CIP Program Highlights
Member Representatives Committee
October 28, 2008
Michael Assante, CSO
michael.assante@nerc.net
Establish a core CIP program, Enhance SA & work across NERC’s programs
[Diagram: organization chart] Board of Trustees; ESSG; NERC CEO; CSO; program areas: Standards, Compliance, Assessment, Events Analysis, Training
Critical Infrastructure Protection (focused on CIP risks) and Situational Awareness (focused on CIP events & enhancing preparedness): mutually supporting, constructive overlap (ES-ISAC)
Regions and Industry:
• CIPC & EC
• ESCC engagement
• Standards
• Assessments
• Leadership
• Support
• Support their mission/role
Responsibilities shown in the diagram:
• Support the development of expertise
• Training
• Identify, address and monitor security risk to the BPS
• Provide expertise
• Support efforts
• Monitor reliability
• Monitor hazards
• Coordination with government
• Coordinate with other sectors (PCIS)
NERC Core Programs - CIP
Ensure the Reliability of the Bulk Power System
• Trusted within the industry
• Recognized for effective leadership
Security Risk Assessment
• Assess threats to the Bulk Power System
• Identify concerns to be addressed
• Cyber risk & preparedness evaluation
CIP Standards Compliance
• Enforce compliance (along with regional reliability organizations)
• Audits, monitoring & investigations
CIP Standards Development
• 9 CIP standards approved
• Enhance & update existing standards
• Propose new standards to address security concerns
Critical Infrastructure Protection: “Ensure threats to the reliability of the BPS, especially cyber, are clearly understood and are sufficiently mitigated”
Security Leadership: Chief Security Officer (CSO); ESCC, ESSG, PCIS, NIAC, CSO Council
ES-ISAC Situational Awareness
• Notifications & alerts
• Preparedness & response coordination
• Monitor events impacting the grid
• Facilitate coordination & reliability tools
NERC CIP Enhancement Plan
Milestones (2HCY08, 1HCY09, 2HCY09):
• Mobilize executive participation & guidance (e.g. ESSG)
• Establish NERC CIP Program (Hire CSO, Strategy, Resources)
• Formalize NERC led assessment & initial CRP evaluation
• Enhance the ES-ISAC (improve alert reporting, process maturity, lists)
[Timeline chart] Cyber Summit; CEO Briefing; Executive Engagement (ESSG); NERC CIP Program (Portfolio, Resourcing); Assessments (Risk Assessment, CRP Evaluation); Enhance ES-ISAC; ESSG; CSO; CIP Portfolio; Resourcing; Order 706 Phase I; Improvement Projects
Cyber Risk Preparedness Evaluation
• Identify existing capabilities to prevent, detect, respond to and limit the potential damage of existing/emerging attack techniques
• Objective: Understand how prepared both individual entities (by type) and existing processes/mechanisms are to ensure reliability of the BPS while under a successful cyber attack
• Approach: Devise several realistic but challenging cyber scenarios and conduct a series of tabletop exercises with volunteer entities
• The CRP team will use a process to evaluate key criteria for determining preparedness
• Areas to evaluate (the scenarios will be consistently evaluated for all entities for the following capabilities):
  A. Prevent cyber attacks
  B. Detect cyber attacks
  C. Technically respond to cyber attacks
  D. Manage their systems and electricity assets to minimize potential damage
  E. Communicate and coordinate effectively with interconnected neighbors and area coordinators to contain effects on the bulk power system
ES-ISAC Mission
• The ES-ISAC serves the Electricity Sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures.
  • Preparedness & response calls (e.g. Hurricane Gustav)
• It is the job of the ES-ISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants to take protective actions.
• As the ES-ISAC, NERC gathers, disseminates and interprets security-related information.
  • FERC has oversight of NERC’s alerting process for U.S. entities
  • Canadian authorities provide guidance for alerting to Canadian entities
ERO & ES-ISAC (similar but distinct)
Formal effort to involve industry SMEs in the generation of Alerts
CIP: ES-ISAC/NERC Alerts
• Advisories, Recommendations, and requests for Essential Actions (ERO & ES-ISAC missions)
• Issued to relevant industry sectors when a security risk (threat or vulnerability) arises
• Advises the industry to evaluate the risk and take action to correct issues affecting reliability/CIP
Scope: Cyber, Physical, Logical, All Hazards
Reporting Concerns & Objectives
• Don’t want to numb the sector with too much reporting
• Do want to appropriately choose alerting vehicles based on the seriousness of the risk
  • Advisory – Notify the sector of a vulnerability that could be applied in a way that would directly or indirectly impact the BPS
  • Recommendation – Notify the sector and receive replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability and its potential to cause serious consequences in the BPS
  • Essential Action – Notify the sector so they may take immediate action, and require replies to appropriately monitor the status of the risk (mitigation efforts) based on the attributes of the vulnerability, potential consequences, and indications or the potential that an attacker will exploit the vulnerability
• In a perfect world we would like to see the reporting fall into the following buckets over a year (we will not shape reporting to arbitrarily fit these levels):
  • Advisories: 80%
  • Recommendations: <20%
  • Essential Actions: <1% (only used for critical & time sensitive risks)
SCADA Vulnerability & Exploit Disclosures
[Chart] Tracking from 2005 to Present (4QTR08)
* This captures only publicly released vulnerability discoveries and exploit tools/code
ES-ISAC “Operational Excellence”
• Streamline & exercise NERC notification lists
  • Project underway to address existing problems and establish a sustainable approach to manage the lists
  • Will exercise the notification lists (improve, educate and verify)
    • Administrative exercise (November)
      • Addition of an FAQ
      • Instructions to recipients
    • Operational exercise (2 tests per year)
      • Recommendation-level or higher Alert
      • Instructions & Exercise Replies required
• Longer-term: Develop a secure mechanism to receive alert feedback and facilitate effective two-way communication
  • Identify an appropriate mechanism for authenticated (record responses for recipients by entity) and secure feedback & alert responses