Critical Infrastructure Protection Committee (CIPC)
Hyatt Regency Louisville, Louisville, KY
March 8-9, 2016
2 RELIABILITY | ACCOUNTABILITY
Safety and Security
Hyatt Regency Louisville staff will provide guidance concerning fire and evacuation procedures for our safety.
CIPC Voting Members and Attendees
• Wireless access is available:
Network: PSAV_Event_Solutions Password: NERC0001
• Please sign and pass the Attendance Sheets
Securing Our Assets
• 16,000 Transmission Substations
• 7,098 Transmission Lines
• 1,057 GW of Generation
• 334 million customers
Antitrust Guidelines
I. General
It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment. Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another.
The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC’s antitrust compliance policy is implicated in any situation should consult NERC’s General Counsel immediately.
II. Prohibited Activities
Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):
• Discussions involving pricing information, especially margin (profit) and internal cost information and participants’ expectations as to their future prices or internal costs.
• Discussions of a participant’s marketing strategies.
• Discussions regarding how customers and geographical areas are to be divided among competitors.
• Discussions concerning the exclusion of competitors from markets.
• Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.
• Any other matters that do not clearly fall within these guidelines should be reviewed with NERC’s General Counsel before being discussed.
Membership Expectations
Our CIPC Charter Section 3 states the following –
Voting members of the CIPC are expected to:
1. Bring subject matter expertise to the CIPC
2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector
3. Attend and participate in all CIPC meetings
4. Express their own opinions at committee meetings but also represent the interests of their Regions
5. Discuss and debate interests rather than positions
6. Complete assigned Committee, Task Force, and Working Group assignments
7. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance
Conduct of the Meeting
Parliamentary Procedures: In the absence of specific provisions in NERC’s Rules of Procedure, all committee meetings shall be conducted in accordance with the most recent edition of Robert’s Rules of Order, Newly Revised, in all cases to which they are applicable.
Critical Infrastructure Protection Committee
Business Continuity Guideline TF (Darren Myers)
Executive Committee:
• Joe Garmon, FMPA
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC
Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)
Working Groups:
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control Systems Security WG (Mikhail Falkovich)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (VACANT)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)
CIPC Primary Voting Members
Org | Name | Company | Discipline
TRE | David Grubbs – Executive Committee | City of Garland | Operations
TRE | (vacant) | | Cyber
TRE | Darrell Klimitchek | STEC | Physical
FRCC | Paul McClay | TECO | Cyber
FRCC | Carter Manucy | Fla Municipal | Physical
FRCC | Joe Garmon – Executive Committee | Seminole | Operations
MRO | Marc Child, Chair | Great River Energy | Cyber
MRO | Paul Crist | Lincoln Electric System | Physical
MRO | (vacant) | | Operations
NPCC | John Galloway – Executive Committee | ISO-NE | Operations
NPCC | Greg Goodrich | NYISO | Cyber
NPCC | David Cadregari | Iberdrola USA Networks | Physical
RFC | Larry Bugh | ReliabilityFirst | Cyber
RFC | (vacant) | | Operations
RFC | Jeff Fuller | DPL | Physical
SERC | Chuck Abell – Executive Committee | Ameren | Operations
SERC | Cynthia Hill-Watson | TVA | Cyber
SERC | Bruce Martin | Duke Energy | Physical
SPP | John Breckenridge | KCPL | Physical
SPP | Allen Klassen | Westar | Operations
SPP | Eric Ervin | Westar | Cyber
WECC | Allan Wick | Tri-State G&T | Physical
WECC | Mike Mertz | PNM | Cyber
WECC | Lisa Carrington | Arizona Public Service | Operations
APPA | Scott Smith | Bryan, TX Utilities | Physical
APPA | Nathan Mitchell, Vice Chair | APPA | Policy
CEA | Francis Bradley | CEA | Physical
CEA | Ross Johnson – Executive Committee | Capital Power | Physical
CEA | David Dunn | IESO | Policy
NRECA | Robert Richhart | Hoosier | Policy
NRECA | David Revill, Vice Chair | Georgia Transmission | Policy
Proxies Received and Quorum
Thanks to all proxies attending today and serving as a proxy for your primary voting member! Proxies received for this meeting:
• FRCC – Rich Kinas representing Paul McClay
• MRO – Michael Kraft representing vacancy left by Joe Mayfield
• NPCC – John Helme representing Greg Goodrich
• NPCC – Yan Hugues Boily representing David Cadregari
• RF – Mikhail Falkovich representing vacancy left by Kent Kujala
• SERC – Guy Andrews representing Bruce Martin
• SPP – Robert H. McClanahan representing Allen Klassen
• TRE – Amelia Sawyer representing vacancy left by Jim Brenton
Proxies Received and Quorum
Announcement of CIPC Quorum of Voting Members:
• Based on the voting members in attendance, including the proxies received, we have achieved quorum for conducting CIPC business.
CIPC Roster Changes
New Voting Members
• None
Vacancies of Voting Members:
• MRO (Operations), vacancy due to departure of Joe Mayfield, WAPA
• RF (Operations), vacancy due to retirement of Kent Kujala, DTE Energy; Mikhail Falkovich, PSE&G, pending NERC Board approval
• TRE (Cyber), vacancy due to retirement of Jim Brenton, ERCOT
Thank you for your service to CIPC!
Chair’s Remarks by Marc Child
Welcome to Louisville
Paul W. Thompson, Chief Operating Officer
NERC CIPC Meeting, Louisville, Kentucky - March 8, 2016
Welcome to Louisville — LOO-a-vul
• Derby City/River City
• Gateway to the South
• Strategic Central US Location
• Key Transportation Hub — River, Highway, Air Cargo
An Active River-Trading Town
A Vibrant City . . . .
Home to Great Companies, People, Places
Company Overview
The Evolution of Our Company
PPL Overview
PPL Electric Utilities
• Customers: 1.4 million Electric
• Transmission & Distribution Utility
• Regulatory Entity: Pennsylvania PUC
LG&E and KU Energy
• Customers: 0.9 million Electric; 0.3 million Natural Gas
• Vertically Integrated Utility
• Regulated Capacity: 8.1 GW
• Regulatory Entities: Kentucky PSC, Virginia SCC
Western Power Distribution
• Customers: 7.8 million Electric
• Distribution Utility
• Regulatory Entity: Ofgem
Number of Customers: Over 10 Million
PPL Electric Utilities 1.4M
Western Power Distribution 7.8M
LG&E and KU 1.2M
LG&E and KU: Broadening the Portfolio
• 800 MW Supercritical Coal (2010)
• 640 MW Natural Gas Combined Cycle (2015)
• 10 MW Solar Array (2016)
Addressing Industry Challenges and the Importance of Physical and Cyber Security
Industry Challenges
• EPA regulations driving retirements of coal-fired base load
• Fleet migration toward gas-fired assets
• Increased regional presence of intermittent and distributed generation resources
• Outcome of the litigation on the Clean Power Plan
Physical and Cyber Security
• Changes the way “WE WORK”
— Physical Attacks
— Ted Koppel – “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath”
— Ukraine outage
— Drones
Good luck with your important meetings!
Enjoy your stay in LOO-a-vul
North American Electric Reliability Corporation Critical Infrastructure Protection Committee Meeting
March 8, 2016, Louisville, Kentucky
Resolution of Appreciation
WHEREAS, Mr. Robert Canada has professionally and skillfully served the needs of electric industry security as a NERC and Electricity Information Sharing and Analysis Center employee since October 2013, and has recently announced his retirement as of April 1, 2016; and
WHEREAS, He served as a voting member of the Critical Infrastructure Protection Committee during his tenure with Southern Company, rising to Vice Chair, and served on the SERC Critical Infrastructure Committee, and twice served as the Chairman of the Edison Electric Institute’s Security Committee; and
WHEREAS, His superb leadership has fostered significant and continuing progress on a broad range of physical security issues, drawing the absolute best technical and organizational focus from the committee members and stakeholders, not allowing less impactful issues to obscure his vision; and
WHEREAS, He continued to progress and enhance security through the targeted development and publication of security guidelines and initiatives that demonstrated the collective experience, expertise and judgment of the industry;
And Now, Therefore, be it
RESOLVED, That the members of the NERC Critical Infrastructure Protection Committee hereby express their sincere thanks, deep appreciation and gratitude to Mr. Canada, a respected colleague and distinguished electric industry security leader, and wish him the best in his future endeavors.
Be it Further
RESOLVED, That a copy of this resolution become part of the official permanent record of the NERC Critical Infrastructure Protection Committee Minutes.
E-ISAC Update
Marc Sachs, Senior VP & Chief Security Officer
Critical Infrastructure Planning Committee Meeting, March 8, 2016
Summary of Q4 2015
• Sharing and reporting
  o 129 typosquatting notifications
  o 184 E-ISAC staff posts to the portal
  o 47 member responses to the portal items
  o 46 additional posts to the portal from members
  o 70 calls to the E-ISAC hotline
• Products
  o Weekly reports every Monday afternoon
  o Monthly reports started in October 2015
  o Daily reports started in January 2016
• Events
  o GridSecCon
  o GridEx III
Summary of Q4 2015
• Staffing
  o Finished adding new staff
  o 21 in Washington office, one in Atlanta
• Facility
  o Renovations completed in summer 2015
  o New information technology equipment installation began in December
  o Completion of separation project expected by March 2016
• Member Executive Committee
  o Established in July 2015
  o Met by phone each month in fourth quarter
  o Two working groups actively working on strategic review recommendations
2016 Plans
• Technology
  o Major portal improvements, including new look/feel, chat, ability to manipulate data, and increased private collaboration space
  o New email server separate from NERC
  o Malware/device lab
• Personnel
  o Formal technical training program for individuals and teams
  o Full-time person on NCCIC floor
  o Industry augmentation on the Watch floor
• Facility
  o Redesign Watch floor
  o TSCM (bug) sweep
2016 Plans
• CRISP
  o Additional government analysis capability
  o New types of sensors and data collection
• Products
  o GridEx III Distributed Play lessons learned and Executive Tabletop recommendation reports
  o New daily one-page summary, and new annual report
• Events
  o Expand GridSecCon
  o Local/regional one-day physical and cyber security seminars
• Cross-sector and external partners
  o Vice-chair of US National Council of ISACs
  o International partners, such as CCIRC, CERT Australia, CERT UK, etc.
Ukraine Event December 23, 2015
• Power engineers at Ukraine’s Prykarpattyaoblenergo electric utility identified “failures in the robot” that provided control of the substation and power equipment.
• Over 225,000 customers throughout the region were without power for up to six hours.
• Once Prykarpattyaoblenergo discovered the effects of the malware, they shifted operations into manual mode to mitigate the outage.
• Investigation is ongoing.
Enhanced Background Investigation Screening
Travis Moran
Critical Infrastructure Planning Committee Meeting, March 8, 2016
ESCC Priority
November 16, 2015, from the Electricity Sub-Sector Coordinating Council (ESCC) Meeting Notes:
“Action Items and Summary of Conclusions
Enhanced Background Investigation Screening (EBIS) Working Group: Convene a working group that will determine methods for improving background investigations into personnel holding sensitive industry positions; including legal, human resources, and process issues. The Department of Energy (DOE) (Jim McGlone) and the Electricity Information Sharing and Analysis Center (E-ISAC) Bob Canada will co-lead facilitation of this working group. Owners: DOE, FBI, ESCC, and the E-ISAC. DHS participates.
Time Frame: The working group will be stood-up before the end of January 2016, and a representative of the group will provide a report at the next ESCC meeting.”
Current Background Investigations
Industry Concerns Regarding Hiring Processes
• What industry background investigations are and what they are not:
  o Not a true nationwide check
  o Not comprehensive
  o Not universally required
  o Differ from company to company
  o Often conducted by human resources contractors
  o Often no or infrequent updates (contractor changes complicate updates)
  o No updating if subsequent arrests in between investigation periods
What We Know
Through research and collaboration with FBI, DOE and NRC we know the following:
• There is currently no national background check system or requirement for private electric sector critical infrastructure workers – NRC and the financial sector have requirements.
• FDIC – 1000 Section §19 Prohibition For Unauthorized Participation by Convicted Individual: "Except with the written consent of the Corporation no person shall serve as a director, officer, or employee of an insured bank who has been convicted, or who is hereafter convicted of any criminal offense involving dishonesty or breach of trust.”
• SEC § 240.17f-2 Fingerprinting of securities industry personnel. (a) Exemptions for the fingerprinting requirement. Except as otherwise provided in paragraph (a)(1) or (a)(2) of this section, every member of a national securities exchange, broker, dealer, registered transfer agent and registered clearing agency shall require that each of its partners, directors, officers and employees be fingerprinted and shall submit, or cause to be submitted, the fingerprints of such persons to the Attorney General of the United States or its designee for identification and appropriate processing.
What We Know - Continued
1. FBI has criminal history repository via CJIS/NCIC
2. NRC has established procedures and requirements (10 CFR §73.57)
3. Fingerprints required for NRC applicants for unescorted access to FBI/CJIS
4. NRC licensee (entity) receives results and makes employment and access/denial decisions
5. NRC Backgrounds are authorized by legislation
6. Electric sector may require separate authorizing legislation
7. Legislation needs to be crafted by industry and tailored to industry’s needs
8. Will require a collaborative legislative effort (industry, FBI/CJIS, DoE)
Nuclear Sector vs. Electric Sector
Nuclear Sector Backgrounds
• Initial hire background completed by entity or 3rd party provider then referred to nuclear process.
• Non-Critical Workers (Outside Protected Area): Credit; fingerprints for criminal history; initial drug test. Non-protected area updates every 5 years.
• Critical Workers (inside Protected Area): Fingerprints for criminal history; drug test; psychological exam. Updated every 3 years.
Electricity Sector Backgrounds
• Often performed by Human Resources via private contractors
• Credit and single source (state & surrounding states criminal history if any)
• Not a true nationwide check
• Some have further vetting – most do not
FBI
Mission: To equip law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties.
History:
• Established in 1992 to serve as the focal point and central repository for criminal justice information services in the FBI.
• Largest division in the FBI.
• National Crime Information Center (NCIC)
• Uniform Crime Reporting (UCR)
• Integrated Automated Fingerprint Identification System (IAFIS)
• National Incident-Based Reporting System (NIBRS)
FBI Databases
National Crime Information Center (NCIC) Database
An electronic clearinghouse of criminal history/crime data that can be tapped into by virtually every criminal justice agency nationwide, 24 hours a day, 365 days a year.
Person (criminal history) and Property Files:
• Known or Appropriately Suspected Terrorist (KST)
• Sentinel
• Foreign Fugitive
• Violent Person
• National Sex Offender Registry
• Gang
• Wanted Person & Terrorist Wanted Persons
• Immigration Violator
• Missing Person
• Protection Order
• Unidentified Person
• Protective Interest
• Identity Theft
• Supervised Release
• National Instant Criminal Background Check System (NICS)
• Property: Consists of mostly entered stolen or suspected stolen property
Integrated Automated Fingerprint Identification System
What is included in IAFIS? Not only fingerprints:
• Corresponding criminal histories
• Mug shots
• Scars and tattoo photos
• Physical characteristics like height, weight, hair and eye color
• Aliases
• Linkage to Sentinel system
• Corresponding reciprocating countries
Integrated Automated Fingerprint Identification System
• Initial Application
• Recertification & Rap-Back Program
IAFIS & NextGen is maintained by the FBI’s Criminal Justice Information Services (CJIS) Division in Clarksburg, WV.
https://www.ncjrs.gov/pdffiles1/nij/225326.pdf
Breakout Groups
Operations: NERC, DOE, Dominion, CJIS, FBI, Exelon, Entergy, Southern Co.
Legal: NERC, DOE, Southern Co., NRC, Dominion, CJIS
Legislative/Policy: APPA, NERC, Southern Co., EEI, DHS, DOE, CJIS
Physical Security Program
Bob Canada, Associate Director, Physical Security and Analysis
Topics Covered
• Beyond Mandatory Reporting!
• Physical Security & Analysis Team Activities & Projects
  o Reporting
• Physical Security Advisory Group
  o Design Basis Threat (DBT)
  o Enhanced Background Investigation Screening
What is the Status of Physical Security for the BES?
Over 55,000 substations over 100 kV!
Beyond Mandatory Reporting for Information Sharing
Impacts of Weak Information Sharing
• Greater Risk to BES!
• Isolation of Informed Entities!
• Lack of Actionable Information!
• Redundancies of Information Gathering!
• Wasted Resources and Funding!
• Delay of Pre-Attack Prevention Opportunities!
• Potential loss of life and BES Reliability!
Sharing Partnerships
Can we agree?
• Dynamic sharing among members can mitigate the rise of threats to BES
• The Electricity Sector is at the forefront of vulnerabilities to U.S. economic stability
• Reporting critical and timely information can help protect the BES
• Strengthens existing partnership between private and public sector
• Question? Have you shared information with the E-ISAC?
E-ISAC Projects and Initiatives
PS Bulletins 2015
• June – Unmanned Aircraft Systems – Posted
• July – Incident Reporting Guide – Posted
• Aug – Suspicious Activity and Surveillance Detection – Posted
• Aug – Update to June bulletin on Unmanned Aircraft Systems – Posted
• Sept – Suspicious Activity and Surveillance Detection Activity Reporting – Posted
• Oct – Tabletop Exercise Template for Industry to use for Law Enforcement training – Posted
• Nov – Terrorism Trends Overseas – Posted
E-ISAC Projects and Initiatives
Design Basis Threat (DBT)
• Completed NERC Legal and External Communications reviews
• Received NERC CEO Gerry Cauley Review without changes
• Announcement & Web Portal Posting – This week!
Enhanced Background Investigation Screening
• Working Group breakout Meetings Jan 18th and Feb 18th
• Recommendations due by April 1st to ESCC Agenda
• ESCC Meeting on May 2nd
What are we seeing from your report sources?
Reports to E-ISAC
What’s getting reported?
Shooting Incidents
• 230kV insulators
• 115kV gang switch
• Control building
• 69/12kV transformer regulator
Break Ins
• Undisclosed facility type. Cut barbed wire, nothing stolen
• Substation, cut fences, grounds stolen
• Undisclosed facility type. Cut gate lock, tools stolen from pickup truck.
• Substation control house. Lock missing, copper stolen.
• Undisclosed facility type. Remote location, video confirmed there was unauthorized access.
What’s getting reported?
Suspicious Activity
• Photography of a substation
• Photography of a generating station (2 separate incidents)
• Photography of an LNG facility
• Threatening phone call
Reports from Entities
End of Year Report Stats:
Are you getting our Reports? If not, have you set your Notifications?
International Terrorism Trends
Being able to identify, detect, and respond to terrorism trends and tactics is a crucial piece of the Electricity Subsector security posture. To be able to provide asset owners and operators with a complete picture of current threat trends and tactics, the E-ISAC reviewed relevant international terrorism data and concluded that transmission and distribution towers overseas continue to be a significant attack vector for various governmental and political adversaries.
Overall, the analysis revealed that:
• 158 attacks occurred against electricity infrastructure internationally in 2014
• 80 percent of these attacks were against transmission towers or lines
• The remaining attacks were against power stations, or administrative buildings
• The primary tool of attack was explosives
Physical Security Advisory Group (PSAG)
PSAG Members
1. Ross Johnson, Capital Power
2. Allan Wick, Tri-State G & T
3. John Breckenridge, KCP&L
4. David Godfrey, Garland P&L
5. William Whitney III, Garland P&L
6. Jim McGlone, DoE Liaison
7. Bob Canada, Associate Director, Physical Security & Analysis – E-ISAC
8. Travis Moran, Sr. Security Specialist- E-ISAC
9. Max Spector, Security Specialist, E-ISAC
10. Brian Harrell (Navigant)
11. Dan Jenkins, Dominion
12. Ben Mayo, DHS (ES-Liaison)
13. John Large, FP&L (EEI Security Committee)
14. Mike Hagee, SERC
15. Michael Lynch, DTE
16. Bruce Martin, Duke
17. Jim Spracklen, PNNL
18. Norma Brown, Ameren
19. Barry Page, C4S2 Global
20. Louie Dabdoub, Entergy
21. Marc Sachs, Sr. VP and CSO, E-ISAC
PSAG Projects
1. Design Basis Threat (DBT)
2. Enhanced Background Investigation Screening
Design Basis Threat (DBT)
Another Tool for Industry Use!
PSAG Project #1
Project Progress
1. PSAG Initial meeting March 9-10 – Pushed as a top priority!
2. DBT Workshop Sept 1st-3rd
3. DBT final research completed with DoE Intelligence
  o Determine Explosive Amounts?
  o VBIED inclusion?
  o Type of Insider Threat?
4. DoE requested our DBT comparison completed
5. Final draft to be completed by PSAG this week
6. Received NERC CEO approval Feb 23rd
7. Publish on E-ISAC Portal for Members
What is a Design Basis Threat?
• The DBT is used to determine the level of appropriate and cost effective physical protection measures required to protect against malicious acts i.e. theft / sabotage
• It is based on conservative assumptions that establish the magnitude of adversary force that the site’s protective systems should be designed to defeat, expressed in terms of numbers of adversaries and their capabilities
• Answers the question: “What are we protecting against?”
• Development of potential adversary scenarios
• Analysis of physical protection system (PPS) to determine effectiveness
• Identifying vulnerabilities of the PPS
• Improving the system and prioritizing upgrades
• Assessing risk and the cost-benefit tradeoffs
The DBT uses a graded threat approach (protect pencils like pencils and gold like gold). This takes into account factors such as:
• Attractiveness & consequence of loss of the asset.
• Are there redundancies or ways to work around the loss?
• Assets are identified and then prioritized into Asset Protection Levels
• Reach consensus on realistic and credible threats against US power grid (consistent approach)
  o Critical HV transformers
  o Other critical nodes / infrastructure
Enhanced Background Investigation Screening
Project # 2
Project Progress
1. Born from Initial Discussions with PSAG Members, FBI and E-ISAC’s PSAT.
2. Nov 6th meeting (FBI, DHS, DoE, NRC, Dominion, Entergy, Kansas City Power & Light, and FP&L in attendance).
3. ESCC gave its approval to form a smaller group.
4. First meeting in January 2016. Charged to come back with recommendations and project planning strategy.
Possible Impact
1. FBI could conduct additional screening measures against additional terrorism databases
2. Incorporate the enhanced screening of new employees
3. Incorporate a refresher background every 3-5 years
4. Incorporating an Insider Threat Mitigation strategy across the industry.
5. Incorporating additional screening across other sectors (i.e. telecommunication, water & finance)
What Can YOU Do to Help the Security of the Industry?
It’s Your Job too!
1. Inform your company of the NERC Code of Conduct and secure its acceptance.
2. Move past corporate fear of regulatory avoidance strategies with regard to voluntary reporting.
3. Get beyond the mandatory reporting paradigm
4. Contribute to Bulk Power System situational awareness!
5. Understand that every little piece of intelligence helps!
6. Entrust partners to share their resources
[Figure: Resource Strengths; Knowledge of Threats; Best Information Sharing Practices]
Register a user account on the portal today at: https://www.eisac.com/register.aspx
General Contact: [email protected]
24-hour hotline: (404) 446-9780
Do your company’s Physical and Cyber SMEs have an E-ISAC Membership?
If Not, Why Not?
34 Years!
CIP Compliance Update
CIPC Update – Tobias Whitney, CIP Compliance Manager, March 2016
Topics
• Issues transferred to the CIP V5 Revisions Standard Drafting Team
• SDT Next Steps
  o Industry issues
  o FERC directives
• Oversight and Outreach
• Self-Certs
  o V5
  o CIP-014
• Next Steps and Q&A
NERC’s Coordinated Approach
[Diagram: Standards, Compliance, Coordination and Oversight; SDT, REs, NERC; “aware, informed and engaged”]
CIP V5 Transition Advisory Group (V5TAG)
• On November 22, 2013, FERC approved CIP V5
• In 2014, NERC initiated a program to help industry transition from CIP V3 standards to CIP V5
• The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP V5, as well as the expectations for compliance and enforcement
• CIP V5 Transition Program website: http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx
CIP V5 Transition Advisory Group (V5TAG)
• V5TAG’s Role & Composition
  o Regional Entity Participants
  o Registered Entity Participation
  o NERC and FERC
• Consensus building through collaboration
  o Over 40 CIP V5 related topics addressed
    - Lessons Learned
    - Frequently Asked Questions
    - 4 topics transferred to the SDT
CIP V5 Transition Advisory Group (V5TAG)
• Recognition that standards development was needed for some issues that could not be resolved through compliance guidance
• Enhanced coordination with compliance and enforcement for topics being addressed via standards development
  o Facts and specific circumstances will dictate if violations will be identified to address areas of noncompliance for the related topics
  o Regional Entities will use Areas of Concerns and Recommendations to help identify risks associated with specific implementations
  o Feedback from industry will be used to help guide standard development activities
Cyber Asset and BES Cyber Asset Definitions
• The SDT should consider the definition of Cyber Asset and clarify the intent of “programmable”
• The SDT should consider clarifying and focusing the definition of “BES Cyber Asset” including:
  o Focusing the definition so that it does not subsume all other cyber asset types
  o Considering if there is a lower bound to the term ‘adverse’ in “adverse impact”
  o Clarify the double impact criteria (cyber asset affects a facility and that facility affects the reliable operation of the BES) such that “N-1 contingency” is not a valid methodology that can eliminate an entire site and all of its Cyber Assets from scope
Network and Externally Accessible Devices
• The SDT should consider the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA) including:
  o Clarify the 4.2.3.2 exemption phrase “between discrete Electronic Security Perimeters.” When there is not an ESP at the location, consider clarity that the communication equipment considered out of scope is the same communication equipment that would be considered out of scope if it were between two ESPs
  o The word ‘associated’ in the ERC definition is unclear in that it alludes to some form of relationship but does not define the relationship between the items. Striking ‘associated’ and defining the intended relationship would provide much needed clarity
Network and Externally Accessible Devices (cont.)
• The SDT should consider the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA) including:
  o Review of the applicability of ERC including the concept of the term “directly” used in the phrase “cannot be directly accessed through External Routable Connectivity” within the Applicability section. As well, consider the interplay between IRA and ERC
  o Clarify the IRA definition to address the placement of the phrase “using a routable protocol” in the definition and clarity with respect to Dial-up Connectivity
  o Address the Guidelines and Technical Basis sentence, “If dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies.”
Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
• CIP-002-5.1, Attachment 1 Control Center criteria for additional clarity and for possible revisions related to TOs’ Control Centers performing the functional obligations of a TOP, in particular for small or lower-risk entities
• Clarify the applicability of requirements on a TO Control Center that performs the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES
• The definition of Control Center
• The language scope of “perform the functional obligations of” throughout the Attachment 1 criteria
Virtualization
• CIP V5 standards do not specifically address virtualization
• The SDT should consider revisions to CIP-005 and the definitions of Cyber Asset and Electronic Access Point that make clear the permitted architecture and address the security risks of network, server and storage virtualization technologies
[Diagram: FERC Order No. 822 and New Directives at the center, linked to Standards (Standards Revisions, Supply Chain, Oversight and Consistency, NERC Coordination Outreach, Related Parts) and Compliance (FERC-led Audits, V5, ERO Monitoring, CIP-014)]
FERC Order No. 822
• Approved revisions to seven CIP Reliability Standards
• Directed NERC to develop modifications to address:
– Transient electronic devices
– Communication network components between control centers
– Low-impact external routable connectivity
– The effectiveness of remote access controls
• Does not address supply chain management
Self-Cert (V5 and CIP-014)
• Looking for quantities of assets (not cyber assets)
• Information will support effective scoping of compliance monitoring
• Do not provide specific location of related sensitive information
• Use comment fields to provide additional clarity when needed
• CIP-014 Self-Certs are due on May 2nd
• V5 Self-Certs are due on July 15th
© 2016 Electric Power Research Institute, Inc. All rights reserved.
Cyber Security Program Overview
March 7, 2016
Jason Christopher, Sr. Technical Leader
Cyber Security Research Lab
• Evaluate security architectures
• Develop new situational awareness capabilities
• Test identity and access management technologies
• Improve threat management and incident response
Cyber Security Technology (P183B)
• Protective Measures Technology
– Security & System Monitoring with IEC 62351-7
– DNP3 Secure Authentication v5
• Threat Management Technology
– Integrated Threat Analysis Framework
– IDS/IPS for Power Delivery Systems
Information Assurance (P183D)
• Security Architecture Methodology
• Cyber Security Metric Methodology
• Cyber Security Compliance Tools and Techniques
P183D – Risk Management Guidance
Security Metrics Methodology
• Strategic
– Corporate risk and business alignment
– “One number,” heat map, infographic, etc.
• Tactical
– Programmatic health and progress
– Scorecards and audits
• Operational
– Real-time, day-to-day measurements
– Logs, rules, signatures, etc.
Together…Shaping the Future of Electricity
Legislative Update
Critical Infrastructure Protection Committee
March 8, 2016
Nathan Mitchell, American Public Power Association
Fixing America's Surface Transportation (FAST) Act 2015
• Provides the Secretary of Energy with the authority to address grid security emergencies
• DOE should develop a plan to establish a Strategic Transformer Reserve
• The plan should address impacts from: physical attack; cyber-attack; electromagnetic pulse attack; geomagnetic disturbances; severe weather; or seismic events.
• The plan must also include cost estimates and funding options.
Cyber Information Sharing Act 2015
• DHS must certify that the automated indicator sharing (“AIS”) program is in place and running by March 17
• Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
• Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Privacy and Civil Liberties Interim Guidelines
Energy Policy Act Revisited
• Stalled out last month due to the Flint, Michigan water disagreement
• Restarted this week with moderate possibility for movement and possible approval this Congress.
• More to come
Electricity Sector Coordinating Council (ESCC)
Critical Infrastructure Protection Committee
March 8, 2015
Nathan Mitchell, American Public Power Association
ESCC
ESCC Strategic Committees and SEWG Sub-Team Updates
ESCC Leadership & Secretariat
• Ukraine: DHS and E-ISAC worked together to analyze the outage and provide mitigation strategy for the industry.
• ESCC was called in to provide unity of message across the industry. Raise this to the CEO level and make sure the electricity industry takes notice and takes action.
• In response to Ukraine, DHS NPPD has taken the initiative of drafting a “unity of message” document that highlights industry-government grid security efforts to inform media interviews, speaking engagements, and other public statements.
Government-Industry Coordination Committee
• Cyber Mutual Assistance: New working group formed
• Playbook Working Group: Update after GridEx III report
• Clear Path IV Exercise: April exercise in Portland informs the Cascadia Rising exercise in June
• Supply Chain Security: Energy Sector and Critical Manufacturers Working Group (ESCMWG), a joint partnership between the energy sector and the critical manufacturing sector.
• Enhanced Background Investigation Services Working Group: Policy paper to the ESCC by May
• DOE Transformer Reserve proposal analysis
Threat Information Sharing & Processes Committee
• E-ISAC Member Executive Committee: On March 17, the MEC will hold its next in-person meeting to discuss key findings of E-ISAC products, services, and tools reviews, and outline ways for the E-ISAC to continue improving its value to members
Leveraging Infrastructure / Research & Development Committee:
• Electromagnetic Pulse (EMP) Taskforce: The taskforce will develop or build upon existing efforts in the public and private sector to better understand the threat and existing mitigation strategies, identify additional measures that can be developed, tested, and deployed to address the EMP threat, and inform EMP messages to external stakeholders.
Confirmed Calendar of Events / Conference Calls
• SEWG Monthly Call: Monday, March 28, at 2-3pm EST.
• Enhanced Background Investigation Screening (EBIS) Working Group: Morning of Thursday, March 17. (NERC DC offices)
• E-ISAC Member Executive Committee: Afternoon of Thursday, March 17. (NERC DC offices)
• Cybersecurity Mutual Assistance Task Force: Webinars (March 1, 7 & 23). In person in Denver, CO from April 4-5.
• ESCC Plus 1 Meeting: Monday, April 11 from 9:30am-3:00pm. (EEI - DC)
• ESCC Playbook Working Group Meeting: Tuesday, April 12 from 9am-1pm. (EEI - DC)
• Clear Path IV and Cascadia Rising Exercises: Portland, OR on April 19-20.
• Cascadia Rising exercise scheduled for June 7-10 in the Pacific Northwest.
GridEx III Update
Tim Conway, GEWG Chair
NERC CIPC
Louisville, Kentucky
March 8, 2016
Agenda
• Distributed Play and Executive Tabletop
– Participation
– Objectives
– Observations
– Recommendations
Distributed Play Participation
[Diagram: GridEx III Exercise Control (ExCon: NERC staff, GEWG, Booz Allen, Nat’l Labs, SMEs for Sim-cell, etc.) coordinating with Bulk-Power System Entities (Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc.); Coordinated Operations and Vendor Support (IT, ICS, ISP, Anti-virus); Local and State/Provincial Government (Emergency Management Organizations; Emergency Operations Centers / Fusion Centers; Local FBI, PSAs); Trade Associations; the E-ISAC (Electricity Information Sharing & Analysis Center); the NERC Crisis Action Team and NERC Bulk Power System Awareness (BPSA); Regional Entities; DOE (Department of Energy); DHS NCCIC (ICS-CERT, US-CERT); Other Federal Agencies (US: FBI, FERC, DOD; Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC); Executive Coordination through the Electricity Sub-sector Coordinating Council (ESCC), the Energy GCC and Other SCCs; and Other Critical Infrastructures (Telecommunications, Oil & Gas, others), with Communications links between groups]
Objectives Achieved?
• Exercise crisis response and recovery
– 133 organizations and 800+ individuals more than GridEx II
– More CEH hours for system operators and others
– Increase in exercise response ‘Well and Very Well’: Cyber (84%), physical (92%), and operational response (98%)
• Improve communications
– ‘Very Well’ increased by at least 14% in all areas
– Opportunity to increase involvement of other critical infrastructure sectors for GridEx IV
• Identify lessons learned
– Opportunity for improvement: about 22% of active organizations shared lessons learned with NERC
• Engage senior leadership
– Many organizations involved their senior management and crisis teams
– Executive tabletop
Observations and Recommendations
1. Coordinated response and communication
– Enhance internal communications procedures documentation
– For future exercises, test alternate communications facilities
2. Reporting mechanisms (OE-417, EOP-004, CIP-008, etc.)
– Improve reporting efficiency and effectiveness, eliminate redundancies
3. Active participation of system operators
– For future exercises, continue to encourage the active participation of Reliability Coordinators with entities in their area
– For future exercises, continue to encourage integration of cyber and physical security impacts with power system operation
Observations and Recommendations (cont.)
4. E-ISAC information sharing
– Continue to enhance E-ISAC portal (e.g., easier user search for urgent and important information)
– Continue to develop Watch Operations Team capabilities
– Design next GridEx to include a more credible, limited-scope scenario to demonstrate E-ISAC analysis capability
– Design next GridEx to include a more realistic ‘Move 0’ scenario to simulate emerging threat, detection, and analysis
5. Introduction of new exercise tools
– Improve scenario inject distribution mechanism
– Improve volume/capacity and test well in advance of next exercise
– Include notification feature to alert users of new postings to social media tool
Observations and Recommendations (cont.)
6. Advance exercise planning timelines
– Begin planning earlier (e.g., September for an exercise in November the following year)
– Continue to encourage participants to customize scenario to meet local objectives, consistent with baseline scenario and Reliability Coordinator involvement
– Develop player training material earlier for lead planners to deliver to their own players (not NERC)
7. After action survey and lessons learned
– Use similar after action survey questions for next GridEx
– Determine and address reasons for apparent reluctance of participants to share lessons learned with NERC
Executive Tabletop Participants
• Participants
– Facilitated by a member of the President’s National Infrastructure Advisory Council
– 17 NERC and utility senior executives
– 15 senior government officials (from the White House, DOE, DHS, FEMA, DOD, NSA, FBI, National Guard)
• Observers
– About 70 individuals from participating organizations observed and provided feedback
Executive Tabletop Recommendations
• Three discussion themes in the context of a severe electricity emergency
– Unity of messaging: how the industry and government receive and share information with each other and the public (7 recommendations)
– Unity of effort: how the industry and government could improve coordination and sharing of resources (6 recommendations)
– Extraordinary measures: how the industry and government could consider regulatory and legislative needs to support timely recovery (10 recommendations)
• Executive Tabletop report by March 2016
A Long-Term View
Tentative Timeline (GridEx IV: November 15-16)
• Working Group (CIPC Meeting, March 2016)
– Establish Working Group Members
– Establish Mail list
• Kick-Off (C&O Meeting, June 2016 CIPC)
– Confirm goals & objectives
– Finalize timeline
– Discuss outreach goals/plan
• Initial Planning Phase (IPC, September 2016 CIPC)
– GridEx Awareness
– Initiate outreach
– Shape scenario themes
– Confirm exercise mechanics
• Mid-term Planning Phase (MPC, March 2017 CIPC)
– Craft scenario narrative
– Develop materials
– Confirm participation
• Final Planning Phase (FPC, June 2017 CIPC)
– Finalize MSEL
– Conduct training
– Distribute player materials
– Set up venue and logistics
• Conduct (Execute GridEx IV, November 15-16)
– Oversee distributed play
– Facilitate senior TTX
– Capture player actions and findings
• After Action (Deliver AAR, Q1 2018)
– Analyze findings and lessons learned
– Draft After Action Report and Briefing
Planner logistics and planning: 3-4 months
Nomination Form
Self-Nomination and Recommendation Form: CIPC Subgroup (TF or WG) Member
Name of the Subgroup: Grid Exercise IV Working Group
Information about you, serving as reference (Please skip this section and go to #7 if you are self-nominating)
1. Name: Your first and last name.
2. E-mail Address: Your email address.
3. Phone Number: Your phone number.
4. Employer: Who you work for or represent.
5. OC/PC/CIPC Member: Are you an OC, PC or CIPC member? __ Yes __ No
6. NERC Membership sector, if applicable: If your employer is a NERC member, select their NERC membership sector. If not, select “Not a NERC member.”
Information about you for self-nomination or the person you are recommending
7. Name: Nominee’s name.
8. E-mail Address: Nominee’s e-mail address.
9. Title: Nominee’s business title.
10. Employer: Who the nominee works for or represents.
11. Mailing Address: Nominee’s business address.
12. Phone: Nominee’s business phone number.
13. GEWG Alumni: Did you participate in the GridEx Working Group for GridEx II or GridEx III? __ Yes __ No
14. GridEx Alumni: Were you a player / planner in the GridEx I, GridEx II, or GridEx III exercises? __ Yes __ No
15. OC/PC/CIPC Member: Is the nominee an OC, PC or CIPC member? __ Yes __ No
16. Willingness to Serve: The nominee is willing to:
a. Bring subject matter expertise to the subgroup.
b. Attend and participate in all subgroup meetings.
c. Express their opinions as well as the opinions of the sector/subgroup meetings.
d. Discuss and debate interests rather than positions.
e. Complete subgroup assignments.
__ Yes
17. Job Description: Explanation of the nominee’s responsibilities and technical qualifications in sufficient detail.
18. Reason for joining the subgroup: Explanation of why the nominee wants to join the subgroup.
19. Additional Information: Additional information about the nominee that would help the committee chair(s) decide to appoint this person.
20. GridEx IV Specific Information: Participation level you anticipate your organization will have in GridEx III (None, Monitor / observer, Full Player)
How to Submit this Form: E-mail this form as an attachment to the following:
E-mail to: Tim Conway – Chair ([email protected])
Copy to: Bill Lawrence ([email protected]), Joe Garmon ([email protected])
Business Continuity Guideline Task Force (BCGTF) Update
Assignment
• Guided by the recommendations from the GridEx II Distributed Play Report
• Tasked to estimate surge staffing requirements in the event of a nationwide crisis, considering sources of support in a resource-constrained environment
Analysis
• Determining thresholds for surge resources is a plan-level detail
• The context of the existing guideline is intended as a framework for identifying steps associated with developing operational continuity plans
Proposed update
Severe events have the potential to interrupt the reliable supply of electricity and cause consequential public safety and national security implications. Utilities should consider surge resource requirements prior to a crisis and consider potential sources of support in a resource-constrained environment.
Recommendations from CIPC on next steps?
Business Continuity Guideline Task Force (BCGTF) Team Members
Thanks to:
• Jim Brenton – ERCOT (Sponsor)
• Darren Myers – Duke Energy (Chair)
• Laura Brown – NERC
• Mike Elrod – Oglethorpe Power
• Dave Francis – MISO Energy
• Carter Manucy – Florida Municipal Power Association
• Trey Melcher – E.ON Climate & Renewables
• Anil Mistry – ERCOT
• David Norton – FERC
• Laura Ritter – Exelon
Physical Security WG
Ross Johnson, CPP
Activities
• Design Basis Threat
• Security Management Guideline for the Electricity Sector
Design Basis Threat
A DBT is a comprehensive description of the motivation, intentions and capabilities of potential adversaries against which protection systems are designed and evaluated. Such definitions permit security planning on the basis of risk management. A DBT is derived from credible intelligence information and other data concerning threats, but is not intended to be a statement about actual, prevailing threats.
Security Management Guideline for the Electricity Sector
• Writing has commenced
• The writing team has been recruited from the membership of the PSRG
• The product is one that has been recognized by the PSAG as needed by industry, and will eventually be released through the E-ISAC
• Three sections left to populate, then detailed review will commence
• We are at 35 pages so far
Security Management Guideline for the Electricity Sector (Continued)
Sections include:
• Introduction
• Definitions
• External References
• Security Management Program
• Security Risk Management
• Design Basis Threat
• Physical Security
• Information Security
Security Management Guideline for the Electricity Sector (Continued)
Sections include (continued):
• Industrial Control Systems Security
• Security Information Sharing and Communications
• Security Incident Investigation
• Training and Awareness
• Regulatory Compliance
• Change Management
• Continuous Improvement
Questions?
Threat & Incident Reporting Guideline (TF) Update - March 2016
John Breckenridge, CPP
How we fit in!
CIP Committee Structure
[Organization chart: CIPC Executive Committee over four subcommittees: Physical Security Subcommittee (David Grubbs), Cyber Security Subcommittee (Mark Child), Operating Security Subcommittee (Carl Eng), and Policy Subcommittee (Nathan Mitchell). Task forces and working groups shown: Protecting Sensitive Information TF; Physical Security Event Analysis WG (Joint w/ OC & PC); Physical Security Training WG; Control System Security WG; Cyber Security Analysis WG (Joint w/ OC & PC); Cyber Security Training WG; Information Sharing TF; HILF Implementation TF; Grid Exercise WG; Cyber Attack Tree TF; BES Security Metrics WG; Personnel Security Clearance TF; Compliance & Enforcement WG; Physical Security Guideline TF]
Threat & Incident Reporting Guideline TF
Activity Highlights
• Changes made reference to E-ISAC
• Input from Orlando Stephenson (some quick fixes to update links)
• Sam Chanoski participating w/ comments
• Team/Task Force formed: Lisa Carrington, APS, currently assisting with review and revision
• Conference calls/e-mails to team (last call was Mar. 3rd). Plan to have finished product (TBD)
• Ensure no conflicts w/ other reporting requirements (OE-417, RCIS, etc.)
• Any comments or willingness to participate: contact Randy Duncan / [email protected]
BES Security Metrics WG
CIPC Progress Report
Nathan Mitchell, Interim Chair
March 8-9, 2016
[Organization chart: CIPC structure]
Executive Committee: Joe Garmon, FMPA; Marc Child, Chair, Great River Energy; Melanie Seader, EEI; David Grubbs, City of Garland; Nathan Mitchell, Vice Chair, APPA; Jack Cashin, EPSA; Ross Johnson, CEA; David Revill, Vice Chair, NRECA; Chuck Abell, Ameren; John Galloway, ISO-NE; Sam Chanoski, Secretary, NERC
Subcommittees: Physical Security Subcommittee (David Grubbs); Cybersecurity Subcommittee (David Revill); Operating Security Subcommittee (Joe Garmon); Policy Subcommittee (John Galloway)
Task forces and working groups: Business Continuity Guideline TF (Darren Myers); Physical Security WG (Ross Johnson); Security Training WG (William Whitney); Control Systems Security WG (Mikhail Falkovich); Grid Exercise WG (Tim Conway); BES Security Metrics WG (Larry Bugh); Physical Security Standard WG (Allan Wick); Compliance and Enforcement Input WG (Paul Crist); Physical Security Guidelines WG (John Breckenridge)
Security Metrics Development Roadmap, 2015 and Beyond
[Roadmap diagram with a “We are here” marker at the current point on the timeline]
BESSMWG Activities
Activities Since December 2015
• Met immediately following the December CIPC meeting to discuss path forward
• Nathan Mitchell Interim Chair
• February 26-27 face-to-face meeting in Washington DC
– Reviewed the E-ISAC’s 2015 raw data results
– Began to develop content for the Security Performance Metrics chapter for the NERC 2016 State of Reliability report
• Drafted the Security Performance Metrics chapter and forwarded the document to CIPC for review and feedback
Security Metrics in 2016 State of Reliability Report
Drafted chapter for the NERC State of Reliability 2016 report that:
• Provides an update on the 2014 results that appeared in the State of Reliability report for the first time
• Provides a high-level description for each metric (includes two refinements based on enhanced E-ISAC reporting processes)
• Includes validated E-ISAC data for 2014 and 2015 (note that the 2015 report indicated that 2014 data was “preliminary”)
• Discusses apparent trends and rationale
2014-2015 Data
Table 1: Reportable Cyber Security Incidents
Metric                                                          2014   2015 Q1   Q2   Q3   Q4
Total number of Reportable Cyber Security Incidents                3         0    0    0    0
Total number of Reportable Cyber Security Incidents resulting
in loss of Load                                                    0         0    0    0    0
• Zero reportable cyber security incidents
• However, the risk of a cyber security incident increases as cyber security vulnerabilities increase
2014-2015 Data
Table 2: Reportable Physical Security Events
Metric                                                       2014   2015 Q1   Q2   Q3   Q4   Total
Total number of reportable events as a result of physical
security threats to a Facility or BES control center
without physical damage or destruction                         47        11   15   21   29      76
Total number of reportable events that cause physical
damage or destruction to a Facility                             9         5    5    2    5      17
Total number of reportable events as a result of physical
security threats to a Facility or BES control center, or
cause physical damage or destruction to a Facility, that
result in a loss of Load                                        0         1    0    0    0       1
• Although a near-zero result, the number of reportable events has increased by about 50%
• E-ISAC reporting indicates that distribution level (i.e., non-BES equipment) events are more frequent than those affecting BES equipment.
2014-2015 Data
Table 3: E-ISAC Membership
Metric                                              2014 Q1     Q2     Q3     Q4   2015 Q1     Q2     Q3     Q4
Total number of electricity sector organizations
registered as members of the E-ISAC                     496    557    578    827       840    848    868    898
Total number of individuals in E-ISAC member
organizations who have E-ISAC accounts                1,514  1,844  2,010  2,770     2,797  2,949  3,292  3,834
• Increasing E-ISAC membership should increase awareness of security threats and vulnerabilities
• All Reliability Coordinators (RCs) and 85% of Balancing Authorities (BAs) had an active account
• Plateauing of registrations suggests the need to conduct additional outreach.
• Active organizations are increasing the number of individuals with access to the E-ISAC portal
2014-2015 Data
Table 4: Industry-Sourced Information Sharing
Metric                                                 2014 Q1  Q2  Q3  Q4  Total   2015 Q1  Q2  Q3  Q4  Total
Total number of E-ISAC Cyber Bulletins based on
information provided by the electricity sector.             18  26  22  14     80        28  87  69  34    218
Total number of E-ISAC Physical Bulletins based on
information provided by the electricity sector.
53
• The E-ISAC received almost three times as many reports in 2015 compared with 2014
• More organizations are aware of the value in sharing information with the E-ISAC.
2014-2015 Data
Table 5: Global Cyber Vulnerabilities
Metric                                               2014 Q1   Q2   Q3   Q4   Total   2015 Q1   Q2   Q3   Q4   Total
Number of global cyber vulnerabilities considered
to be high severity                                      446  499  418  557   1,920       535  463  698  672   2,368
Number of global cyber security incidents                                    18,456                           25,469
• Global cyber security vulnerabilities increased (23%)
• Global cyber security incidents increased (38%)
• Indicates that vulnerabilities are increasingly being successfully exploited
• BESSMWG has selected the PWC Global State of Information Security report for global cyber security incidents because it has consistently reported the number of incidents since at least 2013.
Next Steps
• Consider any CIPC feedback from today
• Coordinate with the Performance Analysis Subcommittee to include the chapter in the NERC State of Reliability 2016 report
– NERC Board approval May 2016
• Appoint a new BESSMWG Chair
• BESSMWG “Phase 2” Work
– Continue to refine and build on the 5 approved metrics
– Develop detailed definitions for additional metrics discussed in 2015
The Ask
The BESSMWG requests that CIPC:
• Accept the Security Performance Metrics chapter for inclusion into the NERC State of Reliability 2016 report
Leadership Change
• Former Chair: Rolland Miller – First Energy
• Interim Chair: Nathan Mitchell – APPA
• New Chair: Larry Bugh, Chief Security Officer / Director, Threats & Vulnerabilities, Reliability First
Office of Electricity Delivery and Energy Reliability
Jim McGlone
Senior Engineer, Infrastructure Security & Energy Restoration
Office of Electricity Delivery and Energy Reliability, U.S. Department of Energy
Email: [email protected]
Office: 202-586-1287
Cell: 240-252-0337
Office of Electricity Delivery and Energy Reliability (OE)
Department of Energy (DOE)