NERC CIP - Resources for the Future

ELECTRICITY SECTOR CRITICAL INFRASTRUCTURE PROTECTION

Background Materials for Presentation by Lou Leffler, North American Electric Reliability Council

Forum on U.S. Energy Security: Traditional and Emerging Challenges
28 January 2002
Resources for the Future, Washington DC

The Electricity Sector

- Security: Physical, Cyber, Operations
- Many types of entities own and operate transmission and generation systems
- Reliability responsibilities are shared across several levels and institutions
- Multiple regulators (roughly 62)

Critical Infrastructure Interdependencies (A few of the many)

[Diagram labels: FIN SVCS, OIL/GAS, TELECOM, IT, ELECTRICITY, NS/EP, TRANSP, ISAC, WATER, EM SVCS]

Electric Sector Industry Sector Advisory Committee (ES-ISAC)

- Receive incident data from Electric Supply entities
- Assist the National Infrastructure Protection Center (NIPC) in its analyses
- Disseminate threat and vulnerability assessments
- Liaison with other ISACs
- Share best practices and lessons learned
- Analyze sector interdependencies
- Participate in infrastructure exercises

Assessments

- Threats, Vulnerabilities, Risk, Plans (Avoidance, Assurance, Detection, Restoration), Risk Management, Review
- Red, Gray, and Blue: Assessing Threat, Environment, Self
- Highly formal assessments:
  - Dams
  - Professional
  - Physical and cyber
  - Transmission
- National Labs program

Issue: Data Security

- System data
- System plans
- System maps
- Filed reports: FERC, DOE, State/Local
- Internet sites

Other Critical Infrastructure Protection Issues

- Physical security over the long term
- Process controls
- Timely and actionable information sharing
- Common interpretation of Threat Alert Levels
- Secure and reliable communications
- Legislation: FOIA, Practices

Additional CIP Info

- IAW Program
- Business Cases for Action
- Approach to Action

<http://www.nerc.com> <[email protected]> (609-452-8060)

PCIS

Indications, Analysis and Warnings (IAW) Program: NERC & NIPC

- Incident reports
  - From any verified ES Entities to the NIPC
  - Physical and cyber
- Analysis with other information
- Assessments, Advisories, Alerts
  - From NIPC to ES Entities
  - Actionable
- Voluntary

NERC = North American Electric Reliability Council
NIPC = National Infrastructure Protection Center

Threat Alert Levels - Goals

- Define Threat Alert Levels issued by the ES-ISAC:
  - Physical – Cyber – Operational
  - Normal – Low – Medium – High
  - Specificity: Sector, Geographical, Object (e.g., named facility or type)
- Guidelines (non-prescriptive examples) of security measures that ES entities may consider taking, based on Threat Alert Level:
  - Physical – Cyber – Operational
- Consistent Threat Alert Levels with the threat information received by the ES-ISAC from Government sources and other ISACs

Communications

- Communications with Organizations:
  - Variety of channels
- Communications within Organizations:
  - Operations
  - Physical Security
  - Cyber Security, IT, Telecom

Business Cases for Action

Managing the Business Risks of Information Technology Dependencies

North American Electric Reliability Council

What Utility Operations Executives Can Do

What is Changing?

The Emerging Business Risks of IT Technology

Electricity Transmission and Distribution Systems

Five targeted audiences

- Chief Executive Officer
- Chief Information Officer
- Operations Executive
- NERC Leadership
- General Industry Reader

Approach to Action (AtA)

What is the AtA?

North American Electric Reliability Council

Working Group Forum on Critical Infrastructure Protection

An Approach to Action for the Electricity Sector

Version 1.0

June 2001

A reference for the Electricity Sector.

Presents a range of actions in response to CIP.

Encourages an organization to size up its own situation and choose appropriate Actions for itself.

A work in progress…a living document.

National Strategy

NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL
Princeton Forrestal Village, 116-390 Village Boulevard, Princeton, New Jersey 08540-5731

The Electricity Sector Response to the Critical Infrastructure Protection Challenge

National Plan Report

Partnership for Critical Infrastructure Security (PCIS)

PCIS Working Groups

- Interdependencies
- Information Sharing
- Public Policy and Legislation
- Research and Development
- National Plan