Grid Security & NERC Council of State Governments The Future of American Electricity Policy Academy Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

Source: knowledgecenter.csg.org/kc/system/files/Sena_0.pdf


Page 1

Grid Security & NERC
Council of State Governments
The Future of American Electricity Policy Academy
Janet Sena, Senior Vice President, Policy and External Affairs
September 22, 2016

Page 2

RELIABILITY | ACCOUNTABILITY

1965 – Northeast blackout

1968 – NERC voluntary organization formed

1997 – Electric Reliability Panel and Department of Energy Electric System Reliability Task Force agree that legislation needed to assure reliability standards are mandatory and enforceable

Page 3

August 14, 2003

Page 4

Recent NERC History

• Energy Policy Act of 2005 – Section 215 Federal Power Act
  ◦ Authorized creation of Electric Reliability Organization (ERO)
  ◦ Interconnected grid called for North American approach
  ◦ Reliability standards developed by ERO
  ◦ Oversight by U.S. and Canadian authorities
  ◦ Mandatory and enforceable by all users, owners and operators of the bulk power system – includes cybersecurity protection
  ◦ Regional entities with delegated responsibility
  ◦ Mandate to assess reliability
• 2006 – NERC certified by FERC as the ERO
• 2007 – First standards become mandatory and enforceable
• 2009 – Initial CIP Standards approved by NERC Board of Trustees

Page 5

Unique Form of Regulation

• Interconnected grid with Canada; oversight by U.S. and Canadian authorities
• Roughly 1900 owners, operators, and users of the BPS
  ◦ Focus on reliable operation of the BPS
  ◦ Standards cannot require construction of new transmission or generation capacity
• Independent Board of Trustees
• All entities with a material interest in the reliability of the BPS can be NERC members
• Member Representative Committee reports to the Board
• Eight Regional Entities at the front line, performing delegated functions

Page 6

NERC Regions

FRCC – Florida Reliability Coordinating Council
MRO – Midwest Reliability Organization
NPCC – Northeast Power Coordinating Council
RF – ReliabilityFirst
SERC – SERC Reliability Corporation
SPP-RE – Southwest Power Pool Regional Entity
TRE – Texas Reliability Entity
WECC – Western Electric Coordinating Council

Page 7

NERC CIP Relationships

[Diagram; only its labels survive extraction. Layers: Strategic, Policy Coordination, Operational Coordination. Categories: Information Sharing and Analysis Centers/Organizations, Sector Coordinating Councils, Federal Advisory Committees. Bodies shown: National Infrastructure Advisory Council (NIAC); Electricity Information Sharing and Analysis Center (E-ISAC) and NERC Standards; Electricity Sub-sector Coordinating Council (ESCC); Electricity Advisory Committee (EAC).]

Page 8

Cybersecurity Standards

• Designed to provide a foundation of sound security practices across the BPS
• Mandatory cyber standards cover numerous security aspects
  ◦ Critical assets identified
  ◦ Critical control centers and facilities secured
  ◦ Operations cyber assets firewalled and well-patched
• Industry is audited for compliance with the standards
• Now on CIP Version V

Page 9

Physical Security Standards

CIP-014 Purpose
• To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection
• Applicability: Transmission Owners (TO), Transmission Operators (TOP)
• Effective Date – October 1, 2015

Page 10

E-ISAC: Not Every Vulnerability Requires a Standard

• ISAC concept introduced in Presidential Decision Document 63, published in 1998
  ◦ Electric power was identified as a critical sector along with 14 others
  ◦ Homeland Security Presidential Directive 7 (2003)
  ◦ Presidential Policy Directive 21 (2013)
• Electricity sector’s ISAC has been hosted by NERC since 1999
  ◦ Recent concerns that sensitive information shared with the ISAC could “leak” to NERC compliance and enforcement groups
  ◦ Caused a rethinking about the proper relationship
• ESCC identified strategic review of the ES-ISAC as a priority national security issue for 2015
  ◦ Strategic review initiated in January 2015, completed in June 2015
• ES-ISAC renamed to E-ISAC in September 2015

Page 11

E-ISAC Products and Services

• Products
  ◦ NERC Alerts
  ◦ Incident (cyber and physical) bulletins
  ◦ Daily, weekly, and monthly summary reports
  ◦ Issue-specific reports
• Programs and Services
  ◦ Monthly briefing series, first Tuesday of the month
  ◦ Training at quarterly CIPC meetings
  ◦ Grid Security Conference (GridSecCon)
  ◦ Grid Exercise (GridEx)
  ◦ Cyber Risk Information Sharing Program (CRISP)
  ◦ Physical security outreach visits
• Tools
  ◦ E-ISAC portal (www.eisac.com)
  ◦ Emergency notifications
  ◦ STIX/TAXII automated information sharing

Page 12

E-ISAC and NCCIC

• The E-ISAC maintains a presence at the National Cybersecurity and Communications Integration Center (NCCIC), a DHS-operated 24/7 watch floor near Washington, D.C.
  ◦ Top Secret, real-time operations center
  ◦ Hub for classified threat and vulnerability work
• E-ISAC cleared personnel analyze the threat and vulnerability components seen by the intelligence community and make an initial determination of potential impacts on the BPS

Page 13

Cross-Sector Integration

The E-ISAC maintains a close working relationship with other ISACs and information sharing organizations:

• Energy: DNG-ISAC, ONG-ISAC
• Water: Water-ISAC
• Communications: Comm-ISAC
• Financial Services: FS-ISAC
• Transportation: Aviation-ISAC
• Healthcare: NH-ISAC
• Information Technology: IT-ISAC
• Government: MS-ISAC, ICS-CERT, US-CERT, National Coordinating Center for Telecommunications

Page 14

E-ISAC Activities – Cyber

Examples of Phishing Themes/Subjects:
• Order delivery
• Fwd: (blank)
• General Liability and Workers Compensation Insurance

Page 15

Data Exfil Events

Page 16

Data Exfil Events – Energy

Page 17

E-ISAC Activities – Physical

• The majority of events involved incidents of:
  ◦ Intrusion (36%)
  ◦ Suspicious Activity (29%)

Page 18

Exercises and Events

• Grid Security Conference (GridSecCon) 2016
  ◦ October 18-21, 2016, Quebec City
• Grid Security Exercise (GridEx) IV
  ◦ November 15-16, 2017
  ◦ Two days of distributed play
  ◦ Executive Tabletop
  ◦ Multiple ways to participate
  ◦ Builds on GridEx III lessons learned
• Secure The Grid (STG) Series – classified one-day sessions

Page 19

Learn More About Us!

• Sign up online at https://www.eisac.com
• Download our “how to” guides
  ◦ Brochure
  ◦ Understanding Your E-ISAC
  ◦ Engaging the E-ISAC

Page 20

Security Challenges

• Cyber-attack vectors are multiplying:
  ◦ System and network intrusions
  ◦ Complex supply chain
  ◦ Increased use of wireless communication and reliance on the Internet
• Physical security
• Increased information sharing between public/private sector
• Security clearances
• Limited access to classified information
• Diverse regulatory oversight: federal, state, provincial

Page 21

Tip of the Iceberg

Page 22

Questions?