Security Guidelines Workshop Cyber Security Standard

1
Security Guidelines Workshop
Cyber Security Standard
  • Kevin B. Perry
  • Director, Information Technology
  • Southwest Power Pool

2
Cyber Security Standards
  • Initially defined in Appendix G to the FERC
    Standard Market Design NOPR
  • NERC CIP Advisory Group initiated an Urgent
    Action SAR to establish a NERC cyber security
    standard.
  • Will be in effect for one year with possible one
    year extension.
  • To be replaced with permanent standard via ANSI
    Standard Authorization process.

3
Cyber Security Standards
  • Applies to those computers, including installed
    software and electronic data, and communication
    networks that support, operate, or otherwise
    interact with the bulk electric system
    operations.
  • This definition currently does not include
    process control systems, distributed control
    systems, or electronic relays installed in
    generating stations, switching stations and
    substations.

4
Cyber Security Standards
  • 1201 Cyber Security Policy
  • Written cyber security policy.
  • Policy will be reviewed at least annually.
  • Senior Management official shall be appointed.
      • Identified by name, title, phone, address, and
        date of designation.
  • Authorized exemptions or deviations shall be
    documented.

5
Cyber Security Standards
  • 1202 Critical Cyber Assets
  • Critical cyber assets shall be identified and
    documented.
  • Requires update within 90 days of addition or
    removal of critical cyber assets.
  • Requires annual review.

6
Cyber Security Standards
  • 1203 Electronic Security Perimeter
  • A document shall be maintained, depicting:
      • the electronic security perimeter(s)
      • all interconnected critical cyber assets
      • all electronic access points to the
        interconnected environment(s).
  • The document must verify all critical cyber
    assets are within the electronic perimeter.
  • Requires update within 90 days of network
    modification.
  • Requires annual review.

7
Cyber Security Standards
  • 1204 Electronic Access Controls
  • A document shall be maintained identifying the
    access controls and their implementation for each
    electronic access point to the electronic
    security perimeter(s).
  • Requires update within 90 days of the
    modification of the electronic security perimeter
    or the electronic access controls.
  • Requires annual review.

8
[Diagram: Electronic Security Perimeter. Labels: Office LAN, EMS, ICCP, Secure LAN, Comm Front End, Operator Console, Internet, WAN]

9
[Diagram: Electronic Security Perimeter. Labels: Bulk Power Operations Center, Neighboring Control Area Operations Center, Transmission/Dispatch Center, Access Control Point]

10
Cyber Security Standards
  • 1205 Physical Security Perimeter
  • A document shall be maintained depicting the
    physical security perimeter(s) and all physical
    access points to every such perimeter.
  • The document shall verify that all critical cyber
    assets are within the physical security
    perimeter(s).
  • Requires update within 90 days of perimeter
    modification.
  • Requires annual review.

11
Cyber Security Standards
  • 1206 Physical Access Controls
  • A document shall be maintained identifying the
    access controls and their implementation for each
    physical access point to the physical security
    perimeter(s).
  • Requires update within 90 days of the
    modification of the physical security perimeter
    or the physical access controls.
  • Requires annual review.

12
Cyber Security Standards
  • 1207 Personnel
  • A list shall be maintained of all personnel
    granted access to critical cyber assets,
    including the specific electronic and physical
    access rights to the security perimeter(s).
  • Requires update within 24 hours of any change.
  • Requires quarterly review.
  • Background screening shall be conducted,
    consistent with applicable Federal, State,
    Provincial, and local laws.

13
Cyber Security Standards
  • 1208 Monitoring Physical Access
  • Tools and procedures for monitoring physical
    access shall be documented.
  • The document shall verify that the tools and
    procedures are functioning and are being used as
    planned.
  • Physical access will be documented via access
    records (such as electronic logs).
  • Access records shall be verified against the list
    of access control rights or controlled by video
    or other physical monitoring.

14
Cyber Security Standards
  • 1209 Monitoring Electronic Access
  • Tools and procedures for monitoring electronic
    access shall be documented.
  • The document shall verify that the tools and
    procedures are functioning and are being used as
    planned.
  • Electronic access will be documented via access
    records (such as electronic logs).
  • Access records shall be verified against the list
    of access control rights.

15
Cyber Security Standards
  • 1210 Information Protection
  • Access limitations to sensitive information
    related to critical cyber assets shall be
    documented.
  • Must address access to procedures, critical asset
    inventories, maps, floor plans, equipment layouts
    and configurations.
  • Requires documentation to be updated as
    necessary.
  • Requires annual review.

16
Cyber Security Standards
  • 1211 Training
  • A company-specific cyber security training
    program shall be developed that includes:
      • The cyber security policy.
      • Physical and electronic access controls to
        critical cyber assets.
      • The release of critical cyber asset information.
      • Potential threat incident reporting.
      • Action plans and procedures to recover or
        re-establish critical cyber assets following a
        cyber security incident.

17
Cyber Security Standards
  • 1211 Training (cont)
  • A document shall be maintained identifying all
    personnel who have access to critical cyber
    assets and the date of the successful completion
    of their training.
  • Requires annual review.

18
Cyber Security Standards
  • 1212 Systems Management
  • Systems management policies and procedures for
    configuring and securing critical cyber assets
    shall be developed, addressing:
      • Effective password management.
      • Authorization and periodic review of computer
        accounts and access rights.
      • Disable unauthorized, invalidated, expired, or
        unused computer accounts and physical access
        rights.
      • Disable unused network services and ports.
      • Secure dial-up modem connections.

19
Cyber Security Standards
  • 1212 Systems Management (cont)
  • Systems management policies and procedures for
    configuring and securing critical cyber assets
    shall be developed, addressing:
      • Firewall management.
      • Intrusion detection processes.
      • Security patch management.
      • Installation and update of anti-virus software.
      • Retain and review operator logs, application
        logs, and intrusion detection logs.
      • Identify vulnerabilities and responses.

20
Cyber Security Standards
  • 1213 Test Procedures
  • Test and acceptance criteria for the installation
    or modification of critical cyber assets shall be
    documented.
  • A document shall be maintained verifying that the
    test and acceptance criteria have been implemented.

21
Cyber Security Standards
  • 1214 Electronic Incident Response Actions
  • A document shall be maintained defining the
    electronic incident response action, including
    actions, roles and responsibilities.
  • Reporting in accordance with the NERC-NIPC
    Indications, Analysis, Warnings Program Standard
    Operating Procedure is required.

22
Cyber Security Standards
  • 1215 Physical Incident Response Actions
  • A document shall be maintained defining the
    physical incident response action, including
    actions, roles and responsibilities.
  • Reporting in accordance with the NERC-NIPC
    Indications, Analysis, Warnings Program Standard
    Operating Procedure is required.

23
Cyber Security Standards
  • 1216 Recovery Plans
  • A document shall be maintained defining the
    action plan and procedures used to recover or
    re-establish critical cyber assets following a
    cyber security event, including actions, roles
    and responsibilities.
  • Recovery plans shall be exercised at least
    annually.

24
Cyber Security Standards
  • Compliance
  • Will be effective upon adoption by NERC Board of
    Trustees.
  • Specific compliance criteria are defined for each
    section of the standard.
  • Substantial compliance with standards by January
    1, 2004.
  • Full compliance with standards by January 1, 2005.
  • Annual self-certification required.
  • Periodic field audits expected.

25
Questions?
26
Contact SPP
Kevin B. Perry kperry_at_spp.org
www.spp.org