cipc executive committee update cipc meeting washington dc june 9, 2005 stuart brindley cipc chair...
TRANSCRIPT
CIPC Executive Committee Update
CIPC MeetingWashington DC
June 9, 2005
Stuart Brindley
CIPC Chair
Public Release
CIPC Executive CommitteeChair Stuart Brindley (IESO, CEA)
Vice-Chair Larry Bugh (ECAR)
Vice-Chair Pat Laird (Exelon)
Cyber Jamey Sample (Cal-ISO)
Physical Bob Canada (Southern Co.)
Operations Roger Lampila (NY-ISO)
Policy Barry Lawson (NRECA)
Secretary Lou Leffler (NERC)
● Executive Committee 2-year terms end December 2005
● Need to “refresh” commitments of all CIPC members - letter to NERC Regional Managers later this year opportunity for greater Owner/Operator involvement
CIPC Nominating TF
Bob Canada SERC
Larry Dolci SPP
Tom Glock WECC
Mike Hyland APPA
Roger Lampila NPCC
CIPC Executive Committee Activities
● NERC Board Highlights - May 2 Stakeholder meeting and May 3
Board of Trustees meeting
● US/Canada Outage TF Recommendations
● Established the Electricity Sector Coordinating Council (ESCC) and the Government Coordinating Council (GCC) ESCC = NERC President & CEO plus CIPC
Executive Committee GCC = DoE lead, plus DHS, FERC
● Public messaging
Key CIPC Initiatives
● Complete actions to address the US-Canada Outage TF Recommendations by end-2005
● Continue to support the development of the Permanent cyber security standard Plan to support implementation
● New and revised Security Guidelines and White Papers
● Contribute to DHS’ National Infrastructure Protection Plan
● Reach-out within our industry, and to other sectors
● DHS Plan for Sector Engagement NERC is the Electricity Sector Coordinating
Council CIPC’s Executive Committee President/CEO NERC
Government Energy Coordinating Council DOE, DHS, FERC, possibly others
April 20, 2005 inaugural meeting “One-stop shop” to address strategic issues
Key CIPC Initiatives (cont’d)
NIPP Leadership Council
Government
Cross-Sector Council
GovernmentCoordinating Council
SectorCoordinating Council
Private Sector
Cross-Sector Council
Sector 16
Sector 1
Sector 2
Sector 3
Sector 17
etc
State Homeland Security Advisors
(HSAs)
Sector 16
Sector 1
Sector 2
Sector 3
Sector 17
etc
GovernmentCoordinating Council
GovernmentCoordinating Council
GovernmentCoordinating Council
GovernmentCoordinating Council
GovernmentCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
NIPP Leadership Council
Government
Cross-Sector Council
GovernmentCoordinating Council
SectorCoordinating Council
Private Sector
Cross-Sector Council
Sector 16
Sector 1
Sector 2
Sector 3
Sector 17
etc
State Homeland Security Advisors
(HSAs)
Sector 16
Sector 1
Sector 2
Sector 3
Sector 17
etc
GovernmentCoordinating Council
GovernmentCoordinating Council
GovernmentCoordinating Council
GovernmentCoordinating Council
GovernmentCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
SectorCoordinating Council
DHS Plan for Sector Engagement
Electricity
Electricity and TelecommunicationsInterdependencies
● Engaged with Telecom and Electric Power Interdependency Task Force Task force reports to the President’s National Security
Telecom Advisory Committee
● Topics include Situational awareness Incident management Restoration priorities - electricity and telecom Well-established local relationships Inter-sector exercises
● Paper by late Summer 2005
Control Systems Security
● New guidelines for BoT approval Patch Management for Control Systems Control Systems to Business Network Electronic Connectivity
● Why are they necessary? US-Canada Outage TF Recommendations related to
cyber security White paper prepared by CIPC’s Control Systems
Security Working Group - “Common Vulnerabilities of Control Systems”
Increased industry and government awareness to control systems security; DOE Lab demos
Support the Urgent Action and Permanent cyber security standards
Development Process
● Development began Q2 2004 by CIPC’s Control Systems Security Working Group
● March 2005, agreed to fast-track
● During April final draft to CIPC members conducted Webex conference call to review conducted vote
Patch Management for Control Systems
How to keep control systems software current and secure
● Complexities associated with maintaining high availability required of control systems
● Key steps Maintain asset inventory Notification of new vulnerabilities Assess risks of new vulnerabilities Test and implement
Control Systems to Business Network Electronic Connectivity
How to secure control systems from the vulnerabilities introduced when connected to business systems
Key steps Identify inventory and information flows User authentication Defence in depth Control and monitor access
Results of Vote
● Quorum established, both passed Patch Management for Control Systems (85.1%) Control Systems to Business Network Electronic
Connectivity (74.0%)
● Reasons for “no” votes: Generally, “more time to get it right” Some concerns with “the speeded-up process”, rather
than “content” Language needs even further emphasis of non-
mandatory nature Definitions presume those in latest draft of Permanent
Cyber Security Standard
US/Canada Outage TF Recommendations
● Final Task Force report expected June-05 (Canadian government assigned task of coordinating response to Security-related recommendations)
● Since Jan-05, several conference calls: CIPC EC and government (DOE, DHS, NRCan, PSEPC) CEA and Canadian government
● mid-Jan-05, provided CIPC members with a table of security recommendations and actions
● Table has since been updated to reflect recent CIPC Work Plan accomplishments
● CIPC commitments compete, or on-target
ESCC and GCC● “Inaugural” meeting April 20
ESCC: Gent, Brindley, Leffler, Canada, Lampila, Lawson (Johnson, Hyland, Brown invited as observers)
GCC: De Alvarez, Friedman, Kenchington, Caverley, Carrier plus ~10 others
Topics:
● Interim NIPP: Energy Sector-Specific plan provided to ESCC Targeting to provide comments by Jul-05 Don’t forget value of response/recovery
● Protecting information (CEII, PCII)
● National Asset Database ESCC position: Continue to question the need for government to
have a list of infrastructure assets.
ESCC and GCC (cont’d)
● FACA requirements (Federal Advisory Committee Act) Formal recognition that ESCC provides advice to government But FACA requires open and public disclosure Brindley, Laird participating in Sector Partnership Model Working
Group, reporting to NIAC…lawyers deliberating…
● HSIN Status Need to map information flows - who gets what
● Technology Roadmap
Public Messaging
Our industry is doing a lot to manage threats to our critical infrastructure.
Are we getting that message out to help manage public perceptions?
Key Messages - Readiness
● We take an all-hazards, all-threats approach to security and emergency preparedness Natural threats Man-made threats (cyber & physical attacks)
● Not just recovery, but mitigation and prevention Tested through drills and exercises
● Keep government informed - recovery
● Key Messages - Experience During the [Blackout]…draw on local experiences
Key Messages - US/Canada Blackout TF Recommendations
● Identify those systems critical to supporting the reliability of the grid
● Secure the perimeter to those systems
● Manage and monitor access to those systems
● Screen and train staff
● Conducting vulnerability assessments to ensure appropriate measures are in-place
● … and we were already meeting many of these
● ... and we’re working to improve and exceed
Key Messages - Our Biggest Challenge?
● Maintaining and raising awareness Address today’s threats Keeping aware of emerging threats
Fill in the blanks:o What are your vulnerabilities?o What are you doing about them?
Key Messages - the Stump Question
The Question:
● “So what about all those people saying how vulnerable the grid is?”
The Answer:
● From my own experience… We have taken action The industry is taking action
● … but “never say never”