Cyber Threats and Cyber Realities

Cybersecurity and the Electric Grid
Fun with the EO, PD, DHS, NIST, NERC, ESCC, ES-ISAC, DOE, and FERC
Roger Williams University
Jonathan Schneider
June 18, 2013
Background

• Evidence of the nation’s cyber vulnerability has increased geometrically over the past five years.
• The Mandiant report of the concerted effort apparently mounted by China’s military is only the latest installment.
• High-profile incidents pointing to destructive potential include:
  • Shamoon attack on Saudi Aramco disabled 30,000 computers
  • 23 attacks on US pipeline systems in 2012
  • Dozens of attacks on financial institutions in 2012 (DHS report)
  • 82 intrusions that targeted energy companies in the 6 months preceding October 2012 (DHS report)
  • Major denial of service attack successfully brought down internet service to Jacksonville Electric Authority (LPPC member) last week
• Soviet invasion of Georgia: potential for full-out cyber warfare demonstrated
• Former Secretary of Defense Leon Panetta warned of the potential for a cyber 9/11
Department of Homeland Security – Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

• 10/2012 Report – Energy sector has been a focal point
  • 40% of all cyber attacks in 2012
Framework for Understanding Cyber Vulnerabilities

• Attack Vectors
  • Internet access
  • Inserted malware (Stuxnet and reverse-engineered versions)
  • Internal exposure
• Electric Sector Vulnerabilities
  • Operations/Control Systems
    • Idaho Labs Aurora Test – Industry wake-up call
    • Telvent (SCADA systems)
  • Communications and Information Systems
    • Communications: JEA Denial of Internet Service
    • Theft (proprietary data – Nortel, banking)
Legislative Gridlock

• At least a half-dozen bills introduced in Congress over the past five years, and dozens of amendments
• Most legislative activity targeted the energy industry
  • Ironically, the energy industry may be better protected through NERC standards than any other sector
• Focus now encompasses other major economic, physical infrastructure and manufacturing sectors.
• Electric Industry Supported:
  • Information Sharing – Govt. to Industry
  • Emergency Directives
  • Liability Protection
• Electric Industry Opposed:
  • Disruption of Industry-based (NERC) Standards Development Process
Legislative Gridlock – White House Response

• White House stepped into the breach on February 12, 2013 with its Executive Order
• Executive Order sets up a broad program:
  • Information sharing by federal agencies with owners of critical assets
  • Creation of a “voluntary framework” for managing cyber vulnerabilities
Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards

• What is NERC? The Energy Policy Act of 2005 authorized FERC to certify and oversee an Electric Reliability Organization (ERO)
  • FERC certified NERC – Mission: develop and enforce reliability standards governing the electric grid
• By June 2007, NERC had implemented mandatory, enforceable standards governing the ‘Bulk Electric System’
  • BES – Generally defined as transmission operated at 100 kV and above
  • Distribution is excluded by Federal Power Act Section 215 (Think NYC)
• Standards: (1) Communications; (2) Critical Infrastructure; (3) Emergency Preparedness; (4) Facilities Design; (5) Interchange Coordination; (6) Modeling; (7) Protection and Control; (8) System Balancing; (9) Transmission Operations; (10) Transmission Planning; (11) Voltage and Reactive Control
Existing Protection: Critical Infrastructure Protection (“CIP”) under North American Electric Reliability Corporation (NERC) Standards

NERC’s Suite of CIP Standards
• CIP-001 – Sabotage Reporting
• CIP-002-3 – Critical Cyber Asset Identification
  • Risk-based identification of ‘critical assets’ (control centers, transmission, generation) and identification of the associated critical cyber assets key to operation of those Critical Assets.
  • CIP Version 5 (leap-frogs Version 4 per April 18, 2013 FERC Order):
    • Calls for the identification and risk-based ranking of “BES Cyber Assets”
    • Cyber assets are those that “if rendered unavailable, degraded or misused would, within 15 minutes of required operation … adversely impact one or more facilities … which if … unavailable, would affect the reliable operation of the Bulk Electric System.”
Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards

• CIP-003-3 – Security Management Controls
  • Utilities must maintain/implement/document a cybersecurity policy addressing the requirements of CIP-002 through CIP-009
• CIP-004-3 – Personnel & Training
• CIP-005-3 – Electronic Security Perimeters
  • All critical cyber assets must reside within an “electronic security perimeter” (secure access)
  • Includes externally connected (remote) access
Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards

• CIP-006-3 – Physical Security of Critical Cyber Assets
  • All critical cyber assets must reside behind a “six-wall” border
• CIP-007-3 – Systems Security Management
  • Manage security of new cyber assets and changes
  • Security Patch Management
  • Malicious Software Prevention
  • Account management (authorized access)
  • Security status monitoring
• CIP-008-3 – Incident Reporting and Response Planning
  • Reporting to NERC’s ES-ISAC (Electric Sector Information Sharing and Analysis Center)
• CIP-009-3 – Recovery Plans for Critical Cyber Assets
  • Responsible entities must devise, document, implement and test (full operational exercise) recovery plans.
Existing Protection – DOE’s Cybersecurity Capability Maturity Model (ES-C2M2) (May 2012)

Ten Core Domains (Competencies):
(1) Risk Management;
(2) Asset, Change, and Configuration Management;
(3) Identity and Access Management;
(4) Threat and Vulnerability Management;
(5) Situational Awareness;
(6) Information Sharing and Communications;
(7) Event and Incident Response, Continuity of Operations;
(8) Supply Chain and External Dependencies Management;
(9) Workforce Management; and
(10) Cybersecurity Program Management

Levels of Accomplishment: (1) Initiation; (2) a certain degree of performance, including program documentation, stakeholder involvement, resource commitment and reliance on standards or guidelines; and (3) a fully managed program
Other Mandatory Rules

Nuclear Regulatory Commission
• Regulations
  • Critical digital asset identification
  • Requires cybersecurity protective strategy
• NRC Guidance:
  • Best Practices (NIST)
  • International Society of Automation
  • Institute of Electrical and Electronics Engineers
  • DHS
2/12/13 Executive Order: “Improving Critical Infrastructure Cybersecurity”

Headline News: Without legislation, the White House has directed the Secretary of Homeland Security, the Attorney General, DOD, and NIST (National Institute of Standards and Technology) to implement a broad program ensuring:
• Information sharing by governmental agencies with the private sector regarding cyber threats
• The identification of Critical Infrastructure at risk
• The creation of a “voluntary” Critical Infrastructure Cybersecurity baseline program by NIST
Application to Industries and Responsible Sector-Specific Agencies

• Chemical: Department of Homeland Security
• Commercial Facilities: Department of Homeland Security
• Communications: Department of Homeland Security
• Critical Manufacturing: Department of Homeland Security
• Dams: Department of Homeland Security
• Defense Industrial Base: Department of Defense
• Emergency Services: Department of Homeland Security
• Energy: Department of Energy
• Financial Services: Department of the Treasury
• Food and Agriculture: U.S. Department of Agriculture and Department of Health and Human Services
• Government Facilities: Department of Homeland Security and General Services Administration
• Healthcare and Public Health: Department of Health and Human Services
• Information Technology: Department of Homeland Security
• Nuclear Reactors, Materials, and Waste: Department of Homeland Security
• Transportation Systems: Department of Homeland Security and Department of Transportation
• Water and Wastewater Systems: Environmental Protection Agency
What is Critical Infrastructure?

• Executive Order: Critical Infrastructure “means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
• Identification of Assets:
  • Within 150 days of the date of this order (mid-July 2013), the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
    • Components of electrical distribution systems almost surely implicated, broadening NERC’s BES focus
  • A “consultative process” will be used by the Secretary of Homeland Security to identify critical infrastructure. Owners and operators will be included, along with sector-specific agencies, independent agencies and local governments.
2/12/13 Executive Order: Cybersecurity Information Sharing

• Within 6 months (mid-August 2013), instructions will be issued by the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence ensuring the timely production of unclassified reports of cyber threats to identified targets.
• Classified reports will be made available to critical infrastructure owners and to critical infrastructure entities authorized to receive them.
• Within 6 months, the Sec’y of Homeland Security, in collaboration with the Sec’y of Defense, will establish procedures to expand the “Enhanced Cybersecurity Services” program to provide classified cyber threat and technical information to eligible critical infrastructure asset companies and service providers that offer security services to critical infrastructure.
2/12/13 Executive Order: “Improving Critical Infrastructure Cybersecurity”

Cybersecurity Baseline Program (“The Framework”)
• To be created by NIST in order to establish a baseline set of guidelines and objectives for critical infrastructure owners to follow in order to guard against cyber threats.
• Preliminary Framework will be published within 8 months (October 2013) and finalized in one year (February 2014)
• Industry input was filed April 8, 2013.
NIST Cybersecurity Baseline Program (“The Framework”)

Goals of The Framework (from draft RFI):
• “(i) to identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities;
• (ii) to specify high-priority gaps for which new or revised standards are needed; and
• (iii) to collaboratively develop action plans by which these gaps can be addressed.”
NIST Framework – Expected Elements (Draft RFI)

• A consultative process to assess the cybersecurity-related risks to organizational missions and business functions;
• A menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats and protect privacy and civil liberties;
• A consultative process to identify the security controls that would adequately address risks that have been assessed and to protect data and information being processed, stored, and transmitted by organizational information systems;
• Metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate, and available processes that can be used to facilitate continuous improvement in such controls;
• A comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide senior leaders/executives with the kinds of necessary information sets that help them to make ongoing risk-based decisions;
• A menu of privacy controls necessary to protect privacy and civil liberties.
Electric Industry Input

• NERC Standards should be rolled into the Framework, not contradicted.
• Framework should be consistent with DOE’s ES-C2M2
  • Must be flexible and process-oriented in order to apply across sectors, and allow entities to respond flexibly to emerging threats.
Managing the “Voluntary” Framework

• Secretary of Homeland Security, in coordination with Sector-Specific Agencies, will notify owners/operators of designated critical infrastructure confidentially. Reconsideration possible.
• Sector-specific agencies will report annually to the President (through the Secretary of Homeland Security) whether critical infrastructure owners/operators are participating in the Framework.
• Incentives for compliance discussed, but not yet developed
What May Owners/Operators of Critical Infrastructure Do and What Must They Do?

CI Owners may:
• Participate in determination of Critical Infrastructure through the consultative process
• Participate in development of the cybersecurity baseline framework

CI owners must:
• Determine whether to participate in the baseline framework
• Weigh risks of non-compliance
  • Potential liability in not meeting benchmark
  • Possible disclosure issue

CI owners must consider good cyber “hygiene” to be a good business practice:
• Organization and Planning
• Internal Standards and Systems
  • Link to alert systems (ICS-CERT, ES-ISAC, Cross-Sector Cyber Working Group)
  • Physical and electronic walls, passcodes, electronic access rules
  • Consider link between business and operational control systems
  • Management of Remote Access
• Procurement Practices (vendor exposure)
• Personnel and Internal Policies