NERC Physical Security Standard CIP-014-1
Allan Wick, CFE, CPP, PSP, PCI, CBCP
Chief Security Officer
WECC Joint Meeting
October 8, 2014

Agenda
• Project Overview
• Drafting Team members
• Standard Highlights
• Implementation Plan
• Timeline

Project Overview
• The FERC directed NERC to submit proposed physical security reliability standards to the Commission within 90 days of the date of the March 7, 2014 order.
• Only a relatively small number of Transmission Owners and Transmission Operators will need to comply with the entire Standard (25).
• Includes confidentiality requirements.
• Three step process.

Standard Highlights
• Background
• The Reliability Standard addresses the directives from the FERC order issued March 7, 2014, Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014), which required NERC to develop a physical security reliability standard(s) to identify and protect facilities that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.
• Drafted as Critical Infrastructure Protection (CIP) family of standards.

Standard Highlights
• Requirements R1-R3
• Perform risk assessments to identify Transmission stations and Transmission substations that meet the “medium impact” criteria from CIP-002-5.1, and their associated primary control centers, then
• Arrange for a third party verification of the identifications; and
• Notify Transmission Operators of identified primary control centers that operationally control the verified Transmission stations and Transmission substations.
• The requirements provide the periodicity for satisfying these obligations. Only an entity that owns or operates one or more of the identified facilities has further obligations in Requirements R4 through R6. If an entity identifies a null set after applying Requirements R1 through R2, the rest of the standard does not apply.
• Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.

Standard Highlights
• Requirements R4-R6
• The evaluation of potential threats and vulnerabilities of a physical attack to the facilities identified and verified according to the earlier requirements,
• The development and implementation of a security plan(s) designed in response to the evaluation, and
• A third party review of the evaluation and security plan(s).
• Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.

Key Dates
• Final Ballot Closed May 5 – Passed 85%
• NERC BOT Adopted May 13, 2014
• FERC BOD Proposed Approved July 17, 2014
• Two directives, FERC add/delete & instability vs. widespread instability
• 45 day comment period, September 8, 2014
• Effective the first day of the first calendar quarter that is six months beyond the date that the standard is approved by applicable regulatory authorities, ….

Implementation Plan
• The initial performance of CIP-014-1, Requirements R2 through R6, must be completed according to the timelines specified in those requirements after the effective date of the proposed Reliability Standard, as follows:
• Requirement R2 shall be completed as follows:
• Parts 2.1, 2.2, and 2.4 shall be completed within 90 calendar days of the effective date of the proposed Reliability Standard.
• Part 2.3 shall be completed within 60 calendar days of the completion of performance under Requirement R2 part 2.2.

Implementation Plan
• Requirement R3 shall be completed within 7 calendar days of completion of performance under Requirement R2.
• Requirements R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2.
• Requirement R6 shall be completed as follows:
• Parts 6.1, 6.2, and 6.4 shall be completed within 90 calendar days of completion of performance under Requirement R5.
• Part 6.3 shall be completed within 60 calendar days of Requirement R6 part 6.