CIPC Executive Committee Update CIPC Meeting Washington DC June 9, 2005 Stuart Brindley CIPC Chair Public Release.

CIPC Executive Committee
Chair: Stuart Brindley (IESO, CEA)
Vice-Chair: Larry Bugh (ECAR)
Vice-Chair: Pat Laird (Exelon)
Cyber: Jamey Sample (Cal-ISO)
Physical: Bob Canada (Southern Co.)
Operations: Roger Lampila (NY-ISO)
Policy: Barry Lawson (NRECA)
Secretary: Lou Leffler (NERC)
● Executive Committee 2-year terms end December 2005
● Need to “refresh” commitments of all CIPC members - letter to NERC Regional Managers later this year
  - opportunity for greater Owner/Operator involvement

CIPC Nominating TF
Bob Canada, SERC
Larry Dolci, SPP
Tom Glock, WECC
Mike Hyland, APPA
Roger Lampila, NPCC

CIPC Executive Committee Activities
● NERC Board
  - Highlights - May 2 Stakeholder meeting and May 3 Board of Trustees meeting
● US/Canada Outage TF Recommendations
● Established the Electricity Sector Coordinating Council (ESCC) and the Government Coordinating Council (GCC)
  - ESCC = NERC President & CEO plus CIPC Executive Committee
  - GCC = DoE lead, plus DHS, FERC
● Public messaging

Critical Infrastructure Protection Committee Update Stakeholders Committee May 2, 2005

Key CIPC Initiatives
● Complete actions to address the US-Canada Outage TF Recommendations by end-2005
● Continue to support the development of the Permanent cyber security standard
  - Plan to support implementation
● New and revised Security Guidelines and White Papers
● Contribute to DHS’ National Infrastructure Protection Plan
● Reach out within our industry, and to other sectors

Key CIPC Initiatives (cont’d)
● DHS Plan for Sector Engagement
  - NERC is the Electricity Sector Coordinating Council
  - CIPC’s Executive Committee
  - President/CEO NERC
  - Government Energy Coordinating Council
  - DOE, DHS, FERC, possibly others
  - April 20, 2005 inaugural meeting
  - “One-stop shop” to address strategic issues

DHS Plan for Sector Engagement Electricity

Electricity and Telecommunications Interdependencies
● Engaged with Telecom and Electric Power Interdependency Task Force
  - Task force reports to the President’s National Security Telecom Advisory Committee
● Topics include
  - Situational awareness
  - Incident management
  - Restoration priorities - electricity and telecom
  - Well-established local relationships
  - Inter-sector exercises
● Paper by late Summer 2005

New Security Guidelines Critical Infrastructure Protection Committee Board of Trustees May 3, 2005

Control Systems Security
● New guidelines for BoT approval
  - Patch Management for Control Systems
  - Control Systems to Business Network Electronic Connectivity
● Why are they necessary?
  - US-Canada Outage TF Recommendations related to cyber security
  - White paper prepared by CIPC’s Control Systems Security Working Group - “Common Vulnerabilities of Control Systems”
  - Increased industry and government awareness of control systems security; DOE Lab demos
  - Support the Urgent Action and Permanent cyber security standards

Development Process
● Development began Q by CIPC’s Control Systems Security Working Group
● March 2005, agreed to fast-track
● During April
  - final draft to CIPC members
  - conducted Webex conference call to review
  - conducted vote

Patch Management for Control Systems
How to keep control systems software current and secure
● Complexities associated with maintaining high availability required of control systems
● Key steps
  - Maintain asset inventory
  - Notification of new vulnerabilities
  - Assess risks of new vulnerabilities
  - Test and implement

Control Systems to Business Network Electronic Connectivity
How to secure control systems from the vulnerabilities introduced when connected to business systems
Key steps
  - Identify inventory and information flows
  - User authentication
  - Defence in depth
  - Control and monitor access

Results of Vote
● Quorum established, both passed
  - Patch Management for Control Systems (85.1%)
  - Control Systems to Business Network Electronic Connectivity (74.0%)
● Reasons for “no” votes:
  - Generally, “more time to get it right”
  - Some concerns with “the speeded-up process”, rather than “content”
  - Language needs even further emphasis of non-mandatory nature
  - Definitions presume those in latest draft of Permanent Cyber Security Standard

US/Canada Outage TF Recommendations
● Final Task Force report expected June-05 (Canadian government assigned task of coordinating response to Security-related recommendations)
● Since Jan-05, several conference calls:
  - CIPC EC and government (DOE, DHS, NRCan, PSEPC)
  - CEA and Canadian government
● Mid-Jan-05, provided CIPC members with a table of security recommendations and actions
● Table has since been updated to reflect recent CIPC Work Plan accomplishments
● CIPC commitments complete, or on-target

ESCC and GCC

● “Inaugural” meeting April 20
  - ESCC: Gent, Brindley, Leffler, Canada, Lampila, Lawson (Johnson, Hyland, Brown invited as observers)
  - GCC: De Alvarez, Friedman, Kenchington, Caverley, Carrier plus ~10 others
Topics:
● Interim NIPP: Energy Sector-Specific plan provided to ESCC
  - Targeting to provide comments by Jul-05
  - Don’t forget value of response/recovery
● Protecting information (CEII, PCII)
● National Asset Database
  - ESCC position: Continue to question the need for government to have a list of infrastructure assets.

ESCC and GCC (cont’d)
● FACA requirements (Federal Advisory Committee Act)
  - Formal recognition that ESCC provides advice to government
  - But FACA requires open and public disclosure
  - Brindley, Laird participating in Sector Partnership Model Working Group, reporting to NIAC…lawyers deliberating…
● HSIN Status
  - Need to map information flows - who gets what
● Technology Roadmap

Public Messaging Our industry is doing a lot to manage threats to our critical infrastructure. Are we getting that message out to help manage public perceptions?

Key Messages - Readiness
● We take an all-hazards, all-threats approach to security and emergency preparedness
  - Natural threats
  - Man-made threats (cyber & physical attacks)
● Not just recovery, but mitigation and prevention
  - Tested through drills and exercises
● Keep government informed - recovery
● Key Messages - Experience
  - During the [Blackout]…draw on local experiences

Key Messages - US/Canada Blackout TF Recommendations
● Identify those systems critical to supporting the reliability of the grid
● Secure the perimeter to those systems
● Manage and monitor access to those systems
● Screen and train staff
● Conducting vulnerability assessments to ensure appropriate measures are in-place
● … and we were already meeting many of these
● … and we’re working to improve and exceed

Key Messages - Our Biggest Challenge?
● Maintaining and raising awareness
  - Address today’s threats
  - Keeping aware of emerging threats
  - Fill in the blanks:
    o What are your vulnerabilities?
    o What are you doing about them?

Key Messages - the Stump Question
The Question:
● “So what about all those people saying how vulnerable the grid is?”
The Answer:
● From my own experience…
  - We have taken action
  - The industry is taking action
● … but “never say never”

Public Messaging: Go-Forward
● Public statements need to be situation-dependent
● CIPC Exec Ctee and NERC staff as resources
  - Brindley/Laird/Bugh/Leffler
  - Ellen Vancko, NERC Director - Communications & Government Affairs