Critical Infrastructure Protection Committee (CIPC) Hyatt Regency Louisville Louisville, KY March 8-9, 2016

Critical Infrastructure Protection Committee (CIPC) Highlights...• Transmission & Distribution Utility • Regulatory Entity: Pennsylvania PUC. PPL Electric Utilities ... Completion


Page 1

Critical Infrastructure Protection Committee (CIPC)

Hyatt Regency Louisville, Louisville, KY

March 8-9, 2016

Page 2

2 RELIABILITY | ACCOUNTABILITY

Safety and Security

Hyatt Regency Louisville staff will provide guidance concerning fire and evacuation procedures for our safety.

Page 3

CIPC Voting Members and Attendees

• Wireless access is available:
  Network: PSAV_Event_Solutions
  Password: NERC0001

• Please sign and pass the Attendance Sheets

Page 4

Securing Our Assets

• 16,000 Transmission Substations
• 7098 Transmission Lines
• 1057 GW of Generation
• 334 million customers

Page 5

Antitrust Guidelines

I. General

It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment. Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another.

The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC’s antitrust compliance policy is implicated in any situation should consult NERC’s General Counsel immediately.

II. Prohibited Activities

Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):

• Discussions involving pricing information, especially margin (profit) and internal cost information and participants’ expectations as to their future prices or internal costs.
• Discussions of a participant’s marketing strategies.
• Discussions regarding how customers and geographical areas are to be divided among competitors.
• Discussions concerning the exclusion of competitors from markets.
• Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.
• Any other matters that do not clearly fall within these guidelines should be reviewed with NERC’s General Counsel before being discussed.

Page 6

Membership Expectations

Our CIPC Charter Section 3 states the following –

Voting members of the CIPC are expected to:

1. Bring subject matter expertise to the CIPC
2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector
3. Attend and participate in all CIPC meetings
4. Express their own opinions at committee meetings but also represent the interests of their Regions
5. Discuss and debate interests rather than positions
6. Complete assigned Committee, Task Force, and Working Group assignments
7. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance

Page 7

Conduct of the Meeting

Parliamentary Procedures: In the absence of specific provisions in NERC’s Rules of Procedure, all committee meetings shall be conducted in accordance with the most recent edition of Robert’s Rules of Order, Newly Revised in all cases to which they are applicable.

Page 8

Critical Infrastructure Protection Committee

Executive Committee:
• Joe Garmon, FMPA
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC

Business Continuity Guideline TF (Darren Myers)

Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)

Working Groups:
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control Systems Security WG (Mikhail Falkovich)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (VACANT)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)

Page 9

CIPC Primary Voting Members

Org | Name | Company | Discipline
TRE | David Grubbs – Executive Committee | City of Garland | Operations
TRE | (vacant) | | Cyber
TRE | Darrell Klimitchek | STEC | Physical
FRCC | Paul McClay | TECO | Cyber
FRCC | Carter Manucy | Fla Municipal | Physical
FRCC | Joe Garmon – Executive Committee | Seminole | Operations
MRO | Marc Child, Chair | Great River Energy | Cyber
MRO | Paul Crist | Lincoln Electric System | Physical
MRO | (vacant) | | Operations
NPCC | John Galloway – Executive Committee | ISO-NE | Operations
NPCC | Greg Goodrich | NYISO | Cyber
NPCC | David Cadregari | Iberdrola USA Networks | Physical
RFC | Larry Bugh | ReliabilityFirst | Cyber
RFC | (vacant) | | Operations
RFC | Jeff Fuller | DPL | Physical
SERC | Chuck Abell – Executive Committee | Ameren | Operations
SERC | Cynthia Hill-Watson | TVA | Cyber
SERC | Bruce Martin | Duke Energy | Physical
SPP | John Breckenridge | KCPL | Physical
SPP | Allen Klassen | Westar | Operations
SPP | Eric Ervin | Westar | Cyber
WECC | Allan Wick | Tri-State G&T | Physical
WECC | Mike Mertz | PNM | Cyber
WECC | Lisa Carrington | Arizona Public Service | Operations
APPA | Scott Smith | Bryan, TX Utilities | Physical
APPA | Nathan Mitchell, Vice Chair | APPA | Policy
CEA | Francis Bradley | CEA | Physical
CEA | Ross Johnson – Executive Committee | Capital Power | Physical
CEA | David Dunn | IESO | Policy
NRECA | Robert Richhart | Hoosier | Policy
NRECA | David Revill, Vice Chair | Georgia Transmission | Policy

Page 10

Proxies Received and Quorum

Thanks to all proxies attending today and serving as a proxy for your primary voting member!

Proxies received for this meeting:
• FRCC – Rich Kinas representing Paul McClay
• MRO – Michael Kraft representing vacancy left by Joe Mayfield
• NPCC – John Helme representing Greg Goodrich
• NPCC – Yan Hugues Boily representing David Cadregari
• RF – Mikhail Falkovich representing vacancy left by Kent Kujala
• SERC – Guy Andrews representing Bruce Martin
• SPP – Robert H. McClanahan representing Allen Klassen
• TRE – Amelia Sawyer representing vacancy left by Jim Brenton

Page 11

Proxies Received and Quorum

Announcement of CIPC Quorum of Voting Members:
• Based on the voting members in attendance, including the proxies received, we have achieved quorum for conducting CIPC business.

Page 12

CIPC Roster Changes

New Voting Members
• None

Vacancies of Voting Members:
• MRO (Operations), vacancy due to departure of Joe Mayfield, WAPA
• RF (Operations), vacancy due to retirement of Kent Kujala, DTE Energy
  – Mikhail Falkovich, PSE&G, pending NERC Board approval
• TRE (Cyber), vacancy due to retirement of Jim Brenton, ERCOT

Thank you for your service to CIPC!

Page 13

Chair’s Remarks by Marc Child

Page 14

Welcome to Louisville

Paul W. Thompson, Chief Operating Officer

NERC CIPC Meeting, Louisville, Kentucky - March 8, 2016

Page 15

Welcome to Louisville — LOO-a-vul
• Derby City/River City
• Gateway to the South
• Strategic Central US Location
• Key Transportation Hub — River, Highway, Air Cargo

2

Page 16

An Active River-Trading Town

3

Page 17

A Vibrant City . . . .

4

Page 19

Company Overview

Page 20

The Evolution of Our Company

7

Page 21

PPL Overview

PPL Electric Utilities
• Customers: 1.4 million Electric
• Transmission & Distribution Utility
• Regulatory Entity: Pennsylvania PUC

LG&E and KU Energy
• Customers: 0.9 million Electric; 0.3 million Natural Gas
• Vertically Integrated Utility
• Regulated Capacity: 8.1 GW
• Regulatory Entities: Kentucky PSC, Virginia SCC

Western Power Distribution
• Customers: 7.8 million Electric
• Distribution Utility
• Regulatory Entity: Ofgem

8

Page 22

Number of Customers: Over 10 Million

PPL Electric Utilities 1.4M

Western Power Distribution 7.8M

LG&E and KU 1.2M

9

Page 23

LG&E and KU: Broadening the Portfolio

• 800 MW Supercritical Coal (2010)
• 640 MW Natural Gas Combined Cycle (2015)
• 10 MW Solar Array (2016)

10

Page 24

Addressing Industry Challenges and the Importance of Physical and Cyber Security

Page 25

Industry Challenges

• EPA regulations driving retirements of coal-fired base load

• Fleet migration toward gas-fired assets

• Increased regional presence of intermittent and distributed generation resources

• Outcome of the litigation on the Clean Power Plan

12

Page 26

Physical and Cyber Security

• Changes the way “WE WORK”
  — Physical Attacks
  — Ted Koppel – “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath”
  — Ukraine outage
  — Drones

13

Page 27

Good luck with your important meetings!

Enjoy your stay in LOO-a-vul

Page 28

North American Electric Reliability Corporation Critical Infrastructure Protection Committee Meeting

March 8, 2016, Louisville, Kentucky

Resolution of Appreciation

WHEREAS, Mr. Robert Canada has professionally and skillfully served the needs of electric industry security as a NERC and Electricity Information Sharing and Analysis Center employee since October 2013, and has recently announced his retirement as of April 1, 2016; and

WHEREAS, He served as a voting member of the Critical Infrastructure Protection Committee during his tenure with Southern Company, rising to Vice Chair, and served on the SERC Critical Infrastructure Committee, and twice served as the Chairman of the Edison Electric Institute’s Security Committee; and

WHEREAS, His superb leadership has fostered significant and continuing progress on a broad range of physical security issues, drawing the absolute best technical and organizational focus from the committee members and stakeholders, not allowing less impactful issues to obscure his vision; and

WHEREAS, He continued to progress and enhance security through the targeted development and publication of security guidelines and initiatives that demonstrated the collective experience, expertise and judgment of the industry;

And Now, Therefore, be it

RESOLVED, That the members of the NERC Critical Infrastructure Protection Committee hereby express their sincere thanks, deep appreciation and gratitude to Mr. Canada, a respected colleague and distinguished electric industry security leader, and wish him the best in his future endeavors.

Be it Further

RESOLVED, That a copy of this resolution become part of the official permanent record of the NERC Critical infrastructure Protection Committee Minutes.

Page 29

1

E-ISAC Update

Marc Sachs, Senior VP & Chief Security Officer
Critical Infrastructure Planning Committee Meeting
March 8, 2016

Page 30

2

Summary of Q4 2015

• Sharing and reporting
  – 129 typosquatting notifications
  – 184 E-ISAC staff posts to the portal
  – 47 member responses to the portal items
  – 46 additional posts to the portal from members
  – 70 calls to the E-ISAC hotline
• Products
  – Weekly reports every Monday afternoon
  – Monthly reports started in October 2015
  – Daily reports started in January 2016
• Events
  – GridSecCon
  – GridEx III

Page 31

3

Summary of Q4 2015

• Staffing
  – Finished adding new staff
  – 21 in Washington office, one in Atlanta
• Facility
  – Renovations completed in summer 2015
  – New information technology equipment installation began in December
  – Completion of separation project expected by March 2016
• Member Executive Committee
  – Established in July 2015
  – Met by phone each month in fourth quarter
  – Two working groups actively working on strategic review recommendations

Page 32

4

2016 Plans

• Technology
  – Major portal improvements, including new look/feel, chat, ability to manipulate data, and increased private collaboration space
  – New email server separate from NERC
  – Malware/device lab
• Personnel
  – Formal technical training program for individuals and teams
  – Full-time person on NCCIC floor
  – Industry augmentation on the Watch floor
• Facility
  – Redesign Watch floor
  – TSCM (bug) sweep

Page 33

5

2016 Plans

• CRISP
  – Additional government analysis capability
  – New types of sensors and data collection
• Products
  – GridEx III Distributed Play lessons learned and Executive Tabletop recommendation reports
  – New daily one-page summary, and new annual report
• Events
  – Expand GridSecCon
  – Local/regional one-day physical and cyber security seminars
• Cross-sector and external partners
  – Vice-chair of US National Council of ISACs
  – International partners, such as CCIRC, CERT Australia, CERT UK, etc.

Page 34

6

Ukraine Event, December 23, 2015

• Power engineers at Ukraine’s Prykarpattyaoblenergo electric utility identified “failures in the robot” that provided control of the substation and power equipment.
• Over 225,000 customers throughout the region were without power for up to six hours.
• Once Prykarpattyaoblenergo discovered the effects of the malware, they shifted operations into manual mode to mitigate the outage.
• Investigation is ongoing.

Page 35

7

Page 36

1

Enhanced Background Investigation Screening
Travis Moran
Critical Infrastructure Planning Committee Meeting
March 8, 2016

Page 37

2

Enhanced

Page 38

3

ESCC Priority

November 16, 2015
From the Electricity Sub-Sector Coordinating Council (ESCC) Meeting Notes:

“Action Items and Summary of Conclusions

Enhanced Background Investigation Screening (EBIS) Working Group: Convene a working group that will determine methods for improving background investigations into personnel holding sensitive industry positions; including legal, human resources, and process issues. The Department of Energy (DOE) (Jim McGlone) and the Electricity Information Sharing and Analysis Center (E-ISAC) (Bob Canada) will co-lead facilitation of this working group. Owners: DOE, FBI, ESCC, and the E-ISAC. DHS participates.

Time Frame: The working group will be stood-up before the end of January 2016, and a representative of the group will provide a report at the next ESCC meeting.”

Page 39

4

Current Background Investigations

Industry Concerns Regarding Hiring Processes

• What industry background investigations are and what they are not:
  – Not a true nationwide check
  – Not comprehensive
  – Not universally required
  – Differ from company to company
  – Often conducted by human resources contractors
  – Often no or infrequent updates (contractor changes complicate updates)
  – No updating if subsequent arrests in between investigation periods

Page 40

5

What We Know

Through research and collaboration with FBI, DOE and NRC we know the following:

There is currently no national background check system or requirement for private electric sector critical infrastructure workers – NRC and the financial sector have requirements.

FDIC – 1000 Section §19, Prohibition For Unauthorized Participation by Convicted Individual: "Except with the written consent of the Corporation no person shall serve as a director, officer, or employee of an insured bank who has been convicted, or who is hereafter convicted of any criminal offense involving dishonesty or breach of trust.”

SEC § 240.17f-2, Fingerprinting of securities industry personnel: (a) Exemptions for the fingerprinting requirement. Except as otherwise provided in paragraph (a)(1) or (a)(2) of this section, every member of a national securities exchange, broker, dealer, registered transfer agent and registered clearing agency shall require that each of its partners, directors, officers and employees be fingerprinted and shall submit, or cause to be submitted, the fingerprints of such persons to the Attorney General of the United States or its designee for identification and appropriate processing.

Page 41

6

What We Know - Continued

1. FBI has criminal history repository via CJIS/NCIC
2. NRC has established procedures and requirements (10 CFR §73.57)
3. Fingerprints required for NRC applicants for unescorted access to FBI/CJIS
4. NRC licensee (entity) receives results and makes employment and access/denial decisions
5. NRC Backgrounds are authorized by legislation
6. Electric sector may require separate authorizing legislation
7. Legislation needs to be crafted by industry and tailored to industry’s needs
8. Will require a collaborative legislative effort (industry, FBI/CJIS, DoE)

Page 42

7

Nuclear Sector vs. Electric Sector

Nuclear Sector Backgrounds
• Initial hire background completed by entity or 3rd party provider then referred to nuclear process.
• Non-Critical Workers (Outside Protected Area): Credit; fingerprints for criminal history; initial drug test. Non-protected area updates every 5 years.
• Critical Workers (inside Protected Area): Fingerprints for criminal history; drug test; psychological exam. Updated every 3 years.

Electricity Sector Backgrounds
• Often performed by Human Resources via private contractors
• Credit and single source (state & surrounding states criminal history if any)
• Not a true nationwide check
• Some have further vetting – most do not

Page 43

8

FBI

Mission: To equip law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties.

History:
• Established in 1992 to serve as the focal point and central repository for criminal justice information services in the FBI.
• Largest division in the FBI.
• National Crime Information Center (NCIC)
• Uniform Crime Reporting (UCR)
• Integrated Automated Fingerprint Identification System (IAFIS)
• National Incident-Based Reporting System (NIBRS)

Page 44

9

FBI Databases

National Crime Information Center (NCIC) Database
An electronic clearinghouse of criminal history/crime data that can be tapped into by virtually every criminal justice agency nationwide, 24 hours a day, 365 days a year.

Person (criminal history) and Property Files:
• Known or Appropriately Suspected Terrorist (KST)
• Sentinel
• Foreign Fugitive
• Violent Person
• National Sex Offender Registry
• Gang
• Wanted Person & Terrorist Wanted Persons
• Immigration Violator
• Missing Person
• Protection Order
• Unidentified Person
• Protective Interest
• Identity Theft
• Supervised Release
• National Instant Criminal Background Check System (NICS)
• Property: Consists of mostly entered stolen or suspected stolen property

Page 45

10

Integrated Automated Fingerprint Identification System

What is included in IAFIS? Not only fingerprints:
• Corresponding criminal histories
• Mug shots
• Scars and tattoo photos
• Physical characteristics like height, weight, hair and eye color
• Aliases
• Linkage to Sentinel system
• Corresponding reciprocating countries

Page 46

11

Integrated Automated Fingerprint Identification System

Initial Application

Recertification & Rap-Back Program

IAFIS & NextGen is maintained by the FBI’s Criminal Justice Information Services (CJIS) Division in Clarksburg, WV.

https://www.ncjrs.gov/pdffiles1/nij/225326.pdf

Page 47

12

Breakout Groups

Operations: NERC, DOE, Dominion, CJIS, FBI, Exelon, Entergy, Southern Co.

Legal: NERC, DOE, Southern Co., NRC, Dominion, CJIS

Legislative/Policy: APPA, NERC, Southern Co., EEI, DHS, DOE, CJIS

Page 48

13

Page 49

Physical Security Program

Bob Canada, Associate Director, Physical Security and Analysis

Page 50

2

Topics Covered

• Beyond Mandatory Reporting!
• Physical Security & Analysis Team Activities & Projects
  – Reporting
  – Physical Security Advisory Group
  – Design Basis Threat (DBT)
  – Enhanced Background Investigation Screening

Page 51

3

What is the Status of Physical Security for the BES?

Over 55,000 substations over 100 kV!

Page 52

4

Beyond Mandatory Reporting for Information Sharing

Page 53

5

Impacts of Weak Information Sharing

• Greater Risk to BES!
• Isolation of Informed Entities!
• Lack of Actionable Information!
• Redundancies of Information Gathering!
• Wasted Resources and Funding!
• Delay of Pre-Attack Prevention Opportunities!
• Potential loss of life and BES Reliability!

Page 54

6

Sharing Partnerships

Page 55

7

Can we agree?

• Dynamic sharing among members can mitigate the rise of threats to the BES
• The Electricity Sector is at the forefront of vulnerability of U.S. economic stability
• Reporting critical and timely information can help protect the BES
• Strengthens existing partnership between private and public sector
• Question: Have you shared information with the E-ISAC?

Page 56

8

E-ISAC Projects and Initiatives

PS Bulletins 2015
• June – Unmanned Aircraft Systems – Posted
• July – Incident Reporting Guide – Posted
• Aug – Suspicious Activity and Surveillance Detection – Posted
• Aug – Update to June bulletin on Unmanned Aircraft Systems – Posted
• Sept – Suspicious Activity and Surveillance Detection Activity Reporting – Posted
• Oct – Tabletop Exercise Template for Industry to use for Law Enforcement training – Posted
• Nov – Terrorism Trends Overseas – Posted

Page 57

9

Design Basis Threat (DBT)• Completed NERC Legal and External Communications reviews• Received NERC CEO Gerry Cauley Review without changes• Announcement & Web Portal Posting – This week!Enhanced Background Investigation Screening• Working Group breakout Meetings Jan 18th and Feb 18th • Recommendations due by April 1st to ESCC Agenda• ESCC Meeting on May 2nd

E-ISAC Projects and Initiatives

What are we seeing from your reports and sources?

Reports to E-ISAC

What’s getting reported?

Shooting Incidents
• 230kV insulators
• 115kV gang switch
• Control building
• 69/12kV transformer regulator

Break-Ins
• Undisclosed facility type. Cut barbed wire, nothing stolen
• Substation. Cut fences, grounds stolen
• Undisclosed facility type. Cut gate lock, tools stolen from pickup truck
• Substation control house. Lock missing, copper stolen
• Undisclosed facility type. Remote location, video confirmed there was unauthorized access

What’s getting reported? (cont.)

Suspicious Activity
• Photography of a substation
• Photography of a generating station (2 separate incidents)
• Photography of an LNG facility
• Threatening phone call

Reports from Entities

End of Year Report Stats:

Are you getting our Reports? If not, have you set your Notifications?

International Terrorism Trends

Being able to identify, detect, and respond to terrorism trends and tactics is a crucial piece of the Electricity Subsector security posture. To provide asset owners and operators with a complete picture of current threat trends and tactics, the E-ISAC reviewed relevant international terrorism data and concluded that transmission and distribution towers overseas continue to be a significant target for various governmental and political adversaries.

Overall, the analysis revealed that:
• 158 attacks occurred against electricity infrastructure internationally in 2014
• 80 percent of these attacks were against transmission towers or lines
• The remaining attacks were against power stations or administrative buildings
• The primary tool of attack was explosives

Physical Security Advisory Group (PSAG)

PSAG Members

1. Ross Johnson, Capital Power
2. Allan Wick, Tri-State G & T
3. John Breckenridge, KCP&L
4. David Godfrey, Garland P&L
5. William Whitney III, Garland P&L
6. Jim McGlone, DoE Liaison
7. Bob Canada, Associate Director, Physical Security & Analysis – E-ISAC
8. Travis Moran, Sr. Security Specialist – E-ISAC
9. Max Spector, Security Specialist – E-ISAC
10. Brian Harrell (Navigant)
11. Dan Jenkins, Dominion
12. Ben Mayo, DHS (ES Liaison)
13. John Large, FP&L (EEI Security Committee)
14. Mike Hagee, SERC
15. Michael Lynch, DTE
16. Bruce Martin, Duke
17. Jim Spracklen, PNNL
18. Norma Brown, Ameren
19. Barry Page, C4S2 Global
20. Louie Dabdoub, Entergy
21. Marc Sachs, Sr. VP and CSO, E-ISAC

PSAG Projects

1. Design Basis Threat (DBT)
2. Enhanced Background Investigation Screening

PSAG Project #1: Design Basis Threat (DBT)

Another Tool for Industry Use!

Project Progress

1. PSAG initial meeting March 9-10 – pushed as a top priority
2. DBT Workshop Sept 1-3
3. DBT final research completed with DoE Intelligence
   – Determine explosive amounts?
   – VBIED inclusion?
   – Type of insider threat?
4. DoE requested that our DBT comparison be completed
5. Final draft to be completed by the PSAG this week
6. Received NERC CEO approval Feb 23
7. Publish on the E-ISAC Portal for Members

What is a Design Basis Threat?

• The DBT is used to determine the level of appropriate and cost-effective physical protection measures required to protect against malicious acts (e.g., theft or sabotage)

• It is based on conservative assumptions that establish the magnitude of adversary force that the site's protective systems should be designed to defeat, expressed in terms of the number of adversaries and their capabilities

What is a Design Basis Threat? (cont.)

• Answers the question: "What are we protecting against?"
• Development of potential adversary scenarios
• Analysis of the physical protection system (PPS) to determine its effectiveness
• Identifying vulnerabilities of the PPS
• Improving the system and prioritizing upgrades
• Assessing risk and the cost-benefit tradeoffs

What is a Design Basis Threat? (cont.)

The DBT uses a graded threat approach (protect pencils like pencils and gold like gold). This takes into account factors such as:
• Attractiveness of the asset and the consequence of its loss
• Whether there are redundancies or ways to work around the loss
• Assets are identified and then prioritized into Asset Protection Levels
• Reach consensus on realistic and credible threats against the US power grid (consistent approach)
  – Critical HV transformers
  – Other critical nodes / infrastructure
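As an added illustration of the graded approach (this is not the E-ISAC DBT, whose content is published on the E-ISAC portal), the following models assets with the factors the slide names, attractiveness, consequence of loss, and whether a workaround exists, and assigns hypothetical Asset Protection Levels. The 1-5 scales, the redundancy discount, the APL score bands and the sample assets are all assumptions for illustration; the real DBT expresses protection in terms of adversary numbers and capabilities, which this example does not attempt to reproduce.

```python
"""Graded asset prioritization in the spirit of "protect pencils like
pencils and gold like gold".  Added example; scales, thresholds and
sample assets are hypothetical, not values from the E-ISAC DBT."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    consequence: int     # hypothetical 1..5: impact on BES reliability if lost
    attractiveness: int  # hypothetical 1..5: appeal of the asset to an adversary
    redundant: bool      # True if a spare or alternate path works around the loss


def _check_scale(asset: Asset) -> None:
    """Reject scores outside the assumed 1..5 scale instead of silently ranking them."""
    for value in (asset.consequence, asset.attractiveness):
        if not 1 <= value <= 5:
            raise ValueError(f"{asset.name}: scores must be in 1..5, got {value}")


def effective_consequence(asset: Asset) -> int:
    """Consequence of loss, discounted (assumed: by 2 points, floor 1) when a workaround exists."""
    _check_scale(asset)
    if asset.redundant:
        return max(1, asset.consequence - 2)
    return asset.consequence


def risk_score(asset: Asset) -> int:
    """Graded score 1..25 combining effective consequence with attractiveness."""
    return effective_consequence(asset) * asset.attractiveness


def protection_level(asset: Asset) -> str:
    """Map the score onto hypothetical Asset Protection Levels; APL-1 gets the most protection."""
    score = risk_score(asset)
    if score >= 15:
        return "APL-1"
    if score >= 8:
        return "APL-2"
    return "APL-3"


def prioritize(assets):
    """Rank assets for protection investment, highest score first, ties broken by name."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a), protection_level(a)) for a in ranked]


# Constructed sample inventory (not from the slides).
SAMPLE_ASSETS = [
    Asset("500kV transformer, no spare", consequence=5, attractiveness=4, redundant=False),
    Asset("500kV transformer, spare on site", consequence=5, attractiveness=4, redundant=True),
    Asset("Substation control house", consequence=4, attractiveness=3, redundant=False),
    Asset("Distribution substation, looped feed", consequence=3, attractiveness=2, redundant=True),
]

if __name__ == "__main__":
    for name, score, level in prioritize(SAMPLE_ASSETS):
        print(f"{level}  score={score:>2}  {name}")
```

The point the example makes is the one in the slide's second bullet: the same transformer drops from APL-1 to APL-2 once a spare on site lets operations work around its loss, so protection spend follows consequence rather than asset type.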

PSAG Project #2: Enhanced Background Investigation Screening

Project Progress

1. Born from initial discussions with PSAG members, the FBI and the E-ISAC's PSAT.
2. Nov 6 meeting (FBI, DHS, DoE, NRC, Dominion, Entergy, Kansas City Power & Light, and FP&L in attendance).
3. The ESCC gave its approval to form a smaller group.
4. First meeting in January 2016. Charged to come back with recommendations and a project planning strategy.

Possible Impact

1. The FBI could conduct additional screening measures against additional terrorism databases
2. Incorporate the enhanced screening of new employees
3. Incorporate a refresher background check every 3-5 years
4. Incorporate an Insider Threat Mitigation strategy across the industry
5. Incorporate additional screening across other sectors (i.e., telecommunications, water and finance)

What Can YOU Do to Help the Security of the Industry?

It’s Your Job too!

1. Inform your company of, and gain its acceptance of, the NERC Code of Conduct.
2. Move past corporate fear and regulatory-avoidance strategies with regard to voluntary reporting.
3. Get beyond the mandatory reporting paradigm.
4. Contribute to Bulk Power System situational awareness!
5. Understand that every little piece of intelligence helps!
6. Entrust partners to share their resources.

Figure: Resource Strengths – Knowledge of Threats – Best Information Sharing Practices

Register a user account on the portal today at: https://www.eisac.com/register.aspx

General Contact: [email protected]
24-hour hotline: (404) 446-9780

Do your company’s Physical and Cyber SMEs have an E-ISAC membership?

If not, why not?

34 Years!

CIP Compliance Update

CIPC Update
Tobias Whitney, CIP Compliance Manager
March 2016

Topics
• Issues transferred to the CIP V5 Revisions Standard Drafting Team
• SDT next steps: industry issues, FERC directives
• Oversight and Outreach: Self-Certs (V5, CIP-014)
• Next Steps and Q&A

NERC’s Coordinated Approach

Figure: Standards, Compliance, and Coordination and Oversight; participants SDT, REs, NERC – “aware, informed and engaged”

CIP V5 Transition Advisory Group (V5TAG)

• On November 22, 2013, FERC approved CIP V5
• In 2014, NERC initiated a program to help industry transition from the CIP V3 standards to CIP V5
• The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP V5, as well as the expectations for compliance and enforcement
• CIP V5 Transition Program website: http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

CIP V5 Transition Advisory Group (V5TAG) (cont.)

• V5TAG’s role and composition
  – Regional Entity participants
  – Registered Entity participation
  – NERC and FERC
• Consensus building through collaboration
  – Over 40 CIP V5 related topics addressed
    o Lessons Learned
    o Frequently Asked Questions
    o 4 topics transferred to the SDT

CIP V5 Transition Advisory Group (V5TAG) (cont.)

• Recognition that standards development was needed for some issues that could not be resolved through compliance guidance
• Enhanced coordination with compliance and enforcement for topics being addressed via standards development
  – Facts and specific circumstances will dictate whether violations will be identified to address areas of noncompliance for the related topics
  – Regional Entities will use Areas of Concern and Recommendations to help identify risks associated with specific implementations
  – Feedback from industry will be used to help guide standards development activities

Cyber Asset and BES Cyber Asset Definitions

• The SDT should consider the definition of Cyber Asset and clarify the intent of “programmable”
• The SDT should consider clarifying and focusing the definition of “BES Cyber Asset”, including:
  – Focusing the definition so that it does not subsume all other cyber asset types
  – Considering whether there is a lower bound to the term ‘adverse’ in “adverse impact”
  – Clarifying the double impact criteria (the cyber asset affects a facility, and that facility affects the reliable operation of the BES) such that “N-1 contingency” is not a valid methodology that can eliminate an entire site and all of its Cyber Assets from scope

Network and Externally Accessible Devices

• The SDT should consider the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA), including:
  – Clarify the 4.2.3.2 exemption phrase “between discrete Electronic Security Perimeters.” When there is not an ESP at the location, consider clarifying that the communication equipment considered out of scope is the same communication equipment that would be considered out of scope if it were between two ESPs
  – The word ‘associated’ in the ERC definition is unclear in that it alludes to some form of relationship but does not define the relationship between the items. Striking ‘associated’ and defining the intended relationship would provide much needed clarity

Network and Externally Accessible Devices (cont.)

• The SDT should consider the concepts and requirements concerning Electronic Security Perimeters (ESP), External Routable Connectivity (ERC), and Interactive Remote Access (IRA), including:
  – Review of the applicability of ERC, including the concept of the term “directly” used in the phrase “cannot be directly accessed through External Routable Connectivity” within the Applicability section. As well, consider the interplay between IRA and ERC
  – Clarify the IRA definition to address the placement of the phrase “using a routable protocol” in the definition and clarity with respect to Dial-up Connectivity
  – Address the Guidelines and Technical Basis sentence, “If dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies.”

Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations

• CIP-002-5.1, Attachment 1 Control Center criteria, for additional clarity and for possible revisions related to TOs’ Control Centers performing the functional obligations of a TOP, in particular for small or lower-risk entities
• Clarify the applicability of requirements on a TO Control Center that performs the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES
• The definition of Control Center
• The language scope of “perform the functional obligations of” throughout the Attachment 1 criteria

Virtualization

• The CIP V5 standards do not specifically address virtualization
• The SDT should consider revisions to CIP-005 and to the definitions of Cyber Asset and Electronic Access Point that make clear the permitted architecture and address the security risks of network, server and storage virtualization technologies

Standards, Compliance, and Oversight and Consistency (figure)

• Standards: standards revisions, FERC Order No. 822 and new directives, supply chain
• Compliance: ERO monitoring of V5 and CIP-014 (related parts), FERC-led audits
• Oversight and consistency
• NERC coordination and outreach

FERC Order No. 822

• Approved revisions to seven CIP Reliability Standards
• Directed NERC to develop modifications to address:
  – Transient electronic devices
  – Communication network components between control centers
  – Low-impact external routable connectivity
• The effectiveness of remote access controls
• Does not address supply chain management

Self-Cert (V5 and CIP-014)

• Looking for quantities of assets (not cyber assets)
• Information will support effective scoping of compliance monitoring
• Do not provide the specific location of related sensitive information
• Use comment fields to provide additional clarity when needed
• CIP-014 Self-Certs are due on May 2
• V5 Self-Certs are due on July 15

© 2016 Electric Power Research Institute, Inc. All rights reserved.

Cyber Security Program Overview

March 7, 2016

Jason Christopher, Sr. Technical Leader
[email protected]


Cyber Security Research Lab

• Evaluate security architectures
• Develop new situational awareness capabilities
• Test identity and access management technologies
• Improve threat management and incident response

Cyber Security Technology (P183B)

Protective Measures Technology
• Security & System Monitoring with IEC 62351-7
• DNP3 Secure Authentication v5

Threat Management Technology
• Integrated Threat Analysis Framework
• IDS/IPS for Power Delivery Systems

Information Assurance (P183D)

• Security Architecture Methodology
• Cyber Security Metric Methodology
• Cyber Security Compliance Tools and Techniques

P183D – Risk Management Guidance

Security Metrics Methodology

Strategic
• Corporate risk and business alignment
• “One number,” heat map, infographic, etc.

Tactical
• Programmatic health and progress
• Scorecards and audits

Operational
• Real-time, day-to-day measurements
• Logs, rules, signatures, etc.
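The three tiers say what each level measures but not how operational measurements become a tactical scorecard and then one strategic number. The following is an added illustration of that roll-up (it is not EPRI code or EPRI's methodology): it parses constructed sshd-style log lines and a constructed patch-age inventory into operational metrics, applies hypothetical thresholds to produce a RED/AMBER/GREEN scorecard, and combines the scorecard with hypothetical weights into a single score. The hostnames, addresses, thresholds and weights are assumptions.

```python
"""Operational -> Tactical -> Strategic metric roll-up.  Added example;
the log lines, inventory, thresholds and weights are constructed."""
import re
from collections import Counter

# Constructed sample auth log (assumption: syslog-style sshd lines).
AUTH_LOG = """\
2016-03-07T08:01:12 ems-gw sshd[1201]: Failed password for invalid user admin from 10.10.5.23
2016-03-07T08:01:15 ems-gw sshd[1201]: Failed password for invalid user admin from 10.10.5.23
2016-03-07T08:01:19 ems-gw sshd[1201]: Failed password for invalid user admin from 10.10.5.23
2016-03-07T08:02:40 ems-gw sshd[1204]: Accepted publickey for operator from 10.10.2.7
2016-03-07T09:15:03 hmi-02 sshd[771]: Failed password for root from 10.10.5.23
2016-03-07T09:15:09 hmi-02 sshd[771]: Failed password for root from 10.10.5.23
"""

# Constructed patch inventory: host -> days since last security patch.
PATCH_AGE_DAYS = {"ems-gw": 12, "hmi-02": 60, "hist-01": 40}

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)

# Hypothetical thresholds and weights.
BRUTE_FORCE_MIN_FAILURES = 3   # failures from one source that count as brute force
PATCH_OVERDUE_DAYS = 30        # a host older than this is overdue
PATCH_CRITICAL_DAYS = 90       # a host older than this makes the area RED
RATING_SCORE = {"GREEN": 100, "AMBER": 60, "RED": 0}
WEIGHTS = {"access_control": 0.6, "patch_management": 0.4}


def operational_metrics(auth_log, patch_age):
    """Operational tier: raw measurements extracted from logs and inventory."""
    failures_by_src = Counter()
    for line in auth_log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures_by_src[m.group("src")] += 1
    return {
        "failed_logins": sum(failures_by_src.values()),
        "brute_force_sources": sorted(
            src for src, n in failures_by_src.items() if n >= BRUTE_FORCE_MIN_FAILURES
        ),
        "hosts_patch_overdue": sorted(h for h, d in patch_age.items() if d > PATCH_OVERDUE_DAYS),
        "max_patch_age_days": max(patch_age.values()),
    }


def tactical_scorecard(ops):
    """Tactical tier: programme-health rating per control area (the heat-map colours)."""
    if ops["brute_force_sources"]:
        access = "RED"
    elif ops["failed_logins"]:
        access = "AMBER"
    else:
        access = "GREEN"

    if ops["max_patch_age_days"] > PATCH_CRITICAL_DAYS:
        patching = "RED"
    elif ops["hosts_patch_overdue"]:
        patching = "AMBER"
    else:
        patching = "GREEN"
    return {"access_control": access, "patch_management": patching}


def strategic_score(scorecard):
    """Strategic tier: the "one number", a weighted 0..100 roll-up of the scorecard."""
    return round(sum(RATING_SCORE[rating] * WEIGHTS[area] for area, rating in scorecard.items()))


if __name__ == "__main__":
    ops = operational_metrics(AUTH_LOG, PATCH_AGE_DAYS)
    card = tactical_scorecard(ops)
    print(ops)
    print(card)
    print("strategic score:", strategic_score(card))
```

Each tier keeps the detail the tier below needs to explain it: an executive seeing the single score can be walked down to the RED access-control rating and from there to the source address that produced five failed logins, which is what makes a roll-up defensible in an audit rather than decorative.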


Legislative Update

Critical Infrastructure Protection Committee
March 8, 2016

Nathan Mitchell, American Public Power Association

Fixing America's Surface Transportation (FAST) Act 2015

• Provides the Secretary of Energy with the authority to address grid security emergencies
• DOE should develop a plan to establish a Strategic Transformer Reserve
• The plan should address impacts from physical attack, cyber-attack, electromagnetic pulse attack, geomagnetic disturbances, severe weather, or seismic events
• The plan must also include cost estimates and funding options

Cybersecurity Information Sharing Act of 2015

• DHS must certify that the automated indicator sharing (“AIS”) program is in place and running by March 17
• Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
• Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
• Privacy and Civil Liberties Interim Guidelines

Energy Policy Act Revisited

• Stalled last month due to the Flint, Michigan water disagreement
• Restarted this week with a moderate possibility for movement and possible approval this Congress
• More to come

Electricity Sector Coordinating Council (ESCC)

Critical Infrastructure Protection Committee
March 8, 2016

Nathan Mitchell, American Public Power Association

ESCC Strategic Committees and SEWG Sub-Team Updates

ESCC Leadership & Secretariat
• Ukraine: DHS and the E-ISAC worked together to analyze the outage and provide a mitigation strategy for the industry.
• The ESCC was called in to provide unity of message across the industry: raise this to the CEO level and make sure the electricity industry takes notice and takes action.
• In response to Ukraine, DHS NPPD has taken the initiative of drafting a “unity of message” document that highlights industry-government grid security efforts to inform media interviews, speaking engagements, and other public statements.

Government-Industry Coordination Committee
• Cyber Mutual Assistance: new working group formed
• Playbook Working Group: update after the GridEx III report
• Clear Path IV Exercise: the April exercise in Portland informs the Cascadia Rising exercise in June
• Supply Chain Security: Energy Sector and Critical Manufacturers Working Group (ESCMWG), a joint partnership between the energy sector and the critical manufacturing sector
• Enhanced Background Investigation Services Working Group: policy paper to the ESCC by May
• DOE Transformer Reserve proposal analysis

Threat Information Sharing & Processes Committee
• E-ISAC Member Executive Committee: on March 17, the MEC will hold its next in-person meeting to discuss key findings of the E-ISAC products, services, and tools reviews and outline ways for the E-ISAC to continue improving its value to members

Leveraging Infrastructure / Research & Development Committee
• Electromagnetic Pulse (EMP) Taskforce: the taskforce will develop or build upon existing efforts in the public and private sector to better understand the threat and existing mitigation strategies, identify additional measures that can be developed, tested, and deployed to address the EMP threat, and inform EMP messages to external stakeholders

Confirmed Calendar of Events / Conference Calls
• SEWG Monthly Call: Monday, March 28, 2-3pm EST
• Enhanced Background Investigation Screening (EBIS) Working Group: morning of Thursday, March 17 (NERC DC offices)
• E-ISAC Member Executive Committee: afternoon of Thursday, March 17 (NERC DC offices)
• Cybersecurity Mutual Assistance Task Force: webinars (March 1, 7 and 23); in person in Denver, CO, April 4-5
• ESCC Plus 1 Meeting: Monday, April 11, 9:30am-3:00pm (EEI - DC)
• ESCC Playbook Working Group Meeting: Tuesday, April 12, 9am-1pm (EEI - DC)
• Clear Path IV and Cascadia Rising Exercises: Portland, OR, April 19-20
• Cascadia Rising exercise scheduled for June 7-10 in the Pacific Northwest

GridEx III Update

Tim Conway, GEWG Chair
NERC CIPC
Louisville, Kentucky
March 8, 2016
Agenda

• Distributed Play and Executive Tabletop
  – Participation
  – Objectives
  – Observations
  – Recommendations

Distributed Play Participation
Figure: Coordination with Government and Trade Associations

ExCon (GridEx III Exercise Control): NERC staff, GEWG, Booz Allen, National Labs, SMEs for the Sim-cell, etc.

• Bulk-Power System Entities – Coordinated Operations: Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc.
• Vendor Support: IT, ICS, ISP, anti-virus
• Local, State/Provincial Government: Emergency Management Organizations; Emergency Operations Centers / Fusion Centers; local FBI, PSAs
• E-ISAC – Electricity Information Sharing & Analysis Center
• NERC Crisis Action Team; NERC Bulk Power System Awareness (BPSA); Regional Entities
• DOE – Department of Energy; DHS – NCCIC, ICS-CERT, US-CERT
• Other Federal Agencies – US: FBI, FERC, DOD; Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC
• Executive Coordination – Electricity Sub-sector Coordinating Council (ESCC); Energy GCC; other SCCs
• Other Critical Infrastructures – Telecommunications, Oil & Gas, others
• Communications

Communications
Objectives Achieved?

• Exercise crisis response and recovery
  – 133 more organizations and 800+ more individuals than in GridEx II
  – More CEH hours for system operators and others
  – Increase in exercise response rated ‘Well’ and ‘Very Well’: cyber (84%), physical (92%), and operational response (98%)
• Improve communications
  – ‘Very Well’ increased by at least 14% in all areas
  – Opportunity to increase involvement of other critical infrastructure sectors for GridEx IV
• Identify lessons learned
  – Opportunity for improvement: about 22% of active organizations shared lessons learned with NERC
• Engage senior leadership
  – Many organizations involved their senior management and crisis teams
  – Executive tabletop
Observations and Recommendations

1. Coordinated response and communication
   – Enhance internal communications procedures documentation
   – For future exercises, test alternate communications facilities
2. Reporting mechanisms (OE-417, EOP-004, CIP-008, etc.)
   – Improve reporting efficiency and effectiveness, eliminate redundancies
3. Active participation of system operators
   – For future exercises, continue to encourage the active participation of Reliability Coordinators with entities in their area
   – For future exercises, continue to encourage integration of cyber and physical security impacts with power system operation

Observations and Recommendations

4. E-ISAC information sharing
   – Continue to enhance E-ISAC portal (e.g., easier user search for urgent and important information)
   – Continue to develop Watch Operations Team capabilities
   – Design next GridEx to include a more credible, limited-scope scenario to demonstrate E-ISAC analysis capability
   – Design next GridEx to include a more realistic ‘Move 0’ scenario to simulate emerging threat, detection, and analysis
5. Introduction of new exercise tools
   – Improve scenario inject distribution mechanism
   – Improve volume/capacity and test well in advance of next exercise
   – Include notification feature to alert users of new postings to social media tool

Observations and Recommendations

6. Advance exercise planning timelines
   – Begin planning earlier (e.g., September for an exercise in November the following year)
   – Continue to encourage participants to customize scenario to meet local objectives, consistent with baseline scenario and Reliability Coordinator involvement
   – Develop player training material earlier for lead planners to deliver to their own players (not NERC)
7. After action survey and lessons learned
   – Use similar after action survey questions for next GridEx
   – Determine and address reasons for apparent reluctance of participants to share lessons learned with NERC

Executive Tabletop Participants

• Participants
  – Facilitated by a member of the President’s National Infrastructure Advisory Council
  – 17 NERC and utility senior executives
  – 15 senior government officials (from the White House, DOE, DHS, FEMA, DOD, NSA, FBI, National Guard)
• Observers
  – About 70 individuals from participating organizations observed and provided feedback

Executive Tabletop Recommendations

• Three discussion themes in the context of a severe electricity emergency
  – Unity of messaging: how the industry and government receive and share information with each other and the public (7 recommendations)
  – Unity of effort: how the industry and government could improve coordination and sharing of resources (6 recommendations)
  – Extraordinary measures: how the industry and government could consider regulatory and legislative needs to support timely recovery (10 recommendations)
• Executive Tabletop report by March 2016


A Long-Term View

November 15-16

Tentative Timeline

[Figure: GridEx IV planning timeline; labels recovered from the slide]

Working Group phases: Initial Planning Phase, Mid-term Planning Phase, Final Planning Phase, Conduct, After Action

Milestones:
• Kick-Off at CIPC Meeting (March 2016): confirm goals & objectives, finalize timeline, discuss outreach goals/plan
• C&O Meeting (June 2016 CIPC)
• IPC (September 2016 CIPC)
• MPC (March 2017 CIPC)
• FPC (June 2017 CIPC)
• Execute GridEx IV (November 15-16)
• Deliver AAR (Q1 2018)
• Planner logistics and planning: 3-4 months

Working Group activities (in slide order):
• Establish Working Group Members
• Establish Mail list
• GridEx Awareness
• Initiate outreach
• Shape scenario themes
• Confirm exercise mechanics
• Craft scenario narrative
• Develop materials
• Confirm participation
• Oversee distributed play
• Facilitate senior TTX
• Capture player actions and findings
• Analyze findings and lessons learned
• Draft After Action Report and Briefing
• Finalize MSEL
• Conduct training
• Distribute player materials
• Set up venue and logistics


Nomination Form


Self-Nomination and Recommendation Form: CIPC Subgroup (TF or WG) Member

Name of the Subgroup: Grid Exercise IV Working Group

Information about you, serving as reference (Please skip this section and go to #7 if you are self-nominating)

1. Name: Your first and last name.
2. E-mail Address: Your email address.
3. Phone Number: Your phone number.
4. Employer: Who you work for or represent.
5. OC/PC/CIPC Member: Are you an OC, PC or CIPC member? __ Yes __ No
6. NERC Membership sector, if applicable: If your employer is a NERC member, select their NERC membership sector. If not, select “Not a NERC member.”

Information about you for self-nomination or the person you are recommending

7. Name: Nominee’s name.
8. E-mail Address: Nominee’s e-mail address.
9. Title: Nominee’s business title.
10. Employer: Who the nominee works for or represents.
11. Mailing Address: Nominee’s business address.
12. Phone: Nominee’s business phone number.
13. GEWG Alumni: Did you participate in the GridEx Working Group for GridEx II or GridEx III? __ Yes __ No
14. GridEx Alumni: Were you a player / planner in the GridEx I, GridEx II, or GridEx III exercises? __ Yes __ No
15. OC/PC/CIPC Member: Is the nominee an OC, PC or CIPC member? __ Yes __ No
16. Willingness to Serve: The nominee is willing to:
    a. Bring subject matter expertise to the subgroup.
    b. Attend and participate in all subgroup meetings.
    c. Express their opinions as well as the opinions of the sector/subgroup meetings.
    d. Discuss and debate interest rather than positions.
    e. Complete subgroup assignments.
    __ Yes

17. Job Description: Explanation of the nominee’s responsibilities and technical qualifications in sufficient detail.
18. Reason for joining the subgroup: Explanation of why the nominee wants to join the subgroup.
19. Additional Information: Additional information about the nominee that would help the committee chair(s) decide to appoint this person.
20. GridEx IV Specific Information: Participation level you anticipate your organization will have in GridEx III (None, Monitor / observer, Full Player)

How to Submit this Form: E-mail this form as an attachment to the following:

E-mail to: Tim Conway – Chair ([email protected])
Copy to: Bill Lawrence ([email protected]), Joe Garmon ([email protected])

Business Continuity Guideline Task Force (BCGTF) Update

Assignment
• Guided by the recommendations from the GridEx II Distributed Play Report
• Tasked to estimate surge staffing requirements in the event of a nationwide crisis, considering sources of support in a resource-constrained environment

Analysis
• Determining thresholds for surge resources is a plan-level detail
• The context of the existing guideline is intended as a framework for identifying steps associated with developing operational continuity plans

Proposed update
Severe events have the potential to interrupt the reliable supply of electricity and cause consequential public safety and national security implications. Utilities should consider surge resource requirements prior to a crisis and consider potential sources of support in a resource-constrained environment.

Recommendations from CIPC on next steps?

Business Continuity Guideline Task Force (BCGTF) Team Members

Thanks to:
• Jim Brenton – ERCOT (Sponsor)
• Darren Myers – Duke Energy (Chair)
• Laura Brown – NERC
• Mike Elrod – Oglethorpe Power
• Dave Francis – MISO Energy
• Carter Manucy – Florida Municipal Power Association
• Trey Melcher – E.ON Climate & Renewables
• Anil Mistry – ERCOT
• David Norton – FERC
• Laura Ritter – Exelon

Physical Security WG

Ross Johnson, CPP

Design Basis Threat Security Management Guideline for the Electricity Sector

Activities

Design Basis Threat

A DBT is a comprehensive description of the motivation, intentions and capabilities of potential adversaries against which protection systems are designed and evaluated. Such definitions permit security planning on the basis of risk management. A DBT is derived from credible intelligence information and other data concerning threats, but is not intended to be a statement about actual, prevailing threats.

Security Management Guideline for the Electricity Sector

• Writing has commenced
• The writing team has been recruited from the membership of the PSRG
• The product is one that has been recognized by the PSAG as needed by industry, and will eventually be released through the E-ISAC
• Three sections left to populate, then detailed review will commence
• We are at 35 pages so far

Security Management Guideline for the Electricity Sector (Continued)

Sections include:
• Introduction
• Definitions
• External References
• Security Management Program
• Security Risk Management
• Design Basis Threat
• Physical Security
• Information Security

Security Management Guideline for the Electricity Sector (Continued)

Sections include (continued):
• Industrial Control Systems Security
• Security Information Sharing and Communications
• Security Incident Investigation
• Training and Awareness
• Regulatory Compliance
• Change Management
• Continuous Improvement

Questions?

Threat & Incident Reporting Guideline (TF) Update - March 2016

John Breckenridge, CPP

How we fit in!

[Figure: CIP Committee Structure org chart; labels recovered from the slide]

CIPC Executive Committee

Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cyber Security Subcommittee (Mark Child)
• Operating Security Subcommittee (Carl Eng)
• Policy Subcommittee (Nathan Mitchell)

Working Groups and Task Forces:
• Protecting Sensitive Information TF
• Physical Security Event Analysis WG (joint w/ OC & PC)
• Physical Security Training WG
• Control System Security WG
• Cyber Security Analysis WG (joint w/ OC & PC)
• Cyber Security Training WG
• Information Sharing TF
• HILF Implementation TF
• Grid Exercise WG
• Cyber Attack Tree TF
• BES Security Metrics WG
• Personnel Security Clearance TF
• Compliance & Enforcement WG
• Physical Security Guideline TF

Threat & Incident Reporting Guideline TF

Activity Highlights
• Changes made reference to E-ISAC
• Input from Orlando Stephenson (some quick fixes to update links)
• Sam Chanoski participating w/ comments
• Team/Task Force formed: Lisa Carrington, APS, currently assisting with review and revision
• Conference calls/e-mails to team (last call was Mar. 3rd); plan to have finished product (TBD)
• Ensure no conflicts w/ other reporting requirements (OE-417, RCIS, etc.)
• Any comments or willingness to participate: contact Randy Duncan / [email protected]

BES Security Metrics WG: CIPC Progress Report

Nathan Mitchell, Interim Chair
March 8-9, 2016

[Figure: CIPC organization chart; labels recovered from the slide]

Executive Committee: Joe Garmon, FMPA; Marc Child, Chair, Great River Energy; Melanie Seader, EEI; David Grubbs, City of Garland; Nathan Mitchell, Vice Chair, APPA; Jack Cashin, EPSA; Ross Johnson, CEA; David Revill, Vice Chair, NRECA; Chuck Abell, Ameren; John Galloway, ISO-NE; Sam Chanoski, Secretary, NERC

Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)

Working Groups and Task Forces:
• Business Continuity Guideline TF (Darren Myers)
• Physical Security WG (Ross Johnson)
• Security Training WG (William Whitney)
• Control Systems Security WG (Mikhail Falkovich)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Larry Bugh)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)

Security Metrics Development Roadmap: 2015 and Beyond

[Figure: roadmap graphic with a “We are here” marker; no further labels recovered]

BESSMWG Activities

Activities Since December 2015
• Met immediately following December CIPC meeting to discuss path forward
• Nathan Mitchell Interim Chair
• February 26-27 face-to-face meeting in Washington DC
  – Reviewed the E-ISAC’s 2015 raw data results
  – Began to develop content for the Security Performance Metrics chapter for NERC 2016 State of Reliability report
• Drafted the Security Performance Metrics chapter and forwarded the document to CIPC for review and feedback

Security Metrics in 2016 State of Reliability Report

Drafted chapter for the NERC State of Reliability 2016 report that:
• Provides an update on the 2014 results that appeared in the State of Reliability report for the first time
• Provides a high-level description for each metric (includes two refinements based on enhanced E-ISAC reporting processes)
• Includes validated E-ISAC data for 2014 and 2015 (note that 2015 report indicated that 2014 data was “preliminary”)
• Discusses apparent trends and rationale

2014-2015 Data

Table 1: Reportable Cyber Security Incidents

Metric | 2014 | 2015 Q1 | 2015 Q2 | 2015 Q3 | 2015 Q4
Total number of Reportable Cyber Security Incidents | 3 | 0 | 0 | 0 | 0
Total number of Reportable Cyber Security Incidents resulting in loss of Load | 0 | 0 | 0 | 0 | 0

• Zero reportable cyber security incidents
• However, the risk of a cyber security incident increases as cyber security vulnerabilities increase

2014-2015 Data

Table 2: Reportable Physical Security Events

Metric | 2014 | 2015 Q1 | 2015 Q2 | 2015 Q3 | 2015 Q4 | 2015 Total
Total number of reportable events as a result of physical security threats to a Facility or BES control center without physical damage or destruction | 47 | 11 | 15 | 21 | 29 | 76
Total number of reportable events that cause physical damage or destruction to a Facility | 9 | 5 | 5 | 2 | 5 | 17
Total number of reportable events as a result of physical security threats to a Facility or BES control center, or cause physical damage or destruction to a Facility, that result in a loss of Load | 0 | 1 | 0 | 0 | 0 | 1

• Although a near-zero result, the number of reportable events has increased by about 50%
• E-ISAC reporting indicates that distribution level (i.e., non-BES equipment) events are more frequent than those affecting BES equipment.

2014-2015 Data

Table 3: E-ISAC Membership

Metric | 2014 Q1 | 2014 Q2 | 2014 Q3 | 2014 Q4 | 2015 Q1 | 2015 Q2 | 2015 Q3 | 2015 Q4
Total number of electricity sector organizations registered as members of the E-ISAC | 496 | 557 | 578 | 827 | 840 | 848 | 868 | 898
Total number of individuals in E-ISAC member organizations who have E-ISAC accounts | 1,514 | 1,844 | 2,010 | 2,770 | 2,797 | 2,949 | 3,292 | 3,834

• Increasing E-ISAC membership should increase awareness of security threats and vulnerabilities
• All Reliability Coordinators (RCs) and 85% of Balancing Authorities (BAs) had an active account
• Plateauing of registrations suggests the need to conduct additional outreach.
• Active organizations are increasing the number of individuals with access to the E-ISAC portal

2014-2015 Data

Table 4: Industry-Sourced Information Sharing

Metric | 2014 Q1 | 2014 Q2 | 2014 Q3 | 2014 Q4 | 2014 Total | 2015 Q1 | 2015 Q2 | 2015 Q3 | 2015 Q4 | 2015 Total
Total number of E-ISAC Cyber Bulletins based on information provided by the electricity sector | 18 | 26 | 22 | 14 | 80 | 28 | 87 | 69 | 34 | 218
Total number of E-ISAC Physical Bulletins based on information provided by the electricity sector | 53 (only this single value survives on the slide)

• The E-ISAC received almost three times as many reports in 2015 compared with 2014
• More organizations are aware of the value in sharing information with the E-ISAC.

2014-2015 Data

Table 5: Global Cyber Vulnerabilities

Metric | 2014 Q1 | 2014 Q2 | 2014 Q3 | 2014 Q4 | 2014 Total | 2015 Q1 | 2015 Q2 | 2015 Q3 | 2015 Q4 | 2015 Total
Number of global cyber vulnerabilities considered to be high severity | 446 | 499 | 418 | 557 | 1,920 | 535 | 463 | 698 | 672 | 2,368
Number of global cyber security incidents | 2014: 18,456 | 2015: 25,469

• Global cyber security vulnerabilities increased (23%)
• Global cyber security incidents increased (38%)
• Indicates that vulnerabilities are increasingly being successfully exploited
• BESSMWG has selected the PWC Global State of Information Security report for global cyber security incidents because it has consistently reported the number of incidents since at least 2013.

Next Steps

• Consider any CIPC feedback from today
• Coordinate with the Performance Analysis Subcommittee to include the chapter in the NERC State of Reliability 2016 report
  – NERC Board approval May 2016
• Appoint a new BESSMWG Chair
• BESSMWG “Phase 2” Work
  – Continue to refine and build on the 5 approved metrics
  – Develop detailed definitions for additional metrics discussed in 2015

The Ask

The BESSMWG requests that CIPC:
• Accept the Security Performance Metrics chapter for inclusion into the NERC State of Reliability 2016 report

Leadership Change

• Former Chair: Rolland Miller – First Energy
• Interim Chair: Nathan Mitchell – APPA
• New Chair: Larry Bugh, Chief Security Officer / Director, Threats & Vulnerabilities, Reliability First

Office of Electricity Delivery and Energy Reliability

JIM MCGLONE
Senior Engineer, Infrastructure Security & Energy Restoration
Office of Electricity Delivery and Energy Reliability
U.S. Department of Energy
Email: [email protected]
Phone: 202-586-1287
Cell: 240-252-0337

Office of Electricity Delivery and Energy Reliability (OE)

Department of Energy (DOE)