Recommendations for Improving Information Sharing


Electricity Sector Information Sharing Task Force

May 2013

3353 Peachtree Road NE Suite 600, North Tower Atlanta, GA 30326

404-446-2560 | www.nerc.com

Table of Contents

Executive Summary ........................................ 3
Introduction .............................................. 4
    Background ............................................ 4
Scope of Work ............................................. 5
Review of Current Communication Process ................... 6
    Information Handling .................................. 6
Roles and Responsibilities ................................ 8
    ES-ISAC ............................................... 8
    Industry .............................................. 8
        Mandatory Incident Reporting ...................... 8
        Voluntary Incident Reporting ...................... 9
    Relationship between Industry and ES-ISAC ............. 9
Recommendations ........................................... 10
Recognition of Task Force Members ......................... 12
Acronyms and Definitions .................................. 13
Appendix A: Executive Order – Improving Critical Infrastructure Cybersecurity ... 14
Appendix B: Presidential Policy Directive (PPD-21) ........ 20
Appendix C: Letter from Patricia Hoffman .................. 30
Appendix D: ES-ISTF Charter ............................... 33
Appendix E: ES-ISAC Information Sharing Clarification ..... 36
Appendix F: NERC Policy on ES-ISAC Role ................... 40

NERC | Recommendations for Improving Information Sharing| May 2013 2 of 41

Executive Summary

The electricity sector remains susceptible to physical and cyber attacks. Mechanisms for timely and actionable information sharing between industry and the government are an essential component of the security and protection of critical infrastructure, including the bulk power system. The North American Electric Reliability Corporation (NERC) GridEx 2011—the first sector-wide grid exercise—uncovered gaps in vertical information sharing from the electricity sector to NERC’s Electricity Sector Information Sharing and Analysis Center (ES-ISAC) and government agencies; these gaps were caused by concerns about compliance implications. Exercise observers and participants also observed that the ES-ISAC was underutilized as the hub for information sharing and reporting. The Electricity Sector Information Sharing Task Force (ES-ISTF) was chartered by the Critical Infrastructure Protection Committee (CIPC) to examine the existing communication structure, provide recommendations, facilitate outreach to industry, and create a report that clarifies the requirements needed to establish effective information sharing within the electricity sector. The ES-ISTF identified the scope, structure, and participants necessary for effective industry-wide information sharing. Federal, state, local, tribal, and territorial entities have their own requirements and protocols for reporting. While certain reporting requirements have compliance implications, others are intended to protect critical infrastructure across North America. The ES-ISTF’s recommendations are:

1. Cultivate a trusting information-sharing environment.
2. Promote recognition of the ES-ISAC’s role as the central hub for the electricity sector to share physical and cyber threat information.
3. Reduce reporting complexity and redundancy.
4. Implement technology to encourage unattributed information sharing.
5. Improve information aggregation and collaborative analysis at the ES-ISAC.

These recommendations, if adopted, will establish the ES-ISAC as the trusted center of centralized electricity sector information sharing. The ES-ISTF’s recommendations also align with President Obama’s Executive Order Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21 (PPD-21)—both of which seek to improve information sharing between public and private sources. Patricia Hoffman, Department of Energy (DOE) assistant secretary, recently sent a letter to Gerry Cauley, the president and CEO of NERC, supporting ES-ISAC’s role and mission. Copies of the Executive Order, PPD-21, and Hoffman’s letter are represented in the appendices.


Introduction

NERC conducted the first sector-wide grid security exercise, GridEx 2011, on November 16–17, 2011. One of the key findings detailed in the GridEx 2011 After-Action Report is: significant horizontal communication occurs across industry, but vertical information sharing to NERC and government agencies is limited due to concerns about compliance implications. While entities relied on the ES-ISAC as the hub for information sharing and reporting, improved reporting guidance, as it relates to NERC Situation Awareness (SA) and the ES-ISAC, could promote more information sharing. NERC will coordinate guidance and outreach strategies that further enable NERC to create the secure and trusted environment necessary for information sharing. The ES-ISTF should examine the existing communication structure and other factors affecting information sharing, provide recommendations for improvement, and facilitate outreach to industry to enable bidirectional information sharing.[1]

Background

GridEx 2011 provided an opportunity for the electricity sector to test crisis response plans and evaluate current readiness for a cyber incident. The exercise also served as an opportunity to enhance collaboration and strengthen industry security processes and capabilities. Information sharing and reporting to the ES-ISAC and relevant government agencies did not occur as frequently or comprehensively as communications between industry participants. For instance, several entities reported substation break-ins and potential cyber sabotage to the Federal Bureau of Investigation (FBI) but not to the ES-ISAC. Despite NERC’s assurance that reported information would not be used for compliance purposes, several entities expressed hesitation in sharing sensitive information about compromised critical cyber infrastructure. NERC subsequently took steps to clarify the difference between compliance and ES-ISAC functions. NERC created a dedicated ES-ISAC division, appointed a chief cybersecurity officer accountable to the NERC Board of Trustees (Board), and approved a policy that established a protected communications corridor between the industry and the ES-ISAC.[2]

[1] See Appendix D — ES-ISTF Charter for further details.

[2] See Appendices E and F for further details on the ES-ISAC Information Sharing Clarification and the NERC policy on the role of the ES-ISAC dated March 8, 2013.

Scope of Work

With the goal of protecting the critical cyber infrastructure, the ES-ISTF recommends enhancements for physical security, cybersecurity, and incident response information sharing at industry, federal, state, local, tribal, and territorial levels. The task force also offers related recommendations in support of the overall information-sharing environment. ES-ISTF’s proposed recommendations build on practices and tools that are already in place.


Review of Current Communication Process

The ES-ISTF studied the present communication process (horizontal, vertical, and bi-directional) between industry, government, and the ES-ISAC. The ES-ISTF also reviewed NERC standards with specific reporting requirements to examine the communication process with respect to methods, tools, forms, and structures. This high-level review was not meant to disclose every possible communication flow; rather, through significant analysis, the task force was able to grasp the magnitude of the existing issues. It determined that the present process is complex, burdensome, and inefficient. See Figure 1 for a graphical representation of the existing information flows; note the directional flows indicated by the arrows.

Information Handling

Industry participants who engage in information sharing through the ES-ISAC expect that their company information will be treated as confidential and be properly handled by well-trained personnel. While applying a comprehensive information assurance and management policy consistent with industry requirements, ES-ISAC analysts should thoroughly understand the current threat environment and have the ability to adapt to changing threats. Along with the development and implementation of effective data-handling policies, ES-ISAC staffing requirements should include a baseline security clearance posture so that staff can handle both the information-sharing and the analytic aspects of their work. All, or a substantial portion of, ES-ISAC staff should hold the requisite security clearances to accomplish their sector coordination role with the other 17 sectors. Proper and rapid information sharing, which may involve classified and commercially protected information, Critical Energy Infrastructure Information, and other sensitive information, is urgent and essential to national security and resilience. This has been reflected in prior National Infrastructure Advisory Council and other authoritative blue-ribbon panel recommendations. Additional clearances may be vitally important at selected locations and levels throughout the sector. ES-ISAC staff clearances would accommodate full information access and collaboration at the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center and other government threat-community fusion cell organizations, which is likely to be a primary success factor in delivering rapid sector mitigation in the face of challenging advanced and persistent threats. In addition to comprehensive ES-ISAC staff clearances, selected industry personnel should also be cleared.
All personnel involved in security functions related to the ES-ISAC must have suitable background checks and be managed within appropriate workforce security policies consistent with existing Critical Infrastructure Protection compliance requirements. Finally, all communication and analytic technology that supports information sharing should be subject to the appropriate policies on information management and assurance. In instances where sensitive data from government and fusion centers is involved, all applicable existing policies governing the management of classified data should apply. These systems should also afford suitable data protection consistent with industry, commercial, proprietary, and market concerns, rules, and regulations.

The industry struggles to make correlations between information received from various information sources. Some examples of these information sources include:

- NERC Standards Announcements
- NERC Alerts
- NERC Standards Interpretation Requests
- DHS For Official Use Only
- DOE Sector Specific Agency Information
- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Alerts
- United States Computer Emergency Readiness Team (US-CERT) Alerts
- ES-ISAC Notices
- Vendor Notices
- National Lab Research

Due to various requirements, industry must report the same or similar information to the sources listed above. Having so many reporting and information sources results in duplicative information, and important information can be overlooked. The industry needs a central hub for reporting suspicious physical and cyber-related events. Consolidated reporting will greatly enhance the analysis and detection of emerging threats. ES-ISAC analysts correlate reported information from industry and various organizations’ alerts to provide mitigation strategies for the protection of the Bulk Power System. The analysts store alert information in a repository that is indexed and searchable by industry participants. The ES-ISAC should use multiple methods to alert industry when information in the repository is added or updated. Where possible, ES-ISAC analysts should extract actionable indicators of compromise from available information to support analysis and increase awareness among sector participants. The security of industry-provided information must be considered; should information nonetheless be leaked, or a breach occur because of leaked data, the ES-ISAC should have a process in place to mitigate the consequences.

Figure 1: Existing Communication Process


Roles and Responsibilities

Effective information sharing requires that roles and responsibilities be clearly defined among all participants, which enables the effective flow of information with the proper safeguards. The ES-ISTF identified the following roles and responsibilities:

- The ES-ISAC is responsible for analyzing, processing, and distributing information.
- Industry is responsible for mandatory and voluntary incident reporting.
- Industry and the ES-ISAC must work together to establish mutual trust.

This section addresses the clear definitions of roles and responsibilities, building of trust, classification of data, and mechanisms for sharing and dissemination of information.

ES-ISAC

The current complex and redundant reporting process could be greatly improved by strategically consolidating information flows through the ES-ISAC. The ES-ISAC, which plays a vital role in analyzing, processing, and distributing information, must address these complexities and assist in streamlining the reporting process. The ES-ISAC assists industry in sharing information, providing timely alerts, and delivering actionable information back to the industry in a collaborative environment. The ES-ISTF recommends that the following duties be the ES-ISAC’s responsibility when supporting industry reporting information:

- Prior to distribution, remove information that identifies a reporting organization.
- Make certain that data distributed to industry supports the use of automated processing systems used by industry.
- Maintain an information repository that is continuously updated with new threat information.
- Ensure separation between the ES-ISAC and NERC’s Compliance and Monitoring Enforcement Program (CMEP).

Industry

Mandatory Incident Reporting

Mandatory incident reporting applies to information that must be reported according to the guidance and regulations placed on industry participants by authoritative organizations. Rather than industry reaching out to multiple organizations with the same information but different reporting tools, the ES-ISAC must be responsible for coordinating information flows with all necessary entities. The guidance below for industry when reporting mandatory information to the ES-ISAC will ensure appropriate information handling and distribution. Industry must understand that mandatory incident reporting to regulators must still occur even if the ES-ISAC portal is not accessible.

- Make mandatory reporting forms available through a central web portal to allow industry to easily select and submit forms directly to the necessary reporting organizations.
- Generate the mandatory reports from the data submitted to the ES-ISAC without requiring redundant data entry.
- Clearly list recipients of mandatory reporting forms so industry can ensure the appropriate parties are notified.
- Generate a confirmation of receipt, or of failure, of the mandatory reports reaching the intended recipient(s).
- Ensure the Asset Owner and Operator (AOO) web portal maintains a high degree of availability.
- Analyze received information and distribute it to industry in accordance with predefined timelines.
- Industry must accept that the information submitted to the ES-ISAC may be distributed in an anonymous manner to other industry participants who use the ES-ISAC portal.
- Industry participants using the ES-ISAC portal as a centralized reporting tool are responsible for ensuring all recipients are correctly listed as recipients of the mandatory information.
- Industry participants using the ES-ISAC portal are responsible for collecting and retaining the receipt of information transfer.

Voluntary Incident Reporting

Information that is outside the scope of regulation but is still relevant to either physical or cybersecurity falls under the realm of voluntary incident reporting. This voluntary information of either physical or cyber origin could potentially benefit the ES-ISAC in the analysis and identification of emerging threats. This interaction between industry and the ES-ISAC should occur in a timely manner to maximize the value of the shared information. Voluntary incident reporting information could consist of technical or leading indicators of compromise for an infected system or physically identifying information (e.g., photographs or video of facilities with the suspect vehicle or license plate number of a car participating in wire theft or suspicious activity). When reporting voluntary incident information to the ES-ISAC, industry must follow the guidance below to ensure appropriate information handling and distribution.

- Industry must pass information on cyber and physical security threats to the ES-ISAC as soon as operationally feasible.
- Industry must accept that the information submitted to the ES-ISAC may be distributed in an anonymous manner to other industry participants who use the ES-ISAC portal.
- Industry should include threat severity ratings on information sent to the ES-ISAC when operationally feasible.
- Industry should send voluntary information through the ES-ISAC web portal.

Relationship between Industry and ES-ISAC

The ES-ISTF reiterates the concerns presented in the GridEx 2011 After-Action Report. Trust is the basis for any successful information-sharing mechanism. If trust does not exist, no information beyond the mandated minimum will be shared. Therefore, it is essential that NERC and its ES-ISAC make every effort to eliminate the trust deficit between the ES-ISAC and industry. The ES-ISTF encourages that the following activities be conducted in the best interest of the sector:

- Develop an industry outreach program that directly addresses the trust deficit.
- Enhance the ES-ISAC’s personal communication with each industry participant.
- Use agreements between the ES-ISAC and industry participants to resolve any legal concerns.
- Establish success criteria metrics based on the ES-ISAC’s defined goals.

Recommendations

To develop the following recommendations, participants from industry, national labs, government, and academia reviewed processes and protocols and identified the steps needed to improve information sharing across the sector and with government partners. The implementation of the ES-ISTF’s recommendations is expected to be a long-term, large-scale effort for the continual improvement of information sharing within the electricity sector. Once adopted, these recommendations will enable a more comprehensive view of emerging threats, collaborative analysis, and mitigation strategies to improve the reliability and security of the BES.

1. Cultivate a trusting information-sharing environment.

In the interest of developing trusting relationships with industry, additional separation between the ES-ISAC and NERC’s CMEP should be considered. The DOE recently affirmed the importance, purpose, and direction of the ES-ISAC. Combined, these developments hold potential for increased trust between government and industry, which will result in improved vertical sharing. Additionally, industry front-line reporting is the government’s best source of early indications and warnings for any impact event. The second finding in the GridEx 2011 After-Action Report stated, “Several entities expressed hesitation in sharing sensitive information regarding compromised critical cyber infrastructure. One entity indicated it was contacting corporate legal for ‘permission’ to report to the ES-ISAC.” Possible mechanisms to ease the legal hurdle include defining the intent to communicate and the legal boundaries of such communications in advance.

2. Promote recognition of the ES-ISAC role as the electricity sector’s central hub for physical and cyber threat information sharing.

The ES-ISAC should be fully utilized as the hub of all electricity sector information on physical and cyber events. By streamlining and consolidating information sharing, the ES-ISAC will be more effective in analyzing and collaborating on emerging threats.

3. Reduce complexity and redundancy of the reporting process.

The ES-ISAC should continue to enhance its portal, self-service tools, collaborative analysis, and technical guidance products. Industry prefers one-stop reporting of timely and actionable security information. Figure 2 outlines streamlined security event collection and dissemination.

4. Implement technology to encourage unattributed information sharing.

ES-ISAC should continue to identify and implement new capabilities that will allow industry to share unattributed information. This could enhance vertical information sharing.

5. Improve information aggregation and collaborative analysis at the ES-ISAC.

The ES-ISAC should continue to expand the use of analytic tools to increase the speed of mitigation development and delivery to industry. The ES-ISTF recommends continuing to improve cross-sector information sharing with other ISACs to benefit the industry. The enhanced information sharing will result in timely and actionable information for industry and government.

Figure 2: Recommended Communication Process


Recognition of Task Force Members

The ES-ISTF was comprised of individuals representing industry, academia, national labs, state regulators, industry consultants, and branches of the U.S. government. Each member brought a unique perspective, talent, and ability to the task force and participated in an exemplary, collaborative manner. Their donations of time and company support to the assignment are greatly appreciated.

Chairman: Stephen Diebold, Kansas City Power & Light
Vice Chairman: Jerry Freese, American Electric Power

Members:
Amarnath Vangoor, Pike Enterprises Inc.
Brian Buckley, GE Hitachi Nuclear Energy
Brian Zimmet, Venable LLP
Christopher Retz, EXELON
Don McDonnell, The McDonnell Group, Inc.
Ed Goetz, EXELON
Jeffery Mauth, Pacific Northwest National Laboratory
John Breckenridge, Kansas City Power & Light
John Fridye, Ventyx – An ABB Company
John McDaniel, KEMA, Inc.
Thomas Strickland, KEMA, Inc.
Matt Dellon, Pacific Gas and Electric
Michael David, Office of the Director of National Security
Mikhail Falkovich, Public Service Enterprise Group
Paul Skare, Pacific Northwest National Laboratory
Richard Kinas, Orlando Utilities Commission
Roland Miller, NextEra Energy, Inc.
Scott Pinkerton, Argonne National Laboratory
Ted Heller, U.S. Department of Defense (NSWC DD)
Terry Nielsen, Utility Integration Solutions, Inc.
Tim Conway, Northern Indiana Public Service Company
Travis Borrini, Ameren Services
Vicki Cousino, Office of the Director of National Security
Wole Akpose, Morgan State University
John Dowd, Coalfire
John Peterson, Coalfire
Tim Roxey, NERC ES-ISAC
Orlando Stevenson, NERC ES-ISAC
Fred Hintermister, NERC ES-ISAC
Bob Canada, NERC

Acronyms and Definitions

AOO: Asset Owner and Operator
CIP-001: NERC Critical Infrastructure Protection Standard for Sabotage Reporting
CIP-008: NERC Critical Infrastructure Protection Cybersecurity Standard for Incident Reporting and Response Planning
CIPIS: Critical Infrastructure Protection Information System
DHS: Department of Homeland Security
DOE: Department of Energy
EOP-004: NERC Emergency Preparedness and Operations Standard for Disturbance Reporting
ES-ISAC: NERC Electricity Sector Information Sharing and Analysis Center
ES-ISTF: NERC Electricity Sector Information Sharing Task Force
FBI: Federal Bureau of Investigation
FEMA: Federal Emergency Management Agency
GridEx: Cybersecurity incident readiness exercise on the power grid conducted by NERC
ICS-CERT: Industrial Control Systems Cyber Emergency Response Team
NERC: North American Electric Reliability Corporation
NICC: National Cybersecurity and Communication Integration Center
NIMS: National Incident Management System
NIPP: National Infrastructure Protection Plan
NRF: Canada’s National Response Framework
NSIN: National Security Information Network
OE-417: Department of Energy emergency incident and disturbance report
PDD-21: Presidential Decision Directive 21 (issued February 13, 2013)
PDD-63: Presidential Decision Directive 63 (issued May 22, 1998)
PUC: Public Utility Commission
RCIS: Reliability Coordination Information System
RCMP: Royal Canadian Mounted Police
RE: Regional Entity
RRO: Regional Reliability Organization
SEMA: State Emergency Management Agencies
SIR: Royal Canadian Mounted Police’s Suspicious Incident Reporting system
US-CERT: United States Computer Emergency Readiness Team

Appendix A: Executive Order – Improving Critical Infrastructure Cybersecurity


Appendix B: Presidential Policy Directive (PPD-21)


Appendix C: Letter from Patricia Hoffman


Appendix D: ES-ISTF Charter


Appendix E: ES-ISAC Information Sharing Letter


Appendix F: NERC Policy on ES-ISAC Role
