Jul 26, 2020

Page 1:

Forward Together • ReliabilityFirst

Follow us on LinkedIn and @RFirst_Corp on Twitter

#RFWorkshop

Page 2:

2017 CIP Monitoring Plan

Ray Sefchik - Manager, CIP Compliance Monitoring, RF

CISA, CISM, CISSP

Page 3:

2017 ERO Enterprise CIP V5 and CIP-014

For 2017, the ERO Enterprise will continue a focused approach to monitoring initial compliance with CIP Version 5 and CIP-014.

The goals of the 2017 monitoring approach include understanding program effectiveness, supporting CIP Version 5 transition and CIP-014 implementation, identifying successes and challenges, and tailoring monitoring to appropriate risks.

Page 4:

CIP V5 and CIP-014 Areas of Focus

On July 1, 2016, the high and medium impact requirements for CIP Version 5 went into effect. The results of the 2016 CIP-002-5.1 Self-Certification have revealed that the scope of the CIP standards has greatly increased the number of substations and generation facilities with BES Cyber Assets.

Entity Inherent Risk Assessments (IRAs) and Compliance Monitoring Plans have helped to identify key risks for a given entity; however, the ERO Enterprise will continue to focus on certain elements of cybersecurity for higher risk entities. The 2017 priorities will continue to address the Areas of Focus (as described on slide 4) that were introduced in 2016. The 2017 priorities are further described below:

• Generation facilities greater than 1500 MW
• Medium Impact BES Cyber Assets at Substations
• Network Architecture

Page 5:

2017 ERO IP - Areas of Focus

Columns: Standard / Requirements / Entities for Attention / Asset Types

CIP-002-5.1 – R1, R2
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-005-5 – R1, R2
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-006-6 – R1, R2, R3
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations

CIP-007-6 – R1, R2, R3, R5
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers

CIP-014-2 – R1, R2, R3
  Entities for Attention: Transmission Owner
  Asset Types: Transmission Stations and Substations

Page 6:

CIP V5 & CIP-014 ERO Other Considerations

Oversight of the CIP V5 and CIP-014 Standards and Requirements will also involve direct oversight of the Responsible Entities’ CIP programs by NERC and, in some cases, with staff from Applicable Governmental Agencies (AGA).

• For example, Federal Energy Regulatory Commission (FERC) staff and NERC staff have been coordinating in support of joint compliance monitoring of registered entities in 2016. While specific entities and the scope of 2017 activities have not been fully determined, NERC anticipates continued coordination with FERC staff to minimize any duplication of effort, with emphasis given to ensure that Responsible Entity resources are not unnecessarily impacted.

Page 7:

2017 RF CIP Compliance Monitoring

ReliabilityFirst performs IRAs for each Registered Entity based upon the audit schedule.

This schedule and the IRAs themselves may be revised based on emerging risks, a Registered Entity’s performance that requires Regional attention, or any other changes to a Registered Entity or otherwise that may impact a Registered Entity’s risk to the Bulk Power System.

The Entity-specific IRAs are performed using both the ERO and Regional Risk Elements and the unique Bulk Power System characteristics of each entity.

Page 8:

2017 RF IP – Areas of Focus

Columns: Standard / Requirements / Entities for Attention / Asset Types

CIP-002-5.1 – R1, R2
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-003-6 – R1, Part 1.1
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-004-6 – R1, R2, R3, R4, R5
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-005-5 – R1, R2
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-006-6 – R1, R2, R3
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations

CIP-007-6 – R1, R2, R3, R4, R5
  Entities for Attention: Balancing Authority, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers

Page 9:

2017 RF IP – Areas of Focus (cont.)

Columns: Standard / Requirements / Entities for Attention / Asset Types

CIP-008-5 – R1, R2, R3
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-009-6 – R1, R2, R3
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-010-2 – R1, R2
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-011-2 – R1, R2, R3, R4
  Entities for Attention: Balancing Authority, Generator Operator, Generator Owner, Reliability Coordinator, Transmission Operator, Transmission Owner
  Asset Types: Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities

CIP-014-2 – R1, R2, R3, R4, R5, R6
  Entities for Attention: Transmission Owner
  Asset Types: Transmission Stations and Substations

Page 10:

RF CIP Monitoring Audit Plan

CIP Compliance Monitoring Audit Plan

• ReliabilityFirst will conduct eleven (11) on-site CIP Audits in 2017, and may conduct additional audits as necessary
• Five of the eleven audits are Multi-Region Registered Entity (MRRE) engagements, and ReliabilityFirst is the Lead Regional Entity for four of these audits
• ReliabilityFirst is developing the scope for these audits through its IRA process
• ReliabilityFirst has already contacted the Registered Entities being audited in 2017 to arrange schedules and confirm the audit engagements

Page 11:

RF CIP Monitoring Guided Self-Certification Plan

CIP Compliance Monitoring Audit Plan

• ReliabilityFirst will perform a guided self-certification of CIP Low Impact only Registered Entities in 2017.
  ‒ The guided self-certification will be based upon the results of the 2016 CIP Self-Certification, which identified Registered Entities with only Low Impact BES Assets determined through assessment using the CIP V5 Impact Rating Criteria
  ‒ This guided self-certification will be focused on all CIP V5 Low Impact Standards and Requirements in effect as of April 1, 2017
  ‒ Each Registered Entity will be required to submit substantiating evidence to support its determination of compliance for those applicable requirements

Page 12:

RF CIP “Other” Monitoring Methods and Schedule

RF reserves the right to add monitoring efforts to our 2017 schedule based on:
• Emerging Cyber and Physical Risks
• A Registered Entity’s performance that requires Regional attention
• Other changes to a Registered Entity or otherwise that may impact a Registered Entity’s risk to the Bulk Power System
• Changes to the ERO and/or Regional Risk Elements

• Monitoring will be conducted by any of the following CMEP methods:
  ‒ Audit
  ‒ Spot Check
  ‒ Guided Self-Certification
  ‒ Data Submittal

Page 13:

Questions & Answers

Page 14:

(Closing slide: repeats the Follow us on LinkedIn / @RFirst_Corp / #RFWorkshop banner from page 1.)

Page 15:

Keep Calm and CIP On

EDP Renewables North America’s Experience with NERC CIP Medium and Low Impact Requirements

Andy Schiefelbein, IT NERC Security Manager

Page 16:

Agenda

• EDPR NA Overview
• Transition Timeline
• CIP 3
• CIP 4
• CIP 5
• CIP Program Overview
• Implementation – Successes and Challenges
• Recommendations and Lessons Learned
• Questions

Page 17:

Who is EDPR NA?

EDP Renewables North America LLC developed, constructed, owns and operates 39 wind and two solar power plants throughout North America with installed capability exceeding 4,600 MW

Employs over 380 people

Ranked fourth in the U.S. in terms of total installed wind capacity

Headquartered in Houston with regional and development offices across the country

Remote Operations Control Center located in Houston, TX

Generator Owner and Generator Operator located in 7 of the 8 NERC Regional Entities with RF as Lead Regional Entity (LRE)

Owned by EDP Renewables, a leading renewable energy company that is present in the United States, Spain, Belgium, Brazil, Canada, France, Italy, Mexico, Poland, Portugal, Romania and the United Kingdom


Page 18:

EDP Renewables North America – Geographical Presence (map slide; only its labels survive, listed below)

Offices: Houston, TX (U.S. Headquarters); Toronto, ON (Canada Headquarters); Portland, OR (Western Region Office)

States and provinces labelled on the map: California, Arizona, Texas, Minnesota, Wisconsin, Illinois, Ohio, Ontario, Maine

Plants (map legend: Operational):
Elkhorn Valley – 101 MW
Wheat Field – 97 MW
Rattlesnake Road – 103 MW
Lone Star I & II – 400 MW
Blue Canyon I & II – 225 MW
Blue Canyon V – 99 MW
Meridian Way I & II – 201 MW
Lost Lakes – 101 MW
Prairie Star – 101 MW
Headwaters – 200 MW
Rail Splitter – 101 MW
Twin Groves I & II – 396 MW
Top Crop I – 102 MW
Meadow Lake I – 200 MW
Madison – 12 MW
Maple Ridge I & II – 322 MW
Kittitas Valley – 101 MW
Top Crop II – 198 MW
Meadow Lake II – 99 MW
Meadow Lake III & IV – 202 MW
Marble River – 215 MW
South Branch – 30 MW
Rising Tree I, II & III – 198 MW
Lone Valley I & II Solar – 30 MW
Blue Canyon VI – 100 MW
Timber Road II – 99 MW
Arbuckle Mountain – 100 MW
Ad Astra – 200 MW
Pioneer Prairie I and II – 300 MW

Page 19:

EDPR NA Under CIP v3 Requirements

CIP-002 Critical Cyber Asset Identification
R1. Critical Asset Identification Method – RBAM
R2. Critical Asset Identification – Critical Assets = No
R3. Critical Cyber Asset Identification – Critical Cyber Assets = No
R4. Annual Approval – Reviewed & approved annually

CIP-003 Security Management Controls
R2. Leadership
  Designation of CIP Senior Manager
  Delegated Authority by CIP Senior Manager
  Document changes within 30 calendar days

Page 20:


NERC CIP Transition Timeline v3 to v4 to v5

CIP Version 4 – Due April 1, 2014

Why start here?

• As stated earlier, EDPRNA had no Assets defined as critical under version 3 requirements.

• So, the genesis of our Version 5 program started with the need to adopt CIP version 4

• First Action – Gather the Steering Committee for a New Full CIP Program.

• Members – EVP Asset Operations, General Counsel, Director of IT, Director of Control Center Ops, Director of Remote Operations

Page 21:


NERC CIP Transition Timeline v3 to v4 to v5

CIP Version 4 – Due April 1, 2014

First Actions – Q4 2012 and Q1 2013

• Steering Committee Creates the CIP Working Group

• Members – Sr. Manager Regulatory Compliance, SCADA Manager, Sr. Manager ROCC operations, Manager Operations Compliance, IT Consultants

• First Project of the Program – GAP Analysis v3 to v4

• Findings – CIP-002 v4 Attachment 1 – 1.15 “Each Control Center used to Control Generation at Multiple Locations that exceeds 1500MW in a single interconnection…..

Page 22:

EDP Renewables North America – Geographical Presence (the map slide from page 18, shown again; its labels are not repeated here)

Page 23:

NERC CIP Transition Timeline v3 to v4 to v5

CIP Version 4 – Due April 1, 2014

…. EDPRNA now operates Critical Assets

• Next step – CIP Working Group defines objectives
• Full CIP Program CIP-002 to CIP-009 by 12/31/13
• Divide program into four major project groups
  • Policy and Procedures
  • Infrastructure
  • Security – Cyber and Physical
  • Training

Page 24:


NERC CIP Transition Timeline v3 to v4 to v5

Project Breakdowns

Who is responsible for what?

• Steering Committee – CIP-002

• Policy and Procedure Project – CIP-003, CIP-008

• Infrastructure – CIP-005, CIP-006, CIP-007, CIP-009

• Security – CIP-005, CIP-006, CIP-008

• Training – CIP-004 primarily, but all CIP Standards require training

Page 25:


NERC CIP Transition Timeline v3 to v4 to v5

Ready, Set, Go!

Begin Program Build Out Q2 2013

• Team consisted of nearly 30 members between FTEs (partial time requirements) and Consultants – 11 tasked only to CIP with others as needed

• 4 Projects working at the same time with joint meetings to define workflows, documentation needs, architecture, and compliance requirements

• Program management is key – there are many moving parts; this is not a task that can be given to a current employee who has a few extra minutes every week.

Page 26:


NERC CIP Transition Timeline v3 to v4 to v5

Advantages

No Prior CIP v3 Environment to Adapt

• With no Critical Assets in version 3, EDPRNA had no systems to adapt to the new version

• Instead, on the recommendation of IT, a new Protected CIP environment was built from the ground up, with the requirements in hand

• Once the infrastructure was built, tested, and approved, the identified CCAs were migrated into the new environment

Page 27:


NERC CIP Transition Timeline v3 to v4 to v5

Disadvantages

No Prior CIP v3 Experience to Lean on

• No “real” CIP audit experience: EDPRNA had no experience with the system, and no past results to review

• Internal resources were far more familiar with the Reliability Standards (693), and CIP was a new world – from a remain-online-and-ready mindset to a remain-safe-and-secure mindset

• Led to a few disagreements on some back up systems

• Everything is new, training is not only needed but mandatory

Page 28:

NERC CIP Transition Timeline v3 to v4 to v5

A Hard Decision

Interactive Remote Access

EDPRNA found that the language for CIP v4 concerning interactive remote access was not defined well enough to be comfortable with providing remote access in a method that would ensure compliance. Our needs for interactive access were off-hours support only. The team decision was to allow only READ access for non-working hours support.

This did place more burden on our operators, as they would have to function as our remote hands for both IT and SCADA support. This determination was not made lightly, and we understood the amount of cross-training required. Ultimately, it was determined that this represented less compliance and operational risk than poorly implementing interactive access.

Page 29:


NERC CIP Transition Timeline v3 to v4 to v5

A short interlude – Q4 2013

Version 4 is dead, Long live Version 5!

• Before we leave Version 4 to the recycle bin of history, a few takeaways

• Engage NERC and your EROs early and often: Compliance Conferences, Forums, and Small Group Advisory Sessions

• Training! I cannot stress enough, work with your Corporate training group as soon as you have material to train on.

• Give yourself time; do not short-change how long you think this will take. If you are becoming a CIP auditable entity, plan some extra time in, because changes will occur

• Train some more!

Page 30:


NERC CIP Transition Timeline v3 to v4 to v5

CIP Version 5 – Due July 1, 2016

Here we go again.

• Where to begin? GAP analysis!

• This time it was quick (relatively) and involved the whole project team

• What did we find?

• Clarified Language

• Impact levels

• New Standards – CIP-010, CIP-011 – The requirements were there, just buried in other standards

Page 31:

EDPR NA Transitions to CIP v5

CIP-002 BES Cyber System Categorization
R1. Identify High, Medium and Low Impact BCS
  High Impact BCS = No
  Medium Impact BCS = Yes
  Assets containing Low Impact BCS = Yes
R2. Annual Approval – Reviewed & approved annually

CIP-003 Security Management Controls
R1. Cyber Security Policies Reviewed/Approved Annually by CIP Senior Manager
  For High and Medium Impact BCS
  For Assets Containing Low Impact BCS
R2. Cyber Security Plans for Low Impact BCS (Attachment 1)
  Cyber Security Awareness
  Physical Security Controls
  Electronic Access Controls for LERC & Dial-up Connectivity
  Cyber Security Incident Response
R3. Designation of CIP Senior Manager – No process change
R4. Delegated Authority by CIP Senior Manager – No process change

Page 32:

CIP-002

EDPRNA under CIP-002-5.1

• CIP-002-5.1 Attachment 1, 2.11 - Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection.
• EDPRNA exceeds the 1500 MW of generation in the Eastern Interconnect
• 1 Medium Impact Location with its supporting infrastructure
  • Remote Operations Control Center in Houston
  • Back Up Control Center
  • CIP Protected environment in Data Center
  • IT Support Office
• 30 Low Impact locations nationwide in all three interconnects and 7 of the 8 Regional Entities, sorry FRCC
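
The criterion 2.11 test applied on this slide, worked as an added example (not EDPR's or ReliabilityFirst's code): for each Interconnection, every site's highest monthly rating over the preceding 12 calendar months is summed and compared with the 1500 MW threshold. Site names and MW figures are taken from the map slide; the Interconnection assignments, the month-by-month values and the "Divested Plant" row are constructed placeholders.

```python
"""CIP-002-5.1 Attachment 1 criterion 2.11, as quoted on the slide: a Generator
Operator Control Center is Medium Impact when the aggregate highest-rated net
Real Power capability of the preceding 12 calendar months is >= 1500 MW in a
single Interconnection."""
from __future__ import annotations
from collections import defaultdict
from datetime import date
from typing import Iterable, Optional

THRESHOLD_MW = 1500  # the 1500 MW figure quoted on the slide

Rating = tuple[str, str, int, int, int]  # (site, interconnection, year, month, MW)


def preceding_months(as_of: date, n: int = 12) -> list[tuple[int, int]]:
    """(year, month) pairs for the n calendar months before as_of's month,
    most recent first."""
    y, m = as_of.year, as_of.month
    out = []
    for _ in range(n):
        m -= 1
        if m == 0:
            y, m = y - 1, 12
        out.append((y, m))
    return out


def aggregate_highest_rated(ratings: Iterable[Rating], as_of: date) -> dict[str, int]:
    """Per Interconnection, the sum of each site's highest monthly rating inside
    the 12-month window.  Rows outside the window are ignored, so a plant that
    left the fleet before the window, or a derate since lifted, cannot distort it."""
    window = set(preceding_months(as_of))
    highest: dict[tuple[str, str], int] = {}
    for site, inter, year, month, mw in ratings:
        if (year, month) in window:
            highest[(site, inter)] = max(highest.get((site, inter), 0), mw)
    agg: dict[str, int] = defaultdict(int)
    for (_, inter), mw in highest.items():
        agg[inter] += mw
    return dict(agg)


def interconnections_meeting_2_11(ratings: Iterable[Rating], as_of: date,
                                  threshold: int = THRESHOLD_MW) -> list[str]:
    """Interconnections in which the Control Center's aggregate meets 2.11.
    A non-empty result means the Control Center's BES Cyber Systems are Medium Impact."""
    agg = aggregate_highest_rated(ratings, as_of)
    return sorted(i for i, mw in agg.items() if mw >= threshold)


def _full_year(site: str, inter: str, mw: int, year: int = 2016,
               derate: Optional[tuple[int, int]] = None) -> list[Rating]:
    """Twelve monthly rows for one site; derate=(month, MW) lowers one month."""
    return [(site, inter, year, m, derate[1] if derate and derate[0] == m else mw)
            for m in range(1, 13)]


# Constructed rating history (Interconnection assignments are illustrative only).
SAMPLE_RATINGS: list[Rating] = (
    _full_year("Meadow Lake I", "Eastern", 200)
    + _full_year("Meadow Lake III & IV", "Eastern", 202)
    + _full_year("Twin Groves I & II", "Eastern", 396, derate=(7, 300))  # July derate
    + _full_year("Top Crop II", "Eastern", 198)
    + _full_year("Headwaters", "Eastern", 200)
    + _full_year("Maple Ridge I & II", "Eastern", 322)
    + _full_year("Marble River", "Eastern", 215)
    + _full_year("Lone Star I & II", "ERCOT", 400)
    + _full_year("Rising Tree I, II & III", "WECC", 198)
    + _full_year("Kittitas Valley", "WECC", 101)
    + [("Divested Plant", "WECC", 2015, 6, 2000)]  # outside a 2016 window: ignored
)

if __name__ == "__main__":
    as_of = date(2017, 1, 1)  # window = January..December 2016
    print(aggregate_highest_rated(SAMPLE_RATINGS, as_of))
    print("Medium Impact via 2.11 in:", interconnections_meeting_2_11(SAMPLE_RATINGS, as_of))
```

The July derate on Twin Groves does not lower the Eastern total because 2.11 counts the highest rating in the window, while the 2015 row only matters once the window is moved back to cover it.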

Page 33:

EDP Renewables North America – Geographical Presence (the map slide from page 18, shown again; its labels are not repeated here)

Page 34:

CIP-003

Security Management Controls

• Policies – Review v4 policies and update for the language change
• Low Impact – Add to the Medium Impact policies statements pertaining to low impact sites in the areas of Cyber Security Awareness, Physical Security, Electronic Security, Cyber Security Incident Response

New Full Time Employee #1

• Process to delegate authority
• CIP program has grown large enough that it requires a number of new FTE positions
• First identified need – NERC CIP Sr. Manager – Has the delegated authority from EDPRNA’s named CIP Senior Manager to run the program on a day-to-day basis.

Page 35:

CIP-004

Personnel and Training

• One program for both Medium and Low Impact sites
• SME training is targeted to those employees in Operations, HR, SCADA, Regulatory Compliance, and IT.
• Cyber Security Awareness is company-wide for all employees
  • Annual Cyber Security Awareness Course
  • Develop training that keys to real-world events – Ukraine 2015
  • Cyber Security Awareness Month - October
• Engaging with HR early is critical to ensure that workflows are adjusted to meet Compliance Requirements
  • Complete Training before granting electronic or unescorted physical access
  • Ensure Corporate Personnel Risk Assessments meet NERC requirements
  • Add dates for completion of the PRAs and confirm annually that all employees and contractors are current
  • Notifications from HR to IT when employment separation events occur to ensure the 24-hour requirement is met
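
An added example (not EDPR's code) of the checks the CIP-004 bullets above describe: PRA and training complete before access is granted, the annual confirmation that every employee and contractor is still current, and the 24-hour revocation check fed by HR separation notices. The 15-calendar-month training and 7-year PRA intervals are taken from CIP-004-6 R2 Part 2.3 and R3 Part 3.5, not from the slide; the roster, names and dates are constructed.

```python
"""Access-record review for the CIP-004 practices on the slide."""
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# The 24-hour figure is the slide's; the 15-month and 7-year intervals come from
# CIP-004-6 R2 Part 2.3 and R3 Part 3.5 (assumption: current text of the standard).
TRAINING_MAX_MONTHS = 15
PRA_MAX_MONTHS = 7 * 12
REVOCATION_MAX = timedelta(hours=24)


@dataclass
class Person:
    name: str
    kind: str                          # "employee" or "contractor"
    pra_dates: list[date]              # Personnel Risk Assessment completions, oldest first
    training_dates: list[date]         # training completions, oldest first
    access_granted: Optional[date]     # electronic or unescorted physical access
    separated_at: Optional[datetime] = None   # HR separation event
    access_revoked_at: Optional[datetime] = None


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def review_person(p: Person, as_of: date) -> list[str]:
    """Findings for one person; an empty list means nothing is out of order as of `as_of`."""
    findings: list[str] = []
    if p.access_granted is not None:
        # Slide: complete PRA and training before granting access.
        if not p.pra_dates or min(p.pra_dates) > p.access_granted:
            findings.append("PRA not completed before access was granted")
        if not p.training_dates or min(p.training_dates) > p.access_granted:
            findings.append("training not completed before access was granted")
    if p.separated_at is None:
        # Active: the annual confirmation that PRA and training are still current.
        if not p.pra_dates or add_months(max(p.pra_dates), PRA_MAX_MONTHS) < as_of:
            findings.append("PRA older than 7 years")
        if (not p.training_dates
                or add_months(max(p.training_dates), TRAINING_MAX_MONTHS) < as_of):
            findings.append("training older than 15 calendar months")
    else:
        # Separated: the HR -> IT notification must have led to revocation within 24 h.
        if p.access_revoked_at is None:
            findings.append("separated but access never revoked")
        elif p.access_revoked_at - p.separated_at > REVOCATION_MAX:
            findings.append("access revoked more than 24 hours after separation")
    return findings


def review_all(people: list[Person], as_of: date) -> dict[str, list[str]]:
    return {p.name: review_person(p, as_of) for p in people}


# Constructed sample roster; names and dates are invented.
AS_OF = date(2017, 3, 1)
SAMPLE_PEOPLE = [
    Person("operator-1", "employee", [date(2014, 6, 2)],
           [date(2014, 6, 5), date(2015, 9, 10), date(2016, 10, 3)], date(2014, 6, 10)),
    Person("contractor-1", "contractor", [date(2015, 8, 20)],
           [date(2015, 9, 1)], date(2015, 9, 2)),           # training lapsed
    Person("analyst-1", "employee", [date(2013, 1, 15)],
           [date(2013, 1, 20), date(2016, 5, 11)], date(2013, 2, 1),
           separated_at=datetime(2017, 2, 10, 9, 0),
           access_revoked_at=datetime(2017, 2, 12, 8, 0)),  # 47 hours later
    Person("tech-1", "employee", [date(2016, 11, 30)],
           [date(2016, 11, 1)], date(2016, 11, 15)),        # PRA after the grant
    Person("veteran-1", "employee", [date(2009, 1, 10)],
           [date(2009, 1, 12), date(2016, 9, 1)], date(2009, 1, 20)),  # PRA stale
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_PEOPLE, AS_OF).items():
        print(name, "OK" if not findings else "; ".join(findings))
```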

Page 36:


Cyber Security Awareness

Monthly “Security Bulletin” Emails

• Sent to all EDPR NA employees & IT contractors

• Covers both cyber and physical security topics

Quarterly Posters

• Posters are placed throughout the Houston office

• Site Admins display posters at the sites

National Cyber Security Awareness Month – October

• Designated month to raise awareness

• Various activities facilitated by members of the CIP Working Group

Annual Training

• Cyber Security Training for all employees & IT contractors

• SME Workshops for specific individuals based on job role/responsibility

Same material and delivery as our Medium Impact BCS

Page 37:

CIP-005

Electronic Security Perimeter

• Internal CIP-only authentication
• Heavily segmented network – divide systems by need and use – IT support, Remote desktop, SCADA control, and device management
• Separate domain and network systems – mixed mode is accepted, but it is difficult to easily provide audit evidence. There is cost associated with implementation and maintenance of separate systems, but EDPR deemed the cost manageable to provide a smooth audit
• Documentation is key – by building a new CIP-only network segment, discovery was limited, and build-out documents became ongoing evergreen documentation
• Each system, as it was stood up or migrated in, was heavily tested to narrow the needed network traffic to known ports and services
• Interactive Remote Access
  • With the v5 revision, interactive access was deemed to be manageable
  • CIP-only VPN hardware, two-factor system, and remote desktop environment

New Full Time Employee #2

• NERC IT Security Manager
• There is a lot of audit evidence to generate and maintain
• Second identified need – NERC IT Security Manager – Primary Technical SME for architecture, implementation, and CIP audits

Page 38:

Low Impact Site

Segmentation:

Adapt and adjust current site topology to meet new LEAP requirements. EDPRNA was in a good position when the Low Impact requirements were released. The Wind Power Plants were already designed and delivered with separation of duties in mind: one segment for corporate systems and one segment for SCADA systems. We had two tasks to complete: rework vendor access for warranty and system maintenance, and narrow down the access lists to meet the “necessary inbound and outbound bi-directional routable protocol access” requirement.

Low-impact Electronic Access Point (LEAP) Implementation

(Diagram; only its labels survive: User SCADA/Control Terminal, Low Impact BES Asset, Offsite Office, BES Asset Location, Other Corporate Device)

Page 39: Follow us on LinkedIn and @RFirst Corp onTwitter #RFWorkshop...Generator Owner and Generator Operator located in 7 of the 8 NERC Regional Entities with RF as ... • First Project

39

Physical Security of BES Cyber systems

• EDPRNA had a badge system in place to manage physical access to the office space at the corporate headquarters

• The CIP critical areas were decoupled from the now ‘Corporate’ Badge system and migrate to a ‘CIP’ badge system that resides within the ESP.

• The data center racks with the CIP systems had mag locks deployed, and were modified to pass wires between them without exposing them to the outside world

• All physical control devices reside within the space they are protecting

• The ROCC had a visitor control procedure in place for escorting guests without approved access. This was modified to meet CIP requirements and rolled out to all PSPs

• Train all employees with unescorted access privileges on visitor access procedures.

• Tie into the maintenance schedule of the corporate badge system; this meets both state/local and CIP requirements

CIP-006

Page 40

System Security Management

• Linear migration of applications into the new CIP-protected segment allowed for ports and services review

• Start with the end in mind – Deny all traffic and open only what is needed for operation

• EDPRNA built the Test CIP segment first; this allowed the project team to break applications in a sandbox without risking operational assets

• Patch Management

• Engage vendors early to work out patch procedures – they are the experts for their solutions; cyber security must work with operational reliability, not against it. Ensure that all information for interaction with AV, IDS/IPS, and anti-malware solutions is gathered.

CIP-007
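The deny-all-then-open-only-what-is-needed review from this slide, as an added example that is not EDPRNA's or ReliabilityFirst's code: a small constructed ruleset is evaluated first-match, every permit is expanded towards the ESP hosts, and the result is compared with a documented ports-and-services baseline in both directions (open but not justified, and justified but blocked). Rule syntax, addresses, host names and baseline entries are all constructed.

```python
"""Ports-and-services review of a firewall ruleset in the spirit of CIP-007 R1:
deny all traffic and open only what is needed for operation.

Added example, not EDPRNA's or ReliabilityFirst's code. The rule syntax,
addresses, host names and baseline entries are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "any"
    src: str     # CIDR, single address or "any"
    dst: str     # CIDR, single address or "any"
    port: str    # "any", a single port such as "502", or a range "1024-65535"


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _ports(spec: str) -> range:
    if spec == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def decide(rules: list[Rule], proto: str, src: str, dst: str, port: int) -> str:
    """First-match evaluation; a flow that matches no rule is implicitly denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("any", proto) and s in _net(r.src) and d in _net(r.dst)
                and port in _ports(r.port)):
            return r.action
    return "deny"


def audit(rules: list[Rule], baseline: dict, esp_hosts: list[str], max_ports: int = 32):
    """Compare what the ruleset opens towards the ESP hosts with the documented baseline.

    baseline maps (proto, host, port) -> (allowed source CIDR, operational justification).
    Returns (kind, detail) findings; an empty list means rules and baseline agree.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        ports = _ports(r.port)
        if r.src == "any" or r.dst == "any" or len(ports) > max_ports:
            findings.append(("over-broad", f"rule {i}: permit {r.proto} {r.src} -> {r.dst} port {r.port}"))
            continue
        protos = ("tcp", "udp") if r.proto == "any" else (r.proto,)
        for host in esp_hosts:
            if ipaddress.ip_address(host) not in _net(r.dst):
                continue
            for proto in protos:
                for port in ports:
                    if (proto, host, port) not in baseline:
                        findings.append(("not-in-baseline", f"rule {i}: opens {proto} {host}:{port}"))
    # The reliability side of the review: every documented need must still get through.
    for (proto, host, port), (src_net, why) in baseline.items():
        net = _net(src_net)
        probe = str(net.network_address + (1 if net.prefixlen < 31 else 0))
        if decide(rules, proto, probe, host, port) != "permit":
            findings.append(("blocked", f"{proto} {host}:{port} from {src_net} ({why}) is denied"))
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst, last.port) != ("any", "any", "any"):
        findings.append(("no-explicit-deny", "ruleset does not end with an explicit deny-all"))
    return findings


# Constructed sample: an EAP in front of two BES Cyber Assets in 10.20.0.0/24.
RULES = [
    Rule("permit", "tcp", "10.10.0.0/24", "10.20.0.10", "502"),            # SCADA polling
    Rule("permit", "tcp", "10.10.0.5", "10.20.0.0/24", "22"),              # maintenance from the jump host
    Rule("permit", "udp", "any", "10.20.0.0/24", "123"),                   # NTP, source never narrowed
    Rule("permit", "tcp", "10.10.0.0/24", "10.20.0.0/24", "1024-65535"),   # leftover "temporary" rule
    Rule("deny", "any", "any", "any", "any"),
]
ESP_HOSTS = ["10.20.0.10", "10.20.0.11"]
BASELINE = {
    ("tcp", "10.20.0.10", 502): ("10.10.0.0/24", "Modbus/TCP polling by the SCADA master"),
    ("tcp", "10.20.0.11", 502): ("10.10.0.0/24", "Modbus/TCP polling by the SCADA master"),
    ("tcp", "10.20.0.10", 22): ("10.10.0.5/32", "vendor maintenance via the Intermediate System"),
    ("udp", "10.20.0.10", 123): ("10.10.0.0/24", "time synchronisation"),
    ("udp", "10.20.0.11", 123): ("10.10.0.0/24", "time synchronisation"),
}

if __name__ == "__main__":
    for kind, detail in audit(RULES, BASELINE, ESP_HOSTS):
        print(f"[{kind}] {detail}")
```

On the sample the review reports two over-broad permits, one opened port with no baseline entry, and one documented flow (Modbus to the second host) that the rules actually block; the last kind is the one that would surface as an operational outage rather than an audit finding.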

Page 41

Incident Reporting and Response

• Leverage same procedures for all impact levels

• Conduct SME training with cross-functional teams of personnel at our Medium and Low Impact Sites

CIP-008

Event Evaluation Board (EOP-004-2)

• Team Members – Operations & Regulatory Compliance Personnel

• Responsible for the initial evaluation and determines whether an event is cyber related.

• Determines whether or not an event is reportable.

Cyber Security Incident Response Team (CIP-008-5)

• Team Members – IT NERC Security Mgr, NERC IT Team, Operations & Regulatory Compliance Personnel

• Responsible for identifying, classifying, and responding to Cyber Security Incidents.

• Determines whether or not an incident is reportable.

Page 42

Recovery Plans for BES Cyber Assets

• Straightforward

• Adapted corporate recovery plans already present in the IT group

• Flesh out the who, what, and why

• Train SMEs

• Practice…but only in Test

• Build redundancy to prevent outages

• All network devices, servers and storage were built in redundant pairs

• Utilize virtual technology to build further resilience into the environment

• Additionally, to comply with other requirements we built a nearly exact replica of the environment for testing purposes – gives IT, SCADA, and Operations groups a sandbox to test and stress the environment

• Redundancy does not replace the need for recovery but considerably reduces the possibility of a loss of function

CIP-009

Page 43

Configuration Change Management

• Utilize existing ticket management system, deploy Operational Change Control module – work with vendor to adapt workflows – add audit step

• Build System Baseline document as environment is developed

• Begin Change Control process well before compliance date

• Drill scenarios

CIP-010

New Full Time Employee #3

• IT Configuration Manager

• This is the most paperwork-intensive of the requirements

• Third identified need – someone to maintain all EDPRNA configurations, not just CIP
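A worked illustration of the baseline and change-control steps on this slide, added here and not EDPRNA's or ReliabilityFirst's code: two constructed snapshots of one asset are diffed element by element, and each detected change is matched against the approved change tickets so that anything without a ticket surfaces as an unauthorized change. Asset name, ticket numbers, software names and patch identifiers are constructed placeholders.

```python
"""Detect changes to a BES Cyber Asset's configuration baseline and reconcile each
one with the change tickets that authorized it (CIP-010 change management).

Added example, not EDPRNA's or ReliabilityFirst's code; snapshot layout, asset
name, ticket numbers and patch identifiers are constructed. The five tracked
elements are the ones CIP-010 R1 Part 1.1 puts in a baseline: OS or firmware,
commercially available or open-source software, custom software, logical
network accessible ports, and security patches applied.
"""
from __future__ import annotations

from dataclasses import dataclass

ELEMENTS = ("os", "software", "custom_software", "ports", "patches")


@dataclass(frozen=True)
class Change:
    asset: str
    element: str  # one of ELEMENTS
    kind: str     # "added", "removed" or "changed"
    value: str


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    asset: str
    approved: frozenset  # of (element, kind, value) tuples this ticket authorizes


def diff_baseline(asset: str, old: dict, new: dict) -> list[Change]:
    """Every difference between two snapshots. "os" is one string; the rest are sets."""
    changes: list[Change] = []
    if old["os"] != new["os"]:
        changes.append(Change(asset, "os", "changed", f"{old['os']} -> {new['os']}"))
    for element in ELEMENTS[1:]:
        before, after = set(old.get(element, ())), set(new.get(element, ()))
        changes += [Change(asset, element, "removed", v) for v in sorted(before - after)]
        changes += [Change(asset, element, "added", v) for v in sorted(after - before)]
    return changes


def reconcile(changes: list[Change], tickets: list[Ticket]):
    """Split changes into (authorized, unauthorized) lists of (change, ticket id or None).

    Anything in the second list deviates from the baseline without an approved
    change record: it needs investigation, not a silent baseline update.
    """
    authorized, unauthorized = [], []
    for c in changes:
        match = next((t for t in tickets
                      if t.asset == c.asset and (c.element, c.kind, c.value) in t.approved), None)
        if match is None:
            unauthorized.append((c, None))
        else:
            authorized.append((c, match.ticket_id))
    return authorized, unauthorized


# Constructed snapshots of one HMI workstation taken at two monitoring intervals.
ASSET = "SCADA-HMI-01"
OLD = {
    "os": "Windows Server 2012 R2",
    "software": {"Vendor SCADA Client 4.2", "Endpoint AV 10.1"},
    "custom_software": {"alarm-forwarder.ps1"},
    "ports": {"tcp/502", "udp/123"},
    "patches": {"HYPO-KB-2016-07"},
}
NEW = {
    "os": "Windows Server 2012 R2",
    "software": {"Vendor SCADA Client 4.3", "Endpoint AV 10.1"},
    "custom_software": {"alarm-forwarder.ps1"},
    "ports": {"tcp/502", "udp/123", "tcp/3389"},  # a remote desktop port appeared
    "patches": {"HYPO-KB-2016-07", "HYPO-KB-2016-09"},
}
TICKETS = [
    Ticket("CHG-1001", ASSET, frozenset({
        ("software", "removed", "Vendor SCADA Client 4.2"),
        ("software", "added", "Vendor SCADA Client 4.3"),
    })),
    Ticket("CHG-1002", ASSET, frozenset({("patches", "added", "HYPO-KB-2016-09")})),
]


def run_example():
    """Diff the constructed snapshots and reconcile against the constructed tickets."""
    changes = diff_baseline(ASSET, OLD, NEW)
    return (changes, *reconcile(changes, TICKETS))


if __name__ == "__main__":
    for c, ticket in run_example()[2]:
        print(f"UNAUTHORIZED change on {c.asset}: {c.element} {c.kind} {c.value}")
```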

Page 44

Information Protection

• Identify all documentation, architecture, and configuration documents that meet the information protection requirement

• Leverage existing document management

• Create new security groups – tie to electronic access workflow

• Train all employees that handle CIP restricted documents

• Ensure that all electronic copies reside in the secure repository

• If physical copies are required, keep them with you, lock them up, leave them in a PSP

• Provide all employees access to the CIP-related policies; restrict access to procedures to only those roles identified within them.

CIP-011

Page 45

Change is Hard

• Moving from a non-critical status to a critical status, and then to multiple Impact ratings, is a huge culture shift.

• Asset Operations and SCADA teams are concerned primarily with the reliable operation of power plants; it is the job of IT and Compliance to stress the need for Security

• EDPRNA had time, which was a good thing; it allowed for measured changes:

• Process

• Training

• Practice and drills of the new procedures

• Vendor Contracts

Challenges

Page 46

• Leverage your existing programs and procedures

• Engage remote sites early on in process

• Train!

• Prepare Management for a realistic timetable

• Prepare Management for realistic cost projections

• Engage with NERC and your Regional Entities early and often… They can help, lots!

• Train some more!

Lessons Learned

Page 47

Page 48

Break

The 2016 Fall Workshop Survey link will be sent via email upon completion of the workshop.

Page 49

©2016 NAVIGANT CONSULTING, INC. ALL RIGHTS RESERVED

BRIAN HARRELL, CPP

DIRECTOR - RISK MANAGEMENT, COMPLIANCE, AND SECURITY

CIP-014 PHYSICAL SECURITY TRENDS AND BEST PRACTICES

RELIABILITYFIRST FALL CIP WORKSHOP

Page 50

IT’S AN ISSUE OF MAGNITUDE

Page 51

Over 55,000 substations over 100 kV in size!

Page 52

SECURING A REMOTE OR URBAN ASSET!

The Real Challenge…

Page 53

CRITICAL TRANSFORMERS

Page 54

NERC CIP-014 PHYSICAL SECURITY

Page 55

CIP-014 PHYSICAL SECURITY STANDARD

• Purpose:

- To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection.

• Applicability:

- Transmission Owners (TO)

- Transmission Operators (TOP)

Page 56

KEY DATES

CIP-014-2 Implementation Timeline

Activity                              Implementation   Not Later Than   Days after 10/1/15
R1 Assessment                         Effective Date   10/1/2015        0 days
R2 Verification                       Effective + 90   12/30/2015       90 days
R2.3 Address Discrepancies            R2.2 + 60        2/28/2016        150 days
R3 Notify Control Center              R2 + 7           1/6/2016         97 days
R4 Threat & Vulnerability Evaluation  R2 + 120         6/27/2016        270 days
R5 Security Plan                      R2 + 120         6/27/2016        270 days

Page 57

IMPLEMENTATION

• Critical facility identification (R1) complete before effective date (six months following publication in the Federal Register)

- Standard approved November 20, 2014

- Mandatory and Enforceable October 1, 2015

• Third party verification (R2) complete within 90 days of completion of R1.

• Notification of other parties (R3) complete within 7 days of completion of R2.

• Evaluate threats and vulnerabilities (R4) and develop security plans (R5) within 120 days of completion of Requirement R2.

• Third party review of threats and vulnerabilities and security plans (R6) within 90 days of completion of R4/R5.

Page 58

REQUIREMENT 4

• Advising utilities without a robust security department to use the NATF CIP-014 R4 Guideline

• Provide all documentation of prior attacks, break-ins, sabotage incidents

- OE-417, RCIS, E-ISAC reports, LEO Reports

• Seek outside threat information:

- E-ISAC

- Fusion Center

- Local, State, and Federal Law Enforcement

• Has DHS identified you as “critical”?

• Design Basis Threat (DBT)

- Accurate scenarios for potential attack

- Outside firearms attack

- “Suspicious” device left behind or thrown over perimeter fence

- Vehicle-borne Improvised Explosive Device

- Breached control/station house

Page 59

REQUIREMENT 5

• Physical Security Plan (R5) should map directly to T&V Assessment (R4)

• Are you hardening the entire facility or specific critical assets and infrastructure within the facility?

• Discuss security measures designed to deter, detect, delay, assess, communicate, and respond to potential physical threats

• What is the response time of security staff? Local Law Enforcement?

• If you commit to paper, you are now obligated

• Highlight mitigation measures that have been put in place as a result of the attack scenarios

• Remove line of sight to critical transformers

• Suspicious package procedures and response plan

• How are you slowing, checking, screening, and controlling access to your facility?

• How are you monitoring the station house? Patrols? Procedures for reporting a breach? Cyber!!

Page 60

PHYSICAL-TECHNOLOGY INTEGRATION

Site Specific Layered Approaches To:

• Deter potential adversaries from considering the facilities in their pre-operational planning

• Detect adversaries in their planning, surveillance, or approach stages

• Delay adversaries from gaining access to critical facilities and equipment

• Minimize the impact of any intrusions or attacks on BPS reliability

• Rapidly respond to any attacks or intrusions

• Preserve and assist law enforcement in evidence recovery for potential apprehension

Page 61

INDUSTRY BEST PRACTICES


Page 62

DETERRENCE

Current systems and technologies used by industry security professionals:

• Motion activated video surveillance with intrusion deterrence technologies

• Limited access smart locks and access card systems/readers

• Employee screening (insider threat)

• Security fencing to include solutions with blast and ballistic resistance

• Environmental and physical vehicle barriers

• Security lighting to include motion activated strobe illumination

• Security signage

• Prohibit non-critical storage and staging to reduce criminal draw

• Annual security program and vulnerability assessment reviews

• Security guards

• Neighbor awareness security program

Page 63

DETECTION

• External/internal video analytic systems

• External/internal motion sensing systems

• External seismic detection systems

• External/internal gunshot detection systems

• UAV detection systems

Page 64

DELAY

• Environmental barriers

• Access barriers

• Perimeter fencing

Page 65

REQUIREMENT 6

• Consultant? DHS? Law Enforcement?

• Many government agencies do not want to sign off on “compliance”

• Avoid overnight firms that have recently boarded the “CIP-014 train”

• Use a firm with proven experience in the electricity sector AND doing physical security

• Client expectations:

- Proposal response

- Initial kick-off meeting to discuss timeline (R2, R4/R5 dates?) and milestones

- Time to review R4 and R5 documentation ahead of site visits

- On-site review of all CIP-014 sites to verify identified vulnerabilities and mitigation measures

- Informal exit presentation

- Compliance documentation

Page 66

REQUIREMENT 6 CONTINUED…

• Final document:

- Identified facility

- Unaffiliated 3rd party statement

- Statement suggesting that security measures “mitigate the threats identified in the R4 threat assessment”

- A determination that “the physical security plan is achievable”

- Provide security suggestions, if applicable

- Provide evidence of the consultant's expertise and certification(s)

▫ Do not tell me, show me

- Official company letterhead with full contact details

Page 67

BRIAN HARRELL, CPP

Director of Security and Risk Management

703.965.7474

[email protected]

navigant.com

CONTACT

Page 68

Page 69

Overview of NP-View

Scott Pelfrey – Senior Technical Auditor, RF

Page 70

Objectives

• Answer the following questions

• What is NP-View?

• Why is RF using NP-View?

Page 71

What is NP-View?

• Software from Network Perception (University of Illinois)

• Performs automated network path analysis from raw configs

• Works offline (no online or real-time)

• Tool used ERO-wide – All regions

Page 72

NP-View – Supported Manufacturers

Page 73

NP-View – Getting Started

Page 74

NP-View – Establishing Perimeters

Page 75

NP-View – Path Overview

Page 76

NP-View – Baseline Analysis

Page 77

Why is RF Using NP-View?

Facts

• Used to help Audit Team “visualize” entity network

• Helps Audit Team learn network topology (both logical & physical)

• Helps Audit Team locate EAPs

• Reduces questions concerning firewall rulesets

• Helps entity identify data flows and look for issues

Myths

‒ RF is NOT looking for PVs with NP-View

‒ RF is NOT looking for holes, issues, or poor firewall configurations
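An added example of the kind of offline path analysis the NP-View slides describe; it is not Network Perception's, NP-View's or ReliabilityFirst's code and does not read real vendor configs. A constructed mini-config syntax of zones and zone-to-zone policies is parsed per firewall, the zone paths along which one service is permitted at every hop are enumerated, and every policy that admits traffic into the ESP zone is listed as a candidate EAP. Firewall names, zones and policies are constructed.

```python
"""Offline path analysis over firewall zone policies, in the spirit of what the
NP-View slides describe (path analysis from configs, locating EAPs).
Added example, not Network Perception's or ReliabilityFirst's code; the
mini-config syntax, firewall names, zones and policies are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    proto: str  # "tcp", "udp" or "any"
    lo: int     # inclusive destination port range
    hi: int

    def permits(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.lo <= port <= self.hi


@dataclass
class Firewall:
    name: str
    zones: set[str] = field(default_factory=set)
    policies: list[Policy] = field(default_factory=list)


def parse_config(name: str, text: str) -> Firewall:
    """Parse the constructed syntax: 'zone NAME' and 'policy FROM TO PROTO PORTS'."""
    fw = Firewall(name)
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "zone":
            fw.zones.add(words[1])
        elif words[0] == "policy":
            src, dst, proto, ports = words[1:5]
            if src not in fw.zones or dst not in fw.zones:
                raise ValueError(f"{name}: policy references an undeclared zone: {line.strip()}")
            if ports == "any":
                lo, hi = 0, 65535
            else:
                a, _, b = ports.partition("-")
                lo, hi = int(a), int(b or a)
            fw.policies.append(Policy(src, dst, proto, lo, hi))
    return fw


def find_paths(firewalls, src_zone, dst_zone, proto, port):
    """Every loop-free zone path on which proto/port is permitted at each hop,
    as lists of (firewall, from_zone, to_zone). A service that an Intermediate
    System terminates and re-originates is two flows and needs two searches."""
    results = []
    queue = deque([(src_zone, [])])
    while queue:
        zone, hops = queue.popleft()
        if zone == dst_zone and hops:
            results.append(hops)
            continue
        visited = {src_zone, *(h[2] for h in hops)}
        for fw in firewalls:
            for p in fw.policies:
                if p.src_zone == zone and p.dst_zone not in visited and p.permits(proto, port):
                    queue.append((p.dst_zone, hops + [(fw.name, p.src_zone, p.dst_zone)]))
    return results


def electronic_access_points(firewalls, esp_zone):
    """(firewall, outside zone) pairs whose policies admit traffic into the ESP."""
    return {(fw.name, p.src_zone) for fw in firewalls for p in fw.policies
            if p.dst_zone == esp_zone and p.src_zone != esp_zone}


# Constructed configs: corporate -> DMZ (Intermediate System) -> ESP, plus a vendor VPN path.
CONFIGS = {
    "fw-corp-edge": """zone corporate
zone dmz
policy corporate dmz tcp 443
policy corporate dmz tcp 3389   # remote desktop to the Intermediate System""",
    "fw-esp": """zone dmz
zone esp
policy dmz esp tcp 22
policy dmz esp tcp 502""",
    "fw-plant": """zone vendor-vpn
zone esp
policy vendor-vpn esp any any   # legacy vendor rule, never narrowed""",
}
FIREWALLS = [parse_config(name, text) for name, text in CONFIGS.items()]

if __name__ == "__main__":
    print("corporate -> esp on tcp/3389:", find_paths(FIREWALLS, "corporate", "esp", "tcp", 3389))
    print("dmz -> esp on tcp/22:", find_paths(FIREWALLS, "dmz", "esp", "tcp", 22))
    print("candidate EAPs:", sorted(electronic_access_points(FIREWALLS, "esp")))
```

On the constructed topology no single service reaches the ESP from the corporate zone end to end (the protocol break at the Intermediate System shows up as an empty path list), while the vendor VPN firewall's any/any policy admits every service and is exactly the rule an auditor would ask about.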

Page 78

NP-View Tutorials

Page 79

Questions & Answers

Page 80

Page 81

Exelon NERC CIP Program

September 29, 2016

Lois Buwalda

Page 82

Agenda

• About Me, Exelon, and our V5 Implementation Program

• Exelon’s NERC CIP Program Mission & Vision

– People

– Tools

– Governance

• Deeper Dive in 3 Areas

– Culture

– Controls Framework & Automation

– Access Control Automation System

82 Exelon Proprietary and Confidential

Page 83

My Background

B.S., M.S. Computer Science; B.A. English

Non-profit healthcare research agency – 6+ years as application developer / PM

Exelon IT – 18+ years

– Utilities: PECO, ComEd, Energy Delivery

– Generation: Trading, Retail, Power

– Enterprise: Architecture & Planning; IT Management Model, Compliance

NERC CIP since ~2009

Page 84

About Exelon

We are a FORTUNE 100 company that works in every stage of the energy business: power generation, competitive energy sales, transmission and delivery. As the nation's leading competitive energy provider, Exelon does business in 48 states, D.C., and Canada and had 2015 revenues of $34.5 billion. We employ approximately 34,000 people nationwide.

• Six utilities deliver electricity and natural gas to approximately 10 million customers in Delaware, the District of Columbia, Illinois, Maryland, New Jersey and Pennsylvania through its Atlantic City Electric, BGE, ComEd, Delmarva Power, PECO and Pepco subsidiaries.

• More than 32,000 megawatts of owned capacity comprising one of the nation’s cleanest and lowest-cost power generation fleets.

• The company’s Constellation business unit provides energy products and services to approximately 2 million residential, public sector and business customers, including more than two-thirds of the Fortune 100.

This presentation focuses on Exelon’s V5 implementation, which preceded the merger with Pepco Holdings.

Page 85

Challenges Circa 2014

• V5 represented a big increase in scope for Exelon

• We did not have the Program or the Technology to scale for this size scope

Scope

– NERC CIP 2014 (V3): ~300 Critical Cyber Assets; IT supported mainly at Control Centers and Data Centers

– NERC CIP 2016 (V5): >3,900 Medium or High Impact BES Cyber Assets; ~270 CIP-002 Assets that contain Low impact BES Cyber Systems; includes assets at Substations and Generating Plants

Impacted Population

– NERC CIP 2014 (V3): Performers primarily IT

– NERC CIP 2016 (V5): Performers both IT and OT; ~2,500 users with Physical, Electronic, or Information access

Page 86

Exelon’s NERC CIP V5 Implementation Program (VIP)

• Comprised of 14 projects plus program-wide teams under a single leader

• Reorganized later in December 2015 to combine some functions and add a

Readiness tower

NERC CIP Version 5 Co-Sponsors: CIP Senior Manager + IT VP

NERC CIP Program Leader: Lois Buwalda

NERC CIP VIP Steering Committee; NERC CIP VIP Executive Council

Program-wide teams: PMO, Finance, Architecture, Communications & Change Management, Program Integration, CIP QA

Foundation

• Cyber Asset Identification & Tracking

• Controls Framework & Automation

• Policy, Processes, Procedures

Access

• Information Protection Program

• Physical Security

• Electronic Security Perimeter

• Personnel Risk Assessment

• Access Controls and Automation

People

• Training

• Culture of Compliance

• Org Design

Systems

• Systems Management

• Cyber Security Monitoring and Reporting

• Patching and Malicious Code Prevention

Page 87

Exelon’s NERC CIP Mission

• Focused not only on achieving the 4/1 date, but on ensuring we could sustain that compliance moving forward. We aligned to a mission and vision for sustained compliance success.

• Our Mission is the Security and Reliability of the BES. Compliance is an enabler of this mission. It sets a bar for performance, and provides a mechanism to measure yourself and drive improvements.

Slogan contest – 86 participants submitted 190 slogans. Additional winners:

• It starts with me

• You’re the most critical asset in compliance

Page 88

Vision: Ensuring a Sustainable Compliance Program

A sustainable compliance program enables our mission of the reliability and security of the BES. Sustainability requires three critical components: People, Tools, and Governance. We keep it strong via benchmarking, best practices, and continuous improvement.

Sustainable Compliance Program components:

Communications & Change Management ensures personnel are informed and prepared as changes occur, and facilitates enterprise-wide collaboration and information sharing.

Training addresses mandated compliance training and instills employees with the skillsets to perform their daily compliance roles and responsibilities.

Culture drives and reinforces desired employee behaviors in order to achieve compliance goals.

Organization Design provides clear accountability and authority, enables consistency, and avoids single points of failure.

Controls Framework defines controls, evidence quality standards, and testing procedures for each requirement and implements controls using an automated solution to support compliance monitoring and reporting.

Automation & Workflows reduces manual efforts through technology, driving efficiency and decreasing potential for errors.

Documented Positions documents, researches, and defends Exelon’s positions on standards and effectively disseminates this information across the enterprise.

Policies, Processes, & Procedures tailored for CIP define what work is performed, how, and by whom. Provides consistency at enterprise level while equipping performers via job aids.

Program Strategy & Architecture drives strategy and a common Integrated Model supported by a robust Technical Architecture to achieve compliance in an integrated, cost effective, reliable, and scalable manner.

Relationship Management develops new and enhances existing relationships with vendors, regulators, and industry peers.

Structured Management Processes ensure successful program outcomes through disciplined decision making and management of projects, risks and issues, resources, and information.

Quality Assurance, Metrics & Investigation performs quality assurance and monitoring of the program to proactively identify potential risk areas and ensure program compliance.

Page 89

Sustainability: People Component

Communications & Change Management ensures personnel are informed and prepared as changes occur, and facilitates enterprise-wide collaboration and information sharing.

Training addresses mandated compliance training and instills employees with the skillsets to perform their daily compliance roles and responsibilities.

Culture drives and reinforces desired employee behaviors in order to achieve compliance goals.

Organization Design provides clear accountability and authority, enables consistency, and avoids single points of failure.

Page 90

Sustainability: Tools Component

Controls Framework defines controls, evidence quality standards, and testing procedures for each requirement and implements controls using an automated solution to support compliance monitoring and reporting.

Automation & Workflows reduces manual efforts through technology, driving efficiency and decreasing potential for errors.

Documented Positions documents, researches, and defends Exelon’s positions on standards and effectively disseminates this information across the enterprise.

Policies, Processes, & Procedures tailored for CIP define what work is performed, how, and by whom. Provides consistency at enterprise level while equipping performers via job aids.

Page 91

Sustainability: Governance Component

Program Strategy & Architecture drives strategy and a common Integrated Model supported by a robust Technical Architecture to achieve compliance in an integrated, cost effective, reliable, and scalable manner.

Relationship Management develops new and enhances existing relationships with vendors, regulators, and industry peers.

Structured Management Processes ensure successful program outcomes through disciplined decision making and management of projects, risks and issues, resources, and information.

Quality Assurance, Metrics & Investigation performs quality assurance and monitoring to proactively identify potential risk areas and ensure program compliance.

Page 92: Sustainability: People Component (repeat of page 89)


Deep Dive

Page 93: How We Approached Culture

Sustainable culture change involves the alignment of strategic objectives, a culture vision and desired behaviors that are reinforced through culture-strengthening activities, referred to as a culture roadmap.

Strategic Objectives: Established Exelon’s compliance strategic objectives/priorities

Culture Vision: Defined Exelon’s ideal NERC compliance culture

Desired Behaviors: Identified desired behaviors to support the culture vision

Culture Reinforcement Activities (Culture Roadmap): Adjust levers that drive and reinforce desired compliance behaviors

Page 94: NERC Culture of Compliance Vision

1. We prioritize reliability, security and compliance, from leadership to staff, and embed them into our everyday business operations to protect the Bulk Electric System

2. We act with integrity and take individual and collective accountability for establishing, maintaining and demonstrating compliance with NERC standards

3. We enable clear understanding of our compliance responsibilities through open communication and by pursuing learning opportunities

4. We pursue excellence, monitor performance and drive continuous improvement of our compliance program

5. We collaborate, share best practices and seek diverse perspectives, both externally (with industry and regulators) and internally (across business units and functions)

6. We recognize compliance efforts and celebrate outstanding compliance achievements

Page 95: Culture of Compliance Prioritization

Compared Exelon’s current NERC CIP compliance culture to its desired future state, uncovering strengths and areas of improvement. Based on the analysis, the following three areas were identified as high priority focus areas for the VIP Culture of Compliance Roadmap. The VIP Culture of Compliance Roadmap activities have been designed to align with and help address the prioritized focus areas.

1. CIP Awareness & Understanding: Need to drive better understanding of standards & linkage to BES security & reliability

2. Accountability & Empowerment: Need to cultivate critical thinking, questioning attitudes and continuous improvement among personnel

3. Compliance Reinforcement: Need for visible leadership support, recognition of accomplishments, stronger measures & reinforcement of compliance in performance management structure

Page 96: VIP Culture of Compliance Roadmap Timeline

As illustrated below, we implemented a number of culture building activities during the Project and turned them over to the Sustain organization.

[Timeline chart: activities plotted by month from July 2015 to February 2016 across Build, Deliver and Operate phases, with stages such as Develop, Submission / Selection, Nomination, Select / Announce, Rollout, Update, Phase 1 Launch, Phase 2, Transition Period and Deliver. Each activity is tagged with the focus area it addresses (CIP Awareness/Understanding, Compliance Reinforcement, Accountability/Empowerment, or Multi Area), keyed to Culture of Compliance Gaps 1–3.]

Activities:
• NERC CIP Overview Telestration*
• NERC CIP Slogan Contest*
• VIP Roadshows
• NERC CIP Portal/Resource Consolidation
• Virtual Scavenger Hunt
• NERC CIP Compliance Achievement Award*
• NERC CIP Leadership Toolkit
• Leadership Video
• Thank You App
• NERC CIP Performer Summit
• Manager Webinar
• Print/Digital Awareness Campaign
• VIP Change Agent Network*
• VIP OT Weekly Communications
• NERC CIP Compliance Outlook Mailbox*

Page 97: NERC Leadership Toolkit Overview

Created a toolkit to promote Exelon’s desired NERC compliance behaviors and reinforce NERC compliance expectations. The toolkit’s four folders and the materials in each are outlined below (green font in the original indicates NERC CIP-specific material):

Leadership Toolkit

Compliance Fundamentals
• NERC CoC Vision
• Desired NERC Compliance Behaviors
• NERC Behavior Demonstration & Reinforcement
• Leadership Reference Materials

Team Tools
• NERC CIP Overview Telestration Video
• NERC CIP Leadership Video(s)
• NERC Compliance Culture Assessment Exercise
• NERC Moment Samples & Template
• NERC Compliance Pledge

Recognition Resources
• NERC CIP Compliance Achievement Award Overview
• Thank You App Overview
• Recognition Moments & Appreciation Ideas

Additional Resources
• CIP Portal Overview
• NERC Compliance Graphics
• Key NERC Compliance Contacts

Page 98: Toolkit Deep Dive: Compliance Fundamentals

Page 99: Toolkit Deep Dive: Recognition Resources

Page 100: Recognition: NERC CIP Compliance Achievement Award

Award Purpose

The NERC CIP Compliance Achievement Award was established to recognize and celebrate individuals and teams that have made outstanding contributions to the CIP compliance program across the enterprise.

• Celebrate the achievements of those who have gone above and beyond to safeguard the integrity of our business and position it for continued growth and success
• Encourage innovations that support the seamless incorporation of CIP compliance into everyday work and that reduce costs, enhance security or decrease risk of compliance failures
• Align with Exelon core values: integrity, accountability and continuous improvement

Award Details

Three award cycles completed to date. Averaging 22 nominations per cycle. Winners personally recognized by Exelon Utilities CEO / Chief NERC Compliance Officer.

• All NERC CIP program participants are eligible
• Awarded every six months
• Up to three NERC CIP individuals or small teams will be selected
• Award recipients will be publicly recognized as well as receive a trophy and monetary gift to thank them for their contributions

Page 101: Toolkit Deep Dive: Team Tools

Page 102: Toolkit Deep Dive: Team Tools

Page 103: Team Tools: Pledge Poster from a BGE Location

Page 104: Team Tools: The NERC CIP Overview Telestration

The NERC CIP Overview Telestration is a short animated video that reinforces the importance of NERC CIP compliance and each individual’s contribution to protecting the Bulk Electric System by adhering to processes and procedures, seeking help when unsure of CIP responsibilities, delivering quality evidence and raising security concerns.

Page 105: Team Tools: NERC CIP Leadership Videos

In two short NERC CIP Leadership Videos, Denis O’Brien and Sue Ivey discuss the importance of NERC CIP compliance and their compliance expectations. These videos cascade leadership’s message that NERC compliance is a key priority for Exelon.

Video 1: Everyone’s Role in NERC CIP Compliance

Video 2: Striving for Compliance Excellence

Page 106: Sustainability: Tools Component (repeat of page 90)

Sustainability: Tools Component

Controls Framework defines controls, evidence quality standards,

and testing procedures for each requirement and implements

controls using an automated solution to support compliance

monitoring and reporting

Automation & Workflows reduces manual

efforts through technology, driving efficiency

and decreasing potential for errors

Documented Positions documents, researches,

and defends Exelon’s positions on standards and

effectively disseminates this information across

the enterprise

Policies, Processes, & Procedures tailored

for CIP, defines what work is performed,

how, and by whom. Provides consistency

at enterprise level while equipping

performers via job aids

Exelon Proprietary and Confidential106

Deep Dive

Deep Dive

Page 107: Two of Exelon’s Major Technology Investments

• AssurX
– Controls framework, assessments, formal evidence
– Master Asset list and drives assessment / categorization
– Patch Management (software list, discovery, applicability, installation / mitigation)
– IT Production Change Control
– Interfaces with our asset management systems, configuration control systems, and a patch discovery service

• Access Control & Automation System (ACAS)
– Oracle’s IAM Solution
– Enforces authorization process for all access (electronic, physical, information, shared accounts), including business need, validation of PRA and training, and approvals
– Includes a mixture of role-based access with individual entitlements
– Automates provisioning and de-provisioning for connected systems. Uses workflows for disconnected systems.
– Automates access certification process, identifying discrepancies between actual and authorized lists, and on a quarterly basis confirming business need
  • Near real time discrepancies for connected systems. Monthly process target for disconnected systems

Page 108: AssurX Compliance Automation Solution

While the Controls Framework is the foundation upon which the Compliance Automation Solution functions, Exelon will rely on automation technology to bring the Controls Framework to life.

Exelon implemented AssurX, a Compliance Automation Solution, that provides monitoring, controls and safety nets to ensure sustained NERC CIP compliance at Exelon.

AssurX
• Leverages native workflow capabilities, dashboards, and metrics to improve compliance monitoring capability
• Co-locates data with the controls framework and master asset list
• Enables full traceability to the solution implementing the controls for each specific asset or asset type
• Links data directly to the assets they affect (e.g., patches or change tickets linked to assets)
• Automatically evidences data in a central repository
• Reduces number of enterprise systems

Page 109: WHY are we using Controls Framework?

Control definitions are established to provide traceability to authoritative requirements, so that the proper context of the requirement is retained, and to provide common control definitions that can be recognized by an organization’s various risk and compliance functions.

Control Definitions
• Control Objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process
• Control Activities: A practice, procedure, process or mechanism that treats risk and addresses management directives
• Control Assessment Procedures: A process or procedure that is used to determine that a control is in place and functioning properly

Example

NERC Requirement: Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have authorization records.

Control Objective: Verify authorization records at least once every calendar quarter.

Control Activity:
1. Implement alert notifications in ACAS that enable the Compliance Group to initiate the quarterly review.

Control Assessment Procedures:
1. Generate a sample of quarterly reviews.
2. Verify whether an alert notification is initiated every quarter by the compliance group.
3. Document results of the Control Assessment.
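The reconciliation of actual rights against authorization records that the ACAS bullets on page 107 describe, and the "once each calendar quarter" verification in this slide's example, as an added Python example (not Exelon, AssurX or ACAS code; the record schema, users, assets and review dates are constructed for illustration):

```python
"""Access-certification reconciliation and quarterly-review coverage check.

Added example, not Exelon, AssurX or ACAS code. The records below are
constructed to illustrate the control on this slide: compare the access
rights that actually exist on connected assets with the authorization
records, flag discrepancies, and confirm a review happened every quarter.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Iterator


@dataclass(frozen=True)
class Authorization:
    """An approved access record (hypothetical schema)."""
    user: str
    asset: str
    access_type: str       # "electronic" or "physical"
    pra_valid: bool        # personnel risk assessment still current
    training_valid: bool   # required CIP training still current


@dataclass(frozen=True)
class ActualRight:
    """A right observed on a connected system, e.g. a BU AD group membership."""
    user: str
    asset: str
    access_type: str
    source: str


def reconcile(actual: Iterable[ActualRight],
              authorized: Iterable[Authorization]):
    """Return (unauthorized, stale): rights with no valid authorization, and
    authorizations with no matching right (candidates for closure)."""
    auth_index = {(a.user, a.asset, a.access_type): a for a in authorized}
    actual_keys = set()
    unauthorized = []
    for r in actual:
        key = (r.user, r.asset, r.access_type)
        actual_keys.add(key)
        auth = auth_index.get(key)
        if auth is None:
            unauthorized.append((*key, "no authorization record"))
        elif not auth.pra_valid:
            unauthorized.append((*key, "PRA lapsed"))
        elif not auth.training_valid:
            unauthorized.append((*key, "training lapsed"))
    stale = sorted(k for k in auth_index if k not in actual_keys)
    return sorted(unauthorized), stale


def quarter_of(d: date) -> tuple:
    """Map a date to its (year, calendar quarter)."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarters_between(start: date, end: date) -> Iterator[tuple]:
    """Yield every calendar quarter from start's quarter to end's quarter."""
    y, q = quarter_of(start)
    last = quarter_of(end)
    while (y, q) <= last:
        yield (y, q)
        y, q = (y + 1, 1) if q == 4 else (y, q + 1)


def missed_quarters(review_dates: Iterable[date], start: date, end: date):
    """Quarters in [start, end] with no completed review; each quarter needs
    at least one, matching the 'once each calendar quarter' requirement."""
    reviewed = {quarter_of(d) for d in review_dates}
    return [q for q in quarters_between(start, end) if q not in reviewed]


# Constructed sample data (hypothetical users, assets and dates).
AUTHORIZATIONS = [
    Authorization("alice", "scada-app-01", "electronic", True, True),
    Authorization("carol", "control-room", "physical", True, False),
    Authorization("erin", "historian-01", "electronic", True, True),
]
ACTUAL_RIGHTS = [
    ActualRight("alice", "scada-app-01", "electronic", "BU AD"),
    ActualRight("bob", "scada-app-01", "electronic", "BU AD"),
    ActualRight("carol", "control-room", "physical", "badge system"),
]
REVIEW_DATES = [date(2016, 1, 15), date(2016, 4, 10), date(2016, 10, 5)]


def run_quarterly_check():
    """Run both checks over the constructed data and return the findings."""
    unauthorized, stale = reconcile(ACTUAL_RIGHTS, AUTHORIZATIONS)
    missed = missed_quarters(REVIEW_DATES, date(2016, 1, 1), date(2016, 12, 31))
    return {"unauthorized": unauthorized, "stale": stale, "missed": missed}


if __name__ == "__main__":
    for name, finding in run_quarterly_check().items():
        print(name, finding)
```

A stale authorization is not itself a violation (the right may already have been removed), but it is the discrepancy the quarterly review should close out; the missing quarter is the finding an assessor would document.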

Page 110: Control Assessment

Flow: Control → is tested by → Control Schedule → creates an instance of → Assessment → generates and assigns → Tasks → collects evidence of compliance for → Assessable Unit

Control
• One or many controls are defined for each NERC Requirement
• Defines control activities, assessment procedures, evidence to be collected, location of the evidence

Control Schedule
• For each control, one schedule is created per business unit.
• Schedule defines when the assessment needs to be performed and how frequently it should be conducted

Assessment
• Instance of an assessment is generated as defined in the schedule
• Assessment Owner has the ability to modify the scope of assessment by identifying the evidence owners and approvers

Tasks
• Tasks are assigned to individuals to provide evidence of compliance
• Uploaded evidence and narratives undergo an approval cycle

Assessable Unit
• Facility, Devices, Systems, Process, People under the scope of CIP compliance
• Evidence is produced to show the assessable units are in compliance

Page 111: Controls Assessment Example

[Diagram: information flow for control SSM-PASP-02 [CIP-007_Part1.1]. Control → Schedule (fields: Schedule Owner, Assessment Owner, Schedule Type, Frequency, Due Date, Business Unit(s)) → quarterly Assessments Q1–Q4 → Tasks T1–T3 per quarter (each with Assignee and Approver) → Evidence Folders holding each task’s Evidence and Narratives.]

Page 112: Two of Exelon’s Major Technology Investments (repeat of page 107)

Two of Exelon’s Major Technology Investments

• AssurX

– Controls framework, assessments, formal evidence

– Master Asset list and drives assessment / categorization

– Patch Management (software list, discovery, applicability, installation / mitigation)

– IT Production Change Control

– Interfaces with our asset management systems, configuration control systems, and

a patch discovery service

• Access Control & Automation System (ACAS)

– Oracle’s IAM Solution

– Enforces authorization process for all access (electronic, physical, information,

shared accounts), including business need, validation of PRA and training, and

approvals

– Includes a mixture of role-based access with individual entitlements

– Automates provisioning and de-provisioning for connected systems. Uses workflows

for disconnected systems.

– Automates access certification process, identifying discrepancies between actual

and authorized lists, and on a quarterly basis confirming business need• Near real time discrepancies for connected systems. Monthly process target for

disconnected systems

Exelon Proprietary and Confidential112

Page 113: ACAS Conceptual Design

[Diagram: Protected Zones. Corporate Network: Learning Management System (Training Data) and Human Resources System (User Data) feed ACAS; Corporate Active Directory authenticates. RPN: ACAS provisions CIRs and reads Actual Rights; RPN Assets / Services, e.g. Antivirus, Backup. Each BU: a BU ACAS Connector Server provisions / de-provisions electronic & physical access against the BU Network AD and AD Connected Assets (Connected BU NERC CIP Assets, e.g. SCADA servers, apps, database); Disconnected BU Assets, e.g. RTUs, are shown separately.]

Page 114: Key Takeaways

• The mission is the Reliability and Security of the BES. Compliance is an enabler of this mission.
• Individuals have the best of intentions to comply, but need the structures and tools to equip them to be successful and effective.
• A compliance program itself can have vulnerabilities, and applying layers of protections to strengthen it and the people who execute it is key.

Page 115: Thank You!

Page 116: Appendix

Page 117: CIP Road Shows

• Interactive sessions in Exelon’s major cities to engage CIP stakeholders in sharing information and best practices.
• Culture building with stakeholders who walked the red carpet and hung their star in the hall of fame.

Page 118: Innovation Expo Culture Dialog

• Expanded the program’s dialog on culture to an Exelon-wide event called the Innovation Expo.
• Included a free-standing wall that asks each attendee to add one thought or idea to the dialog on driving culture.

Page 119: Strong Focus on Communications and Change Management

• Regular communications vehicles:
– Weekly Spotlight Newsletter (250+ audience)
– Weekly CIP of Compliance focused on the OT Community (2,500+ audience)
– Weekly Execution Digest (4,500+ audience) during the final 5 weeks
• Change Agent Network with 30+ participants
• Change Impact Summaries and Responsibility Guides for change impacts

Page 120: Internal Controls: A Case Study

Erik Johnson – Manager Entity Development, RF

Page 121: What Are We Talking About?

Internal Controls: Processes that provide assurance that objectives are achieved
– Enables Issue Spotting for Individual Standards

Management Practices: Groupings of common functional activities
– Enables Issue Spotting Across Multiple Standards
– Facilitates Continuous Improvement
– Sustainability

Maturity Models: Tools that assess process and implementation effectiveness
– Sustainability
– Forward-Looking and Big Picture
‒ “Journey not a destination”
– Enables Issue Spotting
– Facilitates Continuous Improvement

Page 122: RF Did Not Invent the Wheel

RF Utilizes a Maturity Model Approach to Its Evaluations
• Common groupings of commonly recognized Management Practices
• Facilitates transparency and repeatability
• Pragmatic and simple
• Indoctrinates organizational practices for continuous improvement, efficiency and sustained success

RF’s Approach is Nothing New
• ES-C2M2: Cybersecurity Capability Maturity Model utilized by the DoE
• CERT-RMM: CERT Resilience Management Model utilized by the Software Engineering Institute and Carnegie Mellon University
• CMMI: Capability Maturity Model Integration used across various industries within organizations (NASA, Lockheed Martin, Microsoft, Motorola, etc.)

Maturity Models are regularly utilized to help drive Operational Excellence

Page 123: RF’s Approach

Page 124: Types of Evaluations

Image from: http://www.raps.org/Regulatory-Focus/News/2015/03/23/21786/The-Tip-of-the-Iceberg-What-Lurks-Beneath-the-483/

• Compliance Focus
– NERC ICE guide
– Short time horizon, audit to audit focus
• Identified Risk Focus – ERO identified or Entity identified – medium time horizon
• Continuous Improvement + Operational Excellence Focus – long time horizon focus

Page 125: EVALUATION OF ARTIFACTS PROVIDED BY AN ENTITY AGAINST MANAGEMENT PRACTICES AND THERMOMETERS

Page 126: ICE Principles

ICE PRINCIPLES - The acceptance and adoption of the ICE process in organizations making up the BES is highly dependent upon each Registered Entity’s perception of the value and importance of the ICE program. To accomplish this goal, Internal Control Evaluations need to be conducted with integrity and consistency, and produce high-value results for the evaluated RE. For this reason, ICE Evaluation teams incorporate and uphold these evaluation principles:

1. Focus on the RE’s business objectives
2. ICE Evaluation environment
3. Collaborative learning environment
4. Evaluation team decisions
5. Evaluations are a “snap-shot” of the current state
6. Artifact-based objectivity

Page 127: Interview Process

Transparent Process
• Instant feedback
‒ Genuine interest
• No private notes
• No secret caucuses

Interview
• Sub Team
• Full Team (as necessary)

Page 128: Sharing Results for Consideration

The Evaluation team reviews artifacts, practices, and procedures to estimate the implementation level (%) of identified internal controls.

Page 129: Implementation Levels

Maturity levels are based on predetermined levels in C2M2 and CERT-RMM.

Page 130: It’s your turn

Management Practice Information

Page 131: IMPLEMENTATION BREAKOUT SESSION – 20 MINUTES

Page 132: Examples of Risks not covered in Standards

Catastrophic Weather Response
• Outside of existing black start standards

Patch Risk implications to implementation schedule
• No determination of vulnerability severity in implementation plan

Page 133: Value Statement

The Engagement will identify preventive, detective, and corrective controls around standards, risks, or operations (as elected).

All Engagements will answer:
• How well are those controls documented, trained, and implemented? (Implementation Level)
• Are you only successful because of individual high-performers?
• Is your success sustainable?

Engagements around risks and operations will facilitate:
• Roadmap on opportunities for improvement (what processes to mature; controls to further develop or add)
• Effective management of workforce and work across business units
• Motivated workforce and operational efficiencies
• Elevate focus from compliance to Operational Excellence

Not rate making, or market development excellence…. it is ensuring a secure, reliable, resilient BES !!!

Page 134: What Drives You?

Page 135: Questions & Answers

Page 136: Follow us on LinkedIn and @RFirst_Corp on Twitter #RFWorkshop

Page 137: Technology Roundtable, Low Impact & V5 Compliance Metrics

Tobias Whitney, Manager of CIP Compliance

Reliability First Fall V5 Workshop

Page 138: Purpose

RELIABILITY | ACCOUNTABILITY

• Industry opportunities exist to research and deploy new technologies that could improve the reliable operations of the Grid.
• The mystique of the CIP standards may have discouraged the investment and innovation of BES technologies for fear of compliance risk and cyber exposure.
• NERC’s Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.

Page 139: Emerging Technologies

• Cloud Computing: Big Data analysis for preventive solutions
• Renewables + New Registration Paradigms: New Generation Owner/Operators’ diffuse operations could impact the BES
• IEC 61850: Substation network solutions
• Remote Access (FERC mandated): Due July 2017
• Virtualization (Standards Development): Server, networks and storage

Page 140

Emerging Technologies

• Microgrids: risk-based analysis of load centers

• Industrial Wireless Network Communications Technologies: point-to-point, local area wireless and unlicensed radio

• Distribution Management Systems: GIS, outage management and increased operational intelligence for smart-metered load centers

• End of Life Systems: assess the vulnerability of unsupported production Cyber Assets

• Support Systems: understanding VoIP, UPS and building automation systems

Page 141

Approach the Topic

Tech Seminar

• Invite vendors and industry stakeholders for a 1-day discussion on the solutions

• Identify volunteers for whitepaper development

Coordinated White Paper

• Coordinate white paper with CIPC (primarily) with support from OC and PC

• Publish draft paper for comments as part of the Section 11 Process

• Industry webinar to spotlight results

Call for Pilots

• Link interested stakeholders with research agencies

• Publish lessons learned for industry comments

Page 142

NERC Team

• Technology Risk Assessment

• Security

• Operations

• Regulatory

Page 143

Each Topic’s SWOT

• Strengths (reliability benefits)

• Weaknesses (current drawbacks)

• Opportunities (external factors)

• Threats (Security & Regulatory)

Page 144

Technology Risk

• First Technology Roundtable will be held in Atlanta on November 14th & 15th

• Cloud Computing: operational and reliability improvement case; common architecture; security and regulatory considerations

• IEC 61850: operational and reliability improvement case; architecture; security and regulatory considerations

• Opportunity: to provide technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.

Page 145

What is the Implementation Timeframe for Low Impact?

NERC Small Group Advisory Sessions Low Impact Webinar

September 14, 2016

Page 146

Agenda

• Implementation Plan Language

• Already required as of 7/1/2016

• Required on 4/1/2017

• Required on 9/1/2018

Page 147

Implementation Plan Language – V5

Proposed Effective Date for Version 5 CIP Cyber Security Standards

Responsible entities shall comply with all requirements in CIP-002-5, CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-1, and CIP-011-1 as follows:

1. 24 Months Minimum – The Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval. CIP-003-5, Requirement R2, shall become effective on the later of July 1, 2016, or the first calendar day of the 13th calendar quarter after the effective date of the order providing applicable regulatory approval. Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.

2. In those jurisdictions where no regulatory approval is required, the Version 5 CIP Cyber Security Standards, except for CIP-003-5 R2, shall become effective on the first day of the ninth calendar quarter following Board of Trustees’ approval, and CIP-003-5 R2 shall become effective on the first day of the 13th calendar quarter following Board of Trustees’ approval, or as otherwise made effective pursuant to the laws applicable to such ERO governmental authorities.

Page 148

Implementation Plan Language – V6

Effective Dates (for CIP Version 6)

The effective dates for each of the proposed Reliability Standards and NERC Glossary terms are provided below. Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The compliance date for those particular sections represents the date that entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date.

1. CIP-003-6 — Cyber Security — Security Management Controls

Reliability Standard CIP-003-6 shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority, or as otherwise provided for in a jurisdiction where approval by an applicable governmental authority is required for a standard to go into effect. Where approval by an applicable governmental authority is not required, the standard shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date the standard is adopted by the NERC Board of Trustees, or as otherwise provided for in that jurisdiction.

Page 149

Implementation Plan Language – V6

Compliance Date for CIP-003-6, Requirement R1, Part 1.2

Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R1, Part 1.2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Requirement R2

Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Requirement R2 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Attachment 1, Section 1

Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 1 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Attachment 1, Section 2

Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 2 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Page 150

Implementation Plan Language – V6

Compliance Date for CIP-003-6, Attachment 1, Section 3

Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 3 until the later of September 1, 2018 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Compliance Date for CIP-003-6, Attachment 1, Section 4

Registered Entities shall not be required to comply with Reliability Standard CIP-003-6, Attachment 1, Section 4 until the later of April 1, 2017 or nine calendar months after the effective date of Reliability Standard CIP-003-6.

Page 151

FERC Effective Dates

• FERC approved CIP V5 on November 22, 2013, with an effective date of the order of February 3, 2014 (based on publication in the Federal Register), making CIP V5 effective April 1, 2016

• FERC approved the CIP V6 changes on January 21, 2016, with an effective date of the order of March 31, 2016 (based on publication in the Federal Register), making the V6 changes effective July 1, 2016

• FERC action on February 25, 2016 aligned all CIP V5 & V6 compliance dates to July 1, 2016
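The dates on this slide follow mechanically from the implementation plan language quoted on the preceding slides (calendar-quarter offsets for V5, a three-calendar-month offset rounded up to a quarter boundary for V6, and "later of" floors for the V6 compliance dates). The Python below is an added example, not part of the workshop deck or of NERC's or FERC's materials: it encodes those rules and reproduces the slide's dates from the two FERC order effective dates stated above. Function names are the editor's own, and the April 1, 2016 V5 result is the pre-alignment date the slide reports before FERC moved everything to July 1, 2016.

```python
"""Compliance-date arithmetic for the CIP V5 / V6 implementation plans.

Added example (not from the deck). Inputs are accepted as datetime.date or
ISO-8601 strings, as dates appear in the plan language; outputs are dates.
"""
from __future__ import annotations

import calendar
from datetime import date


def _as_date(d: date | str) -> date:
    """Coerce an ISO-8601 string such as '2014-02-03' to a date (dates pass through)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def quarter_start_after(d: date | str, n: int) -> date:
    """First calendar day of the n-th calendar quarter after the quarter containing d."""
    d = _as_date(d)
    abs_quarter = d.year * 4 + (d.month - 1) // 3 + n   # quarters since year 0
    year, q = divmod(abs_quarter, 4)
    return date(year, 3 * q + 1, 1)


def next_quarter_start(d: date | str) -> date:
    """First day of the first calendar quarter beginning on or after d."""
    d = _as_date(d)
    if d.month % 3 == 1 and d.day == 1:                  # already a quarter boundary
        return d
    return quarter_start_after(d, 1)


def months_after(d: date | str, n: int) -> date:
    """Same day n calendar months later; the day is clamped to the target month's length."""
    d = _as_date(d)
    total = d.month - 1 + n
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def v5_effective(order_effective: date | str) -> date:
    """V5 plan, item 1: later of July 1, 2015 or the first day of the ninth
    calendar quarter after the approval order's effective date."""
    return max(date(2015, 7, 1), quarter_start_after(order_effective, 9))


def v5_r2_effective(order_effective: date | str) -> date:
    """V5 plan, CIP-003-5 R2: later of July 1, 2016 or the 13th calendar quarter."""
    return max(date(2016, 7, 1), quarter_start_after(order_effective, 13))


def v6_effective(order_effective: date | str) -> date:
    """V6 plan, CIP-003-6: later of April 1, 2016 or the first day of the first
    calendar quarter that is three calendar months after the order's effective date."""
    three_months = months_after(order_effective, 3)
    return max(date(2016, 4, 1), next_quarter_start(three_months))


def v6_compliance_date(standard_effective: date | str, floor: date | str) -> date:
    """V6 'Compliance Date' clauses: later of the stated floor date or nine
    calendar months after the effective date of CIP-003-6."""
    return max(_as_date(floor), months_after(standard_effective, 9))


def cip_schedule(v5_order: date | str, v6_order: date | str) -> dict[str, str]:
    """Reproduce the deck's schedule (as ISO strings) from the two FERC order dates."""
    v6 = v6_effective(v6_order)
    return {
        "CIP V5 effective (before FERC alignment)": v5_effective(v5_order).isoformat(),
        "CIP-003-5 R2 (13th quarter)": v5_r2_effective(v5_order).isoformat(),
        "CIP V6 changes effective": v6.isoformat(),
        "CIP-003-6 R1 Part 1.2 / R2 / Att. 1 Sec. 1 and 4":
            v6_compliance_date(v6, "2017-04-01").isoformat(),
        "CIP-003-6 Att. 1 Sec. 2 and 3":
            v6_compliance_date(v6, "2018-09-01").isoformat(),
    }


if __name__ == "__main__":
    # Order effective dates as stated on the FERC Effective Dates slide.
    for label, when in cip_schedule("2014-02-03", "2016-03-31").items():
        print(f"{label}: {when}")
```

Running it with the slide's two order dates yields April 1, 2016 for V5, April 1, 2017 for CIP-003-5 R2, July 1, 2016 for the V6 changes, and then April 1, 2017 and September 1, 2018 for the two groups of CIP-003-6 compliance dates, which are the figures on the "Required on" slides that follow. The quarter arithmetic is the part worth checking by hand: the quarter containing February 3, 2014 is Q1 2014, so the ninth quarter after it is Q2 2016.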

Page 152

Already Required as of 7/1/2016

• CIP-002-5.1

• CIP-003-6 Requirement R3

• CIP-003-6 Requirement R4

Page 153

Already Required as of 7/1/2016

• There were no changes to CIP-002-5.1 done as part of the CIP V6 SDT effort

The approved CIP V5 Implementation Plan therefore remained unchanged for CIP-002-5.1

Page 154

Already Required as of 7/1/2016

• CIP-002-5.1:

CIP-002-5.1 Requirement R1 requires identification of all high impact BES Cyber Systems, medium impact BES Cyber Systems, and identifying “each asset that contains a low impact BES Cyber System”

CIP-002-5.1 Requirement R2 requires that the process be repeated at least every 15 calendar months, and that the CIP Senior Manager approve the identifications made under Requirement R1

Page 155

Already Required as of 7/1/2016

• CIP-003-6 Requirement R3

Requirement R3 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)

Requires the identification of a CIP Senior Manager

CIP Senior Manager must approve the identifications made in CIP-002-5.1, Requirement R2

Page 156

Already Required as of 7/1/2016

• CIP-003-6 Requirement R4

Requirement R4 unchanged as part of CIP V6 SDT effort (not discussed in the CIP V6 Implementation Plan)

Requires the creation of a documented process to delegate the approvals of the CIP Senior Manager, unless no delegations are used.

CIP-002-5.1 approvals may be delegated

Page 157

Required on 4/1/2017

• CIP-003-6 Requirement R1, Part 1.2

• CIP-003-6 Requirement R2, Attachment 1, Section 1

• CIP-003-6 Requirement R2, Attachment 1, Section 4

Page 158

Required on 4/1/2017

• CIP-003-6 Requirement R1, Part 1.2

Requires the creation of cyber security policies for:

1. Cyber security awareness

2. Physical security controls

3. Electronic access controls for Low Impact External Routable Connectivity [Communications] (LERC) and Dial-up Connectivity

4. Cyber Security Incident Response

Must be approved by the CIP Senior Manager (no delegation allowed)

Page 159

Required on 4/1/2017

• CIP-003-6 Requirement R2, Attachment 1, Section 1

Requires that each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).

Page 160

Required on 4/1/2017

• CIP-003-6 Requirement R2, Attachment 1, Section 4

Requires that each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:

4.1 Identification, classification, and response to Cyber Security Incidents;

4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;

4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

Page 161

Required on 4/1/2017

4.4 Incident handling for Cyber Security Incidents;

4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and

4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.

Page 162

Required on 4/1/2017

• Note:

In order to properly develop policy (Section 1) and incident response (Section 4), physical (Section 2) and electronic (Section 3) access control procedures (i.e., the controls to be implemented) need to be initially developed, but they will not themselves be subject to audit

Page 163

Required on 9/1/2018

• CIP-003-6 Requirement R2, Attachment 1, Section 2

• CIP-003-6 Requirement R2, Attachment 1, Section 3

Page 164

Required on 9/1/2018

• CIP-003-6 Requirement R2, Attachment 1, Section 2 (draft language)

Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Page 165

Required on 9/1/2018

• CIP-003-6 Requirement R2, Attachment 1, Section 3 (draft language)

Electronic Access Controls: Each Responsible Entity shall:

3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber System(s).

3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.

Page 166

Required on 9/1/2018

• All physical and electronic access control protections must be in place at all assets containing low impact BES Cyber Assets or BES Cyber Systems by 9/1/2018

Page 167

CIP Violations (as of July 1, 2016)

Page 168

CIP Violations (as of July 1, 2016)


Page 170

Follow us on LinkedIn and @RFirst_Corp on Twitter #RFWorkshop