NERC CIP Standards and NIST Smart Grid Update


Keith Stouffer, Program Manager, National Institute of Standards and Technology, Keith.stouffer@nist.gov

Topics
- NERC Critical Infrastructure Protection (CIP) Standards: updates and where the standards are headed
- NIST Framework and Roadmap for Smart Grid Interoperability: updates
- Industrial to Grid (I2G) Domain Expert Working Group (DEWG)
- Cyber Security Coordination Task Group (CSCTG)

NERC CIP Standards Revision Overview
- January 18, 2008: FERC Order 706 approves CIP-002 through CIP-009, with direction to make additional modifications to the Standards.
- August 7, 2008: Standards Drafting Team appointed to review the CIP Cyber Security Standards and to:
  - address the modifications directed in FERC Order 706;
  - conform to the current ERO Rules of Procedure;
  - consider other cyber security standards and guidelines (e.g., NIST, ISO, ISA, IEC, DOE, CIPC);
  - consider stakeholder issues identified in the SAR comment process.

NERC CIP Standards, Version 2
- 22 members in the Standards Drafting Team (SDT).
- Kick-off meeting held at NIST on October 6-8, 2008.
- 7 additional 2-3 day face-to-face meetings of the NERC CIP SDT were held over the next 6 months to develop Revision 2 of the cyber security standards and address the 100+ pages of comments received during the comment period.
- The NERC CIP Version 2 cyber security standards, CIP-002-2 through CIP-009-2, were approved by the NERC Board of Trustees on May 6, 2009 after passage by the electric industry with a quorum of 94.37% and an 88.32% approval rating.
- Approved by FERC on September 30, 2009.
- A very fast revision of the NERC CIP Standards.

NERC CIP Standards, Version 4
- First step was to develop CIP-002-4, which defines the scope for the CIP standards:
  - cover all(?) Bulk Electric System assets (control centers, substations, plants, etc.);
  - cover all relevant Cyber Systems (EMS, SCADA, protection, automation, plant control, etc.);
  - approach by reliability function.
- More encompassing scope than previous Versions.

NERC CIP Standards, Version 4
- Apply multiple levels of security controls based on impact to the BES, referencing the NIST SP 800-53 and ISA99 models: Low Impact, Moderate Impact, High Impact.
- Draft CIP-002-4 was released for informal industry comment on December 29, 2009; comments were due by February 12, 2010.
- The SDT is currently working on the revisions to the CIP-002-4 through CIP-009-4 security requirements.
- Not a one-size-fits-all solution.

Low Impact System (illustration slide)

Possible ICS Impact Level Definitions: Low Impact
- ICS product examples: non-hazardous materials or products, non-ingested consumer products.
- Industry examples: plastic injection molding, warehouse applications.
- Security concerns: protecting people, capital investment, ensuring uptime.
NERC CIP Standards (EXAMPLE ONLY):
- Generation: below the Moderate threshold but part of the BES.
- Transmission: below the Moderate threshold but part of the BES.
- Control Centers: below the Moderate threshold but part of the BES.

Moderate Impact Systems (illustration slide)

Possible ICS Impact Level Definitions: Moderate Impact
- ICS product examples: some hazardous products and/or steps during production, high amount of proprietary information.
- Industry examples: automotive, metal industries, pulp & paper, semiconductors.
- Security concerns: protecting people, trade secrets, capital investment, ensuring uptime.
NERC CIP Standards (EXAMPLE ONLY):
- Generation: aggregate name-plate 1000 MW to 2000 MW.
- Transmission: 200 kV to 300 kV.
- Control Centers: load and generation 1000 MW to 2000 MW.

High Impact System (illustration slide)

High Impact System!!! (illustration slide)

Possible ICS Impact Level Definitions: High Impact
- ICS product examples: critical infrastructure, hazardous materials, ingested products.
- Industry examples: utilities, petrochemical, food & beverage, pharmaceutical.
- Security concerns: protecting human life, ensuring basic social services, protecting the environment.
NERC CIP Standards (EXAMPLE ONLY):
- Generation: aggregate name-plate > 2000 MW.
- Transmission: > 300 kV.
- Control Centers: load and generation > 2000 MW.

World Record High Impact System (illustration slide)

Effective Date for Standards
Effective Date language: "The first day of the third calendar quarter (i.e., a minimum of two full calendar quarters, and not more than three calendar quarters) after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required)."
- For example, if regulatory approval is granted in June, the standards would become effective January 1 of the following year.
- If regulatory approval is granted in July, the standards would become effective April 1 of the following year.
- FERC approved CIP-002-2 through CIP-009-2 on September 30, 2009; therefore the effective date is April 1, 2010.
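The quarter rule above is easy to get wrong by hand at year boundaries, so here is an added example (my own code, not from the slides or from NERC) that computes the effective date from an approval or BOT-adoption date and reproduces the three cases the slide gives. The `quarters_after` parameter is an assumption added for reuse; the rule on the slide fixes it at three.

```python
"""
Effective date of a NERC Reliability Standard under the rule quoted above:
"the first day of the third calendar quarter after" the quarter in which
regulatory approval (or BOT adoption, where approval is not required) occurred.
Added example; the slide's own dates are used only as check values.
"""
from datetime import date

QUARTER_START_MONTHS = (1, 4, 7, 10)  # Q1..Q4 begin in these months


def quarter_index(d: date) -> int:
    """0-based calendar quarter of a date: Jan-Mar -> 0, ..., Oct-Dec -> 3."""
    return (d.month - 1) // 3


def quarter_start(year: int, q: int) -> date:
    """First day of 0-based quarter q in the given year."""
    return date(year, QUARTER_START_MONTHS[q], 1)


def effective_date(approval: date, quarters_after: int = 3) -> date:
    """First day of the `quarters_after`-th calendar quarter following the
    approval quarter.  The slide's rule is quarters_after=3; the parameter is
    an assumption added here so the helper can express other lags."""
    q = quarter_index(approval) + quarters_after
    return quarter_start(approval.year + q // 4, q % 4)


def lag_months(approval: date) -> int:
    """Calendar-month distance from the approval month to the effective month.
    The approval quarter is partial, then two full quarters pass, so the lag is
    7 to 9 months: never less than the 'two full calendar quarters' minimum and
    never more than three quarters, as the rule states."""
    eff = effective_date(approval)
    return (eff.year - approval.year) * 12 + (eff.month - approval.month)


def lag_bounds() -> tuple:
    """Minimum and maximum lag in months over every approval month (assumption:
    the day within the month does not matter, which follows from the rule)."""
    lags = [lag_months(date(2009, m, 1)) for m in range(1, 13)]
    return min(lags), max(lags)


if __name__ == "__main__":
    # The three cases stated on the slide.
    for approved in (date(2009, 6, 15), date(2009, 7, 1), date(2009, 9, 30)):
        print(f"approved {approved} -> effective {effective_date(approved)}")
    print("lag in months over all approval months:", lag_bounds())
```

Calling `effective_date(date(2009, 9, 30))` returns `date(2010, 4, 1)`, matching the slide's CIP-002-2 through CIP-009-2 case; the same function applies to BOT adoption dates in jurisdictions where regulatory approval is not required.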

Penalties and Sanctions (example)

Base penalty range limits (low to high) by Violation Risk Factor (rows) and Violation Severity Level (columns):

Violation Risk Factor   Lower                 Moderate              High                   Severe
Lower                   $1,000 to $3,000      $2,000 to $7,500      $3,000 to $15,000      $5,000 to $25,000
Medium                  $2,000 to $30,000     $4,000 to $100,000    $6,000 to $200,000     $10,000 to $335,000
High                    $4,000 to $125,000    $8,000 to $300,000    $12,000 to $625,000    $20,000 to $1,000,000

- Statutory limit: $1,000,000 per violation per day in the U.S.
- Non-financial sanctions allowed.
- Penalty funds apply to the marginal cost of enforcement and are reconciled in the budget.

Other qualitative factors for consideration:
- Repeat infractions (-), prior warnings (-), deliberate violations (-): negative influence.
- Self-reporting and self-correction (+): positive influence.
- Quality of entity compliance program (+/-), overall performance (+/-): positive or negative influence.

Source: http://www.nerc.com/files/appendix4b_sanctions_guidelines_effective_20080115.pdf

The NIST Smart Grid Role
- Energy Independence and Security Act (EISA) of 2007, Title XIII, Section 1305: Smart Grid Interoperability Framework.
- In cooperation with the DoE, NEMA, IEEE, GWAC, and other stakeholders, NIST has primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems.
- http://www.nist.gov/smartgrid/

NIST Three Phase Plan
- Phase 1: identify an initial set of existing consensus standards and develop a roadmap to fill gaps.
- Phase 2: establish a public/private Standards Panel to provide ongoing recommendations for new/revised standards.
- Phase 3: testing and certification framework.
- Timeline on the slide runs from March 2009, through September, into 2010.

Inputs
- Executives meeting with Secretaries Locke and Chu.
- Workshops with more than 1500 participants: November 11-13, 2008; April 28-29, 2009; May 19-20, 2009; SDO Workshop, August 3-4, 2009.
- EPRI Report.
- Comments through two Federal Register Notices.

Interoperability Framework Elements
- Testing and Certification
- Standards
- Security Architecture and Requirements
- Conceptual Reference Model
- Business and Public Policy Requirements

Smart Grid Domains (illustration slide)

I2G Domain Expert Working Group
- Contact: i2g_interop@nist.gov
- Scope: interoperability and interaction between the electric grid and industrial facilities, including electric power generation.
- http://collaborate.nist.gov/twiki-sggrid/bin/view/smartgrid/i2g

We Need A Standards Roadmap
- Capabilities
- Priorities
- Reference Model
- Standards Release Plan
- Responsibilities
- Governance
- Testing and Certification
- I2G Roadmap: http://collaborate.nist.gov/twiki-sggrid/pub/smartgrid/i2groadmap/

Cyber Security Coordination Task Group
- Over 300 participants within 7 Working Groups.
- Objective is to assess standards for applicability and interoperability across the domains of the Smart Grid, rather than to develop a single set of cyber security requirements that are applicable to all elements of the Smart Grid.
- Standards will be assessed within an overall risk management framework that focuses on cyber security within the Smart Grid.
- http://collaborate.nist.gov/twiki-sggrid/bin/view/smartgrid/cybersecurityctg

Cyber Security Requirements Document
- NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements.
- First draft released September 2009; second draft released January 2010; final in spring 2010.
- Contents:
  - overall cyber security strategy for the Smart Grid;
  - privacy and the Smart Grid;
  - logical interface analysis (initial analysis);
  - specification of confidentiality, integrity, and availability impact levels (low, moderate, high);
  - Advanced Metering Infrastructure (AMI) security requirements;
  - crosswalk of cyber security documents.

Thank You. Keith Stouffer, National Institute of Standards and Technology, Keith.stouffer@nist.gov