Substation Security: Thinking Outside the Fence
Nick Weber, CPP, Compliance Auditor, Cyber Security
Salt Lake City, UT
Slide 2 - Speaker Intro: Nick Weber, CPP
• 17 years first responder, military, and security experience
  o US Army Reserve Information Operations (Cyber): Network Defense Team Leader; Dynamic Defense Deputy Team Leader
  o US Department of Homeland Security: Energy Sector Specialist; Site Assistance Visit Team Leader
  o US Army Cavalry Officer: OIF veteran; Bronze Star Medal; National Training Center (NTC) Opposing Force (OPFOR)
  o Account Manager at a security guard provider
  o Wildland firefighter
Slide 3 - Applicability
• CIP-014-1 (Draft) R4 Threat and Vulnerability Assessment
• CIP-014-1 (Draft) R5 Physical Security Measures
Slide 5 - Purpose
• Zero tolerance society
  o It used to be that the power going out was an adventure
  o Now it’s a national event
• Provide an alternative to the 3G approach (gates, guns, guards)
• Spur discussion to address Beltway concerns
• Spur discussion to shape future physical security standards
Slide 6 - Predominant Substation Threats
• Metal theft
• Vandalism
• Cyber
• Ballistic attack
• Coordinated physical attack
• Coordinated cyber-physical attack
• Trampolines
Slide 12 - Average Current Substation Defense
• Cameras
• Intrusion detection
• System redundancy
• Defense in depth for cyber assets
Slide 13 - The Way Ahead
• Situational awareness
• Vulnerability assessments
  o Terrain analysis
  o Methodology
  o Surveillance detection
• Solutions
  o Deterrents
  o Delay
  o CPTED
  o Emerging technologies
  o Information sharing
Slide 14 - Situational Awareness
• Know your environment
• Know what’s normal for your environment
• Key in on deviations from that norm
• Listen to your “spidey sense”
Slide 15 - Assessment Objectives
• Understand what components or assets are critical to your mission
• Understand the vulnerabilities that could interrupt your mission
• Understand your adversaries
  o Who they are
  o What motivates them
  o How they prefer to attack
Slide 16 - Assessments
• Resources
  o Physical security personnel
  o Local law enforcement
  o Federal agencies
  o State emergency management
• Methodologies
  o ECIP/SAV
  o CARVER
Slide 17 - ECIP/SAV
• Enhanced Critical Infrastructure Protection
  o Conducted by a DHS Protective Security Advisor
  o Somewhat checklist-driven
  o Finished product is a dashboard
    - Compares posture to like facilities
    - Allows for temporary adjustments to show the security posture impact of proposed changes
• Site Assistance Visit*
  o Facilitated by a DHS Protective Security Advisor
  o Conducted by a team of physical security experts
  o Finished products:
    - Dashboard
    - Written report
*Likely discontinued in September 2014
Slide 18 - CARVER
• Approach combines metrics and subjectives
• Scalable
• Evaluates:
  o Criticality – importance of the target
  o Accessibility – ease of access to the target
  o Recuperability – ability to recover
  o Vulnerability – ease of successful attack
  o Effect – direct loss from attack
  o Recognizability – ease of target recognition
Slide 19 - CARVER Values

| Value | Criticality | Accessibility | Recuperability | Vulnerability | Effect | Recognizability |
|---|---|---|---|---|---|---|
| 9-10 | Loss would stop operations | Easily accessible, not secured | Replacement lead time 1 year or more | Attack vector requires no training or special tools | Extreme socioeconomic impact | Easily recognized with no training and no confusion |
| 7-8 | Loss would significantly reduce operations | Easily accessible, limited security | Replacement lead time 6-12 months | Attack vector requires little training or special tools | Significant socioeconomic impact | Easily recognized by most with minimal confusion |
| 5-6 | Loss would reduce operations | Accessible, but secured | Replacement lead time 2-6 months | Attack vector requires training and special tools | Noticeable socioeconomic impact | Recognized with some training |
| 3-4 | Loss may reduce operations | Difficult to access | Replacement lead time 2-8 weeks | Attack vector requires intensive training and special tools | Minimal socioeconomic impact | Difficult to recognize without extensive training |
| 1-2 | Loss would not affect operations | Very difficult to access | Replacement lead time less than 2 weeks | Attack vector requires well-trained team with numerous special tools | No noticeable impact | Extremely difficult to recognize without training and surveillance |
Slide 20 - CARVER

| Asset | C | A | R | V | E | R | Total |
|---|---|---|---|---|---|---|---|
| Transformer | 8 | 8 | 10 | 8 | 9 | 5 | 48 |
| Control House | 6 | 5 | 5 | 5 | 6 | 7 | 34 |
| Transmission Tower | 5 | 10 | 1 | 9 | 1 | 9 | 35 |
Slide 21 - CARVER Possible Threat Values
• 9-10 – Attack has recently been carried out successfully in close proximity, or intelligence warnings specifically mention the asset
• 7-8 – Attack has recently been carried out successfully in a distant location, or intelligence warnings mention the asset type
• 5-6 – Attack has been attempted unsuccessfully in close proximity, or an attack was attempted some time ago, or intelligence warnings mention similar facilities
• 3-4 – Attack has been attempted unsuccessfully in a distant location, or an attack was successful some time ago, or intelligence warnings mention the sector/industry
• 1-2 – Attack has not been attempted on a like facility
Slide 22 - CARVER
• Repeat for all applicable attack vectors
• Nick’s suggested attack vectors:
  o Direct Fire Ballistic
  o Indirect Fire
  o Explosive
  o Forced Entry
  o Surreptitious Entry
  o Vehicular Attack
  o Incendiary/Arson
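A small CARVER worksheet, added here as an example and not part of the original deck: each asset/attack-vector pair is scored 1-10 on the six factors from slide 19, totals are summed as on slide 20, and rows are ranked for mitigation priority. The slides do not say how to combine scores across attack vectors, so treating the highest-scoring vector per asset as that asset's priority is an assumption; the sample rows beyond the three slide 20 assets are constructed.

```python
"""CARVER prioritization worksheet for substation assets (added example)."""
from dataclasses import dataclass

# The six CARVER factors, each scored 1-10 per the value table on slide 19.
FACTORS = ("criticality", "accessibility", "recuperability",
           "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class CarverScore:
    asset: str
    attack_vector: str
    criticality: int
    accessibility: int
    recuperability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self):
        # Reject anything outside the 1-10 scale so a typo cannot skew the ranking.
        for name in FACTORS:
            v = getattr(self, name)
            if not isinstance(v, int) or not 1 <= v <= 10:
                raise ValueError(f"{self.asset}/{self.attack_vector}: {name}={v!r} not in 1-10")

    @property
    def total(self) -> int:
        return sum(getattr(self, name) for name in FACTORS)


def rank(scores):
    """Highest total first; ties broken by criticality, then asset and vector name."""
    return sorted(scores, key=lambda s: (-s.total, -s.criticality, s.asset, s.attack_vector))


def worst_vector_per_asset(scores):
    """Per asset, keep the vector with the highest total (assumption: max aggregates across vectors)."""
    worst = {}
    for s in scores:
        if s.asset not in worst or s.total > worst[s.asset].total:
            worst[s.asset] = s
    return worst


# Constructed worksheet: the first three rows reproduce slide 20 (no vector given
# there); the last two rows are made-up scores for specific attack vectors.
SAMPLE = [
    CarverScore("Transformer", "unspecified (slide 20)", 8, 8, 10, 8, 9, 5),
    CarverScore("Control House", "unspecified (slide 20)", 6, 5, 5, 5, 6, 7),
    CarverScore("Transmission Tower", "unspecified (slide 20)", 5, 10, 1, 9, 1, 9),
    CarverScore("Transformer", "Direct Fire Ballistic", 8, 8, 10, 9, 9, 7),
    CarverScore("Control House", "Forced Entry", 6, 6, 5, 4, 6, 7),
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        print(f"{s.total:3d}  {s.asset:<20} {s.attack_vector}")
```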
Slide 23 - Terrain Analysis
• Observation
• Avenues of approach
• Key terrain
• Obstacles
• Cover and concealment
Slide 24 - Observation
• Where can adversaries observe me?
• What can I see?
• More importantly, what can’t I see?
Slide 28 - Key Terrain
• What do I really need to keep adversaries away from?
• Where can adversaries conduct surveillance?
• Where can adversaries launch an attack?
Slide 30 - Obstacles
• What do I have available to block adversaries from getting to or seeing me?
  o Natural: cliffs, ravines, trees, large rocks
  o Man-made: fences, gates, bollards
Slide 32 - Cover and Concealment
• What is keeping me from seeing adversaries watching me or approaching me?
  o Vegetation
  o Structures
  o Terrain
Slide 35 - Self Assessment
• What is critical?
  o Low redundancy
  o Long lead times
  o Stops operation within a short time
  o Going to make your life miserable
Slide 36 - Self Assessment
• What is vulnerable?
  o Ballistics paths
  o Susceptible to blast
  o Susceptible to sabotage
• How could I be attacked?
  o Beware a “failure of imagination”
  o Do not think about the likelihood of an attack vector at this point
Slide 38 - Surveillance Detection
• The following few slides are a very small slice of a free three-day course that DHS provides*
• If interested in the full course, contact your DHS Protective Security Advisor
*The presenter is not responsible for curriculum changes over the past four years or the effects of time on memory.
Slide 39 - Attack Planning Cycle
When can the attacker best be defeated?
Planning cycle:
• Target identification
• Surveillance
• Target selection
• Pre-attack surveillance and planning
• Rehearsal
• Attack
• Escape
Slide 40 - Surveillance Detection
Types of surveillance:
• Fixed
• Mobile
• Technical
• Photographic
• Combination
Slide 41 - Hostile Surveillance Points
Where can an adversary effectively conduct surveillance on your facility?
Slide 45 - Hostile Surveillance Points
Q: Ok, we’re down to six big areas, that’s still a lot of ground to cover…
A: Where will someone look out of place and be easily noticed if they’re conducting surveillance?
Slide 47 - Now What?
Q: We’ve identified three areas where adversaries could recon the facility and exploit vulnerabilities. This substation is still remote and I can’t reasonably post a guard there 24/7.
A: Great point! Let’s mitigate those without breaking the bank.
Slide 49 - Now What?
Q: We’ve mitigated all the hostile surveillance points, but what about those ewoks and that storm trooper?
A: It depends
• Delay
• Detect
• Deter
• Defend
Slide 51 - Now What?
Q: Why didn’t your last ewok picture have any deter or defend mitigations?
A: There are a number of deterrents available at little or no cost
• Random security measures
• Every visible security control*
• Police patrols
*Double-edged sword: showing all controls makes your controls easy to recon.
Slide 52 - Deterrents
Q: What do you mean by random security measures?
A: Random security measures allow you to implement security controls that wouldn’t be fiscally possible if they were implemented across your facilities 24/7. The key to successful random security measures is to avoid any discernible pattern and to ensure the measures are enough of a departure from your standard security posture that they throw off an adversary. Random security measures are the bane of a recon scout’s existence!
Slide 53 - Deterrents
Q: What are some examples of random security measures?
A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers
Slide 54 - Deterrents
Q: Do random security measures make any difference?
A: When I was in Iraq, my platoon was responsible for operating and defending an entrance control point (ECP)* to the III Corps HQ and was co-located with the entrance to Baghdad International Airport. All 365 days we held that mission we were identified as a high-value target by various insurgent groups. We were successful in our mission largely because of random measures.
*Fancy Army term for a gate
Slide 55 - Deterrents
Q: How do I get the police to patrol my remote sites?
A: Information sharing!
• Teach your first responders what’s critical
• Invite first responders out for tours/site familiarity
• Where possible, offer some desk space and/or a pot of coffee
Slide 56 - Delay
Q: How can I defend my site without hiring a small army?
A: Do you have armed drones available? If not, you’re likely limited to your response plan.
Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
  o Guard force
  o LLE
  o Operations personnel
• How long can you delay vs. how long will your response take to get on site?
  o 15 minute delay + 30 minute response = problem
Slide 57 - CPTED Concepts
• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic
Slide 59 - Shape Your Environment
• Put yourself in the attacker’s position: which location would you prefer to attack?
Slide 62 - Control Traffic
• Use barriers and controls to redirect all approaches through highly visible areas.
Slide 63 - Available Technologies
• Acoustic sensors
• Anomaly detection software
• Unmanned Aerial Vehicles (UAVs)
Slide 64 - Other Good Ideas
• Get to know your neighbors
  o Ask them to keep an eye out for things out of the ordinary
  o Share your knowledge, experience, and resources when feasible
• Take the full Surveillance Detection class
• Get involved in local and/or industry-based security groups
• Participate in GridEx
• Attend GridSecCon
• Get to know your first responders, state emergency management personnel, and Protective Security Advisor
• Tap into available threat information sources
Slide 65 - At Your Service
• Interest in a CIP-014-1 Roadshow?
  o Contact Brent or Laura
• PSWG: get plugged in! http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• Phone call away: we want to help.
• Always willing to provide our audit approach
Questions?
Nick Weber, CPP
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 386-6288
[email protected]