CIP vs Non-CIP - Entergy - SERC Home Page

SERC/Entergy
Gaps in Performance - CIP vs Non-CIP
Greg Pierce, Director Transmission Compliance
Chris Peters, VP Critical Infrastructure Protection
New Orleans, LA
April 13, 2011


Non-CIP [Transmission]


In the beginning . . . (prior to June, 2007)
• Transmission personnel had familiarity with the reliability standards at the time they became mandatory
  – Many had worked on standards development
  – Many had used earlier versions of the standards
  – Many had and continue to participate in SERC committees
  – There was a strong, knowledge-based culture surrounding core activities
  – Existing baseline of core operational practices and procedures
• Enhanced by importing nuclear compliance experience that was directly applicable


Evolving . . . (after June, 2007)
• Integrated CIP implementation with current resources & knowledge
  – Not all the knowledge-based activities supported the changing compliance focus
  – Previous experience that supported previous activities frequently resulted in challenges
  – Appointed a CIP Senior Manager within each Business Unit
• The level of complexity in cyber and information technology was (and is) a significant challenge
• The workforce and management team required adaptation to the specialized, changing cyber security environment


Continuous Improvement . . .
• Transitioned to a single Senior CIP Manager with strong management experience in cyber security
• Integrated enterprise-based program structure
• Established governance management manual with full authority
• Broad-based action plan and restructured CIP organization
• Results had to be forthcoming and timely


CIP Program Review


CIP Objective Rule #1: Take Action


CIP Objective Rule #2: Operate in the Fog (Regulatory Fog)


2011 NERC CIP Program Structure (organization chart)
Single View:
• Technology
• Finance
• Awareness
• Compliance
• Policies and Procedures
• Laws and Regulations
ROC/EROC
NERC CIP Senior Manager
BU Compliance:
• Energy Delivery
• SPO
• Fossil
• Nuclear
• EAM
Entergy CIO
Director, Corporate Security
Director, Corporate IT Security
Business Units: Energy Delivery, SPO, Fossil Generation, EAM, Nuclear
Reliability Oversight Committee (ROC); Electric Reliability Organization Committee (EROC)


Summary of Major Actions Taken
Action:
• Established a single NERC CIP Senior Manager Role
• Briefed EROC/ROC on NERC CIP Strategic Plan
• Implemented Enterprise NERC CIP Governance Structure
• Improved NERC CIP Implementation
• Strengthened the NERC CIP Workforce
• Implemented NERC CIP Program Controls (NIST)
• Implemented Continuous Monitoring
• Improved Cyber Infrastructure
• Improved CIP Culture


Governance
• Firmly established the NERC CIP Senior Manager Role
  – Operations Management Manual (OMM) PL-007 "Entergy NERC CIP Senior Manager and Program Governance"
• Exercised Corporate Governance Structures
  – Reliability Oversight Committee
  – Electric Reliability Oversight Committee
  – Information Technology Advisory Council
  – Entergy Cyber Peer Group
• Proactive Planning
  – NERC CIP v4 Fossil Generation and Energy Delivery
  – Annual Cyber Vulnerability Assessment
  – 3 Year Self-Assessment Plan


Governance
• Centralized Business Unit IT to improve CIP implementation across Entergy Business Units
  – Directed by the Entergy Chief Operating Officer
  – Led by the Entergy Chief Information Officer
  – Identified proven Entergy IT Leader for CIP Execution
  – Improve IT Management practices
  – Strategic Approach
  – Centralized Resource Management
  – Centralized IT Management Practices
• Enterprise Physical Security Planning being led by the Corporate Security Manager
  – Consistent application of physical security tools


Governance
• NERC CIP Centralization Initiatives
  – Technical Feasibility Exceptions
  – Single Entergy NERC CIP Cyber Security Policy
  – Awareness and Training
  – Control Effectiveness Testing
  – Annual Risk-Based Assessment and CCA Reviews
  – Compliance Reference Manual
  – NERC Alerts
  – Information Protection
  – Capital Planning Approval
  – NERC CIP Interpretation


Strengthen the Culture
• Culture of Compliance Improvements
  – VP, Energy Delivery Memo Reinforcing CIP Compliance
  – VP, CIP Memo on CIP Interpretations and PCRS
  – Cross-Business Unit Awareness Webinars
  – Fossil Generation Leadership CIP Awareness Briefings
  – Monthly 1:1 CIP Briefings with the Entergy Chief Operating Officer
  – Department of Homeland Security Public/Private Partnership
  – NERC CIP Cyber Task Force Participation
  – Individual Recognition for Outstanding Compliance Actions
  – Inside Entergy Articles
  – Compliance Stand Downs
  – Regional Outreach Program
  – NERC RBA Sufficiency Review and Cyber Review Participation


Strengthen the IT/CIP/Compliance Workforce
• New Personnel
  – Dedicated Corporate CIP Group positions
  – Corporate Business Unit CIO of Operations
  – Specialized Vendor Support personnel
• New Capabilities
  – Executive leadership and direction
  – Operational IT management
  – Internal / External IT Audit and Advisory experience
  – Broad-based industry experience
    • Utilities, Oil and Gas, Healthcare, Department of Defense, Fortune 500 Manufacturing, Banking, Telecommunications
  – Multiple Frameworks
    • COBIT, COSO, NIST, HIPAA, ITIL, ISO, GAAP


Improve IT Management Practices
• Improvements
  – Long-term Strategic Planning by Entergy CIO
  – Daily Operational Meetings
  – Resource Planning and IT Project Management
  – Electronic Security Perimeter (ESP) Cyber Asset Reduction
  – TOC/DOC Network Validation Team Project
  – Standardized Corporate Network Drawings
  – Automated Enterprise Solutions


Continuous Monitoring
• Methodology
  – Aligns with NIST Risk Management Framework and FERC Policy Statement on Compliance
  – Repeatable CIP-002 through CIP-009 Requirement testing methods
  – Biannual Assessment Cycle
  – Identifying and Mitigating Program Weaknesses
  – Assessment Results Communicated to Key Stakeholders
  – Plan of Actions and Milestones


Improving Situational Awareness
• Situational Awareness Improvement
  – Weekly Program Dashboard Reporting
  – Weekly Condition Reporting Analysis
  – Weekly CIP Program Meeting
  – Cyber Peer Group and Sub-Team Meetings/Reporting
  – Cross-Business Unit Information Sharing
  – Oversight Committee Visibility


Cause Analysis (I)
• Program
  – Time, resources, and complexities necessary to implement CIP across the Energy Delivery function in multiple geographically dispersed locations
  – Cyber Asset Inventory Challenges
  – Control Systems Cyber Security Expertise
  – Enterprise Security Program Management
  – Policy and Procedure Maturity
  – Change Management and Configuration Control
  – Over-reliance on Vendors
  – Lack of Situational Awareness
  – Misinterpretations


Root Cause Analysis
• Change Management
• Configuration Control
• Human Performance
  – Work practices
  – Attention to detail
  – Coordination/communication
  – Training - identifying the impact of new procedures
  – Specific cyber SME expertise
• Improving Procedure/Program Design
  – e.g. adding detail; verifying completeness
• Equipment Issues
• Misinterpretations


CIP Priorities
• Leverage Entergy CIP Governance Structure
• Continuous Monitoring
• Improving our Physical and Cyber Infrastructures
• Continue Technology and Automation Investments
• Proactive Planning
• Participate in Industry and Regional Entity Forums
• Continue CIP v4 Strategic Planning Efforts
• Continuous Improvement
• Participate in NERC Sufficiency and Cyber Reviews


Questions?