Physical Security Reliability Standard Implementation




Physical Security Reliability Standard Implementation
Tobias Whitney, Manager of CIP Compliance (NERC)
Carl Herron, Physical Security Leader (NERC)
NERC Sub-Committee Meeting, New Orleans, Louisiana

CIP-014 Implementation Program
- Implementation readiness
- Clarify compliance expectations
- Increased industry awareness
- Understanding scoping and third-party reliance
- Consistent enforcement
- Support all entities in the timely, effective, and efficient implementation of CIP-014

Key Dates: CIP-014-2 Implementation Timeline

Activity                               Implementation    Not later than   Days after 10/1/15
R1   Assessment                        Effective date    10/1/2015          0 days
R2   Verification                      Effective + 90    12/30/2015        90 days
R2.3 Address Discrepancies             R2.2 + 60         2/28/2016        150 days
R3   Notify Control Center             R2 + 7            1/6/2016          97 days
R4   Threat & Vulnerability Evaluation R2 + 120          6/27/2016        270 days
R5   Security Plan                     R2 + 120          6/27/2016        270 days

Note that the "R2 + 120" clock for R4 and R5 runs from completion of R2 including the 60-day R2.3 discrepancy window (150 + 120 = 270 days), not from the 90-day verification date.
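Because every later deadline hangs off an earlier one, a slip in R2 moves R2.3, R4 and R5 with it. The following is an added example, not part of the NERC presentation, that derives each due date from the effective date and the anchors shown on the slide; the MILESTONES table, the function names, and the reading that R4/R5 count from completion of R2.3 are assumptions made for the example, chosen to reproduce the slide's numbers.

```python
from datetime import date, timedelta

# CIP-014-2 milestones as laid out on the slide (assumed representation).
# Each entry is (requirement, description, anchor milestone, days after anchor).
# "EFFECTIVE" is the standard's effective date. The slide's "R2 + 120" for
# R4/R5 is taken to run from completion of R2 including the R2.3 discrepancy
# window, which is what makes R4/R5 land 270 days out.
MILESTONES = [
    ("R1",   "Risk assessment",                    "EFFECTIVE", 0),
    ("R2",   "Third-party verification",           "EFFECTIVE", 90),
    ("R2.3", "Address verifier discrepancies",     "R2",        60),
    ("R3",   "Notify primary control center",      "R2",        7),
    ("R4",   "Threat and vulnerability evaluation","R2.3",      120),
    ("R5",   "Physical security plan",             "R2.3",      120),
]


def build_timeline(effective_iso, milestones=MILESTONES):
    """Resolve each milestone's due date from its anchor.

    Returns {requirement: (due_date_iso, days_after_effective)}. Anchors are
    resolved in list order; an undefined anchor raises, so a mis-ordered or
    mistyped table fails loudly instead of yielding a wrong deadline.
    """
    effective = date.fromisoformat(effective_iso)
    resolved = {"EFFECTIVE": effective}
    timeline = {}
    for req, _desc, anchor, days in milestones:
        if anchor not in resolved:
            raise ValueError(f"{req} is anchored on undefined milestone {anchor!r}")
        due = resolved[anchor] + timedelta(days=days)
        resolved[req] = due
        timeline[req] = (due.isoformat(), (due - effective).days)
    return timeline


def days_remaining(effective_iso, today_iso, milestones=MILESTONES):
    """Days left to each milestone as of today_iso (negative means overdue)."""
    today = date.fromisoformat(today_iso)
    return {req: (date.fromisoformat(due) - today).days
            for req, (due, _) in build_timeline(effective_iso, milestones).items()}


if __name__ == "__main__":
    # Reproduces the slide's table for the 10/1/2015 effective date.
    for req, (due, n) in build_timeline("2015-10-01").items():
        print(f"{req:5} due {due}  ({n:3d} days after effective date)")
```

Re-running build_timeline with the actual date a verification finished (rather than the planned one) gives the adjusted R2.3/R4/R5 dates an entity must plan to.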

Risk Assessment Guidance
Industry must assess the loss of certain substations (R1). To start, entities must identify in-scope substations. Assess:
  o Transmission Facilities at 500 kV or higher
  o Substations exceeding the aggregate weighted value of 3000
  o Substations identified by Reliability Coordinators, Planning Coordinators or Transmission Planners as critical to IROL derivations
  o Substations essential to meeting Nuclear Plant Interface Requirements
From there, various processes can be used to determine the list:
  o Entities may reference the NATF R1 approach
  o Entities may reference the method in the Guidelines and Technical Basis
  o Entities may use the process described in TPL-001-4 R4 and R6
To be compliant, the industry must demonstrate:
  o A transparent process that can be validated by their Compliance Enforcement Authority (CEA)
  o That the resulting list is commensurate with their process and BES risks

NATF Guidance
The February guidance memo references the North American Transmission Forum (NATF) guidance as a means to perform R1:
1. Identify the stations to be analyzed based on section 4.1.1 of the standard.
2. The TO identifies the cases/system conditions to be analyzed:
  o summer peak vs. winter peak load levels
  o shoulder peak load levels with system transfers
  o alternative generation dispatch assumptions
  o alternative load models (i.e., different penetration of inductive load)
3. Define the nature of the initiating event and how it will be modeled in the assessment:
  o an event unfolding over several minutes
  o an instantaneous event (such as an explosion)
4. The TO is responsible for documenting the criteria for instability, uncontrolled separation or Cascading, based on engineering knowledge or judgment.
5. The TO performs steady-state power flow or stability analysis.

R2 Third-Party Verification
Requirement R2 mandates that an unaffiliated third party verify the results of the risk assessment performed under Requirement R1. The third party for Requirement R2 must be either:
  o a registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or
  o an entity that has transmission planning or analysis experience.
Pages 26-28 of the Guidelines and Technical Basis section (Section 4) of the standard provide additional guidance on selecting a third-party verifier, stating that entities should consider the following characteristics:

R2 Third-Party Verifier Characteristics
- Registered entity with applicable planning and reliability functions.
- Experience in power system studies and planning.
- The third party's understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies.
- The third party's familiarity with the Interconnection within which the Transmission Owner is located.

Compliance Expectations
TOs must demonstrate appropriate rigor and analysis when performing R1 and R2. Consider how the following questions can be answered:
- Why certain stations or substations were identified as meeting the criteria in Requirement R1
- Similarly, why certain stations or substations were not identified under Requirement R1
- What the defining characteristics are of the stations and substations identified under Requirement R1
- How the third party verifying the risk assessment meets the qualifications in Requirement R2, and the means the third party used to ensure effective verification

R4 Threat and Vulnerability Assessment
Each TO that identified a Transmission station(s), Transmission substation(s), or primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3, shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in R1 and verified according to R2. The evaluation considers:
- Unique characteristics
- History of security events
- Intelligence or threat warnings

NATF R4 Guidance Memo (June 2015)
The R4 guidance contains an approach, common practices, and an understanding of evaluations of the potential vulnerabilities and threats of a physical attack on facilities.
Site-specific vulnerability considerations:
- No protection of the facility (fencing, locks, or monitoring)
- Gaps in or lack of security mitigation (physical and human)
- Gaps in or lack of physical security policies and procedures; failure to enforce controls for vehicle and security equipment testing
- Access control: how it is granted, and what the process is

NATF R4 Guidance Memo (June 2015): Physical Security Evaluation Checklist
(The physical security evaluation checklist is a format that can be used to provide a self-assessment of the security program.)
- Facility information: address; contact numbers for executive management, security management, maintenance and first responders
- Perimeter: fence (type, height, anchoring and enhancements), crash gate, lighting, surrounding area and landscape
- Security systems (CCTV, intrusion detection, fire alarms, and locks and doors)
- Information technology systems and sensitive information storage
- Security and response plans

NATF R4 Guidance Memo (June 2015): CIP-014 Questionnaire, Threat Assessment
- List the facility's full history of sabotage, vandalism, physical attack and law enforcement response
- List all historical criminal incidents at similar sites within the U.S.
- Threat assessments, intelligence bulletins or threat warnings prepared by state fusion centers, local law enforcement, DHS or the FBI

NATF R4 Guidance Memo (June 2015): Resiliency Measures
Measures already in place to prevent a physical attack:
- Existing physical security measures to deter, such as: perimeter signage, fencing, gates, lighting, locks and security officers/roving patrols
- Existing physical security measures to detect, such as: CCTV, intrusion detection and alarms
- Existing physical security measures to delay, such as: vehicle barriers, crash gates, fencing and security officers
- Existing physical security measures to assess, such as: video surveillance, video analytics and security command centers

NATF R4 Guidance Memo (June 2015): Resiliency Measures (continued)
- Existing physical security measures to communicate, such as: a Security Operations Center (SOC) that initiates response, protection of communication transmission to the SOC, alarm systems and intercom systems
- Existing physical security measures to respond, such as: documented procedures, responses to alarms, state or local law enforcement, and deployment of armed security officers

R5 Security Plan
Each TO that identified a Transmission station(s), Transmission substation(s), or primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3, shall develop and implement a documented physical security plan(s) that covers their Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of R2 and executed according to the timeline specified in the physical security plan(s).
- The security plan should address the mitigation of, and response to, the threats and vulnerabilities identified.
- A measurable timeline for executing the physical security enhancements and modifications should be included in the security plan.
- The timeline should include a project plan for how the security enhancements and modifications will be implemented.

NATF R5 Guidance Memo (June 2015)
The R5 guidance provides an approach for the development and implementation of physical security plans. Areas for consideration:
- Deterrence measures: visible physical security measures installed to persuade individuals to seek other, less secure targets.
- Detection measures: physical security measures installed to detect unauthorized intrusion and provide local and/or remote intruder notification.
- Delay measures: physical security measures installed to delay an intruder's access to a physical asset and provide time for incident assessment and response.

NATF R5 Guidance Memo (June 2015) (continued)
- Assessment measures: the process of evaluating the legitimacy of an alarm and determining the procedural steps required to respond.
- Communicate: systems used to send and receive alarm/video signals, audio, and data.
- Respond: the immediate measures taken to assess, deploy to, and interrupt an incident.
- Physical security plan template.

R6 Third-Party Review
R6: Each Transmission Owner and Transmission Operator shall select an unaffiliated third-party reviewer from the following:
- An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification.
- An entity or organization approved by the ERO.
- A government agency with physical security expertise.
- An entity or organization with demonstrated law enforcement, government, or military physical security expertise.

Critical Infrastructure Protection Committee (CIPC) R6 Guidance
CIPC has developed guidance to support industry's implementation of Requirement R6. It provides examples of experience/documentation for a third-party reviewer with electric industry experience:
  o Proof of past or current employment as an employee or contractor in the electric industry;
  o Proof of past or current employment as an employee or contractor serving as an ERO regional entity auditor; or
  o Documented experience in threat and vulnerability assessments or development of security plans in the electric industry.

CIPC R6 Guidance (continued)
- Provides examples of government agencies that might be selected.
- Provides skill sets/activities that demonstrate law enforcement, government, or military physical security expertise:
  o Conducting and/or evaluating threat and vulnerability analysis of physical attack
  o Designing and/or evaluating physical security plans
  o Third-party review of threat and vulnerability analyses or physical security plans
  o Designing, implementing, or evaluating asset protection plans, specifically those related to facilities, with special emphasis on industrial complexes

R6 Guidance: ERO Approval Process Guidance (September 2015)
- This process applies when a registered entity's chosen third party does not meet one of the other three R6 criteria.
- Candidate third parties shall work through their Registered Entity to obtain certification.
- The ERO will review the qualifications against industry-vetted criteria, which are included in Appendix A.
- Appendix A requires that the third-party reviewer meet at least one criterion from the physical security experience list plus one from the electric sector experience list.

ERO Approval Process Guidance (September 2015): Appendix A, Physical Security Experience (at least one)
- Certified Critical Infrastructure Protection Specialist (CCIPS) and ten (10) years' experience
- Certified Homeland Protection Professional (CHPP) and ten (10) years' experience
- Professional in Critical Infrastructure Protection (PCIP) and ten (10) years' experience
- Certified Security Consultant (CSC) and ten (10) years' experience as a physical security professional
- Ten (10) years' employment in a physical security department with responsibilities in facility protection
- Physical security subject matter expert: ten (10) years of experience in physical security program development, risk assessments, and threat assessment
- Twenty (20) engagements as a security consultant for facility physical security assessments or security program design

ERO Approval Process Guidance (September 2015): Appendix A, Electric Sector Experience (at least one)
- Ten (10) years' employment with an electric utility transmission organization
- Three (3) years' employment as an ERO regional entity auditor
- Ten (10) assignments as a physical security consultant for a North American electric utility transmission organization
- Five (5) years' military service with training in critical infrastructure interdiction

ERO to Monitor Implementation
- Number of assets identified as critical under the standard: per Region, Q4 2015 and Q1 2016
- Defining characteristics of the assets identified as critical: per Region, Q4 2015 and Q1 2016
- Scope of security plans: by Q4 2016
- Information obtained through Guided Self-Certifications, off-site audits, and audits
- Consider the compliance monitoring schedule

ERO to Monitor Implementation (continued)
- Timelines for implementing security and resiliency measures
  o Regions: periodic Guided Self-Certifications, off-site audits, and audits to determine implementation schedule and progress
  o NERC will aggregate the results
- Industry's progress in implementing the standard: beginning in Q4, quarterly NERC Board updates
- The Reliability Standard Audit Worksheet for CIP-014-2 will be sent to the drafting team (September 2015).
