NERC Security Guideline Workshop Sponsored by: APPA, EEI and NRECA - PowerPoint PPT Presentation

1
NERC Security Guideline Workshop
Sponsored by APPA, EEI and NRECA
  • George T. Miserendino
  • Triton Security Solutions
  • Solutions@TritonSecSol.com
  • 952-423-3457


© Triton Security Solutions, Inc.
2
Table of Contents: NERC Security Guideline
Workshop Overview and Development Session
  • I. Overview and Development
  • II. Electricity Sector Security Guidelines
    • Vulnerability Assessment and Risk Assessment
    • Threat Response
    • Emergency Plans
    • Continuity of Business

2

3
Table of Contents, cont.
    • Communications
    • Physical Security
    • Employment Screening
    • Protecting Sensitive Information
    • Cyber Security
      • I.T. Risk Management
      • Cyber Access Control
      • I.T. Firewalls
      • I.T. Intrusion Detection
      • Process Control Systems Security
    • Threat and Incident Reporting

3

4
Security Guidelines: Executive Summary
  • These guidelines describe
    • General approaches
    • Considerations
    • Practices
    • Planning philosophies
  • Implementation should reflect an individual
    organization's assessment of its own
    • Needs
    • Vulnerabilities and consequences
    • Tolerance for risk


4
5
Security Guidelines: Basic Objective
  • The intent of the guidelines is to provide
    industry Best Practices for the protection of
    Critical Facilities against a Spectrum of Threats

5

6
Participants in The Guideline Development Process
  • North American Electric Reliability Council
    • Critical Infrastructure Protection Advisory Group
      (CIPAG), sponsored by NERC
  • National Rural Electric Cooperative Assoc.
  • Edison Electric Institute Security Committee
  • American Public Power Assoc.
  • Department of Energy
  • Department of Agriculture


6
7
Security Guidelines: Principles, continued
  • Each company is free to define and identify those
    facilities and functions it believes to be
    critical.
  • The ability to mitigate the loss of a facility
    through redundancies, spare parts and detailed
    response and recovery plans may make that
    facility less critical.


7
8
Security Guidelines: Critical Facility defined
  • Any facility or combination of facilities which,
    if severely damaged or destroyed, would
    • 1. Have a significant impact on the ability to
      serve large numbers of customers for an
      extended period of time.
    • 2. Have a detrimental impact on the reliability
      or operability of the energy grid.


8
9
Security Guidelines: Critical Facility, continued
    • 3. Cause significant risk to
      • A. National security
      • B. National economic security
      • C. Public health and safety.


9
10
Security Guidelines: Spectrum of Threats
  • Weather-related incidents (storms, floods, fires,
    earthquakes, etc.)
  • Acts of vandalism
  • Acts of activism
  • Acts of terrorism
  • Acts of an insider


10
11
The Electricity Sector is a Target
  • Critical support to
    • Economy
    • National security
    • Public well-being
  • Conduit to national security or economic targets
  • Conduit to other critical infrastructures

11

Source NERC
12
Who is Targeting The Electricity Sector?
  • Hackers
  • Vandals
  • Activists
  • Criminals
  • Terrorists
  • Nation States
  • The threat is inside and outside!


Source NERC
12
13
Spectrum of Threats
1. What needs to be protected?
2. Who are we protecting against?
3. Worst consequences and highest probability:
   prioritized ranking

13
14
Who do We Need to Protect Against?
Threats (INSIDER and OUTSIDER):
  • Activists
  • Disgruntled (ex) employee
  • Terrorist
  • Potentially violent or psychologically deranged
  • Vandalism
14

15
  • Guidelines Access
    • http://www.esisac.com/library.htm
    • http://www.oea.dis.anl.gov

15

16
NERC Vulnerability and Risk Assessment

17
Vulnerability And Risk Assessment Guideline
  • Purpose
    • Identify and prioritize critical facilities and
      impacts of loss.
    • Identify countermeasures to mitigate
      vulnerabilities of critical facilities.

17
18
Applicability
  • All companies should perform 5-step vulnerability
    assessment on Critical Facilities.
  • Focus is on facilities meeting the threshold
    definition for CRITICAL.

18
19
Implementation Considerations: Best Practices
  • Use a team approach: subject matter experts
    knowledgeable of the system (brainstorming
    session)
    • Security/Facilities/Safety
    • Operations, Maintenance, and Logistics
    • Engineering
    • I.T.

19
20
Best Practices, cont.
  • Employ risk assessment worksheet process
    • Identify assets (critical facilities) and loss
      impact.
    • Characterize the threat.
    • Identify and analyze vulnerabilities.
    • Consider interdependencies.
    • Assess risk (subjectively) and determine
      priorities.
    • Identify countermeasures, costs and trade-offs.

20
Source DOE
21
Identify Countermeasures, Costs and Trade-offs

21
Source DOE VRAP
22
Critical Facility Risk Value Table
22
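The worksheet process on slides 20 to 22 (asset and loss impact, threat, vulnerability, interdependencies, risk ranking, then countermeasures weighed against cost) is easier to follow when the arithmetic is written out. The following is an added illustrative example, not the DOE VRAP worksheet, NERC's risk value table or the presenter's code: the 1-to-5 scoring scale, the product formula, the way dependent facilities add to loss impact, and every facility, countermeasure, cost and budget figure are constructed assumptions.

```python
"""Illustrative risk assessment worksheet (added example; scale, formula and
all sample data are constructed assumptions, not the DOE or NERC worksheet)."""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed subjective scale: 1 = negligible ... 5 = severe


@dataclass
class Facility:
    name: str
    consequence: int      # loss impact: customers served, grid reliability, safety
    threat: int           # likelihood that a characterized threat targets it
    vulnerability: int    # ease with which an attack on it would succeed
    dependents: tuple = ()  # facilities that also fail if this one is lost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    facility: str
    cost: int             # constructed figure, thousands of dollars
    vuln_reduction: int   # points removed from the facility's vulnerability score


def validate(facilities):
    """Reject scores outside the scale and interdependencies on unknown assets."""
    names = {f.name for f in facilities}
    for f in facilities:
        for v in (f.consequence, f.threat, f.vulnerability):
            if v not in SCALE:
                raise ValueError(f"{f.name}: scores must be 1-5, got {v}")
        unknown = set(f.dependents) - names
        if unknown:
            raise ValueError(f"{f.name}: unknown dependents {sorted(unknown)}")


def loss_impact(f, by_name):
    """Consequence of losing f, plus the cascading loss of facilities that depend on it."""
    return f.consequence + sum(by_name[d].consequence for d in f.dependents)


def risk_score(f, by_name):
    """Assumed worksheet formula: risk = loss impact x threat x vulnerability."""
    return loss_impact(f, by_name) * f.threat * f.vulnerability


def ranked(facilities):
    """Prioritized ranking, highest risk first, as (name, score) pairs."""
    validate(facilities)
    by_name = {f.name: f for f in facilities}
    order = sorted(facilities, key=lambda f: risk_score(f, by_name), reverse=True)
    return [(f.name, risk_score(f, by_name)) for f in order]


def risk_reduction(m, by_name):
    """Risk points removed if countermeasure m is applied to the current state."""
    f = by_name[m.facility]
    new_v = max(SCALE.start, f.vulnerability - m.vuln_reduction)
    return (f.vulnerability - new_v) * f.threat * loss_impact(f, by_name)


def select_countermeasures(facilities, measures, budget):
    """Trade-off step: greedily buy the best risk reduction per cost unit within budget.
    Vulnerability scores are updated as measures are chosen so a second measure on
    the same facility is not credited with reduction that is already gone."""
    validate(facilities)
    by_name = {f.name: replace(f) for f in facilities}  # working copy
    order = sorted(measures, key=lambda m: risk_reduction(m, by_name) / m.cost,
                   reverse=True)
    chosen, spent = [], 0
    for m in order:
        gain = risk_reduction(m, by_name)
        if gain == 0 or spent + m.cost > budget:
            continue
        chosen.append(m.name)
        spent += m.cost
        f = by_name[m.facility]
        by_name[m.facility] = replace(
            f, vulnerability=max(SCALE.start, f.vulnerability - m.vuln_reduction))
    return chosen, spent


# Constructed sample worksheet input (not real facilities or costs).
FACILITIES = [
    Facility("Control Center", consequence=4, threat=2, vulnerability=2,
             dependents=("Substation A", "Substation B")),
    Facility("Substation A", consequence=5, threat=3, vulnerability=4),
    Facility("Substation B", consequence=3, threat=3, vulnerability=3),
    Facility("Headquarters office", consequence=1, threat=2, vulnerability=5),
]
MEASURES = [
    Countermeasure("Perimeter fencing and lighting at Substation A", "Substation A", 40, 2),
    Countermeasure("CCTV and intrusion sensors at Substation A", "Substation A", 60, 1),
    Countermeasure("Badge access control at Control Center", "Control Center", 20, 1),
    Countermeasure("Door alarms at Substation B", "Substation B", 15, 1),
    Countermeasure("Intrusion alarm at headquarters office", "Headquarters office", 10, 2),
]

if __name__ == "__main__":
    for name, score in ranked(FACILITIES):
        print(f"{score:4d}  {name}")
    chosen, spent = select_countermeasures(FACILITIES, MEASURES, budget=100)
    print(f"Selected within budget (spent {spent}k):", *chosen, sep="\n  ")
```

The interdependency term is what moves the Control Center above Substation B even though its own scores are lower, which is the point of the "consider interdependencies" step; the greedy selection is one simple way to express the cost trade-off, and a real worksheet would also record the subjective reasoning behind each score.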

23
NERC Threat Response Guideline

24
Threat Response Guideline
  • Purpose
    • Ensures that companies provide enhanced security
      in response to threat advisories from
      • Department of Homeland Security
      • NERC Threat Notices (ESISAC)
      • State Agencies
      • DHS / IAIP
      • D.O.T. (Combo Utilities)


24
25
Applicability
  • Plans, policies and procedures which contribute
    to the protection of company CRITICAL
    FACILITIES
  • NERC response guidance is consistent with the
    Homeland Security Advisory System
  • Describes elements for consideration based on
    threat levels
  • Addresses physical and cyber security threats


25
26
Homeland Security Advisory System
  • Purpose
    • Provides a comprehensive and effective means to
      disseminate information regarding the risk of
      terrorist or criminal attacks.
  • Five (5) levels intended to characterize
    appropriate levels of
    • Vigilance
    • Preparedness
    • Response


26
27
Homeland Security Advisory System
  • SEVERE: Severe Risk of Terrorist Attacks
  • HIGH: High Risk of Terrorist Attacks
  • ELEVATED: Significant Risk of Terrorist Attacks
  • GUARDED: General Risk of Terrorist Attacks
  • LOW: Low Risk of Terrorist Attacks

Source Office of Homeland Security
27
28
NERC Physical Security

29
Physical Security Guideline
  • Purpose
    • Mitigates the threat through the implementation
      of physical security measures to
      • Safeguard Personnel
      • Prevent unauthorized access to critical
        equipment, systems, materials and information at
        CRITICAL FACILITIES
  • Applicability
    • Critical equipment, systems, material and
      information at CRITICAL FACILITIES.

29
30
Implementation Considerations: Best Practices
  • Implement a program and plan based on a SYSTEMS
    APPROACH of
    • Deterrence
    • Detection
    • Assessment and Communications
    • Delay and Response
  • Implement a security awareness program for
    employees
    • Priority Number 1: Observe and Report

30
31
Best Practices, cont.
  • Awareness of the environment
    • Heightened VIGILANCE
  • Limiting access to CRITICAL FACILITIES through
    applied technologies
  • Requesting law enforcement patrols during periods
    of heightened threat

31
32
Recommendation
  • Develop a security plan reflecting changes in
    THREAT LEVEL
  • Employ strategies of deterrence
    • Lighting
    • Signage
    • CCTV
    • Patrols

32
33
Elements of Physical Security
  • Deter: Signs, Patrols, Lighting, Fencing
  • Detect: Sensors, Patrols, Door Alarms
  • Assess and Communicate: Cameras, Central Alarm
    Station Monitoring
  • Delay and Respond: Barriers, Security Officers,
    Police
33
34
Physical Security Goals
  • Employee Safety.
  • Litigation Avoidance.
  • Prevention or Deterrence Against Intentional
    Disruption to the System.
  • Reduction of Theft.

34
35
NERC Emergency Plans Guideline

36
Emergency Plans Guideline
  • Purpose
    • Ensures the company is prepared to respond to
      the Spectrum of Threats (Physical and Cyber)
      • Trespassing
      • Vandalism
      • Civil Disruptions
      • Sabotage
      • Acts of Terror
      • Cyber Incidents

36

37
Applicability
  • Company defined CRITICAL FACILITIES
  • Focused on responding to incidents
  • Priority: restoration and recovery of THE
    SYSTEM


37
38
Implementation Considerations: Best Practices
The Plan
  • Flexible
  • Update Annually
  • Update After an Incident
    • Identify lessons learned
      • What went right
      • What can be improved
  • Key Responders are identified with Specific
    Tasks and Duties


38
39
Best Practices: The Plan, continued
  • Designate Emergency Management Team
    • Operations and Maintenance
    • Communications
    • Logistics
    • I.T.
    • Security/Facilities/Safety
    • Media relations coordinator
  • Annual orientation for key responders
  • Annual TABLE TOP exercise
    • Scenario driven


39
40
Best Practices: The Plan, continued
  • After actual employment of the plan or after
    TABLE TOP exercises
    • Perform a LESSONS LEARNED
    • Modify plan based on LESSONS LEARNED
  • Identify an alternative reporting location for
    key responders
  • Identify priorities for emergency response
    • Protecting life
    • Restoring services


40
41
Recommendation
  • Develop the security response plan and attach as
    a separate annex to WEATHER/STORM response plan
  • Assure consistency with NERC physical and cyber
    threat alert levels
  • Build on experiences in protecting critical
    infrastructure
    • Gulf War
    • Y2K
    • 9-11


41
42
Integrate Physical Security into the Plant's and
Company's Overall Emergency Risk Management
Planning Program
The Four Phases of Emergency Risk Management
(All Risks and Hazards)
  • Mitigation
  • Preparedness
  • Response
  • Recovery
42

43
Phases of Emergency Risk Management
  • Mitigation (long-term): Eliminate or reduce the
    chance of occurrence or the effects of a risk.
  • Preparedness (to respond): Planning how to respond
    in case a disaster occurs and how to ensure the
    right resources are available to respond
    effectively.
  • Response (to disaster): Planned or unplanned
    activities designed to provide emergency
    assistance to victims of the disaster and reduce
    the likelihood of further damage.
  • Recovery (short and long-term): Efforts to return
    the environment/victims to normal, or near normal
    status.

43

44
Implementation Strategy (I)
  • Overall, The Plan does not need to be detailed
    but is supported by detailed
    • System restoration plans
    • I.T. recovery plans
    • Life safety plans
    • Business unit continuity plans
  • Plan should include elements of
    • Operations
    • Communications
    • Facilities
    • I.T.
    • Financial support
  • Plan exercised and updated annually


44
45
Implementation Strategy (II)
  • Develop a Critical Incident Response Team
    (C.I.R.T.)
    • SWAT team to respond to
      • Explosions
      • Fires
      • Workplace Violence
  • Team make-up
    • H.R.
    • Legal
    • Communications
    • Security
    • Safety
    • Business Unit Representative


45
46
Implementation Strategy (II), cont.
  • Mission: Deal with incident until business unit
    recovery plan is implemented
  • CIRT: single point-of-contact
  • Emergency Operations Center (E.O.C.)
  • Security operations center: Focal point to
    monitor incident

46

47
Implementation Strategy: Mutual Assistance
Agreements for Security Incidents
  • Coordinated with
    • Local law enforcement
    • State emergency preparedness offices
  • Security plan topics
    • Bomb threats
    • Fire/Explosions
    • Chemical spills
    • Facility evacuations

47

48
Implementation Strategy: Mutual Assistance
Agreements for Security Incidents, cont.
  • Recommend liaison with law enforcement
    • Critical facility tours
    • Information/plan exchange
    • Mutual training opportunities
    • Facility availability
  • Attachments
    • Notification telephone tree
    • Critical customer information
    • Equipment checklists
    • Emergency equipment suppliers

48

49
REPORT INCIDENTS TO
  • LOCAL LAW ENFORCEMENT
    (Establish and maintain relationship)
  • LOCAL FBI
    (Establish and maintain relationship)
  • DHS / IAIP
    (IAW Program: use InfraGard, CIPIS,
    nipc.watch@fbi.gov, 202-323-3204, -3205, -3206,
    888-585-9078)
  • Electricity Sector Information Sharing and
    Analysis Center
    (CIPIS, esisac@nerc.com, 609-452-8060 day,
    609-452-1422 anytime)


Source NERC
49
50
NERC Continuity of Business Processes

51
Continuity of Business Processes
  • Purpose
    • Reduces the impact of interruptions to critical
      systems and ensures resumption of business and
      operations in a short time.
  • Applicability
    • Facilities and functions considered critical to
      the overall operation of the company.
  • World Trade Center Disaster
    • Underscores the need
    • Many applicable Lessons Learned

51

52
Summary of Plan Differences
  • Business Continuity Plan (BCP)
    • To recover mission critical business services and
      processes
    • Limited scenarios
    • Focus on technology facilities and/or data
  • Crisis Management Plan (CMP)
    • To limit intensity, manage and control negative
      results of an event
    • Many scenarios
    • Focus on people, products, services and
      reputation

53
Implementation Considerations: The Plan
  • Comprehensive tool with all critical functions
    having separate plans (Annexes)
  • Business recovery should be the basis
  • Updated and Exercised Annually
  • LESSONS LEARNED conducted after each exercise
    and incident


53
54
Implementation Considerations: The Plan, cont.
  • Prioritize restoration of functions
    • Business systems (Accounts payable and
      receivable, payroll, financial transactions)
  • Assure I.T. assets are available to meet Minimal
    Level of operations
  • Identify vulnerabilities in I.T. and business
    systems


54
55
Implementation Considerations: The Plan, cont.
  • Identify alternate facilities if headquarters
    building is lost (Essential)
    • Distance from headquarters
    • Controlled by company


55
56
Plan Reality Check
  • Plan Design: worst case scenario
    • Usually one to three scenarios
  • Recovery Scenarios
    • Facility Losses (no access to a facility or
      related services)
    • Technology Losses (no access to systems,
      equipment, information/data or services)

57
Recommendation
  • Develop internally
  • Contract for external assessment
  • Functionally exercise a portion of the plan
    • Evaluation should be independent
  • Annual Exercise
    • Document Lessons Learned


57
58
NERC Communications

59
Communications Guidelines
  • Purpose
    • To establish effective liaison relationships with
      local offices of federal, regional, and local law
      enforcement where critical facilities are located
    • To promptly report security incidents
    • To develop an INTERNAL THREAT WARNING
      system
  • Applicability
    • Applies to facilities and functions that are
      considered critical.

59

60
Implementation Considerations: Best Practices
  • All contact telephone numbers should be placed
    in the EMERGENCY RESPONSE PLAN
  • Staff should be trained on what is to be reported
    and to what organization (Sheriff, FBI)
  • A single staff organization should make ALL
    external notifications
  • Provide familiarization tour of critical sites to
    law enforcement agencies
    • Explain The System


60
61
Best Practices, continued
  • Key officials and responders should be issued
    Emergency Responder wallet cards containing
    contact information
    • Sheriff's Department
    • Local FBI
    • National Infrastructure Protection Center / FBI
    • Information Sharing and Analysis Center / NERC
    • Company responders
    • State Emergency Operations Center


61
62
Best Practices, continued
  • Annually review all emergency incident response
    plans to assure
    • Responders are aware of plan changes
  • Modify Weather Response Plan by adding a
    Security Incident Annex
    • Cyber
    • Physical


62
63
Sample Wallet Card Front


63
64
Sample Wallet Card Back

64

65
REPORT INCIDENTS TO
  • LOCAL LAW ENFORCEMENT
    (Establish and maintain relationship)
  • LOCAL FBI
    (Establish and maintain relationship)
  • DHS / IAIP
    (IAW Program: use InfraGard, CIPIS,
    nipc.watch@fbi.gov, 202-323-3204, -3205, -3206,
    888-585-9078)
  • Electricity Sector Information Sharing and
    Analysis Center
    (CIPIS, esisac@nerc.com, 609-452-8060 day,
    609-452-1422 anytime)


Source NERC
65
66
NERC Employment Background Screening

67
Employment Background Screening
  • Purpose
    • Contributes to mitigating the INSIDER threat
      by assuring only trustworthy and reliable
      personnel have unescorted access to critical
      facilities
  • May prevent or deter
    • Regulatory Issues
    • Negligent Hiring
    • Theft
    • Drug use

67

68
Applicability
  • Regulated programs
    • D.O.T. Gas
    • Commercial driver's license (CDL) programs
  • Employees, Contractors and Vendors with
    unescorted access to company defined Critical
    Facilities


68
69
Implementation Considerations: Best Practices
  • Program must adhere to all Federal and State laws
  • Use a comprehensive employment application form
  • Publish Disqualification Criteria
  • Subcontract investigative services


69
70
Recommendation
  • At a minimum, a program should consist of the
    following elements
    • Verification of Social Security Number
    • Local level criminal history check (County of
      residence)
    • Employment checks
    • Motor vehicle license information
    • Drug screen
    • Verification of highest level of education or
      professional certification


70
71
NERC Protecting Potentially Sensitive
Information

72
Protecting Potentially Sensitive Information
  • Purpose
    • Ensure that potentially sensitive information
      regarding critical infrastructure is properly
      protected

72

73
Applicability
  • Information, both physical and electronic,
    defined by the company as SENSITIVE
    • Critical infrastructure targets
    • Personnel information
    • Security measures
    • Operational vulnerabilities
    • Details on critical operating
      • Facilities
      • Systems


73
74
Implementation Considerations: Best Practices
  • Apply the Need-to-Know principle on access to
    sensitive information
  • Develop a policy defining the protection
    strategies
  • Assess the Life-Cycle of information in your
    company (Physical and Cyber)
    • Production
    • Storage
    • Transmission
    • Destruction


74
75
Recommendation
  • Question governmental organizations when they
    request Sensitive Information
    • Assurance of confidentiality
  • Designate a single person responsible for
    reviewing requests for Sensitive Information


75
76
Implementation Strategy: Protecting Sensitive
Company Operating System Information
  • Companies should ensure that there are procedures
    in place to preclude the release of sensitive
    information
    • Regulatory Agencies pursuant to their authority:
      Request confidentiality of data be maintained
    • Legitimate business enterprise:
      Request a non-disclosure agreement
    • Corporate websites and publications:
      Periodically assess for sensitive information


76
77
TERRORISTS WILL USE YOUR COMPANY'S PUBLIC
INFORMATION IN THE INTELLIGENCE GATHERING STAGE
OF A TARGET ASSESSMENT!

77
78
NERC Cyber Security

79
Cyber Security Guidelines
  • Purpose
    • Identify, assess and mitigate cyber risks to
      computing infrastructures using five (5)
      guidelines
      • Risk Management
      • Access Control
      • I.T. Firewall
      • Intrusion Detection
      • Process Control Systems Security

79
© Triton Security Solutions, Inc.
80
  • Applicability, cont.
    • Any company that owns information systems and
      services that support the electric infrastructure.

80
© Triton Security Solutions, Inc.
81
Implementation Considerations
  • Develop and implement a CYBER/I.T. SECURITY
    PLAN which addresses
    • Risk Management
    • Access Control
    • I.T. Firewalls
    • Intrusion Detection
    • Process Control Systems
  • Review and test plan annually.

© Triton Security Solutions, Inc.
81
82
Recommendation
  • Applicable across the entire company
    • Business Operations
    • System Control
    • Personnel Data
  • Implement business continuity plans

© Triton Security Solutions, Inc.
82
83
NERC Threat and Incident Reporting

84
  • Purpose
    • Promote timely and actionable response to
      security
      • Threats
      • Incidents

84
85
  • Why Report
    • Prevent or mitigate the consequences of an attack
    • Minimize negative impact on company
      • Repair costs
      • Revenues
      • Productivity
      • Public Trust

85
86
  • The Audience / User
    • Law Enforcement
    • Government Agencies and Regulations
    • ESISAC
    • Reliability

86
87
  • What Should Be Reported
    • Date, Time and Location of Incident
    • Description of Incident
    • Cause (If Known)
    • Law Enforcement Involvement
    • NERC-DHS Indications, Analysis, Warnings (IAW)
      Program

87
88
NERC Securing Remote Access to Electronic
Control and Protection Systems

89
  • What Systems?
    • Those systems used to regulate physical
      processes, including but not limited to
      electronic protective relays, substation
      automation and control systems, power plant
      control systems, energy management systems (EMS),
      supervisory control and data acquisition (SCADA),
      programmable logic controllers (PLC).

89
90
  • Purpose
    • Realistic security
    • Definition of Remote Access
    • Recommended steps

90