
Page 1: Cybersecurity and the Electric Grid

Fun with the EO, PD, DHS, NIST, NERC, ESCC, ES-ISAC, DOE, and FERC

Roger Williams University
Cyber Threats and Cyber Realities
Jonathan Schneider
June 18, 2013

Page 2: Background

Evidence of the nation’s cyber vulnerability has increased geometrically over the past five years.

Mandiant report of the concerted effort apparently mounted by China’s military is only the latest installment.

High profile incidents pointing to destructive potential include:

• Shamoon attack on Saudi Aramco disabled 30,000 computers
• 23 attacks on US pipeline systems in 2012
• Dozens of attacks on financial institutions in 2012 (DHS report)
• 82 intrusions that targeted energy companies in the 6 months preceding October, 2012 (DHS report)
• Major Denial of Service attack successfully brought down internet service to Jacksonville Electric Authority (LPPC member) last week.

Soviet Invasion of Georgia - Potential for full-out cyber warfare demonstrated

Former Secretary of Defense Leon Panetta warned of potential for a cyber 9/11

Page 3: Department of Homeland Security - Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

10/2012 Report – Energy sector has been a focal point
- 40% of all cyber attacks in 2012

Page 4: Framework for Understanding Cyber Vulnerabilities

Attack Vectors
• Internet access
• Inserted malware (Stuxnet and reverse-engineered versions)
• Internal exposure

Electric Sector Vulnerabilities
• Operations/Control Systems
  Idaho Labs Aurora Test – Industry wake-up call
  Telvent (SCADA systems)
• Communications and Information Systems
  Communications: JEA Denial of Internet Service
  Theft (proprietary data – Nortel, banking)

Page 5: Legislative Gridlock

At least a half-dozen bills introduced in Congress over the past five years, and dozens of amendments

Most legislative activity targeted energy industry
• Ironically, energy industry may be better protected through NERC standards than any other sector

Focus now encompasses other major economic, physical infrastructure and manufacturing sectors.

Electric Industry Supported:
• Information Sharing – Govt. to Industry
• Emergency Directives
• Liability Protection

Electric Industry Opposed:
• Disruption of Industry-based (NERC) Standards Development Process

Page 6: Legislative Gridlock – White House Response

White House stepped into the breach on February 12, 2013 with its Executive Order

Executive Order sets up a broad program:
• Information sharing by federal agencies w/owners of critical assets
• Creation of a “voluntary framework” for managing cyber vulnerabilities

Page 7: Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards

What is NERC? - Energy Policy Act of 2005 authorized FERC to certify and oversee an Electric Reliability Organization (ERO)
• FERC Certified NERC – Mission: develop and enforce reliability standards governing the electric grid

By June, 2007, NERC had implemented mandatory, enforceable standards governing the ‘Bulk Electric System’
• BES - Generally defined as transmission operated at 100 kV and above
• Distribution is excluded by Federal Power Act Section 215 (Think NYC)

Standards: (1) Communications; (2) Critical Infrastructure; (3) Emergency Preparedness; (4) Facilities Design; (5) Interchange Coordination; (6) Modeling; (7) Protection and Control; (8) System Balancing; (9) Transmission Operations; (10) Transmission Planning; (11) Voltage and Reactive Control

Page 8: Existing Protection: Critical Infrastructure Protection (“CIP”) under North American Electric Reliability Corporation (NERC) Standards

NERC’s Suite of CIP Standards

• CIP-001 – Sabotage Reporting
• CIP-002-3 – Critical Cyber Asset Identification
  Risk-based identification of ‘critical assets’ (control centers, transmission, generation) and identification of associated critical cyber assets key to operation of Critical Assets.

CIP Version 5 (leap-frogs Version 4 per April 18, 2013 FERC Order):
• Calls for the identification and risk-based ranking of “BES Cyber Assets”
• Cyber assets are those that “if rendered unavailable, degraded or misused would, within 15 minutes of required operation … adversely impact one or more facilities … which if … unavailable, would affect the reliable operation of the Bulk Electric System.”

Page 9: Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards

CIP-003-3 – Security Management Controls
• Utilities must maintain/implement/document a cybersecurity policy addressing requirements CIP 2 - 9

CIP-004-3 – Personnel & Training

CIP-005-3 – Electronic Security Perimeters
• All critical cyber assets must reside within an “electronic security perimeter” (secure access)
• Includes externally connected (remote) access

Page 10: Existing Protection: Critical Infrastructure Protection under North American Electric Reliability Corporation (NERC) Standards

CIP-006-3 – Physical Security of Critical Cyber Assets
• All critical cyber assets must reside behind a “six-wall” border

CIP-007-3 – Systems Security Management
• Manage security of new cyber assets and changes
• Security Patch Management
• Malicious Software Prevention
• Account management (authorized access)
• Security status monitoring

CIP-008-3 – Incident Reporting and Response Planning
• Reporting to NERC’s ES-ISAC (Electric Sector Information Sharing and Analysis Center)

CIP-009-3 – Recovery Plans for Critical Cyber Assets
• Responsible entities must devise, document, implement and test (full operational exercise) recovery plans.

Page 11: Existing Protection – DOE’s Cybersecurity Capability Maturity Model (ES-C2M2) (May, 2012)

Ten Core Domains (Competencies)

(1) Risk Management;
(2) Asset, Change, and Configuration Management;
(3) Identity and Access Management;
(4) Threat and Vulnerability Management;
(5) Situational Awareness;
(6) Information Sharing and Communications;
(7) Event and Incident Response, Continuity of Operations;
(8) Supply Chain and External Dependencies Management;
(9) Workforce Management; and
(10) Cybersecurity Program Management

Levels of Accomplishment: (1) Initiation; (2) certain degree of performance including program documentation, stakeholder involvement, resource commitment and reliance on standards or guidelines; and (3) a fully managed program

Page 12: Other Mandatory Rules

Nuclear Regulatory Commission
• Regulations
  Critical digital asset identification
  Requires cybersecurity protective strategy
• NRC Guidance: Best Practices (NIST)
  International Society of Automation
  Institute of Electrical and Electronics Engineers
  DHS

Page 13: 2/12/13 Executive Order “Improving Critical Infrastructure Cybersecurity”

Headline News: Without legislation, the White House has directed the Secretary of Homeland Security, the Attorney General, DOD, and NIST (National Institute of Standards and Technology) to implement a broad program ensuring:
• Information Sharing by Governmental Agencies with private sector regarding cyber threats
• The identification of Critical Infrastructure at risk
• The creation of a “voluntary” Critical Infrastructure Cybersecurity baseline program by NIST

Page 14: Application to Industries and Responsible Sector-Specific Agencies

Chemical: Department of Homeland Security
Commercial Facilities: Department of Homeland Security
Communications: Department of Homeland Security
Critical Manufacturing: Department of Homeland Security
Dams: Department of Homeland Security
Defense Industrial Base: Department of Defense
Emergency Services: Department of Homeland Security
Energy: Department of Energy
Financial Services: Department of the Treasury
Food and Agriculture: U.S. Department of Agriculture and Department of Health and Human Services
Government Facilities: Department of Homeland Security and General Services Administration
Healthcare and Public Health: Department of Health and Human Services
Information Technology: Department of Homeland Security
Nuclear Reactors, Materials, and Waste: Department of Homeland Security
Transportation Systems: Department of Homeland Security and Department of Transportation
Water and Wastewater Systems: Environmental Protection Agency

Page 15: What is Critical Infrastructure?

Executive Order: Critical Infrastructure “means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Identification of Assets:

• Within 150 days of the date of this order (mid-July, 2013), the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.

Components of electrical distribution systems almost surely implicated, broadening NERC’s BES focus

• A “consultative process” will be used by the Secretary of Homeland Security to identify critical infrastructure. Owners and operators will be included, along with sector specific agencies, independent agencies and local governments.

Page 16: 2/12/13 Executive Order – Cybersecurity Information Sharing

Within 6 months (mid-August, 2013), instructions will be issued by the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence ensuring the timely production of unclassified reports of cyber threats to identified targets.

Classified reports will be made to critical infrastructure owners and to critical infrastructure entities authorized to receive them.

• Within 6 months, Sec’y of Homeland Security, in collaboration with the Sec’y of Defense, will establish procedures to expand the “Enhanced Cybersecurity Services” program to provide classified cyber threat and technical information to eligible critical infrastructure asset companies and service providers that offer security services to critical infrastructure.

Page 17: 2/12/13 Executive Order “Improving Critical Infrastructure Cybersecurity”

Cybersecurity Baseline Program (“The Framework”)
• To be created by NIST in order to establish a baseline set of guidelines and objectives for critical infrastructure owners to follow in order to guard against cyber threats.
• Preliminary Framework will be published within 8 months (October, 2013) and finalized in one year (February, 2014)
• Industry input was filed April 8, 2013.

Page 18: NIST Cybersecurity Baseline Program (“The Framework”)

Goals of The Framework (from draft RFI):
• “(i) to identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities;
• (ii) to specify high-priority gaps for which new or revised standards are needed; and
• (iii) to collaboratively develop action plans by which these gaps can be addressed.”

Page 19: NIST Framework - Expected Elements (Draft RFI)

A consultative process to assess the cybersecurity-related risks to organizational missions and business functions;

A menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats and protect privacy and civil liberties;

A consultative process to identify the security controls that would adequately address risks that have been assessed and to protect data and information being processed, stored, and transmitted by organizational information systems;

Metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate and available processes that can be used to facilitate continuous improvement in such controls;

A comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide senior leaders/executives with the kinds of necessary information sets that help them to make ongoing risk-based decisions;

A menu of privacy controls necessary to protect privacy and civil liberties.

Page 20: Electric Industry Input

NERC Standards should be rolled into the Framework, not contradicted.

Framework should be consistent with DOE’s ES-C2M2

• Must be flexible, process oriented in order to apply across sectors, and allow entities to respond flexibly to emerging threats.

Page 21: Managing the “Voluntary” Framework

Secretary of Homeland Security, in coordination with Sector-Specific Agencies, will notify owners/operators of designated critical infrastructure confidentially. Reconsideration possible.

Sector-specific agencies will report annually to the President (through Secretary of Homeland Security) whether critical infrastructure owners/operators are participating in the Framework.

Incentives for compliance discussed, but not yet developed

Page 22: What May Owners/Operators of Critical Infrastructure Do and What Must They Do?

CI Owners may:
• Participate in determination on Critical Infrastructure through consultative process
• Participate in development of cybersecurity baseline framework

CI owners must:
• Determine whether to participate in baseline framework
• Weigh risks of non-compliance
  Potential liability in not meeting benchmark
  Possible Disclosure Issue

CI owners must consider good cyber “hygiene” to be a good business practice
• Organization and Planning
• Internal Standards and Systems
  Link to alert systems (ICS-CERT, ES-ISAC, Cross-Sector Cyber Working Group)
  Physical and electronic walls, passcodes, electronic access rules
  Consider link between business and operational control systems
  Management of Remote Access
• Procurement Practices (vendor exposure)
• Personnel and Internal Policies