Cyber Attack Task Force - Final Report - NERC

More documents

Recommendations

Info

Appendix C: Cyber Event Scenarios for System Operators Spurious Device Operations De scription Multiple, un-commanded, unexpected device operations indicated in EMS system. Scenario could be based on: • Indication-only compromise (devices aren’t actually changing) • Control compromise (devices are actually being manipulated) Im plementation Most likely requires a training simulator environment. In that environment, event scenarios could be devised to: • Simulate compromised telemetry, such that false indications and alarms are present • Alter the power system simulation, such that power system devices actually operate (simulate a control compromise) Recognition • Unexpected state changes • Could be multiple changes at unrelated locations • May be conflicting indications (e.g. breakers open but flow present) • Other evidence of unauthorized system access exists or was suspected • State estimator may indicate that data is conflicting Response • If possible verify indications (cross-check) • Verify with field personnel • Call support staff 52 Cyber Attack Task Force Report
Realistic Data Injection Appendix C: Cyber Event Scenarios for System Operators De scription Convincing injection of false data into EMS or associated systems, for the purpose of changing operator behavior. This is much more subtle than strict denial of service and requires much greater knowledge of the system. Examples of changed operator behavior: • Convince them to shed load • Convince them to allow equipment overload/damage • Cause then to ignore changes taking place on the power system Im plem e nta tion Most likely requires a training simulator environment. In that environment, event scenarios could be devised to bias operator indications so that they do not match the true power system simulation. The power system simulation may be trending toward an adverse state, and this would be unknown to the trainee. Recognition The fact that this attack is very difficult to accomplish completely can help in recognition. It is possible the offender would make mistakes such that some indications would not look normal. • Lack of correlation between measurements • Indications defy known system conditions • Some indications appear abnormal (offender failed to accomplish convincing injection) • State estimator may flag anomalies where they didn’t previously exist • Other evidence of unauthorized system access exists or was suspected Response • If possible verify indications (cross-check) • Verify with field personnel • Call support staff Cyber Attack Task Force Report 53
Page 1 and 2:
Cyber Attack Task Force Final Repor
Page 3 and 4:
Table of Contents Table of Contents
Page 5:
Denial of Service - EMS application
Page 8 and 9:
Executive Summary Defining a Coordi
Page 10 and 11:
Executive Summary Key Recommendatio
Page 13 and 14: Executive Summary Introduction A hi
Page 15 and 16: Adversaries, Motivations, and Capab
Page 17 and 18: Adversaries, Motivations, and Capab
Page 19 and 20: Low Level Threat Criminals, Hackers
Page 21 and 22: Cyber Threat Group Foreign State Na
Page 23 and 24: What a Coordinated Attack Looks Lik
Page 25 and 26: Expanding each of the two events: S
Page 27 and 28: Detection Capabilities Global Monit
Page 29 and 30: Detection Capabilities Appendix F c
Page 31 and 32: Defensive Capabilities / Deterrence
Page 33 and 34: For example: Defensive Capabilities
Page 39 and 40: Responses to Attack Responses to At
Page 41 and 42: Responses to Attack staff to locati
Page 43: Responses to Attack Entities that u
Page 46 and 47: Recommendations • Continue to dev
Page 48 and 49: Recommendations node attack. At a m
Page 50 and 51: Outreach Outreach Outreach is an im
Page 52 and 53: References References Name Link DOE
Page 54 and 55: References NERC CATF Roster - Contr
Page 56 and 57: Appendix A: Introduction to Attack
Page 58 and 59: Appendix B: Resources Appendix B: R
Page 60 and 61: Appendix C: Cyber Event Scenarios f
Page 62 and 63: Appendix C: Cyber Event Scenarios f
Page 66 and 67: Appendix D: Acronyms Appendix D: Ac
Page 69 and 70: Appendix E: Potential Responses to
Page 71 and 72: Appendix E: Potential Responses to
Page 73 and 74: Appendix F: Precursors and Local In
Page 75: Appendix G: Isolation and Survivabi
Page 78 and 79: Appendix H: Defensive Capabilities
Page 80 and 81: Appendix I: CRPA Observations and R
Page 82 and 83: Appendix I: CRPA Observations and R
Page 84 and 85: Appendix J: Case Studies to underst
Page 86 and 87: Appendix J: Case Studies Lateral Mo
Page 88: Appendix K: Task Force Goals and Ob
show all

Cyber Attack Task Force - Final Report - NERC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?