LESSONS FROM 2003-04 CIPAG 1 November 2, 2006

Lessons from 2003-04 Critical Infrastructure Group

Bill BojorquezNovember 2, 2006

LESSONS FROM 2003-04 CIPAG 2 November 2, 2006

2003-04 CIP Advisory Group Purpose2003-04 CIP Advisory Group Purpose

Purpose:

A collaborative effort to bring together owners and operators of critical physical and cyber assets for securing the Texas electric sector.

Channel security information from Local authorities Regional authorities Federal authorities

Discuss security solutions

Share information

Communicate and clarify NERC security standards

Assist in security standards implementation

LESSONS FROM 2003-04 CIPAG 3 November 2, 2006

2004 CIPAG Proposed Structure

“ERCOT CIPAG will be sanctioned by the ERCOT board of directors for the purpose of monitoring compliance with defined NERC standards. In addition, the group may offer security advisory services, assist market participants in developing stakeholder standards and will assist in communicating and clarifying critical information from federal and state agencies.”

LESSONS FROM 2003-04 CIPAG 4 November 2, 2006

2004 CIPAG Proposed Structure (cont.)

CIPAG: Will serve as an expert advisory panel to the ERCOT Board of

Directors and subcommittees Will establish security standards for interfacing with ERCOT systems. Will not set stakeholder security standards but can assist in developing

standards.• These security standards may be more stringent or specific than

NERC’s and must be approved through the reliability subcommittee (ROS)

Will establish and maintain an information reporting procedure for critical infrastructure protection among industry segments and with federal and state government agencies.

Will conduct forums and workshops related to the scope of CIPAG. ERCOT staff will lead the CIPAG and manage an open stakeholder

forum.

LESSONS FROM 2003-04 CIPAG 5 November 2, 2006

Department of Energy NERC/

CIPAG

ISO CIO Security Committee

ERCOTERCOT

Members

State Agency

Educate on best practices / standards Coordinate security Incidents Distributing information from federal and state agencies Solicit federal and state funding where appropriate Represent ERCOT market’s interest to federal and state agencies

Issue 1: Reach is too BroadIssue 1: Reach is too Broad

Department of Homeland Security

Federal Bureau of

Investigation

U.S. Secret Service

LESSONS FROM 2003-04 CIPAG 6 November 2, 2006

Issue 2: Significant Resource Burden

CIPAGPhysicalCyber

Operations

SubcommitteesTAC

ReliabilityRMS, WMS

SubcommitteesTAC

ReliabilityRMS, WMS

ERCOT Board of Directors

ERCOT Board of Directors

FederalStateNERC

Agencies

FederalStateNERC

Agencies

MarketParticipants

MarketParticipants

PUCTPUCT

Will establish and maintain an information reporting procedure for critical infrastructure protection among industry segments and with federal and state government agencies.

ERCOT staff will lead the CIPAG and manage an open stakeholder forum.

LESSONS FROM 2003-04 CIPAG 7 November 2, 2006

What Could be Helpful from the 2004 CIPAG?What Could be Helpful from the 2004 CIPAG?

Draft charter Proposed Governance Model

LESSONS FROM 2003-04 CIPAG 8 November 2, 2006

2004 CIPAG Governance2004 CIPAG Governance

Steering Committee

Drafts charter and proposes the governance structure for review and approval by the ERCOT Board of Directors

Companies who volunteer resources to the Steering Group: TXU Reliant BP

Governance Committee

Elected by Market Segments

Proposed Members: Generators (6), Transmission (2), QSE (4), ERCOT (1)

Reports to the Board of Directors

Chaired by ERCOT Director of Security

Vice Chair and Secretary elected by Committee Members

Working task groups created from group membership

CenterPointLCRAERCOT

LESSONS FROM 2003-04 CIPAG 9 November 2, 2006

2004 CIPAG Governance (cont.)2004 CIPAG Governance (cont.)

Communications and Initial Distribution:

All QSEs (65)

All Transmission Service Providers (17)

PGCs with total generation over 800MW (30)

Others can participate by subscribing to open exploder list.