ELECTRICITY SECTOR CRITICAL INFRASTRUCTURE PROTECTION and ESISAC - PowerPoint PPT Presentation

Slides: 34
Provided by: LouLe

Transcript and Presenter's Notes

1
ELECTRICITY SECTOR CRITICAL INFRASTRUCTURE
PROTECTION and ESISAC
  • Presentation to
  • EDISON ELECTRIC INSTITUTE
  • SECURITY COMMITTEE
  • 24 September 2003

2
Topics
  • Electricity Sector
  • NERC, CIPAG, ESISAC
  • Communications
  • Security Guidelines
  • Cyber Security Standard
  • Process Control Systems Security
  • Other Projects
  • 14 August 2003

3
The Electricity Sector
6 x10? C1
aGen bTrans cLSE dPSE eRC fCA gGov

3I
Instantaneous, Interconnected, Interdependent
Reliability, Security Guidelines, Standards
Orgs: APPA, CEA, EEI, ELCON, EPRI, EPSA, ESISAC & other ISACs, NEI, NERC, NAERO, NAESB, NRECA
Agencies: DOE, DHS, DOD, FERC, NARUC, NRC, OCIPEP, RUS, USSS
4
Definitions and Description
  • APPA American Public Power Association
  • CEA Canadian Electricity Association
  • DOD Department of Defense
  • DOE Department of Energy
  • DHS Department of Homeland Security
  • EEI Edison Electric Institute
  • ELCON Electricity Consumers Resource Cncl
  • EPRI Electric Power Research Institute
  • EPSA Electric Power Supply Association
  • ES Electricity Sector
  • FERC Federal Energy Regulatory Commission
  • IAIP Info Analysis, Infrastructure Protection
  • ISAC Information Sharing and Analysis Center
  • NAERO No. Amer. Electric Reliability Cncl
  • NAESB No. Amer. Energy Standards Board
  • NARUC Natl Assoc Reg Utility Commissioners
  • NEI Nuclear Energy Institute
  • NERC North American Electric Reliability Cncl
  • NIPC Natl Infrastructure Protection Center
  • The equation
  • Summed over millions of Customers
  • Entity types that comprise the ES
  • Divided by three Interconnections
  • Eastern
  • Western
  • Texas
  • Generation, Transmission, Load Serving Entities,
    Purchasing-Selling Entities, Reliability
    Coordinators, Control Areas, Regional
    Transmission Organizations, Independent System
    Operators, Regulators (Canada/US
    Federal/State/Provincial/Local)

5
[Map labels: 14 RC, 3 RC, 1 RC]
6
CRITICAL INFRASTRUCTURE PROTECTION ADVISORY GROUP
Board of Trustees
NERC Stndg Cmtes MC, OC, PC
US CAN Gov
APPA
CIPAG Physical Security Cyber Security Operations
Policy Development Needs Peer Review
CEA  
EEI  
ESISAC Analysis Communications
NRECA
Subcommittee Task Forces Processes and
Practices Development
Professional Review Recommendations Practices
24 Sep 2003
7
ESISAC Communications
[Diagram labels: RA, BA, IA, TSP, TOw, TOp, DP, GEN, LSE, PA, PSE (shown twice); ESISAC; DHS-IAIP; Law Enforce; Other ISACs; ISAC Cncl; Other Federal, State, Provincial Agencies]
8
ESISAC Mission
  • Receive electricity sector security data
  • Analyze security data
  • With DHS, other agencies, other ISACs
  • Disseminate threat indications, analyses,
    warnings with interpretations

9
http://www.esisac.com
10
  • REPORT INCIDENTS TO
  • LOCAL LAW ENFORCEMENT
  • Establish and maintain relationship
  • LOCAL FBI
  • Establish and maintain relationship
  • DHS-IAIP IAW Program
  • InfraGard CIPIS nipc.watch_at_fbi.gov
  • 202-323-3204,5,6
  • 888-585-9078
  • ESISAC
  • CIPIS https://www.nerc.net/registration/
    esisac_at_nerc.com
  • 609-452-8060 day
  • 609-452-1422 anytime

11
DHS Homeland Security Operations Center
  • Senior Watch Officer 202-282-8101
  • E-mail HSCenter_at_dhs.gov
  • Matthew Broderick, Director, HSOC

12
Communication Types
  • Incident data for analysis
  • From Electricity Sector (ES) entities
  • To DHS-IAIP, ESISAC, ES entities as determined by
    inputting entity
  • Threat Alerts, Advisories, Warnings, other
    information
  • From DHS-IAIP and ESISAC
  • To ES entities
  • Sector, Area, Type facility, Specific facility

13
Communications Mechanisms
  • Critical Infrastructure Protection Information
    System (CIPIS) (register)
  • Email listservers
  • ES Threat Advisory List (TAL) (request)
  • Edison Electric Institute Security Committee
  • Critical Infrastructure Protection Advisory Group
    and Forum
  • Lists with pager and text cell phones included
  • Conference calls
  • Bi-monthly
  • On demand
  • Direct contact

14
IAW Program Reporting Events (Indications,
Analysis, Warnings)
  • Loss of Generation
  • Loss HV Transmission
  • Loss of Distribution (NS/EP)
  • Loss of Distribution (EPS)
  • Loss of Load Center
  • Loss of Telecom for System operator
  • Loss of Control
  • Loss of or Degraded Market Functionality
  • Anomalous Non-character System Behavior
  • Announced Credible Threats
  • Intelligence Gathering Physical Surveillance
  • Intelligence Gathering and Operations Cyber
    Surveillance
  • Intelligence Gathering Social Engineering
  • Security Breaches Affecting IT
  • Planting/Pre-Positioning Malicious Code

15
Threat Alert Levels
16
Security Guidelines
  • Cyber Access Control
  • Cyber IT Firewalls
  • Cyber Intrusion Detection
  • Cyber Risk Management
  • Protecting Sensitive Info
  • Securing Remote Access Process Control Systems
  • Incident Reporting
  • Overview
  • Communications
  • Emergency Plans
  • Employment Background Screen
  • Physical Security
  • Threat Response
  • Physical
  • Cyber
  • Vulnerability/Risk Assessment
  • Continuity of Business Process

17
Cyber Security Standard
  • FERC Proposed Cyber Security Standards July
    2002
  • SQL Slammer Worm January 2003
  • NERC Urgent Action Cyber Security Standard
  • NERC Permanent Cyber Security Standard

18
Cyber Security Standard
  • To whom does it apply?
  • To what does it apply?
  • What are the requirements?
  • How will compliance be measured?

19
Cyber Security Standard
  • To whom does it apply?
  • Entities performing critical functions that
    impact the operation of the electric grid.

20
Cyber Security Standard
  • To what does it apply?
  • Critical Cyber Assets: computers, installed
    software and electronic data, and communication
    networks that support, operate, or otherwise
    interact with the bulk electric system
    operations. This definition currently does not
    include process control systems, distributed
    control systems, or electronic relays installed
    in generating stations, switching stations and
    substations.

21
Cyber Security Standard
  • Requirements
  • Cyber Security Policy
  • Critical Cyber Assets
  • Electronic Security Perimeter
  • Electronic Access Controls
  • Physical Security Perimeter
  • Physical Access Controls
  • Personnel
  • Monitoring Physical Access
  • Monitoring Electronic Access
  • Information Protection
  • Training
  • Systems Management
  • Test Procedures
  • Electronic Incident Response Actions
  • Physical Incident Response Actions
  • Recovery Plans

22
Cyber Security Standard
  • Compliance
  • Control Areas and Reliability Coordinators, as
    defined by NERC
  • Self-certification by 1Q 2004
  • Permanent standard will specify new compliance
    requirements

23
Process Control Systems (PCS) Security
  • What are PCS (aka Electronic Control and
    Protection Systems)?
  • The Security Challenge
  • Securing PCS
  • NERC Guideline
  • Next Steps

24
PCS in Electricity Sector
[Diagram labels: System Operations Center, EMS, ICCP, Interconnected System Operations Center, SCADA, RA, Telecom, Generating or Transmission Station, RTU, Protective Relays, BTG, DCS, Data Sensors, PLC, RA]
25
The Security Challenge
  • PCS are ubiquitous and universal
  • PCS operate in real-time
  • PCS may not have built-in security features
  • Reality of security concern
  • Some testing
  • Electronic access beyond physical security
    perimeter
  • Access within physical security perimeter

26
Securing PCS: A First Step
  • NERC Guideline - Securing Remote Access to
    Electronic Control and Protection Systems
  • Recommends establishing policies and procedures
    for controlling remote access.
  • Disable remote access when not in use
  • Approve remote access users
  • Authenticate users prior to each session
  • Manage passwords
  • Manage remote access hardware and software
  • Use encryption

27
Securing PCS: Next Steps
  • CIPAG PCS Task Force is working with electricity
    sector participants, other critical
    infrastructure sectors, and PCS vendors to
  • Evaluate vulnerabilities and solutions in a test
    bed environment
  • Assess risk
  • Create plans to secure old and new systems,
    recognize a potential or actual attack, and
    mitigate an attack on PCS

28
Other ES Activities
  • High Altitude Electromagnetic Pulse
  • Congressional Commission and CIP TF
  • Radio Frequency Warfare
  • Dependence of the ES on Internet
  • Critical Infrastructure Interdependencies
  • ISAC Council
  • NIAC
  • Critical assets
  • DHS
  • System data and analysis
  • DHS

29
Public Key Infrastructure (PKI)
  • Creating a secure, trusted environment to conduct
    electricity sector business and share information
    across the Internet.
  • Transactions will have
  • Privacy
  • Authentication
  • Integrity
  • Non-repudiation

30
Spare Equipment Database
  • NERC maintains a database of spare transformers
    and is expanding it to include other critical
    spare equipment
  • Ongoing activities include
  • Creating equipment sharing protocols
  • Developing recovery response strategy for
    terrorist attacks of differing magnitudes
  • Standardizing equipment design (Recovery
    Transformer Project)

31
CIP Workshops Agendas
  • Security Guidelines (14)
  • Cyber Security Standard
  • Vulnerability Assessment Methodologies
  • Communications

32
Meeting The Security Challenge Workshops
33
Contacts
  • Lou Leffler, CIP Program Manager
  • lou.leffler_at_nerc.net
  • Lynn Costantini, CIO
  • lynn.costantini_at_nerc.net

TY