Federal Energy Regulatory Commission
June 2009

Cyber Security and Reliability Standards

Regis F. Binder
Director, Division of Logistics & Security
Federal Energy Regulatory Commission


Disclaimer

• The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States


Increased Cyber Security Concerns

• Automation & Data Gathering
• Connectivity of Control Systems
  – To Corporate Computers
  – To Vendors
  – To Internet
  – To Remote Maintenance
• Use of Wireless Communications
• Interest of
  – Nation States – the equalizer
  – Hackers
  – Criminals


Cyber Security and Reliability Standards

• Historically – Voluntary Standards
• Urgent Action Standard 1200
  – Voluntary
  – Adopted by NERC Summit 2003
  – Replaced by CIP-002-1 thru CIP-009-1, June 2006


Enforcement of Reliability Standards

NERC has regional delegation agreements with 8 Regional Entities:

• Western Electricity Coordinating Council
• Midwest Reliability Organization
• Southwest Power Pool Regional Entity
• Texas Regional Entity
• Northeast Power Coordinating Council
• Reliability First Corp
• SERC Reliability Corp.
• Florida Reliability Coordinating Council



Standards Development Process

• Standard Authorization Request
• Drafting Team Formed
• Proposed Standard Developed
• Comments Solicited
• Ballot
  – Quorum: 75% of Ballot Pool
  – Approval: 2/3 of Weighted Segment Votes
• Re-ballot?
• Board of Trustees Approval
• FERC & Canadian Approvals (w/ Public Comments)


Canada & Mexico

• 7 Canadian Provinces Interconnect With U.S.A.
• Different Laws – Information Protection
• NERC Works With Provinces to:
  – Establish Standards
  – Enforce Standards
• Mexico – Northwest Corner of Mexico


NERC Compliance Registry
Users, Owners & Operators of BPS

Region   # of Registered Entities
FRCC       70
MRO       117
NPCC      268
RFC       357
SERC      226
SPP       115
TRE       216
WECC      473
TOTAL    1842


FERC Concerns With Reliability Standards Development Process

• Emergency & Security Issues
• Process is:
  – Public
  – Slow
  – Uncertain on Outcome


Areas Addressed by CIP Standards

• Identification of critical assets & critical cyber assets
  – Generating stations
  – Transmission stations
  – Control Centers


CIP Standards Continued I.

• Management involvement

• Security of sensitive information

• Cyber security training

• Personnel risk


CIP Standards Continued II.

• Physical security of critical cyber assets

• Change control

• Access control

• Electronic security perimeters


CIP Standards Continued III.

• Incident response

• Recovery plans


Critical Assets

• Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
• NERC April 7, 2009 Letter to Industry
  – Self-certification compliance survey
  – Results “raise concern” about identifying Critical Assets and Critical Cyber Assets
  – 63% of Transmission Owners had at least one Critical Asset
  – Only 29% of Generation Owners and Generation Operators had at least one


FERC Approval of CIP Standards

• Order No. 706
• January 18, 2008
• Required many modifications
  – Critical Asset identification – required a wide-area oversight
  – Exceptions to Compliance – required oversight & approval mechanism
  – Reasonable Business Judgment language – required removal
  – Defense in Depth
  – Revoke Access Authorization


Order No. 706 Modifications

• Phase I (Version 2 of CIP Standards)
• Low-hanging fruit
• Reasonable Business Judgment language removed
• Approved by Ballot Body & NERC BoT
• Filed with FERC May 22
• Expect two more phases


Compliance & Enforcement

• Regional Entities are front line
• Ways of monitoring
  – Compliance Audits
  – Self-Certifications
  – Spot Checking
  – Compliance Violation Investigations
  – Complaints
  – Self-Reporting
  – Periodic Data Submittals
  – Exception Reporting
• Nuclear Stations – Order No. 706-B


Enforcement Actions

• Mitigation Plan
• Remedial Action Directive
• Sanctions
  – Monetary
  – Other
• FERC Oversight
• FERC Can Originate


Smart Grid

• A smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments

• Interoperability standards and protocols leave no gaps in cyber or physical security