Compliance Monitoring and Enforcement Program Technology ...

Compliance Monitoring and Enforcement Program Technology Project Update
Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology
Technology and Security Committee Meeting
February 7, 2018


RELIABILITY | ACCOUNTABILITY

Current Status

• Vendor references completed (Freddie Mac, Fannie Mae, SCANA, SunPower)
• Selections narrowed down to two vendors
• Vendor product briefings conducted for ERO Technology Leadership Team
• Detailed technical evaluations in progress
• Focused on understanding vendor “cautions and concerns,” e.g., “stay in the box,” strong governance, teamwork, trust, and transparency


Top Steering Committee Issues

• Storage of CEII data within the new system
• Treatment of International Entities
• Management of historical data
• Interface with FERC
• Software licensing terms and conditions


Upcoming Milestones

• Complete technical evaluation of vendor finalists – February 16
• Steering Committee final vendor selection – February 26
• Contracting and launch of Phase 2 work – April 1


Registered Entities and ERO Enterprise IT Applications Update
Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology
Technology and Security Committee Meeting
February 7, 2018


Agenda

• Misoperations data management portal
• Entity Registration – Joint Registration Organization (JRO)
• Electricity Information Sharing and Analysis Center (E-ISAC) Technology Update
• Priorities Looking Ahead


Misoperations Portal Benefits to Registered Entities

• Greatly improved user experience
  - Provides users access to their entity’s data as it appears in the database
  - Users are able to update and edit previous submissions, if necessary
  - Users can review and export various reports, creating consistency in calculations done by industry
  - By improving user experience we aim to increase data quality and decrease industry burden
• Users can submit for multiple entities for which they are authorized


Portal Benefits to Regional Entity Users

• Regional Entities have access to same reports as user, at the Regional level
  - Includes Submission Status Report
    o Provides a comprehensive one-stop check to determine what entities haven’t submitted and what they still need to submit
  - Misoperations Rate Report with consistent calculations
    o Can identify entities performing well or poorly relative to others in the Region or compared to NERC aggregated value
• Entities required to submit waiver
  - Acts as attestation that they have no Protection System Operations and/or Misoperations to report
  - Shows Regions which entities haven’t performed their submissions versus which entities just didn’t have anything to submit


Portal Benefits to NERC

• Improvement of validations
  - More comprehensive validations have been implemented
  - Method of application greatly improved
  - User receives immediate feedback on any errors in their spreadsheet
• Portal required initial development of security and permissions model
  - Model has already been used as baseline for registration project


Entity Registration – JRO

• Benefits to Registered Entities:
  - Provides a portal to submit JRO requests electronically, replacing manual email submissions
  - Data access: Ability to see other requests associated to them
  - Data management: Update, cancel, or terminate requests
• Benefits to Regions and NERC:
  - Improved reporting
  - Eliminates the need to publish on NERC.com
  - Single data source for all JRO requests
  - Data management: Update, cancel or terminate requests


E-ISAC Technology Update

• New portal enabled on December 19, 2017
• Provisioned over 6000 User IDs for access to the portal
• Portal improvements include content organization, usability, performance, and security enhancements


Priorities Looking Ahead

• Southwest Power Pool Regional Entity Dissolution – Information Technology system modifications

• Public-facing website search, security, software upgrades, and publication improvements

• New functionality for the E-ISAC portal including User Communities and machine-to-machine automation

• New analytical capabilities for the E-ISAC include data warehousing and the delivery of an “analyst workbench”


Information Technology Cost Optimization Update
Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology
Technology and Security Committee Meeting
February 7, 2018


IT Cost Optimization

• Supports ERO Enterprise strategy to improve enterprise-wide efficiency and effectiveness
• Eleven cost categories compatible with benchmarking studies
• Researched how NERC compares to other similar organizations – ERO Enterprise combined 11.8 percent ratio of revenue to Information Technology (IT) spend; similar organizations at 12 percent
• Next steps
  - Report Regional IT budgets using the newly created cost categories
  - Examine consolidation of ERO Enterprise IT purchasing power


Additional Information


IT Cost Types

• Network
• Storage and servers
• Cyber security solutions
• Desktops and client peripherals
• Application support and enhancements
• Software support agreements
• Microsoft Enterprise Agreement
• New capabilities


E-ISAC Quarterly Update

Bill Lawrence
Director of the Electricity Information Sharing and Analysis Center
Technology and Security Committee Meeting
February 7, 2018


Agenda

• Long-Term Strategic Plan Background
• 2017 Accomplishments
• Strategic Plan Framework
• Key Activities
• GridEx IV Update


Background

• The E-ISAC underwent a strategic review with the Electricity Subsector Coordinating Council (ESCC) in 2015

• Under the ESCC, the Member Executive Committee (MEC) was created and serves as a CEO-led stakeholder advisory group

• MEC input was used on the E-ISAC Long-Term Strategic Plan developed in 2017

• The plan was approved by the NERC Board of Trustees (Board) in 2017 and included in the NERC Business Plan and Budget for implementation in 2018


2017 Major Accomplishments

• Information Sharing: provided subject matter expert content to three NERC Alerts

• Analysis: launched the Embedded Industry Augmentation program

• Engagement: conducted GridEx IV with over 6,500 participants (up 50% from GridEx III), over 450 organizations (up 30% from GridEx III)


E-ISAC Strategic Plan

Vision: To be a world class, trusted source of quality analysis and rapid sharing of electricity industry security information

Supported by:
• NERC Board of Trustees
• Electricity Subsector Coordinating Council (ESCC)
• ESCC Members Executive Committee (MEC)

[Diagram: World Class ISAC Strategic Plan, with pillars Engagement, Analysis, and Information Sharing. Labels in the diagram:]
• Accelerate sharing and high priority notifications
• Enhance portal
• Improve information flow and security
• CRISP, CYOTE, CAISS, Strategic Vendor Partnerships
• Hire and develop exceptional employees
• Leverage information sharing technologies and resources to enhance analytical capability
• Prioritize products and services
• Metrics benchmarking
• Evaluate 24x7 Operations (future)
• Build trust and show value


Key Activities Update

E-ISAC Critical Broadcast Notifications
• Procedures established and prepping for exercise in Q1

CRISP Program and CRISP Governance Committee Activities
• Established E-ISAC local access to CRISP data
• Governance Committee organized, charter under development
• Further expanding Membership Base – target minimum of four companies joining
• Identifying and evaluating opportunities to lower cost of participation
• Developing Strategic Plan

Portal Launch
• Launched December 19, 2017
• Providing post-production support
• Commence planning for portal enhancements, including potential data visualization, authentication, user management, and registration


Key Activities Update

MEC Working Group
• Ongoing stakeholder feedback on enhancement activities with pilot program support and feedback

User Communities
• Developing user communities governance and implementation plan
• Implementing and testing user community capability

Automated Information Sharing
• Developing and piloting CAISS analytic capabilities
• Evaluating pros and cons in moving ahead with ThreatConnect platform

Products and Services
• Gathering requirements, developing plan, and issuing RFP for data warehouse, analyst workbench, and event management tool
• Evaluating deployment of DOE malware forensics tools and dropbox


GridEx Objectives

• Exercise incident response plans
• Expand local and regional response
• Engage critical interdependencies
• Improve communication
• Gather lessons learned
• Engage senior leadership


GridEx IV Participation Map


GridEx IV Communications

[Diagram of GridEx IV communication paths. Labels in the diagram:]
• Coordination with Government
• Trade Associations
• Bulk-Power System Entities: Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc.
• Coordinated Operations
• Vendor Support: IT, ICS, ISP, Anti-virus
• Local, State/Provincial Government: Emergency Management Organizations; Emergency Operations Centers / Fusion Centers; Local FBI, PSAs; National Guard; PUCs, PSCs
• E-ISAC: Electricity Information Sharing & Analysis Center
• Other Federal Agencies: US: FBI, FERC, DOD; Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC
• NERC Crisis Action Team
• DOE: Department of Energy
• DHS: NCCIC, ICS-CERT, US-CERT
• NERC Bulk Power System Awareness (BPSA)
• Regional Entities
• Executive Coordination
• Electricity Subsector Coordinating Council (ESCC)
• Other Critical Infrastructures: Telecommunications, Oil & Gas, others
• Energy GCC, Other SCCs
• Unified Coordination Group (UCG) or non-US equiv.
• ExCon: GridEx IV Exercise Control (NERC staff, GEWG, Booz Allen, Nat’l Labs, SMEs for Sim-cell, etc.)


GridEx Participation

[Chart: GridEx Exercise Participation, Active vs. Observing]
• GridEx I: 36 active (47%), 40 observing (53%)
• GridEx II: 122 active (53%), 109 observing (47%)
• GridEx III: 209 active (57%), 155 observing (43%)
• GridEx IV: 335 active (74%), 117 observing (26%)


Executive Tabletop

• GridEx IV Executive tabletop events with senior industry and government participants were held in parallel in the U.S., Canada, and Australia

• The tabletops engaged senior leaders in a robust discussion of the policy issues, decisions, and actions needed to respond to a grid security emergency caused by severe coordinated cyber and physical attacks

• Participants discussed security and electricity reliability challenges, cross-sector interdependencies, and the decisions needed to support timely response and recovery of the grid


GridEx IV Reports

• Three reports are under construction:
  - Distributed play lessons learned (limited release)
  - Executive tabletop recommendations (limited release)
  - Public report
• Reports will be out for comment and edits in February
• Reports issued in March


Backups


2017 Accomplishments

Columns: Information Sharing, Analysis, Engagement

• Launched portal
• Launched recruiting efforts, hired one cyber analysis specialist in 2017
• Conducted GridEx IV: over 6,500 participants (up 50% from GridEx III), over 450 organizations (up 30% from GridEx III)
• Shared over 210 cyber bulletins (140 member-posted; 71 E-ISAC-posted) and 165 physical bulletins (64 member-posted; 101 E-ISAC-posted)
• Launched the Embedded Industry Augmentation program
• Conducted GridSecCon 2017 with over 500 participants (an increase of 20% from GridSecCon 2016)
• Provided content to three NERC Alerts on:
  - Modular Malware Targeting Electric Industry Assets in Ukraine
  - Advanced Persistent Threat Actor Targeting Electric Industry and Other Critical Sectors
  - Supply Chain Risk
• Collaborated with CIPC Security Metrics Working Group on new security metrics and data sources
• Enhanced CRISP
  - Participation from 25 to 27 companies
  - CRISP governance group of 15 companies
  - Independent audit of PNNL security practices, data handling
• Gathered GridEx IV lessons learned and recommendations
• Produced a security risk assessment for the MRO Security Advisory Council
• Formalized partnership with Downstream Natural Gas ISAC
• Adopted internationally accepted Traffic Light Protocol for information handling
• Produced 51 Weekly, 12 Monthly, 1 Mid-Year, and 1 End of Year reports
• Established MEC user group governance team (UNITE, ISO/RTO Council, Large Public Power Council)
• Facilitated 12 monthly E-ISAC and CRISP webinars
• Produced 12 Monthly CRISP Analysis reports
• Increased active E-ISAC Portal membership from 2,500 to over 3,200 from Q1 to Q3
• Facilitated two CRISP member workshops and threat briefings
• Partnered with DARPA on a cyber security program for electric utilities linked to the GridEx program
• Participated in NRECA RC3 Cyber Security Summits for information sharing best practices
• Partnered with the University of Illinois at Urbana-Champaign and its new Industry – University Cooperative Research Center
• Discussed “malware solutions pipeline” research effort with DOE and National Laboratory system
• Enhanced international engagement:
  - Performed Cyber Risk Preparedness Assessment in Mexico
  - Initiated collaboration with the Japan Electricity ISAC and European E-ISAC (to be continued in 2018)