The document discusses the implementation of CIP-014 from an auditor's perspective, including an overview of the requirements for conducting risk assessments of transmission stations and developing security plans, and tips for entities in complying with the standard within the required timeframe of less than one year. It also summarizes the FERC's proposed modifications to CIP-014 and requests for additional filings on physical security.

1. Darren T. Nielsen, M.Ad., CISA,
CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Salt Lake City, UT Office
CIP-014- Next Steps from an Auditors Perspective
August 21, 2014
Austin, Texas

2. 2
• Where are you heading?
• Is it the right direction?
• Do you have help in charting the course?
Set your Compass!

3. 3
• What it is:
o Physical security of Transmission stations and Transmission
substations, and their associated primary control centers, that if
rendered inoperable or damaged as a result of a physical attack
could result in “widespread” instability, uncontrolled separation, or
Cascading within an Interconnection.
*FERC directed “widepsread” to be removed on July 17, 2014.
• What it is not:
o An extension of, or related to CIP-006
o Critical Cyber Asset/Protected Cyber Asset based
o A limit to physical security measures
o A one-size-fits all approach to physical security
CIP-014-1 Introduction

4. 4
• It may be helpful to view and manage CIP-014-1 as two
major components.
CIP-014-1 Introduction
R1: Applicability and Risk
Assessment
R2: Unaffiliated Review
R3: Control Center Notification
R4: Threat and Vulnerability
Assessment
R5: Security Plan
R6: Unaffiliated Review

5. 5
• Must be completed by the effective date of CIP-014-1
• Subsequent applications must be completed:
o 30 months for entities who identified applicable
Stations/Substations on the previous assessment
o 60 months for entities who identified null lists on the previous
assessment
CIP-014-1 R1: Applicability and Risk
Assessment

6. 6
• Create a Candidate List
o Substations/Stations operating at or above 200kV
o Substations/Stations identified in an IROL
o Substations/Stations critical to operation of nuclear facilities
• Apply criteria listed in 4.1.1 of CIP-014-1
o Operating at or above 500kV
-or-
o Identified by its Reliability Coordinator, Planning Coordinator, or
Transmission Planner as critical to the derivation of Interconnection
Reliability Operating Limits (IROLs) and their associated contingencies.
-or-
o Essential to meeting Nuclear Plant Interface Requirements
-or-
CIP-014-1 R1: Applicability and Risk
Assessment

7. 7
• Apply criteria listed in 4.1.1 of CIP-014-1 (continued)
o Operating between 200 kV and 499 kV at a single station or
substation, where the station or substation is connected at 200 kV
or higher voltages to three or more other Transmission stations or
substations and has an "aggregate weighted value" exceeding
3000 according to the table below.
CIP-014-1 R1: Applicability and Risk
Assessment

8. 8
• Must be completed within 90 days of R1 Assessment and
may be conducted concurrently
• Unaffiliated third party must be:
o A registered Planning Coordinator, Transmission Planner, or
Reliability Coordinator
-or-
o An entity that has transmission planning or analysis experience
• The SDT interprets “unaffiliated” as external to the
corporate structure
• The credentials of the third party will be assessed and
may impact the audit risk and subsequent rigor for R1
CIP-014-1 R2: Unaffiliated Review of R1
Assessment

9. 9
• Unaffiliated reviewer recommendations must be
addressed within 60 days of review
o Modify its identification under Requirement R1 consistent with the
recommendation
-or-
o Document the technical basis for not modifying the identification in
accordance with the recommendation
 This language is NOT intended to trigger TFEs
• Implement procedures to protect sensitive information
throughout the review process
CIP-014-1 R2: Unaffiliated Review of R1
Assessment

10. 10
• The entity has 7 days to notify control center operators for
primary control centers associated with
Stations/Substations identified in R1 assessment
• The entity has 7 days to notify control center operators for
primary control centers associated with
Stations/Substations removed in subsequent in R1
assessments
• Compliance tips:
o Use email read receipts
o Implement three part communications
o Receive and document confirmation of notification from control
center operators
CIP-014-1 R3: Notify Control Center Owners

11. 11
• Conduct a threat and vulnerability assessment that
considers:
o Unique characteristics
o Attack history, attacks on similar facilities
 Frequency
 Geographic Proximity
 Severity
o Intelligence or threat warnings
CIP-014-1 R4: Threat and Vulnerability
Assessment

12. 12
• Unique Characteristics may include:
o Terrain
 Rural
 Urban
o Equipment/Facility Array
 Are critical vulnerable assets on the perimeter or are they shielded from view or
attack by less critical components of the facility?
o Existing Protections
o Facility size and shape
 A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple
corners, alcoves, and salient points.
o Crime statistics
o Weather
CIP-014-1 R4: Threat and Vulnerability
Assessment

13. 13
• Assessment Tips
o Identify what components of the facility are critical to the mission
o Evaluate your facility from an adversary’s perspective
o Extend the assessment beyond the fence line
o Understand the advantages and disadvantages afforded by surrounding terrain
o Understand your threat environment
 Evaluate attacks on similar facilities globally
 Evaluate attacks in your geographic area even if the target facility is unlike yours
• Some Existing Assessment Methodologies
o CARVER
o DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool
(ECIP/IST)
o Attack Tree Modeling
CIP-014-1 R4: Threat and Vulnerability
Assessment

14. 14
• Suggested threat vectors to consider
o Direct Fire
 Can an adversary fire a line-of-sight weapon and damage a critical component?
o Indirect Fire
 Can an adversary fire a weapon on an arc trajectory and damage a critical
component?
o Explosive
 Can an adversary place an explosive device such that it will damage a critical
component?
o Vehicular Attack
 Can an adversary drive a vehicle into my facility to damage a critical
component?
o Forced Entry
 Can an adversary force his way into my facility to damage a critical component?
o Surreptitious Entry
 Can an adversary sneak into the facility to damage a critical component?
o Arson
 Can an adversary damage critical components with fire?
CIP-014-1 R4: Threat and Vulnerability
Assessment

15. 15
• Resources
o Physical Security Personnel
o Local Law Enforcement
o Federal Agencies
o State Emergency Management
• Methodologies
o ECIP/SAV
o CARVER
Assessment Resources

16. 16
• Observation
• Avenues of Approach
• Key Terrain
• Obstacles
• Cover and Concealment
Terrain Analysis

17. 17
• Where can bad guys see me?
• What can I see?
• More importantly, what can’t I see?
Observation

18. 18
Observation
Hill
Hill

19. 19
• How can bad guys get to me?
o Vehicle
o Foot
Avenues of Approach

20. 20
Avenues of Approach
Hill
Hill

21. 21
• What do I really need to keep bad guys
away from?
• What areas can bad guys conduct
surveillance from?
• What areas can bad guys launch an attack
from?
Key Terrain

22. 22
Key Terrain
Hill
Hill

23. 23
• What do I have available to block bad guys from
getting to or seeing me?
o Natural
 Cliffs
 Ravines
 Trees
 BFRs
o Man-made
 Fences
 Gates
 Bollards
Obstacles

24. 24
Obstacles
Hill
Hill

25. 25
• What is keeping me from seeing bad guys
watching me or approaching me?
o Vegetation
o Structures
o Terrain
Cover and Concealment

26. 26
Cover and Concealment
Hill
Hill

27. 27
• What is vulnerable?
o Ballistics paths
o Susceptible to blast
o Susceptible to sabotage
• How could I be attacked?
o Beware a “failure of imagination”
o Do not think about the likelihood of an attack
vector at this point
Self Assessment

28. 28
• The following few slides are a very small
slice of a free three-day course that DHS
provides*
• If interested in the full course contact your
DHS Protective Security Advisor
Surveillance Detection
*The presenter is not responsible for curriculum
changes over the past four years or the effects of
time on memory.

29. 29
Attack Planning Cycle
When can the attacker best be
defeated?
Planning Cycle
Target
Identification
Surveillance
Target Selection
Pre-attack
surveillance and
planning
Rehearsal
Attack
Escape

30. 30
Types of Surveillance
• Fixed
• Mobile
• Technical
• Photographic
• Combination
Surveillance Detection

31. 31
Where can an adversary effectively conduct
surveillance on your facility?
Hostile Surveillance Points

32. 32
Hostile Surveillance Points
Hill
Hill

33. 33
Addressing Hostile Surveillance Points
Hill
Hill

34. 34
Q: We’ve mitigated all the hostile
surveillance points, whats next?
A: It depends
• Delay
• Detect
• Deter
• Defend
Now What?

35. 35
Q: Why didn’t your last picture have any deter or defend
mitigations?
A: There are a number of deterrents available at little or no
cost
• Random security measures
• Every visible security control*
• Police patrols
Now What?
*Double-edged sword, showing all controls makes
your controls easy to recon.

36. 36
Q: What do you mean by random security measures?
A: Random security measures allow you to implement
security controls that wouldn’t be fiscally possible if they
were implemented across your facilities 24/7. The key to
successful random security measures is to avoid any
discernible pattern and to ensure the measures are enough
of a departure from your standard security posture that they
throw off an adversary. Random security measures are the
bane of a recon scout’s existence!
Deterrents

37. 37
Q: What are some examples of random security
measures?
A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers
Deterrents

38. 38
Q: How do I get the police to patrol my remote sites?
A: Information sharing!
• Teach your first responders what’s critical
• Invite first responders out for tours/site familiarity
• Where possible offer some desk space and/or a pot of
coffee
Deterrents

39. 39
Q: How can I defend my site without hiring a small army?
A: Do you have armed drones available? If not, you’re likely limited to
your response plan.
Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
o Guard force
o LLE
o Operations personnel
• How long can you delay vs how long will your response take to get
on site?
o 15 minute delay + 30 minute response = problem
Delay

40. 40
• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic
CPTED Concepts

41. 41
• Put yourself in the attacker’s position, which
location would you prefer to attack?
Shape Your Environment

42. 42
• Put yourself in the attacker’s position, which
location would you prefer to attack?
Lighting

43. 43
• Remove areas of concealment and visual
barriers.
Observation

44. 44
• Security by obscurity
Average Current Substation Defense

45. 45
• Single high
speed avenue
of approach
Average Current Substation Defense

46. 46
• Chain link fence with barbed wire topper
Average Current Substation Defense

47. 47
• Cameras
• Intrusion Detection
• System redundancy
• Defense in depth for cyber assets
Average Current Substation Defense

48. 48
• Develop a security plan including
o Resilience or security measures
 Ensure the measures address vulnerabilities identified in R4
o Law enforcement contact and coordination may include:
 Simply a name and phone number
 Meetings to discuss security concerns, site-specific hazards, etc
 Site-specific training for law enforcement
 Hosting law enforcement exercises
o Timeline for implementing physical security projects
 No specific dates or time frames required in this timeline, but it must pass the
common sense test
o Provision to evaluate evolving threats
 Should include a process or mechanism to receive threat information
 Should include a process to evaluate threat information as it is received
CIP-014-1 R5: Security Plan

49. 49
• Security Plan Tips
o Conduct a second assessment including the new measures
 Provides valuable metrics to stakeholders and regulators
 If conducted in the planning phase, may prevent costly but minimally effective
security enhancements
o Ensure the plan makes sense
 A reasonably-informed person should be able to follow and implement the plan
without extensive knowledge of the site or entity
o Law enforcement is your friend
 Coordinate early and often to ensure all parties understand facility nuances and
specific hazards/concerns
 Law enforcement training on site = free security
 Ensure mutual understanding of law enforcement response procedures and
capabilities
o Consider developing a threat/risk assessment function
 May require additional human capital
 Can be achieved through vendor solutions
CIP-014-1 R5: Security Plan

50. 50
• R6: Unaffiliated Review of R4 Assessment and R5 Plan
o An organization with industry physical security experience AND a
Certified Protection Professional (CPP) or Physical Security
Professional (PSP) on staff.*
-or-
o An organization approved by the ERO.*
-or-
o A government agency with physical security expertise.
-or-
o An organization with demonstrated law enforcement or military
physical security expertise.*
*WECC staff meet these criteria
CIP-014-1 R6: Unaffiliated Review of
Assessment and Plan

51. 51
• R1 Risk Assessment must be completed on or before
the effective date
• R2
o 2.1, 2.2, and 2.4 must be completed within 90 calendar days of
R1 assessment
o 2.3 must be completed within 60 calendar days of 2.2
verification
• R3 must be completed within 7 calendar days of R2
completion
• R4 must be completed within 120 calendar days of R2
completion
CIP-014-1 Implementation

52. 52
• R5 must be completed within 120 days of R2
completion
• R6
o 6.1, 6.2, and 6.4 must be completed within 90 days of R5
completion
o 6.3 must be completed within 60 days of 6.2 review
CIP-014-1 Implementation

53. 53
CIP-014-1 Implementation
CIP-014-1 Implementation Timeline
R1 Assessment Effective Date 0 Days
R2 Verification Effective + 90 90 Days
R2.3 Address Discrepancies R2.2 + 60 150 Days
R3 Notify Control Center R2 + 7 157 Days
R4 Threat and Vulnerability Evaluation R2 + 120 270 Days
R5 Security Plan R2 + 120 270 Days
R6 Review R5 + 90 360 Days
R6.3 Address Discrepancies R6.2 + 60 420 Days
Less than nine months from effective date to Security Plan completion

54. 54
• R2 – R6 must be completed within 420 calendar days after
completing the risk assessment process in R1.
Maximum Timeline

55. 55
• Notice of Proposed Rulemaking (NOPR) issued by FERC
July 17, 2014.
o Proposes to approve CIP-014-1, implementation plan,
and VRF/VSL
o Proposes modifications
o Proposes informational filing
o Seeks comments
• Comments due 45 days after NOPR published in the
Federal Register. Reply comments due 60 days after
NOPR published in the Federal Register.
CIP-014 (Physical Security) NOPR

56. 56
• Proposed Modifications:
o Allow Governmental Authorities (i.e., FERC and
any other appropriate federal or provincial
authorities) to add or subtract facilities from an
applicable entity’s list of critical facilities under
Requirement R1.
o Remove the term “widespread” as it appears in
the proposed Reliability Standard in the phrase
“widespread instability.”
CIP-014 (Physical Security) NOPR

57. 57
• Proposed Informational Filings:
o Within six months of the effective date of a final rule
addressing the possibility that CIP-014-1 may not
provide physical security for all “High Impact” control
centers as defined in CIP-002-5.1.
o Within one year of the effective date of a final rule
addressing possible resiliency measures that can be
taken to maintain reliable operation of the Bulk Electric
System following the loss of critical facilities.
CIP-014 (Physical Security) NOPR

58. 58
• Comments desired on:
o Providing for applicable governmental authorities to add or
subtract facilities from an entity’s list of critical facilities
o The standard for identifying critical facilities
o Control centers
o Exclusion of generators from the applicability section of the
proposed Reliability Standard
o Third-party recommendations
o Resiliency
o Violation risk factors and violation severity levels
o Implementation plan and effective date
CIP-014 (Physical Security) NOPR

59. 59
• PSWG- Get plugged in!
• http://www.wecc.biz/committees/StandingCommittees/OC/
CIIMS/PSWG/default.aspx
• Phone call away
 We want to help.
• Always willing to provide our audit approach
At Your Service

60. Darren T. Nielsen, M.Ad, CISA,
CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 857-9134
dnielsen@wecc.biz
Questions?