Saturday, March 21, 2009

Assante Pressing NERC Cyber Security Program Forward
- Tim Roxey appointment and NERC Alerts changes

Updated 3/29/2009
Michael Assante continues making program progress at NERC since his appointment in August 2008 into a newly formed Chief Security Officer (CSO) position. His focus: establishing Critical Infrastructure Protection (CIP) as one of the mainstream functions at NERC alongside the continuing standards development, compliance and enforcement, and reliability assessment programs. Some notable developments:
  • The recent appointment of Tim Roxey at NERC as Manager of Critical Infrastructure Protection.
    - Mr. Roxey has extensive commercial nuclear power physical and cyber security program experience.
    - He instrumentally promoted and supported the commercial nuclear power industry initiative addressing cyber with NEI 04-04 Cyber Security Program for Power Reactors as an NRC-endorsed “acceptable method”, well ahead of the related regulatory framework development and guidance now firming up. I had an excellent learning opportunity working with Tim Roxey and team as an active Computer Security Standing Committee member back in 2006. The focus then was getting NEI 04-04 packaged up into templated rollout presentation form for the fall 2006 NITSL workshop.
    - He extensively helped assess and address Aurora vulnerability mitigations, working with NEI to help ensure commercial nuclear generation stepped up and robustly addressed the issue. Tim Roxey also effectively provided congressional testimony on actions taken and completion status, a stark contrast to FERC and NERC testimony.
    - Bottom Line: Tim Roxey's solid industry experience, connections, dedication and savvy add up to a very good move for NERC.

  • A new NERC CIP Alert Communication Process.
    - Communication will use specific email subject lines/levels:
    _ ADVISORY: (Title) - No Response Required.
    _ RECOMMENDATION: (Title) - Response Required.
    _ ESSENTIAL ACTION: (Title) - Response Required.
    - Entity acknowledgement is required within 24 hours if the issue is rated higher than Advisory. The grace period on this requirement extends to March 31, 2009, after which responses received after the 24-hour acknowledgement period will be noted as late or non-responsive. Additionally, more sensitive acknowledgement response information may need to be sent via paper until more secure electronic communication facilities are established.
    - New alert handling signifiers will further clarify distribution restrictions:
    _ PUBLIC (Green): No Restrictions. Will be posted to NERC’s website alert page.
    _ PRIVATE (Yellow): Restrict to Internal Use and Necessary Consultants / Third-Party Providers
    _ SENSITIVE (Red): Internal Use Only (Do Not Distribute Outside Your Company)
    _ CONFIDENTIAL (Black): Limited Internal Distribution Decided Upon by an Officer of the Company
    - An “alerts manual” instruction book will be developed and released by March 31, 2009 to help entities better understand, organize, and train staff to support the alerts process.
    - More background: Alerts Distribution, Reporting & FAQ - Michael Assante & Doug Newbauer Jan 22, 2009

    - Update 3/28: On March 24th, Doug Newbauer, Manager of NERC Alerts, indicated that the deadline for mandatory 24-hour response on alerts will be extended: "In response to feedback from registered entities and because NERC is replacing the current Alerts application, NERC is delaying the 24 hour response requirement scheduled to begin April 1, 2009, until the new application is on line and operational."
    The application is expected to be prepared and released in 3Q2009.
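As an added illustration (not NERC's tooling, nor from the post's author), here is how an entity's alert intake could parse the subject-line convention above and check its own acknowledgements against the 24-hour window; the enforcement start date is a parameter because the update says that date was pushed back, and the sample subject lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Subject-line level -> whether the entity must respond (levels as listed in the post).
ALERT_LEVELS = {"ADVISORY": False, "RECOMMENDATION": True, "ESSENTIAL ACTION": True}
ACK_WINDOW = timedelta(hours=24)  # acknowledgement period stated in the post

_SUBJECT_RE = re.compile(
    r"^\s*(ADVISORY|RECOMMENDATION|ESSENTIAL ACTION):\s*(.+?)\s*-\s*"
    r"(No Response Required|Response Required)\.?\s*$",
    re.IGNORECASE,
)


def parse_alert_subject(subject):
    """Return (level, title, response_required); raise ValueError if malformed."""
    m = _SUBJECT_RE.match(subject)
    if not m:
        raise ValueError("not a NERC alert subject line: %r" % subject)
    level = m.group(1).upper()
    required = ALERT_LEVELS[level]
    # The trailer must agree with the level; treat a contradiction as malformed
    # rather than silently trusting either half of the subject line.
    if (m.group(3).lower() == "response required") != required:
        raise ValueError("response trailer contradicts level in %r" % subject)
    return level, m.group(2), required


def ack_status(subject, received, acknowledged, enforcement_start):
    """Classify an entity's acknowledgement of one alert.

    received, acknowledged and enforcement_start are ISO-8601 strings
    (e.g. "2009-04-02T09:00"); acknowledged may be None if no reply was logged.
    enforcement_start is the date from which late replies are recorded as such
    (a parameter here because the post says that date was delayed).
    """
    _level, _title, required = parse_alert_subject(subject)
    if not required:
        return "no response required"
    if acknowledged is None:
        return "unacknowledged"
    received_at = datetime.fromisoformat(received)
    if datetime.fromisoformat(acknowledged) <= received_at + ACK_WINDOW:
        return "on time"
    if received_at < datetime.fromisoformat(enforcement_start):
        return "late (grace period)"
    return "late"
```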
