Critical Energy Infrastructure Protection
LLNL CEIP Approach
LLNL-PRES-654239
This work was performed under the auspices of the U.S. Department of Energy by under Contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
LLNL CEIP Background
- The LLNL CEIP team was created to support the Global Critical Energy Infrastructure Protection Program led by the U.S. Department of State and Department of Energy.
- Assist energy-producing countries in securing energy facilities and infrastructure
- Team members have several decades of experience assessing and enhancing security at facilities of U.S. National Security interest, in high threat environments
  - Electrical
  - Gas
  - Oil
  - Chemical
  - Nuclear
- Team disciplines include engineering, physical protection, cyber, safety and training personnel
LLNL CEIP Approach
LLNL uses a performance-based approach to assess security effectiveness. The LLNL approach is based on creation of a Design Basis Threat and assessing facility security against the defined threats using realistic scenarios. It is also based on a systematic graded approach. Identification of critical facilities and understanding cascading effects of attacks is key in defining consequences, as is deployment of protection strategies that integrate human and technology elements to mitigate risk. How critical infrastructure protection is viewed and managed must now evolve to meet evolving threats.
- Systems approach
- Technologies and methods to enhance deterrence, detection, assessment, delay, ballistic protection and response
- Protection strategies
- Insider protection program
- Security culture
Fundamental Principles (1/7): Protection Planning
- Security Plan
- Protection Strategies
- Operational Protocols
- Response Plan
- LLEA Coordination/Liaison
- Suspicious Activity Reporting
- Testing & Maintenance Plan
Fundamental Principles (2/7): Balanced Protection
The three primary PPS functions must work in synergy to be effective in preventing malicious acts
- Provide timely detection
- Provide adequate delay
- Provide effective response
Each function must occur prior to the adversary's task completion
Fundamental Principles (3/7): Graded Approach
Apply security resources in a proportional manner based on the impact of loss or destruction
- Tier 1
- Tier 2
- Tier 3
- Tier 4
Fundamental Principles (4/7): Defense-in-Depth
Adversary must defeat or avoid numerous varied types of overlapping protective devices to achieve objective
- Redundant equipment
- Complementary sensors
- Complementary barriers
- Guards and Local Law Enforcement
Fundamental Principles (5/7): System Integration
All physical protection system elements must work together in a timely fashion in order to interrupt adversary
- Guards and/or Local law enforcement
Fundamental Principles (6/7): Insider Protection
- Access, Authority, Knowledge
- Time, Tools, Test, Colluding
- Group by various operational factors
- Understand sensitive operations
- Separation of duties
- Two person validation
- Security culture
- Don't assume, "Not in my organization"
Fundamental Principles (7/7): Human Element
- Selection
- Training
- Knowledge
- Procedures
- Trustworthiness
- Situational awareness
Performance Based Analysis
1) Develop Adversary Capabilities List and Design Basis Threat
2) Characterize Facility
3) Identify Targets
4) Develop Attack Scenarios
5) Validate Attack Scenarios
6) Identify Mitigation Measures
7) Validate Measures
8) Model Attack with Mitigation Measures
9) Develop Upgrade Cost Benefit Analysis
Adversary Capabilities List
Separate description of each Adversary Group Type
1) General Characteristics
2) Adversary Size Definitions
3) Objectives
4) Tactical Competency
5) Operational Techniques
6) Knowledge Level
7) Equipment
8) Weaponry
The Adversary Capabilities List is a sensitive document and is not releasable to the public
Example Low Threat
- Vandal
- Overt
- No Sensor Knowledge
- No Target Knowledge
- 1 Person
- Small arms
- Objective: Malicious Damage, Material theft
Example Medium Threat
- Violent Radicals, Saboteurs, Extremists
- Overt / Covert
- Standoff attack strategy or site penetration to conduct sabotage
- Some sensor, target, communications, and control system knowledge
- Assault rifles
- Limited night vision capability
- Limited knowledge of LLEA response tactics
- 1-4 Attackers
- Willing to endanger personnel but not typically prepared to kill
- Use of flammable liquids or Molotov cocktails
- Multiple man portable HME charges (10 lbs TNT equivalent)
- Basic surveillance skills and passive insider information
- LLEA Diversion
- Single facility attacks
- Motivation: Facility shutdown or catastrophic damage
- Rudimentary small unit tactics, command and control capabilities
Example High Threat
- Terrorists
- 1 VBIED Up to 1K lbs HE
- Multiple man portable HE charges (50 lbs TNT equivalent)
- Detailed sensor and target knowledge
- Multiple moderately skilled assault teams, coordinated
- Communication jamming
- Cyber attacks on control systems
- LLEA Diversion
- 2-5 Attackers
- Prepared to kill
- Motivation: System and/or regional grid shutdown
Example Generic Design Basis Threat

Low: Vandal
- Overt
- No Sensor Knowledge
- No Target Knowledge
- 1 Person
- Small arms
- Objective: Malicious Damage, Material Theft

Medium: Violent Radicals, Saboteurs, Extremists
- Overt / Covert
- Standoff attack strategy or site penetration to conduct sabotage
- Some sensor, target, communications, and control system knowledge
- Assault rifles
- Limited night vision capability
- Limited knowledge of LLEA response tactics
- 1-4 Attackers
- Willing to endanger personnel but not typically prepared to kill
- Use of flammable liquids or Molotov cocktails
- Multiple man portable HME charges (10 lbs TNT equivalent)
- Basic surveillance skills and passive insider information
- LLEA Diversion
- Single facility attacks
- Motivation: Facility shutdown or catastrophic damage
- Rudimentary small unit tactics, command and control capabilities

High: Terrorists
- 1 VBIED Up to 1K lbs HE
- Multiple man portable HE charges (50 lbs TNT equivalent)
- Detailed sensor and target knowledge
- Multiple moderately skilled assault teams, coordinated
- Communication jamming
- Cyber attacks on control systems
- LLEA Diversion
- 2-5 Attackers
- Prepared to kill
- Motivation: System and/or regional grid shutdown

Exponentially increasing security costs
Facility / Target Characterization
- Facility tours
- Architectural diagrams
- Management/worker interviews
- Maintenance and operating procedures
- Safety analysis reports
- Previous assessments/audits
- Prioritize targets based on consequence, most difficult, costly, and time-intensive to replace and adversary's objective and tactical capabilities
- Consider insider knowledge
Scenario / Path Analysis (1/2)
- Define attack scenarios and task times
- Scenarios should address major security components
- Design scenarios that are uniquely different at each threat level, so it is clear which adversary techniques pose the greatest threat to the facility
- Consider adversaries using a combination of tactics including force, stealth, and deceit, as well as cyber.
- Pathways may include fences, personnel and vehicle portals, doors, walls, roofs, etc.
Scenario / Path Analysis (2/2)
- Validate that scenarios/pathways are plausible (with utility SMEs)
- Validate timelines for tasks (LLNL data bases or SMEs)
Identify Mitigation Measures
- Deterrence
- Detection & Assessment: Early detection, Known detection, Command and control system
- Delay: Barriers, Ballistic protection
- Response: Guards, Local law enforcement
- Operations: Procedures, Tactics
Validate Measures
- Model attacks again with measures in place
- Validate that results of scenarios/pathways are credible (with utility SMEs)
- Validate that values (detection or delay) for measures are credible (LLNL data bases or SMEs)
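The Balanced Protection principle (detection, delay and response each occurring before the adversary's task completion) and the re-modeling of a path with measures in place can be illustrated with a simplified timely-detection calculation. This is an added example, not LLNL software or data: the path elements, probabilities, delay times, response time and upgrade functions are constructed or hypothetical, and detection is assumed to occur before an element's delay begins.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PathElement:
    name: str
    p_detect: float  # probability of detection and assessment at this element
    delay_s: float   # delay this element imposes on the adversary, in seconds

def probability_of_interruption(path, response_time_s):
    """Return (P_I, index of the critical detection point or None).

    Assumes detection happens before an element's delay begins. Detection is
    timely only where the delay still ahead exceeds the response time; sensors
    past that point cannot contribute to interruption.
    """
    remaining, cdp = 0.0, None
    for i in range(len(path) - 1, -1, -1):   # walk back from the target
        remaining += path[i].delay_s
        if remaining > response_time_s:
            cdp = i
            break
    if cdp is None:                          # response can never arrive in time
        return 0.0, None
    p_miss = 1.0
    for element in path[:cdp + 1]:
        p_miss *= 1.0 - element.p_detect
    return 1.0 - p_miss, cdp

# Constructed sample values, not taken from any facility or database.
BASE_PATH = [
    PathElement("perimeter fence", 0.0, 10),
    PathElement("open yard", 0.1, 30),
    PathElement("building door", 0.8, 60),
    PathElement("task at target", 0.9, 90),
]
RESPONSE_TIME_S = 160

def with_fence_sensor(path):
    """Hypothetical upgrade: early detection at the perimeter."""
    return [replace(path[0], p_detect=0.9)] + path[1:]

def with_target_barrier(path):
    """Hypothetical upgrade: extra delay at the target."""
    return path[:-1] + [replace(path[-1], delay_s=120)]

if __name__ == "__main__":
    cases = {"base case": BASE_PATH,
             "fence sensor": with_fence_sensor(BASE_PATH),
             "target barrier": with_target_barrier(BASE_PATH)}
    for label, path in cases.items():
        p_i, cdp = probability_of_interruption(path, RESPONSE_TIME_S)
        print(f"{label}: P_I={p_i:.2f}, last timely detection at {path[cdp].name}")
```

In the base case the door sensor contributes nothing, because only 150 s of delay remain against a 160 s response. Either upgrade changes that, one by detecting earlier and the other by adding delay after the existing sensors.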
Refine Upgrades and Costs
- Upgrades: Technologies, People, Operational Procedures
- Costs
  - Define initial costs
  - Define lifecycle costs
  - Operational considerations
Develop Upgrade Packages
- Determine the base case risk value for each level of threat, using a realistic and plausible worst-case stand-off scenario and worst-case site penetration scenario.
- Determine the most efficient and cost-effective set of upgrades (e.g., technologies, people, operational procedures) that would be expected to lower the risk to an acceptable level. This may serve as the desired end state if resources permit.
- Determine sub-sets of these upgrade packages which can serve as practical milestones while the full set of upgrades is being completed.
Example Upgrade Cost Benefit Analysis
LLNL CEIP Tools
- PP Software
- Data Bases
  - Delay, Penetration Values
  - Sensor Detection Probability Values
- Software Modeling Tools
  - Pathway analysis algorithms
Physical-Cyber Security Nexus
- Physical and cyber protection are often organized as two completely separate areas. In reality, the two must work in synergy.
- Defense against cyber attack is achievable only if networks are secured through physical means and securely managed through physical and operational controls.
- Comprehensive security requires continual assessment of all potential adversarial pathways.
Overall Risk Management
- Physical and cyber security are both inputs to overall risk management
- Modeling overall risk utilizing comprehensive risk modeling software enables the organization to identify various sources of risk, "quantify" overall risk, and quantify losses, including:
  - financial losses
  - business operations losses
  - capital property losses
- Requires incorporation of the organization's valuation of services and operations
- Modeling allows measurement of incremental losses/consequences
- Approach of "buying down risk":
  - creates cost efficiencies unattainable absent this modeling approach in regards to best physical-cyber security control measures
  - extends naturally to include both the physical and cyber domains when evaluating human borne risk
  - supports integrated training and assessment sessions
Points of Contact
Contact Michael O'Brien, 925-423-8028, obrien10@llnl.gov, or Byron Gardner, 505-550-5348, gardner45@llnl.gov, for further information about LLNL CEIP Support
Conclusion
Questions?