190 likes | 362 Views
Michael Espinoza. BS Information Systems – University of Redlands AS Electronic Technology Project Management Certification Program- UCSD. 22 Years SDG&E, Sr EMS Hardware Analyst EMS Hardware Supervisor Infra Project Technical Lead. Agenda. Purpose NERC CIP Standards Standards
E N D
Michael Espinoza • BS Information Systems – University of Redlands • AS Electronic Technology • Project Management Certification Program- UCSD • 22 Years SDG&E, • Sr EMS Hardware Analyst • EMS Hardware Supervisor • Infra Project Technical Lead
Agenda • Purpose • NERC CIP Standards • Standards • Goals/Challenges • Establishing Project Direction • Project Roadmap • Communication is Essential • Feedback • Disclaimer – This presentation represents my own personal interpretation.
Purpose of CIP Cyber Security Standards • Ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.
North American Electric SystemsOverview • NERC is made up of eight regions that oversee the reliability and operation of the Bulk Electric System. • >All Electric Generation and Transmission agencies report to one of these regions. • SDG&E reports to the WECC, Western Area reporting agency, • >All regions must comply with NERC CIP 002-009 Standards.
NERC CYBER SECURITY NERC CIP 8 Standards CIP-002 Critical Cyber Asset Identification CIP-004 Personnel & Training CIP-006 Physical Security Of Critical Cyber Assets CIP-008 Incident Reporting And Response Planning CIP-003 Security Management Controls CIP-005 Electronic Security Perimeters CIP-007 Systems Security Management CIP-009 Recovery Plans For Critical Cyber Assets
Audit Preparation - Compliance Levels • Compliant (C) - means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records” • Auditably Compliant (AC) - means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12-calendar-months of auditable “data,” “documents,” “documentation,” “logs,” and “records” 2009 2010
Penalty Matrix* FERC statutory limit: $1,000,000,000 per day, per violation Other limits may apply in Canada *Matrix undergoing revision
GOAL • Comply with new NERC CIP002-009 Cyber Security Standards in advance of the required deadlines • Obstacles Not Withstanding: • - Significant effort is required • - Additional funding and / or personnel • may be needed
CIP Standards Applicability to the following Functions • Generation Owner • Generator Operator • Transmission Owner • Transmission Operator • Load Serving Entity
STANDARD Grid Operations Information Technology Corporate Security Human Resources Regulatory a a CIP-001 CIP-002 CIP-003 CIP-004 CIP-005 CIP-006 CIP-007 CIP-008 CIP-009 a a a a a a a a a a a a a a a a a
“The Challenge” Organizational Links Project Links Internal Auditing Facilities *The key for success -> Ensure all Organizations have the same goal. Regulatory NERC & FERC Electric Ops IT WECC Corp Security HR
Acquire Project Teams Inputs Tools & Techniques Outputs 1.Enterprise Environmental factors 2.Organizational Process Assets 3.Roles and Responsibilities 4.Project organization Charts 5.Staffing Mgmnt plan 1.Pre-assignment 2.Negotiation 3.Acquisition 4.Virtual Teams 1.Project staff assignments 2.Resource availability 3.Staffing Management plan (updates) (PMBOK Guide)
NERC CIPPROJECT PYRAMID 2. Mgmt Approvals
CONCEPT PROCESS EXAMPLE Populate master CCA access list from existing worksheets Grid Operations, Human Resources, Corporate Security, IT
Establishing Project Direction • Develop a master project plan • Assign qualified members to each internal NERC team • Use standardized templates for documentation • Run an ongoing gap analysis to identify redundant and missed processes
CommunicationsUpdates/Feedback Communications • Executive Updates - Monthly • CEO/VP • Directors • Managers • Team Feedback • Monitor Teams for resource requirements • Establish monthly goals for Levels of Compliance • Review Team suggestions • Utilize Tools/Resources • Consultants, wicf · Western Interconnection Compliance Forum, Common Data site (SharePoint), Ticklers Communications
Review • Purpose • NERC CIP Standards • Standards • Goals/Challenges • Establishing Project Direction • Project Roadmap • Communication is Essential • Feedback