
Standards Information session, January 15, 2015 – Direction – Contrôle des mouvements d'énergie (PowerPoint presentation)



  1. Project QC-2014-02 – Public consultation on CIP Version 5 Standards
     Information session, January 15, 2015
     Direction – Contrôle des mouvements d'énergie

  2. Webinar Outline (instructions)
     • Please mute your telephone during the entire webinar.
     • To ask a question:
       – Press the “Lever la main” (EN: Raise hand) button in the toolbar.
       – The presenter will give you the floor during the question period.
     • After the webinar, a summary transcription of questions and answers will be published on the Reliability Coordinator consultation Web site.
     • The PowerPoint presentation will also be available on the same site in both French and English.

  3. Presentation Overview
     • Introduction
       – Meeting Objectives
       – Files Currently Before the Régie
       – Consultation Process
     • Project QC-2014-02
       – Introduction to Cyber Security
       – Applicability of Version 5 CIP Standards
       – Proposed Standards (CIP-002 to CIP-011)
       – Effective Dates
       – Assessing Impact
     • Next Steps
     • Q & A

  4. Meeting Objectives
     • Review reliability standards in Québec
     • Present the proposed standards
     • Provide information on the consultation process
     • Respond to your questions
     • Present the next steps
     • Not covered: issues affecting files currently before the Régie de l’énergie

  5. Files Currently Before the Régie
     • File R-3699-2009 (Phase I):
       – 43 standards adopted to date (effective date TBD)
       – 12 standards come into force April 1, 2015 (only apply to the Coordinator and not sanctionable)
       – Awaiting final decision
     • File R-3699-2009 (Phase II):
       – The second agreement between the Régie, NPCC and NERC; signed September 24, 2014
       – RPCQ and PSCQ were merged into a single document, the PSCAQ, published October 10 by the Régie
       – The updated Sanction Guide was filed on November 24
     • File R-3906-2014 (Project QC-2014-01):
       – New request for adoption of 6 standards filed in August in accordance with decision D-2014-048

  6. Consultation Process
     • Consultation process approved by the Régie de l’énergie in decision D-2011-139
     • Prior to submitting new reliability standards, the Coordinator must:
       – Advise registered entities of the reliability standards
       – Gather feedback from registered entities and respond to them, whenever possible
       – Assess impact of the standards on the entities

  7. Consultation Process (cont’d)
     Main Steps:
     • Send consultation notice
     • Publish proposed standards and supporting documents
     • Hold period for feedback during which the entities may:
       – Comment on the standards and supporting documents
       – Submit assessment of financial impact of proposed standards on their activities
     • Answer feedback
     • Hold additional periods for feedback, as needed
     • File with the Régie

  8. Project QC-2014-02 – Critical Infrastructure Protection Standards – CIP Version 5
     Direction – Contrôle des mouvements d'énergie

  9. Energy sector: Critical infrastructure
     (Diagram of critical infrastructure sectors: IT and Telecom, Government, Finance, Water, Food, Health, Safety, Energy and utilities, Manufacturing, Transport)

  10. Threats – 4 Components
     • Actor
       – Activists
       – Criminals or organized crime
       – Disgruntled employees
       – Radicalized individuals
       – Lone wolves
       – Terrorist organizations
       – Countries, states and companies
     • Motive
       – Greed or profit
       – Vengeance, anger or rage
       – Coercion (blackmail)
       – Pride
       – Ideology or patriotism
       – Personal safety
     • Vectors
       – Social engineering
       – Malware, pirating, botnets
       – Pressure tactics
       – Break-in
       – Weapons, explosives, tools, vehicles
       – Civil disobedience
     • Targets
       – Confidential information
       – Intellectual property
       – Goods or revenue
       – Strategic assets
       – Reputation
       – Power system
       – Network or ICT systems

  11. Increased exposure
     (Chart of exposure versus time, showing technological security risks and physical security risks)

  12. Introduction to cyber security and physical protection of infrastructure
     • Relevance
       – Technical evolution
         • Computer components
         • Interconnected smart devices
         • Next-generation telecommunications networks
       – Increased risk
         • New attack vectors
         • Larger attack surface
         • Increasingly sophisticated adversaries
       – Greater potential impact
         • Interconnected cyber assets
         • Use of control and protection systems
         • Coordinated attacks that target multiple vulnerabilities
         • Event at Metcalf substation in California

  13. Introduction to cyber security and physical protection of infrastructure (cont’d)
     Version 5 CIP Standards
     • Based on best practices and increased experience in computer security
       – NIST
       – ISO 27002
       – Evolution of previous versions (CIP v1 to v3)
     • Categorizes impact of electronic systems on the power generation and transmission system (“Low”, “Medium” or “High”)
     • Allows systems to be properly secured based on actual impact
     • Includes classes of administrative, logical and physical controls for prevention, detection and correction

  14. Proposed Reliability Standards
     • CIP-002-5.1 – BES Cyber System Categorization
     • CIP-003-5 – Security Management Controls
     • CIP-004-5.1 – Personnel and Training
     • CIP-005-5 – Electronic Security Perimeters
     • CIP-006-5 – Physical Security of BES Cyber Systems
     • CIP-007-5 – Systems Security Management
     • CIP-008-5 – Incident Reporting and Response Planning
     • CIP-009-5 – Recovery Plans for BES Cyber Systems
     • CIP-010-1 – Configuration Change Management and Vulnerability Assessments
     • CIP-011-1 – Information Protection

  15. New Terms
     • Definitions to add to glossary
       – Interactive Remote Access
       – Electronic Access Point
       – BES Cyber Asset
       – BES Cyber System
       – Intermediate System
       – Protected Cyber Assets (PCA)
       – CIP Senior Manager
       – Physical Access Control Systems (PACS)
       – Control Center
       – Electronic Access Control or Monitoring Systems (EACMS)
       – CIP Exceptional Circumstance
       – External Routable Connectivity
       – Dial-up Connectivity
       – Reportable Cyber Security Incident
       – BES Cyber System Information

  16. Applicability of Version 5 CIP Standards
     • Applicability section shared across the 10 Version 5 CIP standards (except exemptions)
     • Functions:
       – Balancing Authority (BA)
       – Distribution Provider (DP)*
       – Generator Operator (GOP)
       – Generator Owner (GO)
       – Interchange Authority (IA)
       – Reliability Coordinator (RC)
       – Transmission Operator (TOP)
       – Transmission Owner (TO)
     * Reduced applicability for distributors

  17. Applicability of Version 5 CIP Standards (cont’d)
     • Québec facilities:
       – Main transmission system facilities (RTP)
       – Facilities of Distribution Providers specified in the standards
       – Control Centers that meet the definition
     • RTP applicability (instead of BES) shown in the Québec Appendix to each standard

  18. Applicability of Version 5 CIP Standards (cont’d)
     • Only Distributors that own the following facility types:
       – Load-shedding system that is part of a load-shedding program subject to a NERC or NPCC standard AND with a load-shedding capacity of 300 MW or more
       – Special Protection System (SPS) or Remedial Action Scheme (RAS) subject to a NERC or NPCC standard
       – Transmission protection system subject to a NERC or NPCC standard
       – Components of cranking path for system restoration

  19. Applicability of Version 5 CIP Standards (cont’d)
     • Exemptions:
       – Facilities regulated by the CNSC¹
       – Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters (ESP)
       – Entities that identify that they have no BES Cyber Systems according to CIP-002 are exempted from application of the CIP-004 and CIP-011 standards.
     ¹ Canadian Nuclear Safety Commission

  20. CIP-002-5.1 BES Cyber System Categorization
     • BES Cyber System categorization by facility impact
     • Each entity subject to the Applicability section must meet the following requirements:
       – Requirement 1: system identification and categorization process according to Appendix 1 of the standard
       – Requirement 2: review the list at least once every 15 calendar months and have it approved

  21. CIP-002-5.1 BES Cyber System Categorization
     Summary of Appendix 1 criteria for identifying applicable assets
     • High Impact (1.1 to 1.4): BES Cyber Systems used and located at any of the following
       – RC Control Center
       – BA Control Center (HQT only)
       – TOP Control Center
       – GOP Control Center associated with a Medium Impact asset

  22. CIP-002-5.1 BES Cyber System Categorization
     • Medium Impact (2.1 to 2.13): BES Cyber System associated with any of the following
       – Generation resources of 1500 MW or more
       – Reactive resources of 1000 Mvar
       – Generation Facilities designated by the PC
       – Transmission Facilities operated at 500 kV or higher
       – Transmission Facilities operated between 200 kV and 500 kV
       – Generation or Transmission Facilities designated by the RC, PC or TP for derivation of IROLs
       – Transmission Facilities that connect the output of a generating station identified in 2.1 or 2.3
