E-ISAC Update

Bill Lawrence, Director of the E-ISAC
Charlotte de Seibert, Principal Physical Security Analyst
Philip Daigle, Senior Cybersecurity Analyst

Critical Infrastructure Protection Committee
Jacksonville, FL
March 6-7, 2018

TLP:WHITE


Agenda

• Long-term Strategic Plan background
• 2017 Accomplishments
• Strategic plan framework
• Key activities
• Q1/Q2 2018 Deliverables
• GridEx IV update
• Physical security update
• Cyber security update

Background

• The E-ISAC underwent a strategic review with the Electricity Subsector Coordinating Council (ESCC) in 2015
• Under the ESCC, the Member Executive Committee (MEC) was created and serves as a CEO-led stakeholder advisory group
• MEC input was used on the E-ISAC Long-term Strategic Plan developed in 2017
• The plan was approved by the NERC Board in 2017 and included in the NERC Business Plan and Budget for implementation in 2018

2017 Accomplishments (Information Sharing, Analysis, Engagement)

• Launched portal
• Launched recruiting efforts, hired one cyber analysis specialist in 2017
• Conducted GridEx IV: over 6,500 participants (up 50% from GridEx III), over 450 organizations (up 30% from GridEx III)
• Shared over 210 cyber bulletins (140 member-posted; 71 E-ISAC-posted) and 165 physical bulletins (64 member-posted; 101 E-ISAC-posted)
• Launched the Embedded Industry Augmentation program
• Conducted GridSecCon 2017 with over 500 participants (an increase of 20% from GridSecCon 2016)
• Provided content to three NERC Alerts on:
  o Modular Malware Targeting Electric Industry Assets in Ukraine
  o Advanced Persistent Threat Actor Targeting Electric Industry and Other Critical Sectors
  o Supply Chain Risk
• Collaborated with CIPC Security Metrics Working Group on new security metrics and data sources
• Enhanced CRISP:
  o Participation from 25 to 27 companies
  o CRISP governance group of 15 companies
  o Independent audit of PNNL security practices, data handling
• Gathered GridEx IV lessons learned and recommendations
• Produced a security risk assessment for the MRO Security Advisory Council
• Formalized partnership with Downstream Natural Gas ISAC
• Adopted internationally accepted Traffic Light Protocol for information handling
• Produced 51 Weekly, 12 Monthly, 1 Mid-Year, and 1 End of Year reports
• Established MEC user group governance team (UNITE, ISO/RTO Council, Large Public Power Council)
• Facilitated 12 monthly E-ISAC and CRISP webinars
• Produced 12 Monthly CRISP Analysis reports
• Increased active E-ISAC Portal membership from 2,500 to over 3,200 from Q1 to Q3
• Facilitated two CRISP member workshops and threat briefings
• Partnered with DARPA on a cyber security program for electric utilities linked to the GridEx program
• Participated in NRECA RC3 Cyber Security Summits for information sharing best practices
• Partnered with the University of Illinois at Urbana-Champaign and its new Industry – University Cooperative Research Center
• Discussed “malware solutions pipeline” research effort with DOE and National Laboratory system
• Enhanced international engagement:
  o Performed Cyber Risk Preparedness Assessment in Mexico
  o Initiated collaboration with the Japan Electricity ISAC and European E-ISAC (to be continued in 2018)


E-ISAC Strategic Plan

Vision: To be a world class, trusted source of quality analysis and rapid sharing of electricity industry security information

Supported by:
• NERC Board of Trustees
• Electricity Subsector Coordinating Council (ESCC)
• ESCC Members Executive Committee (MEC)

Strategic plan framework: three pillars leading to a World Class ISAC

Information Sharing
• Accelerate sharing and high priority notifications
• Enhance portal
• Improve information flow and security
• CRISP, CYOTE, CAISS, strategic vendor partnerships

Analysis
• Hire and develop exceptional employees
• Leverage information sharing technologies and resources to enhance analytical capability
• Prioritize products and services
• Metrics benchmarking
• Evaluate 24x7 operations (future)

Engagement
• Build trust and show value

Key Activities Update

E-ISAC Critical Broadcast Program
• Operationalized the rapid information sharing capability of the E-ISAC
• 1,208 individuals from 245 organizations joined the call

CRISP (CRISP Governance Committee Activities)
• Established E-ISAC local access to CRISP data
• Governance Committee organized, charter under development
• Further expanding Membership Base – target minimum of four companies joining
• Identifying and evaluating opportunities to lower cost of participation
• Developing Strategic Plan

Portal Launch
• Launched December 19, 2017
• Providing post-production support
• Commence planning for portal enhancements, including potential data visualization, authentication, user management, and registration

Key Activities Update

User Communities
• Developing user communities governance and implementation plan
• Implementing and testing user community capability

Automated Information Sharing
• Developing and piloting CAISS analytic capabilities
• Evaluating pros and cons in moving ahead with ThreatConnect platform

Industry Augmentation Program
• Completed week with participating analysts from NYPA and SRP
• Built trust while exchanging expertise and understanding of threats and response processes

2018 Q1 and Q2 Deliverables: Information Sharing
(Q1 and Q2, tracked at 30/60/90-day milestones)

Objectives:
• Accelerate sharing and high-priority notifications
• Enhance Portal
• Improve information access

Deliverables:
• Join quarterly DHS secure video teleconference tests with industry clearance holders
• Establish and exercise Critical Broadcast process
• Obtain credentials for staff access to DHS National Cybersecurity and Communications Integration Center
• Evaluate strategic vendor partnerships
• Develop and pilot CAISS information sharing capabilities
• Plan and begin implementations of Portal enhancements including potential data visualization, authentication, user management, and registration
• Deploy HF capability
• Circulate draft GridEx IV reports
• Release GridEx IV reports
• Join quarterly DHS HF radio tests
• Build work plan with ESCC and CIPC to accomplish GridEx recommendations and lessons learned
• Gather requirements, develop plan, and issue RFP for Event Management tool

2018 Q1 and Q2 Deliverables: Analysis
(Q1 and Q2, tracked at 30/60/90-day milestones)

Objectives:
• Acquire and develop high quality resources
• Leverage technology
• Evaluate new analytical capabilities
• Metrics benchmarking
• Prioritize products and services

Deliverables:
• Enhance CRISP data analysis with E-L-K technologies
• Evaluate deployment of DOE malware forensics tools and dropbox
• Hire cyber analyst #1
• Hire cyber analyst #2
• Hire cyber analyst #3
• Develop requirements and RFP for contracted analyst support
• Develop embedded industry augmentation program
• Develop and pilot CAISS analytic capabilities
• Benchmark security metric data
• Continue work with CIPC Security Metrics Working Group
• Hire cyber analyst #4
• Hire physical security manager and analyst
• Implement embedded industry augmentation program
• Gather requirements and develop plan and RFP for data warehouse and analyst workbench

2018 Q1 and Q2 Deliverables: Engagement
(Q1 and Q2, tracked at 30/60/90-day milestones)

Objectives:
• Strengthen private sector relationships (e.g., SANS, CEATI, etc.)
• Expand industry relationships and collaboration
• Build trust and value via user communities
• Strengthen governmental, institutional, and private sector relationships

Deliverables:
• Hire Member Services manager
• Promote unclassified workshops
• Establish recurring meetings with DOE, DHS, FERC OEIS
• Add CRISP participants
• Establish MOU with Canadian Cyber Incident Response Centre
• User management registration integration
• SANS ICS Summit
• MEC and CIPC (listed in both Q1 and Q2); MEC
• Establish monthly CRISP classified workshops with DOE and Pacific Northwest National Laboratory
• Continue work on trilateral MOU with Japan E-ISAC and European Energy ISAC
• GridSecCon strategic planning
• GridSecCon call for presentations and training
• Enhance Energy (ONG, DNG) and cross-sector ISAC relationships (FS, Water, Comms, Nuclear)
• Define relationship with Cyber Mutual Assistance program
• Develop user community governance and additional portal requirements

GridEx Mission Statement

GridEx is an unclassified public/private exercise designed to simulate a coordinated cyber and physical attack with operational impacts on electric and other critical infrastructures across North America to improve security, resiliency, and reliability

GridEx Objectives

• Exercise incident response plans
• Expand local and regional response
• Engage critical interdependencies
• Improve communication
• Gather lessons learned
• Engage senior leadership

Exercise Components

Move 0: Pre-Exercise Preparation

Distributed Play (2 days)
• Players across the stakeholder landscape will participate from their local geographies: Utilities, Reliability Coordinators, E-ISAC and BPSA, Fed/State/Prov Agencies, Support and Vendors
• Injects and info sharing by email and phone
• Phases: Identification, Containment
• Operators may participate in Cyber Intrusion detection activities

Executive Tabletop (1/2 day)
• Facilitated discussion engages senior decision makers in reviewing distributed play and exploring policy triggers

Participation

• 6500 Participants
• 206 Electric utilities
• 452 Organizations
• 17 Cross-sector partners
• 10 States (2 full-scale)

GridEx Exercise Participation: Active and Observing

Exercise (total organizations)   Active      Observing
GridEx 2011 (76)                 36 (47%)    40 (53%)
GridEx II (231)                  122 (53%)   109 (47%)
GridEx III (364)                 209 (57%)   155 (43%)
GridEx IV (452)                  335 (74%)   117 (26%)

GridEx IV Communications

Coordinated Operations
• Bulk-Power System Entities: Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc.
• Vendor Support: IT, ICS, ISP, Anti-virus
• E-ISAC (Electricity Information Sharing & Analysis Center)
• NERC Bulk Power System Awareness (BPSA)
• Regional Entities
• NERC Crisis Action Team

Coordination with Government
• Local, State/Provincial Government: Governors / Premiers; Emergency Management Organizations; Emergency Operations Centers / Fusion Centers; Local FBI, PSAs; National Guard; PUCs, PSCs
• DOE (Department of Energy)
• DHS NCCIC: ICS-CERT, US-CERT
• Other Federal Agencies: US: FBI, FERC, DOD; Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC
• Unified Coordination Group (UCG) or non-US equiv.

Executive Coordination
• Electricity Subsector Coordinating Council (ESCC)
• Trade Associations
• Energy GCC, Other SCCs
• Other Critical Infrastructures: Telecommunications, Oil & Gas, others

ExCon (GridEx IV Exercise Control): NERC staff, GEWG, BAH, Nat’l Labs, SMEs for Sim-cell, et al.

Information Sharing with the E-ISAC

• Cyber shares: 204
• Physical Security shares: 364
• OE-417s submitted: 244
• EOP-004s submitted: 132
• Utilities participating in Cyber Mutual Assistance: 43

Preliminary Findings – GridEx IV Distributed Play

• Where’s the Cavalry? Relationship building with partners (e.g. cross-sector, law enforcement, emergency managers, etc.). What is the State/Federal Government’s role during a Grid Emergency?
• E-ISAC Portal improvements
• Greater cross-sector participation
• Public Affairs and Corporate Communications vs. Incorrect or Misleading information
• Communication resiliency (e.g. WPS, GETS, HF Radio, etc.)
• Electric Utility – RC emergency communications
• Cyber Mutual Assistance
• On-keyboard cyber training
• Active Lead Planners

Executive Tabletop Overview

Five-hour Executive Tabletop held on November 16, 2017, the second day of the large-scale GridEx IV security and emergency response exercise. Parallel, separate tabletops were held in Canada and Australia.

Objective: Engage senior industry and government leadership in a robust discussion of the policy issues, decisions, and actions needed to respond to protect and restore the reliable operation of the grid

Executive Tabletop Themes

Extraordinary Measures

Phased Scenario Discussion

Phases: Attacks Begin; One Day After; Three Days After; Two Weeks After

For each phase after attacks begin:
• Participants role-play actions and the decisions needed to respond to the situation, restore power, and secure the grid
• Identify any gaps

Tabletop Discussion

• Situation assessment and initial response by industry and government
• Communications between utilities and with local, state, and federal government
  o Utility liaison with state emergency operations centers
• Immediate government priority: Stop the Attacks
  o Utility liaison with National Guard
• Grid Emergency Operations
  o Utilities have the authority to implement emergency actions (e.g., shed load) to maintain grid operation
  o Utilities coordinate with local and state government to identify high-priority customers

Tabletop Discussion

• Share sensitive information
  o Need to distribute information quickly and declassify if necessary
• Decide national level priorities
  o When resources are limited, balance local, state, and national interests
• Critical infrastructure interdependencies
  o Communications, financial services, natural gas, and critical manufacturing sectors as “life-line” sectors
• Utility finances to fund recovery and restoration

Way Forward

• GridEx IV Reports will be complete by end of March, 2018
• GridEx V Initial Planning Meeting will be held November 2018

E-ISAC Physical Security Update

Charlotte de Sibert, Principal Physical Security Analyst
CIPC
March 3, 2018

TLP: WHITE

Incident Reporting

• Reporting
  o Submit requests for information, incident or trend related questions, regional analysis requests etc. to [email protected]
  o Continue reporting events via E-ISAC portal, email [email protected]
  o When reporting incidents, provide as many details as possible to provide context
    ‒ Location (city, state, region etc.)
    ‒ Impact (customer outages, financial)
    ‒ Has this type of incident occurred before?
    ‒ Mitigation actions taken

Incidents by Type Overview

Q1 Incidents of Note
• Axe incident in CA
• Suspicious Activity Events
• Emotionally unstable individuals inside substation
• Drone/UAS events
• Security Equipment theft
• Copper price monitoring/theft

Items of Interest

• Activist/Eco-Terrorist group overview
• Foreign Terrorist Organization group overview
• Revised Suspicious Activity Bulletin
• 2018 Initiatives
  o Increased voluntary sharing
  o Increased analyst context
  o Industry sourced articles and whitepaper sharing

PSAG

• Overview of PSAG 2017 Activity
• New Members
• Plan for 2018

E-ISAC Cyber Update

Philip Daigle, Senior Cybersecurity Analyst, E-ISAC
CIPC
March 6, 2018

TLP: WHITE

Cyber Topics of Interest: Summary of 2018

• Malware Targeting Safety Instrumented Systems (SISs)
• Spear-phishing of several members
• Generalized phishing of members

Cryptocurrency Mining: Summary of 2018

Malicious cryptocurrency mining, or cryptojacking, is becoming more prevalent as the price of Bitcoin and other cryptocurrencies skyrockets.

In the past few months many threat actors have shifted away from ransomware to using cryptocurrency miners. Compared to ransomware, cryptojacking takes little to no interaction and can generate currency over an extended period of time.

ESCC Update

Kaitlin Brennan, Manager – Cyber and Infrastructure Security, EEI
Critical Infrastructure Protection Committee Meeting
March 6-7, 2018

RELIABILITY | ACCOUNTABILITY

ESCC Update

• 2018 Schedule
  o May 7, 2018 in Washington, DC
  o July 11-12, 2018 at Idaho National Laboratories
  o October 9-10, 2018 in the Washington, DC / Baltimore, MD area
• Summary of Conclusions – November 2017
• Puerto Rico Response
• Threat Information Sharing
• ESCC-Government Engagement
• ESCC Vision and Planning Strategic Committee
• Cross-Sector Coordination

Legislative Update

Kaitlin Brennan, Manager – Cyber and Infrastructure Security, EEI
Critical Infrastructure Protection Committee Meeting
March 6-7, 2018

Legislative Update

• S.79 Securing Energy Infrastructure Act – Sens. King (I-ME) & Risch (R-ID)
• S.141/H.R. 3086 Space Weather Research and Forecasting Act
• National Defense Authorization Act (H.R. 2810; P.L. 115-91)
• Cyber SAFETY Act of 2018 (S.2392) – Sen. Daines
• Other possibilities:
  o Expanding background investigations of critical utility personnel
  o Standalone energy bills or as part of an infrastructure package
  o “Active Cyber Defense Act” – Rep. Graves (R-GA)
  o S.536 – Sen. Reed (D-RI)
  o Data breach legislation

NERC Control Systems Security Working Group

Carter Manucy, FMPA
Michael Mertz, PNM Resources
Critical Infrastructure Protection Committee Meeting
March 6-7, 2018

CSSWG Update

• Status Update
  o Document review
  o Need for more volunteers
  o Future efforts & projects

Security Training Working Group

David Godfrey
Critical Infrastructure Protection Committee Meeting
March 6-7, 2018

Security Training WG

• Charter
  o CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as educational outreach opportunities.
• Current Members
  o Tobias Whitney, Ross Johnson, John Breckenridge, Carl Herron, Charlotte de Sibert, Jake Schmitter, Bill Lawrence, John Gasstrom, Michele Wright, Amelia Sawyer and David Godfrey.

Security Training WG

• Latest Activities
  o Continue to have monthly conference calls.
• March 2018 Training Review
  o March 2018 – Emergency/Incident Response Management – The STWG had 4 outstanding speakers discussing 3 uniquely different storm events:
    ‒ Chris Vicino – Los Angeles Dept Water & Power – Corporate Security Response and Challenges to the Southern California Wildfires
    ‒ Bert Sausse III – CenterPoint Energy – Corporate Response and Challenges to Hurricane Harvey
    ‒ John R. Large & Carlos Morales – Florida Power & Light – Corporate Security Response and Challenges to Hurricane Irma

Security Training WG

• 2018 Training Schedule
  o June 2018 – Supply Chain Risk Management
    ‒ Carl Herron – E-ISAC/NERC
    ‒ Tobias Whitney – E-ISAC/NERC
  o September 2018 – Transient Cyber Asset(s) – (Panel Discussion)
• Next Steps
  o The STWG is looking for training topic recommendations for 2019 CIPC Meetings; please contact a STWG Member with your ideas
  o We continue to seek and secure volunteer speakers
• CIPC Actions
  o Questions and/or suggestions for today’s discussion

NERC Compliance and Enforcement Input Working Group

Paul Crist, LES
Lisa Carrington, APS
Damon Ounsworth, SaskPower
Critical Infrastructure Protection Committee Meeting
March 6-7, 2018

• Update:
  o Held two monthly CEIWG Calls
  o Reviewed the 2018 Work Plans
  o Discussed the CIP Implications of Cloud Computing “Pilot”
  o Developed a proposal for the Cloud Implementation Guidance Project Phased Approach
  o CIP-004-6 Access Management Phase 1
  o C(E)IWG Charter Update/Review
  o Implementation Guidance Update
  o Membership Update

• 2018 work plan
  o Development of implementation guidance on cloud computing
  o Other requests for Implementation Guidance development from CIPC
  o Charter Review Annual Update
    ‒ New Name – Compliance Input Working Group?
    ‒ New (Vice)Chair appointed by the Executive Committee (EC)
    ‒ Participant List Update

Cloud Implementation Guidance Project

CIP-004-6 Access Management Program

CIP-004-6 Access Management Program

CIP-004-6 Access Revocation

Charter Update

• Items of note
  o Propose the new name of Compliance Input Working Group (CIWG)
  o Removed references for anything related to “enforcement”
  o Added a bullet to review Lessons Learned that the CIPC EC deems further industry follow-up is needed
  o Added a bullet to develop Implementation Guidance where needed under the direction of the CIPC EC
  o Under Deliverables and Work Schedule
    ‒ Added that the work plan is in the CIPC Strategic Plan
  o Revised the following bullet
    ‒ Provide CIPC consensus feedback to NERC Compliance Assurance and Compliance Enforcement on the effectiveness of the CMEP tools and processes when possible

Compliance Guidance Development Update

• Current Status of Documents under Development
  o NEI/NERC PRA Guidance
    ‒ NERC-Endorsed
  o Shared Facilities
    ‒ NERC-Endorsed
  o VoIP in Control Centers
    ‒ Submitted to NERC for endorsement (Posted on NERC Site)

Meetings

• NERC CIPC Compliance and Enforcement Input Working Group Update Meetings
  o Next Conference Call April 12, 2018 at 1:00 p.m. Central
  o Subgroup calls as needed
  o Second Thursday of the Month at 1:00 p.m. Central