CIP Program Prospective - PowerPoint PPT Presentation

About This Presentation
Title:

CIP Program Prospective

Slides: 23
Provided by: ander80

Transcript and Presenter's Notes

Title: CIP Program Prospective


1
CIP Program Prospective
  • Ralph Anderson
  • Compliance Audit Group

2
Overview
  • What this is
  • General overview of CIPs, including overall
    observations and statistics based on 12/31/2008
    reported data, and a preview of the intent of the
    Technical Feasibility Exception process (TFE)
  • What this is NOT
  • Specific information to meet the cyber standards,
    or detailed procedures for TFE

3
Cyber Security Has become VERY High Profile
  • 4/8/2009 Wall Street Journal ran a large
    article
  • Electricity Grid in U.S. Penetrated by Spies
  • WASHINGTON -- Cyber spies have penetrated the
    U.S. electrical grid and left behind software
    programs that could be used to disrupt the
    system, according to current and former
    national-security officials.
  • Did anyone notice?

4
Cyber Security 4/9/09 after WSJ Article
  • Television
  • ABC News (Good Morning America)
  • NBC Nightly News
  • Radio
  • NPR (All Things Considered)
  • Print / Online
  • Cyberspies have hacked into power grid, officials
    say
  • USA Today
  • What if Russia or China Cut Off Your Electricity?
  • ABC News
  • US concerned power grid vulnerable to
    cyber-attack
  • Reuters
  • Electrical grid's operator tries to stay ahead of
    hackers
  • Houston Chronicle
  • Utilities on guard against power grid foes
  • Kansas City Star

5
Cyber Security 4/9/09 after WSJ Article
  • The Feds' Timely Cyber Alarm
  • Forbes
  • Hackers reportedly have embedded code in power
    grid
  • CNN
  • AP source: Spies compromised US electric grid
  • Associated Press
  • Spies Penetrate U.S. Electrical Grid
  • CBS News
  • Cyberspies Penetrate U.S. Power Grid, Leave
    Software That Could Disrupt System
  • FOX News
  • Will a Smart Grid Repel or Open Doors to a Cyber
    Attack?
  • Wall Street Journal Blogs
  • Malware Infections Lurk in U.S. Electricity Grid,
    WSJ reports
  • PC World
  • Report: Cybercriminals have penetrated U.S.
    electrical grid
  • ComputerWorld
  • Put NSA in Charge of Cyber Security, Or the Power
    Grid Gets It
  • WiredNews

6
General Information on Data Analysis
  • Data for the next two slides on CIPs reporting is
    limited based on available data points at the
    time of the survey
  • Overall data was evaluated and extremely
    accurate, but data does not include issues such
    as company size or impact.
  • Size of the Company was not an available data
    point (i.e. 100MW BA MAY or may not be
    significant)
  • However, overall trends represent an accurate
    picture of December 31st, 2008 reporting
  • July 2009 CIPs surveys will add additional
    information to help identify facilities with
    minimal impact

7
Transmission Owners reporting Critical Assets

8
Generation Owners/Operators reporting Critical Assets

9
Items to Strongly Consider
  • How many of us have added new modular
    substations in the last few years?
  • What if someone got control of that one PC in
    the substation control house? (I have seen
    instances where it could control all breakers in
    the yard)
  • What happened recently when ONE technician
    disabled protection in a major substation for
    testing (definitely unintentional mistake)? What
    COULD happen if a knowledgeable person had the
    same ability, potentially over multiple
    substations?

10
Excerpt from CSO letter on 4/8/2009
  • as we consider cyber security, a host of new
    considerations arise. Rather than considering the
    unexpected failure of a digital protection and
    control device within a substation, for example,
    system planners and operators will need to
    consider the potential for the simultaneous
    manipulation of all devices in the substation or,
    worse yet, across multiple substations. I have
    intentionally used the word manipulate here, as
    it is very important to consider the misuse, not
    just loss or denial, of a cyber asset and the
    resulting consequences, to accurately identify
    CAs under this new cyber security paradigm.

11
Technical Feasibility Exception Process
  • IN PROGRESS!!!!!!!
  • Proposed Technical Feasibility Exception process
    (TFE)
  • Proposed process is a modification to the NERC
    Rules of Procedure Appendix 4D (compliance
    section)
  • Modeled after the Self Report of Non-Compliance
    with Mitigation Plan
  • Additional aspects from FERC Order 706
  • An Exception not an Exemption

12
TFE Proposal Overview
  • Applicable only to specific requirements in
    CIP-002 through CIP-009
  • Basis for TFE Approval
  • When Strict Compliance with the Applicable
    Requirement
  • Is not technically feasible
  • Is not operationally feasible
  • Is precluded by technical limitations
  • Could adversely affect the reliability of the
    Bulk Electric System to an extent that outweighs
    the reliability benefits of Strict Compliance
    with the Applicable Requirement
  • Software not yet designed or still in development
  • Limited availability of required equipment or
    components
  • Would pose safety risks or issues that outweigh
    the reliability benefits of Strict Compliance
  • Would conflict with, or cause the Responsible
    Entity to be non-compliant with a separate
    statutory or regulatory requirement that cannot
    be waived

13
Additional Conditions with TFE
  • Responsible Entity is required to implement and
    maintain an alternate approach to achieving
    compliance through the use of compensating and/or
    mitigating measures
  • TFE will typically be approved for a limited
    duration
  • Normally requires expiration date
  • Open-ended TFE allowed under limited conditions
    if justified, with periodic review to perpetuate
    TFE

14
TFE Submission
  • Separate submission for each TFE request
  • Can group multiple, similar Covered Assets into
    one submission
  • Same or multiple locations
  • Same basis for TFE
  • Same compensating and mitigating measures
  • Similar proposed Expiration Dates

15
TFE Information (preliminary)
  • Responsible Entity name
  • Contact information, including how NERC may
    arrange to view confidential information
  • Location of Covered Asset
  • Applicable Requirement
  • Narrative discussion of basis and analysis of
    compensating and mitigating measures, including
    how and to what extent the measures will reduce
    risk
  • List of confidential information to be reviewed
    onsite along with criteria to be an Eligible
    Reviewer
  • Proposed implementation and reporting schedule
  • If Expiration Date is longer than one year,
    proposed schedule for submitting reports to NERC
    on continuing need and justification for TFE;
    reports must be submitted at least annually
  • Statement, signed by the Sr. Manager,
    acknowledging that the Sr. Manager has read and
    understands the TFE request and recommends
    approval

16
TFE Review for Approval (Tentative)
  • Substantive Review for Approval/Disapproval
  • 60-day review period, can be extended
  • If not approved, disapproved, or extended within
    review period, TFE automatically disapproved
  • Will include approval or disapproval process with
    appeal

17
Deferred Violations/Penalties
  • Findings of Violations and Imposition of
    Penalties will be deferred during TFE Review
  • Deferment starts with acceptance as complete
  • Deferment ends with notice of approval or
    effective date of disapproval
  • Once TFE is approved, deferment continues as long
    as progress to Strict Compliance remains on
    schedule
  • Disapproval mitigation plan follows CMEP

18
TFE Revocation
  • TFE can be revoked if progress milestones not
    met, mitigation not maintained, or reports not
    submitted
  • TFE amendment can be requested if needed
  • No guarantee amendment will be accepted
  • NERC may initiate Revocation Investigation
  • Can revoke TFE; may become Alleged Violation
  • Can advance Expiration Date
  • Can impose additional requirements

19
TFE Completion
  • Notice Required to NERC
  • At least 30 days prior to Expiration Date
  • Signed and dated by Sr. Manager
  • Asserts Responsible Entity has or will be able to
    achieve Strict Compliance by Expiration Date
  • Audit of Strict Compliance included in next
    Compliance Audit, even if not originally planned
    in the audit program

20
TFE Procedure
  • TFE Procedure is proposed addition to NERC Rules
    of Procedure
  • Proposal out for industry comment
  • Comment period closes April 30, 2009
  • Proposal will be modified by NERC staff in
    response to industry comment received
  • Modified proposal approved by NERC Board of
    Trustees
  • Submitted to regulatory authorities for approval

21
TFE Procedure
  • Bottom line: still under review and development!!
  • (latest stakeholder comment period recently
    closed, more to come)

22
Questions