CERT Meeting - Mid-America Regulatory Conference


Federal Energy Regulatory Commission
Cyber Security and Reliability Standards
Regis F. Binder
Director, Division of Logistics & Security
Federal Energy Regulatory Commission
June 2009
Disclaimer
The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States
Increased Cyber Security Concerns
• Automation & Data Gathering
• Connectivity of Control Systems
– To Corporate Computers
– To Vendors
– To Internet
– To Remote Maintenance
• Use of Wireless Communications
• Interest of
– Nation States – the equalizer
– Hackers
– Criminals
Cyber Security and Reliability Standards
• Historically – Voluntary Standards
• Urgent Action Standard 1200
– Voluntary
– Adopted by NERC Summit 2003
– Replaced by CIP-002-1 thru CIP-009-1, June 2006
Enforcement of Reliability Standards
NERC has regional delegation agreements with 8 Regional Entities
• Western Electricity Coordinating Council
• Midwest Reliability Organization
• Southwest Power Pool Regional Entity
• Texas Regional Entity
• Northeast Power Coordinating Council
• Reliability First Corp
• SERC Reliability Corp.
• Florida Reliability Coordinating Council
Standards Development Process
• Standard Authorization Request
• Drafting Team Formed
• Proposed Standard Developed
• Comments Solicited
• Ballot
– Quorum: 75% of Ballot Pool
– Approval: 2/3 of Weighted Segment Votes
• Re-ballot?
• Board of Trustees Approval
• FERC & Canadian Approvals (w/ Public Comments)
Canada & Mexico
• 7 Canadian Provinces Interconnect With U.S.A.
• Different Laws – Information Protection
• NERC Works With Provinces to:
– Establish Standards
– Enforce Standards
• Mexico – Northwest Corner of Mexico
Users, Owners & Operators of BPS
NERC Compliance Registry
Region   # of Registered Entities
FRCC     70
MRO      117
NPCC     268
RFC      357
SERC     226
SPP      115
TRE      216
WECC     473
TOTAL    1842
FERC Concerns With Reliability Standards Development Process
• Emergency & Security Issues
• Process is:
– Public
– Slow
– Uncertain on Outcome
Areas Addressed by CIP Standards
• Identification of critical assets & critical cyber assets
– Generating stations
– Transmission stations
– Control Centers
CIP Standards Continued I.
• Management involvement
• Security of sensitive information
• Cyber security training
• Personnel risk
CIP Standards Continued II.
• Physical security of critical cyber assets
• Change control
• Access control
• Electronic security perimeters
CIP Standards Continued III.
• Incident response
• Recovery plans
Critical Assets
• Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
• NERC April 7, 2009 Letter to Industry
– Self-certification compliance survey
– Results “raise concern” about identifying Critical Assets and Critical Cyber Assets
– 63% of Transmission Owners had at least one Critical Asset
– Only 29% of Generation Owners and Generation Operators had at least one
FERC Approval of CIP Standards
• Order No. 706
• January 18, 2008
• Required many modifications
– Critical Asset identification – required a wide-area oversight
– Exceptions to Compliance – required oversight & approval mechanism
– Reasonable Business Judgment language – required removal
– Defense in Depth
– Revoke Access Authorization
Order No. 706 Modifications
• Phase I (Version 2 of CIP Standards)
• Low-hanging fruit
• Reasonable Business Judgment language removed
• Approved by Ballot Body & NERC BoT
• Filed with FERC May 22
• Expect two more phases
Compliance & Enforcement
• Regional Entities are front line
• Ways of monitoring
– Self-Reporting
– Compliance Audits
– Periodic Data Submittals
– Self-Certifications
– Exception Reporting
– Spot Checking
– Compliance Violation Investigations
– Complaints
• Nuclear Stations – Order No. 706-B
Enforcement Actions
• Mitigation Plan
• Remedial Action Directive
• Sanctions
– Monetary
– Other
• FERC Oversight
• FERC Can Originate
Smart Grid
• A smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments
• Interoperability standards and protocols leave no gaps in cyber or physical security