Critical Infrastructure Protection Committee Draft Minutes March 4-5, 2014 Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO 63102 The Critical Infrastructure Protection Committee (CIPC) Chair Chuck Abell called the meeting to order and being duly noticed, the regular meeting of CIPC on March 4, 2014 began at 1:00 p.m. (CST). Mr. Bob Canada, CIPC Secretary declared a quorum to conduct business with 33 members present. The meeting announcement, agenda, and a list of attendees are attached as Exhibits A, B, and C respectively. Note: Slides presentations from this meeting are available at: Meeting Presentations Secretary Canada announced a quorum achieved with 33 of the 33 members present which includes the following proxies:

1. CEA – Mr. Ron Gentle proxy for Mr. David Dunn

2. MRO – Mr. Joe Mayfield, WAPA filling the vacancy as an Alternate until NERC Board approval

3. FRCC – Mr. Carlos Maldonado proxy for Mr. Paul McClay

4. NPCC – Mr. John Helme proxy for NPCC

5. SERC – Ms. Cynthia Hill-Watson proxy for Mr. Tommy Clark

6. SERC – Mr. Ed Goff, Duke filling the vacancy as an Alternate until NERC Board approval

7. WECC – Mr. Jon Aust proxy for Mr. James Sample

Opening Remarks from Ms. Maureen Borkowski, Ameren President and CEO

Meeting Safety Briefing – Hyatt Regency at the Arch

The security and safety staff briefed CIPC and attendees on safety and emergency evacuations procedures to include rally points outside the hotel. NERC Antitrust Compliance Guidelines

Secretary Canada called attention to the NERC Antitrust Compliance Guidelines distributed with the agenda and read the statement concerning publicly announced meetings.

Introductions of Members, Proxies, Alternates, Associates, and Others

Chair Abell called for introductions of CIPC members and other attendees and also requested all present to sign the meeting attendance sheets being passed around the room. Consent Agenda Upon motion by Chair Abell to approve the Consent Agenda including the posted CIPC Agenda for the December 10-11, 2013 meeting. The Consent Agenda was approved by CIPC without any corrections edits or modifications. CIPC Chair’s Report

Mr. Abell provided CIPC with a report, covering CIPC’s past, present, and future actions. Mr. Abell placed special emphasis upon the reports made on behalf of CIPC to the NERC Board of Trustees and the Electricity Sub-sector Coordinating Council (ESCC) meeting. (Presentation 1) Nomination Subcommittee Report

Chair Robert McClanahan presented the recommendation of Mr. David Revill, Georgia Transmission for the Operations Security Subject Matter Expert (SME) replacing Carl Eng, Dominion on the CIPC Executive Committee. Upon motion by Mr. David Grubbs was made to close the nomination process and approve Mr. Revill by acclamation. CIPC voted unanimously to approve the motion. (Presentation 2) Critical Infrastructure Protection Director’s Remarks

Mr. Matt Blizard, Director of Critical Infrastructure Protection briefed CIPC on the following topics: GridEx II, GridSecCon, Critical Infrastructure Protection Transition Guidance, and the Transition Implementation Study. (Presentations 3) Cybersecurity Executive Order and Presidential Policy Directive Update

Ms. Laura Brown, NERC staff briefed CIPC on the progress of the National Infrastructure Protection Plan (NIPP). Ms. Brown also briefed on the Presidential Policy Directive-21. DHS rolled out the new NIPP and established a new working group, the NIPP Implementation Working Group. This working group will:

Set joint national priorities to facilitate joint planning

Establish a process to annually validate priorities

Develop guidance on updating the Sector-Specific Plans (SSP)

Work to update the SSPs will begin around summertime

Department of Homeland Security (DHS) will stand up a separate working group in early-March (kickoff meeting TBD) focused on developing guidance for the SSPs

The SSP guidance developed by that working group will be incorporated into the overall NIPP implementation guidance

The National Institute of Standards and Technology released the Cybersecurity Framework in February. The framework overlaps considerably with both NERC CIP standards and the Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2). DHS began initial implementation activities in November by establishing the Voluntary Program Development Working Group, now called the Critical Infrastructure Cyber Community Voluntary Program, or the C Cubed Voluntary Program. (Presentation 4) Electricity Sector Information Sharing and Analysis Center (ES-ISAC) Update

Mr. Matt Light, ES-ISAC briefed CIPC on the ES-ISAC portal support, information sharing, and various other ongoing activities including new personnel, operations, SANS event dates, DHS/DOE physical security campaign, Cyber Risk Preparedness Assessment (CRPAs) status, and Cybersecurity Risk Information Sharing Program (CRISP). (Presentation 5) Legislative Update

Mr. Nathan Mitchell, American Public Power Association briefed CIPC on current legislation pending or contemplated as well as the impact upon the industry through the U.S. House and Senate. (Presentation 6) Critical Infrastructure Protection (CIP) Transition Program Update

Mr. Tobias Whitney, NERC staff briefed CIPC on the purpose of the Transition Program, program elements, study approach, scope of study, key themes, and lessons-learned. He also briefed on the purpose and goals of the Reliability Assurance Initiative (RAI) program, and year-end progress report. Also covered was the V3–V5 compatibility and a CIP Version 5 Revisions and RAI Timeline. (Presentation 7) Version 5 Revisions Drafting Team Activities

Mr. Ryan Stewart and Ms. Marisa Hecht briefed on the Standards (SDT) kickoff, subgroup structure, key messages, and the project schedule. (Presentation 8) Sufficiency Review Program (SRP)

Mr. Scott Mix, NERC staff briefed CIPC on the 2013 SRP overview, program status, preliminary lessons-learned, best practices, and other observations. (Presentation 9) Reliability Issues Steering Committee (RISC) Update and the Reliability Risk Control Process

Mr. Jim Brenton briefed CIPC on the RISC status and progress to include a process overview, suggested RISC and Committee timeline for 2014, electricity reliability organization (ERO) top priority risks 2014-2017 and alignment with RISC priorities. (Presentation 10)

Operating Security Subcommittee – Chair Jim Brenton (No presentation) Electricity Sector Information Sharing Task Force (ESISTF) Chair Stephen Diebold briefed CIPC on the ESISTF status of work completed. The presentation briefed on the progress and accomplishments under the charter for the task forces. The EISTF prepared an outreach campaign presentation to promote the use of the ES-ISAC as the central hub of information sharing by the industry and government partners. (Presentation 11)

Grid Exercise Working Group (GEWG) Mr. Bill Lawrence, NERC staff briefed CIPC on behalf of Chair Tim Conway, on the success of the exercise, the number of entities participating and his personal observations. He also advised the CIPC that the CIPC Executive Committee convened and were mapping the recommendations for CIPC tasking of existing or new task forces and working groups for continued work. (Presentation 12)

Policy Subcommittee – Chair Nathan Mitchell (No Presentation) Personnel Security Clearance Task Force (PSCTF) Chair Nathan Mitchell mentioned that the report was approved by CIPC on June 11, 2013, accepted by the ESCC on July 11, 2013, and accepted by the NERC Board of Trustees on August 15, 2013. The PSCTF is awaiting for ES-ISAC’s collaboration to process and track industry clearance applications. He briefed on next steps including ESCC coordinating with DHS to develop a series of playbooks on who should apply for clearances, expectations of holders and a process for prioritizing, and monitoring nominations. (Presentation 13) Bulk Electric System Security Metrics Working Group (BESSMWG) Mr. Matt Light, NERC staff support to the working group briefed on behalf of Chair James Sample, on the ongoing progress to include the ES-ISAC activities, workshop held with Reliability Assessments and Performance Analysis (RAPA) to discuss their Adequate Level of Reliability framework. The outcomes included a better understanding of potential metrics and next steps. (Presentation 14) Compliance and Enforcement Input Working Group (CEIWG) Chair Paul Crist gave a progress report on the working group. Mr. Crist covered discussions on future work including: guidelines, process for Compliance Analysis Report (CAR) development, RAI support, and virtualization of the whitepaper review. (Presentation 15)

Cyber Security Subcommittee – Chair Mr. Marc Child Mr. Child gave an overview of the subcommittee’s activities including: recent activities, next steps, and requested CIPC actions. (Presentation 15)

Control Systems Security Working Group (CSSWG) Update and a RISC Technical Project Mr. Child reported on the analysis of the RISC nomination for digital certificate management. (Presentation 16) Cyber Attack Tree Task Force (CATTF) Chair Mark Engels gave an update on the activities which included: key assumptions, process of creating the attack trees, overview of the software, behavioral indicators, characteristics of an attacker, and characteristics of a victim. (Presentation 17)

The CIPC Meeting on March 4th was concluded for the day at 5:36 p.m. (CST) and was reconvened on March 5th at 8:00 a.m. (CST)

Cyber Security Analysis Working Group (CSAWG) Mr. Marc Child, on behalf of Chair Eric Warakomski gave an update on recent activities and

existing liaisons with the ES-ISAC, Cyber Security Training Working Group, and Events Analysis Subcommittee. Mr. Warakomski submitted his resignation since he could not continue as his duties have changed and could not continue to chair the working group. (Presentation 18; included in Cyber Subcommittee report)

Physical Security Subcommittee – Chair Mr. David Grubbs (No Presentation)

Physical Security Guideline Task Force (PSGTF) (No Presentation) Physical Security Working Group (PSWG) Chair Ross Johnson briefed CIPC on activities contemplated. The PSWG through the Physical Security Roundtable Group (PSRG) has conducted three conference calls. A total of 35 participants have been included in the current security practices and investigations of impact to the industry and their companies. The PSWG will evaluate the effectiveness of technology and develop a survey for determining the needs of physical security across the NERC Regions. Additionally, Mr. Johnson introduced Mr. Ben Langhorst of the Idaho National Laboratory (INL) who briefed CIPC on ballistic protection for critical electrical infrastructure. The INL conceptual solution was introduced which included prototype for ballistic panel shielding and cost feasibility. The working group has pushed ahead in several areas physical security training sessions using webinars and CIPC workshops. (Presentation 19) Security Training Working Group (STWG) Chair William Whitney, on the latest activities, including the announcement of additional training opportunities using CIPC workshops and webinars. The June CIPC workshops will include a panel on physical security programs on April 16, 2014 from 1-3 p.m. (EST). (Presentation 20) Also listed were the following:

April 16 – Physical Security Programs Panel Webinar May – National Labs Physical Security: Risk vs. Protection/Costs Webinar June – Orlando Pre-CIPC BC Hydro presentation on laser intrusion detection July – Active Shooter Webinar with Danny O. Coulson August – TBD September – Vancouver “Train the Trainer – Preparation for a Cyber Event” October – TBD November – TBD December – TBD

Cybersecurity Procurement Language Update for Energy Delivery Systems

Mr. Ed Goff, Duke Energy, updated CIPC concerning the progress for establishing procurement language tailored to the specific needs of the energy sector, why it is necessary, phases for development, timeline, and meeting the Department of Energy Roadmap mission. (Presentation 21)

North American Transmission Forum (NATF) Security Practices Group Activity Update

Mr. Wayne VanOsdol, NATF staff briefed CIPC on CIP V5 Implementation activities, Physical Security Work Group activities and 2014 projects. (Presentation 22) Agency Updates Federal Energy Regulatory Commission (FERC) – No one in attendance. Department of Homeland Security (DHS) – No one in attendance. Department of Energy (DOE) – No one in attendance. Adjournment There being no further business and upon motion to adjourn by Chair Abell. The motion approved by CIPC with adjournment at 12:03 p.m. (CST).

Submitted by,

R.D. Canada Bob Canada CIPC Secretary

2014 Future Meetings

Dates Time Type Location Hotel

April 3, 2014 April 4, 2014

8:00 a.m.–5:00 p.m. (EST)

8:00 a.m.–Noon (EST)

Energy Sector Classified Briefing

DOE HQ 1000 Independence

Ave Washington, DC

Per your travel arrangements

June 10, 2014 7:30 a.m.–Noon (EDT)

CIPC Physical Security

Workshop

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

June 10, 2014 1:00–5:00 p.m. (EDT) CIPC Meeting

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

June 11, 2014 8:00 a.m.–Noon (EDT) CIPC Meeting

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

September 16, 2014 7:30 a.m.–Noon

CIPC Cyber Security

Workshop

Vancouver BC, Canada

Hyatt Regency Vancouver 655 Burrard Street

Vancouver, BC, Canada, V6C2R7

604.683.1234

September 16, 2014 1:00–5:00 p.m. CIPC Meeting

Vancouver BC, Canada

Hyatt Regency Vancouver 655 Burrard Street

Vancouver, BC, Canada, V6C2R7

604.683.1234

September 17, 2014 8:00 a.m.–Noon CIPC Meeting

Vancouver BC, Canada

Hyatt Regency Vancouver 655 Burrard Street

Vancouver, BC, Canada, V6C2R7

604.683.1234

September 17, 2014 September 18, 2014

Noon–5:00 p.m. 8:00 a.m.–Noon

CIPC Executive Committee

Annual Planning Meeting

Vancouver BC, Canada

Hyatt Regency Vancouver 655 Burrard Street

Vancouver, BC, Canada, V6C2R7

604.683.1234

October 14-16, 2014 8:00 a.m.–5:00 p.m. GridSecCon 2014 San Antonio, Texas

Hyatt Regency San Antonio Riverwalk 123 Losoya Street

San Antonio, Texas 78205

December 9, 2014 8:00 a.m.–Noon (EST)

Energy Sector Classified Briefing

(No CIPC Workshop)

Atlanta, GA Westin Buckhead

December 9, 2014 1:00–5:00 p.m. (EST) CIPC Meeting Atlanta, GA

Westin Buckhead

December 10, 2014

8:00 a.m.–Noon (EST) CIPC Meeting

Atlanta, GA

Westin Buckhead

Agenda Critical Infrastructure Protection Committee March 4, 2014 | 1:00–5:00 p.m. (CST) March 5, 2014 | 8:00 a.m.–Noon (CST)

Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO 63102 (314) 655-1234

CIP Technical Workshop Hyatt Regency at the Arch 315 Chestnut Street St. Louis, MO 63102 March 4, 2014 | 7:30 a.m.–Noon (CST) Room: Park View

Critical Infrastructure Protection Committee Meeting Hyatt Regency at the Arch CIPC Working Lunch: Regency AB | March 4, 2014 | Noon–1:00 p.m. (CST) March 4, 2014 | 1:00–5:00 p.m. (CST) March 5, 2014 | 8:00 a.m.–Noon (CST) Room: Regency EF

Welcome and Introductions – Chair Chuck Abell

NERC Antitrust Compliance Guidelines and Public Meeting Announcement

Agenda

1. Remarks by Ms. Maureen Borkowski – Chairman, President, and CEO, Ameren Transmission Co.

2. Administrative – CIPC Secretary Bob Canada

a. Safety Briefing and Emergency Precautions – Hyatt at the Arch Staff

b. Declaration of Quorum

c. CIPC Roster – Page 13

d. Parliamentary Procedures – In the absence of specific provisions in the CIPC charter, the Committee shall conduct its meetings guided by the most recent edition of Robert’s Rules of Order, Newly Revised.

e. Introductions

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 2

3. Consent Agenda – Chair Chuck Abell

a. December 10-11, 2013 Draft Minutes for CIPC Approval

b. March CIPC Agenda

c. Committee Membership Appointments and Changes: TRE David Grubbs City of Garland Operations TRE Jim Brenton ERCOT Cyber TRE Darrell Klimitcheck STEC Physical FRCC Paul McClay TECO Cyber FRCC Carter Manucy Fla Municipal Physical FRCC Joe Garmon Seminole Operations MRO Marc Child Great River Cyber MRO Paul Crist LES Physical MRO Vacant TBD Operations NPCC John Galloway ISO-NE Operations NPCC Greg Goodrich NYISO Cyber NPCC Vacant TBD Physical RFC Larry Bugh RFC Cyber RFC Kent Kujala Detroit Operations RFC Jeff Fuller DPL Physical SERC Chuck Abell Ameren Cyber SERC Vacant TBD Operations SERC Tommy Clark SMEPA Physical SPP John Breckenridge KCPL Physical SPP Allen Klassen Westar Operations SPP Robert McClanahan AECC Cyber WECC Allen Wick Tri-State Physical WECC Mike Mertz PNM Cyber WECC Jamey Sample PGE Operations APPA David Godfrey TMPA Physical APPA Nathan Mitchell APPA Policy CEA Chris McColm Manitoba Physical CEA Ross Johnson Capital Power Physical CEA David Dunn IESO Policy NRECA Robert Richhart Hoosier Policy NRECA David Revill Georgia Trans Policy

4. Chair’s Remarks – Chair Chuck Abell

a. NERC Meetings Update and Other Items of CIPC Interest

5. CIPC Nominations Subcommittee Report – Chair Robert McClanahan

a. Recommendation for Subject Matter Expert (SME) member to replace Carl Eng on the CIPC Executive Committee

b. Election of an SME to CIPC Executive Committee

6. CID Director Remarks – Matt Blizard, Director of Critical Infrastructure Protection

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 3

7. ES-ISAC Update and Cyber Risk Preparedness Assessment (CRPA) Program Update – Matt Light, NERC Staff

8. CIP Transition Update – Tobias Whitney, NERC Staff

9. Version 5 Revisions Drafting Team Activities – Ryan Stewart and Marisa Hecht, NERC Staff

10. 2014 Sufficiency Review Program and Directions – Scott Mix, NERC Staff

11. Executive Order and Presidential Policy Directive Update – Laura Brown, NERC Staff

12. RISC Update and Reliability Risk Control Process – Jim Brenton, CIPC Representative to RISC

13. Legislative Update – Nathan Mitchell, American Public Power Association

14. Subcommittee Chairs, Subgroups, Progress, and Remarks – Chair Chuck Abell

15. Operating Security Subcommittee – Subcommittee Chair Jim Brenton

a. Electricity Sector Information Sharing Task Force (ESISTF) – Chair Stephen Diebold will report on activities, second phase, and outreach efforts.

ESISTF Charter

ESISTF Report: Approved by CIPC – June 11, 2013 Accepted by ESCC – July 11, 2013 Accepted by NERC BOT – August 15, 2013

b. Grid Exercise Working Group (GEWG) – Chair Tim Conway

GEWG Charter

Briefing on GridEx II Report – Bill Lawrence, NERC Staff

16. Policy Subcommittee – Subcommittee Chair Nathan Mitchell

a. Personnel Security Clearance Task Force (PSCTF) – Chair Nathan Mitchell will report on the

progress of the work completed and contemplated.

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 4

Recommendation #3: Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process. Next step includes ES-ISAC process development collaboration with the PSCTF.

PSCTF Charter

PSCTF Report: Approved by CIPC – June 11, 2013 Accepted by ESCC – July 11, 2013 Accepted by NERC BOT – August 15, 2013

b. Bulk Electric System Security Metrics Working Group (BESSMWG) – Chair James Sample will report on the progress of work completed and contemplated.

BESSMWG Charter

BESSMWG Report – was endorsed by CIPC June 11, 2013.

c. Compliance Enforcement and Input Working Group (CEIWG) – Chair Paul Crist will report on the progress of the work completed and contemplated.

CEIWG Charter

17. Cyber Security Subcommittee – Subcommittee Chair Marc Child

a. RISC Technical Project and CSSWG Update – Marc Child will report on the review for the RISC.

b. Cyber Attack Tree Task Force (CATTF) – Chair Mark Engels will report on the progress of the work

completed and contemplated.

CATTF Charter

c. Cyber Security Analysis Working Group (CSAWG) – Chair Eric Warakomski will report on the progress of the work completed and contemplated.

CSAWG Charter

18. Physical Security Subcommittee – Subcommittee Chair David Grubbs

a. Electricity Sector: Physical Response Guideline Task Force (PSGTF) – Chair John Breckenridge

PSGTF Charter

Electricity Sector: Physical Security Response Guideline – CIPC approved by email ballot on October 25, 2013.

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 5

b. Physical Security Working Group (PSWG) – Chair Ross Johnson will report on the progress of work completed and contemplated.

PSWG Charter

c. Security Training Working Group (STWG) – Chair William Whitney III will report on progress of work completed and contemplated.

STWG Charter

19. Cybersecurity Procurement Language Update for Energy Delivery Systems – Ed Goff, Duke

20. North American Transmission Forum (NATF)

a. Security Practices Group Activity Update – Wayne VanOsdol, Program Manager

21. Agency Updates

a. Federal Energy Regulatory Commission (FERC) – Cathy Eade, Office of Energy Infrastructure Security

b. Department of Homeland Security (DHS) – Richard Alt, Sector Outreach and Programs

c. Department of Energy (DOE) – Ken Friedman, Senior Policy Advisor

Critical Infrastructure Protection Committee Agenda March 4-5, 2014 6

22. 2014 Schedule of Important Dates:

23. Closing Remarks and Action Items

24. Adjournment

Dates Time Type Location Hotel

April 3, 2014 April 4, 2014

8:00 a.m.–5:00 p.m. (EST)

8:00 a.m.–Noon (EST)

Energy Sector Classified Briefing

DOE HQ 1000 Independence

Ave, SW Washington, DC

Per your travel arrangements

June 10, 2014 7:30 a.m.–Noon (EDT) CIPC Physical Security

Workshop

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

June 10, 2014 1:00–5:00 p.m. (EDT) CIPC Meeting

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

June 11, 2014 8:00 a.m.–Noon (EDT) CIPC Meeting

Orlando, FL

Hyatt Regency Orlando Int’l Airport

9300 Jeff Fuqua Blvd Orlando, FL 32827

September 16, 2014 7:30 a.m.–Noon CIPC Cyber Security

Workshop

Vancouver BC, Canada TBD

September 16, 2014 1:00–5:00 p.m. CIPC Meeting Vancouver BC,

Canada TBD

September 17, 2014 8:00 a.m.–Noon CIPC Meeting Vancouver BC,

Canada TBD

September 17, 2014 September 18, 2014

Noon – 5:00 p.m. 8:00 a.m. – Noon

CIPC EC Annual Planning Meeting

Vancouver BC, Canada

TBD

October 14-16, 2014 8:00 a.m.–5:00 p.m. GridSecCon 2014 San Antonio, Texas

Hyatt Regency San Antonio Riverwalk 123 Losoya Street

San Antonio, Texas 78205

December 9, 2014 8:00 a.m.–Noon (EST)

Energy Sector Classified Briefing

(No CIPC Workshop)

Atlanta, GA TBD

December 9, 2014 1:00–5:00 p.m. (EST) CIPC Meeting Atlanta, GA TBD

December 10, 2014 8:00 a.m.–Noon (EST) CIPC Meeting Atlanta, GA TBD

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) Analysis of the RISC nomination for digital certificate management (Venafi, Inc – 7/29/2013) February 1, 2014 Background In July 2013, technology vendor Venafi, Inc submitted to the Reliability Issues Steering Committee a Reliablity Issues Nomination Form related to the use of digital keys and digital certificates. These technologies are used by machines as a trust mechanism to ensure privacy and non-repudiation of data passed between them. The basis of their concerns (discussed in the Technical Details below) is that poorly managed or implemented digital keys introduce risk to the bulk electric system, and Venafi’s recommendations are to make specific language changes in the CIP version 5 standards to include requirements for full life-cycle management of keys, and digital certificate security. In its NOPR for CIP version 5, FERC sought comments as to whether “…the adoption of communications security protections, such as cryptography and protections for non-routable protocol, would improve the CIP Standards…”. (Ref: Docket No. RM13-5-000, page 116). In response, the Commission received comments from vendors (including Venafi) and others that supported the inclusion of such cryptography requirements; while multiple other organizations such as trade groups and individual utilities disagreed, stating “…the deployment of cryptographic protocols may: (1) prohibitively increase latency in communications; (2) obfuscate data needed for testing and problem diagnosis; and (3) introduce communication errors from complex key management across organizations.” (Ref: Docket No. RM13-5-000, page 116). Version 5 of the NERC CIP standards was approved by FERC in late November 2013, and, while the Final Rule (Order 791) included directives to strengthen the physical protection of communications networks, it did not include any specific instructions for NERC to introduce cryptography requirements into the CIP standards.

Recommendations On behalf of the NERC Critical Infrastructure Protection Committee (CIPC), the Control Systems Security Working Group (CSSWG) reviewed the Venafi nomination form for technical accuracy and evaluated the merits of their recommendations.

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 2

Specifically CSSWG reviewed the FERC NOPR and Final Rule for the CIP version 5 reliability standards, and examined the scope of the newly-formed Order 791 standards drafting team. Finally, the CSSWG contacted the Events Analysis team at NERC to study incidents related to Bulk Electric System outages where digital certificates may have been a contributing factor. The CSSWG found:

There have been no Energy Management System (EMS) outages reported to NERC where digital certicates or digital keys were deemed to be a causal or contributing factor.

Venafi is correct in stating that entities may have a higher susceptibility to intrusions due to poorly managed keys and certificates. However, poor engineering or poor implementation of technology cannot (and should not be in the opinion of the CSSWG) mitigated through the NERC standards process by use of prescriptive controls. The CIP standards, in particular, focus on ‘what’ should be protected and not ‘how’.

The CIPC committee has long recognized the value in providing utilities best practice guidance in the form of technical guidelines published on the ES-ISAC website. Technical subjects such as ‘Connectivity to Business Networks’, ‘Identity and Access Management’, ‘Intrusion Detection’, and ‘Firewalls’ – security topics categorically similar to digital certificate management – are areas where the committee has provided guidance and technical resources to help entities design effective solutions and avoid the risk of poorly designed or incomplete security implementations.

The CSSWG recommends:

Short of any regulatory directives by FERC, no additional modifications to the CIP version 5 standards is planned that would include specific technical requirements for digital certicate management.

The CIPC committee should direct the CSSWG to develop a guideline for digital certificate management and encryption to assist entities in choosing and implementing such technologies in a manner consistent with BES reliability.

The RISC committee committee shall thank Venafi, Inc as the author of the RISC Nomination Form for volunteering their expert knowledge and bringing this issue to the attention of NERC.

Technical Details

In response to the four specific recommendations & comments made by Venafi, the CSSWG offers the following technical feedback. Comment #1 CIP Version 5 & FERC NOPR: The use of encryption alone is inadequate to provide secure and trusted data communications. Within the proposed CIP version 5 standards, there are multiple references to authenticated, secure, or encrypted data communications but fall short of clearly prescribing the adoption of communications security protections. FERC's suggestion for the use of cryptography for

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 3

encryption should not only be mandatory but should also include provisions for the management of the encryption assets known as keys and certificates. Many organizations - both inside and outside of the bulk electric system - have adopted encryption to secure and trust data communications but are still susceptible to intrusions and attacks due to the theft of poorly managed keys and certificates. The threat posed by the theft of these trust assets is increasing exponentially; if the intruder is trusted, the security defenses in place will be ineffectual to attack or theft. We propose that encryption and the management of authentication/encryption assets to secure data communications be made a part of the CIP version 5 standards.

The CSSWG agrees with the statement in general, although we’re not as convinced that encryption is adopted in the control systems world as much as was suggested. In our opinion there is still a great deal of misunderstanding about what an IPsec tunnel can and can not do. There is a very great appeal to the use of digital certificates to manage machine to machine (and human to machine) connections. There is general perception that rolling out a large certificate based system is not for the faint of heart. For smaller entities especially, this is a very large technical step to take and requires a great deal of subject matter expertise to get it right. It would be advisable for entities wishing to embark on such a project to visit some companies who are using certificates based encryption and see how well it was rolled out. It would also be equally helpful to visit a company that abandoned the effort as well.

Comment #2 CIP-002-5: Certificate Authorities are incorrectly identified as an example of an authentication server under the definition of an Electronic Access Control or Monitoring Systems (EACMS). A Certificate Authority is not in itself an authentication server but is an integral part of a Public Key Infrastructure (PKI). A Certificate Authority (CA) does not provide active authentication, rather it relies on components of the PKI such as Certificate Revocation Lists (CRL), Online Certificate Status Protocol responders (OCSP) to validate/authenticate trust. CA's issue Root Certificates that are part of a “trust store” to ensure the validity of the trust chain provides authentication. As it serves as the basis to ensure the integrity of the authentication functions of keys and certificates, we propose that PKI be included as a separate category example of an EACMS. Our proposed language is more precise to what we interpret as the intent of the inclusion of Certificate Authorities in the EACMS examples: “Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, LDAP Servers), Public Key Infrastructure technologies such as but not limited to (Certificate Authorities, OCSP Responders, CRLs, Registration Authorities, certificates, RSA and DSA keys, self signed certificates, CRLs and Trust Stores)”.

Agree with the knowledge that there is OCSP already and to our knowledge it is considered a best practice and should be encouraged, but this suggestion crosses over into the ‘how’.

Comment #3 CIP-002-5: Without the expansion of the EACMS definition to include PKI, the BES lowers its availability/reliability and adds significant risk to the ability to prevent or respond to a key/ certificate incident. An unavailable, degraded, or misused unmanaged key or certificate in the BES would not be remediated within 15 minutes of the compromise or outage. Venafi's extensive experience in this field indicates that in unmanaged environments with manual processes, the average recovery time to (a) diagnose the issue; (b) request a new certificate; and (c) approve and install is typically two to four hours. We believe that there is intent in the proposed CIP version 5 standards to prevent key and certificate

CIPC Report to the NERC Reliability Issues Steering Committee (RISC) 4

incidents from having a negative impact on the availability/reliability of the BES. To prevent this from being overlooked, we again propose specific language be added to include PKI as an example of EACMS.

There are certainly safety and reliability concerns about keeping a process control or SCADA system up at all costs, and the entity choosing to use a PKI will need to determine what to do if and when a cert is untrusted or becomes untrusted. This must be accounted for in the functional design of the system.

Comment #4 CIP-007-5: By limiting the focus to human interaction/authentication with cyber systems, the System Access Controls fail to account for, or place controls on, the majority authentication credentials (machine-to-machine) used in the BES. In this context, authentication falls into user credentials (User ID/Password, One-Time Password (OTP), smartcards and tokens) and machine credentials (the most common form of which are keys and certificates). Within the bulk electric system, machine credentials are used far more often to authenticate than user credentials and the gulf between the two continues to grow wider. By focusing only on User ID/Password credentials for humans, the proposed CIP version 5 standards do not adequately protect the majority of the authentication credentials or the auditability of all access within the bulk electrical system. We propose that “CIP-007-5 Table R5 - System Access Control” be expanded to include the active management of keys and certificate credentials in line with User ID/Password credentials. Machine-to-machine credentials are important, but considering current intrusion/infection scenarios, are arguably not the most urgent problem to be addressed by NERC CIP controls. The current standard's concentration on human accounts, authentication, and remote access sets proper and realistic goals. The entity has the ultimate authority to design and implement the level and type of encryption and authorization levels to mitigate the risks identified in their own risk management programs.