Title: NERC Security Guideline Workshop Sponsored by: APPA, EEI and NRECA
NERC Security Guideline Workshop
Sponsored by APPA, EEI and NRECA
- George T. Miserendino
- Triton Security Solutions
- Solutions_at_TritonSecSol.com
- 952-423-3457
© Triton Security Solutions, Inc.
Table of Contents
- I. NERC Security Guideline Workshop: Overview and Development Session
- II. Electricity Sector Security Guidelines
- Vulnerability Assessment and Risk Assessment
- Threat Response
- Emergency Plans
- Continuity of Business
Table of Contents, cont.
- Communications
- Physical Security
- Employment Screening
- Protecting Sensitive Information
- Cyber Security
- I.T. Risk Management
- Cyber Access Control
- I.T. Firewalls
- I.T. Intrusion Detection
- Process Control Systems Security
- Threat and Incident Reporting
Security Guidelines: Executive Summary
- These guidelines describe
- General approaches
- Considerations
- Practices
- Planning philosophies
- Implementation should reflect an individual organization's assessment of its own
- Needs
- Vulnerabilities and consequences
- Tolerance for risk
Security Guidelines: Basic Objective
- The intent of the guidelines is to provide industry best practices for the protection of Critical Facilities against a Spectrum of Threats
Participants in the Guideline Development Process
- North American Electric Reliability Council
- Critical Infrastructure Protection Advisory Group (CIPAG), sponsored by NERC
- National Rural Electric Cooperative Assoc.
- Edison Electric Institute Security Committee
- American Public Power Assoc.
- Department of Energy
- Department of Agriculture
Security Guidelines: Principles, continued
- Each company is free to define and identify those facilities and functions it believes to be critical.
- The ability to mitigate the loss of a facility through redundancies, spare parts and detailed response and recovery plans may make that facility less critical.
Security Guidelines
- Critical Facility defined as any facility or combination of facilities that, if severely damaged or destroyed, would
- 1. Significantly impact the ability to serve large numbers of customers for an extended period of time.
- 2. Have a detrimental impact on the reliability or operability of the energy grid.
Security Guidelines
- Critical Facility, continued
- 3. Cause significant risk to
- A. National security
- B. National economic security
- C. Public health and safety.
Security Guidelines
- Spectrum of Threats
- Weather-related incidents (storms, floods, fires, earthquakes, etc.)
- Acts of vandalism
- Acts of activism
- Acts of terrorism
- Acts of an insider
The Electricity Sector is a Target
- Critical support to
- Economy
- National security
- Public well-being
- Conduit to national security or economic targets
- Conduit to other critical infrastructures
Source: NERC
Who is Targeting the Electricity Sector?
- Hackers
- Vandals
- Activists
- Criminals
- Terrorists
- Nation States
- The threat is inside and outside!
Source: NERC
Spectrum of Threats
1. What needs to be protected?
2. Who are we protecting against?
3. Prioritized ranking: worst consequences and highest probability first
Who Do We Need to Protect Against?
- Threats, insider and outsider
- Activists
- Disgruntled (ex) employee
- Terrorist
- Potentially violent or psychologically deranged
- Vandalism
Guidelines Access
- http://www.esisac.com/library.htm
- http://www.oea.dis.anl.gov
NERC Vulnerability and Risk Assessment
Vulnerability and Risk Assessment Guideline
- Purpose
- Identify and prioritize critical facilities and impacts of loss.
- Identify countermeasures to mitigate vulnerabilities of critical facilities.
Applicability
- All companies should perform the 5-step vulnerability assessment on Critical Facilities.
- Focus is on facilities meeting the threshold definition for CRITICAL.
Implementation Considerations: Best Practices
- Use a team approach: subject matter experts knowledgeable of the system (brainstorming session)
- Security/Facilities/Safety
- Operations, Maintenance, and Logistics
- Engineering
- I.T.
Best Practices, cont.
- Employ a risk assessment worksheet process
- Identify assets (critical facilities) and loss impact.
- Characterize the threat.
- Identify and analyze vulnerabilities.
- Consider interdependencies.
- Assess risk (subjectively) and determine priorities.
- Identify countermeasures, costs and trade-offs.
Source: DOE
Identify Countermeasures, Costs and Trade-offs
(Chart not reproduced; Source: DOE VRAP)
Critical Facility Risk Value Table
(Table not reproduced)
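The worksheet steps above (identify assets and loss impact, characterize the threat, score vulnerabilities, assess risk subjectively and rank, then weigh countermeasures against cost) carried through as a small program. This is an added example, not part of the NERC or DOE material: the 1..5 scales, the redundancy discount on consequence, and every facility, threat, vulnerability score and countermeasure in it are constructed assumptions for illustration.

```python
"""Risk-assessment worksheet: added example, not part of the NERC/DOE material.
Every scale, facility, threat, vulnerability score and countermeasure below is a
constructed assumption used only to show the ranking and trade-off arithmetic."""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = negligible ... 5 = severe (assumed ordinal scale)

def _score(value: int, label: str) -> int:
    """Reject values outside 1..5 so a typo cannot silently dominate the ranking."""
    if value not in SCALE:
        raise ValueError(f"{label} must be in 1..5, got {value!r}")
    return value

@dataclass(frozen=True)
class Facility:
    name: str
    customers_impact: int  # ability to serve large numbers of customers
    grid_impact: int       # reliability / operability of the grid
    national_impact: int   # national security, economy, public health and safety
    redundancy: int        # 1 = no spares or recovery plan ... 5 = fully redundant

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # subjective 1..5 from the threat characterization step

@dataclass(frozen=True)
class Countermeasure:
    name: str
    facility: str
    threat: str
    vulnerability_reduction: int  # points removed from the (facility, threat) score
    cost_k_usd: float

def consequence(f: Facility) -> int:
    """Loss impact: worst of the three impact factors, discounted for redundancy
    (spares and recovery plans can make a facility less critical). Redundancy 1-2
    removes nothing, 3-4 removes one point, 5 removes two; the floor is 1."""
    worst = max(_score(f.customers_impact, "customers_impact"),
                _score(f.grid_impact, "grid_impact"),
                _score(f.national_impact, "national_impact"))
    return max(1, worst - (_score(f.redundancy, "redundancy") - 1) // 2)

def risk_value(f: Facility, t: Threat, vulnerability: int) -> int:
    """Subjective risk = consequence x likelihood x vulnerability (range 1..125)."""
    return (consequence(f) * _score(t.likelihood, "likelihood")
            * _score(vulnerability, "vulnerability"))

def rank_risks(facilities, threats, vulnerabilities):
    """Prioritized ranking, highest risk first; ties broken by name for stable output.
    A (facility, threat) pair with no vulnerability entry is treated as not exposed."""
    rows = [(f.name, t.name, risk_value(f, t, vulnerabilities[(f.name, t.name)]))
            for f in facilities for t in threats if (f.name, t.name) in vulnerabilities]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def evaluate_countermeasures(facilities, threats, vulnerabilities, countermeasures):
    """(name, risk before, risk after, reduction, reduction per $1k), best value first."""
    by_f = {f.name: f for f in facilities}
    by_t = {t.name: t for t in threats}
    out = []
    for cm in countermeasures:
        if cm.cost_k_usd <= 0:
            raise ValueError(f"{cm.name}: cost must be positive")
        f, t = by_f[cm.facility], by_t[cm.threat]
        v_before = vulnerabilities[(f.name, t.name)]
        v_after = max(1, v_before - cm.vulnerability_reduction)  # never below 1
        before, after = risk_value(f, t, v_before), risk_value(f, t, v_after)
        out.append((cm.name, before, after, before - after, (before - after) / cm.cost_k_usd))
    return sorted(out, key=lambda r: -r[4])

# Constructed sample worksheet (hypothetical facilities, not real sites).
A, B, C = "Substation A", "Plant B", "Control center C"
FACILITIES = [Facility(A, 5, 5, 3, redundancy=2),
              Facility(B, 3, 3, 2, redundancy=4),
              Facility(C, 5, 5, 4, redundancy=3)]
THREATS = [Threat("vandalism", 4), Threat("insider sabotage", 2),
           Threat("cyber intrusion", 3), Threat("severe weather", 4)]
VULNERABILITIES = {  # (facility, threat) -> exposure 1..5
    (A, "vandalism"): 4, (A, "insider sabotage"): 2, (A, "cyber intrusion"): 2, (A, "severe weather"): 3,
    (B, "vandalism"): 3, (B, "insider sabotage"): 3, (B, "cyber intrusion"): 3, (B, "severe weather"): 4,
    (C, "vandalism"): 1, (C, "insider sabotage"): 3, (C, "cyber intrusion"): 4, (C, "severe weather"): 2,
}
COUNTERMEASURES = [
    Countermeasure("Perimeter fencing and lighting", A, "vandalism", 2, 150.0),
    Countermeasure("Remote-access MFA and network segmentation", C, "cyber intrusion", 2, 80.0),
    Countermeasure("Spare transformer program", A, "severe weather", 1, 400.0),
]

def example_ranking():
    return rank_risks(FACILITIES, THREATS, VULNERABILITIES)

def example_countermeasures():
    return evaluate_countermeasures(FACILITIES, THREATS, VULNERABILITIES, COUNTERMEASURES)

if __name__ == "__main__":
    for name, threat, risk in example_ranking():
        print(f"{risk:4d}  {name:18s} {threat}")
    for name, before, after, cut, per_k in example_countermeasures():
        print(f"{per_k:5.2f} risk pts per $1k  {name}: {before} -> {after}")
```

Two caveats a practitioner should keep in mind: the scores are ordinal, so the product is only good for ordering pairs against each other, not for reading "80" as twice as bad as "40"; and a countermeasure that adds redundancy (spares, a recovery plan) lowers the consequence term rather than the vulnerability term, which the slides' own principle about redundancy makes explicit.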
NERC Threat Response Guideline
Threat Response Guideline
- Purpose
- Ensures that companies provide enhanced security in response to threat advisories from
- Department of Homeland Security
- NERC Threat Notices (ESISAC)
- State Agencies
- DHS / IAIP
- D.O.T. (Combination Utilities)
Applicability
- Plans, policies and procedures which contribute to the protection of company CRITICAL FACILITIES
- NERC response guidance is consistent with the Homeland Security Advisory System
- Describes elements for consideration based on threat levels
- Addresses physical and cyber security threats
Homeland Security Advisory System
- Purpose
- Provides a comprehensive and effective means to disseminate information regarding the risk of terrorist or criminal attacks.
- Five (5) levels intended to characterize appropriate levels of
- Vigilance
- Preparedness
- Response
Homeland Security Advisory System
- SEVERE: Severe risk of terrorist attacks
- HIGH: High risk of terrorist attacks
- ELEVATED: Significant risk of terrorist attacks
- GUARDED: General risk of terrorist attacks
- LOW: Low risk of terrorist attacks
Source: Office of Homeland Security
NERC Physical Security
Physical Security Guideline
- Purpose
- Mitigates the threat through the implementation of physical security measures to
- Safeguard personnel
- Prevent unauthorized access to critical equipment, systems, materials and information at CRITICAL FACILITIES
- Applicability
- Critical equipment, systems, material and information at CRITICAL FACILITIES.
Implementation Considerations: Best Practices
- Implement a program and plan based on a SYSTEMS APPROACH of
- Deterrence
- Detection
- Assessment and Communications
- Delay and Response
- Implement a security awareness program for employees
- Priority Number 1
- Observe and Report
Best Practices, cont.
- Awareness of the environment
- Heightened VIGILANCE
- Limiting access to CRITICAL FACILITIES through applied technologies
- Requesting law enforcement patrols during periods of heightened threat
Recommendation
- Develop a security plan reflecting changes in THREAT LEVEL
- Employ strategies of deterrence
- Lighting
- Signage
- CCTV
- Patrols
Elements of Physical Security
- Deter: signs, patrols, lighting, fencing
- Detect: sensors, patrols, door alarms
- Assess and communicate: cameras, central alarm station monitoring
- Delay and respond: barriers, security officers, police
Physical Security Goals
- Employee safety.
- Litigation avoidance.
- Prevention or deterrence against intentional disruption to the system.
- Reduction of theft.
NERC Emergency Plans Guideline
Emergency Plans Guideline
- Purpose
- Ensures the company is prepared to respond to the Spectrum of Threats (Physical and Cyber)
- Trespassing
- Vandalism
- Civil disruptions
- Sabotage
- Acts of terror
- Cyber incidents
Applicability
- Company defined CRITICAL FACILITIES
- Focused on responding to incidents
- Priority: restoration and recovery of THE SYSTEM
Implementation Considerations: Best Practices
The Plan
- Flexible
- Update annually
- Update after an incident
- Identify lessons learned
- What went right
- What can be improved
- Key responders are identified with specific tasks and duties
Best Practices: The Plan, continued
- Designate Emergency Management Team
- Operations and Maintenance
- Communications
- Logistics
- I.T.
- Security/Facilities/Safety
- Media relations coordinator
- Annual orientation for key responders
- Annual TABLE TOP exercise, scenario driven
Best Practices: The Plan, continued
- After actual employment of the plan or after TABLE TOP exercises
- Perform a LESSONS LEARNED
- Modify the plan based on LESSONS LEARNED
- Identify an alternative reporting location for key responders
- Identify priorities for emergency response
- Protecting life
- Restoring services
Recommendation
- Develop the security response plan and attach it as a separate annex to the WEATHER/STORM response plan
- Assure consistency with NERC physical and cyber threat alert levels
- Build on experiences in protecting critical infrastructure
- Gulf War
- Y2K
- 9-11
Integrate Physical Security into the Plant's and Company's Overall Emergency Risk Management Planning Program
The Four Phases of Emergency Risk Management (all risks and hazards)
- Mitigation
- Preparedness
- Response
- Recovery
Phases of Emergency Risk Management
- Mitigation (long-term): Eliminate or reduce the chance of occurrence or the effects of a risk.
- Preparedness (to respond): Planning how to respond in case a disaster occurs and how to ensure the right resources are available to respond effectively.
- Response (to disaster): Planned or unplanned activities designed to provide emergency assistance to victims of the disaster and reduce the likelihood of further damage.
- Recovery (short and long-term): Efforts to return the environment/victims to normal, or near normal, status.
Implementation Strategy (I)
- Overall, The Plan does not need to be detailed but is supported by detailed
- System restoration plans
- I.T. recovery plans
- Life safety plans
- Business unit continuity plans
- Plan should include elements of
- Operations
- Communications
- Facilities
- I.T.
- Financial support
- Plan exercised and updated annually
Implementation Strategy (II)
- Develop a Critical Incident Response Team (C.I.R.T.)
- "SWAT team" to respond to
- Explosions
- Fires
- Workplace violence
- Team make-up
- H.R.
- Legal
- Communications
- Security
- Safety
- Business unit representative
Implementation Strategy (II), cont.
- Mission: deal with the incident until the business unit recovery plan is implemented
- CIRT is the single point-of-contact
- Emergency Operations Center (E.O.C.)
- Security operations center: focal point to monitor the incident
Implementation Strategy: Mutual Assistance Agreements for Security Incidents
- Coordinated with
- Local law enforcement
- State emergency preparedness offices
- Security plan topics
- Bomb threats
- Fire/Explosions
- Chemical spills
- Facility evacuations
Implementation Strategy: Mutual Assistance Agreements for Security Incidents, cont.
- Recommend liaison with law enforcement
- Critical facility tours
- Information/plan exchange
- Mutual training opportunities
- Facility availability
- Attachments
- Notification telephone tree
- Critical customer information
- Equipment checklists
- Emergency equipment suppliers
REPORT INCIDENTS TO
- LOCAL LAW ENFORCEMENT (establish and maintain relationship)
- LOCAL FBI (establish and maintain relationship)
- DHS / IAIP (IAW Program: use InfraGard, CIPIS, nipc.watch_at_fbi.gov, 202-323-3204, -3205, -3206, 888-585-9078)
- Electricity Sector Information Sharing and Analysis Center (CIPIS, esisac_at_nerc.com, 609-452-8060 day, 609-452-1422 anytime)
Source: NERC
NERC Continuity of Business Processes
Continuity of Business Processes
- Purpose
- Reduces the impact of interruptions to critical systems and ensures resumption of business and operations in a short time.
- Applicability
- Facilities and functions considered critical to the overall operation of the company.
- World Trade Center disaster
- Underscores the need
- Many applicable lessons learned
Summary of Plan Differences
- Business Continuity Plan (BCP)
- To recover mission critical business services and processes
- Limited scenarios
- Focus on technology facilities and/or data
- Crisis Management Plan (CMP)
- To limit intensity, manage and control negative results of an event
- Many scenarios
- Focus on people, products, services and reputation
Implementation Considerations: The Plan
- Comprehensive tool with all critical functions having separate plans (annexes)
- Business recovery should be the basis
- Updated and exercised annually
- LESSONS LEARNED conducted after each exercise and incident
Implementation Considerations: The Plan, cont.
- Prioritize restoration of functions
- Business systems (accounts payable and receivable, payroll, financial transactions)
- Assure I.T. assets are available to meet a minimal level of operations
- Identify vulnerabilities in I.T. and business systems
Implementation Considerations: The Plan, cont.
- Identify alternate facilities if the headquarters building is lost; essential:
- Distance from headquarters
- Controlled by company
Plan Reality Check
- Plan design: worst case scenario
- Usually one to three scenarios
- Recovery scenarios
- Facility losses (no access to a facility or related services)
- Technology losses (no access to systems, equipment, information/data or services)
Recommendation
- Develop internally
- Contract for external assessment
- Functionally exercise a portion of the plan
- Evaluation should be independent
- Annual exercise
- Document lessons learned
NERC Communications
Communications Guidelines
- Purpose
- To establish effective liaison relationships with local offices of federal, regional, and local law enforcement where critical facilities are located
- To promptly report security incidents
- To develop an INTERNAL THREAT WARNING system
- Applicability
- Applies to facilities and functions that are considered critical.
Implementation Considerations: Best Practices
- All contact telephone numbers should be placed in the EMERGENCY RESPONSE PLAN
- Staff should be trained on what is to be reported and to what organization (Sheriff, FBI)
- A single staff organization should make ALL external notifications
- Provide a familiarization tour of critical sites to law enforcement agencies; explain The System
Best Practices, continued
- Key officials and responders should be issued Emergency Responder wallet cards containing contact information for
- Sheriff's Department
- Local FBI
- National Infrastructure Protection Center / FBI
- Information Sharing and Analysis Center / NERC
- Company responders
- State Emergency Operations Center
Best Practices, continued
- Annually review all emergency incident response plans to assure responders are aware of plan changes
- Modify the Weather Response Plan by adding a Security Incident Annex
- Cyber
- Physical
Sample Wallet Card, Front (image not reproduced)
Sample Wallet Card, Back (image not reproduced)
REPORT INCIDENTS TO
- Same contact list as in the Emergency Plans section: Local Law Enforcement, Local FBI, DHS / IAIP (IAW Program), and the Electricity Sector Information Sharing and Analysis Center (ESISAC)
Source: NERC
NERC Employment Background Screening
Employment Background Screening
- Purpose
- Contributes to mitigating the INSIDER threat by assuring only trustworthy and reliable personnel have unescorted access to critical facilities
- May prevent or deter
- Regulatory issues
- Negligent hiring
- Theft
- Drug use
Applicability
- Regulated programs
- D.O.T. gas
- Commercial driver's license (CDL) programs
- Employees, contractors and vendors with unescorted access to company defined Critical Facilities
Implementation Considerations: Best Practices
- Program must adhere to all Federal and State laws
- Use a comprehensive employment application form
- Publish Disqualification Criteria
- Subcontract investigative services
Recommendation
- At a minimum, a program should consist of the following elements
- Verification of Social Security Number
- Local level criminal history check (county of residence)
- Employment checks
- Motor vehicle license information
- Drug screen
- Verification of highest level of education or professional certification
NERC Protecting Potentially Sensitive Information
Protecting Potentially Sensitive Information
- Purpose
- Ensure that potentially sensitive information regarding critical infrastructure is properly protected
Applicability
- Information, both physical and electronic, defined by the company as SENSITIVE
- Critical infrastructure targets
- Personnel information
- Security measures
- Operational vulnerabilities
- Details on critical operating facilities and systems
Implementation Considerations: Best Practices
- Apply the Need-to-Know principle on access to sensitive information
- Develop a policy defining the protection strategies
- Assess the life-cycle of information in your company (physical and cyber)
- Production
- Storage
- Transmission
- Destruction
Recommendation
- Question governmental organizations when they request Sensitive Information; obtain assurance of confidentiality
- Designate a single person responsible for reviewing requests for Sensitive Information
Implementation Strategy: Protecting Sensitive Company Operating System Information
- Companies should ensure that there are procedures in place to preclude the release of sensitive information to
- Regulatory agencies pursuant to their authority: request that confidentiality of data be maintained
- Legitimate business enterprises: request a non-disclosure agreement
- Corporate websites and publications: periodically assess for sensitive information
TERRORISTS WILL USE YOUR COMPANY'S PUBLIC INFORMATION IN THE INTELLIGENCE GATHERING STAGE OF A TARGET ASSESSMENT!
NERC Cyber Security
Cyber Security Guidelines
- Purpose
- Identify, assess and mitigate cyber risks to computing infrastructures using five (5) guidelines
- Risk Management
- Access Control
- I.T. Firewall
- Intrusion Detection
- Process Control Systems Security
Applicability
- Any company that owns information systems and services that support the electric infrastructure.
Implementation Considerations
- Develop and implement a CYBER/I.T. SECURITY PLAN which addresses
- Risk Management
- Access Control
- I.T. Firewalls
- Intrusion Detection
- Process Control Systems
- Review and test the plan annually.
Recommendation
- Applicable across the entire company
- Business Operations
- System Control
- Personnel Data
- Implement business continuity plans
NERC Threat and Incident Reporting
- Purpose
- Promote timely and actionable response to security threats and incidents
- Why Report
- Prevent or mitigate the consequences of an attack
- Minimize negative impact on the company
- Repair costs
- Revenues
- Productivity
- Public trust
- The Audience / User
- Law Enforcement
- Government Agencies and Regulations
- ESISAC
- Reliability
- What Should Be Reported
- Date, time and location of incident
- Description of incident
- Cause (if known)
- Law enforcement involvement
- NERC-DHS Indications, Analysis, Warnings (IAW) Program
NERC Securing Remote Access to Electronic Control and Protection Systems
- What Systems?
- Those systems used to regulate physical processes, including but not limited to electronic protective relays, substation automation and control systems, power plant control systems, energy management systems (EMS), supervisory control and data acquisition (SCADA), and programmable logic controllers (PLC).
- Purpose
- Realistic security
- Definition of Remote Access
- Recommended steps