WELCOME TO MEETING #3 - PEOPLE / PROCESS
WORKING GROUP 3: RELIABILITY, RESILIENCY AND CYBER SECURITY

AGENDA
Time | Agenda Item | Presenter
9:00AM - 9:10AM (10 minutes) | Meeting #2 Recap; Other Updates | WG3 Co-Leads
9:10AM - 10:10AM (60 minutes) | People / Process Presentations | NERC, EPRI, Ameren
10:10AM - 11:00AM (50 minutes) | People Discussion | WG Members, WG Co-Leads
11:00AM - 11:05AM (5 minutes) | BREAK |
11:05AM - 11:55AM (50 minutes) | Process Discussion | WG Members, WG Co-Leads
11:55AM - 12:00PM (5 minutes) | Questions; Process Discussion Items to Carry Over to Next Meeting; Next Steps; Call for Presenters | WG Co-Leads

RELIABILITY, RESILIENCY AND CYBER SECURITY
RELIABILITY: ability of the system or its components to withstand instability, uncontrolled events, cascading failures, or unanticipated loss of system components.
SECURITY: ability of a system or its components to withstand attacks, including physical and cyber incidents, on its integrity and operations.
RESILIENCY: ability of a system or its components to adapt to changing conditions and withstand and rapidly recover from disruptions.
Definitions from DOE Quadrennial Energy Review, Second Installment, Chapter IV.

PROPOSED APPROACH: TECHNOLOGY, PEOPLE, PROCESS AND REGULATION (NextGrid Illinois)

SMART GRID: A CYBER-PHYSICAL SYSTEM (TECHNOLOGY)
Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0, February 2012 (Reliability Standards).

CYBER SECURITY THREAT PREVENTION (PEOPLE)
[Slide: infographic; OCR largely illegible. Legible fragments: "Misuse has increased significantly since 2012"; "Cyberattacks are growing"; "Training"; "Monitoring and Control"; "Data Collection"; "Analysis".]

[Slide: timeline of regulatory and process milestones; OCR largely illegible. Legible fragments: "Mandated"; "Infrastructure Protection Plan"; "prescriptive"; "2004"; "Energy Subsector Coordinating Council"; "CIP-014"; "Study".]

COMPLIANCE TOPICS MATRICES
Columns: Challenges | Opportunities | Technology Solutions | Education | Potential Action Items | Regulations / Compliance
Rows: People | Process

PEOPLE / PROCESS PRESENTATIONS

BILL LAWRENCE, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
Electricity Information Sharing and Analysis Center (E-ISAC)
Bill Lawrence, Director of the E-ISAC
NextGrid Webinar, May 11, 2018

Agenda
- E-ISAC mission and vision
- E-ISAC products and services
- NextGrid process priority topics
  - Metrics (#3)
  - Harmonizing frameworks (#5)
  - Exercising, evaluation and testing (#6)
- E-ISAC points of contact

Electricity Information Sharing and Analysis Center
Mission: The E-ISAC reduces cyber and physical security risk to the electricity industry across North America by providing unique insights, leadership and collaboration.
Vision: To be a world-class, trusted source for the quality analysis and rapid sharing of electricity industry security information.

E-ISAC Products and Services
Products
- Subject matter experts for NERC Alerts
- Incident (cyber and physical) bulletins
- Weekly, monthly and annual summary reports
- Issue-specific reports
Programs and Services
- Monthly briefing series (first Tuesday of the month)
- Grid Security Conference (GridSecCon)
- Grid Exercise (GridEx)
- Cyber Risk Information Sharing Program (CRISP)
- Industry Augmentation Program (IAP)
Tools
- E-ISAC portal (www.eisac.com)
- Critical Broadcast Program (CBP) notifications
- Cyber Automated Information Sharing System (CAISS)

Metrics (#3): Address need for metrics to quantify effectiveness of interventions
- Electricity Sector Cybersecurity Capability Maturity Model (ES-C2M2)
[Figure 3: Domains graphical summary, implementation status per domain (implemented / partially implemented)]

Metrics (continued)
We:
- Can learn from other domains
- Have more data than we think
- Need less data than we think
- Can make better security and investment decisions using quantitative, probabilistic methods

Harmonizing frameworks (#5): Harmonizing framework adoption for information sharing, incident response management, and contingency planning analysis criteria
- E-ISAC Portal with dedicated user communities (www.eisac.com)
- Voluntary information sharing and required reporting
  - Cyber Automated Information Sharing System (CAISS)
  - Cyber Risk Information Sharing Program (CRISP)
  - Cross-sector and federal government partners
- Other opportunities
  - DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
  - National Guard
  - FBI field offices
  - DHS Protective Security Advisors

Exercising, evaluation and testing (#6): Prioritizing effective, regular and consistent evaluation and testing of core capabilities
- Department of Energy's regional exercise initiatives
- National Exercise Program (NLE, Cyber Storm, etc.)
- NERC's biennial GridEx (GridEx IV)

GridEx Mission Statement
GridEx is an unclassified public-private exercise designed to simulate a coordinated cyber-physical attack with operational impacts on electric and other critical infrastructures across North America, to improve security, resiliency and reliability.

GridEx IV Objectives
- Exercise incident response plans
- Expand local and regional response
- Engage critical interdependencies
- Improve communication
- Gather lessons learned
- Engage senior leadership

Exercise Components
- Move 0, Pre-Exercise Preparation (Identification, Containment): operators may participate in cyber intrusion detection activities.
- Distributed Play (2 days): utilities, E-ISAC and BPSA; Reliability Coordinators; injects and information sharing by email and phone; support from Fed, State and Prov agencies and vendors. Players across the stakeholder landscape participate from their local geographies.
- Executive Tabletop (1/2 day): facilitated discussion engages senior decision makers in reviewing distributed play and exploring policy triggers.

GridEx Participation
[Chart: GridEx Exercise Participation, active vs observing participants, GridEx 2011 through GridEx IV]

GridEx IV: Who Participated
- 6,500 Participants
- 206 Electric utilities
- 450 Organizations
- 17 Cross-sector partners
- 10 States; 2 full-scale

More information
- GridEx V is November 13-14, 2019
- GridSecCon 2018 in Las Vegas, NV, October 15-19
- E-ISAC points of contact: events@eisac.com, memberservices@eisac.com, operations@eisac.com

GALEN RASCHE, ELECTRIC POWER RESEARCH INSTITUTE
Illinois NextGrid Utility of the Future Study, WG3 Reliability, Resiliency and Cyber Security
Galen Rasche, Sr. Program Manager, Cyber Security (grasche@epri.com), May 11, 2018
(c) 2018 Electric Power Research Institute, Inc. All rights reserved.

About the Electric Power Research Institute
- Independent: objective, scientifically based results address reliability, efficiency, affordability, health, safety and the environment
- Nonprofit: chartered to serve the public benefit
- Collaborative: brings together scientists, engineers, academic researchers and industry experts

Industry Trends Impacting Cyber Security Risk
- Generation, Transmission, Distribution: real-time situational awareness; dynamic supply/demand balancing with DER (DERMS); mobile workforce; increased automation and communications
- Customer: self-generation (solar PV, storage); electric vehicles; IoT devices
- Third Parties: DER and DR aggregators
- National Security: resiliency mindset (malicious attack or natural catastrophe)

Information, Communication and Cyber Security Roadmap: https://www.epri.com/#/pages/product/000000003002011698
EPRI's Cyber Security Program: R&D for Industry
- Mitigate risks to legacy and next-generation grid systems
- Improve security with advanced network and threat management technology and practices
- Effectively evaluate security program processes
- Learn how peer utilities address their security challenges
- Leverage EPRI's industry expertise, sector knowledge and Cyber Security Research Lab to provide value ranging from thought leadership to hands-on demonstrations

IT/OT Security Convergence
- Incident Response: Integrated Security Operations Center; IDS/IPS; forensics; security data analytics
- Situational Awareness: developing near-real-time knowledge of a dynamic operating environment; Common Operating Picture
- Threat Management: OT threat intelligence use cases, methodologies and tools
- Asset and Configuration Management: technologies to improve device identification and configuration management

Threat Detection - PG&E Metcalf Substation Shooting
(Slide lanes: Telecom / Cyber Security, Physical Security, Control Center)
- 12:58-1:07 a.m.: AT&T fiber-optic telecommunications cables were cut, and Internet Service Provider network cables were cut, near Metcalf substation
- 1:31 a.m.: Surveillance camera at the substation recorded a streak of light followed by the muzzle flash of rifles and sparks from bullets hitting the fence
- 1:37 a.m.: PG&E received an alarm from motion sensors at the substation, possibly from bullets grazing the fence
- 1:41 a.m.: Sheriff's department received a 911 call about gunfire
- 1:45 a.m.: The transformers, riddled with bullet holes, leaked 52,000 gallons of oil and overheated; PG&E's control center received an equipment-failure alarm
- 1:51 a.m.: Police officers arrived but found everything quiet. Unable to get past the locked fence and seeing nothing suspicious, they left
- 3:15 a.m.: A PG&E worker arrived to survey the damage
Source: https://en.wikipedia.org/wiki/Metcalf_sniper_attack
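The timeline above is seen piecemeal by three monitoring silos (telecom, physical security, control center), and the Integrated Security Operations Center slide that follows proposes feeding them into one correlation engine. As an added example (not EPRI's code), the following Python replays the slide's timeline as constructed events and applies a simple cross-silo sliding-window rule, then measures how far ahead of the 1:45 a.m. equipment-failure alarm a correlated alert would have fired; the date, feed names, window length and silo threshold are assumptions.

```python
"""Cross-silo event correlation, illustrating the Metcalf timeline on the slide.

Added example, not EPRI's code. Events are constructed from the public timeline
on the slide; the date and feed names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    silo: str      # monitoring silo that sees the event: telecom, physical, control_center
    source: str    # hypothetical feed name within that silo
    message: str


@dataclass
class Incident:
    alert_ts: datetime        # when the cross-silo rule first fired
    first_event_ts: datetime  # earliest event pulled into the cluster
    silos: Set[str]
    events: List[Event]


# Constructed sample feed. Clock times follow the slide; the date is arbitrary.
_DAY = datetime(2013, 4, 16)
def _t(h: int, m: int) -> datetime: return _DAY.replace(hour=h, minute=m)

EVENTS = [
    Event(_t(0, 58), "telecom", "fiber_monitor", "loss of signal on fiber-optic telecom cables near substation"),
    Event(_t(1, 7), "telecom", "isp_noc", "ISP network cable cut near substation"),
    Event(_t(1, 31), "physical", "cctv", "camera recorded streak of light and muzzle flashes"),
    Event(_t(1, 37), "physical", "motion_sensor", "fence motion-sensor alarm"),
    Event(_t(1, 41), "physical", "sheriff_911", "911 call reporting gunfire"),
    Event(_t(1, 45), "control_center", "scada", "transformer equipment-failure alarm"),
    Event(_t(1, 51), "physical", "patrol", "officers on scene, nothing visible behind locked fence"),
]
CONTROL_CENTER_ALARM = _t(1, 45)  # the moment the grid operator learned something was wrong


def silo_views(events: List[Event]) -> Dict[str, List[str]]:
    """What each team sees on its own console: only its own silo's messages."""
    views: Dict[str, List[str]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        views.setdefault(e.silo, []).append(f"{e.ts:%H:%M} {e.source}: {e.message}")
    return views


def correlate(events: List[Event], window_minutes: int = 60, min_silos: int = 2) -> List[Incident]:
    """ISOC-style rule: open an incident when events from at least `min_silos`
    different silos fall inside one sliding window; later events arriving within
    the window of the cluster's last event are attached to the open incident."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda x: x.ts)
    incidents: List[Incident] = []
    for i, e in enumerate(ordered):
        if incidents and e.ts - incidents[-1].events[-1].ts <= window:
            incidents[-1].events.append(e)
            incidents[-1].silos.add(e.silo)
            continue
        recent = [x for x in ordered[: i + 1] if x.ts >= e.ts - window]
        silos = {x.silo for x in recent}
        if len(silos) >= min_silos:
            incidents.append(Incident(e.ts, recent[0].ts, silos, list(recent)))
    return incidents


def detection_lead_minutes(incidents: List[Incident], reference_ts: datetime) -> Optional[int]:
    """Minutes by which the first correlated alert preceded `reference_ts`
    (negative if it came later); None if nothing correlated."""
    if not incidents:
        return None
    return int((reference_ts - incidents[0].alert_ts).total_seconds() // 60)


if __name__ == "__main__":
    for silo, lines in silo_views(EVENTS).items():
        print(f"[{silo}] sees {len(lines)} event(s):", *lines, sep="\n  ")
    for minutes in (60, 15):
        found = correlate(EVENTS, window_minutes=minutes)
        lead = detection_lead_minutes(found, CONTROL_CENTER_ALARM)
        print(f"window={minutes}m -> {len(found)} incident(s), alert at "
              f"{found[0].alert_ts:%H:%M}, {lead} min before control-center alarm")
```

With a 60-minute window the telecom cut plus the 1:31 camera event raise a cross-silo incident 14 minutes before the control center's equipment-failure alarm; with a 15-minute window the rule only fires at 1:45, which shows how much the correlation result depends on the window the engine is tuned for.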
How quickly can utilities correlate these events with siloed monitoring and analysis?

Integrated Security Operations Center (ISOC)
Event sources:
- IT Security Events: network device logs, IT system logs, business systems, behavioral learning appliances
- Industrial security appliances; physical security systems
- OT Security Events: control center systems, substation gateways, field devices
- Grid Operations Events: field, network operations center
- Threat and vulnerability information sources
Security Information and Event Management (SIEM): log and event aggregation -> correlation engine -> reporting

What Are Security Metrics?
Numbers representing the EFFECTIVENESS of security controls.

Security Metrics - Where do they fit?
- Framework for creating and implementing a cybersecurity program: NIST Cybersecurity Framework, C2M2, NERC CIP, NIST SP 800-53, NISTIR 7628
- Mandatory or discretionary requirements for the program
- Security Metrics: measuring the maturity of cybersecurity programs; measuring the effectiveness of the cybersecurity program

Why Do We Need Security Metrics?
Security Team
- To find out what works and what does not work
- To communicate security posture, threats and risks
- To demonstrate the value of their work
IT/OT Management
- Make sound decisions on security technology, resource allocation, etc.
- Trend the effectiveness of security controls over time
- Make recommendations to senior management on security priorities
Senior Management / The Board
- Assess the cyber security risk
- Make strategic decisions on cyber security risk management
Stakeholders
- Is our data secure?
- Is our power grid secure?

Recap: EPRI's Security Metrics
- 3 Strategic Metrics: Protection Score; Detection Score; Response Score
- 10 Tactical Metrics, e.g. Network Perimeter Protection Score; Threat Detection Score; End-Point Protection Score
- 46 Operational Metrics, e.g. Mean Time To Containment; Monthly Count of Incidents involving Malicious Email; Security Event True Positive Rate
- 120 Data Points, e.g. CVSS of a vulnerability; Number of internal IPs reachable from an asset; Database criticality rating

Cyber Security Challenges for the Multi-Party Grid
- Generation and storage assets may not be owned or operated by the utility
- Energy generation/consumption can be controlled by an aggregator
- Technology and business services are performed by third parties
- Operating increasingly complex, interconnected systems
- Dynamic governance relationships
How should the industry address these challenges?

The Path Forward
- Multi-Party Grid Risk Model
- Framework for Collaborative Security Management
- Cyber Security Guidelines for DER Integration
- Light-weight Encryption
- Simple Certificate or Cryptographic Key Management Scheme
- Cloud Security for Cyber-Physical Systems

Together... Shaping the Future of Electricity

ERIC HERR, AMEREN ILLINOIS
The Human Factor: Challenges and Opportunities
NextGrid WG3, 05/11/2018
Eric Herr, Director, Cybersecurity Operations

Institutionalizing Cybersecurity
Opportunities:
- Mandatory training
- Gamification: make training fun
- Simulations
- Incentivize secure behaviors
- Functional scorecards
- Include cybersecurity curriculum in all degree programs
- Awareness campaigns
- Partner with the trades to develop competencies in apprenticeship programs

Developing a Security Mindset
Current State:
- Organizational boundaries exist between IT and OT
- Heavy reliance on network segmentation for security
- Different security technologies in IT and OT, operated by different teams
- Situational awareness gaps
Opportunities:
- Integrate IT/OT operations
- Reduce technical debt
- Align roles and responsibility by competency
- Develop the hunting discipline
- Career rotations within government and industry agencies

Threat Intelligence and Adversary Behavior
Current State:
- Labor-intensive process
- Heavy focus on static indicators of compromise
- Little orchestration of threat data across technology
- Lack of security clearance prohibits access to timely threat intelligence data
Opportunities:
- Threat and vulnerability work is primed for automation and RPA use cases
- Analysts focus on adversary tradecraft, not static indicators
- Lobby to reduce dwell time on clearances
- Expand programs such as DOE CRISP and others to all utilities

Educating the Customer
Current State:
- Little direct communication to customers regarding security of IoT devices
- Consumer IoT device configurations are not secure out of the box, and updates can be complicated
Opportunities:
- As an industry, we should educate consumers on risks associated with IoT devices
- Include cybersecurity curriculum in primary and secondary education
- Evolve the cybersecurity awareness campaign at the state level

Building a Cybersecurity Workforce
Opportunities:
- Develop recruiting pipelines into universities and the military
- Encourage and support a diverse cybersecurity workforce
- Support and participate with innovation hubs, hackathons, summer camps and other mentoring opportunities at all levels of education
- Create an exciting, dynamic workspace
- Incentivize professional growth
- Broaden adoption of cybersecurity scholarships
- Support apprenticeships as entry to cybersecurity careers

DISCUSSION FORMAT
Purpose: describe the challenge, identify opportunities, suggest solutions and propose action items.
Participant Feedback: let us know if this discussion format is not optimal.
WebEx Protocol:
- Raise hand or send a chat message to let the host know you have a comment or question
- Host will notify who has the floor and who is on deck

WORKING GROUP PEOPLE DISCUSSION

PEOPLE OVERVIEW
Columns: Challenges | Opportunities / Solutions | Education | Potential Action Items

1. Ensuring a collaborative and consistent approach towards achieving a higher level of cyber and physical security
   - Opportunities / Solutions: building resiliency throughout the ecosystem; growing employee skillset; capability measurement: (a) baseline and advanced capabilities, (b) drivers' license type certification; achieving a baseline level of cyber and physical security competency among all personnel
2. Improve mindset and institutional culture to optimize problem-solving capabilities and avoid the failure of imagination
   - Opportunities / Solutions: growing security subject matter expertise (aging workforce, turnover); avoid sensory data overload through use of tools like machine learning and data visualization
3. Streamlining data sharing, security clearance and access to necessary intelligence while balancing the need to protect critical infrastructure information
   - Opportunities / Solutions: expedite security clearances (which currently take 18 months to process) and real-time intel sharing; expedite credible and accurate threat intel sharing through (1) improvement of government declassification of information and (2) improvement of processes for sharing of information
4. Fully understanding adversary behavior: tactics, capabilities, tools, strategies, growing sophistication, identity of the adversaries including insider threats
5. Fully understanding stakeholder expectations
   - Opportunities / Solutions: engaging all customers in addressing security challenges (community buy-in); defining the customer role in ensuring security; understanding true customer reliability expectations and cost sensitivity, including among different customer types (e.g. residential, business, CI)
6. Overcoming inadequate cybersecurity workforce
   - Opportunities / Solutions: moving to a 24/7 cybersecurity workforce; attracting/retaining talent; automation/AI to support and enhance human capital; marketing the breadth of opportunities; fully utilizing existing programs such as hackathons
   - Education: multidisciplinary approach required; educational pipeline has insufficient bandwidth; university-level education, short courses, summer schools
   - Potential Action Items: communicating an inspirational vision, e.g. how to get people excited about an internship at a utility vs. Apple or NASA
Potential Action Items (all rows): input sought (if any)

PEOPLE #1-2, PEOPLE #3-4 and PEOPLE #5-6: discussion slides repeating the overview rows above, with Potential Action Items: input sought (if any).

BREAK (5 MINUTES)

WORKING GROUP PROCESS DISCUSSION

PROCESS OVERVIEW
Columns: Challenges | Opportunities | Solutions | Education | Potential Action Items

1. Encouraging industry to gravitate toward adoption of a standardized set of approaches to increase operational efficiency
   - Opportunities: trend towards adopting business practices even when not required, because they make sense and are effective (e.g. NERC CIP, NIST, C2M2); maturing risk management programs (DOE cybersecurity risk management process, RMP)
   - Solutions: formalize processes to certify people in best-practice use when interacting with OT and IT
   - Education / Potential Action Items: input sought (if any)
2. Effectively measuring vendor capabilities, practices and competencies when introducing their products into grid operations, including multiple tiers in the supply chain
   - Opportunities / Solutions: securing the supply chain and ensuring vendors incorporate and integrate security protection capabilities; building resiliency throughout the ecosystem; supply chain security for cloud, 3rd-party and consumer-grade products
3. Address need for metrics to quantify effectiveness of interventions
   - Opportunities: adoption of risk assessment and capability maturity models; third-party assessment and continuous improvement
   - Solutions: establish metrics for reliability, resiliency and cybersecurity
4. Promoting an integrated return-on-investment strategy that includes physical and cyber security management, workforce, technology and process
   - Opportunities / Solutions: ensuring security planning is incorporated in strategic planning and business processes; potential valuation of resilience attributes in transmission planning; incorporating change management into overall project plans
5. Harmonizing framework adoption for information sharing, incident response management, and contingency planning analysis criteria
   - Opportunities / Solutions: promote increased cross-utility information sharing with regard to threat identification and incident response, complementary to the role of ISACs; define the need for information, recognizing differing needs and goals; increased public-private partnerships to facilitate information and best-practice sharing; enhancing operations across RTO seams (processes and tools); responsive congestion management across RTO seams; integrating emerging technologies to improve process
6. Prioritizing effective, regular and consistent evaluation and testing of core capabilities
   - Opportunities / Solutions: testing and exercising crisis and incident management capabilities across multiple jurisdictions; exercise response capabilities through local, regional and national coordinated exercises (CSIRT, GridEx, etc.); continued development of the ESCC Cyber Mutual Assistance program to coordinate between utilities in the event of an attack

PROCESS #1-2, PROCESS #3-4 and PROCESS #5-6: discussion slides repeating the overview rows above.

NEXT STEPS
1. Whitepaper Sample and Template (WG Co-Leads and WG Members)
2. Submit content to Google Drive (WG Members and WG Co-Leads)
3. Review Priority Matrix and Remaining Topics Matrix (WG Members)
4. Distribute Regulatory/Compliance Matrices (WG Co-Leads)
5. Review and comment on notes from this session (WG Members)
6. Review and research topics for next session (WG Members)

FUTURE MEETINGS
- Meeting #4: May 22, 2018, WebEx, 9AM-12PM
  - Regulatory and Compliance, and any carried-over Process topics
- NextGrid Public Policy Meeting: June 14, 2018
  - Chicago, 1PM-3:30PM
  - Public participation and presentations from all Working Group Leads
  - Optional 10AM-12 Noon in-person WG3 meeting
- Meeting #5: June 25, 2018, WebEx, 12PM-3:30PM
  - WG Report Discussion (WebEx)
- Final Chapter Due: June 29, 2018

THANK YOU

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202 994-7000. Fax: 202 994-7005. nsarchiv@gwu.edu