Cyber Attack Task Force - Final Report - NERC

More documents

Recommendations

Info

Defensive Capabilities / Deterrence first responders, decision-makers, and supporting entities to provide a unified national response. Complimentary to the NRF is the DHS National Cyber Incident Response Plan (NCIRF). The National Cyber Incident Response Plan (NCIRP) was developed according to the principles outlined in the National Response Framework (NRF) and describes how the nation responds to significant cyber incidents. ES-ISAC has developed a policy protected communications corridor which delineates special protections and handling for security discussions to encourage participation from the entities and insulate against excessive compliance concerns which might otherwise impede vital security dialogue. Policies like this set the stage for enhanced security by establishing venues for effective information sharing crucial to BPS risk management and response. Rules of engagement for detecting, containing, and eradicating various incident scenarios will help guide personnel who are familiar with the incident response plan. This may include checklists for containment methods, procedures for forensic capture and evidence handling, and guidelines for disabling compromised accounts or reimaging server equipment. One of the most important roles of any incident response plan involves communication. Communication could involve coordination: • Between Reliability Coordinators • Between Balancing Authorities • Between Transmission Operators – minimize activities (i.e. maintenance outages) that would constrain an interface • Between utilities • With law enforcement • With National Security Staff • With regulators • With ES-ISAC • Between other sectors (oil and natural gas, nuclear, and dams) • With and among technology vendor community participants Creating an incident response plan is only one step towards being prepared for a security incident. It is invaluable to hold multi-team exercises or drills which develop familiarity with the incident response plans and defined roles and responsibilities during such events. Additionally, scenario-based drills which offer a plausible situation are a powerful tool to prepare staff on the potential confusion and hesitation which is inherent in an ongoing security incident. As part of any drill and in the case of an actual coordinated attack, it is imperative to communicate significant operational actions taken including their success or failure in mitigating or stopping the attack. This information is vital to partners so their responses are complimentary and not disruptive. 22 Cyber Attack Task Force Report
Defensive Capabilities / Deterrence Auxiliary preparedness materials such as customer communication templates, emergency contact lists and preplanned secure/alternative communications methods (e.g. phone conference bridges; Government Emergency Telecommunications System (GETS) & Wireless Priority System (WPS) for priority access to telecommunications; satellite phone communications for the occurrence where landline and cellular facilities are not available) will enable a more rapid response operation. Creating customer communication templates may help customer support line representatives address calls from customers while other prepared documents may act as a template for communications staff to engage the local news media or government officials during or shortly after any impact from a security related incident. Emergency contact lists may list mobile contact information for management escalation and support staff such as operations staff, IT or cyber security team members. Additionally, it may list outside parties such as ES-ISAC, local, state or federal law enforcement, managed security service providers and system vendor technical support lines. Information Sharing Information sharing is a critical component of any preparation as well as part of the actual response plan. Besides the formal, regulatory requirements for reporting unusual events outlined in the NERC CIP standards and the Department of Energy’s OE-417, there exists an informal communication network between utilities and non-regulatory entities such as the North American Transmission Forum and the North American Generation Forum. There have been successes between the industry, regulatory agencies and the intelligence community with taking classified intelligence, having industry experts assess sensitive information in a classified setting, remove or translate sensitive data and create an alert that can be distributed to a wider audience in the electricity industry. Cyber Attack Task Force Report 23
Page 1 and 2: Cyber Attack Task Force Final Repor
Page 3 and 4: Table of Contents Table of Contents
Page 5: Denial of Service - EMS application
Page 8 and 9: Executive Summary Defining a Coordi
Page 10 and 11: Executive Summary Key Recommendatio
Page 13 and 14: Executive Summary Introduction A hi
Page 15 and 16: Adversaries, Motivations, and Capab
Page 17 and 18: Adversaries, Motivations, and Capab
Page 19 and 20: Low Level Threat Criminals, Hackers
Page 21 and 22: Cyber Threat Group Foreign State Na
Page 23 and 24: What a Coordinated Attack Looks Lik
Page 25 and 26: Expanding each of the two events: S
Page 27 and 28: Detection Capabilities Global Monit
Page 29 and 30: Detection Capabilities Appendix F c
Page 31 and 32: Defensive Capabilities / Deterrence
Page 33: For example: Defensive Capabilities
Page 37 and 38: Defensive Capabilities / Deterrence
Page 39 and 40: Responses to Attack Responses to At
Page 41 and 42: Responses to Attack staff to locati
Page 43: Responses to Attack Entities that u
Page 46 and 47: Recommendations • Continue to dev
Page 48 and 49: Recommendations node attack. At a m
Page 50 and 51: Outreach Outreach Outreach is an im
Page 52 and 53: References References Name Link DOE
Page 54 and 55: References NERC CATF Roster - Contr
Page 56 and 57: Appendix A: Introduction to Attack
Page 58 and 59: Appendix B: Resources Appendix B: R
Page 60 and 61: Appendix C: Cyber Event Scenarios f
Page 66 and 67: Appendix D: Acronyms Appendix D: Ac
Page 69 and 70: Appendix E: Potential Responses to
Page 71 and 72: Appendix E: Potential Responses to
Page 73 and 74: Appendix F: Precursors and Local In
Page 75: Appendix G: Isolation and Survivabi
Page 78 and 79: Appendix H: Defensive Capabilities
Page 80 and 81: Appendix I: CRPA Observations and R
Page 82 and 83: Appendix I: CRPA Observations and R
Page 84 and 85:
Appendix J: Case Studies to underst
Page 86 and 87:
Appendix J: Case Studies Lateral Mo
Page 88:
Appendix K: Task Force Goals and Ob
show all

Cyber Attack Task Force - Final Report - NERC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?