Energy Infrastructure Vulnerability Survey and VRAP - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Energy Infrastructure Vulnerability Survey and VRAP

Description:

Telecommunications and information technology (i.e. web page) Publicly released ... Rail. Oil. Road. Telecom. Water. Information. Technology. Banking & Finance ... – PowerPoint PPT presentation

Number of Views:68
Avg rating:3.0/5.0
Slides: 32
Provided by: jimpeer
Category:

less

Transcript and Presenter's Notes

Title: Energy Infrastructure Vulnerability Survey and VRAP


1
U.S. Department of Homeland Security
Electric Infrastructure Vulnerability Assessment
Methodology by Dave Jones Argonne National
Laboratory djones_at_anl.gov NERC Workshop Meeting
the Security Challenge Activities sponsored by
DHS Information Analysis and Infrastructure
Protection Directorate
2
U.S. Department of Homeland Security
Information Analysis and Infrastructure
Protection Directorate web sites
dhs.gov Threats Protection Critical
Infrastructure oea.dis.anl.gov
3
VA Program Objectives
  • Develop an improved understanding of
  • What is critical
  • What is vulnerable (physical and cyber)
  • How vulnerabilities could be exploited, and the
    feasibility
  • System connectivity, interdependencies, and
    impacts of disruptions
  • from a company, regional, state, system, national
    view
  • Identify problems and desired help in responding
    to increased national security threat levels
  • Green gt Blue gt Yellow gt Orange gt Red

4
VA Program Objectives (Contd)
  • Broaden awareness and stimulate action to
    mitigate significant problems and improve
    preparedness
  • Produce and disseminate survey and assessment
    methodologies
  • Develop general lessons learned and best
    practices

5
Selected VA Program Publications
6
Examples of Infrastructure Assets Examined
  • Electric Power
  • Substations/transmission corridors
  • Operating and control entities
  • Distribution systems
  • Hydroelectric plants
  • Fossil power plants
  • Natural Gas
  • Transmission pipelines
  • Distribution companies
  • Other facilities (e.g., LNG facilities, hubs)
  • Other Infrastructures
  • Ports
  • Telecommunications hubs
  • Transportation assets (bridges, tunnels)
  • Petroleum
  • Crude and product pipelines
  • Crude tankers
  • Refineries
  • Terminals
  • Other facilities (e.g, storage reserves)

7
Primary Guidance Documents
Energy Infrastructure Risk Management Checklists
for Small and Medium Sized Energy Facilities
dated August 19, 2002 Vulnerability Assessment
Methodology, Electric Power Infrastructure
(Draft) dated September 30,
2002 http//oea.dis.anl.gov/documents.htm

8
Risk Management Checklist Purpose
  • Provide general guidance and starting point
    so smaller energy facilities can
  • Identify critical functions and assets
  • Become aware of threats and vulnerabilities
  • Evaluate and rank the threats and vulnerabilities
  • Initiate a security enhancement program, if
    appropriate

9
Checklist Concept
  • Adapted for use by small and medium sized energy
    facilities - municipal utilities, independent
    utilities, and rural cooperatives
  • Includes overview of the concepts of
    vulnerability analyses and risk assessments, and
    lists of questions and considerations for use
    during each major step of risk management process
  • Assist operators in identifying priorities for
    protecting their local individual portions of the
    nations energy infrastructure

10
Local and State Governments Role
  • Energy facilities are responsible for their
    own risk management, but local and state
    governments need to take a proactive role to
    help these facilities perform the needed risk
    assessments, adopt adequate and cost beneficial
    methodologies, and take actions to address the
    findings

11
Outline of Risk Management Steps
  • Identify critical assets and the impacts of their
    loss
  • Identify what protects and supports the critical
    assets
  • Identify and characterize the threat
  • Identify and analyze vulnerabilities
  • Assess risk and determine priorities for asset
    protection
  • Identify mitigation options, costs, and trade-offs

12
Survey Elements
  • Physical
  • Barriers, Intrusion detection, Access control,
    Security force
  • Cyber
  • SCADA, Process controls
  • Operations Security (OPSEC)
  • Assault strategies
  • Explosives analysis
  • Interdependencies/Systems
  • Surveys are Quick Look, 5 member team, 1 ½ days
    on-site

13
Operations Security (OPSEC) Survey Elements
  • Human resources security procedures
  • Facility engineering
  • Operations
  • Telecommunications and information
    technology (i.e. web
    page)
  • Publicly released information
  • Trash and waste handling
  • Government, vendor, other web pages

14
Interdependencies Elements
  • Internal infrastructures
  • Electric power supply and distribution systems
  • Internal HVAC systems
  • Telephone systems
  • Microwave/radio communications
  • Intranet and e-mail systems
  • Computers and servers
  • Fire suppression and fire fighting systems
  • SCADA systems
  • Domestic water systems
  • Industrial water systems
  • Physical security system
  • Human resources support
  • Financial systems
  • External infrastructures
  • Electric power
  • Natural gas
  • Petroleum fuels
  • Telecommunications
  • Water and wastewater
  • Road transportation
  • Rail transportation
  • Air transportation
  • Water transportation

15
Illustrative Electric Dependencies on Other
Critical Infrastructures
Electric
16
VA Program Process
  • Pre-Assessment
  • Define Objectives and Scope
  • Establish Information Protection Procedure
    (Non-Disclosure Agreement)
  • Identify and Rank Critical Assets
  • Complete Request for Information (RFI)

17
VA Program Process (Contd)
  • Assessment
  • Subject Matter Experts (SME) review/analyze RFI
    and prepare for on-site visit
  • Team conducts 5 day on-site assessment
  • Each SME writes respective report section
  • Team Leader completes report and briefs Senior
    Management
  • Selected Experts brief staff

18
VA Program Process (Contd)
  • Post-Assessment
  • Prioritize Recommendations
  • Develop Action Plan
  • Capture Lessons Learned and Best Practices
  • Conduct Training

19
Representative Criticality Criteria
  • Loss of human life (potential for mass casualties
    -- killed,
    injured)
  • Economic impact of destruction/disruption
  • Political consequences (public confidence/morale,
    national prestige, governability, symbolic
    value) 
  • National defense (ability to defend national
    sovereignty/territorial integrity or ability to
    sustain military power abroad)
  • Potential for loss of energy supply to large
    civilian areas
  • Potential for environment impacts
  • Extended time needed to repair little or no
    redundant capacity
  • Potential for interdependency (cascading) effects
     

20
Critical Asset Identification
  • Potential Organization Invitee List
  • Physical and Cyber Security
  • Operations
  • IT and Telecommunications
  • Safety
  • Facilities
  • HR
  • Financial, Communications/Public Affairs
  • Legal, Audit, Marketing

21
VA Elements
  • Network Architecture Assess network topology
    and connectivity
  • Threat Environment Assess individual and
    organizational threats
  • Penetration Testing Identify network
    vulnerabilities and assess penetration pathways
  • Physical Security Assess physical security
    systems
  • Physical Asset Analysis Assess vulnerabilities
    of operational assets
  • Operations Security Assess processes and
    practices to deny adversary access to information

22
VA Elements (Contd)
  • Policies and Procedures Assess organizational
    policies and procedures
  • Impact Analysis Quantify disruption impacts
  • Infrastructure Interdependencies Identify
    physical and cyber dependencies on critical
    infrastructures (e.g., electric power,
    telecommunications, water, transportation)
  • Risk Characterization Prioritize
    recommendations across all task areas

23
Vulnerability Assessment Lessons Learned
  • Network Architecture Define network perimeter.
    Minimize external connections. Up to date
    mapping of network. Enhance security of mission
    critical systems.
  • Threat Environment Background investigations
    for new hires and periodic updates for current
    employees. Specific threat data rare, maintain
    liaison with Federal, State, and local LLEA to
    get trend information.
  • Penetration Testing Traffic filtering,
    authentication controls, encryption, and access
    controls, minimizing or disabling of unnecessary
    services and commands, email filtering, and virus
    control. Google search to locate sensitive
    information on your company. Modem search.

24
Vulnerability Assessment Lessons Learned (Contd)
  • Physical Security Restrict access to sensitive
    areas, review access control list, inventory
    security keys, minimize nuisance alarms, enhance
    badge program.
  • Physical Asset Analysis Compare operating and
    maintenance procedures with best practices and
    procedures used throughout the industry.
  • Operations Security Review Web Page(s) for
    sensitive information, life cycle of sensitive
    information.
  • Policies and Procedures Formalized policies and
    procedures provide a foundation for achieving the
    desired level of security.

25
Vulnerability Assessment Lessons Learned (Contd)
  • Impact Analysis Estimates of the potential
    consequences, including economic implications, of
    not mitigating identified vulnerabilities or
    addressing security concerns are necessary in
    order to effectively apply risk management
    approaches to evaluate mitigation and security
    recommendations.
  • Infrastructure Interdependencies Evaluate
    contingency and response plans from an
    infrastructure interdependencies perspective and
    enhance coordination with other infrastructure
    providers.
  • Risk Characterization Integrate security risk
    management into the corporate risk management
    process.

26
Best Practices from Surveys and Assessments
  • Create senior level security council/committee
  • Corporate/company security officer
  • Formal security program - include list of
    critical assets, a mission statement, threat
    definition, acceptable risks, and vulnerability
    assessments
  • Implement structured security requirements for
    critical suppliers and partners
  • Periodically review and update emergency plans to
    include newer threats and vulnerabilities test
    plans regularly
  • Implement appropriate configuration management
    across all IT systems
  • Raise employee awareness to be proactive on
    security matters

27
Observations from VA Program
  • Energy industry has taken significant action
    since 9/11
  • Increased physical security measures (e.g.,
    staffing, security check points, manned
    facilities, flyovers, cameras, badge enforcement,
    escorted visitors)
  • Increased consideration of interdependencies
  • Increased employee awareness and training
  • Increased coordination with government
  • Local/State - law enforcement and National Guard
  • Federal - threat level conditions, surveys,
    assessments
  • Improved coordination with stakeholders
    (e.g., customers,
    suppliers, infrastructure providers)

28
Observations from VA Program (Contd)
  • Companies forced to do more with less (fewer
    people, spare parts, and equipment)
  • Contingency plans (business continuity and
    emergency response and disaster plans) are
    critical for rapid recovery from disruptions
  • Consistent risk management framework is needed
  • Feedback
  • Early alerting and detection are critical
    (capability varies)
  • Economics drive focus of quick restoration and
    recovery of critical assets
  • Redundancy is essential

29
Observations from VA Program (Contd)
  • Protecting barriers and access points is
    difficult (e.g., large volume of traffic,
    multiple access points and modes of transport,
    large-scale operation)
  • Tradeoffs between operations and security are
    complex
  • Maintenance is a key security issue (e.g.,
    requires rapid turnaround, large crews for
    several weeks)
  • Safety considerations have important security
    benefits

30
Risk Management Is the Key to a Comprehensive
Security Program
Physical
Cyber

Protection
Protect
Threats
Complexity
infrastructure

Mitigation
and detect
Mitigate the
intrusions
Interdependencies
effects of
Response
disruptions
(incidents)
Assist in the
management
Recovery
of incidents
Facilitate
recovery from
Risk
incidents
Management
  • Each system has unique vulnerabilities
  • A one size fits all approach to security is not
    appropriate

31
Other Selected Reference Documents
James McDonnell John Weidner Alex
DeAlvarez 202-282-8370
http//www.npc.org
Ira Stern 202-287-1808
Write a Comment
User Comments (0)
About PowerShow.com