NERC Cyber Security Standard - PowerPoint PPT Presentation

Provided by: noblemc

Transcript and Presenter's Notes

Title: NERC Cyber Security Standard


1
NERC Cyber Security Standard
  • Overview of Proposed Cyber Security Standard

2
AGENDA
  • Why A Cyber Security Standard Is Needed
  • Why Initiate An Urgent Action Standard
  • Scope Of The Proposed Cyber Security Standard
  • What Is Not In The Scope
  • Compliance
  • The Future For The Cyber Security Standard
  • Q&A

3
Why A Cyber Security Standard Is Needed
  • Due Diligence
  • Responsibility to Stakeholders
  • Responsibility to Interdependent Critical
    Infrastructures
  • Industry Defined Practices
  • If the Electricity Sector is not able to
    self-regulate, the federal government will
    regulate for us.

4
Why Initiate An Urgent Action Standard
  • There has been a rapid increase in the number of
    reported cyber security incidents
  • January 2003 SQL Slammer Worm
  • Impacted Electricity Sector organizations
  • March 2003 Federal Advisory regarding foreign
    attack scenarios
  • Weakest Link Principle - The bulk electric system
    is highly inter-connected; a vulnerability for
    one can be a vulnerability for all

5
Why Initiate An Urgent Action Standard
  • "A spectrum of malicious actors can and do
    conduct attacks against our critical information
    infrastructures. Of primary concern is the threat
    of organized cyber attacks capable of causing
    debilitating disruption to our Nation's critical
    infrastructures, economy, or national security."
  • The National Strategy to Secure Cyberspace, The
    President's Critical Infrastructure Protection
    Board, February 2003

6
Scope Of The Proposed Standard
  • Applies to Reliability Authority, Balancing
    Authority, Interchange Authority, Transmission
    Service Provider, Transmission Operator,
    Generator, or Load-Serving Entity functions that
    manage Critical Cyber Assets.
  • Critical Cyber Assets are those computers,
    including software and data, and communication
    networks that support, operate, or otherwise
    interact with the bulk electric system
    operations.

7
Scope Of The Proposed Standard
  • Requires
    • Establishing a Cyber Security Program
    • Policy and Procedures
    • Identify Accountable Management
    • Identifying/Documenting Critical Cyber Assets
    • Defining/Implementing Electronic
      • Security Perimeters
      • Access Controls
      • Monitoring Controls

8
Scope Of The Proposed Standard
  • Requires (Cont.)
    • Defining/Implementing Physical
      • Security Perimeters
      • Access Controls
      • Monitoring Controls
    • Defining/Implementing Personnel Authorization
      Controls
    • Security Awareness Training
    • Information Protection Controls

9
Scope Of The Proposed Standard
  • Requires (Cont.)
    • Cyber System Management Controls
    • Cyber System Test Procedures
    • Incident Response and Reporting for Cyber and
      Physical Security
    • Recovery Planning

10
What Is Not In The Scope
  • The definition of Critical Cyber Assets currently
    does not include process control systems,
    distributed control systems, or electronic relays
    installed in generating stations, switching
    stations and substations.
  • Does not include cyber assets that otherwise
    support, operate, or interact with market
    operations.

11
Compliance
  • Compliance is managed by the Regions
  • There will be a self-certification process
  • No financial penalties; letters only
  • Acknowledgement of partial compliance acceptable
    for January 2004
  • Full compliance by January 2005

12
The Future
  • Current review period ends May 11, 2359 EDT
  • Voting runs from May 12, 0001 EDT to May 21,
    2359 EDT
  • Requires 2/3 majority to pass
  • If passed, it will be submitted to Board of
    Trustees at their June 10 meeting
  • The Urgent Action standard expires after one year;
    a one-year extension is possible

13
The Future
  • Formal process to develop the permanent standard
    was initiated by CIPAG on May 2, 2003.
  • Development will take at least a year
  • The permanent standard will have two separate
    review and comment cycles
    • One to refine/finalize SAR requirements
    • One to refine/finalize drafted standard

14
Questions
  • Please submit questions via the conference line
  • Questions can also be submitted to timg_at_nerc.com
    after the webcast