CIP Physical Security. Nate Roberts CIP Security Auditor I

Transcription

1 CIP Physical Security Nate Roberts CIP Security Auditor I

2 Notes Critical Infrastructure Protection (CIP) Standard CIP is currently pending approval by the Federal Energy Regulatory Commission (FERC). This presentation contains tips which are meant to be helpful suggestions to guide an organization through the implementation process for CIP Examples used in this presentation are not all-inclusive or binding. 2

3 FERC Directive Directed North American Electric Reliability Corporation (NERC) to address physical security risks to the Bulk-Power System (BPS) in one or more Reliability Standards Standards should require owners and operators to address the risk of a physical attack on BPS reliability in three steps: Identify critical facilities Evaluate potential threats and vulnerabilities Develop/implement a security plan to protect against identified threats Periodic re-evaluation of all steps 3

4 CIP Physical Security Purpose To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. General Applicability Transmission Owners (TO) Transmission Operators (TOP) Implementation CIP is effective the first day of the first calendar quarter that is six months beyond the date the standard is approved by FERC. 4

5 Key Dates Event Date Federal Energy Regulatory Commission (FERC) Directive March 7, 2014 Approved by Industry May 5, 2014 Adopted by North American Electric Reliability Corporation (NERC) Board of Trustees Compliance Committee (BOTCC) May 13, 2014 Filed with FERC May 23, 2014 FERC Notice of Proposed Rulemaking (NOPR) July 17, 2014 NOPR comments due September 8, 2014 NOPR reply comments due September 22,

6 CIP It may be helpful to view and manage CIP as two major components. Applicability R1: Applicability and Risk Assessment R2: Unaffiliated Review R3: Control Center Notification Security R4: Threat and Vulnerability Assessment R5: Security Plan R6: Unaffiliated Review 6

7 CIP R1: Applicability and Risk Assessment Create a Candidate List Transmission stations/substations operating at or above 200kV Transmission stations/substations critical to the derivation of an Interconnection Reliability Operating Limits (IROL) and their associated contingencies Transmission stations/substations critical to operation of nuclear facilities Apply criteria listed in R4.1.1 of CIP Operating at or above 500kV, or Identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of IROLs and their associated contingencies, or Essential to meeting Nuclear Plant Interface Requirements, or (see next slide) 7

8 CIP R1 (continued) Apply criteria listed in of CIP (continued) Operating between 200 kv and 499 kv at a single station or substation, where the station or substation is connected at 200 kv or higher voltages to three or more other Transmission stations or substations and has an "aggregate weighted value" exceeding 3,000 according to the table below. Voltage Value of a Line Weight Value per Line Less than 200 kv (not applicable) (not applicable) 200 kv to 299 kv kv to 499 kv kv and above 0 8

9 CIP R2: Unaffiliated Review of R1 Assessment Must be completed within 90 calendar days of R1 assessment and may be conducted concurrently with R1. Unaffiliated third party must be: A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator, or An entity that has transmission planning or analysis experience The Standards Drafting Team interprets unaffiliated as external to the corporate structure. Auditors may review the credentials of the third party when evaluating compliance with R2. 9

10 CIP R2: Unaffiliated Review of R1 Assessment Unaffiliated reviewer recommendations must be addressed within 60 calendar days of review. Modify the identification under R1 consistent with the recommendation, or Document the technical basis for not modifying the identification in accordance with the recommendation This language is NOT intended to trigger Technical Feasibility Exceptions (TFEs) Implement procedures to protect sensitive information throughout the review process. 10

11 CIP R3: Notify Control Center Operators The entity has seven calendar days following the completion of R2 to notify control center operators for primary control centers associated with stations/substations identified in R1 assessment. The entity has seven calendar days following the completion of R2 to notify control center operators for primary control centers associated with stations/substations removed in subsequent in R1 assessments. Compliance tips: Use read receipts Implement three-part communications Receive and document confirmation of notification from control center operators 11

12 CIP R4: Threat and Vulnerability Assessment Conduct a threat and vulnerability assessment that considers: Unique characteristics of each station/substation/control center identified in R1 Attack history, attacks on similar facilities Frequency Geographic proximity Severity Intelligence or threat warnings 12

13 CIP R4: Threat and Vulnerability Assessment Unique Characteristics may include: Terrain Rural Urban High ground Vegetation Highly populated Vicinity to high-speed ingress/egress Equipment/ Facility Array Are mission critical assets on the perimeter or are they shielded from view or attack by less critical components of the facility? Existing protections Facility size and shape Crime statistics Weather 13

14 CIP R4: Threat and Vulnerability Assessment Tips When/where possible, do a full physical security survey Identify what components of the facility are critical to the mission Evaluate your facility from the perspective of an adversary that is: Targeting you Targeting your customer Targeting the grid Extend the assessment beyond the fence line Understand the advantages and disadvantages afforded by surrounding terrain Understand your threat environment Evaluate attacks on similar facilities globally Evaluate attacks in your geographic area even if the target facility is unlike yours 14

15 CIP R4: Threat and Vulnerability Assessment Indirect Fire Can an adversary fire a weapon on an arc trajectory and damage a critical component? Explosive Can an adversary place an explosive device such that it will damage a critical component? Vehicular Attack Can a vehicle drive into my facility to damage a critical component? Forced Entry Can an adversary force his or her way into my facility to damage a critical component? Surreptitious Entry Can an adversary sneak into the facility to damage a critical component? Direct Fire Can an adversary fire a line-of-sight weapon and damage a critical component? Suggested threat vectors to consider Arson Can an adversary damage critical components with fire? 15

16 CIP R5: Security Plan Should Include Resilience or security measures Verify the measures address vulnerabilities identified in R4 Law enforcement contact and coordination information, which may include: Simply a name and phone number Meetings to discuss security concerns, site-specific hazards, etc. Site-specific training for law enforcement Hosting law enforcement exercises Timeline for implementing physical security projects No specific dates or time frames required in this timeline, but it should pass the common sense test Provision to evaluate evolving threats Should include a process or mechanism to receive threat information Should include a process to evaluate threat information as it is received 16

17 CIP R5: Security Plan Tips Conduct a second assessment including the new measures Provides valuable metrics to stakeholders and regulators If conducted in the planning phase, may prevent costly but minimally effective security enhancements Does the plan makes sense? A reasonably-informed person should be able to follow the plan without extensive knowledge of the site or entity Is there a link between the security plan and the disaster recovery and/or business continuity plan(s) Law enforcement Coordinate early and often to verify all parties understand facility nuances and specific hazards/concerns Verify mutual understanding of law enforcement response procedures and capabilities 17

18 CIP R6: Unaffiliated Review of Assessment and Plan R6: Unaffiliated Review of R4 Assessment and R5 Plan An organization with industry physical security experience AND a Certified Protection Professional (CPP) or Physical Security Professional (PSP) on staff -or- An organization approved by the Electric Reliability Organization (ERO) -or- A government agency with physical security expertise -or- An organization with demonstrated law enforcement, government or military physical security expertise 18

19 CIP Implementation R1 R2.1, R2.2, and R2.4 R2.3 R3 Complete on or before the effective date of CIP Complete no later than 90 calendar days from the effective date of CIP Complete within 60 calendar days after completing R2.2 Complete within seven calendar days after the completion of R2 19

20 CIP Implementation R4 R5 R6.1, R6.2, & R6.4 R6.3 Complete within 120 calendar days after completion of R2 Complete within 120 calendar days after completion of R2 Complete within 90 calendar days after completion of R5 Complete within 60 calendar days after completion of R6.2 20

21 CIP Implementation Risk assessments must be completed once every 30 calendar months for a TO that had previously identified transmission stations/substations in its risk assessment for CIP R1. Risk assessments must be completed once every 60 calendar months for a TO that had not previously identified transmission stations/substations in its risk assessment for CIP R1. 21

22 Maximum Timeline R1: Complete Day R2: R1 Verification 3 rd Party Verification R3: TOP Communication R4: Threat Evaluation R5: Physical Security Plan Identification Modification Notify TOP Threat Evaluation Physical Security Plan R6: 3 rd Party Review 3 rd Party Review Modify evaluation/ security plan R2 R6 must be completed within 420 calendar days after completion of the risk assessment process in R1. 22

23 CIP Notice of Proposed Rulemaking (NOPR) Notice of Proposed Rulemaking (NOPR) issued by FERC July 17, 2014 Proposed to approve CIP-014-1, implementation plan, and VRF/VSL Proposed modifications Proposed informational filings Sought comments Comments were due September 8, 2014 Reply comments were due September 22,

24 CIP NOPR Proposed Modifications Allow Governmental Authorities (i.e., FERC and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity s list of critical facilities under R1. Remove the term widespread as it appears in the proposed Reliability Standard in the phrase widespread instability. 24

25 CIP NOPR FERC desired comments on: Providing for applicable governmental authorities to add or subtract facilities from an entity s list of critical facilities The standard for identifying critical facilities Control centers Exclusion of generators from the applicability section of the proposed Reliability Standard Third-party recommendations Resiliency Violation risk factors and violation severity levels Implementation plan and effective date 25

26 CIP NOPR Proposed Informational Filings Within six months of the effective date of a final rule addressing the possibility that CIP may not provide physical security for all High Impact control centers as defined in CIP Within one year of the effective date of a final rule addressing possible resiliency measures that can be taken to maintain reliable operation of the Bulk Electric System following the loss of critical facilities. 26

27 Questions? 27