
INF MP Identity Management

INF MP Identity Management. May 7th 2008. Agenda: NERC Standard (Background, Standard requirements); Market Participant Identity Management (MPIM) Phase 2.0 (Summary, NERC Requirements Enforced through MPIM, Requirements, NERC Checkboxes, Compliance Notifications, Reporting).

Anita


Presentation Transcript


  1. INF MP Identity Management May 7th 2008 ERCOT Public

  2. Agenda
  • NERC Standard
    • Background
    • Standard requirements
  • Market Participant Identity Management (MPIM) Phase 2.0
    • Summary
    • NERC Requirements Enforced through MPIM
    • Requirements
    • NERC Checkboxes
    • Compliance Notifications
    • Reporting
    • Compliance Bulk Load Process
  • Feedback on v3.2 of MPIM requirements

  3. NERC Standard: Background
  • ERCOT is subject to and bound by CIP 004-1
  • Requirements R2 (Training) and R3 (Personnel Risk Assessment) are described on the following pages
  • ERCOT to have a compliant system in place early June
  • MPIM Phase 2.0 deployment contains the mechanism of compliance
  • MP USA (User Security Administrator) attestation is the key component
  • ERCOT required to be compliant July 1
  • Users with access to Critical Cyber Asset (CCA) systems must have attestations in place
  • Bulk load process will be available enabling MPs to attest for current Outage Scheduler compliance

  4. NERC Reliability Standard: CIP-004-1 Requirements (R2)
  R2.2 Training shall cover the policies, access controls, and procedures as developed for the Critical Cyber Assets covered by CIP-004, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
  • R2.2.1. The proper use of Critical Cyber Assets;
  • R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
  • R2.2.3. The proper handling of Critical Cyber Asset information; and,
  • R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.

  5. NERC Reliability Standard: CIP-004-1 Requirements (R3)
  R3 Personnel Risk Assessment: The Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program within thirty days of such personnel being granted such access. Such program shall at a minimum include:
  • R3.1. The Responsible Entity shall ensure that each assessment conducted include, at least, identity verification (e.g., Social Security Number verification in the U.S.) and seven year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position.
  • R3.2. The Responsible Entity shall update each personnel risk assessment at least every seven years after the initial personnel risk assessment or for cause.
  • R3.3. The Responsible Entity shall document the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004.

  6. MPIM Phase 2.0: Summary
  • MPIM deployment date of early June into Production (Zonal), also enabling support of EDS (Nodal)
  • Scope of June deployment:
    • NERC Certification
    • Integration with MIS
    • Integration with NMMS
    • Minor enhancements from Phase 1.5

  7. MPIM Phase 2.0: NERC Requirements Enforced through MPIM
  According to the North American Electric Reliability Corporation, Responsible Entities with access to “Critical Cyber Assets” must comply with CIP 004-1. The users are required to meet only the requirements of CIP 004-1 as specifically stated in the standard. At ERCOT, the following market-facing applications are “Critical Cyber Assets”:
  • Systems list removed for security reasons
  Access to these applications is controlled through “roles” in MPIM; therefore, the Market Participant User Security Administrator (USA) must attest (on behalf of the Digital Certificate User) to the following requirements:
  • I hereby certify that the Market Participant User has completed Cyber Security Training for the appropriate use of Critical Cyber Assets in accordance with all requirements of North American Electric Reliability Corporation Reliability Standard CIP 004-1, Requirement 2
  • I hereby certify that the Market Participant has fulfilled all of the requirements regarding Critical Cyber Assets in accordance with North American Electric Reliability Corporation Reliability Standard CIP 004-1 or any revision thereof.

  8. MPIM Phase 2.0: Requirements
  • The following requirements were added in Phase 2.0:
  • MPIM is supporting them through:
    • NERC Checkboxes
    • NERC Compliance Notifications
    • NERC Reporting

  9. NERC: Checkboxes
  • MP USA completes fields (existing functionality)
  • MP USA selects roles (existing functionality)
  • If a NERC role is selected, the NERC Certification checkboxes appear unchecked
  • MP USA certifies that the user complies by checking the checkboxes
  • MP USA clicks the “Submit” button; the request is processed

  10. NERC: Compliance Notifications
  • MPIM sends the user and the MP USA a reminder notification (e-mail) at:
    • NERC Attestation Date + 11 months
    • NERC Attestation Date + 11 months + 1 week
    • NERC Attestation Date + 11 months + 2 weeks
    • NERC Attestation Date + 11 months + 3 weeks
  • As of the NERC Attestation Date + 1 year, if the user has not re-certified, his/her NERC roles will be removed
  • The MP USA and the user will receive an e-mail when the roles are removed

  11. NERC: Reporting
  • Using MPIM, the MP USA will have the ability to run a report of all users with NERC roles assigned
  • The report will list:
    • Certification Date
    • NERC Roles Assigned
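The reminder schedule and automatic role removal on slide 10, and the MP USA report on slide 11, modelled as an added Python example; this is not ERCOT's MPIM code, and the user ids, USA ids, dates and role names are constructed placeholders.

```python
from __future__ import annotations
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def reminder_dates(attested: date) -> list[date]:
    """Reminders: attestation date + 11 months, then +1, +2 and +3 weeks."""
    base = add_months(attested, 11)
    return [base + timedelta(weeks=w) for w in range(4)]

def expiry_date(attested: date) -> date:
    """NERC roles lapse at attestation date + 1 year unless re-certified."""
    return add_months(attested, 12)

@dataclass
class NercUser:
    user_id: str        # digital certificate user
    usa_id: str         # the MP USA who attested for this user
    attested: date      # NERC attestation date
    nerc_roles: set[str]

def run_daily_job(users: list[NercUser], today: date):
    """Daily pass: returns (notices, removals); each entry names user and USA."""
    notices, removals = [], []
    for u in users:
        if not u.nerc_roles:
            continue                      # nothing to certify or revoke
        if today in reminder_dates(u.attested):
            notices.append((u.user_id, u.usa_id, expiry_date(u.attested)))
        if today >= expiry_date(u.attested):
            removals.append((u.user_id, u.usa_id, sorted(u.nerc_roles)))
            u.nerc_roles = set()          # revocation is the actual control
    return notices, removals

def nerc_role_report(users: list[NercUser]):
    """The MP USA report: certification date and NERC roles per user."""
    return [(u.user_id, u.attested.isoformat(), sorted(u.nerc_roles))
            for u in users if u.nerc_roles]

def sample_users() -> list[NercUser]:
    """Constructed sample data; role names are placeholders, not ERCOT's."""
    return [NercUser("alice", "usa1", date(2008, 6, 15), {"CCA_ROLE_A"}),
            NercUser("bob", "usa1", date(2008, 5, 1), {"CCA_ROLE_B"}),
            NercUser("carol", "usa2", date(2008, 7, 1), {"CCA_ROLE_C"})]
```

Month arithmetic clamps the day (an attestation on 29 February lapses on 28 February the following year) so that no user escapes the one-year cut-off through an invalid date.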

  12. NERC: Compliance Bulk Load process
  • ERCOT is developing a bulk load mechanism which will set the correct attributes for current users with a CCA role, allowing continued uninterrupted operation
  • Preliminary approach description:
    • Excel spreadsheet sent to the MP USA with current users of Zonal CCA systems
    • MP USA fills in the information fields in the spreadsheet
    • An officer of the MP signs a letter attesting to the accuracy of the data
    • ERCOT imports the information into MPIM, setting the attestation date to the date of import
    • Those MP users with CCA accounts and proper attestation information continue to access and use the Outage Scheduler as they do today

  13. Understanding the Feedback Template
  • Text in black is from the original requirement document (v3_2)
  • Text in blue is the comment provided or the text added to reflect feedback received
  • If text has been removed, it will be shown in the feedback spreadsheet as strikethrough

  14. Requirement Feedback #1

  15. Requirement Feedback #2
