13 - CIPC Brief (Harrell Conway Mar 2013) V2

  • 7/29/2019 13 - CIPC Brief (Harrell Conway Mar 2013) V2

    GridEx II / GridSecCon Update

    Grid Security Exercise / Grid Security Conference 2013

    Brian M. Harrell, Associate Director of CIP Programs

    CIPC

    March 6, 2013

    RELIABILITY | ACCOUNTABILITY

    GridEx II Overview

    NERC will host GridEx 2013 on November 13-14, 2013

    North American wide distributed-play exercise

    Executive policy trigger table top exercise on 14 November


    GridEx II Objectives

    1. Identify potential improvements in physical and cybersecurity plans, programs, and responder skills

    2. Assess, test, and validate existing command, control and communication plans and tools for NERC and its stakeholders

    3. Validate the current readiness of the electricity industry to respond to a security incident, incorporating lessons learned from GridEx 2011

    4. Evaluate senior leadership policy doctrine and triggers in response to major grid reliability issues


    GridEx II Participants

    CIPC Grid Exercise Working Group
      Core group of approximately 10 planners committed to a sustained scenario development effort
      Available for planning conferences and regular exercise design teleconferences

    Full Players
      Players that will be fully engaged in the exercise, responding to all relevant injects and coordinating activities across the player set
      Full player organizations generally engage in the planning process with sufficient time to orient players

    Monitor/Respond Players
      Entities that are not fully engaged in the GridEx planning process but express an interest in participating and gaining visibility into the exercise
      Monitor/Respond entities can receive injects, exercise internal processes and participate in coordination calls

    Planners
      Leaders of full player organizations that attend planning conferences, provide scenario feedback and orient players
      Provided opportunity to shape after action findings


    Scenario Imperatives

    CIPC Grid Exercise Working Group

    Broad Relevance and Application
      Given the diverse player set, the scenario should have far-reaching application that can exercise the plans and processes of all players
      Must test policy implications

    Cyber and Physical Vectors with Extended Conditions
      Scenario must feature cyber & physical attacks that engage a range of security staff
      Feature prolonged blackout, potentially to be played in TTX

    Highlights Timely Vulnerabilities and Issues
      Must feature current concerns and challenges facing industry
      To avoid one-size-fits-all, can craft several scenario workstreams for entities to select from


    GridEx II Timeline

    Kick-Off: C&O Meeting (February)
      Confirm goal & objectives
      Finalize timeline
      Discuss outreach goals/plan

    Initial Planning Phase: IPC (March 26)
      Initiate outreach
      Shape scenario themes
      Confirm exercise mechanics

    Mid-term Planning Phase: MPC (June 4)
      Craft scenario narrative
      Develop materials
      Confirm participation

    Final Planning Phase: FPC (October 1)
      Finalize MSEL
      Conduct training
      Distribute player materials
      Set up venue and logistics

    Conduct: Execute GridEx II (November 13-14)
      Oversee distributed play
      Facilitate senior TTX
      Capture player actions and findings

    After Action: Deliver Final Report (Q1 2014)
      Analyze findings and lessons learned
      Draft After Action Report and Briefing


    Operational and Discussion Based Play

    Distributed Exercise (2 days)
      Utilities
      Regional Entities
      Federal Agencies
      NERC BPSA & ES-ISAC
      Control System Vendors
      Players across the stakeholder landscape will participate from their local geographies

    Executive TTX (1/2 Day)
      Discussion-based construct engages senior decision makers in assessing distributed play and exploring policy triggers

    Exercise Control
      Oversees exercise play & facilitates interactions between exercise modules
      Injects and info sharing by email and phone


    Scenario Narrative: Mature scenario in written form that features key events, timing and expected player actions

    Developed by CIPC Working Group to meet objectives and engage player set

    Inject #1 (11/16: 0830)
    Inject #2 (11/16: 0900)
    Inject #3 (11/16: 0915)

    Individual injects (or pieces of information) derived from scenario narrative for release to players

    Exercise Play
      Players respond to injects through info sharing efforts, interaction with ExCon and other players
      ExCon and C/Es observe and capture interactions and craft dynamic injects as needed


    Current level of interest


    Compliance Concern
      If we play and identify a weakness due to non-compliance
      If we do not perform an expected player action that is in our procedures do we self report
      Legal teams not comfortable with submittal of data to NERC, ES-ISAC, law enforcement

    Possible Benefits
      PER training credits for operators
      CIP-008 exercise opportunity of Incident Response Plan
      Possible CIP-009 test opportunity
      Possible EOP-008 test opportunity
      CIP-001 exercise opportunity of reporting to local and state FBI
      EOP-004 procedure test opportunity
      OE-417 test reporting opportunity
      Utilize lessons learned to perform annual updates
      Test internal communications and notification lists


    Event

    Participants
      Transmission Operations
      Generation Operations
      Energy trading
      Field operations
      Tech service
      Communication & control
      OT teams
      Corporate IT
      Physical Security
      Major Accounts
      Executive Leadership
      Corporate communications
      State and local law enforcement

    Large conference room
      40-50 Players
      4-5 planners on site to coordinate and facilitate

    Utilize tools, DTS, QAS, Communications tools, reporting, IRP, physical security

    Utilize scenario activity gaps to whiteboard current status (war room simulation activity)

    Project and display scenario videos, all player injects and talk about how your organization would have seen the injects and who they would have communicated to.


    GridSecCon 2013

    Grid Security Conference 2013
    October 15-17, 2013
    Jacksonville, Florida

    Day 1
      Full day of training covering emerging topics
      Cyber and physical security

    Day 2-3
      Full agenda highlighting recent policy changes, cyber attacks, security convergence and response/recovery
