Information Sharing Analysis Engagement. Launched recruiting efforts, hired one cyber analysis specialist in 2017

Transcription

1 E-ISAC Update Bill Lawrence, Director of the E-ISAC Charlotte de Seibert, Principal Physical Security Analyst Philip Daigle, Senior Cybersecurity Analyst Critical Infrastructure Protection Committee Jacksonville, FL March 6-7,

2 Agenda Long-term Strategic Plan background 2017 Accomplishments Strategic plan framework Key activities Q1/Q Deliverables GridEx IV update Physical security update Cyber security update 2

3 Background The E-ISAC underwent a strategic review with the Electricity Subsector Coordinating Council (ESCC) in 2015 Under the ESCC, the Member Executive Committee (MEC) was created and serves as a CEO-led stakeholder advisory group MEC input was used on the E-ISAC Long-term Strategic Plan developed in 2017 The plan was approved by the NERC Board in 2017 and included in the NERC Business Plan and Budget for implementation in

4 2017 Accomplishments Launched portal Information Sharing Analysis Engagement Shared over 210 cyber bulletins (140 member-posted; 71 E-ISAC-posted) and 165 physical bulletins (64 memberposted; 101 E-ISAC-posted) Provided content to three NERC Alerts on: Modular Malware Targeting Electric Industry Assets in Ukraine Advanced Persistent Threat Actor Targeting Electric Industry and Other Critical Sectors Supply Chain Risk Gathered GridEx IV lessons learned and recommendations Adopted internationally accepted Traffic Light Protocol for information handling Facilitated 12 monthly E-ISAC and CRISP webinars Facilitated two CRISP member workshops and threat briefings Participated in NRECA RC3 Cyber Security Summits for information sharing best practices Launched recruiting efforts, hired one cyber analysis specialist in 2017 Launched the Embedded Industry Augmentation program Collaborated with CIPC Security Metrics Working Group on new security metrics and data sources Produced a security risk assessment for the MRO Security Advisory Council Produced 51 Weekly, 12 Monthly, 1 Mid-Year, and 1 End of Year reports Produced 12 MonthlyCRISP Analysis reports Conducted GridEx IV: over 6,500 participants (up 50% from GridEx III), over 450 organizations (up 30% from GridEx III) Conducted GridSecCon 2017 with over 500 participants (an increase of 20% from GridSecCon 2016) Enhanced CRISP Participation from 25 to 27 companies CRISP governance group of 15 companies Independent audit of PNNL security practices, data handling Formalized partnership with Downstream Natural Gas ISAC Established MEC user group governance team (UNITE, ISO/RTO Council, Large Public Power Council) Increased active E-ISAC Portal membership from 2,500 to over 3,200 from Q1 to Q3 Partnered with DARPA on a cyber security program for electric utilities linked to the GridEx program Partnered with the University of Illinois at Urbana-Champaign and its new Industry University Cooperative Research Center Discussed malware solutions pipeline research effort with DOE and National Laboratory system Enhanced international engagement: Performed Cyber Risk Preparedness Assessment in Mexico Initiated collaboration with the Japan Electricity ISAC and European E-ISAC (to be continued in 2018) 4

5 2017 Accomplishments Launched portal Information Sharing Analysis Engagement Shared over 210 cyber bulletins (140 member-posted; 71 E-ISAC-posted) and 165 physical bulletins (64 memberposted; 101 E-ISAC-posted) Provided content to three NERC Alerts on: Modular Malware Targeting Electric Industry Assets in Ukraine Advanced Persistent Threat Actor Targeting Electric Industry and Other Critical Sectors Supply Chain Risk Gathered GridEx IV lessons learned and recommendations Adopted internationally accepted Traffic Light Protocol for information handling Facilitated 12 monthly E-ISAC and CRISP webinars Facilitated two CRISP member workshops and threat briefings Participated in NRECA RC3 Cyber Security Summits for information sharing best practices Launched recruiting efforts, hired one cyber analysis specialist in 2017 Launched the Embedded Industry Augmentation program Collaborated with CIPC Security Metrics Working Group on new security metrics and data sources Produced a security risk assessment for the MRO Security Advisory Council Produced 51 Weekly, 12 Monthly, 1 Mid-Year, and 1 End of Year reports Produced 12 MonthlyCRISP Analysis reports Conducted GridEx IV: over 6,500 participants (up 50% from GridEx III), over 450 organizations (up 30% from GridEx III) Conducted GridSecCon 2017 with over 500 participants (an increase of 20% from GridSecCon 2016) Enhanced CRISP Participation from 25 to 27 companies CRISP governance group of 15 companies Independent audit of PNNL security practices, data handling Formalized partnership with Downstream Natural Gas ISAC Established MEC user group governance team (UNITE, ISO/RTO Council, Large Public Power Council) Increased active E-ISAC Portal membership from 2,500 to over 3,200 from Q1 to Q3 Partnered with DARPA on a cyber security program for electric utilities linked to the GridEx program Partnered with the University of Illinois at Urbana-Champaign and its new Industry University Cooperative Research Center Discussed malware solutions pipeline research effort with DOE and National Laboratory system Enhanced international engagement: Performed Cyber Risk Preparedness Assessment in Mexico Initiated collaboration with the Japan Electricity ISAC and European E-ISAC (to be continued in 2018) 5

6 Strategic Plan E-ISAC Strategic Plan Vision: To be a world class, trusted source of quality analysis and rapid sharing of electricity industry security information Supported by: NERC Board of Trustees Electricity Subsector Coordinating Council (ESCC) ESCC Members Executive Committee (MEC) Information Sharing Analysis Engagement Accelerate sharing and high priority notifications Enhance portal Improve information flow and security Build trust and show value CRISP CYOTE CAISS Strategic Vendor Partnerships Hire and develop exceptional employees Leverage information sharing technologies and resources to enhance analytical capability Prioritize products and services Metrics benchmarking Evaluate 24x7 Operations (future) World Class ISAC 6

7 Key Activities Update E-ISAC Critical Broadcast Program Operationalized the rapid information sharing capability of the E-ISAC 1,208 individuals from 245 organizations joined the call CRISP (CRISP Governance Committee Activities) Established E-ISAC local access to CRISP data Governance Committee organized, charter under development Further expanding Membership Base target minimum of four companies joining Identifying and evaluating opportunities to lower cost of participation Developing Strategic Plan Portal Launch Launched December 19, 2017 Providing post-production support Commence planning for portal enhancements, including potential data visualization, authentication, user management, and registration 7

8 Key Activities Update User Communities Developing user communities governance and implementation plan Implementing and testing user community capability Automated Information Sharing Developing and piloting CAISS analytic capabilities Evaluating pros and cons in moving ahead with ThreatConnect platform Industry Augmentation Program Completed week with participating analysts from NYPA and SRP Built trust while exchanging expertise and understanding of threats and response processes 8

9 2018 Q1 and Q2 Deliverables Q1 Q Information Sharing Accelerate sharing and high-priority notifications Establish and exercise Deploy HF capability Join quarterly DHS HF radio tests Critical Broadcast process Gather requirements, develop plan, and issue RFP for Event Management tool Develop and pilot CAISS information sharing capabilities Obtain credentials for staff access to DHS National Cybersecurity and Communications Integration Center Evaluate strategic vendor partnerships Enhance Portal Plan and begin implementations of Portal enhancements including potential data visualization, authentication, user management, and registration Circulate draft GridEx IV reports Improve information access Release GridEx IV reports Join quarterly DHS secure video teleconference tests with industry clearance holders Build work plan with ESCC and CIPC to accomplish GridEx recommendations and lessons learned 9

10 2018 Q1 and Q2 Deliverables Q1 Q Analysis Hire cyber analyst #1 Hire physical security manager and analyst Enhance CRISP data analysis with E-L-K technologies Acquire and develop high quality resources Hire cyber analyst #2 Develop requirements and RFP for contracted analyst support Develop embedded industry augmentation program Develop and pilot CAISS analytic capabilities Leverage technology Evaluate new analytical capabilities Evaluate deployment DOE malware forensics tools and dropbox Prioritize products and services Hire cyber analyst #3 Metrics benchmarking Hire cyber analyst #4 Implement embedded industry augmentation program Gather requirements and develop plan and RFP for data warehouse and analyst workbench Benchmark security metric data Continue work with CIPC Security Metrics Working Group 10

11 2018 Q1 and Q2 Deliverables Q Q2 Engagement Add CRISP participants Hire Member Services manager Expand industry relationships and collaboration SANS ICS Summit Enhance Energy (ONG, DNG) and cross-sector ISAC relationships (FS, Water, Comms, Nuclear) MEC MEC and CIPC GridSecCon strategic planning Build trust and value via user communities Promote unclassified workshops Establish monthly CRISP classified workshops with DOE and Pacific Northwest National Laboratory Develop user community governance and User management registration integration additional portal requirements Define relationship with Cyber Mutual Assistance program Strengthen governmental, institutional, and private sector relationships Establish recurring meetings with DOE, DHS, FERC OEIS Establish MOU with Canadian Cyber Incident Response Centre Strengthen private sector relationships (e.g., SANS, CEATI, etc.) Continue work on trilateral MOU with Japan E-ISAC and European Energy ISAC GridSecCon call for presentations and training MEC and CIPC 11

12 Mission statement GridEx is an unclassified public/private exercise designed to simulate a coordinated cyber and physical attack with operational impacts on electric and other critical infrastructures across North America to improve security, resiliency, and reliability 12

13 GridEx Objectives Exercise incident response plans Expand local and regional response Engage critical interdependencies Improve communication Gather lessons learned Engage senior leadership 13

14 Exercise Components Move 0 Pre-Exercise Distributed Play (2 days) Executive Tabletop (1/2 day) Preparation Identification Containment Reliability Coordinators Support and Vendors Utilities Injects and info sharing by and phone E-ISAC and BPSA Fed/State/Prov Agencies Executive Tabletop Operators may participate in Cyber Intrusion detection activities Players across the stakeholder landscape will participate from their local geographies Facilitated discussion engages senior decision makers in reviewing distributed play and exploring policy triggers 14

15 Participation 6500 Participants 206 Electric utilities 452 Organizations 17 Cross-sector partners 10 States (2 full-scale) 15

16 Active and Observing GridEx Exercise Participation % % % % % % 57% 36 47% GridEx 2011 (76) GridEx II (231) GridEx III (364) GridEx IV (452) Active Observing 16

17 GridEx IV Communications NERC Crisis Action Team Electricity Subsector Coordinating Council (ESCC) Regional Entities Trade Associations Energy GCC Other SCCs Unified Coordination Group (UCG) or non-us equiv. Executive Coordination NERC Bulk Power System Awareness (BPSA) E-ISAC Electricity Information Sharing & Analysis Center DOE Department of Energy DHS NCCIC ICS-CERT US-CERT Other Federal Agencies US: FBI, FERC, DOD Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC Vendor Support IT, ICS, ISP, Anti-virus Other Critical Infrastructures Telecommunications Oil & Gas others Bulk-Power System Entities Coordinated Operations Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc. ExCon GridEx IV Exercise Control NERC staff, GEWG, BAH, Nat l Labs, SMEs for Sim-cell, et al. Coordination with Government Local, State/Provincial Government Governors / Premiers Emergency Management Organizations Emergency Operations Centers / Fusion Centers Local FBI, PSAs National Guard PUCs, PSCs 17

18 Cyber shares 204 Physical Security shares 364 OE-417s submitted 244 EOP-004s submitted 132 Utilities participating in Cyber Mutual Assistance 43 Information Sharing with the E-ISAC 18

19 Where s the Cavalry? Relationship building with partners (e.g. cross-sector, law enforcement, emergency managers, etc.) What is the State/Federal Government s role during a Grid Emergency? E-ISAC Portal improvements Greater cross-sector participation Preliminary Findings GridEx IV Distributed Play Public Affairs and Corporate Communications vs. Incorrect or Misleading information Communication resiliency (e.g. WPS, GETS, HF Radio, etc.) Electric Utility RC emergency communications Cyber Mutual Assistance On-keyboard cyber training Active Lead Planners 19

20 Executive Tabletop Overview Five-hour Executive Tabletop held on November 16, 2017, the second day of the large-scale GridEx IV security and emergency response exercise. Parallel, separate tabletops were held in Canada and Australia Objective: Engage senior industry and government leadership in a robust discussion of the policy issues, decisions, and actions needed to respond to protect and restore the reliable operation of the grid 20

21 Executive Tabletop Themes Extraordinary Measures 21

22 Phased Scenario Discussion One Day After Three Days After Two Weeks After Attacks Begin For each phase after attacks begin: Participants role-play actions and the decisions needed to respond to the situation, restore power, and secure the grid Identify any gaps 22

23 Tabletop Discussion Situation assessment and initial response by industry and government Communications between utilities and with local, state, and federal government Utility liaison with state emergency operations centers Immediate government priority: Stop the Attacks Utility liaison with National Guard Grid Emergency Operations Utilities have the authority to implement emergency actions (e.g., shed load) to maintain grid operation Utilities coordinate with local and state government to identify highpriority customers 23

24 Tabletop Discussion Share sensitive information Need to distribute information quickly and declassify if necessary Decide national level priorities When resources are limited, balance local, state, and national interests Critical infrastructure interdependencies Communications, financial services, natural gas, and critical manufacturing sectors as life-line sectors Utility finances to fund recovery and restoration 24

25 Way Forward GridEx IV Reports will be complete by end of March, 2018 GridEx V Initial Planning Meeting will be held November

26 E-ISAC Physical Security Update Charlotte de Sibert, Principal Physical Security Analyst CIPC March 3, 2018 TLP: WHITE 26

27 Incident Reporting Reporting Submit requests for information, incident or trend related questions, regional analysis requests etc. to Continue reporting events via E-ISAC portal, o When reporting incidents, provide as many details as possible to provide context Location (city, state, region etc.) Impact (customer outages, financial) Has this type of incident occurred before? Mitigation actions taken 27

28 Incidents by Type Overview Q1 Incidents of Note Axe incident in CA Suspicious Activity Events Emotionally unstable individuals inside substation Drone/UAS events Security Equipment theft Copper price monitoring/theft 28

29 Items of Interest Activist/Eco-Terrorist group overview Foreign Terrorist Organization group overview Revised Suspicious Activity Bulletin 2018 Initiatives Increased voluntary sharing Increased analyst context Industry sourced articles and whitepaper sharing 29

30 PSAG Overview of PSAG 2017 Activity New Members Plan for

31 E-ISAC Cyber Update Philip Daigle, Senior Cybersecurity Analyst, E-ISAC CIPC March 6, 2018 TLP: WHITE 31

32 Summary of 2018 Cyber Topics of Interest Malware Targeting Safety Instrumented Systems (SISs) Spear-phishing of Several members Generalized phishing of members 32

33 Summary of 2018 Cryptocurrency Mining Malicious cryptocurrency mining, or cryptojacking, is becoming more prevalent as the price of Bitcoin and other cryptocurrencies skyrocket. In the past few months many threat actors have shifted away from ransomware to using cryptocurrency miners. Compared to ransomware, cryptojacking takes little to no interaction and can generate currency over an extended period of time. 33

34 34

35 ESCC Update Kaitlin Brennan, Manager Cyber and Infrastructure Security, EEI Critical Infrastructure Protection Committee Meeting March 6-7, 2018

36 ESCC Update 2018 Schedule: May 7, 2018 in Washington, DC July 11-12, 2018 at Idaho National Laboratories October 9-10, 2018 in the Washington, DC / Baltimore, MD area Summary of Conclusions November 2017 Puerto Rico Response Threat Information Sharing ESCC-Government Engagement ESCC Vision and Planning Strategic Committee Cross-Sector Coordination 2 RELIABILITY ACCOUNTABILITY

37 3 RELIABILITY ACCOUNTABILITY

38 Legislative Update Kaitlin Brennan, Manager Cyber and Infrastructure Security, EEI Critical Infrastructure Protection Committee Meeting March 6-7, 2018

39 Legislative Update S.79 Securing Energy Infrastructure Act Sens. King (I-ME) & Risch (R-ID) S.141/H.R Space Weather Research and Forecasting Act National Defense Authorization Act (H.R. 2810; P.L ) Cyber SAFETY Act of 2018 (S.2392) Sen. Daines Other possibilities: Expanding background investigations of critical utility personnel Standalone energy bills or as part of an infrastructure package Active Cyber Defense Act Rep. Graves (R-GA) S Sen. Reed (D-RI) Data breach legislation 2 RELIABILITY ACCOUNTABILITY

40 3 RELIABILITY ACCOUNTABILITY

41 NERC Control Systems Security Working Group Carter Manucy, FMPA Michael Mertz, PNM Resources Critical Infrastructure Protection Committee Meeting March 6-7, 2018

42 Critical Infrastructure Protection Committee 2 RELIABILITY ACCOUNTABILITY

43 CSSWG Update Status Update Document review Need for more volunteers Future efforts & projects 3 RELIABILITY ACCOUNTABILITY

44 4 RELIABILITY ACCOUNTABILITY

45 Security Training Working Group David Godfrey Critical Infrastructure Protection Committee Meeting March 6-7, 2018

46 Security Training WG Charter CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as, educational outreach opportunities. Current Members Tobias Whitney, Ross Johnson, John Breckenridge, Carl Herron, Charlotte de Sibert, Jake Schmitter, Bill Lawrence, John Gasstrom, Michele Wright, Amelia Sawyer and David Godfrey. 2 RELIABILITY ACCOUNTABILITY

47 Security Training WG Latest Activities Continue to have monthly conference calls. March 2018 Training Review March 2018 Emergency/Incident Response Management - The STWG had 4 outstanding speakers discussing 3 uniquely different storm events; o Chris Vicino Los Angeles Dept Water & Power Corporate Security Response and Challenges to the Southern California Wildfires o Bert Sausse III CenterPoint Energy Corporate Response and Challenges to Hurricane Harvey o John R. Large & Carlos Morales Florida Power & Light - Corporate Security Response and Challenges to Hurricane Irma 3 RELIABILITY ACCOUNTABILITY

48 Security Training WG 2018 Training Schedule June 2018 Supply Chain Risk Management o Carl Herron E-ISAC/NERC o Tobias Whitney E-ISAC/NERC September 2018 Transient Cyber Asset(s) - (Panel Discussion) Next Steps The SWTG is looking for training topic recommendations for 2019 CIPC Meetings, please contact a STWG Member with your ideas We continue to seek and secure volunteer speakers CIPC Actions Questions and/or suggestions for today s discussion 4 RELIABILITY ACCOUNTABILITY

49 5 RELIABILITY ACCOUNTABILITY

50 NERC Compliance and Enforcement Input Working Group Paul Crist, LES Lisa Carrington, APS Damon Ounsworth, SaskPower Critical Infrastructure Protection Committee Meeting March 6-7, 2018

51 Update: Held two monthly CEIWG Calls Reviewed the 2018 Work Plans Discussed the CIP Implications of Cloud Computing Pilot Developed a proposal for the Cloud Implementation Guidance Project Phased Approach CIP Access Management Phase 1 C(E)IWG Charter Update/Review Implementation Guidance Update Membership Update 2 RELIABILITY ACCOUNTABILITY

52 2018 work plan Development of implementation guidance on cloud computing Other requests for Implementation Guidance development from CIPC Charter Review Annual Update o New Name Compliance Input Working Group? o New (Vice)Chair appointed by the Executive Committee (EC) o Participant List Update 3 RELIABILITY ACCOUNTABILITY

53 Cloud Implementation Guidance Project 4 RELIABILITY ACCOUNTABILITY

54 CIP Access Management Program 5 RELIABILITY ACCOUNTABILITY

55 CIP Access Management Program 6 RELIABILITY ACCOUNTABILITY

56 CIP Access Revocation 7 RELIABILITY ACCOUNTABILITY

57 Charter Update Items of note Propose the new name of Compliance Input Working Group (CIWG) Removed references for anything related to enforcement Added a bullet to review Lessons Learned that the CIPC EC deems further industry follow-up is needed Added a bullet to develop Implementation Guidance where needed under the direction of the CIPC EC Under Deliverables and Work Schedule o added the work plan is in the CIPC Strategic Plan Revised the following bullet o Provide CIPC consensus feedback to NERC Compliance Assurance and Compliance Enforcement on the effectiveness of the CMEP tools and processes when possible 8 RELIABILITY ACCOUNTABILITY

58 Compliance Guidance Development Update Current Status of Documents under Development NEI/NERC PRA Guidance o NERC- Endorsed Shared Facilities o NERC-Endorsed VoIP in Control Centers o Submitted to NERC for endorsement (Posted on NERC Site) 9 RELIABILITY ACCOUNTABILITY

59 Meetings NERC CIPC Compliance and Enforcement Input Working Group Update Meetings o Next Conference Call April 12, 2018 at 1:00 p.m. Central o Subgroup calls as needed o Second Thursday of the Month at 1:00 p.m. Central 10 RELIABILITY ACCOUNTABILITY

60 11 RELIABILITY ACCOUNTABILITY