CIPC Executive Committee Update Public Release CIPC Executive Committee Update CIPC Meeting Denver CO September 29, 2005 Stuart Brindley CIPC Chair

CIPC Executive Committee Chair Stuart Brindley (IESO, CEA) Vice-Chair Larry Bugh (ECAR) Vice-Chair Pat Laird (Exelon) Cyber Jamey Sample (Cal-ISO) Physical Bob Canada (Southern Co.) Operations Roger Lampila (NY-ISO) Policy Barry Lawson (NRECA) Secretary Lou Leffler (NERC) Executive Committee 2-year terms end December 2005 Need to “refresh” commitments of all CIPC members - letter to NERC Regional Managers later this year opportunity for greater Owner/Operator involvement

CIPC Executive Committee Activities NERC Board Highlights – Aug 1 Stakeholder meeting and Aug 2 Board of Trustees meeting Electricity Sector Coordinating Council (ESCC) and the Government Coordinating Council (GCC) Sector-Specific NIPP, Electricity Sector goals Legal framework for providing advice to government CIPC membership review by Regional Managers and Associations

Board of Trustees August 2, 2005 NERC Board Highlights Board of Trustees August 2, 2005

NERC Board Highlights CIPC items: No formal CIPC items for approval CIPC Update: Significance of having established the Electricity Sector Coordinating Council with DOE and DHS Key issues: sharing lists of critical assets and vulnerabilities with government Also providing input to Canadian government regarding CIP strategy under development

Other NERC Business Energy Bill and establishing the ERO 2006 Business Plan approved (increase in CIP budget) Status – Aug-03 Blackout recommendations Extension of UA Standard approved Reliability compliance continues to be prominent

ESCC and GCC

DHS Plan for Sector Engagement Electricity

ESCC and GCC Met April 20, June 8, September 7 Topics: ESCC: CIPC Executive Committee GCC: De Alvarez, Friedman, Kenchington, Caverly, Carrier plus ~10 others (DOE is lead) Topics: Provided comments on the National Infrastructure Protection Plan - Energy Sector-Specific plan Developing Goals for the Electricity Sector Developing the legal framework for providing private sector advice to government (recognize Federal Advisory Committee Act) Suggestions to improve cleared briefings

ESCC Comments on the Sector-Specific NIPP July 22/05 letter from Mike Gent to Kevin Kolevar, DOE (ref. CIPC private files on web) Too detailed – needs to be strategic Too much focus on “protect/prevent”, not enough on “mitigate/respond/recover” Clarify government and private sector accountabilities Significant concern with providing lists of critical assets Need to understand government needs for info, how it will be used, shared, protected Concerns with usefulness of lists, adequacy of PCII VA assessments Do not support government performing VAs on private sector or specifying which methodology is best suited

ESCC Goals DHS sponsoring development of Goals, as part of Sector-Specific NIPP (useful for CIPC Business Plan). Some initial ideas: Partnership: Develop clear roles for government and industry Prevention: Secure physical and cyber assets in practical ways recognizing justifiable business case Awareness: Improve industry’s understanding of threats facing the industry Protection: Understand interdependencies with other sectors Response: Provide robust & coordinated response (eg. ESISA) Recovery: Develop restoration strategies under extreme scenarios

Sector Partnership Model WG Working Group under the National Infrastructure Advisory Council Task: Recommend formal, legal framework for how sector coordinating councils provide advice to government. Electricity reps: Stuart Brindley, Pat Laird, Bill Muston (NIAC), Lyman Shaffer (Dams) Should we be subject to Federal Advisory Committee Act? If so, should we seek a FACA exemption from DHS Secretary? Consensus amongst all sectors: “Yes” and “Yes” FOIA still a challenge; need to enhance PCII

Suggestions to Improve Cleared Briefings CIPC Exec Ctee provided input to DHS following June briefing: General threat assessment – physical and cyber Focus on energy and chemical sectors, but include lessons-learned from other sectors if applicable. Minimize information that is otherwise available from open source Greater focus on case studies Nature of incident (without compromising information sources or evidence) Describe actual impact, assessment or potential impact Assess impact on other sectors Describe communications flow - reporting by asset-owner to law enforcement, other government entities, ESISAC, etc Incident timeline Status of investigation Lessons-learned from the incident