Quarterly Workplan Update Highlights and Minutes · 08/03/2017

Quarterly Workplan Update
Critical Infrastructure Protection Committee

Marc Child, CIPC Chair
Critical Infrastructure Protection Committee Meeting
March 8-9, 2017

CIPC Strategic Plan & Workplan

CIPC Workplan/strategy mapped to RISC recommendations

• Risk profile #8: Physical Security
  - Seven near-term recommendations (1-2 years)
  - Nine mid-term recommendations (3-5 years)
  - Two long-term recommendations (>5 years)

• Risk profile #9: Cybersecurity
  - Eleven near-term recommendations
  - Four mid-term recommendations
  - Three long-term recommendations

CIPC Strategic Plan & Workplan: 2017 Activities

2017 Task                                                      Status
Security Metrics: develop additional context around            Report being finalized
  existing metrics
Collaboration: regional presentations                          FRCC & MRO (March meeting)
Logistics for closed meetings when needed                      Executive Committee
Joint OC/PC/CIPC project                                       Project identified, assigned to
                                                               Operating subcommittee
Foster relationships with national labs*
Expand security narrative in the State of Reliability Report*

*feedback appreciated

CIPC Strategic Plan & Workplan: 2017 Activities (continued)

2017 Task                                                      Status
Emerging Technologies: act as a forum for discussions          Standing agenda item
GridEx: complete GE3 recommendations                           CSSWG assignment
GridEx 4 planning                                              GEWG
Guidance: prioritize emerging technologies guidance            Standing agenda item
Evaluate alternate delivery/development processes              Executive Committee
Update Connecting Business Networks GL                         CSSWG future assignment

CIPC Strategic Plan & Workplan: 2017 Activities (continued)

2017 Task                                                      Status
Guidance: resiliency and vulnerability assessment              Physical Security (RISC item 7a)
  best practices
Update threat and incident response guideline                  Physical Security (RISC item 7b)
Develop vulnerability risk management GL                       CSSWG (RISC item 3)
Comment body*                                                  Executive Committee to study
                                                               feasibility and logistics

*feedback appreciated

CIPC Strategic Plan & Workplan: 2018 look-ahead

• One new metric
• State of security report (notional draft)
• Supply chain guidance
• GridEx 4 recommendations, GridEx 5 planning
• Prioritize RISC 3-5 year recommendations

E-ISAC Update

Marcus Sachs, Senior VP & Chief Security Officer
CIPC, March 8, 2017

Summary of Q4 2016

• Sharing and reporting
  - 265 E-ISAC staff posts to the portal (+29% from Q3)
  - 57 member posts to the portal (+20%)
  - 35 calls to the E-ISAC hotline (-17%)
  - 275 new portal accounts (+30%)

• Engagement (monthly average during the quarter)
  - 296 webinar attendees (+12%)
  - 416 downloads of the daily report (+0.4%)

Sharing by Region – Q4 2016 (chart)

Significant Activities

• GridSecCon 2016 (October), Quebec City: over 400 participants
• NERC Level 2 Alert on the Internet of Things (October)
• GridEx IV Initial Planning Meeting (November): first opportunity to provide input into scenario development; exercise scheduled for November 15-16, 2017
• Portal improvements (November)
• Launched CAISS, the STIX/TAXII pilot (December)
• Two cyber events (December): second Ukraine incident; Vermont incident

Internet of Things Issue

• Explosive growth of "smart devices" in the past two years: things that can communicate over the Internet, such as security cameras, digital video recorders, alarms, light switches, coffee pots and refrigerators
• Most are not designed to be secure against unauthorized access; they can be hijacked by malicious actors and are being used to attack other systems
• Three waves of DDoS attacks on October 21, 2016, against a major DNS service provider made hundreds of popular websites unavailable
• E-ISAC issued TLP-AMBER, TLP-GREEN, and TLP-WHITE advisories at the end of October

NERC Level 2 Recommendation

• "Internet of Things (IoT) Used For High Bandwidth Distributed Denial of Service (DDoS) Attacks", issued on October 11, 2016, with responses due in 90 days
• Seven recommendations and four questions:
  1. Have you used a tool to identify Internet-facing devices within your entity's network and performed a risk assessment of discovered devices?
  2. Have you reviewed the use of default passwords for these types of devices?
  3. Do you implement the Principle of Least Privilege in your Internet-facing networks to include devices, such as security cameras, DVRs, video monitors, printers, etc.?
  4. Do you have a vulnerability management process to ensure a strong security posture is maintained for Internet-facing networks and devices?
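The four questions above can be turned into a repeatable check over an asset inventory. The script below is an added example and is not part of the alert, the slides, or any NERC/E-ISAC tool. Everything in it is constructed or assumed: the inventory (a merge of a perimeter scan and the asset register), the vendor-default password sample, the per-device-class port allowlist that stands in for a least-privilege policy, the entity's "public" address blocks (documentation ranges used as stand-ins for real allocations), and the 365-day firmware-age threshold.

```python
"""Checks for the four questions in NERC's IoT Level 2 Alert.

Added example; not part of the alert, the slides, or any NERC/E-ISAC tool.
Everything below the imports is constructed: the inventory, the default
password list, the port allowlist and the address blocks (documentation
ranges stand in for an entity's real public allocations).
"""
import ipaddress
from datetime import date

# Q1 needs to know which addresses are reachable from outside. Assumed: the
# entity's externally routed blocks (documentation ranges used as stand-ins).
ENTITY_PUBLIC_BLOCKS = [ipaddress.ip_network(n)
                        for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed merge of a perimeter scan and the asset register.
INVENTORY = [
    {"host": "cam-lobby-01", "ip": "203.0.113.10", "type": "camera",
     "open_ports": [80, 554, 23], "admin_password": "admin",
     "firmware_date": date(2015, 6, 1)},
    {"host": "dvr-yard-01", "ip": "203.0.113.11", "type": "dvr",
     "open_ports": [443, 554], "admin_password": "Xk9!v2pQ",
     "firmware_date": date(2017, 1, 15)},
    {"host": "printer-hq-03", "ip": "10.20.30.40", "type": "printer",
     "open_ports": [9100, 631, 80], "admin_password": "",
     "firmware_date": date(2014, 3, 9)},
    {"host": "monitor-ops-02", "ip": "198.51.100.7", "type": "video_monitor",
     "open_ports": [80, 22], "admin_password": "123456",
     "firmware_date": date(2016, 11, 30)},
]

# Constructed sample of vendor defaults; a real check loads a curated list.
DEFAULT_PASSWORDS = {"", "admin", "password", "12345", "123456", "root"}

# Least-privilege allowlist (assumed policy): the only ports each device class
# may expose to the Internet. An empty set means "never Internet-facing".
ALLOWED_PORTS = {
    "camera": {443, 554},
    "dvr": {443, 554},
    "printer": set(),
    "video_monitor": {443},
}

MAX_FIRMWARE_AGE_DAYS = 365        # assumed patch-cycle threshold for Q4
AS_OF = date(2017, 3, 8)           # constructed assessment date (meeting date)


def internet_facing(inventory):
    """Q1: devices whose address sits in an externally routed block."""
    return [d for d in inventory
            if any(ipaddress.ip_address(d["ip"]) in net
                   for net in ENTITY_PUBLIC_BLOCKS)]


def default_password_findings(devices):
    """Q2: devices still configured with a known vendor default."""
    return sorted(d["host"] for d in devices
                  if d["admin_password"] in DEFAULT_PASSWORDS)


def least_privilege_findings(devices):
    """Q3: per host, the exposed ports not in that device class's allowlist."""
    findings = {}
    for d in devices:
        extra = set(d["open_ports"]) - ALLOWED_PORTS.get(d["type"], set())
        if extra:
            findings[d["host"]] = sorted(extra)
    return findings


def vulnerability_management_findings(devices, today):
    """Q4: devices whose firmware is older than the patch-cycle threshold."""
    return sorted(d["host"] for d in devices
                  if (today - d["firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS)


def assess(inventory, today):
    """Run Q2-Q4 only over the Internet-facing subset found by Q1."""
    exposed = internet_facing(inventory)
    return {
        "internet_facing": sorted(d["host"] for d in exposed),
        "default_passwords": default_password_findings(exposed),
        "excess_services": least_privilege_findings(exposed),
        "stale_firmware": vulnerability_management_findings(exposed, today),
    }


if __name__ == "__main__":
    for question, result in assess(INVENTORY, AS_OF).items():
        print(f"{question}: {result}")
```

The internal printer drops out at Q1, so its blank password never reaches the report; that is deliberate, since the alert is scoped to Internet-facing devices, but an internal-only pass with the same functions is a one-line change. Telnet on the lobby camera is the finding a practitioner should act on first: it is exposed, carries a default credential, and has not been patched in the review period.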

CRISP Unclassified Data Center

• All CRISP data currently flows to PNNL
  - CRISP participants use Information Sharing Devices to collect and send data
  - PNNL provides the system to "write up" to classified networks for analysis
  - E-ISAC currently relies on PNNL for analysis of CRISP data and reports
• New capability gives E-ISAC analysts the ability to store and analyze unclassified data locally
  - Up to 200 TB storage array installed at the E-ISAC
  - Three stand-alone analyst workstations in place
  - Currently evaluating new analytical tools
  - Initial operating capability reached in January 2017
• At maturity, the E-ISAC will be able to query and analyze unclassified CRISP data with minimal PNNL involvement

Cyber Automated Information Sharing System (CAISS)

• CAISS is a technology proof-of-concept project
  - Based on STIX/TAXII technology
  - Requested in 2015 ESCC recommendations
  - Results of the pilot will be integrated into a future platform
  - Ten initial participants; more have joined since the beginning of 2017
• NERC pays for back-end services; participants pay for any hardware or software needed at users' sites
• Two complementary technologies:
  - ThreatConnect: front-end GUI for analysis and STIX package creation
  - Soltra Edge: back-end, machine-to-machine communications (TAXII server); Soltra Edge was sold to NC4 in November 2016

STIX = Structured Threat Information eXpression
TAXII = Trusted Automated Exchange of Indicator Information

STIX – How it Works

• STIX is a standardized language for the representation of threat information
• Eight types of items that can be shared:
  - Observable (activity)
  - Indicator (what to watch)
  - Incident (where)
  - Tactics, Techniques, Procedures (how)
  - Exploit Target (victim)
  - Campaign (why)
  - Threat Actor (who)
  - Course of Action (how to respond)

The eight types answer analyst questions that range from the atomic to the tactical, operational and strategic:
  - What threat activity are we seeing? (Observable)
  - What threats should I look for on my systems and why? (Indicator)
  - Where has this threat been seen? (Incident)
  - What can I do about it? (Course of Action)
  - What weaknesses does this threat exploit? (Exploit Target)
  - Who is responsible for this threat? (Threat Actor)
  - Why do they do this? (Campaign)
  - What do they do? (TTP)

TAXII – How it Works

• TAXII defines a set of services and message exchanges that enable sharing of actionable information
• Three sharing models:
  - Hub and spoke (central clearinghouse)
  - Source/subscriber (single source)
  - Peer-to-peer (multiple party sharing)
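What a participant actually does with a shared package is consume the Indicator, run it against local telemetry, and follow the linked Course of Action. The script below is an added example and is not from the slides, CAISS, ThreatConnect or Soltra Edge. It uses the STIX 2 JSON form rather than the STIX 1 object set the slides describe (an assumption made so the bundle is plain JSON), supports only the pattern subset `[type:property = 'value' OR ...]`, and every identifier, the bundle, and the DNS/proxy log lines are constructed.

```python
"""Consume a STIX indicator bundle and match it against local observables.

Added example; not from the slides or from CAISS, ThreatConnect or Soltra.
Uses STIX 2 JSON (the slides describe the STIX 1 object set). The bundle,
the identifiers and the log lines are constructed. Only the pattern subset
  [ type:property = 'value' (OR type:property = 'value' ...) ]
is understood; anything else is rejected rather than silently ignored.
"""
import json
import re

# Constructed bundle as it might be pulled from a TAXII collection.
BUNDLE_JSON = """{
 "type": "bundle",
 "id": "bundle--11111111-1111-4111-8111-111111111111",
 "objects": [
  {"type": "indicator",
   "id": "indicator--22222222-2222-4222-8222-222222222222",
   "name": "Constructed: macro-dropper C2",
   "pattern_type": "stix",
   "pattern": "[domain-name:value = 'update-check.example' OR ipv4-addr:value = '203.0.113.50']",
   "valid_from": "2017-01-10T00:00:00Z"},
  {"type": "course-of-action",
   "id": "course-of-action--33333333-3333-4333-8333-333333333333",
   "name": "Sinkhole the domain and block the IP at the ESP firewall"},
  {"type": "relationship",
   "id": "relationship--44444444-4444-4444-8444-444444444444",
   "relationship_type": "mitigates",
   "source_ref": "course-of-action--33333333-3333-4333-8333-333333333333",
   "target_ref": "indicator--22222222-2222-4222-8222-222222222222"}
 ]
}"""

# Constructed local telemetry: "<time> <client> <observable-type> <value>".
LOCAL_LOG = """\
2017-01-12T08:01:02Z 10.1.1.23 domain-name www.nerc.com
2017-01-12T08:03:11Z 10.1.1.23 domain-name update-check.example
2017-01-12T08:03:12Z 10.1.1.23 ipv4-addr 203.0.113.50
2017-01-12T08:09:44Z 10.1.1.40 ipv4-addr 198.51.100.9
"""

_COMPARISON = re.compile(r"([\w-]+):([\w.]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Return the (type, property, value) comparisons of an OR-only pattern.

    AND, NOT, ranges, MATCHES and other operators are outside the subset and
    raise ValueError, so a half-understood pattern cannot match nothing.
    """
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern: " + pattern)
    comparisons = []
    for part in re.split(r"\s+OR\s+", body[1:-1]):
        m = _COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError("unsupported comparison: " + part)
        comparisons.append(m.groups())
    return comparisons


def load_bundle(text):
    """Return the indicators and, per indicator id, the names of mitigating COAs."""
    objs = {o["id"]: o for o in json.loads(text)["objects"]}
    mitigations = {}
    for o in objs.values():
        if o["type"] == "relationship" and o["relationship_type"] == "mitigates":
            mitigations.setdefault(o["target_ref"], []).append(objs[o["source_ref"]]["name"])
    indicators = [o for o in objs.values() if o["type"] == "indicator"]
    return indicators, mitigations


def match_log(bundle_text, log_text):
    """Return [(time, client, indicator name, [course-of-action names])] hits."""
    indicators, mitigations = load_bundle(bundle_text)
    compiled = [(ind, parse_pattern(ind["pattern"])) for ind in indicators]
    hits = []
    for line in log_text.splitlines():
        ts, client, obs_type, value = line.split()
        for ind, comparisons in compiled:
            if any(typ == obs_type and prop == "value" and want == value
                   for typ, prop, want in comparisons):
                hits.append((ts, client, ind["name"], mitigations.get(ind["id"], [])))
    return hits


if __name__ == "__main__":
    for hit in match_log(BUNDLE_JSON, LOCAL_LOG):
        print(hit)
```

Rejecting unsupported pattern syntax is the important design choice: a consumer that quietly skips operators it does not understand reports "no matches" for exactly the indicators a partner took the most care to write. In a real deployment the bundle would arrive over TAXII and the matcher would run in the SIEM; the parsing and the relationship walk are the same.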

ThreatConnect Platform (screenshots: platform overview, dashboard, and three analysis views)

Learn More About Us!

• Sign up online at https://www.eisac.com
• Download our "how to" guides: Brochure; Understanding Your E-ISAC; Engaging the E-ISAC

GridSecCon 2017

Seventh Annual Grid Security Conference
October 17 – 20, 2017
Intercontinental St. Paul Riverfront Hotel

GridSecCon 2017 Agenda

• Tuesday, October 17: free training in physical or cyber security; GridEx "Move 0" hands-on training
• Wednesday, October 18: "Strategy and threat day"; keynotes and presentations by senior executives
• Thursday, October 19: "Solutions day"; keynotes and panels
• Friday, October 20: host utility tours and threat briefings at classified and FOUO levels
• For more information (hotel block information and more): http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx

E-ISAC Cyber Analysis Team Update

Steve Herrin, Senior Manager, CRISP
CIPC, March 8, 2017

Summary of Q4 2016

• Overall trends
  - Decrease in exploitation kit activity reported
  - Scanning for IoT devices continues to create a large amount of traffic
  - Ukraine incident
  - DHS release of the Grizzly Steppe Joint Analysis Report
    o Vermont incident
  - Phishing is still the most reported activity (41% of all cyber bulletins)
    o Large amount of W-2 or tax themed emails (early 2017)
    o Multiple instances of macro-enabled Word documents that drop malware to download information-stealing Trojans
  - Attacks on public-facing systems, such as websites and Microsoft Office 365 authentication services
    o Office 365 attacks involved brute-force login attempts causing account lockouts
    o Typically targeting executives' accounts
    o Microsoft has issued mitigation to prevent this
  - Ransomware
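The Office 365 pattern above shows up in sign-in logs in two shapes: many failures against one executive account (which trips the lockout policy) and a slower spray of one or two guesses across many accounts from a single source (which does not). The detector below is an added example, not from the slides and not Microsoft tooling; the log lines, account names, addresses, executive list, ten-minute window and thresholds are all constructed or assumed, in a generic "<timestamp> <user> <source_ip> <result>" form that a real Office 365 / Azure AD sign-in export would be mapped onto.

```python
"""Brute-force and password-spray detection over sign-in logs.

Added example; not from the slides and not Microsoft tooling. The log lines
are constructed in a generic "<timestamp> <user> <source_ip> <result>" form;
map your own Office 365 / Azure AD sign-in export onto it. Account names,
addresses, the executive list, the window and the thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNIN_LOG = """\
2017-02-01T02:00:01Z ceo@utility.example 198.51.100.23 InvalidPassword
2017-02-01T02:00:03Z ceo@utility.example 198.51.100.23 InvalidPassword
2017-02-01T02:00:05Z ceo@utility.example 198.51.100.23 InvalidPassword
2017-02-01T02:00:07Z ceo@utility.example 198.51.100.23 InvalidPassword
2017-02-01T02:00:09Z ceo@utility.example 198.51.100.23 InvalidPassword
2017-02-01T02:00:11Z ceo@utility.example 198.51.100.23 AccountLocked
2017-02-01T02:10:00Z cfo@utility.example 203.0.113.77 InvalidPassword
2017-02-01T02:10:30Z ops1@utility.example 203.0.113.77 InvalidPassword
2017-02-01T02:11:00Z ops2@utility.example 203.0.113.77 InvalidPassword
2017-02-01T02:11:30Z hr1@utility.example 203.0.113.77 InvalidPassword
2017-02-01T02:12:00Z ciso@utility.example 203.0.113.77 Success
2017-02-01T08:15:00Z ops1@utility.example 10.4.4.4 InvalidPassword
2017-02-01T08:15:20Z ops1@utility.example 10.4.4.4 Success
"""

EXECUTIVES = {"ceo@utility.example", "cfo@utility.example", "ciso@utility.example"}
WINDOW = timedelta(minutes=10)     # assumed correlation window
BRUTE_FORCE_FAILURES = 5           # failures on one account inside WINDOW
SPRAY_ACCOUNTS = 4                 # distinct accounts failed from one source
FAILURE_RESULTS = {"InvalidPassword", "AccountLocked"}


def parse(log_text):
    """Return events as (time, user, source_ip, result), oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def _max_in_window(items, measure):
    """Largest measure(payloads) over any WINDOW-long span of time-sorted items."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > WINDOW:
            start += 1
        best = max(best, measure([p for _, p in items[start:end + 1]]))
    return best


def brute_force(events):
    """Accounts with >= BRUTE_FORCE_FAILURES failures inside WINDOW, any source."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result in FAILURE_RESULTS:
            by_user[user].append((ts, ip))
    hits = {}
    for user, items in by_user.items():
        n = _max_in_window(items, len)
        if n >= BRUTE_FORCE_FAILURES:
            hits[user] = n
    return hits


def password_spray(events):
    """Sources that failed against >= SPRAY_ACCOUNTS distinct accounts inside WINDOW.

    Reports every account that source touched, not just those in the window.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result in FAILURE_RESULTS:
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, items in by_ip.items():
        if _max_in_window(items, lambda users: len(set(users))) >= SPRAY_ACCOUNTS:
            hits[ip] = sorted({u for _, u in items})
    return hits


def locked_out(events):
    return sorted({user for _, user, _, r in events if r == "AccountLocked"})


def report(log_text):
    events = parse(log_text)
    bf = brute_force(events)
    spray = password_spray(events)
    targeted = set(bf) | {u for users in spray.values() for u in users}
    return {
        "brute_force": bf,
        "password_spray": spray,
        "locked_out": locked_out(events),
        "executives_targeted": sorted(targeted & EXECUTIVES),
    }


if __name__ == "__main__":
    for key, value in report(SIGNIN_LOG).items():
        print(f"{key}: {value}")
```

Two things the output makes visible that a per-account lockout counter does not: the brute force against the CEO succeeded as a denial of service (the lockout is the attacker's effect, which is what the slide reports), and the spray from the second source never exceeded one failure per account, so it is only detectable by pivoting on the source address. The single-user, internal-address failure at 08:15 is the benign case both rules must ignore.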

Cyber Observations (chart)

Compromise Breakdown (chart)

CRISP in 2016

• Reports identified activity indicative of attempted exploitation:
  - Download of a malicious .zip file
  - JavaScript code found in websites which redirects visitors to malicious URLs
  - HTTP GET requests to download a malicious archive file
  - Specifically targeted spear-phishing emails to company directors that contained a Word attachment with PowerShell scripts hidden in an OLE object

Product                     2016 Total
Cases Opened                1,480
Analyst Generated Reports   179
Site Annexes                412
Automated Reports           ~160,000

Cyber Analysis Capabilities

• Continue to grow CRISP participation
• Build out the CRISP Unclassified Data Center
• Cyber Automated Information Sharing System (CAISS): working with PJM to develop scripting for automated sharing for best practices
• Greater outreach to industry

E-ISAC Physical Security Analysis Team Update

Charlotte de Sibert
Carl Herron
CIPC, March 08, 2017

Trend Analysis

27%: current 2017 Q1 percentage of physical security incidents involving surveillance

Surveillance TTPs

• Photography/videography: DSLR camera lenses with zoom capabilities; cellular telephone camera capabilities; assessing the security posture of an entity
• Unmanned Aircraft System (UAS) flyovers: filming
• Vehicle drive-bys: assessment
• Individuals questioning security personnel: social engineering

Reporting

Incident reporting:
• Report incidents to local law enforcement, FBI field office, FAA (UAS), and the E-ISAC
  - Allows analysts to develop an accurate threat picture and assess regional and national trends
  - Develop mitigation strategies for emerging TTPs

Why?
• Preparation for follow-on criminal activity (ranging from copper theft to vandalism, or even an attack on the facility itself)
• These reports are often provided voluntarily to the E-ISAC because they do not always meet reporting criteria

PSAT Roadmap

• 2017 Physical Security Analysis Team Roadmap
  - Analytical products/case studies
    o Regional trend analysis capability
    o One each quarter; 1st quarter: environmental protest
  - Training
    o DBT
    o National Improvised Explosives Familiarization
    o Crime Prevention Through Environmental Design
  - Topics/discussions
    o UAS
    o Insider threat
  - Regional outreach visits
    o SERC and RF

Project 2016-02 CIP Modifications

David Revill, Georgia Transmission Corporation
Critical Infrastructure Protection Committee
March 8-9, 2017

Drafting Team Scope

Issue Area                                        Source          Status
LERC definition                                   Order 822       Completed
Transient devices for low impact                  Order 822       Completed
Communication between BES Control Centers         Order 822       Posted for informal comment
Cyber Asset and BES Cyber Asset definitions       V5TAG           Development in progress
Network and Externally Accessible Devices         V5TAG           Development in progress
Transmission Owner (TO) Control Centers           V5TAG           Development in progress
Virtualization                                    V5TAG           Development in progress
CIP Exceptional Circumstances                     SAR             Posted for informal comment
"shared BES Cyber Systems" in CIP-002-5.1a        EnergySec RFI   Completed

CIP Exceptional Circumstances

Requirement parts that carry the "except during CIP Exceptional Circumstances" clause:

• CIP-004 R3, Part 3.5: Process to ensure that individuals with authorized electronic or authorized unescorted physical access have had a personnel risk assessment completed according to Parts 3.1 to 3.4 within the last seven years, except during CIP Exceptional Circumstances.
• CIP-006 R1, Part 1.8: Log (through automated means or by personnel who control entry) entry of each individual with authorized unescorted physical access into each Physical Security Perimeter, with information to identify the individual and date and time of entry, except during CIP Exceptional Circumstances.
• CIP-006 R1, Part 1.9: Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days, except during CIP Exceptional Circumstances.
• CIP-006 R2, Part 2.3: Retain visitor logs for at least ninety calendar days, except during CIP Exceptional Circumstances.
• CIP-007 R4, Part 4.1: Log events, except during CIP Exceptional Circumstances, at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
• CIP-010 R1, Part 1.4.1: Prior to the change, except during CIP Exceptional Circumstances, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change.
• CIP-010 R1, Part 1.5: Where technically feasible, for each change that deviates from the existing baseline configuration:
  - 1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected, except during CIP Exceptional Circumstances; and
  - 1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments, except during CIP Exceptional Circumstances.

Communication Networks Between Control Centers – Draft Language

• The Responsible Entity shall implement one or more documented plan(s) that achieve the security objective to protect confidentiality and integrity of data required for reliable operation of the BES. The plan applies to data being transferred across communication networks between Control Centers, both inter-entity and intra-entity, and shall include each of the applicable parts below:
  - 1.1 Procedure(s) to identify the communication networks requiring protections;
  - 1.2 Procedure(s) for defining the boundaries of communication networks transmitting data required for reliable operation identified in 1.1, if applicable;
  - 1.3 Method(s) for protecting communication networks between Control Centers identified in 1.1, where technically feasible.

Communication Networks Between Control Centers

• Areas for focused review:
  - Data at rest
  - Data-focused vs. network-focused requirements
  - References to IRO-010-2 and TOP-003-3
  - Availability
  - Requirement placement

Transmission Owner Control Centers

• The SDT reviewed a draft of the "Considerations for Transmission Owner (TO) Control Centers with Capability to Perform Transmission Operator" whitepaper.
• The whitepaper identifies the concerns that have been raised regarding this issue and outlines the historical record from where this issue originated.
• Revisions were made to the whitepaper to propose two primary paths forward: 1) revising CIP-002-5.1a; 2) taking no further action.
• Revisions to CIP-002-5.1a could take the form of additional criteria or an alternative method to identify certain BES Cyber Systems associated with Transmission Owner Control Centers as low impact.

Virtualization

• The SDT discussed eleven topics identified by the virtualization subteam:
  - Definition of Cyber Asset should be inclusive of virtual machines
  - Limit the use of virtualization to homogeneous environments
  - VLANs (Layer 2) provide isolation
  - Definition of EACMS to be inclusive of management consoles
  - Management networks
  - Mixed-mode (in general)
  - Mixed-mode storage
  - BCS, BCA and systems approach
  - Clarification on change management
  - Clarification on information protection
  - Storage arrays as components of Cyber Asset

• The SDT is preparing to seek stakeholder feedback via proposals and draft questions that could be ready for informal comment posting in the near term for several of the virtualization topics:
  - Definition of Cyber Asset should be inclusive of virtual machines
    o Should virtual machines be considered Cyber Assets, and should they be distinct Cyber Assets from their virtual host?
  - Limit the use of virtualization to homogeneous environments
    o A homogeneous virtualization environment is one in which all functions and guests are "within the ESP."
    o The SDT will investigate whether non-homogeneous or mixed-mode environments should be addressed.
  - VLAN (Layer 2) isolation
    o VLAN isolation is not explicitly addressed in the CIP standards. Should it be addressed, and what controls are necessary to ensure its effectiveness?
  - Definition of EACMS to be inclusive of management consoles
    o One of the risks associated with virtualization is that it requires administration via management consoles that can affect a large number of systems at a single time, a concept the SDT has referred to as "fewer bigger buttons."
    o How should management consoles be identified and protected?
  - Management networks
    o Another security control appropriate for virtualization is the separation of the management plane and the data plane. How should this concept be included in the CIP standards?
  - Mixed-mode (in general)
    o If mixed-mode (multitenant) virtualization is permitted, what controls would be necessary to properly protect the BES Cyber Systems?

Cyber Asset Definition

• The SDT considered options to provide clarity to the term "programmable" within the Cyber Asset definition.
• One proposal for clarifying "programmable" was to replace it with the following phrase: an electronic device "whose operation is controlled by a stored program that can be changed or replaced by the Responsible Entity…"
• The SDT will need further discussion and feedback from stakeholders to ensure that any modification provides the necessary scope and clarity.

Networking Definitions

• The SDT reviewed the following topics related to the networking definitions and concepts:
  - Clarify the 4.2.3.2 exemption phrase "between discrete Electronic Security Perimeters."
  - The word "associated" in the ERC definition is unclear in that it alludes to some form of relationship but does not define the relationship between the items.
  - Review the applicability of ERC, including the concept of the term "directly" used in the phrase "cannot be directly accessed through External Routable Connectivity" within the Applicability section. Also consider the interplay between IRA and ERC.
  - Clarify the IRA definition to address the placement of the phrase "using a routable protocol" in the definition and clarity with respect to Dial-up Connectivity.
  - Address the Guidelines and Technical Basis sentence, "If dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies."
• The SDT will seek additional clarification from former V5TAG members to ensure a thorough understanding of these issues.

Page 55: Quarterly Workplan Update Highlights and Minutes … · 08/03/2017  · 3.Do you implement the Principle of Least Privilege in your Internet -facing networks to include devices, such

RELIABILITY | ACCOUNTABILITY14

• Post the TOCC whitepaper for informal comment posting• Post virtualization materials for informal comment posting• Hold webinars on TOCC and virtualization (tentative)• Collect and review stakeholder feedback on the CIP Exceptional

Circumstances and Communication Networks between Control Centers informal postings

Next Steps

Page 56: Quarterly Workplan Update Highlights and Minutes … · 08/03/2017  · 3.Do you implement the Principle of Least Privilege in your Internet -facing networks to include devices, such

RELIABILITY | ACCOUNTABILITY15

Reserved Call Times Tuesdays - Noon – 2 p.m. Eastern o Subteam working sessiono Dial-in: 415-655-0002

Thursdays - Noon – 2 p.m. Easterno Subteam working sessiono Dial-in: 415-655-0002

Fridays - 11 a.m. – 1 p.m. Easterno Full team updateo Dial in: 415.655.0002

• Discussion topics will vary based on the issue area work progress.

• Calls may be cancelled to allow the sub-teams to process input and develop proposals.

• Notifications of the call schedule are sent weekly to the Project Plus List.

Conference Call Schedule


2017 Planned Dates:
• March 21-23 – Houston, TX - Occidental Energy Ventures
• April 18-20 – Tampa, FL - FRCC
• May 23-25 – Columbus, OH - American Electric Power
• June 20-22 – Montreal, Quebec - Hydro-Québec TransÉnergie
• July 18-20
• August 22-24
• September 19-21
• October 10-12
• November 14-16

SDT Meeting Schedule


• Information relative to the CIP Modifications project and SDT may be found on the Project 2016-02 Project Page under Related Files:

Project 2016-02 Modifications to CIP Standards

Resources


IEC 61850 IOP 2017

UCA 61850 Boot Camp: OCT 13-14
IOP Testing: OCT 14-19

New Orleans, Louisiana

©Copyright 2017 UCA International Users Group All Rights Reserved


Purpose of the IOP
• To provide an environment that allows for product and standard improvement as well as learning.

• To look for and cause failures. It is through analysis of the failures that the standard, implementations, and industry will be improved.

• Give a neutral technical snapshot of the products and tools to document (by confirming/informing/extending) the interoperability issues mentioned by some end-users (e.g. ENTSO-E, Entergy, SCE)

• Suggest solutions and coordinated responsibilities (e.g. UCA, IEC)


Call to Action: Participation
• Companies and individuals both welcome
• Two ways to participate:
 – Vendor: equipment, software, and applications
 – Witness: non-vendor or non-vendor rep
• Fees based on participation type
• Participants are asked to help develop the test cases (Planning and test case development has begun)


2013 IOP = 90+ Attendees


2015 IOP = 150+ Attendees


New for 2017: Integrated Application
• Multi-Bay
 – ED.1 and ED.2 Coexistence
 – SCL Tool Exchanges (SED)
• Testing and Isolation
 – GOOSE and Sampled Value
• SCADA
• NERC CIP
• Resiliency


General Concept (diagram): Breaker Failure Applications*, Transfer Trip*, SCADA*


NERC CIP and Security Testing
• NERC CIP
 – Audit Capability
 – EAP Control
  • L2 GOOSE (whitelist and intruder)
  • Client / Server
 – EAP Port Scans
• Security
 – Radius
 – Syslog
 – Fuzzing
 – Penetration Testing*
 – Standardized MIB

* Testing as part of intrusion detection


Network Setup for Station Bus & Process Bus

Testing of:
• HSR / PRP
• Single Attached Nodes
• PTP (IEC 61850-9-3)
• Best Grand Master Selection
• Resiliency
• GOOSE
• Sampled Value
• Client / Server


Boot Camp

• Training opportunity for consultants, utilities, academics, and other interested parties

• Hands-on experience to prepare for witness participation

• Agenda:
 – Project Management
 – Standard Overview
 – Designing Resiliency
 – 61850 Field Testing
 – NERC CIP and 61850


Logistics

• New Orleans Downtown Marriott at the Convention Center, 859 Convention Center Blvd, New Orleans, LA 70130
• Check www.iec61850.ucaiug.org for updates
• Contact:
 – Kay Clinard: [email protected]
 – Herbert Falk: [email protected]


Security Advisory Council
Midwest Reliability Organization

Regional Report (MRO)

Mike Kraft, Senior Engineer - Basin Electric Power Cooperative
Critical Infrastructure Protection Committee
March 8, 2017


MRO Security Advisory Council

The MRO Security Advisory Council (SAC) provides advice and counsel to the MRO Board of Directors, staff, members, and registered entities regarding (1) cybersecurity, (2) physical security, and (3) SCADA, EMS, substation and/or generation control systems. The MRO SAC provides outreach and promotes awareness in these three key areas.


MRO Security Advisory Council

Midwest Reliability Organization

Customers: >20 million people

Geography: Provinces of Saskatchewan and Manitoba, and all or parts of the states of Illinois, Iowa, Minnesota, Michigan, Montana, Nebraska, North Dakota, South Dakota and Wisconsin.

Members include
▪ Municipal utilities 19
▪ Cooperatives 10
▪ Investor-owned utilities 10
▪ Transmission system operators 3
▪ Federal power marketing agency 1
▪ Canadian Utilities 2
▪ Generator and/or Power Marketer 8
▪ Adjunct, Non-Voting Member 7

https://www.midwestreliability.org


MRO Footprint


MRO Committees


MRO Security Advisory Council

Security Advisory Council (SAC)

The Midwest Reliability Organization Security Advisory Council (MRO SAC) is an MRO Organizational Group that provides advice and counsel to
▪ MRO's Board of Directors
▪ staff
▪ members
▪ registered entities

regarding
▪ Cybersecurity
▪ Physical security
▪ SCADA, EMS, substation and/or generation control systems.

The MRO SAC provides outreach and promotes awareness in these three key security areas.


MRO Security Advisory Council

SAC Structural Elements

Roster

Charter

Goals and Objectives

Guiding Principles

Workplan


MRO Security Advisory Council

Roster


MRO Security Advisory Council

Charter


MRO Security Advisory Council

Goals and Objectives & Guiding Principles


MRO Security Advisory Council

Workplan

Meetings

Articles

Webinars

Whitepapers

Reports

Documents

Conferences


MRO Security Advisory Council

Topics

Conference Highlights (e.g. S4 and RSA)

Grizzly Steppe Joint Analysis Report (JAR) and Indicators of Compromise (IOCs)

Security Management in the North American Electricity Sub-Sector Guideline

Department of Homeland Security Survey Tool

Threat Intel 101

Ukraine Review and Action

GridEx IV Overview and Preparation


MRO Security Advisory Council

CIPC Representation - DRAFT

The Board of Directors appoints representatives based on MRO SAC recommendations.

Voting Members Expectations:
1. Bring subject matter expertise to the CIPC;
2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector;
3. Attend and participate in all CIPC meetings;
4. Express their own opinions at committee meetings but also represent the interests of their Regions;
5. Discuss and debate interests rather than positions;
6. Chair or co-Chair a CIPC Work Group or Task Force at least once within a two-year term;
7. Complete assigned Committee, Task Force, and Working Group assignments;
8. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance; and
9. Act as a conduit of information back to the MRO constituents.

Alternate Members Expectations:
1. Participate as a non-voting alternate in at least 1 CIPC meeting per year.
2. Be available to act as a proxy when the primary CIPC representative is unavailable.
3. Participate in a CIPC Work Group or Task Force at least once within a two-year term.
4. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance.
5. Act as a conduit of information back to the MRO constituents.


MRO Security Advisory Council

CIPC Representatives

Voting Members:
▪ Marc Child, Great River Energy – Cyber Security
▪ Paul Crist, Lincoln Electric System – Physical Security
▪ Damon Ounsworth, SaskPower – Operations Security

Alternate Voting Members:
▪ John Hochevar, American Transmission Company, LLC – Cyber Security
▪ Mike Kraft, Basin Electric Power Cooperative – Physical Security
▪ Anthony Rowan, MISO – Operations Security
▪ Steen Fjalstad, Midwest Reliability Organization – General Alternate

Communications
▪ Quarterly Post-CIPC WebEx
▪ Quarterly Board of Directors Report
▪ MRO SAC Report


MRO Security Advisory Council

Compliance Assistance

MRO - [email protected]

MCCF CIP Working Group

SPP CIPWG

SPP CIP Version 5 Transition Users Group

MRO CIPC Representatives

NATF and NAGF

Trade associations - NRECA, APPA, EEI, etc.

Professional relationships built through other activities


MRO Security Advisory Council

Compliance Guidance

MRO Subject Matter Expert Teams (SMET) produced Standard Application Guides (SAG)

SAG for CIP-002-5.1 (revised February 18, 2015)

SAG for CIP-003-6 R2 (January 26, 2017)

https://www.midwestreliability.org/committees/standards/SMET/Pages/default.aspx


MRO Security Advisory Council

MRO Security Conference

Held annually since 2014

Focus Areas
▪ Executive
▪ Physical
▪ Cyber
▪ ICS/SCADA/Insider Threat/Cyber Hunting
▪ Intelligence/Government

September 28, 2017 - Saint Paul, MN


MRO Security Advisory Council

Risks/Threats/Opportunities

Common Threats
▪ Mother Nature (e.g. Ice storms, Tornados, Thunderstorms)
▪ Faulty Equipment/Human error
▪ Wildlife
▪ Gunfire/Vandalism/Copper theft
▪ Standardization

Challenges
▪ Many shared facilities
▪ Rural/Remote facilities
▪ Spares/Distance from manufacturers
▪ Interwoven ISO/RTO

Opportunities


MRO Security Advisory Council


2017 FRCC Region CIPC Report
FRCC Member Services
FRCC CIP Subcommittee


FRCC CIP Subcommittee


• Meets monthly, typically with 20-30 participants
• Reports to the Operating Committee, a Board Committee
• Security and compliance information
• Regional Entity discussion
• Current project status updates
• Review of current Electric Sector security issues
• Guest Speakers such as
 • E-ISAC (approximately quarterly)
 • Ross Johnson - Security Management in the Electric Subsector
 • DOE Argonne National Lab - Natural Gas and Electric Sector security and resilience
 • Ollie Gagnon, DHS Protective Security Advisor – Physical Security

Meetings include formal and informal discussions between teams related to physical & cyber security and compliance


CIPS Member Services Workshops


• March 2017
 • FRCC Workshop at SANS ICS conference on March 22
 • Providing support for cyber security lessons learned for System Operators Seminars
• September 2016
 • Incident Response Planning in conjunction with Navigant
• January 2016
 • Schweitzer Electric Laboratories Security Workshop
• June 2015
 • Security Workshop held in conjunction with the Florida Center for Cybersecurity at University of South Florida
• September 2014
 • Red Blue Team Exercise in conjunction
• Provides speakers for the annual FRCC Board of Directors Cyber and Physical Security Symposiums

Member services workshops focus on security training


Current Projects


• Shared Facilities
 • Over 50 shared assets
 • Over 30 years of experience working together
 • May increase response and restoration time due to multiple entities needed to gain access
• PRC-005 and BES Cyber Asset Applicability
 • Joint project with FRCC OC System Protection and Control Subcommittee

These projects are just a sample of our current work


Current Projects


• FRCC State Hotline Replacement
 • Always-on telephone line including all Balancing Authorities and Transmission Operators
 • Communication of all RC Directives (also posted to FTMS)
 • Supports Situational Awareness
 • Supports Restoration of BES including Blackstart and tie-lines
 • Improves Inter-Entity Coordination and Information Sharing
• Project over the last 18 months to migrate to a new VoIP conference vendor’s tool (who also supports D.O.D.)
• Current telecommunications vendor recently notified us that they will no longer support our current hotline


Current Projects


• ICCP Encryption Project
 • We identified a need for additional security
 • Implementing in conjunction with FRCC OC at 19 entities covering both primary and backup Control Centers
 • Separate telecommunications vendors servicing the primary Control Centers and Backup Control Centers
• Issues seen:
 • Coordination due to broad range of entities of different sizes
 • Delivery of service by telecommunication vendors
 • Implementation coordination with RC, TOPs, and BAs
 • Technical configuration by entities


Joe Garmon – Seminole Electric Cooperative
Carter Manucy – Florida Municipal Power Agency
Pat Boody – Tampa Electric Company


How Industry & Government Work Together to Protect Critical Infrastructure


Approach to Grid Security (diagram)
• Standards: Physical; Cyber
• Industry-Government Partnership: Electricity Subsector Coordinating Council (ESCC); Electricity Information Sharing & Analysis Center (E-ISAC); Partnerships with federal, state, & local governments
• Incident Response: Grid Resiliency; Mutual Assistance; Spare Equipment Programs


Purpose & Scope


Purpose: The ESCC is the principal liaison between the electric sector and the federal government for coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.

Scope: The ESCC facilitates and supports policy and public affairs-related activities and initiatives designed to enhance the reliability and resilience of the electric grid. The ESCC is not operational.


Key Scenarios


ESCC Strategic Coordination Responsibilities


Industry
• Utilities
• Trade Associations
• ISOs & RTOs
• NERC
• E-ISAC
• Canadian Utilities

External Groups
• Other Critical Sectors
• Vendors
• Critical Customers
• Media

Government
• Federal Agencies
• Regulators
• PMAs
• Law Enforcement
• State, Local, Tribal, & Territorial
• Canadian Agencies & Provinces


ESCC Committee Structure (diagram)
• Leadership
• Threat Information Sharing & Processes
• Industry-Government Coordination
• Leveraging Infrastructure / Research & Development
• Cross-Sector Coordination: Communications, Transportation, Financial Services, Downstream Gas, Water


Committee Missions & Projects

Leveraging Infrastructure / Research & Development

Mission: Coordinate government and industry efforts on strategic infrastructure investments and R&D for resilience and national security-related products and processes.

Projects: Spare Equipment Strategy, EMP, National Lab & vendor outreach

Industry-Government Coordination

Mission: Establish unity of effort and unity of messaging between industry and government partners to support the missions of the ESCC both during crises and in steady state.

Projects: ESCC Playbook, Public Affairs, Supply Chain, Cyber Mutual Assistance, Exercises

Threat Information Sharing & Processes

Mission: Improve and institutionalize the flow of, and access to, information among public- and private-sector stakeholders.

Projects: Member Executive Committee, CRISP, Clearances

Cross-Sector Coordination

Mission: Develop partnerships between electricity and other critical sectors to prepare for major incidents, better understand and protect mutual dependencies, and share information effectively.

• Communications
• Transportation
• Financial Services
• Downstream Gas
• Water / Wastewater

ESCC Leadership


ESCC Support

Secretariat
• Administers enabling functions of the ESCC
• Preps executives
• Notifies members of crisis activation
• Provides coordination and support
• Manages Plus 1s and Senior Executive Working Group
• Leads education and socialization effort

Plus 1s
• Support the work of their respective ESCC CEOs
• Inform ESCC priorities and strategic vision
• Lead or participate in ESCC committee deliverables

Senior Executive Working Group (SEWG)
• Consists of experts and executives representing both industry and government; it is called on to accomplish the goals and deliverables set by the ESCC committees
• 14 industry and government organizations
• 70+ electric power owners and operators


Senior Executive Working Group Engagement

Industry Organizations | Reliability Organizations | The Government

Electric Power Sector Owners & Operators (81): AES, Alabama Power, Alliant Energy, American Electric Power, Ameren Corp., Arizona Public Service, Arkansas Electric Cooperative Corp., AVANGRID, Avista Corp., Basin Electric Power Corp., Berkshire Hathaway Energy, Bonneville Power Administration, CA Independent System Operator, CenterPoint Energy, City Utilities of Springfield Missouri, Colorado Springs Utilities, ComEd, Consolidated Edison, Consumers Energy (MI), Dominion, DTE Energy, Duke Energy, Edison International, ELCON, Energy Future Holdings, Energy Reliability Council of Texas, Enmax, Entergy Corp., Eversource Energy, Exelon Corp., FirstEnergy Corp., Florida Power & Light, Garland Power & Light, Georgia Power, Georgia Transmission Corp., Great River Energy, Hawaiian Electric Company, Hydro One, IESO, InfraREIT, ITC Transmission Co., Kansas City Power & Light, LG&E & KU, Lincoln Electric Power System, MidAmerican Energy, MISO, NextEra Energy, NiSource, Norwich Public Utilities, NY Independent System Operator, NY Power Authority, NV Energy, Oklahoma Gas & Electric, Old Dominion Electric Cooperative, Oncor, Pacific Gas & Electric, Pacificorp, Pepco, PJM Interconnection, PNGC Power, PPL Electric Utilities, Public Service Electric & Gas Co., PECO Energy Company, PNM Resources, Sacramento Municipal Utility District, Salt River Project, Santee Cooper, Sempra Energy, Snohomish County Public Utility, Southern California Edison, Southern Company, Tacoma Power, TECO Energy, Tullahoma Utilities Board, TVA, TXU Energy, United Technologies Corp., Vectren, WEC Energy Group, Westar Energy, Xcel Energy


R&D Committee

• ESCC R&D Committee priorities
 – EPRI EMP Project – 1st phase report out
 – Advanced Information Sharing Capabilities
 – Resilient Grid Operations Communications
• R&D Alignment Workshop:
 – DOE will convene the national labs, EPRI, trade associations, electric companies, and other R&D organizations to align priorities for the electricity sector and support commercialization of technologies.


Threat Information Sharing Committee

Incident Response & Exercises Discussion
• Cyber Mutual Assistance – Push for industry to sign up. Currently 86 utilities are members.
• National Cyber Incident Response Plan
 – Series of Webinars March 27-30
• GridEx IV
 – ESCC meeting and Executive table top at the same time

Future activities:
• CRISP analysis and recruitment
• DOE Comparative Risk and Hazard Analysis
• Enhanced Background Information Screening


Cross-Sector

• Strategic Infrastructure Coordinating Council: The coordination between electricity, telecommunication and finance is still a proposal on the table.


Next ESCC Meetings

• Tuesday, June 6, 2017
• Tuesday, November 14, 2017 (in conjunction with GridEx IV on Nov 15-16)
• In discussions with DHS/DOE on a virtual classified briefing. (Logistics are a challenge)


Contact Information

Nathan Mitchell
Sr. Director of Electric Reliability Standards and Security
American Public Power [email protected]

For more information: electricitysubsector.org


NERC RISC Update

Nathan Mitchell, American Public Power Association
Critical Infrastructure Protection Committee
March 8-9, 2017


RISC Meetings

RISC Committee Call: March 10, 2017 | 1:00 p.m.-2:00 p.m. Eastern

Reliability Leadership Summit and RISC Meeting: March 21 – 22, 2017, Mayflower Hotel, Washington DC

The Summit is a key milestone in the strategic planning processes of the Electric Reliability Organization (ERO), and the results and observations from the Summit will be used to identify, assess, and manage reliability priorities across the ERO Enterprise. This year, moderated panels of industry leaders will focus on discussing: (1) challenges in operating the bulk power system (BPS); (2) resiliency and security; and (3) emerging risks to reliability.


Reliability Leadership Summit

• Welcome Remarks
 – Peter Brandien – RISC Chair; Vice President, System Operations, ISO New England
 – Mark Lauby – Senior Vice President and Chief Reliability Officer, NERC
• Keynote Speakers:
 – Cheryl LaFleur – Acting Chairman, Federal Energy Regulatory Commission
 – Dr. Edmund O. Schweitzer III – President, Chairman of the Board, Schweitzer Engineering Laboratories
• Closing Remarks
 – Gerry Cauley – President and CEO, NERC


Reliability Leadership Summit

• Panel 1 – Identification and Mitigation of Significant Risks and Reliability Challenges in Operating the BPS
• Speakers:
 – Tom Galloway – President and CEO, North American Transmission Forum
 – Kyle Thomas – Supervisor, Electric Transmission Operations Engineering, Dominion Virginia Power
 – Dr. Bruce Mork – Professor, Electrical and Computer Engineering, Michigan Technological University
 – Moderator: Brian Slocum – Vice President, Operations, ITC Holdings


Reliability Leadership Summit

• Panel 2 – Identification and Mitigation of Significant Risks to Reliability Resiliency and Security
• Speakers:
 – Mark Ruelle – President and CEO, Westar Energy
 – Duane Highley – President and CEO, Arkansas Electric Cooperative Corporation
 – Steven Naumann – Vice President, Transmission and NERC Policy, Exelon
 – Sharla Artz – Vice President, Government Affairs, UTC
 – Moderator: Charles King – Vice President and Chief Information Officer, Kansas City Power & Light


Reliability Leadership Summit

• Panel 3 – Identification and Assessment of Emerging Risks to Reliability

• Speakers: Gordon van Welie – President and CEO, ISO New England; Daniel Brooks – Manager, Power Delivery System Studies, EPRI; Bill Chiu – Director of Engineering, Southern California Edison

• Moderator: Nelson Peeler – Senior Vice President and Chief Transmission Officer, Duke Energy


Reliability Leadership Summit

• Panel 4 – Round Table

• Moderators: Daniel Froetscher – Senior Vice President, Transmission, Distribution, & Customers, Arizona Public Service Company; Peter Brandien – RISC Chair; Vice President, System Operations, ISO New England


Open Distribution

NATF Update for NERC CIPC Meeting
Ken Keels
NATF Director, Practices and [email protected]; 704-945-1950

Open Distribution. Copyright © 2017 North American Transmission Forum. Not for sale or commercial use. All rights reserved.

March 2017


Topics

• Cyber and physical security practices activities underway at NATF

• Current and pending reference documents published for open distribution

• May 2017 NATF Security Practices Workshop (Members Only)



Cyber and Physical Security Practices Activities Underway at NATF

• Recent Topics and Monthly Web Meetings and Workshops
  – CIP-013 Supply Chain Risk Management
  – Transient Cyber Asset Implementation Guidance
  – Peer Review results
  – Physical Security’s Role in Meeting Low and Medium Impact Asset CIP Compliance Requirements
  – Patch Management – How Microsoft is rolling out patches now
  – Joint Security Operations Centers


Active Working Groups

• Physical Security
• Tools
  – Security information and event management (SIEM)
  – Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII)
• White Papers
  – Whitelisting
  – Transient Cyber Devices (TCAs)
  – Insider Threat
• Other Targeted Activities
  – CIP-013 Supply Chain Risk Management webinar
  – Vermont Power “hack” overview webinar


NATF Security Practices Workshop

• When: May 2-4
• Planned topics
  – Transient Cyber Assets Implementation White Paper
  – Compliance Culture/Effective Implementation Best Practices
  – Cyber Security Supply Chain Risk Management
  – Audit Experience Lessons Learned
  – Low Impact Assets Implementation Experience
  – Security Operations Centers
  – Communications Networks
  – Cyber, Physical, and CIP Compliance Breakout Sessions


Operating Committee Request to CIPC
NERC CIPC Meeting, 3/8-3/9/2017

OC Action Item: It is recommended that the ORS develop a scope document for recognition of cyber intrusion into operations systems and provide input to the OC at the June 2017 OC meeting.

• The OC requests 2 CIPC representatives to assist with
  – Develop a preliminary outline for this OC guideline
  – OC will determine whether to proceed in June
  – If approved, request to CIPC for assistance in developing the guideline

• Operating Security Subcommittee requests a chair and vice-chair to assist the OC with this task
  – If approved, lead the CIPC team supporting OC guideline
  – Develop charter for approval in June pending OC approval
  – Guideline will be operator focused

Page 126: Quarterly Workplan Update Highlights and Minutes … · 08/03/2017  · 3.Do you implement the Principle of Least Privilege in your Internet -facing networks to include devices, such

BES Security Metrics WG
CIPC Progress Report

David Dunn, Ontario IESO
Critical Infrastructure Protection Committee
March 8-9, 2017

Page 127: Quarterly Workplan Update Highlights and Minutes … · 08/03/2017  · 3.Do you implement the Principle of Least Privilege in your Internet -facing networks to include devices, such

2 RELIABILITY | ACCOUNTABILITY

Critical Infrastructure Protection Committee (organization chart, April 2016)

Executive Committee:
  Joe Garmon, Seminole
  Marc Child, Chair, Great River Energy
  Melanie Seader, EEI
  David Grubbs, City of Garland
  Nathan Mitchell, Vice Chair, APPA
  Jack Cashin, EPSA
  Ross Johnson, CEA
  David Revill, Vice Chair, NRECA
  Chuck Abell, Ameren
  John Galloway, ISO-NE
  Sam Chanoski, Secretary, NERC

Subcommittees and task force:
  Business Continuity Guideline TF (Darren Myers)
  Physical Security Subcommittee (David Grubbs)
  Cybersecurity Subcommittee (David Revill)
  Operating Security Subcommittee (Joe Garmon)
  Policy Subcommittee (John Galloway)

Working groups:
  Physical Security WG (Ross Johnson)
  Security Training WG (David Godfrey)
  Control Systems Security WG (VACANT)
  Grid Exercise WG (Tim Conway)
  BES Security Metrics WG (Larry Bugh)
  Physical Security Standard WG (Allan Wick)
  Compliance and Enforcement Input WG (Paul Crist)
  Physical Security Guidelines WG (John Breckenridge)

Volunteers needed!


Security Metrics Development Roadmap: 2015 and Beyond
(Roadmap figure not reproduced; the slide marks the current position as “We are here.”)


BESSMWG Activities

Activities Since December 2016
• Conference call on January 27 to:
  – Review Q4 2016 metrics results with E-ISAC
• Met on March 7 to:
  – Review timeline and activities to complete Security Metrics chapter of NERC’s 2017 State of Reliability report
  – Discuss status and next steps for metrics under development
    o Industrial Control System Vulnerabilities
    o NERC Alerts
    o Automated cyber information-sharing methods
      – # participants
      – Trends re: types of malware


Security Metrics in 2017 State of Reliability Report

Drafted chapter for the NERC State of Reliability 2017 report that:
• Includes a high-level description for each of the seven metrics (includes several refinements based on enhanced E-ISAC reporting processes)
• Deletes 2014 data that have been in prior years’ reports if the metric definitions have been revised so that 2014 data is no longer comparable
• Provides validated E-ISAC data for 2015 and 2016
• Discusses apparent trends and rationale


Next Steps

Communicate and enhance existing metrics
• Consider any CIPC feedback from today
• Coordinate with the Performance Analysis Subcommittee to include the chapter in the NERC State of Reliability 2017 report
  – NERC Board approval anticipated May 2017
• Continue to monitor trends for the approved metrics now considered “mature”
• Continue supporting the E-ISAC to review and validate quarterly data


Next Steps

New metrics development
• Complete development of detailed definitions for new metrics
  – Define and implement sub-categories for cyber and physical incidents consistent with new EOP-004-4 form and OE-417 (currently being revised by DOE with public consultation)
  – Industrial control system vulnerabilities
  – Extent to which industry uses automated methods to share cyber information
• Consider new metrics over the longer-term


The Ask

The BESSMWG requests that CIPC:

• Accept the Security Performance Metrics chapter for inclusion into the NERC State of Reliability 2017 report, subject to non-substantive edits when published.


DRAFT March 3, 2017 Chapter X – Security Performance Metrics Page 1 of 11

Chapter X – Security Performance Metrics

Background

For many years now, NERC and the electricity industry have taken actions to address cyber and physical security risks to the BPS as a result of potential and real threats, vulnerabilities, and events. This chapter provides security performance metrics based on data collected by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC). These metrics help provide answers to important questions often asked by industry executives and government policy-makers such as:

• How often do physical and cyber security incidents occur?

• To what extent do these reported incidents cause a loss of customer load?

• What is the extent of security information-sharing across the industry?

• Are cybersecurity vulnerabilities increasing?

These security performance metrics are derived from data collected and validated by the E-ISAC during 2015 and 2016. On a quarterly basis, the E-ISAC collaborates with the BES Security Metrics Working Group (BESSMWG) to review the results and ensure the definitions are being correctly applied to the raw data. In some cases, the BESSMWG has revised the definitions to clarify the metric or make it more meaningful. The E-ISAC and BESSMWG are continuing to consider new security metrics that may be useful to the industry.

Purpose

These security metrics complement other NERC reliability performance metrics by defining lagging and leading indicators for security performance as they relate to reliable BPS operation. These metrics help inform senior executives in the electricity industry (e.g., NERC’s Board of Trustees, management, the Member Representatives Committee, and the Reliability Issues Steering Committee) by providing a high-level view of how security risks are evolving, and indicating the extent to which the electricity industry is successfully managing these risks. Due to the vast array of different operations technology systems used by individual electricity entities, the BESSMWG has not developed cyber security metrics applicable to the day-to-day operation of individual entities.

NERC Alert Process and Security Incidents During 2016

One of the responsibilities of NERC’s E-ISAC is to provide subject matter expertise to issue security-related threat alerts, warnings, advisories, notices, and vulnerability assessments to the industry. While these alerts may provide some indication of the relative risks facing the electricity industry, they have so far not occurred frequently enough to indicate trends. All of these incidents are taken seriously and reviewed by the E-ISAC, and the following outlines actions taken.

During 2016, NERC issued two industry-wide alerts [1] and one industry advisory describing large-scale distributed denial-of-service attacks, an increasing presence of ransomware, and the cyber-attack that affected a portion of Ukraine’s electricity system. The following summarizes the three alerts and advisories issued by NERC:

• A series of large-scale denial-of-service attacks affected a wide array of consumer Internet-capable devices. While these attacks did not impact the reliable operation of the grid, they highlighted the potential vulnerability of some equipment such as video cameras that are widely used in the electricity industry.

• Ransomware, used to infiltrate networks and deny access to information and systems until the victim meets payment demands, continues to pose a threat as demonstrated by attacks against, for example, hospitals and municipalities. NERC’s industry advisory helped raise awareness across the industry regarding this threat.

• In December 2015, a portion of Ukraine’s electricity distribution system was disrupted by a cyber attack. The E-ISAC was involved in the post-event review and NERC issued an alert to inform the industry and recommended actions to prevent or mitigate such an attack.

[1] Ref. http://www.nerc.com/pa/rrm/bpsa/Pages/Alerts.aspx

Security Performance Metrics and Results

The security landscape is dynamic, requiring constant vigilance and agility. NERC and the electricity industry address security threats through a comprehensive range of diverse strategies including mandatory standards, situational awareness, information sharing with industry and government, and strong public-private partnerships. This section provides seven security performance metrics that provide an indication of the extent to which NERC and the industry are adequately managing the potential impact of security threats and events on the reliable operation of the bulk power system. The E-ISAC and BESSMWG have developed these metrics, reviewed the results, and where possible have identified trends, recognizing that these metrics are based on only two years of data.

Security Metric 1: Reportable Cyber Security Incidents

Responsible Entities must report cyber security incidents to the E-ISAC as required by the NERC reliability standard CIP-008-5 Incident Reporting and Response Planning. This metric reports the total number of Reportable Cyber Security Incidents [2] that occur over time and identifies how many of these incidents have resulted in a loss of Load. It is important to note that any loss of Load will be counted, regardless of direct cause. For example, if Load was shed as a result of a loss of situation awareness caused by a cyber incident affecting an entity’s energy management system, the incident would be counted even though the cyber incident did not directly cause the loss of Load. This metric provides the number of Reportable Cyber Security Incidents and an indication of the resilience of the BES to operate reliably and continue to serve Load.

While there were no reportable cyber security incidents during 2015 and 2016, and therefore none that caused a loss of Load, this does not necessarily suggest that the risk of a cyber security incident is low, as the number of cyber security vulnerabilities is continuing to increase (ref. Security Metric 5). [3]

Reportable Cyber Security Incidents

                                                               2015                2016
Metric                                                     Q1  Q2  Q3  Q4      Q1  Q2  Q3  Q4
Total number of Reportable Cyber Security Incidents         0   0   0   0       0   0   0   0
Total number of Reportable Cyber Security Incidents
  resulting in loss of Load                                 0   0   0   0       0   0   0   0

[2] Ref. NERC Glossary of Terms: “A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.”

[3] ERO Reliability Risk Priorities, RISC Recommendations to the NERC Board of Trustees, November 2016, p. 9. The Risk Mapping chart depicts Cyber Security Risk as having high potential impact and relative likelihood of BPS-wide occurrence.

Security Metric 2: Reportable Physical Security Events

Responsible Entities must report physical security events to the E-ISAC as required by the NERC EOP-004-2 Event Reporting reliability standard. This metric reports the total number of physical security reportable events [4] that occur over time and identifies how many of these events have resulted in a loss of Load. It is important to note that any loss of Load is counted, regardless of direct cause. For example, if Load was shed as a result of safety concerns due to a break-in at a substation, the event is counted even though no equipment was damaged which directly caused the loss of Load. The metric provides the number of physical security reportable events and an indication of the resilience of the BES to operate reliably and continue to serve Load.

Note that this metric does not include physical security events reported to the E-ISAC that do not meet the reporting threshold as defined by the NERC EOP-004-2 standard, such as physical threats and damage to substation perimeter fencing. Also, this metric does not include physical security events affecting equipment at the distribution level (i.e., non-BES equipment).

Over the past two years, one physical security event occurred in Q1 2015 that caused a loss of Load. This near-zero result does not necessarily suggest that the risk of a physical security event causing a loss of Load is low, as the number of reportable events has not declined over the past two years. Although this metric does not include physical security events affecting equipment at the distribution level (i.e., non-BES equipment), NERC receives information through both mandatory and voluntary reporting that indicates that distribution-level events are more frequent than those affecting BES equipment.

[4] Reportable Events are defined in reliability standard EOP-004-2 Event Reporting, Attachment 1.


Security Metric 3: E-ISAC Membership This metric reports the total number of electricity sector organizations and individuals registered as members of the E-ISAC. E-ISAC members include NERC Registered Entities and others in the electricity sector including distribution utilities (i.e., membership is not limited to BPS organizations). Given today’s rapidly changing threat environment, it is important that entities be able to quickly receive and share security-related information. This metric identifies the number of organizations registered, as well as the number of individuals. Increasing E-ISAC membership should serve to collectively increase awareness of security threats and vulnerabilities, and enhance the sector’s ability to respond quickly and effectively. During the latter half of 2016, the E-ISAC implemented a password reset policy in an effort to enhance the security of its information-sharing portal by requiring members to change their passwords every 90 days and limit access to only members who actively use the portal.


The data indicates the following:

• As of the end of 2016, all Reliability Coordinators and 91% of Balancing Authorities (an increase from 85% last year) had an active account with the E-ISAC. As defined by the NERC functional model, Reliability Coordinators and Balancing Authorities perform an essential coordinating role in the operation of the BPS within their respective areas and with each other.

• Since 2014, the number of registered organizations has steadily increased. However, additional outreach across the industry is needed to further increase awareness and encourage active use of the E-ISAC portal.

• The number of individual users has increased at a faster rate than the number of registered organizations. Organizations are increasing the number of individuals with access to the E-ISAC portal, likely as part of efforts to increase their security staffing capabilities and capacity.

• The E-ISAC’s new portal password reset policy implemented during 2016 has resulted in a significant decrease in the number of registered organizations and individuals. Going forward, this metric will more accurately reflect the number of members who actively use the portal as a routine part of their job.


Security Metric 4: Industry-Sourced Information Sharing

This metric reports the total number of Incident Bulletins (i.e., Cyber Bulletins and Physical Bulletins) published by the E-ISAC based on information voluntarily submitted by E-ISAC member organizations. [5] E-ISAC member organizations include NERC Registered Entities and others in the electricity sector, including distribution utilities (i.e., it is not limited to the BPS). Incident Bulletins describe physical and cyber security incidents and provide timely, relevant, and actionable information of broad interest to the electricity sector. Given today’s complex and rapidly changing threat environment, it is important that electricity sector entities share their own security-related intelligence, as it may help identify emerging trends or provide an early warning to others.

This metric provides an indication of the extent to which E-ISAC member organizations are willing and able to share information related to cyber and physical security incidents they experience. As E-ISAC member organizations increase the extent that they share their own information, all member organizations will be able to increase their own awareness and ability to respond quickly and effectively. This should enhance the resilience of the BPS to new and evolving threats and vulnerabilities. The modest but steady increase in the number of bulletins published by the E-ISAC during 2016 compared with 2015 suggests that member organizations are sharing security-related information.

[5] In September 2015, the E-ISAC launched its new portal. Watchlist Entries are now called Cyber Bulletins. The category Physical Bulletins is on the portal to share physical security information. Prior to 2015 Q4, physical security reports were shared through the E-ISAC Weekly Report, but not through Watchlist Entries.


Security Metric 5: Global Cyber Vulnerabilities

This metric reports the number of global cyber security vulnerabilities considered to be high severity based on data published by the National Institute of Standards and Technology (NIST). NIST defines high severity vulnerabilities as those with a common vulnerability scoring system [6] (CVSS) score of seven or higher. The term “global” is an important distinction as this metric is not limited to information technology typically used by electricity sector entities.

The year-over-year increase in global cyber security vulnerabilities (23%) compared with global cyber security incidents (38%) indicates that vulnerabilities are increasingly being successfully exploited, and reinforces the need for organizations to continue to enhance their cybersecurity capabilities.

[6] Ref. NIST http://nvd.nist.gov/cvss.cfm
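The high-severity count that Security Metric 5 describes can be reproduced from NVD data with a short script. What follows is an added illustration written for this page, not code from NERC, the BESSMWG or NIST. The records are constructed stand-ins for NVD feed entries (placeholder identifiers, not real CVEs) carrying only a publication date and a CVSS base score; the 7.0 threshold follows the NIST “high” definition quoted above. The script also computes the year-over-year percent change the chapter reports for the metric, and settles two edge cases the text leaves implicit: an entry scored exactly 7.0 counts as high, and an entry that has not yet been scored is excluded rather than guessed at.

```python
"""Count high-severity vulnerabilities per year from NVD-style records.

Added example for this page (not code from the NERC/BESSMWG report).
The records below are constructed stand-ins for NVD feed entries with only
the fields the metric needs: an identifier, a publication date and a CVSS
base score. Identifiers are placeholders, not real CVE numbers.
"""
from collections import Counter
from datetime import date

HIGH_SEVERITY_THRESHOLD = 7.0  # NIST "high": CVSS base score of 7 or higher

# Constructed sample records. score=None models an NVD entry that has been
# published but not yet scored.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-2015-001", "published": date(2015, 1, 14), "score": 7.5},
    {"id": "EXAMPLE-2015-002", "published": date(2015, 3, 2), "score": 4.3},
    {"id": "EXAMPLE-2015-003", "published": date(2015, 6, 30), "score": 10.0},
    {"id": "EXAMPLE-2015-004", "published": date(2015, 11, 9), "score": 7.0},
    {"id": "EXAMPLE-2015-005", "published": date(2015, 12, 1), "score": None},
    {"id": "EXAMPLE-2016-001", "published": date(2016, 2, 17), "score": 6.9},
    {"id": "EXAMPLE-2016-002", "published": date(2016, 4, 5), "score": 9.8},
    {"id": "EXAMPLE-2016-003", "published": date(2016, 7, 21), "score": 8.1},
    {"id": "EXAMPLE-2016-004", "published": date(2016, 9, 3), "score": 7.2},
    {"id": "EXAMPLE-2016-005", "published": date(2016, 10, 28), "score": 5.0},
    {"id": "EXAMPLE-2016-006", "published": date(2016, 12, 12), "score": 7.8},
]


def is_high_severity(score, threshold=HIGH_SEVERITY_THRESHOLD):
    """True when a record carries a base score at or above the threshold.

    A score of exactly 7.0 is "high" under the NIST definition; an unscored
    entry (None) is excluded rather than assumed to be high or low.
    """
    return score is not None and score >= threshold


def high_severity_by_year(records, threshold=HIGH_SEVERITY_THRESHOLD):
    """Return {year: count} of high-severity vulnerabilities by publication year."""
    counts = Counter()
    for rec in records:
        if is_high_severity(rec["score"], threshold):
            counts[rec["published"].year] += 1
    return dict(sorted(counts.items()))


def year_over_year_change(counts, year):
    """Percent change in the count from the previous year to `year`, to 1 decimal.

    Returns None when the previous year has no high-severity vulnerabilities,
    since a percentage change is undefined from a zero base.
    """
    previous = counts.get(year - 1, 0)
    if previous == 0:
        return None
    return round((counts.get(year, 0) - previous) * 100.0 / previous, 1)


if __name__ == "__main__":
    by_year = high_severity_by_year(SAMPLE_RECORDS)
    for year, count in by_year.items():
        print(f"{year}: {count} high-severity vulnerabilities")
    print(f"2016 vs 2015: {year_over_year_change(by_year, 2016)}% change")
```

One caveat a practitioner should carry over to real NVD feeds: the same entry may carry both a CVSS v2 and a CVSS v3 base score, and the two can fall on different sides of the 7.0 line, so the year-to-year comparison the metric relies on is only meaningful if one scoring version is used consistently across all years counted.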


Security Metric 6: Global Cyber Vulnerabilities and Incidents [NTD: Data for 2016 PWC report required] This metric compares the number of annual global cyber security vulnerabilities and incidents in order to identify a possible correlation between vulnerabilities and incidents. While there are a number of different publicly-available sources for this information, the BESSMWG has selected the PWC Global State of Information Security report because it has consistently reported the number of incidents since at least 2013. This metric is based on surveys of chief information technology officers and chief information security officers, and although the survey respondents change from year to year, reports of this nature tend to have consistent results and will continue to be a valid indicator.


Security Metric 7: GridEx Exercise Participation This metric compares the number of organizations participating in each of the GridEx security and crisis response exercises conducted by NERC every two years. NERC’s large-scale GridEx exercises provide electricity organizations with the opportunity to respond to simulated cyber and physical security attacks affecting the reliable operation of the North American grid. Participation rates indicate the extent to which organizations consider the evolving GridEx program to be a valuable learning opportunity. Increasing participation may indicate the extent to which the electricity industry as a whole is ready to respond to a real cyber or physical attack. The metric distinguishes between “active” and “observing” organizations. Active organizations participate by assigning staff to participate in the exercise from their work locations at control centers or power plants as if it were a real event. Observing organizations participate in a more limited way, typically through an internal tabletop exercise. The metric shows a significant increase in total numbers of participating electricity organizations, and an increasing proportion of active organizations.

Roadmap for Future Metrics Development

The BESSMWG and the E-ISAC have developed a roadmap for future metrics development that continues to build upon this foundational set of security metrics, including refining this initial set of metrics based on operational experience. The BESSMWG acknowledges the challenges associated with collecting security-related data:

• Historically, NERC and the E-ISAC have received limited data related to cyber and physical security incidents, as these incidents have been relatively rare and have had little or no impact on BPS reliability over the past couple of years.


• The metrics over the past couple of years indicate that the magnitude and number of constantly changing security threats and vulnerabilities are not diminishing, and could affect BPS reliability.

• The number and type of cyber systems and equipment used by the industry is large and diverse, making it difficult to develop metrics that are directly relevant to the specific technologies and systems used by individual entities across the industry.

• Data that details security threats, vulnerabilities, and real incidents is highly sensitive. Handled inappropriately, this can expose vulnerabilities and encourage adversaries to develop new and more sophisticated exploits.

The BESSMWG has researched security metrics developed by leading experts outside the electricity industry and examined over 150 of these to assess their applicability from a BPS reliability perspective. Out of these 150 metrics, the BESSMWG concluded that only about 30 would be relevant. This assessment underscores the challenges associated with developing relevant and useful security metrics that rely on data willingly and ably provided by individual entities. The BESSMWG will continue to investigate potential new physical and cyber security metrics. Two particular areas stand out for further study during 2017.

• The extent to which the industry uses automated communications methods [7] to share cyber security information between individual organizations and the E-ISAC.

• While global cyber security vulnerabilities and incidents provide a very high-level view of threats facing the industry, a more relevant metric for the industry would focus on energy management systems (EMS) and supervisory control and data acquisition systems (SCADA) commonly used by the electricity industry.

[7] For example, the Cybersecurity Risk Information Sharing Program (CRISP) uses information sharing devices to collect and transmit security information from electricity operator participant sites. Data is shared with CRISP participants, and unattributed data is shared with the broader E-ISAC membership. For organizations not participating in the CRISP program, TAXII, STIX, and CybOX are community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis. These methodologies are international in scope and free for public use.


NERC CIPC Compliance and Enforcement Input Working Group

Paul Crist, Lincoln Electric System
Lisa Carrington, Arizona Public Service Co.
Damon Ounsworth, SaskPower
Critical Infrastructure Protection Committee Meeting, March 8-9, 2017


Critical Infrastructure Protection Committee

April 2016

Executive Committee
• Joe Garmon, Seminole
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC

Business Continuity Guideline TF (Darren Myers)

Subcommittees
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)

Working Groups
• Physical Security WG (Ross Johnson)
• Security Training WG (David Godfrey)
• Control Systems Security WG (VACANT)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Larry Bugh)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)


• CEIWG Co-Vice Chairs
 Lisa Carrington – Arizona Public Service
 Damon Ounsworth – SaskPower


Compliance Implementation Guidance Development

March 2017? Deadline for CIPC


• Overall process for developing and submitting Compliance Implementation Guidance:
 CIPC Lead
 o Pat Boody, TECO
 CEIWG Support
 o Michael Johnson, Burns and McDonnell
 o Karl Perman, TransAlta
 o Paul Crist, Lincoln Electric System
 NERC Staff
 o Tom Hofstetter, NERC
 NERC OC Coordination
 o Doug Peterchuck, Omaha Public Power District
 – Development of a template.
 – Vetting of document.
 – How to submit document.


• VoIP in Control Centers:
 CIPC Lead
 o Lisa Carrington, Arizona Public Service
 CEIWG Support
 o John Tracy, Tennessee Valley Authority
 o Tom Alrich, Deloitte & Touche
 o Amelia Sawyer, CenterPoint Energy
 o Carter Manucy, Florida Municipal Power Agency
 NERC Staff
 o Tom Hofstetter, NERC


• Shared Facilities:
 CIPC Lead
 o Carter Manucy, Florida Municipal Power Agency
 CEIWG Support
 o Pat Boody, TECO Energy
 o Mike Kraft, Basin Electric Power Cooperative
 o Amelia Sawyer, CenterPoint Energy
 o Tom Alrich, Deloitte & Touche
 NERC Staff
 o Tom Hofstetter, NERC


• NEI/NERC PRAs:
 CIPC Lead
 o Damon Ounsworth, SaskPower
 CEIWG Support
 o Paul Crist, Lincoln Electric System
 NERC Staff
 o Tobias Whitney, NERC


Meetings
• Second Thursday of each month at 1:00 p.m. Central (Please let me know if you need the call-in information)
• Next conference call April 13, 2017 at 1:00 p.m. Central
• No call on March 9, 2017.


Legislative Update

Nathan Mitchell, American Public Power Association
Critical Infrastructure Protection Committee
March 8, 2017


Nominations

• Department of Energy Secretary – Rick Perry
 Former Governor of Texas
 Awaiting Sec. Perry to nominate his team and set an agenda

• Department of Homeland Security Secretary – John F. Kelly
 Retired Marine and former commander of SOUTHCOM – focus on FBI and DEA border issues
 Currently focused on immigration issues


FERC Vacancies

Reps. Walden and Upton Encourage White House to Fill FERC Vacancies

• On Thursday March 2, top Republicans on the House Energy and Commerce (E&C) Committee sent a letter to the White House requesting that the administration nominate “highly qualified, experienced candidates” to fill vacancies on the Federal Energy Regulatory Commission (FERC). Since former Chairman Norman Bay resigned from FERC on February 3, the Commission has lacked a quorum and the ability to take certain actions.

• In the letter E&C Chairman Greg Walden (R-OR) and former chairman Fred Upton (R-MI) urged President Trump “to swiftly nominate commissioners to FERC so that it may execute the authorities granted by Congress and fulfill its mission to assist consumers in obtaining reliable, efficient and sustainable energy services at a reasonable cost through appropriate regulatory and market means.”


Cybersecurity Executive Order

(Draft) White House Cybersecurity Executive Order (EO) Leaked: On February 8, a second draft EO was posted online by Lawfare blog. (Still draft)

Section 2: Cybersecurity of Critical Infrastructure
• Assessment of Electricity Disruption Response Capabilities, to be completed within 90 days


Cybersecurity Executive Order

(Draft) Assess:
1. the potential scope and duration of a significant cyber incident against the United States electric subsector;
2. the readiness of the United States to manage the consequences of such an incident; and
3. any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.


Senate Armed Services Committee

• January 5, 2017 hearing on the “Foreign Cyber Threats to the United States.”

• The Director of National Intelligence, Undersecretary of Defense for Intelligence and the Director of the National Security Agency testified.

• Chairman McCain (R-AZ) promised that this hearing would be the first in a series of hearings on foreign cyber threats.


Senate Armed Services Committee

• Senator Inhofe (R-OK) cited a paper published by the EEI on “managing cyber risk” and asked about the ESCC. Clapper stated it was “emblematic of a lot of the work the government has done on engaging the 16 critical infrastructure sectors” and efforts to provide tailored intelligence assessments to each sector.

• Senator Nelson (D-FL) asked Clapper how the U.S. would have responded if “the supposed invasion of the Vermont utility last week” had “shut it down”; Clapper responded that there was no invasion.


Senate

• Senators Cory Gardner (R-CO) and Chris Coons (D-DE) introduced legislation to establish a permanent select committee focused on cybersecurity.

• The committee would have broad jurisdiction over “domestic and foreign cybersecurity risks (including state-sponsored threats) to the United States,” including risks to computer systems, infrastructure, citizens, corporations/businesses, commerce, and federal department or agency cybersecurity actions.

• No real support for moving this bill forward.


Senate

• January 10, 2017 Senators Jim Risch (R-ID) and Angus King (I-ME) introduced S.79, “Securing Energy Infrastructure Act”

• Two-year pilot program within the National Laboratories to research ways to defend against security vulnerabilities in industrial control systems using:
 (A) analog and non-digital control systems;
 (B) purpose-built control systems; and
 (C) physical controls.

• The legislation has been billed in the press as a “retro” solution to cybersecurity risks because of its emphasis on human-operated, manual technology.


House of Representatives

• February 1, 2017 The House Energy & Commerce Committee Subcommittee on Energy hearing on electric sector cybersecurity

• The tenor of the hearing was for the most part cautiously positive towards the electric sector’s cybersecurity efforts

• Subcommittee Chairman Upton agreed to hold more hearings on the subject, including classified briefings and one with witnesses from DOE and FERC

• There was one notable exception to the otherwise generally positive tone of the hearing from one member who railed about the threats of EMPs.


EMP

• The purported threat of EMPs continues to animate some policymakers.

• February 20, 2017 EPRI released the first of a three-installment study of the effect of an EMP on the grid. This first study found that a small number (3 to 14) of transformers would be at risk for thermal damage.

• This finding is contrary to claims made by some that hundreds or thousands of transformers would fail.

• The report has been shared with relevant committees and Congressional staff and members with a recommendation that EPRI brief them directly.


House of Representatives

• At the request of Representative Don Beyer (D, VA-8), the Government Accountability Office (GAO) has compiled a report on federal efforts to enhance electric grid resilience.

• Beyer serves as Ranking Member on the House Science, Space, and Technology Committee Subcommittee on Oversight.

• The report http://www.gao.gov/products/GAO-17-153 states that DOE, DHS and FERC reported implementing 27 grid resiliency efforts since 2013 and identified a variety of results from these efforts. No recommendations are made in the report.


Grid Exercise Working Group
Tim Conway

CIPC March 9, 2017

TLP: AMBER – INTERNAL DISTRIBUTION / NEED TO KNOW


The GEWG

60+ Members

Physical
• John Breckenridge (KCPL)
• Carl Herron (E-ISAC)
• Susan Mueller (TECO Energy)

Cyber
• Steven Briggs (TVA)
• Dustin Cornelius (Southern Company)

Operations
• Jill Hoyt (Peak Reliability)
• John Norden (ISO-NE)

RC-to-RC
• Greg Goodrich (NYISO)
• Jill Hoyt (Peak Reliability)

Training Task Force
• Tim Conway
• NERC Training staff


Where we were

Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors

Develop a Narrative
• Backstory or ground truth:
 • Attacker profile
 • The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions

MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas


Where are we now

Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors

Develop a Narrative
• Backstory or ground truth:
 • Attacker profile
 • The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions

MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas


Proposed Planning Schedule

Milestones
• GEWG Meeting: June 2016
• RC Meeting: Oct 5 2016
• Initial Planning: Nov. 14 2016
• Midterm Planning: February 2017
• Final Planning: May 2017
• Execute GridEx IV: November 15-16, 2017
• Report: Q1 2018

Working Group
• Establish Working Group members
• GridEx IV awareness
• Planner outreach

Kick-Off
• Confirm goals and objectives
• Finalize timeline
• Discuss outreach goals/plan

Initial Planning Phase
• Decide scenario themes
• Decide tools
• Coordinate with RCs

Mid-term Planning Phase
• Finalize scenario
• Develop supporting materials
• Confirm participation
• Distribute training materials
• Planners begin training

Final Planning Phase
• More training sessions available for Player prep on tools, GridSecCon 2017, Move Zero

Conduct
• Distributed Play
• Executive Tabletop
• After-action survey and lessons learned

After Action
• Analyze survey results and lessons learned
• After Action Report and Briefing

(Slide marker: where we currently are in the overall schedule)


Calendar

• Face to Face MSEL Sub-Team meeting March 7 – 8
• GEWG – Thursday, March 9, 2017. Location: Atlanta
• Final Planning Meeting – May-ish, 2017. Location: McLean, VA
• Summer meetings and planner/player training presentations
• GridSecCon 2017 – October 17-20, 2017. Minneapolis/St. Paul, MN
 Move Zero training, GridEx IV kickoff
• GridEx IV – November 14-17, 2017 (four days?!?)
 Warmup ExCon day – Tuesday 14th
 Main days – Wednesday – Thursday 15-16
 Rapid Deployment day – Friday 17


TTTL (Tim’s Top Ten List)

What should you be doing?

1. Login to GridEx Portal
2. Identify your internal team of planners that will help you throughout GridEx
3. Identify which parts of your organization will be playing
4. Review scenario narrative with your team
5. Start thinking about and discussing schedules
 a) Player (IT, OT, Physical, Operators) schedules for GridEx dates
 b) Move 0 participation schedule / GridSecCon attendance 10/17/17
 c) Reserve necessary conference rooms and work areas with phones and appropriate computers / AV
 d) Planner participate in GEWG calls and in person Planning meetings


TTTL (Tim’s Top Ten List)

6. Review and comment on the MSEL with your planners next week
7. Identify the injects that your organization will be subscribing to
8. Work with your RC during GridEx planning meetings to discuss system impacts and injects being selected by organizations within a region
9. Assist in the development of generic inject artifacts for the use by all organizations
10. Work with your internal planners and utilize your systems to develop and create high value custom inject artifacts for your players


Your Next Steps

• Portal Login
• Organization Participation
• Consider Schedules
• Inject Planning
• Plan with RC
• Review MSEL
• Identify Planners
• Review Scenario
• Volunteer
• Customize

