
Critical Infrastructure Protection Committee Draft Minutes June 9-10, 2015

The Westin Buckhead Atlanta 3391 Peachtree Road NE Atlanta, GA 30326

The Critical Infrastructure Protection Committee (CIPC) Chair Chuck Abell called the meeting to order and, being duly noticed, the regular meeting of CIPC on June 9, 2015, began at 1:00 p.m. (EDT). Ms. Laura Brown, CIPC Secretary, declared a quorum to conduct business with 30 members present. The meeting announcement and agenda are attached as Exhibits A and B, respectively.

Note: Slide presentations from this meeting are available at: Meeting Presentations.

Secretary Brown announced a quorum achieved with 30 of the 31 members present which includes the following proxies:

1. TRE – Amelia Sawyer representing Darrell Klimitcheck
2. FRCC – Pat Boody representing Paul McClay
3. NPCC – Brian Hogue for Rick Twigg
4. SERC – Jack Paul representing Bruce Martin
5. WECC – Jay Spradling representing Allan Wick
6. CEA – Francis Bradley representing Chris McColm
7. NRECA – Brian Gardner representing Robert Richhart

Meeting Safety Briefing – Westin Buckhead staff

The security and safety staff briefed CIPC and attendees on safety and emergency evacuation procedures, including rally points outside the hotel.

Opening Remarks from Mr. Marc Sachs, Chief Security Officer (CSO), Electricity Sector Information Sharing and Analysis Center (ES-ISAC), North American Electric Reliability Corporation (NERC)

As the new Senior Vice President and CSO at NERC, Marc Sachs introduced himself to attendees, providing a brief background about his work experience, as well as the ES-ISAC’s role. (Presentation 1)

NERC Antitrust Compliance Guidelines

Secretary Brown called attention to the NERC Antitrust Compliance Guidelines and read the statement concerning publicly-announced meetings. (Presentation 2)


Attendance

Chair Abell requested that all present in the meeting introduce themselves and sign the attendance sheets.

Consent Agenda

Upon motion by Chair Abell to approve the Consent Agenda, including the posted CIPC Agenda for the March 10-11, 2015 meeting, CIPC approved the Consent Agenda without corrections, edits, or modifications.

CIPC Chair’s Report

Chair Abell delivered a report to CIPC, starting with an overview of dates and locations for future CIPC meetings, NERC’s Grid Security Conference (GridSecCon), and NERC’s Grid Security Exercise (GridEx) III. He then discussed items raised during the May NERC Board of Trustees meeting, including: updates accepted to the CIP-014-2 Standard; CIPC Vice Chair Nathan Mitchell elected as CIPC representative to the Reliability Issues Steering Committee (RISC); standards and compliance items listed in the Policy Input letter; and the Bulk Electric System Security Metrics Working Group’s chapter within the 2015 State of Reliability Report. Finally, Chair Abell reviewed changes to the CIPC committee structure, which included: standing down the Cyber Attack Tree Task Force following work completion; removing the Cybersecurity Analysis Working Group, due to activities duplicated by another working group; and moving the Security Training Working Group from the Physical Security Subcommittee to the Cybersecurity Subcommittee, to better balance the workload. (Presentation 3)

Electricity Sector Information Sharing and Analysis Center (ES-ISAC) Update

Mr. Ben Miller, NERC, provided an update about the physical separation occurring at the NERC DC office, walling off the ES-ISAC from the rest of the NERC staff. He then provided an update on the ES-ISAC portal and the upgrades that will be in place by the Grid Security Exercise (GridEx) III, occurring in November 2015. (Presentation 4)

Security Reliability Program (SRP)

Mr. Scott Mix, NERC, briefed CIPC on the status of the SRP, including the number of SRPs scheduled for 2015 (14), and a new program based on the SRPs, Small Group Advisory Sessions, which are brief SRPs occurring between the Electric Reliability Organization and individual entities. Mr. Mix provided an overview of a typical three-day SRP visit, and mentioned that, in 2016, the program will transition to a region-led program. (Presentation 5)

Physical Security Advisory Group (PSAG) Update

Mr. Bob Canada and Mr. Travis Moran, NERC, provided updates on physical security initiatives in general that are underway at the ES-ISAC, including: sector outreach and training, direct industry outreach, suspicious activity reporting, nationwide linkage through the nationwide Suspicious Activity Reporting initiative, and critical equipment testing and training initiative. Mr. Moran discussed the new Physical Security Incident Reporting Guide and the Physical Security Bulletins that the ES-ISAC will be releasing. Finally, Mr. Canada provided an update on the PSAG, including a prioritization of issues and activities for the group to address, the PSAG’s upcoming meeting on June 10-11, and access to physical security information on the ES-ISAC portal. (Presentation 6)


CIP V5 Transition and CIP V5 Revisions

Mr. Tobias Whitney, NERC, discussed CIP V5 transition activities and revisions, providing an overview of lessons learned and frequently asked questions (FAQ), including next steps on the FAQs. He then discussed the Section 11 Guidance Development Process and different elements of the NERC Compliance Assurance Memo, followed by guidance on virtualization. Mr. Whitney concluded his presentation with dates and locations of upcoming Small Group Advisory Sessions, and discussed transition guidance, stating that NERC is in the early stages of developing an updated Transition Guidance communication. Mr. Whitney was asked about the Regional Entity management group of NERC approving vendors for third party reviews; he responded that nothing was determined at this point, and that senior executives will be making those decisions. Regarding the NERC Compliance Assurance Memo, Mr. Whitney was asked if it is mandatory or auditable. He responded that the memo is a regurgitation of the Version 5 record. A follow-up question asked if industry decides not to comply; Mr. Whitney responded that the issue is about auditor consistency, which is a separate issue. Chair Abell commented that, while that may be true, it is also indicative of problems with the current process. (Presentation 7)

Reliability Issues Steering Committee (RISC) Update

CIPC Vice Chair Nathan Mitchell, American Public Power Association, announced that he is the new CIPC representative to RISC, replacing CIPC Vice Chair Jim Brenton. He will be attending the meetings and providing updates to CIPC. (No Presentation)

Legislative Update

CIPC Vice Chair Mitchell briefed CIPC on pending legislation and executive branch activities. Regarding energy legislation, Mr. Mitchell reported that the House and Senate are attempting to move comprehensive, bipartisan energy legislation. The House Energy & Power Subcommittee released eight discussion drafts and held six hearings; the full House may consider legislation in July. In the Senate, ENR Committee members have introduced bills they want considered for inclusion in comprehensive energy legislation. They have introduced 114 bills, which address a broad range of issues: grid security, oil and gas production and processing, pipeline permitting, energy efficiency, distributed generation, transmission, smart grid, hydro, reliability, capacity markets, workforce development, research and development (R&D)/labs, electric vehicles, nuclear, and energy storage. The Committee has held four hearings; mark-up is expected in July and consideration by the full Senate is likely to occur in September. Regarding Grid Security, the House passed information sharing/liability protection in April 2015 (H.R. 1560, the Protecting Cyber Networks Act; H.R. 1731, the National Cybersecurity Advancement Act of 2015). In March, the Senate Intelligence Committee approved S. 754, the Cybersecurity Information Sharing Act of 2015, which may be considered in July. (Presentation 8)

Electricity Sub-sector Coordinating Council (ESCC) Update

CIPC Vice Chair Mitchell, as the Secretary to the ESCC, briefed CIPC on ESCC activities by topic. The Government-Industry Coordination group is focused on public affairs coordination, GridEx III, and Fusion Centers. The Threat Information Sharing and Processes group is addressing the ES-ISAC Strategic Review Project, and also stays informed on the Cybersecurity Risk Information Sharing Program. The Leveraging Infrastructure / R&D group is geared toward Government R&D efforts, partnerships with EPRI, and other outreach initiatives. Finally, the Long-term Planning and Strategic Vision group is reviewing the National Infrastructure Advisory Council recommendation for cross-sector Strategic Infrastructure Executive Council. (Presentation 9)


North American Transmission Forum (NATF) Security Practices Group Activity Update

Mr. Jim Rowan, NATF, updated CIPC members on the CIP-002 v5 Guide and the Physical Security Project on CIP-014-1 R4 and R5. The purpose of the CIP-002 v5 Guide was to identify Cyber Assets and define corresponding BES Cyber Systems for transmission facilities and assets. The guide, which includes recommendations, examples, and templates for documenting a program, was approved on July 1, 2014. The purpose of the Physical Security Project on CIP-014-1 R4 and R5 was to develop a guide that was defensible (but not prescriptive) for conducting evaluations as required in Requirement 4 and for developing and implementing a physical security plan as required in Requirement 5. CIP-014 R4 and R5 Practice Documents are completed and will be available for public release soon. (Presentation 10)

Canadian Electricity Association Trip Report

Mr. Ross Johnson, Capital Power and Mr. Francis Bradley, Canadian Electricity Association (CEA), provided a brief-out of the CEA delegation to Israel. The team met with representatives from different Israeli organizations, including the Ministry of National Infrastructure, the National Cyber Bureau, and the Israel Electric Company. Separate from the trip report, Mr. Johnson and Mr. Bradley provided a brief overview of the Hydro-Québec incident that occurred several months ago. (Presentation 11)

The CIPC Meeting on June 9 concluded for the day at 5:00 p.m. (EDT) and reconvened on June 10 at 8:00 a.m. (EDT).

Policy Subcommittee – Chair Mr. Nathan Mitchell (No Presentation)

Bulk Electric System Security Metrics Working Group (BESSMWG)

Mr. Roland Miller, Chair, notified the group that, since the March CIPC meeting, CIPC members approved the BESSMWG’s draft security metrics and chapter for the 2015 NERC State of Reliability Report. The NERC Board of Trustees also approved the report on May 14, 2015. Since that time, the BESSMWG drafted a strawman Security Metrics Development Roadmap to plan future BESSMWG activities, and the team met on June 9 to review the roadmap and define future direction. Chair Miller provided initial data on the metrics, discussed the development approach and roadmap in more detail, and provided a proposed timeline for the BESSMWG that extends to March 2016. (Presentation 12)

Compliance and Enforcement Input Working Group (CEIWG)

Mr. Paul Crist, Chair, discussed the group’s activities, including a discussion of NERC Postings of “Topics Not Pursued as Lessons Learned or FAQs,” (specifically the Network and Externally Accessible Devices), a review of posted Lessons Learned/FAQs for comment, and an advisory group for NERC. Regarding lessons learned, Chair Crist identified two questions: Can network devices be considered BCA/BCS? And what is the line of demarcation between an ESP and non-routable BCS? (Presentation 13)

Physical Security Standard Working Group (PSSWG)

Mr. Matt Stryker, Georgia Transmission Corporation, on behalf of Allan Wick, Chair, provided an update on the PSSWG’s activities to date. The PSSWG’s activities were divided among four teams to address different issues; the teams met weekly to review content; and once a draft guidance document was available, the PSSWG presented it to the Standards Drafting Team and NERC Legal for review. The guidance document has been made available for CIPC voting members to review and is currently up for CIPC vote. If approved, the document is then presented to industry for a 45-day comment period. (Presentation 14)

Operating Security Subcommittee – Chair Jim Brenton (No Presentation)

Business Continuity Guideline Task Force (BCGTF)

Mr. Darren Myers, Chair, said he was gathering additional members to support the BCGTF, and that he was scheduling weekly meetings for the team. The BCGTF will start its work by reviewing the existing guideline and determining updates. Mr. Myers asked that anyone interested in joining the group contact him. (No Presentation)

GridEx Working Group (GEWG)

Mr. Tim Conway, Chair, updated the group on the GEWG’s activities since the last CIPC meeting, including finalizing the scenario narrative, developing and opening the GridEx registration site, and developing and implementing the player directory. He provided detail on the exercise scenario, and directed Lead Planners to the GridEx III portal, where they can find resources. Mr. Conway provided an overview of activities that would be completed before the Final Planning Conference, including finalizing inject samples, holding Reliability Coordinator planning meetings, and developing exercise news stories. (Presentation 15)

Electricity Sector Information Sharing Task Force (ESISTF)

Mr. Stephen Diebold, Chair, briefed CIPC on the ESISTF status of work completed. His presentation discussed the group’s tasks and timeline, and Chair Diebold mentioned that draft presentations have been developed and approved. Vice Chair Brenton mentioned that the outreach activities will be postponed until the ESCC Strategic Review is completed and information can be updated on the slides with respect to the ES-ISAC portal. The ESISTF will stand down until these activities occur, and at that point, the CIPC Executive Committee will determine next steps for the ESISTF. (Presentation 16)

Cybersecurity Subcommittee – Mr. Marc Child, Subcommittee Chair, Great River Energy (Presentation 12)

Cyber Attack Tree Task Force (CATTF)

Subcommittee Chair Child, on behalf of Mark Engels, Chair, stated that the CATTF’s work is completed and will be turned over to the ES-ISAC. The CATTF will stand down. (Presentation 12)

Control Systems Security Working Group (CSSWG)

Mr. Mikhail Falkovich, Chair, reported that the CSSWG continues to hold bi-weekly working conference calls, held three in-person meetings, and during these meetings, the group completed 100% of use case diagrams and 100% of the guideline draft. Chair Falkovich talked about the CSSWG’s close coordination with the GEWG on the guideline efforts. In addition, the CSSWG is working closely with the Lessons Learned effort to ensure that the guideline is correlating with NERC Recommendations. Next steps are to distribute the draft guideline to CIPC voting members for review, comment, and vote, and if approved, the guideline will be presented to industry for a 45-day comment period. (Presentation 12)

Physical Security Subcommittee – Chair Mr. David Grubbs (No Presentation)

Physical Security Guideline Task Force (PSGTF)

Mr. John Breckenridge, Chair, accepted a tasking to update the Threat and Incident Reporting Guideline, a document that was drafted in 2008. Chair Breckenridge will work with a team to review the document and provide updates.

Physical Security Working Group (PSWG)

Mr. Ross Johnson, Chair, provided an update on the PSWG’s work since the March CIPC meeting and upcoming activities. (No Presentation)

Security Training Working Group (STWG)

Mr. William Whitney, Chair, said the group holds monthly calls to discuss long-term goals and short-term actions, as well as coordinate presentations. He provided an overview of past and upcoming training, including a session on the changing threat landscape, to occur in July. Chair Whitney concluded by saying the group will continue to expand the list of free on-demand training from reputable agencies and vendors; secure volunteers to join the group; schedule and prepare future pre-CIPC training sessions and webinars; and work with vendors and individuals in the industry to provide specific training to industry. (Presentation 13)

Agency Updates

Department of Energy – Mr. Jim McGlone

Mr. McGlone provided updates on several activities at DOE, including: staff changes; the Grid Security Report for Congress; the Physical Security version of the C2M2; transformer strategy; PowerSurge; the Energy Sector-Specific Plan; the ESCC meeting on June 15 at the Department of Homeland Security; and the classified briefing during the December meeting in Atlanta, GA. (Presentation 14)

Adjournment

There being no further business, and upon motion to adjourn by Chair Abell, the motion was approved by CIPC with adjournment on June 10 at 11:00 a.m. (EDT).

Submitted by,
Laura K. Brown
CIPC Secretary


CIPC Opening Remarks

Marc Sachs
Senior Vice President and Chief Security Officer, ES-ISAC
June 9-10, 2015
Atlanta, GA


NERC’s New CSO – Marcus Sachs, P.E.

• Retired US Army Officer
  – XVIII Airborne Corps AMO
  – 4th Infantry Division AMO
  – JTF-CND/CNO Senior Operations Analyst

• White House National Security Council
  – Proposed “US-CERT” in 2002

• Department of Homeland Security
  – First Cyber Program Director

• SRI International
  – Computer Science Lab Deputy Director

• Verizon Communications
  – VP of National Security Policy
  – Comm-ISAC Vice Chair
  – Comm-SCC Vice Chair
  – CSIS Commission on Cyber Security for the 44th Presidency

• SANS Internet Storm Center
  – Director 2003 - 2010

CIP Relationships

[Diagram: CIP Relationships. Labels: Strategic; Policy Coordination; Operational Coordination; Sector Coordinating Councils; Information Sharing and Analysis Centers/Organizations; Federal Advisory Committees; NIAC; ES-ISAC; ESCC]

Critical Infrastructure Protection Committee (CIPC)
Westin Buckhead Atlanta
Atlanta, GA

June 9-10, 2015

Safety and Security

• Westin Buckhead Staff will inform the CIPC concerning Fire and Evacuation Procedures for your safety


CIPC Voting Members and Attendees

1. Wireless access is available:

Network: Westin Meeting
Password: NERCWB

2. Please sign and pass the Attendance Sheets.


Securing Our Assets

Over 55,000 Substations over 100 kV

Antitrust Guidelines

I. General

It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment. Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another.

The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC’s antitrust compliance policy is implicated in any situation should consult NERC’s General Counsel immediately.

II. Prohibited Activities

Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):

• Discussions involving pricing information, especially margin (profit) and internal cost information and participants’ expectations as to their future prices or internal costs.
• Discussions of a participant’s marketing strategies.
• Discussions regarding how customers and geographical areas are to be divided among competitors.
• Discussions concerning the exclusion of competitors from markets.
• Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.
• Any other matters that do not clearly fall within these guidelines should be reviewed with NERC’s General Counsel before being discussed.


Membership Expectations

Our CIPC Charter Section 3 states the following –

"Voting members of the CIPC are expected to:

i. Bring subject matter expertise to the CIPC;
ii. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector;
iii. Attend and participate in all CIPC meetings;
iv. Express their own opinions at committee meetings but also represent the interests of their Regions;
v. Discuss and debate interests rather than positions;
vi. Complete assigned Committee, Task Force, and Working Group assignments;
vii. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance.


Conduct of the Meeting

Parliamentary Procedures:
In the absence of specific provisions in NERC’s Rules of Procedure, all committee meetings shall be conducted in accordance with the most recent edition of Robert’s Rules of Order, Newly Revised in all cases to which they are applicable.

Critical Infrastructure Protection Committee

June 2015

[Organization chart]

Executive Committee:
• Chuck Abell, Chair, Ameren
• Nathan Mitchell, Vice Chair, APPA
• Jim Brenton, Vice Chair, ERCOT
• David Revill, NRECA
• David Grubbs, ERCOT
• Ross Johnson, CEA
• Melanie Seader, EEI
• Jack Cashin, EPSA
• Marc Child, Great River
• Laura Brown, Secretary

Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (Marc Child)
• Operating Security Subcommittee (Jim Brenton)
• Policy Subcommittee (Nathan Mitchell)

Working Groups and Task Forces:
• Business Continuity Guideline TF (Darren Myers)
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control System Security WG (Mikhail Falkovich)
• ES Information Sharing TF (Stephen Diebold)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Roland Miller)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)

CIPC Primary Voting Members

Org | Name | Company | Discipline
TRE | David Grubbs – Executive Committee | City of Garland | Operations
TRE | Jim Brenton, Vice Chair | ERCOT | Cyber
TRE | Darrell Klimitchek | STEC | Physical
FRCC | Paul McClay | TECO | Cyber
FRCC | Carter Manucy | Fla Municipal | Physical
FRCC | Joe Garmon | Seminole | Operations
MRO | Marc Child – Executive Committee | Great River | Cyber
MRO | Paul Crist | LES | Physical
MRO | Joe Mayfield | WAPA | Operations
NPCC | John Galloway | ISO-NE | Operations
NPCC | Greg Goodrich | NYISO | Cyber
NPCC | Rick Twigg | Velco | Physical
RFC | Larry Bugh | RFC | Cyber
RFC | Kent Kujala | Detroit | Operations
RFC | Jeff Fuller | DPL | Physical
SERC | Chuck Abell, Chair | Ameren | Operations
SERC | Cynthia Hill-Watson | TVA | Cyber
SERC | Bruce Martin | Duke Energy | Physical
SPP | John Breckenridge | KCPL | Physical
SPP | Allen Klassen | Westar | Operations
SPP | Eric Ervin | Westar | Cyber
WECC | Allan Wick | Tri-State | Physical
WECC | Mike Mertz | PNM | Cyber
WECC | Vacant | Vacant | Operations
APPA | Scott Smith | Bryan TX Utilities | Physical
APPA | Nathan Mitchell, Vice Chair | APPA | Policy
CEA | Chris McColm | Manitoba | Physical
CEA | Ross Johnson – Executive Committee | Capital Power | Physical
CEA | David Dunn | IESO | Policy
NRECA | Robert Richhart | Hoosier | Policy
NRECA | David Revill – Executive Committee | Georgia Trans | Policy


Proxies Received and Quorum

• Thanks to all proxies attending today and serving as a proxy for your primary voting member!

Proxies received for this meeting:
  TRE – Amelia Sawyer representing Darrell Klimitcheck
  FRCC – Pat Boody representing Paul McClay
  NPCC – Brian Hogue for Rick Twigg
  SERC – Jack Paul representing Bruce Martin
  WECC – Jay Spradling representing Allan Wick
  WECC – Vacant
  CEA – Francis Bradley representing Chris McColm
  NRECA – Brian Gardner representing Robert Richhart


Proxies Received and Quorum

• Announcement of CIPC Quorum of Voting Members: Based on the voting members in attendance, including the proxies received, we have achieved quorum for conducting CIPC business.


CIPC Roster Changes

New Voting Members:
SPP – Eric Ervin – Westar Energy
Nomination was approved by NERC Board of Trustees

Vacancies of Voting Members:
WECC vacancy is due to Jamey Sample’s departure from PG&E

Thank you for your service to CIPC!


Chair’s Remarks by Chuck Abell

NERC CIPC Chair Report

Chuck Abell

June 9, 2015

June 2015 Update

• Security Workshop – ES-ISAC Portal 2.0

• CIPC WG/TF Meetings
  • GridEx Working Group
  • BES Security Metrics Working Group
  • Control System Security Working Group

• Next CIPC Meetings:
  • Sept 15-16: J. W. Marriott – New Orleans, LA
  • Dec 15-16: Westin Buckhead – Atlanta, GA

• Physical Security Advisory Group (PSAG)

• Grid Security Conference Oct 13-16 – Philadelphia, PA

• GridEx III – Nov 18-19

June 2015 Update (Cont.)

• May NERC Board of Trustees Meeting
  – Adopted updated CIP-014-2 Standard
  – Nathan Mitchell elected as CIPC representative to the RISC
  – Policy Input
    o Future of Standards Development
    o Critical Infrastructure Protection (CIP) Version 5 Transition Program
    o Physical Security Reliability Standard Implementation
    o Compliance Guidance

    o Quickly address remaining CIP technical issues
    o Compliance guidance study – report back to BOT later this year

BES Security Metrics in 2015 State of Reliability Report

CIP Committee Structure

June 2015

Executive Committee
• David Revill, NRECA
• Chuck Abell, Chair, Ameren
• Melanie Seader, EEI
• David Grubbs, ERCOT
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• Jim Brenton, Vice Chair, ERCOT
• Marc Child, Great River
• Laura Brown, Secretary

• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (Marc Child)
• Operating Security Subcommittee (Jim Brenton)
• Policy Subcommittee (Nathan Mitchell)
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control System Security WG (Mikhail Falkovich)
• ES Information Sharing TF (Stephen Diebold)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Roland Miller)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)
• Business Continuity Guideline TF (Darren Myers)

ES-ISAC UPDATE

CIPC, June 9 2015

Ben Miller

GridEx II Lessons Learned

Recommendation: Continue refinement and promotion of the ES-ISAC portal as a central coordination point and reporting tool in crisis.

“Despite these advances, many utilities were still unclear on proper reporting thresholds and formats or how to enroll in the ES-ISAC portal and configure the system to receive Watch List entries according to individual needs. Those who did not use the ES-ISAC portal reported a lack of standardized reporting protocols and minimal visibility into how these reports were aggregated to relay situational awareness back to stakeholders. Some participants expressed the need for greater understanding of how mandatory reporting and voluntary information sharing are captured and used by NERC during an incident.”

“While acknowledging the importance of information sharing, some participants noted that the reporting effort can absorb key resources. Entities should streamline reporting by ensuring the appropriate reporting thresholds and requirements are clearly documented and integrated into incident response plans.”

“Better consolidation and coordination when releasing similar information could reduce the amount of resources entities need”

Portal Timeline

[Timeline figure labels: Release 1; Work on Hold; Contract finalized!; R2; GridEx Instance; Future releases pending prioritization / scheduling]

TLP Levels

Color: RED
When should it be used? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

Color: AMBER
When should it be used? Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information. ES-ISAC Members Only.

Color: GREEN
When should it be used? Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. ES-ISAC Members and Partners.

Color: WHITE
When should it be used? Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? TLP: WHITE information may be distributed without restriction, subject to copyright controls.

https://www.us-cert.gov/tlp

[Chart: Electricity Subsector Sourced Shares, by month (Mar, Apr, May); series: Cyber, Physical]

Security Reliability Program (SRP): Current 2015 Status

CIPC

June 9-10, 2015

Overview

• Status of the SRP
• Typical Agenda
• Visit schedule for 2015
• Future Directions

Status

• 14 SRP visits scheduled for 2015
  – 4 large-format workshops (region sponsored)
  – 10 single entity visits
  – 2 additional visits in January 2016 (2015 program)

• Program content continues to be flexible and adapted to entity needs

• Spin-off program – Small Group Advisory Session (SGAS)
  – 1-2-hour mini-SRP sit-down with ERO & individual entity

SRP Visit Agenda

• Typical SRP visit is 3 days – Tuesday - Thursday
  – Can be as short as 2 days or as long as 4 days
  – Site visits may require additional travel time

• Default agenda published in overview document
  – Entity customizations welcomed and encouraged

Typical Agenda

• Day 1
  8:00 – 9:00 Setup
  9:00 – 10:00 Opening presentation (including registered entity overview)
  10:00 – 12:00 CIP standards history, overview, format, CIP-002
  12:00 – 1:00 Lunch
  1:00 – 3:00 CIP standards history, overview, format, CIP-002 (continued)
  3:00 – 5:00 CIP-003 & CIP-004 (excluding low impact BES Cyber Systems requirements)

Typical Agenda

• Day 2
  8:00 – 12:00 CIP-005 through CIP-011
  12:00 – 1:00 Lunch
  1:00 – 5:00 CIP-005 through CIP-011 (continued)

Typical Agenda

• Day 3
  8:00 – 10:00 Tour (or Patching / Firewall presentations)
  10:00 – 12:00 V5 Implementation Study, lessons learned, risk-based compliance approach to CIP
  12:00 – 1:00 Lunch
  1:00 – 2:00 CIP V5 revisions status (including low-impact BES Cyber System requirements)
  2:00 – 3:00 CIP-014
  3:00 – 4:00 BES Cyber System identification and grouping (discussion)
  4:00 – 4:30 Open Q&A
  4:30 – 5:00 Closing presentation

Visit Schedule for 2015

• February – SGAS
• March – SGAS
• April – RF Workshop & SGAS
• May – FRCC Workshop
• July – TRE Workshop with SGAS & 3 entity
• August – 3 entity & SGAS
• September – SERC Workshop, SGAS & 1 entity
• November – 1 entity
• December – 2 entity
• January – 2 entities

Future Directions

• Complete 2015 scheduled visits
• Slight “spill-over” into 2016
• Transition to region-led program in 2016

Questions

Scott Mix, [email protected]

ES-ISAC Physical Security CIPC Update

Bob Canada, Manager

CIPC

June 9 2015

Physical Security Initiatives Under Development

• Sector Outreach & Training
  – Fusion Center Concept
    o Leveraging Fusion Centers for mapping and networking
    o Contact with a national SAR initiative

• Direct Industry Outreach
  – Assist members for the true threats facing them (UAS)
  – Continue working with the CIPC Training WG for webinars

• Suspicious Activity Reporting
  – Direct through the ES-ISAC Portal
  – Direct contact with industry, webinars and weekly reports

• Nationwide Linkage through Nationwide SAR Initiative
  – Sponsored by DOJ and Fusion Centers

Continued

• Critical Equipment Testing and Training Initiative
  – ATF receptive to training of industry
  – Will create equipment, distance, and barrier base lines for industry

Incident Reporting Guide

Summary

The ES-ISAC Physical Security Team (PST) is charged with capturing, understanding, reporting and disseminating physical security incidents that occur to sector members during their operations to fellow ES-ISAC members, law enforcement, and other governmental and regulatory bodies. This information, when captured, is only disseminated in a non-attributed format both internally and externally and can be extremely valuable in situational awareness, detection, and prevention of future incidents. In response to our increased physical security reporting activities, the PST is providing members with this guidance document to assist them in their reporting of physical security incidents.

Physical Security Incident Reporting Guide

Incident Type: Although the EOP-04-2 and OE-417 specifies categories for their physical security incident reporting i.e., physical attack or vandalism, clearly identifying the type of event is very helpful in order to share accurate information across the industry. Moreover, as currently captured, a gunfire incident could be reported as either a physical attack or vandalism. However, it would be helpful to understand the totality of the incident in the title, for example:

• Gunfire damage to a 69 kV transformer
• Break-in and $23,000 worth of copper theft at a 500kV substation
• Shooting of a 345 kV transmission line insulator(s)
• UAS intrusion at coal-fired generation station
• Potential surveillance of a 230kV substation

Physical Security Bulletins

UAS Incident Guide

Definition:

A UAS is defined by the Federal Aviation Administration (FAA) as an “aircraft” under the auspices of U.S. Code, Title 49, Section 40102 (a) (6) which defines an “aircraft” as “any contrivance invented, used, or designed to navigate or fly in the air.” Due to the fact that a UAS is designed to be used for flight (regardless of height), the FAA has designated UAS as “aircraft” within the meaning of the statute.

Under current regulation, the FAA only recognizes three types of UAS: those that are operated for recreation, those that are operated for commercial purposes, and those operated by governmental entities. As such, UAS that are operated solely recreationally do not fall under any specific federal flight guidelines. However, for UAS that are being operated for commercial or governmental purposes, the FAA requires an application and approval process.

For UAS that are strictly being used for recreational purposes, these UAS fall under the FAA’s “Model Aircraft” distinction and are subject to the following rules:

1) UAS solely for recreational use
2) UAS is operated within the framework of the safety guidelines of the specific communities and localities that they are being operated in and should stay away from people and stadiums
3) UAS is 55 pounds or less
4) UAS operation does not impede any manned aircraft
5) UAS operator must communicate with the air traffic control tower prior to operation if within 5 miles of an airport
6) UAS operator should maintain visual line of sight at all times
7) UAS should be flown under 400 feet

Physical Security Advisory Group (PSAG)

PSAG Charter Objectives

• Advise the ES-ISAC, CIPC and industry on physical security incidents with the potential of impacting the security and reliability of the Bulk Power System of North America

• Advise the ES-ISAC on a physical security portal build out and suggest information content to share timely threat or suspicious incidents to enhance information sharing within the industry;

• Assist the Department of Energy (DOE) in development of the Physical Security Capability Maturity Model (PSCM2);

• Advise the CIPC Executive Committee and CIPC Physical Security Subcommittee with advice on initiatives, projects and on physical security guidelines, roundtable topics and training needed by the industry;

• Liaison with physical security technology providers and government to enhance their understanding of evolving and “state of art” technologies;

• Create and publish whitepapers and opinions through the ES-ISAC to the Electricity Sub-sector, as needed, related to physical security programs, incident response, technology reviews, training and periodic exercises and/or testing;

• Volunteer physical security expertise to liaise, advise and coordinate with the industry to conduct, upon request, on-site peer to peer confidential reviews and provide feedback on observations for improving security at the entity.

PSAG Membership

Members of the PSAG were selected by the ES-ISAC and have recognized expertise in the following:

• Physical security operations
• Physical security technology
• Security training, drills and testing
• Security programs
• Vulnerability assessments
• Threat assessments
• Intelligence gathering and analysis

PSAG Members

1. Bob Canada (ES-ISAC Physical Security Manager)
2. Brian Harrell (ES-ISAC Director ES-ISAC)
3. Ross Johnson (Chair, Physical Security Roundtable Group)
4. Allan Wick (Chair, PSSWG)
5. John Breckenridge, KCP&L (Chair, PSGWG)
6. David Godfrey, Garland P&L (CIPC Physical Security Subcommittee)
7. William Whitney III, Garland P&L (Chair, Security Training WG)
8. Jim McGlone, DoE and PSCM2
9. Dan Jenkins, Dominion
10. Adria Martinez, DHS (ES-Liaison)
11. John Large, FP&L (EEI Security)
12. Mike Hagee (SERC)
13. Michael Lynch, DTE
14. Darren Myers, Duke
15. Jim Spracklen, PNNL – Physical Security
16. Tim Reagan, Ameren
17. Richard Hyatt, Tucson Electric & Power
18. Barry Page, C4S2 Global

PSAG Survey Results

1. Recommendation of one threat/vulnerability methodology for the electricity subsector.

2. Physical Security Training on evolving needs of the industry.

3. Templates or redacted of facility security programs and threat response plans.

4. Building out the ES-ISAC’s Physical Security Dashboard for evolving information on physical security events and situation awareness.

5. Information sharing on incidents through the ES-ISAC.

6. Physical security guidelines - What should be developed to assist the industry?

7. Security Intelligence gathering guideline and trusted sources.

8. Performance testing of technology i.e. cameras, intrusion detection others?

9. Collaboration on Insider Threats (Review the Secret Service best practices)

10. Industry-wide security performance measures.

11. Physical security whitepapers (exp. substation and control center security).

Critical Infrastructure Protection Committee

CIPC Executive Committee
• David Revill
• Chuck Abell, Chair
• Melanie Seader
• David Grubbs
• Nathan Mitchell, Vice Chair
• Jack Cashin
• Ross Johnson
• Jim Brenton, Vice Chair
• Marc Child
• Laura Brown, Secretary

• Physical Security Subcommittee (David Grubbs)
• Cyber Security Subcommittee (Marc Child)
• Operating Security Subcommittee (Jim Brenton)
• Policy Subcommittee (Nathan Mitchell)
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control System Security WG (Mikhail Falkovich)
• Cyber Security Analysis WG (Vacant)
• ES Information Sharing TF (Stephen Diebold)
• Grid Exercise WG (Tim Conway)
• Cyber Attack Tree TF (Mark Engels)
• BES Security Metrics WG (Roland Miller)
• Personnel Security Clearance TF (Nathan Mitchell)
• Compliance & Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)
• Business Continuity Guideline TF (Darren Myers)

Presentations by PSAG Members and Invited Speakers

• James Spracklen, PNNL, Sr. Technical Advisor for National Security
  o "What are protecting ourselves against, and how do we know we are protected?"
• Jim McGlone, DoE – DoE Initiatives and Assistance
• Craig Stiegemeir, ABB, Resiliency Considerations of Large Transformers
• Barry Page, C4S2 Global – Security Technology Observations and Testing
• Bradley S. Earman, USDOJ-ATF, Chief of Explosives Training - Critical infrastructure evidence collection and recovery coordination
• Norma Brown, Ameren, Ballistics testing conducted by Ameren
• David Beall, FBI Unit Chief, WMD Directorate, Infrastructure Countermeasures Unit – FBI Perspectives on the Current Threat Picture and Coordination with the Industry
• Charles Phillips, Special Agent - Liaison Officer, Federal Aviation Administration, Law Enforcement – Unmanned Aircraft Systems; Threats and Legalities for Electric Utilities

You can register a user account on the portal by visiting https://www.esisac.com/register.aspx

General Contact: [email protected]

24 hour hotline: (404) 446-9780

ES-ISAC Membership & Notifications

Little things can turn into big things!

CIP Version 5 Transition Program Update

CIPC Meeting

Tobias Whitney, Manager of CIP Compliance

June 9, 2015

Lessons Learned and FAQs

Topic | Lesson Learned or FAQ | Date Posted for Stakeholder Comment
Generation Segmentation | Lesson Learned | October 23, 2014
Far-End Relay | Lesson Learned | October 23, 2014
BES Impact of Transmission Scheduling Systems | FAQ | April 24, 2015
Grouping of BES Cyber Systems | Lesson Learned | March 2, 2015
Shared Equipment at a Substation | FAQ | April 1, 2015
Virtualization | Lesson Learned | TBD
Intrusion Detection Systems | FAQ | April 30, 2015
Interactive Remote Access | Lesson Learned | January 8, 2015
Mixed Trust EACMS | Lesson Learned | January 8, 2015
Multiple Physical Access Controls | FAQ | April 1, 2015
Protecting Physical Ports | FAQ | April 1, 2015
Identifying Sources of Patch Management | FAQ | April 30, 2015
Mitigating Threat of Detected Malicious Code | FAQ | November 25, 2014
Vulnerability Testing of Physical Access Controls | FAQ | April 1, 2015

At a glance:
• 23 original topics
• 50 FAQs
• 7 LLs
• 57 topics via Section 11
• 5 issues addressed by NERC

Guidance: Effective Approaches to Comply

Section 11 Guidance Development Process

NERC Compliance Assurance Memo

• 3rd Party Notifications of medium impact assets

– For IRC 2.3 and 2.6 Reliability Coordinator, Planning Coordinator, or Transmission Planner addresses the facility (generation or transmission)

– The asset owning registered entity must then determine which BES Cyber Assets or BES Cyber Systems support the identified generation Facility or the identified generation at a single plant location or transmission Facility at a single station or substation location.

NERC Compliance Assurance Memo

• Generation Interconnection (IRC 2.5)

– The question is whether the line (sometimes referred to as the generator lead line) operated at transmission voltages between a generating plant and a transmission substation is a Transmission Facility for the purposes of the CIP-002-5 Impact Rating Criteria.

– The position is that, for a transmission line to be considered a Transmission Facility and included in the Criterion 2.5 calculation, the line must be used for network flow of the Bulk Electric System and connected to another Transmission station or substation.

NERC Compliance Assurance Memo

• Programmable Electronic Devices (PED)

– Went back to the official record of the Standard Drafting Team and determined that questions raised were already addressed

– Programmable Electronic Device (PED) – A Programmable Electronic Device (PED) has a microprocessor and field-updateable firmware, software or logic.

“Is an electronic device which can execute a sequence of instructions loaded to it through software or firmware, and configuration of an electronic device is included in programmable.” - SDT Considerations of for V5 Posting

NERC Compliance Assurance Memo

• Serial Devices that are accessed remotely

– The position is that terminal server/converters that are connected using external routable connectivity with serial devices on the back end are external routable connectivity all the way to the serial device. They must be within an ESP and have protection of an Electronic Access Point.

[Diagram labels: converter, Serial BCA, WAN, EACMs]

NERC Compliance Assurance Memo

• Network Devices and BES Cyber Systems

– Exclusion: Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.

– Network devices can be considered BCAs based on the BCA definition

– ERO will use discretion to exempt any Cyber Assets associated with non-routable communication networks/links that would be exempt if they were routable communication between discrete ESPs

NERC Compliance Assurance Memo

• Control Centers operated by TOs and non-registered BAs

– High Impact Rating (H)

o 1.3 Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator for one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10.

– Medium Impact Rating (M)

o 2.12. Each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above.

– Went back to the official record of the Standard Drafting Team and determined it was clearly addressed that the SDT intent was the functions you are performing and not how you are registered.

FAQ next steps

• General Frequently Asked Questions (FAQs)

– 3 are already posted on the V5 Transition Program page on the NERC web site as “Technical FAQs”

– 34 FAQs were posted for industry comment April 2 with comments due by May 15.

– 14 FAQs posted on May 1, comment period closes June 15th.

Other Guidance

• Virtualization (Networks and Servers)

– The concern with virtualization is when there is a mixed trust environment

– The standards do not do a good job of addressing the technology

– For virtual servers where a mixed trust environment is being used, there will be a lot of scrutiny of the security controls in place

– For networks using mixed trust, there will be a need to see that the appropriate Electronic Access Point controls are in place for the device


Small Group Advisory Sessions

• July 8–10, 2015 Sessions at Texas RE in Austin (Texas RE Office Information); register by June 26, 2015

• August 4–6, 2015 Sessions at NERC HQ in Atlanta (NERC HQ Office Fact Sheet); register by July 24, 2015

• September 1–3, 2015 Sessions at NERC HQ in Atlanta (NERC HQ Office Fact Sheet); register by August 21, 2015


Transition Guidance

• NERC is in the early stages of developing an updated Transition Guidance communication.

• Initial focus is on TFE procedural updates

• Evidence retention requirements for V3 after enforcement date of V5

• Re-cap mandatory and enforceable dates


Legislative Update

Critical Infrastructure Protection Committee

June 9, 2015

Nathan Mitchell, American Public Power Association


Legislative Update

• 114th Congress

– Senate – Now Republican Majority

– House – Increased previous Republican Seats and Majority

• President – Democrat, still has strong veto (not enough Republicans in Senate to overturn a veto)


Energy Legislation

• Efforts underway in the House and Senate to move comprehensive, bipartisan energy legislation.

• Senate efforts an outgrowth of Energy & Natural Resources (ENR) Committee Chairman Lisa Murkowski’s (R-AK) Energy 20/20 white paper.

• House efforts an outgrowth of Energy & Commerce (E&C) Committee Chairman Fred Upton’s (R-MI) Architecture of Abundance paper.


Energy Legislation - House

• Eight discussion drafts released by House Energy & Power Subcommittee:

– Energy Efficiency (Title IV, Subtitle A)

– Strategic Petroleum Reserve Mission Readiness Plan (later folded into Title III)

– 21st Century Workforce (Title II)

– Hydropower Regulatory Modernization (Title I)

– FERC Process Coordination

– Energy Reliability and Security (Title I)

– Energy Diplomacy (Title III)

– Accountability (Title IV, Subtitle B)


Energy Legislation - House

• The committee has held six hearings:

– 21st Century Workforce – April 23

– SPR and Energy Efficiency – April 30

– Hydro and FERC Process Coordination – May 13

– Energy Reliability and Security – May 19

– QER and Related Discussion Drafts – June 2

– Accountability and DOE Perspectives on Title IV: Energy Efficiency – June 3 and 4

• Mark up expected in Subcommittee week of June 15

• Full House may consider in July


Energy Legislation - Senate

• The process in the Senate is different than in the House.

• Members of ENR Committee have introduced bills they want considered for inclusion in comprehensive energy legislation.

• 114 bills have been introduced as of May 21 – of those, 112 have had or will have legislative hearings on them.

• Broad range of issues addressed – grid security, oil and gas production and processing, pipeline permitting, energy efficiency, distributed generation, transmission, smart grid, hydro, reliability, capacity markets, CCS technology, workforce development, R&D/Labs, electric vehicles, nuclear, and energy storage.


Energy Legislation - Senate

• Comprehensive energy bill will have four titles:

– Energy Efficiency

– Energy Infrastructure

– Energy Supply

– Energy Accountability and Reform


Energy Legislation - Senate

• The Committee has held three hearings with a fourth one scheduled for this week:

– Energy efficiency bills – April 30

– Energy infrastructure bills – May 14

– Energy supply bills – May 19

– Energy accountability and reform bills – June 9

• Mark up expected in July

• Consideration by full Senate likely in September


Grid Security

• Information sharing/liability protection legislation passed in House in April 2015:

– H.R. 1560, the Protecting Cyber Networks Act (Intel)

– H.R. 1731, the National Cybersecurity Advancement Act of 2015 (Homeland Security Committee bill)

• S. 754, the Cybersecurity Information Sharing Act of 2015, was approved by Senate Intelligence Committee in March; floor consideration likely in July.


Questions?


Electricity Sector Coordinating Council (ESCC)

Critical Infrastructure Protection Committee

June 9, 2015

Nathan Mitchell, American Public Power Association


ESCC

Principal liaison between Electricity Sector and Federal Govt.

• “Unity of Effort” and “Unity of Message”

• Facilitates policy and public affairs related activities

• All Hazards

• Steady-State

• Emergency preparedness/response for national events

• 30 Industry CEOs

• National Level Coordination Responsibilities


• Government-Industry Coordination

o Public Affairs Coordination

o Grid Ex III, Fusion Centers

• Threat Information Sharing and Processes

o ES-ISAC Review Project

o CRISP Update (Gerry Cauley)

• Leveraging Infrastructure / R&D

o Government R&D

o Partnerships with EPRI and other outreach

• Long-term Planning and Strategic Vision

o National Infrastructure Advisory Council (NIAC) recommendation for cross-sector Strategic Infrastructure Executive Council


Questions?


NATF Security Practices Group Activity Update

Jim Rowan, NATF Program Manager - Security

NERC CIPC Meeting

June 9-10, 2015


Discussion Topics

• Brief NATF Overview

• Cyber Security Project Update: CIP-002 V5 Guide

• Physical Security Project Update: CIP-014-1 R4 & R5


NATF Membership

Organization types (75 Members)

– Investor-owned

– State/Municipal

– Cooperative

– Federal/Provincial

– ISO/RTO

Expertise

– 3600 subject-matter experts

Coverage (North America Wide)

– 85% Peak Demand

– 75% 100kV and higher circuits

• Membership open to companies that own/operate 50 circuit miles 100 kV transmission or, operate 24/7 control center


Cyber Security Project Update

CIP-002 V5 Practices Guide


CIP-002 V5 Project Update

Purpose:

• The purpose was to develop a NERC CIP-002 Version 5 Guide for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets.

Deliverable:

• Security CIP-002 V5 Practices Guide and various assessment tools and spreadsheets were approved for use on July 1, 2014.

– New product includes recommendations, examples, and templates for documenting a program, and includes diagrams / flow charts that assist in standardizing CIP-002 documentation across the NATF membership.

Product Maintenance:

– Project is in dynamic maintenance mode


Physical Security Project Update

CIP-014-1 R4 & R5 Practices Guide


Physical Security Work Group Project: CIP-014-1 R4 and R5 Practice Guides

Deliverable:

• The purpose was to develop a NERC CIP-014-1 R4 and R5 Reliability Standard guide that was defensible (but not prescriptive) for conducting evaluations as required in Requirement 4 and for developing and implementing a physical security plan as required in Requirement 5.

– CIP-014 R4 & R5 Practice Documents are completed and will be decided upon for public release in very near future


May 2015 Compliance/Security Workshop

• May 12 – 14 in Kansas City hosted by KCP&L

• Topic areas

– Risk Assessment/Internal Controls Application Guide for Security Practices

– Synchronization of Security and Compliance Risks to Maximize Efficiency and Benefits

– CIP-014 R4 & R5 Document Presentations

– Ameren Workshop Highlights

– Break-out Sessions


May 2015 EPRI/NATF Nuclear Plant Offsite Power Reliability Summit

• May 27 - 28 in Charlotte hosted by EPRI

• Topic areas

– Discrete operational, performance and resiliency challenges

– Threat

– EPRI and INPO Event Analysis

– Break-out Sessions


2015 Projects (to Date)


Projects Planned for 2015

• Practices for Cyber Asset Categorization

• Practices for Protecting Unused Physical Ports Against Use

• Tools/Technology Sharing Platform

• Practices for Security Metrics


Thank you!

• Questions?


BES Security Metrics WG

CIPC Progress Report

Roland Miller, Chair

June 9-10, 2015


How we fit in!

June 2015

Executive Committee

• Chuck Abell, Chair, Ameren

• Nathan Mitchell, Vice Chair, APPA

• Jim Brenton, Vice Chair, ERCOT

• Laura Brown, Secretary

• David Revill, NRECA

• Melanie Seader, EEI

• David Grubbs, ERCOT

• Jack Cashin, EPSA

• Ross Johnson, CEA

• Marc Child, Great River

Subcommittees, working groups and task forces (lead)

• Business Continuity Guideline TF (Darren Meyers)

• Physical Security Subcommittee (David Grubbs)

• Cyber Security Subcommittee (Marc Child)

• Operating Security Subcommittee (Jim Brenton)

• Policy Subcommittee (Nathan Mitchell)

• Physical Security WG (Ross Johnson)

• Security Training WG (William Whitney)

• Control System Security WG (Mikhail Falkovich)

• Cybersecurity Analysis WG (TBD)

• ES Information Sharing TF (Stephen Diebold)

• Grid Exercise WG (Tim Conway)

• Cyber Attack Tree TF (Mark Engels)

• BES Security Metrics WG (Roland Miller)

• Physical Security Standard WG (Allan Wick)

• Compliance and Enforcement Input WG (Paul Crist)

• Physical Security Guidelines WG (John Breckenridge)


BESSMWG Activities

March 2015 CIPC Update

• Drafted new chapter for 2015 NERC State of Reliability Report to introduce five new Security Metrics

• Five security metrics approved and report accepted by CIPC on March 20, 2015

Activities Since March 2015

• NERC State of Reliability Report (including new Security Metrics chapter) approved by NERC Board of Trustees on May 14, 2015

• Drafted “strawman” Security Metrics Development Roadmap to plan future BESSMWG activities

• June 9, 2015, BESSMWG met to review roadmap and define future direction


Q1 2015 Security Metrics*

*values subject to revision

• Reportable Cyber Security Incidents – 0 (2014 Average – <1)

• Reportable Physical Security Incidents resulting in load loss – 0 (2014 Average – 0)

• Total ISAC Bulletins sourced from the sector – 28 (2014 Average – 20)

• Number of Global High Severity IT Vulnerabilities – 535 (2014 Average – 480)

• Participation in the ES-ISAC – TBD


Security Metrics Development Roadmap: 2015 and Beyond

[Figure: roadmap graphic with a “We are here” marker]


Development Approach

• Consistent with planning and operations reliability metrics in place since 2008

• Validate 2014 and track 2015 results for the five metrics already developed

• Finish developing two drafted, but not complete metrics

• Review opportunities to further develop preliminary metrics developed in 2014

• Consider the “Universe” of security metrics – over 150 metrics developed by experts in the field


Proposed Draft Timeline

• Establish Roadmap direction and timeline (June 2015)

• Present Roadmap to CIPC (September 2015)

• Prioritize and draft definitions for proposed new metrics (December 2015)

• Refine the five approved metrics, if necessary (February 2016)

• Develop detailed definitions for new metrics, including data sources (February 2016)

– Consider pilot program to field test new metrics (TBD)

– If necessary, prepare NERC data request to collect data for new metrics (TBD)

• Obtain approval and roll-out new/updated metrics and security chapter (March 2016)


NERC CIPC Compliance and Enforcement Input Working Group

NERC CIPC Update

June 9-10th, 2015

Paul Crist


NERC CIPC Compliance and Enforcement Input Working Group Update

• CEIWG Conference Calls – May 14th, 2015


NERC CIPC Compliance and Enforcement Input Working Group Update

Agenda Items

• Discussion of NERC Postings of “Topics Not Pursued as Lessons Learned or FAQ’s”

– Specifically the Network and Externally Accessible Devices

• Review of Posted Lessons Learned/FAQ’s for comment

• Advisory Group for NERC – Nathan Mitchell, APPA


Development of the CEIWG Lesson Learned

• Need to answer the questions:

– Can network devices be considered BCA/BCS?

– What is the line of demarcation between an ESP and non-routable BCS?

• Communication/Networking Equipment can be PEDs and thus Cyber Assets

• Exception 4.2.3.2. Cyber Assets associated… can have multiple interpretations

• Need to only provide guidance and not a new interpretation of the CIP Standards


NERC CIPC Compliance and Enforcement Input Working Group Update

• Meetings

– 2nd Thursday of the Month at 1:00 CST (Let me know if you need the call-in information)

Questions?


Physical Security Standard WG

Progress Report

Matt Stryker, Presenter

Allan Wick, Chair

June 10, 2015


Objectives/Duties

• The PSSWG will develop a roster of technical experts from the CIPC voting members, alternate members, and other willing observers and conduct the following activities:

– Develop a process for handling requests from NERC staff.

– Provide guidance to NERC on prioritizing CIP-014 products under development.

– Develop guidance documents for CIP-014 for NERC. Specifically, draft guidance documents for R4, R5, and R6.

– Provide timely technical reports, if requested by NERC, on technical matters related to physical security.

– Collaborate with other CIPC Working Groups and Task Forces regarding the implementation of the PSSWG deliverables.

• Provide CIPC updates on progress at the CIPC face-to-face meetings.


Current Team Members

• Chair: Allan Wick

• Vice-Chair: Open

• EC Sponsor: Nathan Mitchell

• NERC staff: Laura Brown

• Physical: Kurt Aikman, Bruce W. Barnes, Tim Basch, Richard Bouchey, John Breckenridge, Bob Canada, Mark L. Comer, Steen J. Fjalstad, Mike Hagee, Ross Johnson, Mike Ketchens, Craig P. Lawrence, Chris McColm, Leslie (Les) Morton, Peter Scalici, Matt Stryker

• Government/Others: Toni Linenberger, Barry Page, Douglas G. Williams


Status

• Charter approved 2/9/15

• Kick-off call held 2/13/15

• First F2F meeting held 3/11/15

• CIP-014 R6 guidance document highest priority

– Organized into 4 teams

– Weekly calls

– SDT reviewed

– NERC legal reviewed

– Posted for CIPC review and approval 5/22/15

– Next step – if CIPC approves, 45 day industry comment


GridEx III

Grid Security Exercise

NERC CIPC

June 10-11, 2015


GridEx III Registrants

Number of registered participants: 321

Number of registered organizations: 139

SimulationDeck Metrics (mid-June):

[Chart: counts by category (Utilities; Government/Academia/Other; RC/Independent System Operator; NERC Regional Entity) on 5-May-15, 21-May-15, 27-May-15, 1-Jun-15, 5-Jun-15 and 9-Jun-15; vertical axis 0 to 100]


GridEx III Map


Since Your Last Brief

• Weekly Core Planning Team Calls

• Bi-Weekly GEWG Calls

• Scenario Narrative work during IPC

• On site visit with Sub-Team leads and INL staff

• Scenario Narrative document finalized

• Work on Scenario MSEL (Master Scenario Event List)

• Scenario Move 1 through 4, inject development

• Training task force developed for NERC CEH

• Registration site developed and opened

• Player directory developed and implemented

• Exercise portal training videos available for planners and players


Scenario Development

Establish the Scope

• NERC leadership and GEWG

• Determine the level and type of impact desired

• Determine what will be targeted

• Determine the attack vectors

Develop a Narrative

• Backstory or ground truth:

• Attacker profile

• The Who, How, and Why of the attack

• Timing of the attack

• Expected Player actions

MSEL Development

• Detailed sequence of exercise events with inject timing

• Expected Player Actions

• Dynamic inject development

• Custom injects within entities and RC areas


There now

Coming soon

• Lead Planner Checklist SimulationDeck videos

• IPC Recording and Presentation Materials

• Recruitment Materials

• Scenario Materials

– Scenario Narrative

– MSEL Draft

• Planner / Controller / Evaluator Handbook

• After-action Survey

• “Generic” inject materials with customization guidance

• Fact sheet

• FAQs

GridEx III Portal: Lead Planner Resources


• Finalize the GridEx III Metrics work

• Finalize Generic Inject samples to use for customization

• Develop NERC CEH template

• Finalize plan on non-NERC Operator CEH training hours

• Work communication and inject delivery mechanisms

• Numerous RC to RC planning meetings

• Numerous RC to entity planning meetings

• Develop exercise news stories, and training items

• Conduct FPC

Before Your Next Brief


GridEx III Success Dashboard

• Purpose:

– Ensure sufficient and timely preparation

– Assess the extent to which GridEx III objectives are achieved

• 4 metrics areas

– Are We Ready for GridEx III?

o Address GridEx II lessons learned

o Planning milestones on-track

– Did We Meet the GridEx III Objectives?

o Observations during GridEx III

o After-action survey


Inject Distribution Process

1. Core Scenario MSEL will be hosted within SimulationDeck (InjectDeck)

[Diagram labels: Core Scenario MSEL, InjectDeck]


2. ExCon will release injects via InjectDeck to Lead Planners

3. Lead Planner receives email notification that Inject has been published and link to Inject

Inject Distribution Process

Lead Planners


Inject Distribution Process

4a. Core Scenario Stakeholder Lead Planner retrieves Inject from InjectDeck

Generic Core Scenario Inject is provided to Player set

4b. Tailored Scenario Stakeholder Lead Planner retrieves Corresponding Tailored Inject and distributes to Player set


GridEx III by Calendar Date

[Figure: November 2015 schedule for Tuesday 17, Wednesday 18 and Thursday 19. Labels on the figure: Exercise Control, Executive Tabletop, ESCC Calls, Preparation, Planner Prep, Eastern, Move 1, Move 2, Move 3, Move 4, Hot Wash, 4 hrs]


GEWG Big Picture

[Figure labels: Foundation, Customization, Execution]


Timeline

[Figure: planning timeline. The labels recovered from the figure are listed below in the order they appear.]

Phases: GridEx Working Group; Initial Planning Phase; Mid-term Planning Phase; Final Planning Phase; GridEx III; After Action

Dates: December 10 2014; March 11-12; June 10-11; Sept 3; Nov 18-19; Q1 2016; January 23

2015 Conference Dates: Jax; Atlanta; DC

Other label: GEWG Reform

Activities:

• Confirm exercise infrastructure

• Finalize attack vectors and impacts

• Work on scenario narrative

• Finalize baseline MSEL

• Develop Controller and Player materials

• Draft After Action Survey

• Send injects and oversee player actions

• Capture player actions and findings

• Facilitate Executive Tabletop

• Distribute survey

• Analyze findings and lessons learned

• Draft Final Report

• Finalize custom injects with RCs

• Distribute materials

• Conduct training

• Set up venue and logistics

• Establish Working Group Members

• Establish Mail list

• GridEx Awareness

• Confirm objectives

• Establish boundaries

• Confirm tools

Reliability Coordinator Planning Activities:

• RCs identify Active Organizations in their control area

• RCs establish and participate in RC-to-RC and RC-to-Entity coordination calls

• RCs and entities understand and develop customized injects


Lead Planners – Contact Bill Lawrence


Electricity Sector Information Sharing Task Force (ESISTF)
Progress Report

June 2015
Stephen Diebold, Chairman
Joe Doetzl, Vice Chairman


Contents

• Task Force Members
• Mission Statement
• Task Force History
• Timeline
• Approval
• Outreach


Task Force Members

• Stephen Diebold, Chair
• Joe Doetzl, Vice Chair
• Donald Roberts, Core Team
• Fred Hintermister, Core Team
• Orlando Stevenson, Core Team
• Laura Brown, Core Team
• John Breckenridge, Secondary Reviewer
• Brian Harrell, Secondary Reviewer
• Marcus Sachs, Secondary Reviewer
• Jim Brenton, Final Reviewer


Mission Statement

• Develop a presentation to be used for communicating across industry, especially to cybersecurity and operations personnel, Hydra Team roles and functions.

• Develop a presentation to be used for outreach promoting the ES-ISAC portal use as a central coordination point and reporting tool during crisis.


Task Force History

• CIPC approved the ESISTF Charter on August 21, 2014

• ESISTF members recruited August 2014

• ESISTF began work on its deliverables in September 2014


Timeline

[Figure: ESISTF timeline with axis marks at Aug 2014, Sep 2014, Dec 2014, Mar 2015, Jun 2015 and Sep 2015. Labels shown: Begin Outreach Program; June CIPC; Select Task Force Members; Approval of ES-ISAC and Hydra Presentation; March CIPC; December CIPC; Charter Approved; September CIPC (twice); CIPC Status Report (four times); Finalize ES-ISAC Presentation; Finalize Hydra Presentation; Draft of Hydra Presentation; Draft of ES-ISAC Presentation; Begin Work on ES-ISAC Presentation; Begin Work on Hydra Presentation.]


Timeline


Approval

• 32 slides in ES-ISAC presentation

• 25 slides in Hydra presentation

• Presentations include a speaker's script

Approval of ES-ISAC and Hydra Presentation


Outreach

• The ESISTF will schedule a webinar for disseminating the information

• Would like to present at NERC Region meetings

• Looking for other opportunities at relevant electricity sector conferences


ESISTF



Cyber Security Sub-cmte
Progress Report

Marc Child, Chair


June 2015

Executive Committee
• David Revill, NRECA
• Chuck Abell, Chair, Ameren
• Melanie Seader, EEI
• David Grubbs, ERCOT
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• Jim Brenton, Vice Chair, ERCOT
• Marc Child, Great River
• Laura Brown, Secretary

Subcommittees, working groups (WG) and task forces (TF)
• Business Continuity Guideline TF (Darren Myers)
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (Marc Child)
• Operating Security Subcommittee (Jim Brenton)
• Policy Subcommittee (Nathan Mitchell)
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control System Security WG (Mikhail Falkovich)
• Cybersecurity Analysis WG (TBD)
• ES Information Sharing TF (Stephen Diebold)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Roland Miller)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)


NERC Attack Tree Task Force


ATTF

Status
• Framework – complete
• Tuning – complete*
• Final report to CIPC – complete
• Turnover to ES-ISAC – in progress

* …by the task force

Cyber Attack Task Force (2012)

Recommendation #1: Continue Work on Attack Trees – A separate working group under NERC’s Critical Infrastructure Protection Committee (CIPC) should be established to further develop attack trees with the goal of populating the nodes, performing detailed analysis, and providing recommendations to industry from this analysis.


Cyber Security Subcommittee

Control Systems Security WG
Chair: Mikhail Falkovich


CSSWG

Status
• Continuing bi-weekly working conference calls
• Held three in-person meetings
• Completed 100% of use case diagrams
• Completed 100% of the guideline draft

GridEx II

Lesson Learned #4 Recommendations Summary
Assess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis.


CSSWG

Coordination Efforts
• Continued coordination of the guideline efforts with the Grid Ex Working Group
• Continued coordination with the Lessons Learned effort to ensure that the guideline is correlating with NERC Recommendations


CSSWG

Core Contributors
• Nadya Bartol
• Mikhail Falkovich
• Larry Bugh
• Cynthia Hill-Watson
• Marc Child
• Michael Johnson
• Frances Cleveland
• Carter Manucy
• Tim Conway
• Paul Skare
• Dustin Cornelius

NERC Staff: Laura Brown


CSSWG

Next Steps
• Distribute the draft guideline to a subset of stakeholders
• Submit the guideline for industry comment
• Review and Respond to Comments
• Submit the guideline to CIPC for approval


CSSWG – next assignment…


ATTF

ES-ISAC.com Security Guidelines Annual Review
January, 2014

Name of Guideline | Version | Version Date | Notes - Recommendations
_Security Guideline- Best Practice References | 1.0 | March 2013 | Review this document and update links and content every three years
Communications | 1.0 | June 2002 | Needs a complete refresh, especially in light of CIP-001 retirement and the new EOP-004-2
Continuity of Business Processes | 1.0 | June 2002 | Some redundancy with the Continuity of Operations guideline. This guideline could be retired with minor changes to the Continuity of Operations guideline.
Continuity of Operations | 2.0 | May 2007 | Several reference hyperlinks are bad and need refreshing. Combine this document with the Continuity of Business Processes to form a new BCP guideline.
Control System Cyber Security Incident Response Planning | 1.0 | May 2007 | Needs minor updates (e.g., references to CIP-008 version 1) to content and references. Should probably add a section on contacting the ES-ISAC (when, how, EST instructions, etc).
Emergency Plans | 1.0 | June 2002 | Needs many updates, and perhaps an analysis to determine if it can be retired in favor of the existing Continuity of Operations guideline.
Employment Background Screening | 1.0 | June 2002 | Needs minor updating to content and references
Physical Response | 3.0 | November 2005 | Updates were completed in 2013. New version needs to be published on the ES-ISAC website.
Physical Security | 2.0 | May 2007 | Version 3.0 updates were approved in 2012. New version needs to be published on the ES-ISAC website.
Protecting Potentially Sensitive Information | 1.0 | June 2002 | Version 2.7 was approved in 2012. New version needs to be published on the ES-ISAC website.
Vulnerability and Risk Assessment | 1.0 | June 2002 | Review this document and update links and content every three years


Cyber Security Subcommittee

Questions?


Security Training WG
Progress Report

William Whitney III, Chair
David Godfrey, Vice Chair
Bob Canada, NERC Rep.


Security Training WG

1. Charter
a. CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as educational outreach opportunities.

2. Current Members
Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Rick Carter, James McQuiggan, Jason Phillips, David Scott, Ronald Keen, Tim Conway, Steen Fjalstad, Daniel Moore, Jason Phillips, Nick Rasey, and William Whitney III


Security Training WG

3. Latest Activities
a. Monthly conference calls to discuss long term goals and short term actions
b. Coordinate and provide platform for presentations (webinars and in-person)


Security Training WG

2015 Training Schedule
• April – Shodan – Conversations with Your Control System
• May – Insider Protection
• June – ES-ISAC Portal Training
• June/July – Changing Threat Landscape

Please let us know what training you and/or your fellow colleagues would like to see so we can secure the speakers for that topic. If you or someone you know would like to present on a topic let us know because we would enjoy the information sharing. Remember, what you may think is common knowledge others might not know!


Security Training WG

Recorded Training, Slides, and Documents

1. Go to nerc.com
2. Hover over “Program Areas & Departments”
3. Click “Critical Infrastructure”
4. Click “CIP Training” on the left of the page

*We are still working on loading up the webinars


Security Training WG

1. Training Links

a. TEEX - http://www.teex.org/

b. DHS - http://www.dhs.gov/training-programs-infrastructure-partners

c. DOD - http://iase.disa.mil/eta/online-catalog.html

d. FEMA - https://training.fema.gov/IS/

e. DOE - https://ntc.doe.gov/

f. MS-ISAC - https://msisac.cisecurity.org/resources/videos/free-training.cfm

Have a link for free, quality training? Please share it with us to add to the list.


Security Training WG

4. Next Steps
a. Continue to expand the list of free on demand training from reputable agencies and vendors
b. Secure volunteers to join the group
c. Schedule and prepare future Pre-CIPC training sessions and webinars
d. Work with vendors and/or individuals in the industry to provide specific training to industry
   a. This means you and/or your co-workers that have information to share with the industry

5. CIPC Actions
a. Concerns and/or suggestions for today’s discussion


Office of Electricity Delivery and Energy Reliability (OE)

Department of Energy (DOE)

North American Electric Reliability Corporation (NERC)

Critical Infrastructure Protection Committee (CIPC)


Office of Electricity Delivery and Energy Reliability

USDOE

• Changes at DOE
• Grid Security Report for Congress – Physical Security path forward
• Physical security version of the C2M2
• Transformer Strategy
• PowerSurge
• Energy SSP
• ESCC meeting June 15 at DHS
• Classified brief in Atlanta, Dec 2015


Questions?

JIM MCGLONE
Senior Engineer, Infrastructure Security & Energy Restoration
Office of Electricity Delivery and Energy Reliability
U.S. Department of Energy
Email: [email protected]: 202-586-1287


DOE Cybersecurity Priorities

• Protecting the DOE Enterprise from Cyber Threats
• Bolstering U.S. Government Capabilities to Address Cyber Threats
• Improving Cybersecurity in the Energy Sector

OE Focus Areas
• Build robust information sharing and situational awareness architecture
• Provide tools and technology for owners and operators to strengthen security and resilience
• Develop a robust incident response capability in the energy sector


OE Activities

Energy sector cybersecurity collaboration resulting in:
• Identification and dissemination of sector specific best practices for secure and resilient business and control systems
• Increase and integration of cybersecurity awareness, education, and outreach programs into energy sector and vendor operations
• Improved information sharing mechanisms and strengthened incident response capabilities
• Enhancement of security and resilience focused technology development efforts and commercialization of innovative solutions


Energy Sector Cybersecurity Considerations

Energy Delivery Control Systems

Business IT Systems

Different Priorities


Energy Sector’s synthesis of energy delivery systems security challenges, Research and Development (R&D) needs, and implementation milestones

Provides strategic framework to:

o align activities to sector needs

o coordinate public and private programs

o stimulate investments in energy delivery systems security

Energy Sector Cybersecurity Roadmap

For more information go to: www.controlsystemsroadmap.net


DOE Activities Align with the Roadmap

Build a Culture of Security
• Training
• Education
• Improved communication within industry

Assess and Monitor Risk
• Electricity Subsector Cybersecurity Capability Maturity Model
• Situational Awareness Tools
• Common Vulnerability Analysis
• Threat Assessments
• Consequence Assessments

Develop and Implement New Protective Measures to Reduce Risk
• Support Cybersecurity Standards Development
• Near-term Industry-led R&D projects
• Mid-term Laboratory Academia R&D projects
• Long-term Laboratory Academia R&D projects

Manage Incidents
• NSTB (National SCADA Test Bed)
• Outreach
• Cyber Exercises

Sustain Security Improvements
• Product upgrades to address evolving threats
• Collaboration among all stakeholders to identify needs and implement solutions


CEDS R&D Program Structure

Higher Risk, Longer Term Projects → Core and Frontier National Laboratory Research Program → Academia Projects → Minimum Cost Share

Medium Risk, Mid Term Projects → National Laboratory Led Projects → Lower Cost Share

Lower Risk, Shorter Term Projects → Energy Sector Led Projects → Higher Cost Share

Path to Commercialization

Partnering

The CEDS program emphasizes collaboration among the government, industry, universities, national laboratories, and end users to advance research and development in cybersecurity that is tailored to the unique performance requirements, design and operational environment of energy delivery systems.

The aim of the program is to reduce the risk of energy disruptions due to cyber incidents as well as survive an intentional cyber assault with no loss of critical function. This program has resulted in increased security of energy delivery systems around the country.


Collaboration Transitions R&D to Practice

Applied Research
Open Process Control System (PCS) Security Architecture for Interoperable Design, known as OPSAID, provides vendors of supervisory control and data acquisition/energy management systems (SCADA/EMS) with the capability to retrofit secure communications for legacy devices, and to design-in interoperable security for future energy delivery control systems.
Sandia National Laboratories

Field Demonstration
Lemnos has become a broad industry partnership for secure, interoperable communications.
Increasing numbers of energy delivery system vendors have demonstrated Lemnos, today at least ten.

Open Source Solution
Broad energy sector partnership uses Lemnos
Interoperable, secure routable energy sector communications

Commercial Product
Schweitzer Engineering Laboratories Ethernet Security Gateway SEL-3620 implements Lemnos

CEDS projects engage national labs, vendors, asset owners, and academia throughout the project lifecycle to deliver relevant projects with clear commercialization paths.

Prototype Development
Commercial prototype and open source configuration profile for interoperable secure routable energy sector communications
EnerNex Corporation, Sandia National Laboratories, Schweitzer Engineering Laboratories, Tennessee Valley Authority, 7 Network Security Vendors


C2M2 Program

ES-C2M2
• Public-private collaborative effort
• Sector specific subject matter expertise
• Pilot evaluations

ONG-C2M2
• Tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies.

C2M2
• Without sector-specific references or terms of art
• Refined through the ONG pilots, and also via cross-sector outreach


• Strengthen cybersecurity capabilities
• Enable consistent evaluation and benchmarking of cybersecurity capabilities
• Share knowledge and best practices
• Enable prioritized actions and cybersecurity investments

If requested, DOE facilitates voluntary self-evaluations free of cost. DOE also plans to work with private sector stakeholders to develop energy sector benchmarking based on non-attributable data

C2M2 Goals


Cybersecurity Framework Implementation Guidance


The Energy Sector Cybersecurity Framework Implementation Guidance Document was developed with extensive public and private sector collaboration.

The Guidance was published on January 8th, 2015.

DOE will continue engagement with energy sector to encourage Framework adoption.

Guidance outlines a general approach to Framework implementation, followed by an example of a tool-specific approach to implementing the Framework.


In 2012, former Deputy Secretary of Energy Poneman directed senior staff at DOE to develop a Cyber Incident Response Plan for integrated national response for the Energy Community.

This kicked off a multi-year effort to organize internally and externally to develop a timely, coordinated, effective, and efficient Cyber Incident Management Capability for integrated national response.

The capability will utilize governmental and non-governmental resources to prevent, protect, mitigate, respond, and recover from a high-impact cyber incident.

Integrated National Response to a Cyber Incident


Building Incident Management Capacity: “Playbooks” & Capabilities

Electricity Subsector Playbook to address a cyber attack:
• Part of a larger DHS-led effort to identify incident response processes in critical infrastructure sectors
• Collaboration between government and industry to identify responsibilities and activities
• Specific types of attack addressed

Government and Industry Capabilities in the Electricity Subsector:
• Part of a larger DHS-led effort to identify incident response capabilities in critical infrastructure sectors
• Collaboration between government and industry to identify existing capabilities

Executive-level Playbooks:
• ESCC directed a Senior Executive Industry Playbook that addresses all-hazards
• Government entities have similar playbooks for executive communications and alert levels


Sector Cyber Exercises


DOE has collaborated with industry for participation in both national and regional preparedness projects including cyber exercises.

Examples of the cybersecurity exercises DOE has developed or participated in are:

• Cyber Incident Management Capabilities (CIMC) Exercise Series

• North American Electric Reliability Corporation (NERC) Grid Security Exercise (GridEx)

• Dams Sector Information Sharing Drill


Mission: Utilizing advanced technologies and innovative analytical capabilities, establish and maintain effective collaboration with energy sector partners through robust bi-directional information sharing, providing them with targeted, actionable information to enable requirement setting, detection, prevention, mitigation, and rapid response to emerging threats.

Vision: By 2019, an enduring, trusted bi-directional information sharing partnership between the Department of Energy and its energy sector partners significantly enhances the security of energy sector infrastructure systems while also improving the U.S. Government’s near real-time situational awareness.

Cybersecurity Risk Information Sharing Program


Why Machine-Machine Information Exchange?

• Mitigate risks
• Facilitate defense of both Information and Operations Technology networks
• Support Government enrichment efforts
• Support broad situational awareness of cyber threats


Supporting Coordinated Cyber Threat Defense

Local Threat Detection

Near real-time information exchange (CFM)

Global Threat Protection

Situational Awareness / Data Analytics


Tracy Ruffin

From: Tracy Ruffin
Sent: Wednesday, April 15, 2015 11:47 AM
To: Tracy Ruffin
Subject: NERC Announcement -- Critical Infrastructure Protection Committee Meeting

Follow Up Flag: Follow up
Due By: Wednesday, June 17, 2015 1:00 PM
Flag Status: Flagged

Meeting Announcement
Critical Infrastructure Protection Committee
June 9‐10, 2015 | Atlanta, GA

The Westin Buckhead Atlanta 3391 Peachtree Road NE Atlanta, GA  30326 404‐365‐0065 

Click here for: Meeting Registration Click here for: Hotel Reservations 

For more information or assistance, please contact Tracy Ruffin (via email). 

3353 Peachtree Road NE Suite 600, North Tower 

Atlanta, GA 30326 404‐446‐2560 | www.nerc.com 

____________________________ Tracy Ruffin Executive Assistant Electricity Sector Information Sharing and Analysis Center North American Electric Reliability Corporation 1325 G Street NW, Suite 600 Washington, DC 20005 202-644-8084 office | 202-604-8398 cell 

Exhibit A


Agenda Critical Infrastructure Protection Committee June 9, 2015 | 1:00–5:00 p.m. (EDT) June 10, 2015 | 8:00 a.m.–Noon (EDT)

The Westin Buckhead Atlanta 3391 Peachtree Road NE Atlanta, GA 30326 404-365-0065

Critical Infrastructure Protection Committee (CIPC) Workshop: ES-ISAC Portal 2.0 – Overview and Training of the new ES-ISAC website NERC Headquarters 3353 Peachtree Road, NE Suite 600, North Tower Atlanta, GA 30326 (404) 446-2650 June 9, 2015 | 8:00 a.m.–Noon (EDT)

CIPC Meeting The Westin Buckhead Atlanta CIPC Working Lunch | June 9, 2015 | Noon–1:00 p.m. (EDT) Room: TBD June 9, 2015 | 1:00 p.m.–5:00 p.m. (EDT) June 10, 2015 | 8:00 a.m.–Noon (EDT) Room: TBD

Introductions and Welcome – Mr. Chuck Abell, CIPC Chair, Ameren Services

NERC Antitrust Compliance Guidelines and Public Announcement – Ms. Laura Brown, CIPC Secretary, NERC Staff

Agenda Items

1. Opening Remarks – Mr. Marc Sachs, Chief Security Officer, ES-ISAC, NERC Staff

2. Administrative – Ms. Laura Brown, CIPC Secretary, NERC Staff

a. Safety Briefing and Emergency Precautions, Westin Staff

Exhibit B


b. Declaration of CIPC Quorum

c. CIPC Roster

d. Parliamentary Procedures – In the absence of specific provisions in the CIPC charter, the committee shall conduct its meetings guided by the most recent edition of Robert’s Rules of Order, Newly Revised.

3. Consent Agenda – Mr. Chuck Abell, CIPC Chair, Ameren Services

a. Draft December CIPC Minutes

b. Committee Membership Appointments and Changes:

TRE | David Grubbs | City of Garland | Operations
TRE | Jim Brenton | ERCOT | Cyber
TRE | Darrell Klimitcheck | STEC | Physical
FRCC | Paul McClay | TECO | Cyber
FRCC | Carter Manucy | Fla Municipal | Physical
FRCC | Joe Garmon | Seminole | Operations
MRO | Marc Child | Great River | Cyber
MRO | Paul Crist | LES | Physical
MRO | Joe Mayfield | WAPA | Operations
NPCC | John Galloway | ISO-NE | Operations
NPCC | Greg Goodrich | NYISO | Cyber
NPCC | Rick Twigg | Velco | Physical
RFC | Larry Bugh | RFC | Cyber
RFC | Kent Kujala | Detroit | Operations
RFC | Jeff Fuller | DPL | Physical
SERC | Chuck Abell | Ameren | Operations
SERC | Cynthia Hill-Watson | TVA | Cyber
SERC | Bruce Martin | Duke Energy | Physical
SPP | John Breckenridge | KCPL | Physical
SPP | Allen Klassen | Westar | Operations
SPP | Eric Ervin | Westar | Cyber
WECC | Allan Wick | Tri-State | Physical
WECC | Mike Mertz | PNM | Cyber
WECC | Vacant | | Operations
APPA | Scott Smith | Bryan TX Utilities | Physical
APPA | Nathan Mitchell | APPA | Policy
CEA | Chris McColm | Manitoba | Physical
CEA | Ross Johnson | Capital Power | Physical
CEA | David Dunn | IESO | Policy
NRECA | Robert Richhart | Hoosier | Policy
NRECA | David Revill | Georgia Trans | Policy

4. Chair’s Remarks – Mr. Chuck Abell, CIPC Chair, Ameren Services

Critical Infrastructure Protection Committee Agenda--June 9-10, 2015 2


5. ES-ISAC Update – Mr. Ben Miller, NERC Staff

6. Security Reliability Program and Directions for 2015 – Mr. Scott Mix, NERC Staff

7. Physical Security Advisory Group Update – Mr. Bob Canada, NERC Staff

8. Development of Additional Guidance for CIP-014-1. Physical Security – Mr. Tobias Whitney, NERC Staff

9. CIP V5 Transition and CIP V5 Revisions – Mr. Tobias Whitney, NERC Staff

10. Reliability Issues Steering Committee (RISC) Update and the Reliability Risk Control Process – Mr. Nathan Mitchell, CIPC Vice Chair and representative to RISC, American Public Power Association (APPA)

11. Legislative Update – Mr. Nathan Mitchell, CIPC Vice Chair, APPA

12. Electricity Sub-sector Coordinating Council Update – Mr. Nathan Mitchell, CIPC Vice Chair and representative to RISC, APPA

13. North American Transmission Forum (NATF) - Security Practices Group Activity Update – Mr. Jim Rowan, NATF

14. Canadian Electricity Association Trip Report – Mr. Ross Johnson, Capital Power

15. Subcommittee Chairs, Subgroups, Progress, and Remarks – Mr. Chuck Abell, CIPC Chair, Ameren Services

16. Operating Security Subcommittee – Mr. Jim Brenton, CIPC Vice Chair and Subcommittee Chair, ERCOT

a. Business Continuity Guideline Task Force (BCGTF) – Mr. Darren Myers, BCGTF Chair, Duke Energy, will report on GridEx II assignments to the BCGTF.

BCGTF Charter – approved by CIPC through email ballot on August 22, 2014.

b. Grid Exercise Working Group (GEWG) – Mr. Tim Conway, GEWG Chair, SANS, will report on GridEx III preparations for this year’s exercise.

GEWG Charter

c. Electricity Sector Information Sharing Task Force (ESISTF) – Mr. Stephen Diebold, ESISTF Chair, ABB, will report on the ESISTF’s recent activities.

ESISTF Charter – approved by CIPC through email ballot on August 20, 2014.

ESISTF Report

Approved by CIPC – June 11, 2013 Accepted by ESCC – July 11, 2013 Accepted by NERC BOT – August 15, 2013

17. Cybersecurity Subcommittee – Mr. Marc Child, Subcommittee Chair, Great River Energy

a. Control Systems Security Working Group (CSSWG) – Mr. Mikhail Falkovich, CSSWG Chair, PSEG, will report on the progress of the work completed and contemplated.


CSSWG Charter – approved by CIPC through email ballot on August 18, 2014.

b. Cyber Attack Tree Task Force (CATTF) – Mr. Marc Child, Subcommittee Chair, Great River Energy, will provide an update on the status of the CATTF.

CATTF Charter

18. Physical Security Subcommittee – Mr. David Grubbs, Subcommittee Chair, City of Garland Power and Light

a. Physical Security Guideline Task Force (PSGTF) – Mr. John Breckenridge, PSGTF Chair, Kansas City Power and Light, is awaiting new assignment(s).

PRGTF Charter

Electricity Sector: Physical Security Response Guideline

b. Physical Security Working Group (PSWG) – Mr. Ross Johnson, PSWG Chair, Capital Power will report on the progress of work completed and contemplated.

PSWG Charter

c. Security Training Working Group (STWG) – Mr. William Whitney III, STWG Chair, City of Garland Power and Light, will report on the STWG progress, scheduled training, and contemplated webinars.

STWG Charter

19. Policy Subcommittee – Mr. Nathan Mitchell, CIPC Vice Chair, APPA

a. Bulk Electric System Security Metrics Working Group (BESSMWG) – Mr. Roland Miller, BESSMWG Chair, NextEra Energy, will report on the progress of work completed and contemplated.

BESSMWG Charter

State of Reliability 2015

b. Compliance Enforcement and Input Working Group (CEIWG) – Mr. Paul Crist, CEIWG Chair, Lincoln Electric System, will report on the progress of the work completed and contemplated.

CEIWG Charter

c. Physical Security Standard Working Group (PSSWG) – Mr. Matt Stryker, on behalf of Mr. Allan Wick, PSSWG Chair, Tri-State G&T, will report on the progress of the work completed and contemplated.

PSSWG Charter - approved by CIPC through email ballot on February 9, 2015.

20. Agency Updates

a. Federal Energy Regulatory Commission – Mr. David Norton

b. Department of Energy – Mr. Jim McGlone


21. Schedule of Important Dates:

Dates | Time | Type | Location | Hotel
June 9, 2015 | 8:00 a.m.–Noon (EDT) | Cybersecurity CIPC Workshop | Atlanta, GA | Westin Buckhead Hotel, 3391 Peachtree Rd N.E., Atlanta, GA 30326, (404) 365-0065
June 9, 2015 | Noon–5:00 p.m. (EDT) | CIPC Meeting | Atlanta, GA | Westin Buckhead Hotel, 3391 Peachtree Rd N.E., Atlanta, GA 30326, (404) 365-0065
June 10, 2015 | 8:00 a.m.–Noon (EDT) | CIPC Meeting | Atlanta, GA | Westin Buckhead Hotel, 3391 Peachtree Rd N.E., Atlanta, GA 30326, (404) 365-0065
September 15, 2015 | 8:00 a.m.–Noon | Physical Security CIPC Workshop | New Orleans, LA | JW Marriott New Orleans, 614 Canal Street, New Orleans, LA 70130, (504) 525-6500
September 15, 2015 | Noon–5:00 p.m. | CIPC Meeting | New Orleans, LA | JW Marriott New Orleans, 614 Canal Street, New Orleans, LA 70130, (504) 525-6500
September 16, 2015 | 8:00 a.m.–Noon | CIPC Meeting | New Orleans, LA | JW Marriott New Orleans, 614 Canal Street, New Orleans, LA 70130, (504) 525-6500
September 16, 2015; September 17, 2015 | Noon–5:00 p.m.; 8:00 a.m.–Noon | CIPC Executive Committee Annual Planning Meeting | New Orleans, LA | JW Marriott New Orleans, 614 Canal Street, New Orleans, LA 70130, (504) 525-6500
October 13-16, 2015 | 8:00 a.m.–5:00 p.m. | GridSecCon 2015 | Philadelphia, PA | Hyatt Regency Philadelphia at Penn’s Landing, 201 South Columbus Boulevard, Philadelphia, PA 19106, (215) 521-6553
November 18-19, 2015 | 8:00 a.m.–5:00 p.m. | GridEx III | Remote Play | NA
December 15, 2015 | 8:00 a.m.–Noon (EST) | DHS/DOE Energy Sector Classified Briefing (No CIPC Workshop) | TBD | FBI Training Room, 3rd floor, FBI Atlanta, 2635 Century Parkway, N.E., Atlanta, GA 30345
December 15, 2015 | Noon–5:00 p.m. (EST) | CIPC Meeting | Atlanta, GA | Westin Buckhead Hotel, 3391 Peachtree Rd N.E., Atlanta, GA 30326, (404) 365-0065
December 16, 2015 | 8:00 a.m.–Noon (EST) | CIPC Meeting | Atlanta, GA | Westin Buckhead Hotel, 3391 Peachtree Rd N.E., Atlanta, GA 30326, (404) 365-0065

22. Closing Remarks and Action Items

23. Adjournment
