
Cyber Security and Reliability Standards

Cyber Security and Reliability Standards. Regis F. Binder Director, Division of Logistics & Security Federal Energy Regulatory Commission. Disclaimer. The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States.


Presentation Transcript


  1. Cyber Security and Reliability Standards
     Regis F. Binder
     Director, Division of Logistics & Security
     Federal Energy Regulatory Commission

  2. Disclaimer
     The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States.

  3. Increased Cyber Security Concerns
     • Automation & Data Gathering
     • Connectivity of Control Systems
       • To Corporate Computers
       • To Vendors
       • To Internet
       • To Remote Maintenance
     • Use of Wireless Communications
     • Interest of Nation States – the equalizer
     • Hackers
     • Criminals

  4. Cyber Security and Reliability Standards
     • Historically – Voluntary Standards
     • Urgent Action Standard 1200
       • Voluntary
       • Adopted by NERC Summit 2003
       • Replaced by CIP-002-1 thru CIP-009-1, June 2006

  5. Enforcement of Reliability Standards
     NERC has regional delegation agreements with 8 Regional Entities:
     • Western Electricity Coordinating Council
     • Midwest Reliability Organization
     • Southwest Power Pool Regional Entity
     • Texas Regional Entity
     • Northeast Power Coordinating Council
     • Reliability First Corp
     • SERC Reliability Corp.
     • Florida Reliability Coordinating Council

  6. Standards Development Process
     • Standard Authorization Request
     • Drafting Team Formed
     • Proposed Standard Developed
     • Comments Solicited
     • Ballot
       • Quorum: 75% of Ballot Pool
       • Approval: 2/3 of Weighted Segment Votes
       • Re-ballot?
     • Board of Trustees Approval
     • FERC & Canadian Approvals (w/ Public Comments)

  7. Canada & Mexico
     • 7 Canadian Provinces Interconnect With U.S.A.
     • Different Laws – Information Protection
     • NERC Works With Provinces to:
       • Establish Standards
       • Enforce Standards
     • Mexico – Northwest Corner of Mexico

  8. NERC Compliance Registry – Users, Owners & Operators of BPS

     Region   # of Registered Entities
     FRCC        70
     MRO        117
     NPCC       268
     RFC        357
     SERC       226
     SPP        115
     TRE        216
     WECC       473
     TOTAL     1842

  9. FERC Concerns With Reliability Standards Development Process
     • Emergency & Security Issues
     • Process is:
       • Public
       • Slow
       • Uncertain on Outcome

  10. Areas Addressed by CIP Standards
     • Identification of critical assets & critical cyber assets
       • Generating stations
       • Transmission stations
       • Control Centers

  11. CIP Standards Continued I.
     • Management involvement
     • Security of sensitive information
     • Cyber security training
     • Personnel risk

  12. CIP Standards Continued II.
     • Physical security of critical cyber assets
     • Change control
     • Access control
     • Electronic security perimeters

  13. CIP Standards Continued III.
     • Incident response
     • Recovery plans

  14. Critical Assets
     • Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
     • NERC April 7, 2009 Letter to Industry
       • Self-certification compliance survey
       • Results “raise concern” about identifying Critical Assets and Critical Cyber Assets
       • 63% of Transmission Owners had at least one Critical Asset
       • Only 29% of Generation Owners and Generation Operators had at least one

  15. FERC Approval of CIP Standards
     • Order No. 706
       • January 18, 2008
       • Required many modifications
     • Critical Asset identification – required a wide-area oversight
     • Exceptions to Compliance – required oversight & approval mechanism
     • Reasonable Business Judgment language – required removal
     • Defense in Depth
     • Revoke Access Authorization

  16. Order No. 706 Modifications
     • Phase I (Version 2 of CIP Standards)
       • Low-hanging fruit
       • Reasonable Business Judgment language removed
       • Approved by Ballot Body & NERC BoT
       • Filed with FERC May 22
     • Expect two more phases

  17. Compliance & Enforcement
     • Regional Entities are front line
     • Ways of monitoring Compliance:
       • Compliance Audits
       • Self-Certifications
       • Spot Checking
       • Compliance Violation Investigations
       • Complaints
       • Self-Reporting
       • Periodic Data Submittals
       • Exception Reporting
     • Nuclear Stations – Order No. 706-B

  18. Enforcement Actions
     • Mitigation Plan
     • Remedial Action Directive
     • Sanctions
       • Monetary
       • Other
     • FERC Oversight
     • FERC Can Originate

  19. Smart Grid
     • A smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments
     • Interoperability standards and protocols leave no gaps in cyber or physical security
