Follow us on LinkedIn and Twitter @RFirst Corp · 4/26/2018 · cip-004. cip-006. prc-024. cip-005. mod-025. prc-005. prc-019. cip-011

Forward Together • ReliabilityFirst

Follow us on LinkedIn and Twitter @RFirst_Corp

Enforcement Trends & Addressing Silos

Patrick O’Connor, CounselKristen Senk, Senior Counsel


Agenda Topics

Update on enforcement trend data

Overview of CIP themes

Panel discussion on addressing organizational silos

3


Most Violated Standards

4

132

90

63

3123

17 17 16 13 12

CIP-007 CIP-010 CIP-004 CIP-006 PRC-024 CIP-005 MOD-025 PRC-005 PRC-019 CIP-011

Num

ber o

f Vio

latio

ns

12 Month Rolling Count


Disposition Method

111

316

1626

16411

37

62

0

50

100

150

200

250

300

350

2016 2017 2018

Dismissal/CE FFT Settlement

5


Detective Controls

746

671

293

329

310

0 100 200 300 400 500 600 700 800

2014

2015

2016

2017

2018

By

Dat

e R

epor

ted

Average Days from Start Date to Report Date

6


2018 CIP Themes Report

Purpose• Identify themes in violations

with the CIP Standards• Suggest potential resolutions

Collaboration• RF, WECC, and SERC

worked with Registered Entities to identify the themes and resolutions.

Second Edition• First edition in 2015

7


CIP Themes

8

* The graph represents the violations that concern the more significant CIP compliance deficiencies.

45%

29%

11%15%

Disassociation

Organizational Silos

Inadequate Tools

Lack of Awareness


Theme - Organizational Silos

9

Gen

erat

ion

Lack of coordination between departments, business units, and different levels of management

Vertical Silos

(Between Business

Units or Departments)

Horizontal Silos

(Between Layers from

the Top Down)


Organizational Silos

10

Panel Discussion

Bill EdwardsAssistant General

CounselExelon Corporation

Thomas BreeneManager FERC/NERC

ComplianceWEC Energy Group Business Services

Kristina PacovskyManaging Senior

Corporate Counsel Midcontinent

Independent System Operator


Questions & AnswersForward Together ReliabilityFirst

11

GridEx IV ExerciseOverviewApril 26, 2018Columbus, OH


Slide 1 of 237

13


GridEx IV Exercise - 2017

NERC conducted its fourth biennial grid security and emergency response exercise, GridEx IV, on November 15–16, 2017

GridEx IV consisted of a two-day distributed play exercise and a separate executive tabletop on the second day

The exercise provided an opportunity for stakeholders in the electricity sector to respond to simulated cyber and physical attacks affecting the reliable operation of the grid

14


Cyber Attack Scenario

Cyber-attacks targeted corporate networks and industrial control systems (ICS) such as process control systems, energy management systems, distribution management systems, and supervisory control and data acquisition systems (SCADA) used to operate generating units, transmission substations, and control centers. The attacks disrupt the ability of power system operators to monitor and control the reliability of the bulk power system (BPS)

15


Physical Attack Scenario

Simultaneous physical attacks against certain generation, transmission, and control center facilities cause large-scale power outages, while avoiding immediate and deliberate degradation to the level that would move the exercise into black start restoration plan scenarios. Voice and data communications systems used by BPS operations and security personnel are also affected by physical attack, hindering their ability to respond to the situation

16


Communications Challenges

GridEx IV also provided participating organizations with the opportunity to exercise how they receive and share information with external stakeholders, including customers, local government officials, and the general public

17


GridEx IV Exercise - Objectives

Exercise incident response plans

Expand local and regional response

Engage critical interdependencies

Improve communication

Gather lessons learned

Engage senior leadership

18


GridEx IV Exercise - Participation

19


GridEx Exercise – Lessons Learned

Some exercise scenarios or “moves” require more integration into the master scenario

More active Lead Planners

Greater Cross-Sector Participation

E-ISAC Portal Improvements

EEI and the E-ISAC should work together to further operationalize the Cyber Mutual Assistance (CMA) Program

20


GridEx IV Exercise – RF Participation

Engaged the EASA, IT, and Corporate Communications Teams, and the CSO

EASA “played” in our normal roles following the master scenario events as played out by electric utilities in our footprint

IT “played” by responding to a custom scenario which was created and played out simulating an RF data breach event

21


GridEx IV Exercise – RF Participation (cont.)

Corporate Communications “played” following the exercise master scenario events as played out by electric utilities and also responding to the RF data breach event coordinating with IT, the CSO, and Executives

The CSO “played” by responding to and interacting with EASA, IT, Corporate Communications, and Executives for both the master scenario events and the custom RF data breach scenario

Support was provided by the Enforcement Team acting as RF users affected by the RF Data Breach event

22


GridEx IV Exercise – RF Lessons Learned

Procedure and Process updates

Tools updates and training

Communication protocol updates (internal & external)

Emergency response action updates

Increase RF IT involvement in future exercises to test our response capabilities more completely

23


GridEx IV Exercise – Follow on Activities

Review and comment on the GridEx IV After Action Report

Review and implement Lessons Learned

Planning for GridEx V in 2019

FERC Cyber Planning for Response and Recovery (CyPReS) Study

24


Why participate in GridEx Exercises?

It’s fun! Just ask your Lead Planner…

It’s customizable!

Industry participants take part from their regular work locations

Provides an opportunity for utilities to demonstrate how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents

Strengthen your crisis communications relationships

25


Slide 237 of 237

26



Project 2016-02CIP ModificationsStandard Drafting Team Outreach Slides

RELIABILITY | ACCOUNTABILITY29

• Project 2016-02 Scope• CIP-002 Modifications Planned and Unplanned Changes

• CIP-012 Modifications

• Control Center Definition • V5TAG Transition Document Definitions Virtualization

Agenda


• Per paragraph 53, “…the Commission concludes that modifications to CIP-006-6 to provide controls to protect, at a minimum, communication links and data communicated between bulk electric system Control Centers are necessary in light of the critical role Control Center communications play in maintaining bulk electric system reliability. Therefore, we adopt the NOPR proposal and direct that NERC, pursuant to section 215(d)(5) of the FPA, develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”

SAR – FERC Directives


• Cyber Asset and BES Cyber Asset (BCA) Definitions Clarify the intent of “programmable” in Cyber Asset. Clarify and focus the definition of “BES Cyber Asset”

• Network and Externally Accessible Devices improving clarity within the concepts and requirements

• Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations Clarify:o the applicability of requirements on a TO Control Center that performs the functional obligations of a TOP,

particularly if the TO has the ability to operate switches, breakers and relays in the BES. o The definition of Control Center. o The language scope of “perform the functional obligations of” throughout the Attachment 1 criteria.

SAR – V5TAG Items


• The SDT identified the following areas that it intends to address as part of its work on virtualization: Determine the level to which mixing Cyber Asset classes is permitted (CIP-applicable with non-CIP

applicable, EACMS/PACS with BCS, Low/Medium/High BCS, EACMS/PACS with non-CIP applicable, etc.). Clarify in requirements/definitions/guidance the permitted architectures and control necessary to permit them.

Address the treatment of components typically associated with virtualization - hypervisor, management control, and physical hardware

Address treatment of each class of virtualization (server, network including SDN, and storage) including identifying any differences in treatment between classes.

Address VLANs, particularly the scenario in which there is a switch that has at least one VLAN inside the ESP and one VLAN outside the ESP.

Address monitoring-only EACMS and whether the risk profile of these systems is such that they should be treated differently than other EACMS

SAR - Virtualization


• The first ballot received 66.78% approval.• Based on comments and voting: The SDT did not modify criterion 2.12 for the second ballot. The SDT modified the Background section of the Standard to remove information related CIP version

4. The SDT extended the implementation timeline to be effective on the first day of the first calendar

quarter that is three (3) calendar months after the effective date. The SDT updated the Guideline and Technical Basis document. The SDT updated the Implementation Guidance document.

• The SDT added the Planned and Unplanned Change language to the Standard.

CIP-002-6a Modifications


2.12. Control Centers or backup Control Centers, not included in High Impact Rating above, that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below. The "aggregate weighted value" for a Control Center or backup Control Center is determined by summing the "weight value per line" shown in the table below for each BES Transmission Line monitored and controlled by the Control Center or backup Control Center.

CIP-002-6a Modifications

Voltage Value of a Line Weight Value per Lineless than 100 kV (not applicable) (not applicable)

100 kV to 199 kV 250200 kV to 299 kV 700300 kV to 499 kV 1300500 kV and above 0


• The SDT held a webinar on February 14, 2018 to discuss changes to the standard related to Planned and Unplanned Changes language that was previously found in the Implementation Plan

• The SDT used a polling feature to gather feedback from industry on the changes The feedback from industry was extremely positiveo 97% of respondents agreed with moving the language to the standardo 86% of respondents agreed with the potential languageo 94% of respondents agreed with not including the language in CIP-012

• The Planned and Unplanned Change language is being moved from the implementation plan to the standard.

• Implementation Plan will continue to cover timelines based on changes to a standard, a new section in the standard will be added to identify timelines based on changes to a BES asset or Cyber Asset

Planned/Unplanned Changes


• Planned Changes refer to changes to the Bulk Electric System or Cyber Asset(s) that were planned and implemented by the Responsible Entity or with the Responsible Entity’s awareness. Planned Changes typically involve a change to a Bulk Electric System asset (e.g., substation, generating resource, Control Center) or a change to a Cyber Asset that was foreseen by the Responsible Entity. Examples of Planned Changes include: (1) placing a new transmission substation into service or adding a new line to an existing substation; (2) placing a new BES generation resource into service or adding a generation resource to an existing plant; (3) placing a new primary or backup Control Center or associated data center into service or implementing a new supervisory control and data acquisition (SCADA) system or energy management system (EMS) or an upgrade to an existing SCADA system or EMS; (4) implementing a project for substation automation where Cyber Assets are installed, upgraded, or replaced such as electromechanical relays being replaced with digital relays; or (5) implementing a control system upgrade at a generating resource.



• Unplanned Changes refer to (i) any changes to the Bulk Electric System or a Cyber Asset that occur without the entity’s awareness or (ii) changes to the categorization of a Cyber Asset caused by a notification from another entity or the output of a planning study. Examples of Unplanned Changes include: (1) when a Responsible Entity is notified (internally or externally) that a generation Facility has been designated as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year (CIP-002, Attachment 1, Criterion 2.3); (2) when a Responsible Entity is notified (internally or externally) that a generation or Transmission Facility has been identified as critical to the derivation of an IROL and their associated contingencies (CIP-002, Attachment 1, Criterion 2.6); (3) when a generating resource that is connected at less than 100kV is designated as a new Blackstart Resource along with its Cranking Path (CIP-002, Attachment 1, Criterion 3.4); or (4) when a system study that shows changes in customer load have resulted in crossing the 300 MW threshold of a load shedding system as described in Criterion 2.10 of CIP-002, Attachment 1.



Planned and Unplanned Changes: If a Responsible Entity has a Planned Change or Unplanned Change, the Responsible Entity shall comply with the requirements in this Reliability Standard in accordance with the following:For Planned Changes resulting in a new BES Cyber System or a change in categorization for an existing BES Cyber System, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard upon the commissioned date of the Planned Change. For this provision, the commissioned date is the date a new or modified Bulk Electric System asset or Cyber Asset is capable of impacting the BES. For requirements that contain periodic obligations, initial performance of those obligations following a Planned Change shall occur within the first period following the commissioned date of the Planned Change.



For Unplanned Changes, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard according to the timelines in the table below. As used in the table, the phrase “BES asset type” refers to the following BES asset types listed in Requirement R1 of CIP-002: (i) Control Centers or backup Control Centers; (ii) Transmission stations or substations; (iii) generation resources; (iv) systems and facilities critical to system restoration including Blackstart Resources and Cranking Paths and initial switching requirements; (v) Special Protection Systems that support the reliable operation of the Bulk Electric System; and (vi) the Distribution Provider Protection Systems specified in Applicability section 4.2.1.



Scenario of Unplanned Change Implementation PeriodNew high impact BES Cyber Systemassociated with a BES asset type where theResponsible Entity has previouslyidentified a medium or high impact BESCyber System associated with that sameBES asset type

12 calendar months from the date of notification or detection of the Unplanned Change.

New high impact BES Cyber Systemassociated with a BES asset type where theResponsible Entity has not previouslyidentified a medium or high impact BESCyber System associated with that sameBES asset type


New medium impact BES Cyber Systemassociated with a BES asset type where theResponsible Entity has previouslyidentified a medium or high impact BESCyber System associated with that sameBES asset type


Planned/Unplanned Change (Part 1 of 2)


Planned/Unplanned Changes (Part 2 of 2)

New medium impact BES Cyber Systemassociated with a BES asset type wherethe Responsible Entity has not previouslyidentified a medium or high impact BESCyber System associated with that sameBES asset type


New low impact BES Cyber Systemassociated with a BES asset type wherethe Responsible Entity has previouslyidentified a low, medium, or high impactBES Cyber Systems associated with thatsame BES asset type


New low impact BES Cyber Systemassociated with a BES asset type wherethe Responsible Entity has not previouslyidentified a low, medium, or high impactBES Cyber systems associated with thatsame BES asset type



For requirements that contain periodic obligations, initial performance of those obligations following an Unplanned Change shall occur within the first period following the date that the Implementation Period ends, as defined in the table above.For Unplanned Changes resulting in a higher categorization for an existing BES Cyber System, the Responsible Entity shall continue to comply with the applicable requirements of the prior categorization during the Implementation Period defined above.



• The second ballot received 63.91% approval.• Based on comments and voting: The SDT combined Requirements R1 and R2. Removed “and control” from Requirement R1. Removed “demarcation” from Requirement part 1.2. Removed “roles” from Requirement part 1.3. The SDT updated the Technical Rationale and Justification document. The SDT updated the Implementation Guidance document.

• The SDT did not add the Planned and Unplanned Change language to the Standard.

CIP-012-1 Modifications


R1. The Responsible Entity shall implement one or more documented plan(s) to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data, while being transmitted between any Control Centers. This requirement excludes oral communications. The plan shall include: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]1.1 Identification of security protection used to mitigate the risk of unauthorized disclosure or modification of

Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;1.2 Identification of where the Responsible Entity applies security protection is applied for transmitting Real-

time Assessment and Real-time monitoring data between Control Centers; and1.3 When the by different Responsible Entities own or operate Control Centers identify the responsibilities of

each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between those Control Centers.

CIP-012-1 Modifications


• The team reviewed several scenarios that could be identified as meeting the current definition of Control Center, but that the team thought were not consistent with the spirit of the definition

Control Center Definition


• SDT Discussion: “Operating personnel” is undefined and could be interpreted to mean anyone who could operate the BES

including field switching personnel “Two or more locations” may be too broad without further context and does not reflect the realities of how

today’s renewable generation is built “Monitor and control” could have multiple interpretations and needs to tie to the functions performed by

the registered entities. Control should include the concept of jurisdictional authority and the ability to issue directives such as in the case of an RC control system that may not have the capability to open and close breakers directly

Use of the defined term “Real-time” or undefined term “real-time” – the team expressed concerns with the definition of Real-time, but ultimately weighed in favor of consistency with the use of the term based on its inclusion in the PER-005-2 standard

• In response to the concerns discussed, the SDT developed modifications to the Control Center definition to make specific inclusions and exclusions. This model was based on the BES definition which also has specific inclusions and exclusions as part of the definition.



One or more facilities, including their associated data centers, that monitor and control the Bulk Electric System (BES) and also host operating personnel who:

1) perform the Real-time reliability-related tasks of a Reliability Coordinator; or 2) perform the Real-time reliability-related tasks of a Balancing Authority; or 3) perform the Real-time reliability-related tasks of a Transmission Operator for Transmission Facilities at two or more locations; or 4) can act independently as the Generator Operator to develop specific dispatch instructions for generation Facilities at two or more locations; or 5) can operate or direct the operation of a Transmission Owner’s Bulk Electric System Transmission Facilities in Real-time.

Operating personnel do not include: 1) plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications; or 2) Transmission Owner or Transmission Operator field switching personnel.



• Assessed body of CIP requirementso Virtualization focus assessmento Reviewed requirements against the issue areas identified in the V5TAG transfer document

SDT discussion of next steps o Implementation guidanceo Modify requirements to address virtualization o Develop new requirements as appropriate o No Modifications needed

Virtualization


• Post CIP-002, CIP-012 and Control Center 45-day Comment and Ballot Period March 16 – April 30, 2018

• Continue Virtualization and other V5TAG Transition document discussion

Next Steps


Conference Dial-in See NERC calendar for WebEx info

Reserved Call Times Fridays - 11 a.m. – 1 p.m. (ET)o Full team update

• Discussion topics will vary based on the issue area work progress.

• Check the NERC Standards calendar of events for the most updated information.

Issue Area Working Calls--Scheduled if needed on the NERC Standards Calendar Tuesdays - Noon – 2 p.m. (ET)o Issue area working session

Thursdays - Noon – 2 p.m. (ET)o Issue area working session

• Issue area working calls will be scheduled as needed to allow the sub-teams to process input and develop proposals.

Conference Call Schedule


2018 Planned Dates: March 27-29, 2018 (NERC - Atlanta, GA) May 8-10, 2018 (Texas Reliability Entity, TX) June 19-21, 2018 (NERC – Atlanta, GA) July 10-12, 2018 (WECC, Salt Lake City, UT) September 4-6, 2018 (BPA – Portland, OR)

SDT Meeting Schedule


• Information relative to the CIP Modifications project and SDT may be found on the Project 2016-02 Project Page under Related Files: Project 2016-02 Modifications to CIP Standards

• Jordan Mallory, NERC Standards Developer [email protected] (Office)

Resources

http://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx

mailto:[email protected]


Sergio Caltagirone@cnoanalysis


We can’t know all the threats or the capabilities of the adversary

We can’t know all the vulnerabilities of our software, hardware, or the people who use it

We can’t determine which assets have value to the adversary

- @peteherzog


*Everyday in Information Security

“The adversary needs to be right once, the defender needs to be right every time”

The Defenders AdvantageThe threat environment demands a new approach – anew dedication – to be present and active in our defense.


Threat Intelligence

WhyThreat intelligence reduces harm by improving decision making before,during, and after cybersecurity incidents reducing operational meantime to recovery and reducing adversary dwell time

WhatThreat intelligence is previously unknown knowledge of malicious cyberactivity enabling better decision making in network protection andresponse


What adversaries use, including their capabilities and infrastructure

Who adversaries are, comprising the actors, sponsors, and employers

Where adversaries target, detailing industries, verticals and geographic regions

When adversaries act, identifying timelines and patterns of life

Why adversaries attack, including their motives and intent

How adversaries operate, focused on their behaviors and patterns

What is the threat? Addressing who, what, where, when, why, and how.

Threat Intelligence “3 Question Rule”

All threat intelligence should answer three questions enabling the audience to quickly identify the relevance and impact to their organization followed by immediate action if necessary.

Threat

Impact

Action

What is the impact to an organization if the threat were realized?

Which actions mitigate the threat in both the near and mid-term?

Context describes the threat and proves or disproves the relevance and impact to the audience.

“Context is king” helping organizations properly prioritize their action and response when overwhelmed with alerts & alarms.

Threat Intelligence: A Composite of Two Elements

Threat intelligence is comprised of two elements: context and action. Without either intelligence is neither actionable nor understandable.

Context

Action Action provides technical and policy recommendations customized for the threat, its behavior, and impact.

Detect

• Identify active threats using threat behavior analytics

Respond

• Mitigate detected threats through incident response

Prevent• Proactively

prevent through policy, education, and technology

Integrating Threat Intelligence Across the Security Process

Tactical

Operational

Strategic

Security OperationsNetwork DefendersIncident Response

Technical indicators and behaviors to inform network-level action and remediation

Threat Intelligence Type Audience Description

Threat HuntersIncident ResponseSecurity Leadership

Security LeadershipOrganizational Leadership

Intelligence on adversary behavior informing: holistic remediation, threat hunting, behavioral detection, purchasing decisions, and data collection

Places threat into a business context and describes strategic impact informing risk management and organizational direction

Intelligence on activities of adversaries known to have an interest in control systems and operational networks

ICS Threat Intelligence CategoriesICS threat intelligence falls into three categories – intelligence not conforming to these categories generally does not support industrial control security demands.

Interested Adversaries

Direct ICS Impact

Indirect ICS Impact

Example: DRAGONFLY compromises victim networks to gather information on their industrial control system and related operations but have not yet been identified as disrupting or directly interfacing with industrial control systems

Intelligence on threats directly affecting the operation of industrial control systems

Example: CRASHOVERRIDE is a malware framework designed and deployed to disrupt electric power transmission

Intelligence on threats not associated with industrial control systems but have a high likelihood of disrupting their operation

Example: WANNACRY ransomware does not target industrial control systems but it’s capability has shown to be debilitating to organizations when it can access operational networks

2017 ICS Vulnerability Advisories

Dragos’ 2017 in Review reports revealed that for ICS vulnerabilities:• 64% of all vulns didn’t eliminate the risk• 72% provided no alternate mitigation to the patch• Only 15% could be leveraged to gain initial access

A short and easily-understood description of the vulnerability accessible to most security professionals

Vulnerability Description Elements

Vulnerability analysis is necessary for complete threat intelligence. Threat intelligence producers must include four elements of information about a vulnerability to ensure good decision-making.

Description

Impact

Mitigation

Threat Awareness

Understanding the vulnerability in the threat environment, including active exploitation and the scope and scale of such use

The potential impact of the vulnerability when leveraged by an adversary

The actions available to defenders to prevent or reduce the risk of the vulnerability impacting operations

A producer must have the data sources and visibility into the threats affecting the customer’s environment. Without the proper data there can be no relevant intelligence.

Distinguishing Threat Intelligence Products

Three elements clearly distinguish threat intelligence products. An evaluation of any threat intelligence product and producer should examine these elements which will help a customer select the best ones for their business.

Data Sources and Visibility

Contextual Awareness

Action Relevance

A producer must have an understanding of the customer’s business in order to make intelligence immediately relevant. Otherwise, the customer must translate all intelligence into their domain themselves.

A producer must understand the customer’s operations so that they may recommend proper actions without causing undue harm or simply stating generic best practices.

Threat intelligence must provide sufficient detail to enable a proper response

CART: Identifying Good Threat Intelligence

Completeness

Relevance

Timeliness

Accuracy Inaccurate threat intelligence is worse than no threat intelligence and any quality threat intelligence must be accurate

Threat intelligence must address only relevant threats to the organization and be delivered in a method that allows for effective action

Threat intelligence must be produced and delivered quickly so that it can be and used fast enough to make a difference

Threat Intelligence: Measuring Return on Investment (ROI)

Mean Adversary Dwell TimeThe time measured between when an adversary first gained unauthorized access to a network/system and when incident response successfully severed adversary access and control

Mean Time to Recovery The time from when an adversary first causes an operational disruption to when operations return to normal

Attacks in Context

5ICS tailored malware

families

3

• Stuxnet• Havex• Blackenergy2• CRASHOVERRID

E• TRISIS

• Stuxnet• CRASHOVERRIDE• TRISIS

Intent to disrupt industrial processes

2Identified in 2017

• CRASHOVERRIDE: First malware to target grid operations

• TRISIS: First malware to target SIS

CHRYSENE

Links OilRig, Greenbug

IT compromise, information gathering and recon against industrial orgs

Victimology Oil & Gas, Manufacturing, Europe, MENA, N. America

Capabilities Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR

COVELLITE

Links Lazarus, Hidden Cobra

IT compromise with hardened anti-analysis malware against industrial orgs

Victimology Electric Utilities, US

Capabilities Encoded binaries in documents, evasion techniques

DYMALLOY

Links Dragonfly2, Berserker Bear

Deep ICS environment information gathering, operator credentials, industrial process details

Victimology Turkey, Europe, US

Capabilities COODOR, DORSHEL, KARAGANY, Mimikatz

ELECTRUM

Links Sandworm

Electric grid disruption and long-term persistence

Victimology Ukraine, Electric Utilities

Capabilities CRASHOVERRIDE

MAGNALLIUM

Links APT33

IT network limited, information gathering against industrial orgs

Victimology Petrochemical, Aerospace, Saudi Arabia

Capabilities STONEDRILL wiper, variants of TURNEDUP malware

ALLANITE

Links Palmetto Fusion

Watering-hole and phishing leading to ICS recon and screenshot collection

Victimology Electric utilities, US & UK

Capabilities Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec

XENOTIME

Links None

Focused on physical destruction and long-term persistence

Victimology Oil & Gas, Middle East

Capabilities TRISIS, custom credential harvesting

XTALMG

CV DY ELCR

Since 2014Since 2017Since 2016

Since 2016Since 2016Since 2017Since 2017

Penetrate ICS Network

Establish Foothold

Enumerate Systems & Protocols

Deliver Attack

Takes time, access, and work

• First grid-focused ICS attack via malware• Extensible framework for launching attacks requiring protocol

knowledge• Wiper function specifically designed to impede ICS recovery• Attack required widespread, persistent access to target network

ELECTRUM: Disrupting Electric Power Transmission

Establish Access on SIS-Connecting

System

Transfer TRISIS Base Module to

System

Use TRISIS Base Module to

Compromise SISUpload Follow-On

Payloads

XENOTIME: Attacking Safety Systems and a Threat to Life

• Safety now a target for ICS operations• Greater possibility for physically-destructive events• Attack narrow but methodology may be replayed

What Can You Do?

1 Enable two-factor (not phone factor) authentication across internal assets and services

2 Control IT-OT boundary

3 Audit and secure safety systems

4 Add OT monitoring, look for behaviors, not indicators

5 Get ICS threat intelligence

Defenders expect adversaries – time for the adversaries to expect defenders.

Sergio [email protected]

@cnoanalysis

NERC CIPC WorkplanUpdate

Larry Bugh, Chief Security Officer & Director EASAApril 26, 2018


CIPC Organizational Chart

78

Executive CommitteeRoss Johnson, Phys SME, Capital Power Marc Child, Chair, Great River Energy Melanie Seader, EEIBrenda Davis, Cyber SME, CPS Energy David Grubbs, Vice Chair, City of Garland (vacant) APPALisa Carrington, Ops SME, Ariz Public Svc David Revill, Vice Chair, NRECA (vacant) EPSAJeff Fuller, Policy SME, AES (vacant), Secretary, NERC (vacant) IPC

Physical Security Subcommittee(Ross Johnson)

Cybersecurity Subcommittee(Brenda Davis)

Operating Security Subcommittee(Lisa Carrington)

Policy Subcommittee

(Jeff Fuller)

Physical SecurityWG (PSAG)

(Ross Johnson)

Control Systems Security

WG(Mike Mertz)

(Carter Manucy)

Grid Exercise WG

(Tim Conway)

Security Metrics WG

(Larry Bugh)

Compliance and Enforcement Input

WG(Paul Crist)

Physical Security Guidelines TF

(Darrell Klimitchek)

Security Training WG

(David Godfrey)(Amelia Sawyer)

Planning Committee Joint Project

Criticality Reduction (Vacant)

Supply Chain Working Group

(Vacant)


CIPC Charter

Key updates to CIPC Charter: Minor verbiage update to acknowledge security guidelines and standards implementation guidance are key

deliverables of CIPC Added IEEE to the list of key collaborative organizations Added new non-voting member class: Partner Members

• Federal Energy Regulatory Commission• US Department of Homeland Security• US Department of Energy• US Department of Energy Laboratories• Public Safety Canada• Natural Resources Canada• Oil & Natural Gas subsector• Telecomm sector• Financial Services sector• Critical Manufacturing sector• Water sector

79


CIPC Strategic Plan and Workplan

2018 – 2019 Strategic Plan & Work Plan Change in format to better align with the Electric Reliability Organization (ERO) strategic goals

• ERO Enterprise Long-Term Strategy• ERO Reliability Risk Priorities (“RISC Report”)• E-ISAC Long Term Strategic Plan

Appendix removed to reduce redundancy and enhance readability Organized into six major activities

• Advisory panel to the NERC Board of Trustees (Board)• Cyber security risk management• Physical security risk management• NERC standards implementation input• BES security metrics• Training, outreach, and industry communications

80

Plan available at https://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Strategic%20Plan%202018-2019.pdf


Advisory Panel to the NERC Board

Reports to the Board - will become more strategic to address emerging risks and issues pertinent to the security of BES

Solicit Board input regarding priorities and new challenges Identify opportunities for collaboration with other

subcommittees Decrease focus on status reporting and increase focus on the

proactive resolution of issues

81


Cyber Security Risk Management

Cyber security program efforts:• Identification and reduction of cyber risks• Cyber security risk of Fuel Handling SCADA systems for Generation• Updated guidance in relation to NERC’s Remote Access Study• GridEx planning and preparation• Supply Chain (vendor security controls and legacy systems testing)

All designed to address the RISC, E-ISAC Long Term Strategic Plan, and the ERO Enterprise Long Term Strategy

82


Physical Security Risk Management

Physical security program efforts: • Identification and reduction of physical risks• Security practices for High Impact Control Centers• Security implications of drones on electric power• Key management security for physical access

All designed to address the RISC, E-ISAC Long Term Strategic Plan, and the ERO Enterprise Long Term Strategy

83


NERC Standards Implementation Input

Compliance and Enforcement Input Working Group (CEIWG)

Established to solicit industry stakeholders for input to assist NERC staff with clarification on compliance monitoring or enforcement with the following documents:• Implications of Cloud Services for CIP Assets (Pilot/Study)• Implementation Guidance for Voice-over-IP services• Implementation Guidance for Shared Transmission Facilities

84


BES Security Metrics

CIPC will utilize the expertise of its members, NERC staff, and others to provide direction, technical oversight, feedback on the collection of industry metrics, and reporting of BES security performance metrics.• Security Metrics derived from E-ISAC, compliance data, or other sources of periodic reporting• Annual security assessment of the BES (NERC State of Reliability Report)

85


Training, Outreach, and Communications

CIPC will provide training, coordination, and communication with those responsible for both physical and cyber security to various industry segments.• Reorganize information on NERC.com• Industry facing collaboration site to maximize joint project activities• Publish annual training plan

86


Timeline of Activities

87

# CIPC Deliverable (non-ongoing projects) Estimated

Completion Date

1 Implications of Voice-over-IP and the CIP Standards Q1 2018

2 Develop CIPC Collaboration Site on NERC.com Q2 2018

3 CIP Implications of Shared Transmission Facilities Q2 2018

4 Key management security guideline Q2 2018

5 Vendor Essential Security Practices Model Q3 2018

6 Security implications of UAVs Q3 2018

7 Update CIPC Website on NERC.com Q3 2018

8 Implications of Cloud Services for CIP Assets Q4 2018

9 Assess the cyber security risk of Fuel Handling SCADA systems for Generation Q1 2019

10 Address Remote Access Security Findings #1-#18 Q3 2019

11 Identification and Reduction of Cyber and Physical Security Risks Q4 2019

12 Legacy system testing coordination with National Labs Q4 2019

13 Annual Security Assessment of the BES Q4 2019



88

Follow us on LinkedIn and Twitter @RFirst Corp · 4/26/2018 · cip-004. cip-006. prc-024. cip-005. mod-025. prc-005. prc-019. cip-011

Documents