1 / 22

Roger Williams University Cyber Threats and Cyber Realities Jonathan Schneider June 18, 2013

Cybersecurity and the Electric Grid Fun with the EO, PD, DHS, NIST, NERC, ESCC, ES-ISAC, DOE, and FERC. Roger Williams University Cyber Threats and Cyber Realities Jonathan Schneider June 18, 2013. Background.

urbano
Download Presentation

Roger Williams University Cyber Threats and Cyber Realities Jonathan Schneider June 18, 2013

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cybersecurity and the Electric Grid Fun with theEO, PD, DHS, NIST, NERC, ESCC, ES-ISAC, DOE, and FERC Roger Williams University Cyber Threats and Cyber Realities Jonathan Schneider June 18, 2013

  2. Background • Evidence of the nation’s cyber vulnerability has increased geometrically over the past five years. • Mandiant report of the concerted effort apparently mounted by China’s military is only the latest installment • High profile incidents pointing to potential destructive potential include: • Shamoon attack on Saudi Aramco disabled 30,000 computers • 23 attacks on US Pipeline systems in 2012 • Dozens of attacks on financial institutions in 2012 (DHS report) • 82 intrusions that targeted energy companies in the 6 months preceding October, 2012 (DHS report) • Major Denial of Service attack successfully brought down internet service to Jacksonville Electric Authority (LPPC member) last week. • Soviet Invasion of Georgia - Potential for full-out cyber warfare demonstrated • Former Secretary of Defense Leon Panetta warned of potential for a cyber 9/11

  3. Department of Homeland Security - Industrial Control SystemsCyber Emergency Response Team (ICS-CERT)10/2012 Report – Energy sector has been a focal point - 40% of all cyber attacks in 2012

  4. Framework for Understanding Cyber Vulnerabilities • Attack Vectors • Internet access • Inserted malware (Stuxnet and reversed engineered versions) • Internal exposure • Electric Sector Vulnerabilities • Operations/Control Systems • Idaho Labs Aurora Test – Industry wake-up call • (Televant (SCADA systems) • Communications and Informations Systems • Communications: JEA Denial of Internet Service • Theft (proprietary data – Nortel, banking)

  5. Legislative Gridlock • At least half-dozen bills introduced in Congress over the past five years, and dozens of amendments • Most legislative activity targeted energy industry • Ironically, energy industry may be better protected through NERC standards than any other sector • Focus now encompasses other major economic, physical infrastructure and manufacturing sectors. • Electric Industry Supported: • Information Sharing – Govt. to Industry • Emergency Directives • Liability Protection • Electric Industry Opposed: • Disruption of Industry-based (NERC) Standards Development Process

  6. Legislative Gridlock – White House Response • White House stepped into the breach on February 12, 2013 with its Executive Order • Executive Order sets up a broad program: • Information sharing by federal agencies w/owners of critical assets • Creation of a “voluntary framework” for managing cyber vulnerabilities

  7. Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards • What is NERC? - Energy Policy Act of 2005 authorized FERC to certify and oversee an Electric Reliability Organization (ERO) • FERC Certified NERC – Mission: develop and enforce reliability standards governing the electric grid • By June, 2007, NERC had implemented mandatory, enforceable standards governing the ‘Bulk Electric System ’ • BES - Generally defined as transmission operated at 100 kV and above • Distribution is excluded by Federal Power Act Section 215 (Think NYC) • Standards: (1) Communications; (2) Critical Infrastructure; (3) Emergency Preparedness; (4) Facilities Design; (5) Interchange coordination; (6)Modeling; (7) Protection and Control; (8) System Balancing; (9) Transmission Operations; (10) Transmission Planning; (11) Voltage and Reactive Control

  8. Existing Protection: Critical Infrastructure Protection (“CIP”) under North American Electric Reliability Corporation (NERC) Standards • NERC’s Suite of CIP Standards • CIP-001 – Sabotage Reporting • CIP-002-3 – Critical Cyber Asset Identification • Risk-based identification of ‘critical asssets ‘ (control centers, transmission, generation) and identification of associated critical cyber assets key to operation of Critical Assets. • CIP Version 5 (leap-frogs Version 4 per April 18, 2013 FERC Order: • Calls for the identification and risk-based ranking of « BES Cyber Assets » • Cyber assets are those that « if rendered unavailable, degraded or misused would, within 15 minutes of requried operation….adversely impact one or more facilities….which if …unavailable, would affect the reliable operation of the Bule Electric System.

  9. Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards • CIP-003-3 – Security Management Controls • Utilities must maintain/implement/document a cybersecurity policy addressing requirements CIP 2 - 9 • CIP-004-3 – Personnel & Training • CIP-005-3 – Electronic Security Perimeters • All critical cyber assets must reside within an “electronic security perimeter” (secure access) • Includes extermally connected (remote) access

  10. Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards • CIP-006-3 – Physical Security of Critical Cyber Assets • All critical cyber assets must reside behind “six all” border • CIP-007-3 – Systems Security Management • Manage secuirity of new cyber assets and changes • Security Patch Management • Malicious Software Prevention • Account management (authorized access) • Security status monitoring • CIP-008-3 – Incident Reporting and Response Planning • Reporting to NERC’s ES-ISAC (Electric Sector Information Sharing and Analysis Center) • CIP-009-3 – Recovery Plans for Critical Cyber Assets • Responsible entiteis must devise, document , implement and test recover (full operational exrercise) recovery plans.

  11. Existing Protection – DOE’s Cybersecurity Capability Maturity Model (ES – C2M2) (May, 2012) • Ten Core Domains (Competencies) (1) Risk Management; (2) Asset, Change, and Configuration Management; (3) Identity and Access Management; (4) Threat and Vulnerability Management; (5) Situational Awareness; (6) Information Sharing and Communications; (7) Event and Incident Response, Continuity of Operations; (8) Supply Chain and External Dependencies Management; (9) Workforce Management; and (10) Cybersecurity Program Management • Levels of Accomplishment: (1) Initiation; (2) certain degree of performance including program documentation, stakeholder involvement, resource commitment and reliance on standards or guidelines; and (3) a fully managed program

  12. Other Mandatory Rules • Nuclear Regulatory Commission • Regulations • Critical digital asset identification • Requires cybersecurity protective strategy • NRC Guidance: • Best Practices (NIST) • International Society of Automation • Institute of Electric and Electronic Engineers • DHS

  13. 2/12/13 Executive Order “Improving Critical Infrastructure Cybersecurity” • Headline News: Without legislation, the White House has directed the Secretary of Homeland Security, the Attorney General, DOD, and the NIST (National Institute of Standards and Technology) to implement a broad program ensuring: • Information Sharing by Governmental Agencies with private sector regarding cyber threats • The identification of Critical Infrastructure at risk • The creation of a “voluntary” Critical Infrastructure Cybersecurity baseline program by NIST

  14. Application to Industries and Responsible Sector-Specific Agencies • Chemical: Department of Homeland Security • Commercial Facilities: Department of Homeland Security • Communications: Department of Homeland Security • Critical Manufacturing: Department of Homeland Security • Dams: Department of Homeland Security • Defense Industrial Base: Department of Defense • Emergency Services: Department of Homeland Security • Energy: Department of Energy • Financial Services: Department of the Treasury • Food and Agriculture: U.S. Department of Agriculture and Department of Health and Human Services • Government Facilities: Department of Homeland Security and General Services Administration • Healthcare and Public Health: Department of Health and Human Services • Information Technology: Department of Homeland Security • Nuclear Reactors, Materials, and Waste: Department of Homeland Security • Transportation Systems: Department of Homeland Security and Department of Transportation • Water and Wastewater Systems: Environmental Protection Agency

  15. What is Critical Infrastructure? • Executive Order: Critical Infrastructure “means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” • Identification of Assets: • Within 150 days of the date of this order (mid-July, 2013), the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. • Components of electrical distribution systems almost surely implicated, broadening NERC’s BES focus • A “consultative process” will be used by the Secretary of Homeland Security to identify critical infrastructure. Owners and operators will be included, along with sector specific agencies, independent agencies and local governments.

  16. 2/12/13 Executive Order Cybersecurity Information Sharing • Within 6 months (mid-August, 2013), instructions will be issued by the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence ensuring the timely production of unclassified reports of cyber threats to identified targets. • Classified reports will be made to owners of critical infrastructure to critical infrastructure entities authorized to receive them. • Within 6 months, Sec’y of Homeland Security, in collaboration with the Sec’y of Defense will establish procedures to expand the “Enhanced Cybersecurity Services” program to provide classified cyber threat and technical information to eligible critical infrastructure asset companies and service providers that offer security services to critical infrastructure.

  17. 2/12/13 Executive Order “Improving Critical Infrastructure Cybersecurity” • Cybersecurity Baseline Program (“The Framework”) • To be created by NIST in order to establish a baseline set of guidelines and objectives for critical infrastructure owners to follow in order to guard against cyber threats. • Preliminary Framework will be published within 8 months (October, 2013) and finalized in one year (February, 2014) • Industry input was filed April 8, 2013.

  18. NIST Cybersecurity Baseline Program (“The Framework”) • Goals of The Framework (from draft RFI): • “(i) to identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; • (ii) to specify high-priority gaps for which new or revised standards are needed; and • (iii) to collaboratively develop action plans by which these gaps can be addressed.”

  19. NIST Framework - Expected Elements (Draft RFI) • A consultative process to assess the cybersecurity-related risks to organizational missions and business functions; • A menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats and protect privacy and civil liberties; • A consultative process to identify the security controls that would adequately address risks that have been assessed and to protect data and information being processed, stored, and transmitted by organizational information systems; • Metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate and available processes that can be used to facilitate continuous improvement in such controls; • A comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide senior leaders/executives with the kinds of necessary information sets that help them to make ongoing risk-based decisions; • A menu of privacy controls necessary to protect privacy and civil liberties.

  20. Electric Industry Input • NERC Standards should be rolled-into the Framework, not contradicted. • Framework should be consistent with DOE’s ES-C2M2 • Must be flexible, process oriented in order to apply across sectors, and allow entities to respond flexibly to emerging threats.

  21. Managing the “Voluntary” Framework • Secretary of Homeland Security, in coordination with Sector-Specific Agencies, will notify owners/operators of designated critical infrastructure confidentially. Reconsideration possible. • Sector-specific agencies will report annually to the President (through Secretary of Homeland Security) whether critical infrastructure owners/operators are participating in the Framework. • Incentives for compliance discussed, but not yet developed

  22. What May Owners/Operators of Critical Infrastructure Do and What Must They Do? • CI Owners may: • Participate in determination on Critical Infrastructure through consultative process • Participate in development of cybersecurity baseline framework • CI owners must: • Determine whether to participate in baseline framework • Weigh risks of non-compliance • Potential liability in not meeting benchmark • Possible Disclosure Issue • CI owners must consider good cyber “hygiene” to be a good business practice • Organization and Planning • Internal Standards and Systems • Link to alert systems (ISC-CERT, ES-ISAC, Cross-Sector Cyber Working Group) • Physical and electronic walls, passcodes, electronic access rules) • Consider link between business and operational control systems • Management of Remote Access • Procurement Practices (vendor exposure) • Personnel and Internal Policies

More Related