1. NERC Critical Infrastructure Protection Advisory Group (CIP AG)
Electric Industry Initiatives
Reducing Vulnerability To Terrorism
2. September 11, 2001 Industry Implications
3. Post 9/11 Reactions
4. CIP AG Overview
5. Security Guidelines Guiding Principles
Each company defines and identifies its own critical facilities and functions.
Each company assesses the usefulness of the Guidelines individually and adapts them as needed.
The Guidelines are living documents, expected to change.
Implemented and supported by workshops for industry
6. Initiatives CIPAG
Security Guidelines
Threat Conditions and Response
FERC Assist
Spare Parts Database
PKI
7. Security Guidelines Executive Summary
The Guidelines describe
general approaches
considerations
practices
planning philosophies
The Guidelines are NOT a “cookbook” for protection.
8. Security Guidelines Definitions
Critical Facility
Any facility or combination of facilities, if severely damaged or destroyed would:
have a significant impact on the ability to serve large quantities of customers for an extended period of time,
have a detrimental impact to the reliability or operability of the energy grid, or
cause significant risk to National security, National economic security, or public health and safety.
9. Security Guidelines Guideline Topics
Vulnerability and Risk Assessment
Threat Response
Emergency Management
Continuity of Business Processes
Communications
Physical Security
IT/Cyber Security
Employment Screening
Protecting Sensitive Information
10. Security Guidelines Guideline Topics
Vulnerability and Risk Assessment
Helps identify critical facilities, their vulnerabilities, and countermeasures.
Threat Response
Helps in developing plans for enhanced security.
11. Security Guidelines Guideline Topics
Emergency Management
Better prepares companies to respond to a spectrum of threats, both physical and cyber.
Continuity of Business Practices
Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations after interruptions occur.
12. Security Guidelines Guideline Topics
Communications
Enhances the effectiveness of threat response, emergency management, and business continuity plans.
Physical / Cyber Security
Mitigates the impact of threats through deterrence, prevention, detection, limitation, and corrective action.
13. Security Guidelines Guideline Topics
Employment Screening
Provides strategies to mitigate “insider” threats.
Protecting Sensitive Information
Production, storage, transmission, and disposal of both physical and electronic information
14. Security Guidelines Reference Documents
An Approach to Action for the Electricity Sector (NERC, June 2001)
Threat Alert Levels and Physical Response Guidelines (NERC, November 2001)
Threat Alert Levels and Cyber Response Guidelines (NERC, March 2002)
15. ThreatCon and Response Guidelines The Guidelines
Define Threat Alert Levels for Alerts issued by
ES-ISAC
NIPC
Other government agencies
(Excludes facilities regulated by the NRC)
Ensure that electric Threat Alert Levels are consistent with information from other sources
Provide examples of security measures
Supported with workshops
16. ThreatCon and Response Guidelines Threat Alerts / Threat Conditions
Can be issued
for a specific geographic area
for a specific facility
by category - such as a specific type of facility
17. Threat Alert Level Definitions
THREATCON-NORMAL
Applies when no known threat exists.
Is equivalent to normal daily conditions.
Security measures should be maintainable indefinitely.
THREATCON-LOW
Applies when a general threat exists with no specific threat directed against the electric industry.
Additional security measures are recommended.
Added security should be maintainable for an indefinite period with minimum impact on the organization.
18. Threat Alert Level Definitions
THREATCON-MEDIUM
Applies with increased or more predictable threat to the electric industry.
Implementation of additional security measures is expected.
Increased measures are anticipated to last for a defined time.
Significant increases in corporate resources will be required.
THREATCON-HIGH
Applies when an incident occurs or a credible threat is imminent.
Maximum security measures are necessary and are expected to:
cause hardships on personnel,
seriously impact normal operations, and
may be economically unsustainable for more than a short time.
19. FERC Request
FERC requested NERC to develop security standards for inclusion in the Standard Market Design NOPR
CIPAG picked up the gauntlet
NERC BoT approved CIPAG participation on June 14, 2002
20. FERC Request
“Minimum Daily Requirements”
Achievable
Granular
Cyber focused
Inter-connection focused
21. FERC Request
Final draft to FERC July 26
SMD NOPR released July 31 for general public review and comment
Final SMD ruling late October or early November
Effective date of compliance 2004
Annual signed self-certification
22. FERC Request
All future standards to be developed and maintained by NERC
All future FERC rule making on standards will refer to NERC standards
23. Spare Equipment Database
Expanding database created in 1989
Spare EHV transformers in case of national emergencies
Web-based, on a secure server
Other equipment to be included
24. PKI
Needed because of the reliance on computer-based systems and applications
Evaluate potential Certificate Authorities
Develop an integrated PKI architecture and deployment strategy
Resolve technical issues
Create web-based training materials
25. ES ISAC
PDD #63 identified electricity as one of the eight critical infrastructures
NERC sector coordinator for electricity
IAW Program
Website
CIPAG oversight body for ISAC
Collect, Analyze and Disseminate information
26. Pulling Together
27. Available on the Web
www.nerc.com Committees CIPAG Related Files
28. One Last Thought!
“Security is always excessive until it’s not enough”