Cyber Security for PUC’s

Jeffrey R. PillonMichigan Public Service CommissionMid-America Regulatory Conference

June 17, 2009Traverse City, Michigan

2

Cyber Security Threats are IncreasingThe significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.

Cyber Security Threats• In 2001, hackers penetrated the California Independent System

Operator which oversees most of the state's electricity transmission grid; attacks were routed through California, Oklahoma, and China.

• Ohio Davis-Besse nuclear power plant safety monitoring system was offline for 5 hours due to Slammer worm in January 2003.

• Aaron Caffrey, 19, brought down the Port of Houston in October, 2003. This is thought to be the first well-documented attack on critical U.S. infrastructure.

• In March 2005, security consultants within the electric industry reported that hackers were targeting the U.S. electric power grid and had gained access to U.S. utilities electronic control systems. In a few cases, these intrusions had “caused an impact.”

• In April 2009, the Wall Street Journal stated spies hacked into the U.S. electric grid and left behind computer programs that could allow them to disrupt service.

A tornado near a state data center

Picture from a Security Camera Near Lansing , MI

It’s not only hackers that you need to be concerned about.

Roles for Public Utility Commissions1. Assuring that cyber security requirements that

utilities are subject to are being met, and PUC oversight as appropriate exercised.

– PUC Staff need to be up-to-date on cyber security requirements and potential threats.

2. Assuring that the PUC’s computer systems and operations are subject to on-going cyber security reviews and remediation, and that disaster recovery plans are in place and tested.

– This also included cyber security awareness for agency employees.

3. Understand the National Strategy for Critical Infrastructure

Cyber Security Requirements & Resources

• The North American Electric Reliability Corporation -- Standards CIP-002 through CIP-009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection standards)

• The National Institute of Standards and Technology (NIST) is developing set of smart grid interoperability standards and specifications for inclusion in the Smart Grid Interoperability Standards Framework, Release 1.0.

• The Transportation Security Administration is partnering with Gas Technology Institute to develop training and presentation materials to illustrate existing SCADA vulnerabilities and consequently increase the cyber security awareness of pipeline companies.

• The U. S. Computer Emergency Readiness Team (US-CERT) • Multi-State Information Sharing and Analysis Center (MS-ISAC)• FBI’s Infragard Program: http://www.infragard.net/

1. Utility Oversight

Benefits of the Smart Grid

Source: “San Diego Smart Grid Study”, October 2006

Power outages cost between $80 billion and $150 billion every year.

Smart Grid Matching Grant Program

From: Notice of Intent to Issue a Funding Opportunity Announcement For the Smart Grid Investment Grant Program, April 16, 2009

i. A description of the cyber security risks at each stage of the system deployment lifecycle,

ii. Cyber security criteria used for vendor and device selection,iii. Cyber security control strategies,iv. Descriptions of residual cyber security risks,v. Relevant cyber security standards and best practices, andvi. Descriptions of how the project will support/adopt/implement

emerging smart grid security standards.

Requires a description of how cyber security concerns will be addressed with respect to the use of best available equipment and the application of procedures and practices involving system design, testing, deployment, operations and decommissioning, including at a minimum:

Cost Recovery

• Are the costs prudent?• Will the resulting system be more secure and the

power grid less vulnerable to outages and allow for faster recovery when outages occur?

• To what degree have the cyber security requirements been met?

• Are PUC’s staff knowledgeable about cyber security and know the questions that need to be asked?

Investments in Smart Grid 50/50 Matching Grants

Security of PUC’s computer systems

• Assuring that the computer systems that the PUC relies have on-going cyber security reviews and remediation of identified vulnerabilities.

• Disaster recovery plans are in place and tested and Continuity of Operation Plans have been developed.

• Cyber security awareness for agency employees including social engineering and insider threats.

This may be the responsibility of another state agency or office, but the implication of a failure will impact the business operation of the Commission

2. PUC Internal Operations

Continuity of Operation Plans (COOP)• Internal contingency plans of government and business to

assure the rapid resumption of essential functions as soon as possible if they are disrupted for any reason: e.g., fire, tornado, hurricanes, wildfires, earthquakes, terrorism, pandemics, etc. – Build Self-reliance and Resiliency

• Helps assure that critical/essential functions can quickly resume operations

• Addresses key or essential employees, required facilities, computer system records and back-up data systems, etc.

• Minimize damage & losses

• Management succession & emergency powers

On what cyber systems do you rely?• What IT systems support

critical PUC functions?• What are the backed up

systems?• What systems are needed to

support restoration?• What systems are needed

operationally?• In what sequence should

systems be restored?• What are the

telecommunication needs and requirements?

Hourly Loss from Downtime in the Information Technology Sector $1.3 million/hr

What if this happen to your agency

Employee Education

http://www.michigan.gov/cybersecurity

NIPP 2009 Update– Incorporates extensive State, local, and

private sector input– Expands risk management framework:

• Risk framework is based on threat, vulnerability, and consequences

• Focuses on assets, systems, networks, and functions

– Strengthens information sharing and protection to include the “information sharing life-cycle”

– Represents an “All Hazards” approach– Establishes a “steady-state” of security across

critical infrastructure/key resource (CI/KR) sectors

www.dhs.gov/nipp

3. The National Strategy for Critical Infrastructure

The NIPP and Sector-Specific Plans Set Security Goals Identify Assets, Systems, Networks, and Functions Assess Risk (Consequences, Vulnerabilities, and Threats Prioritize Implement Protective Programs Measure Effectiveness

Sector Specific Plan

http://www.dhs.gov/xlibrary/assets/nipp-ssp-information-tech.pdf

IT Sector Goals

• Prevention and Protection Through Risk Management

• Situational Awareness

• Response, Recovery, and Reconstitution

“Public and private sector security partners have an enduring interest in assuring the availability of the infrastructure and promoting its resilience.”

Defining Resilience

The loss of resilience, R, can be measured as the expected loss in quality (probability of failure) over the time to recovery, t1 – t0. Thus, mathematically, R is defined as:  

Source: Multidisciplinary Center for Earthquake Engineering Research framework for defining resilience (Bruneau and Reinhorn, 2007; Bruneau et al., 2003)

Resilience has four factors• Robustness

– The ability to operate or stay standing in the face of disaster

• Resourcefulness– skillfully managing a disaster once it unfolds

• Rapid Recovery– The capacity to get things back to normal as quickly as

possible after a disaster• Learning lessons

– Having the means to absorb the new lessons that can be drawn from a catastrophe

Flynn, S. (2008) America the Resilient: Defying Terrorism and Mitigating Natural Disasters. Foreign Affairs, 87 (2), 2-8.

Intersecting Stakeholder Interest

State & Local

Federal Private Sector

Source: Homeland Security Advisory Council, Critical Infrastructure Task Force Report, January 2006

• Infrastructure Protection• Governance• Planning• Information Sharing Technologies

• Government Continuity & Resiliency • Safety, Protection & Response

• Business Continuity & Resilience• Innovation & Quality • Shareholder Value

Resiliency

In 2004 Osama bin Laden enunciated a policy of “bleeding America to the point of bankruptcy.”

Public/Private Sector Partnerships

Questions?

Jeffrey R. Pillon, Manager Energy Data & SecurityMichigan Public Service CommissionE-mail: pillonj@michigan.govPhone (517) 241-6171