Follow us on LinkedIn and Twitter @RFirst Corp · 4/26/2018 · cip-004. cip-006. prc-024....
Forward Together • ReliabilityFirst
Follow us on LinkedIn and Twitter @RFirst_Corp
Enforcement Trends & Addressing Silos
Patrick O’Connor, Counsel; Kristen Senk, Senior Counsel
Agenda Topics
Update on enforcement trend data
Overview of CIP themes
Panel discussion on addressing organizational silos
Most Violated Standards
[Bar chart, 12 Month Rolling Count, y-axis Number of Violations: CIP-007 132, CIP-010 90, CIP-004 63, CIP-006 31, PRC-024 23, CIP-005 17, MOD-025 17, PRC-005 16, PRC-019 13, CIP-011 12]
Disposition Method
[Bar chart: number of violations by disposition method (Dismissal/CE, FFT, Settlement) for 2016, 2017, and 2018; y-axis 0 to 350]
Detective Controls
[Bar chart, Average Days from Start Date to Report Date, by date reported: 2014 746; 2015 671; 2016 293; 2017 329; 2018 310]
2018 CIP Themes Report
Purpose: identify themes in violations with the CIP Standards and suggest potential resolutions.
Collaboration: RF, WECC, and SERC worked with Registered Entities to identify the themes and resolutions.
Second Edition: first edition in 2015.
CIP Themes
[Pie chart of the CIP themes with shares of 45%, 29%, 15%, and 11%: Disassociation, Organizational Silos, Inadequate Tools, Lack of Awareness]
* The graph represents the violations that concern the more significant CIP compliance deficiencies.
Theme - Organizational Silos
Lack of coordination between departments, business units, and different levels of management
Vertical Silos (between Business Units or Departments)
Horizontal Silos (between Layers from the Top Down)
Organizational Silos
Panel Discussion
Bill Edwards, Assistant General Counsel, Exelon Corporation
Thomas Breene, Manager FERC/NERC Compliance, WEC Energy Group Business Services
Kristina Pacovsky, Managing Senior Corporate Counsel, Midcontinent Independent System Operator
Questions & Answers
GridEx IV Exercise Overview, April 26, 2018, Columbus, OH
GridEx IV Exercise - 2017
NERC conducted its fourth biennial grid security and emergency response exercise, GridEx IV, on November 15–16, 2017
GridEx IV consisted of a two-day distributed play exercise and a separate executive tabletop on the second day
The exercise provided an opportunity for stakeholders in the electricity sector to respond to simulated cyber and physical attacks affecting the reliable operation of the grid
Cyber Attack Scenario
Cyber-attacks targeted corporate networks and industrial control systems (ICS) such as process control systems, energy management systems, distribution management systems, and supervisory control and data acquisition systems (SCADA) used to operate generating units, transmission substations, and control centers. The attacks disrupt the ability of power system operators to monitor and control the reliability of the bulk power system (BPS)
Physical Attack Scenario
Simultaneous physical attacks against certain generation, transmission, and control center facilities cause large-scale power outages, while avoiding immediate and deliberate degradation to the level that would move the exercise into black start restoration plan scenarios. Voice and data communications systems used by BPS operations and security personnel are also affected by physical attack, hindering their ability to respond to the situation
Communications Challenges
GridEx IV also provided participating organizations with the opportunity to exercise how they receive and share information with external stakeholders, including customers, local government officials, and the general public
GridEx IV Exercise - Objectives
Exercise incident response plans
Expand local and regional response
Engage critical interdependencies
Improve communication
Gather lessons learned
Engage senior leadership
GridEx IV Exercise - Participation
GridEx Exercise – Lessons Learned
Some exercise scenarios or “moves” require more integration into the master scenario
More active Lead Planners
Greater Cross-Sector Participation
E-ISAC Portal Improvements
EEI and the E-ISAC should work together to further operationalize the Cyber Mutual Assistance (CMA) Program
GridEx IV Exercise – RF Participation
Engaged the EASA, IT, and Corporate Communications Teams, and the CSO
EASA “played” in our normal roles following the master scenario events as played out by electric utilities in our footprint
IT “played” by responding to a custom scenario which was created and played out simulating an RF data breach event
GridEx IV Exercise – RF Participation (cont.)
Corporate Communications “played” following the exercise master scenario events as played out by electric utilities and also responding to the RF data breach event coordinating with IT, the CSO, and Executives
The CSO “played” by responding to and interacting with EASA, IT, Corporate Communications, and Executives for both the master scenario events and the custom RF data breach scenario
Support was provided by the Enforcement Team acting as RF users affected by the RF Data Breach event
GridEx IV Exercise – RF Lessons Learned
Procedure and Process updates
Tools updates and training
Communication protocol updates (internal & external)
Emergency response action updates
Increase RF IT involvement in future exercises to test our response capabilities more completely
GridEx IV Exercise – Follow on Activities
Review and comment on the GridEx IV After Action Report
Review and implement Lessons Learned
Planning for GridEx V in 2019
FERC Cyber Planning for Response and Recovery (CyPReS) Study
Why participate in GridEx Exercises?
It’s fun! Just ask your Lead Planner…
It’s customizable!
Industry participants take part from their regular work locations
Provides an opportunity for utilities to demonstrate how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents
Strengthen your crisis communications relationships
Questions & Answers
Project 2016-02 CIP Modifications: Standard Drafting Team Outreach Slides
RELIABILITY | ACCOUNTABILITY
Agenda
• Project 2016-02 Scope
• CIP-002 Modifications: Planned and Unplanned Changes
• CIP-012 Modifications
• Control Center Definition
• V5TAG Transition Document Definitions
• Virtualization
SAR – FERC Directives
• Per paragraph 53, “…the Commission concludes that modifications to CIP-006-6 to provide controls to protect, at a minimum, communication links and data communicated between bulk electric system Control Centers are necessary in light of the critical role Control Center communications play in maintaining bulk electric system reliability. Therefore, we adopt the NOPR proposal and direct that NERC, pursuant to section 215(d)(5) of the FPA, develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”
SAR – V5TAG Items
• Cyber Asset and BES Cyber Asset (BCA) Definitions: clarify the intent of “programmable” in Cyber Asset; clarify and focus the definition of “BES Cyber Asset”.
• Network and Externally Accessible Devices: improve clarity within the concepts and requirements.
• Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations. Clarify:
  o the applicability of requirements on a TO Control Center that performs the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES;
  o the definition of Control Center;
  o the language scope of “perform the functional obligations of” throughout the Attachment 1 criteria.
SAR - Virtualization
• The SDT identified the following areas that it intends to address as part of its work on virtualization:
  o Determine the level to which mixing Cyber Asset classes is permitted (CIP-applicable with non-CIP applicable, EACMS/PACS with BCS, Low/Medium/High BCS, EACMS/PACS with non-CIP applicable, etc.). Clarify in requirements/definitions/guidance the permitted architectures and the controls necessary to permit them.
  o Address the treatment of components typically associated with virtualization: hypervisor, management control, and physical hardware.
  o Address treatment of each class of virtualization (server, network including SDN, and storage), including identifying any differences in treatment between classes.
  o Address VLANs, particularly the scenario in which there is a switch that has at least one VLAN inside the ESP and one VLAN outside the ESP.
  o Address monitoring-only EACMS and whether the risk profile of these systems is such that they should be treated differently than other EACMS.
CIP-002-6a Modifications
• The first ballot received 66.78% approval.
• Based on comments and voting:
  o The SDT did not modify criterion 2.12 for the second ballot.
  o The SDT modified the Background section of the Standard to remove information related to CIP version 4.
  o The SDT extended the implementation timeline to be effective on the first day of the first calendar quarter that is three (3) calendar months after the effective date.
  o The SDT updated the Guideline and Technical Basis document.
  o The SDT updated the Implementation Guidance document.
• The SDT added the Planned and Unplanned Change language to the Standard.
CIP-002-6a Modifications
2.12. Control Centers or backup Control Centers, not included in High Impact Rating above, that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below. The "aggregate weighted value" for a Control Center or backup Control Center is determined by summing the "weight value per line" shown in the table below for each BES Transmission Line monitored and controlled by the Control Center or backup Control Center.

| Voltage Value of a Line | Weight Value per Line |
|---|---|
| less than 100 kV | (not applicable) |
| 100 kV to 199 kV | 250 |
| 200 kV to 299 kV | 700 |
| 300 kV to 499 kV | 1300 |
| 500 kV and above | 0 |
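The criterion 2.12 arithmetic above, worked through in code as an added example (not material from the SDT or ReliabilityFirst): the line inventory, line names and voltages are constructed sample data, and the helper names are this example's own.

```python
"""Criterion 2.12 of CIP-002 Attachment 1: compute a Control Center's
"aggregate weighted value" from the BES Transmission Lines it monitors and
controls, and test it against the 6000 threshold.

Added illustration for this presentation, not code from the SDT or from
ReliabilityFirst.  The inventory at the bottom is constructed sample data
with hypothetical line names and voltages.
"""
from dataclasses import dataclass
from typing import Iterable

# Weight table from the criterion as half-open kV bands:
# (lowest kV inclusive, upper bound exclusive, weight per line).
# Lines below 100 kV are "not applicable" and lines at 500 kV and above carry
# weight 0 in this table, so neither band adds to the aggregate.
WEIGHT_BANDS = (
    (100, 200, 250),
    (200, 300, 700),
    (300, 500, 1300),
)
THRESHOLD = 6000  # the text reads "exceeding 6000", i.e. strictly greater


@dataclass(frozen=True)
class TransmissionLine:
    name: str
    voltage_kv: float
    monitored: bool   # the Control Center monitors this line
    controlled: bool  # the Control Center controls this line


def weight_per_line(voltage_kv: float) -> int:
    """Return the "weight value per line" for a line's nominal voltage."""
    if voltage_kv < 0:
        raise ValueError("voltage must be non-negative")
    for low, high, weight in WEIGHT_BANDS:
        if low <= voltage_kv < high:
            return weight
    return 0  # below 100 kV (not applicable) or 500 kV and above (weight 0)


def aggregate_weighted_value(lines: Iterable[TransmissionLine]) -> int:
    """Sum the weights of every line the Control Center both monitors and
    controls.  A line that is only monitored (or only controlled) is not
    "monitored and controlled" and does not count toward the aggregate."""
    return sum(
        weight_per_line(line.voltage_kv)
        for line in lines
        if line.monitored and line.controlled
    )


def meets_criterion_2_12(lines: Iterable[TransmissionLine],
                         already_high_impact: bool = False) -> bool:
    """True if the Control Center qualifies as medium impact under 2.12.

    Two edge cases the criterion text fixes: a Control Center already in the
    High Impact Rating is excluded ("not included in High Impact Rating
    above"), and the aggregate must strictly exceed 6000, so a Control Center
    at exactly 6000 does not qualify."""
    if already_high_impact:
        return False
    return aggregate_weighted_value(lines) > THRESHOLD


# Constructed sample inventory (hypothetical names and voltages).
SAMPLE_LINES = [
    TransmissionLine("Alder-Birch", 345, True, True),     # 1300
    TransmissionLine("Birch-Cedar", 345, True, True),     # 1300
    TransmissionLine("Cedar-Dogwood", 345, True, True),   # 1300
    TransmissionLine("Dogwood-Elm", 230, True, True),     #  700
    TransmissionLine("Elm-Fir", 230, True, True),         #  700
    TransmissionLine("Fir-Gum", 138, True, True),         #  250
    TransmissionLine("Gum-Hazel", 138, True, True),       #  250
    TransmissionLine("Hazel-Ivy", 69, True, True),        #    0 (below 100 kV)
    TransmissionLine("Ivy-Juniper", 500, True, True),     #    0 (500 kV and above)
    TransmissionLine("Juniper-Kauri", 345, True, False),  #    0 (monitored only)
]

if __name__ == "__main__":
    total = aggregate_weighted_value(SAMPLE_LINES)
    print(f"aggregate weighted value: {total}")           # 5800
    print(f"meets criterion 2.12: {meets_criterion_2_12(SAMPLE_LINES)}")
```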
Planned/Unplanned Changes
• The SDT held a webinar on February 14, 2018 to discuss changes to the standard related to the Planned and Unplanned Changes language that was previously found in the Implementation Plan.
• The SDT used a polling feature to gather feedback from industry on the changes. The feedback from industry was extremely positive:
  o 97% of respondents agreed with moving the language to the standard
  o 86% of respondents agreed with the potential language
  o 94% of respondents agreed with not including the language in CIP-012
• The Planned and Unplanned Change language is being moved from the implementation plan to the standard.
• The Implementation Plan will continue to cover timelines based on changes to a standard; a new section in the standard will be added to identify timelines based on changes to a BES asset or Cyber Asset.
Planned/Unplanned Changes
• Planned Changes refer to changes to the Bulk Electric System or Cyber Asset(s) that were planned and implemented by the Responsible Entity or with the Responsible Entity’s awareness. Planned Changes typically involve a change to a Bulk Electric System asset (e.g., substation, generating resource, Control Center) or a change to a Cyber Asset that was foreseen by the Responsible Entity. Examples of Planned Changes include: (1) placing a new transmission substation into service or adding a new line to an existing substation; (2) placing a new BES generation resource into service or adding a generation resource to an existing plant; (3) placing a new primary or backup Control Center or associated data center into service or implementing a new supervisory control and data acquisition (SCADA) system or energy management system (EMS) or an upgrade to an existing SCADA system or EMS; (4) implementing a project for substation automation where Cyber Assets are installed, upgraded, or replaced such as electromechanical relays being replaced with digital relays; or (5) implementing a control system upgrade at a generating resource.
Planned/Unplanned Changes
• Unplanned Changes refer to (i) any changes to the Bulk Electric System or a Cyber Asset that occur without the entity’s awareness or (ii) changes to the categorization of a Cyber Asset caused by a notification from another entity or the output of a planning study. Examples of Unplanned Changes include: (1) when a Responsible Entity is notified (internally or externally) that a generation Facility has been designated as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year (CIP-002, Attachment 1, Criterion 2.3); (2) when a Responsible Entity is notified (internally or externally) that a generation or Transmission Facility has been identified as critical to the derivation of an IROL and their associated contingencies (CIP-002, Attachment 1, Criterion 2.6); (3) when a generating resource that is connected at less than 100 kV is designated as a new Blackstart Resource along with its Cranking Path (CIP-002, Attachment 1, Criterion 3.4); or (4) when a system study that shows changes in customer load have resulted in crossing the 300 MW threshold of a load shedding system as described in Criterion 2.10 of CIP-002, Attachment 1.
Planned/Unplanned Changes
Planned and Unplanned Changes: If a Responsible Entity has a Planned Change or Unplanned Change, the Responsible Entity shall comply with the requirements in this Reliability Standard in accordance with the following:
For Planned Changes resulting in a new BES Cyber System or a change in categorization for an existing BES Cyber System, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard upon the commissioned date of the Planned Change. For this provision, the commissioned date is the date a new or modified Bulk Electric System asset or Cyber Asset is capable of impacting the BES. For requirements that contain periodic obligations, initial performance of those obligations following a Planned Change shall occur within the first period following the commissioned date of the Planned Change.
Planned/Unplanned Changes
For Unplanned Changes, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard according to the timelines in the table below. As used in the table, the phrase “BES asset type” refers to the following BES asset types listed in Requirement R1 of CIP-002: (i) Control Centers or backup Control Centers; (ii) Transmission stations or substations; (iii) generation resources; (iv) systems and facilities critical to system restoration including Blackstart Resources and Cranking Paths and initial switching requirements; (v) Special Protection Systems that support the reliable operation of the Bulk Electric System; and (vi) the Distribution Provider Protection Systems specified in Applicability section 4.2.1.
Planned/Unplanned Changes: Implementation Period for Unplanned Changes

| Scenario of Unplanned Change | Implementation Period |
|---|---|
| New high impact BES Cyber System associated with a BES asset type where the Responsible Entity has previously identified a medium or high impact BES Cyber System associated with that same BES asset type | 12 calendar months from the date of notification or detection of the Unplanned Change. |
| New high impact BES Cyber System associated with a BES asset type where the Responsible Entity has not previously identified a medium or high impact BES Cyber System associated with that same BES asset type | 24 calendar months from the date of notification or detection of the Unplanned Change. |
| New medium impact BES Cyber System associated with a BES asset type where the Responsible Entity has previously identified a medium or high impact BES Cyber System associated with that same BES asset type | 12 calendar months from the date of notification or detection of the Unplanned Change. |
| New medium impact BES Cyber System associated with a BES asset type where the Responsible Entity has not previously identified a medium or high impact BES Cyber System associated with that same BES asset type | 24 calendar months from the date of notification or detection of the Unplanned Change. |
| New low impact BES Cyber System associated with a BES asset type where the Responsible Entity has previously identified a low, medium, or high impact BES Cyber System associated with that same BES asset type | 12 calendar months from the date of notification or detection of the Unplanned Change. |
| New low impact BES Cyber System associated with a BES asset type where the Responsible Entity has not previously identified a low, medium, or high impact BES Cyber System associated with that same BES asset type | 24 calendar months from the date of notification or detection of the Unplanned Change. |
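The Unplanned Change table and the two rules that accompany it (periodic obligations and prior categorization), as an added worked example that is not the SDT's or ReliabilityFirst's code; the function names, the notification date and the 15-month periodic obligation are this example's own constructed inputs, and counting "calendar months" as a plain month add with the day clamped to month end is an assumption of the example.

```python
"""Implementation Period for an Unplanned Change under draft CIP-002-6a.

Added illustration for this presentation, not code from the SDT.  It encodes
the six-row table plus the two rules that follow it: periodic obligations are
first due within the first period after the Implementation Period ends, and a
system moving to a higher categorization keeps complying with its prior
categorization during the Implementation Period.  Treating "calendar months"
as a plain month add (day clamped to month end) is this example's assumption,
not language from the standard.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

IMPACT_LEVELS = ("low", "medium", "high")  # ordered from lowest to highest


def qualifying_prior_impacts(new_impact: str) -> frozenset:
    """Impact ratings of a previously identified BES Cyber System (same BES
    asset type) that put the entity on the 12-month timeline.  For a new low
    impact system any prior low/medium/high system counts; for a new medium
    or high impact system only a prior medium or high system counts."""
    if new_impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {new_impact!r}")
    if new_impact == "low":
        return frozenset(IMPACT_LEVELS)
    return frozenset(("medium", "high"))


def implementation_period_months(new_impact: str,
                                 prior_impacts_for_asset_type: Iterable[str]) -> int:
    """12 calendar months if a qualifying system was previously identified
    for that BES asset type, otherwise 24."""
    previously = qualifying_prior_impacts(new_impact) & set(prior_impacts_for_asset_type)
    return 12 if previously else 24


def add_calendar_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping the day to the target month's
    length (assumption: 31 Jan + 1 month -> 28/29 Feb)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class UnplannedChangeTimeline:
    implementation_months: int
    deadline: date                          # newly applicable requirements apply from here
    first_periodic_due: Optional[date]      # first performance of a periodic obligation
    comply_as_during_period: Optional[str]  # prior categorization still in force until deadline


def unplanned_change_timeline(new_impact: str,
                              prior_impacts_for_asset_type: Iterable[str],
                              notified_on: date,
                              periodic_months: Optional[int] = None,
                              existing_categorization: Optional[str] = None
                              ) -> UnplannedChangeTimeline:
    """Build the timeline from the date of notification or detection.

    existing_categorization is the current rating of a system whose
    categorization the Unplanned Change raises; it is only carried forward
    when it is actually lower than new_impact (the "higher categorization"
    rule), otherwise there is no prior categorization to keep complying with.
    """
    months = implementation_period_months(new_impact, prior_impacts_for_asset_type)
    deadline = add_calendar_months(notified_on, months)
    first_due = add_calendar_months(deadline, periodic_months) if periodic_months else None
    keep_prior = None
    if existing_categorization is not None:
        if existing_categorization not in IMPACT_LEVELS:
            raise ValueError(f"unknown impact level: {existing_categorization!r}")
        if IMPACT_LEVELS.index(existing_categorization) < IMPACT_LEVELS.index(new_impact):
            keep_prior = existing_categorization
    return UnplannedChangeTimeline(months, deadline, first_due, keep_prior)


if __name__ == "__main__":
    # Constructed scenario: a medium impact system at a Control Center is
    # re-rated high after an external notification on 2018-04-26; the entity
    # already had medium impact systems for that asset type, and one of the
    # newly applicable requirements has a 15-calendar-month period.
    t = unplanned_change_timeline("high", {"medium"}, date(2018, 4, 26),
                                  periodic_months=15, existing_categorization="medium")
    print(f"{t.implementation_months} months; comply by {t.deadline}; "
          f"first periodic obligation by {t.first_periodic_due}; "
          f"meanwhile comply as {t.comply_as_during_period} impact")
```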
Planned/Unplanned Changes
For requirements that contain periodic obligations, initial performance of those obligations following an Unplanned Change shall occur within the first period following the date that the Implementation Period ends, as defined in the table above.
For Unplanned Changes resulting in a higher categorization for an existing BES Cyber System, the Responsible Entity shall continue to comply with the applicable requirements of the prior categorization during the Implementation Period defined above.
CIP-012-1 Modifications
• The second ballot received 63.91% approval.
• Based on comments and voting:
  o The SDT combined Requirements R1 and R2.
  o Removed “and control” from Requirement R1.
  o Removed “demarcation” from Requirement part 1.2.
  o Removed “roles” from Requirement part 1.3.
  o The SDT updated the Technical Rationale and Justification document.
  o The SDT updated the Implementation Guidance document.
• The SDT did not add the Planned and Unplanned Change language to the Standard.
CIP-012-1 Modifications
R1. The Responsible Entity shall implement one or more documented plan(s) to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between any Control Centers. This requirement excludes oral communications. The plan shall include: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
1.1 Identification of security protection used to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;
1.2 Identification of where the Responsible Entity applies security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers; and
1.3 When different Responsible Entities own or operate the Control Centers, identification of the responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between those Control Centers.
Control Center Definition
• The team reviewed several scenarios that could be identified as meeting the current definition of Control Center, but that the team thought were not consistent with the spirit of the definition.
Control Center Definition
• SDT discussion:
o "Operating personnel" is undefined and could be interpreted to mean anyone who could operate the BES, including field switching personnel.
o "Two or more locations" may be too broad without further context and does not reflect the realities of how today's renewable generation is built.
o "Monitor and control" could have multiple interpretations and needs to tie to the functions performed by the registered entities. Control should include the concept of jurisdictional authority and the ability to issue directives, such as in the case of an RC control system that may not have the capability to open and close breakers directly.
o Use of the defined term "Real-time" or the undefined term "real-time": the team expressed concerns with the definition of Real-time, but ultimately weighed in favor of consistency with the use of the term based on its inclusion in the PER-005-2 standard.
• In response to the concerns discussed, the SDT developed modifications to the Control Center definition to make specific inclusions and exclusions. This model was based on the BES definition, which also has specific inclusions and exclusions as part of the definition.
Control Center Definition (proposed)
One or more facilities, including their associated data centers, that monitor and control the Bulk Electric System (BES) and also host operating personnel who:
1) perform the Real-time reliability-related tasks of a Reliability Coordinator; or
2) perform the Real-time reliability-related tasks of a Balancing Authority; or
3) perform the Real-time reliability-related tasks of a Transmission Operator for Transmission Facilities at two or more locations; or
4) can act independently as the Generator Operator to develop specific dispatch instructions for generation Facilities at two or more locations; or
5) can operate or direct the operation of a Transmission Owner's Bulk Electric System Transmission Facilities in Real-time.
Operating personnel do not include:
1) plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications; or
2) Transmission Owner or Transmission Operator field switching personnel.
Virtualization
• Assessed body of CIP requirements
o Virtualization focus assessment
o Reviewed requirements against the issue areas identified in the V5TAG transfer document
• SDT discussion of next steps
o Implementation guidance
o Modify requirements to address virtualization
o Develop new requirements as appropriate
o No modifications needed
Next Steps
• Post CIP-002, CIP-012 and Control Center 45-day Comment and Ballot Period: March 16 – April 30, 2018
• Continue Virtualization and other V5TAG Transition document discussion
Conference Call Schedule
Conference dial-in: see the NERC calendar for WebEx info.
Reserved call times:
• Fridays, 11 a.m. – 1 p.m. (ET): full team update
o Discussion topics will vary based on the issue area work progress.
o Check the NERC Standards calendar of events for the most updated information.
Issue area working calls (scheduled if needed on the NERC Standards Calendar):
• Tuesdays, Noon – 2 p.m. (ET): issue area working session
• Thursdays, Noon – 2 p.m. (ET): issue area working session
o Issue area working calls will be scheduled as needed to allow the sub-teams to process input and develop proposals.
SDT Meeting Schedule
2018 planned dates:
• March 27-29, 2018 (NERC – Atlanta, GA)
• May 8-10, 2018 (Texas Reliability Entity, TX)
• June 19-21, 2018 (NERC – Atlanta, GA)
• July 10-12, 2018 (WECC, Salt Lake City, UT)
• September 4-6, 2018 (BPA – Portland, OR)
Resources
• Information relative to the CIP Modifications project and SDT may be found on the Project 2016-02 Project Page under Related Files: Project 2016-02 Modifications to CIP Standards
• Jordan Mallory, NERC Standards Developer, [email protected] (Office)
Sergio Caltagirone (@cnoanalysis)
We can’t know all the threats or the capabilities of the adversary
We can’t know all the vulnerabilities of our software, hardware, or the people who use it
We can’t determine which assets have value to the adversary
- @peteherzog
"The adversary needs to be right once, the defender needs to be right every time"*
*Every day in Information Security
The Defender's Advantage
The threat environment demands a new approach – a new dedication – to be present and active in our defense.
Threat Intelligence
Why: Threat intelligence reduces harm by improving decision making before, during, and after cybersecurity incidents, reducing operational mean time to recovery and reducing adversary dwell time.
What: Threat intelligence is previously unknown knowledge of malicious cyber activity enabling better decision making in network protection and response.
What adversaries use, including their capabilities and infrastructure
Who adversaries are, comprising the actors, sponsors, and employers
Where adversaries target, detailing industries, verticals and geographic regions
When adversaries act, identifying timelines and patterns of life
Why adversaries attack, including their motives and intent
How adversaries operate, focused on their behaviors and patterns
Threat Intelligence "3 Question Rule"
All threat intelligence should answer three questions, enabling the audience to quickly identify the relevance and impact to their organization, followed by immediate action if necessary.
• Threat: What is the threat? Addressing who, what, where, when, why, and how.
• Impact: What is the impact to an organization if the threat were realized?
• Action: Which actions mitigate the threat in both the near and mid-term?
Threat Intelligence: A Composite of Two Elements
Threat intelligence is comprised of two elements: context and action. Without either, intelligence is neither actionable nor understandable.
• Context describes the threat and proves or disproves the relevance and impact to the audience. "Context is king," helping organizations properly prioritize their action and response when overwhelmed with alerts and alarms.
• Action provides technical and policy recommendations customized for the threat, its behavior, and impact.
Integrating Threat Intelligence Across the Security Process
• Detect: identify active threats using threat behavior analytics
• Respond: mitigate detected threats through incident response
• Prevent: proactively prevent through policy, education, and technology
Threat Intelligence Types

| Threat Intelligence Type | Audience | Description |
|---|---|---|
| Tactical | Security Operations; Network Defenders; Incident Response | Technical indicators and behaviors to inform network-level action and remediation |
| Operational | Threat Hunters; Incident Response; Security Leadership | Intelligence on adversary behavior informing holistic remediation, threat hunting, behavioral detection, purchasing decisions, and data collection |
| Strategic | Security Leadership; Organizational Leadership | Places threat into a business context and describes strategic impact, informing risk management and organizational direction |
ICS Threat Intelligence Categories
ICS threat intelligence falls into three categories; intelligence not conforming to these categories generally does not support industrial control security demands.
• Interested Adversaries: intelligence on activities of adversaries known to have an interest in control systems and operational networks. Example: DRAGONFLY compromises victim networks to gather information on their industrial control systems and related operations, but has not yet been identified as disrupting or directly interfacing with industrial control systems.
• Direct ICS Impact: intelligence on threats directly affecting the operation of industrial control systems. Example: CRASHOVERRIDE is a malware framework designed and deployed to disrupt electric power transmission.
• Indirect ICS Impact: intelligence on threats not associated with industrial control systems but with a high likelihood of disrupting their operation. Example: WANNACRY ransomware does not target industrial control systems, but its capability has shown to be debilitating to organizations when it can access operational networks.
2017 ICS Vulnerability Advisories
Dragos' 2017 Year in Review reports revealed that for ICS vulnerabilities:
• 64% of vulnerability patches did not fully eliminate the risk
• 72% of advisories provided no alternate mitigation to the patch
• Only 15% of vulnerabilities could be leveraged to gain initial access
Vulnerability Description Elements
Vulnerability analysis is necessary for complete threat intelligence. Threat intelligence producers must include four elements of information about a vulnerability to ensure good decision-making.
• Description: a short and easily understood description of the vulnerability, accessible to most security professionals
• Impact: the potential impact of the vulnerability when leveraged by an adversary
• Mitigation: the actions available to defenders to prevent or reduce the risk of the vulnerability impacting operations
• Threat Awareness: understanding the vulnerability in the threat environment, including active exploitation and the scope and scale of such use
Distinguishing Threat Intelligence Products
Three elements clearly distinguish threat intelligence products. An evaluation of any threat intelligence product and producer should examine these elements, which will help a customer select the best ones for their business.
• Data Sources and Visibility: a producer must have the data sources and visibility into the threats affecting the customer's environment. Without the proper data there can be no relevant intelligence.
• Contextual Awareness: a producer must have an understanding of the customer's business in order to make intelligence immediately relevant. Otherwise, the customer must translate all intelligence into their domain themselves.
• Action Relevance: a producer must understand the customer's operations so that they may recommend proper actions without causing undue harm or simply stating generic best practices.
CART: Identifying Good Threat Intelligence
• Completeness: threat intelligence must provide sufficient detail to enable a proper response
• Accuracy: inaccurate threat intelligence is worse than no threat intelligence, and any quality threat intelligence must be accurate
• Relevance: threat intelligence must address only threats relevant to the organization and be delivered in a method that allows for effective action
• Timeliness: threat intelligence must be produced and delivered quickly so that it can be used fast enough to make a difference
Threat Intelligence: Measuring Return on Investment (ROI)
• Mean Adversary Dwell Time: the time measured between when an adversary first gained unauthorized access to a network/system and when incident response successfully severed adversary access and control
• Mean Time to Recovery: the time from when an adversary first causes an operational disruption to when operations return to normal
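A worked illustration of the two ROI metrics defined above, added here as an example; it is not code from the presentation or from any Dragos tooling. It assumes a minimal incident record carrying the four timestamps the definitions name, and the incidents themselves are constructed. What it shows beyond the definitions is the two edge cases a metrics owner has to decide on: an incident whose access has not yet been severed has no dwell time to report (counting it as of today would understate the mean), and only incidents that actually disrupted operations and have recovered enter mean time to recovery.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    """Minimal incident record (assumed structure, not a NERC or Dragos schema)."""
    name: str
    first_access: datetime                        # adversary first gained unauthorized access
    access_severed: Optional[datetime]            # IR severed adversary access/control; None = still open
    disruption_start: Optional[datetime] = None   # first operational disruption; None = no disruption
    operations_normal: Optional[datetime] = None  # operations back to normal; None = not yet


def dwell_times(incidents: List[Incident]):
    """Per-incident adversary dwell time (first access -> access severed).
    Open incidents are excluded: their dwell time is still growing, so counting
    them as of 'now' would understate the mean."""
    return [i.access_severed - i.first_access
            for i in incidents if i.access_severed is not None]


def recovery_times(incidents: List[Incident]):
    """Per-incident time to recovery (first disruption -> operations normal).
    Only incidents that caused a disruption and have fully recovered count."""
    return [i.operations_normal - i.disruption_start
            for i in incidents
            if i.disruption_start is not None and i.operations_normal is not None]


def mean_hours(deltas) -> Optional[float]:
    """Mean of timedeltas in hours; None when there is nothing to average."""
    seconds = [d.total_seconds() for d in deltas]
    if not seconds:
        return None
    return mean(seconds) / 3600.0


def mean_adversary_dwell_time_hours(incidents: List[Incident]) -> Optional[float]:
    return mean_hours(dwell_times(incidents))


def mean_time_to_recovery_hours(incidents: List[Incident]) -> Optional[float]:
    return mean_hours(recovery_times(incidents))


# Constructed sample incidents (illustrative only; times in UTC).
SAMPLE_INCIDENTS = [
    # Quiet intrusion caught by threat hunting: ten days of access, no disruption.
    Incident("recon-on-EMS-DMZ",
             first_access=datetime(2018, 1, 2, 8, 0),
             access_severed=datetime(2018, 1, 12, 8, 0)),
    # Intrusion that escalated into a twelve-hour operational disruption.
    Incident("substation-HMI-outage",
             first_access=datetime(2018, 2, 1, 0, 0),
             access_severed=datetime(2018, 2, 4, 0, 0),
             disruption_start=datetime(2018, 2, 3, 6, 0),
             operations_normal=datetime(2018, 2, 3, 18, 0)),
    # Still open: access not yet severed, so it is excluded from the dwell-time mean.
    Incident("vpn-credential-reuse",
             first_access=datetime(2018, 3, 10, 12, 0),
             access_severed=None),
]


if __name__ == "__main__":
    print("mean adversary dwell time (h):", mean_adversary_dwell_time_hours(SAMPLE_INCIDENTS))
    print("mean time to recovery (h):    ", mean_time_to_recovery_hours(SAMPLE_INCIDENTS))
```

Tracked over successive quarters, both numbers should fall as intelligence-driven hunting shortens the interval before access is severed and as playbooks built on known adversary behaviour shorten recovery; a flat line after a threat intelligence purchase is the signal to revisit the CART criteria above.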
Attacks in Context
• 5 ICS-tailored malware families: Stuxnet, Havex, BlackEnergy2, CRASHOVERRIDE, TRISIS
• 3 with intent to disrupt industrial processes: Stuxnet, CRASHOVERRIDE, TRISIS
• 2 identified in 2017:
o CRASHOVERRIDE: first malware to target grid operations
o TRISIS: first malware to target SIS
Activity Groups
CHRYSENE
• Links: OilRig, Greenbug
• IT compromise, information gathering and recon against industrial orgs
• Victimology: Oil & Gas, Manufacturing, Europe, MENA, N. America
• Capabilities: Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR
COVELLITE
• Links: Lazarus, Hidden Cobra
• IT compromise with hardened anti-analysis malware against industrial orgs
• Victimology: Electric Utilities, US
• Capabilities: Encoded binaries in documents, evasion techniques
DYMALLOY
• Links: Dragonfly2, Berserker Bear
• Deep ICS environment information gathering, operator credentials, industrial process details
• Victimology: Turkey, Europe, US
• Capabilities: COODOR, DORSHEL, KARAGANY, Mimikatz
ELECTRUM
• Links: Sandworm
• Electric grid disruption and long-term persistence
• Victimology: Ukraine, Electric Utilities
• Capabilities: CRASHOVERRIDE
MAGNALLIUM
• Links: APT33
• IT network limited, information gathering against industrial orgs
• Victimology: Petrochemical, Aerospace, Saudi Arabia
• Capabilities: STONEDRILL wiper, variants of TURNEDUP malware
ALLANITE
• Links: Palmetto Fusion
• Watering-hole and phishing leading to ICS recon and screenshot collection
• Victimology: Electric utilities, US & UK
• Capabilities: PowerShell scripts, THC Hydra, SecretsDump, Inveigh, PsExec
XENOTIME
• Links: None
• Focused on physical destruction and long-term persistence
• Victimology: Oil & Gas, Middle East
• Capabilities: TRISIS, custom credential harvesting
[Timeline figure: groups abbreviated XT, AL, MG, CV, DY, EL, CR, each marked with an active-since year from 2014 to 2017; the per-group years are not recoverable here]
ELECTRUM: Disrupting Electric Power Transmission
Attack flow: Penetrate ICS Network → Establish Foothold → Enumerate Systems & Protocols → Deliver Attack (takes time, access, and work)
• First grid-focused ICS attack via malware
• Extensible framework for launching attacks requiring protocol knowledge
• Wiper function specifically designed to impede ICS recovery
• Attack required widespread, persistent access to target network
XENOTIME: Attacking Safety Systems and a Threat to Life
Attack flow: Establish Access on SIS-Connecting System → Transfer TRISIS Base Module to System → Use TRISIS Base Module to Compromise SIS → Upload Follow-On Payloads
• Safety now a target for ICS operations
• Greater possibility for physically-destructive events
• Attack narrow but methodology may be replayed
What Can You Do?
1 Enable two-factor (not phone factor) authentication across internal assets and services
2 Control IT-OT boundary
3 Audit and secure safety systems
4 Add OT monitoring, look for behaviors, not indicators
5 Get ICS threat intelligence
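An added example of item 4, "look for behaviors, not indicators", tied to the Enumerate Systems & Protocols stage of the ELECTRUM attack flow shown earlier. It is not code from the presentation or from Dragos. Instead of matching a file hash or a C2 address, it flags any source that, within a short window, touches many distinct OT hosts on ICS protocol ports or speaks several ICS protocols, which is the pattern an enumeration step produces whatever tool generates it. The port-to-protocol table, the thresholds and the flow-record format are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed TCP port -> ICS protocol table (illustrative; extend for your environment).
ICS_PORTS = {
    102: "S7comm/ISO-TSAP",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Tuning assumptions: a single source reaching this many distinct OT hosts on ICS
# ports, or speaking this many distinct ICS protocols, within WINDOW is flagged.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_HOSTS = 5
MIN_DISTINCT_PROTOCOLS = 3


def parse_flow(line):
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <dst port>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_ics_enumeration(lines):
    """Behavioural detection of host/protocol enumeration on the OT network.

    Returns one finding per offending source: (src, window_start, hosts, protocols).
    No indicator of compromise is involved; the behaviour itself is the signal, so a
    new tool or a renamed binary is caught the same way as a known one.
    """
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f[0])
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ICS_PORTS:              # only ICS protocol traffic is relevant here
            by_src[src].append((ts, dst, dport))

    findings = []
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so events[start:end+1] spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            hosts = {dst for _, dst, _ in window}
            protocols = {ICS_PORTS[p] for _, _, p in window}
            if len(hosts) >= MIN_DISTINCT_HOSTS or len(protocols) >= MIN_DISTINCT_PROTOCOLS:
                findings.append((src, events[start][0], sorted(hosts), sorted(protocols)))
                break                       # one finding per source; an analyst takes over
    return findings


# Constructed flow records: an HMI polling one RTU every minute (benign), one host
# sweeping the RTU subnet across three ICS protocols in 25 seconds, and unrelated HTTPS.
SAMPLE_FLOWS = """
2018-04-26T10:00:00 10.1.5.7  10.2.0.10 2404
2018-04-26T10:01:00 10.1.5.7  10.2.0.10 2404
2018-04-26T10:02:00 10.1.5.7  10.2.0.10 2404
2018-04-26T10:03:00 10.1.5.23 10.2.0.10 502
2018-04-26T10:03:05 10.1.5.23 10.2.0.11 502
2018-04-26T10:03:10 10.1.5.23 10.2.0.12 502
2018-04-26T10:03:15 10.1.5.23 10.2.0.13 102
2018-04-26T10:03:20 10.1.5.23 10.2.0.14 2404
2018-04-26T10:03:25 10.1.5.23 10.2.0.15 20000
2018-04-26T10:04:00 10.1.5.7  10.2.0.10 2404
2018-04-26T11:30:00 10.1.5.40 10.2.0.20 443
"""


def run_sample():
    return detect_ics_enumeration(SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    for src, since, hosts, protocols in run_sample():
        print(f"{src}: enumeration from {since:%H:%M:%S}, hosts={hosts}, protocols={protocols}")
```

The benign HMI polling a single RTU never exceeds one host and one protocol, so it is not flagged; the sweeping host is flagged on its fifth distinct target. Thresholds belong in a per-site baseline (a SCADA master legitimately polls many outstations, but on a fixed schedule and a fixed protocol set), and the finding carries the hosts and protocols touched so an analyst can go straight to the affected devices.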
Defenders expect adversaries – time for the adversaries to expect defenders.
Sergio Caltagirone, [email protected], @cnoanalysis
NERC CIPC Workplan Update
Larry Bugh, Chief Security Officer & Director EASA
April 26, 2018
CIPC Organizational Chart
Executive Committee:
• Marc Child, Chair, Great River Energy
• David Grubbs, Vice Chair, City of Garland
• David Revill, Vice Chair, NRECA
• (vacant), Secretary, NERC
• Ross Johnson, Physical SME, Capital Power
• Brenda Davis, Cyber SME, CPS Energy
• Lisa Carrington, Ops SME, Arizona Public Service
• Jeff Fuller, Policy SME, AES
• Melanie Seader, EEI
• (vacant), APPA
• (vacant), EPSA
• (vacant), IPC
Subcommittees:
• Physical Security Subcommittee (Ross Johnson)
• Cybersecurity Subcommittee (Brenda Davis)
• Operating Security Subcommittee (Lisa Carrington)
• Policy Subcommittee (Jeff Fuller)
Working groups and task forces:
• Physical Security WG (PSAG) (Ross Johnson)
• Control Systems Security WG (Mike Mertz, Carter Manucy)
• Grid Exercise WG (Tim Conway)
• Security Metrics WG (Larry Bugh)
• Compliance and Enforcement Input WG (Paul Crist)
• Physical Security Guidelines TF (Darrell Klimitchek)
• Security Training WG (David Godfrey, Amelia Sawyer)
• Planning Committee Joint Project: Criticality Reduction (vacant)
• Supply Chain Working Group (vacant)
CIPC Charter
Key updates to the CIPC Charter:
• Minor verbiage update to acknowledge that security guidelines and standards implementation guidance are key deliverables of CIPC
• Added IEEE to the list of key collaborative organizations
• Added new non-voting member class: Partner Members
o Federal Energy Regulatory Commission
o US Department of Homeland Security
o US Department of Energy
o US Department of Energy Laboratories
o Public Safety Canada
o Natural Resources Canada
o Oil & Natural Gas subsector
o Telecomm sector
o Financial Services sector
o Critical Manufacturing sector
o Water sector
CIPC Strategic Plan and Workplan
2018 – 2019 Strategic Plan & Work Plan
• Change in format to better align with the Electric Reliability Organization (ERO) strategic goals:
o ERO Enterprise Long-Term Strategy
o ERO Reliability Risk Priorities ("RISC Report")
o E-ISAC Long Term Strategic Plan
• Appendix removed to reduce redundancy and enhance readability
• Organized into six major activities:
o Advisory panel to the NERC Board of Trustees (Board)
o Cyber security risk management
o Physical security risk management
o NERC standards implementation input
o BES security metrics
o Training, outreach, and industry communications
Plan available at https://www.nerc.com/comm/CIPC/Related%20Files%20DL/CIPC%20Strategic%20Plan%202018-2019.pdf
Advisory Panel to the NERC Board
• Reports to the Board; will become more strategic to address emerging risks and issues pertinent to the security of the BES
• Solicit Board input regarding priorities and new challenges
• Identify opportunities for collaboration with other subcommittees
• Decrease focus on status reporting and increase focus on the proactive resolution of issues
Cyber Security Risk Management
Cyber security program efforts:
• Identification and reduction of cyber risks
• Cyber security risk of Fuel Handling SCADA systems for Generation
• Updated guidance in relation to NERC's Remote Access Study
• GridEx planning and preparation
• Supply Chain (vendor security controls and legacy systems testing)
All designed to address the RISC, E-ISAC Long Term Strategic Plan, and the ERO Enterprise Long Term Strategy.
Physical Security Risk Management
Physical security program efforts:
• Identification and reduction of physical risks
• Security practices for High Impact Control Centers
• Security implications of drones on electric power
• Key management security for physical access
All designed to address the RISC, E-ISAC Long Term Strategic Plan, and the ERO Enterprise Long Term Strategy.
NERC Standards Implementation Input
Compliance and Enforcement Input Working Group (CEIWG)
Established to solicit industry stakeholders for input to assist NERC staff with clarification on compliance monitoring or enforcement, with the following documents:
• Implications of Cloud Services for CIP Assets (Pilot/Study)
• Implementation Guidance for Voice-over-IP services
• Implementation Guidance for Shared Transmission Facilities
BES Security Metrics
CIPC will utilize the expertise of its members, NERC staff, and others to provide direction, technical oversight, feedback on the collection of industry metrics, and reporting of BES security performance metrics.
• Security metrics derived from E-ISAC, compliance data, or other sources of periodic reporting
• Annual security assessment of the BES (NERC State of Reliability Report)
Training, Outreach, and Communications
CIPC will provide training, coordination, and communication with those responsible for both physical and cyber security across various industry segments.
• Reorganize information on NERC.com
• Industry-facing collaboration site to maximize joint project activities
• Publish annual training plan
Timeline of Activities

| # | CIPC Deliverable (non-ongoing projects) | Estimated Completion Date |
|---|---|---|
| 1 | Implications of Voice-over-IP and the CIP Standards | Q1 2018 |
| 2 | Develop CIPC Collaboration Site on NERC.com | Q2 2018 |
| 3 | CIP Implications of Shared Transmission Facilities | Q2 2018 |
| 4 | Key management security guideline | Q2 2018 |
| 5 | Vendor Essential Security Practices Model | Q3 2018 |
| 6 | Security implications of UAVs | Q3 2018 |
| 7 | Update CIPC Website on NERC.com | Q3 2018 |
| 8 | Implications of Cloud Services for CIP Assets | Q4 2018 |
| 9 | Assess the cyber security risk of Fuel Handling SCADA systems for Generation | Q1 2019 |
| 10 | Address Remote Access Security Findings #1-#18 | Q3 2019 |
| 11 | Identification and Reduction of Cyber and Physical Security Risks | Q4 2019 |
| 12 | Legacy system testing coordination with National Labs | Q4 2019 |
| 13 | Annual Security Assessment of the BES | Q4 2019 |
Questions & Answers