Cybersecurity for the Electric Grid
Electric System Regulation, CIP and the Evolution of Transition to a Secure State
A presentation for the National Association of Regulatory Utility Commissioners, March 7, 2016

Table of Contents
Introduction: Cyber Security and Critical Infrastructure
Critical Infrastructure: Who to Regulate?
Bulk Electric System Cyber Regulation: Governance Structure
Bulk Electric System Cyber Regulation: Critical Infrastructure Protection Standards Overview
Power & Utility Legislation
Cyber vs. Non-cyber Legislation
Shari Gribbin, Senior Manager, Deloitte & Touche LLP
Email: sgribbin@deloitte.com
Office: 571.766.7708 / Mobile: 202.207.6465
Shari is a senior manager in the Regulatory & Compliance market offering based in Washington, D.C. She specializes in compliance, governance, oversight, regulatory analysis and operational risk; cyber security regulatory analysis and program development; as well as compliance audit and investigation. Shari has more than 15 years of experience as both a regulatory lawyer and compliance leader across energy generation, transmission and distribution as well as wholesale power marketing and retail commodity businesses. Prior to joining Deloitte, Shari worked at Exelon Corporation and held a dual role as the enterprise-wide FERC Compliance Manager and lead counsel for FERC/NERC enforcement issues. She has led more than 45 FERC, NERC and state-level enforcement actions as well as hundreds of internal investigations and audits. She was also responsible for the development and implementation of corporate and business unit level compliance programs.
Importance of Cyber Security: Why do we care?
Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 12, 2013)
- Incapacity or destruction of critical infrastructure assets or systems would have a debilitating impact on national economic security, public health, and safety.
- Directed NIST to work with industry leaders to develop Version 1.0 of the NIST Cybersecurity Framework.
- "It is the policy of the U.S. to enhance the security and resilience of the Nation's critical infrastructure ... through a partnership with the owners and operators of critical infrastructure." (Executive Order)
Historic Blackouts: Blackout of 2003, northeast US and central Canada; 50 million people affected; cost of more than $4 billion.
Hacking: Cyber attacks against Saudi and Qatari energy companies; the Shamoon wiper malware destroyed roughly 30,000 computers.
Source: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
Importance of Cyber Security: Critical Infrastructure
Based on the Industrial Control Systems Cyber Emergency Response Team's (ICS-CERT) recent report on incident response activity, the energy sector accounted for the highest percentage of reported incidents (53%).
[Chart: most targeted critical infrastructure sectors, with the energy sector highlighted. Source: ICS-CERT Incidents, October 2012 to May 2013]
Importance of Cyber Security: Critical Infrastructure
Complex interconnections between systems (SCADA, Industrial Control Systems (ICS), smart grid, intelligent substations, and new customer systems) are dramatically reshaping the cyber threat landscape for the Power and Utilities Sector.
Recent headlines:
- "82 Percent of Energy Sector IT Pros Say a Cyber Attack Could Cause Physical Damage" (eSecurity Planet, February 2016)
- "Attackers hacked Department of Energy 159 times in 4 years" (Computerworld.com, September 2015)
- "Energy Sector Beware: Cybersecurity Now Top Security Threat" (thelegalintelligencer.com, October 2015)
- "Utilities rank highest for risk of data breaches" (SmartGridNews, April 2015)
If not acted upon, threats to the security and stability of the Power and Utility grid are expected to grow.
Importance of Cyber Security: Motivated Threat Actors
The cyber threat landscape is continually evolving, and the impact of a successful attack on the electrical grid is heightened. Threat actors are building footprints of individual targets to tailor their attacks.
[Diagram: external threats aimed at targets]
External threats: cyber criminals; hacktivists; organized crime; social media / underground chatter; nation states.
Targets: power grid; critical infrastructure and resources; data center; network infrastructure; nuclear facility; employee data.
Now more than ever, we need to be cyber aware!
Critical Infrastructure Cyber Security: Who to regulate?
Cyber Security Frameworks: The Voluntary/Mandatory Solution
National Institute of Standards and Technology (NIST): Version 1.0 of the NIST Cybersecurity Framework, issued February 2014. Voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
Other Frameworks and Standards:
- ETSI Cyber Security Technical Committee: standards to increase privacy and security for organizations and citizens across Europe.
- ISO 27001: provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.
- ISO 27002: a collection of information security guidelines intended to help an organization implement, maintain, and improve its information security management.
- ISA/IEC 62443: a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).
Critical Infrastructure Cyber Security: Who to regulate?
Bulk Electric System: NERC CIP
- The mandatory regulatory scheme for the Bulk Electric System (BES), or "the Grid", is a full suite of operationalized cyber security requirements designed to assure the reliability of the electric grid.
- The BES definition is fundamental to compliance, and complicated: it determines which facilities, and therefore which cyber assets, fall within scope.
- NERC (North American Electric Reliability Corporation) is a nonprofit corporation whose mission is to ensure the reliability of the Bulk-Power System in North America; it is responsible for developing, promulgating and enforcing BES cyber regulations.
- As the Electric Reliability Organization (ERO), NERC is subject to oversight by the Federal Energy Regulatory Commission (FERC). It develops and enforces reliability standards for planning and operating the collective bulk-power system.
- The cyber security suite of regulations focuses on the cyber assets that are critical to operation and capable of impacting Bulk Electric System reliability.
Critical Infrastructure Cyber Security: Who to regulate?
Energy Industry Readiness
- State regulatory focus is on distribution-level regulation of smart grid and similar customer-facing technologies.
- Replacement of aging infrastructure and dated systems will result in a technology transformation that requires a new approach to cyber security.
- P&U is the tip of the spear for other Industrial Control System (ICS) driven businesses (natural gas, oil and gas, water utilities, and manufacturing/processing).
- Coordination of agencies, regulators, industry and the private sector is essential.
- Security + IT + Compliance = Cyber Security
The CIP Transition: Lessons Learned
- The transition to CIP shows that building formal compliance structures around NIST and other frameworks can mitigate risks and failures.
- Consider the IT organization and its role in cyber security and compliance programs.
- Assess how to integrate and formalize cyber frameworks for the implementation of programs applicable to regulated and non-regulated assets to improve cyber security posture.
BES Cyber Regulation: NERC Critical Infrastructure Protection (CIP) Standards
- NERC CIP (the cyber rules) focuses on protecting BES Cyber Systems and the support systems used in the Bulk Electric System (BES).
- Urgent Action Standard 1200 (2003) was responsive to the increased concern about physical and cyber security following 9/11.
- CIP evolved from UA 1200 into a formal suite of enforceable regulation in parallel with NERC's journey to becoming the certified ERO.
- The currently effective version, NERC CIP Version 3, became effective for most entities in January 2010.
- Version 5 will take effect in July 2016: the first major overhaul, and the biggest impact, since the initial implementation of Version 3. Industry is in the process of transitioning to Version 5 and now Version 6.
- The suite consists of standards covering the security of electronic perimeters, physical security of BES Cyber Systems, personnel and training, security management, disaster recovery, and more.
Source: http://www.nerc.com/aboutnerc/pages/default.aspx
BES Cyber Regulation: NERC CIP Updates to Version 5 from Version 3
[Diagram: the V3/V4 to V5 facilities comparison]
Significant NERC CIP V5/V6 Updates
- NERC CIP covered systems and assets have become more explicit in their classification, for example classifying Operational Technology (OT) Cyber Assets and systems at generation plants, utility substations, and transmission facilities.
- Changes in language and terminology: the terms "Critical Assets" and "Critical Cyber Assets" are no longer used; "BES Cyber Systems" and "BES Cyber Assets" are new definitions.
- Under V5, BES Cyber Systems are classified by their impact on the Bulk Electric System as High, Medium, or Low.
Source for diagram: https://rfirst.org/compliance/documents/rf%20cipv5%20workshop%20cip%20v5v6 Implementation Plan.pdf?Mobile=1
BES Cyber Regulation - Terminology: Commonly Used NERC CIP Terms
See NERC's Glossary of Terms Used in NERC Reliability Standards for a complete listing.
CIP Senior Manager: A single senior management official with overall authority and responsibility for leading and managing implementation of, and continuing adherence to, the requirements within the NERC CIP Standards, CIP-002 through CIP-011.
BES Cyber Asset: A Cyber Asset that, if rendered unavailable, degraded, or misused, would, within 15 minutes of its required operation, misoperation, or nonoperation, adversely impact one or more Facilities, systems, or equipment which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. (The definition shown is the NERC glossary definition of BES Cyber Asset; a Cyber Asset in general is any programmable electronic device, including its hardware, software, and data.)
BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Physical Security Perimeter (PSP): The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled.
BES Cyber Regulation: NERC CIPv5 Standards Overview
CIP-002-5.1, BES Cyber System Categorization: Identifies all BES Cyber Systems as having a High, Medium, or Low impact on the reliability of the Bulk Electric System.
CIP-003-5, Security Management Controls: Establishes consistent and sustainable security management controls to protect the Bulk Electric System.
CIP-004-5.1, Personnel & Training: Requires documented processes or programs for security awareness, cyber security training, personnel risk assessment, and access management.
CIP-005-5, Electronic Security Perimeter: Ensures that High Impact BES Cyber Systems, and Medium Impact BES Cyber Systems with External Routable Connectivity (ERC), are maintained within an Electronic Security Perimeter (ESP).
CIP-006-5, Physical Security of BES Cyber Systems: Requires implementation of one or more documented physical security plans and one or more documented visitor control programs.
CIP-007-5, Systems Security Management: Addresses system security by specifying technical, operational, and procedural requirements in support of BES Cyber Systems.
CIP-008-5, Incident Reporting & Response Planning: Requires documentation of one or more Cyber Security Incident response plans for BES Cyber Systems.
CIP-009-5, Recovery Plans for BES Cyber Systems: Specifies the controls needed to protect data and to implement a plan to recover the reliability functions of BES Cyber Systems.
CIP-010-1, Configuration Change Management & Vulnerability Assessments: Ensures that configurations are monitored, changes are approved, and adverse impact to BES Cyber Systems is avoided.
CIP-011-1, Information Protection: Requires the implementation of one or more documented information protection programs for BES Cyber Systems.
Power & Utility Legislation Challenges (Illustrative)
[Chart: Energy Legislation Status. Y-axis: Number of Energy Bills/Laws (0 to 14). X-axis: Status of Energy Bills/Laws (Failed to pass over veto; Introduced; Passed House; Resolving Differences)]
Coordination is critical to success.

Cyber vs. Non-cyber Legislation Challenges (Illustrative)
[Chart: Cyber Legislation Status. Y-axis: Number of Bills/Laws (0 to 7). X-axis: Status of Bills/Laws (Introduced; Passed House)]
Coordination is critical to success.
Questions/Comments
Copyright 2016 Deloitte & Touche LLP. All rights reserved. 36 USC 220506. Member of Deloitte Touche Tohmatsu Limited.