Standards Information session January 15, 2015 Direction Contrle - - PowerPoint PPT Presentation

Project QC-2014-02 Public consultation on CIP Version 5 Standards

Information session

January 15, 2015

Direction – Contrôle des mouvements d'énergie

Webinar Outline (instructions)

• Please mute your telephone during the entire

webinar.

• To ask a question:

– Press the “Lever la main” (EN: Raise hand) button in the toolbar. – The presenter will give you the floor during the question period.

• After the webinar, a summary transcription of

questions and answers will be published on the Reliability Coordinator consultation Web site.

• The PowerPoint presentation will also be available on

the same site in both French and English.

2

3

Presentation Overview

• Introduction

– Meeting Objectives – Files Currently Before the Régie – Consultation Process

• Project QC-2014-02

– Introduction to Cyber Security – Applicability of Version 5 CIP Standards – Proposed Standards (CIP-002 to CIP-011) – Effective Dates – Assessing Impact

• Next Steps
• Q & A

Meeting Objectives

• Review reliability standards in Québec
• Present the proposed standards
• Provide information on the consultation process
• Respond to your questions
• Present the next steps

4

Not covered:

• Issues affecting files currently before the Régie de l’énergie

Files Currently Before the Régie

• File R-3699-2009 (Phase I):

– 43 standards adopted to date (effective date TBD) – 12 standards come into force April 1, 2015 (only apply to the Coordinator and not sanctionable) – Awaiting final decision

• File R-3699-2009 (Phase II)

– The second agreement between the Régie, NPCC and NERC; signed September 24, 2014 – RPCQ and PSCQ were merged into a single document, the PSCAQ, pubished October 10 by the Régie – The updated Sanction Guide was filed on November 24

• File R-3906-2014 (Project QC-2014-01)

– New request for adoption of 6 standards filed in August in accordance with decision D-2014-048

5

Consultation Process

• Consultation process approved by the Régie de

l’énergie in decision D-2011-139

• Prior to submitting new reliability standards, the

Coordinator must:

– Advise registered entities of the reliability standards – Gather feedback from registered entities and respond to them, whenever possible – Assess impact of the standards on the entities

6

Consultation Process (cont’d)

Main Steps:

• Send consultation notice
• Publish proposed standards and supporting documents
• Hold period for feedback during which the entities may:

– Comment on the standards and supporting documents – Submit assessment of financial impact of proposed standards

• n their activities
• Answer feedback
• Hold additional periods for feedback, as needed
• File with the Régie

7

Projet QC-2014-02

Critical Infrastructure Protection Standards – CIP Version 5

8 Direction – Contrôle des mouvements d'énergie

Energy sector: Critical infrastructure

Health Food Finance Water IT and Telecom Safety Energy and utilities Manufacturing Government Transport

9

9

Hydro-Québec

Threats 4 Components

Actor Motive Vectors Targets

> Activists > Criminals or organized crime > Disgruntled employees > Radicalized individuals > Lone wolves > Terrorist organizations > Countries, states and companies > Greed or profit > Vengeance, anger or rage > Coercion (blackmail) > Pride > Ideology or patriotism > Social engineering > Malware, pirating, botnets > Pressure tactics > Break-in > Weapons, explosives, tools, vehicles > Civil disobedience > Confidential information > Intellectual property > Goods or revenue > Strategic assets > Reputation > Power system > Personal safety > Network or ICT systems

Increased exposure

Technological security risks Physical security risks

Exposure

Time

11 Hydro-Québec

Introduction to cyber security and physical protection of infrastructure

Relevance

• Technical evolution
• Computer components
• Interconnected smart devices
• Next-generation telecommunications networks
• Increased risk
• New attack vectors
• Larger attack surface
• Increasingly sophisticated adversaries
• Greater potential impact
• Interconnected cyber assets
• Use of control and protection systems
• Coordinated attacks that target multiple vulnerabilities
• Event at Metcalf substation in California

12

Introduction to cyber security and physical protection of infrastructure (cont’d)

Version 5 CIP Standards

• Based on best practices and increased experience in

computer security

– NIST – ISO27002 – Evolution of previous versions (CIP v1 to v3)

• Categorizes impact of electronic systems on the power

generation and transmission system (“Low”, “Medium” or “High”)

• Allows systems to be properly secured based on actual

impact

• Includes classes of administrative, logical and physical

controls for prevention, detection and correction

13

Proposed Reliability Standards

• CIP-002-5.1 – BES Cyber System Categorization
• CIP-003-5 – Security Management Controls
• CIP-004-5.1 – Personnel and Training
• CIP-005-5 – Electronic Security Perimeters
• CIP-006-5 – Physical Security of BES Cyber Systems
• CIP-007-5 – Systems Security Management
• CIP-008-5 – Incident Reporting and Response Planning
• CIP-009-5 – Recovery Plans for BES Cyber Systems
• CIP-010-1 – Configuration Change Management and Vulnerability

Assessments

• CIP-011-1 – Information Protection

14

New Terms

• Definitions to add to glossary

– Interactive Remote Access – BES Cyber Asset – Protected Cyber Assets (PCA) – CIP Senior Manager – Control Center – CIP Exceptional Circumstance – External Routable Connectivity – Dial-up Connectivity – Reportable Cyber Security Incident – BES Cyber System Information

15

– Electronic Access Point – BES Cyber System – Intermediate System – Physical Access Control Systems (PACS) – Electronic Access Control or Monitoring Systems (EACMS)

Applicability of Version 5 CIP Standards

• Applicability section shared across the 10 Version 5

CIP standards(except exemptions)

• Functions:

– Balancing Authority (BA) – Distribution Provider (DP)* – Generator Operator (GOP) – Generator Owner (GO) – Interchange Authority (IA) – Reliability Coordinator (RC) – Transmission Operator (TOP) – Transmission Owner (TO)

* Reduced applicability for distributors

16

Applicability of Version 5 CIP Standards

(cont’d)

• Québec facilities:

– Main transmission system facilities (RTP) – Facilities of Distribution Providers specified in the standards – Control Centers that meet the definition

• RTP applicability (instead of BES) shown in the

Québec Appendix to each standard

17

Applicability of Version 5 CIP Standards

(cont’d)

• Only Distributors that own the following facility

types:

– Load-shedding system that is part of a load- shedding program subject to a NERC or NPCC standard AND with a load-shedding capacity of 300 MW or more – Special Protection System (SPS) or Remedial Action Scheme (RAS) subject to a NERC or NPCC standard – Transmission protection system subject to a NERC or NPCC standard – Components of cranking path for system restoration

18

Applicability of Version 5 CIP Standards

(cont’d)

• Exemptions:

– Facilities regulated by the CNSC1 – Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters (ESP) – Entities that identify that they have no BES Cyber Systems according to CIP-002 are exempted from application of the CIP-004 and CIP-011 standards.

19

1: Canadian Nuclear Safety Commission

CIP-002-5.1

BES Cyber System Categorization

• BES Cyber System categorization by facility impact
• Each entity subject to the Applicability section

must meet the following requirements:

– Requirement 1:

• System identification and categorization process

according to Appendix 1 of the standard

– Requirement 2:

• Review the list at least once every 15 calendar

months and have it approved

20

CIP-002-5.1

BES Cyber System Categorization

Summary of Appendix 1 criteria for identifying applicable assets

• High Impact (1.1 to 1.4): BES Cyber Systems

used and located at any of the following

– RC Control Center – BA Control Center – TOP Control Center – GOP Control Center associated with a Medium Impact asset

21

HQT only

CIP-002-5.1

BES Cyber System Categorization

• Medium Impact (2.1 to 2.13): BES Cyber System

associated with any of the following

– Generation resources of 1500 MW or more – Reactive resources of 1000 Mvar – Generation Facilities designated by the PC – Transmission Facilities operated at 500 kV or higher – Transmission Facilities operated between 200 kV and 500 kV – Generation or Transmission Facilities designated by the RC, PC or TP for derivation of IROLs – Transmission Facilities that connect the output of a generating station identified in 2.1 or 2.3

22

CIP-002-5.1

BES Cyber System Categorization

– SPSs that could cause IROL violations – Systems or components associated with load shedding of 300 MW or more – GOP Control Center not included in the High Impact category that operates at a total capacity of 1500 MW or more – TOP or BA Control Center not included in the High Impact category

23

CIP-002-5.1

BES Cyber System Categorization

• Low Impact (3.1 to 3.6): BES Cyber System

associated with any of the following assets (that do

not fall into a preceding category)

– Control Centre – RTP transmission substation – RTP generating station – Systems and facilities critical to system restoration – Special Protection Systems (SPS) – Protection systems of the Distribution Providers identified in the Applicability section

24

CIP-002-5.1

BES Cyber System Categorization

25

Simplified process example

List of applicable assets and impact

Systems Substations and Generating Stations Control Centers

Assets identified in the Applicability section Assets considered E1 (i. to vi.) Assessment using impact level criteria (Appendix 1) Cyber Assets

Lists of BES Cyber Assets Access point

Digital relays

Servers

Assessment using the definition of BES Cyber Asset (negative impact on facility within 15 minutes) Aggregation of BES Cyber System assets BES Cyber System categorization (High, Medium or Low Impact)

CIP-003-5

Security Management Controls

Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-003-5 Security Management Controls R1 Cyber security Policies (E, M) R2 Cyber security Policies (F) R3 Senior Manager CIP R4 Delegation of Powers

CIP-004-5.1 Personnel and Training R1 Security Awareness Program R2 Cyber Security Training Program R3 Personnel Risk Assessment Program R4 Access Management Program R5 Revocation of Access Program

Minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

CIP-004-5.1

Personnel and Training

CIP-005-5 Electronic Security Perimeters R1 Electronic Security Perimeters R2 Interactive Remote Access

Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter (ESP) in support of protecting BES Cyber Systems against compromise that could lead to misoperation

• r instability in the BES.

CIP-005-5

Electronic Security Perimeters

CIP-006-5 Physical Security of BES Cyber Systems R1 Physical Security Plans R2 Visitor Control Program R3 Physical Access Control System Maintenance and Testing Program

Manage electronic access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-006-5

Physical Security of BES Cyber Systems

Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-007-5

Systems Security Management

CIP-007-5 Systems Security Management R1 Ports and services R2 Security Patch Management R3 Malicious Software Prevention R4 Security Event Monitoring R5 System Access Control

Mitigate the risk to the reliable operation of the BES of a Cyber Security incident by specifying incident response requirements.

CIP-008-5

Incident Reporting and Response Planning

CIP-008-5 Incident Reporting and Response Planning R1 Cyber Security Incident Response Plan R2 Cyber Security Incident Response Plan Implementation and Testing R3 Cyber Security Incident Response Plan Review, Update and Communication

Recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.

CIP-009-5

Recovery Plans for BES Cyber Systems

CIP-009-5 Recovery Plans for BES Cyber Systems R1 Recovery Plans R2 Recovery Plan Implementation and Testing R3 Recovery Plan Review, Update and Communication

Prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.

CIP-010-1

Configuration Change Management and Vulnerability Assessments

CIP-010-1 Configuration Change Management and Vulnerability Assessments R1 Configuration Change Management R2 Configuration Monitoring R3 Vulnerability Assessments

Prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-011-1

Information Protection

CIP-011-1 Information Protection R1 Information Protection R2 BES Cyber Asset Reuse and Disposal

35

Cyber System Impact Levels

LOW Impact

MEDIUM Impact

HIGH Impact

Policies and leadership Awareness and training, criminal record check and access control Flow and interactive access controls and electronic security perimeter monitoring Physical perimeter Ports (logical and physical), malicious code, cyber asset monitoring and account management Security incidents Backup plan and tests* Changes and configuration, vulnerability management Information protection

Policies and leadership Awareness and training, criminal record check and access control Flow and interactive access controls and electronic security perimeter monitoring Physical perimeter Ports (logical and physical), malicious code, cyber asset monitoring and account management Security incidents Backup plan and tests Changes and configuration, vulnerability management Information protection

Policies Awareness and training Flow control Physical perimeter Account managmenet Security incidents

Proposed Effective Dates

Entity Effective date in the United States Proposed effective date in Québec Reason Medium and High Impact Low Impact Medium and High Impact Low Impact Entities governed by Version 1 CIP Standards approved by the Régie 2016-04-01 2017-04-01 2016-04-01 2017-04-01 Standardize practices with the other jurisdictions Entities exempted from Version 1 CIP Standards under the specific provisions of those standards The first day

• f the first

calendar quarter that is 24 months following the adoption of the standards by the Régie de l’énergie The first day

• f the first

calendar quarter that is 24 months following the adoption of the standards by the Régie de l’énergie Provide the time needed to implement Version 5 CIP Standards to entities that were exempt under Version 1

36

Preliminary Impact Assessment

Overview of impact of standards

CIP-002-5.1 to CIP-011-1 Low Moderate High Standard name X Maintaining the standard X Compliance monitoring X

37

Legend: Low: Normal industry practice that only requires minor adjustments to existing processes or practices. Moderate: Change that requires allocation of some physical, human or financial resources to implement, maintain or monitor compliance with the proposed standard. High: Change that requires allocation of significant physical, human or financial resources to plan, implement, maintain or monitor compliance with the proposed standard.

Comments

• Two forms are available:

– Standards and supplementary documents – Evaluation of the impacts of proposed standards

• The following information must be clearly indicated:

– Name of person submitting the comments – Name of entity represented – Document and section to which the comment applies – Impact the proposed standard will have on the entity (human, material and financial resources—be as specific as possible)

38

Send comments to: fiabilite@hydro.qc.ca

Next Steps

• Study feedback
• Publish responses to feedback
• Hold a technical meeting (as required)
• Revise text in standards and support documents
• Compile the financial impact assessments
• File with the Régie de l’énergie for adoption

39

Q & A

40