CERT Meeting

Transcript CERT Meeting

Federal Energy Regulatory Commission
Cyber Security and Reliability
Standards
Regis F. Binder
Director, Division of Logistics & Security
Federal Energy Regulatory Commission
July 2009
Disclaimer
The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States.
Increased Cyber Security Concerns
• Automation & Data Gathering
• Connectivity of Control Systems
– To Corporate Computers
– To Vendors
– To Internet
– To Remote Maintenance
• Use of Wireless Communications
• Interest of
– Nation States – the equalizer
– Hackers
– Criminals
Cyber Security and Reliability
Standards
• Historically – Voluntary Standards
• Urgent Action Standard 1200
– Voluntary
– Adopted by NERC Summit 2003
– Replaced by CIP-002-1 thru CIP-009-1, June 2006
Enforcement of Reliability Standards
NERC has regional delegation agreements with 8 Regional Entities:
• Western Electricity Coordinating Council
• Midwest Reliability Organization
• Southwest Power Pool, Inc.
• Electric Reliability Council of Texas
• Northeast Power Coordinating Council
• ReliabilityFirst Corp.
• SERC Reliability Corp.
• Florida Reliability Coordinating Council
Standards Development Process
• Standard Authorization Request
• Drafting Team Formed
• Proposed Standard Developed
• Comments Solicited
• Ballot
– Quorum: 75% of Ballot Pool
– Approval: 2/3 of Weighted Segment Votes
• Re-ballot?
• Board of Trustees Approval
• FERC & Canadian Approvals (w/ Public Comments)
CIP Standards Continued I.
• Management involvement
• Security of sensitive information
• Cyber security training
• Personnel risk
CIP Standards Continued II.
• Physical security of critical cyber assets
• Change control
• Access control
• Electronic security perimeters
Critical Assets - Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
FERC Approval of CIP Standards
• Order No. 706
• January 18, 2008
• Required many modifications
– Critical Asset identification – required a wide-area oversight
– Exceptions to Compliance – required oversight & approval
mechanism
– Reasonable Business Judgment language – required removal
– Defense in Depth
– Revoke Access Authorization
Order No. 706 Modifications
• Phase I (Version 2 of CIP Standards)
• Low-hanging fruit
• Reasonable Business Judgment language
removed
• Approved by Ballot Body & NERC BoT
• Filed with FERC May 22
• Expect two more phases
Proposed Policy Statement and
Action Plan
March 19, 2009 Docket No. PL09-4-000
Ultimately:
• Prioritize development of key
interoperability standards
• Provide guidance on cyber security
• Provide interim rate policy
Proposed Smart Grid Policy
• A smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments
• Interoperability standards and protocols must leave no gaps in cyber or physical security
Proposed Smart Grid Policy
• Maintain compliance with Commission-approved Reliability Standards
• Technologies must address:
– Integrity of data
– Authentication of communications
– Logging of all modifications – none unauthorized
– Physical protection of devices
– Potential impact of unauthorized use of devices
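How a device-to-utility exchange could address the first three of these properties (integrity of data, authentication of communications, and a tamper-evident record in which no unauthorized modification is applied), as an added Python illustration that is not part of the FERC presentation or any NERC standard. The message format, the per-device shared key, the sequence-number replay check and the hash-chained log layout are assumptions made for the demonstration only:

```python
"""Illustrative smart-grid device message authentication and tamper-evident
change log. Added example, not FERC/NERC material. The message format, key
handling and log layout are assumptions for demonstration only.
"""
import hashlib
import hmac
import json
import secrets


def build_message(key: bytes, device_id: str, seq: int, payload: dict) -> bytes:
    """Serialize a command/reading and append an HMAC-SHA256 tag.

    The tag covers device_id, seq and payload, so altering any field in
    transit (integrity) or sending without the device key (authentication)
    is detected. seq is a monotonically increasing counter used to reject
    replays of an otherwise valid message.
    """
    body = json.dumps({"device": device_id, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


def verify_message(key: bytes, raw: bytes, last_seq: int):
    """Return (status, parsed_message_or_None).

    status is "ok", "bad_tag" (tampered, malformed or wrong key) or
    "replay" (sequence number not greater than the last accepted one).
    """
    body, sep, tag = raw.rpartition(b".")
    if not sep:
        return "bad_tag", None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(expected, tag):
        return "bad_tag", None
    msg = json.loads(body)
    if msg["seq"] <= last_seq:
        return "replay", msg
    return "ok", msg


class ChangeLog:
    """Append-only, hash-chained log of configuration modifications.

    Each entry stores the hash of the previous entry, so editing or deleting
    an earlier record breaks every later link and verify_chain() fails.
    Rejected attempts are recorded too, so the log shows that unauthorized
    modifications were refused rather than silently dropped.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(prev: str, record: dict) -> str:
        data = json.dumps({"prev": prev, "record": record}, sort_keys=True).encode()
        return hashlib.sha256(data).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def process(key: bytes, raw: bytes, state: dict, log: ChangeLog) -> str:
    """Verify one inbound message, apply it only if valid, record the outcome."""
    status, msg = verify_message(key, raw, state["last_seq"])
    if status == "ok":
        state["last_seq"] = msg["seq"]
        state["config"].update(msg["payload"])
        log.append({"device": msg["device"], "seq": msg["seq"],
                    "applied": msg["payload"], "result": "applied"})
    else:
        log.append({"raw": raw.decode(errors="replace"), "result": "rejected:" + status})
    return status


def demo():
    """Constructed scenario: a valid setpoint update, a tampered copy, a replay."""
    key = secrets.token_bytes(32)  # per-device shared secret (assumption)
    state = {"last_seq": 0, "config": {"setpoint": 100}}
    log = ChangeLog()
    good = build_message(key, "meter-42", 1, {"setpoint": 95})
    results = [process(key, good, state, log)]
    # An attacker changes the setpoint in transit; the HMAC no longer matches.
    tampered = good.replace(b'"setpoint":95', b'"setpoint":9')
    results.append(process(key, tampered, state, log))
    # The attacker resends the original valid message; seq 1 was already used.
    results.append(process(key, good, state, log))
    return results, state["config"]["setpoint"], log.verify_chain()
```

Running `demo()` applies only the first message: the tampered copy fails the tag check, the replay fails the sequence check, the setpoint stays at 95, and all three outcomes are in the chained log. A real deployment would also need key provisioning and rotation per device and protection of the key in hardware, which the physical-protection bullet above covers and this example does not.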