Critical Infrastructure Protection Committee Meeting Presentations


1 Critical Infrastructure Protection Committee Meeting Presentations Atlanta, GA December 9-10, 2014 *All presentations are posted with the consent of the presenters.

2 Chief Security Officer Remarks Tim Roxey Senior Director, ES-ISAC, CSO Atlanta, GA December 9-10, 2014

3 NERC and Department Updates Department Updates: Critical Infrastructure Department/ES-ISAC restructuring Open Positions at the ES-ISAC NERC Updates: ES-ISAC updates (CRISP, portal, etc.) Security Reliability Program CIP v5 Transition and Revisions Physical Security CIP Implementation GridEx III Planning for November 18-19, 2015 CIPC Working Groups and Task Forces 2 RELIABILITY ACCOUNTABILITY

4 ES-ISAC Organization

5 Open Positions Cybersecurity Threat Analyst CRISP (two positions) Threat and Vulnerability Manager Threat and Vulnerability Specialist Senior Cybersecurity Specialist Cybersecurity Specialist Physical Security Specialist CIP Awareness Specialist Policy and Coordination Specialist

7 NERC CIPC Chair Report Chuck Abell December 09, 2014

8 December 2014 Update Grid Security Conference San Antonio, TX DHS Classified Briefing CIPC Strategic Plan Bi-annual Update Re-alignment w/ updated ERO Strategic Plan Updated to reflect current CIPC efforts Removed references to the ESCC Added accountability to RISC Updated organizational charts CIPC structure unchanged Ballot by vote Submission to NERC Board of Trustees Feb,

9 CIP Committee Structure Executive Committee David Revill, NRECA Chuck Abell, Chair, Ameren Melanie Seader, EEI David Grubbs, ERCOT Nathan Mitchell, Vice Chair, APPA Jack Cashin, EPSA Ross Johnson, CEA Jim Brenton, Vice Chair, ERCOT Marc Child, Great River Laura Brown, Secretary Physical Security Subcommittee (David Grubbs) Cyber Security Subcommittee (Marc Child) Operating Security Subcommittee (Jim Brenton) Policy Subcommittee (Nathan Mitchell) Physical Security WG (Ross Johnson) Control System Security WG (Mikhail Falkovich) ES Information Sharing TF (Stephen Diebold) BES Security Metrics WG (James Sample) Physical Security Guidelines WG (John Breckenridge) Cyber Attack Tree TF (Mark Engels) Grid Exercise WG (Tim Conway) Physical Security Standard WG (Alan Wick) Security Training WG (William Whitney) Cybersecurity Analysis WG (TBD) Business Continuity Guideline TF (Darren Meyers) Compliance and Enforcement Input WG (Paul Crist)

10

11 UPDATE

12 ES-ISAC shares SEPTEMBER Shellshock scanning activity was seen by several members and partners ( ) Ransomware Reports spiked in September

13 ES-ISAC shares October Shodan Google for routers, servers, ICS HART Improved results on DNP3 Project SHINE using Shodan BlackEnergy - Sophisticated Malware Campaign on ICS ICS-CERT Alert released on 17 October (1671) The ES-ISAC first reported on BlackEnergy in late September Proof of Concept vulnerability of Smart Meters in Spain Vulnerable credentials can lead to underreporting of energy use

14 ES-ISAC shares NOVEMBER WinCC unauthenticated remote code execution ICS MS Kerberos escalation of privileges from unprivileged domain-user to full domain administrator Regin highly sophisticated cyberespionage tool APT28 highly sophisticated Russian cyberespionage OP Cleaver sophisticated Iranian cyberespionage

15 ES-ISAC shares PHISHING Targeted Phishing Attack (1658) "Changes in Profit shares" theme. MS Word document with malicious macros. Domain and cloud infrastructure appeared to originate from target company! Wire Transfer Phishing Targeting Senior finance department staff requesting fraudulent wire transfer. Has been seen since and reported on since November Phishing Untargeted phishing attacks with malicious links and payloads.

16 ES-ISAC Update CRISP Infrastructure purchased Site visits Deploying additional Information Sharing Devices Information from CRISP will be shared in the portal Program Lead: Matthew Light

17 CRISP Share CRISP Information Shared SQL injection (SQLi): drop/delete table commands. Remote file disclosure: known vulnerability in HttpCombiner Same IP. Active since September (1707)

18 Continue the discussion by engaging the team:

19 ES-ISAC contact info. Register at ESISAC.com 24 hour hotline: CONTACT US

20 Relevant industry dataset may provide us answers Assess our risks Understand our threats Improve our posture to those threats

21 Legislative Update Critical Infrastructure Protection Committee December 9, 2014 Nathan Mitchell, American Public Power Association

22 HR 3410 The House on Monday passed a bill to require the Department of Homeland Security to include the threat of electromagnetic pulse events in national planning scenarios. Passed by voice vote, H.R would direct the agency to conduct a public education campaign about the threat of electromagnetic pulse (EMP) events and authorize research into its prevention and mitigation. Rep. Trent Franks (R-Ariz.)

23 Cybersecurity Information Sharing Act of 2014 To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats. Introduced to Senate Select Committee on Intelligence 7/10/2014 Dianne Feinstein (D-CA) S

24 Industry Urges the Senate to Pass CISA S. 2588, the Cybersecurity Information Sharing Act of 2014 (CISA) CISA passed the Senate Intelligence committee in July with broad support from both Democrats and Republicans. The bill would help businesses achieve timely and actionable situational awareness to improve theirs and the nation's detection, mitigation, and response capabilities against cyber threats. The bipartisan bill safeguards privacy and civil liberties, preserves the roles of civilian and intelligence agencies, and incentivizes sharing with narrow liability protections. CISA represents a workable compromise among many stakeholders.

25 HR 3696 National Cybersecurity and Critical Infrastructure Protection Act of 2014 To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection. Passed House on 7/28/2014; Referred to Senate Committee on Homeland Security and Governmental Affairs Michael McCaul (R-TX), Bennie Thompson (D-MS)

26 S 1353 Cybersecurity Act of 2014 To provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness. Introduced to Senate Committee on Commerce, Science, and Transportation 7/24/2014 John Rockefeller (D-WV), John Thune (R-SD)

27 HR 624 Cyber Intelligence and Protection Act (CISPA) To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities. Passed House on 4/18/2013; Referred to Senate Select Committee on Intelligence Mike Rogers (R-MI), Dutch Ruppersberger (D-MD)

28 S 2521 The Federal Information Modernization Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Referred to Senate Committee on Homeland Security and Governmental Affairs 6/24/2014 Thomas Carper (D-DE), Tom Coburn (R-OK)

29 S 2519 National Cybersecurity and Communications Integration Act of 2014 To codify an existing operations center for cybersecurity. Referred to Senate Committee on Homeland Security and Governmental Affairs 6/25/2014 Thomas Carper (D-DE), Tom Coburn (R-OK)

30 HR 2952 Critical Infrastructure Research and Development Advancement Act of 2014 (CIRDA Act of 2014) To authorize the Secretary of Education to make grants for the establishment of State Networks on Science, Technology, Engineering, and Mathematics Education. Passed House 7/28/2014; Referred to Senate Committee on Homeland Security and Governmental Affairs Patrick Meehan (R-PA)

31 Questions?

32 New York State Cybersecurity Exercise 2014 Greg Goodrich Principal, Security and Compliance Coordination New York Independent System Operator NERC CIPC December 10, 2014 The Westin Buckhead Atlanta, GA 2014 New York Independent System Operator, Inc. All Rights Reserved.

33 Exercise Overview The New York State Cyber Security Exercise: Sponsored by Department of Energy; organized by DOE, NYISO, NYPA, ConEd Operations Exercise and Workshop (10/22) Executive Level Exercise and Workshop (10/23) Scenario Cyber attack on critical infrastructure that has physical consequences for energy delivery systems Participants >120 participants from 13 electric and gas utilities that own and operate facilities within New York State Partners from energy industry organizations; ISACs; and Federal, State, local, tribal, and territorial government agencies

34 Participating Organizations
Electricity: Con Edison; New York Power Authority; New York Independent System Operator; National Grid; Iberdrola USA - Rochester Gas and Electric; Iberdrola USA - New York State Electric and Gas; Central Hudson; Orange and Rockland; Long Island Power Authority; Massena Electric
Gas: National Fuel Gas; Spectra Energy; St. Lawrence Gas; Con Edison; National Grid; Iberdrola USA - Rochester Gas and Electric; Iberdrola USA - New York State Electric and Gas; Central Hudson; Orange and Rockland
Energy Partners: ES-ISAC; NERC; NPCC; APPA; ESCC/EEI; ISO/RTO Council
Federal, State & Local Partners: DOE; DHS; FERC; NYS PSC; NYS Governor's Office; NYS Fusion Center; NYS DHSES; NYS ITS; MS-ISAC; US Congress Representative Paul Tonko's Office

35 Scenario Summary Spear phishing attack targets energy companies and installs zero day malware exploiting multiple vulnerabilities in Windows, UNIX, and Linux based systems and a common chip set used in control devices from multiple vendors. Malware triggers a logic time bomb in chip technology that: Infects PMUs, PLCs, RTUs, relays, and meters and compromises integrity of information between control centers and remote equipment Deploys a coordinated Distributed Denial of Service (DDoS) attack on energy sector, financial sector, and state government websites Malware compromises the integrity of information between control centers and remote equipment. Malware triggers equipment malfunction that creates an explosion, which injures people in the immediate area

36 Scenario Impacts Multiple New York State organizations lose and account access services % of energy company business IT systems are incapacitated % of energy delivery equipment is incapacitated. Impacted systems must be taken offline to replace damaged equipment, requiring manual processes for up to a month. Limited information is initially disseminated because it is classified or sensitive. Energy companies are inundated with requests for information by both the public and the media. Social media escalates initial public concern into a frenzy, and protests begin. Damaged meters disrupt customer billing and end of month processes

37 Workshop Insights Peer to peer communication among operational and IT personnel during cyber incidents is essential. OT and IT personnel receive an overwhelming number of cyber alerts / information overload. Cyber incidents can last for weeks. Cyber incident response is very different than traditional restoration activities. Cyber attacks stress different types of personnel and resources. Incident command roles during a major cyber event are unclear. Public communication and messaging for cyber incidents is challenging

38 Opportunities for Improvement Develop and formalize cyber mutual aid agreements. Train and exercise on manual system operations. Develop a New York/regional decision tree for incident response and information sharing. Formalize current cyber security collaboration among participants and consider establishing a security and resilience working group. Emphasize cyber resilience in future system designs and architectures. Examine alternate communication options

39 Regional Exercise Planning Overview: Plan for a plan Scope Scenarios Engagement Stakeholders Partners Execution Local/Remote After Action What we learned about: Project Planning Resource planning Processes and tools Outreach Socialization Partnerships Forged new Strengthened existing

40 Future Regional Exercises New York State: Going forward NYS plans to coordinate alternate year (opposite GridEx) exercises Cross Sector additions Others:

42 NATF Security Practices Group Activity Update Wayne VanOsdol, NATF Program Manager - Practices NERC CIPC Meeting December 9-10, 2014

43 Discussion Topics Brief NATF Overview Cyber Security Project Update: CIP-002 V5 Guide Physical Security Project Update: CIP R4 & R5 Modeling / Planning Project Update: CIP R1

44 NATF Membership Membership open to companies that own/operate 50 circuit miles 100 kV transmission or, operate 24/7 control center Organization types (75 Members) Investor-owned State/Municipal Cooperative Federal/Provincial ISO/RTO Expertise 3600 subject-matter experts Coverage (North America Wide) 85% Peak Demand 75% 100kV and higher circuits

45 NATF Mission, Vision, Approach Mission: Promote excellence in the reliable operation of the electric transmission system. Vision: Continuously improve the reliability of the electric transmission system. Approach: Pursue reliability and security excellence via constructive peer challenge and effective, relevant information sharing (lessons learned, superior practices, etc.).

46 Guiding Principles Community: The complex, interconnected grid requires active collaboration to promote higher levels of reliability, security, and resiliency. Confidentiality: Confidentiality promotes open, candid intra-membership dialogue. Candor: Direct, objective performance feedback is delivered as a membership norm. Commitment: Members' senior leaders commit to the NATF's mission of promoting excellence.

47 Cyber Security Project Update CIP-002 V5 Practices Guide

48 CIP-002 V5 Project Update Purpose: The purpose was to develop a NERC CIP-002 Version 5 Guide for identifying Cyber Assets and defining corresponding BES Cyber Systems for transmission facilities and assets. Deliverable: Security CIP-002 V5 Guide and various assessment tools and spreadsheets were approved for use on July 1, New product includes recommendations, examples, and templates for documenting a program, and includes diagrams / flow charts that will assist in standardizing CIP-002 documentation across the NATF membership. Product Maintenance: The CIP-002 V5 Guide Maintenance Oversight Team was created in July Team meeting twice per month from August December Team is responsible for obtaining Use Cases from NATF members, logging information pertaining to any Industry or Regulatory decisions associated with CIP-002 V5, and developing an attachment or addendum to the guide at the end of 2014 Some type of team will most likely be needed in 2015 as well

49 Physical Security Project Update CIP R4 & R5 Practices Guide

50 Physical Security Work Group Project: CIP R4 and R5 Guide Deliverable: The purpose is to develop a NERC CIP R4 and R5 Reliability Standard guide that is defensible (but not prescriptive) for conducting evaluations as required in requirement 4, and for developing and implementing a physical security plan as required in requirement 5. NERC CIP R4 & R5: R4 - Conduct evaluation of potential threats and vulnerabilities of a physical attack to stations and primary control centers identified under R1 and verified under R2, and R5- Develop and implement a documented physical security plan.

51 Physical Security Work Group Project: CIP R4 and R5 Guide Project Scope / Process: The project teams will: 1. Work with Members to develop a Best Practices document on how to go about performing the threat analysis. 2. Work with Members to develop a Best Practices document on how to go about developing a physical security plan. Project Timeline: August-October (steps completed): Created project scope and timeline, discussed project with the Security Practices Group Core Team and Physical Security Work Group, identified project team participants and leaders, held initial meeting to create an R4 and R5 team and determine how work will be performed (in progress): The two teams (R4 and R5) holding twice-per-month WebEx meetings from November through February, 2015 (final products): Completion of products expected by end of 1st quarter in 2015

52 Modeling / Planning Project Update CIP R1 Assessment Guide

53 Modeling / Planning Project: CIP R1 Guide Deliverable: The purpose is to develop a general guideline to be used for the risk assessment identified in CIP R1. NERC CIP R1: Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

54 Modeling / Planning Project: CIP R1 Guide Project Scope / Process: The project consists of three basic activities: 1. Develop an R1 assessment guide to aid Members in performing the transmission risk assessment 2. Develop a process, structure and timeline for Members to review their R1 processes, methodologies and results against similarly-situated Members 3. Poll Members to assess their plans for the R2 3rd party assessment Project Timeline: Implemented R1 project in late June with initial draft guide developed in September Currently, the team is developing a process for surveying the results of Members' R1 risk assessment and initiating opportunities for Members to compare their results against similarly-situated Members Expected completion date of the survey is December 2014 Sent latest version of draft R1 Guide to NERC on November 25 for review Expected completion for R1 Guide is January / February 2015

55 Thank you! Questions?

56 GridEx III Grid Security Exercise NERC CIPC December 9-10, 2014

57 December Update GridEx III Dates Outreach Working Group Formed Meeting schedule Considerations

58 Calendar and Entity Prep November 18-19, 2015 Leadership Buy In Identify Level of Play Capability Obtain Internal Player / Planner Commitments Identify Training Needs CEH Participate in GridEx Planner / Player Calls Lead Planner Registration will open early next year

59 GridEx III Working Group Operations Cybersecurity Physical Security

60 Outreach Activities FRCC Spring Workshop May BPA Cybersecurity Resilience May NERC CIPC Vancouver Sept NERC OC Vancouver Sept SERC CIP Workshop October 7 NERC GridSec Conference Oct NERC Operating Reliability Subcommittee (ORS) Sept ISO / RTO Council (IRC) Operations Committee Oct 29 Various entity specific outreach calls random

61 GridEx Working Group Reliability Coordinators Entities NERC, Regions, Org 8 5 Gov, Mil, Labs Vendors, Partners

62 Scenario Development Establish the Scope Develop a Narrative MSEL Development NERC leadership and GEWG Determine the level and type of impact desired Determine what will be targeted Determine the attack vectors Backstory or ground truth: Attacker profile The Who, How, and Why of the attack Timing of the attack Expected Player actions Detailed sequence of exercise events with inject timing Expected Player Actions Dynamic inject development Custom injects within entities and RC areas

63 2105 Conference Dates Timeline December 10 Jan / Feb 2014 March June Sept Nov Q GridEx Working Group Kick Off Initial Planning Phase Mid term Planning Phase Final Planning Phase GridEx III After Action Establish Working Group Members Establish Mail list GridEx Awareness Confirm objectives Establish boundaries Confirm tools Confirm exercise infrastructure Finalize attack vectors and impacts Work on scenario narrative Finalize baseline MSEL Develop Controller and Player materials Draft After Action Survey Finalize custom injects with RCs Distribute materials Conduct training Set up venue and logistics Send injects and oversee player actions Capture player actions and findings Facilitate Executive Tabletop Distribute survey Analyze findings and lessons learned Draft Final Report Reliability Coordinator Planning Activities RCs identify Active Organizations in their control area RCs establish and participate in RC to RC and RC to Entity coordination calls RCs and entities understand and develop customized injects

64 Prep Work Tools and Technology Use Collaboration site for GEWG and Lead Planners Registration site for Planners and Players Improved Player Directory capability Various Exercise Tools being evaluated Scoring and Simulation Tool trial Improved generic inject quality Improved Social Media Delivery of Training and Exercise Videos Many other possibilities.

65 Summary GridEx Working Group members NERC investment Time De confliction with other Exercises In the News

67 Electricity Sector Information Sharing Task Force Progress Report Stephen Diebold, Chairman Joe Doetzl, Vice Chairman December 2014

68 Contents Task Force Members Mission Statement Timeline Outreach

69 Task Force Members Stephen Diebold (Chair); Joe Doetzl (Vice Chair); Donald Roberts (Core Team); Fred Hintermister (Core Team); Orlando Stevenson (Core Team); Laura Brown (Core Team); John Breckenridge (Secondary Reviewer); Brian Harrell (Secondary Reviewer); Jim Brenton (Final Reviewer)

70 Mission Statement Develop a presentation to be used for communicating across industry, especially to cybersecurity and operations personnel, Hydra Team roles and functions. Develop a presentation to be used for outreach promoting the ES-ISAC portal use as a central coordination point and reporting tool in crisis.

71 Timeline September CIPC June CIPC March CIPC December CIPC September CIPC -- Sep Jun Mar Dec Sep Begin Outreach Program Approval of ES-ISAC and Hydra Presentation Finalize Hydra Presentation Finalize ES-ISAC Presentation CIPC Status Report Draft of Hydra Presentation CIPC Status Report Draft of ES-ISAC Presentation CIPC Status Report Begin Work on Hydra Presentation CIPC Status Report Begin Work on ES-ISAC Presentation Select Task Force Members Aug Charter Approved

72 Outreach The ESISTF will schedule a webinar for disseminating the information Would like to present at NERC Region meetings Looking for other opportunities at relevant electricity sector conferences

73 ESISTF

74 Cyber Security Sub-cmte Progress Report Jim Brenton


76 NERC Attack Tree Task Force December 9-10, 2014

77 Generic Model Each BA/company has different configurations - Operational, IT and Physical

78 Goals and Modeling Software Attack Tree Task Force (ATTF) Goals a. Fully populated set of attack trees, with meaningful data (classified and unclassified) informing key stakeholders in offsetting vulnerabilities in the North American bulk electric system. b. Establish ownership and location of the attack trees, and document the roles and responsibilities of the data custodians

79 Attacker Goal Situational Awareness Balancing Authority - Collection of generation, transmission, and loads within metered boundaries maintaining load-resource balance Generation Load *PJM NERC Primer (June 10, 2013) Transmission Does not have to be a complete blackout to have an impact!

80 Attack Scenarios 3 Attack Scenarios Attack Scenario Each minimal combination of leaf level events is known as an attack scenario.

81 Behavioral Indicators Definition: Behavioral Indicators describe the resources that need to be expended by the attacker in order to reach a particular state or node in the tree. Behavioral Indicators: Breach of Trust; Cost of Attack (What not Who) [Technical Training / Special Equipment, Hardware or Software / Insider Knowledge / Other]; Defender Error; Noticeability; Physical Presence; Technical Ability (Who not What)

82 Overall Process Attacker Goal Define Nodes in Tree Define Behavioral Indicators (BI) Analysis Define Attacker Profiles Define Victim Profile Reduction Subset of Attack Scenarios Level 1 Attacker Profile Level 2 Attacker Profile Pruning Level 1 Successful Attack Scenarios Level 2 Successful Attack Scenarios Total Population of Attack Scenarios Level 3 Attacker Profile Level 3 Successful Attack Scenarios
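
The scenario enumeration and profile-based pruning described on the three slides above, as an added example that is not from the task force's presentation or its modeling software. The tree shape, the abstract leaf names A to E, the indicator scales, the profile thresholds and the aggregation rule (cost summed over a scenario's leaves, technical ability and noticeability taken as the maximum) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Leaf:
    """Leaf-level event carrying three of the slide's behavioral indicators."""
    name: str
    cost: int           # Cost of Attack, constructed units
    ability: int        # Technical Ability required, 1 (low) to 10 (high)
    noticeability: int  # 1 (hard to notice) to 10 (obvious)


@dataclass(frozen=True)
class Gate:
    kind: str           # "AND": every child needed; "OR": any one child suffices
    children: tuple


@dataclass(frozen=True)
class Profile:
    """Attacker profile: what this class of attacker can or will expend."""
    name: str
    budget: int
    ability: int
    max_noticeability: int


def leaf_sets(node):
    """Every combination of leaves that satisfies `node` (not yet minimal)."""
    if isinstance(node, Leaf):
        return [frozenset([node])]
    per_child = [leaf_sets(child) for child in node.children]
    if node.kind == "OR":
        return [s for sets in per_child for s in sets]
    if node.kind == "AND":
        return [frozenset().union(*combo) for combo in product(*per_child)]
    raise ValueError(f"unknown gate kind: {node.kind!r}")


def names(scenario):
    return tuple(sorted(leaf.name for leaf in scenario))


def attack_scenarios(root):
    """Minimal leaf combinations: drop any set that strictly contains another."""
    candidates = set(leaf_sets(root))
    minimal = [s for s in candidates if not any(o < s for o in candidates)]
    return sorted(minimal, key=names)


def indicators(scenario):
    """Aggregate leaf indicators over one scenario (assumed rule, see lead-in)."""
    return {
        "cost": sum(leaf.cost for leaf in scenario),
        "ability": max(leaf.ability for leaf in scenario),
        "noticeability": max(leaf.noticeability for leaf in scenario),
    }


def prune(scenarios, profile):
    """Keep only the scenarios whose demands fit inside the attacker profile."""
    kept = []
    for scenario in scenarios:
        ind = indicators(scenario)
        if (ind["cost"] <= profile.budget
                and ind["ability"] <= profile.ability
                and ind["noticeability"] <= profile.max_noticeability):
            kept.append(names(scenario))
    return kept


# Constructed tree: GOAL = (A and B) or (A and (C or (B and D))) or E
A = Leaf("A", cost=2, ability=3, noticeability=4)
B = Leaf("B", cost=5, ability=6, noticeability=3)
C = Leaf("C", cost=20, ability=8, noticeability=2)
D = Leaf("D", cost=1, ability=2, noticeability=5)
E = Leaf("E", cost=50, ability=9, noticeability=1)
GOAL = Gate("OR", (
    Gate("AND", (A, B)),
    Gate("AND", (A, Gate("OR", (C, Gate("AND", (B, D)))))),
    E,
))

# Constructed profiles; Level 3 is well resourced but avoids noticeable actions.
LEVEL_1 = Profile("Level 1", budget=10, ability=6, max_noticeability=10)
LEVEL_2 = Profile("Level 2", budget=30, ability=8, max_noticeability=10)
LEVEL_3 = Profile("Level 3", budget=100, ability=10, max_noticeability=3)

if __name__ == "__main__":
    total = attack_scenarios(GOAL)
    print("Total population:", [names(s) for s in total])
    for profile in (LEVEL_1, LEVEL_2, LEVEL_3):
        print(profile.name, "successful scenarios:", prune(total, profile))
```

The combination A, B, D satisfies the goal but is dropped because it contains the smaller scenario A, B; the per-profile lists show which scenarios a defender should prioritize for each class of attacker.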

83 Questions

84 Cyber Security Subcommittee Cyber Security Events Analysis WG Chair: <open>

85 Cyber Security Events Analysis WG 1. CIPC EC reviewing charter 2. Will recruit a new Chair if/when needed 3. Update at March CIPC meeting Chair: <open>

86 Cyber Security Subcommittee Control Systems Security WG Chair: Mikhail Falkovich

87 CSSWG Status Charter has been approved Core contributors have been identified and work is proceeding GridEx II Lesson Learned #4 Recommendations Summary Assess the business and operational implications of isolating IT assets during a cyber-event to ensure critical functions can be maintained during a crisis. Outline completed

88 CSSWG Control System Electronic Connectivity: Draft Outline Executive Summary/Introduction/Scope General Principles Network Design Considerations Security Mechanisms Disconnecting and Reconnecting Appendices/Use Cases and Examples

89 CSSWG Control System Electronic Connectivity: Executive Summary/Introduction/Scope The guideline is being written to provide a general overview of connectivity and security topics while giving the option for deep dives within the Examples appendix This guideline is focused on the electric sector and will avoid duplicating existing industry documents References to existing frameworks and guidelines will be used when appropriate.

90 CSSWG Control System Electronic Connectivity: General Principles Compartmentalization/Scoping/Segmentation Monitoring Functionality vs. Security vs. Compliance Data Connection Flows Defense in Depth Programmatic vs. User Access

91 CSSWG Control System Electronic Connectivity: Network Design Considerations Virtualization Remote Access/Intermediate Systems Data Diodes Complete Segregation 4 Legged Firewall Connecting OT-OT and OT-IT systems

92 CSSWG Control System Electronic Connectivity: Security Mechanisms Access Controls User Access & Configuration Management

93 CSSWG Control System Electronic Connectivity: Disconnecting and Reconnecting When to disconnect Where to disconnect How to disconnect and how to reconnect

94 CSSWG Control System Electronic Connectivity: Appendices: Pointers and References Bibliography Glossary Use Cases and Examples

95 Examples & Use Cases

96 CSSWG Core Contributors Nadya Bartol Larry Bugh Frances Cleveland Tim Conway Dustin Cornelius Mikhail Falkovich Cynthia Hill-Watson Michael Johnson Carter Manucy Paul Skare Cyber Subcommittee Chair: Marc Child NERC Staff: Laura Brown

97 CSSWG Remaining Tasks Continue to work on the guideline language Hold two in-person meetings to finalize the drafts (December and February) Distribute the draft guideline to stakeholders (TBD)

98 Cyber Security Subcommittee Questions?

99 CIP Version 5 Revisions Standards Development Update Marisa Hecht, Standards Developer CIPC December 10, 2014

100 Topics Development History CIP Version 5 Revisions Directives FERC Order No. 791 How the Standard Drafting Team (SDT) responded Postings Versioning Current Comment Period & Ballot Next Steps 2 RELIABILITY ACCOUNTABILITY

101 Development History FERC Order No. 791 issued November 2013 Two technical conferences SDT meetings SDT conference calls Extensive outreach throughout development 3 RELIABILITY ACCOUNTABILITY

102 CIP Version 5 Revisions - Directives Identify, Assess, Correct (IAC) Directive: remove or modify the IAC language, retain the requirement provisions, and clarify the obligations for compliance SDT removed IAC language, revised the VSLs Communication Networks (CN) Directive: define communication networks and write standard to protect the nonprogrammable components of communication networks SDT revised CIP-006 and CIP-007, no glossary definition 4 RELIABILITY ACCOUNTABILITY

103 CIP Version 5 Revisions - Directives Low Impact Directive: add objective criteria from which to judge the sufficiency of controls Revised CIP Requirement R2 and developed attachment to add detail to the four subject matter areas; created two new definitions Transient Devices Directive: develop new or modified standards for transient devices SDT drafted new requirement and attachment for CIP-010-3; reference in CIP-007-7; added language to CIP and CIP Guidance; revised two definitions and created two new definitions 5 RELIABILITY ACCOUNTABILITY

104 Postings Initial Comment Period and Ballot June 2-July 16 Additional Comment Period and Ballot September 3-October 17 Version X IAC and Communication Networks -6 and -3 Lows and Transient Devices Additional Comment Period and Ballot November 25-January 9 6 RELIABILITY ACCOUNTABILITY

105 Versioning CIP-003-6/CIP July Additional Ballot Version X IAC/CN Only CIP-003-X/CIP-010-X October Additional Ballot CIP-003-6/CIP Lows/Transients CIP-003-6/CIP October Final Ballot CIP-003-6/CIP November Board Adoption January Additional Ballot CIP-003-7/CIP directives January Final Ballot 7 RELIABILITY ACCOUNTABILITY

106 Current Additional Comment Period & Ballot SDT determined additional work was needed in response to comments and posted the following documents: CIP-003-7, CIP-004-7, CIP-007-7, CIP-010-3, and CIP Definitions Implementation Plan Includes language adopted by NERC Board in November IAC removal Communication networks revisions Revisions addressed transient devices and lows directives Focused on clarifying language and intent 8 RELIABILITY ACCOUNTABILITY

107 Next Steps Additional Ballot concludes January 9 SDT will meet January at NERC in Atlanta Final ballot will be conducted soon after SDT meeting Request NERC Board adoption Filed at FERC upon NERC Board adoption

109 CIP Version 5 Transition NERC CIPC December Meeting Tobias Whitney, Manager of CIP Assurance Tobias.Whitney@nerc.net

110 Transition Elements Continuous Outreach Training Compliance and Enforcement Periodic Guidance

111 V5 Transition Advisory Group NERC, Regions, and stakeholder group Topics to support confidence in implementing Version 5 Partner with regions and stakeholders Meets approximately monthly Team composition: Implementation study participants Standard Drafting Team representation NERC and Regional Entity staff Role Prioritizes and supports unity of approach on references to enhance stakeholder understanding and implementation of the standards Additional topics for enhanced training/guidance

112 Lesson Learned Status Far-end Relay * Programmable Devices Generation Segmentation * Virtualization (Networks and Servers) Serial Devices that are accessed remotely Control Centers operated by TOs and non-registered BAs Interactive Remote Access (Scripts and Mgt consoles) Non-routable infrastructure components Shared Substations Mixed Trust EACMs * General FAQs*

113 Key Next Steps Implementation Study Report (October 2014) CIP Program Management Level Feedback Identification of Lesson Learned Monthly Lesson Learned Comment Posting Period Far-end Relay (October) Generation Segmentation (October) CIP Version 5 FAQs 3-5 posted per month Final Version 5 RSAWs (Q4) RAI CIP V5 Program Document (Q4)

115 Physical Security CIP NERC Standing Committees December 9-10, 2014

116 Agenda FERC Order Summary Standard Drafting Team activities Guidance Development Activities Implementation Timeline

117 FERC Order November 20, 2014, FERC Order: The Commission approved the standard and directed NERC to remove the term "widespread" from Reliability Standard CIP or to propose modifications to the Reliability Standard that address the Commission's concerns within 6 months of the effective date of the order. Directed NERC to make an informational filing addressing whether CIP provides physical security for all High Impact control centers necessary for the reliable operation of the Bulk-Power System. The Commission directed NERC to submit this filing within two years after the effective date of the standard.

118 Standard Drafting Team Activities Revised SAR to address use of "widespread" was approved for posting by the NERC SC on December 9, SAR will be posted for 30 days. Standard Drafting Team will address any comments received on the SAR and begin standard development process in January

119 Guidance Development Activities NERC will work with NATF and other industry groups to develop guidance. The guidance will address: Best practices and effective approaches to meet each requirement Compliance-oriented communication for common regional compliance and enforcement Stakeholder groups will be formed to field industry FAQs. The group will include: Industry groups Regional Compliance and Enforcement staff NERC Subcommittee: PC, CIPC

120 CIP Implementation Transmission Owner to identify critical facilities on or before the effective date of CIP (6 months following FERC approval) Tiered implementation timeline for balance of requirements (within 15 months) Security Plan implementation may specify timelines for completion of security measures ERO to monitor implementation

121 Implementation Critical facility identification (R1) complete before effective date (six months following publication in the Federal Registry) Standard approved November 20, 2014 Mandatory and Enforceable October 1, 2015 Third party verification (R2) complete within 90 days of completion of R1: Mandatory and Enforceable no later than December 30, 2015 Part revisions to list could add 60 days Notification of other parties (R3) complete within 7 days of completion of R2.

122 Implementation Evaluate threats and vulnerabilities (R4) and develop security plans (R5). Mandatory and Enforceable 120 days after completion of R2. Third party review of threats and vulnerabilities and security plans (R6). Mandatory and Enforceable 90 days after completion of R4/R5 Part 6.3 revisions to threats, vulnerabilities and plans could add 60 days

123 CIP Implementation Timeline R1, R2 & R3 Risk Assessment & Verification Guidance Review NATF Guidance (R1) and provide any substantive edits Develop Compliance and Enforcement Letter to the ERO (R1, R2, R3) Publish Guidance January 2015 Mandatory Enforcement Oct 1, 2015 R4 & R5 Threat Evaluation / Physical Security Plans Develop Compliance and Enforcement Letter to the ERO (R4, R5) April 2015 May 1, 2016 R6 Physical Security Plan Verifications Develop Compliance and Enforcement Letter to the ERO (R6) July 2015 Aug 1,

124 ERO to Monitor Implementation Number of assets critical under the standard Defining characteristics of the assets identified as critical Scope of security plans (types of security and resiliency contemplated) Timelines included for implementing security and resiliency measures Industry's progress in implementing the standard

125 Information NERC Standards Developer, Stephen Crutchfield NERC CIP Compliance Mgr, Tobias Whitney at or Project Web Page is: Security.aspx CIP Standard may be found here: r=cip-014-1&title=physical%20security&jurisdiction=united%20states

127 Security Training WG Progress Report William Whitney III, Chair David Godfrey, Vice Chair

128 Security Training WG 1. Charter a. CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as, educational outreach opportunities. 2. Current Members Bob Canada, David Grubbs, John Breckenridge, David Godfrey, Ross Johnson, Chantel Haswell, Rick Carter, James McQuiggan, Jason Phillips, Nick Santora, David Scott, Ronald Keen, Tim Conway, Steen Fjalstad, Daniel Moore, Jason Phillips, Nick Rasey, and William Whitney III

129 Security Training WG 3. Latest Activities a. Monthly conference calls to discuss goals and actions b. Finalizing HILF recommendation to raise operator awareness about cyber attacks on the grid with SOS and SANS. SANS is currently developing the Operator training. c. Provided successful security training opportunities to the industry d. Finalizing tasks assigned to us from the GridEx II Lessons Learned e. Now recording webinars and CIPC training events. Working on online content availability. f. Continuing to compile a list of free training resources available to entities

130 Security Training WG 2014 Progress Date Name Registered Attended 4/16/2014 Physical Security Management and Programs Web 5/14/2014 Physical Security Assessments, Design, and Protection Strategies Web 6/10/2014 Security Technology Awareness Workshop In Person 7/17/2014 Active Shooter with Danny Coulson Web Active Shooter playbacks post webinar Web 9/16/2014 Cyber Incident Response Planning Workshop In Person 11/18/2014 Private Sector Clearance Program Web Totals

131 Security Training WG 2015 Training Schedule We plan to provide 12 webinars, 1 each month NEW!!! We plan to expand the workshops prior to CIPC meetings with 2 tracks, one for cyber and one for physical, for a total of 6 in person training opportunities. Please let us know what training you and/or your fellow colleagues would like to see in 2015 so we can secure the speakers for that topic. If you or someone you know would like to present on a topic let us know because we would enjoy the information sharing. Remember, what you may think is common knowledge others might not know!

132 Security Training WG 1. Training Links a. TEEX - b. DHS - c. DOD - d. FEMA - e. DOE - f. MS-ISAC - Have a link for free, quality, training? Please share with us to add to the list.

133 Security Training WG 4. Next Steps a. Continue to expand the list of free on demand training from reputable agencies and vendors b. Schedule and prepare future Pre-CIPC training sessions and webinars c. Work with vendors and/or individuals in the industry to provide specific training to industry a. This means you and/or your co-workers that have information to share with the industry d. Continue work with SOS and SANS to compile operator training with cyber attack scenarios per the HILF recommendations and plan a training date. e. Complete GridEx II Lessons Learned assignments from EC 5. CIPC Actions a. Concerns and/or suggestions for today's discussion

134 Questions? Or

135 Personnel Security Clearance Task Force (PSCTF) Critical Infrastructure Protection Committee December 9, 2014 Nathan Mitchell, Chair Policy Subcommittee

136 Recommendations Inform government of the value that industry SMEs bring to classified discussions. Use the clearance model outlined in this report to identify and validate industry nominees on a functional basis. Submit clearance nominees through the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to facilitate the selection process. (ESCC Liaison facilitates clearance nominations) Encourage clearance nominees to use the guidance in this report during the PSCP application process. Advocate for TS-SCI clearances for ES-ISAC staff.

137 Work is complete With the completion of all the recommendations the CIPC-EC proposes to dissolve the PSCTF

138 Thank you PSCTF members!

139 BES Security Metrics WG Progress Report James W. Sample, Chair Roland Miller, Vice-Chair December 10, 2014

140 How we fit in!

141 Activities Previous Update: Drafted Macro metrics focused primarily on what a Strong Security Posture looks like for the sector Discussed concept of Micro metrics focused primarily on evidence supporting the macro metrics Discussed we were looking into how to leverage ALR by adding security attributes Activity Since Previous Update: Applied the SMART criteria to a number of the more quantifiable Macro metrics Prioritized these Macro metrics for detailed development Proposed including new section for 2014 State of Reliability Report to introduce the "what" and "how" for these security metrics

142 Strong Security Posture: Macro Metrics

143 SMART Criteria

144 SMART Scores Metric 1. Number of entities using C2M2 methodology to assess the maturity of their cyber security program 2. Number of entities using the NERC Cyber Risk Preparedness Assessment (CRPA) program 3. Number and frequency of government-sponsored classified briefings attended by entities 4. ES-ISAC portal being used by entities voluntarily to share information with industry (e.g., average number of portal accesses per quarter per registrant, or participation rate in ES-ISAC conference calls) SMART Rating (maximum of 15) TOTAL Number of entities registered to access ES-ISAC portal to 12 share information (e.g., number of registrants, measured quarterly) 6. Number of ES-ISAC Advisories and Alerts issued per quarter Number of industry entities participating as Active Organizations in GridEx security exercise 8. Frequency of Reportable Cyber Security Incidents reported by entities 9. Frequency of failure or compromise of cyber security controls (voluntary reporting)

145 Define Metric in Detail Name and definition Relevance to reliable BES operations Mathematical formula Data source and collection process Need for pilot Metric Number Submittal Date Sponsor Group (OC, PC or subgroup name) Short Title Metric Description Purpose How will it be suited to indicate performance? Formula Metric Start Time or Baseline Time Horizon Data Collection Interval and Roll Up Ease of Collection Aggregation Linkage to NERC Standard Linkage to Data Source Need for Validation or Pilot Data Submitting Entity ALR4-2 (M17) ALR4-2 (M17) CIPC BES Security Metrics Working Group SMART Rating Total Score Specific/ Simple Measurable Attainable Relevant Tangible/ Timely Reporting

146 Next Steps Prioritize metrics and proceed with detailed development Coordinate with the PC's Performance Analysis Subcommittee and draft new Security Metrics section for 2015 State of Reliability Report Less than 1 page Developing Security Metrics Goals for developing security metrics (i.e., why would this be helpful to the industry) Challenges associated with collecting security metrics (to recognize why this won't be quick or easy) Status of BESSMWG efforts, plan for 2015 (high level)

147 NERC CIPC Compliance and Enforcement Input Working Group NERC CIPC Update December 9-10th, 2014 Paul Crist

148 NERC CIPC Compliance and Enforcement Input Working Group Update CEIWG Conference Calls - October 9th, November 13th, 2014

149 NERC CIPC Compliance and Enforcement Input Working Group Update Agenda Items 1. Update on Lessons Learned 1. Far End Relays Impact Rating 2. Generation Segmentation 2. CIP V3 to V5 Transition Updates/Schedule 3. ES-ISAC CEIWG Working Page 4. RAI Process 5. Virtualization

150 NERC CIPC Compliance and Enforcement Input Working Group Update Far End Relays Impact Rating Comments Submitted 1. Provides clarification for Criterion Additional guidance still needed 1. Criterion 2.4 and collector bus 2. Criterion 2.6 with derivation of IROL and associated contingencies 3. Criterion 2.7 with Transmission Facilities for NUC Interface Requirements 4. Criterion 2.8 with interconnection Facilities 5. Criterion 2.9 with SPS, RAS, or automated switching Systems for IROLs. 3. Suggested an additional Lesson Learned for guidance on scoping.

151 Future Work Participation in Lessons Learned Document Reviews Participation in the RAI Advisory Group Participation in the V3-V5 Transition Advisory Group

152 Virtualization Update

154 NERC CIPC Compliance and Enforcement Input Working Group Update Meetings 2nd Thursday of the Month at 1:00 CST (Let me know if you need the call-in information) Questions?


More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

ERO Enterprise Strategic Planning Redesign

ERO Enterprise Strategic Planning Redesign ERO Enterprise Strategic Planning Redesign Mark Lauby, Senior Vice President and Chief Reliability Officer Member Representatives Committee Meeting February 10, 2016 Strategic Planning Redesign Current

More information

Compliance Monitoring and Enforcement Program Technology Project Update

Compliance Monitoring and Enforcement Program Technology Project Update Compliance Monitoring and Enforcement Program Technology Project Update Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology Technology and Security Committee

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

Implementing Executive Order and Presidential Policy Directive 21

Implementing Executive Order and Presidential Policy Directive 21 March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy

More information

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas

Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I

More information

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011

Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company. CSO706 SDT Webinar August 24, 2011 CIP Standards Version 5 Requirements & Status Philip Huff Arkansas Electric Cooperative Corporation Doug Johnson Commonwealth Edison Company David Revill Georgia Transmission Corporation CSO706 SDT Webinar

More information

Medical Device Cybersecurity: FDA Perspective

Medical Device Cybersecurity: FDA Perspective Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological

More information

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1, 2008 www.morganlewis.com Overview Reliability Standards Enforcement Framework Critical Infrastructure Protection (CIP)

More information

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting May 5, 2016

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting May 5, 2016 Standards Howard Gugel, Director of Standards Board of Trustees Meeting May 5, 2016 Real-time Monitoring and Analysis Reliability Benefits Ensure entities have capabilities for maintaining high quality

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No.

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. Foundation for Resilient Societies ) Docket No. UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION Foundation for Resilient Societies ) Docket No. AD17-9-000 COMMENTS OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION IN OPPOSITION

More information

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities NRECA TechAdvantage March 2014 Patti Metro Manager, Transmission & Reliability Standards NRECA

More information

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90 th OREGON LEGISLATIVE ASSEMBLY-- Regular Session Senate Bill 0 Printed pursuant to Senate Interim Rule. by order of the President of the Senate in conformance with presession filing rules, indicating neither

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

History of NERC August 2013

History of NERC August 2013 History of NERC August 2013 Timeline Date 1962 1963 November 9, 1965 1967 1967 1968 June 1, 1968 July 13 14, 1977 1979 Description The electricity industry creates an informal, voluntary organization of

More information

GridEx IV Panel Discussion

GridEx IV Panel Discussion GridEx IV Panel Discussion NERC GridSecCon October, 2016 1 Generation 254 GW Transmission Geography 120,000 Miles 22 States GridEx IV Panel Discussion Focus on Operations NERC GridSecCon October 20, 2016

More information

Standards Authorization Request Form

Standards Authorization Request Form Standards Authorization Request Form When completed, email this form to: sarcomm@nerc.com NERC welcomes suggestions to improve the reliability of the bulk power system through improved reliability standards.

More information

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT

More information

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

PIPELINE SECURITY An Overview of TSA Programs

PIPELINE SECURITY An Overview of TSA Programs PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the

More information

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

DHS Election Task Force Updates. Geoff Hale, Elections Task Force 1 DHS Election Task Force Updates Geoff Hale, Elections Task Force Geoffrey.Hale@hq.dhs.gov ETF Updates Where we ve made progress Services EI-ISAC/ National Cyber Situational Awareness Room What we ve

More information

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Views on the Framework for Improving Critical Infrastructure Cybersecurity This document is scheduled to be published in the Federal Register on 12/11/2015 and available online at http://federalregister.gov/a/2015-31217, and on FDsys.gov Billing Code: 3510-13 DEPARTMENT OF COMMERCE

More information

Statement for the Record

Statement for the Record Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before

More information

Standards Development Update

Standards Development Update Standards Development Update Steven Noess, Director of Standards Development FRCC Reliability Performance Industry Outreach Workshop September 20, 2017 Supply Chain Risk Management 1 Cyber Security Supply

More information

BEFORE THE U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON ENERGY AND COMMERCE SUBCOMMITTEE ON ENERGY

BEFORE THE U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON ENERGY AND COMMERCE SUBCOMMITTEE ON ENERGY STATEMENT OF SCOTT I. AARONSON EXECUTIVE DIRECTOR, SECURITY AND BUSINESS CONTINUITY EDISON ELECTRIC INSTITUTE AND SECRETARIAT MEMBER ELECTRICITY SUBSECTOR COORDINATING COUNCIL BEFORE THE U.S. HOUSE OF

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO June 27, 2016 Training provided for Ontario market participants by the Market Assessment and Compliance Division of the IESO Module 1 A MACD training presentation

More information

HPH SCC CYBERSECURITY WORKING GROUP

HPH SCC CYBERSECURITY WORKING GROUP HPH SCC A PRIMER 1 What Is It? The cross sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD 21) A trust community partnership

More information

Agenda Critical Infrastructure Protection Committee March 8, :00 5:00 p.m. Eastern March 9, :00 a.m. Noon Eastern

Agenda Critical Infrastructure Protection Committee March 8, :00 5:00 p.m. Eastern March 9, :00 a.m. Noon Eastern Agenda Critical Infrastructure Protection Committee March 8, 2017 1:00 5:00 p.m. Eastern March 9, 2017 8:00 a.m. Noon Eastern Ritz-Carlton Buckhead 3434 Peachtree Road Atlanta, GA 30326 Room: Salon 2678

More information

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers This document is scheduled to be published in the Federal Register on 07/28/2016 and available online at http://federalregister.gov/a/2016-17854, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016

Meeting Notes Project Modifications to CIP Standards Drafting Team June 28-30, 2016 Meeting Notes Project 2016-02 Modifications to CIP Standards Drafting Team June 28-30, 2016 Exelon Chicago, IL Administrative 1. Introductions / Chair s Remarks The meeting was brought to order by S. Crutchfield

More information

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 2012 What s Inside Welcome 1 Organization 3 Outreach 4 Industrial Control Systems Joint Working Group 5 Advanced Analytical

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra CIP-014 JEA Compliance Approach FRCC Fall Compliance Workshop Presenter Daniel Mishra Acronyms & Terminologies DHS Department of Homeland Security JEA It s not an acronym JSO Jacksonville Sheriff's Office

More information

CIP Cyber Security Personnel & Training

CIP Cyber Security Personnel & Training A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,

More information

June 4, 2014 VIA ELECTRONIC FILING. Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2

June 4, 2014 VIA ELECTRONIC FILING. Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2 June 4, 2014 VIA ELECTRONIC FILING Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2 Re: North American Electric Reliability Corporation Dear

More information

Member Representatives Committee Meeting

Member Representatives Committee Meeting Member Representatives Committee Meeting August 13, 2014 1:15 p.m. 5:15 p.m. Pacific The Westin Bayshore, Vancouver 1601 Bayshore Drive Vancouver, BC V6G 2V4 Canada Opening Remarks by MRC Chair Consent

More information

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT Mitigation Framework Leadership Group (MitFLG) Charter DRAFT October 28, 2013 1.0 Authorities and Oversight The Mitigation Framework Leadership Group (MitFLG) is hereby established in support of and consistent

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION NARUC Energy Regulatory Partnership Program The Public Services Regulatory Commission of Armenia and The Iowa Utilities Board Janet Amick Senior Utility

More information