CIP-014-1 Physical Security. Nate Roberts, CIP Security Auditor I


Slide 2: Notes

- Critical Infrastructure Protection (CIP) Standard CIP is currently pending approval by the Federal Energy Regulatory Commission (FERC).
- This presentation contains tips which are meant to be helpful suggestions to guide an organization through the implementation process for CIP.
- Examples used in this presentation are not all-inclusive or binding.

Slide 3: FERC Directive

- Directed North American Electric Reliability Corporation (NERC) to address physical security risks to the Bulk-Power System (BPS) in one or more Reliability Standards
- Standards should require owners and operators to address the risk of a physical attack on BPS reliability in three steps:
  - Identify critical facilities
  - Evaluate potential threats and vulnerabilities
  - Develop/implement a security plan to protect against identified threats
- Periodic re-evaluation of all steps

Slide 4: CIP Physical Security

Purpose

- To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an Interconnection.

General Applicability

- Transmission Owners (TO)
- Transmission Operators (TOP)

Implementation

- CIP is effective the first day of the first calendar quarter that is six months beyond the date the standard is approved by FERC.

Slide 5: Key Dates

Event: Date

- Federal Energy Regulatory Commission (FERC) Directive: March 7, 2014
- Approved by Industry: May 5, 2014
- Adopted by North American Electric Reliability Corporation (NERC) Board of Trustees Compliance Committee (BOTCC): May 13, 2014
- Filed with FERC: May 23, 2014
- FERC Notice of Proposed Rulemaking (NOPR): July 17, 2014
- NOPR comments due: September 8, 2014
- NOPR reply comments due: September 22,

Slide 6: CIP

It may be helpful to view and manage CIP as two major components.

Applicability

- R1: Applicability and Risk Assessment
- R2: Unaffiliated Review
- R3: Control Center Notification

Security

- R4: Threat and Vulnerability Assessment
- R5: Security Plan
- R6: Unaffiliated Review

Slide 7: CIP R1: Applicability and Risk Assessment

Create a Candidate List

- Transmission stations/substations operating at or above 200 kV
- Transmission stations/substations critical to the derivation of an Interconnection Reliability Operating Limits (IROL) and their associated contingencies
- Transmission stations/substations critical to operation of nuclear facilities

Apply criteria listed in R4.1.1 of CIP

- Operating at or above 500 kV, or
- Identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of IROLs and their associated contingencies, or
- Essential to meeting Nuclear Plant Interface Requirements, or
- (see next slide)

Slide 8: CIP R1 (continued)

Apply criteria listed in of CIP (continued)

- Operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3,000 according to the table below.

Table columns: Voltage Value of a Line; Weight Value per Line

- Less than 200 kV: (not applicable) (not applicable)
- 200 kV to 299 kV kV to 499 kV kV and above 0

Slide 9: CIP R2: Unaffiliated Review of R1 Assessment

- Must be completed within 90 calendar days of R1 assessment and may be conducted concurrently with R1.
- Unaffiliated third party must be:
  - A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator, or
  - An entity that has transmission planning or analysis experience
- The Standards Drafting Team interprets "unaffiliated" as external to the corporate structure.
- Auditors may review the credentials of the third party when evaluating compliance with R2.

Slide 10: CIP R2: Unaffiliated Review of R1 Assessment

- Unaffiliated reviewer recommendations must be addressed within 60 calendar days of review.
  - Modify the identification under R1 consistent with the recommendation, or
  - Document the technical basis for not modifying the identification in accordance with the recommendation
  - This language is NOT intended to trigger Technical Feasibility Exceptions (TFEs)
- Implement procedures to protect sensitive information throughout the review process.

Slide 11: CIP R3: Notify Control Center Operators

- The entity has seven calendar days following the completion of R2 to notify control center operators for primary control centers associated with stations/substations identified in R1 assessment.
- The entity has seven calendar days following the completion of R2 to notify control center operators for primary control centers associated with stations/substations removed in subsequent R1 assessments.
- Compliance tips:
  - Use read receipts
  - Implement three-part communications
  - Receive and document confirmation of notification from control center operators

Slide 12: CIP R4: Threat and Vulnerability Assessment

Conduct a threat and vulnerability assessment that considers:

- Unique characteristics of each station/substation/control center identified in R1
- Attack history, attacks on similar facilities
  - Frequency
  - Geographic proximity
  - Severity
- Intelligence or threat warnings

Slide 13: CIP R4: Threat and Vulnerability Assessment

Unique Characteristics may include:

- Terrain
- Rural
- Urban
- High ground
- Vegetation
- Highly populated
- Vicinity to high-speed ingress/egress
- Equipment/Facility Array
  - Are mission critical assets on the perimeter or are they shielded from view or attack by less critical components of the facility?
- Existing protections
- Facility size and shape
- Crime statistics
- Weather

Slide 14: CIP R4: Threat and Vulnerability Assessment Tips

- When/where possible, do a full physical security survey
- Identify what components of the facility are critical to the mission
- Evaluate your facility from the perspective of an adversary that is:
  - Targeting you
  - Targeting your customer
  - Targeting the grid
- Extend the assessment beyond the fence line
- Understand the advantages and disadvantages afforded by surrounding terrain
- Understand your threat environment
  - Evaluate attacks on similar facilities globally
  - Evaluate attacks in your geographic area even if the target facility is unlike yours

Slide 15: CIP R4: Threat and Vulnerability Assessment

Suggested threat vectors to consider

- Indirect Fire: Can an adversary fire a weapon on an arc trajectory and damage a critical component?
- Explosive: Can an adversary place an explosive device such that it will damage a critical component?
- Vehicular Attack: Can a vehicle drive into my facility to damage a critical component?
- Forced Entry: Can an adversary force his or her way into my facility to damage a critical component?
- Surreptitious Entry: Can an adversary sneak into the facility to damage a critical component?
- Direct Fire: Can an adversary fire a line-of-sight weapon and damage a critical component?
- Arson: Can an adversary damage critical components with fire?

Slide 16: CIP R5: Security Plan

Should Include

- Resilience or security measures
  - Verify the measures address vulnerabilities identified in R4
- Law enforcement contact and coordination information, which may include:
  - Simply a name and phone number
  - Meetings to discuss security concerns, site-specific hazards, etc.
  - Site-specific training for law enforcement
  - Hosting law enforcement exercises
- Timeline for implementing physical security projects
  - No specific dates or time frames required in this timeline, but it should pass the "common sense" test
- Provision to evaluate evolving threats
  - Should include a process or mechanism to receive threat information
  - Should include a process to evaluate threat information as it is received

Slide 17: CIP R5: Security Plan Tips

- Conduct a second assessment including the new measures
  - Provides valuable metrics to stakeholders and regulators
  - If conducted in the planning phase, may prevent costly but minimally effective security enhancements
- Does the plan make sense?
  - A reasonably-informed person should be able to follow the plan without extensive knowledge of the site or entity
  - Is there a link between the security plan and the disaster recovery and/or business continuity plan(s)?
- Law enforcement
  - Coordinate early and often to verify all parties understand facility nuances and specific hazards/concerns
  - Verify mutual understanding of law enforcement response procedures and capabilities

Slide 18: CIP R6: Unaffiliated Review of Assessment and Plan

R6: Unaffiliated Review of R4 Assessment and R5 Plan

- An organization with industry physical security experience AND a Certified Protection Professional (CPP) or Physical Security Professional (PSP) on staff, -or-
- An organization approved by the Electric Reliability Organization (ERO), -or-
- A government agency with physical security expertise, -or-
- An organization with demonstrated law enforcement, government or military physical security expertise

Slide 19: CIP Implementation

- R1: Complete on or before the effective date of CIP
- R2.1, R2.2, and R2.4: Complete no later than 90 calendar days from the effective date of CIP
- R2.3: Complete within 60 calendar days after completing R2.2
- R3: Complete within seven calendar days after the completion of R2

Slide 20: CIP Implementation

- R4: Complete within 120 calendar days after completion of R2
- R5: Complete within 120 calendar days after completion of R2
- R6.1, R6.2, & R6.4: Complete within 90 calendar days after completion of R5
- R6.3: Complete within 60 calendar days after completion of R6.2

Slide 21: CIP Implementation

- Risk assessments must be completed once every 30 calendar months for a TO that had previously identified transmission stations/substations in its risk assessment for CIP R1.
- Risk assessments must be completed once every 60 calendar months for a TO that had not previously identified transmission stations/substations in its risk assessment for CIP R1.

Slide 22: Maximum Timeline

[Figure: timeline with the stages R1: Complete; R2: R1 Verification (3rd Party Verification, Identification Modification); R3: TOP Communication (Notify TOP); R4: Threat Evaluation; R5: Physical Security Plan; R6: 3rd Party Review (Modify evaluation/security plan)]

R2 through R6 must be completed within 420 calendar days after completion of the risk assessment process in R1.

Slide 23: CIP Notice of Proposed Rulemaking (NOPR)

- Notice of Proposed Rulemaking (NOPR) issued by FERC July 17, 2014
  - Proposed to approve CIP-014-1, implementation plan, and VRF/VSL
  - Proposed modifications
  - Proposed informational filings
  - Sought comments
- Comments were due September 8, 2014
- Reply comments were due September 22,

Slide 24: CIP NOPR Proposed Modifications

- Allow Governmental Authorities (i.e., FERC and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity's list of critical facilities under R1.
- Remove the term "widespread" as it appears in the proposed Reliability Standard in the phrase "widespread instability."

Slide 25: CIP NOPR

FERC desired comments on:

- Providing for applicable governmental authorities to add or subtract facilities from an entity's list of critical facilities
- The standard for identifying critical facilities
- Control centers
- Exclusion of generators from the applicability section of the proposed Reliability Standard
- Third-party recommendations
- Resiliency
- Violation risk factors and violation severity levels
- Implementation plan and effective date

Slide 26: CIP NOPR Proposed Informational Filings

- Within six months of the effective date of a final rule addressing the possibility that CIP may not provide physical security for all "High Impact" control centers as defined in CIP
- Within one year of the effective date of a final rule addressing possible resiliency measures that can be taken to maintain reliable operation of the Bulk Electric System following the loss of critical facilities.

Slide 27: Questions?


Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Standard CIP 003 1 Cyber Security Security Management Controls

Standard CIP 003 1 Cyber Security Security Management Controls A. Introduction 1. Title: Cyber Security Security Management Controls 2. Number: CIP-003-1 3. Purpose: Standard CIP-003 requires that Responsible Entities have minimum security management controls in place

More information

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,

More information

North American Electric Reliability Corporation. Compliance Monitoring and Enforcement Program. December 19, 2008

North American Electric Reliability Corporation. Compliance Monitoring and Enforcement Program. December 19, 2008 116-390 Village Boulevard Princeton, New Jersey 08540-5721 North American Electric Reliability Corporation Compliance Monitoring and Enforcement Program December 19, 2008 APPENDIX 4C TO THE RULES OF PROCEDURE

More information

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, 2015. Electric Grid Operations

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, 2015. Electric Grid Operations San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, 2015 Electric Grid Operations Director Electric Grid Operations: Responsible for overall transmission

More information

Alberta Reliability Standard Cyber Security Personnel & Training CIP-004-AB-5.1

Alberta Reliability Standard Cyber Security Personnel & Training CIP-004-AB-5.1 Alberta Reliability Stard A. Introduction 1. Title: 2. Number: 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the bulk electric system from individuals

More information

Relationship to National Response Plan Emergency Support Function (ESF)/Annex

Relationship to National Response Plan Emergency Support Function (ESF)/Annex RISK MANAGEMENT Capability Definition Risk Management is defined by the Government Accountability Office (GAO) as A continuous process of managing through a series of mitigating actions that permeate an

More information

PROJECT NO. 40269 ORDER ADOPTING AMENDMENTS TO 25.52 AS APPROVED AT THE OCTOBER 12, 2012 OPEN MEETING

PROJECT NO. 40269 ORDER ADOPTING AMENDMENTS TO 25.52 AS APPROVED AT THE OCTOBER 12, 2012 OPEN MEETING PROJECT NO. 40269 PRIORITIES FOR POWER RESTORATION TO CERTAIN MEDICAL FACILITIES PUBLIC UTILITY COMMISSION OF TEXAS ORDER ADOPTING AMENDMENTS TO 25.52 AS APPROVED AT THE OCTOBER 12, 2012 OPEN MEETING The

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security DOE/IG-0846 January 2011

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport Commercial Nuclear Power Plants Stan Blanton Nuclear Power Subcommittee The Regulatory Landscape NRC

More information

122 FERC 61,040 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM06-22-000; Order No.

122 FERC 61,040 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM06-22-000; Order No. 122 FERC 61,040 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket No. RM06-22-000; Order No. 706] Mandatory Reliability Standards for Critical Infrastructure Protection

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

August 24, 2015. Comments of Grid Assurance LLC on Request for Information on National Power Transformer Reserve, 80 Fed. Reg. 39,422 (July 9, 2015)

August 24, 2015. Comments of Grid Assurance LLC on Request for Information on National Power Transformer Reserve, 80 Fed. Reg. 39,422 (July 9, 2015) VIA EMAIL TO: LPT.RFI.2015@hq.doe.gov August 24, 2015 Ms. Alice Lippert Office of Electricity Delivery and Energy Reliability U.S. Department of Energy 1000 Independence Avenue, SW Washington, DC 20585

More information

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1 A. Introduction 1. Title: 2. Number: 3. Purpose: To prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements

More information

Electric Field Operations Organization

Electric Field Operations Organization NSTAR Electric Transmission Function Job Summaries Electric Field Operations Organization Vice President, Electric Field Operations (Transmission) This position has primary responsibility for the planning,

More information

Opportunities to Overcome Key Challenges

Opportunities to Overcome Key Challenges The Electricity Transmission System Opportunities to Overcome Key Challenges Summary Results of Breakout Group Discussions Electricity Transmission Workshop Double Tree Crystal City, Arlington, Virginia

More information

POLICY ISSUE INFORMATION

POLICY ISSUE INFORMATION POLICY ISSUE INFORMATION November 19, 2010 SECY-10-0153 FOR: FROM: SUBJECT: The Commissioners R. W. Borchardt Executive Director for Operations CYBER SECURITY IMPLEMENTATION OF THE COMMISSION S DETERMINATION

More information

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, 2015. Electric Grid Operations

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, 2015. Electric Grid Operations San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, 2015 Electric Grid Operations Director Electric Grid Operations: Responsible for overall transmission

More information

HOSPITALS STATUTE RULE CRITERIA. Current until changed by State Legislature or AHCA

HOSPITALS STATUTE RULE CRITERIA. Current until changed by State Legislature or AHCA HOSPITALS STATUTE RULE CRITERIA Current until changed by State Legislature or AHCA Hospitals and Ambulatory Surgical Centers Statutory Reference' 395.1055 (1)(c), Florida Statutes Rules and Enforcement.

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 Table of Contents Executive Summary 1 Introduction 2 Our Strategic Goals 2 Our Strategic Approach 3 The Path Forward 5 Conclusion 6 Executive

More information

Performs the Federal coordination role for supporting the energy requirements associated with National Special Security Events.

Performs the Federal coordination role for supporting the energy requirements associated with National Special Security Events. ESF Coordinator: Energy Primary Agency: Energy Support Agencies: Agriculture Commerce Defense Homeland Security the Interior Labor State Transportation Environmental Protection Agency Nuclear Regulatory

More information

RE: Notice of Proposed Rulemaking, Request for Comments: Operation and Certification of Small Unmanned Aircraft Systems [Docket No.

RE: Notice of Proposed Rulemaking, Request for Comments: Operation and Certification of Small Unmanned Aircraft Systems [Docket No. April 24, 2015 Docket Management Facility (M-30) U. S. Department of Transportation West Building Ground Floor Room W12-140 1200 New Jersey Ave. Washington, DC 20590-0001 RE: Notice of Proposed Rulemaking,

More information

NERC S DEFINITION OF THE BULK ELECTRIC SYSTEM

NERC S DEFINITION OF THE BULK ELECTRIC SYSTEM NERC S DEFINITION OF THE BULK ELECTRIC SYSTEM WHY THE DEFINITION MATTERS, WHY IT S CHANGING, AND WHERE WE STAND AT NERC AND FERC CYNTHIA S. BOGORAD cynthia.bogorad@spiegelmcd.com LATIF M. NURANI latif.nurani@spiegelmcd.com

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

Title 20 PUBLIC SERVICE COMMISSION. Subtitle 50 SERVICE SUPPLIED BY ELECTRIC COMPANIES. Chapter 02 Engineering

Title 20 PUBLIC SERVICE COMMISSION. Subtitle 50 SERVICE SUPPLIED BY ELECTRIC COMPANIES. Chapter 02 Engineering Title 20 PUBLIC SERVICE COMMISSION Subtitle 50 SERVICE SUPPLIED BY ELECTRIC COMPANIES Chapter 02 Engineering Authority: Public Utility Companies Article, 2-121, 5-101 and 5-303, Annotated Code of Maryland.

More information

Lisa Wood, Compliance Auditor, Cyber Security, CISA, CBRM, CBRA. CIP R2 Low Impact Assets (LIA) Update January 29, 2015

Lisa Wood, Compliance Auditor, Cyber Security, CISA, CBRM, CBRA. CIP R2 Low Impact Assets (LIA) Update January 29, 2015 Lisa Wood, Compliance Auditor, Cyber Security, CISA, CBRM, CBRA CIP-003-7 R2 Low Impact Assets (LIA) Update January 29, 2015 Agenda Low Impact Progress Anticipated Dates Low Impact Requirement and Implementation

More information

Cyber Security and Privacy - Program 183

Cyber Security and Privacy - Program 183 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

More information

152 FERC 61,054 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM15-14-000]

152 FERC 61,054 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM15-14-000] 152 FERC 61,054 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION 18 CFR Part 40 [Docket No. RM15-14-000] Revised Critical Infrastructure Protection Reliability Standards (July 16, 2015) AGENCY:

More information

AMBULATORY SURGICAL CENTERS

AMBULATORY SURGICAL CENTERS AMBULATORY SURGICAL CENTERS STATUTE RULE CRITERIA Current until changed by State Legislature or AHCA Hospitals and Ambulatory Surgical Centers Statutory Reference 3 395.1055 (1)(c), Florida Statutes Rules

More information

Security Management Program Development:

Security Management Program Development: Security Management Program Development: A Critical Infrastructure Protection Model July 15 16, 2015 Earn up to 15 CPEs EXPERIE NCE, DED IC ON AT I D, AN LEA DE RS HIP IN SE R CU ITY E C DU AT IO N Are

More information

CIP-005-5 Cyber Security Electronic Security Perimeter(s)

CIP-005-5 Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-5 3. Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security

More information

Addressing Dynamic Threats to the Electric Power Grid Through Resilience

Addressing Dynamic Threats to the Electric Power Grid Through Resilience Addressing Dynamic Threats to the Electric Power Grid Through Resilience NOVEMBER 2014 INTRODUCTION The U.S. electric power grid is an interconnected system made up of power generation, transmission, and

More information

Last revised: September 1, 2014 TRANSMISSION FUNCTION TITLES AND JOB DESCRIPTIONS

Last revised: September 1, 2014 TRANSMISSION FUNCTION TITLES AND JOB DESCRIPTIONS Last revised: September 1, 2014 TRANSMISSION FUNCTION TITLES AND JOB DESCRIPTIONS EVP, Chief Operations Officer, has primary responsibility for the overall planning, operations and control of the transmission

More information

Southwest Power Pool SPP REGIONAL COMPLIANCE WORKING GROUP (RCWG) CONFERENCE CALL. August 7, 2015 MINUTES

Southwest Power Pool SPP REGIONAL COMPLIANCE WORKING GROUP (RCWG) CONFERENCE CALL. August 7, 2015 MINUTES Southwest Power Pool SPP REGIONAL COMPLIANCE WORKING GROUP (RCWG) CONFERENCE CALL Agenda Item 1 Administrative Items August 7, 2015 MINUTES Chair Jennifer Flandermeyer called the meeting to order at 2:00

More information

AURORA Vulnerability Background

AURORA Vulnerability Background AURORA Vulnerability Background Southern California Edison (SCE) September 2011-1- Outline What is AURORA? Your Responsibility as a Customer Sectors Impacted by AURORA Review of Regulatory Agencies History

More information

POWER MARKETING ADMINISTRATION EMERGENCY MANAGEMENT PROGRAM MANUAL

POWER MARKETING ADMINISTRATION EMERGENCY MANAGEMENT PROGRAM MANUAL MANUAL DOE M 151.1-1 Approved: POWER MARKETING ADMINISTRATION EMERGENCY MANAGEMENT PROGRAM MANUAL U.S. DEPARTMENT OF ENERGY Office of Emergency Operations AVAILABLE ONLINE AT: www.directives.doe.gov INITIATED

More information

CHANGING THE UTILITY WAY OF DOING BUSINESS. AN UPDATE ON THE UPCOMING CHANGES OF NERC PRC-005.

CHANGING THE UTILITY WAY OF DOING BUSINESS. AN UPDATE ON THE UPCOMING CHANGES OF NERC PRC-005. CHANGING THE UTILITY WAY OF DOING BUSINESS. AN UPDATE ON THE UPCOMING CHANGES OF NERC PRC-005. Terry Chapman Technical Specialist of DC Systems Southern California Edison Pomona, CA 91768 ABSTRACT Anyone

More information

8.0 ENVIRONMENTAL PROTECTION MONITORING AND FOLLOW-UP

8.0 ENVIRONMENTAL PROTECTION MONITORING AND FOLLOW-UP 8.0 ENVIRONMENTAL PROTECTION MONITORING AND FOLLOW-UP 8.1 INTRODUCTION Mitigation measures, monitoring and other follow-up actions identified in Chapter 7 (Environmental Effects Assessment and Mitigation)

More information

U.S. Department of Energy Office of Inspector General Office of Audit Services

U.S. Department of Energy Office of Inspector General Office of Audit Services U.S. Department of Energy Office of Inspector General Office of Audit Services Audit Report Report on Critical Asset Vulnerability and Risk Assessments at the Power Marketing Administrations--Followup

More information