CRITICAL INFRASTRUCTURE PROTECTION. CRITICAL INFRASTRUCTURE PROTECTION. NERC 1200 CIP 002 - 009. NERC 1200 CIP 002 - 009. Shared rights and responsibilities for transmission planning and operations, transmission service Payments in kind Loose coordination agreements
CRITICAL INFRASTRUCTURE PROTECTION
CRITICAL INFRASTRUCTURE PROTECTION
NERC 1200 CIP 002 - 009
NERC 1200 CIP 002 - 009
Shared rights and responsibilities for transmission planning and operations, transmission service
Payments in kind
Loose coordination agreements
No third-party transmission access
Costs of service allocated broadly
Federal and state rate regulation
North American Electric Reliability Council (NERC) sets voluntary operating policies
Membership comprised of eight regional reliability councils
Regional councils set broad range of requirements to implement operating policies
Once Upon a Time
Following 1979-81 severe economic dislocations, broad-based initiatives to bring market discipline to business sectors
Intense debates produced Energy Policy Act of 1992
Authorizes FERC to set rules for third-party access to high-voltage transmission to make sales for resale
Order 888 that eventually lead to Order 2003 standards for generation interconnection.
“…over the ERO,…any regional entities, and all users, owners, and operators of the bulk-power system,…” and any entities included in the ERO rules.
“…for purposes of approving standards …and enforcing compliance.”
“Bulk power system”
“…facilities and control systems necessary for operating an interconnected electric energy transmission network, and electric energy from generation…needed to maintain reliability,…” excluding local distribution facilities.
Natural evolution to seek clarification of roles, rights, and responsibilities for physical system planning and operations
Call begins for federal legislation requiring creation of organization to set and enforce mandatory standards
Energy Policy Act of 2005 (EPAct) creates Section 215 of the Federal Power Act
Expands FERC regulatory authority to reliability
Defines Electric Reliability Organization (ERO)
E R O
Assigns ownership of the issue of bulk power system reliability to FERC in the US
Applies to all users, owners, and operators of the bulk power system
Create an Electric Reliability Organization
NERC named ERO in July 2006
Creates reliability standards
Sets reliability standards for bulk power system
Monitors & enforces compliance with standards
RO - Reliability Coordinator
TO -Transmission Owner
GO - Generation Owner
LSE - Load Serving Entity
BA -Balancing Authority
TSP -Transmission Service Provider
TO -Transmission Operator
GO - Generation Operator
RRO - Regional Reliability Organization
Who Does What?
CIP002 - Critical Cyber Asset Identification
Controls and Documentation
The Big Picture
Applies to these bulk power system entities:
Within the entities
CIP002: Critical Cyber Asset Identification
CIP003: Security Management Controls
CIP004: Personnel and Training
CIP005: Electronic Security Perimeter(s)
CIP006: Physical Security
CIP007: Systems Security Management
CIP008: Incident Reporting and Response Planning
CIP009: Recovery Plans for Critical Cyber Assets
Cyber Security Standards
As defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included.
Identifying Critical Assets
list of CCAs
If the asset were to be compromised or removed from service, what would be the impact, either direct or indirect to transmission grid reliability or operatability.’
A four (4) step process.
Task 1: Assemble team of SMEs (Subject Mater Experts) to list electric assets by both physical and calculated means using power flow models and system simulations.
Task 2: Eliminate non critical assets and list in ‘Null List’; remaining are Critical Electrical Assets.
Task 3: Select Cyber Assets supporting Critical Electric Assets.
Task 4: Determine Critical Cyber Assets.
Essential to operation
of critical asset
Critical cyber assets are assets that meet at least one of the following requirements:
the cyber asset uses a routable protocol to communicate outside the electronic security perimeter; or,
the cyber asset uses a routable protocol within a control center; or,
the cyber asset is dial-up accessible.
RAM-DSM was the first RAM developed at Sandia for critical infrastructures. Bonneville Power Administration commissioned Sandia National Laboratories to develop the Risk Assessment Methodology for Transmissions (RAM-TSM) based on RAM-DSM.
RAM-TSM is a way to analyze the current security risks and systematically characterize and assess the security requirements of the nation's electrical transmission system facilities to deter, prevent, and mitigate malevolent attacks.
The methodology and training has been made available to owners, operators, managers, and others responsible for transmitting electrical power.
Attend one of the NERC regional workshops on cyber security standards
Get involved in NERC standards process
Registered Ballot Body
Standards drafting teams
Comment of proposed standards
Get involved in your regions standards process
Find out about compliance assurance within your organization
Some companies building formal internal compliance programs
How to make an Asset Inventory
Set up Change Management
Physical and Electronic Access Control and Monitoring
Documentation, Classification & Control
Personnel Risk Assessment
Performing Vulnerability Assessments
Prepare for a Compliance Audit.
Help entity identify steps needed to determine if it has critical assets and critical cyber assets under CIP standards.
To be held in 9 remaining cities through January 2007
For information and registration go to:
Marty Sidor – NERC Director of Education
Mark Kuras – NERC – Standards Education Team
Dave Dworzak – Edison Electric Institute