Energy Infrastructure Vulnerability Survey and VRAP

1
U.S. Department of Homeland Security
Electric Infrastructure Vulnerability Assessment
Methodology by Dave Jones Argonne National
Laboratory djones_at_anl.gov NERC Workshop Meeting
the Security Challenge Activities sponsored by
DHS Information Analysis and Infrastructure
Protection Directorate
2
U.S. Department of Homeland Security
Information Analysis and Infrastructure
Protection Directorate web sites
dhs.gov Threats Protection Critical
Infrastructure oea.dis.anl.gov
3
VA Program Objectives

• Develop an improved understanding of
• What is critical
• What is vulnerable (physical and cyber)
• How vulnerabilities could be exploited, and the
  feasibility
• System connectivity, interdependencies, and
  impacts of disruptions
• from a company, regional, state, system, national
  view
• Identify problems and desired help in responding
  to increased national security threat levels
• Green gt Blue gt Yellow gt Orange gt Red

4
VA Program Objectives (Contd)

• Broaden awareness and stimulate action to
  mitigate significant problems and improve
  preparedness
• Produce and disseminate survey and assessment
  methodologies
• Develop general lessons learned and best
  practices

5
Selected VA Program Publications
6
Examples of Infrastructure Assets Examined

• Electric Power
• Substations/transmission corridors
• Operating and control entities
• Distribution systems
• Hydroelectric plants
• Fossil power plants

• Natural Gas
• Transmission pipelines
• Distribution companies
• Other facilities (e.g., LNG facilities, hubs)
• Other Infrastructures
• Ports
• Telecommunications hubs
• Transportation assets (bridges, tunnels)

• Petroleum
• Crude and product pipelines
• Crude tankers
• Refineries
• Terminals
• Other facilities (e.g, storage reserves)

7
Primary Guidance Documents
Energy Infrastructure Risk Management Checklists
for Small and Medium Sized Energy Facilities
dated August 19, 2002 Vulnerability Assessment
Methodology, Electric Power Infrastructure
(Draft) dated September 30,
2002 http//oea.dis.anl.gov/documents.htm

8
Risk Management Checklist Purpose

• Provide general guidance and starting point
  so smaller energy facilities can
• Identify critical functions and assets
• Become aware of threats and vulnerabilities
• Evaluate and rank the threats and vulnerabilities
• Initiate a security enhancement program, if
  appropriate

9
Checklist Concept

• Adapted for use by small and medium sized energy
  facilities - municipal utilities, independent
  utilities, and rural cooperatives
• Includes overview of the concepts of
  vulnerability analyses and risk assessments, and
  lists of questions and considerations for use
  during each major step of risk management process
  
• Assist operators in identifying priorities for
  protecting their local individual portions of the
  nations energy infrastructure

10
Local and State Governments Role

• Energy facilities are responsible for their
  own risk management, but local and state
  governments need to take a proactive role to
  help these facilities perform the needed risk
  assessments, adopt adequate and cost beneficial
  methodologies, and take actions to address the
  findings

11
Outline of Risk Management Steps

• Identify critical assets and the impacts of their
  loss
• Identify what protects and supports the critical
  assets
• Identify and characterize the threat
• Identify and analyze vulnerabilities
• Assess risk and determine priorities for asset
  protection
• Identify mitigation options, costs, and trade-offs

12
Survey Elements

• Physical
• Barriers, Intrusion detection, Access control,
  Security force
• Cyber
• SCADA, Process controls
• Operations Security (OPSEC)
• Assault strategies
• Explosives analysis
• Interdependencies/Systems
• Surveys are Quick Look, 5 member team, 1 ½ days
  on-site

13
Operations Security (OPSEC) Survey Elements

• Human resources security procedures
• Facility engineering
• Operations
• Telecommunications and information
  technology (i.e. web
  page)
• Publicly released information
• Trash and waste handling
• Government, vendor, other web pages

14
Interdependencies Elements

• Internal infrastructures
• Electric power supply and distribution systems
• Internal HVAC systems
• Telephone systems
• Microwave/radio communications
• Intranet and e-mail systems
• Computers and servers
• Fire suppression and fire fighting systems
• SCADA systems
• Domestic water systems
• Industrial water systems
• Physical security system
• Human resources support
• Financial systems

• External infrastructures
• Electric power
• Natural gas
• Petroleum fuels
• Telecommunications
• Water and wastewater
• Road transportation
• Rail transportation
• Air transportation
• Water transportation

15
Illustrative Electric Dependencies on Other
Critical Infrastructures
Electric
16
VA Program Process

• Pre-Assessment
• Define Objectives and Scope
• Establish Information Protection Procedure
  (Non-Disclosure Agreement)
• Identify and Rank Critical Assets
• Complete Request for Information (RFI)

17
VA Program Process (Contd)

• Assessment
• Subject Matter Experts (SME) review/analyze RFI
  and prepare for on-site visit
• Team conducts 5 day on-site assessment
• Each SME writes respective report section
• Team Leader completes report and briefs Senior
  Management
• Selected Experts brief staff

18
VA Program Process (Contd)

• Post-Assessment
• Prioritize Recommendations
• Develop Action Plan
• Capture Lessons Learned and Best Practices
• Conduct Training

19
Representative Criticality Criteria

• Loss of human life (potential for mass casualties
  -- killed,
  injured)
• Economic impact of destruction/disruption
• Political consequences (public confidence/morale,
  national prestige, governability, symbolic
  value) 
• National defense (ability to defend national
  sovereignty/territorial integrity or ability to
  sustain military power abroad)
• Potential for loss of energy supply to large
  civilian areas
• Potential for environment impacts
• Extended time needed to repair little or no
  redundant capacity
• Potential for interdependency (cascading) effects
   

20
Critical Asset Identification

• Potential Organization Invitee List
• Physical and Cyber Security
• Operations
• IT and Telecommunications
• Safety
• Facilities
• HR
• Financial, Communications/Public Affairs
• Legal, Audit, Marketing

21
VA Elements

• Network Architecture Assess network topology
  and connectivity
• Threat Environment Assess individual and
  organizational threats
• Penetration Testing Identify network
  vulnerabilities and assess penetration pathways
• Physical Security Assess physical security
  systems
• Physical Asset Analysis Assess vulnerabilities
  of operational assets
• Operations Security Assess processes and
  practices to deny adversary access to information

22
VA Elements (Contd)

• Policies and Procedures Assess organizational
  policies and procedures
• Impact Analysis Quantify disruption impacts
• Infrastructure Interdependencies Identify
  physical and cyber dependencies on critical
  infrastructures (e.g., electric power,
  telecommunications, water, transportation)
• Risk Characterization Prioritize
  recommendations across all task areas

23
Vulnerability Assessment Lessons Learned

• Network Architecture Define network perimeter.
  Minimize external connections. Up to date
  mapping of network. Enhance security of mission
  critical systems.
• Threat Environment Background investigations
  for new hires and periodic updates for current
  employees. Specific threat data rare, maintain
  liaison with Federal, State, and local LLEA to
  get trend information.
• Penetration Testing Traffic filtering,
  authentication controls, encryption, and access
  controls, minimizing or disabling of unnecessary
  services and commands, email filtering, and virus
  control. Google search to locate sensitive
  information on your company. Modem search.

24
Vulnerability Assessment Lessons Learned (Contd)

• Physical Security Restrict access to sensitive
  areas, review access control list, inventory
  security keys, minimize nuisance alarms, enhance
  badge program.
• Physical Asset Analysis Compare operating and
  maintenance procedures with best practices and
  procedures used throughout the industry.
• Operations Security Review Web Page(s) for
  sensitive information, life cycle of sensitive
  information.
• Policies and Procedures Formalized policies and
  procedures provide a foundation for achieving the
  desired level of security.

25
Vulnerability Assessment Lessons Learned (Contd)

• Impact Analysis Estimates of the potential
  consequences, including economic implications, of
  not mitigating identified vulnerabilities or
  addressing security concerns are necessary in
  order to effectively apply risk management
  approaches to evaluate mitigation and security
  recommendations.
• Infrastructure Interdependencies Evaluate
  contingency and response plans from an
  infrastructure interdependencies perspective and
  enhance coordination with other infrastructure
  providers.
• Risk Characterization Integrate security risk
  management into the corporate risk management
  process.

26
Best Practices from Surveys and Assessments

• Create senior level security council/committee
• Corporate/company security officer
• Formal security program - include list of
  critical assets, a mission statement, threat
  definition, acceptable risks, and vulnerability
  assessments
• Implement structured security requirements for
  critical suppliers and partners
• Periodically review and update emergency plans to
  include newer threats and vulnerabilities test
  plans regularly
• Implement appropriate configuration management
  across all IT systems
• Raise employee awareness to be proactive on
  security matters

27
Observations from VA Program

• Energy industry has taken significant action
  since 9/11
• Increased physical security measures (e.g.,
  staffing, security check points, manned
  facilities, flyovers, cameras, badge enforcement,
  escorted visitors)
• Increased consideration of interdependencies
• Increased employee awareness and training
• Increased coordination with government
• Local/State - law enforcement and National Guard
• Federal - threat level conditions, surveys,
  assessments
• Improved coordination with stakeholders
  (e.g., customers,
  suppliers, infrastructure providers)

28
Observations from VA Program (Contd)

• Companies forced to do more with less (fewer
  people, spare parts, and equipment)
• Contingency plans (business continuity and
  emergency response and disaster plans) are
  critical for rapid recovery from disruptions
• Consistent risk management framework is needed
• Feedback
• Early alerting and detection are critical
  (capability varies)
• Economics drive focus of quick restoration and
  recovery of critical assets
• Redundancy is essential

29
Observations from VA Program (Contd)

• Protecting barriers and access points is
  difficult (e.g., large volume of traffic,
  multiple access points and modes of transport,
  large-scale operation)
• Tradeoffs between operations and security are
  complex
• Maintenance is a key security issue (e.g.,
  requires rapid turnaround, large crews for
  several weeks)
• Safety considerations have important security
  benefits

30
Risk Management Is the Key to a Comprehensive
Security Program
Physical
Cyber

Protection
Protect
Threats
Complexity
infrastructure

Mitigation
and detect
Mitigate the
intrusions
Interdependencies
effects of
Response
disruptions
(incidents)
Assist in the
management
Recovery
of incidents
Facilitate
recovery from
Risk
incidents
Management

• Each system has unique vulnerabilities
• A one size fits all approach to security is not
  appropriate

31
Other Selected Reference Documents
James McDonnell John Weidner Alex
DeAlvarez 202-282-8370
http//www.npc.org
Ira Stern 202-287-1808