of CIP-002-5.1 R1, Part 1.3.
• Removed from the definition the word ‘direct’ thus expanding the LERC definition to be inclusive of both direct and indirect connections.
• Simplified LERC as an attribute of a BES asset concerning whether there is routable protocol communications across the asset boundary.
• Removed the dependency between the electronic access controls that may be in place and having those controls determine whether LERC exists or not.


Retirement of LEAP

• The changes to LERC changed the focus of the CIP-003 requirements, and no longer emphasized the “interface” that controlled the connectivity.
  - Current Term: “Low Impact BES Cyber System Electronic Access Point” (LEAP): A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.
• As a result, the SDT removed use of the term “LEAP” and proposed its retirement.


CIP-003-7 Requirements

• For those BES assets that have LERC, the SDT changed the requirement to require electronic access controls to “permit only necessary electronic access to low impact BES Cyber Systems.”
• The SDT also revised CIP-003-6, Attachment 1, Section 2 to accommodate the retirement of LEAP in the physical security section and to provide for the physical security of the Cyber Assets performing the electronic access controls required in Section 3.


CIP-003-7 Requirements

Section 2. Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity to: (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Cyber Asset(s), as specified by the Responsible Entity that provides electronic access control(s) implemented for Section 3.1, if any.

Section 3. Electronic Access Controls: Each Responsible Entity shall:
3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s).
3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.


LERC Revisions Status

• Ballot period closed September 6, 2016
  - LERC Definition: 30.63% approval
  - CIP-003-7 Changes: 41.54% approval
  - Implementation Plan: 41.77% approval
• SDT meeting next week (September 27-29, 2016) to discuss comments
  - Response to comments
  - Revisions to definition, requirements language, and implementation plan
  - Post for another 45-day period following that


Transient Devices at Lows
Discussion Items

• Proposed adding Section 5 to CIP-003, attachment 1 to address TCAs at assets containing low impact BES Cyber Systems in keeping with the stakeholder request to keep requirements on lows in one place.
• Kept the requirement language consistent with that of CIP-010 to minimize inconsistency between lows and highs/mediums.
• Approved requirement language and measures in response to the FERC directive to post for stakeholder comment/ballot.
• Action Items:
  - Draft and propose Guidelines and Technical Basis
  - Discuss Implementation Plan timing
  - Develop associated documents to post for formal stakeholder comment and ballot (Consideration of Directives; Implementation Plan, VRF/VSL and justification, Comment Form)


Control Center Communication Networks
Discussion Items

• Reviewed the Order 822 Directive language.
• Discussed IRO-010 and TOP-003 as a basis for the scope of sensitive bulk electric system data that needs protection.
• Presented three options for discussion:
  - Option 1: Allow the future enforceable IRO-010 R3 and TOP-003 R5 standards to handle the protections of communication links between Control Centers.
  - Option 2: Develop a CIP requirement, potentially in CIP-005, to set a security objective for protecting sensitive bulk electric system data between Control Centers.
  - Option 3: Develop a CIP requirement with parts based on impact level outlining security objectives and potential security controls for data in transit and data at rest.
• Discussed the pros/cons of including these requirements in a new standard.
• Identified that coordination is needed between the CIP SDT and the IRO/TOP SDT.


Control Center Communication Networks
Discussion Items

• Action Items
  - Keep developing requirement language.
  - Consider and refine scope.
  - Determine role of data at rest and risk.
  - Clarify what qualifies as Sensitive BES Data.
  - Take the SDT input to flesh out a proposal that:
    o Uses risk-based impact on asset classification not on the data itself and assigns risk levels to different impact levels.
    o Defines scope (that can draw from IRO-010 and TOP-003).
    o Articulates the security objective.
    o Sets implementation expectations.
    o Is written as a separate standard (though can revisit if adjustments for lows-only is appropriate).


Definitions and Concepts
Discussion Items

• Discussed the problem statements on the following definitions:
  - BES Cyber Asset and the concept of “adverse impact”
  - External Routable Connectivity (ERC)
  - Interactive Remote Access (IRA)
• Considered whether changes to the definition or another approach are appropriate to respond to the problem statement.
• Action Item
  - Continue to assess the issues raised in the Transfer Document and develop proposed revisions in response to the issues.


Transmission Owner (TO) Control Centers
Discussion Items

• Presented four options considered by the sub-team:
  - Option 1: Revise CIP-002-5 Attachment 1: Criteria 2.1.2.
  - Option 2: Add Exemption process.
  - Option 3: Define Cybersecurity Program for TO with capability to operate Transmission Facilities.
  - Option 4: No further action by the SDT and refer recommendations for ERO consideration (recommended).
• Discussed the recommendation of no further action by SDT.
• Action Item
  - Sub-team will prepare a discussion document on the research findings, the recommendation, the reasoning, and the implications.
  - The SDT will review and will consider posting for stakeholder input.


Virtualization
Discussion Items

• Robust discussion of virtualization issues
• Discussed the defined term “Cyber Asset;” use of the term “device” within the definition implies a physical system.
• NERC shared a presentation outlining its view on currently permitted virtualization architectures.
  - Introduced terms:
    o Mixed-trust - including CIP and non-CIP systems within a virtual environment
    o Mixed-impact - including multiple high, medium, and low impact level BES Cyber Systems within a virtual environment
• Identified the need for a framework to discuss the additional risks introduced by the use of virtualization technologies.


Virtualization
Discussion Items

• Action Items
  - Take the SDT input and organize the virtual types, risks of the virtual environment, and assessment of existing requirement language (including measures, GTB) to provide mitigating controls.
  - Compare the scenarios for mixed trust and homogenous environments.
  - Be mindful of TCAs impact on virtual system.
  - Review CIP-011 controls for useful language and context.


Virtualization
Discussion Items

• Reviewed a draft risk matrix template identifying risks specific to virtualization as a framework for determining where controls need to be added or modified to address virtualization implementations.
• Discussed expanding CIP-010 R1 to include configuration elements associated with logical separation as part of the baseline.
• Action Items
  - Continue work refining the virtualization risk matrix with the goal of identifying requirements to revise any gaps that need requirements.
  - Continue work on definitional aspects of virtualization.
  - Work to formalize a proposal for full team review on mixed trust.


CIP Exceptional Circumstances (CEC)
Discussion Items

• Presented a list of requirements under consideration.
• Discussed options related to CEC.
  - Option 1: Add CEC to appropriate requirements or parts throughout standards.
  - Option 2: Add requirement in CIP-003 to develop a program for CEC and remove from requirements or parts throughout standards.
    o Clearly cover event start and end.
    o Ensure back out plans are included.
• More analysis and discussion are necessary to review appropriate use of CEC in a program manner.
• Action Item
  - Develop language to describe programmatic language and map the proposed requirement revisions.


CIP Exceptional Circumstances (CEC)
Discussion Items

• Reviewed proposed programmatic requirement language to add to CIP-003:
  - Revised CIP-003, R1.1.9 to remove ‘declaring and responding’ to a CEC.
  - Reviewed and refined a draft new Requirement R5.
• Action Items
  - Confirm with NERC Legal:
    o Can one requirement suffice to give compliance relief for another standard?
    o Can it stand-alone and be in the introduction section of each CIP standard?
    o Can reporting be performed as part of compliance monitoring efforts?
  - Revise CIP-003-6 to address:
    o Proposed language in standard format;
    o Draft and propose Guidelines and Technical Basis;
    o Address question of reporting or notification obligations (outside of compliance monitoring efforts).


• Reviewed the Request:
  o …does the phrase “shared BES Cyber Systems” refer to discrete BES Cyber Systems that are shared by multiple units, or groups of BES Cyber Systems that could collectively impact multiple units?
• Response (abridged):
  o The Responsible Entity should take into consideration the operational environment and scope of management when defining the BES Cyber System boundary in order to maximize efficiency in secure operations.
  o Shared BES Cyber Systems are those that are associated with any combination of units in a single Interconnection, as referenced in CIP-002-5.1, Attachment 1, impact rating criteria 2.1 and 2.2.
  o The phrase applies to each discrete BES Cyber System.

EnergySec Interpretation Approval and Posting


• Information relative to the CIP Modifications SDT may be found on the Project 2016-02 Project Page under Related Files:
http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx

• The Project 2015-INT-01 Interpretation of CIP-002-5.1 for Energy Sector Security Consortium (EnergySec) may be found:
http://www.nerc.com/pa/Stand/Pages/Project-2015-INT-01-Interpretation-of-CIP-002-5-1-for-EnergySec.aspx

Resources


• Notice of Inquiry
  o In response to the Ukraine incident, FERC is seeking comment on modifications to the CIP standards for cyber systems in Control Centers.
  o FERC is seeking feedback in the following areas:
     o Isolation from the internet
     o Application whitelisting
  o Comments are due September 26th.

FERC NOI – Cyber Systems in Control Centers


• Order 829
  o Directed the development of a Supply Chain Security Standard.
  o Must be submitted to FERC by September 27, 2017 (Order 829 Effective September 27, 2016)

• The new standard must address the following security objectives: software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls.

• Cyber Supply Chain SDT Seated at the 9/14/2016 Standards Committee Meeting

FERC Order 829 - Supply Chain Security Requirements

Role | Name | Company
Chair | Corey Sellers | Southern Company
Vice Chair | JoAnn Murphy | PJM Interconnection, L.L.C.
Member | Christina Alston | Georgia Transmission Corp.
Member | James W. Chuber | Duke Energy
Member | Norm Dang | IESO of Ontario
Member | Chris Evans | Southwest Power Pool
Member | Brian Gatus | Southern California Edison Company
Member | David Bryan Gayle | Dominion Resources Services, Inc.
Member | Thruston J. Griffin | CPS Energy
Member | Skip Peeples | Salt River Project
Member | Jason Witt | East Kentucky Power Cooperative


NERC CIPC Compliance and Enforcement Input Working Group

Paul Crist
CIPC Meeting
September 20-21, 2016


Critical Infrastructure Protection Committee
April 2016

Business Continuity Guideline TF (Darren Myers)

Executive Committee
Joe Garmon, Seminole
Marc Child, Chair, Great River Energy
Melanie Seader, EEI
David Grubbs, City of Garland
Nathan Mitchell, Vice Chair, APPA
Jack Cashin, EPSA
Ross Johnson, CEA
David Revill, Vice Chair, NRECA
Chuck Abell, Ameren
John Galloway, ISO-NE
Sam Chanoski, Secretary, NERC

Physical Security Subcommittee (David Grubbs)
Cybersecurity Subcommittee (David Revill)
Operating Security Subcommittee (Joe Garmon)
Policy Subcommittee (John Galloway)
Physical Security WG (Ross Johnson)
Security Training WG (David Godfrey)
Control Systems Security WG (VACANT)
Grid Exercise WG (Tim Conway)
BES Security Metrics WG (Larry Bugh)
Physical Security Standard WG (Allan Wick)
Compliance and Enforcement Input WG (Paul Crist)
Physical Security Guidelines WG (John Breckenridge)


Topics Discussed:
• CIP SDT SAR
• CEIWG Charter Changes
• CIP 003-7 Comments
• CIP 002-5.1 Interpretation
• CIP V5 Audits/Concerns
• April 1, 2017 deadline changes

Agenda


Charter Revisions

Drivers for Charter Revisions

• From the 2017 NERC Business Plan and Budget
  o Compliance Assurance Department
     o Compliance monitoring of the CMEP
     o CIP Compliance and Transition
     o Regional Entity Oversight for Risk-Based Compliance Monitoring
• Compliance Enforcement Department
  o Oversees Enforcement Processes
  o Ensures Consistent and Effective Implementation of risk-based CMEP with the eight Regional Entities
  o Focus on matters that pose greatest risk to reliability


Mark Lauby

Valerie Agnew Ken McIntyre


Charles A. Berardesco

Sonia Mendonca

Charter Revisions

Compliance Assurance

• Background and Scope
  o Critical Infrastructure Protection (CIP) Version 5 activities related to education programs that support industry compliance and the integration of risk assessment and internal controls;
  o CIP-014-1 training and outreach activities related to effective implementation of the Physical Security Reliability Standard;
  o Oversight of the use of necessary compliance-related processes, procedures, IT platforms, tools, and templates;
• Stakeholder Engagement and Benefit
  o Compliance Assurance – Collaboration with industry and Standards department staff will occur early in the standard development process by providing draft compliance monitoring guidance, including information on how compliance with draft standards will be determined, as well as input to the drafting teams on the auditability and enforceability of the draft standards. This will ensure that ERO Enterprise tools used in the auditing process, such as the reliability standards auditing worksheet (RSAW), do not expand or modify standards requirements.


Compliance Enforcement

• Guiding Enforcement Principles
  o Enforcement program promotes culture of reliability excellence through a risk-based approach.
  o The ERO Enterprise applies a presumption of non-enforcement treatment of minimal risk noncompliance to entities with demonstrated internal controls who are permitted to self-log such minimal risk issues.
  o The ERO Enterprise maintains an elevated level of transparency regarding enforcement matters. NERC’s Rules of Procedure (including the CMEP and Sanction Guidelines) and program documents are available to the public.
  o Noncompliance information is used as an input to other processes.
  o Compliance Exceptions
  o Self-Logging
• 2017 Goals and Deliverables
  o Working closely with NERC’s Compliance Assurance and Information Technology departments, as well as staff in the Regional Entities, regarding the evaluation of improvements in the existing compliance, reporting, analysis tracking system, and other compliance tools to support risk-based activities.

Charter Revisions


• Meetings 2nd Thursday of the month at 1:00 CST

(Please let me know if you need the call-in information)

Next Conference Call: October 13th, 2016 at 1:00 CST


Critical Infrastructure Protection Cmte

Annual Strategic Planning

Marc Child, Chair
CIPC Meeting
September 20, 2016


Annual Planning Goals

• Align CIPC efforts with NERC strategic plan
• Review workgroup & task force charters
• Retire workgroups & task forces as necessary
• Identify new work areas
• Modify CIPC work plan
• Review CIPC charter
• Review quarterly meeting agenda (content)


CIPC Charter

• Advisory Panel to the NERC Board
• Coordinate and communicate
  o With trades, E-ISAC, other critical infrastructure sectors
  o With government agencies, other technical committees
• Facilitate information sharing
• Develop guidelines
• Assist in development efforts for CIP standards
  o Provide expert resources to drafting teams
  o Develop guidance
  o Provide a forum for debate
  o Provide workshops & educational opportunities

Source: http://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Charter%20BoT%20approved%205-05-2016.pdf


Workgroups & TF’s


New Work Ideas?

• BES Metrics
  o ERO performance indicators
  o Asset owner threat indicators
• Coordinate and communicate
  o State of security report (compliance + E-ISAC)
• Facilitate information sharing
  o Security clearances, transition to DOE
  o Regional briefings
• Develop guidelines
  o GridEx recommendation
  o Information sharing 101


New Work Ideas?

• Assist in development efforts for CIP standards
  o CIP-003-7
  o Supply Chain
  o Whitelisting control systems
• Provide workshops & educational opportunities
  o 2017 and beyond

Source: http://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Charter%20BoT%20approved%205-05-2016.pdf


CIPC Meeting Agenda

• Today
  o E-ISAC update
  o NERC compliance update
  o Legislative update
  o Agency updates
  o Subgroup updates
• Ideas?
  o The agenda package includes all slide decks
  o Briefings can be shortened (ex: “You’ve seen my slides, any questions?”)
  o Add more security content
     o Technical presentations – vendors, asset owners
     o Reports from regional CIPC’s


Legislative Update

Nathan Mitchell, American Public Power Association
CIPC Meeting
September 20-21, 2016


Fixing America's Surface Transportation (FAST) Act 2015

• Provides the Secretary of Energy with the authority to address grid security emergencies

• DOE should develop a plan to establish a Strategic Transformer Reserve

• The plan should address impacts from: physical attack; cyber-attack; electromagnetic pulse attack; geomagnetic disturbances; severe weather; or seismic events.

• The plan must also include cost estimates and funding options.


Cyber Information Sharing Act 2015

• DHS initiated the automated indicator sharing (“AIS”) program
• Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
• Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Privacy and Civil Liberties Interim Guidelines


S.2012

S. 2012: North American Energy Security and Infrastructure Act of 2016 (In Conference)

• On Thursday, September 15, the House Energy & Commerce Committee’s Subcommittee on Energy & Power held a hearing entitled “The Department of Energy’s Role in Advancing the National, Economic, and Energy Security of the United States.”

• Department of Energy (DOE) Secretary Ernie Moniz testified about the role of DOE in implementing legislation designed to improve the nation’s energy policy and modernize energy infrastructure.


Secretary Moniz testimony

In his opening statement, Secretary Moniz discussed DOE’s role in establishing energy security:
• accommodating rapidly changing energy technology,
• encouraging participation in international energy markets,
• improving energy efficiency, and
• hardening infrastructure to ensure resiliency in the face of weather threats, electromagnetic pulse (EMP) threats, cyber threats, outdated infrastructure, and others.
• addressing various threats pursuant to authority granted to DOE in the FAST Act,
• He recognized DOE’s critical role in national security through emergency preparedness.


Secretary Moniz testimony

• has successfully implemented a number of private sector cybersecurity tools to ensure grid security. Among these tools, the Cybersecurity Risk Information Sharing Program (CRISP)

• active collaboration with several key federal agencies in implementing security measures, including FEMA and DHS.

• research efforts to identify EMP threats, in collaboration with the Electric Power Research Institute (EPRI), are ongoing and remain classified.

• discussed options for improving the nation’s international position with respect to energy, encouraging innovation, and maintaining the integrity of our national supply of energy against cyber, physical, and economic threats.


Secretary Moniz testimony

“We know that adversaries and homegrown actors are interested in the vulnerabilities of our critical infrastructures. Challenges like these underscore the need to rethink energy security in light of modern domestic and global energy markets… The goal is to ensure that we are maximizing the prospects for rapid deployment of technologies that can contribute to securing our Nation’s energy infrastructure.”


NERC RISC Update

Nathan Mitchell, American Public Power Association
CIPC Meeting
September 20-21, 2016


RISC Report Objective

• Part of the RISC’s role is to identify trends and evolving issues that have the potential to degrade reliability so that actions based on sound technical judgment can be taken. As the character and reliability behavior of the BPS evolves, a wide range of the reliability or resilience tools should be identified to guide industry, regulators, and the ERO in effectively managing these risks. The industry must improve forward assessments of reliability and identify resilience activities that anticipate changes.


Key points on resiliency and recovery

• In 2015, the top 10 most severe events were related to weather. Industry should perform post-event reviews to capture lessons-learned and how to reduce the impact of future events.

• Identify single-points-of-vulnerability.

• Continue to leverage industry-practice-sharing forums to enhance resilience and recovery.

• Leverage data sources to identify patterns and risks.

• Highlight applicable metrics in the State of Reliability report as benchmarks for resilience and recovery.

• Continue to include resilience goals in the ERO Enterprise’s strategic plan.


RISC Priority Profiles

High Risk Profiles
• Cybersecurity Vulnerabilities
• Changing Resource Mix
• BPS Planning
• Resource Adequacy

Moderate Risk Profiles
• Loss of Situational Awareness
• Physical Security Vulnerabilities
• Extreme Natural Events

Low Risk Profiles
• Asset Management and Maintenance
• Human Performance and Skilled Workforce


Focus Areas and Recommendations

Cybersecurity Vulnerabilities (Risk Profile #9)

• The ERO Enterprise and the industry should adopt a nimble, multipronged approach to address the continually evolving cybersecurity threat. Examples of nimble tools include increased E-ISAC participation and products, peer reviews and assistance visits to move to a best practice model, guides and recommendations for new and less-defined threats.

• Enhance communications among the E-ISAC, the Telecommunications, and Natural Gas Information Sharing and Analysis Centers. Expand the use, availability, and value of cybersecurity threat and vulnerability information sharing, analytics, and analysis.

• Foster development of a security culture among employees at all utilities and across the ERO Enterprise.


Medium Priority

• Extreme Natural Events: Severe weather or other natural events (e.g., hurricanes, tornadoes, protracted extreme temperatures, geomagnetic disturbances, floods, earthquakes, etc.) are one of the leading causes of outages, and the industry must remain vigilant in improving preparation and coordination in order to minimize the effect of such events.

• Physical Security Vulnerabilities: Like cybersecurity, there is an increasing and evolving threat profile from physical attacks. The intentional damage, destruction, or disruption to facilities can cause localized to extensive Interconnection-wide BPS disruption potentially for an extended period.


Risk Mapping


Cyber Near term Recommendations

• Address FERC CIP directives on SDT efforts underway and supply chain risk management.

• In collaboration with the CIPC and industry stakeholders, develop a risk process to address the potential impacts of cyber security threats and vulnerabilities.

• Continue information sharing protocols among interdependent ISACs

• The E-ISAC should continue outreach to industry to increase registration and utilization of E-ISAC portal.

• The E-ISAC should mature CRISP and encourage expanded participation.


Cyber Near term Recommendations

• NERC and the CIPC should prioritize lessons learned from regional and national exercises (e.g., GridEx) and publish lessons learned and guidelines as needed.

• Facilitate planning considerations to reduce the number/exposure of critical facilities.

• The industry should encourage the development of a peer review process for emerging risks.

• The industry should create and foster an internal culture of cyber awareness and safety.

• NERC should develop effective metrics formulated to understand the trend of cyber-attacks and potential threats.


Physical Security Recommendations

• Oversee the implementation of CIP-014-1

• E-ISAC and industry should expand communications among the Telecommunications, Water, and Natural Gas ISACs.

• The ERO Enterprise should develop effective metrics formulated to understand the trend of physical attacks and potential threats.

• Assess the risks of physical attack scenarios on midstream or interstate natural gas pipelines

• Promote existing and new efforts to improve a spare equipment strategy and prioritization.

• Develop a catalog of regional/national exercises that incorporate extreme physical events


Physical Security Recommendations

• The forums and trades should perform the following activities:
  o Identify and promote specific resiliency and vulnerability assessment best practices with planning for extreme events, including good physical security assessment practices.
  o Develop an event guideline outlining prevention strategies and event response and recovery protocols for sabotage scenarios.

• In collaboration with the CIPC and industry stakeholders, develop a risk process to address the potential impacts of physical security threats and vulnerabilities.


GridEx IV Update

Tim Conway, SANS Institute
CIPC Meeting
September 20-21, 2016


Where Are We Now?

Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors

Develop a Narrative
• Backstory or ground truth:
• Attacker profile
• The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions

MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas


GridEx IV Portal


Process Flatlined

Preparation Identification Containment Eradication Recovery Lessons Learned

GridEx 2011, GridEx II, GridEx III

GridEx IV

Move 0


GridEx III Scenario Escalation Timeline

[Figure; axes: Grid Reliability Level (Normal) and Scenario Time]

Distributed Play
Move 1: T = 0 to 4 hours; real time (Eastern) Nov 18, 9 am – 1 pm
Move 2: T = 4 to 8 hours; real time (Eastern) Nov 18, 1 pm – 5 pm
Move 3: T = 24 to 28 hours; real time (Eastern) Nov 19, 9 am – 1 pm
Move 4: T = 72 to 76 hours; real time (Eastern) Nov 19, 1 pm – 5 pm

Executive Tabletop: Nov 19, 11 am – 5 pm
ESCC Calls


GridEx IV Scenario Escalation Consideration

[Figure; axes: Grid Reliability Level (Normal) and Scenario Time]

Distributed Play
Move 1: T = 0 to 4 hours; real time (Eastern) Nov 15, 9 am – 1 pm
Move 2: T = 4 to 8 hours; real time (Eastern) Nov 15, 1 pm – 5 pm
Move 3: T = 24 to 28 hours; real time (Eastern) Nov 16, 9 am – 1 pm
Move 4: T = 72 to 76 hours; real time (Eastern) Nov 16, 1 pm – 5 pm

Other labels on the slide: Move 0; Executive TTX; Distributed Play; ESCC Calls; Nov 16, 11 am – 5 pm; ?


GE4 Conceptually Move 0

Move 0

Adversary Positioning


GE4 Conceptually Move 1

Move 1

Operational Effects


GE4 Conceptually Move 2

Move 2

Incident Identification & Reporting


GE4 Conceptually Move 3

Move 3

Incident Containment & Eradication


GE4 Conceptually Move 4

Move 4

Incident Recovery & After Action


Proposed Planning Schedule

[Figure: GridEx IV planning timeline]

Phases: Working Group; Initial Planning Phase; Mid-term Planning Phase; Final Planning Phase; Conduct; After Action

Milestones:
• GEWG Meeting: June 2016
• RC Meeting: Oct 5 2016
• Initial: Nov. 14 2016
• Midterm: February 2017
• Final: April 2017
• Execute GridEx IV: November 15-16, 2017
• Report: Q1 2018

Activities shown:
• Establish Working Group members
• GridEx IV awareness
• Planner outreach
• Decide scenario themes
• Decide tools
• Coordinate with RCs
• Finalize scenario
• Develop supporting materials
• Confirm participation
• Distributed Play
• Executive Tabletop
• After-action survey and lessons learned
• Analyze survey results and lessons learned
• After Action Report and Briefing
• Distribute training materials
• Planners begin training
• Kick-Off
• Confirm goals and objectives
• Finalize timeline
• Discuss outreach goals/plan

Planning will be about 3 - 4 months earlier for GridEx IV compared with GridEx III

More training sessions available for Player prep on tools, GridSecCon 2017, Move Zero

Calendar

• Wednesday, September 21, 2016: GEWG Meeting, Sheraton Albuquerque Airport Hotel, Albuquerque, NM
  o Valle Grand II (1st Floor)
  o Lunch: 12 noon Mountain Time
  o Meeting / Call: 1-5 p.m. Mountain Time / 3-7 p.m. Eastern Time
• Wednesday, October 5, 2016 (not a GEWG meeting): ISO/RTO Council (IRC) Security Working Group (SWG) and IT Committee (ITC)
• Thursday, October 20, 2016: GridSecCon 2016 GridEx IV Panel – “preaching to the choir”
• Monday, November 14, 2016: GridEx IV Initial Planning Meeting
  o Booz Allen, McLean, VA
  o 10 a.m. – 4 p.m. Eastern Time
• Wednesday, December 14, 2016: GEWG meeting, Ritz-Carlton Buckhead, Atlanta, GA, 1 – 5 p.m. Eastern Time

Other major dates

• Midterm Planning Meeting – February (Day TBD), 2017. Location: McLean, VA
• Grid Exercise Working Group – March 8, 2017. Location: TBD
• Final Planning Meeting – April (Day TBD), 2017. Location: McLean, VA
• Summer meetings and planner/player training presentations
• GridSecCon 2017 – October 17-20, 2017. Location: TBD (Minneapolis/St. Paul, MN)
  o Move Zero training, GridEx IV kickoff
• GridEx IV – November 14-17, 2017 (four days?!?)
  o Warmup ExCon day Main days Rapid Deployment day?

GEWG Big Picture

Foundation

Customization

Execution

Move 0 Details

• Facilitated workshop model
  o Instructor-led, walk through of Move 0
  o Similar to CRPA approach
• Live hands-on environment model
  o Participants compete and score individually or as a team.
  o Objective is to work through all of the Move 0 injects.
  o Intersect with other GridEx tools and simulation technology.
  o Outcome is pre-determined and in line with Move 1 of distributed play.
  o Move 0 will test and prep tools and tech for Move 1.
• Distributed model
  o Remotely accessed
  o Available multiple weeks in prep for Move 1
  o Performance of some Move 0 tasks

BES Security Metrics WG
CIPC Update

Larry Bugh, Chair
Albuquerque NM
September 20-21, 2016

Critical Infrastructure Protection Committee
April 2016

Executive Committee
• Joe Garmon, Seminole
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC

Subcommittees
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)

Working groups and task forces
• Business Continuity Guideline TF (Darren Myers)
• Physical Security WG (Ross Johnson)
• Security Training WG (David Godfrey)
• Control Systems Security WG (VACANT)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Larry Bugh)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)

Security Metrics Development Roadmap
2015 and Beyond

[Figure: roadmap with the marker “We are here”]

BESSMWG Activities

Activities Since June 2016

• Met immediately following June CIPC meeting to:
  o Discuss status of draft metrics under development
  o Review and finalize charts for security metrics in NERC’s next State of Reliability report in 2017
• Met immediately prior to September CIPC meeting to:
  o Review Q2 2016 metrics results
  o Discuss status and next steps for metrics under development
  o Review Roadmap document for longer-term next steps

CIPC Update

BES Security Metrics
Q2 2016 Results


Reportable Cyber Security Incidents

Note: Under review to confirm if the incident met the reportable threshold


Reportable Physical Security Incidents


E-ISAC Membership


Industry-Sourced Information Sharing

Note: Physical Bulletins started in Q4 2014.


Global Cyber Vulnerabilities


Global Cyber Vulnerabilities and Incidents

Note: Only annual data available.

Next Steps

• Continue supporting the E-ISAC to review and validate quarterly data
  o Define and implement sub-categories for cyber and physical incidents
• Complete development of detailed definitions for any new metrics through 2016
  o Industrial control system vulnerabilities
• Begin drafting the Security Metrics chapter for the 2017 State of Reliability report
• Consider metrics for longer-term development

DOE Report to NERC CIPC

Jim McGlone
Infrastructure Security and Energy Restoration
September 21, 2016

DOE Report to CIPC

• Classified brief – December 13 (NOFORN)
• Classified VTC (ODNI document review)
• Successful SVTC pilot in July
• DBT refresh, December 2016
• PSAG + intel analysts + UAS expert
• Sector clearances transition to DOE
• EMP
• Strategic Transformer Reserve
• FAST ACT
• PPD-41


PPD-41

• The President issued Presidential Policy Directive 41, United States Cyber Incident Coordination on July 26, 2016

• In the event of a significant cyber incident, a national Cyber Unified Coordination Group (UCG) will be activated.

• DHS/National Cybersecurity Communications and Integration Center (NCCIC) is designated as the Asset Response Lead; and

• DOJ/FBI/National Cyber Investigative Joint Task Force (NCIJTF) is designated as the Threat Response Lead.

• The DOE, as the Sector-Specific Agency (SSA), through its representation in the UCG will be responsible for leading sector coordination.


PPD-41: DOE’s role in PPD as the SSA

• The Energy sector is one of the critical lifeline sectors as defined by DHS.

• Under PPD-21: Critical Infrastructure Security and Resilience and legislated in the 2015 FAST Act, DOE is the Sector-Specific Agency (SSA) for the energy sector.

• The SSA role enables us to work closely with electricity, oil, and natural gas partners through the coordinating councils and information sharing and analysis centers (ISACs):
  o ESCC
  o ONGSCC
  o E-ISAC
  o ONG-ISAC
  o DNG-ISAC


PPD-41: DOE’s role in Cyber UCG

• PPD-41 describes a national Cyber Unified Coordination Group, which includes the FBI, DHS, the Intelligence Community, and affected sectors.

• DOE is included in the Cyber Unified Coordination Group as the SSA for the Energy sector ensuring that particulars of the Energy sector are accounted for in a unified Federal response.

• Along with DHS and the FBI, DOE can use all of our resources and authorities to support response efforts.


Next Steps

• DOE held calls soon after the release of the PPD with energy sector owners and operators and SLTT community to help understand the document and describe its relevance to the sector.

• By October 22nd, DOE will develop enhanced cyber coordination procedures for the energy sector, which determine how the Department interacts with the National Unified Coordination group in a significant cyber-attack.

• By the end of January 2017, we will work with ESCC and ONGSCC to synchronize subsector response playbooks to reflect the tenets of PPD-41.

• DOE, along with energy industry participants, has been working to develop the National Cyber Incident Response Plan. The National Cyber Incident Response Plan will soon be finalized into a draft and released to the public for comment.

Contact info

Jim McGlone
Infrastructure Security and Energy Restoration
US Department of [email protected]

Technology Roundtable:
Technology Impact Assessments

Tobias Whitney, Manager of CIP Compliance
CIPC Meeting
September 20-21, 2016


Purpose

• Industry opportunities exist to research and deploy new technologies that could improve the reliable operations of the Grid.

• The mystique of the CIP standards may have discouraged the investment and innovation of BES technologies for fear of compliance risk and cyber exposure.

• NERC’s Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.

Emerging Technologies

• Cloud Computing
  o Big Data analysis for preventive solutions
• Renewables + New Registration Paradigms
  o New Generation Owner/Operators diffuse operations could impact the BES
• IEC 61850
  o Substation network solutions
• Remote Access (FERC mandated)
  o Due July 2017
• Virtualization (Standards Development)
  o Server, networks and storage

Emerging Technologies

• Microgrids
  o Risk-based analysis of load centers
• Industrial Wireless Network Communications Technologies
  o Point-to-point, local area wireless and unlicensed radio
• Distribution Management Systems
  o GIS, outage mgt and increased operational intelligence for smart metered load centers
• End of Life Systems
  o Assess the vulnerability of unsupported production cyber assets
• Support Systems
  o Understanding VOIP, UPS and building automation systems

Approach the Topic

Tech Seminar
• Invite vendors and industry stakeholders for a 1 day discussion on the solutions
• Identify volunteers for whitepaper development

Coordinated White Paper
• Coordinate white paper with CIPC (primarily) with support from OC and PC
• Publish draft paper for comments as part of the Section 11 Process
• Industry webinar to spotlight results

Call for Pilots
• Link interested stakeholders with research agencies
• Publish lessons learned for industry comments

NERC Team

Technology Risk Assessment

Security

Operations

Regulatory

Each Topic’s SWOT

• Strengths (reliability benefits)
• Weaknesses (current drawbacks)
• Opportunities (external factors)
• Threats (Security & Regulatory)

Technology Risk

• First Technology Roundtable will be held in Atlanta on November 14th & 15th
• Cloud Computing
  o Operational and reliability improvement case
  o Common Architecture
  o Security and Regulatory Considerations
• IEC 61850
  o Operational and reliability improvement case
  o Architecture
  o Security and Regulatory Considerations
• Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.

What is the Implementation Timeframe for Low Impact?

NERC Small Group Advisory Sessions
Low Impact Webinar
September 14, 2016

Agenda

• Implementation Plan Language
• Already required as of 7/1/2016
• Required on 4/1/17
• Required on 9/1/2018

Implementation Plan Language – V5

Proposed Effective Date for Version 5 CIP Cyber Security Standards

Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 as follows:

1. 24 Months Minimum – The Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.

2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees’ approval, and CIP-003-5 R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees’ approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

Implementation Plan Language – V6

Effective Dates (for CIP Version 6)

The effective dates for each of the proposed Reliability Standards and NERC Glossary terms are provided below. Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The compliance date for those particular sections represents the date that entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date.

1. CIP-003-6 — Cyber Security — Security Management Controls

Reliability Standard CIP-003-6 shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Where approval by an applicable governmental authority is not required, the standard shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date the standard is adopted by the NERC Board of Trustees, or as otherwise provided for in that jurisdiction.

Implementation Plan Language – V6

Compliance Date for CIP-003-6, Requirement R1, Part 1.2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R1, Part 1.2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Requirement R2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Attachment 1, Section 1
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 1 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Attachment 1, Section 2
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 2 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Implementation Plan Language – V6

Compliance Date for CIP-003-6, Attachment 1, Section 3
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 3 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Attachment 1, Section 4
Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 4 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

FERC Effective Dates

• FERC approved CIP V5 on November 22, 2013, with an effective date of the order of February 3, 2014 (based on publication in the Federal Register), making CIP V5 effective April 1, 2016
• FERC approved the CIP V6 changes on January 21, 2016, with an effective date of the order of March 31, 2016 (based on publication in the Federal Register), making the V6 changes effective July 1, 2016
• FERC action on February 25, 2016 aligned all CIP V5 & V6 compliance dates to July 1, 2016

Already Required as of 7/1/2016

• CIP-002-5.1
• CIP-003-6 Requirement R3
• CIP-003-6 Requirement R4

Already Required as of 7/1/2016

• There were no changes to CIP-002-5.1 done as part of the CIP V6 SDT effort
  o The approved CIP V5 Implementation Plan therefore remained unchanged for CIP-002-5.1

Already Required as of 7/1/2016

• CIP-002-5.1:
  o CIP-002-5.1 Requirement R1 requires identification of all high impact BES Cyber Systems, medium impact BES Cyber Systems, and identifying “each asset that contains a low impact BES Cyber System”
  o CIP-002-5.1 Requirement R2 requires the process be repeated, at least every 15 calendar months, and the CIP Senior Manager approved the identifications in Requirement R1

Already Required as of 7/1/2016

• CIP-003-6 Requirement R3
  o Requirement R3 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)
  o Requires the identification of a CIP Senior Manager
  o CIP Senior Manager must approve the identifications made in CIP-002-5.1, Requirement R2

Already Required as of 7/1/2016

• CIP-003-6 Requirement R4
  o Requirement R4 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)
  o Requires the creation of a documented process to delegate the approvals of the CIP Senior Manager, unless no delegations are used.
  o CIP-002-5.1 approvals may be delegated

Required on 4/1/2017

• CIP-003-6 Requirement R1, Part 1.2
• CIP-003-6 Requirement R2, Attachment 1, Section 1
• CIP-003-6 Requirement R2, Attachment 1, Section 4

Required on 4/1/2017

• CIP-003-6 Requirement R1, Part 1.2
  o Requires the creation of cyber security policies for:
    1. Cyber security awareness
    2. Physical security controls
    3. Electronic access controls for Low Impact External Routable Connectivity [Communications] (LERC) and Dial-up Connectivity
    4. Cyber Security Incident Response
  o Must be approved by the CIP Senior Manager (no delegation allowed)

Required on 4/1/2017

• CIP-003-6 Requirement R2, Attachment 1, Section 1
  o Requires that each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).

Required on 4/1/2017

• CIP-003-6 Requirement R2, Attachment 1, Section 4
  o Requires that each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
    4.1 Identification, classification, and response to Cyber Security Incidents;
    4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;
    4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

Required on 4/1/2017

    4.4 Incident handling for Cyber Security Incidents;
    4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and
    4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.

Required on 4/1/2017

• Note:
  o In order to properly develop policy (Section 1) and incident response (Section 4), physical (Section 2) and electronic (Section 3) access control procedures (i.e., the controls to be implemented) need to be initially developed, but they will not themselves be subject to audit

Required on 9/1/2018

• CIP-003-6 Requirement R2, Attachment 1, Section 2
• CIP-003-6 Requirement R2, Attachment 1, Section 3

Required on 9/1/2018

• CIP-003-6 Requirement R2, Attachment 1, Section 2 (draft language)
  o Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Required on 9/1/2018

• CIP-003-6 Requirement R2, Attachment 1, Section 3 (draft language)
  o Electronic Access Controls: Each Responsible Entity shall:
    3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s).
    3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.

Required on 9/1/2018

• All physical and electronic access control protections must be in place at all assets containing low impact BES Cyber Assets or BES Cyber Systems by 9/1/2018


CIP Violations (as of July 1, 2016)


CIP Violations (as of July 1, 2016)
