Event Analysis and Protection


CIP Program Highlights
Member Representatives Committee
October 28, 2008
Michael Assante, CSO
Establish a core CIP program, enhance SA (situational awareness) & work across NERC’s programs

(Slide diagram, reconstructed as a list: the Critical Infrastructure Protection (CSO) function sits under the NERC CEO and Board of Trustees, with ESSG engagement, and has a “mutually supporting, constructive overlap” with the other NERC programs shown below.)

• Standards, Compliance, Assessment: focused on CIP risks
• Regions: support their mission/role; support the development of expertise; training
• Events Analysis (ES-ISAC): identify, address and monitor security risk to the BPS; provide expertise; support efforts
• Training: focused on CIP events & enhancing preparedness
• Industry: CIPC & EC; ESCC engagement
• Situational Awareness: monitor reliability; monitor hazards; coordination with government; coordinate with other sectors (PCIS)
• Standards • Assessments • Leadership • Support
NERC Core Programs - CIP
Ensure the Reliability of the Bulk Power System
• Trusted within the industry
• Recognized for effective leadership

“Ensure threats to the reliability of the BPS, especially cyber, are clearly understood and are sufficiently mitigated”

(Slide diagram: Critical Infrastructure Protection at the center, surrounded by six functions; reconstructed as a list.)

CIP Standards Development
• 9 CIP standards approved
• Enhance & update existing standards
• Propose new standards to address security concerns

CIP Standards Compliance
• Enforce compliance (along with regional reliability organizations)
• Audits, monitoring & investigations

Security Risk Assessment
• Assess threats to the Bulk Power System
• Identify concerns to be addressed
• Cyber risk & preparedness evaluation

ES-ISAC
• Notifications & alerts
• Preparedness & response coordination

Security Leadership
• Chief Security Officer (CSO)
• ESCC, ESSG, PCIS, NIAC, CSO Council

Situational Awareness
• Monitor events impacting the grid
• Facilitate coordination & reliability tools
NERC CIP Enhancement Plan
• Mobilize executive participation & guidance (e.g. ESSG)
• Establish NERC CIP Program (hire CSO, strategy, resources)
• Formalize NERC-led assessment & initial CRP (Cyber Risk Preparedness) evaluation
• Enhance the ES-ISAC (improve alert reporting, process maturity, lists)

(Milestone timeline chart, reconstructed: tracks for Executive Engagement, NERC CIP Program, Portfolio, Resourcing and Assessments, plotted across 2HCY08, 1HCY09 and 2HCY09, labelled Phase I. Milestones shown: ESSG, CSO, CIP Portfolio, Resourcing, Order 706, CRP Evaluation, Improvement Projects, CEO Briefing, Cyber Summit, Risk Assessment, Enhance ES-ISAC.)
Cyber Risk Preparedness Evaluation
• Identify existing capabilities to prevent, detect, respond and limit the potential damage of existing/emerging attack techniques
• Objective: understand how prepared both individual entities (by type) and existing processes/mechanisms are to ensure reliability of the BPS while under a successful cyber attack
• Approach: devise several realistic but challenging cyber scenarios and conduct a series of table top exercises with volunteer entities
– CRP team will use a process to evaluate key criteria for determining preparedness
• Areas to evaluate (the scenarios will be consistently evaluated for all entities for the following capabilities):
– A. Prevent cyber attacks
– B. Detect cyber attacks
– C. Technically respond to cyber attacks
– D. Manage their systems and electricity assets to minimize potential damage
– E. Communicate and coordinate effectively with interconnected neighbors and area coordinators to contain effects on the bulk power system
ES-ISAC Enhancement

ES-ISAC Mission
• The ES-ISAC serves the Electricity Sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures.
– Preparedness & response calls (e.g. Hurricane Gustav)
• It is the job of the ES-ISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants to take protective actions.
– As the ES-ISAC, NERC gathers, disseminates and interprets security-related information.
– FERC has oversight of NERC’s alerting process for U.S. entities
– Canadian authorities provide guidance for alerting to Canadian entities
ERO & ES-ISAC (similar but distinct)
ERO & ES-ISAC Operations, Risk Monitoring and CIP Alert Notification (slide diagram, reconstructed as a list)
• NERC Board of Trustees
• Electric Sector Steering Group: provides ES-ISAC governance & guidance
• NERC Critical Infrastructure Protection Committee: provides advice & support to the ES-ISAC
• NERC CSO & Staff: operates the ES-ISAC & performs ERO CIP risk monitoring functions (the ERO and ES-ISAC roles are drawn side by side)
• Industry involvement: expertise & feedback; formal effort to involve industry SMEs in the generation of Alerts
• Bulk Power System Entities, North America: approx. 1,847 entities (as of Oct 2008)
• Remainder of U.S. Electric Sector Entities: 3,170 traditional electric utilities in the United States (DOE-provided information, not current)
CIP: ES-ISAC/NERC Alerts
• Advisories, Recommendations, and requests for Essential Actions (ERO & ES-ISAC missions)
• Issued to relevant industry sectors when a security risk (threat or vulnerability) arises
– Advises the industry to evaluate the risk and take action to correct issues affecting reliability/CIP
• Scope: cyber, physical, logical, all hazards
Reporting Concerns & Objectives
• Don’t want to numb the sector with too much reporting
• Do want to appropriately choose alerting vehicles based on the seriousness of the risk
– Advisory: notify the sector of a vulnerability that could be applied in a way that would directly or indirectly impact the BPS
– Recommendation: notify the sector and receive replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability and its potential to cause serious consequence in the BPS
– Essential Action: notify the sector so they may take immediate actions, and require replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability, potential consequences, and indications or the potential that an attacker will exploit the vulnerability
• In a perfect world we would like to see the reporting fall into the following buckets over a year (we will not shape reporting to arbitrarily fit these levels):
– Advisories: 80%
– Recommendations: <20%
– Essential Actions: <1% (only used for critical & time sensitive risks)
Technology Application of Concern (TAC)
Technology Area                  | Vulnerability Alerting
---------------------------------|-----------------------
SCADA / EMS                      | Yes
Field Control & Protection       | Yes
Plant Control Systems            | Yes
Market Systems                   | Consider
Networking & Telecommunications  | Consider
Business Systems                 | No
Mobile Technology                | No
SCADA Vulnerability & Exploit Disclosures
• Tracking from 2005 to present (4QTR08)

(Chart: “Control Systems Vulnerability & Exploit Disclosures”, yearly counts for 2005, 2006, 2007 and 2008, y-axis 0 to 12, two series: Disclosed Vuls and Available exploits.)

* This captures only publicly released vulnerability discoveries and exploit tools/code
ES-ISAC “Operational Excellence”
• Streamline & exercise NERC notification lists
– Project underway to address existing problems and establish a sustainable approach to manage the lists
– Will exercise the notification lists (improve, educate and verify)
– Administrative exercise (November): addition of an FAQ; instructions to recipients
– Operational exercise (2 tests per year): Recommendation-level or higher Alert; instructions & exercise replies required
• Longer-term: develop a secure mechanism to receive alert feedback and facilitate effective two-way communication
– Identify an appropriate mechanism for authenticated (record responses for recipients by entity) and secure feedback & alert responses
Communication Coverage Chart
Entity group                        | 2-way Secure Electronic Communications | 2-way Secure Paper | Private Push (direct email) | Public Pull (ES-ISAC web post)
------------------------------------|----------------------------------------|--------------------|-----------------------------|-------------------------------
BPS Entities                        | NO                                     | YES                | YES                         | YES
Non-BPS Entities                    | NO                                     | NO                 | NO                          | YES
Hawaii, Alaska, & U.S. Possessions  | NO                                     | NO                 | NO                          | YES