Federal Energy Regulatory Commission
June 2009
Cyber Security and Reliability Standards
Regis F. Binder
Director, Division of Logistics & Security
Federal Energy Regulatory Commission
Disclaimer
The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States
Increased Cyber Security Concerns
• Automation & Data Gathering
• Connectivity of Control Systems
– To Corporate Computers
– To Vendors
– To Internet
– To Remote Maintenance
• Use of Wireless Communications
• Interest of
– Nation States – the equalizer
– Hackers
– Criminals
Cyber Security and Reliability Standards
• Historically – Voluntary Standards
• Urgent Action Standard 1200
– Voluntary
– Adopted by NERC Summit 2003
– Replaced by CIP-002-1 thru CIP-009-1, June 2006
Enforcement of Reliability Standards
NERC has regional delegation agreements with 8 Regional Entities:
• Western Electricity Coordinating Council
• Midwest Reliability Organization
• Southwest Power Pool Regional Entity
• Texas Regional Entity
• Northeast Power Coordinating Council
• Reliability First Corp
• SERC Reliability Corp.
• Florida Reliability Coordinating Council
Standards Development Process
• Standard Authorization Request
• Drafting Team Formed
• Proposed Standard Developed
• Comments Solicited
• Ballot
– Quorum: 75% of Ballot Pool
– Approval: 2/3 of Weighted Segment Votes
• Re-ballot?
• Board of Trustees Approval
• FERC & Canadian Approvals (w/ Public Comments)
Canada & Mexico
• 7 Canadian Provinces Interconnect With U.S.A.
• Different Laws – Information Protection
• NERC Works With Provinces to:
– Establish Standards
– Enforce Standards
• Mexico – Northwest Corner of Mexico
Users, Owners & Operators of BPS
NERC Compliance Registry

Region   # of Registered Entities
FRCC     70
MRO      117
NPCC     268
RFC      357
SERC     226
SPP      115
TRE      216
WECC     473
TOTAL    1842
FERC Concerns With Reliability Standards Development Process
• Emergency & Security Issues
• Process is:
– Public
– Slow
– Uncertain on Outcome
Areas Addressed by CIP Standards
• Identification of critical assets & critical cyber assets
– Generating stations
– Transmission stations
– Control Centers
CIP Standards Continued I.
• Management involvement
• Security of sensitive information
• Cyber security training
• Personnel risk
CIP Standards Continued II.
• Physical security of critical cyber assets
• Change control
• Access control
• Electronic security perimeters
CIP Standards Continued III.
• Incident response
• Recovery plans
Critical Assets
• Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
• NERC April 7, 2009 Letter to Industry
– Self-certification compliance survey
– Results “raise concern” about identifying Critical Assets and Critical Cyber Assets
– 63% of Transmission Owners had at least one Critical Asset
– Only 29% of Generation Owners and Generation Operators had at least one
FERC Approval of CIP Standards
• Order No. 706
• January 18, 2008
• Required many modifications
– Critical Asset identification – required a wide-area oversight
– Exceptions to Compliance – required oversight & approval mechanism
– Reasonable Business Judgment language – required removal
– Defense in Depth
– Revoke Access Authorization
Order No. 706 Modifications
• Phase I (Version 2 of CIP Standards)
• Low-hanging fruit
• Reasonable Business Judgment language removed
• Approved by Ballot Body & NERC BoT
• Filed with FERC May 22
• Expect two more phases
Compliance & Enforcement
• Regional Entities are front line
• Ways of monitoring
– Compliance Audits
– Self-Certifications
– Spot Checking
– Compliance Violation Investigations
– Complaints
– Self-Reporting
– Periodic Data Submittals
– Exception Reporting
• Nuclear Stations – Order No. 706-B
Enforcement Actions
• Mitigation Plan
• Remedial Action Directive
• Sanctions
– Monetary
– Other
• FERC Oversight
• FERC Can Originate
Smart Grid
• A smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments
• Interoperability standards and protocols leave no gaps in cyber or physical security