Page 1: CIP Program Highlights

Member Representatives Committee

October 28, 2008

Michael Assante, CSO
michael.assante@nerc.net

Page 2

• Monitor reliability

• Monitor hazards

• Coordination with government

• Coordinate with other sectors (PCIS)

• Support their mission/role

• Identify, address and monitor security risk to the BPS

• Provide expertise

• Support efforts

• Focused on CIP events & enhancing preparedness

Establish a core CIP program, Enhance SA & work across NERC’s programs

• Support the development of expertise

• Training

Standards

• Focused on CIP risks

Mutually Supporting Constructive Overlap (ES-ISAC)

• CIPC & EC

• ESCC engagement

• Standards

• Assessments

• Leadership

• Support

[Diagram labels: Critical Infrastructure Protection; CSO; Situational Awareness; Compliance; Assessment; Events Analysis; Training; Regions; Industry; NERC CEO; Board of Trustees; ESSG]

Page 3: NERC Core Programs - CIP

Ensure the Reliability of the Bulk Power System

Trusted within the industry

Recognized for effective leadership

Critical Infrastructure Protection

CIP Standards Development

• 9 CIP standards approved

• Enhance & update existing standards

• Propose new standards to address security concerns

CIP Standards Compliance

• Enforce compliance (along with regional reliability organizations)

• Audits, monitoring & investigations

Security Risk Assessment

• Assess threats to the Bulk Power System

• Identify concerns to be addressed

• Cyber risk & preparedness evaluation

ES-ISAC / Security Leadership / Situational Awareness

• Notifications & alerts

• Preparedness & response coordination

• Monitor events impacting the grid

• Facilitate coordination & reliability tools

Chief Security Officer (CSO)

ESCC, ESSG, PCIS, NIAC, CSO Council

“Ensure threats to the reliability of the BPS, especially cyber, are clearly understood and are sufficiently mitigated”

Page 4: NERC CIP Enhancement Plan

Mobilize executive participation & guidance (e.g. ESSG)

Establish NERC CIP Program (Hire CSO, Strategy, Resources)

Formalize NERC led assessment & initial CRP evaluation

Enhance the ES-ISAC (improve alert reporting, process maturity, lists)

[Milestone timeline chart; columns: 2HCY08, 1HCY09, 2HCY09; labels: Executive Engagement, ESSG, NERC CIP Program Portfolio, Resourcing, Assessments, Risk Assessment, CRP Evaluation, Enhance ES-ISAC, Improve. Prjcts, Order 706, CEO Briefing, Cyber Summit, CSO, CIP Portfolio, Phase I]

Page 5: Cyber Risk Preparedness Evaluation

Identify existing capabilities to prevent, detect, respond and limit the potential damage of existing/emerging attack techniques

Objective: Understanding how prepared both individual entities (by type) and existing processes/mechanisms are to ensure reliability of the BPS while under a successful cyber attack

Approach: Devise several realistic but challenging cyber scenarios and conduct a series of table top exercises with volunteer entities

• CRP team will use a process to evaluate key criteria for determining preparedness

Areas to Evaluate: (The scenarios will be consistently evaluated for all entities for the following capabilities)

• A. Prevent cyber attacks

• B. Detect cyber attacks

• C. Technically respond to cyber attacks

• D. Manage their systems and electricity assets to minimize potential damage

• E. Communicate and coordinate effectively with interconnected neighbors and area coordinators to contain effects on the bulk power system

Page 6: ES-ISAC Enhancement

Page 7: ES-ISAC Mission

The ES-ISAC serves the Electricity Sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures.

• Preparedness & response calls (e.g. Hurricane Gustav)

It is the job of the ES-ISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants to take protective actions.

• As the ES-ISAC, NERC gathers, disseminates and interprets security-related information.

• FERC has oversight of NERC’s alerting process for U.S. entities

• Canadian authorities provide guidance for alerting to Canadian entities

Page 8: ERO & ES-ISAC (similar but distinct)

Remainder of U.S. Electric Sector Entities

ERO

NERC CSO & Staff

ES-ISAC

Bulk Power System Entities North America

NERC Board of Trustees

Electric Sector Steering Group

NERC Critical Infrastructure Protection Committee

Industry Involvement: Expertise & Feedback

ERO & ES-ISAC Operations, Risk Monitoring and CIP Alert Notification

Provides ES-ISAC governance & guidance

Provides advice & support to the ES-ISAC

Operates the ES-ISAC & performs ERO CIP risk monitoring functions

Approx: 1,847 Entities in North America (as of Oct 2008)

3,170 traditional electric utilities in the United States (DOE provided information - not current)

Formal effort to involve industry SMEs in the generation of Alerts

Page 9: CIP: ES-ISAC/NERC Alerts

Advisories, Recommendations, and requests for Essential Actions (ERO & ES-ISAC missions)

Issued to relevant industry sectors when a security risk (threat or vulnerability) arises

• Advises the industry to evaluate the risk and take action to correct issues affecting reliability/CIP

Cyber

Physical

Logical

All Hazards

Page 10: Reporting Concerns & Objectives

Don’t want to numb the sector with too much reporting

Do want to appropriately choose alerting vehicles based on the seriousness of the risk

• Advisory – Notify the sector of a vulnerability that could be applied in a way that would directly or indirectly impact the BPS

• Recommendation – Notify the sector and receive replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability and potential to cause serious consequence in the BPS

• Essential Action – Notify the sector so they may take immediate actions and require replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability, potential consequences, and indications or the potential that an attacker will exploit the vulnerability

In a perfect world we would like to see the reporting fall into the following buckets over a year (we will not shape reporting to arbitrarily fit these levels):

• Advisories: 80%

• Recommendations: <20%

• Essential Actions: <1% (only used for critical & time sensitive risks)

Page 11: Technology Application of Concern (TAC)

Technology Area | Vulnerability Alerting

SCADA EMS | Yes

Field Control & Protection | Yes

Plant Control Systems | Yes

Market Systems | Consider

Networking & Telecommunications | Consider

Business Systems | No

Mobile Technology | No

Page 12: SCADA Vulnerability & Exploit Disclosures

Tracking from 2005 to Present (4QTR08)

* This captures only publicly released vulnerability discoveries and exploit tools/code

[Chart: Control Systems Vulnerability & Exploit Disclosures; years shown: 2005, 2006, 2007, 2008; series: Available exploits, Disclosed Vuls]

Page 13: ES-ISAC “Operational Excellence”

Streamline & exercise NERC notification lists

• Project underway to address existing problems and establish a sustainable approach to manage the lists

• Will exercise the notification lists (improve, educate and verify)

Administrative exercise (November)

– Addition of an FAQ

– Instructions to recipients

Operational exercise (2 tests per year)

– Recommendation-level or higher Alert

– Instructions & Exercise Replies required

Longer-term: Develop a secure mechanism to receive alert feedback and facilitate effective two-way communication

• Identify an appropriate mechanism for authenticated (record responses for recipients by entity) and secure feedback & alert responses