Embed Size (px)
Citation preview
FERC Security Program for Hydropower Projects
D2SI Security Branch***Webinar to Begin @ 1:30 1:32 EASTERN***
• Ground Rules– All lines are muted
– Will not be using the "raise hand"
– Call-in info is in the Chat (if needed)
– Technical difficulties – please state in the Chat
Discussion Points
Slide 2
• Ground Rules– Questions
• Type in at anytime
• Reference slide number
• Answer at presentation end
• Read from the Q&A - to All Panelists
Discussion Points
Slide 3
• Ground Rules– The Q&A could be in two places:
Discussion Points
Slide 4
• Ground Rules– Magnifying glass to zoom
Discussion Points
Slide 5
• Correspondence Caveats
• Current Activities
• 2020 Virtual Inspections
• 2021 Inspection Season
• Annual Security Compliance Certifications (ASCCs)
• Cyber Security Topics
• Suspicious Activity Reporting
• sUAS/drones
• Resources
• Takeaways
• Questions
Discussion Points
Slide 6
• Do not mix safety & security information
• Do not efile security documents
• May conduct virtual inspections
• Labeling is important
Correspondence Caveats
Slide 7
• Continuing to train & create SOPs
• Backfilling vacancies
• Completed evaluation of all SG1 – DAMSVRs
• Working with federal dam partners on cyber– Risk prioritization
– Prescriptiveness of controls
Current Activities
Slide 8
• Looking at cases where hydro is at a federal dam– Mostly USACE & Reclamation
– Security Grouping
– Coordinating response
– Understanding MOUs/MOAs
Current Activities
Slide 9
• Evaluating standards on fencing– USACE published requirements
– Identifying what industry standards exist
– We have provided guidance on fencing upgrades
– First consideration for baseline measures
Current Activities
Slide 10
• Developing strategic path forward– How to mature a cyber program (e.g. NERC-CIP)
– Next phase of physical security
• Processing ASCCs
Current Activities
Slide 11
• Physical Security:
– On-site connectivity could be spotty
– Difficult to understand site conditions
– Pictures & videos worked well
– Great for follow-up inspections for confirmation
2020 Virtual Inspections
Slide 12
• Cyber Security:
– Requires a comprehensive overview
– Cyber assets need to be understood at the onset
– Duration is about the same
– Can review physical security docs in the same way
– Saves tremendous resources
– Positive feedback
2020 Virtual Inspections
Slide 13
• Still working on our inspection plan– Agency guidance on travel
– Development prioritization
• Branch members in ARO, CRO, and WO
2021 Inspection Season
Slide 14
• As in 2020
– Dam Safety Engineers no longer assess security
– No new requirements
• Will continue remote reviews
– Potentially ahead of inspections (documents)
– As stand-alone inspections (cyber focused)
2021 Inspection Season
Slide 15
• General Theme Behind the 2020 ASCC Template:– Not meant to “catch” anyone!
– We wanted our licensee(s) to have a better understanding of what they are certifying with regards to security.
Annual Security Compliance Certs.
Slide 16
• Issues We Attempted to Address from Previous Years:– Uniformity
– Licensees understanding their responsibilities.
– Relevant security data present in one filing.
– Submittal Issues
– Better communication from FERC
Annual Security Compliance Certs.
Slide 17
• General Results:– Uniformity was vastly improved.
– Licensees liked the new template (especially after looking at the examples) and better understood their responsibilities.
– Submittal issues were minimal – No problems with PW protected emails and limited problems with the new encrypted email communication.
– Better communication from FERC – Sent acknowledgement emails to let licensee’s know we received the submittal and were processing the filing.
Annual Security Compliance Certs.
Slide 18
• Common Findings to Improve on (general):– Deadline (12/31 each year) adherence was not great – we
opted to send a deficiency email instead of a formal letter.
– Inconsistent dates (out-of date...can't certify)
– No partial submittals – request an EOT
– Missing/incomplete development number (P-09999, instead of P-09999-01).
– Italicized instructions on the template were not removed.
Annual Security Compliance Certs.
Slide 19
• Common Findings to Improve on (cyber):– You are required to report interconnected SG3
developments.
– Do not need to submit extra docs (e.g. cyber checklist)
– CADWs (Attachment 2 of 2020 ASCC Template) did not have the detail were looking for:
1. Missing Physical Features (Spillway Gates, Powerhouse).
2. Too many Physical Features in one cell.
3. Did not detail the consequences of Physical Features in the notes section.
Annual Security Compliance Certs.
Slide 20
• What’s next:– Still processing data
– Will understand NERC-CIP overlap
– Will prioritize future cyber activities
– Will look for trends in physical protection measures (better understanding of security posture)
– Will adjust examples and guidance for 2021 ASCC to help licensees better understand what we are looking for.
Annual Security Compliance Certs.
Slide 21
• Long-term goal– Licensees/exemptees tapped into USG sources (next slide)
– FERC only disseminates the most highly irregular critical information
• Short-term goal– Determine if registered and what sources
• In the 2021 ASCC or a survey or email request
Cyber Security Topics
Slide 22
United States Government Sources• E-ISAC (NERC)• FBI Cyber Outreach• FEMA (DHS)• Homeland Security Information Network (HSIN, DHS)• ICS-CERT (CISA)• US-CERT (CISA)
Note: This list is not all inclusive
Cyber Security Topics
Slide 23
• This year taught us:– Supply chain targeted (Solarwinds Orion, Microsoft Exchange Server)
– Less sophisticated actors caused problems
– 3 notable ICS related events in the media
– The best defense is:• Off-site back-ups
• Manual operation
• Having a current inventory
• Risk evaluation for patching/testing
Cyber Security Topics
Slide 24
• The Office of the Director of National Intelligence (ODNI) published the Intelligence Communities annual publicly-released assessment of threats to the United States and U.S. interests.
• https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2021/item/2205-odni-releases-2021-annual-threat-assessment-of-the-u-s-intelligence-community
Cyber Security Topics
Slide 25
• Threat Vector: Hardware, Software, and Services– Validation process prior to integration with production environment
– Standard procurement language
– Reporting requirements with vendor
Cyber Security Supply Chain Risk Management
Slide 26
27
Slide 27
Cyber Security Supply Chain Point of Attack
28
Source: MITRE Slide 28
Cyber Security Supply Chain Lifecycle
Defense in Depth
Slide 29
• Resources:– CISA Information And Communications Technology (ICT) Supply Chain
Risk Management (SCRM) Task Force (https://www.cisa.gov/supply-chain)
– CIP-013 - Cyber Security - Supply Chain Risk Management (https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf)
Cyber Security Supply Chain Risk Management
Slide 30
• Email PW protected security incidents or encrypted email to these two:
– Regional Engineer
• Can always call Justin Smith, D2SI Security Branch Chief
• Security Branch back briefs the Regional & Project Engineer
Suspicious Activity Reporting
Slide 31
March 2020 – March 2021 Summary
Suspicious Activity Reporting
0
1
2
3
4
5
6
7
Vandalism Theft Breach ofSecurity
Trespassing ImpliedThreat
Sabotage Surveillance
2020-2021 SAR/Incidents
CA CO MI NM OR SC Slide 32
• CISA-HSIN – Disabled SAR Tool
• Tracking Trends of SAR/Incidents
• Conduct meetings with licensees – Detailed information
• Provide recommendations to address reoccurring events
• Information sharing– We notified Reclamation of an incident at their facility
– We notified a licensee of an explosion in their area
Suspicious Activity Reporting
Slide 33
Suspicious Activity Reporting We work with our Intelligence Coordination Division (ICD)
Slide 34
• Signage @ project features– Licensees/exemptees have asked to use "federally regulated"
– Cannot post to discourage recreational opportunities
– Not be confused with Part 8 signage requirements
– Should not identify criticality of the feature
– Email us with questions
Suspicious Activity Reporting
Slide 35
• Still a viable threat– Weaponizing or Smuggling
– Surveillance/Reconnaissance
– Intellectual Property Theft
– Intentional Disruption or Harassment
• CISA Fact Sheets for Addressing CI Challenges– https://www.cisa.gov/publication/uas-fact-sheets
sUAS/Drones
Slide 36
• FAA website for more info– https://www.faa.gov/uas/
– FAA Signage – “No Drone Zone” – coordinate with local ordinance
– FAA regulations – CI may qualify for restricted airspace
– FAA B4Ufly App - where operators can and can’t fly
• DoD approved 5 manufacturers for US Gov and Mil:– Altavian, Parrot, Skydio, Teal, and Vantage Robotics
– https://www.diu.mil/autonomy-blue-suas
sUAS/Drones
Slide 37
• FERC Webpage contains:– Hydropower Guidelines – Rev. 3A
– Past Webinars• Security Branch background
• Physical Protection Measures
• Cyber Asset Designation Scenarios
– ASCC templates
– sUAS/drones resources
– DAMSVR request
• [email protected]• https://www.ferc.gov/industries-data/hydropower/dam-safety-and-inspections/security-program-hydropower-projects-revision
Resources
Slide 38
• Remote reviews will continue in 2021
• In-person inspections are uncertain
• ASCC reviews and data assessment is ongoing
• Additional guidance for 2021 ASCC will be provided in November
• Sign up for United States Government Cybersecurity Sources
• Continue reporting SARs and Share Information – Remember: Drones are still a threat
• ODNI – the physical & cyber threat exists
• If you can't find it on the Security Landing Page, email [email protected]
Takeaways
Slide 39
• Use the Q&A Chat only – to All Panelists
• Try and reference the slide number
• If your question is missed, please email us
Questions
Slide 40
• Slides will be posted to the Security Landing Page
• A short survey will be sent to attendees
• Thank you for participating!
Final Thoughts
Slide 41
