The Publication for Professional
Security Management

All Systems Critical

Written by Jennifer Brown, May 14, 2007
In 2005, Manitoba Hydro was named Canada’s largest net exporter of electricity to the United States. When you’re that important to the U.S. power grid, the pressure to protect that source of energy flowing south looms large.

Following the blackout of August 14, 2003, which took out power to most of the eastern seaboard and left 50 million in the dark for days, it was determined that there was a need to establish mandatory and enforceable reliability standards. A U.S.-Canadian task force that investigated the blackout said steps could have been taken to isolate utility failures because data-monitoring and alarm computers weren’t working.
The blackout also drove home the need to improve physical and cyber security for the North American bulk electrical systems.

Following that incident and others, the North American Electrical Reliability Council began developing standards and in June 2006 finalized its recommendations. Manitoba Hydro and other hydro utilities across the country now find themselves immersed in a massive three-year project to get the organization up to the cyber security standards set by NERC. With so many aspects of an electrical utility controlled by computer systems, protection for critical infrastructure stations that serve the power grid must extend not only to physical plant assets as we see them, but also to the computer systems that run them.

“It’s the biggest thing on my plate right now. If you look at all the standards and the impact of each one of them, it’s huge,” says Chris McColm, who has been the manager of corporate security at Manitoba Hydro for the last three years. “We supply a lot of power down to Minnesota and they want to be sure we are following the standard.”

All electrical utilities in Canada will be incorporating the NERC cyber-security standards, and there is also a large physical security component, making this a convergence project that draws in business units from across an organization.

The NERC Cyber Security Project at Manitoba Hydro is developing and implementing a cyber and physical security plan to ensure compliance, which requires the identification and protection of critical cyber assets used to support reliable operation of critical power system equipment. The NERC cyber security standard covers eight separate areas.

• Critical cyber assets
• Security management controls
• Personnel and training
• Electronic security
• Physical security
• Systems security management
• Incident reporting and response planning
• Recovery plans

The project will be phased in over the next three years and the list of areas to be covered is extensive. It will require the identification of power system critical assets and associated critical cyber assets; development of policies, governance and information protection for critical cyber assets; personnel risk assessments and annual training for employees and contractors; controls, monitoring and logging for electronic access; controls, monitoring and logging for associated physical access; secure remote access to critical cyber assets; change control and configuration management; systems management processes for power system associated cyber assets, and cyber security incident reporting, response plans and recovery plans for critical cyber assets.

McColm is heading up the Physical Security Planning, Personnel and Training, and Incident Response and Recovery groups. The Personnel Training will include personnel risk assessments, security awareness training, and training on cyber security and on incident response and recovery from a cyber/physical incident.
The project is a corporate-wide initiative that will include representation from line management, human resources, corporate security, facilities, legal, audit, and executive sponsors.

“It’s going to be a big project and we’re looking forward to implementing it. We have so many different departments that are going to be helping us out,” says McColm.

According to NERC, critical assets are those facilities, systems and equipment which, if destroyed or damaged, would have a significant impact on the ability to serve large quantities of customers for an extended period of time and would have a detrimental impact on the reliability or operability of the electric grid, or would cause significant risk to public health and safety.

One person who sat on the NERC board to write the standard was Greg Fraser, who works out of Manitoba Hydro’s system control centre and is the Cyber Security Project Manager for the project.

Fraser’s team has been formed, along with working groups, to develop a plan to implement the requirements of NERC. The full-time project manager, along with part-time project support from other key departments, will push the project forward. The project planning and implementation phases are expected to last at least two more years.

For years now, Manitoba Hydro, along with other utilities in Canada and the U.S., has voluntarily planned and operated its power systems in accordance with NERC operating policies and planning standards.
But with new provincial legislative changes, Manitoba Hydro is now legally obliged to comply with the now mandatory NERC standards.

As with many regulation-driven initiatives these days, the U.S.-based standard is jump-starting investment in Manitoba Hydro’s security systems. Over the next five years, the utility will invest $11 million to upgrade its security systems across the board, in part to address the NERC standard.

“Some of it has to do with NERC, but the majority has to do with upgrading security to a reasonable level. We have to come up with a security plan and document it. Then we have to do what we say we’re going to do because they will come in and do a compliance audit. And if we’re not doing what we say we’re doing, we’re not going to pass.”

McColm says the goal is to standardize security equipment so it will work in a centralized system that can be monitored from his office in Winnipeg.

“We control our facilities from Winnipeg, such as the opening and closing of our spillway and water flow and so forth,” explains McColm.

The NERC project has made it an opportune time to evaluate and consider upgrades for all manner of physical security at Manitoba Hydro, making it a more complex task, but one that will ensure that facilities will be state-of-the-art once all system evaluations are complete.

“If there are no cameras in a location, or the cameras are 10 years old, we will replace it all. We have to get rid of the VCRs because it has to go digital. In the majority of places, we’re still using analogue, but we’re slowly moving to an IP network system so we’ll have our own server and I’ll be able to check the security of that facility from my desk,” he says. “Already we have four or five critical sites on line that were recently upgraded.”

The NERC cyber security standards only apply to critical infrastructure, so the focus is tightly honed on locations that would impact the flow of electricity to users. Of the 570 facilities Manitoba Hydro has located throughout the province, about 40 are deemed critical, most in the northern part of the province.

The first thing that had to be done was to develop criteria for how to conduct a threat and risk assessment.
“It’s about being reliable and protecting facilities from any act of violence — and it’s not just about terrorism,” says McColm, noting domestic issues such as unresolved land claim issues could become problematic.
As part of the upgrade process, Manitoba Hydro will be rolling out e-reporting incident management software called Perspective from Edmonton, Alta.-based PPM 2000. Currently, the utility is using an old system developed in-house.

“E-reporting is great for us because we have 570 different facilities throughout the province. Instead of faxing in documentation, employees can go into the corporate security website and hit ‘e-report/security’ and it gets thrown into case management and then we can investigate it. We can keep statistics with respect to dollar value cost and type of incident, location and we can analyze that information and use it for our threat risk assessment.”

Interestingly, even though each province is passing legislation to make the NERC requirements mandatory, the utilities are operating at arm’s length from the federal government on the initiative.

McColm also belongs to a critical infrastructure protection working group with the Canadian Electrical Association. They meet every three months to discuss NERC cyber security projects they’re working on.

“The government is very peripheral on this,” says McColm. “If you look at the national security plan, for example, they did the town hall meetings across Canada a couple of summers ago and you’d think they’d put out a report to everybody outlining what everyone else is doing. It’s very secretive from their standpoint and they’re not sharing any information. We look at the industry and say, if they’re not sharing why are we sharing?”
Last modified on May 14, 2007
