All Systems Critical
In 2005, Manitoba Hydro was named Canada’s largest net exporter of electricity to the United States. When a utility is that important to the U.S. power grid, the pressure to protect the energy flowing south looms large.
Following the blackout of August 14, 2003, which cut power to much of the eastern seaboard and left 50 million people in the dark, some of them for days, it was determined that mandatory and enforceable reliability standards were needed. The U.S.-Canadian task force that investigated the blackout concluded that the cascading utility failures could have been isolated had the operators’ data-monitoring and alarm computers been working.
The blackout also drove home the need to improve physical and cyber security for the North American bulk electrical systems.
Following that incident and others, the North American Electric
Reliability Council (NERC) began developing standards and in June 2006
finalized its recommendations. Manitoba Hydro and other hydro
utilities across the country now find themselves immersed in a massive
three-year project to bring their organizations up to the cyber security
standards set by NERC. With so many aspects of an electrical utility
controlled by computer systems, protection for the critical infrastructure
stations that serve the power grid must extend not only to the physical
plant assets as we see them, but also to the computer systems that run
“It’s the biggest thing on my plate right now. If you look at all the
standards and the impact of each one of them, it’s huge,” says Chris
McColm, who has been the manager of corporate security at Manitoba
Hydro for the last three years. “We supply a lot of power down to
Minnesota and they want to be sure we are following the standard.”
All Canadian electrical utilities will be incorporating the NERC
cyber-security standards, and there is also a large physical
security component, making this a convergence project that draws in
business units from across an organization.
The NERC Cyber Security Project at Manitoba Hydro is developing and
implementing a cyber and physical security plan to ensure compliance,
which requires the identification and protection of critical cyber
assets used to support reliable operation of critical power system
equipment. The NERC cyber security standard (CIP-002 through CIP-009) covers eight separate areas:
• Critical cyber assets
• Security management controls
• Personnel and training
• Electronic security
• Physical security
• Systems security management
• Incident reporting and response planning
• Recovery plans
The project will be phased in over the next three years and the list of
areas to be covered is extensive. It will require the identification of
power system critical assets and associated critical cyber assets;
development of policies, governance and information protection for
critical cyber assets; personnel risk assessments and annual training
for employees and contractors; controls, monitoring and logging for
electronic access; controls, monitoring and logging for associated
physical access; secure remote access to critical cyber assets; change
control and configuration management; systems management processes for
power system associated cyber assets, and cyber security incident
reporting, response plans and recovery plans for critical cyber assets.
McColm is heading up the Physical Security Planning, Personnel and
Training, and Incident Response and Recovery groups. The personnel and
training work will include personnel risk assessments, security awareness
training, and training on cyber security and on incident response and
recovery from a cyber/physical incident.
The project is a corporate-wide initiative that will include
representation from line management, human resources, corporate
security, facilities, legal, audit, and executive sponsors.
“It’s going to be a big project and we’re looking forward to
implementing it. We have so many different departments that are going
to be helping us out,” says McColm.
According to NERC, critical assets are those facilities, systems and
equipment which, if destroyed or damaged, would have a significant
impact on the ability to serve large quantities of customers for an
extended period of time and would have a detrimental impact on the
reliability or operability of the electric grid, or would cause
significant risk to public health and safety.
One person who sat on the NERC board that wrote the standard was Greg
Fraser, who works out of Manitoba Hydro’s system control centre and is
the Cyber Security Project Manager for the project.
Fraser’s team has been formed along with working groups, to develop a
plan to implement the requirements of NERC. The full-time project
manager, along with part-time project support from other key
departments will push the project forward. The project planning and
implementation phases are expected to last at least two more years.
For years now, Manitoba Hydro, along with other utilities in Canada and
the U.S., has voluntarily planned and operated its power system in
accordance with NERC operating policies and planning standards.
But with new provincial legislative changes, Manitoba Hydro is now
legally obliged to comply with the now mandatory NERC standards.
As with many regulation-driven initiatives these days, the U.S.-based
standard is jump-starting investment in Manitoba Hydro’s security
systems. Over the next five years, the utility will invest $11 million
to upgrade its security systems across the board, in part to address
the NERC standard.
“Some of it has to do with NERC, but the majority has to do with
upgrading security to a reasonable level. We have to come up with a
security plan and document it. Then we have to do what we say we’re
going to do because they will come in and do a compliance audit. And if
we’re not doing what we say we’re doing, we’re not going to pass.”
McColm says the goal is to standardize security equipment so it will
work in a centralized system that can be monitored from his office in
“We control our facilities from Winnipeg, such as the opening and
closing of our spillway and water flow and so forth,” explains McColm.
The NERC project has made it an opportune time to evaluate and consider
upgrades for all manner of physical security at Manitoba Hydro, making
it a more complex task, but one that will ensure that facilities will
be state-of-the-art once all system evaluations are complete.
“If there are no cameras in a location, or the cameras are 10
years-old, we will replace it all. We have to get rid of the VCRs
because it has to go digital. In the majority of places, we’re still
using analogue, but we’re slowly moving to an IP network system so
we’ll have our own server and I’ll be able to check the security of
that facility from my desk,” he says. “Already we have four or five
critical sites on line that were recently upgraded.”
The NERC cyber security standards only apply to critical
infrastructure, so the focus is tightly honed on locations that would
impact the flow of electricity to users. Of the 570 facilities Manitoba
Hydro has located throughout the province, about 40 are deemed
critical, most in the northern part of the province.
The first thing that had to be done was to develop criteria for conducting a threat and risk assessment.
“It’s about being reliable and protecting facilities from any act of
violence — and it’s not just about terrorism,” says McColm, noting
domestic issues such as unresolved land claim issues could become
As part of the upgrade process, Manitoba Hydro will be rolling out
e-reporting incident management software called Perspective from
Edmonton, Alta.-based PPM 2000. Currently, the utility is using an old
system developed in-house.
“E-reporting is great for us because we have 570 different facilities
throughout the province. Instead of faxing in documentation, employees
can go into the corporate security website and hit “e-report/security”
and it gets thrown into case management and then we can investigate it.
We can keep statistics with respect to dollar value cost and type of
incident, location and we can analyze that information and use it for
our threat risk assessment.”
Interestingly, even though each province is passing legislation to make
the NERC requirements mandatory, the utilities are operating at
arms-length from the federal government on the initiative.
McColm also belongs to a critical infrastructure protection working
group of the Canadian Electricity Association. They meet every three
months to discuss the NERC cyber security projects they are working on.
“The government is very peripheral on this,” says McColm. “If you look
at the national security plan, for example, they did the town hall
meetings across Canada a couple of summers ago and you’d think they’d
put out a report to everybody outlining what everyone else is doing.
It’s very secretive from their standpoint and they’re not sharing any
information. We look at the industry and say, if they’re not sharing
why are we sharing?”