html5-img
1 / 14

NERC Cyber Security Standard

NERC Cyber Security Standard. Overview of Proposed Cyber Security Standard. AGENDA. Why A Cyber Security Standard Is Needed Why Initiate An Urgent Action Standard Scope Of The Proposed Cyber Security Standard What Is Not In The Scope Compliance

myrrh
Download Presentation

NERC Cyber Security Standard

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NERC Cyber Security Standard Overview of Proposed Cyber Security Standard WebCast 5 May 2003

  2. AGENDA • Why A Cyber Security Standard Is Needed • Why Initiate An Urgent Action Standard • Scope Of The Proposed Cyber Security Standard • What Is Not In The Scope • Compliance • The Future For The Cyber Security Standard • Q&A WebCast 5 May 2003

  3. Why A Cyber Security Standard Is Needed • Due Diligence • Responsibility to Stakeholders • Responsibility to Interdependent Critical Infrastructures • Industry Defined Practices • If the Electricity Sector is not able to self-regulate, the federal government will regulate for us. WebCast 5 May 2003

  4. Why Initiate An Urgent Action Standard • There has been a rapid increase in the number of reported cyber security incidents • January 2003 SQL Slammer Worm • Impacted Electricity Sector organizations • March 2003 Federal Advisory regarding foreign attack scenarios • Weakest Link Principle -The bulk electric system is highly inter-connected, a vulnerability for one can be a vulnerability for all WebCast 5 May 2003

  5. Why Initiate An Urgent Action Standard “A spectrum of malicious actors can and do conduct attacks against our critical information infrastructures. Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security.” The National Strategy to Secure Cyberspace, The President’s Critical Infrastructure Protection Board, February 2003 WebCast 5 May 2003

  6. Scope Of The Proposed Standard • Applies to Reliability Authority, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Operator, Generator, or Load-Serving Entity functions that manage Critical Cyber Assets. • Critical Cyber Assets are those computers, including software and data, and communication networks that support, operate, or otherwise interact with the bulk electric system operations. WebCast 5 May 2003

  7. Scope Of The Proposed Standard • Requires: • Establishing a Cyber Security Program • Policy and Procedures • Identify Accountable Management • Identifying/Documenting Critical Cyber Assets • Defining/Implementing Electronic – • Security Perimeters • Access Controls • Monitoring Controls WebCast 5 May 2003

  8. Scope Of The Proposed Standard • Requires: (Cont.) • Defining/Implementing Physical – • Security Perimeters • Access Controls • Monitoring Controls • Defining/Implementing Personnel Authorization Controls • Security Awareness Training • Information Protection Controls WebCast 5 May 2003

  9. Scope Of The Proposed Standard • Requires: (Cont.) • Cyber System Management Controls • Cyber System Test Procedures • Incident Response and Reporting for Cyber and Physical Security • Recovery Planning WebCast 5 May 2003

  10. What Is Not In The Scope • The definition of Critical Cyber Assets currently does not include process control systems, distributed control systems, or electronic relays installed in generating stations, switching stations and substations. • Does not include cyber assets that otherwise support, operate, or interact with market operations. WebCast 5 May 2003

  11. Compliance • Compliance is managed by the Regions • There will be a self-certification process • No financial penalties – letters only • Acknowledgement of partial compliance acceptable for January 2004 • Full compliance by January 2005 WebCast 5 May 2003

  12. The Future • Current review period ends May 11, 23:59 EDT • Voting runs from May 12, 00:01 EDT to May 21, 23:59 EDT • Requires 2/3 majority to pass • If passed, it will be submitted to Board of Trustees at their June 10 meeting • The Urgent Action standard expires after one year – a one year extension is possible WebCast 5 May 2003

  13. The Future • Formal process to develop the permanent standard was initiated by CIPAG on May 2, 2003. • Development will take at least a year • The permanent standard will have two separate review and comment cycles – • One to refine/finalize SAR requirements • One to refine/finalize drafted standard WebCast 5 May 2003

  14. Questions • Please submit questions via the conference line • Questions can also be submitted to timg@nerc.com after the webcast WebCast 5 May 2003

More Related