Cyber Attack Task Force - Final Report - NERC
Responses to Attack
staff to locations to determine status and relay information to operators in control centers would be challenging for an extended period of time.
Once integrity has been verified on end devices and communication paths, connectivity can be re-established. However, monitoring should be continued to ensure that a recurrence of the disruption does not happen or develop without operator recognition.
Restoration
Restoration from a coordinated cyber attack could introduce conditions that are not normally encountered during restoration from hurricanes or other types of probabilistic events.
During a cyber attack and the following aftermath, responders may be lulled into the false sense of security that there is only one wave of assault. As with a storm, once the storm passes, everyone pitches in to begin the restoration process with a clear and understood recovery plan. If the attack vector(s) and techniques/tools for the attack are not fully understood and mitigated, the attacker could launch subsequent attacks to disrupt recovery efforts or respond to mitigation efforts. These later attack waves may hold devastating impact potential if not understood and expected.
To ensure the attack vector(s) and methods have been curtailed and cannot be restarted, entities may need to restore application files and operating systems to a safe or trusted release. This can introduce problems or delay recovery due to any entity-installed modifications. In addition, certain types of attacks can render hardware or other equipment inoperable. Consequently, new equipment may have to be acquired and installed. Manufacturer assistance may need to be obtained.
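As an added example that is not part of the NERC report, the following Python sketches the integrity check described above: the application files on a device being restored are compared against the vendor's trusted release, with the entity's approved modifications tracked separately so that they are neither mistaken for tampering nor forgotten when the trusted image is reapplied. All file names, contents and hashes are constructed for illustration.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed vendor release and approved entity-installed modifications.
# In practice the vendor manifest would come from signed release media and
# the approved list from the entity's own change records.
VENDOR_RELEASE = {
    "bin/rtu_agent": b"vendor agent v2.1",
    "etc/points.cfg": b"ai0=voltage\nai1=current\n",
    "etc/comm.cfg": b"master=10.0.0.1\n",
}
APPROVED_MODS = {  # entity extended the points map; must survive a rollback
    "etc/points.cfg": b"ai0=voltage\nai1=current\ndi0=breaker52\n",
}
VENDOR_BASELINE = {p: sha256(c) for p, c in VENDOR_RELEASE.items()}
APPROVED_BASELINE = {p: sha256(c) for p, c in APPROVED_MODS.items()}

# Constructed snapshot of a device's files, taken after the attack.
DEVICE_SNAPSHOT = {
    "bin/rtu_agent": b"vendor agent v2.1",
    "etc/points.cfg": b"ai0=voltage\nai1=current\ndi0=breaker52\n",
    "etc/comm.cfg": b"master=203.0.113.5\n",   # altered, not an approved change
    "bin/helper.so": b"not in any manifest",   # file absent from the release
}


def verify_integrity(files: dict, vendor: dict, approved: dict) -> dict:
    """Classify each path as trusted, approved modification, unexpected or missing."""
    report = {"trusted": [], "approved_mod": [], "unexpected": [],
              "missing": [], "unknown_file": []}
    for path, expected in vendor.items():
        if path not in files:
            report["missing"].append(path)
            continue
        actual = sha256(files[path])
        if actual == expected:
            report["trusted"].append(path)
        elif approved.get(path) == actual:
            report["approved_mod"].append(path)
        else:
            report["unexpected"].append(path)
    report["unknown_file"] = [p for p in files if p not in vendor]
    return report


def ready_to_reconnect(report: dict) -> bool:
    """Re-establish connectivity only when nothing deviates from a trusted or approved state."""
    return not (report["unexpected"] or report["missing"] or report["unknown_file"])
```

Running `verify_integrity` on the snapshot flags the altered comm.cfg and the unknown file while passing the approved points.cfg change, so `ready_to_reconnect` stays False until the trusted image and the approved modification have been reapplied.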
Restoration of situational awareness may have to be manually implemented with staff physically stationed at key locations until communication with monitoring equipment and associated telemetry is restored. Restoration may also involve repair or replacement of parts suffering physical damage from a cyber event. Some of these may require long lead times for replacement due to supply chain or skilled installation workforce availability issues.
Safety plays an even more important role during recovery than before. Because systems and equipment may behave unpredictably during restoration, extra caution should be communicated to staff to make them aware of this issue.
Forensics
Determining the actual cause of an attack is difficult at best, even with the logs and other monitoring and intrusion detection capabilities found on business system networks. On the operational side of the Bulk Power System, equipment and software are not always capable of capturing the information necessary to do a proper forensic analysis. Nonstandard protocols,
Cyber Attack Task Force Report 29