NERC Security Guideline Workshop Sponsored by: APPA, EEI and NRECA - PowerPoint PPT Presentation

Loading...

PPT – NERC Security Guideline Workshop Sponsored by: APPA, EEI and NRECA PowerPoint presentation | free to view - id: e9f7a-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

NERC Security Guideline Workshop Sponsored by: APPA, EEI and NRECA

Description:

Emergency Plans. Continuity of Business. Table of Contents, cont. 3. Communications ... Deal with incident until business unit recovery plan is implemented. CIRT ... – PowerPoint PPT presentation

Number of Views:94
Avg rating:3.0/5.0
Slides: 91
Provided by: northameri5
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: NERC Security Guideline Workshop Sponsored by: APPA, EEI and NRECA


1
NERC Security Guideline Workshop Sponsored by
APPA, EEI and NRECA
  • George T. Miserendino
  • Triton Security Solutions
  • Solutions_at_TritonSecSol.com
  • 952-423-3457


? Triton Security Solutions,Inc.
2
Table of Contents NERC Security Guideline
Workshop Overview and Development Session
  • Overview and Development
  • II. Electricity Sector Security Guidelines
  • Vulnerability Assessment and Risk Assessment
  • Threat Response
  • Emergency Plans
  • Continuity of Business

2

3
Table of Contents, cont.
  • Communications
  • Physical Security
  • Employment Screening
  • Protecting Sensitive Information
  • Cyber Security
  • I.T. Risk Management
  • Cyber Access Control
  • I.T. Firewalls
  • I.T. Intrusion Detection
  • Process Control Systems Security
  • Threat and Incident Reporting

3

4
Security Guidelines… Executive Summary
  • These guidelines describe
  • General approaches
  • Considerations
  • Practices
  • Planning philosophies
  • Implementation should reflect an individual
    organizations assessment of its own
  • Needs
  • Vulnerabilities and consequences
  • Tolerance for risk


4
5
Security Guidelines Basic Objective
  • The intent of the guidelines is to
  • Provide industry Best Practices for the
    protection of Critical Facilities against a
    Spectrum of Threats

5

6
Participants in The Guideline Development Process
  • North American Electric Reliability Council
  • Critical Infrastructure Protection Advisory Group
    (CIPAG) ….. Sponsored by NERC
  • National Rural Electric Cooperative Assoc.
  • Edison Electric Institute Security Committee
  • American Public Power Assoc.
  • Department of Energy
  • Department of Agriculture


6
7
Security Guidelines
  • Principles, continued
  • Each company is free to define and identify those
    facilities and functions it believes to be
    critical.
  • The ability to mitigate the loss of a facility
    through redundancies, spare parts and detailed
    response and recovery plans may make that
    facility less critical.


7
8
Security Guidelines
  • Critical Facility defined as
  • Any facility or combination of facilities, if
    severely damaged or destroyed, would have a
    significant impact on the ability
  • 1. To serve large numbers of customers for
    an extended period of time.
  • 2. Has a detrimental impact to the
    reliability or operability of the
  • energy grid.


8
9
Security Guidelines
  • Critical Facility, continued
  • 3. Would cause significant risk to
  • A. National security
  • B. National economic security
  • C. Public health and safety.


9
10
Security Guidelines
  • Spectrum of Threats
  • Weather-related incidents (storms, floods, fires,
    earthquakes, etc.)
  • Acts of vandalism
  • Acts of activism
  • Acts of terrorism
  • Acts of an insider


10
11
The Electricity Sector is a Target
  • Critical support to
  • Economy
  • National security
  • Public well-being
  • Conduit to national security or economic targets
  • Conduit to other critical infrastructures

11

Source NERC
12
Who is Targeting The Electricity Sector?
  • Hackers
  • Vandals
  • Activists
  • Criminals
  • Terrorists
  • Nation States
  • The threat is inside and outside!


Source NERC
12
13
Spectrum of Threats
1. What needs to be protected?
2. Who are we protecting against?
3. Worst Consequences Highest Probability
Prioritized Ranking

13
14
Who do We Need to Protect Against?
Threats
INSIDER
OUTSIDER
Activists
Disgruntled (ex) employee
Terrorist
Potentially violent or psychologically deranged
Vandalism
14

15
  • Guidelines Access
  • http//www.esisac.com/library.htm
  • http//www.oea.dis.anl.gov

15

16
NERC Vulnerability and Risk Assessment

17
Vulnerability And Risk Assessment Guideline
  • Purpose
  • Identify and prioritize critical facilities and
    impacts of loss.
  • Identify countermeasures to mitigate
    vulnerabilities of critical facilities.

17
18
Applicability
  • All companies should perform 5-step vulnerability
    assessment on Critical Facilities.
  • Focus is on facilities meeting the threshold
    definition for CRITICAL.

18
19
Implementation Considerations Best Practices
  • Use team approach Subject matter experts
    knowledgeable of system (brainstorming
    session)
  • Security/Facilities/Safety
  • Operations, Maintenance, and Logistics
  • Engineering
  • I.T.

19
20
Best Practices, cont.
  • Employ risk assessment worksheet process
  • Identify assets (critical facilities) and loss
    impact.
  • Characterize the threat.
  • Identify and analyze vulnerabilities
  • Consider interdependencies.
  • Assess risk (subjectively) and determine
    priorities.
  • Identify countermeasures, costs and trade-offs.

20
Source DOE
21
Identify Countermeasures, Costs and Trade-offs

21
Source DOE VRAP
22
Critical Facility Risk Value Table
22

23
NERC Threat Response Guideline

24
Threat Response Guideline
  • Purpose
  • Ensures that companies provide enhanced security
    in response to threat advisories.
  • Department of Homeland Security
  • NERC Threat Notices (ESISAC)
  • State Agencies
  • DHS / IAIP
  • D.O.T. (Combo Utilities)


24
25
Applicability
  • Plans, policies and procedures which contribute
    to the protection of company CRITICAL
    FACILITIES
  • NERC response guidance is consistent with the
    Homeland Security Advisory System
  • Describes elements for consideration based on
    threat levels
  • Addresses physical and cyber security threats


25
26
Homeland Security Advisory System
  • Purpose
  • Provides a comprehensive and effective means to
    disseminate information regarding the risk of
    terrorist or criminal attacks.
  • Five (5) levels intended to characterize
    appropriate levels of
  • Vigilance
  • Preparedness
  • Response


26
27
Homeland Security Advisory System
SEVERE Severe Risk of Terrorist Attacks
HIGH High Risk of Terrorist Attacks
ELEVATED Significant Risk of Terrorist Attacks
GUARDED General Risk of Terrorist Attacks
LOW Low Risk of Terrorist Attacks

Source Office of Homeland Security
27
28
NERC Physical Security

29
Physical Security Guideline
  • Purpose
  • Mitigates the threat through the implementation
    of physical security measures to
  • Safeguard Personnel
  • Prevent unauthorized access to critical
    equipment, systems, materials and information at
    CRITICAL FACILITIES
  • Applicability
  • Critical Equipment, systems, material and
    information at CRITICAL FACILITIES.

29
30
Implementation Considerations Best Practices
  • Implement a program and plan based on a SYSTEMS
    APPROACH of
  • Deterrence
  • Detection
  • Assessment and Communications
  • Delay and Response
  • Implement a security awareness program for
    employees
  • Priority Number 1
  • Observe and Report

30
31
Best Practices, cont.
  • Aware of The Environment
  • Heightened VIGILANCE
  • Limiting access to CRITICAL FACILITIES through
    applied technologies
  • Requesting law enforcement patrols during periods
    of heightened threat

31
32
Recommendation
  • Develop a security plan reflecting changes in
    THREAT LEVEL
  • Employ strategies of deterrence
  • Lighting
  • Signage
  • CCTV
  • Patrols

32
33
Elements of Physical Security
Signs, Patrols, Lighting, Fencing
Deter
Barriers, Security Officers, Police
Sensors, Patrols, Door Alarms
Delay Respond
Detect
Assess Communicate
Cameras, Central Alarm Station Monitoring
33
34
Physical Security Goals
  • Employee Safety.
  • Litigation Avoidance.
  • Prevention or Deterrence Against Intentional
    Disruption to the System.
  • Reduction of Theft.

34
35
NERC Emergency Plans Guideline

36
Emergency Plans Guideline
  • Purpose
  • Ensures the company is prepared to respond to
    Spectrum of Threats (Physical Cyber)
  • Trespassing
  • Vandalism
  • Civil Disruptions
  • Sabotage
  • Acts of Terror
  • Cyber Incidents

36

37
Applicability
  • Company defined CRITICAL FACILITIES
  • Focused on responding to incidents
  • Priority…restoration and recovery of THE
    SYSTEM


37
38
Implementation Considerations Best Practices
The Plan
  • Flexible
  • Update Annually
  • Update After an Incident
  • Identify lessons learned
  • What went right
  • What can be improved
  • Key Responders are identified with Specific
    Tasks Duties


38
39
Best Practices The Plan, continued
  • Designate Emergency Management Team
  • Operations and Maintenance
  • Communications
  • Logistics
  • I.T.
  • Security/Facilities/Safety
  • Media relations coordinator
  • Annual orientation for key responders
  • Annual TABLE TOP exercise
  • Scenario driven


39
40
Best Practices The Plan, continued
  • After actual employment of the plan or after
    TABLE TOP exercises
  • Perform a LESSONS LEARNED
  • Modify plan based on LESSONS LEARNED
  • Identify an alternative reporting location for
    key responders
  • Identify priorities for emergency response
  • Protecting life
  • Restoring services


40
41
Recommendation
  • Develop the security response plan and attach as
    a separate annex to WEATHER/STORM response plan
  • Assure consistency with NERC physical and cyber
    threat alert levels
  • Build on experiences in protecting critical
    infrastructure
  • Gulf War
  • Y2K
  • 9-11


41
42
Integrate Physical Security into the Plants and
Companys Overall Emergency Risk Management
Planning Program
The Four Phases of Emergency Risk Management
Mitigation
All Risks Hazards
Preparedness
Recovery
Response
42

43
Phases of Emergency Risk Management
  • Mitigation (long-term) Eliminate or reduce the
    chance of occurrence or the effects of a risk.
  • Preparedness (to respond) Planning how to respond
    in case a disaster occurs and how to ensure the
    right resources are available to respond
    effectively.
  • Response (to disaster) Planned or unplanned
    activities designed to provide emergency
    assistance to victims of the disaster and reduce
    the likelihood of further damage.
  • Recovery (short and long-term) Efforts to return
    the environment/victims to normal, or near normal
    status.

43

44
Implementation Strategy (I)
  • Overall, The Plan does not need to be detailed
    but is supported by detailed
  • System restoration plans
  • I.T. recovery plans
  • Life safety plans
  • Business unit continuity plans
  • Plan should include elements of
  • Operations
  • Communications
  • Facilities
  • I.T.
  • Financial support
  • Plan exercised and updated annually


44
45
Implementation Strategy (II)
  • Develop a Critical Incident Response Team
    (C.I.R.T.)
  • Swat Team to respond to
  • Explosions
  • Fires
  • Workplace Violence
  • Team make-up
  • H.R.
  • Legal
  • Communications
  • Security
  • Safety
  • Business Unit Representative


45
46
Implementation Strategy (II), cont.
  • Mission … Deal with incident until business unit
    recovery plan is implemented
  • CIRT … single point-of-contact
  • Emergency operations Center (E.O.C.)
  • Security operations center … Focal point to
    monitor incident

46

47
Implementation Strategy Mutual Assistance
Agreements For Security Incidents
  • Coordinated with
  • Local law enforcement
  • State emergency preparedness offices
  • Security plan topics
  • Bomb threats
  • Fire/Explosions
  • Chemical spills
  • Facility evacuations

47

48
Implementation Strategy Mutual Assistance
Agreements For Security Incidents, cont.
  • Recommend liaison with law enforcement
  • Critical facility tours
  • Information/plan exchange
  • Mutual training opportunities
  • Facility availability
  • Attachments
  • Notification telephone tree
  • Critical customer information
  • Equipment checklists
  • Emergency equipment suppliers

48

49
REPORT INCIDENTS TO
  • LOCAL LAW ENFORCEMENT
  • (Establish and maintain relationship)
  • LOCAL FBI
  • (Establish and maintain relationship)
  • DHS / IAIP
  • (IAW Program use InfraGard, CIPIS,
    nipc.watch_at_fbi.gov, 202-323-3204,5,6,
    888-585-9078)
  • Electricity Sector Information Sharing and
    Analysis Center
  • ( CIPIS, esisac_at_nerc.com, 609-452-8060
    day,
  • 609-452-1422 anytime )


Source NERC
49
50
NERC Continuity of Business Processes

51
Continuity of Business Processes
  • Purpose
  • Reduces the impact of interruptions to critical
    systems and ensures resumption of business and
    operations in a short time.
  • Applicability
  • Facilities and functions considered critical to
    the overall operation of the company.
  • World Trade Center Disaster.
  • Underscore need
  • Many applicable Lessons Learned

51

52
Summary of Plan Differences
  • Business
  • Continuity Plan
  • (BCP)
  • To recover mission critical business services and
    processes
  • Limited scenarios
  • Focus on technology facilities and/or data
  • Crisis Management
  • Plan (CMP)
  • To limit intensity, manage and control negative
    results of an event
  • Many scenarios
  • Focus on people, products, services and
    reputation

53
Implementation Considerations The Plan
  • Comprehensive tool with all critical functions
    having separate plans (Annexes)
  • Business recovery should be basis
  • Updated and Exercised Annually
  • LESSONS LEARNED conducted after each exercise
    and incident


53
54
Implementation Considerations The Plan, cont.
  • Prioritize restorations of functions
  • Business systems (Accounts payable and
    receivable, payroll, financial transactions)
  • Assure I.T. assets are available to meet Minimal
    Level of operations
  • Identify vulnerabilities in I.T. and business
    systems


54
55
Implementation Considerations The Plan, cont.
  • Identify alternate facilities if headquarters
    building is lost … Essential
  • Distance from headquarters
  • Controlled by company


55
56
Plan Reality Check
  • Plan Design worst case scenario
  • Usually one to three scenarios
  • Recovery Scenarios
  • Facility Losses (no access to a facility or
    related services)
  • Technology Losses (no access to systems,
    equipment, information/data or services)

57
Recommendation
  • Develop internally
  • Contract for external assessment
  • Functionally exercise a Portion of the plan
  • Evaluation should be independent
  • Annual Exercise
  • Document Lessons Learned


57
58
NERC Communications

59
Communications Guidelines
  • Purpose
  • To establish effective liaison relationships with
    local offices of federal, regional, and local law
    enforcement where critical facilities are located
  • To promptly report security incidents
  • To develop an INTERNAL THREAT WARNING
    system
  • Applicability
  • Applies to facilities and functions that are
    considered critical.

59

60
Implementation Considerations Best Practices
  • All contact telephone numbers should be placed
    in the EMERGENCY RESPONSE PLAN
  • Staff should be trained on what is to be reported
    and to what organization (Sheriff, FBI)
  • Single staff organization should make ALL
    external notifications
  • Provide familiarization tour of critical sites to
    law enforcement agencies
  • Explain The System


60
61
Best Practices, continued
  • Key officials and responders should be issued
    Emergency Responder wallet cards containing
    contact information
  • Sheriffs Department
  • Local FBI
  • National Infrastructure Protection Center / FBI
  • Information Sharing and Analysis Center / NERC
  • Company responders
  • State Emergency Operations Center


61
62
Best Practices, continued
  • Annually review all emergency incident response
    plans to assure
  • Responders are aware of plan changes
  • Modify Weather Response Plan by adding a
    Security Incident Annex
  • Cyber
  • Physical


62
63
Sample Wallet Card Front


63
64
Sample Wallet Card Back

64

65
REPORT INCIDENTS TO
  • LOCAL LAW ENFORCEMENT
  • (Establish and maintain relationship)
  • LOCAL FBI
  • (Establish and maintain relationship)
  • DHS / IAIP
  • (IAW Program use InfraGard, CIPIS,
    nipc.watch_at_fbi.gov, 202-323-3204,5,6,
    888-585-9078)
  • Electricity Sector-Information Sharing and
    Analysis Center
  • ( CIPIS, esisac_at_nerc.com, 609-452-8060
    day,
  • 609-452-1422 anytime )


Source NERC
65
66
NERC Employment Background Screening

67
Employment Background Screening
  • Purpose
  • Contributes to mitigating the INSIDER threat
    by assuring only trustworthy and reliable
    personnel have unescorted access to critical
    facilities
  • May prevent or deter
  • Regulatory Issues
  • Negligent Hiring
  • Theft
  • Drug use

67

68
Applicability
  • Regulated programs
  • D.O.T. … Gas
  • Commercial drivers license (CDL) programs
  • Employees, Contractors and Vendors with
    unescorted access to company defined Critical
    Facilities


68
69
Implementation Considerations Best Practices
  • Program must adhere to all Federal and State laws
  • Use a comprehensive employment application form
  • Publish Disqualification Criteria
  • Subcontract investigative services


69
70
Recommendation
  • At a minimum, a program should consist of the
    following elements
  • Verification of Social Security Number
  • Local level criminal history check (County of
    residence)
  • Employment checks
  • Motor vehicle license information
  • Drug screen
  • Verification of highest level of education or
    professional certification


70
71
NERC Protecting Potentially Sensitive
Information

72
Protecting Potentially Sensitive Information
  • Purpose
  • Ensure that potentially sensitive information
    regarding critical infrastructure is properly
    protected

72

73
Applicability
  • Information, both physical and electronic,
    defined by the company as SENSITIVE
  • Critical infrastructure targets
  • Personnel information
  • Security measures
  • Operational vulnerabilities
  • Details on critical operating
  • Facilities
  • Systems


73
74
Implementation Considerations Best Practices
  • Apply The Need-to-Know principle on access to
    sensitive information
  • Develop a policy defining the protection
    strategies
  • Assess The Life-Cycle of information in your
    company (Physical and Cyber)
  • Production
  • Storage
  • Transmission
  • Destruction


74
75
Recommendation
  • Question governmental organizations when they
    request Sensitive Information
  • Assurance of confidentiality
  • Designate a single person responsible for
    reviewing requests for Sensitive Information


75
76
Implementation Strategy Protecting Sensitive
Company Operating System Information
  • Companies should ensure that there are procedures
    in place to preclude the release of sensitive
    information
  • Regulatory Agencies … pursuant to their authority
  • Request confidentiality of data be maintained
  • Legitimate business enterprise
  • Request a non-disclosure agreement
  • Corporate websites and publications
  • Periodically assess for sensitive information


76
77
TERRORISTS WILL USE YOUR COMPANIES PUBLIC
INFORMATION IN THE INTELLIGENCE GATHERING STAGE
OF A TARGET ASSESSMENT!

77
78
NERC Cyber Security

79
Cyber Security Guidelines
  • Purpose
  • Identify, assess and mitigate cyber risks to
    computing infrastructures using five (5)
    guidelines
  • Risk Management
  • Access Control
  • I.T. Firewall
  • Intrusion Detection
  • Process Controls System Security

79
? Triton Security Solutions, Inc.
80
  • Applicability, cont.
  • Any company who owns information systems and
    services that support the electric infrastructure.

80
? Triton Security Solutions, Inc.
81
Implementation Considerations
  • Develop and implement a CYBER/I.T. SECURITY
    PLAN which addresses
  • Risk Management
  • Access Control
  • I.T. Firewalls
  • Intrusion Detection
  • Process Controls Systems
  • Review and test plan annually.

? Triton Security Solutions, Inc.
81
82
Recommendation
  • Applicable across the entire company
  • Business Operations
  • System Control
  • Personnel Data
  • Implement business continuity plans

? Triton Security Solutions, Inc.
82
83
NERC Threat and Incident Reporting

84
  • Purpose
  • Promote timely and actionable response to
    security
  • Threats
  • Incidents

84
85
  • Why Report
  • Prevent or mitigate the consequences of an attack
  • Minimize negative impact on company
  • Repair costs
  • Revenues
  • Productivity
  • Public Trust

85
86
  • The Audience / User
  • Law Enforcement
  • Government Agencies and Regulations
  • ESISAC
  • Reliability

86
87
  • What Should Be Reported
  • Date, Time and Location of Incident
  • Description of Incident
  • Cause (If Known)
  • Law Enforcement Involvement
  • NERC-DHS Indications, Analysis, Warnings (IAW)
    Program

87
88
NERC Securing Remote Access to Electronic
Control and Protection Systems

89
  • What Systems?
  • Those systems used to regulate physical
    processes, including but not limited to
    electronic protective relays, substation
    automation and control systems, power plant
    control systems, energy management systems (EMS),
    supervisory control and data acquisition (SCADA),
    programmable logic controllers (PLC).

89
90
  • Purpose
  • Realistic security
  • Definition of Remote Access
  • Recommended steps

90
About PowerShow.com