Quarterly Workplan Update
Critical Infrastructure Protection Committee
Marc Child, CIPC Chair
Critical Infrastructure Protection Committee Meeting
March 8-9, 2017
RELIABILITY | ACCOUNTABILITY
CIPC Strategic Plan & Workplan
CIPC Workplan/strategy mapped to RISC recommendations
• Risk profile #8: Physical Security
  – Seven Near-term recommendations (1-2 years)
  – Nine Mid-term recommendations (3-5 years)
  – Two Long-term recommendations (>5 years)
• Risk profile #9: Cybersecurity
  – Eleven Near-term recommendations
  – Four Mid-term recommendations
  – Three Long-term recommendations
CIPC Strategic Plan & Workplan: 2017 Activities
2017 Task | Status
Security Metrics
  Develop additional context around existing metrics | Report being finalized
Collaboration
  Regional presentations | FRCC & MRO (March meeting)
  Logistics for closed meetings when needed | Executive Committee
  Joint OC/PC/CIPC project | Project identified, assigned to Operating subcommittee
  Foster relationships with national labs*
  Expand security narrative in the State of Reliability Report*
*feedback appreciated
CIPC Strategic Plan & Workplan: 2017 Activities
2017 Task | Status
Emerging Technologies
  Act as a forum for discussions | Standing agenda item
GridEx
  Complete GE3 recommendations | CSSWG assignment
  GridEx 4 planning | GEWG
Guidance
  Prioritize emerging technologies guidance | Standing agenda item
  Evaluate alternate delivery/develop processes | Executive Committee
  Update connecting business networks GL | CSSWG future assignment
CIPC Strategic Plan & Workplan: 2017 Activities
2017 Task | Status
Guidance
  Resiliency and vulnerability assessment best practices | Physical Security (RISC item 7a)
  Update threat and incident response guideline | Physical Security (RISC item 7b)
  Develop vulnerability risk management GL | CSSWG (RISC item 3)
  Comment body* | Executive Committee to study feasibility and logistics
*feedback appreciated
CIPC Strategic Plan & Workplan
• 2018 look-ahead
  – One new metric
  – State of security report (notional draft)
  – Supply chain guidance
  – GridEx 4 recommendations, GridEx 5 planning
  – Prioritize RISC 3-5 year recommendations
E-ISAC Update
Marcus Sachs, Senior VP & Chief Security Officer
CIPC
March 8, 2017
Summary of Q4 2016
• Sharing and reporting
  – 265 E-ISAC staff posts to the portal (+29% from Q3)
  – 57 member posts to the portal (+20%)
  – 35 calls to the E-ISAC hotline (-17%)
  – 275 new portal accounts (+30%)
• Engagement (monthly average during the quarter)
  – 296 webinar attendees (+12%)
  – 416 downloads of the daily report (+0.4%)
Sharing by Region – Q4 2016
Significant Activities
• GridSecCon 2016 (October)
  – Quebec City
  – Over 400 participants
• NERC Level 2 Alert on the Internet of Things (October)
• GridEx IV Initial Planning Meeting (November)
  – First opportunity to provide input into scenario development
  – Exercise scheduled for November 15-16, 2017
• Portal improvements (November)
• Launched CAISS – the STIX/TAXII pilot (December)
• Two cyber events (December)
  – Second Ukraine incident
  – Vermont incident
Internet of Things Issue
• Explosive growth of “smart devices” in the past two years
  – Things that can communicate over the Internet
  – Security cameras, digital video recorders, alarms, light switches, coffee pots, refrigerators
• Most are not designed to be secure against unauthorized access
  – Can be hijacked by malicious actors
  – Are being used to attack other systems
• Three attacks on October 21, 2016, against an Internet service provider
  – Caused hundreds of popular websites to be unavailable
• E-ISAC issued TLP-AMBER, TLP-GREEN, and TLP-WHITE advisories at the end of October
NERC Level 2 Recommendation
• “Internet of Things (IoT) Used For High Bandwidth Distributed Denial of Service (DDoS) Attacks”
  – Issued on October 11, 2016, with responses due in 90 days
• Seven recommendations and four questions
  1. Have you used a tool to identify Internet-facing devices within your entity’s network and performed a risk assessment of discovered devices?
  2. Have you reviewed the use of default passwords for these types of devices?
  3. Do you implement the Principle of Least Privilege in your Internet-facing networks to include devices, such as security cameras, DVRs, video monitors, printers, etc.?
  4. Do you have a vulnerability management process to ensure a strong security posture is maintained for Internet-facing networks and devices?
CRISP Unclassified Data Center
• All CRISP data currently flows to PNNL
  – CRISP participants use Information Sharing Devices to collect and send data
  – PNNL provides system to “write up” to classified networks for analysis
  – E-ISAC currently relies on PNNL for analysis of CRISP data and reports
• New capability gives E-ISAC analysts the ability to store and analyze unclassified data locally
  – Up to 200 TB storage array installed at the E-ISAC
  – Three stand-alone analyst workstations in place
  – Currently evaluating new analytical tools
  – Initial operating capability reached in January 2017
• At maturity, the E-ISAC will be able to query and analyze unclassified CRISP data with minimal PNNL involvement
Cyber Automated Information Sharing System (CAISS)
• CAISS is a technology proof-of-concept project
  – Based on STIX/TAXII technology
  – Requested in 2015 ESCC recommendations
  – Results of the pilot will be integrated into future platform
  – Ten initial participants; more have joined since the beginning of 2017
• NERC pays for back-end services
  – Participants pay for any hardware or software needed at users’ sites
• Two complementary technologies:
  – ThreatConnect – Front-end GUI for analysis and STIX package creation
  – Soltra Edge – Back-end, machine-to-machine communications TAXII server (Soltra Edge was sold to NC4 in November 2016)
STIX = Structured Threat Information eXpression
TAXII = Trusted Automated Exchange of Indicator Information
STIX – How it Works
• STIX is a standardized language for the representation of threat information
• Eight types of items that can be shared:
  – Observable (activity)
  – Indicator (what to watch)
  – Incident (where)
  – Tactics, Techniques, Procedures (how)
  – Exploit Target (victim)
  – Campaign (why)
  – Threat actor (who)
  – Course of action (how to respond)
STIX – How it Works
Levels of threat information: Atomic, Tactical, Operational, Strategic
Questions the shared items answer:
• What threat activity are we seeing?
• What threats should I look for on my systems and why?
• Where has this threat been seen?
• What can I do about it?
• What weaknesses does this threat exploit?
• Who is responsible for this threat?
• Why do they do this?
• What do they do?
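As an added illustration (not code from E-ISAC, CAISS, ThreatConnect or any STIX library), the following models the eight STIX constructs from the slides as plain records linked by ids and shows how an analyst pivots from one observed event through those links to the questions listed above. All ids, titles and the observed event are constructed for this example.

```python
"""Illustrative STIX-style pivot: Observable -> Indicator -> related context.

Added example, not E-ISAC, CAISS, ThreatConnect or STIX library code. The
eight construct names and the question each one answers come from the slides;
every id, title and sample value below is constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, field

# The question each STIX construct answers, as given on the slide.
QUESTION_FOR = {
    "Observable": "What threat activity are we seeing?",
    "Indicator": "What threats should I look for on my systems and why?",
    "Incident": "Where has this threat been seen?",
    "TTP": "What do they do?",
    "ExploitTarget": "What weaknesses does this threat exploit?",
    "Campaign": "Why do they do this?",
    "ThreatActor": "Who is responsible for this threat?",
    "CourseOfAction": "What can I do about it?",
}


@dataclass(frozen=True)
class StixObject:
    kind: str                 # one of the eight construct names above
    id: str
    title: str
    props: dict = field(default_factory=dict)
    related: tuple = ()       # ids this object points at (STIX related_* fields)


# Constructed sample package: one chain through all eight constructs, plus an
# unrelated indicator that must not be pulled into the answer.
PACKAGE = (
    StixObject("Observable", "obs-1", "DNS lookup of update-check.example",
               {"type": "domain", "value": "update-check.example"}),
    StixObject("Indicator", "ind-1", "Beacon domain used by document loader",
               {"pattern": {"type": "domain", "value": "update-check.example"}},
               related=("obs-1", "ttp-1", "inc-1", "coa-1")),
    StixObject("Incident", "inc-1", "Seen at two member utilities",
               {"where": ["Region A", "Region B"]}),
    StixObject("TTP", "ttp-1", "Macro-enabled Word document runs PowerShell loader",
               related=("et-1",)),
    StixObject("ExploitTarget", "et-1", "Office macros enabled for Internet documents"),
    StixObject("Campaign", "camp-1", "Tax-themed phishing wave",
               {"motivation": "financial"}, related=("ind-1", "ta-1")),
    StixObject("ThreatActor", "ta-1", "Unattributed criminal group"),
    StixObject("CourseOfAction", "coa-1",
               "Block the domain at the resolver; disable macros from the Internet"),
    StixObject("Indicator", "ind-2", "Unrelated scanner IP",
               {"pattern": {"type": "ipv4", "value": "203.0.113.7"}}),
)


def match_indicators(observed, package=PACKAGE):
    """Indicators whose pattern equals the observed (type, value) pair."""
    return [o for o in package if o.kind == "Indicator"
            and o.props.get("pattern") == observed]


def related_objects(start_ids, package=PACKAGE):
    """Every object reachable from start_ids by following related ids in either
    direction (a Campaign that lists an Indicator is also context for it)."""
    by_id = {o.id: o for o in package}
    reverse = {}
    for o in package:
        for r in o.related:
            reverse.setdefault(r, set()).add(o.id)
    seen, queue = set(), deque(start_ids)
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(by_id[cur].related)
        queue.extend(reverse.get(cur, ()))
    return [by_id[i] for i in seen]


def answer_questions(observed, package=PACKAGE):
    """Map each slide question to the titles of the matching STIX objects.
    Returns an empty dict when nothing in the package matches."""
    matched = match_indicators(observed, package)
    if not matched:
        return {}
    answers = {}
    for obj in related_objects([m.id for m in matched], package):
        answers.setdefault(QUESTION_FOR[obj.kind], []).append(obj.title)
    return {q: sorted(t) for q, t in answers.items()}


if __name__ == "__main__":
    for question, titles in answer_questions(
            {"type": "domain", "value": "update-check.example"}).items():
        print(f"{question}\n  {'; '.join(titles)}")
```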
TAXII – How it Works
• TAXII defines a set of services and message exchanges that enable sharing of actionable information
• Three sharing models:
  – Hub and spoke (central clearinghouse)
  – Source/subscriber (single source)
  – Peer-to-peer (multiple party sharing)
ThreatConnect Platform
ThreatConnect Dashboard
ThreatConnect Analysis
Learn More About Us!
• Sign up online at https://www.eisac.com
• Download our “how to” guides
  – Brochure
  – Understanding Your E-ISAC
  – Engaging the E-ISAC
GridSecCon 2017
Seventh Annual Grid Security Conference
October 17 – 20, 2017
Intercontinental St. Paul Riverfront Hotel
GridSecCon 2017 Agenda
• Tuesday, October 17 – Free training in physical or cyber security
  – GridEx “Move 0” hands-on training
• Wednesday, October 18 – “Strategy and threat day”
  – Keynotes and presentations by senior executives
• Thursday, October 19 – “Solutions day” – Keynotes and panels
• Friday, October 20 – Host utility tours and threat briefings at classified and FOUO levels
• For more information, please go here: http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx
  – Hotel block information and more
E-ISAC Cyber Analysis Team Update
Steve Herrin, Senior Manager, CRISP
CIPC
March 8, 2017
Summary of Q4 2016
• Overall Trends
  – Decrease in exploitation kit activity reported
  – Scanning for IoT devices continues to create a large amount of traffic
  – Ukraine incident
  – DHS release of the Grizzly Steppe Joint Analysis Report
    o Vermont incident
  – Phishing is still the most reported activity (41% of all cyber bulletins)
    o Large amount of W-2 or tax themed emails (early 2017)
    o Multiple instances of macro enabled Word documents to drop malware to download information stealing Trojans
Summary of Q4 2016
  – Attacks on public facing systems, such as websites and Microsoft Office 365 authentication services
    o MS 365 involved brute force login attempts causing account lockouts
    o Typically targeting executives’ accounts
    o Microsoft has issued mitigation to prevent this
  – Ransomware
Cyber Observations
Compromise Breakdown
CRISP in 2016
• Reports identified activity indicative of attempted exploitation
  – Download of a malicious .zip file
  – JavaScript code found in websites which redirect visitors to malicious URLs
  – HTTP GET requests to download a malicious archive file
  – Specifically targeted spear-phishing emails to company directors that contained a Word attachment with PowerShell scripts hidden in an OLE object
Product | 2016 Total
Cases Opened | 1,480
Analyst Generated Reports | 179
Site Annexes | 412
Automated Reports | ~160,000
Cyber Analysis Capabilities
• Continue to grow CRISP participation
• Build out of the CRISP Unclassified Data Center
• Cyber Automated Information Sharing System (CAISS)
  – Working with PJM to develop scripting for automated sharing for best practices
• Greater outreach to industry
E-ISAC Physical Security Analysis Team Update
CIPC
Charlotte de Sibert
Carl Herron
March 08, 2017
Trend Analysis
27%: Current 2017 Q1 percentage of physical security incidents involving surveillance
Surveillance TTPs
• Photography/Videography
  – DSLR camera lenses with zoom capabilities
  – Cellular telephone camera capabilities
  – Assessing security posture of an entity
• Unmanned Aircraft System (UAS) flyovers
  – Filming
• Vehicle drive-bys
  – Assessment
• Individuals questioning security personnel
  – Social engineering
Reporting
Incident Reporting:
• Report incidents to local law enforcement, FBI field office, FAA (UAS), and the E-ISAC
  – Allows analysts to develop an accurate threat picture, assess regional and national trends, and develop mitigation strategies for emerging TTPs
Why?
• Preparation for follow-on criminal activity (ranging from copper theft to vandalism, or even an attack on the facility itself)
• These reports are often provided voluntarily to the E-ISAC because they do not always meet reporting criteria
PSAT Roadmap
• 2017 Physical Security Analysis Team Roadmap
  – Analytical Products/Case Studies
    o Regional trend analysis capability
    o One each quarter
      - 1st Quarter: Environmental Protest
  – Training
    o DBT
    o National Improvised Explosives Familiarization
    o Crime Prevention Through Environmental Design
  – Topics/Discussions
    o UAS
    o Insider Threat
  – Regional Outreach Visits
    o SERC and RF
Project 2016-02 CIP Modifications
David Revill, Georgia Transmission Corporation
Critical Infrastructure Protection Committee
March 8-9, 2017
Drafting Team Scope
Issue Area | Source | Status
LERC definition | Order 822 | Completed
Transient devices for low impact | Order 822 | Completed
Communication between BES Control Centers | Order 822 | Posted for informal comment
Cyber Asset and BES Cyber Asset Definitions | V5TAG | Development in progress
Network and Externally Accessible Devices | V5TAG | Development in progress
Transmission Owner (TO) Control Centers | V5TAG | Development in progress
Virtualization | V5TAG | Development in progress
CIP Exceptional Circumstances | SAR | Posted for informal comment
“shared BES Cyber Systems” in CIP-002-5.1a | EnergySec RFI | Completed
CIP Exceptional Circumstances
• CIP-004 R3, Part 3.5: Process to ensure that individuals with authorized electronic or authorized unescorted physical access have had a personnel risk assessment completed according to Parts 3.1 to 3.4 within the last seven years, except during CIP Exceptional Circumstances.
• CIP-006 R1, Part 1.8: Log (through automated means or by personnel who control entry) entry of each individual with authorized unescorted physical access into each Physical Security Perimeter, with information to identify the individual and date and time of entry, except during CIP Exceptional Circumstances.
• CIP-006 R1, Part 1.9: Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days, except during CIP Exceptional Circumstances.
CIP Exceptional Circumstances
• CIP-006 R2, Part 2.3: Retain visitor logs for at least ninety calendar days, except during CIP Exceptional Circumstances.
• CIP-007 R4, Part 4.1: Log events, except during CIP Exceptional Circumstances, at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
• CIP-010 R1, Part 1.4.1: Prior to the change, except during CIP Exceptional Circumstances, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change.
CIP Exceptional Circumstances
• CIP-010 R1, Part 1.5: Where technically feasible, for each change that deviates from the existing baseline configuration:
  – 1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected, except during CIP Exceptional Circumstances; and
  – 1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments, except during CIP Exceptional Circumstances.
Communication Networks Between Control Centers – Draft Language
• The Responsible Entity shall implement one or more documented plan(s) that achieve the security objective to protect confidentiality and integrity of data required for reliable operation of the BES. The plan applies to data being transferred across communication networks between Control Centers, both inter-entity and intra-entity, and shall include each of the applicable parts below:
  – Procedure(s) to identify the communication networks requiring protections;
  – Procedure(s) for defining the boundaries of communication networks transmitting data required for reliable operation identified in 1.1, if applicable;
  – Method(s) for protecting communication networks between Control Centers identified in 1.1, where technically feasible.
Communication Networks Between Control Centers
• Areas for Focused Review
  – Data at rest
  – Data focused vs. network focused requirements
  – References to IRO-010-2 and TOP-003-3
  – Availability
  – Requirement Placement
Transmission Owner Control Centers
• The SDT reviewed a draft of the Considerations for Transmission Owner (TO) Control Centers with Capability to Perform Transmission Operator whitepaper.
• The whitepaper identifies the concerns that have been raised regarding this issue and outlines the historical record from where this issue originated.
• Revisions were made to the whitepaper to propose two primary paths forward:
  1) Revising CIP-002-5.1a
  2) Taking no further action
• Revisions to CIP-002-5.1a could take the form of additional criteria or an alternative method to identify certain BES Cyber Systems associated with Transmission Owner Control Centers as low impact.
Virtualization
• The SDT discussed eleven topics identified by the virtualization subteam:
  – Definition of Cyber Asset should be inclusive of virtual machines
  – Limit the use of virtualization to homogeneous
  – VLANs (Layer 2) provide isolation
  – Definition of EACMS to be inclusive of management consoles
  – Management networks
  – Mixed-mode (in general)
  – Mixed-mode storage
  – BCS, BCA and systems approach
  – Clarification on change management
  – Clarification on information protection
  – Storage arrays as components of Cyber Asset
Virtualization
• The SDT is preparing to seek stakeholder feedback via proposals and draft questions that could be ready for informal comment posting in the near term for several of the virtualization topics
  – Definition of Cyber Asset should be inclusive of virtual machines
    o Should virtual machines be considered Cyber Assets, and should they be distinct Cyber Assets from their virtual host?
  – Limit the use of virtualization to homogeneous environments
    o A homogeneous virtualization environment is one in which all functions and guests are “within the ESP.”
    o The SDT will investigate whether non-homogeneous or mixed-mode environments should be addressed.
Virtualization
  – VLAN (Layer 2) isolation
    o VLAN isolation is not explicitly addressed in the CIP standards. Should it be addressed, and what controls are necessary to ensure its effectiveness?
  – Definition of EACMS to be inclusive of management consoles
    o One of the risks associated with virtualization is that it requires administration via management consoles that can affect a large number of systems at a single time – a concept the SDT has referred to as “fewer bigger buttons.”
    o How should management consoles be identified and protected?
  – Management networks
    o Another security control appropriate for virtualization is the separation of the management plane and the data plane. How should this concept be included in CIP standards?
  – Mixed-mode (in general)
    o If mixed-mode (multitenant) virtualization is permitted, what controls would be necessary to properly protect the BES Cyber Systems?
Cyber Asset Definition
• The SDT considered options to provide clarity to the term “programmable” within the Cyber Asset definition.
• One proposal for clarifying “programmable” was to replace it with the following phrase: An electronic device “whose operation is controlled by a stored program that can be changed or replaced by the Responsible Entity…”
  – The SDT will need further discussion and feedback from stakeholders to ensure that any modification provides the necessary scope and clarity.
Networking Definitions
• The SDT reviewed the following topics related to the networking definitions and concepts:
  – Clarify the 4.2.3.2 exemption phrase “between discrete Electronic Security Perimeters.”
  – The word ‘associated’ in the ERC definition is unclear in that it alludes to some form of relationship but does not define the relationship between the items.
  – Review of the applicability of ERC, including the concept of the term “directly” used in the phrase “cannot be directly accessed through External Routable Connectivity” within the Applicability section. As well, consider the interplay between IRA and ERC.
  – Clarify the IRA definition to address the placement of the phrase “using a routable protocol” in the definition and clarity with respect to Dial-up Connectivity.
  – Address the Guidelines and Technical Basis sentence, “If dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies.”
• The SDT will seek additional clarification from former V5TAG members to ensure a thorough understanding of these issues.
Next Steps
• Post the TOCC whitepaper for informal comment posting
• Post virtualization materials for informal comment posting
• Hold webinars on TOCC and virtualization (tentative)
• Collect and review stakeholder feedback on the CIP Exceptional Circumstances and Communication Networks between Control Centers informal postings
Conference Call Schedule
Reserved Call Times
• Tuesdays - Noon – 2 p.m. Eastern
  o Subteam working session
  o Dial-in: 415-655-0002
• Thursdays - Noon – 2 p.m. Eastern
  o Subteam working session
  o Dial-in: 415-655-0002
• Fridays - 11 a.m. – 1 p.m. Eastern
  o Full team update
  o Dial-in: 415-655-0002
• Discussion topics will vary based on the issue area work progress.
• Calls may be cancelled to allow the sub-teams to process input and develop proposals.
• Notifications of the call schedule are sent weekly to the Project Plus List.
SDT Meeting Schedule
2017 Planned Dates:
• March 21-23 – Houston, TX - Occidental Energy Ventures
• April 18-20 – Tampa, FL - FRCC
• May 23-25 – Columbus, OH - American Electric Power
• June 20-22 – Montreal, Quebec - Hydro-Québec TransÉnergie
• July 18-20
• August 22-24
• September 19-21
• October 10-12
• November 14-16
Resources
• Information relative to the CIP Modifications project and SDT may be found on the Project 2016-02 Project Page under Related Files: Project 2016-02 Modifications to CIP Standards
IEC 61850 IOP 2017
UCA 61850 Boot Camp: OCT 13-14
IOP Testing: OCT 14-19
New Orleans, Louisiana
©Copyright 2017 UCA International Users Group All Rights Reserved
Purpose of the IOP
• To provide an environment that allows for product and standard improvement as well as learning.
• To look for and cause failures. It is through analysis of the failures that the standard, implementations, and industry will be improved.
• Give a neutral technical snapshot of the products and tools to document (by confirming/informing/extending) the interoperability issues mentioned by some end-users (i.e. ENTSO-E, Entergy, SCE)
• Suggest solutions and coordinated responsibilities (i.e. UCA, IEC)
Call to Action: Participation
• Companies and individuals both welcome
• Two ways to participate:
  – Vendor: equipment, software, and applications
  – Witness: non-vendor or non-vendor rep
• Fees based on participation type
• Participants are asked to help develop the test cases (planning and test case development has begun)
2013 IOP = 90+ Attendees
2015 IOP = 150+ Attendees
New for 2017: Integrated Application
• Multi-Bay
  – ED.1 and ED.2 Coexistence
  – SCL Tool Exchanges (SED)
• Testing and Isolation
  – GOOSE and Sampled Value
• SCADA
• NERC CIP
• Resiliency
General Concept
Breaker Failure Applications*
Transfer Trip*
SCADA*
NERC CIP and Security Testing
• NERC CIP
  – Audit Capability
  – EAP Control
    • L2 GOOSE (whitelist and intruder)
    • Client / Server
  – EAP Port Scans
• Security
  – Radius
  – Syslog
  – Fuzzing
  – Penetration Testing*
  – Standardized MIB
*Testing as part of intrusion detection
Network Setup for Station Bus & Process Bus
Testing of:
• HSR / PRP
• Single Attached Nodes
• PTP (IEC 61850-9-3)
• Best Grand Master Selection
• Resiliency
• GOOSE
• Sampled Value
• Client / Server
Boot Camp
• Training opportunity for consultants, utilities, academics, and other interested parties
• Hands-on experience to prepare for witness participation
• Agenda:
  – Project Management
  – Standard Overview
  – Designing Resiliency
  – 61850 Field Testing
  – NERC CIP and 61850
Logistics
• New Orleans Downtown Marriott at the Convention Center, 859 Convention Center Blvd, New Orleans, LA 70130
• Check www.iec61850.ucaiug.org for updates
• Contact:
  – Kay Clinard: [email protected]
  – Herbert Falk: [email protected]
Security Advisory Council
Midwest Reliability Organization
Regional Report (MRO)
Mike Kraft, Senior Engineer - Basin Electric Power Cooperative
Critical Infrastructure Protection Committee
March 8, 2017
MRO Security Advisory Council
The MRO Security Advisory Council (SAC) provides advice and counsel to the MRO Board of Directors, staff, members, and registered entities regarding (1) cybersecurity, (2) physical security, and (3) SCADA, EMS, substation and/or generation control systems. The MRO SAC provides outreach and promotes awareness in these three key areas.
Midwest Reliability Organization
Customers: >20 million people
Geography: Provinces of Saskatchewan and Manitoba, and all or parts of the states of Illinois, Iowa, Minnesota, Michigan, Montana, Nebraska, North Dakota, South Dakota and Wisconsin.
Members include:
▪ Municipal utilities: 19
▪ Cooperatives: 10
▪ Investor-owned utilities: 10
▪ Transmission system operators: 3
▪ Federal power marketing agency: 1
▪ Canadian Utilities: 2
▪ Generator and/or Power Marketer: 8
▪ Adjunct, Non-Voting Member: 7
https://www.midwestreliability.org
MRO Footprint
MRO Committees
Security Advisory Council (SAC)
The Midwest Reliability Organization Security Advisory Council (MRO SAC) is an MRO Organizational Group that provides advice and counsel to:
▪ MRO's Board of Directors
▪ staff
▪ members
▪ registered entities
Regarding:
▪ Cybersecurity
▪ Physical security
▪ SCADA, EMS, substation and/or generation control systems.
The MRO SAC provides outreach and promotes awareness in these three key security areas.
SAC Structural Elements
Roster
Charter
Goals and Objectives
Guiding Principles
Workplan
Roster
Charter
Goals and Objectives & Guiding Principles
Workplan
Meetings
Articles
Webinars
Whitepapers
Reports
Documents
Conferences
Topics
Conference Highlights (e.g. S4 and RSA)
Grizzly Steppe Joint Analysis Report (JAR) and Indicators of Compromise (IOCs)
Security Management in the North American Electricity Sub-Sector Guideline
Department of Homeland Security Survey Tool
Threat Intel 101
Ukraine Review and Action
GridEx IV Overview and Preparation
CIPC Representation - DRAFT
Board of Directors appoint based on MRO SAC recommendations
Voting Members Expectations:
1. Bring subject matter expertise to the CIPC;
2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector;
3. Attend and participate in all CIPC meetings;
4. Express their own opinions at committee meetings but also represent the interests of their Regions;
5. Discuss and debate interests rather than positions;
6. Chair or co-Chair a CIPC Work Group or Task Force at least once within a two-year term;
7. Complete assigned Committee, Task Force, and Working Group assignments; and,
8. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance.
9. Act as a conduit of information back to the MRO constituents.
Alternate Members Expectations:
1. Participate as a non-voting alternate in at least 1 CIPC meeting per year.
2. Be available to act as a proxy when primary CIPC representative is unavailable.
3. Participate in a CIPC Work Group or Task Force at least once within a two-year term.
4. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance.
5. Act as a conduit of information back to the MRO constituents.
CIPC Representatives
Voting Members:
▪ Marc Child, Great River Energy – Cyber Security
▪ Paul Crist, Lincoln Electric System – Physical Security
▪ Damon Ounsworth, SaskPower – Operations Security
Alternate Voting Members:
▪ John Hochevar, American Transmission Company, LLC – Cyber Security
▪ Mike Kraft, Basin Electric Power Cooperative – Physical Security
▪ Anthony Rowan, MISO – Operations Security
▪ Steen Fjalstad, Midwest Reliability Organization – General Alternate
Communications
▪ Quarterly Post-CIPC WebEx
▪ Quarterly Board of Directors Report
▪ MRO SAC Report
Compliance Assistance
MRO - [email protected]
MCCF CIP Working Group
SPP CIPWG
SPP CIP Version 5 Transition Users Group
MRO CIPC Representatives
NATF and NAGF
Trade associations - NRECA, APPA, EEI, etc.
Professional relationships built through other activities
Compliance Guidance
MRO Subject Matter Expert Teams (SMET) produced Standard Application Guides (SAG):
▪ SAG for CIP-002-5.1 (revised February 18, 2015)
▪ SAG for CIP-003-6 R2 (January 26, 2017)
https://www.midwestreliability.org/committees/standards/SMET/Pages/default.aspx
MRO Security Conference
Held annually since 2014
Focus Areas
▪ Executive
▪ Physical
▪ Cyber
▪ ICS/SCADA/Insider Threat/Cyber Hunting
▪ Intelligence/Government
September 28, 2017 - Saint Paul, MN
Risks/Threats/Opportunities
Common Threats
▪ Mother Nature (e.g. ice storms, tornados, thunderstorms)
▪ Faulty equipment/Human error
▪ Wildlife
▪ Gunfire/Vandalism/Copper theft
▪ Standardization
Challenges
▪ Many shared facilities
▪ Rural/Remote facilities
▪ Spares/Distance from manufacturers
▪ Interwoven ISO/RTO
Opportunities
2017 FRCC Region CIPC Report
FRCC Member Services
FRCC CIP Subcommittee
FRCC CIP Subcommittee
• Meets monthly, typically with 20-30 participants
• Reports to the Operating Committee, a Board Committee
• Security and compliance information
• Regional Entity discussion
• Current project status updates
• Review of current Electric Sector security issues
• Guest speakers such as
  – E-ISAC (approximately quarterly)
  – Ross Johnson - Security Management in the Electric Subsector
  – DOE Argonne National Lab - Natural Gas and Electric Sector security and resilience
  – Ollie Gagnon, DHS Protective Security Advisor – Physical Security
Meetings include formal and informal discussions between teams related to physical & cyber security and compliance
CIPS Member Services Workshops
• March 2017
  – FRCC Workshop at SANS ICS conference on March 22
  – Providing support for cyber security lessons learned for System Operators Seminars
• September 2016
  – Incident Response Planning in conjunction with Navigant
• January 2016
  – Schweitzer Electric Laboratories Security Workshop
• June 2015
  – Security Workshop held in conjunction with the Florida Center for Cybersecurity at University of South Florida
• September 2014
  – Red Blue Team Exercise in conjunction
• Provides speakers for the annual FRCC Board of Directors Cyber and Physical Security Symposiums
Member services workshops focus on security training
Current Projects
• Shared Facilities
  – Over 50 shared assets
  – Over 30 years’ experience working together
  – May increase response and restoration time due to multiple entities needed to gain access
• PRC-005 and BES Cyber Asset Applicability
  – Joint project with FRCC OC System Protection and Control Subcommittee
These projects are just a sample of our current work
• FRCC State Hotline Replacement
  – Always-on telephone line including all Balancing Authorities and Transmission Operators
  – Communication of all RC Directives (also posted to FTMS)
  – Supports Situational Awareness
  – Supports Restoration of BES including Blackstart and tie-lines
  – Improves Inter-Entity Coordination and Information Sharing
• Project over last 18 months to migrate to a new VoIP conference vendor’s tool (who also supports D.O.D.)
• Current telecommunications vendor recently notified us that they will no longer support our current hotline
• ICCP Encryption Project
  – We identified need for additional security
  – Implementing in conjunction with FRCC OC at 19 entities covering both primary and backup Control Centers
  – Separate telecommunications vendors servicing the primary Control Centers and Backup Control Centers
• Issues seen:
  – Coordination due to broad range of entities of different sizes
  – Delivery of service by telecommunication vendors
  – Implementation coordination with RC, TOPs, and BAs
  – Technical configuration by entities
Joe Garmon – Seminole Electric Cooperative
Carter Manucy – Florida Municipal Power Agency
Pat Boody – Tampa Electric Company
How Industry & Government Work Together to Protect Critical Infrastructure
Approach to Grid Security
• Standards
  – Physical
  – Cyber
• Industry-Government Partnership
  – Electricity Subsector Coordinating Council (ESCC)
  – Electricity Information Sharing & Analysis Center (E-ISAC)
  – Partnerships with federal, state, & local governments
• Incident Response
• Grid Resiliency
  – Mutual Assistance
  – Spare Equipment Programs
Purpose & Scope
Purpose: The ESCC is the principal liaison between the electric sector and the federal government for coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.
Scope: The ESCC facilitates and supports policy and public affairs-related activities and initiatives designed to enhance the reliability and resilience of the electric grid. The ESCC is not operational.
Key Scenarios
ESCC Strategic Coordination Responsibilities
Industry
• Utilities
• Trade Associations
• ISOs & RTOs
• NERC
• E-ISAC
• Canadian Utilities
External Groups
• Other Critical Sectors
• Vendors
• Critical Customers
• Media
Government
• Federal Agencies
• Regulators
• PMAs
• Law Enforcement
• State, Local, Tribal, & Territorial
• Canadian Agencies & Provinces
ESCC Committee Structure
• Leadership
• Threat Information Sharing & Processes
• Industry-Government Coordination
• Leveraging Infrastructure / Research & Development
• Cross-Sector Coordination
  – Communications
  – Transportation
  – Financial Services
  – Downstream Gas
  – Water
Committee Missions & Projects
Leveraging Infrastructure / Research & Development
Mission: Coordinate government and industry efforts on strategic infrastructure investments and R&D for resilience and national security-related products and processes.
Projects: Spare Equipment Strategy, EMP, National Lab & vendor outreach
Industry-Government Coordination
Mission: Establish unity of effort and unity of messaging between industry and government partners to support the missions of the ESCC both during crises and in steady state.
Projects: ESCC Playbook, Public Affairs, Supply Chain, Cyber Mutual Assistance, Exercises
Threat Information Sharing & Processes
Mission: Improve and institutionalize the flow of, and access to, information among public- and private-sector stakeholders.
Projects: Member Executive Committee, CRISP, Clearances
Cross-Sector Coordination
Mission: Develop partnerships between electricity and other critical sectors to prepare for major incidents, better understand and protect mutual dependencies, and share information effectively.
• Communications
• Transportation
• Financial Services
• Downstream Gas
• Water / Wastewater
ESCC Leadership
ESCC Support
Secretariat
• Administers enabling functions of the ESCC
• Preps executives
• Notifies members of crisis activation
• Provides coordination and support
• Manages Plus 1s and Senior Executive Working Group
• Leads education and socialization effort
Plus 1s
• Supports the work of their respective ESCC CEOs
• Informs ESCC priorities and strategic vision
• Leads or participates in ESCC committee deliverables
Senior Executive Working Group (SEWG)
• Consists of experts and executives representing both industry and government; is called on to accomplish the goals and deliverables set by the ESCC committees
• 14 industry and government organizations
• 70+ electric power owners and operators
Senior Executive Working Group Engagement
(Diagram groupings: Industry Organizations | Reliability Organizations | The Government)
Electric Power Sector Owners & Operators (81): AES; Alabama Power; Alliant Energy; American Electric Power; Ameren Corp.; Arizona Public Service; Arkansas Electric Cooperative Corp.; AVANGRID; Avista Corp.; Basin Electric Power Corp.; Berkshire Hathaway Energy; Bonneville Power Administration; CA Independent System Operator; CenterPoint Energy; City Utilities of Springfield Missouri; Colorado Springs Utilities; ComEd; Consolidated Edison; Consumers Energy (MI); Dominion; DTE Energy; Duke Energy; Edison International; ELCON; Energy Future Holdings; Energy Reliability Council of Texas; Enmax; Entergy Corp.; Eversource Energy; Exelon Corp.; FirstEnergy Corp.; Florida Power & Light; Garland Power & Light; Georgia Power; Georgia Transmission Corp.; Great River Energy; Hawaiian Electric Company; Hydro One; IESO; InfraREIT; ITC Transmission Co.; Kansas City Power & Light; LG&E & KU; Lincoln Electric Power System; MidAmerican Energy; MISO; NextEra Energy; NiSource; Norwich Public Utilities; NY Independent System Operator; NY Power Authority; NV Energy; Oklahoma Gas & Electric; Old Dominion Electric Cooperative; Oncor; Pacific Gas & Electric; Pacificorp; Pepco; PJM Interconnection; PNGC Power; PPL Electric Utilities; Public Service Electric & Gas Co.; PECO Energy Company; PNM Resources; Sacramento Municipal Utility District; Salt River Project; Santee Cooper; Sempra Energy; Snohomish County Public Utility; Southern California Edison; Southern Company; Tacoma Power; TECO Energy; Tullahoma Utilities Board; TVA; TXU Energy; United Technologies Corp.; Vectren; WEC Energy Group; Xcel Energy
R&D Committee
• ESCC R&D Committee priorities
  – EPRI EMP Project – 1st phase report out
  – Advanced Information Sharing Capabilities
  – Resilient Grid Operations Communications
• R&D Alignment Workshop:
  – DOE will convene the national labs, EPRI, trade associations, electric companies, and other R&D organizations to align priorities for the electricity sector and support commercialization of technologies.
Threat Information Sharing Committee
Incident Response & Exercises Discussion
• Cyber Mutual Assistance – Push for industry to sign up. Currently 86 utilities are members.
• National Cyber Incident Response Plan – Series of Webinars March 27-30
• GridEx IV – ESCC meeting and Executive table top at the same time
Future activities:
• CRISP analysis and recruitment
• DOE Comparative Risk and Hazard Analysis
• Enhanced Background Information Screening
Cross-Sector
• Strategic Infrastructure Coordinating Council: The coordination between electricity, telecommunication and finance is still a proposal on the table.
Next ESCC Meetings
• Tuesday, June 6, 2017
• Tuesday, November 14, 2017 (in conjunction with GridEx IV on Nov 15-16)
• In discussions with DHS/DOE on a virtual classified briefing. (Logistics are a challenge)
Contact Information
Nathan Mitchell, Sr. Director of Electric Reliability Standards and Security, American Public Power Association, [email protected]
For more information: electricitysubsector.org
NERC RISC Update
Nathan Mitchell, American Public Power Association
Critical Infrastructure Protection Committee
March 8-9, 2017
RISC Meetings
RISC Committee Call: March 10, 2017 | 1:00 p.m.–2:00 p.m. Eastern
Reliability Leadership Summit and RISC Meeting: March 21–22, 2017, Mayflower Hotel, Washington DC
The Summit is a key milestone in the strategic planning processes of the Electric Reliability Organization (ERO) and the results and observations from the Summit will be used to identify, assess, and manage reliability priorities across the ERO Enterprise. This year, moderated panels of industry leaders will focus on discussing: (1) challenges in operating the bulk power system (BPS); (2) resiliency and security; and (3) emerging risks to reliability.
Reliability Leadership Summit
• Welcome Remarks: Peter Brandien – RISC Chair; Vice President, System Operations, ISO New England; Mark Lauby – Senior Vice President and Chief Reliability Officer, NERC
• Keynote Speakers: Cheryl LaFleur – Acting Chairman, Federal Energy Regulatory Commission; Dr. Edmund O. Schweitzer III – President, Chairman of the Board, Schweitzer Engineering Laboratories
• Closing Remarks: Gerry Cauley – President and CEO, NERC
Reliability Leadership Summit
• Panel 1 – Identification and Mitigation of Significant Risks and Reliability Challenges in Operating the BPS
• Speakers: Tom Galloway – President and CEO, North American Transmission Forum; Kyle Thomas – Supervisor, Electric Transmission Operations Engineering, Dominion Virginia Power; Dr. Bruce Mork – Professor, Electrical and Computer Engineering, Michigan Technological University
• Moderator: Brian Slocum – Vice President, Operations, ITC Holdings
Reliability Leadership Summit
• Panel 2 – Identification and Mitigation of Significant Risks to Reliability: Resiliency and Security
• Speakers: Mark Ruelle – President and CEO, Westar Energy; Duane Highley – President and CEO, Arkansas Electric Cooperative Corporation; Steven Naumann – Vice President, Transmission and NERC Policy, Exelon; Sharla Artz – Vice President, Government Affairs, UTC
• Moderator: Charles King – Vice President and Chief Information Officer, Kansas City Power & Light
Reliability Leadership Summit
• Panel 3 – Identification and Assessment of Emerging Risks to Reliability
• Speakers: Gordon van Welie – President and CEO, ISO New England; Daniel Brooks – Manager, Power Delivery System Studies, EPRI; Bill Chiu – Director of Engineering, Southern California Edison
• Moderator: Nelson Peeler – Senior Vice President and Chief Transmission Officer, Duke Energy
Reliability Leadership Summit
• Panel 4 – Round Table
• Moderators: Daniel Froetscher – Senior Vice President, Transmission, Distribution, & Customers, Arizona Public Service Company; Peter Brandien – RISC Chair; Vice President, System Operations, ISO New England
Open Distribution
NATF Update for NERC CIPC Meeting
Ken Keels, NATF Director, Practices and [email protected]; 704-945-1950
Copyright © 2017 North American Transmission Forum. Not for sale or commercial use. All rights reserved.
March 2017
Topics
• Cyber and physical security practices activities underway at NATF
• Current and pending reference documents published for open distribution
• May 2017 NATF Security Practices Workshop (Members Only)
Cyber and Physical Security Practices Activities Underway at NATF
• Recent Topics and Monthly Web Meetings and Workshops
  – CIP-013 Supply Chain Risk Management
  – Transient Cyber Asset Implementation Guidance
  – Peer Review results
  – Physical Security’s Role in Meeting Low and Medium Impact Asset CIP Compliance Requirements
  – Patch Management – How Microsoft is rolling out patches now
  – Joint Security Operations Centers
Active Working Groups
• Physical Security
• Tools
  – Security information and event management (SIEM)
  – Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII)
• White Papers
  – Whitelisting
  – Transient Cyber Devices (TCAs)
  – Insider Threat
• Other Targeted Activities
  – CIP-013 Supply Chain Risk Management webinar
  – Vermont Power “hack” overview webinar
NATF Security Practices Workshop
• When: May 2-4
• Planned topics
  – Transient Cyber Assets Implementation White Paper
  – Compliance Culture/Effective Implementation Best Practices
  – Cyber Security Supply Chain Risk Management
  – Audit Experience Lessons Learned
  – Low Impact Assets Implementation Experience
  – Security Operations Centers
  – Communications Networks
  – Cyber, Physical, and CIP Compliance Breakout Sessions
Questions?
Operating Committee Request to CIPC
NERC CIPC Meeting, 3/8-3/9/2017
OC Action Item: It is recommended that the ORS develop a scope document for recognition of cyber intrusion into operations systems and provide input to the OC at the June 2017 OC meeting.
• The OC requests 2 CIPC representatives to assist with
  – Develop a preliminary outline for this OC guideline
  – OC will determine whether to proceed in June
  – If approved, request to CIPC for assistance in developing the guideline
• Operating Security Subcommittee requests a chair and vice-chair to assist the OC with this task
  – If approved, lead the CIPC team supporting OC guideline
  – Develop charter for approval in June pending OC approval
  – Guideline will be operator focused
BES Security Metrics WG: CIPC Progress Report
David Dunn, Ontario IESO
Critical Infrastructure Protection Committee
March 8-9, 2017
Critical Infrastructure Protection Committee (April 2016)
Executive Committee: Joe Garmon, Seminole; Marc Child, Chair, Great River Energy; Melanie Seader, EEI; David Grubbs, City of Garland; Nathan Mitchell, Vice Chair, APPA; Jack Cashin, EPSA; Ross Johnson, CEA; David Revill, Vice Chair, NRECA; Chuck Abell, Ameren; John Galloway, ISO-NE; Sam Chanoski, Secretary, NERC
Business Continuity Guideline TF (Darren Myers)
Subcommittees:
• Physical Security Subcommittee (David Grubbs)
• Cybersecurity Subcommittee (David Revill)
• Operating Security Subcommittee (Joe Garmon)
• Policy Subcommittee (John Galloway)
Working Groups:
• Physical Security WG (Ross Johnson)
• Security Training WG (David Godfrey)
• Control Systems Security WG (VACANT)
• Grid Exercise WG (Tim Conway)
• BES Security Metrics WG (Larry Bugh)
• Physical Security Standard WG (Allan Wick)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines WG (John Breckenridge)
Volunteers needed!
Security Metrics Development Roadmap: 2015 and Beyond
(Roadmap figure; current position marked “We are here”)
BESSMWG Activities
Activities Since December 2016
• Conference call on January 27 to:
  – Review Q4 2016 metrics results with E-ISAC
• Met on March 7 to:
  – Review timeline and activities to complete Security Metrics chapter of NERC’s 2017 State of Reliability report
  – Discuss status and next steps for metrics under development
    o Industrial Control System Vulnerabilities
    o NERC Alerts
    o Automated cyber information-sharing methods (# participants; trends re: types of malware)
Security Metrics in 2017 State of Reliability Report
Drafted chapter for the NERC State of Reliability 2017 report that:
• Includes a high-level description for each of the seven metrics (includes several refinements based on enhanced E-ISAC reporting processes)
• Deletes 2014 data that have been in prior years’ reports if the metric definitions have been revised so that 2014 data is no longer comparable
• Provides validated E-ISAC data for 2015 and 2016
• Discusses apparent trends and rationale
Next Steps
Communicate and enhance existing metrics
• Consider any CIPC feedback from today
• Coordinate with the Performance Analysis Subcommittee to include the chapter in the NERC State of Reliability 2017 report; NERC Board approval anticipated May 2017
• Continue to monitor trends for the approved metrics now considered “mature”
• Continue supporting the E-ISAC to review and validate quarterly data
Next Steps
New metrics development
• Complete development of detailed definitions for new metrics
  – Define and implement sub-categories for cyber and physical incidents consistent with new EOP-004-4 form and OE-417 (currently being revised by DOE with public consultation)
  – Industrial control system vulnerabilities
  – Extent to which industry uses automated methods to share cyber information
• Consider new metrics over the longer-term
The Ask
The BESSMWG requests that CIPC:
• Accept the Security Performance Metrics chapter for inclusion into the NERC State of Reliability 2017 report, subject to non-substantive edits when published.
DRAFT March 3, 2017 Chapter X – Security Performance Metrics Page 1 of 11
Chapter X – Security Performance Metrics
Background
For many years now, NERC and the electricity industry have taken actions to address cyber and physical security risks to the BPS as a result of potential and real threats, vulnerabilities, and events. This chapter provides security performance metrics based on data collected by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC). These metrics help provide answers to important questions often asked by industry executives and government policy-makers such as:
• How often do physical and cyber security incidents occur?
• To what extent do these reported incidents cause a loss of customer load?
• What is the extent of security information-sharing across the industry?
• Are cybersecurity vulnerabilities increasing?
These security performance metrics are derived from data collected and validated by the E-ISAC during 2015 and 2016. On a quarterly basis, the E-ISAC collaborates with the BES Security Metrics Working Group (BESSMWG) to review the results and ensure the definitions are being correctly applied to the raw data. In some cases, the BESSMWG has revised the definitions to clarify the metric or make it more meaningful. The E-ISAC and BESSMWG are continuing to consider new security metrics that may be useful to the industry.
Purpose
These security metrics complement other NERC reliability performance metrics by defining lagging and leading indicators for security performance as they relate to reliable BPS operation. These metrics help inform senior executives in the electricity industry (e.g., NERC’s Board of Trustees, management, the Member Representatives Committee, and the Reliability Issues Steering Committee) by providing a high-level view of how security risks are evolving, and indicating the extent to which the electricity industry is successfully managing these risks. Due to the vast array of different operations technology systems used by individual electricity entities, the BESSMWG has not developed cyber security metrics applicable to the day-to-day operation of individual entities.
NERC Alert Process and Security Incidents During 2016
One of the responsibilities of NERC’s E-ISAC is to provide subject matter expertise to issue security-related threat alerts, warnings, advisories, notices, and vulnerability assessments to the industry. While these alerts may provide some indication of the relative risks facing the electricity industry, they have so far not occurred frequently enough to indicate trends. All of these incidents are taken seriously and reviewed by the E-ISAC, and the following outlines actions taken.
During 2016, NERC issued two industry-wide alerts1 and one industry advisory describing large-scale distributed denial-of-service attacks, an increasing presence of ransomware, and the cyber-attack that affected a portion of Ukraine’s electricity system. The following summarizes the three alerts and advisories issued by NERC:
• A series of large-scale denial-of-service attacks affected a wide array of consumer Internet-capable devices. While these attacks did not impact the reliable operation of the grid, they highlighted the potential vulnerability of some equipment such as video cameras that are widely used in the electricity industry.
1 Ref. http://www.nerc.com/pa/rrm/bpsa/Pages/Alerts.aspx
• Ransomware, used to infiltrate networks and deny access to information and systems until the victim meets payment demands, continues to pose a threat as demonstrated by attacks against, for example, hospitals and municipalities. NERC’s industry advisory helped raise awareness across the industry regarding this threat.
• In December 2015, a portion of Ukraine’s electricity distribution system was disrupted by a cyber attack. The E-ISAC was involved in the post-event review and NERC issued an alert to inform the industry and recommended actions to prevent or mitigate such an attack.
Security Performance Metrics and Results
The security landscape is dynamic, requiring constant vigilance and agility. NERC and the electricity industry address security threats through a comprehensive range of diverse strategies including mandatory standards, situational awareness, information sharing with industry and government, and strong public-private partnerships. This section provides seven security performance metrics that provide an indication of the extent to which NERC and the industry are adequately managing the potential impact of security threats and events on the reliable operation of the bulk power system. The E-ISAC and BESSMWG have developed these metrics, reviewed the results, and where possible have identified trends, recognizing that these metrics are based on only two years of data.
Security Metric 1: Reportable Cyber Security Incidents
Responsible Entities must report cyber security incidents to the E-ISAC as required by the NERC reliability standard CIP-008-5 Incident Reporting and Response Planning. This metric reports the total number of Reportable Cyber Security Incidents2 that occur over time and identifies how many of these incidents have resulted in a loss of Load. It is important to note that any loss of Load will be counted, regardless of direct cause. For example, if Load was shed as a result of a loss of situation awareness caused by a cyber incident affecting an entity’s energy management system, the incident would be counted even though the cyber incident did not directly cause the loss of Load. This metric provides the number of Reportable Cyber Security Incidents and an indication of the resilience of the BES to operate reliably and continue to serve Load.
While there were no reportable cyber security incidents during 2015 and 2016 and therefore none that caused a loss of Load, this does not necessarily suggest that the risk of a cyber security incident is low as the number of cyber security vulnerabilities is continuing to increase (ref. security metric 5).3
Reportable Cyber Security Incidents
Metric | 2015 Q1 | 2015 Q2 | 2015 Q3 | 2015 Q4 | 2016 Q1 | 2016 Q2 | 2016 Q3 | 2016 Q4
Total number of Reportable Cyber Security Incidents | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total number of Reportable Cyber Security Incidents resulting in loss of Load | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
2 Ref. NERC Glossary of Terms: “A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.”
3 ERO Reliability Risk Priorities, RISC Recommendations to the NERC Board of Trustees, November 2016, p. 9. The Risk Mapping chart depicts Cyber Security Risk as having high potential impact and relative likelihood of BPS-wide occurrence.
Security Metric 2: Reportable Physical Security Events
Responsible Entities must report physical security events to the E-ISAC as required by the NERC EOP-004-2 Event Reporting reliability standard. This metric reports the total number of physical security reportable events4 that occur over time and identifies how many of these events have resulted in a loss of Load. It is important to note that any loss of Load is counted, regardless of direct cause. For example, if Load was shed as a result of safety concerns due to a break-in at a substation, the event is counted even though no equipment was damaged which directly caused the loss of Load. The metric provides the number of physical security reportable events and an indication of the resilience of the BES to operate reliably and continue to serve Load.
Note that this metric does not include physical security events reported to the E-ISAC that do not meet the reporting threshold as defined by the NERC EOP-004-2 standard, such as physical threats and damage to substation perimeter fencing. Also, this metric does not include physical security events affecting equipment at the distribution level (i.e., non-BES equipment).
Over the past two years, one physical security event occurred in Q1 2015 that caused a loss of Load. This near-zero result does not necessarily suggest that the risk of a physical security event causing a loss of Load is low, as the number of reportable events has not declined over the past two years. Although this metric does not include physical security events affecting equipment at the distribution level (i.e., non-BES equipment), NERC receives information through both mandatory and voluntary reporting that indicates that distribution-level events are more frequent than those affecting BES equipment.
4 Reportable Events are defined in reliability standard EOP-004-2 Event Reporting, Attachment 1.
Security Metric 3: E-ISAC Membership
This metric reports the total number of electricity sector organizations and individuals registered as members of the E-ISAC. E-ISAC members include NERC Registered Entities and others in the electricity sector including distribution utilities (i.e., membership is not limited to BPS organizations). Given today’s rapidly changing threat environment, it is important that entities be able to quickly receive and share security-related information. This metric identifies the number of organizations registered, as well as the number of individuals. Increasing E-ISAC membership should serve to collectively increase awareness of security threats and vulnerabilities, and enhance the sector’s ability to respond quickly and effectively. During the latter half of 2016, the E-ISAC implemented a password reset policy in an effort to enhance the security of its information-sharing portal by requiring members to change their passwords every 90 days and limit access to only members who actively use the portal.
The data indicates the following:
• As of the end of 2016, all Reliability Coordinators and 91% of Balancing Authorities (an increase from 85% last year) had an active account with the E-ISAC. As defined by the NERC functional model, Reliability Coordinators and Balancing Authorities perform an essential coordinating role in the operation of the BPS within their respective areas and with each other.
• Since 2014, the number of registered organizations has steadily increased. However, additional outreach across the industry is needed to further increase awareness and encourage active use of the E-ISAC portal.
• The number of individual users has increased at a faster rate than the number of registered organizations. Organizations are increasing the number of individuals with access to the E-ISAC portal, likely as part of efforts to increase their security staffing capabilities and capacity.
• The E-ISAC’s new portal password reset policy implemented during 2016 has resulted in a significant decrease in the number of registered organizations and individuals. Going forward, this metric will more accurately reflect the number of members who actively use the portal as a routine part of their job.
Security Metric 4: Industry-Sourced Information Sharing
This metric reports the total number of Incident Bulletins (i.e., Cyber Bulletins and Physical Bulletins) published by the E-ISAC based on information voluntarily submitted by E-ISAC member organizations.5 E-ISAC member organizations include NERC Registered Entities and others in the electricity sector, including distribution utilities (i.e., it is not limited to the BPS). Incident Bulletins describe physical and cyber security incidents and provide timely, relevant, and actionable information of broad interest to the electricity sector. Given today’s complex and rapidly changing threat environment, it is important that electricity sector entities share their own security-related intelligence, as it may help identify emerging trends or provide an early warning to others. This metric provides an indication of the extent to which E-ISAC member organizations are willing and able to share information related to cyber and physical security incidents they experience. As E-ISAC member organizations increase the extent that they share their own information, all member organizations will be able to increase their own awareness and ability to respond quickly and effectively. This should enhance the resilience of the BPS to new and evolving threats and vulnerabilities. The modest but steady increase in the number of bulletins published by the E-ISAC during 2016 compared with 2015 suggests that member organizations are sharing security-related information.
5 In September 2015, the E-ISAC launched its new portal. Watchlist Entries are now called Cyber Bulletins. The category Physical Bulletins is on the portal to share physical security information. Prior to 2015 Q4, physical security reports were shared through the E-ISAC Weekly Report, but not through Watchlist Entries.
Security Metric 5: Global Cyber Vulnerabilities
This metric reports the number of global cyber security vulnerabilities considered to be high severity based on data published by the National Institute of Standards and Technology (NIST). NIST defines high severity vulnerabilities as those with a Common Vulnerability Scoring System6 (CVSS) score of 7.0 or higher. The term “global” is an important distinction as this metric is not limited to information technology typically used by electricity sector entities. The year-over-year increase in global cyber security vulnerabilities (23%) compared with global cyber security incidents (38%) indicates that vulnerabilities are increasingly being successfully exploited, and reinforces the need for organizations to continue to enhance their cybersecurity capabilities.
6 Ref. NIST http://nvd.nist.gov/cvss.cfm
Security Metric 6: Global Cyber Vulnerabilities and Incidents [NTD: Data for 2016 PWC report required]
This metric compares the number of annual global cyber security vulnerabilities and incidents in order to identify a possible correlation between vulnerabilities and incidents. While there are a number of different publicly-available sources for this information, the BESSMWG has selected the PWC Global State of Information Security report because it has consistently reported the number of incidents since at least 2013. This metric is based on surveys of chief information technology officers and chief information security officers, and although the survey respondents change from year to year, reports of this nature tend to have consistent results and will continue to be a valid indicator.
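Security Metrics 5 and 6 reduce to two steps once the severity threshold and the per-year grouping are fixed: count the published vulnerabilities scoring 7.0 or higher in each year, then set that year-over-year growth beside the growth in reported incidents. The following Python is an added example, not code from the draft chapter, the BESSMWG or the E-ISAC. It assumes a simplified record shape (CVE id, publication date, CVSS base score) standing in for a vulnerability feed rather than any real feed format, and every record and incident total in it is constructed, including the placeholder CVE ids. It also handles the edge case a real feed carries: entries that have been published but not yet scored, which must not be counted as high severity.

```python
from collections import Counter

# The chapter's threshold: a CVSS score of 7.0 or higher. This is NIST's
# "High" band under CVSS v2; under v3 the same range also spans "Critical".
HIGH_SEVERITY_THRESHOLD = 7.0

# Constructed sample feed (not real NVD data); the ids are placeholders.
# "cvss" is None for an entry that has been published but not yet scored.
SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "published": "2015-01-14", "cvss": 9.8},
    {"id": "CVE-0000-0002", "published": "2015-03-02", "cvss": 7.0},   # boundary: counts
    {"id": "CVE-0000-0003", "published": "2015-05-19", "cvss": 6.9},   # just below: excluded
    {"id": "CVE-0000-0004", "published": "2015-08-07", "cvss": 7.5},
    {"id": "CVE-0000-0005", "published": "2015-10-21", "cvss": 4.3},
    {"id": "CVE-0000-0006", "published": "2015-12-30", "cvss": 8.1},
    {"id": "CVE-0000-0007", "published": "2016-01-05", "cvss": 9.1},
    {"id": "CVE-0000-0008", "published": "2016-02-17", "cvss": 5.0},
    {"id": "CVE-0000-0009", "published": "2016-04-09", "cvss": 7.2},
    {"id": "CVE-0000-0010", "published": "2016-06-23", "cvss": None},  # unscored: excluded
    {"id": "CVE-0000-0011", "published": "2016-08-11", "cvss": 10.0},
    {"id": "CVE-0000-0012", "published": "2016-09-28", "cvss": 7.8},
    {"id": "CVE-0000-0013", "published": "2016-11-03", "cvss": 8.8},
    {"id": "CVE-0000-0014", "published": "2016-12-15", "cvss": 3.1},
]

# Constructed annual incident totals, standing in for a survey source such as
# the PWC report the chapter cites for Security Metric 6.
SAMPLE_INCIDENTS = {2015: 50, 2016: 69}


def is_high_severity(record):
    """True when the record carries a CVSS score at or above the threshold.
    Unscored entries (cvss is None) are never counted."""
    score = record.get("cvss")
    return score is not None and score >= HIGH_SEVERITY_THRESHOLD


def high_severity_by_year(records):
    """Security Metric 5: high-severity vulnerabilities per publication year."""
    counts = Counter()
    for record in records:
        if is_high_severity(record):
            year = int(record["published"][:4])  # ISO date, year first
            counts[year] += 1
    return dict(counts)


def year_over_year_change(counts, prev_year, year):
    """Percentage change from prev_year to year, or None when the earlier
    year has no data (the change is undefined, not infinite)."""
    prev = counts.get(prev_year, 0)
    cur = counts.get(year, 0)
    if prev == 0:
        return None
    return round((cur - prev) * 100.0 / prev, 1)


def compare_growth(vuln_counts, incident_counts, prev_year, year):
    """Security Metric 6: vulnerability growth beside incident growth, with a
    flag for the situation the chapter calls out, incidents growing faster
    than vulnerabilities."""
    vuln_pct = year_over_year_change(vuln_counts, prev_year, year)
    incident_pct = year_over_year_change(incident_counts, prev_year, year)
    return {
        "vulnerability_change_pct": vuln_pct,
        "incident_change_pct": incident_pct,
        "incidents_outpacing_vulnerabilities": (
            vuln_pct is not None and incident_pct is not None
            and incident_pct > vuln_pct
        ),
    }


if __name__ == "__main__":
    by_year = high_severity_by_year(SAMPLE_FEED)
    print("High-severity vulnerabilities by year:", by_year)
    print("Growth comparison 2015 -> 2016:",
          compare_growth(by_year, SAMPLE_INCIDENTS, 2015, 2016))
```

Two design points matter for a metric that will be reported year after year. The threshold comparison is inclusive at 7.0 so that the boundary case is counted consistently, and a year with no baseline data returns None rather than a division error or an inflated percentage, which keeps the first year of a new metric from being misread as growth.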
Security Metric 7: GridEx Exercise Participation
This metric compares the number of organizations participating in each of the GridEx security and crisis response exercises conducted by NERC every two years. NERC’s large-scale GridEx exercises provide electricity organizations with the opportunity to respond to simulated cyber and physical security attacks affecting the reliable operation of the North American grid. Participation rates indicate the extent to which organizations consider the evolving GridEx program to be a valuable learning opportunity. Increasing participation may indicate the extent to which the electricity industry as a whole is ready to respond to a real cyber or physical attack. The metric distinguishes between “active” and “observing” organizations. Active organizations participate by assigning staff to participate in the exercise from their work locations at control centers or power plants as if it were a real event. Observing organizations participate in a more limited way, typically through an internal tabletop exercise. The metric shows a significant increase in total numbers of participating electricity organizations, and an increasing proportion of active organizations.
Roadmap for Future Metrics Development
The BESSMWG and the E-ISAC have developed a roadmap for future metrics development that continues to build upon this foundational set of security metrics, including refining this initial set of metrics based on operational experience. The BESSMWG acknowledges the challenges associated with collecting security-related data:
• Historically, NERC and the E-ISAC have received limited data related to cyber and physical security incidents, as these incidents have been relatively rare and have had little or no impact on BPS reliability over the past couple of years.
• The metrics over the past couple of years indicate that the magnitude and number of constantly changing security threats and vulnerabilities are not diminishing, and could affect BPS reliability.
• The number and type of cyber systems and equipment used by the industry is large and diverse, making it difficult to develop metrics that are directly relevant to the specific technologies and systems used by individual entities across the industry.
• Data that details security threats, vulnerabilities, and real incidents is highly sensitive. Handled inappropriately, this can expose vulnerabilities and encourage adversaries to develop new and more sophisticated exploits.
The BESSMWG has researched security metrics developed by leading experts outside the electricity industry and examined over 150 of these to assess their applicability from a BPS reliability perspective. Out of these 150 metrics, the BESSMWG concluded that only about 30 would be relevant. This assessment underscores the challenges associated with developing relevant and useful security metrics that rely on data willingly and ably provided by individual entities. The BESSMWG will continue to investigate potential new physical and cyber security metrics. Two particular areas stand out for further study during 2017.
• The extent to which the industry uses automated communications methods7 to share cyber security information between individual organizations and the E-ISAC.
• While global cyber security vulnerabilities and incidents provide a very high-level view of threats facing the industry, a more relevant metric for the industry would focus on energy management systems (EMS) and supervisory control and data acquisition systems (SCADA) commonly used by the electricity industry.
7 For example, the Cybersecurity Risk Information Sharing Program (CRISP) uses information sharing devices to collect and transmit security information from electricity operator participant sites. Data is shared with CRISP participants, and unattributed data is shared with the broader E-ISAC membership. For organizations not participating in the CRISP program, TAXII, STIX, and CybOX are community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis. These methodologies are international in scope and free for public use.
NERC CIPC Compliance and Enforcement Input Working Group
Paul Crist, Lincoln Electric System
Lisa Carrington, Arizona Public Service Co.
Damon Ounsworth, SaskPower
Critical Infrastructure Protection Committee Meeting, March 8-9, 2017
Critical Infrastructure Protection Committee
April 2016
Business Continuity Guideline TF (Darren Myers)
Executive Committee
• Joe Garmon, Seminole
• Marc Child, Chair, Great River Energy
• Melanie Seader, EEI
• David Grubbs, City of Garland
• Nathan Mitchell, Vice Chair, APPA
• Jack Cashin, EPSA
• Ross Johnson, CEA
• David Revill, Vice Chair, NRECA
• Chuck Abell, Ameren
• John Galloway, ISO-NE
• Sam Chanoski, Secretary, NERC
Physical Security Subcommittee (David Grubbs)
Cybersecurity Subcommittee (David Revill)
Operating Security Subcommittee (Joe Garmon)
Policy Subcommittee (John Galloway)
Physical Security WG (Ross Johnson)
Security Training WG (David Godfrey)
Control Systems Security WG (VACANT)
Grid Exercise WG (Tim Conway)
BES Security Metrics WG (Larry Bugh)
Physical Security Standard WG (Allan Wick)
Compliance and Enforcement Input WG (Paul Crist)
Physical Security Guidelines WG (John Breckenridge)
• CEIWG Co-Vice Chairs
o Lisa Carrington – Arizona Public Service
o Damon Ounsworth – SaskPower
Compliance Implementation Guidance Development
March 2017? Deadline for CIPC
• Overall process for developing and submitting Compliance Implementation Guidance:
CIPC Lead
o Pat Boody, Teco
CEIWG Support
o Michael Johnson, Burns and McDonnell
o Karl Perman, TransAlta
o Paul Crist, Lincoln Electric System
NERC Staff
o Tom Hofstetter, NERC
NERC OC Coordination
o Doug Peterchuck, Omaha Public Power District
– Development of a template.
– Vetting of document.
– How to submit document.
• VoIP in Control Centers:
CIPC Lead
o Lisa Carrington, Arizona Public Service
CEIWG Support
o John Tracy, Tennessee Valley Authority
o Tom Alrich, Deloitte & Touche
o Amelia Sawyer, CenterPoint Energy
o Carter Manucy, Florida Municipal Power Agency
NERC Staff
o Tom Hofstetter, NERC
• Shared Facilities:
CIPC Lead
o Carter Manucy, Florida Municipal Power Agency
CEIWG Support
o Pat Boody, TECO Energy
o Mike Kraft, Basin Electric Power Cooperative
o Amelia Sawyer, CenterPoint Energy
o Tom Alrich, Deloitte & Touche
NERC Staff
o Tom Hofstetter, NERC
• NEI/NERC PRAs:
CIPC Lead
o Damon Ounsworth, SaskPower
CEIWG Support
o Paul Crist, Lincoln Electric System
NERC Staff
o Tobias Whitney, NERC
Meetings
• Second Thursday of each month at 1:00 p.m. Central (Please let me know if you need the call-in information)
• Next conference call April 13, 2017 at 1:00 p.m. Central
• No call on March 9, 2017.
Legislative Update
Nathan Mitchell, American Public Power Association
Critical Infrastructure Protection Committee, March 8, 2017
Nominations
• Department of Energy Secretary – Rick Perry
o Former Governor of Texas
o Awaiting Sec. Perry to nominate his team and set an agenda
• Department of Homeland Security Secretary – John F. Kelly
o Retired Marine and former commander of SOUTHCOM – focus on FBI and DEA border issues
o Currently focused on immigration issues
FERC Vacancies
Reps. Walden and Upton Encourage White House to Fill FERC Vacancies
• On Thursday March 2, top Republicans on the House Energy and Commerce (E&C) Committee sent a letter to the White House requesting that the administration nominate “highly qualified, experienced candidates” to fill vacancies on the Federal Energy Regulatory Commission (FERC). Since former Chairman Norman Bay resigned from FERC on February 3, the Commission has lacked a quorum and the ability to take certain actions.
• In the letter E&C Chairman Greg Walden (R-OR) and former chairman Fred Upton (R-MI) urged President Trump “to swiftly nominate commissioners to FERC so that it may execute the authorities granted by Congress and fulfill its mission to assist consumers in obtaining reliable, efficient and sustainable energy services at a reasonable cost through appropriate regulatory and market means.”
Cybersecurity Executive Order
(Draft) White House Cybersecurity Executive Order (EO) Leaked: On February 8, a second draft EO was posted online by the Lawfare blog. (Still draft)
Section 2: Cybersecurity of Critical Infrastructure
• Assessment of Electricity Disruption Response Capabilities, to be completed within 90 days
Cybersecurity Executive Order
(Draft) Assess:
1. the potential scope and duration of a significant cyber incident against the United States electric subsector;
2. the readiness of the United States to manage the consequences of such an incident; and
3. any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.
Senate Armed Services Committee
• January 5, 2017 hearing on the “Foreign Cyber Threats to the United States.”
• The Director of National Intelligence, Undersecretary of Defense for Intelligence and the Director of the National Security Agency testified.
• Chairman McCain (R-AZ) promised that this hearing would be the first in a series of hearings on foreign cyber threats.
Senate Armed Services Committee
• Senator Inhofe (R-OK) cited a paper published by the EEI on “managing cyber risk” and asked about the ESCC. Clapper stated it was “emblematic of a lot of the work the government has done on engaging the 16 critical infrastructure sectors” and efforts to provide tailored intelligence assessments to each sector.
• Senator Nelson (D-FL) asked Clapper how the U.S. would have responded if “the supposed invasion of the Vermont utility last week” had “shut it down.” Clapper responded that there was no invasion.
Senate
• Senators Cory Gardner (R-CO) and Chris Coons (D-DE) introduced legislation to establish a permanent select committee focused on cybersecurity.
• The committee would have broad jurisdiction over “domestic and foreign cybersecurity risks (including state-sponsored threats) to the United States,” including risks to computer systems, infrastructure, citizens, corporations/businesses, commerce, and federal department or agency cybersecurity actions.
• No real support for moving this bill forward.
Senate
• January 10, 2017 Senators Jim Risch (R-ID) and Angus King (I-ME) introduced S.79, “Securing Energy Infrastructure Act”
• Two-year pilot program within the National Laboratories to research ways to defend against security vulnerabilities in industrial control systems using: (A) analog and non-digital control systems; (B) purpose-built control systems; and (C) physical controls.
• The legislation has been billed in the press as a “retro” solution to cybersecurity risks because of its emphasis on human-operated, manual technology.
House of Representatives
• February 1, 2017: The House Energy & Commerce Committee Subcommittee on Energy held a hearing on electric sector cybersecurity
• The tenor of the hearing was for the most part cautiously positive towards the electric sector’s cybersecurity efforts
• Subcommittee Chairman Upton agreed to hold more hearings on the subject, including classified briefings and one with witnesses from DOE and FERC
• There was one notable exception to the otherwise generally positive tone of the hearing from one member who railed about the threats of EMPs.
EMP
• The purported threat of EMPs continues to animate some policymakers.
• February 20, 2017 EPRI released the first of a three-installment study of the effect of an EMP on the grid. This first study found that a small number (3 to 14) of transformers would be at risk for thermal damage.
• This finding is contrary to claims made by some that hundreds or thousands of transformers would fail.
• The report has been shared with relevant committees and Congressional staff and members with a recommendation that EPRI brief them directly.
House of Representatives
• At the request of Representative Don Beyer (D, VA-8), the Government Accountability Office (GAO) has compiled a report on federal efforts to enhance electric grid resilience.
• Beyer serves as Ranking Member on the House Science, Space, and Technology Committee Subcommittee on Oversight.
• The report http://www.gao.gov/products/GAO-17-153 states that DOE, DHS and FERC reported implementing 27 grid resiliency efforts since 2013 and identified a variety of results from these efforts. No recommendations are made in the report.
Grid Exercise Working Group
Tim Conway
CIPC March 9, 2017
TLP: AMBER – INTERNAL DISTRIBUTION / NEED TO KNOW
The GEWG
60+ Members
Physical
• John Breckenridge (KCPL)
• Carl Herron (E-ISAC)
• Susan Mueller (TECO Energy)
Cyber
• Steven Briggs (TVA)
• Dustin Cornelius (Southern Company)
Operations
• Jill Hoyt (Peak Reliability)
• John Norden (ISO-NE)
RC-to-RC
• Greg Goodrich (NYISO)
• Jill Hoyt (Peak Reliability)
Training Task Force
• Tim Conway
• NERC Training staff
Where we were
Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors
Develop a Narrative
• Backstory or ground truth: attacker profile; the who, how, and why of the attack
• Timing of the attack
• Expected Player actions
MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas
Where are we now
Proposed Planning Schedule
Phases: Working Group; Initial Planning Phase; Mid-term Planning Phase; Final Planning Phase; Conduct; After Action
Activities:
• Establish Working Group members
• GridEx IV awareness
• Planner outreach
• Decide scenario themes
• Decide tools
• Coordinate with RCs
• Finalize scenario
• Develop supporting materials
• Confirm participation
• Distributed Play
• Executive Tabletop
• After-action survey and lessons learned
• Analyze survey results and lessons learned
• After Action Report and Briefing
• Distribute training materials
• Planners begin training
Kick-Off:
• Confirm goals and objectives
• Finalize timeline
• Discuss outreach goals/plan
Milestones:
• GEWG Meeting – June 2016
• RC Meeting – Oct 5 2016
• Initial – Nov. 14 2016
• Midterm – February 2017
• Final – May 2017
• Execute GridEx IV – November 15-16, 2017
• Report – Q1 2018
• More training sessions available for Player prep on tools, GridSecCon 2017, Move Zero
Where we currently are at in the overall schedule
Calendar
• Face to Face MSEL Sub-Team meeting March 7 – 8
• GEWG – Thursday, March 9, 2017. Location: Atlanta
• Final Planning Meeting – May-ish, 2017. Location: McLean, VA
• Summer meetings and planner/player training presentations
• GridSecCon 2017 – October 17-20, 2017. Minneapolis/St. Paul, MN. Move Zero training, GridEx IV kickoff
• GridEx IV – November 14-17, 2017 (four days?!?)
o Warmup ExCon day – Tuesday 14th
o Main days – Wednesday – Thursday 15-16
o Rapid Deployment day – Friday 17
TTTL (Tim’s Top Ten List)
What should you be doing?
1. Login to GridEx Portal
2. Identify your internal team of planners that will help you throughout GridEx
3. Identify which parts of your organization will be playing
4. Review scenario narrative with your team
5. Start thinking about and discussing schedules
a) Player (IT, OT, Physical, Operators) schedules for GridEx dates
b) Move 0 participation schedule / GridSecCon attendance 10/17/17
c) Reserve necessary conference rooms and work areas with phones and appropriate computers / AV
d) Planner participation in GEWG calls and in-person Planning meetings
TTTL (Tim’s Top Ten List)
6. Review and comment on the MSEL with your planners next week
7. Identify the injects that your organization will be subscribing to
8. Work with your RC during GridEx planning meetings to discuss system impacts and injects being selected by organizations within a region
9. Assist in the development of generic inject artifacts for the use by all organizations
10. Work with your internal planners and utilize your systems to develop and create high value custom inject artifacts for your players
Your Next Steps
• Portal Login
• Organization Participation
• Consider Schedules
• Inject Planning
• Plan with RC
• Review MSEL
• Identify Planners
• Review Scenario
• Volunteer
• Customize