Critical Infrastructure Protection
THE ELECTRICITY SECTOR
Presented to
EMERGENCY POWER
CONFERENCE
November 2004
Topics
● Electricity Sector (ES)
● North American Electric Reliability Council (NERC)
● Critical Infrastructure Protection (CIP) Organization
● ES CIP Initiatives
● ES Information Sharing Analysis Center (ESISAC)
● Interdependencies
● A Path Forward
The Electricity Sector
$$\frac{\sum_{C=1}^{x10^{6}} \left( a\mathrm{Gen} + b\mathrm{Transm} + c\mathrm{LSE} + d\mathrm{RC} + e\mathrm{CA} + f\mathrm{Gov} + + + \right)}{3I}$$

Characteristics: Instantaneous, Interconnected, Interdependent, Reliability, Security
Organizations: APPA, CEA, EEI, ELCON, EPRI, EPSA, ESISAC & other ISACs, NEI, NERC, NAESB, NRECA
Agencies: DOE, DHS, DOD, FERC, NARUC, NRC, PSEPC, RUS, USSS
Description and Definitions
The equation:
  ▪ Summed over millions of Customers
  ▪ Entity types that comprise the ES *
  ▪ Divided by three Interconnections:
    ▪ Eastern
    ▪ Western
    ▪ Texas
* Generation, Transmission, Load Serving Entities, Purchasing-Selling Entities, Reliability Coordinators, Control Areas, Regional Transmission Organizations, Independent System Operators, Regulators (Canada/US: Federal/State/Provincial/Local)
● APPA: American Public Power Association
● CA: Control Area
● CEA: Canadian Electricity Association
● DOD: Department of Defense
● DOE: Department of Energy
● DHS: Department of Homeland Security
● EEI: Edison Electric Institute
● ELCON: Electricity Consumers Resource Council
● EPRI: Electric Power Research Institute
● EPSA: Electric Power Supply Association
● ES: Electricity Sector
● FERC: Federal Energy Regulatory Commission
● IAIP: Information Analysis and Infrastructure Protection
● ISAC: Information Sharing and Analysis Center
● NAESB: North American Energy Standards Board
● NARUC: National Association of Regulatory Utility Commissioners
● NEI: Nuclear Energy Institute
● NERC: North American Electric Reliability Council
● NRC: Nuclear Regulatory Commission
● NRECA: National Rural Electric Cooperative Association
● PSEPC: Public Safety and Emergency Preparedness Canada
● RC: Reliability Coordinator
● RUS: Rural Utility Services
[Figure labels: 3 RC, 13 RC, 1 RC]
What is NERC?
● NERC was formed in 1968
● NERC's mission is to ensure that the bulk electric
system in North America is reliable, adequate
and secure.
● NERC operates as a voluntary industry
organization, relying on reciprocity, peer
pressure and mutual self-interest.
● Energy legislation pending in the House and
Senate Energy bills would enable NERC to
become an SRO capable of enforcing compliance
with its reliability standards.
What Does NERC Do?
● Sets reliability standards.
● Ensures compliance with reliability standards.
● Provides education and training resources.
● Conducts assessments, analyses, and reports.
● Facilitates information exchange and coordination among members and industry organizations.
● Supports reliable system operation and planning.
● Certifies reliability service organizations and personnel.
● Coordinates critical infrastructure protection of the bulk electric system (ESISAC).
● Administers procedures for conflict resolution on reliability issues.
North American Electric Reliability Council Structure
● Board of Trustees
  ▪ 9 independent members
  ▪ Plus President
● Standing Committees
  ▪ Broad Sector representation
  ▪ Subcommittees
  ▪ Working Groups
  ▪ Task Forces
[Organization chart: Board of Trustees; Staff; Stakeholders; Operating Committee; Critical Infrastructure Protection Committee; Planning Committee; Market Committee]
CIP Committee Structure
[Organization chart]
CIPC
Physical Security, Cyber Security, Operations, Policy
Executive Committee: Manage policy matters and provide support to SCs, WGs
ESISAC Subcommittee: Develop & maintain ISAC capability to respond to security threats & incidents
Security Planning Subcommittee: Improve ES ability to protect critical infrastructure
Working groups (WG) and task forces (TF): Outreach WG; Reporting Technologies WG; Indications, Analysis, Warnings WG; Grid Monitoring System TF; IDS Pilot TF; Standards & Guidelines WG; Risk Assessment WG; Control Systems Security WG; Critical Spares TF; PKI TF; HEMP TF
September 18, 2004
Electricity Sector Security Initiatives-1
● 14 August 2004 Blackout
  ▪ Outage investigation
  ▪ 46 Recommendations
  ▪ Standards
  ▪ Readiness audits
● Implement the National Infrastructure Protection Plan for the Electricity Sector
● Indications, Analysis, Warnings program*
  ▪ Data/information exchange between ES and DHS
● Threat Alert Levels: Physical and Cyber*
  ▪ Guidance for ES actions in response to Homeland Security Alert System
*Reference materials available: http://www.esisac.com
Electricity Sector Security Initiatives-2
● Cyber Security Standard*
  ▪ 1200 in place; 1300 under development
● 15 Security Guidelines*
  ▪ Physical, Cyber, Data
● Critical Spares Project
● Control Systems Security
● Other technical studies
● Outreach including workshops
● Bi-lateral discussions and Urban Utility Center
*Reference materials available: http://www.esisac.com
Cyber Security Standard: 1200
Requirements
1. Cyber Security Policy
2. Critical Cyber Assets
3. Electronic Security Perimeter
4. Electronic Access Controls
5. Physical Security Perimeter
6. Physical Access Controls
7. Personnel
8. Monitoring Physical Access
9. Monitoring Electronic Access
10. Information Protection
11. Training
12. Systems Management
13. Test Procedures
14. Electronic Incident Response Actions
15. Physical Incident Response Actions
16. Recovery Plans
Security Guidelines
Best practices for protecting critical assets
● Overview
● Communications
● Emergency Plans
● Employment Background Screen
● Physical Security
● Threat Response
  ▪ Physical
  ▪ Cyber
● Vulnerability/Risk Assessment
● Continuity of Business Process
● Cyber Access Control
● Cyber IT Firewalls
● Cyber Intrusion Detection
● Cyber Risk Management
● Protecting Sensitive Info
● Securing Remote Access: Process Control Systems
● Incident Reporting
● Physical Security – Substations
ESISAC
  ▪ Electricity Sector Information Sharing Analysis Center
  ▪ Share information about real and potential threats and vulnerabilities
  ▪ Received from DHS and communicated to electricity sector participants
  ▪ Received from electricity sector participants and communicated to DHS
  ▪ Analyze information for trends, cross-sector dependencies, specific targets
  ▪ Coordinate with other ISACs
http://www.esisac.com
Governments – Sectors Coordination
[Diagram: Operations (ES focus)]
Governments: DHS, DOE, PSEPC
Sectors: …, CHEM, FS, ESISAC, TEL
Electricity Sector: RC, CA, TRAN, GEN, DIST, ..., PSE
Operational ISACs
● Chemical
● Electricity
● Emergency Management and Response
● Energy (Oil and Gas)
● Financial Services
● Health Care
● Highway
● Information Technology
● Multi-State
● Public Transit
● Research and Education Network
● Surface Transportation
● Telecommunications
● Water
Electricity Sector Dependency On
[Table; cell values not present in this transcript]
Columns: Sector; Immed Physical; Immed Cyber; Long term Physical; Long term Cyber
Rows: Chemical; Oil; Gas; Financial; IT; Telcom; Surface TX; Trucking; Water; Health Care
ES Dependency on the Internet
● Categories
  ▪ Business System
  ▪ Market System
  ▪ Control System
  ▪ Control System Support
  ▪ Security System
A Path Forward
● Interdependencies
  ▪ Qualitative
  ▪ Quantitative
  ▪ Secure database
● Plans
  ▪ TESP
  ▪ TSP
● Communication
  ▪ Strategic
  ▪ Outreach
  ▪ Tactical
Contacts
● Lynn Costantini, CIO, NERC
● Lou Leffler, Manager CIP, NERC
NERC: 609-452-8060
ESISAC: 609-452-1422
● Note: Referenced materials and this
presentation available at:
http://www.esisac.com
TY