CIP Program Highlights Member Representatives Committee October 28, 2008 Michael Assante, CSO


1 CIP Program Highlights Member Representatives Committee October 28, 2008 Michael Assante, CSO michael.assante@nerc.net

2 Monitor reliability Monitor hazards Coordination with government Coordinate with other sectors (PCIS) Support their mission/role Identify, address and monitor security risk to the BPS Provide expertise Support efforts Focused on CIP events & enhancing preparedness Establish a core CIP program, Enhance SA & work across NERC’s programs Support the development of expertise Training Standards Focused on CIP risks Mutually Supporting Constructive Overlap (ES-ISAC) CIPC & EC ESCC engagement Standards Assessments Leadership Support Critical Infrastructure Protection CSO Situational Awareness Compliance Assessment Events Analysis Training Regions Industry NERC CEO Board of Trustees ESSG

3 NERC Core Programs - CIP
Ensure the Reliability of the Bulk Power System
- Trusted within the industry
- Recognized for effective leadership
Critical Infrastructure Protection
CIP Standards Development
- 9 CIP standards approved
- Enhance & update existing standards
- Propose new standards to address security concerns
CIP Standards Compliance
- Enforce compliance (along with regional reliability organizations)
- Audits, monitoring & investigations
Security Risk Assessment
- Assess threats to the Bulk Power System
- Identify concerns to be addressed
- Cyber risk & preparedness evaluation
ES-ISAC Security Leadership Situational Awareness Notifications & alerts Preparedness & response coordination Monitor events impacting the grid Facilitate coordination & reliability tools
Chief Security Officer (CSO) ESCC, ESSG, PCIS, NIAC, CSO Council
“Ensure threats to the reliability of the BPS, especially cyber, are clearly understood and are sufficiently mitigated”

4 NERC CIP Enhancement Plan
- Mobilize executive participation & guidance (e.g. ESSG)
- Establish NERC CIP Program (Hire CSO, Strategy, Resources)
- Formalize NERC led assessment & initial CRP evaluation
- Enhance the ES-ISAC (improve alert reporting, process maturity, lists)
Milestones: 2HCY08, 1HCY09, 2HCY09
Executive Engagement
- ESSG
NERC CIP Program
- Portfolio
- Resourcing
Assessments
- Risk Assessment
- CRP Evaluation
Enhance ES-ISAC Improve. Prjcts Resourcing
Order 706 ESSG CEO Briefing Cyber Summit CSO CIP Portfolio Phase I

5 Cyber Risk Preparedness Evaluation
- Identify existing capabilities to prevent, detect, respond and limit the potential damage of existing/emerging attack techniques
- Objective: Understanding how prepared both individual entities (by type) and existing processes/mechanisms are to ensure reliability of the BPS while under a successful cyber attack
- Approach: Devise several realistic but challenging cyber scenarios and conduct a series of table top exercises with volunteer entities
  CRP team will use a process to evaluate key criteria for determining preparedness
- Areas to Evaluate: (The scenarios will be consistently evaluated for all entities for the following capabilities)
  A. Prevent cyber attacks
  B. Detect cyber attacks
  C. Technically respond to cyber attacks
  D. Manage their systems and electricity assets to minimize potential damage
  E. Communicate and coordinate effectively with interconnected neighbors and area coordinators to contain effects on the bulk power system

6 ES-ISAC Enhancement

7 ES-ISAC Mission
- The ES-ISAC serves the Electricity Sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures.
  Preparedness & response calls (e.g. Hurricane Gustav)
- It is the job of the ES-ISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants to take protective actions.
  As the ES-ISAC, NERC gathers, disseminates and interprets security-related information.
  FERC has oversight of NERC’s alerting process for U.S. entities
  Canadian authorities provide guidance for alerting to Canadian entities

8 ERO & ES-ISAC (similar but distinct)
Formal effort to involve industry SMEs in the generation of Alerts

9 CIP: ES-ISAC/NERC Alerts
- Advisories, Recommendations, and requests for Essential Actions (ERO & ES-ISAC missions)
- Issued to relevant industry sectors when a security risk (threat or vulnerability) arises
  Advises the industry to evaluate the risk and take action to correct issues affecting reliability/CIP
- Cyber
- Physical
- Logical
- All Hazards

10 Reporting Concerns & Objectives
- Don’t want to numb the sector with too much reporting
- Do want to appropriately choose alerting vehicles based on the seriousness of the risk
  Advisory – Notify the sector of a vulnerability that could be applied in a way that would directly or indirectly impact the BPS
  Recommendation – Notify the sector and receive replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability and potential to cause serious consequence in the BPS
  Essential Action – Notify the sector so they may take immediate actions and require replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability, potential consequences, and indications or the potential that an attacker will exploit the vulnerability
- In a perfect world we would like to see the reporting fall into the following buckets over a year (we will not shape reporting to arbitrarily fit these levels):
  Advisories: 80%
  Recommendations: <20%
  Essential Actions: <1% (only used for critical & time sensitive risks)

11 Technology Application of Concern (TAC)
Technology Area | Vulnerability Alerting
SCADA EMS | Yes
Field Control & Protection | Yes
Plant Control Systems | Yes
Market Systems | Consider
Networking & Telecommunications | Consider
Business Systems | No
Mobile Technology | No

12 SCADA Vulnerability & Exploit Disclosures
- Tracking from 2005 to Present (4QTR08)
* This captures only publicly released vulnerability discoveries and exploit tools/code

13 ES-ISAC “Operational Excellence”
- Streamline & exercise NERC notification lists
  Project underway to address existing problems and establish a sustainable approach to manage the lists
  Will exercise the notification lists (improve, educate and verify)
- Administrative exercise (November)
  - Addition of an FAQ
  - Instructions to recipients
- Operational exercise (2 tests per year)
  - Recommendation-level or higher Alert
  - Instructions & Exercise Replies required
- Longer-term: Develop a secure mechanism to receive alert feedback and facilitate effective two-way communication
  Identify an appropriate mechanism for authenticated (record responses for recipients by entity) and secure feedback & alert responses

14 Communication Coverage Chart
Columns: 2-way Secure Electronic Communications; 2-way Secure Paper; Private Push (direct e-mail); Public Pull (ES-ISAC web post)
BPS Entities: NO YES
Non-BPS Entities: NO YES
Hawaii, Alaska, & U.S. Possessions: NO YES

