Cyber Attack Task Force - Final Report - NERC
Appendix F: Precursors and Local Indicators of an Unusual Event
• Unexpected loss of network connectivity, both internal and external
• Change in sound or pitch of equipment
Anomalies within Substations
• Alarms associated with relays, communications processors, SCADA
• Indications of physical access to equipment (tamper-proof tape on maintenance ports)
• Changes to relay configurations or settings
• Changes to ports/services on PCs or other equipment in substations (i.e. different from baseline)
• Changes to breaker settings or configurations
• Changes to RTU configurations or settings
• Passwords changed or checked out outside normal change cycle
• Alarms associated with devices unplugged or unauthorized devices connected to secured network (MAC addresses, switch ports normally turned down)
• Loss of RTU / DCS communication to the master EMS
• Change in sound or pitch of equipment
Anomalies in Situational Awareness
• Decrease in expected activity
• Similar activity as in previous hour, 24 hours or day that does not appear to match field readings
• Telemetry readings not matching schedules
Communication from (RTO and/or neighboring utilities, customers)
• Confirmed cyber security event at another entity
• Alarms associated with RTUs at interconnect points (multiple RTUs)
• Unconfirmed cyber security event
• Customer calls describing outages that do not correspond with normal alarms
Personnel
• Multiple personnel absent due to illness
• Erratic or nervous behavior
• Personnel missing or present during unusual times during the day or shift