It Takes a Village: Why Community Based Compliance Works - Josh Sandler EnergySec Security Summit – Denver, CO 9/18/13

Agenda

§  Who am I? §  NERC CIP Violation Statistics §  Is there help? §  What can we do? §  What else needs to be done? §  Questions

2

Who Am I?

§  10 years of experience in the utility industry with Duke Energy §  Electrical Engineer §  Controls Engineer §  Generation CIP Program Lead §  Internal CIP Consultant and Subject Matter Expert

§  North American Generator Forum §  Steering Committee §  Advisory Committee §  Security Practices Working Group Lead

§  Regular participant in many community-based compliance groups

3

NERC CIP Violation Statistics

4

Source: http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Key%20Compliance%20Trend%20for%20May%20BOTCC-%20FINAL.pdf

NERC CIP Violation Statistics

5

Source: http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Key%20Compliance%20Trend%20for%20May%20BOTCC-%20FINAL.pdf

NERC CIP Violation Statistics

6

Source: http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Key%20Compliance%20Trend%20for%20May%20BOTCC-%20FINAL.pdf

NERC CIP Violation Statistics

7

Source: http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Dec%20Key%20Compliance%20Trends.pdf

IS THERE HELP?!?

8

Is there help?

YES 9

Is there help?

§  Regional Groups (not inclusive) §  WECC

§  Critical Infrastructure & Information Management Subcommittee (CIIMS) §  Compliance Users Group (CUG) §  Critical Infrastructure Protection Users Group (CIPUG) §  Western Interconnection Compliance Forum (WICF)

§  SPP §  Critical Infrastructure Protection Working Group (CIPWG)

§  RFC §  Critical Infrastructure Protection Committee (CIPC) §  Compliance Users Group (CUG)

§  SERC §  Critical Infrastructure Protection Committee (CIPC)

§  NPCC §  Task Force on Infrastructure Security and Technology (TFIST)

§  FRCC §  Critical Infrastructure Protection Subcommittee (CIPS)

§  MISO §  Critical Infrastructure Protection Users Group (CIPUG)

10

Is there help?

§  National Groups (not inclusive) §  NERC CIPC §  North American Transmission Forum (NATF)

§  Security Practices Group §  Compliance Group

§  North American Generator Forum (NAGF) §  Standards Review Team (SRT) §  Security Practices Working Group

§  UNITE CIP §  UTC Cybersecurity §  Trade Organization’s Security Groups (EEI, EPSA, APPA, etc)

11

What can we do?

12

What can we do?

§  PARTICIPATE! §  Not about finding a way to participate in all communities, but finding the best fit for you.

§  SHARE! §  One thing all these communities have in common is that they thrive off of information sharing.

§  LEARN! §  Take away lessons-learned, best practice techniques and deliver to others within your organization.

§  ACT! §  Use the influence of the communities to drive change.

13

What else needs to be done?

14

§  Join a community §  Form a new community §  FERC and NERC are reaching out to the larger communities…shouldn’t you be too? §  Use communities to drive positive change

§  Be a voice in the writing of NERC CIP Version 6, Version 7, Version 8, etc… §  Assist in the shift from compliance-based security to security-based compliance.

§  You tell me…

15

What else needs to be done?

Questions?

Josh Sandler NERC CIP Standards SME – Duke Energy

Office: 704-382-4504 E-mail: josh.sandler@duke-energy.com

16

17