Date post: 19-Apr-2020
Critical Electrical Infrastructure: Threats, Vulnerabilities & Regulatory Issues. Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security. Power Grid Resilience Summit, San Diego CA, September 18, 2017
Transcript
Page 1: PGR Summit SanDiegoCA 18Sept2017 JBaugh...Slide4 RecentElectrical(System(Threats(• The(2015(&(2016(cyber(aacks(on(the(Ukrainian(power(grid(signaled(anew(erain(vulnerability(for(electrical

Slide 1

Critical Electrical Infrastructure: Threats, Vulnerabilities & Regulatory Issues

Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security

Power Grid Resilience Summit, San Diego CA, September 18, 2017


Slide 2

Speaker Credentials
• Electrical Utility Experience (44 years)
– Senior Compliance Auditor, Cyber Security
– IT Manager & Power Trading/Scheduling Manager
– IT Program Manager & Project Manager
– NERC Certified System Operator
– Barehand Qualified Transmission Lineman
• Educational Experience
– Degrees earned: Ph.D., MBA, BS-Computer Science
– Certifications: PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM
– Academic & Technical Course Teaching Experience (20+ years)
• Business Strategy, Leadership, and Management
• Information Technology, IT Security, and Project Management
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• CIP Compliance workshops and outreach sessions

September 18, 2017   2017 PGR Summit - San Diego CA


Slide 3

Agenda
• AWARENESS: Increase perception of system vulnerabilities and potential regulatory changes
– Anecdotal evidence of recent electrical system threats
– Potential vectors for attacks and weather related disruptions
– Developments on national cybersecurity strategy and Critical Infrastructure Protection [CIP] Standards
• Q&A


Slide 4

Recent Electrical System Threats
• The 2015 & 2016 cyber attacks on the Ukrainian power grid signaled a new era in vulnerability for electrical and other Industrial Control Systems [ICS]:
– Stuxnet
– BlackEnergy
– Havex
– Crashoverride Framework
– Industroyer
– Palmetto Fusion
– Dragonfly 2.0
• However, some of the vulnerabilities exploited by these attacks have been known since 2009
• What does this say about electrical cybersecurity posture?


Slide 5

Stuxnet (Zetter, 2014)
• First known ICS malware, identified in 2010; used a known Windows print spooler vulnerability and three zero-day OS vulnerabilities to target Siemens PLC software at an Iranian nuclear facility and modify Programmable Logic Controllers [PLC]
• Initially spread with infected USB drives
• Has since infected ICS in other countries, including the U.S. (Kushner, 2013)
• Cyber espionage variants include Flame (identified in 2012, but may predate Stuxnet), Gauss (2011), and Duqu (2011); designed to steal ICS and other information
• Exploit on print spooler vulnerability was published in April 2009, which included source code for exploit
• Microsoft patch [MS10-61] was available in September 2010; updated patch [MS16-087] in July 2016


Slide 6

BlackEnergy (E-ISAC & SANS, 2016)
• Implicated in the 2015 Ukrainian power grid attack by the Sandworm team
• Primary infection used spear phishing attacks on key engineers and IT administrators with infected Word and Excel documents
• Coordinated attacks across three power companies
• Targeted distribution SCADA ICS, but characterized as a test run
– Demonstrated capability to gain a foothold to harvest credentials and information to gain access to ICS networks
– Demonstrated capability to target Cyber Assets at substations and write custom malicious firmware (KillDisk) to render field devices inoperable and unrecoverable
– BlackEnergy and KillDisk were used to enable the attack and delay restoration efforts, but were not capable of opening field devices
– Outages caused by attackers operating HMIs manually
• Remote admin access capabilities, poor VPN practices, and failure to monitor ICS networks contributed to attack reconnaissance months before the actual attack


Slide 7

Havex (Nelson, 2016)
• A Remote Access Trojan [RAT] malware used in 2012-2013 attacks against energy sector companies, also aimed at other ICS users (Constantin, 2014)
• Used by Dragonfly group in spear phishing attacks to gain remote access control over infected ICS computers
• Scans LANs for devices that respond to OPC requests
• Extracts information on network details, harvests Outlook emails, and sends data to Dragonfly servers
• Acts as a conduit for other malware
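Slide 6 names failure to monitor ICS networks as a contributor to months of undetected reconnaissance, and Slide 7 describes Havex locating targets by scanning the LAN for OPC responders. Both come down to the same detection opportunity: one host on the control network opening OPC/DCOM connections to many devices in a short window. The Python below is an added example, not code from the presentation or from any product it mentions; it runs a sliding-window fan-out check over constructed connection-log lines. The log format, the port list (TCP/135 for OPC Classic's DCOM endpoint mapper, TCP/4840 for OPC UA) and the allow-list of legitimate OPC clients are assumptions for the demonstration.

```python
"""Flag OPC/DCOM enumeration sweeps in ICS connection logs.

Constructed example: the log format, port list and allow-list below are
assumptions for this demonstration, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports associated with OPC: TCP/135 (DCOM endpoint mapper, used by OPC
# Classic) and TCP/4840 (OPC UA). Assumption for this example; tune per site.
OPC_PORTS = {135, 4840}

# Hosts that legitimately poll many OPC servers (constructed allow-list:
# an HMI and a historian). Any other source sweeping OPC ports is suspect.
KNOWN_OPC_CLIENTS = {"10.1.7.10", "10.1.7.11"}

# Constructed connection-log lines (firewall/NetFlow style key=value records).
SAMPLE_LOG = [
    "2017-09-18T10:00:01Z src=10.1.7.10 dst=10.1.5.1 dport=135 proto=tcp",
    "2017-09-18T10:00:02Z src=10.1.7.10 dst=10.1.5.2 dport=135 proto=tcp",
    "2017-09-18T10:00:03Z src=10.1.7.10 dst=10.1.5.3 dport=135 proto=tcp",
    "2017-09-18T10:01:00Z src=10.1.9.44 dst=10.1.5.1 dport=135 proto=tcp",
    "2017-09-18T10:01:00Z src=10.1.9.44 dst=10.1.5.2 dport=135 proto=tcp",
    "2017-09-18T10:01:01Z src=10.1.9.44 dst=10.1.5.3 dport=135 proto=tcp",
    "2017-09-18T10:01:01Z src=10.1.9.44 dst=10.1.5.4 dport=135 proto=tcp",
    "2017-09-18T10:02:00Z src=10.1.9.44 dst=10.1.7.50 dport=443 proto=tcp",
    "2017-09-18T10:30:00Z src=10.1.7.11 dst=10.1.5.1 dport=135 proto=tcp",
    "garbage line that should be skipped",
]


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' record; returns a dict or None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    try:
        dport = int(fields["dport"])
    except ValueError:
        return None
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"], "dport": dport}


def detect_opc_sweeps(lines, fanout=5, window=timedelta(minutes=10)):
    """Return one alert per source that contacts at least `fanout` distinct
    hosts on OPC ports within `window`. Sources outside the allow-list are
    held to a threshold of 2: an unknown host has no reason to probe more
    than one OPC server."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in OPC_PORTS:
            per_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        known = src in KNOWN_OPC_CLIENTS
        threshold = fanout if known else 2
        start = 0
        crossed = False
        for i, rec in enumerate(recs):
            # Slide the window: drop records older than `window` before rec.
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            if len({r["dst"] for r in recs[start:i + 1]}) >= threshold:
                crossed = True
                break
        if crossed:
            alerts.append({
                "src": src,
                "known_client": known,
                "targets": sorted({r["dst"] for r in recs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_opc_sweeps(SAMPLE_LOG):
        print(alert)
```

On the constructed log the historian's three polls stay under the allow-listed threshold, the unknown workstation 10.1.9.44 trips the lower threshold on its second target, and the HTTPS record and the malformed line are ignored. In practice the allow-list and thresholds come from the site's own asset inventory, and the alert is the starting point for the kind of ICS-network monitoring the slide says was missing.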


Slide 8

Crashoverride Framework (Dragos, 2017)
• Fourth ICS tailored malware (after Stuxnet, BlackEnergy 2, and Havex)
• Serves no cyberespionage purpose; first malware framework specifically designed and deployed to automatically attack electrical control systems
• Suspected in December 2016 Ukrainian attack and may be linked to Sandworm team, perhaps deployed as a proof of concept due to limited impact of attack
• Not unique to specific vendors or configurations
• Purpose built to impact electrical grid operations and facilitate attacks in other countries
• Uses various Layer 2 and Layer 3 routable and serial protocols to carry out attacks, including Ethernet, DNP3, IEC 104, IEC 101, and IEC 61850 used to control field devices


Slide 9

Industroyer (Cherepanov & Lipovsky, 2017)
• ESET researchers published a paper on Industroyer and called it "a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly" (p. 1)
• ESET believes it is highly probable Industroyer was used in the December 2016 Ukrainian power grid attack
• Industroyer targets common industrial control system communication protocols, including IEC 61850, which were specifically exempted from electronic access control protections included in CIP Standards for many electrical Facilities [but see CIP-012-1 slides below]
• Can also target vendor-specific industrial power control products
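Slides 8 and 9 make the same point from two directions: Crashoverride/Industroyer speak the substation protocols themselves (IEC 104 among them), so a breaker can be operated by anything on the network that can form a valid frame, and those protocols carry no authentication of their own. The defender's counterpart is to decode the protocol on the wire and alert on control commands that do not originate from the control centre. The Python below is an added example, not code from the presentation or from the ESET or Dragos reports; it parses IEC 60870-5-104 APDUs (the APCI header and the ASDU that follows it, as laid out in the standard) and flags command ASDUs whose cause of transmission is activation or deactivation and whose source is not an authorised master. The frames, IP addresses and the authorised-master list are constructed for the demonstration.

```python
"""Decode IEC 60870-5-104 APDUs and flag control commands from unexpected
sources. Constructed example: frames, addresses and the authorised-master
list are assumptions; the byte layout follows IEC 60870-5-104 (APCI = start
byte 0x68, length, four control-field bytes; then the ASDU).
"""

# Control-direction ASDU type IDs (commands); names are the standard's own.
CONTROL_TYPES = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1",
    59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
    63: "C_SE_TC_1", 64: "C_BO_TA_1", 100: "C_IC_NA_1", 101: "C_CI_NA_1",
    102: "C_RD_NA_1", 103: "C_CS_NA_1", 105: "C_RP_NA_1",
}
# First-element size for the commands whose payload we decode; the rest are
# still flagged by type ID without a decoded value.
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 100: 1}
# Causes of transmission that carry a command *to* the outstation. The RTU's
# replies (7 act-con, 9 deact-con, 10 act-term) reuse the command type ID, so
# COT is what separates a command from its echo.
COMMAND_COTS = {6, 8}
# Constructed: the control-centre front-end allowed to issue commands.
AUTHORIZED_MASTERS = {"10.1.7.10"}


def parse_apdu(data):
    """Parse one APDU into a dict; raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing start byte 0x68)")
    if data[1] < 4 or data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match frame length")
    cf = data[2:6]
    if cf[0] & 0x01 == 0:
        fmt = "I"          # information transfer: carries an ASDU
    elif cf[0] & 0x03 == 0x01:
        fmt = "S"          # supervisory: acknowledgement only
    else:
        fmt = "U"          # unnumbered control: STARTDT/STOPDT/TESTFR
    frame = {"format": fmt}
    if fmt == "I":
        frame["send_seq"] = (cf[0] >> 1) | (cf[1] << 7)
    if fmt != "U":
        frame["recv_seq"] = (cf[2] >> 1) | (cf[3] << 7)
    if fmt != "I":
        return frame
    asdu = data[6:]
    if len(asdu) < 9:      # type, VSQ, COT(2), CA(2), first IOA(3)
        raise ValueError("ASDU too short")
    frame.update({
        "type_id": asdu[0],
        "sq": asdu[1] >> 7,              # 1 = one IOA, sequence of elements
        "count": asdu[1] & 0x7F,         # number of objects / elements
        "cot": asdu[2] & 0x3F,           # cause of transmission
        "negative": bool(asdu[2] & 0x40),
        "test": bool(asdu[2] & 0x80),
        "originator": asdu[3],
        "common_address": asdu[4] | (asdu[5] << 8),
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    })
    size = ELEMENT_SIZE.get(frame["type_id"])
    if size and len(asdu) >= 9 + size:
        frame["element"] = bytes(asdu[9:9 + size])
    return frame


def describe_command(frame):
    """Readable decode of the first element for the commands in ELEMENT_SIZE."""
    t, el = frame["type_id"], frame.get("element")
    name = CONTROL_TYPES.get(t, "type %d" % t)
    if el is None:
        return name
    mode = "SELECT" if el[0] & 0x80 else "EXECUTE"   # S/E bit of SCO/DCO/RCO
    if t == 45:            # SCO bit 0 = SCS: 0 off, 1 on
        return "single command %s value=%d" % (mode, el[0] & 0x01)
    if t == 46:            # DCO bits 0-1 = DCS: 1 off, 2 on
        return "double command %s value=%d" % (mode, el[0] & 0x03)
    if t == 100:           # QOI: 20 = station interrogation
        return "interrogation qoi=%d" % el[0]
    return "%s %s" % (name, mode)


def audit_apdu(src, data, authorized=AUTHORIZED_MASTERS):
    """Alert when `src` sends a command (COT activation/deactivation) and is
    not an authorised master; None for replies, measurements and known masters."""
    frame = parse_apdu(data)
    if frame["format"] != "I" or frame["type_id"] not in CONTROL_TYPES:
        return None
    if frame["cot"] not in COMMAND_COTS or src in authorized:
        return None
    return {"src": src, "asdu": CONTROL_TYPES[frame["type_id"]],
            "common_address": frame["common_address"], "ioa": frame["ioa"],
            "detail": describe_command(frame)}


# Constructed frames (hex), all with common address 1.
FRAME_TESTFR_ACT = bytes.fromhex("680443000000")
FRAME_INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")   # C_IC_NA_1, COT 6, QOI 20
FRAME_SINGLE_CMD = bytes.fromhex("680e020000002d010600010064000001")      # C_SC_NA_1, COT 6, IOA 100, execute/on
FRAME_CMD_ACTCON = bytes.fromhex("680e000004002d010700010064000001")      # RTU echo of it, COT 7 (act-con)
FRAME_SP_INDICATION = bytes.fromhex("680e0000020001010300010064000001")   # M_SP_NA_1, COT 3 (spontaneous)

if __name__ == "__main__":
    print(audit_apdu("10.1.9.44", FRAME_SINGLE_CMD))
```

The cause-of-transmission filter matters in practice: an RTU acknowledges every command with the same type ID (COT 7), so alerting on type ID alone would page on every legitimate operation. Whether a command is flagged is decided entirely by the source address in this example; the protocol itself gives the monitor nothing stronger to check, which is exactly the gap the Industroyer paper describes.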


Slide 10

Palmetto Fusion (Perlroth, 2017)
• Palmetto Fusion suspected in Wolf Creek Nuclear station attack in Kansas (2017 May):
– No indication of compromise of operational systems
– Operational network is air-gapped from corporate network, but may be susceptible to infected USB drive
– May have been a mapping attack, but investigators have not been able to analyze the payload
– Introduced as highly targeted email messages with fake infected resumes to senior industrial control engineers
– Techniques mimicked the Sandworm Russian hacking group that has been tied to energy sector attacks since 2012


Slide 11

Dragonfly 2.0 (Greenberg, 2017)
• Symantec recently reported a new series of attacks beginning in 2015 on non-nuclear electrical companies by a group identified as Dragonfly 2.0:
– Attacks leveraged phishing attacks to introduce malware into operational networks
– Attacks were compared to Ukrainian attacks (2015, 2016) by Sandworm that resulted in widespread power outages
– 2017 targets included dozens of energy companies, with more than 20 successful breaches of target networks
– Of these breaches, several gained successful operational access to control interfaces for electrical equipment such as circuit breakers and took screenshots of control panels
– No control actions were committed by attackers, but Symantec reported this may be a pilot test for a larger attack at some strategic time in conjunction with geopolitical events


Slide 12

Attack Vectors
• Nation-state actors
– Future power grid disruptions considered likely in conjunction with geopolitical events
• Terrorist/activist attacks
– Physical attacks on electrical facilities
– Cyber attacks on ICS and associated field devices
• Weather-related hazards
– Requires power grid resiliency preparation instead of cybersecurity countermeasures


Slide 13

Nation-State Actors (BAE, 2017a)
• Provided a "license to hack" by their governments:
– Most likely culprits for electrical grid attacks are Russia, China, Eastern European bloc countries
– Other authors have blamed Stuxnet release on U.S. and Israeli state organizations
– No fear of legal retribution by target countries
– Often closely linked to military and intelligence control
– Have a high level of technical expertise
– Tasked with stealing industrial secrets, disrupting critical infrastructure, eavesdropping on political discussions, conducting propaganda and disinformation campaigns
– Use social engineering, such as highly targeted phishing attacks, to deliver malware to target systems


Slide 14

Terrorist/Activist Attacks
• Motivated by ideological, religious, or personal beliefs
• Individuals or small groups that are difficult to defend against
• Primary goal to disrupt target's activities, discredit operations, and steal sensitive data to further their goals (BAE, 2017b)
• Physical Attacks
– Bombing remote electrical facilities
– Sabotaging transmission lines
– Shooting electrical equipment, such as transformers (e.g., Metcalf substation in April 2013)
– CIP-014-2 developed to enhance physical security measures
• Cyber Attacks
– May use readily available malware source code developed by nation-state actors
– Infect ICS using similar techniques
– Require similar protective cybersecurity countermeasures


Slide 15

Weather Related Hazards
• Unavoidable risks that require power grid resiliency preparation instead of cybersecurity countermeasures
• Geomagnetic Disturbances [GMD]
– Solar flares can cause geomagnetically-induced currents [GIC] that damage critical transformers, adversely affect Reactive Power sources, and cause misoperations of electrical protective equipment
– These impacts may result in voltage collapse and blackouts
– NERC Reliability Standard TPL-007-2 addresses GMD planning
• Cold and warm weather storms can cause widespread electrical outages due to downed power lines
• Mitigating factors to minimize damages and time to repair:
– De-energize critical equipment during GMD event
– Mutual aid, spare materials, and electrical equipment
– Distributed generation facilities
– Geographically separated transmission paths from generation to loads


Slide 16

Preventing Attacks to the Grid
• Companies have been slow to invest the capital funds necessary to update and protect Cyber Assets, with some devices running 30-year-old Operating Systems on critical infrastructure ICS (Kushner, 2013)
• Electric industry participants must step up the pace to improve and enhance overall cybersecurity posture
• Federal and regional efforts currently in place to support cybersecurity


Slide 17

Preventing Attacks to the Grid
• Supporting cybersecurity measures in the North American electrical grid is a massive undertaking, given its size and complexity, as well as the number and variety of electrical industry participants


Slide 18

Recent Cybersecurity Developments
• National Cyber Security Strategy
– NIST Cybersecurity Framework (2014)
– Presidential Executive Order 13800
• Regulatory Developments [CIPv5 Standards]
– Current CIP Standards, including those that directly address cyber or physical attacks
  • CIP-007-6 [System Security Management for Cyber Assets]
  • CIP-014-2 [Physical Security for Transmission Facilities]
– Changes to existing CIPv5 Standards to promote better defenses against automated attacks (pending FERC approval)
  • CIP-003-7 [Security Management Controls]
  • CIP-005-6 [Electronic Security Perimeters]
  • CIP-010-3 [Configuration Change Management & Vulnerability Assessment]
– New CIP Standards (pending NERC/FERC approval)
  • CIP-012-1 [Control Center Communication Networks]
  • CIP-013-1 [Supply Chain Risk Management]


Slide 19

NIST Cybersecurity Framework (2014)
• Developed in response to Executive Order 13636 (Obama, 2013), which cited the need for improved cybersecurity
• Includes a risk-based taxonomy and mechanism to:
– Describe current cybersecurity state
– Describe desired cybersecurity target state
– Identify and prioritize opportunities for improvement
– Assess progress toward target state
– Communicate with internal and external stakeholders about cybersecurity risk
• Provides a continuous improvement framework to reinforce cybersecurity connection to business drivers


Slide 20

NIST Cybersecurity Framework (2014)
• Contains five dynamic core functions to improve cybersecurity:
– Identify
– Protect
– Detect
– Respond
– Recover
• Excellent guideline to develop, review, and improve organizational cybersecurity posture (see Section 3.0, pp. 11-17)


Slide 21

Executive Order 13800
• Presidential executive order (Trump, 2017 May 11) with three key priorities to:
– Protect federal networks,
– Update antiquated and outdated systems, and
– Direct department and agency heads to work together
• Requires the Secretary of Energy and Secretary of Homeland Security and others, within 90 days, to jointly
– Assess the potential for a prolonged power outage associated with a significant cyber incident,
– Evaluate the readiness of the U.S. to manage such an incident, and
– Identify gaps or shortcomings in assets or capabilities to mitigate the consequences of such an incident.


Slide 22

NTIA Comments Example [EEI, 2017]
• National Telecommunications and Information Administration [NTIA] issued a Request for Comments (2017 June 8) on automated threats in response to Executive Order 13800
• Edison Electric Institute [EEI] represents U.S. investor owned utilities [IOUs] and affiliates worldwide
• Supports efforts to address threats to critical infrastructure, particularly from Internet connected devices [ICD]
• Identified automated machine-to-machine attacks as a top threat to the electrical grid
• A good example of common electrical industry cybersecurity concerns
• EEI comments addressed (pp. 2-4):
– What works
– Gaps
– Addressing the problem
– Governance and collaboration
– Policy and the role of government
– International issues
– The role of users


Slide 23

EO 13800 - Power Grid Resilience
• KPMG (2017) developed a white paper that recognized the threats posed by cybersecurity attacks on the BES to U.S. national security and summarized key points for developing countermeasures and resiliency, including (pp. 2-3):
– Build success through business transformation
– Do not assume technology is the "silver bullet"
– Drive transformation through senior leaders
– Maintain a risk management approach
– Continually monitor risks and results
– Embed good cybersecurity practices in routine management of critical assets and infrastructure
– Align cybersecurity with business priorities and initiatives
– Adopt best practices in cybersecurity
– Build a first-class cyber workforce


Slide 24

EO 13800 - Power Grid Resilience
• The Department of Energy [DOE] (2017) prepared a staff report in response to Executive Order 13800
• This report focused primarily on generation resource portfolios and the impact of retirement of generation plants on the U.S. workforce, and also looked at new workforce needs from Variable Renewable Energy [VRE] sources.
• The report also discussed electrical infrastructure resiliency in terms of hardening against and recovery from cyber attacks and severe natural events (p. 63):
– Hardening refers to physically changing infrastructure to make it less susceptible to damage.
– Recovery refers to the ability of an energy facility to recover quickly from damage to any of its components or to any of the external systems on which it depends – typically through storage and redundancy.
• Recovery measures do not prevent damage, but enable continued operations despite damage and a more rapid return to normal operations.
• Electrical entities should consider advance planning for contingencies, interagency coordination, and training exercises to develop an effective restoration process. [See also CIP-008-5: R1-R3]


Slide 25

EO 13800 - Workforce Development
• NIST held a workshop on cybersecurity workforce development in Chicago (2017 August 2) in response to the EO 13800 directive to assess efforts to educate and train a cybersecurity workforce and provide a report to the President on means to support the growth and sustainment of a cybersecurity workforce
• NIST (Newhouse, et al., 2017) published the NICE Cybersecurity Workforce Framework, which establishes a taxonomy and common lexicon to describe all cybersecurity work and workers irrespective of where or for whom the work is performed
• The NICE framework identifies tasks in cybersecurity work roles that may help educators prepare students with the skills needed by employers
• NIST also stressed the importance of developing and retaining current skilled talent


Slide 26

EO 13800 - Workforce Development
• BSA and the Software Alliance (2017) provided comments on the NIST workforce effort and discussed these points:
– Over 1.5 MM global cybersecurity jobs are expected to be unfilled by 2020, exposing the public and private sectors to cyber attacks
– Cybersecurity education must be improved and expanded through investments in new programs to address critical challenges
– Explore alternative pathways to cybersecurity careers that do not require a four-year degree in Computer Science:
  • Apprenticeship programs,
  • Community colleges,
  • Cybersecurity "boot camps,"
  • Short-term intensive training academies, and
  • Relevant government or military service.
– Expand re-training opportunities for mid-career professionals


Slide 27

CIPv5 Standards [NERC, 2012]
• Revised from the prior version (CIPv3) to provide cybersecurity protections to all BES assets in the North American grid
• Approved by FERC in 2012, became effective in 2016
• Key difference: CIPv5 provides cybersecurity protections at the BES Cyber System [BCS] level instead of at the individual Critical Assets with Critical Cyber Assets [CCA] level, as under CIPv3
• Expanded CIP protections to many more BES Assets
• Apply CIP-002-5.1a Impact Rating Criteria [IRC] to classify three impact ratings of BES Cyber Systems [BCS] at all BES Assets:
– High impact BCS
– Medium impact BCS
– BCS at Low impact BES Assets [LIBCS]

[Figure: IRC 3.6 DP Assets]


Slide 28

List of Current NERC CIPv5 Standards
• CIP-002-5.1a – BES Cyber System Categorization
• CIP-003-6 – Security Management Controls
• CIP-004-6 – Personnel and Training
• CIP-005-5 – Electronic Security Perimeters
• CIP-006-6 – Physical Security of BES Cyber Systems
• CIP-007-6 – System Security Management
• CIP-008-5 – Incident Reporting and Response Planning
• CIP-009-6 – Recovery Plans for BES Cyber Systems
• CIP-010-2 – CCM & VA
• CIP-011-2 – Information Protection
• CIP-014-2 – Physical Security


Slide 29

CIP-007-6 – Current Protections
• Operates at the BES Cyber Asset [BCA] level for High and Medium BCS
– R1 requires measures to protect the use of network accessible and physical ports
– R2 requires measures to evaluate or mitigate security patches on a regular interval
– R3 requires cybersecurity methods to mitigate the threat of malicious code
– R4 requires logs and alerts to monitor and defend against electronic intrusions at the BCS level
– R5 requires access control for individual and shared accounts, including measures to enforce regular password changes and complexity
• Can CIP-007-6 be strengthened to address automated attacks?


Slide 30

CIP-014-2 – Current Protections
• Significantly different from the other CIP Standards, including physical security Standard CIP-006-6
• Focuses on Physical Security at the Critical Transmission BES Asset Facility level instead of BCS
– Requires Transmission Owners to identify their BES Assets that meet the Section 4.1.1 criteria to develop a list of candidate BES Assets, if any such exist, then
– Requires a Risk Assessment ([R1] power flow and transient stability studies verified by [R2] unaffiliated third-party review) on each candidate BES Asset to identify those Critical Facilities "that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection"; these must be afforded the full protections of CIP-014-2 [R3-R6] by the TO and TOP Registered functions.


Slide 31

CIP-003-7 – Proposed Changes
• R1 - Established required Cybersecurity policies for:
– High BCS and Medium BCS [R1.1.1 - R1.1.9: No change]
– LIBCS [R1.2.1 - R1.2.4: No change]
– Required new cybersecurity policies for LIBCS:
  • R1.2.5 - Malicious code mitigation for Transient Cyber Assets [TCA], Removable Media [RM]
  • R1.2.6 - Declaring and responding to CIP Exceptional Circumstances
• R2 - Established Cybersecurity plans for LIBCS [see Attachment 1, Sections 1 - 4]
– Required new LIBCS cybersecurity plans
  • Section 5: TCA and RM malicious code risk mitigation plans.


 Slide  32  

CIP-005-6 – Proposed Changes
•  New Part 2.4
  –  Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Access and system-to-system access).
•  New Part 2.5
  –  Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and system-to-system remote access).
•  Proposed by the CIP-013-1 Standards Drafting Team [SDT] to address supply chain risk management concerns relative to vendor access to High BCS and Medium BCS with External Routable Connectivity [ERC].
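Added example (not from the presentation or from NERC): one way a Registered Entity could implement a Part 2.4 method and a Part 2.5 method, in Go. It replays constructed LOGIN/LOGOUT audit lines from a hypothetical jump host (the line format, the "vnd-" account-prefix convention for vendor accounts, and the Terminator hook are all assumptions of this example) to list the vendor sessions still open at a given instant, then closes them through the hook that a real deployment would wire to the VPN concentrator or jump host API.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed jump-host audit lines for this example (not any real product's
// format): "<RFC3339 time> LOGIN|LOGOUT id=<session> user=<account> kind=interactive|system".
// Lines are assumed to be in time order, as an audit log export would be.
const sampleLog = `2017-09-18T12:00:00Z LOGIN id=s2 user=vnd-scadaco kind=system
2017-09-18T12:30:00Z LOGOUT id=s2 user=vnd-scadaco kind=system
2017-09-18T13:00:00Z LOGIN id=s1 user=vnd-relayco kind=interactive
2017-09-18T13:10:00Z LOGIN id=s3 user=jdoe kind=interactive
2017-09-18T13:15:00Z LOGIN id=s4 user=vnd-scadaco kind=system
`

// Session is one open remote access session.
type Session struct {
	ID, User, Kind string
	Start          time.Time
}

// isVendor assumes the entity's naming convention that vendor accounts carry a
// "vnd-" prefix (an assumption of this example; a directory group lookup would also do).
func isVendor(user string) bool { return strings.HasPrefix(user, "vnd-") }

// field returns the value of key=value among whitespace-separated fields.
func field(fields []string, key string) string {
	for _, f := range fields {
		if strings.HasPrefix(f, key+"=") {
			return strings.TrimPrefix(f, key+"=")
		}
	}
	return ""
}

// ActiveVendorSessions is a Part 2.4 style method: replay LOGIN/LOGOUT events up
// to `now` and return the vendor sessions that have not been closed, oldest first.
func ActiveVendorSessions(auditLog string, now time.Time) ([]Session, error) {
	open := map[string]Session{}
	var order []string
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		if ts.After(now) {
			break // later events have not happened yet from the viewpoint of `now`
		}
		id := field(f, "id")
		switch f[1] {
		case "LOGIN":
			open[id] = Session{ID: id, User: field(f, "user"), Kind: field(f, "kind"), Start: ts}
			order = append(order, id)
		case "LOGOUT":
			delete(open, id)
		}
	}
	var out []Session
	seen := map[string]bool{}
	for _, id := range order {
		if s, ok := open[id]; ok && isVendor(s.User) && !seen[id] {
			seen[id] = true
			out = append(out, s)
		}
	}
	return out, nil
}

// Terminator is the hook for a Part 2.5 "disable" method; a real one would call the
// VPN concentrator or jump host. recorder stands in for it and only records the IDs.
type Terminator interface{ Terminate(sessionID string) error }

type recorder struct{ Killed []string }

func (r *recorder) Terminate(id string) error { r.Killed = append(r.Killed, id); return nil }

// DisableVendorAccess closes every active vendor session and returns the IDs closed.
func DisableVendorAccess(auditLog string, now time.Time, t Terminator) ([]string, error) {
	active, err := ActiveVendorSessions(auditLog, now)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, s := range active {
		if err := t.Terminate(s.ID); err != nil {
			return ids, fmt.Errorf("terminate %s: %w", s.ID, err)
		}
		ids = append(ids, s.ID)
	}
	return ids, nil
}

func main() {
	now, _ := time.Parse(time.RFC3339, "2017-09-18T13:20:00Z")
	active, _ := ActiveVendorSessions(sampleLog, now)
	for _, s := range active {
		fmt.Printf("active vendor session %s user=%s kind=%s since %s\n", s.ID, s.User, s.Kind, s.Start.Format(time.RFC3339))
	}
	rec := &recorder{}
	ids, _ := DisableVendorAccess(sampleLog, now, rec)
	fmt.Println("terminated:", ids)
}
```

At 13:20 the replay reports s1 (interactive) and s4 (system-to-system) as the open vendor sessions and ignores s2 (closed) and s3 (an employee); the same replay evaluated at 12:15 reports only s2, which is the kind of point-in-time evidence an auditor asks for under Part 2.4.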


 Slide  33  

CIP-010-3 – Proposed Changes
•  New Part 1.6:
  –  Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2, and 1.1.5 (operating system or firmware, commercially available or open-source application software, and security patches), and when the method to do so is available to the Responsible Entity from the software source:
    1.6.1.  Verify the identity of the software source; and
    1.6.2.  Verify the integrity of the software obtained from the software source. (p. 13)
•  Proposed by the CIP-013-1 Standards Drafting Team [SDT] to address supply chain risk management concerns relative to the integrity of software and firmware upgrades to High BCS and Medium BCS.
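Added example (not from the presentation, from NERC, or from any vendor) of how the two halves of Part 1.6 separate in code, in Go using only the standard library. The vendor side is constructed here so the example runs offline; the sha256sum-style hash manifest, the fixed key seed and the detached Ed25519 signature are assumptions of this example, not any vendor's release process. The entity pins the vendor's public key and checks the manifest signature first (1.6.1, source identity), then compares the package digest against the manifest (1.6.2, integrity). The scenario shows why both checks are needed: a flipped bit in the image fails the digest, and an impostor who re-signs a matching manifest for a modified image passes the digest but fails the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest lines the vendor signs: "<sha256 hex>  <filename>" (sha256sum style).
// The manifest format and the detached Ed25519 signature are assumptions of this example.

var ErrBadSignature = errors.New("manifest signature does not verify under the pinned vendor key (1.6.1 source identity)")
var ErrNotListed = errors.New("file not listed in manifest")
var ErrBadDigest = errors.New("package digest does not match manifest (1.6.2 integrity)")

// VerifyPackage checks both halves of Part 1.6: the manifest must be signed by the
// pinned vendor key, and the package bytes must hash to the manifest entry.
func VerifyPackage(pinned ed25519.PublicKey, manifest, sig []byte, filename string, pkg []byte) error {
	if !ed25519.Verify(pinned, manifest, sig) {
		return ErrBadSignature
	}
	want := ""
	for _, line := range strings.Split(string(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == filename {
			want = f[0]
		}
	}
	if want == "" {
		return ErrNotListed
	}
	sum := sha256.Sum256(pkg)
	got := hex.EncodeToString(sum[:])
	if got != want {
		return fmt.Errorf("%w: got %s want %s", ErrBadDigest, got, want)
	}
	return nil
}

// --- vendor side, constructed for the example so it runs offline ---

// vendorKey derives a deterministic key pair from a fixed seed (assumption). A real
// vendor key is obtained out of band and only its public half is pinned by the entity.
func vendorKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// publish builds and signs a manifest for one package (the vendor's release step).
func publish(priv ed25519.PrivateKey, filename string, pkg []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(pkg)
	manifest = []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), filename))
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyScenario runs the three cases a verifier must distinguish and returns their outcomes.
func VerifyScenario() (genuine, tamperedPkg, wrongSigner error) {
	pub, priv := vendorKey(0x11)    // the vendor whose key the entity has pinned
	_, otherPriv := vendorKey(0x22) // an impostor with a different key
	firmware := []byte("relay-fw-4.2.1 constructed image bytes") // constructed sample
	manifest, sig := publish(priv, "relay-fw-4.2.1.bin", firmware)

	genuine = VerifyPackage(pub, manifest, sig, "relay-fw-4.2.1.bin", firmware)

	modified := append([]byte{}, firmware...)
	modified[0] ^= 0x01 // one bit changed in transit or on a mirror
	tamperedPkg = VerifyPackage(pub, manifest, sig, "relay-fw-4.2.1.bin", modified)

	// The impostor signs a manifest that matches its own modified image: the digest
	// would check out, but the signature is not from the pinned key.
	m2, s2 := publish(otherPriv, "relay-fw-4.2.1.bin", modified)
	wrongSigner = VerifyPackage(pub, m2, s2, "relay-fw-4.2.1.bin", modified)
	return
}

func main() {
	g, tp, ws := VerifyScenario()
	fmt.Println("genuine:      ", g)
	fmt.Println("tampered pkg: ", tp)
	fmt.Println("wrong signer: ", ws)
}
```

The order of the checks matters: verifying the signature before trusting any digest in the manifest is what makes the hash comparison meaningful, since an unsigned or re-signed hash list only proves that the image matches whatever the attacker published.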


 Slide  34  

CIP-012-1 – New Standard
•  Addresses cybersecurity protections for data in transit between key Control Centers
•  Proposed modifications to the Control Center definition
•  [R1] Requires documented plans to mitigate the risk of unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers
  –  Excludes oral communications between Control Centers
  –  [R1.1] Risk mitigation shall be accomplished by one or more of the following actions:
    •  Physically protecting the communication links transmitting the data;
    •  Logically protecting the data during transmission; or
    •  Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.
•  [R2] The Responsible Entity shall implement the plan(s) specified in Requirement R1, except under CIP Exceptional Circumstances
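Added example (not from the presentation or from NERC) of the "logically protecting the data during transmission" option, in Go: each Real-time monitoring record sent from one Control Center to another is sealed with AES-256-GCM, with a per-link sequence number and the sender and receiver identifiers bound in as associated data, so the receiver rejects a modified, replayed or misrouted record in addition to keeping the contents confidential. The pre-shared key, the Control Center identifiers and the record format are assumptions of this example; a real link would obtain its keys from TLS, IPsec/IKE or a key management system rather than embed them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope carries one protected record between Control Centers.
type Envelope struct {
	Seq   uint64 // per-link counter, bound into the authentication tag
	Nonce []byte
	Body  []byte // ciphertext || GCM tag
}

var ErrTampered = errors.New("record rejected: authentication failed (modified, misrouted or replayed)")

// Link is one direction of a Control-Center-to-Control-Center channel. From/To are
// the Control Center identifiers bound into every record as associated data.
type Link struct {
	aead     cipher.AEAD
	From, To string
	sendSeq  uint64
	recvSeq  uint64 // highest sequence accepted so far
}

// NewLink takes a 16/24/32-byte AES key (pre-shared here; an assumption of the example).
func NewLink(key []byte, from, to string) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead, From: from, To: to}, nil
}

// aad is the associated data: sequence number plus endpoints, authenticated but not encrypted.
func (l *Link) aad(seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return append(b, []byte(l.From+"->"+l.To)...)
}

// Protect encrypts and authenticates one record (sender side).
func (l *Link) Protect(record []byte) (Envelope, error) {
	l.sendSeq++
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Seq: l.sendSeq, Nonce: nonce, Body: l.aead.Seal(nil, nonce, record, l.aad(l.sendSeq))}, nil
}

// Open verifies and decrypts one record (receiver side). Any change to the body, nonce,
// sequence or endpoints fails the tag; a sequence not above the last accepted one is a replay.
func (l *Link) Open(e Envelope) ([]byte, error) {
	if e.Seq <= l.recvSeq {
		return nil, ErrTampered
	}
	pt, err := l.aead.Open(nil, e.Nonce, e.Body, l.aad(e.Seq))
	if err != nil {
		return nil, ErrTampered
	}
	l.recvSeq = e.Seq
	return pt, nil
}

// TransitScenario sends one constructed telemetry record and exercises the failure modes.
func TransitScenario() (ok bool, modified, replayed, misrouted error) {
	key := make([]byte, 32)
	copy(key, []byte("constructed-demo-key-not-for-use")) // 32 bytes, example only
	tx, _ := NewLink(key, "CC-A", "CC-B")
	rx, _ := NewLink(key, "CC-A", "CC-B")
	record := []byte("BUS-17 kV=345.1 MW=512.0 status=CLOSED") // constructed sample record

	env, _ := tx.Protect(record)
	pt, err := rx.Open(env)
	ok = err == nil && string(pt) == string(record)

	bad := env
	bad.Body = append([]byte{}, env.Body...)
	bad.Body[10] ^= 0x40 // an attacker changes one ciphertext byte
	rxM, _ := NewLink(key, "CC-A", "CC-B")
	_, modified = rxM.Open(bad)

	_, replayed = rx.Open(env) // the genuine record delivered a second time

	rxC, _ := NewLink(key, "CC-A", "CC-C") // a record meant for CC-B arriving at CC-C
	_, misrouted = rxC.Open(env)
	return
}

func main() {
	ok, m, r, mr := TransitScenario()
	fmt.Println("genuine accepted:", ok)
	fmt.Println("modified:", m)
	fmt.Println("replayed:", r)
	fmt.Println("misrouted:", mr)
}
```

Binding the endpoints into the associated data is what distinguishes "logically protecting the data" from merely encrypting it: R1 names modification as well as disclosure, and a tag that covers the sequence number and the route lets the receiving Control Center detect both an altered record and a valid one injected on the wrong link.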


 Slide  35  

Scope of CIP-012-1

[Figure: scope of CIP-012-1] (NERC, 2017 Aug 11, Technical Rationale for CIP-012-1, p. 5)

•  Extends cyber security protections to communications networks between key Control Centers


 Slide  36  

CIP-013-1 – New Standard
•  Addresses cybersecurity risks for Supply Chain Risk Management [SCRM] of High and Medium BCS
•  Addresses the FERC directives in Order No. 829 (FERC, 2016, P 45, p. 49885):
  1.  Software integrity and authenticity [see CIP-010-3 Part 1.6];
  2.  Vendor remote access [see CIP-005-6 Parts 2.4, 2.5];
  3.  Information system planning; and
  4.  Vendor risk management and procurement controls.
•  Does not require abrogation or renegotiation of existing contracts


 Slide  37  

CIP-013-1 – New Standard
•  Collectively, the provisions of CIP-013-1 address an entity's controls for managing cyber security risks to BES Cyber Systems during the planning, acquisition, and deployment phases of the system life cycle, as shown below (p. 6).

[Figure: planning, acquisition, and deployment phases of the system life cycle]


 Slide  38  

CIP-013-1 – New Standard
•  [R1] Each Responsible Entity shall develop one or more documented SCRM plans for High and Medium BCS that include:
  –  [R1.1] One or more process(es) used in planning for the procurement of BCS to identify and assess cybersecurity risks to the BES from vendor products or services resulting from:
    i.  Procuring and installing vendor equipment and software
    ii.  Transitions from one vendor to another


 Slide  39  

CIP-013-1 – R1.2 Continued
•  [R1.2] One or more process(es) used in procuring BCS that address the following, as applicable:
  –  1.2.1.  Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  –  1.2.2.  Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  –  1.2.3.  Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  –  1.2.4.  Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  –  1.2.5.  Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System [see also proposed CIP-010-3 Part 1.6]; and
  –  1.2.6.  Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s) [see also proposed CIP-005-6 Parts 2.4, 2.5].


 Slide  40  

CIP-013-1 – New Standard
•  [R2] Each Responsible Entity shall implement its SCRM plan(s) specified in Requirement R1.
•  [R3] Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.


 Slide  41  

More Changes on the Horizon
•  Cybersecurity in the Cloud
  –  Very hot topic in compliance and operations circles in the electrical industry
  –  There is a push to develop a CIP Standard relative to cybersecurity protections for cloud services
•  More changes as directed by FERC for existing CIP Standards
  –  FERC has exhibited a tendency in the past to approve submitted Standards, but direct NERC to address any residual areas of concern moving forward
  –  FERC is paying close attention to the issues related to cybersecurity attacks on the critical electrical infrastructure, including automated attacks on ICS
  –  I expect this tendency to direct changes and scrutiny on all things cybersecurity to continue and increase in the future


 Slide  42  

Speaker Contact Information

Joseph B. Baugh, Ph.D.  PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
jbaugh (at) wecc (dot) biz  (C) 520.331.6351  (O) 360.600.6631


 Slide  43  

References
•  BAE Systems. (2017a). The nation state actor: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor
•  BAE Systems. (2017b). The activist: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-activist
•  BSA | The Software Alliance. (2017). Cybersecurity workforce RFI [Docket Number 170627596-7596-01]. Retrieved from https://www.nist.gov/sites/default/files/documents/2017/08/04/bsa.pdf
•  Cherepanov, A., & Lipovsky, R. (2017 June 12). Industroyer: Biggest threat to industrial control systems since Stuxnet. WeLiveSecurity. Retrieved from https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
•  Constantin, L. (2014 June 24). New Havex malware variants target industrial control system and SCADA users. PC World. Retrieved from https://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html


 Slide  44  

References
•  Department of Energy. (2017 August). Staff report to the Secretary on electricity markets and reliability. Retrieved from https://energy.gov/sites/prod/files/2017/08/f36/Staff%20Report%20on%20Electricity%20Markets%20and%20Reliability_0.pdf
•  Dragos Inc. (2017 June 12). CRASHOVERRIDE: Analysis of the threat to electric grid operations [v2.20170613]. Retrieved from https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
•  Edison Electric Institute [EEI]. (2017 July 28). Response to NTIA request for comments on botnets. Retrieved from https://www.ntia.doc.gov/files/ntia/publications/eei_comments_-_ntia_botnets_rfc_28july2017.pdf
•  E-ISAC & SANS. (2016 March 18). Analysis of the cyber attack on the Ukrainian power grid: Defense use case. Retrieved from http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf


 Slide  45  

References
•  FERC. (2016 July 21). Revised Critical Infrastructure Protection Reliability Standards [Order No. 829]. Federal Register, 81(146), pp. 49878-49894 [2016 July 29]. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2016-07-29/pdf/2016-17842.pdf
•  Greenberg, A. (2017 Sept 6). Hackers gain direct access to US power grid controls. Wired. Retrieved from https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/amp
•  KPMG. (2017 August). Strengthening cybersecurity of federal networks and critical infrastructure: Perspectives on implementation challenges and leading practices. Retrieved from http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/presidential-executiveorder-whitepaper.pdf
•  Kushner, D. (2013 Feb 26). The real story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran's nuclear-fuel enrichment program. IEEE Spectrum. Retrieved from https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet


 Slide  46  

References
•  NERC. (2017 Aug 11). Technical Rationale and Justification for Reliability Standard CIP-012-1. Retrieved from http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/2016-02_Technical_Rationale_and_Justification_CIP-012-1_08142017.pdf
•  NERC. (2017 July). CIP-013-1 – Cyber security – Supply chain risk management [Draft 1]. Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-013-1_Clean_071117.pdf
•  Nelson, N. (2016 Jan 18). The impact of Dragonfly malware on industrial control systems. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672
•  Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017 August). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [NIST Special Publication 800-181]. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
•  NIST. (2014 Feb 12). Framework for improving critical infrastructure cybersecurity [v1.0]. Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf


 Slide  47  

References
•  Obama, B. H. (2013 Feb 12). Presidential Executive Order 13636: Improving critical infrastructure cybersecurity. Federal Register, 78(33), pp. 11739-11744 [2013 Feb 19]. Retrieved from https://www.gsa.gov/portal/getMediaData?mediaId=176567
•  Perlroth, N. (2017 July 6). Hackers are targeting nuclear facilities. NY Times. Retrieved from https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html?rref=collection%2Ftimestopic%2FStuxnet&action=click&contentCollection=timestopics&region=stream&module=stream_unit&version=latest&contentPlacement=1&pgtype=collection
•  Trump, D. J. (2017 May 11). Presidential Executive Order 13800: Strengthening the cybersecurity of federal networks and critical infrastructure. Federal Register, 82(93), pp. 22391-22397 [2017 May 16]. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2017-05-16/pdf/2017-10004.pdf
•  Zetter, K. (2014 Nov 3). An unprecedented look at Stuxnet, the world's first digital weapon. Wired. Retrieved from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
