Intro to the NERC/NIPC Indications, Analysis & Warnings Program

Transcription

1 Intro to the NERC/NIPC Indications, Analysis & Warnings Program (IAW Program - Electric Power Sector) Before Seeing this Presentation, Make Sure Everyone Has a Copy of Each of the Following: Job Aid (NIPC Electric Utility Reporting for Unknown/Malicious Acts Impacting Operations) NIPC Electric Utility Incident Report NIPC Contact Information Sheet Participant Responsibilities 1

2 At the End of This Session, You Will: Know what the IAW Program is Have information needed to ensure your company is set up to participate in this program Have information needed to recognize & report applicable cyber/physical threats and incidents Know how to get additional information about this program What Do You Want to See? Part 1 - What is the IAW - EPS Part 2 - How do you Recognize & Respond to Cyber & Physical Acts of Sabotage Part 3 - How to get started in your company - and where to get more information about the NIPC IAW EPS 2

3 What is the IAW Program? A program developed because Industry & Government recognized the increased risk of physical & cyber threats Working independently, neither the government nor industries have enough financial or human resources to deal with the growing threat of physical/cyber attack The Electric Power participants are the most critical because all other industries and government rely upon electricity! Electric Utilities Are CRITICAL to Government and Other Critical Industries Telecom Gov t Electricity Transportation Banking & Finance Water Emergency Services 3

4 How Does the Program Work A company agrees to participate and distributes job aids and forms so employees know how to recognize & report incidents When there is an incident, you fill out a report, and send it to NIPC and NERC At the same time, NIPC is collecting data from numerous other organizations Industry experts review the data and look for trends - and send out warnings if warranted #1 NIPC Incident Report Report Incident InfraGard- - FAX- voice- Other Industries #2 NERC -SCIS posting - Incident Report - -auto page NERC Post on InfraGard - Warning Products NIPC Watch When You Recognize an Incident Draft warning product Coordinate w/industry Clear final final product (with NERC & Govt) Analysis & Warning Section FUSION Government Agencies Law Enforcement Internal NIPC 4

5 Utilities are Being Targeted! Deliberate cut of fiber optic line supporting SCADA control and other essential utility communications Alleged sabotage-improper mix of pellets in fuels fabricated for commercial nuclear plants Around 230,000 unauthorized attempts during one month to connect to company computers via the Internet Over 86,000 attempts from China! This is Just an Extension of Existing NERC Policy 5G - Reporting Acts of Sabotage Existing Policy 5G Criteria: Disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, government agencies and regulatory bodies Existing Policy 5G Requirements: Recognizing Sabotage Reporting Guidelines Contact with FBI and/or Royal Canadian Mounted Police 5

6 What are Benefits of IAW Program? Information sharing - you get more than just warnings Security trends & techniques Timely, accurate & actionable warnings Training tools to improve security & response to security violations Updates on new/revised programs and activities to minimize the impact of sabotage What Do You Want to See Next? Return to Part 1 - What is the IAW EPS Go to Part 2 - How to Recognize & Respond to Cyber & Physical Acts of Sabotage Go to Part 3 - How to get started in your company - and where to get more information about the NIPC IAW EPS 6

7 How do You Recognize Acts of Sabotage? Sabotage can look just like everyday abnormal operations - anything abnormal! Loss of a line or major piece of equipment Trip of a major unit Loss of EMS functionality Relay mis-operations Loss of RTU communication circuitry Incident Reporting Job Aid The Job Aid lists 15 different types of incidents and associated reporting thresholds Additional copies of the Job Aid are available from the NERC IAW EPS Web Page Ideally, you would have someone in your company ready to recognize and respond to each of these incidents - physical, cyber and operational - however don t wait for this before moving forward - start reporting operational incidents right now! 7

8 Job Aid for Recognizing Reportable Incidents NIPC Electric Utility Reporting for Unknown/Malicious Acts Impacting Operations Incident Incident Criteria Threshold 1 Loss of 500 MW of Generation 30 Min or Longer 2 Loss of 230 kv or Larger: Substation Transmission Line HV Tie Line Loss of any operationally essential line 60 Min or Longer What Kinds of Things Do You Report? If it impacts the electric system for the time period specified and: You know it is an act of sabotage OR You suspect it is an act of sabotage OR It might be an act of sabotage - but you don t have enough information to be sure 8

9 What Kinds of Things Should be Reported from Others in Your Company? Intelligence Gathering (People asking explicit questions about operations, software, telecommunications, etc.) Unauthorized physical surveillance Planting code in software used for your operating systems or market operations Intrusions into computer systems used to operate the electric system or markets Threats to security, software, operations, physical facilities There are Several Reporting Methods Security Coordinators can make their initial report through SCIS Members of InfraGard can report using the form resident on the electric power sector s portion of their web site The easiest is to use the Word Form from the NERC IAW Web page Fill in the applicable data and fax the form to NIPC AND NERC (Details on all reporting methods are available through the NERC IAW Web Page) 9

10 No Matter Which Reporting Method You Use - Both NIPC and NERC Need to Know... When you first become aware of the incident (Stage 1 Report - usually done by the System Operator) When you have more information (Stage 2 Report - usually done by someone other than the System Operator) When you resolve the incident (Stage 3 Report - usually done by someone other than the System Operator) (Sometimes the situation is resolved with the 2nd report - then you don t need to file a Stage 3 Report) How Long Does it Take to Fill Out a Report? Different reports at different stages of the process The biggest report probably doesn t take 3 minutes to complete! NIPC doesn t care if it isn t pretty - all they care about is receiving the data in the shortest time frame possible -the sooner they get the data, the better the chances they can fuse it with other data to prevent or minimize a disaster 10

11 NIPC Has 24/7 Desk NIPC has a 24/7 desk - like firefighters or system operators - just sitting there waiting for the fax machine to shoot out a new report It is better to make a timely report of an incident that MIGHT be caused by sabotage than to wait until you have all the facts - the information you provide could help one of your neighbor utilities! Which Reporting Method do You Want to Review? Return to Part 1 - What is the IAW EPS How to File a Report via SCIS How to File a Report via InfraGard How to File a Report via Fax or See Part 3 - How do you get started in your company - and where to get more information about the NIPC IAW EPS 11

12 What is the NERC SCIS? Security Coordinator Information System This "messaging" site is used by Security Coordinators to share information in a near-real-time environment. This includes TLR events, transmission and generation outages, Control Area ACE and Frequency, weather advisories, and known or suspected acts of physical or cyber sabotage. Access is login/password controlled and limited to Security Coordinators To File a CIP Incident Report

13

14 What Do You Want to See Next? Go Back to Part 1 - What is the IAW - EPS Go Back to Review Reporting Via SCIS See How to Report Via InfraGard See How to Report Via or Fax Part 3 - How do you get started in your company - and where to get more information about the NIPC IAW EPS What is InfraGard? Local Groups of Companies Working with the FBI, Committed to Sharing Security Information Locally as Well as Nationally via a Secure Link Local InfraGard: - ACE Bank - Ryder Trucking - E-biz - ABC Elec Co - Local FBI 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21

22 22

23 23

24 24

25 What do You Want to See Next Go Back to Part 1 - What is the IAW - EPS Review Reporting Via SCIS Review Reporting Via InfraGard See How to Report Via or Fax Part 3 - How do you get started in your company - and where to get more information about the NIPC IAW EPS 25

26 File a NIPC Electric Utility Incident Report via Fax or Download or copy an incident report and have it partially completed before any incident occurs Faxing a report may be the quickest way to submit a report, because you don t have to sign onto a computer system to NIPC address on Incident Job Aid ( If your fax isn t working, or if you are stressed for time - or don t have an incident report form available - just call one of the NIPC voice mail numbers on the bottom of your Job Aid - there is always someone in the NIPC office! ACE Power Co John Smith Jsmith@acepower.com

27 ? Loss of Greene Sub supplying FEMA Seamus MD DC, MD Seamus Train Station 1 Gov t 27

28 NIPC Electric Utility Incident Report for Unknown/Malicious Acts Impacting Operations Section 3 Cyber Incident Data Obtains System/User Information Through Random Probes /Scans/Sniffers Identify Probe/Exploit by Name (if known if unknown, enter Unknown ) Date/time of occurrence Time Zone Network Address/Source Name (Only if external) # of Hits/period Target System Name/Platform: Target system Function Within Power Operations (Enter all that apply) EMS SCADA Substation Other Impact on Target System & Power Operations (Actual or Potential) Obtains Root, User or Mixed Access Causes Denial of Service Theft of Service/Theft of Information NIPC Electric Utility Incident Report for Unknown/Malicious Acts Impacting Operations Section 3 Cyber Incident Data, Continued Identify Probe/Exploit by Name (if known if unknown, enter Unknown Tool ) Date/time of occurrence Time Zone Network Address/Source Name (Only if external) # of hits/period Target System Name/Platform: Target system Function Within Power Operations (Enter all that apply) EMS SCADA Substation Other Impact on Target System & Power Operations (Actual or Potential) Removal/Modification /Corruption of System, User Data System Modification /Augmentation (malicious code insert, etc.) Identifies Critical System Supporting Power Operations 28

29 What Do You Want to See Now? Go Back to Part 1 - What is the IAW - EPS Review Reporting Via SCIS Review Reporting Via InfraGard Review Reporting Via or Fax Part 3 - How do you get started in your company - and where to get more information about the NIPC IAW EPS What you Need to Get Started in Your Company Contact Form for IAW - EPS (So NERC/NIPC know how to send you updates) Job Aid for Recognizing Reportable Incidents (So your employees know how to recognize Incidents ) NIPC Electric Utility Incident Report (So you have a form ready to fax to NIPC) Participant Responsibilities (To give to people in your organization) 29

30 Step 1 - Complete the NERC/NIPC Contact Information Form! Contact your Control Center Manager/Security Coordinator and see who will serve as your company s Main contact (usually Control Center Manager or Security Coordinator) Find out who else in your organization is willing to report cyber and physical threats Contact for IT Contact for Physical Security Send your contact information form to NERC Step 2 - Get Your Employees Ready to Recognize & Report Incidents! Let your employees see this PPT presentation Hand out copies of: Job Aid for Recognizing NIPC Reportable Incidents NIPC Incident Report Participant Responsibilities 30

31 Step 3 - Decide How to Communicate Incidents Within Your Company Who needs to recognize Incidents? Cyber, Physical, Operational Who will report Incidents? Cyber Contact, Physical Security Contact, System Operations Contact Who should receive notices from NIPC? Cyber Contact, Physical Security Contact, System Operations Contact When a message is received from NIPC, who should be notified? A Model for Internal Communications An An Incident Occurs: Notify: Cyber -Operators Event -Physical Sec Sec How would this work best for my company? Respond IAW Threshold? Yes Notify: -NIPC -NERC 31

32 A Model for Internal Communications An An Incident Occurs: How would this work best for my company? Physical Event Notify: -Operators -Cyber -Police/FBI Respond IAW Threshold? Yes Notify: -NIPC -NERC A Model for Internal Communications An An Incident Occurs: How would this work best for my company? Respond Operational Event Notify: -Security Coor Coor -Cyber -Physical IAW Threshold? Yes Notify: -NIPC -NERC 32

33 A Model for Internal Communications How would this work best for my company? Cyber Event Physical Event Operational Event Notify: -Operators -Physical Sec Sec Notify: -Operators -Cyber -Police/FBI Notify: -Security Coor Coor -Cyber -Physical Respond IAW Threshold? Yes Notify: -NIPC -NERC A Model for Internal Communications NIPC Issues a Warning: How would this work best for my company? Cyber Event Physical Event Notify: -Operators -Physical Sec Sec Notify: -Operators -Cyber -Police/FBI Respond Operational Event Notify: -Security Coor Coor -Cyber -Physical 33

34 More Info Available Through NERC Web Site Documents Providing Background on the IAW-EPS Details on all reporting methods Reports to distribute to other members of your company Forms to formally sign up to participate in the IAW-EPS Etc, Etc, Etc Review of Objectives Know what the IAW Program is Have information needed to ensure your company is set up to participate in this program Have information needed to recognize & report applicable cyber/physical threats and incidents Know how to get additional information about this program 34

35 Questions? 35