CI P Cyber Security Update CI P Cyber Security Update John Lim - PowerPoint PPT Presentation

CI P Cyber Security Update CI P Cyber Security Update John Lim John Lim Consolidated Edison Co. of New York, Inc. December 1, 2010 1

Disclaim er Materials presented or discussed here are the presenter’s own and do not necessarily represent th those of Con Edison or NPCC. f C Edi NPCC December 1, 2010 2

Agenda h h  Developm ent Process Changes  CI P-0 0 2 -4 and Version 4 CI P 0 0 2 4 d V i 4  CI P-0 0 5 -4 – Rem ote Access  CI P-0 0 5 -4 – Rem ote Access  CI P-1 0 and CI P-0 1 1 December 1, 2010 3

CIP St CIP Standard Development Process d rd D l p t Pr  Approved by NERC Standards Com m ittee  I nform al Com m ents  Forms  Forms  Webinars  Workshops  Other venues (regional meetings, etc.)  Formal response to each comment not required required December 1, 2010 4

CIP Standard Development Pr Process(2) (2)  Form al Com m ents ( 4 5 days) o a Co e ts ( 5 days)  Concurrent Ballot Pool formation/ Pre-Ballot Review (1st 30 days)  Ballot (Last 15 days) Ballot (Last 15 days)  All comments must be responded to.  Re-ballot  Can make changes to standard between ballots  As many as required for consensus December 1, 2010 5

Wh t H What Has Been Completed B C pl t d  Version 2 ( CI P-0 0 2 -2 – CI P-0 0 9 -2 ) e s o ( C 0 0 C 0 0 9 )  Phase 1  Low Hanging Fruits for FERC 706 Directives  Became Effective 4/ 2010  Version 3 ( CI P-0 0 2 -3 – CI P-0 0 9 -3 )  Version 3 ( CI P 0 0 2 3 CI P 0 0 9 3 )  90 day FERC directed changes to Version 2  Effective 10/ 2010 December 1, 2010 6

What’s In Progress g  CI P-0 0 2 -4  1st formal posting/ concurrent ballot: September 2010 1 t f l ti / t b ll t S t b 2010  Closed Novem ber 3  2 nd Ballot – In Progress  Target: Complete by 12/ 2010 g p y  CI P-0 0 5 -4  Urgent Action: Response to Remote Access Vulnerability  Separate Drafting Team  Intent to File to FERC with CIP-002-4 package  CI P-1 0 & CI P-0 1 1  Concept Paper: July 2009  Informal Posting: CIP-002-4 12/ 2009 (not the same as the current CIP-002-4)  Informal Posting: CIP-010 and CIP-011 07/ 2010  Target: 2011  Target: 2011 December 1, 2010 7

CIP 002 4 CIP-002-4  CI P-0 0 2 -4 – Narrow Scope  Non-uniform application of methodologies for N if li ti f th d l i f identifying Critical Assets, resulting in wide variation in the types and number of critical assets across regions regions.  Replace the Entity defined Risk-Based Methodology requirement with a bright-line based criteria requirement for identifying Critical Assets requirement for identifying Critical Assets.  FERC Order 706 comments and directives regarding oversight of the lists of identified Critical Assets in CIP 002 (Para 329) Requirement for oversight is CIP-002. (Para. 329). Requirement for oversight is significantly mitigated.  External perceptions of insufficiency of the Entity defined methodologies in identification of Critical defined methodologies in identification of Critical Assets. December 1, 2010 8

CIP 002 4 CIP-002-4  Replace Risk-Based Methodology with Bright-line C it Criteria (R1 & Attachment 1) i (R1 & Att h t 1)  Generation  Transmission  Transmission  Control Centers  Minor changes to R2 – Identification of Critical  Minor changes to R2 Identification of Critical Cyber Assets  No changes to CIP-003-CIP-009 except conforming changes f i h  Reference Document and Implementation Plan December 1, 2010 9

CIP 005 4 CIP-005-4  In “expedited revision” Process  In expedited revision Process  Addresses Remote Access vulnerability  Follows Urgent Action Formal comments  Follows Urgent Action Formal comments and Pre-ballot Review: 8/ 18/ 2010 to 9/ 17/ 2010 / /  1 st Ballot: 9/ 18  Currently in 30 day review (November 12 y y ( – December 11)  In expedited revision process  Ballot in last 10 days December 1, 2010 10

CIP 010 CIP-010  Categorized list of BES Cyber Systems  Categorized list of BES Cyber Systems  Based on Impact on Functions  High  High  Medium  Low  Basis for Application of Appropriate Controls (CIP-011)  Formal Comment: 7/ 2011 December 1, 2010 11

CIP 011 CIP-011  Posted for informal comment May 2010 y  SDT reviewed comments and feedback received at the May 2010 workshop in Dallas.  SDT determined it was infeasible to address all of  SDT determined it was infeasible to address all of the concerns and achieve industry consensus on CIP-011 by the initial target date of December 2010 2010.  Efforts on updating CIP-011 have been substantially deferred, with plans to resume in December. Efforts to review and respond to D b Eff t t i d d t comments has continued. December 1, 2010 12

CIP 011 S CIP-011 Scope and Objectives p d Obj ti  Address remaining FERC Order 706  Address remaining FERC Order 706 Directives:  2 or more diverse security measures for defense in depth at the security boundaries  Active vulnerability assessments every 3 years  Incorporate forensic data collection and I t f i d t ll ti d procedures  Consideration of adapting the NIST  Consideration of adapting the NIST Security Risk Management Framework December 1, 2010 13

CIP 011 G idi CIP-011 Guiding Principles Pri ipl  Policy focuses on high-level subject areas.  Policy focuses on high level subject areas.  To draft standards at a higher level to minimize the need for TFEs. e t e eed o s  STD will attempt to preserve the effort invested by Responsible Entities by y p y developing a mapping from the existing standards 003-009 to 011. December 1, 2010 14

15 Questions or Com m ents? Q&A Q&A December 1, 2010