BS Information Systems – University of Redlands AS Electronic Technology
Page 1
Michael Espinoza
• BS Information Systems – University of Redlands
• AS Electronic Technology
• Project Management Certification Program – UCSD
• 22 Years SDG&E
• Sr EMS Hardware Analyst
• EMS Hardware Supervisor
• Infra Project Technical Lead
Page 2
Agenda
• Purpose
• NERC CIP Standards
• Standards
• Goals/Challenges
• Establishing Project Direction
• Project Roadmap
• Communication is Essential
• Feedback
• Disclaimer – This presentation represents my own personal interpretation.
Page 3
Purpose of CIP Cyber Security Standards
• Ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.
Page 4
North American Electric Systems Overview
• NERC is made up of eight regions that oversee the reliability and operation of the Bulk Electric System.
• All Electric Generation and Transmission agencies report to one of these regions.
• SDG&E reports to the WECC, the Western Area reporting agency.
• All regions must comply with NERC CIP 002-009 Standards.
Page 5
NERC CIP – NERC Cyber Security Standards (8 Standards)
• CIP-002 Critical Cyber Asset Identification
• CIP-003 Security Management Controls
• CIP-004 Personnel & Training
• CIP-005 Electronic Security Perimeters
• CIP-006 Physical Security of Critical Cyber Assets
• CIP-007 Systems Security Management
• CIP-008 Incident Reporting and Response Planning
• CIP-009 Recovery Plans for Critical Cyber Assets
Page 6
NERC CIP Cyber Security Requirements (bar chart: number of requirements per standard, CIP-002 through CIP-009, scale 0 to 10)
41 Requirements in total
![Page 7: BS Information Systems – University of Redlands AS Electronic Technology](https://reader035.fdocuments.us/reader035/viewer/2022070411/568148f0550346895db60ecd/html5/thumbnails/7.jpg)
Compliant (C) - means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records”
Auditably Compliant (AC) - means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12-calendar-months of auditable “data,” “documents,” “documentation,” “logs,” and “records”
2009
Audit Preparation - Compliance Levels
2010
Page 8
Penalty Matrix*
Rows are the Violation Risk Factor, columns are the Violation Severity Level, and each cell gives the range limits (low to high).

| Violation Risk Factor | Lower | Moderate | High | Severe |
|---|---|---|---|---|
| Lower | $1,000 to $3,000 | $2,000 to $7,500 | $3,000 to $15,000 | $5,000 to $25,000 |
| Medium | $2,000 to $30,000 | $4,000 to $100,000 | $6,000 to $200,000 | $10,000 to $335,000 |
| High | $4,000 to $125,000 | $8,000 to $300,000 | $12,000 to $625,000 | $20,000 to $1,000,000 |

FERC statutory limit: $1,000,000,000 per day, per violation. Other limits may apply in Canada.
*Matrix undergoing revision
Page 9
Goal
• Comply with new NERC CIP002-009 Cyber Security Standards in advance of the required deadlines
• Obstacles notwithstanding:
  - Significant effort is required
  - Additional funding and / or personnel may be needed
Page 10
CIP Standards Applicability to the following Functions
• Generation Owner
• Generator Operator
• Transmission Owner
• Transmission Operator
• Load Serving Entity
Page 11
Matrix of standards against the responsible organizations
Standards: CIP-001, CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009
Organizations: Corporate Security, Information Technology, Grid Operations, Human Resources, Regulatory
Page 12
Project Links – “The Challenge”
• External: WECC, NERC & FERC
• Organizational Links (Internal): Corp Security, IT, Regulatory, Electric Ops, HR, Facilities, Internal Auditing
*The key for success -> Ensure all Organizations have the same goal.
![Page 13: BS Information Systems – University of Redlands AS Electronic Technology](https://reader035.fdocuments.us/reader035/viewer/2022070411/568148f0550346895db60ecd/html5/thumbnails/13.jpg)
1.Enterprise Environmental factors
2.OrganizationalProcess Assets
3.Roles and Responsibilities
4.Project organization Charts
5.Staffing Mgmnt plan
1.Pre-assignment
2.Negotiation
3.Acquisition
4.Virtual Teams
Tools & TechniquesInputs Outputs
1.Project staff assignments
2.Resource availability
3.StaffingManagement plan(updates)
Acquire Project Teams
(PMBOK Guide)
Page 14
NERC CIP Project Pyramid
1. Build Processes – Processes supporting NERC CIP002-009 Reporting/Certification: Data, Documents, Documentation, Logs, Records
2. Mgmt Approvals – Management Sign-off
3. Audit Sign Off – Audit Attest & Report
Page 15
Concept Process Example – Conceptual Data Flow Diagram, CIP-004-1 R2, R3, R4
Organizations involved: Grid Operations, Human Resources, Corporate Security, IT
• Employee System(s):
  - Process #1 – Employee Training
  - Process #3 – Employee Background checks
• Non-Employee System(s):
  - Process #2 – non-Employee Training
  - Process #4 – non-Employee Background checks
• CCA System – Process #5 – Hardware cyber access (Cyber Access Specifics, Employee ID or Name)
• CXxxx System – Process #6 – Physical security access (Physical Access Specifics, Employee ID or Name)
• Database – populate master CCA access list from existing worksheets
  Fields: Employee ID, Name, Background Check Date, Training Completion Date, Cyber Access Specifics, Physical Access Specifics
• Queries:
  1. Authorized Cyber Accessor
  2. Authorized Unescorted Physical Access
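As an added illustration (not part of the presentation) of the master CCA access list and its two queries on the slide above: in-memory records stand in for the database, system and area names are placeholders, and the refresh windows (annual training, seven-year background check) are assumptions the slide does not state.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed windows (not on the slide): training renewed annually, background check every seven years.
TRAINING_VALID_DAYS = 365
BACKGROUND_VALID_DAYS = 7 * 365

@dataclass
class AccessRecord:
    """One row of the master CCA access list (fields as listed on the slide)."""
    employee_id: str
    name: str
    background_check_date: Optional[date]
    training_completion_date: Optional[date]
    cyber_access: Set[str]     # Cyber Access Specifics (CCA systems granted)
    physical_access: Set[str]  # Physical Access Specifics (PSP areas granted)

def _current(d: Optional[date], valid_days: int, as_of: date) -> bool:
    return d is not None and (as_of - d) <= timedelta(days=valid_days)

def prerequisites_met(r: AccessRecord, as_of: date) -> bool:
    """CIP-004 R2/R3 gate: training and background check must both be current."""
    return (_current(r.training_completion_date, TRAINING_VALID_DAYS, as_of)
            and _current(r.background_check_date, BACKGROUND_VALID_DAYS, as_of))

def authorized_cyber_accessors(records: List[AccessRecord], as_of: date) -> List[str]:
    """Query 1: personnel holding cyber access whose prerequisites are met."""
    return sorted(r.employee_id for r in records
                  if r.cyber_access and prerequisites_met(r, as_of))

def authorized_unescorted_physical(records: List[AccessRecord], as_of: date) -> List[str]:
    """Query 2: personnel holding unescorted physical access, prerequisites met."""
    return sorted(r.employee_id for r in records
                  if r.physical_access and prerequisites_met(r, as_of))

def access_exceptions(records: List[AccessRecord], as_of: date) -> List[str]:
    """R4 review aid: anyone still holding access with a lapsed prerequisite."""
    return sorted(r.employee_id for r in records
                  if (r.cyber_access or r.physical_access)
                  and not prerequisites_met(r, as_of))

# Constructed sample rows (not real data): E200's training is over a year old; C300 has no background check.
AS_OF = date(2009, 6, 1)
SAMPLE = [
    AccessRecord("E100", "A. Operator", date(2005, 3, 1), date(2009, 1, 15), {"EMS"}, {"Control Center"}),
    AccessRecord("E200", "B. Analyst", date(2007, 8, 1), date(2008, 2, 1), {"EMS"}, set()),
    AccessRecord("C300", "C. Contractor", None, date(2009, 4, 1), set(), {"Substation"}),
]
```

The exceptions query is the list a reviewer would work from when revoking or re-qualifying access under R4.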
Page 16
Establishing Project Direction
• Develop a master project plan
• Assign qualified members to each internal NERC team
• Use standardized templates for documentation
• Run an ongoing gap analysis to identify redundant and missed processes
Page 17
Communications – Updates/Feedback
• Executive Updates - Monthly
  – CEO/VP
  – Directors
  – Managers
• Team Feedback
  – Monitor Teams for resource requirements
  – Establish monthly goals for Levels of Compliance
  – Review Team suggestions
• Utilize Tools/Resources
  – Consultants, WICF (Western Interconnection Compliance Forum), Common Data site (SharePoint), Ticklers
Page 18
Review
• Purpose
• NERC CIP Standards
• Standards
• Goals/Challenges
• Establishing Project Direction
• Project Roadmap
• Communication is Essential
• Feedback
Page 19
Feedback