Welcome Mike Kraft, MRO SAC Member

Transcription

1 11/16/2016

2 Welcome Mike Kraft, MRO SAC Member Basin Electric Power Cooperative Please submit questions to the meeting moderator. Questions will be answered at the end of the webinar.

3 NOTICE The is an industry stakeholder committee that includes subject matter experts from MRO member organizations in various technical areas. Any materials, guidance, and views from stakeholder committees are meant to be helpful to industry participants, but should not be considered approved or endorsed by MRO staff or its board of directors unless specified. Reminder: For the duration of this webinar, the MRO Standards of Conduct Policy and MRO Anti-Trust policy are in effect. If you have any questions please refer to the policy document on the MRO website or contact MRO staff.

4 Today s Presenters Eric Ruskamp Manager of Regulatory Compliance at Lincoln Electric System Darin Hanson Critical Infrastructure Program and Security Manager at North Dakota Department of Emergency Services Lisa Beury-Russo Section Chief, National Cyber Exercise and Planning Program for the U.S. Department of Homeland Security Sherry Farrow Senior Operations Trainer for Southwest Power Pool

5 GridEx Lessons Learned Southwest Power Pool Sherry Farrow Senior Operations Trainer Midwest Reliability Organization Security Advisory Council

6 Focus Area Breakdown Management ICS Ops IT Oversight for success included top-down support Tabletop Exercise, limited functional interactions Tabletop Exercise, limited functional interactions Tabletop Exercise, limited functional interactions Chief Security Officer Business Owner Project Manager Focused on Emergency Management and Business Continuity Plans Players were upper management comprising the ICS and ICT Focused on Ops procedures Procedure specialist was scribe Players were Ops Crew on training shift Focused on IT and Cyber procedures Players were IT personnel from Markets, Reliability, Cyber Security, and IT Supporting Departments

7 Lessons Learned Learned From GridEx III Lessons from GridEx III that improved GridEx IV Upper management support and involvement GridEx leadership team Amber Wallace, Senior EMBC Coordinator Responsible for Incident Command Structure Injects and Exercise Control Room coordination Sherry Farrow, Senior Operations Trainer Responsible for Operations injects and coordination JJ Weaver, Supervisor Architecture and Integration Team Responsible for IT injects and coordination Dedicated GridEx link on SPP website Learned From GridEx IV Lessons learned for future GridEx V Business continuity Establish 30 minute status updates between rooms Operations IT Were receiving info but not as fast as they wanted Allow additional member call-in and inject interactions Since the call center was new, we limited number of incoming calls First team was split between rooms First team management was in IT room First team shift personnel was in Ops room Virtually-connected rooms on day of exercise Call center for active participating members

8 SPP Employees in GridEx IV Role breakdown Players Evals/Scribes Observers Facilitators

9 GridEx Lessons Learned Lincoln Electric System s Perspective Eric Ruskamp Manager of Regulatory Compliance Midwest Reliability Organization Security Advisory Council

10 Lincoln Electric System (LES) Overview Serve approximately 200 square miles, including the city of Lincoln 136,000 customers 479 employees Peak demand 786 MW NERC Registration: Generation Owner Generation Operator Transmission Owner Transmission Operator Transmission Planner Distribution Provider Resource Planner

11 Lincoln Electric System (LES) Participation Active Player (2017), Observer (2015, 2013) Exercise Involvement: 32 LES players participated 3 Executives 1 LES board member observed 4 State of Nebraska observed Senator and the Lt. Governor 3 Law enforcement participated FBI, NE State Patrol, Lancaster County Sheriff 2 Nebraska Energy Office observed Player Roles: Transmission, Generation, Cyber-Security, Physical Security, Telecommunications, Substation, Corporate Communications, Energy Marketing, SCADA Support, IT Support & Executives

12 Lincoln Electric System (LES) Suggestions Emphasize that players will not have all of the answers Collect observations and lessons learned Force communication, look for breakdowns Customize injects

13 Lincoln Electric System (LES) Lessons Learned Start planning early Joint injects with neighbor-tops and RC Involve non-player SMEs in inject development Involve Transmission Operators (not just management) Work with E-ISAC on use of SimDeck

14 Lincoln Electric System (LES) Lessons Learned Corporate communication Go Kit Review 24-hour coverage plans Investigate unexpected losses when corporate network is down, PA system Streamline purchasing process in an emergency Sufficient number of Government Emergency Telecommunications Service (GETS) cards and Wireless Priority Service (WPS) cards Process to quickly suspend controls from SCADA while maintaining RTU scanning

15 GridEx Lessons Learned North Dakota Department of Emergency Management and the North Dakota State & Local Intelligence Center (Fusion Center) Darin Hanson Critical Infrastructure Program & Security Manager Midwest Reliability Organization Security Advisory Council

16 Partnership Both Emergency Management and Fusion Centers want to be partners Planning for Emergencies Emergency Management at the local or state levels can provide assistance with creating and reviewing emergency plans We don t know what we don t know Exercising plans Partnering with Emergency Management and Fusion Centers on exercises can help to work out the bugs Particularly in communication A plan that has not been tested is just a theory

17 Fusion Center Reporting Every Fusion Center is different Get to know what your center s capabilities are Every center should have a list of information requirements Often called Priority Intelligence Requirements or Standing Information Needs This will help to determine the thresholds for reporting In general Fusion Centers have strict limits on what information they can collect as it relates to U.S. citizens Any adversarial incident, whether confirmed or suspected, should be reported

18 Information Sharing Private Sector Pre-identify points of contact (POCs) What are their information requirements? Don t assume someone else is providing the information Government would rather hear it twice than not at all Plan for periodic updates Government Pre-identify points of contact (POCs) Are they authorized to share? If there isn t a relationship built in advance, sharing is unlikely What s in it for them? What do they need? What can we provide? Government is interested in impacted people more than load

19 Incident Command System Emergency Management recommends private sector stakeholders become trained in the Incident Command System (ICS) Ensures a common terminology can be used between agencies Formalizes hierarchy within organizations during an incident Ensures that workload gets distributed more evenly Clarifies who can make decisions Allows for non-essential staff to be folded into other response roles

20 GridEx Lessons Learned Department of Homeland Security, National Cybersecurity and Communications Integration Center Lisa Beury-Russo Section Chief, National Cyber Exercise and Planning Program Midwest Reliability Organization Security Advisory Council

21 DHS Participation in GridEx Participated in both physical and cyber elements of GridEx play, primarily through: National Infrastructure Coordination Center (NICC) National Cybersecurity and Communications Integration Center (NCCIC) NCCIC play included: Service desk NCCIC Duty Officers (NDOs) Hunt and Incident Response Team (HIRT) Operations Planning and Coordination (OPC) Cyber Threat Detection and Analysis (CTDA) National Coordinating Center for Communications (NCC) Liaison officers Seniors participated in the ESCC call and Executive TTX

22 Key NCCIC Exercise Activities Received reports from E-ISAC and DOE Submitted requests for information (RFIs) to E-ISAC and other partners Produced Situational Awareness Reports and Current Situation Report Assigned a Mission Manager Increased Operations Tempo and established an Incident Response Battle Rhythm Implemented Enhanced Coordination Procedures (ECP) with cyber center partners (notional) Initiated a Cyber Unified Coordination Group (UCG) call in coordination with FBI and DOE (notional) Contacted international partners for any additional insights and indicators of this activity (notional) Queried EINSTEIN-related traffic for the phishing IOCs (notional)

23 Exercise Findings Overall Entities did not report incidents directly to the NCCIC There were some misunderstandings of DHS organization, roles and responsibilities Players needed a better understanding of the level of participation of other players More robust simulation of non-playing entities Better coordination from Exercise Control Internal Reliance upon for incident coordination and communications is inefficient Exercise highlighted improvements in NCCIC and NICC coordination, and areas for continued growth Coordination and collaboration with state, local, tribal, and territorial (SLTT) partners can be improved

24

25 Additional Questions Asked via WebEx Chat Question 1: Sherry mentioned the First Team. Does this team always exist or was it specific to the exercise? Question: Eric, have you considered players staying at their normal work location versus all coming to a central place? Answer: We have not considered that at this time, the pod room layout was intended to mimic the groups being isolated at their normal working locations. We believe there are several advantages to having all of the players in one location, namely the observation/evaluation component, performed by the exercise controllers, and the ability to answer questions and lead the exercise for the entire group in an efficient manner. We did require all players to bring a laptop to the exercise and did inform them that they could do their normal work, like they would in a real event, if nothing needed their attention within the exercise. Players were interrupted throughout the day through ed injects or face to face interactions, which were used in lieu of phones. Question: Darin, how do I know who my Fusion Center is? How do I establish contact? Answer: The National Fusion Center Association has a good listing of Fusion Centers by state, with and phone contact information at If you are unable to make contact with that information, please feel free to contact me at dthanson@nd.gov as I am a member of a national subcommittee on private sector outreach for fusion centers and I ll get you a good POC. Question 4: Lisa, you noted that was an inefficient method of communications during incident. What have you identified as a replacement? (from Kirby Kugler)