11/16/2016 Welcome Mike Kraft, MRO SAC Member Basin Electric Power - - PowerPoint PPT Presentation



SLIDE 1

11/16/2016

SLIDE 2

MRO Security Advisory Council

Welcome Mike Kraft, MRO SAC Member Basin Electric Power Cooperative

Please submit questions to the meeting moderator. Questions will be answered at the end of the webinar.

SLIDE 3

NOTICE

The MRO Security Advisory Council is an industry stakeholder committee that includes subject matter experts from MRO member organizations in various technical areas. Any materials, guidance, and views from stakeholder committees are meant to be helpful to industry participants, but should not be considered approved or endorsed by MRO staff or its board of directors unless specified.

Reminder: For the duration of this webinar, the MRO Standards of Conduct Policy and MRO Anti-Trust policy are in effect. If you have any questions please refer to the policy document on the MRO website or contact MRO staff.

SLIDE 4

Today’s Presenters

• Eric Ruskamp, Manager of Regulatory Compliance at Lincoln Electric System
• Darin Hanson, Critical Infrastructure Program and Security Manager at North Dakota Department of Emergency Services
• Lisa Beury-Russo, Section Chief, National Cyber Exercise and Planning Program for the U.S. Department of Homeland Security
• Sherry Farrow, Senior Operations Trainer for Southwest Power Pool

SLIDE 5

Security Advisory Council

Midwest Reliability Organization

GridEx Lessons Learned

Southwest Power Pool

Sherry Farrow Senior Operations Trainer

SLIDE 6

Focus Area Breakdown

Management

  • Oversight for success included top-down support
  • Chief Security Officer
  • Business Owner
  • Project Manager

ICS

  • Tabletop Exercise, limited functional interactions
  • Focused on Emergency Management and Business Continuity Plans
  • Players were upper management comprising the ICS and ICT

Ops

  • Tabletop Exercise, limited functional interactions
  • Focused on Ops procedures
  • Procedure specialist was scribe
  • Players were Ops Crew on training shift

IT

  • Tabletop Exercise, limited functional interactions
  • Focused on IT and Cyber procedures
  • Players were IT personnel from Markets, Reliability, Cyber Security, and IT Supporting Departments

SLIDE 7

Lessons Learned

Learned From GridEx III

• Lessons from GridEx III that improved GridEx IV
  ▪ Upper management support and involvement
  ▪ GridEx leadership team
    • Amber Wallace, Senior EMBC Coordinator
      ▪ Responsible for Incident Command Structure Injects and Exercise Control Room coordination
    • Sherry Farrow, Senior Operations Trainer
      ▪ Responsible for Operations injects and coordination
    • JJ Weaver, Supervisor Architecture and Integration Team
      ▪ Responsible for IT injects and coordination
  ▪ Dedicated GridEx link on SPP website
  ▪ Virtually-connected rooms on day of exercise
  ▪ Call center for active participating members

Learned From GridEx IV

• Lessons learned for future GridEx V
  ▪ Business continuity
    • Establish 30 minute status updates between rooms
      ▪ Were receiving info but not as fast as they wanted
  ▪ Operations
    • Allow additional member call-in and inject interactions
      ▪ Since the call center was new, we limited number of incoming calls
  ▪ IT
    • First team was split between rooms
      ▪ First team management was in IT room
      ▪ First team shift personnel was in Ops room

SLIDE 8

SPP Employees in GridEx IV

[Chart: Role breakdown. Categories: Players, Evals/Scribes, Observers, Facilitators. Data labels: 85, 20, 38, 7.]

SLIDE 9

Security Advisory Council

Midwest Reliability Organization

GridEx Lessons Learned

Lincoln Electric System’s Perspective

Eric Ruskamp Manager of Regulatory Compliance

SLIDE 10

Lincoln Electric System (LES) | Overview

• Serve approximately 200 square miles, including the city of Lincoln
• 136,000 customers
• 479 employees
• Peak demand 786 MW
• NERC Registration:
  ▪ Generation Owner
  ▪ Generation Operator
  ▪ Transmission Owner
  ▪ Transmission Operator
  ▪ Transmission Planner
  ▪ Distribution Provider
  ▪ Resource Planner

SLIDE 11

Lincoln Electric System (LES) | Participation

• Active Player (2017), Observer (2015, 2013)
• Exercise Involvement:
  ▪ 32 LES players participated
    • 3 Executives
  ▪ 1 LES board member observed
  ▪ 4 State of Nebraska observed
    • Senator and the Lt. Governor
  ▪ 3 Law enforcement participated
    • FBI, NE State Patrol, Lancaster County Sheriff
  ▪ 2 Nebraska Energy Office observed
• Player Roles: Transmission, Generation, Cyber-Security, Physical Security, Telecommunications, Substation, Corporate Communications, Energy Marketing, SCADA Support, IT Support & Executives

SLIDE 12

Lincoln Electric System (LES) | Suggestions

• Emphasize that players will not have all of the answers
• Collect observations and lessons learned
• Force communication, look for breakdowns
• Customize injects

SLIDE 13

Lincoln Electric System (LES) | Lessons Learned

• Start planning early
  ▪ Joint injects with neighbor-TOPs and RC
• Involve non-player SMEs in inject development
• Involve Transmission Operators (not just management)
• Work with E-ISAC on use of SimDeck

SLIDE 14

Lincoln Electric System (LES) | Lessons Learned

• Corporate communication Go Kit
• Review 24-hour coverage plans
• Investigate unexpected losses when corporate network is down, PA system
• Streamline purchasing process in an emergency
• Sufficient number of Government Emergency Telecommunications Service (GETS) cards and Wireless Priority Service (WPS) cards
• Process to quickly suspend controls from SCADA while maintaining RTU scanning

SLIDE 15

Security Advisory Council

Midwest Reliability Organization

GridEx Lessons Learned

North Dakota Department of Emergency Management and the North Dakota State & Local Intelligence Center (Fusion Center)

Darin Hanson Critical Infrastructure Program & Security Manager

SLIDE 16

Partnership

• Both Emergency Management and Fusion Centers want to be partners
  ▪ Planning for Emergencies
    • Emergency Management at the local or state levels can provide assistance with creating and reviewing emergency plans
    • We don’t know what we don’t know
  ▪ Exercising plans
    • Partnering with Emergency Management and Fusion Centers on exercises can help to work out the bugs
      ▪ Particularly in communication
    • “A plan that has not been tested is just a theory”

SLIDE 17

Fusion Center Reporting

• Every Fusion Center is different
  ▪ Get to know what your center’s capabilities are
  ▪ Every center should have a list of information requirements
    • Often called Priority Intelligence Requirements or Standing Information Needs
    • This will help to determine the thresholds for reporting
• In general
  ▪ Fusion Centers have strict limits on what information they can collect as it relates to U.S. citizens
  ▪ Any adversarial incident, whether confirmed or suspected, should be reported

SLIDE 18

Information Sharing

Private Sector

• Pre-identify points of contact (POCs)
  ▪ What are their information requirements?
  ▪ Don’t assume someone else is providing the information
    • Government would rather hear it twice than not at all
    • Plan for periodic updates
    • Government is interested in impacted people more than load

Government

• Pre-identify points of contact (POCs)
  ▪ Are they authorized to share?
    • If there isn’t a relationship built in advance, sharing is unlikely
  ▪ What’s in it for them?
    • What do they need?
    • What can we provide?

SLIDE 19

Incident Command System

• Emergency Management recommends private sector stakeholders become trained in the Incident Command System (ICS)
  ▪ Ensures a common terminology can be used between agencies
  ▪ Formalizes hierarchy within organizations during an incident
    • Ensures that workload gets distributed more evenly
    • Clarifies who can make decisions
    • Allows for “non-essential” staff to be folded into other response roles

SLIDE 20

Security Advisory Council

Midwest Reliability Organization

GridEx Lessons Learned

Department of Homeland Security, National Cybersecurity and Communications Integration Center

Lisa Beury-Russo Section Chief, National Cyber Exercise and Planning Program

SLIDE 21

DHS Participation in GridEx

• Participated in both physical and cyber elements of GridEx play, primarily through:
  ▪ National Infrastructure Coordination Center (NICC)
  ▪ National Cybersecurity and Communications Integration Center (NCCIC)
• NCCIC play included:
  ▪ Service desk
  ▪ NCCIC Duty Officers (NDOs)
  ▪ Hunt and Incident Response Team (HIRT)
  ▪ Operations Planning and Coordination (OPC)
  ▪ Cyber Threat Detection and Analysis (CTDA)
  ▪ National Coordinating Center for Communications (NCC)
  ▪ Liaison officers
• Seniors participated in the ESCC call and Executive TTX

SLIDE 22

Key NCCIC Exercise Activities

• Received reports from E-ISAC and DOE
• Submitted requests for information (RFIs) to E-ISAC and other partners
• Produced Situational Awareness Reports and Current Situation Report
• Assigned a Mission Manager
• Increased Operations Tempo and established an Incident Response Battle Rhythm
• Implemented Enhanced Coordination Procedures (ECP) with cyber center partners (notional)
• Initiated a Cyber Unified Coordination Group (UCG) call in coordination with FBI and DOE (notional)
• Contacted international partners for any additional insights and indicators of this activity (notional)
• Queried EINSTEIN-related traffic for the phishing IOCs (notional)

SLIDE 23

Exercise Findings

Overall

• Entities did not report incidents directly to the NCCIC
• There were some misunderstandings of DHS organization, roles and responsibilities
• Players needed a better understanding of the level of participation of other players
  ▪ More robust simulation of non-playing entities
  ▪ Better coordination from Exercise Control

Internal

• Reliance upon email for incident coordination and communications is inefficient
• Exercise highlighted improvements in NCCIC and NICC coordination, and areas for continued growth
• Coordination and collaboration with state, local, tribal, and territorial (SLTT) partners can be improved

SLIDE 24

SLIDE 25

Additional Questions Asked via WebEx Chat

Question 1: Sherry mentioned the “First Team.” Does this team always exist or was it specific to the exercise?

Question: Eric, have you considered players staying at their normal work location versus all coming to a central place?

Answer: We have not considered that at this time, the ‘pod’ room layout was intended to mimic the groups being isolated at their normal working locations. We believe there are several advantages to having all of the players in one location, namely the observation/evaluation component, performed by the exercise controllers, and the ability to answer questions and lead the exercise for the entire group in an efficient manner. We did require all players to bring a laptop to the exercise and did inform them that they could do their normal work, like they would in a real event, if nothing needed their attention within the exercise. Players were ‘interrupted’ throughout the day through emailed injects or face to face interactions, which were used in lieu of phones.

Question: Darin, how do I know who my Fusion Center is? How do I establish contact?

Answer: The National Fusion Center Association has a good listing of Fusion Centers by state, with email and phone contact information at www.nfcausa.org. If you are unable to make contact with that information, please feel free to contact me at dthanson@nd.gov as I am a member of a national subcommittee on private sector outreach for fusion centers and I’ll get you a good POC.

Question 4: Lisa, you noted that email was an inefficient method of communications during incident. What have you identified as a replacement? (from Kirby Kugler)