U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY



Similar documents
ISO/RTO Council Comments on National Institute of Standards and Technology Proposed Smart Grid Interoperability Standards

Performance Metrics. For Independent System Operators And Regional Transmission Organizations

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. ) Southwest Power Pool, Inc. ) Docket No.

INDEPENDENT SYSTEM OPERATORS (VI + Access Rules vs. ISO vs. ITSO)

Securities and Exchange Commission 100 F Street, NE Washington, DC Release No ; File No. S ; RIN 3235-AL07

Re: Request for Comments on the Preliminary Cybersecurity Framework

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. California Independent System ) Docket No. ER Operator Corporation )

June 22, Via Electronic Submission

124 FERC 61,317 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. Communication Protocols for Public Utilities ORDER NO.

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

Governance. What s a Governance?

JOHN H. STOUT PRESIDENT, MARINER CONSULTING SERVICES, INC LAKEWAY DRIVE TAYLOR LAKE VILLAGE, TEXAS

Midcontinent Independent System Operator, Inc. FERC Docket No. ER Notice of Termination of Generator Interconnection Agreement

Transmission Grid Reliability And Performance Monitoring

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Rock Island Clean Line LLC ) Docket No. ER

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

America s New Cybersecurity Framework: Help or New Source of Exposure?

April 28, Dear Mr. Chairman:

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

U.S. COMMODITY FUTURES TRADING COMMISSION

Assessment of. Demand Response and Advanced Metering. Staff Report

A Regional Comparison of Smart Grids

Nodal Exchange Contract Specifications

Renewable Energy on Regional Power Grids Can Help States Meet Federal Carbon Standards

Rich Dewey Vice President, Information Technology & CIO New York Independent System Operator Budget and Priorities Working Group August 25, 2009

ELECTRIC POWER SECTOR COALITION Response to NIST RFI

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE AMERICAN PUBLIC POWER ASSOCIATION

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Billing Code: 3510-EA

Risk Management in Practice A Guide for the Electric Sector

Informational Report of the California Independent System Operator Corporation

151 FERC 61,046 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

September 29, Docket No. ER Amendment to CAISO FERC Electric Tariff to Eliminate Annual External Operations Review

Wind Power and Electricity Markets

122 FERC 61,040 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 40. [Docket No. RM ; Order No.

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

ISACA North Dallas Chapter

PROTIVITI FLASH REPORT

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, Electric Grid Operations

Why you should adopt the NIST Cybersecurity Framework

September 28, MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity

/s/ Sidney Mannheim Davies Sidney Mannheim Davies Assistant General Counsel Counsel for the California Independent System Operator Corporation

Presentation for The National Commission for Energy State Regulation of Ukraine

AAPG 2011 Annual Convention & Exhibition April 10, 2011

San Diego Gas & Electric Company ) Docket No. ER MOTION TO INTERVENE AND PROTEST OF THE CALIFORNIA INDEPENDENT SYSTEM OPERATOR CORPORATION

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

EFFECTIVE APPROACHES TO CYBERSECURITY FOR UTILITIES TERRY M. JARRETT HEALY & HEALY ATTORNEYS AT LAW, LLC OCTOBER 24, 2013

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. ) Southwest Power Pool, Inc. ) Docket No. ER )

Retail Electric Rates in Deregulated and Regulated States: A Ten Year Comparison

2015 CYBERSECURITY CAMPAIGN. Improving Today. Protecting Tomorrow. Page 1

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

TRANSMISSION OPERATIONS (August 5, 2010)

Assessment of. Demand Response and Advanced Metering. Staff Report

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. 18 CFR Part 101. (Docket No. RM ; Order No. 668)

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, Electric Grid Operations

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

U.S. Department of Energy Benefits of Demand Response and Recommendations

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions. Electric Grid Operations

How PURPA is driving utility scale solar in North Carolina By QF Solutions April 7, 2015

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. PJM Interconnection, L.L.C. ) Docket No. ER14-

On-Site vs. Off-Site Electric Power Supply in Refineries in the USA: The Use of Cogeneration in Texas and Louisiana

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Before the Federal Communications Commission Washington, D.C ) ) ) ) ) ) COMMENTS OF THE SATELLITE INDUSTRY ASSOCIATION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

OEB Smart Grid Advisory Committee

Preliminary Results of Analysis of the Broader Regional Markets Initiatives

154 FERC 61,020 FEDERAL ENERGY REGULATORY COMMISSION WASHINGTON, DC January 19, 2016

Trends in Data Breach and CybersecurityRegulation, Legislation and Litigation. Part I

IEEE-Northwest Energy Systems Symposium (NWESS)

New York State of the Market System - NYISO Success Project

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C Comments of CTIA The Wireless Association

Maturation of a Cyber Security Incident Prevention and Compliance Program

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

146 FERC 61,166 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

The North American Electric Reliability Corporation ( NERC ) hereby submits

Smart Grid America: Securing your network and customer data. Michael Assante Vice President and Chief Security Officer March 9, 2010

STATEMENT OF NATURE, REASONS AND BASIS

Energy Ventures Analysis 1901 N. Moore St. Arlington, VA (703)

June 2016 Commission Meeting Summaries

Closing the Gap Between Wholesale and Retail

Midcontinent Independent System Operator, Inc. FERC Docket No. ER Notice of Termination of Multi-Party Facilities Construction Agreement

Paul R. Peterson, Principal Associate

Staff Report on Gas-Electric Coordination Technical Conferences (Docket No. AD ) November 15, 2012

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION WRITTEN STATEMENT OF JOHN HOUSTON OF CENTERPOINT ENERGY HOUSTON ELECTRIC, LLC

Why you should adopt the NIST Cybersecurity Framework

151 FERC 62,145 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

This document provides a summary of the major

Bridging the Missing Money Gap Solutions for competitive power cash flow shortfalls

process is usually performed with an additional SCUC and has been the natural fit for the use of wind power forecasts. Currently, however, since this

Transcontinental Gas Pipe Line Company, LLC Rate Schedule S-2 Tracking Filing

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

Ohio Energy. Workshop HH. Understanding & Managing Your Risks A Real Time Approach for Long-Term Power Purchases

PROPOSED INTERPRETIVE NOTICE

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Protect Your Assets. Cyber Security Engineering. Control Systems. Power Plants. Hurst Technologies

Transcription:

U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ) Developing a Framework ) To Improve ) Docket No. 130208119-3119-01 Critical Infrastructure Cybersecurity ) ) RESPONSE OF THE ISO/RTO COUNCIL TO NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S OCTOBER 29, 2013 REQUEST FOR COMMENTS The ISO/RTO Council ( IRC ) submits these comments in response to the National Institute of Standards and Technology s ( NIST ) October 29, 2013, Request for Comments on the preliminary version of its voluntary Cybersecurity Framework (hereinafter, the Framework ). The IRC is composed of nine Independent System Operators ( ISOs ) and Regional Transmission Organizations ( RTOs ) in North America. 1 The following U.S. ISOs and RTOs are providing these comments: the California Independent System Operator ( CAISO ), Electric Reliability Council of Texas ( ERCOT ), ISO New England, Inc. ( ISO-NE ), Midcontinent Independent System Operator, Inc. ( MISO ), New York Independent System Operator, Inc. ( NYISO ), PJM Interconnection L.L.C. ( PJM ), and Southwest Power Pool ( SPP ) (collectively, the ISOs/RTOs ). These comments address the Framework and its overarching objectives and approach as a whole. The IRC appreciates the continued opportunity to participate in NIST s work to improve critical infrastructure cybersecurity and applauds the efforts that led to the 1 The ISOs/RTOs include: Alberta Electric System Operator ( AESO ), the California Independent System Operator ( CAISO ), Electric Reliability Council of Texas ( ERCOT ), the Independent Electric System Operator of Ontario, Inc. ( IESO ), ISO New England, Inc. ( ISO-NE ), Midcontinent Independent System Operator, Inc. ( MISO ), New York Independent System Operator, Inc. ( NYISO ), PJM Interconnection L.L.C. ( PJM ), and Southwest Power Pool ( SPP ). AESO and IESO are not participating in these comments. -1-

creation of the Framework. We believe that the Framework provides a good foundation for structuring an effective and holistic cybersecurity program. The IRC observed in its February 26, 2013 Response to NIST s Initial Request for Information that each ISO/RTO has a risk management program that includes a comprehensive program for addressing cybersecurity risks that draws from both the mandatory and enforceable NERC CIP reliability standards 2 and other industry standards and guidelines. Importantly, each ISO/RTO organizes its program differently based on its specific structure, operating characteristics, responsibilities, and risk assessments. As is noted in Section 1.2 of the Framework, organizations vary widely in their business models, resources, risk tolerance, approaches to risk management, and effects on security, national economic security, and national public health or safety. For this reason, each organization must employ a comprehensive risk management approach [that] provides the ability to identify, assess, respond to, and monitor cybersecurity-related risks and provide organizations with the information to make ongoing risk-based decisions. The IRC fully supports this manner of risk-driven cybersecurity. A risk-based methodology such as Identify, Protect, Detect, Respond, and Recover provides the best means for organizations to appropriately deploy resources for cybersecurity purposes. The IRC believes that the Framework s use of the Identity, Protect, Detect, Respond, and Recover approach is consistent with and complementary to the bestpractices and mandatory standards adopted by the ISOs/RTOs and electricity subsector. This approach is consistent with the increasing emphasis placed by the 2 The NERC CIP standards include requirements regarding the physical security of critical cyber assets and senior management s roles and responsibilities with regard to cyber security practices. -2-

Federal Energy Regulatory Commission ( FERC ) and North American Energy Reliability Corporation ( NERC ) on developing cybersecurity programs that identify, manage, and mitigate entity-specific risks. As is noted in the prior IRC comments on the Framework, the electricity subsector oversees significant critical infrastructure and, for that reason, has been at the forefront of addressing cybersecurity for years. ISOs/RTOs have a long history of developing and complying with reliability standards, including cybersecurity requirements. Given the collective experience of both ISOs/RTOs and the electricity subsector as a whole, the IRC previously encouraged NIST to establish an overarching framework that recognizes, accommodates and complements the extensive cybersecurity standards in use within this and other industry sectors. The IRC believes that the Framework has effectively recognized and responded to that concern by acknowledging that, while the Framework may represent a starting point for some in developing a cybersecurity program, for other industries it will complement, and does not replace, an organization s existing business or cybersecurity risk management process and cybersecurity program. To that end, as NIST moves toward finalizing the Framework, the IRC urges that the Framework maintain its current, flexible approach that can be further developed and enhanced, as appropriate, on an entity or sector level. The IRC, for instance, has successfully collaborated with the Department of Energy, its Sector Specific Agency, on initiatives like developing best practices for securing smart grid technologies, participating in federally-funded research projects to develop advanced cybersecurity technologies for the energy sector, and conducting training exercises for advanced -3-

techniques in computer network defense. These projects represent a successful sectorspecific approach to cybersecurity that NIST should encourage. The Framework, as presently drafted, avoids prescriptive, one-size-fits-all solutions to cybersecurity challenges. In this way, the Framework will permit and encourage risk-driven, industryappropriate cybersecurity that will best enable the efficient use of cybersecurity resources. The IRC urges NIST to maintain this approach as the Framework is finalized, implemented, and reviewed for later updates. In sum, the IRC believes that the Preliminary Framework provides a strong approach for effective cybersecurity, and for the electricity subsector an additional opportunity to, in the Framework s own words, use its current processes and leverage the Framework to identify opportunities to improve [ISO/RTO] management of cybersecurity. The IRC looks forward to additional opportunities to support the development and enactment of the Framework. Respectfully submitted, /s/ Nancy Saracino Nancy Saracino General Counsel Roger Collanton Deputy General Counsel Anna McKenna Assistant General Counsel, Regulatory California Independent System Operator Corporation 250 Outcropping Way Folsom, California 95630 amckenna@caiso.com /s/ Carl F. Patka Carl F. Patka Assistant General Counsel Christopher Sharp Compliance Attorney Raymond Stalter Director of Regulatory Affairs New York Independent System Operator, Inc. 10 Krey Blvd. Rensselaer, New York csharp@nyiso.com -4-

/s/ Matthew Morais /s/ Paul Suskie Matthew Morais Paul Suskie Assistant General Counsel Senior Vice President, Regulatory Policy Electric Reliability Council of and General Counsel Texas, Inc. Southwest Power Pool 2705 West Lake Drive 201 Worthen Drive Taylor, Texas 76574 Little Rock, Arkansas 72223-4936 mmorais@ercot.com (501) 688-2535 psuskie@spp.org /s/ Theodore J. Paradise /s/ Stephen G. Kozey Theodore J. Paradise Stephen G. Kozey Assistant General Counsel, Operations Vice President, General Counsel, and And Planning Secretary John Galloway Midcontinent Independent Manager, Cybersecurity System Operator, Inc. ISO New England Inc. P.O. Box 4202 One Sullivan Road Carmel, Indiana 46082-4202 Holyoke, Massachusetts 01040 skozey@midwestiso.org tparadise@ise-ne.com /s/ Craig Glazer Craig Glazer Vice President-Federal Government Policy PJM Interconnection, L.L.C. Suite 600 1200 G Street, N.W. Washington, D.C. 20005 202-423-4743 glazec@pjm.com -5-

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information