Bill Lawrence, Director of the E-ISAC Charlotte de Seibert ... Highlights and Minutes 20… · Charlotte de Seibert, Principal Physical Security Analyst. ... Produced 12 Monthly CRISP

1

E-ISAC UpdateBill Lawrence, Director of the E-ISACCharlotte de Seibert, Principal Physical Security AnalystPhilip Daigle, Senior Cybersecurity AnalystCritical Infrastructure Protection CommitteeJacksonville, FLMarch 6-7, 2018TLP:WHITE

2

• Long-term Strategic Plan background• 2017 Accomplishments• Strategic plan framework• Key activities• Q1/Q2 2018 Deliverables• GridEx IV update• Physical security update• Cyber security update

Agenda

TLP:WHITE

3

• The E-ISAC underwent a strategic review with the ElectricitySubsector Coordinating Council (ESCC) in 2015

• Under the ESCC, the Member Executive Committee (MEC) wascreated and serves as a CEO-led stakeholder advisory group

• MEC input was used on the E-ISAC Long-term Strategic Plandeveloped in 2017

• The plan was approved by the NERC Board in 2017 and includedin the NERC Business Plan and Budget for implementation in2018

Background

TLP:WHITE

4

2017 Accomplishments

Information Sharing Analysis Engagement

Launched portalLaunched recruiting efforts, hired one cyberanalysis specialist in 2017

Conducted GridEx IV: over 6,500 participants (up 50% fromGridEx III), over 450 organizations (up 30% from GridEx III)

Shared over 210 cyber bulletins (140 member-posted; 71E-ISAC-posted) and 165 physical bulletins (64 member-posted; 101 E-ISAC-posted)

Launched the Embedded IndustryAugmentation program

Conducted GridSecCon 2017 with over 500 participants (anincrease of 20% from GridSecCon 2016)

Provided content to three NERC Alerts on:• Modular Malware Targeting Electric Industry Assets in

Ukraine• Advanced Persistent Threat Actor Targeting Electric

Industry and Other Critical Sectors• Supply Chain Risk

Collaborated with CIPC Security MetricsWorking Group on new security metrics anddata sources

Enhanced CRISP• Participation from 25 to 27 companies• CRISP governance group of 15 companies• Independent audit of PNNL security practices, data

handling

Gathered GridEx IV lessons learned and recommendationsProduced a security risk assessment for theMRO Security Advisory Council

Formalized partnership with Downstream Natural Gas ISAC

Adopted internationally accepted Traffic Light Protocol forinformation handling

Produced 51 Weekly, 12 Monthly, 1 Mid-Year,and 1 End of Year reports

Established MEC user group governance team (UNITE,ISO/RTO Council, Large Public Power Council)

Facilitated 12 monthly E-ISAC and CRISP webinars Produced 12 Monthly CRISP Analysis reportsIncreased active E-ISAC Portal membership from 2,500 toover 3,200 from Q1 to Q3

Facilitated two CRISP member workshops and threatbriefings

Partnered with DARPA on a cyber security program forelectric utilities linked to the GridEx program

Participated in NRECA RC3 Cyber Security Summits forinformation sharing best practices

Partnered with the University of Illinois atUrbana-Champaign and its new Industry – UniversityCooperative Research Center

Discussed “malware solutions pipeline” research effort withDOE and National Laboratory system

Enhanced international engagement:• Performed Cyber Risk Preparedness Assessment in

Mexico• Initiated collaboration with the Japan Electricity ISAC and

European E-ISAC (to be continued in 2018)

TLP:WHITE

5

2017 Accomplishments

Information Sharing Analysis Engagement

Launched portalLaunched recruiting efforts, hired one cyberanalysis specialist in 2017

Conducted GridEx IV: over 6,500 participants (up 50% fromGridEx III), over 450 organizations (up 30% from GridEx III)

Shared over 210 cyber bulletins (140 member-posted; 71E-ISAC-posted) and 165 physical bulletins (64 member-posted; 101 E-ISAC-posted)

Launched the Embedded IndustryAugmentation program

Conducted GridSecCon 2017 with over 500 participants (anincrease of 20% from GridSecCon 2016)

Provided content to three NERC Alerts on:• Modular Malware Targeting Electric Industry Assets in

Ukraine• Advanced Persistent Threat Actor Targeting Electric

Industry and Other Critical Sectors• Supply Chain Risk

Collaborated with CIPC Security MetricsWorking Group on new security metrics anddata sources

Enhanced CRISP• Participation from 25 to 27 companies• CRISP governance group of 15 companies• Independent audit of PNNL security practices, data

handling

Gathered GridEx IV lessons learned and recommendationsProduced a security risk assessment for theMRO Security Advisory Council

Formalized partnership with Downstream Natural Gas ISAC

Adopted internationally accepted Traffic Light Protocol forinformation handling

Produced 51 Weekly, 12 Monthly, 1 Mid-Year,and 1 End of Year reports

Established MEC user group governance team (UNITE,ISO/RTO Council, Large Public Power Council)

Facilitated 12 monthly E-ISAC and CRISP webinars Produced 12 Monthly CRISP Analysis reportsIncreased active E-ISAC Portal membership from 2,500 toover 3,200 from Q1 to Q3

Facilitated two CRISP member workshops and threatbriefings

Partnered with DARPA on a cyber security program forelectric utilities linked to the GridEx program

Participated in NRECA RC3 Cyber Security Summits forinformation sharing best practices

Partnered with the University of Illinois atUrbana-Champaign and its new Industry – UniversityCooperative Research Center

Discussed “malware solutions pipeline” research effort withDOE and National Laboratory system

Enhanced international engagement:• Performed Cyber Risk Preparedness Assessment in

Mexico• Initiated collaboration with the Japan Electricity ISAC and

European E-ISAC (to be continued in 2018)

TLP:WHITE

6

Vision: To be a world class, trusted source of quality analysis and rapid sharing of electricity industry security information

Supported by:• NERC Board of Trustees• Electricity Subsector Coordinating Council (ESCC)• ESCC Members Executive Committee (MEC)

E-ISAC Strategic Plan

EngagementAnalysisInformation Sharing

Accelerate sharing and high priority

notifications

Enhanceportal

Improveinformation flow

and security

CRISP CYOTE CAISS Strategic Vendor

Partnerships

Hire and developexceptional employees

Leverage information sharing

technologies and resources

to enhance analytical capability

Prioritize products and

services

Metricsbenchmarking

Evaluate 24x7

Operations(future)

Build trust and show value

World Class ISAC

TLP:WHITE

Strategic Plan

7

Key Activities Update

E-ISAC Critical Broadcast Program• Operationalized the rapid information sharing capability of the E-ISAC• 1,208 individuals from 245 organizations joined the call

CRISP (CRISP Governance Committee Activities)• Established E-ISAC local access to CRISP data• Governance Committee organized, charter under development• Further expanding Membership Base – target minimum of four companies joining• Identifying and evaluating opportunities to lower cost of participation• Developing Strategic Plan

Portal Launch• Launched December 19, 2017• Providing post-production support• Commence planning for portal enhancements, including potential data

visualization, authentication, user management, and registration

TLP:WHITE

8

Key Activities Update

User Communities• Developing user communities governance and implementation plan• Implementing and testing user community capability

Automated Information Sharing • Developing and piloting CAISS analytic capabilities• Evaluating pros and cons in moving ahead with ThreatConnect platform

Industry Augmentation Program• Completed week with participating analysts from NYPA and SRP• Built trust while exchanging expertise and understanding of threats and

response processes

TLP:WHITE

9

2018 Q1 and Q2 Deliverables

Q1 Q2

30 60 90 30 60 90

Info

rmat

ion

Shar

ing Accelerate sharing and high-priority notifications

Enhance Portal

Improve information accessJoin quarterly DHS secure video teleconference tests with industry clearance holders

Establish and exerciseCritical Broadcast process

Obtain credentials for staff access to DHS National Cybersecurity and Communications Integration Center

Evaluate strategic vendor partnerships

Develop and pilot CAISS information sharing capabilities

Plan and begin implementations of Portal enhancements including potential data visualization, authentication, user management, and registration

Deploy HF capability

Circulate draft GridEx IV reports Release GridEx IV reports

Join quarterly DHS HF radio tests

Build work plan with ESCC and CIPC to accomplish GridEx recommendations and lessons learned

Gather requirements, develop plan, and issue RFP for Event Management tool

TLP:WHITE

10


Q1 Q2

30 60 90 30 60 90

Anal

ysis

Acquire and develop high quality resources

Leverage technology

Evaluate new analytical capabilities

Enhance CRISP data analysis with E-L-K technologies

Evaluate deployment DOE malware forensics tools and dropbox

Metrics benchmarking

Hire cyber analyst #1Hire cyber analyst #2

Hire cyber analyst #3Develop requirements and RFP for contracted analyst supportDevelop embedded industry augmentation program

Develop and pilot CAISS analytic capabilities

Benchmark security metric data

Continue work with CIPC Security Metrics Working Group

Hire cyber analyst #4Hire physical security manager and analyst

Implement embedded industry augmentation program

Gather requirements and develop plan and RFP for data warehouse and analyst workbenchPrioritize products and services

TLP:WHITE

11


Q1 Q2

30 60 90 30 60 90

Enga

gem

ent

Hire Member Services manager

Strengthen private sector relationships (e.g., SANS, CEATI, etc.)

Expand industry relationships and collaboration

Promote unclassified workshopsBuild trust and value via user communities

Strengthen governmental, institutional, and private sector relationshipsEstablish recurring meetings with DOE, DHS, FERC OEIS

Add CRISP participants

Establish MOU with Canadian Cyber Incident Response Centre

User management registration integration

SANS ICS Summit

MEC and CIPC MEC and CIPC

Establish monthly CRISP classified workshops with DOE and Pacific Northwest National Laboratory

Continue work on trilateral MOU with Japan E-ISAC and European Energy ISAC

GridSecCon strategic planning GridSecCon call for presentations and training

Enhance Energy (ONG, DNG) and cross-sector ISAC relationships (FS, Water, Comms, Nuclear)

Define relationship with Cyber Mutual Assistance program

Develop user community governance and additional portal requirements

MEC

TLP:WHITE

12

Mission statement

GridEx is an unclassified public/private exercise designed to simulate a coordinated cyber and physical attack

with operational impactson electric and other critical infrastructures

across North Americato improve security, resiliency, and reliability

TLP:WHITE

13

• Exercise incident response plans• Expand local and regional response• Engage critical interdependencies• Improve communication• Gather lessons learned• Engage senior leadership

GridEx Objectives

TLP:WHITE

14

Players across the stakeholder landscape will participate from

their local geographies

Facilitated discussion engages senior decision

makers in reviewing distributed play and

exploring policy triggers

Executive TabletopUtilities

Reliability Coordinators

E-ISAC and

BPSA

Fed/State/Prov Agencies

Supportand

Vendors

Injects and info

sharing by email

and phone

Identification

Containment

Distributed Play(2 days)

Executive Tabletop (1/2 day)

Move 0Pre-Exercise

Preparation

Operators may participate in Cyber Intrusion detection

activities

Exercise Components

TLP:WHITE

15

Participation

• 6500 Participants• 206 Electric utilities• 452 Organizations• 17 Cross-sector partners• 10 States (2 full-scale)

TLP:WHITE

16

Active and Observing

36

122

209

335

40

109

155

117

0

50

100

150

200

250

300

350

400

450

500

GridEx 2011 (76) GridEx II (231) GridEx III (364) GridEx IV (452)

GridEx Exercise Participation

Active Observing

47%

53% 53%

47%

57%

43%

74%

26%

TLP:WHITE

17

Coordination with

Government

TradeAssociations

Bulk-Power System Entities

Coordinated Operations

Vendor Support

IT, ICS, ISP,Anti-virus

Local, State/Provincial

Government• Governors /

Premiers• Emergency

Management Organizations

• Emergency Operations Centers / Fusion Centers

• Local FBI, PSAs • National Guard• PUCs, PSCs

Reliability Coordinators, Balancing Authorities, Generator Operators,

Transmission Operators, Load Serving Entities, etc.

E-ISACElectricity

Information Sharing &

Analysis Center

Other Federal AgenciesUS: FBI, FERC, DOD

Canada: Public Safety Canada, NRCan, RCMP, CSIS,

CCIRC

NERC

Crisis Action Team

DOEDepartment of Energy

DHSNCCIC

ICS-CERTUS-CERT

NERC Bulk Power

System Awareness (BPSA)

Regional Entities

Executive Coordination

Electricity Subsector Coordinating Council (ESCC)

Other Critical Infrastructures

TelecommunicationsOil & Gas

others

Energy GCCOther SCCs

Unified Coordination Group (UCG) or non-US equiv.

GridEx IV Communications

ExConGridEx IV Exercise Control

NERC staff, GEWG, BAH, Nat’l Labs, SMEs for Sim-cell, et al.

TLP:WHITE

18

• Cyber shares 204

• Physical Security shares 364

• OE-417s submitted 244

• EOP-004s submitted 132

• Utilities participating in Cyber Mutual Assistance 43

Information Sharing with the E-ISAC

TLP:WHITE

19

• Where’s the Cavalry? Relationship building with partners (e.g. cross-sector, law enforcement,

emergency managers, etc.) What is the State/Federal Government’s role during a Grid Emergency?

• E-ISAC Portal improvements• Greater cross-sector participation• Public Affairs and Corporate Communications vs. Incorrect or

Misleading information• Communication resiliency (e.g. WPS, GETS, HF Radio, etc.)• Electric Utility – RC emergency communications• Cyber Mutual Assistance• On-keyboard cyber training • Active Lead Planners

Preliminary Findings –GridEx IV Distributed Play

TLP:WHITE

20

Five-hour Executive Tabletop held on November 16, 2017, the second day of the large-scale GridEx IV security and emergency response exercise. Parallel, separate tabletops were held in Canada and Australia

Objective:Engage senior industry and government leadership in a robustdiscussion of the policy issues, decisions, and actions needed torespond to protect and restore the reliable operation of the grid

Executive Tabletop Overview

TLP:WHITE

21

Executive Tabletop Themes

Extraordinary Measures

TLP:WHITE

22

Phased Scenario Discussion

One Day

After

Three Days After

Two Weeks After

For each phase after attacks begin:• Participants role-play actions and the

decisions needed to respond to the situation, restore power, and secure the grid

• Identify any gaps

Attacks Begin

TLP:WHITE

23

• Situation assessment and initial response by industry and government

• Communications between utilities and with local, state, and federal government Utility liaison with state emergency operations centers

• Immediate government priority: Stop the Attacks Utility liaison with National Guard

• Grid Emergency Operations Utilities have the authority to implement emergency actions (e.g., shed

load) to maintain grid operation Utilities coordinate with local and state government to identify high-

priority customers

Tabletop Discussion

TLP:WHITE

24

• Share sensitive information Need to distribute information quickly and declassify if necessary

• Decide national level priorities When resources are limited, balance local, state, and national interests

• Critical infrastructure interdependencies Communications, financial services, natural gas, and critical manufacturing

sectors as “life-line” sectors

• Utility finances to fund recovery and restoration

Tabletop Discussion

TLP:WHITE

25

• GridEx IV Reports will be complete by end of March, 2018• GridEx V Initial Planning Meeting will be held November 2018

Way Forward

TLP:WHITE

26

E-ISAC Physical Security UpdateCharlotte de Sibert, Principal Physical Security AnalystCIPCMarch 3, 2018TLP: WHITE

27

• Reporting Submit requests for information, incident or trend related questions,

regional analysis requests etc. to [email protected] Continue reporting events via E-ISAC portal, email [email protected]

o When reporting incidents, provide as many details as possible to provide context

‒ Location (city, state, region etc.)‒ Impact (customer outages, financial)‒ Has this type of incident occurred before?‒ Mitigation actions taken

Incident Reporting

TLP:WHITE

mailto:[email protected]

mailto:[email protected]

28

Incidents by Type Overview

Q1 Incidents of Note • Axe incident in CA• Suspicious Activity Events• Emotionally unstable

individuals inside substation • Drone/UAS events• Security Equipment theft• Copper price

monitoring/theft

TLP:WHITE

29

• Activist/Eco-Terrorist group overview• Foreign Terrorist Organization group overview• Revised Suspicious Activity Bulletin

• 2018 Initiatives Increased voluntary sharing Increased analyst context Industry sourced articles and whitepaper sharing

Items of Interest

TLP:WHITE

30

• Overview of PSAG 2017 Activity• New Members• Plan for 2018

PSAG

TLP:WHITE

31

E-ISAC Cyber Update

Philip Daigle, Senior Cybersecurity Analyst, E-ISACCIPCMarch 6, 2018TLP: WHITE

32

Cyber Topics of Interest

•Malware Targeting Safety Instrumented Systems (SISs)•Spear-phishing of Several members•Generalized phishing of members

Summary of 2018

TLP:WHITE

33

Cryptocurrency Mining

Malicious cryptocurrency mining, or cryptojacking, is becoming more prevalent as the price of Bitcoin and other cryptocurrencies skyrocket.

In the past few months many threat actors have shifted away from ransomware to using cryptocurrency miners. Compared to ransomware, cryptojacking takes little to no interaction and can generate currency over an extended period of time.

Summary of 2018

TLP:WHITE

34 TLP:WHITE

ESCC Update

Kaitlin Brennan, Manager – Cyber and Infrastructure Security, EEICritical Infrastructure Protection Committee Meeting March 6-7, 2018

RELIABILITY | ACCOUNTABILITY2

• 2018 Schedule: May 7, 2018 in Washington, DC July 11-12, 2018 at Idaho National Laboratories October 9-10, 2018 in the Washington, DC / Baltimore, MD area

• Summary of Conclusions – November 2017• Puerto Rico Response• Threat Information Sharing• ESCC-Government Engagement• ESCC Vision and Planning Strategic Committee• Cross-Sector Coordination

ESCC Update


Legislative Update

Kaitlin Brennan, Manager – Cyber and Infrastructure Security, EEICritical Infrastructure Protection Committee Meeting March 6-7, 2018


• S.79 Securing Energy Infrastructure Act – Sens. King (I-ME) & Risch (R-ID)

• S.141/H.R. 3086 Space Weather Research and Forecasting Act• National Defense Authorization Act (H.R. 2810; P.L. 115-91) • Cyber SAFETY Act of 2018 (S.2392) – Sen. Daines• Other possibilities: Expanding background investigations of critical utility personnel Standalone energy bills or as part of an infrastructure package “Active Cyber Defense Act” – Rep. Graves (R-GA) S.536 - Sen. Reed (D-RI) Data breach legislation

Legislative Update


NERC Control Systems Security Working Group

Carter Manucy, FMPAMichael Mertz, PNM ResourcesCritical Infrastructure Protection Committee Meeting March 6-7, 2018


Critical Infrastructure Protection Committee


• Status Update Document review Need for more volunteers Future efforts & projects

CSSWG Update


Security Training Working GroupDavid GodfreyCritical Infrastructure Protection Committee Meeting March 6-7, 2018


Security Training WG

• Charter CIPC will provide meeting attendees with an opportunity to participate in

physical, cyber, and operational security training, as well as, educational outreach opportunities.

• Current Members Tobias Whitney, Ross Johnson, John Breckenridge, Carl Herron, Charlotte

de Sibert, Jake Schmitter, Bill Lawrence, John Gasstrom, Michele Wright, Amelia Sawyer and David Godfrey.



• Latest Activities Continue to have monthly conference calls.

• March 2018 Training Review March 2018 – Emergency/Incident Response Management - The STWG

had 4 outstanding speakers discussing 3 uniquely different storm events;o Chris Vicino – Los Angeles Dept Water & Power – Corporate Security Response

and Challenges to the Southern California Wildfireso Bert Sausse III – CenterPoint Energy – Corporate Response and Challenges to

Hurricane Harveyo John R. Large & Carlos Morales – Florida Power & Light - Corporate Security

Response and Challenges to Hurricane Irma



• 2018 Training Schedule June 2018 – Supply Chain Risk Managemento Carl Herron – E-ISAC/NERCo Tobias Whitney – E-ISAC/NERC

September 2018 – Transient Cyber Asset(s) - (Panel Discussion)

• Next Steps The SWTG is looking for training topic recommendations for 2019 CIPC

Meetings, please contact a STWG Member with your ideas We continue to seek and secure volunteer speakers

• CIPC Actions Questions and/or suggestions for today’s discussion


NERC Compliance and Enforcement Input Working Group

Paul Crist, LES Lisa Carrington, APSDamon Ounsworth, SaskPower Critical Infrastructure Protection Committee Meeting March 6-7, 2018


• Update: Held two monthly CEIWG Calls Reviewed the 2018 Work Plans Discussed the CIP Implications of Cloud Computing “Pilot” Developed a proposal for the Cloud Implementation Guidance Project Phased

Approach CIP-004-6 Access Management Phase 1 C(E)IWG Charter Update/Review Implementation Guidance Update Membership Update


• 2018 work plan Development of implementation guidance on cloud computing Other requests for Implementation Guidance development from CIPC Charter Review Annual Updateo New Name – Compliance Input Working Group?o New (Vice)Chair appointed by the Executive Committee (EC)o Participant List Update


Cloud Implementation Guidance Project


CIP -004-6 Access Management Program


CIP -004-6 Access Management Program


CIP -004-6 Access Revocation


Charter Update

• Items of note Propose the new name of Compliance Input Working Group (CIWG) Removed references for anything related to “enforcement” Added a bullet to review Lessons Learned that the CIPC EC deems further

industry follow-up is needed Added a bullet to develop Implementation Guidance where needed under

the direction of the CIPC EC Under Deliverables and Work Schedule o added the work plan is in the CIPC Strategic Plan

Revised the following bulleto Provide CIPC consensus feedback to NERC Compliance Assurance and

Compliance Enforcement on the effectiveness of the CMEP tools and processes when possible


Compliance Guidance Development Update

• Current Status of Documents under Development NEI/NERC PRA Guidanceo NERC- Endorsed

Shared Facilitieso NERC-Endorsed

VoIP in Control Centerso Submitted to NERC for endorsement (Posted on NERC Site)


• NERC CIPC Compliance and Enforcement Input Working Group Update Meetingso Next Conference Call April 12, 2018 at 1:00 p.m. Centralo Subgroup calls as neededo Second Thursday of the Month at 1:00 p.m. Central

Meetings
