Critical Infrastructure Protection THE ELECTRICITY SECTOR Security Communications

Slides: 40
Provided by: nerc6

Transcript and Presenter's Notes

Title: Critical Infrastructure Protection THE ELECTRICITY SECTOR Security Communications


1
Critical Infrastructure Protection THE
ELECTRICITY SECTOR Security Communications
  • Presented to
  • SERC CONFERENCE
  • October 2004

2
Topics
  • Electricity Sector (ES) Critical Infrastructure
    Protection (CIP)
  • Organization
  • Initiatives for the ES
  • ES Information Sharing and Analysis Center (ESISAC)
  • Communications

3
The Electricity Sector
6 x10? C1
aGen bTransm cLSE dRC eCA fGov
3I
Characteristics: Instantaneous, Interconnected, Interdependent, Reliability, Security
Organizations: APPA, CEA, EEI, ELCON, EPRI, EPSA, ESISAC, other ISACs, NEI, NERC, NAESB, NRECA
Agencies: DOE, DHS, DOD, FERC, NARUC, NRC, PSEPC, RUS, USSS
4
Description and Definitions
  • APPA: American Public Power Association
  • CA: Control Area
  • CEA: Canadian Electricity Association
  • DOD: Department of Defense
  • DOE: Department of Energy
  • DHS: Department of Homeland Security
  • EEI: Edison Electric Institute
  • ELCON: Electricity Consumers Resource Council
  • EPRI: Electric Power Research Institute
  • EPSA: Electric Power Supply Association
  • ES: Electricity Sector
  • FERC: Federal Energy Regulatory Commission
  • IAIP: Information Analysis and Infrastructure Protection
  • ISAC: Information Sharing and Analysis Center
  • NAESB: North American Energy Standards Board
  • NARUC: National Association of Regulatory Utility Commissioners
  • NEI: Nuclear Energy Institute
  • NERC: North American Electric Reliability Council
  • NRC: Nuclear Regulatory Commission
  • The equation
  • Summed over millions of Customers
  • Entity types that comprise the ES: Generation, Transmission, Load Serving
    Entities, Purchasing-Selling Entities,
    Reliability Coordinators, Control Areas, Regional
    Transmission Organizations, Independent System
    Operators, Regulators (Canada/US
    Federal/State/Provincial/Local)
  • Divided by three Interconnections: Eastern, Western, Texas

5
13 RC
3 RC
1 RC
6
CIP Committee Structure
Physical Security Cyber Security Operations Policy
September 18, 2004
7
Electricity Sector Security Initiatives-1
  • Responses to 14 August 2004 Blackout
    Recommendations: physical and cyber security
  • Implement the National Infrastructure Protection
    Plan for the Electricity Sector
  • Indications, Analysis, Warnings (IAW) program
  • Data/information exchange between ES and DHS
  • Threat Alert Levels Physical and Cyber
  • Guidance for ES actions in response to Homeland
    Security Alert System
  • Reference materials available
    http://www.esisac.com

8
Electricity Sector Security Initiatives-2
  • Cyber Security Standard
  • 1200 in place; 1300 under development
  • 15 Security Guidelines
  • Physical, Cyber, Data
  • Critical Spares Project
  • Control Systems Security
  • High Altitude Electromagnetic Pulse
  • Outreach including workshops
  • Bi-lateral discussions and Urban Utility Center
  • Reference materials available
    http://www.esisac.com

9
Critical Assets
  • Those facilities, systems, and equipment
    which, if destroyed, damaged, degraded, or
    otherwise rendered unavailable, would have a
    significant impact on the ability to serve large
    quantities of customers for an extended period of
    time, would have a detrimental impact on the
    reliability or operability of the electric grid,
    or would cause significant risk to public health
    and safety.

10
Security Guidelines
Best practices for protecting critical assets
  • Cyber: Access Control
  • Cyber: IT Firewalls
  • Cyber: Intrusion Detection
  • Cyber: Risk Management
  • Protecting Sensitive Info
  • Securing Remote Access Process Control Systems
  • Incident Reporting
  • Physical Security: Substations
  • Overview
  • Communications
  • Emergency Plans
  • Employment Background Screen
  • Physical Security
  • Threat Response: Physical, Cyber
  • Vulnerability/Risk Assessment
  • Continuity of Business Process

11
Spare Equipment Project
  • NERC maintains a database of spare transformers
    and is planning expansion to include other
    critical spare equipment.
  • Establishing spare equipment requirements,
    sharing protocols, acquisition, spares
    repositories.
  • Collaborating with EPRI, Government Agencies

12
Control Systems in Electricity Sector
[Diagram labels: System Operations Center; EMS; ICCP; Interconnected System Operations Center; SCADA; Telecom; Generating or Transmission Station; RTU; Protective Relays; BTG; Transmission Control; Data Sensors; DCS and PLC]
13
Securing Control Systems
  • CIPC is working with electricity sector
    participants, governments, other critical
    infrastructure sectors, and control system
    vendors to:
  • Evaluate vulnerabilities and solutions in a test
    bed environment
  • Assess risk
  • Create plans to secure new systems
  • Create plans to secure old systems
  • Recognize a potential or actual attack
  • Mitigate an attack on control systems

14
Communications
15
ESISAC
  • Electricity Sector Information Sharing and Analysis
    Center
  • Share information about real and potential
    threats and vulnerabilities
  • Received from DHS and communicated to
    electricity sector participants
  • Received from electricity sector participants and
    communicated to DHS
  • Analyze information for trends, cross-sector
    dependencies, specific targets
  • Coordinate with other ISACs

16
http://www.esisac.com
17
Governments Sectors Coordination Operations (ES focus)
[Diagram labels: Governments / Sectors: DHS, DOE, PSEPC, CHEM, FS, ESISAC, . . ., TEL; Electricity Sector: RC, CA, TRAN, GEN, DIST, PSE]
18
Operational ISACs
  • Chemical
  • Electricity
  • Emergency Management and Response
  • Energy (Oil and Gas)
  • Financial Services
  • Health Care
  • Highway
  • Information Technology
  • Multi-State
  • Public Transit
  • Research and Education Network
  • Surface Transportation
  • Telecommunications
  • Water

19
ISAC Council Activities
  • Discussion papers
  • Government-Private Sector Relations
  • HSPD-7 Issues and Metrics
  • Information Sharing and Analysis
  • Integration of ISACs into Exercises
  • ISAC Analytical Efforts
  • Policy Framework for the ISAC Community
  • Reach of the Major ISACs
  • Vetting and Trust
  • Operational Clarity Matrix

20
  • REPORT INCIDENTS TO
  • LOCAL LAW ENFORCEMENT
  • (Establish and maintain relationship.)
  • LOCAL FBI
  • (Establish and maintain relationship.)
  • ESISAC
  • secure messaging CIPIS
  • email esisac_at_nerc.com
  • tel 609-452-1422 (anytime)
  • 609-452-8060 (day)
  • fax 609-452-9550
  • National Infrastructure Coordination Center
  • (DHS IAIP)
  • secure messaging CIPIS
  • email nicc_at_dhs.gov

21
Communications Mechanics-1
  • Available at no cost from the ESISAC to ES owners
    and operators involved in physical or cyber
    security or operations
  • Threat Advisory List (TAL): email of alerts,
    advisories, warnings focused on ES or of general
    interest to the Nation's security
  • This can be text device enabled, e.g., pager
  • Critical Infrastructure Protection Information
    System (CIPIS) secure Internet messaging system
    between ES and DHS

22
Communications Mechanics-2
  • US-CERT Portal for (primarily) cyber security
  • Reliability Coordinator hotline
  • Group conference calls
  • Other systems under design to assure
    communications
  • Homeland Security Information System (DHS and
    ESISAC)
  • Reach communications to assure notification via
    several diverse means
  • To participate
  • Send email to lou.leffler_at_nerc.net
  • Include the name of your Security or Operations
    Manager to facilitate authorization

23
CIPIS / RCIS
24
(No Transcript)
25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
IAW Program Reporting Events
  • Loss of Generation
  • Loss of HV Transmission
  • Loss of Distribution (NS/EP)
  • Loss of Distribution (EPS)
  • Loss of Load Center
  • Loss of Telecom for System operator
  • Loss of Control
  • Loss of or Degraded Market Functionality
  • Anomalous Non-character System Behavior
  • Announced and Credible Threats
  • Intelligence Gathering: Physical Surveillance
  • Intelligence Gathering and Operations: Cyber
    Surveillance
  • Intelligence Gathering: Social Engineering
  • Security Breaches Affecting IT
  • Planting/Pre-Positioning Malicious Code

30
Report
  • Malicious physical events that cause transmission
    outages, loss of generation, loss of load, damage
    to facilities
  • Malicious physical events that cause damage to
    facilities, breach of security
  • Malicious cyber events that result in actual or
    potential intrusion to a critical computer or
    utility telecom system
  • Threats received (e.g., bomb, mail, tel)
  • Surveillance

31
Possible Steps Toward A Terrorist Attack
Target Selection
Surveillance (first level, non professional)
Planning (weapons, location, etc)
Final Selection (target)
Deployment (equipment, people)
Final Surveillance (professional)
ATTACK!
32
Reports
  • From the ES,
  • Together with other critical infrastructures,
  • And intelligence sources
  • May help the DHS to

33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
Threat Alert Levels
38
Some Things to Think About
  • Does the ESISAC have your 24x7 contact? Are there
    multiple contact points and communications
    available?
  • Is a security decision-making process in place?
  • How will your organization's physical and cyber
    security decision-makers get notified? Are there
    backup communications?
  • Is there a means in place to communicate
    decisions to action-takers? A backup?
  • Consider responses in accordance with the Threat
    Alert Systems and Physical / Cyber Response
    Guidelines for the Electricity Sector.

READY Business http://www.ready.gov/business/
39
Contacts
  • Lynn Costantini, CIO, NERC
  • lynn.costantini_at_nerc.net
  • Lou Leffler, CIP Project Manager, NERC
  • lou.leffler_at_nerc.net
  • NERC 609-452-8060
  • ESISAC 609-452-1422
  • Note: Referenced materials and this
    presentation available at
    http://www.esisac.com
  • For access to communications
  • CIPIS
  • TAL
  • See sheet with details
  • Provide info to Ken Keels

TY