adjustments to tariff to facilitate emergency data sharing ... rsc item 08 dhs...nov 01, 2018  ·...

November 1, 2018

Adjustments to Tariff to Facilitate Emergency Data Sharing at a Time of Cyber Attack and Responsiveness to Reliability Authorities


Objectives for today:

• Discuss federal government and electric industry developments regarding responses to possible cyber attack
• Highlight MISO proposed adjustments to Tariff provisions
• Request feedback/comments on MISO proposed adjustments by November 21, 2018


Industry-Government Data Sharing


Backdrop to Proposed Tariff Changes – What is Section 9?

• Presidential Executive Order 13636, Improving Critical Infrastructure Cybersecurity, is comprised of 12 sections:
  o Section 9 covers: Identification of Critical Infrastructure at Greatest Risk
  o MISO has been identified as critical infrastructure entity per Department of Homeland Security (DHS) and Sector Specific Agencies (SSAs)
• Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, tasked DHS to:
  o Identify authorities and capabilities that agencies could employ to support cybersecurity efforts of “Section 9” critical infrastructure entities.
  o Engage “Section 9” entities and solicit input around capabilities
  o Provide a report to President on addressing counterterrorism


Executive Order 13636 Section 9: “Identification of Critical Infrastructure at Greatest Risk”


Section 9 Engagement


► Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013)

► Section 9 directs DHS and SSAs to develop “a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects…” (2017)

► Requires DHS and the SSAs to identify authorities and capabilities that agencies can employ to support the cybersecurity efforts of Section 9 entities

► DHS, DOE, and interagency partners focus on delivering and enhancing useful capabilities and resources to these entities in the following areas:

► Supply Chain Working Group

► Incident Response Working Group


Section 9 – Cyber Incident Response Working Group


► The private sector and government agencies have complementary roles and capabilities that can all be brought to bear on cyber incidents.

► The team developed an Information Exchange Checklist that will be used during a cyber event.

Industry-Government Information Exchange Checklist


Section 9 – Cyber Incident Response Working Group


Industry-Government Information Exchange Checklist


► ISSUE: MISO and CAISO, Working Group members, must adjust tariffs to permit information sharing.

► The RTO chooses when to engage and disengage

► Only for a MAJOR cyber event – “exigent* circumstances” – such as blackout.

*Exigent: Urgent & requiring great effort


Shifting Gears: Incident Response per CIP-008


• FERC Order 848 - FERC Requires Expanded Cyber Security Incident Reporting for CIP-008-5
  o FERC order requires the reporting of Cyber Security Incidents that compromise, or attempt to compromise a responsible entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMs).
  o FERC order demonstrates the need to report more cyber security attempts to compromise reliability functions due to increased cyber threats
• MISO has taken an active role to formulate CIP-008-6 Cyber Security Incident Reporting Standard
  o MISO chairing NERC Standard Drafting Team (Dave Rosenthal)
  o CIP-008-6 will require additional information sharing with NERC


► CIP-008 demonstrates importance of information sharing during a critical cyber event


Shifting Gears: Incident Response per CIP-008


• FERC Order 848 - FERC Requires Expanded Cyber Security Incident Reporting for CIP-008-5 to include:
  o Attack Vector (e.g. malware and use of stolen credentials)
  o Functional Impact (e.g. situational awareness, dynamic response, ability to perform real-time assessments, or real-time monitoring)
  o Level of Intrusion (e.g. whether the compromise or attempt to compromise occurred on Applicable Systems outside the Electronic Security Perimeter (ESP), at the ESP, or inside the ESP)
• The new CIP-008-6 will also drive the required Tariff update
  o FERC Order 848 requires information sharing to Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
    • With the addition of ICS-CERT, the Tariff change supports the new CIP-008-6 proposed standard
    • Tariff change will ensure CIP-008-6 information sharing requirements will not violate our Tariff


Data Sharing Implementation


• MISO hopes to never need to use the additional data sharing practices
• MISO may request help from DHS and/or other federal agencies with cyber security responsibilities
• Authorized solely by MISO Corporate Information Officer (CIO) or Corporate Information Security Officer (CISO)
• Other MISO utilities are engaged with DHS
• MISO can terminate the agreement with DHS at any time


MISO Proposed Tariff Adjustments


Tariff Adjustment Proposal – A, B, Cs and D


• Information sharing with federal agencies – “a”
  o Primary location of Tariff adjustment is Sec. 38.9.3, which permits data sharing with:
    • FERC (or its staff)
    • Commodity Futures Trading Commission (CFTC) (or its staff), which will both continue (Sec. 38.9.3.a(i))
  o MISO proposes to expand the applicability of the existing provision to include additional entities:
    • Federal agencies with responsibilities for cyber security in response to cyber exigency (Sec. 38.9.3.a(ii))
    • Reliability entities (NERC and Regional Entities, Sec. 38.9.3.a(iii))
      – Responsive to the proposed CIP-008-6
      – Repositions provision for data sharing from Sec. 38.9.1


Relevant Tariff Section – Section 38.9.3 (related 38.9.1)


Tariff Adjustment Proposal – A, B, Cs and D


• Reconciliation Adjustments – “b” and “c”
  o Existing provision for requesting confidential treatment for shared data by FERC and the CFTC – “b”
    • Located in Sec. 38.9.1.b
    • Generalized to cover added agencies/organizations
    • MISO will use any available support for desired confidentiality (federal rules, but also other authorities such as NERC rules)
  o Existing provision for notification of data owner upon request by FERC or the CFTC to share information with third parties – “c”
    • Placed in Sec. 38.9.1.c
    • Generalized to cover added agencies/organizations who share information with third parties other than an agency/organization of the U.S. Government


Relevant Tariff Section – Section 38.9.3


Tariff Adjustment Proposal – A, B, Cs and D


• Non-Substantive Adjustments (Clean Up) – “d”
  o “Electronic Delivery of Confidential and Non-Public Data to the Commission” repositioned as Sec. 38.9.3.d (Section 38.9.3(A) deleted) – “d”
  o Add titles and other adjustments to Sections 38.9.1, 38.9.2, and 38.9.3 for unified appearance
  o Adjustments for readability purposes


Relevant Tariff Section – Section 38.9.1, .2, .3, and .3(A)


Feedback Requested


Feedback Request


• Interested in feedback regarding proposed Tariff change
  o Feedback requested by November 21
  o All feedback requests will be posted to the Stakeholder Feedback Page, and stakeholder comments should be submitted through the feedback tool
• Remember in your feedback:
  o Information on cyber security attacks will only be shared if there is a significant cyber event affecting MISO and the reliability of grid operations
  o MISO intends to engage DHS, with the engagement managed by the MISO CIO or CISO


Proposed Timeline


November 21, 2018

• Stakeholders submit comments/feedback on the redlines

December 2018

• Review stakeholder feedback on Tariff revisions at Reliability Subcommittee

January 2019

• Tariff Filing during January 2019