Title: Security Guidelines Workshop Cyber Security Breakout Session April 10, 2003 Washington, DC
1. Security Guidelines Workshop: Cyber Security Breakout Session, April 10, 2003, Washington, DC
- Kevin B. Perry
- Director, Information Technology
- Southwest Power Pool
2. A Statement of Fact
- Thousands of attempts are made daily to intrude into computer systems
- Key government and industry networks
- Defense facilities
- Power grids
- Banks
- Government agencies
- Telephone systems
- Transportation systems
3. Some Statistics
- In the second half of 2002, average attacks per company:
- Power and Energy Sector: 987
- Non-profit companies: 869
- Telecommunications companies: 845
- High tech companies: 753
- Banking and finance: 689
- 70 percent of attacks against the Power and Energy Sector rated as severe.
- Source: Symantec, February 2003
4. You May Be A Target
- Recent data mining of multiple ES corporations' cyber logs shows a recurring many-to-one pattern of distributed reconnaissance (scans / attempted connection signatures) against specific ES members (i.e., A, B, C) emanating from the same IP addresses (i.e., 1, 2, 3)
- People's Republic of China
- Hong Kong
- South Korea
- Source: Critical Infrastructure Assurance Program, April 2002
5. You May Be A Target
- Are smaller companies a target for hackers? Yes! You could be
- Intermediate path to access a connected network.
- Vector for attacking a dependent critical sector.
- Platform used to initiate a cyber attack.
- Why? Because you may be convenient and possibly less protected.
6. How Did Your Company Do?
- Did you experience problems due to
- SQL/Slammer
- Nimda
- Code Red
- I Love You
- If you did, what have you done to fix the problem?
- The NERC Security Guidelines can help.
7. Today's Discussion Topics
- Security Guidelines
- Risk Management
- Access Controls
- IT Firewalls
- Intrusion Detection
- Employment Background Screening
- Protecting Potentially Sensitive Information
- Remote Access
8. Risk Management
- Who here has performed a cyber risk management assessment?
- What are the characteristics of a cyber risk management program?
9. Risk Management
- Characteristics of a risk management program
- Proactive
- Ongoing
- Identifies and assesses risk
- Weighs business tradeoffs
- Acceptable levels of risk
- Changing technologies and solutions
10. Risk Management
- Risk management programs should address (these are the nine steps of the NIST SP 800-30 risk assessment methodology cited below)
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
11. Risk Management
- References
- Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, Special Publication 800-30, January 2002
- http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
- Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology, Special Publication 800-26, November 2001
- http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
- NIST Special Publications, NIST documents of general interest to the computer security community
- http://csrc.nist.gov/publications/nistpubs/index.html
12. Risk Management
- References
- Information Security Primer, Electric Power Research Institute, April 2001
- http://www.nerc.com/filez/cipfiles.html
- Security Guidelines for the Electricity Sector
- http://www.esisac.com/library.htm
13. Access Controls
- What are access controls used for?
- Authorization, Authentication, and Monitoring
- What access controls do you use in your company?
- Can you get around your company's access controls?
14. Access Controls
- Authorization
- Signed user agreement to abide by all policies
- User role description and access justification
- Specific systems to be accessed
- Access constraints or limitations
- Owner of system or restricted access area
- Signed approval by owner
- Authorization termination / renewal date
15. Access Controls
- Authentication
- Authenticate before granting access
- Authentication factors
- Something you know
- Something you have
- Something you are
- Location information
- Use multiple factors in combination
- Something you know and something you have
16. Access Controls
- Authentication techniques
- Basic lock and key
- Simple passwords
- Electronic badges / smart card
- Cryptography (handheld, digital keys, etc.)
- Biometrics
17. Access Controls
- Monitoring
- Need a good audit trail
- Date / time access was authenticated
- User that was authenticated
- User initiated events
- Date / time of events
- Date / time access was terminated
- Audit trail enforces user accountability
- Audit trail helps establish trust in user
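The "something you know plus something you have" combination from slides 15-16, with the audit-trail fields slide 17 asks for, as an added example that is not part of the workshop material: a salted password hash check combined with a time-based one-time code of the kind a handheld cryptographic token produces (RFC 6238 TOTP, the open-standard form of such tokens). The user record, the salt, the token secret (the RFC 4226/6238 test-vector secret) and the in-memory audit list are constructed for illustration; a production system would use a per-user random salt and an append-only audit store.

```python
"""Two-factor authentication with an audit record per attempt.

Added example, not from the NERC/ES-ISAC guidelines. The user store, salt,
token secret and in-memory audit list are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional

SALT = b"constructed-salt"                 # per-user random salt in practice
TOKEN_SECRET = b"12345678901234567890"     # RFC 4226 / RFC 6238 test-vector secret
PBKDF2_ROUNDS = 100_000

# Constructed user record: PBKDF2 hash of the password ("something you know")
# and the shared secret of the user's token ("something you have").
USERS: Dict[str, dict] = {
    "operator1": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, PBKDF2_ROUNDS),
        "token_secret": TOKEN_SECRET,
    }
}

AUDIT_LOG: List[dict] = []  # stand-in for an append-only audit trail


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, now // step)


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the hashing cost so
    response time does not reveal whether the account exists."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(candidate, rec["pw_hash"])


def verify_token(user: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current 30-second step or +/- skew_steps,
    to tolerate clock drift between the token and the server."""
    rec = USERS.get(user)
    if rec is None:
        return False
    base = now // 30
    return any(
        hmac.compare_digest(hotp(rec["token_secret"], max(base + d, 0)), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def authenticate(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Grant access only if both factors verify. Every attempt, pass or fail,
    leaves an audit record with the fields slide 17 lists: time, user, event."""
    now = int(time.time()) if now is None else now
    pw_ok = verify_password(user, password)
    tok_ok = verify_token(user, code, now)
    ok = pw_ok and tok_ok
    AUDIT_LOG.append({
        "time": datetime.fromtimestamp(now, timezone.utc).isoformat(),
        "user": user,
        "event": "auth_success" if ok else "auth_failure",
        "password_ok": pw_ok,
        "token_ok": tok_ok,
    })
    return ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: step 1, code 287082 for the test secret
    print(totp(TOKEN_SECRET, t))
    print(authenticate("operator1", "correct horse", totp(TOKEN_SECRET, t), now=t))
    print(authenticate("operator1", "correct horse", "000000", now=t))
    print(AUDIT_LOG)
```

Both factors are always evaluated before the decision so that a failed password and a failed token take the same time, and the audit record captures which factor failed; that is what lets an analyst tell a mistyped password from a stolen one being tried with a guessed code.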
18. Access Controls
- References
- Information Security Primer, Electric Power Research Institute, April 2001
- http://www.nerc.com/filez/cipfiles.html
- An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, Special Publication 800-12, October 1995
- http://csrc.nist.gov/publications/nistpubs/800-12
- NIST Special Publications, NIST documents of general interest to the computer security community
- http://csrc.nist.gov/publications/nistpubs/index.html
19. Access Controls
- References
- Security Guidelines for the Electricity Sector
- http://www.esisac.com/library.htm
- An Approach to Action for the Electricity Sector, Version 1, NERC, June 2001
- http://www.esisac.com/library.htm
- THREAT Alert System and Physical Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
- THREAT Alert System and Cyber Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
20. IT Firewalls
- Do you use network firewalls at your site?
- Do you use personal firewall software on your laptops and home PCs?
- Are there any holes in your firewall implementation plan?
21. In The Beginning
22. Today's Networks
23. Firewalls, Anyone?
24. What About Small Companies? You Still Need To Protect Yourself
25. IT Firewalls
- A successful firewall program
- Is proactive
- Is ongoing
- Is layered per the NIST recommendations
- Is frequently updated to counter new attack methods and tools
- Is supported by a dedicated staff who manage the firewall rules and evaluate logs for suspicious activity
26. Layered Defense (figure; labels: Back Office, DMZ)
27. IT Firewalls
- References
- Guidelines on Firewalls and Firewall Policy, National Institute of Standards and Technology, Special Publication 800-41, January 2002
- http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
- NIST Special Publications, NIST documents of general interest to the computer security community
- http://csrc.nist.gov/publications/nistpubs/index.html
- Information Security Primer, Electric Power Research Institute, April 2001
- http://www.nerc.com/filez/cipfiles.html
28. IT Firewalls
- References
- Security Guidelines for the Electricity Sector
- http://www.esisac.com/library.htm
- An Approach to Action for the Electricity Sector, Version 1, NERC, June 2001
- http://www.esisac.com/library.htm
- THREAT Alert System and Physical Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
- THREAT Alert System and Cyber Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
29. Intrusion Detection
- Who here has installed either a Network Intrusion Detection System or a Host Intrusion Detection System?
- Do you respond to the alerts, or do you ignore them?
30. Intrusion Detection
- A successful IDS program
- Is proactive
- Is ongoing
- Is implemented per the NIST recommendations
- Is frequently updated to counter new attack methods and tools
- Has automated alerts (pager, voice message, etc.)
- Is supported by a dedicated staff who manage the IDS sensor filters and immediately respond to suspicious activity
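What the "evaluate logs for suspicious activity" duty on slides 25 and 30 looks like in practice, and the reconnaissance pattern slide 4 describes (scan / attempted-connection signatures), as an added example that is not code from the workshop or from NERC: a small detector that reads firewall deny records and raises one alert per source when it sees a vertical port scan (one host, many ports) or a horizontal sweep (one service, many hosts) inside a sliding time window. The log lines are constructed here in an iptables LOG-style format, and the window and thresholds are assumptions that a site would tune against its own traffic.

```python
"""Reconnaissance (scan) detection over firewall deny logs.

Added example, not code from the slides or NERC. The log lines below are
constructed in an iptables LOG-style format; thresholds and window are
assumptions to be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: IPT-DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one source walking services on a single host, one source
# probing UDP/1434 (the SQL Slammer port) across a subnet, plus benign noise.
SAMPLE_LOG = """\
Apr 10 02:13:01 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=21
Apr 10 02:13:01 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=22
Apr 10 02:13:02 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=23
Apr 10 02:13:02 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=25
Apr 10 02:13:03 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=80
Apr 10 02:13:03 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=445
Apr 10 02:14:10 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=UDP SPT=1434 DPT=1434
Apr 10 02:14:10 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=UDP SPT=1434 DPT=1434
Apr 10 02:14:11 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.13 PROTO=UDP SPT=1434 DPT=1434
Apr 10 02:14:11 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.14 PROTO=UDP SPT=1434 DPT=1434
Apr 10 02:20:00 fw1 kernel: IPT-DROP IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Apr 10 02:20:01 fw1 sshd[812]: Accepted publickey for operator1 from 192.0.2.60 port 50122
"""

Event = Tuple[datetime, str, str, str, int]  # (time, src, dst, proto, dport)


def parse(lines, year: int = 2003) -> List[Event]:
    """Pull the fields we need out of drop records; skip everything else."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall drop record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return sorted(events)


def detect_scans(events: List[Event], window: int = 60,
                 port_threshold: int = 5, host_threshold: int = 4) -> List[dict]:
    """Flag two reconnaissance signatures within a sliding time window:
    port-scan: one source, one host, >= port_threshold distinct ports;
    host-sweep: one source, one service, >= host_threshold distinct hosts."""
    history: Dict[tuple, List[Tuple[datetime, object]]] = defaultdict(list)
    flagged = set()
    alerts = []
    for ts, src, dst, proto, dpt in events:
        checks = (
            ("port-scan", (src, dst), dpt, port_threshold),
            ("host-sweep", (src, proto, dpt), dst, host_threshold),
        )
        for kind, key, value, threshold in checks:
            bucket = history[(kind, key)]
            bucket.append((ts, value))
            while (ts - bucket[0][0]).total_seconds() > window:
                bucket.pop(0)  # age out records older than the window
            distinct = {v for _, v in bucket}
            if len(distinct) >= threshold and (kind, key) not in flagged:
                flagged.add((kind, key))  # one alert per pattern, not per packet
                alerts.append({
                    "kind": kind,
                    "src": src,
                    "target": dst if kind == "port-scan" else f"{proto}/{dpt}",
                    "distinct": len(distinct),
                    "first_seen": bucket[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                })
    return alerts


def run_sample() -> List[dict]:
    return detect_scans(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single dropped packet from 192.0.2.50 never reaches a threshold and is not reported, which is the point: a staff that pages on every deny line stops reading the pager, while a detector that aggregates per source and per window produces the handful of alerts slide 30 says someone must respond to immediately.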
31. IDS Sensor Placement (figure; labels: Back Office, DMZ)
32. Intrusion Detection
- References
- Intrusion Detection Systems, National Institute of Standards and Technology, Special Publication 800-31, November 2001
- http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
- NIST Special Publications, NIST documents of general interest to the computer security community
- http://csrc.nist.gov/publications/nistpubs/index.html
- Information Security Primer, Electric Power Research Institute, April 2001
- http://www.nerc.com/filez/cipfiles.html
33. Intrusion Detection
- References
- Security Guidelines for the Electricity Sector
- http://www.esisac.com/library.htm
- An Approach to Action for the Electricity Sector, Version 1, NERC, June 2001
- http://www.esisac.com/library.htm
- THREAT Alert System and Physical Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
- THREAT Alert System and Cyber Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
34. Background Screening
- Who here works for a company that requires Pre-Employment Background Screening?
- What types of background checks are performed?
- Any periodic updates performed?
35. Background Screening
- Pre-employment background investigations mitigate the insider threat by assuring only trustworthy and reliable personnel have unescorted access to critical facilities.
36. Background Screening
- Effective pre-employment screening may prevent or deter
- Negligent hiring.
- Theft.
- Drug use.
- Especially important at critical job locations.
37. Background Screening
- A critical facility may be defined as any facility or combination of facilities that, if severely damaged or destroyed, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the energy grid, or would cause significant risk to public health and safety.
38. Background Screening
- What are your company's critical cyber facilities?
- Examples
- Bulk power operations center
- Transmission / Dispatch center
- Market operations center
- Telecommunications facilities
39. Background Screening
- What might you check?
- Verification of social security number.
- Local-level criminal history check.
- Residence / employment checks.
- Motor vehicle check or driver's license history.
- Drug screening.
- Verification of highest level of education or professional certifications.
40. Background Screening
- Consider several levels of background checks.
- Full employment background checks (checks everything previously listed; normally for full-time employees).
- Limited employment background checks (typically criminal history and social security number checks; appropriate for part-time employees and summer interns).
41. Background Screening
- Don't forget your vendors and contractors.
- May be less extensive than full and limited background checks.
- Can require vendor / contractor company to perform checks and certify results.
- Make sure you understand and follow ALL applicable Federal, State, and local laws regarding employee screening.
42. Background Screening
- References
- Security Guidelines for the Electricity Sector
- http://www.esisac.com/library.htm
- Fair Credit Reporting Act as amended September 30, 1997
- An Approach to Action for the Electricity Sector, Version 1, NERC, June 2001
- http://www.esisac.com/library.htm
- THREAT Alert System and Physical Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
- THREAT Alert System and Cyber Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
43. Sensitive Information
- What types of information could a threat actor use to attack your cyber systems?
- How do you protect such sensitive information?
44. Sensitive Information
- You need to have an information security or confidentiality policy in place.
- The policy should address the production, storage, transmission, and disposal of both physical and electronic information.
- The policy should define the hierarchical confidentiality classification framework.
45. Sensitive Information
- Some questions to consider
- Has the information been cleared and authorized for appropriate release?
- Does the information contain details about critical computing systems or vulnerabilities?
- What impact could the information have if it inadvertently reached an unintended audience?
46. Sensitive Information
- Some questions to consider
- Does the information provide details concerning cyber security measures?
- Does the information contain personnel information?
- How could someone intent on causing harm use the information to his or her advantage?
- Could this information be dangerous if it were used in conjunction with other publicly available information?
47. Sensitive Information
- Some questions to consider
- What instructions should be given to legitimate users and recipients of sensitive information with regard to disseminating the information to other parties?
- Could someone use the information to target personnel, facilities, or operations?
- Does the information increase the attractiveness of a critical infrastructure asset as a target?
48. Sensitive Information
- Who should receive your data?
- A government agency that requests the data and is specifically entitled to it pursuant to its regulatory or statutory authority. Although compelled to provide the information, companies should ask that the agency provide assurances that the information will be kept confidential.
49. Sensitive Information
- Who should receive your data?
- A government agency that requests the data without having specific regulatory authority but can provide a legitimate public safety basis for its request as well as assurances that appropriate safeguards can be provided for ensuring that the information is protected.
50. Sensitive Information
- Who should receive your data?
- Third parties, such as energy companies, consultants working for such companies, developers, or others who can demonstrate a legitimate business need to have the information, provided that they sign a nondisclosure agreement or other statement agreeing not to distribute the information outside their company or use it for any other purpose.
51. Sensitive Information
- Responding to disclosures
- Companies should have policies and procedures in place to promptly respond to disclosures of sensitive information.
- Should inform and involve senior management, market participants, regulators, law enforcement, public, and media as appropriate.
52. Sensitive Information
- Examples of what should be protected
- Details of critical computer systems and networks.
- Electronic copies of network topology maps.
- Electronic copies of documents, such as vulnerability or risk assessments, operating procedures, critical facility operating limits, security plans, and emergency plans.
- Real-time operations data.
- Key supplier or customer information.
- Personnel information.
53. Sensitive Information
- References
- Security Guidelines for the Electricity Sector
- http://www.esisac.com/library.htm
- An Approach to Action for the Electricity Sector, Version 1, NERC, June 2001
- http://www.esisac.com/library.htm
- THREAT Alert System and Physical Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
- THREAT Alert System and Cyber Response Guidelines for the Electricity Sector, Version 2.0, October 08, 2002
- http://www.esisac.com/library.htm
54. Remote Access
- Do you permit remote access to Electronic Control and Protection Systems (ECPS)?
- Do you secure remote access to ECPS?
- Are you fully aware of all remote access to ECPS?
55. Remote Access
- ECPS control the systems that generate, transmit, and distribute electricity.
- Unauthorized Remote Access to an ECPS can result in
- interruption of electric service.
- damage to the elements of the electric grid.
- danger to life and property.
56. Remote Access
- ECPS vendors and other support personnel increasingly use Remote Access tools such as pcAnywhere(TM), telnet, and FTP for support purposes directly over the Internet to the internal controls networks. (Telnet and FTP carry credentials and session data in the clear, so anyone on the network path can read them.)
- It is critical to preserve the security of the Remote Access to the ECPS.
57. Remote Access
- Recommendations
- Establish policies and procedures governing use and installation of Remote Access for ECPS. Review periodically and update as required.
- Remote Access should only be enabled when required, approved, and authenticated.
- Multi-factor (two or more) authentication should be used.
58. Remote Access
- Recommendations
- Automatically lock accounts or access paths after a preset number of consecutive invalid password attempts.
- Consider automatically unlocking the account or access path after a pre-determined period of time or by other methods to ensure safe and reliable system operations.
- Encryption should be used when traversing unsecured networks to gain Remote Access.
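The lockout-with-automatic-unlock recommendation on slide 58, as an added example that is not code from the guidelines. The attempt threshold and the unlock period are policy assumptions, and the clock is injected so the walkthrough runs without waiting. Attempts made while an account is locked are refused but not counted, so a flood of bad passwords cannot extend a lockout indefinitely and keep a legitimate operator out of a control system; that is the "safe and reliable system operations" concern the slide raises.

```python
"""Account lockout after N consecutive failures, with automatic unlock.

Added example, not code from the NERC guidelines. Threshold and unlock
period are policy assumptions; the clock is injected for testing.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class _Account:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None


class LockoutPolicy:
    """Lock an access path after max_attempts consecutive invalid attempts and
    unlock it automatically unlock_after seconds later."""

    def __init__(self, max_attempts: int = 5, unlock_after: float = 900.0,
                 clock: Callable[[], float] = time.time):
        self.max_attempts = max_attempts
        self.unlock_after = unlock_after
        self._clock = clock
        self._accounts: Dict[str, _Account] = {}

    def _get(self, account: str) -> _Account:
        return self._accounts.setdefault(account, _Account())

    def is_locked(self, account: str) -> bool:
        acct = self._get(account)
        if acct.locked_until is None:
            return False
        if self._clock() >= acct.locked_until:
            # Lock period elapsed: clear the lock and the failure counter.
            acct.locked_until = None
            acct.consecutive_failures = 0
            return False
        return True

    def check(self, account: str, credential_ok: bool) -> str:
        """Apply one attempt and return the outcome:
        'locked'   - refused regardless of the credential; not counted, so
                     attempts during a lock do not extend it;
        'ok'       - accepted, failure counter reset;
        'rejected' - bad credential, counted toward the lockout."""
        if self.is_locked(account):
            return "locked"
        acct = self._get(account)
        if credential_ok:
            acct.consecutive_failures = 0
            return "ok"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= self.max_attempts:
            acct.locked_until = self._clock() + self.unlock_after
        return "rejected"

    def seconds_until_unlock(self, account: str) -> float:
        acct = self._get(account)
        if acct.locked_until is None:
            return 0.0
        return max(0.0, acct.locked_until - self._clock())


def demo() -> List[str]:
    """Three bad passwords lock the account; a correct password is still
    refused during the lock; after the period it is accepted again."""
    now = [1000.0]  # fake clock, advanced by hand
    policy = LockoutPolicy(max_attempts=3, unlock_after=600.0, clock=lambda: now[0])
    results = []
    for _ in range(3):
        results.append(policy.check("rtu-maint", False))
    results.append(policy.check("rtu-maint", True))   # correct, but locked
    now[0] += 300.0
    results.append(policy.check("rtu-maint", False))  # still locked, not counted
    now[0] += 301.0                                   # lock has now expired
    results.append(policy.check("rtu-maint", True))
    return results


if __name__ == "__main__":
    print(demo())
```

Logging each outcome, including the "locked" refusals, gives the reviewed connection log that slide 60 asks for, and a burst of "locked" results on one account is itself the signal that someone is guessing.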
59. Remote Access
- Recommendations
- Approved Remote Access authorization lists should be established.
- Change or delete any default passwords or User IDs.
- Consider using meaningful but non-descriptive IDs.
- All Remote Access enabling hardware and software should be approved and installed in accordance with Policy.
60. Remote Access
- Recommendations
- Remote Access connections should be logged and reviewed.
- Consider risk to the process when allowing Remote Access and specifying hardware and software.
61. Remote Access
- Policy considerations for Remote Access modems
- Change default settings as appropriate
- Set dial-out modems to not auto answer.
- Increase ring count before answer.
- Utilize inactivity timeout if available.
- Change passwords periodically.
- Use callback whenever possible.
- Require authentication before connection.
- Make maximum use of available security features.
62. Remote Access
- Reference Internet Sites
- Electricity Sector Information Sharing and Analysis Center: http://www.esisac.com
- The SANS (System Administration, Networking, and Security) Institute: http://www.sans.org
- The Open Web Application Security Project (OWASP): http://www.owasp.org
63. Remote Access
- Reference Internet Sites
- The National Security Agency: http://www.nsa.gov/snac/index.html
- The Center for Internet Security (CIS): http://www.cisecurity.org
- The National Infrastructure Protection Center: http://www.nipc.gov/publications/publications.htm
64. Remote Access
- Reference Internet Sites
- National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/index.html
- U.S. government's CIO Council: http://bsp.cio.gov/
- The CERT Coordination Center (CERT/CC): http://www.cert.org/
65. Homeland Security Advisory System
66. Homeland Security Advisory System
- Threat assessment factors
- Is the threat credible?
- Is the threat corroborated?
- Is the threat specific and/or imminent?
- How grave is the threat?
- Threat advisories may apply
- Regionally.
- By sector.
- Potential target.
- Specific target information will be conveyed by law enforcement agencies.
67. Threat Guidelines
- CIPAG (the NERC CIP Advisory Group) has developed physical and cyber threat response guidelines that correspond to the HSAS system.
- Both the Physical and Cyber guidelines are recommendations to be considered.
- Each organization needs to do a risk analysis and develop an appropriate response to each threat level.
68. Threat Guidelines
- Response actions are cumulative as threats increase in severity.
- Actions are intended to
- Reduce vulnerability.
- Deter or prevent incidents.
- Improve recovery.
69. Physical Threat Alert Levels
- Prepared by the NERC CIP Advisory Group.
- Contains guidelines for responding to Physical Threat Alert Levels
70. Physical Threat Alert Levels
- ES-Physical-Green (Low)
- Applies when no known threat exists of terrorist activity or only a general concern exists about criminal activity, such as vandalism, which warrants only routine security procedures. Any security measures applied should be maintainable indefinitely and without adverse impact to facility operations. This level is equivalent to normal daily conditions.
71. Physical Threat Alert Levels
- ES-Physical-Blue (Guarded)
- Applies when a general threat exists of terrorist or increased criminal activity with no specific threat directed against the electricity industry. Additional security measures are recommended, and they should be maintainable for an indefinite period of time with minimum impact on normal facility operations.
72. Physical Threat Alert Levels
- ES-Physical-Yellow (Elevated)
- Applies when a general threat exists of terrorist or criminal activity directed against the electricity industry. Implementation of additional security measures is expected. Such measures are anticipated to last for an indefinite period of time.
73. Example: Physical-Yellow
- Physical Threat Alert Level-Yellow
- 6. Implement measures 1-5, if they have not already been implemented.
- 7. Ensure all gates, security doors, and security monitors are in working order and visitor, contractor, and employee access controls are enforced.
- 8. Notify critical and on-call personnel.
- 9. Establish/assure communications with law enforcement agencies.
- etc.
74. Physical Threat Alert Levels
- ES-Physical-Orange (High)
- Applies when a credible threat exists of terrorist or criminal activity directed against the electricity industry. Additional security measures have been implemented. Such measures may be anticipated to last for a defined period of time.
75. Example: Physical-Orange
- Physical Threat Alert Level-Orange
- 11. Implement measures 1-10, if they have not already been implemented.
- 12. Review need to revise plans in measure 3, based on current intelligence, and include additional instructions as appropriate to the Security/Threat Plans.
- 13. Place all critical and on-call personnel on alert; consider holding tabletop exercises.
- 14. Enforce safe zones around facilities per Security Plan.
- etc.
76. Physical Threat Alert Levels
- ES-Physical-Red (Severe)
- Applies when an incident occurs (even if outside of the Electricity Sector) or credible intelligence information is received indicating a terrorist or criminal act against the electricity industry is imminent or has occurred. Maximum security measures are necessary. Implementation of such measures could cause hardship on personnel and seriously impact facility business and security activities.
77. Example: Physical-Red
- Physical Threat Alert Level-Red
- 25. Implement measures 1-24, if they have not already been implemented.
- 26. Send non-essential personnel home, per business/site specific procedures.
- 27. Stop all non-alert related tours and visitors.
- 28. Consider having medical emergency personnel on-site, if possible.
- 29. Continuously monitor or otherwise secure all entrances and critical service facilities, such as substations. This step may include the use of armed security personnel.
- etc.
78. Cyber Threat Alert Levels
- Prepared by the NERC CIP Advisory Group.
- Contains guidelines for responding to Cyber Threat Alert Levels
79. Cyber Threat Alert Levels
- ES-Cyber-Green (Low)
- Applies when there is no known threat of cyber attack or only a general concern about hacker activity that warrants only routine security procedures. Any cyber security measures applied should be maintainable indefinitely and without adverse impact to business or expenses. This may be equivalent to normal daily conditions.
80. Cyber Threat Alert Levels
- ES-Cyber-Blue (Guarded)
- Applies when there is a general threat of increased cyber (hacker intrusions, viruses, etc.) activity with no specific threat directed toward the electricity industry. Additional cyber security measures may be necessary, and if initiated they should be maintainable for an indefinite period of time with minimum impact on normal business or expenses.
81. Cyber Threat Alert Levels
- ES-Cyber-Yellow (Elevated)
- Applies when a general threat of disruptive cyber activity is directed against the electricity industry. Implementation of additional cyber security measures is expected. Such measures are anticipated to last for an indefinite period of time.
82. Example: Cyber-Yellow
- Cyber Threat Alert Level-Yellow
- 7. Implement measures 1-6, if they have not already been implemented.
- 8. Increase level of auditing, review, and critical file back-up procedures.
- 9. Conduct internal security review on all critical systems.
- 10. Increase review of intrusion detection and firewall logs.
- 11. More frequent checks of cyber security communications for software vulnerability.
- etc.
83. Cyber Threat Alert Levels
- ES-Cyber-Orange (High)
- Applies when a credible threat exists of disruptive cyber activity directed against the electricity industry. Additional cyber security measures have been implemented. Business entities need to be aware that corporate resources will be required above and beyond those required for normal business or expenses.
84. Example: Cyber-Orange
- Cyber Threat Alert Level-Orange
- 14. Implement measures 1-13, if they have not already been implemented.
- 15. Conduct immediate internal security review on all critical systems.
- 16. Determine staffing availability for backup operations and provide notice.
- 17. Consider increasing physical access restrictions to computer rooms, communications closets, and critical operations areas.
- etc.
85. Cyber Threat Alert Levels
- ES-Cyber-Red (Severe)
- Applies when an incident occurs (even if outside of the Electricity Sector) or credible intelligence information is received indicating a disruptive cyber attack against the electricity industry is imminent or has occurred. Maximum cyber security measures are necessary. Implementation of such measures could cause hardship on personnel and seriously impact facility business and security activities.
86. Example: Cyber-Red
- Cyber Threat Alert Level-Red
- 23. Implement measures 1-22, if they have not already been implemented.
- 24. Consider 24/7 emergency tech support staffing.
- 25. Consider continuous 24/7 monitoring of intrusion detection and firewall logs.
- 26. Consider continuous 24/7 monitoring of cyber security communications for latest vulnerability information. Contact software vendors for status of software patches and updates.
- etc.
87. Implementation Considerations
- Integrate NERC threat levels in all security and emergency response plans.
- Notify local law enforcement (County Sheriff, Police Department) of threat level changes.
- Company security awareness briefings should address the NERC Threat Response procedures and employee responsibilities
- Vigilance.
- Observe and report.
88. Recommendations
- Subscribe to the Critical Infrastructure Open Source Daily Report through NERC.
- Register to be a participant in the ES-ISAC's Critical Infrastructure Protection Information System (CIPIS).
- Establish regular communication with local law enforcement agencies, local FBI office, and US Secret Service Electronic Crimes Task Force as appropriate.
89. Questions?
90. Contact SPP
- Kevin B. Perry, kperry_at_spp.org
- www.spp.org