Michael Espinoza
22 Years SDG&E: Sr EMS Hardware Analyst, EMS Hardware Supervisor, Infra Project Technical Lead
BS Information Systems – University of Redlands; AS Electronic Technology; Project Management Certification Program – UCSD
Agenda
- Purpose
- NERC CIP Standards
- Standards
- Goals/Challenges
- Establishing Project Direction
- Project Roadmap
- Communication is Essential
- Feedback
Disclaimer – This presentation represents my own personal interpretation.
Purpose of CIP Cyber Security Standards
Ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.
North American Electric Systems Overview
NERC is made up of eight regions that oversee the reliability and operation of the Bulk Electric System.
- All Electric Generation and Transmission agencies report to one of these regions. SDG&E reports to the WECC, the Western Area reporting agency.
- All regions must comply with NERC CIP Standards.
NERC CIP – NERC Cyber Security: 8 Standards, 41 Requirements
- CIP-002 Critical Cyber Asset Identification
- CIP-003 Security Management Controls
- CIP-004 Personnel & Training
- CIP-005 Electronic Security Perimeters
- CIP-006 Physical Security of Critical Cyber Assets
- CIP-007 Systems Security Management
- CIP-008 Incident Reporting and Response Planning
- CIP-009 Recovery Plans for Critical Cyber Assets
Audit Preparation – Compliance Levels (2009 / 2010)
- Compliant (C) – means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records”
- Auditably Compliant (AC) – means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12 calendar months of auditable “data,” “documents,” “documentation,” “logs,” and “records”
Penalty Matrix* (range limits per Violation Risk Factor row and Violation Severity Level column; each cell gives the Low and High limit)

Violation Risk Factor | Lower (Low / High) | Moderate (Low / High) | High (Low / High)   | Severe (Low / High)
Lower                 | $1,000 / $3,000    | $2,000 / $7,500       | $3,000 / $15,000    | $5,000 / $25,000
Medium                | $2,000 / $30,000   | $4,000 / $100,000     | $6,000 / $200,000   | $10,000 / $335,000
High                  | $4,000 / $125,000  | $8,000 / $300,000     | $12,000 / $625,000  | $20,000 / $1,000,000

FERC statutory limit: $1,000,000,000 per day, per violation. Other limits may apply in Canada.
*Matrix undergoing revision
GOAL
Comply with new NERC CIP Cyber Security Standards in advance of the required deadlines.
Obstacles notwithstanding:
- Significant effort is required
- Additional funding and/or personnel may be needed
CIP Standards Applicability to the following Functions
- Generation Owner
- Generator Operator
- Transmission Owner
- Transmission Operator
- Load Serving Entity
Standards mapped to responsible organizations
Standards: CIP-001, CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009
Organizations: Corporate Security, Information Technology, Grid Operations, Human Resources, Regulatory
“The Challenge”
Project Links: WECC, NERC & FERC
Organizational Links: Corp Security, IT, Regulatory, Electric Ops, HR, Facilities, Internal Auditing
*The key for success: ensure all organizations have the same goal.
Acquire Project Teams (PMBOK Guide)
Inputs:
1. Enterprise Environmental Factors
2. Organizational Process Assets
3. Roles and Responsibilities
4. Project Organization Charts
5. Staffing Management Plan
Tools & Techniques:
1. Pre-assignment
2. Negotiation
3. Acquisition
4. Virtual Teams
Outputs:
1. Project Staff Assignments
2. Resource Availability
3. Staffing Management Plan (updates)
NERC CIP Project Pyramid
1. Build Processes
2. Mgmt Approvals
3. Audit Sign Off
Concept Process Example
Populate the master CCA access list from existing worksheets (Grid Operations, Human Resources, Corporate Security, IT).
Establishing Project Direction
- Develop a master project plan
- Assign qualified members to each internal NERC team
- Use standardized templates for documentation
- Run an ongoing gap analysis to identify redundant and missed processes
Communications – Updates/Feedback
Executive Updates – Monthly
- CEO/VP
- Directors
- Managers
Team Feedback
- Monitor teams for resource requirements
- Establish monthly goals for Levels of Compliance
- Review team suggestions
Utilize Tools/Resources
- Consultants, WICF (Western Interconnection Compliance Forum), common data site (SharePoint), ticklers
Review
- Purpose
- NERC CIP Standards
- Standards
- Goals/Challenges
- Establishing Project Direction
- Project Roadmap
- Communication is Essential
- Feedback
Feedback