Michael Espinoza BS Information Systems University of Redlands
Michael Espinoza
• BS Information Systems – University of Redlands
• AS Electronic Technology
• Project Management Certification Program – UCSD
• 22 Years SDG&E
• Sr EMS Hardware Analyst
• EMS Hardware Supervisor
• Infra Project Technical Lead
Agenda
• Purpose
• NERC CIP Standards
• Goals/Challenges
• Establishing Project Direction
• Project Roadmap
• Communication is Essential
• Feedback
• Disclaimer – This presentation represents my own
Purpose of CIP Cyber Security Standards • Ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.
North American Electric Systems Overview
NERC is made up of eight regions that oversee the reliability and operation of the Bulk Electric System.
• All Electric Generation and Transmission agencies report to one of these regions.
• SDG&E reports to the WECC, the Western Area reporting agency.
• All regions must comply with NERC CIP 002-009 Standards.
NERC CIP – NERC Cyber Security: 8 Standards
CIP-002 Critical Cyber Asset Identification
CIP-003 Security Management Controls
CIP-004 Personnel & Training
CIP-005 Electronic Security Perimeters
CIP-006 Physical Security of Critical Cyber Assets
CIP-007 Systems Security Management
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets
41 Requirements
Audit Preparation – Compliance Levels
§ Compliant (C) – 2009 – means the entity meets the full intent of the requirements and is beginning to maintain required "data," "documents," "documentation," "logs," and "records"
§ Auditably Compliant (AC) – 2010 – means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12 calendar months of auditable "data," "documents," "documentation," "logs," and "records"
Penalty Matrix*
Rows: Violation Risk Factor. Columns: Violation Severity Level. Each cell gives the range limits (Low – High).

VRF      | Lower              | Moderate           | High               | Severe
Lower    | $1,000 – $3,000    | $2,000 – $7,500    | $3,000 – $15,000   | (low limit not legible) – $25,000
Medium   | $2,000 – $30,000   | $4,000 – $100,000  | $6,000 – $200,000  | $10,000 – $335,000
High     | $4,000 – $125,000  | $8,000 – $300,000  | $12,000 – $625,000 | $20,000 – $1,000,000

* Matrix undergoing revision.
FERC statutory limit: $1,000,000 per day per violation. Other limits or provisions may apply in Canada.
GOAL
• Comply with new NERC CIP 002-009 Cyber Security Standards in advance of the required deadlines
• Obstacles Notwithstanding:
  - Significant effort is required
  - Additional funding and/or personnel may be needed
CIP Standards Applicability to the following Functions
• Generation Owner
• Generator Operator
• Transmission Owner
• Transmission Operator
• Load Serving Entity
STANDARD applicability by organization (table): columns CIP-001 through CIP-009; rows Grid Operations, Information Technology, Corporate Security, Human Resources, Regulatory. Checkmarks show which organization is responsible for each standard; the individual cell marks are not recoverable from the slide extraction.
"The Challenge" – Project Links / Organizational Links
*The key for success -> Ensure all Organizations have the same goal.
Organizations linked to the project: Internal Auditing, Facilities, Regulatory, Electric Ops, IT, WECC, HR, Corp Security, NERC & FERC
Acquire Project Teams (PMBOK Guide)
Inputs
1. Enterprise Environmental Factors
2. Organizational Process Assets
3. Roles and Responsibilities
Tools & Techniques
1. Pre-assignment
2. Negotiation
3. Acquisition
4. Virtual Teams
Outputs
1. Project staff assignments
2. Resource availability
3. Staffing Management plan (updates)
4. Project organization charts
5. Staffing Management plan
NERC CIP PROJECT PYRAMID (bottom to top)
1. Build Processes – Data, Documents, Documentation, Logs, Records, Processes
2. Management Approval / Sign-off – Management Sign-off Supporting NERC CIP 002-009 Reporting/Certification
3. Audit – Audit Attest & Report
CONCEPT PROCESS EXAMPLE
Populate the master CCA (Critical Cyber Asset) access list from existing worksheets held by Grid Operations, Human Resources, Corporate Security, and IT.
Establishing Project Direction
• Develop a master project plan
• Assign qualified members to each internal NERC team
• Use standardized templates for documentation
• Run an ongoing gap analysis to identify redundant and missed processes
Communications – Updates/Feedback
• Executive Updates – Monthly
  – CEO/VP
  – Directors
  – Managers
• Team Feedback
  – Monitor Teams for resource requirements
  – Establish monthly goals for Levels of Compliance
  – Review Team suggestions
• Utilize Tools/Resources
  – Consultants, WICF (Western Interconnection Compliance Forum), Common Data site (SharePoint), Ticklers
Review
• Purpose
• NERC CIP Standards
• Goals/Challenges
• Establishing Project Direction
• Project Roadmap
• Communication is Essential
• Feedback
Feedback