E-ISAC Update
Marcus Sachs, Senior VP & Chief Security Officer
CIPC Meeting, December 12, 2016
Summary of Q3 2016
• Sharing and reporting
  – 198 E-ISAC staff posts to the portal
  – 33 member responses to the portal items
  – 17 additional posts to the portal from members
  – 42 calls to the E-ISAC hotline
  – 211 new portal accounts
• Engagement (monthly average during the quarter)
  – 263 webinar attendees
  – 414 downloads of the daily report
• Active portal membership on September 30, 2016
  – 1201 NERC registered entities (86% of 1389 registered entities)
  – 366 non-NERC registered entities (18% of estimated 2000 eligible)
  – 114 partners (government, other ISACs, etc.)
Advisories and Reports
• Mid-year Report (July)
• Engaging the E-ISAC (August)
  – Second publication on how to use the E-ISAC’s products and services
  – Produced with input from the Member Executive Committee
• Security Management in the North American Electricity Sub-Sector (September)
  – Framework for comprehensive physical security of electricity assets
• Recommendations to Oblenergoes (September)
  – Timeline of issues in 2015 that led to the December incident
  – Assessment of the problem and detailed list of recommendations
  – Checklist of actions that should be immediately implemented
Internet of Things Issue
• Explosive growth of “smart devices” in the past two years
  – Things that can communicate over the Internet
  – Security cameras, digital video recorders, alarms, light switches, coffee pots, refrigerators
• Most are not designed to be secure against unauthorized access
  – Can be hijacked by malicious actors
  – Are being used to attack other systems
• Three attacks on October 21, 2016 against an Internet service provider
  – Caused hundreds of popular web sites to be unavailable
• E-ISAC issued TLP-AMBER, TLP-GREEN, and TLP-WHITE advisories at the end of October
E-ISAC Staffing and Support
• Staffing
  – 17 employees plus three contractors in the Washington, DC office
  – Physical security manager transferred internally
  – Member services manager (ESCC recommendation) hired in August
  – Active search for a new Watch Operations Team director
• Technology
  – Web portal upgrade project initiated in June, will finish in November
  – New platform project RFP issued in late October
  – STIX/TAXII pilot in final stages of vendor procurement
  – CRISP unclassified data center initiative started
Member Executive Committee
• 2016 work plan execution is on track
  – Publish a “How-To” Guide (“Understanding Your E-ISAC”)
  – Develop E-ISAC Products and Services List
  – Define E-ISAC Role in Classified Briefings
  – Establish User Communities
  – Develop Strawmen for E-ISAC Reports
  – Pilot Automated Information Sharing (Platform)
  – Initiate Improvements to the Portal
  – Develop Plan to Evaluate 24/7 Watch and Notification Capability
  – Conduct Site Pen Testing
• MEC face-to-face meeting in September
  – Discussed Board’s request for a strategic plan
Learn More About Us!
• Sign up online at https://www.eisac.com
• Download our “how to” guides
  – Brochure
  – Understanding Your E-ISAC
  – Engaging the E-ISAC
GridSecCon Review and Update
Bill Lawrence, Director, Programs and Engagement, E-ISAC
CIPC Meeting, December 14, 2016
GridSecCon 2016
• Great:
  – Location!
  – Attendance!
  – Training!
  – Summit sessions!
  – Networking!
  – Tours / threat briefs!
http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridSecCon.aspx
GridSecCon 2017
• October 17-20, 2017
E-ISAC Cyber Update
Steve Herrin, CRISP Manager
CIPC Meeting, December 13, 2016
Summary of Q3 2016
• Overall Trends
  – Internet of Things (IoT) DDoS attacks – Mirai Botnet
  – Redirect to compromised websites
  – Phishing
  – Suspicious Traffic Reporting
  – Trojanized software/hardware (Supply Chain Issues)
• E-ISAC Cyber Security Capabilities
  – Increased reporting by E-ISAC partners
  – Focus on obtaining, analyzing, and sharing indicators of compromise and actionable threat information
  – Enabling electricity companies to identify sector-relevant threats and attacks
Cyber Observations
• Reconnaissance only: 15%
• Attempts to compromise: 65%
• Compromised hosts: 20%
Cyber Bulletin Topics
• Trojan: 24%
• Botnet: 24%
• Ransom/scam-ware: 14%
• VPN/SSH session: 14%
• Browser Hijacker: 9%
• Exploit Kit: 10%
• Unknown: 5%
Internet of Things Scanning
• DDoS attack against an electric utility ISP
  – Recorded 30-35 Gbps against outside IP ranges
  – DDoS was sourced from millions of spoofed IP addresses and came in as an ACK attack vs. the typical SYN DDoS
• Source code for Mirai Botnet released
• Threat actors continue to use internet-enabled devices to conduct small scale DDoS attacks
Phishing
• Attempts at Social Engineering
  – Redirect to compromised websites that contain malware
  – Dridex malware
  – Typical indicators include email subjects related to “Purchase Orders”
• “Whaling”
  – Catching a “big fish” – typically focused on C-suite employees
  – Typically requesting funds transfer to another employee
Updates
• E-ISAC implementing Elasticsearch, Logstash and Kibana (ELK) platform for enhanced analytic capability
• CRISP is now attributed in portal postings
• The E-ISAC STIX/TAXII pilot with 7-10 companies is in progress
• Portal improvements continue to be implemented
STIX/TAXII and CRISP Projects
Status of information sharing projects
Marc Sachs, Senior VP & Chief Security Officer, NERC
CIPC Meeting, December 13, 2016
TLP GREEN
STIX / TAXII Pilot
• STIX/TAXII pilot is a technology proof-of-concept project
  – Called for in 2015 ESCC recommendations
  – Results of the pilot will be integrated into future platform
  – 7-10 pilot participants needed, more are welcome
• NERC pays for back-end services
  – Participants pay for any hardware or software needed at user’s sites
• RFP sent to selected vendors end of Q2, selection made in Q3
• Two complementary solutions chosen:
  – ThreatConnect – front end GUI for analysis and STIX package creation
  – Soltra Edge – back end machine-to-machine communications TAXII server (Soltra Edge was sold to NC4 in November)
STIX = Structured Threat Information eXpression
TAXII = Trusted Automated Exchange of Indicator Information
STIX / TAXII Implementation Timeline
• 2016:
  – October – Budget validation and contract negotiations
  – November – Product installation and internal user acceptance testing
  – Early December – Participant beta testing (3-4 participants)
  – Mid-December – Participant pilot testing (remaining participants)
• 2017:
  – Integrate STIX / TAXII technology into Portal Platform Ecosystem
  – Pilot and test STIX / TAXII technology with additional participants
  – Continue to seek membership feedback and determine long term viability
CRISP Unclassified Data Center
• All CRISP data currently flows to PNNL
  – CRISP participants use Information Sharing Devices (ISDs) to collect and send data
  – PNNL provides system to “write up” to classified networks for analysis
  – E-ISAC currently relies on PNNL for analysis of CRISP data and reports
• New capability will give E-ISAC analysts the ability to store and analyze unclassified data locally
  – Up to 200 TB storage array to be installed at the E-ISAC
  – Three stand-alone analyst workstations in place now
  – Currently evaluating equipment quotes and new analytical tools
  – Plan to have capability functional by December 2016
• Once complete, the E-ISAC will be able to query and analyze unclassified CRISP data with minimal PNNL involvement
DoE and E-ISAC Initiatives
Program Title | Description | Number of Participants | Start Date | End Date
CRISP | ISDs in front of corporate perimeters collect data for analysis | 75% of US based customers | Oct 2014 | Ongoing
Enhanced Analytics | Partnership with INL, ANL, ORNL, PNNL; enhance the classified enrichment process with new tools and analytic capabilities; augment services to CRISP industry participants | Subset of CRISP participants | Oct 2016 | Ongoing
Operational Technology Pilot | INL led with ANL, ORNL support; industry participants; project in requirements development stage | 4 industry participants | 2016 | 2017
Operational Technology Sensor Project | INL led with ANL, ORNL support; industry participants; project in requirements development stage | 4 industry participants | 2017 | 2018
Improved Cyber and Physical Security Culture for APPA and NRECA | $15 million funding subject to appropriations ($5 million in 2016); develop security tools; educational resources; updated guidelines; training | APPA and NRECA members | 2016 | 2018
STIX/TAXII Pilot | E-ISAC led with support from DoE; limited deployment of automated information sharing system | 8-10 industry participants | 2016 | 2018
Portal Improvements | Three development sprints, incremental member capability improvements; also addressing issues with M&S; priority focus recognizing platform initiative delivery and migration | ESCC MEC; all E-ISAC members | June 2016 | December 2017
Platform Initiative | Platform selection criteria and RFP development in progress | All E-ISAC members | June 2016 | 2017
CRISP Data Repository | E-ISAC Elasticsearch, Logstash and Kibana (ELK) platform for unclassified CRISP analysis; future growth to allow participant access for further analysis | All CRISP participants | November 2016 | 2017
Virtual Forensics (Malware Analysis Dropbox) | DOE funded automated malware analysis facility; use case and requirements development in progress; to support portal platform integration for submissions, results dashboard | TBD industry participants | Oct 2016 (kickoff) | 2017
Supply Chain Risk Management Standards
Mark Olson, Senior Standards Developer
CIPC Meeting, December 13, 2016
RELIABILITY | ACCOUNTABILITY
FERC Order No. 829
“[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”
– July 2016
• Standards must be filed by September 2017
Security Objectives
• Plans must address four objectives as they relate to security of BES Cyber Systems:
  – Software integrity and authenticity
  – Vendor remote access including machine-to-machine
  – Including security considerations during information system planning
  – Vendor risk management and procurement controls
“Responsible entities should be required to achieve these four objectives but have the flexibility as to how to reach the objective…”
Standards Development Process
• Drafting team appointed September 2016
• Standards Authorization Request (SAR) posted October 2016
• Technical conference November 2016
• September 2017 filing deadline will limit ballot opportunities
Timeline:
  – October – December 2016: Initial drafting; Technical Conference
  – January 2017 onward: Formal Comment and Balloting
  – August 2017: NERC Board Adoption
  – September 2017: Deadline for filing
Issues
• New standard v. revisions to approved standards
• Scope of cyber systems
  – High, Medium, Low BES Cyber Systems
  – BES Cyber Systems and associated Electronic Access Control or Monitoring Systems, Physical Access Control Systems, and Protected Cyber Assets
• Combination of procurement controls and technical controls needed to satisfy directives
• Technical and compliance guidance to support understanding of results-based standards
Notional BES Cyber System Life Cycle
Assess / Plan → Procure / Acquire → Deploy / Implement → Operate / Maintain
• R1 and R2 are meant to address “procurement” activities performed during the procurement phases of the life cycle
• R3, R4, and R5 are meant to address “operational” activities performed during the Operate / Maintain phase of the life cycle
*Note: Plans developed in R1 should “identify and assess risk(s) during the procurement and deployment of vendor products and services” (R1 1.1.1), thus addressing risks during the three procurement and deployment life cycle phases
Draft CIP-013-1
• Title: Cyber Security – Supply Chain Risk Management
• Purpose: To mitigate risks of cyber security incidents affecting the reliable operation of the Bulk Electric System (BES) by implementing security controls in the supply chain for the protection of BES Cyber Systems.
Requirement R1
• Requires entities to implement a supply chain risk management plan(s) for mitigating risks to BES Cyber Systems and associated cyber systems
• Plans must include:
  – Controls for BES Cyber System planning and development:
    o Assess risk(s) during the procurement and deployment of vendor products and services; and
    o Evaluate methods to address identified risk(s)
  – Controls for procuring vendor products and services
Requirement R1 (continued)
• Plans must include procurement controls for notifications or coordination:
  – Vendor security events
  – Vendor employee access termination
  – Vulnerability disclosure
  – Response to vendor-related cyber incidents
  – Verification of software integrity and authenticity
  – Vendor remote access coordination including machine-to-machine
Notes on Requirement R1
• Implementation of the cyber security risk management plan(s) does not require the Responsible Entity to renegotiate or abrogate existing contracts (P 36)
• Plans should address all BES Cyber Systems (high, medium, and low) but can do so with a risk-based approach: “…flexibility as to how to reach the objective…” (see Order No. 829 P. 13)
Requirement R2
• Requires entities to review the plan every 15 calendar months and address new risks or mitigation measures, if any
Requirement R3
• Requires entities to implement a process for verifying the integrity and authenticity of software and firmware, and any upgrades to software and firmware, before being placed in operation on high and medium impact BES Cyber Systems
Requirement R4
• Requires entities to implement a process for controlling vendor remote access to high and medium impact BES Cyber Systems:
  – Authorization by the entity;
  – Logging and monitoring of remote access; and
  – Disabling or otherwise responding to unauthorized remote access.
• Applies to vendor-initiated Interactive Remote Access and machine-to-machine remote access
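An added example, not from the drafting team's material, of how the three R4 elements (authorization, logging and monitoring, response) fit together when checked against records: constructed remote-access log lines are audited against the entity's authorization list, and any login with no matching grant, whether from an unknown vendor, to a target not granted, or outside the approved window, is flagged with the disable-and-notify response. The key=value log format, the grant structure, and the vendor and target names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Authorization is one entity-approved vendor access grant (assumed shape):
// which vendor may reach which BES Cyber System, by which channel, and when.
type Authorization struct {
	Vendor, Target, Method string
	Start, End             time.Time
}

// Event is one parsed remote-access record. The key=value line format is
// constructed for this example, not any particular product's log.
type Event struct {
	At                             time.Time
	Vendor, Target, Method, Action string
}

// parseEvent reads a record such as
// "2016-12-01T10:02:11Z vendor=acme target=rtu-07 method=interactive action=login".
func parseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed record: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[k] = v
	}
	return Event{At: at, Vendor: kv["vendor"], Target: kv["target"], Method: kv["method"], Action: kv["action"]}, nil
}

// authorized reports whether an event is covered by some grant: same vendor,
// target and method, and a timestamp inside the approved window.
func authorized(ev Event, grants []Authorization) bool {
	for _, g := range grants {
		if g.Vendor == ev.Vendor && g.Target == ev.Target && g.Method == ev.Method &&
			!ev.At.Before(g.Start) && !ev.At.After(g.End) {
			return true
		}
	}
	return false
}

// Audit returns one finding per login that has no matching grant, carrying
// the response the entity's R4 process calls for (disable and notify).
func Audit(lines []string, grants []Authorization) ([]string, error) {
	var findings []string
	for _, line := range lines {
		ev, err := parseEvent(line)
		if err != nil {
			return nil, err
		}
		if ev.Action == "login" && !authorized(ev, grants) {
			findings = append(findings, fmt.Sprintf("%s unauthorized %s access by %s to %s: disable session and notify",
				ev.At.Format(time.RFC3339), ev.Method, ev.Vendor, ev.Target))
		}
	}
	return findings, nil
}

// SampleGrants and SampleLog are constructed inputs: one approved interactive
// maintenance window and one standing machine-to-machine feed.
func SampleGrants() []Authorization {
	at := func(h int) time.Time { return time.Date(2016, 12, 1, h, 0, 0, 0, time.UTC) }
	return []Authorization{
		{Vendor: "acme", Target: "rtu-07", Method: "interactive", Start: at(9), End: at(12)},
		{Vendor: "acme", Target: "historian-1", Method: "m2m", Start: at(0), End: at(23)},
	}
}

var SampleLog = []string{
	"2016-12-01T10:02:11Z vendor=acme target=rtu-07 method=interactive action=login",
	"2016-12-01T10:40:00Z vendor=acme target=rtu-07 method=interactive action=logout",
	"2016-12-01T13:15:30Z vendor=acme target=rtu-07 method=interactive action=login", // after the window
	"2016-12-01T14:00:00Z vendor=acme target=historian-1 method=m2m action=login",
	"2016-12-01T14:05:00Z vendor=other target=historian-1 method=m2m action=login", // no grant at all
}

func main() {
	findings, err := Audit(SampleLog, SampleGrants())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```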
Requirement R5
• Requires entities to have documented cyber security policies that address software integrity and vendor remote access as they apply to low impact BES Cyber Systems
• Similar to approved CIP-003-6 Requirement R1 Part 1.2
• Consistent with approved standards in not requiring inventory of low impact BES Cyber Systems or lists of authorized users
Standards Development Process
• Preparing for formal comment period in early 2017
• Development of technical guidance continues
Contact Information
• Refer to the Project 2016-03 page for more information
• Email [email protected] to join the email list
• Corey Sellers, Southern Company, SDT Chair – Email at [email protected]
• JoAnn Murphy, PJM Interconnection, SDT Vice Chair – Email at [email protected]
Project 2016-02 CIP Modifications
NERC CIPC Meeting, December 13-14, 2016
2016-02 CIP Standards Drafting Team
Role | Name | Entity
Co-Chair | Christine Hasha | Electric Reliability Council of Texas
Co-Chair | David Revill | Georgia Transmission Corporation
Member | Steven Brain | Dominion
Member | Jay Cribb | Southern Company
Member | Jennifer Flandermeyer | Kansas City Power and Light
Member | Tom Foster | PJM Interconnection
Member | Richard Kinas | Orlando Utilities Commission
Member | Forrest Krigbaum | Bonneville Power Administration
Member | Philippe Labrosse | Hydro-Quebec TransEnergie
Member | Mark Riley | Associated Electric Cooperative, Inc.
Drafting Team Scope
• Revisions will cover eight issue areas:
  – FERC Order 822
    • LERC definition (deadline of March 31, 2017)
    • Transient devices used at low-impact BES Cyber Systems
    • Communication network components between BES Control Centers
  – NERC CIP V5 Transition Advisory Guidance Team
    • Cyber Asset and BES Cyber Asset Definitions
    • Network and Externally Accessible Devices
    • Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
    • Virtualization
  – New
    • CIP Exceptional Circumstances
• SDT also served as an IDT
  – Consider Request for Interpretation concerning shared BES Cyber Systems from EnergySec over the term “shared BES Cyber Systems” in CIP-002-5.1
Low Impact Electronic Access Controls
• The latest ballot on LERC closed December 5, 2016. The ballot received strong support from stakeholders.
  – CIP-003-7: 85.56%
  – Implementation Plan for CIP-003-7: 75.54%
• While some stakeholders expressed support for retaining the definition of LERC, including aligning it with language used in medium and high impact, the SDT decided to move forward with the retirement of the terms.
  – There was strong stakeholder support for the retirement of LERC and LEAP.
  – The SDT determined that the new criteria developed for CIP-003-7, Attachment 1, Section 3.1 provided additional clarity needed for low impact over the language which exists at high or medium impact.
Low Impact Electronic Access Controls (continued)
• Additionally, while there was stakeholder support for the implementation plan, stakeholders provided comments requesting 18 months following regulatory approval rather than the proposed 12 months. Examples of justifications for the 18 month implementation timeline included budget cycles, additional effort required to demonstrate electronic access controls for indirect access, and operational efficiencies created by implementing electronic access controls and TCA requirements together.
• The SDT approved modifying the implementation plan for low impact electronic access controls to 18 months.
• CIP-003-7 and the associated implementation plan have been posted for final ballot.
Transient Cyber Assets & Removable Media at Low Impact
• CIP-003-TCA with a new Section 5 in Attachment 1 was posted for informal comment
• Stakeholders provided generally positive feedback on the draft standard. Comments included the following themes:
  – Request modifications to the specified security objective to address the “risk” of the introduction of malicious code
  – Modify Removable Media definition to be consistent with the changes to the Transient Cyber Asset definition
  – Include the option for CIP Exceptional Circumstances consistent with CIP-010
  – Extend the implementation plan
  – Request updates to the Guideline & Technical Basis section
Transient Cyber Assets at Lows – Definition of Removable Media
• The modified definition of Removable Media is as follows:
  Storage media that:
  1. are not Cyber Assets,
  2. are capable of transferring executable code,
  3. can be used to store, copy, move, or access data, and
  4. are directly connected for 30 consecutive calendar days or less to a:
     • BES Cyber Asset, a
     • network within an Electronic Security Perimeter (ESP) containing high or medium impact BES Cyber Systems, or a
     • Protected Cyber Asset associated with high or medium impact BES Cyber Systems.
  Examples of Removable Media include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.
CIP-003-7(i) Proposed Implementation Plan Milestones
Revised CIP-003-7(i) Implementation Plan (LERC and TCA at Lows) – Worksheet, as proposed December 2016
Order 822 Effective Date: March 31, 2016
Standard/Requirement | Compliance Deadline
CIP-002-5 | 1-Jul-16
CIP-003-6 | 1-Jul-16
CIP-003-6, R1, part 1.1* | 1-Jul-16
CIP-003-6, R1, part 1.2 | 1-Apr-17
CIP-003-6, R2 | 1-Apr-17
CIP-003-6, Att 1, Sect. 1 | 1-Apr-17
CIP-003-7, Att 1, Sect. 2 | 1-Sep-18, 1-Jan-19, 1-Apr-19, 1-Jul-19 or 1-Oct-19 (see note on FERC approval below)
CIP-003-7, Att 1, Sect. 3 | 1-Sep-18, 1-Jan-19, 1-Apr-19, 1-Jul-19 or 1-Oct-19 (see note on FERC approval below)
CIP-003-6, Att 1, Sect. 4 | 1-Apr-17
CIP-003-7(i), Att 1, Sect. 5 | NA, 1-Jan-19, 1-Apr-19, 1-Jul-19 or 1-Oct-19 (see note on FERC approval below)
CIP-004-6 | 1-Jul-16
CIP-005-5 | 1-Jul-16
CIP-006-6 | 1-Jul-16
CIP-006-6, R1, part 1.10** | 1-Apr-17
CIP-007-6 | 1-Jul-16
CIP-007-6, R1, part 1.2** | 1-Apr-17
CIP-008-5 | 1-Jul-16
CIP-009-6 | 1-Jul-16
CIP-010-2 | 1-Jul-16
CIP-010-2, R4 | 1-Apr-17
CIP-011-2 | 1-Jul-16
TCA, RM Glossary Terms | 1-Apr-17
BCA, PCA Glossary Terms | 1-Apr-17
LERC, LEAP Glossary Terms | 1-Apr-17
Notes:
  – The CIP-003-7 and CIP-003-7(i) dates depend on the effective date of the FERC approval (worksheet columns: 2Q17, 3Q17, 4Q17, 1Q18); the LERC revisions become effective on the corresponding date.
  – V5 Enforcement Date***
  – NERC Board Adoption: IAC, CN revisions – November 13, 2014; LI, TD revisions – February 12, 2015
  – July 1, 2016 – CIP V5 Approved Compliance Date
  – All dates and deadlines remain active under CIP V6 implementation plan
  – Retirement of Terms
Potential Posting Schedule
The LERC only version of CIP-003-7 moved to final ballot concurrent with an additional ballot of CIP-003-7(i) containing modifications for both LERC and TCA. If the LERC and TCA revisions pass stakeholder ballot and final ballot, all revisions could be presented to the Board in February for adoption.
• LERC Comment/Ballot: Oct 21 – Dec 5
• TCA Comment: Nov 1 – Nov 18
• LERC Final Ballot: Dec 9 – Dec 18
• TCA Comment/Ballot: Dec 12 – Jan 25
• LERC+TCA Final Ballot: Jan 30 – Feb 8
• NERC Board Meeting: Feb 8-9
Key Messages
• Implementation plan for LERC revised to make the effective date of CIP-003-7 18 months following regulatory approval.
• CIP-003-7 moved forward to final ballot on Friday, December 9th following the SDT’s meeting.
• The SDT also received positive feedback on the informal comment period for TCAs/RM @ Lows.
• Standards Committee authorized posting CIP-003-7(i) for comment and ballot, which contains the modifications for both LERC and TCA/RM.
• CIP-003-7(i) posted for formal comment and ballot on Monday, December 12th. The ballot closes on Wednesday, January 25th.
SDT Meeting Schedule
2017 Planned Dates:
• January 24-26 – New Orleans, LA – Entergy
• February 21-23 – St. Petersburg, FL – Duke Energy
• March 21-23 – Houston, TX – Occidental Energy Ventures
• April 18-20 – Tampa, FRCC
• May 23-25 – Columbus, OH – American Electric Power
• June 20-22
• July 18-20
• August 22-24
• September 19-21
• October 10-12
• November 14-16
Resources
• This slide deck and other information relative to the CIP Modifications SDT may be found on the Project 2016-02 Project Page under Related Files: Project 2016-02 Modifications to CIP Standards
Emerging Technologies Roundtable Update
Tobias Whitney, Senior Manager of CIP Compliance, NERC Reliability Assurance
CIPC Meeting, December 13-14, 2016
Technology Risk
• Opportunities exist to research and deploy new technologies that could improve the reliable operations of the Grid.
• The mystique of the CIP standards may have challenged the investment and innovation of BES technologies based on compliance risk and cyber exposure.
• Opportunities exist to foster coordinated technology assessments designed to “spotlight” the effective implementation of innovative solutions that support the reliable operations of the BES.
11/15 & 11/16 Roundtable
• Roundtable Day 1: IEC 61850 – slide presentations, morning and afternoon recordings, and detailed agenda available
• Roundtable Day 2: Cloud Computing – slide presentations, morning and afternoon recordings, and detailed agenda available
IEC-61850: Day 1
• Opening remarks – Gerry Cauley, President and CEO, NERC
• Overview of IEC 61850 – Deepak Maragal, Senior Protection & Control Engineer, New York Power Authority (NYPA); Herb Falk, Senior Solutions Architect, Systems Integration Specialists Company (SISCO)
• Building the business case for automation – Jeff Gooding, IT Principal Manager, Enterprise Architecture & Strategy, Southern California Edison (SCE)
IEC-61850: Day 1 (continued)
• Describing the Architecture of IEC 61850 and Generic Object Oriented Substation Event (GOOSE) Messaging – Craig Preuss, Engineering Manager, Black and Veatch; Eric Stranz, Business Development Manager, Siemens
• Security and CIP compliance considerations during deployment – Scott Mix, CIP Technical Manager, NERC
• Roundtable discussion, Industry and Vendor Experiences
[Figure: IEC 61850-90-4 (2013) example LAN architectures. Drawing provided by Craig Preuss, Black & Veatch]
Outcome and Next Steps
• Value-Add Paper
  – Describes operational and reliability benefits of IEC 61850
  – Industry examples of the use of the technology
• Implementation Guide: CIPCV and IEC-61850 Deployments
  – Describes common methods to comply with standards
  – Address common substation network design concerns regarding layer-2, layer-3 networks and VLANs
Cloud Computing: Day 2
• Opening remarks – Mark Lauby, Senior Vice President and Chief Reliability Officer, NERC
• Overview of IEC 61850 – Jianhui Wang, Ph.D., Section Manager, Advanced Power Grid Modeling, Energy Systems Division, Argonne National Laboratory
• Building the business case for automation – Jeff Gooding, IT Principal Manager, Enterprise Architecture & Strategy, Southern California Edison (SCE); Xiaochuan Luo, Technical Manager, Business Architecture & Technology, ISO New England
Cloud Computing: Day 2 (continued)
• Describing the Architecture of IEC 61850 and Generic Object Oriented Substation Event (GOOSE) Messaging – Stevan Vidich, Ph.D., Principal Program Manager, Azure Global Ecosystem engineering team, Microsoft
• Security and CIP compliance considerations during deployment – Tobias Whitney, Senior Manager of CIP Compliance, NERC
• Roundtable discussion, Industry and Vendor Experiences – Alan Boissy, Director of Security Assurance, Amazon Web Services (and panelists)
3rd Parties & CIP Applicability
• Information Access (data classification; information protection) → CIP-011 – Information Protection
• Temporary Access (escorted access; periodic on-site) → CIP-004 – Training and Awareness; CIP-005 – Interactive Remote Access; CIP-006 – Escorted Access
• Operational Support (decision support; data analytics; remote access to Cyber Assets; access to CEII) → CIP-004 – Training and Awareness; CIP-004 – Personnel Risk Assessment; CIP-005 – Interactive Remote Access; CIP-011 – Information Protection
• Real-time Operations (dedicated interface to BES Cyber Assets; operations & maintenance of EACMS; cloud Control Center operations) → All applicable standards and requirements associated with the Cyber Assets used to perform the Registered Entity’s reliability tasks or to manage or operate the Registered Entity’s applicable systems
Physical vs. Virtual
[Diagram: physical hosts compared with a hypervisor hosting BES Cyber Assets inside an ESP; X = BCA, O = PCA]
Physical vs. Virtual
[Diagram: a hypervisor hosting BES Cyber Assets (X) and other Cyber Assets (O) inside one ESP; X = BCA, O = CAs]
Can other Cyber Assets (O) be securely operated within one logically separated virtual environment? Is this concept supported by the standard? No, it is not.
Outcome and Next Steps
• Value-Add Paper
  – Describes operational and reliability benefits of Cloud
  – Industry examples of the use of the technology
• Implementation Guide: CIPV5 Cloud Deployments
  – Describes common methods to comply with standards
  – Address common concerns regarding 3rd party operations and how to obtain compliance evidence from cloud providers
Emerging Technologies
• Cloud Computing – Big Data analysis for preventive solutions
• Renewables + New Registration Paradigms – New Generation Owner/Operators; diffuse operations could impact the BES
• IEC 61850 – Substation network solutions
• Remote Access (FERC mandated) – Due July 2017
• Virtualization (Standards Development) – Server, networks and storage
• Microgrids – Risk based analysis of load centers
• Industrial Network Communications Technologies – Point-to-point, local area wireless and unlicensed radio
• Distribution Management Systems – GIS, outage mgt and increased operational intelligence for smart metered load centers
• End of Life Systems – Assess the vulnerability of unsupported, production cyber assets
• Support Systems – Understanding VOIP, UPS and building automation systems
NERC Team
[Diagram: Technology Risk Assessment spanning three NERC functions: Security, Operations, and Regulatory]
Approach the Topic
• Tech Seminar
  – Invite Vendors and industry stakeholders for a 1 day discussion on the solutions
  – Identify volunteers for whitepaper development
• Coordinated White Paper
  – Coordinate white paper with CIPC (primarily) with support from OC and PC
  – Publish draft paper for comments as part of guidance documents
  – Industry webinar to spotlight results
• Call for Pilots
  – Link interested stakeholders with research agencies
  – Publish lessons learned for industry comments
Each Topic’s SWOT
• Strengths (reliability benefits)
• Weaknesses (current drawbacks)
• Opportunities (external factors)
• Threats (Security & Regulatory)
Questions
• Which deliverables would best address the need?
  – Implementation guide
  – Whitepaper
  – Reliability Guideline
Annual Strategic Planning
Critical Infrastructure Protection Committee
Marc Child, CIPC Chair
CIPC Meeting, December 13-14, 2016
Annual Planning Goals
EC Meeting – September – Albuquerque
• Align CIPC efforts with NERC strategic plan
• Review workgroup & task force charters
• Retire workgroups & task forces as necessary
• Identify new work areas
• Modify CIPC work plan
• Review CIPC Charter
• Review quarterly meeting agenda (content)
CIPC Charter
• Changes
  – CIPC voting members are asked to chair or co-chair a working group or task force at least once within a two-year term
  – Clarifications on what level of expertise is requested for a cyber, physical, or operations voting member
  – Executive committee (EC) has responsibility for ensuring adequate technical representation and level of participation
  – Clarification on handling of committee and EC vacancies
  – Clarify that CIPC and EC meetings are open unless specifically declared as confidential
  – Removed option to vote via facsimile
  – Guideline approval process updated to reflect NERC’s new processes for implementation guidance
Workgroups & Task Forces
CIPC Strategic Plan & Workplan
• Changes
  – Remains mapped to NERC Strategic Plan (strategic)
  – Workplan now mapped to RISC priorities (tactical)
• Risk profile #8: Physical Security
  – Seven Near-term recommendations (1-2 years)
  – Nine Mid-term recommendations (3-5 years)
  – Two Long-term recommendations (>5 years)
• Risk profile #9: Cybersecurity
  – Eleven Near-term recommendations
  – Four Mid-term recommendations
  – Three Long-term recommendations
CIPC Meeting Agenda
• Today
  – E-ISAC update
  – Presentations provided with the agenda packet
• Future?
  – More content heavy
  – Working Group and Task Force updates to be more interactive
  – Regional CIPC updates
  – Listen to feedback
What do YOU want for your investment in time/effort?
Legislative Update
Critical Infrastructure Protection Committee, December 13, 2016
Nathan Mitchell, American Public Power Association
Fixing America's Surface Transportation (FAST) Act 2015
• The new Section 215A(a) defines, among other terms, a ‘‘grid security emergency” and Section 215A(b) authorizes the Secretary of Energy to order emergency measures after the President declares a grid security emergency
• Grid Security Emergency Orders: Procedures for Issuance was posted in the Federal Register (FR DOC# 2016-28974, Pages 88136-88143).
• https://www.federalregister.gov/documents/2016/12/07/2016-28974/grid-security-emergency-orders-procedures-for-issuance
Fixing America's Surface Transportation (FAST) Act 2015
• Application of emergency order: An order for emergency measures under FPA section 215A(b) may apply to the Electric Reliability Organization, a regional entity, or any owner, user, or operator of critical electric infrastructure or of defense critical electric infrastructure within the US.
• Outreach & consultation: To the extent practicable, prior to issuance of an emergency order DOE will alert stakeholders of the grid security emergency through existing alert mechanisms, such as the NERC alert system and ESCC communication coordination processes. All reasonable efforts will be made to consult with stakeholders and appropriate government authorities prior to the issuance of an emergency order.
National Defense Authorization Act
• The National Defense Authorization Act was sent to the President December 8, 2016.
• Sec. 1913 directs the Department of Homeland Security (DHS) to “…conduct an intelligence-based review and comparison of the risks and consequences of EMP [electromagnetic pulses] and GMD [geomagnetic disturbances] facing critical infrastructure…” and to prepare a “recommended strategy to protect and prepare the critical infrastructure of the homeland against the threats of EMP and GMD.”
Other Activity
• Senator Susan Collins (R-ME) was working to insert language into the Intelligence Authorization Bill to increase intelligence community assistance to the critical infrastructure community. The bill stalled in the Senate.
• Congressman Ami Bera (D-CA) is planning to re-introduce H.R. 6227, the "Grid Cybersecurity Research and Development Act," in the next Congress.
Enhance Background Investigation Screening (EBIS)
Initial evaluation areas of concern:
• It is unclear whether the FBI will inform a utility if an applicant is on the Known or Suspected Terrorist (KST) list.
• Requests for FBI background checks must be submitted to a designated state or federal agency; utilities cannot make a direct request to the FBI. It is unclear whether state legislation is necessary or required to authorize a state-level agency in each state to perform this intermediary role.
• The utility industry must agree on and define what offenses would disqualify an individual from working in a position with access to critical infrastructure.
• With ESCC concurrence the trade associations will proceed to develop legislative language to propose in the 115th Congress.
Questions?
How Industry & Government Work Together to Protect Critical Infrastructure
Approach to Grid Security
• Standards
  – Physical
  – Cyber
• Industry-Government Partnership
  – Electricity Subsector Coordinating Council (ESCC)
  – Electricity Information Sharing & Analysis Center (E-ISAC)
  – Partnerships with federal, state, & local governments
• Incident Response
• Grid Resiliency
  – Mutual Assistance
  – Spare Equipment Programs
Purpose & Scope
Purpose: The ESCC is the principal liaison between the electric sector and the federal government for coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.
Scope: The ESCC facilitates and supports policy and public affairs-related activities and initiatives designed to enhance the reliability and resilience of the electric grid. The ESCC is not operational.
Key Scenarios
ESCC Strategic Coordination Responsibilities
• Industry: Utilities; Trade Associations; ISOs & RTOs; NERC; E-ISAC; Canadian Utilities
• External Groups: Other Critical Sectors; Vendors; Critical Customers; Media
• Government: Federal Agencies; Regulators; PMAs; Law Enforcement; State, Local, Tribal, & Territorial; Canadian Agencies & Provinces
ESCC Committee Structure
Leadership
• Threat Information Sharing & Processes
• Industry-Government Coordination
• Leveraging Infrastructure / Research & Development
• Cross-Sector Coordination: Communications; Transportation; Financial Services; Downstream Gas; Water
Committee Missions & Projects
Leveraging Infrastructure / Research & Development
• Mission: Coordinate government and industry efforts on strategic infrastructure investments and R&D for resilience and national security-related products and processes.
• Projects: Spare Equipment Strategy, EMP, National Lab & vendor outreach
Industry-Government Coordination
• Mission: Establish unity of effort and unity of messaging between industry and government partners to support the missions of the ESCC both during crises and in steady state.
• Projects: ESCC Playbook, Public Affairs, Supply Chain, Cyber Mutual Assistance, Exercises
Threat Information Sharing & Processes
• Mission: Improve and institutionalize the flow of, and access to, information among public- and private-sector stakeholders.
• Projects: Member Executive Committee, CRISP, Clearances
Cross-Sector Coordination
• Mission: Develop partnerships between electricity and other critical sectors to prepare for major incidents, better understand and protect mutual dependencies, and share information effectively.
• Communications, Transportation, Financial Services, Downstream Gas, Water / Wastewater
ESCC Leadership
ESCC Support
Secretariat
• Administers enabling functions of the ESCC
• Preps executives
• Notifies members of crisis activation
• Provides coordination and support
• Manages Plus 1s and Senior Executive Working Group
• Leads education and socialization effort
Plus 1s
• Supports the work of their respective ESCC CEOs
• Informs ESCC priorities and strategic vision
• Leads or participates in ESCC committee deliverables
Senior Executive Working Group (SEWG)
• Consists of experts and executives representing both industry and government; it is called on to accomplish the goals and deliverables set by the ESCC committees
• 14 industry and government organizations
• 70+ electric power owners and operators
Senior Executive Working Group Engagement
Industry Organizations | Reliability Organizations | The Government
Electric Power Sector Owners & Operators (81): AES, Alabama Power, Alliant Energy, American Electric Power, Ameren Corp., Arizona Public Service, Arkansas Electric Cooperative Corp., AVANGRID, Avista Corp., Basin Electric Power Corp., Berkshire Hathaway Energy, Bonneville Power Administration, CA Independent System Operator, CenterPoint Energy, City Utilities of Springfield Missouri, Colorado Springs Utilities, ComEd, Consolidated Edison, Consumers Energy (MI), Dominion, DTE Energy, Duke Energy, Edison International, ELCON, Energy Future Holdings, Electric Reliability Council of Texas, Enmax, Entergy Corp., Eversource Energy, Exelon Corp., FirstEnergy Corp., Florida Power & Light, Garland Power & Light, Georgia Power, Georgia Transmission Corp., Great River Energy, Hawaiian Electric Company, Hydro One, IESO, InfraREIT, ITC Transmission Co., Kansas City Power & Light, LG&E & KU, Lincoln Electric Power System, MidAmerican Energy, MISO, NextEra Energy, NiSource, Norwich Public Utilities, NY Independent System Operator, NY Power Authority, NV Energy, Oklahoma Gas & Electric, Old Dominion Electric Cooperative, Oncor, Pacific Gas & Electric, Pacificorp, Pepco, PJM Interconnection, PNGC Power, PPL Electric Utilities, Public Service Electric & Gas Co., PECO Energy Company, PNM Resources, Sacramento Municipal Utility District, Salt River Project, Santee Cooper, Sempra Energy, Snohomish County Public Utility, Southern California Edison, Southern Company, Tacoma Power, TECO Energy, Tullahoma Utilities Board, TVA, TXU Energy, United Technologies Corp., Vectren, WEC Energy Group, Westar Energy, Xcel Energy
Recent Meeting
• November 29, 2016 – Washington DC
  – Threat Briefing
  – Morning meeting industry only
  – Afternoon session with Government Coordinating Council and one representative from the Trump transition team
  – ESCC will continue to function as before to show the value of the public/private partnership in the new administration.
R&D Committee
• ESCC R&D Committee priorities
  – EPRI EMP Project
  – Advanced Information Sharing Capabilities
  – Resilient Grid Operations Communications
• R&D Alignment Workshop: DOE will convene the national labs, EPRI, trade associations, electric companies, and other R&D organizations to align priorities for the electricity sector and support commercialization of technologies.
Threat Information Sharing Committee
Incident Response & Exercises Discussion
• Cyber Mutual Assistance
• IoT Cyber Threat
• National Cyber Incident Response Plan
• GridEx IV
Future activities:
• CRISP analysis and recruitment
• DOE Comparative Risk and Hazard Analysis
• E-ISAC redistribute Ransomware Best Practices
• Enhanced Background Information Screening
Cross-Sector
• Procurement Best Practices: DOE and DHS will provide the ESCC an update on foreign and domestic procurement best practices, particularly as it relates to critical infrastructure equipment. The ESCC will organize industry, critical manufacturing, and the government to create a voluntary framework that addresses supply chain issues.
• Strategic Infrastructure Coordinating Council: Coordination between the electricity, telecommunications, and finance sectors is getting under way.
Next ESCC Meetings
• May 2017
• July 2017
• November 2017 – coordination with GridEx IV
Focus areas:
• Transition to new Administration
• Industry Government Coordination
• Leveraging Infrastructure/R&D
• Threat Information Sharing & Processes
• Cross Sector Coordination
Contact Information
Nathan Mitchell
Sr. Director of Electric Reliability Standards and Security
American Public Power Association
[email protected]
For more information: electricitysubsector.org
NERC RISC Update
Critical Infrastructure Protection Committee, December 13, 2016
Nathan Mitchell, American Public Power Association
RISC Report
ERO Reliability Risk Priorities: RISC Recommendations to the NERC Board of Trustees
http://www.nerc.com/comm/RISC/Related%20Files%20DL/ERO_Reliability_Risk_Priorities_RISC_Reccommendations_Board_Approved_Nov_2016.pdf
RISC Meetings
• Future Meeting Dates
  – RISC Committee Call: December 16, 2016 | 9:00 a.m. – 10:00 a.m. Eastern | Dial-in: 1-866-740-1260 | Access Code: 5247071 | Security Code: 486651
  – March 21, 2017 – Reliability Leadership Summit
  – March 22, 2017 – RISC In-person meeting
Questions?
Grid Exercise Working Group
CIPC
Bill Lawrence, Director, Programs and Engagement, E-ISAC
December 14, 2016
Where we were
Establish the Scope
• NERC leadership and GEWG
• Determine the level and type of impact desired
• Determine what will be targeted
• Determine the attack vectors
Develop a Narrative
• Backstory or ground truth: attacker profile
• The Who, How, and Why of the attack
• Timing of the attack
• Expected Player actions
MSEL Development
• Detailed sequence of exercise events with inject timing
• Expected Player Actions
• Dynamic inject development
• Custom injects within entities and RC areas
Where are we now
Calendar
• Wednesday, December 14, 2016 GEWG meeting: Ritz-Carlton Buckhead, Atlanta, GA, 1 – 5 p.m. Eastern; https://decgewg.eventbrite.com
• Midterm Planning Meeting – Friday, February 10, 2017. Location: McLean, VA
• GEWG – Thursday, March 9, 2017. Location: Atlanta
• Final Planning Meeting – May 1, 2017. Location: McLean, VA
• Summer meetings and planner/player training presentations
• GridSecCon 2017 – October 17-20, 2017. Location: TBD (Minneapolis/St. Paul, MN); Move Zero training, GridEx IV kickoff
• GridEx IV – November 14-17, 2017 (four days?!?): Warmup ExCon day; Main days; Rapid Deployment day?
TTTL (Tim’s Top Ten List)
What should you be doing?
1. Login to GridEx Portal
2. Identify your internal team of planners that will help you throughout GridEx
3. Identify which parts of your organization will be playing
4. Download draft Scenario Narrative with your team
5. Start thinking about and discussing schedules
   a) Player (IT, OT, Physical, Operators) schedules for GridEx dates
   b) Move 0 participation schedule / GridSecCon attendance 10/17/17
   c) Reserve necessary conference rooms and work areas with phones and appropriate computers / AV
   d) Planner participates in GEWG calls and in-person Planning meetings
TTTL (Tim’s Top Ten List)
What should you be getting ready to do?
6. Review and comment on the MSEL with your planners
7. Identify the injects that your organization will be subscribing to
8. Work with your RC during GridEx planning meetings to discuss system impacts and injects being selected by organizations within a region
9. Assist in the development of generic inject artifacts for the use by all organizations
10. Work with your internal planners and utilize your systems to develop and create high value custom inject artifacts for your players
Next Steps
• Register your organization for GridEx IV by identifying your Lead Planner to get GridEx IV Portal access ([email protected])
  – Look for updates on the GridEx Portal’s calendar or Lead Planner folders regularly (weekly)
  – Update notifications will be transmitted to Lead Planners only
• Begin Player identification and block off GridEx IV dates for their training (November 15-16, 2017)
• Download and review exercise Scenario Narrative
• Attend Planning Meetings (on February 10 and May 1, 2017) and be aware of follow-on Planner and Player training opportunities
Security Training Working Group
David Godfrey, STWG Co-chair, City of Garland Power and Light
Critical Infrastructure Protection Committee
December 13-14, 2016
STWG Update
• Charter: CIPC will provide meeting attendees with an opportunity to participate in physical, cyber, and operational security training, as well as educational outreach opportunities.
• Current Members: Tobias Whitney, John Breckenridge, Ross Johnson, Tim Conway and David Godfrey
STWG Update
• Latest Activities
  – Working with NERC to re-establish monthly conference calls
  – Working with SANS for pre-CIPC meeting training opportunities
• 2017 Training Schedule and Opportunities
  – March 9 – 10, 2017 – Physical Security Training Course. This course has been designed with CIP-014 in mind and to assist in understanding and preparing for the comprehensive ASIS International Physical Security Professional Certification Exam. Currently the course is open only to ERO personnel unless the class does not fill.
  – June 2017 – TBA
  – September 2017 – TBA
  – December 2017 – Annual Classified Electricity Sector Threat Briefing
STWG Update
• Next Steps
  – Continue to expand the list of free on-demand training from reputable agencies and vendors
  – Secure volunteers to join the group
  – Schedule and prepare future pre-CIPC training sessions and webinars
  – Work with vendors and/or individuals in the industry to provide specific training to industry
• CIPC Actions: Concerns and/or suggestions for today’s discussion
BES Security Metrics WG
CIPC Update
Larry Bugh, Chair
Atlanta, GA
December 13-14, 2016
Critical Infrastructure Protection Committee (April 2016)
Executive Committee: Marc Child, Chair, Great River Energy; Nathan Mitchell, Vice Chair, APPA; David Revill, Vice Chair, NRECA; Sam Chanoski, Secretary, NERC; Joe Garmon, Seminole; Melanie Seader, EEI; David Grubbs, City of Garland; Jack Cashin, EPSA; Ross Johnson, CEA; Chuck Abell, Ameren; John Galloway, ISO-NE
Business Continuity Guideline TF (Darren Myers)
Subcommittees: Physical Security Subcommittee (David Grubbs); Cybersecurity Subcommittee (David Revill); Operating Security Subcommittee (Joe Garmon); Policy Subcommittee (John Galloway)
Working Groups: Physical Security WG (Ross Johnson); Security Training WG (David Godfrey); Control Systems Security WG (VACANT); Grid Exercise WG (Tim Conway); BES Security Metrics WG (Larry Bugh); Physical Security Standard WG (Allan Wick); Compliance and Enforcement Input WG (Paul Crist); Physical Security Guidelines WG (John Breckenridge)
Security Metrics Development Roadmap: 2015 and Beyond
BESSMWG Activities
Activities Since September 2016
• Conference call on November 6 to:
  – Review Q3 2016 metrics results
  – Discuss status of draft metrics under development
• Met on December 12 to:
  – Discuss status and next steps for metrics under development: Industrial Control System Vulnerabilities; NERC Alerts
  – Review timeline and activities to prepare Security Metrics chapter of NERC’s 2017 State of Reliability report
  – Review Roadmap document for longer-term next steps
CIPC Update
BES Security Metrics: Q3 2016 Results
Reportable Cyber Security Incidents
Reportable Physical Security Incidents
E-ISAC Membership
Industry-Sourced Information Sharing
Note: Physical Bulletins started in Q4 2014.
Global Cyber Vulnerabilities
Global Cyber Vulnerabilities and Incidents
Note: Only annual data available.
GridEx Exercise Participation
Electricity industry participating organizations (i.e., utilities, independent system operators, E-ISAC, NERC, regional entities)
• “Active” organizations participate similar to a real event
• “Observing” organizations participate in a more limited fashion (e.g., tabletop exercise)
Next Steps
• Continue supporting the E-ISAC to review and validate quarterly data
  – Define and implement sub-categories for cyber and physical incidents
• Complete development of detailed definitions for new metrics
  – Industrial control system vulnerabilities
  – Frequency of NERC Alerts (Industry Advisory, Recommendation to Industry, Essential Action)
• Begin drafting the Security Metrics chapter for the 2017 State of Reliability report
• Consider metrics for longer-term development
Compliance and Enforcement Input Working Group
Paul Crist, CEIWG Chair, Lincoln Electric System
CIPC Meeting, December 13-14, 2016
Agenda Items
• Follow-up from NERC Alert Review
• Update on CEIWG providing implementation guidance and industry concerns on CIP Standards – Tobias Whitney, NERC
• NEI/NERC Unescorted Access Privileges
• VoIP for BES Operations (BCS?)
• TO/TOP Control Centers (waiting for SDT)
• CIP-002 Criteria 2.6 and the implementation schedule
Implementation Guidance?
Is CIPC in agreement with the CEIWG developing the proposed implementation guidance documents?
• Meetings – 2nd Thursday of the month at 1:00 CST (Please let me know if you need the call-in information)
• Next Conference Call: January 12th, 2017 at 1:00 CST
LEVERAGING EXISTING NRC BACKGROUND CHECKS TO SATISFY NERC CIP CYBER SECURITY PERSONNEL RISK ASSESSMENTS
Nuclear GO/GOP Security Background Checks
Wendi Croft, Exelon Nuclear, NEI NERC Issues Task Force Member
December 14, 2016
The NEI NERC Issues Task Force
The Nuclear Energy Institute (NEI) NERC Issues Task Force (NITF) is a NEI-sponsored Task Force established in 2012.
Purpose
• To represent licensees on NERC issues that have a unique impact on Nuclear GO/GOPs, specifically addressing those issues that conflict with or duplicate existing regulations or present a potential challenge to nuclear safety or security
Membership
• Represents 100 nuclear generating units in the United States (66 PWRs and 34 BWRs) which generate about 20% of our nation's electrical use.
• Affiliated with the North American Generator Forum (NAGF).
Products
• NEI-NITF White Papers
• NEI-NITF Interface with NERC, FERC and the Regions
• NEI Web Board for sharing information securely
• Benchmarking, Lessons Learned, and Audit Support
Issue, Recommendations, and Benefits
Issue: NERC Critical Infrastructure Protection (CIP) Standards require Transmission Owners (TOs) to perform cyber security Personnel Risk Assessments (PRAs) prior to providing personnel unescorted access to TO-owned assets. For Nuclear workers, the NERC CIP PRA duplicates the existing Nuclear Regulatory Commission (NRC) required security background checks performed by the licensee for unescorted access to the Nuclear Power Plant.
Recommendations: Gain approval from NERC for TOs to use the existing NRC security background checks and a GO/GOP attestation to satisfy NERC CIP PRAs.
Benefits:
• Eliminates the inefficiency of repeating equivalent background checks
• Maintains the privacy of the Nuclear workers’ information
• Provides an effective and timely alternative to escorted access
Background: NERC Access Requirements
NERC Reliability Standard CIP-004 “Cyber Security – Personnel & Training” requires that:
R3. Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 – Personnel Risk Assessment Program.
Background: NRC Access Regulations
Background checks are required for ALL individuals at a Nuclear Power Plant with unescorted access:
• 10CFR73.56 “Personnel access authorization requirements for nuclear power plants”
• 10CFR73.57 “Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information” also has background check requirements
Background: NRC Access Authorization
NRC Access Authorization (AA) Program and Inspection
• The licensee (1) for each nuclear power plant licensed under 10 CFR Part 50 is required to develop, implement, and maintain a program to protect against an insider threat at the plant.
• The requirements for an AA program apply to each nuclear power plant licensee including their contractors, subcontractors and vendors.
• These regulations require the licensee to:
  – Perform reviews and screenings of each person granted unescorted access.
  – Ensure that each person granted unescorted access is observed by a supervisor trained to detect, at a minimum, changes in behavior that could indicate degraded or impaired performance.
  – Perform initial, follow-up and random drug testing of each person granted unescorted access.
• The NRC conducts inspections of licensees' security programs on a continuing, regular basis and requires licensees to report quarterly on associated Performance Indicators.
1. Licensee, as defined by the NRC, is “a company, organization, institution, or other entity to which the NRC or an Agreement State has granted a general license or specific license to construct or operate a nuclear facility, or to receive, possess, use, transfer, or dispose of source material, byproduct material, or special nuclear material.”
Background: Access for Nuclear Workers
1. Unescorted Access for Nuclear workers
   1. Perform both NERC and NRC required background checks independently
      PROs: No TO concerns related to audit evidence for background check/personnel information
      CONs: Duplicative background checks for both the TO and Nuclear workers costing time, money, and resources.
   2. Use of existing NRC required security background checks performed by the licensee to satisfy requirements for NERC CIP PRAs.
      PROs: One background check that satisfies both CIP Standards and NRC requirements for Nuclear workers
2. Escorted Access by TO personnel
   PROs: No background checks under the CIP Standards
   CONs: Time consuming and ineffective for both the TO and Nuclear workers.
Preferred Option and Barriers
Preferred Option: TO-granted unescorted access for nuclear workers by use of existing NRC required security background checks performed by the licensee to satisfy requirements for NERC CIP PRAs.
Barriers to Implementation:
1. Validate the equivalency of NERC CIP PRA / NRC-required background checks
2. Verify the acceptability of a signed attestation letter stating the individual Nuclear worker has been granted and continues to maintain unescorted access to a nuclear power facility in accordance with the requirements set forth in 10CFR73.56 and 10CFR73.57
NERC / NRC Access Comparison
Requirement                              CIP-004 Required   10CFR73.56/57 Required
Positive Social Security Number ID       Yes                Yes
FBI Fingerprint Analysis                 No                 Yes
Criminal History Record Check            7 Years            Entire History (1)
Employment History Evaluation            No                 Yes
Credit History Evaluation                No                 Yes
Character and Reputation Evaluation      No                 Yes
Psychological Assessment                 No                 Yes
Ongoing Behavioral Observation Program   No                 Yes
Criminal History Update                  7 Years            5 Years (max)
Self-Reporting of Legal Actions          No                 Yes
1. As a matter of practice, Nuclear workers’ background checks go back to the 18th birthday when conducting the first criminal record check.
Precedent: 2010 “Bright Line” Discussions
• Discussions between FERC, NERC, and NRC to identify NERC and NRC authority.
• FERC requested and finalized a gap analysis between NERC and NRC requirements.
TO Documentation for Compliance
• Nuclear GO/GOPs cannot provide detailed personnel information used for Access Authorization. 10CFR73.56(m), “Protection of information,” requires the personnel information used to determine access authorization at a Nuclear site be held confidential except in particular circumstances, which include “(m)(iv) A licensee’s, applicant’s, or contractor’s or vendor’s representatives who have a need to have access to the information in performing assigned duties, including determinations of trustworthiness and reliability and audits of access authorization programs.”
• Nuclear GO/GOPs can provide TOs an attestation. The attestation from the Nuclear GO/GOP would state the individuals requesting access to TO-owned switchyards and associated relay houses have been granted and continue to maintain unescorted access to a nuclear power facility in accordance with the requirements set forth in 10CFR73.56 and 10CFR73.57.
Precedent: NERC March 10, 2016 Letter
Letter from NERC Senior Director of Reliability Assurance (V. Agnew) to Director, Division of Engineering, NRC Office of Reactor Regulation (J. Lubinski), dated March 10, 2016:
“For purposes of a licensee’s compliance with Reliability Standard CIP-004, Requirement R3, the licensee shall not be required to perform a PRA for NRC employee(s) prior to granting unescorted access per CIP-004-6 Requirement R3, nor shall the licensee be required to maintain records of PRA details for those NRC employees, provided that the licensee has verified that the NRC employee for which unescorted access would be granted (i) holds valid, current NRC credentials, (ii) holds an “L” or “Q” level clearance, and (iii) has successfully undergone an NRC background check. Consistent with Federal Energy Regulatory Commission precedent, the NRC background checks for NRC inspectors are at least equal to those required by the CIP standards and, in turn, may be accepted in lieu of a separate PRA.”
Only applies to NRC employees, NOT Nuclear workers.
Precedent: NRC RIS-2016-12
NRC RIS-2016-12, “NRC Employee Access to Switchyards at Licensee Facilities,” dated November 22, 2016. The RIS reiterated the March 10, 2016 NERC letter and was directed towards those Nuclear licensees that also own their switchyard and would potentially have CIP obligations.
“In 2015, several NRC resident inspectors informed NRC management that they were having issues with gaining unescorted access to the switchyard at their plants. NRC licensees cited NERC Reliability Standard CIP-004 as their basis to deny unescorted access to the switchyard.”
“The NRC staff communicated with NERC staff to clarify this matter.” “…NERC has stated that, consistent with FERC precedent, NRC background checks and security clearances for NRC inspectors are at least equal to those required by CIP standards and may, in turn, be accepted in lieu of a separate PRA.”
Going Forward
Request for NERC acknowledgement of the equivalency of the CIP-004 PRA / 10CFR73.56/57 Background Check Requirements and the Nuclear GO/GOP attestation as acceptable evidence to satisfy the TO CIP-004 Standard obligations.
Considerations:
• Revision to the CIP-004 Standard
• Issuance of a NERC Guideline
• Issuance of a letter to Nuclear GO/GOPs and affected TOs similar to the March 10, 2016 NERC letter to NRC Employees
References
CIP-004-3 “Cyber Security – Personnel & Training,” retrieved from http://www.nerc.com/files/cip-004-3.pdf
CIP-004-6 “Cyber Security – Personnel & Training,” retrieved from http://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-004-6.pdf
10CFR73.56 “Personnel access authorization requirements for nuclear power plants,” retrieved from http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0056.html
10CFR73.57 “Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information,” retrieved from http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0057.html
Status Report of the North American Electric Reliability Corporation in Response to the Federal Energy Regulatory Commission’s March 19, 2009 Order No. 706-B, Docket No. RM06-22-000, October 15, 2010, retrieved from http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Final_Final_Oct_15_Bright-Line_Filing.pdf
Letter from NERC Senior Director of Reliability Assurance (V. Agnew) to the Director, Division of Engineering, NRC Office of Reactor Regulation (J. Lubinski), dated March 10, 2016, retrieved from http://pbadupws.nrc.gov/docs/ML1608/ML16084A070.pdf
NRC RIS-2016-12, “NRC Employee Access to Switchyards at Licensee Facilities,” dated November 22, 2016, retrieved from http://www.nrc.gov/docs/ML1615/ML16154A034.pdf
Questions?