Critical Electrical Infrastructure: Threats, Vulnerabilities & Regulatory Issues
Dr. Joseph B. Baugh Senior Compliance Auditor, Cyber Security
Power Grid Resilience Summit San Diego CA – September 18, 2017
Slide 2
Speaker Credentials
• Electrical Utility Experience (44 years)
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Certifications: PMP, CISSP, CISA, CRISC, CISM, NSA-IAM/IEM
  – Academic & Technical Course Teaching Experience (20+ years)
• Business Strategy, Leadership, and Management
• Information Technology, IT Security, and Project Management
• PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
• CIP Compliance workshops and outreach sessions
September 18, 2017 2017 PGR Summit - San Diego CA
Slide 3
Agenda
• AWARENESS: Increase perception of system vulnerabilities and potential regulatory changes
  – Anecdotal evidence of recent electrical system threats
  – Potential vectors for attacks and weather-related disruptions
  – Developments in national cybersecurity strategy and Critical Infrastructure Protection [CIP] Standards
• Q&A
Slide 4
Recent Electrical System Threats
• The 2015 and 2016 cyber attacks on the Ukrainian power grid signaled a new era in vulnerability for electrical and other Industrial Control Systems [ICS]. The malware and campaigns discussed in the following slides:
  – Stuxnet
  – BlackEnergy
  – Havex
  – Crashoverride Framework
  – Industroyer
  – Palmetto Fusion
  – Dragonfly 2.0
• However, some of the vulnerabilities exploited by these attacks have been known since 2009
• What does this say about electrical cybersecurity posture?
Slide 5
Stuxnet (Zetter, 2014)
• First known ICS malware; identified in 2010. Used a previously published Windows print spooler vulnerability and three zero-day OS vulnerabilities to reach the Siemens PLC programming software at an Iranian nuclear facility and modify the Programmable Logic Controllers [PLC]
• Initially spread with infected USB drives
• Has since infected ICS in other countries, including the U.S. (Kushner, 2013)
• Related cyber-espionage tools include Flame (identified in 2012, but may predate Stuxnet), Gauss (2011), and Duqu (2011); designed to steal ICS and other information
• An exploit for the print spooler vulnerability, including source code, was published in April 2009
• Microsoft patch [MS10-061] was available in September 2010; updated patch [MS16-087] in July 2016
Slide 6
BlackEnergy (E-ISAC & SANS, 2016)
• Implicated in the 2015 Ukrainian power grid attack by the Sandworm team
• Primary infection used spear phishing attacks against key engineers and IT administrators with weaponized Word and Excel documents
• Coordinated attacks across three regional power distribution companies
• Targeted distribution SCADA ICS, but characterized as a test run
  – Demonstrated capability to gain a foothold, harvest credentials and information, and use them to gain access to ICS networks
  – Demonstrated capability to target Cyber Assets at substations: custom malicious firmware was written to serial-to-Ethernet converters to render field devices inoperable and unrecoverable, and the KillDisk wiper was used against workstations and servers
  – BlackEnergy and KillDisk were used to enable the attack and delay restoration efforts, but were not themselves capable of opening field devices (breakers)
  – Outages were caused by attackers operating the HMIs manually through the utilities' existing remote access tools
• Remote admin access capabilities, poor VPN practices (e.g., no two-factor authentication), and failure to monitor ICS networks allowed attack reconnaissance for months before the actual attack
Slide 7
Havex (Nelson, 2016)
• A Remote Access Trojan [RAT] used in 2012-2013 attacks against energy sector companies, also aimed at other ICS users (Constantin, 2014)
• Used by the Dragonfly group to gain remote control over infected ICS computers; delivered through spear phishing, watering-hole websites, and trojanized installers placed on compromised ICS vendor websites
• Scans the local network for hosts that respond to OPC (OLE for Process Control) requests and enumerates the OPC servers it finds
• Extracts network details, harvests Outlook address book information, and sends the data to Dragonfly command-and-control servers
• Acts as a conduit for other malware
Slide 8
Crashoverride Framework (Dragos, 2017)
• Fourth ICS-tailored malware (after Stuxnet, BlackEnergy 2, and Havex)
• Serves no cyber-espionage purpose; first malware framework specifically designed and deployed to automatically attack electrical control systems
• Suspected in the December 2016 Ukrainian attack on a transmission substation near Kiev and may be linked to the Sandworm team; perhaps deployed as a proof of concept, given the limited impact of the attack
• Not unique to specific vendors or configurations
• Purpose-built to impact electrical grid operations and facilitate attacks in other countries
• Modular: a launcher loads payload modules that speak the serial and routable protocols used to control field devices (IEC 101 over serial links; IEC 104, IEC 61850 and OPC DA over Ethernet/IP). Dragos observed no DNP3 module but noted that the framework could readily be extended with one; DNP3 is the protocol most North American utilities use
Slide 9
Industroyer (Cherepanov & Lipovsky, 2017)
• ESET researchers published a paper on Industroyer (ESET's name for the same malware Dragos calls Crashoverride) and called it "a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly" (p. 1)
• ESET believes it is highly probable Industroyer was used in the December 2016 Ukrainian power grid attack
• Industroyer targets common industrial control system communication protocols, including IEC 61850, which run over the communication networks between discrete Electronic Security Perimeters that CIP-002-5.1a Section 4.2.3.2 exempts from the electronic access control protections of the CIP Standards for many electrical Facilities [but see the CIP-012-1 slides below]
• Can also target vendor-specific industrial power control products (the ESET paper describes a denial-of-service module against a family of Siemens SIPROTEC protection relays)
Slide 10
Palmetto Fusion (Perlroth, 2017)
• Palmetto Fusion is the name given to the intrusion campaign suspected in the Wolf Creek Nuclear station attack in Kansas (May 2017):
  – No indication of compromise of operational systems
  – The operational network is air-gapped from the corporate network, but may be susceptible to infected USB drives
  – May have been a mapping (reconnaissance) attack, but investigators have not been able to analyze the payload
  – Introduced as highly targeted email messages carrying fake, malware-laden resumes sent to senior industrial control engineers
  – Techniques mimicked those of the Russian hacking group Energetic Bear (also known as Dragonfly), which has been tied to energy sector attacks since at least 2012
Slide 11
Dragonfly 2.0 (Greenberg, 2017)
• Symantec recently reported a new series of attacks, beginning in 2015, on non-nuclear electrical companies by a group identified as Dragonfly 2.0:
  – Attacks leveraged phishing to introduce malware into operational networks
  – Attacks were compared to the Ukrainian attacks (2015, 2016) by Sandworm that resulted in widespread power outages
  – 2017 targets included dozens of energy companies, with more than 20 successful breaches of target networks
  – Of these breaches, several gained operational access to control interfaces for electrical equipment such as circuit breakers, and the attackers took screenshots of the control panels
  – No control actions were taken by the attackers, but Symantec reported this may be a pilot test for a larger attack at some strategic time in conjunction with geopolitical events
Slide 12
Attack Vectors
• Nation-state actors
  – Future power grid disruptions considered likely in conjunction with geopolitical events
• Terrorist/activist attacks
  – Physical attacks on electrical facilities
  – Cyber attacks on ICS and associated field devices
• Weather-related hazards
  – Require power grid resiliency preparation instead of cybersecurity countermeasures
Slide 13
Nation-State Actors (BAE, 2017a)
• Provided a "license to hack" by their governments:
  – Most likely culprits for electrical grid attacks are Russia, China, and Eastern European bloc countries
  – Other authors have attributed the release of Stuxnet to U.S. and Israeli state organizations
  – No fear of legal retribution by target countries
  – Often closely linked to military and intelligence control
  – Have a high level of technical expertise
  – Tasked with stealing industrial secrets, disrupting critical infrastructure, eavesdropping on political discussions, and conducting propaganda and disinformation campaigns
  – Use social engineering, such as highly targeted phishing attacks, to deliver malware to target systems
Slide 14
Terrorist/Activist Attacks
• Motivated by ideological, religious, or personal beliefs
• Individuals or small groups that are difficult to defend against
• Primary goal is to disrupt the target's activities, discredit operations, and steal sensitive data to further their goals (BAE, 2017b)
• Physical Attacks
  – Bombing remote electrical facilities
  – Sabotaging transmission lines
  – Shooting electrical equipment, such as transformers (e.g., the Metcalf substation in April 2013)
  – CIP-014-2 was developed to enhance physical security measures
• Cyber Attacks
  – May use readily available malware source code developed by nation-state actors
  – Infect ICS using similar techniques
  – Require similar protective cybersecurity countermeasures
Slide 15
Weather Related Hazards
• Unavoidable risks that require power grid resiliency preparation instead of cybersecurity countermeasures
• Geomagnetic Disturbances [GMD]
  – Solar storms can cause geomagnetically-induced currents [GIC] that damage critical transformers, adversely affect Reactive Power sources, and cause misoperations of electrical protective equipment
  – These impacts may result in voltage collapse and blackouts
  – NERC Reliability Standard TPL-007-2 addresses GMD planning
• Cold and warm weather storms can cause widespread electrical outages due to downed power lines
• Mitigating factors to minimize damage and time to repair:
  – De-energize critical equipment during a GMD event
  – Mutual aid, spare materials, and electrical equipment
  – Distributed generation facilities
  – Geographically separated transmission paths from generation to loads
Slide 16
Preventing Attacks to the Grid
• Companies have been slow to invest the capital funds necessary to update and protect Cyber Assets, with some devices running 30-year-old Operating Systems on critical infrastructure ICS (Kushner, 2013)
• Electric industry participants must step up the pace to improve and enhance overall cybersecurity posture
• Federal and regional efforts are currently in place to support cybersecurity
Slide 17
Preventing Attacks to the Grid
• Supporting cybersecurity measures in the North American electrical grid is a massive undertaking, given its size and complexity, as well as the number and variety of electrical industry participants
Slide 18
Recent Cybersecurity Developments
• National Cyber Security Strategy
  – NIST Cybersecurity Framework (2014)
  – Presidential Executive Order 13800
• Regulatory Developments [CIPv5 Standards]
  – Current CIP Standards, including those that directly address cyber or physical attacks
    • CIP-007-6 [System Security Management for Cyber Assets]
    • CIP-014-2 [Physical Security for Transmission Facilities]
  – Changes to existing CIPv5 Standards to promote better defenses against automated attacks (pending FERC approval)
    • CIP-003-7 [Security Management Controls]
    • CIP-005-6 [Electronic Security Perimeters]
    • CIP-010-3 [Configuration Change Management & Vulnerability Assessment]
  – New CIP Standards (pending NERC/FERC approval)
    • CIP-012-1 [Control Center Communication Networks]
    • CIP-013-1 [Supply Chain Risk Management]
Slide 19
NIST Cybersecurity Framework (2014)
• Developed in response to Executive Order 13636 (Obama, 2013), which cited the need for improved cybersecurity
• Includes a risk-based taxonomy and mechanism to:
  – Describe the current cybersecurity state
  – Describe the desired cybersecurity target state
  – Identify and prioritize opportunities for improvement
  – Assess progress toward the target state
  – Communicate with internal and external stakeholders about cybersecurity risk
• Provides a continuous improvement framework that reinforces the connection between cybersecurity and business drivers
Slide 20
NIST Cybersecurity Framework (2014)
• Contains five core functions to improve cybersecurity:
  – Identify
  – Protect
  – Detect
  – Respond
  – Recover
• Excellent guideline to develop, review, and improve organizational cybersecurity posture (see Section 3.0, pp. 11-17)
Slide 21
Executive Order 13800
• Presidential executive order (Trump, 2017 May 11) with three key priorities:
  – Protect federal networks,
  – Update antiquated and outdated systems, and
  – Direct department and agency heads to work together
• Requires the Secretary of Energy and the Secretary of Homeland Security, with others, within 90 days, to jointly:
  – Assess the potential for a prolonged power outage associated with a significant cyber incident,
  – Evaluate the readiness of the U.S. to manage such an incident, and
  – Identify gaps or shortcomings in assets or capabilities to mitigate the consequences of such an incident.
Slide 22
NTIA Comments Example [EEI, 2017]
• The National Telecommunications and Information Administration [NTIA] issued a Request for Comments (2017 June 8) on botnets and other automated threats in response to Executive Order 13800
• The Edison Electric Institute [EEI] represents U.S. investor-owned utilities [IOUs] and affiliates worldwide
• EEI supports efforts to address threats to critical infrastructure, particularly from Internet-connected devices [ICD]
• EEI identified automated machine-to-machine attacks as a top threat to the electrical grid
• A good example of common electrical industry cybersecurity concerns
• EEI comments addressed (pp. 2-4):
  – What works
  – Gaps
  – Addressing the problem
  – Governance and collaboration
  – Policy and the role of government
  – International issues
  – The role of users
Slide 23
EO 13800 - Power Grid Resilience
• KPMG (2017) developed a white paper that recognized the threats posed by cybersecurity attacks on the Bulk Electric System [BES] to U.S. national security and summarized key points for developing countermeasures and resiliency, including (pp. 2-3):
  – Build success through business transformation
  – Do not assume technology is the "silver bullet"
  – Drive transformation through senior leaders
  – Maintain a risk management approach
  – Continually monitor risks and results
  – Embed good cybersecurity practices in routine management of critical assets and infrastructure
  – Align cybersecurity with business priorities and initiatives
  – Adopt best practices in cybersecurity
  – Build a first-class cyber workforce
Slide 24
EO 13800 - Power Grid Resilience
• The Department of Energy [DOE] (2017) prepared a staff report in response to Executive Order 13800
• This report focused primarily on generation resource portfolios, the impact of the retirement of generation plants on the U.S. workforce, and new workforce needs arising from Variable Renewable Energy [VRE] sources
• The report also discussed electrical infrastructure resiliency in terms of hardening against and recovery from cyber attacks and severe natural events (p. 63):
  – Hardening refers to physically changing infrastructure to make it less susceptible to damage.
  – Recovery refers to the ability of an energy facility to recover quickly from damage to any of its components or to any of the external systems on which it depends, typically through storage and redundancy.
• Recovery measures do not prevent damage, but enable continued operations despite damage and a more rapid return to normal operations
• Electrical entities should consider advance planning for contingencies, interagency coordination, and training exercises to develop an effective restoration process [see also CIP-008-5: R1-R3]
Slide 25
EO 13800 – Workforce Development
• NIST held a workshop on cybersecurity workforce development in Chicago (2017 August 2) in response to the EO 13800 directive to assess efforts to educate and train a cybersecurity workforce and to report to the President on means to support the growth and sustainment of that workforce
• NIST (Newhouse et al., 2017) published the NICE Cybersecurity Workforce Framework, which establishes a taxonomy and common lexicon to describe all cybersecurity work and workers irrespective of where or for whom the work is performed
• The NICE framework identifies the tasks in cybersecurity work roles, which may help educators prepare students with the skills needed by employers
• NIST also stressed the importance of developing and retaining currently skilled talent
Slide 26
EO 13800 – Workforce Development
• BSA | The Software Alliance (2017) provided comments on the NIST workforce effort and discussed these points:
  – Over 1.5 million global cybersecurity jobs are expected to be unfilled by 2020, exposing the public and private sectors to cyber attacks
  – Cybersecurity education must be improved and expanded through investments in new programs to address critical challenges
  – Explore alternative pathways to cybersecurity careers that do not require a four-year degree in Computer Science:
    • Apprenticeship programs,
    • Community colleges,
    • Cybersecurity "boot camps,"
    • Short-term intensive training academies, and
    • Relevant government or military service.
  – Expand re-training opportunities for mid-career professionals
Slide 27
CIPv5 Standards [NERC, 2012]
• Revised from the prior version (CIPv3) to provide cybersecurity protections to all BES assets in the North American grid
• Adopted by the NERC Board of Trustees in 2012, approved by FERC in 2013 (Order No. 791), and became effective in 2016
• Key difference: CIPv5 provides cybersecurity protections at the BES Cyber System [BCS] level instead of at the level of individual Critical Assets with Critical Cyber Assets [CCA], as under CIPv3
• Expanded CIP protections to many more BES Assets
• Apply the CIP-002-5.1a Impact Rating Criteria [IRC] to classify BES Cyber Systems [BCS] at all BES Assets into three impact ratings:
  – High impact BCS
  – Medium impact BCS
  – BCS at Low impact BES Assets [LIBCS]
[Figure: diagram labelled "IRC 3.6 DP Assets"]
Slide 28
List of Current NERC CIPv5 Standards
• CIP-002-5.1a – BES Cyber System Categorization
• CIP-003-6 – Security Management Controls
• CIP-004-6 – Personnel and Training
• CIP-005-5 – Electronic Security Perimeters
• CIP-006-6 – Physical Security of BES Cyber Systems
• CIP-007-6 – System Security Management
• CIP-008-5 – Incident Reporting and Response Planning
• CIP-009-6 – Recovery Plans for BES Cyber Systems
• CIP-010-2 – Configuration Change Management & Vulnerability Assessments [CCM & VA]
• CIP-011-2 – Information Protection
• CIP-014-2 – Physical Security
Slide 29
CIP-007-6 – Current Protections
• Operates at the BES Cyber Asset [BCA] level for High and Medium BCS
  – R1 requires measures to protect the use of network-accessible and physical ports
  – R2 requires measures to evaluate security patches for applicability on a regular interval (at least every 35 calendar days) and then to apply them or document a mitigation plan
  – R3 requires methods to mitigate the threat of malicious code
  – R4 requires logging and alerting to monitor and defend against electronic intrusions at the BCS level
  – R5 requires access control for individual and shared accounts, including measures to enforce password complexity and regular password changes
• Can CIP-007-6 be strengthened to address automated attacks?
Slide 30
CIP-014-2 – Current Protections
• Significantly different from the other CIP Standards, including the physical security Standard CIP-006-6
• Focuses on physical security at the critical Transmission BES Asset (Facility) level instead of the BCS level
  – Requires Transmission Owners [TO] to identify their BES Assets that meet the Section 4.1.1 criteria and develop a list of candidate BES Assets, if any exist; then
  – Requires a Risk Assessment ([R1] power flow and transient stability studies, verified by [R2] unaffiliated third-party review) on each candidate BES Asset to identify the Critical Facilities "that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection"; those Facilities must be afforded the full protections of CIP-014-2 [R3-R6] by the TO and Transmission Operator [TOP] registered functions
Slide 31
CIP-003-7 – Proposed Changes
• R1 – Establishes required cybersecurity policies for:
  – High BCS and Medium BCS [R1.1.1 – R1.1.9: no change]
  – LIBCS [R1.2.1 – R1.2.4: no change]
  – New cybersecurity policies required for LIBCS:
    • R1.2.5 – Malicious code mitigation for Transient Cyber Assets [TCA] and Removable Media [RM]
    • R1.2.6 – Declaring and responding to CIP Exceptional Circumstances
• R2 – Establishes cybersecurity plans for LIBCS [see Attachment 1, Sections 1 – 4]
  – New LIBCS cybersecurity plan element required:
    • Section 5: TCA and RM malicious code risk mitigation plans
Slide 32
CIP-005-6 – Proposed Changes
• New Part 2.4 – Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access).
• New Part 2.5 – Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and system-to-system remote access).
• Proposed by the CIP-013-1 Standards Drafting Team [SDT] to address supply chain risk management concerns relative to vendor access to High BCS and Medium BCS with External Routable Connectivity [ERC]
Slide 33
CIP-010-3 – Proposed Changes
• New Part 1.6: "Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2, and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source: 1.6.1. Verify the identity of the software source; and 1.6.2. Verify the integrity of the software obtained from the software source." (p. 13)
  – Baseline items 1.1.1, 1.1.2 and 1.1.5 are, respectively, the operating system or firmware, commercially available or open-source application software, and applied security patches
• Proposed by the CIP-013-1 Standards Drafting Team [SDT] to address supply chain risk management concerns relative to the integrity of software and firmware upgrades to High BCS and Medium BCS
Slide 34
CIP-012-1 – New Standard
• Addresses cybersecurity protections for data in transit between key Control Centers
• Proposes modifications to the Control Center definition
• [R1] Requires documented plans to mitigate the risk of unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers
  – Excludes oral communications between Control Centers
  – [R1.1] Risk mitigation shall be accomplished by one or more of the following actions:
    • Physically protecting the communication links transmitting the data;
    • Logically protecting the data during transmission; or
    • Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.
• [R2] The Responsible Entity shall implement the plan(s) specified in Requirement R1, except under CIP Exceptional Circumstances
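Requirement R1.1 leaves the entity to choose between physically protecting the link and logically protecting the data. The Go program below is an added example, not taken from the slides or from NERC, of the logical option: each Real-time monitoring message sent between two Control Centers is sealed with AES-256-GCM, so the receiving Control Center sees only ciphertext on the wire (unauthorized disclosure) and rejects any frame whose authentication tag fails (unauthorized modification). A per-link sequence number carried in the authenticated header also rejects replayed frames, which R1 does not mention but which any practitioner would want. Assumptions: the two Control Centers already share a 32-byte key (key distribution and rotation are outside this example and outside the text of CIP-012-1); the frame layout, the Control Center names and the sample reading are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Frame is what crosses the inter-Control Center link (constructed layout).
// Sender and Seq travel in the clear but are bound to the ciphertext as GCM
// associated data, so changing either one invalidates the tag.
type Frame struct {
	Sender string
	Seq    uint64
	Nonce  []byte // 12 random bytes; must never repeat under the same key
	Sealed []byte // ciphertext followed by the 16-byte GCM authentication tag
}

var (
	ErrTampered = errors.New("frame rejected: authentication tag does not verify (modified, or wrong key)")
	ErrReplay   = errors.New("frame rejected: sequence number not greater than last accepted")
)

// header serialises the authenticated-but-unencrypted part of a Frame.
func header(sender string, seq uint64) []byte {
	h := make([]byte, 8, 8+len(sender))
	binary.BigEndian.PutUint64(h, seq)
	return append(h, sender...)
}

// Link holds one Control Center's end of a protected channel: the AEAD built
// from the pre-shared key, the next sequence number it will send, and the
// highest sequence number it has accepted from the peer.
type Link struct {
	aead     cipher.AEAD
	nextSeq  uint64
	lastSeen uint64
}

// NewLink builds AES-256-GCM from a 32-byte pre-shared key (assumed to have
// been distributed out of band between the two Control Centers).
func NewLink(key []byte) (*Link, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// Seal encrypts and authenticates one monitoring message for transmission.
func (l *Link) Seal(sender string, plaintext []byte) (Frame, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Frame{}, err
	}
	l.nextSeq++
	f := Frame{Sender: sender, Seq: l.nextSeq, Nonce: nonce}
	f.Sealed = l.aead.Seal(nil, nonce, plaintext, header(sender, f.Seq))
	return f, nil
}

// Open authenticates first and applies the replay check second, so only
// frames proven to come from the key holder can influence receiver state.
func (l *Link) Open(f Frame) ([]byte, error) {
	plaintext, err := l.aead.Open(nil, f.Nonce, f.Sealed, header(f.Sender, f.Seq))
	if err != nil {
		return nil, ErrTampered
	}
	if f.Seq <= l.lastSeen {
		return nil, ErrReplay
	}
	l.lastSeen = f.Seq
	return plaintext, nil
}

func main() {
	key := make([]byte, 32) // constructed pre-shared key; never hard-code one in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ccA, _ := NewLink(key) // sending Control Center
	ccB, _ := NewLink(key) // receiving Control Center

	reading := []byte("constructed Real-time monitoring sample: BUS-7 voltage 0.97 pu")
	frame, _ := ccA.Seal("CC-A", reading)
	fmt.Printf("on the wire: %x\n", frame.Sealed) // no plaintext visible to an eavesdropper

	pt, err := ccB.Open(frame)
	fmt.Printf("accepted: %q err=%v\n", pt, err)

	_, err = ccB.Open(frame) // the same frame delivered a second time
	fmt.Println("replayed:", err)

	altered, _ := ccA.Seal("CC-A", reading)
	altered.Sealed[0] ^= 0x01 // one bit flipped in transit
	_, err = ccB.Open(altered)
	fmt.Println("modified:", err)
}
```

Random 96-bit nonces are safe for AES-GCM only while the number of messages under one key stays far below 2^32, so a production link would rotate the key on a schedule or use a counter-based nonce; and because the same key lets either side seal, the Sender field distinguishes directions only against an outsider, not against the peer. Neither caveat changes what R1 asks for, but both belong in the documented plan.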
Slide 35
Scope of CIP-012-1
• Extends cyber security protections to the communication networks between key Control Centers
[Figure: scope diagram from NERC, 2017 Aug 11, Technical Rationale for CIP-012-1, p. 5]
Slide 36
CIP-013-1 – New Standard
• Addresses cybersecurity risks through Supply Chain Risk Management [SCRM] for High and Medium BCS
• Addresses the four FERC directives in Order No. 829 (FERC, 2016, P 45, p. 49885):
  1. Software integrity and authenticity [see CIP-010-3 Part 1.6];
  2. Vendor remote access [see CIP-005-6 Parts 2.4, 2.5];
  3. Information system planning; and
  4. Vendor risk management and procurement controls.
• Does not require abrogation or renegotiation of existing contracts
Slide 37
CIP-013-1 – New Standard
• "Collectively, the provisions of CIP-013-1 address an entity's controls for managing cyber security risks to BES Cyber Systems during the planning, acquisition, and deployment phases of the system life cycle" (p. 6; the accompanying life-cycle figure is not reproduced here)
Slide 38
CIP-013-1 – New Standard
• [R1] Each Responsible Entity shall develop one or more documented SCRM plans for High and Medium BCS that include:
  – [R1.1] One or more process(es) used in planning for the procurement of BCS to identify and assess cyber security risks to the BES from vendor products or services resulting from:
    i. procuring and installing vendor equipment and software; and
    ii. transitions from one vendor to another
Slide 39
CIP-013-1 – R1.2 Continued
• [R1.2] One or more process(es) used in procuring BCS that address the following, as applicable:
  – 1.2.1. Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  – 1.2.2. Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  – 1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  – 1.2.4. Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  – 1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System [see also proposed CIP-010-3 Part 1.6]; and
  – 1.2.6. Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s) [see also proposed CIP-005-6 Parts 2.4, 2.5].
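Proposed CIP-010-3 Part 1.6 (1.6.1 identity of the software source, 1.6.2 integrity of the software obtained) and CIP-013-1 Part 1.2.5 above both come down to the same two checks before vendor software goes onto a BES Cyber System. The Go program below is an added example, not from the slides, from NERC, or from any vendor, of one way to implement both with a signed vendor release manifest. Assumptions: the vendor publishes, for each release, the SHA-256 digest of the package and an Ed25519 signature over a manifest containing the version and that digest; the Responsible Entity obtained the vendor's public key out of band at procurement time and pinned it. The manifest format, the key material, the package bytes and all names are constructed for this example, and the `NewVendorKeyPair` and `VendorRelease` functions stand in for the vendor's release process so that the program runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the vendor-published description of one release (constructed
// format for this example): the SHA-256 of the package and the vendor's
// Ed25519 signature over signedPayload(Version, SHA256Hex).
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte
}

// The two failure modes map directly onto the two sub-parts of Part 1.6.
var (
	ErrUntrustedSource = errors.New("manifest signature does not verify under the pinned vendor key (Part 1.6.1)")
	ErrIntegrity       = errors.New("package SHA-256 does not match the signed manifest (Part 1.6.2)")
)

// signedPayload is the exact byte string the vendor signs. Binding the
// version into it stops a genuine manifest for one release from being
// replayed against a different release's package.
func signedPayload(version, sha256Hex string) []byte {
	return []byte("constructed-manifest-v1\n" + version + "\n" + sha256Hex + "\n")
}

// VerifyPackage performs the Part 1.6 checks in the only safe order: the
// manifest must first prove it came from the pinned vendor key (1.6.1); only
// then is the digest it carries trusted and compared with the SHA-256 of the
// bytes actually obtained (1.6.2). Checking the digest first would mean
// trusting a value that nobody has authenticated.
func VerifyPackage(pinnedVendorKey ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pinnedVendorKey, signedPayload(m.Version, m.SHA256Hex), m.Signature) {
		return ErrUntrustedSource
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrIntegrity
	}
	return nil
}

// NewVendorKeyPair and VendorRelease stand in for the vendor's release
// process so the example runs offline. The Responsible Entity never holds
// the private key; it pins only the public key, obtained out of band.
func NewVendorKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return pub, priv
}

// VendorRelease hashes the package and signs the manifest for one release.
func VendorRelease(priv ed25519.PrivateKey, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256Hex: digest,
		Signature: ed25519.Sign(priv, signedPayload(version, digest)),
	}
}

func main() {
	vendorPub, vendorPriv := NewVendorKeyPair() // the public half is what the entity pins
	firmware := []byte("constructed relay firmware image v2.1.0")
	manifest := VendorRelease(vendorPriv, "2.1.0", firmware)

	// 1. Genuine package from the genuine source: both checks pass (prints <nil>).
	fmt.Println("genuine:", VerifyPackage(vendorPub, manifest, firmware))

	// 2. Same manifest, package altered in transit or on the download mirror.
	tampered := append([]byte(nil), firmware...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered package:", VerifyPackage(vendorPub, manifest, tampered))

	// 3. An attacker controlling the download site re-hashes the tampered
	//    package and signs a fresh manifest with their own key: the digest
	//    matches, but the source check fails first.
	_, attackerPriv := NewVendorKeyPair()
	forged := VendorRelease(attackerPriv, "2.1.0", tampered)
	fmt.Println("forged manifest:", VerifyPackage(vendorPub, forged, tampered))

	// 4. Genuine manifest for an old release relabelled as a newer version:
	//    the signature no longer covers the payload.
	relabelled := manifest
	relabelled.Version = "2.2.0"
	fmt.Println("relabelled manifest:", VerifyPackage(vendorPub, relabelled, firmware))
}
```

The pinned key is the whole of check 1.6.1: a public key fetched from the same download page as the package proves nothing, which is why the lead-in assumes it was obtained out of band at procurement. Where a vendor publishes only a digest on an HTTPS page and no signature, 1.6.1 reduces to authenticating that page (certificate validation) and the digest comparison alone covers 1.6.2; the documented process should say which of the two cases applies to each vendor.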
Slide 40
CIP-013-1 – New Standard
• [R2] Each Responsible Entity shall implement its SCRM plan(s) specified in Requirement R1.
• [R3] Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Slide 41
More Changes on the Horizon
• Cybersecurity in the Cloud
  – Very hot topic in compliance and operations circles in the electrical industry
  – There is a push to develop a CIP Standard relative to cybersecurity protections for cloud services
• More changes as directed by FERC for existing CIP Standards
  – FERC has exhibited a tendency in the past to approve submitted Standards but direct NERC to address any residual areas of concern moving forward
  – FERC is paying close attention to the issues related to cybersecurity attacks on the critical electrical infrastructure, including automated attacks on ICS
  – I expect this tendency to direct changes and scrutiny on all things cybersecurity to continue and increase in the future
Slide 42
Speaker Contact Information
Joseph B. Baugh, Ph.D., PMP, CISA, CISSP, CRISC, CISM
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
jbaugh (at) wecc (dot) biz (C) 520.331.6351 (O) 360.600.6631
Slide 43
References
• BAE Systems. (2017a). The nation state actor: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor
• BAE Systems. (2017b). The activist: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-activist
• BSA | The Software Alliance. (2017). Cybersecurity workforce RFI [Docket Number 170627596-7596-01]. Retrieved from https://www.nist.gov/sites/default/files/documents/2017/08/04/bsa.pdf
• Cherepanov, A., & Lipovsky, R. (2017 June 12). Industroyer: Biggest threat to industrial control systems since Stuxnet. Retrieved from https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
• Constantin, L. (2014 June 24). New Havex malware variants target industrial control system and SCADA users. PC World. Retrieved from https://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html
Slide 44
References
• Department of Energy. (2017 August). Staff report to the Secretary on electricity markets and reliability. Retrieved from https://energy.gov/sites/prod/files/2017/08/f36/Staff%20Report%20on%20Electricity%20Markets%20and%20Reliability_0.pdf
• Dragos Inc. (2017 June 12). Crashoverride: Analysis of the threat to electric grid operations [v2.20170613]. Retrieved from https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
• Edison Electric Institute [EEI]. (2017 July 28). Response to NTIA request for comments on botnets. Retrieved from https://www.ntia.doc.gov/files/ntia/publications/eei_comments_-_ntia_botnets_rfc_28july2017.pdf
• E-ISAC & SANS. (2016 March 18). Analysis of the cyber attack on the Ukrainian power grid: Defense use case. Retrieved from http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
Slide 45
References
• FERC. (2016 July 21). Revised Critical Infrastructure Protection Reliability Standards [Order No. 829]. Federal Register, 81(146), pp. 49878-49894 [2016 July 29]. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2016-07-29/pdf/2016-17842.pdf
• Greenberg, A. (2017 Sept 6). Hackers gain direct access to US power grid controls. Wired. Retrieved from https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/amp
• KPMG. (2017 August). Strengthening cybersecurity of federal networks and critical infrastructure: Perspectives on implementation challenges and leading practices. Retrieved from http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/presidential-executiveorder-whitepaper.pdf
• Kushner, D. (2013 Feb 26). The real story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran's nuclear-fuel enrichment program. IEEE Spectrum. Retrieved from https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Slide 46
References
• NERC. (2017 Aug 11). Technical rationale and justification for Reliability Standard CIP-012-1. Retrieved from http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/2016-02_Technical_Rationale_and_Justification_CIP-012-1_08142017.pdf
• NERC. (2017 July). CIP-013-1 – Cyber security – Supply chain risk management [Draft 1]. Retrieved from http://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-013-1_Clean_071117.pdf
• Nelson, N. (2016 Jan 18). The impact of Dragonfly malware on industrial control systems. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672
• Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017 August). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [NIST Special Publication 800-181]. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
• NIST. (2014 Feb 12). Framework for improving critical infrastructure cybersecurity [v1.0]. Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Slide 47
References
• Obama, B. H. (2013 Feb 12). Presidential Executive Order 13636: Improving critical infrastructure cybersecurity. Federal Register, 78(33), pp. 11739-11744 [2013 Feb 19]. Retrieved from https://www.gsa.gov/portal/getMediaData?mediaId=176567
• Perlroth, N. (2017 July 6). Hackers are targeting nuclear facilities. NY Times. Retrieved from https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html?rref=collection%2Ftimestopic%2FStuxnet&action=click&contentCollection=timestopics&region=stream&module=stream_unit&version=latest&contentPlacement=1&pgtype=collection
• Trump, D. J. (2017 May 11). Presidential Executive Order 13800: Strengthening the cybersecurity of federal networks and critical infrastructure. Federal Register, 82(93), pp. 22391-22397 [2017 May 16]. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2017-05-16/pdf/2017-10004.pdf
• Zetter, K. (2014 Nov 3). An unprecedented look at Stuxnet, the world's first digital weapon. Wired. Retrieved from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/