Kurt Forster NERC CIP Cyber Resilience Business Lead September 11, 2019
NERC CIP - Topics of Discussion
• Tiers and Requirements
• How Tiers are implemented
• What is Controlled
• How it is Monitored
• Action on Events
Who needs to comply
• Bulk Power System Owners
• Operators
• Users
Must comply with NERC-approved Reliability Standards.
What is a Bulk Electric System (BES) Cyber System
• A BES Cyber System is one or more BES cyber assets. A BES cyber asset is a programmable electronic device, including the hardware, software and data in that device.
Tiers of Bulk Electric System (BES) Cyber System
• High Impact BES Cyber Systems = Most stringent control
  – Generation equal to or greater than an aggregate of 3000 MW in a single Interconnection
• Medium Impact BES Cyber System = Moderate control requirements
  – Single-plant generation units with an aggregate highest rated net Real Power capability over the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection
• Low Impact BES Cyber System = Lowest control requirements
  – BES Cyber Systems not included above that are associated with any assets
How is a BES NERC CIP Program implemented?
• Identification of High, Medium and Low systems
• Physical and Electronic BES Boundaries for High and Medium impact assets
• Categorization of cyber assets for:
  – Electronic Access Control or Monitoring Systems (“EACMS”)
  – Physical Access Control Systems (“PACS”)
  – Protected Cyber Assets (“PCA”)
What is controlled?
• Cyber assets and Cyber systems inside a BES boundary
• Access points, Physical and Electronic
• Official and Unofficial changes to systems
• Authorization and identity for Physical and Electronic access
How is it monitored?
• The standards lay out what must be monitored, the reporting time for an incident, and who to report it to.
• Physical logs are still good
• Electronic alerts and notifications
• It is important that what is being monitored has an active reviewer who submits it to the CIP manager in time
• Types of monitoring
  – Compliance Audits
  – Self-Certifications
  – Spot Checking
  – Compliance Investigations
  – Self-Reporting
  – Complaints
Actions on an event
• All high and medium systems require an incident response plan
• In most cases the CIP Manager needs to be notified
• Cyber Security Incidents and documentation of initial notices need to be sent to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) within an hour of an incident.
Summary
NERC-CIP 002-014 is here to make sure everyone is working at a competent level and to make sure we retain production and security when compromised.
Questions?