Webcast Cyber Security Standard presentation 05-05-03
NERC
Cyber Security Standard
Overview of Proposed
Cyber Security Standard
WebCast 5 May 2003
AGENDA
Why A Cyber Security Standard Is Needed
Why Initiate An Urgent Action Standard
Scope Of The Proposed Cyber Security Standard
What Is Not In The Scope
Compliance
The Future For The Cyber Security Standard
Q&A
Why A Cyber Security Standard Is Needed
Due Diligence
Responsibility to Stakeholders
Responsibility to Interdependent Critical Infrastructures
Industry Defined Practices
If the Electricity Sector is not able to self-regulate, the federal government will regulate for us.
Why Initiate An Urgent Action Standard
There has been a rapid increase in the number of reported cyber security incidents
January 2003: SQL Slammer Worm impacted Electricity Sector organizations
March 2003: Federal Advisory regarding foreign attack scenarios
Weakest Link Principle: the bulk electric system is highly interconnected; a vulnerability for one can be a vulnerability for all
Why Initiate An Urgent Action Standard
“A spectrum of malicious actors can and do conduct attacks against our critical information infrastructures. Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security.”
The National Strategy to Secure Cyberspace, The President’s Critical Infrastructure Protection Board, February 2003
Scope Of The Proposed Standard
Applies to Reliability Authority, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Operator, Generator, or Load-Serving Entity functions that manage Critical Cyber Assets.
Critical Cyber Assets are those computers, including software and data, and communication networks that support, operate, or otherwise interact with the bulk electric system operations.
Scope Of The Proposed Standard
Requires:
  Establishing a Cyber Security Program
    Policy and Procedures
    Identify Accountable Management
  Identifying/Documenting Critical Cyber Assets
  Defining/Implementing Electronic
    Security Perimeters
    Access Controls
    Monitoring Controls
Scope Of The Proposed Standard
Requires: (Cont.)
  Defining/Implementing Physical
    Security Perimeters
    Access Controls
    Monitoring Controls
  Defining/Implementing Personnel
    Authorization Controls
    Security Awareness Training
  Information Protection Controls
Scope Of The Proposed Standard
Requires: (Cont.)
Cyber System Management Controls
Cyber System Test Procedures
Incident Response and Reporting for Cyber and Physical Security
Recovery Planning
What Is Not In The Scope
The definition of Critical Cyber Assets currently does not include process control systems, distributed control systems, or electronic relays installed in generating stations, switching stations and substations.
Does not include cyber assets that otherwise support, operate, or interact with market operations.
Compliance
Compliance is managed by the Regions
There will be a self-certification process
No financial penalties – letters only
Acknowledgement of partial compliance acceptable for January 2004
Full compliance by January 2005
The Future
Current review period ends May 11, 23:59 EDT
Voting runs from May 12, 00:01 EDT to May 21, 23:59 EDT
Requires 2/3 majority to pass
If passed, it will be submitted to the Board of Trustees at their June 10 meeting
The Urgent Action standard expires after one year; a one-year extension is possible
The Future
Formal process to develop the permanent standard was initiated by CIPAG on May 2, 2003.
Development will take at least a year
The permanent standard will have two separate review and comment cycles:
  One to refine/finalize SAR requirements
  One to refine/finalize the drafted standard
Questions
Please submit questions via the conference line
Questions can also be submitted to [email protected] after the webcast