August 02, 20122012 Technologies for Security & Compliance SummitAustin, Texas

1. Page 1
Integration of
Technology &
Compliance
August 02, 2012
2012 Technologies for Security &
Compliance Summit
Austin, Texas

2. Page 2
John Heintz, CISSP, CISM,
CRISC
Senior Manager,
Enterprise IT Security

3. Page 3
• The city of San Antonio out bid
other entities to purchase the
SAPs Co for $34 million.
• The city sold off the street car
business and retained the power
generation, distribution and gas
network.
• Changed the name to City
Public Service and changed
through out the years to CPS
Energy.
• Oldest utility in Texas. Gas light system started in 1860’s.
• In 1917, San Antonio Public Service Company (SAPs CO), under the
ownership of American Light and Traction company ran the city’s power
plants, gas network and street car lines.
• In 1942, Anti-trust laws required American Light and Traction company to
sell some of it’s assets.
CPS Energy History (The early days)

4. Page 4
CPS Energy (Current)
• Based in San Antonio (7th largest city in the nation)
• Largest Municipally owned energy utility that provides both natural gas
and electric service
• Serve over 717,000 electric customers
• Over 325,000 gas customers
• 1,514 square mile service area.
• Over 3,600 employees
• $2 Billion in annual revenues
• $9.7 Billion in assets
• Provide roughly $250 - $280 million annual revenue to the City of San
Antonio.

5. Page 5
Generation
• Generation Assets
 Own and operate 4 major generation facilities in the San Antonio
area (Gas and Coal).
 Generates approximately 7000 Megawatts of power
 Own 40% of South Texas Project (STP) units 1 and 2.
 Provides 1088 megawatts of power for CPS Energy customers
 Has invested additional 7.625 % into additional units at STP.
 Would generate additional 200 megawatts of power for our customers.
• Fuel Mix
 Coal - 32%
 Nuclear - 16%
 Natural gas and purchased power -
39%
 Renewable (Wind, solar and landfill
methane gas) - 13%
 To increase to 20% by 2020.

6. Page 6
Transmission & Distribution
• Transmission & Distribution Assets
 Own and maintain 1400 Miles of transmission lines.
 Own and maintain 7600 miles of overhead distribution lines.
Over 408,000 poles
 Own and maintain additional 4300 miles of underground distribution lines.

7. Page 7
Enterprise IT Security Organization
• Enterprise IT Security Organization (EITS)
 Formed in May of 2007
 John Heintz began with CPS Energy almost 2 years ago
• EITS moved to Legal Department under General Council in 2009
 Provides true segregation of duties
 Reports to Senior Council and Director of Compliance.
• Baseline the EITS security program utilizing the Forrester
Information Security Maturity Model.
 Benchmarking tool to access the information security program.
 Provides framework that describes all of the required functions and
components of a comprehensive information security program.
 Forrester model is objective, prescriptive, process oriented, modular and
uncomplicated.

8. Page 8
Forrester Information Security Maturity Model
Oversight
• Strategy
• Governance
• Risk Management
• Compliance
Management
• Audit and Assurance
People
• Security Services
• Communication
• Security Organization
• Business Relationship
• Roles/Responsibilities
Technology
• Network
• Databases
• Systems
• Endpoints
• Application
Infrastructure
• Messaging and content
• Data
Process
• Identity and Access
Management
• Threat and vulnerability
management
• Investigations and
records management
• Incident management
• Sourcing and vendor
management
• Information Asset
Management
• Application/systems
development
• Business Continuity
and Disaster Recovery

9. Page 9
Maturity Model Self Assessment
0-
Nonexistent
•Not understood
•Not formalized
•Need is not
recognized
1-Ad Hoc
•Occasional
•Not Consistent
•Not Planned
•Disorganized
2-
Repeatable
•Intuitive
•Not
documented
•Occurs only
when necessary
3-Defined
•Documented
•Predictable
•Evaluated
occasionally
•Understood
4-Measured
•Well managed
•Formal
•Often
Automated
•Evaluated
Frequently
5-Optimized
•Continuous and
effective
•Integrated
•Proactive
•Usually
Automated
Most mature
companies are at
this stage.
Our corporate
network results

10. Page 10
Doing Well and What has already improved
• EITS - What are we doing well
– Endpoint Anti-Malware
– Network Intrusion Detection
– Anti-spam
– Policy Creation
– Security Event Management
• Other improvements already made
– Security Metrics
– Endpoint Protection
– Network Vulnerability
– Application Developer Security Awareness
– Vulnerability Management
– Security Testing
– Forensics and e-Discovery
– Threat Modeling
– Threat Research
– Client Encryption
– Project Integration

11. Page 11
Key Security / Compliance Challenges
• Technology
– Databases
• Encryption is ad hoc
– Systems
• Host based Firewalls and IPS
– Application Infrastructure
• XML gateway
• Application Firewall
– Messaging and Content
• Message Encryption
• Instant Message Filtering
• Anti-Malware
– Data
• Digital Rights Management
• Process
– Identity and Access
Management
• Web SSO
• Access Control
• Enterprise SSO
• People
– Security Organization
• Staffing

12. Page 12
Corporate Information Security Goal
0-
Nonexistent
•Not understood
•Not formalized
•Need is not
recognized
1-Ad Hoc
•Occasional
•Not Consistent
•Not Planned
•Disorganized
2-
Repeatable
•Intuitive
•Not
documented
•Occurs only
when necessary
3-Defined
•Documented
•Predictable
•Evaluated
occasionally
•Understood
4-Measured
•Well managed
•Formal
•Often
Automated
•Evaluated
Frequently
5-Optimized
•Continuous and
effective
•Integrated
•Proactive
•Usually
Automated
Key Security issues
are addressed, could
move here…

13. Page 13
James Grimshaw
Critical Cyber Infrastructure Manager,
Transmission Compliance

14. Page 14
Control Systems Cyber Security (or Compliance?)
• NERC Compliance Events
 January 2009 – One year to be fully compliant
 January 2010 - Fully compliant date
 October 2010 – TOP CFR Certification
 November 2011 – 1st Full TO/TOP/LSE CIP Audit
 2012 – Documented lessons learned (LL) and begin to implement LL during
annual updates
1. Manage and Communicate Compliance Activities
2. CIP-004 -3, R4 – Access Program
3. Management Dashboard

15. Page 15
Manage and Communicate Compliance Activities
• Annual reviews (Policies, Programs, Procedures etc…)
• Create compliance periodic reports
• Where to file (sensitive) associated reports and evidence
• Complete Reliability Standards Audit Worksheets (RSAWs)
• Create workflows for accountability, accuracy, & oversight
• Risk management – Escalation of non-completed workflows,
security trends
• Manage Technical Feasibility Exceptions, Mitigation Plans etc.
• Decrease interruption to Subject Matter Expert daily work
schedule

16. Page 16
Physical & Cyber Access Program
• Automate performance reviews and system generated reports
• Integrate systems to decrease risk & increase efficiency
• Physical Security Perimeter & Electronic Security Perimeter
• PSP Area Owners & Cyber System Owners
• Corporate Enterprise Resource Planning program for PRAs
• Corporate learning management system for NERC training records
• Weekly access report fed into management dashboard
• Automate position organizational changes, terminations and new
hires
• CIP Version 5 – Role based access (and other changes)

17. Page 17
Management Compliance Dashboard
• One of top ranked challenges is getting management support
 NERC Committee (Steering Group)
 Provide senior management with high level insight (drill down)
• Properly prioritize projects vs. compliance
• Properly prioritize funding
• Corporate level risk mitigation

18. Page 18
The Future for Control Systems Environments
• Working together with other Utilities
 CIP Working Group
• Continuous Process Improvement
 Invest to automate processes
 Integrate systems to decrease risk
• Stay informed and utilize resources
 NERC and ICSJWG Workshops
 Keep up with NERC & TxRE communications
 DOE/DHS

19. Page 19
Questions