@RFirst_Corp Follow us on LinkedIn and Twitter Forward Together - - PowerPoint PPT Presentation



SLIDE 1

Forward Together • ReliabilityFirst

Follow us on LinkedIn and Twitter @RFirst_Corp

SLIDE 2

Enforcement Trends & Addressing Silos

Patrick O’Connor, Counsel; Kristen Senk, Senior Counsel

SLIDE 3

Agenda Topics

  • Update on enforcement trend data
  • Overview of CIP themes
  • Panel discussion on addressing organizational silos

SLIDE 4

Most Violated Standards (12 Month Rolling Count)

Standard   Number of Violations
CIP-007    132
CIP-010    90
CIP-004    63
CIP-006    31
PRC-024    23
CIP-005    17
MOD-025    17
PRC-005    16
PRC-019    13
CIP-011    12

SLIDE 5

Disposition Method

[Chart: number of dispositions per year for 2016, 2017, and 2018, broken out by disposition method (Dismissal/CE, FFT, Settlement)]

SLIDE 6

Detective Controls

Average Days from Start Date to Report Date (by date reported)

Year   Average Days
2014   746
2015   671
2016   293
2017   329
2018   310

SLIDE 7

2018 CIP Themes Report

  • Purpose
    • Identify themes in violations with the CIP Standards
    • Suggest potential resolutions
  • Collaboration
    • RF, WECC, and SERC worked with Registered Entities to identify the themes and resolutions.
  • Second Edition
    • First edition in 2015

SLIDE 8

CIP Themes

* The graph represents the violations that concern the more significant CIP compliance deficiencies. The four themes charted are Disassociation, Organizational Silos, Inadequate Tools, and Lack of Awareness (chart shares: 45%, 29%, 11%, 15%).

SLIDE 9

Theme - Organizational Silos

  • Lack of coordination between departments, business units, and different levels of management

Vertical Silos (Between Business Units or Departments)

Horizontal Silos (Between Layers from the Top Down)

[Diagram label: Generation]

SLIDE 10

Organizational Silos

Panel Discussion

Bill Edwards, Assistant General Counsel, Exelon Corporation

Thomas Breene, Manager FERC/NERC Compliance, WEC Energy Group Business Services

Kristina Pacovsky, Managing Senior Corporate Counsel, Midcontinent Independent System Operator

SLIDE 11

Questions & Answers

SLIDE 12

GridEx IV Exercise Overview

April 26, 2018, Columbus, OH

SLIDE 13

Slide 1 of 237

SLIDE 14

GridEx IV Exercise - 2017

  • NERC conducted its fourth biennial grid security and emergency response exercise, GridEx IV, on November 15–16, 2017
  • GridEx IV consisted of a two-day distributed play exercise and a separate executive tabletop on the second day
  • The exercise provided an opportunity for stakeholders in the electricity sector to respond to simulated cyber and physical attacks affecting the reliable operation of the grid

SLIDE 15

Cyber Attack Scenario

  • Cyber-attacks targeted corporate networks and industrial control systems (ICS) such as process control systems, energy management systems, distribution management systems, and supervisory control and data acquisition (SCADA) systems used to operate generating units, transmission substations, and control centers. The attacks disrupt the ability of power system operators to monitor and control the reliability of the bulk power system (BPS)

SLIDE 16

Physical Attack Scenario

  • Simultaneous physical attacks against certain generation, transmission, and control center facilities cause large-scale power outages, while avoiding immediate and deliberate degradation to the level that would move the exercise into black start restoration plan scenarios. Voice and data communications systems used by BPS operations and security personnel are also affected by physical attack, hindering their ability to respond to the situation

SLIDE 17

Communications Challenges

  • GridEx IV also provided participating organizations with the opportunity to exercise how they receive and share information with external stakeholders, including customers, local government officials, and the general public

SLIDE 18

GridEx IV Exercise - Objectives

  • Exercise incident response plans
  • Expand local and regional response
  • Engage critical interdependencies
  • Improve communication
  • Gather lessons learned
  • Engage senior leadership

SLIDE 19

GridEx IV Exercise - Participation

SLIDE 20

GridEx Exercise – Lessons Learned

  • Some exercise scenarios or “moves” require more integration into the master scenario
  • More active Lead Planners
  • Greater Cross-Sector Participation
  • E-ISAC Portal Improvements
  • EEI and the E-ISAC should work together to further operationalize the Cyber Mutual Assistance (CMA) Program

SLIDE 21

GridEx IV Exercise – RF Participation

  • Engaged the EASA, IT, and Corporate Communications Teams, and the CSO
  • EASA “played” in our normal roles following the master scenario events as played out by electric utilities in our footprint
  • IT “played” by responding to a custom scenario which was created and played out simulating an RF data breach event

SLIDE 22

GridEx IV Exercise – RF Participation (cont.)

  • Corporate Communications “played” following the exercise master scenario events as played out by electric utilities and also responding to the RF data breach event, coordinating with IT, the CSO, and Executives
  • The CSO “played” by responding to and interacting with EASA, IT, Corporate Communications, and Executives for both the master scenario events and the custom RF data breach scenario
  • Support was provided by the Enforcement Team acting as RF users affected by the RF Data Breach event

SLIDE 23

GridEx IV Exercise – RF Lessons Learned

  • Procedure and Process updates
  • Tools updates and training
  • Communication protocol updates (internal & external)
  • Emergency response action updates
  • Increase RF IT involvement in future exercises to test our response capabilities more completely

SLIDE 24

GridEx IV Exercise – Follow on Activities

  • Review and comment on the GridEx IV After Action Report
  • Review and implement Lessons Learned
  • Planning for GridEx V in 2019
  • FERC Cyber Planning for Response and Recovery (CyPReS) Study

SLIDE 25

Why participate in GridEx Exercises?

  • It’s fun! Just ask your Lead Planner…
  • It’s customizable!
  • Industry participants take part from their regular work locations
  • Provides an opportunity for utilities to demonstrate how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents
  • Strengthen your crisis communications relationships

SLIDE 26

Slide 237 of 237

SLIDE 27

Questions & Answers

SLIDE 28

Project 2016-02 CIP Modifications

Standard Drafting Team Outreach Slides

SLIDE 29

RELIABILITY | ACCOUNTABILITY

Agenda

  • Project 2016-02 Scope
  • CIP-002
    • Modifications
    • Planned and Unplanned Changes
  • CIP-012
    • Modifications
  • Control Center Definition
  • V5TAG Transition Document
    • Definitions
    • Virtualization

SLIDE 30

SAR – FERC Directives

  • Per paragraph 53, “…the Commission concludes that modifications to CIP-006-6 to provide controls to protect, at a minimum, communication links and data communicated between bulk electric system Control Centers are necessary in light of the critical role Control Center communications play in maintaining bulk electric system reliability. Therefore, we adopt the NOPR proposal and direct that NERC, pursuant to section 215(d)(5) of the FPA, develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”

SLIDE 31

SAR – V5TAG Items

  • Cyber Asset and BES Cyber Asset (BCA) Definitions
    • Clarify the intent of “programmable” in Cyber Asset.
    • Clarify and focus the definition of “BES Cyber Asset”
  • Network and Externally Accessible Devices
    • Improving clarity within the concepts and requirements
  • Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
    • Clarify:
      • the applicability of requirements on a TO Control Center that performs the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES.
      • the definition of Control Center.
      • the language scope of “perform the functional obligations of” throughout the Attachment 1 criteria.

SLIDE 32

SAR - Virtualization

  • The SDT identified the following areas that it intends to address as part of its work on virtualization:
    • Determine the level to which mixing Cyber Asset classes is permitted (CIP-applicable with non-CIP applicable, EACMS/PACS with BCS, Low/Medium/High BCS, EACMS/PACS with non-CIP applicable, etc.). Clarify in requirements/definitions/guidance the permitted architectures and controls necessary to permit them.
    • Address the treatment of components typically associated with virtualization: hypervisor, management control, and physical hardware
    • Address treatment of each class of virtualization (server, network including SDN, and storage), including identifying any differences in treatment between classes.
    • Address VLANs, particularly the scenario in which there is a switch that has at least one VLAN inside the ESP and one VLAN outside the ESP.
    • Address monitoring-only EACMS and whether the risk profile of these systems is such that they should be treated differently than other EACMS

SLIDE 33

CIP-002-6a Modifications

  • The first ballot received 66.78% approval.
  • Based on comments and voting:
    • The SDT did not modify criterion 2.12 for the second ballot.
    • The SDT modified the Background section of the Standard to remove information related to CIP version 4.
    • The SDT extended the implementation timeline to be effective on the first day of the first calendar quarter that is three (3) calendar months after the effective date.
    • The SDT updated the Guideline and Technical Basis document.
    • The SDT updated the Implementation Guidance document.
    • The SDT added the Planned and Unplanned Change language to the Standard.

SLIDE 34

CIP-002-6a Modifications

2.12. Control Centers or backup Control Centers, not included in High Impact Rating above, that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below. The "aggregate weighted value" for a Control Center or backup Control Center is determined by summing the "weight value per line" shown in the table below for each BES Transmission Line monitored and controlled by the Control Center or backup Control Center.

Voltage Value of a Line              Weight Value per Line
less than 100 kV (not applicable)    (not applicable)
100 kV to 199 kV                     250
200 kV to 299 kV                     700
300 kV to 499 kV                     1300
500 kV and above                     (weight not shown in the extracted slide text)
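As an added illustration (not part of the deck or of the standard's own text), the following Python helper applies the Criterion 2.12 calculation from the slide to a constructed set of lines, with a per-band breakdown that can serve as the evidence behind a categorization. Because the weight for the "500 kV and above" band is cut off in the slide text, the helper takes that weight as an explicit parameter instead of assuming a value; the line names and voltages are constructed sample data.

```python
"""Criterion 2.12 "aggregate weighted value" check (added example, not from the deck).

Weights are the ones printed on the slide above. The slide text cuts off before the
"500 kV and above" weight, so that band's weight is supplied by the caller rather than
assumed here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

THRESHOLD = 6000  # a Control Center qualifies only when the aggregate value EXCEEDS this

# (lowest kV, highest kV, weight value per line, label) as shown on the slide.
SLIDE_WEIGHT_BANDS = (
    (100, 199, 250, "100 kV to 199 kV"),
    (200, 299, 700, "200 kV to 299 kV"),
    (300, 499, 1300, "300 kV to 499 kV"),
)


@dataclass(frozen=True)
class TransmissionLine:
    name: str
    kv: int  # nominal operating voltage in kV


def band_for_line(kv: int, weight_500kv_and_above: Optional[int] = None) -> Tuple[str, int]:
    """Return (band label, weight) for a line; lines below 100 kV are not applicable and weigh 0."""
    if kv < 100:
        return "less than 100 kV (not applicable)", 0
    for low, high, weight, label in SLIDE_WEIGHT_BANDS:
        if low <= kv <= high:
            return label, weight
    # 500 kV and above: the slide does not show this band's weight, so refuse to guess.
    if weight_500kv_and_above is None:
        raise ValueError("weight for 500 kV and above is not on the slide; take it from CIP-002")
    return "500 kV and above", weight_500kv_and_above


def weight_value_per_line(kv: int, weight_500kv_and_above: Optional[int] = None) -> int:
    return band_for_line(kv, weight_500kv_and_above)[1]


def contribution_by_band(lines: Iterable[TransmissionLine],
                         weight_500kv_and_above: Optional[int] = None) -> Dict[str, int]:
    """Subtotal per voltage band: the worked evidence behind the categorization decision."""
    totals: Dict[str, int] = {}
    for line in lines:
        label, weight = band_for_line(line.kv, weight_500kv_and_above)
        totals[label] = totals.get(label, 0) + weight
    return totals


def aggregate_weighted_value(lines: Iterable[TransmissionLine],
                             weight_500kv_and_above: Optional[int] = None) -> int:
    """Sum of per-line weights over every BES Transmission Line the Control Center monitors and controls."""
    return sum(contribution_by_band(lines, weight_500kv_and_above).values())


def meets_criterion_2_12(lines: Iterable[TransmissionLine],
                         weight_500kv_and_above: Optional[int] = None) -> bool:
    """True when the aggregate weighted value exceeds 6000 (strictly greater, per the criterion text)."""
    return aggregate_weighted_value(lines, weight_500kv_and_above) > THRESHOLD


# Constructed sample data: lines a hypothetical backup Control Center monitors and controls.
SAMPLE_LINES: List[TransmissionLine] = [
    TransmissionLine("Line A", 345),  # 1300
    TransmissionLine("Line B", 345),  # 1300
    TransmissionLine("Line C", 345),  # 1300
    TransmissionLine("Line D", 230),  # 700
    TransmissionLine("Line E", 138),  # 250
    TransmissionLine("Line F", 138),  # 250
    TransmissionLine("Line G", 69),   # below 100 kV: not applicable, contributes 0
]  # aggregate weighted value 5100, which does not exceed 6000

if __name__ == "__main__":
    for label, subtotal in contribution_by_band(SAMPLE_LINES).items():
        print(f"{label:35} {subtotal:5}")
    print("aggregate weighted value:", aggregate_weighted_value(SAMPLE_LINES))
    print("meets Criterion 2.12:", meets_criterion_2_12(SAMPLE_LINES))
```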

SLIDE 35

Planned/Unplanned Changes

  • The SDT held a webinar on February 14, 2018 to discuss changes to the standard related to Planned and Unplanned Changes language that was previously found in the Implementation Plan
  • The SDT used a polling feature to gather feedback from industry on the changes
  • The feedback from industry was extremely positive
    • 97% of respondents agreed with moving the language to the standard
    • 86% of respondents agreed with the potential language
    • 94% of respondents agreed with not including the language in CIP-012
  • The Planned and Unplanned Change language is being moved from the implementation plan to the standard.
  • The Implementation Plan will continue to cover timelines based on changes to a standard; a new section in the standard will be added to identify timelines based on changes to a BES asset or Cyber Asset

SLIDE 36

Planned/Unplanned Changes

  • Planned Changes refer to changes to the Bulk Electric System or Cyber Asset(s) that were planned and implemented by the Responsible Entity or with the Responsible Entity’s awareness. Planned Changes typically involve a change to a Bulk Electric System asset (e.g., substation, generating resource, Control Center) or a change to a Cyber Asset that was foreseen by the Responsible Entity. Examples of Planned Changes include: (1) placing a new transmission substation into service or adding a new line to an existing substation; (2) placing a new BES generation resource into service or adding a generation resource to an existing plant; (3) placing a new primary or backup Control Center or associated data center into service or implementing a new supervisory control and data acquisition (SCADA) system or energy management system (EMS) or an upgrade to an existing SCADA system or EMS; (4) implementing a project for substation automation where Cyber Assets are installed, upgraded, or replaced such as electromechanical relays being replaced with digital relays; or (5) implementing a control system upgrade at a generating resource.

SLIDE 37

Planned/Unplanned Changes

  • Unplanned Changes refer to (i) any changes to the Bulk Electric System or a Cyber Asset that occur without the entity’s awareness or (ii) changes to the categorization of a Cyber Asset caused by a notification from another entity or the output of a planning study. Examples of Unplanned Changes include: (1) when a Responsible Entity is notified (internally or externally) that a generation Facility has been designated as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year (CIP-002, Attachment 1, Criterion 2.3); (2) when a Responsible Entity is notified (internally or externally) that a generation or Transmission Facility has been identified as critical to the derivation of an IROL and their associated contingencies (CIP-002, Attachment 1, Criterion 2.6); (3) when a generating resource that is connected at less than 100 kV is designated as a new Blackstart Resource along with its Cranking Path (CIP-002, Attachment 1, Criterion 3.4); or (4) when a system study shows that changes in customer load have resulted in crossing the 300 MW threshold of a load shedding system as described in Criterion 2.10 of CIP-002, Attachment 1.

SLIDE 38

Planned/Unplanned Changes

Planned and Unplanned Changes: If a Responsible Entity has a Planned Change or Unplanned Change, the Responsible Entity shall comply with the requirements in this Reliability Standard in accordance with the following: For Planned Changes resulting in a new BES Cyber System or a change in categorization for an existing BES Cyber System, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard upon the commissioned date of the Planned Change. For this provision, the commissioned date is the date a new or modified Bulk Electric System asset or Cyber Asset is capable of impacting the BES. For requirements that contain periodic obligations, initial performance of those obligations following a Planned Change shall occur within the first period following the commissioned date of the Planned Change.

SLIDE 39

Planned/Unplanned Changes

For Unplanned Changes, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard according to the timelines in the table below. As used in the table, the phrase “BES asset type” refers to the following BES asset types listed in Requirement R1 of CIP-002: (i) Control Centers or backup Control Centers; (ii) Transmission stations or substations; (iii) generation resources; (iv) systems and facilities critical to system restoration including Blackstart Resources and Cranking Paths and initial switching requirements; (v) Special Protection Systems that support the reliable operation of the Bulk Electric System; and (vi) the Distribution Provider Protection Systems specified in Applicability section 4.2.1.

SLIDE 40

Planned/Unplanned Changes (Part 1 of 2)

Scenario of Unplanned Change: Implementation Period

  • New high impact BES Cyber System associated with a BES asset type where the Responsible Entity has previously identified a medium or high impact BES Cyber System associated with that same BES asset type: 12 calendar months from the date of notification or detection of the Unplanned Change.
  • New high impact BES Cyber System associated with a BES asset type where the Responsible Entity has not previously identified a medium or high impact BES Cyber System associated with that same BES asset type: 24 calendar months from the date of notification or detection of the Unplanned Change.
  • New medium impact BES Cyber System associated with a BES asset type where the Responsible Entity has previously identified a medium or high impact BES Cyber System associated with that same BES asset type: 12 calendar months from the date of notification or detection of the Unplanned Change.

SLIDE 41

Planned/Unplanned Changes (Part 2 of 2)

  • New medium impact BES Cyber System associated with a BES asset type where the Responsible Entity has not previously identified a medium or high impact BES Cyber System associated with that same BES asset type: 24 calendar months from the date of notification or detection of the Unplanned Change.
  • New low impact BES Cyber System associated with a BES asset type where the Responsible Entity has previously identified a low, medium, or high impact BES Cyber Systems associated with that same BES asset type: 12 calendar months from the date of notification or detection of the Unplanned Change.
  • New low impact BES Cyber System associated with a BES asset type where the Responsible Entity has not previously identified a low, medium, or high impact BES Cyber Systems associated with that same BES asset type: 24 calendar months from the date of notification or detection of the Unplanned Change.

SLIDE 42

Planned/Unplanned Changes

For requirements that contain periodic obligations, initial performance of those obligations following an Unplanned Change shall occur within the first period following the date that the Implementation Period ends, as defined in the table above. For Unplanned Changes resulting in a higher categorization for an existing BES Cyber System, the Responsible Entity shall continue to comply with the applicable requirements of the prior categorization during the Implementation Period defined above.
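The Unplanned Change table on slides 40 and 41 and the two rules on slide 42 reduce to a small set of decisions that are easy to get wrong by hand (a prior low impact system counts only for the low rows; "calendar months" need end-of-month clamping; the prior categorization keeps applying until the period ends). The following Python helper, added here as an example and not part of the deck or the standard, encodes them; the notification date, impact ratings and obligation period in the sample case are constructed values.

```python
"""Unplanned Change implementation periods under CIP-002-6a (added example, not from the deck).

Encodes the table on slides 40-41 and the two rules on slide 42 so that, for a given
case, the allowed period, its end date, the categorization that applies during it, and
the first due date of a periodic obligation can be computed.
"""
import calendar
from datetime import date
from typing import Iterable, Optional

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


def implementation_period_months(new_impact: str, prior_impacts: Iterable[str]) -> int:
    """Calendar months allowed, counted from the date of notification or detection.

    new_impact:    impact rating of the newly identified BES Cyber System.
    prior_impacts: ratings of BES Cyber Systems the entity had previously identified for
                   the same BES asset type (empty if none).
    """
    new_impact = new_impact.lower()
    if new_impact not in IMPACT_RANK:
        raise ValueError(f"unknown impact rating: {new_impact!r}")
    prior = {p.lower() for p in prior_impacts}
    # The high and medium rows of the table look for a prior MEDIUM or HIGH system;
    # the low rows also count a prior LOW system.
    if new_impact in ("high", "medium"):
        qualifying = {"medium", "high"}
    else:
        qualifying = {"low", "medium", "high"}
    return 12 if prior & qualifying else 24


def add_calendar_months(start: date, months: int) -> date:
    """Add whole calendar months, clamping to the last day of the target month (Jan 31 + 1 -> Feb 28/29)."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def implementation_period_end(notified_on: date, new_impact: str, prior_impacts: Iterable[str]) -> date:
    """Date on which the Implementation Period for the Unplanned Change ends."""
    return add_calendar_months(notified_on, implementation_period_months(new_impact, prior_impacts))


def applicable_categorization(existing_impact: Optional[str], new_impact: str,
                              on: date, period_end: date) -> str:
    """Categorization whose requirements apply on a given date (slide 42, second rule).

    An existing BES Cyber System moving to a higher categorization keeps complying with
    its prior categorization through the end of the Implementation Period; a brand-new
    system (existing_impact is None) has no prior categorization to fall back on.
    """
    new_impact = new_impact.lower()
    if existing_impact is None or on > period_end:
        return new_impact
    existing_impact = existing_impact.lower()
    if IMPACT_RANK[new_impact] > IMPACT_RANK[existing_impact]:
        return existing_impact
    return new_impact


def first_periodic_obligation_due(period_end: date, obligation_period_months: int) -> date:
    """Slide 42, first rule: initial performance falls within the first period after the Implementation Period ends."""
    return add_calendar_months(period_end, obligation_period_months)


if __name__ == "__main__":
    # Constructed case: on 2018-03-16 an entity is notified that a generation Facility now
    # meets Criterion 2.3, creating a new medium impact BES Cyber System at a generation
    # resource; the entity had previously identified only LOW impact systems for that asset type.
    notified = date(2018, 3, 16)
    months = implementation_period_months("medium", ["low"])  # low does not count for the medium row
    end = implementation_period_end(notified, "medium", ["low"])
    print(f"period: {months} months, ends {end}")
    # Obligation period of 15 calendar months is a constructed value for illustration.
    print("first periodic performance due by", first_periodic_obligation_due(end, 15))
```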

SLIDE 43

CIP-012-1 Modifications

  • The second ballot received 63.91% approval.
  • Based on comments and voting:
    • The SDT combined Requirements R1 and R2.
    • Removed “and control” from Requirement R1.
    • Removed “demarcation” from Requirement part 1.2.
    • Removed “roles” from Requirement part 1.3.
    • The SDT updated the Technical Rationale and Justification document.
    • The SDT updated the Implementation Guidance document.
    • The SDT did not add the Planned and Unplanned Change language to the Standard.

SLIDE 44

CIP-012-1 Modifications

  • R1. The Responsible Entity shall implement one or more documented plan(s) to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data, while being transmitted between any Control Centers. This requirement excludes oral communications. The plan shall include: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
    • 1.1 Identification of security protection used to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;
    • 1.2 Identification of where the Responsible Entity applies security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers; and
    • 1.3 When different Responsible Entities own or operate the Control Centers, identify the responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between those Control Centers.

SLIDE 45

Control Center Definition

  • The team reviewed several scenarios that could be identified as meeting the current definition of Control Center, but that the team thought were not consistent with the spirit of the definition

SLIDE 46

Control Center Definition

  • SDT Discussion:
    • “Operating personnel” is undefined and could be interpreted to mean anyone who could operate the BES, including field switching personnel
    • “Two or more locations” may be too broad without further context and does not reflect the realities of how today’s renewable generation is built
    • “Monitor and control” could have multiple interpretations and needs to tie to the functions performed by the registered entities. Control should include the concept of jurisdictional authority and the ability to issue directives, such as in the case of an RC control system that may not have the capability to open and close breakers directly
    • Use of the defined term “Real-time” or undefined term “real-time”: the team expressed concerns with the definition of Real-time, but ultimately weighed in favor of consistency with the use of the term based on its inclusion in the PER-005-2 standard
  • In response to the concerns discussed, the SDT developed modifications to the Control Center definition to make specific inclusions and exclusions. This model was based on the BES definition, which also has specific inclusions and exclusions as part of the definition.

SLIDE 47

Control Center Definition

One or more facilities, including their associated data centers, that monitor and control the Bulk Electric System (BES) and also host operating personnel who:
  1) perform the Real-time reliability-related tasks of a Reliability Coordinator; or
  2) perform the Real-time reliability-related tasks of a Balancing Authority; or
  3) perform the Real-time reliability-related tasks of a Transmission Operator for Transmission Facilities at two or more locations; or
  4) can act independently as the Generator Operator to develop specific dispatch instructions for generation Facilities at two or more locations; or
  5) can operate or direct the operation of a Transmission Owner’s Bulk Electric System Transmission Facilities in Real-time.

Operating personnel do not include:
  1) plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications; or
  2) Transmission Owner or Transmission Operator field switching personnel.

SLIDE 48

Virtualization

  • Assessed body of CIP requirements
    • Virtualization focus assessment
    • Reviewed requirements against the issue areas identified in the V5TAG transfer document
  • SDT discussion of next steps
    • Implementation guidance
    • Modify requirements to address virtualization
    • Develop new requirements as appropriate
    • No modifications needed

SLIDE 49

Next Steps

  • Post CIP-002, CIP-012 and Control Center 45-day Comment and Ballot Period March 16 – April 30, 2018
  • Continue Virtualization and other V5TAG Transition document discussion

SLIDE 50

Conference Call Schedule

Conference Dial-in

  • See NERC calendar for WebEx info

Reserved Call Times

  • Fridays - 11 a.m. – 1 p.m. (ET)
    • Full team update
    • Discussion topics will vary based on the issue area work progress.
    • Check the NERC Standards calendar of events for the most updated information.

Issue Area Working Calls (scheduled if needed on the NERC Standards Calendar)

  • Tuesdays - Noon – 2 p.m. (ET)
    • Issue area working session
  • Thursdays - Noon – 2 p.m. (ET)
    • Issue area working session
  • Issue area working calls will be scheduled as needed to allow the sub-teams to process input and develop proposals.

SLIDE 51

SDT Meeting Schedule

2018 Planned Dates:

  • March 27-29, 2018 (NERC - Atlanta, GA)
  • May 8-10, 2018 (Texas Reliability Entity, TX)
  • June 19-21, 2018 (NERC – Atlanta, GA)
  • July 10-12, 2018 (WECC, Salt Lake City, UT)
  • September 4-6, 2018 (BPA – Portland, OR)

SLIDE 52

Resources

  • Information relative to the CIP Modifications project and SDT may be found on the Project 2016-02 Project Page under Related Files: Project 2016-02 Modifications to CIP Standards
  • Jordan Mallory, NERC Standards Developer, Jordan.Mallory@nerc.net, 404.446.2589 (Office)

SLIDE 53

SLIDE 54

Sergio Caltagirone @cnoanalysis

SLIDE 55

We can’t know all the threats or the capabilities of the adversary.
We can’t know all the vulnerabilities of our software, hardware, or the people who use it.
We can’t determine which assets have value to the adversary.

(@peteherzog)
SLIDE 56

*Every day in Information Security

“The adversary needs to be right once, the defender needs to be right every time”

SLIDE 57

The Defender’s Advantage

The threat environment demands a new approach – a new dedication – to be present and active in our defense.

SLIDE 58

Threat Intelligence

Why

Threat intelligence reduces harm by improving decision making before, during, and after cybersecurity incidents, reducing operational mean time to recovery and reducing adversary dwell time

What

Threat intelligence is previously unknown knowledge of malicious cyber activity enabling better decision making in network protection and response

SLIDE 59

  • What: What adversaries use, including their capabilities and infrastructure
  • Who: Who adversaries are, comprising the actors, sponsors, and employers
  • Where: Where adversaries target, detailing industries, verticals and geographic regions
  • When: When adversaries act, identifying timelines and patterns of life
  • Why: Why adversaries attack, including their motives and intent
  • How: How adversaries operate, focused on their behaviors and patterns

SLIDE 60

Threat Intelligence “3 Question Rule”

All threat intelligence should answer three questions, enabling the audience to quickly identify the relevance and impact to their organization, followed by immediate action if necessary.

  • Threat: What is the threat? Addressing who, what, where, when, why, and how.
  • Impact: What is the impact to an organization if the threat were realized?
  • Action: Which actions mitigate the threat in both the near and mid-term?

SLIDE 61

Threat Intelligence: A Composite of Two Elements

Threat intelligence is comprised of two elements: context and action. Without either, intelligence is neither actionable nor understandable.

  • Context: Context describes the threat and proves or disproves the relevance and impact to the audience. “Context is king,” helping organizations properly prioritize their action and response when overwhelmed with alerts & alarms.
  • Action: Action provides technical and policy recommendations customized for the threat, its behavior, and impact.

SLIDE 62

Integrating Threat Intelligence Across the Security Process

  • Detect: Identify active threats using threat behavior analytics
  • Respond: Mitigate detected threats through incident response
  • Prevent: Proactively prevent through policy, education, and technology

SLIDE 63

Threat Intelligence Type, Audience, and Description

  • Tactical
    • Audience: Security Operations, Network Defenders, Incident Response
    • Description: Technical indicators and behaviors to inform network-level action and remediation
  • Operational
    • Audience: Threat Hunters, Incident Response, Security Leadership
    • Description: Intelligence on adversary behavior informing: holistic remediation, threat hunting, behavioral detection, purchasing decisions, and data collection
  • Strategic
    • Audience: Security Leadership, Organizational Leadership
    • Description: Places threat into a business context and describes strategic impact informing risk management and organizational direction
SLIDE 64

ICS Threat Intelligence Categories

ICS threat intelligence falls into three categories; intelligence not conforming to these categories generally does not support industrial control security demands.

  • Interested Adversaries: Intelligence on activities of adversaries known to have an interest in control systems and operational networks. Example: DRAGONFLY compromises victim networks to gather information on their industrial control system and related operations but has not yet been identified as disrupting or directly interfacing with industrial control systems
  • Direct ICS Impact: Intelligence on threats directly affecting the operation of industrial control systems. Example: CRASHOVERRIDE is a malware framework designed and deployed to disrupt electric power transmission
  • Indirect ICS Impact: Intelligence on threats not associated with industrial control systems but with a high likelihood of disrupting their operation. Example: WANNACRY ransomware does not target industrial control systems, but its capability has shown to be debilitating to organizations when it can access operational networks
SLIDE 65

2017 ICS Vulnerability Advisories

Dragos’ 2017 in Review reports revealed that for ICS vulnerabilities:

  • 64% of all vulns didn’t eliminate the risk
  • 72% provided no alternate mitigation to the patch
  • Only 15% could be leveraged to gain initial access
slide-66
SLIDE 66

Vulnerability Description Elements

Vulnerability analysis is necessary for complete threat intelligence. Threat intelligence producers must include four elements of information about a vulnerability to ensure good decision-making.

Description
  • A short and easily-understood description of the vulnerability, accessible to most security professionals

Impact
  • The potential impact of the vulnerability when leveraged by an adversary

Mitigation
  • The actions available to defenders to prevent or reduce the risk of the vulnerability impacting operations

Threat Awareness
  • Understanding the vulnerability in the threat environment, including active exploitation and the scope and scale of such use

slide-67
SLIDE 67

Distinguishing Threat Intelligence Products

Three elements clearly distinguish threat intelligence products. An evaluation of any threat intelligence product and producer should examine these elements, which will help a customer select the best ones for their business.

Data Sources and Visibility
  • A producer must have the data sources and visibility into the threats affecting the customer’s environment. Without the proper data there can be no relevant intelligence.

Contextual Awareness
  • A producer must have an understanding of the customer’s business in order to make intelligence immediately relevant. Otherwise, the customer must translate all intelligence into their domain themselves.

Action Relevance
  • A producer must understand the customer’s operations so that they may recommend proper actions without causing undue harm or simply stating generic best practices.

slide-68
SLIDE 68

CART: Identifying Good Threat Intelligence

Completeness
  • Threat intelligence must provide sufficient detail to enable a proper response

Accuracy
  • Inaccurate threat intelligence is worse than no threat intelligence, and any quality threat intelligence must be accurate

Relevance
  • Threat intelligence must address only threats relevant to the organization and be delivered in a method that allows for effective action

Timeliness
  • Threat intelligence must be produced and delivered quickly so that it can be used fast enough to make a difference

slide-69
SLIDE 69

Threat Intelligence: Measuring Return on Investment (ROI)

Mean Adversary Dwell Time

The time measured between when an adversary first gained unauthorized access to a network/system and when incident response successfully severed adversary access and control

Mean Time to Recovery

The time from when an adversary first causes an operational disruption to when operations return to normal
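The two ROI metrics defined on this slide are straightforward to compute once incident records carry the four timestamps the definitions need. The following is an added example, not part of the presentation: the record layout, the field names and the sample incidents are constructed assumptions. It handles the two edge cases a practitioner hits in real data: an incident whose access has not yet been severed has no dwell time yet, and an incident that never caused an operational disruption contributes nothing to mean time to recovery.

```python
"""Added example: Mean Adversary Dwell Time and Mean Time to Recovery
computed from incident records. Record layout and sample data are
constructed assumptions, not data from the presentation."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    name: str
    first_access: datetime                 # adversary first gained unauthorized access
    access_severed: Optional[datetime]     # IR severed adversary access/control; None while open
    disruption_start: Optional[datetime] = None   # first operational disruption, if any
    operations_restored: Optional[datetime] = None  # operations back to normal, if any


def dwell_time_days(inc: Incident) -> Optional[float]:
    """Days from first unauthorized access to eviction; None while still open."""
    if inc.access_severed is None:
        return None
    return (inc.access_severed - inc.first_access).total_seconds() / 86400


def time_to_recovery_hours(inc: Incident) -> Optional[float]:
    """Hours from first operational disruption to restored operations;
    None if the incident caused no disruption or recovery is not complete."""
    if inc.disruption_start is None or inc.operations_restored is None:
        return None
    return (inc.operations_restored - inc.disruption_start).total_seconds() / 3600


def mean_dwell_time_days(incidents: List[Incident]) -> Optional[float]:
    vals = [d for d in map(dwell_time_days, incidents) if d is not None]
    return mean(vals) if vals else None


def mean_time_to_recovery_hours(incidents: List[Incident]) -> Optional[float]:
    vals = [h for h in map(time_to_recovery_hours, incidents) if h is not None]
    return mean(vals) if vals else None


def open_incidents(incidents: List[Incident]) -> List[str]:
    """Names of incidents where adversary access has not yet been severed;
    these are excluded from the dwell-time mean and should be reported alongside it."""
    return [inc.name for inc in incidents if inc.access_severed is None]


# Constructed sample incidents (hypothetical values, not real cases).
SAMPLE_INCIDENTS = [
    # 100 days of dwell, no operational disruption
    Incident("inc-1", datetime(2017, 3, 1), datetime(2017, 6, 9)),
    # 20 days of dwell, a 12-hour disruption during the intrusion
    Incident("inc-2", datetime(2017, 10, 1), datetime(2017, 10, 21),
             datetime(2017, 10, 15, 6), datetime(2017, 10, 15, 18)),
    # still open: contributes to neither mean
    Incident("inc-3", datetime(2018, 1, 5), None),
]

if __name__ == "__main__":
    print("mean dwell (days):", mean_dwell_time_days(SAMPLE_INCIDENTS))      # 60.0
    print("mean recovery (h):", mean_time_to_recovery_hours(SAMPLE_INCIDENTS))  # 12.0
    print("open:", open_incidents(SAMPLE_INCIDENTS))                          # ['inc-3']
```

Reporting the open-incident count next to the dwell-time mean matters: a mean computed only over closed incidents is biased low while long-running intrusions are still in progress.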
slide-70
SLIDE 70

Attacks in Context

5 ICS-tailored malware families
  • Stuxnet
  • Havex
  • Blackenergy2
  • CRASHOVERRIDE
  • TRISIS

3 with intent to disrupt industrial processes
  • Stuxnet
  • CRASHOVERRIDE
  • TRISIS

2 identified in 2017
  • CRASHOVERRIDE: First malware to target grid operations
  • TRISIS: First malware to target SIS

slide-71
SLIDE 71

CHRYSENE
  • Links: OilRig, Greenbug
  • IT compromise, information gathering and recon against industrial orgs
  • Victimology: Oil & Gas, Manufacturing, Europe, MENA, N. America
  • Capabilities: Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR

COVELLITE
  • Links: Lazarus, Hidden Cobra
  • IT compromise with hardened anti-analysis malware against industrial orgs
  • Victimology: Electric Utilities, US
  • Capabilities: Encoded binaries in documents, evasion techniques

DYMALLOY
  • Links: Dragonfly2, Berserker Bear
  • Deep ICS environment information gathering, operator credentials, industrial process details
  • Victimology: Turkey, Europe, US
  • Capabilities: COODOR, DORSHEL, KARAGANY, Mimikatz

ELECTRUM
  • Links: Sandworm
  • Electric grid disruption and long-term persistence
  • Victimology: Ukraine, Electric Utilities
  • Capabilities: CRASHOVERRIDE

MAGNALLIUM
  • Links: APT33
  • IT network limited, information gathering against industrial orgs
  • Victimology: Petrochemical, Aerospace, Saudi Arabia
  • Capabilities: STONEDRILL wiper, variants of TURNEDUP malware

ALLANITE
  • Links: Palmetto Fusion
  • Watering-hole and phishing leading to ICS recon and screenshot collection
  • Victimology: Electric utilities, US & UK
  • Capabilities: Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec

XENOTIME
  • Links: None
  • Focused on physical destruction and long-term persistence
  • Victimology: Oil & Gas, Middle East
  • Capabilities: TRISIS, custom credential harvesting

XT AL MG CV DY EL CR

Since 2014 Since 2017 Since 2016 Since 2016 Since 2016 Since 2017 Since 2017

slide-72
SLIDE 72
slide-73
SLIDE 73

ELECTRUM: Disrupting Electric Power Transmission

Penetrate ICS Network → Establish Foothold → Enumerate Systems & Protocols → Deliver Attack

Takes time, access, and work

  • First grid-focused ICS attack via malware
  • Extensible framework for launching attacks requiring protocol knowledge
  • Wiper function specifically designed to impede ICS recovery
  • Attack required widespread, persistent access to target network

slide-74
SLIDE 74

XENOTIME: Attacking Safety Systems and a Threat to Life

Establish Access on SIS-Connecting System → Transfer TRISIS Base Module to System → Use TRISIS Base Module to Compromise SIS → Upload Follow-On Payloads

  • Safety now a target for ICS operations
  • Greater possibility for physically-destructive events
  • Attack narrow but methodology may be replayed
slide-75
SLIDE 75

What Can You Do?

  1. Enable two-factor (not phone factor) authentication across internal assets and services
  2. Control IT-OT boundary
  3. Audit and secure safety systems
  4. Add OT monitoring, look for behaviors, not indicators
  5. Get ICS threat intelligence

slide-76
SLIDE 76

Defenders expect adversaries – time for the adversaries to expect defenders. Sergio Caltagirone sergio@dragos.com @cnoanalysis

slide-77
SLIDE 77

NERC CIPC Workplan Update

Larry Bugh, Chief Security Officer & Director EASA, April 26, 2018

slide-78
SLIDE 78

Forward Together • ReliabilityFirst

CIPC Organizational Chart

Executive Committee
  • Marc Child, Chair, Great River Energy
  • David Grubbs, Vice Chair, City of Garland
  • David Revill, Vice Chair, NRECA
  • (vacant), Secretary, NERC
  • Ross Johnson, Phys SME, Capital Power
  • Brenda Davis, Cyber SME, CPS Energy
  • Lisa Carrington, Ops SME, Ariz Public Svc
  • Jeff Fuller, Policy SME, AES
  • Melanie Seader, EEI
  • (vacant), APPA
  • (vacant), EPSA
  • (vacant), IPC

Subcommittees
  • Physical Security Subcommittee (Ross Johnson)
  • Cybersecurity Subcommittee (Brenda Davis)
  • Operating Security Subcommittee (Lisa Carrington)
  • Policy Subcommittee (Jeff Fuller)

Working Groups and Task Forces
  • Physical Security WG (PSAG) (Ross Johnson)
  • Control Systems Security WG (Mike Mertz) (Carter Manucy)
  • Grid Exercise WG (Tim Conway)
  • Security Metrics WG (Larry Bugh)
  • Compliance and Enforcement Input WG (Paul Crist)
  • Physical Security Guidelines TF (Darrell Klimitchek)
  • Security Training WG (David Godfrey) (Amelia Sawyer)
  • Planning Committee Joint Project: Criticality Reduction (Vacant)
  • Supply Chain Working Group (Vacant)

slide-79
SLIDE 79

CIPC Charter

Key updates to CIPC Charter:

  • Minor verbiage update to acknowledge security guidelines and standards implementation guidance are key deliverables of CIPC
  • Added IEEE to the list of key collaborative organizations
  • Added new non-voting member class: Partner Members
    • Federal Energy Regulatory Commission
    • US Department of Homeland Security
    • US Department of Energy
    • US Department of Energy Laboratories
    • Public Safety Canada
    • Natural Resources Canada
    • Oil & Natural Gas subsector
    • Telecomm sector
    • Financial Services sector
    • Critical Manufacturing sector
    • Water sector

slide-80
SLIDE 80

CIPC Strategic Plan and Workplan

2018 – 2019 Strategic Plan & Work Plan

  • Change in format to better align with the Electric Reliability Organization (ERO) strategic goals
    • ERO Enterprise Long-Term Strategy
    • ERO Reliability Risk Priorities (“RISC Report”)
    • E-ISAC Long Term Strategic Plan
  • Appendix removed to reduce redundancy and enhance readability
  • Organized into six major activities
    • Advisory panel to the NERC Board of Trustees (Board)
    • Cyber security risk management
    • Physical security risk management
    • NERC standards implementation input
    • BES security metrics
    • Training, outreach, and industry communications

Plan available at https://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Strategic%20Plan%202018-2019.pdf

slide-81
SLIDE 81

Advisory Panel to the NERC Board

  • Reports to the Board - will become more strategic to address emerging risks and issues pertinent to the security of the BES
  • Solicit Board input regarding priorities and new challenges
  • Identify opportunities for collaboration with other subcommittees
  • Decrease focus on status reporting and increase focus on the proactive resolution of issues

slide-82
SLIDE 82

Cyber Security Risk Management

  • Cyber security program efforts:
    • Identification and reduction of cyber risks
    • Cyber security risk of Fuel Handling SCADA systems for Generation
    • Updated guidance in relation to NERC’s Remote Access Study
    • GridEx planning and preparation
    • Supply Chain (vendor security controls and legacy systems testing)
  • All designed to address the RISC, E-ISAC Long Term Strategic Plan, and the ERO Enterprise Long Term Strategy

slide-83
SLIDE 83

Physical Security Risk Management

  • Physical security program efforts:
    • Identification and reduction of physical risks
    • Security practices for High Impact Control Centers
    • Security implications of drones on electric power
    • Key management security for physical access
  • All designed to address the RISC, E-ISAC Long Term Strategic Plan, and the ERO Enterprise Long Term Strategy

slide-84
SLIDE 84

NERC Standards Implementation Input

  • Compliance and Enforcement Input Working Group (CEIWG)
  • Established to solicit industry stakeholders for input to assist NERC staff with clarification on compliance monitoring or enforcement with the following documents:
    • Implications of Cloud Services for CIP Assets (Pilot/Study)
    • Implementation Guidance for Voice-over-IP services
    • Implementation Guidance for Shared Transmission Facilities

slide-85
SLIDE 85

BES Security Metrics

  • CIPC will utilize the expertise of its members, NERC staff, and others to provide direction, technical oversight, feedback on the collection of industry metrics, and reporting of BES security performance metrics.
  • Security Metrics derived from E-ISAC, compliance data, or other sources of periodic reporting
  • Annual security assessment of the BES (NERC State of Reliability Report)

slide-86
SLIDE 86

Training, Outreach, and Communications

  • CIPC will provide training, coordination, and communication with those responsible for both physical and cyber security to various industry segments.
  • Reorganize information on NERC.com
  • Industry-facing collaboration site to maximize joint project activities
  • Publish annual training plan

slide-87
SLIDE 87

Timeline of Activities

CIPC Deliverable (non-ongoing projects), with Estimated Completion Date:

  1. Implications of Voice-over-IP and the CIP Standards (Q1 2018)
  2. Develop CIPC Collaboration Site on NERC.com (Q2 2018)
  3. CIP Implications of Shared Transmission Facilities (Q2 2018)
  4. Key management security guideline (Q2 2018)
  5. Vendor Essential Security Practices Model (Q3 2018)
  6. Security implications of UAVs (Q3 2018)
  7. Update CIPC Website on NERC.com (Q3 2018)
  8. Implications of Cloud Services for CIP Assets (Q4 2018)
  9. Assess the cyber security risk of Fuel Handling SCADA systems for Generation (Q1 2019)
  10. Address Remote Access Security Findings #1-#18 (Q3 2019)
  11. Identification and Reduction of Cyber and Physical Security Risks (Q4 2019)
  12. Legacy system testing coordination with National Labs (Q4 2019)
  13. Annual Security Assessment of the BES (Q4 2019)

slide-88
SLIDE 88

Questions & Answers

Forward Together ReliabilityFirst