Federal Energy Regulatory Commission, June 2009: Cyber Security and Reliability Standards (Regis F. Binder)
Federal Energy Regulatory Commission
June 2009
Cyber Security and Reliability Standards
Regis F. Binder
Director, Division of Logistics & Security
Federal Energy Regulatory Commission
Disclaimer
The views expressed in this presentation do not represent the views of the Federal Energy Regulatory Commission or of the United States.
Increased Cyber Security Concerns
• Automation & Data Gathering
• Connectivity of Control Systems
  – To Corporate Computers
  – To Vendors
  – To Internet
  – To Remote Maintenance
• Use of Wireless Communications
• Interest of
  – Nation States – the equalizer
  – Hackers
  – Criminals
Cyber Security and Reliability Standards
• Historically – Voluntary Standards
• Urgent Action Standard 1200
  – Voluntary
  – Adopted by NERC Summit 2003
  – Replaced by CIP-002-1 thru CIP-009-1, June 2006
Enforcement of Reliability Standards
NERC has regional delegation agreements with 8 Regional Entities:
• Western Electricity Coordinating Council
• Midwest Reliability Organization
• Southwest Power Pool Regional Entity
• Texas Regional Entity
• Northeast Power Coordinating Council
• Reliability First Corp.
• SERC Reliability Corp.
• Florida Reliability Coordinating Council
Standards Development Process
• Standard Authorization Request
• Drafting Team Formed
• Proposed Standard Developed
• Comments Solicited
• Ballot
  – Quorum: 75% of Ballot Pool
  – Approval: 2/3 of Weighted Segment Votes
• Re-ballot?
• Board of Trustees Approval
• FERC & Canadian Approvals (w/ Public Comments)
Canada & Mexico
• 7 Canadian Provinces Interconnect With U.S.A.
• Different Laws – Information Protection
• NERC Works With Provinces to:
  – Establish Standards
  – Enforce Standards
• Mexico – Northwest Corner of Mexico
Users, Owners & Operators of BPS – NERC Compliance Registry

| Region | # of Registered Entities |
|--------|--------------------------|
| FRCC   | 70   |
| MRO    | 117  |
| NPCC   | 268  |
| RFC    | 357  |
| SERC   | 226  |
| SPP    | 115  |
| TRE    | 216  |
| WECC   | 473  |
| TOTAL  | 1842 |
FERC Concerns With Reliability Standards Development Process
• Emergency & Security Issues
• Process is:
  – Public
  – Slow
  – Uncertain on Outcome
Areas Addressed by CIP Standards
• Identification of critical assets & critical cyber assets
  – Generating stations
  – Transmission stations
  – Control Centers
CIP Standards Continued I.
• Management involvement
• Security of sensitive information
• Cyber security training
• Personnel risk
CIP Standards Continued II.
• Physical security of critical cyber assets
• Change control
• Access control
• Electronic security perimeters
CIP Standards Continued III.
• Incident response
• Recovery plans
Critical Assets
• Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.
• NERC April 7, 2009 Letter to Industry
  – Self-certification compliance survey
  – Results “raise concern” about identifying Critical Assets and Critical Cyber Assets
  – 63% of Transmission Owners had at least one Critical Asset
  – Only 29% of Generation Owners and Generation Operators had at least one
FERC Approval of CIP Standards
• Order No. 706
• January 18, 2008
• Required many modifications
  – Critical Asset identification – required a wide-area oversight
  – Exceptions to Compliance – required oversight & approval mechanism
  – Reasonable Business Judgment language – required removal
  – Defense in Depth
  – Revoke Access Authorization
Order No. 706 Modifications
• Phase I (Version 2 of CIP Standards)
• Low-hanging fruit
• Reasonable Business Judgment language removed
• Approved by Ballot Body & NERC BoT
• Filed with FERC May 22
• Expect two more phases
Compliance & Enforcement
• Regional Entities are front line
• Ways of monitoring
  – Compliance Audits
  – Self-Certifications
  – Spot Checking
  – Compliance Violation Investigations
  – Complaints
  – Self-Reporting
  – Periodic Data Submittals
  – Exception Reporting
• Nuclear Stations – Order No. 706-B
Enforcement Actions
• Mitigation Plan
• Remedial Action Directive
• Sanctions
  – Monetary
  – Other
• FERC Oversight
• FERC Can Originate
Smart Grid
• A smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments
• Interoperability standards and protocols leave no gaps in cyber or physical security