AREVA T&D Security Focus Group - 09/14/09. Security Focus Group: A Vendor & Customer Collaboration. EMS Users Conference, September 14, 2009. Rich White, AREVA.


1 AREVA T&D Security Focus Group - 09/14/09
Security Focus Group: A Vendor & Customer Collaboration
EMS Users Conference, September 14, 2009
Rich White, AREVA T&D

2 Presentation Overview
1. Background
  - Formation
  - Approach
  - Timeline
2. Role of the Security Focus Group
  - Help the participants to achieve NERC CIP compliance
  - Oversee specific security activities
  - Address security of products and services
  - A forum to address security issues as they arise
3. Results of the Security Focus Group
  - Deliverables and Recommendations
  - Collaborative management and solutions
  - Raising the quality and visibility bar on security
  - What’s next?

3 Background
- Formation of the Security Focus Group
  - Started after June 2007 AREVA T&D Users Group conference
  - Initial group of customer volunteers + open invitation process
  - Mandate to focus on NERC CIP readiness
- Approach
  - Meeting agenda and invitations distributed in advance
  - 1 hour conference call meetings every other week
  - Detailed meeting summaries published on the web
  - Use of on-line surveys to clarify interests, priorities of the group
    - “Top 10 Security Concerns”
    - NERC CIPs prioritization
    - Change Management “Significant Change” classification

4 Background (cont’d)
[Timeline figure, quarterly axis Q3 2007 to Q2 2009]
- Phase I Security Focus Group (25 participants from 13 different companies)
  - Commissioned at June 2007 AREVA T&D Users Group conference
  - Results presented at ’08 UG conference
  - Meetings from Oct. ’07 – Apr. ’08
- Phase II Security Focus Group (55 participants from 20 different companies)
  - Commissioned at June ’08 AREVA T&D Users Group conference
  - Results presented at ’09 UG conference
  - Meetings from Oct. ’08 – May ’09

5 Presentation Overview
1. Background
  - Formation
  - Approach
  - Timeline
2. Role of the Security Focus Group
  - Help the participants to achieve NERC CIP compliance
  - Oversee specific security activities
  - Address security of products and services
  - A forum to address security issues as they arise
3. Results of the Security Focus Group
  - Deliverables and Recommendations
  - Collaborative management and solutions
  - Raising the quality and visibility bar on security
  - What’s Next?

6 NERC CIP Compliance Discussions
[Table legend: Covered in SFG Phase I; Covered in SFG Phase II; C = Compliant; AC = Auditably Compliant by end of 2nd Qtr 2009]
- On-line survey of SFG participants to identify top security concerns, and to prioritize NERC CIPs discussion
- Agenda of successive SFG meetings following this priority order

7 Security Activities Oversight
- AREVA T&D Security Activities which the Security Focus Group has assumed oversight for include:
  - Security Patch Compatibility Testing Services
  - Independent Security Vulnerability Testing Services
  - Security Patch Communications and Release Processes
[Diagram labels: AREVA T&D Operating System Vendor Patch Compatibility Testing; AREVA T&D Third Party Vendor Patch Compatibility Testing; Independent Security Vulnerability Testing; Customer Operational system pre-deployment test; Business Security Policy / NERC CIP Requirements; Customer Patch Management and Significant Change Test]

8 Security of AREVA T&D Products and Services
- AREVA T&D Security Documents:
  - 3rd Party Software Documentation
  - Security Solutions document developed and published (mapping NERC CIPs to AREVA product features and configurations)
  - AREVA T&D System and Network Security Guides reviewed and updated
- Review of AREVA T&D Security policies and processes
  - Security training process
  - Background checking procedure
  - Secure management of remote system access

9 Addressing Security Issues as they Arise
- Security audits and assessment findings
  - Forum for open discussion and sharing of audit experiences
  - Insights from an auditor
  - Bandolier templates for AREVA T&D systems
- AREVA T&D Security Patch processes
  - Customer Security Bulletins
  - Security Patch Release process
  - Industry / regulatory coordination (US-CERT, NERC)
- Discussion of 3rd party security tools utilization
  - Tools for security event logging consolidation
  - Security assessment and scanning tools
  - Security audit and change management tools

10 Presentation Overview
1. Background
  - Formation
  - Approach
  - Timeline
2. Role of the Security Focus Group
  - Help the participants to achieve NERC CIP compliance
  - Oversee specific security activities
  - Address security of products and services
  - A forum to address security issues as they arise
3. Results of the Security Focus Group
  - Deliverables and Recommendations
  - Collaborative management and solutions
  - Raising the quality and visibility bar on security
  - What’s Next?

11 Deliverables and Recommendations
- Highlights of deliverables and recommendations include:
  - INL Phase III Independent Vulnerability Test Scope
  - SFG Significant Change List
  - CIP-007-1 R1 Significant Change Survey Results
  - Log Management White Paper
  - AREVA T&D Personnel Risk Assessment Verification
  - Third Party Software Document
  - Security Focus Group Meeting Summaries
  - Vulnerability assessment and testing methodologies, procedures, and tools document
  - AREVA Security Patch testing and Product Release testing scope expansion
  - AREVA project and support personnel change notification policy and procedures

12 Collaboration and Quality
- Management responsibilities representing the User Community
  - Independent Vulnerability Testing
  - Security Patch Compatibility Testing
- Raising the quality and visibility bar on security
  - Focus Group activities and recommendations are high priority to AREVA T&D
  - Meeting format makes it possible for both vendor and customers to bring their experts together to discuss specific security subjects
  - Broad and consistent user representation gives the Focus Group good credibility to the user community

13 Benefits of the Participants
- Helping the user community define a common interpretation of the NERC CIP requirements
- Assisting users’ efforts to achieve NERC CIP compliance
- Facilitating sharing of experience and successes among the participants
- Providing users an opportunity to influence and improve AREVA T&D’s security features and services
- Empowering user representatives to oversee specific AREVA T&D security activities

14 What’s Next
- The 2009 / 2010 Security Focus Group will hold its first meeting on October 1st
- Key subjects the Security Focus Group will concentrate on:
  - NERC CIPs compliance (audit experiences, best practices, etc.)
  - Product security testing [including INL, security patch compatibility, other]
  - Product security features / configuration / documentation
  - Product security integration [e.g. third-party tools]
  - Security policies and procedures (disclosure & notification, security tools & best practices, etc.)
