NERC CIP Implementation Prepared by David Grubbs City of Garland NERC Critical Infrastructure Protection Committee (CIPC) Municipal Systems are well represented on the NERC CIPC Committee David Grubbs, (Garland) Representing ERCOT David Godfrey, (TMPA) Representing Municipals Nathan Mitchell (APPA) Representing Municipals Rich Powell (JEA) Representing FRCC 1
NERC Critical Infrastructure Protection Standards Compliance with version 1 of the NERC CIP Standards were phased in over the period of June 30, 2008 through December 31, 2009 depending on the registration. On April 1, 2010 version 2 of the NERC CIP Standards replaced version 1. On October 1, 2010 version 3 of the CIP standards replaced version 2. NERC CAN on Remote Access effective October 1, 2010 Future CIP Versions There are currently three new versions of the CIP Standards under development. Version 4 is being developed by the CIP Standards drafting team to replace the current Risk Based Assessment Methodology. Expected to be effective October 1, 2011. NERC Staff is preparing a version to address remote access known as CIP-005-X. Expected to be effective October 1, 2011. The CIP Standards drafting team is developing a complete rewrite of the CIP Standards currently known as CIP-010 and CIP-011 version 1. Identification of assets probably effective in 2012 with an implementation plan of at least 12 months for newly identified assets. 2
Implementation of CIP Standards in Garland Began implementation of initial substation security system in 2004 Most work done by utility personnel rather than contractors. Have changed software vendors for both monitoring and video software since initial system. Lessons Learned Start slowly you will probably change your mind what equipment / software you prefer It requires much longer to install than you will estimate As you add equipment you will eventually have to add staff dedicated to monitoring security equipment and investigating alarms The most utilized security equipment is not that required under CIP 3
Changes to CIP Version 3 Standards Effective October 1. Three changes to requirements in the version 3 CIP Standards CIP-002 R1 added the word its to clarify which assets should be evaluated CIP-006 R 1.6 added the requirement to have a visitor management program including logging g ingress and egress and continuous escort CIP-008 R 1.6 - removal of what FERC thought was not a requirement but an option Version 4 Standards Version 4 of the CIP Standards removes the Risk Based Assessment Methodology and replaces it with bright line criteria. Vote in early November failed. Drafting Team is rewriting prior to the second ballot in December. 4
CIP-005-X NERC is proposing an Urgent Action Standard CIP-005 005-X. Standard addresses all remote access into Critical Cyber Asset networks or devices. The Urgent Action status bypasses most of the Rules of Procedure applicable to Standards d drafting. Standard failed on the first ballot in October. Is being rewritten to be balloted on again in December. NERC CANs-Compliance Compliance Application Notices Clarify the Compliance Committee s interpretation of how auditors should audit Six currently in effect, CAN-0005 is only current one addressing security issues. Effective October 1, 2010. 59 in various stages of drafting. Several address security issues. CAN-0007 draft significantly exceeds existing standards. Read carefully. Many greatly expand beyond the Standards original intent. 5
NERC Alerts Stuxnet Facility Ratings Aurora CIP-010 and CIP-011 All BES facilities are Critical Assets Assets classified into High, Medium and Low criticality Still covers protection of cyber assets only Start preparing paperwork now! Communications diagrams will have to be prepared for all locations. 6
Audits Audits Audits Like many systems we are in a mode of almost continuous audits. Scheduled full audits average every three years. Some are one year, some three, some six years. Because Municipal Utilities remain integrated utilities we are registered for multiple functions (GPL is registered for 8). Larger utilities expect audits every year Self audits are required twice per year for CIP Standards. Once per year for all other Standards. Be Prepared Be prepared to significantly increase your compliance budgets and staff Be prepared to spend more time on documentation and procedures Be prepared to be assessed penalties for NERC and ERCOT violations 7
Questions? 8