Critical Infrastructure ProtectionTHE ELECTRICITY SECTOR

Presented to

EMERGENCY POWER CONFERENCE

November 2004

2

Topics

● Electricity Sector (ES)

● North American Electric Reliability Council (NERC)

● Critical Infrastructure Protection (CIP) Organization

● ES CIP Initiatives

● ES Information Sharing Analysis Center (ESISAC)

● Interdependencies

● A Path Forward

aGen + bTransm + cLSE + dRC + eCA+ fGov + + +

6 x10

C=1 3I

The Electricity Sector

Organizations: APPA, CEA, EEI, ELCON, EPRI, EPSA, ESISAC & other ISACs, NEI, NERC, NAESB, NRECA

Characteristics: Instantaneous, Interconnected, Interdependent, Reliability, Security

Agencies: DOE, DHS, DOD, FERC, NARUC, NRC, PSEPC, RUS, USSS

Description and Definitions

The equation: Summed over

millions of Customers

Entity types that comprise the ES *

Divided by three Interconnections: Eastern Western Texas

* Generation, Transmission, Load Serving Entities, Purchasing-Selling Entities, Reliability Coordinators, Control Areas, Regional Transmission Organizations, Independent System Operators, Regulators (Canada/US: Federal/State/Provincial/Local)

● APPA: American Public Power Association● CA: Control Area● CEA: Canadian Electricity Association● DOD: Department of Defense● DOE: Department of Energy● DHS: Department of Homeland Security● EEI: Edison Electric Institute● ELCON: Electr Consumers Resource Council● EPRI: Electric Power Research Institute● EPSA: Electric Power Supply Association● ES: Electricity Sector● FERC: Federal Energy Regulatory Commission● IAIP: Info Analysis, Infrastructure Protection● ISAC: Information Sharing and Analysis Center● NAESB: No. Amer. Energy Standards Board● NARUC: Natl Assoc Reg Utility Commissioners● NEI: Nuclear Energy Institute● NERC: North American Electric Reliability Cncl● NRC: Nuclear Regulatory Commission● NRECA: Natl Rural Electric Cooperative Assn● PSEPC: Public Safety and Emergency

Preparedness Canada● RC: Reliability Coordinator● RUS: Rural Utility Services

13 RC

1 RC

3 RC

6

What is NERC?

● NERC was formed in 1968● NERC's mission is to ensure that the bulk

electric system in North America is reliable, adequate and secure.

● NERC operates as a voluntary industry organization, relying on reciprocity, peer pressure and mutual self-interest.

● Energy legislation pending in the House and Senate Energy bills would enable NERC to become an SRO capable of enforcing compliance with its reliability standards.

7

What Does NERC Do?

● Sets reliability standards. ● Ensures compliance with reliability standards. ● Provides education and training resources. ● Conducts assessments, analyses, and reports. ● Facilitates information exchange and coordination

among members and industry organizations. ● Supports reliable system operation and planning. ● Certifies reliability service organizations and

personnel. ● Coordinates critical infrastructure protection

of the bulk electric system (ESISAC). ● Administers procedures for conflict resolution on

reliability issues.

North American Electric Reliability Council Structure

Staff

OperatingCommittee

OperatingCommittee

PlanningCommittee

Board of Trustees● Board of Trustees 9 independent members Plus President

● Standing Committees Broad Sector

representation Subcommittees Working Groups Task Forces

Market Committee

CriticalInfrastructure

ProtectionCommittee

Stakeholders

CIP Committee Structure

CIPCExecutive CommitteeManage policy matters and

provide support to SCs, WGs

Security Planning SubcommitteeImprove ES ability to protect

critical infrastructure

Standards & Guidelines WGRisk Assessment WG

Control Systems Security WGCritical Spares TF

PKI TFHEMP TF

ESISACSubcommittee

Develop & maintain ISAC capability torespond to security threats & incidents

Outreach WGReporting Technologies WG

Indications, Analysis, Warnings WGGrid Monitoring System TF

IDS Pilot TF

September 18, 2004

Physical SecurityCyber SecurityOperationsPolicy

10

Electricity Sector Security Initiatives-1● 14 August 2004 Blackout

Outage investigation 46 Recommendations Standards Readiness audits

● Implement the National Infrastructure Protection Plan for the Electricity Sector

● Indications, Analysis, Warnings program* Data/information exchange between ES and DHS

● Threat Alert Levels: Physical and Cyber* Guidance for ES actions in response to Homeland

Security Alert System*Reference materials available: http://www.esisac.com

11

Electricity Sector Security Initiatives-2

● Cyber Security Standard* 1200 in place; 1300 under development

● 15 Security Guidelines* Physical, Cyber, Data

● Critical Spares Project● Control Systems Security● Other technical studies● Outreach including workshops● Bi-lateral discussions and Urban Utility Center

*Reference materials available: http://www.esisac.com

12

Cyber Security Standard: 1200

Requirements

1. Cyber Security Policy 2. Critical Cyber Assets 3. Electronic Security

Perimeter 4. Electronic Access Controls 5. Physical Security Perimeter 6. Physical Access Controls 7. Personnel 8. Monitoring Physical Access9. Monitoring Electronic

Access

10. Information Protection

11. Training

12. Systems Management

13. Test Procedures

14. Electronic Incident Response Actions

15. Physical Incident Response Actions

16. Recovery Plans

13

Security Guidelines

● Overview● Communications● Emergency Plans● Employment

Background Screen● Physical Security● Threat Response

Physical Cyber

● Vulnerability/Risk Assessment

● Continuity of Business Process

● Cyber Access Control

● Cyber IT Firewalls

● Cyber Intrusion Detection

● Cyber Risk Management

● Protecting Sensitive Info

● Securing Remote Access: Process Control Systems

● Incident Reporting● Physical Security – Substations

Best practices for protecting critical assets

14

ESISAC Electricity Sector

Information Sharing Analysis Center

Share information about real and potential threats and vulnerabilities

Received from DHS and communicated to electricity sector participants

Received from electricity sector participants and communicated to DHS

Analyze information for trends, cross-sector dependencies, specific targets

Coordinate with other ISACs

http://www.esisac.com

Governments – Sectors CoordinationOperations

(ES focus)

DHS DOE PSEPC

ESISAC

… CHEM

FS

TEL

...

------------------ Governments ---------------- Sectors

RC

Electricity Sector

CA TRAN GEN DIST PSE

Electricity Sector

17

Operational ISACs

● Chemical

● Electricity

● Emergency Management and Response

● Energy (Oil and Gas)

● Financial Services

● Health Care

● Highway

● Information Technology

● Multi-State

● Public Transit

● Research and Education Network

● Surface Transportation

● Telecommunications

● Water

Electricity Sector Dependency OnSector Immed

Physical

Immed

Cyber

Long term

Physical

Long term

Cyber

Chemical

Oil

Gas

Financial

IT

Telcom

Surface TX

Trucking

Water

Health Care

19

ES Dependency on the Internet

● Categories Business System Market System Control System Control System Support Security System

20

A Path Forward

● Interdependencies Qualitative Quantitative Secure database

● Plans TESP TSP

● Communication Strategic

Outreach

Tactical

21

Contacts

● Lynn Costantini, CIO, NERClynn.costantini@nerc.net

● Lou Leffler, Manager CIP, NERClou.leffler@nerc.net

NERC: 609-452-8060 ESISAC: 609-452-1422

● Note: Referenced materials and this presentation available at: http://www.esisac.com TY