
Post on 11-Jan-2020


NERC Situation Awareness and Cyber Security Update

NPCC General Meeting

September 24, 2009

Stan Johnson

609-524-7012

Stan.Johnson@nerc.net

Situation Awareness History

August 14, 2003 Blackout Report

• Electric Reliability Organization (ERO) Filing

• Energy Policy Act of 2005

• Established as ERO Program Area

Presidential Decision Directive 63-1998

• Created Information Sharing and Analysis Centers (ISAC)

Situation Awareness Definition

Definition relates to the goals and objectives of a specific job or function

• Different for Reliability Coordinator than for Region than for NERC than for FERC

“The perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future”

» Dr. Mica Endsley, 1988

NERC Situation Awareness Activities

Operate Electric Sector ISAC

• Bulk Power System Disturbances

• Situation Awareness for FERC, NERC, Regions-SAFNR

• North American Synchro Phasor Initiative

• Typical Events-Share Information with Governments

Hurricanes, Ice Storms, Earthquakes

Wildfires

Fuel Supply issues

NERC Situation Awareness Information Sources

Reliability Coordinators

Regions

Ace-Frequency Tool

F-Net

SAFNR

RTDMS

HSIN (DHS)

Media

OE-417

EOP-004

CIP-001

CIP-008

E-Mail

NICC, NCC (DHS)

NOAA

Other sector ISACs

NERC Situation Awareness Activities

Monday Morning Briefing-NERC SA/EA Team

• On Duty Officer briefs SA/EA Team on week past

Bi-weekly FERC-NERC-Region Call

• Every other Tuesday

• Review events of last two weeks and any carry over

North American Bulk Power System Log

• New initiative-started 9/14/09-working out kinks

SAFNR Project Summary

June 1, 2009 Target Date-Start Date September, 2008

Revised Operating Reliability Data Non-Disclosure Agreement to NERC Trustees 5/6/09

Support Documents Completed

Displays Finalized-East, West, ERCOT

Reliability Coordinators to be Commended

Next Steps

• Review summer 09

• Meet with FERC, NERC, Regions next week

SAFNR Display-NPCC

SAFNR Display-ReliabilityFirst-PJM

Southeastern

MISO

NERC Situation Awareness Room-Purpose

Manage major emergencies to the bulk power system

• Specifically physical and cyber infrastructure

• Other major catastrophes or attacks involving North America

Serve as a central and secure communications command center

• Tactical and strategic planning room

• Daily briefing room

NERC Situation Awareness Room-Layout

800 Sq. Ft.

Three interconnected offices

• Situation Awareness Supervisor (20’ x 11’)

Small conference table

• Conference Area (20’ x 20’)

• Situation Awareness Team (20’ x 10’)

Two Workstations

Two satellite TV feeds

Travel desk for telecommuters

NERC Situation Awareness Center at a Glance


NERC Alerts

Have been operating with E-mail based system

Primarily Cyber based alerts but some equipment related

Moving rapidly to implement new secure, smarter system

Message sent to log in and look

Training in progress via webex-9/22, 29/09

Elephant in Room-Compliance

Key Question-How does NERC Situation Awareness interact with NERC Compliance?

As required by Rules of Procedure, but….

Current process is supposed to be serial

• Situation Awareness, then

• Events Analysis, then

• Compliance, but…. are involved throughout process

NERC Cyber Update

History

Current activities, including standards

Hot topic, all sectors, U.S. Congress proposed legislation for increased FERC role

Material from Mike Assante, Tim Roxey, Scott Mix

Cyber Security History

Initial Cyber Standards-Urgent Action post 9/11

Participated in U.S. DOE Cyber Security Roadmap

Worked with Pacific Northwest Lab to identify top 10 vulnerabilities

Participated in development of SCADA Test Bed at Idaho National Lab

Participation in numerous exercises-Cyber Storm

NERC Cyber Security Activities

ES-ISAC Activity

• Aurora

• Boreas

• Microsoft RPC

• Conficker

• Hydra Team formed for industry subject matter expertise

• NERC Alerts

NERC Cyber Security Current Activities

Cyber Readiness Preparedness Assessment

FERC Order 706B-Nuclear Plants

Technical Feasibility Exception Process

Congressional Testimony

CIP Education-Table 3 Entities

NERC Alerts

CIP Standard Revisions-Recap of Activities

Drafting Team 1st meeting – October, 2008

Version 2 standards approved by Board of Trustees May, 2009

• Awaiting FERC action

Version 1 VSL / VRF Approved by Board of Trustees

• Submitted to FERC following 1st round ballot

Version 2 VSL / VRF in initial ballot

Concept Paper Published July 2009

Webinar on Concept Paper – August 25, 2009

Order 706-B (Nuclear Plant implementation) – approved by industry September 10, 2009

NERC CIP Standards Revision-Concept Paper

Describes a new approach to identifying the “scope of applicability” for the CIP Cyber Security Standards – a replacement for the current CIP-002

• Moves away from “Critical” vs. “Non-Critical”

• Provides a multi-level graded approach, based on impact to BES reliability

• A “decoupled” approach independently assessing both “BES impact” and “cyber impact”; then combining assessments into a final impact categorization

NERC CIP Standards Revision-Concept Paper

Posted for 45-day comment period

Comment Period closed September 4

• 52 sets of comments

• 137 pages of comments

Responses to 11 specific questions

Page/Line comments

Individual responses to comments will not be developed

• Comments will be used in further refinement of concepts and development of Requirements

• We’ll hear about any remaining or open issues during the official comment period

Development Schedule

Proposed development schedule:

• Now through December, 2009 – develop CIP-002-3

• December 2009 – post Draft 1 of CIP-002

• January 2010 – April 2010 – develop “CIP-003 through CIP-009”

• February 2010 – April 2010 – Respond to comments on CIP-002-3

• April 2010 – Post Draft 2 CIP-002-3 and Draft 1 “CIP-003-3 through CIP-003-9”

• Remainder of 2010 – Revise and post CIP-002-3 through CIP-009-3 (multiple draft cycles)

• December 2010 – Ballot CIP-002-3 through CIP-009-3 with implementation plan

Development Schedule

Graphically:

Web Resources

CIP Standards Activities overview page:

• http://www.nerc.com/filez/standards/Cyber-Security-Activities.html

CIP Standards Project page:

• http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security.html

CIP Standards Version 1 VSL page:

• http://www.nerc.com/filez/standards/Project2008-14_Cyber_Security_VSLDT.html

Web Resources

Phase II Activities

• Concept Paper & Webinar slides

• http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html

Identifying Critical Assets Guideline

• http://www.nerc.com/filez/sgwg.html

Identifying Critical Cyber Assets Guideline

• http://www.nerc.com/filez/sgwg.html

Questions

stan.johnson@nerc.net 609-524-7012
