Critical Infrastructure Protection THE ELECTRICITY SECTOR Security Initiatives

1
Critical Infrastructure ProtectionTHE
ELECTRICITY SECTOR Security Initiatives

• Presented to
• The Association of Edison Illuminating Companies
• Committee on Power Delivery
• April 2006

2
Topics

• Bulk Electric System
• NERC and the ERO
• CIP initiatives for the Electricity Sector
• Electricity Sector Information Sharing and
  Analysis Center
• Communications
• Some things to think about

3
(No Transcript)
4
13 RC
3 RC
1 RC
5
(No Transcript)
6
Electric Reliability Organization
Canada Alberta, British Columbia, Manitoba,
Ontario, New Brunswick, Nova Scotia, Quebec, and
Saskatchewan
United States Federal Energy Regulatory Commission
Mexico Comision Reguladora de Energia
Reliability Standards
Compliance Enforcement
Electric Reliability Organization
Regional Entities
Reliability Assessment
Other ERO Members
Bulk Electric System Owners, Operators,
Users
7
Bulk Power System User

• User of the bulk power system means any entity
  that sells, purchases, or transmits electric
  power directly over the bulk power system, or
  that maintains facilities or control systems that
  are part of or directly connected to the bulk
  power system, or that is a system operator. The
  term excludes customers that receive service at
  retail that do not otherwise sell, purchase, or
  transmit power over the bulk power system or own,
  operate, control, or maintain facilities or
  systems that are part of or directly connected to
  the bulk power system.
• Exclusions noted in each standard
• Upward delegation allowed
• Distribution providers are bulk power system
  users only to extent they own, operate, control
  or maintain bulk power system facilities
• For funding allocation purposes, all LSEs are
  bulk power system users, subject to upward
  delegation

8
ERO Application Timeline (Approx.)

• 03/28/06
• 04/04/06
• TBD
• 08/02/06
• 10/06
• 10/06
• 10/06
• 11/15/06
• 01/01/07

• Board approves ERO application
• NERC files ERO application (U.S. Can.)
• FERC conditionally names ERO
• Board approves 2007 ERO budget
• Regional delegation agreements complete
• Canadian regulators recognize ERO
• Regulators approve 2007 ERO budget
• NERC meets all ERO requirements
• ERO implementation

9
Whats Really, Really Important

• Strong and competent ERO
• Clear, consistent, enforceable, and technically
  sound reliability standards
• Consistent, firm compliance enforcement
• Effective relationships with regulators, regions
  and stakeholders
• Technical excellence
• Continuous reliability improvement
• Performance monitoring

10
Reliability Standards

• Retain ANSI-accredited process and RBB
• Retain SAC elected by segments
• Revise standards manual
• Pro rata segment votes
• Risk factors and compliance elements
• Editorial changes for ERO
• File existing 104 standards
• Key issue enforceability
• Standards roadmap
• Coordinate annual work plan with regulators
• Remands/directives through regular process

11
Standard Categories
12
Compliance Enforcement

• Strong ERO oversight of regional compliance
  programs
• Retain existing compliance disclosure principles
• Compliance authority applies to bulk power system
  owners, operators, and users

13
Additional ERO Programs

• Reliability assessments
• Reliability readiness and improvement
• Training and education
• System personnel certification
• Situation awareness and infrastructure security
• Event analysis and benchmarking

14
(No Transcript)
15
(No Transcript)
16
NERC Critical Infrastructure Protection Committee
(CIPC) Structure
Executive Committee Manage policy matters
regarding physical security, cyber security,
security operations provide support to working
groups and task forces serve as Electricity
Sector Coordinating Council with Pres/CEO NERC
Security Planning Improve the Electricity
Sectors ability to protect critical
infrastructure Security Guidelines WG Risk
Assessment WG Control Systems Security
WG Critical Spares TF PKI TF HEMP TF
Security Operations Develop maintain
Electricity Sector Information Sharing and
Analysis Center (ESISAC) capability to respond
to security threats incidents Outreach
WG Reporting Technologies WG Indications,
Analysis, Warnings WG IDS Pilot TF Grid
Monitoring TF
October 19, 2005
17
Electricity Sector Security Initiatives-1

• Government Private Sectors partnership model
• Electricity Sector Coordinating Council
• Government Energy Coordinating Council
• Critical Infrastructure Partnership Advisory
  Council
• National Infrastructure Advisory Council
• National Infrastructure Protection Plan
• Protection and Resiliency

18
Electricity Sector Security Initiatives-2

• Cyber Security Standard (mdl)
• Security Guidelines (mdl)
• Control Systems Security (mdl)
• Critical Spares Project
• ElectroMagnetic Pulse
• Intelligence coordination
• Biological, Chemical, Radiological response
• Pandemic response
• Telecommunications Electric Power
  Interdependencies
• Exercises (TOPOFF, Cyber Storm)
• Reference materials available
  http//www.esisac.com

19
Electricity Sector Security Initiatives-3

• Electricity Sector Information Sharing and
  Analysis Center (ESISAC) (mdl)
• Information Sharing and Analysis Centers Council
  (mdl)
• Indications, Analysis, Warnings program
• Data/information exchange between ES and DHS
• Threat Alert Levels Physical and Cyber (mdl)
• Outreach including workshops
• Planning workshops to assist with the Cyber
  Security Standards
• Reference materials available
  http//www.esisac.com

20
Critical Assets

• Critical Assets Facilities, systems, and
  equipment which, if destroyed, degraded, or
  otherwise rendered unavailable, would affect the
  reliability or operability of the Bulk Electric
  System.
• Cyber Assets Those programmable electronic
  devices and communication networks including
  hardware, software, and data.
• Critical Cyber Assets Those Cyber Assets
  essential to the reliable operation of Critical
  Assets

21
Permanent Cyber Security Standard

• Requires Critical Cyber Assets related to the
  reliable operation of the bulk electric systems
  be identified and protected
• Builds upon the concepts and requirements in
  Urgent Action Cyber Security Standard 1200
• Includes process control and SCADA assets
  critical to grid reliability
• Provides additional detail to clarify technical
  requirements and compliance measures
• Cyber Security Standard status
• Implementation Plan

22
Responsible Entities

• Reliability Coordinator.
• Balancing Authority.
• Interchange Authority.
• Transmission Service Provider.
• Transmission Owner.
• Transmission Operator.
• Generator Owner.
• Generator Operator.
• Load Serving Entity.
• NERC.
• Regional Reliability Organizations.

23
Security Standards 1

• CIP-001 Sabotage Reporting
• Awareness, communications, response (4
  requirements)
• CIP-002 Critical Cyber Asset Identification
• Risk based assessment (4 req)
• CIP-003 Security Management Controls
• Policy, information protection, access control,
  change control (6 req)
• CIP-004 Personnel and Training
• Training, personnel risk assessment (4 req)
• CIP-005 Electronic Security Perimeters
• Identify perimeter, assess, monitor, control (5
  req)

24
Security Standards 2

• CIP-006 Physical Security
• Physical access controls and monitoring (6 req)
• CIP-007 Systems Security Management
• Test procedures, patch management, malicious
  software protection, account management, security
  status monitor (9 req)
• CIP-008 Incident Reporting and Response Planning
  
• Cyber security incident response, reporting,
  documentation (2 req)
• CIP-009 Recovery Plans
• Plan, exercise, backup, test (5 req)

25
Security Guidelines
(17 recommended practices to mitigate risk)

• Cyber Access Control
• Cyber IT Firewalls
• Cyber Intrusion Detection
• Cyber Risk Management
• Protecting Sensitive Info
• Securing Remote Access Process Control Systems
• Incident Reporting
• Physical Security Substations
• Patch Management for Control Systems
• Control System Business Network Electronic
  Connectivity

• Communications
• Emergency Plans
• Employment Background Screen
• Physical Security
• Threat Response
• Physical
• Cyber
• Vulnerability/Risk Assessment
• Continuity of Business Process

http//www.esisac.com
26
Control Systems in Electricity Sector
System Operations Center
EMS
ICCP
Interconnected System Operations Center
SCADA
Telecom
Generating or Transmission Station
RTU
Protective Relays
BTG
Transmission Control
Data Sensors
DCS and PLC
27
Securing Control Systems 1

• NERC is working with the electricity sector,
  governments, other critical infrastructure
  sectors, control system vendors, and others to
• Evaluate vulnerabilities and solutions
• Top 10 Vulnerabilities and Mitigations
• Assess risk (ground truth study)
• New systems
• Legacy systems
• Recognize a potential or actual attack
• Mitigate an attack on control systems

28
Securing Control Systems 2

• Support the DOE Roadmap to Secure Control Systems
  in the Energy Sector
• http//www.controlsystemsroadmap.net
• Support the DHS Process Control Systems Forum
• https//www.pcsforum.org/
• Crisis Management Interest Group

29
ESISAC

• Electricity SectorInformation Sharing and
  Analysis Center
• Share information about real and potential
  threats and vulnerabilities
• Received from DHS and communicated to
  electricity sector participants
• Received from electricity sector participants and
  communicated to DHS
• Analyze information for trends, cross-sector
  dependencies, specific targets
• Coordinate with other ISACs

30
Governments Sectors CoordinationOperations
(ES focus)
------------------ Governments ----------------
Sectors

DHS
DOE
PSEPC
FERC
Comm
FS
ESISAC
. . .
O/G
Electricity Sector
Electricity Sector
RC
BA
TNS
GEN
LSE
PSE
Water
31
Operational ISACs

• Chemical
• Communications
• Electricity
• Emergency Management and Response
• Energy (Oil and Gas)
• Financial Services
• Health Care

• Highway
• Information Technology
• Multi-State
• Public Transit
• Research and Education Network
• Surface Transportation
• Water

32
ISACCouncil Activities

• Discussion papers
• Government-Private Sector Relations
• HSPD-7 Issues and Metrics
• Information Sharing and Analysis
• Integration of ISACs into Exercises
• ISAC Analytical Efforts
• Policy Framework for the ISAC Community
• Reach of the Major ISACs
• Vetting and Trust
• http//www.isaccouncil.org

33
Threat Alert System

• Homeland Security Alert System
• Low, Guarded, Elevated, High, Severe
• Electricity Sector coordinated systems
• Physical
• Cyber
• With expected actions by Electricity Sector
  entities at each level

http//www.esisac.com
34
Report

• Malicious physical events that cause transmission
  outages, loss of generation, loss of load, damage
  to facilities
• Malicious physical events that cause damage to
  facilities, breach of security
• Malicious cyber events that result in actual or
  potential intrusion to a critical computer or
  utility telecom system
• Threats received (eg bomb, mail, tel)
• Surveillance (pics, questions)

35
Possible Steps Toward A Terrorist Attack
Target Selection
Surveillance (first level, non professional)
Planning (weapons, location, etc)
Final Selection (target)
Deployment (equipment, people)
Final Surveillance (professional)
ATTACK!
36
Reports

• From the ES,
• Together with other critical infrastructures,
• And intelligence sources
• May help the DHS to

37
Communications

• Secure messaging system
• Critical Infrastr Protection Information System
  (CIPIS)
• US-CERT cyber portal
• Homeland Security Information Network (HSIN)
• Incorporates CIPIS
• Cross-critical infrastructure capability
• Communicate with other agencies
• Additional features to support coordination
• ESISAC Internet site
• Email listservs (eg tal)
• Gov Emerg Telecom Service (GETS) and WPS
• Critical infrastructure Warning Information
  Network (CWIN)
• Communications tips

38

• REPORT INCIDENTS TO
• LOCAL LAW ENFORCEMENT
• (Establish and maintain relationship.)
• LOCAL FBI
• (Establish and maintain relationship.)
• National Infrastructure Coordination Center
• (DHS IAIP)
• secure messaging CIPIS
• email nicc_at_dhs.gov
• tel 202-282-9201
• fax 703-607-4998
• ESISAC
• secure messaging CIPIS
• email esisac_at_nerc.com
• tel 609-452-1422 (anytime)

39
Some Things to Think About

• Does the ESISAC have your 24x7 contact? Are there
  multiple contact points and communications
  available?
• Is a security decision-making process in place?
• How will your organizations physical and cyber
  security decision-makers get notified? Are there
  backup communications?
• Is there a means in place to communicate
  decisions to action-takers? A backup?
• Consider responses in accordance with the Threat
  Alert Systems and Physical / Cyber Response
  Guidelines for the Electricity Sector.

40
http//www.esisac.com
41
http//www.nerc.com
42
Contacts

• NERC 609-452-8060
• ESISAC 609-452-1422
• esisac_at_nerc.com
• Note Referenced materials and this
• presentation available at
• http//www.esisac.com

TY