For everyone from Texas please be patient while I take a few slides to describe CPS Energy. This is a brief Mr. Heintz uses at various forums.
Tag-line for our Customers!
The Forrester Information Security Maturity Model details 123 components that comprise a successful security organization, grouped in 25 functions, and 4 high level domains (sometimes referred to as categories): Oversight, People, Technology and Process, with subcategories under each.
The Forrester Information Security Maturity Model
We need to ensure our security system integration is where we want it to be, so that CPS Energy reduces its security risk.
Coordinated Functional Registration Agreement for the Transmission Operator Function - Electric Reliability Council of Texas, Inc. (ERCOT ISO), which is the independent system operator for the ERCOT Interconnection, and below-signed Local Control Center (LCC), which operates a control center for a discrete portion of the bulk-power system within the ERCOT Interconnection
Looking for cyber solutions to assist us with these compliance activities
Integration of Technology & Compliance Presented by John Heintz, CPS Energy
August 02, 2012
2012 Technologies for Security &
John Heintz, CISSP, CISM,
Enterprise IT Security
CPS Energy History (The early days)
• Oldest utility in Texas. Gas light system started in the 1860’s.
• In 1917, San Antonio Public Service Company (SAPs CO), under the ownership of American Light and Traction company, ran the city’s power plants, gas network and street car lines.
• In 1942, Anti-trust laws required American Light and Traction company to sell some of its assets.
• The city of San Antonio outbid other entities to purchase the SAPs Co for $34 million.
• The city sold off the street car business and retained the power generation, distribution and gas
• Changed the name to City Public Service and changed throughout the years to CPS
CPS Energy (Current)
• Based in San Antonio (7th largest city in the nation)
• Largest Municipally owned energy utility that provides both natural gas
and electric service
• Serve over 717,000 electric customers
• Over 325,000 gas customers
• 1,514 square mile service area.
• Over 3,600 employees
• $2 Billion in annual revenues
• $9.7 Billion in assets
• Provide roughly $250 - $280 million annual revenue to the City of San
• Generation Assets
Own and operate 4 major generation facilities in the San Antonio
area (Gas and Coal).
Generates approximately 7000 Megawatts of power
Own 40% of South Texas Project (STP) units 1 and 2.
Provides 1088 megawatts of power for CPS Energy customers
Has invested an additional 7.625% in additional units at STP.
Would generate an additional 200 megawatts of power for our customers.
• Fuel Mix
Coal - 32%
Nuclear - 16%
Natural gas and purchased power -
Renewable (Wind, solar and landfill
methane gas) - 13%
To increase to 20% by 2020.
Transmission & Distribution
• Transmission & Distribution Assets
Own and maintain 1400 Miles of transmission lines.
Own and maintain 7600 miles of overhead distribution lines.
Over 408,000 poles
Own and maintain additional 4300 miles of underground distribution lines.
Enterprise IT Security Organization
• Enterprise IT Security Organization (EITS)
Formed in May of 2007
John Heintz began with CPS Energy almost 2 years ago
• EITS moved to Legal Department under General Counsel in 2009
Provides true segregation of duties
Reports to Senior Counsel and Director of Compliance.
• Baseline the EITS security program utilizing the Forrester
Information Security Maturity Model.
Benchmarking tool to assess the information security program.
Provides framework that describes all of the required functions and
components of a comprehensive information security program.
Forrester model is objective, prescriptive, process oriented, modular and
Forrester Information Security Maturity Model
• Risk Management
• Audit and Assurance
• Security Services
• Security Organization
• Business Relationship
• Messaging and content
• Identity and Access
• Threat and vulnerability
• Investigations and
• Incident management
• Sourcing and vendor
• Information Asset
• Business Continuity and Disaster Recovery
Maturity Model Self Assessment
•Need is not
companies are at
Doing Well and What has already improved
• EITS - What are we doing well
– Endpoint Anti-Malware
– Network Intrusion Detection
– Policy Creation
– Security Event Management
• Other improvements already made
– Security Metrics
– Endpoint Protection
– Network Vulnerability
– Application Developer Security Awareness
– Vulnerability Management
– Security Testing
– Forensics and e-Discovery
– Threat Modeling
– Threat Research
– Client Encryption
– Project Integration
Key Security / Compliance Challenges
• Encryption is ad hoc
• Host based Firewalls and IPS
– Application Infrastructure
• XML gateway
• Application Firewall
– Messaging and Content
• Message Encryption
• Instant Message Filtering
• Digital Rights Management
– Identity and Access
• Web SSO
• Access Control
• Enterprise SSO
– Security Organization
Corporate Information Security Goal
•Need is not
Key Security issues
are addressed, could
Control Systems Cyber Security (or Compliance?)
• NERC Compliance Events
January 2009 – One year to be fully compliant
January 2010 - Fully compliant date
October 2010 – TOP CFR Certification
November 2011 – 1st Full TO/TOP/LSE CIP Audit
2012 – Documented lessons learned (LL) and begin to implement LL during
1. Manage and Communicate Compliance Activities
2. CIP-004 -3, R4 – Access Program
3. Management Dashboard
Manage and Communicate Compliance Activities
• Annual reviews (Policies, Programs, Procedures etc…)
• Create compliance periodic reports
• Where to file (sensitive) associated reports and evidence
• Complete Reliability Standards Audit Worksheets (RSAWs)
• Create workflows for accountability, accuracy, & oversight
• Risk management – Escalation of non-completed workflows,
• Manage Technical Feasibility Exceptions, Mitigation Plans etc.
• Decrease interruption to Subject Matter Expert daily work
Physical & Cyber Access Program
• Automate performance reviews and system generated reports
• Integrate systems to decrease risk & increase efficiency
• Physical Security Perimeter & Electronic Security Perimeter
• PSP Area Owners & Cyber System Owners
• Corporate Enterprise Resource Planning program for PRAs
• Corporate learning management system for NERC training records
• Weekly access report fed into management dashboard
• Automate position organizational changes, terminations and new
• CIP Version 5 – Role based access (and other changes)
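As an added example (not from this deck or CPS Energy's own tooling), a weekly access reconciliation in Python that joins cyber and physical access grants against a constructed ERP roster, PRA dates and training records and emits findings a management dashboard could consume. All records, the 7-year PRA window, the 1-year training window and the report date are assumptions.

```python
"""Added example: CIP-004 R4-style weekly access reconciliation.
All data below is constructed sample input; windows are assumed, not quoted from CIP."""
from datetime import date, timedelta

# Constructed access grants: PSP (physical) and cyber system access.
ACCESS = [
    {"user": "jdoe",   "asset": "EMS-SCADA",         "type": "cyber"},
    {"user": "asmith", "asset": "PSP-ControlCenter", "type": "physical"},
    {"user": "bwong",  "asset": "EMS-SCADA",         "type": "cyber"},
    {"user": "bwong",  "asset": "PSP-ControlCenter", "type": "physical"},
    {"user": "ctran",  "asset": "EMS-SCADA",         "type": "cyber"},
]
# Constructed ERP (HR) feed: employment status and termination date.
HR = {
    "jdoe":   {"status": "active",     "terminated": None},
    "asmith": {"status": "terminated", "terminated": date(2012, 7, 30)},
    "bwong":  {"status": "active",     "terminated": None},
    "ctran":  {"status": "active",     "terminated": None},
}
# Constructed PRA completion dates and LMS training completion dates.
PRA = {"jdoe": date(2006, 1, 15), "asmith": date(2011, 3, 1),
       "bwong": date(2004, 5, 20), "ctran": date(2010, 9, 9)}
TRAINING = {"jdoe": date(2011, 10, 1), "asmith": date(2012, 1, 5),
            "bwong": date(2012, 2, 14)}          # ctran has no record on file

PRA_MAX_AGE = timedelta(days=7 * 365)           # assumed PRA renewal window
TRAINING_MAX_AGE = timedelta(days=365)          # assumed annual training window
TODAY = date(2012, 8, 2)                        # constructed report date

def reconcile(access, hr, pra, training, today):
    """Return (user, asset, reason) findings for every grant that fails a check."""
    findings = []
    for grant in access:
        user, asset = grant["user"], grant["asset"]
        rec = hr.get(user)
        if rec is None or rec["status"] != "active":
            findings.append((user, asset, "revoke: not an active employee"))
            continue                            # no point checking PRA/training
        if user not in pra or today - pra[user] > PRA_MAX_AGE:
            findings.append((user, asset, "PRA missing or older than 7 years"))
        if user not in training or today - training[user] > TRAINING_MAX_AGE:
            findings.append((user, asset, "training missing or older than 1 year"))
    return findings

def weekly_report():
    """Run the reconciliation on the constructed data for this week's dashboard feed."""
    return reconcile(ACCESS, HR, PRA, TRAINING, TODAY)

def summarize(findings):
    """Roll findings up by reason so management sees counts before drilling down."""
    counts = {}
    for _, _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts
```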
Management Compliance Dashboard
• One of the top-ranked challenges is getting management support
NERC Committee (Steering Group)
Provide senior management with high level insight (drill down)
• Properly prioritize projects vs. compliance
• Properly prioritize funding
• Corporate level risk mitigation
The Future for Control Systems Environments
• Working together with other Utilities
CIP Working Group
• Continuous Process Improvement
Invest to automate processes
Integrate systems to decrease risk
• Stay informed and utilize resources
NERC and ICSJWG Workshops
Keep up with NERC & TxRE communications