PSWG Meeting Minutes March 16-17, 2017
1. Welcome, Call to Order, Introductions
Rich Hyatt, Physical Security Workgroup (PSWG) Chair, called the meeting to order at 8:30 a.m. on March 16, 2017. A quorum was present for the conducting of business. A list of attendees is attached as Exhibit A. Attendees were asked to introduce themselves.
2. Antitrust Policy
Scott Erwin read aloud the WECC Antitrust Policy statement. A link to the posted Policy was provided in the meeting agenda.
3. Approve Agenda
Rich Hyatt introduced the proposed meeting agenda.
On a motion by Doug Williams, the PSWG approved the agenda without discussion.
4. Review July 30-31, 2016 Minutes
Rich Hyatt introduced the minutes from the July 30-31, 2016 meeting.
On a motion by Brady Phelps, the PSWG approved the July 30-31, 2016 minutes.
5. Review of Previous Action Items
Rich Hyatt reviewed action items carried over from the July 30-31, 2016 meeting of the PSWG. Action item that was not closed and will be carried forward:
- Closed door sessions, more to come by way of SASMS and WECC board approval
6. WECC Update—Scott Erwin and Tim Reynolds, WECC
Brief update on Closed door information and Freedom for Information Act. New OC committee structure, including PSWG reporting to SASMS.
7. Member Presentation #1 – Brady Phelps, Grant County PUD – Establishing a Physical Security Program
Mr. Phelps gave a presentation regarding his recent experience in establishing a Physical Security Program. Included lessons learned, useful software, tools, methods to encourage management/stakeholder buy-in, etc.
8. CIP-014 Audit Presentation – Gary King, WECC
Mr. King gave an idea of what utilities should expect and how to prepare for CIP-014 facility audits. He made himself available for questions specific to this subject matter.
Email CIP-014 Audit Presentation to PSWG group once Gary King makes it available. Make available to PSWG members information from NATF, E-ISAC, CIPC, regarding how best to meet CIP requirements.
9. Technology Presentation by Craig Park, TrakShield
TrakShield gave a presentation about their technology, which can defend critical infrastructure from drone surveillance, attacks, or other drone-related incidents, using legal means. This included a functional presentation in which drones were flown and their function was ceased. Additionally, Trak Assets, another portion of the company, was presented. These devices included GPS location devices, communication tools that use 2-way radio over satellite, emergency switches and more.
Email TrakShield presentation to PSWG group.
10. CIPC Update by Allan Wick
Mr. Wick gave an update to PSWG on the March CIPC meeting and upcoming training events. He mentioned DOE, DHS, E-ISAC, NATF, and NERC Standard updates. Information on upcoming events is on the NERC website. Next CIPC is in June. Mr. Wick’s notes are uploaded to the PSWG 3-2017 Meeting on the WECC Website.
11. Technology Presentation by Dale Fortin, Exitus Technologies
Exitus presented a product that can be used from a clickable device or phone application that will declare an emergency or transfer information rapidly for an individual or organization. Additionally, the app has functions that can send messages, images and other information to first responding individuals. This device will use the cell phone network, Wi-Fi or Bluetooth to dispatch emergency signals.
12. Round-Table Discussion
Mr. Hyatt discussed a couple of training events put on by third-party groups. These events are to evaluate a utility's assets.
A group discussion took place regarding Security Metrics and which specific metrics each utility is tracking. Physical Security metrics mentioned include the length of time a CIP element takes to be repaired, the number of individuals entering facilities, issued badges, access requests, alarms responded to, phone calls and more. Additionally, the specific type of threat is commonly tracked.
Mr. Parrish, APS, shared a breakdown of metrics they are tracking to indicate the health of the organization. APS uses three categories. Each category has many different measures which are weighted and calculated. The list is exhaustive and must be shared by many different parties. Each month the data is reported by responsible parties and year-over-year the expectation is a 3% improvement.
Active Shooter Training was given at Grant PUD to about 80% of the employees. The HR department and directors were given direct training to respond to the effect on an organization after an Active Shooter incident. Mr. Hyatt showed a policy that is in draft for his organization. IID shared that the active shooter exercises were tracked
Mr. Hyatt and Mr. Phelps shared PSWG Survey Results. The group indicated Access Control Platform and Video Management Platform is typically run on two separate platforms. There was discussion about some of the options Genetec provides, as well as some of the limiting elements when it comes to Access and Video. CIP-004 tracking methods were discussed, automated or manual. Workflow methods, rule based vs. entitlement based. The results of the survey will be shared with PSWG.
CIP-003 Low Impact facilities discussion included the minimum requirements for those facilities. The discussion centered around how each organization uses physical keys vs. digital access of some kind, with or without monitoring. Different key options were discussed, along with the methods by which those keys are updated, alarm coverage, whether card keys are used, and video cameras for monitoring. Re-keying requirements were discussed, e.g., the number of keys lost prior to re-keying, a length of time, or other measures. Tennessee Valley Authority uses smart key technology and can be contacted as a resource. Neil Arthurs of BPA shared a vendor, United Technologies, that has developed a cell phone and fob application that requires 2-factor authentication; this could be a possible solution to controlling access to all sites. Mr. Arthurs will share this with the PSWG.
A question about the phrase “Control Physical Access based on need, as determined by the entity” was raised. Specifically, how is access controlled if an employee is issued a hard key and that employee separates without returning their key? Are they still controlling access based on need (they no longer have a need)? “How many keys can you lose control of before it is unacceptable, requiring a re-key?” Mr. Parrish will pose this question to WECC Compliance Staff and give the results at the next PSWG meeting.
It was asked how background checks are run for each organization and if they are running an insider threat evaluation. Mr. Hyatt indicated there are some third-party vendors (CERT) that supply training on insider threat identification; this information will be shared with the group.
Mr. Hyatt will put out information regarding vulnerability assessment.
13. Curricula Demonstration – Nick Weber, Grant County PUD
Mr. Weber gave an overview of the Curricula program, which is a web-based training tool for CIP.
14. Presentation & Tour of APS Facilities – Bob Parrish, APS
Bob Parrish, Director of Enterprise Security Operations, and staff gave a tour of the APS Interoperable Operations Center for lessons learned and benchmarking.
15. Review of New Action Items
- Email CIP-014 Audit Presentation to PSWG group once Gary King makes it available.
- Assigned to: Richard Hyatt
- Completed: 3/27/2017
- Make available to PSWG members information from NATF, E-ISAC, CIPC, regarding how best to meet CIP requirements.
- Assigned to: Richard Hyatt
- Completed: 3/27/2017
- Email TrakShield presentation to PSWG
- Assigned to: Richard Hyatt
- Completed: 3/22/2017
- Email the Low Impact Survey Results to PSWG
- Assigned to: Brady Phelps
- Due Date: 4/14/2017
- Email United Technologies Access Control Information
- Assigned to: Neil Arthurs
- Completed: 3/22/2017
- Pose “Business Need and Least Privilege Access” CIP-003 Questions to NERC, take survey of PSWG regarding CIP-003 practices and share feedback
- Assigned to: Brady Phelps and Bob Parrish
- Due Date: 8/16/2017
- Email CERT Information
- Assigned to: Richard Hyatt
- Completed: 3/27/2017
16. Upcoming Meetings
September 13, 2017...... Salt Lake City, UT
March DD, 2018...... Location TBD
October DD, 2018...... Salt Lake City, UT
17. Adjourn
Rich Hyatt adjourned the meeting without objection.
Exhibit A: Attendance List
Name...... Affiliation
Members in Attendance
Steven Lemmer...... Arizona Public Service
John Desimone...... Arizona Public Service
Bob Parrish...... Arizona Public Service
Monte Scribner...... Avista
Neil Arthurs...... Bonneville Power Administration
Craig Rademacher...... Bonneville Power Administration
Matthew Turner...... California ISO
Richard Hyatt (Chair) ...... Chelan Public Utility District
Philip Holmes...... Colorado Springs Utilities
Nathaniel Wahto...... EWEB
Jason Jackson...... EWEB
Brady Phelps (Vice Chair)...... Grant County PUD
Nick Weber...... Grant County PUD
Aaron Vance...... Idaho Power
Seth Ahlstrom...... Idaho Power
Chris Davidson...... Idaho Power
Elizabeth Villa...... Imperial Irrigation District
Theresa Quinn...... Imperial Irrigation District
Justin Allar...... Platte River Authority
Kevin Wright...... Platte River Authority
Audie Whipple...... Salt River Project
Jay Spradling...... Salt River Project
Chris Francoeur...... Salt River Project
Brad McClennen...... Seattle City Light
Pat Canney...... Sempra Energy
Henry Nembach...... Sempra Energy
Douglas Williams...... Snohomish PUD
Eric Hopley...... Southern California Edison
Robert LeMay...... Southern California Edison
Tony Shapre...... Tacoma Power
Judd Johnson...... Tacoma Power
Kevin Smith...... Tri-State Generation & Transmission
Alan Wick...... Tri-State Generation & Transmission
David Bacon...... Tucson Electric Power
Tyler Hernandez...... Western Area Power Administration
Scott Erwin...... Western Electricity Coordinating Council
Tim Reynolds...... Western Electricity Coordinating Council
Others in Attendance
Dale Fortin...... Exitus
Anthony Levrets...... Exitus
Western Electricity Coordinating Council