Physical Security Reliability Standard Implementation

Academic year: 2021

Share "Physical Security Reliability Standard Implementation"

Copied!
27
0
0

Loading.... (view fulltext now)

Full text

(1)

Physical Security Reliability Standard Implementation

Tobias Whitney, Manager of CIP Compliance (NERC)
Carl Herron, Physical Security Leader (NERC)

NERC Sub-Committee Meeting, New Orleans, Louisiana

(2)

CIP-014 Implementation Program

• Implementation Readiness
• Clarify Compliance Expectations
• Understanding scoping and 3rd party reliance
• Consistent Enforcement
• Increased Industry Awareness

(3)

Key Dates

CIP-014-2 Implementation Timeline

Activity                               Implementation   Not Later Than   Days after 10/1/15
R1 Assessment                          Effective Date   10/1/2015        0 days
R2 Verification                        Effective + 90   12/30/2015       90 days
R2.3 Address Discrepancies             R2.2 + 60        2/28/2016        150 days
R3 Notify Control Center               R2 + 7           1/6/2016         97 days
R4 Threat & Vulnerability Evaluation   R2 + 120         6/27/2016        270 days

(4)

Industry must assess the loss of certain substations (R1)

• To start, entities must identify in-scope substations. Assess:
  o Transmission Facilities at 500 kV or higher
  o Substations exceeding the "aggregate weighted value" of 3000
  o Substations identified by RCs, PCs or TPs as critical to IROL derivations
  o Substations essential to meeting Nuclear Plant Interface Requirements
• From there, various processes can be used to determine the list:
  o Entities may reference the NATF R1 approach
  o Entities may reference the method in the Guidelines and Technical Basis
  o Entities may use the process described in TPL-001-4 R4 and R6

To be compliant, the industry must demonstrate:
• A transparent process that can be validated by their CEA

(5)

The February guidance memo references the North American Transmission Forum Guidance as a means to perform R1:

1. Identify stations to be analyzed based on 4.1.1
2. TO identifies cases/system conditions to be analyzed
   o summer peak vs. winter peak load levels
   o shoulder peak load levels with system transfers
   o alternative generation dispatch assumptions
   o alternative load models (i.e., different penetration of inductive load)
3. Define the nature of the initiating event and how it will be modeled in the assessment.
   o Event over several minutes
   o Instantaneous event (such as an explosion)

(6)

Requirement R2 mandates that an unaffiliated third party verify the result of the risk assessment performed under Requirement R1. The third party for Requirement R2 must be either:

• A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or
• An entity that has transmission planning or analysis experience.

Pages 26-28 of the Guidelines and Technical Basis section (Section 4) of the standard provide additional guidance on selecting a third-party verifier, stating that entities should consider the following characteristics:

(7)

• Registered entity with applicable planning and reliability functions.
• Experience in power system studies and planning.
• The third party's understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies.
• The third party's familiarity with the Interconnection within which the Transmission Owner is located.

(8)

TOs must demonstrate the appropriate rigor and analysis when performing R1 and R2. Consider how the following questions can be answered:

• Why certain stations or substations are identified as meeting the criteria in Requirement R1
• Similarly, why certain stations or substations were not identified under Requirement R1
• What are the defining characteristics of stations and substations identified under Requirement R1
• How the third party verifying the risk assessment meets the qualifications in Requirement R2, and the means the third party used to ensure effective verification

(9)

R4 Threat and Vulnerabilities Assessment

Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3:

• Shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in R1 and verified according to R2, considering:
  o Unique characteristics
  o History of security events
  o Intelligence or Threat Warnings

(10)

R4 – practices containing an approach, common practices and understanding for evaluations of the potential vulnerabilities and threats of a physical attack on facilities.

Site-specific vulnerability considerations:

• No protection of facility (fencing, locks, or monitoring)
• Gaps in or lack of security mitigation (physical and human)
• Gaps in or lack of physical security policies and procedures; failure to enforce controls for vehicle and security equipment testing.
• Access control – how is it granted, what is the process.

(11)

Physical Security evaluation checklist. (The physical security evaluation checklist is a format that can be used to provide a self-assessment of the security program.)

• Facility Information: address, contact numbers for Executive Management, Security Management, Maintenance and First Responders
• Perimeter: Fence (type, height, anchoring and enhancements), crash gate, lighting, surrounding area and landscape
• Security Systems (CCTV, intrusion detection, fire alarms, and locks & doors), Information Technology Systems and Sensitive Information storage
• Security and Response Plans

(12)

CIP-014 Questionnaire – Threat Assessment

• List all of the facility's history of sabotage, vandalism, physical attack and Law Enforcement response
• List all historical criminal incidents at similar sites within the U.S.
• Threat Assessments, Intelligence Bulletins or Threat Warnings prepared by State Fusion Centers, Local Law Enforcement, DHS or FBI

(13)

Resiliency Measures – measures already existing to prevent a physical attack

• Existing physical security measures to deter, such as: perimeter signage, fencing, gates, lighting, locks and security officers/roving patrols
• Existing physical security measures to detect, such as: CCTV, intrusion detection and alarms
• Existing physical security measures to delay, such as: vehicle barriers, crash gates, fencing and security officers
• Existing physical security measures to assess, such as: video surveillance, video analytics and security command centers

(14)

Resiliency Measures – continued

• Existing physical security measures to communicate, such as: Security Operations Center (SOC) initiates response, protection of communication transmission to the SOC, alarm systems and intercom system.
• Existing physical security measures to respond, such as: documented procedures, responses to alarms, State or local Law Enforcement and armed security officer deployment.

(15)

Each TO that identified a Transmission station(s), Transmission substation(s), or a primary control center(s) in R1 and verified according to R2, and each Transmission Operator notified by a TO according to R3:

• Shall develop and implement a documented physical security plan(s) that covers their Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of R2 and executed according to the timeline specified in the physical security plans.
• The security plan should address the mitigation of and response to the threats and vulnerabilities identified.
• A measurable timeline for executing the physical security enhancements

(16)

R5 – provides an approach for the development and implementation of Physical Security Plans. Areas for consideration:

• Deterrence Measures – Visible physical security measures installed to persuade individuals to seek other, less secure targets.
• Detection Measures – Physical security measures installed to detect unauthorized intrusion and provide local and/or remote intruder notification.
• Delay Measures – Physical security measures installed to delay an intruder's access to a physical asset and provide time for incident assessment and response.

(17)

• Assessment Measures – The process of evaluating the legitimacy of an alarm and determining the procedural steps required to respond.
• Communicate – Systems used to send and receive alarm/video signals, audio, and data.
• Respond – The immediate measures taken to assess, deploy and interrupt an incident.

Physical Security Plan Template.

(18)

R6 - Each Transmission Owner and Transmission Operator shall select an unaffiliated third party reviewer from the following:

• An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification.
• An entity or organization approved by the ERO.
• A government agency with physical security expertise.
• An entity or organization with demonstrated law enforcement, government, or military physical security expertise.

(19)

Critical Infrastructure Protection Committee (CIPC) R6

CIPC has developed guidance to support industry's implementation of Requirement R6.

• Provides examples of experience/documentation for a third party reviewer with electric industry experience:
  o Proof of past or current employment as an employee(s) or contractor(s) in the electric industry;
  o Proof of past or current employment as an employee(s) or contractor(s) as an ERO regional entity auditor; or
  o Documented experience in threat vulnerability assessments or development of security plans in the electric industry.

(20)

• Provides examples of government agencies that might be selected
• Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise.

(21)

Provides skill sets/activities for demonstrated law enforcement, government, or military physical security expertise:

• Conducting and/or evaluating threat and vulnerability analysis of physical attack
• Designing and/or evaluating physical security plans
• Third party review of threat and vulnerability analyses or physical security plans
• Designing, implementing, or evaluating asset protection plans, specifically those related to facilities, with special emphasis on industrial complexes

(22)

ERO approval process guidance (September 2015)

This process will be applied when a registered entity has a third party that does not meet one of the other three criteria.

Candidate 3rd parties shall work through their Registered Entity to obtain certification.

The ERO will review the qualifications against industry-vetted criteria, which are included in Appendix A.

Appendix A - the requested third party reviewer must have at least one criterion from the physical security experience list plus one from the electric sector experience list.

(23)

ERO approval process guidance (September 2015) Appendix A

Physical Security experience (at least one):

• Certified Critical Infrastructure Protection Specialist (CCIPS) and ten (10) years' experience.
• Certified Homeland Protection Professional (CHPP) and ten (10) years' experience.
• Professional in Critical Infrastructure Protection (PCIP) and ten (10) years' experience.
• Certified Security Consultant (CSC) and ten (10) years' experience as a physical security professional.
• Ten (10) years' employment in a physical security department with responsibilities in facility protection.
• Physical security subject matter expert.
• Ten (10) years of experience in physical security program development, risk assessments, and threat assessment.

(24)

ERO approval process guidance (September 2015) Appendix A

Electric Sector Experience (at least one):

• Ten (10) years' employment with an electric utility transmission organization.
• Three (3) years' employment as an ERO regional entity auditor.
• Ten (10) assignments as a physical security consultant for a North American electric utility transmission organization.
• Five (5) years' military service with training in critical infrastructure interdiction.

(25)

Number of assets critical under the standard
• Per Region
• Q4 2015 – Q1 2016

Defining characteristics of the assets identified as critical
• Per Region
• Q4 2015 – Q1 2016

Scope of security plans
• By Q4 2016
• Information obtained through Guided Self-Certs, Off-site Audits, Audits
• Consider compliance monitoring schedule

(26)

Timelines for implementing security and resiliency measures
• Regions: Periodic Guided Self-Certs, Off-site Audits, Audits to determine implementation schedule and progress
• NERC will aggregate results

Industry's progress in implementing the standard
• Beginning in Q4, Quarterly NERC Board Updates

The Reliability Standard Audit Worksheet for CIP-014-2 will be sent to the drafting team (September 2015).

(27)

References
