CIP Compliance Training Workshop

1. CIP Compliance Training Workshop

2. Workshop Introduction

3. CIP Background The NERC CIP Standards are nine sets of requirements for protecting the reliability of the bulk electric system. This workshop focuses on CIP standards -002 through -009. We are required to comply with these standards as of 12/31/2009.

4. CIP-001 - Sabotage Reporting CIP-001 requires we to provide: • Guidelines for employees on indications of possible sabotage. • Procedures for reporting incidents to specific authorities. Our compliance with CIP-001 was established as of June 2007. Printed procedures for reporting incidents should be present in plant control rooms. CIP-001 is outside the scope of this workshop.

5. Where we are: 2009 accomplishments • Defined risk-based methodology and used it to identify our critical assets (CAs) and critical cyber assets (CCAs) • Enclosed CCAs within required physical security perimeters • Inventoried components of critical cyber assets and established electronic security perimeters to protect them • Identified and certified employees who have unescorted access to CCAs • Delivered training and initiated awareness program • Created policies and program documents as required by CIP-002 through CIP-009

6. Purpose of this workshop • Explain required CIP policies, programs, and procedures • Identify the Intranet NERC CIP page as the source of published documents • Discuss details of implementing standards CIP-002 through -009 at your facility • Describe each of your roles and responsibilities for compliance • Identify the kinds of evidence you need to save to be prepared for NERC audits • Show the CIP SharePoint Evidence Repository that you will use for posting evidence • Answer questions and discuss procedures as needed

7. Compliance roles for plant staff Plant Managers – responsible for overall CIP compliance at their facilities CIP coordinators – coordinate compliance activities and participate in annual reviews of policies and programs Critical cyber asset administrators – ensure compliance with CIP standards in operation of CCAs 7

8. CIP-002 – CIP-009 framework CIP-002 – Identify CAs and CCAs CIP-003– Establish security plans for CCAs CIP-004 – Identify and train the people with access to CCAs CIP-005 – Protect CCAs with electronic security perimeters Conduct reviews and updates CIP-006 – Protect CCAs with physical security perimeters CIP-007 – Protect CCAs with security procedures CIP-008 – Respond to and report CCA security incidents CIP-009 –Back up CCAs and recover from security incidents

9. Q&A

10. Policies, Programs, and Procedures Policies Programs Procedures • Policies affirm that we will comply with the CIP Standards. • Programs explain—at an enterprise level—how we will comply with the CIP requirements. • Procedures provide details on the steps employees must follow to conform with the programs. 10

11. Example: Critical Cyber Asset Information • The CIP Cyber Security Policy simply states that in accordance with CIP-003, we will identify, classify, and protect information associated with its critical cyber assets. • The Critical Cyber Asset Information Protection Program defines CCAI, explains how it should be identified and collected, and states that a checkout procedure must be in place for employees to access that information. • Within that program is a CCAI Checkout Procedure. Additional procedures could be developed at each location to further spell out the steps required to conform to the Critical Cyber Asset Information Protection Program. Policies Programs Procedures 11

12. NERC CIP Compliance Monitoring • NERC uses these processes to monitor and enforce compliance with CIP through the Regional Entities (RFC, NPCC, WECC): • Self certification • Self reporting • Spot checks • Compliance audits 12

13. Q&A