Critical Infrastructure Protection Committee Meeting Presentations Atlanta, GA | December 9-10, 2014 *All presentations are posted with the consent of the presenters.
Chief Security Officer Remarks Tim Roxey Senior Director, ES-ISAC, CSO Atlanta, GA December 9-10, 2014
NERC and Department Updates
• Department Updates:
  – Critical Infrastructure Department/ES-ISAC restructuring
  – Open Positions at the ES-ISAC
• NERC Updates:
  – ES-ISAC updates (CRISP, portal, etc.)
  – Security Reliability Program
  – CIP v5 Transition and Revisions
  – Physical Security – CIP-014-1 Implementation
  – GridEx III – Planning for November 18-19, 2015
  – CIPC – Working Groups and Task Forces
RELIABILITY | ACCOUNTABILITY
ES-ISAC Organization
Open Positions
• Cybersecurity Threat Analyst – CRISP (two positions)
• Threat and Vulnerability Manager
• Threat and Vulnerability Specialist
• Senior Cybersecurity Specialist
• Cybersecurity Specialist
• Physical Security Specialist
• CIP Awareness Specialist
• Policy and Coordination Specialist
NERC CIPC Chair Report Chuck Abell December 09, 2014
December 2014 Update
• Grid Security Conference – San Antonio, TX
• DHS Classified Briefing
• CIPC Strategic Plan Bi-annual Update
  – Re-alignment with updated ERO Strategic Plan
  – Updated to reflect current CIPC efforts
  – Removed references to the ESCC
  – Added accountability to RISC
  – Updated organizational charts; CIPC structure unchanged
  – Ballot by e-mail vote
  – Submission to NERC Board of Trustees – Feb 2015
CIP Committee Structure
Officers: Chuck Abell, Chair, Ameren; Nathan Mitchell, Vice Chair, APPA; Jim Brenton, Vice Chair, ERCOT; Laura Brown, Secretary
Executive Committee: David Revill, NRECA; David Grubbs, ERCOT; Ross Johnson, CEA; Melanie Seader, EEI; Jack Cashin, EPSA; Marc Child, Great River
Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cyber Security Subcommittee (Marc Child)
• Operating Security Subcommittee (Jim Brenton)
• Policy Subcommittee (Nathan Mitchell)
Working Groups and Task Forces:
• Physical Security WG (Ross Johnson)
• Physical Security Guidelines WG (John Breckenridge)
• Security Training WG (William Whitney)
• Control System Security WG (Mikhail Falkovich)
• ES Information Sharing TF (Stephen Diebold)
• Cyber Attack Tree TF (Mark Engels)
• Grid Exercise WG (Tim Conway)
• Physical Security Standard WG (Alan Wick)
• Cybersecurity Analysis WG (TBD)
• Business Continuity Guideline TF (Darren Meyers)
• Compliance and Enforcement Input WG (Paul Crist)
• BES Security Metrics WG (James Sample)
UPDATE
ES-ISAC shares
SEPTEMBER
• Shellshock – scanning activity was seen by several members and partners (1647-1653)
• Ransomware – reports spiked in September
ES-ISAC shares
OCTOBER
• Shodan – "Google" for routers, servers, ICS
  – HART – improved results on DNP3
  – Project SHINE using Shodan
• BlackEnergy – sophisticated malware campaign on ICS
  – ICS-CERT Alert released on 17 October (1671)
  – The ES-ISAC first reported on BlackEnergy in late September
• Proof-of-concept vulnerability of smart meters in Spain
  – Vulnerable credentials can lead to underreporting of energy use
ES-ISAC shares
NOVEMBER
• WinCC – unauthenticated remote code execution (ICS)
• MS14-068 – Kerberos – escalation of privileges from unprivileged domain user to full domain administrator
• Regin – highly sophisticated cyberespionage tool
• APT28 – highly sophisticated Russian cyberespionage
• OP Cleaver – sophisticated Iranian cyberespionage
ES-ISAC shares
PHISHING
• Targeted Phishing Attack (1658) – "Changes in Profit Shares" theme. MS Word document with malicious macros. Domain and cloud infrastructure appeared to originate from the target company!
• Wire Transfer Phishing – targeting senior finance department staff, requesting a fraudulent "wire transfer." Has been seen and reported on since November 2013.
• Phishing – untargeted phishing attacks with malicious links and payloads.
ES-ISAC Update
CRISP
• Infrastructure purchased
• Site visits
• Deploying additional Information Sharing Devices
• Information from CRISP will be shared in the portal
Program Lead: Matthew Light ([email protected])
CRISP Share
CRISP Information Shared
• SQL injection (SQLi): "drop/delete" table commands
• Remote file disclosure: known vulnerability in HttpCombiner
• Same IP. Active since September (1707)
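The indicators shared above are the kind a member would want to recognize in its own web-server logs: SQL-injection probes carrying DROP/DELETE statements, directory-traversal attempts aimed at file disclosure, and the fact that one source address was responsible for both over several months. The following Python is an added example written for this page, not CRISP, ES-ISAC or NERC tooling. The log lines, IP addresses (documentation ranges), paths and timestamps are constructed; the traversal pattern is a generic "../" check and is not tied to the HttpCombiner issue named on the slide. It decodes each request target before matching (attackers routinely percent-encode payloads), requires the keyword pair "DROP TABLE" / "DELETE FROM" rather than a bare keyword so that ordinary search terms such as "drop off" do not fire, and then summarizes flagged requests per source address with first-seen and last-seen times, which is how a "same IP, active since September" observation is produced.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed Common Log Format lines; IPs, paths and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2014:03:14:02 +0000] "GET /search?q=widgets HTTP/1.1" 200 512
203.0.113.7 - - [12/Sep/2014:03:14:09 +0000] "GET /search?q=1%27%3B+DROP+TABLE+users%3B-- HTTP/1.1" 500 133
198.51.100.4 - - [15/Sep/2014:11:02:41 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.7 - - [03/Nov/2014:22:51:17 +0000] "GET /combine?f=..%2F..%2Fweb.config HTTP/1.1" 200 907
203.0.113.7 - - [03/Nov/2014:22:51:30 +0000] "GET /items?id=5%3BDELETE+FROM+orders HTTP/1.1" 500 133
198.51.100.4 - - [04/Nov/2014:08:00:00 +0000] "GET /search?q=drop+off+locations HTTP/1.1" 200 640
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Patterns are applied to the URL-decoded request target. Requiring the keyword
# pair keeps benign search strings like "drop off locations" from matching.
PATTERNS = {
    "sqli": re.compile(r"\b(drop\s+table|delete\s+from)\b", re.IGNORECASE),
    "traversal": re.compile(r"\.\.[/\\]"),
}


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "target": target, "status": int(status)}


def classify(target):
    """Return the list of detection tags that match the decoded request target."""
    decoded = unquote_plus(target)  # %27 -> ', %2F -> /, + -> space
    return [tag for tag, pattern in PATTERNS.items() if pattern.search(decoded)]


def flagged_events(log_text):
    """(ip, timestamp, tags) for every request that matched at least one pattern."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["target"])
        if tags:
            events.append((rec["ip"], rec["ts"], tags))
    return events


def summarize(log_text):
    """Per source IP: first/last flagged request and a count of each detection tag."""
    summary = {}
    for ip, ts, tags in flagged_events(log_text):
        entry = summary.setdefault(ip, {"first_seen": ts, "last_seen": ts, "hits": Counter()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["hits"].update(tags)
    return summary


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, dict(entry["hits"]),
              "active", entry["first_seen"].date(), "to", entry["last_seen"].date())
```

Only the 203.0.113.7 source ends up in the summary (two SQLi hits and one traversal hit, active from 12 September to 3 November); the legitimate search for "drop off locations" from the other address is not flagged.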
Continue the discussion by engaging the team:
[email protected]
ES-ISAC contact info.
CONTACT US
• Register at ESISAC.com
• Email: [email protected]
• 24 hour hotline: 404-446-9780
Relevant industry dataset may provide us answers
• Assess our risks
• Understand our threats
• Improve our posture to those threats
Legislative Update Critical Infrastructure Protection Committee December 9, 2014 Nathan Mitchell, American Public Power Association
HR 3410
• The House on Monday passed a bill to require the Department of Homeland Security to include the threat of electromagnetic pulse events in national planning scenarios.
• Passed by voice vote, H.R. 3410 would direct the agency to conduct a public education campaign about the threat of electromagnetic pulse (EMP) events and authorize research into its prevention and mitigation.
• Rep. Trent Franks (R-Ariz.)
S 2588
• Cybersecurity Information Sharing Act of 2014
• To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.
• Introduced to Senate Select Committee on Intelligence 7/10/2014
• Diane Feinstein (D-CA)
Industry Urges the Senate to Pass CISA
• S. 2588, the Cybersecurity Information Sharing Act of 2014 (CISA)
• CISA passed the Senate Intelligence Committee in July with broad support from both Democrats and Republicans.
• The bill would help businesses achieve timely and actionable situational awareness to improve their own and the nation's detection, mitigation, and response capabilities against cyber threats.
• The bipartisan bill safeguards privacy and civil liberties, preserves the roles of civilian and intelligence agencies, and incentivizes sharing with narrow liability protections.
• CISA represents a workable compromise among many stakeholders.
HR 3696
• National Cybersecurity and Critical Infrastructure Protection Act of 2014
• To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection.
• Passed House on 7/28/2014; Referred to Senate Committee on Homeland Security and Governmental Affairs
• Michael McCaul (R-TX), Bennie Thompson (D-MS)
S 1353
• Cybersecurity Act of 2014
• To provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
• Introduced to Senate Committee on Commerce, Science, and Transportation 7/24/2014
• John Rockefeller (D-WV), John Thune (R-SD)
HR 624
• Cyber Intelligence and Protection Act (CISPA)
• To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities.
• Passed House on 4/18/2013; Referred to Senate Select Committee on Intelligence
• Mike Rogers (R-MI), Dutch Ruppersberger (D-MD)
S 2521
• The Federal Information Modernization Act
• To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security.
• Referred to Senate Committee on Homeland Security and Governmental Affairs 6/24/2014
• Thomas Carper (D-DE), Tom Coburn (R-OK)
S 2519
• National Cybersecurity and Communications Integration Act of 2014
• To codify an existing operations center for cybersecurity.
• Referred to Senate Committee on Homeland Security and Governmental Affairs 6/25/2014
• Thomas Carper (D-DE), Tom Coburn (R-OK)
HR 2952
• Critical Infrastructure Research and Development Advancement Act of 2014 (CIRDA Act of 2014)
• To authorize the Secretary of Education to make grants for the establishment of State Networks on Science, Technology, Engineering, and Mathematics Education.
• Passed House 7/28/2014; Referred to Senate Committee on Homeland Security and Governmental Affairs
• Patrick Meehan (R-PA)
Questions?
New York State Cybersecurity Exercise 2014 Greg Goodrich Principal, Security and Compliance Coordination New York Independent System Operator
NERC CIPC December 10, 2014 The Westin Buckhead Atlanta, GA
© 2014 New York Independent System Operator, Inc. All Rights Reserved.
Exercise Overview
The New York State Cyber Security Exercise:
Sponsored by Department of Energy; organized by DOE, NYISO, NYPA, ConEd
Operations Exercise and Workshop (10/22)
Executive Level Exercise and Workshop (10/23)
Scenario
Cyber attack on critical infrastructure that has physical consequences for energy delivery systems
Participants
>120 participants from 13 electric and gas utilities that own and operate facilities within New York State
Partners from energy industry organizations; ISACs; and Federal, State, local, tribal, and territorial government agencies
Participating Organizations
Electricity: Con Edison; New York Power Authority; New York Independent System Operator; National Grid; Iberdrola USA – Rochester Gas and Electric; Iberdrola USA – New York State Electric and Gas; Central Hudson; Orange and Rockland; Long Island Power Authority; Massena Electric
Gas: National Fuel Gas; Spectra Energy; St. Lawrence Gas; Con Edison; National Grid; Iberdrola USA – Rochester Gas and Electric; Iberdrola USA – New York State Electric and Gas; Central Hudson; Orange and Rockland
Energy Partners: ES-ISAC; NERC; NPCC; APPA; ESCC/EEI; ISO/RTO Council
Federal, State & Local Partners: DOE; DHS; FERC; NYS PSC; NYS Governor's Office; NYS Fusion Center; NYS DHSES; NYS ITS; MS-ISAC; US Congress Representative Paul Tonko's Office
Scenario Summary
Spear-phishing attack targets energy companies and installs zero-day malware exploiting multiple vulnerabilities in Windows, UNIX, and Linux-based systems and a common chip set used in control devices from multiple vendors. Malware triggers a logic time bomb in chip technology that:
• Infects PMUs, PLCs, RTUs, relays, and meters and compromises integrity of information between control centers and remote equipment
• Deploys a coordinated Distributed Denial of Service (DDoS) attack on energy sector, financial sector, and state government websites
Malware compromises the integrity of information between control centers and remote equipment. Malware triggers equipment malfunction that creates an explosion, which injures people in the immediate area.
Scenario Impacts
• Multiple New York State organizations lose email and account access services.
• 20-40% of energy company business IT systems are incapacitated.
• 10-20% of energy delivery equipment is incapacitated.
• Impacted systems must be taken offline to replace damaged equipment, requiring manual processes for up to a month.
• Limited information is initially disseminated because it is classified or sensitive.
• Energy companies are inundated with requests for information by both the public and the media.
• Social media escalates initial public concern into a frenzy, and protests begin.
• Damaged meters disrupt customer billing and end-of-month processes.
Workshop Insights
• Peer-to-peer communication among operational and IT personnel during cyber incidents is essential.
• OT and IT personnel receive an overwhelming number of cyber alerts / information overload.
• Cyber incidents can last for weeks.
• Cyber incident response is very different than traditional restoration activities.
• Cyber attacks stress different types of personnel and resources.
• Incident command roles during a major cyber event are unclear.
• Public communication and messaging for cyber incidents is challenging.
Opportunities for Improvement
• Develop and formalize cyber mutual aid agreements.
• Train and exercise on manual system operations.
• Develop a New York/regional "decision tree" for incident response and information sharing.
• Formalize current cyber security collaboration among participants and consider establishing a security and resilience working group.
• Emphasize cyber resilience in future system designs and architectures.
• Examine alternate communication options.
Regional Exercise Planning Overview: Plan for a plan
• Scope: Scenarios
• Engagement: Stakeholders; Partners
• Execution: Local/Remote
What we learned about:
• Project Planning: Resource planning; Processes and tools
• Outreach: Socialization; Partnerships (forged new, strengthened existing)
• After Action
Future Regional Exercises
New York State: Going forward NYS plans to coordinate alternate-year (opposite GridEx) exercises; Cross Sector additions
Others:
NATF Security Practices Group Activity Update
Wayne VanOsdol, NATF Program Manager - Practices
NERC CIPC Meeting December 9-10, 2014
Discussion Topics • Brief NATF Overview • Cyber Security Project Update: CIP-002 V5 Guide
• Physical Security Project Update: CIP-014-1 R4 & R5 • Modeling / Planning Project Update: CIP-014-1 R1
NATF Membership
Organization types (75 Members):
– Investor-owned
– State/Municipal
– Cooperative
– Federal/Provincial
– ISO/RTO
Expertise – 3600 subject-matter experts
Coverage (North America Wide)
• Membership open to companies that own/operate 50 circuit miles of 100 kV transmission or operate a 24/7 control center
– 85% of Peak Demand
– 75% of 100 kV and higher circuits
NATF Mission, Vision, Approach
Mission: Promote excellence in the reliable operation of the electric transmission system
Vision: Continuously improve the reliability of the electric transmission system
Approach: Pursue reliability and security excellence via:
• Constructive peer challenge
• Effective, relevant information sharing
  o lessons learned, superior practices, etc.
Guiding Principles
Community: The complex, interconnected grid requires active collaboration to promote higher levels of reliability, security, and resiliency
Confidentiality: Confidentiality promotes open, candid intra-membership dialogue
Candor: Direct, objective performance feedback is delivered as a membership norm
Commitment: Members' senior leaders commit to the NATF's mission of promoting excellence
Cyber Security Project Update CIP-002 V5 Practices Guide
CIP-002 V5 Project Update
Purpose:
• The purpose was to develop a NERC CIP-002 Version 5 Guide for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets.
Deliverable:
• Security CIP-002 V5 Guide and various assessment tools and spreadsheets were approved for use on July 1, 2014.
  – New product includes recommendations, examples, and templates for documenting a program, and includes diagrams / flow charts that will assist in standardizing CIP-002 documentation across the NATF membership.
Product Maintenance:
• The CIP-002 V5 Guide Maintenance Oversight Team was created in July
  – Team meets twice monthly from August through December
  – Team is responsible for obtaining Use Cases from NATF members, logging information pertaining to any Industry or Regulatory decisions associated with CIP-002 V5, and developing an attachment or addendum to the guide at the end of 2014
  – Some type of team will most likely be needed in 2015 as well
Physical Security Project Update
CIP-014-1 R4 & R5 Practices Guide
Physical Security Work Group Project: CIP-014-1 R4 and R5 Guide
Deliverable:
• The purpose is to develop a NERC CIP-014-1 R4 and R5 Reliability Standard guide that is defensible (but not prescriptive) for conducting evaluations as required in requirement 4, and for developing and implementing a physical security plan as required in requirement 5.
• NERC CIP-014-1 R4 & R5: R4 – Conduct evaluation of potential threats and vulnerabilities of a physical attack to stations and primary control centers identified under R1 and verified under R2; R5 – Develop and implement a documented physical security plan.
Project Scope / Process:
• The project teams will:
  1. Work with Members to develop a Best Practices document on how to go about performing the threat analysis.
  2. Work with Members to develop a Best Practices document on how to go about developing a physical security plan.
• Project Timeline:
  – August–October (steps completed): Created project scope and timeline, discussed project with the Security Practices Group Core Team and Physical Security Work Group, identified project team participants and leaders, held initial meeting to create an R4 and R5 team and determine how work will be performed
  – (in progress): The two teams (R4 and R5) holding twice-per-month WebEx meetings from November through February 2015
  – (final products): Completion of products expected by end of 1st quarter 2015
Modeling / Planning Project Update
CIP-014-1 R1 Assessment Guide
Modeling / Planning Project: CIP-014-1 R1 Guide
Deliverable:
• The purpose is to develop a general guideline to be used for the risk assessment identified in CIP-014-1 R1.
• NERC CIP-014-1 R1: Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.
Project Scope / Process:
• The project consists of three basic activities:
  1. Develop an R1 assessment guide to aid Members in performing the transmission risk assessment
  2. Develop a process, structure and timeline for Members to review their R1 processes, methodologies and results against similarly-situated Members
  3. Poll Members to assess their plans for the R2 3rd party assessment
• Project Timeline:
  – Implemented R1 project in late June with initial draft guide developed in September
  – Currently, the team is developing a process for surveying the results of Members' R1 risk assessments and initiating opportunities for Members to compare their results against similarly-situated Members
  – Expected completion date of the survey is December 2014
  – Sent latest version of draft R1 Guide to NERC on November 25 for review
  – Expected completion for R1 Guide is January / February 2015
Thank you!
• Questions?
GridEx III
Grid Security Exercise NERC CIPC
December 9-10, 2014
December Update
• GridEx III Dates
• Outreach
• Working Group Formed
• Meeting schedule
• Considerations
Calendar and Entity Prep
November 18 – 19, 2015
• Leadership Buy In
• Identify Level of Play Capability
• Obtain Internal Player / Planner Commitments
• Identify Training Needs – CEH
• Participate in GridEx Planner / Player Calls
• Lead Planner Registration will open early next year
GridEx III Working Group
• Operations
• Physical Security
• Cybersecurity
Outreach Activities
• FRCC Spring Workshop – May 13 – 15
• BPA Cybersecurity Resilience – May 20-21
• NERC CIPC Vancouver – Sept 16-17
• NERC OC Vancouver – Sept 16-17
• SERC CIP Workshop – October 7
• NERC GridSec Conference – Oct 14 - 17
• NERC Operating Reliability Subcommittee (ORS) – Sept
• ISO / RTO Council (IRC) Operations Committee – Oct 29
• Various entity-specific outreach calls – random
GridEx Working Group (membership chart by category: Reliability Coordinators; Entities; NERC, Regions, Org; Gov, Mil, Labs; Vendors, Partners)
Scenario Development
Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors
Develop a Narrative
• Backstory or ground truth:
• Attacker profile
• The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions
MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas
Timeline: 2015 Conference Dates (December 10, 2014)
• GridEx Working Group (now): Establish Working Group Members; Establish Mail list; GridEx Awareness
• Kick-Off (Jan / Feb): Confirm objectives; Establish boundaries; Confirm tools
• Initial Planning Phase (March 11-12): Confirm exercise infrastructure; Finalize attack vectors and impacts; Work on scenario narrative
• Mid-term Planning Phase (June 10-11): Finalize baseline MSEL; Develop Controller and Player materials; Draft After Action Survey
• Final Planning Phase (Sept 16-17): Finalize custom injects with RCs; Distribute materials; Conduct training; Set up venue and logistics
• GridEx III (Nov 18-19): Send injects and oversee player actions; Capture player actions and findings; Facilitate Executive Tabletop
• After Action (Q1 2016): Distribute survey; Analyze findings and lessons learned; Draft Final Report
Reliability Coordinator Planning Activities: RCs identify Organizations in their control area; Active RCs establish and participate in RC-to-RC and RC-to-Entity coordination calls; RCs and entities understand and develop customized injects
Prep Work
• Tools and Technology
  – Use Collaboration site for GEWG and Lead Planners
  – Registration site for Planners and Players
  – Improved Player Directory capability
  – Various Exercise Tools being evaluated
  – Scoring and Simulation Tool trial
  – Improved generic inject quality
  – Improved Social Media
  – Delivery of Training and Exercise Videos
  – Many other possibilities
Summary
• GridEx Working Group members
• NERC investment
• Time
• De-confliction with other Exercises
• In the News
Electricity Sector Information Sharing Task Force Progress Report Stephen Diebold, Chairman Joe Doetzl, Vice Chairman
December 2014
Contents
• Task Force Members
• Mission Statement
• Timeline
• Outreach
Task Force Members
• Stephen Diebold – Chair
• Joe Doetzl – Vice Chair
• Donald Roberts – Core Team
• Fred Hintermister – Core Team
• Orlando Stevenson – Core Team
• Laura Brown – Core Team
• John Breckenridge – Secondary Reviewer
• Brian Harrell – Secondary Reviewer
• Jim Brenton – Final Reviewer
Mission Statement
• Develop a presentation to be used for communicating across industry, especially to cybersecurity and operations personnel, Hydra Team roles and functions.
• Develop a presentation to be used for outreach promoting the ES-ISAC portal use as a central coordination point and reporting tool in crisis.
Timeline
• Aug 2014: Charter Approved; Select Task Force Members
• Sep 2014 (September CIPC): Begin Work on Hydra Presentation; Begin Work on ES-ISAC Presentation; CIPC Status Report
• Dec 2014 (December CIPC): CIPC Status Report
• Mar 2015 (March CIPC): Draft of Hydra Presentation; Draft of ES-ISAC Presentation; CIPC Status Report
• Jun 2015 (June CIPC): Finalize Hydra Presentation; Finalize ES-ISAC Presentation; Approval of ES-ISAC and Hydra Presentation; CIPC Status Report
• Sep 2015 (September CIPC): Begin Outreach Program
Outreach
• The ESISTF will schedule a webinar for disseminating the information
• Would like to present at NERC Region meetings
• Looking for other opportunities at relevant electricity sector conferences
ESISTF
[email protected]
Cyber Security Sub-cmte Progress Report Jim Brenton
NERC Attack Tree Task Force December 9-10, 2014
Generic Model
Each BA/company has different configurations – Operational, IT and Physical
Goals and Modeling Software
Attack Tree Task Force (ATTF) Goals
a. Fully populated set of attack trees, with meaningful data (classified and unclassified) informing key stakeholders in offsetting vulnerabilities in the North American bulk electric system.
b. Establish ownership and location of the attack trees, and document the roles and responsibilities of the data custodians
Attacker Goal: Situational Awareness (slide diagram)
Balancing Authority: collection of generation, transmission, and loads within metered boundaries maintaining load-resource balance (Generation, Transmission, Load). *PJM NERC Primer (June 10, 2013)
Does not have to be a complete blackout to have an impact!
Attack Scenarios
Attack Scenario – Each minimal combination of leaf-level events is known as an attack scenario.
Behavioral Indicators
• Definition: Behavioral Indicators describe the resources an attacker needs to expend in order to reach a particular state or node in the tree.
• Behavioral Indicators:
  – Breach of Trust
  – Cost of Attack (What not Who)
    o Technical Training
    o Special Equipment, Hardware or Software
    o Insider Knowledge
    o Other
  – Defender Error
  – Noticeability
  – Physical Presence
  – Technical Ability (Who not What)
Overall Process (flow chart)
1. Attacker Goal
2. Define Nodes in Tree – Total Population of Attack Scenarios
3. Define Behavioral Indicators (BI)
4. Define Attacker Profiles; Define Victim Profile
5. Analysis / Reduction / Pruning:
   – Level 1 Attacker Profile – Level 1 Successful Attack Scenarios
   – Level 2 Attacker Profile – Level 2 Successful Attack Scenarios
   – Level 3 Attacker Profile – Level 3 Successful Attack Scenarios
6. Subset of Attack Scenarios
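The ATTF definitions above (an attack scenario as a minimal combination of leaf-level events, behavioral indicators as the resources an attacker must expend, and attacker profiles used to prune the total population down to the scenarios a given adversary can actually execute) can be made concrete with a small model. The following Python is an added example written for this page, not ATTF material or NERC code: the tree, leaf names, indicator values and profiles are all constructed, and the scoring rule (cost and noticeability add up across a scenario, while technical ability, insider knowledge and physical presence are taken as the maximum any leaf demands) is an assumption chosen to illustrate the process. The last function turns the pruned result into a defender's view: leaves that appear in the most still-feasible scenarios are where a single mitigation removes the most scenarios.

```python
from collections import Counter
from itertools import product

# Constructed attack tree for the attacker goal shown on the ATTF slides
# (degrading a Balancing Authority's situational awareness). A node is a
# leaf-event name (str) or a (gate, children) tuple with gate "AND"/"OR".
# Leaf names are invented for this example.
ATTACK_TREE = ("OR", [
    ("AND", [                                                           # remote path
        ("OR", ["spearphish_credential", "exposed_remote_access"]),
        "tamper_telemetry_feed",
    ]),
    ("AND", ["insider_account", "tamper_telemetry_feed"]),              # insider path
    ("AND", ["physical_entry_control_center", "disable_ems_servers"]),  # physical path
])

# Behavioral indicators per leaf (constructed values on a 0-4 scale).
# "What" indicators (cost, noticeability) accumulate across a scenario;
# "Who" indicators are capability levels, so a scenario needs the maximum.
ADDITIVE = ("cost", "noticeability")
CAPABILITY = ("technical_ability", "insider_knowledge", "physical_presence")


def _bi(cost, noticeability, technical_ability, insider_knowledge, physical_presence):
    return dict(cost=cost, noticeability=noticeability, technical_ability=technical_ability,
                insider_knowledge=insider_knowledge, physical_presence=physical_presence)


LEAF_BI = {
    "spearphish_credential":         _bi(2, 2, 2, 0, 0),
    "exposed_remote_access":         _bi(1, 1, 2, 0, 0),
    "tamper_telemetry_feed":         _bi(3, 2, 3, 0, 0),
    "insider_account":               _bi(1, 1, 1, 2, 1),
    "physical_entry_control_center": _bi(4, 4, 1, 1, 2),
    "disable_ems_servers":           _bi(2, 3, 1, 0, 2),
}

# Attacker profiles (constructed): the budget and noticeability each attacker
# accepts, plus the capability levels the attacker actually has.
PROFILES = {
    "opportunistic_remote":   dict(budget=4,  noticeability_tolerance=4, technical_ability=3, insider_knowledge=0, physical_presence=0),
    "resourced_remote_group": dict(budget=10, noticeability_tolerance=6, technical_ability=3, insider_knowledge=0, physical_presence=0),
    "physical_insider":       dict(budget=6,  noticeability_tolerance=7, technical_ability=1, insider_knowledge=2, physical_presence=2),
}


def attack_scenarios(node):
    """Enumerate attack scenarios: the minimal sets of leaf events that reach `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [attack_scenarios(child) for child in children]
    if gate == "OR":        # any one child's scenario suffices
        candidates = [s for sets in child_sets for s in sets]
    elif gate == "AND":     # one scenario from every child must be combined
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Minimality: drop any candidate that strictly contains another candidate.
    minimal = {s for s in candidates if not any(other < s for other in candidates)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def scenario_indicators(scenario, leaf_bi=LEAF_BI):
    """Aggregate leaf indicators into the resources the whole scenario demands."""
    bis = [leaf_bi[leaf] for leaf in scenario]
    agg = {k: sum(b[k] for b in bis) for k in ADDITIVE}
    agg.update({k: max(b[k] for b in bis) for k in CAPABILITY})
    return agg


def feasible(scenario, profile, leaf_bi=LEAF_BI):
    """True if the attacker profile can afford and is capable of the scenario."""
    need = scenario_indicators(scenario, leaf_bi)
    return (need["cost"] <= profile["budget"]
            and need["noticeability"] <= profile["noticeability_tolerance"]
            and all(need[k] <= profile[k] for k in CAPABILITY))


def prune_by_profiles(scenarios, profiles=PROFILES, leaf_bi=LEAF_BI):
    """Pruning step: the 'successful attack scenarios' each profile retains."""
    return {name: [s for s in scenarios if feasible(s, p, leaf_bi)] for name, p in profiles.items()}


def leaf_coverage(pruned_by_profile):
    """Count how many still-feasible scenarios each leaf event appears in."""
    remaining = set().union(*pruned_by_profile.values())
    return Counter(leaf for scenario in remaining for leaf in scenario)


if __name__ == "__main__":
    scenarios = attack_scenarios(ATTACK_TREE)
    print(f"total population: {len(scenarios)} scenarios")
    pruned = prune_by_profiles(scenarios)
    for name, kept in pruned.items():
        print(f"{name}: {[sorted(s) for s in kept]}")
    print("mitigation priority:", leaf_coverage(pruned).most_common())
```

With the constructed values, the tree yields four minimal scenarios; the opportunistic remote profile is left with only the exposed-remote-access path, the resourced group keeps both remote paths, and the physical insider keeps only the physical path. The leaf "tamper_telemetry_feed" appears in two of the three scenarios any profile can still execute, so it is the single node whose mitigation removes the most remaining scenarios.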
Questions
Cyber Security Subcommittee
Cyber Security Events Analysis WG
Chair:
1. CIPC EC reviewing charter
2. Will recruit a new Chair if/when needed
3. Update at March CIPC meeting
Cyber Security Subcommittee
Control Systems Security WG Chair: Mikhail Falkovich
CSSWG Status
• Charter has been approved
• Core contributors have been identified and work is proceeding
• GridEx II Lesson Learned #4 Recommendations Summary: Assess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis.
• Outline completed
CSSWG Control System Electronic Connectivity: Draft Outline
• Executive Summary/Introduction/Scope
• General Principles
• Network Design Considerations
• Security Mechanisms
• Disconnecting and Reconnecting
• Appendices/Use Cases and Examples
CSSWG Control System Electronic Connectivity: Executive Summary/Introduction/Scope
• The guideline is being written to provide a general overview of connectivity and security topics while giving the option for deep dives within the Examples appendix
• This guideline is focused on the electric sector and will avoid duplicating existing industry documents
• References to existing frameworks and guidelines will be used when appropriate.
CSSWG Control System Electronic Connectivity: General Principles
• Compartmentalization/Scoping/Segmentation
• Monitoring
• Functionality vs. Security vs. Compliance
• Data Connection Flows
• Defense in Depth
• Programmatic vs. User Access
CSSWG Control System Electronic Connectivity: Network Design Considerations
• Virtualization
• Remote Access/Intermediate Systems
• Data Diodes
• Complete Segregation
• 4-Legged Firewall
• Connecting OT-OT and OT-IT systems
CSSWG Control System Electronic Connectivity: Security Mechanisms
• Access Controls
• User Access & Configuration Management
CSSWG Control System Electronic Connectivity: Disconnecting and Reconnecting
• When to disconnect
• Where to disconnect
• How to disconnect and how to reconnect
CSSWG Control System Electronic Connectivity: Appendices
• Pointers and References
• Bibliography
• Glossary
• Use Cases and Examples
Examples & Use Cases
CSSWG Core Contributors Nadya Bartol Larry Bugh Frances Cleveland Tim Conway Dustin Cornelius
Mikhail Falkovich Cynthia Hill-Watson Michael Johnson Carter Manucy Paul Skare
Cyber Subcommittee Chair: Marc Child; NERC Staff: Laura Brown
CSSWG Remaining Tasks
• Continue to work on the guideline language
• Hold two in-person meetings to finalize the drafts (December and February)
• Distribute the draft guideline to stakeholders (TBD)
Cyber Security Subcommittee
Questions?
CIP Version 5 Revisions Standards Development Update Marisa Hecht, Standards Developer CIPC December 10, 2014
Topics
• Development History
• CIP Version 5 Revisions Directives
  – FERC Order No. 791
  – How the Standard Drafting Team (SDT) responded
• Postings
• Versioning
• Current Comment Period & Ballot
• Next Steps
Development History
• FERC Order No. 791 issued November 2013
• Two technical conferences
• SDT meetings
• SDT conference calls
• Extensive outreach throughout development
CIP Version 5 Revisions - Directives
• Identify, Assess, Correct (IAC) Directive: remove or modify the IAC language, retain the requirement provisions, and clarify the obligations for compliance
  – SDT removed IAC language, revised the VSLs
• Communication Networks (CN) Directive: define communication networks and write standard to protect the nonprogrammable components of communication networks
  – SDT revised CIP-006 and CIP-007, no glossary definition
CIP Version 5 Revisions - Directives
• Low Impact Directive: add objective criteria from which to judge the sufficiency of controls
  – Revised CIP-003-7 Requirement R2 and developed attachment to add detail to the four subject matter areas; created two new definitions
• Transient Devices Directive: develop new or modified standards for transient devices
  – SDT drafted new requirement and attachment for CIP-010-3; reference in CIP-007-7; added language to CIP-004-7 and CIP-011-3 Guidance; revised two definitions and created two new definitions
Postings
• Initial Comment Period and Ballot June 2-July 16 • Additional Comment Period and Ballot September 3-October 17 Version X – IAC and Communication Networks -6 and -3 – Lows and Transient Devices
• Additional Comment Period and Ballot November 25-January 9
Versioning
• July Additional Ballot: CIP-003-6/CIP-010-2
• October Additional Ballot:
  o Version X (IAC/CN only): CIP-003-X/CIP-010-X
  o Lows/Transients: CIP-003-6/CIP-010-2
• October Final Ballot: CIP-003-6/CIP-010-2 (IAC/CN)
• November Board Adoption: CIP-003-6/CIP-010-2
• January Additional Ballot: CIP-003-7/CIP-010-3 (all four directives)
• January Final Ballot: CIP-003-7/CIP-010-3
Current Additional Comment Period & Ballot
• SDT determined additional work was needed in response to comments and posted the following documents:
  o CIP-003-7, CIP-004-7, CIP-007-7, CIP-010-3, and CIP-011-3
  o Definitions
  o Implementation Plan
• Includes language adopted by the NERC Board in November:
  o IAC removal
  o Communication networks revisions
• Revisions addressed the transient devices and lows directives, focused on clarifying language and intent
Next Steps
• Additional Ballot concludes January 9
• SDT will meet January 13-14 at NERC in Atlanta
• Final ballot will be conducted soon after the SDT meeting
• Request NERC Board adoption
• Filed at FERC upon NERC Board adoption
[email protected] 404.446.9620
CIP Version 5 Transition NERC CIPC December Meeting Tobias Whitney, Manager of CIP Assurance [email protected]
Transition Elements
• Continuous Outreach
• Compliance and Enforcement
• Training
• Periodic Guidance
V5 Transition Advisory Group
• NERC, Regions, and stakeholder group
  o Topics to support confidence in implementing Version 5
  o Partner with regions and stakeholders
  o Meets approximately monthly
• Team composition:
  o Implementation study participants
  o Standard Drafting Team representation
  o NERC and Regional Entity staff
• Role:
  o Prioritizes and supports unity of approach on references to enhance stakeholder understanding and implementation of the standards
  o Additional topics for enhanced training/guidance
Lesson Learned Status
• Far-end Relay *
• Programmable Devices
• Generation Segmentation *
• Virtualization (Networks and Servers)
• Serial Devices that are accessed remotely
• Control Centers operated by TOs and non-registered BAs
• Interactive Remote Access (Scripts and Mgt consoles)
• Non-routable infrastructure components
• Shared Substations
• Mixed Trust EACMs *
• General FAQs *
Key Next Steps
• Implementation Study Report (October 2014)
  o CIP Program Management Level Feedback
  o Identification of Lessons Learned
• Monthly Lesson Learned Comment Posting Period
  o Far-end Relay (October)
  o Generation Segmentation (October)
• CIP Version 5 FAQs: 3-5 posted per month
• Final Version 5 RSAWs (Q4)
• RAI - CIP V5 Program Document (Q4)
Physical Security CIP-014-1 NERC Standing Committees December 9-10, 2014
Agenda
• FERC Order Summary
• Standard Drafting Team activities
• Guidance Development Activities
• Implementation Timeline
FERC Order
• November 20, 2014, FERC Order:
  o The Commission approved the standard and directed NERC to remove the term "widespread" from Reliability Standard CIP-014-1, or to propose modifications to the Reliability Standard that address the Commission's concerns, within 6 months of the effective date of the order.
  o Directed NERC to make an informational filing addressing whether CIP-014-1 provides physical security for all "High Impact" control centers necessary for the reliable operation of the Bulk-Power System. The Commission directed NERC to submit this filing within two years after the effective date of the standard.
Standard Drafting Team Activities
• Revised SAR to address use of "widespread" was approved for posting by the NERC SC on December 9, 2014.
• SAR will be posted for 30 days.
• Standard Drafting Team will address any comments received on the SAR and begin the standard development process in January 2015.
Guidance Development Activities
• NERC will work with NATF and other industry groups to develop guidance. The guidance will address:
  o Best practices and effective approaches to meet each requirement
  o Compliance-oriented communication for common regional compliance and enforcement
• Stakeholder groups will be formed to field industry FAQs. The group will include:
  o Industry groups
  o Regional Compliance and Enforcement staff
  o NERC Subcommittees: PC, CIPC
CIP-014-1 Implementation
• Transmission Owner to identify critical facilities on or before the effective date of CIP-014-1 (6 months following FERC approval)
• Tiered implementation timeline for the balance of the requirements (within 15 months)
• Security Plan implementation may specify timelines for completion of security measures
• ERO to monitor implementation
Implementation
• Critical facility identification (R1) complete before the effective date (six months following publication in the Federal Register)
  o Standard approved November 20, 2014
  o Mandatory and Enforceable October 1, 2015
• Third party verification (R2) complete within 90 days of completion of R1:
  o Mandatory and Enforceable no later than December 30, 2015
  o Part 2.3 - revisions to the list could add 60 days
• Notification of other parties (R3) complete within 7 days of completion of R2.
Implementation (continued)
• Evaluate threats and vulnerabilities (R4) and develop security plans (R5):
  o Mandatory and Enforceable 120 days after completion of R2
• Third party review of threats and vulnerabilities and security plans (R6):
  o Mandatory and Enforceable 90 days after completion of R4/R5
  o Part 6.3 - revisions to threats, vulnerabilities and plans could add 60 days
CIP-014-1 Implementation Timeline
Track | Activities | Publish Guidance | Mandatory Enforcement
R1, R2 & R3 Risk Assessment & Verification | Review NATF Guidance (R1) and provide any substantive edits; Develop Compliance and Enforcement Letter to the ERO (R1, R2, R3) | January 2015 | Oct 1, 2015
R4 & R5 Threat Evaluation / Physical Security Plans | Develop Compliance and Enforcement Letter to the ERO (R4, R5) | April 2015 | May 1, 2016
R6 Physical Security Plan Verifications | Develop Compliance and Enforcement Letter to the ERO (R6) | July 2015 | Aug 1, 2016
ERO to Monitor Implementation
• Number of assets critical under the standard
• Defining characteristics of the assets identified as critical
• Scope of security plans (types of security and resiliency contemplated)
• Timelines included for implementing security and resiliency measures
• Industry's progress in implementing the standard
Information
• NERC Standards Developer, Stephen Crutchfield
• NERC CIP Compliance Mgr, Tobias Whitney
• Email at [email protected] or [email protected]
Project Web Page: http://www.nerc.com/pa/Stand/Pages/Project-2014-04-PhysicalSecurity.aspx
CIP-014-1 Standard: http://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-014-1&title=Physical%20Security&jurisdiction=United%20States
Security Training WG Progress Report William Whitney III, Chair David Godfrey, Vice Chair
Security Training WG
1. Charter
   a. CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as educational outreach opportunities.
2. Current Members
   Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, Steen Fjalstad, Daniel Moore, Nick Rasey, and William Whitney III
Security Training WG
3. Latest Activities
   a. Monthly conference calls to discuss goals and actions
   b. Finalizing the HILF recommendation to raise operator awareness about cyber attacks on the grid with SOS and SANS. SANS is currently developing the Operator training.
   c. Provided successful security training opportunities to the industry
   d. Finalizing tasks assigned to us from the GridEx II Lessons Learned
   e. Now recording webinars and CIPC training events; working on online content availability
   f. Continuing to compile a list of free training resources available to entities
Security Training WG 2014 Progress
Date | Name | Registered | Attended | Format
4/16/2014 | Physical Security Management and Programs | 174 | 104 | Web
5/14/2014 | Physical Security Assessments, Design, and Protection Strategies | 277 | 135 | Web
6/10/2014 | Security Technology Awareness Workshop | 110 | 110 | In Person
7/17/2014 | Active Shooter with Danny Coulson | 161 | 87 | Web
(post-webinar) | Active Shooter playbacks post webinar | 80 | 80 | Web
9/16/2014 | Cyber Incident Response Planning Workshop | 75 | 75 | In Person
11/18/2014 | Private Sector Clearance Program | 60 | 42 | Web
Totals | | 937 | 633 |
Security Training WG 2015 Training Schedule
• We plan to provide 12 webinars, 1 each month
• NEW!!! - We plan to expand the workshops prior to CIPC meetings with 2 tracks, one for cyber and one for physical, for a total of 6 in-person training opportunities.
Please let us know what training you and/or your fellow colleagues would like to see in 2015 so we can secure the speakers for that topic. If you or someone you know would like to present on a topic, let us know because we would enjoy the information sharing. Remember, what you may think is common knowledge others might not know!
Security Training WG
1. Training Links
   a. TEEX - http://www.teex.org/
   b. DHS - http://www.dhs.gov/training-programs-infrastructure-partners
   c. DOD - http://iase.disa.mil/eta/online-catalog.html
   d. FEMA - https://training.fema.gov/IS/
   e. DOE - https://ntc.doe.gov/
   f. MS-ISAC - https://msisac.cisecurity.org/resources/videos/free-training.cfm
Have a link for free, quality training? Please share it with us to add to the list.
Security Training WG
4. Next Steps
   a. Continue to expand the list of free on-demand training from reputable agencies and vendors
   b. Schedule and prepare future Pre-CIPC training sessions and webinars
   c. Work with vendors and/or individuals in the industry to provide specific training to industry
      i. This means you and/or your co-workers that have information to share with the industry
   d. Continue work with SOS and SANS to compile operator training with cyber attack scenarios per the HILF recommendations and plan a training date
   e. Complete GridEx II Lessons Learned assignments from the EC
5. CIPC Actions
   a. Concerns and/or suggestions for today's discussion
Questions? [email protected] Or [email protected]
Personnel Security Clearance Task Force (PSCTF) Critical Infrastructure Protection Committee December 9, 2014 Nathan Mitchell, Chair – Policy Subcommittee
Recommendations
• Inform government of the value that industry SMEs bring to classified discussions.
• Use the clearance model outlined in this report to identify and validate industry nominees on a functional basis.
• Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process (ESCC Liaison facilitates clearance nominations).
• Encourage clearance nominees to use the guidance in this report during the PSCP application process.
• Advocate for TS-SCI clearances for ES-ISAC staff.
Work is complete
• With the completion of all the recommendations, the CIPC-EC proposes to dissolve the PSCTF
Thank you PSCTF members!
BES Security Metrics WG Progress Report James W. Sample, Chair Roland Miller, Vice-Chair December 10, 2014
How we fit in!
Activities
Previous Update:
• Drafted "Macro" metrics focused primarily on what a Strong Security Posture looks like for the sector
• Discussed the concept of "Micro" metrics focused primarily on evidence supporting the macro metrics
• Discussed that we were looking into how to leverage ALR by adding security attributes
Activity Since Previous Update:
• Applied the SMART criteria to a number of the "more quantifiable" Macro metrics
• Prioritized these Macro metrics for detailed development
• Proposed including a new section for the 2014 State of Reliability Report to introduce the what and how for these security metrics
Strong Security Posture: Macro Metrics (diagram of metrics 1 through 9)
SMART Criteria
SMART Scores
Metrics rated:
1. Number of entities using C2M2 methodology to assess the maturity of their cyber security program
2. Number of entities using the NERC Cyber Risk Preparedness Assessment (CRPA) program
3. Number and frequency of government-sponsored classified briefings attended by entities
4. ES-ISAC portal being used by entities voluntarily to share information with industry (e.g., average number of portal accesses per quarter per registrant, or participation rate in ES-ISAC conference calls)
5. Number of entities registered to access the ES-ISAC portal to share information (e.g., number of registrants, measured quarterly)
6. Number of ES-ISAC Advisories and Alerts issued per quarter
7. Number of industry entities participating as Active Organizations in the GridEx security exercise
8. Frequency of Reportable Cyber Security Incidents reported by entities
9. Frequency of failure or compromise of cyber security controls (voluntary reporting)
SMART Rating TOTAL column (maximum of 15), values as they appear on the slide: 8, 8, 14, 12, 11, 15, 8, 15, 13
Define Metric in Detail: ALR4-2 (M17)
• Name and definition
• Relevance to reliable BES operations
• Mathematical formula
• Data source and collection process
• Need for pilot
Metric definition template fields:
• Metric Number: ALR4-2 (M17)
• Submittal Date
• Sponsor Group (OC, PC or subgroup name): CIPC BES Security Metrics Working Group
• Short Title
• Metric Description
• Purpose
• How will it be suited to indicate performance?
• Formula
• Metric Start Time or Baseline
• Time Horizon
• Data Collection Interval and Roll Up
• Ease of Collection
• Aggregation
• Linkage to NERC Standard
• Linkage to Data Source
• Need for Validation or Pilot
• Data Submitting Entity
• SMART Rating (Specific/Simple, Measurable, Attainable, Relevant, Tangible/Timely) and Total Score
• Reporting
Next Steps
• Prioritize metrics and proceed with detailed development
• Coordinate with the PC's Performance Analysis Subcommittee and draft a new Security Metrics section for the 2015 State of Reliability Report
  o Less than one page - "Developing Security Metrics"
  o Goals for developing security metrics (i.e., why this would be helpful to the industry)
  o Challenges associated with collecting security metrics (to recognize why this won't be quick or easy)
  o Status of BESSMWG efforts and plan for 2015 (high level)
NERC CIPC Compliance and Enforcement Input Working Group (CEIWG) Update
NERC CIPC, December 9-10, 2014
Paul Crist
• CEIWG Conference Calls: October 9, 2014; November 13, 2014
Agenda Items
1. Update on Lessons Learned
   1. Far End Relays Impact Rating
   2. Generation Segmentation
2. CIP V3 to V5 Transition Updates/Schedule
3. ES-ISAC CEIWG Working Page
4. RAI Process
5. Virtualization
Far End Relays Impact Rating: Comments Submitted
1. Provides clarification for Criterion 2.5
2. Additional guidance still needed:
   1. Criterion 2.4 and "collector bus"
   2. Criterion 2.6 with derivation of IROL and "associated contingencies"
   3. Criterion 2.7 with Transmission Facilities for NUC Interface Requirements
   4. Criterion 2.8 with interconnection Facilities
   5. Criterion 2.9 with SPS, RAS, or automated switching Systems for IROLs
3. Suggested an additional Lesson Learned for guidance on scoping.
Future Work
• Participation in Lessons Learned Document Reviews
• Participation in the RAI Advisory Group
• Participation in the V3-V5 Transition Advisory Group
Virtualization Update
Meetings
• 2nd Thursday of the month at 1:00 CST (let me know if you need the call-in information)
Questions?