Title: Energy Infrastructure Vulnerability Survey and VRAP
1. U.S. Department of Homeland Security
Electric Infrastructure Vulnerability Assessment Methodology
by Dave Jones, Argonne National Laboratory, djones_at_anl.gov
NERC Workshop Meeting the Security Challenge
Activities sponsored by DHS Information Analysis and Infrastructure Protection Directorate
2. U.S. Department of Homeland Security
Information Analysis and Infrastructure Protection Directorate web sites
dhs.gov Threats Protection Critical Infrastructure
oea.dis.anl.gov
3. VA Program Objectives
- Develop an improved understanding of
- What is critical
- What is vulnerable (physical and cyber)
- How vulnerabilities could be exploited, and the feasibility
- System connectivity, interdependencies, and impacts of disruptions
- from a company, regional, state, system, national view
- Identify problems and desired help in responding to increased national security threat levels
- Green > Blue > Yellow > Orange > Red
4. VA Program Objectives (Cont'd)
- Broaden awareness and stimulate action to mitigate significant problems and improve preparedness
- Produce and disseminate survey and assessment methodologies
- Develop general lessons learned and best practices
5. Selected VA Program Publications
6. Examples of Infrastructure Assets Examined
- Electric Power
- Substations/transmission corridors
- Operating and control entities
- Distribution systems
- Hydroelectric plants
- Fossil power plants
- Natural Gas
- Transmission pipelines
- Distribution companies
- Other facilities (e.g., LNG facilities, hubs)
- Other Infrastructures
- Ports
- Telecommunications hubs
- Transportation assets (bridges, tunnels)
- Petroleum
- Crude and product pipelines
- Crude tankers
- Refineries
- Terminals
- Other facilities (e.g., storage reserves)
7. Primary Guidance Documents
Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities, dated August 19, 2002
Vulnerability Assessment Methodology, Electric Power Infrastructure (Draft), dated September 30, 2002
http://oea.dis.anl.gov/documents.htm
8. Risk Management Checklist Purpose
- Provide general guidance and starting point so smaller energy facilities can
- Identify critical functions and assets
- Become aware of threats and vulnerabilities
- Evaluate and rank the threats and vulnerabilities
- Initiate a security enhancement program, if appropriate
9. Checklist Concept
- Adapted for use by small and medium sized energy facilities - municipal utilities, independent utilities, and rural cooperatives
- Includes overview of the concepts of vulnerability analyses and risk assessments, and lists of questions and considerations for use during each major step of risk management process
- Assist operators in identifying priorities for protecting their local individual portions of the nation's energy infrastructure
10. Local and State Governments' Role
- Energy facilities are responsible for their own risk management, but local and state governments need to take a proactive role to help these facilities perform the needed risk assessments, adopt adequate and cost beneficial methodologies, and take actions to address the findings
11. Outline of Risk Management Steps
- Identify critical assets and the impacts of their loss
- Identify what protects and supports the critical assets
- Identify and characterize the threat
- Identify and analyze vulnerabilities
- Assess risk and determine priorities for asset protection
- Identify mitigation options, costs, and trade-offs
12. Survey Elements
- Physical
- Barriers, Intrusion detection, Access control, Security force
- Cyber
- SCADA, Process controls
- Operations Security (OPSEC)
- Assault strategies
- Explosives analysis
- Interdependencies/Systems
- Surveys are Quick Look, 5 member team, 1 ½ days on-site
13. Operations Security (OPSEC) Survey Elements
- Human resources security procedures
- Facility engineering
- Operations
- Telecommunications and information technology (i.e. web page)
- Publicly released information
- Trash and waste handling
- Government, vendor, other web pages
14. Interdependencies Elements
- Internal infrastructures
- Electric power supply and distribution systems
- Internal HVAC systems
- Telephone systems
- Microwave/radio communications
- Intranet and e-mail systems
- Computers and servers
- Fire suppression and fire fighting systems
- SCADA systems
- Domestic water systems
- Industrial water systems
- Physical security system
- Human resources support
- Financial systems
- External infrastructures
- Electric power
- Natural gas
- Petroleum fuels
- Telecommunications
- Water and wastewater
- Road transportation
- Rail transportation
- Air transportation
- Water transportation
15. Illustrative Electric Dependencies on Other Critical Infrastructures
16. VA Program Process
- Pre-Assessment
- Define Objectives and Scope
- Establish Information Protection Procedure (Non-Disclosure Agreement)
- Identify and Rank Critical Assets
- Complete Request for Information (RFI)
17. VA Program Process (Cont'd)
- Assessment
- Subject Matter Experts (SME) review/analyze RFI and prepare for on-site visit
- Team conducts 5 day on-site assessment
- Each SME writes respective report section
- Team Leader completes report and briefs Senior Management
- Selected Experts brief staff
18. VA Program Process (Cont'd)
- Post-Assessment
- Prioritize Recommendations
- Develop Action Plan
- Capture Lessons Learned and Best Practices
- Conduct Training
19. Representative Criticality Criteria
- Loss of human life (potential for mass casualties -- killed, injured)
- Economic impact of destruction/disruption
- Political consequences (public confidence/morale, national prestige, governability, symbolic value)
- National defense (ability to defend national sovereignty/territorial integrity or ability to sustain military power abroad)
- Potential for loss of energy supply to large civilian areas
- Potential for environment impacts
- Extended time needed to repair, little or no redundant capacity
- Potential for interdependency (cascading) effects
20. Critical Asset Identification
- Potential Organization Invitee List
- Physical and Cyber Security
- Operations
- IT and Telecommunications
- Safety
- Facilities
- HR
- Financial, Communications/Public Affairs
- Legal, Audit, Marketing
21. VA Elements
- Network Architecture: Assess network topology and connectivity
- Threat Environment: Assess individual and organizational threats
- Penetration Testing: Identify network vulnerabilities and assess penetration pathways
- Physical Security: Assess physical security systems
- Physical Asset Analysis: Assess vulnerabilities of operational assets
- Operations Security: Assess processes and practices to deny adversary access to information
22. VA Elements (Cont'd)
- Policies and Procedures: Assess organizational policies and procedures
- Impact Analysis: Quantify disruption impacts
- Infrastructure Interdependencies: Identify physical and cyber dependencies on critical infrastructures (e.g., electric power, telecommunications, water, transportation)
- Risk Characterization: Prioritize recommendations across all task areas
23. Vulnerability Assessment Lessons Learned
- Network Architecture: Define network perimeter. Minimize external connections. Up to date mapping of network. Enhance security of mission critical systems.
- Threat Environment: Background investigations for new hires and periodic updates for current employees. Specific threat data rare, maintain liaison with Federal, State, and local LLEA to get trend information.
- Penetration Testing: Traffic filtering, authentication controls, encryption, and access controls, minimizing or disabling of unnecessary services and commands, email filtering, and virus control. Google search to locate sensitive information on your company. Modem search.
24. Vulnerability Assessment Lessons Learned (Cont'd)
- Physical Security: Restrict access to sensitive areas, review access control list, inventory security keys, minimize nuisance alarms, enhance badge program.
- Physical Asset Analysis: Compare operating and maintenance procedures with best practices and procedures used throughout the industry.
- Operations Security: Review Web Page(s) for sensitive information, life cycle of sensitive information.
- Policies and Procedures: Formalized policies and procedures provide a foundation for achieving the desired level of security.
25. Vulnerability Assessment Lessons Learned (Cont'd)
- Impact Analysis: Estimates of the potential consequences, including economic implications, of not mitigating identified vulnerabilities or addressing security concerns are necessary in order to effectively apply risk management approaches to evaluate mitigation and security recommendations.
- Infrastructure Interdependencies: Evaluate contingency and response plans from an infrastructure interdependencies perspective and enhance coordination with other infrastructure providers.
- Risk Characterization: Integrate security risk management into the corporate risk management process.
26. Best Practices from Surveys and Assessments
- Create senior level security council/committee
- Corporate/company security officer
- Formal security program - include list of critical assets, a mission statement, threat definition, acceptable risks, and vulnerability assessments
- Implement structured security requirements for critical suppliers and partners
- Periodically review and update emergency plans to include newer threats and vulnerabilities; test plans regularly
- Implement appropriate configuration management across all IT systems
- Raise employee awareness to be proactive on security matters
27. Observations from VA Program
- Energy industry has taken significant action since 9/11
- Increased physical security measures (e.g., staffing, security check points, manned facilities, flyovers, cameras, badge enforcement, escorted visitors)
- Increased consideration of interdependencies
- Increased employee awareness and training
- Increased coordination with government
- Local/State - law enforcement and National Guard
- Federal - threat level conditions, surveys, assessments
- Improved coordination with stakeholders (e.g., customers, suppliers, infrastructure providers)
28. Observations from VA Program (Cont'd)
- Companies forced to do more with less (fewer people, spare parts, and equipment)
- Contingency plans (business continuity and emergency response and disaster plans) are critical for rapid recovery from disruptions
- Consistent risk management framework is needed
- Feedback
- Early alerting and detection are critical (capability varies)
- Economics drive focus of quick restoration and recovery of critical assets
- Redundancy is essential
29. Observations from VA Program (Cont'd)
- Protecting barriers and access points is difficult (e.g., large volume of traffic, multiple access points and modes of transport, large-scale operation)
- Tradeoffs between operations and security are complex
- Maintenance is a key security issue (e.g., requires rapid turnaround, large crews for several weeks)
- Safety considerations have important security benefits
30. Risk Management Is the Key to a Comprehensive Security Program
[Figure labels: Physical, Cyber, Threats, Complexity, Interdependencies, Risk Management]
- Protection: Protect infrastructure and detect intrusions
- Mitigation: Mitigate the effects of disruptions (incidents)
- Response: Assist in the management of incidents
- Recovery: Facilitate recovery from incidents
- Each system has unique vulnerabilities
- A one size fits all approach to security is not appropriate
31. Other Selected Reference Documents
James McDonnell John Weidner Alex DeAlvarez 202-282-8370
http://www.npc.org
Ira Stern 202-287-1808