Security Guidelines Workshop: Cyber Security Breakout Session, April 10, 2003, Washington, DC (PowerPoint presentation transcript)
1
Security Guidelines Workshop: Cyber Security Breakout Session
April 10, 2003, Washington, DC
  • Kevin B. Perry
  • Director, Information Technology
  • Southwest Power Pool

2
A Statement of Fact
  • Thousands of attempts are made daily to intrude into computer
    systems, including:
    • Key government and industry networks
    • Defense facilities
    • Power grids
    • Banks
    • Government agencies
    • Telephone systems
    • Transportation systems

3
Some Statistics
  • In the second half of 2002, average attacks per company:
    • Power and Energy Sector: 987
    • Non-profit companies: 869
    • Telecommunications companies: 845
    • High tech companies: 753
    • Banking and finance: 689
  • 70 percent of attacks against the Power and Energy Sector were
    rated as severe.

Source: Symantec, February 2003
4
You May Be A Target
  • Recent data mining of multiple ES corporations' cyber logs shows a
    recurring many-to-one pattern of distributed reconnaissance (scans /
    attempted-connection signatures) against specific ES members
    (e.g., A, B, C) emanating from the same IP addresses (e.g., 1, 2, 3),
    with source addresses in:
    • People's Republic of China
    • Hong Kong
    • South Korea
  • Source: Critical Infrastructure Assurance Program, April 2002

5
You May Be A Target
  • Are smaller companies a target for hackers? Yes! You could be:
    • An intermediate path to access a connected network.
    • A vector for attacking a dependent critical sector.
    • A platform used to initiate a cyber attack.
  • Why? Because you may be convenient and possibly less protected.

6
How Did Your Company Do?
  • Did you experience problems due to:
    • SQL Slammer
    • Nimda
    • Code Red
    • I Love You
  • If you did, what have you done to fix the problem?
  • The NERC Security Guidelines can help.

7
Today's Discussion Topics
  • Security Guidelines
  • Risk Management
  • Access Controls
  • IT Firewalls
  • Intrusion Detection
  • Employment Background Screening
  • Protecting Potentially Sensitive Information
  • Remote Access

8
Risk Management
  • Who here has performed a cyber risk management
    assessment?
  • What are the characteristics of a cyber risk
    management program?

9
Risk Management
  • Characteristics of a risk management program:
    • Proactive
    • Ongoing
    • Identifies and assesses risk
    • Weighs business tradeoffs
    • Defines acceptable levels of risk
    • Keeps pace with changing technologies and solutions

10
Risk Management
  • Risk management programs should address:
    • System characterization
    • Threat identification
    • Vulnerability identification
    • Control analysis
    • Likelihood determination
    • Impact analysis
    • Risk determination
    • Control recommendations
    • Results documentation

11
Risk Management
  • References
    • Risk Management Guide for Information Technology Systems,
      National Institute of Standards and Technology, Special
      Publication 800-30, January 2002
      http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
    • Security Self-Assessment Guide for Information Technology
      Systems, National Institute of Standards and Technology, Special
      Publication 800-26, November 2001
      http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
    • NIST Special Publications, NIST documents of general interest to
      the computer security community
      http://csrc.nist.gov/publications/nistpubs/index.html

12
Risk Management
  • References
    • Information Security Primer, Electric Power Research Institute,
      April 2001
      http://www.nerc.com/filez/cipfiles.html
    • Security Guidelines for the Electricity Sector
      http://www.esisac.com/library.htm

13
Access Controls
  • What are access controls used for? Authorization, authentication,
    and monitoring.
  • What access controls do you use in your company?
  • Can you get around your company's access controls?

14
Access Controls
  • Authorization
    • Signed user agreement to abide by all policies
    • User role description and access justification
    • Specific systems to be accessed
    • Access constraints or limitations
    • Owner of system or restricted access area
    • Signed approval by owner
    • Authorization termination / renewal date

15
Access Controls
  • Authentication
    • Authenticate before granting access
    • Authentication factors:
      • Something you know
      • Something you have
      • Something you are
      • Location information
    • Use multiple factors in combination, e.g., something you know and
      something you have

16
Access Controls
  • Authentication techniques
    • Basic lock and key
    • Simple passwords
    • Electronic badges / smart cards
    • Cryptography (handheld tokens, digital keys, etc.)
    • Biometrics

17
Access Controls
  • Monitoring
    • Need a good audit trail, recording:
      • Date / time access was authenticated
      • User that was authenticated
      • User-initiated events
      • Date / time of events
      • Date / time access was terminated
    • Audit trail enforces user accountability
    • Audit trail helps establish trust in the user
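As an added example (not code from the presentation), the Python below shows what the audit-trail fields above make possible when the trail is actually reviewed: it replays constructed LOGIN / EVENT / LOGOUT records in time order, reconstructs completed sessions, flags user-initiated events that have no authenticated session behind them (an accountability gap: nobody can be held responsible for the setpoint change), and lists sessions that were never terminated. The log format, user names and timestamps are invented for the illustration.

```python
from datetime import datetime

# Constructed sample audit records (not from the presentation).
# One record per line: ISO timestamp | user | action | detail
# Actions: LOGIN (access authenticated), EVENT (user-initiated action),
# LOGOUT (access terminated).
SAMPLE_AUDIT_LOG = """\
2003-04-10T08:00:00|alice|LOGIN|console-1
2003-04-10T08:05:12|alice|EVENT|view breaker status
2003-04-10T08:20:45|alice|EVENT|change setpoint feeder-7
2003-04-10T08:30:00|alice|LOGOUT|console-1
2003-04-10T09:15:00|bob|EVENT|change setpoint feeder-3
2003-04-10T10:00:00|carol|LOGIN|console-2
2003-04-10T10:02:00|carol|EVENT|export topology map
"""


def parse_audit_log(text):
    """Split the pipe-delimited records into (timestamp, user, action, detail)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, detail = line.split("|", 3)
            records.append((ts, user, action, detail))
    return records


def review_audit_trail(records, now_iso):
    """Replay the trail in time order and return (sessions, orphans, open):
      sessions - completed sessions as (user, login, logout, event_count)
      orphans  - EVENT records with no authenticated session for that user
                 at that time; no one can be held accountable for them
      open     - user -> minutes since login with no LOGOUT before now_iso
    ISO-8601 timestamps sort correctly as plain strings."""
    now = datetime.fromisoformat(now_iso)
    active = {}        # user -> [login timestamp, events so far]
    sessions = []
    orphans = []
    for ts, user, action, detail in sorted(records):
        if action == "LOGIN":
            active[user] = [ts, 0]
        elif action == "EVENT":
            if user in active:
                active[user][1] += 1
            else:
                orphans.append((ts, user, detail))
        elif action == "LOGOUT":
            login, count = active.pop(user, (None, 0))
            sessions.append((user, login, ts, count))
    open_sessions = {
        user: int((now - datetime.fromisoformat(login)).total_seconds() // 60)
        for user, (login, _) in active.items()
    }
    return sessions, orphans, open_sessions


if __name__ == "__main__":
    sessions, orphans, still_open = review_audit_trail(
        parse_audit_log(SAMPLE_AUDIT_LOG), "2003-04-10T12:00:00")
    for s in sessions:
        print("session", s)
    for o in orphans:
        print("UNATTRIBUTED EVENT", o)
    for user, minutes in still_open.items():
        print("still open", user, f"{minutes} min")
```

Run against the sample, the review reports alice's completed session with two events, bob's setpoint change as an event with no authenticated session, and carol's session as still open after two hours. An orphan event is the case the slide's "enforces user accountability" point is about: either the LOGIN record is missing (the logging is incomplete) or someone acted under a name that was never authenticated.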

18
Access Controls
  • References
    • Information Security Primer, Electric Power Research Institute,
      April 2001
      http://www.nerc.com/filez/cipfiles.html
    • An Introduction to Computer Security: The NIST Handbook, National
      Institute of Standards and Technology, Special Publication 800-12,
      October 1995
      http://csrc.nist.gov/publications/nistpubs/800-12/
    • NIST Special Publications, NIST documents of general interest to
      the computer security community
      http://csrc.nist.gov/publications/nistpubs/index.html

19
Access Controls
  • References
    • Security Guidelines for the Electricity Sector
      http://www.esisac.com/library.htm
    • An Approach to Action for the Electricity Sector, Version 1, NERC,
      June 2001
      http://www.esisac.com/library.htm
    • THREAT Alert System and Physical Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm
    • THREAT Alert System and Cyber Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm

20
IT Firewalls
  • Do you use network firewalls at your site?
  • Do you use personal firewall software on your laptops and home PCs?
  • Are there any holes in your firewall implementation plan?

21
In The Beginning
22
Today's Networks
23
Firewalls, Anyone?
24
What About Small Companies?
You Still Need To Protect Yourself
25
IT Firewalls
  • A successful firewall program:
    • Is proactive
    • Is ongoing
    • Is layered per the NIST recommendations
    • Is frequently updated to counter new attack methods and tools
    • Is supported by a dedicated staff who manage the firewall rules and
      evaluate logs for suspicious activity

26
Layered Defense (diagram slide; visible labels: DMZ, Back Office)
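The "layered per the NIST recommendations" point and the Layered Defense diagram describe a rulebase in which the Internet reaches only the DMZ and the DMZ reaches only named back-office services. As an added example, not part of the presentation, the Python below models a zone-based, first-match packet filter and audits a rule set for the kind of hole the IT Firewalls slide asks about: an allow rule that lets a less-trusted zone skip a layer, or that opens every port into a more-trusted zone. The zone names, trust ordering, rule tuples and both rule sets are constructed for illustration; TCP 5631 is pcAnywhere's data port, the tool the Remote Access slides mention vendors using straight over the Internet.

```python
# Trust ordering of the zones in the layered design: new connections may
# step only one layer inward at a time, and only to explicitly named
# services.  Return traffic is assumed to be handled statefully and is
# not modelled.
ZONE_TRUST = {"INTERNET": 0, "DMZ": 1, "BACK_OFFICE": 2, "CONTROL": 3}
ANY = "any"

# Rule tuples: (src_zone, dst_zone, proto, dst_port, action); first match
# wins.  Both rule sets are constructed for this example.
WEAK_RULES = [
    ("INTERNET", "DMZ", "tcp", 443, "allow"),
    ("INTERNET", "BACK_OFFICE", "tcp", 5631, "allow"),  # pcAnywhere straight in
    ("INTERNET", "BACK_OFFICE", "tcp", 23, "allow"),    # telnet straight in
    ("DMZ", "BACK_OFFICE", ANY, ANY, "allow"),          # whole DMZ trusted
    (ANY, ANY, ANY, ANY, "deny"),
]
HARDENED_RULES = [
    ("INTERNET", "DMZ", "tcp", 443, "allow"),          # public web front end
    ("DMZ", "BACK_OFFICE", "tcp", 1433, "allow"),      # web tier to database only
    ("BACK_OFFICE", "DMZ", "tcp", 443, "allow"),       # staff browse to the DMZ
    (ANY, ANY, ANY, ANY, "deny"),                      # explicit default deny
]


def _matches(rule_field, value):
    return rule_field == ANY or rule_field == value


def evaluate(rules, src_zone, dst_zone, proto, port):
    """First-match packet filter; anything no rule mentions is denied."""
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (_matches(r_src, src_zone) and _matches(r_dst, dst_zone)
                and _matches(r_proto, proto) and _matches(r_port, port)):
            return action
    return "deny"


def find_holes(rules):
    """Static audit of a rule set against the layering policy.  Returns
    (reason, rule) for every allow rule that
      - uses a wildcard zone,
      - lets traffic jump more than one trust layer inward, or
      - opens every port into a more trusted zone."""
    holes = []
    for rule in rules:
        src, dst, proto, port, action = rule
        if action != "allow":
            continue
        if src == ANY or dst == ANY:
            holes.append(("wildcard zone in allow rule", rule))
            continue
        step = ZONE_TRUST[dst] - ZONE_TRUST[src]
        if step > 1:
            holes.append(("skips a defensive layer", rule))
        elif step > 0 and port == ANY:
            holes.append(("any-port allow into a more trusted zone", rule))
    return holes


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "telnet from Internet to back office:",
              evaluate(rules, "INTERNET", "BACK_OFFICE", "tcp", 23))
        for reason, rule in find_holes(rules):
            print("  hole:", reason, rule)
```

The weak set passes telnet and pcAnywhere from the Internet straight to the back office and trusts the whole DMZ; the audit reports all three rules. The hardened set keeps the Internet in the DMZ and lets the DMZ reach only the database port, so the same telnet request is denied and the audit is clean. Running a check like `find_holes` against the exported rulebase every time a rule is added is a cheap way to keep the "is layered" property true as the rulebase grows.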
27
IT Firewalls
  • References
    • Guidelines on Firewalls and Firewall Policy, National Institute of
      Standards and Technology, Special Publication 800-41, January 2002
      http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
    • NIST Special Publications, NIST documents of general interest to
      the computer security community
      http://csrc.nist.gov/publications/nistpubs/index.html
    • Information Security Primer, Electric Power Research Institute,
      April 2001
      http://www.nerc.com/filez/cipfiles.html

28
IT Firewalls
  • References
    • Security Guidelines for the Electricity Sector
      http://www.esisac.com/library.htm
    • An Approach to Action for the Electricity Sector, Version 1, NERC,
      June 2001
      http://www.esisac.com/library.htm
    • THREAT Alert System and Physical Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm
    • THREAT Alert System and Cyber Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm

29
Intrusion Detection
  • Who here has installed either a Network Intrusion
    Detection System or a Host Intrusion Detection
    System?
  • Do you respond to the alerts, or do you ignore
    them?

30
Intrusion Detection
  • A successful IDS program:
    • Is proactive
    • Is ongoing
    • Is implemented per the NIST recommendations
    • Is frequently updated to counter new attack methods and tools
    • Has automated alerts (pager, voice message, etc.)
    • Is supported by a dedicated staff who manage the IDS sensor filters
      and immediately respond to suspicious activity
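The many-to-one reconnaissance pattern on the "You May Be A Target" slide (the same source addresses probing several ES members) and the automated alerting this slide calls for can be shown with a small detector. The Python below is an added example, not from the presentation or any vendor IDS: it pools constructed firewall-reject records from three hypothetical member organizations, raises a port-scan alert when one source probes many ports on one host, and raises a multi-organization reconnaissance alert when one source touches several members. The record format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions; the per-organization view at the end shows why the second alert only fires when members share logs.

```python
from collections import defaultdict

# Constructed sample records pooled from three hypothetical ES members
# (orgs A, B, C); not taken from the presentation.
# Fields: org,timestamp,src_ip,dst_ip,dst_port,result
SAMPLE_CONNECTIONS = """\
A,2003-04-09T01:00:01,203.0.113.7,10.1.0.5,23,REJECT
A,2003-04-09T01:00:02,203.0.113.7,10.1.0.5,21,REJECT
A,2003-04-09T01:00:03,203.0.113.7,10.1.0.5,80,REJECT
A,2003-04-09T01:00:04,203.0.113.7,10.1.0.5,1433,REJECT
A,2003-04-09T01:00:05,203.0.113.7,10.1.0.5,5631,REJECT
B,2003-04-09T01:10:00,203.0.113.7,10.2.0.9,23,REJECT
B,2003-04-09T01:10:01,203.0.113.7,10.2.0.9,1433,REJECT
C,2003-04-09T01:20:00,203.0.113.7,10.3.0.2,23,REJECT
A,2003-04-09T02:00:00,198.51.100.4,10.1.0.5,443,ACCEPT
B,2003-04-09T02:05:00,198.51.100.4,10.2.0.9,443,ACCEPT
C,2003-04-09T03:00:00,192.0.2.33,10.3.0.2,23,REJECT
"""


def parse_connections(text):
    """Parse the comma-separated records into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        org, ts, src, dst, port, result = line.split(",")
        rows.append({"org": org, "ts": ts, "src": src, "dst": dst,
                     "port": int(port), "result": result})
    return rows


def detect_reconnaissance(rows, min_ports=5, min_orgs=3):
    """Return alerts for two reconnaissance signatures:
      PORT_SCAN        one source probed >= min_ports distinct ports on
                       one host
      MULTI_ORG_RECON  one source produced rejected attempts at >= min_orgs
                       different member organizations (many-to-one pattern)
    Only attempts the firewall rejected are counted, so accepted traffic
    from a legitimate partner does not raise an alert."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct ports probed
    orgs_per_src = defaultdict(set)     # src -> distinct member orgs touched
    for r in rows:
        if r["result"] != "REJECT":
            continue
        ports_per_pair[(r["src"], r["dst"])].add(r["port"])
        orgs_per_src[r["src"]].add(r["org"])
    alerts = []
    for (src, dst), ports in sorted(ports_per_pair.items()):
        if len(ports) >= min_ports:
            alerts.append(("PORT_SCAN", src, dst, len(ports)))
    for src, orgs in sorted(orgs_per_src.items()):
        if len(orgs) >= min_orgs:
            alerts.append(("MULTI_ORG_RECON", src, tuple(sorted(orgs))))
    return alerts


def alerts_seen_by(rows, org):
    """What a single member sees when it analyses only its own logs."""
    return detect_reconnaissance([r for r in rows if r["org"] == org])


if __name__ == "__main__":
    rows = parse_connections(SAMPLE_CONNECTIONS)
    print("pooled logs:", detect_reconnaissance(rows))
    print("org B alone:", alerts_seen_by(rows, "B"))
```

With the pooled logs, 203.0.113.7 is flagged both for scanning five ports on org A's host and for touching all three members; org B on its own sees two rejected connections and no alert at all. The threshold values are the "sensor filters" the slide says someone has to own: too low and the pager fires on every stray probe, too high and a slow scan spread across members never trips it.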

31
IDS Sensor Placement (diagram slide; visible labels: DMZ, Back Office)
32
Intrusion Detection
  • References
    • Intrusion Detection Systems, National Institute of Standards and
      Technology, Special Publication 800-31, November 2001
      http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
    • NIST Special Publications, NIST documents of general interest to
      the computer security community
      http://csrc.nist.gov/publications/nistpubs/index.html
    • Information Security Primer, Electric Power Research Institute,
      April 2001
      http://www.nerc.com/filez/cipfiles.html

33
Intrusion Detection
  • References
    • Security Guidelines for the Electricity Sector
      http://www.esisac.com/library.htm
    • An Approach to Action for the Electricity Sector, Version 1, NERC,
      June 2001
      http://www.esisac.com/library.htm
    • THREAT Alert System and Physical Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm
    • THREAT Alert System and Cyber Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm

34
Background Screening
  • Who here works for a company that requires pre-employment
    background screening?
  • What types of background checks are performed?
  • Are any periodic updates performed?

35
Background Screening
  • Pre-employment background investigations mitigate
    the insider threat by assuring only trustworthy
    and reliable personnel have unescorted access to
    critical facilities.

36
Background Screening
  • Effective pre-employment screening may prevent or deter:
    • Negligent hiring.
    • Theft.
    • Drug use.
  • Especially important at critical job locations.

37
Background Screening
  • A critical facility may be defined as any facility, or combination
    of facilities, that, if severely damaged or destroyed, would have a
    significant impact on the ability to serve large quantities of
    customers for an extended period of time, would have a detrimental
    impact on the reliability or operability of the energy grid, or
    would cause significant risk to public health and safety.

38
Background Screening
  • What are your company's critical cyber facilities? Examples:
    • Bulk power operations center
    • Transmission / dispatch center
    • Market operations center
    • Telecommunications facilities

39
Background Screening
  • What might you check?
    • Verification of social security number.
    • Local-level criminal history check.
    • Residence / employment checks.
    • Motor vehicle check or driver's license history.
    • Drug screening.
    • Verification of highest level of education or professional
      certifications.

40
Background Screening
  • Consider several levels of background checks:
    • Full employment background checks (checks everything previously
      listed; normally for full-time employees).
    • Limited employment background checks (typically criminal history
      and social security number checks; appropriate for part-time
      employees and summer interns).

41
Background Screening
  • Don't forget your vendors and contractors.
    • Checks may be less extensive than full and limited background
      checks.
    • You can require the vendor / contractor company to perform the
      checks and certify the results.
  • Make sure you understand and follow ALL applicable Federal, State,
    and local laws regarding employee screening.

42
Background Screening
  • References
    • Security Guidelines for the Electricity Sector
      http://www.esisac.com/library.htm
    • Fair Credit Reporting Act, as amended September 30, 1997
    • An Approach to Action for the Electricity Sector, Version 1, NERC,
      June 2001
      http://www.esisac.com/library.htm
    • THREAT Alert System and Physical Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm
    • THREAT Alert System and Cyber Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm

43
Sensitive Information
  • What types of information could a threat actor
    use to attack your cyber systems?
  • How do you protect such sensitive information?

44
Sensitive Information
  • You need to have an information security or
    confidentiality policy in place.
  • The policy should address the production,
    storage, transmission, and disposal of both
    physical and electronic information.
  • The policy should define the hierarchical
    confidentiality classification framework.

45
Sensitive Information
  • Some questions to consider:
    • Has the information been cleared and authorized for appropriate
      release?
    • Does the information contain details about critical computing
      systems or vulnerabilities?
    • What impact could the information have if it inadvertently reached
      an unintended audience?

46
Sensitive Information
  • Some questions to consider:
    • Does the information provide details concerning cyber security
      measures?
    • Does the information contain personnel information?
    • How could someone intent on causing harm use the information to
      his or her advantage?
    • Could this information be dangerous if it were used in conjunction
      with other publicly available information?

47
Sensitive Information
  • Some questions to consider:
    • What instructions should be given to legitimate users and
      recipients of sensitive information with regard to disseminating
      the information to other parties?
    • Could someone use the information to target personnel, facilities,
      or operations?
    • Does the information increase the attractiveness of a critical
      infrastructure asset as a target?

48
Sensitive Information
  • Who should receive your data?
    • A government agency that requests the data and is specifically
      entitled to it pursuant to its regulatory or statutory authority.
      Although compelled to provide the information, companies should
      ask that the agency provide assurances that the information will
      be kept confidential.

49
Sensitive Information
  • Who should receive your data?
    • A government agency that requests the data without specific
      regulatory authority but can provide a legitimate public safety
      basis for its request, as well as assurances that appropriate
      safeguards will be in place to ensure that the information is
      protected.

50
Sensitive Information
  • Who should receive your data?
    • Third parties, such as energy companies, consultants working for
      such companies, developers, or others who can demonstrate a
      legitimate business need for the information, provided that they
      sign a nondisclosure agreement or other statement agreeing not to
      distribute the information outside their company or use it for
      any other purpose.

51
Sensitive Information
  • Responding to disclosures
    • Companies should have policies and procedures in place to promptly
      respond to disclosures of sensitive information.
    • Inform and involve senior management, market participants,
      regulators, law enforcement, the public, and the media as
      appropriate.

52
Sensitive Information
  • Examples of what should be protected:
    • Details of critical computer systems and networks.
    • Electronic copies of network topology maps.
    • Electronic copies of documents such as vulnerability or risk
      assessments, operating procedures, critical facility operating
      limits, security plans, and emergency plans.
    • Real-time operations data.
    • Key supplier or customer information.
    • Personnel information.

53
Sensitive Information
  • References
    • Security Guidelines for the Electricity Sector
      http://www.esisac.com/library.htm
    • An Approach to Action for the Electricity Sector, Version 1, NERC,
      June 2001
      http://www.esisac.com/library.htm
    • THREAT Alert System and Physical Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm
    • THREAT Alert System and Cyber Response Guidelines for the
      Electricity Sector, Version 2.0, October 08, 2002
      http://www.esisac.com/library.htm

54
Remote Access
  • Do you permit remote access to Electronic Control
    and Protection Systems (ECPS)?
  • Do you secure remote access to ECPS?
  • Are you fully aware of all remote access to ECPS?

55
Remote Access
  • ECPS control the systems that generate, transmit, and distribute
    electricity.
  • Unauthorized remote access to an ECPS can result in:
    • interruption of electric service.
    • damage to the elements of the electric grid.
    • danger to life and property.

56
Remote Access
  • ECPS vendors and other support personnel increasingly use remote
    access tools such as pcAnywhere™, telnet, and FTP for support
    purposes, directly over the Internet to the internal control
    networks.
  • It is critical to preserve the security of remote access to the
    ECPS.

57
Remote Access
  • Recommendations
    • Establish policies and procedures governing the use and
      installation of remote access for ECPS. Review periodically and
      update as required.
    • Remote access should only be enabled when required, approved, and
      authenticated.
    • Multi-factor (two or more) authentication should be used.

58
Remote Access
  • Recommendations
    • Automatically lock accounts or access paths after a preset number
      of consecutive invalid password attempts.
    • Consider automatically unlocking the account or access path after
      a pre-determined period of time, or by other methods, to ensure
      safe and reliable system operations.
    • Encryption should be used when traversing unsecured networks to
      gain remote access.

59
Remote Access
  • Recommendations
    • Approved remote access authorization lists should be established.
    • Change or delete any default passwords or user IDs.
    • Consider using meaningful but non-descriptive IDs.
    • All remote access enabling hardware and software should be
      approved and installed in accordance with policy.

60
Remote Access
  • Recommendations
    • Remote access connections should be logged and reviewed.
    • Consider the risk to the process when allowing remote access and
      when specifying hardware and software.
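The recommendations on the four Remote Access slides above (authenticate before access, two or more factors, an approved authorization list, lockout after a preset number of invalid attempts, timed auto-unlock so operations are not denied access, and a log of every connection) fit together into one login gate. The Python below is an added example, not the presentation's or NERC's code: it implements RFC 4226 HOTP / RFC 6238 TOTP as the "something you have" factor beside a salted PBKDF2 password check, keeps a per-user consecutive-failure counter with a timed unlock, and records every attempt. User names, the password, the token secret (the RFC 4226 test-vector key), the thresholds and the FakeClock scenario are all constructed for the demonstration.

```python
import hashlib, hmac, secrets, struct, time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, int(now) // step, digits)


def make_credential(password, totp_secret):
    """Stored credential: salted PBKDF2 hash of the password (something you
    know) plus the token secret (something you have); the password itself
    is never stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "totp_secret": totp_secret,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


class RemoteAccessGate:
    """Two-factor login with lockout after max_failures consecutive bad
    attempts and automatic unlock after lockout_seconds."""

    def __init__(self, credentials, authorized, max_failures=3,
                 lockout_seconds=900, clock=time.time):
        self.credentials = credentials     # user -> make_credential(...)
        self.authorized = set(authorized)  # the approved remote access list
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}                 # user -> consecutive bad attempts
        self.locked_until = {}             # user -> epoch time the lock expires
        self.audit = []                    # (time, user, outcome) for every attempt

    def _record(self, user, outcome):
        self.audit.append((self.clock(), user, outcome))
        return outcome

    def login(self, user, password, code):
        now = self.clock()
        if user not in self.authorized or user not in self.credentials:
            return self._record(user, "not-authorized")
        if user in self.locked_until:
            if now < self.locked_until[user]:
                return self._record(user, "locked")
            # Lock expired: unlock automatically.  A permanent lock would let
            # anyone who can reach the login prompt deny operators access to
            # the control system; a timed lock instead bounds guessing to
            # max_failures attempts per lockout_seconds.
            del self.locked_until[user]
            self.failures[user] = 0
        cred = self.credentials[user]
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], 100_000),
            cred["pw_hash"])
        # Accept the current and the previous 30 s window (token clock drift).
        code_ok = any(hmac.compare_digest(code, totp(cred["totp_secret"], now - d))
                      for d in (0, 30))
        if pw_ok and code_ok:
            self.failures[user] = 0
            return self._record(user, "granted")
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return self._record(user, "locked")
        return self._record(user, "denied")


class FakeClock:
    """Controllable clock so the scenario in demo() is deterministic."""
    def __init__(self, start): self.now = start
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


def demo():
    """Constructed scenario; returns the outcome of each attempt in order."""
    clock = FakeClock(1_050_000_000)
    secret = b"12345678901234567890"          # RFC 4226 test-vector key
    creds = {"alice": make_credential("correct horse", secret)}
    gate = RemoteAccessGate(creds, authorized=["alice"], clock=clock)
    good_code = lambda: totp(secret, clock())
    results = [
        gate.login("alice", "wrong", good_code()),
        gate.login("alice", "wrong", good_code()),
        gate.login("alice", "wrong", good_code()),          # third failure: locked
        gate.login("alice", "correct horse", good_code()),  # right, but still locked
    ]
    clock.advance(901)                                      # lock has expired
    results.append(gate.login("alice", "correct horse", good_code()))
    results.append(gate.login("mallory", "correct horse", good_code()))  # not on list
    results.append(gate.login("alice", "correct horse", "000000"))       # bad token
    return results
```

The scenario returns `denied, denied, locked, locked, granted, not-authorized, denied`: three bad passwords lock alice, a correct login during the lockout is still refused, the lock clears by itself after 15 minutes, a user who is not on the authorization list is refused before any secret is checked, and a good password with a bad token code is refused. Everything lands in `gate.audit`, which is the record the "logged and reviewed" recommendation asks for.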

61
Remote Access
  • Policy considerations for remote access modems
    • Change default settings as appropriate.
    • Set dial-out modems not to auto-answer.
    • Increase the ring count before answer.
    • Use an inactivity timeout if available.
    • Change passwords periodically.
    • Use callback whenever possible.
    • Require authentication before connection.
    • Make maximum use of available security features.

62
Remote Access
  • Reference Internet sites
    • Electricity Sector Information Sharing and Analysis Center
      http://www.esisac.com
    • The SANS Institute (SysAdmin, Audit, Network, Security)
      http://www.sans.org
    • The Open Web Application Security Project (OWASP)
      http://www.owasp.org

63
Remote Access
  • Reference Internet sites
    • The National Security Agency
      http://www.nsa.gov/snac/index.html
    • The Center for Internet Security (CIS)
      http://www.cisecurity.org
    • The National Infrastructure Protection Center
      http://www.nipc.gov/publications/publications.htm

64
Remote Access
  • Reference Internet sites
    • National Institute of Standards and Technology
      http://csrc.nist.gov/publications/nistpubs/index.html
    • U.S. government's CIO Council
      http://bsp.cio.gov/
    • The CERT Coordination Center (Computer Emergency Response Team)
      http://www.cert.org/

65
Homeland Security Advisory System
66
Homeland Security Advisory System
  • Threat assessment factors
    • Is the threat credible?
    • Is the threat corroborated?
    • Is the threat specific and/or imminent?
    • How grave is the threat?
  • Threat advisories may apply
    • regionally.
    • by sector.
    • to a potential target.
  • Specific target information will be conveyed by law enforcement
    agencies.

67
Threat Guidelines
  • CIPAG (the NERC Critical Infrastructure Protection Advisory Group)
    has developed physical and cyber threat response guidelines that
    correspond to the HSAS (Homeland Security Advisory System) levels.
  • Both the physical and cyber guidelines are recommendations to be
    considered.
  • Each organization needs to do a risk analysis and develop an
    appropriate response to each threat level.

68
Threat Guidelines
  • Response actions are cumulative as threats increase in severity.
  • Actions are intended to:
    • Reduce vulnerability.
    • Deter or prevent incidents.
    • Improve recovery.

69
Physical Threat Alert Levels
  • Prepared by the NERC CIP Advisory Group.
  • Contains guidelines for responding to Physical
    Threat Alert Levels

70
Physical Threat Alert Levels
  • ES-Physical-Green (Low)
  • Applies when no known threat exists of terrorist
    activity or only a general concern exists about
    criminal activity, such as vandalism, which
    warrants only routine security procedures. Any
    security measures applied should be maintainable
    indefinitely and without adverse impact to
    facility operations. This level is equivalent to
    normal daily conditions.

71
Physical Threat Alert Levels
  • ES-Physical-Blue (Guarded)
  • Applies when a general threat exists of terrorist
    or increased criminal activity with no specific
    threat directed against the electricity industry.
    Additional security measures are recommended,
    and they should be maintainable for an indefinite
    period of time with minimum impact on normal
    facility operations.

72
Physical Threat Alert Levels
  • ES-Physical-Yellow (Elevated)
  • Applies when a general threat exists of terrorist
    or criminal activity directed against the
    electricity industry. Implementation of
    additional security measures is expected. Such
    measures are anticipated to last for an
    indefinite period of time.

73
Example Physical-Yellow
  • Physical Threat Alert Level-Yellow
  • 6. Implement measures 1-5, if they have not
    already been implemented.
  • 7. Ensure all gates, security doors, and
    security monitors are in working order and
    visitor, contractor, and employee access controls
    are enforced.
  • 8. Notify critical and on-call personnel.
  • 9. Establish/assure communications with law
    enforcement agencies.
  • -etc.-

74
Physical Threat Alert Levels
  • ES-Physical-Orange (High)
  • Applies when a credible threat exists of
    terrorist or criminal activity directed against
    the electricity industry. Additional security
    measures have been implemented. Such measures
    may be anticipated to last for a defined period
    of time.

75
Example Physical-Orange
  • Physical Threat Alert Level-Orange
  • 11. Implement measures 1-10, if they have not
    already been implemented.
  • 12. Review need to revise plans in measure 3,
    based on current intelligence, and include
    additional instructions as appropriate to the
    Security/Threat Plans.
  • 13. Place all critical and on-call personnel on
    alert, consider holding tabletop exercises.
  • 14. Enforce safe zones around facilities per
    Security Plan.
  • -etc.-

76
Physical Threat Alert Levels
  • ES-Physical-Red (Severe)
  • Applies when an incident occurs (even if outside
    of the Electricity Sector) or credible
    intelligence information is received indicating a
    terrorist or criminal act against the electricity
    industry is imminent or has occurred. Maximum
    security measures are necessary. Implementation
    of such measures could cause hardship on
    personnel and seriously impact facility business
    and security activities.

77
Example Physical-Red
  • Physical Threat Alert Level-Red
  • 25. Implement measures 1-24, if they have not
    already been implemented.
  • 26. Send non-essential personnel home, per
    business/site specific procedures.
  • 27. Stop all non-alert related tours and
    visitors.
  • 28. Consider having medical emergency personnel
    on-site, if possible.
  • 29. Continuously monitor or otherwise secure all
    entrances and critical service facilities, such
    as substations. This step may include the use of
    armed security personnel.
  • -etc.-

78
Cyber Threat Alert Levels
  • Prepared by the NERC CIP Advisory Group.
  • Contains guidelines for responding to Cyber
    Threat Alert Levels

79
Cyber Threat Alert Levels
  • ES-Cyber-Green (Low)
  • Applies when there is no known threat of cyber
    attack or only a general concern about hacker
    activity that warrants only routine security
    procedures. Any cyber security measures applied
    should be maintainable indefinitely and without
    adverse impact to business or expenses. This may
    be equivalent to normal daily conditions.

80
Cyber Threat Alert Levels
  • ES-Cyber-Blue (Guarded)
  • Applies when there is a general threat of
    increased cyber (hacker intrusions, viruses,
    etc.) activity with no specific threat directed
    toward the electricity industry. Additional
    cyber security measures may be necessary, and if
    initiated they should be maintainable for an
    indefinite period of time with minimum impact on
    normal business or expenses.

81
Cyber Threat Alert Levels
  • ES-Cyber-Yellow (Elevated)
  • Applies when a general threat of disruptive cyber activity exists
    that is directed against the electricity industry. Implementation
    of additional cyber security measures is expected. Such measures
    are anticipated to last for an indefinite period of time.

82
Example Cyber-Yellow
  • Cyber Threat Alert Level-Yellow
  • 7. Implement measures 1-6, if they have not
    already been implemented.
  • 8. Increase level of auditing, review, and
    critical file back-up procedures.
  • 9. Conduct internal security review on all
    critical systems.
  • 10. Increase review of intrusion detection and
    firewall logs.
  • 11. More frequent checks of cyber security
    communications for software vulnerability.
  • -etc.-

83
Cyber Threat Alert Levels
  • ES-Cyber-Orange (High)
  • Applies when a credible threat exists of
    disruptive cyber activity directed against the
    electricity industry. Additional cyber security
    measures have been implemented. Business
    entities need to be aware that corporate
    resources will be required above and beyond those
    required for normal business or expenses.

84
Example Cyber-Orange
  • Cyber Threat Alert Level-Orange
  • 14. Implement measures 1-13, if they have not
    already been implemented.
  • 15. Conduct immediate internal security review on
    all critical systems.
  • 16. Determine staffing availability for backup
    operations and provide notice.
  • 17. Consider increasing physical access
    restrictions to computer rooms, communications
    closets, and critical operations areas.
  • -etc.-

85
Cyber Threat Alert Levels
  • ES-Cyber-Red (Severe)
  • Applies when an incident occurs (even if outside of the Electricity
    Sector) or credible intelligence information is received indicating
    that a disruptive cyber attack against the electricity industry is
    imminent or has occurred. Maximum cyber security measures are
    necessary. Implementation of such measures could cause hardship on
    personnel and seriously impact facility business and security
    activities.

86
Example Cyber-Red
  • Cyber Threat Alert Level-Red
  • 23. Implement measures 1-22, if they have not already been
    implemented.
  • 24. Consider 24/7 emergency tech support staffing.
  • 25. Consider continuous 24/7 monitoring of intrusion detection and
    firewall logs.
  • 26. Consider continuous 24/7 monitoring of cyber security
    communications for the latest vulnerability information. Contact
    software vendors for the status of software patches and updates.
  • -etc.-

87
Implementation Considerations
  • Integrate NERC threat levels into all security and emergency
    response plans.
  • Notify local law enforcement (County Sheriff, Police Department) of
    threat level changes.
  • Company security awareness briefings should address the NERC Threat
    Response procedures and employee responsibilities:
    • Vigilance.
    • Observe and report.

88
Recommendations
  • Subscribe to the Critical Infrastructure Open Source Daily Report
    through NERC.
  • Register to be a participant in the ES-ISAC's Critical
    Infrastructure Protection Information System (CIPIS).
  • Establish regular communication with local law enforcement
    agencies, the local FBI office, and the US Secret Service
    Electronic Crimes Task Force, as appropriate.

89
Questions?
90
Contact SPP
Kevin B. Perry, kperry@spp.org
www.spp.org