NERC CIP Compliance. Dave Powell Plant Engineering and Environmental Performance. Presentation to 2009 BRO Forum

Transcription

1 NERC CIP Compliance Dave Powell Plant Engineering and Environmental Performance Presentation to 2009 BRO Forum August 12,

2 NERC CIP 101 What is NERC CIP? CIP Terminology CIP compliance overview CIP compliance deadlines Goals for today: Increase awareness of NERC CIP requirements and implementation status August 12,

3 What is NERC CIP? NERC has issued about 100 Electric Reliability Standards, governing the reliability of the Bulk Electric System CIP = Critical Infrastructure Protection 9 of NERC s CIP Standards address Physical and Cyber Security Standards are enforceable by FERC, through NERC FERC Federal Energy Regulatory Commission NERC North American Electric Reliability Corporation FERC Order 706 approved 8 of the CIP Standards They are now law, effective 3/17/2008 Compliance is enforceable by financial penalties August 12,

4 What is Cyber Security? Protection of computers, software & applications: Any microprocessor-based device, or operating system or application that runs on that device E.g., DCS, PLCs, HMIs, EWS Protection from: Remote hackers attack using the network connection Local hackers attack at the keyboard Viruses, Spyware, Trojans, etc loaded unsuspectingly or maliciously Cyber Security includes a range of techniques: Policy and procedures, documented and enforced Screening and training personnel Passwords, SecurID tokens, biometric authentication, firewalls August 12,

5 NERC Cyber Security Standards 8 Standards Standards // Requirements Requirements // Sub-requirements Sub-requirements CIP-002 CIP-003 CIP-004 CIP-005 CIP-006 CIP-007 CIP-008 CIP-009 CRITICAL CRITICAL CYBER CYBER ASSETS ASSETS CONTROLS CONTROLS PERSONNEL PERSONNEL AND AND TRAINING TRAINING ELECTRONIC ELECTRONIC PERIMETER PERIMETER PHYSICAL PHYSICAL OF OF CCAs CCAs SYSTEMS SYSTEMS INCIDENT INCIDENT REPORTING & REPORTING & RESPONSE RESPONSE PLANNING PLANNING RECOVERY RECOVERY PLANS FOR PLANS FOR CCAs CCAs 1. CRITICAL 1. CRITICAL ASSETS ASSETS 2. CRITICAL 2. CRITICAL CYBER CYBER ASSETS ASSETS 3. ANNUAL 3. ANNUAL REVIEW REVIEW 4. ANNUAL 4. ANNUAL APPROVAL APPROVAL 1. CYBER 1. CYBER POLICY POLICY 2. LEADERSHIP 2. LEADERSHIP 3. EXCEPTIONS 3. EXCEPTIONS 4. INFORMATION 4. INFORMATION PROTECTION PROTECTION CONTROL CONTROL 6. CHANGE 6. CHANGE CONTROL CONTROL 1. AWARENESS 1. AWARENESS 2. TRAINING 2. TRAINING 3. PERSONNEL 3. PERSONNEL RISK RISK ASSESSMENT ASSESSMENT ELECTRONIC 1. ELECTRONIC PERIMETER PERIMETER 2. ELECTRONIC 2. ELECTRONIC CONTROLS CONTROLS 3. MONITORING 3. MONITORING ELECTRONIC ELECTRONIC 4. CYBER 4. CYBER VULNER- VULNER- ABILITY ABILITY ASSESSMENT ASSESSMENT 5. DOCUMEN- 5. DOCUMEN- TATION TATION 1. PLAN 1. PLAN 2. PHYSICAL 2. PHYSICAL CONTROLS CONTROLS 3. MONITORING 3. MONITORING PHYSICAL PHYSICAL 4. LOGGING 4. LOGGING PHYSICAL PHYSICAL LOG LOG RETENTION RETENTION 6. MAINTE- 6. MAINTE- NANCE & NANCE & TESTING TESTING 1. TEST 1. TEST PROCEDURES PROCEDURES 2. PORTS & 2. PORTS & SERVICES SERVICES 3. PATCH 3. PATCH 4. MALICIOUS 4. MALICIOUS SOFTWARE SOFTWARE PREVENTION PREVENTION 5. ACCOUNT 5. ACCOUNT STATUS STATUS MONITORING MONITORING 7. DISPOSAL OR 7. DISPOSAL OR REDEPLOYMENT REDEPLOYMENT 8. CYBER 8. CYBER VULNERABILITY VULNERABILITY ASSESSMENT ASSESSMENT 9. DOCUMEN- 9. DOCUMEN- TATION TATION 1. CYBER 1. CYBER INCIDENT INCIDENT RESPONSE RESPONSE PLAN PLAN 2. DOCUMEN- 2. DOCUMEN- TATION TATION 1. RECOVERY 1. RECOVERY PLANS PLANS 2. EXERCISES 2. EXERCISES 3. CHANGE 3. CHANGE CONTROL CONTROL 4. BACKUP & 4. BACKUP & RESTORE RESTORE 5. TESTING 5. TESTING BACKUP BACKUP MEDIA MEDIA August 12,

6 NERC CIP Terminology Critical Assets: Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System. Cyber Assets: Programmable electronic devices and communication networks including hardware, software, and data. Critical Cyber Assets: Cyber Assets essential to the reliable operation of Critical Assets. Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. Physical Security Perimeter: The physical, completely enclosed ( sixwall ) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled. Cyber Security Incident: Any malicious act or suspicious event that: Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or, Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset. August 12,

7 NERC CIP Standards are Security Best Practices 1. Identify the most important Bulk Electric System facilities and the Critical Cyber Assets (computers, PLCs, etc.) that operate them (CIP-002) 2. Assign policies & responsibilities for protecting the computers in these facilities (CIP-003) 3. Decide who can access the computers in these facilities & ensure those persons are background checked & trained (CIP-004) 4. Construct perimeters to protect the computers: 1. Electronic Security Perimeter e.g., firewall (CIP-005) 2. Physical Security Perimeter e.g., card access (CIP-006) 5. Implement anti-virus, patch management and other security controls to protect each individual computer (CIP-007) 6. Plan what to do if there is a cyber security incident (CIP-008) 7. Plan and prepare for recovery of critical cyber assets (CIP-009) August 12,

8 AEP s CIP Compliance Deadlines Deadlines are established in the NERC CIP Implementation Plan CIP-003, R2 Leadership The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity s implementation of, and adherence to, Standards CIP-002 through CIP-009. AEP Senior Managers : Generation: Mark McCullough Transmission: Mike Heyeck Commercial Ops: Barbara Radous (delegate Bob Bradish) Shared Services: Kevin Walker August 12,

9 Generation CIP Compliance Deadlines December 31, 2008 Be Substantially Compliant with all 41 requirements: Approved plan in place and well along in implementation Self-certify to RFC & SPP AEP did NOT meet this NERC milestone for all requirements December 31, 2009: Be Compliant with all requirements: Meeting the full intent of the requirement and beginning to maintain records to prove compliance Self-certify to RFC & SPP AEP Generation is committed to meeting this milestone December 31, 2010: Be Auditably Compliant with all requirements: Demonstrate compliance to an auditor including 12 calendar months of auditable records August 12,

10 Day-to-day NERC CIP Implications 1. Decide who can access the computers in these facilities & ensure those persons are background checked & trained (CIP-004) Hiring, termination or transfer 7 day or 24 hour action required How to treat control rooms during an outage? 2. Construct perimeters to protect the computers: Electronic Security Perimeter e.g., firewall (CIP-005) Physical Security Perimeter e.g., card access (CIP-006) Tailgating Escorting contractors into the control room August 12,

11 Generation NERC CIP Contacts Name Jim Rappach Dan Makelki Plant NERC Coordinators John Mazzone Plant Physical Security Coordinators Dave McCammon Jim Fletcher Sal Piazza Role Project Manager F&HO NERC Compliance Manager Critical Asset Cyber Security F&HO Physical Security Manager Critical Asset Physical Security ES&EE Manager UI&C manager Change Management, Communication Plan August 12,

12 Cyber Security Contacts IT Security Engineering is coordinating AEP s NERC CIP compliance: Name Phone Jerry Freese, Director gsfreese@aep.com Brian Lee btlee@aep.com Patti Meara plmeara@aep.com Nick Lauriat nalauriat@aep.com William Rhodes (AEP West) werhodes@aep.com IT Security Operations offer several services to assist in AEP s compliance, especially with CIP-007 R2, R3, R4, R6, R8: Name Phone Steve Swick, Manager slswick@aep.com Shawn Null sanull@aep.com Erik Diekmeyer ecdiekmeyer@aep.com August 12,

13 Physical Security Contacts Physical Security is leading AEP s NERC CIP-006 compliance efforts: Name Phone Stan Partlow, Director separtlow@aep.com Mike Dunn, Security Manager gmdunn@aep.com Kim Campbell: OH, IN, MI kkcampbell@aep.com Gary McGraw: VA, WV, KY, TN glmcgraw@aep.com Bill Kerr: OK, LA, east TX wdkerr@aep.com Lou Villagomez: TX lavillagomez@aep.com Shannon Dunaway, Access Control smdunaway@aep.com August 12,