
Kirkwood Meadows Public Utility District

IT Committee

REGULAR MEETING NOTICE

NOTICE IS HEREBY GIVEN that the IT Committee of the Kirkwood Meadows Public Utility District has called a Regular Meeting of the Committee to be held on Thursday, July 25, 2019 at 9:00 A.M. at the Kirkwood Meadows Public Utility District Community Services Building, 33540 Loop Road, Kirkwood, California 95646.

1) Propane Carbon Offsets. Update. Pgs. 2-4

2) Records Retention Policy. Discussion. Pgs. 5-23

3) Password Protocol Implementation. Update.

4) Cyber Security. Discussion. Pgs. 24-67

5) GM Goals & Objectives 2019/20. Discussion and possible action. Pg. 68

6) Future Topics

7) Next Meeting/Staff Recommendation: Thursday, September 26, 2019 – 9:00 am.

Dated: July 18, 2019

Kirkwood Meadows PUD

The Kirkwood Meadows Public Utility District is an equal opportunity provider and employer.

In compliance with the Americans with Disabilities Act, if you are a disabled person and you need a disability-related modification or accommodation to participate in this meeting, please contact the District at (209) 258-4444, or by email to [email protected]. Requests must be made as early as possible, and at least two business days before the meeting.

DRAFT: Proposed letter to be customized and sent to all customers who have provided KMPUD with their email addresses:

July 30, 2019

Dear <firstnames>,

As a California Public Utility, Kirkwood Meadows Public Utility District is required to eliminate greenhouse gas emissions from our electricity by 2045. This can be done either through direct contracts for or ownership of renewable energy, or by purchasing verifiable Renewable Energy Credits (RECs) sold by suppliers of renewable electricity delivered into the California market.

Since the Kirkwood community is directly affected by climate change, we are very aware of the consequences of not doing everything we can to reduce emissions to help stabilize the climate. Last year, the District provided 30% renewable electricity, but we can provide 100% renewable electricity if you, our customers, are interested. Given the already high cost of electricity, we will offer this only as a voluntary program.

Furthermore, while it is not possible to provide "renewable propane", we can offset the emissions from combustion of propane by purchasing RECs that avoid the equivalent emissions. Each megawatt hour (MWh) of renewable electricity avoids 941 pounds of CO2 emissions. The combustion of propane emits 139 pounds of CO2 per million BTUs.

The District would appreciate knowing if you are interested in voluntarily having 100% renewable electricity in Kirkwood [and/or offsetting the emissions from your use of propane]¹. We would accomplish this through the purchase of RECs from companies that provide electricity to the California energy market. The most recent purchases of RECs by the District cost $19 per MWh, but prices vary year to year. To understand what this would have cost you during the 12 months of July 2018 - June 2019, we have calculated the price based on your actual usage. The total cost to offset 100% of your energy use with renewable energy for this period would have been $256.31. Details are provided below:

Electricity Usage for 142 Glove Rock Rd
  Total Usage (MWh) (30% renewable):            4.16
  Total Billed:                                 $2,994.47
  Non-Renewable Usage (MWh):                    2.91
  Voluntary cost to increase to 100% renewable: $55.29

¹ This phrase and the corresponding chart will only appear if the customer has a propane meter.

2

Propane Usage for 142 Glove Rock Rd
  Total Usage (cubic feet):                                       28,470
  Total Billed:                                                   $2,014.72
  CO2 Emissions (lbs):                                            9,956
  Voluntary cost to offset emissions from 100% of your propane use: $201.02

The District is considering offering this voluntary program on an annual basis. Customers would pay in advance for a year's worth of renewables or offsets calculated from the previous year's actual usage, with charges based on the current market price of a REC. After the year is over, you will receive a report that compares your actual usage and shows whether you exceeded the goal of 100% renewables and/or propane offsets or fell behind. Customers could then make an appropriate adjustment in the subsequent year. Customers would re-enroll on an annual basis by paying the estimated amount in advance, in full, by credit card.

Participation in the 100% renewable program is voluntary and is not part of the regular utility billing system. Customers will be able to track monthly progress through their account at kmpud.com. To be eligible to participate, you must enroll through kmpud.com.

In order that the District can make an informed decision, please let us know your level of interest in this voluntary program no later than August 23, 2019. Follow the link below to a very short survey of 5 questions that should not take more than 2 minutes to answer.

Thank you very much,

Survey Questions

1. On a scale of 1 to 5, how clear was the explanation in our letter?
   5 - Extremely clear
   4 - Very clear
   3 - OK but needs some clarification
   2 - Somewhat confusing
   1 - Confusing
2. If there were issues that needed further explanation or were confusing, please explain. (text box for free-form text)

3

3. Independent of your own level of interest, do you think this is a service that the District should offer?
   1. yes
   2. no
4. Regarding the voluntary 100% renewable electricity program, are you interested in enrolling for an initial 1-year period?
   1. yes
   2. no
   3. maybe - but I have questions about the program
5. Regarding the offset program for propane, are you interested in enrolling for an initial 1-year period?
   1. yes
   2. no
   3. maybe - but I have questions about the program
   4. I do not have propane service
6. KMPUD can design the program to work in one of two ways. Would you prefer to purchase credits in advance for the coming year's usage based on an estimate, or purchase credits after completing the year for the prior year's usage?
   1. Pay in advance as described in this letter for the coming year
   2. Pay after completing a year

4


Cybersecurity

University of Idaho - UEC, June 2019

24

Cybersecurity Risk

Top enterprise risks by rank (2018 EEI/AGA Enterprise Risk Management Committee Survey Summary):

  Risk                            2018  2017  2016
  Cybersecurity                     1     1     1
  Regulation/Legislation            2     4     4
  Safety (employee and public)      3     8     2
  Pressure on Rates and Returns     4     3     3
  Strategy and Execution            5     2     5

25

Cybersecurity Risk

Risk = the probability of a threat exploiting a vulnerability, resulting in some impact

26

Probability: Are we a target?

27

Threats

Threat actors in breaches over time (chart from the Verizon 2019 DBIR; categories shown: Organized Crime, Nation State Affiliated, Activists, Cashier)

28

Nation State Threats

• FBI/DHS Bulletin TA18-074A – Russian Nation State Cyber Activity
  – 22-page bulletin issued March 15, 2018 detailing ongoing cyber activity focused on US electric utilities
  – 2+ year campaign using email phishing and web watering-hole vectors
  – Infiltrated at least one undisclosed U.S. electric utility

• FBI/DHS Bulletin TA18-145A – Russian Activity Targets SOHO Networks
  – May 25, 2018 bulletin describing malware referred to as VPNFilter
  – The malware infected approximately 500k small office/home office (SOHO) consumer-grade routers and network devices, and was publicly attributed to Russian nation-state activity
  – The FBI investigation is reported to have begun in Aug. 2017, culminating in seizure of the command-and-control domain in mid-May 2018

https://www.us-cert.gov/ncas/alerts/TA18-145A

https://blog.talosintelligence.com/2018/05/VPNFilter.html

29

Risks: Supply Chain

• Third party service providers or vendors/solutions providers from janitorial services to software engineering

• Mechanism to infiltrate well protected organizations where traditional infection vectors are unsuccessful.

30

Internal threats

• Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity
  – Spear phishing: targeting specific companies or individuals
  – Whaling: targeting wealthy, powerful, or prominent individuals

Typical sequence of a targeted phishing attack:

1. Research the company and key employees: a tremendous amount of public information is available
2. Targeted e-mail: leads to a compromised device or stolen login credentials
3. Attack: harvest credentials or propagate malware to use as an access point to other systems

31
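The e-mail step in the sequence above is where a mail gateway or help desk can apply mechanical checks before a person ever has to judge the message. The script below is an added example, not part of the KMPUD packet or the University of Idaho deck: it parses raw message headers and flags four indicators of a spoofed or lookalike sender (display name claiming the organisation from a foreign domain, Reply-To pointing elsewhere, a homoglyph or near-typo domain, and an SPF/DKIM/DMARC failure recorded by the receiving server). The District's domain (kmpud.com) is taken from the meeting notice; the sample messages, the homoglyph table and the edit-distance threshold are constructed for illustration.

```python
"""Flag common phishing indicators in raw e-mail headers (added example).

Indicators checked:
  * display-name-spoof : the display name claims to be the organisation but the
                         sending address is on some other domain
  * reply-to-mismatch  : Reply-To points at a different domain than From
  * lookalike-domain   : the From domain is a homoglyph or near-typo of the
                         organisation's domain
  * auth-failure       : the receiving MTA recorded an SPF, DKIM or DMARC failure
Sample messages and the homoglyph table are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "kmpud.com"              # the District's domain, from the meeting notice
ORG_LABEL = ORG_DOMAIN.split(".")[0]  # "kmpud"

# Character swaps attackers use to build lookalike domains (illustrative, not exhaustive)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Collapse common homoglyph substitutions so 'krnpud.com' compares equal to 'kmpud.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    if not domain or domain == org:
        return False
    return normalize(domain) == normalize(org) or edit_distance(domain, org) <= 2


def phishing_indicators(raw_message: str) -> list:
    """Return the list of indicator names found in the message headers (empty if none)."""
    msg = message_from_string(raw_message)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    if ORG_LABEL in from_name.lower().replace(" ", "") and from_dom != ORG_DOMAIN:
        found.append("display-name-spoof")
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-mismatch")
    if is_lookalike(from_dom):
        found.append("lookalike-domain")
    auth = msg.get("Authentication-Results", "").lower()
    if any(tag in auth for tag in ("spf=fail", "spf=softfail", "dkim=fail", "dmarc=fail")):
        found.append("auth-failure")
    return found


def build(headers: dict, body: str = "see attached") -> str:
    """Assemble a raw RFC 5322 message from a header dict (used for the constructed samples)."""
    return "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n\n" + body


# Constructed samples: one legitimate notice and two phishing attempts.
LEGIT = build({
    "From": '"KMPUD Billing" <billing@kmpud.com>',
    "To": "customer@example.net",
    "Subject": "Your July statement",
    "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=kmpud.com; dkim=pass header.d=kmpud.com",
})
SPOOFED = build({
    "From": '"KMPUD IT Support" <it-support@kmpud-secure.com>',
    "Reply-To": "helpdesk@mail-recovery.example",
    "To": "manager@kmpud.com",
    "Subject": "Password expires today",
    "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=kmpud-secure.com; dkim=fail",
})
LOOKALIKE = build({
    "From": '"Accounts Payable" <ap@krnpud.com>',   # "rn" stands in for "m"
    "To": "finance@kmpud.com",
    "Subject": "Updated wire instructions",
    "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=krnpud.com; dkim=pass header.d=krnpud.com",
})

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(f"{label:10s} {phishing_indicators(raw) or 'clean'}")
```

Note that the lookalike sample passes SPF and DKIM: an attacker who registers krnpud.com can publish valid records for it, so authentication results alone say nothing about whether the domain is the one the recipient thinks it is. The homoglyph and edit-distance checks are what catch that case.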

Vishing/Smishing

• Vishing – the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, passwords, or bank details and credit card numbers.

• Smishing (SMS phishing) – a form of criminal activity using text messages as a social engineering technique.

33

Threats

• 20+ billion connected devices by 2020

• Bot-net: a network of computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam messages

34

Threat Landscape

• Digital Transformation

• Changing customer expectations

• Significant generation portfolio changes

• Asset optimization

• Grid modernization

• Technology cost optimization

• Regulatory drivers

35

Vulnerabilities

• 29% increase in Industrial Control System vulnerabilities

• 14,760 vulnerabilities catalogued in 2018

• "Keeps me awake at night": the window of time between a vulnerability becoming known and its remediation

36

Malicious Software

• 357,000,000 variants of malware

• Since the dawn of computers

• Not just developed by "hackers"

• Big business

Malware categories: viruses, worms, trojans, rootkits, spyware, ransomware, adware

37

Advanced Persistent Threat (Ukraine grid attacks)

• Attack 1: Dec. 2015 – control centers
  – 225,000 customers lost power

• Attack 2: Dec. 2016 – substation
  – 1-hour interruption to portions of Kiev

38

Ransomware

• "EternalBlue": an SMBv1 exploit developed by the NSA, leaked publicly in 2017 and then used to spread WannaCry and NotPetya

• Ransomware attacks up 350% since 2016

39

NotPetya

A "wiper" disguised as ransomware. $10+ billion in total financial impact, including:

• $870,000,000 – pharmaceutical company Merck

• $400,000,000 – delivery company FedEx (through European subsidiary TNT Express)

• $384,000,000 – French construction company Saint-Gobain

• $300,000,000 – Danish shipping company Maersk

• $188,000,000 – snack company Mondelēz (parent company of Nabisco and Cadbury)

• $129,000,000 – British manufacturer Reckitt Benckiser (owner of Lysol and Durex)

40

Ransomware

• What would you do? Why?

• Should you establish a Bitcoin account?

41

Cryptojacking

• Steal cryptocurrency or CPU processing resources to mine coin

• Unlike most other types of malware, cryptojacking scripts typically do no damage to computers or victim data

• Cost in investigation, containment, eradication

Source: McAfee Labs Threats Report, 2018

42

Security Frameworks

• NIST Cybersecurity Framework – designed for US critical infrastructure

• COBIT (Control Objectives for Information and Related Technologies) – a governance and control framework created by ISACA

• ISO/IEC 27001 – information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through a joint ISO/IEC subcommittee

43

Security Practices

Identify/Predict

Protect

Detect

Respond/Recover

44

Security Practices

“CIA” Triad

45

Vulnerability Management

• Patch Management

• Vulnerability assessments

• Countermeasures

• Remediation activities

47

Security Monitoring: Time to Discovery

Time from compromise to discovery is typically measured in months (Verizon DBIR 2019)

48

Security Monitoring

Security Information and Event Management (SIEM): centralized collection and correlation of log and event data from across the environment

49
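What turns months of collected log data into a discovery is correlation: joining events across sources and time rather than looking at any one line. The script below is an added example, not part of the KMPUD packet or the University of Idaho deck. It runs two sliding-window rules over constructed sshd-style authentication log lines: a brute-force rule (many failures for one account from one source) and a password-spray rule (one source failing against many accounts), and escalates when a successful login follows a brute-force burst, which is the event worth paging on. The hostname, addresses, window length and thresholds are all constructed for illustration.

```python
"""Brute-force and password-spray detection over sshd-style auth logs (added example).

Two sliding-window correlation rules a SIEM would run:
  * brute-force    : >= BRUTE_THRESH failed logins for one (source, account) within WINDOW seconds
  * password-spray : one source fails against >= SPRAY_USERS distinct accounts within WINDOW seconds
plus an escalation, success-after-failures, when an accepted login follows a brute-force burst.
Log lines, hostnames and addresses are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
LOG_YEAR = 2019          # syslog lines carry no year; assumed for the constructed sample
WINDOW = 60              # seconds
BRUTE_THRESH = 5         # failures per (source, account)
SPRAY_USERS = 4          # distinct accounts per source


def parse(line):
    """Return (timestamp, accepted, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def _trim(window, now, key=lambda item: item):
    """Drop entries older than WINDOW seconds from the left of a deque."""
    while window and (now - key(window[0])).total_seconds() > WINDOW:
        window.popleft()


def detect(lines):
    """Run both rules over lines in order; return a list of (alert, source_ip, detail) tuples."""
    alerts = []
    fails_by_pair = defaultdict(deque)   # (ip, user) -> failure timestamps
    fails_by_ip = defaultdict(deque)     # ip -> (timestamp, user) of failures
    fired = set()                        # suppress duplicate alerts per key

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        pair = fails_by_pair[(ip, user)]
        _trim(pair, ts)

        if accepted:
            # a success right after a burst of failures is the high-priority case
            if len(pair) >= BRUTE_THRESH:
                alerts.append(("success-after-failures", ip, user))
            continue

        pair.append(ts)
        if len(pair) >= BRUTE_THRESH and ("brute", ip, user) not in fired:
            fired.add(("brute", ip, user))
            alerts.append(("brute-force", ip, user))

        by_ip = fails_by_ip[ip]
        by_ip.append((ts, user))
        _trim(by_ip, ts, key=lambda item: item[0])
        accounts = {u for _, u in by_ip}
        if len(accounts) >= SPRAY_USERS and ("spray", ip) not in fired:
            fired.add(("spray", ip))
            alerts.append(("password-spray", ip, f"{len(accounts)} accounts"))
    return alerts


# Constructed sample: a brute-force burst that succeeds, a spray, and normal noise.
SAMPLE_LOG = [
    "Jul 25 09:00:00 kmpud-ws01 CRON[811]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 25 09:00:01 kmpud-ws01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Jul 25 09:00:03 kmpud-ws01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Jul 25 09:00:04 kmpud-ws01 sshd[2210]: Failed password for jsmith from 192.0.2.4 port 40022 ssh2",
    "Jul 25 09:00:05 kmpud-ws01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Jul 25 09:00:07 kmpud-ws01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Jul 25 09:00:08 kmpud-ws01 sshd[2210]: Accepted password for jsmith from 192.0.2.4 port 40022 ssh2",
    "Jul 25 09:00:09 kmpud-ws01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Jul 25 09:00:12 kmpud-ws01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51234 ssh2",
    "Jul 25 09:05:00 kmpud-ws01 sshd[2300]: Failed password for alice from 198.51.100.9 port 33001 ssh2",
    "Jul 25 09:05:10 kmpud-ws01 sshd[2301]: Failed password for bob from 198.51.100.9 port 33002 ssh2",
    "Jul 25 09:05:20 kmpud-ws01 sshd[2302]: Failed password for invalid user carol from 198.51.100.9 port 33003 ssh2",
    "Jul 25 09:05:30 kmpud-ws01 sshd[2303]: Failed password for dave from 198.51.100.9 port 33004 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The spray rule is the one a per-account lockout policy misses entirely: each account sees a single failure, so nothing locks, yet one source has tried four accounts in thirty seconds. Keying the second rule on the source rather than the account is what makes it visible.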

Cyber Incident Response/Recovery

50

Information Sharing

• Information Sharing and Analysis Centers (ISACs)
  – Electricity ISAC (E-ISAC)
  – Downstream Natural Gas ISAC (DNG-ISAC)

• Trade associations
  – Edison Electric Institute (EEI)
  – National Rural Electric Cooperative Association (NRECA)
  – American Gas Association (AGA)

• Computer Emergency Response Teams (CERTs)
  – US-CERT
  – Industrial Control Systems CERT (ICS-CERT)

51

Government Partnerships

• Department of Homeland Security

• Department of Energy

• FBI – InfraGard

• National Institute of Standards and Technology (NIST)

• National Laboratories

52

Electric Sector Coordinating Council (ESCC)

• CEO level – industry-government and cross-sector coordination
  – Supply Chain Security
  – R&D Alignment
  – Electromagnetic Pulse

• Information Sharing and Tools and Technology
  – Cyber Risk Information Sharing Program (CRISP)

• Response and Recovery
  – Mutual Assistance / Cyber Mutual Assistance Program
  – Exercises

53

Cyber Risk: Political Climate

Federal

• S. 174 / H.R. 680, Securing Energy Infrastructure Act (draft) – nicknamed the "Back to the Future" bill; cited in relation to restoration following the cyber attack in Ukraine, where the use of manual operations helped restore power.

• H.R. 362, Energy Emergency Leadership Act (draft) – requires the Secretary of Energy to assign energy emergency and energy security functions to an Assistant Secretary, including responsibilities with respect to infrastructure and cybersecurity.

• H.R. 2114, Enhancing State Energy Security Planning and Emergency Preparedness Act of 2019 (draft) – would provide Federal financial assistance to States to implement State energy security plans.

• H.R. 359, Enhancing Grid Security through Public-Private Partnerships Act (draft) – directs the Department of Energy to facilitate and encourage public-private partnerships to address and mitigate the physical security and cybersecurity risks of electric utilities.

• Cyber threats to pipelines, and consideration of mandatory cyber standards for natural gas pipelines, continue to be a hot topic.

• Executive Order 13873 (May 15, 2019), Securing the Information and Communications Technology and Services Supply Chain

State

• In 2018, 35 states introduced more than 265 bills or resolutions related to cybersecurity

Summary

• Cybersecurity attention remains high in the federal government, with continued attention at the state level

• Activities relate to privacy/data breach notification, skills development/job training, and critical infrastructure protection

• Continued interest in the electromagnetic pulse threat

54

Energy Policy Act of 2005

• Granted the Federal Energy Regulatory Commission (FERC) authority to oversee the reliability of the nation's electricity grid

• Required the creation of an Electric Reliability Organization (ERO) to be selected and certified by FERC. FERC chose the North American Electric Reliability Corporation (NERC).

• NERC develops and enforces mandatory standards for all users, owners and operators of the bulk electric system

• FERC approves or remands proposed electric reliability standards, and oversees the effective enforcement of approved standards, including the imposition of penalties.

Oversight hierarchy:
  FERC
    → NERC (ERO)
      → Regional Entities (RRO): FRCC, MRO, NPCC, RFC, SERC, TRE, and WECC
        → Users, Owners, and Operators (Registered Entities)

55

NERC and Regional Structure

• “Self-regulatory” organizational structure covering U.S. and parts of Canada & Mexico

• Compliance oversight and enforcement delegated to Regional Reliability Organizations (RRO)

– Florida Reliability Coordinating Council (FRCC)

– Midwest Reliability Organization (MRO)

– Northeast Power Coordinating Council (NPCC)

– ReliabilityFirst Corporation (RFC)

– SERC Reliability Corporation (SERC)

– Texas Regional Entity (TRE)

– Western Electricity Coordinating Council (WECC)

*Southwest Power Pool (SPP) functions were absorbed into MRO and SERC at end of 2018

56

Penalties

Base Penalty Amount Table ($/Violation/Day)

57

Reliability Standards

➢ Critical Infrastructure Protection (CIP)

➢ Resource and Demand Balancing (BAL)

➢ Communications (COM)

➢ Emergency Preparedness and Operation (EOP)

➢ Facility Design, Connections and Maintenance (FAC)

➢ Interchange Scheduling and Coordination (INT)

➢ Modeling, Data and Analysis (MOD)

➢ Nuclear (NUC)

➢ Personnel Performance, Training, and Qualifications (PER)

➢ Protection and Control (PRC)

➢ Transmission Operations (TOP)

➢ Transmission Planning (TPL)

➢ Voltage and Reactive (VAR)

➢ Interconnection Reliability Operations and Coordination (IRO)

58

Why is CIP Different?

• CIP standards are primarily cybersecurity in nature
  – Cyber security is less mature in operational environments

• Standards do not fit the same functional silos as nearly all other Reliability standards
  – Cut across all operations business areas
  – Supported by HR, IT, Corporate Security

• FERC attention

• Political spotlight

59

CIP Standards

• CIP-002 BES Cyber System Categorization
• CIP-003 Security Management Controls
• CIP-004 Personnel and Training
• CIP-005 Electronic Security Perimeters
• CIP-006 Physical Security of BES Cyber Systems
• CIP-007 Systems Security Management
• CIP-008 Incident Reporting and Response
• CIP-009 Cyber Security Recovery Plans
• CIP-010 Configuration Management and Vulnerability Assessments
• CIP-011 Information Protection
• CIP-013 Supply Chain (new) – effective July 1, 2020
• CIP-014 Physical Security

60

CIP: Evolving Scope

Prior versions:

▪ Only assets identified as Critical Assets are in scope for CIP

▪ Industry discretion on how to identify Critical Assets

▪ Only a small portion of total assets are considered Critical Assets

▪ Cyber Assets that are not dial-up accessible or do not use a routable protocol are not in scope

Current versions:

▪ All Bulk Electric System Assets are in scope for CIP

▪ Graded requirements where "High" assets have more requirements than "Medium" and "Low"

▪ No exclusion for assets that do not use a routable protocol

▪ Prescribed thresholds for identifying assets at each level

(Figure: under prior versions, Critical Assets are a small subset of Bulk Electric System Assets; under current versions, all Bulk Electric System Assets are tiered into Low, Medium and High impact.)

61

“Low” Impact Work Underway

• Low impact compliance represents a tremendous amount of work for most utilities

• FERC extended the Sept. 1st, 2018 implementation date to Jan 1st, 2020

• Scope expanded to include transient cyber assets for low impact facilities

• Physical access controls

• Cyber Access controls

• Cyber Asset inventory not explicitly required but difficult to demonstrate compliance without

62

Standards Evolution

• Moving target for compliance

• CIP-012-1 Communications between Control Centers – mitigate the risk of unauthorized disclosure or modification of Real-time Assessment, monitoring and control data.

• CIP-008-6 Incident Reporting and Response Planning – expands reporting to cyber security incidents that not only compromise, but attempt to compromise, a reliability task. In addition, the proposal would add reporting specifications and deadlines for reporting incidents. (Pending FERC approval at the time of this presentation.)

• Virtualization/Cloud – preliminary proposals to address virtualization within CIP include doing away with a cyber-asset-specific approach and moving further towards a solely systems-based approach.

63

Electromagnetic Pulse (EMP) Threat

• Electromagnetic pulse: a human-made threat

• Different from Geomagnetic Disturbances (GMD)

• Political attention at state and federal levels

• Complex/costly mitigation

• Substantial research underway

• Recent Electric Power Research Institute report

64

How to effectively measure security?

• What is reasonable and prudent in the context of security?

• Regulatory commissions acquiring cyber expertise

• How much is too much or too little?

• Utilities must be able to quantify investments and technologies needed

65

66

References

• Symantec, Internet Security Threat Report (2019)

• Verizon, Data Breach Investigations Report (2019)

• Ponemon Institute, Data Breach Report (2019)

• McAfee Labs, Threats Report (2019)

67

Information Technology

1. Implement and test two-factor authentication for all Supervisors and Managers. If satisfactory, implement District-wide.

2. Develop a records retention policy.

3. Develop a communications policy.

4. Regularly review industry trends and issues in cyber security.

68
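Goal 1 above calls for implementing and testing two-factor authentication. The code below is an added example, not part of the KMPUD packet: a standard-library implementation of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, together with the verifier a service would run. Assumptions, labelled in the code: a 30-second time step, 6-digit codes unless stated otherwise, HMAC-SHA1, a tolerance of one step either side for clock drift, and a per-user record of the last accepted step so that a code captured in transit cannot be replayed within its validity window. The demo uses the test secret published in RFC 6238 so its output can be checked against the RFC's own vectors.

```python
"""TOTP (RFC 6238) generation and verification with replay protection (added example).

Assumptions: 30-second time step, HMAC-SHA1, 6 digits unless stated, +/-1 step skew tolerance.
The demo secret is the RFC 6238 test secret, so codes can be checked against the RFC vectors.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30
RFC_TEST_SECRET = b"12345678901234567890"   # published test secret from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the number of whole time steps since the epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


def new_enrollment_secret(nbytes: int = 20) -> str:
    """Fresh Base32 secret to load into an authenticator app (20 bytes is the RFC 4226 minimum)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


class TotpVerifier:
    """Server-side check for one user: tolerates clock skew, refuses to accept a step twice."""

    def __init__(self, b32_secret: str, digits: int = 6, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = base64.b32decode(b32_secret, casefold=True)
        self.digits, self.step, self.skew = digits, step, skew
        self.last_step = -1          # highest time step already consumed by a successful login

    def verify(self, code: str, at: int = None) -> bool:
        now = int(time.time()) if at is None else int(at)
        current = now // self.step
        for offset in range(-self.skew, self.skew + 1):
            step = current + offset
            if step <= self.last_step:
                continue             # replay protection: never accept the same step twice
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, str(code)):   # constant-time compare
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits): T=59 -> 94287082, T=1111111109 -> 07081804
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
    b32 = base64.b32encode(RFC_TEST_SECRET).decode()
    v = TotpVerifier(b32, digits=8)
    print("first use accepted:", v.verify("07081804", at=1111111109))
    print("replay rejected:   ", v.verify("07081804", at=1111111112))
```

Two details matter in deployment. The skew window exists because a phone's clock and the server's clock are never perfectly aligned, but every extra step accepted widens the window an attacker has to use a phished code, so one step each way is the usual compromise. The last-accepted-step record is what makes a captured code single-use; without it a code phished in real time is valid for the whole window, which is exactly how attackers defeat TOTP in practice.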