Integration of Technology & Compliance, presented by John Heintz, CPS Energy


Page 1

Integration of Technology & Compliance

August 02, 2012, 2012 Technologies for Security & Compliance Summit, Austin, Texas

Page 2

John Heintz, CISSP, CISM, CRISC, Senior Manager, Enterprise IT Security

Page 3

CPS Energy History (The early days)

• Oldest utility in Texas. Gas light system started in the 1860s.

• In 1917, San Antonio Public Service Company (SAPS Co), under the ownership of American Light and Traction Company, ran the city's power plants, gas network and street car lines.

• In 1942, anti-trust laws required American Light and Traction Company to sell some of its assets.

• The City of San Antonio outbid other entities to purchase SAPS Co for $34 million.

• The city sold off the street car business and retained the power generation, distribution and gas network.

• Changed the name to City Public Service, which changed over the years to CPS Energy.

Page 4

CPS Energy (Current)

• Based in San Antonio (7th largest city in the nation)

• Largest municipally owned energy utility that provides both natural gas and electric service

• Serve over 717,000 electric customers

• Over 325,000 gas customers

• 1,514 square mile service area.

• Over 3,600 employees

• $2 Billion in annual revenues

• $9.7 Billion in assets

• Provide roughly $250 - $280 million annual revenue to the City of San Antonio.

Page 5

Generation

• Generation Assets

– Own and operate 4 major generation facilities in the San Antonio area (gas and coal). Generates approximately 7,000 megawatts of power.

– Own 40% of South Texas Project (STP) units 1 and 2. Provides 1,088 megawatts of power for CPS Energy customers.

– Has invested an additional 7.625% into additional units at STP. Would generate an additional 200 megawatts of power for our customers.

• Fuel Mix

– Coal: 32%

– Nuclear: 16%

– Natural gas and purchased power: 39%

– Renewable (wind, solar and landfill methane gas): 13%, to increase to 20% by 2020.

Page 6

Transmission & Distribution

• Transmission & Distribution Assets

– Own and maintain 1,400 miles of transmission lines.

– Own and maintain 7,600 miles of overhead distribution lines. Over 408,000 poles.

– Own and maintain an additional 4,300 miles of underground distribution lines.

Page 7

Enterprise IT Security Organization

• Enterprise IT Security Organization (EITS) formed in May of 2007

– John Heintz began with CPS Energy almost 2 years ago

• EITS moved to the Legal Department under the General Counsel in 2009, which provides true segregation of duties

– Reports to Senior Counsel and the Director of Compliance.

• Baselined the EITS security program using the Forrester Information Security Maturity Model, a benchmarking tool to assess the information security program.

– Provides a framework that describes all of the required functions and components of a comprehensive information security program.

– The Forrester model is objective, prescriptive, process oriented, modular and uncomplicated.

Page 8

Forrester Information Security Maturity Model

Oversight

• Strategy

• Governance

• Risk Management

• Compliance Management

• Audit and Assurance

People

• Security Services

• Communication

• Security Organization

• Business Relationship

• Roles/Responsibilities

Technology

• Network

• Databases

• Systems

• Endpoints

• Application Infrastructure

• Messaging and Content

• Data

Process

• Identity and Access Management

• Threat and Vulnerability Management

• Investigations and Records Management

• Incident Management

• Sourcing and Vendor Management

• Information Asset Management

• Application/Systems Development

• Business Continuity and Disaster Recovery

Page 9

Maturity Model Self Assessment

0 - Nonexistent: Not understood • Not formalized • Need is not recognized

1 - Ad Hoc: Occasional • Not consistent • Not planned • Disorganized

2 - Repeatable: Intuitive • Not documented • Occurs only when necessary

3 - Defined: Documented • Predictable • Evaluated occasionally • Understood

4 - Measured: Well managed • Formal • Often automated • Evaluated frequently

5 - Optimized: Continuous and effective • Integrated • Proactive • Usually automated

(Annotation on the scale: Most mature companies are at this stage.)

(Chart: Our corporate network results; the chart itself is not reproduced in the transcript.)

Page 10

Doing Well and What Has Already Improved

• EITS - What are we doing well

– Endpoint Anti-Malware

– Network Intrusion Detection

– Anti-spam

– Policy Creation

– Security Event Management

• Other improvements already made

– Security Metrics

– Endpoint Protection

– Network Vulnerability

– Application Developer Security Awareness

– Vulnerability Management

– Security Testing

– Forensics and e-Discovery

– Threat Modeling

– Threat Research

– Client Encryption

– Project Integration

Page 11

Key Security / Compliance Challenges

• Technology

– Databases: Encryption is ad hoc

– Systems: Host based firewalls and IPS

– Application Infrastructure: XML gateway, Application firewall

– Messaging and Content: Message encryption, Instant message filtering, Anti-malware

– Data: Digital rights management

• Process

– Identity and Access Management: Web SSO, Access control, Enterprise SSO

• People

– Security Organization: Staffing

Page 12

Corporate Information Security Goal

0 - Nonexistent: Not understood • Not formalized • Need is not recognized

1 - Ad Hoc: Occasional • Not consistent • Not planned • Disorganized

2 - Repeatable: Intuitive • Not documented • Occurs only when necessary

3 - Defined: Documented • Predictable • Evaluated occasionally • Understood

4 - Measured: Well managed • Formal • Often automated • Evaluated frequently

5 - Optimized: Continuous and effective • Integrated • Proactive • Usually automated

(Annotation on the scale: Key security issues are addressed, could move here…)

Page 13

James Grimshaw, Critical Cyber Infrastructure Manager, Transmission Compliance

Page 14

Control Systems Cyber Security (or Compliance?)

• NERC Compliance Events

– January 2009: One year to be fully compliant

– January 2010: Fully compliant date

– October 2010: TOP CFR Certification

– November 2011: 1st full TO/TOP/LSE CIP audit

– 2012: Documented lessons learned (LL) and begin to implement LL during annual updates

1. Manage and Communicate Compliance Activities

2. CIP-004-3, R4 – Access Program

3. Management Dashboard

Page 15

Manage and Communicate Compliance Activities

• Annual reviews (policies, programs, procedures, etc.)

• Create periodic compliance reports

• Where to file (sensitive) associated reports and evidence

• Complete Reliability Standards Audit Worksheets (RSAWs)

• Create workflows for accountability, accuracy, & oversight

• Risk management – escalation of non-completed workflows, security trends

• Manage Technical Feasibility Exceptions, Mitigation Plans, etc.

• Decrease interruption to Subject Matter Experts' daily work schedule

Page 16

Physical & Cyber Access Program

• Automate performance reviews and system generated reports

• Integrate systems to decrease risk & increase efficiency

• Physical Security Perimeter & Electronic Security Perimeter

• PSP Area Owners & Cyber System Owners

• Corporate Enterprise Resource Planning program for PRAs

• Corporate learning management system for NERC training records

• Weekly access report fed into management dashboard

• Automate position organizational changes, terminations and new hires

• CIP Version 5 – Role based access (and other changes)
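The integration this page describes (HR feed for terminations and new hires, learning management system for training records, ERP for PRAs, and a weekly access report rolled up into the dashboard) comes down to a recurring reconciliation: every PSP/ESP access grant is checked against the records that justify it. The Python below is an added illustration of that reconciliation, not CPS Energy's code. All feeds, identifiers and dates are constructed, and the review cycles it enforces (annual training, seven-year PRA, revocation within a day of termination) are assumptions for the example rather than figures from the slides; a real implementation would take them from the CIP version in force.

```python
"""Weekly access reconciliation for a physical/electronic security perimeter
access program.  Added illustration, not CPS Energy code: it cross-checks an
access list against constructed HR, learning-management (LMS) and personnel
risk assessment (PRA) feeds and rolls the findings up for a dashboard."""
from dataclasses import dataclass
from datetime import date

# Assumed review cycles (an assumption for this example, not taken from the
# slides; confirm against the CIP version in force): annual training, 7-year PRA,
# access revoked within one day of termination.
TRAINING_VALID_DAYS = 365
PRA_VALID_DAYS = 7 * 365
REVOCATION_GRACE_DAYS = 1


@dataclass(frozen=True)
class Finding:
    person_id: str
    asset: str
    issue: str


# Constructed sample feeds (hypothetical identifiers) --------------------------
ACCESS_LIST = [  # (person_id, asset, access type), as exported from badge/directory systems
    ("e1001", "ControlCenter-PSP", "physical"),
    ("e1001", "EMS-ESP", "electronic"),
    ("e1002", "EMS-ESP", "electronic"),
    ("e1003", "Substation-PSP", "physical"),
    ("e1004", "EMS-ESP", "electronic"),
]
HR_FEED = {  # person_id -> (employment status, termination date or None)
    "e1001": ("active", None),
    "e1002": ("terminated", date(2012, 7, 20)),
    "e1003": ("active", None),
    "e1004": ("active", None),
}
LMS_RECORDS = {  # person_id -> most recent NERC CIP training completion
    "e1001": date(2012, 3, 1),
    "e1002": date(2012, 1, 15),
    "e1003": date(2011, 5, 10),
}
PRA_RECORDS = {  # person_id -> most recent PRA completion (from the ERP feed)
    "e1001": date(2008, 6, 1),
    "e1002": date(2009, 2, 1),
    "e1003": date(2004, 1, 1),
    "e1004": date(2011, 11, 1),
}


def reconcile(access, hr, lms, pra, as_of):
    """Return one Finding per access grant that fails a program control."""
    findings = []
    for person, asset, _kind in access:
        status, term_date = hr.get(person, ("unknown", None))
        if status == "terminated":
            overdue = term_date is not None and (as_of - term_date).days > REVOCATION_GRACE_DAYS
            issue = "access retained after termination" + (" (revocation overdue)" if overdue else "")
            findings.append(Finding(person, asset, issue))
            continue  # revocation is the action; the remaining checks are moot
        if status != "active":
            findings.append(Finding(person, asset, "no HR record for access holder"))
            continue
        trained = lms.get(person)
        if trained is None:
            findings.append(Finding(person, asset, "no training record"))
        elif (as_of - trained).days > TRAINING_VALID_DAYS:
            findings.append(Finding(person, asset, "training expired"))
        assessed = pra.get(person)
        if assessed is None:
            findings.append(Finding(person, asset, "no PRA record"))
        elif (as_of - assessed).days > PRA_VALID_DAYS:
            findings.append(Finding(person, asset, "PRA expired"))
    return findings


def dashboard_summary(findings):
    """Roll findings up to counts per issue type for the management dashboard."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def weekly_report(as_of=date(2012, 8, 2)):
    """Run the reconciliation for one reporting week and return (findings, summary)."""
    findings = reconcile(ACCESS_LIST, HR_FEED, LMS_RECORDS, PRA_RECORDS, as_of)
    return findings, dashboard_summary(findings)


if __name__ == "__main__":
    found, summary = weekly_report()
    for f in found:
        print(f"{f.person_id:6} {f.asset:18} {f.issue}")
    print("summary:", summary)
```

With the constructed data, the report flags one terminated employee still holding electronic access, one active employee whose training and PRA have both lapsed, and one with no training record at all; the per-issue counts are what the dashboard would trend week over week, while the per-grant findings go to the PSP area owner or cyber system owner for action.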

Page 17

Management Compliance Dashboard

• One of the top ranked challenges is getting management support

– NERC Committee (Steering Group)

– Provide senior management with high level insight (drill down)

• Properly prioritize projects vs. compliance

• Properly prioritize funding

• Corporate level risk mitigation

Page 18

The Future for Control Systems Environments

• Working together with other utilities

– CIP Working Group

• Continuous process improvement

– Invest to automate processes

– Integrate systems to decrease risk

• Stay informed and utilize resources

– NERC and ICSJWG workshops

– Keep up with NERC & TxRE communications

– DOE/DHS

Page 19

Questions