Cyber Attack Task Force - Final Report - NERC

More documents

Recommendations

Info

Defensive Capabilities / Deterrence A case study of success: Secure Remote Access Guideline September 2010 NERC Awareness Bulletin March 31, 2010 Classified Briefing Vulnerability with Client VPN December 9, 2009 NERC worked with Intelligence Community to obtain details January 20, 2010 Industry / NERC / DOE created sanitized joint product March 14, 2010 This exercise of having industry experts work with NERC and the Intelligence Community demonstrates the process can work. Future team efforts should strive to reduce the amount of time from briefing to awareness/alert. Existing formal and informal sources of information include: NERC ES-ISAC, RCIS / CIPIS, North American Transmission Forum, North American Generation Forum; US-CERT, ICS-CERT, RRO and RTO “communities” – mail distribution groups, newsletters, etc. and Vendor “User Communities” such as EMS users’ groups. Energy Security Public-Private Partnership (ES3P) Joint Working Group has been formed under the Electricity Sub-Sector Coordinating Council (ESCC) and the Energy Sector Government Coordinating Council (ES-GCC). With co-Chairs from Department of Energy and NERC, as well as representation from Departments of Defense and Homeland Security, industry trade groups and interdependent sectors (such as Oil and Natural Gas, Water, Nuclear), ES3P offers a protected venue for sensitive critical infrastructure and mission assurance discussion. Gaining awareness of a cyber attack before it occurs and stopping its effects is the best case scenario for information sharing. Sharing of information during the attack’s reconnaissance phase or early delivery phase will help achieve this end. Sharing of concise indicators of compromise (IOC) or attempted compromise will allow for quicker analysis of information and development of mitigations to prevent future incidents. These indicators of compromise may take the form of file MD5 hashes, IP addresses, targeted 24 Cyber Attack Task Force Report
Defensive Capabilities / Deterrence phishing email header information, captured network traffic, or other detailed activity. Such IOCs will be detected by the industry and must be shared with its various partners such as the ES-ISAC to ‘connect the dots’. The correlation of related indicators of compromise reported from independent industry members will create an industry view of attacks and will lead to informed preventative and detective measures which reduce overall risk to the BPS. Post-Event Analysis (Lessons Learned) In order to properly prepare for the next security incident it is critical to capture lessons learned from prior incidents such as Stuxnet, Aurora, Night Dragon, Shady Rat and even events such as major hurricanes or tornados that resulted in disruptions. The lessons learned process should strive to identify how to prevent future attacks, prevent or limit disruption if they do occur, and create early visibility of such attacks through enhanced awareness and security monitoring. Additionally, analysis of publicly disclosed attacks may provide a level of learning which may be incorporated into incident response plans, protective measures, resilience activity and preparedness. The FBI is working with the Pacific Northwest National Laboratory to evaluate and trend cases related to the electricity sector. The results of this analysis will be an important reference. The NERC enterprise-wide event analysis program is based on the recognition that bulk power system events that occur, or have the potential to occur, have varying levels of significance. The manner in which registered entities, regional entities, and NERC evaluate and process these events is intended to reflect the significance of the event and/or specific system conditions germane to the reliability of the bulk power system and the circumstances involved. The key ingredients of an effective post-event analysis program are to: • Identify what transpired – sequence of events; • Understand the causes of events; • Understand the vulnerabilities that were exploited; • Identify and ensure timely implementation of corrective actions; • Develop and disseminate recommendations and valuable lessons learned to the industry to enhance operational performance and avoid repeat events; • Develop the capability for integrating risk analysis into the event analysis process; and • Feed forward key results to facilitate enhancements in and support of the various NERC programs and initiatives (e.g., performance metrics, standards, compliance monitoring and enforcement, training and education, etc.) 26 While the full or partial loss of a single EMS or SCADA system may not result in the blackout depicted in the task force scenario, analysis of the causes of such a loss could be helpful in correcting conditions on the utility’s EMS or SCADA system and possibly lead to the identification of useful lessons learned for the industry. However, in the case of a coordinated 26 NERC Event Analysis Program Cyber Attack Task Force Report 25
Page 1 and 2: Cyber Attack Task Force Final Repor
Page 3 and 4: Table of Contents Table of Contents
Page 5: Denial of Service - EMS application
Page 8 and 9: Executive Summary Defining a Coordi
Page 10 and 11: Executive Summary Key Recommendatio
Page 13 and 14: Executive Summary Introduction A hi
Page 15 and 16: Adversaries, Motivations, and Capab
Page 17 and 18: Adversaries, Motivations, and Capab
Page 19 and 20: Low Level Threat Criminals, Hackers
Page 21 and 22: Cyber Threat Group Foreign State Na
Page 23 and 24: What a Coordinated Attack Looks Lik
Page 25 and 26: Expanding each of the two events: S
Page 27 and 28: Detection Capabilities Global Monit
Page 29 and 30: Detection Capabilities Appendix F c
Page 31 and 32: Defensive Capabilities / Deterrence
Page 33 and 34: For example: Defensive Capabilities
Page 35: Defensive Capabilities / Deterrence
Page 39 and 40: Responses to Attack Responses to At
Page 41 and 42: Responses to Attack staff to locati
Page 43: Responses to Attack Entities that u
Page 46 and 47: Recommendations • Continue to dev
Page 48 and 49: Recommendations node attack. At a m
Page 50 and 51: Outreach Outreach Outreach is an im
Page 52 and 53: References References Name Link DOE
Page 54 and 55: References NERC CATF Roster - Contr
Page 56 and 57: Appendix A: Introduction to Attack
Page 58 and 59: Appendix B: Resources Appendix B: R
Page 60 and 61: Appendix C: Cyber Event Scenarios f
Page 66 and 67: Appendix D: Acronyms Appendix D: Ac
Page 69 and 70: Appendix E: Potential Responses to
Page 71 and 72: Appendix E: Potential Responses to
Page 73 and 74: Appendix F: Precursors and Local In
Page 75: Appendix G: Isolation and Survivabi
Page 78 and 79: Appendix H: Defensive Capabilities
Page 80 and 81: Appendix I: CRPA Observations and R
Page 82 and 83: Appendix I: CRPA Observations and R
Page 84 and 85: Appendix J: Case Studies to underst
Page 86 and 87:
Appendix J: Case Studies Lateral Mo
Page 88:
Appendix K: Task Force Goals and Ob
show all

Cyber Attack Task Force - Final Report - NERC

Create successful ePaper yourself

Delete template?

Save as template?