Cyber Attack Task Force - Final Report - NERC

More documents

Recommendations

Info

Appendix C: Cyber Event Scenarios for System Operators Appendix C: Cyber Event Scenarios for System Operators Overview The following scenarios are presented in order from more plausible to less plausible. Plausibility is based on the perceived ease with which a malicious individual could accomplish the task. The scenarios are centered on operator trainee actions as opposed to support personnel actions. We identified at least four major categories of events, and chose scenarios from among these: • Social engineering • Denial of service • Spurious device operation • Realistic data injection Almost all of the symptoms described in these scenarios could, and in overwhelming likelihood would arise from any number of problems other than a cyber attack. These other likelihoods should be considered before a cyber attack is assumed. 48 Cyber Attack Task Force Report
Appendix C: Cyber Event Scenarios for System Operators Social Engineering – false request or information to operator De scription In this scenario, a malicious individual contacts an operator and makes a request for action or information, or supplies false information. This individual could be a disgruntled current or former employee. They could represent themselves as field personnel, and RTO employee, or any number of legitimate individuals. Im plem e nta tion During a training exercise a phone call could be made to the trainee, with the individual asking for an action or supplying false information. Example: “Hello, this is John Doe at Metropolis substation. We’ve got a big problem here and need you to open the 1A breaker ASAP.” Recognition Awareness and a questioning attitude are probably the best tools for recognizing this scenario. • Is this an unusual request? • Is this a familiar identifiable person? • Does this person possess particular knowledge about the situation when asked? • Is this one of many unusual or suspicious requests? Response If a suspicious request is received, obviously the trainee would not act on it. They should: • Try to gain more information from the caller if possible • Consider the appropriateness of the request • Attempt to identify the individual • Verify the request with another entity (cross check) • If the situation remains suspicious, report the incident to their appropriate supervision and support personnel Cyber Attack Task Force Report 49
Page 1 and 2:
Cyber Attack Task Force Final Repor
Page 3 and 4:
Table of Contents Table of Contents
Page 5:
Denial of Service - EMS application
Page 8 and 9:
Executive Summary Defining a Coordi
Page 10 and 11: Executive Summary Key Recommendatio
Page 13 and 14: Executive Summary Introduction A hi
Page 15 and 16: Adversaries, Motivations, and Capab
Page 17 and 18: Adversaries, Motivations, and Capab
Page 19 and 20: Low Level Threat Criminals, Hackers
Page 21 and 22: Cyber Threat Group Foreign State Na
Page 23 and 24: What a Coordinated Attack Looks Lik
Page 25 and 26: Expanding each of the two events: S
Page 27 and 28: Detection Capabilities Global Monit
Page 29 and 30: Detection Capabilities Appendix F c
Page 31 and 32: Defensive Capabilities / Deterrence
Page 33 and 34: For example: Defensive Capabilities
Page 39 and 40: Responses to Attack Responses to At
Page 41 and 42: Responses to Attack staff to locati
Page 43: Responses to Attack Entities that u
Page 46 and 47: Recommendations • Continue to dev
Page 48 and 49: Recommendations node attack. At a m
Page 50 and 51: Outreach Outreach Outreach is an im
Page 52 and 53: References References Name Link DOE
Page 54 and 55: References NERC CATF Roster - Contr
Page 56 and 57: Appendix A: Introduction to Attack
Page 58 and 59: Appendix B: Resources Appendix B: R
Page 62 and 63: Appendix C: Cyber Event Scenarios f
Page 64 and 65: Appendix C: Cyber Event Scenarios f
Page 66 and 67: Appendix D: Acronyms Appendix D: Ac
Page 69 and 70: Appendix E: Potential Responses to
Page 71 and 72: Appendix E: Potential Responses to
Page 73 and 74: Appendix F: Precursors and Local In
Page 75: Appendix G: Isolation and Survivabi
Page 78 and 79: Appendix H: Defensive Capabilities
Page 80 and 81: Appendix I: CRPA Observations and R
Page 82 and 83: Appendix I: CRPA Observations and R
Page 84 and 85: Appendix J: Case Studies to underst
Page 86 and 87: Appendix J: Case Studies Lateral Mo
Page 88: Appendix K: Task Force Goals and Ob
show all

Cyber Attack Task Force - Final Report - NERC

Create successful ePaper yourself

Delete template?

Save as template?