NERC CIP Compliance. Dave Powell Plant Engineering and Environmental Performance. Presentation to 2009 BRO Forum




Transcription:

NERC CIP Compliance
Dave Powell, Plant Engineering and Environmental Performance
Presentation to 2009 BRO Forum
August 12, 2009

NERC CIP 101
- What is NERC CIP?
- CIP Terminology
- CIP compliance overview
- CIP compliance deadlines
Goals for today: Increase awareness of NERC CIP requirements and implementation status

What is NERC CIP?
- NERC has issued about 100 Electric Reliability Standards, governing the reliability of the Bulk Electric System
- CIP = Critical Infrastructure Protection
- 9 of NERC's CIP Standards address Physical and Cyber Security
- Standards are enforceable by FERC, through NERC
  - FERC: Federal Energy Regulatory Commission
  - NERC: North American Electric Reliability Corporation
- FERC Order 706 approved 8 of the CIP Standards
  - They are now law, effective 3/17/2008
  - Compliance is enforceable by financial penalties

What is Cyber Security?
- Protection of computers, software & applications:
  - Any microprocessor-based device, or operating system or application that runs on that device
  - E.g., DCS, PLCs, HMIs, EWS
- Protection from:
  - Remote hackers: attack using the network connection
  - Local hackers: attack at the keyboard
  - Viruses, Spyware, Trojans, etc.: loaded unsuspectingly or maliciously
- Cyber Security includes a range of techniques:
  - Policy and procedures, documented and enforced
  - Screening and training personnel
  - Passwords, SecurID tokens, biometric authentication, firewalls

NERC Cyber Security Standards
8 Standards / 41 Requirements / 164 Sub-requirements

CIP-002: CRITICAL CYBER ASSETS
  1. CRITICAL ASSETS
  2. CRITICAL CYBER ASSETS
  3. ANNUAL REVIEW
  4. ANNUAL APPROVAL

CIP-003: CONTROLS
  1. CYBER POLICY
  2. LEADERSHIP
  3. EXCEPTIONS
  4. INFORMATION PROTECTION
  5. CONTROL
  6. CHANGE CONTROL

CIP-004: PERSONNEL AND TRAINING
  1. AWARENESS
  2. TRAINING
  3. PERSONNEL RISK ASSESSMENT
  4.

CIP-005: ELECTRONIC PERIMETER
  1. ELECTRONIC PERIMETER
  2. ELECTRONIC CONTROLS
  3. MONITORING ELECTRONIC
  4. CYBER VULNERABILITY ASSESSMENT
  5. DOCUMENTATION

CIP-006: PHYSICAL OF CCAs
  1. PLAN
  2. PHYSICAL CONTROLS
  3. MONITORING PHYSICAL
  4. LOGGING PHYSICAL
  5. LOG RETENTION
  6. MAINTENANCE & TESTING

CIP-007: SYSTEMS
  1. TEST PROCEDURES
  2. PORTS & SERVICES
  3. PATCH
  4. MALICIOUS SOFTWARE PREVENTION
  5. ACCOUNT
  6. STATUS MONITORING
  7. DISPOSAL OR REDEPLOYMENT
  8. CYBER VULNERABILITY ASSESSMENT
  9. DOCUMENTATION

CIP-008: INCIDENT REPORTING & RESPONSE PLANNING
  1. CYBER INCIDENT RESPONSE PLAN
  2. DOCUMENTATION

CIP-009: RECOVERY PLANS FOR CCAs
  1. RECOVERY PLANS
  2. EXERCISES
  3. CHANGE CONTROL
  4. BACKUP & RESTORE
  5. TESTING BACKUP MEDIA

NERC CIP Terminology
- Critical Assets: Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
- Cyber Assets: Programmable electronic devices and communication networks including hardware, software, and data.
- Critical Cyber Assets: Cyber Assets essential to the reliable operation of Critical Assets.
- Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
- Physical Security Perimeter: The physical, completely enclosed ("six-wall") border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled.
- Cyber Security Incident: Any malicious act or suspicious event that:
  - Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter of a Critical Cyber Asset, or,
  - Disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.

NERC CIP Standards are Security Best Practices
1. Identify the most important Bulk Electric System facilities and the Critical Cyber Assets (computers, PLCs, etc.) that operate them (CIP-002)
2. Assign policies & responsibilities for protecting the computers in these facilities (CIP-003)
3. Decide who can access the computers in these facilities & ensure those persons are background checked & trained (CIP-004)
4. Construct perimeters to protect the computers:
   1. Electronic Security Perimeter, e.g., firewall (CIP-005)
   2. Physical Security Perimeter, e.g., card access (CIP-006)
5. Implement anti-virus, patch management and other security controls to protect each individual computer (CIP-007)
6. Plan what to do if there is a cyber security incident (CIP-008)
7. Plan and prepare for recovery of critical cyber assets (CIP-009)

AEP's CIP Compliance Deadlines
- Deadlines are established in the NERC CIP Implementation Plan
- CIP-003, R2 Leadership: The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity's implementation of, and adherence to, Standards CIP-002 through CIP-009.
- AEP Senior Managers:
  - Generation: Mark McCullough
  - Transmission: Mike Heyeck
  - Commercial Ops: Barbara Radous (delegate Bob Bradish)
  - Shared Services: Kevin Walker

Generation CIP Compliance Deadlines
- December 31, 2008: Be Substantially Compliant with all 41 requirements:
  - Approved plan in place and well along in implementation
  - Self-certify to RFC & SPP
  - AEP did NOT meet this NERC milestone for all requirements
- December 31, 2009: Be Compliant with all requirements:
  - Meeting the full intent of the requirement and beginning to maintain records to prove compliance
  - Self-certify to RFC & SPP
  - AEP Generation is committed to meeting this milestone
- December 31, 2010: Be Auditably Compliant with all requirements:
  - Demonstrate compliance to an auditor including 12 calendar months of auditable records

Day-to-day NERC CIP Implications
1. Decide who can access the computers in these facilities & ensure those persons are background checked & trained (CIP-004)
   - Hiring, termination or transfer: 7 day or 24 hour action required
   - How to treat control rooms during an outage?
2. Construct perimeters to protect the computers:
   - Electronic Security Perimeter, e.g., firewall (CIP-005)
   - Physical Security Perimeter, e.g., card access (CIP-006)
   - Tailgating
   - Escorting contractors into the control room

Generation NERC CIP Contacts
Name | Role
Jim Rappach | Project Manager
Dan Makelki | F&HO NERC Compliance Manager
Plant NERC Coordinators | Critical Asset Cyber Security
John Mazzone | F&HO Physical Security Manager
Plant Physical Security Coordinators | Critical Asset Physical Security
Dave McCammon | ES&EE Manager
Jim Fletcher | UI&C manager
Sal Piazza | Change Management, Communication Plan

Cyber Security Contacts

IT Security Engineering is coordinating AEP's NERC CIP compliance:
Name | Phone | Email
Jerry Freese, Director | 614-716-2351 | gsfreese@aep.com
Brian Lee | 614-716-3604 | btlee@aep.com
Patti Meara | 978-835-3375 | plmeara@aep.com
Nick Lauriat | 781-572-1400 | nalauriat@aep.com
William Rhodes (AEP West) | 713-806-5930 | werhodes@aep.com

IT Security Operations offer several services to assist in AEP's compliance, especially with CIP-007 R2, R3, R4, R6, R8:
Name | Phone | Email
Steve Swick, Manager | 614-716-3929 | slswick@aep.com
Shawn Null | 614-716-1328 | sanull@aep.com
Erik Diekmeyer | 614-716-2667 | ecdiekmeyer@aep.com

Physical Security Contacts

Physical Security is leading AEP's NERC CIP-006 compliance efforts:
Name | Phone | Email
Stan Partlow, Director | 614-716-3020 | separtlow@aep.com
Mike Dunn, Security Manager | 361-881-5307 | gmdunn@aep.com
Kim Campbell: OH, IN, MI | 614-716-2973 | kkcampbell@aep.com
Gary McGraw: VA, WV, KY, TN | 304-256-2707 | glmcgraw@aep.com
Bill Kerr: OK, LA, east TX | 918-599-2187 | wdkerr@aep.com
Lou Villagomez: TX | 361-881-5318 | lavillagomez@aep.com
Shannon Dunaway, Access Control | 614-716-1413 | smdunaway@aep.com